jmg
/
ed448goldilocks


			
				
					
						
						
							
							/**
 * @cond internal
 * @file ec_point.c
 * @copyright
 *   Copyright (c) 2014 Cryptography Research, Inc.  \n
 *   Released under the MIT License.  See LICENSE.txt for license information.
 * @author Mike Hamburg
 * @warning This file was automatically generated.
 *     Then it was edited by hand.  Good luck, have fun.
 */

#include "ec_point.h"
#include "magic.h"

#define is32 (GOLDI_BITS == 32)

/* I wanted to just use if (is32)
 * But clang's -Wunreachable-code flags it.
 * I wanted to keep that warning on.
 */
#if (is32)
#define IF32(s) (s)
#else
#define IF32(s)
#endif

/* Multiply by signed curve constant */
static __inline__ void
field_mulw_scc (
    struct field_t* __restrict__ out,
    const struct field_t *a,
    int64_t scc
) {
    if (scc >= 0) {
        field_mulw(out, a, scc);
    } else {
        field_mulw(out, a, -scc);
        field_neg(out,out);
        field_bias(out,2);
    }
}

/* Multiply by signed curve constant and weak reduce if biased */
static __inline__ void
field_mulw_scc_wr (
    struct field_t* __restrict__ out,
    const struct field_t *a,
    int64_t scc
) {
    field_mulw_scc(out, a, scc);
    if (scc < 0)
        field_weak_reduce(out);
}

void
field_isr (
    struct field_t*       a,
    const struct field_t* x
) {
    struct field_t L0, L1, L2;
    field_sqr  (   &L1,     x );
    field_mul  (   &L2,     x,   &L1 );
    field_sqr  (   &L1,   &L2 );
    field_mul  (   &L2,     x,   &L1 );
    field_sqrn (   &L1,   &L2,     3 );
    field_mul  (   &L0,   &L2,   &L1 );
    field_sqrn (   &L1,   &L0,     3 );
    field_mul  (   &L0,   &L2,   &L1 );
    field_sqrn (   &L2,   &L0,     9 );
    field_mul  (   &L1,   &L0,   &L2 );
    field_sqr  (   &L0,   &L1 );
    field_mul  (   &L2,     x,   &L0 );
    field_sqrn (   &L0,   &L2,    18 );
    field_mul  (   &L2,   &L1,   &L0 );
    field_sqrn (   &L0,   &L2,    37 );
    field_mul  (   &L1,   &L2,   &L0 );
    field_sqrn (   &L0,   &L1,    37 );
    field_mul  (   &L1,   &L2,   &L0 );
    field_sqrn (   &L0,   &L1,   111 );
    field_mul  (   &L2,   &L1,   &L0 );
    field_sqr  (   &L0,   &L2 );
    field_mul  (   &L1,     x,   &L0 );
    field_sqrn (   &L0,   &L1,   223 );
    field_mul  (     a,   &L2,   &L0 );
}

void
add_tw_niels_to_tw_extensible (
    struct tw_extensible_t*  d,
    const struct tw_niels_t* e
) {
    struct field_t L0, L1;
    field_sub  (   &L1, &d->y, &d->x );
    field_bias (   &L1,     2 );
    IF32( field_weak_reduce(   &L1 ) );
    field_mul  (   &L0, &e->a,   &L1 );
    field_add  (   &L1, &d->x, &d->y );
    field_mul  ( &d->y, &e->b,   &L1 );
    field_mul  (   &L1, &d->u, &d->t );
    field_mul  ( &d->x, &e->c,   &L1 );
    field_add  ( &d->u,   &L0, &d->y );
    field_sub  ( &d->t, &d->y,   &L0 );
    field_bias ( &d->t,     2 );
    IF32( field_weak_reduce( &d->t ) );
    field_sub  ( &d->y, &d->z, &d->x );
    field_bias ( &d->y,     2 );
    IF32( field_weak_reduce( &d->y ) );
    field_add  (   &L0, &d->x, &d->z );
    field_mul  ( &d->z,   &L0, &d->y );
    field_mul  ( &d->x, &d->y, &d->t );
    field_mul  ( &d->y,   &L0, &d->u );
}

void
sub_tw_niels_from_tw_extensible (
    struct tw_extensible_t*  d,
    const struct tw_niels_t* e
) {
    struct field_t L0, L1;
    field_sub  (   &L1, &d->y, &d->x );
    field_bias (   &L1,     2 );
    IF32( field_weak_reduce(   &L1 ) );
    field_mul  (   &L0, &e->b,   &L1 );
    field_add  (   &L1, &d->x, &d->y );
    field_mul  ( &d->y, &e->a,   &L1 );
    field_mul  (   &L1, &d->u, &d->t );
    field_mul  ( &d->x, &e->c,   &L1 );
    field_add  ( &d->u,   &L0, &d->y );
    field_sub  ( &d->t, &d->y,   &L0 );
    field_bias ( &d->t,     2 );
    IF32( field_weak_reduce( &d->t ) );
    field_add  ( &d->y, &d->x, &d->z );
    field_sub  (   &L0, &d->z, &d->x );
    field_bias (   &L0,     2 );
    IF32( field_weak_reduce(   &L0 ) );
    field_mul  ( &d->z,   &L0, &d->y );
    field_mul  ( &d->x, &d->y, &d->t );
    field_mul  ( &d->y,   &L0, &d->u );
}

