From b2e281855cb40f5c9b0903f2d04e73a899f4044e Mon Sep 17 00:00:00 2001 From: Alexandr Kitaev Date: Sat, 20 May 2023 21:59:26 +0300 Subject: [PATCH] bign-curve256v1 (#796) bign curve (STB 34.101.45-2013) --- .github/workflows/bign256.yml | 114 + Cargo.lock | 28 + Cargo.toml | 1 + README.md | 3 + bign256/.gitignore | 2 + bign256/CHANGELOG.md | 6 + bign256/Cargo.toml | 45 + bign256/LICENSE-APACHE | 201 + bign256/LICENSE-MIT | 25 + bign256/README.md | 85 + bign256/benches/field.rs | 55 + bign256/benches/scalar.rs | 75 + bign256/src/arithmetic.rs | 45 + bign256/src/arithmetic/field.rs | 159 + bign256/src/arithmetic/field/bign256_32.rs | 5374 ++++++++++++++++ bign256/src/arithmetic/field/bign256_64.rs | 2015 ++++++ bign256/src/arithmetic/scalar.rs | 320 + .../arithmetic/scalar/bign256_scalar_32.rs | 5730 +++++++++++++++++ .../arithmetic/scalar/bign256_scalar_64.rs | 2106 ++++++ bign256/src/lib.rs | 106 + bign256/src/test_vectors.rs | 5 + bign256/src/test_vectors/field.rs | 257 + bign256/src/test_vectors/group.rs | 257 + bign256/tests/projective.rs | 27 + bign256/tests/scalar.rs | 22 + 25 files changed, 17063 insertions(+) create mode 100644 .github/workflows/bign256.yml create mode 100644 bign256/.gitignore create mode 100644 bign256/CHANGELOG.md create mode 100644 bign256/Cargo.toml create mode 100644 bign256/LICENSE-APACHE create mode 100644 bign256/LICENSE-MIT create mode 100644 bign256/README.md create mode 100644 bign256/benches/field.rs create mode 100644 bign256/benches/scalar.rs create mode 100644 bign256/src/arithmetic.rs create mode 100644 bign256/src/arithmetic/field.rs create mode 100644 bign256/src/arithmetic/field/bign256_32.rs create mode 100644 bign256/src/arithmetic/field/bign256_64.rs create mode 100644 bign256/src/arithmetic/scalar.rs create mode 100644 bign256/src/arithmetic/scalar/bign256_scalar_32.rs create mode 100644 bign256/src/arithmetic/scalar/bign256_scalar_64.rs create mode 100644 bign256/src/lib.rs create mode 100644 bign256/src/test_vectors.rs create mode 100644 bign256/src/test_vectors/field.rs create mode 100644 bign256/src/test_vectors/group.rs create mode 100644 bign256/tests/projective.rs create mode 100644 bign256/tests/scalar.rs diff --git a/.github/workflows/bign256.yml b/.github/workflows/bign256.yml new file mode 100644 index 00000000..e7d9b34d --- /dev/null +++ b/.github/workflows/bign256.yml @@ -0,0 +1,114 @@ +name: bign256 + +on: + pull_request: + paths: + - ".github/workflows/bign256.yml" + - "bign256/**" + - "Cargo.*" + push: + branches: master + +defaults: + run: + working-directory: bign256 + +env: + CARGO_INCREMENTAL: 0 + RUSTFLAGS: "-Dwarnings" + RUSTDOCFLAGS: "-Dwarnings" + +jobs: + build: + runs-on: ubuntu-latest + strategy: + matrix: + rust: + - 1.65.0 # MSRV + - stable + target: + - thumbv7em-none-eabi + - wasm32-unknown-unknown + steps: + - uses: actions/checkout@v3 + - uses: dtolnay/rust-toolchain@master + with: + toolchain: ${{ matrix.rust }} + targets: ${{ matrix.target }} + - run: cargo build --target ${{ matrix.target }} --release --no-default-features + - run: cargo build --target ${{ matrix.target }} --release --no-default-features --features alloc + - run: cargo build --target ${{ matrix.target }} --release --no-default-features --features pkcs8 + + test: + runs-on: ubuntu-latest + strategy: + matrix: + include: + # 32-bit Linux + - target: i686-unknown-linux-gnu + rust: 1.65.0 # MSRV + deps: sudo apt update && sudo apt install gcc-multilib + - target: i686-unknown-linux-gnu + rust: stable + deps: sudo apt update && sudo apt install gcc-multilib + + # 64-bit Linux + - target: x86_64-unknown-linux-gnu + rust: 1.65.0 # MSRV + - target: x86_64-unknown-linux-gnu + rust: stable + + steps: + - uses: actions/checkout@v3 + - uses: dtolnay/rust-toolchain@master + with: + toolchain: ${{ matrix.rust }} + targets: ${{ matrix.target }} + - run: ${{ matrix.deps }} + - run: cargo check --target ${{ matrix.target }} --all-features + - run: cargo test --release --target ${{ matrix.target }} --no-default-features + - run: cargo test --release --target ${{ matrix.target }} + - run: cargo test --release --target ${{ matrix.target }} --all-features + + cross: + strategy: + matrix: + include: + # ARM32 + - target: armv7-unknown-linux-gnueabihf + rust: 1.65.0 # MSRV (cross) + - target: armv7-unknown-linux-gnueabihf + rust: stable + + # ARM64 + - target: aarch64-unknown-linux-gnu + rust: 1.65.0 # MSRV (cross) + - target: aarch64-unknown-linux-gnu + rust: stable + + # PPC32 + - target: powerpc-unknown-linux-gnu + rust: 1.65.0 # MSRV (cross) + - target: powerpc-unknown-linux-gnu + rust: stable + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - run: ${{ matrix.deps }} + - uses: dtolnay/rust-toolchain@master + with: + toolchain: ${{ matrix.rust }} + targets: ${{ matrix.target }} + - uses: RustCrypto/actions/cross-install@master + - run: cross test --release --target ${{ matrix.target }} --all-features + + doc: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: RustCrypto/actions/cargo-cache@master + - uses: dtolnay/rust-toolchain@master + with: + toolchain: stable + - run: cargo doc --all-features diff --git a/Cargo.lock b/Cargo.lock index b51c2860..46d7ef93 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -46,6 +46,34 @@ version = "1.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b" +[[package]] +name = "belt-block" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a1be3fcfd5950762b6ac3f929b7ac65f31b35afee94e17f6fcadd58ee47abee" + +[[package]] +name = "belt-hash" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4d8ee43afdfcc493dec1e51c8032546cc1c52b4d68549e6469d03ff2cf3c3d91" +dependencies = [ + "belt-block", + "digest", +] + +[[package]] +name = "bign256" +version = "0.1.0" +dependencies = [ + "belt-hash", + "ecdsa", + "elliptic-curve", + "hex-literal", + "primeorder", + "serdect", +] + [[package]] name = "bit-set" version = "0.5.3" diff --git a/Cargo.toml b/Cargo.toml index 84a8641b..15523c0f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,7 @@ [workspace] resolver = "2" members = [ + "bign256", "bp256", "bp384", "k256", diff --git a/README.md b/README.md index bca00eae..bc4786b9 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ NOTE: Most crates have field/point arithmetic implementations gated under the | Name | Curve | `arithmetic`? | Crates.io | Documentation | Build Status | |-----------|--------------------|---------------|-------------------------------------------------------------------------------------------|----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------| +| [`bign256`] | bign-curve256v1 | βœ… | [![crates.io](https://img.shields.io/crates/v/bign256.svg)](https://crates.io/crates/bign256) | [![Documentation](https://docs.rs/bign256/badge.svg)](https://docs.rs/bign256) | ![build](https://github.com/RustCrypto/elliptic-curves/workflows/bign256/badge.svg?branch=master&event=push) | | [`bp256`] | brainpoolP256r1/t1 | 🚧 | [![crates.io](https://img.shields.io/crates/v/bp256.svg)](https://crates.io/crates/bp256) | [![Documentation](https://docs.rs/bp256/badge.svg)](https://docs.rs/bp256) | ![build](https://github.com/RustCrypto/elliptic-curves/workflows/bp256/badge.svg?branch=master&event=push) | | [`bp384`] | brainpoolP384r1/t1 | 🚧 | [![crates.io](https://img.shields.io/crates/v/bp384.svg)](https://crates.io/crates/bp384) | [![Documentation](https://docs.rs/bp384/badge.svg)](https://docs.rs/bp384) | ![build](https://github.com/RustCrypto/elliptic-curves/workflows/bp384/badge.svg?branch=master&event=push) | | [`k256`] | [secp256k1] | βœ… | [![crates.io](https://img.shields.io/crates/v/k256.svg)](https://crates.io/crates/k256) | [![Documentation](https://docs.rs/k256/badge.svg)](https://docs.rs/k256) | ![build](https://github.com/RustCrypto/elliptic-curves/workflows/k256/badge.svg?branch=master&event=push) | @@ -64,6 +65,7 @@ dual licensed as above, without any additional terms or conditions. [//]: # (crates) +[`bign256`]: ./bign256 [`bp256`]: ./bp256 [`bp384`]: ./bp384 [`k256`]: ./k256 @@ -83,6 +85,7 @@ dual licensed as above, without any additional terms or conditions. [NIST P-384]: https://neuromancer.sk/std/nist/P-384 [NIST P-521]: https://neuromancer.sk/std/nist/P-521 [SM2]: https://neuromancer.sk/std/oscaa/SM2 +[BIGN P-256]: https://apmi.bsu.by/assets/files/std/bign-spec294.pdf [//]: # (links) diff --git a/bign256/.gitignore b/bign256/.gitignore new file mode 100644 index 00000000..4fffb2f8 --- /dev/null +++ b/bign256/.gitignore @@ -0,0 +1,2 @@ +/target +/Cargo.lock diff --git a/bign256/CHANGELOG.md b/bign256/CHANGELOG.md new file mode 100644 index 00000000..9ae95379 --- /dev/null +++ b/bign256/CHANGELOG.md @@ -0,0 +1,6 @@ +# Changelog +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + diff --git a/bign256/Cargo.toml b/bign256/Cargo.toml new file mode 100644 index 00000000..8f6228fa --- /dev/null +++ b/bign256/Cargo.toml @@ -0,0 +1,45 @@ +[package] +name = "bign256" +version = "0.0.0" +description = """ +Pure Rust implementation of the Bign P-256 (a.k.a. bign-curve256v1) +elliptic curve as defined in STB 34.101.45-2013, with +general purpose curve arithmetic +""" +authors = ["RustCrypto Developers"] +license = "Apache-2.0 OR MIT" +documentation = "https://docs.rs/bign-curve256v1" +repository = "https://github.com/RustCrypto/elliptic-curves/tree/master/bign256" +readme = "README.md" +categories = ["cryptography", "no-std"] +keywords = ["crypto", "ecc", "stb", "bign-curve256v1", "bignp256"] +edition = "2021" +rust-version = "1.65" + +[dependencies] +elliptic-curve = { version = "0.13.1", features = ["hazmat", "sec1", "arithmetic"] } +primeorder = { version = "0.13", path = "../primeorder" } + +ecdsa-core = { version = "0.16", package = "ecdsa", optional = true, default-features = false, features = ["der"] } +serdect = { version = "0.2", optional = true, default-features = false } +belt-hash = { version = "0.1.0", optional = true } + +[dev-dependencies] +hex-literal = "0.4" +criterion = "0.4" + + +[features] +default = ["pkcs8", "std"] +alloc = ["ecdsa-core?/alloc", "elliptic-curve/alloc"] +std = ["alloc", "ecdsa-core?/std", "elliptic-curve/std"] + +pkcs8 = ["ecdsa-core/pkcs8", "elliptic-curve/pkcs8"] + +[[bench]] +name = "field" +harness = false + +[[bench]] +name = "scalar" +harness = false diff --git a/bign256/LICENSE-APACHE b/bign256/LICENSE-APACHE new file mode 100644 index 00000000..78173fa2 --- /dev/null +++ b/bign256/LICENSE-APACHE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/bign256/LICENSE-MIT b/bign256/LICENSE-MIT new file mode 100644 index 00000000..700494a1 --- /dev/null +++ b/bign256/LICENSE-MIT @@ -0,0 +1,25 @@ +Copyright (c) 2023 RustCrypto Developers + +Permission is hereby granted, free of charge, to any +person obtaining a copy of this software and associated +documentation files (the "Software"), to deal in the +Software without restriction, including without +limitation the rights to use, copy, modify, merge, +publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software +is furnished to do so, subject to the following +conditions: + +The above copyright notice and this permission notice +shall be included in all copies or substantial portions +of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF +ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED +TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A +PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT +SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR +IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. diff --git a/bign256/README.md b/bign256/README.md new file mode 100644 index 00000000..1b67ee58 --- /dev/null +++ b/bign256/README.md @@ -0,0 +1,85 @@ +# [RustCrypto]: BIGN P-256 (bign-curve256v1) elliptic curve + +[![crate][crate-image]][crate-link] +[![Docs][docs-image]][docs-link] +[![Build Status][build-image]][build-link] +![Apache2/MIT licensed][license-image] +![Rust Version][rustc-image] +[![Project Chat][chat-image]][chat-link] + +Pure Rust implementation of the BIGN P-256 (a.k.a. bign-curve256v1) elliptic curve +with support for ECDSA signing/verification, and general purpose curve +arithmetic support implemented in terms of traits from the [`elliptic-curve`] +crate. + +[Documentation][docs-link] + +## ⚠️ Security Warning + +The elliptic curve arithmetic contained in this crate has never been +independently audited! + +This crate has been designed with the goal of ensuring that secret-dependent +operations are performed in constant time (using the `subtle` crate and +constant-time formulas). However, it has not been thoroughly assessed to ensure +that generated assembly is constant time on common CPU architectures. + +USE AT YOUR OWN RISK! + +## Supported Algorithms + +## About BIGN P-256 + +BIGN P-256 is a Weierstrass curve specified in [STB 34.101.45-2013]: +Recommendations for Discrete Logarithm-based Cryptography: +Elliptic Curve Domain Parameters. + +Also known as bign-curve256v1. + +## Minimum Supported Rust Version + +Rust **1.65** or higher. + +Minimum supported Rust version can be changed in the future, but it will be +done with a minor version bump. + +## SemVer Policy + +- All on-by-default features of this library are covered by SemVer +- MSRV is considered exempt from SemVer as noted above + +## License + +All crates licensed under either of + + * [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0) + * [MIT license](http://opensource.org/licenses/MIT) + +at your option. + +### Contribution + +Unless you explicitly state otherwise, any contribution intentionally submitted +for inclusion in the work by you, as defined in the Apache-2.0 license, shall be +dual licensed as above, without any additional terms or conditions. + +[//]: # (badges) + +[crate-image]: https://buildstats.info/crate/p224 +[crate-link]: https://crates.io/crates/p224 +[docs-image]: https://docs.rs/p224/badge.svg +[docs-link]: https://docs.rs/p224/ +[build-image]: https://github.com/RustCrypto/elliptic-curves/actions/workflows/p224.yml/badge.svg +[build-link]: https://github.com/RustCrypto/elliptic-curves/actions/workflows/p224.yml +[license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg +[rustc-image]: https://img.shields.io/badge/rustc-1.65+-blue.svg +[chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg +[chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260040-elliptic-curves + +[//]: # (general links) + +[RustCrypto]: https://github.com/rustcrypto/ +[`elliptic-curve`]: https://github.com/RustCrypto/traits/tree/master/elliptic-curve +[ECDH]: https://en.wikipedia.org/wiki/Elliptic-curve_Diffie-Hellman +[ECDSA]: https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm +[STB 34.101.45-2013]: https://apmi.bsu.by/assets/files/std/bign-spec294.pdf diff --git a/bign256/benches/field.rs b/bign256/benches/field.rs new file mode 100644 index 00000000..7812c27a --- /dev/null +++ b/bign256/benches/field.rs @@ -0,0 +1,55 @@ +//! bign-curve256v1 field element benchmarks + +use bign256::elliptic_curve::Field; +use bign256::FieldElement; +use criterion::{ + criterion_group, criterion_main, measurement::Measurement, BenchmarkGroup, Criterion, +}; +use hex_literal::hex; + +fn test_field_element_x() -> FieldElement { + FieldElement::from_bytes( + &hex!("1ccbe91c075fc7f4f033bfa248db8fccd3565de94bbfb12f3c59ff46c271bf83").into(), + ) + .unwrap() +} + +fn test_field_element_y() -> FieldElement { + FieldElement::from_bytes( + &hex!("ce4014c68811f9a21a1fdb2c0e6113e06db7ca93b7404e78dc7ccd5ca89a4ca9").into(), + ) + .unwrap() +} + +fn bench_field_element_mul<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { + let x = test_field_element_x(); + let y = test_field_element_y(); + group.bench_function("mul", |b| b.iter(|| &x * &y)); +} + +fn bench_field_element_square<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { + let x = test_field_element_x(); + group.bench_function("square", |b| b.iter(|| x.square())); +} + +fn bench_field_element_sqrt<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { + let x = test_field_element_x(); + group.bench_function("sqrt", |b| b.iter(|| x.sqrt())); +} + +fn bench_field_element_invert<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { + let x = test_field_element_x(); + group.bench_function("invert", |b| b.iter(|| x.invert())); +} + +fn bench_field_element(c: &mut Criterion) { + let mut group = c.benchmark_group("field element operations"); + bench_field_element_mul(&mut group); + bench_field_element_square(&mut group); + bench_field_element_invert(&mut group); + bench_field_element_sqrt(&mut group); + group.finish(); +} + +criterion_group!(benches, bench_field_element); +criterion_main!(benches); diff --git a/bign256/benches/scalar.rs b/bign256/benches/scalar.rs new file mode 100644 index 00000000..ac63234d --- /dev/null +++ b/bign256/benches/scalar.rs @@ -0,0 +1,75 @@ +//! bign-curve256v1 scalar arithmetic benchmarks + +use bign256::{elliptic_curve::group::ff::PrimeField, ProjectivePoint, Scalar}; +use criterion::{ + criterion_group, criterion_main, measurement::Measurement, BenchmarkGroup, Criterion, +}; +use hex_literal::hex; + +fn test_scalar_x() -> Scalar { + Scalar::from_repr( + hex!("519b423d715f8b581f4fa8ee59f4771a5b44c8130b4e3eacca54a56dda72b464").into(), + ) + .unwrap() +} + +fn test_scalar_y() -> Scalar { + Scalar::from_repr( + hex!("0f56db78ca460b055c500064824bed999a25aaf48ebb519ac201537b85479813").into(), + ) + .unwrap() +} + +fn bench_point_mul<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { + let p = ProjectivePoint::GENERATOR; + let m = test_scalar_x(); + let s = Scalar::from_repr(m.into()).unwrap(); + group.bench_function("point-scalar mul", |b| b.iter(|| &p * &s)); +} + +fn bench_scalar_sub<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { + let x = test_scalar_x(); + let y = test_scalar_y(); + group.bench_function("sub", |b| b.iter(|| &x - &y)); +} + +fn bench_scalar_add<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { + let x = test_scalar_x(); + let y = test_scalar_y(); + group.bench_function("add", |b| b.iter(|| &x + &y)); +} + +fn bench_scalar_mul<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { + let x = test_scalar_x(); + let y = test_scalar_y(); + group.bench_function("mul", |b| b.iter(|| &x * &y)); +} + +fn bench_scalar_negate<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { + let x = test_scalar_x(); + group.bench_function("negate", |b| b.iter(|| -x)); +} + +fn bench_scalar_invert<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { + let x = test_scalar_x(); + group.bench_function("invert", |b| b.iter(|| x.invert())); +} + +fn bench_point(c: &mut Criterion) { + let mut group = c.benchmark_group("point operations"); + bench_point_mul(&mut group); + group.finish(); +} + +fn bench_scalar(c: &mut Criterion) { + let mut group = c.benchmark_group("scalar operations"); + bench_scalar_sub(&mut group); + bench_scalar_add(&mut group); + bench_scalar_mul(&mut group); + bench_scalar_negate(&mut group); + bench_scalar_invert(&mut group); + group.finish(); +} + +criterion_group!(benches, bench_point, bench_scalar); +criterion_main!(benches); diff --git a/bign256/src/arithmetic.rs b/bign256/src/arithmetic.rs new file mode 100644 index 00000000..55ca2482 --- /dev/null +++ b/bign256/src/arithmetic.rs @@ -0,0 +1,45 @@ +//! Pure Rust implementation of group operations on bign-curve256v1. +//! +//! Curve parameters can be found in STB 34.101.45-2013 +//! +//! +//! See table B.1: l = 128. + +pub(crate) mod field; +pub(crate) mod scalar; + +pub use self::scalar::Scalar; + +use self::field::FieldElement; +use crate::BignP256; +use elliptic_curve::{CurveArithmetic, PrimeCurveArithmetic}; +use primeorder::{point_arithmetic, PrimeCurveParams}; + +/// Elliptic curve point in affine coordinates. +pub type AffinePoint = primeorder::AffinePoint; + +/// Elliptic curve point in projective coordinates. +pub type ProjectivePoint = primeorder::ProjectivePoint; + +impl CurveArithmetic for BignP256 { + type AffinePoint = AffinePoint; + type ProjectivePoint = ProjectivePoint; + type Scalar = Scalar; +} + +impl PrimeCurveArithmetic for BignP256 { + type CurveGroup = ProjectivePoint; +} + +impl PrimeCurveParams for BignP256 { + type FieldElement = FieldElement; + type PointArithmetic = point_arithmetic::EquationAIsGeneric; + const EQUATION_A: Self::FieldElement = + FieldElement::from_hex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF40"); + const EQUATION_B: Self::FieldElement = + FieldElement::from_hex("77CE6C1515F3A8EDD2C13AABE4D8FBBE4CF55069978B9253B22E7D6BD69C03F1"); + const GENERATOR: (Self::FieldElement, Self::FieldElement) = ( + FieldElement::ZERO, + FieldElement::from_hex("6BF7FC3CFB16D69F5CE4C9A351D6835D78913966C408F6521E29CF1804516A93"), + ); +} diff --git a/bign256/src/arithmetic/field.rs b/bign256/src/arithmetic/field.rs new file mode 100644 index 00000000..e35dd5f8 --- /dev/null +++ b/bign256/src/arithmetic/field.rs @@ -0,0 +1,159 @@ +//! Field arithmetic modulo p = 2^{256} βˆ’ 189 +//! +//! Arithmetic implementations are extracted Rust code from the Coq fiat-crypto +//! libraries. +//! +//! # License +//! +//! Copyright (c) 2015-2020 the fiat-crypto authors +//! +//! fiat-crypto is distributed under the terms of the MIT License, the +//! Apache License (Version 2.0), and the BSD 1-Clause License; +//! users may pick which license to apply. + +#![allow( + clippy::should_implement_trait, + clippy::suspicious_op_assign_impl, + clippy::unused_unit, + clippy::unnecessary_cast, + clippy::too_many_arguments, + clippy::identity_op +)] + +#[cfg_attr(target_pointer_width = "32", path = "field/bign256_32.rs")] +#[cfg_attr(target_pointer_width = "64", path = "field/bign256_64.rs")] +mod field_impl; + +use self::field_impl::*; +use crate::{BignP256, FieldBytes, Uint}; +use core::{ + iter::{Product, Sum}, + ops::{AddAssign, MulAssign, Neg, SubAssign}, +}; +use elliptic_curve::bigint::Limb; +use elliptic_curve::{ + ff::PrimeField, + subtle::{Choice, ConstantTimeEq, CtOption}, +}; +use primeorder::impl_bernstein_yang_invert; + +/// Constant representing the modulus +/// p = 2^{256} βˆ’ 189 +pub(crate) const MODULUS: Uint = + Uint::from_be_hex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF43"); + +/// Element of the bign-256 base field used for curve coordinates. +#[derive(Clone, Copy, Debug)] +pub struct FieldElement(pub(super) Uint); + +primeorder::impl_mont_field_element!( + BignP256, + FieldElement, + FieldBytes, + Uint, + MODULUS, + fiat_bign256_montgomery_domain_field_element, + fiat_bign256_from_montgomery, + fiat_bign256_to_montgomery, + fiat_bign256_add, + fiat_bign256_sub, + fiat_bign256_mul, + fiat_bign256_opp, + fiat_bign256_square +); + +impl FieldElement { + /// Compute [`FieldElement`] inversion: `1 / self`. + pub fn invert(&self) -> CtOption { + CtOption::new(self.invert_unchecked(), !self.is_zero()) + } + + /// Returns the multiplicative inverse of self. + /// + /// Does not check that self is non-zero. + const fn invert_unchecked(&self) -> Self { + let words = impl_bernstein_yang_invert!( + self.0.as_words(), + Self::ONE.0.to_words(), + 256, + Uint::LIMBS, + Limb, + fiat_bign256_from_montgomery, + fiat_bign256_mul, + fiat_bign256_opp, + fiat_bign256_divstep_precomp, + fiat_bign256_divstep, + fiat_bign256_msat, + fiat_bign256_selectznz, + ); + Self(Uint::from_words(words)) + } + + /// Returns the square root of self mod p, or `None` if no square root + /// exists. + pub fn sqrt(&self) -> CtOption { + // Because p ≑ 3 mod 4, sqrt can be done with only one + // exponentiation via the computation of self^((p + 1) // 4) (mod p). + let sqrt = self.pow_vartime(&[ + 0xffffffffffffffd1, + 0xffffffffffffffff, + 0xffffffffffffffff, + 0x3fffffffffffffff, + ]); + CtOption::new(sqrt, (sqrt * sqrt).ct_eq(self)) + } +} + +impl PrimeField for FieldElement { + type Repr = FieldBytes; + + #[inline] + fn from_repr(bytes: FieldBytes) -> CtOption { + Self::from_bytes(&bytes) + } + + #[inline] + fn to_repr(&self) -> FieldBytes { + self.to_bytes() + } + + #[inline] + fn is_odd(&self) -> Choice { + self.is_odd() + } + + const MODULUS: &'static str = + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff43"; + const NUM_BITS: u32 = 256; + const CAPACITY: u32 = 255; + const TWO_INV: Self = Self::from_u64(2).invert_unchecked(); + const MULTIPLICATIVE_GENERATOR: Self = Self::from_u64(2); + const S: u32 = 1; + const ROOT_OF_UNITY: Self = + Self::from_hex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff42"); + const ROOT_OF_UNITY_INV: Self = Self::ROOT_OF_UNITY.invert_unchecked(); + const DELTA: Self = Self::from_u64(4); +} + +#[cfg(test)] +mod tests { + use super::FieldElement; + use elliptic_curve::ff::PrimeField; + use primeorder::{ + impl_field_identity_tests, impl_field_invert_tests, impl_field_sqrt_tests, + impl_primefield_tests, + }; + + // t = (modulus - 1) >> S + const T: [u64; 4] = [ + 0xffffffffffffffa1, + 0xffffffffffffffff, + 0xffffffffffffffff, + 0x7fffffffffffffff, + ]; + + impl_field_identity_tests!(FieldElement); + impl_field_invert_tests!(FieldElement); + impl_field_sqrt_tests!(FieldElement); + impl_primefield_tests!(FieldElement, T); +} diff --git a/bign256/src/arithmetic/field/bign256_32.rs b/bign256/src/arithmetic/field/bign256_32.rs new file mode 100644 index 00000000..8e155dff --- /dev/null +++ b/bign256/src/arithmetic/field/bign256_32.rs @@ -0,0 +1,5374 @@ +#![doc = " fiat-crypto output postprocessed by fiat-constify: "] +#![doc = " Autogenerated: './word_by_word_montgomery' --lang Rust --inline bign256 32 '2^256 - 189' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp"] +#![doc = " curve description: bign256"] +#![doc = " machine_wordsize = 32 (from \"32\")"] +#![doc = " requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp"] +#![doc = " m = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff43 (from \"2^256 - 189\")"] +#![doc = ""] +#![doc = " NOTE: In addition to the bounds specified above each function, all"] +#![doc = " functions synthesized for this Montgomery arithmetic require the"] +#![doc = " input to be strictly less than the prime modulus (m), and also"] +#![doc = " require the input to be in the unique saturated representation."] +#![doc = " All functions also ensure that these two properties are true of"] +#![doc = " return values."] +#![doc = ""] +#![doc = " Computed values:"] +#![doc = " eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224)"] +#![doc = " bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248)"] +#![doc = " twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in"] +#![doc = " if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256"] +#![allow(unused_parens)] +#![allow(non_camel_case_types)] +#![allow( + clippy::identity_op, + clippy::unnecessary_cast, + dead_code, + rustdoc::broken_intra_doc_links, + unused_assignments, + unused_mut, + unused_variables +)] +pub type fiat_bign256_u1 = u8; +pub type fiat_bign256_i1 = i8; +pub type fiat_bign256_u2 = u8; +pub type fiat_bign256_i2 = i8; +pub type fiat_bign256_montgomery_domain_field_element = [u32; 8]; +pub type fiat_bign256_non_montgomery_domain_field_element = [u32; 8]; +#[doc = " The function fiat_bign256_addcarryx_u32 is an addition with carry."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (arg1 + arg2 + arg3) mod 2^32"] +#[doc = " out2 = ⌊(arg1 + arg2 + arg3) / 2^32βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[doc = " out2: [0x0 ~> 0x1]"] +#[inline] +pub const fn fiat_bign256_addcarryx_u32( + arg1: fiat_bign256_u1, + arg2: u32, + arg3: u32, +) -> (u32, fiat_bign256_u1) { + let mut out1: u32 = 0; + let mut out2: fiat_bign256_u1 = 0; + let x1: u64 = (((arg1 as u64) + (arg2 as u64)) + (arg3 as u64)); + let x2: u32 = ((x1 & (0xffffffff as u64)) as u32); + let x3: fiat_bign256_u1 = ((x1 >> 32) as fiat_bign256_u1); + out1 = x2; + out2 = x3; + (out1, out2) +} +#[doc = " The function fiat_bign256_subborrowx_u32 is a subtraction with borrow."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (-arg1 + arg2 + -arg3) mod 2^32"] +#[doc = " out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[doc = " out2: [0x0 ~> 0x1]"] +#[inline] +pub const fn fiat_bign256_subborrowx_u32( + arg1: fiat_bign256_u1, + arg2: u32, + arg3: u32, +) -> (u32, fiat_bign256_u1) { + let mut out1: u32 = 0; + let mut out2: fiat_bign256_u1 = 0; + let x1: i64 = (((arg2 as i64) - (arg1 as i64)) - (arg3 as i64)); + let x2: fiat_bign256_i1 = ((x1 >> 32) as fiat_bign256_i1); + let x3: u32 = ((x1 & (0xffffffff as i64)) as u32); + out1 = x3; + out2 = (((0x0 as fiat_bign256_i2) - (x2 as fiat_bign256_i2)) as fiat_bign256_u1); + (out1, out2) +} +#[doc = " The function fiat_bign256_mulx_u32 is a multiplication, returning the full double-width result."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (arg1 * arg2) mod 2^32"] +#[doc = " out2 = ⌊arg1 * arg2 / 2^32βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0xffffffff]"] +#[doc = " arg2: [0x0 ~> 0xffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[doc = " out2: [0x0 ~> 0xffffffff]"] +#[inline] +pub const fn fiat_bign256_mulx_u32(arg1: u32, arg2: u32) -> (u32, u32) { + let mut out1: u32 = 0; + let mut out2: u32 = 0; + let x1: u64 = ((arg1 as u64) * (arg2 as u64)); + let x2: u32 = ((x1 & (0xffffffff as u64)) as u32); + let x3: u32 = ((x1 >> 32) as u32); + out1 = x2; + out2 = x3; + (out1, out2) +} +#[doc = " The function fiat_bign256_cmovznz_u32 is a single-word conditional move."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[inline] +pub const fn fiat_bign256_cmovznz_u32(arg1: fiat_bign256_u1, arg2: u32, arg3: u32) -> u32 { + let mut out1: u32 = 0; + let x1: fiat_bign256_u1 = (!(!arg1)); + let x2: u32 = ((((((0x0 as fiat_bign256_i2) - (x1 as fiat_bign256_i2)) as fiat_bign256_i1) + as i64) + & (0xffffffff as i64)) as u32); + let x3: u32 = ((x2 & arg3) | ((!x2) & arg2)); + out1 = x3; + out1 +} +#[doc = " The function fiat_bign256_mul multiplies two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_mul( + arg1: &fiat_bign256_montgomery_domain_field_element, + arg2: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 8]; + let x1: u32 = (arg1[1]); + let x2: u32 = (arg1[2]); + let x3: u32 = (arg1[3]); + let x4: u32 = (arg1[4]); + let x5: u32 = (arg1[5]); + let x6: u32 = (arg1[6]); + let x7: u32 = (arg1[7]); + let x8: u32 = (arg1[0]); + let mut x9: u32 = 0; + let mut x10: u32 = 0; + let (x9, x10) = fiat_bign256_mulx_u32(x8, (arg2[7])); + let mut x11: u32 = 0; + let mut x12: u32 = 0; + let (x11, x12) = fiat_bign256_mulx_u32(x8, (arg2[6])); + let mut x13: u32 = 0; + let mut x14: u32 = 0; + let (x13, x14) = fiat_bign256_mulx_u32(x8, (arg2[5])); + let mut x15: u32 = 0; + let mut x16: u32 = 0; + let (x15, x16) = fiat_bign256_mulx_u32(x8, (arg2[4])); + let mut x17: u32 = 0; + let mut x18: u32 = 0; + let (x17, x18) = fiat_bign256_mulx_u32(x8, (arg2[3])); + let mut x19: u32 = 0; + let mut x20: u32 = 0; + let (x19, x20) = fiat_bign256_mulx_u32(x8, (arg2[2])); + let mut x21: u32 = 0; + let mut x22: u32 = 0; + let (x21, x22) = fiat_bign256_mulx_u32(x8, (arg2[1])); + let mut x23: u32 = 0; + let mut x24: u32 = 0; + let (x23, x24) = fiat_bign256_mulx_u32(x8, (arg2[0])); + let mut x25: u32 = 0; + let mut x26: fiat_bign256_u1 = 0; + let (x25, x26) = fiat_bign256_addcarryx_u32(0x0, x24, x21); + let mut x27: u32 = 0; + let mut x28: fiat_bign256_u1 = 0; + let (x27, x28) = fiat_bign256_addcarryx_u32(x26, x22, x19); + let mut x29: u32 = 0; + let mut x30: fiat_bign256_u1 = 0; + let (x29, x30) = fiat_bign256_addcarryx_u32(x28, x20, x17); + let mut x31: u32 = 0; + let mut x32: fiat_bign256_u1 = 0; + let (x31, x32) = fiat_bign256_addcarryx_u32(x30, x18, x15); + let mut x33: u32 = 0; + let mut x34: fiat_bign256_u1 = 0; + let (x33, x34) = fiat_bign256_addcarryx_u32(x32, x16, x13); + let mut x35: u32 = 0; + let mut x36: fiat_bign256_u1 = 0; + let (x35, x36) = fiat_bign256_addcarryx_u32(x34, x14, x11); + let mut x37: u32 = 0; + let mut x38: fiat_bign256_u1 = 0; + let (x37, x38) = fiat_bign256_addcarryx_u32(x36, x12, x9); + let x39: u32 = ((x38 as u32) + x10); + let mut x40: u32 = 0; + let mut x41: u32 = 0; + let (x40, x41) = fiat_bign256_mulx_u32(x23, 0xea53fa95); + let mut x42: u32 = 0; + let mut x43: u32 = 0; + let (x42, x43) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x44: u32 = 0; + let mut x45: u32 = 0; + let (x44, x45) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x46: u32 = 0; + let mut x47: u32 = 0; + let (x46, x47) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x48: u32 = 0; + let mut x49: u32 = 0; + let (x48, x49) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x50: u32 = 0; + let mut x51: u32 = 0; + let (x50, x51) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x52: u32 = 0; + let mut x53: u32 = 0; + let (x52, x53) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x54: u32 = 0; + let mut x55: u32 = 0; + let (x54, x55) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x56: u32 = 0; + let mut x57: u32 = 0; + let (x56, x57) = fiat_bign256_mulx_u32(x40, 0xffffff43); + let mut x58: u32 = 0; + let mut x59: fiat_bign256_u1 = 0; + let (x58, x59) = fiat_bign256_addcarryx_u32(0x0, x57, x54); + let mut x60: u32 = 0; + let mut x61: fiat_bign256_u1 = 0; + let (x60, x61) = fiat_bign256_addcarryx_u32(x59, x55, x52); + let mut x62: u32 = 0; + let mut x63: fiat_bign256_u1 = 0; + let (x62, x63) = fiat_bign256_addcarryx_u32(x61, x53, x50); + let mut x64: u32 = 0; + let mut x65: fiat_bign256_u1 = 0; + let (x64, x65) = fiat_bign256_addcarryx_u32(x63, x51, x48); + let mut x66: u32 = 0; + let mut x67: fiat_bign256_u1 = 0; + let (x66, x67) = fiat_bign256_addcarryx_u32(x65, x49, x46); + let mut x68: u32 = 0; + let mut x69: fiat_bign256_u1 = 0; + let (x68, x69) = fiat_bign256_addcarryx_u32(x67, x47, x44); + let mut x70: u32 = 0; + let mut x71: fiat_bign256_u1 = 0; + let (x70, x71) = fiat_bign256_addcarryx_u32(x69, x45, x42); + let x72: u32 = ((x71 as u32) + x43); + let mut x73: u32 = 0; + let mut x74: fiat_bign256_u1 = 0; + let (x73, x74) = fiat_bign256_addcarryx_u32(0x0, x23, x56); + let mut x75: u32 = 0; + let mut x76: fiat_bign256_u1 = 0; + let (x75, x76) = fiat_bign256_addcarryx_u32(x74, x25, x58); + let mut x77: u32 = 0; + let mut x78: fiat_bign256_u1 = 0; + let (x77, x78) = fiat_bign256_addcarryx_u32(x76, x27, x60); + let mut x79: u32 = 0; + let mut x80: fiat_bign256_u1 = 0; + let (x79, x80) = fiat_bign256_addcarryx_u32(x78, x29, x62); + let mut x81: u32 = 0; + let mut x82: fiat_bign256_u1 = 0; + let (x81, x82) = fiat_bign256_addcarryx_u32(x80, x31, x64); + let mut x83: u32 = 0; + let mut x84: fiat_bign256_u1 = 0; + let (x83, x84) = fiat_bign256_addcarryx_u32(x82, x33, x66); + let mut x85: u32 = 0; + let mut x86: fiat_bign256_u1 = 0; + let (x85, x86) = fiat_bign256_addcarryx_u32(x84, x35, x68); + let mut x87: u32 = 0; + let mut x88: fiat_bign256_u1 = 0; + let (x87, x88) = fiat_bign256_addcarryx_u32(x86, x37, x70); + let mut x89: u32 = 0; + let mut x90: fiat_bign256_u1 = 0; + let (x89, x90) = fiat_bign256_addcarryx_u32(x88, x39, x72); + let mut x91: u32 = 0; + let mut x92: u32 = 0; + let (x91, x92) = fiat_bign256_mulx_u32(x1, (arg2[7])); + let mut x93: u32 = 0; + let mut x94: u32 = 0; + let (x93, x94) = fiat_bign256_mulx_u32(x1, (arg2[6])); + let mut x95: u32 = 0; + let mut x96: u32 = 0; + let (x95, x96) = fiat_bign256_mulx_u32(x1, (arg2[5])); + let mut x97: u32 = 0; + let mut x98: u32 = 0; + let (x97, x98) = fiat_bign256_mulx_u32(x1, (arg2[4])); + let mut x99: u32 = 0; + let mut x100: u32 = 0; + let (x99, x100) = fiat_bign256_mulx_u32(x1, (arg2[3])); + let mut x101: u32 = 0; + let mut x102: u32 = 0; + let (x101, x102) = fiat_bign256_mulx_u32(x1, (arg2[2])); + let mut x103: u32 = 0; + let mut x104: u32 = 0; + let (x103, x104) = fiat_bign256_mulx_u32(x1, (arg2[1])); + let mut x105: u32 = 0; + let mut x106: u32 = 0; + let (x105, x106) = fiat_bign256_mulx_u32(x1, (arg2[0])); + let mut x107: u32 = 0; + let mut x108: fiat_bign256_u1 = 0; + let (x107, x108) = fiat_bign256_addcarryx_u32(0x0, x106, x103); + let mut x109: u32 = 0; + let mut x110: fiat_bign256_u1 = 0; + let (x109, x110) = fiat_bign256_addcarryx_u32(x108, x104, x101); + let mut x111: u32 = 0; + let mut x112: fiat_bign256_u1 = 0; + let (x111, x112) = fiat_bign256_addcarryx_u32(x110, x102, x99); + let mut x113: u32 = 0; + let mut x114: fiat_bign256_u1 = 0; + let (x113, x114) = fiat_bign256_addcarryx_u32(x112, x100, x97); + let mut x115: u32 = 0; + let mut x116: fiat_bign256_u1 = 0; + let (x115, x116) = fiat_bign256_addcarryx_u32(x114, x98, x95); + let mut x117: u32 = 0; + let mut x118: fiat_bign256_u1 = 0; + let (x117, x118) = fiat_bign256_addcarryx_u32(x116, x96, x93); + let mut x119: u32 = 0; + let mut x120: fiat_bign256_u1 = 0; + let (x119, x120) = fiat_bign256_addcarryx_u32(x118, x94, x91); + let x121: u32 = ((x120 as u32) + x92); + let mut x122: u32 = 0; + let mut x123: fiat_bign256_u1 = 0; + let (x122, x123) = fiat_bign256_addcarryx_u32(0x0, x75, x105); + let mut x124: u32 = 0; + let mut x125: fiat_bign256_u1 = 0; + let (x124, x125) = fiat_bign256_addcarryx_u32(x123, x77, x107); + let mut x126: u32 = 0; + let mut x127: fiat_bign256_u1 = 0; + let (x126, x127) = fiat_bign256_addcarryx_u32(x125, x79, x109); + let mut x128: u32 = 0; + let mut x129: fiat_bign256_u1 = 0; + let (x128, x129) = fiat_bign256_addcarryx_u32(x127, x81, x111); + let mut x130: u32 = 0; + let mut x131: fiat_bign256_u1 = 0; + let (x130, x131) = fiat_bign256_addcarryx_u32(x129, x83, x113); + let mut x132: u32 = 0; + let mut x133: fiat_bign256_u1 = 0; + let (x132, x133) = fiat_bign256_addcarryx_u32(x131, x85, x115); + let mut x134: u32 = 0; + let mut x135: fiat_bign256_u1 = 0; + let (x134, x135) = fiat_bign256_addcarryx_u32(x133, x87, x117); + let mut x136: u32 = 0; + let mut x137: fiat_bign256_u1 = 0; + let (x136, x137) = fiat_bign256_addcarryx_u32(x135, x89, x119); + let mut x138: u32 = 0; + let mut x139: fiat_bign256_u1 = 0; + let (x138, x139) = fiat_bign256_addcarryx_u32(x137, (x90 as u32), x121); + let mut x140: u32 = 0; + let mut x141: u32 = 0; + let (x140, x141) = fiat_bign256_mulx_u32(x122, 0xea53fa95); + let mut x142: u32 = 0; + let mut x143: u32 = 0; + let (x142, x143) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x144: u32 = 0; + let mut x145: u32 = 0; + let (x144, x145) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x146: u32 = 0; + let mut x147: u32 = 0; + let (x146, x147) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x148: u32 = 0; + let mut x149: u32 = 0; + let (x148, x149) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x150: u32 = 0; + let mut x151: u32 = 0; + let (x150, x151) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x152: u32 = 0; + let mut x153: u32 = 0; + let (x152, x153) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x154: u32 = 0; + let mut x155: u32 = 0; + let (x154, x155) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x156: u32 = 0; + let mut x157: u32 = 0; + let (x156, x157) = fiat_bign256_mulx_u32(x140, 0xffffff43); + let mut x158: u32 = 0; + let mut x159: fiat_bign256_u1 = 0; + let (x158, x159) = fiat_bign256_addcarryx_u32(0x0, x157, x154); + let mut x160: u32 = 0; + let mut x161: fiat_bign256_u1 = 0; + let (x160, x161) = fiat_bign256_addcarryx_u32(x159, x155, x152); + let mut x162: u32 = 0; + let mut x163: fiat_bign256_u1 = 0; + let (x162, x163) = fiat_bign256_addcarryx_u32(x161, x153, x150); + let mut x164: u32 = 0; + let mut x165: fiat_bign256_u1 = 0; + let (x164, x165) = fiat_bign256_addcarryx_u32(x163, x151, x148); + let mut x166: u32 = 0; + let mut x167: fiat_bign256_u1 = 0; + let (x166, x167) = fiat_bign256_addcarryx_u32(x165, x149, x146); + let mut x168: u32 = 0; + let mut x169: fiat_bign256_u1 = 0; + let (x168, x169) = fiat_bign256_addcarryx_u32(x167, x147, x144); + let mut x170: u32 = 0; + let mut x171: fiat_bign256_u1 = 0; + let (x170, x171) = fiat_bign256_addcarryx_u32(x169, x145, x142); + let x172: u32 = ((x171 as u32) + x143); + let mut x173: u32 = 0; + let mut x174: fiat_bign256_u1 = 0; + let (x173, x174) = fiat_bign256_addcarryx_u32(0x0, x122, x156); + let mut x175: u32 = 0; + let mut x176: fiat_bign256_u1 = 0; + let (x175, x176) = fiat_bign256_addcarryx_u32(x174, x124, x158); + let mut x177: u32 = 0; + let mut x178: fiat_bign256_u1 = 0; + let (x177, x178) = fiat_bign256_addcarryx_u32(x176, x126, x160); + let mut x179: u32 = 0; + let mut x180: fiat_bign256_u1 = 0; + let (x179, x180) = fiat_bign256_addcarryx_u32(x178, x128, x162); + let mut x181: u32 = 0; + let mut x182: fiat_bign256_u1 = 0; + let (x181, x182) = fiat_bign256_addcarryx_u32(x180, x130, x164); + let mut x183: u32 = 0; + let mut x184: fiat_bign256_u1 = 0; + let (x183, x184) = fiat_bign256_addcarryx_u32(x182, x132, x166); + let mut x185: u32 = 0; + let mut x186: fiat_bign256_u1 = 0; + let (x185, x186) = fiat_bign256_addcarryx_u32(x184, x134, x168); + let mut x187: u32 = 0; + let mut x188: fiat_bign256_u1 = 0; + let (x187, x188) = fiat_bign256_addcarryx_u32(x186, x136, x170); + let mut x189: u32 = 0; + let mut x190: fiat_bign256_u1 = 0; + let (x189, x190) = fiat_bign256_addcarryx_u32(x188, x138, x172); + let x191: u32 = ((x190 as u32) + (x139 as u32)); + let mut x192: u32 = 0; + let mut x193: u32 = 0; + let (x192, x193) = fiat_bign256_mulx_u32(x2, (arg2[7])); + let mut x194: u32 = 0; + let mut x195: u32 = 0; + let (x194, x195) = fiat_bign256_mulx_u32(x2, (arg2[6])); + let mut x196: u32 = 0; + let mut x197: u32 = 0; + let (x196, x197) = fiat_bign256_mulx_u32(x2, (arg2[5])); + let mut x198: u32 = 0; + let mut x199: u32 = 0; + let (x198, x199) = fiat_bign256_mulx_u32(x2, (arg2[4])); + let mut x200: u32 = 0; + let mut x201: u32 = 0; + let (x200, x201) = fiat_bign256_mulx_u32(x2, (arg2[3])); + let mut x202: u32 = 0; + let mut x203: u32 = 0; + let (x202, x203) = fiat_bign256_mulx_u32(x2, (arg2[2])); + let mut x204: u32 = 0; + let mut x205: u32 = 0; + let (x204, x205) = fiat_bign256_mulx_u32(x2, (arg2[1])); + let mut x206: u32 = 0; + let mut x207: u32 = 0; + let (x206, x207) = fiat_bign256_mulx_u32(x2, (arg2[0])); + let mut x208: u32 = 0; + let mut x209: fiat_bign256_u1 = 0; + let (x208, x209) = fiat_bign256_addcarryx_u32(0x0, x207, x204); + let mut x210: u32 = 0; + let mut x211: fiat_bign256_u1 = 0; + let (x210, x211) = fiat_bign256_addcarryx_u32(x209, x205, x202); + let mut x212: u32 = 0; + let mut x213: fiat_bign256_u1 = 0; + let (x212, x213) = fiat_bign256_addcarryx_u32(x211, x203, x200); + let mut x214: u32 = 0; + let mut x215: fiat_bign256_u1 = 0; + let (x214, x215) = fiat_bign256_addcarryx_u32(x213, x201, x198); + let mut x216: u32 = 0; + let mut x217: fiat_bign256_u1 = 0; + let (x216, x217) = fiat_bign256_addcarryx_u32(x215, x199, x196); + let mut x218: u32 = 0; + let mut x219: fiat_bign256_u1 = 0; + let (x218, x219) = fiat_bign256_addcarryx_u32(x217, x197, x194); + let mut x220: u32 = 0; + let mut x221: fiat_bign256_u1 = 0; + let (x220, x221) = fiat_bign256_addcarryx_u32(x219, x195, x192); + let x222: u32 = ((x221 as u32) + x193); + let mut x223: u32 = 0; + let mut x224: fiat_bign256_u1 = 0; + let (x223, x224) = fiat_bign256_addcarryx_u32(0x0, x175, x206); + let mut x225: u32 = 0; + let mut x226: fiat_bign256_u1 = 0; + let (x225, x226) = fiat_bign256_addcarryx_u32(x224, x177, x208); + let mut x227: u32 = 0; + let mut x228: fiat_bign256_u1 = 0; + let (x227, x228) = fiat_bign256_addcarryx_u32(x226, x179, x210); + let mut x229: u32 = 0; + let mut x230: fiat_bign256_u1 = 0; + let (x229, x230) = fiat_bign256_addcarryx_u32(x228, x181, x212); + let mut x231: u32 = 0; + let mut x232: fiat_bign256_u1 = 0; + let (x231, x232) = fiat_bign256_addcarryx_u32(x230, x183, x214); + let mut x233: u32 = 0; + let mut x234: fiat_bign256_u1 = 0; + let (x233, x234) = fiat_bign256_addcarryx_u32(x232, x185, x216); + let mut x235: u32 = 0; + let mut x236: fiat_bign256_u1 = 0; + let (x235, x236) = fiat_bign256_addcarryx_u32(x234, x187, x218); + let mut x237: u32 = 0; + let mut x238: fiat_bign256_u1 = 0; + let (x237, x238) = fiat_bign256_addcarryx_u32(x236, x189, x220); + let mut x239: u32 = 0; + let mut x240: fiat_bign256_u1 = 0; + let (x239, x240) = fiat_bign256_addcarryx_u32(x238, x191, x222); + let mut x241: u32 = 0; + let mut x242: u32 = 0; + let (x241, x242) = fiat_bign256_mulx_u32(x223, 0xea53fa95); + let mut x243: u32 = 0; + let mut x244: u32 = 0; + let (x243, x244) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x245: u32 = 0; + let mut x246: u32 = 0; + let (x245, x246) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x247: u32 = 0; + let mut x248: u32 = 0; + let (x247, x248) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x249: u32 = 0; + let mut x250: u32 = 0; + let (x249, x250) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x251: u32 = 0; + let mut x252: u32 = 0; + let (x251, x252) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x253: u32 = 0; + let mut x254: u32 = 0; + let (x253, x254) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x255: u32 = 0; + let mut x256: u32 = 0; + let (x255, x256) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x257: u32 = 0; + let mut x258: u32 = 0; + let (x257, x258) = fiat_bign256_mulx_u32(x241, 0xffffff43); + let mut x259: u32 = 0; + let mut x260: fiat_bign256_u1 = 0; + let (x259, x260) = fiat_bign256_addcarryx_u32(0x0, x258, x255); + let mut x261: u32 = 0; + let mut x262: fiat_bign256_u1 = 0; + let (x261, x262) = fiat_bign256_addcarryx_u32(x260, x256, x253); + let mut x263: u32 = 0; + let mut x264: fiat_bign256_u1 = 0; + let (x263, x264) = fiat_bign256_addcarryx_u32(x262, x254, x251); + let mut x265: u32 = 0; + let mut x266: fiat_bign256_u1 = 0; + let (x265, x266) = fiat_bign256_addcarryx_u32(x264, x252, x249); + let mut x267: u32 = 0; + let mut x268: fiat_bign256_u1 = 0; + let (x267, x268) = fiat_bign256_addcarryx_u32(x266, x250, x247); + let mut x269: u32 = 0; + let mut x270: fiat_bign256_u1 = 0; + let (x269, x270) = fiat_bign256_addcarryx_u32(x268, x248, x245); + let mut x271: u32 = 0; + let mut x272: fiat_bign256_u1 = 0; + let (x271, x272) = fiat_bign256_addcarryx_u32(x270, x246, x243); + let x273: u32 = ((x272 as u32) + x244); + let mut x274: u32 = 0; + let mut x275: fiat_bign256_u1 = 0; + let (x274, x275) = fiat_bign256_addcarryx_u32(0x0, x223, x257); + let mut x276: u32 = 0; + let mut x277: fiat_bign256_u1 = 0; + let (x276, x277) = fiat_bign256_addcarryx_u32(x275, x225, x259); + let mut x278: u32 = 0; + let mut x279: fiat_bign256_u1 = 0; + let (x278, x279) = fiat_bign256_addcarryx_u32(x277, x227, x261); + let mut x280: u32 = 0; + let mut x281: fiat_bign256_u1 = 0; + let (x280, x281) = fiat_bign256_addcarryx_u32(x279, x229, x263); + let mut x282: u32 = 0; + let mut x283: fiat_bign256_u1 = 0; + let (x282, x283) = fiat_bign256_addcarryx_u32(x281, x231, x265); + let mut x284: u32 = 0; + let mut x285: fiat_bign256_u1 = 0; + let (x284, x285) = fiat_bign256_addcarryx_u32(x283, x233, x267); + let mut x286: u32 = 0; + let mut x287: fiat_bign256_u1 = 0; + let (x286, x287) = fiat_bign256_addcarryx_u32(x285, x235, x269); + let mut x288: u32 = 0; + let mut x289: fiat_bign256_u1 = 0; + let (x288, x289) = fiat_bign256_addcarryx_u32(x287, x237, x271); + let mut x290: u32 = 0; + let mut x291: fiat_bign256_u1 = 0; + let (x290, x291) = fiat_bign256_addcarryx_u32(x289, x239, x273); + let x292: u32 = ((x291 as u32) + (x240 as u32)); + let mut x293: u32 = 0; + let mut x294: u32 = 0; + let (x293, x294) = fiat_bign256_mulx_u32(x3, (arg2[7])); + let mut x295: u32 = 0; + let mut x296: u32 = 0; + let (x295, x296) = fiat_bign256_mulx_u32(x3, (arg2[6])); + let mut x297: u32 = 0; + let mut x298: u32 = 0; + let (x297, x298) = fiat_bign256_mulx_u32(x3, (arg2[5])); + let mut x299: u32 = 0; + let mut x300: u32 = 0; + let (x299, x300) = fiat_bign256_mulx_u32(x3, (arg2[4])); + let mut x301: u32 = 0; + let mut x302: u32 = 0; + let (x301, x302) = fiat_bign256_mulx_u32(x3, (arg2[3])); + let mut x303: u32 = 0; + let mut x304: u32 = 0; + let (x303, x304) = fiat_bign256_mulx_u32(x3, (arg2[2])); + let mut x305: u32 = 0; + let mut x306: u32 = 0; + let (x305, x306) = fiat_bign256_mulx_u32(x3, (arg2[1])); + let mut x307: u32 = 0; + let mut x308: u32 = 0; + let (x307, x308) = fiat_bign256_mulx_u32(x3, (arg2[0])); + let mut x309: u32 = 0; + let mut x310: fiat_bign256_u1 = 0; + let (x309, x310) = fiat_bign256_addcarryx_u32(0x0, x308, x305); + let mut x311: u32 = 0; + let mut x312: fiat_bign256_u1 = 0; + let (x311, x312) = fiat_bign256_addcarryx_u32(x310, x306, x303); + let mut x313: u32 = 0; + let mut x314: fiat_bign256_u1 = 0; + let (x313, x314) = fiat_bign256_addcarryx_u32(x312, x304, x301); + let mut x315: u32 = 0; + let mut x316: fiat_bign256_u1 = 0; + let (x315, x316) = fiat_bign256_addcarryx_u32(x314, x302, x299); + let mut x317: u32 = 0; + let mut x318: fiat_bign256_u1 = 0; + let (x317, x318) = fiat_bign256_addcarryx_u32(x316, x300, x297); + let mut x319: u32 = 0; + let mut x320: fiat_bign256_u1 = 0; + let (x319, x320) = fiat_bign256_addcarryx_u32(x318, x298, x295); + let mut x321: u32 = 0; + let mut x322: fiat_bign256_u1 = 0; + let (x321, x322) = fiat_bign256_addcarryx_u32(x320, x296, x293); + let x323: u32 = ((x322 as u32) + x294); + let mut x324: u32 = 0; + let mut x325: fiat_bign256_u1 = 0; + let (x324, x325) = fiat_bign256_addcarryx_u32(0x0, x276, x307); + let mut x326: u32 = 0; + let mut x327: fiat_bign256_u1 = 0; + let (x326, x327) = fiat_bign256_addcarryx_u32(x325, x278, x309); + let mut x328: u32 = 0; + let mut x329: fiat_bign256_u1 = 0; + let (x328, x329) = fiat_bign256_addcarryx_u32(x327, x280, x311); + let mut x330: u32 = 0; + let mut x331: fiat_bign256_u1 = 0; + let (x330, x331) = fiat_bign256_addcarryx_u32(x329, x282, x313); + let mut x332: u32 = 0; + let mut x333: fiat_bign256_u1 = 0; + let (x332, x333) = fiat_bign256_addcarryx_u32(x331, x284, x315); + let mut x334: u32 = 0; + let mut x335: fiat_bign256_u1 = 0; + let (x334, x335) = fiat_bign256_addcarryx_u32(x333, x286, x317); + let mut x336: u32 = 0; + let mut x337: fiat_bign256_u1 = 0; + let (x336, x337) = fiat_bign256_addcarryx_u32(x335, x288, x319); + let mut x338: u32 = 0; + let mut x339: fiat_bign256_u1 = 0; + let (x338, x339) = fiat_bign256_addcarryx_u32(x337, x290, x321); + let mut x340: u32 = 0; + let mut x341: fiat_bign256_u1 = 0; + let (x340, x341) = fiat_bign256_addcarryx_u32(x339, x292, x323); + let mut x342: u32 = 0; + let mut x343: u32 = 0; + let (x342, x343) = fiat_bign256_mulx_u32(x324, 0xea53fa95); + let mut x344: u32 = 0; + let mut x345: u32 = 0; + let (x344, x345) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x346: u32 = 0; + let mut x347: u32 = 0; + let (x346, x347) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x348: u32 = 0; + let mut x349: u32 = 0; + let (x348, x349) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x350: u32 = 0; + let mut x351: u32 = 0; + let (x350, x351) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x352: u32 = 0; + let mut x353: u32 = 0; + let (x352, x353) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x354: u32 = 0; + let mut x355: u32 = 0; + let (x354, x355) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x356: u32 = 0; + let mut x357: u32 = 0; + let (x356, x357) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x358: u32 = 0; + let mut x359: u32 = 0; + let (x358, x359) = fiat_bign256_mulx_u32(x342, 0xffffff43); + let mut x360: u32 = 0; + let mut x361: fiat_bign256_u1 = 0; + let (x360, x361) = fiat_bign256_addcarryx_u32(0x0, x359, x356); + let mut x362: u32 = 0; + let mut x363: fiat_bign256_u1 = 0; + let (x362, x363) = fiat_bign256_addcarryx_u32(x361, x357, x354); + let mut x364: u32 = 0; + let mut x365: fiat_bign256_u1 = 0; + let (x364, x365) = fiat_bign256_addcarryx_u32(x363, x355, x352); + let mut x366: u32 = 0; + let mut x367: fiat_bign256_u1 = 0; + let (x366, x367) = fiat_bign256_addcarryx_u32(x365, x353, x350); + let mut x368: u32 = 0; + let mut x369: fiat_bign256_u1 = 0; + let (x368, x369) = fiat_bign256_addcarryx_u32(x367, x351, x348); + let mut x370: u32 = 0; + let mut x371: fiat_bign256_u1 = 0; + let (x370, x371) = fiat_bign256_addcarryx_u32(x369, x349, x346); + let mut x372: u32 = 0; + let mut x373: fiat_bign256_u1 = 0; + let (x372, x373) = fiat_bign256_addcarryx_u32(x371, x347, x344); + let x374: u32 = ((x373 as u32) + x345); + let mut x375: u32 = 0; + let mut x376: fiat_bign256_u1 = 0; + let (x375, x376) = fiat_bign256_addcarryx_u32(0x0, x324, x358); + let mut x377: u32 = 0; + let mut x378: fiat_bign256_u1 = 0; + let (x377, x378) = fiat_bign256_addcarryx_u32(x376, x326, x360); + let mut x379: u32 = 0; + let mut x380: fiat_bign256_u1 = 0; + let (x379, x380) = fiat_bign256_addcarryx_u32(x378, x328, x362); + let mut x381: u32 = 0; + let mut x382: fiat_bign256_u1 = 0; + let (x381, x382) = fiat_bign256_addcarryx_u32(x380, x330, x364); + let mut x383: u32 = 0; + let mut x384: fiat_bign256_u1 = 0; + let (x383, x384) = fiat_bign256_addcarryx_u32(x382, x332, x366); + let mut x385: u32 = 0; + let mut x386: fiat_bign256_u1 = 0; + let (x385, x386) = fiat_bign256_addcarryx_u32(x384, x334, x368); + let mut x387: u32 = 0; + let mut x388: fiat_bign256_u1 = 0; + let (x387, x388) = fiat_bign256_addcarryx_u32(x386, x336, x370); + let mut x389: u32 = 0; + let mut x390: fiat_bign256_u1 = 0; + let (x389, x390) = fiat_bign256_addcarryx_u32(x388, x338, x372); + let mut x391: u32 = 0; + let mut x392: fiat_bign256_u1 = 0; + let (x391, x392) = fiat_bign256_addcarryx_u32(x390, x340, x374); + let x393: u32 = ((x392 as u32) + (x341 as u32)); + let mut x394: u32 = 0; + let mut x395: u32 = 0; + let (x394, x395) = fiat_bign256_mulx_u32(x4, (arg2[7])); + let mut x396: u32 = 0; + let mut x397: u32 = 0; + let (x396, x397) = fiat_bign256_mulx_u32(x4, (arg2[6])); + let mut x398: u32 = 0; + let mut x399: u32 = 0; + let (x398, x399) = fiat_bign256_mulx_u32(x4, (arg2[5])); + let mut x400: u32 = 0; + let mut x401: u32 = 0; + let (x400, x401) = fiat_bign256_mulx_u32(x4, (arg2[4])); + let mut x402: u32 = 0; + let mut x403: u32 = 0; + let (x402, x403) = fiat_bign256_mulx_u32(x4, (arg2[3])); + let mut x404: u32 = 0; + let mut x405: u32 = 0; + let (x404, x405) = fiat_bign256_mulx_u32(x4, (arg2[2])); + let mut x406: u32 = 0; + let mut x407: u32 = 0; + let (x406, x407) = fiat_bign256_mulx_u32(x4, (arg2[1])); + let mut x408: u32 = 0; + let mut x409: u32 = 0; + let (x408, x409) = fiat_bign256_mulx_u32(x4, (arg2[0])); + let mut x410: u32 = 0; + let mut x411: fiat_bign256_u1 = 0; + let (x410, x411) = fiat_bign256_addcarryx_u32(0x0, x409, x406); + let mut x412: u32 = 0; + let mut x413: fiat_bign256_u1 = 0; + let (x412, x413) = fiat_bign256_addcarryx_u32(x411, x407, x404); + let mut x414: u32 = 0; + let mut x415: fiat_bign256_u1 = 0; + let (x414, x415) = fiat_bign256_addcarryx_u32(x413, x405, x402); + let mut x416: u32 = 0; + let mut x417: fiat_bign256_u1 = 0; + let (x416, x417) = fiat_bign256_addcarryx_u32(x415, x403, x400); + let mut x418: u32 = 0; + let mut x419: fiat_bign256_u1 = 0; + let (x418, x419) = fiat_bign256_addcarryx_u32(x417, x401, x398); + let mut x420: u32 = 0; + let mut x421: fiat_bign256_u1 = 0; + let (x420, x421) = fiat_bign256_addcarryx_u32(x419, x399, x396); + let mut x422: u32 = 0; + let mut x423: fiat_bign256_u1 = 0; + let (x422, x423) = fiat_bign256_addcarryx_u32(x421, x397, x394); + let x424: u32 = ((x423 as u32) + x395); + let mut x425: u32 = 0; + let mut x426: fiat_bign256_u1 = 0; + let (x425, x426) = fiat_bign256_addcarryx_u32(0x0, x377, x408); + let mut x427: u32 = 0; + let mut x428: fiat_bign256_u1 = 0; + let (x427, x428) = fiat_bign256_addcarryx_u32(x426, x379, x410); + let mut x429: u32 = 0; + let mut x430: fiat_bign256_u1 = 0; + let (x429, x430) = fiat_bign256_addcarryx_u32(x428, x381, x412); + let mut x431: u32 = 0; + let mut x432: fiat_bign256_u1 = 0; + let (x431, x432) = fiat_bign256_addcarryx_u32(x430, x383, x414); + let mut x433: u32 = 0; + let mut x434: fiat_bign256_u1 = 0; + let (x433, x434) = fiat_bign256_addcarryx_u32(x432, x385, x416); + let mut x435: u32 = 0; + let mut x436: fiat_bign256_u1 = 0; + let (x435, x436) = fiat_bign256_addcarryx_u32(x434, x387, x418); + let mut x437: u32 = 0; + let mut x438: fiat_bign256_u1 = 0; + let (x437, x438) = fiat_bign256_addcarryx_u32(x436, x389, x420); + let mut x439: u32 = 0; + let mut x440: fiat_bign256_u1 = 0; + let (x439, x440) = fiat_bign256_addcarryx_u32(x438, x391, x422); + let mut x441: u32 = 0; + let mut x442: fiat_bign256_u1 = 0; + let (x441, x442) = fiat_bign256_addcarryx_u32(x440, x393, x424); + let mut x443: u32 = 0; + let mut x444: u32 = 0; + let (x443, x444) = fiat_bign256_mulx_u32(x425, 0xea53fa95); + let mut x445: u32 = 0; + let mut x446: u32 = 0; + let (x445, x446) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x447: u32 = 0; + let mut x448: u32 = 0; + let (x447, x448) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x449: u32 = 0; + let mut x450: u32 = 0; + let (x449, x450) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x451: u32 = 0; + let mut x452: u32 = 0; + let (x451, x452) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x453: u32 = 0; + let mut x454: u32 = 0; + let (x453, x454) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x455: u32 = 0; + let mut x456: u32 = 0; + let (x455, x456) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x457: u32 = 0; + let mut x458: u32 = 0; + let (x457, x458) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x459: u32 = 0; + let mut x460: u32 = 0; + let (x459, x460) = fiat_bign256_mulx_u32(x443, 0xffffff43); + let mut x461: u32 = 0; + let mut x462: fiat_bign256_u1 = 0; + let (x461, x462) = fiat_bign256_addcarryx_u32(0x0, x460, x457); + let mut x463: u32 = 0; + let mut x464: fiat_bign256_u1 = 0; + let (x463, x464) = fiat_bign256_addcarryx_u32(x462, x458, x455); + let mut x465: u32 = 0; + let mut x466: fiat_bign256_u1 = 0; + let (x465, x466) = fiat_bign256_addcarryx_u32(x464, x456, x453); + let mut x467: u32 = 0; + let mut x468: fiat_bign256_u1 = 0; + let (x467, x468) = fiat_bign256_addcarryx_u32(x466, x454, x451); + let mut x469: u32 = 0; + let mut x470: fiat_bign256_u1 = 0; + let (x469, x470) = fiat_bign256_addcarryx_u32(x468, x452, x449); + let mut x471: u32 = 0; + let mut x472: fiat_bign256_u1 = 0; + let (x471, x472) = fiat_bign256_addcarryx_u32(x470, x450, x447); + let mut x473: u32 = 0; + let mut x474: fiat_bign256_u1 = 0; + let (x473, x474) = fiat_bign256_addcarryx_u32(x472, x448, x445); + let x475: u32 = ((x474 as u32) + x446); + let mut x476: u32 = 0; + let mut x477: fiat_bign256_u1 = 0; + let (x476, x477) = fiat_bign256_addcarryx_u32(0x0, x425, x459); + let mut x478: u32 = 0; + let mut x479: fiat_bign256_u1 = 0; + let (x478, x479) = fiat_bign256_addcarryx_u32(x477, x427, x461); + let mut x480: u32 = 0; + let mut x481: fiat_bign256_u1 = 0; + let (x480, x481) = fiat_bign256_addcarryx_u32(x479, x429, x463); + let mut x482: u32 = 0; + let mut x483: fiat_bign256_u1 = 0; + let (x482, x483) = fiat_bign256_addcarryx_u32(x481, x431, x465); + let mut x484: u32 = 0; + let mut x485: fiat_bign256_u1 = 0; + let (x484, x485) = fiat_bign256_addcarryx_u32(x483, x433, x467); + let mut x486: u32 = 0; + let mut x487: fiat_bign256_u1 = 0; + let (x486, x487) = fiat_bign256_addcarryx_u32(x485, x435, x469); + let mut x488: u32 = 0; + let mut x489: fiat_bign256_u1 = 0; + let (x488, x489) = fiat_bign256_addcarryx_u32(x487, x437, x471); + let mut x490: u32 = 0; + let mut x491: fiat_bign256_u1 = 0; + let (x490, x491) = fiat_bign256_addcarryx_u32(x489, x439, x473); + let mut x492: u32 = 0; + let mut x493: fiat_bign256_u1 = 0; + let (x492, x493) = fiat_bign256_addcarryx_u32(x491, x441, x475); + let x494: u32 = ((x493 as u32) + (x442 as u32)); + let mut x495: u32 = 0; + let mut x496: u32 = 0; + let (x495, x496) = fiat_bign256_mulx_u32(x5, (arg2[7])); + let mut x497: u32 = 0; + let mut x498: u32 = 0; + let (x497, x498) = fiat_bign256_mulx_u32(x5, (arg2[6])); + let mut x499: u32 = 0; + let mut x500: u32 = 0; + let (x499, x500) = fiat_bign256_mulx_u32(x5, (arg2[5])); + let mut x501: u32 = 0; + let mut x502: u32 = 0; + let (x501, x502) = fiat_bign256_mulx_u32(x5, (arg2[4])); + let mut x503: u32 = 0; + let mut x504: u32 = 0; + let (x503, x504) = fiat_bign256_mulx_u32(x5, (arg2[3])); + let mut x505: u32 = 0; + let mut x506: u32 = 0; + let (x505, x506) = fiat_bign256_mulx_u32(x5, (arg2[2])); + let mut x507: u32 = 0; + let mut x508: u32 = 0; + let (x507, x508) = fiat_bign256_mulx_u32(x5, (arg2[1])); + let mut x509: u32 = 0; + let mut x510: u32 = 0; + let (x509, x510) = fiat_bign256_mulx_u32(x5, (arg2[0])); + let mut x511: u32 = 0; + let mut x512: fiat_bign256_u1 = 0; + let (x511, x512) = fiat_bign256_addcarryx_u32(0x0, x510, x507); + let mut x513: u32 = 0; + let mut x514: fiat_bign256_u1 = 0; + let (x513, x514) = fiat_bign256_addcarryx_u32(x512, x508, x505); + let mut x515: u32 = 0; + let mut x516: fiat_bign256_u1 = 0; + let (x515, x516) = fiat_bign256_addcarryx_u32(x514, x506, x503); + let mut x517: u32 = 0; + let mut x518: fiat_bign256_u1 = 0; + let (x517, x518) = fiat_bign256_addcarryx_u32(x516, x504, x501); + let mut x519: u32 = 0; + let mut x520: fiat_bign256_u1 = 0; + let (x519, x520) = fiat_bign256_addcarryx_u32(x518, x502, x499); + let mut x521: u32 = 0; + let mut x522: fiat_bign256_u1 = 0; + let (x521, x522) = fiat_bign256_addcarryx_u32(x520, x500, x497); + let mut x523: u32 = 0; + let mut x524: fiat_bign256_u1 = 0; + let (x523, x524) = fiat_bign256_addcarryx_u32(x522, x498, x495); + let x525: u32 = ((x524 as u32) + x496); + let mut x526: u32 = 0; + let mut x527: fiat_bign256_u1 = 0; + let (x526, x527) = fiat_bign256_addcarryx_u32(0x0, x478, x509); + let mut x528: u32 = 0; + let mut x529: fiat_bign256_u1 = 0; + let (x528, x529) = fiat_bign256_addcarryx_u32(x527, x480, x511); + let mut x530: u32 = 0; + let mut x531: fiat_bign256_u1 = 0; + let (x530, x531) = fiat_bign256_addcarryx_u32(x529, x482, x513); + let mut x532: u32 = 0; + let mut x533: fiat_bign256_u1 = 0; + let (x532, x533) = fiat_bign256_addcarryx_u32(x531, x484, x515); + let mut x534: u32 = 0; + let mut x535: fiat_bign256_u1 = 0; + let (x534, x535) = fiat_bign256_addcarryx_u32(x533, x486, x517); + let mut x536: u32 = 0; + let mut x537: fiat_bign256_u1 = 0; + let (x536, x537) = fiat_bign256_addcarryx_u32(x535, x488, x519); + let mut x538: u32 = 0; + let mut x539: fiat_bign256_u1 = 0; + let (x538, x539) = fiat_bign256_addcarryx_u32(x537, x490, x521); + let mut x540: u32 = 0; + let mut x541: fiat_bign256_u1 = 0; + let (x540, x541) = fiat_bign256_addcarryx_u32(x539, x492, x523); + let mut x542: u32 = 0; + let mut x543: fiat_bign256_u1 = 0; + let (x542, x543) = fiat_bign256_addcarryx_u32(x541, x494, x525); + let mut x544: u32 = 0; + let mut x545: u32 = 0; + let (x544, x545) = fiat_bign256_mulx_u32(x526, 0xea53fa95); + let mut x546: u32 = 0; + let mut x547: u32 = 0; + let (x546, x547) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x548: u32 = 0; + let mut x549: u32 = 0; + let (x548, x549) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x550: u32 = 0; + let mut x551: u32 = 0; + let (x550, x551) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x552: u32 = 0; + let mut x553: u32 = 0; + let (x552, x553) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x554: u32 = 0; + let mut x555: u32 = 0; + let (x554, x555) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x556: u32 = 0; + let mut x557: u32 = 0; + let (x556, x557) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x558: u32 = 0; + let mut x559: u32 = 0; + let (x558, x559) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x560: u32 = 0; + let mut x561: u32 = 0; + let (x560, x561) = fiat_bign256_mulx_u32(x544, 0xffffff43); + let mut x562: u32 = 0; + let mut x563: fiat_bign256_u1 = 0; + let (x562, x563) = fiat_bign256_addcarryx_u32(0x0, x561, x558); + let mut x564: u32 = 0; + let mut x565: fiat_bign256_u1 = 0; + let (x564, x565) = fiat_bign256_addcarryx_u32(x563, x559, x556); + let mut x566: u32 = 0; + let mut x567: fiat_bign256_u1 = 0; + let (x566, x567) = fiat_bign256_addcarryx_u32(x565, x557, x554); + let mut x568: u32 = 0; + let mut x569: fiat_bign256_u1 = 0; + let (x568, x569) = fiat_bign256_addcarryx_u32(x567, x555, x552); + let mut x570: u32 = 0; + let mut x571: fiat_bign256_u1 = 0; + let (x570, x571) = fiat_bign256_addcarryx_u32(x569, x553, x550); + let mut x572: u32 = 0; + let mut x573: fiat_bign256_u1 = 0; + let (x572, x573) = fiat_bign256_addcarryx_u32(x571, x551, x548); + let mut x574: u32 = 0; + let mut x575: fiat_bign256_u1 = 0; + let (x574, x575) = fiat_bign256_addcarryx_u32(x573, x549, x546); + let x576: u32 = ((x575 as u32) + x547); + let mut x577: u32 = 0; + let mut x578: fiat_bign256_u1 = 0; + let (x577, x578) = fiat_bign256_addcarryx_u32(0x0, x526, x560); + let mut x579: u32 = 0; + let mut x580: fiat_bign256_u1 = 0; + let (x579, x580) = fiat_bign256_addcarryx_u32(x578, x528, x562); + let mut x581: u32 = 0; + let mut x582: fiat_bign256_u1 = 0; + let (x581, x582) = fiat_bign256_addcarryx_u32(x580, x530, x564); + let mut x583: u32 = 0; + let mut x584: fiat_bign256_u1 = 0; + let (x583, x584) = fiat_bign256_addcarryx_u32(x582, x532, x566); + let mut x585: u32 = 0; + let mut x586: fiat_bign256_u1 = 0; + let (x585, x586) = fiat_bign256_addcarryx_u32(x584, x534, x568); + let mut x587: u32 = 0; + let mut x588: fiat_bign256_u1 = 0; + let (x587, x588) = fiat_bign256_addcarryx_u32(x586, x536, x570); + let mut x589: u32 = 0; + let mut x590: fiat_bign256_u1 = 0; + let (x589, x590) = fiat_bign256_addcarryx_u32(x588, x538, x572); + let mut x591: u32 = 0; + let mut x592: fiat_bign256_u1 = 0; + let (x591, x592) = fiat_bign256_addcarryx_u32(x590, x540, x574); + let mut x593: u32 = 0; + let mut x594: fiat_bign256_u1 = 0; + let (x593, x594) = fiat_bign256_addcarryx_u32(x592, x542, x576); + let x595: u32 = ((x594 as u32) + (x543 as u32)); + let mut x596: u32 = 0; + let mut x597: u32 = 0; + let (x596, x597) = fiat_bign256_mulx_u32(x6, (arg2[7])); + let mut x598: u32 = 0; + let mut x599: u32 = 0; + let (x598, x599) = fiat_bign256_mulx_u32(x6, (arg2[6])); + let mut x600: u32 = 0; + let mut x601: u32 = 0; + let (x600, x601) = fiat_bign256_mulx_u32(x6, (arg2[5])); + let mut x602: u32 = 0; + let mut x603: u32 = 0; + let (x602, x603) = fiat_bign256_mulx_u32(x6, (arg2[4])); + let mut x604: u32 = 0; + let mut x605: u32 = 0; + let (x604, x605) = fiat_bign256_mulx_u32(x6, (arg2[3])); + let mut x606: u32 = 0; + let mut x607: u32 = 0; + let (x606, x607) = fiat_bign256_mulx_u32(x6, (arg2[2])); + let mut x608: u32 = 0; + let mut x609: u32 = 0; + let (x608, x609) = fiat_bign256_mulx_u32(x6, (arg2[1])); + let mut x610: u32 = 0; + let mut x611: u32 = 0; + let (x610, x611) = fiat_bign256_mulx_u32(x6, (arg2[0])); + let mut x612: u32 = 0; + let mut x613: fiat_bign256_u1 = 0; + let (x612, x613) = fiat_bign256_addcarryx_u32(0x0, x611, x608); + let mut x614: u32 = 0; + let mut x615: fiat_bign256_u1 = 0; + let (x614, x615) = fiat_bign256_addcarryx_u32(x613, x609, x606); + let mut x616: u32 = 0; + let mut x617: fiat_bign256_u1 = 0; + let (x616, x617) = fiat_bign256_addcarryx_u32(x615, x607, x604); + let mut x618: u32 = 0; + let mut x619: fiat_bign256_u1 = 0; + let (x618, x619) = fiat_bign256_addcarryx_u32(x617, x605, x602); + let mut x620: u32 = 0; + let mut x621: fiat_bign256_u1 = 0; + let (x620, x621) = fiat_bign256_addcarryx_u32(x619, x603, x600); + let mut x622: u32 = 0; + let mut x623: fiat_bign256_u1 = 0; + let (x622, x623) = fiat_bign256_addcarryx_u32(x621, x601, x598); + let mut x624: u32 = 0; + let mut x625: fiat_bign256_u1 = 0; + let (x624, x625) = fiat_bign256_addcarryx_u32(x623, x599, x596); + let x626: u32 = ((x625 as u32) + x597); + let mut x627: u32 = 0; + let mut x628: fiat_bign256_u1 = 0; + let (x627, x628) = fiat_bign256_addcarryx_u32(0x0, x579, x610); + let mut x629: u32 = 0; + let mut x630: fiat_bign256_u1 = 0; + let (x629, x630) = fiat_bign256_addcarryx_u32(x628, x581, x612); + let mut x631: u32 = 0; + let mut x632: fiat_bign256_u1 = 0; + let (x631, x632) = fiat_bign256_addcarryx_u32(x630, x583, x614); + let mut x633: u32 = 0; + let mut x634: fiat_bign256_u1 = 0; + let (x633, x634) = fiat_bign256_addcarryx_u32(x632, x585, x616); + let mut x635: u32 = 0; + let mut x636: fiat_bign256_u1 = 0; + let (x635, x636) = fiat_bign256_addcarryx_u32(x634, x587, x618); + let mut x637: u32 = 0; + let mut x638: fiat_bign256_u1 = 0; + let (x637, x638) = fiat_bign256_addcarryx_u32(x636, x589, x620); + let mut x639: u32 = 0; + let mut x640: fiat_bign256_u1 = 0; + let (x639, x640) = fiat_bign256_addcarryx_u32(x638, x591, x622); + let mut x641: u32 = 0; + let mut x642: fiat_bign256_u1 = 0; + let (x641, x642) = fiat_bign256_addcarryx_u32(x640, x593, x624); + let mut x643: u32 = 0; + let mut x644: fiat_bign256_u1 = 0; + let (x643, x644) = fiat_bign256_addcarryx_u32(x642, x595, x626); + let mut x645: u32 = 0; + let mut x646: u32 = 0; + let (x645, x646) = fiat_bign256_mulx_u32(x627, 0xea53fa95); + let mut x647: u32 = 0; + let mut x648: u32 = 0; + let (x647, x648) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x649: u32 = 0; + let mut x650: u32 = 0; + let (x649, x650) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x651: u32 = 0; + let mut x652: u32 = 0; + let (x651, x652) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x653: u32 = 0; + let mut x654: u32 = 0; + let (x653, x654) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x655: u32 = 0; + let mut x656: u32 = 0; + let (x655, x656) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x657: u32 = 0; + let mut x658: u32 = 0; + let (x657, x658) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x659: u32 = 0; + let mut x660: u32 = 0; + let (x659, x660) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x661: u32 = 0; + let mut x662: u32 = 0; + let (x661, x662) = fiat_bign256_mulx_u32(x645, 0xffffff43); + let mut x663: u32 = 0; + let mut x664: fiat_bign256_u1 = 0; + let (x663, x664) = fiat_bign256_addcarryx_u32(0x0, x662, x659); + let mut x665: u32 = 0; + let mut x666: fiat_bign256_u1 = 0; + let (x665, x666) = fiat_bign256_addcarryx_u32(x664, x660, x657); + let mut x667: u32 = 0; + let mut x668: fiat_bign256_u1 = 0; + let (x667, x668) = fiat_bign256_addcarryx_u32(x666, x658, x655); + let mut x669: u32 = 0; + let mut x670: fiat_bign256_u1 = 0; + let (x669, x670) = fiat_bign256_addcarryx_u32(x668, x656, x653); + let mut x671: u32 = 0; + let mut x672: fiat_bign256_u1 = 0; + let (x671, x672) = fiat_bign256_addcarryx_u32(x670, x654, x651); + let mut x673: u32 = 0; + let mut x674: fiat_bign256_u1 = 0; + let (x673, x674) = fiat_bign256_addcarryx_u32(x672, x652, x649); + let mut x675: u32 = 0; + let mut x676: fiat_bign256_u1 = 0; + let (x675, x676) = fiat_bign256_addcarryx_u32(x674, x650, x647); + let x677: u32 = ((x676 as u32) + x648); + let mut x678: u32 = 0; + let mut x679: fiat_bign256_u1 = 0; + let (x678, x679) = fiat_bign256_addcarryx_u32(0x0, x627, x661); + let mut x680: u32 = 0; + let mut x681: fiat_bign256_u1 = 0; + let (x680, x681) = fiat_bign256_addcarryx_u32(x679, x629, x663); + let mut x682: u32 = 0; + let mut x683: fiat_bign256_u1 = 0; + let (x682, x683) = fiat_bign256_addcarryx_u32(x681, x631, x665); + let mut x684: u32 = 0; + let mut x685: fiat_bign256_u1 = 0; + let (x684, x685) = fiat_bign256_addcarryx_u32(x683, x633, x667); + let mut x686: u32 = 0; + let mut x687: fiat_bign256_u1 = 0; + let (x686, x687) = fiat_bign256_addcarryx_u32(x685, x635, x669); + let mut x688: u32 = 0; + let mut x689: fiat_bign256_u1 = 0; + let (x688, x689) = fiat_bign256_addcarryx_u32(x687, x637, x671); + let mut x690: u32 = 0; + let mut x691: fiat_bign256_u1 = 0; + let (x690, x691) = fiat_bign256_addcarryx_u32(x689, x639, x673); + let mut x692: u32 = 0; + let mut x693: fiat_bign256_u1 = 0; + let (x692, x693) = fiat_bign256_addcarryx_u32(x691, x641, x675); + let mut x694: u32 = 0; + let mut x695: fiat_bign256_u1 = 0; + let (x694, x695) = fiat_bign256_addcarryx_u32(x693, x643, x677); + let x696: u32 = ((x695 as u32) + (x644 as u32)); + let mut x697: u32 = 0; + let mut x698: u32 = 0; + let (x697, x698) = fiat_bign256_mulx_u32(x7, (arg2[7])); + let mut x699: u32 = 0; + let mut x700: u32 = 0; + let (x699, x700) = fiat_bign256_mulx_u32(x7, (arg2[6])); + let mut x701: u32 = 0; + let mut x702: u32 = 0; + let (x701, x702) = fiat_bign256_mulx_u32(x7, (arg2[5])); + let mut x703: u32 = 0; + let mut x704: u32 = 0; + let (x703, x704) = fiat_bign256_mulx_u32(x7, (arg2[4])); + let mut x705: u32 = 0; + let mut x706: u32 = 0; + let (x705, x706) = fiat_bign256_mulx_u32(x7, (arg2[3])); + let mut x707: u32 = 0; + let mut x708: u32 = 0; + let (x707, x708) = fiat_bign256_mulx_u32(x7, (arg2[2])); + let mut x709: u32 = 0; + let mut x710: u32 = 0; + let (x709, x710) = fiat_bign256_mulx_u32(x7, (arg2[1])); + let mut x711: u32 = 0; + let mut x712: u32 = 0; + let (x711, x712) = fiat_bign256_mulx_u32(x7, (arg2[0])); + let mut x713: u32 = 0; + let mut x714: fiat_bign256_u1 = 0; + let (x713, x714) = fiat_bign256_addcarryx_u32(0x0, x712, x709); + let mut x715: u32 = 0; + let mut x716: fiat_bign256_u1 = 0; + let (x715, x716) = fiat_bign256_addcarryx_u32(x714, x710, x707); + let mut x717: u32 = 0; + let mut x718: fiat_bign256_u1 = 0; + let (x717, x718) = fiat_bign256_addcarryx_u32(x716, x708, x705); + let mut x719: u32 = 0; + let mut x720: fiat_bign256_u1 = 0; + let (x719, x720) = fiat_bign256_addcarryx_u32(x718, x706, x703); + let mut x721: u32 = 0; + let mut x722: fiat_bign256_u1 = 0; + let (x721, x722) = fiat_bign256_addcarryx_u32(x720, x704, x701); + let mut x723: u32 = 0; + let mut x724: fiat_bign256_u1 = 0; + let (x723, x724) = fiat_bign256_addcarryx_u32(x722, x702, x699); + let mut x725: u32 = 0; + let mut x726: fiat_bign256_u1 = 0; + let (x725, x726) = fiat_bign256_addcarryx_u32(x724, x700, x697); + let x727: u32 = ((x726 as u32) + x698); + let mut x728: u32 = 0; + let mut x729: fiat_bign256_u1 = 0; + let (x728, x729) = fiat_bign256_addcarryx_u32(0x0, x680, x711); + let mut x730: u32 = 0; + let mut x731: fiat_bign256_u1 = 0; + let (x730, x731) = fiat_bign256_addcarryx_u32(x729, x682, x713); + let mut x732: u32 = 0; + let mut x733: fiat_bign256_u1 = 0; + let (x732, x733) = fiat_bign256_addcarryx_u32(x731, x684, x715); + let mut x734: u32 = 0; + let mut x735: fiat_bign256_u1 = 0; + let (x734, x735) = fiat_bign256_addcarryx_u32(x733, x686, x717); + let mut x736: u32 = 0; + let mut x737: fiat_bign256_u1 = 0; + let (x736, x737) = fiat_bign256_addcarryx_u32(x735, x688, x719); + let mut x738: u32 = 0; + let mut x739: fiat_bign256_u1 = 0; + let (x738, x739) = fiat_bign256_addcarryx_u32(x737, x690, x721); + let mut x740: u32 = 0; + let mut x741: fiat_bign256_u1 = 0; + let (x740, x741) = fiat_bign256_addcarryx_u32(x739, x692, x723); + let mut x742: u32 = 0; + let mut x743: fiat_bign256_u1 = 0; + let (x742, x743) = fiat_bign256_addcarryx_u32(x741, x694, x725); + let mut x744: u32 = 0; + let mut x745: fiat_bign256_u1 = 0; + let (x744, x745) = fiat_bign256_addcarryx_u32(x743, x696, x727); + let mut x746: u32 = 0; + let mut x747: u32 = 0; + let (x746, x747) = fiat_bign256_mulx_u32(x728, 0xea53fa95); + let mut x748: u32 = 0; + let mut x749: u32 = 0; + let (x748, x749) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x750: u32 = 0; + let mut x751: u32 = 0; + let (x750, x751) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x752: