{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1752655313,
"reponame":"openssl",
"desc":"OpenSSL",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"c8866f7ba2e59d734f3681abd689e988",
"commit": {"type":"commit",
"time": 1519131569,
"time_ofs": 0,
"oid_tree": { "oid": "856dc7f1bbb48b00d7c51429fe205e65cec497f2", "alias": []},
"oid":{ "oid": "abcd22bf621b25e5db724b0ad9bcb4bcc189b1d3", "alias": []},
"msg": "Flatten the Curve 448 source structure",
"sig_commit": { "git_time": { "time": 1519131569, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" },
"sig_author": { "git_time": { "time": 1510761567, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }},
"body": "Flatten the Curve 448 source structure\n\nReviewed-by: Bernd Edlinger \u003cbernd.edlinger@hotmail.de\u003e\n(Merged from https://github.com/openssl/openssl/pull/5105)\n"
,
"diff": "diff --git a/crypto/ec/curve448/GENERATED/c/ed448goldilocks/decaf.c b/crypto/ec/curve448/GENERATED/c/ed448goldilocks/decaf.c\ndeleted file mode 100644\nindex 3fdc491..0000000\n--- a/crypto/ec/curve448/GENERATED/c/ed448goldilocks/decaf.c\n+++ /dev/null\n@@ -1,1598 +0,0 @@\n-/**\n- * @file ed448goldilocks/decaf.c\n- * @author Mike Hamburg\n- *\n- * @copyright\n- * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- *\n- * @brief Decaf high-level functions.\n- *\n- * @warning This file was automatically generated in Python.\n- * Please do not edit it.\n- */\n-#define _XOPEN_SOURCE 600 /* for posix_memalign */\n-#include \u0022word.h\u0022\n-#include \u0022field.h\u0022\n-\n-#include \u003cdecaf.h\u003e\n-#include \u003cdecaf/ed448.h\u003e\n-\n-/* Template stuff */\n-#define API_NS(_id) decaf_448_##_id\n-#define SCALAR_BITS DECAF_448_SCALAR_BITS\n-#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES\n-#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS\n-#define scalar_t API_NS(scalar_t)\n-#define point_t API_NS(point_t)\n-#define precomputed_s API_NS(precomputed_s)\n-#define IMAGINE_TWIST 0\n-#define COFACTOR 4\n-\n-/* Comb config: number of combs, n, t, s. 
*/\n-#define COMBS_N 5\n-#define COMBS_T 5\n-#define COMBS_S 18\n-#define DECAF_WINDOW_BITS 5\n-#define DECAF_WNAF_FIXED_TABLE_BITS 5\n-#define DECAF_WNAF_VAR_TABLE_BITS 3\n-\n-#define EDDSA_USE_SIGMA_ISOGENY 0\n-\n-static const int EDWARDS_D \u003d -39081;\n-static const scalar_t point_scalarmul_adjustment \u003d {{{\n- SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)\n-}}}, precomputed_scalarmul_adjustment \u003d {{{\n- SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)\n-}}};\n-\n-const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] \u003d { 0x05 };\n-\n-#define RISTRETTO_FACTOR DECAF_448_RISTRETTO_FACTOR\n-const gf RISTRETTO_FACTOR \u003d {{{\n- 0x42ef0f45572736, 0x7bf6aa20ce5296, 0xf4fd6eded26033, 0x968c14ba839a66, 0xb8d54b64a2d780, 0x6aa0a1f1a7b8a5, 0x683bf68d722fa2, 0x22d962fbeb24f7\n-}}};\n-\n-#if IMAGINE_TWIST\n-#define TWISTED_D (-(EDWARDS_D))\n-#else\n-#define TWISTED_D ((EDWARDS_D)-1)\n-#endif\n-\n-#if TWISTED_D \u003c 0\n-#define EFF_D (-(TWISTED_D))\n-#define NEG_D 1\n-#else\n-#define EFF_D TWISTED_D\n-#define NEG_D 0\n-#endif\n-\n-/* End of template stuff */\n-\n-/* Sanity */\n-#if (COFACTOR \u003d\u003d 8) \u0026\u0026 !IMAGINE_TWIST \u0026\u0026 !UNSAFE_CURVE_HAS_POINTS_AT_INFINITY\n-/* FUTURE MAGIC: Curve41417 doesn't have these properties. 
*/\n-#error \u0022Currently require IMAGINE_TWIST (and thus p\u003d5 mod 8) for cofactor 8\u0022\n- /* OK, but why?\n- * Two reasons: #1: There are bugs when COFACTOR \u003d\u003d \u0026\u0026 IMAGINE_TWIST\n- # #2: \n- */\n-#endif\n-\n-#if IMAGINE_TWIST \u0026\u0026 (P_MOD_8 !\u003d 5)\n- #error \u0022Cannot use IMAGINE_TWIST except for p \u003d\u003d 5 mod 8\u0022\n-#endif\n-\n-#if (COFACTOR !\u003d 8) \u0026\u0026 (COFACTOR !\u003d 4)\n- #error \u0022COFACTOR must be 4 or 8\u0022\n-#endif\n- \n-#if IMAGINE_TWIST\n- extern const gf SQRT_MINUS_ONE;\n-#endif\n-\n-#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */\n-\n-extern const point_t API_NS(point_base);\n-\n-/* Projective Niels coordinates */\n-typedef struct { gf a, b, c; } niels_s, niels_t[1];\n-typedef struct { niels_t n; gf z; } VECTOR_ALIGNED pniels_s, pniels_t[1];\n-\n-/* Precomputed base */\n-struct precomputed_s { niels_t table [COMBS_N\u003c\u003c(COMBS_T-1)]; };\n-\n-extern const gf API_NS(precomputed_base_as_fe)[];\n-const precomputed_s *API_NS(precomputed_base) \u003d\n- (const precomputed_s *) \u0026API_NS(precomputed_base_as_fe);\n-\n-const size_t API_NS(sizeof_precomputed_s) \u003d sizeof(precomputed_s);\n-const size_t API_NS(alignof_precomputed_s) \u003d sizeof(big_register_t);\n-\n-/** Inverse. 
*/\n-static void\n-gf_invert(gf y, const gf x, int assert_nonzero) {\n- gf t1, t2;\n- gf_sqr(t1, x); // o^2\n- mask_t ret \u003d gf_isr(t2, t1); // +-1/sqrt(o^2) \u003d +-1/o\n- (void)ret;\n- if (assert_nonzero) assert(ret);\n- gf_sqr(t1, t2);\n- gf_mul(t2, t1, x); // not direct to y in case of alias.\n- gf_copy(y, t2);\n-}\n-\n-/** identity \u003d (0,1) */\n-const point_t API_NS(point_identity) \u003d {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};\n-\n-/* Predeclare because not static: called by elligator */\n-void API_NS(deisogenize) (\n- gf_s *__restrict__ s,\n- gf_s *__restrict__ inv_el_sum,\n- gf_s *__restrict__ inv_el_m1,\n- const point_t p,\n- mask_t toggle_s,\n- mask_t toggle_altx,\n- mask_t toggle_rotation\n-);\n-\n-void API_NS(deisogenize) (\n- gf_s *__restrict__ s,\n- gf_s *__restrict__ inv_el_sum,\n- gf_s *__restrict__ inv_el_m1,\n- const point_t p,\n- mask_t toggle_s,\n- mask_t toggle_altx,\n- mask_t toggle_rotation\n-) {\n-#if COFACTOR \u003d\u003d 4 \u0026\u0026 !IMAGINE_TWIST\n- (void)toggle_rotation; /* Only applies to cofactor 8 */\n- gf t1;\n- gf_s *t2 \u003d s, *t3\u003dinv_el_sum, *t4\u003dinv_el_m1;\n- \n- gf_add(t1,p-\u003ex,p-\u003et);\n- gf_sub(t2,p-\u003ex,p-\u003et);\n- gf_mul(t3,t1,t2); /* t3 \u003d num */\n- gf_sqr(t2,p-\u003ex);\n- gf_mul(t1,t2,t3);\n- gf_mulw(t2,t1,-1-TWISTED_D); /* -x^2 * (a-d) * num */\n- gf_isr(t1,t2); /* t1 \u003d isr */\n- gf_mul(t2,t1,t3); /* t2 \u003d ratio */\n- gf_mul(t4,t2,RISTRETTO_FACTOR);\n- mask_t negx \u003d gf_lobit(t4) ^ toggle_altx;\n- gf_cond_neg(t2, negx);\n- gf_mul(t3,t2,p-\u003ez);\n- gf_sub(t3,t3,p-\u003et);\n- gf_mul(t2,t3,p-\u003ex);\n- gf_mulw(t4,t2,-1-TWISTED_D);\n- gf_mul(s,t4,t1);\n- mask_t lobs \u003d gf_lobit(s);\n- gf_cond_neg(s,lobs);\n- gf_copy(inv_el_m1,p-\u003ex);\n- gf_cond_neg(inv_el_m1,~lobs^negx^toggle_s);\n- gf_add(inv_el_m1,inv_el_m1,p-\u003et);\n- \n-#elif COFACTOR \u003d\u003d 8 \u0026\u0026 IMAGINE_TWIST\n- /* More complicated because of rotation */\n- gf t1,t2,t3,t4,t5;\n- 
gf_add(t1,p-\u003ez,p-\u003ey);\n- gf_sub(t2,p-\u003ez,p-\u003ey);\n- gf_mul(t3,t1,t2); /* t3 \u003d num */\n- gf_mul(t2,p-\u003ex,p-\u003ey); /* t2 \u003d den */\n- gf_sqr(t1,t2);\n- gf_mul(t4,t1,t3);\n- gf_mulw(t1,t4,-1-TWISTED_D);\n- gf_isr(t4,t1); /* isqrt(num*(a-d)*den^2) */\n- gf_mul(t1,t2,t4);\n- gf_mul(t2,t1,RISTRETTO_FACTOR); /* t2 \u003d \u0022iden\u0022 in ristretto.sage */\n- gf_mul(t1,t3,t4); /* t1 \u003d \u0022inum\u0022 in ristretto.sage */\n-\n- /* Calculate altxy \u003d iden*inum*i*t^2*(d-a) */\n- gf_mul(t3,t1,t2);\n- gf_mul_i(t4,t3);\n- gf_mul(t3,t4,p-\u003et);\n- gf_mul(t4,t3,p-\u003et);\n- gf_mulw(t3,t4,TWISTED_D+1); /* iden*inum*i*t^2*(d-1) */\n- mask_t rotate \u003d toggle_rotation ^ gf_lobit(t3);\n- \n- /* Rotate if altxy is negative */\n- gf_cond_swap(t1,t2,rotate);\n- gf_mul_i(t4,p-\u003ex);\n- gf_cond_sel(t4,p-\u003ey,t4,rotate); /* t4 \u003d \u0022fac\u0022 \u003d ix if rotate, else y */\n- \n- gf_mul_i(t5,RISTRETTO_FACTOR); /* t5 \u003d imi */\n- gf_mul(t3,t5,t2); /* iden * imi */\n- gf_mul(t2,t5,t1);\n- gf_mul(t5,t2,p-\u003et); /* \u0022altx\u0022 \u003d iden*imi*t */\n- mask_t negx \u003d gf_lobit(t5) ^ toggle_altx;\n- \n- gf_cond_neg(t1,negx^rotate);\n- gf_mul(t2,t1,p-\u003ez);\n- gf_add(t2,t2,ONE);\n- gf_mul(inv_el_sum,t2,t4);\n- gf_mul(s,inv_el_sum,t3);\n- \n- mask_t negs \u003d gf_lobit(s);\n- gf_cond_neg(s,negs);\n- \n- mask_t negz \u003d ~negs ^ toggle_s ^ negx;\n- gf_copy(inv_el_m1,p-\u003ez);\n- gf_cond_neg(inv_el_m1,negz);\n- gf_sub(inv_el_m1,inv_el_m1,t4);\n-#else\n-#error \u0022Cofactor must be 4 (with no IMAGINE_TWIST) or 8 (with IMAGINE_TWIST)\u0022\n-#endif\n-}\n-\n-void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) {\n- gf s,ie1,ie2;\n- API_NS(deisogenize)(s,ie1,ie2,p,0,0,0);\n- gf_serialize(ser,s,1);\n-}\n-\n-decaf_error_t API_NS(point_decode) (\n- point_t p,\n- const unsigned char ser[SER_BYTES],\n- decaf_bool_t allow_identity\n-) {\n- gf s, s2, num, tmp;\n- gf_s *tmp2\u003ds2, 
*ynum\u003dp-\u003ez, *isr\u003dp-\u003ex, *den\u003dp-\u003et;\n- \n- mask_t succ \u003d gf_deserialize(s, ser, 1, 0);\n- succ \u0026\u003d bool_to_mask(allow_identity) | ~gf_eq(s, ZERO);\n- succ \u0026\u003d ~gf_lobit(s);\n- \n- gf_sqr(s2,s); /* s^2 \u003d -as^2 */\n-#if IMAGINE_TWIST\n- gf_sub(s2,ZERO,s2); /* -as^2 */\n-#endif\n- gf_sub(den,ONE,s2); /* 1+as^2 */\n- gf_add(ynum,ONE,s2); /* 1-as^2 */\n- gf_mulw(num,s2,-4*TWISTED_D);\n- gf_sqr(tmp,den); /* tmp \u003d den^2 */\n- gf_add(num,tmp,num); /* num \u003d den^2 - 4*d*s^2 */\n- gf_mul(tmp2,num,tmp); /* tmp2 \u003d num*den^2 */\n- succ \u0026\u003d gf_isr(isr,tmp2); /* isr \u003d 1/sqrt(num*den^2) */\n- gf_mul(tmp,isr,den); /* isr*den */\n- gf_mul(p-\u003ey,tmp,ynum); /* isr*den*(1-as^2) */\n- gf_mul(tmp2,tmp,s); /* s*isr*den */\n- gf_add(tmp2,tmp2,tmp2); /* 2*s*isr*den */\n- gf_mul(tmp,tmp2,isr); /* 2*s*isr^2*den */\n- gf_mul(p-\u003ex,tmp,num); /* 2*s*isr^2*den*num */\n- gf_mul(tmp,tmp2,RISTRETTO_FACTOR); /* 2*s*isr*den*magic */\n- gf_cond_neg(p-\u003ex,gf_lobit(tmp)); /* flip x */\n- \n-#if COFACTOR\u003d\u003d8\n- /* Additionally check y !\u003d 0 and x*y*isomagic nonegative */\n- succ \u0026\u003d ~gf_eq(p-\u003ey,ZERO);\n- gf_mul(tmp,p-\u003ex,p-\u003ey);\n- gf_mul(tmp2,tmp,RISTRETTO_FACTOR);\n- succ \u0026\u003d ~gf_lobit(tmp2);\n-#endif\n-\n-#if IMAGINE_TWIST\n- gf_copy(tmp,p-\u003ex);\n- gf_mul_i(p-\u003ex,tmp);\n-#endif\n-\n- /* Fill in z and t */\n- gf_copy(p-\u003ez,ONE);\n- gf_mul(p-\u003et,p-\u003ex,p-\u003ey);\n- \n- assert(API_NS(point_valid)(p) | ~succ);\n- return decaf_succeed_if(mask_to_bool(succ));\n-}\n-\n-void API_NS(point_sub) (\n- point_t p,\n- const point_t q,\n- const point_t r\n-) {\n- gf a, b, c, d;\n- gf_sub_nr ( b, q-\u003ey, q-\u003ex ); /* 3+e */\n- gf_sub_nr ( d, r-\u003ey, r-\u003ex ); /* 3+e */\n- gf_add_nr ( c, r-\u003ey, r-\u003ex ); /* 2+e */\n- gf_mul ( a, c, b );\n- gf_add_nr ( b, q-\u003ey, q-\u003ex ); /* 2+e */\n- gf_mul ( p-\u003ey, d, b );\n- gf_mul ( b, r-\u003et, 
q-\u003et );\n- gf_mulw ( p-\u003ex, b, 2*EFF_D );\n- gf_add_nr ( b, a, p-\u003ey ); /* 2+e */\n- gf_sub_nr ( c, p-\u003ey, a ); /* 3+e */\n- gf_mul ( a, q-\u003ez, r-\u003ez );\n- gf_add_nr ( a, a, a ); /* 2+e */\n- if (GF_HEADROOM \u003c\u003d 3) gf_weak_reduce(a); /* or 1+e */\n-#if NEG_D\n- gf_sub_nr ( p-\u003ey, a, p-\u003ex ); /* 4+e or 3+e */\n- gf_add_nr ( a, a, p-\u003ex ); /* 3+e or 2+e */\n-#else\n- gf_add_nr ( p-\u003ey, a, p-\u003ex ); /* 3+e or 2+e */\n- gf_sub_nr ( a, a, p-\u003ex ); /* 4+e or 3+e */\n-#endif\n- gf_mul ( p-\u003ez, a, p-\u003ey );\n- gf_mul ( p-\u003ex, p-\u003ey, c );\n- gf_mul ( p-\u003ey, a, b );\n- gf_mul ( p-\u003et, b, c );\n-}\n- \n-void API_NS(point_add) (\n- point_t p,\n- const point_t q,\n- const point_t r\n-) {\n- gf a, b, c, d;\n- gf_sub_nr ( b, q-\u003ey, q-\u003ex ); /* 3+e */\n- gf_sub_nr ( c, r-\u003ey, r-\u003ex ); /* 3+e */\n- gf_add_nr ( d, r-\u003ey, r-\u003ex ); /* 2+e */\n- gf_mul ( a, c, b );\n- gf_add_nr ( b, q-\u003ey, q-\u003ex ); /* 2+e */\n- gf_mul ( p-\u003ey, d, b );\n- gf_mul ( b, r-\u003et, q-\u003et );\n- gf_mulw ( p-\u003ex, b, 2*EFF_D );\n- gf_add_nr ( b, a, p-\u003ey ); /* 2+e */\n- gf_sub_nr ( c, p-\u003ey, a ); /* 3+e */\n- gf_mul ( a, q-\u003ez, r-\u003ez );\n- gf_add_nr ( a, a, a ); /* 2+e */\n- if (GF_HEADROOM \u003c\u003d 3) gf_weak_reduce(a); /* or 1+e */\n-#if NEG_D\n- gf_add_nr ( p-\u003ey, a, p-\u003ex ); /* 3+e or 2+e */\n- gf_sub_nr ( a, a, p-\u003ex ); /* 4+e or 3+e */\n-#else\n- gf_sub_nr ( p-\u003ey, a, p-\u003ex ); /* 4+e or 3+e */\n- gf_add_nr ( a, a, p-\u003ex ); /* 3+e or 2+e */\n-#endif\n- gf_mul ( p-\u003ez, a, p-\u003ey );\n- gf_mul ( p-\u003ex, p-\u003ey, c );\n- gf_mul ( p-\u003ey, a, b );\n- gf_mul ( p-\u003et, b, c );\n-}\n-\n-static DECAF_NOINLINE void\n-point_double_internal (\n- point_t p,\n- const point_t q,\n- int before_double\n-) {\n- gf a, b, c, d;\n- gf_sqr ( c, q-\u003ex );\n- gf_sqr ( a, q-\u003ey );\n- gf_add_nr ( d, c, a ); /* 2+e */\n- gf_add_nr ( p-\u003et, 
q-\u003ey, q-\u003ex ); /* 2+e */\n- gf_sqr ( b, p-\u003et );\n- gf_subx_nr ( b, b, d, 3 ); /* 4+e */\n- gf_sub_nr ( p-\u003et, a, c ); /* 3+e */\n- gf_sqr ( p-\u003ex, q-\u003ez );\n- gf_add_nr ( p-\u003ez, p-\u003ex, p-\u003ex ); /* 2+e */\n- gf_subx_nr ( a, p-\u003ez, p-\u003et, 4 ); /* 6+e */\n- if (GF_HEADROOM \u003d\u003d 5) gf_weak_reduce(a); /* or 1+e */\n- gf_mul ( p-\u003ex, a, b );\n- gf_mul ( p-\u003ez, p-\u003et, a );\n- gf_mul ( p-\u003ey, p-\u003et, d );\n- if (!before_double) gf_mul ( p-\u003et, b, d );\n-}\n-\n-void API_NS(point_double)(point_t p, const point_t q) {\n- point_double_internal(p,q,0);\n-}\n-\n-void API_NS(point_negate) (\n- point_t nega,\n- const point_t a\n-) {\n- gf_sub(nega-\u003ex, ZERO, a-\u003ex);\n- gf_copy(nega-\u003ey, a-\u003ey);\n- gf_copy(nega-\u003ez, a-\u003ez);\n- gf_sub(nega-\u003et, ZERO, a-\u003et);\n-}\n-\n-/* Operations on [p]niels */\n-static DECAF_INLINE void\n-cond_neg_niels (\n- niels_t n,\n- mask_t neg\n-) {\n- gf_cond_swap(n-\u003ea, n-\u003eb, neg);\n- gf_cond_neg(n-\u003ec, neg);\n-}\n-\n-static DECAF_NOINLINE void pt_to_pniels (\n- pniels_t b,\n- const point_t a\n-) {\n- gf_sub ( b-\u003en-\u003ea, a-\u003ey, a-\u003ex );\n- gf_add ( b-\u003en-\u003eb, a-\u003ex, a-\u003ey );\n- gf_mulw ( b-\u003en-\u003ec, a-\u003et, 2*TWISTED_D );\n- gf_add ( b-\u003ez, a-\u003ez, a-\u003ez );\n-}\n-\n-static DECAF_NOINLINE void pniels_to_pt (\n- point_t e,\n- const pniels_t d\n-) {\n- gf eu;\n- gf_add ( eu, d-\u003en-\u003eb, d-\u003en-\u003ea );\n- gf_sub ( e-\u003ey, d-\u003en-\u003eb, d-\u003en-\u003ea );\n- gf_mul ( e-\u003et, e-\u003ey, eu);\n- gf_mul ( e-\u003ex, d-\u003ez, e-\u003ey );\n- gf_mul ( e-\u003ey, d-\u003ez, eu );\n- gf_sqr ( e-\u003ez, d-\u003ez );\n-}\n-\n-static DECAF_NOINLINE void\n-niels_to_pt (\n- point_t e,\n- const niels_t n\n-) {\n- gf_add ( e-\u003ey, n-\u003eb, n-\u003ea );\n- gf_sub ( e-\u003ex, n-\u003eb, n-\u003ea );\n- gf_mul ( e-\u003et, e-\u003ey, e-\u003ex );\n- gf_copy ( e-\u003ez, 
ONE );\n-}\n-\n-static DECAF_NOINLINE void\n-add_niels_to_pt (\n- point_t d,\n- const niels_t e,\n- int before_double\n-) {\n- gf a, b, c;\n- gf_sub_nr ( b, d-\u003ey, d-\u003ex ); /* 3+e */\n- gf_mul ( a, e-\u003ea, b );\n- gf_add_nr ( b, d-\u003ex, d-\u003ey ); /* 2+e */\n- gf_mul ( d-\u003ey, e-\u003eb, b );\n- gf_mul ( d-\u003ex, e-\u003ec, d-\u003et );\n- gf_add_nr ( c, a, d-\u003ey ); /* 2+e */\n- gf_sub_nr ( b, d-\u003ey, a ); /* 3+e */\n- gf_sub_nr ( d-\u003ey, d-\u003ez, d-\u003ex ); /* 3+e */\n- gf_add_nr ( a, d-\u003ex, d-\u003ez ); /* 2+e */\n- gf_mul ( d-\u003ez, a, d-\u003ey );\n- gf_mul ( d-\u003ex, d-\u003ey, b );\n- gf_mul ( d-\u003ey, a, c );\n- if (!before_double) gf_mul ( d-\u003et, b, c );\n-}\n-\n-static DECAF_NOINLINE void\n-sub_niels_from_pt (\n- point_t d,\n- const niels_t e,\n- int before_double\n-) {\n- gf a, b, c;\n- gf_sub_nr ( b, d-\u003ey, d-\u003ex ); /* 3+e */\n- gf_mul ( a, e-\u003eb, b );\n- gf_add_nr ( b, d-\u003ex, d-\u003ey ); /* 2+e */\n- gf_mul ( d-\u003ey, e-\u003ea, b );\n- gf_mul ( d-\u003ex, e-\u003ec, d-\u003et );\n- gf_add_nr ( c, a, d-\u003ey ); /* 2+e */\n- gf_sub_nr ( b, d-\u003ey, a ); /* 3+e */\n- gf_add_nr ( d-\u003ey, d-\u003ez, d-\u003ex ); /* 2+e */\n- gf_sub_nr ( a, d-\u003ez, d-\u003ex ); /* 3+e */\n- gf_mul ( d-\u003ez, a, d-\u003ey );\n- gf_mul ( d-\u003ex, d-\u003ey, b );\n- gf_mul ( d-\u003ey, a, c );\n- if (!before_double) gf_mul ( d-\u003et, b, c );\n-}\n-\n-static void\n-add_pniels_to_pt (\n- point_t p,\n- const pniels_t pn,\n- int before_double\n-) {\n- gf L0;\n- gf_mul ( L0, p-\u003ez, pn-\u003ez );\n- gf_copy ( p-\u003ez, L0 );\n- add_niels_to_pt( p, pn-\u003en, before_double );\n-}\n-\n-static void\n-sub_pniels_from_pt (\n- point_t p,\n- const pniels_t pn,\n- int before_double\n-) {\n- gf L0;\n- gf_mul ( L0, p-\u003ez, pn-\u003ez );\n- gf_copy ( p-\u003ez, L0 );\n- sub_niels_from_pt( p, pn-\u003en, before_double );\n-}\n-\n-static DECAF_NOINLINE void\n-prepare_fixed_window(\n- pniels_t 
*multiples,\n- const point_t b,\n- int ntable\n-) {\n- point_t tmp;\n- pniels_t pn;\n- int i;\n- \n- point_double_internal(tmp, b, 0);\n- pt_to_pniels(pn, tmp);\n- pt_to_pniels(multiples[0], b);\n- API_NS(point_copy)(tmp, b);\n- for (i\u003d1; i\u003cntable; i++) {\n- add_pniels_to_pt(tmp, pn, 0);\n- pt_to_pniels(multiples[i], tmp);\n- }\n- \n- decaf_bzero(pn,sizeof(pn));\n- decaf_bzero(tmp,sizeof(tmp));\n-}\n-\n-void API_NS(point_scalarmul) (\n- point_t a,\n- const point_t b,\n- const scalar_t scalar\n-) {\n- const int WINDOW \u003d DECAF_WINDOW_BITS,\n- WINDOW_MASK \u003d (1\u003c\u003cWINDOW)-1,\n- WINDOW_T_MASK \u003d WINDOW_MASK \u003e\u003e 1,\n- NTABLE \u003d 1\u003c\u003c(WINDOW-1);\n- \n- scalar_t scalar1x;\n- API_NS(scalar_add)(scalar1x, scalar, point_scalarmul_adjustment);\n- API_NS(scalar_halve)(scalar1x,scalar1x);\n- \n- /* Set up a precomputed table with odd multiples of b. */\n- pniels_t pn, multiples[NTABLE];\n- point_t tmp;\n- prepare_fixed_window(multiples, b, NTABLE);\n-\n- /* Initialize. */\n- int i,j,first\u003d1;\n- i \u003d SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1;\n-\n- for (; i\u003e\u003d0; i-\u003dWINDOW) {\n- /* Fetch another block of bits */\n- word_t bits \u003d scalar1x-\u003elimb[i/WBITS] \u003e\u003e (i%WBITS);\n- if (i%WBITS \u003e\u003d WBITS-WINDOW \u0026\u0026 i/WBITS\u003cSCALAR_LIMBS-1) {\n- bits ^\u003d scalar1x-\u003elimb[i/WBITS+1] \u003c\u003c (WBITS - (i%WBITS));\n- }\n- bits \u0026\u003d WINDOW_MASK;\n- mask_t inv \u003d (bits\u003e\u003e(WINDOW-1))-1;\n- bits ^\u003d inv;\n- \n- /* Add in from table. Compute t only on last iteration. */\n- constant_time_lookup(pn, multiples, sizeof(pn), NTABLE, bits \u0026 WINDOW_T_MASK);\n- cond_neg_niels(pn-\u003en, inv);\n- if (first) {\n- pniels_to_pt(tmp, pn);\n- first \u003d 0;\n- } else {\n- /* Using Hisil et al's lookahead method instead of extensible here\n- * for no particular reason. 
Double WINDOW times, but only compute t on\n- * the last one.\n- */\n- for (j\u003d0; j\u003cWINDOW-1; j++)\n- point_double_internal(tmp, tmp, -1);\n- point_double_internal(tmp, tmp, 0);\n- add_pniels_to_pt(tmp, pn, i ? -1 : 0);\n- }\n- }\n- \n- /* Write out the answer */\n- API_NS(point_copy)(a,tmp);\n- \n- decaf_bzero(scalar1x,sizeof(scalar1x));\n- decaf_bzero(pn,sizeof(pn));\n- decaf_bzero(multiples,sizeof(multiples));\n- decaf_bzero(tmp,sizeof(tmp));\n-}\n-\n-void API_NS(point_double_scalarmul) (\n- point_t a,\n- const point_t b,\n- const scalar_t scalarb,\n- const point_t c,\n- const scalar_t scalarc\n-) {\n- const int WINDOW \u003d DECAF_WINDOW_BITS,\n- WINDOW_MASK \u003d (1\u003c\u003cWINDOW)-1,\n- WINDOW_T_MASK \u003d WINDOW_MASK \u003e\u003e 1,\n- NTABLE \u003d 1\u003c\u003c(WINDOW-1);\n- \n- scalar_t scalar1x, scalar2x;\n- API_NS(scalar_add)(scalar1x, scalarb, point_scalarmul_adjustment);\n- API_NS(scalar_halve)(scalar1x,scalar1x);\n- API_NS(scalar_add)(scalar2x, scalarc, point_scalarmul_adjustment);\n- API_NS(scalar_halve)(scalar2x,scalar2x);\n- \n- /* Set up a precomputed table with odd multiples of b. */\n- pniels_t pn, multiples1[NTABLE], multiples2[NTABLE];\n- point_t tmp;\n- prepare_fixed_window(multiples1, b, NTABLE);\n- prepare_fixed_window(multiples2, c, NTABLE);\n-\n- /* Initialize. 
*/\n- int i,j,first\u003d1;\n- i \u003d SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1;\n-\n- for (; i\u003e\u003d0; i-\u003dWINDOW) {\n- /* Fetch another block of bits */\n- word_t bits1 \u003d scalar1x-\u003elimb[i/WBITS] \u003e\u003e (i%WBITS),\n- bits2 \u003d scalar2x-\u003elimb[i/WBITS] \u003e\u003e (i%WBITS);\n- if (i%WBITS \u003e\u003d WBITS-WINDOW \u0026\u0026 i/WBITS\u003cSCALAR_LIMBS-1) {\n- bits1 ^\u003d scalar1x-\u003elimb[i/WBITS+1] \u003c\u003c (WBITS - (i%WBITS));\n- bits2 ^\u003d scalar2x-\u003elimb[i/WBITS+1] \u003c\u003c (WBITS - (i%WBITS));\n- }\n- bits1 \u0026\u003d WINDOW_MASK;\n- bits2 \u0026\u003d WINDOW_MASK;\n- mask_t inv1 \u003d (bits1\u003e\u003e(WINDOW-1))-1;\n- mask_t inv2 \u003d (bits2\u003e\u003e(WINDOW-1))-1;\n- bits1 ^\u003d inv1;\n- bits2 ^\u003d inv2;\n- \n- /* Add in from table. Compute t only on last iteration. */\n- constant_time_lookup(pn, multiples1, sizeof(pn), NTABLE, bits1 \u0026 WINDOW_T_MASK);\n- cond_neg_niels(pn-\u003en, inv1);\n- if (first) {\n- pniels_to_pt(tmp, pn);\n- first \u003d 0;\n- } else {\n- /* Using Hisil et al's lookahead method instead of extensible here\n- * for no particular reason. 
Double WINDOW times, but only compute t on\n- * the last one.\n- */\n- for (j\u003d0; j\u003cWINDOW-1; j++)\n- point_double_internal(tmp, tmp, -1);\n- point_double_internal(tmp, tmp, 0);\n- add_pniels_to_pt(tmp, pn, 0);\n- }\n- constant_time_lookup(pn, multiples2, sizeof(pn), NTABLE, bits2 \u0026 WINDOW_T_MASK);\n- cond_neg_niels(pn-\u003en, inv2);\n- add_pniels_to_pt(tmp, pn, i?-1:0);\n- }\n- \n- /* Write out the answer */\n- API_NS(point_copy)(a,tmp);\n- \n-\n- decaf_bzero(scalar1x,sizeof(scalar1x));\n- decaf_bzero(scalar2x,sizeof(scalar2x));\n- decaf_bzero(pn,sizeof(pn));\n- decaf_bzero(multiples1,sizeof(multiples1));\n- decaf_bzero(multiples2,sizeof(multiples2));\n- decaf_bzero(tmp,sizeof(tmp));\n-}\n-\n-void API_NS(point_dual_scalarmul) (\n- point_t a1,\n- point_t a2,\n- const point_t b,\n- const scalar_t scalar1,\n- const scalar_t scalar2\n-) {\n- const int WINDOW \u003d DECAF_WINDOW_BITS,\n- WINDOW_MASK \u003d (1\u003c\u003cWINDOW)-1,\n- WINDOW_T_MASK \u003d WINDOW_MASK \u003e\u003e 1,\n- NTABLE \u003d 1\u003c\u003c(WINDOW-1);\n- \n- scalar_t scalar1x, scalar2x;\n- API_NS(scalar_add)(scalar1x, scalar1, point_scalarmul_adjustment);\n- API_NS(scalar_halve)(scalar1x,scalar1x);\n- API_NS(scalar_add)(scalar2x, scalar2, point_scalarmul_adjustment);\n- API_NS(scalar_halve)(scalar2x,scalar2x);\n- \n- /* Set up a precomputed table with odd multiples of b. */\n- point_t multiples1[NTABLE], multiples2[NTABLE], working, tmp;\n- pniels_t pn;\n- \n- API_NS(point_copy)(working, b);\n-\n- /* Initialize. 
*/\n- int i,j;\n- \n- for (i\u003d0; i\u003cNTABLE; i++) {\n- API_NS(point_copy)(multiples1[i], API_NS(point_identity));\n- API_NS(point_copy)(multiples2[i], API_NS(point_identity));\n- }\n-\n- for (i\u003d0; i\u003cSCALAR_BITS; i+\u003dWINDOW) { \n- if (i) {\n- for (j\u003d0; j\u003cWINDOW-1; j++)\n- point_double_internal(working, working, -1);\n- point_double_internal(working, working, 0);\n- }\n- \n- /* Fetch another block of bits */\n- word_t bits1 \u003d scalar1x-\u003elimb[i/WBITS] \u003e\u003e (i%WBITS),\n- bits2 \u003d scalar2x-\u003elimb[i/WBITS] \u003e\u003e (i%WBITS);\n- if (i%WBITS \u003e\u003d WBITS-WINDOW \u0026\u0026 i/WBITS\u003cSCALAR_LIMBS-1) {\n- bits1 ^\u003d scalar1x-\u003elimb[i/WBITS+1] \u003c\u003c (WBITS - (i%WBITS));\n- bits2 ^\u003d scalar2x-\u003elimb[i/WBITS+1] \u003c\u003c (WBITS - (i%WBITS));\n- }\n- bits1 \u0026\u003d WINDOW_MASK;\n- bits2 \u0026\u003d WINDOW_MASK;\n- mask_t inv1 \u003d (bits1\u003e\u003e(WINDOW-1))-1;\n- mask_t inv2 \u003d (bits2\u003e\u003e(WINDOW-1))-1;\n- bits1 ^\u003d inv1;\n- bits2 ^\u003d inv2;\n- \n- pt_to_pniels(pn, working);\n-\n- constant_time_lookup(tmp, multiples1, sizeof(tmp), NTABLE, bits1 \u0026 WINDOW_T_MASK);\n- cond_neg_niels(pn-\u003en, inv1);\n- /* add_pniels_to_pt(multiples1[bits1 \u0026 WINDOW_T_MASK], pn, 0); */\n- add_pniels_to_pt(tmp, pn, 0);\n- constant_time_insert(multiples1, tmp, sizeof(tmp), NTABLE, bits1 \u0026 WINDOW_T_MASK);\n- \n- \n- constant_time_lookup(tmp, multiples2, sizeof(tmp), NTABLE, bits2 \u0026 WINDOW_T_MASK);\n- cond_neg_niels(pn-\u003en, inv1^inv2);\n- /* add_pniels_to_pt(multiples2[bits2 \u0026 WINDOW_T_MASK], pn, 0); */\n- add_pniels_to_pt(tmp, pn, 0);\n- constant_time_insert(multiples2, tmp, sizeof(tmp), NTABLE, bits2 \u0026 WINDOW_T_MASK);\n- }\n- \n- if (NTABLE \u003e 1) {\n- API_NS(point_copy)(working, multiples1[NTABLE-1]);\n- API_NS(point_copy)(tmp , multiples2[NTABLE-1]);\n- \n- for (i\u003dNTABLE-1; i\u003e1; i--) {\n- API_NS(point_add)(multiples1[i-1], 
multiples1[i-1], multiples1[i]);\n- API_NS(point_add)(multiples2[i-1], multiples2[i-1], multiples2[i]);\n- API_NS(point_add)(working, working, multiples1[i-1]);\n- API_NS(point_add)(tmp, tmp, multiples2[i-1]);\n- }\n- \n- API_NS(point_add)(multiples1[0], multiples1[0], multiples1[1]);\n- API_NS(point_add)(multiples2[0], multiples2[0], multiples2[1]);\n- point_double_internal(working, working, 0);\n- point_double_internal(tmp, tmp, 0);\n- API_NS(point_add)(a1, working, multiples1[0]);\n- API_NS(point_add)(a2, tmp, multiples2[0]);\n- } else {\n- API_NS(point_copy)(a1, multiples1[0]);\n- API_NS(point_copy)(a2, multiples2[0]);\n- }\n-\n- decaf_bzero(scalar1x,sizeof(scalar1x));\n- decaf_bzero(scalar2x,sizeof(scalar2x));\n- decaf_bzero(pn,sizeof(pn));\n- decaf_bzero(multiples1,sizeof(multiples1));\n- decaf_bzero(multiples2,sizeof(multiples2));\n- decaf_bzero(tmp,sizeof(tmp));\n- decaf_bzero(working,sizeof(working));\n-}\n-\n-decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {\n- /* equality mod 2-torsion compares x/y */\n- gf a, b;\n- gf_mul ( a, p-\u003ey, q-\u003ex );\n- gf_mul ( b, q-\u003ey, p-\u003ex );\n- mask_t succ \u003d gf_eq(a,b);\n- \n- #if (COFACTOR \u003d\u003d 8) \u0026\u0026 IMAGINE_TWIST\n- gf_mul ( a, p-\u003ey, q-\u003ey );\n- gf_mul ( b, q-\u003ex, p-\u003ex );\n- #if !(IMAGINE_TWIST)\n- gf_sub ( a, ZERO, a );\n- #else\n- /* Interesting note: the 4tor would normally be rotation.\n- * But because of the *i twist, it's actually\n- * (x,y) \u003c-\u003e (iy,ix)\n- */\n- \n- /* No code, just a comment. 
*/\n- #endif\n- succ |\u003d gf_eq(a,b);\n- #endif\n- \n- return mask_to_bool(succ);\n-}\n-\n-decaf_bool_t API_NS(point_valid) (\n- const point_t p\n-) {\n- gf a,b,c;\n- gf_mul(a,p-\u003ex,p-\u003ey);\n- gf_mul(b,p-\u003ez,p-\u003et);\n- mask_t out \u003d gf_eq(a,b);\n- gf_sqr(a,p-\u003ex);\n- gf_sqr(b,p-\u003ey);\n- gf_sub(a,b,a);\n- gf_sqr(b,p-\u003et);\n- gf_mulw(c,b,TWISTED_D);\n- gf_sqr(b,p-\u003ez);\n- gf_add(b,b,c);\n- out \u0026\u003d gf_eq(a,b);\n- out \u0026\u003d ~gf_eq(p-\u003ez,ZERO);\n- return mask_to_bool(out);\n-}\n-\n-void API_NS(point_debugging_torque) (\n- point_t q,\n- const point_t p\n-) {\n-#if COFACTOR \u003d\u003d 8 \u0026\u0026 IMAGINE_TWIST\n- gf tmp;\n- gf_mul(tmp,p-\u003ex,SQRT_MINUS_ONE);\n- gf_mul(q-\u003ex,p-\u003ey,SQRT_MINUS_ONE);\n- gf_copy(q-\u003ey,tmp);\n- gf_copy(q-\u003ez,p-\u003ez);\n- gf_sub(q-\u003et,ZERO,p-\u003et);\n-#else\n- gf_sub(q-\u003ex,ZERO,p-\u003ex);\n- gf_sub(q-\u003ey,ZERO,p-\u003ey);\n- gf_copy(q-\u003ez,p-\u003ez);\n- gf_copy(q-\u003et,p-\u003et);\n-#endif\n-}\n-\n-void API_NS(point_debugging_pscale) (\n- point_t q,\n- const point_t p,\n- const uint8_t factor[SER_BYTES]\n-) {\n- gf gfac,tmp;\n- /* NB this means you'll never pscale by negative numbers for p521 */\n- ignore_result(gf_deserialize(gfac,factor,0,0));\n- gf_cond_sel(gfac,gfac,ONE,gf_eq(gfac,ZERO));\n- gf_mul(tmp,p-\u003ex,gfac);\n- gf_copy(q-\u003ex,tmp);\n- gf_mul(tmp,p-\u003ey,gfac);\n- gf_copy(q-\u003ey,tmp);\n- gf_mul(tmp,p-\u003ez,gfac);\n- gf_copy(q-\u003ez,tmp);\n- gf_mul(tmp,p-\u003et,gfac);\n- gf_copy(q-\u003et,tmp);\n-}\n-\n-static void gf_batch_invert (\n- gf *__restrict__ out,\n- const gf *in,\n- unsigned int n\n-) {\n- gf t1;\n- assert(n\u003e1);\n- \n- gf_copy(out[1], in[0]);\n- int i;\n- for (i\u003d1; i\u003c(int) (n-1); i++) {\n- gf_mul(out[i+1], out[i], in[i]);\n- }\n- gf_mul(out[0], out[n-1], in[n-1]);\n-\n- gf_invert(out[0], out[0], 1);\n-\n- for (i\u003dn-1; i\u003e0; i--) {\n- gf_mul(t1, out[i], out[0]);\n- gf_copy(out[i], 
t1);\n- gf_mul(t1, out[0], in[i]);\n- gf_copy(out[0], t1);\n- }\n-}\n-\n-static void batch_normalize_niels (\n- niels_t *table,\n- const gf *zs,\n- gf *__restrict__ zis,\n- int n\n-) {\n- int i;\n- gf product;\n- gf_batch_invert(zis, zs, n);\n-\n- for (i\u003d0; i\u003cn; i++) {\n- gf_mul(product, table[i]-\u003ea, zis[i]);\n- gf_strong_reduce(product);\n- gf_copy(table[i]-\u003ea, product);\n- \n- gf_mul(product, table[i]-\u003eb, zis[i]);\n- gf_strong_reduce(product);\n- gf_copy(table[i]-\u003eb, product);\n- \n- gf_mul(product, table[i]-\u003ec, zis[i]);\n- gf_strong_reduce(product);\n- gf_copy(table[i]-\u003ec, product);\n- }\n- \n- decaf_bzero(product,sizeof(product));\n-}\n-\n-void API_NS(precompute) (\n- precomputed_s *table,\n- const point_t base\n-) { \n- const unsigned int n \u003d COMBS_N, t \u003d COMBS_T, s \u003d COMBS_S;\n- assert(n*t*s \u003e\u003d SCALAR_BITS);\n- \n- point_t working, start, doubles[t-1];\n- API_NS(point_copy)(working, base);\n- pniels_t pn_tmp;\n- \n- gf zs[n\u003c\u003c(t-1)], zis[n\u003c\u003c(t-1)];\n- \n- unsigned int i,j,k;\n- \n- /* Compute n tables */\n- for (i\u003d0; i\u003cn; i++) {\n-\n- /* Doubling phase */\n- for (j\u003d0; j\u003ct; j++) {\n- if (j) API_NS(point_add)(start, start, working);\n- else API_NS(point_copy)(start, working);\n-\n- if (j\u003d\u003dt-1 \u0026\u0026 i\u003d\u003dn-1) break;\n-\n- point_double_internal(working, working,0);\n- if (j\u003ct-1) API_NS(point_copy)(doubles[j], working);\n-\n- for (k\u003d0; k\u003cs-1; k++)\n- point_double_internal(working, working, k\u003cs-2);\n- }\n-\n- /* Gray-code phase */\n- for (j\u003d0;; j++) {\n- int gray \u003d j ^ (j\u003e\u003e1);\n- int idx \u003d (((i+1)\u003c\u003c(t-1))-1) ^ gray;\n-\n- pt_to_pniels(pn_tmp, start);\n- memcpy(table-\u003etable[idx], pn_tmp-\u003en, sizeof(pn_tmp-\u003en));\n- gf_copy(zs[idx], pn_tmp-\u003ez);\n-\t\t\t\n- if (j \u003e\u003d (1u\u003c\u003c(t-1)) - 1) break;\n- int delta \u003d (j+1) ^ ((j+1)\u003e\u003e1) ^ 
gray;\n-\n- for (k\u003d0; delta\u003e1; k++)\n- delta \u003e\u003e\u003d1;\n- \n- if (gray \u0026 (1\u003c\u003ck)) {\n- API_NS(point_add)(start, start, doubles[k]);\n- } else {\n- API_NS(point_sub)(start, start, doubles[k]);\n- }\n- }\n- }\n- \n- batch_normalize_niels(table-\u003etable,(const gf *)zs,zis,n\u003c\u003c(t-1));\n- \n- decaf_bzero(zs,sizeof(zs));\n- decaf_bzero(zis,sizeof(zis));\n- decaf_bzero(pn_tmp,sizeof(pn_tmp));\n- decaf_bzero(working,sizeof(working));\n- decaf_bzero(start,sizeof(start));\n- decaf_bzero(doubles,sizeof(doubles));\n-}\n-\n-static DECAF_INLINE void\n-constant_time_lookup_niels (\n- niels_s *__restrict__ ni,\n- const niels_t *table,\n- int nelts,\n- int idx\n-) {\n- constant_time_lookup(ni, table, sizeof(niels_s), nelts, idx);\n-}\n-\n-void API_NS(precomputed_scalarmul) (\n- point_t out,\n- const precomputed_s *table,\n- const scalar_t scalar\n-) {\n- int i;\n- unsigned j,k;\n- const unsigned int n \u003d COMBS_N, t \u003d COMBS_T, s \u003d COMBS_S;\n- \n- scalar_t scalar1x;\n- API_NS(scalar_add)(scalar1x, scalar, precomputed_scalarmul_adjustment);\n- API_NS(scalar_halve)(scalar1x,scalar1x);\n- \n- niels_t ni;\n- \n- for (i\u003ds-1; i\u003e\u003d0; i--) {\n- if (i !\u003d (int)s-1) point_double_internal(out,out,0);\n- \n- for (j\u003d0; j\u003cn; j++) {\n- int tab \u003d 0;\n- \n- for (k\u003d0; k\u003ct; k++) {\n- unsigned int bit \u003d i + s*(k + j*t);\n- if (bit \u003c SCALAR_BITS) {\n- tab |\u003d (scalar1x-\u003elimb[bit/WBITS] \u003e\u003e (bit%WBITS) \u0026 1) \u003c\u003c k;\n- }\n- }\n- \n- mask_t invert \u003d (tab\u003e\u003e(t-1))-1;\n- tab ^\u003d invert;\n- tab \u0026\u003d (1\u003c\u003c(t-1)) - 1;\n-\n- constant_time_lookup_niels(ni, \u0026table-\u003etable[j\u003c\u003c(t-1)], 1\u003c\u003c(t-1), tab);\n-\n- cond_neg_niels(ni, invert);\n- if ((i!\u003d(int)s-1)||j) {\n- add_niels_to_pt(out, ni, j\u003d\u003dn-1 \u0026\u0026 i);\n- } else {\n- niels_to_pt(out, ni);\n- }\n- }\n- }\n- \n- 
decaf_bzero(ni,sizeof(ni));\n- decaf_bzero(scalar1x,sizeof(scalar1x));\n-}\n-\n-void API_NS(point_cond_sel) (\n- point_t out,\n- const point_t a,\n- const point_t b,\n- decaf_bool_t pick_b\n-) {\n- constant_time_select(out,a,b,sizeof(point_t),bool_to_mask(pick_b),0);\n-}\n-\n-/* FUTURE: restore Curve25519 Montgomery ladder? */\n-decaf_error_t API_NS(direct_scalarmul) (\n- uint8_t scaled[SER_BYTES],\n- const uint8_t base[SER_BYTES],\n- const scalar_t scalar,\n- decaf_bool_t allow_identity,\n- decaf_bool_t short_circuit\n-) {\n- point_t basep;\n- decaf_error_t succ \u003d API_NS(point_decode)(basep, base, allow_identity);\n- if (short_circuit \u0026\u0026 succ !\u003d DECAF_SUCCESS) return succ;\n- API_NS(point_cond_sel)(basep, API_NS(point_base), basep, succ);\n- API_NS(point_scalarmul)(basep, basep, scalar);\n- API_NS(point_encode)(scaled, basep);\n- API_NS(point_destroy)(basep);\n- return succ;\n-}\n-\n-void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (\n- uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const point_t p\n-) {\n- \n- /* The point is now on the twisted curve. Move it to untwisted. 
*/\n- gf x, y, z, t;\n- point_t q;\n-#if COFACTOR \u003d\u003d 8\n- API_NS(point_double)(q,p);\n-#else\n- API_NS(point_copy)(q,p);\n-#endif\n- \n-#if EDDSA_USE_SIGMA_ISOGENY\n- {\n- /* Use 4-isogeny like ed25519:\n- * 2*x*y*sqrt(d/a-1)/(ax^2 + y^2 - 2)\n- * (y^2 - ax^2)/(y^2 + ax^2)\n- * with a \u003d -1, d \u003d -EDWARDS_D:\n- * -2xysqrt(EDWARDS_D-1)/(2z^2-y^2+x^2)\n- * (y^2+x^2)/(y^2-x^2)\n- */\n- gf u;\n- gf_sqr ( x, q-\u003ex ); // x^2\n- gf_sqr ( t, q-\u003ey ); // y^2\n- gf_add( u, x, t ); // x^2 + y^2\n- gf_add( z, q-\u003ey, q-\u003ex );\n- gf_sqr ( y, z);\n- gf_sub ( y, u, y ); // -2xy\n- gf_sub ( z, t, x ); // y^2 - x^2\n- gf_sqr ( x, q-\u003ez );\n- gf_add ( t, x, x);\n- gf_sub ( t, t, z); // 2z^2 - y^2 + x^2\n- gf_mul ( x, y, z ); // 2xy(y^2-x^2)\n- gf_mul ( y, u, t ); // (x^2+y^2)(2z^2-y^2+x^2)\n- gf_mul ( u, z, t );\n- gf_copy( z, u );\n- gf_mul ( u, x, RISTRETTO_FACTOR );\n-#if IMAGINE_TWIST\n- gf_mul_i( x, u );\n-#else\n-#error \u0022... probably wrong\u0022\n- gf_copy( x, u );\n-#endif\n- decaf_bzero(u,sizeof(u));\n- }\n-#elif IMAGINE_TWIST\n- {\n- API_NS(point_double)(q,q);\n- API_NS(point_double)(q,q);\n- gf_mul_i(x, q-\u003ex);\n- gf_copy(y, q-\u003ey);\n- gf_copy(z, q-\u003ez);\n- }\n-#else\n- {\n- /* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */\n- gf u;\n- gf_sqr ( x, q-\u003ex );\n- gf_sqr ( t, q-\u003ey );\n- gf_add( u, x, t );\n- gf_add( z, q-\u003ey, q-\u003ex );\n- gf_sqr ( y, z);\n- gf_sub ( y, y, u );\n- gf_sub ( z, t, x );\n- gf_sqr ( x, q-\u003ez );\n- gf_add ( t, x, x); \n- gf_sub ( t, t, z);\n- gf_mul ( x, t, y );\n- gf_mul ( y, z, u );\n- gf_mul ( z, u, t );\n- decaf_bzero(u,sizeof(u));\n- }\n-#endif\n- /* Affinize */\n- gf_invert(z,z,1);\n- gf_mul(t,x,z);\n- gf_mul(x,y,z);\n- \n- /* Encode */\n- enc[DECAF_EDDSA_448_PRIVATE_BYTES-1] \u003d 0;\n- gf_serialize(enc, x, 1);\n- enc[DECAF_EDDSA_448_PRIVATE_BYTES-1] |\u003d 0x80 \u0026 gf_lobit(t);\n-\n- decaf_bzero(x,sizeof(x));\n- decaf_bzero(y,sizeof(y));\n- 
decaf_bzero(z,sizeof(z));\n- decaf_bzero(t,sizeof(t));\n- API_NS(point_destroy)(q);\n-}\n-\n-\n-decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (\n- point_t p,\n- const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]\n-) {\n- uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES];\n- memcpy(enc2,enc,sizeof(enc2));\n-\n- mask_t low \u003d ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] \u0026 0x80);\n- enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] \u0026\u003d ~0x80;\n- \n- mask_t succ \u003d gf_deserialize(p-\u003ey, enc2, 1, 0);\n-#if 0 \u003d\u003d 0\n- succ \u0026\u003d word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1]);\n-#endif\n-\n- gf_sqr(p-\u003ex,p-\u003ey);\n- gf_sub(p-\u003ez,ONE,p-\u003ex); /* num \u003d 1-y^2 */\n- #if EDDSA_USE_SIGMA_ISOGENY\n- gf_mulw(p-\u003et,p-\u003ez,EDWARDS_D); /* d-dy^2 */\n- gf_mulw(p-\u003ex,p-\u003ez,EDWARDS_D-1); /* num \u003d (1-y^2)(d-1) */\n- gf_copy(p-\u003ez,p-\u003ex);\n- #else\n- gf_mulw(p-\u003et,p-\u003ex,EDWARDS_D); /* dy^2 */\n- #endif\n- gf_sub(p-\u003et,ONE,p-\u003et); /* denom \u003d 1-dy^2 or 1-d + dy^2 */\n- \n- gf_mul(p-\u003ex,p-\u003ez,p-\u003et);\n- succ \u0026\u003d gf_isr(p-\u003et,p-\u003ex); /* 1/sqrt(num * denom) */\n- \n- gf_mul(p-\u003ex,p-\u003et,p-\u003ez); /* sqrt(num / denom) */\n- gf_cond_neg(p-\u003ex,gf_lobit(p-\u003ex)^low);\n- gf_copy(p-\u003ez,ONE);\n- \n- #if EDDSA_USE_SIGMA_ISOGENY\n- {\n- /* Use 4-isogeny like ed25519:\n- * 2*x*y/sqrt(1-d/a)/(ax^2 + y^2 - 2)\n- * (y^2 - ax^2)/(y^2 + ax^2)\n- * (MAGIC: above formula may be off by a factor of -a\n- * or something somewhere; check it for other a)\n- *\n- * with a \u003d -1, d \u003d -EDWARDS_D:\n- * -2xy/sqrt(1-EDWARDS_D)/(2z^2-y^2+x^2)\n- * (y^2+x^2)/(y^2-x^2)\n- */\n- gf a, b, c, d;\n- gf_sqr ( c, p-\u003ex );\n- gf_sqr ( a, p-\u003ey );\n- gf_add ( d, c, a ); // x^2 + y^2\n- gf_add ( p-\u003et, p-\u003ey, p-\u003ex );\n- gf_sqr ( b, p-\u003et );\n- gf_sub ( b, b, d ); // 2xy\n- gf_sub ( p-\u003et, a, c ); // y^2 - x^2\n- gf_sqr ( p-\u003ex, 
p-\u003ez );\n- gf_add ( p-\u003ez, p-\u003ex, p-\u003ex );\n- gf_sub ( c, p-\u003ez, p-\u003et ); // 2z^2 - y^2 + x^2\n- gf_div_i ( a, c );\n- gf_mul ( c, a, RISTRETTO_FACTOR );\n- gf_mul ( p-\u003ex, b, p-\u003et); // (2xy)(y^2-x^2)\n- gf_mul ( p-\u003ez, p-\u003et, c ); // (y^2-x^2)sd(2z^2 - y^2 + x^2)\n- gf_mul ( p-\u003ey, d, c ); // (y^2+x^2)sd(2z^2 - y^2 + x^2)\n- gf_mul ( p-\u003et, d, b );\n- decaf_bzero(a,sizeof(a));\n- decaf_bzero(b,sizeof(b));\n- decaf_bzero(c,sizeof(c));\n- decaf_bzero(d,sizeof(d));\n- } \n- #elif IMAGINE_TWIST\n- {\n- gf_mul(p-\u003et,p-\u003ex,SQRT_MINUS_ONE);\n- gf_copy(p-\u003ex,p-\u003et);\n- gf_mul(p-\u003et,p-\u003ex,p-\u003ey);\n- }\n- #else\n- {\n- /* 4-isogeny 2xy/(y^2-ax^2), (y^2+ax^2)/(2-y^2-ax^2) */\n- gf a, b, c, d;\n- gf_sqr ( c, p-\u003ex );\n- gf_sqr ( a, p-\u003ey );\n- gf_add ( d, c, a );\n- gf_add ( p-\u003et, p-\u003ey, p-\u003ex );\n- gf_sqr ( b, p-\u003et );\n- gf_sub ( b, b, d );\n- gf_sub ( p-\u003et, a, c );\n- gf_sqr ( p-\u003ex, p-\u003ez );\n- gf_add ( p-\u003ez, p-\u003ex, p-\u003ex );\n- gf_sub ( a, p-\u003ez, d );\n- gf_mul ( p-\u003ex, a, b );\n- gf_mul ( p-\u003ez, p-\u003et, a );\n- gf_mul ( p-\u003ey, p-\u003et, d );\n- gf_mul ( p-\u003et, b, d );\n- decaf_bzero(a,sizeof(a));\n- decaf_bzero(b,sizeof(b));\n- decaf_bzero(c,sizeof(c));\n- decaf_bzero(d,sizeof(d));\n- }\n- #endif\n- \n- decaf_bzero(enc2,sizeof(enc2));\n- assert(API_NS(point_valid)(p) || ~succ);\n- \n- return decaf_succeed_if(mask_to_bool(succ));\n-}\n-\n-decaf_error_t decaf_x448 (\n- uint8_t out[X_PUBLIC_BYTES],\n- const uint8_t base[X_PUBLIC_BYTES],\n- const uint8_t scalar[X_PRIVATE_BYTES]\n-) {\n- gf x1, x2, z2, x3, z3, t1, t2;\n- ignore_result(gf_deserialize(x1,base,1,0));\n- gf_copy(x2,ONE);\n- gf_copy(z2,ZERO);\n- gf_copy(x3,x1);\n- gf_copy(z3,ONE);\n- \n- int t;\n- mask_t swap \u003d 0;\n- \n- for (t \u003d X_PRIVATE_BITS-1; t\u003e\u003d0; t--) {\n- uint8_t sb \u003d scalar[t/8];\n- \n- /* Scalar conditioning */\n- if 
(t/8\u003d\u003d0) sb \u0026\u003d -(uint8_t)COFACTOR;\n- else if (t \u003d\u003d X_PRIVATE_BITS-1) sb \u003d -1;\n- \n- mask_t k_t \u003d (sb\u003e\u003e(t%8)) \u0026 1;\n- k_t \u003d -k_t; /* set to all 0s or all 1s */\n- \n- swap ^\u003d k_t;\n- gf_cond_swap(x2,x3,swap);\n- gf_cond_swap(z2,z3,swap);\n- swap \u003d k_t;\n- \n- gf_add_nr(t1,x2,z2); /* A \u003d x2 + z2 */ /* 2+e */\n- gf_sub_nr(t2,x2,z2); /* B \u003d x2 - z2 */ /* 3+e */\n- gf_sub_nr(z2,x3,z3); /* D \u003d x3 - z3 */ /* 3+e */\n- gf_mul(x2,t1,z2); /* DA */\n- gf_add_nr(z2,z3,x3); /* C \u003d x3 + z3 */ /* 2+e */\n- gf_mul(x3,t2,z2); /* CB */\n- gf_sub_nr(z3,x2,x3); /* DA-CB */ /* 3+e */\n- gf_sqr(z2,z3); /* (DA-CB)^2 */\n- gf_mul(z3,x1,z2); /* z3 \u003d x1(DA-CB)^2 */\n- gf_add_nr(z2,x2,x3); /* (DA+CB) */ /* 2+e */\n- gf_sqr(x3,z2); /* x3 \u003d (DA+CB)^2 */\n- \n- gf_sqr(z2,t1); /* AA \u003d A^2 */\n- gf_sqr(t1,t2); /* BB \u003d B^2 */\n- gf_mul(x2,z2,t1); /* x2 \u003d AA*BB */\n- gf_sub_nr(t2,z2,t1); /* E \u003d AA-BB */ /* 3+e */\n- \n- gf_mulw(t1,t2,-EDWARDS_D); /* E*-d \u003d a24*E */\n- gf_add_nr(t1,t1,z2); /* AA + a24*E */ /* 2+e */\n- gf_mul(z2,t2,t1); /* z2 \u003d E(AA+a24*E) */\n- }\n- \n- /* Finish */\n- gf_cond_swap(x2,x3,swap);\n- gf_cond_swap(z2,z3,swap);\n- gf_invert(z2,z2,0);\n- gf_mul(x1,x2,z2);\n- gf_serialize(out,x1,1);\n- mask_t nz \u003d ~gf_eq(x1,ZERO);\n- \n- decaf_bzero(x1,sizeof(x1));\n- decaf_bzero(x2,sizeof(x2));\n- decaf_bzero(z2,sizeof(z2));\n- decaf_bzero(x3,sizeof(x3));\n- decaf_bzero(z3,sizeof(z3));\n- decaf_bzero(t1,sizeof(t1));\n- decaf_bzero(t2,sizeof(t2));\n- \n- return decaf_succeed_if(mask_to_bool(nz));\n-}\n-\n-/* Thanks Johan Pascal */\n-void decaf_ed448_convert_public_key_to_x448 (\n- uint8_t x[DECAF_X448_PUBLIC_BYTES],\n- const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES]\n-) {\n- gf y;\n- const uint8_t mask \u003d (uint8_t)(0xFE\u003c\u003c(7));\n- ignore_result(gf_deserialize(y, ed, 1, mask));\n- \n- {\n- gf n,d;\n- \n-#if EDDSA_USE_SIGMA_ISOGENY\n- /* u 
\u003d (1+y)/(1-y)*/\n- gf_add(n, y, ONE); /* n \u003d y+1 */\n- gf_sub(d, ONE, y); /* d \u003d 1-y */\n- gf_invert(d, d, 0); /* d \u003d 1/(1-y) */\n- gf_mul(y, n, d); /* u \u003d (y+1)/(1-y) */\n- gf_serialize(x,y,1);\n-#else /* EDDSA_USE_SIGMA_ISOGENY */\n- /* u \u003d y^2 * (1-dy^2) / (1-y^2) */\n- gf_sqr(n,y); /* y^2*/\n- gf_sub(d,ONE,n); /* 1-y^2*/\n- gf_invert(d,d,0); /* 1/(1-y^2)*/\n- gf_mul(y,n,d); /* y^2 / (1-y^2) */\n- gf_mulw(d,n,EDWARDS_D); /* dy^2*/\n- gf_sub(d, ONE, d); /* 1-dy^2*/\n- gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */\n- gf_serialize(x,n,1);\n-#endif /* EDDSA_USE_SIGMA_ISOGENY */\n- \n- decaf_bzero(y,sizeof(y));\n- decaf_bzero(n,sizeof(n));\n- decaf_bzero(d,sizeof(d));\n- }\n-}\n-\n-void decaf_x448_generate_key (\n- uint8_t out[X_PUBLIC_BYTES],\n- const uint8_t scalar[X_PRIVATE_BYTES]\n-) {\n- decaf_x448_derive_public_key(out,scalar);\n-}\n-\n-void API_NS(point_mul_by_ratio_and_encode_like_x448) (\n- uint8_t out[X_PUBLIC_BYTES],\n- const point_t p\n-) {\n- point_t q;\n-#if COFACTOR \u003d\u003d 8\n- point_double_internal(q,p,1);\n-#else\n- API_NS(point_copy)(q,p);\n-#endif\n- gf_invert(q-\u003et,q-\u003ex,0); /* 1/x */\n- gf_mul(q-\u003ez,q-\u003et,q-\u003ey); /* y/x */\n- gf_sqr(q-\u003ey,q-\u003ez); /* (y/x)^2 */\n-#if IMAGINE_TWIST\n- gf_sub(q-\u003ey,ZERO,q-\u003ey);\n-#endif\n- gf_serialize(out,q-\u003ey,1);\n- API_NS(point_destroy(q));\n-}\n-\n-void decaf_x448_derive_public_key (\n- uint8_t out[X_PUBLIC_BYTES],\n- const uint8_t scalar[X_PRIVATE_BYTES]\n-) {\n- /* Scalar conditioning */\n- uint8_t scalar2[X_PRIVATE_BYTES];\n- memcpy(scalar2,scalar,sizeof(scalar2));\n- scalar2[0] \u0026\u003d -(uint8_t)COFACTOR;\n- \n- scalar2[X_PRIVATE_BYTES-1] \u0026\u003d ~(-1u\u003c\u003c((X_PRIVATE_BITS+7)%8));\n- scalar2[X_PRIVATE_BYTES-1] |\u003d 1\u003c\u003c((X_PRIVATE_BITS+7)%8);\n- \n- scalar_t the_scalar;\n- API_NS(scalar_decode_long)(the_scalar,scalar2,sizeof(scalar2));\n- \n- /* Compensate for the encoding ratio */\n- for (unsigned 
i\u003d1; i\u003cDECAF_X448_ENCODE_RATIO; i\u003c\u003c\u003d1) {\n- API_NS(scalar_halve)(the_scalar,the_scalar);\n- }\n- point_t p;\n- API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),the_scalar);\n- API_NS(point_mul_by_ratio_and_encode_like_x448)(out,p);\n- API_NS(point_destroy)(p);\n-}\n-\n-/**\n- * @cond internal\n- * Control for variable-time scalar multiply algorithms.\n- */\n-struct smvt_control {\n- int power, addend;\n-};\n-\n-static int recode_wnaf (\n- struct smvt_control *control, /* [nbits/(table_bits+1) + 3] */\n- const scalar_t scalar,\n- unsigned int table_bits\n-) {\n- unsigned int table_size \u003d SCALAR_BITS/(table_bits+1) + 3;\n- int position \u003d table_size - 1; /* at the end */\n- \n- /* place the end marker */\n- control[position].power \u003d -1;\n- control[position].addend \u003d 0;\n- position--;\n-\n- /* PERF: Could negate scalar if it's large. But then would need more cases\n- * in the actual code that uses it, all for an expected reduction of like 1/5 op.\n- * Probably not worth it.\n- */\n- \n- uint64_t current \u003d scalar-\u003elimb[0] \u0026 0xFFFF;\n- uint32_t mask \u003d (1\u003c\u003c(table_bits+1))-1;\n-\n- unsigned int w;\n- const unsigned int B_OVER_16 \u003d sizeof(scalar-\u003elimb[0]) / 2;\n- for (w \u003d 1; w\u003c(SCALAR_BITS-1)/16+3; w++) {\n- if (w \u003c (SCALAR_BITS-1)/16+1) {\n- /* Refill the 16 high bits of current */\n- current +\u003d (uint32_t)((scalar-\u003elimb[w/B_OVER_16]\u003e\u003e(16*(w%B_OVER_16)))\u003c\u003c16);\n- }\n- \n- while (current \u0026 0xFFFF) {\n- assert(position \u003e\u003d 0);\n- uint32_t pos \u003d __builtin_ctz((uint32_t)current), odd \u003d (uint32_t)current \u003e\u003e pos;\n- int32_t delta \u003d odd \u0026 mask;\n- if (odd \u0026 1\u003c\u003c(table_bits+1)) delta -\u003d (1\u003c\u003c(table_bits+1));\n- current -\u003d delta \u003c\u003c pos;\n- control[position].power \u003d pos + 16*(w-1);\n- control[position].addend \u003d delta;\n- position--;\n- }\n- current 
\u003e\u003e\u003d 16;\n- }\n- assert(current\u003d\u003d0);\n- \n- position++;\n- unsigned int n \u003d table_size - position;\n- unsigned int i;\n- for (i\u003d0; i\u003cn; i++) {\n- control[i] \u003d control[i+position];\n- }\n- return n-1;\n-}\n-\n-static void\n-prepare_wnaf_table(\n- pniels_t *output,\n- const point_t working,\n- unsigned int tbits\n-) {\n- point_t tmp;\n- int i;\n- pt_to_pniels(output[0], working);\n-\n- if (tbits \u003d\u003d 0) return;\n-\n- API_NS(point_double)(tmp,working);\n- pniels_t twop;\n- pt_to_pniels(twop, tmp);\n-\n- add_pniels_to_pt(tmp, output[0],0);\n- pt_to_pniels(output[1], tmp);\n-\n- for (i\u003d2; i \u003c 1\u003c\u003ctbits; i++) {\n- add_pniels_to_pt(tmp, twop,0);\n- pt_to_pniels(output[i], tmp);\n- }\n- \n- API_NS(point_destroy)(tmp);\n- decaf_bzero(twop,sizeof(twop));\n-}\n-\n-extern const gf API_NS(precomputed_wnaf_as_fe)[];\n-static const niels_t *API_NS(wnaf_base) \u003d (const niels_t *)API_NS(precomputed_wnaf_as_fe);\n-const size_t API_NS(sizeof_precomputed_wnafs) __attribute((visibility(\u0022hidden\u0022)))\n- \u003d sizeof(niels_t)\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS;\n-\n-void API_NS(precompute_wnafs) (\n- niels_t out[1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS],\n- const point_t base\n-) __attribute__ ((visibility (\u0022hidden\u0022)));\n-\n-void API_NS(precompute_wnafs) (\n- niels_t out[1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS],\n- const point_t base\n-) {\n- pniels_t tmp[1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS];\n- gf zs[1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS], zis[1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS];\n- int i;\n- prepare_wnaf_table(tmp,base,DECAF_WNAF_FIXED_TABLE_BITS);\n- for (i\u003d0; i\u003c1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS; i++) {\n- memcpy(out[i], tmp[i]-\u003en, sizeof(niels_t));\n- gf_copy(zs[i], tmp[i]-\u003ez);\n- }\n- batch_normalize_niels(out, (const gf *)zs, zis, 1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS);\n- \n- decaf_bzero(tmp,sizeof(tmp));\n- decaf_bzero(zs,sizeof(zs));\n- 
decaf_bzero(zis,sizeof(zis));\n-}\n-\n-void API_NS(base_double_scalarmul_non_secret) (\n- point_t combo,\n- const scalar_t scalar1,\n- const point_t base2,\n- const scalar_t scalar2\n-) {\n- const int table_bits_var \u003d DECAF_WNAF_VAR_TABLE_BITS,\n- table_bits_pre \u003d DECAF_WNAF_FIXED_TABLE_BITS;\n- struct smvt_control control_var[SCALAR_BITS/(table_bits_var+1)+3];\n- struct smvt_control control_pre[SCALAR_BITS/(table_bits_pre+1)+3];\n- \n- int ncb_pre \u003d recode_wnaf(control_pre, scalar1, table_bits_pre);\n- int ncb_var \u003d recode_wnaf(control_var, scalar2, table_bits_var);\n- \n- pniels_t precmp_var[1\u003c\u003ctable_bits_var];\n- prepare_wnaf_table(precmp_var, base2, table_bits_var);\n- \n- int contp\u003d0, contv\u003d0, i \u003d control_var[0].power;\n-\n- if (i \u003c 0) {\n- API_NS(point_copy)(combo, API_NS(point_identity));\n- return;\n- } else if (i \u003e control_pre[0].power) {\n- pniels_to_pt(combo, precmp_var[control_var[0].addend \u003e\u003e 1]);\n- contv++;\n- } else if (i \u003d\u003d control_pre[0].power \u0026\u0026 i \u003e\u003d0 ) {\n- pniels_to_pt(combo, precmp_var[control_var[0].addend \u003e\u003e 1]);\n- add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend \u003e\u003e 1], i);\n- contv++; contp++;\n- } else {\n- i \u003d control_pre[0].power;\n- niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend \u003e\u003e 1]);\n- contp++;\n- }\n- \n- for (i--; i \u003e\u003d 0; i--) {\n- int cv \u003d (i\u003d\u003dcontrol_var[contv].power), cp \u003d (i\u003d\u003dcontrol_pre[contp].power);\n- point_double_internal(combo,combo,i \u0026\u0026 !(cv||cp));\n-\n- if (cv) {\n- assert(control_var[contv].addend);\n-\n- if (control_var[contv].addend \u003e 0) {\n- add_pniels_to_pt(combo, precmp_var[control_var[contv].addend \u003e\u003e 1], i\u0026\u0026!cp);\n- } else {\n- sub_pniels_from_pt(combo, precmp_var[(-control_var[contv].addend) \u003e\u003e 1], i\u0026\u0026!cp);\n- }\n- contv++;\n- }\n-\n- if (cp) {\n- 
assert(control_pre[contp].addend);\n-\n- if (control_pre[contp].addend \u003e 0) {\n- add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[contp].addend \u003e\u003e 1], i);\n- } else {\n- sub_niels_from_pt(combo, API_NS(wnaf_base)[(-control_pre[contp].addend) \u003e\u003e 1], i);\n- }\n- contp++;\n- }\n- }\n- \n- /* This function is non-secret, but whatever this is cheap. */\n- decaf_bzero(control_var,sizeof(control_var));\n- decaf_bzero(control_pre,sizeof(control_pre));\n- decaf_bzero(precmp_var,sizeof(precmp_var));\n-\n- assert(contv \u003d\u003d ncb_var); (void)ncb_var;\n- assert(contp \u003d\u003d ncb_pre); (void)ncb_pre;\n-}\n-\n-void API_NS(point_destroy) (\n- point_t point\n-) {\n- decaf_bzero(point, sizeof(point_t));\n-}\n-\n-void API_NS(precomputed_destroy) (\n- precomputed_s *pre\n-) {\n- decaf_bzero(pre, API_NS(sizeof_precomputed_s));\n-}\ndiff --git a/crypto/ec/curve448/GENERATED/c/ed448goldilocks/decaf_tables.c b/crypto/ec/curve448/GENERATED/c/ed448goldilocks/decaf_tables.c\ndeleted file mode 100644\nindex ab4e6d7..0000000\n--- a/crypto/ec/curve448/GENERATED/c/ed448goldilocks/decaf_tables.c\n+++ /dev/null\n@@ -1,354 +0,0 @@\n-/** @warning: this file was automatically generated. 
*/\n-#include \u0022field.h\u0022\n-\n-#include \u003cdecaf.h\u003e\n-\n-#define API_NS(_id) decaf_448_##_id\n-const API_NS(point_t) API_NS(point_base) \u003d {{\n-{FIELD_LITERAL(0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0080000000000000,0x00fffffffffffffe,0x00ffffffffffffff,0x00ffffffffffffff,0x007fffffffffffff)},\n- {FIELD_LITERAL(0x006079b4dfdd4a64,0x000c1e3ab470a1c8,0x0044d73f48e5199b,0x0050452714141818,0x004c74c393d5242c,0x0024080526437050,0x00d48d06c13078ca,0x008508de14f04286)},\n- {FIELD_LITERAL(0x0000000000000001,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000)},\n- {FIELD_LITERAL(0x00e3c816dc198105,0x0062071833f4e093,0x004dde98e3421403,0x00a319b57519c985,0x00794be956382384,0x00e1ddc2b86da60f,0x0050e23d5682a9ff,0x006d3669e173c6a4)}\n-}};\n-const gf API_NS(precomputed_base_as_fe)[240]\n-VECTOR_ALIGNED __attribute__((visibility(\u0022hidden\u0022))) \u003d {\n- {FIELD_LITERAL(0x00cc3b062366f4cc,0x003d6e34e314aa3c,0x00d51c0a7521774d,0x0094e060eec6ab8b,0x00d21291b4d80082,0x00befed12b55ef1e,0x00c3dd2df5c94518,0x00e0a7b112b8d4e6)},\n- {FIELD_LITERAL(0x0019eb5608d8723a,0x00d1bab52fb3aedb,0x00270a7311ebc90c,0x0037c12b91be7f13,0x005be16cd8b5c704,0x003e181acda888e1,0x00bc1f00fc3fc6d0,0x00d3839bfa319e20)},\n- {FIELD_LITERAL(0x003caeb88611909f,0x00ea8b378c4df3d4,0x00b3295b95a5a19a,0x00a65f97514bdfb5,0x00b39efba743cab1,0x0016ba98b862fd2d,0x0001508812ee71d7,0x000a75740eea114a)},\n- {FIELD_LITERAL(0x00ebcf0eb649f823,0x00166d332e98ea03,0x0059ddf64f5cd5f6,0x0047763123d9471b,0x00a64065c53ef62f,0x00978e44c480153d,0x000b5b2a0265f194,0x0046a24b9f32965a)},\n- {FIELD_LITERAL(0x00b9eef787034df0,0x0020bc24de3390cd,0x000022160bae99bb,0x00ae66e886e97946,0x0048d4bbe02cbb8b,0x0072ba97b34e38d4,0x00eae7ec8f03e85a,0x005ba92ecf808b2c)},\n- 
{FIELD_LITERAL(0x00c9cfbbe74258fd,0x00843a979ea9eaa7,0x000cbb4371cfbe90,0x0059bac8f7f0a628,0x004b3dff882ff530,0x0011869df4d90733,0x00595aa71f4abfc2,0x0070e2d38990c2e6)},\n- {FIELD_LITERAL(0x00de2010c0a01733,0x00c739a612e24297,0x00a7212643141d7c,0x00f88444f6b67c11,0x00484b7b16ec28f2,0x009c1b8856af9c68,0x00ff4669591fe9d6,0x0054974be08a32c8)},\n- {FIELD_LITERAL(0x0010de3fd682ceed,0x008c07642d83ca4e,0x0013bb064e00a1cc,0x009411ae27870e11,0x00ea8e5b4d531223,0x0032fe7d2aaece2e,0x00d989e243e7bb41,0x000fe79a508e9b8b)},\n- {FIELD_LITERAL(0x005e0426b9bfc5b1,0x0041a5b1d29ee4fa,0x0015b0def7774391,0x00bc164f1f51af01,0x00d543b0942797b9,0x003c129b6398099c,0x002b114c6e5adf18,0x00b4e630e4018a7b)},\n- {FIELD_LITERAL(0x00d490afc95f8420,0x00b096bf50c1d9b9,0x00799fd707679866,0x007c74d9334afbea,0x00efaa8be80ff4ed,0x0075c4943bb81694,0x00c21c2fca161f36,0x00e77035d492bfee)},\n- {FIELD_LITERAL(0x006658a190dd6661,0x00e0e9bab38609a6,0x0028895c802237ed,0x006a0229c494f587,0x002dcde96c9916b7,0x00d158822de16218,0x00173b917a06856f,0x00ca78a79ae07326)},\n- {FIELD_LITERAL(0x00e35bfc79caced4,0x0087238a3e1fe3bb,0x00bcbf0ff4ceff5b,0x00a19c1c94099b91,0x0071e102b49db976,0x0059e3d004eada1e,0x008da78afa58a47e,0x00579c8ebf269187)},\n- {FIELD_LITERAL(0x00a16c2905eee75f,0x009d4bcaea2c7e1d,0x00d3bd79bfad19df,0x0050da745193342c,0x006abdb8f6b29ab1,0x00a24fe0a4fef7ef,0x0063730da1057dfb,0x00a08c312c8eb108)},\n- {FIELD_LITERAL(0x00b583be005375be,0x00a40c8f8a4e3df4,0x003fac4a8f5bdbf7,0x00d4481d872cd718,0x004dc8749cdbaefe,0x00cce740d5e5c975,0x000b1c1f4241fd21,0x00a76de1b4e1cd07)},\n- {FIELD_LITERAL(0x007a076500d30b62,0x000a6e117b7f090f,0x00c8712ae7eebd9a,0x000fbd6c1d5f6ff7,0x003a7977246ebf11,0x00166ed969c6600e,0x00aa42e469c98bec,0x00dc58f307cf0666)},\n- {FIELD_LITERAL(0x004b491f65a9a28b,0x006a10309e8a55b7,0x00b67210185187ef,0x00cf6497b12d9b8f,0x0085778c56e2b1ba,0x0015b4c07a814d85,0x00686479e62da561,0x008de5d88f114916)},\n- 
{FIELD_LITERAL(0x00e37c88d6bba7b1,0x003e4577e1b8d433,0x0050d8ea5f510ec0,0x0042fc9f2da9ef59,0x003bd074c1141420,0x00561b8b7b68774e,0x00232e5e5d1013a3,0x006b7f2cb3d7e73f)},\n- {FIELD_LITERAL(0x004bdd0f0b41e6a0,0x001773057c405d24,0x006029f99915bd97,0x006a5ba70a17fe2f,0x0046111977df7e08,0x004d8124c89fb6b7,0x00580983b2bb2724,0x00207bf330d6f3fe)},\n- {FIELD_LITERAL(0x007efdc93972a48b,0x002f5e50e78d5fee,0x0080dc11d61c7fe5,0x0065aa598707245b,0x009abba2300641be,0x000c68787656543a,0x00ffe0fef2dc0a17,0x00007ffbd6cb4f3a)},\n- {FIELD_LITERAL(0x0036012f2b836efc,0x00458c126d6b5fbc,0x00a34436d719ad1e,0x0097be6167117dea,0x0009c219c879cff3,0x0065564493e60755,0x00993ac94a8cdec0,0x002d4885a4d0dbaf)},\n- {FIELD_LITERAL(0x00598b60b4c068ba,0x00c547a0be7f1afd,0x009582164acf12af,0x00af4acac4fbbe40,0x005f6ca7c539121a,0x003b6e752ebf9d66,0x00f08a30d5cac5d4,0x00e399bb5f97c5a9)},\n- {FIELD_LITERAL(0x007445a0409c0a66,0x00a65c369f3829c0,0x0031d248a4f74826,0x006817f34defbe8e,0x00649741d95ebf2e,0x00d46466ab16b397,0x00fdc35703bee414,0x00343b43334525f8)},\n- {FIELD_LITERAL(0x001796bea93f6401,0x00090c5a42e85269,0x00672412ba1252ed,0x001201d47b6de7de,0x006877bccfe66497,0x00b554fd97a4c161,0x009753f42dbac3cf,0x00e983e3e378270a)},\n- {FIELD_LITERAL(0x00ac3eff18849872,0x00f0eea3bff05690,0x00a6d72c21dd505d,0x001b832642424169,0x00a6813017b540e5,0x00a744bd71b385cd,0x0022a7d089130a7b,0x004edeec9a133486)},\n- {FIELD_LITERAL(0x00b2d6729196e8a9,0x0088a9bb2031cef4,0x00579e7787dc1567,0x0030f49feb059190,0x00a0b1d69c7f7d8f,0x0040bdcc6d9d806f,0x00d76c4037edd095,0x00bbf24376415dd7)},\n- {FIELD_LITERAL(0x00240465ff5a7197,0x00bb97e76caf27d0,0x004b4edbf8116d39,0x001d8586f708cbaa,0x000f8ee8ff8e4a50,0x00dde5a1945dd622,0x00e6fc1c0957e07c,0x0041c9cdabfd88a0)},\n- {FIELD_LITERAL(0x005344b0bf5b548c,0x002957d0b705cc99,0x00f586a70390553d,0x0075b3229f583cc3,0x00a1aa78227490e4,0x001bf09cf7957717,0x00cf6bf344325f52,0x0065bd1c23ca3ecf)},\n- 
{FIELD_LITERAL(0x009bff3b3239363c,0x00e17368796ef7c0,0x00528b0fe0971f3a,0x0008014fc8d4a095,0x00d09f2e8a521ec4,0x006713ab5dde5987,0x0003015758e0dbb1,0x00215999f1ba212d)},\n- {FIELD_LITERAL(0x002c88e93527da0e,0x0077c78f3456aad5,0x0071087a0a389d1c,0x00934dac1fb96dbd,0x008470e801162697,0x005bc2196cd4ad49,0x00e535601d5087c3,0x00769888700f497f)},\n- {FIELD_LITERAL(0x00da7a4b557298ad,0x0019d2589ea5df76,0x00ef3e38be0c6497,0x00a9644e1312609a,0x004592f61b2558da,0x0082c1df510d7e46,0x0042809a535c0023,0x00215bcb5afd7757)},\n- {FIELD_LITERAL(0x002b9df55a1a4213,0x00dcfc3b464a26be,0x00c4f9e07a8144d5,0x00c8e0617a92b602,0x008e3c93accafae0,0x00bf1bcb95b2ca60,0x004ce2426a613bf3,0x00266cac58e40921)},\n- {FIELD_LITERAL(0x008456d5db76e8f0,0x0032ca9cab2ce163,0x0059f2b8bf91abcf,0x0063c2a021712788,0x00f86155af22f72d,0x00db98b2a6c005a0,0x00ac6e416a693ac4,0x007a93572af53226)},\n- {FIELD_LITERAL(0x0087767520f0de22,0x0091f64012279fb5,0x001050f1f0644999,0x004f097a2477ad3c,0x006b37913a9947bd,0x001a3d78645af241,0x0057832bbb3008a7,0x002c1d902b80dc20)},\n- {FIELD_LITERAL(0x001a6002bf178877,0x009bce168aa5af50,0x005fc318ff04a7f5,0x0052818f55c36461,0x008768f5d4b24afb,0x0037ffbae7b69c85,0x0018195a4b61edc0,0x001e12ea088434b2)},\n- {FIELD_LITERAL(0x0047d3f804e7ab07,0x00a809ab5f905260,0x00b3ffc7cdaf306d,0x00746e8ec2d6e509,0x00d0dade8887a645,0x00acceeebde0dd37,0x009bc2579054686b,0x0023804f97f1c2bf)},\n- {FIELD_LITERAL(0x0043e2e2e50b80d7,0x00143aafe4427e0f,0x005594aaecab855b,0x008b12ccaaecbc01,0x002deeb091082bc3,0x009cca4be2ae7514,0x00142b96e696d047,0x00ad2a2b1c05256a)},\n- {FIELD_LITERAL(0x003914f2f144b78b,0x007a95dd8bee6f68,0x00c7f4384d61c8e6,0x004e51eb60f1bdb2,0x00f64be7aa4621d8,0x006797bfec2f0ac0,0x007d17aab3c75900,0x001893e73cac8bc5)},\n- {FIELD_LITERAL(0x00140360b768665b,0x00b68aca4967f977,0x0001089b66195ae4,0x00fe71122185e725,0x000bca2618d49637,0x00a54f0557d7e98a,0x00cdcd2f91d6f417,0x00ab8c13741fd793)},\n- 
{FIELD_LITERAL(0x00725ee6b1e549e0,0x007124a0769777fa,0x000b68fdad07ae42,0x0085b909cd4952df,0x0092d2e3c81606f4,0x009f22f6cac099a0,0x00f59da57f2799a8,0x00f06c090122f777)},\n- {FIELD_LITERAL(0x00ce0bed0a3532bc,0x001a5048a22df16b,0x00e31db4cbad8bf1,0x00e89292120cf00e,0x007d1dd1a9b00034,0x00e2a9041ff8f680,0x006a4c837ae596e7,0x00713af1068070b3)},\n- {FIELD_LITERAL(0x00c4fe64ce66d04b,0x00b095d52e09b3d7,0x00758bbecb1a3a8e,0x00f35cce8d0650c0,0x002b878aa5984473,0x0062e0a3b7544ddc,0x00b25b290ed116fe,0x007b0f6abe0bebf2)},\n- {FIELD_LITERAL(0x0081d4e3addae0a8,0x003410c836c7ffcc,0x00c8129ad89e4314,0x000e3d5a23922dcd,0x00d91e46f29c31f3,0x006c728cde8c5947,0x002bc655ba2566c0,0x002ca94721533108)},\n- {FIELD_LITERAL(0x0051e4b3f764d8a9,0x0019792d46e904a0,0x00853bc13dbc8227,0x000840208179f12d,0x0068243474879235,0x0013856fbfe374d0,0x00bda12fe8676424,0x00bbb43635926eb2)},\n- {FIELD_LITERAL(0x0012cdc880a93982,0x003c495b21cd1b58,0x00b7e5c93f22a26e,0x0044aa82dfb99458,0x009ba092cdffe9c0,0x00a14b3ab2083b73,0x000271c2f70e1c4b,0x00eea9cac0f66eb8)},\n- {FIELD_LITERAL(0x001a1847c4ac5480,0x00b1b412935bb03a,0x00f74285983bf2b2,0x00624138b5b5d0f1,0x008820c0b03d38bf,0x00b94e50a18c1572,0x0060f6934841798f,0x00c52f5d66d6ebe2)},\n- {FIELD_LITERAL(0x00da23d59f9bcea6,0x00e0f27007a06a4b,0x00128b5b43a6758c,0x000cf50190fa8b56,0x00fc877aba2b2d72,0x00623bef52edf53f,0x00e6af6b819669e2,0x00e314dc34fcaa4f)},\n- {FIELD_LITERAL(0x0066e5eddd164d1e,0x00418a7c6fe28238,0x0002e2f37e962c25,0x00f01f56b5975306,0x0048842fa503875c,0x0057b0e968078143,0x00ff683024f3d134,0x0082ae28fcad12e4)},\n- {FIELD_LITERAL(0x0011ddfd21260e42,0x00d05b0319a76892,0x00183ea4368e9b8f,0x00b0815662affc96,0x00b466a5e7ce7c88,0x00db93b07506e6ee,0x0033885f82f62401,0x0086f9090ec9b419)},\n- {FIELD_LITERAL(0x00d95d1c5fcb435a,0x0016d1ed6b5086f9,0x00792aa0b7e54d71,0x0067b65715f1925d,0x00a219755ec6176b,0x00bc3f026b12c28f,0x00700c897ffeb93e,0x0089b83f6ec50b46)},\n- 
{FIELD_LITERAL(0x003c97e6384da36e,0x00423d53eac81a09,0x00b70d68f3cdce35,0x00ee7959b354b92c,0x00f4e9718819c8ca,0x009349f12acbffe9,0x005aee7b62cb7da6,0x00d97764154ffc86)},\n- {FIELD_LITERAL(0x00526324babb46dc,0x002ee99b38d7bf9e,0x007ea51794706ef4,0x00abeb04da6e3c39,0x006b457c1d281060,0x00fe243e9a66c793,0x00378de0fb6c6ee4,0x003e4194b9c3cb93)},\n- {FIELD_LITERAL(0x00fed3cd80ca2292,0x0015b043a73ca613,0x000a9fd7bf9be227,0x003b5e03de2db983,0x005af72d46904ef7,0x00c0f1b5c49faa99,0x00dc86fc3bd305e1,0x00c92f08c1cb1797)},\n- {FIELD_LITERAL(0x0079680ce111ed3b,0x001a1ed82806122c,0x000c2e7466d15df3,0x002c407f6f7150fd,0x00c5e7c96b1b0ce3,0x009aa44626863ff9,0x00887b8b5b80be42,0x00b6023cec964825)},\n- {FIELD_LITERAL(0x00e4a8e1048970c8,0x0062887b7830a302,0x00bcf1c8cd81402b,0x0056dbb81a68f5be,0x0014eced83f12452,0x00139e1a510150df,0x00bb81140a82d1a3,0x000febcc1aaf1aa7)},\n- {FIELD_LITERAL(0x00a7527958238159,0x0013ec9537a84cd6,0x001d7fee7d562525,0x00b9eefa6191d5e5,0x00dbc97db70bcb8a,0x00481affc7a4d395,0x006f73d3e70c31bb,0x00183f324ed96a61)},\n- {FIELD_LITERAL(0x0039dd7ce7fc6860,0x00d64f6425653da1,0x003e037c7f57d0af,0x0063477a06e2bcf2,0x001727dbb7ac67e6,0x0049589f5efafe2e,0x00fc0fef2e813d54,0x008baa5d087fb50d)},\n- {FIELD_LITERAL(0x0024fb59d9b457c7,0x00a7d4e060223e4c,0x00c118d1b555fd80,0x0082e216c732f22a,0x00cd2a2993089504,0x003638e836a3e13d,0x000d855ee89b4729,0x008ec5b7d4810c91)},\n- {FIELD_LITERAL(0x001bf51f7d65cdfd,0x00d14cdafa16a97d,0x002c38e60fcd10e7,0x00a27446e393efbd,0x000b5d8946a71fdd,0x0063df2cde128f2f,0x006c8679569b1888,0x0059ffc4925d732d)},\n- {FIELD_LITERAL(0x00ece96f95f2b66f,0x00ece7952813a27b,0x0026fc36592e489e,0x007157d1a2de0f66,0x00759dc111d86ddf,0x0012881e5780bb0f,0x00c8ccc83ad29496,0x0012b9bd1929eb71)},\n- {FIELD_LITERAL(0x000fa15a20da5df0,0x00349ddb1a46cd31,0x002c512ad1d8e726,0x00047611f669318d,0x009e68fba591e17e,0x004320dffa803906,0x00a640874951a3d3,0x00b6353478baa24f)},\n- 
{FIELD_LITERAL(0x009696510000d333,0x00ec2f788bc04826,0x000e4d02b1f67ba5,0x00659aa8dace08b6,0x00d7a38a3a3ae533,0x008856defa8c746b,0x004d7a4402d3da1a,0x00ea82e06229260f)},\n- {FIELD_LITERAL(0x006a15bb20f75c0c,0x0079a144027a5d0c,0x00d19116ce0b4d70,0x0059b83bcb0b268e,0x005f58f63f16c127,0x0079958318ee2c37,0x00defbb063d07f82,0x00f1f0b931d2d446)},\n- {FIELD_LITERAL(0x00cb5e4c3c35d422,0x008df885ca43577f,0x00fa50b16ca3e471,0x005a0e58e17488c8,0x00b2ceccd6d34d19,0x00f01d5d235e36e9,0x00db2e7e4be6ca44,0x00260ab77f35fccd)},\n- {FIELD_LITERAL(0x006f6fd9baac61d5,0x002a7710a020a895,0x009de0db7fc03d4d,0x00cdedcb1875f40b,0x00050caf9b6b1e22,0x005e3a6654456ab0,0x00775fdf8c4423d4,0x0028701ea5738b5d)},\n- {FIELD_LITERAL(0x009ffd90abfeae96,0x00cba3c2b624a516,0x005ef08bcee46c91,0x00e6fde30afb6185,0x00f0b4db4f818ce4,0x006c54f45d2127f5,0x00040125035854c7,0x00372658a3287e13)},\n- {FIELD_LITERAL(0x00d7070fb1beb2ab,0x0078fc845a93896b,0x006894a4b2f224a6,0x005bdd8192b9dbde,0x00b38839874b3a9e,0x00f93618b04b7a57,0x003e3ec75fd2c67e,0x00bf5e6bfc29494a)},\n- {FIELD_LITERAL(0x00f19224ebba2aa5,0x0074f89d358e694d,0x00eea486597135ad,0x0081579a4555c7e1,0x0010b9b872930a9d,0x00f002e87a30ecc0,0x009b9d66b6de56e2,0x00a3c4f45e8004eb)},\n- {FIELD_LITERAL(0x0045e8dda9400888,0x002ff12e5fc05db7,0x00a7098d54afe69c,0x00cdbe846a500585,0x00879c1593ca1882,0x003f7a7fea76c8b0,0x002cd73dd0c8e0a1,0x00645d6ce96f51fe)},\n- {FIELD_LITERAL(0x002b7e83e123d6d6,0x00398346f7419c80,0x0042922e55940163,0x005e7fc5601886a3,0x00e88f2cee1d3103,0x00e7fab135f2e377,0x00b059984dbf0ded,0x0009ce080faa5bb8)},\n- {FIELD_LITERAL(0x0085e78af7758979,0x00275a4ee1631a3a,0x00d26bc0ed78b683,0x004f8355ea21064f,0x00d618e1a32696e5,0x008d8d7b150e5680,0x00a74cd854b278d2,0x001dd62702203ea0)},\n- {FIELD_LITERAL(0x00f89335c2a59286,0x00a0f5c905d55141,0x00b41fb836ee9382,0x00e235d51730ca43,0x00a5cb37b5c0a69a,0x009b966ffe136c45,0x00cb2ea10bf80ed1,0x00fb2b370b40dc35)},\n- 
{FIELD_LITERAL(0x00d687d16d4ee8ba,0x0071520bdd069dff,0x00de85c60d32355d,0x0087d2e3565102f4,0x00cde391b8dfc9aa,0x00e18d69efdfefe5,0x004a9d0591954e91,0x00fa36dd8b50eee5)},\n- {FIELD_LITERAL(0x002e788749a865f7,0x006e4dc3116861ea,0x009f1428c37276e6,0x00e7d2e0fc1e1226,0x003aeebc6b6c45f6,0x0071a8073bf500c9,0x004b22ad986b530c,0x00f439e63c0d79d4)},\n- {FIELD_LITERAL(0x006bc3d53011f470,0x00032d6e692b83e8,0x00059722f497cd0b,0x0009b4e6f0c497cc,0x0058a804b7cce6c0,0x002b71d3302bbd5d,0x00e2f82a36765fce,0x008dded99524c703)},\n- {FIELD_LITERAL(0x004d058953747d64,0x00701940fe79aa6f,0x00a620ac71c760bf,0x009532b611158b75,0x00547ed7f466f300,0x003cb5ab53a8401a,0x00c7763168ce3120,0x007e48e33e4b9ab2)},\n- {FIELD_LITERAL(0x001b2fc57bf3c738,0x006a3f918993fb80,0x0026f7a14fdec288,0x0075a2cdccef08db,0x00d3ecbc9eecdbf1,0x0048c40f06e5bf7f,0x00d63e423009896b,0x000598bc99c056a8)},\n- {FIELD_LITERAL(0x002f194eaafa46dc,0x008e38f57fe87613,0x00dc8e5ae25f4ab2,0x000a17809575e6bd,0x00d3ec7923ba366a,0x003a7e72e0ad75e3,0x0010024b88436e0a,0x00ed3c5444b64051)},\n- {FIELD_LITERAL(0x00831fc1340af342,0x00c9645669466d35,0x007692b4cc5a080f,0x009fd4a47ac9259f,0x001eeddf7d45928b,0x003c0446fc45f28b,0x002c0713aa3e2507,0x0095706935f0f41e)},\n- {FIELD_LITERAL(0x00766ae4190ec6d8,0x0065768cabc71380,0x00b902598416cdc2,0x00380021ad38df52,0x008f0b89d6551134,0x004254d4cc62c5a5,0x000d79f4484b9b94,0x00b516732ae3c50e)},\n- {FIELD_LITERAL(0x001fb73475c45509,0x00d2b2e5ea43345a,0x00cb3c3842077bd1,0x0029f90ad820946e,0x007c11b2380778aa,0x009e54ece62c1704,0x004bc60c41ca01c3,0x004525679a5a0b03)},\n- {FIELD_LITERAL(0x00c64fbddbed87b3,0x0040601d11731faa,0x009c22475b6f9d67,0x0024b79dae875f15,0x00616fed3f02c3b0,0x0000cf39f6af2d3b,0x00c46bac0aa9a688,0x00ab23e2800da204)},\n- {FIELD_LITERAL(0x000b3a37617632b0,0x00597199fe1cfb6c,0x0042a7ccdfeafdd6,0x004cc9f15ebcea17,0x00f436e596a6b4a4,0x00168861142df0d8,0x000753edfec26af5,0x000c495d7e388116)},\n- 
{FIELD_LITERAL(0x0017085f4a346148,0x00c7cf7a37f62272,0x001776e129bc5c30,0x009955134c9eef2a,0x001ba5bdf1df07be,0x00ec39497103a55c,0x006578354fda6cfb,0x005f02719d4f15ee)},\n- {FIELD_LITERAL(0x0052b9d9b5d9655d,0x00d4ec7ba1b461c3,0x00f95df4974f280b,0x003d8e5ca11aeb51,0x00d4981eb5a70b26,0x000af9a4f6659f29,0x004598c846faeb43,0x0049d9a183a47670)},\n- {FIELD_LITERAL(0x000a72d23dcb3f1f,0x00a3737f84011727,0x00f870c0fbbf4a47,0x00a7aadd04b5c9ca,0x000c7715c67bd072,0x00015a136afcd74e,0x0080d5caea499634,0x0026b448ec7514b7)},\n- {FIELD_LITERAL(0x00b60167d9e7d065,0x00e60ba0d07381e8,0x003a4f17b725c2d4,0x006c19fe176b64fa,0x003b57b31af86ccb,0x0021047c286180fd,0x00bdc8fb00c6dbb6,0x00fe4a9f4bab4f3f)},\n- {FIELD_LITERAL(0x0088ffc3a16111f7,0x009155e4245d0bc8,0x00851d68220572d5,0x00557ace1e514d29,0x0031d7c339d91022,0x00101d0ae2eaceea,0x00246ab3f837b66a,0x00d5216d381ff530)},\n- {FIELD_LITERAL(0x0057e7ea35f36dae,0x00f47d7ad15de22e,0x00d757ea4b105115,0x008311457d579d7e,0x00b49b75b1edd4eb,0x0081c7ff742fd63a,0x00ddda3187433df6,0x00475727d55f9c66)},\n- {FIELD_LITERAL(0x00a6295218dc136a,0x00563b3af0e9c012,0x00d3753b0145db1b,0x004550389c043dc1,0x00ea94ae27401bdf,0x002b0b949f2b7956,0x00c63f780ad8e23c,0x00e591c47d6bab15)},\n- {FIELD_LITERAL(0x00416c582b058eb6,0x004107da5b2cc695,0x00b3cd2556aeec64,0x00c0b418267e57a1,0x001799293579bd2e,0x0046ed44590e4d07,0x001d7459b3630a1e,0x00c6afba8b6696aa)},\n- {FIELD_LITERAL(0x008d6009b26da3f8,0x00898e88ca06b1ca,0x00edb22b2ed7fe62,0x00fbc93516aabe80,0x008b4b470c42ce0d,0x00e0032ba7d0dcbb,0x00d76da3a956ecc8,0x007f20fe74e3852a)},\n- {FIELD_LITERAL(0x002419222c607674,0x00a7f23af89188b3,0x00ad127284e73d1c,0x008bba582fae1c51,0x00fc6aa7ca9ecab1,0x003df5319eb6c2ba,0x002a05af8a8b199a,0x004bf8354558407c)},\n- {FIELD_LITERAL(0x00ce7d4a30f0fcbf,0x00d02c272629f03d,0x0048c001f7400bc2,0x002c21368011958d,0x0098a550391e96b5,0x002d80b66390f379,0x001fa878760cc785,0x001adfce54b613d5)},\n- 
{FIELD_LITERAL(0x001ed4dc71fa2523,0x005d0bff19bf9b5c,0x00c3801cee065a64,0x001ed0b504323fbf,0x0003ab9fdcbbc593,0x00df82070178b8d2,0x00a2bcaa9c251f85,0x00c628a3674bd02e)},\n- {FIELD_LITERAL(0x006b7a0674f9f8de,0x00a742414e5c7cff,0x0041cbf3c6e13221,0x00e3a64fd207af24,0x0087c05f15fbe8d1,0x004c50936d9e8a33,0x001306ec21042b6d,0x00a4f4137d1141c2)},\n- {FIELD_LITERAL(0x0009e6fb921568b0,0x00b3c60120219118,0x002a6c3460dd503a,0x009db1ef11654b54,0x0063e4bf0be79601,0x00670d34bb2592b9,0x00dcee2f6c4130ce,0x00b2682e88e77f54)},\n- {FIELD_LITERAL(0x000d5b4b3da135ab,0x00838f3e5064d81d,0x00d44eb50f6d94ed,0x0008931ab502ac6d,0x00debe01ca3d3586,0x0025c206775f0641,0x005ad4b6ae912763,0x007e2c318ad8f247)},\n- {FIELD_LITERAL(0x00ddbe0750dd1add,0x004b3c7b885844b8,0x00363e7ecf12f1ae,0x0062e953e6438f9d,0x0023cc73b076afe9,0x00b09fa083b4da32,0x00c7c3d2456c541d,0x005b591ec6b694d4)},\n- {FIELD_LITERAL(0x0028656e19d62fcf,0x0052a4af03df148d,0x00122765ddd14e42,0x00f2252904f67157,0x004741965b636f3a,0x006441d296132cb9,0x005e2106f956a5b7,0x00247029592d335c)},\n- {FIELD_LITERAL(0x003fe038eb92f894,0x000e6da1b72e8e32,0x003a1411bfcbe0fa,0x00b55d473164a9e4,0x00b9a775ac2df48d,0x0002ddf350659e21,0x00a279a69eb19cb3,0x00f844eab25cba44)},\n- {FIELD_LITERAL(0x00c41d1f9c1f1ac1,0x007b2df4e9f19146,0x00b469355fd5ba7a,0x00b5e1965afc852a,0x00388d5f1e2d8217,0x0022079e4c09ae93,0x0014268acd4ef518,0x00c1dd8d9640464c)},\n- {FIELD_LITERAL(0x0038526adeed0c55,0x00dd68c607e3fe85,0x00f746ddd48a5d57,0x0042f2952b963b7c,0x001cbbd6876d5ec2,0x005e341470bca5c2,0x00871d41e085f413,0x00e53ab098f45732)},\n- {FIELD_LITERAL(0x004d51124797c831,0x008f5ae3750347ad,0x0070ced94c1a0c8e,0x00f6db2043898e64,0x000d00c9a5750cd0,0x000741ec59bad712,0x003c9d11aab37b7f,0x00a67ba169807714)},\n- {FIELD_LITERAL(0x00adb2c1566e8b8f,0x0096c68a35771a9a,0x00869933356f334a,0x00ba9c93459f5962,0x009ec73fb6e8ca4b,0x003c3802c27202e1,0x0031f5b733e0c008,0x00f9058c19611fa9)},\n- 
{FIELD_LITERAL(0x00238f01814a3421,0x00c325a44b6cce28,0x002136f97aeb0e73,0x000cac8268a4afe2,0x0022fd218da471b3,0x009dcd8dfff8def9,0x00cb9f8181d999bb,0x00143ae56edea349)},\n- {FIELD_LITERAL(0x0000623bf87622c5,0x00a1966fdd069496,0x00c315b7b812f9fc,0x00bdf5efcd128b97,0x001d464f532e3e16,0x003cd94f081bfd7e,0x00ed9dae12ce4009,0x002756f5736eee70)},\n- {FIELD_LITERAL(0x00a5187e6ee7341b,0x00e6d52e82d83b6e,0x00df3c41323094a7,0x00b3324f444e9de9,0x00689eb21a35bfe5,0x00f16363becd548d,0x00e187cc98e7f60f,0x00127d9062f0ccab)},\n- {FIELD_LITERAL(0x004ad71b31c29e40,0x00a5fcace12fae29,0x004425b5597280ed,0x00e7ef5d716c3346,0x0010b53ada410ac8,0x0092310226060c9b,0x0091c26128729c7e,0x0088b42900f8ec3b)},\n- {FIELD_LITERAL(0x00f1e26e9762d4a8,0x00d9d74082183414,0x00ffec9bd57a0282,0x000919e128fd497a,0x00ab7ae7d00fe5f8,0x0054dc442851ff68,0x00c9ebeb3b861687,0x00507f7cab8b698f)},\n- {FIELD_LITERAL(0x00c13c5aae3ae341,0x009c6c9ed98373e7,0x00098f26864577a8,0x0015b886e9488b45,0x0037692c42aadba5,0x00b83170b8e7791c,0x001670952ece1b44,0x00fd932a39276da2)},\n- {FIELD_LITERAL(0x0081a3259bef3398,0x005480fff416107b,0x00ce4f607d21be98,0x003ffc084b41df9b,0x0043d0bb100502d1,0x00ec35f575ba3261,0x00ca18f677300ef3,0x00e8bb0a827d8548)},\n- {FIELD_LITERAL(0x00df76b3328ada72,0x002e20621604a7c2,0x00f910638a105b09,0x00ef4724d96ef2cd,0x00377d83d6b8a2f7,0x00b4f48805ade324,0x001cd5da8b152018,0x0045af671a20ca7f)},\n- {FIELD_LITERAL(0x009ae3b93a56c404,0x004a410b7a456699,0x00023a619355e6b2,0x009cdc7297387257,0x0055b94d4ae70d04,0x002cbd607f65b005,0x003208b489697166,0x00ea2aa058867370)},\n- {FIELD_LITERAL(0x00f29d2598ee3f32,0x00b4ac5385d82adc,0x007633eaf04df19b,0x00aa2d3d77ceab01,0x004a2302fcbb778a,0x00927f225d5afa34,0x004a8e9d5047f237,0x008224ae9dbce530)},\n- {FIELD_LITERAL(0x001cf640859b02f8,0x00758d1d5d5ce427,0x00763c784ef4604c,0x005fa81aee205270,0x00ac537bfdfc44cb,0x004b919bd342d670,0x00238508d9bf4b7a,0x00154888795644f3)},\n- 
{FIELD_LITERAL(0x00c845923c084294,0x00072419a201bc25,0x0045f408b5f8e669,0x00e9d6a186b74dfe,0x00e19108c68fa075,0x0017b91d874177b7,0x002f0ca2c7912c5a,0x009400aa385a90a2)},\n- {FIELD_LITERAL(0x0071110b01482184,0x00cfed0044f2bef8,0x0034f2901cf4662e,0x003b4ae2a67f9834,0x00cca9b96fe94810,0x00522507ae77abd0,0x00bac7422721e73e,0x0066622b0f3a62b0)},\n- {FIELD_LITERAL(0x00f8ac5cf4705b6a,0x00867d82dcb457e3,0x007e13ab2ccc2ce9,0x009ee9a018d3930e,0x008370f8ecb42df8,0x002d9f019add263e,0x003302385b92d196,0x00a15654536e2c0c)},\n- {FIELD_LITERAL(0x0026ef1614e160af,0x00c023f9edfc9c76,0x00cff090da5f57ba,0x0076db7a66643ae9,0x0019462f8c646999,0x008fec00b3854b22,0x00d55041692a0a1c,0x0065db894215ca00)},\n- {FIELD_LITERAL(0x00a925036e0a451c,0x002a0390c36b6cc1,0x00f27020d90894f4,0x008d90d52cbd3d7f,0x00e1d0137392f3b8,0x00f017c158b51a8f,0x00cac313d3ed7dbc,0x00b99a81e3eb42d3)},\n- {FIELD_LITERAL(0x00b54850275fe626,0x0053a3fd1ec71140,0x00e3d2d7dbe096fa,0x00e4ac7b595cce4c,0x0077bad449c0a494,0x00b7c98814afd5b3,0x0057226f58486cf9,0x00b1557154f0cc57)},\n- {FIELD_LITERAL(0x008cc9cd236315c0,0x0031d9c5b39fda54,0x00a5713ef37e1171,0x00293d5ae2886325,0x00c4aba3e05015e1,0x0003f35ef78e4fc6,0x0039d6bd3ac1527b,0x0019d7c3afb77106)},\n- {FIELD_LITERAL(0x007b162931a985af,0x00ad40a2e0daa713,0x006df27c4009f118,0x00503e9f4e2e8bec,0x00751a77c82c182d,0x000298937769245b,0x00ffb1e8fabf9ee5,0x0008334706e09abe)},\n- {FIELD_LITERAL(0x00dbca4e98a7dcd9,0x00ee29cfc78bde99,0x00e4a3b6995f52e9,0x0045d70189ae8096,0x00fd2a8a3b9b0d1b,0x00af1793b107d8e1,0x00dbf92cbe4afa20,0x00da60f798e3681d)},\n- {FIELD_LITERAL(0x004246bfcecc627a,0x004ba431246c03a4,0x00bd1d101872d497,0x003b73d3f185ee16,0x001feb2e2678c0e3,0x00ff13c5a89dec76,0x00ed06042e771d8f,0x00a4fd2a897a83dd)},\n- {FIELD_LITERAL(0x009a4a3be50d6597,0x00de3165fc5a1096,0x004f3f56e345b0c7,0x00f7bf721d5ab8bc,0x004313e47b098c50,0x00e4c7d5c0e1adbb,0x002e3e3db365051e,0x00a480c2cd6a96fb)},\n- 
{FIELD_LITERAL(0x00417fa30a7119ed,0x00af257758419751,0x00d358a487b463d4,0x0089703cc720b00d,0x00ce56314ff7f271,0x0064db171ade62c1,0x00640b36d4a22fed,0x00424eb88696d23f)},\n- {FIELD_LITERAL(0x004ede34af2813f3,0x00d4a8e11c9e8216,0x004796d5041de8a5,0x00c4c6b4d21cc987,0x00e8a433ee07fa1e,0x0055720b5abcc5a1,0x008873ea9c74b080,0x005b3fec1ab65d48)},\n- {FIELD_LITERAL(0x0047e5277db70ec5,0x000a096c66db7d6b,0x00b4164cc1730159,0x004a9f783fe720fe,0x00a8177b94449dbc,0x0095a24ff49a599f,0x0069c1c578250cbc,0x00452019213debf4)},\n- {FIELD_LITERAL(0x0021ce99e09ebda3,0x00fcbd9f91875ad0,0x009bbf6b7b7a0b5f,0x00388886a69b1940,0x00926a56d0f81f12,0x00e12903c3358d46,0x005dfce4e8e1ce9d,0x0044cfa94e2f7e23)},\n- {FIELD_LITERAL(0x001bd59c09e982ea,0x00f72daeb937b289,0x0018b76dca908e0e,0x00edb498512384ad,0x00ce0243b6cc9538,0x00f96ff690cb4e70,0x007c77bf9f673c8d,0x005bf704c088a528)},\n- {FIELD_LITERAL(0x0093d4628dcb33be,0x0095263d51d42582,0x0049b3222458fe06,0x00e7fce73b653a7f,0x003ca2ebce60b369,0x00c5de239a32bea4,0x0063b8b3d71fb6bf,0x0039aeeb78a1a839)},\n- {FIELD_LITERAL(0x007dc52da400336c,0x001fded1e15b9457,0x00902e00f5568e3a,0x00219bef40456d2d,0x005684161fb3dbc9,0x004a4e9be49a76ea,0x006e685ae88b78ff,0x0021c42f13042d3c)},\n- {FIELD_LITERAL(0x00fb22bb5fd3ce50,0x0017b48aada7ae54,0x00fd5c44ad19a536,0x000ccc4e4e55e45c,0x00fd637d45b4c3f5,0x0038914e023c37cf,0x00ac1881d6a8d898,0x00611ed8d3d943a8)},\n- {FIELD_LITERAL(0x0056e2259d113d2b,0x00594819b284ec16,0x00c7bf794bb36696,0x00721ee75097cdc6,0x00f71be9047a2892,0x00df6ba142564edf,0x0069580b7a184e8d,0x00f056e38fca0fee)},\n- {FIELD_LITERAL(0x009df98566a18c6d,0x00cf3a200968f219,0x0044ba60da6d9086,0x00dbc9c0e344da03,0x000f9401c4466855,0x00d46a57c5b0a8d1,0x00875a635d7ac7c6,0x00ef4a933b7e0ae6)},\n- {FIELD_LITERAL(0x005e8694077a1535,0x008bef75f71c8f1d,0x000a7c1316423511,0x00906e1d70604320,0x003fc46c1a2ffbd6,0x00d1d5022e68f360,0x002515fba37bbf46,0x00ca16234e023b44)},\n- 
{FIELD_LITERAL(0x00787c99561f4690,0x00a857a8c1561f27,0x00a10df9223c09fe,0x00b98a9562e3b154,0x004330b8744c3ed2,0x00e06812807ec5c4,0x00e4cf6a7db9f1e3,0x00d95b089f132a34)},\n- {FIELD_LITERAL(0x002922b39ca33eec,0x0090d12a5f3ab194,0x00ab60c02fb5f8ed,0x00188d292abba1cf,0x00e10edec9698f6e,0x0069a4d9934133c8,0x0024aac40e6d3d06,0x001702c2177661b0)},\n- {FIELD_LITERAL(0x00139078397030bd,0x000e3c447e859a00,0x0064a5b334c82393,0x00b8aabeb7358093,0x00020778bb9ae73b,0x0032ee94c7892a18,0x008215253cb41bda,0x005e2797593517ae)},\n- {FIELD_LITERAL(0x0083765a5f855d4a,0x0051b6d1351b8ee2,0x00116de548b0f7bb,0x0087bd88703affa0,0x0095b2cc34d7fdd2,0x0084cd81b53f0bc8,0x008562fc995350ed,0x00a39abb193651e3)},\n- {FIELD_LITERAL(0x0019e23f0474b114,0x00eb94c2ad3b437e,0x006ddb34683b75ac,0x00391f9209b564c6,0x00083b3bb3bff7aa,0x00eedcd0f6dceefc,0x00b50817f794fe01,0x0036474deaaa75c9)},\n- {FIELD_LITERAL(0x0091868594265aa2,0x00797accae98ca6d,0x0008d8c5f0f8a184,0x00d1f4f1c2b2fe6e,0x0036783dfb48a006,0x008c165120503527,0x0025fd780058ce9b,0x0068beb007be7d27)},\n- {FIELD_LITERAL(0x00d0ff88aa7c90c2,0x00b2c60dacf53394,0x0094a7284d9666d6,0x00bed9022ce7a19d,0x00c51553f0cd7682,0x00c3fb870b124992,0x008d0bc539956c9b,0x00fc8cf258bb8885)},\n- {FIELD_LITERAL(0x003667bf998406f8,0x0000115c43a12975,0x001e662f3b20e8fd,0x0019ffa534cb24eb,0x00016be0dc8efb45,0x00ff76a8b26243f5,0x00ae20d241a541e3,0x0069bd6af13cd430)},\n- {FIELD_LITERAL(0x0045fdc16487cda3,0x00b2d8e844cf2ed7,0x00612c50e88c1607,0x00a08aabc66c1672,0x006031fdcbb24d97,0x001b639525744b93,0x004409d62639ab17,0x00a1853d0347ab1d)},\n- {FIELD_LITERAL(0x0075a1a56ebf5c21,0x00a3e72be9ac53ed,0x00efcde1629170c2,0x0004225fe91ef535,0x0088049fc73dfda7,0x004abc74857e1288,0x0024e2434657317c,0x00d98cb3d3e5543c)},\n- {FIELD_LITERAL(0x00b4b53eab6bdb19,0x009b22d8b43711d0,0x00d948b9d961785d,0x00cb167b6f279ead,0x00191de3a678e1c9,0x00d9dd9511095c2e,0x00f284324cd43067,0x00ed74fa535151dd)},\n- 
{FIELD_LITERAL(0x007e32c049b5c477,0x009d2bfdbd9bcfd8,0x00636e93045938c6,0x007fde4af7687298,0x0046a5184fafa5d3,0x0079b1e7f13a359b,0x00875adf1fb927d6,0x00333e21c61bcad2)},\n- {FIELD_LITERAL(0x00048014f73d8b8d,0x0075684aa0966388,0x0092be7df06dc47c,0x0097cebcd0f5568a,0x005a7004d9c4c6a9,0x00b0ecbb659924c7,0x00d90332dd492a7c,0x0057fc14df11493d)},\n- {FIELD_LITERAL(0x0008ed8ea0ad95be,0x0041d324b9709645,0x00e25412257a19b4,0x0058df9f3423d8d2,0x00a9ab20def71304,0x009ae0dbf8ac4a81,0x00c9565977e4392a,0x003c9269444baf55)},\n- {FIELD_LITERAL(0x007df6cbb926830b,0x00d336058ae37865,0x007af47dac696423,0x0048d3011ec64ac8,0x006b87666e40049f,0x0036a2e0e51303d7,0x00ba319bd79dbc55,0x003e2737ecc94f53)},\n- {FIELD_LITERAL(0x00d296ff726272d9,0x00f6d097928fcf57,0x00e0e616a55d7013,0x00deaf454ed9eac7,0x0073a56bedef4d92,0x006ccfdf6fc92e19,0x009d1ee1371a7218,0x00ee3c2ee4462d80)},\n- {FIELD_LITERAL(0x00437bce9bccdf9d,0x00e0c8e2f85dc0a3,0x00c91a7073995a19,0x00856ec9fe294559,0x009e4b33394b156e,0x00e245b0dc497e5c,0x006a54e687eeaeff,0x00f1cd1cd00fdb7c)},\n- {FIELD_LITERAL(0x008132ae5c5d8cd1,0x00121d68324a1d9f,0x00d6be9dafcb8c76,0x00684d9070edf745,0x00519fbc96d7448e,0x00388182fdc1f27e,0x000235baed41f158,0x00bf6cf6f1a1796a)},\n- {FIELD_LITERAL(0x002adc4b4d148219,0x003084ada0d3a90a,0x0046de8aab0f2e4e,0x00452d342a67b5fd,0x00d4b50f01d4de21,0x00db6d9fc0cefb79,0x008c184c86a462cd,0x00e17c83764d42da)},\n- {FIELD_LITERAL(0x007b2743b9a1e01a,0x007847ffd42688c4,0x006c7844d610a316,0x00f0cb8b250aa4b0,0x00a19060143b3ae6,0x0014eb10b77cfd80,0x000170905729dd06,0x00063b5b9cd72477)},\n- {FIELD_LITERAL(0x00ce382dc7993d92,0x00021153e938b4c8,0x00096f7567f48f51,0x0058f81ddfe4b0d5,0x00cc379a56b355c7,0x002c760770d3e819,0x00ee22d1d26e5a40,0x00de6d93d5b082d7)},\n- {FIELD_LITERAL(0x000a91a42c52e056,0x00185f6b77fce7ea,0x000803c51962f6b5,0x0022528582ba563d,0x0043f8040e9856d6,0x0085a29ec81fb860,0x005f9a611549f5ff,0x00c1f974ecbd4b06)},\n- 
{FIELD_LITERAL(0x005b64c6fd65ec97,0x00c1fdd7f877bc7f,0x000d9cc6c89f841c,0x005c97b7f1aff9ad,0x0075e3c61475d47e,0x001ecb1ba8153011,0x00fe7f1c8d71d40d,0x003fa9757a229832)},\n- {FIELD_LITERAL(0x00ffc5c89d2b0cba,0x00d363d42e3e6fc3,0x0019a1a0118e2e8a,0x00f7baeff48882e1,0x001bd5af28c6b514,0x0055476ca2253cb2,0x00d8eb1977e2ddf3,0x00b173b1adb228a1)},\n- {FIELD_LITERAL(0x00f2cb99dd0ad707,0x00e1e08b6859ddd8,0x000008f2d0650bcc,0x00d7ed392f8615c3,0x00976750a94da27f,0x003e83bb0ecb69ba,0x00df8e8d15c14ac6,0x00f9f7174295d9c2)},\n- {FIELD_LITERAL(0x00f11cc8e0e70bcb,0x00e5dc689974e7dd,0x0014e409f9ee5870,0x00826e6689acbd63,0x008a6f4e3d895d88,0x00b26a8da41fd4ad,0x000fb7723f83efd7,0x009c749db0a5f6c3)},\n- {FIELD_LITERAL(0x002389319450f9ba,0x003677f31aa1250a,0x0092c3db642f38cb,0x00f8b64c0dfc9773,0x00cd49fe3505b795,0x0068105a4090a510,0x00df0ba2072a8bb6,0x00eb396143afd8be)},\n- {FIELD_LITERAL(0x00a0d4ecfb24cdff,0x00ddaf8008ba6479,0x00f0b3e36d4b0f44,0x003734bd3af1f146,0x00b87e2efc75527e,0x00d230df55ddab50,0x002613257ae56c1d,0x00bc0946d135934d)},\n- {FIELD_LITERAL(0x00468711bd994651,0x0033108fa67561bf,0x0089d760192a54b4,0x00adc433de9f1871,0x000467d05f36e050,0x007847e0f0579f7f,0x00a2314ad320052d,0x00b3a93649f0b243)},\n- {FIELD_LITERAL(0x0067f8f0c4fe26c9,0x0079c4a3cc8f67b9,0x0082b1e62f23550d,0x00f2d409caefd7f5,0x0080e67dcdb26e81,0x0087ae993ea1f98a,0x00aa108becf61d03,0x001acf11efb608a3)},\n- {FIELD_LITERAL(0x008225febbab50d9,0x00f3b605e4dd2083,0x00a32b28189e23d2,0x00d507e5e5eb4c97,0x005a1a84e302821f,0x0006f54c1c5f08c7,0x00a347c8cb2843f0,0x0009f73e9544bfa5)},\n- {FIELD_LITERAL(0x006c59c9ae744185,0x009fc32f1b4282cd,0x004d6348ca59b1ac,0x00105376881be067,0x00af4096013147dc,0x004abfb5a5cb3124,0x000d2a7f8626c354,0x009c6ed568e07431)},\n- {FIELD_LITERAL(0x00e828333c297f8b,0x009ef3cf8c3f7e1f,0x00ab45f8fff31cb9,0x00c8b4178cb0b013,0x00d0c50dd3260a3f,0x0097126ac257f5bc,0x0042376cc90c705a,0x001d96fdb4a1071e)},\n- 
{FIELD_LITERAL(0x00542d44d89ee1a8,0x00306642e0442d98,0x0090853872b87338,0x002362cbf22dc044,0x002c222adff663b8,0x0067c924495fcb79,0x000e621d983c977c,0x00df77a9eccb66fb)},\n- {FIELD_LITERAL(0x002809e4bbf1814a,0x00b9e854f9fafb32,0x00d35e67c10f7a67,0x008f1bcb76e748cf,0x004224d9515687d2,0x005ba0b774e620c4,0x00b5e57db5d54119,0x00e15babe5683282)},\n- {FIELD_LITERAL(0x00832d02369b482c,0x00cba52ff0d93450,0x003fa9c908d554db,0x008d1e357b54122f,0x00abd91c2dc950c6,0x007eff1df4c0ec69,0x003f6aeb13fb2d31,0x00002d6179fc5b2c)},\n- {FIELD_LITERAL(0x0046c9eda81c9c89,0x00b60cb71c8f62fc,0x0022f5a683baa558,0x00f87319fccdf997,0x009ca09b51ce6a22,0x005b12baf4af7d77,0x008a46524a1e33e2,0x00035a77e988be0d)},\n- {FIELD_LITERAL(0x00a7efe46a7dbe2f,0x002f66fd55014fe7,0x006a428afa1ff026,0x0056caaa9604ab72,0x0033f3bcd7fac8ae,0x00ccb1aa01c86764,0x00158d1edf13bf40,0x009848ee76fcf3b4)},\n- {FIELD_LITERAL(0x00a9e7730a819691,0x00d9cc73c4992b70,0x00e299bde067de5a,0x008c314eb705192a,0x00e7226f17e8a3cc,0x0029dfd956e65a47,0x0053a8e839073b12,0x006f942b2ab1597e)},\n- {FIELD_LITERAL(0x001c3d780ecd5e39,0x0094f247fbdcc5fe,0x00d5c786fd527764,0x00b6f4da74f0db2a,0x0080f1f8badcd5fc,0x00f36a373ad2e23b,0x00f804f9f4343bf2,0x00d1af40ec623982)},\n- {FIELD_LITERAL(0x0082aeace5f1b144,0x00f68b3108cf4dd3,0x00634af01dde3020,0x000beab5df5c2355,0x00e8b790d1b49b0b,0x00e48d15854e36f4,0x0040ab2d95f3db9f,0x002711c4ed9e899a)},\n- {FIELD_LITERAL(0x0039343746531ebe,0x00c8509d835d429d,0x00e79eceff6b0018,0x004abfd31e8efce5,0x007bbfaaa1e20210,0x00e3be89c193e179,0x001c420f4c31d585,0x00f414a315bef5ae)},\n- {FIELD_LITERAL(0x007c296a24990df8,0x00d5d07525a75588,0x00dd8e113e94b7e7,0x007bbc58febe0cc8,0x0029f51af9bfcad3,0x007e9311ec7ab6f3,0x009a884de1676343,0x0050d5f2dce84be9)},\n- {FIELD_LITERAL(0x005fa020cca2450a,0x00491c29db6416d8,0x0037cefe3f9f9a85,0x003d405230647066,0x0049e835f0fdbe89,0x00feb78ac1a0815c,0x00828e4b32dc9724,0x00db84f2dc8d6fd4)},\n- 
{FIELD_LITERAL(0x0098cddc8b39549a,0x006da37e3b05d22c,0x00ce633cfd4eb3cb,0x00fda288ef526acd,0x0025338878c5d30a,0x00f34438c4e5a1b4,0x00584efea7c310f1,0x0041a551f1b660ad)},\n- {FIELD_LITERAL(0x00d7f7a8fbd6437a,0x0062872413bf3753,0x00ad4bbcb43c584b,0x007fe49be601d7e3,0x0077c659789babf4,0x00eb45fcb06a741b,0x005ce244913f9708,0x0088426401736326)},\n- {FIELD_LITERAL(0x007bf562ca768d7c,0x006c1f3a174e387c,0x00f024b447fee939,0x007e7af75f01143f,0x003adb70b4eed89d,0x00e43544021ad79a,0x0091f7f7042011f6,0x0093c1a1ee3a0ddc)},\n- {FIELD_LITERAL(0x00a0b68ec1eb72d2,0x002c03235c0d45a0,0x00553627323fe8c5,0x006186e94b17af94,0x00a9906196e29f14,0x0025b3aee6567733,0x007e0dd840080517,0x0018eb5801a4ba93)},\n- {FIELD_LITERAL(0x00d7fe7017bf6a40,0x006e3f0624be0c42,0x00ffbba205358245,0x00f9fc2cf8194239,0x008d93b37bf15b4e,0x006ddf2e38be8e95,0x002b6e79bf5fcff9,0x00ab355da425e2de)},\n- {FIELD_LITERAL(0x00938f97e20be973,0x0099141a36aaf306,0x0057b0ca29e545a1,0x0085db571f9fbc13,0x008b333c554b4693,0x0043ab6ef3e241cb,0x0054fb20aa1e5c70,0x00be0ff852760adf)},\n- {FIELD_LITERAL(0x003973d8938971d6,0x002aca26fa80c1f5,0x00108af1faa6b513,0x00daae275d7924e6,0x0053634ced721308,0x00d2355fe0bbd443,0x00357612b2d22095,0x00f9bb9dd4136cf3)},\n- {FIELD_LITERAL(0x002bff12cf5e03a5,0x001bdb1fa8a19cf8,0x00c91c6793f84d39,0x00f869f1b2eba9af,0x0059bc547dc3236b,0x00d91611d6d38689,0x00e062daaa2c0214,0x00ed3c047cc2bc82)},\n- {FIELD_LITERAL(0x000050d70c32b31a,0x001939d576d437b3,0x00d709e598bf9fe6,0x00a885b34bd2ee9e,0x00dd4b5c08ab1a50,0x0091bebd50b55639,0x00cf79ff64acdbc6,0x006067a39d826336)},\n- {FIELD_LITERAL(0x0062dd0fb31be374,0x00fcc96b84c8e727,0x003f64f1375e6ae3,0x0057d9b6dd1af004,0x00d6a167b1103c7b,0x00dd28f3180fb537,0x004ff27ad7167128,0x008934c33461f2ac)},\n- {FIELD_LITERAL(0x0065b472b7900043,0x00ba7efd2ff1064b,0x000b67d6c4c3020f,0x0012d28469f4e46d,0x0031c32939703ec7,0x00b49f0bce133066,0x00f7e10416181d47,0x005c90f51867eecc)},\n- 
{FIELD_LITERAL(0x0051207abd179101,0x00fc2a5c20d9c5da,0x00fb9d5f2701b6df,0x002dd040fdea82b8,0x00f163b0738442ff,0x00d9736bd68855b8,0x00e0d8e93005e61c,0x00df5a40b3988570)},\n- {FIELD_LITERAL(0x0006918f5dfce6dc,0x00d4bf1c793c57fb,0x0069a3f649435364,0x00e89a50e5b0cd6e,0x00b9f6a237e973af,0x006d4ed8b104e41d,0x00498946a3924cd2,0x00c136ec5ac9d4f7)},\n- {FIELD_LITERAL(0x0011a9c290ac5336,0x002b9a2d4a6a6533,0x009a8a68c445d937,0x00361b27b07e5e5c,0x003c043b1755b974,0x00b7eb66cf1155ee,0x0077af5909eefff2,0x0098f609877cc806)},\n- {FIELD_LITERAL(0x00ab13af436bf8f4,0x000bcf0a0dac8574,0x00d50c864f705045,0x00c40e611debc842,0x0085010489bd5caa,0x007c5050acec026f,0x00f67d943c8da6d1,0x00de1da0278074c6)},\n- {FIELD_LITERAL(0x00b373076597455f,0x00e83f1af53ac0f5,0x0041f63c01dc6840,0x0097dea19b0c6f4b,0x007f9d63b4c1572c,0x00e692d492d0f5f0,0x00cbcb392e83b4ad,0x0069c0f39ed9b1a8)},\n- {FIELD_LITERAL(0x00861030012707c9,0x009fbbdc7fd4aafb,0x008f591d6b554822,0x00df08a41ea18ade,0x009d7d83e642abea,0x0098c71bda3b78ff,0x0022c89e7021f005,0x0044d29a3fe1e3c4)},\n- {FIELD_LITERAL(0x00e748cd7b5c52f2,0x00ea9df883f89cc3,0x0018970df156b6c7,0x00c5a46c2a33a847,0x00cbde395e32aa09,0x0072474ebb423140,0x00fb00053086a23d,0x001dafcfe22d4e1f)},\n- {FIELD_LITERAL(0x00c903ee6d825540,0x00add6c4cf98473e,0x007636efed4227f1,0x00905124ae55e772,0x00e6b38fab12ed53,0x0045e132b863fe55,0x003974662edb366a,0x00b1787052be8208)},\n- {FIELD_LITERAL(0x00a614b00d775c7c,0x00d7c78941cc7754,0x00422dd68b5dabc4,0x00a6110f0167d28b,0x00685a309c252886,0x00b439ffd5143660,0x003656e29ee7396f,0x00c7c9b9ed5ad854)},\n- {FIELD_LITERAL(0x0040f7e7c5b37bf2,0x0064e4dc81181bba,0x00a8767ae2a366b6,0x001496b4f90546f2,0x002a28493f860441,0x0021f59513049a3a,0x00852d369a8b7ee3,0x00dd2e7d8b7d30a9)},\n- {FIELD_LITERAL(0x00006e34a35d9fbc,0x00eee4e48b2f019a,0x006b344743003a5f,0x00541d514f04a7e3,0x00e81f9ee7647455,0x005e2b916c438f81,0x00116f8137b7eff0,0x009bd3decc7039d1)},\n- 
{FIELD_LITERAL(0x0005d226f434110d,0x00af8288b8ef21d5,0x004a7a52ef181c8c,0x00be0b781b4b06de,0x00e6e3627ded07e1,0x00e43aa342272b8b,0x00e86ab424577d84,0x00fb292c566e35bb)},\n- {FIELD_LITERAL(0x00334f5303ea1222,0x00dfb3dbeb0a5d3e,0x002940d9592335c1,0x00706a7a63e8938a,0x005a533558bc4caf,0x00558e33192022a9,0x00970d9faf74c133,0x002979fcb63493ca)},\n- {FIELD_LITERAL(0x00e38abece3c82ab,0x005a51f18a2c7a86,0x009dafa2e86d592e,0x00495a62eb688678,0x00b79df74c0eb212,0x0023e8cc78b75982,0x005998cb91075e13,0x00735aa9ba61bc76)},\n- {FIELD_LITERAL(0x00d9f7a82ddbe628,0x00a1fc782889ae0f,0x0071ffda12d14b66,0x0037cf4eca7fb3d5,0x00c80bc242c58808,0x0075bf8c2d08c863,0x008d41f31afc52a7,0x00197962ecf38741)},\n- {FIELD_LITERAL(0x006e9f475cccf2ee,0x00454b9cd506430c,0x00224a4fb79ee479,0x0062e3347ef0b5e2,0x0034fd2a3512232a,0x00b8b3cb0f457046,0x00eb20165daa38ec,0x00128eebc2d9c0f7)},\n- {FIELD_LITERAL(0x00bfc5fa1e4ea21f,0x00c21d7b6bb892e6,0x00cf043f3acf0291,0x00c13f2f849b3c90,0x00d1a97ebef10891,0x0061e130a445e7fe,0x0019513fdedbf22b,0x001d60c813bff841)},\n- {FIELD_LITERAL(0x0019561c7fcf0213,0x00e3dca6843ebd77,0x0068ea95b9ca920e,0x009bdfb70f253595,0x00c68f59186aa02a,0x005aee1cca1c3039,0x00ab79a8a937a1ce,0x00b9a0e549959e6f)},\n- {FIELD_LITERAL(0x00c79e0b6d97dfbd,0x00917c71fd2bc6e8,0x00db7529ccfb63d8,0x00be5be957f17866,0x00a9e11fdc2cdac1,0x007b91a8e1f44443,0x00a3065e4057d80f,0x004825f5b8d5f6d4)},\n- {FIELD_LITERAL(0x003e4964fa8a8fc8,0x00f6a1cdbcf41689,0x00943cb18fe7fda7,0x00606dafbf34440a,0x005d37a86399c789,0x00e79a2a69417403,0x00fe34f7e68b8866,0x0011f448ed2df10e)},\n- {FIELD_LITERAL(0x00f1f57efcc1fcc4,0x00513679117de154,0x002e5b5b7c86d8c3,0x009f6486561f9cfb,0x00169e74b0170cf7,0x00900205af4af696,0x006acfddb77853f3,0x00df184c90f31068)},\n- {FIELD_LITERAL(0x00b37396c3320791,0x00fc7b67175c5783,0x00c36d2cd73ecc38,0x0080ebcc0b328fc5,0x0043a5b22b35d35d,0x00466c9f1713c9da,0x0026ad346dcaa8da,0x007c684e701183a6)},\n- 
{FIELD_LITERAL(0x00fd579ffb691713,0x00b76af4f81c412d,0x00f239de96110f82,0x00e965fb437f0306,0x00ca7e9436900921,0x00e487f1325fa24a,0x00633907de476380,0x00721c62ac5b8ea0)},\n- {FIELD_LITERAL(0x00c0d54e542eb4f9,0x004ed657171c8dcf,0x00b743a4f7c2a39b,0x00fd9f93ed6cc567,0x00307fae3113e58b,0x0058aa577c93c319,0x00d254556f35b346,0x00491aada2203f0d)},\n- {FIELD_LITERAL(0x00dff3103786ff34,0x000144553b1f20c3,0x0095613baeb930e4,0x00098058275ea5d4,0x007cd1402b046756,0x0074d74e4d58aee3,0x005f93fc343ff69b,0x00873df17296b3b0)},\n- {FIELD_LITERAL(0x00c4a1fb48635413,0x00b5dd54423ad59f,0x009ff5d53fd24a88,0x003c98d267fc06a7,0x002db7cb20013641,0x00bd1d6716e191f2,0x006dbc8b29094241,0x0044bbf233dafa2c)},\n- {FIELD_LITERAL(0x0055838d41f531e6,0x00bf6a2dd03c81b2,0x005827a061c4839e,0x0000de2cbb36aac3,0x002efa29d9717478,0x00f9e928cc8a77ba,0x00c134b458def9ef,0x00958a182223fc48)},\n- {FIELD_LITERAL(0x000a9ee23c06881f,0x002c727d3d871945,0x00f47d971512d24a,0x00671e816f9ef31a,0x00883af2cfaad673,0x00601f98583d6c9a,0x00b435f5adc79655,0x00ad87b71c04bff2)},\n- {FIELD_LITERAL(0x007860d99db787cf,0x00fda8983018f4a8,0x008c8866bac4743c,0x00ef471f84c82a3f,0x00abea5976d3b8e7,0x00714882896cd015,0x00b49fae584ddac5,0x008e33a1a0b69c81)},\n- {FIELD_LITERAL(0x007b6ee2c9e8a9ec,0x002455dbbd89d622,0x006490cf4eaab038,0x00d925f6c3081561,0x00153b3047de7382,0x003b421f8bdceb6f,0x00761a4a5049da78,0x00980348c5202433)},\n- {FIELD_LITERAL(0x007f8a43da97dd5c,0x00058539c800fc7b,0x0040f3cf5a28414a,0x00d68dd0d95283d6,0x004adce9da90146e,0x00befa41c7d4f908,0x007603bc2e3c3060,0x00bdf360ab3545db)},\n- {FIELD_LITERAL(0x00eebfd4e2312cc3,0x00474b2564e4fc8c,0x003303ef14b1da9b,0x003c93e0e66beb1d,0x0013619b0566925a,0x008817c24d901bf3,0x00b62bd8898d218b,0x0075a7716f1e88a2)},\n- {FIELD_LITERAL(0x0009218da1e6890f,0x0026907f5fd02575,0x004dabed5f19d605,0x003abf181870249d,0x00b52fd048cc92c4,0x00b6dd51e415a5c5,0x00d9eb82bd2b4014,0x002c865a43b46b43)},\n- 
{FIELD_LITERAL(0x0070047189452f4c,0x00f7ad12e1ce78d5,0x00af1ba51ec44a8b,0x005f39f63e667cd6,0x00058eac4648425e,0x00d7fdab42bea03b,0x0028576a5688de15,0x00af973209e77c10)},\n- {FIELD_LITERAL(0x00c338b915d8fef0,0x00a893292045c39a,0x0028ab4f2eba6887,0x0060743cb519fd61,0x0006213964093ac0,0x007c0b7a43f6266d,0x008e3557c4fa5bda,0x002da976de7b8d9d)},\n- {FIELD_LITERAL(0x0048729f8a8b6dcd,0x00fe23b85cc4d323,0x00e7384d16e4db0e,0x004a423970678942,0x00ec0b763345d4ba,0x00c477b9f99ed721,0x00c29dad3777b230,0x001c517b466f7df6)},\n- {FIELD_LITERAL(0x006366c380f7b574,0x001c7d1f09ff0438,0x003e20a7301f5b22,0x00d3efb1916d28f6,0x0049f4f81060ce83,0x00c69d91ea43ced1,0x002b6f3e5cd269ed,0x005b0fb22ce9ec65)},\n- {FIELD_LITERAL(0x00aa2261022d883f,0x00ebcca4548010ac,0x002528512e28a437,0x0070ca7676b66082,0x0084bda170f7c6d3,0x00581b4747c9b8bb,0x005c96a01061c7e2,0x00fb7c4a362b5273)},\n- {FIELD_LITERAL(0x00c30020eb512d02,0x0060f288283a4d26,0x00b7ed13becde260,0x0075ebb74220f6e9,0x00701079fcfe8a1f,0x001c28fcdff58938,0x002e4544b8f4df6b,0x0060c5bc4f1a7d73)},\n- {FIELD_LITERAL(0x00ae307cf069f701,0x005859f222dd618b,0x00212d6c46ec0b0d,0x00a0fe4642afb62d,0x00420d8e4a0a8903,0x00a80ff639bdf7b0,0x0019bee1490b5d8e,0x007439e4b9c27a86)},\n- {FIELD_LITERAL(0x00a94700032a093f,0x0076e96c225216e7,0x00a63a4316e45f91,0x007d8bbb4645d3b2,0x00340a6ff22793eb,0x006f935d4572aeb7,0x00b1fb69f00afa28,0x009e8f3423161ed3)},\n- {FIELD_LITERAL(0x009ef49c6b5ced17,0x00a555e6269e9f0a,0x007e6f1d79ec73b5,0x009ac78695a32ac4,0x0001d77fbbcd5682,0x008cea1fee0aaeed,0x00f42bea82a53462,0x002e46ab96cafcc9)},\n- {FIELD_LITERAL(0x0051cfcc5885377a,0x00dce566cb1803ca,0x00430c7643f2c7d4,0x00dce1a1337bdcc0,0x0010d5bd7283c128,0x003b1b547f9b46fe,0x000f245e37e770ab,0x007b72511f022b37)},\n- {FIELD_LITERAL(0x0060db815bc4786c,0x006fab25beedc434,0x00c610d06084797c,0x000c48f08537bec0,0x0031aba51c5b93da,0x007968fa6e01f347,0x0030070da52840c6,0x00c043c225a4837f)},\n- 
{FIELD_LITERAL(0x001bcfd00649ee93,0x006dceb47e2a0fd5,0x00f2cebda0cf8fd0,0x00b6b9d9d1fbdec3,0x00815262e6490611,0x00ef7f5ce3176760,0x00e49cd0c998d58b,0x005fc6cc269ba57c)},\n- {FIELD_LITERAL(0x008940211aa0d633,0x00addae28136571d,0x00d68fdbba20d673,0x003bc6129bc9e21a,0x000346cf184ebe9a,0x0068774d741ebc7f,0x0019d5e9e6966557,0x0003cbd7f981b651)},\n- {FIELD_LITERAL(0x004a2902926f8d3f,0x00ad79b42637ab75,0x0088f60b90f2d4e8,0x0030f54ef0e398c4,0x00021dc9bf99681e,0x007ebf66fde74ee3,0x004ade654386e9a4,0x00e7485066be4c27)},\n- {FIELD_LITERAL(0x00445f1263983be0,0x004cf371dda45e6a,0x00744a89d5a310e7,0x001f20ce4f904833,0x00e746edebe66e29,0x000912ab1f6c153d,0x00f61d77d9b2444c,0x0001499cd6647610)}\n-};\n-const gf API_NS(precomputed_wnaf_as_fe)[96]\n-VECTOR_ALIGNED __attribute__((visibility(\u0022hidden\u0022))) \u003d {\n- {FIELD_LITERAL(0x00303cda6feea532,0x00860f1d5a3850e4,0x00226b9fa4728ccd,0x00e822938a0a0c0c,0x00263a61c9ea9216,0x001204029321b828,0x006a468360983c65,0x0002846f0a782143)},\n- {FIELD_LITERAL(0x00303cda6feea532,0x00860f1d5a3850e4,0x00226b9fa4728ccd,0x006822938a0a0c0c,0x00263a61c9ea9215,0x001204029321b828,0x006a468360983c65,0x0082846f0a782143)},\n- {FIELD_LITERAL(0x00ef8e22b275198d,0x00b0eb141a0b0e8b,0x001f6789da3cb38c,0x006d2ff8ed39073e,0x00610bdb69a167f3,0x00571f306c9689b4,0x00f557e6f84b2df8,0x002affd38b2c86db)},\n- {FIELD_LITERAL(0x00cea0fc8d2e88b5,0x00821612d69f1862,0x0074c283b3e67522,0x005a195ba05a876d,0x000cddfe557feea4,0x008046c795bcc5e5,0x00540969f4d6e119,0x00d27f96d6b143d5)},\n- {FIELD_LITERAL(0x000c3b1019d474e8,0x00e19533e4952284,0x00cc9810ba7c920a,0x00f103d2785945ac,0x00bfa5696cc69b34,0x00a8d3d51e9ca839,0x005623cb459586b9,0x00eae7ce1cd52e9e)},\n- {FIELD_LITERAL(0x0005a178751dd7d8,0x002cc3844c69c42f,0x00acbfe5efe10539,0x009c20f43431a65a,0x008435d96374a7b3,0x009ee57566877bd3,0x0044691725ed4757,0x001e87bb2fe2c6b2)},\n- 
{FIELD_LITERAL(0x000cedc4debf7a04,0x002ffa45000470ac,0x002e9f9678201915,0x0017da1208c4fe72,0x007d558cc7d656cb,0x0037a827287cf289,0x00142472d3441819,0x009c21f166cf8dd1)},\n- {FIELD_LITERAL(0x003ef83af164b2f2,0x000949a5a0525d0d,0x00f4498186cac051,0x00e77ac09ef126d2,0x0073ae0b2c9296e9,0x001c163f6922e3ed,0x0062946159321bea,0x00cfb79b22990b39)},\n- {FIELD_LITERAL(0x00b001431ca9e654,0x002d7e5eabcc9a3a,0x0052e8114c2f6747,0x0079ac4f94487f92,0x00bffd919b5d749c,0x00261f92ad15e620,0x00718397b7a97895,0x00c1443e6ebbc0c4)},\n- {FIELD_LITERAL(0x00eacd90c1e0a049,0x008977935b149fbe,0x0004cb9ba11c93dc,0x009fbd5b3470844d,0x004bc18c9bfc22cf,0x0057679a991839f3,0x00ef15b76fb4092e,0x0074a5173a225041)},\n- {FIELD_LITERAL(0x003f5f9d7ec4777b,0x00ab2e733c919c94,0x001bb6c035245ae5,0x00a325a49a883630,0x0033e9a9ea3cea2f,0x00e442a1eaa0e844,0x00b2116d5b0e71b8,0x00c16abed6d64047)},\n- {FIELD_LITERAL(0x00c560b5ed051165,0x001945adc5d65094,0x00e221865710f910,0x00cc12bc9e9b8ceb,0x004faa9518914e35,0x0017476d89d42f6d,0x00b8f637c8fa1c8b,0x0088c7d2790864b8)},\n- {FIELD_LITERAL(0x00ef7eafc1c69be6,0x0085d3855778fbea,0x002c8d5b450cb6f5,0x004e77de5e1e7fec,0x0047c057893abded,0x001b430b85d51e16,0x00965c7b45640c3c,0x00487b2bb1162b97)},\n- {FIELD_LITERAL(0x0099c73a311beec2,0x00a3eff38d8912ad,0x002efa9d1d7e8972,0x00f717ae1e14d126,0x002833f795850c8b,0x0066c12ad71486bd,0x00ae9889da4820eb,0x00d6044309555c08)},\n- {FIELD_LITERAL(0x004b1c5283d15e41,0x00669d8ea308ff75,0x0004390233f762a1,0x00e1d67b83cb6cec,0x003eebaa964c78b1,0x006b0aff965eb664,0x00b313d4470bdc37,0x008814ffcb3cb9d8)},\n- {FIELD_LITERAL(0x009724b8ce68db70,0x007678b5ed006f3d,0x00bdf4b89c0abd73,0x00299748e04c7c6d,0x00ddd86492c3c977,0x00c5a7febfa30a99,0x00ed84715b4b02bb,0x00319568adf70486)},\n- {FIELD_LITERAL(0x0070ff2d864de5bb,0x005a37eeb637ee95,0x0033741c258de160,0x00e6ca5cb1988f46,0x001ceabd92a24661,0x0030957bd500fe40,0x001c3362afe912c5,0x005187889f678bd2)},\n- 
{FIELD_LITERAL(0x0086835fc62bbdc7,0x009c3516ca4910a1,0x00956c71f8d00783,0x0095c78fcf63235f,0x00fc7ff6ba05c222,0x00cdd8b3f8d74a52,0x00ac5ae16de8256e,0x00e9d4be8ed48624)},\n- {FIELD_LITERAL(0x00c0ce11405df2d8,0x004e3f37b293d7b6,0x002410172e1ac6db,0x00b8dbff4bf8143d,0x003a7b409d56eb66,0x003e0f6a0dfef9af,0x0081c4e4d3645be1,0x00ce76076b127623)},\n- {FIELD_LITERAL(0x00f6ee0f98974239,0x0042d89af07d3a4f,0x00846b7fe84346b5,0x006a21fc6a8d39a1,0x00ac8bc2541ff2d9,0x006d4e2a77732732,0x009a39b694cc3f2f,0x0085c0aa2a404c8f)},\n- {FIELD_LITERAL(0x00b261101a218548,0x00c1cae96424277b,0x00869da0a77dd268,0x00bc0b09f8ec83ea,0x00d61027f8e82ba9,0x00aa4c85999dce67,0x00eac3132b9f3fe1,0x00fb9b0cf1c695d2)},\n- {FIELD_LITERAL(0x0043079295512f0d,0x0046a009861758e0,0x003ee2842a807378,0x0034cc9d1298e4fa,0x009744eb4d31b3ee,0x00afacec96650cd0,0x00ac891b313761ae,0x00e864d6d26e708a)},\n- {FIELD_LITERAL(0x00a84d7c8a23b491,0x0088e19aa868b27f,0x0005986d43e78ce9,0x00f28012f0606d28,0x0017ded7e10249b3,0x005ed4084b23af9b,0x00b9b0a940564472,0x00ad9056cceeb1f4)},\n- {FIELD_LITERAL(0x00db91b357fe755e,0x00a1aa544b15359c,0x00af4931a0195574,0x007686124fe11aef,0x00d1ead3c7b9ef7e,0x00aaf5fc580f8c15,0x00e727be147ee1ec,0x003c61c1e1577b86)},\n- {FIELD_LITERAL(0x009d3fca983220cf,0x00cd11acbc853dc4,0x0017590409d27f1d,0x00d2176698082802,0x00fa01251b2838c8,0x00dd297a0d9b51c6,0x00d76c92c045820a,0x00534bc7c46c9033)},\n- {FIELD_LITERAL(0x0080ed9bc9b07338,0x00fceac7745d2652,0x008a9d55f5f2cc69,0x0096ce72df301ac5,0x00f53232e7974d87,0x0071728c7ae73947,0x0090507602570778,0x00cb81cfd883b1b2)},\n- {FIELD_LITERAL(0x005011aadea373da,0x003a8578ec896034,0x00f20a6535fa6d71,0x005152d31e5a87cf,0x002bac1c8e68ca31,0x00b0e323db4c1381,0x00f1d596b7d5ae25,0x00eae458097cb4e0)},\n- {FIELD_LITERAL(0x00920ac80f9b0d21,0x00f80f7f73401246,0x0086d37849b557d6,0x0002bd4b317b752e,0x00b26463993a42bb,0x002070422a73b129,0x00341acaa0380cb3,0x00541914dd66a1b2)},\n- 
{FIELD_LITERAL(0x00c1513cd66abe8c,0x000139e01118944d,0x0064abbcb8080bbb,0x00b3b08202473142,0x00c629ef25da2403,0x00f0aec3310d9b7f,0x0050b2227472d8cd,0x00f6c8a922d41fb4)},\n- {FIELD_LITERAL(0x001075ccf26b7b1f,0x00bb6bb213170433,0x00e9491ad262da79,0x009ef4f48d2d384c,0x008992770766f09d,0x001584396b6b1101,0x00af3f8676c9feef,0x0024603c40269118)},\n- {FIELD_LITERAL(0x009dd7b31319527c,0x001e7ac948d873a9,0x00fa54b46ef9673a,0x0066efb8d5b02fe6,0x00754b1d3928aeae,0x0004262ac72a6f6b,0x0079b7d49a6eb026,0x003126a753540102)},\n- {FIELD_LITERAL(0x009666e24f693947,0x00f714311269d45f,0x0010ffac1d0c851c,0x0066e80c37363497,0x00f1f4ad010c60b0,0x0015c87408470ff7,0x00651d5e9c7766a4,0x008138819d7116de)},\n- {FIELD_LITERAL(0x003934b11c57253b,0x00ef308edf21f46e,0x00e54e99c7a16198,0x0080d57135764e63,0x00751c27b946bc24,0x00dd389ce4e9e129,0x00a1a2bfd1cd84dc,0x002fae73e5149b32)},\n- {FIELD_LITERAL(0x00911657dffb4cdd,0x00c100b7cc553d06,0x00449d075ec467cc,0x007062100bc64e70,0x0043cf86f7bd21e7,0x00f401dc4b797dea,0x005224afb2f62e65,0x00d1ede3fb5a42be)},\n- {FIELD_LITERAL(0x00f2ba36a41aa144,0x00a0c22d946ee18f,0x008aae8ef9a14f99,0x00eef4d79b19bb36,0x008e75ce3d27b1fc,0x00a65daa03b29a27,0x00d9cc83684eb145,0x009e1ed80cc2ed74)},\n- {FIELD_LITERAL(0x00bed953d1997988,0x00b93ed175a24128,0x00871c5963fb6365,0x00ca2df20014a787,0x00f5d9c1d0b34322,0x00f6f5942818db0a,0x004cc091f49c9906,0x00e8a188a60bff9f)},\n- {FIELD_LITERAL(0x0032c7762032fae8,0x00e4087232e0bc21,0x00f767344b6e8d85,0x00bbf369b76c2aa2,0x008a1f46c6e1570c,0x001368cd9780369f,0x007359a39d079430,0x0003646512921434)},\n- {FIELD_LITERAL(0x007c4b47ca7c73e7,0x005396221039734b,0x008b64ddf0e45d7e,0x00bfad5af285e6c2,0x008ec711c5b1a1a8,0x00cf663301237f98,0x00917ee3f1655126,0x004152f337efedd8)},\n- {FIELD_LITERAL(0x0007c7edc9305daa,0x000a6664f273701c,0x00f6e78795e200b1,0x005d05b9ecd2473e,0x0014f5f17c865786,0x00c7fd2d166fa995,0x004939a2d8eb80e0,0x002244ba0942c199)},\n- 
{FIELD_LITERAL(0x00321e767f0262cf,0x002e57d776caf68e,0x00bf2c94814f0437,0x00c339196acd622f,0x001db4cce71e2770,0x001ded5ddba6eee2,0x0078608ab1554c8d,0x00067fe0ab76365b)},\n- {FIELD_LITERAL(0x00f09758e11e3985,0x00169efdbd64fad3,0x00e8889b7d6dacd6,0x0035cdd58ea88209,0x00bcda47586d7f49,0x003cdddcb2879088,0x0016da70187e954b,0x009556ea2e92aacd)},\n- {FIELD_LITERAL(0x008cab16bd1ff897,0x00b389972cdf753f,0x00ea8ed1e46dfdc0,0x004fe7ef94c589f4,0x002b8ae9b805ecf3,0x0025c08d892874a5,0x0023938e98d44c4c,0x00f759134cabf69c)},\n- {FIELD_LITERAL(0x006c2a84678e4b3b,0x007a194aacd1868f,0x00ed0225af424761,0x00da0a6f293c64b8,0x001062ac5c6a7a18,0x0030f5775a8aeef4,0x0002acaad76b7af0,0x00410b8fd63a579f)},\n- {FIELD_LITERAL(0x001ec59db3d9590e,0x001e9e3f1c3f182d,0x0045a9c3ec2cab14,0x0008198572aeb673,0x00773b74068bd167,0x0012535eaa395434,0x0044dba9e3bbb74a,0x002fba4d3c74bd0e)},\n- {FIELD_LITERAL(0x0042bf08fe66922c,0x003318b8fbb49e8c,0x00d75946004aa14c,0x00f601586b42bf1c,0x00c74cf1d912fe66,0x00abcb36974b30ad,0x007eb78720c9d2b8,0x009f54ab7bd4df85)},\n- {FIELD_LITERAL(0x00db9fc948f73826,0x00fa8b3746ed8ee9,0x00132cb65aafbeb2,0x00c36ff3fe7925b8,0x00837daed353d2fe,0x00ec661be0667cf4,0x005beb8ed2e90204,0x00d77dd69e564967)},\n- {FIELD_LITERAL(0x0042e6268b861751,0x0008dd0469500c16,0x00b51b57c338a3fd,0x00cc4497d85cff6b,0x002f13d6b57c34a4,0x0083652eaf301105,0x00cc344294cc93a8,0x0060f4d02810e270)},\n- {FIELD_LITERAL(0x00a8954363cd518b,0x00ad171124bccb7b,0x0065f46a4adaae00,0x001b1a5b2a96e500,0x0043fe24f8233285,0x0066996d8ae1f2c3,0x00c530f3264169f9,0x00c0f92d07cf6a57)},\n- {FIELD_LITERAL(0x0036a55c6815d943,0x008c8d1def993db3,0x002e0e1e8ff7318f,0x00d883a4b92db00a,0x002f5e781ae33906,0x001a72adb235c06d,0x00f2e59e736e9caa,0x001a4b58e3031914)},\n- {FIELD_LITERAL(0x00d73bfae5e00844,0x00bf459766fb5f52,0x0061b4f5a5313cde,0x004392d4c3b95514,0x000d3551b1077523,0x0000998840ee5d71,0x006de6e340448b7b,0x00251aa504875d6e)},\n- 
{FIELD_LITERAL(0x003bf343427ac342,0x00adc0a78642b8c5,0x0003b893175a8314,0x0061a34ade5703bc,0x00ea3ea8bb71d632,0x00be0df9a1f198c2,0x0046dd8e7c1635fb,0x00f1523fdd25d5e5)},\n- {FIELD_LITERAL(0x00633f63fc9dd406,0x00e713ff80e04a43,0x0060c6e970f2d621,0x00a57cd7f0df1891,0x00f2406a550650bb,0x00b064290efdc684,0x001eab0144d17916,0x00cd15f863c293ab)},\n- {FIELD_LITERAL(0x0029cec55273f70d,0x007044ee275c6340,0x0040f637a93015e2,0x00338bb78db5aae9,0x001491b2a6132147,0x00a125d6cfe6bde3,0x005f7ac561ba8669,0x001d5eaea3fbaacf)},\n- {FIELD_LITERAL(0x00054e9635e3be31,0x000e43f31e2872be,0x00d05b1c9e339841,0x006fac50bd81fd98,0x00cdc7852eaebb09,0x004ff519b061991b,0x009099e8107d4c85,0x00273e24c36a4a61)},\n- {FIELD_LITERAL(0x00070b4441ef2c46,0x00efa5b02801a109,0x00bf0b8c3ee64adf,0x008a67e0b3452e98,0x001916b1f2fa7a74,0x00d781a78ff6cdc3,0x008682ce57e5c919,0x00cc1109dd210da3)},\n- {FIELD_LITERAL(0x00cae8aaff388663,0x005e983a35dda1c7,0x007ab1030d8e37f4,0x00e48940f5d032fe,0x006a36f9ef30b331,0x009be6f03958c757,0x0086231ceba91400,0x008bd0f7b823e7aa)},\n- {FIELD_LITERAL(0x00cf881ebef5a45a,0x004ebea78e7c6f2c,0x0090da9209cf26a0,0x00de2b2e4c775b84,0x0071d6031c3c15ae,0x00d9e927ef177d70,0x00894ee8c23896fd,0x00e3b3b401e41aad)},\n- {FIELD_LITERAL(0x00204fef26864170,0x00819269c5dee0f8,0x00bfb4713ec97966,0x0026339a6f34df78,0x001f26e64c761dc2,0x00effe3af313cb60,0x00e17b70138f601b,0x00f16e1ccd9ede5e)},\n- {FIELD_LITERAL(0x005d9a8353fdb2db,0x0055cc2048c698f0,0x00f6c4ac89657218,0x00525034d73faeb2,0x00435776fbda3c7d,0x0070ea5312323cbc,0x007a105d44d069fb,0x006dbc8d6dc786aa)},\n- {FIELD_LITERAL(0x0017cff19cd394ec,0x00fef7b810922587,0x00e6483970dff548,0x00ddf36ad6874264,0x00e61778523fcce2,0x0093a66c0c93b24a,0x00fd367114db7f86,0x007652d7ddce26dd)},\n- {FIELD_LITERAL(0x00d92ced7ba12843,0x00aea9c7771e86e7,0x0046639693354f7b,0x00a628dbb6a80c47,0x003a0b0507372953,0x00421113ab45c0d9,0x00e545f08362ab7a,0x0028ce087b4d6d96)},\n- 
{FIELD_LITERAL(0x00a67ee7cf9f99eb,0x005713b275f2ff68,0x00f1d536a841513d,0x00823b59b024712e,0x009c46b9d0d38cec,0x00cdb1595aa2d7d4,0x008375b3423d9af8,0x000ab0b516d978f7)},\n- {FIELD_LITERAL(0x00428dcb3c510b0f,0x00585607ea24bb4e,0x003736bf1603687a,0x00c47e568c4fe3c7,0x003cd00282848605,0x0043a487c3b91939,0x004ffc04e1095a06,0x00a4c989a3d4b918)},\n- {FIELD_LITERAL(0x00a8778d0e429f7a,0x004c02b059105a68,0x0016653b609da3ff,0x00d5107bd1a12d27,0x00b4708f9a771cab,0x00bb63b662033f69,0x0072f322240e7215,0x0019445b59c69222)},\n- {FIELD_LITERAL(0x00cf4f6069a658e6,0x0053ca52859436a6,0x0064b994d7e3e117,0x00cb469b9a07f534,0x00cfb68f399e9d47,0x00f0dcb8dac1c6e7,0x00f2ab67f538b3a5,0x0055544f178ab975)},\n- {FIELD_LITERAL(0x0099b7a2685d538c,0x00e2f1897b7c0018,0x003adac8ce48dae3,0x00089276d5c50c0c,0x00172fca07ad6717,0x00cb1a72f54069e5,0x004ee42f133545b3,0x00785f8651362f16)},\n- {FIELD_LITERAL(0x0049cbac38509e11,0x0015234505d42cdf,0x00794fb0b5840f1c,0x00496437344045a5,0x0031b6d944e4f9b0,0x00b207318ac1f5d8,0x0000c840da7f5c5d,0x00526f373a5c8814)},\n- {FIELD_LITERAL(0x002c7b7742d1dfd9,0x002cabeb18623c01,0x00055f5e3e044446,0x006c20f3b4ef54ba,0x00c600141ec6b35f,0x00354f437f1a32a3,0x00bac4624a3520f9,0x00c483f734a90691)},\n- {FIELD_LITERAL(0x0053a737d422918d,0x00f7fca1d8758625,0x00c360336dadb04c,0x00f38e3d9158a1b8,0x0069ce3b418e84c6,0x005d1697eca16ead,0x00f8bd6a35ece13d,0x007885dfc2b5afea)},\n- {FIELD_LITERAL(0x00c3617ae260776c,0x00b20dc3e96922d7,0x00a1a7802246706a,0x00ca6505a5240244,0x002246b62d919782,0x001439102d7aa9b3,0x00e8af1139e6422c,0x00c888d1b52f2b05)},\n- {FIELD_LITERAL(0x005b67690ffd41d9,0x005294f28df516f9,0x00a879272412fcb9,0x00098b629a6d1c8d,0x00fabd3c8050865a,0x00cd7e5b0a3879c5,0x00153238210f3423,0x00357cac101e9f42)},\n- {FIELD_LITERAL(0x008917b454444fb7,0x00f59247c97e441b,0x00a6200a6815152d,0x0009a4228601d254,0x001c0360559bd374,0x007563362039cb36,0x00bd75b48d74e32b,0x0017f515ac3499e8)},\n- 
{FIELD_LITERAL(0x001532a7ffe41c5a,0x00eb1edce358d6bf,0x00ddbacc7b678a7b,0x008a7b70f3c841a3,0x00f1923bf27d3f4c,0x000b2713ed8f7873,0x00aaf67e29047902,0x0044994a70b3976d)},\n- {FIELD_LITERAL(0x00d54e802082d42c,0x00a55aa0dce7cc6c,0x006477b96073f146,0x0082efe4ceb43594,0x00a922bcba026845,0x0077f19d1ab75182,0x00c2bb2737846e59,0x0004d7eec791dd33)},\n- {FIELD_LITERAL(0x0044588d1a81d680,0x00b0a9097208e4f8,0x00212605350dc57e,0x0028717cd2871123,0x00fb083c100fd979,0x0045a056ce063fdf,0x00a5d604b4dd6a41,0x001dabc08ba4e236)},\n- {FIELD_LITERAL(0x00c4887198d7a7fa,0x00244f98fb45784a,0x0045911e15a15d01,0x001d323d374c0966,0x00967c3915196562,0x0039373abd2f3c67,0x000d2c5614312423,0x0041cf2215442ce3)},\n- {FIELD_LITERAL(0x008ede889ada7f06,0x001611e91de2e135,0x00fdb9a458a471b9,0x00563484e03710d1,0x0031cc81925e3070,0x0062c97b3af80005,0x00fa733eea28edeb,0x00e82457e1ebbc88)},\n- {FIELD_LITERAL(0x006a0df5fe9b6f59,0x00a0d4ff46040d92,0x004a7cedb6f93250,0x00d1df8855b8c357,0x00e73a46086fd058,0x0048fb0add6dfe59,0x001e03a28f1b4e3d,0x00a871c993308d76)},\n- {FIELD_LITERAL(0x0030dbb2d1766ec8,0x00586c0ad138555e,0x00d1a34f9e91c77c,0x0063408ad0e89014,0x00d61231b05f6f5b,0x0009abf569f5fd8a,0x00aec67a110f1c43,0x0031d1a790938dd7)},\n- {FIELD_LITERAL(0x006cded841e2a862,0x00198d60af0ab6fb,0x0018f09db809e750,0x004e6ac676016263,0x00eafcd1620969cb,0x002c9784ca34917d,0x0054f00079796de7,0x00d9fab5c5972204)},\n- {FIELD_LITERAL(0x004bd0fee2438a83,0x00b571e62b0f83bd,0x0059287d7ce74800,0x00fb3631b645c3f0,0x00a018e977f78494,0x0091e27065c27b12,0x007696c1817165e0,0x008c40be7c45ba3a)},\n- {FIELD_LITERAL(0x00a0f326327cb684,0x001c7d0f672680ff,0x008c1c81ffb112d1,0x00f8f801674eddc8,0x00e926d5d48c2a9d,0x005bd6d954c6fe9a,0x004c6b24b4e33703,0x00d05eb5c09105cc)},\n- {FIELD_LITERAL(0x00d61731caacf2cf,0x002df0c7609e01c5,0x00306172208b1e2b,0x00b413fe4fb2b686,0x00826d360902a221,0x003f8d056e67e7f7,0x0065025b0175e989,0x00369add117865eb)},\n- 
{FIELD_LITERAL(0x00aaf895aec2fa11,0x000f892bc313eb52,0x005b1c794dad050b,0x003f8ec4864cec14,0x00af81058d0b90e5,0x00ebe43e183997bb,0x00a9d610f9f3e615,0x007acd8eec2e88d3)},\n- {FIELD_LITERAL(0x0049b2fab13812a3,0x00846db32cd60431,0x000177fa578c8d6c,0x00047d0e2ad4bc51,0x00b158ba38d1e588,0x006a45daad79e3f3,0x000997b93cab887b,0x00c47ea42fa23dc3)},\n- {FIELD_LITERAL(0x0012b6fef7aeb1ca,0x009412768194b6a7,0x00ff0d351f23ab93,0x007e8a14c1aff71b,0x006c1c0170c512bc,0x0016243ea02ab2e5,0x007bb6865b303f3e,0x0015ce6b29b159f4)},\n- {FIELD_LITERAL(0x009961cd02e68108,0x00e2035d3a1d0836,0x005d51f69b5e1a1d,0x004bccb4ea36edcd,0x0069be6a7aeef268,0x0063f4dd9de8d5a7,0x006283783092ca35,0x0075a31af2c35409)},\n- {FIELD_LITERAL(0x00c412365162e8cf,0x00012283fb34388a,0x003e6543babf39e2,0x00eead6b3a804978,0x0099c0314e8b326f,0x00e98e0a8d477a4f,0x00d2eb96b127a687,0x00ed8d7df87571bb)},\n- {FIELD_LITERAL(0x00777463e308cacf,0x00c8acb93950132d,0x00ebddbf4ca48b2c,0x0026ad7ca0795a0a,0x00f99a3d9a715064,0x000d60bcf9d4dfcc,0x005e65a73a437a06,0x0019d536a8db56c8)},\n- {FIELD_LITERAL(0x00192d7dd558d135,0x0027cd6a8323ffa7,0x00239f1a412dc1e7,0x0046b4b3be74fc5c,0x0020c47a2bef5bce,0x00aa17e48f43862b,0x00f7e26c96342e5f,0x0008011c530f39a9)},\n- {FIELD_LITERAL(0x00aad4ac569bf0f1,0x00a67adc90b27740,0x0048551369a5751a,0x0031252584a3306a,0x0084e15df770e6fc,0x00d7bba1c74b5805,0x00a80ef223af1012,0x0089c85ceb843a34)},\n- {FIELD_LITERAL(0x00c4545be4a54004,0x0099e11f60357e6c,0x001f3936d19515a6,0x007793df84341a6e,0x0051061886717ffa,0x00e9b0a660b28f85,0x0044ea685892de0d,0x000257d2a1fda9d9)},\n- {FIELD_LITERAL(0x007e8b01b24ac8a8,0x006cf3b0b5ca1337,0x00f1607d3e36a570,0x0039b7fab82991a1,0x00231777065840c5,0x00998e5afdd346f9,0x00b7dc3e64acc85f,0x00baacc748013ad6)},\n- {FIELD_LITERAL(0x008ea6a4177580bf,0x005fa1953e3f0378,0x005fe409ac74d614,0x00452327f477e047,0x00a4018507fb6073,0x007b6e71951caac8,0x0012b42ab8a6ce91,0x0080eca677294ab7)},\n- 
{FIELD_LITERAL(0x00a53edc023ba69b,0x00c6afa83ddde2e8,0x00c3f638b307b14e,0x004a357a64414062,0x00e4d94d8b582dc9,0x001739caf71695b7,0x0012431b2ae28de1,0x003b6bc98682907c)},\n- {FIELD_LITERAL(0x008a9a93be1f99d6,0x0079fa627cc699c8,0x00b0cfb134ba84c8,0x001c4b778249419a,0x00df4ab3d9c44f40,0x009f596e6c1a9e3c,0x001979c0df237316,0x00501e953a919b87)}\n-};\ndiff --git a/crypto/ec/curve448/GENERATED/c/ed448goldilocks/eddsa.c b/crypto/ec/curve448/GENERATED/c/ed448goldilocks/eddsa.c\ndeleted file mode 100644\nindex f6c1836..0000000\n--- a/crypto/ec/curve448/GENERATED/c/ed448goldilocks/eddsa.c\n+++ /dev/null\n@@ -1,328 +0,0 @@\n-/**\n- * @file ed448goldilocks/eddsa.c\n- * @author Mike Hamburg\n- *\n- * @copyright\n- * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- *\n- * @cond internal\n- * @brief EdDSA routines.\n- *\n- * @warning This file was automatically generated in Python.\n- * Please do not edit it.\n- */\n-#include \u0022word.h\u0022\n-#include \u003cdecaf/ed448.h\u003e\n-#include \u003cdecaf/shake.h\u003e\n-#include \u003cdecaf/sha512.h\u003e\n-#include \u003cstring.h\u003e\n-\n-#define API_NAME \u0022decaf_448\u0022\n-#define API_NS(_id) decaf_448_##_id\n-\n-#define hash_ctx_t decaf_shake256_ctx_t\n-#define hash_init decaf_shake256_init\n-#define hash_update decaf_shake256_update\n-#define hash_final decaf_shake256_final\n-#define hash_destroy decaf_shake256_destroy\n-#define hash_hash decaf_shake256_hash\n-\n-#define NO_CONTEXT DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS\n-#define EDDSA_USE_SIGMA_ISOGENY 0\n-#define COFACTOR 4\n-#define EDDSA_PREHASH_BYTES 64\n-\n-#if NO_CONTEXT\n-const uint8_t NO_CONTEXT_POINTS_HERE \u003d 0;\n-const uint8_t * const DECAF_ED448_NO_CONTEXT \u003d \u0026NO_CONTEXT_POINTS_HERE;\n-#endif\n-\n-/* EDDSA_BASE_POINT_RATIO \u003d 1 or 2\n- * Because EdDSA25519 is not on E_d but on the isogenous E_sigma_d,\n- * its base point is twice ours.\n- 
*/\n-#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY) /* TODO: remove */\n-\n-static void clamp (\n- uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]\n-) {\n- /* Blarg */\n- secret_scalar_ser[0] \u0026\u003d -COFACTOR;\n- uint8_t hibit \u003d (1\u003c\u003c0)\u003e\u003e1;\n- if (hibit \u003d\u003d 0) {\n- secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] \u003d 0;\n- secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |\u003d 0x80;\n- } else {\n- secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] \u0026\u003d hibit-1;\n- secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |\u003d hibit;\n- }\n-}\n-\n-static void hash_init_with_dom(\n- hash_ctx_t hash,\n- uint8_t prehashed,\n- uint8_t for_prehash,\n- const uint8_t *context,\n- uint8_t context_len\n-) {\n- hash_init(hash);\n-\n-#if NO_CONTEXT\n- if (context_len \u003d\u003d 0 \u0026\u0026 context \u003d\u003d DECAF_ED448_NO_CONTEXT) {\n- (void)prehashed;\n- (void)for_prehash;\n- (void)context;\n- (void)context_len;\n- return;\n- }\n-#endif\n- const char *dom_s \u003d \u0022SigEd448\u0022;\n- const uint8_t dom[2] \u003d {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};\n- hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));\n- hash_update(hash,dom,2);\n- hash_update(hash,context,context_len);\n-}\n-\n-void decaf_ed448_prehash_init (\n- hash_ctx_t hash\n-) {\n- hash_init(hash);\n-}\n-\n-/* In this file because it uses the hash */\n-void decaf_ed448_convert_private_key_to_x448 (\n- uint8_t x[DECAF_X448_PRIVATE_BYTES],\n- const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]\n-) {\n- /* pass the private key through hash_hash function */\n- /* and keep the first DECAF_X448_PRIVATE_BYTES bytes */\n- hash_hash(\n- x,\n- DECAF_X448_PRIVATE_BYTES,\n- ed,\n- DECAF_EDDSA_448_PRIVATE_BYTES\n- );\n-}\n- \n-void decaf_ed448_derive_public_key (\n- uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]\n-) {\n- /* only this much used for 
keygen */\n- uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];\n- \n- hash_hash(\n- secret_scalar_ser,\n- sizeof(secret_scalar_ser),\n- privkey,\n- DECAF_EDDSA_448_PRIVATE_BYTES\n- );\n- clamp(secret_scalar_ser);\n- \n- API_NS(scalar_t) secret_scalar;\n- API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));\n- \n- /* Since we are going to mul_by_cofactor during encoding, divide by it here.\n- * However, the EdDSA base point is not the same as the decaf base point if\n- * the sigma isogeny is in use: the EdDSA base point is on Etwist_d/(1-d) and\n- * the decaf base point is on Etwist_d, and when converted it effectively\n- * picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1. \n- */\n- for (unsigned int c\u003d1; c\u003cDECAF_448_EDDSA_ENCODE_RATIO; c \u003c\u003c\u003d 1) {\n- API_NS(scalar_halve)(secret_scalar,secret_scalar);\n- }\n- \n- API_NS(point_t) p;\n- API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);\n- \n- API_NS(point_mul_by_ratio_and_encode_like_eddsa)(pubkey, p);\n- \n- /* Cleanup */\n- API_NS(scalar_destroy)(secret_scalar);\n- API_NS(point_destroy)(p);\n- decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser));\n-}\n-\n-void decaf_ed448_sign (\n- uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n- const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],\n- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const uint8_t *message,\n- size_t message_len,\n- uint8_t prehashed,\n- const uint8_t *context,\n- uint8_t context_len\n-) {\n- API_NS(scalar_t) secret_scalar;\n- hash_ctx_t hash;\n- {\n- /* Schedule the secret key */\n- struct {\n- uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];\n- uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES];\n- } __attribute__((packed)) expanded;\n- hash_hash(\n- (uint8_t *)\u0026expanded,\n- sizeof(expanded),\n- privkey,\n- DECAF_EDDSA_448_PRIVATE_BYTES\n- );\n- clamp(expanded.secret_scalar_ser); \n- 
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));\n- \n- /* Hash to create the nonce */\n- hash_init_with_dom(hash,prehashed,0,context,context_len);\n- hash_update(hash,expanded.seed,sizeof(expanded.seed));\n- hash_update(hash,message,message_len);\n- decaf_bzero(\u0026expanded, sizeof(expanded));\n- }\n- \n- /* Decode the nonce */\n- API_NS(scalar_t) nonce_scalar;\n- {\n- uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES];\n- hash_final(hash,nonce,sizeof(nonce));\n- API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));\n- decaf_bzero(nonce, sizeof(nonce));\n- }\n- \n- uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] \u003d {0};\n- {\n- /* Scalarmul to create the nonce-point */\n- API_NS(scalar_t) nonce_scalar_2;\n- API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);\n- for (unsigned int c \u003d 2; c \u003c DECAF_448_EDDSA_ENCODE_RATIO; c \u003c\u003c\u003d 1) {\n- API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);\n- }\n- \n- API_NS(point_t) p;\n- API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);\n- API_NS(point_mul_by_ratio_and_encode_like_eddsa)(nonce_point, p);\n- API_NS(point_destroy)(p);\n- API_NS(scalar_destroy)(nonce_scalar_2);\n- }\n- \n- API_NS(scalar_t) challenge_scalar;\n- {\n- /* Compute the challenge */\n- hash_init_with_dom(hash,prehashed,0,context,context_len);\n- hash_update(hash,nonce_point,sizeof(nonce_point));\n- hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);\n- hash_update(hash,message,message_len);\n- uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];\n- hash_final(hash,challenge,sizeof(challenge));\n- hash_destroy(hash);\n- API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));\n- decaf_bzero(challenge,sizeof(challenge));\n- }\n- \n- API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);\n- API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);\n- \n- 
decaf_bzero(signature,DECAF_EDDSA_448_SIGNATURE_BYTES);\n- memcpy(signature,nonce_point,sizeof(nonce_point));\n- API_NS(scalar_encode)(\u0026signature[DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);\n- \n- API_NS(scalar_destroy)(secret_scalar);\n- API_NS(scalar_destroy)(nonce_scalar);\n- API_NS(scalar_destroy)(challenge_scalar);\n-}\n-\n-\n-void decaf_ed448_sign_prehash (\n- uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n- const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],\n- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const decaf_ed448_prehash_ctx_t hash,\n- const uint8_t *context,\n- uint8_t context_len\n-) {\n- uint8_t hash_output[EDDSA_PREHASH_BYTES];\n- {\n- decaf_ed448_prehash_ctx_t hash_too;\n- memcpy(hash_too,hash,sizeof(hash_too));\n- hash_final(hash_too,hash_output,sizeof(hash_output));\n- hash_destroy(hash_too);\n- }\n-\n- decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);\n- decaf_bzero(hash_output,sizeof(hash_output));\n-}\n-\n-decaf_error_t decaf_ed448_verify (\n- const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const uint8_t *message,\n- size_t message_len,\n- uint8_t prehashed,\n- const uint8_t *context,\n- uint8_t context_len\n-) { \n- API_NS(point_t) pk_point, r_point;\n- decaf_error_t error \u003d API_NS(point_decode_like_eddsa_and_mul_by_ratio)(pk_point,pubkey);\n- if (DECAF_SUCCESS !\u003d error) { return error; }\n- \n- error \u003d API_NS(point_decode_like_eddsa_and_mul_by_ratio)(r_point,signature);\n- if (DECAF_SUCCESS !\u003d error) { return error; }\n- \n- API_NS(scalar_t) challenge_scalar;\n- {\n- /* Compute the challenge */\n- hash_ctx_t hash;\n- hash_init_with_dom(hash,prehashed,0,context,context_len);\n- hash_update(hash,signature,DECAF_EDDSA_448_PUBLIC_BYTES);\n- hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);\n- hash_update(hash,message,message_len);\n- uint8_t 
challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];\n- hash_final(hash,challenge,sizeof(challenge));\n- hash_destroy(hash);\n- API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));\n- decaf_bzero(challenge,sizeof(challenge));\n- }\n- API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);\n- \n- API_NS(scalar_t) response_scalar;\n- API_NS(scalar_decode_long)(\n- response_scalar,\n- \u0026signature[DECAF_EDDSA_448_PUBLIC_BYTES],\n- DECAF_EDDSA_448_PRIVATE_BYTES\n- );\n- \n- for (unsigned c\u003d1; c\u003cDECAF_448_EDDSA_DECODE_RATIO; c\u003c\u003c\u003d1) {\n- API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);\n- }\n- \n- \n- /* pk_point \u003d -c(x(P)) + (cx + k)G \u003d kG */\n- API_NS(base_double_scalarmul_non_secret)(\n- pk_point,\n- response_scalar,\n- pk_point,\n- challenge_scalar\n- );\n- return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));\n-}\n-\n-\n-decaf_error_t decaf_ed448_verify_prehash (\n- const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const decaf_ed448_prehash_ctx_t hash,\n- const uint8_t *context,\n- uint8_t context_len\n-) {\n- decaf_error_t ret;\n- \n- uint8_t hash_output[EDDSA_PREHASH_BYTES];\n- {\n- decaf_ed448_prehash_ctx_t hash_too;\n- memcpy(hash_too,hash,sizeof(hash_too));\n- hash_final(hash_too,hash_output,sizeof(hash_output));\n- hash_destroy(hash_too);\n- }\n- \n- ret \u003d decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);\n- \n- return ret;\n-}\ndiff --git a/crypto/ec/curve448/GENERATED/c/ed448goldilocks/scalar.c b/crypto/ec/curve448/GENERATED/c/ed448goldilocks/scalar.c\ndeleted file mode 100644\nindex 1c98ac9..0000000\n--- a/crypto/ec/curve448/GENERATED/c/ed448goldilocks/scalar.c\n+++ /dev/null\n@@ -1,341 +0,0 @@\n-/**\n- * @file ed448goldilocks/scalar.c\n- * @author Mike Hamburg\n- *\n- * @copyright\n- * Copyright (c) 2015-2016 Cryptography Research, Inc. 
\u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- *\n- * @brief Decaf high-level functions.\n- *\n- * @warning This file was automatically generated in Python.\n- * Please do not edit it.\n- */\n-#include \u0022word.h\u0022\n-#include \u0022constant_time.h\u0022\n-#include \u003cdecaf.h\u003e\n-\n-/* Template stuff */\n-#define API_NS(_id) decaf_448_##_id\n-#define SCALAR_BITS DECAF_448_SCALAR_BITS\n-#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES\n-#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS\n-#define scalar_t API_NS(scalar_t)\n-\n-static const decaf_word_t MONTGOMERY_FACTOR \u003d (decaf_word_t)0x3bd440fae918bc5ull;\n-static const scalar_t sc_p \u003d {{{\n- SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff)\n-}}}, sc_r2 \u003d {{{\n- SC_LIMB(0xe3539257049b9b60), SC_LIMB(0x7af32c4bc1b195d9), SC_LIMB(0x0d66de2388ea1859), SC_LIMB(0xae17cf725ee4d838), SC_LIMB(0x1a9cc14ba3c47c44), SC_LIMB(0x2052bcb7e4d070af), SC_LIMB(0x3402a939f823b729)\n-}}};\n-/* End of template stuff */\n-\n-#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */\n-\n-const scalar_t API_NS(scalar_one) \u003d {{{1}}}, API_NS(scalar_zero) \u003d {{{0}}};\n-\n-/** {extra,accum} - sub +? 
p\n- * Must have extra \u003c\u003d 1\n- */\n-static DECAF_NOINLINE void sc_subx(\n- scalar_t out,\n- const decaf_word_t accum[SCALAR_LIMBS],\n- const scalar_t sub,\n- const scalar_t p,\n- decaf_word_t extra\n-) {\n- decaf_dsword_t chain \u003d 0;\n- unsigned int i;\n- for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n- chain \u003d (chain + accum[i]) - sub-\u003elimb[i];\n- out-\u003elimb[i] \u003d chain;\n- chain \u003e\u003e\u003d WBITS;\n- }\n- decaf_word_t borrow \u003d chain+extra; /* \u003d 0 or -1 */\n- \n- chain \u003d 0;\n- for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n- chain \u003d (chain + out-\u003elimb[i]) + (p-\u003elimb[i] \u0026 borrow);\n- out-\u003elimb[i] \u003d chain;\n- chain \u003e\u003e\u003d WBITS;\n- }\n-}\n-\n-static DECAF_NOINLINE void sc_montmul (\n- scalar_t out,\n- const scalar_t a,\n- const scalar_t b\n-) {\n- unsigned int i,j;\n- decaf_word_t accum[SCALAR_LIMBS+1] \u003d {0};\n- decaf_word_t hi_carry \u003d 0;\n- \n- for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n- decaf_word_t mand \u003d a-\u003elimb[i];\n- const decaf_word_t *mier \u003d b-\u003elimb;\n- \n- decaf_dword_t chain \u003d 0;\n- for (j\u003d0; j\u003cSCALAR_LIMBS; j++) {\n- chain +\u003d ((decaf_dword_t)mand)*mier[j] + accum[j];\n- accum[j] \u003d chain;\n- chain \u003e\u003e\u003d WBITS;\n- }\n- accum[j] \u003d chain;\n- \n- mand \u003d accum[0] * MONTGOMERY_FACTOR;\n- chain \u003d 0;\n- mier \u003d sc_p-\u003elimb;\n- for (j\u003d0; j\u003cSCALAR_LIMBS; j++) {\n- chain +\u003d (decaf_dword_t)mand*mier[j] + accum[j];\n- if (j) accum[j-1] \u003d chain;\n- chain \u003e\u003e\u003d WBITS;\n- }\n- chain +\u003d accum[j];\n- chain +\u003d hi_carry;\n- accum[j-1] \u003d chain;\n- hi_carry \u003d chain \u003e\u003e WBITS;\n- }\n- \n- sc_subx(out, accum, sc_p, sc_p, hi_carry);\n-}\n-\n-void API_NS(scalar_mul) (\n- scalar_t out,\n- const scalar_t a,\n- const scalar_t b\n-) {\n- sc_montmul(out,a,b);\n- sc_montmul(out,out,sc_r2);\n-}\n-\n-/* PERF: could implement this */\n-static 
DECAF_INLINE void sc_montsqr (scalar_t out, const scalar_t a) {\n- sc_montmul(out,a,a);\n-}\n-\n-decaf_error_t API_NS(scalar_invert) (\n- scalar_t out,\n- const scalar_t a\n-) {\n- /* Fermat's little theorem, sliding window.\n- * Sliding window is fine here because the modulus isn't secret.\n- */\n- const int SCALAR_WINDOW_BITS \u003d 3;\n- scalar_t precmp[1\u003c\u003cSCALAR_WINDOW_BITS];\n- const int LAST \u003d (1\u003c\u003cSCALAR_WINDOW_BITS)-1;\n-\n- /* Precompute precmp \u003d [a^1,a^3,...] */\n- sc_montmul(precmp[0],a,sc_r2);\n- if (LAST \u003e 0) sc_montmul(precmp[LAST],precmp[0],precmp[0]);\n-\n- int i;\n- for (i\u003d1; i\u003c\u003dLAST; i++) {\n- sc_montmul(precmp[i],precmp[i-1],precmp[LAST]);\n- }\n- \n- /* Sliding window */\n- unsigned residue \u003d 0, trailing \u003d 0, started \u003d 0;\n- for (i\u003dSCALAR_BITS-1; i\u003e\u003d-SCALAR_WINDOW_BITS; i--) {\n- \n- if (started) sc_montsqr(out,out);\n- \n- decaf_word_t w \u003d (i\u003e\u003d0) ? sc_p-\u003elimb[i/WBITS] : 0;\n- if (i \u003e\u003d 0 \u0026\u0026 i\u003cWBITS) {\n- assert(w \u003e\u003d 2);\n- w-\u003d2;\n- }\n- \n- residue \u003d (residue\u003c\u003c1) | ((w\u003e\u003e(i%WBITS))\u00261);\n- if (residue\u003e\u003eSCALAR_WINDOW_BITS !\u003d 0) {\n- assert(trailing \u003d\u003d 0);\n- trailing \u003d residue;\n- residue \u003d 0;\n- }\n- \n- if (trailing \u003e 0 \u0026\u0026 (trailing \u0026 ((1\u003c\u003cSCALAR_WINDOW_BITS)-1)) \u003d\u003d 0) {\n- if (started) {\n- sc_montmul(out,out,precmp[trailing\u003e\u003e(SCALAR_WINDOW_BITS+1)]);\n- } else {\n- API_NS(scalar_copy)(out,precmp[trailing\u003e\u003e(SCALAR_WINDOW_BITS+1)]);\n- started \u003d 1;\n- }\n- trailing \u003d 0;\n- }\n- trailing \u003c\u003c\u003d 1;\n- \n- }\n- assert(residue\u003d\u003d0);\n- assert(trailing\u003d\u003d0);\n- \n- /* Demontgomerize */\n- sc_montmul(out,out,API_NS(scalar_one));\n- decaf_bzero(precmp, sizeof(precmp));\n- return decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero)));\n-}\n-\n-void 
API_NS(scalar_sub) (\n- scalar_t out,\n- const scalar_t a,\n- const scalar_t b\n-) {\n- sc_subx(out, a-\u003elimb, b, sc_p, 0);\n-}\n-\n-void API_NS(scalar_add) (\n- scalar_t out,\n- const scalar_t a,\n- const scalar_t b\n-) {\n- decaf_dword_t chain \u003d 0;\n- unsigned int i;\n- for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n- chain \u003d (chain + a-\u003elimb[i]) + b-\u003elimb[i];\n- out-\u003elimb[i] \u003d chain;\n- chain \u003e\u003e\u003d WBITS;\n- }\n- sc_subx(out, out-\u003elimb, sc_p, sc_p, chain);\n-}\n-\n-void\n-API_NS(scalar_set_unsigned) (\n- scalar_t out,\n- uint64_t w\n-) {\n- memset(out,0,sizeof(scalar_t));\n- unsigned int i \u003d 0;\n- for (; i\u003csizeof(uint64_t)/sizeof(decaf_word_t); i++) {\n- out-\u003elimb[i] \u003d w;\n-#if DECAF_WORD_BITS \u003c 64\n- w \u003e\u003e\u003d 8*sizeof(decaf_word_t);\n-#endif\n- }\n-}\n-\n-decaf_bool_t\n-API_NS(scalar_eq) (\n- const scalar_t a,\n- const scalar_t b\n-) {\n- decaf_word_t diff \u003d 0;\n- unsigned int i;\n- for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n- diff |\u003d a-\u003elimb[i] ^ b-\u003elimb[i];\n- }\n- return mask_to_bool(word_is_zero(diff));\n-}\n-\n-static DECAF_INLINE void scalar_decode_short (\n- scalar_t s,\n- const unsigned char *ser,\n- unsigned int nbytes\n-) {\n- unsigned int i,j,k\u003d0;\n- for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n- decaf_word_t out \u003d 0;\n- for (j\u003d0; j\u003csizeof(decaf_word_t) \u0026\u0026 k\u003cnbytes; j++,k++) {\n- out |\u003d ((decaf_word_t)ser[k])\u003c\u003c(8*j);\n- }\n- s-\u003elimb[i] \u003d out;\n- }\n-}\n-\n-decaf_error_t API_NS(scalar_decode)(\n- scalar_t s,\n- const unsigned char ser[SCALAR_SER_BYTES]\n-) {\n- unsigned int i;\n- scalar_decode_short(s, ser, SCALAR_SER_BYTES);\n- decaf_dsword_t accum \u003d 0;\n- for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n- accum \u003d (accum + s-\u003elimb[i] - sc_p-\u003elimb[i]) \u003e\u003e WBITS;\n- }\n- /* Here accum \u003d\u003d 0 or -1 */\n- \n- API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* 
ham-handed reduce */\n- \n- return decaf_succeed_if(~word_is_zero(accum));\n-}\n-\n-void API_NS(scalar_destroy) (\n- scalar_t scalar\n-) {\n- decaf_bzero(scalar, sizeof(scalar_t));\n-}\n-\n-void API_NS(scalar_decode_long)(\n- scalar_t s,\n- const unsigned char *ser,\n- size_t ser_len\n-) {\n- if (ser_len \u003d\u003d 0) {\n- API_NS(scalar_copy)(s, API_NS(scalar_zero));\n- return;\n- }\n- \n- size_t i;\n- scalar_t t1, t2;\n-\n- i \u003d ser_len - (ser_len%SCALAR_SER_BYTES);\n- if (i\u003d\u003dser_len) i -\u003d SCALAR_SER_BYTES;\n- \n- scalar_decode_short(t1, \u0026ser[i], ser_len-i);\n-\n- if (ser_len \u003d\u003d sizeof(scalar_t)) {\n- assert(i\u003d\u003d0);\n- /* ham-handed reduce */\n- API_NS(scalar_mul)(s,t1,API_NS(scalar_one));\n- API_NS(scalar_destroy)(t1);\n- return;\n- }\n-\n- while (i) {\n- i -\u003d SCALAR_SER_BYTES;\n- sc_montmul(t1,t1,sc_r2);\n- ignore_result( API_NS(scalar_decode)(t2, ser+i) );\n- API_NS(scalar_add)(t1, t1, t2);\n- }\n-\n- API_NS(scalar_copy)(s, t1);\n- API_NS(scalar_destroy)(t1);\n- API_NS(scalar_destroy)(t2);\n-}\n-\n-void API_NS(scalar_encode)(\n- unsigned char ser[SCALAR_SER_BYTES],\n- const scalar_t s\n-) {\n- unsigned int i,j,k\u003d0;\n- for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n- for (j\u003d0; j\u003csizeof(decaf_word_t); j++,k++) {\n- ser[k] \u003d s-\u003elimb[i] \u003e\u003e (8*j);\n- }\n- }\n-}\n-\n-void API_NS(scalar_cond_sel) (\n- scalar_t out,\n- const scalar_t a,\n- const scalar_t b,\n- decaf_bool_t pick_b\n-) {\n- constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out-\u003elimb[0]));\n-}\n-\n-void API_NS(scalar_halve) (\n- scalar_t out,\n- const scalar_t a\n-) {\n- decaf_word_t mask \u003d -(a-\u003elimb[0] \u0026 1);\n- decaf_dword_t chain \u003d 0;\n- unsigned int i;\n- for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n- chain \u003d (chain + a-\u003elimb[i]) + (sc_p-\u003elimb[i] \u0026 mask);\n- out-\u003elimb[i] \u003d chain;\n- chain \u003e\u003e\u003d DECAF_WORD_BITS;\n- }\n- for 
(i\u003d0; i\u003cSCALAR_LIMBS-1; i++) {\n- out-\u003elimb[i] \u003d out-\u003elimb[i]\u003e\u003e1 | out-\u003elimb[i+1]\u003c\u003c(WBITS-1);\n- }\n- out-\u003elimb[i] \u003d out-\u003elimb[i]\u003e\u003e1 | chain\u003c\u003c(WBITS-1);\n-}\n-\ndiff --git a/crypto/ec/curve448/GENERATED/c/p448/f_field.h b/crypto/ec/curve448/GENERATED/c/p448/f_field.h\ndeleted file mode 100644\nindex 4eef718..0000000\n--- a/crypto/ec/curve448/GENERATED/c/p448/f_field.h\n+++ /dev/null\n@@ -1,110 +0,0 @@\n-/**\n- * @file p448/f_field.h\n- * @author Mike Hamburg\n- *\n- * @copyright\n- * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- *\n- * @brief Field-specific code for 2^448 - 2^224 - 1.\n- *\n- * @warning This file was automatically generated in Python.\n- * Please do not edit it.\n- */\n-\n-#ifndef __P448_F_FIELD_H__\n-#define __P448_F_FIELD_H__ 1\n-\n-#include \u0022constant_time.h\u0022\n-#include \u003cstring.h\u003e\n-#include \u003cassert.h\u003e\n-\n-#include \u0022word.h\u0022\n-\n-#define __DECAF_448_GF_DEFINED__ 1\n-#define NLIMBS (64/sizeof(word_t))\n-#define X_SER_BYTES 56\n-#define SER_BYTES 56\n-typedef struct gf_448_s {\n- word_t limb[NLIMBS];\n-} __attribute__((aligned(32))) gf_448_s, gf_448_t[1];\n-\n-#define GF_LIT_LIMB_BITS 56\n-#define GF_BITS 448\n-#define ZERO gf_448_ZERO\n-#define ONE gf_448_ONE\n-#define MODULUS gf_448_MODULUS\n-#define gf gf_448_t\n-#define gf_s gf_448_s\n-#define gf_eq gf_448_eq\n-#define gf_hibit gf_448_hibit\n-#define gf_lobit gf_448_lobit\n-#define gf_copy gf_448_copy\n-#define gf_add gf_448_add\n-#define gf_sub gf_448_sub\n-#define gf_add_RAW gf_448_add_RAW\n-#define gf_sub_RAW gf_448_sub_RAW\n-#define gf_bias gf_448_bias\n-#define gf_weak_reduce gf_448_weak_reduce\n-#define gf_strong_reduce gf_448_strong_reduce\n-#define gf_mul gf_448_mul\n-#define gf_sqr gf_448_sqr\n-#define gf_mulw_unsigned gf_448_mulw_unsigned\n-#define gf_isr 
gf_448_isr\n-#define gf_serialize gf_448_serialize\n-#define gf_deserialize gf_448_deserialize\n-\n-/* RFC 7748 support */\n-#define X_PUBLIC_BYTES X_SER_BYTES\n-#define X_PRIVATE_BYTES X_PUBLIC_BYTES\n-#define X_PRIVATE_BITS 448\n-\n-#define SQRT_MINUS_ONE P448_SQRT_MINUS_ONE /* might not be defined */\n-\n-#define INLINE_UNUSED __inline__ __attribute__((unused,always_inline))\n-\n-#ifdef __cplusplus\n-extern \u0022C\u0022 {\n-#endif\n-\n-/* Defined below in f_impl.h */\n-static INLINE_UNUSED void gf_copy (gf out, const gf a) { *out \u003d *a; }\n-static INLINE_UNUSED void gf_add_RAW (gf out, const gf a, const gf b);\n-static INLINE_UNUSED void gf_sub_RAW (gf out, const gf a, const gf b);\n-static INLINE_UNUSED void gf_bias (gf inout, int amount);\n-static INLINE_UNUSED void gf_weak_reduce (gf inout);\n-\n-void gf_strong_reduce (gf inout); \n-void gf_add (gf out, const gf a, const gf b);\n-void gf_sub (gf out, const gf a, const gf b);\n-void gf_mul (gf_s *__restrict__ out, const gf a, const gf b);\n-void gf_mulw_unsigned (gf_s *__restrict__ out, const gf a, uint32_t b);\n-void gf_sqr (gf_s *__restrict__ out, const gf a);\n-mask_t gf_isr(gf a, const gf x); /** a^2 x \u003d 1, QNR, or 0 if x\u003d0. 
Return true if successful */\n-mask_t gf_eq (const gf x, const gf y);\n-mask_t gf_lobit (const gf x);\n-mask_t gf_hibit (const gf x);\n-\n-void gf_serialize (uint8_t *serial, const gf x,int with_highbit);\n-mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_hibit,uint8_t hi_nmask);\n-\n-\n-#ifdef __cplusplus\n-} /* extern \u0022C\u0022 */\n-#endif\n-\n-#include \u0022f_impl.h\u0022 /* Bring in the inline implementations */\n-\n-#define P_MOD_8 7\n-#if P_MOD_8 \u003d\u003d 5\n- extern const gf SQRT_MINUS_ONE;\n-#endif\n-\n-#ifndef LIMBPERM\n- #define LIMBPERM(i) (i)\n-#endif\n-#define LIMB_MASK(i) (((1ull)\u003c\u003cLIMB_PLACE_VALUE(i))-1)\n-\n-static const gf ZERO \u003d {{{0}}}, ONE \u003d {{{ [LIMBPERM(0)] \u003d 1 }}};\n-\n-#endif /* __P448_F_FIELD_H__ */\ndiff --git a/crypto/ec/curve448/GENERATED/c/p448/f_generic.c b/crypto/ec/curve448/GENERATED/c/p448/f_generic.c\ndeleted file mode 100644\nindex d09a989..0000000\n--- a/crypto/ec/curve448/GENERATED/c/p448/f_generic.c\n+++ /dev/null\n@@ -1,144 +0,0 @@\n-/**\n- * @file p448/f_generic.c\n- * @author Mike Hamburg\n- *\n- * @copyright\n- * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- *\n- * @brief Generic arithmetic which has to be compiled per field.\n- *\n- * @warning This file was automatically generated in Python.\n- * Please do not edit it.\n- */\n-#include \u0022field.h\u0022\n-\n-static const gf MODULUS \u003d {FIELD_LITERAL(\n- 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff, 0xfffffffffffffe, 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff\n-)};\n- \n-#if P_MOD_8 \u003d\u003d 5\n- const gf SQRT_MINUS_ONE \u003d {FIELD_LITERAL(\n- /* NOPE */\n- )};\n-#endif\n-\n-/** Serialize to wire format. 
*/\n-void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {\n- gf red;\n- gf_copy(red, x);\n- gf_strong_reduce(red);\n- if (!with_hibit) { assert(gf_hibit(red) \u003d\u003d 0); }\n- \n- unsigned int j\u003d0, fill\u003d0;\n- dword_t buffer \u003d 0;\n- UNROLL for (unsigned int i\u003d0; i\u003c(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {\n- if (fill \u003c 8 \u0026\u0026 j \u003c NLIMBS) {\n- buffer |\u003d ((dword_t)red-\u003elimb[LIMBPERM(j)]) \u003c\u003c fill;\n- fill +\u003d LIMB_PLACE_VALUE(LIMBPERM(j));\n- j++;\n- }\n- serial[i] \u003d buffer;\n- fill -\u003d 8;\n- buffer \u003e\u003e\u003d 8;\n- }\n-}\n-\n-/** Return high bit of x \u003d low bit of 2x mod p */\n-mask_t gf_hibit(const gf x) {\n- gf y;\n- gf_add(y,x,x);\n- gf_strong_reduce(y);\n- return -(y-\u003elimb[0]\u00261);\n-}\n-\n-/** Return high bit of x \u003d low bit of 2x mod p */\n-mask_t gf_lobit(const gf x) {\n- gf y;\n- gf_copy(y,x);\n- gf_strong_reduce(y);\n- return -(y-\u003elimb[0]\u00261);\n-}\n-\n-/** Deserialize from wire format; return -1 on success and 0 on failure. */\n-mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, uint8_t hi_nmask) {\n- unsigned int j\u003d0, fill\u003d0;\n- dword_t buffer \u003d 0;\n- dsword_t scarry \u003d 0;\n- const unsigned nbytes \u003d with_hibit ? X_SER_BYTES : SER_BYTES;\n- UNROLL for (unsigned int i\u003d0; i\u003cNLIMBS; i++) {\n- UNROLL while (fill \u003c LIMB_PLACE_VALUE(LIMBPERM(i)) \u0026\u0026 j \u003c nbytes) {\n- uint8_t sj \u003d serial[j];\n- if (j\u003d\u003dnbytes-1) sj \u0026\u003d ~hi_nmask;\n- buffer |\u003d ((dword_t)sj) \u003c\u003c fill;\n- fill +\u003d 8;\n- j++;\n- }\n- x-\u003elimb[LIMBPERM(i)] \u003d (i\u003cNLIMBS-1) ? 
buffer \u0026 LIMB_MASK(LIMBPERM(i)) : buffer;\n- fill -\u003d LIMB_PLACE_VALUE(LIMBPERM(i));\n- buffer \u003e\u003e\u003d LIMB_PLACE_VALUE(LIMBPERM(i));\n- scarry \u003d (scarry + x-\u003elimb[LIMBPERM(i)] - MODULUS-\u003elimb[LIMBPERM(i)]) \u003e\u003e (8*sizeof(word_t));\n- }\n- mask_t succ \u003d with_hibit ? -(mask_t)1 : ~gf_hibit(x);\n- return succ \u0026 word_is_zero(buffer) \u0026 ~word_is_zero(scarry);\n-}\n-\n-/** Reduce to canonical form. */\n-void gf_strong_reduce (gf a) {\n- /* first, clear high */\n- gf_weak_reduce(a); /* Determined to have negligible perf impact. */\n-\n- /* now the total is less than 2p */\n-\n- /* compute total_value - p. No need to reduce mod p. */\n- dsword_t scarry \u003d 0;\n- for (unsigned int i\u003d0; i\u003cNLIMBS; i++) {\n- scarry \u003d scarry + a-\u003elimb[LIMBPERM(i)] - MODULUS-\u003elimb[LIMBPERM(i)];\n- a-\u003elimb[LIMBPERM(i)] \u003d scarry \u0026 LIMB_MASK(LIMBPERM(i));\n- scarry \u003e\u003e\u003d LIMB_PLACE_VALUE(LIMBPERM(i));\n- }\n-\n- /* uncommon case: it was \u003e\u003d p, so now scarry \u003d 0 and this \u003d x\n- * common case: it was \u003c p, so now scarry \u003d -1 and this \u003d x - p + 2^255\n- * so let's add back in p. 
will carry back off the top for 2^255.\n- */\n- assert(word_is_zero(scarry) | word_is_zero(scarry+1));\n-\n- word_t scarry_0 \u003d scarry;\n- dword_t carry \u003d 0;\n-\n- /* add it back */\n- for (unsigned int i\u003d0; i\u003cNLIMBS; i++) {\n- carry \u003d carry + a-\u003elimb[LIMBPERM(i)] + (scarry_0 \u0026 MODULUS-\u003elimb[LIMBPERM(i)]);\n- a-\u003elimb[LIMBPERM(i)] \u003d carry \u0026 LIMB_MASK(LIMBPERM(i));\n- carry \u003e\u003e\u003d LIMB_PLACE_VALUE(LIMBPERM(i));\n- }\n-\n- assert(word_is_zero(carry + scarry_0));\n-}\n-\n-/** Subtract two gf elements d\u003da-b */\n-void gf_sub (gf d, const gf a, const gf b) {\n- gf_sub_RAW ( d, a, b );\n- gf_bias( d, 2 );\n- gf_weak_reduce ( d );\n-}\n-\n-/** Add two field elements d \u003d a+b */\n-void gf_add (gf d, const gf a, const gf b) {\n- gf_add_RAW ( d, a, b );\n- gf_weak_reduce ( d );\n-}\n-\n-/** Compare a\u003d\u003db */\n-mask_t gf_eq(const gf a, const gf b) {\n- gf c;\n- gf_sub(c,a,b);\n- gf_strong_reduce(c);\n- mask_t ret\u003d0;\n- for (unsigned int i\u003d0; i\u003cNLIMBS; i++) {\n- ret |\u003d c-\u003elimb[LIMBPERM(i)];\n- }\n-\n- return word_is_zero(ret);\n-}\ndiff --git a/crypto/ec/curve448/GENERATED/include/decaf.h b/crypto/ec/curve448/GENERATED/include/decaf.h\ndeleted file mode 100644\nindex d3cb60c..0000000\n--- a/crypto/ec/curve448/GENERATED/include/decaf.h\n+++ /dev/null\n@@ -1,32 +0,0 @@\n-/**\n- * @file decaf.h\n- * @author Mike Hamburg\n- *\n- * @copyright\n- * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- *\n- * Master header for Decaf library.\n- *\n- * The Decaf library implements cryptographic operations on a elliptic curve\n- * groups of prime order p. It accomplishes this by using a twisted Edwards\n- * curve (isogenous to Ed448-Goldilocks or Ed25519) and wiping out the cofactor.\n- *\n- * The formulas are all complete and have no special cases. However, some\n- * functions can fail. 
For example, decoding functions can fail because not\n- * every string is the encoding of a valid group element.\n- *\n- * The formulas contain no data-dependent branches, timing or memory accesses,\n- * except for decaf_XXX_base_double_scalarmul_non_secret.\n- *\n- * @warning This file was automatically generated in Python.\n- * Please do not edit it.\n- */\n-\n-#ifndef __DECAF_H__\n-#define __DECAF_H__ 1\n-\n-#include \u003cdecaf/point_255.h\u003e\n-#include \u003cdecaf/point_448.h\u003e\n-\n-#endif /* __DECAF_H__ */\ndiff --git a/crypto/ec/curve448/GENERATED/include/decaf/common.h b/crypto/ec/curve448/GENERATED/include/decaf/common.h\ndeleted file mode 100644\nindex 64719ad..0000000\n--- a/crypto/ec/curve448/GENERATED/include/decaf/common.h\n+++ /dev/null\n@@ -1,116 +0,0 @@\n-/**\n- * @file decaf/common.h\n- * @author Mike Hamburg\n- *\n- * @copyright\n- * Copyright (c) 2015 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- *\n- * @brief Common utility headers for Decaf library.\n- */\n-\n-#ifndef __DECAF_COMMON_H__\n-#define __DECAF_COMMON_H__ 1\n-\n-#include \u003cstdint.h\u003e\n-#include \u003csys/types.h\u003e\n-\n-#ifdef __cplusplus\n-extern \u0022C\u0022 {\n-#endif\n-\n-/* Goldilocks' build flags default to hidden and stripping executables. 
*/\n-/** @cond internal */\n-#if defined(DOXYGEN) \u0026\u0026 !defined(__attribute__)\n-#define __attribute__((x))\n-#endif\n-#define DECAF_API_VIS __attribute__((visibility(\u0022default\u0022)))\n-#define DECAF_NOINLINE __attribute__((noinline))\n-#define DECAF_WARN_UNUSED __attribute__((warn_unused_result))\n-#define DECAF_NONNULL __attribute__((nonnull))\n-#define DECAF_INLINE inline __attribute__((always_inline,unused))\n-// Cribbed from libnotmuch\n-#if defined (__clang_major__) \u0026\u0026 __clang_major__ \u003e\u003d 3 \u005c\n- || defined (__GNUC__) \u0026\u0026 __GNUC__ \u003e\u003d 5 \u005c\n- || defined (__GNUC__) \u0026\u0026 __GNUC__ \u003d\u003d 4 \u0026\u0026 __GNUC_MINOR__ \u003e\u003d 5\n-#define DECAF_DEPRECATED(msg) __attribute__ ((deprecated(msg)))\n-#else\n-#define DECAF_DEPRECATED(msg) __attribute__ ((deprecated))\n-#endif\n-/** @endcond */\n-\n-/* Internal word types.\n- *\n- * Somewhat tricky. This could be decided separately per platform. However,\n- * the structs do need to be all the same size and alignment on a given\n- * platform to support dynamic linking, since even if you header was built\n- * with eg arch_neon, you might end up linking a library built with arch_arm32.\n- */\n-#ifndef DECAF_WORD_BITS\n- #if (defined(__ILP64__) || defined(__amd64__) || defined(__x86_64__) || (((__UINT_FAST32_MAX__)\u003e\u003e30)\u003e\u003e30))\n- #define DECAF_WORD_BITS 64 /**\u003c The number of bits in a word */\n- #else\n- #define DECAF_WORD_BITS 32 /**\u003c The number of bits in a word */\n- #endif\n-#endif\n- \n-#if DECAF_WORD_BITS \u003d\u003d 64\n-typedef uint64_t decaf_word_t; /**\u003c Word size for internal computations */\n-typedef int64_t decaf_sword_t; /**\u003c Signed word size for internal computations */\n-typedef uint64_t decaf_bool_t; /**\u003c \u0022Boolean\u0022 type, will be set to all-zero or all-one (i.e. 
-1u) */\n-typedef __uint128_t decaf_dword_t; /**\u003c Double-word size for internal computations */\n-typedef __int128_t decaf_dsword_t; /**\u003c Signed double-word size for internal computations */\n-#elif DECAF_WORD_BITS \u003d\u003d 32 /**\u003c The number of bits in a word */\n-typedef uint32_t decaf_word_t; /**\u003c Word size for internal computations */\n-typedef int32_t decaf_sword_t; /**\u003c Signed word size for internal computations */\n-typedef uint32_t decaf_bool_t; /**\u003c \u0022Boolean\u0022 type, will be set to all-zero or all-one (i.e. -1u) */\n-typedef uint64_t decaf_dword_t; /**\u003c Double-word size for internal computations */\n-typedef int64_t decaf_dsword_t; /**\u003c Signed double-word size for internal computations */\n-#else\n-#error \u0022Only supporting DECAF_WORD_BITS \u003d 32 or 64 for now\u0022\n-#endif\n- \n-/** DECAF_TRUE \u003d -1 so that DECAF_TRUE \u0026 x \u003d x */\n-static const decaf_bool_t DECAF_TRUE \u003d -(decaf_bool_t)1;\n-\n-/** DECAF_FALSE \u003d 0 so that DECAF_FALSE \u0026 x \u003d 0 */\n-static const decaf_bool_t DECAF_FALSE \u003d 0;\n-\n-/** Another boolean type used to indicate success or failure. */\n-typedef enum {\n- DECAF_SUCCESS \u003d -1, /**\u003c The operation succeeded. */\n- DECAF_FAILURE \u003d 0 /**\u003c The operation failed. */\n-} decaf_error_t;\n-\n-\n-/** Return success if x is true */\n-static DECAF_INLINE decaf_error_t\n-decaf_succeed_if(decaf_bool_t x) {\n- return (decaf_error_t)x;\n-}\n-\n-/** Return DECAF_TRUE iff x \u003d\u003d DECAF_SUCCESS */\n-static DECAF_INLINE decaf_bool_t\n-decaf_successful(decaf_error_t e) {\n- decaf_dword_t w \u003d ((decaf_word_t)e) ^ ((decaf_word_t)DECAF_SUCCESS);\n- return (w-1)\u003e\u003eDECAF_WORD_BITS;\n-}\n- \n-/** Overwrite data with zeros. Uses memset_s if available. */\n-void decaf_bzero (\n- void *data,\n- size_t size\n-) DECAF_NONNULL DECAF_API_VIS;\n-\n-/** Compare two buffers, returning DECAF_TRUE if they are equal. 
*/\n-decaf_bool_t decaf_memeq (\n- const void *data1,\n- const void *data2,\n- size_t size\n-) DECAF_NONNULL DECAF_WARN_UNUSED DECAF_API_VIS;\n- \n-#ifdef __cplusplus\n-} /* extern \u0022C\u0022 */\n-#endif\n- \n-#endif /* __DECAF_COMMON_H__ */\ndiff --git a/crypto/ec/curve448/GENERATED/include/decaf/ed448.h b/crypto/ec/curve448/GENERATED/include/decaf/ed448.h\ndeleted file mode 100644\nindex eeed619..0000000\n--- a/crypto/ec/curve448/GENERATED/include/decaf/ed448.h\n+++ /dev/null\n@@ -1,251 +0,0 @@\n-/**\n- * @file decaf/ed448.h\n- * @author Mike Hamburg\n- *\n- * @copyright\n- * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- *\n- * @brief A group of prime order p, based on Ed448-Goldilocks.\n- *\n- * @warning This file was automatically generated in Python.\n- * Please do not edit it.\n- */\n-\n-#ifndef __DECAF_ED448_H__\n-#define __DECAF_ED448_H__ 1\n-\n-#include \u003cdecaf/point_448.h\u003e\n-#include \u003cdecaf/shake.h\u003e\n-#include \u003cdecaf/sha512.h\u003e\n-\n-#ifdef __cplusplus\n-extern \u0022C\u0022 {\n-#endif\n-\n-/** Number of bytes in an EdDSA public key. */\n-#define DECAF_EDDSA_448_PUBLIC_BYTES 57\n-\n-/** Number of bytes in an EdDSA private key. */\n-#define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES\n-\n-/** Number of bytes in an EdDSA private key. */\n-#define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + DECAF_EDDSA_448_PRIVATE_BYTES)\n-\n-/** Does EdDSA support non-contextual signatures? */\n-#define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0\n-\n-/** Prehash context renaming macros. */\n-#define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s\n-#define decaf_ed448_prehash_ctx_t decaf_shake256_ctx_t\n-#define decaf_ed448_prehash_update decaf_shake256_update\n-#define decaf_ed448_prehash_destroy decaf_shake256_destroy\n-\n-/** EdDSA encoding ratio. 
*/\n-#define DECAF_448_EDDSA_ENCODE_RATIO 4\n-\n-/** EdDSA decoding ratio. */\n-#define DECAF_448_EDDSA_DECODE_RATIO (4 / 4)\n-\n-/**\n- * @brief EdDSA key generation. This function uses a different (non-Decaf)\n- * encoding.\n- *\n- * @param [out] pubkey The public key.\n- * @param [in] privkey The private key.\n- */ \n-void decaf_ed448_derive_public_key (\n- uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief EdDSA signing.\n- *\n- * @param [out] signature The signature.\n- * @param [in] privkey The private key.\n- * @param [in] pubkey The public key.\n- * @param [in] message The message to sign.\n- * @param [in] message_len The length of the message.\n- * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.\n- * @param [in] context A \u0022context\u0022 for this signature of up to 255 bytes.\n- * @param [in] context_len Length of the context.\n- *\n- * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed\n- * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is\n- * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives\n- * you no seat belt.\n- */ \n-void decaf_ed448_sign (\n- uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n- const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],\n- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const uint8_t *message,\n- size_t message_len,\n- uint8_t prehashed,\n- const uint8_t *context,\n- uint8_t context_len\n-) DECAF_API_VIS __attribute__((nonnull(1,2,3))) DECAF_NOINLINE;\n-\n-/**\n- * @brief EdDSA signing with prehash.\n- *\n- * @param [out] signature The signature.\n- * @param [in] privkey The private key.\n- * @param [in] pubkey The public key.\n- * @param [in] hash The hash of the message. 
This object will not be modified by the call.\n- * @param [in] context A \u0022context\u0022 for this signature of up to 255 bytes. Must be the same as what was used for the prehash.\n- * @param [in] context_len Length of the context.\n- *\n- * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed\n- * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is\n- * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives\n- * you no seat belt.\n- */ \n-void decaf_ed448_sign_prehash (\n- uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n- const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],\n- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const decaf_ed448_prehash_ctx_t hash,\n- const uint8_t *context,\n- uint8_t context_len\n-) DECAF_API_VIS __attribute__((nonnull(1,2,3,4))) DECAF_NOINLINE;\n- \n-/**\n- * @brief Prehash initialization, with contexts if supported.\n- *\n- * @param [out] hash The hash object to be initialized.\n- */\n-void decaf_ed448_prehash_init (\n- decaf_ed448_prehash_ctx_t hash\n-) DECAF_API_VIS __attribute__((nonnull(1))) DECAF_NOINLINE;\n-\n-/**\n- * @brief EdDSA signature verification.\n- *\n- * Uses the standard (i.e. less-strict) verification formula.\n- *\n- * @param [in] signature The signature.\n- * @param [in] pubkey The public key.\n- * @param [in] message The message to verify.\n- * @param [in] message_len The length of the message.\n- * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.\n- * @param [in] context A \u0022context\u0022 for this signature of up to 255 bytes.\n- * @param [in] context_len Length of the context.\n- *\n- * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed\n- * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is\n- * safe. 
The C++ wrapper is designed to make it harder to screw this up, but this C code gives\n- * you no seat belt.\n- */\n-decaf_error_t decaf_ed448_verify (\n- const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const uint8_t *message,\n- size_t message_len,\n- uint8_t prehashed,\n- const uint8_t *context,\n- uint8_t context_len\n-) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;\n-\n-/**\n- * @brief EdDSA signature verification.\n- *\n- * Uses the standard (i.e. less-strict) verification formula.\n- *\n- * @param [in] signature The signature.\n- * @param [in] pubkey The public key.\n- * @param [in] hash The hash of the message. This object will not be modified by the call.\n- * @param [in] context A \u0022context\u0022 for this signature of up to 255 bytes. Must be the same as what was used for the prehash.\n- * @param [in] context_len Length of the context.\n- *\n- * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed\n- * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is\n- * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives\n- * you no seat belt.\n- */\n-decaf_error_t decaf_ed448_verify_prehash (\n- const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n- const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const decaf_ed448_prehash_ctx_t hash,\n- const uint8_t *context,\n- uint8_t context_len\n-) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;\n-\n-/**\n- * @brief EdDSA point encoding. Used internally, exposed externally.\n- * Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first.\n- *\n- * The multiplication is required because the EdDSA encoding represents\n- * the cofactor information, but the Decaf encoding ignores it (which\n- * is the whole point). 
So if you decode from EdDSA and re-encode to\n- * EdDSA, the cofactor info must get cleared, because the intermediate\n- * representation doesn't track it.\n- *\n- * The way libdecaf handles this is to multiply by\n- * DECAF_448_EDDSA_DECODE_RATIO when decoding, and by\n- * DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these\n- * ratios is always exactly the cofactor 4, so the cofactor\n- * ends up cleared one way or another. But exactly how that shakes\n- * out depends on the base points specified in RFC 8032.\n- *\n- * The upshot is that if you pass the Decaf/Ristretto base point to\n- * this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the\n- * EdDSA base point.\n- *\n- * @param [out] enc The encoded point.\n- * @param [in] p The point.\n- */ \n-void decaf_448_point_mul_by_ratio_and_encode_like_eddsa (\n- uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],\n- const decaf_448_point_t p\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief EdDSA point decoding. 
Multiplies by DECAF_448_EDDSA_DECODE_RATIO,\n- * and ignores cofactor information.\n- *\n- * See notes on decaf_448_point_mul_by_ratio_and_encode_like_eddsa\n- *\n- * @param [out] enc The encoded point.\n- * @param [in] p The point.\n- */ \n-decaf_error_t decaf_448_point_decode_like_eddsa_and_mul_by_ratio (\n- decaf_448_point_t p,\n- const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief EdDSA to ECDH public key conversion\n- * Deserialize the point to get y on Edwards curve,\n- * Convert it to u coordinate on Montgomery curve.\n- *\n- * @warning This function does not check that the public key being converted\n- * is a valid EdDSA public key (FUTURE?)\n- *\n- * @param[out] x The ECDH public key as in RFC7748(point on Montgomery curve)\n- * @param[in] ed The EdDSA public key(point on Edwards curve)\n- */\n-void decaf_ed448_convert_public_key_to_x448 (\n- uint8_t x[DECAF_X448_PUBLIC_BYTES],\n- const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief EdDSA to ECDH private key conversion\n- * Using the appropriate hash function, hash the EdDSA private key\n- * and keep only the lower bytes to get the ECDH private key\n- *\n- * @param[out] x The ECDH private key as in RFC7748\n- * @param[in] ed The EdDSA private key\n- */\n-void decaf_ed448_convert_private_key_to_x448 (\n- uint8_t x[DECAF_X448_PRIVATE_BYTES],\n- const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-#ifdef __cplusplus\n-} /* extern \u0022C\u0022 */\n-#endif\n-\n-#endif /* __DECAF_ED448_H__ */\ndiff --git a/crypto/ec/curve448/GENERATED/include/decaf/point_255.h b/crypto/ec/curve448/GENERATED/include/decaf/point_255.h\ndeleted file mode 100644\nindex 94e30a5..0000000\n--- a/crypto/ec/curve448/GENERATED/include/decaf/point_255.h\n+++ /dev/null\n@@ -1,765 +0,0 @@\n-/**\n- * @file decaf/point_255.h\n- * @author Mike Hamburg\n- *\n- * 
@copyright\n- * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- *\n- * @brief A group of prime order p, based on Curve25519.\n- *\n- * @warning This file was automatically generated in Python.\n- * Please do not edit it.\n- */\n-\n-#ifndef __DECAF_POINT_255_H__\n-#define __DECAF_POINT_255_H__ 1\n-\n-#include \u003cdecaf/common.h\u003e\n-\n-#ifdef __cplusplus\n-extern \u0022C\u0022 {\n-#endif\n-\n-/** @cond internal */\n-#define DECAF_255_SCALAR_LIMBS ((253-1)/DECAF_WORD_BITS+1)\n-/** @endcond */\n-\n-/** The number of bits in a scalar */\n-#define DECAF_255_SCALAR_BITS 253\n-\n-/** @cond internal */\n-#ifndef __DECAF_25519_GF_DEFINED__\n-#define __DECAF_25519_GF_DEFINED__ 1\n-/** @brief Galois field element internal structure */\n-typedef struct gf_25519_s {\n- decaf_word_t limb[320/DECAF_WORD_BITS];\n-} __attribute__((aligned(32))) gf_25519_s, gf_25519_t[1];\n-#endif /* __DECAF_25519_GF_DEFINED__ */\n-/** @endcond */\n-\n-/** Number of bytes in a serialized point. */\n-#define DECAF_255_SER_BYTES 32\n-\n-/** Number of bytes in an elligated point. For now set the same as SER_BYTES\n- * but could be different for other curves.\n- */\n-#define DECAF_255_HASH_BYTES 32\n-\n-/** Number of bytes in a serialized scalar. */\n-#define DECAF_255_SCALAR_BYTES 32\n-\n-/** Number of bits in the \u0022which\u0022 field of an elligator inverse */\n-#define DECAF_255_INVERT_ELLIGATOR_WHICH_BITS 5\n-\n-/** The cofactor the curve would have, if we hadn't removed it */\n-#define DECAF_255_REMOVED_COFACTOR 8\n-\n-/** X25519 encoding ratio. 
*/\n-#define DECAF_X25519_ENCODE_RATIO 4\n-\n-/** Number of bytes in an x25519 public key */\n-#define DECAF_X25519_PUBLIC_BYTES 32\n-\n-/** Number of bytes in an x25519 private key */\n-#define DECAF_X25519_PRIVATE_BYTES 32\n-\n-/** Twisted Edwards extended homogeneous coordinates */\n-typedef struct decaf_255_point_s {\n- /** @cond internal */\n- gf_25519_t x,y,z,t;\n- /** @endcond */\n-} decaf_255_point_t[1];\n-\n-/** Precomputed table based on a point. Can be trivial implementation. */\n-struct decaf_255_precomputed_s;\n-\n-/** Precomputed table based on a point. Can be trivial implementation. */\n-typedef struct decaf_255_precomputed_s decaf_255_precomputed_s; \n-\n-/** Size and alignment of precomputed point tables. */\n-extern const size_t decaf_255_sizeof_precomputed_s DECAF_API_VIS, decaf_255_alignof_precomputed_s DECAF_API_VIS;\n-\n-/** Scalar is stored packed, because we don't need the speed. */\n-typedef struct decaf_255_scalar_s {\n- /** @cond internal */\n- decaf_word_t limb[DECAF_255_SCALAR_LIMBS];\n- /** @endcond */\n-} decaf_255_scalar_t[1];\n-\n-/** A scalar equal to 1. */\n-extern const decaf_255_scalar_t decaf_255_scalar_one DECAF_API_VIS;\n-\n-/** A scalar equal to 0. */\n-extern const decaf_255_scalar_t decaf_255_scalar_zero DECAF_API_VIS;\n-\n-/** The identity point on the curve. */\n-extern const decaf_255_point_t decaf_255_point_identity DECAF_API_VIS;\n-\n-/** An arbitrarily chosen base point on the curve. */\n-extern const decaf_255_point_t decaf_255_point_base DECAF_API_VIS;\n-\n-/** Precomputed table for the base point on the curve. 
*/\n-extern const struct decaf_255_precomputed_s *decaf_255_precomputed_base DECAF_API_VIS;\n-\n-/**\n- * @brief Read a scalar from wire format or from bytes.\n- *\n- * @param [in] ser Serialized form of a scalar.\n- * @param [out] out Deserialized form.\n- *\n- * @retval DECAF_SUCCESS The scalar was correctly encoded.\n- * @retval DECAF_FAILURE The scalar was greater than the modulus,\n- * and has been reduced modulo that modulus.\n- */\n-decaf_error_t decaf_255_scalar_decode (\n- decaf_255_scalar_t out,\n- const unsigned char ser[DECAF_255_SCALAR_BYTES]\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Read a scalar from wire format or from bytes. Reduces mod\n- * scalar prime.\n- *\n- * @param [in] ser Serialized form of a scalar.\n- * @param [in] ser_len Length of serialized form.\n- * @param [out] out Deserialized form.\n- */\n-void decaf_255_scalar_decode_long (\n- decaf_255_scalar_t out,\n- const unsigned char *ser,\n- size_t ser_len\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n- \n-/**\n- * @brief Serialize a scalar to wire format.\n- *\n- * @param [out] ser Serialized form of a scalar.\n- * @param [in] s Deserialized scalar.\n- */\n-void decaf_255_scalar_encode (\n- unsigned char ser[DECAF_255_SCALAR_BYTES],\n- const decaf_255_scalar_t s\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE;\n- \n-/**\n- * @brief Add two scalars. 
The scalars may use the same memory.\n- * @param [in] a One scalar.\n- * @param [in] b Another scalar.\n- * @param [out] out a+b.\n- */\n-void decaf_255_scalar_add (\n- decaf_255_scalar_t out,\n- const decaf_255_scalar_t a,\n- const decaf_255_scalar_t b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Compare two scalars.\n- * @param [in] a One scalar.\n- * @param [in] b Another scalar.\n- * @retval DECAF_TRUE The scalars are equal.\n- * @retval DECAF_FALSE The scalars are not equal.\n- */ \n-decaf_bool_t decaf_255_scalar_eq (\n- const decaf_255_scalar_t a,\n- const decaf_255_scalar_t b\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Subtract two scalars. The scalars may use the same memory.\n- * @param [in] a One scalar.\n- * @param [in] b Another scalar.\n- * @param [out] out a-b.\n- */ \n-void decaf_255_scalar_sub (\n- decaf_255_scalar_t out,\n- const decaf_255_scalar_t a,\n- const decaf_255_scalar_t b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply two scalars. The scalars may use the same memory.\n- * @param [in] a One scalar.\n- * @param [in] b Another scalar.\n- * @param [out] out a*b.\n- */ \n-void decaf_255_scalar_mul (\n- decaf_255_scalar_t out,\n- const decaf_255_scalar_t a,\n- const decaf_255_scalar_t b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n- \n-/**\n-* @brief Halve a scalar. The scalars may use the same memory.\n-* @param [in] a A scalar.\n-* @param [out] out a/2.\n-*/\n-void decaf_255_scalar_halve (\n- decaf_255_scalar_t out,\n- const decaf_255_scalar_t a\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Invert a scalar. When passed zero, return 0. 
The input and output may alias.\n- * @param [in] a A scalar.\n- * @param [out] out 1/a.\n- * @return DECAF_SUCCESS The input is nonzero.\n- */ \n-decaf_error_t decaf_255_scalar_invert (\n- decaf_255_scalar_t out,\n- const decaf_255_scalar_t a\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Copy a scalar. The scalars may use the same memory, in which\n- * case this function does nothing.\n- * @param [in] a A scalar.\n- * @param [out] out Will become a copy of a.\n- */\n-static inline void DECAF_NONNULL decaf_255_scalar_copy (\n- decaf_255_scalar_t out,\n- const decaf_255_scalar_t a\n-) {\n- *out \u003d *a;\n-}\n-\n-/**\n- * @brief Set a scalar to an unsigned 64-bit integer.\n- * @param [in] a An integer.\n- * @param [out] out Will become equal to a.\n- */ \n-void decaf_255_scalar_set_unsigned (\n- decaf_255_scalar_t out,\n- uint64_t a\n-) DECAF_API_VIS DECAF_NONNULL;\n-\n-/**\n- * @brief Encode a point as a sequence of bytes.\n- *\n- * @param [out] ser The byte representation of the point.\n- * @param [in] pt The point to encode.\n- */\n-void decaf_255_point_encode (\n- uint8_t ser[DECAF_255_SER_BYTES],\n- const decaf_255_point_t pt\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Decode a point from a sequence of bytes.\n- *\n- * Every point has a unique encoding, so not every\n- * sequence of bytes is a valid encoding. 
If an invalid\n- * encoding is given, the output is undefined.\n- *\n- * @param [out] pt The decoded point.\n- * @param [in] ser The serialized version of the point.\n- * @param [in] allow_identity DECAF_TRUE if the identity is a legal input.\n- * @retval DECAF_SUCCESS The decoding succeeded.\n- * @retval DECAF_FAILURE The decoding didn't succeed, because\n- * ser does not represent a point.\n- */\n-decaf_error_t decaf_255_point_decode (\n- decaf_255_point_t pt,\n- const uint8_t ser[DECAF_255_SER_BYTES],\n- decaf_bool_t allow_identity\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Copy a point. The input and output may alias,\n- * in which case this function does nothing.\n- *\n- * @param [out] a A copy of the point.\n- * @param [in] b Any point.\n- */\n-static inline void DECAF_NONNULL decaf_255_point_copy (\n- decaf_255_point_t a,\n- const decaf_255_point_t b\n-) {\n- *a\u003d*b;\n-}\n-\n-/**\n- * @brief Test whether two points are equal. If yes, return\n- * DECAF_TRUE, else return DECAF_FALSE.\n- *\n- * @param [in] a A point.\n- * @param [in] b Another point.\n- * @retval DECAF_TRUE The points are equal.\n- * @retval DECAF_FALSE The points are not equal.\n- */\n-decaf_bool_t decaf_255_point_eq (\n- const decaf_255_point_t a,\n- const decaf_255_point_t b\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Add two points to produce a third point. The\n- * input points and output point can be pointers to the same\n- * memory.\n- *\n- * @param [out] sum The sum a+b.\n- * @param [in] a An addend.\n- * @param [in] b An addend.\n- */\n-void decaf_255_point_add (\n- decaf_255_point_t sum,\n- const decaf_255_point_t a,\n- const decaf_255_point_t b\n-) DECAF_API_VIS DECAF_NONNULL;\n-\n-/**\n- * @brief Double a point. 
Equivalent to\n- * decaf_255_point_add(two_a,a,a), but potentially faster.\n- *\n- * @param [out] two_a The sum a+a.\n- * @param [in] a A point.\n- */\n-void decaf_255_point_double (\n- decaf_255_point_t two_a,\n- const decaf_255_point_t a\n-) DECAF_API_VIS DECAF_NONNULL;\n-\n-/**\n- * @brief Subtract two points to produce a third point. The\n- * input points and output point can be pointers to the same\n- * memory.\n- *\n- * @param [out] diff The difference a-b.\n- * @param [in] a The minuend.\n- * @param [in] b The subtrahend.\n- */\n-void decaf_255_point_sub (\n- decaf_255_point_t diff,\n- const decaf_255_point_t a,\n- const decaf_255_point_t b\n-) DECAF_API_VIS DECAF_NONNULL;\n- \n-/**\n- * @brief Negate a point to produce another point. The input\n- * and output points can use the same memory.\n- *\n- * @param [out] nega The negated input point\n- * @param [in] a The input point.\n- */\n-void decaf_255_point_negate (\n- decaf_255_point_t nega,\n- const decaf_255_point_t a\n-) DECAF_API_VIS DECAF_NONNULL;\n-\n-/**\n- * @brief Multiply a base point by a scalar: scaled \u003d scalar*base.\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] base The point to be scaled.\n- * @param [in] scalar The scalar to multiply by.\n- */\n-void decaf_255_point_scalarmul (\n- decaf_255_point_t scaled,\n- const decaf_255_point_t base,\n- const decaf_255_scalar_t scalar\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply a base point by a scalar: scaled \u003d scalar*base.\n- * This function operates directly on serialized forms.\n- *\n- * @warning This function is experimental. 
It may not be supported\n- * long-term.\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] base The point to be scaled.\n- * @param [in] scalar The scalar to multiply by.\n- * @param [in] allow_identity Allow the input to be the identity.\n- * @param [in] short_circuit Allow a fast return if the input is illegal.\n- *\n- * @retval DECAF_SUCCESS The scalarmul succeeded.\n- * @retval DECAF_FAILURE The scalarmul didn't succeed, because\n- * base does not represent a point.\n- */\n-decaf_error_t decaf_255_direct_scalarmul (\n- uint8_t scaled[DECAF_255_SER_BYTES],\n- const uint8_t base[DECAF_255_SER_BYTES],\n- const decaf_255_scalar_t scalar,\n- decaf_bool_t allow_identity,\n- decaf_bool_t short_circuit\n-) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;\n-\n-/**\n- * @brief RFC 7748 Diffie-Hellman scalarmul. This function uses a different\n- * (non-Decaf) encoding.\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] base The point to be scaled.\n- * @param [in] scalar The scalar to multiply by.\n- *\n- * @retval DECAF_SUCCESS The scalarmul succeeded.\n- * @retval DECAF_FAILURE The scalarmul didn't succeed, because the base\n- * point is in a small subgroup.\n- */\n-decaf_error_t decaf_x25519 (\n- uint8_t out[DECAF_X25519_PUBLIC_BYTES],\n- const uint8_t base[DECAF_X25519_PUBLIC_BYTES],\n- const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply a point by DECAF_X25519_ENCODE_RATIO,\n- * then encode it like RFC 7748.\n- *\n- * This function is mainly used internally, but is exported in case\n- * it will be useful.\n- *\n- * The ratio is necessary because the internal representation doesn't\n- * track the cofactor information, so on output we must clear the cofactor.\n- * This would multiply by the cofactor, but in fact internally libdecaf's\n- * points are always even, so it multiplies by half the cofactor instead.\n- *\n- 
* As it happens, this aligns with the base point definitions; that is,\n- * if you pass the Decaf/Ristretto base point to this function, the result\n- * will be DECAF_X25519_ENCODE_RATIO times the X25519\n- * base point.\n- *\n- * @param [out] out The scaled and encoded point.\n- * @param [in] p The point to be scaled and encoded.\n- */\n-void decaf_255_point_mul_by_ratio_and_encode_like_x25519 (\n- uint8_t out[DECAF_X25519_PUBLIC_BYTES],\n- const decaf_255_point_t p\n-) DECAF_API_VIS DECAF_NONNULL;\n-\n-/** The base point for X25519 Diffie-Hellman */\n-extern const uint8_t decaf_x25519_base_point[DECAF_X25519_PUBLIC_BYTES] DECAF_API_VIS;\n-\n-/**\n- * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses\n- * a different (non-Decaf) encoding.\n- *\n- * @deprecated Renamed to decaf_x25519_derive_public_key.\n- * I have no particular timeline for removing this name.\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] scalar The scalar to multiply by.\n- */\n-void decaf_x25519_generate_key (\n- uint8_t out[DECAF_X25519_PUBLIC_BYTES],\n- const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_DEPRECATED(\u0022Renamed to decaf_x25519_derive_public_key\u0022);\n- \n-/**\n- * @brief RFC 7748 Diffie-Hellman base point scalarmul. 
This function uses\n- * a different (non-Decaf) encoding.\n- *\n- * Does exactly the same thing as decaf_x25519_generate_key,\n- * but has a better name.\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] scalar The scalar to multiply by.\n- */\n-void decaf_x25519_derive_public_key (\n- uint8_t out[DECAF_X25519_PUBLIC_BYTES],\n- const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/* FUTURE: uint8_t decaf_255_encode_like_curve25519) */\n-\n-/**\n- * @brief Precompute a table for fast scalar multiplication.\n- * Some implementations do not include precomputed points; for\n- * those implementations, this implementation simply copies the\n- * point.\n- *\n- * @param [out] a A precomputed table of multiples of the point.\n- * @param [in] b Any point.\n- */\n-void decaf_255_precompute (\n- decaf_255_precomputed_s *a,\n- const decaf_255_point_t b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply a precomputed base point by a scalar:\n- * scaled \u003d scalar*base.\n- * Some implementations do not include precomputed points; for\n- * those implementations, this function is the same as\n- * decaf_255_point_scalarmul\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] base The point to be scaled.\n- * @param [in] scalar The scalar to multiply by.\n- */\n-void decaf_255_precomputed_scalarmul (\n- decaf_255_point_t scaled,\n- const decaf_255_precomputed_s *base,\n- const decaf_255_scalar_t scalar\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply two base points by two scalars:\n- * scaled \u003d scalar1*base1 + scalar2*base2.\n- *\n- * Equivalent to two calls to decaf_255_point_scalarmul, but may be\n- * faster.\n- *\n- * @param [out] combo The linear combination scalar1*base1 + scalar2*base2.\n- * @param [in] base1 A first point to be scaled.\n- * @param [in] scalar1 A first scalar to multiply by.\n- * @param [in] base2 A 
second point to be scaled.\n- * @param [in] scalar2 A second scalar to multiply by.\n- */\n-void decaf_255_point_double_scalarmul (\n- decaf_255_point_t combo,\n- const decaf_255_point_t base1,\n- const decaf_255_scalar_t scalar1,\n- const decaf_255_point_t base2,\n- const decaf_255_scalar_t scalar2\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n- \n-/**\n- * Multiply one base point by two scalars:\n- *\n- * a1 \u003d scalar1 * base\n- * a2 \u003d scalar2 * base\n- *\n- * Equivalent to two calls to decaf_255_point_scalarmul, but may be\n- * faster.\n- *\n- * @param [out] a1 The first multiple. It may be the same as the input point.\n- * @param [out] a2 The second multiple. It may be the same as the input point.\n- * @param [in] base1 A point to be scaled.\n- * @param [in] scalar1 A first scalar to multiply by.\n- * @param [in] scalar2 A second scalar to multiply by.\n- */\n-void decaf_255_point_dual_scalarmul (\n- decaf_255_point_t a1,\n- decaf_255_point_t a2,\n- const decaf_255_point_t base1,\n- const decaf_255_scalar_t scalar1,\n- const decaf_255_scalar_t scalar2\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply two base points by two scalars:\n- * scaled \u003d scalar1*decaf_255_point_base + scalar2*base2.\n- *\n- * Otherwise equivalent to decaf_255_point_double_scalarmul, but may be\n- * faster at the expense of being variable time.\n- *\n- * @param [out] combo The linear combination scalar1*base + scalar2*base2.\n- * @param [in] scalar1 A first scalar to multiply by.\n- * @param [in] base2 A second point to be scaled.\n- * @param [in] scalar2 A second scalar to multiply by.\n- *\n- * @warning: This function takes variable time, and may leak the scalars\n- * used. 
It is designed for signature verification.\n- */\n-void decaf_255_base_double_scalarmul_non_secret (\n- decaf_255_point_t combo,\n- const decaf_255_scalar_t scalar1,\n- const decaf_255_point_t base2,\n- const decaf_255_scalar_t scalar2\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Constant-time decision between two points. If pick_b\n- * is zero, out \u003d a; else out \u003d b.\n- *\n- * @param [out] out The output. It may be the same as either input.\n- * @param [in] a Any point.\n- * @param [in] b Any point.\n- * @param [in] pick_b If nonzero, choose point b.\n- */\n-void decaf_255_point_cond_sel (\n- decaf_255_point_t out,\n- const decaf_255_point_t a,\n- const decaf_255_point_t b,\n- decaf_word_t pick_b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Constant-time decision between two scalars. If pick_b\n- * is zero, out \u003d a; else out \u003d b.\n- *\n- * @param [out] out The output. It may be the same as either input.\n- * @param [in] a Any scalar.\n- * @param [in] b Any scalar.\n- * @param [in] pick_b If nonzero, choose scalar b.\n- */\n-void decaf_255_scalar_cond_sel (\n- decaf_255_scalar_t out,\n- const decaf_255_scalar_t a,\n- const decaf_255_scalar_t b,\n- decaf_word_t pick_b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Test that a point is valid, for debugging purposes.\n- *\n- * @param [in] to_test The point to test.\n- * @retval DECAF_TRUE The point is valid.\n- * @retval DECAF_FALSE The point is invalid.\n- */\n-decaf_bool_t decaf_255_point_valid (\n- const decaf_255_point_t to_test\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Torque a point, for debugging purposes. 
The output\n- * will be equal to the input.\n- *\n- * @param [out] q The point to torque.\n- * @param [in] p The point to torque.\n- */\n-void decaf_255_point_debugging_torque (\n- decaf_255_point_t q,\n- const decaf_255_point_t p\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Projectively scale a point, for debugging purposes.\n- * The output will be equal to the input, and will be valid\n- * even if the factor is zero.\n- *\n- * @param [out] q The point to scale.\n- * @param [in] p The point to scale.\n- * @param [in] factor Serialized GF factor to scale.\n- */\n-void decaf_255_point_debugging_pscale (\n- decaf_255_point_t q,\n- const decaf_255_point_t p,\n- const unsigned char factor[DECAF_255_SER_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Almost-Elligator-like hash to curve.\n- *\n- * Call this function with the output of a hash to make a hash to the curve.\n- *\n- * This function runs Elligator2 on the decaf_255 Jacobi quartic model. It then\n- * uses the isogeny to put the result in twisted Edwards form. As a result,\n- * it is safe (cannot produce points of order 4), and would be compatible with\n- * hypothetical other implementations of Decaf using a Montgomery or untwisted\n- * Edwards model.\n- *\n- * Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:\n- * A factor of 2 due to the isogeny.\n- * A factor of 2 because we quotient out the 2-torsion.\n- *\n- * This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8.\n- *\n- * Negating the input (mod q) results in the same point. Inverting the input\n- * (mod q) results in the negative point. This is the same as Elligator.\n- *\n- * This function isn't quite indifferentiable from a random oracle.\n- * However, it is suitable for many protocols, including SPEKE and SPAKE2 EE. 
\n- * Furthermore, calling it twice with independent seeds and adding the results\n- * is indifferentiable from a random oracle.\n- *\n- * @param [in] hashed_data Output of some hash function.\n- * @param [out] pt The data hashed to the curve.\n- */\n-void\n-decaf_255_point_from_hash_nonuniform (\n- decaf_255_point_t pt,\n- const unsigned char hashed_data[DECAF_255_HASH_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Indifferentiable hash function encoding to curve.\n- *\n- * Equivalent to calling decaf_255_point_from_hash_nonuniform twice and adding.\n- *\n- * @param [in] hashed_data Output of some hash function.\n- * @param [out] pt The data hashed to the curve.\n- */ \n-void decaf_255_point_from_hash_uniform (\n- decaf_255_point_t pt,\n- const unsigned char hashed_data[2*DECAF_255_HASH_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Inverse of elligator-like hash to curve.\n- *\n- * This function writes to the buffer, to make it so that\n- * decaf_255_point_from_hash_nonuniform(buffer) \u003d pt if\n- * possible. Since there may be multiple preimages, the\n- * \u0022which\u0022 parameter chooses between them. To ensure uniform\n- * inverse sampling, this function succeeds or fails\n- * independently for different \u0022which\u0022 values.\n- *\n- * This function isn't guaranteed to find every possible\n- * preimage, but it finds all except a small finite number.\n- * In particular, when the number of bits in the modulus isn't\n- * a multiple of 8 (i.e. for curve25519), it sets the high bits\n- * independently, which enables the generated data to be uniform.\n- * But it doesn't add p, so you'll never get exactly p from this\n- * function. 
This might change in the future, especially if\n- * we ever support eg Brainpool curves, where this could cause\n- * real nonuniformity.\n- *\n- * @param [out] recovered_hash Encoded data.\n- * @param [in] pt The point to encode.\n- * @param [in] which A value determining which inverse point\n- * to return.\n- *\n- * @retval DECAF_SUCCESS The inverse succeeded.\n- * @retval DECAF_FAILURE The inverse failed.\n- */\n-decaf_error_t\n-decaf_255_invert_elligator_nonuniform (\n- unsigned char recovered_hash[DECAF_255_HASH_BYTES],\n- const decaf_255_point_t pt,\n- uint32_t which\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;\n-\n-/**\n- * @brief Inverse of elligator-like hash to curve.\n- *\n- * This function writes to the buffer, to make it so that\n- * decaf_255_point_from_hash_uniform(buffer) \u003d pt if\n- * possible. Since there may be multiple preimages, the\n- * \u0022which\u0022 parameter chooses between them. To ensure uniform\n- * inverse sampling, this function succeeds or fails\n- * independently for different \u0022which\u0022 values.\n- *\n- * @param [out] recovered_hash Encoded data.\n- * @param [in] pt The point to encode.\n- * @param [in] which A value determining which inverse point\n- * to return.\n- *\n- * @retval DECAF_SUCCESS The inverse succeeded.\n- * @retval DECAF_FAILURE The inverse failed.\n- */\n-decaf_error_t\n-decaf_255_invert_elligator_uniform (\n- unsigned char recovered_hash[2*DECAF_255_HASH_BYTES],\n- const decaf_255_point_t pt,\n- uint32_t which\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;\n-\n-/**\n- * @brief Overwrite scalar with zeros.\n- */\n-void decaf_255_scalar_destroy (\n- decaf_255_scalar_t scalar\n-) DECAF_NONNULL DECAF_API_VIS;\n-\n-/**\n- * @brief Overwrite point with zeros.\n- */\n-void decaf_255_point_destroy (\n- decaf_255_point_t point\n-) DECAF_NONNULL DECAF_API_VIS;\n-\n-/**\n- * @brief Overwrite precomputed table with zeros.\n- */\n-void decaf_255_precomputed_destroy (\n- 
decaf_255_precomputed_s *pre\n-) DECAF_NONNULL DECAF_API_VIS;\n-\n-#ifdef __cplusplus\n-} /* extern \u0022C\u0022 */\n-#endif\n-\n-#endif /* __DECAF_POINT_255_H__ */\ndiff --git a/crypto/ec/curve448/GENERATED/include/decaf/point_448.h b/crypto/ec/curve448/GENERATED/include/decaf/point_448.h\ndeleted file mode 100644\nindex bc1cb43..0000000\n--- a/crypto/ec/curve448/GENERATED/include/decaf/point_448.h\n+++ /dev/null\n@@ -1,765 +0,0 @@\n-/**\n- * @file decaf/point_448.h\n- * @author Mike Hamburg\n- *\n- * @copyright\n- * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- *\n- * @brief A group of prime order p, based on Ed448-Goldilocks.\n- *\n- * @warning This file was automatically generated in Python.\n- * Please do not edit it.\n- */\n-\n-#ifndef __DECAF_POINT_448_H__\n-#define __DECAF_POINT_448_H__ 1\n-\n-#include \u003cdecaf/common.h\u003e\n-\n-#ifdef __cplusplus\n-extern \u0022C\u0022 {\n-#endif\n-\n-/** @cond internal */\n-#define DECAF_448_SCALAR_LIMBS ((446-1)/DECAF_WORD_BITS+1)\n-/** @endcond */\n-\n-/** The number of bits in a scalar */\n-#define DECAF_448_SCALAR_BITS 446\n-\n-/** @cond internal */\n-#ifndef __DECAF_448_GF_DEFINED__\n-#define __DECAF_448_GF_DEFINED__ 1\n-/** @brief Galois field element internal structure */\n-typedef struct gf_448_s {\n- decaf_word_t limb[512/DECAF_WORD_BITS];\n-} __attribute__((aligned(32))) gf_448_s, gf_448_t[1];\n-#endif /* __DECAF_448_GF_DEFINED__ */\n-/** @endcond */\n-\n-/** Number of bytes in a serialized point. */\n-#define DECAF_448_SER_BYTES 56\n-\n-/** Number of bytes in an elligated point. For now set the same as SER_BYTES\n- * but could be different for other curves.\n- */\n-#define DECAF_448_HASH_BYTES 56\n-\n-/** Number of bytes in a serialized scalar. 
*/\n-#define DECAF_448_SCALAR_BYTES 56\n-\n-/** Number of bits in the \u0022which\u0022 field of an elligator inverse */\n-#define DECAF_448_INVERT_ELLIGATOR_WHICH_BITS 3\n-\n-/** The cofactor the curve would have, if we hadn't removed it */\n-#define DECAF_448_REMOVED_COFACTOR 4\n-\n-/** X448 encoding ratio. */\n-#define DECAF_X448_ENCODE_RATIO 2\n-\n-/** Number of bytes in an x448 public key */\n-#define DECAF_X448_PUBLIC_BYTES 56\n-\n-/** Number of bytes in an x448 private key */\n-#define DECAF_X448_PRIVATE_BYTES 56\n-\n-/** Twisted Edwards extended homogeneous coordinates */\n-typedef struct decaf_448_point_s {\n- /** @cond internal */\n- gf_448_t x,y,z,t;\n- /** @endcond */\n-} decaf_448_point_t[1];\n-\n-/** Precomputed table based on a point. Can be trivial implementation. */\n-struct decaf_448_precomputed_s;\n-\n-/** Precomputed table based on a point. Can be trivial implementation. */\n-typedef struct decaf_448_precomputed_s decaf_448_precomputed_s; \n-\n-/** Size and alignment of precomputed point tables. */\n-extern const size_t decaf_448_sizeof_precomputed_s DECAF_API_VIS, decaf_448_alignof_precomputed_s DECAF_API_VIS;\n-\n-/** Scalar is stored packed, because we don't need the speed. */\n-typedef struct decaf_448_scalar_s {\n- /** @cond internal */\n- decaf_word_t limb[DECAF_448_SCALAR_LIMBS];\n- /** @endcond */\n-} decaf_448_scalar_t[1];\n-\n-/** A scalar equal to 1. */\n-extern const decaf_448_scalar_t decaf_448_scalar_one DECAF_API_VIS;\n-\n-/** A scalar equal to 0. */\n-extern const decaf_448_scalar_t decaf_448_scalar_zero DECAF_API_VIS;\n-\n-/** The identity point on the curve. */\n-extern const decaf_448_point_t decaf_448_point_identity DECAF_API_VIS;\n-\n-/** An arbitrarily chosen base point on the curve. */\n-extern const decaf_448_point_t decaf_448_point_base DECAF_API_VIS;\n-\n-/** Precomputed table for the base point on the curve. 
*/\n-extern const struct decaf_448_precomputed_s *decaf_448_precomputed_base DECAF_API_VIS;\n-\n-/**\n- * @brief Read a scalar from wire format or from bytes.\n- *\n- * @param [in] ser Serialized form of a scalar.\n- * @param [out] out Deserialized form.\n- *\n- * @retval DECAF_SUCCESS The scalar was correctly encoded.\n- * @retval DECAF_FAILURE The scalar was greater than the modulus,\n- * and has been reduced modulo that modulus.\n- */\n-decaf_error_t decaf_448_scalar_decode (\n- decaf_448_scalar_t out,\n- const unsigned char ser[DECAF_448_SCALAR_BYTES]\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Read a scalar from wire format or from bytes. Reduces mod\n- * scalar prime.\n- *\n- * @param [in] ser Serialized form of a scalar.\n- * @param [in] ser_len Length of serialized form.\n- * @param [out] out Deserialized form.\n- */\n-void decaf_448_scalar_decode_long (\n- decaf_448_scalar_t out,\n- const unsigned char *ser,\n- size_t ser_len\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n- \n-/**\n- * @brief Serialize a scalar to wire format.\n- *\n- * @param [out] ser Serialized form of a scalar.\n- * @param [in] s Deserialized scalar.\n- */\n-void decaf_448_scalar_encode (\n- unsigned char ser[DECAF_448_SCALAR_BYTES],\n- const decaf_448_scalar_t s\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE;\n- \n-/**\n- * @brief Add two scalars. 
The scalars may use the same memory.\n- * @param [in] a One scalar.\n- * @param [in] b Another scalar.\n- * @param [out] out a+b.\n- */\n-void decaf_448_scalar_add (\n- decaf_448_scalar_t out,\n- const decaf_448_scalar_t a,\n- const decaf_448_scalar_t b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Compare two scalars.\n- * @param [in] a One scalar.\n- * @param [in] b Another scalar.\n- * @retval DECAF_TRUE The scalars are equal.\n- * @retval DECAF_FALSE The scalars are not equal.\n- */ \n-decaf_bool_t decaf_448_scalar_eq (\n- const decaf_448_scalar_t a,\n- const decaf_448_scalar_t b\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Subtract two scalars. The scalars may use the same memory.\n- * @param [in] a One scalar.\n- * @param [in] b Another scalar.\n- * @param [out] out a-b.\n- */ \n-void decaf_448_scalar_sub (\n- decaf_448_scalar_t out,\n- const decaf_448_scalar_t a,\n- const decaf_448_scalar_t b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply two scalars. The scalars may use the same memory.\n- * @param [in] a One scalar.\n- * @param [in] b Another scalar.\n- * @param [out] out a*b.\n- */ \n-void decaf_448_scalar_mul (\n- decaf_448_scalar_t out,\n- const decaf_448_scalar_t a,\n- const decaf_448_scalar_t b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n- \n-/**\n-* @brief Halve a scalar. The scalars may use the same memory.\n-* @param [in] a A scalar.\n-* @param [out] out a/2.\n-*/\n-void decaf_448_scalar_halve (\n- decaf_448_scalar_t out,\n- const decaf_448_scalar_t a\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Invert a scalar. When passed zero, return 0. 
The input and output may alias.\n- * @param [in] a A scalar.\n- * @param [out] out 1/a.\n- * @return DECAF_SUCCESS The input is nonzero.\n- */ \n-decaf_error_t decaf_448_scalar_invert (\n- decaf_448_scalar_t out,\n- const decaf_448_scalar_t a\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Copy a scalar. The scalars may use the same memory, in which\n- * case this function does nothing.\n- * @param [in] a A scalar.\n- * @param [out] out Will become a copy of a.\n- */\n-static inline void DECAF_NONNULL decaf_448_scalar_copy (\n- decaf_448_scalar_t out,\n- const decaf_448_scalar_t a\n-) {\n- *out \u003d *a;\n-}\n-\n-/**\n- * @brief Set a scalar to an unsigned 64-bit integer.\n- * @param [in] a An integer.\n- * @param [out] out Will become equal to a.\n- */ \n-void decaf_448_scalar_set_unsigned (\n- decaf_448_scalar_t out,\n- uint64_t a\n-) DECAF_API_VIS DECAF_NONNULL;\n-\n-/**\n- * @brief Encode a point as a sequence of bytes.\n- *\n- * @param [out] ser The byte representation of the point.\n- * @param [in] pt The point to encode.\n- */\n-void decaf_448_point_encode (\n- uint8_t ser[DECAF_448_SER_BYTES],\n- const decaf_448_point_t pt\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Decode a point from a sequence of bytes.\n- *\n- * Every point has a unique encoding, so not every\n- * sequence of bytes is a valid encoding. 
If an invalid\n- * encoding is given, the output is undefined.\n- *\n- * @param [out] pt The decoded point.\n- * @param [in] ser The serialized version of the point.\n- * @param [in] allow_identity DECAF_TRUE if the identity is a legal input.\n- * @retval DECAF_SUCCESS The decoding succeeded.\n- * @retval DECAF_FAILURE The decoding didn't succeed, because\n- * ser does not represent a point.\n- */\n-decaf_error_t decaf_448_point_decode (\n- decaf_448_point_t pt,\n- const uint8_t ser[DECAF_448_SER_BYTES],\n- decaf_bool_t allow_identity\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Copy a point. The input and output may alias,\n- * in which case this function does nothing.\n- *\n- * @param [out] a A copy of the point.\n- * @param [in] b Any point.\n- */\n-static inline void DECAF_NONNULL decaf_448_point_copy (\n- decaf_448_point_t a,\n- const decaf_448_point_t b\n-) {\n- *a\u003d*b;\n-}\n-\n-/**\n- * @brief Test whether two points are equal. If yes, return\n- * DECAF_TRUE, else return DECAF_FALSE.\n- *\n- * @param [in] a A point.\n- * @param [in] b Another point.\n- * @retval DECAF_TRUE The points are equal.\n- * @retval DECAF_FALSE The points are not equal.\n- */\n-decaf_bool_t decaf_448_point_eq (\n- const decaf_448_point_t a,\n- const decaf_448_point_t b\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Add two points to produce a third point. The\n- * input points and output point can be pointers to the same\n- * memory.\n- *\n- * @param [out] sum The sum a+b.\n- * @param [in] a An addend.\n- * @param [in] b An addend.\n- */\n-void decaf_448_point_add (\n- decaf_448_point_t sum,\n- const decaf_448_point_t a,\n- const decaf_448_point_t b\n-) DECAF_API_VIS DECAF_NONNULL;\n-\n-/**\n- * @brief Double a point. 
Equivalent to\n- * decaf_448_point_add(two_a,a,a), but potentially faster.\n- *\n- * @param [out] two_a The sum a+a.\n- * @param [in] a A point.\n- */\n-void decaf_448_point_double (\n- decaf_448_point_t two_a,\n- const decaf_448_point_t a\n-) DECAF_API_VIS DECAF_NONNULL;\n-\n-/**\n- * @brief Subtract two points to produce a third point. The\n- * input points and output point can be pointers to the same\n- * memory.\n- *\n- * @param [out] diff The difference a-b.\n- * @param [in] a The minuend.\n- * @param [in] b The subtrahend.\n- */\n-void decaf_448_point_sub (\n- decaf_448_point_t diff,\n- const decaf_448_point_t a,\n- const decaf_448_point_t b\n-) DECAF_API_VIS DECAF_NONNULL;\n- \n-/**\n- * @brief Negate a point to produce another point. The input\n- * and output points can use the same memory.\n- *\n- * @param [out] nega The negated input point\n- * @param [in] a The input point.\n- */\n-void decaf_448_point_negate (\n- decaf_448_point_t nega,\n- const decaf_448_point_t a\n-) DECAF_API_VIS DECAF_NONNULL;\n-\n-/**\n- * @brief Multiply a base point by a scalar: scaled \u003d scalar*base.\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] base The point to be scaled.\n- * @param [in] scalar The scalar to multiply by.\n- */\n-void decaf_448_point_scalarmul (\n- decaf_448_point_t scaled,\n- const decaf_448_point_t base,\n- const decaf_448_scalar_t scalar\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply a base point by a scalar: scaled \u003d scalar*base.\n- * This function operates directly on serialized forms.\n- *\n- * @warning This function is experimental. 
It may not be supported\n- * long-term.\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] base The point to be scaled.\n- * @param [in] scalar The scalar to multiply by.\n- * @param [in] allow_identity Allow the input to be the identity.\n- * @param [in] short_circuit Allow a fast return if the input is illegal.\n- *\n- * @retval DECAF_SUCCESS The scalarmul succeeded.\n- * @retval DECAF_FAILURE The scalarmul didn't succeed, because\n- * base does not represent a point.\n- */\n-decaf_error_t decaf_448_direct_scalarmul (\n- uint8_t scaled[DECAF_448_SER_BYTES],\n- const uint8_t base[DECAF_448_SER_BYTES],\n- const decaf_448_scalar_t scalar,\n- decaf_bool_t allow_identity,\n- decaf_bool_t short_circuit\n-) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;\n-\n-/**\n- * @brief RFC 7748 Diffie-Hellman scalarmul. This function uses a different\n- * (non-Decaf) encoding.\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] base The point to be scaled.\n- * @param [in] scalar The scalar to multiply by.\n- *\n- * @retval DECAF_SUCCESS The scalarmul succeeded.\n- * @retval DECAF_FAILURE The scalarmul didn't succeed, because the base\n- * point is in a small subgroup.\n- */\n-decaf_error_t decaf_x448 (\n- uint8_t out[DECAF_X448_PUBLIC_BYTES],\n- const uint8_t base[DECAF_X448_PUBLIC_BYTES],\n- const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply a point by DECAF_X448_ENCODE_RATIO,\n- * then encode it like RFC 7748.\n- *\n- * This function is mainly used internally, but is exported in case\n- * it will be useful.\n- *\n- * The ratio is necessary because the internal representation doesn't\n- * track the cofactor information, so on output we must clear the cofactor.\n- * This would multiply by the cofactor, but in fact internally libdecaf's\n- * points are always even, so it multiplies by half the cofactor instead.\n- *\n- * As it 
happens, this aligns with the base point definitions; that is,\n- * if you pass the Decaf/Ristretto base point to this function, the result\n- * will be DECAF_X448_ENCODE_RATIO times the X448\n- * base point.\n- *\n- * @param [out] out The scaled and encoded point.\n- * @param [in] p The point to be scaled and encoded.\n- */\n-void decaf_448_point_mul_by_ratio_and_encode_like_x448 (\n- uint8_t out[DECAF_X448_PUBLIC_BYTES],\n- const decaf_448_point_t p\n-) DECAF_API_VIS DECAF_NONNULL;\n-\n-/** The base point for X448 Diffie-Hellman */\n-extern const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] DECAF_API_VIS;\n-\n-/**\n- * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses\n- * a different (non-Decaf) encoding.\n- *\n- * @deprecated Renamed to decaf_x448_derive_public_key.\n- * I have no particular timeline for removing this name.\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] scalar The scalar to multiply by.\n- */\n-void decaf_x448_generate_key (\n- uint8_t out[DECAF_X448_PUBLIC_BYTES],\n- const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_DEPRECATED(\u0022Renamed to decaf_x448_derive_public_key\u0022);\n- \n-/**\n- * @brief RFC 7748 Diffie-Hellman base point scalarmul. 
This function uses\n- * a different (non-Decaf) encoding.\n- *\n- * Does exactly the same thing as decaf_x448_generate_key,\n- * but has a better name.\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] scalar The scalar to multiply by.\n- */\n-void decaf_x448_derive_public_key (\n- uint8_t out[DECAF_X448_PUBLIC_BYTES],\n- const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/* FUTURE: uint8_t decaf_448_encode_like_curve448) */\n-\n-/**\n- * @brief Precompute a table for fast scalar multiplication.\n- * Some implementations do not include precomputed points; for\n- * those implementations, this implementation simply copies the\n- * point.\n- *\n- * @param [out] a A precomputed table of multiples of the point.\n- * @param [in] b Any point.\n- */\n-void decaf_448_precompute (\n- decaf_448_precomputed_s *a,\n- const decaf_448_point_t b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply a precomputed base point by a scalar:\n- * scaled \u003d scalar*base.\n- * Some implementations do not include precomputed points; for\n- * those implementations, this function is the same as\n- * decaf_448_point_scalarmul\n- *\n- * @param [out] scaled The scaled point base*scalar\n- * @param [in] base The point to be scaled.\n- * @param [in] scalar The scalar to multiply by.\n- */\n-void decaf_448_precomputed_scalarmul (\n- decaf_448_point_t scaled,\n- const decaf_448_precomputed_s *base,\n- const decaf_448_scalar_t scalar\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply two base points by two scalars:\n- * scaled \u003d scalar1*base1 + scalar2*base2.\n- *\n- * Equivalent to two calls to decaf_448_point_scalarmul, but may be\n- * faster.\n- *\n- * @param [out] combo The linear combination scalar1*base1 + scalar2*base2.\n- * @param [in] base1 A first point to be scaled.\n- * @param [in] scalar1 A first scalar to multiply by.\n- * @param [in] base2 A second 
point to be scaled.\n- * @param [in] scalar2 A second scalar to multiply by.\n- */\n-void decaf_448_point_double_scalarmul (\n- decaf_448_point_t combo,\n- const decaf_448_point_t base1,\n- const decaf_448_scalar_t scalar1,\n- const decaf_448_point_t base2,\n- const decaf_448_scalar_t scalar2\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n- \n-/**\n- * Multiply one base point by two scalars:\n- *\n- * a1 \u003d scalar1 * base\n- * a2 \u003d scalar2 * base\n- *\n- * Equivalent to two calls to decaf_448_point_scalarmul, but may be\n- * faster.\n- *\n- * @param [out] a1 The first multiple. It may be the same as the input point.\n- * @param [out] a2 The second multiple. It may be the same as the input point.\n- * @param [in] base1 A point to be scaled.\n- * @param [in] scalar1 A first scalar to multiply by.\n- * @param [in] scalar2 A second scalar to multiply by.\n- */\n-void decaf_448_point_dual_scalarmul (\n- decaf_448_point_t a1,\n- decaf_448_point_t a2,\n- const decaf_448_point_t base1,\n- const decaf_448_scalar_t scalar1,\n- const decaf_448_scalar_t scalar2\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Multiply two base points by two scalars:\n- * scaled \u003d scalar1*decaf_448_point_base + scalar2*base2.\n- *\n- * Otherwise equivalent to decaf_448_point_double_scalarmul, but may be\n- * faster at the expense of being variable time.\n- *\n- * @param [out] combo The linear combination scalar1*base + scalar2*base2.\n- * @param [in] scalar1 A first scalar to multiply by.\n- * @param [in] base2 A second point to be scaled.\n- * @param [in] scalar2 A second scalar to multiply by.\n- *\n- * @warning: This function takes variable time, and may leak the scalars\n- * used. 
It is designed for signature verification.\n- */\n-void decaf_448_base_double_scalarmul_non_secret (\n- decaf_448_point_t combo,\n- const decaf_448_scalar_t scalar1,\n- const decaf_448_point_t base2,\n- const decaf_448_scalar_t scalar2\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Constant-time decision between two points. If pick_b\n- * is zero, out \u003d a; else out \u003d b.\n- *\n- * @param [out] out The output. It may be the same as either input.\n- * @param [in] a Any point.\n- * @param [in] b Any point.\n- * @param [in] pick_b If nonzero, choose point b.\n- */\n-void decaf_448_point_cond_sel (\n- decaf_448_point_t out,\n- const decaf_448_point_t a,\n- const decaf_448_point_t b,\n- decaf_word_t pick_b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Constant-time decision between two scalars. If pick_b\n- * is zero, out \u003d a; else out \u003d b.\n- *\n- * @param [out] out The output. It may be the same as either input.\n- * @param [in] a Any scalar.\n- * @param [in] b Any scalar.\n- * @param [in] pick_b If nonzero, choose scalar b.\n- */\n-void decaf_448_scalar_cond_sel (\n- decaf_448_scalar_t out,\n- const decaf_448_scalar_t a,\n- const decaf_448_scalar_t b,\n- decaf_word_t pick_b\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Test that a point is valid, for debugging purposes.\n- *\n- * @param [in] to_test The point to test.\n- * @retval DECAF_TRUE The point is valid.\n- * @retval DECAF_FALSE The point is invalid.\n- */\n-decaf_bool_t decaf_448_point_valid (\n- const decaf_448_point_t to_test\n-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Torque a point, for debugging purposes. 
The output\n- * will be equal to the input.\n- *\n- * @param [out] q The point to torque.\n- * @param [in] p The point to torque.\n- */\n-void decaf_448_point_debugging_torque (\n- decaf_448_point_t q,\n- const decaf_448_point_t p\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Projectively scale a point, for debugging purposes.\n- * The output will be equal to the input, and will be valid\n- * even if the factor is zero.\n- *\n- * @param [out] q The point to scale.\n- * @param [in] p The point to scale.\n- * @param [in] factor Serialized GF factor to scale.\n- */\n-void decaf_448_point_debugging_pscale (\n- decaf_448_point_t q,\n- const decaf_448_point_t p,\n- const unsigned char factor[DECAF_448_SER_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Almost-Elligator-like hash to curve.\n- *\n- * Call this function with the output of a hash to make a hash to the curve.\n- *\n- * This function runs Elligator2 on the decaf_448 Jacobi quartic model. It then\n- * uses the isogeny to put the result in twisted Edwards form. As a result,\n- * it is safe (cannot produce points of order 4), and would be compatible with\n- * hypothetical other implementations of Decaf using a Montgomery or untwisted\n- * Edwards model.\n- *\n- * Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:\n- * A factor of 2 due to the isogeny.\n- * A factor of 2 because we quotient out the 2-torsion.\n- *\n- * This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8.\n- *\n- * Negating the input (mod q) results in the same point. Inverting the input\n- * (mod q) results in the negative point. This is the same as Elligator.\n- *\n- * This function isn't quite indifferentiable from a random oracle.\n- * However, it is suitable for many protocols, including SPEKE and SPAKE2 EE. 
\n- * Furthermore, calling it twice with independent seeds and adding the results\n- * is indifferentiable from a random oracle.\n- *\n- * @param [in] hashed_data Output of some hash function.\n- * @param [out] pt The data hashed to the curve.\n- */\n-void\n-decaf_448_point_from_hash_nonuniform (\n- decaf_448_point_t pt,\n- const unsigned char hashed_data[DECAF_448_HASH_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Indifferentiable hash function encoding to curve.\n- *\n- * Equivalent to calling decaf_448_point_from_hash_nonuniform twice and adding.\n- *\n- * @param [in] hashed_data Output of some hash function.\n- * @param [out] pt The data hashed to the curve.\n- */ \n-void decaf_448_point_from_hash_uniform (\n- decaf_448_point_t pt,\n- const unsigned char hashed_data[2*DECAF_448_HASH_BYTES]\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n-\n-/**\n- * @brief Inverse of elligator-like hash to curve.\n- *\n- * This function writes to the buffer, to make it so that\n- * decaf_448_point_from_hash_nonuniform(buffer) \u003d pt if\n- * possible. Since there may be multiple preimages, the\n- * \u0022which\u0022 parameter chooses between them. To ensure uniform\n- * inverse sampling, this function succeeds or fails\n- * independently for different \u0022which\u0022 values.\n- *\n- * This function isn't guaranteed to find every possible\n- * preimage, but it finds all except a small finite number.\n- * In particular, when the number of bits in the modulus isn't\n- * a multiple of 8 (i.e. for curve25519), it sets the high bits\n- * independently, which enables the generated data to be uniform.\n- * But it doesn't add p, so you'll never get exactly p from this\n- * function. 
This might change in the future, especially if\n- * we ever support eg Brainpool curves, where this could cause\n- * real nonuniformity.\n- *\n- * @param [out] recovered_hash Encoded data.\n- * @param [in] pt The point to encode.\n- * @param [in] which A value determining which inverse point\n- * to return.\n- *\n- * @retval DECAF_SUCCESS The inverse succeeded.\n- * @retval DECAF_FAILURE The inverse failed.\n- */\n-decaf_error_t\n-decaf_448_invert_elligator_nonuniform (\n- unsigned char recovered_hash[DECAF_448_HASH_BYTES],\n- const decaf_448_point_t pt,\n- uint32_t which\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;\n-\n-/**\n- * @brief Inverse of elligator-like hash to curve.\n- *\n- * This function writes to the buffer, to make it so that\n- * decaf_448_point_from_hash_uniform(buffer) \u003d pt if\n- * possible. Since there may be multiple preimages, the\n- * \u0022which\u0022 parameter chooses between them. To ensure uniform\n- * inverse sampling, this function succeeds or fails\n- * independently for different \u0022which\u0022 values.\n- *\n- * @param [out] recovered_hash Encoded data.\n- * @param [in] pt The point to encode.\n- * @param [in] which A value determining which inverse point\n- * to return.\n- *\n- * @retval DECAF_SUCCESS The inverse succeeded.\n- * @retval DECAF_FAILURE The inverse failed.\n- */\n-decaf_error_t\n-decaf_448_invert_elligator_uniform (\n- unsigned char recovered_hash[2*DECAF_448_HASH_BYTES],\n- const decaf_448_point_t pt,\n- uint32_t which\n-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;\n-\n-/**\n- * @brief Overwrite scalar with zeros.\n- */\n-void decaf_448_scalar_destroy (\n- decaf_448_scalar_t scalar\n-) DECAF_NONNULL DECAF_API_VIS;\n-\n-/**\n- * @brief Overwrite point with zeros.\n- */\n-void decaf_448_point_destroy (\n- decaf_448_point_t point\n-) DECAF_NONNULL DECAF_API_VIS;\n-\n-/**\n- * @brief Overwrite precomputed table with zeros.\n- */\n-void decaf_448_precomputed_destroy (\n- 
decaf_448_precomputed_s *pre\n-) DECAF_NONNULL DECAF_API_VIS;\n-\n-#ifdef __cplusplus\n-} /* extern \u0022C\u0022 */\n-#endif\n-\n-#endif /* __DECAF_POINT_448_H__ */\ndiff --git a/crypto/ec/curve448/GENERATED/include/decaf/sha512.h b/crypto/ec/curve448/GENERATED/include/decaf/sha512.h\ndeleted file mode 100644\nindex 3c8ec70..0000000\n--- a/crypto/ec/curve448/GENERATED/include/decaf/sha512.h\n+++ /dev/null\n@@ -1,53 +0,0 @@\n-/**\n- * @file decaf/shake.h\n- * @copyright Public domain.\n- * @author Mike Hamburg\n- * @brief SHA2-512\n- */\n-\n-#ifndef __DECAF_SHA512_H__\n-#define __DECAF_SHA512_H__\n-\n-#include \u003cstdint.h\u003e\n-#include \u003csys/types.h\u003e\n-#include \u003cstdlib.h\u003e /* for NULL */\n-\n-#include \u003cdecaf/common.h\u003e\n-\n-#ifdef __cplusplus\n-extern \u0022C\u0022 {\n-#endif\n- \n-\n-typedef struct decaf_sha512_ctx_s {\n- uint64_t state[8];\n- uint8_t block[128];\n- uint64_t bytes_processed;\n-} decaf_sha512_ctx_s, decaf_sha512_ctx_t[1];\n-\n-void decaf_sha512_init(decaf_sha512_ctx_t ctx) DECAF_NONNULL DECAF_API_VIS;\n-void decaf_sha512_update(decaf_sha512_ctx_t ctx, const uint8_t *message, size_t length) DECAF_NONNULL DECAF_API_VIS;\n-void decaf_sha512_final(decaf_sha512_ctx_t ctx, uint8_t *out, size_t length) DECAF_NONNULL DECAF_API_VIS;\n-\n-static inline void decaf_sha512_destroy(decaf_sha512_ctx_t ctx) {\n- decaf_bzero(ctx,sizeof(*ctx));\n-}\n-\n-static inline void decaf_sha512_hash(\n- uint8_t *output,\n- size_t output_len,\n- const uint8_t *message,\n- size_t message_len\n-) {\n- decaf_sha512_ctx_t ctx;\n- decaf_sha512_init(ctx);\n- decaf_sha512_update(ctx,message,message_len);\n- decaf_sha512_final(ctx,output,output_len);\n- decaf_sha512_destroy(ctx);\n-}\n-\n-#ifdef __cplusplus\n-} /* extern \u0022C\u0022 */\n-#endif\n- \n-#endif /* __DECAF_SHA512_H__ */\ndiff --git a/crypto/ec/curve448/GENERATED/include/decaf/shake.h b/crypto/ec/curve448/GENERATED/include/decaf/shake.h\ndeleted file mode 100644\nindex 
ae125b9..0000000\n--- a/crypto/ec/curve448/GENERATED/include/decaf/shake.h\n+++ /dev/null\n@@ -1,219 +0,0 @@\n-/**\n- * @file decaf/shake.h\n- * @copyright\n- * Based on CC0 code by David Leon Gil, 2015 \u005cn\n- * Copyright (c) 2015 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- * @author Mike Hamburg\n- * @brief SHA-3-n and DECAF_SHAKE-n instances.\n- */\n-\n-#ifndef __DECAF_SHAKE_H__\n-#define __DECAF_SHAKE_H__\n-\n-#include \u003cstdint.h\u003e\n-#include \u003csys/types.h\u003e\n-#include \u003cstdlib.h\u003e /* for NULL */\n-\n-#include \u003cdecaf/common.h\u003e\n-\n-#ifdef __cplusplus\n-extern \u0022C\u0022 {\n-#endif\n-\n-#ifndef INTERNAL_SPONGE_STRUCT\n- /** Sponge container object for the various primitives. */\n- typedef struct decaf_keccak_sponge_s {\n- /** @cond internal */\n- uint64_t opaque[26];\n- /** @endcond */\n- } decaf_keccak_sponge_s;\n-\n- /** Convenience GMP-style one-element array version */\n- typedef struct decaf_keccak_sponge_s decaf_keccak_sponge_t[1];\n-\n- /** Parameters for sponge construction, distinguishing DECAF_SHA3 and\n- * DECAF_SHAKE instances.\n- */\n- struct decaf_kparams_s;\n-#endif\n-\n-/**\n- * @brief Initialize a sponge context object.\n- * @param [out] sponge The object to initialize.\n- * @param [in] params The sponge's parameter description.\n- */\n-void decaf_sha3_init (\n- decaf_keccak_sponge_t sponge,\n- const struct decaf_kparams_s *params\n-) DECAF_API_VIS;\n-\n-/**\n- * @brief Absorb data into a DECAF_SHA3 or DECAF_SHAKE hash context.\n- * @param [inout] sponge The context.\n- * @param [in] in The input data.\n- * @param [in] len The input data's length in bytes.\n- * @return DECAF_FAILURE if the sponge has already been used for output.\n- * @return DECAF_SUCCESS otherwise.\n- */\n-decaf_error_t decaf_sha3_update (\n- struct decaf_keccak_sponge_s * __restrict__ sponge,\n- const uint8_t *in,\n- size_t len\n-) DECAF_API_VIS;\n-\n-/**\n- * 
@brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.\n- * This does not destroy or re-initialize the hash context, and\n- * decaf_sha3 output can be called more times.\n- *\n- * @param [inout] sponge The context.\n- * @param [out] out The output data.\n- * @param [in] len The requested output data length in bytes.\n- * @return DECAF_FAILURE if the sponge has exhausted its output capacity.\n- * @return DECAF_SUCCESS otherwise.\n- */ \n-decaf_error_t decaf_sha3_output (\n- decaf_keccak_sponge_t sponge,\n- uint8_t * __restrict__ out,\n- size_t len\n-) DECAF_API_VIS;\n-\n-/**\n- * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.\n- * This re-initializes the context to its starting parameters.\n- *\n- * @param [inout] sponge The context.\n- * @param [out] out The output data.\n- * @param [in] len The requested output data length in bytes.\n- */ \n-decaf_error_t decaf_sha3_final (\n- decaf_keccak_sponge_t sponge,\n- uint8_t * __restrict__ out,\n- size_t len\n-) DECAF_API_VIS;\n-\n-/**\n- * @brief Reset the sponge to the empty string.\n- *\n- * @param [inout] sponge The context.\n- */ \n-void decaf_sha3_reset (\n- decaf_keccak_sponge_t sponge\n-) DECAF_API_VIS;\n-\n-/**\n- * @brief Return the default output length of the sponge construction,\n- * for the purpose of C++ default operators.\n- *\n- * Returns n/8 for DECAF_SHA3-n and 2n/8 for DECAF_SHAKE-n.\n- */ \n-size_t decaf_sha3_default_output_bytes (\n- const decaf_keccak_sponge_t sponge /**\u003c [inout] The context. */\n-) DECAF_API_VIS;\n-\n-/**\n- * @brief Return the default output length of the sponge construction,\n- * for the purpose of C++ default operators.\n- *\n- * Returns n/8 for DECAF_SHA3-n and SIZE_MAX for DECAF_SHAKE-n.\n- */ \n-size_t decaf_sha3_max_output_bytes (\n- const decaf_keccak_sponge_t sponge /**\u003c [inout] The context. 
*/\n-) DECAF_API_VIS;\n-\n-/**\n- * @brief Destroy a DECAF_SHA3 or DECAF_SHAKE sponge context by overwriting it with 0.\n- * @param [out] sponge The context.\n- */ \n-void decaf_sha3_destroy (\n- decaf_keccak_sponge_t sponge\n-) DECAF_API_VIS;\n-\n-/**\n- * @brief Hash (in) to (out)\n- * @param [in] in The input data.\n- * @param [in] inlen The length of the input data.\n- * @param [out] out A buffer for the output data.\n- * @param [in] outlen The length of the output data.\n- * @param [in] params The parameters of the sponge hash.\n- */ \n-decaf_error_t decaf_sha3_hash (\n- uint8_t *out,\n- size_t outlen,\n- const uint8_t *in,\n- size_t inlen,\n- const struct decaf_kparams_s *params\n-) DECAF_API_VIS;\n-\n-/* FUTURE: expand/doxygenate individual DECAF_SHAKE/DECAF_SHA3 instances? */\n-\n-/** @cond internal */\n-#define DECAF_DEC_SHAKE(n) \u005c\n- extern const struct decaf_kparams_s DECAF_SHAKE##n##_params_s DECAF_API_VIS; \u005c\n- typedef struct decaf_shake##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_shake##n##_ctx_t[1]; \u005c\n- static inline void DECAF_NONNULL decaf_shake##n##_init(decaf_shake##n##_ctx_t sponge) { \u005c\n- decaf_sha3_init(sponge-\u003es, \u0026DECAF_SHAKE##n##_params_s); \u005c\n- } \u005c\n- static inline void DECAF_NONNULL decaf_shake##n##_gen_init(decaf_keccak_sponge_t sponge) { \u005c\n- decaf_sha3_init(sponge, \u0026DECAF_SHAKE##n##_params_s); \u005c\n- } \u005c\n- static inline decaf_error_t DECAF_NONNULL decaf_shake##n##_update(decaf_shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \u005c\n- return decaf_sha3_update(sponge-\u003es, in, inlen); \u005c\n- } \u005c\n- static inline void DECAF_NONNULL decaf_shake##n##_final(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \u005c\n- decaf_sha3_output(sponge-\u003es, out, outlen); \u005c\n- decaf_sha3_init(sponge-\u003es, \u0026DECAF_SHAKE##n##_params_s); \u005c\n- } \u005c\n- static inline void DECAF_NONNULL decaf_shake##n##_output(decaf_shake##n##_ctx_t sponge, 
uint8_t *out, size_t outlen ) { \u005c\n- decaf_sha3_output(sponge-\u003es, out, outlen); \u005c\n- } \u005c\n- static inline void DECAF_NONNULL decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \u005c\n- decaf_sha3_hash(out,outlen,in,inlen,\u0026DECAF_SHAKE##n##_params_s); \u005c\n- } \u005c\n- static inline void DECAF_NONNULL decaf_shake##n##_destroy( decaf_shake##n##_ctx_t sponge ) { \u005c\n- decaf_sha3_destroy(sponge-\u003es); \u005c\n- }\n-\n-#define DECAF_DEC_SHA3(n) \u005c\n- extern const struct decaf_kparams_s DECAF_SHA3_##n##_params_s DECAF_API_VIS; \u005c\n- typedef struct decaf_sha3_##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_sha3_##n##_ctx_t[1]; \u005c\n- static inline void DECAF_NONNULL decaf_sha3_##n##_init(decaf_sha3_##n##_ctx_t sponge) { \u005c\n- decaf_sha3_init(sponge-\u003es, \u0026DECAF_SHA3_##n##_params_s); \u005c\n- } \u005c\n- static inline void DECAF_NONNULL decaf_sha3_##n##_gen_init(decaf_keccak_sponge_t sponge) { \u005c\n- decaf_sha3_init(sponge, \u0026DECAF_SHA3_##n##_params_s); \u005c\n- } \u005c\n- static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_update(decaf_sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \u005c\n- return decaf_sha3_update(sponge-\u003es, in, inlen); \u005c\n- } \u005c\n- static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_final(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \u005c\n- decaf_error_t ret \u003d decaf_sha3_output(sponge-\u003es, out, outlen); \u005c\n- decaf_sha3_init(sponge-\u003es, \u0026DECAF_SHA3_##n##_params_s); \u005c\n- return ret; \u005c\n- } \u005c\n- static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_output(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \u005c\n- return decaf_sha3_output(sponge-\u003es, out, outlen); \u005c\n- } \u005c\n- static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \u005c\n- return 
decaf_sha3_hash(out,outlen,in,inlen,\u0026DECAF_SHA3_##n##_params_s); \u005c\n- } \u005c\n- static inline void DECAF_NONNULL decaf_sha3_##n##_destroy(decaf_sha3_##n##_ctx_t sponge) { \u005c\n- decaf_sha3_destroy(sponge-\u003es); \u005c\n- }\n-/** @endcond */\n-\n-DECAF_DEC_SHAKE(128)\n-DECAF_DEC_SHAKE(256)\n-DECAF_DEC_SHA3(224)\n-DECAF_DEC_SHA3(256)\n-DECAF_DEC_SHA3(384)\n-DECAF_DEC_SHA3(512)\n-#undef DECAF_DEC_SHAKE\n-#undef DECAF_DEC_SHA3\n-\n-#ifdef __cplusplus\n-} /* extern \u0022C\u0022 */\n-#endif\n- \n-#endif /* __DECAF_SHAKE_H__ */\ndiff --git a/crypto/ec/curve448/arch_32/arch_intrinsics.h b/crypto/ec/curve448/arch_32/arch_intrinsics.h\nnew file mode 100644\nindex 0000000..f3908a2\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_32/arch_intrinsics.h\n@@ -0,0 +1,22 @@\n+/* Copyright (c) 2016 Cryptography Research, Inc.\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ */\n+\n+#ifndef __ARCH_ARCH_32_ARCH_INTRINSICS_H__\n+#define __ARCH_ARCH_32_ARCH_INTRINSICS_H__\n+\n+#define ARCH_WORD_BITS 32\n+\n+static __inline__ __attribute((always_inline,unused))\n+uint32_t word_is_zero(uint32_t a) {\n+ /* let's hope the compiler isn't clever enough to optimize this. */\n+ return (((uint64_t)a)-1)\u003e\u003e32;\n+}\n+\n+static __inline__ __attribute((always_inline,unused))\n+uint64_t widemul(uint32_t a, uint32_t b) {\n+ return ((uint64_t)a) * b;\n+}\n+\n+#endif /* __ARCH_ARM_32_ARCH_INTRINSICS_H__ */\n+\ndiff --git a/crypto/ec/curve448/arch_32/f_impl.c b/crypto/ec/curve448/arch_32/f_impl.c\nnew file mode 100644\nindex 0000000..0770bd9\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_32/f_impl.c\n@@ -0,0 +1,101 @@\n+/* Copyright (c) 2014 Cryptography Research, Inc.\n+ * Released under the MIT License. 
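Review bot: `word_is_zero` in the new arch_32/arch_intrinsics.h depends on the compiler not turning `(((uint64_t)a)-1)>>32` into a compare-and-branch, as its own comment admits, and nothing states the contract callers rely on. I would replace the comment with one that states it, e.g. `/* Returns 0xffffffff if a == 0, else 0; must stay branch-free, so re-check the generated code when the toolchain changes. */`. The closing `#endif` comment names `__ARCH_ARM_32_ARCH_INTRINSICS_H__` while the guard is `__ARCH_ARCH_32_ARCH_INTRINSICS_H__`. The header also uses `uint32_t`/`uint64_t` without including `<stdint.h>`, so it presumably relies on whatever includes it.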
See LICENSE.txt for license information.\n+ */\n+\n+#include \u0022f_field.h\u0022\n+\n+#if (defined(__OPTIMIZE__) \u0026\u0026 !defined(__OPTIMIZE_SIZE__) \u0026\u0026 !I_HATE_UNROLLED_LOOPS) \u005c\n+ || defined(DECAF_FORCE_UNROLL)\n+#define REPEAT8(_x) _x _x _x _x _x _x _x _x\n+#define FOR_LIMB(_i,_start,_end,_x) do { _i\u003d_start; REPEAT8( if (_i\u003c_end) { _x; } _i++;) } while (0)\n+#else\n+#define FOR_LIMB(_i,_start,_end,_x) do { for (_i\u003d_start; _i\u003c_end; _i++) _x; } while (0)\n+#endif\n+\n+void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) { \n+ const uint32_t *a \u003d as-\u003elimb, *b \u003d bs-\u003elimb;\n+ uint32_t *c \u003d cs-\u003elimb;\n+\n+ uint64_t accum0 \u003d 0, accum1 \u003d 0, accum2 \u003d 0;\n+ uint32_t mask \u003d (1\u003c\u003c28) - 1; \n+\n+ uint32_t aa[8], bb[8];\n+ \n+ int i,j;\n+ for (i\u003d0; i\u003c8; i++) {\n+ aa[i] \u003d a[i] + a[i+8];\n+ bb[i] \u003d b[i] + b[i+8];\n+ }\n+ \n+ FOR_LIMB(j,0,8,{\n+ accum2 \u003d 0;\n+ \n+ FOR_LIMB (i,0,j+1,{\n+ accum2 +\u003d widemul(a[j-i],b[i]);\n+ accum1 +\u003d widemul(aa[j-i],bb[i]);\n+ accum0 +\u003d widemul(a[8+j-i], b[8+i]);\n+ });\n+ \n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+ accum2 \u003d 0;\n+ \n+ FOR_LIMB (i,j+1,8,{\n+ accum0 -\u003d widemul(a[8+j-i], b[i]);\n+ accum2 +\u003d widemul(aa[8+j-i], bb[i]);\n+ accum1 +\u003d widemul(a[16+j-i], b[8+i]);\n+ });\n+\n+ accum1 +\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[j] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[j+8] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 28;\n+ accum1 \u003e\u003e\u003d 28;\n+ });\n+ \n+ accum0 +\u003d accum1;\n+ accum0 +\u003d c[8];\n+ accum1 +\u003d c[0];\n+ c[8] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[0] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+ \n+ accum0 \u003e\u003e\u003d 28;\n+ accum1 \u003e\u003e\u003d 28;\n+ c[9] +\u003d ((uint32_t)(accum0));\n+ c[1] +\u003d ((uint32_t)(accum1));\n+}\n+\n+void gf_mulw_unsigned (gf_s 
*__restrict__ cs, const gf as, uint32_t b) {\n+ assert(b\u003c1\u003c\u003c28);\n+ \n+ const uint32_t *a \u003d as-\u003elimb;\n+ uint32_t *c \u003d cs-\u003elimb;\n+\n+ uint64_t accum0 \u003d 0, accum8 \u003d 0;\n+ uint32_t mask \u003d (1ull\u003c\u003c28)-1; \n+\n+ int i;\n+ FOR_LIMB(i,0,8,{\n+ accum0 +\u003d widemul(b, a[i]);\n+ accum8 +\u003d widemul(b, a[i+8]);\n+\n+ c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n+ c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n+ });\n+\n+ accum0 +\u003d accum8 + c[8];\n+ c[8] \u003d accum0 \u0026 mask;\n+ c[9] +\u003d accum0 \u003e\u003e 28;\n+\n+ accum8 +\u003d c[0];\n+ c[0] \u003d accum8 \u0026 mask;\n+ c[1] +\u003d accum8 \u003e\u003e 28;\n+}\n+\n+void gf_sqr (gf_s *__restrict__ cs, const gf as) {\n+ gf_mul(cs,as,as); /* Performs better with a dedicated square */\n+}\n+\ndiff --git a/crypto/ec/curve448/arch_32/f_impl.h b/crypto/ec/curve448/arch_32/f_impl.h\nnew file mode 100644\nindex 0000000..c368788\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_32/f_impl.h\n@@ -0,0 +1,40 @@\n+/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n+ * Released under the MIT License. 
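Review bot: The `assert(b<1<<28);` at the top of `gf_mulw_unsigned` is the only check on the multiplier's range, and it disappears when NDEBUG is defined, so a release build accepts a larger `b` without complaint. It also sits before the declarations, unlike `gf_mul`, which declares everything first. I would move it below the declarations and state the requirement in a comment, e.g. `/* precondition: b < 2^28 */`. The file includes only `f_field.h`, so `assert` and `widemul` presumably arrive through it. In `gf_sqr` the comment `/* Performs better with a dedicated square */` reads like a description of this code; `/* TODO: a dedicated squaring routine would be faster */` says what is apparently meant.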
See LICENSE.txt for license information.\n+ */\n+\n+#define GF_HEADROOM 2\n+#define LIMB(x) (x##ull)\u0026((1ull\u003c\u003c28)-1), (x##ull)\u003e\u003e28\n+#define FIELD_LITERAL(a,b,c,d,e,f,g,h) \u005c\n+ {{LIMB(a),LIMB(b),LIMB(c),LIMB(d),LIMB(e),LIMB(f),LIMB(g),LIMB(h)}}\n+ \n+#define LIMB_PLACE_VALUE(i) 28\n+\n+void gf_add_RAW (gf out, const gf a, const gf b) {\n+ for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n+ out-\u003elimb[i] \u003d a-\u003elimb[i] + b-\u003elimb[i];\n+ }\n+}\n+\n+void gf_sub_RAW (gf out, const gf a, const gf b) {\n+ for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n+ out-\u003elimb[i] \u003d a-\u003elimb[i] - b-\u003elimb[i];\n+ }\n+}\n+\n+void gf_bias (gf a, int amt) { \n+ uint32_t co1 \u003d ((1ull\u003c\u003c28)-1)*amt, co2 \u003d co1-amt;\n+ for (unsigned int i\u003d0; i\u003csizeof(*a)/sizeof(a-\u003elimb[0]); i++) {\n+ a-\u003elimb[i] +\u003d (i\u003d\u003dsizeof(*a)/sizeof(a-\u003elimb[0])/2) ? co2 : co1;\n+ }\n+}\n+\n+void gf_weak_reduce (gf a) {\n+ uint32_t mask \u003d (1ull\u003c\u003c28) - 1;\n+ uint32_t tmp \u003d a-\u003elimb[15] \u003e\u003e 28;\n+ a-\u003elimb[8] +\u003d tmp;\n+ for (unsigned int i\u003d15; i\u003e0; i--) {\n+ a-\u003elimb[i] \u003d (a-\u003elimb[i] \u0026 mask) + (a-\u003elimb[i-1]\u003e\u003e28);\n+ }\n+ a-\u003elimb[0] \u003d (a-\u003elimb[0] \u0026 mask) + tmp;\n+}\n+\ndiff --git a/crypto/ec/curve448/arch_arm_32/arch_intrinsics.h b/crypto/ec/curve448/arch_arm_32/arch_intrinsics.h\nnew file mode 100644\nindex 0000000..7451c6f\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_arm_32/arch_intrinsics.h\n@@ -0,0 +1,24 @@\n+/* Copyright (c) 2016 Cryptography Research, Inc.\n+ * Released under the MIT License. 
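Review bot: `gf_add_RAW`, `gf_sub_RAW`, `gf_bias` and `gf_weak_reduce` are defined in arch_32/f_impl.h without `static` or `inline`, and the file has no include guard. Unless the including header declares them `static` beforehand (not visible in this hunk), a second translation unit that includes it would get duplicate definitions. I would make the linkage explicit at each definition, e.g. `static inline void gf_add_RAW (gf out, const gf a, const gf b) {`, and add a guard. `gf_weak_reduce` hard-codes limb indices `15` and `8` while the other three derive the limb count from `sizeof(*out)/sizeof(out->limb[0])`. A comment such as `/* 16 limbs of 28 bits; the carry out of limb 15 folds into limb 0 and limb 8 */` would tie those constants to the representation.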
See LICENSE.txt for license information.\n+ */\n+\n+#ifndef __ARCH_ARM_32_ARCH_INTRINSICS_H__\n+#define __ARCH_ARM_32_ARCH_INTRINSICS_H__\n+\n+#define ARCH_WORD_BITS 32\n+\n+static __inline__ __attribute((always_inline,unused))\n+uint32_t word_is_zero(uint32_t a) {\n+ uint32_t ret;\n+ asm(\u0022subs %0, %1, #1;\u005cn\u005ctsbc %0, %0, %0\u0022 : \u0022\u003dr\u0022(ret) : \u0022r\u0022(a) : \u0022cc\u0022);\n+ return ret;\n+}\n+\n+static __inline__ __attribute((always_inline,unused))\n+uint64_t widemul(uint32_t a, uint32_t b) {\n+ /* Could be UMULL, but it's hard to express to CC that the registers must be different */\n+ return ((uint64_t)a) * b; \n+}\n+\n+#endif /* __ARCH_ARM_32_ARCH_INTRINSICS_H__ */\n+\ndiff --git a/crypto/ec/curve448/arch_arm_32/f_impl.c b/crypto/ec/curve448/arch_arm_32/f_impl.c\nnew file mode 100644\nindex 0000000..0454bd6\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_arm_32/f_impl.c\n@@ -0,0 +1,819 @@\n+/* Copyright (c) 2014 Cryptography Research, Inc.\n+ * Released under the MIT License. 
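Review bot: `word_is_zero` in arch_arm_32/arch_intrinsics.h uses the plain `asm` keyword, which GCC does not recognise in strict ISO modes such as `-std=c99`, while the same header already spells `__inline__`. Writing `__asm__(` keeps it buildable in those modes. The function also has no comment stating what it returns. From the `subs`/`sbc` pair it yields all-ones when `a` is zero and zero otherwise, matching the generic arch_32 version. A one-line comment such as `/* Returns 0xffffffff if a == 0, else 0, without branching. */` would make the mask semantics clear to callers.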
See LICENSE.txt for license information.\n+ */\n+\n+#include \u0022f_field.h\u0022\n+\n+static inline void __attribute__((gnu_inline,always_inline))\n+smlal (\n+ uint64_t *acc,\n+ const uint32_t a,\n+ const uint32_t b\n+) {\n+\n+#ifdef __ARMEL__\n+ uint32_t lo \u003d *acc, hi \u003d (*acc)\u003e\u003e32;\n+ \n+ __asm__ __volatile__ (\u0022smlal %[lo], %[hi], %[a], %[b]\u0022\n+ : [lo]\u0022+\u0026r\u0022(lo), [hi]\u0022+\u0026r\u0022(hi)\n+ : [a]\u0022r\u0022(a), [b]\u0022r\u0022(b));\n+ \n+ *acc \u003d lo + (((uint64_t)hi)\u003c\u003c32);\n+#else\n+ *acc +\u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b;\n+#endif\n+}\n+\n+static inline void __attribute__((gnu_inline,always_inline))\n+smlal2 (\n+ uint64_t *acc,\n+ const uint32_t a,\n+ const uint32_t b\n+) {\n+#ifdef __ARMEL__\n+ uint32_t lo \u003d *acc, hi \u003d (*acc)\u003e\u003e32;\n+ \n+ __asm__ __volatile__ (\u0022smlal %[lo], %[hi], %[a], %[b]\u0022\n+ : [lo]\u0022+\u0026r\u0022(lo), [hi]\u0022+\u0026r\u0022(hi)\n+ : [a]\u0022r\u0022(a), [b]\u0022r\u0022(2*b));\n+ \n+ *acc \u003d lo + (((uint64_t)hi)\u003c\u003c32);\n+#else\n+ *acc +\u003d (int64_t)(int32_t)a * (int64_t)(int32_t)(b * 2);\n+#endif\n+}\n+\n+static inline void __attribute__((gnu_inline,always_inline))\n+smull (\n+ uint64_t *acc,\n+ const uint32_t a,\n+ const uint32_t b\n+) {\n+#ifdef __ARMEL__\n+ uint32_t lo, hi;\n+ \n+ __asm__ __volatile__ (\u0022smull %[lo], %[hi], %[a], %[b]\u0022\n+ : [lo]\u0022\u003d\u0026r\u0022(lo), [hi]\u0022\u003d\u0026r\u0022(hi)\n+ : [a]\u0022r\u0022(a), [b]\u0022r\u0022(b));\n+ \n+ *acc \u003d lo + (((uint64_t)hi)\u003c\u003c32);\n+#else\n+ *acc \u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b;\n+#endif\n+}\n+\n+static inline void __attribute__((gnu_inline,always_inline))\n+smull2 (\n+ uint64_t *acc,\n+ const uint32_t a,\n+ const uint32_t b\n+) {\n+#ifdef __ARMEL__\n+ uint32_t lo, hi;\n+ \n+ __asm__ /*__volatile__*/ (\u0022smull %[lo], %[hi], %[a], %[b]\u0022\n+ : [lo]\u0022\u003d\u0026r\u0022(lo), 
[hi]\u0022\u003d\u0026r\u0022(hi)\n+ : [a]\u0022r\u0022(a), [b]\u0022r\u0022(2*b));\n+ \n+ *acc \u003d lo + (((uint64_t)hi)\u003c\u003c32);\n+#else\n+ *acc \u003d (int64_t)(int32_t)a * (int64_t)(int32_t)(b * 2);\n+#endif\n+}\n+\n+void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) {\n+ \n+ const uint32_t *a \u003d as-\u003elimb, *b \u003d bs-\u003elimb;\n+ uint32_t *c \u003d cs-\u003elimb;\n+\n+ uint64_t accum0 \u003d 0, accum1 \u003d 0, accum2, accum3, accumC0, accumC1;\n+ uint32_t mask \u003d (1\u003c\u003c28) - 1; \n+\n+ uint32_t aa[8], bm[8];\n+\n+ int i;\n+ for (i\u003d0; i\u003c8; i++) {\n+ aa[i] \u003d a[i] + a[i+8];\n+ bm[i] \u003d b[i] - b[i+8];\n+ }\n+\n+ uint32_t ax,bx;\n+ {\n+ /* t^3 terms */\n+ smull(\u0026accum1, ax \u003d aa[1], bx \u003d b[15]);\n+ smull(\u0026accum3, ax \u003d aa[2], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[14]);\n+ smlal(\u0026accum3, ax \u003d aa[3], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[13]);\n+ smlal(\u0026accum3, ax \u003d aa[4], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[12]);\n+ smlal(\u0026accum3, ax \u003d aa[5], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[11]);\n+ smlal(\u0026accum3, ax \u003d aa[6], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[10]);\n+ smlal(\u0026accum3, ax \u003d aa[7], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[9]);\n+ \n+ accum0 \u003d accum1;\n+ accum2 \u003d accum3;\n+ \n+ /* t^2 terms */\n+ smlal(\u0026accum2, ax \u003d aa[0], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[8]);\n+ smlal(\u0026accum2, ax \u003d aa[1], bx);\n+ \n+ smlal(\u0026accum0, ax \u003d a[9], bx \u003d b[7]);\n+ smlal(\u0026accum2, ax \u003d a[10], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[6]);\n+ smlal(\u0026accum2, ax \u003d a[11], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[5]);\n+ smlal(\u0026accum2, ax \u003d a[12], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[4]);\n+ smlal(\u0026accum2, ax \u003d a[13], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[3]);\n+ smlal(\u0026accum2, ax \u003d a[14], bx);\n+ 
smlal(\u0026accum0, ax, bx \u003d b[2]);\n+ smlal(\u0026accum2, ax \u003d a[15], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[1]);\n+ \n+ /* t terms */\n+ accum1 +\u003d accum0;\n+ accum3 +\u003d accum2;\n+ smlal(\u0026accum3, ax \u003d a[8], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[0]);\n+ smlal(\u0026accum3, ax \u003d a[9], bx);\n+ \n+ smlal(\u0026accum1, ax \u003d a[1], bx \u003d bm[7]);\n+ smlal(\u0026accum3, ax \u003d a[2], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[6]);\n+ smlal(\u0026accum3, ax \u003d a[3], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[5]);\n+ smlal(\u0026accum3, ax \u003d a[4], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[4]);\n+ smlal(\u0026accum3, ax \u003d a[5], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[3]);\n+ smlal(\u0026accum3, ax \u003d a[6], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[2]);\n+ smlal(\u0026accum3, ax \u003d a[7], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[1]);\n+ \n+ /* 1 terms */\n+ smlal(\u0026accum2, ax \u003d a[0], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[0]);\n+ smlal(\u0026accum2, ax \u003d a[1], bx);\n+ \n+ accum2 +\u003d accum0 \u003e\u003e 28;\n+ accum3 +\u003d accum1 \u003e\u003e 28;\n+ \n+ c[0] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[1] \u003d ((uint32_t)(accum2)) \u0026 mask;\n+ c[8] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+ c[9] \u003d ((uint32_t)(accum3)) \u0026 mask;\n+ \n+ accumC0 \u003d accum2 \u003e\u003e 28;\n+ accumC1 \u003d accum3 \u003e\u003e 28;\n+ }\n+ {\n+ /* t^3 terms */\n+ smull(\u0026accum1, ax \u003d aa[3], bx \u003d b[15]);\n+ smull(\u0026accum3, ax \u003d aa[4], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[14]);\n+ smlal(\u0026accum3, ax \u003d aa[5], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[13]);\n+ smlal(\u0026accum3, ax \u003d aa[6], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[12]);\n+ smlal(\u0026accum3, ax \u003d aa[7], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[11]);\n+ \n+ accum0 \u003d accum1;\n+ accum2 \u003d accum3;\n+ \n+ /* t^2 terms */\n+ 
smlal(\u0026accum2, ax \u003d aa[0], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[10]);\n+ smlal(\u0026accum2, ax \u003d aa[1], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[9]);\n+ smlal(\u0026accum2, ax \u003d aa[2], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[8]);\n+ smlal(\u0026accum2, ax \u003d aa[3], bx);\n+ \n+ smlal(\u0026accum0, ax \u003d a[11], bx \u003d b[7]);\n+ smlal(\u0026accum2, ax \u003d a[12], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[6]);\n+ smlal(\u0026accum2, ax \u003d a[13], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[5]);\n+ smlal(\u0026accum2, ax \u003d a[14], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[4]);\n+ smlal(\u0026accum2, ax \u003d a[15], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[3]);\n+ \n+ /* t terms */\n+ accum1 +\u003d accum0;\n+ accum3 +\u003d accum2;\n+ smlal(\u0026accum3, ax \u003d a[8], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[2]);\n+ smlal(\u0026accum3, ax \u003d a[9], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[1]);\n+ smlal(\u0026accum3, ax \u003d a[10], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[0]);\n+ smlal(\u0026accum3, ax \u003d a[11], bx);\n+ \n+ smlal(\u0026accum1, ax \u003d a[3], bx \u003d bm[7]);\n+ smlal(\u0026accum3, ax \u003d a[4], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[6]);\n+ smlal(\u0026accum3, ax \u003d a[5], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[5]);\n+ smlal(\u0026accum3, ax \u003d a[6], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[4]);\n+ smlal(\u0026accum3, ax \u003d a[7], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[3]);\n+ \n+ /* 1 terms */\n+ smlal(\u0026accum2, ax \u003d a[0], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[2]);\n+ smlal(\u0026accum2, ax \u003d a[1], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[1]);\n+ smlal(\u0026accum2, ax \u003d a[2], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[0]);\n+ smlal(\u0026accum2, ax \u003d a[3], bx);\n+ \n+ accum0 +\u003d accumC0;\n+ accum1 +\u003d accumC1;\n+ accum2 +\u003d accum0 \u003e\u003e 28;\n+ accum3 +\u003d accum1 \u003e\u003e 
28;\n+ \n+ c[2] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[3] \u003d ((uint32_t)(accum2)) \u0026 mask;\n+ c[10] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+ c[11] \u003d ((uint32_t)(accum3)) \u0026 mask;\n+ \n+ accumC0 \u003d accum2 \u003e\u003e 28;\n+ accumC1 \u003d accum3 \u003e\u003e 28;\n+ }\n+ {\n+ \n+ /* t^3 terms */\n+ smull(\u0026accum1, ax \u003d aa[5], bx \u003d b[15]);\n+ smull(\u0026accum3, ax \u003d aa[6], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[14]);\n+ smlal(\u0026accum3, ax \u003d aa[7], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[13]);\n+ \n+ accum0 \u003d accum1;\n+ accum2 \u003d accum3;\n+ \n+ /* t^2 terms */\n+ \n+ smlal(\u0026accum2, ax \u003d aa[0], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[12]);\n+ smlal(\u0026accum2, ax \u003d aa[1], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[11]);\n+ smlal(\u0026accum2, ax \u003d aa[2], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[10]);\n+ smlal(\u0026accum2, ax \u003d aa[3], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[9]);\n+ smlal(\u0026accum2, ax \u003d aa[4], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[8]);\n+ smlal(\u0026accum2, ax \u003d aa[5], bx);\n+ \n+ \n+ smlal(\u0026accum0, ax \u003d a[13], bx \u003d b[7]);\n+ smlal(\u0026accum2, ax \u003d a[14], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[6]);\n+ smlal(\u0026accum2, ax \u003d a[15], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[5]);\n+ \n+ /* t terms */\n+ accum1 +\u003d accum0;\n+ accum3 +\u003d accum2;\n+ \n+ smlal(\u0026accum3, ax \u003d a[8], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[4]);\n+ smlal(\u0026accum3, ax \u003d a[9], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[3]);\n+ smlal(\u0026accum3, ax \u003d a[10], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[2]);\n+ smlal(\u0026accum3, ax \u003d a[11], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[1]);\n+ smlal(\u0026accum3, ax \u003d a[12], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[0]);\n+ smlal(\u0026accum3, ax \u003d a[13], bx);\n+ \n+ \n+ smlal(\u0026accum1, ax \u003d a[5], bx 
\u003d bm[7]);\n+ smlal(\u0026accum3, ax \u003d a[6], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[6]);\n+ smlal(\u0026accum3, ax \u003d a[7], bx);\n+ smlal(\u0026accum1, ax, bx \u003d bm[5]);\n+ \n+ /* 1 terms */\n+ \n+ smlal(\u0026accum2, ax \u003d a[0], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[4]);\n+ smlal(\u0026accum2, ax \u003d a[1], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[3]);\n+ smlal(\u0026accum2, ax \u003d a[2], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[2]);\n+ smlal(\u0026accum2, ax \u003d a[3], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[1]);\n+ smlal(\u0026accum2, ax \u003d a[4], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[0]);\n+ smlal(\u0026accum2, ax \u003d a[5], bx);\n+ \n+ accum0 +\u003d accumC0;\n+ accum1 +\u003d accumC1;\n+ accum2 +\u003d accum0 \u003e\u003e 28;\n+ accum3 +\u003d accum1 \u003e\u003e 28;\n+ \n+ c[4] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[5] \u003d ((uint32_t)(accum2)) \u0026 mask;\n+ c[12] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+ c[13] \u003d ((uint32_t)(accum3)) \u0026 mask;\n+ \n+ accumC0 \u003d accum2 \u003e\u003e 28;\n+ accumC1 \u003d accum3 \u003e\u003e 28;\n+ }\n+ {\n+ \n+ /* t^3 terms */\n+ smull(\u0026accum1, ax \u003d aa[7], bx \u003d b[15]);\n+ accum0 \u003d accum1;\n+ \n+ /* t^2 terms */\n+ \n+ smull(\u0026accum2, ax \u003d aa[0], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[14]);\n+ smlal(\u0026accum2, ax \u003d aa[1], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[13]);\n+ smlal(\u0026accum2, ax \u003d aa[2], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[12]);\n+ smlal(\u0026accum2, ax \u003d aa[3], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[11]);\n+ smlal(\u0026accum2, ax \u003d aa[4], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[10]);\n+ smlal(\u0026accum2, ax \u003d aa[5], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[9]);\n+ smlal(\u0026accum2, ax \u003d aa[6], bx);\n+ smlal(\u0026accum0, ax, bx \u003d b[8]);\n+ smlal(\u0026accum2, ax \u003d aa[7], bx);\n+ \n+ \n+ smlal(\u0026accum0, ax \u003d 
a[15], bx \u003d b[7]);\n+ \n+ /* t terms */\n+ accum1 +\u003d accum0;\n+ accum3 \u003d accum2;\n+ \n+ smlal(\u0026accum3, ax \u003d a[8], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[6]);\n+ smlal(\u0026accum3, ax \u003d a[9], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[5]);\n+ smlal(\u0026accum3, ax \u003d a[10], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[4]);\n+ smlal(\u0026accum3, ax \u003d a[11], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[3]);\n+ smlal(\u0026accum3, ax \u003d a[12], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[2]);\n+ smlal(\u0026accum3, ax \u003d a[13], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[1]);\n+ smlal(\u0026accum3, ax \u003d a[14], bx);\n+ smlal(\u0026accum1, ax, bx \u003d b[0]);\n+ smlal(\u0026accum3, ax \u003d a[15], bx);\n+ \n+ \n+ smlal(\u0026accum1, ax \u003d a[7], bx \u003d bm[7]);\n+ \n+ /* 1 terms */\n+ \n+ smlal(\u0026accum2, ax \u003d a[0], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[6]);\n+ smlal(\u0026accum2, ax \u003d a[1], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[5]);\n+ smlal(\u0026accum2, ax \u003d a[2], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[4]);\n+ smlal(\u0026accum2, ax \u003d a[3], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[3]);\n+ smlal(\u0026accum2, ax \u003d a[4], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[2]);\n+ smlal(\u0026accum2, ax \u003d a[5], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[1]);\n+ smlal(\u0026accum2, ax \u003d a[6], bx);\n+ smlal(\u0026accum0, ax, bx \u003d bm[0]);\n+ smlal(\u0026accum2, ax \u003d a[7], bx);\n+ \n+ accum0 +\u003d accumC0;\n+ accum1 +\u003d accumC1;\n+ accum2 +\u003d accum0 \u003e\u003e 28;\n+ accum3 +\u003d accum1 \u003e\u003e 28;\n+ \n+ c[6] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[7] \u003d ((uint32_t)(accum2)) \u0026 mask;\n+ c[14] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+ c[15] \u003d ((uint32_t)(accum3)) \u0026 mask;\n+ \n+ accum0 \u003d accum2 \u003e\u003e 28;\n+ accum1 \u003d accum3 \u003e\u003e 28;\n+ }\n+\n+ accum0 +\u003d accum1;\n+ accum0 
+\u003d c[8];\n+ accum1 +\u003d c[0];\n+ c[8] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[0] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+ \n+ accum0 \u003e\u003e\u003d 28;\n+ accum1 \u003e\u003e\u003d 28;\n+ c[9] +\u003d ((uint32_t)(accum0));\n+ c[1] +\u003d ((uint32_t)(accum1));\n+}\n+\n+void gf_sqr (gf_s *__restrict__ cs, const gf as) {\n+ const uint32_t *a \u003d as-\u003elimb;\n+ uint32_t *c \u003d cs-\u003elimb;\n+\n+ uint64_t accum0 \u003d 0, accum1 \u003d 0, accum2, accum3, accumC0, accumC1, tmp;\n+ uint32_t mask \u003d (1\u003c\u003c28) - 1; \n+\n+ uint32_t bm[8];\n+ \n+ int i;\n+ for (i\u003d0; i\u003c8; i++) {\n+ bm[i] \u003d a[i] - a[i+8];\n+ }\n+\n+ uint32_t ax,bx;\n+ {\n+ /* t^3 terms */\n+ smull2(\u0026accum1, ax \u003d a[9], bx \u003d a[15]);\n+ smull2(\u0026accum3, ax \u003d a[10], bx);\n+ smlal2(\u0026accum1, ax, bx \u003d a[14]);\n+ smlal2(\u0026accum3, ax \u003d a[11], bx);\n+ smlal2(\u0026accum1, ax, bx \u003d a[13]);\n+ smlal2(\u0026accum3, ax \u003d a[12], bx);\n+ smlal(\u0026accum1, ax, ax);\n+ \n+ accum0 \u003d accum1;\n+ accum2 \u003d accum3;\n+ \n+ /* t^2 terms */\n+ smlal2(\u0026accum2, ax \u003d a[8], a[9]);\n+ smlal(\u0026accum0, ax, ax);\n+ \n+ smlal2(\u0026accum0, ax \u003d a[1], bx \u003d a[7]);\n+ smlal2(\u0026accum2, ax \u003d a[2], bx);\n+ smlal2(\u0026accum0, ax, bx \u003d a[6]);\n+ smlal2(\u0026accum2, ax \u003d a[3], bx);\n+ smlal2(\u0026accum0, ax, bx \u003d a[5]);\n+ smlal2(\u0026accum2, ax \u003d a[4], bx);\n+ smlal(\u0026accum0, ax, ax);\n+ \n+ /* t terms */\n+ accum1 +\u003d accum0;\n+ accum3 +\u003d accum2;\n+ smlal2(\u0026accum3, ax \u003d a[0], bx \u003d a[1]);\n+ smlal(\u0026accum1, ax, ax);\n+ \n+ accum1 \u003d -accum1;\n+ accum3 \u003d -accum3;\n+ accum2 \u003d -accum2;\n+ accum0 \u003d -accum0;\n+ \n+ smlal2(\u0026accum1, ax \u003d bm[1], bx \u003d bm[7]);\n+ smlal2(\u0026accum3, ax \u003d bm[2], bx);\n+ smlal2(\u0026accum1, ax, bx \u003d bm[6]);\n+ smlal2(\u0026accum3, ax \u003d bm[3], bx);\n+ smlal2(\u0026accum1, 
ax, bx \u003d bm[5]);\n+ smlal2(\u0026accum3, ax \u003d bm[4], bx);\n+ smlal(\u0026accum1, ax, ax);\n+ \n+ /* 1 terms */\n+ smlal2(\u0026accum2, ax \u003d bm[0], bx \u003d bm[1]);\n+ smlal(\u0026accum0, ax, ax);\n+ \n+ tmp \u003d -accum3; accum3 \u003d tmp-accum2; accum2 \u003d tmp;\n+ tmp \u003d -accum1; accum1 \u003d tmp-accum0; accum0 \u003d tmp;\n+ \n+ accum2 +\u003d accum0 \u003e\u003e 28;\n+ accum3 +\u003d accum1 \u003e\u003e 28;\n+ \n+ c[0] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[1] \u003d ((uint32_t)(accum2)) \u0026 mask;\n+ c[8] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+ c[9] \u003d ((uint32_t)(accum3)) \u0026 mask;\n+ \n+ accumC0 \u003d accum2 \u003e\u003e 28;\n+ accumC1 \u003d accum3 \u003e\u003e 28;\n+ }\n+ {\n+ /* t^3 terms */\n+ smull2(\u0026accum1, ax \u003d a[11], bx \u003d a[15]);\n+ smull2(\u0026accum3, ax \u003d a[12], bx);\n+ smlal2(\u0026accum1, ax, bx \u003d a[14]);\n+ smlal2(\u0026accum3, ax \u003d a[13], bx);\n+ smlal(\u0026accum1, ax, ax);\n+ \n+ accum0 \u003d accum1;\n+ accum2 \u003d accum3;\n+ \n+ /* t^2 terms */\n+ smlal2(\u0026accum2, ax \u003d a[8], bx \u003d a[11]);\n+ smlal2(\u0026accum0, ax, bx \u003d a[10]);\n+ smlal2(\u0026accum2, ax \u003d a[9], bx);\n+ smlal(\u0026accum0, ax, ax);\n+ \n+ smlal2(\u0026accum0, ax \u003d a[3], bx \u003d a[7]);\n+ smlal2(\u0026accum2, ax \u003d a[4], bx);\n+ smlal2(\u0026accum0, ax, bx \u003d a[6]);\n+ smlal2(\u0026accum2, ax \u003d a[5], bx);\n+ smlal(\u0026accum0, ax, ax);\n+ \n+ /* t terms */\n+ accum1 +\u003d accum0;\n+ accum3 +\u003d accum2;\n+ smlal2(\u0026accum3, ax \u003d a[0], bx \u003d a[3]);\n+ smlal2(\u0026accum1, ax, bx \u003d a[2]);\n+ smlal2(\u0026accum3, ax \u003d a[1], bx);\n+ smlal(\u0026accum1, ax, ax);\n+ \n+ accum1 \u003d -accum1;\n+ accum3 \u003d -accum3;\n+ accum2 \u003d -accum2;\n+ accum0 \u003d -accum0;\n+ \n+ smlal2(\u0026accum1, ax \u003d bm[3], bx \u003d bm[7]);\n+ smlal2(\u0026accum3, ax \u003d bm[4], bx);\n+ smlal2(\u0026accum1, ax, bx \u003d bm[6]);\n+ 
smlal2(\u0026accum3, ax \u003d bm[5], bx);\n+ smlal(\u0026accum1, ax, ax);\n+ \n+ /* 1 terms */\n+ smlal2(\u0026accum2, ax \u003d bm[0], bx \u003d bm[3]);\n+ smlal2(\u0026accum0, ax, bx \u003d bm[2]);\n+ smlal2(\u0026accum2, ax \u003d bm[1], bx);\n+ smlal(\u0026accum0, ax, ax);\n+ \n+ \n+ tmp \u003d -accum3; accum3 \u003d tmp-accum2; accum2 \u003d tmp;\n+ tmp \u003d -accum1; accum1 \u003d tmp-accum0; accum0 \u003d tmp;\n+ \n+ accum0 +\u003d accumC0;\n+ accum1 +\u003d accumC1;\n+ accum2 +\u003d accum0 \u003e\u003e 28;\n+ accum3 +\u003d accum1 \u003e\u003e 28;\n+ \n+ c[2] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[3] \u003d ((uint32_t)(accum2)) \u0026 mask;\n+ c[10] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+ c[11] \u003d ((uint32_t)(accum3)) \u0026 mask;\n+ \n+ accumC0 \u003d accum2 \u003e\u003e 28;\n+ accumC1 \u003d accum3 \u003e\u003e 28;\n+ }\n+ {\n+ \n+ /* t^3 terms */\n+ smull2(\u0026accum1, ax \u003d a[13], bx \u003d a[15]);\n+ smull2(\u0026accum3, ax \u003d a[14], bx);\n+ smlal(\u0026accum1, ax, ax);\n+ \n+ accum0 \u003d accum1;\n+ accum2 \u003d accum3;\n+ \n+ /* t^2 terms */\n+ \n+ smlal2(\u0026accum2, ax \u003d a[8], bx \u003d a[13]);\n+ smlal2(\u0026accum0, ax, bx \u003d a[12]);\n+ smlal2(\u0026accum2, ax \u003d a[9], bx);\n+ smlal2(\u0026accum0, ax, bx \u003d a[11]);\n+ smlal2(\u0026accum2, ax \u003d a[10], bx);\n+ smlal(\u0026accum0, ax, ax);\n+ \n+ \n+ smlal2(\u0026accum0, ax \u003d a[5], bx \u003d a[7]);\n+ smlal2(\u0026accum2, ax \u003d a[6], bx);\n+ smlal(\u0026accum0, ax, ax);\n+ \n+ /* t terms */\n+ accum1 +\u003d accum0;\n+ accum3 +\u003d accum2;\n+ \n+ smlal2(\u0026accum3, ax \u003d a[0], bx \u003d a[5]);\n+ smlal2(\u0026accum1, ax, bx \u003d a[4]);\n+ smlal2(\u0026accum3, ax \u003d a[1], bx);\n+ smlal2(\u0026accum1, ax, bx \u003d a[3]);\n+ smlal2(\u0026accum3, ax \u003d a[2], bx);\n+ smlal(\u0026accum1, ax, ax);\n+ \n+ accum1 \u003d -accum1;\n+ accum3 \u003d -accum3;\n+ accum2 \u003d -accum2;\n+ accum0 \u003d -accum0;\n+ \n+ 
smlal2(\u0026accum1, ax \u003d bm[5], bx \u003d bm[7]);\n+ smlal2(\u0026accum3, ax \u003d bm[6], bx);\n+ smlal(\u0026accum1, ax, ax);\n+ \n+ /* 1 terms */\n+ \n+ smlal2(\u0026accum2, ax \u003d bm[0], bx \u003d bm[5]);\n+ smlal2(\u0026accum0, ax, bx \u003d bm[4]);\n+ smlal2(\u0026accum2, ax \u003d bm[1], bx);\n+ smlal2(\u0026accum0, ax, bx \u003d bm[3]);\n+ smlal2(\u0026accum2, ax \u003d bm[2], bx);\n+ smlal(\u0026accum0, ax, ax);\n+ \n+ \n+ tmp \u003d -accum3; accum3 \u003d tmp-accum2; accum2 \u003d tmp;\n+ tmp \u003d -accum1; accum1 \u003d tmp-accum0; accum0 \u003d tmp;\n+ \n+ accum0 +\u003d accumC0;\n+ accum1 +\u003d accumC1;\n+ accum2 +\u003d accum0 \u003e\u003e 28;\n+ accum3 +\u003d accum1 \u003e\u003e 28;\n+ \n+ c[4] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[5] \u003d ((uint32_t)(accum2)) \u0026 mask;\n+ c[12] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+ c[13] \u003d ((uint32_t)(accum3)) \u0026 mask;\n+ \n+ accumC0 \u003d accum2 \u003e\u003e 28;\n+ accumC1 \u003d accum3 \u003e\u003e 28;\n+ }\n+ {\n+ \n+ /* t^3 terms */\n+ smull(\u0026accum1, ax \u003d a[15], bx \u003d a[15]);\n+ accum0 \u003d accum1;\n+ \n+ /* t^2 terms */\n+ \n+ smull2(\u0026accum2, ax \u003d a[8], bx);\n+ smlal2(\u0026accum0, ax, bx \u003d a[14]);\n+ smlal2(\u0026accum2, ax \u003d a[9], bx);\n+ smlal2(\u0026accum0, ax, bx \u003d a[13]);\n+ smlal2(\u0026accum2, ax \u003d a[10], bx);\n+ smlal2(\u0026accum0, ax, bx \u003d a[12]);\n+ smlal2(\u0026accum2, ax \u003d a[11], bx);\n+ smlal(\u0026accum0, ax, ax);\n+ \n+ \n+ smlal(\u0026accum0, ax \u003d a[7], bx \u003d a[7]);\n+ \n+ /* t terms */\n+ accum1 +\u003d accum0;\n+ accum3 \u003d accum2;\n+ \n+ smlal2(\u0026accum3, ax \u003d a[0], bx);\n+ smlal2(\u0026accum1, ax, bx \u003d a[6]);\n+ smlal2(\u0026accum3, ax \u003d a[1], bx);\n+ smlal2(\u0026accum1, ax, bx \u003d a[5]);\n+ smlal2(\u0026accum3, ax \u003d a[2], bx);\n+ smlal2(\u0026accum1, ax, bx \u003d a[4]);\n+ smlal2(\u0026accum3, ax \u003d a[3], bx);\n+ smlal(\u0026accum1, ax, ax);\n+ \n+ 
accum1 \u003d -accum1;\n+ accum3 \u003d -accum3;\n+ accum2 \u003d -accum2;\n+ accum0 \u003d -accum0;\n+ \n+ bx \u003d bm[7];\n+ smlal(\u0026accum1, bx, bx);\n+ \n+ /* 1 terms */\n+ \n+ smlal2(\u0026accum2, ax \u003d bm[0], bx);\n+ smlal2(\u0026accum0, ax, bx \u003d bm[6]);\n+ smlal2(\u0026accum2, ax \u003d bm[1], bx);\n+ smlal2(\u0026accum0, ax, bx \u003d bm[5]);\n+ smlal2(\u0026accum2, ax \u003d bm[2], bx);\n+ smlal2(\u0026accum0, ax, bx \u003d bm[4]);\n+ smlal2(\u0026accum2, ax \u003d bm[3], bx);\n+ smlal(\u0026accum0, ax, ax);\n+ \n+ tmp \u003d -accum3; accum3 \u003d tmp-accum2; accum2 \u003d tmp;\n+ tmp \u003d -accum1; accum1 \u003d tmp-accum0; accum0 \u003d tmp;\n+ \n+ \n+ accum0 +\u003d accumC0;\n+ accum1 +\u003d accumC1;\n+ accum2 +\u003d accum0 \u003e\u003e 28;\n+ accum3 +\u003d accum1 \u003e\u003e 28;\n+ \n+ c[6] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[7] \u003d ((uint32_t)(accum2)) \u0026 mask;\n+ c[14] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+ c[15] \u003d ((uint32_t)(accum3)) \u0026 mask;\n+ \n+ accum0 \u003d accum2 \u003e\u003e 28;\n+ accum1 \u003d accum3 \u003e\u003e 28;\n+ }\n+\n+ accum0 +\u003d accum1;\n+ accum0 +\u003d c[8];\n+ accum1 +\u003d c[0];\n+ c[8] \u003d ((uint32_t)(accum0)) \u0026 mask;\n+ c[0] \u003d ((uint32_t)(accum1)) \u0026 mask;\n+ \n+ accum0 \u003e\u003e\u003d 28;\n+ accum1 \u003e\u003e\u003d 28;\n+ c[9] +\u003d ((uint32_t)(accum0));\n+ c[1] +\u003d ((uint32_t)(accum1));\n+}\n+\n+void gf_mulw_unsigned (\n+ gf_s *__restrict__ cs,\n+ const gf as,\n+ uint32_t b\n+) {\n+ uint32_t mask \u003d (1ull\u003c\u003c28)-1; \n+ assert(b \u003c\u003d mask);\n+ \n+ const uint32_t *a \u003d as-\u003elimb;\n+ uint32_t *c \u003d cs-\u003elimb;\n+\n+ uint64_t accum0, accum8;\n+\n+ int i;\n+\n+ uint32_t c0, c8, n0, n8;\n+ c0 \u003d a[0]; c8 \u003d a[8];\n+ accum0 \u003d widemul(b, c0);\n+ accum8 \u003d widemul(b, c8);\n+\n+ c[0] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n+ c[8] \u003d accum8 \u0026 mask; accum8 
\u003e\u003e\u003d 28;\n+ \n+ i\u003d1;\n+ {\n+ n0 \u003d a[i]; n8 \u003d a[i+8];\n+ smlal(\u0026accum0, b, n0);\n+ smlal(\u0026accum8, b, n8);\n+ \n+ c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n+ c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n+ i++;\n+ }\n+ {\n+ c0 \u003d a[i]; c8 \u003d a[i+8];\n+ smlal(\u0026accum0, b, c0);\n+ smlal(\u0026accum8, b, c8);\n+\n+ c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n+ c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n+ i++;\n+ }\n+ {\n+ n0 \u003d a[i]; n8 \u003d a[i+8];\n+ smlal(\u0026accum0, b, n0);\n+ smlal(\u0026accum8, b, n8);\n+\n+ c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n+ c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n+ i++;\n+ }\n+ {\n+ c0 \u003d a[i]; c8 \u003d a[i+8];\n+ smlal(\u0026accum0, b, c0);\n+ smlal(\u0026accum8, b, c8);\n+\n+ c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n+ c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n+ i++;\n+ }\n+ {\n+ n0 \u003d a[i]; n8 \u003d a[i+8];\n+ smlal(\u0026accum0, b, n0);\n+ smlal(\u0026accum8, b, n8);\n+\n+ c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n+ c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n+ i++;\n+ }\n+ {\n+ c0 \u003d a[i]; c8 \u003d a[i+8];\n+ smlal(\u0026accum0, b, c0);\n+ smlal(\u0026accum8, b, c8);\n+ \n+ c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n+ c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n+ i++;\n+ }\n+ {\n+ n0 \u003d a[i]; n8 \u003d a[i+8];\n+ smlal(\u0026accum0, b, n0);\n+ smlal(\u0026accum8, b, n8);\n+\n+ c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n+ c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n+ i++;\n+ }\n+\n+ accum0 +\u003d accum8 + c[8];\n+ c[8] \u003d accum0 \u0026 mask;\n+ c[9] +\u003d accum0 \u003e\u003e 28;\n+\n+ accum8 +\u003d c[0];\n+ c[0] \u003d accum8 \u0026 mask;\n+ c[1] +\u003d 
accum8 \u003e\u003e 28;\n+}\ndiff --git a/crypto/ec/curve448/arch_arm_32/f_impl.h b/crypto/ec/curve448/arch_arm_32/f_impl.h\nnew file mode 100644\nindex 0000000..09d77aa\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_arm_32/f_impl.h\n@@ -0,0 +1,53 @@\n+/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ */\n+\n+#define GF_HEADROOM 2\n+#define LIMB(x) (x##ull)\u0026((1ull\u003c\u003c28)-1), (x##ull)\u003e\u003e28\n+#define FIELD_LITERAL(a,b,c,d,e,f,g,h) \u005c\n+ {{LIMB(a),LIMB(b),LIMB(c),LIMB(d),LIMB(e),LIMB(f),LIMB(g),LIMB(h)}}\n+ \n+#define LIMB_PLACE_VALUE(i) 28\n+\n+void gf_add_RAW (gf out, const gf a, const gf b) {\n+ for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint32xn_t); i++) {\n+ ((uint32xn_t*)out)[i] \u003d ((const uint32xn_t*)a)[i] + ((const uint32xn_t*)b)[i];\n+ }\n+ /*\n+ for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n+ out-\u003elimb[i] \u003d a-\u003elimb[i] + b-\u003elimb[i];\n+ }\n+ */\n+}\n+\n+void gf_sub_RAW (gf out, const gf a, const gf b) {\n+ for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint32xn_t); i++) {\n+ ((uint32xn_t*)out)[i] \u003d ((const uint32xn_t*)a)[i] - ((const uint32xn_t*)b)[i];\n+ }\n+ /*\n+ for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n+ out-\u003elimb[i] \u003d a-\u003elimb[i] - b-\u003elimb[i];\n+ }\n+ */\n+}\n+\n+void gf_bias (gf a, int amt) {\n+ uint32_t co1 \u003d ((1ull\u003c\u003c28)-1)*amt, co2 \u003d co1-amt;\n+ uint32x4_t lo \u003d {co1,co1,co1,co1}, hi \u003d {co2,co1,co1,co1};\n+ uint32x4_t *aa \u003d (uint32x4_t*) a;\n+ aa[0] +\u003d lo;\n+ aa[1] +\u003d lo;\n+ aa[2] +\u003d hi;\n+ aa[3] +\u003d lo;\n+}\n+\n+void gf_weak_reduce (gf a) {\n+ uint64_t mask \u003d (1ull\u003c\u003c28) - 1;\n+ uint64_t tmp \u003d a-\u003elimb[15] \u003e\u003e 28;\n+ a-\u003elimb[8] +\u003d tmp;\n+ for (unsigned int i\u003d15; i\u003e0; i--) {\n+ a-\u003elimb[i] 
\u003d (a-\u003elimb[i] \u0026 mask) + (a-\u003elimb[i-1]\u003e\u003e28);\n+ }\n+ a-\u003elimb[0] \u003d (a-\u003elimb[0] \u0026 mask) + tmp;\n+}\n+\ndiff --git a/crypto/ec/curve448/arch_neon/arch_intrinsics.h b/crypto/ec/curve448/arch_neon/arch_intrinsics.h\nnew file mode 100644\nindex 0000000..1a1e14b\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_neon/arch_intrinsics.h\n@@ -0,0 +1,24 @@\n+/* Copyright (c) 2016 Cryptography Research, Inc.\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ */\n+\n+#ifndef __ARCH_NEON_ARCH_INTRINSICS_H__\n+#define __ARCH_NEON_ARCH_INTRINSICS_H__\n+\n+#define ARCH_WORD_BITS 32\n+\n+static __inline__ __attribute((always_inline,unused))\n+uint32_t word_is_zero(uint32_t a) {\n+ uint32_t ret;\n+ __asm__(\u0022subs %0, %1, #1;\u005cn\u005ctsbc %0, %0, %0\u0022 : \u0022\u003dr\u0022(ret) : \u0022r\u0022(a) : \u0022cc\u0022);\n+ return ret;\n+}\n+\n+static __inline__ __attribute((always_inline,unused))\n+uint64_t widemul(uint32_t a, uint32_t b) {\n+ /* Could be UMULL, but it's hard to express to CC that the registers must be different */\n+ return ((uint64_t)a) * b; \n+}\n+\n+#endif /* __ARCH_NEON_ARCH_INTRINSICS_H__ */\n+\ndiff --git a/crypto/ec/curve448/arch_neon/f_impl.c b/crypto/ec/curve448/arch_neon/f_impl.c\nnew file mode 100644\nindex 0000000..5e998f9\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_neon/f_impl.c\n@@ -0,0 +1,592 @@\n+/* Copyright (c) 2014 Cryptography Research, Inc.\n+ * Released under the MIT License. 
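Review bot: In arch_arm_32/f_impl.h, gf_bias computes `co1 = ((1ull<<28)-1)*amt` into a `uint32_t` from an `int amt`, so the bias is silently truncated once `amt` exceeds 16 and wraps for a negative `amt`; nothing in the hunk states or checks that range. I would document the contract above the function, e.g. `/* amt must satisfy 0 <= amt <= 16 so that amt*(2^28-1) fits in 32 bits */`. The same function hard-codes four `uint32x4_t` additions through a cast of `a`, which presumably relies on `gf` being sixteen 32-bit limbs with 16-byte alignment; the type is declared outside this hunk, so a one-line comment stating that assumption would help. The commented-out scalar loops in gf_add_RAW and gf_sub_RAW would read better as a sentence describing the scalar equivalent, or removed.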
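Review bot: In arch_neon/arch_intrinsics.h, word_is_zero has no comment stating its return convention, so a reader has to derive it from the two-instruction asm: `subs` followed by `sbc %0, %0, %0` yields an all-ones word when `a` is zero and 0 otherwise, with no branch. I would add `/* Returns 0xffffffff if a == 0, else 0; branch-free mask, presumably for use on secret data */` above it. The guard macro `__ARCH_NEON_ARCH_INTRINSICS_H__` uses a double-underscore name, which is reserved for the implementation; a name such as `ARCH_NEON_ARCH_INTRINSICS_H` avoids that. The header also uses `uint32_t` and `uint64_t` without including `<stdint.h>` in this hunk, so it depends on the includer having done so.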
See LICENSE.txt for license information.\n+ */\n+\n+#include \u0022f_field.h\u0022\n+\n+static __inline__ uint64x2_t __attribute__((gnu_inline,always_inline,unused))\n+xx_vaddup_u64(uint64x2_t x) {\n+ __asm__ (\u0022vadd.s64 %f0, %e0\u0022 : \u0022+w\u0022(x));\n+ return x;\n+}\n+\n+static __inline__ int64x2_t __attribute__((gnu_inline,always_inline,unused))\n+vrev128_s64(int64x2_t x) {\n+ __asm__ (\u0022vswp.s64 %e0, %f0\u0022 : \u0022+w\u0022(x));\n+ return x;\n+}\n+\n+static __inline__ uint64x2_t __attribute__((gnu_inline,always_inline))\n+vrev128_u64(uint64x2_t x) {\n+ __asm__ (\u0022vswp.s64 %e0, %f0\u0022 : \u0022+w\u0022(x));\n+ return x;\n+}\n+\n+static inline void __attribute__((gnu_inline,always_inline,unused))\n+smlal (\n+ uint64_t *acc,\n+ const uint32_t a,\n+ const uint32_t b\n+) {\n+ *acc +\u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b;\n+}\n+\n+static inline void __attribute__((gnu_inline,always_inline,unused))\n+smlal2 (\n+ uint64_t *acc,\n+ const uint32_t a,\n+ const uint32_t b\n+) {\n+ *acc +\u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b * 2;\n+}\n+\n+static inline void __attribute__((gnu_inline,always_inline,unused))\n+smull (\n+ uint64_t *acc,\n+ const uint32_t a,\n+ const uint32_t b\n+) {\n+ *acc \u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b;\n+}\n+\n+static inline void __attribute__((gnu_inline,always_inline,unused))\n+smull2 (\n+ uint64_t *acc,\n+ const uint32_t a,\n+ const uint32_t b\n+) {\n+ *acc \u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b * 2;\n+}\n+\n+void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) {\n+ #define _bl0 \u0022q0\u0022\n+ #define _bl0_0 \u0022d0\u0022\n+ #define _bl0_1 \u0022d1\u0022\n+ #define _bh0 \u0022q1\u0022\n+ #define _bh0_0 \u0022d2\u0022\n+ #define _bh0_1 \u0022d3\u0022\n+ #define _bs0 \u0022q2\u0022\n+ #define _bs0_0 \u0022d4\u0022\n+ #define _bs0_1 \u0022d5\u0022\n+ #define _bl2 \u0022q3\u0022\n+ #define _bl2_0 \u0022d6\u0022\n+ #define _bl2_1 \u0022d7\u0022\n+ #define _bh2 
\u0022q4\u0022\n+ #define _bh2_0 \u0022d8\u0022\n+ #define _bh2_1 \u0022d9\u0022\n+ #define _bs2 \u0022q5\u0022\n+ #define _bs2_0 \u0022d10\u0022\n+ #define _bs2_1 \u0022d11\u0022\n+\n+ #define _as0 \u0022q6\u0022\n+ #define _as0_0 \u0022d12\u0022\n+ #define _as0_1 \u0022d13\u0022\n+ #define _as2 \u0022q7\u0022\n+ #define _as2_0 \u0022d14\u0022\n+ #define _as2_1 \u0022d15\u0022\n+ #define _al0 \u0022q8\u0022\n+ #define _al0_0 \u0022d16\u0022\n+ #define _al0_1 \u0022d17\u0022\n+ #define _ah0 \u0022q9\u0022\n+ #define _ah0_0 \u0022d18\u0022\n+ #define _ah0_1 \u0022d19\u0022\n+ #define _al2 \u0022q10\u0022\n+ #define _al2_0 \u0022d20\u0022\n+ #define _al2_1 \u0022d21\u0022\n+ #define _ah2 \u0022q11\u0022\n+ #define _ah2_0 \u0022d22\u0022\n+ #define _ah2_1 \u0022d23\u0022\n+\n+ #define _a0a \u0022q12\u0022\n+ #define _a0a_0 \u0022d24\u0022\n+ #define _a0a_1 \u0022d25\u0022\n+ #define _a0b \u0022q13\u0022\n+ #define _a0b_0 \u0022d26\u0022\n+ #define _a0b_1 \u0022d27\u0022\n+ #define _a1a \u0022q14\u0022\n+ #define _a1a_0 \u0022d28\u0022\n+ #define _a1a_1 \u0022d29\u0022\n+ #define _a1b \u0022q15\u0022\n+ #define _a1b_0 \u0022d30\u0022\n+ #define _a1b_1 \u0022d31\u0022\n+ #define VMAC(op,result,a,b,n) #op\u0022 \u0022result\u0022, \u0022a\u0022, \u0022b\u0022[\u0022 #n \u0022]\u005cn\u005ct\u0022\n+ #define VOP3(op,result,a,b) #op\u0022 \u0022result\u0022, \u0022a\u0022, \u0022b\u0022\u005cn\u005ct\u0022\n+ #define VOP2(op,result,a) #op\u0022 \u0022result\u0022, \u0022a\u0022\u005cn\u005ct\u0022\n+\n+ int32x2_t *vc \u003d (int32x2_t*) cs-\u003elimb;\n+\n+ __asm__ __volatile__(\n+ \n+ \u0022vld2.32 {\u0022_al0_0\u0022,\u0022_al0_1\u0022,\u0022_ah0_0\u0022,\u0022_ah0_1\u0022}, [%[a],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n+ VOP3(vadd.i32,_as0,_al0,_ah0)\n+ \n+ \u0022vld2.32 {\u0022_bl0_0\u0022,\u0022_bl0_1\u0022,\u0022_bh0_0\u0022,\u0022_bh0_1\u0022}, [%[b],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n+ VOP3(vadd.i32,_bs0_1,_bl0_1,_bh0_1)\n+ 
VOP3(vsub.i32,_bs0_0,_bl0_0,_bh0_0)\n+ \n+ \u0022vld2.32 {\u0022_bl2_0\u0022,\u0022_bl2_1\u0022,\u0022_bh2_0\u0022,\u0022_bh2_1\u0022}, [%[b],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n+ VOP3(vadd.i32,_bs2,_bl2,_bh2)\n+ \n+ \u0022vld2.32 {\u0022_al2_0\u0022,\u0022_al2_1\u0022,\u0022_ah2_0\u0022,\u0022_ah2_1\u0022}, [%[a],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n+ VOP3(vadd.i32,_as2,_al2,_ah2)\n+ \n+ VMAC(vmull.s32,_a0b,_as0_1,_bs2_1,0)\n+ VMAC(vmlal.s32,_a0b,_as2_0,_bs2_0,0)\n+ VMAC(vmlal.s32,_a0b,_as2_1,_bs0_1,0)\n+ VMAC(vmlal.s32,_a0b,_as0_0,_bh0_0,0)\n+ \n+ VMAC(vmull.s32,_a1b,_as0_1,_bs2_1,1)\n+ VMAC(vmlal.s32,_a1b,_as2_0,_bs2_0,1)\n+ VMAC(vmlal.s32,_a1b,_as2_1,_bs0_1,1)\n+ VMAC(vmlal.s32,_a1b,_as0_0,_bh0_0,1)\n+ \n+ VOP2(vmov,_a0a,_a0b)\n+ VMAC(vmlal.s32,_a0a,_ah0_1,_bh2_1,0)\n+ VMAC(vmlal.s32,_a0a,_ah2_0,_bh2_0,0)\n+ VMAC(vmlal.s32,_a0a,_ah2_1,_bh0_1,0)\n+ VMAC(vmlal.s32,_a0a,_ah0_0,_bl0_0,0)\n+ \n+ VMAC(vmlsl.s32,_a0b,_al0_1,_bl2_1,0)\n+ VMAC(vmlsl.s32,_a0b,_al2_0,_bl2_0,0)\n+ VMAC(vmlsl.s32,_a0b,_al2_1,_bl0_1,0)\n+ VMAC(vmlal.s32,_a0b,_al0_0,_bs0_0,0)\n+ \n+ VOP2(vmov,_a1a,_a1b)\n+ VMAC(vmlal.s32,_a1a,_ah0_1,_bh2_1,1)\n+ VMAC(vmlal.s32,_a1a,_ah2_0,_bh2_0,1)\n+ VMAC(vmlal.s32,_a1a,_ah2_1,_bh0_1,1)\n+ VMAC(vmlal.s32,_a1a,_ah0_0,_bl0_0,1)\n+ \n+ VOP2(vswp,_a0b_1,_a0a_0)\n+ \n+ VMAC(vmlsl.s32,_a1b,_al0_1,_bl2_1,1)\n+ VMAC(vmlsl.s32,_a1b,_al2_0,_bl2_0,1)\n+ VMAC(vmlsl.s32,_a1b,_al2_1,_bl0_1,1)\n+ VMAC(vmlal.s32,_a1b,_al0_0,_bs0_0,1)\n+ \n+ VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n+ VOP3(vsub.i32,_bs0_1,_bl0_1,_bh0_1)\n+ VOP2(vmovn.i64,_a0b_0,_a0b)\n+ \n+ VOP2(vswp,_a1b_1,_a1a_0)\n+ VOP3(vadd.i64,_a1b,_a0a,_a1b)\n+ \n+ \n+ VMAC(vmull.s32,_a0a,_as2_0,_bs2_1,0)\n+ VOP2(vmovn.i64,_a0b_1,_a1b)\n+ VMAC(vmlal.s32,_a0a,_as2_1,_bs2_0,0)\n+ VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n+ VMAC(vmlal.s32,_a0a,_as0_0,_bh0_1,0)\n+ VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n+ VMAC(vmlal.s32,_a0a,_as0_1,_bh0_0,0)\n+ \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, 
\u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n+ \n+ VMAC(vmull.s32,_a1b,_as2_0,_bs2_1,1)\n+ VMAC(vmlal.s32,_a1b,_as2_1,_bs2_0,1)\n+ VMAC(vmlal.s32,_a1b,_as0_0,_bh0_1,1)\n+ VMAC(vmlal.s32,_a1b,_as0_1,_bh0_0,1)\n+\n+ VOP2(vmov,_a0b_1,_a0a_1)\n+ VOP3(vadd.i64,_a0b_0,_a0a_0,_a1a_0)\n+ VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n+ VMAC(vmlal.s32,_a0a,_ah2_0,_bh2_1,0)\n+ VMAC(vmlal.s32,_a0a,_ah2_1,_bh2_0,0)\n+ VMAC(vmlal.s32,_a0a,_ah0_0,_bl0_1,0)\n+ VMAC(vmlal.s32,_a0a,_ah0_1,_bl0_0,0)\n+\n+ VMAC(vmlsl.s32,_a0b,_al2_0,_bl2_1,0)\n+ VMAC(vmlsl.s32,_a0b,_al2_1,_bl2_0,0)\n+ VMAC(vmlal.s32,_a0b,_al0_0,_bs0_1,0)\n+ VMAC(vmlal.s32,_a0b,_al0_1,_bs0_0,0)\n+\n+ VOP2(vmov,_a1a,_a1b)\n+ VMAC(vmlal.s32,_a1a,_ah2_0,_bh2_1,1)\n+ VMAC(vmlal.s32,_a1a,_ah2_1,_bh2_0,1)\n+ VMAC(vmlal.s32,_a1a,_ah0_0,_bl0_1,1)\n+ VMAC(vmlal.s32,_a1a,_ah0_1,_bl0_0,1)\n+\n+ VOP2(vswp,_a0b_1,_a0a_0)\n+\n+ VMAC(vmlsl.s32,_a1b,_al2_0,_bl2_1,1)\n+ VMAC(vmlsl.s32,_a1b,_al2_1,_bl2_0,1)\n+ VMAC(vmlal.s32,_a1b,_al0_0,_bs0_1,1)\n+ VMAC(vmlal.s32,_a1b,_al0_1,_bs0_0,1)\n+ \n+ VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n+ VOP3(vsub.i32,_bs2_0,_bl2_0,_bh2_0)\n+ VOP2(vmovn.i64,_a0b_0,_a0b)\n+ \n+ VOP2(vswp,_a1b_1,_a1a_0)\n+ VOP3(vadd.i64,_a1b,_a0a,_a1b)\n+\n+ VMAC(vmull.s32,_a0a,_as2_1,_bs2_1,0)\n+ VOP2(vmovn.i64,_a0b_1,_a1b)\n+ VMAC(vmlal.s32,_a0a,_as0_0,_bh2_0,0)\n+ VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n+ VMAC(vmlal.s32,_a0a,_as0_1,_bh0_1,0)\n+ VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n+ VMAC(vmlal.s32,_a0a,_as2_0,_bh0_0,0)\n+ \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n+\n+ VMAC(vmull.s32,_a1b,_as2_1,_bs2_1,1)\n+ VMAC(vmlal.s32,_a1b,_as0_0,_bh2_0,1)\n+ VMAC(vmlal.s32,_a1b,_as0_1,_bh0_1,1)\n+ VMAC(vmlal.s32,_a1b,_as2_0,_bh0_0,1)\n+\n+ VOP2(vmov,_a0b_1,_a0a_1)\n+ VOP3(vadd.i64,_a0b_0,_a0a_0,_a1a_0)\n+ VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n+ VMAC(vmlal.s32,_a0a,_ah2_1,_bh2_1,0)\n+ VMAC(vmlal.s32,_a0a,_ah0_0,_bl2_0,0)\n+ VMAC(vmlal.s32,_a0a,_ah0_1,_bl0_1,0)\n+ 
VMAC(vmlal.s32,_a0a,_ah2_0,_bl0_0,0)\n+\n+ VMAC(vmlsl.s32,_a0b,_al2_1,_bl2_1,0)\n+ VMAC(vmlal.s32,_a0b,_al0_0,_bs2_0,0)\n+ VMAC(vmlal.s32,_a0b,_al0_1,_bs0_1,0)\n+ VMAC(vmlal.s32,_a0b,_al2_0,_bs0_0,0)\n+\n+ VOP2(vmov,_a1a,_a1b)\n+ VMAC(vmlal.s32,_a1a,_ah2_1,_bh2_1,1)\n+ VMAC(vmlal.s32,_a1a,_ah0_0,_bl2_0,1)\n+ VMAC(vmlal.s32,_a1a,_ah0_1,_bl0_1,1)\n+ VMAC(vmlal.s32,_a1a,_ah2_0,_bl0_0,1)\n+\n+ VOP2(vswp,_a0b_1,_a0a_0)\n+\n+ VMAC(vmlsl.s32,_a1b,_al2_1,_bl2_1,1)\n+ VMAC(vmlal.s32,_a1b,_al0_0,_bs2_0,1)\n+ VMAC(vmlal.s32,_a1b,_al0_1,_bs0_1,1)\n+ VMAC(vmlal.s32,_a1b,_al2_0,_bs0_0,1)\n+ \n+ VOP3(vsub.i32,_bs2_1,_bl2_1,_bh2_1)\n+ VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n+ VOP2(vmovn.i64,_a0b_0,_a0b)\n+ \n+ VOP2(vswp,_a1b_1,_a1a_0)\n+ VOP3(vadd.i64,_a1b,_a0a,_a1b)\n+\n+ VMAC(vmull.s32,_a0a,_as0_0,_bh2_1,0)\n+ VOP2(vmovn.i64,_a0b_1,_a1b)\n+ VMAC(vmlal.s32,_a0a,_as0_1,_bh2_0,0)\n+ VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n+ VMAC(vmlal.s32,_a0a,_as2_0,_bh0_1,0)\n+ VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n+ VMAC(vmlal.s32,_a0a,_as2_1,_bh0_0,0)\n+ \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n+\n+ VMAC(vmull.s32,_a1b,_as0_0,_bh2_1,1)\n+ VMAC(vmlal.s32,_a1b,_as0_1,_bh2_0,1)\n+ VMAC(vmlal.s32,_a1b,_as2_0,_bh0_1,1)\n+ VMAC(vmlal.s32,_a1b,_as2_1,_bh0_0,1)\n+\n+ VOP2(vmov,_a0b_1,_a0a_1)\n+ VOP3(vadd.i64,_a0b_0,_a0a_0,_a1a_0)\n+ VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n+ VMAC(vmlal.s32,_a0a,_ah0_0,_bl2_1,0)\n+ VMAC(vmlal.s32,_a0a,_ah0_1,_bl2_0,0)\n+ VMAC(vmlal.s32,_a0a,_ah2_0,_bl0_1,0)\n+ VMAC(vmlal.s32,_a0a,_ah2_1,_bl0_0,0)\n+\n+ VMAC(vmlal.s32,_a0b,_al0_0,_bs2_1,0)\n+ VMAC(vmlal.s32,_a0b,_al0_1,_bs2_0,0)\n+ VMAC(vmlal.s32,_a0b,_al2_0,_bs0_1,0)\n+ VMAC(vmlal.s32,_a0b,_al2_1,_bs0_0,0)\n+\n+ VOP2(vmov,_a1a,_a1b)\n+ VMAC(vmlal.s32,_a1a,_ah0_0,_bl2_1,1)\n+ VMAC(vmlal.s32,_a1a,_ah0_1,_bl2_0,1)\n+ VMAC(vmlal.s32,_a1a,_ah2_0,_bl0_1,1)\n+ VMAC(vmlal.s32,_a1a,_ah2_1,_bl0_0,1)\n+\n+ VOP2(vswp,_a0b_1,_a0a_0)\n+\n+ 
VMAC(vmlal.s32,_a1b,_al0_0,_bs2_1,1)\n+ VMAC(vmlal.s32,_a1b,_al0_1,_bs2_0,1)\n+ VMAC(vmlal.s32,_a1b,_al2_0,_bs0_1,1)\n+ VMAC(vmlal.s32,_a1b,_al2_1,_bs0_0,1)\n+ \n+ VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n+ VOP2(vmovn.i64,_a0b_0,_a0b)\n+ \n+ VOP2(vswp,_a1b_1,_a1a_0)\n+ VOP3(vadd.i64,_a0a,_a0a,_a1b)\n+\n+ VOP2(vmovn.i64,_a0b_1,_a0a)\n+ VOP3(vsra.u64,_a1a,_a0a,\u0022#28\u0022)\n+ \n+ VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022) \n+ \n+ VOP2(vswp,_a1a_0,_a1a_1)\n+ \n+ \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022 \n+ \u0022sub %[c], #64\u0022 \u0022\u005cn\u005ct\u0022\n+ \n+ VOP3(vadd.i64,_a1a_1,_a1a_1,_a1a_0)\n+ \n+ \u0022vldmia %[c], {\u0022_a0a_0\u0022, \u0022_a0a_1\u0022, \u0022_a0b_0\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n+ VOP2(vaddw.s32,_a1a,_a0a_0)\n+ VOP2(vmovn.i64,_a0a_0,_a1a)\n+ VOP2(vshr.s64,_a1a,\u0022#28\u0022)\n+ \n+ VOP2(vaddw.s32,_a1a,_a0a_1)\n+ VOP2(vmovn.i64,_a0a_1,_a1a)\n+ VOP2(vshr.s64,_a1a,\u0022#28\u0022)\n+ \n+ VOP2(vbic.i32,_a0a,\u0022#0xf0000000\u0022)\n+ \n+ VOP2(vaddw.s32,_a1a,_a0b_0) \n+ VOP2(vmovn.i64,_a0b_0,_a1a)\n+ \n+ \u0022vstmia %[c], {\u0022_a0a_0\u0022, \u0022_a0a_1\u0022, \u0022_a0b_0\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n+ \n+ : [a]\u0022+r\u0022(as)\n+ , [b]\u0022+r\u0022(bs)\n+ , [c]\u0022+r\u0022(vc)\n+ \n+ :: \u0022q0\u0022,\u0022q1\u0022,\u0022q2\u0022,\u0022q3\u0022,\n+ \u0022q4\u0022,\u0022q5\u0022,\u0022q6\u0022,\u0022q7\u0022,\n+ \u0022q8\u0022,\u0022q9\u0022,\u0022q10\u0022,\u0022q11\u0022,\n+ \u0022q12\u0022,\u0022q13\u0022,\u0022q14\u0022,\u0022q15\u0022,\n+ \u0022memory\u0022\n+ );\n+}\n+\n+void gf_sqr (gf_s *__restrict__ cs, const gf bs) {\n+ int32x2_t *vc \u003d (int32x2_t*) cs-\u003elimb;\n+\n+ __asm__ __volatile__ (\n+ \u0022vld2.32 {\u0022_bl0_0\u0022,\u0022_bl0_1\u0022,\u0022_bh0_0\u0022,\u0022_bh0_1\u0022}, [%[b],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n+ VOP3(vadd.i32,_bs0_1,_bl0_1,_bh0_1) /* 0 .. 
2^30 */\n+ VOP3(vsub.i32,_bs0_0,_bl0_0,_bh0_0) /* +- 2^29 */\n+ VOP3(vadd.i32,_as0,_bl0,_bh0) /* 0 .. 2^30 */\n+ \n+ \u0022vld2.32 {\u0022_bl2_0\u0022,\u0022_bl2_1\u0022,\u0022_bh2_0\u0022,\u0022_bh2_1\u0022}, [%[b],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n+ VOP3(vadd.i32,_bs2,_bl2,_bh2) /* 0 .. 2^30 */\n+ VOP2(vmov,_as2,_bs2)\n+ \n+ VMAC(vqdmull.s32,_a0b,_as0_1,_bs2_1,0) /* 0 .. 8 * 2^58. danger for vqdmlal is 32 */\n+ VMAC(vmlal.s32,_a0b,_as2_0,_bs2_0,0) /* 0 .. 12 */\n+ VMAC(vmlal.s32,_a0b,_as0_0,_bh0_0,0) /* 0 .. 14 */\n+ \n+ VMAC(vqdmull.s32,_a1b,_as0_1,_bs2_1,1) /* 0 .. 8 */\n+ VMAC(vmlal.s32,_a1b,_as2_0,_bs2_0,1) /* 0 .. 14 */\n+ VMAC(vmlal.s32,_a1b,_as0_0,_bh0_0,1) /* 0 .. 16 */\n+ \n+ VOP2(vmov,_a0a,_a0b) /* 0 .. 14 */\n+ VMAC(vqdmlal.s32,_a0a,_bh0_1,_bh2_1,0) /* 0 .. 16 */\n+ VMAC(vmlal.s32,_a0a,_bh2_0,_bh2_0,0) /* 0 .. 17 */\n+ VMAC(vmlal.s32,_a0a,_bh0_0,_bl0_0,0) /* 0 .. 18 */\n+ \n+ VMAC(vqdmlsl.s32,_a0b,_bl0_1,_bl2_1,0) /*-2 .. 14 */\n+ VMAC(vmlsl.s32,_a0b,_bl2_0,_bl2_0,0) /*-3 .. 14 */\n+ VMAC(vmlal.s32,_a0b,_bl0_0,_bs0_0,0) /*-4 .. 15 */\n+ \n+ VOP2(vmov,_a1a,_a1b)\n+ VMAC(vqdmlal.s32,_a1a,_bh0_1,_bh2_1,1) /* 0 .. 18 */\n+ VMAC(vmlal.s32,_a1a,_bh2_0,_bh2_0,1) /* 0 .. 19 */\n+ VMAC(vmlal.s32,_a1a,_bh0_0,_bl0_0,1) /* 0 .. 20 */\n+ \n+ VOP2(vswp,_a0b_1,_a0a_0)\n+ \n+ VMAC(vqdmlsl.s32,_a1b,_bl0_1,_bl2_1,1) /*-2 .. 16 */\n+ VMAC(vmlsl.s32,_a1b,_bl2_0,_bl2_0,1) /*-3 .. 16 */\n+ VMAC(vmlal.s32,_a1b,_bl0_0,_bs0_0,1) /*-4 .. 17 */\n+ \n+ VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n+ VOP3(vsub.i32,_bs0_1,_bl0_1,_bh0_1)\n+ VOP2(vmovn.i64,_a0b_0,_a0b)\n+ \n+ VOP2(vswp,_a1b_1,_a1a_0)\n+ VOP3(vadd.i64,_a1b,_a0a,_a1b)\n+ \n+ \n+ VMAC(vqdmull.s32,_a0a,_as2_0,_bs2_1,0) /* 0 .. 8 */\n+ VOP2(vmovn.i64,_a0b_1,_a1b)\n+ VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n+ VMAC(vqdmlal.s32,_a0a,_as0_0,_bh0_1,0) /* 0 .. 
12 */\n+ VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n+ \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n+ \n+ VMAC(vqdmull.s32,_a1b,_as2_0,_bs2_1,1) /* 0 .. 8 */\n+ VMAC(vqdmlal.s32,_a1b,_as0_0,_bh0_1,1) /* 0 .. 12 */\n+\n+ VOP2(vmov,_a0b,_a0a) /* 0 .. 12 */\n+ VMAC(vqdmlal.s32,_a0a,_bh2_0,_bh2_1,0) /* 0 .. 14 */\n+ VMAC(vqdmlal.s32,_a0a,_bh0_0,_bl0_1,0) /* 0 .. 16 */\n+\n+ VMAC(vqdmlsl.s32,_a0b,_bl2_0,_bl2_1,0) /*-2 .. 12 */\n+ VMAC(vqdmlal.s32,_a0b,_bl0_0,_bs0_1,0) /*-4 .. 14 */\n+ VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n+ VOP3(vadd.i64,_a0b_0,_a0b_0,_a1a_0)\n+\n+ VOP2(vmov,_a1a,_a1b) /* 0 .. 12 */\n+ VMAC(vqdmlal.s32,_a1a,_bh2_0,_bh2_1,1) /* 0 .. 14 */\n+ VMAC(vqdmlal.s32,_a1a,_bh0_0,_bl0_1,1) /* 0 .. 16 */\n+\n+ VOP2(vswp,_a0b_1,_a0a_0)\n+\n+ VMAC(vqdmlsl.s32,_a1b,_bl2_0,_bl2_1,1) /*-2 .. 12 */\n+ VMAC(vqdmlal.s32,_a1b,_bl0_0,_bs0_1,1) /*-4 .. 14 */\n+ \n+ VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n+ VOP3(vsub.i32,_bs2_0,_bl2_0,_bh2_0)\n+ VOP2(vmovn.i64,_a0b_0,_a0b)\n+ \n+ VOP2(vswp,_a1b_1,_a1a_0)\n+ VOP3(vadd.i64,_a1b,_a0a,_a1b)\n+\n+ VMAC(vmull.s32,_a0a,_as2_1,_bs2_1,0)\n+ VOP2(vmovn.i64,_a0b_1,_a1b)\n+ VMAC(vqdmlal.s32,_a0a,_as0_0,_bh2_0,0)\n+ VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n+ VMAC(vmlal.s32,_a0a,_as0_1,_bh0_1,0)\n+ VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n+ \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n+\n+ VMAC(vmull.s32,_a1b,_as2_1,_bs2_1,1)\n+ VMAC(vqdmlal.s32,_a1b,_as0_0,_bh2_0,1)\n+ VMAC(vmlal.s32,_a1b,_as0_1,_bh0_1,1)\n+\n+ VOP2(vmov,_a0b_1,_a0a_1)\n+ VOP3(vadd.i64,_a0b_0,_a0a_0,_a1a_0)\n+ VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n+ VMAC(vmlal.s32,_a0a,_bh2_1,_bh2_1,0)\n+ VMAC(vqdmlal.s32,_a0a,_bh0_0,_bl2_0,0)\n+ VMAC(vmlal.s32,_a0a,_bh0_1,_bl0_1,0)\n+\n+ VMAC(vmlsl.s32,_a0b,_bl2_1,_bl2_1,0)\n+ VMAC(vqdmlal.s32,_a0b,_bl0_0,_bs2_0,0)\n+ VMAC(vmlal.s32,_a0b,_bl0_1,_bs0_1,0)\n+\n+ VOP2(vmov,_a1a,_a1b)\n+ VMAC(vmlal.s32,_a1a,_bh2_1,_bh2_1,1)\n+ 
VMAC(vqdmlal.s32,_a1a,_bh0_0,_bl2_0,1)\n+ VMAC(vmlal.s32,_a1a,_bh0_1,_bl0_1,1)\n+\n+ VOP2(vswp,_a0b_1,_a0a_0)\n+\n+ VMAC(vmlsl.s32,_a1b,_bl2_1,_bl2_1,1)\n+ VMAC(vqdmlal.s32,_a1b,_bl0_0,_bs2_0,1)\n+ VMAC(vmlal.s32,_a1b,_bl0_1,_bs0_1,1)\n+ \n+ VOP3(vsub.i32,_bs2_1,_bl2_1,_bh2_1)\n+ VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n+ VOP2(vmovn.i64,_a0b_0,_a0b)\n+ \n+ VOP2(vswp,_a1b_1,_a1a_0)\n+ VOP3(vadd.i64,_a1b,_a0a,_a1b)\n+\n+ VMAC(vqdmull.s32,_a0a,_as0_0,_bh2_1,0)\n+ VOP2(vmovn.i64,_a0b_1,_a1b)\n+ VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n+ VMAC(vqdmlal.s32,_a0a,_as2_0,_bh0_1,0)\n+ VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n+ \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n+\n+ VMAC(vqdmull.s32,_a1b,_as0_0,_bh2_1,1)\n+ VMAC(vqdmlal.s32,_a1b,_as2_0,_bh0_1,1)\n+\n+ VOP2(vmov,_a0b_1,_a0a_1)\n+ VOP3(vadd.i64,_a0b_0,_a0a_0,_a1a_0)\n+ VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n+ VMAC(vqdmlal.s32,_a0a,_bh0_0,_bl2_1,0)\n+ VMAC(vqdmlal.s32,_a0a,_bh2_0,_bl0_1,0)\n+\n+ VMAC(vqdmlal.s32,_a0b,_bl0_0,_bs2_1,0)\n+ VMAC(vqdmlal.s32,_a0b,_bl2_0,_bs0_1,0)\n+\n+ VOP2(vmov,_a1a,_a1b)\n+ VMAC(vqdmlal.s32,_a1a,_bh0_0,_bl2_1,1)\n+ VMAC(vqdmlal.s32,_a1a,_bh2_0,_bl0_1,1)\n+\n+ VOP2(vswp,_a0b_1,_a0a_0)\n+\n+ VMAC(vqdmlal.s32,_a1b,_bl0_0,_bs2_1,1)\n+ VMAC(vqdmlal.s32,_a1b,_bl2_0,_bs0_1,1)\n+ \n+ VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n+ VOP2(vmovn.i64,_a0b_0,_a0b)\n+ \n+ VOP2(vswp,_a1b_1,_a1a_0)\n+ VOP3(vadd.i64,_a0a,_a0a,_a1b)\n+\n+ VOP2(vmovn.i64,_a0b_1,_a0a)\n+ VOP3(vsra.u64,_a1a,_a0a,\u0022#28\u0022)\n+ \n+ VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022) \n+ \n+ VOP2(vswp,_a1a_0,_a1a_1)\n+ \n+ \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022 \n+ \u0022sub %[c], #64\u0022 \u0022\u005cn\u005ct\u0022\n+ \n+ VOP3(vadd.i64,_a1a_1,_a1a_1,_a1a_0)\n+ \n+ \u0022vldmia %[c], {\u0022_a0a_0\u0022, \u0022_a0a_1\u0022, \u0022_a0b_0\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n+ VOP2(vaddw.s32,_a1a,_a0a_0)\n+ 
VOP2(vmovn.i64,_a0a_0,_a1a)\n+ VOP2(vshr.s64,_a1a,\u0022#28\u0022)\n+ \n+ VOP2(vaddw.s32,_a1a,_a0a_1)\n+ VOP2(vmovn.i64,_a0a_1,_a1a)\n+ VOP2(vshr.s64,_a1a,\u0022#28\u0022)\n+ \n+ VOP2(vbic.i32,_a0a,\u0022#0xf0000000\u0022)\n+ \n+ VOP2(vaddw.s32,_a1a,_a0b_0) \n+ VOP2(vmovn.i64,_a0b_0,_a1a)\n+ \n+ \u0022vstmia %[c], {\u0022_a0a_0\u0022, \u0022_a0a_1\u0022, \u0022_a0b_0\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n+ \n+ : [b]\u0022+r\u0022(bs)\n+ , [c]\u0022+r\u0022(vc)\n+ \n+ :: \u0022q0\u0022,\u0022q1\u0022,\u0022q2\u0022,\u0022q3\u0022,\n+ \u0022q4\u0022,\u0022q5\u0022,\u0022q6\u0022,\u0022q7\u0022,\n+ \u0022q12\u0022,\u0022q13\u0022,\u0022q14\u0022,\u0022q15\u0022,\n+ \u0022memory\u0022\n+ );\n+}\n+\n+void gf_mulw_unsigned (gf_s *__restrict__ cs, const gf as, uint32_t b) { \n+ uint32x2_t vmask \u003d {(1\u003c\u003c28) - 1, (1\u003c\u003c28)-1};\n+ assert(b\u003c(1\u003c\u003c28));\n+ \n+ uint64x2_t accum;\n+ const uint32x2_t *va \u003d (const uint32x2_t *) as-\u003elimb;\n+ uint32x2_t *vo \u003d (uint32x2_t *) cs-\u003elimb;\n+ uint32x2_t vc, vn;\n+ uint32x2_t vb \u003d {b, 0};\n+ \n+ vc \u003d va[0];\n+ accum \u003d vmull_lane_u32(vc, vb, 0);\n+ vo[0] \u003d vmovn_u64(accum) \u0026 vmask;\n+ accum \u003d vshrq_n_u64(accum,28);\n+ \n+ /* PERF: the right way to do this is to reduce behind, i.e.\n+ * vmull + vmlal round 0\n+ * vmull + vmlal round 1\n+ * vmull + vmlal round 2\n+ * vsraq round 0, 1\n+ * vmull + vmlal round 3\n+ * vsraq round 1, 2\n+ * ...\n+ */\n+ \n+ int i;\n+ for (i\u003d1; i\u003c8; i++) {\n+ vn \u003d va[i];\n+ accum \u003d vmlal_lane_u32(accum, vn, vb, 0);\n+ vo[i] \u003d vmovn_u64(accum) \u0026 vmask;\n+ accum \u003d vshrq_n_u64(accum,28);\n+ vc \u003d vn;\n+ }\n+ \n+ accum \u003d xx_vaddup_u64(vrev128_u64(accum));\n+ accum \u003d vaddw_u32(accum, vo[0]);\n+ vo[0] \u003d vmovn_u64(accum) \u0026 vmask;\n+ \n+ accum \u003d vshrq_n_u64(accum,28);\n+ vo[1] +\u003d vmovn_u64(accum);\n+}\ndiff --git a/crypto/ec/curve448/arch_neon/f_impl.h 
b/crypto/ec/curve448/arch_neon/f_impl.h\nnew file mode 100644\nindex 0000000..ba48d8c\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_neon/f_impl.h\n@@ -0,0 +1,56 @@\n+/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ */\n+\n+#define GF_HEADROOM 2\n+#define LIMBPERM(x) (((x)\u003c\u003c1 | (x)\u003e\u003e3) \u0026 15)\n+#define USE_NEON_PERM 1\n+#define LIMBHI(x) ((x##ull)\u003e\u003e28)\n+#define LIMBLO(x) ((x##ull)\u0026((1ull\u003c\u003c28)-1))\n+# define FIELD_LITERAL(a,b,c,d,e,f,g,h) \u005c\n+ {{LIMBLO(a),LIMBLO(e), LIMBHI(a),LIMBHI(e), \u005c\n+ LIMBLO(b),LIMBLO(f), LIMBHI(b),LIMBHI(f), \u005c\n+ LIMBLO(c),LIMBLO(g), LIMBHI(c),LIMBHI(g), \u005c\n+ LIMBLO(d),LIMBLO(h), LIMBHI(d),LIMBHI(h)}}\n+ \n+#define LIMB_PLACE_VALUE(i) 28\n+\n+void gf_add_RAW (gf out, const gf a, const gf b) {\n+ for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint32xn_t); i++) {\n+ ((uint32xn_t*)out)[i] \u003d ((const uint32xn_t*)a)[i] + ((const uint32xn_t*)b)[i];\n+ }\n+}\n+\n+void gf_sub_RAW (gf out, const gf a, const gf b) {\n+ for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint32xn_t); i++) {\n+ ((uint32xn_t*)out)[i] \u003d ((const uint32xn_t*)a)[i] - ((const uint32xn_t*)b)[i];\n+ }\n+ /*\n+ unsigned int i;\n+ for (i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n+ out-\u003elimb[i] \u003d a-\u003elimb[i] - b-\u003elimb[i];\n+ }\n+ */\n+}\n+\n+void gf_bias (gf a, int amt) {\n+ uint32_t co1 \u003d ((1ull\u003c\u003c28)-1)*amt, co2 \u003d co1-amt;\n+ uint32x4_t lo \u003d {co1,co2,co1,co1}, hi \u003d {co1,co1,co1,co1};\n+ uint32x4_t *aa \u003d (uint32x4_t*) a;\n+ aa[0] +\u003d lo;\n+ aa[1] +\u003d hi;\n+ aa[2] +\u003d hi;\n+ aa[3] +\u003d hi;\n+}\n+\n+void gf_weak_reduce (gf a) {\n+\n+ uint32x2_t *aa \u003d (uint32x2_t*) a, vmask \u003d {(1ull\u003c\u003c28)-1, (1ull\u003c\u003c28)-1}, vm2 \u003d {0,-1},\n+ tmp \u003d vshr_n_u32(aa[7],28);\n+ \n+ for (unsigned int i\u003d7; 
i\u003e\u003d1; i--) {\n+ aa[i] \u003d vsra_n_u32(aa[i] \u0026 vmask, aa[i-1], 28);\n+ }\n+ aa[0] \u003d (aa[0] \u0026 vmask) + vrev64_u32(tmp) + (tmp\u0026vm2);\n+}\n+\ndiff --git a/crypto/ec/curve448/arch_ref64/arch_intrinsics.h b/crypto/ec/curve448/arch_ref64/arch_intrinsics.h\nnew file mode 100644\nindex 0000000..4b34ea5\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_ref64/arch_intrinsics.h\n@@ -0,0 +1,22 @@\n+/* Copyright (c) 2016 Cryptography Research, Inc.\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ */\n+\n+#ifndef __ARCH_REF64_ARCH_INTRINSICS_H__\n+#define __ARCH_REF64_ARCH_INTRINSICS_H__\n+\n+#define ARCH_WORD_BITS 64\n+\n+static __inline__ __attribute((always_inline,unused))\n+uint64_t word_is_zero(uint64_t a) {\n+ /* let's hope the compiler isn't clever enough to optimize this. */\n+ return (((__uint128_t)a)-1)\u003e\u003e64;\n+}\n+\n+static __inline__ __attribute((always_inline,unused))\n+__uint128_t widemul(uint64_t a, uint64_t b) {\n+ return ((__uint128_t)a) * b; \n+}\n+\n+#endif /* ARCH_REF64_ARCH_INTRINSICS_H__ */\n+\ndiff --git a/crypto/ec/curve448/arch_ref64/f_impl.c b/crypto/ec/curve448/arch_ref64/f_impl.c\nnew file mode 100644\nindex 0000000..5268100\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_ref64/f_impl.c\n@@ -0,0 +1,302 @@\n+/* Copyright (c) 2014 Cryptography Research, Inc.\n+ * Released under the MIT License. 
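Review bot: In `gf_bias` the product `((1ull<<28)-1)*amt` is computed in 64 bits and then stored in `uint32_t co1`, so it only fits for `amt` between 0 and 16. A larger or negative `amt` wraps silently, and the value added to every limb is then no longer the intended bias. `GF_HEADROOM 2` suggests callers stay well inside that range, but nothing in the hunk states or checks it. I would document the bound at the top of the function, e.g. `/* amt must be in 0..16: co1 = (2^28-1)*amt has to fit in 32 bits */`, and add a debug check such as `assert(amt >= 0 && amt <= 16);` if `assert` is available wherever this header is included.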
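Review bot: `word_is_zero` depends on the compiler not recognising `(((__uint128_t)a)-1)>>64` as a zero test, as its own comment admits, so nothing here guarantees branch-free code when the argument is derived from secret data. The arch_x86_64 header in this same commit pins the sequence with inline asm (`neg`/`sbb`), whereas this portable version has no such guarantee. I would replace the comment with one stating the contract and the caveat, e.g. `/* returns all-ones if a == 0, else 0; intended to be branch-free - check the generated code for each compiler and optimisation level */`. Separately, the header uses `uint64_t` without `#include <stdint.h>`, which the x86_64 variant does include, so it only compiles when the includer has already pulled that in.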
See LICENSE.txt for license information.\n+ */\n+\n+#include \u0022f_field.h\u0022\n+\n+void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) {\n+ const uint64_t *a \u003d as-\u003elimb, *b \u003d bs-\u003elimb;\n+ uint64_t *c \u003d cs-\u003elimb;\n+\n+ __uint128_t accum0 \u003d 0, accum1 \u003d 0, accum2;\n+ uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n+\n+ uint64_t aa[4], bb[4], bbb[4];\n+\n+ unsigned int i;\n+ for (i\u003d0; i\u003c4; i++) {\n+ aa[i] \u003d a[i] + a[i+4];\n+ bb[i] \u003d b[i] + b[i+4];\n+ bbb[i] \u003d bb[i] + b[i+4];\n+ }\n+\n+ int I_HATE_UNROLLED_LOOPS \u003d 0;\n+\n+ if (I_HATE_UNROLLED_LOOPS) {\n+ /* The compiler probably won't unroll this,\n+ * so it's like 80% slower.\n+ */\n+ for (i\u003d0; i\u003c4; i++) {\n+ accum2 \u003d 0;\n+\n+ unsigned int j;\n+ for (j\u003d0; j\u003c\u003di; j++) {\n+ accum2 +\u003d widemul(a[j], b[i-j]);\n+ accum1 +\u003d widemul(aa[j], bb[i-j]);\n+ accum0 +\u003d widemul(a[j+4], b[i-j+4]);\n+ }\n+ for (; j\u003c4; j++) {\n+ accum2 +\u003d widemul(a[j], b[i-j+8]);\n+ accum1 +\u003d widemul(aa[j], bbb[i-j+4]);\n+ accum0 +\u003d widemul(a[j+4], bb[i-j+4]);\n+ }\n+\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[i] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[i+4] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+ }\n+ } else {\n+ accum2 \u003d widemul(a[0], b[0]);\n+ accum1 +\u003d widemul(aa[0], bb[0]);\n+ accum0 +\u003d widemul(a[4], b[4]);\n+\n+ accum2 +\u003d widemul(a[1], b[7]);\n+ accum1 +\u003d widemul(aa[1], bbb[3]);\n+ accum0 +\u003d widemul(a[5], bb[3]);\n+\n+ accum2 +\u003d widemul(a[2], b[6]);\n+ accum1 +\u003d widemul(aa[2], bbb[2]);\n+ accum0 +\u003d widemul(a[6], bb[2]);\n+\n+ accum2 +\u003d widemul(a[3], b[5]);\n+ accum1 +\u003d widemul(aa[3], bbb[1]);\n+ accum0 +\u003d widemul(a[7], bb[1]);\n+\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[0] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[4] \u003d 
((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum2 \u003d widemul(a[0], b[1]);\n+ accum1 +\u003d widemul(aa[0], bb[1]);\n+ accum0 +\u003d widemul(a[4], b[5]);\n+\n+ accum2 +\u003d widemul(a[1], b[0]);\n+ accum1 +\u003d widemul(aa[1], bb[0]);\n+ accum0 +\u003d widemul(a[5], b[4]);\n+\n+ accum2 +\u003d widemul(a[2], b[7]);\n+ accum1 +\u003d widemul(aa[2], bbb[3]);\n+ accum0 +\u003d widemul(a[6], bb[3]);\n+\n+ accum2 +\u003d widemul(a[3], b[6]);\n+ accum1 +\u003d widemul(aa[3], bbb[2]);\n+ accum0 +\u003d widemul(a[7], bb[2]);\n+\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[1] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[5] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum2 \u003d widemul(a[0], b[2]);\n+ accum1 +\u003d widemul(aa[0], bb[2]);\n+ accum0 +\u003d widemul(a[4], b[6]);\n+\n+ accum2 +\u003d widemul(a[1], b[1]);\n+ accum1 +\u003d widemul(aa[1], bb[1]);\n+ accum0 +\u003d widemul(a[5], b[5]);\n+\n+ accum2 +\u003d widemul(a[2], b[0]);\n+ accum1 +\u003d widemul(aa[2], bb[0]);\n+ accum0 +\u003d widemul(a[6], b[4]);\n+\n+ accum2 +\u003d widemul(a[3], b[7]);\n+ accum1 +\u003d widemul(aa[3], bbb[3]);\n+ accum0 +\u003d widemul(a[7], bb[3]);\n+\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[2] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[6] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum2 \u003d widemul(a[0], b[3]);\n+ accum1 +\u003d widemul(aa[0], bb[3]);\n+ accum0 +\u003d widemul(a[4], b[7]);\n+\n+ accum2 +\u003d widemul(a[1], b[2]);\n+ accum1 +\u003d widemul(aa[1], bb[2]);\n+ accum0 +\u003d widemul(a[5], b[6]);\n+\n+ accum2 +\u003d widemul(a[2], b[1]);\n+ accum1 +\u003d widemul(aa[2], bb[1]);\n+ accum0 +\u003d widemul(a[6], b[5]);\n+\n+ accum2 +\u003d widemul(a[3], b[0]);\n+ accum1 +\u003d widemul(aa[3], bb[0]);\n+ accum0 +\u003d 
widemul(a[7], b[4]);\n+\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[3] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[7] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+ } /* !I_HATE_UNROLLED_LOOPS */\n+\n+ accum0 +\u003d accum1;\n+ accum0 +\u003d c[4];\n+ accum1 +\u003d c[0];\n+ c[4] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[0] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ c[5] +\u003d ((uint64_t)(accum0));\n+ c[1] +\u003d ((uint64_t)(accum1));\n+}\n+\n+void gf_mulw_unsigned (gf_s *__restrict__ cs, const gf as, uint32_t b) {\n+ const uint64_t *a \u003d as-\u003elimb;\n+ uint64_t *c \u003d cs-\u003elimb;\n+\n+ __uint128_t accum0 \u003d 0, accum4 \u003d 0;\n+ uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n+\n+ int i;\n+ for (i\u003d0; i\u003c4; i++) {\n+ accum0 +\u003d widemul(b, a[i]);\n+ accum4 +\u003d widemul(b, a[i+4]);\n+ c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 56;\n+ c[i+4] \u003d accum4 \u0026 mask; accum4 \u003e\u003e\u003d 56;\n+ }\n+ \n+ accum0 +\u003d accum4 + c[4];\n+ c[4] \u003d accum0 \u0026 mask;\n+ c[5] +\u003d accum0 \u003e\u003e 56;\n+\n+ accum4 +\u003d c[0];\n+ c[0] \u003d accum4 \u0026 mask;\n+ c[1] +\u003d accum4 \u003e\u003e 56;\n+}\n+\n+void gf_sqr (gf_s *__restrict__ cs, const gf as) {\n+ const uint64_t *a \u003d as-\u003elimb;\n+ uint64_t *c \u003d cs-\u003elimb;\n+\n+ __uint128_t accum0 \u003d 0, accum1 \u003d 0, accum2;\n+ uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n+\n+ uint64_t aa[4];\n+\n+ /* For some reason clang doesn't vectorize this without prompting? 
*/\n+ unsigned int i;\n+ for (i\u003d0; i\u003c4; i++) {\n+ aa[i] \u003d a[i] + a[i+4];\n+ }\n+\n+ accum2 \u003d widemul(a[0],a[3]);\n+ accum0 \u003d widemul(aa[0],aa[3]);\n+ accum1 \u003d widemul(a[4],a[7]);\n+\n+ accum2 +\u003d widemul(a[1], a[2]);\n+ accum0 +\u003d widemul(aa[1], aa[2]);\n+ accum1 +\u003d widemul(a[5], a[6]);\n+\n+ accum0 -\u003d accum2;\n+ accum1 +\u003d accum2;\n+\n+ c[3] \u003d ((uint64_t)(accum1))\u003c\u003c1 \u0026 mask;\n+ c[7] \u003d ((uint64_t)(accum0))\u003c\u003c1 \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 55;\n+ accum1 \u003e\u003e\u003d 55;\n+\n+ accum0 +\u003d widemul(2*aa[1],aa[3]);\n+ accum1 +\u003d widemul(2*a[5], a[7]);\n+ accum0 +\u003d widemul(aa[2], aa[2]);\n+ accum1 +\u003d accum0;\n+\n+ accum0 -\u003d widemul(2*a[1], a[3]);\n+ accum1 +\u003d widemul(a[6], a[6]);\n+ \n+ accum2 \u003d widemul(a[0],a[0]);\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ accum0 -\u003d widemul(a[2], a[2]);\n+ accum1 +\u003d widemul(aa[0], aa[0]);\n+ accum0 +\u003d widemul(a[4], a[4]);\n+\n+ c[0] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[4] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum2 \u003d widemul(2*aa[2],aa[3]);\n+ accum0 -\u003d widemul(2*a[2], a[3]);\n+ accum1 +\u003d widemul(2*a[6], a[7]);\n+\n+ accum1 +\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ accum2 \u003d widemul(2*a[0],a[1]);\n+ accum1 +\u003d widemul(2*aa[0], aa[1]);\n+ accum0 +\u003d widemul(2*a[4], a[5]);\n+\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[1] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[5] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum2 \u003d widemul(aa[3],aa[3]);\n+ accum0 -\u003d widemul(a[3], a[3]);\n+ accum1 +\u003d widemul(a[7], a[7]);\n+\n+ accum1 +\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ accum2 \u003d widemul(2*a[0],a[2]);\n+ accum1 +\u003d widemul(2*aa[0], aa[2]);\n+ 
accum0 +\u003d widemul(2*a[4], a[6]);\n+\n+ accum2 +\u003d widemul(a[1], a[1]);\n+ accum1 +\u003d widemul(aa[1], aa[1]);\n+ accum0 +\u003d widemul(a[5], a[5]);\n+\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[2] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[6] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum0 +\u003d c[3];\n+ accum1 +\u003d c[7];\n+ c[3] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[7] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ /* we could almost stop here, but it wouldn't be stable, so... */\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+ c[4] +\u003d ((uint64_t)(accum0)) + ((uint64_t)(accum1));\n+ c[0] +\u003d ((uint64_t)(accum1));\n+}\n+\ndiff --git a/crypto/ec/curve448/arch_ref64/f_impl.h b/crypto/ec/curve448/arch_ref64/f_impl.h\nnew file mode 100644\nindex 0000000..05206bf\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_ref64/f_impl.h\n@@ -0,0 +1,38 @@\n+/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ */\n+\n+#define GF_HEADROOM 9999 /* Everything is reduced anyway */\n+#define FIELD_LITERAL(a,b,c,d,e,f,g,h) {{a,b,c,d,e,f,g,h}}\n+ \n+#define LIMB_PLACE_VALUE(i) 56\n+\n+void gf_add_RAW (gf out, const gf a, const gf b) {\n+ for (unsigned int i\u003d0; i\u003c8; i++) {\n+ out-\u003elimb[i] \u003d a-\u003elimb[i] + b-\u003elimb[i];\n+ }\n+ gf_weak_reduce(out);\n+}\n+\n+void gf_sub_RAW (gf out, const gf a, const gf b) {\n+ uint64_t co1 \u003d ((1ull\u003c\u003c56)-1)*2, co2 \u003d co1-2;\n+ for (unsigned int i\u003d0; i\u003c8; i++) {\n+ out-\u003elimb[i] \u003d a-\u003elimb[i] - b-\u003elimb[i] + ((i\u003d\u003d4) ? 
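Review bot: `gf_mul` and `gf_sqr` store into `c[]` while later steps still read the input limbs, so the result is wrong if `cs` overlaps an input. In the unrolled path of `gf_mul`, `c[0]` and `c[4]` are written before `widemul(a[0], b[1])` and `widemul(a[4], b[5])`. In `gf_sqr`, `c[3]` and `c[7]` are written before `widemul(2*a[5], a[7])`. The only hint at this requirement is the `__restrict__` on `cs`, which the compiler does not enforce on callers. I would state it above each function, e.g. `/* cs must not alias as or bs: output limbs are stored before all input limbs have been read */`. As a smaller style point, `int I_HATE_UNROLLED_LOOPS = 0;` is a runtime local guarding a branch that is never taken; a preprocessor switch, or dropping the rolled variant, would make it clear which code is actually built.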
co2 : co1);\n+ }\n+ gf_weak_reduce(out);\n+}\n+\n+void gf_bias (gf a, int amt) {\n+ (void) a;\n+ (void) amt;\n+}\n+\n+void gf_weak_reduce (gf a) {\n+ uint64_t mask \u003d (1ull\u003c\u003c56) - 1;\n+ uint64_t tmp \u003d a-\u003elimb[7] \u003e\u003e 56;\n+ a-\u003elimb[4] +\u003d tmp;\n+ for (unsigned int i\u003d7; i\u003e0; i--) {\n+ a-\u003elimb[i] \u003d (a-\u003elimb[i] \u0026 mask) + (a-\u003elimb[i-1]\u003e\u003e56);\n+ }\n+ a-\u003elimb[0] \u003d (a-\u003elimb[0] \u0026 mask) + tmp;\n+}\ndiff --git a/crypto/ec/curve448/arch_x86_64/arch_intrinsics.h b/crypto/ec/curve448/arch_x86_64/arch_intrinsics.h\nnew file mode 100644\nindex 0000000..8fcf2c8\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_x86_64/arch_intrinsics.h\n@@ -0,0 +1,305 @@\n+/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ */\n+\n+#ifndef __ARCH_X86_64_ARCH_INTRINSICS_H__\n+#define __ARCH_X86_64_ARCH_INTRINSICS_H__\n+\n+#define ARCH_WORD_BITS 64\n+\n+#include \u003cstdint.h\u003e\n+\n+/* FUTURE: autogenerate */\n+static __inline__ __uint128_t widemul(const uint64_t *a, const uint64_t *b) {\n+ uint64_t c,d;\n+ #ifndef __BMI2__\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rax;\u0022\n+ \u0022mulq %[b];\u0022\n+ : [c]\u0022\u003d\u0026a\u0022(c), [d]\u0022\u003dd\u0022(d)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022cc\u0022);\n+ #else\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rdx;\u0022\n+ \u0022mulx %[b], %[c], %[d];\u0022\n+ : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022rdx\u0022);\n+ #endif\n+ return (((__uint128_t)(d))\u003c\u003c64) | c;\n+}\n+\n+static __inline__ __uint128_t widemul_rm(uint64_t a, const uint64_t *b) {\n+ uint64_t c,d;\n+ #ifndef __BMI2__\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rax;\u0022\n+ \u0022mulq %[b];\u0022\n+ : [c]\u0022\u003d\u0026a\u0022(c), [d]\u0022\u003dd\u0022(d)\n+ : [b]\u0022m\u0022(*b), 
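Review bot: `gf_sub_RAW` relies on an unstated input bound: the per-limb bias `co1 = ((1ull<<56)-1)*2` (with `co2 = co1-2` at limb 4, which looks like the limbs of 2p) only keeps `a->limb[i] - b->limb[i] + bias` from wrapping below zero while each limb of `b` is no larger than the bias plus the matching limb of `a`. `GF_HEADROOM 9999 /* Everything is reduced anyway */` implies that every operand reaching this function is already weakly reduced, but the hunk neither documents nor checks that. A wrapped limb would go straight into `gf_weak_reduce` and produce a wrong field element with no error. I would add a comment above the function such as `/* requires b weakly reduced; the bias (2p) keeps every limb non-negative before gf_weak_reduce */`.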
[a]\u0022r\u0022(a)\n+ : \u0022cc\u0022);\n+ #else\n+ __asm__ volatile\n+ (\u0022mulx %[b], %[c], %[d];\u0022\n+ : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d)\n+ : [b]\u0022m\u0022(*b), [a]\u0022d\u0022(a));\n+ #endif\n+ return (((__uint128_t)(d))\u003c\u003c64) | c;\n+}\n+\n+static __inline__ __uint128_t widemul_rr(uint64_t a, uint64_t b) {\n+ uint64_t c,d;\n+ #ifndef __BMI2__\n+ __asm__ volatile\n+ (\u0022mulq %[b];\u0022\n+ : [c]\u0022\u003da\u0022(c), [d]\u0022\u003dd\u0022(d)\n+ : [b]\u0022r\u0022(b), \u0022a\u0022(a)\n+ : \u0022cc\u0022);\n+ #else\n+ __asm__ volatile\n+ (\u0022mulx %[b], %[c], %[d];\u0022\n+ : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d)\n+ : [b]\u0022r\u0022(b), [a]\u0022d\u0022(a));\n+ #endif\n+ return (((__uint128_t)(d))\u003c\u003c64) | c;\n+}\n+\n+static __inline__ __uint128_t widemul2(const uint64_t *a, const uint64_t *b) {\n+ uint64_t c,d;\n+ #ifndef __BMI2__\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rax; \u0022\n+ \u0022addq %%rax, %%rax; \u0022\n+ \u0022mulq %[b];\u0022\n+ : [c]\u0022\u003d\u0026a\u0022(c), [d]\u0022\u003dd\u0022(d)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022cc\u0022);\n+ #else\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rdx;\u0022\n+ \u0022leaq (,%%rdx,2), %%rdx;\u0022\n+ \u0022mulx %[b], %[c], %[d];\u0022\n+ : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022rdx\u0022);\n+ #endif\n+ return (((__uint128_t)(d))\u003c\u003c64) | c;\n+}\n+\n+static __inline__ void mac(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {\n+ uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n+ \n+ #ifdef __BMI2__\n+ uint64_t c,d;\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rdx; \u0022\n+ \u0022mulx %[b], %[c], %[d]; \u0022\n+ \u0022addq %[c], %[lo]; \u0022\n+ \u0022adcq %[d], %[hi]; \u0022\n+ : [c]\u0022\u003d\u0026r\u0022(c), [d]\u0022\u003d\u0026r\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022m\u0022(*b), 
[a]\u0022m\u0022(*a)\n+ : \u0022rdx\u0022, \u0022cc\u0022);\n+ #else\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rax; \u0022\n+ \u0022mulq %[b]; \u0022\n+ \u0022addq %%rax, %[lo]; \u0022\n+ \u0022adcq %%rdx, %[hi]; \u0022\n+ : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n+ #endif\n+ \n+ *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n+}\n+\n+static __inline__ void macac(__uint128_t *acc, __uint128_t *acc2, const uint64_t *a, const uint64_t *b) {\n+ uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n+ uint64_t lo2 \u003d *acc2, hi2 \u003d *acc2\u003e\u003e64;\n+ \n+ #ifdef __BMI2__\n+ uint64_t c,d;\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rdx; \u0022\n+ \u0022mulx %[b], %[c], %[d]; \u0022\n+ \u0022addq %[c], %[lo]; \u0022\n+ \u0022adcq %[d], %[hi]; \u0022\n+ \u0022addq %[c], %[lo2]; \u0022\n+ \u0022adcq %[d], %[hi2]; \u0022\n+ : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi), [lo2]\u0022+r\u0022(lo2), [hi2]\u0022+r\u0022(hi2)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022rdx\u0022, \u0022cc\u0022);\n+ #else\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rax; \u0022\n+ \u0022mulq %[b]; \u0022\n+ \u0022addq %%rax, %[lo]; \u0022\n+ \u0022adcq %%rdx, %[hi]; \u0022\n+ \u0022addq %%rax, %[lo2]; \u0022\n+ \u0022adcq %%rdx, %[hi2]; \u0022\n+ : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi), [lo2]\u0022+r\u0022(lo2), [hi2]\u0022+r\u0022(hi2)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n+ #endif\n+ \n+ *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n+ *acc2 \u003d (((__uint128_t)(hi2))\u003c\u003c64) | lo2;\n+}\n+\n+static __inline__ void mac_rm(__uint128_t *acc, uint64_t a, const uint64_t *b) {\n+ uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n+ \n+ #ifdef __BMI2__\n+ uint64_t c,d;\n+ __asm__ volatile\n+ (\u0022mulx 
%[b], %[c], %[d]; \u0022\n+ \u0022addq %[c], %[lo]; \u0022\n+ \u0022adcq %[d], %[hi]; \u0022\n+ : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022m\u0022(*b), [a]\u0022d\u0022(a)\n+ : \u0022cc\u0022);\n+ #else\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rax; \u0022\n+ \u0022mulq %[b]; \u0022\n+ \u0022addq %%rax, %[lo]; \u0022\n+ \u0022adcq %%rdx, %[hi]; \u0022\n+ : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022m\u0022(*b), [a]\u0022r\u0022(a)\n+ : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n+ #endif\n+ \n+ *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n+}\n+\n+static __inline__ void mac_rr(__uint128_t *acc, uint64_t a, const uint64_t b) {\n+ uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n+ \n+ #ifdef __BMI2__\n+ uint64_t c,d;\n+ __asm__ volatile\n+ (\u0022mulx %[b], %[c], %[d]; \u0022\n+ \u0022addq %[c], %[lo]; \u0022\n+ \u0022adcq %[d], %[hi]; \u0022\n+ : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022r\u0022(b), [a]\u0022d\u0022(a)\n+ : \u0022cc\u0022);\n+ #else\n+ __asm__ volatile\n+ (\u0022mulq %[b]; \u0022\n+ \u0022addq %%rax, %[lo]; \u0022\n+ \u0022adcq %%rdx, %[hi]; \u0022\n+ : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi), \u0022+a\u0022(a)\n+ : [b]\u0022r\u0022(b)\n+ : \u0022rdx\u0022, \u0022cc\u0022);\n+ #endif\n+ \n+ *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n+}\n+\n+static __inline__ void mac2(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {\n+ uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n+ \n+ #ifdef __BMI2__\n+ uint64_t c,d;\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rdx; \u0022\n+ \u0022addq %%rdx, %%rdx; \u0022\n+ \u0022mulx %[b], %[c], %[d]; \u0022\n+ \u0022addq %[c], %[lo]; \u0022\n+ \u0022adcq %[d], %[hi]; \u0022\n+ : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022m\u0022(*b), 
[a]\u0022m\u0022(*a)\n+ : \u0022rdx\u0022, \u0022cc\u0022);\n+ #else\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rax; \u0022\n+ \u0022addq %%rax, %%rax; \u0022\n+ \u0022mulq %[b]; \u0022\n+ \u0022addq %%rax, %[lo]; \u0022\n+ \u0022adcq %%rdx, %[hi]; \u0022\n+ : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n+ #endif\n+ \n+ *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n+}\n+\n+static __inline__ void msb(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {\n+ uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n+ #ifdef __BMI2__\n+ uint64_t c,d;\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rdx; \u0022\n+ \u0022mulx %[b], %[c], %[d]; \u0022\n+ \u0022subq %[c], %[lo]; \u0022\n+ \u0022sbbq %[d], %[hi]; \u0022\n+ : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022rdx\u0022, \u0022cc\u0022);\n+ #else\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rax; \u0022\n+ \u0022mulq %[b]; \u0022\n+ \u0022subq %%rax, %[lo]; \u0022\n+ \u0022sbbq %%rdx, %[hi]; \u0022\n+ : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n+ #endif\n+ *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n+}\n+\n+static __inline__ void msb2(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {\n+ uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n+ #ifdef __BMI2__\n+ uint64_t c,d;\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rdx; \u0022\n+ \u0022addq %%rdx, %%rdx; \u0022\n+ \u0022mulx %[b], %[c], %[d]; \u0022\n+ \u0022subq %[c], %[lo]; \u0022\n+ \u0022sbbq %[d], %[hi]; \u0022\n+ : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022rdx\u0022, \u0022cc\u0022);\n+ 
#else\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rax; \u0022\n+ \u0022addq %%rax, %%rax; \u0022\n+ \u0022mulq %[b]; \u0022\n+ \u0022subq %%rax, %[lo]; \u0022\n+ \u0022sbbq %%rdx, %[hi]; \u0022\n+ : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n+ #endif\n+ *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n+ \n+}\n+\n+static __inline__ void mrs(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {\n+ uint64_t c,d, lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n+ __asm__ volatile\n+ (\u0022movq %[a], %%rdx; \u0022\n+ \u0022mulx %[b], %[c], %[d]; \u0022\n+ \u0022subq %[lo], %[c]; \u0022\n+ \u0022sbbq %[hi], %[d]; \u0022\n+ : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n+ : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n+ : \u0022rdx\u0022, \u0022cc\u0022);\n+ *acc \u003d (((__uint128_t)(d))\u003c\u003c64) | c;\n+}\n+\n+static __inline__ uint64_t word_is_zero(uint64_t x) {\n+ __asm__ volatile(\u0022neg %0; sbb %0, %0;\u0022 : \u0022+r\u0022(x));\n+ return ~x;\n+}\n+\n+static inline uint64_t shrld(__uint128_t x, int n) {\n+ return x\u003e\u003en;\n+}\n+\n+#endif /* __ARCH_X86_64_ARCH_INTRINSICS_H__ */\ndiff --git a/crypto/ec/curve448/arch_x86_64/f_impl.c b/crypto/ec/curve448/arch_x86_64/f_impl.c\nnew file mode 100644\nindex 0000000..1e1d76d\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_x86_64/f_impl.c\n@@ -0,0 +1,291 @@\n+/* Copyright (c) 2014 Cryptography Research, Inc.\n+ * Released under the MIT License. 
See LICENSE.txt for license information.\n+ */\n+\n+#include \u0022f_field.h\u0022\n+\n+void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) {\n+ const uint64_t *a \u003d as-\u003elimb, *b \u003d bs-\u003elimb;\n+ uint64_t *c \u003d cs-\u003elimb;\n+\n+ __uint128_t accum0 \u003d 0, accum1 \u003d 0, accum2;\n+ uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n+\n+ uint64_t aa[4] VECTOR_ALIGNED, bb[4] VECTOR_ALIGNED, bbb[4] VECTOR_ALIGNED;\n+\n+ /* For some reason clang doesn't vectorize this without prompting? */\n+ unsigned int i;\n+ for (i\u003d0; i\u003csizeof(aa)/sizeof(uint64xn_t); i++) {\n+ ((uint64xn_t*)aa)[i] \u003d ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)(\u0026a[4]))[i];\n+ ((uint64xn_t*)bb)[i] \u003d ((const uint64xn_t*)b)[i] + ((const uint64xn_t*)(\u0026b[4]))[i]; \n+ ((uint64xn_t*)bbb)[i] \u003d ((const uint64xn_t*)bb)[i] + ((const uint64xn_t*)(\u0026b[4]))[i]; \n+ }\n+ /*\n+ for (int i\u003d0; i\u003c4; i++) {\n+ aa[i] \u003d a[i] + a[i+4];\n+ bb[i] \u003d b[i] + b[i+4];\n+ }\n+ */\n+\n+ accum2 \u003d widemul(\u0026a[0],\u0026b[3]);\n+ accum0 \u003d widemul(\u0026aa[0],\u0026bb[3]);\n+ accum1 \u003d widemul(\u0026a[4],\u0026b[7]);\n+\n+ mac(\u0026accum2, \u0026a[1], \u0026b[2]);\n+ mac(\u0026accum0, \u0026aa[1], \u0026bb[2]);\n+ mac(\u0026accum1, \u0026a[5], \u0026b[6]);\n+\n+ mac(\u0026accum2, \u0026a[2], \u0026b[1]);\n+ mac(\u0026accum0, \u0026aa[2], \u0026bb[1]);\n+ mac(\u0026accum1, \u0026a[6], \u0026b[5]);\n+\n+ mac(\u0026accum2, \u0026a[3], \u0026b[0]);\n+ mac(\u0026accum0, \u0026aa[3], \u0026bb[0]);\n+ mac(\u0026accum1, \u0026a[7], \u0026b[4]);\n+\n+ accum0 -\u003d accum2;\n+ accum1 +\u003d accum2;\n+\n+ c[3] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+ c[7] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+ \n+ mac(\u0026accum0, \u0026aa[1],\u0026bb[3]);\n+ mac(\u0026accum1, \u0026a[5], \u0026b[7]);\n+ mac(\u0026accum0, \u0026aa[2], \u0026bb[2]);\n+ mac(\u0026accum1, 
\u0026a[6], \u0026b[6]);\n+ mac(\u0026accum0, \u0026aa[3], \u0026bb[1]);\n+ accum1 +\u003d accum0;\n+\n+ accum2 \u003d widemul(\u0026a[0],\u0026b[0]);\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+ \n+ msb(\u0026accum0, \u0026a[1], \u0026b[3]);\n+ msb(\u0026accum0, \u0026a[2], \u0026b[2]);\n+ mac(\u0026accum1, \u0026a[7], \u0026b[5]);\n+ msb(\u0026accum0, \u0026a[3], \u0026b[1]);\n+ mac(\u0026accum1, \u0026aa[0], \u0026bb[0]);\n+ mac(\u0026accum0, \u0026a[4], \u0026b[4]);\n+\n+ c[0] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[4] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum2 \u003d widemul(\u0026a[2],\u0026b[7]);\n+ mac(\u0026accum0, \u0026a[6], \u0026bb[3]);\n+ mac(\u0026accum1, \u0026aa[2], \u0026bbb[3]);\n+\n+ mac(\u0026accum2, \u0026a[3], \u0026b[6]);\n+ mac(\u0026accum0, \u0026a[7], \u0026bb[2]);\n+ mac(\u0026accum1, \u0026aa[3], \u0026bbb[2]);\n+\n+ mac(\u0026accum2, \u0026a[0],\u0026b[1]);\n+ mac(\u0026accum1, \u0026aa[0], \u0026bb[1]);\n+ mac(\u0026accum0, \u0026a[4], \u0026b[5]);\n+\n+ mac(\u0026accum2, \u0026a[1], \u0026b[0]);\n+ mac(\u0026accum1, \u0026aa[1], \u0026bb[0]);\n+ mac(\u0026accum0, \u0026a[5], \u0026b[4]);\n+\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[1] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[5] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum2 \u003d widemul(\u0026a[3],\u0026b[7]);\n+ mac(\u0026accum0, \u0026a[7], \u0026bb[3]);\n+ mac(\u0026accum1, \u0026aa[3], \u0026bbb[3]);\n+\n+ mac(\u0026accum2, \u0026a[0],\u0026b[2]);\n+ mac(\u0026accum1, \u0026aa[0], \u0026bb[2]);\n+ mac(\u0026accum0, \u0026a[4], \u0026b[6]);\n+\n+ mac(\u0026accum2, \u0026a[1], \u0026b[1]);\n+ mac(\u0026accum1, \u0026aa[1], \u0026bb[1]);\n+ mac(\u0026accum0, \u0026a[5], \u0026b[5]);\n+\n+ mac(\u0026accum2, \u0026a[2], \u0026b[0]);\n+ mac(\u0026accum1, \u0026aa[2], \u0026bb[0]);\n+ 
mac(\u0026accum0, \u0026a[6], \u0026b[4]);\n+\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[2] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[6] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum0 +\u003d c[3];\n+ accum1 +\u003d c[7];\n+ c[3] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[7] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ /* we could almost stop here, but it wouldn't be stable, so... */\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+ c[4] +\u003d ((uint64_t)(accum0)) + ((uint64_t)(accum1));\n+ c[0] +\u003d ((uint64_t)(accum1));\n+}\n+\n+void gf_mulw_unsigned (gf_s *__restrict__ cs, const gf as, uint32_t b) {\n+ const uint64_t *a \u003d as-\u003elimb;\n+ uint64_t *c \u003d cs-\u003elimb;\n+\n+ __uint128_t accum0, accum4;\n+ uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n+\n+ accum0 \u003d widemul_rm(b, \u0026a[0]);\n+ accum4 \u003d widemul_rm(b, \u0026a[4]);\n+\n+ c[0] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 56;\n+ c[4] \u003d accum4 \u0026 mask; accum4 \u003e\u003e\u003d 56;\n+\n+ mac_rm(\u0026accum0, b, \u0026a[1]);\n+ mac_rm(\u0026accum4, b, \u0026a[5]);\n+\n+ c[1] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 56;\n+ c[5] \u003d accum4 \u0026 mask; accum4 \u003e\u003e\u003d 56;\n+\n+ mac_rm(\u0026accum0, b, \u0026a[2]);\n+ mac_rm(\u0026accum4, b, \u0026a[6]);\n+\n+ c[2] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 56;\n+ c[6] \u003d accum4 \u0026 mask; accum4 \u003e\u003e\u003d 56;\n+\n+ mac_rm(\u0026accum0, b, \u0026a[3]);\n+ mac_rm(\u0026accum4, b, \u0026a[7]);\n+\n+ c[3] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 56;\n+ c[7] \u003d accum4 \u0026 mask; accum4 \u003e\u003e\u003d 56;\n+ \n+ accum0 +\u003d accum4 + c[4];\n+ c[4] \u003d accum0 \u0026 mask;\n+ c[5] +\u003d accum0 \u003e\u003e 56;\n+\n+ accum4 +\u003d c[0];\n+ c[0] \u003d accum4 \u0026 mask;\n+ c[1] +\u003d accum4 \u003e\u003e 
56;\n+}\n+\n+void gf_sqr (gf_s *__restrict__ cs, const gf as) {\n+ const uint64_t *a \u003d as-\u003elimb;\n+ uint64_t *c \u003d cs-\u003elimb;\n+\n+ __uint128_t accum0 \u003d 0, accum1 \u003d 0, accum2;\n+ uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n+\n+ uint64_t aa[4] VECTOR_ALIGNED;\n+\n+ /* For some reason clang doesn't vectorize this without prompting? */\n+ unsigned int i;\n+ for (i\u003d0; i\u003csizeof(aa)/sizeof(uint64xn_t); i++) {\n+ ((uint64xn_t*)aa)[i] \u003d ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)(\u0026a[4]))[i];\n+ }\n+\n+ accum2 \u003d widemul(\u0026a[0],\u0026a[3]);\n+ accum0 \u003d widemul(\u0026aa[0],\u0026aa[3]);\n+ accum1 \u003d widemul(\u0026a[4],\u0026a[7]);\n+\n+ mac(\u0026accum2, \u0026a[1], \u0026a[2]);\n+ mac(\u0026accum0, \u0026aa[1], \u0026aa[2]);\n+ mac(\u0026accum1, \u0026a[5], \u0026a[6]);\n+\n+ accum0 -\u003d accum2;\n+ accum1 +\u003d accum2;\n+\n+ c[3] \u003d ((uint64_t)(accum1))\u003c\u003c1 \u0026 mask;\n+ c[7] \u003d ((uint64_t)(accum0))\u003c\u003c1 \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 55;\n+ accum1 \u003e\u003e\u003d 55;\n+\n+ mac2(\u0026accum0, \u0026aa[1],\u0026aa[3]);\n+ mac2(\u0026accum1, \u0026a[5], \u0026a[7]);\n+ mac(\u0026accum0, \u0026aa[2], \u0026aa[2]);\n+ accum1 +\u003d accum0;\n+\n+ msb2(\u0026accum0, \u0026a[1], \u0026a[3]);\n+ mac(\u0026accum1, \u0026a[6], \u0026a[6]);\n+ \n+ accum2 \u003d widemul(\u0026a[0],\u0026a[0]);\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ msb(\u0026accum0, \u0026a[2], \u0026a[2]);\n+ mac(\u0026accum1, \u0026aa[0], \u0026aa[0]);\n+ mac(\u0026accum0, \u0026a[4], \u0026a[4]);\n+\n+ c[0] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[4] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum2 \u003d widemul2(\u0026aa[2],\u0026aa[3]);\n+ msb2(\u0026accum0, \u0026a[2], \u0026a[3]);\n+ mac2(\u0026accum1, \u0026a[6], \u0026a[7]);\n+\n+ accum1 +\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ 
accum2 \u003d widemul2(\u0026a[0],\u0026a[1]);\n+ mac2(\u0026accum1, \u0026aa[0], \u0026aa[1]);\n+ mac2(\u0026accum0, \u0026a[4], \u0026a[5]);\n+\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[1] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[5] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum2 \u003d widemul(\u0026aa[3],\u0026aa[3]);\n+ msb(\u0026accum0, \u0026a[3], \u0026a[3]);\n+ mac(\u0026accum1, \u0026a[7], \u0026a[7]);\n+\n+ accum1 +\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ accum2 \u003d widemul2(\u0026a[0],\u0026a[2]);\n+ mac2(\u0026accum1, \u0026aa[0], \u0026aa[2]);\n+ mac2(\u0026accum0, \u0026a[4], \u0026a[6]);\n+\n+ mac(\u0026accum2, \u0026a[1], \u0026a[1]);\n+ mac(\u0026accum1, \u0026aa[1], \u0026aa[1]);\n+ mac(\u0026accum0, \u0026a[5], \u0026a[5]);\n+\n+ accum1 -\u003d accum2;\n+ accum0 +\u003d accum2;\n+\n+ c[2] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[6] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+\n+ accum0 +\u003d c[3];\n+ accum1 +\u003d c[7];\n+ c[3] \u003d ((uint64_t)(accum0)) \u0026 mask;\n+ c[7] \u003d ((uint64_t)(accum1)) \u0026 mask;\n+\n+ /* we could almost stop here, but it wouldn't be stable, so... */\n+\n+ accum0 \u003e\u003e\u003d 56;\n+ accum1 \u003e\u003e\u003d 56;\n+ c[4] +\u003d ((uint64_t)(accum0)) + ((uint64_t)(accum1));\n+ c[0] +\u003d ((uint64_t)(accum1));\n+}\ndiff --git a/crypto/ec/curve448/arch_x86_64/f_impl.h b/crypto/ec/curve448/arch_x86_64/f_impl.h\nnew file mode 100644\nindex 0000000..a85044a\n--- /dev/null\n+++ b/crypto/ec/curve448/arch_x86_64/f_impl.h\n@@ -0,0 +1,65 @@\n+/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n+ * Released under the MIT License. 
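Review bot: gf_mul and gf_sqr load the caller's limbs through `(const uint64xn_t*)a` and `(const uint64xn_t*)b`, but only the local aa/bb/bbb arrays are marked VECTOR_ALIGNED, so both functions rely on every gf passed in being aligned to the vector width. The gf_s declaration is outside this hunk, so this may already hold; a comment above each function would make the precondition visible, e.g. `/* as, bs: limb arrays must be vector-aligned; they are read as uint64xn_t */`. The commented-out scalar loop in gf_mul no longer matches the vector loop (it does not compute bbb) and is better removed or brought up to date.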
See LICENSE.txt for license information.\n+ */\n+\n+#define GF_HEADROOM 60\n+#define FIELD_LITERAL(a,b,c,d,e,f,g,h) {{a,b,c,d,e,f,g,h}}\n+#define LIMB_PLACE_VALUE(i) 56\n+\n+void gf_add_RAW (gf out, const gf a, const gf b) {\n+ for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint64xn_t); i++) {\n+ ((uint64xn_t*)out)[i] \u003d ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)b)[i];\n+ }\n+ /*\n+ unsigned int i;\n+ for (i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n+ out-\u003elimb[i] \u003d a-\u003elimb[i] + b-\u003elimb[i];\n+ }\n+ */\n+}\n+\n+void gf_sub_RAW (gf out, const gf a, const gf b) {\n+ for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint64xn_t); i++) {\n+ ((uint64xn_t*)out)[i] \u003d ((const uint64xn_t*)a)[i] - ((const uint64xn_t*)b)[i];\n+ }\n+ /*\n+ unsigned int i;\n+ for (i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n+ out-\u003elimb[i] \u003d a-\u003elimb[i] - b-\u003elimb[i];\n+ }\n+ */\n+}\n+\n+void gf_bias (gf a, int amt) {\n+ uint64_t co1 \u003d ((1ull\u003c\u003c56)-1)*amt, co2 \u003d co1-amt;\n+ \n+#if __AVX2__\n+ uint64x4_t lo \u003d {co1,co1,co1,co1}, hi \u003d {co2,co1,co1,co1};\n+ uint64x4_t *aa \u003d (uint64x4_t*) a;\n+ aa[0] +\u003d lo;\n+ aa[1] +\u003d hi;\n+#elif __SSE2__\n+ uint64x2_t lo \u003d {co1,co1}, hi \u003d {co2,co1};\n+ uint64x2_t *aa \u003d (uint64x2_t*) a;\n+ aa[0] +\u003d lo;\n+ aa[1] +\u003d lo;\n+ aa[2] +\u003d hi;\n+ aa[3] +\u003d lo;\n+#else\n+ for (unsigned int i\u003d0; i\u003csizeof(*a)/sizeof(uint64_t); i++) {\n+ a-\u003elimb[i] +\u003d (i\u003d\u003d4) ? 
co2 : co1;\n+ }\n+#endif\n+}\n+\n+void gf_weak_reduce (gf a) {\n+ /* PERF: use pshufb/palignr if anyone cares about speed of this */\n+ uint64_t mask \u003d (1ull\u003c\u003c56) - 1;\n+ uint64_t tmp \u003d a-\u003elimb[7] \u003e\u003e 56;\n+ a-\u003elimb[4] +\u003d tmp;\n+ for (unsigned int i\u003d7; i\u003e0; i--) {\n+ a-\u003elimb[i] \u003d (a-\u003elimb[i] \u0026 mask) + (a-\u003elimb[i-1]\u003e\u003e56);\n+ }\n+ a-\u003elimb[0] \u003d (a-\u003elimb[0] \u0026 mask) + tmp;\n+}\n+\ndiff --git a/crypto/ec/curve448/constant_time.h b/crypto/ec/curve448/constant_time.h\nnew file mode 100644\nindex 0000000..025ffe1\n--- /dev/null\n+++ b/crypto/ec/curve448/constant_time.h\n@@ -0,0 +1,362 @@\n+/**\n+ * @file constant_time.h\n+ * @copyright\n+ * Copyright (c) 2014 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ * @author Mike Hamburg\n+ *\n+ * @brief Constant-time routines.\n+ */\n+\n+#ifndef __CONSTANT_TIME_H__\n+#define __CONSTANT_TIME_H__ 1\n+\n+#include \u0022word.h\u0022\n+#include \u003cstring.h\u003e\n+\n+/*\n+ * Constant-time operations on hopefully-compile-time-sized memory\n+ * regions. Needed for flexibility / demagication: not all fields\n+ * have sizes which are multiples of the vector width, necessitating\n+ * a change from the Ed448 versions.\n+ *\n+ * These routines would be much simpler to define at the byte level,\n+ * but if not vectorized they would be a significant fraction of the\n+ * runtime. Eg on NEON-less ARM, constant_time_lookup is like 15% of\n+ * signing time, vs 6% on Haswell with its fancy AVX2 vectors.\n+ *\n+ * If the compiler could do a good job of autovectorizing the code,\n+ * we could just leave it with the byte definition. 
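Review bot: gf_bias takes `int amt` and folds it into `uint64_t co1 = ((1ull<<56)-1)*amt`, so a negative amt is converted to a large unsigned value and the bias wraps silently. The callers are outside this hunk and presumably pass small positive constants. Stating that on the function, e.g. `/* amt must be small and non-negative; it is not range-checked */`, or declaring the parameter `unsigned int amt` if the prototype elsewhere allows it, would keep the limb-headroom assumption explicit.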
But that's unlikely\n+ * on most deployed compilers, especially if you consider that pcmpeq[size]\n+ * is much faster than moving a scalar to the vector unit (which is what\n+ * a naive autovectorizer will do with constant_time_lookup on Intel).\n+ *\n+ * Instead, we're putting our trust in the loop unroller and unswitcher.\n+ */\n+\n+\n+/**\n+ * Unaligned big (vector?) register.\n+ */\n+typedef struct {\n+ big_register_t unaligned;\n+} __attribute__((packed)) unaligned_br_t;\n+\n+/**\n+ * Unaligned word register, for architectures where that matters.\n+ */\n+typedef struct {\n+ word_t unaligned;\n+} __attribute__((packed)) unaligned_word_t;\n+\n+/**\n+ * @brief Constant-time conditional swap.\n+ *\n+ * If doswap, then swap elem_bytes between *a and *b.\n+ *\n+ * *a and *b must not alias. Also, they must be at least as aligned\n+ * as their sizes, if the CPU cares about that sort of thing.\n+ */\n+static __inline__ void\n+__attribute__((unused,always_inline))\n+constant_time_cond_swap (\n+ void *__restrict__ a_,\n+ void *__restrict__ b_,\n+ word_t elem_bytes,\n+ mask_t doswap\n+) {\n+ word_t k;\n+ unsigned char *a \u003d (unsigned char *)a_;\n+ unsigned char *b \u003d (unsigned char *)b_;\n+ \n+ big_register_t br_mask \u003d br_set_to_mask(doswap);\n+ for (k\u003d0; k\u003c\u003delem_bytes-sizeof(big_register_t); k+\u003dsizeof(big_register_t)) {\n+ if (elem_bytes % sizeof(big_register_t)) {\n+ /* unaligned */\n+ big_register_t xor \u003d\n+ ((unaligned_br_t*)(\u0026a[k]))-\u003eunaligned\n+ ^ ((unaligned_br_t*)(\u0026b[k]))-\u003eunaligned;\n+ xor \u0026\u003d br_mask;\n+ ((unaligned_br_t*)(\u0026a[k]))-\u003eunaligned ^\u003d xor;\n+ ((unaligned_br_t*)(\u0026b[k]))-\u003eunaligned ^\u003d xor;\n+ } else {\n+ /* aligned */\n+ big_register_t xor \u003d\n+ *((big_register_t*)(\u0026a[k]))\n+ ^ *((big_register_t*)(\u0026b[k]));\n+ xor \u0026\u003d br_mask;\n+ *((big_register_t*)(\u0026a[k])) ^\u003d xor;\n+ *((big_register_t*)(\u0026b[k])) ^\u003d xor;\n+ }\n+ 
}\n+\n+ if (elem_bytes % sizeof(big_register_t) \u003e\u003d sizeof(word_t)) {\n+ for (; k\u003c\u003delem_bytes-sizeof(word_t); k+\u003dsizeof(word_t)) {\n+ if (elem_bytes % sizeof(word_t)) {\n+ /* unaligned */\n+ word_t xor \u003d\n+ ((unaligned_word_t*)(\u0026a[k]))-\u003eunaligned\n+ ^ ((unaligned_word_t*)(\u0026b[k]))-\u003eunaligned;\n+ xor \u0026\u003d doswap;\n+ ((unaligned_word_t*)(\u0026a[k]))-\u003eunaligned ^\u003d xor;\n+ ((unaligned_word_t*)(\u0026b[k]))-\u003eunaligned ^\u003d xor;\n+ } else {\n+ /* aligned */\n+ word_t xor \u003d\n+ *((word_t*)(\u0026a[k]))\n+ ^ *((word_t*)(\u0026b[k]));\n+ xor \u0026\u003d doswap;\n+ *((word_t*)(\u0026a[k])) ^\u003d xor;\n+ *((word_t*)(\u0026b[k])) ^\u003d xor;\n+ }\n+ }\n+ }\n+ \n+ if (elem_bytes % sizeof(word_t)) {\n+ for (; k\u003celem_bytes; k+\u003d1) {\n+ unsigned char xor \u003d a[k] ^ b[k];\n+ xor \u0026\u003d doswap;\n+ a[k] ^\u003d xor;\n+ b[k] ^\u003d xor;\n+ }\n+ }\n+}\n+\n+/**\n+ * @brief Constant-time equivalent of memcpy(out, table + elem_bytes*idx, elem_bytes);\n+ *\n+ * The table must be at least as aligned as elem_bytes. 
The output must be word aligned,\n+ * and if the input size is vector aligned it must also be vector aligned.\n+ *\n+ * The table and output must not alias.\n+ */\n+static __inline__ void\n+__attribute__((unused,always_inline))\n+constant_time_lookup (\n+ void *__restrict__ out_,\n+ const void *table_,\n+ word_t elem_bytes,\n+ word_t n_table,\n+ word_t idx\n+) {\n+ big_register_t big_one \u003d br_set_to_mask(1), big_i \u003d br_set_to_mask(idx);\n+ \n+ /* Can't do pointer arithmetic on void* */\n+ unsigned char *out \u003d (unsigned char *)out_;\n+ const unsigned char *table \u003d (const unsigned char *)table_;\n+ word_t j,k;\n+ \n+ memset(out, 0, elem_bytes);\n+ for (j\u003d0; j\u003cn_table; j++, big_i-\u003dbig_one) { \n+ big_register_t br_mask \u003d br_is_zero(big_i);\n+ for (k\u003d0; k\u003c\u003delem_bytes-sizeof(big_register_t); k+\u003dsizeof(big_register_t)) {\n+ if (elem_bytes % sizeof(big_register_t)) {\n+ /* unaligned */\n+ ((unaligned_br_t *)(out+k))-\u003eunaligned\n+\t\t\t|\u003d br_mask \u0026 ((const unaligned_br_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned;\n+ } else {\n+ /* aligned */\n+ *(big_register_t *)(out+k) |\u003d br_mask \u0026 *(const big_register_t*)(\u0026table[k+j*elem_bytes]);\n+ }\n+ }\n+\n+ word_t mask \u003d word_is_zero(idx^j);\n+ if (elem_bytes % sizeof(big_register_t) \u003e\u003d sizeof(word_t)) {\n+ for (; k\u003c\u003delem_bytes-sizeof(word_t); k+\u003dsizeof(word_t)) {\n+ if (elem_bytes % sizeof(word_t)) {\n+ /* input unaligned, output aligned */\n+ *(word_t *)(out+k) |\u003d mask \u0026 ((const unaligned_word_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned;\n+ } else {\n+ /* aligned */\n+ *(word_t *)(out+k) |\u003d mask \u0026 *(const word_t*)(\u0026table[k+j*elem_bytes]);\n+ }\n+ }\n+ }\n+ \n+ if (elem_bytes % sizeof(word_t)) {\n+ for (; k\u003celem_bytes; k+\u003d1) {\n+ out[k] |\u003d mask \u0026 table[k+j*elem_bytes];\n+ }\n+ }\n+ }\n+}\n+\n+/**\n+ * @brief Constant-time equivalent of memcpy(table + 
elem_bytes*idx, in, elem_bytes);\n+ *\n+ * The table must be at least as aligned as elem_bytes. The input must be word aligned,\n+ * and if the output size is vector aligned it must also be vector aligned.\n+ *\n+ * The table and input must not alias.\n+ */\n+static __inline__ void\n+__attribute__((unused,always_inline))\n+constant_time_insert (\n+ void *__restrict__ table_,\n+ const void *in_,\n+ word_t elem_bytes,\n+ word_t n_table,\n+ word_t idx\n+) {\n+ big_register_t big_one \u003d br_set_to_mask(1), big_i \u003d br_set_to_mask(idx);\n+ \n+ /* Can't do pointer arithmetic on void* */\n+ const unsigned char *in \u003d (const unsigned char *)in_;\n+ unsigned char *table \u003d (unsigned char *)table_;\n+ word_t j,k;\n+ \n+ for (j\u003d0; j\u003cn_table; j++, big_i-\u003dbig_one) { \n+ big_register_t br_mask \u003d br_is_zero(big_i);\n+ for (k\u003d0; k\u003c\u003delem_bytes-sizeof(big_register_t); k+\u003dsizeof(big_register_t)) {\n+ if (elem_bytes % sizeof(big_register_t)) {\n+ /* unaligned */\n+ ((unaligned_br_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned\n+ \u003d ( ((unaligned_br_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned \u0026 ~br_mask )\n+ | ( ((const unaligned_br_t *)(in+k))-\u003eunaligned \u0026 br_mask );\n+ } else {\n+ /* aligned */\n+ *(big_register_t*)(\u0026table[k+j*elem_bytes])\n+ \u003d ( *(big_register_t*)(\u0026table[k+j*elem_bytes]) \u0026 ~br_mask )\n+ | ( *(const big_register_t *)(in+k) \u0026 br_mask );\n+ }\n+ }\n+\n+ word_t mask \u003d word_is_zero(idx^j);\n+ if (elem_bytes % sizeof(big_register_t) \u003e\u003d sizeof(word_t)) {\n+ for (; k\u003c\u003delem_bytes-sizeof(word_t); k+\u003dsizeof(word_t)) {\n+ if (elem_bytes % sizeof(word_t)) {\n+ /* output unaligned, input aligned */\n+ ((unaligned_word_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned\n+ \u003d ( ((unaligned_word_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned \u0026 ~mask )\n+ | ( *(const word_t *)(in+k) \u0026 mask );\n+ } else {\n+ /* aligned */\n+ 
*(word_t*)(\u0026table[k+j*elem_bytes])\n+ \u003d ( *(word_t*)(\u0026table[k+j*elem_bytes]) \u0026 ~mask )\n+ | ( *(const word_t *)(in+k) \u0026 mask );\n+ }\n+ }\n+ }\n+ \n+ if (elem_bytes % sizeof(word_t)) {\n+ for (; k\u003celem_bytes; k+\u003d1) {\n+ table[k+j*elem_bytes]\n+ \u003d ( table[k+j*elem_bytes] \u0026 ~mask )\n+ | ( in[k] \u0026 mask );\n+ }\n+ }\n+ }\n+}\n+\n+/**\n+ * @brief Constant-time a \u003d b\u0026mask.\n+ *\n+ * The input and output must be at least as aligned as elem_bytes.\n+ */\n+static __inline__ void\n+__attribute__((unused,always_inline))\n+constant_time_mask (\n+ void * a_,\n+ const void *b_,\n+ word_t elem_bytes,\n+ mask_t mask\n+) {\n+ unsigned char *a \u003d (unsigned char *)a_;\n+ const unsigned char *b \u003d (const unsigned char *)b_;\n+ \n+ word_t k;\n+ big_register_t br_mask \u003d br_set_to_mask(mask);\n+ for (k\u003d0; k\u003c\u003delem_bytes-sizeof(big_register_t); k+\u003dsizeof(big_register_t)) {\n+ if (elem_bytes % sizeof(big_register_t)) {\n+ /* unaligned */\n+ ((unaligned_br_t*)(\u0026a[k]))-\u003eunaligned \u003d br_mask \u0026 ((const unaligned_br_t*)(\u0026b[k]))-\u003eunaligned;\n+ } else {\n+ /* aligned */\n+ *(big_register_t *)(a+k) \u003d br_mask \u0026 *(const big_register_t*)(\u0026b[k]);\n+ }\n+ }\n+\n+ if (elem_bytes % sizeof(big_register_t) \u003e\u003d sizeof(word_t)) {\n+ for (; k\u003c\u003delem_bytes-sizeof(word_t); k+\u003dsizeof(word_t)) {\n+ if (elem_bytes % sizeof(word_t)) {\n+ /* unaligned */\n+ ((unaligned_word_t*)(\u0026a[k]))-\u003eunaligned \u003d mask \u0026 ((const unaligned_word_t*)(\u0026b[k]))-\u003eunaligned;\n+ } else {\n+ /* aligned */\n+ *(word_t *)(a+k) \u003d mask \u0026 *(const word_t*)(\u0026b[k]);\n+ }\n+ }\n+ }\n+ \n+ if (elem_bytes % sizeof(word_t)) {\n+ for (; k\u003celem_bytes; k+\u003d1) {\n+ a[k] \u003d mask \u0026 b[k];\n+ }\n+ }\n+}\n+\n+/**\n+ * @brief Constant-time a \u003d mask ? 
bTrue : bFalse.\n+ *\n+ * The input and output must be at least as aligned as alignment_bytes\n+ * or their size, whichever is smaller.\n+ *\n+ * Note that the output is not __restrict__, but if it overlaps either\n+ * input, it must be equal and not partially overlap.\n+ */\n+static __inline__ void\n+__attribute__((unused,always_inline))\n+constant_time_select (\n+ void *a_,\n+ const void *bFalse_,\n+ const void *bTrue_,\n+ word_t elem_bytes,\n+ mask_t mask,\n+ size_t alignment_bytes\n+) {\n+ unsigned char *a \u003d (unsigned char *)a_;\n+ const unsigned char *bTrue \u003d (const unsigned char *)bTrue_;\n+ const unsigned char *bFalse \u003d (const unsigned char *)bFalse_;\n+ \n+ alignment_bytes |\u003d elem_bytes;\n+\n+ word_t k;\n+ big_register_t br_mask \u003d br_set_to_mask(mask);\n+ for (k\u003d0; k\u003c\u003delem_bytes-sizeof(big_register_t); k+\u003dsizeof(big_register_t)) {\n+ if (alignment_bytes % sizeof(big_register_t)) {\n+ /* unaligned */\n+ ((unaligned_br_t*)(\u0026a[k]))-\u003eunaligned \u003d\n+\t\t ( br_mask \u0026 ((const unaligned_br_t*)(\u0026bTrue [k]))-\u003eunaligned)\n+\t\t| (~br_mask \u0026 ((const unaligned_br_t*)(\u0026bFalse[k]))-\u003eunaligned);\n+ } else {\n+ /* aligned */\n+ *(big_register_t *)(a+k) \u003d\n+\t\t ( br_mask \u0026 *(const big_register_t*)(\u0026bTrue [k]))\n+\t\t| (~br_mask \u0026 *(const big_register_t*)(\u0026bFalse[k]));\n+ }\n+ }\n+\n+ if (elem_bytes % sizeof(big_register_t) \u003e\u003d sizeof(word_t)) {\n+ for (; k\u003c\u003delem_bytes-sizeof(word_t); k+\u003dsizeof(word_t)) {\n+ if (alignment_bytes % sizeof(word_t)) {\n+ /* unaligned */\n+ ((unaligned_word_t*)(\u0026a[k]))-\u003eunaligned \u003d\n+\t\t ( mask \u0026 ((const unaligned_word_t*)(\u0026bTrue [k]))-\u003eunaligned)\n+\t\t | (~mask \u0026 ((const unaligned_word_t*)(\u0026bFalse[k]))-\u003eunaligned);\n+ } else {\n+ /* aligned */\n+ *(word_t *)(a+k) \u003d\n+\t\t ( mask \u0026 *(const word_t*)(\u0026bTrue [k]))\n+\t\t | (~mask \u0026 *(const 
word_t*)(\u0026bFalse[k]));\n+ }\n+ }\n+ }\n+ \n+ if (elem_bytes % sizeof(word_t)) {\n+ for (; k\u003celem_bytes; k+\u003d1) {\n+ a[k] \u003d ( mask \u0026 bTrue[k]) | (~mask \u0026 bFalse[k]);\n+ }\n+ }\n+}\n+\n+#endif /* __CONSTANT_TIME_H__ */\ndiff --git a/crypto/ec/curve448/decaf.c b/crypto/ec/curve448/decaf.c\nnew file mode 100644\nindex 0000000..3fdc491\n--- /dev/null\n+++ b/crypto/ec/curve448/decaf.c\n@@ -0,0 +1,1598 @@\n+/**\n+ * @file ed448goldilocks/decaf.c\n+ * @author Mike Hamburg\n+ *\n+ * @copyright\n+ * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ *\n+ * @brief Decaf high-level functions.\n+ *\n+ * @warning This file was automatically generated in Python.\n+ * Please do not edit it.\n+ */\n+#define _XOPEN_SOURCE 600 /* for posix_memalign */\n+#include \u0022word.h\u0022\n+#include \u0022field.h\u0022\n+\n+#include \u003cdecaf.h\u003e\n+#include \u003cdecaf/ed448.h\u003e\n+\n+/* Template stuff */\n+#define API_NS(_id) decaf_448_##_id\n+#define SCALAR_BITS DECAF_448_SCALAR_BITS\n+#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES\n+#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS\n+#define scalar_t API_NS(scalar_t)\n+#define point_t API_NS(point_t)\n+#define precomputed_s API_NS(precomputed_s)\n+#define IMAGINE_TWIST 0\n+#define COFACTOR 4\n+\n+/* Comb config: number of combs, n, t, s. 
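Review bot: The vector loop bound `k<=elem_bytes-sizeof(big_register_t)` is evaluated in unsigned arithmetic (sizeof yields size_t), so when elem_bytes is smaller than sizeof(big_register_t) the subtraction wraps and the loop reads and writes far past both buffers. The same bound appears in constant_time_cond_swap, constant_time_lookup, constant_time_insert, constant_time_mask and constant_time_select; the word-sized loops are protected by the enclosing `elem_bytes % sizeof(big_register_t) >= sizeof(word_t)` test, but the vector loops have no such guard. Writing the condition as `k+sizeof(big_register_t)<=elem_bytes` removes the wrap without changing behaviour for larger sizes. Callers are outside this hunk and presumably pass sizes of at least one vector, but nothing in the header states or enforces that.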
*/\n+#define COMBS_N 5\n+#define COMBS_T 5\n+#define COMBS_S 18\n+#define DECAF_WINDOW_BITS 5\n+#define DECAF_WNAF_FIXED_TABLE_BITS 5\n+#define DECAF_WNAF_VAR_TABLE_BITS 3\n+\n+#define EDDSA_USE_SIGMA_ISOGENY 0\n+\n+static const int EDWARDS_D \u003d -39081;\n+static const scalar_t point_scalarmul_adjustment \u003d {{{\n+ SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)\n+}}}, precomputed_scalarmul_adjustment \u003d {{{\n+ SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)\n+}}};\n+\n+const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] \u003d { 0x05 };\n+\n+#define RISTRETTO_FACTOR DECAF_448_RISTRETTO_FACTOR\n+const gf RISTRETTO_FACTOR \u003d {{{\n+ 0x42ef0f45572736, 0x7bf6aa20ce5296, 0xf4fd6eded26033, 0x968c14ba839a66, 0xb8d54b64a2d780, 0x6aa0a1f1a7b8a5, 0x683bf68d722fa2, 0x22d962fbeb24f7\n+}}};\n+\n+#if IMAGINE_TWIST\n+#define TWISTED_D (-(EDWARDS_D))\n+#else\n+#define TWISTED_D ((EDWARDS_D)-1)\n+#endif\n+\n+#if TWISTED_D \u003c 0\n+#define EFF_D (-(TWISTED_D))\n+#define NEG_D 1\n+#else\n+#define EFF_D TWISTED_D\n+#define NEG_D 0\n+#endif\n+\n+/* End of template stuff */\n+\n+/* Sanity */\n+#if (COFACTOR \u003d\u003d 8) \u0026\u0026 !IMAGINE_TWIST \u0026\u0026 !UNSAFE_CURVE_HAS_POINTS_AT_INFINITY\n+/* FUTURE MAGIC: Curve41417 doesn't have these properties. 
*/\n+#error \u0022Currently require IMAGINE_TWIST (and thus p\u003d5 mod 8) for cofactor 8\u0022\n+ /* OK, but why?\n+ * Two reasons: #1: There are bugs when COFACTOR \u003d\u003d \u0026\u0026 IMAGINE_TWIST\n+ # #2: \n+ */\n+#endif\n+\n+#if IMAGINE_TWIST \u0026\u0026 (P_MOD_8 !\u003d 5)\n+ #error \u0022Cannot use IMAGINE_TWIST except for p \u003d\u003d 5 mod 8\u0022\n+#endif\n+\n+#if (COFACTOR !\u003d 8) \u0026\u0026 (COFACTOR !\u003d 4)\n+ #error \u0022COFACTOR must be 4 or 8\u0022\n+#endif\n+ \n+#if IMAGINE_TWIST\n+ extern const gf SQRT_MINUS_ONE;\n+#endif\n+\n+#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */\n+\n+extern const point_t API_NS(point_base);\n+\n+/* Projective Niels coordinates */\n+typedef struct { gf a, b, c; } niels_s, niels_t[1];\n+typedef struct { niels_t n; gf z; } VECTOR_ALIGNED pniels_s, pniels_t[1];\n+\n+/* Precomputed base */\n+struct precomputed_s { niels_t table [COMBS_N\u003c\u003c(COMBS_T-1)]; };\n+\n+extern const gf API_NS(precomputed_base_as_fe)[];\n+const precomputed_s *API_NS(precomputed_base) \u003d\n+ (const precomputed_s *) \u0026API_NS(precomputed_base_as_fe);\n+\n+const size_t API_NS(sizeof_precomputed_s) \u003d sizeof(precomputed_s);\n+const size_t API_NS(alignof_precomputed_s) \u003d sizeof(big_register_t);\n+\n+/** Inverse. 
*/\n+static void\n+gf_invert(gf y, const gf x, int assert_nonzero) {\n+ gf t1, t2;\n+ gf_sqr(t1, x); // o^2\n+ mask_t ret \u003d gf_isr(t2, t1); // +-1/sqrt(o^2) \u003d +-1/o\n+ (void)ret;\n+ if (assert_nonzero) assert(ret);\n+ gf_sqr(t1, t2);\n+ gf_mul(t2, t1, x); // not direct to y in case of alias.\n+ gf_copy(y, t2);\n+}\n+\n+/** identity \u003d (0,1) */\n+const point_t API_NS(point_identity) \u003d {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};\n+\n+/* Predeclare because not static: called by elligator */\n+void API_NS(deisogenize) (\n+ gf_s *__restrict__ s,\n+ gf_s *__restrict__ inv_el_sum,\n+ gf_s *__restrict__ inv_el_m1,\n+ const point_t p,\n+ mask_t toggle_s,\n+ mask_t toggle_altx,\n+ mask_t toggle_rotation\n+);\n+\n+void API_NS(deisogenize) (\n+ gf_s *__restrict__ s,\n+ gf_s *__restrict__ inv_el_sum,\n+ gf_s *__restrict__ inv_el_m1,\n+ const point_t p,\n+ mask_t toggle_s,\n+ mask_t toggle_altx,\n+ mask_t toggle_rotation\n+) {\n+#if COFACTOR \u003d\u003d 4 \u0026\u0026 !IMAGINE_TWIST\n+ (void)toggle_rotation; /* Only applies to cofactor 8 */\n+ gf t1;\n+ gf_s *t2 \u003d s, *t3\u003dinv_el_sum, *t4\u003dinv_el_m1;\n+ \n+ gf_add(t1,p-\u003ex,p-\u003et);\n+ gf_sub(t2,p-\u003ex,p-\u003et);\n+ gf_mul(t3,t1,t2); /* t3 \u003d num */\n+ gf_sqr(t2,p-\u003ex);\n+ gf_mul(t1,t2,t3);\n+ gf_mulw(t2,t1,-1-TWISTED_D); /* -x^2 * (a-d) * num */\n+ gf_isr(t1,t2); /* t1 \u003d isr */\n+ gf_mul(t2,t1,t3); /* t2 \u003d ratio */\n+ gf_mul(t4,t2,RISTRETTO_FACTOR);\n+ mask_t negx \u003d gf_lobit(t4) ^ toggle_altx;\n+ gf_cond_neg(t2, negx);\n+ gf_mul(t3,t2,p-\u003ez);\n+ gf_sub(t3,t3,p-\u003et);\n+ gf_mul(t2,t3,p-\u003ex);\n+ gf_mulw(t4,t2,-1-TWISTED_D);\n+ gf_mul(s,t4,t1);\n+ mask_t lobs \u003d gf_lobit(s);\n+ gf_cond_neg(s,lobs);\n+ gf_copy(inv_el_m1,p-\u003ex);\n+ gf_cond_neg(inv_el_m1,~lobs^negx^toggle_s);\n+ gf_add(inv_el_m1,inv_el_m1,p-\u003et);\n+ \n+#elif COFACTOR \u003d\u003d 8 \u0026\u0026 IMAGINE_TWIST\n+ /* More complicated because of rotation */\n+ gf t1,t2,t3,t4,t5;\n+ 
gf_add(t1,p-\u003ez,p-\u003ey);\n+ gf_sub(t2,p-\u003ez,p-\u003ey);\n+ gf_mul(t3,t1,t2); /* t3 \u003d num */\n+ gf_mul(t2,p-\u003ex,p-\u003ey); /* t2 \u003d den */\n+ gf_sqr(t1,t2);\n+ gf_mul(t4,t1,t3);\n+ gf_mulw(t1,t4,-1-TWISTED_D);\n+ gf_isr(t4,t1); /* isqrt(num*(a-d)*den^2) */\n+ gf_mul(t1,t2,t4);\n+ gf_mul(t2,t1,RISTRETTO_FACTOR); /* t2 \u003d \u0022iden\u0022 in ristretto.sage */\n+ gf_mul(t1,t3,t4); /* t1 \u003d \u0022inum\u0022 in ristretto.sage */\n+\n+ /* Calculate altxy \u003d iden*inum*i*t^2*(d-a) */\n+ gf_mul(t3,t1,t2);\n+ gf_mul_i(t4,t3);\n+ gf_mul(t3,t4,p-\u003et);\n+ gf_mul(t4,t3,p-\u003et);\n+ gf_mulw(t3,t4,TWISTED_D+1); /* iden*inum*i*t^2*(d-1) */\n+ mask_t rotate \u003d toggle_rotation ^ gf_lobit(t3);\n+ \n+ /* Rotate if altxy is negative */\n+ gf_cond_swap(t1,t2,rotate);\n+ gf_mul_i(t4,p-\u003ex);\n+ gf_cond_sel(t4,p-\u003ey,t4,rotate); /* t4 \u003d \u0022fac\u0022 \u003d ix if rotate, else y */\n+ \n+ gf_mul_i(t5,RISTRETTO_FACTOR); /* t5 \u003d imi */\n+ gf_mul(t3,t5,t2); /* iden * imi */\n+ gf_mul(t2,t5,t1);\n+ gf_mul(t5,t2,p-\u003et); /* \u0022altx\u0022 \u003d iden*imi*t */\n+ mask_t negx \u003d gf_lobit(t5) ^ toggle_altx;\n+ \n+ gf_cond_neg(t1,negx^rotate);\n+ gf_mul(t2,t1,p-\u003ez);\n+ gf_add(t2,t2,ONE);\n+ gf_mul(inv_el_sum,t2,t4);\n+ gf_mul(s,inv_el_sum,t3);\n+ \n+ mask_t negs \u003d gf_lobit(s);\n+ gf_cond_neg(s,negs);\n+ \n+ mask_t negz \u003d ~negs ^ toggle_s ^ negx;\n+ gf_copy(inv_el_m1,p-\u003ez);\n+ gf_cond_neg(inv_el_m1,negz);\n+ gf_sub(inv_el_m1,inv_el_m1,t4);\n+#else\n+#error \u0022Cofactor must be 4 (with no IMAGINE_TWIST) or 8 (with IMAGINE_TWIST)\u0022\n+#endif\n+}\n+\n+void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) {\n+ gf s,ie1,ie2;\n+ API_NS(deisogenize)(s,ie1,ie2,p,0,0,0);\n+ gf_serialize(ser,s,1);\n+}\n+\n+decaf_error_t API_NS(point_decode) (\n+ point_t p,\n+ const unsigned char ser[SER_BYTES],\n+ decaf_bool_t allow_identity\n+) {\n+ gf s, s2, num, tmp;\n+ gf_s *tmp2\u003ds2, 
*ynum\u003dp-\u003ez, *isr\u003dp-\u003ex, *den\u003dp-\u003et;\n+ \n+ mask_t succ \u003d gf_deserialize(s, ser, 1, 0);\n+ succ \u0026\u003d bool_to_mask(allow_identity) | ~gf_eq(s, ZERO);\n+ succ \u0026\u003d ~gf_lobit(s);\n+ \n+ gf_sqr(s2,s); /* s^2 \u003d -as^2 */\n+#if IMAGINE_TWIST\n+ gf_sub(s2,ZERO,s2); /* -as^2 */\n+#endif\n+ gf_sub(den,ONE,s2); /* 1+as^2 */\n+ gf_add(ynum,ONE,s2); /* 1-as^2 */\n+ gf_mulw(num,s2,-4*TWISTED_D);\n+ gf_sqr(tmp,den); /* tmp \u003d den^2 */\n+ gf_add(num,tmp,num); /* num \u003d den^2 - 4*d*s^2 */\n+ gf_mul(tmp2,num,tmp); /* tmp2 \u003d num*den^2 */\n+ succ \u0026\u003d gf_isr(isr,tmp2); /* isr \u003d 1/sqrt(num*den^2) */\n+ gf_mul(tmp,isr,den); /* isr*den */\n+ gf_mul(p-\u003ey,tmp,ynum); /* isr*den*(1-as^2) */\n+ gf_mul(tmp2,tmp,s); /* s*isr*den */\n+ gf_add(tmp2,tmp2,tmp2); /* 2*s*isr*den */\n+ gf_mul(tmp,tmp2,isr); /* 2*s*isr^2*den */\n+ gf_mul(p-\u003ex,tmp,num); /* 2*s*isr^2*den*num */\n+ gf_mul(tmp,tmp2,RISTRETTO_FACTOR); /* 2*s*isr*den*magic */\n+ gf_cond_neg(p-\u003ex,gf_lobit(tmp)); /* flip x */\n+ \n+#if COFACTOR\u003d\u003d8\n+ /* Additionally check y !\u003d 0 and x*y*isomagic nonegative */\n+ succ \u0026\u003d ~gf_eq(p-\u003ey,ZERO);\n+ gf_mul(tmp,p-\u003ex,p-\u003ey);\n+ gf_mul(tmp2,tmp,RISTRETTO_FACTOR);\n+ succ \u0026\u003d ~gf_lobit(tmp2);\n+#endif\n+\n+#if IMAGINE_TWIST\n+ gf_copy(tmp,p-\u003ex);\n+ gf_mul_i(p-\u003ex,tmp);\n+#endif\n+\n+ /* Fill in z and t */\n+ gf_copy(p-\u003ez,ONE);\n+ gf_mul(p-\u003et,p-\u003ex,p-\u003ey);\n+ \n+ assert(API_NS(point_valid)(p) | ~succ);\n+ return decaf_succeed_if(mask_to_bool(succ));\n+}\n+\n+void API_NS(point_sub) (\n+ point_t p,\n+ const point_t q,\n+ const point_t r\n+) {\n+ gf a, b, c, d;\n+ gf_sub_nr ( b, q-\u003ey, q-\u003ex ); /* 3+e */\n+ gf_sub_nr ( d, r-\u003ey, r-\u003ex ); /* 3+e */\n+ gf_add_nr ( c, r-\u003ey, r-\u003ex ); /* 2+e */\n+ gf_mul ( a, c, b );\n+ gf_add_nr ( b, q-\u003ey, q-\u003ex ); /* 2+e */\n+ gf_mul ( p-\u003ey, d, b );\n+ gf_mul ( b, r-\u003et, 
q-\u003et );\n+ gf_mulw ( p-\u003ex, b, 2*EFF_D );\n+ gf_add_nr ( b, a, p-\u003ey ); /* 2+e */\n+ gf_sub_nr ( c, p-\u003ey, a ); /* 3+e */\n+ gf_mul ( a, q-\u003ez, r-\u003ez );\n+ gf_add_nr ( a, a, a ); /* 2+e */\n+ if (GF_HEADROOM \u003c\u003d 3) gf_weak_reduce(a); /* or 1+e */\n+#if NEG_D\n+ gf_sub_nr ( p-\u003ey, a, p-\u003ex ); /* 4+e or 3+e */\n+ gf_add_nr ( a, a, p-\u003ex ); /* 3+e or 2+e */\n+#else\n+ gf_add_nr ( p-\u003ey, a, p-\u003ex ); /* 3+e or 2+e */\n+ gf_sub_nr ( a, a, p-\u003ex ); /* 4+e or 3+e */\n+#endif\n+ gf_mul ( p-\u003ez, a, p-\u003ey );\n+ gf_mul ( p-\u003ex, p-\u003ey, c );\n+ gf_mul ( p-\u003ey, a, b );\n+ gf_mul ( p-\u003et, b, c );\n+}\n+ \n+void API_NS(point_add) (\n+ point_t p,\n+ const point_t q,\n+ const point_t r\n+) {\n+ gf a, b, c, d;\n+ gf_sub_nr ( b, q-\u003ey, q-\u003ex ); /* 3+e */\n+ gf_sub_nr ( c, r-\u003ey, r-\u003ex ); /* 3+e */\n+ gf_add_nr ( d, r-\u003ey, r-\u003ex ); /* 2+e */\n+ gf_mul ( a, c, b );\n+ gf_add_nr ( b, q-\u003ey, q-\u003ex ); /* 2+e */\n+ gf_mul ( p-\u003ey, d, b );\n+ gf_mul ( b, r-\u003et, q-\u003et );\n+ gf_mulw ( p-\u003ex, b, 2*EFF_D );\n+ gf_add_nr ( b, a, p-\u003ey ); /* 2+e */\n+ gf_sub_nr ( c, p-\u003ey, a ); /* 3+e */\n+ gf_mul ( a, q-\u003ez, r-\u003ez );\n+ gf_add_nr ( a, a, a ); /* 2+e */\n+ if (GF_HEADROOM \u003c\u003d 3) gf_weak_reduce(a); /* or 1+e */\n+#if NEG_D\n+ gf_add_nr ( p-\u003ey, a, p-\u003ex ); /* 3+e or 2+e */\n+ gf_sub_nr ( a, a, p-\u003ex ); /* 4+e or 3+e */\n+#else\n+ gf_sub_nr ( p-\u003ey, a, p-\u003ex ); /* 4+e or 3+e */\n+ gf_add_nr ( a, a, p-\u003ex ); /* 3+e or 2+e */\n+#endif\n+ gf_mul ( p-\u003ez, a, p-\u003ey );\n+ gf_mul ( p-\u003ex, p-\u003ey, c );\n+ gf_mul ( p-\u003ey, a, b );\n+ gf_mul ( p-\u003et, b, c );\n+}\n+\n+static DECAF_NOINLINE void\n+point_double_internal (\n+ point_t p,\n+ const point_t q,\n+ int before_double\n+) {\n+ gf a, b, c, d;\n+ gf_sqr ( c, q-\u003ex );\n+ gf_sqr ( a, q-\u003ey );\n+ gf_add_nr ( d, c, a ); /* 2+e */\n+ gf_add_nr ( p-\u003et, 
q-\u003ey, q-\u003ex ); /* 2+e */\n+ gf_sqr ( b, p-\u003et );\n+ gf_subx_nr ( b, b, d, 3 ); /* 4+e */\n+ gf_sub_nr ( p-\u003et, a, c ); /* 3+e */\n+ gf_sqr ( p-\u003ex, q-\u003ez );\n+ gf_add_nr ( p-\u003ez, p-\u003ex, p-\u003ex ); /* 2+e */\n+ gf_subx_nr ( a, p-\u003ez, p-\u003et, 4 ); /* 6+e */\n+ if (GF_HEADROOM \u003d\u003d 5) gf_weak_reduce(a); /* or 1+e */\n+ gf_mul ( p-\u003ex, a, b );\n+ gf_mul ( p-\u003ez, p-\u003et, a );\n+ gf_mul ( p-\u003ey, p-\u003et, d );\n+ if (!before_double) gf_mul ( p-\u003et, b, d );\n+}\n+\n+void API_NS(point_double)(point_t p, const point_t q) {\n+ point_double_internal(p,q,0);\n+}\n+\n+void API_NS(point_negate) (\n+ point_t nega,\n+ const point_t a\n+) {\n+ gf_sub(nega-\u003ex, ZERO, a-\u003ex);\n+ gf_copy(nega-\u003ey, a-\u003ey);\n+ gf_copy(nega-\u003ez, a-\u003ez);\n+ gf_sub(nega-\u003et, ZERO, a-\u003et);\n+}\n+\n+/* Operations on [p]niels */\n+static DECAF_INLINE void\n+cond_neg_niels (\n+ niels_t n,\n+ mask_t neg\n+) {\n+ gf_cond_swap(n-\u003ea, n-\u003eb, neg);\n+ gf_cond_neg(n-\u003ec, neg);\n+}\n+\n+static DECAF_NOINLINE void pt_to_pniels (\n+ pniels_t b,\n+ const point_t a\n+) {\n+ gf_sub ( b-\u003en-\u003ea, a-\u003ey, a-\u003ex );\n+ gf_add ( b-\u003en-\u003eb, a-\u003ex, a-\u003ey );\n+ gf_mulw ( b-\u003en-\u003ec, a-\u003et, 2*TWISTED_D );\n+ gf_add ( b-\u003ez, a-\u003ez, a-\u003ez );\n+}\n+\n+static DECAF_NOINLINE void pniels_to_pt (\n+ point_t e,\n+ const pniels_t d\n+) {\n+ gf eu;\n+ gf_add ( eu, d-\u003en-\u003eb, d-\u003en-\u003ea );\n+ gf_sub ( e-\u003ey, d-\u003en-\u003eb, d-\u003en-\u003ea );\n+ gf_mul ( e-\u003et, e-\u003ey, eu);\n+ gf_mul ( e-\u003ex, d-\u003ez, e-\u003ey );\n+ gf_mul ( e-\u003ey, d-\u003ez, eu );\n+ gf_sqr ( e-\u003ez, d-\u003ez );\n+}\n+\n+static DECAF_NOINLINE void\n+niels_to_pt (\n+ point_t e,\n+ const niels_t n\n+) {\n+ gf_add ( e-\u003ey, n-\u003eb, n-\u003ea );\n+ gf_sub ( e-\u003ex, n-\u003eb, n-\u003ea );\n+ gf_mul ( e-\u003et, e-\u003ey, e-\u003ex );\n+ gf_copy ( e-\u003ez, 
ONE );\n+}\n+\n+static DECAF_NOINLINE void\n+add_niels_to_pt (\n+ point_t d,\n+ const niels_t e,\n+ int before_double\n+) {\n+ gf a, b, c;\n+ gf_sub_nr ( b, d-\u003ey, d-\u003ex ); /* 3+e */\n+ gf_mul ( a, e-\u003ea, b );\n+ gf_add_nr ( b, d-\u003ex, d-\u003ey ); /* 2+e */\n+ gf_mul ( d-\u003ey, e-\u003eb, b );\n+ gf_mul ( d-\u003ex, e-\u003ec, d-\u003et );\n+ gf_add_nr ( c, a, d-\u003ey ); /* 2+e */\n+ gf_sub_nr ( b, d-\u003ey, a ); /* 3+e */\n+ gf_sub_nr ( d-\u003ey, d-\u003ez, d-\u003ex ); /* 3+e */\n+ gf_add_nr ( a, d-\u003ex, d-\u003ez ); /* 2+e */\n+ gf_mul ( d-\u003ez, a, d-\u003ey );\n+ gf_mul ( d-\u003ex, d-\u003ey, b );\n+ gf_mul ( d-\u003ey, a, c );\n+ if (!before_double) gf_mul ( d-\u003et, b, c );\n+}\n+\n+static DECAF_NOINLINE void\n+sub_niels_from_pt (\n+ point_t d,\n+ const niels_t e,\n+ int before_double\n+) {\n+ gf a, b, c;\n+ gf_sub_nr ( b, d-\u003ey, d-\u003ex ); /* 3+e */\n+ gf_mul ( a, e-\u003eb, b );\n+ gf_add_nr ( b, d-\u003ex, d-\u003ey ); /* 2+e */\n+ gf_mul ( d-\u003ey, e-\u003ea, b );\n+ gf_mul ( d-\u003ex, e-\u003ec, d-\u003et );\n+ gf_add_nr ( c, a, d-\u003ey ); /* 2+e */\n+ gf_sub_nr ( b, d-\u003ey, a ); /* 3+e */\n+ gf_add_nr ( d-\u003ey, d-\u003ez, d-\u003ex ); /* 2+e */\n+ gf_sub_nr ( a, d-\u003ez, d-\u003ex ); /* 3+e */\n+ gf_mul ( d-\u003ez, a, d-\u003ey );\n+ gf_mul ( d-\u003ex, d-\u003ey, b );\n+ gf_mul ( d-\u003ey, a, c );\n+ if (!before_double) gf_mul ( d-\u003et, b, c );\n+}\n+\n+static void\n+add_pniels_to_pt (\n+ point_t p,\n+ const pniels_t pn,\n+ int before_double\n+) {\n+ gf L0;\n+ gf_mul ( L0, p-\u003ez, pn-\u003ez );\n+ gf_copy ( p-\u003ez, L0 );\n+ add_niels_to_pt( p, pn-\u003en, before_double );\n+}\n+\n+static void\n+sub_pniels_from_pt (\n+ point_t p,\n+ const pniels_t pn,\n+ int before_double\n+) {\n+ gf L0;\n+ gf_mul ( L0, p-\u003ez, pn-\u003ez );\n+ gf_copy ( p-\u003ez, L0 );\n+ sub_niels_from_pt( p, pn-\u003en, before_double );\n+}\n+\n+static DECAF_NOINLINE void\n+prepare_fixed_window(\n+ pniels_t 
*multiples,\n+ const point_t b,\n+ int ntable\n+) {\n+ point_t tmp;\n+ pniels_t pn;\n+ int i;\n+ \n+ point_double_internal(tmp, b, 0);\n+ pt_to_pniels(pn, tmp);\n+ pt_to_pniels(multiples[0], b);\n+ API_NS(point_copy)(tmp, b);\n+ for (i\u003d1; i\u003cntable; i++) {\n+ add_pniels_to_pt(tmp, pn, 0);\n+ pt_to_pniels(multiples[i], tmp);\n+ }\n+ \n+ decaf_bzero(pn,sizeof(pn));\n+ decaf_bzero(tmp,sizeof(tmp));\n+}\n+\n+void API_NS(point_scalarmul) (\n+ point_t a,\n+ const point_t b,\n+ const scalar_t scalar\n+) {\n+ const int WINDOW \u003d DECAF_WINDOW_BITS,\n+ WINDOW_MASK \u003d (1\u003c\u003cWINDOW)-1,\n+ WINDOW_T_MASK \u003d WINDOW_MASK \u003e\u003e 1,\n+ NTABLE \u003d 1\u003c\u003c(WINDOW-1);\n+ \n+ scalar_t scalar1x;\n+ API_NS(scalar_add)(scalar1x, scalar, point_scalarmul_adjustment);\n+ API_NS(scalar_halve)(scalar1x,scalar1x);\n+ \n+ /* Set up a precomputed table with odd multiples of b. */\n+ pniels_t pn, multiples[NTABLE];\n+ point_t tmp;\n+ prepare_fixed_window(multiples, b, NTABLE);\n+\n+ /* Initialize. */\n+ int i,j,first\u003d1;\n+ i \u003d SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1;\n+\n+ for (; i\u003e\u003d0; i-\u003dWINDOW) {\n+ /* Fetch another block of bits */\n+ word_t bits \u003d scalar1x-\u003elimb[i/WBITS] \u003e\u003e (i%WBITS);\n+ if (i%WBITS \u003e\u003d WBITS-WINDOW \u0026\u0026 i/WBITS\u003cSCALAR_LIMBS-1) {\n+ bits ^\u003d scalar1x-\u003elimb[i/WBITS+1] \u003c\u003c (WBITS - (i%WBITS));\n+ }\n+ bits \u0026\u003d WINDOW_MASK;\n+ mask_t inv \u003d (bits\u003e\u003e(WINDOW-1))-1;\n+ bits ^\u003d inv;\n+ \n+ /* Add in from table. Compute t only on last iteration. */\n+ constant_time_lookup(pn, multiples, sizeof(pn), NTABLE, bits \u0026 WINDOW_T_MASK);\n+ cond_neg_niels(pn-\u003en, inv);\n+ if (first) {\n+ pniels_to_pt(tmp, pn);\n+ first \u003d 0;\n+ } else {\n+ /* Using Hisil et al's lookahead method instead of extensible here\n+ * for no particular reason. 
Double WINDOW times, but only compute t on\n+ * the last one.\n+ */\n+ for (j\u003d0; j\u003cWINDOW-1; j++)\n+ point_double_internal(tmp, tmp, -1);\n+ point_double_internal(tmp, tmp, 0);\n+ add_pniels_to_pt(tmp, pn, i ? -1 : 0);\n+ }\n+ }\n+ \n+ /* Write out the answer */\n+ API_NS(point_copy)(a,tmp);\n+ \n+ decaf_bzero(scalar1x,sizeof(scalar1x));\n+ decaf_bzero(pn,sizeof(pn));\n+ decaf_bzero(multiples,sizeof(multiples));\n+ decaf_bzero(tmp,sizeof(tmp));\n+}\n+\n+void API_NS(point_double_scalarmul) (\n+ point_t a,\n+ const point_t b,\n+ const scalar_t scalarb,\n+ const point_t c,\n+ const scalar_t scalarc\n+) {\n+ const int WINDOW \u003d DECAF_WINDOW_BITS,\n+ WINDOW_MASK \u003d (1\u003c\u003cWINDOW)-1,\n+ WINDOW_T_MASK \u003d WINDOW_MASK \u003e\u003e 1,\n+ NTABLE \u003d 1\u003c\u003c(WINDOW-1);\n+ \n+ scalar_t scalar1x, scalar2x;\n+ API_NS(scalar_add)(scalar1x, scalarb, point_scalarmul_adjustment);\n+ API_NS(scalar_halve)(scalar1x,scalar1x);\n+ API_NS(scalar_add)(scalar2x, scalarc, point_scalarmul_adjustment);\n+ API_NS(scalar_halve)(scalar2x,scalar2x);\n+ \n+ /* Set up a precomputed table with odd multiples of b. */\n+ pniels_t pn, multiples1[NTABLE], multiples2[NTABLE];\n+ point_t tmp;\n+ prepare_fixed_window(multiples1, b, NTABLE);\n+ prepare_fixed_window(multiples2, c, NTABLE);\n+\n+ /* Initialize. 
*/\n+ int i,j,first\u003d1;\n+ i \u003d SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1;\n+\n+ for (; i\u003e\u003d0; i-\u003dWINDOW) {\n+ /* Fetch another block of bits */\n+ word_t bits1 \u003d scalar1x-\u003elimb[i/WBITS] \u003e\u003e (i%WBITS),\n+ bits2 \u003d scalar2x-\u003elimb[i/WBITS] \u003e\u003e (i%WBITS);\n+ if (i%WBITS \u003e\u003d WBITS-WINDOW \u0026\u0026 i/WBITS\u003cSCALAR_LIMBS-1) {\n+ bits1 ^\u003d scalar1x-\u003elimb[i/WBITS+1] \u003c\u003c (WBITS - (i%WBITS));\n+ bits2 ^\u003d scalar2x-\u003elimb[i/WBITS+1] \u003c\u003c (WBITS - (i%WBITS));\n+ }\n+ bits1 \u0026\u003d WINDOW_MASK;\n+ bits2 \u0026\u003d WINDOW_MASK;\n+ mask_t inv1 \u003d (bits1\u003e\u003e(WINDOW-1))-1;\n+ mask_t inv2 \u003d (bits2\u003e\u003e(WINDOW-1))-1;\n+ bits1 ^\u003d inv1;\n+ bits2 ^\u003d inv2;\n+ \n+ /* Add in from table. Compute t only on last iteration. */\n+ constant_time_lookup(pn, multiples1, sizeof(pn), NTABLE, bits1 \u0026 WINDOW_T_MASK);\n+ cond_neg_niels(pn-\u003en, inv1);\n+ if (first) {\n+ pniels_to_pt(tmp, pn);\n+ first \u003d 0;\n+ } else {\n+ /* Using Hisil et al's lookahead method instead of extensible here\n+ * for no particular reason. 
Double WINDOW times, but only compute t on\n+ * the last one.\n+ */\n+ for (j\u003d0; j\u003cWINDOW-1; j++)\n+ point_double_internal(tmp, tmp, -1);\n+ point_double_internal(tmp, tmp, 0);\n+ add_pniels_to_pt(tmp, pn, 0);\n+ }\n+ constant_time_lookup(pn, multiples2, sizeof(pn), NTABLE, bits2 \u0026 WINDOW_T_MASK);\n+ cond_neg_niels(pn-\u003en, inv2);\n+ add_pniels_to_pt(tmp, pn, i?-1:0);\n+ }\n+ \n+ /* Write out the answer */\n+ API_NS(point_copy)(a,tmp);\n+ \n+\n+ decaf_bzero(scalar1x,sizeof(scalar1x));\n+ decaf_bzero(scalar2x,sizeof(scalar2x));\n+ decaf_bzero(pn,sizeof(pn));\n+ decaf_bzero(multiples1,sizeof(multiples1));\n+ decaf_bzero(multiples2,sizeof(multiples2));\n+ decaf_bzero(tmp,sizeof(tmp));\n+}\n+\n+void API_NS(point_dual_scalarmul) (\n+ point_t a1,\n+ point_t a2,\n+ const point_t b,\n+ const scalar_t scalar1,\n+ const scalar_t scalar2\n+) {\n+ const int WINDOW \u003d DECAF_WINDOW_BITS,\n+ WINDOW_MASK \u003d (1\u003c\u003cWINDOW)-1,\n+ WINDOW_T_MASK \u003d WINDOW_MASK \u003e\u003e 1,\n+ NTABLE \u003d 1\u003c\u003c(WINDOW-1);\n+ \n+ scalar_t scalar1x, scalar2x;\n+ API_NS(scalar_add)(scalar1x, scalar1, point_scalarmul_adjustment);\n+ API_NS(scalar_halve)(scalar1x,scalar1x);\n+ API_NS(scalar_add)(scalar2x, scalar2, point_scalarmul_adjustment);\n+ API_NS(scalar_halve)(scalar2x,scalar2x);\n+ \n+ /* Set up a precomputed table with odd multiples of b. */\n+ point_t multiples1[NTABLE], multiples2[NTABLE], working, tmp;\n+ pniels_t pn;\n+ \n+ API_NS(point_copy)(working, b);\n+\n+ /* Initialize. 
*/\n+ int i,j;\n+ \n+ for (i\u003d0; i\u003cNTABLE; i++) {\n+ API_NS(point_copy)(multiples1[i], API_NS(point_identity));\n+ API_NS(point_copy)(multiples2[i], API_NS(point_identity));\n+ }\n+\n+ for (i\u003d0; i\u003cSCALAR_BITS; i+\u003dWINDOW) { \n+ if (i) {\n+ for (j\u003d0; j\u003cWINDOW-1; j++)\n+ point_double_internal(working, working, -1);\n+ point_double_internal(working, working, 0);\n+ }\n+ \n+ /* Fetch another block of bits */\n+ word_t bits1 \u003d scalar1x-\u003elimb[i/WBITS] \u003e\u003e (i%WBITS),\n+ bits2 \u003d scalar2x-\u003elimb[i/WBITS] \u003e\u003e (i%WBITS);\n+ if (i%WBITS \u003e\u003d WBITS-WINDOW \u0026\u0026 i/WBITS\u003cSCALAR_LIMBS-1) {\n+ bits1 ^\u003d scalar1x-\u003elimb[i/WBITS+1] \u003c\u003c (WBITS - (i%WBITS));\n+ bits2 ^\u003d scalar2x-\u003elimb[i/WBITS+1] \u003c\u003c (WBITS - (i%WBITS));\n+ }\n+ bits1 \u0026\u003d WINDOW_MASK;\n+ bits2 \u0026\u003d WINDOW_MASK;\n+ mask_t inv1 \u003d (bits1\u003e\u003e(WINDOW-1))-1;\n+ mask_t inv2 \u003d (bits2\u003e\u003e(WINDOW-1))-1;\n+ bits1 ^\u003d inv1;\n+ bits2 ^\u003d inv2;\n+ \n+ pt_to_pniels(pn, working);\n+\n+ constant_time_lookup(tmp, multiples1, sizeof(tmp), NTABLE, bits1 \u0026 WINDOW_T_MASK);\n+ cond_neg_niels(pn-\u003en, inv1);\n+ /* add_pniels_to_pt(multiples1[bits1 \u0026 WINDOW_T_MASK], pn, 0); */\n+ add_pniels_to_pt(tmp, pn, 0);\n+ constant_time_insert(multiples1, tmp, sizeof(tmp), NTABLE, bits1 \u0026 WINDOW_T_MASK);\n+ \n+ \n+ constant_time_lookup(tmp, multiples2, sizeof(tmp), NTABLE, bits2 \u0026 WINDOW_T_MASK);\n+ cond_neg_niels(pn-\u003en, inv1^inv2);\n+ /* add_pniels_to_pt(multiples2[bits2 \u0026 WINDOW_T_MASK], pn, 0); */\n+ add_pniels_to_pt(tmp, pn, 0);\n+ constant_time_insert(multiples2, tmp, sizeof(tmp), NTABLE, bits2 \u0026 WINDOW_T_MASK);\n+ }\n+ \n+ if (NTABLE \u003e 1) {\n+ API_NS(point_copy)(working, multiples1[NTABLE-1]);\n+ API_NS(point_copy)(tmp , multiples2[NTABLE-1]);\n+ \n+ for (i\u003dNTABLE-1; i\u003e1; i--) {\n+ API_NS(point_add)(multiples1[i-1], 
multiples1[i-1], multiples1[i]);\n+ API_NS(point_add)(multiples2[i-1], multiples2[i-1], multiples2[i]);\n+ API_NS(point_add)(working, working, multiples1[i-1]);\n+ API_NS(point_add)(tmp, tmp, multiples2[i-1]);\n+ }\n+ \n+ API_NS(point_add)(multiples1[0], multiples1[0], multiples1[1]);\n+ API_NS(point_add)(multiples2[0], multiples2[0], multiples2[1]);\n+ point_double_internal(working, working, 0);\n+ point_double_internal(tmp, tmp, 0);\n+ API_NS(point_add)(a1, working, multiples1[0]);\n+ API_NS(point_add)(a2, tmp, multiples2[0]);\n+ } else {\n+ API_NS(point_copy)(a1, multiples1[0]);\n+ API_NS(point_copy)(a2, multiples2[0]);\n+ }\n+\n+ decaf_bzero(scalar1x,sizeof(scalar1x));\n+ decaf_bzero(scalar2x,sizeof(scalar2x));\n+ decaf_bzero(pn,sizeof(pn));\n+ decaf_bzero(multiples1,sizeof(multiples1));\n+ decaf_bzero(multiples2,sizeof(multiples2));\n+ decaf_bzero(tmp,sizeof(tmp));\n+ decaf_bzero(working,sizeof(working));\n+}\n+\n+decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {\n+ /* equality mod 2-torsion compares x/y */\n+ gf a, b;\n+ gf_mul ( a, p-\u003ey, q-\u003ex );\n+ gf_mul ( b, q-\u003ey, p-\u003ex );\n+ mask_t succ \u003d gf_eq(a,b);\n+ \n+ #if (COFACTOR \u003d\u003d 8) \u0026\u0026 IMAGINE_TWIST\n+ gf_mul ( a, p-\u003ey, q-\u003ey );\n+ gf_mul ( b, q-\u003ex, p-\u003ex );\n+ #if !(IMAGINE_TWIST)\n+ gf_sub ( a, ZERO, a );\n+ #else\n+ /* Interesting note: the 4tor would normally be rotation.\n+ * But because of the *i twist, it's actually\n+ * (x,y) \u003c-\u003e (iy,ix)\n+ */\n+ \n+ /* No code, just a comment. 
*/\n+ #endif\n+ succ |\u003d gf_eq(a,b);\n+ #endif\n+ \n+ return mask_to_bool(succ);\n+}\n+\n+decaf_bool_t API_NS(point_valid) (\n+ const point_t p\n+) {\n+ gf a,b,c;\n+ gf_mul(a,p-\u003ex,p-\u003ey);\n+ gf_mul(b,p-\u003ez,p-\u003et);\n+ mask_t out \u003d gf_eq(a,b);\n+ gf_sqr(a,p-\u003ex);\n+ gf_sqr(b,p-\u003ey);\n+ gf_sub(a,b,a);\n+ gf_sqr(b,p-\u003et);\n+ gf_mulw(c,b,TWISTED_D);\n+ gf_sqr(b,p-\u003ez);\n+ gf_add(b,b,c);\n+ out \u0026\u003d gf_eq(a,b);\n+ out \u0026\u003d ~gf_eq(p-\u003ez,ZERO);\n+ return mask_to_bool(out);\n+}\n+\n+void API_NS(point_debugging_torque) (\n+ point_t q,\n+ const point_t p\n+) {\n+#if COFACTOR \u003d\u003d 8 \u0026\u0026 IMAGINE_TWIST\n+ gf tmp;\n+ gf_mul(tmp,p-\u003ex,SQRT_MINUS_ONE);\n+ gf_mul(q-\u003ex,p-\u003ey,SQRT_MINUS_ONE);\n+ gf_copy(q-\u003ey,tmp);\n+ gf_copy(q-\u003ez,p-\u003ez);\n+ gf_sub(q-\u003et,ZERO,p-\u003et);\n+#else\n+ gf_sub(q-\u003ex,ZERO,p-\u003ex);\n+ gf_sub(q-\u003ey,ZERO,p-\u003ey);\n+ gf_copy(q-\u003ez,p-\u003ez);\n+ gf_copy(q-\u003et,p-\u003et);\n+#endif\n+}\n+\n+void API_NS(point_debugging_pscale) (\n+ point_t q,\n+ const point_t p,\n+ const uint8_t factor[SER_BYTES]\n+) {\n+ gf gfac,tmp;\n+ /* NB this means you'll never pscale by negative numbers for p521 */\n+ ignore_result(gf_deserialize(gfac,factor,0,0));\n+ gf_cond_sel(gfac,gfac,ONE,gf_eq(gfac,ZERO));\n+ gf_mul(tmp,p-\u003ex,gfac);\n+ gf_copy(q-\u003ex,tmp);\n+ gf_mul(tmp,p-\u003ey,gfac);\n+ gf_copy(q-\u003ey,tmp);\n+ gf_mul(tmp,p-\u003ez,gfac);\n+ gf_copy(q-\u003ez,tmp);\n+ gf_mul(tmp,p-\u003et,gfac);\n+ gf_copy(q-\u003et,tmp);\n+}\n+\n+static void gf_batch_invert (\n+ gf *__restrict__ out,\n+ const gf *in,\n+ unsigned int n\n+) {\n+ gf t1;\n+ assert(n\u003e1);\n+ \n+ gf_copy(out[1], in[0]);\n+ int i;\n+ for (i\u003d1; i\u003c(int) (n-1); i++) {\n+ gf_mul(out[i+1], out[i], in[i]);\n+ }\n+ gf_mul(out[0], out[n-1], in[n-1]);\n+\n+ gf_invert(out[0], out[0], 1);\n+\n+ for (i\u003dn-1; i\u003e0; i--) {\n+ gf_mul(t1, out[i], out[0]);\n+ gf_copy(out[i], 
t1);\n+ gf_mul(t1, out[0], in[i]);\n+ gf_copy(out[0], t1);\n+ }\n+}\n+\n+static void batch_normalize_niels (\n+ niels_t *table,\n+ const gf *zs,\n+ gf *__restrict__ zis,\n+ int n\n+) {\n+ int i;\n+ gf product;\n+ gf_batch_invert(zis, zs, n);\n+\n+ for (i\u003d0; i\u003cn; i++) {\n+ gf_mul(product, table[i]-\u003ea, zis[i]);\n+ gf_strong_reduce(product);\n+ gf_copy(table[i]-\u003ea, product);\n+ \n+ gf_mul(product, table[i]-\u003eb, zis[i]);\n+ gf_strong_reduce(product);\n+ gf_copy(table[i]-\u003eb, product);\n+ \n+ gf_mul(product, table[i]-\u003ec, zis[i]);\n+ gf_strong_reduce(product);\n+ gf_copy(table[i]-\u003ec, product);\n+ }\n+ \n+ decaf_bzero(product,sizeof(product));\n+}\n+\n+void API_NS(precompute) (\n+ precomputed_s *table,\n+ const point_t base\n+) { \n+ const unsigned int n \u003d COMBS_N, t \u003d COMBS_T, s \u003d COMBS_S;\n+ assert(n*t*s \u003e\u003d SCALAR_BITS);\n+ \n+ point_t working, start, doubles[t-1];\n+ API_NS(point_copy)(working, base);\n+ pniels_t pn_tmp;\n+ \n+ gf zs[n\u003c\u003c(t-1)], zis[n\u003c\u003c(t-1)];\n+ \n+ unsigned int i,j,k;\n+ \n+ /* Compute n tables */\n+ for (i\u003d0; i\u003cn; i++) {\n+\n+ /* Doubling phase */\n+ for (j\u003d0; j\u003ct; j++) {\n+ if (j) API_NS(point_add)(start, start, working);\n+ else API_NS(point_copy)(start, working);\n+\n+ if (j\u003d\u003dt-1 \u0026\u0026 i\u003d\u003dn-1) break;\n+\n+ point_double_internal(working, working,0);\n+ if (j\u003ct-1) API_NS(point_copy)(doubles[j], working);\n+\n+ for (k\u003d0; k\u003cs-1; k++)\n+ point_double_internal(working, working, k\u003cs-2);\n+ }\n+\n+ /* Gray-code phase */\n+ for (j\u003d0;; j++) {\n+ int gray \u003d j ^ (j\u003e\u003e1);\n+ int idx \u003d (((i+1)\u003c\u003c(t-1))-1) ^ gray;\n+\n+ pt_to_pniels(pn_tmp, start);\n+ memcpy(table-\u003etable[idx], pn_tmp-\u003en, sizeof(pn_tmp-\u003en));\n+ gf_copy(zs[idx], pn_tmp-\u003ez);\n+\t\t\t\n+ if (j \u003e\u003d (1u\u003c\u003c(t-1)) - 1) break;\n+ int delta \u003d (j+1) ^ ((j+1)\u003e\u003e1) ^ 
gray;\n+\n+ for (k\u003d0; delta\u003e1; k++)\n+ delta \u003e\u003e\u003d1;\n+ \n+ if (gray \u0026 (1\u003c\u003ck)) {\n+ API_NS(point_add)(start, start, doubles[k]);\n+ } else {\n+ API_NS(point_sub)(start, start, doubles[k]);\n+ }\n+ }\n+ }\n+ \n+ batch_normalize_niels(table-\u003etable,(const gf *)zs,zis,n\u003c\u003c(t-1));\n+ \n+ decaf_bzero(zs,sizeof(zs));\n+ decaf_bzero(zis,sizeof(zis));\n+ decaf_bzero(pn_tmp,sizeof(pn_tmp));\n+ decaf_bzero(working,sizeof(working));\n+ decaf_bzero(start,sizeof(start));\n+ decaf_bzero(doubles,sizeof(doubles));\n+}\n+\n+static DECAF_INLINE void\n+constant_time_lookup_niels (\n+ niels_s *__restrict__ ni,\n+ const niels_t *table,\n+ int nelts,\n+ int idx\n+) {\n+ constant_time_lookup(ni, table, sizeof(niels_s), nelts, idx);\n+}\n+\n+void API_NS(precomputed_scalarmul) (\n+ point_t out,\n+ const precomputed_s *table,\n+ const scalar_t scalar\n+) {\n+ int i;\n+ unsigned j,k;\n+ const unsigned int n \u003d COMBS_N, t \u003d COMBS_T, s \u003d COMBS_S;\n+ \n+ scalar_t scalar1x;\n+ API_NS(scalar_add)(scalar1x, scalar, precomputed_scalarmul_adjustment);\n+ API_NS(scalar_halve)(scalar1x,scalar1x);\n+ \n+ niels_t ni;\n+ \n+ for (i\u003ds-1; i\u003e\u003d0; i--) {\n+ if (i !\u003d (int)s-1) point_double_internal(out,out,0);\n+ \n+ for (j\u003d0; j\u003cn; j++) {\n+ int tab \u003d 0;\n+ \n+ for (k\u003d0; k\u003ct; k++) {\n+ unsigned int bit \u003d i + s*(k + j*t);\n+ if (bit \u003c SCALAR_BITS) {\n+ tab |\u003d (scalar1x-\u003elimb[bit/WBITS] \u003e\u003e (bit%WBITS) \u0026 1) \u003c\u003c k;\n+ }\n+ }\n+ \n+ mask_t invert \u003d (tab\u003e\u003e(t-1))-1;\n+ tab ^\u003d invert;\n+ tab \u0026\u003d (1\u003c\u003c(t-1)) - 1;\n+\n+ constant_time_lookup_niels(ni, \u0026table-\u003etable[j\u003c\u003c(t-1)], 1\u003c\u003c(t-1), tab);\n+\n+ cond_neg_niels(ni, invert);\n+ if ((i!\u003d(int)s-1)||j) {\n+ add_niels_to_pt(out, ni, j\u003d\u003dn-1 \u0026\u0026 i);\n+ } else {\n+ niels_to_pt(out, ni);\n+ }\n+ }\n+ }\n+ \n+ 
decaf_bzero(ni,sizeof(ni));\n+ decaf_bzero(scalar1x,sizeof(scalar1x));\n+}\n+\n+void API_NS(point_cond_sel) (\n+ point_t out,\n+ const point_t a,\n+ const point_t b,\n+ decaf_bool_t pick_b\n+) {\n+ constant_time_select(out,a,b,sizeof(point_t),bool_to_mask(pick_b),0);\n+}\n+\n+/* FUTURE: restore Curve25519 Montgomery ladder? */\n+decaf_error_t API_NS(direct_scalarmul) (\n+ uint8_t scaled[SER_BYTES],\n+ const uint8_t base[SER_BYTES],\n+ const scalar_t scalar,\n+ decaf_bool_t allow_identity,\n+ decaf_bool_t short_circuit\n+) {\n+ point_t basep;\n+ decaf_error_t succ \u003d API_NS(point_decode)(basep, base, allow_identity);\n+ if (short_circuit \u0026\u0026 succ !\u003d DECAF_SUCCESS) return succ;\n+ API_NS(point_cond_sel)(basep, API_NS(point_base), basep, succ);\n+ API_NS(point_scalarmul)(basep, basep, scalar);\n+ API_NS(point_encode)(scaled, basep);\n+ API_NS(point_destroy)(basep);\n+ return succ;\n+}\n+\n+void API_NS(point_mul_by_ratio_and_encode_like_eddsa) (\n+ uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const point_t p\n+) {\n+ \n+ /* The point is now on the twisted curve. Move it to untwisted. 
*/\n+ gf x, y, z, t;\n+ point_t q;\n+#if COFACTOR \u003d\u003d 8\n+ API_NS(point_double)(q,p);\n+#else\n+ API_NS(point_copy)(q,p);\n+#endif\n+ \n+#if EDDSA_USE_SIGMA_ISOGENY\n+ {\n+ /* Use 4-isogeny like ed25519:\n+ * 2*x*y*sqrt(d/a-1)/(ax^2 + y^2 - 2)\n+ * (y^2 - ax^2)/(y^2 + ax^2)\n+ * with a \u003d -1, d \u003d -EDWARDS_D:\n+ * -2xysqrt(EDWARDS_D-1)/(2z^2-y^2+x^2)\n+ * (y^2+x^2)/(y^2-x^2)\n+ */\n+ gf u;\n+ gf_sqr ( x, q-\u003ex ); // x^2\n+ gf_sqr ( t, q-\u003ey ); // y^2\n+ gf_add( u, x, t ); // x^2 + y^2\n+ gf_add( z, q-\u003ey, q-\u003ex );\n+ gf_sqr ( y, z);\n+ gf_sub ( y, u, y ); // -2xy\n+ gf_sub ( z, t, x ); // y^2 - x^2\n+ gf_sqr ( x, q-\u003ez );\n+ gf_add ( t, x, x);\n+ gf_sub ( t, t, z); // 2z^2 - y^2 + x^2\n+ gf_mul ( x, y, z ); // 2xy(y^2-x^2)\n+ gf_mul ( y, u, t ); // (x^2+y^2)(2z^2-y^2+x^2)\n+ gf_mul ( u, z, t );\n+ gf_copy( z, u );\n+ gf_mul ( u, x, RISTRETTO_FACTOR );\n+#if IMAGINE_TWIST\n+ gf_mul_i( x, u );\n+#else\n+#error \u0022... probably wrong\u0022\n+ gf_copy( x, u );\n+#endif\n+ decaf_bzero(u,sizeof(u));\n+ }\n+#elif IMAGINE_TWIST\n+ {\n+ API_NS(point_double)(q,q);\n+ API_NS(point_double)(q,q);\n+ gf_mul_i(x, q-\u003ex);\n+ gf_copy(y, q-\u003ey);\n+ gf_copy(z, q-\u003ez);\n+ }\n+#else\n+ {\n+ /* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */\n+ gf u;\n+ gf_sqr ( x, q-\u003ex );\n+ gf_sqr ( t, q-\u003ey );\n+ gf_add( u, x, t );\n+ gf_add( z, q-\u003ey, q-\u003ex );\n+ gf_sqr ( y, z);\n+ gf_sub ( y, y, u );\n+ gf_sub ( z, t, x );\n+ gf_sqr ( x, q-\u003ez );\n+ gf_add ( t, x, x); \n+ gf_sub ( t, t, z);\n+ gf_mul ( x, t, y );\n+ gf_mul ( y, z, u );\n+ gf_mul ( z, u, t );\n+ decaf_bzero(u,sizeof(u));\n+ }\n+#endif\n+ /* Affinize */\n+ gf_invert(z,z,1);\n+ gf_mul(t,x,z);\n+ gf_mul(x,y,z);\n+ \n+ /* Encode */\n+ enc[DECAF_EDDSA_448_PRIVATE_BYTES-1] \u003d 0;\n+ gf_serialize(enc, x, 1);\n+ enc[DECAF_EDDSA_448_PRIVATE_BYTES-1] |\u003d 0x80 \u0026 gf_lobit(t);\n+\n+ decaf_bzero(x,sizeof(x));\n+ decaf_bzero(y,sizeof(y));\n+ 
decaf_bzero(z,sizeof(z));\n+ decaf_bzero(t,sizeof(t));\n+ API_NS(point_destroy)(q);\n+}\n+\n+\n+decaf_error_t API_NS(point_decode_like_eddsa_and_mul_by_ratio) (\n+ point_t p,\n+ const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]\n+) {\n+ uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES];\n+ memcpy(enc2,enc,sizeof(enc2));\n+\n+ mask_t low \u003d ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] \u0026 0x80);\n+ enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1] \u0026\u003d ~0x80;\n+ \n+ mask_t succ \u003d gf_deserialize(p-\u003ey, enc2, 1, 0);\n+#if 0 \u003d\u003d 0\n+ succ \u0026\u003d word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES-1]);\n+#endif\n+\n+ gf_sqr(p-\u003ex,p-\u003ey);\n+ gf_sub(p-\u003ez,ONE,p-\u003ex); /* num \u003d 1-y^2 */\n+ #if EDDSA_USE_SIGMA_ISOGENY\n+ gf_mulw(p-\u003et,p-\u003ez,EDWARDS_D); /* d-dy^2 */\n+ gf_mulw(p-\u003ex,p-\u003ez,EDWARDS_D-1); /* num \u003d (1-y^2)(d-1) */\n+ gf_copy(p-\u003ez,p-\u003ex);\n+ #else\n+ gf_mulw(p-\u003et,p-\u003ex,EDWARDS_D); /* dy^2 */\n+ #endif\n+ gf_sub(p-\u003et,ONE,p-\u003et); /* denom \u003d 1-dy^2 or 1-d + dy^2 */\n+ \n+ gf_mul(p-\u003ex,p-\u003ez,p-\u003et);\n+ succ \u0026\u003d gf_isr(p-\u003et,p-\u003ex); /* 1/sqrt(num * denom) */\n+ \n+ gf_mul(p-\u003ex,p-\u003et,p-\u003ez); /* sqrt(num / denom) */\n+ gf_cond_neg(p-\u003ex,gf_lobit(p-\u003ex)^low);\n+ gf_copy(p-\u003ez,ONE);\n+ \n+ #if EDDSA_USE_SIGMA_ISOGENY\n+ {\n+ /* Use 4-isogeny like ed25519:\n+ * 2*x*y/sqrt(1-d/a)/(ax^2 + y^2 - 2)\n+ * (y^2 - ax^2)/(y^2 + ax^2)\n+ * (MAGIC: above formula may be off by a factor of -a\n+ * or something somewhere; check it for other a)\n+ *\n+ * with a \u003d -1, d \u003d -EDWARDS_D:\n+ * -2xy/sqrt(1-EDWARDS_D)/(2z^2-y^2+x^2)\n+ * (y^2+x^2)/(y^2-x^2)\n+ */\n+ gf a, b, c, d;\n+ gf_sqr ( c, p-\u003ex );\n+ gf_sqr ( a, p-\u003ey );\n+ gf_add ( d, c, a ); // x^2 + y^2\n+ gf_add ( p-\u003et, p-\u003ey, p-\u003ex );\n+ gf_sqr ( b, p-\u003et );\n+ gf_sub ( b, b, d ); // 2xy\n+ gf_sub ( p-\u003et, a, c ); // y^2 - x^2\n+ gf_sqr ( p-\u003ex, 
p-\u003ez );\n+ gf_add ( p-\u003ez, p-\u003ex, p-\u003ex );\n+ gf_sub ( c, p-\u003ez, p-\u003et ); // 2z^2 - y^2 + x^2\n+ gf_div_i ( a, c );\n+ gf_mul ( c, a, RISTRETTO_FACTOR );\n+ gf_mul ( p-\u003ex, b, p-\u003et); // (2xy)(y^2-x^2)\n+ gf_mul ( p-\u003ez, p-\u003et, c ); // (y^2-x^2)sd(2z^2 - y^2 + x^2)\n+ gf_mul ( p-\u003ey, d, c ); // (y^2+x^2)sd(2z^2 - y^2 + x^2)\n+ gf_mul ( p-\u003et, d, b );\n+ decaf_bzero(a,sizeof(a));\n+ decaf_bzero(b,sizeof(b));\n+ decaf_bzero(c,sizeof(c));\n+ decaf_bzero(d,sizeof(d));\n+ } \n+ #elif IMAGINE_TWIST\n+ {\n+ gf_mul(p-\u003et,p-\u003ex,SQRT_MINUS_ONE);\n+ gf_copy(p-\u003ex,p-\u003et);\n+ gf_mul(p-\u003et,p-\u003ex,p-\u003ey);\n+ }\n+ #else\n+ {\n+ /* 4-isogeny 2xy/(y^2-ax^2), (y^2+ax^2)/(2-y^2-ax^2) */\n+ gf a, b, c, d;\n+ gf_sqr ( c, p-\u003ex );\n+ gf_sqr ( a, p-\u003ey );\n+ gf_add ( d, c, a );\n+ gf_add ( p-\u003et, p-\u003ey, p-\u003ex );\n+ gf_sqr ( b, p-\u003et );\n+ gf_sub ( b, b, d );\n+ gf_sub ( p-\u003et, a, c );\n+ gf_sqr ( p-\u003ex, p-\u003ez );\n+ gf_add ( p-\u003ez, p-\u003ex, p-\u003ex );\n+ gf_sub ( a, p-\u003ez, d );\n+ gf_mul ( p-\u003ex, a, b );\n+ gf_mul ( p-\u003ez, p-\u003et, a );\n+ gf_mul ( p-\u003ey, p-\u003et, d );\n+ gf_mul ( p-\u003et, b, d );\n+ decaf_bzero(a,sizeof(a));\n+ decaf_bzero(b,sizeof(b));\n+ decaf_bzero(c,sizeof(c));\n+ decaf_bzero(d,sizeof(d));\n+ }\n+ #endif\n+ \n+ decaf_bzero(enc2,sizeof(enc2));\n+ assert(API_NS(point_valid)(p) || ~succ);\n+ \n+ return decaf_succeed_if(mask_to_bool(succ));\n+}\n+\n+decaf_error_t decaf_x448 (\n+ uint8_t out[X_PUBLIC_BYTES],\n+ const uint8_t base[X_PUBLIC_BYTES],\n+ const uint8_t scalar[X_PRIVATE_BYTES]\n+) {\n+ gf x1, x2, z2, x3, z3, t1, t2;\n+ ignore_result(gf_deserialize(x1,base,1,0));\n+ gf_copy(x2,ONE);\n+ gf_copy(z2,ZERO);\n+ gf_copy(x3,x1);\n+ gf_copy(z3,ONE);\n+ \n+ int t;\n+ mask_t swap \u003d 0;\n+ \n+ for (t \u003d X_PRIVATE_BITS-1; t\u003e\u003d0; t--) {\n+ uint8_t sb \u003d scalar[t/8];\n+ \n+ /* Scalar conditioning */\n+ if 
(t/8\u003d\u003d0) sb \u0026\u003d -(uint8_t)COFACTOR;\n+ else if (t \u003d\u003d X_PRIVATE_BITS-1) sb \u003d -1;\n+ \n+ mask_t k_t \u003d (sb\u003e\u003e(t%8)) \u0026 1;\n+ k_t \u003d -k_t; /* set to all 0s or all 1s */\n+ \n+ swap ^\u003d k_t;\n+ gf_cond_swap(x2,x3,swap);\n+ gf_cond_swap(z2,z3,swap);\n+ swap \u003d k_t;\n+ \n+ gf_add_nr(t1,x2,z2); /* A \u003d x2 + z2 */ /* 2+e */\n+ gf_sub_nr(t2,x2,z2); /* B \u003d x2 - z2 */ /* 3+e */\n+ gf_sub_nr(z2,x3,z3); /* D \u003d x3 - z3 */ /* 3+e */\n+ gf_mul(x2,t1,z2); /* DA */\n+ gf_add_nr(z2,z3,x3); /* C \u003d x3 + z3 */ /* 2+e */\n+ gf_mul(x3,t2,z2); /* CB */\n+ gf_sub_nr(z3,x2,x3); /* DA-CB */ /* 3+e */\n+ gf_sqr(z2,z3); /* (DA-CB)^2 */\n+ gf_mul(z3,x1,z2); /* z3 \u003d x1(DA-CB)^2 */\n+ gf_add_nr(z2,x2,x3); /* (DA+CB) */ /* 2+e */\n+ gf_sqr(x3,z2); /* x3 \u003d (DA+CB)^2 */\n+ \n+ gf_sqr(z2,t1); /* AA \u003d A^2 */\n+ gf_sqr(t1,t2); /* BB \u003d B^2 */\n+ gf_mul(x2,z2,t1); /* x2 \u003d AA*BB */\n+ gf_sub_nr(t2,z2,t1); /* E \u003d AA-BB */ /* 3+e */\n+ \n+ gf_mulw(t1,t2,-EDWARDS_D); /* E*-d \u003d a24*E */\n+ gf_add_nr(t1,t1,z2); /* AA + a24*E */ /* 2+e */\n+ gf_mul(z2,t2,t1); /* z2 \u003d E(AA+a24*E) */\n+ }\n+ \n+ /* Finish */\n+ gf_cond_swap(x2,x3,swap);\n+ gf_cond_swap(z2,z3,swap);\n+ gf_invert(z2,z2,0);\n+ gf_mul(x1,x2,z2);\n+ gf_serialize(out,x1,1);\n+ mask_t nz \u003d ~gf_eq(x1,ZERO);\n+ \n+ decaf_bzero(x1,sizeof(x1));\n+ decaf_bzero(x2,sizeof(x2));\n+ decaf_bzero(z2,sizeof(z2));\n+ decaf_bzero(x3,sizeof(x3));\n+ decaf_bzero(z3,sizeof(z3));\n+ decaf_bzero(t1,sizeof(t1));\n+ decaf_bzero(t2,sizeof(t2));\n+ \n+ return decaf_succeed_if(mask_to_bool(nz));\n+}\n+\n+/* Thanks Johan Pascal */\n+void decaf_ed448_convert_public_key_to_x448 (\n+ uint8_t x[DECAF_X448_PUBLIC_BYTES],\n+ const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES]\n+) {\n+ gf y;\n+ const uint8_t mask \u003d (uint8_t)(0xFE\u003c\u003c(7));\n+ ignore_result(gf_deserialize(y, ed, 1, mask));\n+ \n+ {\n+ gf n,d;\n+ \n+#if EDDSA_USE_SIGMA_ISOGENY\n+ /* u 
\u003d (1+y)/(1-y)*/\n+ gf_add(n, y, ONE); /* n \u003d y+1 */\n+ gf_sub(d, ONE, y); /* d \u003d 1-y */\n+ gf_invert(d, d, 0); /* d \u003d 1/(1-y) */\n+ gf_mul(y, n, d); /* u \u003d (y+1)/(1-y) */\n+ gf_serialize(x,y,1);\n+#else /* EDDSA_USE_SIGMA_ISOGENY */\n+ /* u \u003d y^2 * (1-dy^2) / (1-y^2) */\n+ gf_sqr(n,y); /* y^2*/\n+ gf_sub(d,ONE,n); /* 1-y^2*/\n+ gf_invert(d,d,0); /* 1/(1-y^2)*/\n+ gf_mul(y,n,d); /* y^2 / (1-y^2) */\n+ gf_mulw(d,n,EDWARDS_D); /* dy^2*/\n+ gf_sub(d, ONE, d); /* 1-dy^2*/\n+ gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */\n+ gf_serialize(x,n,1);\n+#endif /* EDDSA_USE_SIGMA_ISOGENY */\n+ \n+ decaf_bzero(y,sizeof(y));\n+ decaf_bzero(n,sizeof(n));\n+ decaf_bzero(d,sizeof(d));\n+ }\n+}\n+\n+void decaf_x448_generate_key (\n+ uint8_t out[X_PUBLIC_BYTES],\n+ const uint8_t scalar[X_PRIVATE_BYTES]\n+) {\n+ decaf_x448_derive_public_key(out,scalar);\n+}\n+\n+void API_NS(point_mul_by_ratio_and_encode_like_x448) (\n+ uint8_t out[X_PUBLIC_BYTES],\n+ const point_t p\n+) {\n+ point_t q;\n+#if COFACTOR \u003d\u003d 8\n+ point_double_internal(q,p,1);\n+#else\n+ API_NS(point_copy)(q,p);\n+#endif\n+ gf_invert(q-\u003et,q-\u003ex,0); /* 1/x */\n+ gf_mul(q-\u003ez,q-\u003et,q-\u003ey); /* y/x */\n+ gf_sqr(q-\u003ey,q-\u003ez); /* (y/x)^2 */\n+#if IMAGINE_TWIST\n+ gf_sub(q-\u003ey,ZERO,q-\u003ey);\n+#endif\n+ gf_serialize(out,q-\u003ey,1);\n+ API_NS(point_destroy(q));\n+}\n+\n+void decaf_x448_derive_public_key (\n+ uint8_t out[X_PUBLIC_BYTES],\n+ const uint8_t scalar[X_PRIVATE_BYTES]\n+) {\n+ /* Scalar conditioning */\n+ uint8_t scalar2[X_PRIVATE_BYTES];\n+ memcpy(scalar2,scalar,sizeof(scalar2));\n+ scalar2[0] \u0026\u003d -(uint8_t)COFACTOR;\n+ \n+ scalar2[X_PRIVATE_BYTES-1] \u0026\u003d ~(-1u\u003c\u003c((X_PRIVATE_BITS+7)%8));\n+ scalar2[X_PRIVATE_BYTES-1] |\u003d 1\u003c\u003c((X_PRIVATE_BITS+7)%8);\n+ \n+ scalar_t the_scalar;\n+ API_NS(scalar_decode_long)(the_scalar,scalar2,sizeof(scalar2));\n+ \n+ /* Compensate for the encoding ratio */\n+ for (unsigned 
i\u003d1; i\u003cDECAF_X448_ENCODE_RATIO; i\u003c\u003c\u003d1) {\n+ API_NS(scalar_halve)(the_scalar,the_scalar);\n+ }\n+ point_t p;\n+ API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),the_scalar);\n+ API_NS(point_mul_by_ratio_and_encode_like_x448)(out,p);\n+ API_NS(point_destroy)(p);\n+}\n+\n+/**\n+ * @cond internal\n+ * Control for variable-time scalar multiply algorithms.\n+ */\n+struct smvt_control {\n+ int power, addend;\n+};\n+\n+static int recode_wnaf (\n+ struct smvt_control *control, /* [nbits/(table_bits+1) + 3] */\n+ const scalar_t scalar,\n+ unsigned int table_bits\n+) {\n+ unsigned int table_size \u003d SCALAR_BITS/(table_bits+1) + 3;\n+ int position \u003d table_size - 1; /* at the end */\n+ \n+ /* place the end marker */\n+ control[position].power \u003d -1;\n+ control[position].addend \u003d 0;\n+ position--;\n+\n+ /* PERF: Could negate scalar if it's large. But then would need more cases\n+ * in the actual code that uses it, all for an expected reduction of like 1/5 op.\n+ * Probably not worth it.\n+ */\n+ \n+ uint64_t current \u003d scalar-\u003elimb[0] \u0026 0xFFFF;\n+ uint32_t mask \u003d (1\u003c\u003c(table_bits+1))-1;\n+\n+ unsigned int w;\n+ const unsigned int B_OVER_16 \u003d sizeof(scalar-\u003elimb[0]) / 2;\n+ for (w \u003d 1; w\u003c(SCALAR_BITS-1)/16+3; w++) {\n+ if (w \u003c (SCALAR_BITS-1)/16+1) {\n+ /* Refill the 16 high bits of current */\n+ current +\u003d (uint32_t)((scalar-\u003elimb[w/B_OVER_16]\u003e\u003e(16*(w%B_OVER_16)))\u003c\u003c16);\n+ }\n+ \n+ while (current \u0026 0xFFFF) {\n+ assert(position \u003e\u003d 0);\n+ uint32_t pos \u003d __builtin_ctz((uint32_t)current), odd \u003d (uint32_t)current \u003e\u003e pos;\n+ int32_t delta \u003d odd \u0026 mask;\n+ if (odd \u0026 1\u003c\u003c(table_bits+1)) delta -\u003d (1\u003c\u003c(table_bits+1));\n+ current -\u003d delta \u003c\u003c pos;\n+ control[position].power \u003d pos + 16*(w-1);\n+ control[position].addend \u003d delta;\n+ position--;\n+ }\n+ current 
\u003e\u003e\u003d 16;\n+ }\n+ assert(current\u003d\u003d0);\n+ \n+ position++;\n+ unsigned int n \u003d table_size - position;\n+ unsigned int i;\n+ for (i\u003d0; i\u003cn; i++) {\n+ control[i] \u003d control[i+position];\n+ }\n+ return n-1;\n+}\n+\n+static void\n+prepare_wnaf_table(\n+ pniels_t *output,\n+ const point_t working,\n+ unsigned int tbits\n+) {\n+ point_t tmp;\n+ int i;\n+ pt_to_pniels(output[0], working);\n+\n+ if (tbits \u003d\u003d 0) return;\n+\n+ API_NS(point_double)(tmp,working);\n+ pniels_t twop;\n+ pt_to_pniels(twop, tmp);\n+\n+ add_pniels_to_pt(tmp, output[0],0);\n+ pt_to_pniels(output[1], tmp);\n+\n+ for (i\u003d2; i \u003c 1\u003c\u003ctbits; i++) {\n+ add_pniels_to_pt(tmp, twop,0);\n+ pt_to_pniels(output[i], tmp);\n+ }\n+ \n+ API_NS(point_destroy)(tmp);\n+ decaf_bzero(twop,sizeof(twop));\n+}\n+\n+extern const gf API_NS(precomputed_wnaf_as_fe)[];\n+static const niels_t *API_NS(wnaf_base) \u003d (const niels_t *)API_NS(precomputed_wnaf_as_fe);\n+const size_t API_NS(sizeof_precomputed_wnafs) __attribute((visibility(\u0022hidden\u0022)))\n+ \u003d sizeof(niels_t)\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS;\n+\n+void API_NS(precompute_wnafs) (\n+ niels_t out[1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS],\n+ const point_t base\n+) __attribute__ ((visibility (\u0022hidden\u0022)));\n+\n+void API_NS(precompute_wnafs) (\n+ niels_t out[1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS],\n+ const point_t base\n+) {\n+ pniels_t tmp[1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS];\n+ gf zs[1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS], zis[1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS];\n+ int i;\n+ prepare_wnaf_table(tmp,base,DECAF_WNAF_FIXED_TABLE_BITS);\n+ for (i\u003d0; i\u003c1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS; i++) {\n+ memcpy(out[i], tmp[i]-\u003en, sizeof(niels_t));\n+ gf_copy(zs[i], tmp[i]-\u003ez);\n+ }\n+ batch_normalize_niels(out, (const gf *)zs, zis, 1\u003c\u003cDECAF_WNAF_FIXED_TABLE_BITS);\n+ \n+ decaf_bzero(tmp,sizeof(tmp));\n+ decaf_bzero(zs,sizeof(zs));\n+ 
decaf_bzero(zis,sizeof(zis));\n+}\n+\n+void API_NS(base_double_scalarmul_non_secret) (\n+ point_t combo,\n+ const scalar_t scalar1,\n+ const point_t base2,\n+ const scalar_t scalar2\n+) {\n+ const int table_bits_var \u003d DECAF_WNAF_VAR_TABLE_BITS,\n+ table_bits_pre \u003d DECAF_WNAF_FIXED_TABLE_BITS;\n+ struct smvt_control control_var[SCALAR_BITS/(table_bits_var+1)+3];\n+ struct smvt_control control_pre[SCALAR_BITS/(table_bits_pre+1)+3];\n+ \n+ int ncb_pre \u003d recode_wnaf(control_pre, scalar1, table_bits_pre);\n+ int ncb_var \u003d recode_wnaf(control_var, scalar2, table_bits_var);\n+ \n+ pniels_t precmp_var[1\u003c\u003ctable_bits_var];\n+ prepare_wnaf_table(precmp_var, base2, table_bits_var);\n+ \n+ int contp\u003d0, contv\u003d0, i \u003d control_var[0].power;\n+\n+ if (i \u003c 0) {\n+ API_NS(point_copy)(combo, API_NS(point_identity));\n+ return;\n+ } else if (i \u003e control_pre[0].power) {\n+ pniels_to_pt(combo, precmp_var[control_var[0].addend \u003e\u003e 1]);\n+ contv++;\n+ } else if (i \u003d\u003d control_pre[0].power \u0026\u0026 i \u003e\u003d0 ) {\n+ pniels_to_pt(combo, precmp_var[control_var[0].addend \u003e\u003e 1]);\n+ add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend \u003e\u003e 1], i);\n+ contv++; contp++;\n+ } else {\n+ i \u003d control_pre[0].power;\n+ niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend \u003e\u003e 1]);\n+ contp++;\n+ }\n+ \n+ for (i--; i \u003e\u003d 0; i--) {\n+ int cv \u003d (i\u003d\u003dcontrol_var[contv].power), cp \u003d (i\u003d\u003dcontrol_pre[contp].power);\n+ point_double_internal(combo,combo,i \u0026\u0026 !(cv||cp));\n+\n+ if (cv) {\n+ assert(control_var[contv].addend);\n+\n+ if (control_var[contv].addend \u003e 0) {\n+ add_pniels_to_pt(combo, precmp_var[control_var[contv].addend \u003e\u003e 1], i\u0026\u0026!cp);\n+ } else {\n+ sub_pniels_from_pt(combo, precmp_var[(-control_var[contv].addend) \u003e\u003e 1], i\u0026\u0026!cp);\n+ }\n+ contv++;\n+ }\n+\n+ if (cp) {\n+ 
assert(control_pre[contp].addend);\n+\n+ if (control_pre[contp].addend \u003e 0) {\n+ add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[contp].addend \u003e\u003e 1], i);\n+ } else {\n+ sub_niels_from_pt(combo, API_NS(wnaf_base)[(-control_pre[contp].addend) \u003e\u003e 1], i);\n+ }\n+ contp++;\n+ }\n+ }\n+ \n+ /* This function is non-secret, but whatever this is cheap. */\n+ decaf_bzero(control_var,sizeof(control_var));\n+ decaf_bzero(control_pre,sizeof(control_pre));\n+ decaf_bzero(precmp_var,sizeof(precmp_var));\n+\n+ assert(contv \u003d\u003d ncb_var); (void)ncb_var;\n+ assert(contp \u003d\u003d ncb_pre); (void)ncb_pre;\n+}\n+\n+void API_NS(point_destroy) (\n+ point_t point\n+) {\n+ decaf_bzero(point, sizeof(point_t));\n+}\n+\n+void API_NS(precomputed_destroy) (\n+ precomputed_s *pre\n+) {\n+ decaf_bzero(pre, API_NS(sizeof_precomputed_s));\n+}\ndiff --git a/crypto/ec/curve448/decaf.h b/crypto/ec/curve448/decaf.h\nnew file mode 100644\nindex 0000000..d3cb60c\n--- /dev/null\n+++ b/crypto/ec/curve448/decaf.h\n@@ -0,0 +1,32 @@\n+/**\n+ * @file decaf.h\n+ * @author Mike Hamburg\n+ *\n+ * @copyright\n+ * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ *\n+ * Master header for Decaf library.\n+ *\n+ * The Decaf library implements cryptographic operations on a elliptic curve\n+ * groups of prime order p. It accomplishes this by using a twisted Edwards\n+ * curve (isogenous to Ed448-Goldilocks or Ed25519) and wiping out the cofactor.\n+ *\n+ * The formulas are all complete and have no special cases. However, some\n+ * functions can fail. 
For example, decoding functions can fail because not\n+ * every string is the encoding of a valid group element.\n+ *\n+ * The formulas contain no data-dependent branches, timing or memory accesses,\n+ * except for decaf_XXX_base_double_scalarmul_non_secret.\n+ *\n+ * @warning This file was automatically generated in Python.\n+ * Please do not edit it.\n+ */\n+\n+#ifndef __DECAF_H__\n+#define __DECAF_H__ 1\n+\n+#include \u003cdecaf/point_255.h\u003e\n+#include \u003cdecaf/point_448.h\u003e\n+\n+#endif /* __DECAF_H__ */\ndiff --git a/crypto/ec/curve448/decaf/common.h b/crypto/ec/curve448/decaf/common.h\nnew file mode 100644\nindex 0000000..64719ad\n--- /dev/null\n+++ b/crypto/ec/curve448/decaf/common.h\n@@ -0,0 +1,116 @@\n+/**\n+ * @file decaf/common.h\n+ * @author Mike Hamburg\n+ *\n+ * @copyright\n+ * Copyright (c) 2015 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ *\n+ * @brief Common utility headers for Decaf library.\n+ */\n+\n+#ifndef __DECAF_COMMON_H__\n+#define __DECAF_COMMON_H__ 1\n+\n+#include \u003cstdint.h\u003e\n+#include \u003csys/types.h\u003e\n+\n+#ifdef __cplusplus\n+extern \u0022C\u0022 {\n+#endif\n+\n+/* Goldilocks' build flags default to hidden and stripping executables. 
*/\n+/** @cond internal */\n+#if defined(DOXYGEN) \u0026\u0026 !defined(__attribute__)\n+#define __attribute__((x))\n+#endif\n+#define DECAF_API_VIS __attribute__((visibility(\u0022default\u0022)))\n+#define DECAF_NOINLINE __attribute__((noinline))\n+#define DECAF_WARN_UNUSED __attribute__((warn_unused_result))\n+#define DECAF_NONNULL __attribute__((nonnull))\n+#define DECAF_INLINE inline __attribute__((always_inline,unused))\n+// Cribbed from libnotmuch\n+#if defined (__clang_major__) \u0026\u0026 __clang_major__ \u003e\u003d 3 \u005c\n+ || defined (__GNUC__) \u0026\u0026 __GNUC__ \u003e\u003d 5 \u005c\n+ || defined (__GNUC__) \u0026\u0026 __GNUC__ \u003d\u003d 4 \u0026\u0026 __GNUC_MINOR__ \u003e\u003d 5\n+#define DECAF_DEPRECATED(msg) __attribute__ ((deprecated(msg)))\n+#else\n+#define DECAF_DEPRECATED(msg) __attribute__ ((deprecated))\n+#endif\n+/** @endcond */\n+\n+/* Internal word types.\n+ *\n+ * Somewhat tricky. This could be decided separately per platform. However,\n+ * the structs do need to be all the same size and alignment on a given\n+ * platform to support dynamic linking, since even if you header was built\n+ * with eg arch_neon, you might end up linking a library built with arch_arm32.\n+ */\n+#ifndef DECAF_WORD_BITS\n+ #if (defined(__ILP64__) || defined(__amd64__) || defined(__x86_64__) || (((__UINT_FAST32_MAX__)\u003e\u003e30)\u003e\u003e30))\n+ #define DECAF_WORD_BITS 64 /**\u003c The number of bits in a word */\n+ #else\n+ #define DECAF_WORD_BITS 32 /**\u003c The number of bits in a word */\n+ #endif\n+#endif\n+ \n+#if DECAF_WORD_BITS \u003d\u003d 64\n+typedef uint64_t decaf_word_t; /**\u003c Word size for internal computations */\n+typedef int64_t decaf_sword_t; /**\u003c Signed word size for internal computations */\n+typedef uint64_t decaf_bool_t; /**\u003c \u0022Boolean\u0022 type, will be set to all-zero or all-one (i.e. 
-1u) */\n+typedef __uint128_t decaf_dword_t; /**\u003c Double-word size for internal computations */\n+typedef __int128_t decaf_dsword_t; /**\u003c Signed double-word size for internal computations */\n+#elif DECAF_WORD_BITS \u003d\u003d 32 /**\u003c The number of bits in a word */\n+typedef uint32_t decaf_word_t; /**\u003c Word size for internal computations */\n+typedef int32_t decaf_sword_t; /**\u003c Signed word size for internal computations */\n+typedef uint32_t decaf_bool_t; /**\u003c \u0022Boolean\u0022 type, will be set to all-zero or all-one (i.e. -1u) */\n+typedef uint64_t decaf_dword_t; /**\u003c Double-word size for internal computations */\n+typedef int64_t decaf_dsword_t; /**\u003c Signed double-word size for internal computations */\n+#else\n+#error \u0022Only supporting DECAF_WORD_BITS \u003d 32 or 64 for now\u0022\n+#endif\n+ \n+/** DECAF_TRUE \u003d -1 so that DECAF_TRUE \u0026 x \u003d x */\n+static const decaf_bool_t DECAF_TRUE \u003d -(decaf_bool_t)1;\n+\n+/** DECAF_FALSE \u003d 0 so that DECAF_FALSE \u0026 x \u003d 0 */\n+static const decaf_bool_t DECAF_FALSE \u003d 0;\n+\n+/** Another boolean type used to indicate success or failure. */\n+typedef enum {\n+ DECAF_SUCCESS \u003d -1, /**\u003c The operation succeeded. */\n+ DECAF_FAILURE \u003d 0 /**\u003c The operation failed. */\n+} decaf_error_t;\n+\n+\n+/** Return success if x is true */\n+static DECAF_INLINE decaf_error_t\n+decaf_succeed_if(decaf_bool_t x) {\n+ return (decaf_error_t)x;\n+}\n+\n+/** Return DECAF_TRUE iff x \u003d\u003d DECAF_SUCCESS */\n+static DECAF_INLINE decaf_bool_t\n+decaf_successful(decaf_error_t e) {\n+ decaf_dword_t w \u003d ((decaf_word_t)e) ^ ((decaf_word_t)DECAF_SUCCESS);\n+ return (w-1)\u003e\u003eDECAF_WORD_BITS;\n+}\n+ \n+/** Overwrite data with zeros. Uses memset_s if available. */\n+void decaf_bzero (\n+ void *data,\n+ size_t size\n+) DECAF_NONNULL DECAF_API_VIS;\n+\n+/** Compare two buffers, returning DECAF_TRUE if they are equal. 
*/\n+decaf_bool_t decaf_memeq (\n+ const void *data1,\n+ const void *data2,\n+ size_t size\n+) DECAF_NONNULL DECAF_WARN_UNUSED DECAF_API_VIS;\n+ \n+#ifdef __cplusplus\n+} /* extern \u0022C\u0022 */\n+#endif\n+ \n+#endif /* __DECAF_COMMON_H__ */\ndiff --git a/crypto/ec/curve448/decaf/ed448.h b/crypto/ec/curve448/decaf/ed448.h\nnew file mode 100644\nindex 0000000..eeed619\n--- /dev/null\n+++ b/crypto/ec/curve448/decaf/ed448.h\n@@ -0,0 +1,251 @@\n+/**\n+ * @file decaf/ed448.h\n+ * @author Mike Hamburg\n+ *\n+ * @copyright\n+ * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ *\n+ * @brief A group of prime order p, based on Ed448-Goldilocks.\n+ *\n+ * @warning This file was automatically generated in Python.\n+ * Please do not edit it.\n+ */\n+\n+#ifndef __DECAF_ED448_H__\n+#define __DECAF_ED448_H__ 1\n+\n+#include \u003cdecaf/point_448.h\u003e\n+#include \u003cdecaf/shake.h\u003e\n+#include \u003cdecaf/sha512.h\u003e\n+\n+#ifdef __cplusplus\n+extern \u0022C\u0022 {\n+#endif\n+\n+/** Number of bytes in an EdDSA public key. */\n+#define DECAF_EDDSA_448_PUBLIC_BYTES 57\n+\n+/** Number of bytes in an EdDSA private key. */\n+#define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES\n+\n+/** Number of bytes in an EdDSA private key. */\n+#define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + DECAF_EDDSA_448_PRIVATE_BYTES)\n+\n+/** Does EdDSA support non-contextual signatures? */\n+#define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0\n+\n+/** Prehash context renaming macros. */\n+#define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s\n+#define decaf_ed448_prehash_ctx_t decaf_shake256_ctx_t\n+#define decaf_ed448_prehash_update decaf_shake256_update\n+#define decaf_ed448_prehash_destroy decaf_shake256_destroy\n+\n+/** EdDSA encoding ratio. */\n+#define DECAF_448_EDDSA_ENCODE_RATIO 4\n+\n+/** EdDSA decoding ratio. 
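Review bot: `decaf_succeed_if` in decaf/common.h casts its `decaf_bool_t` argument straight to `decaf_error_t`, so it is only correct for the two canonical mask values, and its comment does not say so. With `DECAF_WORD_BITS == 64` the argument is a `uint64_t`, so the conversion to the enum type likely narrows an out-of-range value, which is implementation-defined. A non-canonical input such as 1 would yield a result that is neither `DECAF_SUCCESS` nor `DECAF_FAILURE`. I would tighten the comment to `/** Return success if x is true; x must be exactly DECAF_TRUE or DECAF_FALSE, because the value is cast rather than tested. */`. The `decaf_error_t` comment should also say that success is -1 and that callers must compare against `DECAF_SUCCESS` or use `decaf_successful()`, not test for a positive or "== 1" result.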
*/\n+#define DECAF_448_EDDSA_DECODE_RATIO (4 / 4)\n+\n+/**\n+ * @brief EdDSA key generation. This function uses a different (non-Decaf)\n+ * encoding.\n+ *\n+ * @param [out] pubkey The public key.\n+ * @param [in] privkey The private key.\n+ */ \n+void decaf_ed448_derive_public_key (\n+ uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief EdDSA signing.\n+ *\n+ * @param [out] signature The signature.\n+ * @param [in] privkey The private key.\n+ * @param [in] pubkey The public key.\n+ * @param [in] message The message to sign.\n+ * @param [in] message_len The length of the message.\n+ * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.\n+ * @param [in] context A \u0022context\u0022 for this signature of up to 255 bytes.\n+ * @param [in] context_len Length of the context.\n+ *\n+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed\n+ * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is\n+ * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives\n+ * you no seat belt.\n+ */ \n+void decaf_ed448_sign (\n+ uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n+ const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],\n+ const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const uint8_t *message,\n+ size_t message_len,\n+ uint8_t prehashed,\n+ const uint8_t *context,\n+ uint8_t context_len\n+) DECAF_API_VIS __attribute__((nonnull(1,2,3))) DECAF_NOINLINE;\n+\n+/**\n+ * @brief EdDSA signing with prehash.\n+ *\n+ * @param [out] signature The signature.\n+ * @param [in] privkey The private key.\n+ * @param [in] pubkey The public key.\n+ * @param [in] hash The hash of the message. 
This object will not be modified by the call.\n+ * @param [in] context A \u0022context\u0022 for this signature of up to 255 bytes. Must be the same as what was used for the prehash.\n+ * @param [in] context_len Length of the context.\n+ *\n+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed\n+ * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is\n+ * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives\n+ * you no seat belt.\n+ */ \n+void decaf_ed448_sign_prehash (\n+ uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n+ const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],\n+ const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const decaf_ed448_prehash_ctx_t hash,\n+ const uint8_t *context,\n+ uint8_t context_len\n+) DECAF_API_VIS __attribute__((nonnull(1,2,3,4))) DECAF_NOINLINE;\n+ \n+/**\n+ * @brief Prehash initialization, with contexts if supported.\n+ *\n+ * @param [out] hash The hash object to be initialized.\n+ */\n+void decaf_ed448_prehash_init (\n+ decaf_ed448_prehash_ctx_t hash\n+) DECAF_API_VIS __attribute__((nonnull(1))) DECAF_NOINLINE;\n+\n+/**\n+ * @brief EdDSA signature verification.\n+ *\n+ * Uses the standard (i.e. less-strict) verification formula.\n+ *\n+ * @param [in] signature The signature.\n+ * @param [in] pubkey The public key.\n+ * @param [in] message The message to verify.\n+ * @param [in] message_len The length of the message.\n+ * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.\n+ * @param [in] context A \u0022context\u0022 for this signature of up to 255 bytes.\n+ * @param [in] context_len Length of the context.\n+ *\n+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed\n+ * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is\n+ * safe. 
The C++ wrapper is designed to make it harder to screw this up, but this C code gives\n+ * you no seat belt.\n+ */\n+decaf_error_t decaf_ed448_verify (\n+ const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n+ const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const uint8_t *message,\n+ size_t message_len,\n+ uint8_t prehashed,\n+ const uint8_t *context,\n+ uint8_t context_len\n+) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;\n+\n+/**\n+ * @brief EdDSA signature verification.\n+ *\n+ * Uses the standard (i.e. less-strict) verification formula.\n+ *\n+ * @param [in] signature The signature.\n+ * @param [in] pubkey The public key.\n+ * @param [in] hash The hash of the message. This object will not be modified by the call.\n+ * @param [in] context A \u0022context\u0022 for this signature of up to 255 bytes. Must be the same as what was used for the prehash.\n+ * @param [in] context_len Length of the context.\n+ *\n+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed\n+ * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is\n+ * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives\n+ * you no seat belt.\n+ */\n+decaf_error_t decaf_ed448_verify_prehash (\n+ const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n+ const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const decaf_ed448_prehash_ctx_t hash,\n+ const uint8_t *context,\n+ uint8_t context_len\n+) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;\n+\n+/**\n+ * @brief EdDSA point encoding. Used internally, exposed externally.\n+ * Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first.\n+ *\n+ * The multiplication is required because the EdDSA encoding represents\n+ * the cofactor information, but the Decaf encoding ignores it (which\n+ * is the whole point). 
So if you decode from EdDSA and re-encode to\n+ * EdDSA, the cofactor info must get cleared, because the intermediate\n+ * representation doesn't track it.\n+ *\n+ * The way libdecaf handles this is to multiply by\n+ * DECAF_448_EDDSA_DECODE_RATIO when decoding, and by\n+ * DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these\n+ * ratios is always exactly the cofactor 4, so the cofactor\n+ * ends up cleared one way or another. But exactly how that shakes\n+ * out depends on the base points specified in RFC 8032.\n+ *\n+ * The upshot is that if you pass the Decaf/Ristretto base point to\n+ * this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the\n+ * EdDSA base point.\n+ *\n+ * @param [out] enc The encoded point.\n+ * @param [in] p The point.\n+ */ \n+void decaf_448_point_mul_by_ratio_and_encode_like_eddsa (\n+ uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const decaf_448_point_t p\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief EdDSA point decoding. 
Multiplies by DECAF_448_EDDSA_DECODE_RATIO,\n+ * and ignores cofactor information.\n+ *\n+ * See notes on decaf_448_point_mul_by_ratio_and_encode_like_eddsa\n+ *\n+ * @param [out] enc The encoded point.\n+ * @param [in] p The point.\n+ */ \n+decaf_error_t decaf_448_point_decode_like_eddsa_and_mul_by_ratio (\n+ decaf_448_point_t p,\n+ const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief EdDSA to ECDH public key conversion\n+ * Deserialize the point to get y on Edwards curve,\n+ * Convert it to u coordinate on Montgomery curve.\n+ *\n+ * @warning This function does not check that the public key being converted\n+ * is a valid EdDSA public key (FUTURE?)\n+ *\n+ * @param[out] x The ECDH public key as in RFC7748(point on Montgomery curve)\n+ * @param[in] ed The EdDSA public key(point on Edwards curve)\n+ */\n+void decaf_ed448_convert_public_key_to_x448 (\n+ uint8_t x[DECAF_X448_PUBLIC_BYTES],\n+ const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief EdDSA to ECDH private key conversion\n+ * Using the appropriate hash function, hash the EdDSA private key\n+ * and keep only the lower bytes to get the ECDH private key\n+ *\n+ * @param[out] x The ECDH private key as in RFC7748\n+ * @param[in] ed The EdDSA private key\n+ */\n+void decaf_ed448_convert_private_key_to_x448 (\n+ uint8_t x[DECAF_X448_PRIVATE_BYTES],\n+ const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+#ifdef __cplusplus\n+} /* extern \u0022C\u0022 */\n+#endif\n+\n+#endif /* __DECAF_ED448_H__ */\ndiff --git a/crypto/ec/curve448/decaf/point_255.h b/crypto/ec/curve448/decaf/point_255.h\nnew file mode 100644\nindex 0000000..94e30a5\n--- /dev/null\n+++ b/crypto/ec/curve448/decaf/point_255.h\n@@ -0,0 +1,765 @@\n+/**\n+ * @file decaf/point_255.h\n+ * @author Mike Hamburg\n+ *\n+ * @copyright\n+ * Copyright (c) 2015-2016 Cryptography Research, Inc. 
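Review bot: `decaf_ed448_verify`, `decaf_ed448_verify_prehash` and `decaf_448_point_decode_like_eddsa_and_mul_by_ratio` in decaf/ed448.h return `decaf_error_t` but are declared without `DECAF_WARN_UNUSED`, so a caller can drop a signature-verification or decode result with no compiler diagnostic. `decaf_memeq` in decaf/common.h and `decaf_255_scalar_decode` in decaf/point_255.h do carry the attribute. I would add it to all three, e.g. `) DECAF_API_VIS DECAF_WARN_UNUSED __attribute__((nonnull(1,2))) DECAF_NOINLINE;` on the verify declarations. Two doc comments in the same hunk are also wrong: `DECAF_EDDSA_448_SIGNATURE_BYTES` is described as "Number of bytes in an EdDSA private key", and the `@param` directions on `decaf_448_point_decode_like_eddsa_and_mul_by_ratio` are swapped (`p` is the output, `enc` the input). The header is marked as generated, so these changes would have to be carried in whatever produces it.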
\u005cn\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ *\n+ * @brief A group of prime order p, based on Curve25519.\n+ *\n+ * @warning This file was automatically generated in Python.\n+ * Please do not edit it.\n+ */\n+\n+#ifndef __DECAF_POINT_255_H__\n+#define __DECAF_POINT_255_H__ 1\n+\n+#include \u003cdecaf/common.h\u003e\n+\n+#ifdef __cplusplus\n+extern \u0022C\u0022 {\n+#endif\n+\n+/** @cond internal */\n+#define DECAF_255_SCALAR_LIMBS ((253-1)/DECAF_WORD_BITS+1)\n+/** @endcond */\n+\n+/** The number of bits in a scalar */\n+#define DECAF_255_SCALAR_BITS 253\n+\n+/** @cond internal */\n+#ifndef __DECAF_25519_GF_DEFINED__\n+#define __DECAF_25519_GF_DEFINED__ 1\n+/** @brief Galois field element internal structure */\n+typedef struct gf_25519_s {\n+ decaf_word_t limb[320/DECAF_WORD_BITS];\n+} __attribute__((aligned(32))) gf_25519_s, gf_25519_t[1];\n+#endif /* __DECAF_25519_GF_DEFINED__ */\n+/** @endcond */\n+\n+/** Number of bytes in a serialized point. */\n+#define DECAF_255_SER_BYTES 32\n+\n+/** Number of bytes in an elligated point. For now set the same as SER_BYTES\n+ * but could be different for other curves.\n+ */\n+#define DECAF_255_HASH_BYTES 32\n+\n+/** Number of bytes in a serialized scalar. */\n+#define DECAF_255_SCALAR_BYTES 32\n+\n+/** Number of bits in the \u0022which\u0022 field of an elligator inverse */\n+#define DECAF_255_INVERT_ELLIGATOR_WHICH_BITS 5\n+\n+/** The cofactor the curve would have, if we hadn't removed it */\n+#define DECAF_255_REMOVED_COFACTOR 8\n+\n+/** X25519 encoding ratio. 
*/\n+#define DECAF_X25519_ENCODE_RATIO 4\n+\n+/** Number of bytes in an x25519 public key */\n+#define DECAF_X25519_PUBLIC_BYTES 32\n+\n+/** Number of bytes in an x25519 private key */\n+#define DECAF_X25519_PRIVATE_BYTES 32\n+\n+/** Twisted Edwards extended homogeneous coordinates */\n+typedef struct decaf_255_point_s {\n+ /** @cond internal */\n+ gf_25519_t x,y,z,t;\n+ /** @endcond */\n+} decaf_255_point_t[1];\n+\n+/** Precomputed table based on a point. Can be trivial implementation. */\n+struct decaf_255_precomputed_s;\n+\n+/** Precomputed table based on a point. Can be trivial implementation. */\n+typedef struct decaf_255_precomputed_s decaf_255_precomputed_s; \n+\n+/** Size and alignment of precomputed point tables. */\n+extern const size_t decaf_255_sizeof_precomputed_s DECAF_API_VIS, decaf_255_alignof_precomputed_s DECAF_API_VIS;\n+\n+/** Scalar is stored packed, because we don't need the speed. */\n+typedef struct decaf_255_scalar_s {\n+ /** @cond internal */\n+ decaf_word_t limb[DECAF_255_SCALAR_LIMBS];\n+ /** @endcond */\n+} decaf_255_scalar_t[1];\n+\n+/** A scalar equal to 1. */\n+extern const decaf_255_scalar_t decaf_255_scalar_one DECAF_API_VIS;\n+\n+/** A scalar equal to 0. */\n+extern const decaf_255_scalar_t decaf_255_scalar_zero DECAF_API_VIS;\n+\n+/** The identity point on the curve. */\n+extern const decaf_255_point_t decaf_255_point_identity DECAF_API_VIS;\n+\n+/** An arbitrarily chosen base point on the curve. */\n+extern const decaf_255_point_t decaf_255_point_base DECAF_API_VIS;\n+\n+/** Precomputed table for the base point on the curve. 
*/\n+extern const struct decaf_255_precomputed_s *decaf_255_precomputed_base DECAF_API_VIS;\n+\n+/**\n+ * @brief Read a scalar from wire format or from bytes.\n+ *\n+ * @param [in] ser Serialized form of a scalar.\n+ * @param [out] out Deserialized form.\n+ *\n+ * @retval DECAF_SUCCESS The scalar was correctly encoded.\n+ * @retval DECAF_FAILURE The scalar was greater than the modulus,\n+ * and has been reduced modulo that modulus.\n+ */\n+decaf_error_t decaf_255_scalar_decode (\n+ decaf_255_scalar_t out,\n+ const unsigned char ser[DECAF_255_SCALAR_BYTES]\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Read a scalar from wire format or from bytes. Reduces mod\n+ * scalar prime.\n+ *\n+ * @param [in] ser Serialized form of a scalar.\n+ * @param [in] ser_len Length of serialized form.\n+ * @param [out] out Deserialized form.\n+ */\n+void decaf_255_scalar_decode_long (\n+ decaf_255_scalar_t out,\n+ const unsigned char *ser,\n+ size_t ser_len\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+ \n+/**\n+ * @brief Serialize a scalar to wire format.\n+ *\n+ * @param [out] ser Serialized form of a scalar.\n+ * @param [in] s Deserialized scalar.\n+ */\n+void decaf_255_scalar_encode (\n+ unsigned char ser[DECAF_255_SCALAR_BYTES],\n+ const decaf_255_scalar_t s\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE;\n+ \n+/**\n+ * @brief Add two scalars. 
The scalars may use the same memory.\n+ * @param [in] a One scalar.\n+ * @param [in] b Another scalar.\n+ * @param [out] out a+b.\n+ */\n+void decaf_255_scalar_add (\n+ decaf_255_scalar_t out,\n+ const decaf_255_scalar_t a,\n+ const decaf_255_scalar_t b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Compare two scalars.\n+ * @param [in] a One scalar.\n+ * @param [in] b Another scalar.\n+ * @retval DECAF_TRUE The scalars are equal.\n+ * @retval DECAF_FALSE The scalars are not equal.\n+ */ \n+decaf_bool_t decaf_255_scalar_eq (\n+ const decaf_255_scalar_t a,\n+ const decaf_255_scalar_t b\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Subtract two scalars. The scalars may use the same memory.\n+ * @param [in] a One scalar.\n+ * @param [in] b Another scalar.\n+ * @param [out] out a-b.\n+ */ \n+void decaf_255_scalar_sub (\n+ decaf_255_scalar_t out,\n+ const decaf_255_scalar_t a,\n+ const decaf_255_scalar_t b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply two scalars. The scalars may use the same memory.\n+ * @param [in] a One scalar.\n+ * @param [in] b Another scalar.\n+ * @param [out] out a*b.\n+ */ \n+void decaf_255_scalar_mul (\n+ decaf_255_scalar_t out,\n+ const decaf_255_scalar_t a,\n+ const decaf_255_scalar_t b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+ \n+/**\n+* @brief Halve a scalar. The scalars may use the same memory.\n+* @param [in] a A scalar.\n+* @param [out] out a/2.\n+*/\n+void decaf_255_scalar_halve (\n+ decaf_255_scalar_t out,\n+ const decaf_255_scalar_t a\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Invert a scalar. When passed zero, return 0. 
The input and output may alias.\n+ * @param [in] a A scalar.\n+ * @param [out] out 1/a.\n+ * @return DECAF_SUCCESS The input is nonzero.\n+ */ \n+decaf_error_t decaf_255_scalar_invert (\n+ decaf_255_scalar_t out,\n+ const decaf_255_scalar_t a\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Copy a scalar. The scalars may use the same memory, in which\n+ * case this function does nothing.\n+ * @param [in] a A scalar.\n+ * @param [out] out Will become a copy of a.\n+ */\n+static inline void DECAF_NONNULL decaf_255_scalar_copy (\n+ decaf_255_scalar_t out,\n+ const decaf_255_scalar_t a\n+) {\n+ *out \u003d *a;\n+}\n+\n+/**\n+ * @brief Set a scalar to an unsigned 64-bit integer.\n+ * @param [in] a An integer.\n+ * @param [out] out Will become equal to a.\n+ */ \n+void decaf_255_scalar_set_unsigned (\n+ decaf_255_scalar_t out,\n+ uint64_t a\n+) DECAF_API_VIS DECAF_NONNULL;\n+\n+/**\n+ * @brief Encode a point as a sequence of bytes.\n+ *\n+ * @param [out] ser The byte representation of the point.\n+ * @param [in] pt The point to encode.\n+ */\n+void decaf_255_point_encode (\n+ uint8_t ser[DECAF_255_SER_BYTES],\n+ const decaf_255_point_t pt\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Decode a point from a sequence of bytes.\n+ *\n+ * Every point has a unique encoding, so not every\n+ * sequence of bytes is a valid encoding. 
If an invalid\n+ * encoding is given, the output is undefined.\n+ *\n+ * @param [out] pt The decoded point.\n+ * @param [in] ser The serialized version of the point.\n+ * @param [in] allow_identity DECAF_TRUE if the identity is a legal input.\n+ * @retval DECAF_SUCCESS The decoding succeeded.\n+ * @retval DECAF_FAILURE The decoding didn't succeed, because\n+ * ser does not represent a point.\n+ */\n+decaf_error_t decaf_255_point_decode (\n+ decaf_255_point_t pt,\n+ const uint8_t ser[DECAF_255_SER_BYTES],\n+ decaf_bool_t allow_identity\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Copy a point. The input and output may alias,\n+ * in which case this function does nothing.\n+ *\n+ * @param [out] a A copy of the point.\n+ * @param [in] b Any point.\n+ */\n+static inline void DECAF_NONNULL decaf_255_point_copy (\n+ decaf_255_point_t a,\n+ const decaf_255_point_t b\n+) {\n+ *a\u003d*b;\n+}\n+\n+/**\n+ * @brief Test whether two points are equal. If yes, return\n+ * DECAF_TRUE, else return DECAF_FALSE.\n+ *\n+ * @param [in] a A point.\n+ * @param [in] b Another point.\n+ * @retval DECAF_TRUE The points are equal.\n+ * @retval DECAF_FALSE The points are not equal.\n+ */\n+decaf_bool_t decaf_255_point_eq (\n+ const decaf_255_point_t a,\n+ const decaf_255_point_t b\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Add two points to produce a third point. The\n+ * input points and output point can be pointers to the same\n+ * memory.\n+ *\n+ * @param [out] sum The sum a+b.\n+ * @param [in] a An addend.\n+ * @param [in] b An addend.\n+ */\n+void decaf_255_point_add (\n+ decaf_255_point_t sum,\n+ const decaf_255_point_t a,\n+ const decaf_255_point_t b\n+) DECAF_API_VIS DECAF_NONNULL;\n+\n+/**\n+ * @brief Double a point. 
Equivalent to\n+ * decaf_255_point_add(two_a,a,a), but potentially faster.\n+ *\n+ * @param [out] two_a The sum a+a.\n+ * @param [in] a A point.\n+ */\n+void decaf_255_point_double (\n+ decaf_255_point_t two_a,\n+ const decaf_255_point_t a\n+) DECAF_API_VIS DECAF_NONNULL;\n+\n+/**\n+ * @brief Subtract two points to produce a third point. The\n+ * input points and output point can be pointers to the same\n+ * memory.\n+ *\n+ * @param [out] diff The difference a-b.\n+ * @param [in] a The minuend.\n+ * @param [in] b The subtrahend.\n+ */\n+void decaf_255_point_sub (\n+ decaf_255_point_t diff,\n+ const decaf_255_point_t a,\n+ const decaf_255_point_t b\n+) DECAF_API_VIS DECAF_NONNULL;\n+ \n+/**\n+ * @brief Negate a point to produce another point. The input\n+ * and output points can use the same memory.\n+ *\n+ * @param [out] nega The negated input point\n+ * @param [in] a The input point.\n+ */\n+void decaf_255_point_negate (\n+ decaf_255_point_t nega,\n+ const decaf_255_point_t a\n+) DECAF_API_VIS DECAF_NONNULL;\n+\n+/**\n+ * @brief Multiply a base point by a scalar: scaled \u003d scalar*base.\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] base The point to be scaled.\n+ * @param [in] scalar The scalar to multiply by.\n+ */\n+void decaf_255_point_scalarmul (\n+ decaf_255_point_t scaled,\n+ const decaf_255_point_t base,\n+ const decaf_255_scalar_t scalar\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply a base point by a scalar: scaled \u003d scalar*base.\n+ * This function operates directly on serialized forms.\n+ *\n+ * @warning This function is experimental. 
It may not be supported\n+ * long-term.\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] base The point to be scaled.\n+ * @param [in] scalar The scalar to multiply by.\n+ * @param [in] allow_identity Allow the input to be the identity.\n+ * @param [in] short_circuit Allow a fast return if the input is illegal.\n+ *\n+ * @retval DECAF_SUCCESS The scalarmul succeeded.\n+ * @retval DECAF_FAILURE The scalarmul didn't succeed, because\n+ * base does not represent a point.\n+ */\n+decaf_error_t decaf_255_direct_scalarmul (\n+ uint8_t scaled[DECAF_255_SER_BYTES],\n+ const uint8_t base[DECAF_255_SER_BYTES],\n+ const decaf_255_scalar_t scalar,\n+ decaf_bool_t allow_identity,\n+ decaf_bool_t short_circuit\n+) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;\n+\n+/**\n+ * @brief RFC 7748 Diffie-Hellman scalarmul. This function uses a different\n+ * (non-Decaf) encoding.\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] base The point to be scaled.\n+ * @param [in] scalar The scalar to multiply by.\n+ *\n+ * @retval DECAF_SUCCESS The scalarmul succeeded.\n+ * @retval DECAF_FAILURE The scalarmul didn't succeed, because the base\n+ * point is in a small subgroup.\n+ */\n+decaf_error_t decaf_x25519 (\n+ uint8_t out[DECAF_X25519_PUBLIC_BYTES],\n+ const uint8_t base[DECAF_X25519_PUBLIC_BYTES],\n+ const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply a point by DECAF_X25519_ENCODE_RATIO,\n+ * then encode it like RFC 7748.\n+ *\n+ * This function is mainly used internally, but is exported in case\n+ * it will be useful.\n+ *\n+ * The ratio is necessary because the internal representation doesn't\n+ * track the cofactor information, so on output we must clear the cofactor.\n+ * This would multiply by the cofactor, but in fact internally libdecaf's\n+ * points are always even, so it multiplies by half the cofactor instead.\n+ *\n+ 
* As it happens, this aligns with the base point definitions; that is,\n+ * if you pass the Decaf/Ristretto base point to this function, the result\n+ * will be DECAF_X25519_ENCODE_RATIO times the X25519\n+ * base point.\n+ *\n+ * @param [out] out The scaled and encoded point.\n+ * @param [in] p The point to be scaled and encoded.\n+ */\n+void decaf_255_point_mul_by_ratio_and_encode_like_x25519 (\n+ uint8_t out[DECAF_X25519_PUBLIC_BYTES],\n+ const decaf_255_point_t p\n+) DECAF_API_VIS DECAF_NONNULL;\n+\n+/** The base point for X25519 Diffie-Hellman */\n+extern const uint8_t decaf_x25519_base_point[DECAF_X25519_PUBLIC_BYTES] DECAF_API_VIS;\n+\n+/**\n+ * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses\n+ * a different (non-Decaf) encoding.\n+ *\n+ * @deprecated Renamed to decaf_x25519_derive_public_key.\n+ * I have no particular timeline for removing this name.\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] scalar The scalar to multiply by.\n+ */\n+void decaf_x25519_generate_key (\n+ uint8_t out[DECAF_X25519_PUBLIC_BYTES],\n+ const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_DEPRECATED(\u0022Renamed to decaf_x25519_derive_public_key\u0022);\n+ \n+/**\n+ * @brief RFC 7748 Diffie-Hellman base point scalarmul. 
This function uses\n+ * a different (non-Decaf) encoding.\n+ *\n+ * Does exactly the same thing as decaf_x25519_generate_key,\n+ * but has a better name.\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] scalar The scalar to multiply by.\n+ */\n+void decaf_x25519_derive_public_key (\n+ uint8_t out[DECAF_X25519_PUBLIC_BYTES],\n+ const uint8_t scalar[DECAF_X25519_PRIVATE_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/* FUTURE: uint8_t decaf_255_encode_like_curve25519) */\n+\n+/**\n+ * @brief Precompute a table for fast scalar multiplication.\n+ * Some implementations do not include precomputed points; for\n+ * those implementations, this implementation simply copies the\n+ * point.\n+ *\n+ * @param [out] a A precomputed table of multiples of the point.\n+ * @param [in] b Any point.\n+ */\n+void decaf_255_precompute (\n+ decaf_255_precomputed_s *a,\n+ const decaf_255_point_t b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply a precomputed base point by a scalar:\n+ * scaled \u003d scalar*base.\n+ * Some implementations do not include precomputed points; for\n+ * those implementations, this function is the same as\n+ * decaf_255_point_scalarmul\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] base The point to be scaled.\n+ * @param [in] scalar The scalar to multiply by.\n+ */\n+void decaf_255_precomputed_scalarmul (\n+ decaf_255_point_t scaled,\n+ const decaf_255_precomputed_s *base,\n+ const decaf_255_scalar_t scalar\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply two base points by two scalars:\n+ * scaled \u003d scalar1*base1 + scalar2*base2.\n+ *\n+ * Equivalent to two calls to decaf_255_point_scalarmul, but may be\n+ * faster.\n+ *\n+ * @param [out] combo The linear combination scalar1*base1 + scalar2*base2.\n+ * @param [in] base1 A first point to be scaled.\n+ * @param [in] scalar1 A first scalar to multiply by.\n+ * @param [in] base2 A 
second point to be scaled.\n+ * @param [in] scalar2 A second scalar to multiply by.\n+ */\n+void decaf_255_point_double_scalarmul (\n+ decaf_255_point_t combo,\n+ const decaf_255_point_t base1,\n+ const decaf_255_scalar_t scalar1,\n+ const decaf_255_point_t base2,\n+ const decaf_255_scalar_t scalar2\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+ \n+/**\n+ * Multiply one base point by two scalars:\n+ *\n+ * a1 \u003d scalar1 * base\n+ * a2 \u003d scalar2 * base\n+ *\n+ * Equivalent to two calls to decaf_255_point_scalarmul, but may be\n+ * faster.\n+ *\n+ * @param [out] a1 The first multiple. It may be the same as the input point.\n+ * @param [out] a2 The second multiple. It may be the same as the input point.\n+ * @param [in] base1 A point to be scaled.\n+ * @param [in] scalar1 A first scalar to multiply by.\n+ * @param [in] scalar2 A second scalar to multiply by.\n+ */\n+void decaf_255_point_dual_scalarmul (\n+ decaf_255_point_t a1,\n+ decaf_255_point_t a2,\n+ const decaf_255_point_t base1,\n+ const decaf_255_scalar_t scalar1,\n+ const decaf_255_scalar_t scalar2\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply two base points by two scalars:\n+ * scaled \u003d scalar1*decaf_255_point_base + scalar2*base2.\n+ *\n+ * Otherwise equivalent to decaf_255_point_double_scalarmul, but may be\n+ * faster at the expense of being variable time.\n+ *\n+ * @param [out] combo The linear combination scalar1*base + scalar2*base2.\n+ * @param [in] scalar1 A first scalar to multiply by.\n+ * @param [in] base2 A second point to be scaled.\n+ * @param [in] scalar2 A second scalar to multiply by.\n+ *\n+ * @warning: This function takes variable time, and may leak the scalars\n+ * used. 
It is designed for signature verification.\n+ */\n+void decaf_255_base_double_scalarmul_non_secret (\n+ decaf_255_point_t combo,\n+ const decaf_255_scalar_t scalar1,\n+ const decaf_255_point_t base2,\n+ const decaf_255_scalar_t scalar2\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Constant-time decision between two points. If pick_b\n+ * is zero, out \u003d a; else out \u003d b.\n+ *\n+ * @param [out] out The output. It may be the same as either input.\n+ * @param [in] a Any point.\n+ * @param [in] b Any point.\n+ * @param [in] pick_b If nonzero, choose point b.\n+ */\n+void decaf_255_point_cond_sel (\n+ decaf_255_point_t out,\n+ const decaf_255_point_t a,\n+ const decaf_255_point_t b,\n+ decaf_word_t pick_b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Constant-time decision between two scalars. If pick_b\n+ * is zero, out \u003d a; else out \u003d b.\n+ *\n+ * @param [out] out The output. It may be the same as either input.\n+ * @param [in] a Any scalar.\n+ * @param [in] b Any scalar.\n+ * @param [in] pick_b If nonzero, choose scalar b.\n+ */\n+void decaf_255_scalar_cond_sel (\n+ decaf_255_scalar_t out,\n+ const decaf_255_scalar_t a,\n+ const decaf_255_scalar_t b,\n+ decaf_word_t pick_b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Test that a point is valid, for debugging purposes.\n+ *\n+ * @param [in] to_test The point to test.\n+ * @retval DECAF_TRUE The point is valid.\n+ * @retval DECAF_FALSE The point is invalid.\n+ */\n+decaf_bool_t decaf_255_point_valid (\n+ const decaf_255_point_t to_test\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Torque a point, for debugging purposes. 
The output\n+ * will be equal to the input.\n+ *\n+ * @param [out] q The point to torque.\n+ * @param [in] p The point to torque.\n+ */\n+void decaf_255_point_debugging_torque (\n+ decaf_255_point_t q,\n+ const decaf_255_point_t p\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Projectively scale a point, for debugging purposes.\n+ * The output will be equal to the input, and will be valid\n+ * even if the factor is zero.\n+ *\n+ * @param [out] q The point to scale.\n+ * @param [in] p The point to scale.\n+ * @param [in] factor Serialized GF factor to scale.\n+ */\n+void decaf_255_point_debugging_pscale (\n+ decaf_255_point_t q,\n+ const decaf_255_point_t p,\n+ const unsigned char factor[DECAF_255_SER_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Almost-Elligator-like hash to curve.\n+ *\n+ * Call this function with the output of a hash to make a hash to the curve.\n+ *\n+ * This function runs Elligator2 on the decaf_255 Jacobi quartic model. It then\n+ * uses the isogeny to put the result in twisted Edwards form. As a result,\n+ * it is safe (cannot produce points of order 4), and would be compatible with\n+ * hypothetical other implementations of Decaf using a Montgomery or untwisted\n+ * Edwards model.\n+ *\n+ * Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:\n+ * A factor of 2 due to the isogeny.\n+ * A factor of 2 because we quotient out the 2-torsion.\n+ *\n+ * This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8.\n+ *\n+ * Negating the input (mod q) results in the same point. Inverting the input\n+ * (mod q) results in the negative point. This is the same as Elligator.\n+ *\n+ * This function isn't quite indifferentiable from a random oracle.\n+ * However, it is suitable for many protocols, including SPEKE and SPAKE2 EE. 
\n+ * Furthermore, calling it twice with independent seeds and adding the results\n+ * is indifferentiable from a random oracle.\n+ *\n+ * @param [in] hashed_data Output of some hash function.\n+ * @param [out] pt The data hashed to the curve.\n+ */\n+void\n+decaf_255_point_from_hash_nonuniform (\n+ decaf_255_point_t pt,\n+ const unsigned char hashed_data[DECAF_255_HASH_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Indifferentiable hash function encoding to curve.\n+ *\n+ * Equivalent to calling decaf_255_point_from_hash_nonuniform twice and adding.\n+ *\n+ * @param [in] hashed_data Output of some hash function.\n+ * @param [out] pt The data hashed to the curve.\n+ */ \n+void decaf_255_point_from_hash_uniform (\n+ decaf_255_point_t pt,\n+ const unsigned char hashed_data[2*DECAF_255_HASH_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Inverse of elligator-like hash to curve.\n+ *\n+ * This function writes to the buffer, to make it so that\n+ * decaf_255_point_from_hash_nonuniform(buffer) \u003d pt if\n+ * possible. Since there may be multiple preimages, the\n+ * \u0022which\u0022 parameter chooses between them. To ensure uniform\n+ * inverse sampling, this function succeeds or fails\n+ * independently for different \u0022which\u0022 values.\n+ *\n+ * This function isn't guaranteed to find every possible\n+ * preimage, but it finds all except a small finite number.\n+ * In particular, when the number of bits in the modulus isn't\n+ * a multiple of 8 (i.e. for curve25519), it sets the high bits\n+ * independently, which enables the generated data to be uniform.\n+ * But it doesn't add p, so you'll never get exactly p from this\n+ * function. 
This might change in the future, especially if\n+ * we ever support eg Brainpool curves, where this could cause\n+ * real nonuniformity.\n+ *\n+ * @param [out] recovered_hash Encoded data.\n+ * @param [in] pt The point to encode.\n+ * @param [in] which A value determining which inverse point\n+ * to return.\n+ *\n+ * @retval DECAF_SUCCESS The inverse succeeded.\n+ * @retval DECAF_FAILURE The inverse failed.\n+ */\n+decaf_error_t\n+decaf_255_invert_elligator_nonuniform (\n+ unsigned char recovered_hash[DECAF_255_HASH_BYTES],\n+ const decaf_255_point_t pt,\n+ uint32_t which\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;\n+\n+/**\n+ * @brief Inverse of elligator-like hash to curve.\n+ *\n+ * This function writes to the buffer, to make it so that\n+ * decaf_255_point_from_hash_uniform(buffer) \u003d pt if\n+ * possible. Since there may be multiple preimages, the\n+ * \u0022which\u0022 parameter chooses between them. To ensure uniform\n+ * inverse sampling, this function succeeds or fails\n+ * independently for different \u0022which\u0022 values.\n+ *\n+ * @param [out] recovered_hash Encoded data.\n+ * @param [in] pt The point to encode.\n+ * @param [in] which A value determining which inverse point\n+ * to return.\n+ *\n+ * @retval DECAF_SUCCESS The inverse succeeded.\n+ * @retval DECAF_FAILURE The inverse failed.\n+ */\n+decaf_error_t\n+decaf_255_invert_elligator_uniform (\n+ unsigned char recovered_hash[2*DECAF_255_HASH_BYTES],\n+ const decaf_255_point_t pt,\n+ uint32_t which\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;\n+\n+/**\n+ * @brief Overwrite scalar with zeros.\n+ */\n+void decaf_255_scalar_destroy (\n+ decaf_255_scalar_t scalar\n+) DECAF_NONNULL DECAF_API_VIS;\n+\n+/**\n+ * @brief Overwrite point with zeros.\n+ */\n+void decaf_255_point_destroy (\n+ decaf_255_point_t point\n+) DECAF_NONNULL DECAF_API_VIS;\n+\n+/**\n+ * @brief Overwrite precomputed table with zeros.\n+ */\n+void decaf_255_precomputed_destroy (\n+ 
decaf_255_precomputed_s *pre\n+) DECAF_NONNULL DECAF_API_VIS;\n+\n+#ifdef __cplusplus\n+} /* extern \u0022C\u0022 */\n+#endif\n+\n+#endif /* __DECAF_POINT_255_H__ */\ndiff --git a/crypto/ec/curve448/decaf/point_448.h b/crypto/ec/curve448/decaf/point_448.h\nnew file mode 100644\nindex 0000000..bc1cb43\n--- /dev/null\n+++ b/crypto/ec/curve448/decaf/point_448.h\n@@ -0,0 +1,765 @@\n+/**\n+ * @file decaf/point_448.h\n+ * @author Mike Hamburg\n+ *\n+ * @copyright\n+ * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ *\n+ * @brief A group of prime order p, based on Ed448-Goldilocks.\n+ *\n+ * @warning This file was automatically generated in Python.\n+ * Please do not edit it.\n+ */\n+\n+#ifndef __DECAF_POINT_448_H__\n+#define __DECAF_POINT_448_H__ 1\n+\n+#include \u003cdecaf/common.h\u003e\n+\n+#ifdef __cplusplus\n+extern \u0022C\u0022 {\n+#endif\n+\n+/** @cond internal */\n+#define DECAF_448_SCALAR_LIMBS ((446-1)/DECAF_WORD_BITS+1)\n+/** @endcond */\n+\n+/** The number of bits in a scalar */\n+#define DECAF_448_SCALAR_BITS 446\n+\n+/** @cond internal */\n+#ifndef __DECAF_448_GF_DEFINED__\n+#define __DECAF_448_GF_DEFINED__ 1\n+/** @brief Galois field element internal structure */\n+typedef struct gf_448_s {\n+ decaf_word_t limb[512/DECAF_WORD_BITS];\n+} __attribute__((aligned(32))) gf_448_s, gf_448_t[1];\n+#endif /* __DECAF_448_GF_DEFINED__ */\n+/** @endcond */\n+\n+/** Number of bytes in a serialized point. */\n+#define DECAF_448_SER_BYTES 56\n+\n+/** Number of bytes in an elligated point. For now set the same as SER_BYTES\n+ * but could be different for other curves.\n+ */\n+#define DECAF_448_HASH_BYTES 56\n+\n+/** Number of bytes in a serialized scalar. 
*/\n+#define DECAF_448_SCALAR_BYTES 56\n+\n+/** Number of bits in the \u0022which\u0022 field of an elligator inverse */\n+#define DECAF_448_INVERT_ELLIGATOR_WHICH_BITS 3\n+\n+/** The cofactor the curve would have, if we hadn't removed it */\n+#define DECAF_448_REMOVED_COFACTOR 4\n+\n+/** X448 encoding ratio. */\n+#define DECAF_X448_ENCODE_RATIO 2\n+\n+/** Number of bytes in an x448 public key */\n+#define DECAF_X448_PUBLIC_BYTES 56\n+\n+/** Number of bytes in an x448 private key */\n+#define DECAF_X448_PRIVATE_BYTES 56\n+\n+/** Twisted Edwards extended homogeneous coordinates */\n+typedef struct decaf_448_point_s {\n+ /** @cond internal */\n+ gf_448_t x,y,z,t;\n+ /** @endcond */\n+} decaf_448_point_t[1];\n+\n+/** Precomputed table based on a point. Can be trivial implementation. */\n+struct decaf_448_precomputed_s;\n+\n+/** Precomputed table based on a point. Can be trivial implementation. */\n+typedef struct decaf_448_precomputed_s decaf_448_precomputed_s; \n+\n+/** Size and alignment of precomputed point tables. */\n+extern const size_t decaf_448_sizeof_precomputed_s DECAF_API_VIS, decaf_448_alignof_precomputed_s DECAF_API_VIS;\n+\n+/** Scalar is stored packed, because we don't need the speed. */\n+typedef struct decaf_448_scalar_s {\n+ /** @cond internal */\n+ decaf_word_t limb[DECAF_448_SCALAR_LIMBS];\n+ /** @endcond */\n+} decaf_448_scalar_t[1];\n+\n+/** A scalar equal to 1. */\n+extern const decaf_448_scalar_t decaf_448_scalar_one DECAF_API_VIS;\n+\n+/** A scalar equal to 0. */\n+extern const decaf_448_scalar_t decaf_448_scalar_zero DECAF_API_VIS;\n+\n+/** The identity point on the curve. */\n+extern const decaf_448_point_t decaf_448_point_identity DECAF_API_VIS;\n+\n+/** An arbitrarily chosen base point on the curve. */\n+extern const decaf_448_point_t decaf_448_point_base DECAF_API_VIS;\n+\n+/** Precomputed table for the base point on the curve. 
*/\n+extern const struct decaf_448_precomputed_s *decaf_448_precomputed_base DECAF_API_VIS;\n+\n+/**\n+ * @brief Read a scalar from wire format or from bytes.\n+ *\n+ * @param [in] ser Serialized form of a scalar.\n+ * @param [out] out Deserialized form.\n+ *\n+ * @retval DECAF_SUCCESS The scalar was correctly encoded.\n+ * @retval DECAF_FAILURE The scalar was greater than the modulus,\n+ * and has been reduced modulo that modulus.\n+ */\n+decaf_error_t decaf_448_scalar_decode (\n+ decaf_448_scalar_t out,\n+ const unsigned char ser[DECAF_448_SCALAR_BYTES]\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Read a scalar from wire format or from bytes. Reduces mod\n+ * scalar prime.\n+ *\n+ * @param [in] ser Serialized form of a scalar.\n+ * @param [in] ser_len Length of serialized form.\n+ * @param [out] out Deserialized form.\n+ */\n+void decaf_448_scalar_decode_long (\n+ decaf_448_scalar_t out,\n+ const unsigned char *ser,\n+ size_t ser_len\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+ \n+/**\n+ * @brief Serialize a scalar to wire format.\n+ *\n+ * @param [out] ser Serialized form of a scalar.\n+ * @param [in] s Deserialized scalar.\n+ */\n+void decaf_448_scalar_encode (\n+ unsigned char ser[DECAF_448_SCALAR_BYTES],\n+ const decaf_448_scalar_t s\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE;\n+ \n+/**\n+ * @brief Add two scalars. 
The scalars may use the same memory.\n+ * @param [in] a One scalar.\n+ * @param [in] b Another scalar.\n+ * @param [out] out a+b.\n+ */\n+void decaf_448_scalar_add (\n+ decaf_448_scalar_t out,\n+ const decaf_448_scalar_t a,\n+ const decaf_448_scalar_t b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Compare two scalars.\n+ * @param [in] a One scalar.\n+ * @param [in] b Another scalar.\n+ * @retval DECAF_TRUE The scalars are equal.\n+ * @retval DECAF_FALSE The scalars are not equal.\n+ */ \n+decaf_bool_t decaf_448_scalar_eq (\n+ const decaf_448_scalar_t a,\n+ const decaf_448_scalar_t b\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Subtract two scalars. The scalars may use the same memory.\n+ * @param [in] a One scalar.\n+ * @param [in] b Another scalar.\n+ * @param [out] out a-b.\n+ */ \n+void decaf_448_scalar_sub (\n+ decaf_448_scalar_t out,\n+ const decaf_448_scalar_t a,\n+ const decaf_448_scalar_t b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply two scalars. The scalars may use the same memory.\n+ * @param [in] a One scalar.\n+ * @param [in] b Another scalar.\n+ * @param [out] out a*b.\n+ */ \n+void decaf_448_scalar_mul (\n+ decaf_448_scalar_t out,\n+ const decaf_448_scalar_t a,\n+ const decaf_448_scalar_t b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+ \n+/**\n+* @brief Halve a scalar. The scalars may use the same memory.\n+* @param [in] a A scalar.\n+* @param [out] out a/2.\n+*/\n+void decaf_448_scalar_halve (\n+ decaf_448_scalar_t out,\n+ const decaf_448_scalar_t a\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Invert a scalar. When passed zero, return 0. 
The input and output may alias.\n+ * @param [in] a A scalar.\n+ * @param [out] out 1/a.\n+ * @return DECAF_SUCCESS The input is nonzero.\n+ */ \n+decaf_error_t decaf_448_scalar_invert (\n+ decaf_448_scalar_t out,\n+ const decaf_448_scalar_t a\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Copy a scalar. The scalars may use the same memory, in which\n+ * case this function does nothing.\n+ * @param [in] a A scalar.\n+ * @param [out] out Will become a copy of a.\n+ */\n+static inline void DECAF_NONNULL decaf_448_scalar_copy (\n+ decaf_448_scalar_t out,\n+ const decaf_448_scalar_t a\n+) {\n+ *out \u003d *a;\n+}\n+\n+/**\n+ * @brief Set a scalar to an unsigned 64-bit integer.\n+ * @param [in] a An integer.\n+ * @param [out] out Will become equal to a.\n+ */ \n+void decaf_448_scalar_set_unsigned (\n+ decaf_448_scalar_t out,\n+ uint64_t a\n+) DECAF_API_VIS DECAF_NONNULL;\n+\n+/**\n+ * @brief Encode a point as a sequence of bytes.\n+ *\n+ * @param [out] ser The byte representation of the point.\n+ * @param [in] pt The point to encode.\n+ */\n+void decaf_448_point_encode (\n+ uint8_t ser[DECAF_448_SER_BYTES],\n+ const decaf_448_point_t pt\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Decode a point from a sequence of bytes.\n+ *\n+ * Every point has a unique encoding, so not every\n+ * sequence of bytes is a valid encoding. 
If an invalid\n+ * encoding is given, the output is undefined.\n+ *\n+ * @param [out] pt The decoded point.\n+ * @param [in] ser The serialized version of the point.\n+ * @param [in] allow_identity DECAF_TRUE if the identity is a legal input.\n+ * @retval DECAF_SUCCESS The decoding succeeded.\n+ * @retval DECAF_FAILURE The decoding didn't succeed, because\n+ * ser does not represent a point.\n+ */\n+decaf_error_t decaf_448_point_decode (\n+ decaf_448_point_t pt,\n+ const uint8_t ser[DECAF_448_SER_BYTES],\n+ decaf_bool_t allow_identity\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Copy a point. The input and output may alias,\n+ * in which case this function does nothing.\n+ *\n+ * @param [out] a A copy of the point.\n+ * @param [in] b Any point.\n+ */\n+static inline void DECAF_NONNULL decaf_448_point_copy (\n+ decaf_448_point_t a,\n+ const decaf_448_point_t b\n+) {\n+ *a\u003d*b;\n+}\n+\n+/**\n+ * @brief Test whether two points are equal. If yes, return\n+ * DECAF_TRUE, else return DECAF_FALSE.\n+ *\n+ * @param [in] a A point.\n+ * @param [in] b Another point.\n+ * @retval DECAF_TRUE The points are equal.\n+ * @retval DECAF_FALSE The points are not equal.\n+ */\n+decaf_bool_t decaf_448_point_eq (\n+ const decaf_448_point_t a,\n+ const decaf_448_point_t b\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Add two points to produce a third point. The\n+ * input points and output point can be pointers to the same\n+ * memory.\n+ *\n+ * @param [out] sum The sum a+b.\n+ * @param [in] a An addend.\n+ * @param [in] b An addend.\n+ */\n+void decaf_448_point_add (\n+ decaf_448_point_t sum,\n+ const decaf_448_point_t a,\n+ const decaf_448_point_t b\n+) DECAF_API_VIS DECAF_NONNULL;\n+\n+/**\n+ * @brief Double a point. 
Equivalent to\n+ * decaf_448_point_add(two_a,a,a), but potentially faster.\n+ *\n+ * @param [out] two_a The sum a+a.\n+ * @param [in] a A point.\n+ */\n+void decaf_448_point_double (\n+ decaf_448_point_t two_a,\n+ const decaf_448_point_t a\n+) DECAF_API_VIS DECAF_NONNULL;\n+\n+/**\n+ * @brief Subtract two points to produce a third point. The\n+ * input points and output point can be pointers to the same\n+ * memory.\n+ *\n+ * @param [out] diff The difference a-b.\n+ * @param [in] a The minuend.\n+ * @param [in] b The subtrahend.\n+ */\n+void decaf_448_point_sub (\n+ decaf_448_point_t diff,\n+ const decaf_448_point_t a,\n+ const decaf_448_point_t b\n+) DECAF_API_VIS DECAF_NONNULL;\n+ \n+/**\n+ * @brief Negate a point to produce another point. The input\n+ * and output points can use the same memory.\n+ *\n+ * @param [out] nega The negated input point\n+ * @param [in] a The input point.\n+ */\n+void decaf_448_point_negate (\n+ decaf_448_point_t nega,\n+ const decaf_448_point_t a\n+) DECAF_API_VIS DECAF_NONNULL;\n+\n+/**\n+ * @brief Multiply a base point by a scalar: scaled \u003d scalar*base.\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] base The point to be scaled.\n+ * @param [in] scalar The scalar to multiply by.\n+ */\n+void decaf_448_point_scalarmul (\n+ decaf_448_point_t scaled,\n+ const decaf_448_point_t base,\n+ const decaf_448_scalar_t scalar\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply a base point by a scalar: scaled \u003d scalar*base.\n+ * This function operates directly on serialized forms.\n+ *\n+ * @warning This function is experimental. 
It may not be supported\n+ * long-term.\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] base The point to be scaled.\n+ * @param [in] scalar The scalar to multiply by.\n+ * @param [in] allow_identity Allow the input to be the identity.\n+ * @param [in] short_circuit Allow a fast return if the input is illegal.\n+ *\n+ * @retval DECAF_SUCCESS The scalarmul succeeded.\n+ * @retval DECAF_FAILURE The scalarmul didn't succeed, because\n+ * base does not represent a point.\n+ */\n+decaf_error_t decaf_448_direct_scalarmul (\n+ uint8_t scaled[DECAF_448_SER_BYTES],\n+ const uint8_t base[DECAF_448_SER_BYTES],\n+ const decaf_448_scalar_t scalar,\n+ decaf_bool_t allow_identity,\n+ decaf_bool_t short_circuit\n+) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;\n+\n+/**\n+ * @brief RFC 7748 Diffie-Hellman scalarmul. This function uses a different\n+ * (non-Decaf) encoding.\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] base The point to be scaled.\n+ * @param [in] scalar The scalar to multiply by.\n+ *\n+ * @retval DECAF_SUCCESS The scalarmul succeeded.\n+ * @retval DECAF_FAILURE The scalarmul didn't succeed, because the base\n+ * point is in a small subgroup.\n+ */\n+decaf_error_t decaf_x448 (\n+ uint8_t out[DECAF_X448_PUBLIC_BYTES],\n+ const uint8_t base[DECAF_X448_PUBLIC_BYTES],\n+ const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply a point by DECAF_X448_ENCODE_RATIO,\n+ * then encode it like RFC 7748.\n+ *\n+ * This function is mainly used internally, but is exported in case\n+ * it will be useful.\n+ *\n+ * The ratio is necessary because the internal representation doesn't\n+ * track the cofactor information, so on output we must clear the cofactor.\n+ * This would multiply by the cofactor, but in fact internally libdecaf's\n+ * points are always even, so it multiplies by half the cofactor instead.\n+ *\n+ * As it 
happens, this aligns with the base point definitions; that is,\n+ * if you pass the Decaf/Ristretto base point to this function, the result\n+ * will be DECAF_X448_ENCODE_RATIO times the X448\n+ * base point.\n+ *\n+ * @param [out] out The scaled and encoded point.\n+ * @param [in] p The point to be scaled and encoded.\n+ */\n+void decaf_448_point_mul_by_ratio_and_encode_like_x448 (\n+ uint8_t out[DECAF_X448_PUBLIC_BYTES],\n+ const decaf_448_point_t p\n+) DECAF_API_VIS DECAF_NONNULL;\n+\n+/** The base point for X448 Diffie-Hellman */\n+extern const uint8_t decaf_x448_base_point[DECAF_X448_PUBLIC_BYTES] DECAF_API_VIS;\n+\n+/**\n+ * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses\n+ * a different (non-Decaf) encoding.\n+ *\n+ * @deprecated Renamed to decaf_x448_derive_public_key.\n+ * I have no particular timeline for removing this name.\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] scalar The scalar to multiply by.\n+ */\n+void decaf_x448_generate_key (\n+ uint8_t out[DECAF_X448_PUBLIC_BYTES],\n+ const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_DEPRECATED(\u0022Renamed to decaf_x448_derive_public_key\u0022);\n+ \n+/**\n+ * @brief RFC 7748 Diffie-Hellman base point scalarmul. 
This function uses\n+ * a different (non-Decaf) encoding.\n+ *\n+ * Does exactly the same thing as decaf_x448_generate_key,\n+ * but has a better name.\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] scalar The scalar to multiply by.\n+ */\n+void decaf_x448_derive_public_key (\n+ uint8_t out[DECAF_X448_PUBLIC_BYTES],\n+ const uint8_t scalar[DECAF_X448_PRIVATE_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/* FUTURE: uint8_t decaf_448_encode_like_curve448) */\n+\n+/**\n+ * @brief Precompute a table for fast scalar multiplication.\n+ * Some implementations do not include precomputed points; for\n+ * those implementations, this implementation simply copies the\n+ * point.\n+ *\n+ * @param [out] a A precomputed table of multiples of the point.\n+ * @param [in] b Any point.\n+ */\n+void decaf_448_precompute (\n+ decaf_448_precomputed_s *a,\n+ const decaf_448_point_t b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply a precomputed base point by a scalar:\n+ * scaled \u003d scalar*base.\n+ * Some implementations do not include precomputed points; for\n+ * those implementations, this function is the same as\n+ * decaf_448_point_scalarmul\n+ *\n+ * @param [out] scaled The scaled point base*scalar\n+ * @param [in] base The point to be scaled.\n+ * @param [in] scalar The scalar to multiply by.\n+ */\n+void decaf_448_precomputed_scalarmul (\n+ decaf_448_point_t scaled,\n+ const decaf_448_precomputed_s *base,\n+ const decaf_448_scalar_t scalar\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply two base points by two scalars:\n+ * scaled \u003d scalar1*base1 + scalar2*base2.\n+ *\n+ * Equivalent to two calls to decaf_448_point_scalarmul, but may be\n+ * faster.\n+ *\n+ * @param [out] combo The linear combination scalar1*base1 + scalar2*base2.\n+ * @param [in] base1 A first point to be scaled.\n+ * @param [in] scalar1 A first scalar to multiply by.\n+ * @param [in] base2 A second 
point to be scaled.\n+ * @param [in] scalar2 A second scalar to multiply by.\n+ */\n+void decaf_448_point_double_scalarmul (\n+ decaf_448_point_t combo,\n+ const decaf_448_point_t base1,\n+ const decaf_448_scalar_t scalar1,\n+ const decaf_448_point_t base2,\n+ const decaf_448_scalar_t scalar2\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+ \n+/**\n+ * Multiply one base point by two scalars:\n+ *\n+ * a1 \u003d scalar1 * base\n+ * a2 \u003d scalar2 * base\n+ *\n+ * Equivalent to two calls to decaf_448_point_scalarmul, but may be\n+ * faster.\n+ *\n+ * @param [out] a1 The first multiple. It may be the same as the input point.\n+ * @param [out] a2 The second multiple. It may be the same as the input point.\n+ * @param [in] base1 A point to be scaled.\n+ * @param [in] scalar1 A first scalar to multiply by.\n+ * @param [in] scalar2 A second scalar to multiply by.\n+ */\n+void decaf_448_point_dual_scalarmul (\n+ decaf_448_point_t a1,\n+ decaf_448_point_t a2,\n+ const decaf_448_point_t base1,\n+ const decaf_448_scalar_t scalar1,\n+ const decaf_448_scalar_t scalar2\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Multiply two base points by two scalars:\n+ * scaled \u003d scalar1*decaf_448_point_base + scalar2*base2.\n+ *\n+ * Otherwise equivalent to decaf_448_point_double_scalarmul, but may be\n+ * faster at the expense of being variable time.\n+ *\n+ * @param [out] combo The linear combination scalar1*base + scalar2*base2.\n+ * @param [in] scalar1 A first scalar to multiply by.\n+ * @param [in] base2 A second point to be scaled.\n+ * @param [in] scalar2 A second scalar to multiply by.\n+ *\n+ * @warning: This function takes variable time, and may leak the scalars\n+ * used. 
It is designed for signature verification.\n+ */\n+void decaf_448_base_double_scalarmul_non_secret (\n+ decaf_448_point_t combo,\n+ const decaf_448_scalar_t scalar1,\n+ const decaf_448_point_t base2,\n+ const decaf_448_scalar_t scalar2\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Constant-time decision between two points. If pick_b\n+ * is zero, out \u003d a; else out \u003d b.\n+ *\n+ * @param [out] out The output. It may be the same as either input.\n+ * @param [in] a Any point.\n+ * @param [in] b Any point.\n+ * @param [in] pick_b If nonzero, choose point b.\n+ */\n+void decaf_448_point_cond_sel (\n+ decaf_448_point_t out,\n+ const decaf_448_point_t a,\n+ const decaf_448_point_t b,\n+ decaf_word_t pick_b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Constant-time decision between two scalars. If pick_b\n+ * is zero, out \u003d a; else out \u003d b.\n+ *\n+ * @param [out] out The output. It may be the same as either input.\n+ * @param [in] a Any scalar.\n+ * @param [in] b Any scalar.\n+ * @param [in] pick_b If nonzero, choose scalar b.\n+ */\n+void decaf_448_scalar_cond_sel (\n+ decaf_448_scalar_t out,\n+ const decaf_448_scalar_t a,\n+ const decaf_448_scalar_t b,\n+ decaf_word_t pick_b\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Test that a point is valid, for debugging purposes.\n+ *\n+ * @param [in] to_test The point to test.\n+ * @retval DECAF_TRUE The point is valid.\n+ * @retval DECAF_FALSE The point is invalid.\n+ */\n+decaf_bool_t decaf_448_point_valid (\n+ const decaf_448_point_t to_test\n+) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Torque a point, for debugging purposes. 
The output\n+ * will be equal to the input.\n+ *\n+ * @param [out] q The point to torque.\n+ * @param [in] p The point to torque.\n+ */\n+void decaf_448_point_debugging_torque (\n+ decaf_448_point_t q,\n+ const decaf_448_point_t p\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Projectively scale a point, for debugging purposes.\n+ * The output will be equal to the input, and will be valid\n+ * even if the factor is zero.\n+ *\n+ * @param [out] q The point to scale.\n+ * @param [in] p The point to scale.\n+ * @param [in] factor Serialized GF factor to scale.\n+ */\n+void decaf_448_point_debugging_pscale (\n+ decaf_448_point_t q,\n+ const decaf_448_point_t p,\n+ const unsigned char factor[DECAF_448_SER_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Almost-Elligator-like hash to curve.\n+ *\n+ * Call this function with the output of a hash to make a hash to the curve.\n+ *\n+ * This function runs Elligator2 on the decaf_448 Jacobi quartic model. It then\n+ * uses the isogeny to put the result in twisted Edwards form. As a result,\n+ * it is safe (cannot produce points of order 4), and would be compatible with\n+ * hypothetical other implementations of Decaf using a Montgomery or untwisted\n+ * Edwards model.\n+ *\n+ * Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:\n+ * A factor of 2 due to the isogeny.\n+ * A factor of 2 because we quotient out the 2-torsion.\n+ *\n+ * This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8.\n+ *\n+ * Negating the input (mod q) results in the same point. Inverting the input\n+ * (mod q) results in the negative point. This is the same as Elligator.\n+ *\n+ * This function isn't quite indifferentiable from a random oracle.\n+ * However, it is suitable for many protocols, including SPEKE and SPAKE2 EE. 
\n+ * Furthermore, calling it twice with independent seeds and adding the results\n+ * is indifferentiable from a random oracle.\n+ *\n+ * @param [in] hashed_data Output of some hash function.\n+ * @param [out] pt The data hashed to the curve.\n+ */\n+void\n+decaf_448_point_from_hash_nonuniform (\n+ decaf_448_point_t pt,\n+ const unsigned char hashed_data[DECAF_448_HASH_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Indifferentiable hash function encoding to curve.\n+ *\n+ * Equivalent to calling decaf_448_point_from_hash_nonuniform twice and adding.\n+ *\n+ * @param [in] hashed_data Output of some hash function.\n+ * @param [out] pt The data hashed to the curve.\n+ */ \n+void decaf_448_point_from_hash_uniform (\n+ decaf_448_point_t pt,\n+ const unsigned char hashed_data[2*DECAF_448_HASH_BYTES]\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;\n+\n+/**\n+ * @brief Inverse of elligator-like hash to curve.\n+ *\n+ * This function writes to the buffer, to make it so that\n+ * decaf_448_point_from_hash_nonuniform(buffer) \u003d pt if\n+ * possible. Since there may be multiple preimages, the\n+ * \u0022which\u0022 parameter chooses between them. To ensure uniform\n+ * inverse sampling, this function succeeds or fails\n+ * independently for different \u0022which\u0022 values.\n+ *\n+ * This function isn't guaranteed to find every possible\n+ * preimage, but it finds all except a small finite number.\n+ * In particular, when the number of bits in the modulus isn't\n+ * a multiple of 8 (i.e. for curve25519), it sets the high bits\n+ * independently, which enables the generated data to be uniform.\n+ * But it doesn't add p, so you'll never get exactly p from this\n+ * function. 
This might change in the future, especially if\n+ * we ever support eg Brainpool curves, where this could cause\n+ * real nonuniformity.\n+ *\n+ * @param [out] recovered_hash Encoded data.\n+ * @param [in] pt The point to encode.\n+ * @param [in] which A value determining which inverse point\n+ * to return.\n+ *\n+ * @retval DECAF_SUCCESS The inverse succeeded.\n+ * @retval DECAF_FAILURE The inverse failed.\n+ */\n+decaf_error_t\n+decaf_448_invert_elligator_nonuniform (\n+ unsigned char recovered_hash[DECAF_448_HASH_BYTES],\n+ const decaf_448_point_t pt,\n+ uint32_t which\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;\n+\n+/**\n+ * @brief Inverse of elligator-like hash to curve.\n+ *\n+ * This function writes to the buffer, to make it so that\n+ * decaf_448_point_from_hash_uniform(buffer) \u003d pt if\n+ * possible. Since there may be multiple preimages, the\n+ * \u0022which\u0022 parameter chooses between them. To ensure uniform\n+ * inverse sampling, this function succeeds or fails\n+ * independently for different \u0022which\u0022 values.\n+ *\n+ * @param [out] recovered_hash Encoded data.\n+ * @param [in] pt The point to encode.\n+ * @param [in] which A value determining which inverse point\n+ * to return.\n+ *\n+ * @retval DECAF_SUCCESS The inverse succeeded.\n+ * @retval DECAF_FAILURE The inverse failed.\n+ */\n+decaf_error_t\n+decaf_448_invert_elligator_uniform (\n+ unsigned char recovered_hash[2*DECAF_448_HASH_BYTES],\n+ const decaf_448_point_t pt,\n+ uint32_t which\n+) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;\n+\n+/**\n+ * @brief Overwrite scalar with zeros.\n+ */\n+void decaf_448_scalar_destroy (\n+ decaf_448_scalar_t scalar\n+) DECAF_NONNULL DECAF_API_VIS;\n+\n+/**\n+ * @brief Overwrite point with zeros.\n+ */\n+void decaf_448_point_destroy (\n+ decaf_448_point_t point\n+) DECAF_NONNULL DECAF_API_VIS;\n+\n+/**\n+ * @brief Overwrite precomputed table with zeros.\n+ */\n+void decaf_448_precomputed_destroy (\n+ 
decaf_448_precomputed_s *pre\n+) DECAF_NONNULL DECAF_API_VIS;\n+\n+#ifdef __cplusplus\n+} /* extern \u0022C\u0022 */\n+#endif\n+\n+#endif /* __DECAF_POINT_448_H__ */\ndiff --git a/crypto/ec/curve448/decaf/sha512.h b/crypto/ec/curve448/decaf/sha512.h\nnew file mode 100644\nindex 0000000..3c8ec70\n--- /dev/null\n+++ b/crypto/ec/curve448/decaf/sha512.h\n@@ -0,0 +1,53 @@\n+/**\n+ * @file decaf/shake.h\n+ * @copyright Public domain.\n+ * @author Mike Hamburg\n+ * @brief SHA2-512\n+ */\n+\n+#ifndef __DECAF_SHA512_H__\n+#define __DECAF_SHA512_H__\n+\n+#include \u003cstdint.h\u003e\n+#include \u003csys/types.h\u003e\n+#include \u003cstdlib.h\u003e /* for NULL */\n+\n+#include \u003cdecaf/common.h\u003e\n+\n+#ifdef __cplusplus\n+extern \u0022C\u0022 {\n+#endif\n+ \n+\n+typedef struct decaf_sha512_ctx_s {\n+ uint64_t state[8];\n+ uint8_t block[128];\n+ uint64_t bytes_processed;\n+} decaf_sha512_ctx_s, decaf_sha512_ctx_t[1];\n+\n+void decaf_sha512_init(decaf_sha512_ctx_t ctx) DECAF_NONNULL DECAF_API_VIS;\n+void decaf_sha512_update(decaf_sha512_ctx_t ctx, const uint8_t *message, size_t length) DECAF_NONNULL DECAF_API_VIS;\n+void decaf_sha512_final(decaf_sha512_ctx_t ctx, uint8_t *out, size_t length) DECAF_NONNULL DECAF_API_VIS;\n+\n+static inline void decaf_sha512_destroy(decaf_sha512_ctx_t ctx) {\n+ decaf_bzero(ctx,sizeof(*ctx));\n+}\n+\n+static inline void decaf_sha512_hash(\n+ uint8_t *output,\n+ size_t output_len,\n+ const uint8_t *message,\n+ size_t message_len\n+) {\n+ decaf_sha512_ctx_t ctx;\n+ decaf_sha512_init(ctx);\n+ decaf_sha512_update(ctx,message,message_len);\n+ decaf_sha512_final(ctx,output,output_len);\n+ decaf_sha512_destroy(ctx);\n+}\n+\n+#ifdef __cplusplus\n+} /* extern \u0022C\u0022 */\n+#endif\n+ \n+#endif /* __DECAF_SHA512_H__ */\ndiff --git a/crypto/ec/curve448/decaf/shake.h b/crypto/ec/curve448/decaf/shake.h\nnew file mode 100644\nindex 0000000..ae125b9\n--- /dev/null\n+++ b/crypto/ec/curve448/decaf/shake.h\n@@ -0,0 +1,219 @@\n+/**\n+ * @file 
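Review bot: The `@file` tag at the top of this new header reads `decaf/shake.h` although the file is `decaf/sha512.h`, and none of the declarations below it has a contract comment. The gap that matters most is `decaf_sha512_final(ctx, out, length)`: the header does not say whether `length` may be shorter than the 64-byte digest or what happens when it is larger, and the implementation is outside this hunk. A caller therefore cannot size `out` safely from the header alone. I would correct the tag to `@file decaf/sha512.h` and add a Doxygen block on `decaf_sha512_final` giving the accepted range of `length` and whether the context is reset afterwards. A one-line comment on `decaf_sha512_hash` could also record that the stack context is wiped through `decaf_sha512_destroy` before it returns.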
decaf/shake.h\n+ * @copyright\n+ * Based on CC0 code by David Leon Gil, 2015 \u005cn\n+ * Copyright (c) 2015 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ * @author Mike Hamburg\n+ * @brief SHA-3-n and DECAF_SHAKE-n instances.\n+ */\n+\n+#ifndef __DECAF_SHAKE_H__\n+#define __DECAF_SHAKE_H__\n+\n+#include \u003cstdint.h\u003e\n+#include \u003csys/types.h\u003e\n+#include \u003cstdlib.h\u003e /* for NULL */\n+\n+#include \u003cdecaf/common.h\u003e\n+\n+#ifdef __cplusplus\n+extern \u0022C\u0022 {\n+#endif\n+\n+#ifndef INTERNAL_SPONGE_STRUCT\n+ /** Sponge container object for the various primitives. */\n+ typedef struct decaf_keccak_sponge_s {\n+ /** @cond internal */\n+ uint64_t opaque[26];\n+ /** @endcond */\n+ } decaf_keccak_sponge_s;\n+\n+ /** Convenience GMP-style one-element array version */\n+ typedef struct decaf_keccak_sponge_s decaf_keccak_sponge_t[1];\n+\n+ /** Parameters for sponge construction, distinguishing DECAF_SHA3 and\n+ * DECAF_SHAKE instances.\n+ */\n+ struct decaf_kparams_s;\n+#endif\n+\n+/**\n+ * @brief Initialize a sponge context object.\n+ * @param [out] sponge The object to initialize.\n+ * @param [in] params The sponge's parameter description.\n+ */\n+void decaf_sha3_init (\n+ decaf_keccak_sponge_t sponge,\n+ const struct decaf_kparams_s *params\n+) DECAF_API_VIS;\n+\n+/**\n+ * @brief Absorb data into a DECAF_SHA3 or DECAF_SHAKE hash context.\n+ * @param [inout] sponge The context.\n+ * @param [in] in The input data.\n+ * @param [in] len The input data's length in bytes.\n+ * @return DECAF_FAILURE if the sponge has already been used for output.\n+ * @return DECAF_SUCCESS otherwise.\n+ */\n+decaf_error_t decaf_sha3_update (\n+ struct decaf_keccak_sponge_s * __restrict__ sponge,\n+ const uint8_t *in,\n+ size_t len\n+) DECAF_API_VIS;\n+\n+/**\n+ * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.\n+ * This does not destroy or re-initialize the hash 
context, and\n+ * decaf_sha3 output can be called more times.\n+ *\n+ * @param [inout] sponge The context.\n+ * @param [out] out The output data.\n+ * @param [in] len The requested output data length in bytes.\n+ * @return DECAF_FAILURE if the sponge has exhausted its output capacity.\n+ * @return DECAF_SUCCESS otherwise.\n+ */ \n+decaf_error_t decaf_sha3_output (\n+ decaf_keccak_sponge_t sponge,\n+ uint8_t * __restrict__ out,\n+ size_t len\n+) DECAF_API_VIS;\n+\n+/**\n+ * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.\n+ * This re-initializes the context to its starting parameters.\n+ *\n+ * @param [inout] sponge The context.\n+ * @param [out] out The output data.\n+ * @param [in] len The requested output data length in bytes.\n+ */ \n+decaf_error_t decaf_sha3_final (\n+ decaf_keccak_sponge_t sponge,\n+ uint8_t * __restrict__ out,\n+ size_t len\n+) DECAF_API_VIS;\n+\n+/**\n+ * @brief Reset the sponge to the empty string.\n+ *\n+ * @param [inout] sponge The context.\n+ */ \n+void decaf_sha3_reset (\n+ decaf_keccak_sponge_t sponge\n+) DECAF_API_VIS;\n+\n+/**\n+ * @brief Return the default output length of the sponge construction,\n+ * for the purpose of C++ default operators.\n+ *\n+ * Returns n/8 for DECAF_SHA3-n and 2n/8 for DECAF_SHAKE-n.\n+ */ \n+size_t decaf_sha3_default_output_bytes (\n+ const decaf_keccak_sponge_t sponge /**\u003c [inout] The context. */\n+) DECAF_API_VIS;\n+\n+/**\n+ * @brief Return the default output length of the sponge construction,\n+ * for the purpose of C++ default operators.\n+ *\n+ * Returns n/8 for DECAF_SHA3-n and SIZE_MAX for DECAF_SHAKE-n.\n+ */ \n+size_t decaf_sha3_max_output_bytes (\n+ const decaf_keccak_sponge_t sponge /**\u003c [inout] The context. 
*/\n+) DECAF_API_VIS;\n+\n+/**\n+ * @brief Destroy a DECAF_SHA3 or DECAF_SHAKE sponge context by overwriting it with 0.\n+ * @param [out] sponge The context.\n+ */ \n+void decaf_sha3_destroy (\n+ decaf_keccak_sponge_t sponge\n+) DECAF_API_VIS;\n+\n+/**\n+ * @brief Hash (in) to (out)\n+ * @param [in] in The input data.\n+ * @param [in] inlen The length of the input data.\n+ * @param [out] out A buffer for the output data.\n+ * @param [in] outlen The length of the output data.\n+ * @param [in] params The parameters of the sponge hash.\n+ */ \n+decaf_error_t decaf_sha3_hash (\n+ uint8_t *out,\n+ size_t outlen,\n+ const uint8_t *in,\n+ size_t inlen,\n+ const struct decaf_kparams_s *params\n+) DECAF_API_VIS;\n+\n+/* FUTURE: expand/doxygenate individual DECAF_SHAKE/DECAF_SHA3 instances? */\n+\n+/** @cond internal */\n+#define DECAF_DEC_SHAKE(n) \u005c\n+ extern const struct decaf_kparams_s DECAF_SHAKE##n##_params_s DECAF_API_VIS; \u005c\n+ typedef struct decaf_shake##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_shake##n##_ctx_t[1]; \u005c\n+ static inline void DECAF_NONNULL decaf_shake##n##_init(decaf_shake##n##_ctx_t sponge) { \u005c\n+ decaf_sha3_init(sponge-\u003es, \u0026DECAF_SHAKE##n##_params_s); \u005c\n+ } \u005c\n+ static inline void DECAF_NONNULL decaf_shake##n##_gen_init(decaf_keccak_sponge_t sponge) { \u005c\n+ decaf_sha3_init(sponge, \u0026DECAF_SHAKE##n##_params_s); \u005c\n+ } \u005c\n+ static inline decaf_error_t DECAF_NONNULL decaf_shake##n##_update(decaf_shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \u005c\n+ return decaf_sha3_update(sponge-\u003es, in, inlen); \u005c\n+ } \u005c\n+ static inline void DECAF_NONNULL decaf_shake##n##_final(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \u005c\n+ decaf_sha3_output(sponge-\u003es, out, outlen); \u005c\n+ decaf_sha3_init(sponge-\u003es, \u0026DECAF_SHAKE##n##_params_s); \u005c\n+ } \u005c\n+ static inline void DECAF_NONNULL decaf_shake##n##_output(decaf_shake##n##_ctx_t sponge, 
uint8_t *out, size_t outlen ) { \u005c\n+ decaf_sha3_output(sponge-\u003es, out, outlen); \u005c\n+ } \u005c\n+ static inline void DECAF_NONNULL decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \u005c\n+ decaf_sha3_hash(out,outlen,in,inlen,\u0026DECAF_SHAKE##n##_params_s); \u005c\n+ } \u005c\n+ static inline void DECAF_NONNULL decaf_shake##n##_destroy( decaf_shake##n##_ctx_t sponge ) { \u005c\n+ decaf_sha3_destroy(sponge-\u003es); \u005c\n+ }\n+\n+#define DECAF_DEC_SHA3(n) \u005c\n+ extern const struct decaf_kparams_s DECAF_SHA3_##n##_params_s DECAF_API_VIS; \u005c\n+ typedef struct decaf_sha3_##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_sha3_##n##_ctx_t[1]; \u005c\n+ static inline void DECAF_NONNULL decaf_sha3_##n##_init(decaf_sha3_##n##_ctx_t sponge) { \u005c\n+ decaf_sha3_init(sponge-\u003es, \u0026DECAF_SHA3_##n##_params_s); \u005c\n+ } \u005c\n+ static inline void DECAF_NONNULL decaf_sha3_##n##_gen_init(decaf_keccak_sponge_t sponge) { \u005c\n+ decaf_sha3_init(sponge, \u0026DECAF_SHA3_##n##_params_s); \u005c\n+ } \u005c\n+ static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_update(decaf_sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \u005c\n+ return decaf_sha3_update(sponge-\u003es, in, inlen); \u005c\n+ } \u005c\n+ static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_final(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \u005c\n+ decaf_error_t ret \u003d decaf_sha3_output(sponge-\u003es, out, outlen); \u005c\n+ decaf_sha3_init(sponge-\u003es, \u0026DECAF_SHA3_##n##_params_s); \u005c\n+ return ret; \u005c\n+ } \u005c\n+ static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_output(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \u005c\n+ return decaf_sha3_output(sponge-\u003es, out, outlen); \u005c\n+ } \u005c\n+ static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \u005c\n+ return 
decaf_sha3_hash(out,outlen,in,inlen,\u0026DECAF_SHA3_##n##_params_s); \u005c\n+ } \u005c\n+ static inline void DECAF_NONNULL decaf_sha3_##n##_destroy(decaf_sha3_##n##_ctx_t sponge) { \u005c\n+ decaf_sha3_destroy(sponge-\u003es); \u005c\n+ }\n+/** @endcond */\n+\n+DECAF_DEC_SHAKE(128)\n+DECAF_DEC_SHAKE(256)\n+DECAF_DEC_SHA3(224)\n+DECAF_DEC_SHA3(256)\n+DECAF_DEC_SHA3(384)\n+DECAF_DEC_SHA3(512)\n+#undef DECAF_DEC_SHAKE\n+#undef DECAF_DEC_SHA3\n+\n+#ifdef __cplusplus\n+} /* extern \u0022C\u0022 */\n+#endif\n+ \n+#endif /* __DECAF_SHAKE_H__ */\ndiff --git a/crypto/ec/curve448/decaf_tables.c b/crypto/ec/curve448/decaf_tables.c\nnew file mode 100644\nindex 0000000..ab4e6d7\n--- /dev/null\n+++ b/crypto/ec/curve448/decaf_tables.c\n@@ -0,0 +1,354 @@\n+/** @warning: this file was automatically generated. */\n+#include \u0022field.h\u0022\n+\n+#include \u003cdecaf.h\u003e\n+\n+#define API_NS(_id) decaf_448_##_id\n+const API_NS(point_t) API_NS(point_base) \u003d {{\n+{FIELD_LITERAL(0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0080000000000000,0x00fffffffffffffe,0x00ffffffffffffff,0x00ffffffffffffff,0x007fffffffffffff)},\n+ {FIELD_LITERAL(0x006079b4dfdd4a64,0x000c1e3ab470a1c8,0x0044d73f48e5199b,0x0050452714141818,0x004c74c393d5242c,0x0024080526437050,0x00d48d06c13078ca,0x008508de14f04286)},\n+ {FIELD_LITERAL(0x0000000000000001,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000)},\n+ {FIELD_LITERAL(0x00e3c816dc198105,0x0062071833f4e093,0x004dde98e3421403,0x00a319b57519c985,0x00794be956382384,0x00e1ddc2b86da60f,0x0050e23d5682a9ff,0x006d3669e173c6a4)}\n+}};\n+const gf API_NS(precomputed_base_as_fe)[240]\n+VECTOR_ALIGNED __attribute__((visibility(\u0022hidden\u0022))) \u003d {\n+ {FIELD_LITERAL(0x00cc3b062366f4cc,0x003d6e34e314aa3c,0x00d51c0a7521774d,0x0094e060eec6ab8b,0x00d21291b4d80082,0x00befed12b55ef1e,0x00c3dd2df5c94518,0x00e0a7b112b8d4e6)},\n+ 
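Review bot: In `DECAF_DEC_SHAKE`, the `_final`, `_output` and `_hash` wrappers are declared `void` and drop the `decaf_error_t` returned by `decaf_sha3_output` and `decaf_sha3_hash`, whereas the matching `DECAF_DEC_SHA3` wrappers propagate it. The comment on `decaf_sha3_output` says it can return `DECAF_FAILURE`; whether that is reachable for a SHAKE instance is not visible here, but if it is, the caller carries on with an `out` buffer that was never filled. I would give the three SHAKE wrappers the same shape as the SHA3 ones, e.g. a `static inline decaf_error_t DECAF_NONNULL decaf_shake##n##_output(...)` whose body is `return decaf_sha3_output(sponge->s, out, outlen);`. Adding `DECAF_WARN_UNUSED` to the `decaf_sha3_update`, `decaf_sha3_output`, `decaf_sha3_final` and `decaf_sha3_hash` prototypes would flag ignored failures at compile time. Separately, `decaf_sha3_final` lacks the `@return` lines that `decaf_sha3_update` and `decaf_sha3_output` have.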
{FIELD_LITERAL(0x0019eb5608d8723a,0x00d1bab52fb3aedb,0x00270a7311ebc90c,0x0037c12b91be7f13,0x005be16cd8b5c704,0x003e181acda888e1,0x00bc1f00fc3fc6d0,0x00d3839bfa319e20)},\n+ {FIELD_LITERAL(0x003caeb88611909f,0x00ea8b378c4df3d4,0x00b3295b95a5a19a,0x00a65f97514bdfb5,0x00b39efba743cab1,0x0016ba98b862fd2d,0x0001508812ee71d7,0x000a75740eea114a)},\n+ {FIELD_LITERAL(0x00ebcf0eb649f823,0x00166d332e98ea03,0x0059ddf64f5cd5f6,0x0047763123d9471b,0x00a64065c53ef62f,0x00978e44c480153d,0x000b5b2a0265f194,0x0046a24b9f32965a)},\n+ {FIELD_LITERAL(0x00b9eef787034df0,0x0020bc24de3390cd,0x000022160bae99bb,0x00ae66e886e97946,0x0048d4bbe02cbb8b,0x0072ba97b34e38d4,0x00eae7ec8f03e85a,0x005ba92ecf808b2c)},\n+ {FIELD_LITERAL(0x00c9cfbbe74258fd,0x00843a979ea9eaa7,0x000cbb4371cfbe90,0x0059bac8f7f0a628,0x004b3dff882ff530,0x0011869df4d90733,0x00595aa71f4abfc2,0x0070e2d38990c2e6)},\n+ {FIELD_LITERAL(0x00de2010c0a01733,0x00c739a612e24297,0x00a7212643141d7c,0x00f88444f6b67c11,0x00484b7b16ec28f2,0x009c1b8856af9c68,0x00ff4669591fe9d6,0x0054974be08a32c8)},\n+ {FIELD_LITERAL(0x0010de3fd682ceed,0x008c07642d83ca4e,0x0013bb064e00a1cc,0x009411ae27870e11,0x00ea8e5b4d531223,0x0032fe7d2aaece2e,0x00d989e243e7bb41,0x000fe79a508e9b8b)},\n+ {FIELD_LITERAL(0x005e0426b9bfc5b1,0x0041a5b1d29ee4fa,0x0015b0def7774391,0x00bc164f1f51af01,0x00d543b0942797b9,0x003c129b6398099c,0x002b114c6e5adf18,0x00b4e630e4018a7b)},\n+ {FIELD_LITERAL(0x00d490afc95f8420,0x00b096bf50c1d9b9,0x00799fd707679866,0x007c74d9334afbea,0x00efaa8be80ff4ed,0x0075c4943bb81694,0x00c21c2fca161f36,0x00e77035d492bfee)},\n+ {FIELD_LITERAL(0x006658a190dd6661,0x00e0e9bab38609a6,0x0028895c802237ed,0x006a0229c494f587,0x002dcde96c9916b7,0x00d158822de16218,0x00173b917a06856f,0x00ca78a79ae07326)},\n+ {FIELD_LITERAL(0x00e35bfc79caced4,0x0087238a3e1fe3bb,0x00bcbf0ff4ceff5b,0x00a19c1c94099b91,0x0071e102b49db976,0x0059e3d004eada1e,0x008da78afa58a47e,0x00579c8ebf269187)},\n+ 
{FIELD_LITERAL(0x00a16c2905eee75f,0x009d4bcaea2c7e1d,0x00d3bd79bfad19df,0x0050da745193342c,0x006abdb8f6b29ab1,0x00a24fe0a4fef7ef,0x0063730da1057dfb,0x00a08c312c8eb108)},\n+ {FIELD_LITERAL(0x00b583be005375be,0x00a40c8f8a4e3df4,0x003fac4a8f5bdbf7,0x00d4481d872cd718,0x004dc8749cdbaefe,0x00cce740d5e5c975,0x000b1c1f4241fd21,0x00a76de1b4e1cd07)},\n+ {FIELD_LITERAL(0x007a076500d30b62,0x000a6e117b7f090f,0x00c8712ae7eebd9a,0x000fbd6c1d5f6ff7,0x003a7977246ebf11,0x00166ed969c6600e,0x00aa42e469c98bec,0x00dc58f307cf0666)},\n+ {FIELD_LITERAL(0x004b491f65a9a28b,0x006a10309e8a55b7,0x00b67210185187ef,0x00cf6497b12d9b8f,0x0085778c56e2b1ba,0x0015b4c07a814d85,0x00686479e62da561,0x008de5d88f114916)},\n+ {FIELD_LITERAL(0x00e37c88d6bba7b1,0x003e4577e1b8d433,0x0050d8ea5f510ec0,0x0042fc9f2da9ef59,0x003bd074c1141420,0x00561b8b7b68774e,0x00232e5e5d1013a3,0x006b7f2cb3d7e73f)},\n+ {FIELD_LITERAL(0x004bdd0f0b41e6a0,0x001773057c405d24,0x006029f99915bd97,0x006a5ba70a17fe2f,0x0046111977df7e08,0x004d8124c89fb6b7,0x00580983b2bb2724,0x00207bf330d6f3fe)},\n+ {FIELD_LITERAL(0x007efdc93972a48b,0x002f5e50e78d5fee,0x0080dc11d61c7fe5,0x0065aa598707245b,0x009abba2300641be,0x000c68787656543a,0x00ffe0fef2dc0a17,0x00007ffbd6cb4f3a)},\n+ {FIELD_LITERAL(0x0036012f2b836efc,0x00458c126d6b5fbc,0x00a34436d719ad1e,0x0097be6167117dea,0x0009c219c879cff3,0x0065564493e60755,0x00993ac94a8cdec0,0x002d4885a4d0dbaf)},\n+ {FIELD_LITERAL(0x00598b60b4c068ba,0x00c547a0be7f1afd,0x009582164acf12af,0x00af4acac4fbbe40,0x005f6ca7c539121a,0x003b6e752ebf9d66,0x00f08a30d5cac5d4,0x00e399bb5f97c5a9)},\n+ {FIELD_LITERAL(0x007445a0409c0a66,0x00a65c369f3829c0,0x0031d248a4f74826,0x006817f34defbe8e,0x00649741d95ebf2e,0x00d46466ab16b397,0x00fdc35703bee414,0x00343b43334525f8)},\n+ {FIELD_LITERAL(0x001796bea93f6401,0x00090c5a42e85269,0x00672412ba1252ed,0x001201d47b6de7de,0x006877bccfe66497,0x00b554fd97a4c161,0x009753f42dbac3cf,0x00e983e3e378270a)},\n+ 
{FIELD_LITERAL(0x00ac3eff18849872,0x00f0eea3bff05690,0x00a6d72c21dd505d,0x001b832642424169,0x00a6813017b540e5,0x00a744bd71b385cd,0x0022a7d089130a7b,0x004edeec9a133486)},\n+ {FIELD_LITERAL(0x00b2d6729196e8a9,0x0088a9bb2031cef4,0x00579e7787dc1567,0x0030f49feb059190,0x00a0b1d69c7f7d8f,0x0040bdcc6d9d806f,0x00d76c4037edd095,0x00bbf24376415dd7)},\n+ {FIELD_LITERAL(0x00240465ff5a7197,0x00bb97e76caf27d0,0x004b4edbf8116d39,0x001d8586f708cbaa,0x000f8ee8ff8e4a50,0x00dde5a1945dd622,0x00e6fc1c0957e07c,0x0041c9cdabfd88a0)},\n+ {FIELD_LITERAL(0x005344b0bf5b548c,0x002957d0b705cc99,0x00f586a70390553d,0x0075b3229f583cc3,0x00a1aa78227490e4,0x001bf09cf7957717,0x00cf6bf344325f52,0x0065bd1c23ca3ecf)},\n+ {FIELD_LITERAL(0x009bff3b3239363c,0x00e17368796ef7c0,0x00528b0fe0971f3a,0x0008014fc8d4a095,0x00d09f2e8a521ec4,0x006713ab5dde5987,0x0003015758e0dbb1,0x00215999f1ba212d)},\n+ {FIELD_LITERAL(0x002c88e93527da0e,0x0077c78f3456aad5,0x0071087a0a389d1c,0x00934dac1fb96dbd,0x008470e801162697,0x005bc2196cd4ad49,0x00e535601d5087c3,0x00769888700f497f)},\n+ {FIELD_LITERAL(0x00da7a4b557298ad,0x0019d2589ea5df76,0x00ef3e38be0c6497,0x00a9644e1312609a,0x004592f61b2558da,0x0082c1df510d7e46,0x0042809a535c0023,0x00215bcb5afd7757)},\n+ {FIELD_LITERAL(0x002b9df55a1a4213,0x00dcfc3b464a26be,0x00c4f9e07a8144d5,0x00c8e0617a92b602,0x008e3c93accafae0,0x00bf1bcb95b2ca60,0x004ce2426a613bf3,0x00266cac58e40921)},\n+ {FIELD_LITERAL(0x008456d5db76e8f0,0x0032ca9cab2ce163,0x0059f2b8bf91abcf,0x0063c2a021712788,0x00f86155af22f72d,0x00db98b2a6c005a0,0x00ac6e416a693ac4,0x007a93572af53226)},\n+ {FIELD_LITERAL(0x0087767520f0de22,0x0091f64012279fb5,0x001050f1f0644999,0x004f097a2477ad3c,0x006b37913a9947bd,0x001a3d78645af241,0x0057832bbb3008a7,0x002c1d902b80dc20)},\n+ {FIELD_LITERAL(0x001a6002bf178877,0x009bce168aa5af50,0x005fc318ff04a7f5,0x0052818f55c36461,0x008768f5d4b24afb,0x0037ffbae7b69c85,0x0018195a4b61edc0,0x001e12ea088434b2)},\n+ 
{FIELD_LITERAL(0x0047d3f804e7ab07,0x00a809ab5f905260,0x00b3ffc7cdaf306d,0x00746e8ec2d6e509,0x00d0dade8887a645,0x00acceeebde0dd37,0x009bc2579054686b,0x0023804f97f1c2bf)},\n+ {FIELD_LITERAL(0x0043e2e2e50b80d7,0x00143aafe4427e0f,0x005594aaecab855b,0x008b12ccaaecbc01,0x002deeb091082bc3,0x009cca4be2ae7514,0x00142b96e696d047,0x00ad2a2b1c05256a)},\n+ {FIELD_LITERAL(0x003914f2f144b78b,0x007a95dd8bee6f68,0x00c7f4384d61c8e6,0x004e51eb60f1bdb2,0x00f64be7aa4621d8,0x006797bfec2f0ac0,0x007d17aab3c75900,0x001893e73cac8bc5)},\n+ {FIELD_LITERAL(0x00140360b768665b,0x00b68aca4967f977,0x0001089b66195ae4,0x00fe71122185e725,0x000bca2618d49637,0x00a54f0557d7e98a,0x00cdcd2f91d6f417,0x00ab8c13741fd793)},\n+ {FIELD_LITERAL(0x00725ee6b1e549e0,0x007124a0769777fa,0x000b68fdad07ae42,0x0085b909cd4952df,0x0092d2e3c81606f4,0x009f22f6cac099a0,0x00f59da57f2799a8,0x00f06c090122f777)},\n+ {FIELD_LITERAL(0x00ce0bed0a3532bc,0x001a5048a22df16b,0x00e31db4cbad8bf1,0x00e89292120cf00e,0x007d1dd1a9b00034,0x00e2a9041ff8f680,0x006a4c837ae596e7,0x00713af1068070b3)},\n+ {FIELD_LITERAL(0x00c4fe64ce66d04b,0x00b095d52e09b3d7,0x00758bbecb1a3a8e,0x00f35cce8d0650c0,0x002b878aa5984473,0x0062e0a3b7544ddc,0x00b25b290ed116fe,0x007b0f6abe0bebf2)},\n+ {FIELD_LITERAL(0x0081d4e3addae0a8,0x003410c836c7ffcc,0x00c8129ad89e4314,0x000e3d5a23922dcd,0x00d91e46f29c31f3,0x006c728cde8c5947,0x002bc655ba2566c0,0x002ca94721533108)},\n+ {FIELD_LITERAL(0x0051e4b3f764d8a9,0x0019792d46e904a0,0x00853bc13dbc8227,0x000840208179f12d,0x0068243474879235,0x0013856fbfe374d0,0x00bda12fe8676424,0x00bbb43635926eb2)},\n+ {FIELD_LITERAL(0x0012cdc880a93982,0x003c495b21cd1b58,0x00b7e5c93f22a26e,0x0044aa82dfb99458,0x009ba092cdffe9c0,0x00a14b3ab2083b73,0x000271c2f70e1c4b,0x00eea9cac0f66eb8)},\n+ {FIELD_LITERAL(0x001a1847c4ac5480,0x00b1b412935bb03a,0x00f74285983bf2b2,0x00624138b5b5d0f1,0x008820c0b03d38bf,0x00b94e50a18c1572,0x0060f6934841798f,0x00c52f5d66d6ebe2)},\n+ 
{FIELD_LITERAL(0x00da23d59f9bcea6,0x00e0f27007a06a4b,0x00128b5b43a6758c,0x000cf50190fa8b56,0x00fc877aba2b2d72,0x00623bef52edf53f,0x00e6af6b819669e2,0x00e314dc34fcaa4f)},\n+ {FIELD_LITERAL(0x0066e5eddd164d1e,0x00418a7c6fe28238,0x0002e2f37e962c25,0x00f01f56b5975306,0x0048842fa503875c,0x0057b0e968078143,0x00ff683024f3d134,0x0082ae28fcad12e4)},\n+ {FIELD_LITERAL(0x0011ddfd21260e42,0x00d05b0319a76892,0x00183ea4368e9b8f,0x00b0815662affc96,0x00b466a5e7ce7c88,0x00db93b07506e6ee,0x0033885f82f62401,0x0086f9090ec9b419)},\n+ {FIELD_LITERAL(0x00d95d1c5fcb435a,0x0016d1ed6b5086f9,0x00792aa0b7e54d71,0x0067b65715f1925d,0x00a219755ec6176b,0x00bc3f026b12c28f,0x00700c897ffeb93e,0x0089b83f6ec50b46)},\n+ {FIELD_LITERAL(0x003c97e6384da36e,0x00423d53eac81a09,0x00b70d68f3cdce35,0x00ee7959b354b92c,0x00f4e9718819c8ca,0x009349f12acbffe9,0x005aee7b62cb7da6,0x00d97764154ffc86)},\n+ {FIELD_LITERAL(0x00526324babb46dc,0x002ee99b38d7bf9e,0x007ea51794706ef4,0x00abeb04da6e3c39,0x006b457c1d281060,0x00fe243e9a66c793,0x00378de0fb6c6ee4,0x003e4194b9c3cb93)},\n+ {FIELD_LITERAL(0x00fed3cd80ca2292,0x0015b043a73ca613,0x000a9fd7bf9be227,0x003b5e03de2db983,0x005af72d46904ef7,0x00c0f1b5c49faa99,0x00dc86fc3bd305e1,0x00c92f08c1cb1797)},\n+ {FIELD_LITERAL(0x0079680ce111ed3b,0x001a1ed82806122c,0x000c2e7466d15df3,0x002c407f6f7150fd,0x00c5e7c96b1b0ce3,0x009aa44626863ff9,0x00887b8b5b80be42,0x00b6023cec964825)},\n+ {FIELD_LITERAL(0x00e4a8e1048970c8,0x0062887b7830a302,0x00bcf1c8cd81402b,0x0056dbb81a68f5be,0x0014eced83f12452,0x00139e1a510150df,0x00bb81140a82d1a3,0x000febcc1aaf1aa7)},\n+ {FIELD_LITERAL(0x00a7527958238159,0x0013ec9537a84cd6,0x001d7fee7d562525,0x00b9eefa6191d5e5,0x00dbc97db70bcb8a,0x00481affc7a4d395,0x006f73d3e70c31bb,0x00183f324ed96a61)},\n+ {FIELD_LITERAL(0x0039dd7ce7fc6860,0x00d64f6425653da1,0x003e037c7f57d0af,0x0063477a06e2bcf2,0x001727dbb7ac67e6,0x0049589f5efafe2e,0x00fc0fef2e813d54,0x008baa5d087fb50d)},\n+ 
{FIELD_LITERAL(0x0024fb59d9b457c7,0x00a7d4e060223e4c,0x00c118d1b555fd80,0x0082e216c732f22a,0x00cd2a2993089504,0x003638e836a3e13d,0x000d855ee89b4729,0x008ec5b7d4810c91)},\n+ {FIELD_LITERAL(0x001bf51f7d65cdfd,0x00d14cdafa16a97d,0x002c38e60fcd10e7,0x00a27446e393efbd,0x000b5d8946a71fdd,0x0063df2cde128f2f,0x006c8679569b1888,0x0059ffc4925d732d)},\n+ {FIELD_LITERAL(0x00ece96f95f2b66f,0x00ece7952813a27b,0x0026fc36592e489e,0x007157d1a2de0f66,0x00759dc111d86ddf,0x0012881e5780bb0f,0x00c8ccc83ad29496,0x0012b9bd1929eb71)},\n+ {FIELD_LITERAL(0x000fa15a20da5df0,0x00349ddb1a46cd31,0x002c512ad1d8e726,0x00047611f669318d,0x009e68fba591e17e,0x004320dffa803906,0x00a640874951a3d3,0x00b6353478baa24f)},\n+ {FIELD_LITERAL(0x009696510000d333,0x00ec2f788bc04826,0x000e4d02b1f67ba5,0x00659aa8dace08b6,0x00d7a38a3a3ae533,0x008856defa8c746b,0x004d7a4402d3da1a,0x00ea82e06229260f)},\n+ {FIELD_LITERAL(0x006a15bb20f75c0c,0x0079a144027a5d0c,0x00d19116ce0b4d70,0x0059b83bcb0b268e,0x005f58f63f16c127,0x0079958318ee2c37,0x00defbb063d07f82,0x00f1f0b931d2d446)},\n+ {FIELD_LITERAL(0x00cb5e4c3c35d422,0x008df885ca43577f,0x00fa50b16ca3e471,0x005a0e58e17488c8,0x00b2ceccd6d34d19,0x00f01d5d235e36e9,0x00db2e7e4be6ca44,0x00260ab77f35fccd)},\n+ {FIELD_LITERAL(0x006f6fd9baac61d5,0x002a7710a020a895,0x009de0db7fc03d4d,0x00cdedcb1875f40b,0x00050caf9b6b1e22,0x005e3a6654456ab0,0x00775fdf8c4423d4,0x0028701ea5738b5d)},\n+ {FIELD_LITERAL(0x009ffd90abfeae96,0x00cba3c2b624a516,0x005ef08bcee46c91,0x00e6fde30afb6185,0x00f0b4db4f818ce4,0x006c54f45d2127f5,0x00040125035854c7,0x00372658a3287e13)},\n+ {FIELD_LITERAL(0x00d7070fb1beb2ab,0x0078fc845a93896b,0x006894a4b2f224a6,0x005bdd8192b9dbde,0x00b38839874b3a9e,0x00f93618b04b7a57,0x003e3ec75fd2c67e,0x00bf5e6bfc29494a)},\n+ {FIELD_LITERAL(0x00f19224ebba2aa5,0x0074f89d358e694d,0x00eea486597135ad,0x0081579a4555c7e1,0x0010b9b872930a9d,0x00f002e87a30ecc0,0x009b9d66b6de56e2,0x00a3c4f45e8004eb)},\n+ 
{FIELD_LITERAL(0x0045e8dda9400888,0x002ff12e5fc05db7,0x00a7098d54afe69c,0x00cdbe846a500585,0x00879c1593ca1882,0x003f7a7fea76c8b0,0x002cd73dd0c8e0a1,0x00645d6ce96f51fe)},\n+ {FIELD_LITERAL(0x002b7e83e123d6d6,0x00398346f7419c80,0x0042922e55940163,0x005e7fc5601886a3,0x00e88f2cee1d3103,0x00e7fab135f2e377,0x00b059984dbf0ded,0x0009ce080faa5bb8)},\n+ {FIELD_LITERAL(0x0085e78af7758979,0x00275a4ee1631a3a,0x00d26bc0ed78b683,0x004f8355ea21064f,0x00d618e1a32696e5,0x008d8d7b150e5680,0x00a74cd854b278d2,0x001dd62702203ea0)},\n+ {FIELD_LITERAL(0x00f89335c2a59286,0x00a0f5c905d55141,0x00b41fb836ee9382,0x00e235d51730ca43,0x00a5cb37b5c0a69a,0x009b966ffe136c45,0x00cb2ea10bf80ed1,0x00fb2b370b40dc35)},\n+ {FIELD_LITERAL(0x00d687d16d4ee8ba,0x0071520bdd069dff,0x00de85c60d32355d,0x0087d2e3565102f4,0x00cde391b8dfc9aa,0x00e18d69efdfefe5,0x004a9d0591954e91,0x00fa36dd8b50eee5)},\n+ {FIELD_LITERAL(0x002e788749a865f7,0x006e4dc3116861ea,0x009f1428c37276e6,0x00e7d2e0fc1e1226,0x003aeebc6b6c45f6,0x0071a8073bf500c9,0x004b22ad986b530c,0x00f439e63c0d79d4)},\n+ {FIELD_LITERAL(0x006bc3d53011f470,0x00032d6e692b83e8,0x00059722f497cd0b,0x0009b4e6f0c497cc,0x0058a804b7cce6c0,0x002b71d3302bbd5d,0x00e2f82a36765fce,0x008dded99524c703)},\n+ {FIELD_LITERAL(0x004d058953747d64,0x00701940fe79aa6f,0x00a620ac71c760bf,0x009532b611158b75,0x00547ed7f466f300,0x003cb5ab53a8401a,0x00c7763168ce3120,0x007e48e33e4b9ab2)},\n+ {FIELD_LITERAL(0x001b2fc57bf3c738,0x006a3f918993fb80,0x0026f7a14fdec288,0x0075a2cdccef08db,0x00d3ecbc9eecdbf1,0x0048c40f06e5bf7f,0x00d63e423009896b,0x000598bc99c056a8)},\n+ {FIELD_LITERAL(0x002f194eaafa46dc,0x008e38f57fe87613,0x00dc8e5ae25f4ab2,0x000a17809575e6bd,0x00d3ec7923ba366a,0x003a7e72e0ad75e3,0x0010024b88436e0a,0x00ed3c5444b64051)},\n+ {FIELD_LITERAL(0x00831fc1340af342,0x00c9645669466d35,0x007692b4cc5a080f,0x009fd4a47ac9259f,0x001eeddf7d45928b,0x003c0446fc45f28b,0x002c0713aa3e2507,0x0095706935f0f41e)},\n+ 
{FIELD_LITERAL(0x00766ae4190ec6d8,0x0065768cabc71380,0x00b902598416cdc2,0x00380021ad38df52,0x008f0b89d6551134,0x004254d4cc62c5a5,0x000d79f4484b9b94,0x00b516732ae3c50e)},\n+ {FIELD_LITERAL(0x001fb73475c45509,0x00d2b2e5ea43345a,0x00cb3c3842077bd1,0x0029f90ad820946e,0x007c11b2380778aa,0x009e54ece62c1704,0x004bc60c41ca01c3,0x004525679a5a0b03)},\n+ {FIELD_LITERAL(0x00c64fbddbed87b3,0x0040601d11731faa,0x009c22475b6f9d67,0x0024b79dae875f15,0x00616fed3f02c3b0,0x0000cf39f6af2d3b,0x00c46bac0aa9a688,0x00ab23e2800da204)},\n+ {FIELD_LITERAL(0x000b3a37617632b0,0x00597199fe1cfb6c,0x0042a7ccdfeafdd6,0x004cc9f15ebcea17,0x00f436e596a6b4a4,0x00168861142df0d8,0x000753edfec26af5,0x000c495d7e388116)},\n+ {FIELD_LITERAL(0x0017085f4a346148,0x00c7cf7a37f62272,0x001776e129bc5c30,0x009955134c9eef2a,0x001ba5bdf1df07be,0x00ec39497103a55c,0x006578354fda6cfb,0x005f02719d4f15ee)},\n+ {FIELD_LITERAL(0x0052b9d9b5d9655d,0x00d4ec7ba1b461c3,0x00f95df4974f280b,0x003d8e5ca11aeb51,0x00d4981eb5a70b26,0x000af9a4f6659f29,0x004598c846faeb43,0x0049d9a183a47670)},\n+ {FIELD_LITERAL(0x000a72d23dcb3f1f,0x00a3737f84011727,0x00f870c0fbbf4a47,0x00a7aadd04b5c9ca,0x000c7715c67bd072,0x00015a136afcd74e,0x0080d5caea499634,0x0026b448ec7514b7)},\n+ {FIELD_LITERAL(0x00b60167d9e7d065,0x00e60ba0d07381e8,0x003a4f17b725c2d4,0x006c19fe176b64fa,0x003b57b31af86ccb,0x0021047c286180fd,0x00bdc8fb00c6dbb6,0x00fe4a9f4bab4f3f)},\n+ {FIELD_LITERAL(0x0088ffc3a16111f7,0x009155e4245d0bc8,0x00851d68220572d5,0x00557ace1e514d29,0x0031d7c339d91022,0x00101d0ae2eaceea,0x00246ab3f837b66a,0x00d5216d381ff530)},\n+ {FIELD_LITERAL(0x0057e7ea35f36dae,0x00f47d7ad15de22e,0x00d757ea4b105115,0x008311457d579d7e,0x00b49b75b1edd4eb,0x0081c7ff742fd63a,0x00ddda3187433df6,0x00475727d55f9c66)},\n+ {FIELD_LITERAL(0x00a6295218dc136a,0x00563b3af0e9c012,0x00d3753b0145db1b,0x004550389c043dc1,0x00ea94ae27401bdf,0x002b0b949f2b7956,0x00c63f780ad8e23c,0x00e591c47d6bab15)},\n+ 
{FIELD_LITERAL(0x00416c582b058eb6,0x004107da5b2cc695,0x00b3cd2556aeec64,0x00c0b418267e57a1,0x001799293579bd2e,0x0046ed44590e4d07,0x001d7459b3630a1e,0x00c6afba8b6696aa)},\n+ {FIELD_LITERAL(0x008d6009b26da3f8,0x00898e88ca06b1ca,0x00edb22b2ed7fe62,0x00fbc93516aabe80,0x008b4b470c42ce0d,0x00e0032ba7d0dcbb,0x00d76da3a956ecc8,0x007f20fe74e3852a)},\n+ {FIELD_LITERAL(0x002419222c607674,0x00a7f23af89188b3,0x00ad127284e73d1c,0x008bba582fae1c51,0x00fc6aa7ca9ecab1,0x003df5319eb6c2ba,0x002a05af8a8b199a,0x004bf8354558407c)},\n+ {FIELD_LITERAL(0x00ce7d4a30f0fcbf,0x00d02c272629f03d,0x0048c001f7400bc2,0x002c21368011958d,0x0098a550391e96b5,0x002d80b66390f379,0x001fa878760cc785,0x001adfce54b613d5)},\n+ {FIELD_LITERAL(0x001ed4dc71fa2523,0x005d0bff19bf9b5c,0x00c3801cee065a64,0x001ed0b504323fbf,0x0003ab9fdcbbc593,0x00df82070178b8d2,0x00a2bcaa9c251f85,0x00c628a3674bd02e)},\n+ {FIELD_LITERAL(0x006b7a0674f9f8de,0x00a742414e5c7cff,0x0041cbf3c6e13221,0x00e3a64fd207af24,0x0087c05f15fbe8d1,0x004c50936d9e8a33,0x001306ec21042b6d,0x00a4f4137d1141c2)},\n+ {FIELD_LITERAL(0x0009e6fb921568b0,0x00b3c60120219118,0x002a6c3460dd503a,0x009db1ef11654b54,0x0063e4bf0be79601,0x00670d34bb2592b9,0x00dcee2f6c4130ce,0x00b2682e88e77f54)},\n+ {FIELD_LITERAL(0x000d5b4b3da135ab,0x00838f3e5064d81d,0x00d44eb50f6d94ed,0x0008931ab502ac6d,0x00debe01ca3d3586,0x0025c206775f0641,0x005ad4b6ae912763,0x007e2c318ad8f247)},\n+ {FIELD_LITERAL(0x00ddbe0750dd1add,0x004b3c7b885844b8,0x00363e7ecf12f1ae,0x0062e953e6438f9d,0x0023cc73b076afe9,0x00b09fa083b4da32,0x00c7c3d2456c541d,0x005b591ec6b694d4)},\n+ {FIELD_LITERAL(0x0028656e19d62fcf,0x0052a4af03df148d,0x00122765ddd14e42,0x00f2252904f67157,0x004741965b636f3a,0x006441d296132cb9,0x005e2106f956a5b7,0x00247029592d335c)},\n+ {FIELD_LITERAL(0x003fe038eb92f894,0x000e6da1b72e8e32,0x003a1411bfcbe0fa,0x00b55d473164a9e4,0x00b9a775ac2df48d,0x0002ddf350659e21,0x00a279a69eb19cb3,0x00f844eab25cba44)},\n+ 
{FIELD_LITERAL(0x00c41d1f9c1f1ac1,0x007b2df4e9f19146,0x00b469355fd5ba7a,0x00b5e1965afc852a,0x00388d5f1e2d8217,0x0022079e4c09ae93,0x0014268acd4ef518,0x00c1dd8d9640464c)},\n+ {FIELD_LITERAL(0x0038526adeed0c55,0x00dd68c607e3fe85,0x00f746ddd48a5d57,0x0042f2952b963b7c,0x001cbbd6876d5ec2,0x005e341470bca5c2,0x00871d41e085f413,0x00e53ab098f45732)},\n+ {FIELD_LITERAL(0x004d51124797c831,0x008f5ae3750347ad,0x0070ced94c1a0c8e,0x00f6db2043898e64,0x000d00c9a5750cd0,0x000741ec59bad712,0x003c9d11aab37b7f,0x00a67ba169807714)},\n+ {FIELD_LITERAL(0x00adb2c1566e8b8f,0x0096c68a35771a9a,0x00869933356f334a,0x00ba9c93459f5962,0x009ec73fb6e8ca4b,0x003c3802c27202e1,0x0031f5b733e0c008,0x00f9058c19611fa9)},\n+ {FIELD_LITERAL(0x00238f01814a3421,0x00c325a44b6cce28,0x002136f97aeb0e73,0x000cac8268a4afe2,0x0022fd218da471b3,0x009dcd8dfff8def9,0x00cb9f8181d999bb,0x00143ae56edea349)},\n+ {FIELD_LITERAL(0x0000623bf87622c5,0x00a1966fdd069496,0x00c315b7b812f9fc,0x00bdf5efcd128b97,0x001d464f532e3e16,0x003cd94f081bfd7e,0x00ed9dae12ce4009,0x002756f5736eee70)},\n+ {FIELD_LITERAL(0x00a5187e6ee7341b,0x00e6d52e82d83b6e,0x00df3c41323094a7,0x00b3324f444e9de9,0x00689eb21a35bfe5,0x00f16363becd548d,0x00e187cc98e7f60f,0x00127d9062f0ccab)},\n+ {FIELD_LITERAL(0x004ad71b31c29e40,0x00a5fcace12fae29,0x004425b5597280ed,0x00e7ef5d716c3346,0x0010b53ada410ac8,0x0092310226060c9b,0x0091c26128729c7e,0x0088b42900f8ec3b)},\n+ {FIELD_LITERAL(0x00f1e26e9762d4a8,0x00d9d74082183414,0x00ffec9bd57a0282,0x000919e128fd497a,0x00ab7ae7d00fe5f8,0x0054dc442851ff68,0x00c9ebeb3b861687,0x00507f7cab8b698f)},\n+ {FIELD_LITERAL(0x00c13c5aae3ae341,0x009c6c9ed98373e7,0x00098f26864577a8,0x0015b886e9488b45,0x0037692c42aadba5,0x00b83170b8e7791c,0x001670952ece1b44,0x00fd932a39276da2)},\n+ {FIELD_LITERAL(0x0081a3259bef3398,0x005480fff416107b,0x00ce4f607d21be98,0x003ffc084b41df9b,0x0043d0bb100502d1,0x00ec35f575ba3261,0x00ca18f677300ef3,0x00e8bb0a827d8548)},\n+ 
{FIELD_LITERAL(0x00df76b3328ada72,0x002e20621604a7c2,0x00f910638a105b09,0x00ef4724d96ef2cd,0x00377d83d6b8a2f7,0x00b4f48805ade324,0x001cd5da8b152018,0x0045af671a20ca7f)},\n+ {FIELD_LITERAL(0x009ae3b93a56c404,0x004a410b7a456699,0x00023a619355e6b2,0x009cdc7297387257,0x0055b94d4ae70d04,0x002cbd607f65b005,0x003208b489697166,0x00ea2aa058867370)},\n+ {FIELD_LITERAL(0x00f29d2598ee3f32,0x00b4ac5385d82adc,0x007633eaf04df19b,0x00aa2d3d77ceab01,0x004a2302fcbb778a,0x00927f225d5afa34,0x004a8e9d5047f237,0x008224ae9dbce530)},\n+ {FIELD_LITERAL(0x001cf640859b02f8,0x00758d1d5d5ce427,0x00763c784ef4604c,0x005fa81aee205270,0x00ac537bfdfc44cb,0x004b919bd342d670,0x00238508d9bf4b7a,0x00154888795644f3)},\n+ {FIELD_LITERAL(0x00c845923c084294,0x00072419a201bc25,0x0045f408b5f8e669,0x00e9d6a186b74dfe,0x00e19108c68fa075,0x0017b91d874177b7,0x002f0ca2c7912c5a,0x009400aa385a90a2)},\n+ {FIELD_LITERAL(0x0071110b01482184,0x00cfed0044f2bef8,0x0034f2901cf4662e,0x003b4ae2a67f9834,0x00cca9b96fe94810,0x00522507ae77abd0,0x00bac7422721e73e,0x0066622b0f3a62b0)},\n+ {FIELD_LITERAL(0x00f8ac5cf4705b6a,0x00867d82dcb457e3,0x007e13ab2ccc2ce9,0x009ee9a018d3930e,0x008370f8ecb42df8,0x002d9f019add263e,0x003302385b92d196,0x00a15654536e2c0c)},\n+ {FIELD_LITERAL(0x0026ef1614e160af,0x00c023f9edfc9c76,0x00cff090da5f57ba,0x0076db7a66643ae9,0x0019462f8c646999,0x008fec00b3854b22,0x00d55041692a0a1c,0x0065db894215ca00)},\n+ {FIELD_LITERAL(0x00a925036e0a451c,0x002a0390c36b6cc1,0x00f27020d90894f4,0x008d90d52cbd3d7f,0x00e1d0137392f3b8,0x00f017c158b51a8f,0x00cac313d3ed7dbc,0x00b99a81e3eb42d3)},\n+ {FIELD_LITERAL(0x00b54850275fe626,0x0053a3fd1ec71140,0x00e3d2d7dbe096fa,0x00e4ac7b595cce4c,0x0077bad449c0a494,0x00b7c98814afd5b3,0x0057226f58486cf9,0x00b1557154f0cc57)},\n+ {FIELD_LITERAL(0x008cc9cd236315c0,0x0031d9c5b39fda54,0x00a5713ef37e1171,0x00293d5ae2886325,0x00c4aba3e05015e1,0x0003f35ef78e4fc6,0x0039d6bd3ac1527b,0x0019d7c3afb77106)},\n+ 
{FIELD_LITERAL(0x007b162931a985af,0x00ad40a2e0daa713,0x006df27c4009f118,0x00503e9f4e2e8bec,0x00751a77c82c182d,0x000298937769245b,0x00ffb1e8fabf9ee5,0x0008334706e09abe)},\n+ {FIELD_LITERAL(0x00dbca4e98a7dcd9,0x00ee29cfc78bde99,0x00e4a3b6995f52e9,0x0045d70189ae8096,0x00fd2a8a3b9b0d1b,0x00af1793b107d8e1,0x00dbf92cbe4afa20,0x00da60f798e3681d)},\n+ {FIELD_LITERAL(0x004246bfcecc627a,0x004ba431246c03a4,0x00bd1d101872d497,0x003b73d3f185ee16,0x001feb2e2678c0e3,0x00ff13c5a89dec76,0x00ed06042e771d8f,0x00a4fd2a897a83dd)},\n+ {FIELD_LITERAL(0x009a4a3be50d6597,0x00de3165fc5a1096,0x004f3f56e345b0c7,0x00f7bf721d5ab8bc,0x004313e47b098c50,0x00e4c7d5c0e1adbb,0x002e3e3db365051e,0x00a480c2cd6a96fb)},\n+ {FIELD_LITERAL(0x00417fa30a7119ed,0x00af257758419751,0x00d358a487b463d4,0x0089703cc720b00d,0x00ce56314ff7f271,0x0064db171ade62c1,0x00640b36d4a22fed,0x00424eb88696d23f)},\n+ {FIELD_LITERAL(0x004ede34af2813f3,0x00d4a8e11c9e8216,0x004796d5041de8a5,0x00c4c6b4d21cc987,0x00e8a433ee07fa1e,0x0055720b5abcc5a1,0x008873ea9c74b080,0x005b3fec1ab65d48)},\n+ {FIELD_LITERAL(0x0047e5277db70ec5,0x000a096c66db7d6b,0x00b4164cc1730159,0x004a9f783fe720fe,0x00a8177b94449dbc,0x0095a24ff49a599f,0x0069c1c578250cbc,0x00452019213debf4)},\n+ {FIELD_LITERAL(0x0021ce99e09ebda3,0x00fcbd9f91875ad0,0x009bbf6b7b7a0b5f,0x00388886a69b1940,0x00926a56d0f81f12,0x00e12903c3358d46,0x005dfce4e8e1ce9d,0x0044cfa94e2f7e23)},\n+ {FIELD_LITERAL(0x001bd59c09e982ea,0x00f72daeb937b289,0x0018b76dca908e0e,0x00edb498512384ad,0x00ce0243b6cc9538,0x00f96ff690cb4e70,0x007c77bf9f673c8d,0x005bf704c088a528)},\n+ {FIELD_LITERAL(0x0093d4628dcb33be,0x0095263d51d42582,0x0049b3222458fe06,0x00e7fce73b653a7f,0x003ca2ebce60b369,0x00c5de239a32bea4,0x0063b8b3d71fb6bf,0x0039aeeb78a1a839)},\n+ {FIELD_LITERAL(0x007dc52da400336c,0x001fded1e15b9457,0x00902e00f5568e3a,0x00219bef40456d2d,0x005684161fb3dbc9,0x004a4e9be49a76ea,0x006e685ae88b78ff,0x0021c42f13042d3c)},\n+ 
{FIELD_LITERAL(0x00fb22bb5fd3ce50,0x0017b48aada7ae54,0x00fd5c44ad19a536,0x000ccc4e4e55e45c,0x00fd637d45b4c3f5,0x0038914e023c37cf,0x00ac1881d6a8d898,0x00611ed8d3d943a8)},\n+ {FIELD_LITERAL(0x0056e2259d113d2b,0x00594819b284ec16,0x00c7bf794bb36696,0x00721ee75097cdc6,0x00f71be9047a2892,0x00df6ba142564edf,0x0069580b7a184e8d,0x00f056e38fca0fee)},\n+ {FIELD_LITERAL(0x009df98566a18c6d,0x00cf3a200968f219,0x0044ba60da6d9086,0x00dbc9c0e344da03,0x000f9401c4466855,0x00d46a57c5b0a8d1,0x00875a635d7ac7c6,0x00ef4a933b7e0ae6)},\n+ {FIELD_LITERAL(0x005e8694077a1535,0x008bef75f71c8f1d,0x000a7c1316423511,0x00906e1d70604320,0x003fc46c1a2ffbd6,0x00d1d5022e68f360,0x002515fba37bbf46,0x00ca16234e023b44)},\n+ {FIELD_LITERAL(0x00787c99561f4690,0x00a857a8c1561f27,0x00a10df9223c09fe,0x00b98a9562e3b154,0x004330b8744c3ed2,0x00e06812807ec5c4,0x00e4cf6a7db9f1e3,0x00d95b089f132a34)},\n+ {FIELD_LITERAL(0x002922b39ca33eec,0x0090d12a5f3ab194,0x00ab60c02fb5f8ed,0x00188d292abba1cf,0x00e10edec9698f6e,0x0069a4d9934133c8,0x0024aac40e6d3d06,0x001702c2177661b0)},\n+ {FIELD_LITERAL(0x00139078397030bd,0x000e3c447e859a00,0x0064a5b334c82393,0x00b8aabeb7358093,0x00020778bb9ae73b,0x0032ee94c7892a18,0x008215253cb41bda,0x005e2797593517ae)},\n+ {FIELD_LITERAL(0x0083765a5f855d4a,0x0051b6d1351b8ee2,0x00116de548b0f7bb,0x0087bd88703affa0,0x0095b2cc34d7fdd2,0x0084cd81b53f0bc8,0x008562fc995350ed,0x00a39abb193651e3)},\n+ {FIELD_LITERAL(0x0019e23f0474b114,0x00eb94c2ad3b437e,0x006ddb34683b75ac,0x00391f9209b564c6,0x00083b3bb3bff7aa,0x00eedcd0f6dceefc,0x00b50817f794fe01,0x0036474deaaa75c9)},\n+ {FIELD_LITERAL(0x0091868594265aa2,0x00797accae98ca6d,0x0008d8c5f0f8a184,0x00d1f4f1c2b2fe6e,0x0036783dfb48a006,0x008c165120503527,0x0025fd780058ce9b,0x0068beb007be7d27)},\n+ {FIELD_LITERAL(0x00d0ff88aa7c90c2,0x00b2c60dacf53394,0x0094a7284d9666d6,0x00bed9022ce7a19d,0x00c51553f0cd7682,0x00c3fb870b124992,0x008d0bc539956c9b,0x00fc8cf258bb8885)},\n+ 
{FIELD_LITERAL(0x003667bf998406f8,0x0000115c43a12975,0x001e662f3b20e8fd,0x0019ffa534cb24eb,0x00016be0dc8efb45,0x00ff76a8b26243f5,0x00ae20d241a541e3,0x0069bd6af13cd430)},\n+ {FIELD_LITERAL(0x0045fdc16487cda3,0x00b2d8e844cf2ed7,0x00612c50e88c1607,0x00a08aabc66c1672,0x006031fdcbb24d97,0x001b639525744b93,0x004409d62639ab17,0x00a1853d0347ab1d)},\n+ {FIELD_LITERAL(0x0075a1a56ebf5c21,0x00a3e72be9ac53ed,0x00efcde1629170c2,0x0004225fe91ef535,0x0088049fc73dfda7,0x004abc74857e1288,0x0024e2434657317c,0x00d98cb3d3e5543c)},\n+ {FIELD_LITERAL(0x00b4b53eab6bdb19,0x009b22d8b43711d0,0x00d948b9d961785d,0x00cb167b6f279ead,0x00191de3a678e1c9,0x00d9dd9511095c2e,0x00f284324cd43067,0x00ed74fa535151dd)},\n+ {FIELD_LITERAL(0x007e32c049b5c477,0x009d2bfdbd9bcfd8,0x00636e93045938c6,0x007fde4af7687298,0x0046a5184fafa5d3,0x0079b1e7f13a359b,0x00875adf1fb927d6,0x00333e21c61bcad2)},\n+ {FIELD_LITERAL(0x00048014f73d8b8d,0x0075684aa0966388,0x0092be7df06dc47c,0x0097cebcd0f5568a,0x005a7004d9c4c6a9,0x00b0ecbb659924c7,0x00d90332dd492a7c,0x0057fc14df11493d)},\n+ {FIELD_LITERAL(0x0008ed8ea0ad95be,0x0041d324b9709645,0x00e25412257a19b4,0x0058df9f3423d8d2,0x00a9ab20def71304,0x009ae0dbf8ac4a81,0x00c9565977e4392a,0x003c9269444baf55)},\n+ {FIELD_LITERAL(0x007df6cbb926830b,0x00d336058ae37865,0x007af47dac696423,0x0048d3011ec64ac8,0x006b87666e40049f,0x0036a2e0e51303d7,0x00ba319bd79dbc55,0x003e2737ecc94f53)},\n+ {FIELD_LITERAL(0x00d296ff726272d9,0x00f6d097928fcf57,0x00e0e616a55d7013,0x00deaf454ed9eac7,0x0073a56bedef4d92,0x006ccfdf6fc92e19,0x009d1ee1371a7218,0x00ee3c2ee4462d80)},\n+ {FIELD_LITERAL(0x00437bce9bccdf9d,0x00e0c8e2f85dc0a3,0x00c91a7073995a19,0x00856ec9fe294559,0x009e4b33394b156e,0x00e245b0dc497e5c,0x006a54e687eeaeff,0x00f1cd1cd00fdb7c)},\n+ {FIELD_LITERAL(0x008132ae5c5d8cd1,0x00121d68324a1d9f,0x00d6be9dafcb8c76,0x00684d9070edf745,0x00519fbc96d7448e,0x00388182fdc1f27e,0x000235baed41f158,0x00bf6cf6f1a1796a)},\n+ 
{FIELD_LITERAL(0x002adc4b4d148219,0x003084ada0d3a90a,0x0046de8aab0f2e4e,0x00452d342a67b5fd,0x00d4b50f01d4de21,0x00db6d9fc0cefb79,0x008c184c86a462cd,0x00e17c83764d42da)},\n+ {FIELD_LITERAL(0x007b2743b9a1e01a,0x007847ffd42688c4,0x006c7844d610a316,0x00f0cb8b250aa4b0,0x00a19060143b3ae6,0x0014eb10b77cfd80,0x000170905729dd06,0x00063b5b9cd72477)},\n+ {FIELD_LITERAL(0x00ce382dc7993d92,0x00021153e938b4c8,0x00096f7567f48f51,0x0058f81ddfe4b0d5,0x00cc379a56b355c7,0x002c760770d3e819,0x00ee22d1d26e5a40,0x00de6d93d5b082d7)},\n+ {FIELD_LITERAL(0x000a91a42c52e056,0x00185f6b77fce7ea,0x000803c51962f6b5,0x0022528582ba563d,0x0043f8040e9856d6,0x0085a29ec81fb860,0x005f9a611549f5ff,0x00c1f974ecbd4b06)},\n+ {FIELD_LITERAL(0x005b64c6fd65ec97,0x00c1fdd7f877bc7f,0x000d9cc6c89f841c,0x005c97b7f1aff9ad,0x0075e3c61475d47e,0x001ecb1ba8153011,0x00fe7f1c8d71d40d,0x003fa9757a229832)},\n+ {FIELD_LITERAL(0x00ffc5c89d2b0cba,0x00d363d42e3e6fc3,0x0019a1a0118e2e8a,0x00f7baeff48882e1,0x001bd5af28c6b514,0x0055476ca2253cb2,0x00d8eb1977e2ddf3,0x00b173b1adb228a1)},\n+ {FIELD_LITERAL(0x00f2cb99dd0ad707,0x00e1e08b6859ddd8,0x000008f2d0650bcc,0x00d7ed392f8615c3,0x00976750a94da27f,0x003e83bb0ecb69ba,0x00df8e8d15c14ac6,0x00f9f7174295d9c2)},\n+ {FIELD_LITERAL(0x00f11cc8e0e70bcb,0x00e5dc689974e7dd,0x0014e409f9ee5870,0x00826e6689acbd63,0x008a6f4e3d895d88,0x00b26a8da41fd4ad,0x000fb7723f83efd7,0x009c749db0a5f6c3)},\n+ {FIELD_LITERAL(0x002389319450f9ba,0x003677f31aa1250a,0x0092c3db642f38cb,0x00f8b64c0dfc9773,0x00cd49fe3505b795,0x0068105a4090a510,0x00df0ba2072a8bb6,0x00eb396143afd8be)},\n+ {FIELD_LITERAL(0x00a0d4ecfb24cdff,0x00ddaf8008ba6479,0x00f0b3e36d4b0f44,0x003734bd3af1f146,0x00b87e2efc75527e,0x00d230df55ddab50,0x002613257ae56c1d,0x00bc0946d135934d)},\n+ {FIELD_LITERAL(0x00468711bd994651,0x0033108fa67561bf,0x0089d760192a54b4,0x00adc433de9f1871,0x000467d05f36e050,0x007847e0f0579f7f,0x00a2314ad320052d,0x00b3a93649f0b243)},\n+ 
{FIELD_LITERAL(0x0067f8f0c4fe26c9,0x0079c4a3cc8f67b9,0x0082b1e62f23550d,0x00f2d409caefd7f5,0x0080e67dcdb26e81,0x0087ae993ea1f98a,0x00aa108becf61d03,0x001acf11efb608a3)},\n+ {FIELD_LITERAL(0x008225febbab50d9,0x00f3b605e4dd2083,0x00a32b28189e23d2,0x00d507e5e5eb4c97,0x005a1a84e302821f,0x0006f54c1c5f08c7,0x00a347c8cb2843f0,0x0009f73e9544bfa5)},\n+ {FIELD_LITERAL(0x006c59c9ae744185,0x009fc32f1b4282cd,0x004d6348ca59b1ac,0x00105376881be067,0x00af4096013147dc,0x004abfb5a5cb3124,0x000d2a7f8626c354,0x009c6ed568e07431)},\n+ {FIELD_LITERAL(0x00e828333c297f8b,0x009ef3cf8c3f7e1f,0x00ab45f8fff31cb9,0x00c8b4178cb0b013,0x00d0c50dd3260a3f,0x0097126ac257f5bc,0x0042376cc90c705a,0x001d96fdb4a1071e)},\n+ {FIELD_LITERAL(0x00542d44d89ee1a8,0x00306642e0442d98,0x0090853872b87338,0x002362cbf22dc044,0x002c222adff663b8,0x0067c924495fcb79,0x000e621d983c977c,0x00df77a9eccb66fb)},\n+ {FIELD_LITERAL(0x002809e4bbf1814a,0x00b9e854f9fafb32,0x00d35e67c10f7a67,0x008f1bcb76e748cf,0x004224d9515687d2,0x005ba0b774e620c4,0x00b5e57db5d54119,0x00e15babe5683282)},\n+ {FIELD_LITERAL(0x00832d02369b482c,0x00cba52ff0d93450,0x003fa9c908d554db,0x008d1e357b54122f,0x00abd91c2dc950c6,0x007eff1df4c0ec69,0x003f6aeb13fb2d31,0x00002d6179fc5b2c)},\n+ {FIELD_LITERAL(0x0046c9eda81c9c89,0x00b60cb71c8f62fc,0x0022f5a683baa558,0x00f87319fccdf997,0x009ca09b51ce6a22,0x005b12baf4af7d77,0x008a46524a1e33e2,0x00035a77e988be0d)},\n+ {FIELD_LITERAL(0x00a7efe46a7dbe2f,0x002f66fd55014fe7,0x006a428afa1ff026,0x0056caaa9604ab72,0x0033f3bcd7fac8ae,0x00ccb1aa01c86764,0x00158d1edf13bf40,0x009848ee76fcf3b4)},\n+ {FIELD_LITERAL(0x00a9e7730a819691,0x00d9cc73c4992b70,0x00e299bde067de5a,0x008c314eb705192a,0x00e7226f17e8a3cc,0x0029dfd956e65a47,0x0053a8e839073b12,0x006f942b2ab1597e)},\n+ {FIELD_LITERAL(0x001c3d780ecd5e39,0x0094f247fbdcc5fe,0x00d5c786fd527764,0x00b6f4da74f0db2a,0x0080f1f8badcd5fc,0x00f36a373ad2e23b,0x00f804f9f4343bf2,0x00d1af40ec623982)},\n+ 
{FIELD_LITERAL(0x0082aeace5f1b144,0x00f68b3108cf4dd3,0x00634af01dde3020,0x000beab5df5c2355,0x00e8b790d1b49b0b,0x00e48d15854e36f4,0x0040ab2d95f3db9f,0x002711c4ed9e899a)},\n+ {FIELD_LITERAL(0x0039343746531ebe,0x00c8509d835d429d,0x00e79eceff6b0018,0x004abfd31e8efce5,0x007bbfaaa1e20210,0x00e3be89c193e179,0x001c420f4c31d585,0x00f414a315bef5ae)},\n+ {FIELD_LITERAL(0x007c296a24990df8,0x00d5d07525a75588,0x00dd8e113e94b7e7,0x007bbc58febe0cc8,0x0029f51af9bfcad3,0x007e9311ec7ab6f3,0x009a884de1676343,0x0050d5f2dce84be9)},\n+ {FIELD_LITERAL(0x005fa020cca2450a,0x00491c29db6416d8,0x0037cefe3f9f9a85,0x003d405230647066,0x0049e835f0fdbe89,0x00feb78ac1a0815c,0x00828e4b32dc9724,0x00db84f2dc8d6fd4)},\n+ {FIELD_LITERAL(0x0098cddc8b39549a,0x006da37e3b05d22c,0x00ce633cfd4eb3cb,0x00fda288ef526acd,0x0025338878c5d30a,0x00f34438c4e5a1b4,0x00584efea7c310f1,0x0041a551f1b660ad)},\n+ {FIELD_LITERAL(0x00d7f7a8fbd6437a,0x0062872413bf3753,0x00ad4bbcb43c584b,0x007fe49be601d7e3,0x0077c659789babf4,0x00eb45fcb06a741b,0x005ce244913f9708,0x0088426401736326)},\n+ {FIELD_LITERAL(0x007bf562ca768d7c,0x006c1f3a174e387c,0x00f024b447fee939,0x007e7af75f01143f,0x003adb70b4eed89d,0x00e43544021ad79a,0x0091f7f7042011f6,0x0093c1a1ee3a0ddc)},\n+ {FIELD_LITERAL(0x00a0b68ec1eb72d2,0x002c03235c0d45a0,0x00553627323fe8c5,0x006186e94b17af94,0x00a9906196e29f14,0x0025b3aee6567733,0x007e0dd840080517,0x0018eb5801a4ba93)},\n+ {FIELD_LITERAL(0x00d7fe7017bf6a40,0x006e3f0624be0c42,0x00ffbba205358245,0x00f9fc2cf8194239,0x008d93b37bf15b4e,0x006ddf2e38be8e95,0x002b6e79bf5fcff9,0x00ab355da425e2de)},\n+ {FIELD_LITERAL(0x00938f97e20be973,0x0099141a36aaf306,0x0057b0ca29e545a1,0x0085db571f9fbc13,0x008b333c554b4693,0x0043ab6ef3e241cb,0x0054fb20aa1e5c70,0x00be0ff852760adf)},\n+ {FIELD_LITERAL(0x003973d8938971d6,0x002aca26fa80c1f5,0x00108af1faa6b513,0x00daae275d7924e6,0x0053634ced721308,0x00d2355fe0bbd443,0x00357612b2d22095,0x00f9bb9dd4136cf3)},\n+ 
{FIELD_LITERAL(0x002bff12cf5e03a5,0x001bdb1fa8a19cf8,0x00c91c6793f84d39,0x00f869f1b2eba9af,0x0059bc547dc3236b,0x00d91611d6d38689,0x00e062daaa2c0214,0x00ed3c047cc2bc82)},\n+ {FIELD_LITERAL(0x000050d70c32b31a,0x001939d576d437b3,0x00d709e598bf9fe6,0x00a885b34bd2ee9e,0x00dd4b5c08ab1a50,0x0091bebd50b55639,0x00cf79ff64acdbc6,0x006067a39d826336)},\n+ {FIELD_LITERAL(0x0062dd0fb31be374,0x00fcc96b84c8e727,0x003f64f1375e6ae3,0x0057d9b6dd1af004,0x00d6a167b1103c7b,0x00dd28f3180fb537,0x004ff27ad7167128,0x008934c33461f2ac)},\n+ {FIELD_LITERAL(0x0065b472b7900043,0x00ba7efd2ff1064b,0x000b67d6c4c3020f,0x0012d28469f4e46d,0x0031c32939703ec7,0x00b49f0bce133066,0x00f7e10416181d47,0x005c90f51867eecc)},\n+ {FIELD_LITERAL(0x0051207abd179101,0x00fc2a5c20d9c5da,0x00fb9d5f2701b6df,0x002dd040fdea82b8,0x00f163b0738442ff,0x00d9736bd68855b8,0x00e0d8e93005e61c,0x00df5a40b3988570)},\n+ {FIELD_LITERAL(0x0006918f5dfce6dc,0x00d4bf1c793c57fb,0x0069a3f649435364,0x00e89a50e5b0cd6e,0x00b9f6a237e973af,0x006d4ed8b104e41d,0x00498946a3924cd2,0x00c136ec5ac9d4f7)},\n+ {FIELD_LITERAL(0x0011a9c290ac5336,0x002b9a2d4a6a6533,0x009a8a68c445d937,0x00361b27b07e5e5c,0x003c043b1755b974,0x00b7eb66cf1155ee,0x0077af5909eefff2,0x0098f609877cc806)},\n+ {FIELD_LITERAL(0x00ab13af436bf8f4,0x000bcf0a0dac8574,0x00d50c864f705045,0x00c40e611debc842,0x0085010489bd5caa,0x007c5050acec026f,0x00f67d943c8da6d1,0x00de1da0278074c6)},\n+ {FIELD_LITERAL(0x00b373076597455f,0x00e83f1af53ac0f5,0x0041f63c01dc6840,0x0097dea19b0c6f4b,0x007f9d63b4c1572c,0x00e692d492d0f5f0,0x00cbcb392e83b4ad,0x0069c0f39ed9b1a8)},\n+ {FIELD_LITERAL(0x00861030012707c9,0x009fbbdc7fd4aafb,0x008f591d6b554822,0x00df08a41ea18ade,0x009d7d83e642abea,0x0098c71bda3b78ff,0x0022c89e7021f005,0x0044d29a3fe1e3c4)},\n+ {FIELD_LITERAL(0x00e748cd7b5c52f2,0x00ea9df883f89cc3,0x0018970df156b6c7,0x00c5a46c2a33a847,0x00cbde395e32aa09,0x0072474ebb423140,0x00fb00053086a23d,0x001dafcfe22d4e1f)},\n+ 
{FIELD_LITERAL(0x00c903ee6d825540,0x00add6c4cf98473e,0x007636efed4227f1,0x00905124ae55e772,0x00e6b38fab12ed53,0x0045e132b863fe55,0x003974662edb366a,0x00b1787052be8208)},\n+ {FIELD_LITERAL(0x00a614b00d775c7c,0x00d7c78941cc7754,0x00422dd68b5dabc4,0x00a6110f0167d28b,0x00685a309c252886,0x00b439ffd5143660,0x003656e29ee7396f,0x00c7c9b9ed5ad854)},\n+ {FIELD_LITERAL(0x0040f7e7c5b37bf2,0x0064e4dc81181bba,0x00a8767ae2a366b6,0x001496b4f90546f2,0x002a28493f860441,0x0021f59513049a3a,0x00852d369a8b7ee3,0x00dd2e7d8b7d30a9)},\n+ {FIELD_LITERAL(0x00006e34a35d9fbc,0x00eee4e48b2f019a,0x006b344743003a5f,0x00541d514f04a7e3,0x00e81f9ee7647455,0x005e2b916c438f81,0x00116f8137b7eff0,0x009bd3decc7039d1)},\n+ {FIELD_LITERAL(0x0005d226f434110d,0x00af8288b8ef21d5,0x004a7a52ef181c8c,0x00be0b781b4b06de,0x00e6e3627ded07e1,0x00e43aa342272b8b,0x00e86ab424577d84,0x00fb292c566e35bb)},\n+ {FIELD_LITERAL(0x00334f5303ea1222,0x00dfb3dbeb0a5d3e,0x002940d9592335c1,0x00706a7a63e8938a,0x005a533558bc4caf,0x00558e33192022a9,0x00970d9faf74c133,0x002979fcb63493ca)},\n+ {FIELD_LITERAL(0x00e38abece3c82ab,0x005a51f18a2c7a86,0x009dafa2e86d592e,0x00495a62eb688678,0x00b79df74c0eb212,0x0023e8cc78b75982,0x005998cb91075e13,0x00735aa9ba61bc76)},\n+ {FIELD_LITERAL(0x00d9f7a82ddbe628,0x00a1fc782889ae0f,0x0071ffda12d14b66,0x0037cf4eca7fb3d5,0x00c80bc242c58808,0x0075bf8c2d08c863,0x008d41f31afc52a7,0x00197962ecf38741)},\n+ {FIELD_LITERAL(0x006e9f475cccf2ee,0x00454b9cd506430c,0x00224a4fb79ee479,0x0062e3347ef0b5e2,0x0034fd2a3512232a,0x00b8b3cb0f457046,0x00eb20165daa38ec,0x00128eebc2d9c0f7)},\n+ {FIELD_LITERAL(0x00bfc5fa1e4ea21f,0x00c21d7b6bb892e6,0x00cf043f3acf0291,0x00c13f2f849b3c90,0x00d1a97ebef10891,0x0061e130a445e7fe,0x0019513fdedbf22b,0x001d60c813bff841)},\n+ {FIELD_LITERAL(0x0019561c7fcf0213,0x00e3dca6843ebd77,0x0068ea95b9ca920e,0x009bdfb70f253595,0x00c68f59186aa02a,0x005aee1cca1c3039,0x00ab79a8a937a1ce,0x00b9a0e549959e6f)},\n+ 
{FIELD_LITERAL(0x00c79e0b6d97dfbd,0x00917c71fd2bc6e8,0x00db7529ccfb63d8,0x00be5be957f17866,0x00a9e11fdc2cdac1,0x007b91a8e1f44443,0x00a3065e4057d80f,0x004825f5b8d5f6d4)},\n+ {FIELD_LITERAL(0x003e4964fa8a8fc8,0x00f6a1cdbcf41689,0x00943cb18fe7fda7,0x00606dafbf34440a,0x005d37a86399c789,0x00e79a2a69417403,0x00fe34f7e68b8866,0x0011f448ed2df10e)},\n+ {FIELD_LITERAL(0x00f1f57efcc1fcc4,0x00513679117de154,0x002e5b5b7c86d8c3,0x009f6486561f9cfb,0x00169e74b0170cf7,0x00900205af4af696,0x006acfddb77853f3,0x00df184c90f31068)},\n+ {FIELD_LITERAL(0x00b37396c3320791,0x00fc7b67175c5783,0x00c36d2cd73ecc38,0x0080ebcc0b328fc5,0x0043a5b22b35d35d,0x00466c9f1713c9da,0x0026ad346dcaa8da,0x007c684e701183a6)},\n+ {FIELD_LITERAL(0x00fd579ffb691713,0x00b76af4f81c412d,0x00f239de96110f82,0x00e965fb437f0306,0x00ca7e9436900921,0x00e487f1325fa24a,0x00633907de476380,0x00721c62ac5b8ea0)},\n+ {FIELD_LITERAL(0x00c0d54e542eb4f9,0x004ed657171c8dcf,0x00b743a4f7c2a39b,0x00fd9f93ed6cc567,0x00307fae3113e58b,0x0058aa577c93c319,0x00d254556f35b346,0x00491aada2203f0d)},\n+ {FIELD_LITERAL(0x00dff3103786ff34,0x000144553b1f20c3,0x0095613baeb930e4,0x00098058275ea5d4,0x007cd1402b046756,0x0074d74e4d58aee3,0x005f93fc343ff69b,0x00873df17296b3b0)},\n+ {FIELD_LITERAL(0x00c4a1fb48635413,0x00b5dd54423ad59f,0x009ff5d53fd24a88,0x003c98d267fc06a7,0x002db7cb20013641,0x00bd1d6716e191f2,0x006dbc8b29094241,0x0044bbf233dafa2c)},\n+ {FIELD_LITERAL(0x0055838d41f531e6,0x00bf6a2dd03c81b2,0x005827a061c4839e,0x0000de2cbb36aac3,0x002efa29d9717478,0x00f9e928cc8a77ba,0x00c134b458def9ef,0x00958a182223fc48)},\n+ {FIELD_LITERAL(0x000a9ee23c06881f,0x002c727d3d871945,0x00f47d971512d24a,0x00671e816f9ef31a,0x00883af2cfaad673,0x00601f98583d6c9a,0x00b435f5adc79655,0x00ad87b71c04bff2)},\n+ {FIELD_LITERAL(0x007860d99db787cf,0x00fda8983018f4a8,0x008c8866bac4743c,0x00ef471f84c82a3f,0x00abea5976d3b8e7,0x00714882896cd015,0x00b49fae584ddac5,0x008e33a1a0b69c81)},\n+ 
{FIELD_LITERAL(0x007b6ee2c9e8a9ec,0x002455dbbd89d622,0x006490cf4eaab038,0x00d925f6c3081561,0x00153b3047de7382,0x003b421f8bdceb6f,0x00761a4a5049da78,0x00980348c5202433)},\n+ {FIELD_LITERAL(0x007f8a43da97dd5c,0x00058539c800fc7b,0x0040f3cf5a28414a,0x00d68dd0d95283d6,0x004adce9da90146e,0x00befa41c7d4f908,0x007603bc2e3c3060,0x00bdf360ab3545db)},\n+ {FIELD_LITERAL(0x00eebfd4e2312cc3,0x00474b2564e4fc8c,0x003303ef14b1da9b,0x003c93e0e66beb1d,0x0013619b0566925a,0x008817c24d901bf3,0x00b62bd8898d218b,0x0075a7716f1e88a2)},\n+ {FIELD_LITERAL(0x0009218da1e6890f,0x0026907f5fd02575,0x004dabed5f19d605,0x003abf181870249d,0x00b52fd048cc92c4,0x00b6dd51e415a5c5,0x00d9eb82bd2b4014,0x002c865a43b46b43)},\n+ {FIELD_LITERAL(0x0070047189452f4c,0x00f7ad12e1ce78d5,0x00af1ba51ec44a8b,0x005f39f63e667cd6,0x00058eac4648425e,0x00d7fdab42bea03b,0x0028576a5688de15,0x00af973209e77c10)},\n+ {FIELD_LITERAL(0x00c338b915d8fef0,0x00a893292045c39a,0x0028ab4f2eba6887,0x0060743cb519fd61,0x0006213964093ac0,0x007c0b7a43f6266d,0x008e3557c4fa5bda,0x002da976de7b8d9d)},\n+ {FIELD_LITERAL(0x0048729f8a8b6dcd,0x00fe23b85cc4d323,0x00e7384d16e4db0e,0x004a423970678942,0x00ec0b763345d4ba,0x00c477b9f99ed721,0x00c29dad3777b230,0x001c517b466f7df6)},\n+ {FIELD_LITERAL(0x006366c380f7b574,0x001c7d1f09ff0438,0x003e20a7301f5b22,0x00d3efb1916d28f6,0x0049f4f81060ce83,0x00c69d91ea43ced1,0x002b6f3e5cd269ed,0x005b0fb22ce9ec65)},\n+ {FIELD_LITERAL(0x00aa2261022d883f,0x00ebcca4548010ac,0x002528512e28a437,0x0070ca7676b66082,0x0084bda170f7c6d3,0x00581b4747c9b8bb,0x005c96a01061c7e2,0x00fb7c4a362b5273)},\n+ {FIELD_LITERAL(0x00c30020eb512d02,0x0060f288283a4d26,0x00b7ed13becde260,0x0075ebb74220f6e9,0x00701079fcfe8a1f,0x001c28fcdff58938,0x002e4544b8f4df6b,0x0060c5bc4f1a7d73)},\n+ {FIELD_LITERAL(0x00ae307cf069f701,0x005859f222dd618b,0x00212d6c46ec0b0d,0x00a0fe4642afb62d,0x00420d8e4a0a8903,0x00a80ff639bdf7b0,0x0019bee1490b5d8e,0x007439e4b9c27a86)},\n+ 
{FIELD_LITERAL(0x00a94700032a093f,0x0076e96c225216e7,0x00a63a4316e45f91,0x007d8bbb4645d3b2,0x00340a6ff22793eb,0x006f935d4572aeb7,0x00b1fb69f00afa28,0x009e8f3423161ed3)},\n+ {FIELD_LITERAL(0x009ef49c6b5ced17,0x00a555e6269e9f0a,0x007e6f1d79ec73b5,0x009ac78695a32ac4,0x0001d77fbbcd5682,0x008cea1fee0aaeed,0x00f42bea82a53462,0x002e46ab96cafcc9)},\n+ {FIELD_LITERAL(0x0051cfcc5885377a,0x00dce566cb1803ca,0x00430c7643f2c7d4,0x00dce1a1337bdcc0,0x0010d5bd7283c128,0x003b1b547f9b46fe,0x000f245e37e770ab,0x007b72511f022b37)},\n+ {FIELD_LITERAL(0x0060db815bc4786c,0x006fab25beedc434,0x00c610d06084797c,0x000c48f08537bec0,0x0031aba51c5b93da,0x007968fa6e01f347,0x0030070da52840c6,0x00c043c225a4837f)},\n+ {FIELD_LITERAL(0x001bcfd00649ee93,0x006dceb47e2a0fd5,0x00f2cebda0cf8fd0,0x00b6b9d9d1fbdec3,0x00815262e6490611,0x00ef7f5ce3176760,0x00e49cd0c998d58b,0x005fc6cc269ba57c)},\n+ {FIELD_LITERAL(0x008940211aa0d633,0x00addae28136571d,0x00d68fdbba20d673,0x003bc6129bc9e21a,0x000346cf184ebe9a,0x0068774d741ebc7f,0x0019d5e9e6966557,0x0003cbd7f981b651)},\n+ {FIELD_LITERAL(0x004a2902926f8d3f,0x00ad79b42637ab75,0x0088f60b90f2d4e8,0x0030f54ef0e398c4,0x00021dc9bf99681e,0x007ebf66fde74ee3,0x004ade654386e9a4,0x00e7485066be4c27)},\n+ {FIELD_LITERAL(0x00445f1263983be0,0x004cf371dda45e6a,0x00744a89d5a310e7,0x001f20ce4f904833,0x00e746edebe66e29,0x000912ab1f6c153d,0x00f61d77d9b2444c,0x0001499cd6647610)}\n+};\n+const gf API_NS(precomputed_wnaf_as_fe)[96]\n+VECTOR_ALIGNED __attribute__((visibility(\u0022hidden\u0022))) \u003d {\n+ {FIELD_LITERAL(0x00303cda6feea532,0x00860f1d5a3850e4,0x00226b9fa4728ccd,0x00e822938a0a0c0c,0x00263a61c9ea9216,0x001204029321b828,0x006a468360983c65,0x0002846f0a782143)},\n+ {FIELD_LITERAL(0x00303cda6feea532,0x00860f1d5a3850e4,0x00226b9fa4728ccd,0x006822938a0a0c0c,0x00263a61c9ea9215,0x001204029321b828,0x006a468360983c65,0x0082846f0a782143)},\n+ 
{FIELD_LITERAL(0x00ef8e22b275198d,0x00b0eb141a0b0e8b,0x001f6789da3cb38c,0x006d2ff8ed39073e,0x00610bdb69a167f3,0x00571f306c9689b4,0x00f557e6f84b2df8,0x002affd38b2c86db)},\n+ {FIELD_LITERAL(0x00cea0fc8d2e88b5,0x00821612d69f1862,0x0074c283b3e67522,0x005a195ba05a876d,0x000cddfe557feea4,0x008046c795bcc5e5,0x00540969f4d6e119,0x00d27f96d6b143d5)},\n+ {FIELD_LITERAL(0x000c3b1019d474e8,0x00e19533e4952284,0x00cc9810ba7c920a,0x00f103d2785945ac,0x00bfa5696cc69b34,0x00a8d3d51e9ca839,0x005623cb459586b9,0x00eae7ce1cd52e9e)},\n+ {FIELD_LITERAL(0x0005a178751dd7d8,0x002cc3844c69c42f,0x00acbfe5efe10539,0x009c20f43431a65a,0x008435d96374a7b3,0x009ee57566877bd3,0x0044691725ed4757,0x001e87bb2fe2c6b2)},\n+ {FIELD_LITERAL(0x000cedc4debf7a04,0x002ffa45000470ac,0x002e9f9678201915,0x0017da1208c4fe72,0x007d558cc7d656cb,0x0037a827287cf289,0x00142472d3441819,0x009c21f166cf8dd1)},\n+ {FIELD_LITERAL(0x003ef83af164b2f2,0x000949a5a0525d0d,0x00f4498186cac051,0x00e77ac09ef126d2,0x0073ae0b2c9296e9,0x001c163f6922e3ed,0x0062946159321bea,0x00cfb79b22990b39)},\n+ {FIELD_LITERAL(0x00b001431ca9e654,0x002d7e5eabcc9a3a,0x0052e8114c2f6747,0x0079ac4f94487f92,0x00bffd919b5d749c,0x00261f92ad15e620,0x00718397b7a97895,0x00c1443e6ebbc0c4)},\n+ {FIELD_LITERAL(0x00eacd90c1e0a049,0x008977935b149fbe,0x0004cb9ba11c93dc,0x009fbd5b3470844d,0x004bc18c9bfc22cf,0x0057679a991839f3,0x00ef15b76fb4092e,0x0074a5173a225041)},\n+ {FIELD_LITERAL(0x003f5f9d7ec4777b,0x00ab2e733c919c94,0x001bb6c035245ae5,0x00a325a49a883630,0x0033e9a9ea3cea2f,0x00e442a1eaa0e844,0x00b2116d5b0e71b8,0x00c16abed6d64047)},\n+ {FIELD_LITERAL(0x00c560b5ed051165,0x001945adc5d65094,0x00e221865710f910,0x00cc12bc9e9b8ceb,0x004faa9518914e35,0x0017476d89d42f6d,0x00b8f637c8fa1c8b,0x0088c7d2790864b8)},\n+ {FIELD_LITERAL(0x00ef7eafc1c69be6,0x0085d3855778fbea,0x002c8d5b450cb6f5,0x004e77de5e1e7fec,0x0047c057893abded,0x001b430b85d51e16,0x00965c7b45640c3c,0x00487b2bb1162b97)},\n+ 
{FIELD_LITERAL(0x0099c73a311beec2,0x00a3eff38d8912ad,0x002efa9d1d7e8972,0x00f717ae1e14d126,0x002833f795850c8b,0x0066c12ad71486bd,0x00ae9889da4820eb,0x00d6044309555c08)},\n+ {FIELD_LITERAL(0x004b1c5283d15e41,0x00669d8ea308ff75,0x0004390233f762a1,0x00e1d67b83cb6cec,0x003eebaa964c78b1,0x006b0aff965eb664,0x00b313d4470bdc37,0x008814ffcb3cb9d8)},\n+ {FIELD_LITERAL(0x009724b8ce68db70,0x007678b5ed006f3d,0x00bdf4b89c0abd73,0x00299748e04c7c6d,0x00ddd86492c3c977,0x00c5a7febfa30a99,0x00ed84715b4b02bb,0x00319568adf70486)},\n+ {FIELD_LITERAL(0x0070ff2d864de5bb,0x005a37eeb637ee95,0x0033741c258de160,0x00e6ca5cb1988f46,0x001ceabd92a24661,0x0030957bd500fe40,0x001c3362afe912c5,0x005187889f678bd2)},\n+ {FIELD_LITERAL(0x0086835fc62bbdc7,0x009c3516ca4910a1,0x00956c71f8d00783,0x0095c78fcf63235f,0x00fc7ff6ba05c222,0x00cdd8b3f8d74a52,0x00ac5ae16de8256e,0x00e9d4be8ed48624)},\n+ {FIELD_LITERAL(0x00c0ce11405df2d8,0x004e3f37b293d7b6,0x002410172e1ac6db,0x00b8dbff4bf8143d,0x003a7b409d56eb66,0x003e0f6a0dfef9af,0x0081c4e4d3645be1,0x00ce76076b127623)},\n+ {FIELD_LITERAL(0x00f6ee0f98974239,0x0042d89af07d3a4f,0x00846b7fe84346b5,0x006a21fc6a8d39a1,0x00ac8bc2541ff2d9,0x006d4e2a77732732,0x009a39b694cc3f2f,0x0085c0aa2a404c8f)},\n+ {FIELD_LITERAL(0x00b261101a218548,0x00c1cae96424277b,0x00869da0a77dd268,0x00bc0b09f8ec83ea,0x00d61027f8e82ba9,0x00aa4c85999dce67,0x00eac3132b9f3fe1,0x00fb9b0cf1c695d2)},\n+ {FIELD_LITERAL(0x0043079295512f0d,0x0046a009861758e0,0x003ee2842a807378,0x0034cc9d1298e4fa,0x009744eb4d31b3ee,0x00afacec96650cd0,0x00ac891b313761ae,0x00e864d6d26e708a)},\n+ {FIELD_LITERAL(0x00a84d7c8a23b491,0x0088e19aa868b27f,0x0005986d43e78ce9,0x00f28012f0606d28,0x0017ded7e10249b3,0x005ed4084b23af9b,0x00b9b0a940564472,0x00ad9056cceeb1f4)},\n+ {FIELD_LITERAL(0x00db91b357fe755e,0x00a1aa544b15359c,0x00af4931a0195574,0x007686124fe11aef,0x00d1ead3c7b9ef7e,0x00aaf5fc580f8c15,0x00e727be147ee1ec,0x003c61c1e1577b86)},\n+ 
{FIELD_LITERAL(0x009d3fca983220cf,0x00cd11acbc853dc4,0x0017590409d27f1d,0x00d2176698082802,0x00fa01251b2838c8,0x00dd297a0d9b51c6,0x00d76c92c045820a,0x00534bc7c46c9033)},\n+ {FIELD_LITERAL(0x0080ed9bc9b07338,0x00fceac7745d2652,0x008a9d55f5f2cc69,0x0096ce72df301ac5,0x00f53232e7974d87,0x0071728c7ae73947,0x0090507602570778,0x00cb81cfd883b1b2)},\n+ {FIELD_LITERAL(0x005011aadea373da,0x003a8578ec896034,0x00f20a6535fa6d71,0x005152d31e5a87cf,0x002bac1c8e68ca31,0x00b0e323db4c1381,0x00f1d596b7d5ae25,0x00eae458097cb4e0)},\n+ {FIELD_LITERAL(0x00920ac80f9b0d21,0x00f80f7f73401246,0x0086d37849b557d6,0x0002bd4b317b752e,0x00b26463993a42bb,0x002070422a73b129,0x00341acaa0380cb3,0x00541914dd66a1b2)},\n+ {FIELD_LITERAL(0x00c1513cd66abe8c,0x000139e01118944d,0x0064abbcb8080bbb,0x00b3b08202473142,0x00c629ef25da2403,0x00f0aec3310d9b7f,0x0050b2227472d8cd,0x00f6c8a922d41fb4)},\n+ {FIELD_LITERAL(0x001075ccf26b7b1f,0x00bb6bb213170433,0x00e9491ad262da79,0x009ef4f48d2d384c,0x008992770766f09d,0x001584396b6b1101,0x00af3f8676c9feef,0x0024603c40269118)},\n+ {FIELD_LITERAL(0x009dd7b31319527c,0x001e7ac948d873a9,0x00fa54b46ef9673a,0x0066efb8d5b02fe6,0x00754b1d3928aeae,0x0004262ac72a6f6b,0x0079b7d49a6eb026,0x003126a753540102)},\n+ {FIELD_LITERAL(0x009666e24f693947,0x00f714311269d45f,0x0010ffac1d0c851c,0x0066e80c37363497,0x00f1f4ad010c60b0,0x0015c87408470ff7,0x00651d5e9c7766a4,0x008138819d7116de)},\n+ {FIELD_LITERAL(0x003934b11c57253b,0x00ef308edf21f46e,0x00e54e99c7a16198,0x0080d57135764e63,0x00751c27b946bc24,0x00dd389ce4e9e129,0x00a1a2bfd1cd84dc,0x002fae73e5149b32)},\n+ {FIELD_LITERAL(0x00911657dffb4cdd,0x00c100b7cc553d06,0x00449d075ec467cc,0x007062100bc64e70,0x0043cf86f7bd21e7,0x00f401dc4b797dea,0x005224afb2f62e65,0x00d1ede3fb5a42be)},\n+ {FIELD_LITERAL(0x00f2ba36a41aa144,0x00a0c22d946ee18f,0x008aae8ef9a14f99,0x00eef4d79b19bb36,0x008e75ce3d27b1fc,0x00a65daa03b29a27,0x00d9cc83684eb145,0x009e1ed80cc2ed74)},\n+ 
{FIELD_LITERAL(0x00bed953d1997988,0x00b93ed175a24128,0x00871c5963fb6365,0x00ca2df20014a787,0x00f5d9c1d0b34322,0x00f6f5942818db0a,0x004cc091f49c9906,0x00e8a188a60bff9f)},\n+ {FIELD_LITERAL(0x0032c7762032fae8,0x00e4087232e0bc21,0x00f767344b6e8d85,0x00bbf369b76c2aa2,0x008a1f46c6e1570c,0x001368cd9780369f,0x007359a39d079430,0x0003646512921434)},\n+ {FIELD_LITERAL(0x007c4b47ca7c73e7,0x005396221039734b,0x008b64ddf0e45d7e,0x00bfad5af285e6c2,0x008ec711c5b1a1a8,0x00cf663301237f98,0x00917ee3f1655126,0x004152f337efedd8)},\n+ {FIELD_LITERAL(0x0007c7edc9305daa,0x000a6664f273701c,0x00f6e78795e200b1,0x005d05b9ecd2473e,0x0014f5f17c865786,0x00c7fd2d166fa995,0x004939a2d8eb80e0,0x002244ba0942c199)},\n+ {FIELD_LITERAL(0x00321e767f0262cf,0x002e57d776caf68e,0x00bf2c94814f0437,0x00c339196acd622f,0x001db4cce71e2770,0x001ded5ddba6eee2,0x0078608ab1554c8d,0x00067fe0ab76365b)},\n+ {FIELD_LITERAL(0x00f09758e11e3985,0x00169efdbd64fad3,0x00e8889b7d6dacd6,0x0035cdd58ea88209,0x00bcda47586d7f49,0x003cdddcb2879088,0x0016da70187e954b,0x009556ea2e92aacd)},\n+ {FIELD_LITERAL(0x008cab16bd1ff897,0x00b389972cdf753f,0x00ea8ed1e46dfdc0,0x004fe7ef94c589f4,0x002b8ae9b805ecf3,0x0025c08d892874a5,0x0023938e98d44c4c,0x00f759134cabf69c)},\n+ {FIELD_LITERAL(0x006c2a84678e4b3b,0x007a194aacd1868f,0x00ed0225af424761,0x00da0a6f293c64b8,0x001062ac5c6a7a18,0x0030f5775a8aeef4,0x0002acaad76b7af0,0x00410b8fd63a579f)},\n+ {FIELD_LITERAL(0x001ec59db3d9590e,0x001e9e3f1c3f182d,0x0045a9c3ec2cab14,0x0008198572aeb673,0x00773b74068bd167,0x0012535eaa395434,0x0044dba9e3bbb74a,0x002fba4d3c74bd0e)},\n+ {FIELD_LITERAL(0x0042bf08fe66922c,0x003318b8fbb49e8c,0x00d75946004aa14c,0x00f601586b42bf1c,0x00c74cf1d912fe66,0x00abcb36974b30ad,0x007eb78720c9d2b8,0x009f54ab7bd4df85)},\n+ {FIELD_LITERAL(0x00db9fc948f73826,0x00fa8b3746ed8ee9,0x00132cb65aafbeb2,0x00c36ff3fe7925b8,0x00837daed353d2fe,0x00ec661be0667cf4,0x005beb8ed2e90204,0x00d77dd69e564967)},\n+ 
{FIELD_LITERAL(0x0042e6268b861751,0x0008dd0469500c16,0x00b51b57c338a3fd,0x00cc4497d85cff6b,0x002f13d6b57c34a4,0x0083652eaf301105,0x00cc344294cc93a8,0x0060f4d02810e270)},\n+ {FIELD_LITERAL(0x00a8954363cd518b,0x00ad171124bccb7b,0x0065f46a4adaae00,0x001b1a5b2a96e500,0x0043fe24f8233285,0x0066996d8ae1f2c3,0x00c530f3264169f9,0x00c0f92d07cf6a57)},\n+ {FIELD_LITERAL(0x0036a55c6815d943,0x008c8d1def993db3,0x002e0e1e8ff7318f,0x00d883a4b92db00a,0x002f5e781ae33906,0x001a72adb235c06d,0x00f2e59e736e9caa,0x001a4b58e3031914)},\n+ {FIELD_LITERAL(0x00d73bfae5e00844,0x00bf459766fb5f52,0x0061b4f5a5313cde,0x004392d4c3b95514,0x000d3551b1077523,0x0000998840ee5d71,0x006de6e340448b7b,0x00251aa504875d6e)},\n+ {FIELD_LITERAL(0x003bf343427ac342,0x00adc0a78642b8c5,0x0003b893175a8314,0x0061a34ade5703bc,0x00ea3ea8bb71d632,0x00be0df9a1f198c2,0x0046dd8e7c1635fb,0x00f1523fdd25d5e5)},\n+ {FIELD_LITERAL(0x00633f63fc9dd406,0x00e713ff80e04a43,0x0060c6e970f2d621,0x00a57cd7f0df1891,0x00f2406a550650bb,0x00b064290efdc684,0x001eab0144d17916,0x00cd15f863c293ab)},\n+ {FIELD_LITERAL(0x0029cec55273f70d,0x007044ee275c6340,0x0040f637a93015e2,0x00338bb78db5aae9,0x001491b2a6132147,0x00a125d6cfe6bde3,0x005f7ac561ba8669,0x001d5eaea3fbaacf)},\n+ {FIELD_LITERAL(0x00054e9635e3be31,0x000e43f31e2872be,0x00d05b1c9e339841,0x006fac50bd81fd98,0x00cdc7852eaebb09,0x004ff519b061991b,0x009099e8107d4c85,0x00273e24c36a4a61)},\n+ {FIELD_LITERAL(0x00070b4441ef2c46,0x00efa5b02801a109,0x00bf0b8c3ee64adf,0x008a67e0b3452e98,0x001916b1f2fa7a74,0x00d781a78ff6cdc3,0x008682ce57e5c919,0x00cc1109dd210da3)},\n+ {FIELD_LITERAL(0x00cae8aaff388663,0x005e983a35dda1c7,0x007ab1030d8e37f4,0x00e48940f5d032fe,0x006a36f9ef30b331,0x009be6f03958c757,0x0086231ceba91400,0x008bd0f7b823e7aa)},\n+ {FIELD_LITERAL(0x00cf881ebef5a45a,0x004ebea78e7c6f2c,0x0090da9209cf26a0,0x00de2b2e4c775b84,0x0071d6031c3c15ae,0x00d9e927ef177d70,0x00894ee8c23896fd,0x00e3b3b401e41aad)},\n+ 
{FIELD_LITERAL(0x00204fef26864170,0x00819269c5dee0f8,0x00bfb4713ec97966,0x0026339a6f34df78,0x001f26e64c761dc2,0x00effe3af313cb60,0x00e17b70138f601b,0x00f16e1ccd9ede5e)},\n+ {FIELD_LITERAL(0x005d9a8353fdb2db,0x0055cc2048c698f0,0x00f6c4ac89657218,0x00525034d73faeb2,0x00435776fbda3c7d,0x0070ea5312323cbc,0x007a105d44d069fb,0x006dbc8d6dc786aa)},\n+ {FIELD_LITERAL(0x0017cff19cd394ec,0x00fef7b810922587,0x00e6483970dff548,0x00ddf36ad6874264,0x00e61778523fcce2,0x0093a66c0c93b24a,0x00fd367114db7f86,0x007652d7ddce26dd)},\n+ {FIELD_LITERAL(0x00d92ced7ba12843,0x00aea9c7771e86e7,0x0046639693354f7b,0x00a628dbb6a80c47,0x003a0b0507372953,0x00421113ab45c0d9,0x00e545f08362ab7a,0x0028ce087b4d6d96)},\n+ {FIELD_LITERAL(0x00a67ee7cf9f99eb,0x005713b275f2ff68,0x00f1d536a841513d,0x00823b59b024712e,0x009c46b9d0d38cec,0x00cdb1595aa2d7d4,0x008375b3423d9af8,0x000ab0b516d978f7)},\n+ {FIELD_LITERAL(0x00428dcb3c510b0f,0x00585607ea24bb4e,0x003736bf1603687a,0x00c47e568c4fe3c7,0x003cd00282848605,0x0043a487c3b91939,0x004ffc04e1095a06,0x00a4c989a3d4b918)},\n+ {FIELD_LITERAL(0x00a8778d0e429f7a,0x004c02b059105a68,0x0016653b609da3ff,0x00d5107bd1a12d27,0x00b4708f9a771cab,0x00bb63b662033f69,0x0072f322240e7215,0x0019445b59c69222)},\n+ {FIELD_LITERAL(0x00cf4f6069a658e6,0x0053ca52859436a6,0x0064b994d7e3e117,0x00cb469b9a07f534,0x00cfb68f399e9d47,0x00f0dcb8dac1c6e7,0x00f2ab67f538b3a5,0x0055544f178ab975)},\n+ {FIELD_LITERAL(0x0099b7a2685d538c,0x00e2f1897b7c0018,0x003adac8ce48dae3,0x00089276d5c50c0c,0x00172fca07ad6717,0x00cb1a72f54069e5,0x004ee42f133545b3,0x00785f8651362f16)},\n+ {FIELD_LITERAL(0x0049cbac38509e11,0x0015234505d42cdf,0x00794fb0b5840f1c,0x00496437344045a5,0x0031b6d944e4f9b0,0x00b207318ac1f5d8,0x0000c840da7f5c5d,0x00526f373a5c8814)},\n+ {FIELD_LITERAL(0x002c7b7742d1dfd9,0x002cabeb18623c01,0x00055f5e3e044446,0x006c20f3b4ef54ba,0x00c600141ec6b35f,0x00354f437f1a32a3,0x00bac4624a3520f9,0x00c483f734a90691)},\n+ 
{FIELD_LITERAL(0x0053a737d422918d,0x00f7fca1d8758625,0x00c360336dadb04c,0x00f38e3d9158a1b8,0x0069ce3b418e84c6,0x005d1697eca16ead,0x00f8bd6a35ece13d,0x007885dfc2b5afea)},\n+ {FIELD_LITERAL(0x00c3617ae260776c,0x00b20dc3e96922d7,0x00a1a7802246706a,0x00ca6505a5240244,0x002246b62d919782,0x001439102d7aa9b3,0x00e8af1139e6422c,0x00c888d1b52f2b05)},\n+ {FIELD_LITERAL(0x005b67690ffd41d9,0x005294f28df516f9,0x00a879272412fcb9,0x00098b629a6d1c8d,0x00fabd3c8050865a,0x00cd7e5b0a3879c5,0x00153238210f3423,0x00357cac101e9f42)},\n+ {FIELD_LITERAL(0x008917b454444fb7,0x00f59247c97e441b,0x00a6200a6815152d,0x0009a4228601d254,0x001c0360559bd374,0x007563362039cb36,0x00bd75b48d74e32b,0x0017f515ac3499e8)},\n+ {FIELD_LITERAL(0x001532a7ffe41c5a,0x00eb1edce358d6bf,0x00ddbacc7b678a7b,0x008a7b70f3c841a3,0x00f1923bf27d3f4c,0x000b2713ed8f7873,0x00aaf67e29047902,0x0044994a70b3976d)},\n+ {FIELD_LITERAL(0x00d54e802082d42c,0x00a55aa0dce7cc6c,0x006477b96073f146,0x0082efe4ceb43594,0x00a922bcba026845,0x0077f19d1ab75182,0x00c2bb2737846e59,0x0004d7eec791dd33)},\n+ {FIELD_LITERAL(0x0044588d1a81d680,0x00b0a9097208e4f8,0x00212605350dc57e,0x0028717cd2871123,0x00fb083c100fd979,0x0045a056ce063fdf,0x00a5d604b4dd6a41,0x001dabc08ba4e236)},\n+ {FIELD_LITERAL(0x00c4887198d7a7fa,0x00244f98fb45784a,0x0045911e15a15d01,0x001d323d374c0966,0x00967c3915196562,0x0039373abd2f3c67,0x000d2c5614312423,0x0041cf2215442ce3)},\n+ {FIELD_LITERAL(0x008ede889ada7f06,0x001611e91de2e135,0x00fdb9a458a471b9,0x00563484e03710d1,0x0031cc81925e3070,0x0062c97b3af80005,0x00fa733eea28edeb,0x00e82457e1ebbc88)},\n+ {FIELD_LITERAL(0x006a0df5fe9b6f59,0x00a0d4ff46040d92,0x004a7cedb6f93250,0x00d1df8855b8c357,0x00e73a46086fd058,0x0048fb0add6dfe59,0x001e03a28f1b4e3d,0x00a871c993308d76)},\n+ {FIELD_LITERAL(0x0030dbb2d1766ec8,0x00586c0ad138555e,0x00d1a34f9e91c77c,0x0063408ad0e89014,0x00d61231b05f6f5b,0x0009abf569f5fd8a,0x00aec67a110f1c43,0x0031d1a790938dd7)},\n+ 
{FIELD_LITERAL(0x006cded841e2a862,0x00198d60af0ab6fb,0x0018f09db809e750,0x004e6ac676016263,0x00eafcd1620969cb,0x002c9784ca34917d,0x0054f00079796de7,0x00d9fab5c5972204)},\n+ {FIELD_LITERAL(0x004bd0fee2438a83,0x00b571e62b0f83bd,0x0059287d7ce74800,0x00fb3631b645c3f0,0x00a018e977f78494,0x0091e27065c27b12,0x007696c1817165e0,0x008c40be7c45ba3a)},\n+ {FIELD_LITERAL(0x00a0f326327cb684,0x001c7d0f672680ff,0x008c1c81ffb112d1,0x00f8f801674eddc8,0x00e926d5d48c2a9d,0x005bd6d954c6fe9a,0x004c6b24b4e33703,0x00d05eb5c09105cc)},\n+ {FIELD_LITERAL(0x00d61731caacf2cf,0x002df0c7609e01c5,0x00306172208b1e2b,0x00b413fe4fb2b686,0x00826d360902a221,0x003f8d056e67e7f7,0x0065025b0175e989,0x00369add117865eb)},\n+ {FIELD_LITERAL(0x00aaf895aec2fa11,0x000f892bc313eb52,0x005b1c794dad050b,0x003f8ec4864cec14,0x00af81058d0b90e5,0x00ebe43e183997bb,0x00a9d610f9f3e615,0x007acd8eec2e88d3)},\n+ {FIELD_LITERAL(0x0049b2fab13812a3,0x00846db32cd60431,0x000177fa578c8d6c,0x00047d0e2ad4bc51,0x00b158ba38d1e588,0x006a45daad79e3f3,0x000997b93cab887b,0x00c47ea42fa23dc3)},\n+ {FIELD_LITERAL(0x0012b6fef7aeb1ca,0x009412768194b6a7,0x00ff0d351f23ab93,0x007e8a14c1aff71b,0x006c1c0170c512bc,0x0016243ea02ab2e5,0x007bb6865b303f3e,0x0015ce6b29b159f4)},\n+ {FIELD_LITERAL(0x009961cd02e68108,0x00e2035d3a1d0836,0x005d51f69b5e1a1d,0x004bccb4ea36edcd,0x0069be6a7aeef268,0x0063f4dd9de8d5a7,0x006283783092ca35,0x0075a31af2c35409)},\n+ {FIELD_LITERAL(0x00c412365162e8cf,0x00012283fb34388a,0x003e6543babf39e2,0x00eead6b3a804978,0x0099c0314e8b326f,0x00e98e0a8d477a4f,0x00d2eb96b127a687,0x00ed8d7df87571bb)},\n+ {FIELD_LITERAL(0x00777463e308cacf,0x00c8acb93950132d,0x00ebddbf4ca48b2c,0x0026ad7ca0795a0a,0x00f99a3d9a715064,0x000d60bcf9d4dfcc,0x005e65a73a437a06,0x0019d536a8db56c8)},\n+ {FIELD_LITERAL(0x00192d7dd558d135,0x0027cd6a8323ffa7,0x00239f1a412dc1e7,0x0046b4b3be74fc5c,0x0020c47a2bef5bce,0x00aa17e48f43862b,0x00f7e26c96342e5f,0x0008011c530f39a9)},\n+ 
{FIELD_LITERAL(0x00aad4ac569bf0f1,0x00a67adc90b27740,0x0048551369a5751a,0x0031252584a3306a,0x0084e15df770e6fc,0x00d7bba1c74b5805,0x00a80ef223af1012,0x0089c85ceb843a34)},\n+ {FIELD_LITERAL(0x00c4545be4a54004,0x0099e11f60357e6c,0x001f3936d19515a6,0x007793df84341a6e,0x0051061886717ffa,0x00e9b0a660b28f85,0x0044ea685892de0d,0x000257d2a1fda9d9)},\n+ {FIELD_LITERAL(0x007e8b01b24ac8a8,0x006cf3b0b5ca1337,0x00f1607d3e36a570,0x0039b7fab82991a1,0x00231777065840c5,0x00998e5afdd346f9,0x00b7dc3e64acc85f,0x00baacc748013ad6)},\n+ {FIELD_LITERAL(0x008ea6a4177580bf,0x005fa1953e3f0378,0x005fe409ac74d614,0x00452327f477e047,0x00a4018507fb6073,0x007b6e71951caac8,0x0012b42ab8a6ce91,0x0080eca677294ab7)},\n+ {FIELD_LITERAL(0x00a53edc023ba69b,0x00c6afa83ddde2e8,0x00c3f638b307b14e,0x004a357a64414062,0x00e4d94d8b582dc9,0x001739caf71695b7,0x0012431b2ae28de1,0x003b6bc98682907c)},\n+ {FIELD_LITERAL(0x008a9a93be1f99d6,0x0079fa627cc699c8,0x00b0cfb134ba84c8,0x001c4b778249419a,0x00df4ab3d9c44f40,0x009f596e6c1a9e3c,0x001979c0df237316,0x00501e953a919b87)}\n+};\ndiff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c\nnew file mode 100644\nindex 0000000..f6c1836\n--- /dev/null\n+++ b/crypto/ec/curve448/eddsa.c\n@@ -0,0 +1,328 @@\n+/**\n+ * @file ed448goldilocks/eddsa.c\n+ * @author Mike Hamburg\n+ *\n+ * @copyright\n+ * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. 
See LICENSE.txt for license information.\n+ *\n+ * @cond internal\n+ * @brief EdDSA routines.\n+ *\n+ * @warning This file was automatically generated in Python.\n+ * Please do not edit it.\n+ */\n+#include \u0022word.h\u0022\n+#include \u003cdecaf/ed448.h\u003e\n+#include \u003cdecaf/shake.h\u003e\n+#include \u003cdecaf/sha512.h\u003e\n+#include \u003cstring.h\u003e\n+\n+#define API_NAME \u0022decaf_448\u0022\n+#define API_NS(_id) decaf_448_##_id\n+\n+#define hash_ctx_t decaf_shake256_ctx_t\n+#define hash_init decaf_shake256_init\n+#define hash_update decaf_shake256_update\n+#define hash_final decaf_shake256_final\n+#define hash_destroy decaf_shake256_destroy\n+#define hash_hash decaf_shake256_hash\n+\n+#define NO_CONTEXT DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS\n+#define EDDSA_USE_SIGMA_ISOGENY 0\n+#define COFACTOR 4\n+#define EDDSA_PREHASH_BYTES 64\n+\n+#if NO_CONTEXT\n+const uint8_t NO_CONTEXT_POINTS_HERE \u003d 0;\n+const uint8_t * const DECAF_ED448_NO_CONTEXT \u003d \u0026NO_CONTEXT_POINTS_HERE;\n+#endif\n+\n+/* EDDSA_BASE_POINT_RATIO \u003d 1 or 2\n+ * Because EdDSA25519 is not on E_d but on the isogenous E_sigma_d,\n+ * its base point is twice ours.\n+ */\n+#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY) /* TODO: remove */\n+\n+static void clamp (\n+ uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]\n+) {\n+ /* Blarg */\n+ secret_scalar_ser[0] \u0026\u003d -COFACTOR;\n+ uint8_t hibit \u003d (1\u003c\u003c0)\u003e\u003e1;\n+ if (hibit \u003d\u003d 0) {\n+ secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] \u003d 0;\n+ secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |\u003d 0x80;\n+ } else {\n+ secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] \u0026\u003d hibit-1;\n+ secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |\u003d hibit;\n+ }\n+}\n+\n+static void hash_init_with_dom(\n+ hash_ctx_t hash,\n+ uint8_t prehashed,\n+ uint8_t for_prehash,\n+ const uint8_t *context,\n+ uint8_t context_len\n+) {\n+ hash_init(hash);\n+\n+#if 
NO_CONTEXT\n+ if (context_len \u003d\u003d 0 \u0026\u0026 context \u003d\u003d DECAF_ED448_NO_CONTEXT) {\n+ (void)prehashed;\n+ (void)for_prehash;\n+ (void)context;\n+ (void)context_len;\n+ return;\n+ }\n+#endif\n+ const char *dom_s \u003d \u0022SigEd448\u0022;\n+ const uint8_t dom[2] \u003d {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};\n+ hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));\n+ hash_update(hash,dom,2);\n+ hash_update(hash,context,context_len);\n+}\n+\n+void decaf_ed448_prehash_init (\n+ hash_ctx_t hash\n+) {\n+ hash_init(hash);\n+}\n+\n+/* In this file because it uses the hash */\n+void decaf_ed448_convert_private_key_to_x448 (\n+ uint8_t x[DECAF_X448_PRIVATE_BYTES],\n+ const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]\n+) {\n+ /* pass the private key through hash_hash function */\n+ /* and keep the first DECAF_X448_PRIVATE_BYTES bytes */\n+ hash_hash(\n+ x,\n+ DECAF_X448_PRIVATE_BYTES,\n+ ed,\n+ DECAF_EDDSA_448_PRIVATE_BYTES\n+ );\n+}\n+ \n+void decaf_ed448_derive_public_key (\n+ uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]\n+) {\n+ /* only this much used for keygen */\n+ uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];\n+ \n+ hash_hash(\n+ secret_scalar_ser,\n+ sizeof(secret_scalar_ser),\n+ privkey,\n+ DECAF_EDDSA_448_PRIVATE_BYTES\n+ );\n+ clamp(secret_scalar_ser);\n+ \n+ API_NS(scalar_t) secret_scalar;\n+ API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));\n+ \n+ /* Since we are going to mul_by_cofactor during encoding, divide by it here.\n+ * However, the EdDSA base point is not the same as the decaf base point if\n+ * the sigma isogeny is in use: the EdDSA base point is on Etwist_d/(1-d) and\n+ * the decaf base point is on Etwist_d, and when converted it effectively\n+ * picks up a factor of 2 from the isogenies. So we might start at 2 instead of 1. 
\n+ */\n+ for (unsigned int c\u003d1; c\u003cDECAF_448_EDDSA_ENCODE_RATIO; c \u003c\u003c\u003d 1) {\n+ API_NS(scalar_halve)(secret_scalar,secret_scalar);\n+ }\n+ \n+ API_NS(point_t) p;\n+ API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);\n+ \n+ API_NS(point_mul_by_ratio_and_encode_like_eddsa)(pubkey, p);\n+ \n+ /* Cleanup */\n+ API_NS(scalar_destroy)(secret_scalar);\n+ API_NS(point_destroy)(p);\n+ decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser));\n+}\n+\n+void decaf_ed448_sign (\n+ uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n+ const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],\n+ const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const uint8_t *message,\n+ size_t message_len,\n+ uint8_t prehashed,\n+ const uint8_t *context,\n+ uint8_t context_len\n+) {\n+ API_NS(scalar_t) secret_scalar;\n+ hash_ctx_t hash;\n+ {\n+ /* Schedule the secret key */\n+ struct {\n+ uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];\n+ uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES];\n+ } __attribute__((packed)) expanded;\n+ hash_hash(\n+ (uint8_t *)\u0026expanded,\n+ sizeof(expanded),\n+ privkey,\n+ DECAF_EDDSA_448_PRIVATE_BYTES\n+ );\n+ clamp(expanded.secret_scalar_ser); \n+ API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));\n+ \n+ /* Hash to create the nonce */\n+ hash_init_with_dom(hash,prehashed,0,context,context_len);\n+ hash_update(hash,expanded.seed,sizeof(expanded.seed));\n+ hash_update(hash,message,message_len);\n+ decaf_bzero(\u0026expanded, sizeof(expanded));\n+ }\n+ \n+ /* Decode the nonce */\n+ API_NS(scalar_t) nonce_scalar;\n+ {\n+ uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES];\n+ hash_final(hash,nonce,sizeof(nonce));\n+ API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));\n+ decaf_bzero(nonce, sizeof(nonce));\n+ }\n+ \n+ uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] \u003d {0};\n+ {\n+ /* Scalarmul to create the nonce-point */\n+ API_NS(scalar_t) 
nonce_scalar_2;\n+ API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);\n+ for (unsigned int c \u003d 2; c \u003c DECAF_448_EDDSA_ENCODE_RATIO; c \u003c\u003c\u003d 1) {\n+ API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);\n+ }\n+ \n+ API_NS(point_t) p;\n+ API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);\n+ API_NS(point_mul_by_ratio_and_encode_like_eddsa)(nonce_point, p);\n+ API_NS(point_destroy)(p);\n+ API_NS(scalar_destroy)(nonce_scalar_2);\n+ }\n+ \n+ API_NS(scalar_t) challenge_scalar;\n+ {\n+ /* Compute the challenge */\n+ hash_init_with_dom(hash,prehashed,0,context,context_len);\n+ hash_update(hash,nonce_point,sizeof(nonce_point));\n+ hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);\n+ hash_update(hash,message,message_len);\n+ uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];\n+ hash_final(hash,challenge,sizeof(challenge));\n+ hash_destroy(hash);\n+ API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));\n+ decaf_bzero(challenge,sizeof(challenge));\n+ }\n+ \n+ API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);\n+ API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);\n+ \n+ decaf_bzero(signature,DECAF_EDDSA_448_SIGNATURE_BYTES);\n+ memcpy(signature,nonce_point,sizeof(nonce_point));\n+ API_NS(scalar_encode)(\u0026signature[DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);\n+ \n+ API_NS(scalar_destroy)(secret_scalar);\n+ API_NS(scalar_destroy)(nonce_scalar);\n+ API_NS(scalar_destroy)(challenge_scalar);\n+}\n+\n+\n+void decaf_ed448_sign_prehash (\n+ uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n+ const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],\n+ const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const decaf_ed448_prehash_ctx_t hash,\n+ const uint8_t *context,\n+ uint8_t context_len\n+) {\n+ uint8_t hash_output[EDDSA_PREHASH_BYTES];\n+ {\n+ decaf_ed448_prehash_ctx_t hash_too;\n+ memcpy(hash_too,hash,sizeof(hash_too));\n+ 
hash_final(hash_too,hash_output,sizeof(hash_output));\n+ hash_destroy(hash_too);\n+ }\n+\n+ decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);\n+ decaf_bzero(hash_output,sizeof(hash_output));\n+}\n+\n+decaf_error_t decaf_ed448_verify (\n+ const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n+ const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const uint8_t *message,\n+ size_t message_len,\n+ uint8_t prehashed,\n+ const uint8_t *context,\n+ uint8_t context_len\n+) { \n+ API_NS(point_t) pk_point, r_point;\n+ decaf_error_t error \u003d API_NS(point_decode_like_eddsa_and_mul_by_ratio)(pk_point,pubkey);\n+ if (DECAF_SUCCESS !\u003d error) { return error; }\n+ \n+ error \u003d API_NS(point_decode_like_eddsa_and_mul_by_ratio)(r_point,signature);\n+ if (DECAF_SUCCESS !\u003d error) { return error; }\n+ \n+ API_NS(scalar_t) challenge_scalar;\n+ {\n+ /* Compute the challenge */\n+ hash_ctx_t hash;\n+ hash_init_with_dom(hash,prehashed,0,context,context_len);\n+ hash_update(hash,signature,DECAF_EDDSA_448_PUBLIC_BYTES);\n+ hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);\n+ hash_update(hash,message,message_len);\n+ uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];\n+ hash_final(hash,challenge,sizeof(challenge));\n+ hash_destroy(hash);\n+ API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));\n+ decaf_bzero(challenge,sizeof(challenge));\n+ }\n+ API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);\n+ \n+ API_NS(scalar_t) response_scalar;\n+ API_NS(scalar_decode_long)(\n+ response_scalar,\n+ \u0026signature[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ DECAF_EDDSA_448_PRIVATE_BYTES\n+ );\n+ \n+ for (unsigned c\u003d1; c\u003cDECAF_448_EDDSA_DECODE_RATIO; c\u003c\u003c\u003d1) {\n+ API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);\n+ }\n+ \n+ \n+ /* pk_point \u003d -c(x(P)) + (cx + k)G \u003d kG */\n+ API_NS(base_double_scalarmul_non_secret)(\n+ pk_point,\n+ 
response_scalar,\n+ pk_point,\n+ challenge_scalar\n+ );\n+ return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));\n+}\n+\n+\n+decaf_error_t decaf_ed448_verify_prehash (\n+ const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],\n+ const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],\n+ const decaf_ed448_prehash_ctx_t hash,\n+ const uint8_t *context,\n+ uint8_t context_len\n+) {\n+ decaf_error_t ret;\n+ \n+ uint8_t hash_output[EDDSA_PREHASH_BYTES];\n+ {\n+ decaf_ed448_prehash_ctx_t hash_too;\n+ memcpy(hash_too,hash,sizeof(hash_too));\n+ hash_final(hash_too,hash_output,sizeof(hash_output));\n+ hash_destroy(hash_too);\n+ }\n+ \n+ ret \u003d decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);\n+ \n+ return ret;\n+}\ndiff --git a/crypto/ec/curve448/f_arithmetic.c b/crypto/ec/curve448/f_arithmetic.c\nnew file mode 100644\nindex 0000000..cf68519\n--- /dev/null\n+++ b/crypto/ec/curve448/f_arithmetic.c\n@@ -0,0 +1,46 @@\n+/**\n+ * @cond internal\n+ * @file f_arithmetic.c\n+ * @copyright\n+ * Copyright (c) 2014 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. 
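Review bot: In crypto/ec/curve448/eddsa.c, `decaf_ed448_verify` reads the S half of the signature with `API_NS(scalar_decode_long)(response_scalar, &signature[DECAF_EDDSA_448_PUBLIC_BYTES], DECAF_EDDSA_448_PRIVATE_BYTES)` and never checks that the encoded value is below the group order. A non-canonical S therefore appears to be reduced and accepted, which leaves signatures malleable; RFC 8032 requires the verifier to reject S outside [0, L). A strict decode would close this, e.g. `if (signature[DECAF_EDDSA_448_SIGNATURE_BYTES - 1] != 0 || API_NS(scalar_decode)(response_scalar, &signature[DECAF_EDDSA_448_PUBLIC_BYTES]) != DECAF_SUCCESS) return DECAF_FAILURE;`. This assumes `scalar_decode` rejects unreduced input, which is not visible in this hunk and should be confirmed. The file header says the file was generated, so the same fix may be needed in the template, and a negative test with S replaced by S + L would pin the behaviour.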
See LICENSE.txt for license information.\n+ * @author Mike Hamburg\n+ * @brief Field-specific arithmetic.\n+ */\n+\n+#include \u0022field.h\u0022\n+\n+mask_t gf_isr (\n+ gf a,\n+ const gf x\n+) {\n+ gf L0, L1, L2;\n+ gf_sqr (L1, x );\n+ gf_mul (L2, x, L1 );\n+ gf_sqr (L1, L2 );\n+ gf_mul (L2, x, L1 );\n+ gf_sqrn (L1, L2, 3 );\n+ gf_mul (L0, L2, L1 );\n+ gf_sqrn (L1, L0, 3 );\n+ gf_mul (L0, L2, L1 );\n+ gf_sqrn (L2, L0, 9 );\n+ gf_mul (L1, L0, L2 );\n+ gf_sqr (L0, L1 );\n+ gf_mul (L2, x, L0 );\n+ gf_sqrn (L0, L2, 18 );\n+ gf_mul (L2, L1, L0 );\n+ gf_sqrn (L0, L2, 37 );\n+ gf_mul (L1, L2, L0 );\n+ gf_sqrn (L0, L1, 37 );\n+ gf_mul (L1, L2, L0 );\n+ gf_sqrn (L0, L1, 111 );\n+ gf_mul (L2, L1, L0 );\n+ gf_sqr (L0, L2 );\n+ gf_mul (L1, x, L0 );\n+ gf_sqrn (L0, L1, 223 );\n+ gf_mul (L1, L2, L0 );\n+ gf_sqr (L2, L1);\n+ gf_mul (L0, L2, x);\n+ gf_copy(a,L1);\n+ return gf_eq(L0,ONE);\n+}\ndiff --git a/crypto/ec/curve448/f_field.h b/crypto/ec/curve448/f_field.h\nnew file mode 100644\nindex 0000000..4eef718\n--- /dev/null\n+++ b/crypto/ec/curve448/f_field.h\n@@ -0,0 +1,110 @@\n+/**\n+ * @file p448/f_field.h\n+ * @author Mike Hamburg\n+ *\n+ * @copyright\n+ * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. 
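Review bot: `gf_isr` in crypto/ec/curve448/f_arithmetic.c is added without any comment, and its contract is easy to misuse. It copies a candidate into `a` unconditionally (`gf_copy(a,L1)`) and reports validity only through the mask returned by `gf_eq(L0,ONE)`, where `L0` holds a^2 * x. I would add a header comment along the lines of `/* Inverse square root: on return a^2 * x == 1 iff the returned mask is set; a is written either way, so callers must check the mask. */`. A one-line note that the `gf_sqrn` counts (3, 9, 18, 37, 111, 223) form the addition chain for the fixed exponent would also help the next reader check it against the field prime.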
See LICENSE.txt for license information.\n+ *\n+ * @brief Field-specific code for 2^448 - 2^224 - 1.\n+ *\n+ * @warning This file was automatically generated in Python.\n+ * Please do not edit it.\n+ */\n+\n+#ifndef __P448_F_FIELD_H__\n+#define __P448_F_FIELD_H__ 1\n+\n+#include \u0022constant_time.h\u0022\n+#include \u003cstring.h\u003e\n+#include \u003cassert.h\u003e\n+\n+#include \u0022word.h\u0022\n+\n+#define __DECAF_448_GF_DEFINED__ 1\n+#define NLIMBS (64/sizeof(word_t))\n+#define X_SER_BYTES 56\n+#define SER_BYTES 56\n+typedef struct gf_448_s {\n+ word_t limb[NLIMBS];\n+} __attribute__((aligned(32))) gf_448_s, gf_448_t[1];\n+\n+#define GF_LIT_LIMB_BITS 56\n+#define GF_BITS 448\n+#define ZERO gf_448_ZERO\n+#define ONE gf_448_ONE\n+#define MODULUS gf_448_MODULUS\n+#define gf gf_448_t\n+#define gf_s gf_448_s\n+#define gf_eq gf_448_eq\n+#define gf_hibit gf_448_hibit\n+#define gf_lobit gf_448_lobit\n+#define gf_copy gf_448_copy\n+#define gf_add gf_448_add\n+#define gf_sub gf_448_sub\n+#define gf_add_RAW gf_448_add_RAW\n+#define gf_sub_RAW gf_448_sub_RAW\n+#define gf_bias gf_448_bias\n+#define gf_weak_reduce gf_448_weak_reduce\n+#define gf_strong_reduce gf_448_strong_reduce\n+#define gf_mul gf_448_mul\n+#define gf_sqr gf_448_sqr\n+#define gf_mulw_unsigned gf_448_mulw_unsigned\n+#define gf_isr gf_448_isr\n+#define gf_serialize gf_448_serialize\n+#define gf_deserialize gf_448_deserialize\n+\n+/* RFC 7748 support */\n+#define X_PUBLIC_BYTES X_SER_BYTES\n+#define X_PRIVATE_BYTES X_PUBLIC_BYTES\n+#define X_PRIVATE_BITS 448\n+\n+#define SQRT_MINUS_ONE P448_SQRT_MINUS_ONE /* might not be defined */\n+\n+#define INLINE_UNUSED __inline__ __attribute__((unused,always_inline))\n+\n+#ifdef __cplusplus\n+extern \u0022C\u0022 {\n+#endif\n+\n+/* Defined below in f_impl.h */\n+static INLINE_UNUSED void gf_copy (gf out, const gf a) { *out \u003d *a; }\n+static INLINE_UNUSED void gf_add_RAW (gf out, const gf a, const gf b);\n+static INLINE_UNUSED void gf_sub_RAW (gf out, const gf 
a, const gf b);\n+static INLINE_UNUSED void gf_bias (gf inout, int amount);\n+static INLINE_UNUSED void gf_weak_reduce (gf inout);\n+\n+void gf_strong_reduce (gf inout); \n+void gf_add (gf out, const gf a, const gf b);\n+void gf_sub (gf out, const gf a, const gf b);\n+void gf_mul (gf_s *__restrict__ out, const gf a, const gf b);\n+void gf_mulw_unsigned (gf_s *__restrict__ out, const gf a, uint32_t b);\n+void gf_sqr (gf_s *__restrict__ out, const gf a);\n+mask_t gf_isr(gf a, const gf x); /** a^2 x \u003d 1, QNR, or 0 if x\u003d0. Return true if successful */\n+mask_t gf_eq (const gf x, const gf y);\n+mask_t gf_lobit (const gf x);\n+mask_t gf_hibit (const gf x);\n+\n+void gf_serialize (uint8_t *serial, const gf x,int with_highbit);\n+mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_hibit,uint8_t hi_nmask);\n+\n+\n+#ifdef __cplusplus\n+} /* extern \u0022C\u0022 */\n+#endif\n+\n+#include \u0022f_impl.h\u0022 /* Bring in the inline implementations */\n+\n+#define P_MOD_8 7\n+#if P_MOD_8 \u003d\u003d 5\n+ extern const gf SQRT_MINUS_ONE;\n+#endif\n+\n+#ifndef LIMBPERM\n+ #define LIMBPERM(i) (i)\n+#endif\n+#define LIMB_MASK(i) (((1ull)\u003c\u003cLIMB_PLACE_VALUE(i))-1)\n+\n+static const gf ZERO \u003d {{{0}}}, ONE \u003d {{{ [LIMBPERM(0)] \u003d 1 }}};\n+\n+#endif /* __P448_F_FIELD_H__ */\ndiff --git a/crypto/ec/curve448/f_generic.c b/crypto/ec/curve448/f_generic.c\nnew file mode 100644\nindex 0000000..d09a989\n--- /dev/null\n+++ b/crypto/ec/curve448/f_generic.c\n@@ -0,0 +1,144 @@\n+/**\n+ * @file p448/f_generic.c\n+ * @author Mike Hamburg\n+ *\n+ * @copyright\n+ * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. 
See LICENSE.txt for license information.\n+ *\n+ * @brief Generic arithmetic which has to be compiled per field.\n+ *\n+ * @warning This file was automatically generated in Python.\n+ * Please do not edit it.\n+ */\n+#include \u0022field.h\u0022\n+\n+static const gf MODULUS \u003d {FIELD_LITERAL(\n+ 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff, 0xfffffffffffffe, 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff\n+)};\n+ \n+#if P_MOD_8 \u003d\u003d 5\n+ const gf SQRT_MINUS_ONE \u003d {FIELD_LITERAL(\n+ /* NOPE */\n+ )};\n+#endif\n+\n+/** Serialize to wire format. */\n+void gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {\n+ gf red;\n+ gf_copy(red, x);\n+ gf_strong_reduce(red);\n+ if (!with_hibit) { assert(gf_hibit(red) \u003d\u003d 0); }\n+ \n+ unsigned int j\u003d0, fill\u003d0;\n+ dword_t buffer \u003d 0;\n+ UNROLL for (unsigned int i\u003d0; i\u003c(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {\n+ if (fill \u003c 8 \u0026\u0026 j \u003c NLIMBS) {\n+ buffer |\u003d ((dword_t)red-\u003elimb[LIMBPERM(j)]) \u003c\u003c fill;\n+ fill +\u003d LIMB_PLACE_VALUE(LIMBPERM(j));\n+ j++;\n+ }\n+ serial[i] \u003d buffer;\n+ fill -\u003d 8;\n+ buffer \u003e\u003e\u003d 8;\n+ }\n+}\n+\n+/** Return high bit of x \u003d low bit of 2x mod p */\n+mask_t gf_hibit(const gf x) {\n+ gf y;\n+ gf_add(y,x,x);\n+ gf_strong_reduce(y);\n+ return -(y-\u003elimb[0]\u00261);\n+}\n+\n+/** Return high bit of x \u003d low bit of 2x mod p */\n+mask_t gf_lobit(const gf x) {\n+ gf y;\n+ gf_copy(y,x);\n+ gf_strong_reduce(y);\n+ return -(y-\u003elimb[0]\u00261);\n+}\n+\n+/** Deserialize from wire format; return -1 on success and 0 on failure. */\n+mask_t gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit, uint8_t hi_nmask) {\n+ unsigned int j\u003d0, fill\u003d0;\n+ dword_t buffer \u003d 0;\n+ dsword_t scarry \u003d 0;\n+ const unsigned nbytes \u003d with_hibit ? 
X_SER_BYTES : SER_BYTES;\n+ UNROLL for (unsigned int i\u003d0; i\u003cNLIMBS; i++) {\n+ UNROLL while (fill \u003c LIMB_PLACE_VALUE(LIMBPERM(i)) \u0026\u0026 j \u003c nbytes) {\n+ uint8_t sj \u003d serial[j];\n+ if (j\u003d\u003dnbytes-1) sj \u0026\u003d ~hi_nmask;\n+ buffer |\u003d ((dword_t)sj) \u003c\u003c fill;\n+ fill +\u003d 8;\n+ j++;\n+ }\n+ x-\u003elimb[LIMBPERM(i)] \u003d (i\u003cNLIMBS-1) ? buffer \u0026 LIMB_MASK(LIMBPERM(i)) : buffer;\n+ fill -\u003d LIMB_PLACE_VALUE(LIMBPERM(i));\n+ buffer \u003e\u003e\u003d LIMB_PLACE_VALUE(LIMBPERM(i));\n+ scarry \u003d (scarry + x-\u003elimb[LIMBPERM(i)] - MODULUS-\u003elimb[LIMBPERM(i)]) \u003e\u003e (8*sizeof(word_t));\n+ }\n+ mask_t succ \u003d with_hibit ? -(mask_t)1 : ~gf_hibit(x);\n+ return succ \u0026 word_is_zero(buffer) \u0026 ~word_is_zero(scarry);\n+}\n+\n+/** Reduce to canonical form. */\n+void gf_strong_reduce (gf a) {\n+ /* first, clear high */\n+ gf_weak_reduce(a); /* Determined to have negligible perf impact. */\n+\n+ /* now the total is less than 2p */\n+\n+ /* compute total_value - p. No need to reduce mod p. */\n+ dsword_t scarry \u003d 0;\n+ for (unsigned int i\u003d0; i\u003cNLIMBS; i++) {\n+ scarry \u003d scarry + a-\u003elimb[LIMBPERM(i)] - MODULUS-\u003elimb[LIMBPERM(i)];\n+ a-\u003elimb[LIMBPERM(i)] \u003d scarry \u0026 LIMB_MASK(LIMBPERM(i));\n+ scarry \u003e\u003e\u003d LIMB_PLACE_VALUE(LIMBPERM(i));\n+ }\n+\n+ /* uncommon case: it was \u003e\u003d p, so now scarry \u003d 0 and this \u003d x\n+ * common case: it was \u003c p, so now scarry \u003d -1 and this \u003d x - p + 2^255\n+ * so let's add back in p. 
will carry back off the top for 2^255.\n+ */\n+ assert(word_is_zero(scarry) | word_is_zero(scarry+1));\n+\n+ word_t scarry_0 \u003d scarry;\n+ dword_t carry \u003d 0;\n+\n+ /* add it back */\n+ for (unsigned int i\u003d0; i\u003cNLIMBS; i++) {\n+ carry \u003d carry + a-\u003elimb[LIMBPERM(i)] + (scarry_0 \u0026 MODULUS-\u003elimb[LIMBPERM(i)]);\n+ a-\u003elimb[LIMBPERM(i)] \u003d carry \u0026 LIMB_MASK(LIMBPERM(i));\n+ carry \u003e\u003e\u003d LIMB_PLACE_VALUE(LIMBPERM(i));\n+ }\n+\n+ assert(word_is_zero(carry + scarry_0));\n+}\n+\n+/** Subtract two gf elements d\u003da-b */\n+void gf_sub (gf d, const gf a, const gf b) {\n+ gf_sub_RAW ( d, a, b );\n+ gf_bias( d, 2 );\n+ gf_weak_reduce ( d );\n+}\n+\n+/** Add two field elements d \u003d a+b */\n+void gf_add (gf d, const gf a, const gf b) {\n+ gf_add_RAW ( d, a, b );\n+ gf_weak_reduce ( d );\n+}\n+\n+/** Compare a\u003d\u003db */\n+mask_t gf_eq(const gf a, const gf b) {\n+ gf c;\n+ gf_sub(c,a,b);\n+ gf_strong_reduce(c);\n+ mask_t ret\u003d0;\n+ for (unsigned int i\u003d0; i\u003cNLIMBS; i++) {\n+ ret |\u003d c-\u003elimb[LIMBPERM(i)];\n+ }\n+\n+ return word_is_zero(ret);\n+}\ndiff --git a/crypto/ec/curve448/field.h b/crypto/ec/curve448/field.h\nnew file mode 100644\nindex 0000000..c536a51\n--- /dev/null\n+++ b/crypto/ec/curve448/field.h\n@@ -0,0 +1,112 @@\n+/**\n+ * @file field.h\n+ * @brief Generic gf header.\n+ * @copyright\n+ * Copyright (c) 2014 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ * @author Mike Hamburg\n+ */\n+\n+#ifndef __GF_H__\n+#define __GF_H__\n+\n+#include \u0022constant_time.h\u0022\n+#include \u0022f_field.h\u0022\n+#include \u003cstring.h\u003e\n+ \n+/** Square x, n times. 
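Review bot: `gf_lobit` carries the doc comment of `gf_hibit` ("Return high bit of x = low bit of 2x mod p"), although its body copies x, strong-reduces it and returns the low bit of x itself; the comment should read `/** Return low bit of x (after strong reduction) as a mask */`. Both `gf_hibit` and `gf_lobit` also index `y->limb[0]` directly, whereas every other limb access in this file goes through `LIMBPERM`, so on a build where `LIMBPERM` is not the identity they would presumably test the wrong limb; `return -(y->limb[LIMBPERM(0)]&1);` keeps them consistent with the rest. In `gf_strong_reduce` the block comment still speaks of `2^255`, which does not match a 448-bit field and should name the field's own top power of two. The file header marks this file as generated, so these changes may belong in the generator rather than in this copy.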
*/\n+static DECAF_INLINE void gf_sqrn (\n+ gf_s *__restrict__ y,\n+ const gf x,\n+ int n\n+) {\n+ gf tmp;\n+ assert(n\u003e0);\n+ if (n\u00261) {\n+ gf_sqr(y,x);\n+ n--;\n+ } else {\n+ gf_sqr(tmp,x);\n+ gf_sqr(y,tmp);\n+ n-\u003d2;\n+ }\n+ for (; n; n-\u003d2) {\n+ gf_sqr(tmp,y);\n+ gf_sqr(y,tmp);\n+ }\n+}\n+\n+#define gf_add_nr gf_add_RAW\n+\n+/** Subtract mod p. Bias by 2 and don't reduce */\n+static inline void gf_sub_nr ( gf c, const gf a, const gf b ) {\n+ gf_sub_RAW(c,a,b);\n+ gf_bias(c, 2);\n+ if (GF_HEADROOM \u003c 3) gf_weak_reduce(c);\n+}\n+\n+/** Subtract mod p. Bias by amt but don't reduce. */\n+static inline void gf_subx_nr ( gf c, const gf a, const gf b, int amt ) {\n+ gf_sub_RAW(c,a,b);\n+ gf_bias(c, amt);\n+ if (GF_HEADROOM \u003c amt+1) gf_weak_reduce(c);\n+}\n+\n+/** Mul by signed int. Not constant-time WRT the sign of that int. */\n+static inline void gf_mulw(gf c, const gf a, int32_t w) {\n+ if (w\u003e0) {\n+ gf_mulw_unsigned(c, a, w);\n+ } else {\n+ gf_mulw_unsigned(c, a, -w);\n+ gf_sub(c,ZERO,c);\n+ }\n+}\n+\n+/** Constant time, x \u003d is_z ? 
z : y */\n+static inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) {\n+ constant_time_select(x,y,z,sizeof(gf),is_z,0);\n+}\n+\n+/** Constant time, if (neg) x\u003d-x; */\n+static inline void gf_cond_neg(gf x, mask_t neg) {\n+ gf y;\n+ gf_sub(y,ZERO,x);\n+ gf_cond_sel(x,x,y,neg);\n+}\n+\n+/** Constant time, if (swap) (x,y) \u003d (y,x); */\n+static inline void\n+gf_cond_swap(gf x, gf_s *__restrict__ y, mask_t swap) {\n+ constant_time_cond_swap(x,y,sizeof(gf_s),swap);\n+}\n+\n+static DECAF_INLINE void gf_mul_qnr(gf_s *__restrict__ out, const gf x) {\n+#if P_MOD_8 \u003d\u003d 5\n+ /* r \u003d QNR * r0^2 */\n+ gf_mul(out,x,SQRT_MINUS_ONE);\n+#elif P_MOD_8 \u003d\u003d 3 || P_MOD_8 \u003d\u003d 7\n+ gf_sub(out,ZERO,x);\n+#else\n+ #error \u0022Only supporting p\u003d3,5,7 mod 8\u0022\n+#endif\n+}\n+\n+static DECAF_INLINE void gf_div_qnr(gf_s *__restrict__ out, const gf x) {\n+#if P_MOD_8 \u003d\u003d 5\n+ /* r \u003d QNR * r0^2 */\n+ gf_mul(out,x,SQRT_MINUS_ONE);\n+ gf_sub(out,ZERO,out);\n+#elif P_MOD_8 \u003d\u003d 3 || P_MOD_8 \u003d\u003d 7\n+ gf_sub(out,ZERO,x);\n+#else\n+ #error \u0022Only supporting p\u003d3,5,7 mod 8\u0022\n+#endif\n+}\n+\n+#if P_MOD_8 \u003d\u003d 5\n+#define gf_mul_i gf_mul_qnr\n+#define gf_div_i gf_div_qnr\n+#endif\n+\n+\n+#endif // __GF_H__\ndiff --git a/crypto/ec/curve448/include/arch_32/arch_intrinsics.h b/crypto/ec/curve448/include/arch_32/arch_intrinsics.h\ndeleted file mode 100644\nindex f3908a2..0000000\n--- a/crypto/ec/curve448/include/arch_32/arch_intrinsics.h\n+++ /dev/null\n@@ -1,22 +0,0 @@\n-/* Copyright (c) 2016 Cryptography Research, Inc.\n- * Released under the MIT License. See LICENSE.txt for license information.\n- */\n-\n-#ifndef __ARCH_ARCH_32_ARCH_INTRINSICS_H__\n-#define __ARCH_ARCH_32_ARCH_INTRINSICS_H__\n-\n-#define ARCH_WORD_BITS 32\n-\n-static __inline__ __attribute((always_inline,unused))\n-uint32_t word_is_zero(uint32_t a) {\n- /* let's hope the compiler isn't clever enough to optimize this. 
*/\n- return (((uint64_t)a)-1)\u003e\u003e32;\n-}\n-\n-static __inline__ __attribute((always_inline,unused))\n-uint64_t widemul(uint32_t a, uint32_t b) {\n- return ((uint64_t)a) * b;\n-}\n-\n-#endif /* __ARCH_ARM_32_ARCH_INTRINSICS_H__ */\n-\ndiff --git a/crypto/ec/curve448/include/arch_arm_32/arch_intrinsics.h b/crypto/ec/curve448/include/arch_arm_32/arch_intrinsics.h\ndeleted file mode 100644\nindex 7451c6f..0000000\n--- a/crypto/ec/curve448/include/arch_arm_32/arch_intrinsics.h\n+++ /dev/null\n@@ -1,24 +0,0 @@\n-/* Copyright (c) 2016 Cryptography Research, Inc.\n- * Released under the MIT License. See LICENSE.txt for license information.\n- */\n-\n-#ifndef __ARCH_ARM_32_ARCH_INTRINSICS_H__\n-#define __ARCH_ARM_32_ARCH_INTRINSICS_H__\n-\n-#define ARCH_WORD_BITS 32\n-\n-static __inline__ __attribute((always_inline,unused))\n-uint32_t word_is_zero(uint32_t a) {\n- uint32_t ret;\n- asm(\u0022subs %0, %1, #1;\u005cn\u005ctsbc %0, %0, %0\u0022 : \u0022\u003dr\u0022(ret) : \u0022r\u0022(a) : \u0022cc\u0022);\n- return ret;\n-}\n-\n-static __inline__ __attribute((always_inline,unused))\n-uint64_t widemul(uint32_t a, uint32_t b) {\n- /* Could be UMULL, but it's hard to express to CC that the registers must be different */\n- return ((uint64_t)a) * b; \n-}\n-\n-#endif /* __ARCH_ARM_32_ARCH_INTRINSICS_H__ */\n-\ndiff --git a/crypto/ec/curve448/include/arch_neon/arch_intrinsics.h b/crypto/ec/curve448/include/arch_neon/arch_intrinsics.h\ndeleted file mode 100644\nindex 1a1e14b..0000000\n--- a/crypto/ec/curve448/include/arch_neon/arch_intrinsics.h\n+++ /dev/null\n@@ -1,24 +0,0 @@\n-/* Copyright (c) 2016 Cryptography Research, Inc.\n- * Released under the MIT License. 
See LICENSE.txt for license information.\n- */\n-\n-#ifndef __ARCH_NEON_ARCH_INTRINSICS_H__\n-#define __ARCH_NEON_ARCH_INTRINSICS_H__\n-\n-#define ARCH_WORD_BITS 32\n-\n-static __inline__ __attribute((always_inline,unused))\n-uint32_t word_is_zero(uint32_t a) {\n- uint32_t ret;\n- __asm__(\u0022subs %0, %1, #1;\u005cn\u005ctsbc %0, %0, %0\u0022 : \u0022\u003dr\u0022(ret) : \u0022r\u0022(a) : \u0022cc\u0022);\n- return ret;\n-}\n-\n-static __inline__ __attribute((always_inline,unused))\n-uint64_t widemul(uint32_t a, uint32_t b) {\n- /* Could be UMULL, but it's hard to express to CC that the registers must be different */\n- return ((uint64_t)a) * b; \n-}\n-\n-#endif /* __ARCH_NEON_ARCH_INTRINSICS_H__ */\n-\ndiff --git a/crypto/ec/curve448/include/arch_ref64/arch_intrinsics.h b/crypto/ec/curve448/include/arch_ref64/arch_intrinsics.h\ndeleted file mode 100644\nindex 4b34ea5..0000000\n--- a/crypto/ec/curve448/include/arch_ref64/arch_intrinsics.h\n+++ /dev/null\n@@ -1,22 +0,0 @@\n-/* Copyright (c) 2016 Cryptography Research, Inc.\n- * Released under the MIT License. See LICENSE.txt for license information.\n- */\n-\n-#ifndef __ARCH_REF64_ARCH_INTRINSICS_H__\n-#define __ARCH_REF64_ARCH_INTRINSICS_H__\n-\n-#define ARCH_WORD_BITS 64\n-\n-static __inline__ __attribute((always_inline,unused))\n-uint64_t word_is_zero(uint64_t a) {\n- /* let's hope the compiler isn't clever enough to optimize this. 
*/\n- return (((__uint128_t)a)-1)\u003e\u003e64;\n-}\n-\n-static __inline__ __attribute((always_inline,unused))\n-__uint128_t widemul(uint64_t a, uint64_t b) {\n- return ((__uint128_t)a) * b; \n-}\n-\n-#endif /* ARCH_REF64_ARCH_INTRINSICS_H__ */\n-\ndiff --git a/crypto/ec/curve448/include/arch_x86_64/arch_intrinsics.h b/crypto/ec/curve448/include/arch_x86_64/arch_intrinsics.h\ndeleted file mode 100644\nindex 8fcf2c8..0000000\n--- a/crypto/ec/curve448/include/arch_x86_64/arch_intrinsics.h\n+++ /dev/null\n@@ -1,305 +0,0 @@\n-/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n- * Released under the MIT License. See LICENSE.txt for license information.\n- */\n-\n-#ifndef __ARCH_X86_64_ARCH_INTRINSICS_H__\n-#define __ARCH_X86_64_ARCH_INTRINSICS_H__\n-\n-#define ARCH_WORD_BITS 64\n-\n-#include \u003cstdint.h\u003e\n-\n-/* FUTURE: autogenerate */\n-static __inline__ __uint128_t widemul(const uint64_t *a, const uint64_t *b) {\n- uint64_t c,d;\n- #ifndef __BMI2__\n- __asm__ volatile\n- (\u0022movq %[a], %%rax;\u0022\n- \u0022mulq %[b];\u0022\n- : [c]\u0022\u003d\u0026a\u0022(c), [d]\u0022\u003dd\u0022(d)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022cc\u0022);\n- #else\n- __asm__ volatile\n- (\u0022movq %[a], %%rdx;\u0022\n- \u0022mulx %[b], %[c], %[d];\u0022\n- : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rdx\u0022);\n- #endif\n- return (((__uint128_t)(d))\u003c\u003c64) | c;\n-}\n-\n-static __inline__ __uint128_t widemul_rm(uint64_t a, const uint64_t *b) {\n- uint64_t c,d;\n- #ifndef __BMI2__\n- __asm__ volatile\n- (\u0022movq %[a], %%rax;\u0022\n- \u0022mulq %[b];\u0022\n- : [c]\u0022\u003d\u0026a\u0022(c), [d]\u0022\u003dd\u0022(d)\n- : [b]\u0022m\u0022(*b), [a]\u0022r\u0022(a)\n- : \u0022cc\u0022);\n- #else\n- __asm__ volatile\n- (\u0022mulx %[b], %[c], %[d];\u0022\n- : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d)\n- : [b]\u0022m\u0022(*b), [a]\u0022d\u0022(a));\n- #endif\n- 
return (((__uint128_t)(d))\u003c\u003c64) | c;\n-}\n-\n-static __inline__ __uint128_t widemul_rr(uint64_t a, uint64_t b) {\n- uint64_t c,d;\n- #ifndef __BMI2__\n- __asm__ volatile\n- (\u0022mulq %[b];\u0022\n- : [c]\u0022\u003da\u0022(c), [d]\u0022\u003dd\u0022(d)\n- : [b]\u0022r\u0022(b), \u0022a\u0022(a)\n- : \u0022cc\u0022);\n- #else\n- __asm__ volatile\n- (\u0022mulx %[b], %[c], %[d];\u0022\n- : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d)\n- : [b]\u0022r\u0022(b), [a]\u0022d\u0022(a));\n- #endif\n- return (((__uint128_t)(d))\u003c\u003c64) | c;\n-}\n-\n-static __inline__ __uint128_t widemul2(const uint64_t *a, const uint64_t *b) {\n- uint64_t c,d;\n- #ifndef __BMI2__\n- __asm__ volatile\n- (\u0022movq %[a], %%rax; \u0022\n- \u0022addq %%rax, %%rax; \u0022\n- \u0022mulq %[b];\u0022\n- : [c]\u0022\u003d\u0026a\u0022(c), [d]\u0022\u003dd\u0022(d)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022cc\u0022);\n- #else\n- __asm__ volatile\n- (\u0022movq %[a], %%rdx;\u0022\n- \u0022leaq (,%%rdx,2), %%rdx;\u0022\n- \u0022mulx %[b], %[c], %[d];\u0022\n- : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rdx\u0022);\n- #endif\n- return (((__uint128_t)(d))\u003c\u003c64) | c;\n-}\n-\n-static __inline__ void mac(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {\n- uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n- \n- #ifdef __BMI2__\n- uint64_t c,d;\n- __asm__ volatile\n- (\u0022movq %[a], %%rdx; \u0022\n- \u0022mulx %[b], %[c], %[d]; \u0022\n- \u0022addq %[c], %[lo]; \u0022\n- \u0022adcq %[d], %[hi]; \u0022\n- : [c]\u0022\u003d\u0026r\u0022(c), [d]\u0022\u003d\u0026r\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rdx\u0022, \u0022cc\u0022);\n- #else\n- __asm__ volatile\n- (\u0022movq %[a], %%rax; \u0022\n- \u0022mulq %[b]; \u0022\n- \u0022addq %%rax, %[lo]; \u0022\n- \u0022adcq %%rdx, %[hi]; \u0022\n- : 
[lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n- #endif\n- \n- *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n-}\n-\n-static __inline__ void macac(__uint128_t *acc, __uint128_t *acc2, const uint64_t *a, const uint64_t *b) {\n- uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n- uint64_t lo2 \u003d *acc2, hi2 \u003d *acc2\u003e\u003e64;\n- \n- #ifdef __BMI2__\n- uint64_t c,d;\n- __asm__ volatile\n- (\u0022movq %[a], %%rdx; \u0022\n- \u0022mulx %[b], %[c], %[d]; \u0022\n- \u0022addq %[c], %[lo]; \u0022\n- \u0022adcq %[d], %[hi]; \u0022\n- \u0022addq %[c], %[lo2]; \u0022\n- \u0022adcq %[d], %[hi2]; \u0022\n- : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi), [lo2]\u0022+r\u0022(lo2), [hi2]\u0022+r\u0022(hi2)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rdx\u0022, \u0022cc\u0022);\n- #else\n- __asm__ volatile\n- (\u0022movq %[a], %%rax; \u0022\n- \u0022mulq %[b]; \u0022\n- \u0022addq %%rax, %[lo]; \u0022\n- \u0022adcq %%rdx, %[hi]; \u0022\n- \u0022addq %%rax, %[lo2]; \u0022\n- \u0022adcq %%rdx, %[hi2]; \u0022\n- : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi), [lo2]\u0022+r\u0022(lo2), [hi2]\u0022+r\u0022(hi2)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n- #endif\n- \n- *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n- *acc2 \u003d (((__uint128_t)(hi2))\u003c\u003c64) | lo2;\n-}\n-\n-static __inline__ void mac_rm(__uint128_t *acc, uint64_t a, const uint64_t *b) {\n- uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n- \n- #ifdef __BMI2__\n- uint64_t c,d;\n- __asm__ volatile\n- (\u0022mulx %[b], %[c], %[d]; \u0022\n- \u0022addq %[c], %[lo]; \u0022\n- \u0022adcq %[d], %[hi]; \u0022\n- : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n- : [b]\u0022m\u0022(*b), 
[a]\u0022d\u0022(a)\n- : \u0022cc\u0022);\n- #else\n- __asm__ volatile\n- (\u0022movq %[a], %%rax; \u0022\n- \u0022mulq %[b]; \u0022\n- \u0022addq %%rax, %[lo]; \u0022\n- \u0022adcq %%rdx, %[hi]; \u0022\n- : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n- : [b]\u0022m\u0022(*b), [a]\u0022r\u0022(a)\n- : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n- #endif\n- \n- *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n-}\n-\n-static __inline__ void mac_rr(__uint128_t *acc, uint64_t a, const uint64_t b) {\n- uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n- \n- #ifdef __BMI2__\n- uint64_t c,d;\n- __asm__ volatile\n- (\u0022mulx %[b], %[c], %[d]; \u0022\n- \u0022addq %[c], %[lo]; \u0022\n- \u0022adcq %[d], %[hi]; \u0022\n- : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n- : [b]\u0022r\u0022(b), [a]\u0022d\u0022(a)\n- : \u0022cc\u0022);\n- #else\n- __asm__ volatile\n- (\u0022mulq %[b]; \u0022\n- \u0022addq %%rax, %[lo]; \u0022\n- \u0022adcq %%rdx, %[hi]; \u0022\n- : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi), \u0022+a\u0022(a)\n- : [b]\u0022r\u0022(b)\n- : \u0022rdx\u0022, \u0022cc\u0022);\n- #endif\n- \n- *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n-}\n-\n-static __inline__ void mac2(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {\n- uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n- \n- #ifdef __BMI2__\n- uint64_t c,d;\n- __asm__ volatile\n- (\u0022movq %[a], %%rdx; \u0022\n- \u0022addq %%rdx, %%rdx; \u0022\n- \u0022mulx %[b], %[c], %[d]; \u0022\n- \u0022addq %[c], %[lo]; \u0022\n- \u0022adcq %[d], %[hi]; \u0022\n- : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rdx\u0022, \u0022cc\u0022);\n- #else\n- __asm__ volatile\n- (\u0022movq %[a], %%rax; \u0022\n- \u0022addq %%rax, %%rax; \u0022\n- \u0022mulq %[b]; \u0022\n- \u0022addq %%rax, %[lo]; \u0022\n- 
\u0022adcq %%rdx, %[hi]; \u0022\n- : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n- #endif\n- \n- *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n-}\n-\n-static __inline__ void msb(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {\n- uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n- #ifdef __BMI2__\n- uint64_t c,d;\n- __asm__ volatile\n- (\u0022movq %[a], %%rdx; \u0022\n- \u0022mulx %[b], %[c], %[d]; \u0022\n- \u0022subq %[c], %[lo]; \u0022\n- \u0022sbbq %[d], %[hi]; \u0022\n- : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rdx\u0022, \u0022cc\u0022);\n- #else\n- __asm__ volatile\n- (\u0022movq %[a], %%rax; \u0022\n- \u0022mulq %[b]; \u0022\n- \u0022subq %%rax, %[lo]; \u0022\n- \u0022sbbq %%rdx, %[hi]; \u0022\n- : [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n- #endif\n- *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n-}\n-\n-static __inline__ void msb2(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {\n- uint64_t lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n- #ifdef __BMI2__\n- uint64_t c,d;\n- __asm__ volatile\n- (\u0022movq %[a], %%rdx; \u0022\n- \u0022addq %%rdx, %%rdx; \u0022\n- \u0022mulx %[b], %[c], %[d]; \u0022\n- \u0022subq %[c], %[lo]; \u0022\n- \u0022sbbq %[d], %[hi]; \u0022\n- : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rdx\u0022, \u0022cc\u0022);\n- #else\n- __asm__ volatile\n- (\u0022movq %[a], %%rax; \u0022\n- \u0022addq %%rax, %%rax; \u0022\n- \u0022mulq %[b]; \u0022\n- \u0022subq %%rax, %[lo]; \u0022\n- \u0022sbbq %%rdx, %[hi]; \u0022\n- : [lo]\u0022+r\u0022(lo), 
[hi]\u0022+r\u0022(hi)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rax\u0022, \u0022rdx\u0022, \u0022cc\u0022);\n- #endif\n- *acc \u003d (((__uint128_t)(hi))\u003c\u003c64) | lo;\n- \n-}\n-\n-static __inline__ void mrs(__uint128_t *acc, const uint64_t *a, const uint64_t *b) {\n- uint64_t c,d, lo \u003d *acc, hi \u003d *acc\u003e\u003e64;\n- __asm__ volatile\n- (\u0022movq %[a], %%rdx; \u0022\n- \u0022mulx %[b], %[c], %[d]; \u0022\n- \u0022subq %[lo], %[c]; \u0022\n- \u0022sbbq %[hi], %[d]; \u0022\n- : [c]\u0022\u003dr\u0022(c), [d]\u0022\u003dr\u0022(d), [lo]\u0022+r\u0022(lo), [hi]\u0022+r\u0022(hi)\n- : [b]\u0022m\u0022(*b), [a]\u0022m\u0022(*a)\n- : \u0022rdx\u0022, \u0022cc\u0022);\n- *acc \u003d (((__uint128_t)(d))\u003c\u003c64) | c;\n-}\n-\n-static __inline__ uint64_t word_is_zero(uint64_t x) {\n- __asm__ volatile(\u0022neg %0; sbb %0, %0;\u0022 : \u0022+r\u0022(x));\n- return ~x;\n-}\n-\n-static inline uint64_t shrld(__uint128_t x, int n) {\n- return x\u003e\u003en;\n-}\n-\n-#endif /* __ARCH_X86_64_ARCH_INTRINSICS_H__ */\ndiff --git a/crypto/ec/curve448/include/constant_time.h b/crypto/ec/curve448/include/constant_time.h\ndeleted file mode 100644\nindex 025ffe1..0000000\n--- a/crypto/ec/curve448/include/constant_time.h\n+++ /dev/null\n@@ -1,362 +0,0 @@\n-/**\n- * @file constant_time.h\n- * @copyright\n- * Copyright (c) 2014 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- * @author Mike Hamburg\n- *\n- * @brief Constant-time routines.\n- */\n-\n-#ifndef __CONSTANT_TIME_H__\n-#define __CONSTANT_TIME_H__ 1\n-\n-#include \u0022word.h\u0022\n-#include \u003cstring.h\u003e\n-\n-/*\n- * Constant-time operations on hopefully-compile-time-sized memory\n- * regions. 
Needed for flexibility / demagication: not all fields\n- * have sizes which are multiples of the vector width, necessitating\n- * a change from the Ed448 versions.\n- *\n- * These routines would be much simpler to define at the byte level,\n- * but if not vectorized they would be a significant fraction of the\n- * runtime. Eg on NEON-less ARM, constant_time_lookup is like 15% of\n- * signing time, vs 6% on Haswell with its fancy AVX2 vectors.\n- *\n- * If the compiler could do a good job of autovectorizing the code,\n- * we could just leave it with the byte definition. But that's unlikely\n- * on most deployed compilers, especially if you consider that pcmpeq[size]\n- * is much faster than moving a scalar to the vector unit (which is what\n- * a naive autovectorizer will do with constant_time_lookup on Intel).\n- *\n- * Instead, we're putting our trust in the loop unroller and unswitcher.\n- */\n-\n-\n-/**\n- * Unaligned big (vector?) register.\n- */\n-typedef struct {\n- big_register_t unaligned;\n-} __attribute__((packed)) unaligned_br_t;\n-\n-/**\n- * Unaligned word register, for architectures where that matters.\n- */\n-typedef struct {\n- word_t unaligned;\n-} __attribute__((packed)) unaligned_word_t;\n-\n-/**\n- * @brief Constant-time conditional swap.\n- *\n- * If doswap, then swap elem_bytes between *a and *b.\n- *\n- * *a and *b must not alias. 
Also, they must be at least as aligned\n- * as their sizes, if the CPU cares about that sort of thing.\n- */\n-static __inline__ void\n-__attribute__((unused,always_inline))\n-constant_time_cond_swap (\n- void *__restrict__ a_,\n- void *__restrict__ b_,\n- word_t elem_bytes,\n- mask_t doswap\n-) {\n- word_t k;\n- unsigned char *a \u003d (unsigned char *)a_;\n- unsigned char *b \u003d (unsigned char *)b_;\n- \n- big_register_t br_mask \u003d br_set_to_mask(doswap);\n- for (k\u003d0; k\u003c\u003delem_bytes-sizeof(big_register_t); k+\u003dsizeof(big_register_t)) {\n- if (elem_bytes % sizeof(big_register_t)) {\n- /* unaligned */\n- big_register_t xor \u003d\n- ((unaligned_br_t*)(\u0026a[k]))-\u003eunaligned\n- ^ ((unaligned_br_t*)(\u0026b[k]))-\u003eunaligned;\n- xor \u0026\u003d br_mask;\n- ((unaligned_br_t*)(\u0026a[k]))-\u003eunaligned ^\u003d xor;\n- ((unaligned_br_t*)(\u0026b[k]))-\u003eunaligned ^\u003d xor;\n- } else {\n- /* aligned */\n- big_register_t xor \u003d\n- *((big_register_t*)(\u0026a[k]))\n- ^ *((big_register_t*)(\u0026b[k]));\n- xor \u0026\u003d br_mask;\n- *((big_register_t*)(\u0026a[k])) ^\u003d xor;\n- *((big_register_t*)(\u0026b[k])) ^\u003d xor;\n- }\n- }\n-\n- if (elem_bytes % sizeof(big_register_t) \u003e\u003d sizeof(word_t)) {\n- for (; k\u003c\u003delem_bytes-sizeof(word_t); k+\u003dsizeof(word_t)) {\n- if (elem_bytes % sizeof(word_t)) {\n- /* unaligned */\n- word_t xor \u003d\n- ((unaligned_word_t*)(\u0026a[k]))-\u003eunaligned\n- ^ ((unaligned_word_t*)(\u0026b[k]))-\u003eunaligned;\n- xor \u0026\u003d doswap;\n- ((unaligned_word_t*)(\u0026a[k]))-\u003eunaligned ^\u003d xor;\n- ((unaligned_word_t*)(\u0026b[k]))-\u003eunaligned ^\u003d xor;\n- } else {\n- /* aligned */\n- word_t xor \u003d\n- *((word_t*)(\u0026a[k]))\n- ^ *((word_t*)(\u0026b[k]));\n- xor \u0026\u003d doswap;\n- *((word_t*)(\u0026a[k])) ^\u003d xor;\n- *((word_t*)(\u0026b[k])) ^\u003d xor;\n- }\n- }\n- }\n- \n- if (elem_bytes % sizeof(word_t)) {\n- for (; k\u003celem_bytes; 
k+\u003d1) {\n- unsigned char xor \u003d a[k] ^ b[k];\n- xor \u0026\u003d doswap;\n- a[k] ^\u003d xor;\n- b[k] ^\u003d xor;\n- }\n- }\n-}\n-\n-/**\n- * @brief Constant-time equivalent of memcpy(out, table + elem_bytes*idx, elem_bytes);\n- *\n- * The table must be at least as aligned as elem_bytes. The output must be word aligned,\n- * and if the input size is vector aligned it must also be vector aligned.\n- *\n- * The table and output must not alias.\n- */\n-static __inline__ void\n-__attribute__((unused,always_inline))\n-constant_time_lookup (\n- void *__restrict__ out_,\n- const void *table_,\n- word_t elem_bytes,\n- word_t n_table,\n- word_t idx\n-) {\n- big_register_t big_one \u003d br_set_to_mask(1), big_i \u003d br_set_to_mask(idx);\n- \n- /* Can't do pointer arithmetic on void* */\n- unsigned char *out \u003d (unsigned char *)out_;\n- const unsigned char *table \u003d (const unsigned char *)table_;\n- word_t j,k;\n- \n- memset(out, 0, elem_bytes);\n- for (j\u003d0; j\u003cn_table; j++, big_i-\u003dbig_one) { \n- big_register_t br_mask \u003d br_is_zero(big_i);\n- for (k\u003d0; k\u003c\u003delem_bytes-sizeof(big_register_t); k+\u003dsizeof(big_register_t)) {\n- if (elem_bytes % sizeof(big_register_t)) {\n- /* unaligned */\n- ((unaligned_br_t *)(out+k))-\u003eunaligned\n-\t\t\t|\u003d br_mask \u0026 ((const unaligned_br_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned;\n- } else {\n- /* aligned */\n- *(big_register_t *)(out+k) |\u003d br_mask \u0026 *(const big_register_t*)(\u0026table[k+j*elem_bytes]);\n- }\n- }\n-\n- word_t mask \u003d word_is_zero(idx^j);\n- if (elem_bytes % sizeof(big_register_t) \u003e\u003d sizeof(word_t)) {\n- for (; k\u003c\u003delem_bytes-sizeof(word_t); k+\u003dsizeof(word_t)) {\n- if (elem_bytes % sizeof(word_t)) {\n- /* input unaligned, output aligned */\n- *(word_t *)(out+k) |\u003d mask \u0026 ((const unaligned_word_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned;\n- } else {\n- /* aligned */\n- *(word_t *)(out+k) |\u003d 
mask \u0026 *(const word_t*)(\u0026table[k+j*elem_bytes]);\n- }\n- }\n- }\n- \n- if (elem_bytes % sizeof(word_t)) {\n- for (; k\u003celem_bytes; k+\u003d1) {\n- out[k] |\u003d mask \u0026 table[k+j*elem_bytes];\n- }\n- }\n- }\n-}\n-\n-/**\n- * @brief Constant-time equivalent of memcpy(table + elem_bytes*idx, in, elem_bytes);\n- *\n- * The table must be at least as aligned as elem_bytes. The input must be word aligned,\n- * and if the output size is vector aligned it must also be vector aligned.\n- *\n- * The table and input must not alias.\n- */\n-static __inline__ void\n-__attribute__((unused,always_inline))\n-constant_time_insert (\n- void *__restrict__ table_,\n- const void *in_,\n- word_t elem_bytes,\n- word_t n_table,\n- word_t idx\n-) {\n- big_register_t big_one \u003d br_set_to_mask(1), big_i \u003d br_set_to_mask(idx);\n- \n- /* Can't do pointer arithmetic on void* */\n- const unsigned char *in \u003d (const unsigned char *)in_;\n- unsigned char *table \u003d (unsigned char *)table_;\n- word_t j,k;\n- \n- for (j\u003d0; j\u003cn_table; j++, big_i-\u003dbig_one) { \n- big_register_t br_mask \u003d br_is_zero(big_i);\n- for (k\u003d0; k\u003c\u003delem_bytes-sizeof(big_register_t); k+\u003dsizeof(big_register_t)) {\n- if (elem_bytes % sizeof(big_register_t)) {\n- /* unaligned */\n- ((unaligned_br_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned\n- \u003d ( ((unaligned_br_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned \u0026 ~br_mask )\n- | ( ((const unaligned_br_t *)(in+k))-\u003eunaligned \u0026 br_mask );\n- } else {\n- /* aligned */\n- *(big_register_t*)(\u0026table[k+j*elem_bytes])\n- \u003d ( *(big_register_t*)(\u0026table[k+j*elem_bytes]) \u0026 ~br_mask )\n- | ( *(const big_register_t *)(in+k) \u0026 br_mask );\n- }\n- }\n-\n- word_t mask \u003d word_is_zero(idx^j);\n- if (elem_bytes % sizeof(big_register_t) \u003e\u003d sizeof(word_t)) {\n- for (; k\u003c\u003delem_bytes-sizeof(word_t); k+\u003dsizeof(word_t)) {\n- if (elem_bytes % sizeof(word_t)) 
{\n- /* output unaligned, input aligned */\n- ((unaligned_word_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned\n- \u003d ( ((unaligned_word_t*)(\u0026table[k+j*elem_bytes]))-\u003eunaligned \u0026 ~mask )\n- | ( *(const word_t *)(in+k) \u0026 mask );\n- } else {\n- /* aligned */\n- *(word_t*)(\u0026table[k+j*elem_bytes])\n- \u003d ( *(word_t*)(\u0026table[k+j*elem_bytes]) \u0026 ~mask )\n- | ( *(const word_t *)(in+k) \u0026 mask );\n- }\n- }\n- }\n- \n- if (elem_bytes % sizeof(word_t)) {\n- for (; k\u003celem_bytes; k+\u003d1) {\n- table[k+j*elem_bytes]\n- \u003d ( table[k+j*elem_bytes] \u0026 ~mask )\n- | ( in[k] \u0026 mask );\n- }\n- }\n- }\n-}\n-\n-/**\n- * @brief Constant-time a \u003d b\u0026mask.\n- *\n- * The input and output must be at least as aligned as elem_bytes.\n- */\n-static __inline__ void\n-__attribute__((unused,always_inline))\n-constant_time_mask (\n- void * a_,\n- const void *b_,\n- word_t elem_bytes,\n- mask_t mask\n-) {\n- unsigned char *a \u003d (unsigned char *)a_;\n- const unsigned char *b \u003d (const unsigned char *)b_;\n- \n- word_t k;\n- big_register_t br_mask \u003d br_set_to_mask(mask);\n- for (k\u003d0; k\u003c\u003delem_bytes-sizeof(big_register_t); k+\u003dsizeof(big_register_t)) {\n- if (elem_bytes % sizeof(big_register_t)) {\n- /* unaligned */\n- ((unaligned_br_t*)(\u0026a[k]))-\u003eunaligned \u003d br_mask \u0026 ((const unaligned_br_t*)(\u0026b[k]))-\u003eunaligned;\n- } else {\n- /* aligned */\n- *(big_register_t *)(a+k) \u003d br_mask \u0026 *(const big_register_t*)(\u0026b[k]);\n- }\n- }\n-\n- if (elem_bytes % sizeof(big_register_t) \u003e\u003d sizeof(word_t)) {\n- for (; k\u003c\u003delem_bytes-sizeof(word_t); k+\u003dsizeof(word_t)) {\n- if (elem_bytes % sizeof(word_t)) {\n- /* unaligned */\n- ((unaligned_word_t*)(\u0026a[k]))-\u003eunaligned \u003d mask \u0026 ((const unaligned_word_t*)(\u0026b[k]))-\u003eunaligned;\n- } else {\n- /* aligned */\n- *(word_t *)(a+k) \u003d mask \u0026 *(const word_t*)(\u0026b[k]);\n- 
}\n- }\n- }\n- \n- if (elem_bytes % sizeof(word_t)) {\n- for (; k\u003celem_bytes; k+\u003d1) {\n- a[k] \u003d mask \u0026 b[k];\n- }\n- }\n-}\n-\n-/**\n- * @brief Constant-time a \u003d mask ? bTrue : bFalse.\n- *\n- * The input and output must be at least as aligned as alignment_bytes\n- * or their size, whichever is smaller.\n- *\n- * Note that the output is not __restrict__, but if it overlaps either\n- * input, it must be equal and not partially overlap.\n- */\n-static __inline__ void\n-__attribute__((unused,always_inline))\n-constant_time_select (\n- void *a_,\n- const void *bFalse_,\n- const void *bTrue_,\n- word_t elem_bytes,\n- mask_t mask,\n- size_t alignment_bytes\n-) {\n- unsigned char *a \u003d (unsigned char *)a_;\n- const unsigned char *bTrue \u003d (const unsigned char *)bTrue_;\n- const unsigned char *bFalse \u003d (const unsigned char *)bFalse_;\n- \n- alignment_bytes |\u003d elem_bytes;\n-\n- word_t k;\n- big_register_t br_mask \u003d br_set_to_mask(mask);\n- for (k\u003d0; k\u003c\u003delem_bytes-sizeof(big_register_t); k+\u003dsizeof(big_register_t)) {\n- if (alignment_bytes % sizeof(big_register_t)) {\n- /* unaligned */\n- ((unaligned_br_t*)(\u0026a[k]))-\u003eunaligned \u003d\n-\t\t ( br_mask \u0026 ((const unaligned_br_t*)(\u0026bTrue [k]))-\u003eunaligned)\n-\t\t| (~br_mask \u0026 ((const unaligned_br_t*)(\u0026bFalse[k]))-\u003eunaligned);\n- } else {\n- /* aligned */\n- *(big_register_t *)(a+k) \u003d\n-\t\t ( br_mask \u0026 *(const big_register_t*)(\u0026bTrue [k]))\n-\t\t| (~br_mask \u0026 *(const big_register_t*)(\u0026bFalse[k]));\n- }\n- }\n-\n- if (elem_bytes % sizeof(big_register_t) \u003e\u003d sizeof(word_t)) {\n- for (; k\u003c\u003delem_bytes-sizeof(word_t); k+\u003dsizeof(word_t)) {\n- if (alignment_bytes % sizeof(word_t)) {\n- /* unaligned */\n- ((unaligned_word_t*)(\u0026a[k]))-\u003eunaligned \u003d\n-\t\t ( mask \u0026 ((const unaligned_word_t*)(\u0026bTrue [k]))-\u003eunaligned)\n-\t\t | (~mask \u0026 ((const 
unaligned_word_t*)(\u0026bFalse[k]))-\u003eunaligned);\n- } else {\n- /* aligned */\n- *(word_t *)(a+k) \u003d\n-\t\t ( mask \u0026 *(const word_t*)(\u0026bTrue [k]))\n-\t\t | (~mask \u0026 *(const word_t*)(\u0026bFalse[k]));\n- }\n- }\n- }\n- \n- if (elem_bytes % sizeof(word_t)) {\n- for (; k\u003celem_bytes; k+\u003d1) {\n- a[k] \u003d ( mask \u0026 bTrue[k]) | (~mask \u0026 bFalse[k]);\n- }\n- }\n-}\n-\n-#endif /* __CONSTANT_TIME_H__ */\ndiff --git a/crypto/ec/curve448/include/field.h b/crypto/ec/curve448/include/field.h\ndeleted file mode 100644\nindex c536a51..0000000\n--- a/crypto/ec/curve448/include/field.h\n+++ /dev/null\n@@ -1,112 +0,0 @@\n-/**\n- * @file field.h\n- * @brief Generic gf header.\n- * @copyright\n- * Copyright (c) 2014 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- * @author Mike Hamburg\n- */\n-\n-#ifndef __GF_H__\n-#define __GF_H__\n-\n-#include \u0022constant_time.h\u0022\n-#include \u0022f_field.h\u0022\n-#include \u003cstring.h\u003e\n- \n-/** Square x, n times. */\n-static DECAF_INLINE void gf_sqrn (\n- gf_s *__restrict__ y,\n- const gf x,\n- int n\n-) {\n- gf tmp;\n- assert(n\u003e0);\n- if (n\u00261) {\n- gf_sqr(y,x);\n- n--;\n- } else {\n- gf_sqr(tmp,x);\n- gf_sqr(y,tmp);\n- n-\u003d2;\n- }\n- for (; n; n-\u003d2) {\n- gf_sqr(tmp,y);\n- gf_sqr(y,tmp);\n- }\n-}\n-\n-#define gf_add_nr gf_add_RAW\n-\n-/** Subtract mod p. Bias by 2 and don't reduce */\n-static inline void gf_sub_nr ( gf c, const gf a, const gf b ) {\n- gf_sub_RAW(c,a,b);\n- gf_bias(c, 2);\n- if (GF_HEADROOM \u003c 3) gf_weak_reduce(c);\n-}\n-\n-/** Subtract mod p. Bias by amt but don't reduce. */\n-static inline void gf_subx_nr ( gf c, const gf a, const gf b, int amt ) {\n- gf_sub_RAW(c,a,b);\n- gf_bias(c, amt);\n- if (GF_HEADROOM \u003c amt+1) gf_weak_reduce(c);\n-}\n-\n-/** Mul by signed int. Not constant-time WRT the sign of that int. 
*/\n-static inline void gf_mulw(gf c, const gf a, int32_t w) {\n- if (w\u003e0) {\n- gf_mulw_unsigned(c, a, w);\n- } else {\n- gf_mulw_unsigned(c, a, -w);\n- gf_sub(c,ZERO,c);\n- }\n-}\n-\n-/** Constant time, x \u003d is_z ? z : y */\n-static inline void gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) {\n- constant_time_select(x,y,z,sizeof(gf),is_z,0);\n-}\n-\n-/** Constant time, if (neg) x\u003d-x; */\n-static inline void gf_cond_neg(gf x, mask_t neg) {\n- gf y;\n- gf_sub(y,ZERO,x);\n- gf_cond_sel(x,x,y,neg);\n-}\n-\n-/** Constant time, if (swap) (x,y) \u003d (y,x); */\n-static inline void\n-gf_cond_swap(gf x, gf_s *__restrict__ y, mask_t swap) {\n- constant_time_cond_swap(x,y,sizeof(gf_s),swap);\n-}\n-\n-static DECAF_INLINE void gf_mul_qnr(gf_s *__restrict__ out, const gf x) {\n-#if P_MOD_8 \u003d\u003d 5\n- /* r \u003d QNR * r0^2 */\n- gf_mul(out,x,SQRT_MINUS_ONE);\n-#elif P_MOD_8 \u003d\u003d 3 || P_MOD_8 \u003d\u003d 7\n- gf_sub(out,ZERO,x);\n-#else\n- #error \u0022Only supporting p\u003d3,5,7 mod 8\u0022\n-#endif\n-}\n-\n-static DECAF_INLINE void gf_div_qnr(gf_s *__restrict__ out, const gf x) {\n-#if P_MOD_8 \u003d\u003d 5\n- /* r \u003d QNR * r0^2 */\n- gf_mul(out,x,SQRT_MINUS_ONE);\n- gf_sub(out,ZERO,out);\n-#elif P_MOD_8 \u003d\u003d 3 || P_MOD_8 \u003d\u003d 7\n- gf_sub(out,ZERO,x);\n-#else\n- #error \u0022Only supporting p\u003d3,5,7 mod 8\u0022\n-#endif\n-}\n-\n-#if P_MOD_8 \u003d\u003d 5\n-#define gf_mul_i gf_mul_qnr\n-#define gf_div_i gf_div_qnr\n-#endif\n-\n-\n-#endif // __GF_H__\ndiff --git a/crypto/ec/curve448/include/keccak_internal.h b/crypto/ec/curve448/include/keccak_internal.h\ndeleted file mode 100644\nindex 15d1be4..0000000\n--- a/crypto/ec/curve448/include/keccak_internal.h\n+++ /dev/null\n@@ -1,38 +0,0 @@\n-/**\n- * @cond internal\n- * @file keccak_internal.h\n- * @copyright\n- * Copyright (c) 2016 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. 
See LICENSE.txt for license information.\n- * @author Mike Hamburg\n- * @brief Keccak internal interfaces. Will be used by STROBE once reintegrated.\n- */\n-#ifndef __DECAF_KECCAK_INTERNAL_H__\n-#define __DECAF_KECCAK_INTERNAL_H__ 1\n-\n-#include \u003cstdint.h\u003e\n-\n-/* The internal, non-opaque definition of the decaf_sponge struct. */\n-typedef union {\n- uint64_t w[25]; uint8_t b[25*8];\n-} kdomain_t[1];\n-\n-typedef struct decaf_kparams_s {\n- uint8_t position, flags, rate, start_round, pad, rate_pad, max_out, remaining;\n-} decaf_kparams_s, decaf_kparams_t[1];\n-\n-typedef struct decaf_keccak_sponge_s {\n- kdomain_t state;\n- decaf_kparams_t params;\n-} decaf_keccak_sponge_s, decaf_keccak_sponge_t[1];\n-\n-#define INTERNAL_SPONGE_STRUCT 1\n-\n-void __attribute__((noinline)) keccakf(kdomain_t state, uint8_t start_round);\n-\n-static inline void dokeccak (decaf_keccak_sponge_t decaf_sponge) {\n- keccakf(decaf_sponge-\u003estate, decaf_sponge-\u003eparams-\u003estart_round);\n- decaf_sponge-\u003eparams-\u003eposition \u003d 0;\n-}\n-\n-#endif /* __DECAF_KECCAK_INTERNAL_H__ */\ndiff --git a/crypto/ec/curve448/include/portable_endian.h b/crypto/ec/curve448/include/portable_endian.h\ndeleted file mode 100644\nindex 5cbfca7..0000000\n--- a/crypto/ec/curve448/include/portable_endian.h\n+++ /dev/null\n@@ -1,39 +0,0 @@\n-/* Subset of Mathias Panzenböck's portable endian code, public domain */\n-\n-#ifndef __PORTABLE_ENDIAN_H__\n-#define __PORTABLE_ENDIAN_H__\n-\n-#if defined(__linux__) || defined(__CYGWIN__)\n-#\tinclude \u003cendian.h\u003e\n-#elif defined(__OpenBSD__)\n-#\tinclude \u003csys/endian.h\u003e\n-#elif defined(__APPLE__)\n-#\tinclude \u003clibkern/OSByteOrder.h\u003e\n-#\tdefine htole64(x) OSSwapHostToLittleInt64(x)\n-#\tdefine le64toh(x) OSSwapLittleToHostInt64(x)\n-#elif defined(__NetBSD__) || defined(__FreeBSD__) || defined(__DragonFly__)\n-#\tinclude \u003csys/endian.h\u003e\n-#\tifndef le64toh\n-#\t\tdefine le64toh(x) letoh64(x)\n-#\tendif\n-#elif 
defined(__sun) \u0026\u0026 defined(__SVR4)\n-#\tinclude \u003csys/byteorder.h\u003e\n-#\tdefine htole64(x) LE_64(x)\n-#\tdefine le64toh(x) LE_64(x)\n-#elif defined(_WIN16) || defined(_WIN32) || defined(_WIN64) || defined(__WINDOWS__)\n-#\tinclude \u003cwinsock2.h\u003e\n-#\tinclude \u003csys/param.h\u003e\n-#\tif BYTE_ORDER \u003d\u003d LITTLE_ENDIAN\n-#\t\tdefine htole64(x) (x)\n-#\t\tdefine le64toh(x) (x)\n-#\telif BYTE_ORDER \u003d\u003d BIG_ENDIAN\n-#\t\tdefine htole64(x) __builtin_bswap64(x)\n-#\t\tdefine le64toh(x) __builtin_bswap64(x)\n-#\telse\n-#\t\terror byte order not supported\n-#\tendif\n-#else\n-#\terror platform not supported\n-#endif\n-\n-#endif // __PORTABLE_ENDIAN_H__\ndiff --git a/crypto/ec/curve448/include/word.h b/crypto/ec/curve448/include/word.h\ndeleted file mode 100644\nindex 7c7644a..0000000\n--- a/crypto/ec/curve448/include/word.h\n+++ /dev/null\n@@ -1,281 +0,0 @@\n-/* Copyright (c) 2014 Cryptography Research, Inc.\n- * Released under the MIT License. See LICENSE.txt for license information.\n- */\n-\n-#ifndef __WORD_H__\n-#define __WORD_H__\n-\n-/* for posix_memalign */\n-#define _XOPEN_SOURCE 600\n-#define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s */\n-#include \u003cstring.h\u003e\n-#if defined(__sun) \u0026\u0026 defined(__SVR4)\n-extern int posix_memalign(void **, size_t, size_t);\n-#endif\n-\n-#include \u003cassert.h\u003e\n-#include \u003cstdint.h\u003e\n-#include \u0022arch_intrinsics.h\u0022\n-\n-#include \u003cdecaf/common.h\u003e\n-\n-#ifndef _BSD_SOURCE\n-#define _BSD_SOURCE 1\n-#endif\n-\n-#ifndef _DEFAULT_SOURCE\n-#define _DEFAULT_SOURCE 1\n-#endif\n-\n-#include \u0022portable_endian.h\u0022\n-\n-#include \u003cstdlib.h\u003e\n-#include \u003csys/types.h\u003e\n-#include \u003cinttypes.h\u003e\n-\n-#if defined(__ARM_NEON__)\n-#include \u003carm_neon.h\u003e\n-#elif defined(__SSE2__)\n- #if !defined(__GNUC__) || __clang__ || __GNUC__ \u003e\u003d 5 || (__GNUC__\u003d\u003d4 \u0026\u0026 __GNUC_MINOR__ \u003e\u003d 4)\n- 
#include \u003cimmintrin.h\u003e\n- #else\n- #include \u003cemmintrin.h\u003e\n- #endif\n-#endif\n-\n-#if (ARCH_WORD_BITS \u003d\u003d 64)\n- typedef uint64_t word_t, mask_t;\n- typedef __uint128_t dword_t;\n- typedef int32_t hsword_t;\n- typedef int64_t sword_t;\n- typedef __int128_t dsword_t;\n-#elif (ARCH_WORD_BITS \u003d\u003d 32)\n- typedef uint32_t word_t, mask_t;\n- typedef uint64_t dword_t;\n- typedef int16_t hsword_t;\n- typedef int32_t sword_t;\n- typedef int64_t dsword_t;\n-#else\n- #error \u0022For now, libdecaf only supports 32- and 64-bit architectures.\u0022\n-#endif\n- \n-/* Scalar limbs are keyed off of the API word size instead of the arch word size. */\n-#if DECAF_WORD_BITS \u003d\u003d 64\n- #define SC_LIMB(x) (x##ull)\n-#elif DECAF_WORD_BITS \u003d\u003d 32\n- #define SC_LIMB(x) ((uint32_t)x##ull),(x##ull\u003e\u003e32)\n-#else\n- #error \u0022For now, libdecaf only supports 32- and 64-bit architectures.\u0022\n-#endif\n-\n-#ifdef __ARM_NEON__\n- typedef uint32x4_t vecmask_t;\n-#elif __clang__\n- typedef uint64_t uint64x2_t __attribute__((ext_vector_type(2)));\n- typedef int64_t int64x2_t __attribute__((ext_vector_type(2)));\n- typedef uint64_t uint64x4_t __attribute__((ext_vector_type(4)));\n- typedef int64_t int64x4_t __attribute__((ext_vector_type(4)));\n- typedef uint32_t uint32x4_t __attribute__((ext_vector_type(4)));\n- typedef int32_t int32x4_t __attribute__((ext_vector_type(4)));\n- typedef uint32_t uint32x2_t __attribute__((ext_vector_type(2)));\n- typedef int32_t int32x2_t __attribute__((ext_vector_type(2)));\n- typedef uint32_t uint32x8_t __attribute__((ext_vector_type(8)));\n- typedef int32_t int32x8_t __attribute__((ext_vector_type(8)));\n- typedef word_t vecmask_t __attribute__((ext_vector_type(4)));\n-#else /* GCC, hopefully? 
*/\n- typedef uint64_t uint64x2_t __attribute__((vector_size(16)));\n- typedef int64_t int64x2_t __attribute__((vector_size(16)));\n- typedef uint64_t uint64x4_t __attribute__((vector_size(32)));\n- typedef int64_t int64x4_t __attribute__((vector_size(32)));\n- typedef uint32_t uint32x4_t __attribute__((vector_size(16)));\n- typedef int32_t int32x4_t __attribute__((vector_size(16)));\n- typedef uint32_t uint32x2_t __attribute__((vector_size(8)));\n- typedef int32_t int32x2_t __attribute__((vector_size(8)));\n- typedef uint32_t uint32x8_t __attribute__((vector_size(32)));\n- typedef int32_t int32x8_t __attribute__((vector_size(32)));\n- typedef word_t vecmask_t __attribute__((vector_size(32)));\n-#endif\n-\n-#if __AVX2__\n- #define VECTOR_ALIGNED __attribute__((aligned(32)))\n- typedef uint32x8_t big_register_t;\n- typedef uint64x4_t uint64xn_t;\n- typedef uint32x8_t uint32xn_t;\n-\n- static DECAF_INLINE big_register_t\n- br_set_to_mask(mask_t x) {\n- uint32_t y \u003d (uint32_t)x;\n- big_register_t ret \u003d {y,y,y,y,y,y,y,y};\n- return ret;\n- }\n-#elif __SSE2__\n- #define VECTOR_ALIGNED __attribute__((aligned(16)))\n- typedef uint32x4_t big_register_t;\n- typedef uint64x2_t uint64xn_t;\n- typedef uint32x4_t uint32xn_t;\n-\n- static DECAF_INLINE big_register_t\n- br_set_to_mask(mask_t x) {\n- uint32_t y \u003d x;\n- big_register_t ret \u003d {y,y,y,y};\n- return ret;\n- }\n-#elif __ARM_NEON__\n- #define VECTOR_ALIGNED __attribute__((aligned(16)))\n- typedef uint32x4_t big_register_t;\n- typedef uint64x2_t uint64xn_t;\n- typedef uint32x4_t uint32xn_t;\n- \n- static DECAF_INLINE big_register_t\n- br_set_to_mask(mask_t x) {\n- return vdupq_n_u32(x);\n- }\n-#elif _WIN64 || __amd64__ || __X86_64__ || __aarch64__\n- #define VECTOR_ALIGNED __attribute__((aligned(8)))\n- typedef uint64_t big_register_t, uint64xn_t;\n-\n- typedef uint32_t uint32xn_t;\n- static DECAF_INLINE big_register_t\n- br_set_to_mask(mask_t x) {\n- return (big_register_t)x;\n- }\n-#else\n- #define 
VECTOR_ALIGNED __attribute__((aligned(4)))\n- typedef uint64_t uint64xn_t;\n- typedef uint32_t uint32xn_t;\n- typedef uint32_t big_register_t;\n-\n- static DECAF_INLINE big_register_t\n- br_set_to_mask(mask_t x) {\n- return (big_register_t)x;\n- }\n-#endif\n-\n-typedef struct {\n- uint64xn_t unaligned;\n-} __attribute__((packed)) unaligned_uint64xn_t;\n-\n-typedef struct {\n- uint32xn_t unaligned;\n-} __attribute__((packed)) unaligned_uint32xn_t;\n-\n-#if __AVX2__\n- static DECAF_INLINE big_register_t\n- br_is_zero(big_register_t x) {\n- return (big_register_t)(x \u003d\u003d br_set_to_mask(0));\n- }\n-#elif __SSE2__\n- static DECAF_INLINE big_register_t\n- br_is_zero(big_register_t x) {\n- return (big_register_t)_mm_cmpeq_epi32((__m128i)x, _mm_setzero_si128());\n- //return (big_register_t)(x \u003d\u003d br_set_to_mask(0));\n- }\n-#elif __ARM_NEON__\n- static DECAF_INLINE big_register_t\n- br_is_zero(big_register_t x) {\n- return vceqq_u32(x,x^x);\n- }\n-#else\n- #define br_is_zero word_is_zero\n-#endif\n-\n-/**\n- * Really call memset, in a way that prevents the compiler from optimizing it out.\n- * @param p The object to zeroize.\n- * @param c The char to set it to (probably zero).\n- * @param s The size of the object.\n- */\n-#if defined(__DARWIN_C_LEVEL) || defined(__STDC_LIB_EXT1__)\n-#define HAS_MEMSET_S\n-#endif\n-\n-#if !defined(__STDC_WANT_LIB_EXT1__) || __STDC_WANT_LIB_EXT1__ !\u003d 1\n-#define NEED_MEMSET_S_EXTERN\n-#endif\n-\n-#ifdef HAS_MEMSET_S\n- #ifdef NEED_MEMSET_S_EXTERN\n- extern int memset_s(void *, size_t, int, size_t);\n- #endif\n- static DECAF_INLINE void\n- really_memset(void *p, char c, size_t s) {\n- memset_s(p, s, c, s);\n- }\n-#else\n- /* PERF: use words? 
*/\n- static DECAF_INLINE void\n- really_memset(void *p, char c, size_t s) {\n- volatile char *pv \u003d (volatile char *)p;\n- size_t i;\n- for (i\u003d0; i\u003cs; i++) pv[i] \u003d c;\n- }\n-#endif\n-\n-/**\n- * Allocate memory which is sufficiently aligned to be used for the\n- * largest vector on the system (for now that's a big_register_t).\n- *\n- * Man malloc says that it does this, but at least for AVX2 on MacOS X,\n- * it's lying.\n- *\n- * @param size The size of the region to allocate.\n- * @return A suitable pointer, which can be free'd with free(),\n- * or NULL if no memory can be allocated.\n- */\n-static DECAF_INLINE void *\n-malloc_vector(size_t size) {\n- void *out \u003d NULL;\n- \n- int ret \u003d posix_memalign(\u0026out, sizeof(big_register_t), size);\n- \n- if (ret) {\n- return NULL;\n- } else {\n- return out;\n- }\n-}\n-\n-/* PERF: vectorize vs unroll */\n-#ifdef __clang__\n-#if 100*__clang_major__ + __clang_minor__ \u003e 305\n-#define UNROLL _Pragma(\u0022clang loop unroll(full)\u0022)\n-#endif\n-#endif\n-\n-#ifndef UNROLL\n-#define UNROLL\n-#endif\n-\n-/* The plan on booleans:\n- *\n- * The external interface uses decaf_bool_t, but this might be a different\n- * size than our particular arch's word_t (and thus mask_t). Also, the caller\n- * isn't guaranteed to pass it as nonzero. So bool_to_mask converts word sizes\n- * and checks nonzero.\n- *\n- * On the flip side, mask_t is always -1 or 0, but it might be a different size\n- * than decaf_bool_t.\n- *\n- * On the third hand, we have success vs boolean types, but that's handled in\n- * common.h: it converts between decaf_bool_t and decaf_error_t.\n- */\n-static DECAF_INLINE decaf_bool_t mask_to_bool (mask_t m) {\n- return (decaf_sword_t)(sword_t)m;\n-}\n-\n-static DECAF_INLINE mask_t bool_to_mask (decaf_bool_t m) {\n- /* On most arches this will be optimized to a simple cast. 
*/\n- mask_t ret \u003d 0;\n- unsigned int limit \u003d sizeof(decaf_bool_t)/sizeof(mask_t);\n- if (limit \u003c 1) limit \u003d 1;\n- for (unsigned int i\u003d0; i\u003climit; i++) {\n- ret |\u003d ~ word_is_zero(m \u003e\u003e (i*8*sizeof(word_t)));\n- }\n- return ret;\n-}\n-\n-static DECAF_INLINE void ignore_result ( decaf_bool_t boo ) {\n- (void)boo;\n-}\n-\n-#endif /* __WORD_H__ */\ndiff --git a/crypto/ec/curve448/keccak_internal.h b/crypto/ec/curve448/keccak_internal.h\nnew file mode 100644\nindex 0000000..15d1be4\n--- /dev/null\n+++ b/crypto/ec/curve448/keccak_internal.h\n@@ -0,0 +1,38 @@\n+/**\n+ * @cond internal\n+ * @file keccak_internal.h\n+ * @copyright\n+ * Copyright (c) 2016 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ * @author Mike Hamburg\n+ * @brief Keccak internal interfaces. Will be used by STROBE once reintegrated.\n+ */\n+#ifndef __DECAF_KECCAK_INTERNAL_H__\n+#define __DECAF_KECCAK_INTERNAL_H__ 1\n+\n+#include \u003cstdint.h\u003e\n+\n+/* The internal, non-opaque definition of the decaf_sponge struct. 
*/\n+typedef union {\n+ uint64_t w[25]; uint8_t b[25*8];\n+} kdomain_t[1];\n+\n+typedef struct decaf_kparams_s {\n+ uint8_t position, flags, rate, start_round, pad, rate_pad, max_out, remaining;\n+} decaf_kparams_s, decaf_kparams_t[1];\n+\n+typedef struct decaf_keccak_sponge_s {\n+ kdomain_t state;\n+ decaf_kparams_t params;\n+} decaf_keccak_sponge_s, decaf_keccak_sponge_t[1];\n+\n+#define INTERNAL_SPONGE_STRUCT 1\n+\n+void __attribute__((noinline)) keccakf(kdomain_t state, uint8_t start_round);\n+\n+static inline void dokeccak (decaf_keccak_sponge_t decaf_sponge) {\n+ keccakf(decaf_sponge-\u003estate, decaf_sponge-\u003eparams-\u003estart_round);\n+ decaf_sponge-\u003eparams-\u003eposition \u003d 0;\n+}\n+\n+#endif /* __DECAF_KECCAK_INTERNAL_H__ */\ndiff --git a/crypto/ec/curve448/p448/arch_32/f_impl.c b/crypto/ec/curve448/p448/arch_32/f_impl.c\ndeleted file mode 100644\nindex 0770bd9..0000000\n--- a/crypto/ec/curve448/p448/arch_32/f_impl.c\n+++ /dev/null\n@@ -1,101 +0,0 @@\n-/* Copyright (c) 2014 Cryptography Research, Inc.\n- * Released under the MIT License. 
See LICENSE.txt for license information.\n- */\n-\n-#include \u0022f_field.h\u0022\n-\n-#if (defined(__OPTIMIZE__) \u0026\u0026 !defined(__OPTIMIZE_SIZE__) \u0026\u0026 !I_HATE_UNROLLED_LOOPS) \u005c\n- || defined(DECAF_FORCE_UNROLL)\n-#define REPEAT8(_x) _x _x _x _x _x _x _x _x\n-#define FOR_LIMB(_i,_start,_end,_x) do { _i\u003d_start; REPEAT8( if (_i\u003c_end) { _x; } _i++;) } while (0)\n-#else\n-#define FOR_LIMB(_i,_start,_end,_x) do { for (_i\u003d_start; _i\u003c_end; _i++) _x; } while (0)\n-#endif\n-\n-void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) { \n- const uint32_t *a \u003d as-\u003elimb, *b \u003d bs-\u003elimb;\n- uint32_t *c \u003d cs-\u003elimb;\n-\n- uint64_t accum0 \u003d 0, accum1 \u003d 0, accum2 \u003d 0;\n- uint32_t mask \u003d (1\u003c\u003c28) - 1; \n-\n- uint32_t aa[8], bb[8];\n- \n- int i,j;\n- for (i\u003d0; i\u003c8; i++) {\n- aa[i] \u003d a[i] + a[i+8];\n- bb[i] \u003d b[i] + b[i+8];\n- }\n- \n- FOR_LIMB(j,0,8,{\n- accum2 \u003d 0;\n- \n- FOR_LIMB (i,0,j+1,{\n- accum2 +\u003d widemul(a[j-i],b[i]);\n- accum1 +\u003d widemul(aa[j-i],bb[i]);\n- accum0 +\u003d widemul(a[8+j-i], b[8+i]);\n- });\n- \n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n- accum2 \u003d 0;\n- \n- FOR_LIMB (i,j+1,8,{\n- accum0 -\u003d widemul(a[8+j-i], b[i]);\n- accum2 +\u003d widemul(aa[8+j-i], bb[i]);\n- accum1 +\u003d widemul(a[16+j-i], b[8+i]);\n- });\n-\n- accum1 +\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[j] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[j+8] \u003d ((uint32_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 28;\n- accum1 \u003e\u003e\u003d 28;\n- });\n- \n- accum0 +\u003d accum1;\n- accum0 +\u003d c[8];\n- accum1 +\u003d c[0];\n- c[8] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[0] \u003d ((uint32_t)(accum1)) \u0026 mask;\n- \n- accum0 \u003e\u003e\u003d 28;\n- accum1 \u003e\u003e\u003d 28;\n- c[9] +\u003d ((uint32_t)(accum0));\n- c[1] +\u003d ((uint32_t)(accum1));\n-}\n-\n-void gf_mulw_unsigned (gf_s 
*__restrict__ cs, const gf as, uint32_t b) {\n- assert(b\u003c1\u003c\u003c28);\n- \n- const uint32_t *a \u003d as-\u003elimb;\n- uint32_t *c \u003d cs-\u003elimb;\n-\n- uint64_t accum0 \u003d 0, accum8 \u003d 0;\n- uint32_t mask \u003d (1ull\u003c\u003c28)-1; \n-\n- int i;\n- FOR_LIMB(i,0,8,{\n- accum0 +\u003d widemul(b, a[i]);\n- accum8 +\u003d widemul(b, a[i+8]);\n-\n- c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n- c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n- });\n-\n- accum0 +\u003d accum8 + c[8];\n- c[8] \u003d accum0 \u0026 mask;\n- c[9] +\u003d accum0 \u003e\u003e 28;\n-\n- accum8 +\u003d c[0];\n- c[0] \u003d accum8 \u0026 mask;\n- c[1] +\u003d accum8 \u003e\u003e 28;\n-}\n-\n-void gf_sqr (gf_s *__restrict__ cs, const gf as) {\n- gf_mul(cs,as,as); /* Performs better with a dedicated square */\n-}\n-\ndiff --git a/crypto/ec/curve448/p448/arch_32/f_impl.h b/crypto/ec/curve448/p448/arch_32/f_impl.h\ndeleted file mode 100644\nindex c368788..0000000\n--- a/crypto/ec/curve448/p448/arch_32/f_impl.h\n+++ /dev/null\n@@ -1,40 +0,0 @@\n-/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n- * Released under the MIT License. 
See LICENSE.txt for license information.\n- */\n-\n-#define GF_HEADROOM 2\n-#define LIMB(x) (x##ull)\u0026((1ull\u003c\u003c28)-1), (x##ull)\u003e\u003e28\n-#define FIELD_LITERAL(a,b,c,d,e,f,g,h) \u005c\n- {{LIMB(a),LIMB(b),LIMB(c),LIMB(d),LIMB(e),LIMB(f),LIMB(g),LIMB(h)}}\n- \n-#define LIMB_PLACE_VALUE(i) 28\n-\n-void gf_add_RAW (gf out, const gf a, const gf b) {\n- for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n- out-\u003elimb[i] \u003d a-\u003elimb[i] + b-\u003elimb[i];\n- }\n-}\n-\n-void gf_sub_RAW (gf out, const gf a, const gf b) {\n- for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n- out-\u003elimb[i] \u003d a-\u003elimb[i] - b-\u003elimb[i];\n- }\n-}\n-\n-void gf_bias (gf a, int amt) { \n- uint32_t co1 \u003d ((1ull\u003c\u003c28)-1)*amt, co2 \u003d co1-amt;\n- for (unsigned int i\u003d0; i\u003csizeof(*a)/sizeof(a-\u003elimb[0]); i++) {\n- a-\u003elimb[i] +\u003d (i\u003d\u003dsizeof(*a)/sizeof(a-\u003elimb[0])/2) ? co2 : co1;\n- }\n-}\n-\n-void gf_weak_reduce (gf a) {\n- uint32_t mask \u003d (1ull\u003c\u003c28) - 1;\n- uint32_t tmp \u003d a-\u003elimb[15] \u003e\u003e 28;\n- a-\u003elimb[8] +\u003d tmp;\n- for (unsigned int i\u003d15; i\u003e0; i--) {\n- a-\u003elimb[i] \u003d (a-\u003elimb[i] \u0026 mask) + (a-\u003elimb[i-1]\u003e\u003e28);\n- }\n- a-\u003elimb[0] \u003d (a-\u003elimb[0] \u0026 mask) + tmp;\n-}\n-\ndiff --git a/crypto/ec/curve448/p448/arch_arm_32/f_impl.c b/crypto/ec/curve448/p448/arch_arm_32/f_impl.c\ndeleted file mode 100644\nindex 0454bd6..0000000\n--- a/crypto/ec/curve448/p448/arch_arm_32/f_impl.c\n+++ /dev/null\n@@ -1,819 +0,0 @@\n-/* Copyright (c) 2014 Cryptography Research, Inc.\n- * Released under the MIT License. 
See LICENSE.txt for license information.\n- */\n-\n-#include \u0022f_field.h\u0022\n-\n-static inline void __attribute__((gnu_inline,always_inline))\n-smlal (\n- uint64_t *acc,\n- const uint32_t a,\n- const uint32_t b\n-) {\n-\n-#ifdef __ARMEL__\n- uint32_t lo \u003d *acc, hi \u003d (*acc)\u003e\u003e32;\n- \n- __asm__ __volatile__ (\u0022smlal %[lo], %[hi], %[a], %[b]\u0022\n- : [lo]\u0022+\u0026r\u0022(lo), [hi]\u0022+\u0026r\u0022(hi)\n- : [a]\u0022r\u0022(a), [b]\u0022r\u0022(b));\n- \n- *acc \u003d lo + (((uint64_t)hi)\u003c\u003c32);\n-#else\n- *acc +\u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b;\n-#endif\n-}\n-\n-static inline void __attribute__((gnu_inline,always_inline))\n-smlal2 (\n- uint64_t *acc,\n- const uint32_t a,\n- const uint32_t b\n-) {\n-#ifdef __ARMEL__\n- uint32_t lo \u003d *acc, hi \u003d (*acc)\u003e\u003e32;\n- \n- __asm__ __volatile__ (\u0022smlal %[lo], %[hi], %[a], %[b]\u0022\n- : [lo]\u0022+\u0026r\u0022(lo), [hi]\u0022+\u0026r\u0022(hi)\n- : [a]\u0022r\u0022(a), [b]\u0022r\u0022(2*b));\n- \n- *acc \u003d lo + (((uint64_t)hi)\u003c\u003c32);\n-#else\n- *acc +\u003d (int64_t)(int32_t)a * (int64_t)(int32_t)(b * 2);\n-#endif\n-}\n-\n-static inline void __attribute__((gnu_inline,always_inline))\n-smull (\n- uint64_t *acc,\n- const uint32_t a,\n- const uint32_t b\n-) {\n-#ifdef __ARMEL__\n- uint32_t lo, hi;\n- \n- __asm__ __volatile__ (\u0022smull %[lo], %[hi], %[a], %[b]\u0022\n- : [lo]\u0022\u003d\u0026r\u0022(lo), [hi]\u0022\u003d\u0026r\u0022(hi)\n- : [a]\u0022r\u0022(a), [b]\u0022r\u0022(b));\n- \n- *acc \u003d lo + (((uint64_t)hi)\u003c\u003c32);\n-#else\n- *acc \u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b;\n-#endif\n-}\n-\n-static inline void __attribute__((gnu_inline,always_inline))\n-smull2 (\n- uint64_t *acc,\n- const uint32_t a,\n- const uint32_t b\n-) {\n-#ifdef __ARMEL__\n- uint32_t lo, hi;\n- \n- __asm__ /*__volatile__*/ (\u0022smull %[lo], %[hi], %[a], %[b]\u0022\n- : [lo]\u0022\u003d\u0026r\u0022(lo), 
[hi]\u0022\u003d\u0026r\u0022(hi)\n- : [a]\u0022r\u0022(a), [b]\u0022r\u0022(2*b));\n- \n- *acc \u003d lo + (((uint64_t)hi)\u003c\u003c32);\n-#else\n- *acc \u003d (int64_t)(int32_t)a * (int64_t)(int32_t)(b * 2);\n-#endif\n-}\n-\n-void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) {\n- \n- const uint32_t *a \u003d as-\u003elimb, *b \u003d bs-\u003elimb;\n- uint32_t *c \u003d cs-\u003elimb;\n-\n- uint64_t accum0 \u003d 0, accum1 \u003d 0, accum2, accum3, accumC0, accumC1;\n- uint32_t mask \u003d (1\u003c\u003c28) - 1; \n-\n- uint32_t aa[8], bm[8];\n-\n- int i;\n- for (i\u003d0; i\u003c8; i++) {\n- aa[i] \u003d a[i] + a[i+8];\n- bm[i] \u003d b[i] - b[i+8];\n- }\n-\n- uint32_t ax,bx;\n- {\n- /* t^3 terms */\n- smull(\u0026accum1, ax \u003d aa[1], bx \u003d b[15]);\n- smull(\u0026accum3, ax \u003d aa[2], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[14]);\n- smlal(\u0026accum3, ax \u003d aa[3], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[13]);\n- smlal(\u0026accum3, ax \u003d aa[4], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[12]);\n- smlal(\u0026accum3, ax \u003d aa[5], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[11]);\n- smlal(\u0026accum3, ax \u003d aa[6], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[10]);\n- smlal(\u0026accum3, ax \u003d aa[7], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[9]);\n- \n- accum0 \u003d accum1;\n- accum2 \u003d accum3;\n- \n- /* t^2 terms */\n- smlal(\u0026accum2, ax \u003d aa[0], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[8]);\n- smlal(\u0026accum2, ax \u003d aa[1], bx);\n- \n- smlal(\u0026accum0, ax \u003d a[9], bx \u003d b[7]);\n- smlal(\u0026accum2, ax \u003d a[10], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[6]);\n- smlal(\u0026accum2, ax \u003d a[11], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[5]);\n- smlal(\u0026accum2, ax \u003d a[12], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[4]);\n- smlal(\u0026accum2, ax \u003d a[13], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[3]);\n- smlal(\u0026accum2, ax \u003d a[14], bx);\n- 
smlal(\u0026accum0, ax, bx \u003d b[2]);\n- smlal(\u0026accum2, ax \u003d a[15], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[1]);\n- \n- /* t terms */\n- accum1 +\u003d accum0;\n- accum3 +\u003d accum2;\n- smlal(\u0026accum3, ax \u003d a[8], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[0]);\n- smlal(\u0026accum3, ax \u003d a[9], bx);\n- \n- smlal(\u0026accum1, ax \u003d a[1], bx \u003d bm[7]);\n- smlal(\u0026accum3, ax \u003d a[2], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[6]);\n- smlal(\u0026accum3, ax \u003d a[3], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[5]);\n- smlal(\u0026accum3, ax \u003d a[4], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[4]);\n- smlal(\u0026accum3, ax \u003d a[5], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[3]);\n- smlal(\u0026accum3, ax \u003d a[6], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[2]);\n- smlal(\u0026accum3, ax \u003d a[7], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[1]);\n- \n- /* 1 terms */\n- smlal(\u0026accum2, ax \u003d a[0], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[0]);\n- smlal(\u0026accum2, ax \u003d a[1], bx);\n- \n- accum2 +\u003d accum0 \u003e\u003e 28;\n- accum3 +\u003d accum1 \u003e\u003e 28;\n- \n- c[0] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[1] \u003d ((uint32_t)(accum2)) \u0026 mask;\n- c[8] \u003d ((uint32_t)(accum1)) \u0026 mask;\n- c[9] \u003d ((uint32_t)(accum3)) \u0026 mask;\n- \n- accumC0 \u003d accum2 \u003e\u003e 28;\n- accumC1 \u003d accum3 \u003e\u003e 28;\n- }\n- {\n- /* t^3 terms */\n- smull(\u0026accum1, ax \u003d aa[3], bx \u003d b[15]);\n- smull(\u0026accum3, ax \u003d aa[4], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[14]);\n- smlal(\u0026accum3, ax \u003d aa[5], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[13]);\n- smlal(\u0026accum3, ax \u003d aa[6], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[12]);\n- smlal(\u0026accum3, ax \u003d aa[7], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[11]);\n- \n- accum0 \u003d accum1;\n- accum2 \u003d accum3;\n- \n- /* t^2 terms */\n- 
smlal(\u0026accum2, ax \u003d aa[0], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[10]);\n- smlal(\u0026accum2, ax \u003d aa[1], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[9]);\n- smlal(\u0026accum2, ax \u003d aa[2], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[8]);\n- smlal(\u0026accum2, ax \u003d aa[3], bx);\n- \n- smlal(\u0026accum0, ax \u003d a[11], bx \u003d b[7]);\n- smlal(\u0026accum2, ax \u003d a[12], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[6]);\n- smlal(\u0026accum2, ax \u003d a[13], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[5]);\n- smlal(\u0026accum2, ax \u003d a[14], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[4]);\n- smlal(\u0026accum2, ax \u003d a[15], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[3]);\n- \n- /* t terms */\n- accum1 +\u003d accum0;\n- accum3 +\u003d accum2;\n- smlal(\u0026accum3, ax \u003d a[8], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[2]);\n- smlal(\u0026accum3, ax \u003d a[9], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[1]);\n- smlal(\u0026accum3, ax \u003d a[10], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[0]);\n- smlal(\u0026accum3, ax \u003d a[11], bx);\n- \n- smlal(\u0026accum1, ax \u003d a[3], bx \u003d bm[7]);\n- smlal(\u0026accum3, ax \u003d a[4], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[6]);\n- smlal(\u0026accum3, ax \u003d a[5], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[5]);\n- smlal(\u0026accum3, ax \u003d a[6], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[4]);\n- smlal(\u0026accum3, ax \u003d a[7], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[3]);\n- \n- /* 1 terms */\n- smlal(\u0026accum2, ax \u003d a[0], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[2]);\n- smlal(\u0026accum2, ax \u003d a[1], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[1]);\n- smlal(\u0026accum2, ax \u003d a[2], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[0]);\n- smlal(\u0026accum2, ax \u003d a[3], bx);\n- \n- accum0 +\u003d accumC0;\n- accum1 +\u003d accumC1;\n- accum2 +\u003d accum0 \u003e\u003e 28;\n- accum3 +\u003d accum1 \u003e\u003e 
28;\n- \n- c[2] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[3] \u003d ((uint32_t)(accum2)) \u0026 mask;\n- c[10] \u003d ((uint32_t)(accum1)) \u0026 mask;\n- c[11] \u003d ((uint32_t)(accum3)) \u0026 mask;\n- \n- accumC0 \u003d accum2 \u003e\u003e 28;\n- accumC1 \u003d accum3 \u003e\u003e 28;\n- }\n- {\n- \n- /* t^3 terms */\n- smull(\u0026accum1, ax \u003d aa[5], bx \u003d b[15]);\n- smull(\u0026accum3, ax \u003d aa[6], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[14]);\n- smlal(\u0026accum3, ax \u003d aa[7], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[13]);\n- \n- accum0 \u003d accum1;\n- accum2 \u003d accum3;\n- \n- /* t^2 terms */\n- \n- smlal(\u0026accum2, ax \u003d aa[0], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[12]);\n- smlal(\u0026accum2, ax \u003d aa[1], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[11]);\n- smlal(\u0026accum2, ax \u003d aa[2], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[10]);\n- smlal(\u0026accum2, ax \u003d aa[3], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[9]);\n- smlal(\u0026accum2, ax \u003d aa[4], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[8]);\n- smlal(\u0026accum2, ax \u003d aa[5], bx);\n- \n- \n- smlal(\u0026accum0, ax \u003d a[13], bx \u003d b[7]);\n- smlal(\u0026accum2, ax \u003d a[14], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[6]);\n- smlal(\u0026accum2, ax \u003d a[15], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[5]);\n- \n- /* t terms */\n- accum1 +\u003d accum0;\n- accum3 +\u003d accum2;\n- \n- smlal(\u0026accum3, ax \u003d a[8], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[4]);\n- smlal(\u0026accum3, ax \u003d a[9], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[3]);\n- smlal(\u0026accum3, ax \u003d a[10], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[2]);\n- smlal(\u0026accum3, ax \u003d a[11], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[1]);\n- smlal(\u0026accum3, ax \u003d a[12], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[0]);\n- smlal(\u0026accum3, ax \u003d a[13], bx);\n- \n- \n- smlal(\u0026accum1, ax \u003d a[5], bx 
\u003d bm[7]);\n- smlal(\u0026accum3, ax \u003d a[6], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[6]);\n- smlal(\u0026accum3, ax \u003d a[7], bx);\n- smlal(\u0026accum1, ax, bx \u003d bm[5]);\n- \n- /* 1 terms */\n- \n- smlal(\u0026accum2, ax \u003d a[0], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[4]);\n- smlal(\u0026accum2, ax \u003d a[1], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[3]);\n- smlal(\u0026accum2, ax \u003d a[2], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[2]);\n- smlal(\u0026accum2, ax \u003d a[3], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[1]);\n- smlal(\u0026accum2, ax \u003d a[4], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[0]);\n- smlal(\u0026accum2, ax \u003d a[5], bx);\n- \n- accum0 +\u003d accumC0;\n- accum1 +\u003d accumC1;\n- accum2 +\u003d accum0 \u003e\u003e 28;\n- accum3 +\u003d accum1 \u003e\u003e 28;\n- \n- c[4] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[5] \u003d ((uint32_t)(accum2)) \u0026 mask;\n- c[12] \u003d ((uint32_t)(accum1)) \u0026 mask;\n- c[13] \u003d ((uint32_t)(accum3)) \u0026 mask;\n- \n- accumC0 \u003d accum2 \u003e\u003e 28;\n- accumC1 \u003d accum3 \u003e\u003e 28;\n- }\n- {\n- \n- /* t^3 terms */\n- smull(\u0026accum1, ax \u003d aa[7], bx \u003d b[15]);\n- accum0 \u003d accum1;\n- \n- /* t^2 terms */\n- \n- smull(\u0026accum2, ax \u003d aa[0], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[14]);\n- smlal(\u0026accum2, ax \u003d aa[1], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[13]);\n- smlal(\u0026accum2, ax \u003d aa[2], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[12]);\n- smlal(\u0026accum2, ax \u003d aa[3], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[11]);\n- smlal(\u0026accum2, ax \u003d aa[4], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[10]);\n- smlal(\u0026accum2, ax \u003d aa[5], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[9]);\n- smlal(\u0026accum2, ax \u003d aa[6], bx);\n- smlal(\u0026accum0, ax, bx \u003d b[8]);\n- smlal(\u0026accum2, ax \u003d aa[7], bx);\n- \n- \n- smlal(\u0026accum0, ax \u003d 
a[15], bx \u003d b[7]);\n- \n- /* t terms */\n- accum1 +\u003d accum0;\n- accum3 \u003d accum2;\n- \n- smlal(\u0026accum3, ax \u003d a[8], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[6]);\n- smlal(\u0026accum3, ax \u003d a[9], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[5]);\n- smlal(\u0026accum3, ax \u003d a[10], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[4]);\n- smlal(\u0026accum3, ax \u003d a[11], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[3]);\n- smlal(\u0026accum3, ax \u003d a[12], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[2]);\n- smlal(\u0026accum3, ax \u003d a[13], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[1]);\n- smlal(\u0026accum3, ax \u003d a[14], bx);\n- smlal(\u0026accum1, ax, bx \u003d b[0]);\n- smlal(\u0026accum3, ax \u003d a[15], bx);\n- \n- \n- smlal(\u0026accum1, ax \u003d a[7], bx \u003d bm[7]);\n- \n- /* 1 terms */\n- \n- smlal(\u0026accum2, ax \u003d a[0], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[6]);\n- smlal(\u0026accum2, ax \u003d a[1], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[5]);\n- smlal(\u0026accum2, ax \u003d a[2], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[4]);\n- smlal(\u0026accum2, ax \u003d a[3], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[3]);\n- smlal(\u0026accum2, ax \u003d a[4], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[2]);\n- smlal(\u0026accum2, ax \u003d a[5], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[1]);\n- smlal(\u0026accum2, ax \u003d a[6], bx);\n- smlal(\u0026accum0, ax, bx \u003d bm[0]);\n- smlal(\u0026accum2, ax \u003d a[7], bx);\n- \n- accum0 +\u003d accumC0;\n- accum1 +\u003d accumC1;\n- accum2 +\u003d accum0 \u003e\u003e 28;\n- accum3 +\u003d accum1 \u003e\u003e 28;\n- \n- c[6] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[7] \u003d ((uint32_t)(accum2)) \u0026 mask;\n- c[14] \u003d ((uint32_t)(accum1)) \u0026 mask;\n- c[15] \u003d ((uint32_t)(accum3)) \u0026 mask;\n- \n- accum0 \u003d accum2 \u003e\u003e 28;\n- accum1 \u003d accum3 \u003e\u003e 28;\n- }\n-\n- accum0 +\u003d accum1;\n- accum0 
+\u003d c[8];\n- accum1 +\u003d c[0];\n- c[8] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[0] \u003d ((uint32_t)(accum1)) \u0026 mask;\n- \n- accum0 \u003e\u003e\u003d 28;\n- accum1 \u003e\u003e\u003d 28;\n- c[9] +\u003d ((uint32_t)(accum0));\n- c[1] +\u003d ((uint32_t)(accum1));\n-}\n-\n-void gf_sqr (gf_s *__restrict__ cs, const gf as) {\n- const uint32_t *a \u003d as-\u003elimb;\n- uint32_t *c \u003d cs-\u003elimb;\n-\n- uint64_t accum0 \u003d 0, accum1 \u003d 0, accum2, accum3, accumC0, accumC1, tmp;\n- uint32_t mask \u003d (1\u003c\u003c28) - 1; \n-\n- uint32_t bm[8];\n- \n- int i;\n- for (i\u003d0; i\u003c8; i++) {\n- bm[i] \u003d a[i] - a[i+8];\n- }\n-\n- uint32_t ax,bx;\n- {\n- /* t^3 terms */\n- smull2(\u0026accum1, ax \u003d a[9], bx \u003d a[15]);\n- smull2(\u0026accum3, ax \u003d a[10], bx);\n- smlal2(\u0026accum1, ax, bx \u003d a[14]);\n- smlal2(\u0026accum3, ax \u003d a[11], bx);\n- smlal2(\u0026accum1, ax, bx \u003d a[13]);\n- smlal2(\u0026accum3, ax \u003d a[12], bx);\n- smlal(\u0026accum1, ax, ax);\n- \n- accum0 \u003d accum1;\n- accum2 \u003d accum3;\n- \n- /* t^2 terms */\n- smlal2(\u0026accum2, ax \u003d a[8], a[9]);\n- smlal(\u0026accum0, ax, ax);\n- \n- smlal2(\u0026accum0, ax \u003d a[1], bx \u003d a[7]);\n- smlal2(\u0026accum2, ax \u003d a[2], bx);\n- smlal2(\u0026accum0, ax, bx \u003d a[6]);\n- smlal2(\u0026accum2, ax \u003d a[3], bx);\n- smlal2(\u0026accum0, ax, bx \u003d a[5]);\n- smlal2(\u0026accum2, ax \u003d a[4], bx);\n- smlal(\u0026accum0, ax, ax);\n- \n- /* t terms */\n- accum1 +\u003d accum0;\n- accum3 +\u003d accum2;\n- smlal2(\u0026accum3, ax \u003d a[0], bx \u003d a[1]);\n- smlal(\u0026accum1, ax, ax);\n- \n- accum1 \u003d -accum1;\n- accum3 \u003d -accum3;\n- accum2 \u003d -accum2;\n- accum0 \u003d -accum0;\n- \n- smlal2(\u0026accum1, ax \u003d bm[1], bx \u003d bm[7]);\n- smlal2(\u0026accum3, ax \u003d bm[2], bx);\n- smlal2(\u0026accum1, ax, bx \u003d bm[6]);\n- smlal2(\u0026accum3, ax \u003d bm[3], bx);\n- smlal2(\u0026accum1, 
ax, bx \u003d bm[5]);\n- smlal2(\u0026accum3, ax \u003d bm[4], bx);\n- smlal(\u0026accum1, ax, ax);\n- \n- /* 1 terms */\n- smlal2(\u0026accum2, ax \u003d bm[0], bx \u003d bm[1]);\n- smlal(\u0026accum0, ax, ax);\n- \n- tmp \u003d -accum3; accum3 \u003d tmp-accum2; accum2 \u003d tmp;\n- tmp \u003d -accum1; accum1 \u003d tmp-accum0; accum0 \u003d tmp;\n- \n- accum2 +\u003d accum0 \u003e\u003e 28;\n- accum3 +\u003d accum1 \u003e\u003e 28;\n- \n- c[0] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[1] \u003d ((uint32_t)(accum2)) \u0026 mask;\n- c[8] \u003d ((uint32_t)(accum1)) \u0026 mask;\n- c[9] \u003d ((uint32_t)(accum3)) \u0026 mask;\n- \n- accumC0 \u003d accum2 \u003e\u003e 28;\n- accumC1 \u003d accum3 \u003e\u003e 28;\n- }\n- {\n- /* t^3 terms */\n- smull2(\u0026accum1, ax \u003d a[11], bx \u003d a[15]);\n- smull2(\u0026accum3, ax \u003d a[12], bx);\n- smlal2(\u0026accum1, ax, bx \u003d a[14]);\n- smlal2(\u0026accum3, ax \u003d a[13], bx);\n- smlal(\u0026accum1, ax, ax);\n- \n- accum0 \u003d accum1;\n- accum2 \u003d accum3;\n- \n- /* t^2 terms */\n- smlal2(\u0026accum2, ax \u003d a[8], bx \u003d a[11]);\n- smlal2(\u0026accum0, ax, bx \u003d a[10]);\n- smlal2(\u0026accum2, ax \u003d a[9], bx);\n- smlal(\u0026accum0, ax, ax);\n- \n- smlal2(\u0026accum0, ax \u003d a[3], bx \u003d a[7]);\n- smlal2(\u0026accum2, ax \u003d a[4], bx);\n- smlal2(\u0026accum0, ax, bx \u003d a[6]);\n- smlal2(\u0026accum2, ax \u003d a[5], bx);\n- smlal(\u0026accum0, ax, ax);\n- \n- /* t terms */\n- accum1 +\u003d accum0;\n- accum3 +\u003d accum2;\n- smlal2(\u0026accum3, ax \u003d a[0], bx \u003d a[3]);\n- smlal2(\u0026accum1, ax, bx \u003d a[2]);\n- smlal2(\u0026accum3, ax \u003d a[1], bx);\n- smlal(\u0026accum1, ax, ax);\n- \n- accum1 \u003d -accum1;\n- accum3 \u003d -accum3;\n- accum2 \u003d -accum2;\n- accum0 \u003d -accum0;\n- \n- smlal2(\u0026accum1, ax \u003d bm[3], bx \u003d bm[7]);\n- smlal2(\u0026accum3, ax \u003d bm[4], bx);\n- smlal2(\u0026accum1, ax, bx \u003d bm[6]);\n- 
smlal2(\u0026accum3, ax \u003d bm[5], bx);\n- smlal(\u0026accum1, ax, ax);\n- \n- /* 1 terms */\n- smlal2(\u0026accum2, ax \u003d bm[0], bx \u003d bm[3]);\n- smlal2(\u0026accum0, ax, bx \u003d bm[2]);\n- smlal2(\u0026accum2, ax \u003d bm[1], bx);\n- smlal(\u0026accum0, ax, ax);\n- \n- \n- tmp \u003d -accum3; accum3 \u003d tmp-accum2; accum2 \u003d tmp;\n- tmp \u003d -accum1; accum1 \u003d tmp-accum0; accum0 \u003d tmp;\n- \n- accum0 +\u003d accumC0;\n- accum1 +\u003d accumC1;\n- accum2 +\u003d accum0 \u003e\u003e 28;\n- accum3 +\u003d accum1 \u003e\u003e 28;\n- \n- c[2] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[3] \u003d ((uint32_t)(accum2)) \u0026 mask;\n- c[10] \u003d ((uint32_t)(accum1)) \u0026 mask;\n- c[11] \u003d ((uint32_t)(accum3)) \u0026 mask;\n- \n- accumC0 \u003d accum2 \u003e\u003e 28;\n- accumC1 \u003d accum3 \u003e\u003e 28;\n- }\n- {\n- \n- /* t^3 terms */\n- smull2(\u0026accum1, ax \u003d a[13], bx \u003d a[15]);\n- smull2(\u0026accum3, ax \u003d a[14], bx);\n- smlal(\u0026accum1, ax, ax);\n- \n- accum0 \u003d accum1;\n- accum2 \u003d accum3;\n- \n- /* t^2 terms */\n- \n- smlal2(\u0026accum2, ax \u003d a[8], bx \u003d a[13]);\n- smlal2(\u0026accum0, ax, bx \u003d a[12]);\n- smlal2(\u0026accum2, ax \u003d a[9], bx);\n- smlal2(\u0026accum0, ax, bx \u003d a[11]);\n- smlal2(\u0026accum2, ax \u003d a[10], bx);\n- smlal(\u0026accum0, ax, ax);\n- \n- \n- smlal2(\u0026accum0, ax \u003d a[5], bx \u003d a[7]);\n- smlal2(\u0026accum2, ax \u003d a[6], bx);\n- smlal(\u0026accum0, ax, ax);\n- \n- /* t terms */\n- accum1 +\u003d accum0;\n- accum3 +\u003d accum2;\n- \n- smlal2(\u0026accum3, ax \u003d a[0], bx \u003d a[5]);\n- smlal2(\u0026accum1, ax, bx \u003d a[4]);\n- smlal2(\u0026accum3, ax \u003d a[1], bx);\n- smlal2(\u0026accum1, ax, bx \u003d a[3]);\n- smlal2(\u0026accum3, ax \u003d a[2], bx);\n- smlal(\u0026accum1, ax, ax);\n- \n- accum1 \u003d -accum1;\n- accum3 \u003d -accum3;\n- accum2 \u003d -accum2;\n- accum0 \u003d -accum0;\n- \n- 
smlal2(\u0026accum1, ax \u003d bm[5], bx \u003d bm[7]);\n- smlal2(\u0026accum3, ax \u003d bm[6], bx);\n- smlal(\u0026accum1, ax, ax);\n- \n- /* 1 terms */\n- \n- smlal2(\u0026accum2, ax \u003d bm[0], bx \u003d bm[5]);\n- smlal2(\u0026accum0, ax, bx \u003d bm[4]);\n- smlal2(\u0026accum2, ax \u003d bm[1], bx);\n- smlal2(\u0026accum0, ax, bx \u003d bm[3]);\n- smlal2(\u0026accum2, ax \u003d bm[2], bx);\n- smlal(\u0026accum0, ax, ax);\n- \n- \n- tmp \u003d -accum3; accum3 \u003d tmp-accum2; accum2 \u003d tmp;\n- tmp \u003d -accum1; accum1 \u003d tmp-accum0; accum0 \u003d tmp;\n- \n- accum0 +\u003d accumC0;\n- accum1 +\u003d accumC1;\n- accum2 +\u003d accum0 \u003e\u003e 28;\n- accum3 +\u003d accum1 \u003e\u003e 28;\n- \n- c[4] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[5] \u003d ((uint32_t)(accum2)) \u0026 mask;\n- c[12] \u003d ((uint32_t)(accum1)) \u0026 mask;\n- c[13] \u003d ((uint32_t)(accum3)) \u0026 mask;\n- \n- accumC0 \u003d accum2 \u003e\u003e 28;\n- accumC1 \u003d accum3 \u003e\u003e 28;\n- }\n- {\n- \n- /* t^3 terms */\n- smull(\u0026accum1, ax \u003d a[15], bx \u003d a[15]);\n- accum0 \u003d accum1;\n- \n- /* t^2 terms */\n- \n- smull2(\u0026accum2, ax \u003d a[8], bx);\n- smlal2(\u0026accum0, ax, bx \u003d a[14]);\n- smlal2(\u0026accum2, ax \u003d a[9], bx);\n- smlal2(\u0026accum0, ax, bx \u003d a[13]);\n- smlal2(\u0026accum2, ax \u003d a[10], bx);\n- smlal2(\u0026accum0, ax, bx \u003d a[12]);\n- smlal2(\u0026accum2, ax \u003d a[11], bx);\n- smlal(\u0026accum0, ax, ax);\n- \n- \n- smlal(\u0026accum0, ax \u003d a[7], bx \u003d a[7]);\n- \n- /* t terms */\n- accum1 +\u003d accum0;\n- accum3 \u003d accum2;\n- \n- smlal2(\u0026accum3, ax \u003d a[0], bx);\n- smlal2(\u0026accum1, ax, bx \u003d a[6]);\n- smlal2(\u0026accum3, ax \u003d a[1], bx);\n- smlal2(\u0026accum1, ax, bx \u003d a[5]);\n- smlal2(\u0026accum3, ax \u003d a[2], bx);\n- smlal2(\u0026accum1, ax, bx \u003d a[4]);\n- smlal2(\u0026accum3, ax \u003d a[3], bx);\n- smlal(\u0026accum1, ax, ax);\n- \n- 
accum1 \u003d -accum1;\n- accum3 \u003d -accum3;\n- accum2 \u003d -accum2;\n- accum0 \u003d -accum0;\n- \n- bx \u003d bm[7];\n- smlal(\u0026accum1, bx, bx);\n- \n- /* 1 terms */\n- \n- smlal2(\u0026accum2, ax \u003d bm[0], bx);\n- smlal2(\u0026accum0, ax, bx \u003d bm[6]);\n- smlal2(\u0026accum2, ax \u003d bm[1], bx);\n- smlal2(\u0026accum0, ax, bx \u003d bm[5]);\n- smlal2(\u0026accum2, ax \u003d bm[2], bx);\n- smlal2(\u0026accum0, ax, bx \u003d bm[4]);\n- smlal2(\u0026accum2, ax \u003d bm[3], bx);\n- smlal(\u0026accum0, ax, ax);\n- \n- tmp \u003d -accum3; accum3 \u003d tmp-accum2; accum2 \u003d tmp;\n- tmp \u003d -accum1; accum1 \u003d tmp-accum0; accum0 \u003d tmp;\n- \n- \n- accum0 +\u003d accumC0;\n- accum1 +\u003d accumC1;\n- accum2 +\u003d accum0 \u003e\u003e 28;\n- accum3 +\u003d accum1 \u003e\u003e 28;\n- \n- c[6] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[7] \u003d ((uint32_t)(accum2)) \u0026 mask;\n- c[14] \u003d ((uint32_t)(accum1)) \u0026 mask;\n- c[15] \u003d ((uint32_t)(accum3)) \u0026 mask;\n- \n- accum0 \u003d accum2 \u003e\u003e 28;\n- accum1 \u003d accum3 \u003e\u003e 28;\n- }\n-\n- accum0 +\u003d accum1;\n- accum0 +\u003d c[8];\n- accum1 +\u003d c[0];\n- c[8] \u003d ((uint32_t)(accum0)) \u0026 mask;\n- c[0] \u003d ((uint32_t)(accum1)) \u0026 mask;\n- \n- accum0 \u003e\u003e\u003d 28;\n- accum1 \u003e\u003e\u003d 28;\n- c[9] +\u003d ((uint32_t)(accum0));\n- c[1] +\u003d ((uint32_t)(accum1));\n-}\n-\n-void gf_mulw_unsigned (\n- gf_s *__restrict__ cs,\n- const gf as,\n- uint32_t b\n-) {\n- uint32_t mask \u003d (1ull\u003c\u003c28)-1; \n- assert(b \u003c\u003d mask);\n- \n- const uint32_t *a \u003d as-\u003elimb;\n- uint32_t *c \u003d cs-\u003elimb;\n-\n- uint64_t accum0, accum8;\n-\n- int i;\n-\n- uint32_t c0, c8, n0, n8;\n- c0 \u003d a[0]; c8 \u003d a[8];\n- accum0 \u003d widemul(b, c0);\n- accum8 \u003d widemul(b, c8);\n-\n- c[0] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n- c[8] \u003d accum8 \u0026 mask; accum8 
\u003e\u003e\u003d 28;\n- \n- i\u003d1;\n- {\n- n0 \u003d a[i]; n8 \u003d a[i+8];\n- smlal(\u0026accum0, b, n0);\n- smlal(\u0026accum8, b, n8);\n- \n- c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n- c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n- i++;\n- }\n- {\n- c0 \u003d a[i]; c8 \u003d a[i+8];\n- smlal(\u0026accum0, b, c0);\n- smlal(\u0026accum8, b, c8);\n-\n- c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n- c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n- i++;\n- }\n- {\n- n0 \u003d a[i]; n8 \u003d a[i+8];\n- smlal(\u0026accum0, b, n0);\n- smlal(\u0026accum8, b, n8);\n-\n- c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n- c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n- i++;\n- }\n- {\n- c0 \u003d a[i]; c8 \u003d a[i+8];\n- smlal(\u0026accum0, b, c0);\n- smlal(\u0026accum8, b, c8);\n-\n- c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n- c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n- i++;\n- }\n- {\n- n0 \u003d a[i]; n8 \u003d a[i+8];\n- smlal(\u0026accum0, b, n0);\n- smlal(\u0026accum8, b, n8);\n-\n- c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n- c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n- i++;\n- }\n- {\n- c0 \u003d a[i]; c8 \u003d a[i+8];\n- smlal(\u0026accum0, b, c0);\n- smlal(\u0026accum8, b, c8);\n- \n- c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n- c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n- i++;\n- }\n- {\n- n0 \u003d a[i]; n8 \u003d a[i+8];\n- smlal(\u0026accum0, b, n0);\n- smlal(\u0026accum8, b, n8);\n-\n- c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 28;\n- c[i+8] \u003d accum8 \u0026 mask; accum8 \u003e\u003e\u003d 28;\n- i++;\n- }\n-\n- accum0 +\u003d accum8 + c[8];\n- c[8] \u003d accum0 \u0026 mask;\n- c[9] +\u003d accum0 \u003e\u003e 28;\n-\n- accum8 +\u003d c[0];\n- c[0] \u003d accum8 \u0026 mask;\n- c[1] +\u003d 
accum8 \u003e\u003e 28;\n-}\ndiff --git a/crypto/ec/curve448/p448/arch_arm_32/f_impl.h b/crypto/ec/curve448/p448/arch_arm_32/f_impl.h\ndeleted file mode 100644\nindex 09d77aa..0000000\n--- a/crypto/ec/curve448/p448/arch_arm_32/f_impl.h\n+++ /dev/null\n@@ -1,53 +0,0 @@\n-/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n- * Released under the MIT License. See LICENSE.txt for license information.\n- */\n-\n-#define GF_HEADROOM 2\n-#define LIMB(x) (x##ull)\u0026((1ull\u003c\u003c28)-1), (x##ull)\u003e\u003e28\n-#define FIELD_LITERAL(a,b,c,d,e,f,g,h) \u005c\n- {{LIMB(a),LIMB(b),LIMB(c),LIMB(d),LIMB(e),LIMB(f),LIMB(g),LIMB(h)}}\n- \n-#define LIMB_PLACE_VALUE(i) 28\n-\n-void gf_add_RAW (gf out, const gf a, const gf b) {\n- for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint32xn_t); i++) {\n- ((uint32xn_t*)out)[i] \u003d ((const uint32xn_t*)a)[i] + ((const uint32xn_t*)b)[i];\n- }\n- /*\n- for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n- out-\u003elimb[i] \u003d a-\u003elimb[i] + b-\u003elimb[i];\n- }\n- */\n-}\n-\n-void gf_sub_RAW (gf out, const gf a, const gf b) {\n- for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint32xn_t); i++) {\n- ((uint32xn_t*)out)[i] \u003d ((const uint32xn_t*)a)[i] - ((const uint32xn_t*)b)[i];\n- }\n- /*\n- for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n- out-\u003elimb[i] \u003d a-\u003elimb[i] - b-\u003elimb[i];\n- }\n- */\n-}\n-\n-void gf_bias (gf a, int amt) {\n- uint32_t co1 \u003d ((1ull\u003c\u003c28)-1)*amt, co2 \u003d co1-amt;\n- uint32x4_t lo \u003d {co1,co1,co1,co1}, hi \u003d {co2,co1,co1,co1};\n- uint32x4_t *aa \u003d (uint32x4_t*) a;\n- aa[0] +\u003d lo;\n- aa[1] +\u003d lo;\n- aa[2] +\u003d hi;\n- aa[3] +\u003d lo;\n-}\n-\n-void gf_weak_reduce (gf a) {\n- uint64_t mask \u003d (1ull\u003c\u003c28) - 1;\n- uint64_t tmp \u003d a-\u003elimb[15] \u003e\u003e 28;\n- a-\u003elimb[8] +\u003d tmp;\n- for (unsigned int i\u003d15; i\u003e0; i--) {\n- 
a-\u003elimb[i] \u003d (a-\u003elimb[i] \u0026 mask) + (a-\u003elimb[i-1]\u003e\u003e28);\n- }\n- a-\u003elimb[0] \u003d (a-\u003elimb[0] \u0026 mask) + tmp;\n-}\n-\ndiff --git a/crypto/ec/curve448/p448/arch_neon/f_impl.c b/crypto/ec/curve448/p448/arch_neon/f_impl.c\ndeleted file mode 100644\nindex 5e998f9..0000000\n--- a/crypto/ec/curve448/p448/arch_neon/f_impl.c\n+++ /dev/null\n@@ -1,592 +0,0 @@\n-/* Copyright (c) 2014 Cryptography Research, Inc.\n- * Released under the MIT License. See LICENSE.txt for license information.\n- */\n-\n-#include \u0022f_field.h\u0022\n-\n-static __inline__ uint64x2_t __attribute__((gnu_inline,always_inline,unused))\n-xx_vaddup_u64(uint64x2_t x) {\n- __asm__ (\u0022vadd.s64 %f0, %e0\u0022 : \u0022+w\u0022(x));\n- return x;\n-}\n-\n-static __inline__ int64x2_t __attribute__((gnu_inline,always_inline,unused))\n-vrev128_s64(int64x2_t x) {\n- __asm__ (\u0022vswp.s64 %e0, %f0\u0022 : \u0022+w\u0022(x));\n- return x;\n-}\n-\n-static __inline__ uint64x2_t __attribute__((gnu_inline,always_inline))\n-vrev128_u64(uint64x2_t x) {\n- __asm__ (\u0022vswp.s64 %e0, %f0\u0022 : \u0022+w\u0022(x));\n- return x;\n-}\n-\n-static inline void __attribute__((gnu_inline,always_inline,unused))\n-smlal (\n- uint64_t *acc,\n- const uint32_t a,\n- const uint32_t b\n-) {\n- *acc +\u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b;\n-}\n-\n-static inline void __attribute__((gnu_inline,always_inline,unused))\n-smlal2 (\n- uint64_t *acc,\n- const uint32_t a,\n- const uint32_t b\n-) {\n- *acc +\u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b * 2;\n-}\n-\n-static inline void __attribute__((gnu_inline,always_inline,unused))\n-smull (\n- uint64_t *acc,\n- const uint32_t a,\n- const uint32_t b\n-) {\n- *acc \u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b;\n-}\n-\n-static inline void __attribute__((gnu_inline,always_inline,unused))\n-smull2 (\n- uint64_t *acc,\n- const uint32_t a,\n- const uint32_t b\n-) {\n- *acc \u003d (int64_t)(int32_t)a * (int64_t)(int32_t)b * 
2;\n-}\n-\n-void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) {\n- #define _bl0 \u0022q0\u0022\n- #define _bl0_0 \u0022d0\u0022\n- #define _bl0_1 \u0022d1\u0022\n- #define _bh0 \u0022q1\u0022\n- #define _bh0_0 \u0022d2\u0022\n- #define _bh0_1 \u0022d3\u0022\n- #define _bs0 \u0022q2\u0022\n- #define _bs0_0 \u0022d4\u0022\n- #define _bs0_1 \u0022d5\u0022\n- #define _bl2 \u0022q3\u0022\n- #define _bl2_0 \u0022d6\u0022\n- #define _bl2_1 \u0022d7\u0022\n- #define _bh2 \u0022q4\u0022\n- #define _bh2_0 \u0022d8\u0022\n- #define _bh2_1 \u0022d9\u0022\n- #define _bs2 \u0022q5\u0022\n- #define _bs2_0 \u0022d10\u0022\n- #define _bs2_1 \u0022d11\u0022\n-\n- #define _as0 \u0022q6\u0022\n- #define _as0_0 \u0022d12\u0022\n- #define _as0_1 \u0022d13\u0022\n- #define _as2 \u0022q7\u0022\n- #define _as2_0 \u0022d14\u0022\n- #define _as2_1 \u0022d15\u0022\n- #define _al0 \u0022q8\u0022\n- #define _al0_0 \u0022d16\u0022\n- #define _al0_1 \u0022d17\u0022\n- #define _ah0 \u0022q9\u0022\n- #define _ah0_0 \u0022d18\u0022\n- #define _ah0_1 \u0022d19\u0022\n- #define _al2 \u0022q10\u0022\n- #define _al2_0 \u0022d20\u0022\n- #define _al2_1 \u0022d21\u0022\n- #define _ah2 \u0022q11\u0022\n- #define _ah2_0 \u0022d22\u0022\n- #define _ah2_1 \u0022d23\u0022\n-\n- #define _a0a \u0022q12\u0022\n- #define _a0a_0 \u0022d24\u0022\n- #define _a0a_1 \u0022d25\u0022\n- #define _a0b \u0022q13\u0022\n- #define _a0b_0 \u0022d26\u0022\n- #define _a0b_1 \u0022d27\u0022\n- #define _a1a \u0022q14\u0022\n- #define _a1a_0 \u0022d28\u0022\n- #define _a1a_1 \u0022d29\u0022\n- #define _a1b \u0022q15\u0022\n- #define _a1b_0 \u0022d30\u0022\n- #define _a1b_1 \u0022d31\u0022\n- #define VMAC(op,result,a,b,n) #op\u0022 \u0022result\u0022, \u0022a\u0022, \u0022b\u0022[\u0022 #n \u0022]\u005cn\u005ct\u0022\n- #define VOP3(op,result,a,b) #op\u0022 \u0022result\u0022, \u0022a\u0022, \u0022b\u0022\u005cn\u005ct\u0022\n- #define VOP2(op,result,a) #op\u0022 \u0022result\u0022, 
\u0022a\u0022\u005cn\u005ct\u0022\n-\n- int32x2_t *vc \u003d (int32x2_t*) cs-\u003elimb;\n-\n- __asm__ __volatile__(\n- \n- \u0022vld2.32 {\u0022_al0_0\u0022,\u0022_al0_1\u0022,\u0022_ah0_0\u0022,\u0022_ah0_1\u0022}, [%[a],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n- VOP3(vadd.i32,_as0,_al0,_ah0)\n- \n- \u0022vld2.32 {\u0022_bl0_0\u0022,\u0022_bl0_1\u0022,\u0022_bh0_0\u0022,\u0022_bh0_1\u0022}, [%[b],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n- VOP3(vadd.i32,_bs0_1,_bl0_1,_bh0_1)\n- VOP3(vsub.i32,_bs0_0,_bl0_0,_bh0_0)\n- \n- \u0022vld2.32 {\u0022_bl2_0\u0022,\u0022_bl2_1\u0022,\u0022_bh2_0\u0022,\u0022_bh2_1\u0022}, [%[b],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n- VOP3(vadd.i32,_bs2,_bl2,_bh2)\n- \n- \u0022vld2.32 {\u0022_al2_0\u0022,\u0022_al2_1\u0022,\u0022_ah2_0\u0022,\u0022_ah2_1\u0022}, [%[a],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n- VOP3(vadd.i32,_as2,_al2,_ah2)\n- \n- VMAC(vmull.s32,_a0b,_as0_1,_bs2_1,0)\n- VMAC(vmlal.s32,_a0b,_as2_0,_bs2_0,0)\n- VMAC(vmlal.s32,_a0b,_as2_1,_bs0_1,0)\n- VMAC(vmlal.s32,_a0b,_as0_0,_bh0_0,0)\n- \n- VMAC(vmull.s32,_a1b,_as0_1,_bs2_1,1)\n- VMAC(vmlal.s32,_a1b,_as2_0,_bs2_0,1)\n- VMAC(vmlal.s32,_a1b,_as2_1,_bs0_1,1)\n- VMAC(vmlal.s32,_a1b,_as0_0,_bh0_0,1)\n- \n- VOP2(vmov,_a0a,_a0b)\n- VMAC(vmlal.s32,_a0a,_ah0_1,_bh2_1,0)\n- VMAC(vmlal.s32,_a0a,_ah2_0,_bh2_0,0)\n- VMAC(vmlal.s32,_a0a,_ah2_1,_bh0_1,0)\n- VMAC(vmlal.s32,_a0a,_ah0_0,_bl0_0,0)\n- \n- VMAC(vmlsl.s32,_a0b,_al0_1,_bl2_1,0)\n- VMAC(vmlsl.s32,_a0b,_al2_0,_bl2_0,0)\n- VMAC(vmlsl.s32,_a0b,_al2_1,_bl0_1,0)\n- VMAC(vmlal.s32,_a0b,_al0_0,_bs0_0,0)\n- \n- VOP2(vmov,_a1a,_a1b)\n- VMAC(vmlal.s32,_a1a,_ah0_1,_bh2_1,1)\n- VMAC(vmlal.s32,_a1a,_ah2_0,_bh2_0,1)\n- VMAC(vmlal.s32,_a1a,_ah2_1,_bh0_1,1)\n- VMAC(vmlal.s32,_a1a,_ah0_0,_bl0_0,1)\n- \n- VOP2(vswp,_a0b_1,_a0a_0)\n- \n- VMAC(vmlsl.s32,_a1b,_al0_1,_bl2_1,1)\n- VMAC(vmlsl.s32,_a1b,_al2_0,_bl2_0,1)\n- VMAC(vmlsl.s32,_a1b,_al2_1,_bl0_1,1)\n- VMAC(vmlal.s32,_a1b,_al0_0,_bs0_0,1)\n- \n- VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n- 
VOP3(vsub.i32,_bs0_1,_bl0_1,_bh0_1)\n- VOP2(vmovn.i64,_a0b_0,_a0b)\n- \n- VOP2(vswp,_a1b_1,_a1a_0)\n- VOP3(vadd.i64,_a1b,_a0a,_a1b)\n- \n- \n- VMAC(vmull.s32,_a0a,_as2_0,_bs2_1,0)\n- VOP2(vmovn.i64,_a0b_1,_a1b)\n- VMAC(vmlal.s32,_a0a,_as2_1,_bs2_0,0)\n- VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n- VMAC(vmlal.s32,_a0a,_as0_0,_bh0_1,0)\n- VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n- VMAC(vmlal.s32,_a0a,_as0_1,_bh0_0,0)\n- \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n- \n- VMAC(vmull.s32,_a1b,_as2_0,_bs2_1,1)\n- VMAC(vmlal.s32,_a1b,_as2_1,_bs2_0,1)\n- VMAC(vmlal.s32,_a1b,_as0_0,_bh0_1,1)\n- VMAC(vmlal.s32,_a1b,_as0_1,_bh0_0,1)\n-\n- VOP2(vmov,_a0b_1,_a0a_1)\n- VOP3(vadd.i64,_a0b_0,_a0a_0,_a1a_0)\n- VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n- VMAC(vmlal.s32,_a0a,_ah2_0,_bh2_1,0)\n- VMAC(vmlal.s32,_a0a,_ah2_1,_bh2_0,0)\n- VMAC(vmlal.s32,_a0a,_ah0_0,_bl0_1,0)\n- VMAC(vmlal.s32,_a0a,_ah0_1,_bl0_0,0)\n-\n- VMAC(vmlsl.s32,_a0b,_al2_0,_bl2_1,0)\n- VMAC(vmlsl.s32,_a0b,_al2_1,_bl2_0,0)\n- VMAC(vmlal.s32,_a0b,_al0_0,_bs0_1,0)\n- VMAC(vmlal.s32,_a0b,_al0_1,_bs0_0,0)\n-\n- VOP2(vmov,_a1a,_a1b)\n- VMAC(vmlal.s32,_a1a,_ah2_0,_bh2_1,1)\n- VMAC(vmlal.s32,_a1a,_ah2_1,_bh2_0,1)\n- VMAC(vmlal.s32,_a1a,_ah0_0,_bl0_1,1)\n- VMAC(vmlal.s32,_a1a,_ah0_1,_bl0_0,1)\n-\n- VOP2(vswp,_a0b_1,_a0a_0)\n-\n- VMAC(vmlsl.s32,_a1b,_al2_0,_bl2_1,1)\n- VMAC(vmlsl.s32,_a1b,_al2_1,_bl2_0,1)\n- VMAC(vmlal.s32,_a1b,_al0_0,_bs0_1,1)\n- VMAC(vmlal.s32,_a1b,_al0_1,_bs0_0,1)\n- \n- VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n- VOP3(vsub.i32,_bs2_0,_bl2_0,_bh2_0)\n- VOP2(vmovn.i64,_a0b_0,_a0b)\n- \n- VOP2(vswp,_a1b_1,_a1a_0)\n- VOP3(vadd.i64,_a1b,_a0a,_a1b)\n-\n- VMAC(vmull.s32,_a0a,_as2_1,_bs2_1,0)\n- VOP2(vmovn.i64,_a0b_1,_a1b)\n- VMAC(vmlal.s32,_a0a,_as0_0,_bh2_0,0)\n- VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n- VMAC(vmlal.s32,_a0a,_as0_1,_bh0_1,0)\n- VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n- VMAC(vmlal.s32,_a0a,_as2_0,_bh0_0,0)\n- \u0022vstmia %[c]!, 
{\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n-\n- VMAC(vmull.s32,_a1b,_as2_1,_bs2_1,1)\n- VMAC(vmlal.s32,_a1b,_as0_0,_bh2_0,1)\n- VMAC(vmlal.s32,_a1b,_as0_1,_bh0_1,1)\n- VMAC(vmlal.s32,_a1b,_as2_0,_bh0_0,1)\n-\n- VOP2(vmov,_a0b_1,_a0a_1)\n- VOP3(vadd.i64,_a0b_0,_a0a_0,_a1a_0)\n- VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n- VMAC(vmlal.s32,_a0a,_ah2_1,_bh2_1,0)\n- VMAC(vmlal.s32,_a0a,_ah0_0,_bl2_0,0)\n- VMAC(vmlal.s32,_a0a,_ah0_1,_bl0_1,0)\n- VMAC(vmlal.s32,_a0a,_ah2_0,_bl0_0,0)\n-\n- VMAC(vmlsl.s32,_a0b,_al2_1,_bl2_1,0)\n- VMAC(vmlal.s32,_a0b,_al0_0,_bs2_0,0)\n- VMAC(vmlal.s32,_a0b,_al0_1,_bs0_1,0)\n- VMAC(vmlal.s32,_a0b,_al2_0,_bs0_0,0)\n-\n- VOP2(vmov,_a1a,_a1b)\n- VMAC(vmlal.s32,_a1a,_ah2_1,_bh2_1,1)\n- VMAC(vmlal.s32,_a1a,_ah0_0,_bl2_0,1)\n- VMAC(vmlal.s32,_a1a,_ah0_1,_bl0_1,1)\n- VMAC(vmlal.s32,_a1a,_ah2_0,_bl0_0,1)\n-\n- VOP2(vswp,_a0b_1,_a0a_0)\n-\n- VMAC(vmlsl.s32,_a1b,_al2_1,_bl2_1,1)\n- VMAC(vmlal.s32,_a1b,_al0_0,_bs2_0,1)\n- VMAC(vmlal.s32,_a1b,_al0_1,_bs0_1,1)\n- VMAC(vmlal.s32,_a1b,_al2_0,_bs0_0,1)\n- \n- VOP3(vsub.i32,_bs2_1,_bl2_1,_bh2_1)\n- VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n- VOP2(vmovn.i64,_a0b_0,_a0b)\n- \n- VOP2(vswp,_a1b_1,_a1a_0)\n- VOP3(vadd.i64,_a1b,_a0a,_a1b)\n-\n- VMAC(vmull.s32,_a0a,_as0_0,_bh2_1,0)\n- VOP2(vmovn.i64,_a0b_1,_a1b)\n- VMAC(vmlal.s32,_a0a,_as0_1,_bh2_0,0)\n- VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n- VMAC(vmlal.s32,_a0a,_as2_0,_bh0_1,0)\n- VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n- VMAC(vmlal.s32,_a0a,_as2_1,_bh0_0,0)\n- \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n-\n- VMAC(vmull.s32,_a1b,_as0_0,_bh2_1,1)\n- VMAC(vmlal.s32,_a1b,_as0_1,_bh2_0,1)\n- VMAC(vmlal.s32,_a1b,_as2_0,_bh0_1,1)\n- VMAC(vmlal.s32,_a1b,_as2_1,_bh0_0,1)\n-\n- VOP2(vmov,_a0b_1,_a0a_1)\n- VOP3(vadd.i64,_a0b_0,_a0a_0,_a1a_0)\n- VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n- VMAC(vmlal.s32,_a0a,_ah0_0,_bl2_1,0)\n- VMAC(vmlal.s32,_a0a,_ah0_1,_bl2_0,0)\n- 
VMAC(vmlal.s32,_a0a,_ah2_0,_bl0_1,0)\n- VMAC(vmlal.s32,_a0a,_ah2_1,_bl0_0,0)\n-\n- VMAC(vmlal.s32,_a0b,_al0_0,_bs2_1,0)\n- VMAC(vmlal.s32,_a0b,_al0_1,_bs2_0,0)\n- VMAC(vmlal.s32,_a0b,_al2_0,_bs0_1,0)\n- VMAC(vmlal.s32,_a0b,_al2_1,_bs0_0,0)\n-\n- VOP2(vmov,_a1a,_a1b)\n- VMAC(vmlal.s32,_a1a,_ah0_0,_bl2_1,1)\n- VMAC(vmlal.s32,_a1a,_ah0_1,_bl2_0,1)\n- VMAC(vmlal.s32,_a1a,_ah2_0,_bl0_1,1)\n- VMAC(vmlal.s32,_a1a,_ah2_1,_bl0_0,1)\n-\n- VOP2(vswp,_a0b_1,_a0a_0)\n-\n- VMAC(vmlal.s32,_a1b,_al0_0,_bs2_1,1)\n- VMAC(vmlal.s32,_a1b,_al0_1,_bs2_0,1)\n- VMAC(vmlal.s32,_a1b,_al2_0,_bs0_1,1)\n- VMAC(vmlal.s32,_a1b,_al2_1,_bs0_0,1)\n- \n- VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n- VOP2(vmovn.i64,_a0b_0,_a0b)\n- \n- VOP2(vswp,_a1b_1,_a1a_0)\n- VOP3(vadd.i64,_a0a,_a0a,_a1b)\n-\n- VOP2(vmovn.i64,_a0b_1,_a0a)\n- VOP3(vsra.u64,_a1a,_a0a,\u0022#28\u0022)\n- \n- VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022) \n- \n- VOP2(vswp,_a1a_0,_a1a_1)\n- \n- \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022 \n- \u0022sub %[c], #64\u0022 \u0022\u005cn\u005ct\u0022\n- \n- VOP3(vadd.i64,_a1a_1,_a1a_1,_a1a_0)\n- \n- \u0022vldmia %[c], {\u0022_a0a_0\u0022, \u0022_a0a_1\u0022, \u0022_a0b_0\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n- VOP2(vaddw.s32,_a1a,_a0a_0)\n- VOP2(vmovn.i64,_a0a_0,_a1a)\n- VOP2(vshr.s64,_a1a,\u0022#28\u0022)\n- \n- VOP2(vaddw.s32,_a1a,_a0a_1)\n- VOP2(vmovn.i64,_a0a_1,_a1a)\n- VOP2(vshr.s64,_a1a,\u0022#28\u0022)\n- \n- VOP2(vbic.i32,_a0a,\u0022#0xf0000000\u0022)\n- \n- VOP2(vaddw.s32,_a1a,_a0b_0) \n- VOP2(vmovn.i64,_a0b_0,_a1a)\n- \n- \u0022vstmia %[c], {\u0022_a0a_0\u0022, \u0022_a0a_1\u0022, \u0022_a0b_0\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n- \n- : [a]\u0022+r\u0022(as)\n- , [b]\u0022+r\u0022(bs)\n- , [c]\u0022+r\u0022(vc)\n- \n- :: \u0022q0\u0022,\u0022q1\u0022,\u0022q2\u0022,\u0022q3\u0022,\n- \u0022q4\u0022,\u0022q5\u0022,\u0022q6\u0022,\u0022q7\u0022,\n- \u0022q8\u0022,\u0022q9\u0022,\u0022q10\u0022,\u0022q11\u0022,\n- 
\u0022q12\u0022,\u0022q13\u0022,\u0022q14\u0022,\u0022q15\u0022,\n- \u0022memory\u0022\n- );\n-}\n-\n-void gf_sqr (gf_s *__restrict__ cs, const gf bs) {\n- int32x2_t *vc \u003d (int32x2_t*) cs-\u003elimb;\n-\n- __asm__ __volatile__ (\n- \u0022vld2.32 {\u0022_bl0_0\u0022,\u0022_bl0_1\u0022,\u0022_bh0_0\u0022,\u0022_bh0_1\u0022}, [%[b],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n- VOP3(vadd.i32,_bs0_1,_bl0_1,_bh0_1) /* 0 .. 2^30 */\n- VOP3(vsub.i32,_bs0_0,_bl0_0,_bh0_0) /* +- 2^29 */\n- VOP3(vadd.i32,_as0,_bl0,_bh0) /* 0 .. 2^30 */\n- \n- \u0022vld2.32 {\u0022_bl2_0\u0022,\u0022_bl2_1\u0022,\u0022_bh2_0\u0022,\u0022_bh2_1\u0022}, [%[b],:128]!\u0022 \u0022\u005cn\u005ct\u0022\n- VOP3(vadd.i32,_bs2,_bl2,_bh2) /* 0 .. 2^30 */\n- VOP2(vmov,_as2,_bs2)\n- \n- VMAC(vqdmull.s32,_a0b,_as0_1,_bs2_1,0) /* 0 .. 8 * 2^58. danger for vqdmlal is 32 */\n- VMAC(vmlal.s32,_a0b,_as2_0,_bs2_0,0) /* 0 .. 12 */\n- VMAC(vmlal.s32,_a0b,_as0_0,_bh0_0,0) /* 0 .. 14 */\n- \n- VMAC(vqdmull.s32,_a1b,_as0_1,_bs2_1,1) /* 0 .. 8 */\n- VMAC(vmlal.s32,_a1b,_as2_0,_bs2_0,1) /* 0 .. 14 */\n- VMAC(vmlal.s32,_a1b,_as0_0,_bh0_0,1) /* 0 .. 16 */\n- \n- VOP2(vmov,_a0a,_a0b) /* 0 .. 14 */\n- VMAC(vqdmlal.s32,_a0a,_bh0_1,_bh2_1,0) /* 0 .. 16 */\n- VMAC(vmlal.s32,_a0a,_bh2_0,_bh2_0,0) /* 0 .. 17 */\n- VMAC(vmlal.s32,_a0a,_bh0_0,_bl0_0,0) /* 0 .. 18 */\n- \n- VMAC(vqdmlsl.s32,_a0b,_bl0_1,_bl2_1,0) /*-2 .. 14 */\n- VMAC(vmlsl.s32,_a0b,_bl2_0,_bl2_0,0) /*-3 .. 14 */\n- VMAC(vmlal.s32,_a0b,_bl0_0,_bs0_0,0) /*-4 .. 15 */\n- \n- VOP2(vmov,_a1a,_a1b)\n- VMAC(vqdmlal.s32,_a1a,_bh0_1,_bh2_1,1) /* 0 .. 18 */\n- VMAC(vmlal.s32,_a1a,_bh2_0,_bh2_0,1) /* 0 .. 19 */\n- VMAC(vmlal.s32,_a1a,_bh0_0,_bl0_0,1) /* 0 .. 20 */\n- \n- VOP2(vswp,_a0b_1,_a0a_0)\n- \n- VMAC(vqdmlsl.s32,_a1b,_bl0_1,_bl2_1,1) /*-2 .. 16 */\n- VMAC(vmlsl.s32,_a1b,_bl2_0,_bl2_0,1) /*-3 .. 16 */\n- VMAC(vmlal.s32,_a1b,_bl0_0,_bs0_0,1) /*-4 .. 
17 */\n- \n- VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n- VOP3(vsub.i32,_bs0_1,_bl0_1,_bh0_1)\n- VOP2(vmovn.i64,_a0b_0,_a0b)\n- \n- VOP2(vswp,_a1b_1,_a1a_0)\n- VOP3(vadd.i64,_a1b,_a0a,_a1b)\n- \n- \n- VMAC(vqdmull.s32,_a0a,_as2_0,_bs2_1,0) /* 0 .. 8 */\n- VOP2(vmovn.i64,_a0b_1,_a1b)\n- VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n- VMAC(vqdmlal.s32,_a0a,_as0_0,_bh0_1,0) /* 0 .. 12 */\n- VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n- \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n- \n- VMAC(vqdmull.s32,_a1b,_as2_0,_bs2_1,1) /* 0 .. 8 */\n- VMAC(vqdmlal.s32,_a1b,_as0_0,_bh0_1,1) /* 0 .. 12 */\n-\n- VOP2(vmov,_a0b,_a0a) /* 0 .. 12 */\n- VMAC(vqdmlal.s32,_a0a,_bh2_0,_bh2_1,0) /* 0 .. 14 */\n- VMAC(vqdmlal.s32,_a0a,_bh0_0,_bl0_1,0) /* 0 .. 16 */\n-\n- VMAC(vqdmlsl.s32,_a0b,_bl2_0,_bl2_1,0) /*-2 .. 12 */\n- VMAC(vqdmlal.s32,_a0b,_bl0_0,_bs0_1,0) /*-4 .. 14 */\n- VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n- VOP3(vadd.i64,_a0b_0,_a0b_0,_a1a_0)\n-\n- VOP2(vmov,_a1a,_a1b) /* 0 .. 12 */\n- VMAC(vqdmlal.s32,_a1a,_bh2_0,_bh2_1,1) /* 0 .. 14 */\n- VMAC(vqdmlal.s32,_a1a,_bh0_0,_bl0_1,1) /* 0 .. 16 */\n-\n- VOP2(vswp,_a0b_1,_a0a_0)\n-\n- VMAC(vqdmlsl.s32,_a1b,_bl2_0,_bl2_1,1) /*-2 .. 12 */\n- VMAC(vqdmlal.s32,_a1b,_bl0_0,_bs0_1,1) /*-4 .. 
14 */\n- \n- VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n- VOP3(vsub.i32,_bs2_0,_bl2_0,_bh2_0)\n- VOP2(vmovn.i64,_a0b_0,_a0b)\n- \n- VOP2(vswp,_a1b_1,_a1a_0)\n- VOP3(vadd.i64,_a1b,_a0a,_a1b)\n-\n- VMAC(vmull.s32,_a0a,_as2_1,_bs2_1,0)\n- VOP2(vmovn.i64,_a0b_1,_a1b)\n- VMAC(vqdmlal.s32,_a0a,_as0_0,_bh2_0,0)\n- VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n- VMAC(vmlal.s32,_a0a,_as0_1,_bh0_1,0)\n- VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n- \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n-\n- VMAC(vmull.s32,_a1b,_as2_1,_bs2_1,1)\n- VMAC(vqdmlal.s32,_a1b,_as0_0,_bh2_0,1)\n- VMAC(vmlal.s32,_a1b,_as0_1,_bh0_1,1)\n-\n- VOP2(vmov,_a0b_1,_a0a_1)\n- VOP3(vadd.i64,_a0b_0,_a0a_0,_a1a_0)\n- VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n- VMAC(vmlal.s32,_a0a,_bh2_1,_bh2_1,0)\n- VMAC(vqdmlal.s32,_a0a,_bh0_0,_bl2_0,0)\n- VMAC(vmlal.s32,_a0a,_bh0_1,_bl0_1,0)\n-\n- VMAC(vmlsl.s32,_a0b,_bl2_1,_bl2_1,0)\n- VMAC(vqdmlal.s32,_a0b,_bl0_0,_bs2_0,0)\n- VMAC(vmlal.s32,_a0b,_bl0_1,_bs0_1,0)\n-\n- VOP2(vmov,_a1a,_a1b)\n- VMAC(vmlal.s32,_a1a,_bh2_1,_bh2_1,1)\n- VMAC(vqdmlal.s32,_a1a,_bh0_0,_bl2_0,1)\n- VMAC(vmlal.s32,_a1a,_bh0_1,_bl0_1,1)\n-\n- VOP2(vswp,_a0b_1,_a0a_0)\n-\n- VMAC(vmlsl.s32,_a1b,_bl2_1,_bl2_1,1)\n- VMAC(vqdmlal.s32,_a1b,_bl0_0,_bs2_0,1)\n- VMAC(vmlal.s32,_a1b,_bl0_1,_bs0_1,1)\n- \n- VOP3(vsub.i32,_bs2_1,_bl2_1,_bh2_1)\n- VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n- VOP2(vmovn.i64,_a0b_0,_a0b)\n- \n- VOP2(vswp,_a1b_1,_a1a_0)\n- VOP3(vadd.i64,_a1b,_a0a,_a1b)\n-\n- VMAC(vqdmull.s32,_a0a,_as0_0,_bh2_1,0)\n- VOP2(vmovn.i64,_a0b_1,_a1b)\n- VOP3(vsra.u64,_a1a,_a1b,\u0022#28\u0022)\n- VMAC(vqdmlal.s32,_a0a,_as2_0,_bh0_1,0)\n- VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022)\n- \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n-\n- VMAC(vqdmull.s32,_a1b,_as0_0,_bh2_1,1)\n- VMAC(vqdmlal.s32,_a1b,_as2_0,_bh0_1,1)\n-\n- VOP2(vmov,_a0b_1,_a0a_1)\n- VOP3(vadd.i64,_a0b_0,_a0a_0,_a1a_0)\n- 
VOP3(vadd.i64,_a0a_0,_a0a_0,_a1a_1)\n- VMAC(vqdmlal.s32,_a0a,_bh0_0,_bl2_1,0)\n- VMAC(vqdmlal.s32,_a0a,_bh2_0,_bl0_1,0)\n-\n- VMAC(vqdmlal.s32,_a0b,_bl0_0,_bs2_1,0)\n- VMAC(vqdmlal.s32,_a0b,_bl2_0,_bs0_1,0)\n-\n- VOP2(vmov,_a1a,_a1b)\n- VMAC(vqdmlal.s32,_a1a,_bh0_0,_bl2_1,1)\n- VMAC(vqdmlal.s32,_a1a,_bh2_0,_bl0_1,1)\n-\n- VOP2(vswp,_a0b_1,_a0a_0)\n-\n- VMAC(vqdmlal.s32,_a1b,_bl0_0,_bs2_1,1)\n- VMAC(vqdmlal.s32,_a1b,_bl2_0,_bs0_1,1)\n- \n- VOP3(vsra.u64,_a0a,_a0b,\u0022#28\u0022)\n- VOP2(vmovn.i64,_a0b_0,_a0b)\n- \n- VOP2(vswp,_a1b_1,_a1a_0)\n- VOP3(vadd.i64,_a0a,_a0a,_a1b)\n-\n- VOP2(vmovn.i64,_a0b_1,_a0a)\n- VOP3(vsra.u64,_a1a,_a0a,\u0022#28\u0022)\n- \n- VOP2(vbic.i32,_a0b,\u0022#0xf0000000\u0022) \n- \n- VOP2(vswp,_a1a_0,_a1a_1)\n- \n- \u0022vstmia %[c]!, {\u0022_a0b_0\u0022, \u0022_a0b_1\u0022}\u0022 \u0022\u005cn\u005ct\u0022 \n- \u0022sub %[c], #64\u0022 \u0022\u005cn\u005ct\u0022\n- \n- VOP3(vadd.i64,_a1a_1,_a1a_1,_a1a_0)\n- \n- \u0022vldmia %[c], {\u0022_a0a_0\u0022, \u0022_a0a_1\u0022, \u0022_a0b_0\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n- VOP2(vaddw.s32,_a1a,_a0a_0)\n- VOP2(vmovn.i64,_a0a_0,_a1a)\n- VOP2(vshr.s64,_a1a,\u0022#28\u0022)\n- \n- VOP2(vaddw.s32,_a1a,_a0a_1)\n- VOP2(vmovn.i64,_a0a_1,_a1a)\n- VOP2(vshr.s64,_a1a,\u0022#28\u0022)\n- \n- VOP2(vbic.i32,_a0a,\u0022#0xf0000000\u0022)\n- \n- VOP2(vaddw.s32,_a1a,_a0b_0) \n- VOP2(vmovn.i64,_a0b_0,_a1a)\n- \n- \u0022vstmia %[c], {\u0022_a0a_0\u0022, \u0022_a0a_1\u0022, \u0022_a0b_0\u0022}\u0022 \u0022\u005cn\u005ct\u0022\n- \n- : [b]\u0022+r\u0022(bs)\n- , [c]\u0022+r\u0022(vc)\n- \n- :: \u0022q0\u0022,\u0022q1\u0022,\u0022q2\u0022,\u0022q3\u0022,\n- \u0022q4\u0022,\u0022q5\u0022,\u0022q6\u0022,\u0022q7\u0022,\n- \u0022q12\u0022,\u0022q13\u0022,\u0022q14\u0022,\u0022q15\u0022,\n- \u0022memory\u0022\n- );\n-}\n-\n-void gf_mulw_unsigned (gf_s *__restrict__ cs, const gf as, uint32_t b) { \n- uint32x2_t vmask \u003d {(1\u003c\u003c28) - 1, (1\u003c\u003c28)-1};\n- assert(b\u003c(1\u003c\u003c28));\n- \n- 
uint64x2_t accum;\n- const uint32x2_t *va \u003d (const uint32x2_t *) as-\u003elimb;\n- uint32x2_t *vo \u003d (uint32x2_t *) cs-\u003elimb;\n- uint32x2_t vc, vn;\n- uint32x2_t vb \u003d {b, 0};\n- \n- vc \u003d va[0];\n- accum \u003d vmull_lane_u32(vc, vb, 0);\n- vo[0] \u003d vmovn_u64(accum) \u0026 vmask;\n- accum \u003d vshrq_n_u64(accum,28);\n- \n- /* PERF: the right way to do this is to reduce behind, i.e.\n- * vmull + vmlal round 0\n- * vmull + vmlal round 1\n- * vmull + vmlal round 2\n- * vsraq round 0, 1\n- * vmull + vmlal round 3\n- * vsraq round 1, 2\n- * ...\n- */\n- \n- int i;\n- for (i\u003d1; i\u003c8; i++) {\n- vn \u003d va[i];\n- accum \u003d vmlal_lane_u32(accum, vn, vb, 0);\n- vo[i] \u003d vmovn_u64(accum) \u0026 vmask;\n- accum \u003d vshrq_n_u64(accum,28);\n- vc \u003d vn;\n- }\n- \n- accum \u003d xx_vaddup_u64(vrev128_u64(accum));\n- accum \u003d vaddw_u32(accum, vo[0]);\n- vo[0] \u003d vmovn_u64(accum) \u0026 vmask;\n- \n- accum \u003d vshrq_n_u64(accum,28);\n- vo[1] +\u003d vmovn_u64(accum);\n-}\ndiff --git a/crypto/ec/curve448/p448/arch_neon/f_impl.h b/crypto/ec/curve448/p448/arch_neon/f_impl.h\ndeleted file mode 100644\nindex ba48d8c..0000000\n--- a/crypto/ec/curve448/p448/arch_neon/f_impl.h\n+++ /dev/null\n@@ -1,56 +0,0 @@\n-/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n- * Released under the MIT License. 
See LICENSE.txt for license information.\n- */\n-\n-#define GF_HEADROOM 2\n-#define LIMBPERM(x) (((x)\u003c\u003c1 | (x)\u003e\u003e3) \u0026 15)\n-#define USE_NEON_PERM 1\n-#define LIMBHI(x) ((x##ull)\u003e\u003e28)\n-#define LIMBLO(x) ((x##ull)\u0026((1ull\u003c\u003c28)-1))\n-# define FIELD_LITERAL(a,b,c,d,e,f,g,h) \u005c\n- {{LIMBLO(a),LIMBLO(e), LIMBHI(a),LIMBHI(e), \u005c\n- LIMBLO(b),LIMBLO(f), LIMBHI(b),LIMBHI(f), \u005c\n- LIMBLO(c),LIMBLO(g), LIMBHI(c),LIMBHI(g), \u005c\n- LIMBLO(d),LIMBLO(h), LIMBHI(d),LIMBHI(h)}}\n- \n-#define LIMB_PLACE_VALUE(i) 28\n-\n-void gf_add_RAW (gf out, const gf a, const gf b) {\n- for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint32xn_t); i++) {\n- ((uint32xn_t*)out)[i] \u003d ((const uint32xn_t*)a)[i] + ((const uint32xn_t*)b)[i];\n- }\n-}\n-\n-void gf_sub_RAW (gf out, const gf a, const gf b) {\n- for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint32xn_t); i++) {\n- ((uint32xn_t*)out)[i] \u003d ((const uint32xn_t*)a)[i] - ((const uint32xn_t*)b)[i];\n- }\n- /*\n- unsigned int i;\n- for (i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n- out-\u003elimb[i] \u003d a-\u003elimb[i] - b-\u003elimb[i];\n- }\n- */\n-}\n-\n-void gf_bias (gf a, int amt) {\n- uint32_t co1 \u003d ((1ull\u003c\u003c28)-1)*amt, co2 \u003d co1-amt;\n- uint32x4_t lo \u003d {co1,co2,co1,co1}, hi \u003d {co1,co1,co1,co1};\n- uint32x4_t *aa \u003d (uint32x4_t*) a;\n- aa[0] +\u003d lo;\n- aa[1] +\u003d hi;\n- aa[2] +\u003d hi;\n- aa[3] +\u003d hi;\n-}\n-\n-void gf_weak_reduce (gf a) {\n-\n- uint32x2_t *aa \u003d (uint32x2_t*) a, vmask \u003d {(1ull\u003c\u003c28)-1, (1ull\u003c\u003c28)-1}, vm2 \u003d {0,-1},\n- tmp \u003d vshr_n_u32(aa[7],28);\n- \n- for (unsigned int i\u003d7; i\u003e\u003d1; i--) {\n- aa[i] \u003d vsra_n_u32(aa[i] \u0026 vmask, aa[i-1], 28);\n- }\n- aa[0] \u003d (aa[0] \u0026 vmask) + vrev64_u32(tmp) + (tmp\u0026vm2);\n-}\n-\ndiff --git a/crypto/ec/curve448/p448/arch_ref64/f_impl.c 
b/crypto/ec/curve448/p448/arch_ref64/f_impl.c\ndeleted file mode 100644\nindex 5268100..0000000\n--- a/crypto/ec/curve448/p448/arch_ref64/f_impl.c\n+++ /dev/null\n@@ -1,302 +0,0 @@\n-/* Copyright (c) 2014 Cryptography Research, Inc.\n- * Released under the MIT License. See LICENSE.txt for license information.\n- */\n-\n-#include \u0022f_field.h\u0022\n-\n-void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) {\n- const uint64_t *a \u003d as-\u003elimb, *b \u003d bs-\u003elimb;\n- uint64_t *c \u003d cs-\u003elimb;\n-\n- __uint128_t accum0 \u003d 0, accum1 \u003d 0, accum2;\n- uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n-\n- uint64_t aa[4], bb[4], bbb[4];\n-\n- unsigned int i;\n- for (i\u003d0; i\u003c4; i++) {\n- aa[i] \u003d a[i] + a[i+4];\n- bb[i] \u003d b[i] + b[i+4];\n- bbb[i] \u003d bb[i] + b[i+4];\n- }\n-\n- int I_HATE_UNROLLED_LOOPS \u003d 0;\n-\n- if (I_HATE_UNROLLED_LOOPS) {\n- /* The compiler probably won't unroll this,\n- * so it's like 80% slower.\n- */\n- for (i\u003d0; i\u003c4; i++) {\n- accum2 \u003d 0;\n-\n- unsigned int j;\n- for (j\u003d0; j\u003c\u003di; j++) {\n- accum2 +\u003d widemul(a[j], b[i-j]);\n- accum1 +\u003d widemul(aa[j], bb[i-j]);\n- accum0 +\u003d widemul(a[j+4], b[i-j+4]);\n- }\n- for (; j\u003c4; j++) {\n- accum2 +\u003d widemul(a[j], b[i-j+8]);\n- accum1 +\u003d widemul(aa[j], bbb[i-j+4]);\n- accum0 +\u003d widemul(a[j+4], bb[i-j+4]);\n- }\n-\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[i] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[i+4] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n- }\n- } else {\n- accum2 \u003d widemul(a[0], b[0]);\n- accum1 +\u003d widemul(aa[0], bb[0]);\n- accum0 +\u003d widemul(a[4], b[4]);\n-\n- accum2 +\u003d widemul(a[1], b[7]);\n- accum1 +\u003d widemul(aa[1], bbb[3]);\n- accum0 +\u003d widemul(a[5], bb[3]);\n-\n- accum2 +\u003d widemul(a[2], b[6]);\n- accum1 +\u003d widemul(aa[2], bbb[2]);\n- accum0 +\u003d 
widemul(a[6], bb[2]);\n-\n- accum2 +\u003d widemul(a[3], b[5]);\n- accum1 +\u003d widemul(aa[3], bbb[1]);\n- accum0 +\u003d widemul(a[7], bb[1]);\n-\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[0] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[4] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- accum2 \u003d widemul(a[0], b[1]);\n- accum1 +\u003d widemul(aa[0], bb[1]);\n- accum0 +\u003d widemul(a[4], b[5]);\n-\n- accum2 +\u003d widemul(a[1], b[0]);\n- accum1 +\u003d widemul(aa[1], bb[0]);\n- accum0 +\u003d widemul(a[5], b[4]);\n-\n- accum2 +\u003d widemul(a[2], b[7]);\n- accum1 +\u003d widemul(aa[2], bbb[3]);\n- accum0 +\u003d widemul(a[6], bb[3]);\n-\n- accum2 +\u003d widemul(a[3], b[6]);\n- accum1 +\u003d widemul(aa[3], bbb[2]);\n- accum0 +\u003d widemul(a[7], bb[2]);\n-\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[1] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[5] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- accum2 \u003d widemul(a[0], b[2]);\n- accum1 +\u003d widemul(aa[0], bb[2]);\n- accum0 +\u003d widemul(a[4], b[6]);\n-\n- accum2 +\u003d widemul(a[1], b[1]);\n- accum1 +\u003d widemul(aa[1], bb[1]);\n- accum0 +\u003d widemul(a[5], b[5]);\n-\n- accum2 +\u003d widemul(a[2], b[0]);\n- accum1 +\u003d widemul(aa[2], bb[0]);\n- accum0 +\u003d widemul(a[6], b[4]);\n-\n- accum2 +\u003d widemul(a[3], b[7]);\n- accum1 +\u003d widemul(aa[3], bbb[3]);\n- accum0 +\u003d widemul(a[7], bb[3]);\n-\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[2] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[6] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- accum2 \u003d widemul(a[0], b[3]);\n- accum1 +\u003d widemul(aa[0], bb[3]);\n- accum0 +\u003d widemul(a[4], b[7]);\n-\n- accum2 +\u003d widemul(a[1], b[2]);\n- accum1 +\u003d widemul(aa[1], 
bb[2]);\n- accum0 +\u003d widemul(a[5], b[6]);\n-\n- accum2 +\u003d widemul(a[2], b[1]);\n- accum1 +\u003d widemul(aa[2], bb[1]);\n- accum0 +\u003d widemul(a[6], b[5]);\n-\n- accum2 +\u003d widemul(a[3], b[0]);\n- accum1 +\u003d widemul(aa[3], bb[0]);\n- accum0 +\u003d widemul(a[7], b[4]);\n-\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[3] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[7] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n- } /* !I_HATE_UNROLLED_LOOPS */\n-\n- accum0 +\u003d accum1;\n- accum0 +\u003d c[4];\n- accum1 +\u003d c[0];\n- c[4] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[0] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- c[5] +\u003d ((uint64_t)(accum0));\n- c[1] +\u003d ((uint64_t)(accum1));\n-}\n-\n-void gf_mulw_unsigned (gf_s *__restrict__ cs, const gf as, uint32_t b) {\n- const uint64_t *a \u003d as-\u003elimb;\n- uint64_t *c \u003d cs-\u003elimb;\n-\n- __uint128_t accum0 \u003d 0, accum4 \u003d 0;\n- uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n-\n- int i;\n- for (i\u003d0; i\u003c4; i++) {\n- accum0 +\u003d widemul(b, a[i]);\n- accum4 +\u003d widemul(b, a[i+4]);\n- c[i] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 56;\n- c[i+4] \u003d accum4 \u0026 mask; accum4 \u003e\u003e\u003d 56;\n- }\n- \n- accum0 +\u003d accum4 + c[4];\n- c[4] \u003d accum0 \u0026 mask;\n- c[5] +\u003d accum0 \u003e\u003e 56;\n-\n- accum4 +\u003d c[0];\n- c[0] \u003d accum4 \u0026 mask;\n- c[1] +\u003d accum4 \u003e\u003e 56;\n-}\n-\n-void gf_sqr (gf_s *__restrict__ cs, const gf as) {\n- const uint64_t *a \u003d as-\u003elimb;\n- uint64_t *c \u003d cs-\u003elimb;\n-\n- __uint128_t accum0 \u003d 0, accum1 \u003d 0, accum2;\n- uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n-\n- uint64_t aa[4];\n-\n- /* For some reason clang doesn't vectorize this without prompting? 
*/\n- unsigned int i;\n- for (i\u003d0; i\u003c4; i++) {\n- aa[i] \u003d a[i] + a[i+4];\n- }\n-\n- accum2 \u003d widemul(a[0],a[3]);\n- accum0 \u003d widemul(aa[0],aa[3]);\n- accum1 \u003d widemul(a[4],a[7]);\n-\n- accum2 +\u003d widemul(a[1], a[2]);\n- accum0 +\u003d widemul(aa[1], aa[2]);\n- accum1 +\u003d widemul(a[5], a[6]);\n-\n- accum0 -\u003d accum2;\n- accum1 +\u003d accum2;\n-\n- c[3] \u003d ((uint64_t)(accum1))\u003c\u003c1 \u0026 mask;\n- c[7] \u003d ((uint64_t)(accum0))\u003c\u003c1 \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 55;\n- accum1 \u003e\u003e\u003d 55;\n-\n- accum0 +\u003d widemul(2*aa[1],aa[3]);\n- accum1 +\u003d widemul(2*a[5], a[7]);\n- accum0 +\u003d widemul(aa[2], aa[2]);\n- accum1 +\u003d accum0;\n-\n- accum0 -\u003d widemul(2*a[1], a[3]);\n- accum1 +\u003d widemul(a[6], a[6]);\n- \n- accum2 \u003d widemul(a[0],a[0]);\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- accum0 -\u003d widemul(a[2], a[2]);\n- accum1 +\u003d widemul(aa[0], aa[0]);\n- accum0 +\u003d widemul(a[4], a[4]);\n-\n- c[0] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[4] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- accum2 \u003d widemul(2*aa[2],aa[3]);\n- accum0 -\u003d widemul(2*a[2], a[3]);\n- accum1 +\u003d widemul(2*a[6], a[7]);\n-\n- accum1 +\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- accum2 \u003d widemul(2*a[0],a[1]);\n- accum1 +\u003d widemul(2*aa[0], aa[1]);\n- accum0 +\u003d widemul(2*a[4], a[5]);\n-\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[1] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[5] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- accum2 \u003d widemul(aa[3],aa[3]);\n- accum0 -\u003d widemul(a[3], a[3]);\n- accum1 +\u003d widemul(a[7], a[7]);\n-\n- accum1 +\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- accum2 \u003d widemul(2*a[0],a[2]);\n- accum1 +\u003d widemul(2*aa[0], aa[2]);\n- 
accum0 +\u003d widemul(2*a[4], a[6]);\n-\n- accum2 +\u003d widemul(a[1], a[1]);\n- accum1 +\u003d widemul(aa[1], aa[1]);\n- accum0 +\u003d widemul(a[5], a[5]);\n-\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[2] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[6] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- accum0 +\u003d c[3];\n- accum1 +\u003d c[7];\n- c[3] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[7] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- /* we could almost stop here, but it wouldn't be stable, so... */\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n- c[4] +\u003d ((uint64_t)(accum0)) + ((uint64_t)(accum1));\n- c[0] +\u003d ((uint64_t)(accum1));\n-}\n-\ndiff --git a/crypto/ec/curve448/p448/arch_ref64/f_impl.h b/crypto/ec/curve448/p448/arch_ref64/f_impl.h\ndeleted file mode 100644\nindex 05206bf..0000000\n--- a/crypto/ec/curve448/p448/arch_ref64/f_impl.h\n+++ /dev/null\n@@ -1,38 +0,0 @@\n-/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n- * Released under the MIT License. See LICENSE.txt for license information.\n- */\n-\n-#define GF_HEADROOM 9999 /* Everything is reduced anyway */\n-#define FIELD_LITERAL(a,b,c,d,e,f,g,h) {{a,b,c,d,e,f,g,h}}\n- \n-#define LIMB_PLACE_VALUE(i) 56\n-\n-void gf_add_RAW (gf out, const gf a, const gf b) {\n- for (unsigned int i\u003d0; i\u003c8; i++) {\n- out-\u003elimb[i] \u003d a-\u003elimb[i] + b-\u003elimb[i];\n- }\n- gf_weak_reduce(out);\n-}\n-\n-void gf_sub_RAW (gf out, const gf a, const gf b) {\n- uint64_t co1 \u003d ((1ull\u003c\u003c56)-1)*2, co2 \u003d co1-2;\n- for (unsigned int i\u003d0; i\u003c8; i++) {\n- out-\u003elimb[i] \u003d a-\u003elimb[i] - b-\u003elimb[i] + ((i\u003d\u003d4) ? 
co2 : co1);\n- }\n- gf_weak_reduce(out);\n-}\n-\n-void gf_bias (gf a, int amt) {\n- (void) a;\n- (void) amt;\n-}\n-\n-void gf_weak_reduce (gf a) {\n- uint64_t mask \u003d (1ull\u003c\u003c56) - 1;\n- uint64_t tmp \u003d a-\u003elimb[7] \u003e\u003e 56;\n- a-\u003elimb[4] +\u003d tmp;\n- for (unsigned int i\u003d7; i\u003e0; i--) {\n- a-\u003elimb[i] \u003d (a-\u003elimb[i] \u0026 mask) + (a-\u003elimb[i-1]\u003e\u003e56);\n- }\n- a-\u003elimb[0] \u003d (a-\u003elimb[0] \u0026 mask) + tmp;\n-}\ndiff --git a/crypto/ec/curve448/p448/arch_x86_64/f_impl.c b/crypto/ec/curve448/p448/arch_x86_64/f_impl.c\ndeleted file mode 100644\nindex 1e1d76d..0000000\n--- a/crypto/ec/curve448/p448/arch_x86_64/f_impl.c\n+++ /dev/null\n@@ -1,291 +0,0 @@\n-/* Copyright (c) 2014 Cryptography Research, Inc.\n- * Released under the MIT License. See LICENSE.txt for license information.\n- */\n-\n-#include \u0022f_field.h\u0022\n-\n-void gf_mul (gf_s *__restrict__ cs, const gf as, const gf bs) {\n- const uint64_t *a \u003d as-\u003elimb, *b \u003d bs-\u003elimb;\n- uint64_t *c \u003d cs-\u003elimb;\n-\n- __uint128_t accum0 \u003d 0, accum1 \u003d 0, accum2;\n- uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n-\n- uint64_t aa[4] VECTOR_ALIGNED, bb[4] VECTOR_ALIGNED, bbb[4] VECTOR_ALIGNED;\n-\n- /* For some reason clang doesn't vectorize this without prompting? 
*/\n- unsigned int i;\n- for (i\u003d0; i\u003csizeof(aa)/sizeof(uint64xn_t); i++) {\n- ((uint64xn_t*)aa)[i] \u003d ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)(\u0026a[4]))[i];\n- ((uint64xn_t*)bb)[i] \u003d ((const uint64xn_t*)b)[i] + ((const uint64xn_t*)(\u0026b[4]))[i]; \n- ((uint64xn_t*)bbb)[i] \u003d ((const uint64xn_t*)bb)[i] + ((const uint64xn_t*)(\u0026b[4]))[i]; \n- }\n- /*\n- for (int i\u003d0; i\u003c4; i++) {\n- aa[i] \u003d a[i] + a[i+4];\n- bb[i] \u003d b[i] + b[i+4];\n- }\n- */\n-\n- accum2 \u003d widemul(\u0026a[0],\u0026b[3]);\n- accum0 \u003d widemul(\u0026aa[0],\u0026bb[3]);\n- accum1 \u003d widemul(\u0026a[4],\u0026b[7]);\n-\n- mac(\u0026accum2, \u0026a[1], \u0026b[2]);\n- mac(\u0026accum0, \u0026aa[1], \u0026bb[2]);\n- mac(\u0026accum1, \u0026a[5], \u0026b[6]);\n-\n- mac(\u0026accum2, \u0026a[2], \u0026b[1]);\n- mac(\u0026accum0, \u0026aa[2], \u0026bb[1]);\n- mac(\u0026accum1, \u0026a[6], \u0026b[5]);\n-\n- mac(\u0026accum2, \u0026a[3], \u0026b[0]);\n- mac(\u0026accum0, \u0026aa[3], \u0026bb[0]);\n- mac(\u0026accum1, \u0026a[7], \u0026b[4]);\n-\n- accum0 -\u003d accum2;\n- accum1 +\u003d accum2;\n-\n- c[3] \u003d ((uint64_t)(accum1)) \u0026 mask;\n- c[7] \u003d ((uint64_t)(accum0)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n- \n- mac(\u0026accum0, \u0026aa[1],\u0026bb[3]);\n- mac(\u0026accum1, \u0026a[5], \u0026b[7]);\n- mac(\u0026accum0, \u0026aa[2], \u0026bb[2]);\n- mac(\u0026accum1, \u0026a[6], \u0026b[6]);\n- mac(\u0026accum0, \u0026aa[3], \u0026bb[1]);\n- accum1 +\u003d accum0;\n-\n- accum2 \u003d widemul(\u0026a[0],\u0026b[0]);\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n- \n- msb(\u0026accum0, \u0026a[1], \u0026b[3]);\n- msb(\u0026accum0, \u0026a[2], \u0026b[2]);\n- mac(\u0026accum1, \u0026a[7], \u0026b[5]);\n- msb(\u0026accum0, \u0026a[3], \u0026b[1]);\n- mac(\u0026accum1, \u0026aa[0], \u0026bb[0]);\n- mac(\u0026accum0, \u0026a[4], \u0026b[4]);\n-\n- c[0] \u003d ((uint64_t)(accum0)) 
\u0026 mask;\n- c[4] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- accum2 \u003d widemul(\u0026a[2],\u0026b[7]);\n- mac(\u0026accum0, \u0026a[6], \u0026bb[3]);\n- mac(\u0026accum1, \u0026aa[2], \u0026bbb[3]);\n-\n- mac(\u0026accum2, \u0026a[3], \u0026b[6]);\n- mac(\u0026accum0, \u0026a[7], \u0026bb[2]);\n- mac(\u0026accum1, \u0026aa[3], \u0026bbb[2]);\n-\n- mac(\u0026accum2, \u0026a[0],\u0026b[1]);\n- mac(\u0026accum1, \u0026aa[0], \u0026bb[1]);\n- mac(\u0026accum0, \u0026a[4], \u0026b[5]);\n-\n- mac(\u0026accum2, \u0026a[1], \u0026b[0]);\n- mac(\u0026accum1, \u0026aa[1], \u0026bb[0]);\n- mac(\u0026accum0, \u0026a[5], \u0026b[4]);\n-\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[1] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[5] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- accum2 \u003d widemul(\u0026a[3],\u0026b[7]);\n- mac(\u0026accum0, \u0026a[7], \u0026bb[3]);\n- mac(\u0026accum1, \u0026aa[3], \u0026bbb[3]);\n-\n- mac(\u0026accum2, \u0026a[0],\u0026b[2]);\n- mac(\u0026accum1, \u0026aa[0], \u0026bb[2]);\n- mac(\u0026accum0, \u0026a[4], \u0026b[6]);\n-\n- mac(\u0026accum2, \u0026a[1], \u0026b[1]);\n- mac(\u0026accum1, \u0026aa[1], \u0026bb[1]);\n- mac(\u0026accum0, \u0026a[5], \u0026b[5]);\n-\n- mac(\u0026accum2, \u0026a[2], \u0026b[0]);\n- mac(\u0026accum1, \u0026aa[2], \u0026bb[0]);\n- mac(\u0026accum0, \u0026a[6], \u0026b[4]);\n-\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[2] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[6] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- accum0 +\u003d c[3];\n- accum1 +\u003d c[7];\n- c[3] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[7] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- /* we could almost stop here, but it wouldn't be stable, so... 
*/\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n- c[4] +\u003d ((uint64_t)(accum0)) + ((uint64_t)(accum1));\n- c[0] +\u003d ((uint64_t)(accum1));\n-}\n-\n-void gf_mulw_unsigned (gf_s *__restrict__ cs, const gf as, uint32_t b) {\n- const uint64_t *a \u003d as-\u003elimb;\n- uint64_t *c \u003d cs-\u003elimb;\n-\n- __uint128_t accum0, accum4;\n- uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n-\n- accum0 \u003d widemul_rm(b, \u0026a[0]);\n- accum4 \u003d widemul_rm(b, \u0026a[4]);\n-\n- c[0] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 56;\n- c[4] \u003d accum4 \u0026 mask; accum4 \u003e\u003e\u003d 56;\n-\n- mac_rm(\u0026accum0, b, \u0026a[1]);\n- mac_rm(\u0026accum4, b, \u0026a[5]);\n-\n- c[1] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 56;\n- c[5] \u003d accum4 \u0026 mask; accum4 \u003e\u003e\u003d 56;\n-\n- mac_rm(\u0026accum0, b, \u0026a[2]);\n- mac_rm(\u0026accum4, b, \u0026a[6]);\n-\n- c[2] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 56;\n- c[6] \u003d accum4 \u0026 mask; accum4 \u003e\u003e\u003d 56;\n-\n- mac_rm(\u0026accum0, b, \u0026a[3]);\n- mac_rm(\u0026accum4, b, \u0026a[7]);\n-\n- c[3] \u003d accum0 \u0026 mask; accum0 \u003e\u003e\u003d 56;\n- c[7] \u003d accum4 \u0026 mask; accum4 \u003e\u003e\u003d 56;\n- \n- accum0 +\u003d accum4 + c[4];\n- c[4] \u003d accum0 \u0026 mask;\n- c[5] +\u003d accum0 \u003e\u003e 56;\n-\n- accum4 +\u003d c[0];\n- c[0] \u003d accum4 \u0026 mask;\n- c[1] +\u003d accum4 \u003e\u003e 56;\n-}\n-\n-void gf_sqr (gf_s *__restrict__ cs, const gf as) {\n- const uint64_t *a \u003d as-\u003elimb;\n- uint64_t *c \u003d cs-\u003elimb;\n-\n- __uint128_t accum0 \u003d 0, accum1 \u003d 0, accum2;\n- uint64_t mask \u003d (1ull\u003c\u003c56) - 1; \n-\n- uint64_t aa[4] VECTOR_ALIGNED;\n-\n- /* For some reason clang doesn't vectorize this without prompting? 
*/\n- unsigned int i;\n- for (i\u003d0; i\u003csizeof(aa)/sizeof(uint64xn_t); i++) {\n- ((uint64xn_t*)aa)[i] \u003d ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)(\u0026a[4]))[i];\n- }\n-\n- accum2 \u003d widemul(\u0026a[0],\u0026a[3]);\n- accum0 \u003d widemul(\u0026aa[0],\u0026aa[3]);\n- accum1 \u003d widemul(\u0026a[4],\u0026a[7]);\n-\n- mac(\u0026accum2, \u0026a[1], \u0026a[2]);\n- mac(\u0026accum0, \u0026aa[1], \u0026aa[2]);\n- mac(\u0026accum1, \u0026a[5], \u0026a[6]);\n-\n- accum0 -\u003d accum2;\n- accum1 +\u003d accum2;\n-\n- c[3] \u003d ((uint64_t)(accum1))\u003c\u003c1 \u0026 mask;\n- c[7] \u003d ((uint64_t)(accum0))\u003c\u003c1 \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 55;\n- accum1 \u003e\u003e\u003d 55;\n-\n- mac2(\u0026accum0, \u0026aa[1],\u0026aa[3]);\n- mac2(\u0026accum1, \u0026a[5], \u0026a[7]);\n- mac(\u0026accum0, \u0026aa[2], \u0026aa[2]);\n- accum1 +\u003d accum0;\n-\n- msb2(\u0026accum0, \u0026a[1], \u0026a[3]);\n- mac(\u0026accum1, \u0026a[6], \u0026a[6]);\n- \n- accum2 \u003d widemul(\u0026a[0],\u0026a[0]);\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- msb(\u0026accum0, \u0026a[2], \u0026a[2]);\n- mac(\u0026accum1, \u0026aa[0], \u0026aa[0]);\n- mac(\u0026accum0, \u0026a[4], \u0026a[4]);\n-\n- c[0] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[4] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- accum2 \u003d widemul2(\u0026aa[2],\u0026aa[3]);\n- msb2(\u0026accum0, \u0026a[2], \u0026a[3]);\n- mac2(\u0026accum1, \u0026a[6], \u0026a[7]);\n-\n- accum1 +\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- accum2 \u003d widemul2(\u0026a[0],\u0026a[1]);\n- mac2(\u0026accum1, \u0026aa[0], \u0026aa[1]);\n- mac2(\u0026accum0, \u0026a[4], \u0026a[5]);\n-\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[1] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[5] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 
56;\n-\n- accum2 \u003d widemul(\u0026aa[3],\u0026aa[3]);\n- msb(\u0026accum0, \u0026a[3], \u0026a[3]);\n- mac(\u0026accum1, \u0026a[7], \u0026a[7]);\n-\n- accum1 +\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- accum2 \u003d widemul2(\u0026a[0],\u0026a[2]);\n- mac2(\u0026accum1, \u0026aa[0], \u0026aa[2]);\n- mac2(\u0026accum0, \u0026a[4], \u0026a[6]);\n-\n- mac(\u0026accum2, \u0026a[1], \u0026a[1]);\n- mac(\u0026accum1, \u0026aa[1], \u0026aa[1]);\n- mac(\u0026accum0, \u0026a[5], \u0026a[5]);\n-\n- accum1 -\u003d accum2;\n- accum0 +\u003d accum2;\n-\n- c[2] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[6] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n-\n- accum0 +\u003d c[3];\n- accum1 +\u003d c[7];\n- c[3] \u003d ((uint64_t)(accum0)) \u0026 mask;\n- c[7] \u003d ((uint64_t)(accum1)) \u0026 mask;\n-\n- /* we could almost stop here, but it wouldn't be stable, so... */\n-\n- accum0 \u003e\u003e\u003d 56;\n- accum1 \u003e\u003e\u003d 56;\n- c[4] +\u003d ((uint64_t)(accum0)) + ((uint64_t)(accum1));\n- c[0] +\u003d ((uint64_t)(accum1));\n-}\ndiff --git a/crypto/ec/curve448/p448/arch_x86_64/f_impl.h b/crypto/ec/curve448/p448/arch_x86_64/f_impl.h\ndeleted file mode 100644\nindex a85044a..0000000\n--- a/crypto/ec/curve448/p448/arch_x86_64/f_impl.h\n+++ /dev/null\n@@ -1,65 +0,0 @@\n-/* Copyright (c) 2014-2016 Cryptography Research, Inc.\n- * Released under the MIT License. 
See LICENSE.txt for license information.\n- */\n-\n-#define GF_HEADROOM 60\n-#define FIELD_LITERAL(a,b,c,d,e,f,g,h) {{a,b,c,d,e,f,g,h}}\n-#define LIMB_PLACE_VALUE(i) 56\n-\n-void gf_add_RAW (gf out, const gf a, const gf b) {\n- for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint64xn_t); i++) {\n- ((uint64xn_t*)out)[i] \u003d ((const uint64xn_t*)a)[i] + ((const uint64xn_t*)b)[i];\n- }\n- /*\n- unsigned int i;\n- for (i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n- out-\u003elimb[i] \u003d a-\u003elimb[i] + b-\u003elimb[i];\n- }\n- */\n-}\n-\n-void gf_sub_RAW (gf out, const gf a, const gf b) {\n- for (unsigned int i\u003d0; i\u003csizeof(*out)/sizeof(uint64xn_t); i++) {\n- ((uint64xn_t*)out)[i] \u003d ((const uint64xn_t*)a)[i] - ((const uint64xn_t*)b)[i];\n- }\n- /*\n- unsigned int i;\n- for (i\u003d0; i\u003csizeof(*out)/sizeof(out-\u003elimb[0]); i++) {\n- out-\u003elimb[i] \u003d a-\u003elimb[i] - b-\u003elimb[i];\n- }\n- */\n-}\n-\n-void gf_bias (gf a, int amt) {\n- uint64_t co1 \u003d ((1ull\u003c\u003c56)-1)*amt, co2 \u003d co1-amt;\n- \n-#if __AVX2__\n- uint64x4_t lo \u003d {co1,co1,co1,co1}, hi \u003d {co2,co1,co1,co1};\n- uint64x4_t *aa \u003d (uint64x4_t*) a;\n- aa[0] +\u003d lo;\n- aa[1] +\u003d hi;\n-#elif __SSE2__\n- uint64x2_t lo \u003d {co1,co1}, hi \u003d {co2,co1};\n- uint64x2_t *aa \u003d (uint64x2_t*) a;\n- aa[0] +\u003d lo;\n- aa[1] +\u003d lo;\n- aa[2] +\u003d hi;\n- aa[3] +\u003d lo;\n-#else\n- for (unsigned int i\u003d0; i\u003csizeof(*a)/sizeof(uint64_t); i++) {\n- a-\u003elimb[i] +\u003d (i\u003d\u003d4) ? 
co2 : co1;\n- }\n-#endif\n-}\n-\n-void gf_weak_reduce (gf a) {\n- /* PERF: use pshufb/palignr if anyone cares about speed of this */\n- uint64_t mask \u003d (1ull\u003c\u003c56) - 1;\n- uint64_t tmp \u003d a-\u003elimb[7] \u003e\u003e 56;\n- a-\u003elimb[4] +\u003d tmp;\n- for (unsigned int i\u003d7; i\u003e0; i--) {\n- a-\u003elimb[i] \u003d (a-\u003elimb[i] \u0026 mask) + (a-\u003elimb[i-1]\u003e\u003e56);\n- }\n- a-\u003elimb[0] \u003d (a-\u003elimb[0] \u0026 mask) + tmp;\n-}\n-\ndiff --git a/crypto/ec/curve448/p448/f_arithmetic.c b/crypto/ec/curve448/p448/f_arithmetic.c\ndeleted file mode 100644\nindex cf68519..0000000\n--- a/crypto/ec/curve448/p448/f_arithmetic.c\n+++ /dev/null\n@@ -1,46 +0,0 @@\n-/**\n- * @cond internal\n- * @file f_arithmetic.c\n- * @copyright\n- * Copyright (c) 2014 Cryptography Research, Inc. \u005cn\n- * Released under the MIT License. See LICENSE.txt for license information.\n- * @author Mike Hamburg\n- * @brief Field-specific arithmetic.\n- */\n-\n-#include \u0022field.h\u0022\n-\n-mask_t gf_isr (\n- gf a,\n- const gf x\n-) {\n- gf L0, L1, L2;\n- gf_sqr (L1, x );\n- gf_mul (L2, x, L1 );\n- gf_sqr (L1, L2 );\n- gf_mul (L2, x, L1 );\n- gf_sqrn (L1, L2, 3 );\n- gf_mul (L0, L2, L1 );\n- gf_sqrn (L1, L0, 3 );\n- gf_mul (L0, L2, L1 );\n- gf_sqrn (L2, L0, 9 );\n- gf_mul (L1, L0, L2 );\n- gf_sqr (L0, L1 );\n- gf_mul (L2, x, L0 );\n- gf_sqrn (L0, L2, 18 );\n- gf_mul (L2, L1, L0 );\n- gf_sqrn (L0, L2, 37 );\n- gf_mul (L1, L2, L0 );\n- gf_sqrn (L0, L1, 37 );\n- gf_mul (L1, L2, L0 );\n- gf_sqrn (L0, L1, 111 );\n- gf_mul (L2, L1, L0 );\n- gf_sqr (L0, L2 );\n- gf_mul (L1, x, L0 );\n- gf_sqrn (L0, L1, 223 );\n- gf_mul (L1, L2, L0 );\n- gf_sqr (L2, L1);\n- gf_mul (L0, L2, x);\n- gf_copy(a,L1);\n- return gf_eq(L0,ONE);\n-}\ndiff --git a/crypto/ec/curve448/portable_endian.h b/crypto/ec/curve448/portable_endian.h\nnew file mode 100644\nindex 0000000..5cbfca7\n--- /dev/null\n+++ b/crypto/ec/curve448/portable_endian.h\n@@ -0,0 +1,39 @@\n+/* Subset of 
Mathias Panzenböck's portable endian code, public domain */\n+\n+#ifndef __PORTABLE_ENDIAN_H__\n+#define __PORTABLE_ENDIAN_H__\n+\n+#if defined(__linux__) || defined(__CYGWIN__)\n+#\tinclude \u003cendian.h\u003e\n+#elif defined(__OpenBSD__)\n+#\tinclude \u003csys/endian.h\u003e\n+#elif defined(__APPLE__)\n+#\tinclude \u003clibkern/OSByteOrder.h\u003e\n+#\tdefine htole64(x) OSSwapHostToLittleInt64(x)\n+#\tdefine le64toh(x) OSSwapLittleToHostInt64(x)\n+#elif defined(__NetBSD__) || defined(__FreeBSD__) || defined(__DragonFly__)\n+#\tinclude \u003csys/endian.h\u003e\n+#\tifndef le64toh\n+#\t\tdefine le64toh(x) letoh64(x)\n+#\tendif\n+#elif defined(__sun) \u0026\u0026 defined(__SVR4)\n+#\tinclude \u003csys/byteorder.h\u003e\n+#\tdefine htole64(x) LE_64(x)\n+#\tdefine le64toh(x) LE_64(x)\n+#elif defined(_WIN16) || defined(_WIN32) || defined(_WIN64) || defined(__WINDOWS__)\n+#\tinclude \u003cwinsock2.h\u003e\n+#\tinclude \u003csys/param.h\u003e\n+#\tif BYTE_ORDER \u003d\u003d LITTLE_ENDIAN\n+#\t\tdefine htole64(x) (x)\n+#\t\tdefine le64toh(x) (x)\n+#\telif BYTE_ORDER \u003d\u003d BIG_ENDIAN\n+#\t\tdefine htole64(x) __builtin_bswap64(x)\n+#\t\tdefine le64toh(x) __builtin_bswap64(x)\n+#\telse\n+#\t\terror byte order not supported\n+#\tendif\n+#else\n+#\terror platform not supported\n+#endif\n+\n+#endif // __PORTABLE_ENDIAN_H__\ndiff --git a/crypto/ec/curve448/scalar.c b/crypto/ec/curve448/scalar.c\nnew file mode 100644\nindex 0000000..1c98ac9\n--- /dev/null\n+++ b/crypto/ec/curve448/scalar.c\n@@ -0,0 +1,341 @@\n+/**\n+ * @file ed448goldilocks/scalar.c\n+ * @author Mike Hamburg\n+ *\n+ * @copyright\n+ * Copyright (c) 2015-2016 Cryptography Research, Inc. \u005cn\n+ * Released under the MIT License. 
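Review bot: The Windows arm of crypto/ec/curve448/portable_endian.h only builds with a GCC-style toolchain, because it includes `<sys/param.h>` and falls back to `__builtin_bswap64`, neither of which MSVC provides. An MSVC build would fail at the include before the `BYTE_ORDER` test is ever evaluated. I would put a dedicated arm ahead of it, `#elif defined(_MSC_VER)` followed by `# define htole64(x) (x)` and `# define le64toh(x) (x)`, on the assumption that every Windows target built with MSVC is little-endian. The existing arm can stay as the MinGW/Cygwin-style path.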
See LICENSE.txt for license information.\n+ *\n+ * @brief Decaf high-level functions.\n+ *\n+ * @warning This file was automatically generated in Python.\n+ * Please do not edit it.\n+ */\n+#include \u0022word.h\u0022\n+#include \u0022constant_time.h\u0022\n+#include \u003cdecaf.h\u003e\n+\n+/* Template stuff */\n+#define API_NS(_id) decaf_448_##_id\n+#define SCALAR_BITS DECAF_448_SCALAR_BITS\n+#define SCALAR_SER_BYTES DECAF_448_SCALAR_BYTES\n+#define SCALAR_LIMBS DECAF_448_SCALAR_LIMBS\n+#define scalar_t API_NS(scalar_t)\n+\n+static const decaf_word_t MONTGOMERY_FACTOR \u003d (decaf_word_t)0x3bd440fae918bc5ull;\n+static const scalar_t sc_p \u003d {{{\n+ SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff)\n+}}}, sc_r2 \u003d {{{\n+ SC_LIMB(0xe3539257049b9b60), SC_LIMB(0x7af32c4bc1b195d9), SC_LIMB(0x0d66de2388ea1859), SC_LIMB(0xae17cf725ee4d838), SC_LIMB(0x1a9cc14ba3c47c44), SC_LIMB(0x2052bcb7e4d070af), SC_LIMB(0x3402a939f823b729)\n+}}};\n+/* End of template stuff */\n+\n+#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */\n+\n+const scalar_t API_NS(scalar_one) \u003d {{{1}}}, API_NS(scalar_zero) \u003d {{{0}}};\n+\n+/** {extra,accum} - sub +? 
p\n+ * Must have extra \u003c\u003d 1\n+ */\n+static DECAF_NOINLINE void sc_subx(\n+ scalar_t out,\n+ const decaf_word_t accum[SCALAR_LIMBS],\n+ const scalar_t sub,\n+ const scalar_t p,\n+ decaf_word_t extra\n+) {\n+ decaf_dsword_t chain \u003d 0;\n+ unsigned int i;\n+ for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n+ chain \u003d (chain + accum[i]) - sub-\u003elimb[i];\n+ out-\u003elimb[i] \u003d chain;\n+ chain \u003e\u003e\u003d WBITS;\n+ }\n+ decaf_word_t borrow \u003d chain+extra; /* \u003d 0 or -1 */\n+ \n+ chain \u003d 0;\n+ for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n+ chain \u003d (chain + out-\u003elimb[i]) + (p-\u003elimb[i] \u0026 borrow);\n+ out-\u003elimb[i] \u003d chain;\n+ chain \u003e\u003e\u003d WBITS;\n+ }\n+}\n+\n+static DECAF_NOINLINE void sc_montmul (\n+ scalar_t out,\n+ const scalar_t a,\n+ const scalar_t b\n+) {\n+ unsigned int i,j;\n+ decaf_word_t accum[SCALAR_LIMBS+1] \u003d {0};\n+ decaf_word_t hi_carry \u003d 0;\n+ \n+ for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n+ decaf_word_t mand \u003d a-\u003elimb[i];\n+ const decaf_word_t *mier \u003d b-\u003elimb;\n+ \n+ decaf_dword_t chain \u003d 0;\n+ for (j\u003d0; j\u003cSCALAR_LIMBS; j++) {\n+ chain +\u003d ((decaf_dword_t)mand)*mier[j] + accum[j];\n+ accum[j] \u003d chain;\n+ chain \u003e\u003e\u003d WBITS;\n+ }\n+ accum[j] \u003d chain;\n+ \n+ mand \u003d accum[0] * MONTGOMERY_FACTOR;\n+ chain \u003d 0;\n+ mier \u003d sc_p-\u003elimb;\n+ for (j\u003d0; j\u003cSCALAR_LIMBS; j++) {\n+ chain +\u003d (decaf_dword_t)mand*mier[j] + accum[j];\n+ if (j) accum[j-1] \u003d chain;\n+ chain \u003e\u003e\u003d WBITS;\n+ }\n+ chain +\u003d accum[j];\n+ chain +\u003d hi_carry;\n+ accum[j-1] \u003d chain;\n+ hi_carry \u003d chain \u003e\u003e WBITS;\n+ }\n+ \n+ sc_subx(out, accum, sc_p, sc_p, hi_carry);\n+}\n+\n+void API_NS(scalar_mul) (\n+ scalar_t out,\n+ const scalar_t a,\n+ const scalar_t b\n+) {\n+ sc_montmul(out,a,b);\n+ sc_montmul(out,out,sc_r2);\n+}\n+\n+/* PERF: could implement this */\n+static 
DECAF_INLINE void sc_montsqr (scalar_t out, const scalar_t a) {\n+ sc_montmul(out,a,a);\n+}\n+\n+decaf_error_t API_NS(scalar_invert) (\n+ scalar_t out,\n+ const scalar_t a\n+) {\n+ /* Fermat's little theorem, sliding window.\n+ * Sliding window is fine here because the modulus isn't secret.\n+ */\n+ const int SCALAR_WINDOW_BITS \u003d 3;\n+ scalar_t precmp[1\u003c\u003cSCALAR_WINDOW_BITS];\n+ const int LAST \u003d (1\u003c\u003cSCALAR_WINDOW_BITS)-1;\n+\n+ /* Precompute precmp \u003d [a^1,a^3,...] */\n+ sc_montmul(precmp[0],a,sc_r2);\n+ if (LAST \u003e 0) sc_montmul(precmp[LAST],precmp[0],precmp[0]);\n+\n+ int i;\n+ for (i\u003d1; i\u003c\u003dLAST; i++) {\n+ sc_montmul(precmp[i],precmp[i-1],precmp[LAST]);\n+ }\n+ \n+ /* Sliding window */\n+ unsigned residue \u003d 0, trailing \u003d 0, started \u003d 0;\n+ for (i\u003dSCALAR_BITS-1; i\u003e\u003d-SCALAR_WINDOW_BITS; i--) {\n+ \n+ if (started) sc_montsqr(out,out);\n+ \n+ decaf_word_t w \u003d (i\u003e\u003d0) ? sc_p-\u003elimb[i/WBITS] : 0;\n+ if (i \u003e\u003d 0 \u0026\u0026 i\u003cWBITS) {\n+ assert(w \u003e\u003d 2);\n+ w-\u003d2;\n+ }\n+ \n+ residue \u003d (residue\u003c\u003c1) | ((w\u003e\u003e(i%WBITS))\u00261);\n+ if (residue\u003e\u003eSCALAR_WINDOW_BITS !\u003d 0) {\n+ assert(trailing \u003d\u003d 0);\n+ trailing \u003d residue;\n+ residue \u003d 0;\n+ }\n+ \n+ if (trailing \u003e 0 \u0026\u0026 (trailing \u0026 ((1\u003c\u003cSCALAR_WINDOW_BITS)-1)) \u003d\u003d 0) {\n+ if (started) {\n+ sc_montmul(out,out,precmp[trailing\u003e\u003e(SCALAR_WINDOW_BITS+1)]);\n+ } else {\n+ API_NS(scalar_copy)(out,precmp[trailing\u003e\u003e(SCALAR_WINDOW_BITS+1)]);\n+ started \u003d 1;\n+ }\n+ trailing \u003d 0;\n+ }\n+ trailing \u003c\u003c\u003d 1;\n+ \n+ }\n+ assert(residue\u003d\u003d0);\n+ assert(trailing\u003d\u003d0);\n+ \n+ /* Demontgomerize */\n+ sc_montmul(out,out,API_NS(scalar_one));\n+ decaf_bzero(precmp, sizeof(precmp));\n+ return decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero)));\n+}\n+\n+void 
API_NS(scalar_sub) (\n+ scalar_t out,\n+ const scalar_t a,\n+ const scalar_t b\n+) {\n+ sc_subx(out, a-\u003elimb, b, sc_p, 0);\n+}\n+\n+void API_NS(scalar_add) (\n+ scalar_t out,\n+ const scalar_t a,\n+ const scalar_t b\n+) {\n+ decaf_dword_t chain \u003d 0;\n+ unsigned int i;\n+ for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n+ chain \u003d (chain + a-\u003elimb[i]) + b-\u003elimb[i];\n+ out-\u003elimb[i] \u003d chain;\n+ chain \u003e\u003e\u003d WBITS;\n+ }\n+ sc_subx(out, out-\u003elimb, sc_p, sc_p, chain);\n+}\n+\n+void\n+API_NS(scalar_set_unsigned) (\n+ scalar_t out,\n+ uint64_t w\n+) {\n+ memset(out,0,sizeof(scalar_t));\n+ unsigned int i \u003d 0;\n+ for (; i\u003csizeof(uint64_t)/sizeof(decaf_word_t); i++) {\n+ out-\u003elimb[i] \u003d w;\n+#if DECAF_WORD_BITS \u003c 64\n+ w \u003e\u003e\u003d 8*sizeof(decaf_word_t);\n+#endif\n+ }\n+}\n+\n+decaf_bool_t\n+API_NS(scalar_eq) (\n+ const scalar_t a,\n+ const scalar_t b\n+) {\n+ decaf_word_t diff \u003d 0;\n+ unsigned int i;\n+ for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n+ diff |\u003d a-\u003elimb[i] ^ b-\u003elimb[i];\n+ }\n+ return mask_to_bool(word_is_zero(diff));\n+}\n+\n+static DECAF_INLINE void scalar_decode_short (\n+ scalar_t s,\n+ const unsigned char *ser,\n+ unsigned int nbytes\n+) {\n+ unsigned int i,j,k\u003d0;\n+ for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n+ decaf_word_t out \u003d 0;\n+ for (j\u003d0; j\u003csizeof(decaf_word_t) \u0026\u0026 k\u003cnbytes; j++,k++) {\n+ out |\u003d ((decaf_word_t)ser[k])\u003c\u003c(8*j);\n+ }\n+ s-\u003elimb[i] \u003d out;\n+ }\n+}\n+\n+decaf_error_t API_NS(scalar_decode)(\n+ scalar_t s,\n+ const unsigned char ser[SCALAR_SER_BYTES]\n+) {\n+ unsigned int i;\n+ scalar_decode_short(s, ser, SCALAR_SER_BYTES);\n+ decaf_dsword_t accum \u003d 0;\n+ for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n+ accum \u003d (accum + s-\u003elimb[i] - sc_p-\u003elimb[i]) \u003e\u003e WBITS;\n+ }\n+ /* Here accum \u003d\u003d 0 or -1 */\n+ \n+ API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* 
ham-handed reduce */\n+ \n+ return decaf_succeed_if(~word_is_zero(accum));\n+}\n+\n+void API_NS(scalar_destroy) (\n+ scalar_t scalar\n+) {\n+ decaf_bzero(scalar, sizeof(scalar_t));\n+}\n+\n+void API_NS(scalar_decode_long)(\n+ scalar_t s,\n+ const unsigned char *ser,\n+ size_t ser_len\n+) {\n+ if (ser_len \u003d\u003d 0) {\n+ API_NS(scalar_copy)(s, API_NS(scalar_zero));\n+ return;\n+ }\n+ \n+ size_t i;\n+ scalar_t t1, t2;\n+\n+ i \u003d ser_len - (ser_len%SCALAR_SER_BYTES);\n+ if (i\u003d\u003dser_len) i -\u003d SCALAR_SER_BYTES;\n+ \n+ scalar_decode_short(t1, \u0026ser[i], ser_len-i);\n+\n+ if (ser_len \u003d\u003d sizeof(scalar_t)) {\n+ assert(i\u003d\u003d0);\n+ /* ham-handed reduce */\n+ API_NS(scalar_mul)(s,t1,API_NS(scalar_one));\n+ API_NS(scalar_destroy)(t1);\n+ return;\n+ }\n+\n+ while (i) {\n+ i -\u003d SCALAR_SER_BYTES;\n+ sc_montmul(t1,t1,sc_r2);\n+ ignore_result( API_NS(scalar_decode)(t2, ser+i) );\n+ API_NS(scalar_add)(t1, t1, t2);\n+ }\n+\n+ API_NS(scalar_copy)(s, t1);\n+ API_NS(scalar_destroy)(t1);\n+ API_NS(scalar_destroy)(t2);\n+}\n+\n+void API_NS(scalar_encode)(\n+ unsigned char ser[SCALAR_SER_BYTES],\n+ const scalar_t s\n+) {\n+ unsigned int i,j,k\u003d0;\n+ for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n+ for (j\u003d0; j\u003csizeof(decaf_word_t); j++,k++) {\n+ ser[k] \u003d s-\u003elimb[i] \u003e\u003e (8*j);\n+ }\n+ }\n+}\n+\n+void API_NS(scalar_cond_sel) (\n+ scalar_t out,\n+ const scalar_t a,\n+ const scalar_t b,\n+ decaf_bool_t pick_b\n+) {\n+ constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out-\u003elimb[0]));\n+}\n+\n+void API_NS(scalar_halve) (\n+ scalar_t out,\n+ const scalar_t a\n+) {\n+ decaf_word_t mask \u003d -(a-\u003elimb[0] \u0026 1);\n+ decaf_dword_t chain \u003d 0;\n+ unsigned int i;\n+ for (i\u003d0; i\u003cSCALAR_LIMBS; i++) {\n+ chain \u003d (chain + a-\u003elimb[i]) + (sc_p-\u003elimb[i] \u0026 mask);\n+ out-\u003elimb[i] \u003d chain;\n+ chain \u003e\u003e\u003d DECAF_WORD_BITS;\n+ }\n+ for 
(i\u003d0; i\u003cSCALAR_LIMBS-1; i++) {\n+ out-\u003elimb[i] \u003d out-\u003elimb[i]\u003e\u003e1 | out-\u003elimb[i+1]\u003c\u003c(WBITS-1);\n+ }\n+ out-\u003elimb[i] \u003d out-\u003elimb[i]\u003e\u003e1 | chain\u003c\u003c(WBITS-1);\n+}\n+\ndiff --git a/crypto/ec/curve448/word.h b/crypto/ec/curve448/word.h\nnew file mode 100644\nindex 0000000..7c7644a\n--- /dev/null\n+++ b/crypto/ec/curve448/word.h\n@@ -0,0 +1,281 @@\n+/* Copyright (c) 2014 Cryptography Research, Inc.\n+ * Released under the MIT License. See LICENSE.txt for license information.\n+ */\n+\n+#ifndef __WORD_H__\n+#define __WORD_H__\n+\n+/* for posix_memalign */\n+#define _XOPEN_SOURCE 600\n+#define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s */\n+#include \u003cstring.h\u003e\n+#if defined(__sun) \u0026\u0026 defined(__SVR4)\n+extern int posix_memalign(void **, size_t, size_t);\n+#endif\n+\n+#include \u003cassert.h\u003e\n+#include \u003cstdint.h\u003e\n+#include \u0022arch_intrinsics.h\u0022\n+\n+#include \u003cdecaf/common.h\u003e\n+\n+#ifndef _BSD_SOURCE\n+#define _BSD_SOURCE 1\n+#endif\n+\n+#ifndef _DEFAULT_SOURCE\n+#define _DEFAULT_SOURCE 1\n+#endif\n+\n+#include \u0022portable_endian.h\u0022\n+\n+#include \u003cstdlib.h\u003e\n+#include \u003csys/types.h\u003e\n+#include \u003cinttypes.h\u003e\n+\n+#if defined(__ARM_NEON__)\n+#include \u003carm_neon.h\u003e\n+#elif defined(__SSE2__)\n+ #if !defined(__GNUC__) || __clang__ || __GNUC__ \u003e\u003d 5 || (__GNUC__\u003d\u003d4 \u0026\u0026 __GNUC_MINOR__ \u003e\u003d 4)\n+ #include \u003cimmintrin.h\u003e\n+ #else\n+ #include \u003cemmintrin.h\u003e\n+ #endif\n+#endif\n+\n+#if (ARCH_WORD_BITS \u003d\u003d 64)\n+ typedef uint64_t word_t, mask_t;\n+ typedef __uint128_t dword_t;\n+ typedef int32_t hsword_t;\n+ typedef int64_t sword_t;\n+ typedef __int128_t dsword_t;\n+#elif (ARCH_WORD_BITS \u003d\u003d 32)\n+ typedef uint32_t word_t, mask_t;\n+ typedef uint64_t dword_t;\n+ typedef int16_t hsword_t;\n+ typedef int32_t sword_t;\n+ typedef int64_t 
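Review bot: In `scalar_invert` (crypto/ec/curve448/scalar.c) the window loop runs `i` down to `-SCALAR_WINDOW_BITS`, and on those last iterations `(w>>(i%WBITS))` shifts by a negative count, which is undefined behaviour in C. `w` is forced to 0 when `i < 0`, so the intended bit is 0, but the compiler is not obliged to produce it, and this function operates on scalars that may be secret. This assumes `WBITS` expands to a signed integer constant, since its definition is outside the hunk. I would guard the shift explicitly: `residue = (residue<<1) | ((i >= 0) ? ((w>>(i%WBITS))&1) : 0);`.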
dsword_t;\n+#else\n+ #error \u0022For now, libdecaf only supports 32- and 64-bit architectures.\u0022\n+#endif\n+ \n+/* Scalar limbs are keyed off of the API word size instead of the arch word size. */\n+#if DECAF_WORD_BITS \u003d\u003d 64\n+ #define SC_LIMB(x) (x##ull)\n+#elif DECAF_WORD_BITS \u003d\u003d 32\n+ #define SC_LIMB(x) ((uint32_t)x##ull),(x##ull\u003e\u003e32)\n+#else\n+ #error \u0022For now, libdecaf only supports 32- and 64-bit architectures.\u0022\n+#endif\n+\n+#ifdef __ARM_NEON__\n+ typedef uint32x4_t vecmask_t;\n+#elif __clang__\n+ typedef uint64_t uint64x2_t __attribute__((ext_vector_type(2)));\n+ typedef int64_t int64x2_t __attribute__((ext_vector_type(2)));\n+ typedef uint64_t uint64x4_t __attribute__((ext_vector_type(4)));\n+ typedef int64_t int64x4_t __attribute__((ext_vector_type(4)));\n+ typedef uint32_t uint32x4_t __attribute__((ext_vector_type(4)));\n+ typedef int32_t int32x4_t __attribute__((ext_vector_type(4)));\n+ typedef uint32_t uint32x2_t __attribute__((ext_vector_type(2)));\n+ typedef int32_t int32x2_t __attribute__((ext_vector_type(2)));\n+ typedef uint32_t uint32x8_t __attribute__((ext_vector_type(8)));\n+ typedef int32_t int32x8_t __attribute__((ext_vector_type(8)));\n+ typedef word_t vecmask_t __attribute__((ext_vector_type(4)));\n+#else /* GCC, hopefully? 
*/\n+ typedef uint64_t uint64x2_t __attribute__((vector_size(16)));\n+ typedef int64_t int64x2_t __attribute__((vector_size(16)));\n+ typedef uint64_t uint64x4_t __attribute__((vector_size(32)));\n+ typedef int64_t int64x4_t __attribute__((vector_size(32)));\n+ typedef uint32_t uint32x4_t __attribute__((vector_size(16)));\n+ typedef int32_t int32x4_t __attribute__((vector_size(16)));\n+ typedef uint32_t uint32x2_t __attribute__((vector_size(8)));\n+ typedef int32_t int32x2_t __attribute__((vector_size(8)));\n+ typedef uint32_t uint32x8_t __attribute__((vector_size(32)));\n+ typedef int32_t int32x8_t __attribute__((vector_size(32)));\n+ typedef word_t vecmask_t __attribute__((vector_size(32)));\n+#endif\n+\n+#if __AVX2__\n+ #define VECTOR_ALIGNED __attribute__((aligned(32)))\n+ typedef uint32x8_t big_register_t;\n+ typedef uint64x4_t uint64xn_t;\n+ typedef uint32x8_t uint32xn_t;\n+\n+ static DECAF_INLINE big_register_t\n+ br_set_to_mask(mask_t x) {\n+ uint32_t y \u003d (uint32_t)x;\n+ big_register_t ret \u003d {y,y,y,y,y,y,y,y};\n+ return ret;\n+ }\n+#elif __SSE2__\n+ #define VECTOR_ALIGNED __attribute__((aligned(16)))\n+ typedef uint32x4_t big_register_t;\n+ typedef uint64x2_t uint64xn_t;\n+ typedef uint32x4_t uint32xn_t;\n+\n+ static DECAF_INLINE big_register_t\n+ br_set_to_mask(mask_t x) {\n+ uint32_t y \u003d x;\n+ big_register_t ret \u003d {y,y,y,y};\n+ return ret;\n+ }\n+#elif __ARM_NEON__\n+ #define VECTOR_ALIGNED __attribute__((aligned(16)))\n+ typedef uint32x4_t big_register_t;\n+ typedef uint64x2_t uint64xn_t;\n+ typedef uint32x4_t uint32xn_t;\n+ \n+ static DECAF_INLINE big_register_t\n+ br_set_to_mask(mask_t x) {\n+ return vdupq_n_u32(x);\n+ }\n+#elif _WIN64 || __amd64__ || __X86_64__ || __aarch64__\n+ #define VECTOR_ALIGNED __attribute__((aligned(8)))\n+ typedef uint64_t big_register_t, uint64xn_t;\n+\n+ typedef uint32_t uint32xn_t;\n+ static DECAF_INLINE big_register_t\n+ br_set_to_mask(mask_t x) {\n+ return (big_register_t)x;\n+ }\n+#else\n+ #define 
VECTOR_ALIGNED __attribute__((aligned(4)))\n+ typedef uint64_t uint64xn_t;\n+ typedef uint32_t uint32xn_t;\n+ typedef uint32_t big_register_t;\n+\n+ static DECAF_INLINE big_register_t\n+ br_set_to_mask(mask_t x) {\n+ return (big_register_t)x;\n+ }\n+#endif\n+\n+typedef struct {\n+ uint64xn_t unaligned;\n+} __attribute__((packed)) unaligned_uint64xn_t;\n+\n+typedef struct {\n+ uint32xn_t unaligned;\n+} __attribute__((packed)) unaligned_uint32xn_t;\n+\n+#if __AVX2__\n+ static DECAF_INLINE big_register_t\n+ br_is_zero(big_register_t x) {\n+ return (big_register_t)(x \u003d\u003d br_set_to_mask(0));\n+ }\n+#elif __SSE2__\n+ static DECAF_INLINE big_register_t\n+ br_is_zero(big_register_t x) {\n+ return (big_register_t)_mm_cmpeq_epi32((__m128i)x, _mm_setzero_si128());\n+ //return (big_register_t)(x \u003d\u003d br_set_to_mask(0));\n+ }\n+#elif __ARM_NEON__\n+ static DECAF_INLINE big_register_t\n+ br_is_zero(big_register_t x) {\n+ return vceqq_u32(x,x^x);\n+ }\n+#else\n+ #define br_is_zero word_is_zero\n+#endif\n+\n+/**\n+ * Really call memset, in a way that prevents the compiler from optimizing it out.\n+ * @param p The object to zeroize.\n+ * @param c The char to set it to (probably zero).\n+ * @param s The size of the object.\n+ */\n+#if defined(__DARWIN_C_LEVEL) || defined(__STDC_LIB_EXT1__)\n+#define HAS_MEMSET_S\n+#endif\n+\n+#if !defined(__STDC_WANT_LIB_EXT1__) || __STDC_WANT_LIB_EXT1__ !\u003d 1\n+#define NEED_MEMSET_S_EXTERN\n+#endif\n+\n+#ifdef HAS_MEMSET_S\n+ #ifdef NEED_MEMSET_S_EXTERN\n+ extern int memset_s(void *, size_t, int, size_t);\n+ #endif\n+ static DECAF_INLINE void\n+ really_memset(void *p, char c, size_t s) {\n+ memset_s(p, s, c, s);\n+ }\n+#else\n+ /* PERF: use words? 
*/\n+ static DECAF_INLINE void\n+ really_memset(void *p, char c, size_t s) {\n+ volatile char *pv \u003d (volatile char *)p;\n+ size_t i;\n+ for (i\u003d0; i\u003cs; i++) pv[i] \u003d c;\n+ }\n+#endif\n+\n+/**\n+ * Allocate memory which is sufficiently aligned to be used for the\n+ * largest vector on the system (for now that's a big_register_t).\n+ *\n+ * Man malloc says that it does this, but at least for AVX2 on MacOS X,\n+ * it's lying.\n+ *\n+ * @param size The size of the region to allocate.\n+ * @return A suitable pointer, which can be free'd with free(),\n+ * or NULL if no memory can be allocated.\n+ */\n+static DECAF_INLINE void *\n+malloc_vector(size_t size) {\n+ void *out \u003d NULL;\n+ \n+ int ret \u003d posix_memalign(\u0026out, sizeof(big_register_t), size);\n+ \n+ if (ret) {\n+ return NULL;\n+ } else {\n+ return out;\n+ }\n+}\n+\n+/* PERF: vectorize vs unroll */\n+#ifdef __clang__\n+#if 100*__clang_major__ + __clang_minor__ \u003e 305\n+#define UNROLL _Pragma(\u0022clang loop unroll(full)\u0022)\n+#endif\n+#endif\n+\n+#ifndef UNROLL\n+#define UNROLL\n+#endif\n+\n+/* The plan on booleans:\n+ *\n+ * The external interface uses decaf_bool_t, but this might be a different\n+ * size than our particular arch's word_t (and thus mask_t). Also, the caller\n+ * isn't guaranteed to pass it as nonzero. So bool_to_mask converts word sizes\n+ * and checks nonzero.\n+ *\n+ * On the flip side, mask_t is always -1 or 0, but it might be a different size\n+ * than decaf_bool_t.\n+ *\n+ * On the third hand, we have success vs boolean types, but that's handled in\n+ * common.h: it converts between decaf_bool_t and decaf_error_t.\n+ */\n+static DECAF_INLINE decaf_bool_t mask_to_bool (mask_t m) {\n+ return (decaf_sword_t)(sword_t)m;\n+}\n+\n+static DECAF_INLINE mask_t bool_to_mask (decaf_bool_t m) {\n+ /* On most arches this will be optimized to a simple cast. 
*/\n+ mask_t ret \u003d 0;\n+ unsigned int limit \u003d sizeof(decaf_bool_t)/sizeof(mask_t);\n+ if (limit \u003c 1) limit \u003d 1;\n+ for (unsigned int i\u003d0; i\u003climit; i++) {\n+ ret |\u003d ~ word_is_zero(m \u003e\u003e (i*8*sizeof(word_t)));\n+ }\n+ return ret;\n+}\n+\n+static DECAF_INLINE void ignore_result ( decaf_bool_t boo ) {\n+ (void)boo;\n+}\n+\n+#endif /* __WORD_H__ */\n","s":{"c":1752655313,"u": 61555}}
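Review bot: `malloc_vector` in crypto/ec/curve448/word.h passes `sizeof(big_register_t)` as the alignment to `posix_memalign`, which requires a power-of-two multiple of `sizeof(void *)`. In the final `#else` arm `big_register_t` is `uint32_t`, so a 64-bit target with no SSE2/NEON that is not matched by the `_WIN64 || __amd64__ || __X86_64__ || __aarch64__` test would request 4-byte alignment and get `EINVAL`, making every call return NULL. Clamp the value first, `size_t align = sizeof(big_register_t) < sizeof(void *) ? sizeof(void *) : sizeof(big_register_t);`, and pass `align` to `posix_memalign`. The callers are outside this hunk, so which code paths depend on it still needs confirming.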
],"g": 289049,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}