void
add_tw_pniels_to_tw_extensible (
    struct tw_extensible_t*   e,
    const struct tw_pniels_t* a
) {
    struct field_t L0;
    field_mul  (   &L0, &e->z, &a->z );
    field_copy ( &e->z,   &L0 );
    add_tw_niels_to_tw_extensible(     e, &a->n );
}

void
sub_tw_pniels_from_tw_extensible (
    struct tw_extensible_t*   e,
    const struct tw_pniels_t* a
) {
    struct field_t L0;
    field_mul  (   &L0, &e->z, &a->z );
    field_copy ( &e->z,   &L0 );
    sub_tw_niels_from_tw_extensible(     e, &a->n );
}

void
double_tw_extensible (
    struct tw_extensible_t* a
) {
    struct field_t L0, L1, L2;
    field_sqr  (   &L2, &a->x );
    field_sqr  (   &L0, &a->y );
    field_add  ( &a->u,   &L2,   &L0 );
    field_add  ( &a->t, &a->y, &a->x );
    field_sqr  (   &L1, &a->t );
    field_sub  ( &a->t,   &L1, &a->u );
    field_bias ( &a->t,     3 );
    IF32( field_weak_reduce( &a->t ) );
    field_sub  (   &L1,   &L0,   &L2 );
    field_bias (   &L1,     2 );
    IF32( field_weak_reduce(   &L1 ) );
    field_sqr  ( &a->x, &a->z );
    field_bias ( &a->x,     2-is32 /*is32 ? 1 : 2*/ );
    field_add  ( &a->z, &a->x, &a->x );
    field_sub  (   &L0, &a->z,   &L1 );
    IF32( field_weak_reduce(   &L0 ) );
    field_mul  ( &a->z,   &L1,   &L0 );
    field_mul  ( &a->x,   &L0, &a->t );
    field_mul  ( &a->y,   &L1, &a->u );
}

void
double_extensible (
    struct extensible_t* a
) {
    struct field_t L0, L1, L2;
    field_sqr  (   &L2, &a->x );
    field_sqr  (   &L0, &a->y );
    field_add  (   &L1,   &L2,   &L0 );
    field_add  ( &a->t, &a->y, &a->x );
    field_sqr  ( &a->u, &a->t );
    field_sub  ( &a->t, &a->u,   &L1 );
    field_bias ( &a->t,     3 );
    IF32( field_weak_reduce( &a->t ) );
    field_sub  ( &a->u,   &L0,   &L2 );
    field_bias ( &a->u,     2 );
    IF32( field_weak_reduce( &a->u ) );
    field_sqr  ( &a->x, &a->z );
    field_bias ( &a->x,     2 );
    field_add  ( &a->z, &a->x, &a->x );
    field_sub  (   &L0, &a->z,   &L1 );
    IF32( field_weak_reduce(   &L0 ) );
    field_mul  ( &a->z,   &L1,   &L0 );
    field_mul  ( &a->x,   &L0, &a->t );
    field_mul  ( &a->y,   &L1, &a->u );
}

void
twist_and_double (
    struct tw_extensible_t*    b,
    const struct extensible_t* a
) {
    struct field_t L0;
    field_sqr  ( &b->x, &a->x );
    field_sqr  ( &b->z, &a->y );
    field_add  ( &b->u, &b->x, &b->z );
    field_add  ( &b->t, &a->y, &a->x );
    field_sqr  (   &L0, &b->t );
    field_sub  ( &b->t,   &L0, &b->u );
    field_bias ( &b->t,     3 );
    IF32( field_weak_reduce( &b->t ) );
    field_sub  (   &L0, &b->z, &b->x );
    field_bias (   &L0,     2 );
    IF32( field_weak_reduce(   &L0 ) );
    field_sqr  ( &b->x, &a->z );
    field_bias ( &b->x,     2 );
    field_add  ( &b->z, &b->x, &b->x );
    field_sub  ( &b->y, &b->z, &b->u );
    IF32( field_weak_reduce( &b->y ) );
    field_mul  ( &b->z,   &L0, &b->y );
    field_mul  ( &b->x, &b->y, &b->t );
    field_mul  ( &b->y,   &L0, &b->u );
}