u32 = 0; + let mut x753: u32 = 0; + let (x752, x753) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x754: u32 = 0; + let mut x755: u32 = 0; + let (x754, x755) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x756: u32 = 0; + let mut x757: u32 = 0; + let (x756, x757) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x758: u32 = 0; + let mut x759: u32 = 0; + let (x758, x759) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x760: u32 = 0; + let mut x761: u32 = 0; + let (x760, x761) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x762: u32 = 0; + let mut x763: u32 = 0; + let (x762, x763) = fiat_bign256_mulx_u32(x746, 0xffffff43); + let mut x764: u32 = 0; + let mut x765: fiat_bign256_u1 = 0; + let (x764, x765) = fiat_bign256_addcarryx_u32(0x0, x763, x760); + let mut x766: u32 = 0; + let mut x767: fiat_bign256_u1 = 0; + let (x766, x767) = fiat_bign256_addcarryx_u32(x765, x761, x758); + let mut x768: u32 = 0; + let mut x769: fiat_bign256_u1 = 0; + let (x768, x769) = fiat_bign256_addcarryx_u32(x767, x759, x756); + let mut x770: u32 = 0; + let mut x771: fiat_bign256_u1 = 0; + let (x770, x771) = fiat_bign256_addcarryx_u32(x769, x757, x754); + let mut x772: u32 = 0; + let mut x773: fiat_bign256_u1 = 0; + let (x772, x773) = fiat_bign256_addcarryx_u32(x771, x755, x752); + let mut x774: u32 = 0; + let mut x775: fiat_bign256_u1 = 0; + let (x774, x775) = fiat_bign256_addcarryx_u32(x773, x753, x750); + let mut x776: u32 = 0; + let mut x777: fiat_bign256_u1 = 0; + let (x776, x777) = fiat_bign256_addcarryx_u32(x775, x751, x748); + let x778: u32 = ((x777 as u32) + x749); + let mut x779: u32 = 0; + let mut x780: fiat_bign256_u1 = 0; + let (x779, x780) = fiat_bign256_addcarryx_u32(0x0, x728, x762); + let mut x781: u32 = 0; + let mut x782: fiat_bign256_u1 = 0; + let (x781, x782) = fiat_bign256_addcarryx_u32(x780, x730, x764); + let mut x783: u32 = 0; + let mut x784: fiat_bign256_u1 = 0; + let (x783, x784) = fiat_bign256_addcarryx_u32(x782, x732, x766); + let mut x785: u32 = 0; + let mut x786: fiat_bign256_u1 = 0; + let (x785, x786) = fiat_bign256_addcarryx_u32(x784, x734, x768); + let mut x787: u32 = 0; + let mut x788: fiat_bign256_u1 = 0; + let (x787, x788) = fiat_bign256_addcarryx_u32(x786, x736, x770); + let mut x789: u32 = 0; + let mut x790: fiat_bign256_u1 = 0; + let (x789, x790) = fiat_bign256_addcarryx_u32(x788, x738, x772); + let mut x791: u32 = 0; + let mut x792: fiat_bign256_u1 = 0; + let (x791, x792) = fiat_bign256_addcarryx_u32(x790, x740, x774); + let mut x793: u32 = 0; + let mut x794: fiat_bign256_u1 = 0; + let (x793, x794) = fiat_bign256_addcarryx_u32(x792, x742, x776); + let mut x795: u32 = 0; + let mut x796: fiat_bign256_u1 = 0; + let (x795, x796) = fiat_bign256_addcarryx_u32(x794, x744, x778); + let x797: u32 = ((x796 as u32) + (x745 as u32)); + let mut x798: u32 = 0; + let mut x799: fiat_bign256_u1 = 0; + let (x798, x799) = fiat_bign256_subborrowx_u32(0x0, x781, 0xffffff43); + let mut x800: u32 = 0; + let mut x801: fiat_bign256_u1 = 0; + let (x800, x801) = fiat_bign256_subborrowx_u32(x799, x783, 0xffffffff); + let mut x802: u32 = 0; + let mut x803: fiat_bign256_u1 = 0; + let (x802, x803) = fiat_bign256_subborrowx_u32(x801, x785, 0xffffffff); + let mut x804: u32 = 0; + let mut x805: fiat_bign256_u1 = 0; + let (x804, x805) = fiat_bign256_subborrowx_u32(x803, x787, 0xffffffff); + let mut x806: u32 = 0; + let mut x807: fiat_bign256_u1 = 0; + let (x806, x807) = fiat_bign256_subborrowx_u32(x805, x789, 0xffffffff); + let mut x808: u32 = 0; + let mut x809: fiat_bign256_u1 = 0; + let (x808, x809) = fiat_bign256_subborrowx_u32(x807, x791, 0xffffffff); + let mut x810: u32 = 0; + let mut x811: fiat_bign256_u1 = 0; + let (x810, x811) = fiat_bign256_subborrowx_u32(x809, x793, 0xffffffff); + let mut x812: u32 = 0; + let mut x813: fiat_bign256_u1 = 0; + let (x812, x813) = fiat_bign256_subborrowx_u32(x811, x795, 0xffffffff); + let mut x814: u32 = 0; + let mut x815: fiat_bign256_u1 = 0; + let (x814, x815) = fiat_bign256_subborrowx_u32(x813, x797, (0x0 as u32)); + let mut x816: u32 = 0; + let (x816) = fiat_bign256_cmovznz_u32(x815, x798, x781); + let mut x817: u32 = 0; + let (x817) = fiat_bign256_cmovznz_u32(x815, x800, x783); + let mut x818: u32 = 0; + let (x818) = fiat_bign256_cmovznz_u32(x815, x802, x785); + let mut x819: u32 = 0; + let (x819) = fiat_bign256_cmovznz_u32(x815, x804, x787); + let mut x820: u32 = 0; + let (x820) = fiat_bign256_cmovznz_u32(x815, x806, x789); + let mut x821: u32 = 0; + let (x821) = fiat_bign256_cmovznz_u32(x815, x808, x791); + let mut x822: u32 = 0; + let (x822) = fiat_bign256_cmovznz_u32(x815, x810, x793); + let mut x823: u32 = 0; + let (x823) = fiat_bign256_cmovznz_u32(x815, x812, x795); + out1[0] = x816; + out1[1] = x817; + out1[2] = x818; + out1[3] = x819; + out1[4] = x820; + out1[5] = x821; + out1[6] = x822; + out1[7] = x823; + out1 +} +#[doc = " The function fiat_bign256_square squares a field element in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_square( + arg1: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 8]; + let x1: u32 = (arg1[1]); + let x2: u32 = (arg1[2]); + let x3: u32 = (arg1[3]); + let x4: u32 = (arg1[4]); + let x5: u32 = (arg1[5]); + let x6: u32 = (arg1[6]); + let x7: u32 = (arg1[7]); + let x8: u32 = (arg1[0]); + let mut x9: u32 = 0; + let mut x10: u32 = 0; + let (x9, x10) = fiat_bign256_mulx_u32(x8, (arg1[7])); + let mut x11: u32 = 0; + let mut x12: u32 = 0; + let (x11, x12) = fiat_bign256_mulx_u32(x8, (arg1[6])); + let mut x13: u32 = 0; + let mut x14: u32 = 0; + let (x13, x14) = fiat_bign256_mulx_u32(x8, (arg1[5])); + let mut x15: u32 = 0; + let mut x16: u32 = 0; + let (x15, x16) = fiat_bign256_mulx_u32(x8, (arg1[4])); + let mut x17: u32 = 0; + let mut x18: u32 = 0; + let (x17, x18) = fiat_bign256_mulx_u32(x8, (arg1[3])); + let mut x19: u32 = 0; + let mut x20: u32 = 0; + let (x19, x20) = fiat_bign256_mulx_u32(x8, (arg1[2])); + let mut x21: u32 = 0; + let mut x22: u32 = 0; + let (x21, x22) = fiat_bign256_mulx_u32(x8, (arg1[1])); + let mut x23: u32 = 0; + let mut x24: u32 = 0; + let (x23, x24) = fiat_bign256_mulx_u32(x8, (arg1[0])); + let mut x25: u32 = 0; + let mut x26: fiat_bign256_u1 = 0; + let (x25, x26) = fiat_bign256_addcarryx_u32(0x0, x24, x21); + let mut x27: u32 = 0; + let mut x28: fiat_bign256_u1 = 0; + let (x27, x28) = fiat_bign256_addcarryx_u32(x26, x22, x19); + let mut x29: u32 = 0; + let mut x30: fiat_bign256_u1 = 0; + let (x29, x30) = fiat_bign256_addcarryx_u32(x28, x20, x17); + let mut x31: u32 = 0; + let mut x32: fiat_bign256_u1 = 0; + let (x31, x32) = fiat_bign256_addcarryx_u32(x30, x18, x15); + let mut x33: u32 = 0; + let mut x34: fiat_bign256_u1 = 0; + let (x33, x34) = fiat_bign256_addcarryx_u32(x32, x16, x13); + let mut x35: u32 = 0; + let mut x36: fiat_bign256_u1 = 0; + let (x35, x36) = fiat_bign256_addcarryx_u32(x34, x14, x11); + let mut x37: u32 = 0; + let mut x38: fiat_bign256_u1 = 0; + let (x37, x38) = fiat_bign256_addcarryx_u32(x36, x12, x9); + let x39: u32 = ((x38 as u32) + x10); + let mut x40: u32 = 0; + let mut x41: u32 = 0; + let (x40, x41) = fiat_bign256_mulx_u32(x23, 0xea53fa95); + let mut x42: u32 = 0; + let mut x43: u32 = 0; + let (x42, x43) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x44: u32 = 0; + let mut x45: u32 = 0; + let (x44, x45) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x46: u32 = 0; + let mut x47: u32 = 0; + let (x46, x47) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x48: u32 = 0; + let mut x49: u32 = 0; + let (x48, x49) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x50: u32 = 0; + let mut x51: u32 = 0; + let (x50, x51) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x52: u32 = 0; + let mut x53: u32 = 0; + let (x52, x53) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x54: u32 = 0; + let mut x55: u32 = 0; + let (x54, x55) = fiat_bign256_mulx_u32(x40, 0xffffffff); + let mut x56: u32 = 0; + let mut x57: u32 = 0; + let (x56, x57) = fiat_bign256_mulx_u32(x40, 0xffffff43); + let mut x58: u32 = 0; + let mut x59: fiat_bign256_u1 = 0; + let (x58, x59) = fiat_bign256_addcarryx_u32(0x0, x57, x54); + let mut x60: u32 = 0; + let mut x61: fiat_bign256_u1 = 0; + let (x60, x61) = fiat_bign256_addcarryx_u32(x59, x55, x52); + let mut x62: u32 = 0; + let mut x63: fiat_bign256_u1 = 0; + let (x62, x63) = fiat_bign256_addcarryx_u32(x61, x53, x50); + let mut x64: u32 = 0; + let mut x65: fiat_bign256_u1 = 0; + let (x64, x65) = fiat_bign256_addcarryx_u32(x63, x51, x48); + let mut x66: u32 = 0; + let mut x67: fiat_bign256_u1 = 0; + let (x66, x67) = fiat_bign256_addcarryx_u32(x65, x49, x46); + let mut x68: u32 = 0; + let mut x69: fiat_bign256_u1 = 0; + let (x68, x69) = fiat_bign256_addcarryx_u32(x67, x47, x44); + let mut x70: u32 = 0; + let mut x71: fiat_bign256_u1 = 0; + let (x70, x71) = fiat_bign256_addcarryx_u32(x69, x45, x42); + let x72: u32 = ((x71 as u32) + x43); + let mut x73: u32 = 0; + let mut x74: fiat_bign256_u1 = 0; + let (x73, x74) = fiat_bign256_addcarryx_u32(0x0, x23, x56); + let mut x75: u32 = 0; + let mut x76: fiat_bign256_u1 = 0; + let (x75, x76) = fiat_bign256_addcarryx_u32(x74, x25, x58); + let mut x77: u32 = 0; + let mut x78: fiat_bign256_u1 = 0; + let (x77, x78) = fiat_bign256_addcarryx_u32(x76, x27, x60); + let mut x79: u32 = 0; + let mut x80: fiat_bign256_u1 = 0; + let (x79, x80) = fiat_bign256_addcarryx_u32(x78, x29, x62); + let mut x81: u32 = 0; + let mut x82: fiat_bign256_u1 = 0; + let (x81, x82) = fiat_bign256_addcarryx_u32(x80, x31, x64); + let mut x83: u32 = 0; + let mut x84: fiat_bign256_u1 = 0; + let (x83, x84) = fiat_bign256_addcarryx_u32(x82, x33, x66); + let mut x85: u32 = 0; + let mut x86: fiat_bign256_u1 = 0; + let (x85, x86) = fiat_bign256_addcarryx_u32(x84, x35, x68); + let mut x87: u32 = 0; + let mut x88: fiat_bign256_u1 = 0; + let (x87, x88) = fiat_bign256_addcarryx_u32(x86, x37, x70); + let mut x89: u32 = 0; + let mut x90: fiat_bign256_u1 = 0; + let (x89, x90) = fiat_bign256_addcarryx_u32(x88, x39, x72); + let mut x91: u32 = 0; + let mut x92: u32 = 0; + let (x91, x92) = fiat_bign256_mulx_u32(x1, (arg1[7])); + let mut x93: u32 = 0; + let mut x94: u32 = 0; + let (x93, x94) = fiat_bign256_mulx_u32(x1, (arg1[6])); + let mut x95: u32 = 0; + let mut x96: u32 = 0; + let (x95, x96) = fiat_bign256_mulx_u32(x1, (arg1[5])); + let mut x97: u32 = 0; + let mut x98: u32 = 0; + let (x97, x98) = fiat_bign256_mulx_u32(x1, (arg1[4])); + let mut x99: u32 = 0; + let mut x100: u32 = 0; + let (x99, x100) = fiat_bign256_mulx_u32(x1, (arg1[3])); + let mut x101: u32 = 0; + let mut x102: u32 = 0; + let (x101, x102) = fiat_bign256_mulx_u32(x1, (arg1[2])); + let mut x103: u32 = 0; + let mut x104: u32 = 0; + let (x103, x104) = fiat_bign256_mulx_u32(x1, (arg1[1])); + let mut x105: u32 = 0; + let mut x106: u32 = 0; + let (x105, x106) = fiat_bign256_mulx_u32(x1, (arg1[0])); + let mut x107: u32 = 0; + let mut x108: fiat_bign256_u1 = 0; + let (x107, x108) = fiat_bign256_addcarryx_u32(0x0, x106, x103); + let mut x109: u32 = 0; + let mut x110: fiat_bign256_u1 = 0; + let (x109, x110) = fiat_bign256_addcarryx_u32(x108, x104, x101); + let mut x111: u32 = 0; + let mut x112: fiat_bign256_u1 = 0; + let (x111, x112) = fiat_bign256_addcarryx_u32(x110, x102, x99); + let mut x113: u32 = 0; + let mut x114: fiat_bign256_u1 = 0; + let (x113, x114) = fiat_bign256_addcarryx_u32(x112, x100, x97); + let mut x115: u32 = 0; + let mut x116: fiat_bign256_u1 = 0; + let (x115, x116) = fiat_bign256_addcarryx_u32(x114, x98, x95); + let mut x117: u32 = 0; + let mut x118: fiat_bign256_u1 = 0; + let (x117, x118) = fiat_bign256_addcarryx_u32(x116, x96, x93); + let mut x119: u32 = 0; + let mut x120: fiat_bign256_u1 = 0; + let (x119, x120) = fiat_bign256_addcarryx_u32(x118, x94, x91); + let x121: u32 = ((x120 as u32) + x92); + let mut x122: u32 = 0; + let mut x123: fiat_bign256_u1 = 0; + let (x122, x123) = fiat_bign256_addcarryx_u32(0x0, x75, x105); + let mut x124: u32 = 0; + let mut x125: fiat_bign256_u1 = 0; + let (x124, x125) = fiat_bign256_addcarryx_u32(x123, x77, x107); + let mut x126: u32 = 0; + let mut x127: fiat_bign256_u1 = 0; + let (x126, x127) = fiat_bign256_addcarryx_u32(x125, x79, x109); + let mut x128: u32 = 0; + let mut x129: fiat_bign256_u1 = 0; + let (x128, x129) = fiat_bign256_addcarryx_u32(x127, x81, x111); + let mut x130: u32 = 0; + let mut x131: fiat_bign256_u1 = 0; + let (x130, x131) = fiat_bign256_addcarryx_u32(x129, x83, x113); + let mut x132: u32 = 0; + let mut x133: fiat_bign256_u1 = 0; + let (x132, x133) = fiat_bign256_addcarryx_u32(x131, x85, x115); + let mut x134: u32 = 0; + let mut x135: fiat_bign256_u1 = 0; + let (x134, x135) = fiat_bign256_addcarryx_u32(x133, x87, x117); + let mut x136: u32 = 0; + let mut x137: fiat_bign256_u1 = 0; + let (x136, x137) = fiat_bign256_addcarryx_u32(x135, x89, x119); + let mut x138: u32 = 0; + let mut x139: fiat_bign256_u1 = 0; + let (x138, x139) = fiat_bign256_addcarryx_u32(x137, (x90 as u32), x121); + let mut x140: u32 = 0; + let mut x141: u32 = 0; + let (x140, x141) = fiat_bign256_mulx_u32(x122, 0xea53fa95); + let mut x142: u32 = 0; + let mut x143: u32 = 0; + let (x142, x143) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x144: u32 = 0; + let mut x145: u32 = 0; + let (x144, x145) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x146: u32 = 0; + let mut x147: u32 = 0; + let (x146, x147) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x148: u32 = 0; + let mut x149: u32 = 0; + let (x148, x149) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x150: u32 = 0; + let mut x151: u32 = 0; + let (x150, x151) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x152: u32 = 0; + let mut x153: u32 = 0; + let (x152, x153) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x154: u32 = 0; + let mut x155: u32 = 0; + let (x154, x155) = fiat_bign256_mulx_u32(x140, 0xffffffff); + let mut x156: u32 = 0; + let mut x157: u32 = 0; + let (x156, x157) = fiat_bign256_mulx_u32(x140, 0xffffff43); + let mut x158: u32 = 0; + let mut x159: fiat_bign256_u1 = 0; + let (x158, x159) = fiat_bign256_addcarryx_u32(0x0, x157, x154); + let mut x160: u32 = 0; + let mut x161: fiat_bign256_u1 = 0; + let (x160, x161) = fiat_bign256_addcarryx_u32(x159, x155, x152); + let mut x162: u32 = 0; + let mut x163: fiat_bign256_u1 = 0; + let (x162, x163) = fiat_bign256_addcarryx_u32(x161, x153, x150); + let mut x164: u32 = 0; + let mut x165: fiat_bign256_u1 = 0; + let (x164, x165) = fiat_bign256_addcarryx_u32(x163, x151, x148); + let mut x166: u32 = 0; + let mut x167: fiat_bign256_u1 = 0; + let (x166, x167) = fiat_bign256_addcarryx_u32(x165, x149, x146); + let mut x168: u32 = 0; + let mut x169: fiat_bign256_u1 = 0; + let (x168, x169) = fiat_bign256_addcarryx_u32(x167, x147, x144); + let mut x170: u32 = 0; + let mut x171: fiat_bign256_u1 = 0; + let (x170, x171) = fiat_bign256_addcarryx_u32(x169, x145, x142); + let x172: u32 = ((x171 as u32) + x143); + let mut x173: u32 = 0; + let mut x174: fiat_bign256_u1 = 0; + let (x173, x174) = fiat_bign256_addcarryx_u32(0x0, x122, x156); + let mut x175: u32 = 0; + let mut x176: fiat_bign256_u1 = 0; + let (x175, x176) = fiat_bign256_addcarryx_u32(x174, x124, x158); + let mut x177: u32 = 0; + let mut x178: fiat_bign256_u1 = 0; + let (x177, x178) = fiat_bign256_addcarryx_u32(x176, x126, x160); + let mut x179: u32 = 0; + let mut x180: fiat_bign256_u1 = 0; + let (x179, x180) = fiat_bign256_addcarryx_u32(x178, x128, x162); + let mut x181: u32 = 0; + let mut x182: fiat_bign256_u1 = 0; + let (x181, x182) = fiat_bign256_addcarryx_u32(x180, x130, x164); + let mut x183: u32 = 0; + let mut x184: fiat_bign256_u1 = 0; + let (x183, x184) = fiat_bign256_addcarryx_u32(x182, x132, x166); + let mut x185: u32 = 0; + let mut x186: fiat_bign256_u1 = 0; + let (x185, x186) = fiat_bign256_addcarryx_u32(x184, x134, x168); + let mut x187: u32 = 0; + let mut x188: fiat_bign256_u1 = 0; + let (x187, x188) = fiat_bign256_addcarryx_u32(x186, x136, x170); + let mut x189: u32 = 0; + let mut x190: fiat_bign256_u1 = 0; + let (x189, x190) = fiat_bign256_addcarryx_u32(x188, x138, x172); + let x191: u32 = ((x190 as u32) + (x139 as u32)); + let mut x192: u32 = 0; + let mut x193: u32 = 0; + let (x192, x193) = fiat_bign256_mulx_u32(x2, (arg1[7])); + let mut x194: u32 = 0; + let mut x195: u32 = 0; + let (x194, x195) = fiat_bign256_mulx_u32(x2, (arg1[6])); + let mut x196: u32 = 0; + let mut x197: u32 = 0; + let (x196, x197) = fiat_bign256_mulx_u32(x2, (arg1[5])); + let mut x198: u32 = 0; + let mut x199: u32 = 0; + let (x198, x199) = fiat_bign256_mulx_u32(x2, (arg1[4])); + let mut x200: u32 = 0; + let mut x201: u32 = 0; + let (x200, x201) = fiat_bign256_mulx_u32(x2, (arg1[3])); + let mut x202: u32 = 0; + let mut x203: u32 = 0; + let (x202, x203) = fiat_bign256_mulx_u32(x2, (arg1[2])); + let mut x204: u32 = 0; + let mut x205: u32 = 0; + let (x204, x205) = fiat_bign256_mulx_u32(x2, (arg1[1])); + let mut x206: u32 = 0; + let mut x207: u32 = 0; + let (x206, x207) = fiat_bign256_mulx_u32(x2, (arg1[0])); + let mut x208: u32 = 0; + let mut x209: fiat_bign256_u1 = 0; + let (x208, x209) = fiat_bign256_addcarryx_u32(0x0, x207, x204); + let mut x210: u32 = 0; + let mut x211: fiat_bign256_u1 = 0; + let (x210, x211) = fiat_bign256_addcarryx_u32(x209, x205, x202); + let mut x212: u32 = 0; + let mut x213: fiat_bign256_u1 = 0; + let (x212, x213) = fiat_bign256_addcarryx_u32(x211, x203, x200); + let mut x214: u32 = 0; + let mut x215: fiat_bign256_u1 = 0; + let (x214, x215) = fiat_bign256_addcarryx_u32(x213, x201, x198); + let mut x216: u32 = 0; + let mut x217: fiat_bign256_u1 = 0; + let (x216, x217) = fiat_bign256_addcarryx_u32(x215, x199, x196); + let mut x218: u32 = 0; + let mut x219: fiat_bign256_u1 = 0; + let (x218, x219) = fiat_bign256_addcarryx_u32(x217, x197, x194); + let mut x220: u32 = 0; + let mut x221: fiat_bign256_u1 = 0; + let (x220, x221) = fiat_bign256_addcarryx_u32(x219, x195, x192); + let x222: u32 = ((x221 as u32) + x193); + let mut x223: u32 = 0; + let mut x224: fiat_bign256_u1 = 0; + let (x223, x224) = fiat_bign256_addcarryx_u32(0x0, x175, x206); + let mut x225: u32 = 0; + let mut x226: fiat_bign256_u1 = 0; + let (x225, x226) = fiat_bign256_addcarryx_u32(x224, x177, x208); + let mut x227: u32 = 0; + let mut x228: fiat_bign256_u1 = 0; + let (x227, x228) = fiat_bign256_addcarryx_u32(x226, x179, x210); + let mut x229: u32 = 0; + let mut x230: fiat_bign256_u1 = 0; + let (x229, x230) = fiat_bign256_addcarryx_u32(x228, x181, x212); + let mut x231: u32 = 0; + let mut x232: fiat_bign256_u1 = 0; + let (x231, x232) = fiat_bign256_addcarryx_u32(x230, x183, x214); + let mut x233: u32 = 0; + let mut x234: fiat_bign256_u1 = 0; + let (x233, x234) = fiat_bign256_addcarryx_u32(x232, x185, x216); + let mut x235: u32 = 0; + let mut x236: fiat_bign256_u1 = 0; + let (x235, x236) = fiat_bign256_addcarryx_u32(x234, x187, x218); + let mut x237: u32 = 0; + let mut x238: fiat_bign256_u1 = 0; + let (x237, x238) = fiat_bign256_addcarryx_u32(x236, x189, x220); + let mut x239: u32 = 0; + let mut x240: fiat_bign256_u1 = 0; + let (x239, x240) = fiat_bign256_addcarryx_u32(x238, x191, x222); + let mut x241: u32 = 0; + let mut x242: u32 = 0; + let (x241, x242) = fiat_bign256_mulx_u32(x223, 0xea53fa95); + let mut x243: u32 = 0; + let mut x244: u32 = 0; + let (x243, x244) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x245: u32 = 0; + let mut x246: u32 = 0; + let (x245, x246) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x247: u32 = 0; + let mut x248: u32 = 0; + let (x247, x248) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x249: u32 = 0; + let mut x250: u32 = 0; + let (x249, x250) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x251: u32 = 0; + let mut x252: u32 = 0; + let (x251, x252) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x253: u32 = 0; + let mut x254: u32 = 0; + let (x253, x254) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x255: u32 = 0; + let mut x256: u32 = 0; + let (x255, x256) = fiat_bign256_mulx_u32(x241, 0xffffffff); + let mut x257: u32 = 0; + let mut x258: u32 = 0; + let (x257, x258) = fiat_bign256_mulx_u32(x241, 0xffffff43); + let mut x259: u32 = 0; + let mut x260: fiat_bign256_u1 = 0; + let (x259, x260) = fiat_bign256_addcarryx_u32(0x0, x258, x255); + let mut x261: u32 = 0; + let mut x262: fiat_bign256_u1 = 0; + let (x261, x262) = fiat_bign256_addcarryx_u32(x260, x256, x253); + let mut x263: u32 = 0; + let mut x264: fiat_bign256_u1 = 0; + let (x263, x264) = fiat_bign256_addcarryx_u32(x262, x254, x251); + let mut x265: u32 = 0; + let mut x266: fiat_bign256_u1 = 0; + let (x265, x266) = fiat_bign256_addcarryx_u32(x264, x252, x249); + let mut x267: u32 = 0; + let mut x268: fiat_bign256_u1 = 0; + let (x267, x268) = fiat_bign256_addcarryx_u32(x266, x250, x247); + let mut x269: u32 = 0; + let mut x270: fiat_bign256_u1 = 0; + let (x269, x270) = fiat_bign256_addcarryx_u32(x268, x248, x245); + let mut x271: u32 = 0; + let mut x272: fiat_bign256_u1 = 0; + let (x271, x272) = fiat_bign256_addcarryx_u32(x270, x246, x243); + let x273: u32 = ((x272 as u32) + x244); + let mut x274: u32 = 0; + let mut x275: fiat_bign256_u1 = 0; + let (x274, x275) = fiat_bign256_addcarryx_u32(0x0, x223, x257); + let mut x276: u32 = 0; + let mut x277: fiat_bign256_u1 = 0; + let (x276, x277) = fiat_bign256_addcarryx_u32(x275, x225, x259); + let mut x278: u32 = 0; + let mut x279: fiat_bign256_u1 = 0; + let (x278, x279) = fiat_bign256_addcarryx_u32(x277, x227, x261); + let mut x280: u32 = 0; + let mut x281: fiat_bign256_u1 = 0; + let (x280, x281) = fiat_bign256_addcarryx_u32(x279, x229, x263); + let mut x282: u32 = 0; + let mut x283: fiat_bign256_u1 = 0; + let (x282, x283) = fiat_bign256_addcarryx_u32(x281, x231, x265); + let mut x284: u32 = 0; + let mut x285: fiat_bign256_u1 = 0; + let (x284, x285) = fiat_bign256_addcarryx_u32(x283, x233, x267); + let mut x286: u32 = 0; + let mut x287: fiat_bign256_u1 = 0; + let (x286, x287) = fiat_bign256_addcarryx_u32(x285, x235, x269); + let mut x288: u32 = 0; + let mut x289: fiat_bign256_u1 = 0; + let (x288, x289) = fiat_bign256_addcarryx_u32(x287, x237, x271); + let mut x290: u32 = 0; + let mut x291: fiat_bign256_u1 = 0; + let (x290, x291) = fiat_bign256_addcarryx_u32(x289, x239, x273); + let x292: u32 = ((x291 as u32) + (x240 as u32)); + let mut x293: u32 = 0; + let mut x294: u32 = 0; + let (x293, x294) = fiat_bign256_mulx_u32(x3, (arg1[7])); + let mut x295: u32 = 0; + let mut x296: u32 = 0; + let (x295, x296) = fiat_bign256_mulx_u32(x3, (arg1[6])); + let mut x297: u32 = 0; + let mut x298: u32 = 0; + let (x297, x298) = fiat_bign256_mulx_u32(x3, (arg1[5])); + let mut x299: u32 = 0; + let mut x300: u32 = 0; + let (x299, x300) = fiat_bign256_mulx_u32(x3, (arg1[4])); + let mut x301: u32 = 0; + let mut x302: u32 = 0; + let (x301, x302) = fiat_bign256_mulx_u32(x3, (arg1[3])); + let mut x303: u32 = 0; + let mut x304: u32 = 0; + let (x303, x304) = fiat_bign256_mulx_u32(x3, (arg1[2])); + let mut x305: u32 = 0; + let mut x306: u32 = 0; + let (x305, x306) = fiat_bign256_mulx_u32(x3, (arg1[1])); + let mut x307: u32 = 0; + let mut x308: u32 = 0; + let (x307, x308) = fiat_bign256_mulx_u32(x3, (arg1[0])); + let mut x309: u32 = 0; + let mut x310: fiat_bign256_u1 = 0; + let (x309, x310) = fiat_bign256_addcarryx_u32(0x0, x308, x305); + let mut x311: u32 = 0; + let mut x312: fiat_bign256_u1 = 0; + let (x311, x312) = fiat_bign256_addcarryx_u32(x310, x306, x303); + let mut x313: u32 = 0; + let mut x314: fiat_bign256_u1 = 0; + let (x313, x314) = fiat_bign256_addcarryx_u32(x312, x304, x301); + let mut x315: u32 = 0; + let mut x316: fiat_bign256_u1 = 0; + let (x315, x316) = fiat_bign256_addcarryx_u32(x314, x302, x299); + let mut x317: u32 = 0; + let mut x318: fiat_bign256_u1 = 0; + let (x317, x318) = fiat_bign256_addcarryx_u32(x316, x300, x297); + let mut x319: u32 = 0; + let mut x320: fiat_bign256_u1 = 0; + let (x319, x320) = fiat_bign256_addcarryx_u32(x318, x298, x295); + let mut x321: u32 = 0; + let mut x322: fiat_bign256_u1 = 0; + let (x321, x322) = fiat_bign256_addcarryx_u32(x320, x296, x293); + let x323: u32 = ((x322 as u32) + x294); + let mut x324: u32 = 0; + let mut x325: fiat_bign256_u1 = 0; + let (x324, x325) = fiat_bign256_addcarryx_u32(0x0, x276, x307); + let mut x326: u32 = 0; + let mut x327: fiat_bign256_u1 = 0; + let (x326, x327) = fiat_bign256_addcarryx_u32(x325, x278, x309); + let mut x328: u32 = 0; + let mut x329: fiat_bign256_u1 = 0; + let (x328, x329) = fiat_bign256_addcarryx_u32(x327, x280, x311); + let mut x330: u32 = 0; + let mut x331: fiat_bign256_u1 = 0; + let (x330, x331) = fiat_bign256_addcarryx_u32(x329, x282, x313); + let mut x332: u32 = 0; + let mut x333: fiat_bign256_u1 = 0; + let (x332, x333) = fiat_bign256_addcarryx_u32(x331, x284, x315); + let mut x334: u32 = 0; + let mut x335: fiat_bign256_u1 = 0; + let (x334, x335) = fiat_bign256_addcarryx_u32(x333, x286, x317); + let mut x336: u32 = 0; + let mut x337: fiat_bign256_u1 = 0; + let (x336, x337) = fiat_bign256_addcarryx_u32(x335, x288, x319); + let mut x338: u32 = 0; + let mut x339: fiat_bign256_u1 = 0; + let (x338, x339) = fiat_bign256_addcarryx_u32(x337, x290, x321); + let mut x340: u32 = 0; + let mut x341: fiat_bign256_u1 = 0; + let (x340, x341) = fiat_bign256_addcarryx_u32(x339, x292, x323); + let mut x342: u32 = 0; + let mut x343: u32 = 0; + let (x342, x343) = fiat_bign256_mulx_u32(x324, 0xea53fa95); + let mut x344: u32 = 0; + let mut x345: u32 = 0; + let (x344, x345) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x346: u32 = 0; + let mut x347: u32 = 0; + let (x346, x347) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x348: u32 = 0; + let mut x349: u32 = 0; + let (x348, x349) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x350: u32 = 0; + let mut x351: u32 = 0; + let (x350, x351) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x352: u32 = 0; + let mut x353: u32 = 0; + let (x352, x353) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x354: u32 = 0; + let mut x355: u32 = 0; + let (x354, x355) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x356: u32 = 0; + let mut x357: u32 = 0; + let (x356, x357) = fiat_bign256_mulx_u32(x342, 0xffffffff); + let mut x358: u32 = 0; + let mut x359: u32 = 0; + let (x358, x359) = fiat_bign256_mulx_u32(x342, 0xffffff43); + let mut x360: u32 = 0; + let mut x361: fiat_bign256_u1 = 0; + let (x360, x361) = fiat_bign256_addcarryx_u32(0x0, x359, x356); + let mut x362: u32 = 0; + let mut x363: fiat_bign256_u1 = 0; + let (x362, x363) = fiat_bign256_addcarryx_u32(x361, x357, x354); + let mut x364: u32 = 0; + let mut x365: fiat_bign256_u1 = 0; + let (x364, x365) = fiat_bign256_addcarryx_u32(x363, x355, x352); + let mut x366: u32 = 0; + let mut x367: fiat_bign256_u1 = 0; + let (x366, x367) = fiat_bign256_addcarryx_u32(x365, x353, x350); + let mut x368: u32 = 0; + let mut x369: fiat_bign256_u1 = 0; + let (x368, x369) = fiat_bign256_addcarryx_u32(x367, x351, x348); + let mut x370: u32 = 0; + let mut x371: fiat_bign256_u1 = 0; + let (x370, x371) = fiat_bign256_addcarryx_u32(x369, x349, x346); + let mut x372: u32 = 0; + let mut x373: fiat_bign256_u1 = 0; + let (x372, x373) = fiat_bign256_addcarryx_u32(x371, x347, x344); + let x374: u32 = ((x373 as u32) + x345); + let mut x375: u32 = 0; + let mut x376: fiat_bign256_u1 = 0; + let (x375, x376) = fiat_bign256_addcarryx_u32(0x0, x324, x358); + let mut x377: u32 = 0; + let mut x378: fiat_bign256_u1 = 0; + let (x377, x378) = fiat_bign256_addcarryx_u32(x376, x326, x360); + let mut x379: u32 = 0; + let mut x380: fiat_bign256_u1 = 0; + let (x379, x380) = fiat_bign256_addcarryx_u32(x378, x328, x362); + let mut x381: u32 = 0; + let mut x382: fiat_bign256_u1 = 0; + let (x381, x382) = fiat_bign256_addcarryx_u32(x380, x330, x364); + let mut x383: u32 = 0; + let mut x384: fiat_bign256_u1 = 0; + let (x383, x384) = fiat_bign256_addcarryx_u32(x382, x332, x366); + let mut x385: u32 = 0; + let mut x386: fiat_bign256_u1 = 0; + let (x385, x386) = fiat_bign256_addcarryx_u32(x384, x334, x368); + let mut x387: u32 = 0; + let mut x388: fiat_bign256_u1 = 0; + let (x387, x388) = fiat_bign256_addcarryx_u32(x386, x336, x370); + let mut x389: u32 = 0; + let mut x390: fiat_bign256_u1 = 0; + let (x389, x390) = fiat_bign256_addcarryx_u32(x388, x338, x372); + let mut x391: u32 = 0; + let mut x392: fiat_bign256_u1 = 0; + let (x391, x392) = fiat_bign256_addcarryx_u32(x390, x340, x374); + let x393: u32 = ((x392 as u32) + (x341 as u32)); + let mut x394: u32 = 0; + let mut x395: u32 = 0; + let (x394, x395) = fiat_bign256_mulx_u32(x4, (arg1[7])); + let mut x396: u32 = 0; + let mut x397: u32 = 0; + let (x396, x397) = fiat_bign256_mulx_u32(x4, (arg1[6])); + let mut x398: u32 = 0; + let mut x399: u32 = 0; + let (x398, x399) = fiat_bign256_mulx_u32(x4, (arg1[5])); + let mut x400: u32 = 0; + let mut x401: u32 = 0; + let (x400, x401) = fiat_bign256_mulx_u32(x4, (arg1[4])); + let mut x402: u32 = 0; + let mut x403: u32 = 0; + let (x402, x403) = fiat_bign256_mulx_u32(x4, (arg1[3])); + let mut x404: u32 = 0; + let mut x405: u32 = 0; + let (x404, x405) = fiat_bign256_mulx_u32(x4, (arg1[2])); + let mut x406: u32 = 0; + let mut x407: u32 = 0; + let (x406, x407) = fiat_bign256_mulx_u32(x4, (arg1[1])); + let mut x408: u32 = 0; + let mut x409: u32 = 0; + let (x408, x409) = fiat_bign256_mulx_u32(x4, (arg1[0])); + let mut x410: u32 = 0; + let mut x411: fiat_bign256_u1 = 0; + let (x410, x411) = fiat_bign256_addcarryx_u32(0x0, x409, x406); + let mut x412: u32 = 0; + let mut x413: fiat_bign256_u1 = 0; + let (x412, x413) = fiat_bign256_addcarryx_u32(x411, x407, x404); + let mut x414: u32 = 0; + let mut x415: fiat_bign256_u1 = 0; + let (x414, x415) = fiat_bign256_addcarryx_u32(x413, x405, x402); + let mut x416: u32 = 0; + let mut x417: fiat_bign256_u1 = 0; + let (x416, x417) = fiat_bign256_addcarryx_u32(x415, x403, x400); + let mut x418: u32 = 0; + let mut x419: fiat_bign256_u1 = 0; + let (x418, x419) = fiat_bign256_addcarryx_u32(x417, x401, x398); + let mut x420: u32 = 0; + let mut x421: fiat_bign256_u1 = 0; + let (x420, x421) = fiat_bign256_addcarryx_u32(x419, x399, x396); + let mut x422: u32 = 0; + let mut x423: fiat_bign256_u1 = 0; + let (x422, x423) = fiat_bign256_addcarryx_u32(x421, x397, x394); + let x424: u32 = ((x423 as u32) + x395); + let mut x425: u32 = 0; + let mut x426: fiat_bign256_u1 = 0; + let (x425, x426) = fiat_bign256_addcarryx_u32(0x0, x377, x408); + let mut x427: u32 = 0; + let mut x428: fiat_bign256_u1 = 0; + let (x427, x428) = fiat_bign256_addcarryx_u32(x426, x379, x410); + let mut x429: u32 = 0; + let mut x430: fiat_bign256_u1 = 0; + let (x429, x430) = fiat_bign256_addcarryx_u32(x428, x381, x412); + let mut x431: u32 = 0; + let mut x432: fiat_bign256_u1 = 0; + let (x431, x432) = fiat_bign256_addcarryx_u32(x430, x383, x414); + let mut x433: u32 = 0; + let mut x434: fiat_bign256_u1 = 0; + let (x433, x434) = fiat_bign256_addcarryx_u32(x432, x385, x416); + let mut x435: u32 = 0; + let mut x436: fiat_bign256_u1 = 0; + let (x435, x436) = fiat_bign256_addcarryx_u32(x434, x387, x418); + let mut x437: u32 = 0; + let mut x438: fiat_bign256_u1 = 0; + let (x437, x438) = fiat_bign256_addcarryx_u32(x436, x389, x420); + let mut x439: u32 = 0; + let mut x440: fiat_bign256_u1 = 0; + let (x439, x440) = fiat_bign256_addcarryx_u32(x438, x391, x422); + let mut x441: u32 = 0; + let mut x442: fiat_bign256_u1 = 0; + let (x441, x442) = fiat_bign256_addcarryx_u32(x440, x393, x424); + let mut x443: u32 = 0; + let mut x444: u32 = 0; + let (x443, x444) = fiat_bign256_mulx_u32(x425, 0xea53fa95); + let mut x445: u32 = 0; + let mut x446: u32 = 0; + let (x445, x446) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x447: u32 = 0; + let mut x448: u32 = 0; + let (x447, x448) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x449: u32 = 0; + let mut x450: u32 = 0; + let (x449, x450) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x451: u32 = 0; + let mut x452: u32 = 0; + let (x451, x452) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x453: u32 = 0; + let mut x454: u32 = 0; + let (x453, x454) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x455: u32 = 0; + let mut x456: u32 = 0; + let (x455, x456) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x457: u32 = 0; + let mut x458: u32 = 0; + let (x457, x458) = fiat_bign256_mulx_u32(x443, 0xffffffff); + let mut x459: u32 = 0; + let mut x460: u32 = 0; + let (x459, x460) = fiat_bign256_mulx_u32(x443, 0xffffff43); + let mut x461: u32 = 0; + let mut x462: fiat_bign256_u1 = 0; + let (x461, x462) = fiat_bign256_addcarryx_u32(0x0, x460, x457); + let mut x463: u32 = 0; + let mut x464: fiat_bign256_u1 = 0; + let (x463, x464) = fiat_bign256_addcarryx_u32(x462, x458, x455); + let mut x465: u32 = 0; + let mut x466: fiat_bign256_u1 = 0; + let (x465, x466) = fiat_bign256_addcarryx_u32(x464, x456, x453); + let mut x467: u32 = 0; + let mut x468: fiat_bign256_u1 = 0; + let (x467, x468) = fiat_bign256_addcarryx_u32(x466, x454, x451); + let mut x469: u32 = 0; + let mut x470: fiat_bign256_u1 = 0; + let (x469, x470) = fiat_bign256_addcarryx_u32(x468, x452, x449); + let mut x471: u32 = 0; + let mut x472: fiat_bign256_u1 = 0; + let (x471, x472) = fiat_bign256_addcarryx_u32(x470, x450, x447); + let mut x473: u32 = 0; + let mut x474: fiat_bign256_u1 = 0; + let (x473, x474) = fiat_bign256_addcarryx_u32(x472, x448, x445); + let x475: u32 = ((x474 as u32) + x446); + let mut x476: u32 = 0; + let mut x477: fiat_bign256_u1 = 0; + let (x476, x477) = fiat_bign256_addcarryx_u32(0x0, x425, x459); + let mut x478: u32 = 0; + let mut x479: fiat_bign256_u1 = 0; + let (x478, x479) = fiat_bign256_addcarryx_u32(x477, x427, x461); + let mut x480: u32 = 0; + let mut x481: fiat_bign256_u1 = 0; + let (x480, x481) = fiat_bign256_addcarryx_u32(x479, x429, x463); + let mut x482: u32 = 0; + let mut x483: fiat_bign256_u1 = 0; + let (x482, x483) = fiat_bign256_addcarryx_u32(x481, x431, x465); + let mut x484: u32 = 0; + let mut x485: fiat_bign256_u1 = 0; + let (x484, x485) = fiat_bign256_addcarryx_u32(x483, x433, x467); + let mut x486: u32 = 0; + let mut x487: fiat_bign256_u1 = 0; + let (x486, x487) = fiat_bign256_addcarryx_u32(x485, x435, x469); + let mut x488: u32 = 0; + let mut x489: fiat_bign256_u1 = 0; + let (x488, x489) = fiat_bign256_addcarryx_u32(x487, x437, x471); + let mut x490: u32 = 0; + let mut x491: fiat_bign256_u1 = 0; + let (x490, x491) = fiat_bign256_addcarryx_u32(x489, x439, x473); + let mut x492: u32 = 0; + let mut x493: fiat_bign256_u1 = 0; + let (x492, x493) = fiat_bign256_addcarryx_u32(x491, x441, x475); + let x494: u32 = ((x493 as u32) + (x442 as u32)); + let mut x495: u32 = 0; + let mut x496: u32 = 0; + let (x495, x496) = fiat_bign256_mulx_u32(x5, (arg1[7])); + let mut x497: u32 = 0; + let mut x498: u32 = 0; + let (x497, x498) = fiat_bign256_mulx_u32(x5, (arg1[6])); + let mut x499: u32 = 0; + let mut x500: u32 = 0; + let (x499, x500) = fiat_bign256_mulx_u32(x5, (arg1[5])); + let mut x501: u32 = 0; + let mut x502: u32 = 0; + let (x501, x502) = fiat_bign256_mulx_u32(x5, (arg1[4])); + let mut x503: u32 = 0; + let mut x504: u32 = 0; + let (x503, x504) = fiat_bign256_mulx_u32(x5, (arg1[3])); + let mut x505: u32 = 0; + let mut x506: u32 = 0; + let (x505, x506) = fiat_bign256_mulx_u32(x5, (arg1[2])); + let mut x507: u32 = 0; + let mut x508: u32 = 0; + let (x507, x508) = fiat_bign256_mulx_u32(x5, (arg1[1])); + let mut x509: u32 = 0; + let mut x510: u32 = 0; + let (x509, x510) = fiat_bign256_mulx_u32(x5, (arg1[0])); + let mut x511: u32 = 0; + let mut x512: fiat_bign256_u1 = 0; + let (x511, x512) = fiat_bign256_addcarryx_u32(0x0, x510, x507); + let mut x513: u32 = 0; + let mut x514: fiat_bign256_u1 = 0; + let (x513, x514) = fiat_bign256_addcarryx_u32(x512, x508, x505); + let mut x515: u32 = 0; + let mut x516: fiat_bign256_u1 = 0; + let (x515, x516) = fiat_bign256_addcarryx_u32(x514, x506, x503); + let mut x517: u32 = 0; + let mut x518: fiat_bign256_u1 = 0; + let (x517, x518) = fiat_bign256_addcarryx_u32(x516, x504, x501); + let mut x519: u32 = 0; + let mut x520: fiat_bign256_u1 = 0; + let (x519, x520) = fiat_bign256_addcarryx_u32(x518, x502, x499); + let mut x521: u32 = 0; + let mut x522: fiat_bign256_u1 = 0; + let (x521, x522) = fiat_bign256_addcarryx_u32(x520, x500, x497); + let mut x523: u32 = 0; + let mut x524: fiat_bign256_u1 = 0; + let (x523, x524) = fiat_bign256_addcarryx_u32(x522, x498, x495); + let x525: u32 = ((x524 as u32) + x496); + let mut x526: u32 = 0; + let mut x527: fiat_bign256_u1 = 0; + let (x526, x527) = fiat_bign256_addcarryx_u32(0x0, x478, x509); + let mut x528: u32 = 0; + let mut x529: fiat_bign256_u1 = 0; + let (x528, x529) = fiat_bign256_addcarryx_u32(x527, x480, x511); + let mut x530: u32 = 0; + let mut x531: fiat_bign256_u1 = 0; + let (x530, x531) = fiat_bign256_addcarryx_u32(x529, x482, x513); + let mut x532: u32 = 0; + let mut x533: fiat_bign256_u1 = 0; + let (x532, x533) = fiat_bign256_addcarryx_u32(x531, x484, x515); + let mut x534: u32 = 0; + let mut x535: fiat_bign256_u1 = 0; + let (x534, x535) = fiat_bign256_addcarryx_u32(x533, x486, x517); + let mut x536: u32 = 0; + let mut x537: fiat_bign256_u1 = 0; + let (x536, x537) = fiat_bign256_addcarryx_u32(x535, x488, x519); + let mut x538: u32 = 0; + let mut x539: fiat_bign256_u1 = 0; + let (x538, x539) = fiat_bign256_addcarryx_u32(x537, x490, x521); + let mut x540: u32 = 0; + let mut x541: fiat_bign256_u1 = 0; + let (x540, x541) = fiat_bign256_addcarryx_u32(x539, x492, x523); + let mut x542: u32 = 0; + let mut x543: fiat_bign256_u1 = 0; + let (x542, x543) = fiat_bign256_addcarryx_u32(x541, x494, x525); + let mut x544: u32 = 0; + let mut x545: u32 = 0; + let (x544, x545) = fiat_bign256_mulx_u32(x526, 0xea53fa95); + let mut x546: u32 = 0; + let mut x547: u32 = 0; + let (x546, x547) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x548: u32 = 0; + let mut x549: u32 = 0; + let (x548, x549) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x550: u32 = 0; + let mut x551: u32 = 0; + let (x550, x551) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x552: u32 = 0; + let mut x553: u32 = 0; + let (x552, x553) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x554: u32 = 0; + let mut x555: u32 = 0; + let (x554, x555) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x556: u32 = 0; + let mut x557: u32 = 0; + let (x556, x557) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x558: u32 = 0; + let mut x559: u32 = 0; + let (x558, x559) = fiat_bign256_mulx_u32(x544, 0xffffffff); + let mut x560: u32 = 0; + let mut x561: u32 = 0; + let (x560, x561) = fiat_bign256_mulx_u32(x544, 0xffffff43); + let mut x562: u32 = 0; + let mut x563: fiat_bign256_u1 = 0; + let (x562, x563) = fiat_bign256_addcarryx_u32(0x0, x561, x558); + let mut x564: u32 = 0; + let mut x565: fiat_bign256_u1 = 0; + let (x564, x565) = fiat_bign256_addcarryx_u32(x563, x559, x556); + let mut x566: u32 = 0; + let mut x567: fiat_bign256_u1 = 0; + let (x566, x567) = fiat_bign256_addcarryx_u32(x565, x557, x554); + let mut x568: u32 = 0; + let mut x569: fiat_bign256_u1 = 0; + let (x568, x569) = fiat_bign256_addcarryx_u32(x567, x555, x552); + let mut x570: u32 = 0; + let mut x571: fiat_bign256_u1 = 0; + let (x570, x571) = fiat_bign256_addcarryx_u32(x569, x553, x550); + let mut x572: u32 = 0; + let mut x573: fiat_bign256_u1 = 0; + let (x572, x573) = fiat_bign256_addcarryx_u32(x571, x551, x548); + let mut x574: u32 = 0; + let mut x575: fiat_bign256_u1 = 0; + let (x574, x575) = fiat_bign256_addcarryx_u32(x573, x549, x546); + let x576: u32 = ((x575 as u32) + x547); + let mut x577: u32 = 0; + let mut x578: fiat_bign256_u1 = 0; + let (x577, x578) = fiat_bign256_addcarryx_u32(0x0, x526, x560); + let mut x579: u32 = 0; + let mut x580: fiat_bign256_u1 = 0; + let (x579, x580) = fiat_bign256_addcarryx_u32(x578, x528, x562); + let mut x581: u32 = 0; + let mut x582: fiat_bign256_u1 = 0; + let (x581, x582) = fiat_bign256_addcarryx_u32(x580, x530, x564); + let mut x583: u32 = 0; + let mut x584: fiat_bign256_u1 = 0; + let (x583, x584) = fiat_bign256_addcarryx_u32(x582, x532, x566); + let mut x585: u32 = 0; + let mut x586: fiat_bign256_u1 = 0; + let (x585, x586) = fiat_bign256_addcarryx_u32(x584, x534, x568); + let mut x587: u32 = 0; + let mut x588: fiat_bign256_u1 = 0; + let (x587, x588) = fiat_bign256_addcarryx_u32(x586, x536, x570); + let mut x589: u32 = 0; + let mut x590: fiat_bign256_u1 = 0; + let (x589, x590) = fiat_bign256_addcarryx_u32(x588, x538, x572); + let mut x591: u32 = 0; + let mut x592: fiat_bign256_u1 = 0; + let (x591, x592) = fiat_bign256_addcarryx_u32(x590, x540, x574); + let mut x593: u32 = 0; + let mut x594: fiat_bign256_u1 = 0; + let (x593, x594) = fiat_bign256_addcarryx_u32(x592, x542, x576); + let x595: u32 = ((x594 as u32) + (x543 as u32)); + let mut x596: u32 = 0; + let mut x597: u32 = 0; + let (x596, x597) = fiat_bign256_mulx_u32(x6, (arg1[7])); + let mut x598: u32 = 0; + let mut x599: u32 = 0; + let (x598, x599) = fiat_bign256_mulx_u32(x6, (arg1[6])); + let mut x600: u32 = 0; + let mut x601: u32 = 0; + let (x600, x601) = fiat_bign256_mulx_u32(x6, (arg1[5])); + let mut x602: u32 = 0; + let mut x603: u32 = 0; + let (x602, x603) = fiat_bign256_mulx_u32(x6, (arg1[4])); + let mut x604: u32 = 0; + let mut x605: u32 = 0; + let (x604, x605) = fiat_bign256_mulx_u32(x6, (arg1[3])); + let mut x606: u32 = 0; + let mut x607: u32 = 0; + let (x606, x607) = fiat_bign256_mulx_u32(x6, (arg1[2])); + let mut x608: u32 = 0; + let mut x609: u32 = 0; + let (x608, x609) = fiat_bign256_mulx_u32(x6, (arg1[1])); + let mut x610: u32 = 0; + let mut x611: u32 = 0; + let (x610, x611) = fiat_bign256_mulx_u32(x6, (arg1[0])); + let mut x612: u32 = 0; + let mut x613: fiat_bign256_u1 = 0; + let (x612, x613) = fiat_bign256_addcarryx_u32(0x0, x611, x608); + let mut x614: u32 = 0; + let mut x615: fiat_bign256_u1 = 0; + let (x614, x615) = fiat_bign256_addcarryx_u32(x613, x609, x606); + let mut x616: u32 = 0; + let mut x617: fiat_bign256_u1 = 0; + let (x616, x617) = fiat_bign256_addcarryx_u32(x615, x607, x604); + let mut x618: u32 = 0; + let mut x619: fiat_bign256_u1 = 0; + let (x618, x619) = fiat_bign256_addcarryx_u32(x617, x605, x602); + let mut x620: u32 = 0; + let mut x621: fiat_bign256_u1 = 0; + let (x620, x621) = fiat_bign256_addcarryx_u32(x619, x603, x600); + let mut x622: u32 = 0; + let mut x623: fiat_bign256_u1 = 0; + let (x622, x623) = fiat_bign256_addcarryx_u32(x621, x601, x598); + let mut x624: u32 = 0; + let mut x625: fiat_bign256_u1 = 0; + let (x624, x625) = fiat_bign256_addcarryx_u32(x623, x599, x596); + let x626: u32 = ((x625 as u32) + x597); + let mut x627: u32 = 0; + let mut x628: fiat_bign256_u1 = 0; + let (x627, x628) = fiat_bign256_addcarryx_u32(0x0, x579, x610); + let mut x629: u32 = 0; + let mut x630: fiat_bign256_u1 = 0; + let (x629, x630) = fiat_bign256_addcarryx_u32(x628, x581, x612); + let mut x631: u32 = 0; + let mut x632: fiat_bign256_u1 = 0; + let (x631, x632) = fiat_bign256_addcarryx_u32(x630, x583, x614); + let mut x633: u32 = 0; + let mut x634: fiat_bign256_u1 = 0; + let (x633, x634) = fiat_bign256_addcarryx_u32(x632, x585, x616); + let mut x635: u32 = 0; + let mut x636: fiat_bign256_u1 = 0; + let (x635, x636) = fiat_bign256_addcarryx_u32(x634, x587, x618); + let mut x637: u32 = 0; + let mut x638: fiat_bign256_u1 = 0; + let (x637, x638) = fiat_bign256_addcarryx_u32(x636, x589, x620); + let mut x639: u32 = 0; + let mut x640: fiat_bign256_u1 = 0; + let (x639, x640) = fiat_bign256_addcarryx_u32(x638, x591, x622); + let mut x641: u32 = 0; + let mut x642: fiat_bign256_u1 = 0; + let (x641, x642) = fiat_bign256_addcarryx_u32(x640, x593, x624); + let mut x643: u32 = 0; + let mut x644: fiat_bign256_u1 = 0; + let (x643, x644) = fiat_bign256_addcarryx_u32(x642, x595, x626); + let mut x645: u32 = 0; + let mut x646: u32 = 0; + let (x645, x646) = fiat_bign256_mulx_u32(x627, 0xea53fa95); + let mut x647: u32 = 0; + let mut x648: u32 = 0; + let (x647, x648) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x649: u32 = 0; + let mut x650: u32 = 0; + let (x649, x650) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x651: u32 = 0; + let mut x652: u32 = 0; + let (x651, x652) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x653: u32 = 0; + let mut x654: u32 = 0; + let (x653, x654) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x655: u32 = 0; + let mut x656: u32 = 0; + let (x655, x656) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x657: u32 = 0; + let mut x658: u32 = 0; + let (x657, x658) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x659: u32 = 0; + let mut x660: u32 = 0; + let (x659, x660) = fiat_bign256_mulx_u32(x645, 0xffffffff); + let mut x661: u32 = 0; + let mut x662: u32 = 0; + let (x661, x662) = fiat_bign256_mulx_u32(x645, 0xffffff43); + let mut x663: u32 = 0; + let mut x664: fiat_bign256_u1 = 0; + let (x663, x664) = fiat_bign256_addcarryx_u32(0x0, x662, x659); + let mut x665: u32 = 0; + let mut x666: fiat_bign256_u1 = 0; + let (x665, x666) = fiat_bign256_addcarryx_u32(x664, x660, x657); + let mut x667: u32 = 0; + let mut x668: fiat_bign256_u1 = 0; + let (x667, x668) = fiat_bign256_addcarryx_u32(x666, x658, x655); + let mut x669: u32 = 0; + let mut x670: fiat_bign256_u1 = 0; + let (x669, x670) = fiat_bign256_addcarryx_u32(x668, x656, x653); + let mut x671: u32 = 0; + let mut x672: fiat_bign256_u1 = 0; + let (x671, x672) = fiat_bign256_addcarryx_u32(x670, x654, x651); + let mut x673: u32 = 0; + let mut x674: fiat_bign256_u1 = 0; + let (x673, x674) = fiat_bign256_addcarryx_u32(x672, x652, x649); + let mut x675: u32 = 0; + let mut x676: fiat_bign256_u1 = 0; + let (x675, x676) = fiat_bign256_addcarryx_u32(x674, x650, x647); + let x677: u32 = ((x676 as u32) + x648); + let mut x678: u32 = 0; + let mut x679: fiat_bign256_u1 = 0; + let (x678, x679) = fiat_bign256_addcarryx_u32(0x0, x627, x661); + let mut x680: u32 = 0; + let mut x681: fiat_bign256_u1 = 0; + let (x680, x681) = fiat_bign256_addcarryx_u32(x679, x629, x663); + let mut x682: u32 = 0; + let mut x683: fiat_bign256_u1 = 0; + let (x682, x683) = fiat_bign256_addcarryx_u32(x681, x631, x665); + let mut x684: u32 = 0; + let mut x685: fiat_bign256_u1 = 0; + let (x684, x685) = fiat_bign256_addcarryx_u32(x683, x633, x667); + let mut x686: u32 = 0; + let mut x687: fiat_bign256_u1 = 0; + let (x686, x687) = fiat_bign256_addcarryx_u32(x685, x635, x669); + let mut x688: u32 = 0; + let mut x689: fiat_bign256_u1 = 0; + let (x688, x689) = fiat_bign256_addcarryx_u32(x687, x637, x671); + let mut x690: u32 = 0; + let mut x691: fiat_bign256_u1 = 0; + let (x690, x691) = fiat_bign256_addcarryx_u32(x689, x639, x673); + let mut x692: u32 = 0; + let mut x693: fiat_bign256_u1 = 0; + let (x692, x693) = fiat_bign256_addcarryx_u32(x691, x641, x675); + let mut x694: u32 = 0; + let mut x695: fiat_bign256_u1 = 0; + let (x694, x695) = fiat_bign256_addcarryx_u32(x693, x643, x677); + let x696: u32 = ((x695 as u32) + (x644 as u32)); + let mut x697: u32 = 0; + let mut x698: u32 = 0; + let (x697, x698) = fiat_bign256_mulx_u32(x7, (arg1[7])); + let mut x699: u32 = 0; + let mut x700: u32 = 0; + let (x699, x700) = fiat_bign256_mulx_u32(x7, (arg1[6])); + let mut x701: u32 = 0; + let mut x702: u32 = 0; + let (x701, x702) = fiat_bign256_mulx_u32(x7, (arg1[5])); + let mut x703: u32 = 0; + let mut x704: u32 = 0; + let (x703, x704) = fiat_bign256_mulx_u32(x7, (arg1[4])); + let mut x705: u32 = 0; + let mut x706: u32 = 0; + let (x705, x706) = fiat_bign256_mulx_u32(x7, (arg1[3])); + let mut x707: u32 = 0; + let mut x708: u32 = 0; + let (x707, x708) = fiat_bign256_mulx_u32(x7, (arg1[2])); + let mut x709: u32 = 0; + let mut x710: u32 = 0; + let (x709, x710) = fiat_bign256_mulx_u32(x7, (arg1[1])); + let mut x711: u32 = 0; + let mut x712: u32 = 0; + let (x711, x712) = fiat_bign256_mulx_u32(x7, (arg1[0])); + let mut x713: u32 = 0; + let mut x714: fiat_bign256_u1 = 0; + let (x713, x714) = fiat_bign256_addcarryx_u32(0x0, x712, x709); + let mut x715: u32 = 0; + let mut x716: fiat_bign256_u1 = 0; + let (x715, x716) = fiat_bign256_addcarryx_u32(x714, x710, x707); + let mut x717: u32 = 0; + let mut x718: fiat_bign256_u1 = 0; + let (x717, x718) = fiat_bign256_addcarryx_u32(x716, x708, x705); + let mut x719: u32 = 0; + let mut x720: fiat_bign256_u1 = 0; + let (x719, x720) = fiat_bign256_addcarryx_u32(x718, x706, x703); + let mut x721: u32 = 0; + let mut x722: fiat_bign256_u1 = 0; + let (x721, x722) = fiat_bign256_addcarryx_u32(x720, x704, x701); + let mut x723: u32 = 0; + let mut x724: fiat_bign256_u1 = 0; + let (x723, x724) = fiat_bign256_addcarryx_u32(x722, x702, x699); + let mut x725: u32 = 0; + let mut x726: fiat_bign256_u1 = 0; + let (x725, x726) = fiat_bign256_addcarryx_u32(x724, x700, x697); + let x727: u32 = ((x726 as u32) + x698); + let mut x728: u32 = 0; + let mut x729: fiat_bign256_u1 = 0; + let (x728, x729) = fiat_bign256_addcarryx_u32(0x0, x680, x711); + let mut x730: u32 = 0; + let mut x731: fiat_bign256_u1 = 0; + let (x730, x731) = fiat_bign256_addcarryx_u32(x729, x682, x713); + let mut x732: u32 = 0; + let mut x733: fiat_bign256_u1 = 0; + let (x732, x733) = fiat_bign256_addcarryx_u32(x731, x684, x715); + let mut x734: u32 = 0; + let mut x735: fiat_bign256_u1 = 0; + let (x734, x735) = fiat_bign256_addcarryx_u32(x733, x686, x717); + let mut x736: u32 = 0; + let mut x737: fiat_bign256_u1 = 0; + let (x736, x737) = fiat_bign256_addcarryx_u32(x735, x688, x719); + let mut x738: u32 = 0; + let mut x739: fiat_bign256_u1 = 0; + let (x738, x739) = fiat_bign256_addcarryx_u32(x737, x690, x721); + let mut x740: u32 = 0; + let mut x741: fiat_bign256_u1 = 0; + let (x740, x741) = fiat_bign256_addcarryx_u32(x739, x692, x723); + let mut x742: u32 = 0; + let mut x743: fiat_bign256_u1 = 0; + let (x742, x743) = fiat_bign256_addcarryx_u32(x741, x694, x725); + let mut x744: u32 = 0; + let mut x745: fiat_bign256_u1 = 0; + let (x744, x745) = fiat_bign256_addcarryx_u32(x743, x696, x727); + let mut x746: u32 = 0; + let mut x747: u32 = 0; + let (x746, x747) = fiat_bign256_mulx_u32(x728, 0xea53fa95); + let mut x748: u32 = 0; + let mut x749: u32 = 0; + let (x748, x749) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x750: u32 = 0; + let mut x751: u32 = 0; + let (x750, x751) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x752: u32 = 0; + let mut x753: u32 = 0; + let (x752, x753) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x754: u32 = 0; + let mut x755: u32 = 0; + let (x754, x755) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x756: u32 = 0; + let mut x757: u32 = 0; + let (x756, x757) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x758: u32 = 0; + let mut x759: u32 = 0; + let (x758, x759) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x760: u32 = 0; + let mut x761: u32 = 0; + let (x760, x761) = fiat_bign256_mulx_u32(x746, 0xffffffff); + let mut x762: u32 = 0; + let mut x763: u32 = 0; + let (x762, x763) = fiat_bign256_mulx_u32(x746, 0xffffff43); + let mut x764: u32 = 0; + let mut x765: fiat_bign256_u1 = 0; + let (x764, x765) = fiat_bign256_addcarryx_u32(0x0, x763, x760); + let mut x766: u32 = 0; + let mut x767: fiat_bign256_u1 = 0; + let (x766, x767) = fiat_bign256_addcarryx_u32(x765, x761, x758); + let mut x768: u32 = 0; + let mut x769: fiat_bign256_u1 = 0; + let (x768, x769) = fiat_bign256_addcarryx_u32(x767, x759, x756); + let mut x770: u32 = 0; + let mut x771: fiat_bign256_u1 = 0; + let (x770, x771) = fiat_bign256_addcarryx_u32(x769, x757, x754); + let mut x772: u32 = 0; + let mut x773: fiat_bign256_u1 = 0; + let (x772, x773) = fiat_bign256_addcarryx_u32(x771, x755, x752); + let mut x774: u32 = 0; + let mut x775: fiat_bign256_u1 = 0; + let (x774, x775) = fiat_bign256_addcarryx_u32(x773, x753, x750); + let mut x776: u32 = 0; + let mut x777: fiat_bign256_u1 = 0; + let (x776, x777) = fiat_bign256_addcarryx_u32(x775, x751, x748); + let x778: u32 = ((x777 as u32) + x749); + let mut x779: u32 = 0; + let mut x780: fiat_bign256_u1 = 0; + let (x779, x780) = fiat_bign256_addcarryx_u32(0x0, x728, x762); + let mut x781: u32 = 0; + let mut x782: fiat_bign256_u1 = 0; + let (x781, x782) = fiat_bign256_addcarryx_u32(x780, x730, x764); + let mut x783: u32 = 0; + let mut x784: fiat_bign256_u1 = 0; + let (x783, x784) = fiat_bign256_addcarryx_u32(x782, x732, x766); + let mut x785: u32 = 0; + let mut x786: fiat_bign256_u1 = 0; + let (x785, x786) = fiat_bign256_addcarryx_u32(x784, x734, x768); + let mut x787: u32 = 0; + let mut x788: fiat_bign256_u1 = 0; + let (x787, x788) = fiat_bign256_addcarryx_u32(x786, x736, x770); + let mut x789: u32 = 0; + let mut x790: fiat_bign256_u1 = 0; + let (x789, x790) = fiat_bign256_addcarryx_u32(x788, x738, x772); + let mut x791: u32 = 0; + let mut x792: fiat_bign256_u1 = 0; + let (x791, x792) = fiat_bign256_addcarryx_u32(x790, x740, x774); + let mut x793: u32 = 0; + let mut x794: fiat_bign256_u1 = 0; + let (x793, x794) = fiat_bign256_addcarryx_u32(x792, x742, x776); + let mut x795: u32 = 0; + let mut x796: fiat_bign256_u1 = 0; + let (x795, x796) = fiat_bign256_addcarryx_u32(x794, x744, x778); + let x797: u32 = ((x796 as u32) + (x745 as u32)); + let mut x798: u32 = 0; + let mut x799: fiat_bign256_u1 = 0; + let (x798, x799) = fiat_bign256_subborrowx_u32(0x0, x781, 0xffffff43); + let mut x800: u32 = 0; + let mut x801: fiat_bign256_u1 = 0; + let (x800, x801) = fiat_bign256_subborrowx_u32(x799, x783, 0xffffffff); + let mut x802: u32 = 0; + let mut x803: fiat_bign256_u1 = 0; + let (x802, x803) = fiat_bign256_subborrowx_u32(x801, x785, 0xffffffff); + let mut x804: u32 = 0; + let mut x805: fiat_bign256_u1 = 0; + let (x804, x805) = fiat_bign256_subborrowx_u32(x803, x787, 0xffffffff); + let mut x806: u32 = 0; + let mut x807: fiat_bign256_u1 = 0; + let (x806, x807) = fiat_bign256_subborrowx_u32(x805, x789, 0xffffffff); + let mut x808: u32 = 0; + let mut x809: fiat_bign256_u1 = 0; + let (x808, x809) = fiat_bign256_subborrowx_u32(x807, x791, 0xffffffff); + let mut x810: u32 = 0; + let mut x811: fiat_bign256_u1 = 0; + let (x810, x811) = fiat_bign256_subborrowx_u32(x809, x793, 0xffffffff); + let mut x812: u32 = 0; + let mut x813: fiat_bign256_u1 = 0; + let (x812, x813) = fiat_bign256_subborrowx_u32(x811, x795, 0xffffffff); + let mut x814: u32 = 0; + let mut x815: fiat_bign256_u1 = 0; + let (x814, x815) = fiat_bign256_subborrowx_u32(x813, x797, (0x0 as u32)); + let mut x816: u32 = 0; + let (x816) = fiat_bign256_cmovznz_u32(x815, x798, x781); + let mut x817: u32 = 0; + let (x817) = fiat_bign256_cmovznz_u32(x815, x800, x783); + let mut x818: u32 = 0; + let (x818) = fiat_bign256_cmovznz_u32(x815, x802, x785); + let mut x819: u32 = 0; + let (x819) = fiat_bign256_cmovznz_u32(x815, x804, x787); + let mut x820: u32 = 0; + let (x820) = fiat_bign256_cmovznz_u32(x815, x806, x789); + let mut x821: u32 = 0; + let (x821) = fiat_bign256_cmovznz_u32(x815, x808, x791); + let mut x822: u32 = 0; + let (x822) = fiat_bign256_cmovznz_u32(x815, x810, x793); + let mut x823: u32 = 0; + let (x823) = fiat_bign256_cmovznz_u32(x815, x812, x795); + out1[0] = x816; + out1[1] = x817; + out1[2] = x818; + out1[3] = x819; + out1[4] = x820; + out1[5] = x821; + out1[6] = x822; + out1[7] = x823; + out1 +} +#[doc = " The function fiat_bign256_add adds two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_add( + arg1: &fiat_bign256_montgomery_domain_field_element, + arg2: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 8]; + let mut x1: u32 = 0; + let mut x2: fiat_bign256_u1 = 0; + let (x1, x2) = fiat_bign256_addcarryx_u32(0x0, (arg1[0]), (arg2[0])); + let mut x3: u32 = 0; + let mut x4: fiat_bign256_u1 = 0; + let (x3, x4) = fiat_bign256_addcarryx_u32(x2, (arg1[1]), (arg2[1])); + let mut x5: u32 = 0; + let mut x6: fiat_bign256_u1 = 0; + let (x5, x6) = fiat_bign256_addcarryx_u32(x4, (arg1[2]), (arg2[2])); + let mut x7: u32 = 0; + let mut x8: fiat_bign256_u1 = 0; + let (x7, x8) = fiat_bign256_addcarryx_u32(x6, (arg1[3]), (arg2[3])); + let mut x9: u32 = 0; + let mut x10: fiat_bign256_u1 = 0; + let (x9, x10) = fiat_bign256_addcarryx_u32(x8, (arg1[4]), (arg2[4])); + let mut x11: u32 = 0; + let mut x12: fiat_bign256_u1 = 0; + let (x11, x12) = fiat_bign256_addcarryx_u32(x10, (arg1[5]), (arg2[5])); + let mut x13: u32 = 0; + let mut x14: fiat_bign256_u1 = 0; + let (x13, x14) = fiat_bign256_addcarryx_u32(x12, (arg1[6]), (arg2[6])); + let mut x15: u32 = 0; + let mut x16: fiat_bign256_u1 = 0; + let (x15, x16) = fiat_bign256_addcarryx_u32(x14, (arg1[7]), (arg2[7])); + let mut x17: u32 = 0; + let mut x18: fiat_bign256_u1 = 0; + let (x17, x18) = fiat_bign256_subborrowx_u32(0x0, x1, 0xffffff43); + let mut x19: u32 = 0; + let mut x20: fiat_bign256_u1 = 0; + let (x19, x20) = fiat_bign256_subborrowx_u32(x18, x3, 0xffffffff); + let mut x21: u32 = 0; + let mut x22: fiat_bign256_u1 = 0; + let (x21, x22) = fiat_bign256_subborrowx_u32(x20, x5, 0xffffffff); + let mut x23: u32 = 0; + let mut x24: fiat_bign256_u1 = 0; + let (x23, x24) = fiat_bign256_subborrowx_u32(x22, x7, 0xffffffff); + let mut x25: u32 = 0; + let mut x26: fiat_bign256_u1 = 0; + let (x25, x26) = fiat_bign256_subborrowx_u32(x24, x9, 0xffffffff); + let mut x27: u32 = 0; + let mut x28: fiat_bign256_u1 = 0; + let (x27, x28) = fiat_bign256_subborrowx_u32(x26, x11, 0xffffffff); + let mut x29: u32 = 0; + let mut x30: fiat_bign256_u1 = 0; + let (x29, x30) = fiat_bign256_subborrowx_u32(x28, x13, 0xffffffff); + let mut x31: u32 = 0; + let mut x32: fiat_bign256_u1 = 0; + let (x31, x32) = fiat_bign256_subborrowx_u32(x30, x15, 0xffffffff); + let mut x33: u32 = 0; + let mut x34: fiat_bign256_u1 = 0; + let (x33, x34) = fiat_bign256_subborrowx_u32(x32, (x16 as u32), (0x0 as u32)); + let mut x35: u32 = 0; + let (x35) = fiat_bign256_cmovznz_u32(x34, x17, x1); + let mut x36: u32 = 0; + let (x36) = fiat_bign256_cmovznz_u32(x34, x19, x3); + let mut x37: u32 = 0; + let (x37) = fiat_bign256_cmovznz_u32(x34, x21, x5); + let mut x38: u32 = 0; + let (x38) = fiat_bign256_cmovznz_u32(x34, x23, x7); + let mut x39: u32 = 0; + let (x39) = fiat_bign256_cmovznz_u32(x34, x25, x9); + let mut x40: u32 = 0; + let (x40) = fiat_bign256_cmovznz_u32(x34, x27, x11); + let mut x41: u32 = 0; + let (x41) = fiat_bign256_cmovznz_u32(x34, x29, x13); + let mut x42: u32 = 0; + let (x42) = fiat_bign256_cmovznz_u32(x34, x31, x15); + out1[0] = x35; + out1[1] = x36; + out1[2] = x37; + out1[3] = x38; + out1[4] = x39; + out1[5] = x40; + out1[6] = x41; + out1[7] = x42; + out1 +} +#[doc = " The function fiat_bign256_sub subtracts two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_sub( + arg1: &fiat_bign256_montgomery_domain_field_element, + arg2: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 8]; + let mut x1: u32 = 0; + let mut x2: fiat_bign256_u1 = 0; + let (x1, x2) = fiat_bign256_subborrowx_u32(0x0, (arg1[0]), (arg2[0])); + let mut x3: u32 = 0; + let mut x4: fiat_bign256_u1 = 0; + let (x3, x4) = fiat_bign256_subborrowx_u32(x2, (arg1[1]), (arg2[1])); + let mut x5: u32 = 0; + let mut x6: fiat_bign256_u1 = 0; + let (x5, x6) = fiat_bign256_subborrowx_u32(x4, (arg1[2]), (arg2[2])); + let mut x7: u32 = 0; + let mut x8: fiat_bign256_u1 = 0; + let (x7, x8) = fiat_bign256_subborrowx_u32(x6, (arg1[3]), (arg2[3])); + let mut x9: u32 = 0; + let mut x10: fiat_bign256_u1 = 0; + let (x9, x10) = fiat_bign256_subborrowx_u32(x8, (arg1[4]), (arg2[4])); + let mut x11: u32 = 0; + let mut x12: fiat_bign256_u1 = 0; + let (x11, x12) = fiat_bign256_subborrowx_u32(x10, (arg1[5]), (arg2[5])); + let mut x13: u32 = 0; + let mut x14: fiat_bign256_u1 = 0; + let (x13, x14) = fiat_bign256_subborrowx_u32(x12, (arg1[6]), (arg2[6])); + let mut x15: u32 = 0; + let mut x16: fiat_bign256_u1 = 0; + let (x15, x16) = fiat_bign256_subborrowx_u32(x14, (arg1[7]), (arg2[7])); + let mut x17: u32 = 0; + let (x17) = fiat_bign256_cmovznz_u32(x16, (0x0 as u32), 0xffffffff); + let mut x18: u32 = 0; + let mut x19: fiat_bign256_u1 = 0; + let (x18, x19) = fiat_bign256_addcarryx_u32(0x0, x1, (x17 & 0xffffff43)); + let mut x20: u32 = 0; + let mut x21: fiat_bign256_u1 = 0; + let (x20, x21) = fiat_bign256_addcarryx_u32(x19, x3, x17); + let mut x22: u32 = 0; + let mut x23: fiat_bign256_u1 = 0; + let (x22, x23) = fiat_bign256_addcarryx_u32(x21, x5, x17); + let mut x24: u32 = 0; + let mut x25: fiat_bign256_u1 = 0; + let (x24, x25) = fiat_bign256_addcarryx_u32(x23, x7, x17); + let mut x26: u32 = 0; + let mut x27: fiat_bign256_u1 = 0; + let (x26, x27) = fiat_bign256_addcarryx_u32(x25, x9, x17); + let mut x28: u32 = 0; + let mut x29: fiat_bign256_u1 = 0; + let (x28, x29) = fiat_bign256_addcarryx_u32(x27, x11, x17); + let mut x30: u32 = 0; + let mut x31: fiat_bign256_u1 = 0; + let (x30, x31) = fiat_bign256_addcarryx_u32(x29, x13, x17); + let mut x32: u32 = 0; + let mut x33: fiat_bign256_u1 = 0; + let (x32, x33) = fiat_bign256_addcarryx_u32(x31, x15, x17); + out1[0] = x18; + out1[1] = x20; + out1[2] = x22; + out1[3] = x24; + out1[4] = x26; + out1[5] = x28; + out1[6] = x30; + out1[7] = x32; + out1 +} +#[doc = " The function fiat_bign256_opp negates a field element in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_opp( + arg1: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 8]; + let mut x1: u32 = 0; + let mut x2: fiat_bign256_u1 = 0; + let (x1, x2) = fiat_bign256_subborrowx_u32(0x0, (0x0 as u32), (arg1[0])); + let mut x3: u32 = 0; + let mut x4: fiat_bign256_u1 = 0; + let (x3, x4) = fiat_bign256_subborrowx_u32(x2, (0x0 as u32), (arg1[1])); + let mut x5: u32 = 0; + let mut x6: fiat_bign256_u1 = 0; + let (x5, x6) = fiat_bign256_subborrowx_u32(x4, (0x0 as u32), (arg1[2])); + let mut x7: u32 = 0; + let mut x8: fiat_bign256_u1 = 0; + let (x7, x8) = fiat_bign256_subborrowx_u32(x6, (0x0 as u32), (arg1[3])); + let mut x9: u32 = 0; + let mut x10: fiat_bign256_u1 = 0; + let (x9, x10) = fiat_bign256_subborrowx_u32(x8, (0x0 as u32), (arg1[4])); + let mut x11: u32 = 0; + let mut x12: fiat_bign256_u1 = 0; + let (x11, x12) = fiat_bign256_subborrowx_u32(x10, (0x0 as u32), (arg1[5])); + let mut x13: u32 = 0; + let mut x14: fiat_bign256_u1 = 0; + let (x13, x14) = fiat_bign256_subborrowx_u32(x12, (0x0 as u32), (arg1[6])); + let mut x15: u32 = 0; + let mut x16: fiat_bign256_u1 = 0; + let (x15, x16) = fiat_bign256_subborrowx_u32(x14, (0x0 as u32), (arg1[7])); + let mut x17: u32 = 0; + let (x17) = fiat_bign256_cmovznz_u32(x16, (0x0 as u32), 0xffffffff); + let mut x18: u32 = 0; + let mut x19: fiat_bign256_u1 = 0; + let (x18, x19) = fiat_bign256_addcarryx_u32(0x0, x1, (x17 & 0xffffff43)); + let mut x20: u32 = 0; + let mut x21: fiat_bign256_u1 = 0; + let (x20, x21) = fiat_bign256_addcarryx_u32(x19, x3, x17); + let mut x22: u32 = 0; + let mut x23: fiat_bign256_u1 = 0; + let (x22, x23) = fiat_bign256_addcarryx_u32(x21, x5, x17); + let mut x24: u32 = 0; + let mut x25: fiat_bign256_u1 = 0; + let (x24, x25) = fiat_bign256_addcarryx_u32(x23, x7, x17); + let mut x26: u32 = 0; + let mut x27: fiat_bign256_u1 = 0; + let (x26, x27) = fiat_bign256_addcarryx_u32(x25, x9, x17); + let mut x28: u32 = 0; + let mut x29: fiat_bign256_u1 = 0; + let (x28, x29) = fiat_bign256_addcarryx_u32(x27, x11, x17); + let mut x30: u32 = 0; + let mut x31: fiat_bign256_u1 = 0; + let (x30, x31) = fiat_bign256_addcarryx_u32(x29, x13, x17); + let mut x32: u32 = 0; + let mut x33: fiat_bign256_u1 = 0; + let (x32, x33) = fiat_bign256_addcarryx_u32(x31, x15, x17); + out1[0] = x18; + out1[1] = x20; + out1[2] = x22; + out1[3] = x24; + out1[4] = x26; + out1[5] = x28; + out1[6] = x30; + out1[7] = x32; + out1 +} +#[doc = " The function fiat_bign256_from_montgomery translates a field element out of the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_from_montgomery( + arg1: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_non_montgomery_domain_field_element { + let mut out1: fiat_bign256_non_montgomery_domain_field_element = [0; 8]; + let x1: u32 = (arg1[0]); + let mut x2: u32 = 0; + let mut x3: u32 = 0; + let (x2, x3) = fiat_bign256_mulx_u32(x1, 0xea53fa95); + let mut x4: u32 = 0; + let mut x5: u32 = 0; + let (x4, x5) = fiat_bign256_mulx_u32(x2, 0xffffffff); + let mut x6: u32 = 0; + let mut x7: u32 = 0; + let (x6, x7) = fiat_bign256_mulx_u32(x2, 0xffffffff); + let mut x8: u32 = 0; + let mut x9: u32 = 0; + let (x8, x9) = fiat_bign256_mulx_u32(x2, 0xffffffff); + let mut x10: u32 = 0; + let mut x11: u32 = 0; + let (x10, x11) = fiat_bign256_mulx_u32(x2, 0xffffffff); + let mut x12: u32 = 0; + let mut x13: u32 = 0; + let (x12, x13) = fiat_bign256_mulx_u32(x2, 0xffffffff); + let mut x14: u32 = 0; + let mut x15: u32 = 0; + let (x14, x15) = fiat_bign256_mulx_u32(x2, 0xffffffff); + let mut x16: u32 = 0; + let mut x17: u32 = 0; + let (x16, x17) = fiat_bign256_mulx_u32(x2, 0xffffffff); + let mut x18: u32 = 0; + let mut x19: u32 = 0; + let (x18, x19) = fiat_bign256_mulx_u32(x2, 0xffffff43); + let mut x20: u32 = 0; + let mut x21: fiat_bign256_u1 = 0; + let (x20, x21) = fiat_bign256_addcarryx_u32(0x0, x19, x16); + let mut x22: u32 = 0; + let mut x23: fiat_bign256_u1 = 0; + let (x22, x23) = fiat_bign256_addcarryx_u32(x21, x17, x14); + let mut x24: u32 = 0; + let mut x25: fiat_bign256_u1 = 0; + let (x24, x25) = fiat_bign256_addcarryx_u32(x23, x15, x12); + let mut x26: u32 = 0; + let mut x27: fiat_bign256_u1 = 0; + let (x26, x27) = fiat_bign256_addcarryx_u32(x25, x13, x10); + let mut x28: u32 = 0; + let mut x29: fiat_bign256_u1 = 0; + let (x28, x29) = fiat_bign256_addcarryx_u32(x27, x11, x8); + let mut x30: u32 = 0; + let mut x31: fiat_bign256_u1 = 0; + let (x30, x31) = fiat_bign256_addcarryx_u32(x29, x9, x6); + let mut x32: u32 = 0; + let mut x33: fiat_bign256_u1 = 0; + let (x32, x33) = fiat_bign256_addcarryx_u32(x31, x7, x4); + let mut x34: u32 = 0; + let mut x35: fiat_bign256_u1 = 0; + let (x34, x35) = fiat_bign256_addcarryx_u32(0x0, x1, x18); + let mut x36: u32 = 0; + let mut x37: fiat_bign256_u1 = 0; + let (x36, x37) = fiat_bign256_addcarryx_u32(x35, (0x0 as u32), x20); + let mut x38: u32 = 0; + let mut x39: fiat_bign256_u1 = 0; + let (x38, x39) = fiat_bign256_addcarryx_u32(x37, (0x0 as u32), x22); + let mut x40: u32 = 0; + let mut x41: fiat_bign256_u1 = 0; + let (x40, x41) = fiat_bign256_addcarryx_u32(x39, (0x0 as u32), x24); + let mut x42: u32 = 0; + let mut x43: fiat_bign256_u1 = 0; + let (x42, x43) = fiat_bign256_addcarryx_u32(x41, (0x0 as u32), x26); + let mut x44: u32 = 0; + let mut x45: fiat_bign256_u1 = 0; + let (x44, x45) = fiat_bign256_addcarryx_u32(x43, (0x0 as u32), x28); + let mut x46: u32 = 0; + let mut x47: fiat_bign256_u1 = 0; + let (x46, x47) = fiat_bign256_addcarryx_u32(x45, (0x0 as u32), x30); + let mut x48: u32 = 0; + let mut x49: fiat_bign256_u1 = 0; + let (x48, x49) = fiat_bign256_addcarryx_u32(x47, (0x0 as u32), x32); + let mut x50: u32 = 0; + let mut x51: fiat_bign256_u1 = 0; + let (x50, x51) = fiat_bign256_addcarryx_u32(x49, (0x0 as u32), ((x33 as u32) + x5)); + let mut x52: u32 = 0; + let mut x53: fiat_bign256_u1 = 0; + let (x52, x53) = fiat_bign256_addcarryx_u32(0x0, x36, (arg1[1])); + let mut x54: u32 = 0; + let mut x55: fiat_bign256_u1 = 0; + let (x54, x55) = fiat_bign256_addcarryx_u32(x53, x38, (0x0 as u32)); + let mut x56: u32 = 0; + let mut x57: fiat_bign256_u1 = 0; + let (x56, x57) = fiat_bign256_addcarryx_u32(x55, x40, (0x0 as u32)); + let mut x58: u32 = 0; + let mut x59: fiat_bign256_u1 = 0; + let (x58, x59) = fiat_bign256_addcarryx_u32(x57, x42, (0x0 as u32)); + let mut x60: u32 = 0; + let mut x61: fiat_bign256_u1 = 0; + let (x60, x61) = fiat_bign256_addcarryx_u32(x59, x44, (0x0 as u32)); + let mut x62: u32 = 0; + let mut x63: fiat_bign256_u1 = 0; + let (x62, x63) = fiat_bign256_addcarryx_u32(x61, x46, (0x0 as u32)); + let mut x64: u32 = 0; + let mut x65: fiat_bign256_u1 = 0; + let (x64, x65) = fiat_bign256_addcarryx_u32(x63, x48, (0x0 as u32)); + let mut x66: u32 = 0; + let mut x67: fiat_bign256_u1 = 0; + let (x66, x67) = fiat_bign256_addcarryx_u32(x65, x50, (0x0 as u32)); + let mut x68: u32 = 0; + let mut x69: u32 = 0; + let (x68, x69) = fiat_bign256_mulx_u32(x52, 0xea53fa95); + let mut x70: u32 = 0; + let mut x71: u32 = 0; + let (x70, x71) = fiat_bign256_mulx_u32(x68, 0xffffffff); + let mut x72: u32 = 0; + let mut x73: u32 = 0; + let (x72, x73) = fiat_bign256_mulx_u32(x68, 0xffffffff); + let mut x74: u32 = 0; + let mut x75: u32 = 0; + let (x74, x75) = fiat_bign256_mulx_u32(x68, 0xffffffff); + let mut x76: u32 = 0; + let mut x77: u32 = 0; + let (x76, x77) = fiat_bign256_mulx_u32(x68, 0xffffffff); + let mut x78: u32 = 0; + let mut x79: u32 = 0; + let (x78, x79) = fiat_bign256_mulx_u32(x68, 0xffffffff); + let mut x80: u32 = 0; + let mut x81: u32 = 0; + let (x80, x81) = fiat_bign256_mulx_u32(x68, 0xffffffff); + let mut x82: u32 = 0; + let mut x83: u32 = 0; + let (x82, x83) = fiat_bign256_mulx_u32(x68, 0xffffffff); + let mut x84: u32 = 0; + let mut x85: u32 = 0; + let (x84, x85) = fiat_bign256_mulx_u32(x68, 0xffffff43); + let mut x86: u32 = 0; + let mut x87: fiat_bign256_u1 = 0; + let (x86, x87) = fiat_bign256_addcarryx_u32(0x0, x85, x82); + let mut x88: u32 = 0; + let mut x89: fiat_bign256_u1 = 0; + let (x88, x89) = fiat_bign256_addcarryx_u32(x87, x83, x80); + let mut x90: u32 = 0; + let mut x91: fiat_bign256_u1 = 0; + let (x90, x91) = fiat_bign256_addcarryx_u32(x89, x81, x78); + let mut x92: u32 = 0; + let mut x93: fiat_bign256_u1 = 0; + let (x92, x93) = fiat_bign256_addcarryx_u32(x91, x79, x76); + let mut x94: u32 = 0; + let mut x95: fiat_bign256_u1 = 0; + let (x94, x95) = fiat_bign256_addcarryx_u32(x93, x77, x74); + let mut x96: u32 = 0; + let mut x97: fiat_bign256_u1 = 0; + let (x96, x97) = fiat_bign256_addcarryx_u32(x95, x75, x72); + let mut x98: u32 = 0; + let mut x99: fiat_bign256_u1 = 0; + let (x98, x99) = fiat_bign256_addcarryx_u32(x97, x73, x70); + let mut x100: u32 = 0; + let mut x101: fiat_bign256_u1 = 0; + let (x100, x101) = fiat_bign256_addcarryx_u32(0x0, x52, x84); + let mut x102: u32 = 0; + let mut x103: fiat_bign256_u1 = 0; + let (x102, x103) = fiat_bign256_addcarryx_u32(x101, x54, x86); + let mut x104: u32 = 0; + let mut x105: fiat_bign256_u1 = 0; + let (x104, x105) = fiat_bign256_addcarryx_u32(x103, x56, x88); + let mut x106: u32 = 0; + let mut x107: fiat_bign256_u1 = 0; + let (x106, x107) = fiat_bign256_addcarryx_u32(x105, x58, x90); + let mut x108: u32 = 0; + let mut x109: fiat_bign256_u1 = 0; + let (x108, x109) = fiat_bign256_addcarryx_u32(x107, x60, x92); + let mut x110: u32 = 0; + let mut x111: fiat_bign256_u1 = 0; + let (x110, x111) = fiat_bign256_addcarryx_u32(x109, x62, x94); + let mut x112: u32 = 0; + let mut x113: fiat_bign256_u1 = 0; + let (x112, x113) = fiat_bign256_addcarryx_u32(x111, x64, x96); + let mut x114: u32 = 0; + let mut x115: fiat_bign256_u1 = 0; + let (x114, x115) = fiat_bign256_addcarryx_u32(x113, x66, x98); + let mut x116: u32 = 0; + let mut x117: fiat_bign256_u1 = 0; + let (x116, x117) = + fiat_bign256_addcarryx_u32(x115, ((x67 as u32) + (x51 as u32)), ((x99 as u32) + x71)); + let mut x118: u32 = 0; + let mut x119: fiat_bign256_u1 = 0; + let (x118, x119) = fiat_bign256_addcarryx_u32(0x0, x102, (arg1[2])); + let mut x120: u32 = 0; + let mut x121: fiat_bign256_u1 = 0; + let (x120, x121) = fiat_bign256_addcarryx_u32(x119, x104, (0x0 as u32)); + let mut x122: u32 = 0; + let mut x123: fiat_bign256_u1 = 0; + let (x122, x123) = fiat_bign256_addcarryx_u32(x121, x106, (0x0 as u32)); + let mut x124: u32 = 0; + let mut x125: fiat_bign256_u1 = 0; + let (x124, x125) = fiat_bign256_addcarryx_u32(x123, x108, (0x0 as u32)); + let mut x126: u32 = 0; + let mut x127: fiat_bign256_u1 = 0; + let (x126, x127) = fiat_bign256_addcarryx_u32(x125, x110, (0x0 as u32)); + let mut x128: u32 = 0; + let mut x129: fiat_bign256_u1 = 0; + let (x128, x129) = fiat_bign256_addcarryx_u32(x127, x112, (0x0 as u32)); + let mut x130: u32 = 0; + let mut x131: fiat_bign256_u1 = 0; + let (x130, x131) = fiat_bign256_addcarryx_u32(x129, x114, (0x0 as u32)); + let mut x132: u32 = 0; + let mut x133: fiat_bign256_u1 = 0; + let (x132, x133) = fiat_bign256_addcarryx_u32(x131, x116, (0x0 as u32)); + let mut x134: u32 = 0; + let mut x135: u32 = 0; + let (x134, x135) = fiat_bign256_mulx_u32(x118, 0xea53fa95); + let mut x136: u32 = 0; + let mut x137: u32 = 0; + let (x136, x137) = fiat_bign256_mulx_u32(x134, 0xffffffff); + let mut x138: u32 = 0; + let mut x139: u32 = 0; + let (x138, x139) = fiat_bign256_mulx_u32(x134, 0xffffffff); + let mut x140: u32 = 0; + let mut x141: u32 = 0; + let (x140, x141) = fiat_bign256_mulx_u32(x134, 0xffffffff); + let mut x142: u32 = 0; + let mut x143: u32 = 0; + let (x142, x143) = fiat_bign256_mulx_u32(x134, 0xffffffff); + let mut x144: u32 = 0; + let mut x145: u32 = 0; + let (x144, x145) = fiat_bign256_mulx_u32(x134, 0xffffffff); + let mut x146: u32 = 0; + let mut x147: u32 = 0; + let (x146, x147) = fiat_bign256_mulx_u32(x134, 0xffffffff); + let mut x148: u32 = 0; + let mut x149: u32 = 0; + let (x148, x149) = fiat_bign256_mulx_u32(x134, 0xffffffff); + let mut x150: u32 = 0; + let mut x151: u32 = 0; + let (x150, x151) = fiat_bign256_mulx_u32(x134, 0xffffff43); + let mut x152: u32 = 0; + let mut x153: fiat_bign256_u1 = 0; + let (x152, x153) = fiat_bign256_addcarryx_u32(0x0, x151, x148); + let mut x154: u32 = 0; + let mut x155: fiat_bign256_u1 = 0; + let (x154, x155) = fiat_bign256_addcarryx_u32(x153, x149, x146); + let mut x156: u32 = 0; + let mut x157: fiat_bign256_u1 = 0; + let (x156, x157) = fiat_bign256_addcarryx_u32(x155, x147, x144); + let mut x158: u32 = 0; + let mut x159: fiat_bign256_u1 = 0; + let (x158, x159) = fiat_bign256_addcarryx_u32(x157, x145, x142); + let mut x160: u32 = 0; + let mut x161: fiat_bign256_u1 = 0; + let (x160, x161) = fiat_bign256_addcarryx_u32(x159, x143, x140); + let mut x162: u32 = 0; + let mut x163: fiat_bign256_u1 = 0; + let (x162, x163) = fiat_bign256_addcarryx_u32(x161, x141, x138); + let mut x164: u32 = 0; + let mut x165: fiat_bign256_u1 = 0; + let (x164, x165) = fiat_bign256_addcarryx_u32(x163, x139, x136); + let mut x166: u32 = 0; + let mut x167: fiat_bign256_u1 = 0; + let (x166, x167) = fiat_bign256_addcarryx_u32(0x0, x118, x150); + let mut x168: u32 = 0; + let mut x169: fiat_bign256_u1 = 0; + let (x168, x169) = fiat_bign256_addcarryx_u32(x167, x120, x152); + let mut x170: u32 = 0; + let mut x171: fiat_bign256_u1 = 0; + let (x170, x171) = fiat_bign256_addcarryx_u32(x169, x122, x154); + let mut x172: u32 = 0; + let mut x173: fiat_bign256_u1 = 0; + let (x172, x173) = fiat_bign256_addcarryx_u32(x171, x124, x156); + let mut x174: u32 = 0; + let mut x175: fiat_bign256_u1 = 0; + let (x174, x175) = fiat_bign256_addcarryx_u32(x173, x126, x158); + let mut x176: u32 = 0; + let mut x177: fiat_bign256_u1 = 0; + let (x176, x177) = fiat_bign256_addcarryx_u32(x175, x128, x160); + let mut x178: u32 = 0; + let mut x179: fiat_bign256_u1 = 0; + let (x178, x179) = fiat_bign256_addcarryx_u32(x177, x130, x162); + let mut x180: u32 = 0; + let mut x181: fiat_bign256_u1 = 0; + let (x180, x181) = fiat_bign256_addcarryx_u32(x179, x132, x164); + let mut x182: u32 = 0; + let mut x183: fiat_bign256_u1 = 0; + let (x182, x183) = fiat_bign256_addcarryx_u32( + x181, + ((x133 as u32) + (x117 as u32)), + ((x165 as u32) + x137), + ); + let mut x184: u32 = 0; + let mut x185: fiat_bign256_u1 = 0; + let (x184, x185) = fiat_bign256_addcarryx_u32(0x0, x168, (arg1[3])); + let mut x186: u32 = 0; + let mut x187: fiat_bign256_u1 = 0; + let (x186, x187) = fiat_bign256_addcarryx_u32(x185, x170, (0x0 