void
untwist_and_double (
    struct extensible_t*          b,
    const struct tw_extensible_t* a
) {
    struct field_t L0;
    field_sqr  ( &b->x, &a->x );
    field_sqr  ( &b->z, &a->y );
    field_add  (   &L0, &b->x, &b->z );
    field_add  ( &b->t, &a->y, &a->x );
    field_sqr  ( &b->u, &b->t );
    field_sub  ( &b->t, &b->u,   &L0 );
    field_bias ( &b->t,     3 );
    IF32( field_weak_reduce( &b->t ) );
    field_sub  ( &b->u, &b->z, &b->x );
    field_bias ( &b->u,     2 );
    IF32( field_weak_reduce( &b->u ) );
    field_sqr  ( &b->x, &a->z );
    field_bias ( &b->x,     2-is32 /*is32 ? 1 : 2*/ );
    field_add  ( &b->z, &b->x, &b->x );
    field_sub  ( &b->y, &b->z, &b->u );
    IF32( field_weak_reduce( &b->y ) );
    field_mul  ( &b->z,   &L0, &b->y );
    field_mul  ( &b->x, &b->y, &b->t );
    field_mul  ( &b->y,   &L0, &b->u );
}

void
convert_tw_affine_to_tw_pniels (
    struct tw_pniels_t*       b,
    const struct tw_affine_t* a
) {
    field_sub  ( &b->n.a, &a->y, &a->x );
    field_bias ( &b->n.a,     2 );
    field_weak_reduce( &b->n.a );
    field_add  ( &b->n.b, &a->x, &a->y );
    field_weak_reduce( &b->n.b );
    field_mul  ( &b->z, &a->y, &a->x );
    field_mulw_scc_wr ( &b->n.c, &b->z, 2*EDWARDS_D-2 );
    field_set_ui( &b->z,     2 );
}

void
convert_tw_affine_to_tw_extensible (
    struct tw_extensible_t*   b,
    const struct tw_affine_t* a
) {
    field_copy ( &b->x, &a->x );
    field_copy ( &b->y, &a->y );
    field_set_ui( &b->z,     1 );
    field_copy ( &b->t, &a->x );
    field_copy ( &b->u, &a->y );
}

void
convert_affine_to_extensible (
    struct extensible_t*   b,
    const struct affine_t* a
) {
    field_copy ( &b->x, &a->x );
    field_copy ( &b->y, &a->y );
    field_set_ui( &b->z,     1 );
    field_copy ( &b->t, &a->x );
    field_copy ( &b->u, &a->y );
}

void
convert_tw_extensible_to_tw_pniels (
    struct tw_pniels_t*           b,
    const struct tw_extensible_t* a
) {
    field_sub  ( &b->n.a, &a->y, &a->x );
    field_bias ( &b->n.a,     2 );
    field_weak_reduce( &b->n.a );
    field_add  ( &b->n.b, &a->x, &a->y );
    field_weak_reduce( &b->n.b );
    field_mul  ( &b->z, &a->u, &a->t );
    field_mulw_scc_wr ( &b->n.c, &b->z, 2*EDWARDS_D-2 );
    field_add  ( &b->z, &a->z, &a->z );
    field_weak_reduce( &b->z );
}

void
convert_tw_pniels_to_tw_extensible (
    struct tw_extensible_t*   e,
    const struct tw_pniels_t* d
) {
    field_add  ( &e->u, &d->n.b, &d->n.a );
    field_sub  ( &e->t, &d->n.b, &d->n.a );
    field_bias ( &e->t,     2 );
    IF32( field_weak_reduce( &e->t ) );
    field_mul  ( &e->x, &d->z, &e->t );
    field_mul  ( &e->y, &d->z, &e->u );
    field_sqr  ( &e->z, &d->z );
}

void
convert_tw_niels_to_tw_extensible (
    struct tw_extensible_t*  e,
    const struct tw_niels_t* d
) {
    field_add  ( &e->y, &d->b, &d->a );
    field_weak_reduce( &e->y );
    field_sub  ( &e->x, &d->b, &d->a );
    field_bias ( &e->x,     2 );
    field_weak_reduce( &e->x );
    field_set_ui( &e->z,     1 );
    field_copy ( &e->t, &e->x );
    field_copy ( &e->u, &e->y );
}

void
montgomery_step (
    struct montgomery_t* a
) {
    struct field_t L0, L1;
    field_add  (   &L0, &a->zd, &a->xd );
    field_sub  (   &L1, &a->xd, &a->zd );
    field_bias (   &L1,     2 );
    IF32( field_weak_reduce(   &L1 ) );
    field_sub  ( &a->zd, &a->xa, &a->za );
    field_bias ( &a->zd,     2 );
    IF32( field_weak_reduce( &a->zd ) );
    field_mul  ( &a->xd,   &L0, &a->zd );
    field_add  ( &a->zd, &a->za, &a->xa );
    field_mul  ( &a->za,   &L1, &a->zd );
    field_add  ( &a->xa, &a->za, &a->xd );
    field_sqr  ( &a->zd, &a->xa );
    field_mul  ( &a->xa, &a->z0, &a->zd );
    field_sub  ( &a->zd, &a->xd, &a->za );
    field_bias ( &a->zd,     2 );
    IF32( field_weak_reduce( &a->zd ) );
    field_sqr  ( &a->za, &a->zd );
    field_sqr  ( &a->xd,   &L0 );
    field_sqr  (   &L0,   &L1 );
    field_mulw ( &a->zd, &a->xd, 1-EDWARDS_D );
    field_sub  (   &L1, &a->xd,   &L0 );
    field_bias (   &L1,     2 );
    IF32( field_weak_reduce(   &L1 ) );
    field_mul  ( &a->xd,   &L0, &a->zd );
    field_sub  (   &L0, &a->zd,   &L1 );
    field_bias (   &L0,     4 - 2*is32 /*is32 ? 2 : 4*/ );
    IF32( field_weak_reduce(   &L0 ) );
    field_mul  ( &a->zd,   &L0,   &L1 );
}

void
deserialize_montgomery (
    struct montgomery_t* a,
    const struct field_t* sbz
) {
    field_sqr  ( &a->z0,   sbz );
    field_set_ui( &a->xd,     1 );
    field_set_ui( &a->zd,     0 );
    field_set_ui( &a->xa,     1 );
    field_copy ( &a->za, &a->z0 );
}

mask_t
serialize_montgomery (
    struct field_t*             b,
    const struct montgomery_t* a,
    const struct field_t*       sbz
) {
    mask_t L4, L5, L6;
    struct field_t L0, L1, L2, L3;
    field_mul  (   &L3, &a->z0, &a->zd );
    field_sub  (   &L1,   &L3, &a->xd );
    field_bias (   &L1,     2 );
    IF32( field_weak_reduce(   &L1 ) );
    field_mul  (   &L3, &a->za,   &L1 );
    field_mul  (   &L2, &a->z0, &a->xd );
    field_sub  (   &L1,   &L2, &a->zd );
    field_bias (   &L1,     2 );
    IF32( field_weak_reduce(   &L1 ) );
    field_mul  (   &L0, &a->xa,   &L1 );
    field_add  (   &L2,   &L0,   &L3 );
    field_sub  (   &L1,   &L3,   &L0 );
    field_bias (   &L1,     2 );
    IF32( field_weak_reduce(   &L1 ) );
    field_mul  (   &L3,   &L1,   &L2 );
    field_copy (   &L2, &a->z0 );
    field_addw (   &L2,     1 );
    field_sqr  (   &L1,   &L2 );
    field_mulw (   &L2,   &L1, 1-EDWARDS_D );
    field_neg  (   &L1,   &L2 );
    field_add  (   &L2, &a->z0, &a->z0 );
    field_bias (   &L2,     1 );
    field_add  (   &L0,   &L2,   &L2 );
    field_add  (   &L2,   &L0,   &L1 );
    IF32( field_weak_reduce(   &L2 ) );
    field_mul  (   &L0, &a->xd,   &L2 );
       L5 = field_is_zero( &a->zd );
       L6 = -   L5;
    field_mask (   &L1,   &L0,    L5 );
    field_add  (   &L2,   &L1, &a->zd );
       L4 = ~   L5;
    field_mul  (   &L1,   sbz,   &L3 );
    field_addw (   &L1,    L6 );
    field_mul  (   &L3,   &L2,   &L1 );
    field_mul  (   &L1,   &L3,   &L2 );
    field_mul  (   &L2,   &L3, &a->xd );
    field_mul  (   &L3,   &L1,   &L2 );
    field_isr  (   &L0,   &L3 );
    field_mul  (   &L2,   &L1,   &L0 );
    field_sqr  (   &L1,   &L0 );
    field_mul  (   &L0,   &L3,   &L1 );
    field_mask (     b,   &L2,    L4 );
    field_subw (   &L0,     1 );
    field_bias (   &L0,     1 );
       L5 = field_is_zero(   &L0 );
       L4 = field_is_zero(   sbz );
    return    L5 |    L4;
}

void
serialize_extensible (
    struct field_t*             b,
    const struct extensible_t* a
) {
    struct field_t L0, L1, L2;
    field_sub  (   &L0, &a->y, &a->z );
    field_bias (   &L0,     2 );
    IF32( field_weak_reduce(   &L0 ) );
    field_add  (     b, &a->z, &a->y );
    field_mul  (   &L1, &a->z, &a->x );
    field_mul  (   &L2,   &L0,   &L1 );
    field_mul  (   &L1,   &L2,   &L0 );
    field_mul  (   &L0,   &L2,     b );
    field_mul  (   &L2,   &L1,   &L0 );
    field_isr  (   &L0,   &L2 );
    field_mul  (     b,   &L1,   &L0 );
    field_sqr  (   &L1,   &L0 );
    field_mul  (   &L0,   &L2,   &L1 );
}