as u32)); + let mut x188: u32 = 0; + let mut x189: fiat_bign256_u1 = 0; + let (x188, x189) = fiat_bign256_addcarryx_u32(x187, x172, (0x0 as u32)); + let mut x190: u32 = 0; + let mut x191: fiat_bign256_u1 = 0; + let (x190, x191) = fiat_bign256_addcarryx_u32(x189, x174, (0x0 as u32)); + let mut x192: u32 = 0; + let mut x193: fiat_bign256_u1 = 0; + let (x192, x193) = fiat_bign256_addcarryx_u32(x191, x176, (0x0 as u32)); + let mut x194: u32 = 0; + let mut x195: fiat_bign256_u1 = 0; + let (x194, x195) = fiat_bign256_addcarryx_u32(x193, x178, (0x0 as u32)); + let mut x196: u32 = 0; + let mut x197: fiat_bign256_u1 = 0; + let (x196, x197) = fiat_bign256_addcarryx_u32(x195, x180, (0x0 as u32)); + let mut x198: u32 = 0; + let mut x199: fiat_bign256_u1 = 0; + let (x198, x199) = fiat_bign256_addcarryx_u32(x197, x182, (0x0 as u32)); + let mut x200: u32 = 0; + let mut x201: u32 = 0; + let (x200, x201) = fiat_bign256_mulx_u32(x184, 0xea53fa95); + let mut x202: u32 = 0; + let mut x203: u32 = 0; + let (x202, x203) = fiat_bign256_mulx_u32(x200, 0xffffffff); + let mut x204: u32 = 0; + let mut x205: u32 = 0; + let (x204, x205) = fiat_bign256_mulx_u32(x200, 0xffffffff); + let mut x206: u32 = 0; + let mut x207: u32 = 0; + let (x206, x207) = fiat_bign256_mulx_u32(x200, 0xffffffff); + let mut x208: u32 = 0; + let mut x209: u32 = 0; + let (x208, x209) = fiat_bign256_mulx_u32(x200, 0xffffffff); + let mut x210: u32 = 0; + let mut x211: u32 = 0; + let (x210, x211) = fiat_bign256_mulx_u32(x200, 0xffffffff); + let mut x212: u32 = 0; + let mut x213: u32 = 0; + let (x212, x213) = fiat_bign256_mulx_u32(x200, 0xffffffff); + let mut x214: u32 = 0; + let mut x215: u32 = 0; + let (x214, x215) = fiat_bign256_mulx_u32(x200, 0xffffffff); + let mut x216: u32 = 0; + let mut x217: u32 = 0; + let (x216, x217) = fiat_bign256_mulx_u32(x200, 0xffffff43); + let mut x218: u32 = 0; + let mut x219: fiat_bign256_u1 = 0; + let (x218, x219) = fiat_bign256_addcarryx_u32(0x0, x217, x214); + let mut x220: u32 = 0; + let mut x221: fiat_bign256_u1 = 0; + let (x220, x221) = fiat_bign256_addcarryx_u32(x219, x215, x212); + let mut x222: u32 = 0; + let mut x223: fiat_bign256_u1 = 0; + let (x222, x223) = fiat_bign256_addcarryx_u32(x221, x213, x210); + let mut x224: u32 = 0; + let mut x225: fiat_bign256_u1 = 0; + let (x224, x225) = fiat_bign256_addcarryx_u32(x223, x211, x208); + let mut x226: u32 = 0; + let mut x227: fiat_bign256_u1 = 0; + let (x226, x227) = fiat_bign256_addcarryx_u32(x225, x209, x206); + let mut x228: u32 = 0; + let mut x229: fiat_bign256_u1 = 0; + let (x228, x229) = fiat_bign256_addcarryx_u32(x227, x207, x204); + let mut x230: u32 = 0; + let mut x231: fiat_bign256_u1 = 0; + let (x230, x231) = fiat_bign256_addcarryx_u32(x229, x205, x202); + let mut x232: u32 = 0; + let mut x233: fiat_bign256_u1 = 0; + let (x232, x233) = fiat_bign256_addcarryx_u32(0x0, x184, x216); + let mut x234: u32 = 0; + let mut x235: fiat_bign256_u1 = 0; + let (x234, x235) = fiat_bign256_addcarryx_u32(x233, x186, x218); + let mut x236: u32 = 0; + let mut x237: fiat_bign256_u1 = 0; + let (x236, x237) = fiat_bign256_addcarryx_u32(x235, x188, x220); + let mut x238: u32 = 0; + let mut x239: fiat_bign256_u1 = 0; + let (x238, x239) = fiat_bign256_addcarryx_u32(x237, x190, x222); + let mut x240: u32 = 0; + let mut x241: fiat_bign256_u1 = 0; + let (x240, x241) = fiat_bign256_addcarryx_u32(x239, x192, x224); + let mut x242: u32 = 0; + let mut x243: fiat_bign256_u1 = 0; + let (x242, x243) = fiat_bign256_addcarryx_u32(x241, x194, x226); + let mut x244: u32 = 0; + let mut x245: fiat_bign256_u1 = 0; + let (x244, x245) = fiat_bign256_addcarryx_u32(x243, x196, x228); + let mut x246: u32 = 0; + let mut x247: fiat_bign256_u1 = 0; + let (x246, x247) = fiat_bign256_addcarryx_u32(x245, x198, x230); + let mut x248: u32 = 0; + let mut x249: fiat_bign256_u1 = 0; + let (x248, x249) = fiat_bign256_addcarryx_u32( + x247, + ((x199 as u32) + (x183 as u32)), + ((x231 as u32) + x203), + ); + let mut x250: u32 = 0; + let mut x251: fiat_bign256_u1 = 0; + let (x250, x251) = fiat_bign256_addcarryx_u32(0x0, x234, (arg1[4])); + let mut x252: u32 = 0; + let mut x253: fiat_bign256_u1 = 0; + let (x252, x253) = fiat_bign256_addcarryx_u32(x251, x236, (0x0 as u32)); + let mut x254: u32 = 0; + let mut x255: fiat_bign256_u1 = 0; + let (x254, x255) = fiat_bign256_addcarryx_u32(x253, x238, (0x0 as u32)); + let mut x256: u32 = 0; + let mut x257: fiat_bign256_u1 = 0; + let (x256, x257) = fiat_bign256_addcarryx_u32(x255, x240, (0x0 as u32)); + let mut x258: u32 = 0; + let mut x259: fiat_bign256_u1 = 0; + let (x258, x259) = fiat_bign256_addcarryx_u32(x257, x242, (0x0 as u32)); + let mut x260: u32 = 0; + let mut x261: fiat_bign256_u1 = 0; + let (x260, x261) = fiat_bign256_addcarryx_u32(x259, x244, (0x0 as u32)); + let mut x262: u32 = 0; + let mut x263: fiat_bign256_u1 = 0; + let (x262, x263) = fiat_bign256_addcarryx_u32(x261, x246, (0x0 as u32)); + let mut x264: u32 = 0; + let mut x265: fiat_bign256_u1 = 0; + let (x264, x265) = fiat_bign256_addcarryx_u32(x263, x248, (0x0 as u32)); + let mut x266: u32 = 0; + let mut x267: u32 = 0; + let (x266, x267) = fiat_bign256_mulx_u32(x250, 0xea53fa95); + let mut x268: u32 = 0; + let mut x269: u32 = 0; + let (x268, x269) = fiat_bign256_mulx_u32(x266, 0xffffffff); + let mut x270: u32 = 0; + let mut x271: u32 = 0; + let (x270, x271) = fiat_bign256_mulx_u32(x266, 0xffffffff); + let mut x272: u32 = 0; + let mut x273: u32 = 0; + let (x272, x273) = fiat_bign256_mulx_u32(x266, 0xffffffff); + let mut x274: u32 = 0; + let mut x275: u32 = 0; + let (x274, x275) = fiat_bign256_mulx_u32(x266, 0xffffffff); + let mut x276: u32 = 0; + let mut x277: u32 = 0; + let (x276, x277) = fiat_bign256_mulx_u32(x266, 0xffffffff); + let mut x278: u32 = 0; + let mut x279: u32 = 0; + let (x278, x279) = fiat_bign256_mulx_u32(x266, 0xffffffff); + let mut x280: u32 = 0; + let mut x281: u32 = 0; + let (x280, x281) = fiat_bign256_mulx_u32(x266, 0xffffffff); + let mut x282: u32 = 0; + let mut x283: u32 = 0; + let (x282, x283) = fiat_bign256_mulx_u32(x266, 0xffffff43); + let mut x284: u32 = 0; + let mut x285: fiat_bign256_u1 = 0; + let (x284, x285) = fiat_bign256_addcarryx_u32(0x0, x283, x280); + let mut x286: u32 = 0; + let mut x287: fiat_bign256_u1 = 0; + let (x286, x287) = fiat_bign256_addcarryx_u32(x285, x281, x278); + let mut x288: u32 = 0; + let mut x289: fiat_bign256_u1 = 0; + let (x288, x289) = fiat_bign256_addcarryx_u32(x287, x279, x276); + let mut x290: u32 = 0; + let mut x291: fiat_bign256_u1 = 0; + let (x290, x291) = fiat_bign256_addcarryx_u32(x289, x277, x274); + let mut x292: u32 = 0; + let mut x293: fiat_bign256_u1 = 0; + let (x292, x293) = fiat_bign256_addcarryx_u32(x291, x275, x272); + let mut x294: u32 = 0; + let mut x295: fiat_bign256_u1 = 0; + let (x294, x295) = fiat_bign256_addcarryx_u32(x293, x273, x270); + let mut x296: u32 = 0; + let mut x297: fiat_bign256_u1 = 0; + let (x296, x297) = fiat_bign256_addcarryx_u32(x295, x271, x268); + let mut x298: u32 = 0; + let mut x299: fiat_bign256_u1 = 0; + let (x298, x299) = fiat_bign256_addcarryx_u32(0x0, x250, x282); + let mut x300: u32 = 0; + let mut x301: fiat_bign256_u1 = 0; + let (x300, x301) = fiat_bign256_addcarryx_u32(x299, x252, x284); + let mut x302: u32 = 0; + let mut x303: fiat_bign256_u1 = 0; + let (x302, x303) = fiat_bign256_addcarryx_u32(x301, x254, x286); + let mut x304: u32 = 0; + let mut x305: fiat_bign256_u1 = 0; + let (x304, x305) = fiat_bign256_addcarryx_u32(x303, x256, x288); + let mut x306: u32 = 0; + let mut x307: fiat_bign256_u1 = 0; + let (x306, x307) = fiat_bign256_addcarryx_u32(x305, x258, x290); + let mut x308: u32 = 0; + let mut x309: fiat_bign256_u1 = 0; + let (x308, x309) = fiat_bign256_addcarryx_u32(x307, x260, x292); + let mut x310: u32 = 0; + let mut x311: fiat_bign256_u1 = 0; + let (x310, x311) = fiat_bign256_addcarryx_u32(x309, x262, x294); + let mut x312: u32 = 0; + let mut x313: fiat_bign256_u1 = 0; + let (x312, x313) = fiat_bign256_addcarryx_u32(x311, x264, x296); + let mut x314: u32 = 0; + let mut x315: fiat_bign256_u1 = 0; + let (x314, x315) = fiat_bign256_addcarryx_u32( + x313, + ((x265 as u32) + (x249 as u32)), + ((x297 as u32) + x269), + ); + let mut x316: u32 = 0; + let mut x317: fiat_bign256_u1 = 0; + let (x316, x317) = fiat_bign256_addcarryx_u32(0x0, x300, (arg1[5])); + let mut x318: u32 = 0; + let mut x319: fiat_bign256_u1 = 0; + let (x318, x319) = fiat_bign256_addcarryx_u32(x317, x302, (0x0 as u32)); + let mut x320: u32 = 0; + let mut x321: fiat_bign256_u1 = 0; + let (x320, x321) = fiat_bign256_addcarryx_u32(x319, x304, (0x0 as u32)); + let mut x322: u32 = 0; + let mut x323: fiat_bign256_u1 = 0; + let (x322, x323) = fiat_bign256_addcarryx_u32(x321, x306, (0x0 as u32)); + let mut x324: u32 = 0; + let mut x325: fiat_bign256_u1 = 0; + let (x324, x325) = fiat_bign256_addcarryx_u32(x323, x308, (0x0 as u32)); + let mut x326: u32 = 0; + let mut x327: fiat_bign256_u1 = 0; + let (x326, x327) = fiat_bign256_addcarryx_u32(x325, x310, (0x0 as u32)); + let mut x328: u32 = 0; + let mut x329: fiat_bign256_u1 = 0; + let (x328, x329) = fiat_bign256_addcarryx_u32(x327, x312, (0x0 as u32)); + let mut x330: u32 = 0; + let mut x331: fiat_bign256_u1 = 0; + let (x330, x331) = fiat_bign256_addcarryx_u32(x329, x314, (0x0 as u32)); + let mut x332: u32 = 0; + let mut x333: u32 = 0; + let (x332, x333) = fiat_bign256_mulx_u32(x316, 0xea53fa95); + let mut x334: u32 = 0; + let mut x335: u32 = 0; + let (x334, x335) = fiat_bign256_mulx_u32(x332, 0xffffffff); + let mut x336: u32 = 0; + let mut x337: u32 = 0; + let (x336, x337) = fiat_bign256_mulx_u32(x332, 0xffffffff); + let mut x338: u32 = 0; + let mut x339: u32 = 0; + let (x338, x339) = fiat_bign256_mulx_u32(x332, 0xffffffff); + let mut x340: u32 = 0; + let mut x341: u32 = 0; + let (x340, x341) = fiat_bign256_mulx_u32(x332, 0xffffffff); + let mut x342: u32 = 0; + let mut x343: u32 = 0; + let (x342, x343) = fiat_bign256_mulx_u32(x332, 0xffffffff); + let mut x344: u32 = 0; + let mut x345: u32 = 0; + let (x344, x345) = fiat_bign256_mulx_u32(x332, 0xffffffff); + let mut x346: u32 = 0; + let mut x347: u32 = 0; + let (x346, x347) = fiat_bign256_mulx_u32(x332, 0xffffffff); + let mut x348: u32 = 0; + let mut x349: u32 = 0; + let (x348, x349) = fiat_bign256_mulx_u32(x332, 0xffffff43); + let mut x350: u32 = 0; + let mut x351: fiat_bign256_u1 = 0; + let (x350, x351) = fiat_bign256_addcarryx_u32(0x0, x349, x346); + let mut x352: u32 = 0; + let mut x353: fiat_bign256_u1 = 0; + let (x352, x353) = fiat_bign256_addcarryx_u32(x351, x347, x344); + let mut x354: u32 = 0; + let mut x355: fiat_bign256_u1 = 0; + let (x354, x355) = fiat_bign256_addcarryx_u32(x353, x345, x342); + let mut x356: u32 = 0; + let mut x357: fiat_bign256_u1 = 0; + let (x356, x357) = fiat_bign256_addcarryx_u32(x355, x343, x340); + let mut x358: u32 = 0; + let mut x359: fiat_bign256_u1 = 0; + let (x358, x359) = fiat_bign256_addcarryx_u32(x357, x341, x338); + let mut x360: u32 = 0; + let mut x361: fiat_bign256_u1 = 0; + let (x360, x361) = fiat_bign256_addcarryx_u32(x359, x339, x336); + let mut x362: u32 = 0; + let mut x363: fiat_bign256_u1 = 0; + let (x362, x363) = fiat_bign256_addcarryx_u32(x361, x337, x334); + let mut x364: u32 = 0; + let mut x365: fiat_bign256_u1 = 0; + let (x364, x365) = fiat_bign256_addcarryx_u32(0x0, x316, x348); + let mut x366: u32 = 0; + let mut x367: fiat_bign256_u1 = 0; + let (x366, x367) = fiat_bign256_addcarryx_u32(x365, x318, x350); + let mut x368: u32 = 0; + let mut x369: fiat_bign256_u1 = 0; + let (x368, x369) = fiat_bign256_addcarryx_u32(x367, x320, x352); + let mut x370: u32 = 0; + let mut x371: fiat_bign256_u1 = 0; + let (x370, x371) = fiat_bign256_addcarryx_u32(x369, x322, x354); + let mut x372: u32 = 0; + let mut x373: fiat_bign256_u1 = 0; + let (x372, x373) = fiat_bign256_addcarryx_u32(x371, x324, x356); + let mut x374: u32 = 0; + let mut x375: fiat_bign256_u1 = 0; + let (x374, x375) = fiat_bign256_addcarryx_u32(x373, x326, x358); + let mut x376: u32 = 0; + let mut x377: fiat_bign256_u1 = 0; + let (x376, x377) = fiat_bign256_addcarryx_u32(x375, x328, x360); + let mut x378: u32 = 0; + let mut x379: fiat_bign256_u1 = 0; + let (x378, x379) = fiat_bign256_addcarryx_u32(x377, x330, x362); + let mut x380: u32 = 0; + let mut x381: fiat_bign256_u1 = 0; + let (x380, x381) = fiat_bign256_addcarryx_u32( + x379, + ((x331 as u32) + (x315 as u32)), + ((x363 as u32) + x335), + ); + let mut x382: u32 = 0; + let mut x383: fiat_bign256_u1 = 0; + let (x382, x383) = fiat_bign256_addcarryx_u32(0x0, x366, (arg1[6])); + let mut x384: u32 = 0; + let mut x385: fiat_bign256_u1 = 0; + let (x384, x385) = fiat_bign256_addcarryx_u32(x383, x368, (0x0 as u32)); + let mut x386: u32 = 0; + let mut x387: fiat_bign256_u1 = 0; + let (x386, x387) = fiat_bign256_addcarryx_u32(x385, x370, (0x0 as u32)); + let mut x388: u32 = 0; + let mut x389: fiat_bign256_u1 = 0; + let (x388, x389) = fiat_bign256_addcarryx_u32(x387, x372, (0x0 as u32)); + let mut x390: u32 = 0; + let mut x391: fiat_bign256_u1 = 0; + let (x390, x391) = fiat_bign256_addcarryx_u32(x389, x374, (0x0 as u32)); + let mut x392: u32 = 0; + let mut x393: fiat_bign256_u1 = 0; + let (x392, x393) = fiat_bign256_addcarryx_u32(x391, x376, (0x0 as u32)); + let mut x394: u32 = 0; + let mut x395: fiat_bign256_u1 = 0; + let (x394, x395) = fiat_bign256_addcarryx_u32(x393, x378, (0x0 as u32)); + let mut x396: u32 = 0; + let mut x397: fiat_bign256_u1 = 0; + let (x396, x397) = fiat_bign256_addcarryx_u32(x395, x380, (0x0 as u32)); + let mut x398: u32 = 0; + let mut x399: u32 = 0; + let (x398, x399) = fiat_bign256_mulx_u32(x382, 0xea53fa95); + let mut x400: u32 = 0; + let mut x401: u32 = 0; + let (x400, x401) = fiat_bign256_mulx_u32(x398, 0xffffffff); + let mut x402: u32 = 0; + let mut x403: u32 = 0; + let (x402, x403) = fiat_bign256_mulx_u32(x398, 0xffffffff); + let mut x404: u32 = 0; + let mut x405: u32 = 0; + let (x404, x405) = fiat_bign256_mulx_u32(x398, 0xffffffff); + let mut x406: u32 = 0; + let mut x407: u32 = 0; + let (x406, x407) = fiat_bign256_mulx_u32(x398, 0xffffffff); + let mut x408: u32 = 0; + let mut x409: u32 = 0; + let (x408, x409) = fiat_bign256_mulx_u32(x398, 0xffffffff); + let mut x410: u32 = 0; + let mut x411: u32 = 0; + let (x410, x411) = fiat_bign256_mulx_u32(x398, 0xffffffff); + let mut x412: u32 = 0; + let mut x413: u32 = 0; + let (x412, x413) = fiat_bign256_mulx_u32(x398, 0xffffffff); + let mut x414: u32 = 0; + let mut x415: u32 = 0; + let (x414, x415) = fiat_bign256_mulx_u32(x398, 0xffffff43); + let mut x416: u32 = 0; + let mut x417: fiat_bign256_u1 = 0; + let (x416, x417) = fiat_bign256_addcarryx_u32(0x0, x415, x412); + let mut x418: u32 = 0; + let mut x419: fiat_bign256_u1 = 0; + let (x418, x419) = fiat_bign256_addcarryx_u32(x417, x413, x410); + let mut x420: u32 = 0; + let mut x421: fiat_bign256_u1 = 0; + let (x420, x421) = fiat_bign256_addcarryx_u32(x419, x411, x408); + let mut x422: u32 = 0; + let mut x423: fiat_bign256_u1 = 0; + let (x422, x423) = fiat_bign256_addcarryx_u32(x421, x409, x406); + let mut x424: u32 = 0; + let mut x425: fiat_bign256_u1 = 0; + let (x424, x425) = fiat_bign256_addcarryx_u32(x423, x407, x404); + let mut x426: u32 = 0; + let mut x427: fiat_bign256_u1 = 0; + let (x426, x427) = fiat_bign256_addcarryx_u32(x425, x405, x402); + let mut x428: u32 = 0; + let mut x429: fiat_bign256_u1 = 0; + let (x428, x429) = fiat_bign256_addcarryx_u32(x427, x403, x400); + let mut x430: u32 = 0; + let mut x431: fiat_bign256_u1 = 0; + let (x430, x431) = fiat_bign256_addcarryx_u32(0x0, x382, x414); + let mut x432: u32 = 0; + let mut x433: fiat_bign256_u1 = 0; + let (x432, x433) = fiat_bign256_addcarryx_u32(x431, x384, x416); + let mut x434: u32 = 0; + let mut x435: fiat_bign256_u1 = 0; + let (x434, x435) = fiat_bign256_addcarryx_u32(x433, x386, x418); + let mut x436: u32 = 0; + let mut x437: fiat_bign256_u1 = 0; + let (x436, x437) = fiat_bign256_addcarryx_u32(x435, x388, x420); + let mut x438: u32 = 0; + let mut x439: fiat_bign256_u1 = 0; + let (x438, x439) = fiat_bign256_addcarryx_u32(x437, x390, x422); + let mut x440: u32 = 0; + let mut x441: fiat_bign256_u1 = 0; + let (x440, x441) = fiat_bign256_addcarryx_u32(x439, x392, x424); + let mut x442: u32 = 0; + let mut x443: fiat_bign256_u1 = 0; + let (x442, x443) = fiat_bign256_addcarryx_u32(x441, x394, x426); + let mut x444: u32 = 0; + let mut x445: fiat_bign256_u1 = 0; + let (x444, x445) = fiat_bign256_addcarryx_u32(x443, x396, x428); + let mut x446: u32 = 0; + let mut x447: fiat_bign256_u1 = 0; + let (x446, x447) = fiat_bign256_addcarryx_u32( + x445, + ((x397 as u32) + (x381 as u32)), + ((x429 as u32) + x401), + ); + let mut x448: u32 = 0; + let mut x449: fiat_bign256_u1 = 0; + let (x448, x449) = fiat_bign256_addcarryx_u32(0x0, x432, (arg1[7])); + let mut x450: u32 = 0; + let mut x451: fiat_bign256_u1 = 0; + let (x450, x451) = fiat_bign256_addcarryx_u32(x449, x434, (0x0 as u32)); + let mut x452: u32 = 0; + let mut x453: fiat_bign256_u1 = 0; + let (x452, x453) = fiat_bign256_addcarryx_u32(x451, x436, (0x0 as u32)); + let mut x454: u32 = 0; + let mut x455: fiat_bign256_u1 = 0; + let (x454, x455) = fiat_bign256_addcarryx_u32(x453, x438, (0x0 as u32)); + let mut x456: u32 = 0; + let mut x457: fiat_bign256_u1 = 0; + let (x456, x457) = fiat_bign256_addcarryx_u32(x455, x440, (0x0 as u32)); + let mut x458: u32 = 0; + let mut x459: fiat_bign256_u1 = 0; + let (x458, x459) = fiat_bign256_addcarryx_u32(x457, x442, (0x0 as u32)); + let mut x460: u32 = 0; + let mut x461: fiat_bign256_u1 = 0; + let (x460, x461) = fiat_bign256_addcarryx_u32(x459, x444, (0x0 as u32)); + let mut x462: u32 = 0; + let mut x463: fiat_bign256_u1 = 0; + let (x462, x463) = fiat_bign256_addcarryx_u32(x461, x446, (0x0 as u32)); + let mut x464: u32 = 0; + let mut x465: u32 = 0; + let (x464, x465) = fiat_bign256_mulx_u32(x448, 0xea53fa95); + let mut x466: u32 = 0; + let mut x467: u32 = 0; + let (x466, x467) = fiat_bign256_mulx_u32(x464, 0xffffffff); + let mut x468: u32 = 0; + let mut x469: u32 = 0; + let (x468, x469) = fiat_bign256_mulx_u32(x464, 0xffffffff); + let mut x470: u32 = 0; + let mut x471: u32 = 0; + let (x470, x471) = fiat_bign256_mulx_u32(x464, 0xffffffff); + let mut x472: u32 = 0; + let mut x473: u32 = 0; + let (x472, x473) = fiat_bign256_mulx_u32(x464, 0xffffffff); + let mut x474: u32 = 0; + let mut x475: u32 = 0; + let (x474, x475) = fiat_bign256_mulx_u32(x464, 0xffffffff); + let mut x476: u32 = 0; + let mut x477: u32 = 0; + let (x476, x477) = fiat_bign256_mulx_u32(x464, 0xffffffff); + let mut x478: u32 = 0; + let mut x479: u32 = 0; + let (x478, x479) = fiat_bign256_mulx_u32(x464, 0xffffffff); + let mut x480: u32 = 0; + let mut x481: u32 = 0; + let (x480, x481) = fiat_bign256_mulx_u32(x464, 0xffffff43); + let mut x482: u32 = 0; + let mut x483: fiat_bign256_u1 = 0; + let (x482, x483) = fiat_bign256_addcarryx_u32(0x0, x481, x478); + let mut x484: u32 = 0; + let mut x485: fiat_bign256_u1 = 0; + let (x484, x485) = fiat_bign256_addcarryx_u32(x483, x479, x476); + let mut x486: u32 = 0; + let mut x487: fiat_bign256_u1 = 0; + let (x486, x487) = fiat_bign256_addcarryx_u32(x485, x477, x474); + let mut x488: u32 = 0; + let mut x489: fiat_bign256_u1 = 0; + let (x488, x489) = fiat_bign256_addcarryx_u32(x487, x475, x472); + let mut x490: u32 = 0; + let mut x491: fiat_bign256_u1 = 0; + let (x490, x491) = fiat_bign256_addcarryx_u32(x489, x473, x470); + let mut x492: u32 = 0; + let mut x493: fiat_bign256_u1 = 0; + let (x492, x493) = fiat_bign256_addcarryx_u32(x491, x471, x468); + let mut x494: u32 = 0; + let mut x495: fiat_bign256_u1 = 0; + let (x494, x495) = fiat_bign256_addcarryx_u32(x493, x469, x466); + let mut x496: u32 = 0; + let mut x497: fiat_bign256_u1 = 0; + let (x496, x497) = fiat_bign256_addcarryx_u32(0x0, x448, x480); + let mut x498: u32 = 0; + let mut x499: fiat_bign256_u1 = 0; + let (x498, x499) = fiat_bign256_addcarryx_u32(x497, x450, x482); + let mut x500: u32 = 0; + let mut x501: fiat_bign256_u1 = 0; + let (x500, x501) = fiat_bign256_addcarryx_u32(x499, x452, x484); + let mut x502: u32 = 0; + let mut x503: fiat_bign256_u1 = 0; + let (x502, x503) = fiat_bign256_addcarryx_u32(x501, x454, x486); + let mut x504: u32 = 0; + let mut x505: fiat_bign256_u1 = 0; + let (x504, x505) = fiat_bign256_addcarryx_u32(x503, x456, x488); + let mut x506: u32 = 0; + let mut x507: fiat_bign256_u1 = 0; + let (x506, x507) = fiat_bign256_addcarryx_u32(x505, x458, x490); + let mut x508: u32 = 0; + let mut x509: fiat_bign256_u1 = 0; + let (x508, x509) = fiat_bign256_addcarryx_u32(x507, x460, x492); + let mut x510: u32 = 0; + let mut x511: fiat_bign256_u1 = 0; + let (x510, x511) = fiat_bign256_addcarryx_u32(x509, x462, x494); + let mut x512: u32 = 0; + let mut x513: fiat_bign256_u1 = 0; + let (x512, x513) = fiat_bign256_addcarryx_u32( + x511, + ((x463 as u32) + (x447 as u32)), + ((x495 as u32) + x467), + ); + let mut x514: u32 = 0; + let mut x515: fiat_bign256_u1 = 0; + let (x514, x515) = fiat_bign256_subborrowx_u32(0x0, x498, 0xffffff43); + let mut x516: u32 = 0; + let mut x517: fiat_bign256_u1 = 0; + let (x516, x517) = fiat_bign256_subborrowx_u32(x515, x500, 0xffffffff); + let mut x518: u32 = 0; + let mut x519: fiat_bign256_u1 = 0; + let (x518, x519) = fiat_bign256_subborrowx_u32(x517, x502, 0xffffffff); + let mut x520: u32 = 0; + let mut x521: fiat_bign256_u1 = 0; + let (x520, x521) = fiat_bign256_subborrowx_u32(x519, x504, 0xffffffff); + let mut x522: u32 = 0; + let mut x523: fiat_bign256_u1 = 0; + let (x522, x523) = fiat_bign256_subborrowx_u32(x521, x506, 0xffffffff); + let mut x524: u32 = 0; + let mut x525: fiat_bign256_u1 = 0; + let (x524, x525) = fiat_bign256_subborrowx_u32(x523, x508, 0xffffffff); + let mut x526: u32 = 0; + let mut x527: fiat_bign256_u1 = 0; + let (x526, x527) = fiat_bign256_subborrowx_u32(x525, x510, 0xffffffff); + let mut x528: u32 = 0; + let mut x529: fiat_bign256_u1 = 0; + let (x528, x529) = fiat_bign256_subborrowx_u32(x527, x512, 0xffffffff); + let mut x530: u32 = 0; + let mut x531: fiat_bign256_u1 = 0; + let (x530, x531) = fiat_bign256_subborrowx_u32(x529, (x513 as u32), (0x0 as u32)); + let mut x532: u32 = 0; + let (x532) = fiat_bign256_cmovznz_u32(x531, x514, x498); + let mut x533: u32 = 0; + let (x533) = fiat_bign256_cmovznz_u32(x531, x516, x500); + let mut x534: u32 = 0; + let (x534) = fiat_bign256_cmovznz_u32(x531, x518, x502); + let mut x535: u32 = 0; + let (x535) = fiat_bign256_cmovznz_u32(x531, x520, x504); + let mut x536: u32 = 0; + let (x536) = fiat_bign256_cmovznz_u32(x531, x522, x506); + let mut x537: u32 = 0; + let (x537) = fiat_bign256_cmovznz_u32(x531, x524, x508); + let mut x538: u32 = 0; + let (x538) = fiat_bign256_cmovznz_u32(x531, x526, x510); + let mut x539: u32 = 0; + let (x539) = fiat_bign256_cmovznz_u32(x531, x528, x512); + out1[0] = x532; + out1[1] = x533; + out1[2] = x534; + out1[3] = x535; + out1[4] = x536; + out1[5] = x537; + out1[6] = x538; + out1[7] = x539; + out1 +} +#[doc = " The function fiat_bign256_to_montgomery translates a field element into the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = eval arg1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_to_montgomery( + arg1: &fiat_bign256_non_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 8]; + let mut x1: u32 = 0; + let mut x2: u32 = 0; + let (x1, x2) = fiat_bign256_mulx_u32((arg1[0]), 0x8b89); + let mut x3: u32 = 0; + let mut x4: u32 = 0; + let (x3, x4) = fiat_bign256_mulx_u32(x1, 0xea53fa95); + let mut x5: u32 = 0; + let mut x6: u32 = 0; + let (x5, x6) = fiat_bign256_mulx_u32(x3, 0xffffffff); + let mut x7: u32 = 0; + let mut x8: u32 = 0; + let (x7, x8) = fiat_bign256_mulx_u32(x3, 0xffffffff); + let mut x9: u32 = 0; + let mut x10: u32 = 0; + let (x9, x10) = fiat_bign256_mulx_u32(x3, 0xffffffff); + let mut x11: u32 = 0; + let mut x12: u32 = 0; + let (x11, x12) = fiat_bign256_mulx_u32(x3, 0xffffffff); + let mut x13: u32 = 0; + let mut x14: u32 = 0; + let (x13, x14) = fiat_bign256_mulx_u32(x3, 0xffffffff); + let mut x15: u32 = 0; + let mut x16: u32 = 0; + let (x15, x16) = fiat_bign256_mulx_u32(x3, 0xffffffff); + let mut x17: u32 = 0; + let mut x18: u32 = 0; + let (x17, x18) = fiat_bign256_mulx_u32(x3, 0xffffffff); + let mut x19: u32 = 0; + let mut x20: u32 = 0; + let (x19, x20) = fiat_bign256_mulx_u32(x3, 0xffffff43); + let mut x21: u32 = 0; + let mut x22: fiat_bign256_u1 = 0; + let (x21, x22) = fiat_bign256_addcarryx_u32(0x0, x20, x17); + let mut x23: u32 = 0; + let mut x24: fiat_bign256_u1 = 0; + let (x23, x24) = fiat_bign256_addcarryx_u32(x22, x18, x15); + let mut x25: u32 = 0; + let mut x26: fiat_bign256_u1 = 0; + let (x25, x26) = fiat_bign256_addcarryx_u32(x24, x16, x13); + let mut x27: u32 = 0; + let mut x28: fiat_bign256_u1 = 0; + let (x27, x28) = fiat_bign256_addcarryx_u32(x26, x14, x11); + let mut x29: u32 = 0; + let mut x30: fiat_bign256_u1 = 0; + let (x29, x30) = fiat_bign256_addcarryx_u32(x28, x12, x9); + let mut x31: u32 = 0; + let mut x32: fiat_bign256_u1 = 0; + let (x31, x32) = fiat_bign256_addcarryx_u32(x30, x10, x7); + let mut x33: u32 = 0; + let mut x34: fiat_bign256_u1 = 0; + let (x33, x34) = fiat_bign256_addcarryx_u32(x32, x8, x5); + let mut x35: u32 = 0; + let mut x36: fiat_bign256_u1 = 0; + let (x35, x36) = fiat_bign256_addcarryx_u32(0x0, x1, x19); + let mut x37: u32 = 0; + let mut x38: fiat_bign256_u1 = 0; + let (x37, x38) = fiat_bign256_addcarryx_u32(x36, x2, x21); + let mut x39: u32 = 0; + let mut x40: fiat_bign256_u1 = 0; + let (x39, x40) = fiat_bign256_addcarryx_u32(x38, (0x0 as u32), x23); + let mut x41: u32 = 0; + let mut x42: fiat_bign256_u1 = 0; + let (x41, x42) = fiat_bign256_addcarryx_u32(x40, (0x0 as u32), x25); + let mut x43: u32 = 0; + let mut x44: fiat_bign256_u1 = 0; + let (x43, x44) = fiat_bign256_addcarryx_u32(x42, (0x0 as u32), x27); + let mut x45: u32 = 0; + let mut x46: fiat_bign256_u1 = 0; + let (x45, x46) = fiat_bign256_addcarryx_u32(x44, (0x0 as u32), x29); + let mut x47: u32 = 0; + let mut x48: fiat_bign256_u1 = 0; + let (x47, x48) = fiat_bign256_addcarryx_u32(x46, (0x0 as u32), x31); + let mut x49: u32 = 0; + let mut x50: fiat_bign256_u1 = 0; + let (x49, x50) = fiat_bign256_addcarryx_u32(x48, (0x0 as u32), x33); + let mut x51: u32 = 0; + let mut x52: fiat_bign256_u1 = 0; + let (x51, x52) = fiat_bign256_addcarryx_u32(x50, (0x0 as u32), ((x34 as u32) + x6)); + let mut x53: u32 = 0; + let mut x54: u32 = 0; + let (x53, x54) = fiat_bign256_mulx_u32((arg1[1]), 0x8b89); + let mut x55: u32 = 0; + let mut x56: fiat_bign256_u1 = 0; + let (x55, x56) = fiat_bign256_addcarryx_u32(0x0, x37, x53); + let mut x57: u32 = 0; + let mut x58: fiat_bign256_u1 = 0; + let (x57, x58) = fiat_bign256_addcarryx_u32(x56, x39, x54); + let mut x59: u32 = 0; + let mut x60: fiat_bign256_u1 = 0; + let (x59, x60) = fiat_bign256_addcarryx_u32(x58, x41, (0x0 as u32)); + let mut x61: u32 = 0; + let mut x62: fiat_bign256_u1 = 0; + let (x61, x62) = fiat_bign256_addcarryx_u32(x60, x43, (0x0 as u32)); + let mut x63: u32 = 0; + let mut x64: fiat_bign256_u1 = 0; + let (x63, x64) = fiat_bign256_addcarryx_u32(x62, x45, (0x0 as u32)); + let mut x65: u32 = 0; + let mut x66: fiat_bign256_u1 = 0; + let (x65, x66) = fiat_bign256_addcarryx_u32(x64, x47, (0x0 as u32)); + let mut x67: u32 = 0; + let mut x68: fiat_bign256_u1 = 0; + let (x67, x68) = fiat_bign256_addcarryx_u32(x66, x49, (0x0 as u32)); + let mut x69: u32 = 0; + let mut x70: fiat_bign256_u1 = 0; + let (x69, x70) = fiat_bign256_addcarryx_u32(x68, x51, (0x0 as u32)); + let mut x71: u32 = 0; + let mut x72: u32 = 0; + let (x71, x72) = fiat_bign256_mulx_u32(x55, 0xea53fa95); + let mut x73: u32 = 0; + let mut x74: u32 = 0; + let (x73, x74) = fiat_bign256_mulx_u32(x71, 0xffffffff); + let mut x75: u32 = 0; + let mut x76: u32 = 0; + let (x75, x76) = fiat_bign256_mulx_u32(x71, 0xffffffff); + let mut x77: u32 = 0; + let mut x78: u32 = 0; + let (x77, x78) = fiat_bign256_mulx_u32(x71, 0xffffffff); + let mut x79: u32 = 0; + let mut x80: u32 = 0; + let (x79, x80) = fiat_bign256_mulx_u32(x71, 0xffffffff); + let mut x81: u32 = 0; + let mut x82: u32 = 0; + let (x81, x82) = fiat_bign256_mulx_u32(x71, 0xffffffff); + let mut x83: u32 = 0; + let mut x84: u32 = 0; + let (x83, x84) = fiat_bign256_mulx_u32(x71, 0xffffffff); + let mut x85: u32 = 0; + let mut x86: u32 = 0; + let (x85, x86) = fiat_bign256_mulx_u32(x71, 0xffffffff); + let mut x87: u32 = 0; + let mut x88: u32 = 0; + let (x87, x88) = fiat_bign256_mulx_u32(x71, 0xffffff43); + let mut x89: u32 = 0; + let mut x90: fiat_bign256_u1 = 0; + let (x89, x90) = fiat_bign256_addcarryx_u32(0x0, x88, x85); + let mut x91: u32 = 0; + let mut x92: fiat_bign256_u1 = 0; + let (x91, x92) = fiat_bign256_addcarryx_u32(x90, x86, x83); + let mut x93: u32 = 0; + let mut x94: fiat_bign256_u1 = 0; + let (x93, x94) = fiat_bign256_addcarryx_u32(x92, x84, x81); + let mut x95: u32 = 0; + let mut x96: fiat_bign256_u1 = 0; + let (x95, x96) = fiat_bign256_addcarryx_u32(x94, x82, x79); + let mut x97: u32 = 0; + let mut x98: fiat_bign256_u1 = 0; + let (x97, x98) = fiat_bign256_addcarryx_u32(x96, x80, x77); + let mut x99: u32 = 0; + let mut x100: fiat_bign256_u1 = 0; + let (x99, x100) = fiat_bign256_addcarryx_u32(x98, x78, x75); + let mut x101: u32 = 0; + let mut x102: fiat_bign256_u1 = 0; + let (x101, x102) = fiat_bign256_addcarryx_u32(x100, x76, x73); + let mut x103: u32 = 0; + let mut x104: fiat_bign256_u1 = 0; + let (x103, x104) = fiat_bign256_addcarryx_u32(0x0, x55, x87); + let mut x105: u32 = 0; + let mut x106: fiat_bign256_u1 = 0; + let (x105, x106) = fiat_bign256_addcarryx_u32(x104, x57, x89); + let mut x107: u32 = 0; + let mut x108: fiat_bign256_u1 = 0; + let (x107, x108) = fiat_bign256_addcarryx_u32(x106, x59, x91); + let mut x109: u32 = 0; + let mut x110: fiat_bign256_u1 = 0; + let (x109, x110) = fiat_bign256_addcarryx_u32(x108, x61, x93); + let mut x111: u32 = 0; + let mut x112: fiat_bign256_u1 = 0; + let (x111, x112) = fiat_bign256_addcarryx_u32(x110, x63, x95); + let mut x113: u32 = 0; + let mut x114: fiat_bign256_u1 = 0; + let (x113, x114) = fiat_bign256_addcarryx_u32(x112, x65, x97); + let mut x115: u32 = 0; + let mut x116: fiat_bign256_u1 = 0; + let (x115, x116) = fiat_bign256_addcarryx_u32(x114, x67, x99); + let mut x117: u32 = 0; + let mut x118: fiat_bign256_u1 = 0; + let (x117, x118) = fiat_bign256_addcarryx_u32(x116, x69, x101); + let mut x119: u32 = 0; + let mut x120: fiat_bign256_u1 = 0; + let (x119, x120) = + fiat_bign256_addcarryx_u32(x118, ((x70 as u32) + (x52 as u32)), ((x102 as u32) + x74)); + let mut x121: u32 = 0; + let mut x122: u32 = 0; + let (x121, x122) = fiat_bign256_mulx_u32((arg1[2]), 0x8b89); + let mut x123: u32 = 0; + let mut x124: fiat_bign256_u1 = 0; + let (x123, x124) = fiat_bign256_addcarryx_u32(0x0, x105, x121); + let mut x125: u32 = 0; + let mut x126: fiat_bign256_u1 = 0; + let (x125, x126) = fiat_bign256_addcarryx_u32(x124, x107, x122); + let mut x127: u32 = 0; + let mut x128: fiat_bign256_u1 = 0; + let (x127, x128) = fiat_bign256_addcarryx_u32(x126, x109, (0x0 as u32)); + let mut x129: u32 = 0; + let mut x130: fiat_bign256_u1 = 0; + let (x129, x130) = fiat_bign256_addcarryx_u32(x128, x111, (0x0 as u32)); + let mut x131: u32 = 0; + let mut x132: fiat_bign256_u1 = 0; + let (x131, x132) = fiat_bign256_addcarryx_u32(x130, x113, (0x0 as u32)); + let mut x133: u32 = 0; + let mut x134: fiat_bign256_u1 = 0; + let (x133, x134) = fiat_bign256_addcarryx_u32(x132, x115, (0x0 as u32)); + let mut x135: u32 = 0; + let mut x136: fiat_bign256_u1 = 0; + let (x135, x136) = fiat_bign256_addcarryx_u32(x134, x117, (0x0 as u32)); + let mut x137: u32 = 0; + let mut x138: fiat_bign256_u1 = 0; + let (x137, x138) = fiat_bign256_addcarryx_u32(x136, x119, (0x0 as u32)); + let mut x139: u32 = 0; + let mut x140: u32 = 0; + let (x139, x140) = fiat_bign256_mulx_u32(x123, 0xea53fa95); + let mut x141: u32 = 0; + let mut x142: u32 = 0; + let (x141, x142) = fiat_bign256_mulx_u32(x139, 0xffffffff); + let mut x143: u32 = 0; + let mut x144: u32 = 0; + let (x143, x144) = fiat_bign256_mulx_u32(x139, 0xffffffff); + let mut x145: u32 = 0; + let mut x146: u32 = 0; + let (x145, x146) = fiat_bign256_mulx_u32(x139, 0xffffffff); + let mut x147: u32 = 0; + let mut x148: u32 = 0; + let (x147, x148) = fiat_bign256_mulx_u32(x139, 0xffffffff); + let mut x149: u32 = 0; + let mut x150: u32 = 0; + let (x149, x150) = fiat_bign256_mulx_u32(x139, 0xffffffff); + let mut x151: u32 = 0; + let mut x152: u32 = 0; + let (x151, x152) = fiat_bign256_mulx_u32(x139, 0xffffffff); + let mut x153: u32 = 0; + let mut x154: u32 = 0; + let (x153, x154) = fiat_bign256_mulx_u32(x139, 0xffffffff); + let mut x155: u32 = 0; + let mut x156: u32 = 0; + let (x155, x156) = fiat_bign256_mulx_u32(x139, 0xffffff43); + let mut x157: u32 = 0; + let mut x158: fiat_bign256_u1 = 0; + let (x157, x158) = fiat_bign256_addcarryx_u32(0x0, x156, x153); + let mut x159: u32 = 0; + let mut x160: fiat_bign256_u1 = 0; + let (x159, x160) = fiat_bign256_addcarryx_u32(x158, x154, x151); + let mut x161: u32 = 0; + let mut x162: fiat_bign256_u1 = 0; + let (x161, x162) = fiat_bign256_addcarryx_u32(x160, x152, x149); + let mut x163: u32 = 0; + let mut x164: fiat_bign256_u1 = 0; + let (x163, x164) = fiat_bign256_addcarryx_u32(x162, x150, x147); + let mut x165: u32 = 0; + let mut x166: fiat_bign256_u1 = 0; + let (x165, x166) = fiat_bign256_addcarryx_u32(x164, x148, x145); + let mut x167: u32 = 0; + let mut x168: fiat_bign256_u1 = 0; + let (x167, x168) = fiat_bign256_addcarryx_u32(x166, x146, x143); + let mut x169: u32 = 0; + let mut x170: fiat_bign256_u1 = 0; + let (x169, x170) = fiat_bign256_addcarryx_u32(x168, x144, x141); + let mut x171: u32 = 0; + let mut x172: fiat_bign256_u1 = 0; + let (x171, x172) = fiat_bign256_addcarryx_u32(0x0, x123, x155); + let mut x173: u32 = 0; + let mut x174: fiat_bign256_u1 = 0; + let (x173, x174) = fiat_bign256_addcarryx_u32(x172, x125, x157); + let mut x175: u32 = 0; + let mut x176: fiat_bign256_u1 = 0; + let (x175, x176) = fiat_bign256_addcarryx_u32(x174, x127, x159); + let mut x177: u32 = 0; + let mut x178: fiat_bign256_u1 = 0; + let (x177, x178) = fiat_bign256_addcarryx_u32(x176, x129, x161); + let mut x179: u32 = 0; + let mut x180: fiat_bign256_u1 = 0; + let (x179, x180) = fiat_bign256_addcarryx_u32(x178, x131, x163); + let mut x181: u32 = 0; + let mut x182: fiat_bign256_u1 = 0; + let (x181, x182) = fiat_bign256_addcarryx_u32(x180, x133, x165); + let mut x183: u32 = 0; + let mut x184: fiat_bign256_u1 = 0; + let (x183, x184) = fiat_bign256_addcarryx_u32(x182, x135, x167); + let mut x185: u32 = 0; + let mut x186: fiat_bign256_u1 = 0; + let (x185, x186) = fiat_bign256_addcarryx_u32(x184, x137, x169); + let mut x187: u32 = 0; + let mut x188: fiat_bign256_u1 = 0; + let (x187, x188) = fiat_bign256_addcarryx_u32( + x186, + ((x138 as u32) + (x120 as u32)), + ((x170 as u32) + x142), + ); + let mut x189: u32 = 0; + let mut x190: u32 = 0; + let (x189, x190) = fiat_bign256_mulx_u32((arg1[3]), 0x8b89); + let mut x191: u32 = 0; + let mut x192: fiat_bign256_u1 = 0; + let (x191, x192) = fiat_bign256_addcarryx_u32(0x0, x173, x189); + let mut x193: u32 = 0; + let mut x194: fiat_bign256_u1 = 0; + let (x193, x194) = fiat_bign256_addcarryx_u32(x192, x175, x190); + let mut x195: u32 = 0; + let mut x196: fiat_bign256_u1 = 0; + let (x195, x196) = fiat_bign256_addcarryx_u32(x194, x177, (0x0 as u32)); + let mut x197: u32 = 0; + let mut x198: fiat_bign256_u1 = 0; + let (x197, x198) = fiat_bign256_addcarryx_u32(x196, x179, (0x0 as u32)); + let mut x199: u32 = 0; + let mut x200: fiat_bign256_u1 = 0; + let (x199, x200) = fiat_bign256_addcarryx_u32(x198, x181, (0x0 as u32)); + let mut x201: u32 = 0; + let mut x202: fiat_bign256_u1 = 0; + let (x201, x202) = fiat_bign256_addcarryx_u32(x200, x183, (0x0 as u32)); + let mut x203: u32 = 0; + let mut x204: fiat_bign256_u1 = 0; + let (x203, x204) = fiat_bign256_addcarryx_u32(x202, x185, (0x0 as u32)); + let mut x205: u32 = 0; + let mut x206: fiat_bign256_u1 = 0; + let (x205, x206) = fiat_bign256_addcarryx_u32(x204, x187, (0x0 as u32)); + let mut x207: u32 = 0; + let mut x208: u32 = 0; + let (x207, x208) = fiat_bign256_mulx_u32(x191, 0xea53fa95); + let mut x209: u32 = 0; + let mut x210: u32 = 0; + let (x209, x210) = fiat_bign256_mulx_u32(x207, 0xffffffff); + let mut x211: u32 = 0; + let mut x212: u32 = 0; + let (x211, x212) = fiat_bign256_mulx_u32(x207, 0xffffffff); + let mut x213: u32 = 0; + let mut x214: u32 = 0; + let (x213, x214) = fiat_bign256_mulx_u32(x207, 0xffffffff); + let mut x215: u32 = 0; + let mut x216: u32 = 0; + let (x215, x216) = fiat_bign256_mulx_u32(x207, 0xffffffff); + let mut x217: u32 = 0; + let mut x218: u32 = 0; + let (x217, x218) = fiat_bign256_mulx_u32(x207, 0xffffffff); + let mut x219: u32 = 0; + let mut x220: u32 = 0; + let (x219, x220) = fiat_bign256_mulx_u32(x207, 0xffffffff); + let mut x221: u32 = 0; + let mut x222: u32 = 0; + let (x221, x222) = fiat_bign256_mulx_u32(x207, 0xffffffff); + let mut x223: u32 = 0; + let mut x224: u32 = 0; + let (x223, x224) = fiat_bign256_mulx_u32(x207, 0xffffff43); + let mut x225: u32 = 0; + let mut x226: fiat_bign256_u1 = 0; + let (x225, x226) = fiat_bign256_addcarryx_u32(0x0, x224, x221); + let mut x227: u32 = 0; + let mut x228: fiat_bign256_u1 = 0; + let (x227, x228) = fiat_bign256_addcarryx_u32(x226, x222, x219); + let mut x229: u32 = 0; + let mut x230: fiat_bign256_u1 = 0; + let (x229, x230) = fiat_bign256_addcarryx_u32(x228, x220, x217); + let mut x231: u32 = 0; + let mut x232: fiat_bign256_u1 = 0; + let (x231, x232) = fiat_bign256_addcarryx_u32(x230, x218, x215); + let mut x233: u32 = 0; + let mut x234: fiat_bign256_u1 = 0; + let (x233, x234) = fiat_bign256_addcarryx_u32(x232, x216, x213); + let mut x235: u32 = 0; + let mut x236: fiat_bign256_u1 = 0; + let (x235, x236) = fiat_bign256_addcarryx_u32(x234, x214, x211); + let mut x237: u32 = 0; + let mut x238: fiat_bign256_u1 = 0; + let (x237, x238) = fiat_bign256_addcarryx_u32(x236, x212, x209); + let mut x239: u32 = 0; + let mut x240: fiat_bign256_u1 = 0; + let (x239, x240) = fiat_bign256_addcarryx_u32(0x0, x191, x223); + let mut x241: u32 = 0; + let mut x242: fiat_bign256_u1 = 0; + let (x241, x242) = fiat_bign256_addcarryx_u32(x240, x193, x225); + let mut x243: u32 = 0; + let mut x244: fiat_bign256_u1 = 0; + let (x243, x244) = fiat_bign256_addcarryx_u32(x242, x195, x227); + let mut x245: u32 = 0; + let mut x246: fiat_bign256_u1 = 0; + let (x245, x246) = fiat_bign256_addcarryx_u32(x244, x197, x229); + let mut x247: u32 = 0; + let mut x248: fiat_bign256_u1 = 0; + let (x247, x248) = fiat_bign256_addcarryx_u32(x246, x199, x231); + let mut x249: u32 = 0; + let mut x250: fiat_bign256_u1 = 0; + let (x249, x250) = fiat_bign256_addcarryx_u32(x248, x201, x233); + let mut x251: u32 = 0; + let mut x252: fiat_bign256_u1 = 0; + let (x251, x252) = fiat_bign256_addcarryx_u32(x250, x203, x235); + let mut x253: u32 = 0; + let mut x254: fiat_bign256_u1 = 0; + let (x253, x254) = fiat_bign256_addcarryx_u32(x252, x205, x237); + let mut x255: u32 = 0; + let mut x256: fiat_bign256_u1 = 0; + let (x255, x256) = fiat_bign256_addcarryx_u32( + x254, + ((x206 as u32) + (x188 as u32)), + ((x238 as u32) + x210), + ); + let mut x257: u32 = 0; + let mut x258: u32 = 0; + let (x257, x258) = fiat_bign256_mulx_u32((arg1[4]), 0x8b89); + let mut x259: u32 = 0; + let mut x260: fiat_bign256_u1 = 0; + let (x259, x260) = fiat_bign256_addcarryx_u32(0x0, x241, x257); + let mut x261: u32 = 0; + let mut x262: fiat_bign256_u1 = 0; + let (x261, x262) = fiat_bign256_addcarryx_u32(x260, x243, x258); + let mut x263: u32 = 0; + let mut x264: fiat_bign256_u1 = 0; + let (x263, x264) = fiat_bign256_addcarryx_u32(x262, x245, (0x0 as u32)); + let mut x265: u32 = 0; + let mut x266: fiat_bign256_u1 = 0; + let (x265, x266) = fiat_bign256_addcarryx_u32(x264, x247, (0x0 as u32)); + let mut x267: u32 = 0; + let mut x268: fiat_bign256_u1 = 0; + let (x267, x268) = fiat_bign256_addcarryx_u32(x266, x249, (0x0 as u32)); + let mut x269: u32 = 0; + let mut x270: fiat_bign256_u1 = 0; + let (x269, x270) = fiat_bign256_addcarryx_u32(x268, x251, (0x0 as u32)); + let mut x271: u32 = 0; + let mut x272: fiat_bign256_u1 = 0; + let (x271, x272) = fiat_bign256_addcarryx_u32(x270, x253, (0x0 as u32)); + let mut x273: u32 = 0; + let mut x274: fiat_bign256_u1 = 0; + let (x273, x274) = fiat_bign256_addcarryx_u32(x272, x255, (0x0 as u32)); + let mut x275: u32 = 0; + let mut x276: u32 = 0; + let (x275, x276) = fiat_bign256_mulx_u32(x259, 0xea53fa95); + let mut x277: u32 = 0; + let mut x278: u32 = 0; + let (x277, x278) = fiat_bign256_mulx_u32(x275, 0xffffffff); + let mut x279: u32 = 0; + let mut x280: u32 = 0; + let (x279, x280) = fiat_bign256_mulx_u32(x275, 0xffffffff); + let mut x281: u32 = 0; + let mut x282: u32 = 0; + let (x281, x282) = fiat_bign256_mulx_u32(x275, 0xffffffff); + let mut x283: u32 = 0; + let mut x284: u32 = 0; + let (x283, x284) = fiat_bign256_mulx_u32(x275, 0xffffffff); + let mut x285: u32 = 0; + let mut x286: u32 = 0; + let (x285, x286) = fiat_bign256_mulx_u32(x275, 0xffffffff); + let mut x287: u32 = 0; + let mut x288: u32 = 0; + let (x287, x288) = fiat_bign256_mulx_u32(x275, 0xffffffff); + let mut x289: u32 = 0; + let mut x290: u32 = 0; + let (x289, x290) = fiat_bign256_mulx_u32(x275, 0xffffffff); + let mut x291: u32 = 0; + let mut x292: u32 = 0; + let (x291, x292) = fiat_bign256_mulx_u32(x275, 0xffffff43); + let mut x293: u32 = 0; + let mut x294: fiat_bign256_u1 = 0; + let (x293, x294) = fiat_bign256_addcarryx_u32(0x0, x292, x289); + let mut x295: u32 = 0; + let mut x296: fiat_bign256_u1 = 0; + let (x295, x296) = fiat_bign256_addcarryx_u32(x294, x290, x287); + let mut x297: u32 = 0; + let mut x298: fiat_bign256_u1 = 0; + let (x297, x298) = fiat_bign256_addcarryx_u32(x296, x288, x285); + let mut x299: u32 = 0; + let mut x300: fiat_bign256_u1 = 0; + let (x299, x300) = fiat_bign256_addcarryx_u32(x298, x286, x283); + let mut x301: u32 = 0; + let mut x302: fiat_bign256_u1 = 0; + let (x301, x302) = fiat_bign256_addcarryx_u32(x300, x284, x281); + let mut x303: u32 = 0; + let mut x304: fiat_bign256_u1 = 0; + let (x303, x304) = fiat_bign256_addcarryx_u32(x302, x282, x279); + let mut x305: u32 = 0; + let mut x306: fiat_bign256_u1 = 0; + let (x305, x306) = fiat_bign256_addcarryx_u32(x304, x280, x277); + let mut x307: u32 = 0; + let mut x308: fiat_bign256_u1 = 0; + let (x307, x308) = fiat_bign256_addcarryx_u32(0x0, x259, x291); + let mut x309: u32 = 0; + let mut x310: fiat_bign256_u1 = 0; + let (x309, x310) = fiat_bign256_addcarryx_u32(x308, x261, x293); + let mut x311: u32 = 0; + let mut x312: fiat_bign256_u1 = 0; + let (x311, x312) = fiat_bign256_addcarryx_u32(x310, x263, x295); + let mut x313: u32 = 0; + let mut x314: fiat_bign256_u1 = 0; + let (x313, x314) = fiat_bign256_addcarryx_u32(x312, x265, x297); + let mut x315: u32 = 0; + let mut x316: fiat_bign256_u1 = 0; + let (x315, x316) = fiat_bign256_addcarryx_u32(x314, x267, x299); + let mut x317: u32 = 0; + let mut x318: fiat_bign256_u1 = 0; + let (x317, x318) = fiat_bign256_addcarryx_u32(x316, x269, x301); + let mut x319: u32 = 0; + let mut x320: fiat_bign256_u1 = 0; + let (x319, x320) = fiat_bign256_addcarryx_u32(x318, x271, x303); + let mut x321: u32 = 0; + let mut x322: fiat_bign256_u1 = 0; + let (x321, x322) = fiat_bign256_addcarryx_u32(x320, x273, x305); + let mut x323: u32 = 0; + let mut x324: fiat_bign256_u1 = 0; + let (x323, x324) = fiat_bign256_addcarryx_u32( + x322, + ((x274 as u32) + (x256 as u32)), + ((x306 as u32) + x278), + ); + let mut x325: u32 = 0; + let mut x326: u32 = 0; + let (x325, x326) = fiat_bign256_mulx_u32((arg1[5]), 0x8b89); + let mut x327: u32 = 0; + let mut x328: fiat_bign256_u1 = 0; + let (x327, x328) = fiat_bign256_addcarryx_u32(0x0, x309, x325); + let mut x329: u32 = 0; + let mut x330: fiat_bign256_u1 = 0; + let (x329, x330) = fiat_bign256_addcarryx_u32(x328, x311, x326); + let mut x331: u32 = 0; + let mut x332: fiat_bign256_u1 = 0; + let (x331, x332) = fiat_bign256_addcarryx_u32(x330, x313, (0x0 as u32)); + let mut x333: u32 = 0; + let mut x334: fiat_bign256_u1 = 0; + let (x333, x334) = fiat_bign256_addcarryx_u32(x332, x315, (0x0 as u32)); + let mut x335: u32 = 0; + let mut x336: fiat_bign256_u1 = 0; + let (x335, x336) = fiat_bign256_addcarryx_u32(x334, x317, (0x0 as u32)); + let mut x337: u32 = 0; + let mut x338: fiat_bign256_u1 = 0; + let (x337, x338) = fiat_bign256_addcarryx_u32(x336, x319, (0x0 as u32)); + let mut x339: u32 = 0; + let mut x340: fiat_bign256_u1 = 0; + let (x339, x340) = fiat_bign256_addcarryx_u32(x338, x321, (0x0 as u32)); + let mut x341: u32 = 0; + let mut x342: fiat_bign256_u1 = 0; + let (x341, x342) = fiat_bign256_addcarryx_u32(x340, x323, (0x0 as u32)); + let mut x343: u32 = 0; + let mut x344: u32 = 0; + let (x343, x344) = fiat_bign256_mulx_u32(x327, 0xea53fa95); + let mut x345: u32 = 0; + let mut x346: u32 = 0; + let (x345, x346) = fiat_bign256_mulx_u32(x343, 0xffffffff); + let mut x347: u32 = 0; + let mut x348: u32 = 0; + let (x347, x348) = fiat_bign256_mulx_u32(x343, 0xffffffff); + let mut x349: u32 = 0; + let mut x350: u32 = 0; + let (x349, x350) = fiat_bign256_mulx_u32(x343, 0xffffffff); + let mut x351: u32 = 0; + let mut x352: u32 = 0; + let (x351, x352) = fiat_bign256_mulx_u32(x343, 0xffffffff); + let mut x353: u32 = 0; + let mut x354: u32 = 0; + let (x353, x354) = fiat_bign256_mulx_u32(x343, 0xffffffff); + let mut x355: u32 = 0; + let mut x356: u32 = 0; + let (x355, x356) = fiat_bign256_mulx_u32(x343, 0xffffffff); + let mut x357: u32 = 0; + let mut x358: u32 = 0; + let (x357, x358) = fiat_bign256_mulx_u32(x343, 0xffffffff); + let mut x359: u32 = 0; + let mut x360: u32 = 0; + let (x359, x360) = fiat_bign256_mulx_u32(x343, 0xffffff43); + let mut x361: u32 = 0; + let mut x362: fiat_bign256_u1 = 0; + let (x361, x362) = fiat_bign256_addcarryx_u32(0x0, x360, x357); + let mut x363: u32 = 0; + let mut x364: fiat_bign256_u1 = 0; + let (x363, x364) = fiat_bign256_addcarryx_u32(x362, x358, x355); + let mut x365: u32 = 0; + let mut x366: fiat_bign256_u1 = 0; + let (x365, x366) = fiat_bign256_addcarryx_u32(x364, x356, x353); + let mut x367: u32 = 0; + let mut x368: fiat_bign256_u1 = 0; + let (x367, x368) = fiat_bign256_addcarryx_u32(x366, x354, x351); + let mut x369: u32 = 0; + let mut x370: fiat_bign256_u1 = 0; + let (x369, x370) = fiat_bign256_addcarryx_u32(x368, x352, x349); + let mut x371: u32 = 0; + let mut x372: fiat_bign256_u1 = 0; + let (x371, x372) = fiat_bign256_addcarryx_u32(x370, x350, x347); + let mut x373: u32 = 0; + let mut x374: fiat_bign256_u1 = 0; + let (x373, x374) = fiat_bign256_addcarryx_u32(x372, x348, x345); + let mut x375: u32 = 0; + let mut x376: fiat_bign256_u1 = 0; + let (x375, x376) = fiat_bign256_addcarryx_u32(0x0, x327, x359); + let mut x377: u32 = 0; + let mut x378: fiat_bign256_u1 = 0; + let (x377, x378) = fiat_bign256_addcarryx_u32(x376, x329, x361); + let mut x379: u32 = 0; + let mut x380: fiat_bign256_u1 = 0; + let (x379, x380) = fiat_bign256_addcarryx_u32(x378, x331, x363); + let mut x381: u32 = 0; + let mut x382: fiat_bign256_u1 = 0; + let (x381, x382) = fiat_bign256_addcarryx_u32(x380, x333, x365); + let mut x383: u32 = 0; + let mut x384: fiat_bign256_u1 = 0; + let (x383, x384) = fiat_bign256_addcarryx_u32(x382, x335, x367); + let mut x385: u32 = 0; + let mut x386: fiat_bign256_u1 = 0; + let (x385, x386) = fiat_bign256_addcarryx_u32(x384, x337, x369); + let mut x387: u32 = 0; + let mut x388: fiat_bign256_u1 = 0; + let (x387, x388) = fiat_bign256_addcarryx_u32(x386, x339, x371); + let mut x389: u32 = 0; + let mut x390: fiat_bign256_u1 = 0; + let (x389, x390) = fiat_bign256_addcarryx_u32(x388, x341, x373); + let mut x391: u32 = 0; + let mut x392: fiat_bign256_u1 = 0; + let (x391, x392) = fiat_bign256_addcarryx_u32( + x390, + ((x342 as u32) + (x324 as u32)), + ((x374 as u32) + x346), + ); + let mut x393: u32 = 0; + let mut x394: u32 = 0; + let (x393, x394) = fiat_bign256_mulx_u32((arg1[6]), 0x8b89); + let mut x395: u32 = 0; + let mut x396: fiat_bign256_u1 = 0; + let (x395, x396) = fiat_bign256_addcarryx_u32(0x0, x377, x393); + let mut x397: u32 = 0; + let mut x398: fiat_bign256_u1 = 0; + let (x397, x398) = fiat_bign256_addcarryx_u32(x396, x379, x394); + let mut x399: u32 = 0; + let mut x400: fiat_bign256_u1 = 0; + let (x399, x400) = fiat_bign256_addcarryx_u32(x398, x381, (0x0 as u32)); + let mut x401: u32 = 0; + let mut x402: fiat_bign256_u1 = 0; + let (x401, x402) = fiat_bign256_addcarryx_u32(x400, x383, (0x0 as u32)); + let mut x403: u32 = 0; + let mut x404: fiat_bign256_u1 = 0; + let (x403, x404) = fiat_bign256_addcarryx_u32(x402, x385, (0x0 as u32)); + let mut x405: u32 = 0; + let mut x406: fiat_bign256_u1 = 0; + let (x405, x406) = fiat_bign256_addcarryx_u32(x404, x387, (0x0 as u32)); + let mut x407: u32 = 0; + let mut x408: fiat_bign256_u1 = 0; + let (x407, x408) = fiat_bign256_addcarryx_u32(x406, x389, (0x0 as u32)); + let mut x409: u32 = 0; + let mut x410: fiat_bign256_u1 = 0; + let (x409, x410) = fiat_bign256_addcarryx_u32(x408, x391, (0x0 as u32)); + let mut x411: u32 = 0; + let mut x412: u32 = 0; + let (x411, x412) = fiat_bign256_mulx_u32(x395, 0xea53fa95); + let mut x413: u32 = 0; + let mut x414: u32 = 0; + let (x413, x414) = fiat_bign256_mulx_u32(x411, 0xffffffff); + let mut x415: u32 = 0; + let mut x416: u32 = 0; + let (x415, x416) = fiat_bign256_mulx_u32(x411, 0xffffffff); + let mut x417: u32 = 0; + let mut x418: u32 = 0; + let (x417, x418) = fiat_bign256_mulx_u32(x411, 0xffffffff); + let mut x419: u32 = 0; + let mut x420: u32 = 0; + let (x419, x420) = fiat_bign256_mulx_u32(x411, 0xffffffff); + let mut x421: u32 = 0; + let mut x422: u32 = 0; + let (x421, x422) = fiat_bign256_mulx_u32(x411, 0xffffffff); + let mut x423: u32 = 0; + let mut x424: u32 = 0; + let (x423, x424) = fiat_bign256_mulx_u32(x411, 0xffffffff); + let mut x425: u32 = 0; + let mut x426: u32 = 0; + let (x425, x426) = fiat_bign256_mulx_u32(x411, 0xffffffff); + let mut x427: u32 = 0; + let mut x428: u32 = 0; + let (x427, x428) = fiat_bign256_mulx_u32(x411, 0xffffff43); + let mut x429: u32 = 0; + let mut x430: fiat_bign256_u1 = 0; + let (x429, x430) = fiat_bign256_addcarryx_u32(0x0, x428, x425); + let mut x431: u32 = 0; + let mut x432: fiat_bign256_u1 = 0; + let (x431, x432) = fiat_bign256_addcarryx_u32(x430, x426, x423); + let mut x433: u32 = 0; + let mut x434: fiat_bign256_u1 = 0; + let (x433, x434) = fiat_bign256_addcarryx_u32(x432, x424, x421); + let mut x435: u32 = 0; + let mut x436: fiat_bign256_u1 = 0; + let (x435, x436) = fiat_bign256_addcarryx_u32(x434, x422, x419); + let mut x437: u32 = 0; + let mut x438: fiat_bign256_u1 = 0; + let (x437, x438) = fiat_bign256_addcarryx_u32(x436, x420, x417); + let mut x439: u32 = 0; + let mut x440: fiat_bign256_u1 = 0; + let (x439, x440) = fiat_bign256_addcarryx_u32(x438, x418, x415); + let mut x441: u32 = 0; + let mut x442: fiat_bign256_u1 = 0; + let (x441, x442) = fiat_bign256_addcarryx_u32(x440, x416, x413); + let mut x443: u32 = 0; + let mut x444: fiat_bign256_u1 = 0; + let (x443, x444) = fiat_bign256_addcarryx_u32(0x0, x395, x427); + let mut x445: u32 = 0; + let mut x446: fiat_bign256_u1 = 0; + let (x445, x446) = fiat_bign256_addcarryx_u32(x444, x397, x429); + let mut x447: u32 = 0; + let mut x448: fiat_bign256_u1 = 0; + let (x447, x448) = fiat_bign256_addcarryx_u32(x446, x399, x431); + let mut x449: u32 = 0; + let mut x450: fiat_bign256_u1 = 0; + let (x449, x450) = fiat_bign256_addcarryx_u32(x448, x401, x433); + let mut x451: u32 = 0; + let mut x452: fiat_bign256_u1 = 0; + let (x451, x452) = fiat_bign256_addcarryx_u32(x450, x403, x435); + let mut x453: u32 = 0; + let mut x454: fiat_bign256_u1 = 0; + let (x453, x454) = fiat_bign256_addcarryx_u32(x452, x405, x437); + let mut x455: u32 = 0; + let mut x456: fiat_bign256_u1 = 0; + let (x455, x456) = fiat_bign256_addcarryx_u32(x454, x407, x439); + let mut x457: u32 = 0; + let mut x458: fiat_bign256_u1 = 0; + let (x457, x458) = fiat_bign256_addcarryx_u32(x456, x409, x441); + let mut x459: u32 = 0; + let mut x460: fiat_bign256_u1 = 0; + let (x459, x460) = fiat_bign256_addcarryx_u32( + x458, + ((x410 as u32) + (x392 as u32)), + ((x442 as u32) + x414), + ); + let mut x461: u32 = 0; + let mut x462: u32 = 0; + let (x461, x462) = fiat_bign256_mulx_u32((arg1[7]), 0x8b89); + let mut x463: u32 = 0; + let mut x464: fiat_bign256_u1 = 0; + let (x463, x464) = fiat_bign256_addcarryx_u32(0x0, x445, x461); + let mut x465: u32 = 0; + let mut x466: fiat_bign256_u1 = 0; + let (x465, x466) = fiat_bign256_addcarryx_u32(x464, x447, x462); + let mut x467: u32 = 0; + let mut x468: fiat_bign256_u1 = 0; + let (x467, x468) = fiat_bign256_addcarryx_u32(x466, x449, (0x0 as u32)); + let mut x469: u32 = 0; + let mut x470: fiat_bign256_u1 = 0; + let (x469, x470) = fiat_bign256_addcarryx_u32(x468, x451, (0x0 as u32)); + let mut x471: u32 = 0; + let mut x472: fiat_bign256_u1 = 0; + let (x471, x472) = fiat_bign256_addcarryx_u32(x470, x453, (0x0 as u32)); + let mut x473: u32 = 0; + let mut x474: fiat_bign256_u1 = 0; + let (x473, x474) = fiat_bign256_addcarryx_u32(x472, x455, (0x0 as u32)); + let mut x475: u32 = 0; + let mut x476: fiat_bign256_u1 = 0; + let (x475, x476) = fiat_bign256_addcarryx_u32(x474, x457, (0x0 as u32)); + let mut x477: u32 = 0; + let mut x478: fiat_bign256_u1 = 0; + let (x477, x478) = fiat_bign256_addcarryx_u32(x476, x459, (0x0 as u32)); + let mut x479: u32 = 0; + let mut x480: u32 = 0; + let (x479, x480) = fiat_bign256_mulx_u32(x463, 0xea53fa95); + let mut x481: u32 = 0; + let mut x482: u32 = 0; + let (x481, x482) = fiat_bign256_mulx_u32(x479, 0xffffffff); + let mut x483: u32 = 0; + let mut x484: u32 = 0; + let (x483, x484) = fiat_bign256_mulx_u32(x479, 0xffffffff); + let mut x485: u32 = 0; + let mut x486: u32 = 0; + let (x485, x486) = fiat_bign256_mulx_u32(x479, 0xffffffff); + let mut x487: u32 = 0; + let mut x488: u32 = 0; + let (x487, x488) = fiat_bign256_mulx_u32(x479, 0xffffffff); + let mut x489: u32 = 0; + let mut x490: u32 = 0; + let (x489, x490) = fiat_bign256_mulx_u32(x479, 0xffffffff); + let mut x491: u32 = 0; + let mut x492: u32 = 0; + let (x491, x492) = fiat_bign256_mulx_u32(x479, 0xffffffff); + let mut x493: u32 = 0; + let mut x494: u32 = 0; + let (x493, x494) = fiat_bign256_mulx_u32(x479, 0xffffffff); + let mut x495: u32 = 0; + let mut x496: u32 = 0; + let (x495, x496) = fiat_bign256_mulx_u32(x479, 0xffffff43); + let mut x497: u32 = 0; + let mut x498: fiat_bign256_u1 = 0; + let (x497, x498) = fiat_bign256_addcarryx_u32(0x0, x496, x493); + let mut x499: u32 = 0; + let mut x500: fiat_bign256_u1 = 0; + let (x499, x500) = fiat_bign256_addcarryx_u32(x498, x494, x491); + let mut x501: u32 = 0; + let mut x502: fiat_bign256_u1 = 0; + let (x501, x502) = fiat_bign256_addcarryx_u32(x500, x492, x489); + let mut x503: u32 = 0; + let mut x504: fiat_bign256_u1 = 0; + let (x503, x504) = fiat_bign256_addcarryx_u32(x502, x490, x487); + let mut x505: u32 = 0; + let mut x506: fiat_bign256_u1 = 0; + let (x505, x506) = fiat_bign256_addcarryx_u32(x504, x488, x485); + let mut x507: u32 = 0; + let mut x508: fiat_bign256_u1 = 0; + let (x507, x508) = fiat_bign256_addcarryx_u32(x506, x486, x483); + let mut x509: u32 = 0; + let mut x510: fiat_bign256_u1 = 0; + let (x509, x510) = fiat_bign256_addcarryx_u32(x508, x484, x481); + let mut x511: u32 = 0; + let mut x512: fiat_bign256_u1 = 0; + let (x511, x512) = fiat_bign256_addcarryx_u32(0x0, x463, x495); + let mut x513: u32 = 0; + let mut x514: fiat_bign256_u1 = 0; + let (x513, x514) = fiat_bign256_addcarryx_u32(x512, x465, x497); + let mut x515: u32 = 0; + let mut x516: fiat_bign256_u1 = 0; + let (x515, x516) = fiat_bign256_addcarryx_u32(x514, x467, x499); + let mut x517: u32 = 0; + let mut x518: fiat_bign256_u1 = 0; + let (x517, x518) = fiat_bign256_addcarryx_u32(x516, x469, x501); + let mut x519: u32 = 0; + let mut x520: fiat_bign256_u1 = 0; + let (x519, x520) = fiat_bign256_addcarryx_u32(x518, x471, x503); + let mut x521: u32 = 0; + let mut x522: fiat_bign256_u1 = 0; + let (x521, x522) = fiat_bign256_addcarryx_u32(x520, x473, x505); + let mut x523: u32 = 0; + let mut x524: fiat_bign256_u1 = 0; + let (x523, x524) = fiat_bign256_addcarryx_u32(x522, x475, x507); + let mut x525: u32 = 0; + let mut x526: fiat_bign256_u1 = 0; + let (x525, x526) = fiat_bign256_addcarryx_u32(x524, x477, x509); + let mut x527: u32 = 0; + let mut x528: fiat_bign256_u1 = 0; + let (x527, x528) = fiat_bign256_addcarryx_u32( + x526, + ((x478 as u32) + (x460 as u32)), + ((x510 as u32) + x482), + ); + let mut x529: u32 = 0; + let mut x530: fiat_bign256_u1 = 0; + let (x529, x530) = fiat_bign256_subborrowx_u32(0x0, x513, 0xffffff43); + let mut x531: u32 = 0; + let mut x532: fiat_bign256_u1 = 0; + let (x531, x532) = fiat_bign256_subborrowx_u32(x530, x515, 0xffffffff); + let mut x533: u32 = 0; + let mut x534: fiat_bign256_u1 = 0; + let (x533, x534) = fiat_bign256_subborrowx_u32(x532, x517, 0xffffffff); + let mut x535: u32 = 0; + let mut x536: fiat_bign256_u1 = 0; + let (x535, x536) = fiat_bign256_subborrowx_u32(x534, x519, 0xffffffff); + let mut x537: u32 = 0; + let mut x538: fiat_bign256_u1 = 0; + let (x537, x538) = fiat_bign256_subborrowx_u32(x536, x521, 0xffffffff); + let mut x539: u32 = 0; + let mut x540: fiat_bign256_u1 = 0; + let (x539, x540) = fiat_bign256_subborrowx_u32(x538, x523, 0xffffffff); + let mut x541: u32 = 0; + let mut x542: fiat_bign256_u1 = 0; + let (x541, x542) = fiat_bign256_subborrowx_u32(x540, x525, 0xffffffff); + let mut x543: u32 = 0; + let mut x544: fiat_bign256_u1 = 0; + let (x543, x544) = fiat_bign256_subborrowx_u32(x542, x527, 0xffffffff); + let mut x545: u32 = 0; + let mut x546: fiat_bign256_u1 = 0; + let (x545, x546) = fiat_bign256_subborrowx_u32(x544, (x528 as u32), (0x0 as u32)); + let mut x547: u32 = 0; + let (x547) = fiat_bign256_cmovznz_u32(x546, x529, x513); + let mut x548: u32 = 0; + let (x548) = fiat_bign256_cmovznz_u32(x546, x531, x515); + let mut x549: u32 = 0; + let (x549) = fiat_bign256_cmovznz_u32(x546, x533, x517); + let mut x550: u32 = 0; + let (x550) = fiat_bign256_cmovznz_u32(x546, x535, x519); + let mut x551: u32 = 0; + let (x551) = fiat_bign256_cmovznz_u32(x546, x537, x521); + let mut x552: u32 = 0; + let (x552) = fiat_bign256_cmovznz_u32(x546, x539, x523); + let mut x553: u32 = 0; + let (x553) = fiat_bign256_cmovznz_u32(x546, x541, x525); + let mut x554: u32 = 0; + let (x554) = fiat_bign256_cmovznz_u32(x546, x543, x527); + out1[0] = x547; + out1[1] = x548; + out1[2] = x549; + out1[3] = x550; + out1[4] = x551; + out1[5] = x552; + out1[6] = x553; + out1[7] = x554; + out1 +} +#[doc = " The function fiat_bign256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[inline] +pub const fn fiat_bign256_nonzero(arg1: &[u32; 8]) -> u32 { + let mut out1: u32 = 0; + let x1: u32 = ((arg1[0]) + | ((arg1[1]) + | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | (arg1[7])))))))); + out1 = x1; + out1 +} +#[doc = " The function fiat_bign256_selectznz is a multi-limb conditional select."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[inline] +pub const fn fiat_bign256_selectznz( + arg1: fiat_bign256_u1, + arg2: &[u32; 8], + arg3: &[u32; 8], +) -> [u32; 8] { + let mut out1: [u32; 8] = [0; 8]; + let mut x1: u32 = 0; + let (x1) = fiat_bign256_cmovznz_u32(arg1, (arg2[0]), (arg3[0])); + let mut x2: u32 = 0; + let (x2) = fiat_bign256_cmovznz_u32(arg1, (arg2[1]), (arg3[1])); + let mut x3: u32 = 0; + let (x3) = fiat_bign256_cmovznz_u32(arg1, (arg2[2]), (arg3[2])); + let mut x4: u32 = 0; + let (x4) = fiat_bign256_cmovznz_u32(arg1, (arg2[3]), (arg3[3])); + let mut x5: u32 = 0; + let (x5) = fiat_bign256_cmovznz_u32(arg1, (arg2[4]), (arg3[4])); + let mut x6: u32 = 0; + let (x6) = fiat_bign256_cmovznz_u32(arg1, (arg2[5]), (arg3[5])); + let mut x7: u32 = 0; + let (x7) = fiat_bign256_cmovznz_u32(arg1, (arg2[6]), (arg3[6])); + let mut x8: u32 = 0; + let (x8) = fiat_bign256_cmovznz_u32(arg1, (arg2[7]), (arg3[7])); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; + out1[5] = x6; + out1[6] = x7; + out1[7] = x8; + out1 +} +#[doc = " The function fiat_bign256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = map (Ξ» x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)βŒ‹) [0..31]"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]"] +#[inline] +pub const fn fiat_bign256_to_bytes(arg1: &[u32; 8]) -> [u8; 32] { + let mut out1: [u8; 32] = [0; 32]; + let x1: u32 = (arg1[7]); + let x2: u32 = (arg1[6]); + let x3: u32 = (arg1[5]); + let x4: u32 = (arg1[4]); + let x5: u32 = (arg1[3]); + let x6: u32 = (arg1[2]); + let x7: u32 = (arg1[1]); + let x8: u32 = (arg1[0]); + let x9: u8 = ((x8 & (0xff as u32)) as u8); + let x10: u32 = (x8 >> 8); + let x11: u8 = ((x10 & (0xff as u32)) as u8); + let x12: u32 = (x10 >> 8); + let x13: u8 = ((x12 & (0xff as u32)) as u8); + let x14: u8 = ((x12 >> 8) as u8); + let x15: u8 = ((x7 & (0xff as u32)) as u8); + let x16: u32 = (x7 >> 8); + let x17: u8 = ((x16 & (0xff as u32)) as u8); + let x18: u32 = (x16 >> 8); + let x19: u8 = ((x18 & (0xff as u32)) as u8); + let x20: u8 = ((x18 >> 8) as u8); + let x21: u8 = ((x6 & (0xff as u32)) as u8); + let x22: u32 = (x6 >> 8); + let x23: u8 = ((x22 & (0xff as u32)) as u8); + let x24: u32 = (x22 >> 8); + let x25: u8 = ((x24 & (0xff as u32)) as u8); + let x26: u8 = ((x24 >> 8) as u8); + let x27: u8 = ((x5 & (0xff as u32)) as u8); + let x28: u32 = (x5 >> 8); + let x29: u8 = ((x28 & (0xff as u32)) as u8); + let x30: u32 = (x28 >> 8); + let x31: u8 = ((x30 & (0xff as u32)) as u8); + let x32: u8 = ((x30 >> 8) as u8); + let x33: u8 = ((x4 & (0xff as u32)) as u8); + let x34: u32 = (x4 >> 8); + let x35: u8 = ((x34 & (0xff as u32)) as u8); + let x36: u32 = (x34 >> 8); + let x37: u8 = ((x36 & (0xff as u32)) as u8); + let x38: u8 = ((x36 >> 8) as u8); + let x39: u8 = ((x3 & (0xff as u32)) as u8); + let x40: u32 = (x3 >> 8); + let x41: u8 = ((x40 & (0xff as u32)) as u8); + let x42: u32 = (x40 >> 8); + let x43: u8 = ((x42 & (0xff as u32)) as u8); + let x44: u8 = ((x42 >> 8) as u8); + let x45: u8 = ((x2 & (0xff as u32)) as u8); + let x46: u32 = (x2 >> 8); + let x47: u8 = ((x46 & (0xff as u32)) as u8); + let x48: u32 = (x46 >> 8); + let x49: u8 = ((x48 & (0xff as u32)) as u8); + let x50: u8 = ((x48 >> 8) as u8); + let x51: u8 = ((x1 & (0xff as u32)) as u8); + let x52: u32 = (x1 >> 8); + let x53: u8 = ((x52 & (0xff as u32)) as u8); + let x54: u32 = (x52 >> 8); + let x55: u8 = ((x54 & (0xff as u32)) as u8); + let x56: u8 = ((x54 >> 8) as u8); + out1[0] = x9; + out1[1] = x11; + out1[2] = x13; + out1[3] = x14; + out1[4] = x15; + out1[5] = x17; + out1[6] = x19; + out1[7] = x20; + out1[8] = x21; + out1[9] = x23; + out1[10] = x25; + out1[11] = x26; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x38; + out1[20] = x39; + out1[21] = x41; + out1[22] = x43; + out1[23] = x44; + out1[24] = x45; + out1[25] = x47; + out1[26] = x49; + out1[27] = x50; + out1[28] = x51; + out1[29] = x53; + out1[30] = x55; + out1[31] = x56; + out1 +} +#[doc = " The function fiat_bign256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ bytes_eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval out1 mod m = bytes_eval arg1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[inline] +pub const fn fiat_bign256_from_bytes(arg1: &[u8; 32]) -> [u32; 8] { + let mut out1: [u32; 8] = [0; 8]; + let x1: u32 = (((arg1[31]) as u32) << 24); + let x2: u32 = (((arg1[30]) as u32) << 16); + let x3: u32 = (((arg1[29]) as u32) << 8); + let x4: u8 = (arg1[28]); + let x5: u32 = (((arg1[27]) as u32) << 24); + let x6: u32 = (((arg1[26]) as u32) << 16); + let x7: u32 = (((arg1[25]) as u32) << 8); + let x8: u8 = (arg1[24]); + let x9: u32 = (((arg1[23]) as u32) << 24); + let x10: u32 = (((arg1[22]) as u32) << 16); + let x11: u32 = (((arg1[21]) as u32) << 8); + let x12: u8 = (arg1[20]); + let x13: u32 = (((arg1[19]) as u32) << 24); + let x14: u32 = (((arg1[18]) as u32) << 16); + let x15: u32 = (((arg1[17]) as u32) << 8); + let x16: u8 = (arg1[16]); + let x17: u32 = (((arg1[15]) as u32) << 24); + let x18: u32 = (((arg1[14]) as u32) << 16); + let x19: u32 = (((arg1[13]) as u32) << 8); + let x20: u8 = (arg1[12]); + let x21: u32 = (((arg1[11]) as u32) << 24); + let x22: u32 = (((arg1[10]) as u32) << 16); + let x23: u32 = (((arg1[9]) as u32) << 8); + let x24: u8 = (arg1[8]); + let x25: u32 = (((arg1[7]) as u32) << 24); + let x26: u32 = (((arg1[6]) as u32) << 16); + let x27: u32 = (((arg1[5]) as u32) << 8); + let x28: u8 = (arg1[4]); + let x29: u32 = (((arg1[3]) as u32) << 24); + let x30: u32 = (((arg1[2]) as u32) << 16); + let x31: u32 = (((arg1[1]) as u32) << 8); + let x32: u8 = (arg1[0]); + let x33: u32 = (x31 + (x32 as u32)); + let x34: u32 = (x30 + x33); + let x35: u32 = (x29 + x34); + let x36: u32 = (x27 + (x28 as u32)); + let x37: u32 = (x26 + x36); + let x38: u32 = (x25 + x37); + let x39: u32 = (x23 + (x24 as u32)); + let x40: u32 = (x22 + x39); + let x41: u32 = (x21 + x40); + let x42: u32 = (x19 + (x20 as u32)); + let x43: u32 = (x18 + x42); + let x44: u32 = (x17 + x43); + let x45: u32 = (x15 + (x16 as u32)); + let x46: u32 = (x14 + x45); + let x47: u32 = (x13 + x46); + let x48: u32 = (x11 + (x12 as u32)); + let x49: u32 = (x10 + x48); + let x50: u32 = (x9 + x49); + let x51: u32 = (x7 + (x8 as u32)); + let x52: u32 = (x6 + x51); + let x53: u32 = (x5 + x52); + let x54: u32 = (x3 + (x4 as u32)); + let x55: u32 = (x2 + x54); + let x56: u32 = (x1 + x55); + out1[0] = x35; + out1[1] = x38; + out1[2] = x41; + out1[3] = x44; + out1[4] = x47; + out1[5] = x50; + out1[6] = x53; + out1[7] = x56; + out1 +} +#[doc = " The function fiat_bign256_set_one returns the field element one in the Montgomery domain."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = 1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_set_one() -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 8]; + out1[0] = 0xbd; + out1[1] = (0x0 as u32); + out1[2] = (0x0 as u32); + out1[3] = (0x0 as u32); + out1[4] = (0x0 as u32); + out1[5] = (0x0 as u32); + out1[6] = (0x0 as u32); + out1[7] = (0x0 as u32); + out1 +} +#[doc = " The function fiat_bign256_msat returns the saturated representation of the prime modulus."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " twos_complement_eval out1 = m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[inline] +pub const fn fiat_bign256_msat() -> [u32; 9] { + let mut out1: [u32; 9] = [0; 9]; + out1[0] = 0xffffff43; + out1[1] = 0xffffffff; + out1[2] = 0xffffffff; + out1[3] = 0xffffffff; + out1[4] = 0xffffffff; + out1[5] = 0xffffffff; + out1[6] = 0xffffffff; + out1[7] = 0xffffffff; + out1[8] = (0x0 as u32); + out1 +} +#[doc = " The function fiat_bign256_divstep computes a divstep."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg4 < m"] +#[doc = " 0 ≀ eval arg5 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1)"] +#[doc = " twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2)"] +#[doc = " twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2βŒ‹ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2βŒ‹)"] +#[doc = " eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m)"] +#[doc = " eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m)"] +#[doc = " 0 ≀ eval out5 < m"] +#[doc = " 0 ≀ eval out5 < m"] +#[doc = " 0 ≀ eval out2 < m"] +#[doc = " 0 ≀ eval out3 < m"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0xffffffff]"] +#[doc = " arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[doc = " out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[inline] +pub const fn fiat_bign256_divstep( + arg1: u32, + arg2: &[u32; 9], + arg3: &[u32; 9], + arg4: &[u32; 8], + arg5: &[u32; 8], +) -> (u32, [u32; 9], [u32; 9], [u32; 8], [u32; 8]) { + let mut out1: u32 = 0; + let mut out2: [u32; 9] = [0; 9]; + let mut out3: [u32; 9] = [0; 9]; + let mut out4: [u32; 8] = [0; 8]; + let mut out5: [u32; 8] = [0; 8]; + let mut x1: u32 = 0; + let mut x2: fiat_bign256_u1 = 0; + let (x1, x2) = fiat_bign256_addcarryx_u32(0x0, (!arg1), (0x1 as u32)); + let x3: fiat_bign256_u1 = + (((x1 >> 31) as fiat_bign256_u1) & (((arg3[0]) & (0x1 as u32)) as fiat_bign256_u1)); + let mut x4: u32 = 0; + let mut x5: fiat_bign256_u1 = 0; + let (x4, x5) = fiat_bign256_addcarryx_u32(0x0, (!arg1), (0x1 as u32)); + let mut x6: u32 = 0; + let (x6) = fiat_bign256_cmovznz_u32(x3, arg1, x4); + let mut x7: u32 = 0; + let (x7) = fiat_bign256_cmovznz_u32(x3, (arg2[0]), (arg3[0])); + let mut x8: u32 = 0; + let (x8) = fiat_bign256_cmovznz_u32(x3, (arg2[1]), (arg3[1])); + let mut x9: u32 = 0; + let (x9) = fiat_bign256_cmovznz_u32(x3, (arg2[2]), (arg3[2])); + let mut x10: u32 = 0; + let (x10) = fiat_bign256_cmovznz_u32(x3, (arg2[3]), (arg3[3])); + let mut x11: u32 = 0; + let (x11) = fiat_bign256_cmovznz_u32(x3, (arg2[4]), (arg3[4])); + let mut x12: u32 = 0; + let (x12) = fiat_bign256_cmovznz_u32(x3, (arg2[5]), (arg3[5])); + let mut x13: u32 = 0; + let (x13) = fiat_bign256_cmovznz_u32(x3, (arg2[6]), (arg3[6])); + let mut x14: u32 = 0; + let (x14) = fiat_bign256_cmovznz_u32(x3, (arg2[7]), (arg3[7])); + let mut x15: u32 = 0; + let (x15) = fiat_bign256_cmovznz_u32(x3, (arg2[8]), (arg3[8])); + let mut x16: u32 = 0; + let mut x17: fiat_bign256_u1 = 0; + let (x16, x17) = fiat_bign256_addcarryx_u32(0x0, (0x1 as u32), (!(arg2[0]))); + let mut x18: u32 = 0; + let mut x19: fiat_bign256_u1 = 0; + let (x18, x19) = fiat_bign256_addcarryx_u32(x17, (0x0 as u32), (!(arg2[1]))); + let mut x20: u32 = 0; + let mut x21: fiat_bign256_u1 = 0; + let (x20, x21) = fiat_bign256_addcarryx_u32(x19, (0x0 as u32), (!(arg2[2]))); + let mut x22: u32 = 0; + let mut x23: fiat_bign256_u1 = 0; + let (x22, x23) = fiat_bign256_addcarryx_u32(x21, (0x0 as u32), (!(arg2[3]))); + let mut x24: u32 = 0; + let mut x25: fiat_bign256_u1 = 0; + let (x24, x25) = fiat_bign256_addcarryx_u32(x23, (0x0 as u32), (!(arg2[4]))); + let mut x26: u32 = 0; + let mut x27: fiat_bign256_u1 = 0; + let (x26, x27) = fiat_bign256_addcarryx_u32(x25, (0x0 as u32), (!(arg2[5]))); + let mut x28: u32 = 0; + let mut x29: fiat_bign256_u1 = 0; + let (x28, x29) = fiat_bign256_addcarryx_u32(x27, (0x0 as u32), (!(arg2[6]))); + let mut x30: u32 = 0; + let mut x31: fiat_bign256_u1 = 0; + let (x30, x31) = fiat_bign256_addcarryx_u32(x29, (0x0 as u32), (!(arg2[7]))); + let mut x32: u32 = 0; + let mut x33: fiat_bign256_u1 = 0; + let (x32, x33) = fiat_bign256_addcarryx_u32(x31, (0x0 as u32), (!