void
untwist_and_double_and_serialize (
    struct field_t*                b,
    const struct tw_extensible_t* a
) {
    struct field_t L0, L1, L2, L3;
    field_mul  (   &L3, &a->y, &a->x );
    field_add  (     b, &a->y, &a->x );
    field_sqr  (   &L1,     b );
    field_add  (   &L2,   &L3,   &L3 );
    field_sub  (     b,   &L1,   &L2 );
    field_bias (     b,     3 );
    IF32( field_weak_reduce(     b ) );
    field_sqr  (   &L2, &a->z );
    field_sqr  (   &L1,   &L2 );
    field_add  (   &L2,     b,     b );
    field_mulw (     b,   &L2, 1-EDWARDS_D );
    field_neg  (   &L2,     b );
    field_bias (   &L2,     2 );
    field_mulw (   &L0,   &L2, 1-EDWARDS_D );
    field_neg  (     b,   &L0 );
    field_bias (     b,     2 );
    field_mul  (   &L0,   &L2,   &L1 );
    field_mul  (   &L2,     b,   &L0 );
    field_isr  (   &L0,   &L2 );
    field_mul  (   &L1,     b,   &L0 );
    field_sqr  (     b,   &L0 );
    field_mul  (   &L0,   &L2,     b );
    field_mul  (     b,   &L1,   &L3 );
}

void
twist_even (
    struct tw_extensible_t*    b,
    const struct extensible_t* a
) {
    mask_t L0, L1;
    field_sqr  ( &b->y, &a->z );
    field_sqr  ( &b->z, &a->x );
    field_sub  ( &b->u, &b->y, &b->z );
    field_bias ( &b->u,     2 );
    IF32( field_weak_reduce( &b->u ) );
    field_sub  ( &b->z, &a->z, &a->x );
    field_bias ( &b->z,     2 );
    IF32( field_weak_reduce( &b->z ) );
    field_mul  ( &b->y, &b->z, &a->y );
    field_sub  ( &b->z, &a->z, &a->y );
    field_bias ( &b->z,     2 );
    IF32( field_weak_reduce( &b->z ) );
    field_mul  ( &b->x, &b->z, &b->y );
    field_mul  ( &b->t, &b->x, &b->u );
    field_mul  ( &b->y, &b->x, &b->t );
    field_isr  ( &b->t, &b->y );
    field_mul  ( &b->u, &b->x, &b->t );
    field_sqr  ( &b->x, &b->t );
    field_mul  ( &b->t, &b->y, &b->x );
    field_mul  ( &b->x, &a->x, &b->u );
    field_mul  ( &b->y, &a->y, &b->u );
       L1 = field_is_zero( &b->z );
       L0 = -   L1;
    field_addw ( &b->y,    L0 );
    field_weak_reduce( &b->y );
    field_set_ui( &b->z,     1 );
    field_copy ( &b->t, &b->x );
    field_copy ( &b->u, &b->y );
}

void
test_only_twist (
    struct tw_extensible_t*    b,
    const struct extensible_t* a
) {
    mask_t L2, L3;
    struct field_t L0, L1;
    field_sqr  ( &b->u, &a->z );
    field_sqr  ( &b->y, &a->x );
    field_sub  ( &b->z, &b->u, &b->y );
    field_bias ( &b->z,     2 );
    field_add  ( &b->y, &b->z, &b->z );
    field_add  ( &b->u, &b->y, &b->y );
    IF32( field_weak_reduce( &b->u ) );
    field_sub  ( &b->y, &a->z, &a->x );
    field_bias ( &b->y,     2 );
    IF32( field_weak_reduce( &b->y ) );
    field_mul  ( &b->x, &b->y, &a->y );
    field_sub  ( &b->z, &a->z, &a->y );
    field_bias ( &b->z,     2 );
    IF32( field_weak_reduce( &b->z ) );
    field_mul  ( &b->t, &b->z, &b->x );
    field_mul  (   &L1, &b->t, &b->u );
    field_mul  ( &b->x, &b->t,   &L1 );
    field_isr  (   &L0, &b->x );
    field_mul  ( &b->u, &b->t,   &L0 );
    field_sqr  (   &L1,   &L0 );
    field_mul  ( &b->t, &b->x,   &L1 );
    field_add  (   &L1, &a->y, &a->x );
    IF32( field_weak_reduce(   &L1 ) );
    field_sub  (   &L0, &a->x, &a->y );
    field_bias (   &L0,     2 );
    IF32( field_weak_reduce(   &L0 ) );
    field_mul  ( &b->x, &b->t,   &L0 );
    field_add  (   &L0, &b->x,   &L1 );
    field_sub  ( &b->t,   &L1, &b->x );
    field_bias ( &b->t,     2 );
    IF32( field_weak_reduce( &b->t ) );
    field_mul  ( &b->x,   &L0, &b->u );
       L2 = field_is_zero( &b->y );
       L3 = -   L2;
    field_addw ( &b->x,    L3 );
    field_weak_reduce( &b->x );
    field_mul  ( &b->y, &b->t, &b->u );
       L2 = field_is_zero( &b->z );
       L3 = -   L2;
    field_addw ( &b->y,    L3 );
    field_weak_reduce( &b->y );
       L3 = field_is_zero( &a->y );
       L2 =    L3 +     1;
    field_set_ui( &b->z,    L2 );
    field_copy ( &b->t, &b->x );
    field_copy ( &b->u, &b->y );
}

mask_t
is_even_pt (
    const struct extensible_t* a
) {
    struct field_t L0, L1, L2;
    field_sqr  (   &L2, &a->z );
    field_sqr  (   &L1, &a->x );
    field_sub  (   &L0,   &L2,   &L1 );
    field_bias (   &L0,     2 );
    field_weak_reduce(   &L0 );
    return field_is_square (   &L0 );
}

mask_t
is_even_tw (
    const struct tw_extensible_t* a
) {
    struct field_t L0, L1, L2;
    field_sqr  (   &L2, &a->z );
    field_sqr  (   &L1, &a->x );
    field_add  (   &L0,   &L1,   &L2 );
    field_weak_reduce(   &L0 );
    return field_is_square (   &L0 );
}

mask_t
deserialize_affine (
    struct affine_t*     a,
    const struct field_t* sz
) {
    struct field_t L0, L1, L2, L3;
    field_sqr  (   &L1,    sz );
    field_copy (   &L3,   &L1 );
    field_addw (   &L3,     1 );
    field_sqr  (   &L2,   &L3 );
    field_mulw (   &L3,   &L2, 1-EDWARDS_D );
    field_neg  ( &a->x,   &L3 );
    field_add  (   &L3,   &L1,   &L1 );
    field_bias (   &L3,     1 );
    field_add  ( &a->y,   &L3,   &L3 );
    field_add  (   &L3, &a->y, &a->x );
    IF32( field_weak_reduce(   &L3 ) );
    field_copy ( &a->y,   &L1 );
    field_subw ( &a->y,     1 );
    field_neg  ( &a->x, &a->y );
    field_bias ( &a->x,     2 );
    IF32( field_weak_reduce( &a->x ) );
    field_mul  ( &a->y, &a->x,   &L3 );
    field_sqr  (   &L2, &a->x );
    field_mul  (   &L0,   &L2, &a->y );
    field_mul  ( &a->y, &a->x,   &L0 );
    field_isr  (   &L3, &a->y );
    field_mul  ( &a->y,   &L2,   &L3 );
    field_sqr  (   &L2,   &L3 );
    field_mul  (   &L3,   &L0,   &L2 );
    field_mul  (   &L0, &a->x,   &L3 );
    field_add  (   &L2, &a->y, &a->y );
    field_mul  ( &a->x,    sz,   &L2 );
    field_addw (   &L1,     1 );
    field_mul  ( &a->y,   &L1,   &L3 );
    field_subw (   &L0,     1 );
    field_bias (   &L0,     1 );
    return field_is_zero(   &L0 );
}

mask_t
deserialize_and_twist_approx (
    struct tw_extensible_t* a,
    const struct field_t*    sdm1,
    const struct field_t*    sz
) {
    struct field_t L0, L1;
    field_sqr  ( &a->z,    sz );
    field_copy ( &a->y, &a->z );
    field_addw ( &a->y,     1 );
    field_sqr  ( &a->x, &a->y );
    field_mulw ( &a->y, &a->x, 1-EDWARDS_D );
    field_neg  ( &a->x, &a->y );
    field_add  ( &a->y, &a->z, &a->z );
    field_bias ( &a->y,     1 );
    field_add  ( &a->u, &a->y, &a->y );
    field_add  ( &a->y, &a->u, &a->x );
    IF32( field_weak_reduce( &a->y ) );
    field_sqr  ( &a->x, &a->z );
    field_subw ( &a->x,     1 );
    field_neg  ( &a->u, &a->x );
    field_bias ( &a->u,     2 );
    IF32( field_weak_reduce( &a->u ) );
    field_mul  ( &a->x,  sdm1, &a->u );
    field_mul  (   &L0, &a->x, &a->y );
    field_mul  ( &a->t,   &L0, &a->y );
    field_mul  ( &a->u, &a->x, &a->t );
    field_mul  ( &a->t, &a->u,   &L0 );
    field_mul  ( &a->y, &a->x, &a->t );
    field_isr  (   &L0, &a->y );
    field_mul  ( &a->y, &a->u,   &L0 );
    field_sqr  (   &L1,   &L0 );
    field_mul  ( &a->u, &a->t,   &L1 );
    field_mul  ( &a->t, &a->x, &a->u );
    field_add  ( &a->x,    sz,    sz );
    field_mul  (   &L0, &a->u, &a->x );
    field_copy ( &a->x, &a->z );
    field_subw ( &a->x,     1 );
    field_neg  (   &L1, &a->x );
    field_bias (   &L1,     2 );
    IF32( field_weak_reduce(   &L1 ) );
    field_mul  ( &a->x,   &L1,   &L0 );
    field_mul  (   &L0, &a->u, &a->y );
    field_addw ( &a->z,     1 );
    field_mul  ( &a->y, &a->z,   &L0 );
    field_subw ( &a->t,     1 );
    field_bias ( &a->t,     1 );
    mask_t ret = field_is_zero( &a->t );
    field_set_ui( &a->z,     1 );
    field_copy ( &a->t, &a->x );
    field_copy ( &a->u, &a->y );
    return ret;
}