(arg2[8]))); + let mut x34: u32 = 0; + let (x34) = fiat_bign256_cmovznz_u32(x3, (arg3[0]), x16); + let mut x35: u32 = 0; + let (x35) = fiat_bign256_cmovznz_u32(x3, (arg3[1]), x18); + let mut x36: u32 = 0; + let (x36) = fiat_bign256_cmovznz_u32(x3, (arg3[2]), x20); + let mut x37: u32 = 0; + let (x37) = fiat_bign256_cmovznz_u32(x3, (arg3[3]), x22); + let mut x38: u32 = 0; + let (x38) = fiat_bign256_cmovznz_u32(x3, (arg3[4]), x24); + let mut x39: u32 = 0; + let (x39) = fiat_bign256_cmovznz_u32(x3, (arg3[5]), x26); + let mut x40: u32 = 0; + let (x40) = fiat_bign256_cmovznz_u32(x3, (arg3[6]), x28); + let mut x41: u32 = 0; + let (x41) = fiat_bign256_cmovznz_u32(x3, (arg3[7]), x30); + let mut x42: u32 = 0; + let (x42) = fiat_bign256_cmovznz_u32(x3, (arg3[8]), x32); + let mut x43: u32 = 0; + let (x43) = fiat_bign256_cmovznz_u32(x3, (arg4[0]), (arg5[0])); + let mut x44: u32 = 0; + let (x44) = fiat_bign256_cmovznz_u32(x3, (arg4[1]), (arg5[1])); + let mut x45: u32 = 0; + let (x45) = fiat_bign256_cmovznz_u32(x3, (arg4[2]), (arg5[2])); + let mut x46: u32 = 0; + let (x46) = fiat_bign256_cmovznz_u32(x3, (arg4[3]), (arg5[3])); + let mut x47: u32 = 0; + let (x47) = fiat_bign256_cmovznz_u32(x3, (arg4[4]), (arg5[4])); + let mut x48: u32 = 0; + let (x48) = fiat_bign256_cmovznz_u32(x3, (arg4[5]), (arg5[5])); + let mut x49: u32 = 0; + let (x49) = fiat_bign256_cmovznz_u32(x3, (arg4[6]), (arg5[6])); + let mut x50: u32 = 0; + let (x50) = fiat_bign256_cmovznz_u32(x3, (arg4[7]), (arg5[7])); + let mut x51: u32 = 0; + let mut x52: fiat_bign256_u1 = 0; + let (x51, x52) = fiat_bign256_addcarryx_u32(0x0, x43, x43); + let mut x53: u32 = 0; + let mut x54: fiat_bign256_u1 = 0; + let (x53, x54) = fiat_bign256_addcarryx_u32(x52, x44, x44); + let mut x55: u32 = 0; + let mut x56: fiat_bign256_u1 = 0; + let (x55, x56) = fiat_bign256_addcarryx_u32(x54, x45, x45); + let mut x57: u32 = 0; + let mut x58: fiat_bign256_u1 = 0; + let (x57, x58) = fiat_bign256_addcarryx_u32(x56, x46, x46); + let mut x59: u32 = 0; + let mut x60: fiat_bign256_u1 = 0; + let (x59, x60) = fiat_bign256_addcarryx_u32(x58, x47, x47); + let mut x61: u32 = 0; + let mut x62: fiat_bign256_u1 = 0; + let (x61, x62) = fiat_bign256_addcarryx_u32(x60, x48, x48); + let mut x63: u32 = 0; + let mut x64: fiat_bign256_u1 = 0; + let (x63, x64) = fiat_bign256_addcarryx_u32(x62, x49, x49); + let mut x65: u32 = 0; + let mut x66: fiat_bign256_u1 = 0; + let (x65, x66) = fiat_bign256_addcarryx_u32(x64, x50, x50); + let mut x67: u32 = 0; + let mut x68: fiat_bign256_u1 = 0; + let (x67, x68) = fiat_bign256_subborrowx_u32(0x0, x51, 0xffffff43); + let mut x69: u32 = 0; + let mut x70: fiat_bign256_u1 = 0; + let (x69, x70) = fiat_bign256_subborrowx_u32(x68, x53, 0xffffffff); + let mut x71: u32 = 0; + let mut x72: fiat_bign256_u1 = 0; + let (x71, x72) = fiat_bign256_subborrowx_u32(x70, x55, 0xffffffff); + let mut x73: u32 = 0; + let mut x74: fiat_bign256_u1 = 0; + let (x73, x74) = fiat_bign256_subborrowx_u32(x72, x57, 0xffffffff); + let mut x75: u32 = 0; + let mut x76: fiat_bign256_u1 = 0; + let (x75, x76) = fiat_bign256_subborrowx_u32(x74, x59, 0xffffffff); + let mut x77: u32 = 0; + let mut x78: fiat_bign256_u1 = 0; + let (x77, x78) = fiat_bign256_subborrowx_u32(x76, x61, 0xffffffff); + let mut x79: u32 = 0; + let mut x80: fiat_bign256_u1 = 0; + let (x79, x80) = fiat_bign256_subborrowx_u32(x78, x63, 0xffffffff); + let mut x81: u32 = 0; + let mut x82: fiat_bign256_u1 = 0; + let (x81, x82) = fiat_bign256_subborrowx_u32(x80, x65, 0xffffffff); + let mut x83: u32 = 0; + let mut x84: fiat_bign256_u1 = 0; + let (x83, x84) = fiat_bign256_subborrowx_u32(x82, (x66 as u32), (0x0 as u32)); + let x85: u32 = (arg4[7]); + let x86: u32 = (arg4[6]); + let x87: u32 = (arg4[5]); + let x88: u32 = (arg4[4]); + let x89: u32 = (arg4[3]); + let x90: u32 = (arg4[2]); + let x91: u32 = (arg4[1]); + let x92: u32 = (arg4[0]); + let mut x93: u32 = 0; + let mut x94: fiat_bign256_u1 = 0; + let (x93, x94) = fiat_bign256_subborrowx_u32(0x0, (0x0 as u32), x92); + let mut x95: u32 = 0; + let mut x96: fiat_bign256_u1 = 0; + let (x95, x96) = fiat_bign256_subborrowx_u32(x94, (0x0 as u32), x91); + let mut x97: u32 = 0; + let mut x98: fiat_bign256_u1 = 0; + let (x97, x98) = fiat_bign256_subborrowx_u32(x96, (0x0 as u32), x90); + let mut x99: u32 = 0; + let mut x100: fiat_bign256_u1 = 0; + let (x99, x100) = fiat_bign256_subborrowx_u32(x98, (0x0 as u32), x89); + let mut x101: u32 = 0; + let mut x102: fiat_bign256_u1 = 0; + let (x101, x102) = fiat_bign256_subborrowx_u32(x100, (0x0 as u32), x88); + let mut x103: u32 = 0; + let mut x104: fiat_bign256_u1 = 0; + let (x103, x104) = fiat_bign256_subborrowx_u32(x102, (0x0 as u32), x87); + let mut x105: u32 = 0; + let mut x106: fiat_bign256_u1 = 0; + let (x105, x106) = fiat_bign256_subborrowx_u32(x104, (0x0 as u32), x86); + let mut x107: u32 = 0; + let mut x108: fiat_bign256_u1 = 0; + let (x107, x108) = fiat_bign256_subborrowx_u32(x106, (0x0 as u32), x85); + let mut x109: u32 = 0; + let (x109) = fiat_bign256_cmovznz_u32(x108, (0x0 as u32), 0xffffffff); + let mut x110: u32 = 0; + let mut x111: fiat_bign256_u1 = 0; + let (x110, x111) = fiat_bign256_addcarryx_u32(0x0, x93, (x109 & 0xffffff43)); + let mut x112: u32 = 0; + let mut x113: fiat_bign256_u1 = 0; + let (x112, x113) = fiat_bign256_addcarryx_u32(x111, x95, x109); + let mut x114: u32 = 0; + let mut x115: fiat_bign256_u1 = 0; + let (x114, x115) = fiat_bign256_addcarryx_u32(x113, x97, x109); + let mut x116: u32 = 0; + let mut x117: fiat_bign256_u1 = 0; + let (x116, x117) = fiat_bign256_addcarryx_u32(x115, x99, x109); + let mut x118: u32 = 0; + let mut x119: fiat_bign256_u1 = 0; + let (x118, x119) = fiat_bign256_addcarryx_u32(x117, x101, x109); + let mut x120: u32 = 0; + let mut x121: fiat_bign256_u1 = 0; + let (x120, x121) = fiat_bign256_addcarryx_u32(x119, x103, x109); + let mut x122: u32 = 0; + let mut x123: fiat_bign256_u1 = 0; + let (x122, x123) = fiat_bign256_addcarryx_u32(x121, x105, x109); + let mut x124: u32 = 0; + let mut x125: fiat_bign256_u1 = 0; + let (x124, x125) = fiat_bign256_addcarryx_u32(x123, x107, x109); + let mut x126: u32 = 0; + let (x126) = fiat_bign256_cmovznz_u32(x3, (arg5[0]), x110); + let mut x127: u32 = 0; + let (x127) = fiat_bign256_cmovznz_u32(x3, (arg5[1]), x112); + let mut x128: u32 = 0; + let (x128) = fiat_bign256_cmovznz_u32(x3, (arg5[2]), x114); + let mut x129: u32 = 0; + let (x129) = fiat_bign256_cmovznz_u32(x3, (arg5[3]), x116); + let mut x130: u32 = 0; + let (x130) = fiat_bign256_cmovznz_u32(x3, (arg5[4]), x118); + let mut x131: u32 = 0; + let (x131) = fiat_bign256_cmovznz_u32(x3, (arg5[5]), x120); + let mut x132: u32 = 0; + let (x132) = fiat_bign256_cmovznz_u32(x3, (arg5[6]), x122); + let mut x133: u32 = 0; + let (x133) = fiat_bign256_cmovznz_u32(x3, (arg5[7]), x124); + let x134: fiat_bign256_u1 = ((x34 & (0x1 as u32)) as fiat_bign256_u1); + let mut x135: u32 = 0; + let (x135) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x7); + let mut x136: u32 = 0; + let (x136) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x8); + let mut x137: u32 = 0; + let (x137) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x9); + let mut x138: u32 = 0; + let (x138) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x10); + let mut x139: u32 = 0; + let (x139) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x11); + let mut x140: u32 = 0; + let (x140) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x12); + let mut x141: u32 = 0; + let (x141) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x13); + let mut x142: u32 = 0; + let (x142) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x14); + let mut x143: u32 = 0; + let (x143) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x15); + let mut x144: u32 = 0; + let mut x145: fiat_bign256_u1 = 0; + let (x144, x145) = fiat_bign256_addcarryx_u32(0x0, x34, x135); + let mut x146: u32 = 0; + let mut x147: fiat_bign256_u1 = 0; + let (x146, x147) = fiat_bign256_addcarryx_u32(x145, x35, x136); + let mut x148: u32 = 0; + let mut x149: fiat_bign256_u1 = 0; + let (x148, x149) = fiat_bign256_addcarryx_u32(x147, x36, x137); + let mut x150: u32 = 0; + let mut x151: fiat_bign256_u1 = 0; + let (x150, x151) = fiat_bign256_addcarryx_u32(x149, x37, x138); + let mut x152: u32 = 0; + let mut x153: fiat_bign256_u1 = 0; + let (x152, x153) = fiat_bign256_addcarryx_u32(x151, x38, x139); + let mut x154: u32 = 0; + let mut x155: fiat_bign256_u1 = 0; + let (x154, x155) = fiat_bign256_addcarryx_u32(x153, x39, x140); + let mut x156: u32 = 0; + let mut x157: fiat_bign256_u1 = 0; + let (x156, x157) = fiat_bign256_addcarryx_u32(x155, x40, x141); + let mut x158: u32 = 0; + let mut x159: fiat_bign256_u1 = 0; + let (x158, x159) = fiat_bign256_addcarryx_u32(x157, x41, x142); + let mut x160: u32 = 0; + let mut x161: fiat_bign256_u1 = 0; + let (x160, x161) = fiat_bign256_addcarryx_u32(x159, x42, x143); + let mut x162: u32 = 0; + let (x162) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x43); + let mut x163: u32 = 0; + let (x163) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x44); + let mut x164: u32 = 0; + let (x164) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x45); + let mut x165: u32 = 0; + let (x165) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x46); + let mut x166: u32 = 0; + let (x166) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x47); + let mut x167: u32 = 0; + let (x167) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x48); + let mut x168: u32 = 0; + let (x168) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x49); + let mut x169: u32 = 0; + let (x169) = fiat_bign256_cmovznz_u32(x134, (0x0 as u32), x50); + let mut x170: u32 = 0; + let mut x171: fiat_bign256_u1 = 0; + let (x170, x171) = fiat_bign256_addcarryx_u32(0x0, x126, x162); + let mut x172: u32 = 0; + let mut x173: fiat_bign256_u1 = 0; + let (x172, x173) = fiat_bign256_addcarryx_u32(x171, x127, x163); + let mut x174: u32 = 0; + let mut x175: fiat_bign256_u1 = 0; + let (x174, x175) = fiat_bign256_addcarryx_u32(x173, x128, x164); + let mut x176: u32 = 0; + let mut x177: fiat_bign256_u1 = 0; + let (x176, x177) = fiat_bign256_addcarryx_u32(x175, x129, x165); + let mut x178: u32 = 0; + let mut x179: fiat_bign256_u1 = 0; + let (x178, x179) = fiat_bign256_addcarryx_u32(x177, x130, x166); + let mut x180: u32 = 0; + let mut x181: fiat_bign256_u1 = 0; + let (x180, x181) = fiat_bign256_addcarryx_u32(x179, x131, x167); + let mut x182: u32 = 0; + let mut x183: fiat_bign256_u1 = 0; + let (x182, x183) = fiat_bign256_addcarryx_u32(x181, x132, x168); + let mut x184: u32 = 0; + let mut x185: fiat_bign256_u1 = 0; + let (x184, x185) = fiat_bign256_addcarryx_u32(x183, x133, x169); + let mut x186: u32 = 0; + let mut x187: fiat_bign256_u1 = 0; + let (x186, x187) = fiat_bign256_subborrowx_u32(0x0, x170, 0xffffff43); + let mut x188: u32 = 0; + let mut x189: fiat_bign256_u1 = 0; + let (x188, x189) = fiat_bign256_subborrowx_u32(x187, x172, 0xffffffff); + let mut x190: u32 = 0; + let mut x191: fiat_bign256_u1 = 0; + let (x190, x191) = fiat_bign256_subborrowx_u32(x189, x174, 0xffffffff); + let mut x192: u32 = 0; + let mut x193: fiat_bign256_u1 = 0; + let (x192, x193) = fiat_bign256_subborrowx_u32(x191, x176, 0xffffffff); + let mut x194: u32 = 0; + let mut x195: fiat_bign256_u1 = 0; + let (x194, x195) = fiat_bign256_subborrowx_u32(x193, x178, 0xffffffff); + let mut x196: u32 = 0; + let mut x197: fiat_bign256_u1 = 0; + let (x196, x197) = fiat_bign256_subborrowx_u32(x195, x180, 0xffffffff); + let mut x198: u32 = 0; + let mut x199: fiat_bign256_u1 = 0; + let (x198, x199) = fiat_bign256_subborrowx_u32(x197, x182, 0xffffffff); + let mut x200: u32 = 0; + let mut x201: fiat_bign256_u1 = 0; + let (x200, x201) = fiat_bign256_subborrowx_u32(x199, x184, 0xffffffff); + let mut x202: u32 = 0; + let mut x203: fiat_bign256_u1 = 0; + let (x202, x203) = fiat_bign256_subborrowx_u32(x201, (x185 as u32), (0x0 as u32)); + let mut x204: u32 = 0; + let mut x205: fiat_bign256_u1 = 0; + let (x204, x205) = fiat_bign256_addcarryx_u32(0x0, x6, (0x1 as u32)); + let x206: u32 = ((x144 >> 1) | ((x146 << 31) & 0xffffffff)); + let x207: u32 = ((x146 >> 1) | ((x148 << 31) & 0xffffffff)); + let x208: u32 = ((x148 >> 1) | ((x150 << 31) & 0xffffffff)); + let x209: u32 = ((x150 >> 1) | ((x152 << 31) & 0xffffffff)); + let x210: u32 = ((x152 >> 1) | ((x154 << 31) & 0xffffffff)); + let x211: u32 = ((x154 >> 1) | ((x156 << 31) & 0xffffffff)); + let x212: u32 = ((x156 >> 1) | ((x158 << 31) & 0xffffffff)); + let x213: u32 = ((x158 >> 1) | ((x160 << 31) & 0xffffffff)); + let x214: u32 = ((x160 & 0x80000000) | (x160 >> 1)); + let mut x215: u32 = 0; + let (x215) = fiat_bign256_cmovznz_u32(x84, x67, x51); + let mut x216: u32 = 0; + let (x216) = fiat_bign256_cmovznz_u32(x84, x69, x53); + let mut x217: u32 = 0; + let (x217) = fiat_bign256_cmovznz_u32(x84, x71, x55); + let mut x218: u32 = 0; + let (x218) = fiat_bign256_cmovznz_u32(x84, x73, x57); + let mut x219: u32 = 0; + let (x219) = fiat_bign256_cmovznz_u32(x84, x75, x59); + let mut x220: u32 = 0; + let (x220) = fiat_bign256_cmovznz_u32(x84, x77, x61); + let mut x221: u32 = 0; + let (x221) = fiat_bign256_cmovznz_u32(x84, x79, x63); + let mut x222: u32 = 0; + let (x222) = fiat_bign256_cmovznz_u32(x84, x81, x65); + let mut x223: u32 = 0; + let (x223) = fiat_bign256_cmovznz_u32(x203, x186, x170); + let mut x224: u32 = 0; + let (x224) = fiat_bign256_cmovznz_u32(x203, x188, x172); + let mut x225: u32 = 0; + let (x225) = fiat_bign256_cmovznz_u32(x203, x190, x174); + let mut x226: u32 = 0; + let (x226) = fiat_bign256_cmovznz_u32(x203, x192, x176); + let mut x227: u32 = 0; + let (x227) = fiat_bign256_cmovznz_u32(x203, x194, x178); + let mut x228: u32 = 0; + let (x228) = fiat_bign256_cmovznz_u32(x203, x196, x180); + let mut x229: u32 = 0; + let (x229) = fiat_bign256_cmovznz_u32(x203, x198, x182); + let mut x230: u32 = 0; + let (x230) = fiat_bign256_cmovznz_u32(x203, x200, x184); + out1 = x204; + out2[0] = x7; + out2[1] = x8; + out2[2] = x9; + out2[3] = x10; + out2[4] = x11; + out2[5] = x12; + out2[6] = x13; + out2[7] = x14; + out2[8] = x15; + out3[0] = x206; + out3[1] = x207; + out3[2] = x208; + out3[3] = x209; + out3[4] = x210; + out3[5] = x211; + out3[6] = x212; + out3[7] = x213; + out3[8] = x214; + out4[0] = x215; + out4[1] = x216; + out4[2] = x217; + out4[3] = x218; + out4[4] = x219; + out4[5] = x220; + out4[6] = x221; + out4[7] = x222; + out5[0] = x223; + out5[1] = x224; + out5[2] = x225; + out5[3] = x226; + out5[4] = x227; + out5[5] = x228; + out5[6] = x229; + out5[7] = x230; + (out1, out2, out3, out4, out5) +} +#[doc = " The function fiat_bign256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form)."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) = ⌊(m - 1) / 2βŒ‹^(if ⌊log2 mβŒ‹ + 1 < 46 then ⌊(49 * (⌊log2 mβŒ‹ + 1) + 80) / 17βŒ‹ else ⌊(49 * (⌊log2 mβŒ‹ + 1) + 57) / 17βŒ‹)"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[inline] +pub const fn fiat_bign256_divstep_precomp() -> [u32; 8] { + let mut out1: [u32; 8] = [0; 8]; + out1[0] = 0x127f51fe; + out1[1] = 0x7ea454d3; + out1[2] = 0x5546a7f1; + out1[3] = 0x4802b1d; + out1[4] = 0x495d722c; + out1[5] = 0xab83282b; + out1[6] = 0x12f2d964; + out1[7] = 0xdb33014c; + out1 +} diff --git a/bign256/src/arithmetic/field/bign256_64.rs b/bign256/src/arithmetic/field/bign256_64.rs new file mode 100644 index 00000000..1a82ffb8 --- /dev/null +++ b/bign256/src/arithmetic/field/bign256_64.rs @@ -0,0 +1,2015 @@ +#![doc = " fiat-crypto output postprocessed by fiat-constify: "] +#![doc = " Autogenerated: './word_by_word_montgomery' --lang Rust --inline bign256 64 '2^256 - 189' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp"] +#![doc = " curve description: bign256"] +#![doc = " machine_wordsize = 64 (from \"64\")"] +#![doc = " requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp"] +#![doc = " m = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff43 (from \"2^256 - 189\")"] +#![doc = ""] +#![doc = " NOTE: In addition to the bounds specified above each function, all"] +#![doc = " functions synthesized for this Montgomery arithmetic require the"] +#![doc = " input to be strictly less than the prime modulus (m), and also"] +#![doc = " require the input to be in the unique saturated representation."] +#![doc = " All functions also ensure that these two properties are true of"] +#![doc = " return values."] +#![doc = ""] +#![doc = " Computed values:"] +#![doc = " eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192)"] +#![doc = " bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248)"] +#![doc = " twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in"] +#![doc = " if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256"] +#![allow(unused_parens)] +#![allow(non_camel_case_types)] +#![allow( + clippy::identity_op, + clippy::unnecessary_cast, + dead_code, + rustdoc::broken_intra_doc_links, + unused_assignments, + unused_mut, + unused_variables +)] +pub type fiat_bign256_u1 = u8; +pub type fiat_bign256_i1 = i8; +pub type fiat_bign256_u2 = u8; +pub type fiat_bign256_i2 = i8; +pub type fiat_bign256_montgomery_domain_field_element = [u64; 4]; +pub type fiat_bign256_non_montgomery_domain_field_element = [u64; 4]; +#[doc = " The function fiat_bign256_addcarryx_u64 is an addition with carry."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (arg1 + arg2 + arg3) mod 2^64"] +#[doc = " out2 = ⌊(arg1 + arg2 + arg3) / 2^64βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " out2: [0x0 ~> 0x1]"] +#[inline] +pub const fn fiat_bign256_addcarryx_u64( + arg1: fiat_bign256_u1, + arg2: u64, + arg3: u64, +) -> (u64, fiat_bign256_u1) { + let mut out1: u64 = 0; + let mut out2: fiat_bign256_u1 = 0; + let x1: u128 = (((arg1 as u128) + (arg2 as u128)) + (arg3 as u128)); + let x2: u64 = ((x1 & (0xffffffffffffffff as u128)) as u64); + let x3: fiat_bign256_u1 = ((x1 >> 64) as fiat_bign256_u1); + out1 = x2; + out2 = x3; + (out1, out2) +} +#[doc = " The function fiat_bign256_subborrowx_u64 is a subtraction with borrow."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (-arg1 + arg2 + -arg3) mod 2^64"] +#[doc = " out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " out2: [0x0 ~> 0x1]"] +#[inline] +pub const fn fiat_bign256_subborrowx_u64( + arg1: fiat_bign256_u1, + arg2: u64, + arg3: u64, +) -> (u64, fiat_bign256_u1) { + let mut out1: u64 = 0; + let mut out2: fiat_bign256_u1 = 0; + let x1: i128 = (((arg2 as i128) - (arg1 as i128)) - (arg3 as i128)); + let x2: fiat_bign256_i1 = ((x1 >> 64) as fiat_bign256_i1); + let x3: u64 = ((x1 & (0xffffffffffffffff as i128)) as u64); + out1 = x3; + out2 = (((0x0 as fiat_bign256_i2) - (x2 as fiat_bign256_i2)) as fiat_bign256_u1); + (out1, out2) +} +#[doc = " The function fiat_bign256_mulx_u64 is a multiplication, returning the full double-width result."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (arg1 * arg2) mod 2^64"] +#[doc = " out2 = ⌊arg1 * arg2 / 2^64βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " out2: [0x0 ~> 0xffffffffffffffff]"] +#[inline] +pub const fn fiat_bign256_mulx_u64(arg1: u64, arg2: u64) -> (u64, u64) { + let mut out1: u64 = 0; + let mut out2: u64 = 0; + let x1: u128 = ((arg1 as u128) * (arg2 as u128)); + let x2: u64 = ((x1 & (0xffffffffffffffff as u128)) as u64); + let x3: u64 = ((x1 >> 64) as u64); + out1 = x2; + out2 = x3; + (out1, out2) +} +#[doc = " The function fiat_bign256_cmovznz_u64 is a single-word conditional move."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[inline] +pub const fn fiat_bign256_cmovznz_u64(arg1: fiat_bign256_u1, arg2: u64, arg3: u64) -> u64 { + let mut out1: u64 = 0; + let x1: fiat_bign256_u1 = (!(!arg1)); + let x2: u64 = ((((((0x0 as fiat_bign256_i2) - (x1 as fiat_bign256_i2)) as fiat_bign256_i1) + as i128) + & (0xffffffffffffffff as i128)) as u64); + let x3: u64 = ((x2 & arg3) | ((!x2) & arg2)); + out1 = x3; + out1 +} +#[doc = " The function fiat_bign256_mul multiplies two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_mul( + arg1: &fiat_bign256_montgomery_domain_field_element, + arg2: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 4]; + let x1: u64 = (arg1[1]); + let x2: u64 = (arg1[2]); + let x3: u64 = (arg1[3]); + let x4: u64 = (arg1[0]); + let mut x5: u64 = 0; + let mut x6: u64 = 0; + let (x5, x6) = fiat_bign256_mulx_u64(x4, (arg2[3])); + let mut x7: u64 = 0; + let mut x8: u64 = 0; + let (x7, x8) = fiat_bign256_mulx_u64(x4, (arg2[2])); + let mut x9: u64 = 0; + let mut x10: u64 = 0; + let (x9, x10) = fiat_bign256_mulx_u64(x4, (arg2[1])); + let mut x11: u64 = 0; + let mut x12: u64 = 0; + let (x11, x12) = fiat_bign256_mulx_u64(x4, (arg2[0])); + let mut x13: u64 = 0; + let mut x14: fiat_bign256_u1 = 0; + let (x13, x14) = fiat_bign256_addcarryx_u64(0x0, x12, x9); + let mut x15: u64 = 0; + let mut x16: fiat_bign256_u1 = 0; + let (x15, x16) = fiat_bign256_addcarryx_u64(x14, x10, x7); + let mut x17: u64 = 0; + let mut x18: fiat_bign256_u1 = 0; + let (x17, x18) = fiat_bign256_addcarryx_u64(x16, x8, x5); + let x19: u64 = ((x18 as u64) + x6); + let mut x20: u64 = 0; + let mut x21: u64 = 0; + let (x20, x21) = fiat_bign256_mulx_u64(x11, 0xa53fa94fea53fa95); + let mut x22: u64 = 0; + let mut x23: u64 = 0; + let (x22, x23) = fiat_bign256_mulx_u64(x20, 0xffffffffffffffff); + let mut x24: u64 = 0; + let mut x25: u64 = 0; + let (x24, x25) = fiat_bign256_mulx_u64(x20, 0xffffffffffffffff); + let mut x26: u64 = 0; + let mut x27: u64 = 0; + let (x26, x27) = fiat_bign256_mulx_u64(x20, 0xffffffffffffffff); + let mut x28: u64 = 0; + let mut x29: u64 = 0; + let (x28, x29) = fiat_bign256_mulx_u64(x20, 0xffffffffffffff43); + let mut x30: u64 = 0; + let mut x31: fiat_bign256_u1 = 0; + let (x30, x31) = fiat_bign256_addcarryx_u64(0x0, x29, x26); + let mut x32: u64 = 0; + let mut x33: fiat_bign256_u1 = 0; + let (x32, x33) = fiat_bign256_addcarryx_u64(x31, x27, x24); + let mut x34: u64 = 0; + let mut x35: fiat_bign256_u1 = 0; + let (x34, x35) = fiat_bign256_addcarryx_u64(x33, x25, x22); + let x36: u64 = ((x35 as u64) + x23); + let mut x37: u64 = 0; + let mut x38: fiat_bign256_u1 = 0; + let (x37, x38) = fiat_bign256_addcarryx_u64(0x0, x11, x28); + let mut x39: u64 = 0; + let mut x40: fiat_bign256_u1 = 0; + let (x39, x40) = fiat_bign256_addcarryx_u64(x38, x13, x30); + let mut x41: u64 = 0; + let mut x42: fiat_bign256_u1 = 0; + let (x41, x42) = fiat_bign256_addcarryx_u64(x40, x15, x32); + let mut x43: u64 = 0; + let mut x44: fiat_bign256_u1 = 0; + let (x43, x44) = fiat_bign256_addcarryx_u64(x42, x17, x34); + let mut x45: u64 = 0; + let mut x46: fiat_bign256_u1 = 0; + let (x45, x46) = fiat_bign256_addcarryx_u64(x44, x19, x36); + let mut x47: u64 = 0; + let mut x48: u64 = 0; + let (x47, x48) = fiat_bign256_mulx_u64(x1, (arg2[3])); + let mut x49: u64 = 0; + let mut x50: u64 = 0; + let (x49, x50) = fiat_bign256_mulx_u64(x1, (arg2[2])); + let mut x51: u64 = 0; + let mut x52: u64 = 0; + let (x51, x52) = fiat_bign256_mulx_u64(x1, (arg2[1])); + let mut x53: u64 = 0; + let mut x54: u64 = 0; + let (x53, x54) = fiat_bign256_mulx_u64(x1, (arg2[0])); + let mut x55: u64 = 0; + let mut x56: fiat_bign256_u1 = 0; + let (x55, x56) = fiat_bign256_addcarryx_u64(0x0, x54, x51); + let mut x57: u64 = 0; + let mut x58: fiat_bign256_u1 = 0; + let (x57, x58) = fiat_bign256_addcarryx_u64(x56, x52, x49); + let mut x59: u64 = 0; + let mut x60: fiat_bign256_u1 = 0; + let (x59, x60) = fiat_bign256_addcarryx_u64(x58, x50, x47); + let x61: u64 = ((x60 as u64) + x48); + let mut x62: u64 = 0; + let mut x63: fiat_bign256_u1 = 0; + let (x62, x63) = fiat_bign256_addcarryx_u64(0x0, x39, x53); + let mut x64: u64 = 0; + let mut x65: fiat_bign256_u1 = 0; + let (x64, x65) = fiat_bign256_addcarryx_u64(x63, x41, x55); + let mut x66: u64 = 0; + let mut x67: fiat_bign256_u1 = 0; + let (x66, x67) = fiat_bign256_addcarryx_u64(x65, x43, x57); + let mut x68: u64 = 0; + let mut x69: fiat_bign256_u1 = 0; + let (x68, x69) = fiat_bign256_addcarryx_u64(x67, x45, x59); + let mut x70: u64 = 0; + let mut x71: fiat_bign256_u1 = 0; + let (x70, x71) = fiat_bign256_addcarryx_u64(x69, (x46 as u64), x61); + let mut x72: u64 = 0; + let mut x73: u64 = 0; + let (x72, x73) = fiat_bign256_mulx_u64(x62, 0xa53fa94fea53fa95); + let mut x74: u64 = 0; + let mut x75: u64 = 0; + let (x74, x75) = fiat_bign256_mulx_u64(x72, 0xffffffffffffffff); + let mut x76: u64 = 0; + let mut x77: u64 = 0; + let (x76, x77) = fiat_bign256_mulx_u64(x72, 0xffffffffffffffff); + let mut x78: u64 = 0; + let mut x79: u64 = 0; + let (x78, x79) = fiat_bign256_mulx_u64(x72, 0xffffffffffffffff); + let mut x80: u64 = 0; + let mut x81: u64 = 0; + let (x80, x81) = fiat_bign256_mulx_u64(x72, 0xffffffffffffff43); + let mut x82: u64 = 0; + let mut x83: fiat_bign256_u1 = 0; + let (x82, x83) = fiat_bign256_addcarryx_u64(0x0, x81, x78); + let mut x84: u64 = 0; + let mut x85: fiat_bign256_u1 = 0; + let (x84, x85) = fiat_bign256_addcarryx_u64(x83, x79, x76); + let mut x86: u64 = 0; + let mut x87: fiat_bign256_u1 = 0; + let (x86, x87) = fiat_bign256_addcarryx_u64(x85, x77, x74); + let x88: u64 = ((x87 as u64) + x75); + let mut x89: u64 = 0; + let mut x90: fiat_bign256_u1 = 0; + let (x89, x90) = fiat_bign256_addcarryx_u64(0x0, x62, x80); + let mut x91: u64 = 0; + let mut x92: fiat_bign256_u1 = 0; + let (x91, x92) = fiat_bign256_addcarryx_u64(x90, x64, x82); + let mut x93: u64 = 0; + let mut x94: fiat_bign256_u1 = 0; + let (x93, x94) = fiat_bign256_addcarryx_u64(x92, x66, x84); + let mut x95: u64 = 0; + let mut x96: fiat_bign256_u1 = 0; + let (x95, x96) = fiat_bign256_addcarryx_u64(x94, x68, x86); + let mut x97: u64 = 0; + let mut x98: fiat_bign256_u1 = 0; + let (x97, x98) = fiat_bign256_addcarryx_u64(x96, x70, x88); + let x99: u64 = ((x98 as u64) + (x71 as u64)); + let mut x100: u64 = 0; + let mut x101: u64 = 0; + let (x100, x101) = fiat_bign256_mulx_u64(x2, (arg2[3])); + let mut x102: u64 = 0; + let mut x103: u64 = 0; + let (x102, x103) = fiat_bign256_mulx_u64(x2, (arg2[2])); + let mut x104: u64 = 0; + let mut x105: u64 = 0; + let (x104, x105) = fiat_bign256_mulx_u64(x2, (arg2[1])); + let mut x106: u64 = 0; + let mut x107: u64 = 0; + let (x106, x107) = fiat_bign256_mulx_u64(x2, (arg2[0])); + let mut x108: u64 = 0; + let mut x109: fiat_bign256_u1 = 0; + let (x108, x109) = fiat_bign256_addcarryx_u64(0x0, x107, x104); + let mut x110: u64 = 0; + let mut x111: fiat_bign256_u1 = 0; + let (x110, x111) = fiat_bign256_addcarryx_u64(x109, x105, x102); + let mut x112: u64 = 0; + let mut x113: fiat_bign256_u1 = 0; + let (x112, x113) = fiat_bign256_addcarryx_u64(x111, x103, x100); + let x114: u64 = ((x113 as u64) + x101); + let mut x115: u64 = 0; + let mut x116: fiat_bign256_u1 = 0; + let (x115, x116) = fiat_bign256_addcarryx_u64(0x0, x91, x106); + let mut x117: u64 = 0; + let mut x118: fiat_bign256_u1 = 0; + let (x117, x118) = fiat_bign256_addcarryx_u64(x116, x93, x108); + let mut x119: u64 = 0; + let mut x120: fiat_bign256_u1 = 0; + let (x119, x120) = fiat_bign256_addcarryx_u64(x118, x95, x110); + let mut x121: u64 = 0; + let mut x122: fiat_bign256_u1 = 0; + let (x121, x122) = fiat_bign256_addcarryx_u64(x120, x97, x112); + let mut x123: u64 = 0; + let mut x124: fiat_bign256_u1 = 0; + let (x123, x124) = fiat_bign256_addcarryx_u64(x122, x99, x114); + let mut x125: u64 = 0; + let mut x126: u64 = 0; + let (x125, x126) = fiat_bign256_mulx_u64(x115, 0xa53fa94fea53fa95); + let mut x127: u64 = 0; + let mut x128: u64 = 0; + let (x127, x128) = fiat_bign256_mulx_u64(x125, 0xffffffffffffffff); + let mut x129: u64 = 0; + let mut x130: u64 = 0; + let (x129, x130) = fiat_bign256_mulx_u64(x125, 0xffffffffffffffff); + let mut x131: u64 = 0; + let mut x132: u64 = 0; + let (x131, x132) = fiat_bign256_mulx_u64(x125, 0xffffffffffffffff); + let mut x133: u64 = 0; + let mut x134: u64 = 0; + let (x133, x134) = fiat_bign256_mulx_u64(x125, 0xffffffffffffff43); + let mut x135: u64 = 0; + let mut x136: fiat_bign256_u1 = 0; + let (x135, x136) = fiat_bign256_addcarryx_u64(0x0, x134, x131); + let mut x137: u64 = 0; + let mut x138: fiat_bign256_u1 = 0; + let (x137, x138) = fiat_bign256_addcarryx_u64(x136, x132, x129); + let mut x139: u64 = 0; + let mut x140: fiat_bign256_u1 = 0; + let (x139, x140) = fiat_bign256_addcarryx_u64(x138, x130, x127); + let x141: u64 = ((x140 as u64) + x128); + let mut x142: u64 = 0; + let mut x143: fiat_bign256_u1 = 0; + let (x142, x143) = fiat_bign256_addcarryx_u64(0x0, x115, x133); + let mut x144: u64 = 0; + let mut x145: fiat_bign256_u1 = 0; + let (x144, x145) = fiat_bign256_addcarryx_u64(x143, x117, x135); + let mut x146: u64 = 0; + let mut x147: fiat_bign256_u1 = 0; + let (x146, x147) = fiat_bign256_addcarryx_u64(x145, x119, x137); + let mut x148: u64 = 0; + let mut x149: fiat_bign256_u1 = 0; + let (x148, x149) = fiat_bign256_addcarryx_u64(x147, x121, x139); + let mut x150: u64 = 0; + let mut x151: fiat_bign256_u1 = 0; + let (x150, x151) = fiat_bign256_addcarryx_u64(x149, x123, x141); + let x152: u64 = ((x151 as u64) + (x124 as u64)); + let mut x153: u64 = 0; + let mut x154: u64 = 0; + let (x153, x154) = fiat_bign256_mulx_u64(x3, (arg2[3])); + let mut x155: u64 = 0; + let mut x156: u64 = 0; + let (x155, x156) = fiat_bign256_mulx_u64(x3, (arg2[2])); + let mut x157: u64 = 0; + let mut x158: u64 = 0; + let (x157, x158) = fiat_bign256_mulx_u64(x3, (arg2[1])); + let mut x159: u64 = 0; + let mut x160: u64 = 0; + let (x159, x160) = fiat_bign256_mulx_u64(x3, (arg2[0])); + let mut x161: u64 = 0; + let mut x162: fiat_bign256_u1 = 0; + let (x161, x162) = fiat_bign256_addcarryx_u64(0x0, x160, x157); + let mut x163: u64 = 0; + let mut x164: fiat_bign256_u1 = 0; + let (x163, x164) = fiat_bign256_addcarryx_u64(x162, x158, x155); + let mut x165: u64 = 0; + let mut x166: fiat_bign256_u1 = 0; + let (x165, x166) = fiat_bign256_addcarryx_u64(x164, x156, x153); + let x167: u64 = ((x166 as u64) + x154); + let mut x168: u64 = 0; + let mut x169: fiat_bign256_u1 = 0; + let (x168, x169) = fiat_bign256_addcarryx_u64(0x0, x144, x159); + let mut x170: u64 = 0; + let mut x171: fiat_bign256_u1 = 0; + let (x170, x171) = fiat_bign256_addcarryx_u64(x169, x146, x161); + let mut x172: u64 = 0; + let mut x173: fiat_bign256_u1 = 0; + let (x172, x173) = fiat_bign256_addcarryx_u64(x171, x148, x163); + let mut x174: u64 = 0; + let mut x175: fiat_bign256_u1 = 0; + let (x174, x175) = fiat_bign256_addcarryx_u64(x173, x150, x165); + let mut x176: u64 = 0; + let mut x177: fiat_bign256_u1 = 0; + let (x176, x177) = fiat_bign256_addcarryx_u64(x175, x152, x167); + let mut x178: u64 = 0; + let mut x179: u64 = 0; + let (x178, x179) = fiat_bign256_mulx_u64(x168, 0xa53fa94fea53fa95); + let mut x180: u64 = 0; + let mut x181: u64 = 0; + let (x180, x181) = fiat_bign256_mulx_u64(x178, 0xffffffffffffffff); + let mut x182: u64 = 0; + let mut x183: u64 = 0; + let (x182, x183) = fiat_bign256_mulx_u64(x178, 0xffffffffffffffff); + let mut x184: u64 = 0; + let mut x185: u64 = 0; + let (x184, x185) = fiat_bign256_mulx_u64(x178, 0xffffffffffffffff); + let mut x186: u64 = 0; + let mut x187: u64 = 0; + let (x186, x187) = fiat_bign256_mulx_u64(x178, 0xffffffffffffff43); + let mut x188: u64 = 0; + let mut x189: fiat_bign256_u1 = 0; + let (x188, x189) = fiat_bign256_addcarryx_u64(0x0, x187, x184); + let mut x190: u64 = 0; + let mut x191: fiat_bign256_u1 = 0; + let (x190, x191) = fiat_bign256_addcarryx_u64(x189, x185, x182); + let mut x192: u64 = 0; + let mut x193: fiat_bign256_u1 = 0; + let (x192, x193) = fiat_bign256_addcarryx_u64(x191, x183, x180); + let x194: u64 = ((x193 as u64) + x181); + let mut x195: u64 = 0; + let mut x196: fiat_bign256_u1 = 0; + let (x195, x196) = fiat_bign256_addcarryx_u64(0x0, x168, x186); + let mut x197: u64 = 0; + let mut x198: fiat_bign256_u1 = 0; + let (x197, x198) = fiat_bign256_addcarryx_u64(x196, x170, x188); + let mut x199: u64 = 0; + let mut x200: fiat_bign256_u1 = 0; + let (x199, x200) = fiat_bign256_addcarryx_u64(x198, x172, x190); + let mut x201: u64 = 0; + let mut x202: fiat_bign256_u1 = 0; + let (x201, x202) = fiat_bign256_addcarryx_u64(x200, x174, x192); + let mut x203: u64 = 0; + let mut x204: fiat_bign256_u1 = 0; + let (x203, x204) = fiat_bign256_addcarryx_u64(x202, x176, x194); + let x205: u64 = ((x204 as u64) + (x177 as u64)); + let mut x206: u64 = 0; + let mut x207: fiat_bign256_u1 = 0; + let (x206, x207) = fiat_bign256_subborrowx_u64(0x0, x197, 0xffffffffffffff43); + let mut x208: u64 = 0; + let mut x209: fiat_bign256_u1 = 0; + let (x208, x209) = fiat_bign256_subborrowx_u64(x207, x199, 0xffffffffffffffff); + let mut x210: u64 = 0; + let mut x211: fiat_bign256_u1 = 0; + let (x210, x211) = fiat_bign256_subborrowx_u64(x209, x201, 0xffffffffffffffff); + let mut x212: u64 = 0; + let mut x213: fiat_bign256_u1 = 0; + let (x212, x213) = fiat_bign256_subborrowx_u64(x211, x203, 0xffffffffffffffff); + let mut x214: u64 = 0; + let mut x215: fiat_bign256_u1 = 0; + let (x214, x215) = fiat_bign256_subborrowx_u64(x213, x205, (0x0 as u64)); + let mut x216: u64 = 0; + let (x216) = fiat_bign256_cmovznz_u64(x215, x206, x197); + let mut x217: u64 = 0; + let (x217) = fiat_bign256_cmovznz_u64(x215, x208, x199); + let mut x218: u64 = 0; + let (x218) = fiat_bign256_cmovznz_u64(x215, x210, x201); + let mut x219: u64 = 0; + let (x219) = fiat_bign256_cmovznz_u64(x215, x212, x203); + out1[0] = x216; + out1[1] = x217; + out1[2] = x218; + out1[3] = x219; + out1 +} +#[doc = " The function fiat_bign256_square squares a field element in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_square( + arg1: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 4]; + let x1: u64 = (arg1[1]); + let x2: u64 = (arg1[2]); + let x3: u64 = (arg1[3]); + let x4: u64 = (arg1[0]); + let mut x5: u64 = 0; + let mut x6: u64 = 0; + let (x5, x6) = fiat_bign256_mulx_u64(x4, (arg1[3])); + let mut x7: u64 = 0; + let mut x8: u64 = 0; + let (x7, x8) = fiat_bign256_mulx_u64(x4, (arg1[2])); + let mut x9: u64 = 0; + let mut x10: u64 = 0; + let (x9, x10) = fiat_bign256_mulx_u64(x4, (arg1[1])); + let mut x11: u64 = 0; + let mut x12: u64 = 0; + let (x11, x12) = fiat_bign256_mulx_u64(x4, (arg1[0])); + let mut x13: u64 = 0; + let mut x14: fiat_bign256_u1 = 0; + let (x13, x14) = fiat_bign256_addcarryx_u64(0x0, x12, x9); + let mut x15: u64 = 0; + let mut x16: fiat_bign256_u1 = 0; + let (x15, x16) = fiat_bign256_addcarryx_u64(x14, x10, x7); + let mut x17: u64 = 0; + let mut x18: fiat_bign256_u1 = 0; + let (x17, x18) = fiat_bign256_addcarryx_u64(x16, x8, x5); + let x19: u64 = ((x18 as u64) + x6); + let mut x20: u64 = 0; + let mut x21: u64 = 0; + let (x20, x21) = fiat_bign256_mulx_u64(x11, 0xa53fa94fea53fa95); + let mut x22: u64 = 0; + let mut x23: u64 = 0; + let (x22, x23) = fiat_bign256_mulx_u64(x20, 0xffffffffffffffff); + let mut x24: u64 = 0; + let mut x25: u64 = 0; + let (x24, x25) = fiat_bign256_mulx_u64(x20, 0xffffffffffffffff); + let mut x26: u64 = 0; + let mut x27: u64 = 0; + let (x26, x27) = fiat_bign256_mulx_u64(x20, 0xffffffffffffffff); + let mut x28: u64 = 0; + let mut x29: u64 = 0; + let (x28, x29) = fiat_bign256_mulx_u64(x20, 0xffffffffffffff43); + let mut x30: u64 = 0; + let mut x31: fiat_bign256_u1 = 0; + let (x30, x31) = fiat_bign256_addcarryx_u64(0x0, x29, x26); + let mut x32: u64 = 0; + let mut x33: fiat_bign256_u1 = 0; + let (x32, x33) = fiat_bign256_addcarryx_u64(x31, x27, x24); + let mut x34: u64 = 0; + let mut x35: fiat_bign256_u1 = 0; + let (x34, x35) = fiat_bign256_addcarryx_u64(x33, x25, x22); + let x36: u64 = ((x35 as u64) + x23); + let mut x37: u64 = 0; + let mut x38: fiat_bign256_u1 = 0; + let (x37, x38) = fiat_bign256_addcarryx_u64(0x0, x11, x28); + let mut x39: u64 = 0; + let mut x40: fiat_bign256_u1 = 0; + let (x39, x40) = fiat_bign256_addcarryx_u64(x38, x13, x30); + let mut x41: u64 = 0; + let mut x42: fiat_bign256_u1 = 0; + let (x41, x42) = fiat_bign256_addcarryx_u64(x40, x15, x32); + let mut x43: u64 = 0; + let mut x44: fiat_bign256_u1 = 0; + let (x43, x44) = fiat_bign256_addcarryx_u64(x42, x17, x34); + let mut x45: u64 = 0; + let mut x46: fiat_bign256_u1 = 0; + let (x45, x46) = fiat_bign256_addcarryx_u64(x44, x19, x36); + let mut x47: u64 = 0; + let mut x48: u64 = 0; + let (x47, x48) = fiat_bign256_mulx_u64(x1, (arg1[3])); + let mut x49: u64 = 0; + let mut x50: u64 = 0; + let (x49, x50) = fiat_bign256_mulx_u64(x1, (arg1[2])); + let mut x51: u64 = 0; + let mut x52: u64 = 0; + let (x51, x52) = fiat_bign256_mulx_u64(x1, (arg1[1])); + let mut x53: u64 = 0; + let mut x54: u64 = 0; + let (x53, x54) = fiat_bign256_mulx_u64(x1, (arg1[0])); + let mut x55: u64 = 0; + let mut x56: fiat_bign256_u1 = 0; + let (x55, x56) = fiat_bign256_addcarryx_u64(0x0, x54, x51); + let mut x57: u64 = 0; + let mut x58: fiat_bign256_u1 = 0; + let (x57, x58) = fiat_bign256_addcarryx_u64(x56, x52, x49); + let mut x59: u64 = 0; + let mut x60: fiat_bign256_u1 = 0; + let (x59, x60) = fiat_bign256_addcarryx_u64(x58, x50, x47); + let x61: u64 = ((x60 as u64) + x48); + let mut x62: u64 = 0; + let mut x63: fiat_bign256_u1 = 0; + let (x62, x63) = fiat_bign256_addcarryx_u64(0x0, x39, x53); + let mut x64: u64 = 0; + let mut x65: fiat_bign256_u1 = 0; + let (x64, x65) = fiat_bign256_addcarryx_u64(x63, x41, x55); + let mut x66: u64 = 0; + let mut x67: fiat_bign256_u1 = 0; + let (x66, x67) = fiat_bign256_addcarryx_u64(x65, x43, x57); + let mut x68: u64 = 0; + let mut x69: fiat_bign256_u1 = 0; + let (x68, x69) = fiat_bign256_addcarryx_u64(x67, x45, x59); + let mut x70: u64 = 0; + let mut x71: fiat_bign256_u1 = 0; + let (x70, x71) = fiat_bign256_addcarryx_u64(x69, (x46 as u64), x61); + let mut x72: u64 = 0; + let mut x73: u64 = 0; + let (x72, x73) = fiat_bign256_mulx_u64(x62, 0xa53fa94fea53fa95); + let mut x74: u64 = 0; + let mut x75: u64 = 0; + let (x74, x75) = fiat_bign256_mulx_u64(x72, 0xffffffffffffffff); + let mut x76: u64 = 0; + let mut x77: u64 = 0; + let (x76, x77) = fiat_bign256_mulx_u64(x72, 0xffffffffffffffff); + let mut x78: u64 = 0; + let mut x79: u64 = 0; + let (x78, x79) = fiat_bign256_mulx_u64(x72, 0xffffffffffffffff); + let mut x80: u64 = 0; + let mut x81: u64 = 0; + let (x80, x81) = fiat_bign256_mulx_u64(x72, 0xffffffffffffff43); + let mut x82: u64 = 0; + let mut x83: fiat_bign256_u1 = 0; + let (x82, x83) = fiat_bign256_addcarryx_u64(0x0, x81, x78); + let mut x84: u64 = 0; + let mut x85: fiat_bign256_u1 = 0; + let (x84, x85) = fiat_bign256_addcarryx_u64(x83, x79, x76); + let mut x86: u64 = 0; + let mut x87: fiat_bign256_u1 = 0; + let (x86, x87) = fiat_bign256_addcarryx_u64(x85, x77, x74); + let x88: u64 = ((x87 as u64) + x75); + let mut x89: u64 = 0; + let mut x90: fiat_bign256_u1 = 0; + let (x89, x90) = fiat_bign256_addcarryx_u64(0x0, x62, x80); + let mut x91: u64 = 0; + let mut x92: fiat_bign256_u1 = 0; + let (x91, x92) = fiat_bign256_addcarryx_u64(x90, x64, x82); + let mut x93: u64 = 0; + let mut x94: fiat_bign256_u1 = 0; + let (x93, x94) = fiat_bign256_addcarryx_u64(x92, x66, x84); + let mut x95: u64 = 0; + let mut x96: fiat_bign256_u1 = 0; + let (x95, x96) = fiat_bign256_addcarryx_u64(x94, x68, x86); + let mut x97: u64 = 0; + let mut x98: fiat_bign256_u1 = 0; + let (x97, x98) = fiat_bign256_addcarryx_u64(x96, x70, x88); + let x99: u64 = ((x98 as u64) + (x71 as u64)); + let mut x100: u64 = 0; + let mut x101: u64 = 0; + let (x100, x101) = fiat_bign256_mulx_u64(x2, (arg1[3])); + let mut x102: u64 = 0; + let mut x103: u64 = 0; + let (x102, x103) = fiat_bign256_mulx_u64(x2, (arg1[2])); + let mut x104: u64 = 0; + let mut x105: u64 = 0; + let (x104, x105) = fiat_bign256_mulx_u64(x2, (arg1[1])); + let mut x106: u64 = 0; + let mut x107: u64 = 0; + let (x106, x107) = fiat_bign256_mulx_u64(x2, (arg1[0])); + let mut x108: u64 = 0; + let mut x109: fiat_bign256_u1 = 0; + let (x108, x109) = fiat_bign256_addcarryx_u64(0x0, x107, x104); + let mut x110: u64 = 0; + let mut x111: fiat_bign256_u1 = 0; + let (x110, x111) = fiat_bign256_addcarryx_u64(x109, x105, x102); + let mut x112: u64 = 0; + let mut x113: fiat_bign256_u1 = 0; + let (x112, x113) = fiat_bign256_addcarryx_u64(x111, x103, x100); + let x114: u64 = ((x113 as u64) + x101); + let mut x115: u64 = 0; + let mut x116: fiat_bign256_u1 = 0; + let (x115, x116) = fiat_bign256_addcarryx_u64(0x0, x91, x106); + let mut x117: u64 = 0; + let mut x118: fiat_bign256_u1 = 0; + let (x117, x118) = fiat_bign256_addcarryx_u64(x116, x93, x108); + let mut x119: u64 = 0; + let mut x120: fiat_bign256_u1 = 0; + let (x119, x120) = fiat_bign256_addcarryx_u64(x118, x95, x110); + let mut x121: u64 = 0; + let mut x122: fiat_bign256_u1 = 0; + let (x121, x122) = fiat_bign256_addcarryx_u64(x120, x97, x112); + let mut x123: u64 = 0; + let mut x124: fiat_bign256_u1 = 0; + let (x123, x124) = fiat_bign256_addcarryx_u64(x122, x99, x114); + let mut x125: u64 = 0; + let mut x126: u64 = 0; + let (x125, x126) = fiat_bign256_mulx_u64(x115, 0xa53fa94fea53fa95); + let mut x127: u64 = 0; + let mut x128: u64 = 0; + let (x127, x128) = fiat_bign256_mulx_u64(x125, 0xffffffffffffffff); + let mut x129: u64 = 0; + let mut x130: u64 = 0; + let (x129, x130) = fiat_bign256_mulx_u64(x125, 0xffffffffffffffff); + let mut x131: u64 = 0; + let mut x132: u64 = 0; + let (x131, x132) = fiat_bign256_mulx_u64(x125, 0xffffffffffffffff); + let mut x133: u64 = 0; + let mut x134: u64 = 0; + let (x133, x134) = fiat_bign256_mulx_u64(x125, 0xffffffffffffff43); + let mut x135: u64 = 0; + let mut x136: fiat_bign256_u1 = 0; + let (x135, x136) = fiat_bign256_addcarryx_u64(0x0, x134, x131); + let mut x137: u64 = 0; + let mut x138: fiat_bign256_u1 = 0; + let (x137, x138) = fiat_bign256_addcarryx_u64(x136, x132, x129); + let mut x139: u64 = 0; + let mut x140: fiat_bign256_u1 = 0; + let (x139, x140) = fiat_bign256_addcarryx_u64(x138, x130, x127); + let x141: u64 = ((x140 as u64) + x128); + let mut x142: u64 = 0; + let mut x143: fiat_bign256_u1 = 0; + let (x142, x143) = fiat_bign256_addcarryx_u64(0x0, x115, x133); + let mut x144: u64 = 0; + let mut x145: fiat_bign256_u1 = 0; + let (x144, x145) = fiat_bign256_addcarryx_u64(x143, x117, x135); + let mut x146: u64 = 0; + let mut x147: fiat_bign256_u1 = 0; + let (x146, x147) = fiat_bign256_addcarryx_u64(x145, x119, x137); + let mut x148: u64 = 0; + let mut x149: fiat_bign256_u1 = 0; + let (x148, x149) = fiat_bign256_addcarryx_u64(x147, x121, x139); + let mut x150: u64 = 0; + let mut x151: fiat_bign256_u1 = 0; + let (x150, x151) = fiat_bign256_addcarryx_u64(x149, x123, x141); + let x152: u64 = ((x151 as u64) + (x124 as u64)); + let mut x153: u64 = 0; + let mut x154: u64 = 0; + let (x153, x154) = fiat_bign256_mulx_u64(x3, (arg1[3])); + let mut x155: u64 = 0; + let mut x156: u64 = 0; + let (x155, x156) = fiat_bign256_mulx_u64(x3, (arg1[2])); + let mut x157: u64 = 0; + let mut x158: u64 = 0; + let (x157, x158) = fiat_bign256_mulx_u64(x3, (arg1[1])); + let mut x159: u64 = 0; + let mut x160: u64 = 0; + let (x159, x160) = fiat_bign256_mulx_u64(x3, (arg1[0])); + let mut x161: u64 = 0; + let mut x162: fiat_bign256_u1 = 0; + let (x161, x162) = fiat_bign256_addcarryx_u64(0x0, x160, x157); + let mut x163: u64 = 0; + let mut x164: fiat_bign256_u1 = 0; + let (x163, x164) = fiat_bign256_addcarryx_u64(x162, x158, x155); + let mut x165: u64 = 0; + let mut x166: fiat_bign256_u1 = 0; + let (x165, x166) = fiat_bign256_addcarryx_u64(x164, x156, x153); + let x167: u64 = ((x166 as u64) + x154); + let mut x168: u64 = 0; + let mut x169: fiat_bign256_u1 = 0; + let (x168, x169) = fiat_bign256_addcarryx_u64(0x0, x144, x159); + let mut x170: u64 = 0; + let mut x171: fiat_bign256_u1 = 0; + let (x170, x171) = fiat_bign256_addcarryx_u64(x169, x146, x161); + let mut x172: u64 = 0; + let mut x173: fiat_bign256_u1 = 0; + let (x172, x173) = fiat_bign256_addcarryx_u64(x171, x148, x163); + let mut x174: u64 = 0; + let mut x175: fiat_bign256_u1 = 0; + let (x174, x175) = fiat_bign256_addcarryx_u64(x173, x150, x165); + let mut x176: u64 = 0; + let mut x177: fiat_bign256_u1 = 0; + let (x176, x177) = fiat_bign256_addcarryx_u64(x175, x152, x167); + let mut x178: u64 = 0; + let mut x179: u64 = 0; + let (x178, x179) = fiat_bign256_mulx_u64(x168, 0xa53fa94fea53fa95); + let mut x180: u64 = 0; + let mut x181: u64 = 0; + let (x180, x181) = fiat_bign256_mulx_u64(x178, 0xffffffffffffffff); + let mut x182: u64 = 0; + let mut x183: u64 = 0; + let (x182, x183) = fiat_bign256_mulx_u64(x178, 0xffffffffffffffff); + let mut x184: u64 = 0; + let mut x185: u64 = 0; + let (x184, x185) = fiat_bign256_mulx_u64(x178, 0xffffffffffffffff); + let mut x186: u64 = 0; + let mut x187: u64 = 0; + let (x186, x187) = fiat_bign256_mulx_u64(x178, 0xffffffffffffff43); + let mut x188: u64 = 0; + let mut x189: fiat_bign256_u1 = 0; + let (x188, x189) = fiat_bign256_addcarryx_u64(0x0, x187, x184); + let mut x190: u64 = 0; + let mut x191: fiat_bign256_u1 = 0; + let (x190, x191) = fiat_bign256_addcarryx_u64(x189, x185, x182); + let mut x192: u64 = 0; + let mut x193: fiat_bign256_u1 = 0; + let (x192, x193) = fiat_bign256_addcarryx_u64(x191, x183, x180); + let x194: u64 = ((x193 as u64) + x181); + let mut x195: u64 = 0; + let mut x196: fiat_bign256_u1 = 0; + let (x195, x196) = fiat_bign256_addcarryx_u64(0x0, x168, x186); + let mut x197: u64 = 0; + let mut x198: fiat_bign256_u1 = 0; + let (x197, x198) = fiat_bign256_addcarryx_u64(x196, x170, x188); + let mut x199: u64 = 0; + let mut x200: fiat_bign256_u1 = 0; + let (x199, x200) = fiat_bign256_addcarryx_u64(x198, x172, x190); + let mut x201: u64 = 0; + let mut x202: fiat_bign256_u1 = 0; + let (x201, x202) = fiat_bign256_addcarryx_u64(x200, x174, x192); + let mut x203: u64 = 0; + let mut x204: fiat_bign256_u1 = 0; + let (x203, x204) = fiat_bign256_addcarryx_u64(x202, x176, x194); + let x205: u64 = ((x204 as u64) + (x177 as u64)); + let mut x206: u64 = 0; + let mut x207: fiat_bign256_u1 = 0; + let (x206, x207) = fiat_bign256_subborrowx_u64(0x0, x197, 0xffffffffffffff43); + let mut x208: u64 = 0; + let mut x209: fiat_bign256_u1 = 0; + let (x208, x209) = fiat_bign256_subborrowx_u64(x207, x199, 0xffffffffffffffff); + let mut x210: u64 = 0; + let mut x211: fiat_bign256_u1 = 0; + let (x210, x211) = fiat_bign256_subborrowx_u64(x209, x201, 0xffffffffffffffff); + let mut x212: u64 = 0; + let mut x213: fiat_bign256_u1 = 0; + let (x212, x213) = fiat_bign256_subborrowx_u64(x211, x203, 0xffffffffffffffff); + let mut x214: u64 = 0; + let mut x215: fiat_bign256_u1 = 0; + let (x214, x215) = fiat_bign256_subborrowx_u64(x213, x205, (0x0 as u64)); + let mut x216: u64 = 0; + let (x216) = fiat_bign256_cmovznz_u64(x215, x206, x197); + let mut x217: u64 = 0; + let (x217) = fiat_bign256_cmovznz_u64(x215, x208, x199); + let mut x218: u64 = 0; + let (x218) = fiat_bign256_cmovznz_u64(x215, x210, x201); + let mut x219: u64 = 0; + let (x219) = fiat_bign256_cmovznz_u64(x215, x212, x203); + out1[0] = x216; + out1[1] = x217; + out1[2] = x218; + out1[3] = x219; + out1 +} +#[doc = " The function fiat_bign256_add adds two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_add( + arg1: &fiat_bign256_montgomery_domain_field_element, + arg2: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 4]; + let mut x1: u64 = 0; + let mut x2: fiat_bign256_u1 = 0; + let (x1, x2) = fiat_bign256_addcarryx_u64(0x0, (arg1[0]), (arg2[0])); + let mut x3: u64 = 0; + let mut x4: fiat_bign256_u1 = 0; + let (x3, x4) = fiat_bign256_addcarryx_u64(x2, (arg1[1]), (arg2[1])); + let mut x5: u64 = 0; + let mut x6: fiat_bign256_u1 = 0; + let (x5, x6) = fiat_bign256_addcarryx_u64(x4, (arg1[2]), (arg2[2])); + let mut x7: u64 = 0; + let mut x8: fiat_bign256_u1 = 0; + let (x7, x8) = fiat_bign256_addcarryx_u64(x6, (arg1[3]), (arg2[3])); + let mut x9: u64 = 0; + let mut x10: fiat_bign256_u1 = 0; + let (x9, x10) = fiat_bign256_subborrowx_u64(0x0, x1, 0xffffffffffffff43); + let mut x11: u64 = 0; + let mut x12: fiat_bign256_u1 = 0; + let (x11, x12) = fiat_bign256_subborrowx_u64(x10, x3, 0xffffffffffffffff); + let mut x13: u64 = 0; + let mut x14: fiat_bign256_u1 = 0; + let (x13, x14) = fiat_bign256_subborrowx_u64(x12, x5, 0xffffffffffffffff); + let mut x15: u64 = 0; + let mut x16: fiat_bign256_u1 = 0; + let (x15, x16) = fiat_bign256_subborrowx_u64(x14, x7, 0xffffffffffffffff); + let mut x17: u64 = 0; + let mut x18: fiat_bign256_u1 = 0; + let (x17, x18) = fiat_bign256_subborrowx_u64(x16, (x8 as u64), (0x0 as u64)); + let mut x19: u64 = 0; + let (x19) = fiat_bign256_cmovznz_u64(x18, x9, x1); + let mut x20: u64 = 0; + let (x20) = fiat_bign256_cmovznz_u64(x18, x11, x3); + let mut x21: u64 = 0; + let (x21) = fiat_bign256_cmovznz_u64(x18, x13, x5); + let mut x22: u64 = 0; + let (x22) = fiat_bign256_cmovznz_u64(x18, x15, x7); + out1[0] = x19; + out1[1] = x20; + out1[2] = x21; + out1[3] = x22; + out1 +} +#[doc = " The function fiat_bign256_sub subtracts two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_sub( + arg1: &fiat_bign256_montgomery_domain_field_element, + arg2: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 4]; + let mut x1: u64 = 0; + let mut x2: fiat_bign256_u1 = 0; + let (x1, x2) = fiat_bign256_subborrowx_u64(0x0, (arg1[0]), (arg2[0])); + let mut x3: u64 = 0; + let mut x4: fiat_bign256_u1 = 0; + let (x3, x4) = fiat_bign256_subborrowx_u64(x2, (arg1[1]), (arg2[1])); + let mut x5: u64 = 0; + let mut x6: fiat_bign256_u1 = 0; + let (x5, x6) = fiat_bign256_subborrowx_u64(x4, (arg1[2]), (arg2[2])); + let mut x7: u64 = 0; + let mut x8: fiat_bign256_u1 = 0; + let (x7, x8) = fiat_bign256_subborrowx_u64(x6, (arg1[3]), (arg2[3])); + let mut x9: u64 = 0; + let (x9) = fiat_bign256_cmovznz_u64(x8, (0x0 as u64), 0xffffffffffffffff); + let mut x10: u64 = 0; + let mut x11: fiat_bign256_u1 = 0; + let (x10, x11) = fiat_bign256_addcarryx_u64(0x0, x1, (x9 & 0xffffffffffffff43)); + let mut x12: u64 = 0; + let mut x13: fiat_bign256_u1 = 0; + let (x12, x13) = fiat_bign256_addcarryx_u64(x11, x3, x9); + let mut x14: u64 = 0; + let mut x15: fiat_bign256_u1 = 0; + let (x14, x15) = fiat_bign256_addcarryx_u64(x13, x5, x9); + let mut x16: u64 = 0; + let mut x17: fiat_bign256_u1 = 0; + let (x16, x17) = fiat_bign256_addcarryx_u64(x15, x7, x9); + out1[0] = x10; + out1[1] = x12; + out1[2] = x14; + out1[3] = x16; + out1 +} +#[doc = " The function fiat_bign256_opp negates a field element in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_opp( + arg1: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 4]; + let mut x1: u64 = 0; + let mut x2: fiat_bign256_u1 = 0; + let (x1, x2) = fiat_bign256_subborrowx_u64(0x0, (0x0 as u64), (arg1[0])); + let mut x3: u64 = 0; + let mut x4: fiat_bign256_u1 = 0; + let (x3, x4) = fiat_bign256_subborrowx_u64(x2, (0x0 as u64), (arg1[1])); + let mut x5: u64 = 0; + let mut x6: fiat_bign256_u1 = 0; + let (x5, x6) = fiat_bign256_subborrowx_u64(x4, (0x0 as u64), (arg1[2])); + let mut x7: u64 = 0; + let mut x8: fiat_bign256_u1 = 0; + let (x7, x8) = fiat_bign256_subborrowx_u64(x6, (0x0 as u64), (arg1[3])); + let mut x9: u64 = 0; + let (x9) = fiat_bign256_cmovznz_u64(x8, (0x0 as u64), 0xffffffffffffffff); + let mut x10: u64 = 0; + let mut x11: fiat_bign256_u1 = 0; + let (x10, x11) = fiat_bign256_addcarryx_u64(0x0, x1, (x9 & 0xffffffffffffff43)); + let mut x12: u64 = 0; + let mut x13: fiat_bign256_u1 = 0; + let (x12, x13) = fiat_bign256_addcarryx_u64(x11, x3, x9); + let mut x14: u64 = 0; + let mut x15: fiat_bign256_u1 = 0; + let (x14, x15) = fiat_bign256_addcarryx_u64(x13, x5, x9); + let mut x16: u64 = 0; + let mut x17: fiat_bign256_u1 = 0; + let (x16, x17) = fiat_bign256_addcarryx_u64(x15, x7, x9); + out1[0] = x10; + out1[1] = x12; + out1[2] = x14; + out1[3] = x16; + out1 +} +#[doc = " The function fiat_bign256_from_montgomery translates a field element out of the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_from_montgomery( + arg1: &fiat_bign256_montgomery_domain_field_element, +) -> fiat_bign256_non_montgomery_domain_field_element { + let mut out1: fiat_bign256_non_montgomery_domain_field_element = [0; 4]; + let x1: u64 = (arg1[0]); + let mut x2: u64 = 0; + let mut x3: u64 = 0; + let (x2, x3) = fiat_bign256_mulx_u64(x1, 0xa53fa94fea53fa95); + let mut x4: u64 = 0; + let mut x5: u64 = 0; + let (x4, x5) = fiat_bign256_mulx_u64(x2, 0xffffffffffffffff); + let mut x6: u64 = 0; + let mut x7: u64 = 0; + let (x6, x7) = fiat_bign256_mulx_u64(x2, 0xffffffffffffffff); + let mut x8: u64 = 0; + let mut x9: u64 = 0; + let (x8, x9) = fiat_bign256_mulx_u64(x2, 0xffffffffffffffff); + let mut x10: u64 = 0; + let mut x11: u64 = 0; + let (x10, x11) = fiat_bign256_mulx_u64(x2, 0xffffffffffffff43); + let mut x12: u64 = 0; + let mut x13: fiat_bign256_u1 = 0; + let (x12, x13) = fiat_bign256_addcarryx_u64(0x0, x11, x8); + let mut x14: u64 = 0; + let mut x15: fiat_bign256_u1 = 0; + let (x14, x15) = fiat_bign256_addcarryx_u64(x13, x9, x6); + let mut x16: u64 = 0; + let mut x17: fiat_bign256_u1 = 0; + let (x16, x17) = fiat_bign256_addcarryx_u64(x15, x7, x4); + let mut x18: u64 = 0; + let mut x19: fiat_bign256_u1 = 0; + let (x18, x19) = fiat_bign256_addcarryx_u64(0x0, x1, x10); + let mut x20: u64 = 0; + let mut x21: fiat_bign256_u1 = 0; + let (x20, x21) = fiat_bign256_addcarryx_u64(x19, (0x0 as u64), x12); + let mut x22: u64 = 0; + let mut x23: fiat_bign256_u1 = 0; + let (x22, x23) = fiat_bign256_addcarryx_u64(x21, (0x0 as u64), x14); + let mut x24: u64 = 0; + let mut x25: fiat_bign256_u1 = 0; + let (x24, x25) = fiat_bign256_addcarryx_u64(x23, (0x0 as u64), x16); + let mut x26: u64 = 0; + let mut x27: fiat_bign256_u1 = 0; + let (x26, x27) = fiat_bign256_addcarryx_u64(x25, (0x0 as u64), ((x17 as u64) + x5)); + let mut x28: u64 = 0; + let mut x29: fiat_bign256_u1 = 0; + let (x28, x29) = fiat_bign256_addcarryx_u64(0x0, x20, (arg1[1])); + let mut x30: u64 = 0; + let mut x31: fiat_bign256_u1 = 0; + let (x30, x31) = fiat_bign256_addcarryx_u64(x29, x22, (0x0 as u64)); + let mut x32: u64 = 0; + let mut x33: fiat_bign256_u1 = 0; + let (x32, x33) = fiat_bign256_addcarryx_u64(x31, x24, (0x0 as u64)); + let mut x34: u64 = 0; + let mut x35: fiat_bign256_u1 = 0; + let (x34, x35) = fiat_bign256_addcarryx_u64(x33, x26, (0x0 as u64)); + let mut x36: u64 = 0; + let mut x37: u64 = 0; + let (x36, x37) = fiat_bign256_mulx_u64(x28, 0xa53fa94fea53fa95); + let mut x38: u64 = 0; + let mut x39: u64 = 0; + let (x38, x39) = fiat_bign256_mulx_u64(x36, 0xffffffffffffffff); + let mut x40: u64 = 0; + let mut x41: u64 = 0; + let (x40, x41) = fiat_bign256_mulx_u64(x36, 0xffffffffffffffff); + let mut x42: u64 = 0; + let mut x43: u64 = 0; + let (x42, x43) = fiat_bign256_mulx_u64(x36, 0xffffffffffffffff); + let mut x44: u64 = 0; + let mut x45: u64 = 0; + let (x44, x45) = fiat_bign256_mulx_u64(x36, 0xffffffffffffff43); + let mut x46: u64 = 0; + let mut x47: fiat_bign256_u1 = 0; + let (x46, x47) = fiat_bign256_addcarryx_u64(0x0, x45, x42); + let mut x48: u64 = 0; + let mut x49: fiat_bign256_u1 = 0; + let (x48, x49) = fiat_bign256_addcarryx_u64(x47, x43, x40); + let mut x50: u64 = 0; + let mut x51: fiat_bign256_u1 = 0; + let (x50, x51) = fiat_bign256_addcarryx_u64(x49, x41, x38); + let mut x52: u64 = 0; + let mut x53: fiat_bign256_u1 = 0; + let (x52, x53) = fiat_bign256_addcarryx_u64(0x0, x28, x44); + let mut x54: u64 = 0; + let mut x55: fiat_bign256_u1 = 0; + let (x54, x55) = fiat_bign256_addcarryx_u64(x53, x30, x46); + let mut x56: u64 = 0; + let mut x57: fiat_bign256_u1 = 0; + let (x56, x57) = fiat_bign256_addcarryx_u64(x55, x32, x48); + let mut x58: u64 = 0; + let mut x59: fiat_bign256_u1 = 0; + let (x58, x59) = fiat_bign256_addcarryx_u64(x57, x34, x50); + let mut x60: u64 = 0; + let mut x61: fiat_bign256_u1 = 0; + let (x60, x61) = + fiat_bign256_addcarryx_u64(x59, ((x35 as u64) + (x27 as u64)), ((x51 as u64) + x39)); + let mut x62: u64 = 0; + let mut x63: fiat_bign256_u1 = 0; + let (x62, x63) = fiat_bign256_addcarryx_u64(0x0, x54, (arg1[2])); + let mut x64: u64 = 0; + let mut x65: fiat_bign256_u1 = 0; + let (x64, x65) = fiat_bign256_addcarryx_u64(x63, x56, (0x0 as u64)); + let mut x66: u64 = 0; + let mut x67: fiat_bign256_u1 = 0; + let (x66, x67) = fiat_bign256_addcarryx_u64(x65, x58, (0x0 as u64)); + let mut x68: u64 = 0; + let mut x69: fiat_bign256_u1 = 0; + let (x68, x69) = fiat_bign256_addcarryx_u64(x67, x60, (0x0 as u64)); + let mut x70: u64 = 0; + let mut x71: u64 = 0; + let (x70, x71) = fiat_bign256_mulx_u64(x62, 0xa53fa94fea53fa95); + let mut x72: u64 = 0; + let mut x73: u64 = 0; + let (x72, x73) = fiat_bign256_mulx_u64(x70, 0xffffffffffffffff); + let mut x74: u64 = 0; + let mut x75: u64 = 0; + let (x74, x75) = fiat_bign256_mulx_u64(x70, 0xffffffffffffffff); + let mut x76: u64 = 0; + let mut x77: u64 = 0; + let (x76, x77) = fiat_bign256_mulx_u64(x70, 0xffffffffffffffff); + let mut x78: u64 = 0; + let mut x79: u64 = 0; + let (x78, x79) = fiat_bign256_mulx_u64(x70, 0xffffffffffffff43); + let mut x80: u64 = 0; + let mut x81: fiat_bign256_u1 = 0; + let (x80, x81) = fiat_bign256_addcarryx_u64(0x0, x79, x76); + let mut x82: u64 = 0; + let mut x83: fiat_bign256_u1 = 0; + let (x82, x83) = fiat_bign256_addcarryx_u64(x81, x77, x74); + let mut x84: u64 = 0; + let mut x85: fiat_bign256_u1 = 0; + let (x84, x85) = fiat_bign256_addcarryx_u64(x83, x75, x72); + let mut x86: u64 = 0; + let mut x87: fiat_bign256_u1 = 0; + let (x86, x87) = fiat_bign256_addcarryx_u64(0x0, x62, x78); + let mut x88: u64 = 0; + let mut x89: fiat_bign256_u1 = 0; + let (x88, x89) = fiat_bign256_addcarryx_u64(x87, x64, x80); + let mut x90: u64 = 0; + let mut x91: fiat_bign256_u1 = 0; + let (x90, x91) = fiat_bign256_addcarryx_u64(x89, x66, x82); + let mut x92: u64 = 0; + let mut x93: fiat_bign256_u1 = 0; + let (x92, x93) = fiat_bign256_addcarryx_u64(x91, x68, x84); + let mut x94: u64 = 0; + let mut x95: fiat_bign256_u1 = 0; + let (x94, x95) = + fiat_bign256_addcarryx_u64(x93, ((x69 as u64) + (x61 as u64)), ((x85 as u64) + x73)); + let mut x96: u64 = 0; + let mut x97: fiat_bign256_u1 = 0; + let (x96, x97) = fiat_bign256_addcarryx_u64(0x0, x88, (arg1[3])); + let mut x98: u64 = 0; + let mut x99: fiat_bign256_u1 = 0; + let (x98, x99) = fiat_bign256_addcarryx_u64(x97, x90, (0x0 as u64)); + let mut x100: u64 = 0; + let mut x101: fiat_bign256_u1 = 0; + let (x100, x101) = fiat_bign256_addcarryx_u64(x99, x92, (0x0 as u64)); + let mut x102: u64 = 0; + let mut x103: fiat_bign256_u1 = 0; + let (x102, x103) = fiat_bign256_addcarryx_u64(x101, x94, (0x0 as u64)); + let mut x104: u64 = 0; + let mut x105: u64 = 0; + let (x104, x105) = fiat_bign256_mulx_u64(x96, 0xa53fa94fea53fa95); + let mut x106: u64 = 0; + let mut x107: u64 = 0; + let (x106, x107) = fiat_bign256_mulx_u64(x104, 0xffffffffffffffff); + let mut x108: u64 = 0; + let mut x109: u64 = 0; + let (x108, x109) = fiat_bign256_mulx_u64(x104, 0xffffffffffffffff); + let mut x110: u64 = 0; + let mut x111: u64 = 0; + let (x110, x111) = fiat_bign256_mulx_u64(x104, 0xffffffffffffffff); + let mut x112: u64 = 0; + let mut x113: u64 = 0; + let (x112, x113) = fiat_bign256_mulx_u64(x104, 0xffffffffffffff43); + let mut x114: u64 = 0; + let mut x115: fiat_bign256_u1 = 0; + let (x114, x115) = fiat_bign256_addcarryx_u64(0x0, x113, x110); + let mut x116: u64 = 0; + let mut x117: fiat_bign256_u1 = 0; + let (x116, x117) = fiat_bign256_addcarryx_u64(x115, x111, x108); + let mut x118: u64 = 0; + let mut x119: fiat_bign256_u1 = 0; + let (x118, x119) = fiat_bign256_addcarryx_u64(x117, x109, x106); + let mut x120: u64 = 0; + let mut x121: fiat_bign256_u1 = 0; + let (x120, x121) = fiat_bign256_addcarryx_u64(0x0, x96, x112); + let mut x122: u64 = 0; + let mut x123: fiat_bign256_u1 = 0; + let (x122, x123) = fiat_bign256_addcarryx_u64(x121, x98, x114); + let mut x124: u64 = 0; + let mut x125: fiat_bign256_u1 = 0; + let (x124, x125) = fiat_bign256_addcarryx_u64(x123, x100, x116); + let mut x126: u64 = 0; + let mut x127: fiat_bign256_u1 = 0; + let (x126, x127) = fiat_bign256_addcarryx_u64(x125, x102, x118); + let mut x128: u64 = 0; + let mut x129: fiat_bign256_u1 = 0; + let (x128, x129) = + fiat_bign256_addcarryx_u64(x127, ((x103 as u64) + (x95 as u64)), ((x119 as u64) + x107)); + let mut x130: u64 = 0; + let mut x131: fiat_bign256_u1 = 0; + let (x130, x131) = fiat_bign256_subborrowx_u64(0x0, x122, 0xffffffffffffff43); + let mut x132: u64 = 0; + let mut x133: fiat_bign256_u1 = 0; + let (x132, x133) = fiat_bign256_subborrowx_u64(x131, x124, 0xffffffffffffffff); + let mut x134: u64 = 0; + let mut x135: fiat_bign256_u1 = 0; + let (x134, x135) = fiat_bign256_subborrowx_u64(x133, x126, 0xffffffffffffffff); + let mut x136: u64 = 0; + let mut x137: fiat_bign256_u1 = 0; + let (x136, x137) = fiat_bign256_subborrowx_u64(x135, x128, 0xffffffffffffffff); + let mut x138: u64 = 0; + let mut x139: fiat_bign256_u1 = 0; + let (x138, x139) = fiat_bign256_subborrowx_u64(x137, (x129 as u64), (0x0 as u64)); + let mut x140: u64 = 0; + let (x140) = fiat_bign256_cmovznz_u64(x139, x130, x122); + let mut x141: u64 = 0; + let (x141) = fiat_bign256_cmovznz_u64(x139, x132, x124); + let mut x142: u64 = 0; + let (x142) = fiat_bign256_cmovznz_u64(x139, x134, x126); + let mut x143: u64 = 0; + let (x143) = fiat_bign256_cmovznz_u64(x139, x136, x128); + out1[0] = x140; + out1[1] = x141; + out1[2] = x142; + out1[3] = x143; + out1 +} +#[doc = " The function fiat_bign256_to_montgomery translates a field element into the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = eval arg1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_to_montgomery( + arg1: &fiat_bign256_non_montgomery_domain_field_element, +) -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 4]; + let mut x1: u64 = 0; + let mut x2: u64 = 0; + let (x1, x2) = fiat_bign256_mulx_u64((arg1[0]), 0x8b89); + let mut x3: u64 = 0; + let mut x4: u64 = 0; + let (x3, x4) = fiat_bign256_mulx_u64(x1, 0xa53fa94fea53fa95); + let mut x5: u64 = 0; + let mut x6: u64 = 0; + let (x5, x6) = fiat_bign256_mulx_u64(x3, 0xffffffffffffffff); + let mut x7: u64 = 0; + let mut x8: u64 = 0; + let (x7, x8) = fiat_bign256_mulx_u64(x3, 0xffffffffffffffff); + let mut x9: u64 = 0; + let mut x10: u64 = 0; + let (x9, x10) = fiat_bign256_mulx_u64(x3, 0xffffffffffffffff); + let mut x11: u64 = 0; + let mut x12: u64 = 0; + let (x11, x12) = fiat_bign256_mulx_u64(x3, 0xffffffffffffff43); + let mut x13: u64 = 0; + let mut x14: fiat_bign256_u1 = 0; + let (x13, x14) = fiat_bign256_addcarryx_u64(0x0, x12, x9); + let mut x15: u64 = 0; + let mut x16: fiat_bign256_u1 = 0; + let (x15, x16) = fiat_bign256_addcarryx_u64(x14, x10, x7); + let mut x17: u64 = 0; + let mut x18: fiat_bign256_u1 = 0; + let (x17, x18) = fiat_bign256_addcarryx_u64(x16, x8, x5); + let mut x19: u64 = 0; + let mut x20: fiat_bign256_u1 = 0; + let (x19, x20) = fiat_bign256_addcarryx_u64(0x0, x1, x11); + let mut x21: u64 = 0; + let mut x22: fiat_bign256_u1 = 0; + let (x21, x22) = fiat_bign256_addcarryx_u64(x20, x2, x13); + let mut x23: u64 = 0; + let mut x24: fiat_bign256_u1 = 0; + let (x23, x24) = fiat_bign256_addcarryx_u64(x22, (0x0 as u64), x15); + let mut x25: u64 = 0; + let mut x26: fiat_bign256_u1 = 0; + let (x25, x26) = fiat_bign256_addcarryx_u64(x24, (0x0 as u64), x17); + let mut x27: u64 = 0; + let mut x28: fiat_bign256_u1 = 0; + let (x27, x28) = fiat_bign256_addcarryx_u64(x26, (0x0 as u64), ((x18 as u64) + x6)); + let mut x29: u64 = 0; + let mut x30: u64 = 0; + let (x29, x30) = fiat_bign256_mulx_u64((arg1[1]), 0x8b89); + let mut x31: u64 = 0; + let mut x32: fiat_bign256_u1 = 0; + let (x31, x32) = fiat_bign256_addcarryx_u64(0x0, x21, x29); + let mut x33: u64 = 0; + let mut x34: fiat_bign256_u1 = 0; + let (x33, x34) = fiat_bign256_addcarryx_u64(x32, x23, x30); + let mut x35: u64 = 0; + let mut x36: fiat_bign256_u1 = 0; + let (x35, x36) = fiat_bign256_addcarryx_u64(x34, x25, (0x0 as u64)); + let mut x37: u64 = 0; + let mut x38: fiat_bign256_u1 = 0; + let (x37, x38) = fiat_bign256_addcarryx_u64(x36, x27, (0x0 as u64)); + let mut x39: u64 = 0; + let mut x40: u64 = 0; + let (x39, x40) = fiat_bign256_mulx_u64(x31, 0xa53fa94fea53fa95); + let mut x41: u64 = 0; + let mut x42: u64 = 0; + let (x41, x42) = fiat_bign256_mulx_u64(x39, 0xffffffffffffffff); + let mut x43: u64 = 0; + let mut x44: u64 = 0; + let (x43, x44) = fiat_bign256_mulx_u64(x39, 0xffffffffffffffff); + let mut x45: u64 = 0; + let mut x46: u64 = 0; + let (x45, x46) = fiat_bign256_mulx_u64(x39, 0xffffffffffffffff); + let mut x47: u64 = 0; + let mut x48: u64 = 0; + let (x47, x48) = fiat_bign256_mulx_u64(x39, 0xffffffffffffff43); + let mut x49: u64 = 0; + let mut x50: fiat_bign256_u1 = 0; + let (x49, x50) = fiat_bign256_addcarryx_u64(0x0, x48, x45); + let mut x51: u64 = 0; + let mut x52: fiat_bign256_u1 = 0; + let (x51, x52) = fiat_bign256_addcarryx_u64(x50, x46, x43); + let mut x53: u64 = 0; + let mut x54: fiat_bign256_u1 = 0; + let (x53, x54) = fiat_bign256_addcarryx_u64(x52, x44, x41); + let mut x55: u64 = 0; + let mut x56: fiat_bign256_u1 = 0; + let (x55, x56) = fiat_bign256_addcarryx_u64(0x0, x31, x47); + let mut x57: u64 = 0; + let mut x58: fiat_bign256_u1 = 0; + let (x57, x58) = fiat_bign256_addcarryx_u64(x56, x33, x49); + let mut x59: u64 = 0; + let mut x60: fiat_bign256_u1 = 0; + let (x59, x60) = fiat_bign256_addcarryx_u64(x58, x35, x51); + let mut x61: u64 = 0; + let mut x62: fiat_bign256_u1 = 0; + let (x61, x62) = fiat_bign256_addcarryx_u64(x60, x37, x53); + let mut x63: u64 = 0; + let mut x64: fiat_bign256_u1 = 0; + let (x63, x64) = + fiat_bign256_addcarryx_u64(x62, ((x38 as u64) + (x28 as u64)), ((x54 as u64) + x42)); + let mut x65: u64 = 0; + let mut x66: u64 = 0; + let (x65, x66) = fiat_bign256_mulx_u64((arg1[2]), 0x8b89); + let mut x67: u64 = 0; + let mut x68: fiat_bign256_u1 = 0; + let (x67, x68) = fiat_bign256_addcarryx_u64(0x0, x57, x65); + let mut x69: u64 = 0; + let mut x70: fiat_bign256_u1 = 0; + let (x69, x70) = fiat_bign256_addcarryx_u64(x68, x59, x66); + let mut x71: u64 = 0; + let mut x72: fiat_bign256_u1 = 0; + let (x71, x72) = fiat_bign256_addcarryx_u64(x70, x61, (0x0 as u64)); + let mut x73: u64 = 0; + let mut x74: fiat_bign256_u1 = 0; + let (x73, x74) = fiat_bign256_addcarryx_u64(x72, x63, (0x0 as u64)); + let mut x75: u64 = 0; + let mut x76: u64 = 0; + let (x75, x76) = fiat_bign256_mulx_u64(x67, 0xa53fa94fea53fa95); + let mut x77: u64 = 0; + let mut x78: u64 = 0; + let (x77, x78) = fiat_bign256_mulx_u64(x75, 0xffffffffffffffff); + let mut x79: u64 = 0; + let mut x80: u64 = 0; + let (x79, x80) = fiat_bign256_mulx_u64(x75, 0xffffffffffffffff); + let mut x81: u64 = 0; + let mut x82: u64 = 0; + let (x81, x82) = fiat_bign256_mulx_u64(x75, 0xffffffffffffffff); + let mut x83: u64 = 0; + let mut x84: u64 = 0; + let (x83, x84) = fiat_bign256_mulx_u64(x75, 0xffffffffffffff43); + let mut x85: u64 = 0; + let mut x86: fiat_bign256_u1 = 0; + let (x85, x86) = fiat_bign256_addcarryx_u64(0x0, x84, x81); + let mut x87: u64 = 0; + let mut x88: fiat_bign256_u1 = 0; + let (x87, x88) = fiat_bign256_addcarryx_u64(x86, x82, x79); + let mut x89: u64 = 0; + let mut x90: fiat_bign256_u1 = 0; + let (x89, x90) = fiat_bign256_addcarryx_u64(x88, x80, x77); + let mut x91: u64 = 0; + let mut x92: fiat_bign256_u1 = 0; + let (x91, x92) = fiat_bign256_addcarryx_u64(0x0, x67, x83); + let mut x93: u64 = 0; + let mut x94: fiat_bign256_u1 = 0; + let (x93, x94) = fiat_bign256_addcarryx_u64(x92, x69, x85); + let mut x95: u64 = 0; + let mut x96: fiat_bign256_u1 = 0; + let (x95, x96) = fiat_bign256_addcarryx_u64(x94, x71, x87); + let mut x97: u64 = 0; + let mut x98: fiat_bign256_u1 = 0; + let (x97, x98) = fiat_bign256_addcarryx_u64(x96, x73, x89); + let mut x99: u64 = 0; + let mut x100: fiat_bign256_u1 = 0; + let (x99, x100) = + fiat_bign256_addcarryx_u64(x98, ((x74 as u64) + (x64 as u64)), ((x90 as u64) + x78)); + let mut x101: u64 = 0; + let mut x102: u64 = 0; + let (x101, x102) = fiat_bign256_mulx_u64((arg1[3]), 0x8b89); + let mut x103: u64 = 0; + let mut x104: fiat_bign256_u1 = 0; + let (x103, x104) = fiat_bign256_addcarryx_u64(0x0, x93, x101); + let mut x105: u64 = 0; + let mut x106: fiat_bign256_u1 = 0; + let (x105, x106) = fiat_bign256_addcarryx_u64(x104, x95, x102); + let mut x107: u64 = 0; + let mut x108: fiat_bign256_u1 = 0; + let (x107, x108) = fiat_bign256_addcarryx_u64(x106, x97, (0x0 as u64)); + let mut x109: u64 = 0; + let mut x110: fiat_bign256_u1 = 0; + let (x109, x110) = fiat_bign256_addcarryx_u64(x108, x99, (0x0 as u64)); + let mut x111: u64 = 0; + let mut x112: u64 = 0; + let (x111, x112) = fiat_bign256_mulx_u64(x103, 0xa53fa94fea53fa95); + let mut x113: u64 = 0; + let mut x114: u64 = 0; + let (x113, x114) = fiat_bign256_mulx_u64(x111, 0xffffffffffffffff); + let mut x115: u64 = 0; + let mut x116: u64 = 0; + let (x115, x116) = fiat_bign256_mulx_u64(x111, 0xffffffffffffffff); + let mut x117: u64 = 0; + let mut x118: u64 = 0; + let (x117, x118) = fiat_bign256_mulx_u64(x111, 0xffffffffffffffff); + let mut x119: u64 = 0; + let mut x120: u64 = 0; + let (x119, x120) = fiat_bign256_mulx_u64(x111, 0xffffffffffffff43); + let mut x121: u64 = 0; + let mut x122: fiat_bign256_u1 = 0; + let (x121, x122) = fiat_bign256_addcarryx_u64(0x0, x120, x117); + let mut x123: u64 = 0; + let mut x124: fiat_bign256_u1 = 0; + let (x123, x124) = fiat_bign256_addcarryx_u64(x122, x118, x115); + let mut x125: u64 = 0; + let mut x126: fiat_bign256_u1 = 0; + let (x125, x126) = fiat_bign256_addcarryx_u64(x124, x116, x113); + let mut x127: u64 = 0; + let mut x128: fiat_bign256_u1 = 0; + let (x127, x128) = fiat_bign256_addcarryx_u64(0x0, x103, x119); + let mut x129: u64 = 0; + let mut x130: fiat_bign256_u1 = 0; + let (x129, x130) = fiat_bign256_addcarryx_u64(x128, x105, x121); + let mut x131: u64 = 0; + let mut x132: fiat_bign256_u1 = 0; + let (x131, x132) = fiat_bign256_addcarryx_u64(x130, x107, x123); + let mut x133: u64 = 0; + let mut x134: fiat_bign256_u1 = 0; + let (x133, x134) = fiat_bign256_addcarryx_u64(x132, x109, x125); + let mut x135: u64 = 0; + let mut x136: fiat_bign256_u1 = 0; + let (x135, x136) = fiat_bign256_addcarryx_u64( + x134, + ((x110 as u64) + (x100 as u64)), + ((x126 as u64) + x114), + ); + let mut x137: u64 = 0; + let mut x138: fiat_bign256_u1 = 0; + let (x137, x138) = fiat_bign256_subborrowx_u64(0x0, x129, 0xffffffffffffff43); + let mut x139: u64 = 0; + let mut x140: fiat_bign256_u1 = 0; + let (x139, x140) = fiat_bign256_subborrowx_u64(x138, x131, 0xffffffffffffffff); + let mut x141: u64 = 0; + let mut x142: fiat_bign256_u1 = 0; + let (x141, x142) = fiat_bign256_subborrowx_u64(x140, x133, 0xffffffffffffffff); + let mut x143: u64 = 0; + let mut x144: fiat_bign256_u1 = 0; + let (x143, x144) = fiat_bign256_subborrowx_u64(x142, x135, 0xffffffffffffffff); + let mut x145: u64 = 0; + let mut x146: fiat_bign256_u1 = 0; + let (x145, x146) = fiat_bign256_subborrowx_u64(x144, (x136 as u64), (0x0 as u64)); + let mut x147: u64 = 0; + let (x147) = fiat_bign256_cmovznz_u64(x146, x137, x129); + let mut x148: u64 = 0; + let (x148) = fiat_bign256_cmovznz_u64(x146, x139, x131); + let mut x149: u64 = 0; + let (x149) = fiat_bign256_cmovznz_u64(x146, x141, x133); + let mut x150: u64 = 0; + let (x150) = fiat_bign256_cmovznz_u64(x146, x143, x135); + out1[0] = x147; + out1[1] = x148; + out1[2] = x149; + out1[3] = x150; + out1 +} +#[doc = " The function fiat_bign256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[inline] +pub const fn fiat_bign256_nonzero(arg1: &[u64; 4]) -> u64 { + let mut out1: u64 = 0; + let x1: u64 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3])))); + out1 = x1; + out1 +} +#[doc = " The function fiat_bign256_selectznz is a multi-limb conditional select."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[inline] +pub const fn fiat_bign256_selectznz( + arg1: fiat_bign256_u1, + arg2: &[u64; 4], + arg3: &[u64; 4], +) -> [u64; 4] { + let mut out1: [u64; 4] = [0; 4]; + let mut x1: u64 = 0; + let (x1) = fiat_bign256_cmovznz_u64(arg1, (arg2[0]), (arg3[0])); + let mut x2: u64 = 0; + let (x2) = fiat_bign256_cmovznz_u64(arg1, (arg2[1]), (arg3[1])); + let mut x3: u64 = 0; + let (x3) = fiat_bign256_cmovznz_u64(arg1, (arg2[2]), (arg3[2])); + let mut x4: u64 = 0; + let (x4) = fiat_bign256_cmovznz_u64(arg1, (arg2[3]), (arg3[3])); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1 +} +#[doc = " The function fiat_bign256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = map (Ξ» x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)βŒ‹) [0..31]"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]"] +#[inline] +pub const fn fiat_bign256_to_bytes(arg1: &[u64; 4]) -> [u8; 32] { + let mut out1: [u8; 32] = [0; 32]; + let x1: u64 = (arg1[3]); + let x2: u64 = (arg1[2]); + let x3: u64 = (arg1[1]); + let x4: u64 = (arg1[0]); + let x5: u8 = ((x4 & (0xff as u64)) as u8); + let x6: u64 = (x4 >> 8); + let x7: u8 = ((x6 & (0xff as u64)) as u8); + let x8: u64 = (x6 >> 8); + let x9: u8 = ((x8 & (0xff as u64)) as u8); + let x10: u64 = (x8 >> 8); + let x11: u8 = ((x10 & (0xff as u64)) as u8); + let x12: u64 = (x10 >> 8); + let x13: u8 = ((x12 & (0xff as u64)) as u8); + let x14: u64 = (x12 >> 8); + let x15: u8 = ((x14 & (0xff as u64)) as u8); + let x16: u64 = (x14 >> 8); + let x17: u8 = ((x16 & (0xff as u64)) as u8); + let x18: u8 = ((x16 >> 8) as u8); + let x19: u8 = ((x3 & (0xff as u64)) as u8); + let x20: u64 = (x3 >> 8); + let x21: u8 = ((x20 & (0xff as u64)) as u8); + let x22: u64 = (x20 >> 8); + let x23: u8 = ((x22 & (0xff as u64)) as u8); + let x24: u64 = (x22 >> 8); + let x25: u8 = ((x24 & (0xff as u64)) as u8); + let x26: u64 = (x24 >> 8); + let x27: u8 = ((x26 & (0xff as u64)) as u8); + let x28: u64 = (x26 >> 8); + let x29: u8 = ((x28 & (0xff as u64)) as u8); + let x30: u64 = (x28 >> 8); + let x31: u8 = ((x30 & (0xff as u64)) as u8); + let x32: u8 = ((x30 >> 8) as u8); + let x33: u8 = ((x2 & (0xff as u64)) as u8); + let x34: u64 = (x2 >> 8); + let x35: u8 = ((x34 & (0xff as u64)) as u8); + let x36: u64 = (x34 >> 8); + let x37: u8 = ((x36 & (0xff as u64)) as u8); + let x38: u64 = (x36 >> 8); + let x39: u8 = ((x38 & (0xff as u64)) as u8); + let x40: u64 = (x38 >> 8); + let x41: u8 = ((x40 & (0xff as u64)) as u8); + let x42: u64 = (x40 >> 8); + let x43: u8 = ((x42 & (0xff as u64)) as u8); + let x44: u64 = (x42 >> 8); + let x45: u8 = ((x44 & (0xff as u64)) as u8); + let x46: u8 = ((x44 >> 8) as u8); + let x47: u8 = ((x1 & (0xff as u64)) as u8); + let x48: u64 = (x1 >> 8); + let x49: u8 = ((x48 & (0xff as u64)) as u8); + let x50: u64 = (x48 >> 8); + let x51: u8 = ((x50 & (0xff as u64)) as u8); + let x52: u64 = (x50 >> 8); + let x53: u8 = ((x52 & (0xff as u64)) as u8); + let x54: u64 = (x52 >> 8); + let x55: u8 = ((x54 & (0xff as u64)) as u8); + let x56: u64 = (x54 >> 8); + let x57: u8 = ((x56 & (0xff as u64)) as u8); + let x58: u64 = (x56 >> 8); + let x59: u8 = ((x58 & (0xff as u64)) as u8); + let x60: u8 = ((x58 >> 8) as u8); + out1[0] = x5; + out1[1] = x7; + out1[2] = x9; + out1[3] = x11; + out1[4] = x13; + out1[5] = x15; + out1[6] = x17; + out1[7] = x18; + out1[8] = x19; + out1[9] = x21; + out1[10] = x23; + out1[11] = x25; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x39; + out1[20] = x41; + out1[21] = x43; + out1[22] = x45; + out1[23] = x46; + out1[24] = x47; + out1[25] = x49; + out1[26] = x51; + out1[27] = x53; + out1[28] = x55; + out1[29] = x57; + out1[30] = x59; + out1[31] = x60; + out1 +} +#[doc = " The function fiat_bign256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ bytes_eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval out1 mod m = bytes_eval arg1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[inline] +pub const fn fiat_bign256_from_bytes(arg1: &[u8; 32]) -> [u64; 4] { + let mut out1: [u64; 4] = [0; 4]; + let x1: u64 = (((arg1[31]) as u64) << 56); + let x2: u64 = (((arg1[30]) as u64) << 48); + let x3: u64 = (((arg1[29]) as u64) << 40); + let x4: u64 = (((arg1[28]) as u64) << 32); + let x5: u64 = (((arg1[27]) as u64) << 24); + let x6: u64 = (((arg1[26]) as u64) << 16); + let x7: u64 = (((arg1[25]) as u64) << 8); + let x8: u8 = (arg1[24]); + let x9: u64 = (((arg1[23]) as u64) << 56); + let x10: u64 = (((arg1[22]) as u64) << 48); + let x11: u64 = (((arg1[21]) as u64) << 40); + let x12: u64 = (((arg1[20]) as u64) << 32); + let x13: u64 = (((arg1[19]) as u64) << 24); + let x14: u64 = (((arg1[18]) as u64) << 16); + let x15: u64 = (((arg1[17]) as u64) << 8); + let x16: u8 = (arg1[16]); + let x17: u64 = (((arg1[15]) as u64) << 56); + let x18: u64 = (((arg1[14]) as u64) << 48); + let x19: u64 = (((arg1[13]) as u64) << 40); + let x20: u64 = (((arg1[12]) as u64) << 32); + let x21: u64 = (((arg1[11]) as u64) << 24); + let x22: u64 = (((arg1[10]) as u64) << 16); + let x23: u64 = (((arg1[9]) as u64) << 8); + let x24: u8 = (arg1[8]); + let x25: u64 = (((arg1[7]) as u64) << 56); + let x26: u64 = (((arg1[6]) as u64) << 48); + let x27: u64 = (((arg1[5]) as u64) << 40); + let x28: u64 = (((arg1[4]) as u64) << 32); + let x29: u64 = (((arg1[3]) as u64) << 24); + let x30: u64 = (((arg1[2]) as u64) << 16); + let x31: u64 = (((arg1[1]) as u64) << 8); + let x32: u8 = (arg1[0]); + let x33: u64 = (x31 + (x32 as u64)); + let x34: u64 = (x30 + x33); + let x35: u64 = (x29 + x34); + let x36: u64 = (x28 + x35); + let x37: u64 = (x27 + x36); + let x38: u64 = (x26 + x37); + let x39: u64 = (x25 + x38); + let x40: u64 = (x23 + (x24 as u64)); + let x41: u64 = (x22 + x40); + let x42: u64 = (x21 + x41); + let x43: u64 = (x20 + x42); + let x44: u64 = (x19 + x43); + let x45: u64 = (x18 + x44); + let x46: u64 = (x17 + x45); + let x47: u64 = (x15 + (x16 as u64)); + let x48: u64 = (x14 + x47); + let x49: u64 = (x13 + x48); + let x50: u64 = (x12 + x49); + let x51: u64 = (x11 + x50); + let x52: u64 = (x10 + x51); + let x53: u64 = (x9 + x52); + let x54: u64 = (x7 + (x8 as u64)); + let x55: u64 = (x6 + x54); + let x56: u64 = (x5 + x55); + let x57: u64 = (x4 + x56); + let x58: u64 = (x3 + x57); + let x59: u64 = (x2 + x58); + let x60: u64 = (x1 + x59); + out1[0] = x39; + out1[1] = x46; + out1[2] = x53; + out1[3] = x60; + out1 +} +#[doc = " The function fiat_bign256_set_one returns the field element one in the Montgomery domain."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = 1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_set_one() -> fiat_bign256_montgomery_domain_field_element { + let mut out1: fiat_bign256_montgomery_domain_field_element = [0; 4]; + out1[0] = 0xbd; + out1[1] = (0x0 as u64); + out1[2] = (0x0 as u64); + out1[3] = (0x0 as u64); + out1 +} +#[doc = " The function fiat_bign256_msat returns the saturated representation of the prime modulus."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " twos_complement_eval out1 = m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[inline] +pub const fn fiat_bign256_msat() -> [u64; 5] { + let mut out1: [u64; 5] = [0; 5]; + out1[0] = 0xffffffffffffff43; + out1[1] = 0xffffffffffffffff; + out1[2] = 0xffffffffffffffff; + out1[3] = 0xffffffffffffffff; + out1[4] = (0x0 as u64); + out1 +} +#[doc = " The function fiat_bign256_divstep computes a divstep."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg4 < m"] +#[doc = " 0 ≀ eval arg5 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1)"] +#[doc = " twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2)"] +#[doc = " twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2βŒ‹ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2βŒ‹)"] +#[doc = " eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m)"] +#[doc = " eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m)"] +#[doc = " 0 ≀ eval out5 < m"] +#[doc = " 0 ≀ eval out5 < m"] +#[doc = " 0 ≀ eval out2 < m"] +#[doc = " 0 ≀ eval out3 < m"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[inline] +pub const fn fiat_bign256_divstep( + arg1: u64, + arg2: &[u64; 5], + arg3: &[u64; 5], + arg4: &[u64; 4], + arg5: &[u64; 4], +) -> (u64, [u64; 5], [u64; 5], [u64; 4], [u64; 4]) { + let mut out1: u64 = 0; + let mut out2: [u64; 5] = [0; 5]; + let mut out3: [u64; 5] = [0; 5]; + let mut out4: [u64; 4] = [0; 4]; + let mut out5: [u64; 4] = [0; 4]; + let mut x1: u64 = 0; + let mut x2: fiat_bign256_u1 = 0; + let (x1, x2) = fiat_bign256_addcarryx_u64(0x0, (!arg1), (0x1 as u64)); + let x3: fiat_bign256_u1 = + (((x1 >> 63) as fiat_bign256_u1) & (((arg3[0]) & (0x1 as u64)) as fiat_bign256_u1)); + let mut x4: u64 = 0; + let mut x5: fiat_bign256_u1 = 0; + let (x4, x5) = fiat_bign256_addcarryx_u64(0x0, (!arg1), (0x1 as u64)); + let mut x6: u64 = 0; + let (x6) = fiat_bign256_cmovznz_u64(x3, arg1, x4); + let mut x7: u64 = 0; + let (x7) = fiat_bign256_cmovznz_u64(x3, (arg2[0]), (arg3[0])); + let mut x8: u64 = 0; + let (x8) = fiat_bign256_cmovznz_u64(x3, (arg2[1]), (arg3[1])); + let mut x9: u64 = 0; + let (x9) = fiat_bign256_cmovznz_u64(x3, (arg2[2]), (arg3[2])); + let mut x10: u64 = 0; + let (x10) = fiat_bign256_cmovznz_u64(x3, (arg2[3]), (arg3[3])); + let mut x11: u64 = 0; + let (x11) = fiat_bign256_cmovznz_u64(x3, (arg2[4]), (arg3[4])); + let mut x12: u64 = 0; + let mut x13: fiat_bign256_u1 = 0; + let (x12, x13) = fiat_bign256_addcarryx_u64(0x0, (0x1 as u64), (!(arg2[0]))); + let mut x14: u64 = 0; + let mut x15: fiat_bign256_u1 = 0; + let (x14, x15) = fiat_bign256_addcarryx_u64(x13, (0x0 as u64), (!(arg2[1]))); + let mut x16: u64 = 0; + let mut x17: fiat_bign256_u1 = 0; + let (x16, x17) = fiat_bign256_addcarryx_u64(x15, (0x0 as u64), (!(arg2[2]))); + let mut x18: u64 = 0; + let mut x19: fiat_bign256_u1 = 0; + let (x18, x19) = fiat_bign256_addcarryx_u64(x17, (0x0 as u64), (!(arg2[3]))); + let mut x20: u64 = 0; + let mut x21: fiat_bign256_u1 = 0; + let (x20, x21) = fiat_bign256_addcarryx_u64(x19, (0x0 as u64), (!(arg2[4]))); + let mut x22: u64 = 0; + let (x22) = fiat_bign256_cmovznz_u64(x3, (arg3[0]), x12); + let mut x23: u64 = 0; + let (x23) = fiat_bign256_cmovznz_u64(x3, (arg3[1]), x14); + let mut x24: u64 = 0; + let (x24) = fiat_bign256_cmovznz_u64(x3, (arg3[2]), x16); + let mut x25: u64 = 0; + let (x25) = fiat_bign256_cmovznz_u64(x3, (arg3[3]), x18); + let mut x26: u64 = 0; + let (x26) = fiat_bign256_cmovznz_u64(x3, (arg3[4]), x20); + let mut x27: u64 = 0; + let (x27) = fiat_bign256_cmovznz_u64(x3, (arg4[0]), (arg5[0])); + let mut x28: u64 = 0; + let (x28) = fiat_bign256_cmovznz_u64(x3, (arg4[1]), (arg5[1])); + let mut x29: u64 = 0; + let (x29) = fiat_bign256_cmovznz_u64(x3, (arg4[2]), (arg5[2])); + let mut x30: u64 = 0; + let (x30) = fiat_bign256_cmovznz_u64(x3, (arg4[3]), (arg5[3])); + let mut x31: u64 = 0; + let mut x32: fiat_bign256_u1 = 0; + let (x31, x32) = fiat_bign256_addcarryx_u64(0x0, x27, x27); + let mut x33: u64 = 0; + let mut x34: fiat_bign256_u1 = 0; + let (x33, x34) = fiat_bign256_addcarryx_u64(x32, x28, x28); + let mut x35: u64 = 0; + let mut x36: fiat_bign256_u1 = 0; + let (x35, x36) = fiat_bign256_addcarryx_u64(x34, x29, x29); + let mut x37: u64 = 0; + let mut x38: fiat_bign256_u1 = 0; + let (x37, x38) = fiat_bign256_addcarryx_u64(x36, x30, x30); + let mut x39: u64 = 0; + let mut x40: fiat_bign256_u1 = 0; + let (x39, x40) = fiat_bign256_subborrowx_u64(0x0, x31, 0xffffffffffffff43); + let mut x41: u64 = 0; + let mut x42: fiat_bign256_u1 = 0; + let (x41, x42) = fiat_bign256_subborrowx_u64(x40, x33, 0xffffffffffffffff); + let mut x43: u64 = 0; + let mut x44: fiat_bign256_u1 = 0; + let (x43, x44) = fiat_bign256_subborrowx_u64(x42, x35, 0xffffffffffffffff); + let mut x45: u64 = 0; + let mut x46: fiat_bign256_u1 = 0; + let (x45, x46) = fiat_bign256_subborrowx_u64(x44, x37, 0xffffffffffffffff); + let mut x47: u64 = 0; + let mut x48: fiat_bign256_u1 = 0; + let (x47, x48) = fiat_bign256_subborrowx_u64(x46, (x38 as u64), (0x0 as u64)); + let x49: u64 = (arg4[3]); + let x50: u64 = (arg4[2]); + let x51: u64 = (arg4[1]); + let x52: u64 = (arg4[0]); + let mut x53: u64 = 0; + let mut x54: fiat_bign256_u1 = 0; + let (x53, x54) = fiat_bign256_subborrowx_u64(0x0, (0x0 as u64), x52); + let mut x55: u64 = 0; + let mut x56: fiat_bign256_u1 = 0; + let (x55, x56) = fiat_bign256_subborrowx_u64(x54, (0x0 as u64), x51); + let mut x57: u64 = 0; + let mut x58: fiat_bign256_u1 = 0; + let (x57, x58) = fiat_bign256_subborrowx_u64(x56, (0x0 as u64), x50); + let mut x59: u64 = 0; + let mut x60: fiat_bign256_u1 = 0; + let (x59, x60) = fiat_bign256_subborrowx_u64(x58, (0x0 as u64), x49); + let mut x61: u64 = 0; + let (x61) = fiat_bign256_cmovznz_u64(x60, (0x0 as u64), 0xffffffffffffffff); + let mut x62: u64 = 0; + let mut x63: fiat_bign256_u1 = 0; + let (x62, x63) = fiat_bign256_addcarryx_u64(0x0, x53, (x61 & 0xffffffffffffff43)); + let mut x64: u64 = 0; + let mut x65: fiat_bign256_u1 = 0; + let (x64, x65) = fiat_bign256_addcarryx_u64(x63, x55, x61); + let mut x66: u64 = 0; + let mut x67: fiat_bign256_u1 = 0; + let (x66, x67) = fiat_bign256_addcarryx_u64(x65, x57, x61); + let mut x68: u64 = 0; + let mut x69: fiat_bign256_u1 = 0; + let (x68, x69) = fiat_bign256_addcarryx_u64(x67, x59, x61); + let mut x70: u64 = 0; + let (x70) = fiat_bign256_cmovznz_u64(x3, (arg5[0]), x62); + let mut x71: u64 = 0; + let (x71) = fiat_bign256_cmovznz_u64(x3, (arg5[1]), x64); + let mut x72: u64 = 0; + let (x72) = fiat_bign256_cmovznz_u64(x3, (arg5[2]), x66); + let mut x73: u64 = 0; + let (x73) = fiat_bign256_cmovznz_u64(x3, (arg5[3]), x68); + let x74: fiat_bign256_u1 = ((x22 & (0x1 as u64)) as fiat_bign256_u1); + let mut x75: u64 = 0; + let (x75) = fiat_bign256_cmovznz_u64(x74, (0x0 as u64), x7); + let mut x76: u64 = 0; + let (x76) = fiat_bign256_cmovznz_u64(x74, (0x0 as u64), x8); + let mut x77: u64 = 0; + let (x77) = fiat_bign256_cmovznz_u64(x74, (0x0 as u64), x9); + let mut x78: u64 = 0; + let (x78) = fiat_bign256_cmovznz_u64(x74, (0x0 as u64), x10); + let mut x79: u64 = 0; + let (x79) = fiat_bign256_cmovznz_u64(x74, (0x0 as u64), x11); + let mut x80: u64 = 0; + let mut x81: fiat_bign256_u1 = 0; + let (x80, x81) = fiat_bign256_addcarryx_u64(0x0, x22, x75); + let mut x82: u64 = 0; + let mut x83: fiat_bign256_u1 = 0; + let (x82, x83) = fiat_bign256_addcarryx_u64(x81, x23, x76); + let mut x84: u64 = 0; + let mut x85: fiat_bign256_u1 = 0; + let (x84, x85) = fiat_bign256_addcarryx_u64(x83, x24, x77); + let mut x86: u64 = 0; + let mut x87: fiat_bign256_u1 = 0; + let (x86, x87) = fiat_bign256_addcarryx_u64(x85, x25, x78); + let mut x88: u64 = 0; + let mut x89: fiat_bign256_u1 = 0; + let (x88, x89) = fiat_bign256_addcarryx_u64(x87, x26, x79); + let mut x90: u64 = 0; + let (x90) = fiat_bign256_cmovznz_u64(x74, (0x0 as u64), x27); + let mut x91: u64 = 0; + let (x91) = fiat_bign256_cmovznz_u64(x74, (0x0 as u64), x28); + let mut x92: u64 = 0; + let (x92) = fiat_bign256_cmovznz_u64(x74, (0x0 as u64), x29); + let mut x93: u64 = 0; + let (x93) = fiat_bign256_cmovznz_u64(x74, (0x0 as u64), x30); + let mut x94: u64 = 0; + let mut x95: fiat_bign256_u1 = 0; + let (x94, x95) = fiat_bign256_addcarryx_u64(0x0, x70, x90); + let mut x96: u64 = 0; + let mut x97: fiat_bign256_u1 = 0; + let (x96, x97) = fiat_bign256_addcarryx_u64(x95, x71, x91); + let mut x98: u64 = 0; + let mut x99: fiat_bign256_u1 = 0; + let (x98, x99) = fiat_bign256_addcarryx_u64(x97, x72, x92); + let mut x100: u64 = 0; + let mut x101: fiat_bign256_u1 = 0; + let (x100, x101) = fiat_bign256_addcarryx_u64(x99, x73, x93); + let mut x102: u64 = 0; + let mut x103: fiat_bign256_u1 = 0; + let (x102, x103) = fiat_bign256_subborrowx_u64(0x0, x94, 0xffffffffffffff43); + let mut x104: u64 = 0; + let mut x105: fiat_bign256_u1 = 0; + let (x104, x105) = fiat_bign256_subborrowx_u64(x103, x96, 0xffffffffffffffff); + let mut x106: u64 = 0; + let mut x107: fiat_bign256_u1 = 0; + let (x106, x107) = fiat_bign256_subborrowx_u64(x105, x98, 0xffffffffffffffff); + let mut x108: u64 = 0; + let mut x109: fiat_bign256_u1 = 0; + let (x108, x109) = fiat_bign256_subborrowx_u64(x107, x100, 0xffffffffffffffff); + let mut x110: u64 = 0; + let mut x111: fiat_bign256_u1 = 0; + let (x110, x111) = fiat_bign256_subborrowx_u64(x109, (x101 as u64), (0x0 as u64)); + let mut x112: u64 = 0; + let mut x113: fiat_bign256_u1 = 0; + let (x112, x113) = fiat_bign256_addcarryx_u64(0x0, x6, (0x1 as u64)); + let x114: u64 = ((x80 >> 1) | ((x82 << 63) & 0xffffffffffffffff)); + let x115: u64 = ((x82 >> 1) | ((x84 << 63) & 0xffffffffffffffff)); + let x116: u64 = ((x84 >> 1) | ((x86 << 63) & 0xffffffffffffffff)); + let x117: u64 = ((x86 >> 1) | ((x88 << 63) & 0xffffffffffffffff)); + let x118: u64 = ((x88 & 0x8000000000000000) | (x88 >> 1)); + let mut x119: u64 = 0; + let (x119) = fiat_bign256_cmovznz_u64(x48, x39, x31); + let mut x120: u64 = 0; + let (x120) = fiat_bign256_cmovznz_u64(x48, x41, x33); + let mut x121: u64 = 0; + let (x121) = fiat_bign256_cmovznz_u64(x48, x43, x35); + let mut x122: u64 = 0; + let (x122) = fiat_bign256_cmovznz_u64(x48, x45, x37); + let mut x123: u64 = 0; + let (x123) = fiat_bign256_cmovznz_u64(x111, x102, x94); + let mut x124: u64 = 0; + let (x124) = fiat_bign256_cmovznz_u64(x111, x104, x96); + let mut x125: u64 = 0; + let (x125) = fiat_bign256_cmovznz_u64(x111, x106, x98); + let mut x126: u64 = 0; + let (x126) = fiat_bign256_cmovznz_u64(x111, x108, x100); + out1 = x112; + out2[0] = x7; + out2[1] = x8; + out2[2] = x9; + out2[3] = x10; + out2[4] = x11; + out3[0] = x114; + out3[1] = x115; + out3[2] = x116; + out3[3] = x117; + out3[4] = x118; + out4[0] = x119; + out4[1] = x120; + out4[2] = x121; + out4[3] = x122; + out5[0] = x123; + out5[1] = x124; + out5[2] = x125; + out5[3] = x126; + (out1, out2, out3, out4, out5) +} +#[doc = " The function fiat_bign256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form)."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) = ⌊(m - 1) / 2βŒ‹^(if ⌊log2 mβŒ‹ + 1 < 46 then ⌊(49 * (⌊log2 mβŒ‹ + 1) + 80) / 17βŒ‹ else ⌊(49 * (⌊log2 mβŒ‹ + 1) + 57) / 17βŒ‹)"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[inline] +pub const fn fiat_bign256_divstep_precomp() -> [u64; 4] { + let mut out1: [u64; 4] = [0; 4]; + out1[0] = 0x7ea454d3127f51fe; + out1[1] = 0x4802b1d5546a7f1; + out1[2] = 0xab83282b495d722c; + out1[3] = 0xdb33014c12f2d964; + out1 +} diff --git a/bign256/src/arithmetic/scalar.rs b/bign256/src/arithmetic/scalar.rs new file mode 100644 index 00000000..98c39630 --- /dev/null +++ b/bign256/src/arithmetic/scalar.rs @@ -0,0 +1,320 @@ +//! bign-curve256v1 scalar field elements. + +#![allow(clippy::unusual_byte_groupings)] + +#[cfg_attr(target_pointer_width = "32", path = "scalar/bign256_scalar_32.rs")] +#[cfg_attr(target_pointer_width = "64", path = "scalar/bign256_scalar_64.rs")] +#[allow( + clippy::identity_op, + clippy::too_many_arguments, + clippy::unnecessary_cast +)] +mod scalar_impl; + +use self::scalar_impl::*; +use crate::{BignP256, FieldBytes, FieldBytesEncoding, SecretKey, Uint, ORDER_HEX}; +use core::{ + iter::{Product, Sum}, + ops::{AddAssign, MulAssign, Neg, Shr, ShrAssign, SubAssign}, +}; +use elliptic_curve::{ + bigint::Limb, + ff::PrimeField, + ops::{Invert, Reduce}, + scalar::{FromUintUnchecked, IsHigh}, + subtle::{Choice, ConditionallySelectable, ConstantTimeEq, ConstantTimeGreater, CtOption}, + Curve as _, Error, Result, ScalarPrimitive, +}; +use primeorder::impl_bernstein_yang_invert; + +#[cfg(feature = "bits")] +use {crate::ScalarBits, elliptic_curve::group::ff::PrimeFieldBits}; + +#[cfg(feature = "serde")] +use serdect::serde::{de, ser, Deserialize, Serialize}; + +#[cfg(doc)] +use core::ops::{Add, Mul, Sub}; + +/// Scalars are elements in the finite field modulo `n`. +/// +/// # Trait impls +/// +/// Much of the important functionality of scalars is provided by traits from +/// the [`ff`](https://docs.rs/ff/) crate, which is re-exported as +/// `bign256::elliptic_curve::ff`: +/// +/// - [`Field`](https://docs.rs/ff/latest/ff/trait.Field.html) - +/// represents elements of finite fields and provides: +/// - [`Field::random`](https://docs.rs/ff/latest/ff/trait.Field.html#tymethod.random) - +/// generate a random scalar +/// - `double`, `square`, and `invert` operations +/// - Bounds for [`Add`], [`Sub`], [`Mul`], and [`Neg`] (as well as `*Assign` equivalents) +/// - Bounds for [`ConditionallySelectable`] from the `subtle` crate +/// - [`PrimeField`](https://docs.rs/ff/latest/ff/trait.PrimeField.html) - +/// represents elements of prime fields and provides: +/// - `from_repr`/`to_repr` for converting field elements from/to big integers. +/// - `multiplicative_generator` and `root_of_unity` constants. +/// - [`PrimeFieldBits`](https://docs.rs/ff/latest/ff/trait.PrimeFieldBits.html) - +/// operations over field elements represented as bits (requires `bits` feature) +/// +/// Please see the documentation for the relevant traits for more information. +#[derive(Clone, Copy, Debug, PartialOrd, Ord)] +pub struct Scalar(Uint); + +primeorder::impl_mont_field_element!( + BignP256, + Scalar, + FieldBytes, + Uint, + BignP256::ORDER, + fiat_bign256_scalar_montgomery_domain_field_element, + fiat_bign256_scalar_from_montgomery, + fiat_bign256_scalar_to_montgomery, + fiat_bign256_scalar_add, + fiat_bign256_scalar_sub, + fiat_bign256_scalar_mul, + fiat_bign256_scalar_opp, + fiat_bign256_scalar_square +); + +impl Scalar { + /// Compute [`Scalar`] inversion: `1 / self`. + pub fn invert(&self) -> CtOption { + CtOption::new(self.invert_unchecked(), !self.is_zero()) + } + + /// Returns the multiplicative inverse of self. + /// + /// Does not check that self is non-zero. + const fn invert_unchecked(&self) -> Self { + let words = impl_bernstein_yang_invert!( + self.0.as_words(), + Self::ONE.0.to_words(), + 256, + Uint::LIMBS, + Limb, + fiat_bign256_scalar_from_montgomery, + fiat_bign256_scalar_mul, + fiat_bign256_scalar_opp, + fiat_bign256_scalar_divstep_precomp, + fiat_bign256_scalar_divstep, + fiat_bign256_scalar_msat, + fiat_bign256_scalar_selectznz, + ); + Self(Uint::from_words(words)) + } + + /// Returns the square root of self mod p, or `None` if no square root + /// exists. + pub fn sqrt(&self) -> CtOption { + // Because p ≑ 3 mod 4, sqrt can be done with only one + // exponentiation via the computation of self^((p + 1) // 4) (mod p). + let sqrt = self.pow_vartime(&[ + 0x1f96afe6498f5982, + 0xf65723b5837ed37f, + 0xffffffffffffffff, + 0x3fffffffffffffff, + ]); + CtOption::new(sqrt, (sqrt * sqrt).ct_eq(self)) + } + + /// Right shifts the scalar. + /// + /// Note: not constant-time with respect to the `shift` parameter. + pub const fn shr_vartime(&self, shift: usize) -> Scalar { + Self(self.0.shr_vartime(shift)) + } +} + +impl AsRef for Scalar { + fn as_ref(&self) -> &Scalar { + self + } +} + +impl FromUintUnchecked for Scalar { + type Uint = Uint; + + fn from_uint_unchecked(uint: Self::Uint) -> Self { + Self::from_uint_unchecked(uint) + } +} + +impl Invert for Scalar { + type Output = CtOption; + + fn invert(&self) -> CtOption { + self.invert() + } +} + +impl IsHigh for Scalar { + fn is_high(&self) -> Choice { + const MODULUS_SHR1: Uint = BignP256::ORDER.shr_vartime(1); + self.to_canonical().ct_gt(&MODULUS_SHR1) + } +} + +impl Shr for Scalar { + type Output = Self; + + fn shr(self, rhs: usize) -> Self::Output { + self.shr_vartime(rhs) + } +} + +impl Shr for &Scalar { + type Output = Scalar; + + fn shr(self, rhs: usize) -> Self::Output { + self.shr_vartime(rhs) + } +} + +impl ShrAssign for Scalar { + fn shr_assign(&mut self, rhs: usize) { + *self = *self >> rhs; + } +} + +impl PrimeField for Scalar { + type Repr = FieldBytes; + + fn from_repr(repr: Self::Repr) -> CtOption { + Self::from_bytes(&repr) + } + + fn to_repr(&self) -> Self::Repr { + self.to_bytes() + } + + fn is_odd(&self) -> Choice { + self.is_odd() + } + + const MODULUS: &'static str = ORDER_HEX; + const NUM_BITS: u32 = 256; + const CAPACITY: u32 = 255; + const TWO_INV: Self = Self::from_u64(2).invert_unchecked(); + const MULTIPLICATIVE_GENERATOR: Self = Self::from_u64(3); + const S: u32 = 1; + const ROOT_OF_UNITY: Self = + Self::from_hex("ffffffffffffffffffffffffffffffffd95c8ed60dfb4dfc7e5abf99263d6606"); + const ROOT_OF_UNITY_INV: Self = Self::ROOT_OF_UNITY.invert_unchecked(); + const DELTA: Self = Self::from_u64(9); +} + +#[cfg(feature = "bits")] +impl PrimeFieldBits for Scalar { + type ReprBits = fiat_bign256_scalar_montgomery_domain_field_element; + + fn to_le_bits(&self) -> ScalarBits { + self.to_canonical().to_words().into() + } + + fn char_le_bits() -> ScalarBits { + BignP256::ORDER.to_words().into() + } +} + +impl Reduce for Scalar { + type Bytes = FieldBytes; + + fn reduce(w: Uint) -> Self { + let (r, underflow) = w.sbb(&BignP256::ORDER, Limb::ZERO); + let underflow = Choice::from((underflow.0 >> (Limb::BITS - 1)) as u8); + Self::from_uint_unchecked(Uint::conditional_select(&w, &r, !underflow)) + } + + #[inline] + fn reduce_bytes(bytes: &FieldBytes) -> Self { + let w = >::decode_field_bytes(bytes); + Self::reduce(w) + } +} + +impl From> for Scalar { + fn from(w: ScalarPrimitive) -> Self { + Scalar::from(&w) + } +} + +impl From<&ScalarPrimitive> for Scalar { + fn from(w: &ScalarPrimitive) -> Scalar { + Scalar::from_uint_unchecked(*w.as_uint()) + } +} + +impl From for ScalarPrimitive { + fn from(scalar: Scalar) -> ScalarPrimitive { + ScalarPrimitive::from(&scalar) + } +} + +impl From<&Scalar> for ScalarPrimitive { + fn from(scalar: &Scalar) -> ScalarPrimitive { + ScalarPrimitive::new(scalar.into()).unwrap() + } +} + +impl From for FieldBytes { + fn from(scalar: Scalar) -> Self { + scalar.to_repr() + } +} + +impl From<&Scalar> for FieldBytes { + fn from(scalar: &Scalar) -> Self { + scalar.to_repr() + } +} + +impl From for Uint { + fn from(scalar: Scalar) -> Uint { + Uint::from(&scalar) + } +} + +impl From<&Scalar> for Uint { + fn from(scalar: &Scalar) -> Uint { + scalar.to_canonical() + } +} + +impl From<&SecretKey> for Scalar { + fn from(secret_key: &SecretKey) -> Scalar { + *secret_key.to_nonzero_scalar() + } +} + +impl TryFrom for Scalar { + type Error = Error; + + fn try_from(w: Uint) -> Result { + Option::from(Self::from_uint(w)).ok_or(Error) + } +} + +#[cfg(test)] +mod tests { + use super::Scalar; + use elliptic_curve::ff::PrimeField; + use primeorder::{ + impl_field_identity_tests, impl_field_invert_tests, impl_field_sqrt_tests, + impl_primefield_tests, + }; + + // t = (modulus - 1) >> S + const T: [u64; 4] = [ + 0x3f2d5fcc931eb303, + 0xecae476b06fda6fe, + 0xffffffffffffffff, + 0x7fffffffffffffff, + ]; + + impl_field_identity_tests!(Scalar); + impl_field_invert_tests!(Scalar); + impl_field_sqrt_tests!(Scalar); + impl_primefield_tests!(Scalar, T); +} diff --git a/bign256/src/arithmetic/scalar/bign256_scalar_32.rs b/bign256/src/arithmetic/scalar/bign256_scalar_32.rs new file mode 100644 index 00000000..26053d2f --- /dev/null +++ b/bign256/src/arithmetic/scalar/bign256_scalar_32.rs @@ -0,0 +1,5730 @@ +#![doc = " fiat-crypto output postprocessed by fiat-constify: "] +#![doc = " Autogenerated: './word_by_word_montgomery' --lang Rust --inline bign256_scalar 32 '2^256 - 51359303463308904523350978545619999225' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp"] +#![doc = " curve description: bign256_scalar"] +#![doc = " machine_wordsize = 32 (from \"32\")"] +#![doc = " requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp"] +#![doc = " m = 0xffffffffffffffffffffffffffffffffd95c8ed60dfb4dfc7e5abf99263d6607 (from \"2^256 - 51359303463308904523350978545619999225\")"] +#![doc = ""] +#![doc = " NOTE: In addition to the bounds specified above each function, all"] +#![doc = " functions synthesized for this Montgomery arithmetic require the"] +#![doc = " input to be strictly less than the prime modulus (m), and also"] +#![doc = " require the input to be in the unique saturated representation."] +#![doc = " All functions also ensure that these two properties are true of"] +#![doc = " return values."] +#![doc = ""] +#![doc = " Computed values:"] +#![doc = " eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224)"] +#![doc = " bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248)"] +#![doc = " twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in"] +#![doc = " if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256"] +#![allow(unused_parens)] +#![allow(non_camel_case_types)] +#![allow( + clippy::identity_op, + clippy::unnecessary_cast, + dead_code, + rustdoc::broken_intra_doc_links, + unused_assignments, + unused_mut, + unused_variables +)] +pub type fiat_bign256_scalar_u1 = u8; +pub type fiat_bign256_scalar_i1 = i8; +pub type fiat_bign256_scalar_u2 = u8; +pub type fiat_bign256_scalar_i2 = i8; +pub type fiat_bign256_scalar_montgomery_domain_field_element = [u32; 8]; +pub type fiat_bign256_scalar_non_montgomery_domain_field_element = [u32; 8]; +#[doc = " The function fiat_bign256_scalar_addcarryx_u32 is an addition with carry."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (arg1 + arg2 + arg3) mod 2^32"] +#[doc = " out2 = ⌊(arg1 + arg2 + arg3) / 2^32βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[doc = " out2: [0x0 ~> 0x1]"] +#[inline] +pub const fn fiat_bign256_scalar_addcarryx_u32( + arg1: fiat_bign256_scalar_u1, + arg2: u32, + arg3: u32, +) -> (u32, fiat_bign256_scalar_u1) { + let mut out1: u32 = 0; + let mut out2: fiat_bign256_scalar_u1 = 0; + let x1: u64 = (((arg1 as u64) + (arg2 as u64)) + (arg3 as u64)); + let x2: u32 = ((x1 & (0xffffffff as u64)) as u32); + let x3: fiat_bign256_scalar_u1 = ((x1 >> 32) as fiat_bign256_scalar_u1); + out1 = x2; + out2 = x3; + (out1, out2) +} +#[doc = " The function fiat_bign256_scalar_subborrowx_u32 is a subtraction with borrow."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (-arg1 + arg2 + -arg3) mod 2^32"] +#[doc = " out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[doc = " out2: [0x0 ~> 0x1]"] +#[inline] +pub const fn fiat_bign256_scalar_subborrowx_u32( + arg1: fiat_bign256_scalar_u1, + arg2: u32, + arg3: u32, +) -> (u32, fiat_bign256_scalar_u1) { + let mut out1: u32 = 0; + let mut out2: fiat_bign256_scalar_u1 = 0; + let x1: i64 = (((arg2 as i64) - (arg1 as i64)) - (arg3 as i64)); + let x2: fiat_bign256_scalar_i1 = ((x1 >> 32) as fiat_bign256_scalar_i1); + let x3: u32 = ((x1 & (0xffffffff as i64)) as u32); + out1 = x3; + out2 = (((0x0 as fiat_bign256_scalar_i2) - (x2 as fiat_bign256_scalar_i2)) + as fiat_bign256_scalar_u1); + (out1, out2) +} +#[doc = " The function fiat_bign256_scalar_mulx_u32 is a multiplication, returning the full double-width result."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (arg1 * arg2) mod 2^32"] +#[doc = " out2 = ⌊arg1 * arg2 / 2^32βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0xffffffff]"] +#[doc = " arg2: [0x0 ~> 0xffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[doc = " out2: [0x0 ~> 0xffffffff]"] +#[inline] +pub const fn fiat_bign256_scalar_mulx_u32(arg1: u32, arg2: u32) -> (u32, u32) { + let mut out1: u32 = 0; + let mut out2: u32 = 0; + let x1: u64 = ((arg1 as u64) * (arg2 as u64)); + let x2: u32 = ((x1 & (0xffffffff as u64)) as u32); + let x3: u32 = ((x1 >> 32) as u32); + out1 = x2; + out2 = x3; + (out1, out2) +} +#[doc = " The function fiat_bign256_scalar_cmovznz_u32 is a single-word conditional move."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[inline] +pub const fn fiat_bign256_scalar_cmovznz_u32( + arg1: fiat_bign256_scalar_u1, + arg2: u32, + arg3: u32, +) -> u32 { + let mut out1: u32 = 0; + let x1: fiat_bign256_scalar_u1 = (!(!arg1)); + let x2: u32 = ((((((0x0 as fiat_bign256_scalar_i2) - (x1 as fiat_bign256_scalar_i2)) + as fiat_bign256_scalar_i1) as i64) + & (0xffffffff as i64)) as u32); + let x3: u32 = ((x2 & arg3) | ((!x2) & arg2)); + out1 = x3; + out1 +} +#[doc = " The function fiat_bign256_scalar_mul multiplies two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_mul( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, + arg2: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 8]; + let x1: u32 = (arg1[1]); + let x2: u32 = (arg1[2]); + let x3: u32 = (arg1[3]); + let x4: u32 = (arg1[4]); + let x5: u32 = (arg1[5]); + let x6: u32 = (arg1[6]); + let x7: u32 = (arg1[7]); + let x8: u32 = (arg1[0]); + let mut x9: u32 = 0; + let mut x10: u32 = 0; + let (x9, x10) = fiat_bign256_scalar_mulx_u32(x8, (arg2[7])); + let mut x11: u32 = 0; + let mut x12: u32 = 0; + let (x11, x12) = fiat_bign256_scalar_mulx_u32(x8, (arg2[6])); + let mut x13: u32 = 0; + let mut x14: u32 = 0; + let (x13, x14) = fiat_bign256_scalar_mulx_u32(x8, (arg2[5])); + let mut x15: u32 = 0; + let mut x16: u32 = 0; + let (x15, x16) = fiat_bign256_scalar_mulx_u32(x8, (arg2[4])); + let mut x17: u32 = 0; + let mut x18: u32 = 0; + let (x17, x18) = fiat_bign256_scalar_mulx_u32(x8, (arg2[3])); + let mut x19: u32 = 0; + let mut x20: u32 = 0; + let (x19, x20) = fiat_bign256_scalar_mulx_u32(x8, (arg2[2])); + let mut x21: u32 = 0; + let mut x22: u32 = 0; + let (x21, x22) = fiat_bign256_scalar_mulx_u32(x8, (arg2[1])); + let mut x23: u32 = 0; + let mut x24: u32 = 0; + let (x23, x24) = fiat_bign256_scalar_mulx_u32(x8, (arg2[0])); + let mut x25: u32 = 0; + let mut x26: fiat_bign256_scalar_u1 = 0; + let (x25, x26) = fiat_bign256_scalar_addcarryx_u32(0x0, x24, x21); + let mut x27: u32 = 0; + let mut x28: fiat_bign256_scalar_u1 = 0; + let (x27, x28) = fiat_bign256_scalar_addcarryx_u32(x26, x22, x19); + let mut x29: u32 = 0; + let mut x30: fiat_bign256_scalar_u1 = 0; + let (x29, x30) = fiat_bign256_scalar_addcarryx_u32(x28, x20, x17); + let mut x31: u32 = 0; + let mut x32: fiat_bign256_scalar_u1 = 0; + let (x31, x32) = fiat_bign256_scalar_addcarryx_u32(x30, x18, x15); + let mut x33: u32 = 0; + let mut x34: fiat_bign256_scalar_u1 = 0; + let (x33, x34) = fiat_bign256_scalar_addcarryx_u32(x32, x16, x13); + let mut x35: u32 = 0; + let mut x36: fiat_bign256_scalar_u1 = 0; + let (x35, x36) = fiat_bign256_scalar_addcarryx_u32(x34, x14, x11); + let mut x37: u32 = 0; + let mut x38: fiat_bign256_scalar_u1 = 0; + let (x37, x38) = fiat_bign256_scalar_addcarryx_u32(x36, x12, x9); + let x39: u32 = ((x38 as u32) + x10); + let mut x40: u32 = 0; + let mut x41: u32 = 0; + let (x40, x41) = fiat_bign256_scalar_mulx_u32(x23, 0x858d849); + let mut x42: u32 = 0; + let mut x43: u32 = 0; + let (x42, x43) = fiat_bign256_scalar_mulx_u32(x40, 0xffffffff); + let mut x44: u32 = 0; + let mut x45: u32 = 0; + let (x44, x45) = fiat_bign256_scalar_mulx_u32(x40, 0xffffffff); + let mut x46: u32 = 0; + let mut x47: u32 = 0; + let (x46, x47) = fiat_bign256_scalar_mulx_u32(x40, 0xffffffff); + let mut x48: u32 = 0; + let mut x49: u32 = 0; + let (x48, x49) = fiat_bign256_scalar_mulx_u32(x40, 0xffffffff); + let mut x50: u32 = 0; + let mut x51: u32 = 0; + let (x50, x51) = fiat_bign256_scalar_mulx_u32(x40, 0xd95c8ed6); + let mut x52: u32 = 0; + let mut x53: u32 = 0; + let (x52, x53) = fiat_bign256_scalar_mulx_u32(x40, 0xdfb4dfc); + let mut x54: u32 = 0; + let mut x55: u32 = 0; + let (x54, x55) = fiat_bign256_scalar_mulx_u32(x40, 0x7e5abf99); + let mut x56: u32 = 0; + let mut x57: u32 = 0; + let (x56, x57) = fiat_bign256_scalar_mulx_u32(x40, 0x263d6607); + let mut x58: u32 = 0; + let mut x59: fiat_bign256_scalar_u1 = 0; + let (x58, x59) = fiat_bign256_scalar_addcarryx_u32(0x0, x57, x54); + let mut x60: u32 = 0; + let mut x61: fiat_bign256_scalar_u1 = 0; + let (x60, x61) = fiat_bign256_scalar_addcarryx_u32(x59, x55, x52); + let mut x62: u32 = 0; + let mut x63: fiat_bign256_scalar_u1 = 0; + let (x62, x63) = fiat_bign256_scalar_addcarryx_u32(x61, x53, x50); + let mut x64: u32 = 0; + let mut x65: fiat_bign256_scalar_u1 = 0; + let (x64, x65) = fiat_bign256_scalar_addcarryx_u32(x63, x51, x48); + let mut x66: u32 = 0; + let mut x67: fiat_bign256_scalar_u1 = 0; + let (x66, x67) = fiat_bign256_scalar_addcarryx_u32(x65, x49, x46); + let mut x68: u32 = 0; + let mut x69: fiat_bign256_scalar_u1 = 0; + let (x68, x69) = fiat_bign256_scalar_addcarryx_u32(x67, x47, x44); + let mut x70: u32 = 0; + let mut x71: fiat_bign256_scalar_u1 = 0; + let (x70, x71) = fiat_bign256_scalar_addcarryx_u32(x69, x45, x42); + let x72: u32 = ((x71 as u32) + x43); + let mut x73: u32 = 0; + let mut x74: fiat_bign256_scalar_u1 = 0; + let (x73, x74) = fiat_bign256_scalar_addcarryx_u32(0x0, x23, x56); + let mut x75: u32 = 0; + let mut x76: fiat_bign256_scalar_u1 = 0; + let (x75, x76) = fiat_bign256_scalar_addcarryx_u32(x74, x25, x58); + let mut x77: u32 = 0; + let mut x78: fiat_bign256_scalar_u1 = 0; + let (x77, x78) = fiat_bign256_scalar_addcarryx_u32(x76, x27, x60); + let mut x79: u32 = 0; + let mut x80: fiat_bign256_scalar_u1 = 0; + let (x79, x80) = fiat_bign256_scalar_addcarryx_u32(x78, x29, x62); + let mut x81: u32 = 0; + let mut x82: fiat_bign256_scalar_u1 = 0; + let (x81, x82) = fiat_bign256_scalar_addcarryx_u32(x80, x31, x64); + let mut x83: u32 = 0; + let mut x84: fiat_bign256_scalar_u1 = 0; + let (x83, x84) = fiat_bign256_scalar_addcarryx_u32(x82, x33, x66); + let mut x85: u32 = 0; + let mut x86: fiat_bign256_scalar_u1 = 0; + let (x85, x86) = fiat_bign256_scalar_addcarryx_u32(x84, x35, x68); + let mut x87: u32 = 0; + let mut x88: fiat_bign256_scalar_u1 = 0; + let (x87, x88) = fiat_bign256_scalar_addcarryx_u32(x86, x37, x70); + let mut x89: u32 = 0; + let mut x90: fiat_bign256_scalar_u1 = 0; + let (x89, x90) = fiat_bign256_scalar_addcarryx_u32(x88, x39, x72); + let mut x91: u32 = 0; + let mut x92: u32 = 0; + let (x91, x92) = fiat_bign256_scalar_mulx_u32(x1, (arg2[7])); + let mut x93: u32 = 0; + let mut x94: u32 = 0; + let (x93, x94) = fiat_bign256_scalar_mulx_u32(x1, (arg2[6])); + let mut x95: u32 = 0; + let mut x96: u32 = 0; + let (x95, x96) = fiat_bign256_scalar_mulx_u32(x1, (arg2[5])); + let mut x97: u32 = 0; + let mut x98: u32 = 0; + let (x97, x98) = fiat_bign256_scalar_mulx_u32(x1, (arg2[4])); + let mut x99: u32 = 0; + let mut x100: u32 = 0; + let (x99, x100) = fiat_bign256_scalar_mulx_u32(x1, (arg2[3])); + let mut x101: u32 = 0; + let mut x102: u32 = 0; + let (x101, x102) = fiat_bign256_scalar_mulx_u32(x1, (arg2[2])); + let mut x103: u32 = 0; + let mut x104: u32 = 0; + let (x103, x104) = fiat_bign256_scalar_mulx_u32(x1, (arg2[1])); + let mut x105: u32 = 0; + let mut x106: u32 = 0; + let (x105, x106) = fiat_bign256_scalar_mulx_u32(x1, (arg2[0])); + let mut x107: u32 = 0; + let mut x108: fiat_bign256_scalar_u1 = 0; + let (x107, x108) = fiat_bign256_scalar_addcarryx_u32(0x0, x106, x103); + let mut x109: u32 = 0; + let mut x110: fiat_bign256_scalar_u1 = 0; + let (x109, x110) = fiat_bign256_scalar_addcarryx_u32(x108, x104, x101); + let mut x111: u32 = 0; + let mut x112: fiat_bign256_scalar_u1 = 0; + let (x111, x112) = fiat_bign256_scalar_addcarryx_u32(x110, x102, x99); + let mut x113: u32 = 0; + let mut x114: fiat_bign256_scalar_u1 = 0; + let (x113, x114) = fiat_bign256_scalar_addcarryx_u32(x112, x100, x97); + let mut x115: u32 = 0; + let mut x116: fiat_bign256_scalar_u1 = 0; + let (x115, x116) = fiat_bign256_scalar_addcarryx_u32(x114, x98, x95); + let mut x117: u32 = 0; + let mut x118: fiat_bign256_scalar_u1 = 0; + let (x117, x118) = fiat_bign256_scalar_addcarryx_u32(x116, x96, x93); + let mut x119: u32 = 0; + let mut x120: fiat_bign256_scalar_u1 = 0; + let (x119, x120) = fiat_bign256_scalar_addcarryx_u32(x118, x94, x91); + let x121: u32 = ((x120 as u32) + x92); + let mut x122: u32 = 0; + let mut x123: fiat_bign256_scalar_u1 = 0; + let (x122, x123) = fiat_bign256_scalar_addcarryx_u32(0x0, x75, x105); + let mut x124: u32 = 0; + let mut x125: fiat_bign256_scalar_u1 = 0; + let (x124, x125) = fiat_bign256_scalar_addcarryx_u32(x123, x77, x107); + let mut x126: u32 = 0; + let mut x127: fiat_bign256_scalar_u1 = 0; + let (x126, x127) = fiat_bign256_scalar_addcarryx_u32(x125, x79, x109); + let mut x128: u32 = 0; + let mut x129: fiat_bign256_scalar_u1 = 0; + let (x128, x129) = fiat_bign256_scalar_addcarryx_u32(x127, x81, x111); + let mut x130: u32 = 0; + let mut x131: fiat_bign256_scalar_u1 = 0; + let (x130, x131) = fiat_bign256_scalar_addcarryx_u32(x129, x83, x113); + let mut x132: u32 = 0; + let mut x133: fiat_bign256_scalar_u1 = 0; + let (x132, x133) = fiat_bign256_scalar_addcarryx_u32(x131, x85, x115); + let mut x134: u32 = 0; + let mut x135: fiat_bign256_scalar_u1 = 0; + let (x134, x135) = fiat_bign256_scalar_addcarryx_u32(x133, x87, x117); + let mut x136: u32 = 0; + let mut x137: fiat_bign256_scalar_u1 = 0; + let (x136, x137) = fiat_bign256_scalar_addcarryx_u32(x135, x89, x119); + let mut x138: u32 = 0; + let mut x139: fiat_bign256_scalar_u1 = 0; + let (x138, x139) = fiat_bign256_scalar_addcarryx_u32(x137, (x90 as u32), x121); + let mut x140: u32 = 0; + let mut x141: u32 = 0; + let (x140, x141) = fiat_bign256_scalar_mulx_u32(x122, 0x858d849); + let mut x142: u32 = 0; + let mut x143: u32 = 0; + let (x142, x143) = fiat_bign256_scalar_mulx_u32(x140, 0xffffffff); + let mut x144: u32 = 0; + let mut x145: u32 = 0; + let (x144, x145) = fiat_bign256_scalar_mulx_u32(x140, 0xffffffff); + let mut x146: u32 = 0; + let mut x147: u32 = 0; + let (x146, x147) = fiat_bign256_scalar_mulx_u32(x140, 0xffffffff); + let mut x148: u32 = 0; + let mut x149: u32 = 0; + let (x148, x149) = fiat_bign256_scalar_mulx_u32(x140, 0xffffffff); + let mut x150: u32 = 0; + let mut x151: u32 = 0; + let (x150, x151) = fiat_bign256_scalar_mulx_u32(x140, 0xd95c8ed6); + let mut x152: u32 = 0; + let mut x153: u32 = 0; + let (x152, x153) = fiat_bign256_scalar_mulx_u32(x140, 0xdfb4dfc); + let mut x154: u32 = 0; + let mut x155: u32 = 0; + let (x154, x155) = fiat_bign256_scalar_mulx_u32(x140, 0x7e5abf99); + let mut x156: u32 = 0; + let mut x157: u32 = 0; + let (x156, x157) = fiat_bign256_scalar_mulx_u32(x140, 0x263d6607); + let mut x158: u32 = 0; + let mut x159: fiat_bign256_scalar_u1 = 0; + let (x158, x159) = fiat_bign256_scalar_addcarryx_u32(0x0, x157, x154); + let mut x160: u32 = 0; + let mut x161: fiat_bign256_scalar_u1 = 0; + let (x160, x161) = fiat_bign256_scalar_addcarryx_u32(x159, x155, x152); + let mut x162: u32 = 0; + let mut x163: fiat_bign256_scalar_u1 = 0; + let (x162, x163) = fiat_bign256_scalar_addcarryx_u32(x161, x153, x150); + let mut x164: u32 = 0; + let mut x165: fiat_bign256_scalar_u1 = 0; + let (x164, x165) = fiat_bign256_scalar_addcarryx_u32(x163, x151, x148); + let mut x166: u32 = 0; + let mut x167: fiat_bign256_scalar_u1 = 0; + let (x166, x167) = fiat_bign256_scalar_addcarryx_u32(x165, x149, x146); + let mut x168: u32 = 0; + let mut x169: fiat_bign256_scalar_u1 = 0; + let (x168, x169) = fiat_bign256_scalar_addcarryx_u32(x167, x147, x144); + let mut x170: u32 = 0; + let mut x171: fiat_bign256_scalar_u1 = 0; + let (x170, x171) = fiat_bign256_scalar_addcarryx_u32(x169, x145, x142); + let x172: u32 = ((x171 as u32) + x143); + let mut x173: u32 = 0; + let mut x174: fiat_bign256_scalar_u1 = 0; + let (x173, x174) = fiat_bign256_scalar_addcarryx_u32(0x0, x122, x156); + let mut x175: u32 = 0; + let mut x176: fiat_bign256_scalar_u1 = 0; + let (x175, x176) = fiat_bign256_scalar_addcarryx_u32(x174, x124, x158); + let mut x177: u32 = 0; + let mut x178: fiat_bign256_scalar_u1 = 0; + let (x177, x178) = fiat_bign256_scalar_addcarryx_u32(x176, x126, x160); + let mut x179: u32 = 0; + let mut x180: fiat_bign256_scalar_u1 = 0; + let (x179, x180) = fiat_bign256_scalar_addcarryx_u32(x178, x128, x162); + let mut x181: u32 = 0; + let mut x182: fiat_bign256_scalar_u1 = 0; + let (x181, x182) = fiat_bign256_scalar_addcarryx_u32(x180, x130, x164); + let mut x183: u32 = 0; + let mut x184: fiat_bign256_scalar_u1 = 0; + let (x183, x184) = fiat_bign256_scalar_addcarryx_u32(x182, x132, x166); + let mut x185: u32 = 0; + let mut x186: fiat_bign256_scalar_u1 = 0; + let (x185, x186) = fiat_bign256_scalar_addcarryx_u32(x184, x134, x168); + let mut x187: u32 = 0; + let mut x188: fiat_bign256_scalar_u1 = 0; + let (x187, x188) = fiat_bign256_scalar_addcarryx_u32(x186, x136, x170); + let mut x189: u32 = 0; + let mut x190: fiat_bign256_scalar_u1 = 0; + let (x189, x190) = fiat_bign256_scalar_addcarryx_u32(x188, x138, x172); + let x191: u32 = ((x190 as u32) + (x139 as u32)); + let mut x192: u32 = 0; + let mut x193: u32 = 0; + let (x192, x193) = fiat_bign256_scalar_mulx_u32(x2, (arg2[7])); + let mut x194: u32 = 0; + let mut x195: u32 = 0; + let (x194, x195) = fiat_bign256_scalar_mulx_u32(x2, (arg2[6])); + let mut x196: u32 = 0; + let mut x197: u32 = 0; + let (x196, x197) = fiat_bign256_scalar_mulx_u32(x2, (arg2[5])); + let mut x198: u32 = 0; + let mut x199: u32 = 0; + let (x198, x199) = fiat_bign256_scalar_mulx_u32(x2, (arg2[4])); + let mut x200: u32 = 0; + let mut x201: u32 = 0; + let (x200, x201) = fiat_bign256_scalar_mulx_u32(x2, (arg2[3])); + let mut x202: u32 = 0; + let mut x203: u32 = 0; + let (x202, x203) = fiat_bign256_scalar_mulx_u32(x2, (arg2[2])); + let mut x204: u32 = 0; + let mut x205: u32 = 0; + let (x204, x205) = fiat_bign256_scalar_mulx_u32(x2, (arg2[1])); + let mut x206: u32 = 0; + let mut x207: u32 = 0; + let (x206, x207) = fiat_bign256_scalar_mulx_u32(x2, (arg2[0])); + let mut x208: u32 = 0; + let mut x209: fiat_bign256_scalar_u1 = 0; + let (x208, x209) = fiat_bign256_scalar_addcarryx_u32(0x0, x207, x204); + let mut x210: u32 = 0; + let mut x211: fiat_bign256_scalar_u1 = 0; + let (x210, x211) = fiat_bign256_scalar_addcarryx_u32(x209, x205, x202); + let mut x212: u32 = 0; + let mut x213: fiat_bign256_scalar_u1 = 0; + let (x212, x213) = fiat_bign256_scalar_addcarryx_u32(x211, x203, x200); + let mut x214: u32 = 0; + let mut x215: fiat_bign256_scalar_u1 = 0; + let (x214, x215) = fiat_bign256_scalar_addcarryx_u32(x213, x201, x198); + let mut x216: u32 = 0; + let mut x217: fiat_bign256_scalar_u1 = 0; + let (x216, x217) = fiat_bign256_scalar_addcarryx_u32(x215, x199, x196); + let mut x218: u32 = 0; + let mut x219: fiat_bign256_scalar_u1 = 0; + let (x218, x219) = fiat_bign256_scalar_addcarryx_u32(x217, x197, x194); + let mut x220: u32 = 0; + let mut x221: fiat_bign256_scalar_u1 = 0; + let (x220, x221) = fiat_bign256_scalar_addcarryx_u32(x219, x195, x192); + let x222: u32 = ((x221 as u32) + x193); + let mut x223: u32 = 0; + let mut x224: fiat_bign256_scalar_u1 = 0; + let (x223, x224) = fiat_bign256_scalar_addcarryx_u32(0x0, x175, x206); + let mut x225: u32 = 0; + let mut x226: fiat_bign256_scalar_u1 = 0; + let (x225, x226) = fiat_bign256_scalar_addcarryx_u32(x224, x177, x208); + let mut x227: u32 = 0; + let mut x228: fiat_bign256_scalar_u1 = 0; + let (x227, x228) = fiat_bign256_scalar_addcarryx_u32(x226, x179, x210); + let mut x229: u32 = 0; + let mut x230: fiat_bign256_scalar_u1 = 0; + let (x229, x230) = fiat_bign256_scalar_addcarryx_u32(x228, x181, x212); + let mut x231: u32 = 0; + let mut x232: fiat_bign256_scalar_u1 = 0; + let (x231, x232) = fiat_bign256_scalar_addcarryx_u32(x230, x183, x214); + let mut x233: u32 = 0; + let mut x234: fiat_bign256_scalar_u1 = 0; + let (x233, x234) = fiat_bign256_scalar_addcarryx_u32(x232, x185, x216); + let mut x235: u32 = 0; + let mut x236: fiat_bign256_scalar_u1 = 0; + let (x235, x236) = fiat_bign256_scalar_addcarryx_u32(x234, x187, x218); + let mut x237: u32 = 0; + let mut x238: fiat_bign256_scalar_u1 = 0; + let (x237, x238) = fiat_bign256_scalar_addcarryx_u32(x236, x189, x220); + let mut x239: u32 = 0; + let mut x240: fiat_bign256_scalar_u1 = 0; + let (x239, x240) = fiat_bign256_scalar_addcarryx_u32(x238, x191, x222); + let mut x241: u32 = 0; + let mut x242: u32 = 0; + let (x241, x242) = fiat_bign256_scalar_mulx_u32(x223, 0x858d849); + let mut x243: u32 = 0; + let mut x244: u32 = 0; + let (x243, x244) = fiat_bign256_scalar_mulx_u32(x241, 0xffffffff); + let mut x245: u32 = 0; + let mut x246: u32 = 0; + let (x245, x246) = fiat_bign256_scalar_mulx_u32(x241, 0xffffffff); + let mut x247: u32 = 0; + let mut x248: u32 = 0; + let (x247, x248) = fiat_bign256_scalar_mulx_u32(x241, 0xffffffff); + let mut x249: u32 = 0; + let mut x250: u32 = 0; + let (x249, x250) = fiat_bign256_scalar_mulx_u32(x241, 0xffffffff); + let mut x251: u32 = 0; + let mut x252: u32 = 0; + let (x251, x252) = fiat_bign256_scalar_mulx_u32(x241, 0xd95c8ed6); + let mut x253: u32 = 0; + let mut x254: u32 = 0; + let (x253, x254) = fiat_bign256_scalar_mulx_u32(x241, 0xdfb4dfc); + let mut x255: u32 = 0; + let mut x256: u32 = 0; + let (x255, x256) = fiat_bign256_scalar_mulx_u32(x241, 0x7e5abf99); + let mut x257: u32 = 0; + let mut x258: u32 = 0; + let (x257, x258) = fiat_bign256_scalar_mulx_u32(x241, 0x263d6607); + let mut x259: u32 = 0; + let mut x260: fiat_bign256_scalar_u1 = 0; + let (x259, x260) = fiat_bign256_scalar_addcarryx_u32(0x0, x258, x255); + let mut x261: u32 = 0; + let mut x262: fiat_bign256_scalar_u1 = 0; + let (x261, x262) = fiat_bign256_scalar_addcarryx_u32(x260, x256, x253); + let mut x263: u32 = 0; + let mut x264: fiat_bign256_scalar_u1 = 0; + let (x263, x264) = fiat_bign256_scalar_addcarryx_u32(x262, x254, x251); + let mut x265: u32 = 0; + let mut x266: fiat_bign256_scalar_u1 = 0; + let (x265, x266) = fiat_bign256_scalar_addcarryx_u32(x264, x252, x249); + let mut x267: u32 = 0; + let mut x268: fiat_bign256_scalar_u1 = 0; + let (x267, x268) = fiat_bign256_scalar_addcarryx_u32(x266, x250, x247); + let mut x269: u32 = 0; + let mut x270: fiat_bign256_scalar_u1 = 0; + let (x269, x270) = fiat_bign256_scalar_addcarryx_u32(x268, x248, x245); + let mut x271: u32 = 0; + let mut x272: fiat_bign256_scalar_u1 = 0; + let (x271, x272) = fiat_bign256_scalar_addcarryx_u32(x270, x246, x243); + let x273: u32 = ((x272 as u32) + x244); + let mut x274: u32 = 0; + let mut x275: fiat_bign256_scalar_u1 = 0; + let (x274, x275) = fiat_bign256_scalar_addcarryx_u32(0x0, x223, x257); + let mut x276: u32 = 0; + let mut x277: fiat_bign256_scalar_u1 = 0; + let (x276, x277) = fiat_bign256_scalar_addcarryx_u32(x275, x225, x259); + let mut x278: u32 = 0; + let mut x279: fiat_bign256_scalar_u1 = 0; + let (x278, x279) = fiat_bign256_scalar_addcarryx_u32(x277, x227, x261); + let mut x280: u32 = 0; + let mut x281: fiat_bign256_scalar_u1 = 0; + let (x280, x281) = fiat_bign256_scalar_addcarryx_u32(x279, x229, x263); + let mut x282: u32 = 0; + let mut x283: fiat_bign256_scalar_u1 = 0; + let (x282, x283) = fiat_bign256_scalar_addcarryx_u32(x281, x231, x265); + let mut x284: u32 = 0; + let mut x285: fiat_bign256_scalar_u1 = 0; + let (x284, x285) = fiat_bign256_scalar_addcarryx_u32(x283, x233, x267); + let mut x286: u32 = 0; + let mut x287: fiat_bign256_scalar_u1 = 0; + let (x286, x287) = fiat_bign256_scalar_addcarryx_u32(x285, x235, x269); + let mut x288: u32 = 0; + let mut x289: fiat_bign256_scalar_u1 = 0; + let (x288, x289) = fiat_bign256_scalar_addcarryx_u32(x287, x237, x271); + let mut x290: u32 = 0; + let mut x291: fiat_bign256_scalar_u1 = 0; + let (x290, x291) = fiat_bign256_scalar_addcarryx_u32(x289, x239, x273); + let x292: u32 = ((x291 as u32) + (x240 as u32)); + let mut x293: u32 = 0; + let mut x294: u32 = 0; + let (x293, x294) = fiat_bign256_scalar_mulx_u32(x3, (arg2[7])); + let mut x295: u32 = 0; + let mut x296: u32 = 0; + let (x295, x296) = fiat_bign256_scalar_mulx_u32(x3, (arg2[6])); + let mut x297: u32 = 0; + let mut x298: u32 = 0; + let (x297, x298) = fiat_bign256_scalar_mulx_u32(x3, (arg2[5])); + let mut x299: u32 = 0; + let mut x300: u32 = 0; + let (x299, x300) = fiat_bign256_scalar_mulx_u32(x3, (arg2[4])); + let mut x301: u32 = 0; + let mut x302: u32 = 0; + let (x301, x302) = fiat_bign256_scalar_mulx_u32(x3, (arg2[3])); + let mut x303: u32 = 0; + let mut x304: u32 = 0; + let (x303, x304) = fiat_bign256_scalar_mulx_u32(x3, (arg2[2])); + let mut x305: u32 = 0; + let mut x306: u32 = 0; + let (x305, x306) = fiat_bign256_scalar_mulx_u32(x3, (arg2[1])); + let mut x307: u32 = 0; + let mut x308: u32 = 0; + let (x307, x308) = fiat_bign256_scalar_mulx_u32(x3, (arg2[0])); + let mut x309: u32 = 0; + let mut x310: fiat_bign256_scalar_u1 = 0; + let (x309, x310) = fiat_bign256_scalar_addcarryx_u32(0x0, x308, x305); + let mut x311: u32 = 0; + let mut x312: fiat_bign256_scalar_u1 = 0; + let (x311, x312) = fiat_bign256_scalar_addcarryx_u32(x310, x306, x303); + let mut x313: u32 = 0; + let mut x314: fiat_bign256_scalar_u1 = 0; + let (x313, x314) = fiat_bign256_scalar_addcarryx_u32(x312, x304, x301); + let mut x315: u32 = 0; + let mut x316: fiat_bign256_scalar_u1 = 0; + let (x315, x316) = fiat_bign256_scalar_addcarryx_u32(x314, x302, x299); + let mut x317: u32 = 0; + let mut x318: fiat_bign256_scalar_u1 = 0; + let (x317, x318) = fiat_bign256_scalar_addcarryx_u32(x316, x300, x297); + let mut x319: u32 = 0; + let mut x320: fiat_bign256_scalar_u1 = 0; + let (x319, x320) = fiat_bign256_scalar_addcarryx_u32(x318, x298, x295); + let mut x321: u32 = 0; + let mut x322: fiat_bign256_scalar_u1 = 0; + let (x321, x322) = fiat_bign256_scalar_addcarryx_u32(x320, x296, x293); + let x323: u32 = ((x322 as u32) + x294); + let mut x324: u32 = 0; + let mut x325: fiat_bign256_scalar_u1 = 0; + let (x324, x325) = fiat_bign256_scalar_addcarryx_u32(0x0, x276, x307); + let mut x326: u32 = 0; + let mut x327: fiat_bign256_scalar_u1 = 0; + let (x326, x327) = fiat_bign256_scalar_addcarryx_u32(x325, x278, x309); + let mut x328: u32 = 0; + let mut x329: fiat_bign256_scalar_u1 = 0; + let (x328, x329) = fiat_bign256_scalar_addcarryx_u32(x327, x280, x311); + let mut x330: u32 = 0; + let mut x331: fiat_bign256_scalar_u1 = 0; + let (x330, x331) = fiat_bign256_scalar_addcarryx_u32(x329, x282, x313); + let mut x332: u32 = 0; + let mut x333: fiat_bign256_scalar_u1 = 0; + let (x332, x333) = fiat_bign256_scalar_addcarryx_u32(x331, x284, x315); + let mut x334: u32 = 0; + let mut x335: fiat_bign256_scalar_u1 = 0; + let (x334, x335) = fiat_bign256_scalar_addcarryx_u32(x333, x286, x317); + let mut x336: u32 = 0; + let mut x337: fiat_bign256_scalar_u1 = 0; + let (x336, x337) = fiat_bign256_scalar_addcarryx_u32(x335, x288, x319); + let mut x338: u32 = 0; + let mut x339: fiat_bign256_scalar_u1 = 0; + let (x338, x339) = fiat_bign256_scalar_addcarryx_u32(x337, x290, x321); + let mut x340: u32 = 0; + let mut x341: fiat_bign256_scalar_u1 = 0; + let (x340, x341) = fiat_bign256_scalar_addcarryx_u32(x339, x292, x323); + let mut x342: u32 = 0; + let mut x343: u32 = 0; + let (x342, x343) = fiat_bign256_scalar_mulx_u32(x324, 0x858d849); + let mut x344: u32 = 0; + let mut x345: u32 = 0; + let (x344, x345) = fiat_bign256_scalar_mulx_u32(x342, 0xffffffff); + let mut x346: u32 = 0; + let mut x347: u32 = 0; + let (x346, x347) = fiat_bign256_scalar_mulx_u32(x342, 0xffffffff); + let mut x348: u32 = 0; + let mut x349: u32 = 0; + let (x348, x349) = fiat_bign256_scalar_mulx_u32(x342, 0xffffffff); + let mut x350: u32 = 0; + let mut x351: u32 = 0; + let (x350, x351) = fiat_bign256_scalar_mulx_u32(x342, 0xffffffff); + let mut x352: u32 = 0; + let mut x353: u32 = 0; + let (x352, x353) = fiat_bign256_scalar_mulx_u32(x342, 0xd95c8ed6); + let mut x354: u32 = 0; + let mut x355: u32 = 0; + let (x354, x355) = fiat_bign256_scalar_mulx_u32(x342, 0xdfb4dfc); + let mut x356: u32 = 0; + let mut x357: u32 = 0; + let (x356, x357) = fiat_bign256_scalar_mulx_u32(x342, 0x7e5abf99); + let mut x358: u32 = 0; + let mut x359: u32 = 0; + let (x358, x359) = fiat_bign256_scalar_mulx_u32(x342, 0x263d6607); + let mut x360: u32 = 0; + let mut x361: fiat_bign256_scalar_u1 = 0; + let (x360, x361) = fiat_bign256_scalar_addcarryx_u32(0x0, x359, x356); + let mut x362: u32 = 0; + let mut x363: fiat_bign256_scalar_u1 = 0; + let (x362, x363) = fiat_bign256_scalar_addcarryx_u32(x361, x357, x354); + let mut x364: u32 = 0; + let mut x365: fiat_bign256_scalar_u1 = 0; + let (x364, x365) = fiat_bign256_scalar_addcarryx_u32(x363, x355, x352); + let mut x366: u32 = 0; + let mut x367: fiat_bign256_scalar_u1 = 0; + let (x366, x367) = fiat_bign256_scalar_addcarryx_u32(x365, x353, x350); + let mut x368: u32 = 0; + let mut x369: fiat_bign256_scalar_u1 = 0; + let (x368, x369) = fiat_bign256_scalar_addcarryx_u32(x367, x351, x348); + let mut x370: u32 = 0; + let mut x371: fiat_bign256_scalar_u1 = 0; + let (x370, x371) = fiat_bign256_scalar_addcarryx_u32(x369, x349, x346); + let mut x372: u32 = 0; + let mut x373: fiat_bign256_scalar_u1 = 0; + let (x372, x373) = fiat_bign256_scalar_addcarryx_u32(x371, x347, x344); + let x374: u32 = ((x373 as u32) + x345); + let mut x375: u32 = 0; + let mut x376: fiat_bign256_scalar_u1 = 0; + let (x375, x376) = fiat_bign256_scalar_addcarryx_u32(0x0, x324, x358); + let mut x377: u32 = 0; + let mut x378: fiat_bign256_scalar_u1 = 0; + let (x377, x378) = fiat_bign256_scalar_addcarryx_u32(x376, x326, x360); + let mut x379: u32 = 0; + let mut x380: fiat_bign256_scalar_u1 = 0; + let (x379, x380) = fiat_bign256_scalar_addcarryx_u32(x378, x328, x362); + let mut x381: u32 = 0; + let mut x382: fiat_bign256_scalar_u1 = 0; + let (x381, x382) = fiat_bign256_scalar_addcarryx_u32(x380, x330, x364); + let mut x383: u32 = 0; + let mut x384: fiat_bign256_scalar_u1 = 0; + let (x383, x384) = fiat_bign256_scalar_addcarryx_u32(x382, x332, x366); + let mut x385: u32 = 0; + let mut x386: fiat_bign256_scalar_u1 = 0; + let (x385, x386) = fiat_bign256_scalar_addcarryx_u32(x384, x334, x368); + let mut x387: u32 = 0; + let mut x388: fiat_bign256_scalar_u1 = 0; + let (x387, x388) = fiat_bign256_scalar_addcarryx_u32(x386, x336, x370); + let mut x389: u32 = 0; + let mut x390: fiat_bign256_scalar_u1 = 0; + let (x389, x390) = fiat_bign256_scalar_addcarryx_u32(x388, x338, x372); + let mut x391: u32 = 0; + let mut x392: fiat_bign256_scalar_u1 = 0; + let (x391, x392) = fiat_bign256_scalar_addcarryx_u32(x390, x340, x374); + let x393: u32 = ((x392 as u32) + (x341 as u32)); + let mut x394: u32 = 0; + let mut x395: u32 = 0; + let (x394, x395) = fiat_bign256_scalar_mulx_u32(x4, (arg2[7])); + let mut x396: u32 = 0; + let mut x397: u32 = 0; + let (x396, x397) = fiat_bign256_scalar_mulx_u32(x4, (arg2[6])); + let mut x398: u32 = 0; + let mut x399: u32 = 0; + let (x398, x399) = fiat_bign256_scalar_mulx_u32(x4, (arg2[5])); + let mut x400: u32 = 0; + let mut x401: u32 = 0; + let (x400, x401) = fiat_bign256_scalar_mulx_u32(x4, (arg2[4])); + let mut x402: u32 = 0; + let mut x403: u32 = 0; + let (x402, x403) = fiat_bign256_scalar_mulx_u32(x4, (arg2[3])); + let mut x404: u32 = 0; + let mut x405: u32 = 0; + let (x404, x405) = fiat_bign256_scalar_mulx_u32(x4, (arg2[2])); + let mut x406: u32 = 0; + let mut x407: u32 = 0; + let (x406, x407) = fiat_bign256_scalar_mulx_u32(x4, (arg2[1])); + let mut x408: u32 = 0; + let mut x409: u32 = 0; + let (x408, x409) = fiat_bign256_scalar_mulx_u32(x4, (arg2[0])); + let mut x410: u32 = 0; + let mut x411: fiat_bign256_scalar_u1 = 0; + let (x410, x411) = fiat_bign256_scalar_addcarryx_u32(0x0, x409, x406); + let mut x412: u32 = 0; + let mut x413: fiat_bign256_scalar_u1 = 0; + let (x412, x413) = fiat_bign256_scalar_addcarryx_u32(x411, x407, x404); + let mut x414: u32 = 0; + let mut x415: fiat_bign256_scalar_u1 = 0; + let (x414, x415) = fiat_bign256_scalar_addcarryx_u32(x413, x405, x402); + let mut x416: u32 = 0; + let mut x417: fiat_bign256_scalar_u1 = 0; + let (x416, x417) = fiat_bign256_scalar_addcarryx_u32(x415, x403, x400); + let mut x418: u32 = 0; + let mut x419: fiat_bign256_scalar_u1 = 0; + let (x418, x419) = fiat_bign256_scalar_addcarryx_u32(x417, x401, x398); + let mut x420: u32 = 0; + let mut x421: fiat_bign256_scalar_u1 = 0; + let (x420, x421) = fiat_bign256_scalar_addcarryx_u32(x419, x399, x396); + let mut x422: u32 = 0; + let mut x423: fiat_bign256_scalar_u1 = 0; + let (x422, x423) = fiat_bign256_scalar_addcarryx_u32(x421, x397, x394); + let x424: u32 = ((x423 as u32) + x395); + let mut x425: u32 = 0; + let mut x426: fiat_bign256_scalar_u1 = 0; + let (x425, x426) = fiat_bign256_scalar_addcarryx_u32(0x0, x377, x408); + let mut x427: u32 = 0; + let mut x428: fiat_bign256_scalar_u1 = 0; + let (x427, x428) = fiat_bign256_scalar_addcarryx_u32(x426, x379, x410); + let mut x429: u32 = 0; + let mut x430: fiat_bign256_scalar_u1 = 0; + let (x429, x430) = fiat_bign256_scalar_addcarryx_u32(x428, x381, x412); + let mut x431: u32 = 0; + let mut x432: fiat_bign256_scalar_u1 = 0; + let (x431, x432) = fiat_bign256_scalar_addcarryx_u32(x430, x383, x414); + let mut x433: u32 = 0; + let mut x434: fiat_bign256_scalar_u1 = 0; + let (x433, x434) = fiat_bign256_scalar_addcarryx_u32(x432, x385, x416); + let mut x435: u32 = 0; + let mut x436: fiat_bign256_scalar_u1 = 0; + let (x435, x436) = fiat_bign256_scalar_addcarryx_u32(x434, x387, x418); + let mut x437: u32 = 0; + let mut x438: fiat_bign256_scalar_u1 = 0; + let (x437, x438) = fiat_bign256_scalar_addcarryx_u32(x436, x389, x420); + let mut x439: u32 = 0; + let mut x440: fiat_bign256_scalar_u1 = 0; + let (x439, x440) = fiat_bign256_scalar_addcarryx_u32(x438, x391, x422); + let mut x441: u32 = 0; + let mut x442: fiat_bign256_scalar_u1 = 0; + let (x441, x442) = fiat_bign256_scalar_addcarryx_u32(x440, x393, x424); + let mut x443: u32 = 0; + let mut x444: u32 = 0; + let (x443, x444) = fiat_bign256_scalar_mulx_u32(x425, 0x858d849); + let mut x445: u32 = 0; + let mut x446: u32 = 0; + let (x445, x446) = fiat_bign256_scalar_mulx_u32(x443, 0xffffffff); + let mut x447: u32 = 0; + let mut x448: u32 = 0; + let (x447, x448) = fiat_bign256_scalar_mulx_u32(x443, 0xffffffff); + let mut x449: u32 = 0; + let mut x450: u32 = 0; + let (x449, x450) = fiat_bign256_scalar_mulx_u32(x443, 0xffffffff); + let mut x451: u32 = 0; + let mut x452: u32 = 0; + let (x451, x452) = fiat_bign256_scalar_mulx_u32(x443, 0xffffffff); + let mut x453: u32 = 0; + let mut x454: u32 = 0; + let (x453, x454) = fiat_bign256_scalar_mulx_u32(x443, 0xd95c8ed6); + let mut x455: u32 = 0; + let mut x456: u32 = 0; + let (x455, x456) = fiat_bign256_scalar_mulx_u32(x443, 0xdfb4dfc); + let mut x457: u32 = 0; + let mut x458: u32 = 0; + let (x457, x458) = fiat_bign256_scalar_mulx_u32(x443, 0x7e5abf99); + let mut x459: u32 = 0; + let mut x460: u32 = 0; + let (x459, x460) = fiat_bign256_scalar_mulx_u32(x443, 0x263d6607); + let mut x461: u32 = 0; + let mut x462: fiat_bign256_scalar_u1 = 0; + let (x461, x462) = fiat_bign256_scalar_addcarryx_u32(0x0, x460, x457); + let mut x463: u32 = 0; + let mut x464: fiat_bign256_scalar_u1 = 0; + let (x463, x464) = fiat_bign256_scalar_addcarryx_u32(x462, x458, x455); + let mut x465: u32 = 0; + let mut x466: fiat_bign256_scalar_u1 = 0; + let (x465, x466) = fiat_bign256_scalar_addcarryx_u32(x464, x456, x453); + let mut x467: u32 = 0; + let mut x468: fiat_bign256_scalar_u1 = 0; + let (x467, x468) = fiat_bign256_scalar_addcarryx_u32(x466, x454, x451); + let mut x469: u32 = 0; + let mut x470: fiat_bign256_scalar_u1 = 0; + let (x469, x470) = fiat_bign256_scalar_addcarryx_u32(x468, x452, x449); + let mut x471: u32 = 0; + let mut x472: fiat_bign256_scalar_u1 = 0; + let (x471, x472) = fiat_bign256_scalar_addcarryx_u32(x470, x450, x447); + let mut x473: u32 = 0; + let mut x474: fiat_bign256_scalar_u1 = 0; + let (x473, x474) = fiat_bign256_scalar_addcarryx_u32(x472, x448, x445); + let x475: u32 = ((x474 as u32) + x446); + let mut x476: u32 = 0; + let mut x477: fiat_bign256_scalar_u1 = 0; + let (x476, x477) = fiat_bign256_scalar_addcarryx_u32(0x0, x425, x459); + let mut x478: u32 = 0; + let mut x479: fiat_bign256_scalar_u1 = 0; + let (x478, x479) = fiat_bign256_scalar_addcarryx_u32(x477, x427, x461); + let mut x480: u32 = 0; + let mut x481: fiat_bign256_scalar_u1 = 0; + let (x480, x481) = fiat_bign256_scalar_addcarryx_u32(x479, x429, x463); + let mut x482: u32 = 0; + let mut x483: fiat_bign256_scalar_u1 = 0; + let (x482, x483) = fiat_bign256_scalar_addcarryx_u32(x481, x431, x465); + let mut x484: u32 = 0; + let mut x485: fiat_bign256_scalar_u1 = 0; + let (x484, x485) = fiat_bign256_scalar_addcarryx_u32(x483, x433, x467); + let mut x486: u32 = 0; + let mut x487: fiat_bign256_scalar_u1 = 0; + let (x486, x487) = fiat_bign256_scalar_addcarryx_u32(x485, x435, x469); + let mut x488: u32 = 0; + let mut x489: fiat_bign256_scalar_u1 = 0; + let (x488, x489) = fiat_bign256_scalar_addcarryx_u32(x487, x437, x471); + let mut x490: u32 = 0; + let mut x491: fiat_bign256_scalar_u1 = 0; + let (x490, x491) = fiat_bign256_scalar_addcarryx_u32(x489, x439, x473); + let mut x492: u32 = 0; + let mut x493: fiat_bign256_scalar_u1 = 0; + let (x492, x493) = fiat_bign256_scalar_addcarryx_u32(x491, x441, x475); + let x494: u32 = ((x493 as u32) + (x442 as u32)); + let mut x495: u32 = 0; + let mut x496: u32 = 0; + let (x495, x496) = fiat_bign256_scalar_mulx_u32(x5, (arg2[7])); + let mut x497: u32 = 0; + let mut x498: u32 = 0; + let (x497, x498) = fiat_bign256_scalar_mulx_u32(x5, (arg2[6])); + let mut x499: u32 = 0; + let mut x500: u32 = 0; + let (x499, x500) = fiat_bign256_scalar_mulx_u32(x5, (arg2[5])); + let mut x501: u32 = 0; + let mut x502: u32 = 0; + let (x501, x502) = fiat_bign256_scalar_mulx_u32(x5, (arg2[4])); + let mut x503: u32 = 0; + let mut x504: u32 = 0; + let (x503, x504) = fiat_bign256_scalar_mulx_u32(x5, (arg2[3])); + let mut x505: u32 = 0; + let mut x506: u32 = 0; + let (x505, x506) = fiat_bign256_scalar_mulx_u32(x5, (arg2[2])); + let mut x507: u32 = 0; + let mut x508: u32 = 0; + let (x507, x508) = fiat_bign256_scalar_mulx_u32(x5, (arg2[1])); + let mut x509: u32 = 0; + let mut x510: u32 = 0; + let (x509, x510) = fiat_bign256_scalar_mulx_u32(x5, (arg2[0])); + let mut x511: u32 = 0; + let mut x512: fiat_bign256_scalar_u1 = 0; + let (x511, x512) = fiat_bign256_scalar_addcarryx_u32(0x0, x510, x507); + let mut x513: u32 = 0; + let mut x514: fiat_bign256_scalar_u1 = 0; + let (x513, x514) = fiat_bign256_scalar_addcarryx_u32(x512, x508, x505); + let mut x515: u32 = 0; + let mut x516: fiat_bign256_scalar_u1 = 0; + let (x515, x516) = fiat_bign256_scalar_addcarryx_u32(x514, x506, x503); + let mut x517: u32 = 0; + let mut x518: fiat_bign256_scalar_u1 = 0; + let (x517, x518) = fiat_bign256_scalar_addcarryx_u32(x516, x504, x501); + let mut x519: u32 = 0; + let mut x520: fiat_bign256_scalar_u1 = 0; + let (x519, x520) = fiat_bign256_scalar_addcarryx_u32(x518, x502, x499); + let mut x521: u32 = 0; + let mut x522: fiat_bign256_scalar_u1 = 0; + let (x521, x522) = fiat_bign256_scalar_addcarryx_u32(x520, x500, x497); + let mut x523: u32 = 0; + let mut x524: fiat_bign256_scalar_u1 = 0; + let (x523, x524) = fiat_bign256_scalar_addcarryx_u32(x522, x498, x495); + let x525: u32 = ((x524 as u32) + x496); + let mut x526: u32 = 0; + let mut x527: fiat_bign256_scalar_u1 = 0; + let (x526, x527) = fiat_bign256_scalar_addcarryx_u32(0x0, x478, x509); + let mut x528: u32 = 0; + let mut x529: fiat_bign256_scalar_u1 = 0; + let (x528, x529) = fiat_bign256_scalar_addcarryx_u32(x527, x480, x511); + let mut x530: u32 = 0; + let mut x531: fiat_bign256_scalar_u1 = 0; + let (x530, x531) = fiat_bign256_scalar_addcarryx_u32(x529, x482, x513); + let mut x532: u32 = 0; + let mut x533: fiat_bign256_scalar_u1 = 0; + let (x532, x533) = fiat_bign256_scalar_addcarryx_u32(x531, x484, x515); + let mut x534: u32 = 0; + let mut x535: fiat_bign256_scalar_u1 = 0; + let (x534, x535) = fiat_bign256_scalar_addcarryx_u32(x533, x486, x517); + let mut x536: u32 = 0; + let mut x537: fiat_bign256_scalar_u1 = 0; + let (x536, x537) = fiat_bign256_scalar_addcarryx_u32(x535, x488, x519); + let mut x538: u32 = 0; + let mut x539: fiat_bign256_scalar_u1 = 0; + let (x538, x539) = fiat_bign256_scalar_addcarryx_u32(x537, x490, x521); + let mut x540: u32 = 0; + let mut x541: fiat_bign256_scalar_u1 = 0; + let (x540, x541) = fiat_bign256_scalar_addcarryx_u32(x539, x492, x523); + let mut x542: u32 = 0; + let mut x543: fiat_bign256_scalar_u1 = 0; + let (x542, x543) = fiat_bign256_scalar_addcarryx_u32(x541, x494, x525); + let mut x544: u32 = 0; + let mut x545: u32 = 0; + let (x544, x545) = fiat_bign256_scalar_mulx_u32(x526, 0x858d849); + let mut x546: u32 = 0; + let mut x547: u32 = 0; + let (x546, x547) = fiat_bign256_scalar_mulx_u32(x544, 0xffffffff); + let mut x548: u32 = 0; + let mut x549: u32 = 0; + let (x548, x549) = fiat_bign256_scalar_mulx_u32(x544, 0xffffffff); + let mut x550: u32 = 0; + let mut x551: u32 = 0; + let (x550, x551) = fiat_bign256_scalar_mulx_u32(x544, 0xffffffff); + let mut x552: u32 = 0; + let mut x553: u32 = 0; + let (x552, x553) = fiat_bign256_scalar_mulx_u32(x544, 0xffffffff); + let mut x554: u32 = 0; + let mut x555: u32 = 0; + let (x554, x555) = fiat_bign256_scalar_mulx_u32(x544, 0xd95c8ed6); + let mut x556: u32 = 0; + let mut x557: u32 = 0; + let (x556, x557) = fiat_bign256_scalar_mulx_u32(x544, 0xdfb4dfc); + let mut x558: u32 = 0; + let mut x559: u32 = 0; + let (x558, x559) = fiat_bign256_scalar_mulx_u32(x544, 0x7e5abf99); + let mut x560: u32 = 0; + let mut x561: u32 = 0; + let (x560, x561) = fiat_bign256_scalar_mulx_u32(x544, 0x263d6607); + let mut x562: u32 = 0; + let mut x563: fiat_bign256_scalar_u1 = 0; + let (x562, x563) = fiat_bign256_scalar_addcarryx_u32(0x0, x561, x558); + let mut x564: u32 = 0; + let mut x565: fiat_bign256_scalar_u1 = 0; + let (x564, x565) = fiat_bign256_scalar_addcarryx_u32(x563, x559, x556); + let mut x566: u32 = 0; + let mut x567: fiat_bign256_scalar_u1 = 0; + let (x566, x567) = fiat_bign256_scalar_addcarryx_u32(x565, x557, x554); + let mut x568: u32 = 0; + let mut x569: fiat_bign256_scalar_u1 = 0; + let (x568, x569) = fiat_bign256_scalar_addcarryx_u32(x567, x555, x552); + let mut x570: u32 = 0; + let mut x571: fiat_bign256_scalar_u1 = 0; + let (x570, x571) = fiat_bign256_scalar_addcarryx_u32(x569, x553, x550); + let mut x572: u32 = 0; + let mut x573: fiat_bign256_scalar_u1 = 0; + let (x572, x573) = fiat_bign256_scalar_addcarryx_u32(x571, x551, x548); + let mut x574: u32 = 0; + let mut x575: fiat_bign256_scalar_u1 = 0; + let (x574, x575) = fiat_bign256_scalar_addcarryx_u32(x573, x549, x546); + let x576: u32 = ((x575 as u32) + x547); + let mut x577: u32 = 0; + let mut x578: fiat_bign256_scalar_u1 = 0; + let (x577, x578) = fiat_bign256_scalar_addcarryx_u32(0x0, x526, x560); + let mut x579: u32 = 0; + let mut x580: fiat_bign256_scalar_u1 = 0; + let (x579, x580) = fiat_bign256_scalar_addcarryx_u32(x578, x528, x562); + let mut x581: u32 = 0; + let mut x582: fiat_bign256_scalar_u1 = 0; + let (x581, x582) = fiat_bign256_scalar_addcarryx_u32(x580, x530, x564); + let mut x583: u32 = 0; + let mut x584: fiat_bign256_scalar_u1 = 0; + let (x583, x584) = fiat_bign256_scalar_addcarryx_u32(x582, x532, x566); + let mut x585: u32 = 0; + let mut x586: fiat_bign256_scalar_u1 = 0; + let (x585, x586) = fiat_bign256_scalar_addcarryx_u32(x584, x534, x568); + let mut x587: u32 = 0; + let mut x588: fiat_bign256_scalar_u1 = 0; + let (x587, x588) = fiat_bign256_scalar_addcarryx_u32(x586, x536, x570); + let mut x589: u32 = 0; + let mut x590: fiat_bign256_scalar_u1 = 0; + let (x589, x590) = fiat_bign256_scalar_addcarryx_u32(x588, x538, x572); + let mut x591: u32 = 0; + let mut x592: fiat_bign256_scalar_u1 = 0; + let (x591, x592) = fiat_bign256_scalar_addcarryx_u32(x590, x540, x574); + let mut x593: u32 = 0; + let mut x594: fiat_bign256_scalar_u1 = 0; + let (x593, x594) = fiat_bign256_scalar_addcarryx_u32(x592, x542, x576); + let x595: u32 = ((x594 as u32) + (x543 as u32)); + let mut x596: u32 = 0; + let mut x597: u32 = 0; + let (x596, x597) = fiat_bign256_scalar_mulx_u32(x6, (arg2[7])); + let mut x598: u32 = 0; + let mut x599: u32 = 0; + let (x598, x599) = fiat_bign256_scalar_mulx_u32(x6, (arg2[6])); + let mut x600: u32 = 0; + let mut x601: u32 = 0; + let (x600, x601) = fiat_bign256_scalar_mulx_u32(x6, (arg2[5])); + let mut x602: u32 = 0; + let mut x603: u32 = 0; + let (x602, x603) = fiat_bign256_scalar_mulx_u32(x6, (arg2[4])); + let mut x604: u32 = 0; + let mut x605: u32 = 0; + let (x604, x605) = fiat_bign256_scalar_mulx_u32(x6, (arg2[3])); + let mut x606: u32 = 0; + let mut x607: u32 = 0; + let (x606, x607) = fiat_bign256_scalar_mulx_u32(x6, (arg2[2])); + let mut x608: u32 = 0; + let mut x609: u32 = 0; + let (x608, x609) = fiat_bign256_scalar_mulx_u32(x6, (arg2[1])); + let mut x610: u32 = 0; + let mut x611: u32 = 0; + let (x610, x611) = fiat_bign256_scalar_mulx_u32(x6, (arg2[0])); + let mut x612: u32 = 0; + let mut x613: fiat_bign256_scalar_u1 = 0; + let (x612, x613) = fiat_bign256_scalar_addcarryx_u32(0x0, x611, x608); + let mut x614: u32 = 0; + let mut x615: fiat_bign256_scalar_u1 = 0; + let (x614, x615) = fiat_bign256_scalar_addcarryx_u32(x613, x609, x606); + let mut x616: u32 = 0; + let mut x617: fiat_bign256_scalar_u1 = 0; + let (x616, x617) = fiat_bign256_scalar_addcarryx_u32(x615, x607, x604); + let mut x618: u32 = 0; + let mut x619: fiat_bign256_scalar_u1 = 0; + let (x618, x619) = fiat_bign256_scalar_addcarryx_u32(x617, x605, x602); + let mut x620: u32 = 0; + let mut x621: fiat_bign256_scalar_u1 = 0; + let (x620, x621) = fiat_bign256_scalar_addcarryx_u32(x619, x603, x600); + let mut x622: u32 = 0; + let mut x623: fiat_bign256_scalar_u1 = 0; + let (x622, x623) = fiat_bign256_scalar_addcarryx_u32(x621, x601, x598); + let mut x624: u32 = 0; + let mut x625: fiat_bign256_scalar_u1 = 0; + let (x624, x625) = fiat_bign256_scalar_addcarryx_u32(x623, x599, x596); + let x626: u32 = ((x625 as u32) + x597); + let mut x627: u32 = 0; + let mut x628: fiat_bign256_scalar_u1 = 0; + let (x627, x628) = fiat_bign256_scalar_addcarryx_u32(0x0, x579, x610); + let mut x629: u32 = 0; + let mut x630: fiat_bign256_scalar_u1 = 0; + let (x629, x630) = fiat_bign256_scalar_addcarryx_u32(x628, x581, x612); + let mut x631: u32 = 0; + let mut x632: fiat_bign256_scalar_u1 = 0; + let (x631, x632) = fiat_bign256_scalar_addcarryx_u32(x630, x583, x614); + let mut x633: u32 = 0; + let mut x634: fiat_bign256_scalar_u1 = 0; + let (x633, x634) = fiat_bign256_scalar_addcarryx_u32(x632, x585, x616); + let mut x635: u32 = 0; + let mut x636: fiat_bign256_scalar_u1 = 0; + let (x635, x636) = fiat_bign256_scalar_addcarryx_u32(x634, x587, x618); + let mut x637: u32 = 0; + let mut x638: fiat_bign256_scalar_u1 = 0; + let (x637, x638) = fiat_bign256_scalar_addcarryx_u32(x636, x589, x620); + let mut x639: u32 = 0; + let mut x640: fiat_bign256_scalar_u1 = 0; + let (x639, x640) = fiat_bign256_scalar_addcarryx_u32(x638, x591, x622); + let mut x641: u32 = 0; + let mut x642: fiat_bign256_scalar_u1 = 0; + let (x641, x642) = fiat_bign256_scalar_addcarryx_u32(x640, x593, x624); + let mut x643: u32 = 0; + let mut x644: fiat_bign256_scalar_u1 = 0; + let (x643, x644) = fiat_bign256_scalar_addcarryx_u32(x642, x595, x626); + let mut x645: u32 = 0; + let mut x646: u32 = 0; + let (x645, x646) = fiat_bign256_scalar_mulx_u32(x627, 0x858d849); + let mut x647: u32 = 0; + let mut x648: u32 = 0; + let (x647, x648) = fiat_bign256_scalar_mulx_u32(x645, 0xffffffff); + let mut x649: u32 = 0; + let mut x650: u32 = 0; + let (x649, x650) = fiat_bign256_scalar_mulx_u32(x645, 0xffffffff); + let mut x651: u32 = 0; + let mut x652: u32 = 0; + let (x651, x652) = fiat_bign256_scalar_mulx_u32(x645, 0xffffffff); + let mut x653: u32 = 0; + let mut x654: u32 = 0; + let (x653, x654) = fiat_bign256_scalar_mulx_u32(x645, 0xffffffff); + let mut x655: u32 = 0; + let mut x656: u32 = 0; + let (x655, x656) = fiat_bign256_scalar_mulx_u32(x645, 0xd95c8ed6); + let mut x657: u32 = 0; + let mut x658: u32 = 0; + let (x657, x658) = fiat_bign256_scalar_mulx_u32(x645, 0xdfb4dfc); + let mut x659: u32 = 0; + let mut x660: u32 = 0; + let (x659, x660) = fiat_bign256_scalar_mulx_u32(x645, 0x7e5abf99); + let mut x661: u32 = 0; + let mut x662: u32 = 0; + let (x661, x662) = fiat_bign256_scalar_mulx_u32(x645, 0x263d6607); + let mut x663: u32 = 0; + let mut x664: fiat_bign256_scalar_u1 = 0; + let (x663, x664) = fiat_bign256_scalar_addcarryx_u32(0x0, x662, x659); + let mut x665: u32 = 0; + let mut x666: fiat_bign256_scalar_u1 = 0; + let (x665, x666) = fiat_bign256_scalar_addcarryx_u32(x664, x660, x657); + let mut x667: u32 = 0; + let mut x668: fiat_bign256_scalar_u1 = 0; + let (x667, x668) = fiat_bign256_scalar_addcarryx_u32(x666, x658, x655); + let mut x669: u32 = 0; + let mut x670: fiat_bign256_scalar_u1 = 0; + let (x669, x670) = fiat_bign256_scalar_addcarryx_u32(x668, x656, x653); + let mut x671: u32 = 0; + let mut x672: fiat_bign256_scalar_u1 = 0; + let (x671, x672) = fiat_bign256_scalar_addcarryx_u32(x670, x654, x651); + let mut x673: u32 = 0; + let mut x674: fiat_bign256_scalar_u1 = 0; + let (x673, x674) = fiat_bign256_scalar_addcarryx_u32(x672, x652, x649); + let mut x675: u32 = 0; + let mut x676: fiat_bign256_scalar_u1 = 0; + let (x675, x676) = fiat_bign256_scalar_addcarryx_u32(x674, x650, x647); + let x677: u32 = ((x676 as u32) + x648); + let mut x678: u32 = 0; + let mut x679: fiat_bign256_scalar_u1 = 0; + let (x678, x679) = fiat_bign256_scalar_addcarryx_u32(0x0, x627, x661); + let mut x680: u32 = 0; + let mut x681: fiat_bign256_scalar_u1 = 0; + let (x680, x681) = fiat_bign256_scalar_addcarryx_u32(x679, x629, x663); + let mut x682: u32 = 0; + let mut x683: fiat_bign256_scalar_u1 = 0; + let (x682, x683) = fiat_bign256_scalar_addcarryx_u32(x681, x631, x665); + let mut x684: u32 = 0; + let mut x685: fiat_bign256_scalar_u1 = 0; + let (x684, x685) = fiat_bign256_scalar_addcarryx_u32(x683, x633, x667); + let mut x686: u32 = 0; + let mut x687: fiat_bign256_scalar_u1 = 0; + let (x686, x687) = fiat_bign256_scalar_addcarryx_u32(x685, x635, x669); + let mut x688: u32 = 0; + let mut x689: fiat_bign256_scalar_u1 = 0; + let (x688, x689) = fiat_bign256_scalar_addcarryx_u32(x687, x637, x671); + let mut x690: u32 = 0; + let mut x691: fiat_bign256_scalar_u1 = 0; + let (x690, x691) = fiat_bign256_scalar_addcarryx_u32(x689, x639, x673); + let mut x692: u32 = 0; + let mut x693: fiat_bign256_scalar_u1 = 0; + let (x692, x693) = fiat_bign256_scalar_addcarryx_u32(x691, x641, x675); + let mut x694: u32 = 0; + let mut x695: fiat_bign256_scalar_u1 = 0; + let (x694, x695) = fiat_bign256_scalar_addcarryx_u32(x693, x643, x677); + let x696: u32 = ((x695 as u32) + (x644 as u32)); + let mut x697: u32 = 0; + let mut x698: u32 = 0; + let (x697, x698) = fiat_bign256_scalar_mulx_u32(x7, (arg2[7])); + let mut x699: u32 = 0; + let mut x700: u32 = 0; + let (x699, x700) = fiat_bign256_scalar_mulx_u32(x7, (arg2[6])); + let mut x701: u32 = 0; + let mut x702: u32 = 0; + let (x701, x702) = fiat_bign256_scalar_mulx_u32(x7, (arg2[5])); + let mut x703: u32 = 0; + let mut x704: u32 = 0; + let (x703, x704) = fiat_bign256_scalar_mulx_u32(x7, (arg2[4])); + let mut x705: u32 = 0; + let mut x706: u32 = 0; + let (x705, x706) = fiat_bign256_scalar_mulx_u32(x7, (arg2[3])); + let mut x707: u32 = 0; + let mut x708: u32 = 0; + let (x707, x708) = fiat_bign256_scalar_mulx_u32(x7, (arg2[2])); + let mut x709: u32 = 0; + let mut x710: u32 = 0; + let (x709, x710) = fiat_bign256_scalar_mulx_u32(x7, (arg2[1])); + let mut x711: u32 = 0; + let mut x712: u32 = 0; + let (x711, x712) = fiat_bign256_scalar_mulx_u32(x7, (arg2[0])); + let mut x713: u32 = 0; + let mut x714: fiat_bign256_scalar_u1 = 0; + let (x713, x714) = fiat_bign256_scalar_addcarryx_u32(0x0, x712, x709); + let mut x715: u32 = 0; + let mut x716: fiat_bign256_scalar_u1 = 0; + let (x715, x716) = fiat_bign256_scalar_addcarryx_u32(x714, x710, x707); + let mut x717: u32 = 0; + let mut x718: fiat_bign256_scalar_u1 = 0; + let (x717, x718) = fiat_bign256_scalar_addcarryx_u32(x716, x708, x705); + let mut x719: u32 = 0; + let mut x720: fiat_bign256_scalar_u1 = 0; + let (x719, x720) = fiat_bign256_scalar_addcarryx_u32(x718, x706, x703); + let mut x721: u32 = 0; + let mut x722: fiat_bign256_scalar_u1 = 0; + let (x721, x722) = fiat_bign256_scalar_addcarryx_u32(x720, x704, x701); + let mut x723: u32 = 0; + let mut x724: fiat_bign256_scalar_u1 = 0; + let (x723, x724) = fiat_bign256_scalar_addcarryx_u32(x722, x702, x699); + let mut x725: u32 = 0; + let mut x726: fiat_bign256_scalar_u1 = 0; + let (x725, x726) = fiat_bign256_scalar_addcarryx_u32(x724, x700, x697); + let x727: u32 = ((x726 as u32) + x698); + let mut x728: u32 = 0; + let mut x729: fiat_bign256_scalar_u1 = 0; + let (x728, x729) = fiat_bign256_scalar_addcarryx_u32(0x0, x680, x711); + let mut x730: u32 = 0; + let mut x731: fiat_bign256_scalar_u1 = 0; + let (x730, x731) = fiat_bign256_scalar_addcarryx_u32(x729, x682, x713); + let mut x732: u32 = 0; + let mut x733: fiat_bign256_scalar_u1 = 0; + let (x732, x733) = fiat_bign256_scalar_addcarryx_u32(x731, x684, x715); + let mut x734: u32 = 0; + let mut x735: fiat_bign256_scalar_u1 = 0; + let (x734, x735) = fiat_bign256_scalar_addcarryx_u32(x733, x686, x717); + let mut x736: u32 = 0; + let mut x737: fiat_bign256_scalar_u1 = 0; + let (x736, x737) = fiat_bign256_scalar_addcarryx_u32(x735, x688, x719); + let mut x738: u32 = 0; + let mut x739: fiat_bign256_scalar_u1 = 0; + let (x738, x739) = fiat_bign256_scalar_addcarryx_u32(x737, x690, x721); + let mut x740: u32 = 0; + let mut x741: fiat_bign256_scalar_u1 = 0; + let (x740, x741) = fiat_bign256_scalar_addcarryx_u32(x739, x692, x723); + let mut x742: u32 = 0; + let mut x743: fiat_bign256_scalar_u1 = 0; + let (x742, x743) = fiat_bign256_scalar_addcarryx_u32(x741, x694, x725); + let mut x744: u32 = 0; + let mut x745: fiat_bign256_scalar_u1 = 0; + let (x744, x745) = fiat_bign256_scalar_addcarryx_u32(x743, x696, x727); + let mut x746: u32 = 0; + let mut x747: u32 = 0; + let (x746, x747) = fiat_bign256_scalar_mulx_u32(x728, 0x858d849); + let mut x748: u32 = 0; + let mut x749: u32 = 0; + let (x748, x749) = fiat_bign256_scalar_mulx_u32(x746, 0xffffffff); + let mut x750: u32 = 0; + let mut x751: u32 = 0; + let (x750, x751) = fiat_bign256_scalar_mulx_u32(x746, 0xffffffff); + let mut x752: u32 = 0; + let mut x753: u32 = 0; + let (x752, x753) = fiat_bign256_scalar_mulx_u32(x746, 0xffffffff); + let mut x754: u32 = 0; + let mut x755: u32 = 0; + let (x754, x755) = fiat_bign256_scalar_mulx_u32(x746, 0xffffffff); + let mut x756: u32 = 0; + let mut x757: u32 = 0; + let (x756, x757) = fiat_bign256_scalar_mulx_u32(x746, 0xd95c8ed6); + let mut x758: u32 = 0; + let mut x759: u32 = 0; + let (x758, x759) = fiat_bign256_scalar_mulx_u32(x746, 0xdfb4dfc); + let mut x760: u32 = 0; + let mut x761: u32 = 0; + let (x760, x761) = fiat_bign256_scalar_mulx_u32(x746, 0x7e5abf99); + let mut x762: u32 = 0; + let mut x763: u32 = 0; + let (x762, x763) = fiat_bign256_scalar_mulx_u32(x746, 0x263d6607); + let mut x764: u32 = 0; + let mut x765: fiat_bign256_scalar_u1 = 0; + let (x764, x765) = fiat_bign256_scalar_addcarryx_u32(0x0, x763, x760); + let mut x766: u32 = 0; + let mut x767: fiat_bign256_scalar_u1 = 0; + let (x766, x767) = fiat_bign256_scalar_addcarryx_u32(x765, x761, x758); + let mut x768: u32 = 0; + let mut x769: fiat_bign256_scalar_u1 = 0; + let (x768, x769) = fiat_bign256_scalar_addcarryx_u32(x767, x759, x756); + let mut x770: u32 = 0; + let mut x771: fiat_bign256_scalar_u1 = 0; + let (x770, x771) = fiat_bign256_scalar_addcarryx_u32(x769, x757, x754); + let mut x772: u32 = 0; + let mut x773: fiat_bign256_scalar_u1 = 0; + let (x772, x773) = fiat_bign256_scalar_addcarryx_u32(x771, x755, x752); + let mut x774: u32 = 0; + let mut x775: fiat_bign256_scalar_u1 = 0; + let (x774, x775) = fiat_bign256_scalar_addcarryx_u32(x773, x753, x750); + let mut x776: u32 = 0; + let mut x777: fiat_bign256_scalar_u1 = 0; + let (x776, x777) = fiat_bign256_scalar_addcarryx_u32(x775, x751, x748); + let x778: u32 = ((x777 as u32) + x749); + let mut x779: u32 = 0; + let mut x780: fiat_bign256_scalar_u1 = 0; + let (x779, x780) = fiat_bign256_scalar_addcarryx_u32(0x0, x728, x762); + let mut x781: u32 = 0; + let mut x782: fiat_bign256_scalar_u1 = 0; + let (x781, x782) = fiat_bign256_scalar_addcarryx_u32(x780, x730, x764); + let mut x783: u32 = 0; + let mut x784: fiat_bign256_scalar_u1 = 0; + let (x783, x784) = fiat_bign256_scalar_addcarryx_u32(x782, x732, x766); + let mut x785: u32 = 0; + let mut x786: fiat_bign256_scalar_u1 = 0; + let (x785, x786) = fiat_bign256_scalar_addcarryx_u32(x784, x734, x768); + let mut x787: u32 = 0; + let mut x788: fiat_bign256_scalar_u1 = 0; + let (x787, x788) = fiat_bign256_scalar_addcarryx_u32(x786, x736, x770); + let mut x789: u32 = 0; + let mut x790: fiat_bign256_scalar_u1 = 0; + let (x789, x790) = fiat_bign256_scalar_addcarryx_u32(x788, x738, x772); + let mut x791: u32 = 0; + let mut x792: fiat_bign256_scalar_u1 = 0; + let (x791, x792) = fiat_bign256_scalar_addcarryx_u32(x790, x740, x774); + let mut x793: u32 = 0; + let mut x794: fiat_bign256_scalar_u1 = 0; + let (x793, x794) = fiat_bign256_scalar_addcarryx_u32(x792, x742, x776); + let mut x795: u32 = 0; + let mut x796: fiat_bign256_scalar_u1 = 0; + let (x795, x796) = fiat_bign256_scalar_addcarryx_u32(x794, x744, x778); + let x797: u32 = ((x796 as u32) + (x745 as u32)); + let mut x798: u32 = 0; + let mut x799: fiat_bign256_scalar_u1 = 0; + let (x798, x799) = fiat_bign256_scalar_subborrowx_u32(0x0, x781, 0x263d6607); + let mut x800: u32 = 0; + let mut x801: fiat_bign256_scalar_u1 = 0; + let (x800, x801) = fiat_bign256_scalar_subborrowx_u32(x799, x783, 0x7e5abf99); + let mut x802: u32 = 0; + let mut x803: fiat_bign256_scalar_u1 = 0; + let (x802, x803) = fiat_bign256_scalar_subborrowx_u32(x801, x785, 0xdfb4dfc); + let mut x804: u32 = 0; + let mut x805: fiat_bign256_scalar_u1 = 0; + let (x804, x805) = fiat_bign256_scalar_subborrowx_u32(x803, x787, 0xd95c8ed6); + let mut x806: u32 = 0; + let mut x807: fiat_bign256_scalar_u1 = 0; + let (x806, x807) = fiat_bign256_scalar_subborrowx_u32(x805, x789, 0xffffffff); + let mut x808: u32 = 0; + let mut x809: fiat_bign256_scalar_u1 = 0; + let (x808, x809) = fiat_bign256_scalar_subborrowx_u32(x807, x791, 0xffffffff); + let mut x810: u32 = 0; + let mut x811: fiat_bign256_scalar_u1 = 0; + let (x810, x811) = fiat_bign256_scalar_subborrowx_u32(x809, x793, 0xffffffff); + let mut x812: u32 = 0; + let mut x813: fiat_bign256_scalar_u1 = 0; + let (x812, x813) = fiat_bign256_scalar_subborrowx_u32(x811, x795, 0xffffffff); + let mut x814: u32 = 0; + let mut x815: fiat_bign256_scalar_u1 = 0; + let (x814, x815) = fiat_bign256_scalar_subborrowx_u32(x813, x797, (0x0 as u32)); + let mut x816: u32 = 0; + let (x816) = fiat_bign256_scalar_cmovznz_u32(x815, x798, x781); + let mut x817: u32 = 0; + let (x817) = fiat_bign256_scalar_cmovznz_u32(x815, x800, x783); + let mut x818: u32 = 0; + let (x818) = fiat_bign256_scalar_cmovznz_u32(x815, x802, x785); + let mut x819: u32 = 0; + let (x819) = fiat_bign256_scalar_cmovznz_u32(x815, x804, x787); + let mut x820: u32 = 0; + let (x820) = fiat_bign256_scalar_cmovznz_u32(x815, x806, x789); + let mut x821: u32 = 0; + let (x821) = fiat_bign256_scalar_cmovznz_u32(x815, x808, x791); + let mut x822: u32 = 0; + let (x822) = fiat_bign256_scalar_cmovznz_u32(x815, x810, x793); + let mut x823: u32 = 0; + let (x823) = fiat_bign256_scalar_cmovznz_u32(x815, x812, x795); + out1[0] = x816; + out1[1] = x817; + out1[2] = x818; + out1[3] = x819; + out1[4] = x820; + out1[5] = x821; + out1[6] = x822; + out1[7] = x823; + out1 +} +#[doc = " The function fiat_bign256_scalar_square squares a field element in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_square( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 8]; + let x1: u32 = (arg1[1]); + let x2: u32 = (arg1[2]); + let x3: u32 = (arg1[3]); + let x4: u32 = (arg1[4]); + let x5: u32 = (arg1[5]); + let x6: u32 = (arg1[6]); + let x7: u32 = (arg1[7]); + let x8: u32 = (arg1[0]); + let mut x9: u32 = 0; + let mut x10: u32 = 0; + let (x9, x10) = fiat_bign256_scalar_mulx_u32(x8, (arg1[7])); + let mut x11: u32 = 0; + let mut x12: u32 = 0; + let (x11, x12) = fiat_bign256_scalar_mulx_u32(x8, (arg1[6])); + let mut x13: u32 = 0; + let mut x14: u32 = 0; + let (x13, x14) = fiat_bign256_scalar_mulx_u32(x8, (arg1[5])); + let mut x15: u32 = 0; + let mut x16: u32 = 0; + let (x15, x16) = fiat_bign256_scalar_mulx_u32(x8, (arg1[4])); + let mut x17: u32 = 0; + let mut x18: u32 = 0; + let (x17, x18) = fiat_bign256_scalar_mulx_u32(x8, (arg1[3])); + let mut x19: u32 = 0; + let mut x20: u32 = 0; + let (x19, x20) = fiat_bign256_scalar_mulx_u32(x8, (arg1[2])); + let mut x21: u32 = 0; + let mut x22: u32 = 0; + let (x21, x22) = fiat_bign256_scalar_mulx_u32(x8, (arg1[1])); + let mut x23: u32 = 0; + let mut x24: u32 = 0; + let (x23, x24) = fiat_bign256_scalar_mulx_u32(x8, (arg1[0])); + let mut x25: u32 = 0; + let mut x26: fiat_bign256_scalar_u1 = 0; + let (x25, x26) = fiat_bign256_scalar_addcarryx_u32(0x0, x24, x21); + let mut x27: u32 = 0; + let mut x28: fiat_bign256_scalar_u1 = 0; + let (x27, x28) = fiat_bign256_scalar_addcarryx_u32(x26, x22, x19); + let mut x29: u32 = 0; + let mut x30: fiat_bign256_scalar_u1 = 0; + let (x29, x30) = fiat_bign256_scalar_addcarryx_u32(x28, x20, x17); + let mut x31: u32 = 0; + let mut x32: fiat_bign256_scalar_u1 = 0; + let (x31, x32) = fiat_bign256_scalar_addcarryx_u32(x30, x18, x15); + let mut x33: u32 = 0; + let mut x34: fiat_bign256_scalar_u1 = 0; + let (x33, x34) = fiat_bign256_scalar_addcarryx_u32(x32, x16, x13); + let mut x35: u32 = 0; + let mut x36: fiat_bign256_scalar_u1 = 0; + let (x35, x36) = fiat_bign256_scalar_addcarryx_u32(x34, x14, x11); + let mut x37: u32 = 0; + let mut x38: fiat_bign256_scalar_u1 = 0; + let (x37, x38) = fiat_bign256_scalar_addcarryx_u32(x36, x12, x9); + let x39: u32 = ((x38 as u32) + x10); + let mut x40: u32 = 0; + let mut x41: u32 = 0; + let (x40, x41) = fiat_bign256_scalar_mulx_u32(x23, 0x858d849); + let mut x42: u32 = 0; + let mut x43: u32 = 0; + let (x42, x43) = fiat_bign256_scalar_mulx_u32(x40, 0xffffffff); + let mut x44: u32 = 0; + let mut x45: u32 = 0; + let (x44, x45) = fiat_bign256_scalar_mulx_u32(x40, 0xffffffff); + let mut x46: u32 = 0; + let mut x47: u32 = 0; + let (x46, x47) = fiat_bign256_scalar_mulx_u32(x40, 0xffffffff); + let mut x48: u32 = 0; + let mut x49: u32 = 0; + let (x48, x49) = fiat_bign256_scalar_mulx_u32(x40, 0xffffffff); + let mut x50: u32 = 0; + let mut x51: u32 = 0; + let (x50, x51) = fiat_bign256_scalar_mulx_u32(x40, 0xd95c8ed6); + let mut x52: u32 = 0; + let mut x53: u32 = 0; + let (x52, x53) = fiat_bign256_scalar_mulx_u32(x40, 0xdfb4dfc); + let mut x54: u32 = 0; + let mut x55: u32 = 0; + let (x54, x55) = fiat_bign256_scalar_mulx_u32(x40, 0x7e5abf99); + let mut x56: u32 = 0; + let mut x57: u32 = 0; + let (x56, x57) = fiat_bign256_scalar_mulx_u32(x40, 0x263d6607); + let mut x58: u32 = 0; + let mut x59: fiat_bign256_scalar_u1 = 0; + let (x58, x59) = fiat_bign256_scalar_addcarryx_u32(0x0, x57, x54); + let mut x60: u32 = 0; + let mut x61: fiat_bign256_scalar_u1 = 0; + let (x60, x61) = fiat_bign256_scalar_addcarryx_u32(x59, x55, x52); + let mut x62: u32 = 0; + let mut x63: fiat_bign256_scalar_u1 = 0; + let (x62, x63) = fiat_bign256_scalar_addcarryx_u32(x61, x53, x50); + let mut x64: u32 = 0; + let mut x65: fiat_bign256_scalar_u1 = 0; + let (x64, x65) = fiat_bign256_scalar_addcarryx_u32(x63, x51, x48); + let mut x66: u32 = 0; + let mut x67: fiat_bign256_scalar_u1 = 0; + let (x66, x67) = fiat_bign256_scalar_addcarryx_u32(x65, x49, x46); + let mut x68: u32 = 0; + let mut x69: fiat_bign256_scalar_u1 = 0; + let (x68, x69) = fiat_bign256_scalar_addcarryx_u32(x67, x47, x44); + let mut x70: u32 = 0; + let mut x71: fiat_bign256_scalar_u1 = 0; + let (x70, x71) = fiat_bign256_scalar_addcarryx_u32(x69, x45, x42); + let x72: u32 = ((x71 as u32) + x43); + let mut x73: u32 = 0; + let mut x74: fiat_bign256_scalar_u1 = 0; + let (x73, x74) = fiat_bign256_scalar_addcarryx_u32(0x0, x23, x56); + let mut x75: u32 = 0; + let mut x76: fiat_bign256_scalar_u1 = 0; + let (x75, x76) = fiat_bign256_scalar_addcarryx_u32(x74, x25, x58); + let mut x77: u32 = 0; + let mut x78: fiat_bign256_scalar_u1 = 0; + let (x77, x78) = fiat_bign256_scalar_addcarryx_u32(x76, x27, x60); + let mut x79: u32 = 0; + let mut x80: fiat_bign256_scalar_u1 = 0; + let (x79, x80) = fiat_bign256_scalar_addcarryx_u32(x78, x29, x62); + let mut x81: u32 = 0; + let mut x82: fiat_bign256_scalar_u1 = 0; + let (x81, x82) = fiat_bign256_scalar_addcarryx_u32(x80, x31, x64); + let mut x83: u32 = 0; + let mut x84: fiat_bign256_scalar_u1 = 0; + let (x83, x84) = fiat_bign256_scalar_addcarryx_u32(x82, x33, x66); + let mut x85: u32 = 0; + let mut x86: fiat_bign256_scalar_u1 = 0; + let (x85, x86) = fiat_bign256_scalar_addcarryx_u32(x84, x35, x68); + let mut x87: u32 = 0; + let mut x88: fiat_bign256_scalar_u1 = 0; + let (x87, x88) = fiat_bign256_scalar_addcarryx_u32(x86, x37, x70); + let mut x89: u32 = 0; + let mut x90: fiat_bign256_scalar_u1 = 0; + let (x89, x90) = fiat_bign256_scalar_addcarryx_u32(x88, x39, x72); + let mut x91: u32 = 0; + let mut x92: u32 = 0; + let (x91, x92) = fiat_bign256_scalar_mulx_u32(x1, (arg1[7])); + let mut x93: u32 = 0; + let mut x94: u32 = 0; + let (x93, x94) = fiat_bign256_scalar_mulx_u32(x1, (arg1[6])); + let mut x95: u32 = 0; + let mut x96: u32 = 0; + let (x95, x96) = fiat_bign256_scalar_mulx_u32(x1, (arg1[5])); + let mut x97: u32 = 0; + let mut x98: u32 = 0; + let (x97, x98) = fiat_bign256_scalar_mulx_u32(x1, (arg1[4])); + let mut x99: u32 = 0; + let mut x100: u32 = 0; + let (x99, x100) = fiat_bign256_scalar_mulx_u32(x1, (arg1[3])); + let mut x101: u32 = 0; + let mut x102: u32 = 0; + let (x101, x102) = fiat_bign256_scalar_mulx_u32(x1, (arg1[2])); + let mut x103: u32 = 0; + let mut x104: u32 = 0; + let (x103, x104) = fiat_bign256_scalar_mulx_u32(x1, (arg1[1])); + let mut x105: u32 = 0; + let mut x106: u32 = 0; + let (x105, x106) = fiat_bign256_scalar_mulx_u32(x1, (arg1[0])); + let mut x107: u32 = 0; + let mut x108: fiat_bign256_scalar_u1 = 0; + let (x107, x108) = fiat_bign256_scalar_addcarryx_u32(0x0, x106, x103); + let mut x109: u32 = 0; + let mut x110: fiat_bign256_scalar_u1 = 0; + let (x109, x110) = fiat_bign256_scalar_addcarryx_u32(x108, x104, x101); + let mut x111: u32 = 0; + let mut x112: fiat_bign256_scalar_u1 = 0; + let (x111, x112) = fiat_bign256_scalar_addcarryx_u32(x110, x102, x99); + let mut x113: u32 = 0; + let mut x114: fiat_bign256_scalar_u1 = 0; + let (x113, x114) = fiat_bign256_scalar_addcarryx_u32(x112, x100, x97); + let mut x115: u32 = 0; + let mut x116: fiat_bign256_scalar_u1 = 0; + let (x115, x116) = fiat_bign256_scalar_addcarryx_u32(x114, x98, x95); + let mut x117: u32 = 0; + let mut x118: fiat_bign256_scalar_u1 = 0; + let (x117, x118) = fiat_bign256_scalar_addcarryx_u32(x116, x96, x93); + let mut x119: u32 = 0; + let mut x120: fiat_bign256_scalar_u1 = 0; + let (x119, x120) = fiat_bign256_scalar_addcarryx_u32(x118, x94, x91); + let x121: u32 = ((x120 as u32) + x92); + let mut x122: u32 = 0; + let mut x123: fiat_bign256_scalar_u1 = 0; + let (x122, x123) = fiat_bign256_scalar_addcarryx_u32(0x0, x75, x105); + let mut x124: u32 = 0; + let mut x125: fiat_bign256_scalar_u1 = 0; + let (x124, x125) = fiat_bign256_scalar_addcarryx_u32(x123, x77, x107); + let mut x126: u32 = 0; + let mut x127: fiat_bign256_scalar_u1 = 0; + let (x126, x127) = fiat_bign256_scalar_addcarryx_u32(x125, x79, x109); + let mut x128: u32 = 0; + let mut x129: fiat_bign256_scalar_u1 = 0; + let (x128, x129) = fiat_bign256_scalar_addcarryx_u32(x127, x81, x111); + let mut x130: u32 = 0; + let mut x131: fiat_bign256_scalar_u1 = 0; + let (x130, x131) = fiat_bign256_scalar_addcarryx_u32(x129, x83, x113); + let mut x132: u32 = 0; + let mut x133: fiat_bign256_scalar_u1 = 0; + let (x132, x133) = fiat_bign256_scalar_addcarryx_u32(x131, x85, x115); + let mut x134: u32 = 0; + let mut x135: fiat_bign256_scalar_u1 = 0; + let (x134, x135) = fiat_bign256_scalar_addcarryx_u32(x133, x87, x117); + let mut x136: u32 = 0; + let mut x137: fiat_bign256_scalar_u1 = 0; + let (x136, x137) = fiat_bign256_scalar_addcarryx_u32(x135, x89, x119); + let mut x138: u32 = 0; + let mut x139: fiat_bign256_scalar_u1 = 0; + let (x138, x139) = fiat_bign256_scalar_addcarryx_u32(x137, (x90 as u32), x121); + let mut x140: u32 = 0; + let mut x141: u32 = 0; + let (x140, x141) = fiat_bign256_scalar_mulx_u32(x122, 0x858d849); + let mut x142: u32 = 0; + let mut x143: u32 = 0; + let (x142, x143) = fiat_bign256_scalar_mulx_u32(x140, 0xffffffff); + let mut x144: u32 = 0; + let mut x145: u32 = 0; + let (x144, x145) = fiat_bign256_scalar_mulx_u32(x140, 0xffffffff); + let mut x146: u32 = 0; + let mut x147: u32 = 0; + let (x146, x147) = fiat_bign256_scalar_mulx_u32(x140, 0xffffffff); + let mut x148: u32 = 0; + let mut x149: u32 = 0; + let (x148, x149) = fiat_bign256_scalar_mulx_u32(x140, 0xffffffff); + let mut x150: u32 = 0; + let mut x151: u32 = 0; + let (x150, x151) = fiat_bign256_scalar_mulx_u32(x140, 0xd95c8ed6); + let mut x152: u32 = 0; + let mut x153: u32 = 0; + let (x152, x153) = fiat_bign256_scalar_mulx_u32(x140, 0xdfb4dfc); + let mut x154: u32 = 0; + let mut x155: u32 = 0; + let (x154, x155) = fiat_bign256_scalar_mulx_u32(x140, 0x7e5abf99); + let mut x156: u32 = 0; + let mut x157: u32 = 0; + let (x156, x157) = fiat_bign256_scalar_mulx_u32(x140, 0x263d6607); + let mut x158: u32 = 0; + let mut x159: fiat_bign256_scalar_u1 = 0; + let (x158, x159) = fiat_bign256_scalar_addcarryx_u32(0x0, x157, x154); + let mut x160: u32 = 0; + let mut x161: fiat_bign256_scalar_u1 = 0; + let (x160, x161) = fiat_bign256_scalar_addcarryx_u32(x159, x155, x152); + let mut x162: u32 = 0; + let mut x163: fiat_bign256_scalar_u1 = 0; + let (x162, x163) = fiat_bign256_scalar_addcarryx_u32(x161, x153, x150); + let mut x164: u32 = 0; + let mut x165: fiat_bign256_scalar_u1 = 0; + let (x164, x165) = fiat_bign256_scalar_addcarryx_u32(x163, x151, x148); + let mut x166: u32 = 0; + let mut x167: fiat_bign256_scalar_u1 = 0; + let (x166, x167) = fiat_bign256_scalar_addcarryx_u32(x165, x149, x146); + let mut x168: u32 = 0; + let mut x169: fiat_bign256_scalar_u1 = 0; + let (x168, x169) = fiat_bign256_scalar_addcarryx_u32(x167, x147, x144); + let mut x170: u32 = 0; + let mut x171: fiat_bign256_scalar_u1 = 0; + let (x170, x171) = fiat_bign256_scalar_addcarryx_u32(x169, x145, x142); + let x172: u32 = ((x171 as u32) + x143); + let mut x173: u32 = 0; + let mut x174: fiat_bign256_scalar_u1 = 0; + let (x173, x174) = fiat_bign256_scalar_addcarryx_u32(0x0, x122, x156); + let mut x175: u32 = 0; + let mut x176: fiat_bign256_scalar_u1 = 0; + let (x175, x176) = fiat_bign256_scalar_addcarryx_u32(x174, x124, x158); + let mut x177: u32 = 0; + let mut x178: fiat_bign256_scalar_u1 = 0; + let (x177, x178) = fiat_bign256_scalar_addcarryx_u32(x176, x126, x160); + let mut x179: u32 = 0; + let mut x180: fiat_bign256_scalar_u1 = 0; + let (x179, x180) = fiat_bign256_scalar_addcarryx_u32(x178, x128, x162); + let mut x181: u32 = 0; + let mut x182: fiat_bign256_scalar_u1 = 0; + let (x181, x182) = fiat_bign256_scalar_addcarryx_u32(x180, x130, x164); + let mut x183: u32 = 0; + let mut x184: fiat_bign256_scalar_u1 = 0; + let (x183, x184) = fiat_bign256_scalar_addcarryx_u32(x182, x132, x166); + let mut x185: u32 = 0; + let mut x186: fiat_bign256_scalar_u1 = 0; + let (x185, x186) = fiat_bign256_scalar_addcarryx_u32(x184, x134, x168); + let mut x187: u32 = 0; + let mut x188: fiat_bign256_scalar_u1 = 0; + let (x187, x188) = fiat_bign256_scalar_addcarryx_u32(x186, x136, x170); + let mut x189: u32 = 0; + let mut x190: fiat_bign256_scalar_u1 = 0; + let (x189, x190) = fiat_bign256_scalar_addcarryx_u32(x188, x138, x172); + let x191: u32 = ((x190 as u32) + (x139 as u32)); + let mut x192: u32 = 0; + let mut x193: u32 = 0; + let (x192, x193) = fiat_bign256_scalar_mulx_u32(x2, (arg1[7])); + let mut x194: u32 = 0; + let mut x195: u32 = 0; + let (x194, x195) = fiat_bign256_scalar_mulx_u32(x2, (arg1[6])); + let mut x196: u32 = 0; + let mut x197: u32 = 0; + let (x196, x197) = fiat_bign256_scalar_mulx_u32(x2, (arg1[5])); + let mut x198: u32 = 0; + let mut x199: u32 = 0; + let (x198, x199) = fiat_bign256_scalar_mulx_u32(x2, (arg1[4])); + let mut x200: u32 = 0; + let mut x201: u32 = 0; + let (x200, x201) = fiat_bign256_scalar_mulx_u32(x2, (arg1[3])); + let mut x202: u32 = 0; + let mut x203: u32 = 0; + let (x202, x203) = fiat_bign256_scalar_mulx_u32(x2, (arg1[2])); + let mut x204: u32 = 0; + let mut x205: u32 = 0; + let (x204, x205) = fiat_bign256_scalar_mulx_u32(x2, (arg1[1])); + let mut x206: u32 = 0; + let mut x207: u32 = 0; + let (x206, x207) = fiat_bign256_scalar_mulx_u32(x2, (arg1[0])); + let mut x208: u32 = 0; + let mut x209: fiat_bign256_scalar_u1 = 0; + let (x208, x209) = fiat_bign256_scalar_addcarryx_u32(0x0, x207, x204); + let mut x210: u32 = 0; + let mut x211: fiat_bign256_scalar_u1 = 0; + let (x210, x211) = fiat_bign256_scalar_addcarryx_u32(x209, x205, x202); + let mut x212: u32 = 0; + let mut x213: fiat_bign256_scalar_u1 = 0; + let (x212, x213) = fiat_bign256_scalar_addcarryx_u32(x211, x203, x200); + let mut x214: u32 = 0; + let mut x215: fiat_bign256_scalar_u1 = 0; + let (x214, x215) = fiat_bign256_scalar_addcarryx_u32(x213, x201, x198); + let mut x216: u32 = 0; + let mut x217: fiat_bign256_scalar_u1 = 0; + let (x216, x217) = fiat_bign256_scalar_addcarryx_u32(x215, x199, x196); + let mut x218: u32 = 0; + let mut x219: fiat_bign256_scalar_u1 = 0; + let (x218, x219) = fiat_bign256_scalar_addcarryx_u32(x217, x197, x194); + let mut x220: u32 = 0; + let mut x221: fiat_bign256_scalar_u1 = 0; + let (x220, x221) = fiat_bign256_scalar_addcarryx_u32(x219, x195, x192); + let x222: u32 = ((x221 as u32) + x193); + let mut x223: u32 = 0; + let mut x224: fiat_bign256_scalar_u1 = 0; + let (x223, x224) = fiat_bign256_scalar_addcarryx_u32(0x0, x175, x206); + let mut x225: u32 = 0; + let mut x226: fiat_bign256_scalar_u1 = 0; + let (x225, x226) = fiat_bign256_scalar_addcarryx_u32(x224, x177, x208); + let mut x227: u32 = 0; + let mut x228: fiat_bign256_scalar_u1 = 0; + let (x227, x228) = fiat_bign256_scalar_addcarryx_u32(x226, x179, x210); + let mut x229: u32 = 0; + let mut x230: fiat_bign256_scalar_u1 = 0; + let (x229, x230) = fiat_bign256_scalar_addcarryx_u32(x228, x181, x212); + let mut x231: u32 = 0; + let mut x232: fiat_bign256_scalar_u1 = 0; + let (x231, x232) = fiat_bign256_scalar_addcarryx_u32(x230, x183, x214); + let mut x233: u32 = 0; + let mut x234: fiat_bign256_scalar_u1 = 0; + let (x233, x234) = fiat_bign256_scalar_addcarryx_u32(x232, x185, x216); + let mut x235: u32 = 0; + let mut x236: fiat_bign256_scalar_u1 = 0; + let (x235, x236) = fiat_bign256_scalar_addcarryx_u32(x234, x187, x218); + let mut x237: u32 = 0; + let mut x238: fiat_bign256_scalar_u1 = 0; + let (x237, x238) = fiat_bign256_scalar_addcarryx_u32(x236, x189, x220); + let mut x239: u32 = 0; + let mut x240: fiat_bign256_scalar_u1 = 0; + let (x239, x240) = fiat_bign256_scalar_addcarryx_u32(x238, x191, x222); + let mut x241: u32 = 0; + let mut x242: u32 = 0; + let (x241, x242) = fiat_bign256_scalar_mulx_u32(x223, 0x858d849); + let mut x243: u32 = 0; + let mut x244: u32 = 0; + let (x243, x244) = fiat_bign256_scalar_mulx_u32(x241, 0xffffffff); + let mut x245: u32 = 0; + let mut x246: u32 = 0; + let (x245, x246) = fiat_bign256_scalar_mulx_u32(x241, 0xffffffff); + let mut x247: u32 = 0; + let mut x248: u32 = 0; + let (x247, x248) = fiat_bign256_scalar_mulx_u32(x241, 0xffffffff); + let mut x249: u32 = 0; + let mut x250: u32 = 0; + let (x249, x250) = fiat_bign256_scalar_mulx_u32(x241, 0xffffffff); + let mut x251: u32 = 0; + let mut x252: u32 = 0; + let (x251, x252) = fiat_bign256_scalar_mulx_u32(x241, 0xd95c8ed6); + let mut x253: u32 = 0; + let mut x254: u32 = 0; + let (x253, x254) = fiat_bign256_scalar_mulx_u32(x241, 0xdfb4dfc); + let mut x255: u32 = 0; + let mut x256: u32 = 0; + let (x255, x256) = fiat_bign256_scalar_mulx_u32(x241, 0x7e5abf99); + let mut x257: u32 = 0; + let mut x258: u32 = 0; + let (x257, x258) = fiat_bign256_scalar_mulx_u32(x241, 0x263d6607); + let mut x259: u32 = 0; + let mut x260: fiat_bign256_scalar_u1 = 0; + let (x259, x260) = fiat_bign256_scalar_addcarryx_u32(0x0, x258, x255); + let mut x261: u32 = 0; + let mut x262: fiat_bign256_scalar_u1 = 0; + let (x261, x262) = fiat_bign256_scalar_addcarryx_u32(x260, x256, x253); + let mut x263: u32 = 0; + let mut x264: fiat_bign256_scalar_u1 = 0; + let (x263, x264) = fiat_bign256_scalar_addcarryx_u32(x262, x254, x251); + let mut x265: u32 = 0; + let mut x266: fiat_bign256_scalar_u1 = 0; + let (x265, x266) = fiat_bign256_scalar_addcarryx_u32(x264, x252, x249); + let mut x267: u32 = 0; + let mut x268: fiat_bign256_scalar_u1 = 0; + let (x267, x268) = fiat_bign256_scalar_addcarryx_u32(x266, x250, x247); + let mut x269: u32 = 0; + let mut x270: fiat_bign256_scalar_u1 = 0; + let (x269, x270) = fiat_bign256_scalar_addcarryx_u32(x268, x248, x245); + let mut x271: u32 = 0; + let mut x272: fiat_bign256_scalar_u1 = 0; + let (x271, x272) = fiat_bign256_scalar_addcarryx_u32(x270, x246, x243); + let x273: u32 = ((x272 as u32) + x244); + let mut x274: u32 = 0; + let mut x275: fiat_bign256_scalar_u1 = 0; + let (x274, x275) = fiat_bign256_scalar_addcarryx_u32(0x0, x223, x257); + let mut x276: u32 = 0; + let mut x277: fiat_bign256_scalar_u1 = 0; + let (x276, x277) = fiat_bign256_scalar_addcarryx_u32(x275, x225, x259); + let mut x278: u32 = 0; + let mut x279: fiat_bign256_scalar_u1 = 0; + let (x278, x279) = fiat_bign256_scalar_addcarryx_u32(x277, x227, x261); + let mut x280: u32 = 0; + let mut x281: fiat_bign256_scalar_u1 = 0; + let (x280, x281) = fiat_bign256_scalar_addcarryx_u32(x279, x229, x263); + let mut x282: u32 = 0; + let mut x283: fiat_bign256_scalar_u1 = 0; + let (x282, x283) = fiat_bign256_scalar_addcarryx_u32(x281, x231, x265); + let mut x284: u32 = 0; + let mut x285: fiat_bign256_scalar_u1 = 0; + let (x284, x285) = fiat_bign256_scalar_addcarryx_u32(x283, x233, x267); + let mut x286: u32 = 0; + let mut x287: fiat_bign256_scalar_u1 = 0; + let (x286, x287) = fiat_bign256_scalar_addcarryx_u32(x285, x235, x269); + let mut x288: u32 = 0; + let mut x289: fiat_bign256_scalar_u1 = 0; + let (x288, x289) = fiat_bign256_scalar_addcarryx_u32(x287, x237, x271); + let mut x290: u32 = 0; + let mut x291: fiat_bign256_scalar_u1 = 0; + let (x290, x291) = fiat_bign256_scalar_addcarryx_u32(x289, x239, x273); + let x292: u32 = ((x291 as u32) + (x240 as u32)); + let mut x293: u32 = 0; + let mut x294: u32 = 0; + let (x293, x294) = fiat_bign256_scalar_mulx_u32(x3, (arg1[7])); + let mut x295: u32 = 0; + let mut x296: u32 = 0; + let (x295, x296) = fiat_bign256_scalar_mulx_u32(x3, (arg1[6])); + let mut x297: u32 = 0; + let mut x298: u32 = 0; + let (x297, x298) = fiat_bign256_scalar_mulx_u32(x3, (arg1[5])); + let mut x299: u32 = 0; + let mut x300: u32 = 0; + let (x299, x300) = fiat_bign256_scalar_mulx_u32(x3, (arg1[4])); + let mut x301: u32 = 0; + let mut x302: u32 = 0; + let (x301, x302) = fiat_bign256_scalar_mulx_u32(x3, (arg1[3])); + let mut x303: u32 = 0; + let mut x304: u32 = 0; + let (x303, x304) = fiat_bign256_scalar_mulx_u32(x3, (arg1[2])); + let mut x305: u32 = 0; + let mut x306: u32 = 0; + let (x305, x306) = fiat_bign256_scalar_mulx_u32(x3, (arg1[1])); + let mut x307: u32 = 0; + let mut x308: u32 = 0; + let (x307, x308) = fiat_bign256_scalar_mulx_u32(x3, (arg1[0])); + let mut x309: u32 = 0; + let mut x310: fiat_bign256_scalar_u1 = 0; + let (x309, x310) = fiat_bign256_scalar_addcarryx_u32(0x0, x308, x305); + let mut x311: u32 = 0; + let mut x312: fiat_bign256_scalar_u1 = 0; + let (x311, x312) = fiat_bign256_scalar_addcarryx_u32(x310, x306, x303); + let mut x313: u32 = 0; + let mut x314: fiat_bign256_scalar_u1 = 0; + let (x313, x314) = fiat_bign256_scalar_addcarryx_u32(x312, x304, x301); + let mut x315: u32 = 0; + let mut x316: fiat_bign256_scalar_u1 = 0; + let (x315, x316) = fiat_bign256_scalar_addcarryx_u32(x314, x302, x299); + let mut x317: u32 = 0; + let mut x318: fiat_bign256_scalar_u1 = 0; + let (x317, x318) = fiat_bign256_scalar_addcarryx_u32(x316, x300, x297); + let mut x319: u32 = 0; + let mut x320: fiat_bign256_scalar_u1 = 0; + let (x319, x320) = fiat_bign256_scalar_addcarryx_u32(x318, x298, x295); + let mut x321: u32 = 0; + let mut x322: fiat_bign256_scalar_u1 = 0; + let (x321, x322) = fiat_bign256_scalar_addcarryx_u32(x320, x296, x293); + let x323: u32 = ((x322 as u32) + x294); + let mut x324: u32 = 0; + let mut x325: fiat_bign256_scalar_u1 = 0; + let (x324, x325) = fiat_bign256_scalar_addcarryx_u32(0x0, x276, x307); + let mut x326: u32 = 0; + let mut x327: fiat_bign256_scalar_u1 = 0; + let (x326, x327) = fiat_bign256_scalar_addcarryx_u32(x325, x278, x309); + let mut x328: u32 = 0; + let mut x329: fiat_bign256_scalar_u1 = 0; + let (x328, x329) = fiat_bign256_scalar_addcarryx_u32(x327, x280, x311); + let mut x330: u32 = 0; + let mut x331: fiat_bign256_scalar_u1 = 0; + let (x330, x331) = fiat_bign256_scalar_addcarryx_u32(x329, x282, x313); + let mut x332: u32 = 0; + let mut x333: fiat_bign256_scalar_u1 = 0; + let (x332, x333) = fiat_bign256_scalar_addcarryx_u32(x331, x284, x315); + let mut x334: u32 = 0; + let mut x335: fiat_bign256_scalar_u1 = 0; + let (x334, x335) = fiat_bign256_scalar_addcarryx_u32(x333, x286, x317); + let mut x336: u32 = 0; + let mut x337: fiat_bign256_scalar_u1 = 0; + let (x336, x337) = fiat_bign256_scalar_addcarryx_u32(x335, x288, x319); + let mut x338: u32 = 0; + let mut x339: fiat_bign256_scalar_u1 = 0; + let (x338, x339) = fiat_bign256_scalar_addcarryx_u32(x337, x290, x321); + let mut x340: u32 = 0; + let mut x341: fiat_bign256_scalar_u1 = 0; + let (x340, x341) = fiat_bign256_scalar_addcarryx_u32(x339, x292, x323); + let mut x342: u32 = 0; + let mut x343: u32 = 0; + let (x342, x343) = fiat_bign256_scalar_mulx_u32(x324, 0x858d849); + let mut x344: u32 = 0; + let mut x345: u32 = 0; + let (x344, x345) = fiat_bign256_scalar_mulx_u32(x342, 0xffffffff); + let mut x346: u32 = 0; + let mut x347: u32 = 0; + let (x346, x347) = fiat_bign256_scalar_mulx_u32(x342, 0xffffffff); + let mut x348: u32 = 0; + let mut x349: u32 = 0; + let (x348, x349) = fiat_bign256_scalar_mulx_u32(x342, 0xffffffff); + let mut x350: u32 = 0; + let mut x351: u32 = 0; + let (x350, x351) = fiat_bign256_scalar_mulx_u32(x342, 0xffffffff); + let mut x352: u32 = 0; + let mut x353: u32 = 0; + let (x352, x353) = fiat_bign256_scalar_mulx_u32(x342, 0xd95c8ed6); + let mut x354: u32 = 0; + let mut x355: u32 = 0; + let (x354, x355) = fiat_bign256_scalar_mulx_u32(x342, 0xdfb4dfc); + let mut x356: u32 = 0; + let mut x357: u32 = 0; + let (x356, x357) = fiat_bign256_scalar_mulx_u32(x342, 0x7e5abf99); + let mut x358: u32 = 0; + let mut x359: u32 = 0; + let (x358, x359) = fiat_bign256_scalar_mulx_u32(x342, 0x263d6607); + let mut x360: u32 = 0; + let mut x361: fiat_bign256_scalar_u1 = 0; + let (x360, x361) = fiat_bign256_scalar_addcarryx_u32(0x0, x359, x356); + let mut x362: u32 = 0; + let mut x363: fiat_bign256_scalar_u1 = 0; + let (x362, x363) = fiat_bign256_scalar_addcarryx_u32(x361, x357, x354); + let mut x364: u32 = 0; + let mut x365: fiat_bign256_scalar_u1 = 0; + let (x364, x365) = fiat_bign256_scalar_addcarryx_u32(x363, x355, x352); + let mut x366: u32 = 0; + let mut x367: fiat_bign256_scalar_u1 = 0; + let (x366, x367) = fiat_bign256_scalar_addcarryx_u32(x365, x353, x350); + let mut x368: u32 = 0; + let mut x369: fiat_bign256_scalar_u1 = 0; + let (x368, x369) = fiat_bign256_scalar_addcarryx_u32(x367, x351, x348); + let mut x370: u32 = 0; + let mut x371: fiat_bign256_scalar_u1 = 0; + let (x370, x371) = fiat_bign256_scalar_addcarryx_u32(x369, x349, x346); + let mut x372: u32 = 0; + let mut x373: fiat_bign256_scalar_u1 = 0; + let (x372, x373) = fiat_bign256_scalar_addcarryx_u32(x371, x347, x344); + let x374: u32 = ((x373 as u32) + x345); + let mut x375: u32 = 0; + let mut x376: fiat_bign256_scalar_u1 = 0; + let (x375, x376) = fiat_bign256_scalar_addcarryx_u32(0x0, x324, x358); + let mut x377: u32 = 0; + let mut x378: fiat_bign256_scalar_u1 = 0; + let (x377, x378) = fiat_bign256_scalar_addcarryx_u32(x376, x326, x360); + let mut x379: u32 = 0; + let mut x380: fiat_bign256_scalar_u1 = 0; + let (x379, x380) = fiat_bign256_scalar_addcarryx_u32(x378, x328, x362); + let mut x381: u32 = 0; + let mut x382: fiat_bign256_scalar_u1 = 0; + let (x381, x382) = fiat_bign256_scalar_addcarryx_u32(x380, x330, x364); + let mut x383: u32 = 0; + let mut x384: fiat_bign256_scalar_u1 = 0; + let (x383, x384) = fiat_bign256_scalar_addcarryx_u32(x382, x332, x366); + let mut x385: u32 = 0; + let mut x386: fiat_bign256_scalar_u1 = 0; + let (x385, x386) = fiat_bign256_scalar_addcarryx_u32(x384, x334, x368); + let mut x387: u32 = 0; + let mut x388: fiat_bign256_scalar_u1 = 0; + let (x387, x388) = fiat_bign256_scalar_addcarryx_u32(x386, x336, x370); + let mut x389: u32 = 0; + let mut x390: fiat_bign256_scalar_u1 = 0; + let (x389, x390) = fiat_bign256_scalar_addcarryx_u32(x388, x338, x372); + let mut x391: u32 = 0; + let mut x392: fiat_bign256_scalar_u1 = 0; + let (x391, x392) = fiat_bign256_scalar_addcarryx_u32(x390, x340, x374); + let x393: u32 = ((x392 as u32) + (x341 as u32)); + let mut x394: u32 = 0; + let mut x395: u32 = 0; + let (x394, x395) = fiat_bign256_scalar_mulx_u32(x4, (arg1[7])); + let mut x396: u32 = 0; + let mut x397: u32 = 0; + let (x396, x397) = fiat_bign256_scalar_mulx_u32(x4, (arg1[6])); + let mut x398: u32 = 0; + let mut x399: u32 = 0; + let (x398, x399) = fiat_bign256_scalar_mulx_u32(x4, (arg1[5])); + let mut x400: u32 = 0; + let mut x401: u32 = 0; + let (x400, x401) = fiat_bign256_scalar_mulx_u32(x4, (arg1[4])); + let mut x402: u32 = 0; + let mut x403: u32 = 0; + let (x402, x403) = fiat_bign256_scalar_mulx_u32(x4, (arg1[3])); + let mut x404: u32 = 0; + let mut x405: u32 = 0; + let (x404, x405) = fiat_bign256_scalar_mulx_u32(x4, (arg1[2])); + let mut x406: u32 = 0; + let mut x407: u32 = 0; + let (x406, x407) = fiat_bign256_scalar_mulx_u32(x4, (arg1[1])); + let mut x408: u32 = 0; + let mut x409: u32 = 0; + let (x408, x409) = fiat_bign256_scalar_mulx_u32(x4, (arg1[0])); + let mut x410: u32 = 0; + let mut x411: fiat_bign256_scalar_u1 = 0; + let (x410, x411) = fiat_bign256_scalar_addcarryx_u32(0x0, x409, x406); + let mut x412: u32 = 0; + let mut x413: fiat_bign256_scalar_u1 = 0; + let (x412, x413) = fiat_bign256_scalar_addcarryx_u32(x411, x407, x404); + let mut x414: u32 = 0; + let mut x415: fiat_bign256_scalar_u1 = 0; + let (x414, x415) = fiat_bign256_scalar_addcarryx_u32(x413, x405, x402); + let mut x416: u32 = 0; + let mut x417: fiat_bign256_scalar_u1 = 0; + let (x416, x417) = fiat_bign256_scalar_addcarryx_u32(x415, x403, x400); + let mut x418: u32 = 0; + let mut x419: fiat_bign256_scalar_u1 = 0; + let (x418, x419) = fiat_bign256_scalar_addcarryx_u32(x417, x401, x398); + let mut x420: u32 = 0; + let mut x421: fiat_bign256_scalar_u1 = 0; + let (x420, x421) = fiat_bign256_scalar_addcarryx_u32(x419, x399, x396); + let mut x422: u32 = 0; + let mut x423: fiat_bign256_scalar_u1 = 0; + let (x422, x423) = fiat_bign256_scalar_addcarryx_u32(x421, x397, x394); + let x424: u32 = ((x423 as u32) + x395); + let mut x425: u32 = 0; + let mut x426: fiat_bign256_scalar_u1 = 0; + let (x425, x426) = fiat_bign256_scalar_addcarryx_u32(0x0, x377, x408); + let mut x427: u32 = 0; + let mut x428: fiat_bign256_scalar_u1 = 0; + let (x427, x428) = fiat_bign256_scalar_addcarryx_u32(x426, x379, x410); + let mut x429: u32 = 0; + let mut x430: fiat_bign256_scalar_u1 = 0; + let (x429, x430) = fiat_bign256_scalar_addcarryx_u32(x428, x381, x412); + let mut x431: u32 = 0; + let mut x432: fiat_bign256_scalar_u1 = 0; + let (x431, x432) = fiat_bign256_scalar_addcarryx_u32(x430, x383, x414); + let mut x433: u32 = 0; + let mut x434: fiat_bign256_scalar_u1 = 0; + let (x433, x434) = fiat_bign256_scalar_addcarryx_u32(x432, x385, x416); + let mut x435: u32 = 0; + let mut x436: fiat_bign256_scalar_u1 = 0; + let (x435, x436) = fiat_bign256_scalar_addcarryx_u32(x434, x387, x418); + let mut x437: u32 = 0; + let mut x438: fiat_bign256_scalar_u1 = 0; + let (x437, x438) = fiat_bign256_scalar_addcarryx_u32(x436, x389, x420); + let mut x439: u32 = 0; + let mut x440: fiat_bign256_scalar_u1 = 0; + let (x439, x440) = fiat_bign256_scalar_addcarryx_u32(x438, x391, x422); + let mut x441: u32 = 0; + let mut x442: fiat_bign256_scalar_u1 = 0; + let (x441, x442) = fiat_bign256_scalar_addcarryx_u32(x440, x393, x424); + let mut x443: u32 = 0; + let mut x444: u32 = 0; + let (x443, x444) = fiat_bign256_scalar_mulx_u32(x425, 0x858d849); + let mut x445: u32 = 0; + let mut x446: u32 = 0; + let (x445, x446) = fiat_bign256_scalar_mulx_u32(x443, 0xffffffff); + let mut x447: u32 = 0; + let mut x448: u32 = 0; + let (x447, x448) = fiat_bign256_scalar_mulx_u32(x443, 0xffffffff); + let mut x449: u32 = 0; + let mut x450: u32 = 0; + let (x449, x450) = fiat_bign256_scalar_mulx_u32(x443, 0xffffffff); + let mut x451: u32 = 0; + let mut x452: u32 = 0; + let (x451, x452) = fiat_bign256_scalar_mulx_u32(x443, 0xffffffff); + let mut x453: u32 = 0; + let mut x454: u32 = 0; + let (x453, x454) = fiat_bign256_scalar_mulx_u32(x443, 0xd95c8ed6); + let mut x455: u32 = 0; + let mut x456: u32 = 0; + let (x455, x456) = fiat_bign256_scalar_mulx_u32(x443, 0xdfb4dfc); + let mut x457: u32 = 0; + let mut x458: u32 = 0; + let (x457, x458) = fiat_bign256_scalar_mulx_u32(x443, 0x7e5abf99); + let mut x459: u32 = 0; + let mut x460: u32 = 0; + let (x459, x460) = fiat_bign256_scalar_mulx_u32(x443, 0x263d6607); + let mut x461: u32 = 0; + let mut x462: fiat_bign256_scalar_u1 = 0; + let (x461, x462) = fiat_bign256_scalar_addcarryx_u32(0x0, x460, x457); + let mut x463: u32 = 0; + let mut x464: fiat_bign256_scalar_u1 = 0; + let (x463, x464) = fiat_bign256_scalar_addcarryx_u32(x462, x458, x455); + let mut x465: u32 = 0; + let mut x466: fiat_bign256_scalar_u1 = 0; + let (x465, x466) = fiat_bign256_scalar_addcarryx_u32(x464, x456, x453); + let mut x467: u32 = 0; + let mut x468: fiat_bign256_scalar_u1 = 0; + let (x467, x468) = fiat_bign256_scalar_addcarryx_u32(x466, x454, x451); + let mut x469: u32 = 0; + let mut x470: fiat_bign256_scalar_u1 = 0; + let (x469, x470) = fiat_bign256_scalar_addcarryx_u32(x468, x452, x449); + let mut x471: u32 = 0; + let mut x472: fiat_bign256_scalar_u1 = 0; + let (x471, x472) = fiat_bign256_scalar_addcarryx_u32(x470, x450, x447); + let mut x473: u32 = 0; + let mut x474: fiat_bign256_scalar_u1 = 0; + let (x473, x474) = fiat_bign256_scalar_addcarryx_u32(x472, x448, x445); + let x475: u32 = ((x474 as u32) + x446); + let mut x476: u32 = 0; + let mut x477: fiat_bign256_scalar_u1 = 0; + let (x476, x477) = fiat_bign256_scalar_addcarryx_u32(0x0, x425, x459); + let mut x478: u32 = 0; + let mut x479: fiat_bign256_scalar_u1 = 0; + let (x478, x479) = fiat_bign256_scalar_addcarryx_u32(x477, x427, x461); + let mut x480: u32 = 0; + let mut x481: fiat_bign256_scalar_u1 = 0; + let (x480, x481) = fiat_bign256_scalar_addcarryx_u32(x479, x429, x463); + let mut x482: u32 = 0; + let mut x483: fiat_bign256_scalar_u1 = 0; + let (x482, x483) = fiat_bign256_scalar_addcarryx_u32(x481, x431, x465); + let mut x484: u32 = 0; + let mut x485: fiat_bign256_scalar_u1 = 0; + let (x484, x485) = fiat_bign256_scalar_addcarryx_u32(x483, x433, x467); + let mut x486: u32 = 0; + let mut x487: fiat_bign256_scalar_u1 = 0; + let (x486, x487) = fiat_bign256_scalar_addcarryx_u32(x485, x435, x469); + let mut x488: u32 = 0; + let mut x489: fiat_bign256_scalar_u1 = 0; + let (x488, x489) = fiat_bign256_scalar_addcarryx_u32(x487, x437, x471); + let mut x490: u32 = 0; + let mut x491: fiat_bign256_scalar_u1 = 0; + let (x490, x491) = fiat_bign256_scalar_addcarryx_u32(x489, x439, x473); + let mut x492: u32 = 0; + let mut x493: fiat_bign256_scalar_u1 = 0; + let (x492, x493) = fiat_bign256_scalar_addcarryx_u32(x491, x441, x475); + let x494: u32 = ((x493 as u32) + (x442 as u32)); + let mut x495: u32 = 0; + let mut x496: u32 = 0; + let (x495, x496) = fiat_bign256_scalar_mulx_u32(x5, (arg1[7])); + let mut x497: u32 = 0; + let mut x498: u32 = 0; + let (x497, x498) = fiat_bign256_scalar_mulx_u32(x5, (arg1[6])); + let mut x499: u32 = 0; + let mut x500: u32 = 0; + let (x499, x500) = fiat_bign256_scalar_mulx_u32(x5, (arg1[5])); + let mut x501: u32 = 0; + let mut x502: u32 = 0; + let (x501, x502) = fiat_bign256_scalar_mulx_u32(x5, (arg1[4])); + let mut x503: u32 = 0; + let mut x504: u32 = 0; + let (x503, x504) = fiat_bign256_scalar_mulx_u32(x5, (arg1[3])); + let mut x505: u32 = 0; + let mut x506: u32 = 0; + let (x505, x506) = fiat_bign256_scalar_mulx_u32(x5, (arg1[2])); + let mut x507: u32 = 0; + let mut x508: u32 = 0; + let (x507, x508) = fiat_bign256_scalar_mulx_u32(x5, (arg1[1])); + let mut x509: u32 = 0; + let mut x510: u32 = 0; + let (x509, x510) = fiat_bign256_scalar_mulx_u32(x5, (arg1[0])); + let mut x511: u32 = 0; + let mut x512: fiat_bign256_scalar_u1 = 0; + let (x511, x512) = fiat_bign256_scalar_addcarryx_u32(0x0, x510, x507); + let mut x513: u32 = 0; + let mut x514: fiat_bign256_scalar_u1 = 0; + let (x513, x514) = fiat_bign256_scalar_addcarryx_u32(x512, x508, x505); + let mut x515: u32 = 0; + let mut x516: fiat_bign256_scalar_u1 = 0; + let (x515, x516) = fiat_bign256_scalar_addcarryx_u32(x514, x506, x503); + let mut x517: u32 = 0; + let mut x518: fiat_bign256_scalar_u1 = 0; + let (x517, x518) = fiat_bign256_scalar_addcarryx_u32(x516, x504, x501); + let mut x519: u32 = 0; + let mut x520: fiat_bign256_scalar_u1 = 0; + let (x519, x520) = fiat_bign256_scalar_addcarryx_u32(x518, x502, x499); + let mut x521: u32 = 0; + let mut x522: fiat_bign256_scalar_u1 = 0; + let (x521, x522) = fiat_bign256_scalar_addcarryx_u32(x520, x500, x497); + let mut x523: u32 = 0; + let mut x524: fiat_bign256_scalar_u1 = 0; + let (x523, x524) = fiat_bign256_scalar_addcarryx_u32(x522, x498, x495); + let x525: u32 = ((x524 as u32) + x496); + let mut x526: u32 = 0; + let mut x527: fiat_bign256_scalar_u1 = 0; + let (x526, x527) = fiat_bign256_scalar_addcarryx_u32(0x0, x478, x509); + let mut x528: u32 = 0; + let mut x529: fiat_bign256_scalar_u1 = 0; + let (x528, x529) = fiat_bign256_scalar_addcarryx_u32(x527, x480, x511); + let mut x530: u32 = 0; + let mut x531: fiat_bign256_scalar_u1 = 0; + let (x530, x531) = fiat_bign256_scalar_addcarryx_u32(x529, x482, x513); + let mut x532: u32 = 0; + let mut x533: fiat_bign256_scalar_u1 = 0; + let (x532, x533) = fiat_bign256_scalar_addcarryx_u32(x531, x484, x515); + let mut x534: u32 = 0; + let mut x535: fiat_bign256_scalar_u1 = 0; + let (x534, x535) = fiat_bign256_scalar_addcarryx_u32(x533, x486, x517); + let mut x536: u32 = 0; + let mut x537: fiat_bign256_scalar_u1 = 0; + let (x536, x537) = fiat_bign256_scalar_addcarryx_u32(x535, x488, x519); + let mut x538: u32 = 0; + let mut x539: fiat_bign256_scalar_u1 = 0; + let (x538, x539) = fiat_bign256_scalar_addcarryx_u32(x537, x490, x521); + let mut x540: u32 = 0; + let mut x541: fiat_bign256_scalar_u1 = 0; + let (x540, x541) = fiat_bign256_scalar_addcarryx_u32(x539, x492, x523); + let mut x542: u32 = 0; + let mut x543: fiat_bign256_scalar_u1 = 0; + let (x542, x543) = fiat_bign256_scalar_addcarryx_u32(x541, x494, x525); + let mut x544: u32 = 0; + let mut x545: u32 = 0; + let (x544, x545) = fiat_bign256_scalar_mulx_u32(x526, 0x858d849); + let mut x546: u32 = 0; + let mut x547: u32 = 0; + let (x546, x547) = fiat_bign256_scalar_mulx_u32(x544, 0xffffffff); + let mut x548: u32 = 0; + let mut x549: u32 = 0; + let (x548, x549) = fiat_bign256_scalar_mulx_u32(x544, 0xffffffff); + let mut x550: u32 = 0; + let mut x551: u32 = 0; + let (x550, x551) = fiat_bign256_scalar_mulx_u32(x544, 0xffffffff); + let mut x552: u32 = 0; + let mut x553: u32 = 0; + let (x552, x553) = fiat_bign256_scalar_mulx_u32(x544, 0xffffffff); + let mut x554: u32 = 0; + let mut x555: u32 = 0; + let (x554, x555) = fiat_bign256_scalar_mulx_u32(x544, 0xd95c8ed6); + let mut x556: u32 = 0; + let mut x557: u32 = 0; + let (x556, x557) = fiat_bign256_scalar_mulx_u32(x544, 0xdfb4dfc); + let mut x558: u32 = 0; + let mut x559: u32 = 0; + let (x558, x559) = fiat_bign256_scalar_mulx_u32(x544, 0x7e5abf99); + let mut x560: u32 = 0; + let mut x561: u32 = 0; + let (x560, x561) = fiat_bign256_scalar_mulx_u32(x544, 0x263d6607); + let mut x562: u32 = 0; + let mut x563: fiat_bign256_scalar_u1 = 0; + let (x562, x563) = fiat_bign256_scalar_addcarryx_u32(0x0, x561, x558); + let mut x564: u32 = 0; + let mut x565: fiat_bign256_scalar_u1 = 0; + let (x564, x565) = fiat_bign256_scalar_addcarryx_u32(x563, x559, x556); + let mut x566: u32 = 0; + let mut x567: fiat_bign256_scalar_u1 = 0; + let (x566, x567) = fiat_bign256_scalar_addcarryx_u32(x565, x557, x554); + let mut x568: u32 = 0; + let mut x569: fiat_bign256_scalar_u1 = 0; + let (x568, x569) = fiat_bign256_scalar_addcarryx_u32(x567, x555, x552); + let mut x570: u32 = 0; + let mut x571: fiat_bign256_scalar_u1 = 0; + let (x570, x571) = fiat_bign256_scalar_addcarryx_u32(x569, x553, x550); + let mut x572: u32 = 0; + let mut x573: fiat_bign256_scalar_u1 = 0; + let (x572, x573) = fiat_bign256_scalar_addcarryx_u32(x571, x551, x548); + let mut x574: u32 = 0; + let mut x575: fiat_bign256_scalar_u1 = 0; + let (x574, x575) = fiat_bign256_scalar_addcarryx_u32(x573, x549, x546); + let x576: u32 = ((x575 as u32) + x547); + let mut x577: u32 = 0; + let mut x578: fiat_bign256_scalar_u1 = 0; + let (x577, x578) = fiat_bign256_scalar_addcarryx_u32(0x0, x526, x560); + let mut x579: u32 = 0; + let mut x580: fiat_bign256_scalar_u1 = 0; + let (x579, x580) = fiat_bign256_scalar_addcarryx_u32(x578, x528, x562); + let mut x581: u32 = 0; + let mut x582: fiat_bign256_scalar_u1 = 0; + let (x581, x582) = fiat_bign256_scalar_addcarryx_u32(x580, x530, x564); + let mut x583: u32 = 0; + let mut x584: fiat_bign256_scalar_u1 = 0; + let (x583, x584) = fiat_bign256_scalar_addcarryx_u32(x582, x532, x566); + let mut x585: u32 = 0; + let mut x586: fiat_bign256_scalar_u1 = 0; + let (x585, x586) = fiat_bign256_scalar_addcarryx_u32(x584, x534, x568); + let mut x587: u32 = 0; + let mut x588: fiat_bign256_scalar_u1 = 0; + let (x587, x588) = fiat_bign256_scalar_addcarryx_u32(x586, x536, x570); + let mut x589: u32 = 0; + let mut x590: fiat_bign256_scalar_u1 = 0; + let (x589, x590) = fiat_bign256_scalar_addcarryx_u32(x588, x538, x572); + let mut x591: u32 = 0; + let mut x592: fiat_bign256_scalar_u1 = 0; + let (x591, x592) = fiat_bign256_scalar_addcarryx_u32(x590, x540, x574); + let mut x593: u32 = 0; + let mut x594: fiat_bign256_scalar_u1 = 0; + let (x593, x594) = fiat_bign256_scalar_addcarryx_u32(x592, x542, x576); + let x595: u32 = ((x594 as u32) + (x543 as u32)); + let mut x596: u32 = 0; + let mut x597: u32 = 0; + let (x596, x597) = fiat_bign256_scalar_mulx_u32(x6, (arg1[7])); + let mut x598: u32 = 0; + let mut x599: u32 = 0; + let (x598, x599) = fiat_bign256_scalar_mulx_u32(x6, (arg1[6])); + let mut x600: u32 = 0; + let mut x601: u32 = 0; + let (x600, x601) = fiat_bign256_scalar_mulx_u32(x6, (arg1[5])); + let mut x602: u32 = 0; + let mut x603: u32 = 0; + let (x602, x603) = fiat_bign256_scalar_mulx_u32(x6, (arg1[4])); + let mut x604: u32 = 0; + let mut x605: u32 = 0; + let (x604, x605) = fiat_bign256_scalar_mulx_u32(x6, (arg1[3])); + let mut x606: u32 = 0; + let mut x607: u32 = 0; + let (x606, x607) = fiat_bign256_scalar_mulx_u32(x6, (arg1[2])); + let mut x608: u32 = 0; + let mut x609: u32 = 0; + let (x608, x609) = fiat_bign256_scalar_mulx_u32(x6, (arg1[1])); + let mut x610: u32 = 0; + let mut x611: u32 = 0; + let (x610, x611) = fiat_bign256_scalar_mulx_u32(x6, (arg1[0])); + let mut x612: u32 = 0; + let mut x613: fiat_bign256_scalar_u1 = 0; + let (x612, x613) = fiat_bign256_scalar_addcarryx_u32(0x0, x611, x608); + let mut x614: u32 = 0; + let mut x615: fiat_bign256_scalar_u1 = 0; + let (x614, x615) = fiat_bign256_scalar_addcarryx_u32(x613, x609, x606); + let mut x616: u32 = 0; + let mut x617: fiat_bign256_scalar_u1 = 0; + let (x616, x617) = fiat_bign256_scalar_addcarryx_u32(x615, x607, x604); + let mut x618: u32 = 0; + let mut x619: fiat_bign256_scalar_u1 = 0; + let (x618, x619) = fiat_bign256_scalar_addcarryx_u32(x617, x605, x602); + let mut x620: u32 = 0; + let mut x621: fiat_bign256_scalar_u1 = 0; + let (x620, x621) = fiat_bign256_scalar_addcarryx_u32(x619, x603, x600); + let mut x622: u32 = 0; + let mut x623: fiat_bign256_scalar_u1 = 0; + let (x622, x623) = fiat_bign256_scalar_addcarryx_u32(x621, x601, x598); + let mut x624: u32 = 0; + let mut x625: fiat_bign256_scalar_u1 = 0; + let (x624, x625) = fiat_bign256_scalar_addcarryx_u32(x623, x599, x596); + let x626: u32 = ((x625 as u32) + x597); + let mut x627: u32 = 0; + let mut x628: fiat_bign256_scalar_u1 = 0; + let (x627, x628) = fiat_bign256_scalar_addcarryx_u32(0x0, x579, x610); + let mut x629: u32 = 0; + let mut x630: fiat_bign256_scalar_u1 = 0; + let (x629, x630) = fiat_bign256_scalar_addcarryx_u32(x628, x581, x612); + let mut x631: u32 = 0; + let mut x632: fiat_bign256_scalar_u1 = 0; + let (x631, x632) = fiat_bign256_scalar_addcarryx_u32(x630, x583, x614); + let mut x633: u32 = 0; + let mut x634: fiat_bign256_scalar_u1 = 0; + let (x633, x634) = fiat_bign256_scalar_addcarryx_u32(x632, x585, x616); + let mut x635: u32 = 0; + let mut x636: fiat_bign256_scalar_u1 = 0; + let (x635, x636) = fiat_bign256_scalar_addcarryx_u32(x634, x587, x618); + let mut x637: u32 = 0; + let mut x638: fiat_bign256_scalar_u1 = 0; + let (x637, x638) = fiat_bign256_scalar_addcarryx_u32(x636, x589, x620); + let mut x639: u32 = 0; + let mut x640: fiat_bign256_scalar_u1 = 0; + let (x639, x640) = fiat_bign256_scalar_addcarryx_u32(x638, x591, x622); + let mut x641: u32 = 0; + let mut x642: fiat_bign256_scalar_u1 = 0; + let (x641, x642) = fiat_bign256_scalar_addcarryx_u32(x640, x593, x624); + let mut x643: u32 = 0; + let mut x644: fiat_bign256_scalar_u1 = 0; + let (x643, x644) = fiat_bign256_scalar_addcarryx_u32(x642, x595, x626); + let mut x645: u32 = 0; + let mut x646: u32 = 0; + let (x645, x646) = fiat_bign256_scalar_mulx_u32(x627, 0x858d849); + let mut x647: u32 = 0; + let mut x648: u32 = 0; + let (x647, x648) = fiat_bign256_scalar_mulx_u32(x645, 0xffffffff); + let mut x649: u32 = 0; + let mut x650: u32 = 0; + let (x649, x650) = fiat_bign256_scalar_mulx_u32(x645, 0xffffffff); + let mut x651: u32 = 0; + let mut x652: u32 = 0; + let (x651, x652) = fiat_bign256_scalar_mulx_u32(x645, 0xffffffff); + let mut x653: u32 = 0; + let mut x654: u32 = 0; + let (x653, x654) = fiat_bign256_scalar_mulx_u32(x645, 0xffffffff); + let mut x655: u32 = 0; + let mut x656: u32 = 0; + let (x655, x656) = fiat_bign256_scalar_mulx_u32(x645, 0xd95c8ed6); + let mut x657: u32 = 0; + let mut x658: u32 = 0; + let (x657, x658) = fiat_bign256_scalar_mulx_u32(x645, 0xdfb4dfc); + let mut x659: u32 = 0; + let mut x660: u32 = 0; + let (x659, x660) = fiat_bign256_scalar_mulx_u32(x645, 0x7e5abf99); + let mut x661: u32 = 0; + let mut x662: u32 = 0; + let (x661, x662) = fiat_bign256_scalar_mulx_u32(x645, 0x263d6607); + let mut x663: u32 = 0; + let mut x664: fiat_bign256_scalar_u1 = 0; + let (x663, x664) = fiat_bign256_scalar_addcarryx_u32(0x0, x662, x659); + let mut x665: u32 = 0; + let mut x666: fiat_bign256_scalar_u1 = 0; + let (x665, x666) = fiat_bign256_scalar_addcarryx_u32(x664, x660, x657); + let mut x667: u32 = 0; + let mut x668: fiat_bign256_scalar_u1 = 0; + let (x667, x668) = fiat_bign256_scalar_addcarryx_u32(x666, x658, x655); + let mut x669: u32 = 0; + let mut x670: fiat_bign256_scalar_u1 = 0; + let (x669, x670) = fiat_bign256_scalar_addcarryx_u32(x668, x656, x653); + let mut x671: u32 = 0; + let mut x672: fiat_bign256_scalar_u1 = 0; + let (x671, x672) = fiat_bign256_scalar_addcarryx_u32(x670, x654, x651); + let mut x673: u32 = 0; + let mut x674: fiat_bign256_scalar_u1 = 0; + let (x673, x674) = fiat_bign256_scalar_addcarryx_u32(x672, x652, x649); + let mut x675: u32 = 0; + let mut x676: fiat_bign256_scalar_u1 = 0; + let (x675, x676) = fiat_bign256_scalar_addcarryx_u32(x674, x650, x647); + let x677: u32 = ((x676 as u32) + x648); + let mut x678: u32 = 0; + let mut x679: fiat_bign256_scalar_u1 = 0; + let (x678, x679) = fiat_bign256_scalar_addcarryx_u32(0x0, x627, x661); + let mut x680: u32 = 0; + let mut x681: fiat_bign256_scalar_u1 = 0; + let (x680, x681) = fiat_bign256_scalar_addcarryx_u32(x679, x629, x663); + let mut x682: u32 = 0; + let mut x683: fiat_bign256_scalar_u1 = 0; + let (x682, x683) = fiat_bign256_scalar_addcarryx_u32(x681, x631, x665); + let mut x684: u32 = 0; + let mut x685: fiat_bign256_scalar_u1 = 0; + let (x684, x685) = fiat_bign256_scalar_addcarryx_u32(x683, x633, x667); + let mut x686: u32 = 0; + let mut x687: fiat_bign256_scalar_u1 = 0; + let (x686, x687) = fiat_bign256_scalar_addcarryx_u32(x685, x635, x669); + let mut x688: u32 = 0; + let mut x689: fiat_bign256_scalar_u1 = 0; + let (x688, x689) = fiat_bign256_scalar_addcarryx_u32(x687, x637, x671); + let mut x690: u32 = 0; + let mut x691: fiat_bign256_scalar_u1 = 0; + let (x690, x691) = fiat_bign256_scalar_addcarryx_u32(x689, x639, x673); + let mut x692: u32 = 0; + let mut x693: fiat_bign256_scalar_u1 = 0; + let (x692, x693) = fiat_bign256_scalar_addcarryx_u32(x691, x641, x675); + let mut x694: u32 = 0; + let mut x695: fiat_bign256_scalar_u1 = 0; + let (x694, x695) = fiat_bign256_scalar_addcarryx_u32(x693, x643, x677); + let x696: u32 = ((x695 as u32) + (x644 as u32)); + let mut x697: u32 = 0; + let mut x698: u32 = 0; + let (x697, x698) = fiat_bign256_scalar_mulx_u32(x7, (arg1[7])); + let mut x699: u32 = 0; + let mut x700: u32 = 0; + let (x699, x700) = fiat_bign256_scalar_mulx_u32(x7, (arg1[6])); + let mut x701: u32 = 0; + let mut x702: u32 = 0; + let (x701, x702) = fiat_bign256_scalar_mulx_u32(x7, (arg1[5])); + let mut x703: u32 = 0; + let mut x704: u32 = 0; + let (x703, x704) = fiat_bign256_scalar_mulx_u32(x7, (arg1[4])); + let mut x705: u32 = 0; + let mut x706: u32 = 0; + let (x705, x706) = fiat_bign256_scalar_mulx_u32(x7, (arg1[3])); + let mut x707: u32 = 0; + let mut x708: u32 = 0; + let (x707, x708) = fiat_bign256_scalar_mulx_u32(x7, (arg1[2])); + let mut x709: u32 = 0; + let mut x710: u32 = 0; + let (x709, x710) = fiat_bign256_scalar_mulx_u32(x7, (arg1[1])); + let mut x711: u32 = 0; + let mut x712: u32 = 0; + let (x711, x712) = fiat_bign256_scalar_mulx_u32(x7, (arg1[0])); + let mut x713: u32 = 0; + let mut x714: fiat_bign256_scalar_u1 = 0; + let (x713, x714) = fiat_bign256_scalar_addcarryx_u32(0x0, x712, x709); + let mut x715: u32 = 0; + let mut x716: fiat_bign256_scalar_u1 = 0; + let (x715, x716) = fiat_bign256_scalar_addcarryx_u32(x714, x710, x707); + let mut x717: u32 = 0; + let mut x718: fiat_bign256_scalar_u1 = 0; + let (x717, x718) = fiat_bign256_scalar_addcarryx_u32(x716, x708, x705); + let mut x719: u32 = 0; + let mut x720: fiat_bign256_scalar_u1 = 0; + let (x719, x720) = fiat_bign256_scalar_addcarryx_u32(x718, x706, x703); + let mut x721: u32 = 0; + let mut x722: fiat_bign256_scalar_u1 = 0; + let (x721, x722) = fiat_bign256_scalar_addcarryx_u32(x720, x704, x701); + let mut x723: u32 = 0; + let mut x724: fiat_bign256_scalar_u1 = 0; + let (x723, x724) = fiat_bign256_scalar_addcarryx_u32(x722, x702, x699); + let mut x725: u32 = 0; + let mut x726: fiat_bign256_scalar_u1 = 0; + let (x725, x726) = fiat_bign256_scalar_addcarryx_u32(x724, x700, x697); + let x727: u32 = ((x726 as u32) + x698); + let mut x728: u32 = 0; + let mut x729: fiat_bign256_scalar_u1 = 0; + let (x728, x729) = fiat_bign256_scalar_addcarryx_u32(0x0, x680, x711); + let mut x730: u32 = 0; + let mut x731: fiat_bign256_scalar_u1 = 0; + let (x730, x731) = fiat_bign256_scalar_addcarryx_u32(x729, x682, x713); + let mut x732: u32 = 0; + let mut x733: fiat_bign256_scalar_u1 = 0; + let (x732, x733) = fiat_bign256_scalar_addcarryx_u32(x731, x684, x715); + let mut x734: u32 = 0; + let mut x735: fiat_bign256_scalar_u1 = 0; + let (x734, x735) = fiat_bign256_scalar_addcarryx_u32(x733, x686, x717); + let mut x736: u32 = 0; + let mut x737: fiat_bign256_scalar_u1 = 0; + let (x736, x737) = fiat_bign256_scalar_addcarryx_u32(x735, x688, x719); + let mut x738: u32 = 0; + let mut x739: fiat_bign256_scalar_u1 = 0; + let (x738, x739) = fiat_bign256_scalar_addcarryx_u32(x737, x690, x721); + let mut x740: u32 = 0; + let mut x741: fiat_bign256_scalar_u1 = 0; + let (x740, x741) = fiat_bign256_scalar_addcarryx_u32(x739, x692, x723); + let mut x742: u32 = 0; + let mut x743: fiat_bign256_scalar_u1 = 0; + let (x742, x743) = fiat_bign256_scalar_addcarryx_u32(x741, x694, x725); + let mut x744: u32 = 0; + let mut x745: fiat_bign256_scalar_u1 = 0; + let (x744, x745) = fiat_bign256_scalar_addcarryx_u32(x743, x696, x727); + let mut x746: u32 = 0; + let mut x747: u32 = 0; + let (x746, x747) = fiat_bign256_scalar_mulx_u32(x728, 0x858d849); + let mut x748: u32 = 0; + let mut x749: u32 = 0; + let (x748, x749) = fiat_bign256_scalar_mulx_u32(x746, 0xffffffff); + let mut x750: u32 = 0; + let mut x751: u32 = 0; + let (x750, x751) = fiat_bign256_scalar_mulx_u32(x746, 0xffffffff); + let mut x752: u32 = 0; + let mut x753: u32 = 0; + let (x752, x753) = fiat_bign256_scalar_mulx_u32(x746, 0xffffffff); + let mut x754: u32 = 0; + let mut x755: u32 = 0; + let (x754, x755) = fiat_bign256_scalar_mulx_u32(x746, 0xffffffff); + let mut x756: u32 = 0; + let mut x757: u32 = 0; + let (x756, x757) = fiat_bign256_scalar_mulx_u32(x746, 0xd95c8ed6); + let mut x758: u32 = 0; + let mut x759: u32 = 0; + let (x758, x759) = fiat_bign256_scalar_mulx_u32(x746, 0xdfb4dfc); + let mut x760: u32 = 0; + let mut x761: u32 = 0; + let (x760, x761) = fiat_bign256_scalar_mulx_u32(x746, 0x7e5abf99); + let mut x762: u32 = 0; + let mut x763: u32 = 0; + let (x762, x763) = fiat_bign256_scalar_mulx_u32(x746, 0x263d6607); + let mut x764: u32 = 0; + let mut x765: fiat_bign256_scalar_u1 = 0; + let (x764, x765) = fiat_bign256_scalar_addcarryx_u32(0x0, x763, x760); + let mut x766: u32 = 0; + let mut x767: fiat_bign256_scalar_u1 = 0; + let (x766, x767) = fiat_bign256_scalar_addcarryx_u32(x765, x761, x758); + let mut x768: u32 = 0; + let mut x769: fiat_bign256_scalar_u1 = 0; + let (x768, x769) = fiat_bign256_scalar_addcarryx_u32(x767, x759, x756); + let mut x770: u32 = 0; + let mut x771: fiat_bign256_scalar_u1 = 0; + let (x770, x771) = fiat_bign256_scalar_addcarryx_u32(x769, x757, x754); + let mut x772: u32 = 0; + let mut x773: fiat_bign256_scalar_u1 = 0; + let (x772, x773) = fiat_bign256_scalar_addcarryx_u32(x771, x755, x752); + let mut x774: u32 = 0; + let mut x775: fiat_bign256_scalar_u1 = 0; + let (x774, x775) = fiat_bign256_scalar_addcarryx_u32(x773, x753, x750); + let mut x776: u32 = 0; + let mut x777: fiat_bign256_scalar_u1 = 0; + let (x776, x777) = fiat_bign256_scalar_addcarryx_u32(x775, x751, x748); + let x778: u32 = ((x777 as u32) + x749); + let mut x779: u32 = 0; + let mut x780: fiat_bign256_scalar_u1 = 0; + let (x779, x780) = fiat_bign256_scalar_addcarryx_u32(0x0, x728, x762); + let mut x781: u32 = 0; + let mut x782: fiat_bign256_scalar_u1 = 0; + let (x781, x782) = fiat_bign256_scalar_addcarryx_u32(x780, x730, x764); + let mut x783: u32 = 0; + let mut x784: fiat_bign256_scalar_u1 = 0; + let (x783, x784) = fiat_bign256_scalar_addcarryx_u32(x782, x732, x766); + let mut x785: u32 = 0; + let mut x786: fiat_bign256_scalar_u1 = 0; + let (x785, x786) = fiat_bign256_scalar_addcarryx_u32(x784, x734, x768); + let mut x787: u32 = 0; + let mut x788: fiat_bign256_scalar_u1 = 0; + let (x787, x788) = fiat_bign256_scalar_addcarryx_u32(x786, x736, x770); + let mut x789: u32 = 0; + let mut x790: fiat_bign256_scalar_u1 = 0; + let (x789, x790) = fiat_bign256_scalar_addcarryx_u32(x788, x738, x772); + let mut x791: u32 = 0; + let mut x792: fiat_bign256_scalar_u1 = 0; + let (x791, x792) = fiat_bign256_scalar_addcarryx_u32(x790, x740, x774); + let mut x793: u32 = 0; + let mut x794: fiat_bign256_scalar_u1 = 0; + let (x793, x794) = fiat_bign256_scalar_addcarryx_u32(x792, x742, x776); + let mut x795: u32 = 0; + let mut x796: fiat_bign256_scalar_u1 = 0; + let (x795, x796) = fiat_bign256_scalar_addcarryx_u32(x794, x744, x778); + let x797: u32 = ((x796 as u32) + (x745 as u32)); + let mut x798: u32 = 0; + let mut x799: fiat_bign256_scalar_u1 = 0; + let (x798, x799) = fiat_bign256_scalar_subborrowx_u32(0x0, x781, 0x263d6607); + let mut x800: u32 = 0; + let mut x801: fiat_bign256_scalar_u1 = 0; + let (x800, x801) = fiat_bign256_scalar_subborrowx_u32(x799, x783, 0x7e5abf99); + let mut x802: u32 = 0; + let mut x803: fiat_bign256_scalar_u1 = 0; + let (x802, x803) = fiat_bign256_scalar_subborrowx_u32(x801, x785, 0xdfb4dfc); + let mut x804: u32 = 0; + let mut x805: fiat_bign256_scalar_u1 = 0; + let (x804, x805) = fiat_bign256_scalar_subborrowx_u32(x803, x787, 0xd95c8ed6); + let mut x806: u32 = 0; + let mut x807: fiat_bign256_scalar_u1 = 0; + let (x806, x807) = fiat_bign256_scalar_subborrowx_u32(x805, x789, 0xffffffff); + let mut x808: u32 = 0; + let mut x809: fiat_bign256_scalar_u1 = 0; + let (x808, x809) = fiat_bign256_scalar_subborrowx_u32(x807, x791, 0xffffffff); + let mut x810: u32 = 0; + let mut x811: fiat_bign256_scalar_u1 = 0; + let (x810, x811) = fiat_bign256_scalar_subborrowx_u32(x809, x793, 0xffffffff); + let mut x812: u32 = 0; + let mut x813: fiat_bign256_scalar_u1 = 0; + let (x812, x813) = fiat_bign256_scalar_subborrowx_u32(x811, x795, 0xffffffff); + let mut x814: u32 = 0; + let mut x815: fiat_bign256_scalar_u1 = 0; + let (x814, x815) = fiat_bign256_scalar_subborrowx_u32(x813, x797, (0x0 as u32)); + let mut x816: u32 = 0; + let (x816) = fiat_bign256_scalar_cmovznz_u32(x815, x798, x781); + let mut x817: u32 = 0; + let (x817) = fiat_bign256_scalar_cmovznz_u32(x815, x800, x783); + let mut x818: u32 = 0; + let (x818) = fiat_bign256_scalar_cmovznz_u32(x815, x802, x785); + let mut x819: u32 = 0; + let (x819) = fiat_bign256_scalar_cmovznz_u32(x815, x804, x787); + let mut x820: u32 = 0; + let (x820) = fiat_bign256_scalar_cmovznz_u32(x815, x806, x789); + let mut x821: u32 = 0; + let (x821) = fiat_bign256_scalar_cmovznz_u32(x815, x808, x791); + let mut x822: u32 = 0; + let (x822) = fiat_bign256_scalar_cmovznz_u32(x815, x810, x793); + let mut x823: u32 = 0; + let (x823) = fiat_bign256_scalar_cmovznz_u32(x815, x812, x795); + out1[0] = x816; + out1[1] = x817; + out1[2] = x818; + out1[3] = x819; + out1[4] = x820; + out1[5] = x821; + out1[6] = x822; + out1[7] = x823; + out1 +} +#[doc = " The function fiat_bign256_scalar_add adds two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_add( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, + arg2: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 8]; + let mut x1: u32 = 0; + let mut x2: fiat_bign256_scalar_u1 = 0; + let (x1, x2) = fiat_bign256_scalar_addcarryx_u32(0x0, (arg1[0]), (arg2[0])); + let mut x3: u32 = 0; + let mut x4: fiat_bign256_scalar_u1 = 0; + let (x3, x4) = fiat_bign256_scalar_addcarryx_u32(x2, (arg1[1]), (arg2[1])); + let mut x5: u32 = 0; + let mut x6: fiat_bign256_scalar_u1 = 0; + let (x5, x6) = fiat_bign256_scalar_addcarryx_u32(x4, (arg1[2]), (arg2[2])); + let mut x7: u32 = 0; + let mut x8: fiat_bign256_scalar_u1 = 0; + let (x7, x8) = fiat_bign256_scalar_addcarryx_u32(x6, (arg1[3]), (arg2[3])); + let mut x9: u32 = 0; + let mut x10: fiat_bign256_scalar_u1 = 0; + let (x9, x10) = fiat_bign256_scalar_addcarryx_u32(x8, (arg1[4]), (arg2[4])); + let mut x11: u32 = 0; + let mut x12: fiat_bign256_scalar_u1 = 0; + let (x11, x12) = fiat_bign256_scalar_addcarryx_u32(x10, (arg1[5]), (arg2[5])); + let mut x13: u32 = 0; + let mut x14: fiat_bign256_scalar_u1 = 0; + let (x13, x14) = fiat_bign256_scalar_addcarryx_u32(x12, (arg1[6]), (arg2[6])); + let mut x15: u32 = 0; + let mut x16: fiat_bign256_scalar_u1 = 0; + let (x15, x16) = fiat_bign256_scalar_addcarryx_u32(x14, (arg1[7]), (arg2[7])); + let mut x17: u32 = 0; + let mut x18: fiat_bign256_scalar_u1 = 0; + let (x17, x18) = fiat_bign256_scalar_subborrowx_u32(0x0, x1, 0x263d6607); + let mut x19: u32 = 0; + let mut x20: fiat_bign256_scalar_u1 = 0; + let (x19, x20) = fiat_bign256_scalar_subborrowx_u32(x18, x3, 0x7e5abf99); + let mut x21: u32 = 0; + let mut x22: fiat_bign256_scalar_u1 = 0; + let (x21, x22) = fiat_bign256_scalar_subborrowx_u32(x20, x5, 0xdfb4dfc); + let mut x23: u32 = 0; + let mut x24: fiat_bign256_scalar_u1 = 0; + let (x23, x24) = fiat_bign256_scalar_subborrowx_u32(x22, x7, 0xd95c8ed6); + let mut x25: u32 = 0; + let mut x26: fiat_bign256_scalar_u1 = 0; + let (x25, x26) = fiat_bign256_scalar_subborrowx_u32(x24, x9, 0xffffffff); + let mut x27: u32 = 0; + let mut x28: fiat_bign256_scalar_u1 = 0; + let (x27, x28) = fiat_bign256_scalar_subborrowx_u32(x26, x11, 0xffffffff); + let mut x29: u32 = 0; + let mut x30: fiat_bign256_scalar_u1 = 0; + let (x29, x30) = fiat_bign256_scalar_subborrowx_u32(x28, x13, 0xffffffff); + let mut x31: u32 = 0; + let mut x32: fiat_bign256_scalar_u1 = 0; + let (x31, x32) = fiat_bign256_scalar_subborrowx_u32(x30, x15, 0xffffffff); + let mut x33: u32 = 0; + let mut x34: fiat_bign256_scalar_u1 = 0; + let (x33, x34) = fiat_bign256_scalar_subborrowx_u32(x32, (x16 as u32), (0x0 as u32)); + let mut x35: u32 = 0; + let (x35) = fiat_bign256_scalar_cmovznz_u32(x34, x17, x1); + let mut x36: u32 = 0; + let (x36) = fiat_bign256_scalar_cmovznz_u32(x34, x19, x3); + let mut x37: u32 = 0; + let (x37) = fiat_bign256_scalar_cmovznz_u32(x34, x21, x5); + let mut x38: u32 = 0; + let (x38) = fiat_bign256_scalar_cmovznz_u32(x34, x23, x7); + let mut x39: u32 = 0; + let (x39) = fiat_bign256_scalar_cmovznz_u32(x34, x25, x9); + let mut x40: u32 = 0; + let (x40) = fiat_bign256_scalar_cmovznz_u32(x34, x27, x11); + let mut x41: u32 = 0; + let (x41) = fiat_bign256_scalar_cmovznz_u32(x34, x29, x13); + let mut x42: u32 = 0; + let (x42) = fiat_bign256_scalar_cmovznz_u32(x34, x31, x15); + out1[0] = x35; + out1[1] = x36; + out1[2] = x37; + out1[3] = x38; + out1[4] = x39; + out1[5] = x40; + out1[6] = x41; + out1[7] = x42; + out1 +} +#[doc = " The function fiat_bign256_scalar_sub subtracts two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_sub( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, + arg2: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 8]; + let mut x1: u32 = 0; + let mut x2: fiat_bign256_scalar_u1 = 0; + let (x1, x2) = fiat_bign256_scalar_subborrowx_u32(0x0, (arg1[0]), (arg2[0])); + let mut x3: u32 = 0; + let mut x4: fiat_bign256_scalar_u1 = 0; + let (x3, x4) = fiat_bign256_scalar_subborrowx_u32(x2, (arg1[1]), (arg2[1])); + let mut x5: u32 = 0; + let mut x6: fiat_bign256_scalar_u1 = 0; + let (x5, x6) = fiat_bign256_scalar_subborrowx_u32(x4, (arg1[2]), (arg2[2])); + let mut x7: u32 = 0; + let mut x8: fiat_bign256_scalar_u1 = 0; + let (x7, x8) = fiat_bign256_scalar_subborrowx_u32(x6, (arg1[3]), (arg2[3])); + let mut x9: u32 = 0; + let mut x10: fiat_bign256_scalar_u1 = 0; + let (x9, x10) = fiat_bign256_scalar_subborrowx_u32(x8, (arg1[4]), (arg2[4])); + let mut x11: u32 = 0; + let mut x12: fiat_bign256_scalar_u1 = 0; + let (x11, x12) = fiat_bign256_scalar_subborrowx_u32(x10, (arg1[5]), (arg2[5])); + let mut x13: u32 = 0; + let mut x14: fiat_bign256_scalar_u1 = 0; + let (x13, x14) = fiat_bign256_scalar_subborrowx_u32(x12, (arg1[6]), (arg2[6])); + let mut x15: u32 = 0; + let mut x16: fiat_bign256_scalar_u1 = 0; + let (x15, x16) = fiat_bign256_scalar_subborrowx_u32(x14, (arg1[7]), (arg2[7])); + let mut x17: u32 = 0; + let (x17) = fiat_bign256_scalar_cmovznz_u32(x16, (0x0 as u32), 0xffffffff); + let mut x18: u32 = 0; + let mut x19: fiat_bign256_scalar_u1 = 0; + let (x18, x19) = fiat_bign256_scalar_addcarryx_u32(0x0, x1, (x17 & 0x263d6607)); + let mut x20: u32 = 0; + let mut x21: fiat_bign256_scalar_u1 = 0; + let (x20, x21) = fiat_bign256_scalar_addcarryx_u32(x19, x3, (x17 & 0x7e5abf99)); + let mut x22: u32 = 0; + let mut x23: fiat_bign256_scalar_u1 = 0; + let (x22, x23) = fiat_bign256_scalar_addcarryx_u32(x21, x5, (x17 & 0xdfb4dfc)); + let mut x24: u32 = 0; + let mut x25: fiat_bign256_scalar_u1 = 0; + let (x24, x25) = fiat_bign256_scalar_addcarryx_u32(x23, x7, (x17 & 0xd95c8ed6)); + let mut x26: u32 = 0; + let mut x27: fiat_bign256_scalar_u1 = 0; + let (x26, x27) = fiat_bign256_scalar_addcarryx_u32(x25, x9, x17); + let mut x28: u32 = 0; + let mut x29: fiat_bign256_scalar_u1 = 0; + let (x28, x29) = fiat_bign256_scalar_addcarryx_u32(x27, x11, x17); + let mut x30: u32 = 0; + let mut x31: fiat_bign256_scalar_u1 = 0; + let (x30, x31) = fiat_bign256_scalar_addcarryx_u32(x29, x13, x17); + let mut x32: u32 = 0; + let mut x33: fiat_bign256_scalar_u1 = 0; + let (x32, x33) = fiat_bign256_scalar_addcarryx_u32(x31, x15, x17); + out1[0] = x18; + out1[1] = x20; + out1[2] = x22; + out1[3] = x24; + out1[4] = x26; + out1[5] = x28; + out1[6] = x30; + out1[7] = x32; + out1 +} +#[doc = " The function fiat_bign256_scalar_opp negates a field element in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_opp( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 8]; + let mut x1: u32 = 0; + let mut x2: fiat_bign256_scalar_u1 = 0; + let (x1, x2) = fiat_bign256_scalar_subborrowx_u32(0x0, (0x0 as u32), (arg1[0])); + let mut x3: u32 = 0; + let mut x4: fiat_bign256_scalar_u1 = 0; + let (x3, x4) = fiat_bign256_scalar_subborrowx_u32(x2, (0x0 as u32), (arg1[1])); + let mut x5: u32 = 0; + let mut x6: fiat_bign256_scalar_u1 = 0; + let (x5, x6) = fiat_bign256_scalar_subborrowx_u32(x4, (0x0 as u32), (arg1[2])); + let mut x7: u32 = 0; + let mut x8: fiat_bign256_scalar_u1 = 0; + let (x7, x8) = fiat_bign256_scalar_subborrowx_u32(x6, (0x0 as u32), (arg1[3])); + let mut x9: u32 = 0; + let mut x10: fiat_bign256_scalar_u1 = 0; + let (x9, x10) = fiat_bign256_scalar_subborrowx_u32(x8, (0x0 as u32), (arg1[4])); + let mut x11: u32 = 0; + let mut x12: fiat_bign256_scalar_u1 = 0; + let (x11, x12) = fiat_bign256_scalar_subborrowx_u32(x10, (0x0 as u32), (arg1[5])); + let mut x13: u32 = 0; + let mut x14: fiat_bign256_scalar_u1 = 0; + let (x13, x14) = fiat_bign256_scalar_subborrowx_u32(x12, (0x0 as u32), (arg1[6])); + let mut x15: u32 = 0; + let mut x16: fiat_bign256_scalar_u1 = 0; + let (x15, x16) = fiat_bign256_scalar_subborrowx_u32(x14, (0x0 as u32), (arg1[7])); + let mut x17: u32 = 0; + let (x17) = fiat_bign256_scalar_cmovznz_u32(x16, (0x0 as u32), 0xffffffff); + let mut x18: u32 = 0; + let mut x19: fiat_bign256_scalar_u1 = 0; + let (x18, x19) = fiat_bign256_scalar_addcarryx_u32(0x0, x1, (x17 & 0x263d6607)); + let mut x20: u32 = 0; + let mut x21: fiat_bign256_scalar_u1 = 0; + let (x20, x21) = fiat_bign256_scalar_addcarryx_u32(x19, x3, (x17 & 0x7e5abf99)); + let mut x22: u32 = 0; + let mut x23: fiat_bign256_scalar_u1 = 0; + let (x22, x23) = fiat_bign256_scalar_addcarryx_u32(x21, x5, (x17 & 0xdfb4dfc)); + let mut x24: u32 = 0; + let mut x25: fiat_bign256_scalar_u1 = 0; + let (x24, x25) = fiat_bign256_scalar_addcarryx_u32(x23, x7, (x17 & 0xd95c8ed6)); + let mut x26: u32 = 0; + let mut x27: fiat_bign256_scalar_u1 = 0; + let (x26, x27) = fiat_bign256_scalar_addcarryx_u32(x25, x9, x17); + let mut x28: u32 = 0; + let mut x29: fiat_bign256_scalar_u1 = 0; + let (x28, x29) = fiat_bign256_scalar_addcarryx_u32(x27, x11, x17); + let mut x30: u32 = 0; + let mut x31: fiat_bign256_scalar_u1 = 0; + let (x30, x31) = fiat_bign256_scalar_addcarryx_u32(x29, x13, x17); + let mut x32: u32 = 0; + let mut x33: fiat_bign256_scalar_u1 = 0; + let (x32, x33) = fiat_bign256_scalar_addcarryx_u32(x31, x15, x17); + out1[0] = x18; + out1[1] = x20; + out1[2] = x22; + out1[3] = x24; + out1[4] = x26; + out1[5] = x28; + out1[6] = x30; + out1[7] = x32; + out1 +} +#[doc = " The function fiat_bign256_scalar_from_montgomery translates a field element out of the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_from_montgomery( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_non_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_non_montgomery_domain_field_element = [0; 8]; + let x1: u32 = (arg1[0]); + let mut x2: u32 = 0; + let mut x3: u32 = 0; + let (x2, x3) = fiat_bign256_scalar_mulx_u32(x1, 0x858d849); + let mut x4: u32 = 0; + let mut x5: u32 = 0; + let (x4, x5) = fiat_bign256_scalar_mulx_u32(x2, 0xffffffff); + let mut x6: u32 = 0; + let mut x7: u32 = 0; + let (x6, x7) = fiat_bign256_scalar_mulx_u32(x2, 0xffffffff); + let mut x8: u32 = 0; + let mut x9: u32 = 0; + let (x8, x9) = fiat_bign256_scalar_mulx_u32(x2, 0xffffffff); + let mut x10: u32 = 0; + let mut x11: u32 = 0; + let (x10, x11) = fiat_bign256_scalar_mulx_u32(x2, 0xffffffff); + let mut x12: u32 = 0; + let mut x13: u32 = 0; + let (x12, x13) = fiat_bign256_scalar_mulx_u32(x2, 0xd95c8ed6); + let mut x14: u32 = 0; + let mut x15: u32 = 0; + let (x14, x15) = fiat_bign256_scalar_mulx_u32(x2, 0xdfb4dfc); + let mut x16: u32 = 0; + let mut x17: u32 = 0; + let (x16, x17) = fiat_bign256_scalar_mulx_u32(x2, 0x7e5abf99); + let mut x18: u32 = 0; + let mut x19: u32 = 0; + let (x18, x19) = fiat_bign256_scalar_mulx_u32(x2, 0x263d6607); + let mut x20: u32 = 0; + let mut x21: fiat_bign256_scalar_u1 = 0; + let (x20, x21) = fiat_bign256_scalar_addcarryx_u32(0x0, x19, x16); + let mut x22: u32 = 0; + let mut x23: fiat_bign256_scalar_u1 = 0; + let (x22, x23) = fiat_bign256_scalar_addcarryx_u32(x21, x17, x14); + let mut x24: u32 = 0; + let mut x25: fiat_bign256_scalar_u1 = 0; + let (x24, x25) = fiat_bign256_scalar_addcarryx_u32(x23, x15, x12); + let mut x26: u32 = 0; + let mut x27: fiat_bign256_scalar_u1 = 0; + let (x26, x27) = fiat_bign256_scalar_addcarryx_u32(x25, x13, x10); + let mut x28: u32 = 0; + let mut x29: fiat_bign256_scalar_u1 = 0; + let (x28, x29) = fiat_bign256_scalar_addcarryx_u32(x27, x11, x8); + let mut x30: u32 = 0; + let mut x31: fiat_bign256_scalar_u1 = 0; + let (x30, x31) = fiat_bign256_scalar_addcarryx_u32(x29, x9, x6); + let mut x32: u32 = 0; + let mut x33: fiat_bign256_scalar_u1 = 0; + let (x32, x33) = fiat_bign256_scalar_addcarryx_u32(x31, x7, x4); + let mut x34: u32 = 0; + let mut x35: fiat_bign256_scalar_u1 = 0; + let (x34, x35) = fiat_bign256_scalar_addcarryx_u32(0x0, x1, x18); + let mut x36: u32 = 0; + let mut x37: fiat_bign256_scalar_u1 = 0; + let (x36, x37) = fiat_bign256_scalar_addcarryx_u32(x35, (0x0 as u32), x20); + let mut x38: u32 = 0; + let mut x39: fiat_bign256_scalar_u1 = 0; + let (x38, x39) = fiat_bign256_scalar_addcarryx_u32(x37, (0x0 as u32), x22); + let mut x40: u32 = 0; + let mut x41: fiat_bign256_scalar_u1 = 0; + let (x40, x41) = fiat_bign256_scalar_addcarryx_u32(x39, (0x0 as u32), x24); + let mut x42: u32 = 0; + let mut x43: fiat_bign256_scalar_u1 = 0; + let (x42, x43) = fiat_bign256_scalar_addcarryx_u32(x41, (0x0 as u32), x26); + let mut x44: u32 = 0; + let mut x45: fiat_bign256_scalar_u1 = 0; + let (x44, x45) = fiat_bign256_scalar_addcarryx_u32(x43, (0x0 as u32), x28); + let mut x46: u32 = 0; + let mut x47: fiat_bign256_scalar_u1 = 0; + let (x46, x47) = fiat_bign256_scalar_addcarryx_u32(x45, (0x0 as u32), x30); + let mut x48: u32 = 0; + let mut x49: fiat_bign256_scalar_u1 = 0; + let (x48, x49) = fiat_bign256_scalar_addcarryx_u32(x47, (0x0 as u32), x32); + let mut x50: u32 = 0; + let mut x51: fiat_bign256_scalar_u1 = 0; + let (x50, x51) = fiat_bign256_scalar_addcarryx_u32(x49, (0x0 as u32), ((x33 as u32) + x5)); + let mut x52: u32 = 0; + let mut x53: fiat_bign256_scalar_u1 = 0; + let (x52, x53) = fiat_bign256_scalar_addcarryx_u32(0x0, x36, (arg1[1])); + let mut x54: u32 = 0; + let mut x55: fiat_bign256_scalar_u1 = 0; + let (x54, x55) = fiat_bign256_scalar_addcarryx_u32(x53, x38, (0x0 as u32)); + let mut x56: u32 = 0; + let mut x57: fiat_bign256_scalar_u1 = 0; + let (x56, x57) = fiat_bign256_scalar_addcarryx_u32(x55, x40, (0x0 as u32)); + let mut x58: u32 = 0; + let mut x59: fiat_bign256_scalar_u1 = 0; + let (x58, x59) = fiat_bign256_scalar_addcarryx_u32(x57, x42, (0x0 as u32)); + let mut x60: u32 = 0; + let mut x61: fiat_bign256_scalar_u1 = 0; + let (x60, x61) = fiat_bign256_scalar_addcarryx_u32(x59, x44, (0x0 as u32)); + let mut x62: u32 = 0; + let mut x63: fiat_bign256_scalar_u1 = 0; + let (x62, x63) = fiat_bign256_scalar_addcarryx_u32(x61, x46, (0x0 as u32)); + let mut x64: u32 = 0; + let mut x65: fiat_bign256_scalar_u1 = 0; + let (x64, x65) = fiat_bign256_scalar_addcarryx_u32(x63, x48, (0x0 as u32)); + let mut x66: u32 = 0; + let mut x67: fiat_bign256_scalar_u1 = 0; + let (x66, x67) = fiat_bign256_scalar_addcarryx_u32(x65, x50, (0x0 as u32)); + let mut x68: u32 = 0; + let mut x69: u32 = 0; + let (x68, x69) = fiat_bign256_scalar_mulx_u32(x52, 0x858d849); + let mut x70: u32 = 0; + let mut x71: u32 = 0; + let (x70, x71) = fiat_bign256_scalar_mulx_u32(x68, 0xffffffff); + let mut x72: u32 = 0; + let mut x73: u32 = 0; + let (x72, x73) = fiat_bign256_scalar_mulx_u32(x68, 0xffffffff); + let mut x74: u32 = 0; + let mut x75: u32 = 0; + let (x74, x75) = fiat_bign256_scalar_mulx_u32(x68, 0xffffffff); + let mut x76: u32 = 0; + let mut x77: u32 = 0; + let (x76, x77) = fiat_bign256_scalar_mulx_u32(x68, 0xffffffff); + let mut x78: u32 = 0; + let mut x79: u32 = 0; + let (x78, x79) = fiat_bign256_scalar_mulx_u32(x68, 0xd95c8ed6); + let mut x80: u32 = 0; + let mut x81: u32 = 0; + let (x80, x81) = fiat_bign256_scalar_mulx_u32(x68, 0xdfb4dfc); + let mut x82: u32 = 0; + let mut x83: u32 = 0; + let (x82, x83) = fiat_bign256_scalar_mulx_u32(x68, 0x7e5abf99); + let mut x84: u32 = 0; + let mut x85: u32 = 0; + let (x84, x85) = fiat_bign256_scalar_mulx_u32(x68, 0x263d6607); + let mut x86: u32 = 0; + let mut x87: fiat_bign256_scalar_u1 = 0; + let (x86, x87) = fiat_bign256_scalar_addcarryx_u32(0x0, x85, x82); + let mut x88: u32 = 0; + let mut x89: fiat_bign256_scalar_u1 = 0; + let (x88, x89) = fiat_bign256_scalar_addcarryx_u32(x87, x83, x80); + let mut x90: u32 = 0; + let mut x91: fiat_bign256_scalar_u1 = 0; + let (x90, x91) = fiat_bign256_scalar_addcarryx_u32(x89, x81, x78); + let mut x92: u32 = 0; + let mut x93: fiat_bign256_scalar_u1 = 0; + let (x92, x93) = fiat_bign256_scalar_addcarryx_u32(x91, x79, x76); + let mut x94: u32 = 0; + let mut x95: fiat_bign256_scalar_u1 = 0; + let (x94, x95) = fiat_bign256_scalar_addcarryx_u32(x93, x77, x74); + let mut x96: u32 = 0; + let mut x97: fiat_bign256_scalar_u1 = 0; + let (x96, x97) = fiat_bign256_scalar_addcarryx_u32(x95, x75, x72); + let mut x98: u32 = 0; + let mut x99: fiat_bign256_scalar_u1 = 0; + let (x98, x99) = fiat_bign256_scalar_addcarryx_u32(x97, x73, x70); + let mut x100: u32 = 0; + let mut x101: fiat_bign256_scalar_u1 = 0; + let (x100, x101) = fiat_bign256_scalar_addcarryx_u32(0x0, x52, x84); + let mut x102: u32 = 0; + let mut x103: fiat_bign256_scalar_u1 = 0; + let (x102, x103) = fiat_bign256_scalar_addcarryx_u32(x101, x54, x86); + let mut x104: u32 = 0; + let mut x105: fiat_bign256_scalar_u1 = 0; + let (x104, x105) = fiat_bign256_scalar_addcarryx_u32(x103, x56, x88); + let mut x106: u32 = 0; + let mut x107: fiat_bign256_scalar_u1 = 0; + let (x106, x107) = fiat_bign256_scalar_addcarryx_u32(x105, x58, x90); + let mut x108: u32 = 0; + let mut x109: fiat_bign256_scalar_u1 = 0; + let (x108, x109) = fiat_bign256_scalar_addcarryx_u32(x107, x60, x92); + let mut x110: u32 = 0; + let mut x111: fiat_bign256_scalar_u1 = 0; + let (x110, x111) = fiat_bign256_scalar_addcarryx_u32(x109, x62, x94); + let mut x112: u32 = 0; + let mut x113: fiat_bign256_scalar_u1 = 0; + let (x112, x113) = fiat_bign256_scalar_addcarryx_u32(x111, x64, x96); + let mut x114: u32 = 0; + let mut x115: fiat_bign256_scalar_u1 = 0; + let (x114, x115) = fiat_bign256_scalar_addcarryx_u32(x113, x66, x98); + let mut x116: u32 = 0; + let mut x117: fiat_bign256_scalar_u1 = 0; + let (x116, x117) = fiat_bign256_scalar_addcarryx_u32( + x115, + ((x67 as u32) + (x51 as u32)), + ((x99 as u32) + x71), + ); + let mut x118: u32 = 0; + let mut x119: fiat_bign256_scalar_u1 = 0; + let (x118, x119) = fiat_bign256_scalar_addcarryx_u32(0x0, x102, (arg1[2])); + let mut x120: u32 = 0; + let mut x121: fiat_bign256_scalar_u1 = 0; + let (x120, x121) = fiat_bign256_scalar_addcarryx_u32(x119, x104, (0x0 as u32)); + let mut x122: u32 = 0; + let mut x123: fiat_bign256_scalar_u1 = 0; + let (x122, x123) = fiat_bign256_scalar_addcarryx_u32(x121, x106, (0x0 as u32)); + let mut x124: u32 = 0; + let mut x125: fiat_bign256_scalar_u1 = 0; + let (x124, x125) = fiat_bign256_scalar_addcarryx_u32(x123, x108, (0x0 as u32)); + let mut x126: u32 = 0; + let mut x127: fiat_bign256_scalar_u1 = 0; + let (x126, x127) = fiat_bign256_scalar_addcarryx_u32(x125, x110, (0x0 as u32)); + let mut x128: u32 = 0; + let mut x129: fiat_bign256_scalar_u1 = 0; + let (x128, x129) = fiat_bign256_scalar_addcarryx_u32(x127, x112, (0x0 as u32)); + let mut x130: u32 = 0; + let mut x131: fiat_bign256_scalar_u1 = 0; + let (x130, x131) = fiat_bign256_scalar_addcarryx_u32(x129, x114, (0x0 as u32)); + let mut x132: u32 = 0; + let mut x133: fiat_bign256_scalar_u1 = 0; + let (x132, x133) = fiat_bign256_scalar_addcarryx_u32(x131, x116, (0x0 as u32)); + let mut x134: u32 = 0; + let mut x135: u32 = 0; + let (x134, x135) = fiat_bign256_scalar_mulx_u32(x118, 0x858d849); + let mut x136: u32 = 0; + let mut x137: u32 = 0; + let (x136, x137) = fiat_bign256_scalar_mulx_u32(x134, 0xffffffff); + let mut x138: u32 = 0; + let mut x139: u32 = 0; + let (x138, x139) = fiat_bign256_scalar_mulx_u32(x134, 0xffffffff); + let mut x140: u32 = 0; + let mut x141: u32 = 0; + let (x140, x141) = fiat_bign256_scalar_mulx_u32(x134, 0xffffffff); + let mut x142: u32 = 0; + let mut x143: u32 = 0; + let (x142, x143) = fiat_bign256_scalar_mulx_u32(x134, 0xffffffff); + let mut x144: u32 = 0; + let mut x145: u32 = 0; + let (x144, x145) = fiat_bign256_scalar_mulx_u32(x134, 0xd95c8ed6); + let mut x146: u32 = 0; + let mut x147: u32 = 0; + let (x146, x147) = fiat_bign256_scalar_mulx_u32(x134, 0xdfb4dfc); + let mut x148: u32 = 0; + let mut x149: u32 = 0; + let (x148, x149) = fiat_bign256_scalar_mulx_u32(x134, 0x7e5abf99); + let mut x150: u32 = 0; + let mut x151: u32 = 0; + let (x150, x151) = fiat_bign256_scalar_mulx_u32(x134, 0x263d6607); + let mut x152: u32 = 0; + let mut x153: fiat_bign256_scalar_u1 = 0; + let (x152, x153) = fiat_bign256_scalar_addcarryx_u32(0x0, x151, x148); + let mut x154: u32 = 0; + let mut x155: fiat_bign256_scalar_u1 = 0; + let (x154, x155) = fiat_bign256_scalar_addcarryx_u32(x153, x149, x146); + let mut x156: u32 = 0; + let mut x157: fiat_bign256_scalar_u1 = 0; + let (x156, x157) = fiat_bign256_scalar_addcarryx_u32(x155, x147, x144); + let mut x158: u32 = 0; + let mut x159: fiat_bign256_scalar_u1 = 0; + let (x158, x159) = fiat_bign256_scalar_addcarryx_u32(x157, x145, x142); + let mut x160: u32 = 0; + let mut x161: fiat_bign256_scalar_u1 = 0; + let (x160, x161) = fiat_bign256_scalar_addcarryx_u32(x159, x143, x140); + let mut x162: u32 = 0; + let mut x163: fiat_bign256_scalar_u1 = 0; + let (x162, x163) = fiat_bign256_scalar_addcarryx_u32(x161, x141, x138); + let mut x164: u32 = 0; + let mut x165: fiat_bign256_scalar_u1 = 0; + let (x164, x165) = fiat_bign256_scalar_addcarryx_u32(x163, x139, x136); + let mut x166: u32 = 0; + let mut x167: fiat_bign256_scalar_u1 = 0; + let (x166, x167) = fiat_bign256_scalar_addcarryx_u32(0x0, x118, x150); + let mut x168: u32 = 0; + let mut x169: fiat_bign256_scalar_u1 = 0; + let (x168, x169) = fiat_bign256_scalar_addcarryx_u32(x167, x120, x152); + let mut x170: u32 = 0; + let mut x171: fiat_bign256_scalar_u1 = 0; + let (x170, x171) = fiat_bign256_scalar_addcarryx_u32(x169, x122, x154); + let mut x172: u32 = 0; + let mut x173: fiat_bign256_scalar_u1 = 0; + let (x172, x173) = fiat_bign256_scalar_addcarryx_u32(x171, x124, x156); + let mut x174: u32 = 0; + let mut x175: fiat_bign256_scalar_u1 = 0; + let (x174, x175) = fiat_bign256_scalar_addcarryx_u32(x173, x126, x158); + let mut x176: u32 = 0; + let mut x177: fiat_bign256_scalar_u1 = 0; + let (x176, x177) = fiat_bign256_scalar_addcarryx_u32(x175, x128, x160); + let mut x178: u32 = 0; + let mut x179: fiat_bign256_scalar_u1 = 0; + let (x178, x179) = fiat_bign256_scalar_addcarryx_u32(x177, x130, x162); + let mut x180: u32 = 0; + let mut x181: fiat_bign256_scalar_u1 = 0; + let (x180, x181) = fiat_bign256_scalar_addcarryx_u32(x179, x132, x164); + let mut x182: u32 = 0; + let mut x183: fiat_bign256_scalar_u1 = 0; + let (x182, x183) = fiat_bign256_scalar_addcarryx_u32( + x181, + ((x133 as u32) + (x117 as u32)), + ((x165 as u32) + x137), + ); + let mut x184: u32 = 0; + let mut x185: fiat_bign256_scalar_u1 = 0; + let (x184, x185) = fiat_bign256_scalar_addcarryx_u32(0x0, x168, (arg1[3])); + let mut x186: u32 = 0; + let mut x187: fiat_bign256_scalar_u1 = 0; + let (x186, x187) = fiat_bign256_scalar_addcarryx_u32(x185, x170, (0x0 as u32)); + let mut x188: u32 = 0; + let mut x189: fiat_bign256_scalar_u1 = 0; + let (x188, x189) = fiat_bign256_scalar_addcarryx_u32(x187, x172, (0x0 as u32)); + let mut x190: u32 = 0; + let mut x191: fiat_bign256_scalar_u1 = 0; + let (x190, x191) = fiat_bign256_scalar_addcarryx_u32(x189, x174, (0x0 as u32)); + let mut x192: u32 = 0; + let mut x193: fiat_bign256_scalar_u1 = 0; + let (x192, x193) = fiat_bign256_scalar_addcarryx_u32(x191, x176, (0x0 as u32)); + let mut x194: u32 = 0; + let mut x195: fiat_bign256_scalar_u1 = 0; + let (x194, x195) = fiat_bign256_scalar_addcarryx_u32(x193, x178, (0x0 as u32)); + let mut x196: u32 = 0; + let mut x197: fiat_bign256_scalar_u1 = 0; + let (x196, x197) = fiat_bign256_scalar_addcarryx_u32(x195, x180, (0x0 as u32)); + let mut x198: u32 = 0; + let mut x199: fiat_bign256_scalar_u1 = 0; + let (x198, x199) = fiat_bign256_scalar_addcarryx_u32(x197, x182, (0x0 as u32)); + let mut x200: u32 = 0; + let mut x201: u32 = 0; + let (x200, x201) = fiat_bign256_scalar_mulx_u32(x184, 0x858d849); + let mut x202: u32 = 0; + let mut x203: u32 = 0; + let (x202, x203) = fiat_bign256_scalar_mulx_u32(x200, 0xffffffff); + let mut x204: u32 = 0; + let mut x205: u32 = 0; + let (x204, x205) = fiat_bign256_scalar_mulx_u32(x200, 0xffffffff); + let mut x206: u32 = 0; + let mut x207: u32 = 0; + let (x206, x207) = fiat_bign256_scalar_mulx_u32(x200, 0xffffffff); + let mut x208: u32 = 0; + let mut x209: u32 = 0; + let (x208, x209) = fiat_bign256_scalar_mulx_u32(x200, 0xffffffff); + let mut x210: u32 = 0; + let mut x211: u32 = 0; + let (x210, x211) = fiat_bign256_scalar_mulx_u32(x200, 0xd95c8ed6); + let mut x212: u32 = 0; + let mut x213: u32 = 0; + let (x212, x213) = fiat_bign256_scalar_mulx_u32(x200, 0xdfb4dfc); + let mut x214: u32 = 0; + let mut x215: u32 = 0; + let (x214, x215) = fiat_bign256_scalar_mulx_u32(x200, 0x7e5abf99); + let mut x216: u32 = 0; + let mut x217: u32 = 0; + let (x216, x217) = fiat_bign256_scalar_mulx_u32(x200, 0x263d6607); + let mut x218: u32 = 0; + let mut x219: fiat_bign256_scalar_u1 = 0; + let (x218, x219) = fiat_bign256_scalar_addcarryx_u32(0x0, x217, x214); + let mut x220: u32 = 0; + let mut x221: fiat_bign256_scalar_u1 = 0; + let (x220, x221) = fiat_bign256_scalar_addcarryx_u32(x219, x215, x212); + let mut x222: u32 = 0; + let mut x223: fiat_bign256_scalar_u1 = 0; + let (x222, x223) = fiat_bign256_scalar_addcarryx_u32(x221, x213, x210); + let mut x224: u32 = 0; + let mut x225: fiat_bign256_scalar_u1 = 0; + let (x224, x225) = fiat_bign256_scalar_addcarryx_u32(x223, x211, x208); + let mut x226: u32 = 0; + let mut x227: fiat_bign256_scalar_u1 = 0; + let (x226, x227) = fiat_bign256_scalar_addcarryx_u32(x225, x209, x206); + let mut x228: u32 = 0; + let mut x229: fiat_bign256_scalar_u1 = 0; + let (x228, x229) = fiat_bign256_scalar_addcarryx_u32(x227, x207, x204); + let mut x230: u32 = 0; + let mut x231: fiat_bign256_scalar_u1 = 0; + let (x230, x231) = fiat_bign256_scalar_addcarryx_u32(x229, x205, x202); + let mut x232: u32 = 0; + let mut x233: fiat_bign256_scalar_u1 = 0; + let (x232, x233) = fiat_bign256_scalar_addcarryx_u32(0x0, x184, x216); + let mut x234: u32 = 0; + let mut x235: fiat_bign256_scalar_u1 = 0; + let (x234, x235) = fiat_bign256_scalar_addcarryx_u32(x233, x186, x218); + let mut x236: u32 = 0; + let mut x237: fiat_bign256_scalar_u1 = 0; + let (x236, x237) = fiat_bign256_scalar_addcarryx_u32(x235, x188, x220); + let mut x238: u32 = 0; + let mut x239: fiat_bign256_scalar_u1 = 0; + let (x238, x239) = fiat_bign256_scalar_addcarryx_u32(x237, x190, x222); + let mut x240: u32 = 0; + let mut x241: fiat_bign256_scalar_u1 = 0; + let (x240, x241) = fiat_bign256_scalar_addcarryx_u32(x239, x192, x224); + let mut x242: u32 = 0; + let mut x243: fiat_bign256_scalar_u1 = 0; + let (x242, x243) = fiat_bign256_scalar_addcarryx_u32(x241, x194, x226); + let mut x244: u32 = 0; + let mut x245: fiat_bign256_scalar_u1 = 0; + let (x244, x245) = fiat_bign256_scalar_addcarryx_u32(x243, x196, x228); + let mut x246: u32 = 0; + let mut x247: fiat_bign256_scalar_u1 = 0; + let (x246, x247) = fiat_bign256_scalar_addcarryx_u32(x245, x198, x230); + let mut x248: u32 = 0; + let mut x249: fiat_bign256_scalar_u1 = 0; + let (x248, x249) = fiat_bign256_scalar_addcarryx_u32( + x247, + ((x199 as u32) + (x183 as u32)), + ((x231 as u32) + x203), + ); + let mut x250: u32 = 0; + let mut x251: fiat_bign256_scalar_u1 = 0; + let (x250, x251) = fiat_bign256_scalar_addcarryx_u32(0x0, x234, (arg1[4])); + let mut x252: u32 = 0; + let mut x253: fiat_bign256_scalar_u1 = 0; + let (x252, x253) = fiat_bign256_scalar_addcarryx_u32(x251, x236, (0x0 as u32)); + let mut x254: u32 = 0; + let mut x255: fiat_bign256_scalar_u1 = 0; + let (x254, x255) = fiat_bign256_scalar_addcarryx_u32(x253, x238, (0x0 as u32)); + let mut x256: u32 = 0; + let mut x257: fiat_bign256_scalar_u1 = 0; + let (x256, x257) = fiat_bign256_scalar_addcarryx_u32(x255, x240, (0x0 as u32)); + let mut x258: u32 = 0; + let mut x259: fiat_bign256_scalar_u1 = 0; + let (x258, x259) = fiat_bign256_scalar_addcarryx_u32(x257, x242, (0x0 as u32)); + let mut x260: u32 = 0; + let mut x261: fiat_bign256_scalar_u1 = 0; + let (x260, x261) = fiat_bign256_scalar_addcarryx_u32(x259, x244, (0x0 as u32)); + let mut x262: u32 = 0; + let mut x263: fiat_bign256_scalar_u1 = 0; + let (x262, x263) = fiat_bign256_scalar_addcarryx_u32(x261, x246, (0x0 as u32)); + let mut x264: u32 = 0; + let mut x265: fiat_bign256_scalar_u1 = 0; + let (x264, x265) = fiat_bign256_scalar_addcarryx_u32(x263, x248, (0x0 as u32)); + let mut x266: u32 = 0; + let mut x267: u32 = 0; + let (x266, x267) = fiat_bign256_scalar_mulx_u32(x250, 0x858d849); + let mut x268: u32 = 0; + let mut x269: u32 = 0; + let (x268, x269) = fiat_bign256_scalar_mulx_u32(x266, 0xffffffff); + let mut x270: u32 = 0; + let mut x271: u32 = 0; + let (x270, x271) = fiat_bign256_scalar_mulx_u32(x266, 0xffffffff); + let mut x272: u32 = 0; + let mut x273: u32 = 0; + let (x272, x273) = fiat_bign256_scalar_mulx_u32(x266, 0xffffffff); + let mut x274: u32 = 0; + let mut x275: u32 = 0; + let (x274, x275) = fiat_bign256_scalar_mulx_u32(x266, 0xffffffff); + let mut x276: u32 = 0; + let mut x277: u32 = 0; + let (x276, x277) = fiat_bign256_scalar_mulx_u32(x266, 0xd95c8ed6); + let mut x278: u32 = 0; + let mut x279: u32 = 0; + let (x278, x279) = fiat_bign256_scalar_mulx_u32(x266, 0xdfb4dfc); + let mut x280: u32 = 0; + let mut x281: u32 = 0; + let (x280, x281) = fiat_bign256_scalar_mulx_u32(x266, 0x7e5abf99); + let mut x282: u32 = 0; + let mut x283: u32 = 0; + let (x282, x283) = fiat_bign256_scalar_mulx_u32(x266, 0x263d6607); + let mut x284: u32 = 0; + let mut x285: fiat_bign256_scalar_u1 = 0; + let (x284, x285) = fiat_bign256_scalar_addcarryx_u32(0x0, x283, x280); + let mut x286: u32 = 0; + let mut x287: fiat_bign256_scalar_u1 = 0; + let (x286, x287) = fiat_bign256_scalar_addcarryx_u32(x285, x281, x278); + let mut x288: u32 = 0; + let mut x289: fiat_bign256_scalar_u1 = 0; + let (x288, x289) = fiat_bign256_scalar_addcarryx_u32(x287, x279, x276); + let mut x290: u32 = 0; + let mut x291: fiat_bign256_scalar_u1 = 0; + let (x290, x291) = fiat_bign256_scalar_addcarryx_u32(x289, x277, x274); + let mut x292: u32 = 0; + let mut x293: fiat_bign256_scalar_u1 = 0; + let (x292, x293) = fiat_bign256_scalar_addcarryx_u32(x291, x275, x272); + let mut x294: u32 = 0; + let mut x295: fiat_bign256_scalar_u1 = 0; + let (x294, x295) = fiat_bign256_scalar_addcarryx_u32(x293, x273, x270); + let mut x296: u32 = 0; + let mut x297: fiat_bign256_scalar_u1 = 0; + let (x296, x297) = fiat_bign256_scalar_addcarryx_u32(x295, x271, x268); + let mut x298: u32 = 0; + let mut x299: fiat_bign256_scalar_u1 = 0; + let (x298, x299) = fiat_bign256_scalar_addcarryx_u32(0x0, x250, x282); + let mut x300: u32 = 0; + let mut x301: fiat_bign256_scalar_u1 = 0; + let (x300, x301) = fiat_bign256_scalar_addcarryx_u32(x299, x252, x284); + let mut x302: u32 = 0; + let mut x303: fiat_bign256_scalar_u1 = 0; + let (x302, x303) = fiat_bign256_scalar_addcarryx_u32(x301, x254, x286); + let mut x304: u32 = 0; + let mut x305: fiat_bign256_scalar_u1 = 0; + let (x304, x305) = fiat_bign256_scalar_addcarryx_u32(x303, x256, x288); + let mut x306: u32 = 0; + let mut x307: fiat_bign256_scalar_u1 = 0; + let (x306, x307) = fiat_bign256_scalar_addcarryx_u32(x305, x258, x290); + let mut x308: u32 = 0; + let mut x309: fiat_bign256_scalar_u1 = 0; + let (x308, x309) = fiat_bign256_scalar_addcarryx_u32(x307, x260, x292); + let mut x310: u32 = 0; + let mut x311: fiat_bign256_scalar_u1 = 0; + let (x310, x311) = fiat_bign256_scalar_addcarryx_u32(x309, x262, x294); + let mut x312: u32 = 0; + let mut x313: fiat_bign256_scalar_u1 = 0; + let (x312, x313) = fiat_bign256_scalar_addcarryx_u32(x311, x264, x296); + let mut x314: u32 = 0; + let mut x315: fiat_bign256_scalar_u1 = 0; + let (x314, x315) = fiat_bign256_scalar_addcarryx_u32( + x313, + ((x265 as u32) + (x249 as u32)), + ((x297 as u32) + x269), + ); + let mut x316: u32 = 0; + let mut x317: fiat_bign256_scalar_u1 = 0; + let (x316, x317) = fiat_bign256_scalar_addcarryx_u32(0x0, x300, (arg1[5])); + let mut x318: u32 = 0; + let mut x319: fiat_bign256_scalar_u1 = 0; + let (x318, x319) = fiat_bign256_scalar_addcarryx_u32(x317, x302, (0x0 as u32)); + let mut x320: u32 = 0; + let mut x321: fiat_bign256_scalar_u1 = 0; + let (x320, x321) = fiat_bign256_scalar_addcarryx_u32(x319, x304, (0x0 as u32)); + let mut x322: u32 = 0; + let mut x323: fiat_bign256_scalar_u1 = 0; + let (x322, x323) = fiat_bign256_scalar_addcarryx_u32(x321, x306, (0x0 as u32)); + let mut x324: u32 = 0; + let mut x325: fiat_bign256_scalar_u1 = 0; + let (x324, x325) = fiat_bign256_scalar_addcarryx_u32(x323, x308, (0x0 as u32)); + let mut x326: u32 = 0; + let mut x327: fiat_bign256_scalar_u1 = 0; + let (x326, x327) = fiat_bign256_scalar_addcarryx_u32(x325, x310, (0x0 as u32)); + let mut x328: u32 = 0; + let mut x329: fiat_bign256_scalar_u1 = 0; + let (x328, x329) = fiat_bign256_scalar_addcarryx_u32(x327, x312, (0x0 as u32)); + let mut x330: u32 = 0; + let mut x331: fiat_bign256_scalar_u1 = 0; + let (x330, x331) = fiat_bign256_scalar_addcarryx_u32(x329, x314, (0x0 as u32)); + let mut x332: u32 = 0; + let mut x333: u32 = 0; + let (x332, x333) = fiat_bign256_scalar_mulx_u32(x316, 0x858d849); + let mut x334: u32 = 0; + let mut x335: u32 = 0; + let (x334, x335) = fiat_bign256_scalar_mulx_u32(x332, 0xffffffff); + let mut x336: u32 = 0; + let mut x337: u32 = 0; + let (x336, x337) = fiat_bign256_scalar_mulx_u32(x332, 0xffffffff); + let mut x338: u32 = 0; + let mut x339: u32 = 0; + let (x338, x339) = fiat_bign256_scalar_mulx_u32(x332, 0xffffffff); + let mut x340: u32 = 0; + let mut x341: u32 = 0; + let (x340, x341) = fiat_bign256_scalar_mulx_u32(x332, 0xffffffff); + let mut x342: u32 = 0; + let mut x343: u32 = 0; + let (x342, x343) = fiat_bign256_scalar_mulx_u32(x332, 0xd95c8ed6); + let mut x344: u32 = 0; + let mut x345: u32 = 0; + let (x344, x345) = fiat_bign256_scalar_mulx_u32(x332, 0xdfb4dfc); + let mut x346: u32 = 0; + let mut x347: u32 = 0; + let (x346, x347) = fiat_bign256_scalar_mulx_u32(x332, 0x7e5abf99); + let mut x348: u32 = 0; + let mut x349: u32 = 0; + let (x348, x349) = fiat_bign256_scalar_mulx_u32(x332, 0x263d6607); + let mut x350: u32 = 0; + let mut x351: fiat_bign256_scalar_u1 = 0; + let (x350, x351) = fiat_bign256_scalar_addcarryx_u32(0x0, x349, x346); + let mut x352: u32 = 0; + let mut x353: fiat_bign256_scalar_u1 = 0; + let (x352, x353) = fiat_bign256_scalar_addcarryx_u32(x351, x347, x344); + let mut x354: u32 = 0; + let mut x355: fiat_bign256_scalar_u1 = 0; + let (x354, x355) = fiat_bign256_scalar_addcarryx_u32(x353, x345, x342); + let mut x356: u32 = 0; + let mut x357: fiat_bign256_scalar_u1 = 0; + let (x356, x357) = fiat_bign256_scalar_addcarryx_u32(x355, x343, x340); + let mut x358: u32 = 0; + let mut x359: fiat_bign256_scalar_u1 = 0; + let (x358, x359) = fiat_bign256_scalar_addcarryx_u32(x357, x341, x338); + let mut x360: u32 = 0; + let mut x361: fiat_bign256_scalar_u1 = 0; + let (x360, x361) = fiat_bign256_scalar_addcarryx_u32(x359, x339, x336); + let mut x362: u32 = 0; + let mut x363: fiat_bign256_scalar_u1 = 0; + let (x362, x363) = fiat_bign256_scalar_addcarryx_u32(x361, x337, x334); + let mut x364: u32 = 0; + let mut x365: fiat_bign256_scalar_u1 = 0; + let (x364, x365) = fiat_bign256_scalar_addcarryx_u32(0x0, x316, x348); + let mut x366: u32 = 0; + let mut x367: fiat_bign256_scalar_u1 = 0; + let (x366, x367) = fiat_bign256_scalar_addcarryx_u32(x365, x318, x350); + let mut x368: u32 = 0; + let mut x369: fiat_bign256_scalar_u1 = 0; + let (x368, x369) = fiat_bign256_scalar_addcarryx_u32(x367, x320, x352); + let mut x370: u32 = 0; + let mut x371: fiat_bign256_scalar_u1 = 0; + let (x370, x371) = fiat_bign256_scalar_addcarryx_u32(x369, x322, x354); + let mut x372: u32 = 0; + let mut x373: fiat_bign256_scalar_u1 = 0; + let (x372, x373) = fiat_bign256_scalar_addcarryx_u32(x371, x324, x356); + let mut x374: u32 = 0; + let mut x375: fiat_bign256_scalar_u1 = 0; + let (x374, x375) = fiat_bign256_scalar_addcarryx_u32(x373, x326, x358); + let mut x376: u32 = 0; + let mut x377: fiat_bign256_scalar_u1 = 0; + let (x376, x377) = fiat_bign256_scalar_addcarryx_u32(x375, x328, x360); + let mut x378: u32 = 0; + let mut x379: fiat_bign256_scalar_u1 = 0; + let (x378, x379) = fiat_bign256_scalar_addcarryx_u32(x377, x330, x362); + let mut x380: u32 = 0; + let mut x381: fiat_bign256_scalar_u1 = 0; + let (x380, x381) = fiat_bign256_scalar_addcarryx_u32( + x379, + ((x331 as u32) + (x315 as u32)), + ((x363 as u32) + x335), + ); + let mut x382: u32 = 0; + let mut x383: fiat_bign256_scalar_u1 = 0; + let (x382, x383) = fiat_bign256_scalar_addcarryx_u32(0x0, x366, (arg1[6])); + let mut x384: u32 = 0; + let mut x385: fiat_bign256_scalar_u1 = 0; + let (x384, x385) = fiat_bign256_scalar_addcarryx_u32(x383, x368, (0x0 as u32)); + let mut x386: u32 = 0; + let mut x387: fiat_bign256_scalar_u1 = 0; + let (x386, x387) = fiat_bign256_scalar_addcarryx_u32(x385, x370, (0x0 as u32)); + let mut x388: u32 = 0; + let mut x389: fiat_bign256_scalar_u1 = 0; + let (x388, x389) = fiat_bign256_scalar_addcarryx_u32(x387, x372, (0x0 as u32)); + let mut x390: u32 = 0; + let mut x391: fiat_bign256_scalar_u1 = 0; + let (x390, x391) = fiat_bign256_scalar_addcarryx_u32(x389, x374, (0x0 as u32)); + let mut x392: u32 = 0; + let mut x393: fiat_bign256_scalar_u1 = 0; + let (x392, x393) = fiat_bign256_scalar_addcarryx_u32(x391, x376, (0x0 as u32)); + let mut x394: u32 = 0; + let mut x395: fiat_bign256_scalar_u1 = 0; + let (x394, x395) = fiat_bign256_scalar_addcarryx_u32(x393, x378, (0x0 as u32)); + let mut x396: u32 = 0; + let mut x397: fiat_bign256_scalar_u1 = 0; + let (x396, x397) = fiat_bign256_scalar_addcarryx_u32(x395, x380, (0x0 as u32)); + let mut x398: u32 = 0; + let mut x399: u32 = 0; + let (x398, x399) = fiat_bign256_scalar_mulx_u32(x382, 0x858d849); + let mut x400: u32 = 0; + let mut x401: u32 = 0; + let (x400, x401) = fiat_bign256_scalar_mulx_u32(x398, 0xffffffff); + let mut x402: u32 = 0; + let mut x403: u32 = 0; + let (x402, x403) = fiat_bign256_scalar_mulx_u32(x398, 0xffffffff); + let mut x404: u32 = 0; + let mut x405: u32 = 0; + let (x404, x405) = fiat_bign256_scalar_mulx_u32(x398, 0xffffffff); + let mut x406: u32 = 0; + let mut x407: u32 = 0; + let (x406, x407) = fiat_bign256_scalar_mulx_u32(x398, 0xffffffff); + let mut x408: u32 = 0; + let mut x409: u32 = 0; + let (x408, x409) = fiat_bign256_scalar_mulx_u32(x398, 0xd95c8ed6); + let mut x410: u32 = 0; + let mut x411: u32 = 0; + let (x410, x411) = fiat_bign256_scalar_mulx_u32(x398, 0xdfb4dfc); + let mut x412: u32 = 0; + let mut x413: u32 = 0; + let (x412, x413) = fiat_bign256_scalar_mulx_u32(x398, 0x7e5abf99); + let mut x414: u32 = 0; + let mut x415: u32 = 0; + let (x414, x415) = fiat_bign256_scalar_mulx_u32(x398, 0x263d6607); + let mut x416: u32 = 0; + let mut x417: fiat_bign256_scalar_u1 = 0; + let (x416, x417) = fiat_bign256_scalar_addcarryx_u32(0x0, x415, x412); + let mut x418: u32 = 0; + let mut x419: fiat_bign256_scalar_u1 = 0; + let (x418, x419) = fiat_bign256_scalar_addcarryx_u32(x417, x413, x410); + let mut x420: u32 = 0; + let mut x421: fiat_bign256_scalar_u1 = 0; + let (x420, x421) = fiat_bign256_scalar_addcarryx_u32(x419, x411, x408); + let mut x422: u32 = 0; + let mut x423: fiat_bign256_scalar_u1 = 0; + let (x422, x423) = fiat_bign256_scalar_addcarryx_u32(x421, x409, x406); + let mut x424: u32 = 0; + let mut x425: fiat_bign256_scalar_u1 = 0; + let (x424, x425) = fiat_bign256_scalar_addcarryx_u32(x423, x407, x404); + let mut x426: u32 = 0; + let mut x427: fiat_bign256_scalar_u1 = 0; + let (x426, x427) = fiat_bign256_scalar_addcarryx_u32(x425, x405, x402); + let mut x428: u32 = 0; + let mut x429: fiat_bign256_scalar_u1 = 0; + let (x428, x429) = fiat_bign256_scalar_addcarryx_u32(x427, x403, x400); + let mut x430: u32 = 0; + let mut x431: fiat_bign256_scalar_u1 = 0; + let (x430, x431) = fiat_bign256_scalar_addcarryx_u32(0x0, x382, x414); + let mut x432: u32 = 0; + let mut x433: fiat_bign256_scalar_u1 = 0; + let (x432, x433) = fiat_bign256_scalar_addcarryx_u32(x431, x384, x416); + let mut x434: u32 = 0; + let mut x435: fiat_bign256_scalar_u1 = 0; + let (x434, x435) = fiat_bign256_scalar_addcarryx_u32(x433, x386, x418); + let mut x436: u32 = 0; + let mut x437: fiat_bign256_scalar_u1 = 0; + let (x436, x437) = fiat_bign256_scalar_addcarryx_u32(x435, x388, x420); + let mut x438: u32 = 0; + let mut x439: fiat_bign256_scalar_u1 = 0; + let (x438, x439) = fiat_bign256_scalar_addcarryx_u32(x437, x390, x422); + let mut x440: u32 = 0; + let mut x441: fiat_bign256_scalar_u1 = 0; + let (x440, x441) = fiat_bign256_scalar_addcarryx_u32(x439, x392, x424); + let mut x442: u32 = 0; + let mut x443: fiat_bign256_scalar_u1 = 0; + let (x442, x443) = fiat_bign256_scalar_addcarryx_u32(x441, x394, x426); + let mut x444: u32 = 0; + let mut x445: fiat_bign256_scalar_u1 = 0; + let (x444, x445) = fiat_bign256_scalar_addcarryx_u32(x443, x396, x428); + let mut x446: u32 = 0; + let mut x447: fiat_bign256_scalar_u1 = 0; + let (x446, x447) = fiat_bign256_scalar_addcarryx_u32( + x445, + ((x397 as u32) + (x381 as u32)), + ((x429 as u32) + x401), + ); + let mut x448: u32 = 0; + let mut x449: fiat_bign256_scalar_u1 = 0; + let (x448, x449) = fiat_bign256_scalar_addcarryx_u32(0x0, x432, (arg1[7])); + let mut x450: u32 = 0; + let mut x451: fiat_bign256_scalar_u1 = 0; + let (x450, x451) = fiat_bign256_scalar_addcarryx_u32(x449, x434, (0x0 as u32)); + let mut x452: u32 = 0; + let mut x453: fiat_bign256_scalar_u1 = 0; + let (x452, x453) = fiat_bign256_scalar_addcarryx_u32(x451, x436, (0x0 as u32)); + let mut x454: u32 = 0; + let mut x455: fiat_bign256_scalar_u1 = 0; + let (x454, x455) = fiat_bign256_scalar_addcarryx_u32(x453, x438, (0x0 as u32)); + let mut x456: u32 = 0; + let mut x457: fiat_bign256_scalar_u1 = 0; + let (x456, x457) = fiat_bign256_scalar_addcarryx_u32(x455, x440, (0x0 as u32)); + let mut x458: u32 = 0; + let mut x459: fiat_bign256_scalar_u1 = 0; + let (x458, x459) = fiat_bign256_scalar_addcarryx_u32(x457, x442, (0x0 as u32)); + let mut x460: u32 = 0; + let mut x461: fiat_bign256_scalar_u1 = 0; + let (x460, x461) = fiat_bign256_scalar_addcarryx_u32(x459, x444, (0x0 as u32)); + let mut x462: u32 = 0; + let mut x463: fiat_bign256_scalar_u1 = 0; + let (x462, x463) = fiat_bign256_scalar_addcarryx_u32(x461, x446, (0x0 as u32)); + let mut x464: u32 = 0; + let mut x465: u32 = 0; + let (x464, x465) = fiat_bign256_scalar_mulx_u32(x448, 0x858d849); + let mut x466: u32 = 0; + let mut x467: u32 = 0; + let (x466, x467) = fiat_bign256_scalar_mulx_u32(x464, 0xffffffff); + let mut x468: u32 = 0; + let mut x469: u32 = 0; + let (x468, x469) = fiat_bign256_scalar_mulx_u32(x464, 0xffffffff); + let mut x470: u32 = 0; + let mut x471: u32 = 0; + let (x470, x471) = fiat_bign256_scalar_mulx_u32(x464, 0xffffffff); + let mut x472: u32 = 0; + let mut x473: u32 = 0; + let (x472, x473) = fiat_bign256_scalar_mulx_u32(x464, 0xffffffff); + let mut x474: u32 = 0; + let mut x475: u32 = 0; + let (x474, x475) = fiat_bign256_scalar_mulx_u32(x464, 0xd95c8ed6); + let mut x476: u32 = 0; + let mut x477: u32 = 0; + let (x476, x477) = fiat_bign256_scalar_mulx_u32(x464, 0xdfb4dfc); + let mut x478: u32 = 0; + let mut x479: u32 = 0; + let (x478, x479) = fiat_bign256_scalar_mulx_u32(x464, 0x7e5abf99); + let mut x480: u32 = 0; + let mut x481: u32 = 0; + let (x480, x481) = fiat_bign256_scalar_mulx_u32(x464, 0x263d6607); + let mut x482: u32 = 0; + let mut x483: fiat_bign256_scalar_u1 = 0; + let (x482, x483) = fiat_bign256_scalar_addcarryx_u32(0x0, x481, x478); + let mut x484: u32 = 0; + let mut x485: fiat_bign256_scalar_u1 = 0; + let (x484, x485) = fiat_bign256_scalar_addcarryx_u32(x483, x479, x476); + let mut x486: u32 = 0; + let mut x487: fiat_bign256_scalar_u1 = 0; + let (x486, x487) = fiat_bign256_scalar_addcarryx_u32(x485, x477, x474); + let mut x488: u32 = 0; + let mut x489: fiat_bign256_scalar_u1 = 0; + let (x488, x489) = fiat_bign256_scalar_addcarryx_u32(x487, x475, x472); + let mut x490: u32 = 0; + let mut x491: fiat_bign256_scalar_u1 = 0; + let (x490, x491) = fiat_bign256_scalar_addcarryx_u32(x489, x473, x470); + let mut x492: u32 = 0; + let mut x493: fiat_bign256_scalar_u1 = 0; + let (x492, x493) = fiat_bign256_scalar_addcarryx_u32(x491, x471, x468); + let mut x494: u32 = 0; + let mut x495: fiat_bign256_scalar_u1 = 0; + let (x494, x495) = fiat_bign256_scalar_addcarryx_u32(x493, x469, x466); + let mut x496: u32 = 0; + let mut x497: fiat_bign256_scalar_u1 = 0; + let (x496, x497) = fiat_bign256_scalar_addcarryx_u32(0x0, x448, x480); + let mut x498: u32 = 0; + let mut x499: fiat_bign256_scalar_u1 = 0; + let (x498, x499) = fiat_bign256_scalar_addcarryx_u32(x497, x450, x482); + let mut x500: u32 = 0; + let mut x501: fiat_bign256_scalar_u1 = 0; + let (x500, x501) = fiat_bign256_scalar_addcarryx_u32(x499, x452, x484); + let mut x502: u32 = 0; + let mut x503: fiat_bign256_scalar_u1 = 0; + let (x502, x503) = fiat_bign256_scalar_addcarryx_u32(x501, x454, x486); + let mut x504: u32 = 0; + let mut x505: fiat_bign256_scalar_u1 = 0; + let (x504, x505) = fiat_bign256_scalar_addcarryx_u32(x503, x456, x488); + let mut x506: u32 = 0; + let mut x507: fiat_bign256_scalar_u1 = 0; + let (x506, x507) = fiat_bign256_scalar_addcarryx_u32(x505, x458, x490); + let mut x508: u32 = 0; + let mut x509: fiat_bign256_scalar_u1 = 0; + let (x508, x509) = fiat_bign256_scalar_addcarryx_u32(x507, x460, x492); + let mut x510: u32 = 0; + let mut x511: fiat_bign256_scalar_u1 = 0; + let (x510, x511) = fiat_bign256_scalar_addcarryx_u32(x509, x462, x494); + let mut x512: u32 = 0; + let mut x513: fiat_bign256_scalar_u1 = 0; + let (x512, x513) = fiat_bign256_scalar_addcarryx_u32( + x511, + ((x463 as u32) + (x447 as u32)), + ((x495 as u32) + x467), + ); + let mut x514: u32 = 0; + let mut x515: fiat_bign256_scalar_u1 = 0; + let (x514, x515) = fiat_bign256_scalar_subborrowx_u32(0x0, x498, 0x263d6607); + let mut x516: u32 = 0; + let mut x517: fiat_bign256_scalar_u1 = 0; + let (x516, x517) = fiat_bign256_scalar_subborrowx_u32(x515, x500, 0x7e5abf99); + let mut x518: u32 = 0; + let mut x519: fiat_bign256_scalar_u1 = 0; + let (x518, x519) = fiat_bign256_scalar_subborrowx_u32(x517, x502, 0xdfb4dfc); + let mut x520: u32 = 0; + let mut x521: fiat_bign256_scalar_u1 = 0; + let (x520, x521) = fiat_bign256_scalar_subborrowx_u32(x519, x504, 0xd95c8ed6); + let mut x522: u32 = 0; + let mut x523: fiat_bign256_scalar_u1 = 0; + let (x522, x523) = fiat_bign256_scalar_subborrowx_u32(x521, x506, 0xffffffff); + let mut x524: u32 = 0; + let mut x525: fiat_bign256_scalar_u1 = 0; + let (x524, x525) = fiat_bign256_scalar_subborrowx_u32(x523, x508, 0xffffffff); + let mut x526: u32 = 0; + let mut x527: fiat_bign256_scalar_u1 = 0; + let (x526, x527) = fiat_bign256_scalar_subborrowx_u32(x525, x510, 0xffffffff); + let mut x528: u32 = 0; + let mut x529: fiat_bign256_scalar_u1 = 0; + let (x528, x529) = fiat_bign256_scalar_subborrowx_u32(x527, x512, 0xffffffff); + let mut x530: u32 = 0; + let mut x531: fiat_bign256_scalar_u1 = 0; + let (x530, x531) = fiat_bign256_scalar_subborrowx_u32(x529, (x513 as u32), (0x0 as u32)); + let mut x532: u32 = 0; + let (x532) = fiat_bign256_scalar_cmovznz_u32(x531, x514, x498); + let mut x533: u32 = 0; + let (x533) = fiat_bign256_scalar_cmovznz_u32(x531, x516, x500); + let mut x534: u32 = 0; + let (x534) = fiat_bign256_scalar_cmovznz_u32(x531, x518, x502); + let mut x535: u32 = 0; + let (x535) = fiat_bign256_scalar_cmovznz_u32(x531, x520, x504); + let mut x536: u32 = 0; + let (x536) = fiat_bign256_scalar_cmovznz_u32(x531, x522, x506); + let mut x537: u32 = 0; + let (x537) = fiat_bign256_scalar_cmovznz_u32(x531, x524, x508); + let mut x538: u32 = 0; + let (x538) = fiat_bign256_scalar_cmovznz_u32(x531, x526, x510); + let mut x539: u32 = 0; + let (x539) = fiat_bign256_scalar_cmovznz_u32(x531, x528, x512); + out1[0] = x532; + out1[1] = x533; + out1[2] = x534; + out1[3] = x535; + out1[4] = x536; + out1[5] = x537; + out1[6] = x538; + out1[7] = x539; + out1 +} +#[doc = " The function fiat_bign256_scalar_to_montgomery translates a field element into the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = eval arg1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_to_montgomery( + arg1: &fiat_bign256_scalar_non_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 8]; + let x1: u32 = (arg1[1]); + let x2: u32 = (arg1[2]); + let x3: u32 = (arg1[3]); + let x4: u32 = (arg1[4]); + let x5: u32 = (arg1[5]); + let x6: u32 = (arg1[6]); + let x7: u32 = (arg1[7]); + let x8: u32 = (arg1[0]); + let mut x9: u32 = 0; + let mut x10: u32 = 0; + let (x9, x10) = fiat_bign256_scalar_mulx_u32(x8, 0x5d4edf1); + let mut x11: u32 = 0; + let mut x12: u32 = 0; + let (x11, x12) = fiat_bign256_scalar_mulx_u32(x8, 0xc149a55b); + let mut x13: u32 = 0; + let mut x14: u32 = 0; + let (x13, x14) = fiat_bign256_scalar_mulx_u32(x8, 0x4a6925c6); + let mut x15: u32 = 0; + let mut x16: u32 = 0; + let (x15, x16) = fiat_bign256_scalar_mulx_u32(x8, 0xa269dbf8); + let mut x17: u32 = 0; + let mut x18: u32 = 0; + let (x17, x18) = fiat_bign256_scalar_mulx_u32(x8, 0x1b5a5bc1); + let mut x19: u32 = 0; + let mut x20: u32 = 0; + let (x19, x20) = fiat_bign256_scalar_mulx_u32(x8, 0x8b44a10); + let mut x21: u32 = 0; + let mut x22: u32 = 0; + let (x21, x22) = fiat_bign256_scalar_mulx_u32(x8, 0xfa44af61); + let mut x23: u32 = 0; + let mut x24: u32 = 0; + let (x23, x24) = fiat_bign256_scalar_mulx_u32(x8, 0xdbff9431); + let mut x25: u32 = 0; + let mut x26: fiat_bign256_scalar_u1 = 0; + let (x25, x26) = fiat_bign256_scalar_addcarryx_u32(0x0, x24, x21); + let mut x27: u32 = 0; + let mut x28: fiat_bign256_scalar_u1 = 0; + let (x27, x28) = fiat_bign256_scalar_addcarryx_u32(x26, x22, x19); + let mut x29: u32 = 0; + let mut x30: fiat_bign256_scalar_u1 = 0; + let (x29, x30) = fiat_bign256_scalar_addcarryx_u32(x28, x20, x17); + let mut x31: u32 = 0; + let mut x32: fiat_bign256_scalar_u1 = 0; + let (x31, x32) = fiat_bign256_scalar_addcarryx_u32(x30, x18, x15); + let mut x33: u32 = 0; + let mut x34: fiat_bign256_scalar_u1 = 0; + let (x33, x34) = fiat_bign256_scalar_addcarryx_u32(x32, x16, x13); + let mut x35: u32 = 0; + let mut x36: fiat_bign256_scalar_u1 = 0; + let (x35, x36) = fiat_bign256_scalar_addcarryx_u32(x34, x14, x11); + let mut x37: u32 = 0; + let mut x38: fiat_bign256_scalar_u1 = 0; + let (x37, x38) = fiat_bign256_scalar_addcarryx_u32(x36, x12, x9); + let mut x39: u32 = 0; + let mut x40: u32 = 0; + let (x39, x40) = fiat_bign256_scalar_mulx_u32(x23, 0x858d849); + let mut x41: u32 = 0; + let mut x42: u32 = 0; + let (x41, x42) = fiat_bign256_scalar_mulx_u32(x39, 0xffffffff); + let mut x43: u32 = 0; + let mut x44: u32 = 0; + let (x43, x44) = fiat_bign256_scalar_mulx_u32(x39, 0xffffffff); + let mut x45: u32 = 0; + let mut x46: u32 = 0; + let (x45, x46) = fiat_bign256_scalar_mulx_u32(x39, 0xffffffff); + let mut x47: u32 = 0; + let mut x48: u32 = 0; + let (x47, x48) = fiat_bign256_scalar_mulx_u32(x39, 0xffffffff); + let mut x49: u32 = 0; + let mut x50: u32 = 0; + let (x49, x50) = fiat_bign256_scalar_mulx_u32(x39, 0xd95c8ed6); + let mut x51: u32 = 0; + let mut x52: u32 = 0; + let (x51, x52) = fiat_bign256_scalar_mulx_u32(x39, 0xdfb4dfc); + let mut x53: u32 = 0; + let mut x54: u32 = 0; + let (x53, x54) = fiat_bign256_scalar_mulx_u32(x39, 0x7e5abf99); + let mut x55: u32 = 0; + let mut x56: u32 = 0; + let (x55, x56) = fiat_bign256_scalar_mulx_u32(x39, 0x263d6607); + let mut x57: u32 = 0; + let mut x58: fiat_bign256_scalar_u1 = 0; + let (x57, x58) = fiat_bign256_scalar_addcarryx_u32(0x0, x56, x53); + let mut x59: u32 = 0; + let mut x60: fiat_bign256_scalar_u1 = 0; + let (x59, x60) = fiat_bign256_scalar_addcarryx_u32(x58, x54, x51); + let mut x61: u32 = 0; + let mut x62: fiat_bign256_scalar_u1 = 0; + let (x61, x62) = fiat_bign256_scalar_addcarryx_u32(x60, x52, x49); + let mut x63: u32 = 0; + let mut x64: fiat_bign256_scalar_u1 = 0; + let (x63, x64) = fiat_bign256_scalar_addcarryx_u32(x62, x50, x47); + let mut x65: u32 = 0; + let mut x66: fiat_bign256_scalar_u1 = 0; + let (x65, x66) = fiat_bign256_scalar_addcarryx_u32(x64, x48, x45); + let mut x67: u32 = 0; + let mut x68: fiat_bign256_scalar_u1 = 0; + let (x67, x68) = fiat_bign256_scalar_addcarryx_u32(x66, x46, x43); + let mut x69: u32 = 0; + let mut x70: fiat_bign256_scalar_u1 = 0; + let (x69, x70) = fiat_bign256_scalar_addcarryx_u32(x68, x44, x41); + let mut x71: u32 = 0; + let mut x72: fiat_bign256_scalar_u1 = 0; + let (x71, x72) = fiat_bign256_scalar_addcarryx_u32(0x0, x23, x55); + let mut x73: u32 = 0; + let mut x74: fiat_bign256_scalar_u1 = 0; + let (x73, x74) = fiat_bign256_scalar_addcarryx_u32(x72, x25, x57); + let mut x75: u32 = 0; + let mut x76: fiat_bign256_scalar_u1 = 0; + let (x75, x76) = fiat_bign256_scalar_addcarryx_u32(x74, x27, x59); + let mut x77: u32 = 0; + let mut x78: fiat_bign256_scalar_u1 = 0; + let (x77, x78) = fiat_bign256_scalar_addcarryx_u32(x76, x29, x61); + let mut x79: u32 = 0; + let mut x80: fiat_bign256_scalar_u1 = 0; + let (x79, x80) = fiat_bign256_scalar_addcarryx_u32(x78, x31, x63); + let mut x81: u32 = 0; + let mut x82: fiat_bign256_scalar_u1 = 0; + let (x81, x82) = fiat_bign256_scalar_addcarryx_u32(x80, x33, x65); + let mut x83: u32 = 0; + let mut x84: fiat_bign256_scalar_u1 = 0; + let (x83, x84) = fiat_bign256_scalar_addcarryx_u32(x82, x35, x67); + let mut x85: u32 = 0; + let mut x86: fiat_bign256_scalar_u1 = 0; + let (x85, x86) = fiat_bign256_scalar_addcarryx_u32(x84, x37, x69); + let mut x87: u32 = 0; + let mut x88: fiat_bign256_scalar_u1 = 0; + let (x87, x88) = + fiat_bign256_scalar_addcarryx_u32(x86, ((x38 as u32) + x10), ((x70 as u32) + x42)); + let mut x89: u32 = 0; + let mut x90: u32 = 0; + let (x89, x90) = fiat_bign256_scalar_mulx_u32(x1, 0x5d4edf1); + let mut x91: u32 = 0; + let mut x92: u32 = 0; + let (x91, x92) = fiat_bign256_scalar_mulx_u32(x1, 0xc149a55b); + let mut x93: u32 = 0; + let mut x94: u32 = 0; + let (x93, x94) = fiat_bign256_scalar_mulx_u32(x1, 0x4a6925c6); + let mut x95: u32 = 0; + let mut x96: u32 = 0; + let (x95, x96) = fiat_bign256_scalar_mulx_u32(x1, 0xa269dbf8); + let mut x97: u32 = 0; + let mut x98: u32 = 0; + let (x97, x98) = fiat_bign256_scalar_mulx_u32(x1, 0x1b5a5bc1); + let mut x99: u32 = 0; + let mut x100: u32 = 0; + let (x99, x100) = fiat_bign256_scalar_mulx_u32(x1, 0x8b44a10); + let mut x101: u32 = 0; + let mut x102: u32 = 0; + let (x101, x102) = fiat_bign256_scalar_mulx_u32(x1, 0xfa44af61); + let mut x103: u32 = 0; + let mut x104: u32 = 0; + let (x103, x104) = fiat_bign256_scalar_mulx_u32(x1, 0xdbff9431); + let mut x105: u32 = 0; + let mut x106: fiat_bign256_scalar_u1 = 0; + let (x105, x106) = fiat_bign256_scalar_addcarryx_u32(0x0, x104, x101); + let mut x107: u32 = 0; + let mut x108: fiat_bign256_scalar_u1 = 0; + let (x107, x108) = fiat_bign256_scalar_addcarryx_u32(x106, x102, x99); + let mut x109: u32 = 0; + let mut x110: fiat_bign256_scalar_u1 = 0; + let (x109, x110) = fiat_bign256_scalar_addcarryx_u32(x108, x100, x97); + let mut x111: u32 = 0; + let mut x112: fiat_bign256_scalar_u1 = 0; + let (x111, x112) = fiat_bign256_scalar_addcarryx_u32(x110, x98, x95); + let mut x113: u32 = 0; + let mut x114: fiat_bign256_scalar_u1 = 0; + let (x113, x114) = fiat_bign256_scalar_addcarryx_u32(x112, x96, x93); + let mut x115: u32 = 0; + let mut x116: fiat_bign256_scalar_u1 = 0; + let (x115, x116) = fiat_bign256_scalar_addcarryx_u32(x114, x94, x91); + let mut x117: u32 = 0; + let mut x118: fiat_bign256_scalar_u1 = 0; + let (x117, x118) = fiat_bign256_scalar_addcarryx_u32(x116, x92, x89); + let mut x119: u32 = 0; + let mut x120: fiat_bign256_scalar_u1 = 0; + let (x119, x120) = fiat_bign256_scalar_addcarryx_u32(0x0, x73, x103); + let mut x121: u32 = 0; + let mut x122: fiat_bign256_scalar_u1 = 0; + let (x121, x122) = fiat_bign256_scalar_addcarryx_u32(x120, x75, x105); + let mut x123: u32 = 0; + let mut x124: fiat_bign256_scalar_u1 = 0; + let (x123, x124) = fiat_bign256_scalar_addcarryx_u32(x122, x77, x107); + let mut x125: u32 = 0; + let mut x126: fiat_bign256_scalar_u1 = 0; + let (x125, x126) = fiat_bign256_scalar_addcarryx_u32(x124, x79, x109); + let mut x127: u32 = 0; + let mut x128: fiat_bign256_scalar_u1 = 0; + let (x127, x128) = fiat_bign256_scalar_addcarryx_u32(x126, x81, x111); + let mut x129: u32 = 0; + let mut x130: fiat_bign256_scalar_u1 = 0; + let (x129, x130) = fiat_bign256_scalar_addcarryx_u32(x128, x83, x113); + let mut x131: u32 = 0; + let mut x132: fiat_bign256_scalar_u1 = 0; + let (x131, x132) = fiat_bign256_scalar_addcarryx_u32(x130, x85, x115); + let mut x133: u32 = 0; + let mut x134: fiat_bign256_scalar_u1 = 0; + let (x133, x134) = fiat_bign256_scalar_addcarryx_u32(x132, x87, x117); + let mut x135: u32 = 0; + let mut x136: u32 = 0; + let (x135, x136) = fiat_bign256_scalar_mulx_u32(x119, 0x858d849); + let mut x137: u32 = 0; + let mut x138: u32 = 0; + let (x137, x138) = fiat_bign256_scalar_mulx_u32(x135, 0xffffffff); + let mut x139: u32 = 0; + let mut x140: u32 = 0; + let (x139, x140) = fiat_bign256_scalar_mulx_u32(x135, 0xffffffff); + let mut x141: u32 = 0; + let mut x142: u32 = 0; + let (x141, x142) = fiat_bign256_scalar_mulx_u32(x135, 0xffffffff); + let mut x143: u32 = 0; + let mut x144: u32 = 0; + let (x143, x144) = fiat_bign256_scalar_mulx_u32(x135, 0xffffffff); + let mut x145: u32 = 0; + let mut x146: u32 = 0; + let (x145, x146) = fiat_bign256_scalar_mulx_u32(x135, 0xd95c8ed6); + let mut x147: u32 = 0; + let mut x148: u32 = 0; + let (x147, x148) = fiat_bign256_scalar_mulx_u32(x135, 0xdfb4dfc); + let mut x149: u32 = 0; + let mut x150: u32 = 0; + let (x149, x150) = fiat_bign256_scalar_mulx_u32(x135, 0x7e5abf99); + let mut x151: u32 = 0; + let mut x152: u32 = 0; + let (x151, x152) = fiat_bign256_scalar_mulx_u32(x135, 0x263d6607); + let mut x153: u32 = 0; + let mut x154: fiat_bign256_scalar_u1 = 0; + let (x153, x154) = fiat_bign256_scalar_addcarryx_u32(0x0, x152, x149); + let mut x155: u32 = 0; + let mut x156: fiat_bign256_scalar_u1 = 0; + let (x155, x156) = fiat_bign256_scalar_addcarryx_u32(x154, x150, x147); + let mut x157: u32 = 0; + let mut x158: fiat_bign256_scalar_u1 = 0; + let (x157, x158) = fiat_bign256_scalar_addcarryx_u32(x156, x148, x145); + let mut x159: u32 = 0; + let mut x160: fiat_bign256_scalar_u1 = 0; + let (x159, x160) = fiat_bign256_scalar_addcarryx_u32(x158, x146, x143); + let mut x161: u32 = 0; + let mut x162: fiat_bign256_scalar_u1 = 0; + let (x161, x162) = fiat_bign256_scalar_addcarryx_u32(x160, x144, x141); + let mut x163: u32 = 0; + let mut x164: fiat_bign256_scalar_u1 = 0; + let (x163, x164) = fiat_bign256_scalar_addcarryx_u32(x162, x142, x139); + let mut x165: u32 = 0; + let mut x166: fiat_bign256_scalar_u1 = 0; + let (x165, x166) = fiat_bign256_scalar_addcarryx_u32(x164, x140, x137); + let mut x167: u32 = 0; + let mut x168: fiat_bign256_scalar_u1 = 0; + let (x167, x168) = fiat_bign256_scalar_addcarryx_u32(0x0, x119, x151); + let mut x169: u32 = 0; + let mut x170: fiat_bign256_scalar_u1 = 0; + let (x169, x170) = fiat_bign256_scalar_addcarryx_u32(x168, x121, x153); + let mut x171: u32 = 0; + let mut x172: fiat_bign256_scalar_u1 = 0; + let (x171, x172) = fiat_bign256_scalar_addcarryx_u32(x170, x123, x155); + let mut x173: u32 = 0; + let mut x174: fiat_bign256_scalar_u1 = 0; + let (x173, x174) = fiat_bign256_scalar_addcarryx_u32(x172, x125, x157); + let mut x175: u32 = 0; + let mut x176: fiat_bign256_scalar_u1 = 0; + let (x175, x176) = fiat_bign256_scalar_addcarryx_u32(x174, x127, x159); + let mut x177: u32 = 0; + let mut x178: fiat_bign256_scalar_u1 = 0; + let (x177, x178) = fiat_bign256_scalar_addcarryx_u32(x176, x129, x161); + let mut x179: u32 = 0; + let mut x180: fiat_bign256_scalar_u1 = 0; + let (x179, x180) = fiat_bign256_scalar_addcarryx_u32(x178, x131, x163); + let mut x181: u32 = 0; + let mut x182: fiat_bign256_scalar_u1 = 0; + let (x181, x182) = fiat_bign256_scalar_addcarryx_u32(x180, x133, x165); + let mut x183: u32 = 0; + let mut x184: fiat_bign256_scalar_u1 = 0; + let (x183, x184) = fiat_bign256_scalar_addcarryx_u32( + x182, + (((x134 as u32) + (x88 as u32)) + ((x118 as u32) + x90)), + ((x166 as u32) + x138), + ); + let mut x185: u32 = 0; + let mut x186: u32 = 0; + let (x185, x186) = fiat_bign256_scalar_mulx_u32(x2, 0x5d4edf1); + let mut x187: u32 = 0; + let mut x188: u32 = 0; + let (x187, x188) = fiat_bign256_scalar_mulx_u32(x2, 0xc149a55b); + let mut x189: u32 = 0; + let mut x190: u32 = 0; + let (x189, x190) = fiat_bign256_scalar_mulx_u32(x2, 0x4a6925c6); + let mut x191: u32 = 0; + let mut x192: u32 = 0; + let (x191, x192) = fiat_bign256_scalar_mulx_u32(x2, 0xa269dbf8); + let mut x193: u32 = 0; + let mut x194: u32 = 0; + let (x193, x194) = fiat_bign256_scalar_mulx_u32(x2, 0x1b5a5bc1); + let mut x195: u32 = 0; + let mut x196: u32 = 0; + let (x195, x196) = fiat_bign256_scalar_mulx_u32(x2, 0x8b44a10); + let mut x197: u32 = 0; + let mut x198: u32 = 0; + let (x197, x198) = fiat_bign256_scalar_mulx_u32(x2, 0xfa44af61); + let mut x199: u32 = 0; + let mut x200: u32 = 0; + let (x199, x200) = fiat_bign256_scalar_mulx_u32(x2, 0xdbff9431); + let mut x201: u32 = 0; + let mut x202: fiat_bign256_scalar_u1 = 0; + let (x201, x202) = fiat_bign256_scalar_addcarryx_u32(0x0, x200, x197); + let mut x203: u32 = 0; + let mut x204: fiat_bign256_scalar_u1 = 0; + let (x203, x204) = fiat_bign256_scalar_addcarryx_u32(x202, x198, x195); + let mut x205: u32 = 0; + let mut x206: fiat_bign256_scalar_u1 = 0; + let (x205, x206) = fiat_bign256_scalar_addcarryx_u32(x204, x196, x193); + let mut x207: u32 = 0; + let mut x208: fiat_bign256_scalar_u1 = 0; + let (x207, x208) = fiat_bign256_scalar_addcarryx_u32(x206, x194, x191); + let mut x209: u32 = 0; + let mut x210: fiat_bign256_scalar_u1 = 0; + let (x209, x210) = fiat_bign256_scalar_addcarryx_u32(x208, x192, x189); + let mut x211: u32 = 0; + let mut x212: fiat_bign256_scalar_u1 = 0; + let (x211, x212) = fiat_bign256_scalar_addcarryx_u32(x210, x190, x187); + let mut x213: u32 = 0; + let mut x214: fiat_bign256_scalar_u1 = 0; + let (x213, x214) = fiat_bign256_scalar_addcarryx_u32(x212, x188, x185); + let mut x215: u32 = 0; + let mut x216: fiat_bign256_scalar_u1 = 0; + let (x215, x216) = fiat_bign256_scalar_addcarryx_u32(0x0, x169, x199); + let mut x217: u32 = 0; + let mut x218: fiat_bign256_scalar_u1 = 0; + let (x217, x218) = fiat_bign256_scalar_addcarryx_u32(x216, x171, x201); + let mut x219: u32 = 0; + let mut x220: fiat_bign256_scalar_u1 = 0; + let (x219, x220) = fiat_bign256_scalar_addcarryx_u32(x218, x173, x203); + let mut x221: u32 = 0; + let mut x222: fiat_bign256_scalar_u1 = 0; + let (x221, x222) = fiat_bign256_scalar_addcarryx_u32(x220, x175, x205); + let mut x223: u32 = 0; + let mut x224: fiat_bign256_scalar_u1 = 0; + let (x223, x224) = fiat_bign256_scalar_addcarryx_u32(x222, x177, x207); + let mut x225: u32 = 0; + let mut x226: fiat_bign256_scalar_u1 = 0; + let (x225, x226) = fiat_bign256_scalar_addcarryx_u32(x224, x179, x209); + let mut x227: u32 = 0; + let mut x228: fiat_bign256_scalar_u1 = 0; + let (x227, x228) = fiat_bign256_scalar_addcarryx_u32(x226, x181, x211); + let mut x229: u32 = 0; + let mut x230: fiat_bign256_scalar_u1 = 0; + let (x229, x230) = fiat_bign256_scalar_addcarryx_u32(x228, x183, x213); + let mut x231: u32 = 0; + let mut x232: u32 = 0; + let (x231, x232) = fiat_bign256_scalar_mulx_u32(x215, 0x858d849); + let mut x233: u32 = 0; + let mut x234: u32 = 0; + let (x233, x234) = fiat_bign256_scalar_mulx_u32(x231, 0xffffffff); + let mut x235: u32 = 0; + let mut x236: u32 = 0; + let (x235, x236) = fiat_bign256_scalar_mulx_u32(x231, 0xffffffff); + let mut x237: u32 = 0; + let mut x238: u32 = 0; + let (x237, x238) = fiat_bign256_scalar_mulx_u32(x231, 0xffffffff); + let mut x239: u32 = 0; + let mut x240: u32 = 0; + let (x239, x240) = fiat_bign256_scalar_mulx_u32(x231, 0xffffffff); + let mut x241: u32 = 0; + let mut x242: u32 = 0; + let (x241, x242) = fiat_bign256_scalar_mulx_u32(x231, 0xd95c8ed6); + let mut x243: u32 = 0; + let mut x244: u32 = 0; + let (x243, x244) = fiat_bign256_scalar_mulx_u32(x231, 0xdfb4dfc); + let mut x245: u32 = 0; + let mut x246: u32 = 0; + let (x245, x246) = fiat_bign256_scalar_mulx_u32(x231, 0x7e5abf99); + let mut x247: u32 = 0; + let mut x248: u32 = 0; + let (x247, x248) = fiat_bign256_scalar_mulx_u32(x231, 0x263d6607); + let mut x249: u32 = 0; + let mut x250: fiat_bign256_scalar_u1 = 0; + let (x249, x250) = fiat_bign256_scalar_addcarryx_u32(0x0, x248, x245); + let mut x251: u32 = 0; + let mut x252: fiat_bign256_scalar_u1 = 0; + let (x251, x252) = fiat_bign256_scalar_addcarryx_u32(x250, x246, x243); + let mut x253: u32 = 0; + let mut x254: fiat_bign256_scalar_u1 = 0; + let (x253, x254) = fiat_bign256_scalar_addcarryx_u32(x252, x244, x241); + let mut x255: u32 = 0; + let mut x256: fiat_bign256_scalar_u1 = 0; + let (x255, x256) = fiat_bign256_scalar_addcarryx_u32(x254, x242, x239); + let mut x257: u32 = 0; + let mut x258: fiat_bign256_scalar_u1 = 0; + let (x257, x258) = fiat_bign256_scalar_addcarryx_u32(x256, x240, x237); + let mut x259: u32 = 0; + let mut x260: fiat_bign256_scalar_u1 = 0; + let (x259, x260) = fiat_bign256_scalar_addcarryx_u32(x258, x238, x235); + let mut x261: u32 = 0; + let mut x262: fiat_bign256_scalar_u1 = 0; + let (x261, x262) = fiat_bign256_scalar_addcarryx_u32(x260, x236, x233); + let mut x263: u32 = 0; + let mut x264: fiat_bign256_scalar_u1 = 0; + let (x263, x264) = fiat_bign256_scalar_addcarryx_u32(0x0, x215, x247); + let mut x265: u32 = 0; + let mut x266: fiat_bign256_scalar_u1 = 0; + let (x265, x266) = fiat_bign256_scalar_addcarryx_u32(x264, x217, x249); + let mut x267: u32 = 0; + let mut x268: fiat_bign256_scalar_u1 = 0; + let (x267, x268) = fiat_bign256_scalar_addcarryx_u32(x266, x219, x251); + let mut x269: u32 = 0; + let mut x270: fiat_bign256_scalar_u1 = 0; + let (x269, x270) = fiat_bign256_scalar_addcarryx_u32(x268, x221, x253); + let mut x271: u32 = 0; + let mut x272: fiat_bign256_scalar_u1 = 0; + let (x271, x272) = fiat_bign256_scalar_addcarryx_u32(x270, x223, x255); + let mut x273: u32 = 0; + let mut x274: fiat_bign256_scalar_u1 = 0; + let (x273, x274) = fiat_bign256_scalar_addcarryx_u32(x272, x225, x257); + let mut x275: u32 = 0; + let mut x276: fiat_bign256_scalar_u1 = 0; + let (x275, x276) = fiat_bign256_scalar_addcarryx_u32(x274, x227, x259); + let mut x277: u32 = 0; + let mut x278: fiat_bign256_scalar_u1 = 0; + let (x277, x278) = fiat_bign256_scalar_addcarryx_u32(x276, x229, x261); + let mut x279: u32 = 0; + let mut x280: fiat_bign256_scalar_u1 = 0; + let (x279, x280) = fiat_bign256_scalar_addcarryx_u32( + x278, + (((x230 as u32) + (x184 as u32)) + ((x214 as u32) + x186)), + ((x262 as u32) + x234), + ); + let mut x281: u32 = 0; + let mut x282: u32 = 0; + let (x281, x282) = fiat_bign256_scalar_mulx_u32(x3, 0x5d4edf1); + let mut x283: u32 = 0; + let mut x284: u32 = 0; + let (x283, x284) = fiat_bign256_scalar_mulx_u32(x3, 0xc149a55b); + let mut x285: u32 = 0; + let mut x286: u32 = 0; + let (x285, x286) = fiat_bign256_scalar_mulx_u32(x3, 0x4a6925c6); + let mut x287: u32 = 0; + let mut x288: u32 = 0; + let (x287, x288) = fiat_bign256_scalar_mulx_u32(x3, 0xa269dbf8); + let mut x289: u32 = 0; + let mut x290: u32 = 0; + let (x289, x290) = fiat_bign256_scalar_mulx_u32(x3, 0x1b5a5bc1); + let mut x291: u32 = 0; + let mut x292: u32 = 0; + let (x291, x292) = fiat_bign256_scalar_mulx_u32(x3, 0x8b44a10); + let mut x293: u32 = 0; + let mut x294: u32 = 0; + let (x293, x294) = fiat_bign256_scalar_mulx_u32(x3, 0xfa44af61); + let mut x295: u32 = 0; + let mut x296: u32 = 0; + let (x295, x296) = fiat_bign256_scalar_mulx_u32(x3, 0xdbff9431); + let mut x297: u32 = 0; + let mut x298: fiat_bign256_scalar_u1 = 0; + let (x297, x298) = fiat_bign256_scalar_addcarryx_u32(0x0, x296, x293); + let mut x299: u32 = 0; + let mut x300: fiat_bign256_scalar_u1 = 0; + let (x299, x300) = fiat_bign256_scalar_addcarryx_u32(x298, x294, x291); + let mut x301: u32 = 0; + let mut x302: fiat_bign256_scalar_u1 = 0; + let (x301, x302) = fiat_bign256_scalar_addcarryx_u32(x300, x292, x289); + let mut x303: u32 = 0; + let mut x304: fiat_bign256_scalar_u1 = 0; + let (x303, x304) = fiat_bign256_scalar_addcarryx_u32(x302, x290, x287); + let mut x305: u32 = 0; + let mut x306: fiat_bign256_scalar_u1 = 0; + let (x305, x306) = fiat_bign256_scalar_addcarryx_u32(x304, x288, x285); + let mut x307: u32 = 0; + let mut x308: fiat_bign256_scalar_u1 = 0; + let (x307, x308) = fiat_bign256_scalar_addcarryx_u32(x306, x286, x283); + let mut x309: u32 = 0; + let mut x310: fiat_bign256_scalar_u1 = 0; + let (x309, x310) = fiat_bign256_scalar_addcarryx_u32(x308, x284, x281); + let mut x311: u32 = 0; + let mut x312: fiat_bign256_scalar_u1 = 0; + let (x311, x312) = fiat_bign256_scalar_addcarryx_u32(0x0, x265, x295); + let mut x313: u32 = 0; + let mut x314: fiat_bign256_scalar_u1 = 0; + let (x313, x314) = fiat_bign256_scalar_addcarryx_u32(x312, x267, x297); + let mut x315: u32 = 0; + let mut x316: fiat_bign256_scalar_u1 = 0; + let (x315, x316) = fiat_bign256_scalar_addcarryx_u32(x314, x269, x299); + let mut x317: u32 = 0; + let mut x318: fiat_bign256_scalar_u1 = 0; + let (x317, x318) = fiat_bign256_scalar_addcarryx_u32(x316, x271, x301); + let mut x319: u32 = 0; + let mut x320: fiat_bign256_scalar_u1 = 0; + let (x319, x320) = fiat_bign256_scalar_addcarryx_u32(x318, x273, x303); + let mut x321: u32 = 0; + let mut x322: fiat_bign256_scalar_u1 = 0; + let (x321, x322) = fiat_bign256_scalar_addcarryx_u32(x320, x275, x305); + let mut x323: u32 = 0; + let mut x324: fiat_bign256_scalar_u1 = 0; + let (x323, x324) = fiat_bign256_scalar_addcarryx_u32(x322, x277, x307); + let mut x325: u32 = 0; + let mut x326: fiat_bign256_scalar_u1 = 0; + let (x325, x326) = fiat_bign256_scalar_addcarryx_u32(x324, x279, x309); + let mut x327: u32 = 0; + let mut x328: u32 = 0; + let (x327, x328) = fiat_bign256_scalar_mulx_u32(x311, 0x858d849); + let mut x329: u32 = 0; + let mut x330: u32 = 0; + let (x329, x330) = fiat_bign256_scalar_mulx_u32(x327, 0xffffffff); + let mut x331: u32 = 0; + let mut x332: u32 = 0; + let (x331, x332) = fiat_bign256_scalar_mulx_u32(x327, 0xffffffff); + let mut x333: u32 = 0; + let mut x334: u32 = 0; + let (x333, x334) = fiat_bign256_scalar_mulx_u32(x327, 0xffffffff); + let mut x335: u32 = 0; + let mut x336: u32 = 0; + let (x335, x336) = fiat_bign256_scalar_mulx_u32(x327, 0xffffffff); + let mut x337: u32 = 0; + let mut x338: u32 = 0; + let (x337, x338) = fiat_bign256_scalar_mulx_u32(x327, 0xd95c8ed6); + let mut x339: u32 = 0; + let mut x340: u32 = 0; + let (x339, x340) = fiat_bign256_scalar_mulx_u32(x327, 0xdfb4dfc); + let mut x341: u32 = 0; + let mut x342: u32 = 0; + let (x341, x342) = fiat_bign256_scalar_mulx_u32(x327, 0x7e5abf99); + let mut x343: u32 = 0; + let mut x344: u32 = 0; + let (x343, x344) = fiat_bign256_scalar_mulx_u32(x327, 0x263d6607); + let mut x345: u32 = 0; + let mut x346: fiat_bign256_scalar_u1 = 0; + let (x345, x346) = fiat_bign256_scalar_addcarryx_u32(0x0, x344, x341); + let mut x347: u32 = 0; + let mut x348: fiat_bign256_scalar_u1 = 0; + let (x347, x348) = fiat_bign256_scalar_addcarryx_u32(x346, x342, x339); + let mut x349: u32 = 0; + let mut x350: fiat_bign256_scalar_u1 = 0; + let (x349, x350) = fiat_bign256_scalar_addcarryx_u32(x348, x340, x337); + let mut x351: u32 = 0; + let mut x352: fiat_bign256_scalar_u1 = 0; + let (x351, x352) = fiat_bign256_scalar_addcarryx_u32(x350, x338, x335); + let mut x353: u32 = 0; + let mut x354: fiat_bign256_scalar_u1 = 0; + let (x353, x354) = fiat_bign256_scalar_addcarryx_u32(x352, x336, x333); + let mut x355: u32 = 0; + let mut x356: fiat_bign256_scalar_u1 = 0; + let (x355, x356) = fiat_bign256_scalar_addcarryx_u32(x354, x334, x331); + let mut x357: u32 = 0; + let mut x358: fiat_bign256_scalar_u1 = 0; + let (x357, x358) = fiat_bign256_scalar_addcarryx_u32(x356, x332, x329); + let mut x359: u32 = 0; + let mut x360: fiat_bign256_scalar_u1 = 0; + let (x359, x360) = fiat_bign256_scalar_addcarryx_u32(0x0, x311, x343); + let mut x361: u32 = 0; + let mut x362: fiat_bign256_scalar_u1 = 0; + let (x361, x362) = fiat_bign256_scalar_addcarryx_u32(x360, x313, x345); + let mut x363: u32 = 0; + let mut x364: fiat_bign256_scalar_u1 = 0; + let (x363, x364) = fiat_bign256_scalar_addcarryx_u32(x362, x315, x347); + let mut x365: u32 = 0; + let mut x366: fiat_bign256_scalar_u1 = 0; + let (x365, x366) = fiat_bign256_scalar_addcarryx_u32(x364, x317, x349); + let mut x367: u32 = 0; + let mut x368: fiat_bign256_scalar_u1 = 0; + let (x367, x368) = fiat_bign256_scalar_addcarryx_u32(x366, x319, x351); + let mut x369: u32 = 0; + let mut x370: fiat_bign256_scalar_u1 = 0; + let (x369, x370) = fiat_bign256_scalar_addcarryx_u32(x368, x321, x353); + let mut x371: u32 = 0; + let mut x372: fiat_bign256_scalar_u1 = 0; + let (x371, x372) = fiat_bign256_scalar_addcarryx_u32(x370, x323, x355); + let mut x373: u32 = 0; + let mut x374: fiat_bign256_scalar_u1 = 0; + let (x373, x374) = fiat_bign256_scalar_addcarryx_u32(x372, x325, x357); + let mut x375: u32 = 0; + let mut x376: fiat_bign256_scalar_u1 = 0; + let (x375, x376) = fiat_bign256_scalar_addcarryx_u32( + x374, + (((x326 as u32) + (x280 as u32)) + ((x310 as u32) + x282)), + ((x358 as u32) + x330), + ); + let mut x377: u32 = 0; + let mut x378: u32 = 0; + let (x377, x378) = fiat_bign256_scalar_mulx_u32(x4, 0x5d4edf1); + let mut x379: u32 = 0; + let mut x380: u32 = 0; + let (x379, x380) = fiat_bign256_scalar_mulx_u32(x4, 0xc149a55b); + let mut x381: u32 = 0; + let mut x382: u32 = 0; + let (x381, x382) = fiat_bign256_scalar_mulx_u32(x4, 0x4a6925c6); + let mut x383: u32 = 0; + let mut x384: u32 = 0; + let (x383, x384) = fiat_bign256_scalar_mulx_u32(x4, 0xa269dbf8); + let mut x385: u32 = 0; + let mut x386: u32 = 0; + let (x385, x386) = fiat_bign256_scalar_mulx_u32(x4, 0x1b5a5bc1); + let mut x387: u32 = 0; + let mut x388: u32 = 0; + let (x387, x388) = fiat_bign256_scalar_mulx_u32(x4, 0x8b44a10); + let mut x389: u32 = 0; + let mut x390: u32 = 0; + let (x389, x390) = fiat_bign256_scalar_mulx_u32(x4, 0xfa44af61); + let mut x391: u32 = 0; + let mut x392: u32 = 0; + let (x391, x392) = fiat_bign256_scalar_mulx_u32(x4, 0xdbff9431); + let mut x393: u32 = 0; + let mut x394: fiat_bign256_scalar_u1 = 0; + let (x393, x394) = fiat_bign256_scalar_addcarryx_u32(0x0, x392, x389); + let mut x395: u32 = 0; + let mut x396: fiat_bign256_scalar_u1 = 0; + let (x395, x396) = fiat_bign256_scalar_addcarryx_u32(x394, x390, x387); + let mut x397: u32 = 0; + let mut x398: fiat_bign256_scalar_u1 = 0; + let (x397, x398) = fiat_bign256_scalar_addcarryx_u32(x396, x388, x385); + let mut x399: u32 = 0; + let mut x400: fiat_bign256_scalar_u1 = 0; + let (x399, x400) = fiat_bign256_scalar_addcarryx_u32(x398, x386, x383); + let mut x401: u32 = 0; + let mut x402: fiat_bign256_scalar_u1 = 0; + let (x401, x402) = fiat_bign256_scalar_addcarryx_u32(x400, x384, x381); + let mut x403: u32 = 0; + let mut x404: fiat_bign256_scalar_u1 = 0; + let (x403, x404) = fiat_bign256_scalar_addcarryx_u32(x402, x382, x379); + let mut x405: u32 = 0; + let mut x406: fiat_bign256_scalar_u1 = 0; + let (x405, x406) = fiat_bign256_scalar_addcarryx_u32(x404, x380, x377); + let mut x407: u32 = 0; + let mut x408: fiat_bign256_scalar_u1 = 0; + let (x407, x408) = fiat_bign256_scalar_addcarryx_u32(0x0, x361, x391); + let mut x409: u32 = 0; + let mut x410: fiat_bign256_scalar_u1 = 0; + let (x409, x410) = fiat_bign256_scalar_addcarryx_u32(x408, x363, x393); + let mut x411: u32 = 0; + let mut x412: fiat_bign256_scalar_u1 = 0; + let (x411, x412) = fiat_bign256_scalar_addcarryx_u32(x410, x365, x395); + let mut x413: u32 = 0; + let mut x414: fiat_bign256_scalar_u1 = 0; + let (x413, x414) = fiat_bign256_scalar_addcarryx_u32(x412, x367, x397); + let mut x415: u32 = 0; + let mut x416: fiat_bign256_scalar_u1 = 0; + let (x415, x416) = fiat_bign256_scalar_addcarryx_u32(x414, x369, x399); + let mut x417: u32 = 0; + let mut x418: fiat_bign256_scalar_u1 = 0; + let (x417, x418) = fiat_bign256_scalar_addcarryx_u32(x416, x371, x401); + let mut x419: u32 = 0; + let mut x420: fiat_bign256_scalar_u1 = 0; + let (x419, x420) = fiat_bign256_scalar_addcarryx_u32(x418, x373, x403); + let mut x421: u32 = 0; + let mut x422: fiat_bign256_scalar_u1 = 0; + let (x421, x422) = fiat_bign256_scalar_addcarryx_u32(x420, x375, x405); + let mut x423: u32 = 0; + let mut x424: u32 = 0; + let (x423, x424) = fiat_bign256_scalar_mulx_u32(x407, 0x858d849); + let mut x425: u32 = 0; + let mut x426: u32 = 0; + let (x425, x426) = fiat_bign256_scalar_mulx_u32(x423, 0xffffffff); + let mut x427: u32 = 0; + let mut x428: u32 = 0; + let (x427, x428) = fiat_bign256_scalar_mulx_u32(x423, 0xffffffff); + let mut x429: u32 = 0; + let mut x430: u32 = 0; + let (x429, x430) = fiat_bign256_scalar_mulx_u32(x423, 0xffffffff); + let mut x431: u32 = 0; + let mut x432: u32 = 0; + let (x431, x432) = fiat_bign256_scalar_mulx_u32(x423, 0xffffffff); + let mut x433: u32 = 0; + let mut x434: u32 = 0; + let (x433, x434) = fiat_bign256_scalar_mulx_u32(x423, 0xd95c8ed6); + let mut x435: u32 = 0; + let mut x436: u32 = 0; + let (x435, x436) = fiat_bign256_scalar_mulx_u32(x423, 0xdfb4dfc); + let mut x437: u32 = 0; + let mut x438: u32 = 0; + let (x437, x438) = fiat_bign256_scalar_mulx_u32(x423, 0x7e5abf99); + let mut x439: u32 = 0; + let mut x440: u32 = 0; + let (x439, x440) = fiat_bign256_scalar_mulx_u32(x423, 0x263d6607); + let mut x441: u32 = 0; + let mut x442: fiat_bign256_scalar_u1 = 0; + let (x441, x442) = fiat_bign256_scalar_addcarryx_u32(0x0, x440, x437); + let mut x443: u32 = 0; + let mut x444: fiat_bign256_scalar_u1 = 0; + let (x443, x444) = fiat_bign256_scalar_addcarryx_u32(x442, x438, x435); + let mut x445: u32 = 0; + let mut x446: fiat_bign256_scalar_u1 = 0; + let (x445, x446) = fiat_bign256_scalar_addcarryx_u32(x444, x436, x433); + let mut x447: u32 = 0; + let mut x448: fiat_bign256_scalar_u1 = 0; + let (x447, x448) = fiat_bign256_scalar_addcarryx_u32(x446, x434, x431); + let mut x449: u32 = 0; + let mut x450: fiat_bign256_scalar_u1 = 0; + let (x449, x450) = fiat_bign256_scalar_addcarryx_u32(x448, x432, x429); + let mut x451: u32 = 0; + let mut x452: fiat_bign256_scalar_u1 = 0; + let (x451, x452) = fiat_bign256_scalar_addcarryx_u32(x450, x430, x427); + let mut x453: u32 = 0; + let mut x454: fiat_bign256_scalar_u1 = 0; + let (x453, x454) = fiat_bign256_scalar_addcarryx_u32(x452, x428, x425); + let mut x455: u32 = 0; + let mut x456: fiat_bign256_scalar_u1 = 0; + let (x455, x456) = fiat_bign256_scalar_addcarryx_u32(0x0, x407, x439); + let mut x457: u32 = 0; + let mut x458: fiat_bign256_scalar_u1 = 0; + let (x457, x458) = fiat_bign256_scalar_addcarryx_u32(x456, x409, x441); + let mut x459: u32 = 0; + let mut x460: fiat_bign256_scalar_u1 = 0; + let (x459, x460) = fiat_bign256_scalar_addcarryx_u32(x458, x411, x443); + let mut x461: u32 = 0; + let mut x462: fiat_bign256_scalar_u1 = 0; + let (x461, x462) = fiat_bign256_scalar_addcarryx_u32(x460, x413, x445); + let mut x463: u32 = 0; + let mut x464: fiat_bign256_scalar_u1 = 0; + let (x463, x464) = fiat_bign256_scalar_addcarryx_u32(x462, x415, x447); + let mut x465: u32 = 0; + let mut x466: fiat_bign256_scalar_u1 = 0; + let (x465, x466) = fiat_bign256_scalar_addcarryx_u32(x464, x417, x449); + let mut x467: u32 = 0; + let mut x468: fiat_bign256_scalar_u1 = 0; + let (x467, x468) = fiat_bign256_scalar_addcarryx_u32(x466, x419, x451); + let mut x469: u32 = 0; + let mut x470: fiat_bign256_scalar_u1 = 0; + let (x469, x470) = fiat_bign256_scalar_addcarryx_u32(x468, x421, x453); + let mut x471: u32 = 0; + let mut x472: fiat_bign256_scalar_u1 = 0; + let (x471, x472) = fiat_bign256_scalar_addcarryx_u32( + x470, + (((x422 as u32) + (x376 as u32)) + ((x406 as u32) + x378)), + ((x454 as u32) + x426), + ); + let mut x473: u32 = 0; + let mut x474: u32 = 0; + let (x473, x474) = fiat_bign256_scalar_mulx_u32(x5, 0x5d4edf1); + let mut x475: u32 = 0; + let mut x476: u32 = 0; + let (x475, x476) = fiat_bign256_scalar_mulx_u32(x5, 0xc149a55b); + let mut x477: u32 = 0; + let mut x478: u32 = 0; + let (x477, x478) = fiat_bign256_scalar_mulx_u32(x5, 0x4a6925c6); + let mut x479: u32 = 0; + let mut x480: u32 = 0; + let (x479, x480) = fiat_bign256_scalar_mulx_u32(x5, 0xa269dbf8); + let mut x481: u32 = 0; + let mut x482: u32 = 0; + let (x481, x482) = fiat_bign256_scalar_mulx_u32(x5, 0x1b5a5bc1); + let mut x483: u32 = 0; + let mut x484: u32 = 0; + let (x483, x484) = fiat_bign256_scalar_mulx_u32(x5, 0x8b44a10); + let mut x485: u32 = 0; + let mut x486: u32 = 0; + let (x485, x486) = fiat_bign256_scalar_mulx_u32(x5, 0xfa44af61); + let mut x487: u32 = 0; + let mut x488: u32 = 0; + let (x487, x488) = fiat_bign256_scalar_mulx_u32(x5, 0xdbff9431); + let mut x489: u32 = 0; + let mut x490: fiat_bign256_scalar_u1 = 0; + let (x489, x490) = fiat_bign256_scalar_addcarryx_u32(0x0, x488, x485); + let mut x491: u32 = 0; + let mut x492: fiat_bign256_scalar_u1 = 0; + let (x491, x492) = fiat_bign256_scalar_addcarryx_u32(x490, x486, x483); + let mut x493: u32 = 0; + let mut x494: fiat_bign256_scalar_u1 = 0; + let (x493, x494) = fiat_bign256_scalar_addcarryx_u32(x492, x484, x481); + let mut x495: u32 = 0; + let mut x496: fiat_bign256_scalar_u1 = 0; + let (x495, x496) = fiat_bign256_scalar_addcarryx_u32(x494, x482, x479); + let mut x497: u32 = 0; + let mut x498: fiat_bign256_scalar_u1 = 0; + let (x497, x498) = fiat_bign256_scalar_addcarryx_u32(x496, x480, x477); + let mut x499: u32 = 0; + let mut x500: fiat_bign256_scalar_u1 = 0; + let (x499, x500) = fiat_bign256_scalar_addcarryx_u32(x498, x478, x475); + let mut x501: u32 = 0; + let mut x502: fiat_bign256_scalar_u1 = 0; + let (x501, x502) = fiat_bign256_scalar_addcarryx_u32(x500, x476, x473); + let mut x503: u32 = 0; + let mut x504: fiat_bign256_scalar_u1 = 0; + let (x503, x504) = fiat_bign256_scalar_addcarryx_u32(0x0, x457, x487); + let mut x505: u32 = 0; + let mut x506: fiat_bign256_scalar_u1 = 0; + let (x505, x506) = fiat_bign256_scalar_addcarryx_u32(x504, x459, x489); + let mut x507: u32 = 0; + let mut x508: fiat_bign256_scalar_u1 = 0; + let (x507, x508) = fiat_bign256_scalar_addcarryx_u32(x506, x461, x491); + let mut x509: u32 = 0; + let mut x510: fiat_bign256_scalar_u1 = 0; + let (x509, x510) = fiat_bign256_scalar_addcarryx_u32(x508, x463, x493); + let mut x511: u32 = 0; + let mut x512: fiat_bign256_scalar_u1 = 0; + let (x511, x512) = fiat_bign256_scalar_addcarryx_u32(x510, x465, x495); + let mut x513: u32 = 0; + let mut x514: fiat_bign256_scalar_u1 = 0; + let (x513, x514) = fiat_bign256_scalar_addcarryx_u32(x512, x467, x497); + let mut x515: u32 = 0; + let mut x516: fiat_bign256_scalar_u1 = 0; + let (x515, x516) = fiat_bign256_scalar_addcarryx_u32(x514, x469, x499); + let mut x517: u32 = 0; + let mut x518: fiat_bign256_scalar_u1 = 0; + let (x517, x518) = fiat_bign256_scalar_addcarryx_u32(x516, x471, x501); + let mut x519: u32 = 0; + let mut x520: u32 = 0; + let (x519, x520) = fiat_bign256_scalar_mulx_u32(x503, 0x858d849); + let mut x521: u32 = 0; + let mut x522: u32 = 0; + let (x521, x522) = fiat_bign256_scalar_mulx_u32(x519, 0xffffffff); + let mut x523: u32 = 0; + let mut x524: u32 = 0; + let (x523, x524) = fiat_bign256_scalar_mulx_u32(x519, 0xffffffff); + let mut x525: u32 = 0; + let mut x526: u32 = 0; + let (x525, x526) = fiat_bign256_scalar_mulx_u32(x519, 0xffffffff); + let mut x527: u32 = 0; + let mut x528: u32 = 0; + let (x527, x528) = fiat_bign256_scalar_mulx_u32(x519, 0xffffffff); + let mut x529: u32 = 0; + let mut x530: u32 = 0; + let (x529, x530) = fiat_bign256_scalar_mulx_u32(x519, 0xd95c8ed6); + let mut x531: u32 = 0; + let mut x532: u32 = 0; + let (x531, x532) = fiat_bign256_scalar_mulx_u32(x519, 0xdfb4dfc); + let mut x533: u32 = 0; + let mut x534: u32 = 0; + let (x533, x534) = fiat_bign256_scalar_mulx_u32(x519, 0x7e5abf99); + let mut x535: u32 = 0; + let mut x536: u32 = 0; + let (x535, x536) = fiat_bign256_scalar_mulx_u32(x519, 0x263d6607); + let mut x537: u32 = 0; + let mut x538: fiat_bign256_scalar_u1 = 0; + let (x537, x538) = fiat_bign256_scalar_addcarryx_u32(0x0, x536, x533); + let mut x539: u32 = 0; + let mut x540: fiat_bign256_scalar_u1 = 0; + let (x539, x540) = fiat_bign256_scalar_addcarryx_u32(x538, x534, x531); + let mut x541: u32 = 0; + let mut x542: fiat_bign256_scalar_u1 = 0; + let (x541, x542) = fiat_bign256_scalar_addcarryx_u32(x540, x532, x529); + let mut x543: u32 = 0; + let mut x544: fiat_bign256_scalar_u1 = 0; + let (x543, x544) = fiat_bign256_scalar_addcarryx_u32(x542, x530, x527); + let mut x545: u32 = 0; + let mut x546: fiat_bign256_scalar_u1 = 0; + let (x545, x546) = fiat_bign256_scalar_addcarryx_u32(x544, x528, x525); + let mut x547: u32 = 0; + let mut x548: fiat_bign256_scalar_u1 = 0; + let (x547, x548) = fiat_bign256_scalar_addcarryx_u32(x546, x526, x523); + let mut x549: u32 = 0; + let mut x550: fiat_bign256_scalar_u1 = 0; + let (x549, x550) = fiat_bign256_scalar_addcarryx_u32(x548, x524, x521); + let mut x551: u32 = 0; + let mut x552: fiat_bign256_scalar_u1 = 0; + let (x551, x552) = fiat_bign256_scalar_addcarryx_u32(0x0, x503, x535); + let mut x553: u32 = 0; + let mut x554: fiat_bign256_scalar_u1 = 0; + let (x553, x554) = fiat_bign256_scalar_addcarryx_u32(x552, x505, x537); + let mut x555: u32 = 0; + let mut x556: fiat_bign256_scalar_u1 = 0; + let (x555, x556) = fiat_bign256_scalar_addcarryx_u32(x554, x507, x539); + let mut x557: u32 = 0; + let mut x558: fiat_bign256_scalar_u1 = 0; + let (x557, x558) = fiat_bign256_scalar_addcarryx_u32(x556, x509, x541); + let mut x559: u32 = 0; + let mut x560: fiat_bign256_scalar_u1 = 0; + let (x559, x560) = fiat_bign256_scalar_addcarryx_u32(x558, x511, x543); + let mut x561: u32 = 0; + let mut x562: fiat_bign256_scalar_u1 = 0; + let (x561, x562) = fiat_bign256_scalar_addcarryx_u32(x560, x513, x545); + let mut x563: u32 = 0; + let mut x564: fiat_bign256_scalar_u1 = 0; + let (x563, x564) = fiat_bign256_scalar_addcarryx_u32(x562, x515, x547); + let mut x565: u32 = 0; + let mut x566: fiat_bign256_scalar_u1 = 0; + let (x565, x566) = fiat_bign256_scalar_addcarryx_u32(x564, x517, x549); + let mut x567: u32 = 0; + let mut x568: fiat_bign256_scalar_u1 = 0; + let (x567, x568) = fiat_bign256_scalar_addcarryx_u32( + x566, + (((x518 as u32) + (x472 as u32)) + ((x502 as u32) + x474)), + ((x550 as u32) + x522), + ); + let mut x569: u32 = 0; + let mut x570: u32 = 0; + let (x569, x570) = fiat_bign256_scalar_mulx_u32(x6, 0x5d4edf1); + let mut x571: u32 = 0; + let mut x572: u32 = 0; + let (x571, x572) = fiat_bign256_scalar_mulx_u32(x6, 0xc149a55b); + let mut x573: u32 = 0; + let mut x574: u32 = 0; + let (x573, x574) = fiat_bign256_scalar_mulx_u32(x6, 0x4a6925c6); + let mut x575: u32 = 0; + let mut x576: u32 = 0; + let (x575, x576) = fiat_bign256_scalar_mulx_u32(x6, 0xa269dbf8); + let mut x577: u32 = 0; + let mut x578: u32 = 0; + let (x577, x578) = fiat_bign256_scalar_mulx_u32(x6, 0x1b5a5bc1); + let mut x579: u32 = 0; + let mut x580: u32 = 0; + let (x579, x580) = fiat_bign256_scalar_mulx_u32(x6, 0x8b44a10); + let mut x581: u32 = 0; + let mut x582: u32 = 0; + let (x581, x582) = fiat_bign256_scalar_mulx_u32(x6, 0xfa44af61); + let mut x583: u32 = 0; + let mut x584: u32 = 0; + let (x583, x584) = fiat_bign256_scalar_mulx_u32(x6, 0xdbff9431); + let mut x585: u32 = 0; + let mut x586: fiat_bign256_scalar_u1 = 0; + let (x585, x586) = fiat_bign256_scalar_addcarryx_u32(0x0, x584, x581); + let mut x587: u32 = 0; + let mut x588: fiat_bign256_scalar_u1 = 0; + let (x587, x588) = fiat_bign256_scalar_addcarryx_u32(x586, x582, x579); + let mut x589: u32 = 0; + let mut x590: fiat_bign256_scalar_u1 = 0; + let (x589, x590) = fiat_bign256_scalar_addcarryx_u32(x588, x580, x577); + let mut x591: u32 = 0; + let mut x592: fiat_bign256_scalar_u1 = 0; + let (x591, x592) = fiat_bign256_scalar_addcarryx_u32(x590, x578, x575); + let mut x593: u32 = 0; + let mut x594: fiat_bign256_scalar_u1 = 0; + let (x593, x594) = fiat_bign256_scalar_addcarryx_u32(x592, x576, x573); + let mut x595: u32 = 0; + let mut x596: fiat_bign256_scalar_u1 = 0; + let (x595, x596) = fiat_bign256_scalar_addcarryx_u32(x594, x574, x571); + let mut x597: u32 = 0; + let mut x598: fiat_bign256_scalar_u1 = 0; + let (x597, x598) = fiat_bign256_scalar_addcarryx_u32(x596, x572, x569); + let mut x599: u32 = 0; + let mut x600: fiat_bign256_scalar_u1 = 0; + let (x599, x600) = fiat_bign256_scalar_addcarryx_u32(0x0, x553, x583); + let mut x601: u32 = 0; + let mut x602: fiat_bign256_scalar_u1 = 0; + let (x601, x602) = fiat_bign256_scalar_addcarryx_u32(x600, x555, x585); + let mut x603: u32 = 0; + let mut x604: fiat_bign256_scalar_u1 = 0; + let (x603, x604) = fiat_bign256_scalar_addcarryx_u32(x602, x557, x587); + let mut x605: u32 = 0; + let mut x606: fiat_bign256_scalar_u1 = 0; + let (x605, x606) = fiat_bign256_scalar_addcarryx_u32(x604, x559, x589); + let mut x607: u32 = 0; + let mut x608: fiat_bign256_scalar_u1 = 0; + let (x607, x608) = fiat_bign256_scalar_addcarryx_u32(x606, x561, x591); + let mut x609: u32 = 0; + let mut x610: fiat_bign256_scalar_u1 = 0; + let (x609, x610) = fiat_bign256_scalar_addcarryx_u32(x608, x563, x593); + let mut x611: u32 = 0; + let mut x612: fiat_bign256_scalar_u1 = 0; + let (x611, x612) = fiat_bign256_scalar_addcarryx_u32(x610, x565, x595); + let mut x613: u32 = 0; + let mut x614: fiat_bign256_scalar_u1 = 0; + let (x613, x614) = fiat_bign256_scalar_addcarryx_u32(x612, x567, x597); + let mut x615: u32 = 0; + let mut x616: u32 = 0; + let (x615, x616) = fiat_bign256_scalar_mulx_u32(x599, 0x858d849); + let mut x617: u32 = 0; + let mut x618: u32 = 0; + let (x617, x618) = fiat_bign256_scalar_mulx_u32(x615, 0xffffffff); + let mut x619: u32 = 0; + let mut x620: u32 = 0; + let (x619, x620) = fiat_bign256_scalar_mulx_u32(x615, 0xffffffff); + let mut x621: u32 = 0; + let mut x622: u32 = 0; + let (x621, x622) = fiat_bign256_scalar_mulx_u32(x615, 0xffffffff); + let mut x623: u32 = 0; + let mut x624: u32 = 0; + let (x623, x624) = fiat_bign256_scalar_mulx_u32(x615, 0xffffffff); + let mut x625: u32 = 0; + let mut x626: u32 = 0; + let (x625, x626) = fiat_bign256_scalar_mulx_u32(x615, 0xd95c8ed6); + let mut x627: u32 = 0; + let mut x628: u32 = 0; + let (x627, x628) = fiat_bign256_scalar_mulx_u32(x615, 0xdfb4dfc); + let mut x629: u32 = 0; + let mut x630: u32 = 0; + let (x629, x630) = fiat_bign256_scalar_mulx_u32(x615, 0x7e5abf99); + let mut x631: u32 = 0; + let mut x632: u32 = 0; + let (x631, x632) = fiat_bign256_scalar_mulx_u32(x615, 0x263d6607); + let mut x633: u32 = 0; + let mut x634: fiat_bign256_scalar_u1 = 0; + let (x633, x634) = fiat_bign256_scalar_addcarryx_u32(0x0, x632, x629); + let mut x635: u32 = 0; + let mut x636: fiat_bign256_scalar_u1 = 0; + let (x635, x636) = fiat_bign256_scalar_addcarryx_u32(x634, x630, x627); + let mut x637: u32 = 0; + let mut x638: fiat_bign256_scalar_u1 = 0; + let (x637, x638) = fiat_bign256_scalar_addcarryx_u32(x636, x628, x625); + let mut x639: u32 = 0; + let mut x640: fiat_bign256_scalar_u1 = 0; + let (x639, x640) = fiat_bign256_scalar_addcarryx_u32(x638, x626, x623); + let mut x641: u32 = 0; + let mut x642: fiat_bign256_scalar_u1 = 0; + let (x641, x642) = fiat_bign256_scalar_addcarryx_u32(x640, x624, x621); + let mut x643: u32 = 0; + let mut x644: fiat_bign256_scalar_u1 = 0; + let (x643, x644) = fiat_bign256_scalar_addcarryx_u32(x642, x622, x619); + let mut x645: u32 = 0; + let mut x646: fiat_bign256_scalar_u1 = 0; + let (x645, x646) = fiat_bign256_scalar_addcarryx_u32(x644, x620, x617); + let mut x647: u32 = 0; + let mut x648: fiat_bign256_scalar_u1 = 0; + let (x647, x648) = fiat_bign256_scalar_addcarryx_u32(0x0, x599, x631); + let mut x649: u32 = 0; + let mut x650: fiat_bign256_scalar_u1 = 0; + let (x649, x650) = fiat_bign256_scalar_addcarryx_u32(x648, x601, x633); + let mut x651: u32 = 0; + let mut x652: fiat_bign256_scalar_u1 = 0; + let (x651, x652) = fiat_bign256_scalar_addcarryx_u32(x650, x603, x635); + let mut x653: u32 = 0; + let mut x654: fiat_bign256_scalar_u1 = 0; + let (x653, x654) = fiat_bign256_scalar_addcarryx_u32(x652, x605, x637); + let mut x655: u32 = 0; + let mut x656: fiat_bign256_scalar_u1 = 0; + let (x655, x656) = fiat_bign256_scalar_addcarryx_u32(x654, x607, x639); + let mut x657: u32 = 0; + let mut x658: fiat_bign256_scalar_u1 = 0; + let (x657, x658) = fiat_bign256_scalar_addcarryx_u32(x656, x609, x641); + let mut x659: u32 = 0; + let mut x660: fiat_bign256_scalar_u1 = 0; + let (x659, x660) = fiat_bign256_scalar_addcarryx_u32(x658, x611, x643); + let mut x661: u32 = 0; + let mut x662: fiat_bign256_scalar_u1 = 0; + let (x661, x662) = fiat_bign256_scalar_addcarryx_u32(x660, x613, x645); + let mut x663: u32 = 0; + let mut x664: fiat_bign256_scalar_u1 = 0; + let (x663, x664) = fiat_bign256_scalar_addcarryx_u32( + x662, + (((x614 as u32) + (x568 as u32)) + ((x598 as u32) + x570)), + ((x646 as u32) + x618), + ); + let mut x665: u32 = 0; + let mut x666: u32 = 0; + let (x665, x666) = fiat_bign256_scalar_mulx_u32(x7, 0x5d4edf1); + let mut x667: u32 = 0; + let mut x668: u32 = 0; + let (x667, x668) = fiat_bign256_scalar_mulx_u32(x7, 0xc149a55b); + let mut x669: u32 = 0; + let mut x670: u32 = 0; + let (x669, x670) = fiat_bign256_scalar_mulx_u32(x7, 0x4a6925c6); + let mut x671: u32 = 0; + let mut x672: u32 = 0; + let (x671, x672) = fiat_bign256_scalar_mulx_u32(x7, 0xa269dbf8); + let mut x673: u32 = 0; + let mut x674: u32 = 0; + let (x673, x674) = fiat_bign256_scalar_mulx_u32(x7, 0x1b5a5bc1); + let mut x675: u32 = 0; + let mut x676: u32 = 0; + let (x675, x676) = fiat_bign256_scalar_mulx_u32(x7, 0x8b44a10); + let mut x677: u32 = 0; + let mut x678: u32 = 0; + let (x677, x678) = fiat_bign256_scalar_mulx_u32(x7, 0xfa44af61); + let mut x679: u32 = 0; + let mut x680: u32 = 0; + let (x679, x680) = fiat_bign256_scalar_mulx_u32(x7, 0xdbff9431); + let mut x681: u32 = 0; + let mut x682: fiat_bign256_scalar_u1 = 0; + let (x681, x682) = fiat_bign256_scalar_addcarryx_u32(0x0, x680, x677); + let mut x683: u32 = 0; + let mut x684: fiat_bign256_scalar_u1 = 0; + let (x683, x684) = fiat_bign256_scalar_addcarryx_u32(x682, x678, x675); + let mut x685: u32 = 0; + let mut x686: fiat_bign256_scalar_u1 = 0; + let (x685, x686) = fiat_bign256_scalar_addcarryx_u32(x684, x676, x673); + let mut x687: u32 = 0; + let mut x688: fiat_bign256_scalar_u1 = 0; + let (x687, x688) = fiat_bign256_scalar_addcarryx_u32(x686, x674, x671); + let mut x689: u32 = 0; + let mut x690: fiat_bign256_scalar_u1 = 0; + let (x689, x690) = fiat_bign256_scalar_addcarryx_u32(x688, x672, x669); + let mut x691: u32 = 0; + let mut x692: fiat_bign256_scalar_u1 = 0; + let (x691, x692) = fiat_bign256_scalar_addcarryx_u32(x690, x670, x667); + let mut x693: u32 = 0; + let mut x694: fiat_bign256_scalar_u1 = 0; + let (x693, x694) = fiat_bign256_scalar_addcarryx_u32(x692, x668, x665); + let mut x695: u32 = 0; + let mut x696: fiat_bign256_scalar_u1 = 0; + let (x695, x696) = fiat_bign256_scalar_addcarryx_u32(0x0, x649, x679); + let mut x697: u32 = 0; + let mut x698: fiat_bign256_scalar_u1 = 0; + let (x697, x698) = fiat_bign256_scalar_addcarryx_u32(x696, x651, x681); + let mut x699: u32 = 0; + let mut x700: fiat_bign256_scalar_u1 = 0; + let (x699, x700) = fiat_bign256_scalar_addcarryx_u32(x698, x653, x683); + let mut x701: u32 = 0; + let mut x702: fiat_bign256_scalar_u1 = 0; + let (x701, x702) = fiat_bign256_scalar_addcarryx_u32(x700, x655, x685); + let mut x703: u32 = 0; + let mut x704: fiat_bign256_scalar_u1 = 0; + let (x703, x704) = fiat_bign256_scalar_addcarryx_u32(x702, x657, x687); + let mut x705: u32 = 0; + let mut x706: fiat_bign256_scalar_u1 = 0; + let (x705, x706) = fiat_bign256_scalar_addcarryx_u32(x704, x659, x689); + let mut x707: u32 = 0; + let mut x708: fiat_bign256_scalar_u1 = 0; + let (x707, x708) = fiat_bign256_scalar_addcarryx_u32(x706, x661, x691); + let mut x709: u32 = 0; + let mut x710: fiat_bign256_scalar_u1 = 0; + let (x709, x710) = fiat_bign256_scalar_addcarryx_u32(x708, x663, x693); + let mut x711: u32 = 0; + let mut x712: u32 = 0; + let (x711, x712) = fiat_bign256_scalar_mulx_u32(x695, 0x858d849); + let mut x713: u32 = 0; + let mut x714: u32 = 0; + let (x713, x714) = fiat_bign256_scalar_mulx_u32(x711, 0xffffffff); + let mut x715: u32 = 0; + let mut x716: u32 = 0; + let (x715, x716) = fiat_bign256_scalar_mulx_u32(x711, 0xffffffff); + let mut x717: u32 = 0; + let mut x718: u32 = 0; + let (x717, x718) = fiat_bign256_scalar_mulx_u32(x711, 0xffffffff); + let mut x719: u32 = 0; + let mut x720: u32 = 0; + let (x719, x720) = fiat_bign256_scalar_mulx_u32(x711, 0xffffffff); + let mut x721: u32 = 0; + let mut x722: u32 = 0; + let (x721, x722) = fiat_bign256_scalar_mulx_u32(x711, 0xd95c8ed6); + let mut x723: u32 = 0; + let mut x724: u32 = 0; + let (x723, x724) = fiat_bign256_scalar_mulx_u32(x711, 0xdfb4dfc); + let mut x725: u32 = 0; + let mut x726: u32 = 0; + let (x725, x726) = fiat_bign256_scalar_mulx_u32(x711, 0x7e5abf99); + let mut x727: u32 = 0; + let mut x728: u32 = 0; + let (x727, x728) = fiat_bign256_scalar_mulx_u32(x711, 0x263d6607); + let mut x729: u32 = 0; + let mut x730: fiat_bign256_scalar_u1 = 0; + let (x729, x730) = fiat_bign256_scalar_addcarryx_u32(0x0, x728, x725); + let mut x731: u32 = 0; + let mut x732: fiat_bign256_scalar_u1 = 0; + let (x731, x732) = fiat_bign256_scalar_addcarryx_u32(x730, x726, x723); + let mut x733: u32 = 0; + let mut x734: fiat_bign256_scalar_u1 = 0; + let (x733, x734) = fiat_bign256_scalar_addcarryx_u32(x732, x724, x721); + let mut x735: u32 = 0; + let mut x736: fiat_bign256_scalar_u1 = 0; + let (x735, x736) = fiat_bign256_scalar_addcarryx_u32(x734, x722, x719); + let mut x737: u32 = 0; + let mut x738: fiat_bign256_scalar_u1 = 0; + let (x737, x738) = fiat_bign256_scalar_addcarryx_u32(x736, x720, x717); + let mut x739: u32 = 0; + let mut x740: fiat_bign256_scalar_u1 = 0; + let (x739, x740) = fiat_bign256_scalar_addcarryx_u32(x738, x718, x715); + let mut x741: u32 = 0; + let mut x742: fiat_bign256_scalar_u1 = 0; + let (x741, x742) = fiat_bign256_scalar_addcarryx_u32(x740, x716, x713); + let mut x743: u32 = 0; + let mut x744: fiat_bign256_scalar_u1 = 0; + let (x743, x744) = fiat_bign256_scalar_addcarryx_u32(0x0, x695, x727); + let mut x745: u32 = 0; + let mut x746: fiat_bign256_scalar_u1 = 0; + let (x745, x746) = fiat_bign256_scalar_addcarryx_u32(x744, x697, x729); + let mut x747: u32 = 0; + let mut x748: fiat_bign256_scalar_u1 = 0; + let (x747, x748) = fiat_bign256_scalar_addcarryx_u32(x746, x699, x731); + let mut x749: u32 = 0; + let mut x750: fiat_bign256_scalar_u1 = 0; + let (x749, x750) = fiat_bign256_scalar_addcarryx_u32(x748, x701, x733); + let mut x751: u32 = 0; + let mut x752: fiat_bign256_scalar_u1 = 0; + let (x751, x752) = fiat_bign256_scalar_addcarryx_u32(x750, x703, x735); + let mut x753: u32 = 0; + let mut x754: fiat_bign256_scalar_u1 = 0; + let (x753, x754) = fiat_bign256_scalar_addcarryx_u32(x752, x705, x737); + let mut x755: u32 = 0; + let mut x756: fiat_bign256_scalar_u1 = 0; + let (x755, x756) = fiat_bign256_scalar_addcarryx_u32(x754, x707, x739); + let mut x757: u32 = 0; + let mut x758: fiat_bign256_scalar_u1 = 0; + let (x757, x758) = fiat_bign256_scalar_addcarryx_u32(x756, x709, x741); + let mut x759: u32 = 0; + let mut x760: fiat_bign256_scalar_u1 = 0; + let (x759, x760) = fiat_bign256_scalar_addcarryx_u32( + x758, + (((x710 as u32) + (x664 as u32)) + ((x694 as u32) + x666)), + ((x742 as u32) + x714), + ); + let mut x761: u32 = 0; + let mut x762: fiat_bign256_scalar_u1 = 0; + let (x761, x762) = fiat_bign256_scalar_subborrowx_u32(0x0, x745, 0x263d6607); + let mut x763: u32 = 0; + let mut x764: fiat_bign256_scalar_u1 = 0; + let (x763, x764) = fiat_bign256_scalar_subborrowx_u32(x762, x747, 0x7e5abf99); + let mut x765: u32 = 0; + let mut x766: fiat_bign256_scalar_u1 = 0; + let (x765, x766) = fiat_bign256_scalar_subborrowx_u32(x764, x749, 0xdfb4dfc); + let mut x767: u32 = 0; + let mut x768: fiat_bign256_scalar_u1 = 0; + let (x767, x768) = fiat_bign256_scalar_subborrowx_u32(x766, x751, 0xd95c8ed6); + let mut x769: u32 = 0; + let mut x770: fiat_bign256_scalar_u1 = 0; + let (x769, x770) = fiat_bign256_scalar_subborrowx_u32(x768, x753, 0xffffffff); + let mut x771: u32 = 0; + let mut x772: fiat_bign256_scalar_u1 = 0; + let (x771, x772) = fiat_bign256_scalar_subborrowx_u32(x770, x755, 0xffffffff); + let mut x773: u32 = 0; + let mut x774: fiat_bign256_scalar_u1 = 0; + let (x773, x774) = fiat_bign256_scalar_subborrowx_u32(x772, x757, 0xffffffff); + let mut x775: u32 = 0; + let mut x776: fiat_bign256_scalar_u1 = 0; + let (x775, x776) = fiat_bign256_scalar_subborrowx_u32(x774, x759, 0xffffffff); + let mut x777: u32 = 0; + let mut x778: fiat_bign256_scalar_u1 = 0; + let (x777, x778) = fiat_bign256_scalar_subborrowx_u32(x776, (x760 as u32), (0x0 as u32)); + let mut x779: u32 = 0; + let (x779) = fiat_bign256_scalar_cmovznz_u32(x778, x761, x745); + let mut x780: u32 = 0; + let (x780) = fiat_bign256_scalar_cmovznz_u32(x778, x763, x747); + let mut x781: u32 = 0; + let (x781) = fiat_bign256_scalar_cmovznz_u32(x778, x765, x749); + let mut x782: u32 = 0; + let (x782) = fiat_bign256_scalar_cmovznz_u32(x778, x767, x751); + let mut x783: u32 = 0; + let (x783) = fiat_bign256_scalar_cmovznz_u32(x778, x769, x753); + let mut x784: u32 = 0; + let (x784) = fiat_bign256_scalar_cmovznz_u32(x778, x771, x755); + let mut x785: u32 = 0; + let (x785) = fiat_bign256_scalar_cmovznz_u32(x778, x773, x757); + let mut x786: u32 = 0; + let (x786) = fiat_bign256_scalar_cmovznz_u32(x778, x775, x759); + out1[0] = x779; + out1[1] = x780; + out1[2] = x781; + out1[3] = x782; + out1[4] = x783; + out1[5] = x784; + out1[6] = x785; + out1[7] = x786; + out1 +} +#[doc = " The function fiat_bign256_scalar_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[inline] +pub const fn fiat_bign256_scalar_nonzero(arg1: &[u32; 8]) -> u32 { + let mut out1: u32 = 0; + let x1: u32 = ((arg1[0]) + | ((arg1[1]) + | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | (arg1[7])))))))); + out1 = x1; + out1 +} +#[doc = " The function fiat_bign256_scalar_selectznz is a multi-limb conditional select."