void
set_identity_extensible (
    struct extensible_t* a
) {
    field_set_ui( &a->x,     0 );
    field_set_ui( &a->y,     1 );
    field_set_ui( &a->z,     1 );
    field_set_ui( &a->t,     0 );
    field_set_ui( &a->u,     0 );
}

void
set_identity_tw_extensible (
    struct tw_extensible_t* a
) {
    field_set_ui( &a->x,     0 );
    field_set_ui( &a->y,     1 );
    field_set_ui( &a->z,     1 );
    field_set_ui( &a->t,     0 );
    field_set_ui( &a->u,     0 );
}

void
set_identity_affine (
    struct affine_t* a
) {
    field_set_ui( &a->x,     0 );
    field_set_ui( &a->y,     1 );
}

mask_t
eq_affine (
    const struct affine_t* a,
    const struct affine_t* b
) {
    mask_t L1, L2;
    struct field_t L0;
    field_sub  (   &L0, &a->x, &b->x );
    field_bias (   &L0,     2 );
       L2 = field_is_zero(   &L0 );
    field_sub  (   &L0, &a->y, &b->y );
    field_bias (   &L0,     2 );
       L1 = field_is_zero(   &L0 );
    return    L2 &    L1;
}

mask_t
eq_extensible (
    const struct extensible_t* a,
    const struct extensible_t* b
) {
    mask_t L3, L4;
    struct field_t L0, L1, L2;
    field_mul  (   &L2, &b->z, &a->x );
    field_mul  (   &L1, &a->z, &b->x );
    field_sub  (   &L0,   &L2,   &L1 );
    field_bias (   &L0,     2 );
       L4 = field_is_zero(   &L0 );
    field_mul  (   &L2, &b->z, &a->y );
    field_mul  (   &L1, &a->z, &b->y );
    field_sub  (   &L0,   &L2,   &L1 );
    field_bias (   &L0,     2 );
       L3 = field_is_zero(   &L0 );
    return    L4 &    L3;
}

mask_t
eq_tw_extensible (
    const struct tw_extensible_t* a,
    const struct tw_extensible_t* b
) {
    mask_t L3, L4;
    struct field_t L0, L1, L2;
    field_mul  (   &L2, &b->z, &a->x );
    field_mul  (   &L1, &a->z, &b->x );
    field_sub  (   &L0,   &L2,   &L1 );
    field_bias (   &L0,     2 );
       L4 = field_is_zero(   &L0 );
    field_mul  (   &L2, &b->z, &a->y );
    field_mul  (   &L1, &a->z, &b->y );
    field_sub  (   &L0,   &L2,   &L1 );
    field_bias (   &L0,     2 );
       L3 = field_is_zero(   &L0 );
    return    L4 &    L3;
}

void
elligator_2s_inject (
    struct affine_t*     a,
    const struct field_t* r
) {
    mask_t L0, L1;
    struct field_t L2, L3, L4, L5, L6, L7, L8;
    field_sqr  ( &a->x,     r );
    field_sqr  (   &L3, &a->x );
    field_copy ( &a->y,   &L3 );
    field_subw ( &a->y,     1 );
    field_neg  (   &L4, &a->y );
    field_bias (   &L4,     2 );
    IF32( field_weak_reduce(   &L4 ) );
    field_sqr  (   &L2,   &L4 );
    field_mulw (   &L7,   &L2, (EDWARDS_D-1)*(EDWARDS_D-1) );
    field_mulw (   &L8,   &L3, 4*(EDWARDS_D+1)*(EDWARDS_D+1) );
    field_add  ( &a->y,   &L8,   &L7 );
    IF32( field_weak_reduce( &a->y ) );
    field_mulw (   &L8,   &L2, 4*(EDWARDS_D)*(EDWARDS_D-1) );
    field_sub  (   &L7, &a->y,   &L8 );
    field_bias (   &L7,     2 );
    IF32( field_weak_reduce(   &L7 ) );
    field_mulw_scc (   &L6, &a->y, -2-2*EDWARDS_D );
    field_mul  (   &L5,   &L7,   &L6 );
    field_mul  (   &L8,   &L5,   &L4 );
    field_mul  (   &L4,   &L5,   &L6 );
    field_mul  (   &L5,   &L7,   &L8 );
    field_mul  (   &L8,   &L5,   &L4 );
    field_mul  (   &L4,   &L7,   &L8 );
    field_isr  (   &L6,   &L4 );
    field_mul  (   &L4,   &L5,   &L6 );
    field_sqr  (   &L5,   &L6 );
    field_mul  (   &L6,   &L8,   &L5 );
    field_mul  (   &L8,   &L7,   &L6 );
    field_mul  (   &L7,   &L8,   &L6 );
    field_copy (   &L6, &a->x );
    field_subw (   &L6,     1 );
    field_addw ( &a->x,     1 );
    field_mul  (   &L5, &a->x,   &L8 );
    field_sub  ( &a->x,   &L6,   &L5 );
    field_bias ( &a->x,     3 );
    IF32( field_weak_reduce( &a->x ) );
    field_mul  (   &L5,   &L4, &a->x );
    field_mulw_scc_wr (   &a->x,   &L5, -2-2*EDWARDS_D );
    field_add  (   &L4,   &L3,   &L3 );
    field_add  (   &L3,   &L4,   &L2 );
    field_subw (   &L3,     2 );
    field_bias (   &L3,     1 );
    IF32( field_weak_reduce(   &L3 ) );
    field_mul  (   &L2,   &L3,   &L8 );
    field_mulw (   &L3,   &L2, 2*(EDWARDS_D+1)*(EDWARDS_D-1) );
    field_add  (   &L2,   &L3, &a->y );
    field_mul  ( &a->y,   &L7,   &L2 );
       L1 = field_is_zero(   &L8 );
       L0 = -   L1;
    field_addw ( &a->y,    L0 );
    field_weak_reduce( &a->y );
}

mask_t
validate_affine (
    const struct affine_t* a
) {
    struct field_t L0, L1, L2, L3;
    field_sqr  (   &L0, &a->y );
    field_sqr  (   &L1, &a->x );
    field_add  (   &L3,   &L1,   &L0 );
    field_subw (   &L3,     1 );
    field_mulw_scc (   &L2,   &L1, EDWARDS_D );
    field_mul  (   &L1,   &L0,   &L2 );
    field_sub  (   &L0,   &L3,   &L1 );
    field_bias (   &L0,     3 );
    return field_is_zero(   &L0 );
}

mask_t
validate_tw_extensible (
    const struct tw_extensible_t* ext
) {
    mask_t L4, L5;
    struct field_t L0, L1, L2, L3;
    /*
     * Check invariant:
     * 0 = -x*y + z*t*u
     */
    field_mul  (   &L1, &ext->t, &ext->u );
    field_mul  (   &L2, &ext->z,   &L1 );
    field_mul  (   &L0, &ext->x, &ext->y );
    field_neg  (   &L1,   &L0 );
    field_add  (   &L0,   &L1,   &L2 );
    field_bias (   &L0,     2 );
       L5 = field_is_zero(   &L0 );
    /*
     * Check invariant:
     * 0 = d*t^2*u^2 + x^2 - y^2 + z^2 - t^2*u^2
     */
    field_sqr  (   &L2, &ext->y );
    field_neg  (   &L1,   &L2 );
    field_sqr  (   &L0, &ext->x );
    field_add  (   &L2,   &L0,   &L1 );
    field_sqr  (   &L3, &ext->u );
    field_sqr  (   &L0, &ext->t );
    field_mul  (   &L1,   &L0,   &L3 );
    field_mulw_scc (   &L3,   &L1, EDWARDS_D );
    field_add  (   &L0,   &L3,   &L2 );
    field_neg  (   &L3,   &L1 );
    field_add  (   &L2,   &L3,   &L0 );
    field_sqr  (   &L1, &ext->z );
    field_add  (   &L0,   &L1,   &L2 );
    field_bias (   &L0,     2 );
       L4 = field_is_zero(   &L0 );
    return    L5 & L4 &~ field_is_zero(&ext->z);
}

mask_t
validate_extensible (
    const struct extensible_t* ext
) {
    mask_t L4, L5;
    struct field_t L0, L1, L2, L3;
    /*
     * Check invariant:
     * 0 = d*t^2*u^2 - x^2 - y^2 + z^2
     */
    field_sqr  (   &L2, &ext->y );
    field_neg  (   &L1,   &L2 );
    field_sqr  (   &L0, &ext->z );
    field_add  (   &L2,   &L0,   &L1 );
    field_sqr  (   &L3, &ext->u );
    field_sqr  (   &L0, &ext->t );
    field_mul  (   &L1,   &L0,   &L3 );
    field_mulw_scc (   &L0,   &L1, EDWARDS_D );
    field_add  (   &L1,   &L0,   &L2 );
    field_sqr  (   &L0, &ext->x );
    field_neg  (   &L2,   &L0 );
    field_add  (   &L0,   &L2,   &L1 );
    field_bias (   &L0,     2 );
       L5 = field_is_zero(   &L0 );
    /*
     * Check invariant:
     * 0 = -x*y + z*t*u
     */
    field_mul  (   &L1, &ext->t, &ext->u );
    field_mul  (   &L2, &ext->z,   &L1 );
    field_mul  (   &L0, &ext->x, &ext->y );
    field_neg  (   &L1,   &L0 );
    field_add  (   &L0,   &L1,   &L2 );
    field_bias (   &L0,     2 );
       L4 = field_is_zero(   &L0 );
    return L5 & L4 &~ field_is_zero(&ext->z);
}