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[inline] +pub const fn fiat_bign256_scalar_selectznz( + arg1: fiat_bign256_scalar_u1, + arg2: &[u32; 8], + arg3: &[u32; 8], +) -> [u32; 8] { + let mut out1: [u32; 8] = [0; 8]; + let mut x1: u32 = 0; + let (x1) = fiat_bign256_scalar_cmovznz_u32(arg1, (arg2[0]), (arg3[0])); + let mut x2: u32 = 0; + let (x2) = fiat_bign256_scalar_cmovznz_u32(arg1, (arg2[1]), (arg3[1])); + let mut x3: u32 = 0; + let (x3) = fiat_bign256_scalar_cmovznz_u32(arg1, (arg2[2]), (arg3[2])); + let mut x4: u32 = 0; + let (x4) = fiat_bign256_scalar_cmovznz_u32(arg1, (arg2[3]), (arg3[3])); + let mut x5: u32 = 0; + let (x5) = fiat_bign256_scalar_cmovznz_u32(arg1, (arg2[4]), (arg3[4])); + let mut x6: u32 = 0; + let (x6) = fiat_bign256_scalar_cmovznz_u32(arg1, (arg2[5]), (arg3[5])); + let mut x7: u32 = 0; + let (x7) = fiat_bign256_scalar_cmovznz_u32(arg1, (arg2[6]), (arg3[6])); + let mut x8: u32 = 0; + let (x8) = fiat_bign256_scalar_cmovznz_u32(arg1, (arg2[7]), (arg3[7])); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; + out1[5] = x6; + out1[6] = x7; + out1[7] = x8; + out1 +} +#[doc = " The function fiat_bign256_scalar_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = map (Ξ» x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)βŒ‹) [0..31]"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]"] +#[inline] +pub const fn fiat_bign256_scalar_to_bytes(arg1: &[u32; 8]) -> [u8; 32] { + let mut out1: [u8; 32] = [0; 32]; + let x1: u32 = (arg1[7]); + let x2: u32 = (arg1[6]); + let x3: u32 = (arg1[5]); + let x4: u32 = (arg1[4]); + let x5: u32 = (arg1[3]); + let x6: u32 = (arg1[2]); + let x7: u32 = (arg1[1]); + let x8: u32 = (arg1[0]); + let x9: u8 = ((x8 & (0xff as u32)) as u8); + let x10: u32 = (x8 >> 8); + let x11: u8 = ((x10 & (0xff as u32)) as u8); + let x12: u32 = (x10 >> 8); + let x13: u8 = ((x12 & (0xff as u32)) as u8); + let x14: u8 = ((x12 >> 8) as u8); + let x15: u8 = ((x7 & (0xff as u32)) as u8); + let x16: u32 = (x7 >> 8); + let x17: u8 = ((x16 & (0xff as u32)) as u8); + let x18: u32 = (x16 >> 8); + let x19: u8 = ((x18 & (0xff as u32)) as u8); + let x20: u8 = ((x18 >> 8) as u8); + let x21: u8 = ((x6 & (0xff as u32)) as u8); + let x22: u32 = (x6 >> 8); + let x23: u8 = ((x22 & (0xff as u32)) as u8); + let x24: u32 = (x22 >> 8); + let x25: u8 = ((x24 & (0xff as u32)) as u8); + let x26: u8 = ((x24 >> 8) as u8); + let x27: u8 = ((x5 & (0xff as u32)) as u8); + let x28: u32 = (x5 >> 8); + let x29: u8 = ((x28 & (0xff as u32)) as u8); + let x30: u32 = (x28 >> 8); + let x31: u8 = ((x30 & (0xff as u32)) as u8); + let x32: u8 = ((x30 >> 8) as u8); + let x33: u8 = ((x4 & (0xff as u32)) as u8); + let x34: u32 = (x4 >> 8); + let x35: u8 = ((x34 & (0xff as u32)) as u8); + let x36: u32 = (x34 >> 8); + let x37: u8 = ((x36 & (0xff as u32)) as u8); + let x38: u8 = ((x36 >> 8) as u8); + let x39: u8 = ((x3 & (0xff as u32)) as u8); + let x40: u32 = (x3 >> 8); + let x41: u8 = ((x40 & (0xff as u32)) as u8); + let x42: u32 = (x40 >> 8); + let x43: u8 = ((x42 & (0xff as u32)) as u8); + let x44: u8 = ((x42 >> 8) as u8); + let x45: u8 = ((x2 & (0xff as u32)) as u8); + let x46: u32 = (x2 >> 8); + let x47: u8 = ((x46 & (0xff as u32)) as u8); + let x48: u32 = (x46 >> 8); + let x49: u8 = ((x48 & (0xff as u32)) as u8); + let x50: u8 = ((x48 >> 8) as u8); + let x51: u8 = ((x1 & (0xff as u32)) as u8); + let x52: u32 = (x1 >> 8); + let x53: u8 = ((x52 & (0xff as u32)) as u8); + let x54: u32 = (x52 >> 8); + let x55: u8 = ((x54 & (0xff as u32)) as u8); + let x56: u8 = ((x54 >> 8) as u8); + out1[0] = x9; + out1[1] = x11; + out1[2] = x13; + out1[3] = x14; + out1[4] = x15; + out1[5] = x17; + out1[6] = x19; + out1[7] = x20; + out1[8] = x21; + out1[9] = x23; + out1[10] = x25; + out1[11] = x26; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x38; + out1[20] = x39; + out1[21] = x41; + out1[22] = x43; + out1[23] = x44; + out1[24] = x45; + out1[25] = x47; + out1[26] = x49; + out1[27] = x50; + out1[28] = x51; + out1[29] = x53; + out1[30] = x55; + out1[31] = x56; + out1 +} +#[doc = " The function fiat_bign256_scalar_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ bytes_eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval out1 mod m = bytes_eval arg1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[inline] +pub const fn fiat_bign256_scalar_from_bytes(arg1: &[u8; 32]) -> [u32; 8] { + let mut out1: [u32; 8] = [0; 8]; + let x1: u32 = (((arg1[31]) as u32) << 24); + let x2: u32 = (((arg1[30]) as u32) << 16); + let x3: u32 = (((arg1[29]) as u32) << 8); + let x4: u8 = (arg1[28]); + let x5: u32 = (((arg1[27]) as u32) << 24); + let x6: u32 = (((arg1[26]) as u32) << 16); + let x7: u32 = (((arg1[25]) as u32) << 8); + let x8: u8 = (arg1[24]); + let x9: u32 = (((arg1[23]) as u32) << 24); + let x10: u32 = (((arg1[22]) as u32) << 16); + let x11: u32 = (((arg1[21]) as u32) << 8); + let x12: u8 = (arg1[20]); + let x13: u32 = (((arg1[19]) as u32) << 24); + let x14: u32 = (((arg1[18]) as u32) << 16); + let x15: u32 = (((arg1[17]) as u32) << 8); + let x16: u8 = (arg1[16]); + let x17: u32 = (((arg1[15]) as u32) << 24); + let x18: u32 = (((arg1[14]) as u32) << 16); + let x19: u32 = (((arg1[13]) as u32) << 8); + let x20: u8 = (arg1[12]); + let x21: u32 = (((arg1[11]) as u32) << 24); + let x22: u32 = (((arg1[10]) as u32) << 16); + let x23: u32 = (((arg1[9]) as u32) << 8); + let x24: u8 = (arg1[8]); + let x25: u32 = (((arg1[7]) as u32) << 24); + let x26: u32 = (((arg1[6]) as u32) << 16); + let x27: u32 = (((arg1[5]) as u32) << 8); + let x28: u8 = (arg1[4]); + let x29: u32 = (((arg1[3]) as u32) << 24); + let x30: u32 = (((arg1[2]) as u32) << 16); + let x31: u32 = (((arg1[1]) as u32) << 8); + let x32: u8 = (arg1[0]); + let x33: u32 = (x31 + (x32 as u32)); + let x34: u32 = (x30 + x33); + let x35: u32 = (x29 + x34); + let x36: u32 = (x27 + (x28 as u32)); + let x37: u32 = (x26 + x36); + let x38: u32 = (x25 + x37); + let x39: u32 = (x23 + (x24 as u32)); + let x40: u32 = (x22 + x39); + let x41: u32 = (x21 + x40); + let x42: u32 = (x19 + (x20 as u32)); + let x43: u32 = (x18 + x42); + let x44: u32 = (x17 + x43); + let x45: u32 = (x15 + (x16 as u32)); + let x46: u32 = (x14 + x45); + let x47: u32 = (x13 + x46); + let x48: u32 = (x11 + (x12 as u32)); + let x49: u32 = (x10 + x48); + let x50: u32 = (x9 + x49); + let x51: u32 = (x7 + (x8 as u32)); + let x52: u32 = (x6 + x51); + let x53: u32 = (x5 + x52); + let x54: u32 = (x3 + (x4 as u32)); + let x55: u32 = (x2 + x54); + let x56: u32 = (x1 + x55); + out1[0] = x35; + out1[1] = x38; + out1[2] = x41; + out1[3] = x44; + out1[4] = x47; + out1[5] = x50; + out1[6] = x53; + out1[7] = x56; + out1 +} +#[doc = " The function fiat_bign256_scalar_set_one returns the field element one in the Montgomery domain."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = 1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_set_one() -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 8]; + out1[0] = 0xd9c299f9; + out1[1] = 0x81a54066; + out1[2] = 0xf204b203; + out1[3] = 0x26a37129; + out1[4] = (0x0 as u32); + out1[5] = (0x0 as u32); + out1[6] = (0x0 as u32); + out1[7] = (0x0 as u32); + out1 +} +#[doc = " The function fiat_bign256_scalar_msat returns the saturated representation of the prime modulus."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " twos_complement_eval out1 = m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[inline] +pub const fn fiat_bign256_scalar_msat() -> [u32; 9] { + let mut out1: [u32; 9] = [0; 9]; + out1[0] = 0x263d6607; + out1[1] = 0x7e5abf99; + out1[2] = 0xdfb4dfc; + out1[3] = 0xd95c8ed6; + out1[4] = 0xffffffff; + out1[5] = 0xffffffff; + out1[6] = 0xffffffff; + out1[7] = 0xffffffff; + out1[8] = (0x0 as u32); + out1 +} +#[doc = " The function fiat_bign256_scalar_divstep computes a divstep."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg4 < m"] +#[doc = " 0 ≀ eval arg5 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1)"] +#[doc = " twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2)"] +#[doc = " twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2βŒ‹ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2βŒ‹)"] +#[doc = " eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m)"] +#[doc = " eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m)"] +#[doc = " 0 ≀ eval out5 < m"] +#[doc = " 0 ≀ eval out5 < m"] +#[doc = " 0 ≀ eval out2 < m"] +#[doc = " 0 ≀ eval out3 < m"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0xffffffff]"] +#[doc = " arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffff]"] +#[doc = " out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[doc = " out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[inline] +pub const fn fiat_bign256_scalar_divstep( + arg1: u32, + arg2: &[u32; 9], + arg3: &[u32; 9], + arg4: &[u32; 8], + arg5: &[u32; 8], +) -> (u32, [u32; 9], [u32; 9], [u32; 8], [u32; 8]) { + let mut out1: u32 = 0; + let mut out2: [u32; 9] = [0; 9]; + let mut out3: [u32; 9] = [0; 9]; + let mut out4: [u32; 8] = [0; 8]; + let mut out5: [u32; 8] = [0; 8]; + let mut x1: u32 = 0; + let mut x2: fiat_bign256_scalar_u1 = 0; + let (x1, x2) = fiat_bign256_scalar_addcarryx_u32(0x0, (!arg1), (0x1 as u32)); + let x3: fiat_bign256_scalar_u1 = (((x1 >> 31) as fiat_bign256_scalar_u1) + & (((arg3[0]) & (0x1 as u32)) as fiat_bign256_scalar_u1)); + let mut x4: u32 = 0; + let mut x5: fiat_bign256_scalar_u1 = 0; + let (x4, x5) = fiat_bign256_scalar_addcarryx_u32(0x0, (!arg1), (0x1 as u32)); + let mut x6: u32 = 0; + let (x6) = fiat_bign256_scalar_cmovznz_u32(x3, arg1, x4); + let mut x7: u32 = 0; + let (x7) = fiat_bign256_scalar_cmovznz_u32(x3, (arg2[0]), (arg3[0])); + let mut x8: u32 = 0; + let (x8) = fiat_bign256_scalar_cmovznz_u32(x3, (arg2[1]), (arg3[1])); + let mut x9: u32 = 0; + let (x9) = fiat_bign256_scalar_cmovznz_u32(x3, (arg2[2]), (arg3[2])); + let mut x10: u32 = 0; + let (x10) = fiat_bign256_scalar_cmovznz_u32(x3, (arg2[3]), (arg3[3])); + let mut x11: u32 = 0; + let (x11) = fiat_bign256_scalar_cmovznz_u32(x3, (arg2[4]), (arg3[4])); + let mut x12: u32 = 0; + let (x12) = fiat_bign256_scalar_cmovznz_u32(x3, (arg2[5]), (arg3[5])); + let mut x13: u32 = 0; + let (x13) = fiat_bign256_scalar_cmovznz_u32(x3, (arg2[6]), (arg3[6])); + let mut x14: u32 = 0; + let (x14) = fiat_bign256_scalar_cmovznz_u32(x3, (arg2[7]), (arg3[7])); + let mut x15: u32 = 0; + let (x15) = fiat_bign256_scalar_cmovznz_u32(x3, (arg2[8]), (arg3[8])); + let mut x16: u32 = 0; + let mut x17: fiat_bign256_scalar_u1 = 0; + let (x16, x17) = fiat_bign256_scalar_addcarryx_u32(0x0, (0x1 as u32), (!(arg2[0]))); + let mut x18: u32 = 0; + let mut x19: fiat_bign256_scalar_u1 = 0; + let (x18, x19) = fiat_bign256_scalar_addcarryx_u32(x17, (0x0 as u32), (!(arg2[1]))); + let mut x20: u32 = 0; + let mut x21: fiat_bign256_scalar_u1 = 0; + let (x20, x21) = fiat_bign256_scalar_addcarryx_u32(x19, (0x0 as u32), (!(arg2[2]))); + let mut x22: u32 = 0; + let mut x23: fiat_bign256_scalar_u1 = 0; + let (x22, x23) = fiat_bign256_scalar_addcarryx_u32(x21, (0x0 as u32), (!(arg2[3]))); + let mut x24: u32 = 0; + let mut x25: fiat_bign256_scalar_u1 = 0; + let (x24, x25) = fiat_bign256_scalar_addcarryx_u32(x23, (0x0 as u32), (!(arg2[4]))); + let mut x26: u32 = 0; + let mut x27: fiat_bign256_scalar_u1 = 0; + let (x26, x27) = fiat_bign256_scalar_addcarryx_u32(x25, (0x0 as u32), (!(arg2[5]))); + let mut x28: u32 = 0; + let mut x29: fiat_bign256_scalar_u1 = 0; + let (x28, x29) = fiat_bign256_scalar_addcarryx_u32(x27, (0x0 as u32), (!(arg2[6]))); + let mut x30: u32 = 0; + let mut x31: fiat_bign256_scalar_u1 = 0; + let (x30, x31) = fiat_bign256_scalar_addcarryx_u32(x29, (0x0 as u32), (!(arg2[7]))); + let mut x32: u32 = 0; + let mut x33: fiat_bign256_scalar_u1 = 0; + let (x32, x33) = fiat_bign256_scalar_addcarryx_u32(x31, (0x0 as u32), (!(arg2[8]))); + let mut x34: u32 = 0; + let (x34) = fiat_bign256_scalar_cmovznz_u32(x3, (arg3[0]), x16); + let mut x35: u32 = 0; + let (x35) = fiat_bign256_scalar_cmovznz_u32(x3, (arg3[1]), x18); + let mut x36: u32 = 0; + let (x36) = fiat_bign256_scalar_cmovznz_u32(x3, (arg3[2]), x20); + let mut x37: u32 = 0; + let (x37) = fiat_bign256_scalar_cmovznz_u32(x3, (arg3[3]), x22); + let mut x38: u32 = 0; + let (x38) = fiat_bign256_scalar_cmovznz_u32(x3, (arg3[4]), x24); + let mut x39: u32 = 0; + let (x39) = fiat_bign256_scalar_cmovznz_u32(x3, (arg3[5]), x26); + let mut x40: u32 = 0; + let (x40) = fiat_bign256_scalar_cmovznz_u32(x3, (arg3[6]), x28); + let mut x41: u32 = 0; + let (x41) = fiat_bign256_scalar_cmovznz_u32(x3, (arg3[7]), x30); + let mut x42: u32 = 0; + let (x42) = fiat_bign256_scalar_cmovznz_u32(x3, (arg3[8]), x32); + let mut x43: u32 = 0; + let (x43) = fiat_bign256_scalar_cmovznz_u32(x3, (arg4[0]), (arg5[0])); + let mut x44: u32 = 0; + let (x44) = fiat_bign256_scalar_cmovznz_u32(x3, (arg4[1]), (arg5[1])); + let mut x45: u32 = 0; + let (x45) = fiat_bign256_scalar_cmovznz_u32(x3, (arg4[2]), (arg5[2])); + let mut x46: u32 = 0; + let (x46) = fiat_bign256_scalar_cmovznz_u32(x3, (arg4[3]), (arg5[3])); + let mut x47: u32 = 0; + let (x47) = fiat_bign256_scalar_cmovznz_u32(x3, (arg4[4]), (arg5[4])); + let mut x48: u32 = 0; + let (x48) = fiat_bign256_scalar_cmovznz_u32(x3, (arg4[5]), (arg5[5])); + let mut x49: u32 = 0; + let (x49) = fiat_bign256_scalar_cmovznz_u32(x3, (arg4[6]), (arg5[6])); + let mut x50: u32 = 0; + let (x50) = fiat_bign256_scalar_cmovznz_u32(x3, (arg4[7]), (arg5[7])); + let mut x51: u32 = 0; + let mut x52: fiat_bign256_scalar_u1 = 0; + let (x51, x52) = fiat_bign256_scalar_addcarryx_u32(0x0, x43, x43); + let mut x53: u32 = 0; + let mut x54: fiat_bign256_scalar_u1 = 0; + let (x53, x54) = fiat_bign256_scalar_addcarryx_u32(x52, x44, x44); + let mut x55: u32 = 0; + let mut x56: fiat_bign256_scalar_u1 = 0; + let (x55, x56) = fiat_bign256_scalar_addcarryx_u32(x54, x45, x45); + let mut x57: u32 = 0; + let mut x58: fiat_bign256_scalar_u1 = 0; + let (x57, x58) = fiat_bign256_scalar_addcarryx_u32(x56, x46, x46); + let mut x59: u32 = 0; + let mut x60: fiat_bign256_scalar_u1 = 0; + let (x59, x60) = fiat_bign256_scalar_addcarryx_u32(x58, x47, x47); + let mut x61: u32 = 0; + let mut x62: fiat_bign256_scalar_u1 = 0; + let (x61, x62) = fiat_bign256_scalar_addcarryx_u32(x60, x48, x48); + let mut x63: u32 = 0; + let mut x64: fiat_bign256_scalar_u1 = 0; + let (x63, x64) = fiat_bign256_scalar_addcarryx_u32(x62, x49, x49); + let mut x65: u32 = 0; + let mut x66: fiat_bign256_scalar_u1 = 0; + let (x65, x66) = fiat_bign256_scalar_addcarryx_u32(x64, x50, x50); + let mut x67: u32 = 0; + let mut x68: fiat_bign256_scalar_u1 = 0; + let (x67, x68) = fiat_bign256_scalar_subborrowx_u32(0x0, x51, 0x263d6607); + let mut x69: u32 = 0; + let mut x70: fiat_bign256_scalar_u1 = 0; + let (x69, x70) = fiat_bign256_scalar_subborrowx_u32(x68, x53, 0x7e5abf99); + let mut x71: u32 = 0; + let mut x72: fiat_bign256_scalar_u1 = 0; + let (x71, x72) = fiat_bign256_scalar_subborrowx_u32(x70, x55, 0xdfb4dfc); + let mut x73: u32 = 0; + let mut x74: fiat_bign256_scalar_u1 = 0; + let (x73, x74) = fiat_bign256_scalar_subborrowx_u32(x72, x57, 0xd95c8ed6); + let mut x75: u32 = 0; + let mut x76: fiat_bign256_scalar_u1 = 0; + let (x75, x76) = fiat_bign256_scalar_subborrowx_u32(x74, x59, 0xffffffff); + let mut x77: u32 = 0; + let mut x78: fiat_bign256_scalar_u1 = 0; + let (x77, x78) = fiat_bign256_scalar_subborrowx_u32(x76, x61, 0xffffffff); + let mut x79: u32 = 0; + let mut x80: fiat_bign256_scalar_u1 = 0; + let (x79, x80) = fiat_bign256_scalar_subborrowx_u32(x78, x63, 0xffffffff); + let mut x81: u32 = 0; + let mut x82: fiat_bign256_scalar_u1 = 0; + let (x81, x82) = fiat_bign256_scalar_subborrowx_u32(x80, x65, 0xffffffff); + let mut x83: u32 = 0; + let mut x84: fiat_bign256_scalar_u1 = 0; + let (x83, x84) = fiat_bign256_scalar_subborrowx_u32(x82, (x66 as u32), (0x0 as u32)); + let x85: u32 = (arg4[7]); + let x86: u32 = (arg4[6]); + let x87: u32 = (arg4[5]); + let x88: u32 = (arg4[4]); + let x89: u32 = (arg4[3]); + let x90: u32 = (arg4[2]); + let x91: u32 = (arg4[1]); + let x92: u32 = (arg4[0]); + let mut x93: u32 = 0; + let mut x94: fiat_bign256_scalar_u1 = 0; + let (x93, x94) = fiat_bign256_scalar_subborrowx_u32(0x0, (0x0 as u32), x92); + let mut x95: u32 = 0; + let mut x96: fiat_bign256_scalar_u1 = 0; + let (x95, x96) = fiat_bign256_scalar_subborrowx_u32(x94, (0x0 as u32), x91); + let mut x97: u32 = 0; + let mut x98: fiat_bign256_scalar_u1 = 0; + let (x97, x98) = fiat_bign256_scalar_subborrowx_u32(x96, (0x0 as u32), x90); + let mut x99: u32 = 0; + let mut x100: fiat_bign256_scalar_u1 = 0; + let (x99, x100) = fiat_bign256_scalar_subborrowx_u32(x98, (0x0 as u32), x89); + let mut x101: u32 = 0; + let mut x102: fiat_bign256_scalar_u1 = 0; + let (x101, x102) = fiat_bign256_scalar_subborrowx_u32(x100, (0x0 as u32), x88); + let mut x103: u32 = 0; + let mut x104: fiat_bign256_scalar_u1 = 0; + let (x103, x104) = fiat_bign256_scalar_subborrowx_u32(x102, (0x0 as u32), x87); + let mut x105: u32 = 0; + let mut x106: fiat_bign256_scalar_u1 = 0; + let (x105, x106) = fiat_bign256_scalar_subborrowx_u32(x104, (0x0 as u32), x86); + let mut x107: u32 = 0; + let mut x108: fiat_bign256_scalar_u1 = 0; + let (x107, x108) = fiat_bign256_scalar_subborrowx_u32(x106, (0x0 as u32), x85); + let mut x109: u32 = 0; + let (x109) = fiat_bign256_scalar_cmovznz_u32(x108, (0x0 as u32), 0xffffffff); + let mut x110: u32 = 0; + let mut x111: fiat_bign256_scalar_u1 = 0; + let (x110, x111) = fiat_bign256_scalar_addcarryx_u32(0x0, x93, (x109 & 0x263d6607)); + let mut x112: u32 = 0; + let mut x113: fiat_bign256_scalar_u1 = 0; + let (x112, x113) = fiat_bign256_scalar_addcarryx_u32(x111, x95, (x109 & 0x7e5abf99)); + let mut x114: u32 = 0; + let mut x115: fiat_bign256_scalar_u1 = 0; + let (x114, x115) = fiat_bign256_scalar_addcarryx_u32(x113, x97, (x109 & 0xdfb4dfc)); + let mut x116: u32 = 0; + let mut x117: fiat_bign256_scalar_u1 = 0; + let (x116, x117) = fiat_bign256_scalar_addcarryx_u32(x115, x99, (x109 & 0xd95c8ed6)); + let mut x118: u32 = 0; + let mut x119: fiat_bign256_scalar_u1 = 0; + let (x118, x119) = fiat_bign256_scalar_addcarryx_u32(x117, x101, x109); + let mut x120: u32 = 0; + let mut x121: fiat_bign256_scalar_u1 = 0; + let (x120, x121) = fiat_bign256_scalar_addcarryx_u32(x119, x103, x109); + let mut x122: u32 = 0; + let mut x123: fiat_bign256_scalar_u1 = 0; + let (x122, x123) = fiat_bign256_scalar_addcarryx_u32(x121, x105, x109); + let mut x124: u32 = 0; + let mut x125: fiat_bign256_scalar_u1 = 0; + let (x124, x125) = fiat_bign256_scalar_addcarryx_u32(x123, x107, x109); + let mut x126: u32 = 0; + let (x126) = fiat_bign256_scalar_cmovznz_u32(x3, (arg5[0]), x110); + let mut x127: u32 = 0; + let (x127) = fiat_bign256_scalar_cmovznz_u32(x3, (arg5[1]), x112); + let mut x128: u32 = 0; + let (x128) = fiat_bign256_scalar_cmovznz_u32(x3, (arg5[2]), x114); + let mut x129: u32 = 0; + let (x129) = fiat_bign256_scalar_cmovznz_u32(x3, (arg5[3]), x116); + let mut x130: u32 = 0; + let (x130) = fiat_bign256_scalar_cmovznz_u32(x3, (arg5[4]), x118); + let mut x131: u32 = 0; + let (x131) = fiat_bign256_scalar_cmovznz_u32(x3, (arg5[5]), x120); + let mut x132: u32 = 0; + let (x132) = fiat_bign256_scalar_cmovznz_u32(x3, (arg5[6]), x122); + let mut x133: u32 = 0; + let (x133) = fiat_bign256_scalar_cmovznz_u32(x3, (arg5[7]), x124); + let x134: fiat_bign256_scalar_u1 = ((x34 & (0x1 as u32)) as fiat_bign256_scalar_u1); + let mut x135: u32 = 0; + let (x135) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x7); + let mut x136: u32 = 0; + let (x136) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x8); + let mut x137: u32 = 0; + let (x137) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x9); + let mut x138: u32 = 0; + let (x138) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x10); + let mut x139: u32 = 0; + let (x139) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x11); + let mut x140: u32 = 0; + let (x140) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x12); + let mut x141: u32 = 0; + let (x141) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x13); + let mut x142: u32 = 0; + let (x142) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x14); + let mut x143: u32 = 0; + let (x143) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x15); + let mut x144: u32 = 0; + let mut x145: fiat_bign256_scalar_u1 = 0; + let (x144, x145) = fiat_bign256_scalar_addcarryx_u32(0x0, x34, x135); + let mut x146: u32 = 0; + let mut x147: fiat_bign256_scalar_u1 = 0; + let (x146, x147) = fiat_bign256_scalar_addcarryx_u32(x145, x35, x136); + let mut x148: u32 = 0; + let mut x149: fiat_bign256_scalar_u1 = 0; + let (x148, x149) = fiat_bign256_scalar_addcarryx_u32(x147, x36, x137); + let mut x150: u32 = 0; + let mut x151: fiat_bign256_scalar_u1 = 0; + let (x150, x151) = fiat_bign256_scalar_addcarryx_u32(x149, x37, x138); + let mut x152: u32 = 0; + let mut x153: fiat_bign256_scalar_u1 = 0; + let (x152, x153) = fiat_bign256_scalar_addcarryx_u32(x151, x38, x139); + let mut x154: u32 = 0; + let mut x155: fiat_bign256_scalar_u1 = 0; + let (x154, x155) = fiat_bign256_scalar_addcarryx_u32(x153, x39, x140); + let mut x156: u32 = 0; + let mut x157: fiat_bign256_scalar_u1 = 0; + let (x156, x157) = fiat_bign256_scalar_addcarryx_u32(x155, x40, x141); + let mut x158: u32 = 0; + let mut x159: fiat_bign256_scalar_u1 = 0; + let (x158, x159) = fiat_bign256_scalar_addcarryx_u32(x157, x41, x142); + let mut x160: u32 = 0; + let mut x161: fiat_bign256_scalar_u1 = 0; + let (x160, x161) = fiat_bign256_scalar_addcarryx_u32(x159, x42, x143); + let mut x162: u32 = 0; + let (x162) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x43); + let mut x163: u32 = 0; + let (x163) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x44); + let mut x164: u32 = 0; + let (x164) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x45); + let mut x165: u32 = 0; + let (x165) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x46); + let mut x166: u32 = 0; + let (x166) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x47); + let mut x167: u32 = 0; + let (x167) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x48); + let mut x168: u32 = 0; + let (x168) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x49); + let mut x169: u32 = 0; + let (x169) = fiat_bign256_scalar_cmovznz_u32(x134, (0x0 as u32), x50); + let mut x170: u32 = 0; + let mut x171: fiat_bign256_scalar_u1 = 0; + let (x170, x171) = fiat_bign256_scalar_addcarryx_u32(0x0, x126, x162); + let mut x172: u32 = 0; + let mut x173: fiat_bign256_scalar_u1 = 0; + let (x172, x173) = fiat_bign256_scalar_addcarryx_u32(x171, x127, x163); + let mut x174: u32 = 0; + let mut x175: fiat_bign256_scalar_u1 = 0; + let (x174, x175) = fiat_bign256_scalar_addcarryx_u32(x173, x128, x164); + let mut x176: u32 = 0; + let mut x177: fiat_bign256_scalar_u1 = 0; + let (x176, x177) = fiat_bign256_scalar_addcarryx_u32(x175, x129, x165); + let mut x178: u32 = 0; + let mut x179: fiat_bign256_scalar_u1 = 0; + let (x178, x179) = fiat_bign256_scalar_addcarryx_u32(x177, x130, x166); + let mut x180: u32 = 0; + let mut x181: fiat_bign256_scalar_u1 = 0; + let (x180, x181) = fiat_bign256_scalar_addcarryx_u32(x179, x131, x167); + let mut x182: u32 = 0; + let mut x183: fiat_bign256_scalar_u1 = 0; + let (x182, x183) = fiat_bign256_scalar_addcarryx_u32(x181, x132, x168); + let mut x184: u32 = 0; + let mut x185: fiat_bign256_scalar_u1 = 0; + let (x184, x185) = fiat_bign256_scalar_addcarryx_u32(x183, x133, x169); + let mut x186: u32 = 0; + let mut x187: fiat_bign256_scalar_u1 = 0; + let (x186, x187) = fiat_bign256_scalar_subborrowx_u32(0x0, x170, 0x263d6607); + let mut x188: u32 = 0; + let mut x189: fiat_bign256_scalar_u1 = 0; + let (x188, x189) = fiat_bign256_scalar_subborrowx_u32(x187, x172, 0x7e5abf99); + let mut x190: u32 = 0; + let mut x191: fiat_bign256_scalar_u1 = 0; + let (x190, x191) = fiat_bign256_scalar_subborrowx_u32(x189, x174, 0xdfb4dfc); + let mut x192: u32 = 0; + let mut x193: fiat_bign256_scalar_u1 = 0; + let (x192, x193) = fiat_bign256_scalar_subborrowx_u32(x191, x176, 0xd95c8ed6); + let mut x194: u32 = 0; + let mut x195: fiat_bign256_scalar_u1 = 0; + let (x194, x195) = fiat_bign256_scalar_subborrowx_u32(x193, x178, 0xffffffff); + let mut x196: u32 = 0; + let mut x197: fiat_bign256_scalar_u1 = 0; + let (x196, x197) = fiat_bign256_scalar_subborrowx_u32(x195, x180, 0xffffffff); + let mut x198: u32 = 0; + let mut x199: fiat_bign256_scalar_u1 = 0; + let (x198, x199) = fiat_bign256_scalar_subborrowx_u32(x197, x182, 0xffffffff); + let mut x200: u32 = 0; + let mut x201: fiat_bign256_scalar_u1 = 0; + let (x200, x201) = fiat_bign256_scalar_subborrowx_u32(x199, x184, 0xffffffff); + let mut x202: u32 = 0; + let mut x203: fiat_bign256_scalar_u1 = 0; + let (x202, x203) = fiat_bign256_scalar_subborrowx_u32(x201, (x185 as u32), (0x0 as u32)); + let mut x204: u32 = 0; + let mut x205: fiat_bign256_scalar_u1 = 0; + let (x204, x205) = fiat_bign256_scalar_addcarryx_u32(0x0, x6, (0x1 as u32)); + let x206: u32 = ((x144 >> 1) | ((x146 << 31) & 0xffffffff)); + let x207: u32 = ((x146 >> 1) | ((x148 << 31) & 0xffffffff)); + let x208: u32 = ((x148 >> 1) | ((x150 << 31) & 0xffffffff)); + let x209: u32 = ((x150 >> 1) | ((x152 << 31) & 0xffffffff)); + let x210: u32 = ((x152 >> 1) | ((x154 << 31) & 0xffffffff)); + let x211: u32 = ((x154 >> 1) | ((x156 << 31) & 0xffffffff)); + let x212: u32 = ((x156 >> 1) | ((x158 << 31) & 0xffffffff)); + let x213: u32 = ((x158 >> 1) | ((x160 << 31) & 0xffffffff)); + let x214: u32 = ((x160 & 0x80000000) | (x160 >> 1)); + let mut x215: u32 = 0; + let (x215) = fiat_bign256_scalar_cmovznz_u32(x84, x67, x51); + let mut x216: u32 = 0; + let (x216) = fiat_bign256_scalar_cmovznz_u32(x84, x69, x53); + let mut x217: u32 = 0; + let (x217) = fiat_bign256_scalar_cmovznz_u32(x84, x71, x55); + let mut x218: u32 = 0; + let (x218) = fiat_bign256_scalar_cmovznz_u32(x84, x73, x57); + let mut x219: u32 = 0; + let (x219) = fiat_bign256_scalar_cmovznz_u32(x84, x75, x59); + let mut x220: u32 = 0; + let (x220) = fiat_bign256_scalar_cmovznz_u32(x84, x77, x61); + let mut x221: u32 = 0; + let (x221) = fiat_bign256_scalar_cmovznz_u32(x84, x79, x63); + let mut x222: u32 = 0; + let (x222) = fiat_bign256_scalar_cmovznz_u32(x84, x81, x65); + let mut x223: u32 = 0; + let (x223) = fiat_bign256_scalar_cmovznz_u32(x203, x186, x170); + let mut x224: u32 = 0; + let (x224) = fiat_bign256_scalar_cmovznz_u32(x203, x188, x172); + let mut x225: u32 = 0; + let (x225) = fiat_bign256_scalar_cmovznz_u32(x203, x190, x174); + let mut x226: u32 = 0; + let (x226) = fiat_bign256_scalar_cmovznz_u32(x203, x192, x176); + let mut x227: u32 = 0; + let (x227) = fiat_bign256_scalar_cmovznz_u32(x203, x194, x178); + let mut x228: u32 = 0; + let (x228) = fiat_bign256_scalar_cmovznz_u32(x203, x196, x180); + let mut x229: u32 = 0; + let (x229) = fiat_bign256_scalar_cmovznz_u32(x203, x198, x182); + let mut x230: u32 = 0; + let (x230) = fiat_bign256_scalar_cmovznz_u32(x203, x200, x184); + out1 = x204; + out2[0] = x7; + out2[1] = x8; + out2[2] = x9; + out2[3] = x10; + out2[4] = x11; + out2[5] = x12; + out2[6] = x13; + out2[7] = x14; + out2[8] = x15; + out3[0] = x206; + out3[1] = x207; + out3[2] = x208; + out3[3] = x209; + out3[4] = x210; + out3[5] = x211; + out3[6] = x212; + out3[7] = x213; + out3[8] = x214; + out4[0] = x215; + out4[1] = x216; + out4[2] = x217; + out4[3] = x218; + out4[4] = x219; + out4[5] = x220; + out4[6] = x221; + out4[7] = x222; + out5[0] = x223; + out5[1] = x224; + out5[2] = x225; + out5[3] = x226; + out5[4] = x227; + out5[5] = x228; + out5[6] = x229; + out5[7] = x230; + (out1, out2, out3, out4, out5) +} +#[doc = " The function fiat_bign256_scalar_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form)."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) = ⌊(m - 1) / 2βŒ‹^(if ⌊log2 mβŒ‹ + 1 < 46 then ⌊(49 * (⌊log2 mβŒ‹ + 1) + 80) / 17βŒ‹ else ⌊(49 * (⌊log2 mβŒ‹ + 1) + 57) / 17βŒ‹)"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]"] +#[inline] +pub const fn fiat_bign256_scalar_divstep_precomp() -> [u32; 8] { + let mut out1: [u32; 8] = [0; 8]; + out1[0] = 0x2465feb0; + out1[1] = 0xeffe1f65; + out1[2] = 0x1a30f6de; + out1[3] = 0xb12c827f; + out1[4] = 0x445b1483; + out1[5] = 0xf63934f7; + out1[6] = 0x55dddae4; + out1[7] = 0x898f2e1e; + out1 +} diff --git a/bign256/src/arithmetic/scalar/bign256_scalar_64.rs b/bign256/src/arithmetic/scalar/bign256_scalar_64.rs new file mode 100644 index 00000000..bfa25928 --- /dev/null +++ b/bign256/src/arithmetic/scalar/bign256_scalar_64.rs @@ -0,0 +1,2106 @@ +#![doc = " fiat-crypto output postprocessed by fiat-constify: "] +#![doc = " Autogenerated: './word_by_word_montgomery' --lang Rust --inline bign256_scalar 64 '2^256 - 51359303463308904523350978545619999225' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp"] +#![doc = " curve description: bign256_scalar"] +#![doc = " machine_wordsize = 64 (from \"64\")"] +#![doc = " requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp"] +#![doc = " m = 0xffffffffffffffffffffffffffffffffd95c8ed60dfb4dfc7e5abf99263d6607 (from \"2^256 - 51359303463308904523350978545619999225\")"] +#![doc = ""] +#![doc = " NOTE: In addition to the bounds specified above each function, all"] +#![doc = " functions synthesized for this Montgomery arithmetic require the"] +#![doc = " input to be strictly less than the prime modulus (m), and also"] +#![doc = " require the input to be in the unique saturated representation."] +#![doc = " All functions also ensure that these two properties are true of"] +#![doc = " return values."] +#![doc = ""] +#![doc = " Computed values:"] +#![doc = " eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192)"] +#![doc = " bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248)"] +#![doc = " twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in"] +#![doc = " if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256"] +#![allow(unused_parens)] +#![allow(non_camel_case_types)] +#![allow( + clippy::identity_op, + clippy::unnecessary_cast, + dead_code, + rustdoc::broken_intra_doc_links, + unused_assignments, + unused_mut, + unused_variables +)] +pub type fiat_bign256_scalar_u1 = u8; +pub type fiat_bign256_scalar_i1 = i8; +pub type fiat_bign256_scalar_u2 = u8; +pub type fiat_bign256_scalar_i2 = i8; +pub type fiat_bign256_scalar_montgomery_domain_field_element = [u64; 4]; +pub type fiat_bign256_scalar_non_montgomery_domain_field_element = [u64; 4]; +#[doc = " The function fiat_bign256_scalar_addcarryx_u64 is an addition with carry."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (arg1 + arg2 + arg3) mod 2^64"] +#[doc = " out2 = ⌊(arg1 + arg2 + arg3) / 2^64βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " out2: [0x0 ~> 0x1]"] +#[inline] +pub const fn fiat_bign256_scalar_addcarryx_u64( + arg1: fiat_bign256_scalar_u1, + arg2: u64, + arg3: u64, +) -> (u64, fiat_bign256_scalar_u1) { + let mut out1: u64 = 0; + let mut out2: fiat_bign256_scalar_u1 = 0; + let x1: u128 = (((arg1 as u128) + (arg2 as u128)) + (arg3 as u128)); + let x2: u64 = ((x1 & (0xffffffffffffffff as u128)) as u64); + let x3: fiat_bign256_scalar_u1 = ((x1 >> 64) as fiat_bign256_scalar_u1); + out1 = x2; + out2 = x3; + (out1, out2) +} +#[doc = " The function fiat_bign256_scalar_subborrowx_u64 is a subtraction with borrow."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (-arg1 + arg2 + -arg3) mod 2^64"] +#[doc = " out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " out2: [0x0 ~> 0x1]"] +#[inline] +pub const fn fiat_bign256_scalar_subborrowx_u64( + arg1: fiat_bign256_scalar_u1, + arg2: u64, + arg3: u64, +) -> (u64, fiat_bign256_scalar_u1) { + let mut out1: u64 = 0; + let mut out2: fiat_bign256_scalar_u1 = 0; + let x1: i128 = (((arg2 as i128) - (arg1 as i128)) - (arg3 as i128)); + let x2: fiat_bign256_scalar_i1 = ((x1 >> 64) as fiat_bign256_scalar_i1); + let x3: u64 = ((x1 & (0xffffffffffffffff as i128)) as u64); + out1 = x3; + out2 = (((0x0 as fiat_bign256_scalar_i2) - (x2 as fiat_bign256_scalar_i2)) + as fiat_bign256_scalar_u1); + (out1, out2) +} +#[doc = " The function fiat_bign256_scalar_mulx_u64 is a multiplication, returning the full double-width result."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (arg1 * arg2) mod 2^64"] +#[doc = " out2 = ⌊arg1 * arg2 / 2^64βŒ‹"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " out2: [0x0 ~> 0xffffffffffffffff]"] +#[inline] +pub const fn fiat_bign256_scalar_mulx_u64(arg1: u64, arg2: u64) -> (u64, u64) { + let mut out1: u64 = 0; + let mut out2: u64 = 0; + let x1: u128 = ((arg1 as u128) * (arg2 as u128)); + let x2: u64 = ((x1 & (0xffffffffffffffff as u128)) as u64); + let x3: u64 = ((x1 >> 64) as u64); + out1 = x2; + out2 = x3; + (out1, out2) +} +#[doc = " The function fiat_bign256_scalar_cmovznz_u64 is a single-word conditional move."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " arg3: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[inline] +pub const fn fiat_bign256_scalar_cmovznz_u64( + arg1: fiat_bign256_scalar_u1, + arg2: u64, + arg3: u64, +) -> u64 { + let mut out1: u64 = 0; + let x1: fiat_bign256_scalar_u1 = (!(!arg1)); + let x2: u64 = ((((((0x0 as fiat_bign256_scalar_i2) - (x1 as fiat_bign256_scalar_i2)) + as fiat_bign256_scalar_i1) as i128) + & (0xffffffffffffffff as i128)) as u64); + let x3: u64 = ((x2 & arg3) | ((!x2) & arg2)); + out1 = x3; + out1 +} +#[doc = " The function fiat_bign256_scalar_mul multiplies two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_mul( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, + arg2: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 4]; + let x1: u64 = (arg1[1]); + let x2: u64 = (arg1[2]); + let x3: u64 = (arg1[3]); + let x4: u64 = (arg1[0]); + let mut x5: u64 = 0; + let mut x6: u64 = 0; + let (x5, x6) = fiat_bign256_scalar_mulx_u64(x4, (arg2[3])); + let mut x7: u64 = 0; + let mut x8: u64 = 0; + let (x7, x8) = fiat_bign256_scalar_mulx_u64(x4, (arg2[2])); + let mut x9: u64 = 0; + let mut x10: u64 = 0; + let (x9, x10) = fiat_bign256_scalar_mulx_u64(x4, (arg2[1])); + let mut x11: u64 = 0; + let mut x12: u64 = 0; + let (x11, x12) = fiat_bign256_scalar_mulx_u64(x4, (arg2[0])); + let mut x13: u64 = 0; + let mut x14: fiat_bign256_scalar_u1 = 0; + let (x13, x14) = fiat_bign256_scalar_addcarryx_u64(0x0, x12, x9); + let mut x15: u64 = 0; + let mut x16: fiat_bign256_scalar_u1 = 0; + let (x15, x16) = fiat_bign256_scalar_addcarryx_u64(x14, x10, x7); + let mut x17: u64 = 0; + let mut x18: fiat_bign256_scalar_u1 = 0; + let (x17, x18) = fiat_bign256_scalar_addcarryx_u64(x16, x8, x5); + let x19: u64 = ((x18 as u64) + x6); + let mut x20: u64 = 0; + let mut x21: u64 = 0; + let (x20, x21) = fiat_bign256_scalar_mulx_u64(x11, 0x8d64dbd30858d849); + let mut x22: u64 = 0; + let mut x23: u64 = 0; + let (x22, x23) = fiat_bign256_scalar_mulx_u64(x20, 0xffffffffffffffff); + let mut x24: u64 = 0; + let mut x25: u64 = 0; + let (x24, x25) = fiat_bign256_scalar_mulx_u64(x20, 0xffffffffffffffff); + let mut x26: u64 = 0; + let mut x27: u64 = 0; + let (x26, x27) = fiat_bign256_scalar_mulx_u64(x20, 0xd95c8ed60dfb4dfc); + let mut x28: u64 = 0; + let mut x29: u64 = 0; + let (x28, x29) = fiat_bign256_scalar_mulx_u64(x20, 0x7e5abf99263d6607); + let mut x30: u64 = 0; + let mut x31: fiat_bign256_scalar_u1 = 0; + let (x30, x31) = fiat_bign256_scalar_addcarryx_u64(0x0, x29, x26); + let mut x32: u64 = 0; + let mut x33: fiat_bign256_scalar_u1 = 0; + let (x32, x33) = fiat_bign256_scalar_addcarryx_u64(x31, x27, x24); + let mut x34: u64 = 0; + let mut x35: fiat_bign256_scalar_u1 = 0; + let (x34, x35) = fiat_bign256_scalar_addcarryx_u64(x33, x25, x22); + let x36: u64 = ((x35 as u64) + x23); + let mut x37: u64 = 0; + let mut x38: fiat_bign256_scalar_u1 = 0; + let (x37, x38) = fiat_bign256_scalar_addcarryx_u64(0x0, x11, x28); + let mut x39: u64 = 0; + let mut x40: fiat_bign256_scalar_u1 = 0; + let (x39, x40) = fiat_bign256_scalar_addcarryx_u64(x38, x13, x30); + let mut x41: u64 = 0; + let mut x42: fiat_bign256_scalar_u1 = 0; + let (x41, x42) = fiat_bign256_scalar_addcarryx_u64(x40, x15, x32); + let mut x43: u64 = 0; + let mut x44: fiat_bign256_scalar_u1 = 0; + let (x43, x44) = fiat_bign256_scalar_addcarryx_u64(x42, x17, x34); + let mut x45: u64 = 0; + let mut x46: fiat_bign256_scalar_u1 = 0; + let (x45, x46) = fiat_bign256_scalar_addcarryx_u64(x44, x19, x36); + let mut x47: u64 = 0; + let mut x48: u64 = 0; + let (x47, x48) = fiat_bign256_scalar_mulx_u64(x1, (arg2[3])); + let mut x49: u64 = 0; + let mut x50: u64 = 0; + let (x49, x50) = fiat_bign256_scalar_mulx_u64(x1, (arg2[2])); + let mut x51: u64 = 0; + let mut x52: u64 = 0; + let (x51, x52) = fiat_bign256_scalar_mulx_u64(x1, (arg2[1])); + let mut x53: u64 = 0; + let mut x54: u64 = 0; + let (x53, x54) = fiat_bign256_scalar_mulx_u64(x1, (arg2[0])); + let mut x55: u64 = 0; + let mut x56: fiat_bign256_scalar_u1 = 0; + let (x55, x56) = fiat_bign256_scalar_addcarryx_u64(0x0, x54, x51); + let mut x57: u64 = 0; + let mut x58: fiat_bign256_scalar_u1 = 0; + let (x57, x58) = fiat_bign256_scalar_addcarryx_u64(x56, x52, x49); + let mut x59: u64 = 0; + let mut x60: fiat_bign256_scalar_u1 = 0; + let (x59, x60) = fiat_bign256_scalar_addcarryx_u64(x58, x50, x47); + let x61: u64 = ((x60 as u64) + x48); + let mut x62: u64 = 0; + let mut x63: fiat_bign256_scalar_u1 = 0; + let (x62, x63) = fiat_bign256_scalar_addcarryx_u64(0x0, x39, x53); + let mut x64: u64 = 0; + let mut x65: fiat_bign256_scalar_u1 = 0; + let (x64, x65) = fiat_bign256_scalar_addcarryx_u64(x63, x41, x55); + let mut x66: u64 = 0; + let mut x67: fiat_bign256_scalar_u1 = 0; + let (x66, x67) = fiat_bign256_scalar_addcarryx_u64(x65, x43, x57); + let mut x68: u64 = 0; + let mut x69: fiat_bign256_scalar_u1 = 0; + let (x68, x69) = fiat_bign256_scalar_addcarryx_u64(x67, x45, x59); + let mut x70: u64 = 0; + let mut x71: fiat_bign256_scalar_u1 = 0; + let (x70, x71) = fiat_bign256_scalar_addcarryx_u64(x69, (x46 as u64), x61); + let mut x72: u64 = 0; + let mut x73: u64 = 0; + let (x72, x73) = fiat_bign256_scalar_mulx_u64(x62, 0x8d64dbd30858d849); + let mut x74: u64 = 0; + let mut x75: u64 = 0; + let (x74, x75) = fiat_bign256_scalar_mulx_u64(x72, 0xffffffffffffffff); + let mut x76: u64 = 0; + let mut x77: u64 = 0; + let (x76, x77) = fiat_bign256_scalar_mulx_u64(x72, 0xffffffffffffffff); + let mut x78: u64 = 0; + let mut x79: u64 = 0; + let (x78, x79) = fiat_bign256_scalar_mulx_u64(x72, 0xd95c8ed60dfb4dfc); + let mut x80: u64 = 0; + let mut x81: u64 = 0; + let (x80, x81) = fiat_bign256_scalar_mulx_u64(x72, 0x7e5abf99263d6607); + let mut x82: u64 = 0; + let mut x83: fiat_bign256_scalar_u1 = 0; + let (x82, x83) = fiat_bign256_scalar_addcarryx_u64(0x0, x81, x78); + let mut x84: u64 = 0; + let mut x85: fiat_bign256_scalar_u1 = 0; + let (x84, x85) = fiat_bign256_scalar_addcarryx_u64(x83, x79, x76); + let mut x86: u64 = 0; + let mut x87: fiat_bign256_scalar_u1 = 0; + let (x86, x87) = fiat_bign256_scalar_addcarryx_u64(x85, x77, x74); + let x88: u64 = ((x87 as u64) + x75); + let mut x89: u64 = 0; + let mut x90: fiat_bign256_scalar_u1 = 0; + let (x89, x90) = fiat_bign256_scalar_addcarryx_u64(0x0, x62, x80); + let mut x91: u64 = 0; + let mut x92: fiat_bign256_scalar_u1 = 0; + let (x91, x92) = fiat_bign256_scalar_addcarryx_u64(x90, x64, x82); + let mut x93: u64 = 0; + let mut x94: fiat_bign256_scalar_u1 = 0; + let (x93, x94) = fiat_bign256_scalar_addcarryx_u64(x92, x66, x84); + let mut x95: u64 = 0; + let mut x96: fiat_bign256_scalar_u1 = 0; + let (x95, x96) = fiat_bign256_scalar_addcarryx_u64(x94, x68, x86); + let mut x97: u64 = 0; + let mut x98: fiat_bign256_scalar_u1 = 0; + let (x97, x98) = fiat_bign256_scalar_addcarryx_u64(x96, x70, x88); + let x99: u64 = ((x98 as u64) + (x71 as u64)); + let mut x100: u64 = 0; + let mut x101: u64 = 0; + let (x100, x101) = fiat_bign256_scalar_mulx_u64(x2, (arg2[3])); + let mut x102: u64 = 0; + let mut x103: u64 = 0; + let (x102, x103) = fiat_bign256_scalar_mulx_u64(x2, (arg2[2])); + let mut x104: u64 = 0; + let mut x105: u64 = 0; + let (x104, x105) = fiat_bign256_scalar_mulx_u64(x2, (arg2[1])); + let mut x106: u64 = 0; + let mut x107: u64 = 0; + let (x106, x107) = fiat_bign256_scalar_mulx_u64(x2, (arg2[0])); + let mut x108: u64 = 0; + let mut x109: fiat_bign256_scalar_u1 = 0; + let (x108, x109) = fiat_bign256_scalar_addcarryx_u64(0x0, x107, x104); + let mut x110: u64 = 0; + let mut x111: fiat_bign256_scalar_u1 = 0; + let (x110, x111) = fiat_bign256_scalar_addcarryx_u64(x109, x105, x102); + let mut x112: u64 = 0; + let mut x113: fiat_bign256_scalar_u1 = 0; + let (x112, x113) = fiat_bign256_scalar_addcarryx_u64(x111, x103, x100); + let x114: u64 = ((x113 as u64) + x101); + let mut x115: u64 = 0; + let mut x116: fiat_bign256_scalar_u1 = 0; + let (x115, x116) = fiat_bign256_scalar_addcarryx_u64(0x0, x91, x106); + let mut x117: u64 = 0; + let mut x118: fiat_bign256_scalar_u1 = 0; + let (x117, x118) = fiat_bign256_scalar_addcarryx_u64(x116, x93, x108); + let mut x119: u64 = 0; + let mut x120: fiat_bign256_scalar_u1 = 0; + let (x119, x120) = fiat_bign256_scalar_addcarryx_u64(x118, x95, x110); + let mut x121: u64 = 0; + let mut x122: fiat_bign256_scalar_u1 = 0; + let (x121, x122) = fiat_bign256_scalar_addcarryx_u64(x120, x97, x112); + let mut x123: u64 = 0; + let mut x124: fiat_bign256_scalar_u1 = 0; + let (x123, x124) = fiat_bign256_scalar_addcarryx_u64(x122, x99, x114); + let mut x125: u64 = 0; + let mut x126: u64 = 0; + let (x125, x126) = fiat_bign256_scalar_mulx_u64(x115, 0x8d64dbd30858d849); + let mut x127: u64 = 0; + let mut x128: u64 = 0; + let (x127, x128) = fiat_bign256_scalar_mulx_u64(x125, 0xffffffffffffffff); + let mut x129: u64 = 0; + let mut x130: u64 = 0; + let (x129, x130) = fiat_bign256_scalar_mulx_u64(x125, 0xffffffffffffffff); + let mut x131: u64 = 0; + let mut x132: u64 = 0; + let (x131, x132) = fiat_bign256_scalar_mulx_u64(x125, 0xd95c8ed60dfb4dfc); + let mut x133: u64 = 0; + let mut x134: u64 = 0; + let (x133, x134) = fiat_bign256_scalar_mulx_u64(x125, 0x7e5abf99263d6607); + let mut x135: u64 = 0; + let mut x136: fiat_bign256_scalar_u1 = 0; + let (x135, x136) = fiat_bign256_scalar_addcarryx_u64(0x0, x134, x131); + let mut x137: u64 = 0; + let mut x138: fiat_bign256_scalar_u1 = 0; + let (x137, x138) = fiat_bign256_scalar_addcarryx_u64(x136, x132, x129); + let mut x139: u64 = 0; + let mut x140: fiat_bign256_scalar_u1 = 0; + let (x139, x140) = fiat_bign256_scalar_addcarryx_u64(x138, x130, x127); + let x141: u64 = ((x140 as u64) + x128); + let mut x142: u64 = 0; + let mut x143: fiat_bign256_scalar_u1 = 0; + let (x142, x143) = fiat_bign256_scalar_addcarryx_u64(0x0, x115, x133); + let mut x144: u64 = 0; + let mut x145: fiat_bign256_scalar_u1 = 0; + let (x144, x145) = fiat_bign256_scalar_addcarryx_u64(x143, x117, x135); + let mut x146: u64 = 0; + let mut x147: fiat_bign256_scalar_u1 = 0; + let (x146, x147) = fiat_bign256_scalar_addcarryx_u64(x145, x119, x137); + let mut x148: u64 = 0; + let mut x149: fiat_bign256_scalar_u1 = 0; + let (x148, x149) = fiat_bign256_scalar_addcarryx_u64(x147, x121, x139); + let mut x150: u64 = 0; + let mut x151: fiat_bign256_scalar_u1 = 0; + let (x150, x151) = fiat_bign256_scalar_addcarryx_u64(x149, x123, x141); + let x152: u64 = ((x151 as u64) + (x124 as u64)); + let mut x153: u64 = 0; + let mut x154: u64 = 0; + let (x153, x154) = fiat_bign256_scalar_mulx_u64(x3, (arg2[3])); + let mut x155: u64 = 0; + let mut x156: u64 = 0; + let (x155, x156) = fiat_bign256_scalar_mulx_u64(x3, (arg2[2])); + let mut x157: u64 = 0; + let mut x158: u64 = 0; + let (x157, x158) = fiat_bign256_scalar_mulx_u64(x3, (arg2[1])); + let mut x159: u64 = 0; + let mut x160: u64 = 0; + let (x159, x160) = fiat_bign256_scalar_mulx_u64(x3, (arg2[0])); + let mut x161: u64 = 0; + let mut x162: fiat_bign256_scalar_u1 = 0; + let (x161, x162) = fiat_bign256_scalar_addcarryx_u64(0x0, x160, x157); + let mut x163: u64 = 0; + let mut x164: fiat_bign256_scalar_u1 = 0; + let (x163, x164) = fiat_bign256_scalar_addcarryx_u64(x162, x158, x155); + let mut x165: u64 = 0; + let mut x166: fiat_bign256_scalar_u1 = 0; + let (x165, x166) = fiat_bign256_scalar_addcarryx_u64(x164, x156, x153); + let x167: u64 = ((x166 as u64) + x154); + let mut x168: u64 = 0; + let mut x169: fiat_bign256_scalar_u1 = 0; + let (x168, x169) = fiat_bign256_scalar_addcarryx_u64(0x0, x144, x159); + let mut x170: u64 = 0; + let mut x171: fiat_bign256_scalar_u1 = 0; + let (x170, x171) = fiat_bign256_scalar_addcarryx_u64(x169, x146, x161); + let mut x172: u64 = 0; + let mut x173: fiat_bign256_scalar_u1 = 0; + let (x172, x173) = fiat_bign256_scalar_addcarryx_u64(x171, x148, x163); + let mut x174: u64 = 0; + let mut x175: fiat_bign256_scalar_u1 = 0; + let (x174, x175) = fiat_bign256_scalar_addcarryx_u64(x173, x150, x165); + let mut x176: u64 = 0; + let mut x177: fiat_bign256_scalar_u1 = 0; + let (x176, x177) = fiat_bign256_scalar_addcarryx_u64(x175, x152, x167); + let mut x178: u64 = 0; + let mut x179: u64 = 0; + let (x178, x179) = fiat_bign256_scalar_mulx_u64(x168, 0x8d64dbd30858d849); + let mut x180: u64 = 0; + let mut x181: u64 = 0; + let (x180, x181) = fiat_bign256_scalar_mulx_u64(x178, 0xffffffffffffffff); + let mut x182: u64 = 0; + let mut x183: u64 = 0; + let (x182, x183) = fiat_bign256_scalar_mulx_u64(x178, 0xffffffffffffffff); + let mut x184: u64 = 0; + let mut x185: u64 = 0; + let (x184, x185) = fiat_bign256_scalar_mulx_u64(x178, 0xd95c8ed60dfb4dfc); + let mut x186: u64 = 0; + let mut x187: u64 = 0; + let (x186, x187) = fiat_bign256_scalar_mulx_u64(x178, 0x7e5abf99263d6607); + let mut x188: u64 = 0; + let mut x189: fiat_bign256_scalar_u1 = 0; + let (x188, x189) = fiat_bign256_scalar_addcarryx_u64(0x0, x187, x184); + let mut x190: u64 = 0; + let mut x191: fiat_bign256_scalar_u1 = 0; + let (x190, x191) = fiat_bign256_scalar_addcarryx_u64(x189, x185, x182); + let mut x192: u64 = 0; + let mut x193: fiat_bign256_scalar_u1 = 0; + let (x192, x193) = fiat_bign256_scalar_addcarryx_u64(x191, x183, x180); + let x194: u64 = ((x193 as u64) + x181); + let mut x195: u64 = 0; + let mut x196: fiat_bign256_scalar_u1 = 0; + let (x195, x196) = fiat_bign256_scalar_addcarryx_u64(0x0, x168, x186); + let mut x197: u64 = 0; + let mut x198: fiat_bign256_scalar_u1 = 0; + let (x197, x198) = fiat_bign256_scalar_addcarryx_u64(x196, x170, x188); + let mut x199: u64 = 0; + let mut x200: fiat_bign256_scalar_u1 = 0; + let (x199, x200) = fiat_bign256_scalar_addcarryx_u64(x198, x172, x190); + let mut x201: u64 = 0; + let mut x202: fiat_bign256_scalar_u1 = 0; + let (x201, x202) = fiat_bign256_scalar_addcarryx_u64(x200, x174, x192); + let mut x203: u64 = 0; + let mut x204: fiat_bign256_scalar_u1 = 0; + let (x203, x204) = fiat_bign256_scalar_addcarryx_u64(x202, x176, x194); + let x205: u64 = ((x204 as u64) + (x177 as u64)); + let mut x206: u64 = 0; + let mut x207: fiat_bign256_scalar_u1 = 0; + let (x206, x207) = fiat_bign256_scalar_subborrowx_u64(0x0, x197, 0x7e5abf99263d6607); + let mut x208: u64 = 0; + let mut x209: fiat_bign256_scalar_u1 = 0; + let (x208, x209) = fiat_bign256_scalar_subborrowx_u64(x207, x199, 0xd95c8ed60dfb4dfc); + let mut x210: u64 = 0; + let mut x211: fiat_bign256_scalar_u1 = 0; + let (x210, x211) = fiat_bign256_scalar_subborrowx_u64(x209, x201, 0xffffffffffffffff); + let mut x212: u64 = 0; + let mut x213: fiat_bign256_scalar_u1 = 0; + let (x212, x213) = fiat_bign256_scalar_subborrowx_u64(x211, x203, 0xffffffffffffffff); + let mut x214: u64 = 0; + let mut x215: fiat_bign256_scalar_u1 = 0; + let (x214, x215) = fiat_bign256_scalar_subborrowx_u64(x213, x205, (0x0 as u64)); + let mut x216: u64 = 0; + let (x216) = fiat_bign256_scalar_cmovznz_u64(x215, x206, x197); + let mut x217: u64 = 0; + let (x217) = fiat_bign256_scalar_cmovznz_u64(x215, x208, x199); + let mut x218: u64 = 0; + let (x218) = fiat_bign256_scalar_cmovznz_u64(x215, x210, x201); + let mut x219: u64 = 0; + let (x219) = fiat_bign256_scalar_cmovznz_u64(x215, x212, x203); + out1[0] = x216; + out1[1] = x217; + out1[2] = x218; + out1[3] = x219; + out1 +} +#[doc = " The function fiat_bign256_scalar_square squares a field element in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_square( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 4]; + let x1: u64 = (arg1[1]); + let x2: u64 = (arg1[2]); + let x3: u64 = (arg1[3]); + let x4: u64 = (arg1[0]); + let mut x5: u64 = 0; + let mut x6: u64 = 0; + let (x5, x6) = fiat_bign256_scalar_mulx_u64(x4, (arg1[3])); + let mut x7: u64 = 0; + let mut x8: u64 = 0; + let (x7, x8) = fiat_bign256_scalar_mulx_u64(x4, (arg1[2])); + let mut x9: u64 = 0; + let mut x10: u64 = 0; + let (x9, x10) = fiat_bign256_scalar_mulx_u64(x4, (arg1[1])); + let mut x11: u64 = 0; + let mut x12: u64 = 0; + let (x11, x12) = fiat_bign256_scalar_mulx_u64(x4, (arg1[0])); + let mut x13: u64 = 0; + let mut x14: fiat_bign256_scalar_u1 = 0; + let (x13, x14) = fiat_bign256_scalar_addcarryx_u64(0x0, x12, x9); + let mut x15: u64 = 0; + let mut x16: fiat_bign256_scalar_u1 = 0; + let (x15, x16) = fiat_bign256_scalar_addcarryx_u64(x14, x10, x7); + let mut x17: u64 = 0; + let mut x18: fiat_bign256_scalar_u1 = 0; + let (x17, x18) = fiat_bign256_scalar_addcarryx_u64(x16, x8, x5); + let x19: u64 = ((x18 as u64) + x6); + let mut x20: u64 = 0; + let mut x21: u64 = 0; + let (x20, x21) = fiat_bign256_scalar_mulx_u64(x11, 0x8d64dbd30858d849); + let mut x22: u64 = 0; + let mut x23: u64 = 0; + let (x22, x23) = fiat_bign256_scalar_mulx_u64(x20, 0xffffffffffffffff); + let mut x24: u64 = 0; + let mut x25: u64 = 0; + let (x24, x25) = fiat_bign256_scalar_mulx_u64(x20, 0xffffffffffffffff); + let mut x26: u64 = 0; + let mut x27: u64 = 0; + let (x26, x27) = fiat_bign256_scalar_mulx_u64(x20, 0xd95c8ed60dfb4dfc); + let mut x28: u64 = 0; + let mut x29: u64 = 0; + let (x28, x29) = fiat_bign256_scalar_mulx_u64(x20, 0x7e5abf99263d6607); + let mut x30: u64 = 0; + let mut x31: fiat_bign256_scalar_u1 = 0; + let (x30, x31) = fiat_bign256_scalar_addcarryx_u64(0x0, x29, x26); + let mut x32: u64 = 0; + let mut x33: fiat_bign256_scalar_u1 = 0; + let (x32, x33) = fiat_bign256_scalar_addcarryx_u64(x31, x27, x24); + let mut x34: u64 = 0; + let mut x35: fiat_bign256_scalar_u1 = 0; + let (x34, x35) = fiat_bign256_scalar_addcarryx_u64(x33, x25, x22); + let x36: u64 = ((x35 as u64) + x23); + let mut x37: u64 = 0; + let mut x38: fiat_bign256_scalar_u1 = 0; + let (x37, x38) = fiat_bign256_scalar_addcarryx_u64(0x0, x11, x28); + let mut x39: u64 = 0; + let mut x40: fiat_bign256_scalar_u1 = 0; + let (x39, x40) = fiat_bign256_scalar_addcarryx_u64(x38, x13, x30); + let mut x41: u64 = 0; + let mut x42: fiat_bign256_scalar_u1 = 0; + let (x41, x42) = fiat_bign256_scalar_addcarryx_u64(x40, x15, x32); + let mut x43: u64 = 0; + let mut x44: fiat_bign256_scalar_u1 = 0; + let (x43, x44) = fiat_bign256_scalar_addcarryx_u64(x42, x17, x34); + let mut x45: u64 = 0; + let mut x46: fiat_bign256_scalar_u1 = 0; + let (x45, x46) = fiat_bign256_scalar_addcarryx_u64(x44, x19, x36); + let mut x47: u64 = 0; + let mut x48: u64 = 0; + let (x47, x48) = fiat_bign256_scalar_mulx_u64(x1, (arg1[3])); + let mut x49: u64 = 0; + let mut x50: u64 = 0; + let (x49, x50) = fiat_bign256_scalar_mulx_u64(x1, (arg1[2])); + let mut x51: u64 = 0; + let mut x52: u64 = 0; + let (x51, x52) = fiat_bign256_scalar_mulx_u64(x1, (arg1[1])); + let mut x53: u64 = 0; + let mut x54: u64 = 0; + let (x53, x54) = fiat_bign256_scalar_mulx_u64(x1, (arg1[0])); + let mut x55: u64 = 0; + let mut x56: fiat_bign256_scalar_u1 = 0; + let (x55, x56) = fiat_bign256_scalar_addcarryx_u64(0x0, x54, x51); + let mut x57: u64 = 0; + let mut x58: fiat_bign256_scalar_u1 = 0; + let (x57, x58) = fiat_bign256_scalar_addcarryx_u64(x56, x52, x49); + let mut x59: u64 = 0; + let mut x60: fiat_bign256_scalar_u1 = 0; + let (x59, x60) = fiat_bign256_scalar_addcarryx_u64(x58, x50, x47); + let x61: u64 = ((x60 as u64) + x48); + let mut x62: u64 = 0; + let mut x63: fiat_bign256_scalar_u1 = 0; + let (x62, x63) = fiat_bign256_scalar_addcarryx_u64(0x0, x39, x53); + let mut x64: u64 = 0; + let mut x65: fiat_bign256_scalar_u1 = 0; + let (x64, x65) = fiat_bign256_scalar_addcarryx_u64(x63, x41, x55); + let mut x66: u64 = 0; + let mut x67: fiat_bign256_scalar_u1 = 0; + let (x66, x67) = fiat_bign256_scalar_addcarryx_u64(x65, x43, x57); + let mut x68: u64 = 0; + let mut x69: fiat_bign256_scalar_u1 = 0; + let (x68, x69) = fiat_bign256_scalar_addcarryx_u64(x67, x45, x59); + let mut x70: u64 = 0; + let mut x71: fiat_bign256_scalar_u1 = 0; + let (x70, x71) = fiat_bign256_scalar_addcarryx_u64(x69, (x46 as u64), x61); + let mut x72: u64 = 0; + let mut x73: u64 = 0; + let (x72, x73) = fiat_bign256_scalar_mulx_u64(x62, 0x8d64dbd30858d849); + let mut x74: u64 = 0; + let mut x75: u64 = 0; + let (x74, x75) = fiat_bign256_scalar_mulx_u64(x72, 0xffffffffffffffff); + let mut x76: u64 = 0; + let mut x77: u64 = 0; + let (x76, x77) = fiat_bign256_scalar_mulx_u64(x72, 0xffffffffffffffff); + let mut x78: u64 = 0; + let mut x79: u64 = 0; + let (x78, x79) = fiat_bign256_scalar_mulx_u64(x72, 0xd95c8ed60dfb4dfc); + let mut x80: u64 = 0; + let mut x81: u64 = 0; + let (x80, x81) = fiat_bign256_scalar_mulx_u64(x72, 0x7e5abf99263d6607); + let mut x82: u64 = 0; + let mut x83: fiat_bign256_scalar_u1 = 0; + let (x82, x83) = fiat_bign256_scalar_addcarryx_u64(0x0, x81, x78); + let mut x84: u64 = 0; + let mut x85: fiat_bign256_scalar_u1 = 0; + let (x84, x85) = fiat_bign256_scalar_addcarryx_u64(x83, x79, x76); + let mut x86: u64 = 0; + let mut x87: fiat_bign256_scalar_u1 = 0; + let (x86, x87) = fiat_bign256_scalar_addcarryx_u64(x85, x77, x74); + let x88: u64 = ((x87 as u64) + x75); + let mut x89: u64 = 0; + let mut x90: fiat_bign256_scalar_u1 = 0; + let (x89, x90) = fiat_bign256_scalar_addcarryx_u64(0x0, x62, x80); + let mut x91: u64 = 0; + let mut x92: fiat_bign256_scalar_u1 = 0; + let (x91, x92) = fiat_bign256_scalar_addcarryx_u64(x90, x64, x82); + let mut x93: u64 = 0; + let mut x94: fiat_bign256_scalar_u1 = 0; + let (x93, x94) = fiat_bign256_scalar_addcarryx_u64(x92, x66, x84); + let mut x95: u64 = 0; + let mut x96: fiat_bign256_scalar_u1 = 0; + let (x95, x96) = fiat_bign256_scalar_addcarryx_u64(x94, x68, x86); + let mut x97: u64 = 0; + let mut x98: fiat_bign256_scalar_u1 = 0; + let (x97, x98) = fiat_bign256_scalar_addcarryx_u64(x96, x70, x88); + let x99: u64 = ((x98 as u64) + (x71 as u64)); + let mut x100: u64 = 0; + let mut x101: u64 = 0; + let (x100, x101) = fiat_bign256_scalar_mulx_u64(x2, (arg1[3])); + let mut x102: u64 = 0; + let mut x103: u64 = 0; + let (x102, x103) = fiat_bign256_scalar_mulx_u64(x2, (arg1[2])); + let mut x104: u64 = 0; + let mut x105: u64 = 0; + let (x104, x105) = fiat_bign256_scalar_mulx_u64(x2, (arg1[1])); + let mut x106: u64 = 0; + let mut x107: u64 = 0; + let (x106, x107) = fiat_bign256_scalar_mulx_u64(x2, (arg1[0])); + let mut x108: u64 = 0; + let mut x109: fiat_bign256_scalar_u1 = 0; + let (x108, x109) = fiat_bign256_scalar_addcarryx_u64(0x0, x107, x104); + let mut x110: u64 = 0; + let mut x111: fiat_bign256_scalar_u1 = 0; + let (x110, x111) = fiat_bign256_scalar_addcarryx_u64(x109, x105, x102); + let mut x112: u64 = 0; + let mut x113: fiat_bign256_scalar_u1 = 0; + let (x112, x113) = fiat_bign256_scalar_addcarryx_u64(x111, x103, x100); + let x114: u64 = ((x113 as u64) + x101); + let mut x115: u64 = 0; + let mut x116: fiat_bign256_scalar_u1 = 0; + let (x115, x116) = fiat_bign256_scalar_addcarryx_u64(0x0, x91, x106); + let mut x117: u64 = 0; + let mut x118: fiat_bign256_scalar_u1 = 0; + let (x117, x118) = fiat_bign256_scalar_addcarryx_u64(x116, x93, x108); + let mut x119: u64 = 0; + let mut x120: fiat_bign256_scalar_u1 = 0; + let (x119, x120) = fiat_bign256_scalar_addcarryx_u64(x118, x95, x110); + let mut x121: u64 = 0; + let mut x122: fiat_bign256_scalar_u1 = 0; + let (x121, x122) = fiat_bign256_scalar_addcarryx_u64(x120, x97, x112); + let mut x123: u64 = 0; + let mut x124: fiat_bign256_scalar_u1 = 0; + let (x123, x124) = fiat_bign256_scalar_addcarryx_u64(x122, x99, x114); + let mut x125: u64 = 0; + let mut x126: u64 = 0; + let (x125, x126) = fiat_bign256_scalar_mulx_u64(x115, 0x8d64dbd30858d849); + let mut x127: u64 = 0; + let mut x128: u64 = 0; + let (x127, x128) = fiat_bign256_scalar_mulx_u64(x125, 0xffffffffffffffff); + let mut x129: u64 = 0; + let mut x130: u64 = 0; + let (x129, x130) = fiat_bign256_scalar_mulx_u64(x125, 0xffffffffffffffff); + let mut x131: u64 = 0; + let mut x132: u64 = 0; + let (x131, x132) = fiat_bign256_scalar_mulx_u64(x125, 0xd95c8ed60dfb4dfc); + let mut x133: u64 = 0; + let mut x134: u64 = 0; + let (x133, x134) = fiat_bign256_scalar_mulx_u64(x125, 0x7e5abf99263d6607); + let mut x135: u64 = 0; + let mut x136: fiat_bign256_scalar_u1 = 0; + let (x135, x136) = fiat_bign256_scalar_addcarryx_u64(0x0, x134, x131); + let mut x137: u64 = 0; + let mut x138: fiat_bign256_scalar_u1 = 0; + let (x137, x138) = fiat_bign256_scalar_addcarryx_u64(x136, x132, x129); + let mut x139: u64 = 0; + let mut x140: fiat_bign256_scalar_u1 = 0; + let (x139, x140) = fiat_bign256_scalar_addcarryx_u64(x138, x130, x127); + let x141: u64 = ((x140 as u64) + x128); + let mut x142: u64 = 0; + let mut x143: fiat_bign256_scalar_u1 = 0; + let (x142, x143) = fiat_bign256_scalar_addcarryx_u64(0x0, x115, x133); + let mut x144: u64 = 0; + let mut x145: fiat_bign256_scalar_u1 = 0; + let (x144, x145) = fiat_bign256_scalar_addcarryx_u64(x143, x117, x135); + let mut x146: u64 = 0; + let mut x147: fiat_bign256_scalar_u1 = 0; + let (x146, x147) = fiat_bign256_scalar_addcarryx_u64(x145, x119, x137); + let mut x148: u64 = 0; + let mut x149: fiat_bign256_scalar_u1 = 0; + let (x148, x149) = fiat_bign256_scalar_addcarryx_u64(x147, x121, x139); + let mut x150: u64 = 0; + let mut x151: fiat_bign256_scalar_u1 = 0; + let (x150, x151) = fiat_bign256_scalar_addcarryx_u64(x149, x123, x141); + let x152: u64 = ((x151 as u64) + (x124 as u64)); + let mut x153: u64 = 0; + let mut x154: u64 = 0; + let (x153, x154) = fiat_bign256_scalar_mulx_u64(x3, (arg1[3])); + let mut x155: u64 = 0; + let mut x156: u64 = 0; + let (x155, x156) = fiat_bign256_scalar_mulx_u64(x3, (arg1[2])); + let mut x157: u64 = 0; + let mut x158: u64 = 0; + let (x157, x158) = fiat_bign256_scalar_mulx_u64(x3, (arg1[1])); + let mut x159: u64 = 0; + let mut x160: u64 = 0; + let (x159, x160) = fiat_bign256_scalar_mulx_u64(x3, (arg1[0])); + let mut x161: u64 = 0; + let mut x162: fiat_bign256_scalar_u1 = 0; + let (x161, x162) = fiat_bign256_scalar_addcarryx_u64(0x0, x160, x157); + let mut x163: u64 = 0; + let mut x164: fiat_bign256_scalar_u1 = 0; + let (x163, x164) = fiat_bign256_scalar_addcarryx_u64(x162, x158, x155); + let mut x165: u64 = 0; + let mut x166: fiat_bign256_scalar_u1 = 0; + let (x165, x166) = fiat_bign256_scalar_addcarryx_u64(x164, x156, x153); + let x167: u64 = ((x166 as u64) + x154); + let mut x168: u64 = 0; + let mut x169: fiat_bign256_scalar_u1 = 0; + let (x168, x169) = fiat_bign256_scalar_addcarryx_u64(0x0, x144, x159); + let mut x170: u64 = 0; + let mut x171: fiat_bign256_scalar_u1 = 0; + let (x170, x171) = fiat_bign256_scalar_addcarryx_u64(x169, x146, x161); + let mut x172: u64 = 0; + let mut x173: fiat_bign256_scalar_u1 = 0; + let (x172, x173) = fiat_bign256_scalar_addcarryx_u64(x171, x148, x163); + let mut x174: u64 = 0; + let mut x175: fiat_bign256_scalar_u1 = 0; + let (x174, x175) = fiat_bign256_scalar_addcarryx_u64(x173, x150, x165); + let mut x176: u64 = 0; + let mut x177: fiat_bign256_scalar_u1 = 0; + let (x176, x177) = fiat_bign256_scalar_addcarryx_u64(x175, x152, x167); + let mut x178: u64 = 0; + let mut x179: u64 = 0; + let (x178, x179) = fiat_bign256_scalar_mulx_u64(x168, 0x8d64dbd30858d849); + let mut x180: u64 = 0; + let mut x181: u64 = 0; + let (x180, x181) = fiat_bign256_scalar_mulx_u64(x178, 0xffffffffffffffff); + let mut x182: u64 = 0; + let mut x183: u64 = 0; + let (x182, x183) = fiat_bign256_scalar_mulx_u64(x178, 0xffffffffffffffff); + let mut x184: u64 = 0; + let mut x185: u64 = 0; + let (x184, x185) = fiat_bign256_scalar_mulx_u64(x178, 0xd95c8ed60dfb4dfc); + let mut x186: u64 = 0; + let mut x187: u64 = 0; + let (x186, x187) = fiat_bign256_scalar_mulx_u64(x178, 0x7e5abf99263d6607); + let mut x188: u64 = 0; + let mut x189: fiat_bign256_scalar_u1 = 0; + let (x188, x189) = fiat_bign256_scalar_addcarryx_u64(0x0, x187, x184); + let mut x190: u64 = 0; + let mut x191: fiat_bign256_scalar_u1 = 0; + let (x190, x191) = fiat_bign256_scalar_addcarryx_u64(x189, x185, x182); + let mut x192: u64 = 0; + let mut x193: fiat_bign256_scalar_u1 = 0; + let (x192, x193) = fiat_bign256_scalar_addcarryx_u64(x191, x183, x180); + let x194: u64 = ((x193 as u64) + x181); + let mut x195: u64 = 0; + let mut x196: fiat_bign256_scalar_u1 = 0; + let (x195, x196) = fiat_bign256_scalar_addcarryx_u64(0x0, x168, x186); + let mut x197: u64 = 0; + let mut x198: fiat_bign256_scalar_u1 = 0; + let (x197, x198) = fiat_bign256_scalar_addcarryx_u64(x196, x170, x188); + let mut x199: u64 = 0; + let mut x200: fiat_bign256_scalar_u1 = 0; + let (x199, x200) = fiat_bign256_scalar_addcarryx_u64(x198, x172, x190); + let mut x201: u64 = 0; + let mut x202: fiat_bign256_scalar_u1 = 0; + let (x201, x202) = fiat_bign256_scalar_addcarryx_u64(x200, x174, x192); + let mut x203: u64 = 0; + let mut x204: fiat_bign256_scalar_u1 = 0; + let (x203, x204) = fiat_bign256_scalar_addcarryx_u64(x202, x176, x194); + let x205: u64 = ((x204 as u64) + (x177 as u64)); + let mut x206: u64 = 0; + let mut x207: fiat_bign256_scalar_u1 = 0; + let (x206, x207) = fiat_bign256_scalar_subborrowx_u64(0x0, x197, 0x7e5abf99263d6607); + let mut x208: u64 = 0; + let mut x209: fiat_bign256_scalar_u1 = 0; + let (x208, x209) = fiat_bign256_scalar_subborrowx_u64(x207, x199, 0xd95c8ed60dfb4dfc); + let mut x210: u64 = 0; + let mut x211: fiat_bign256_scalar_u1 = 0; + let (x210, x211) = fiat_bign256_scalar_subborrowx_u64(x209, x201, 0xffffffffffffffff); + let mut x212: u64 = 0; + let mut x213: fiat_bign256_scalar_u1 = 0; + let (x212, x213) = fiat_bign256_scalar_subborrowx_u64(x211, x203, 0xffffffffffffffff); + let mut x214: u64 = 0; + let mut x215: fiat_bign256_scalar_u1 = 0; + let (x214, x215) = fiat_bign256_scalar_subborrowx_u64(x213, x205, (0x0 as u64)); + let mut x216: u64 = 0; + let (x216) = fiat_bign256_scalar_cmovznz_u64(x215, x206, x197); + let mut x217: u64 = 0; + let (x217) = fiat_bign256_scalar_cmovznz_u64(x215, x208, x199); + let mut x218: u64 = 0; + let (x218) = fiat_bign256_scalar_cmovznz_u64(x215, x210, x201); + let mut x219: u64 = 0; + let (x219) = fiat_bign256_scalar_cmovznz_u64(x215, x212, x203); + out1[0] = x216; + out1[1] = x217; + out1[2] = x218; + out1[3] = x219; + out1 +} +#[doc = " The function fiat_bign256_scalar_add adds two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_add( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, + arg2: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 4]; + let mut x1: u64 = 0; + let mut x2: fiat_bign256_scalar_u1 = 0; + let (x1, x2) = fiat_bign256_scalar_addcarryx_u64(0x0, (arg1[0]), (arg2[0])); + let mut x3: u64 = 0; + let mut x4: fiat_bign256_scalar_u1 = 0; + let (x3, x4) = fiat_bign256_scalar_addcarryx_u64(x2, (arg1[1]), (arg2[1])); + let mut x5: u64 = 0; + let mut x6: fiat_bign256_scalar_u1 = 0; + let (x5, x6) = fiat_bign256_scalar_addcarryx_u64(x4, (arg1[2]), (arg2[2])); + let mut x7: u64 = 0; + let mut x8: fiat_bign256_scalar_u1 = 0; + let (x7, x8) = fiat_bign256_scalar_addcarryx_u64(x6, (arg1[3]), (arg2[3])); + let mut x9: u64 = 0; + let mut x10: fiat_bign256_scalar_u1 = 0; + let (x9, x10) = fiat_bign256_scalar_subborrowx_u64(0x0, x1, 0x7e5abf99263d6607); + let mut x11: u64 = 0; + let mut x12: fiat_bign256_scalar_u1 = 0; + let (x11, x12) = fiat_bign256_scalar_subborrowx_u64(x10, x3, 0xd95c8ed60dfb4dfc); + let mut x13: u64 = 0; + let mut x14: fiat_bign256_scalar_u1 = 0; + let (x13, x14) = fiat_bign256_scalar_subborrowx_u64(x12, x5, 0xffffffffffffffff); + let mut x15: u64 = 0; + let mut x16: fiat_bign256_scalar_u1 = 0; + let (x15, x16) = fiat_bign256_scalar_subborrowx_u64(x14, x7, 0xffffffffffffffff); + let mut x17: u64 = 0; + let mut x18: fiat_bign256_scalar_u1 = 0; + let (x17, x18) = fiat_bign256_scalar_subborrowx_u64(x16, (x8 as u64), (0x0 as u64)); + let mut x19: u64 = 0; + let (x19) = fiat_bign256_scalar_cmovznz_u64(x18, x9, x1); + let mut x20: u64 = 0; + let (x20) = fiat_bign256_scalar_cmovznz_u64(x18, x11, x3); + let mut x21: u64 = 0; + let (x21) = fiat_bign256_scalar_cmovznz_u64(x18, x13, x5); + let mut x22: u64 = 0; + let (x22) = fiat_bign256_scalar_cmovznz_u64(x18, x15, x7); + out1[0] = x19; + out1[1] = x20; + out1[2] = x21; + out1[3] = x22; + out1 +} +#[doc = " The function fiat_bign256_scalar_sub subtracts two field elements in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " 0 ≀ eval arg2 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_sub( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, + arg2: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 4]; + let mut x1: u64 = 0; + let mut x2: fiat_bign256_scalar_u1 = 0; + let (x1, x2) = fiat_bign256_scalar_subborrowx_u64(0x0, (arg1[0]), (arg2[0])); + let mut x3: u64 = 0; + let mut x4: fiat_bign256_scalar_u1 = 0; + let (x3, x4) = fiat_bign256_scalar_subborrowx_u64(x2, (arg1[1]), (arg2[1])); + let mut x5: u64 = 0; + let mut x6: fiat_bign256_scalar_u1 = 0; + let (x5, x6) = fiat_bign256_scalar_subborrowx_u64(x4, (arg1[2]), (arg2[2])); + let mut x7: u64 = 0; + let mut x8: fiat_bign256_scalar_u1 = 0; + let (x7, x8) = fiat_bign256_scalar_subborrowx_u64(x6, (arg1[3]), (arg2[3])); + let mut x9: u64 = 0; + let (x9) = fiat_bign256_scalar_cmovznz_u64(x8, (0x0 as u64), 0xffffffffffffffff); + let mut x10: u64 = 0; + let mut x11: fiat_bign256_scalar_u1 = 0; + let (x10, x11) = fiat_bign256_scalar_addcarryx_u64(0x0, x1, (x9 & 0x7e5abf99263d6607)); + let mut x12: u64 = 0; + let mut x13: fiat_bign256_scalar_u1 = 0; + let (x12, x13) = fiat_bign256_scalar_addcarryx_u64(x11, x3, (x9 & 0xd95c8ed60dfb4dfc)); + let mut x14: u64 = 0; + let mut x15: fiat_bign256_scalar_u1 = 0; + let (x14, x15) = fiat_bign256_scalar_addcarryx_u64(x13, x5, x9); + let mut x16: u64 = 0; + let mut x17: fiat_bign256_scalar_u1 = 0; + let (x16, x17) = fiat_bign256_scalar_addcarryx_u64(x15, x7, x9); + out1[0] = x10; + out1[1] = x12; + out1[2] = x14; + out1[3] = x16; + out1 +} +#[doc = " The function fiat_bign256_scalar_opp negates a field element in the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_opp( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 4]; + let mut x1: u64 = 0; + let mut x2: fiat_bign256_scalar_u1 = 0; + let (x1, x2) = fiat_bign256_scalar_subborrowx_u64(0x0, (0x0 as u64), (arg1[0])); + let mut x3: u64 = 0; + let mut x4: fiat_bign256_scalar_u1 = 0; + let (x3, x4) = fiat_bign256_scalar_subborrowx_u64(x2, (0x0 as u64), (arg1[1])); + let mut x5: u64 = 0; + let mut x6: fiat_bign256_scalar_u1 = 0; + let (x5, x6) = fiat_bign256_scalar_subborrowx_u64(x4, (0x0 as u64), (arg1[2])); + let mut x7: u64 = 0; + let mut x8: fiat_bign256_scalar_u1 = 0; + let (x7, x8) = fiat_bign256_scalar_subborrowx_u64(x6, (0x0 as u64), (arg1[3])); + let mut x9: u64 = 0; + let (x9) = fiat_bign256_scalar_cmovznz_u64(x8, (0x0 as u64), 0xffffffffffffffff); + let mut x10: u64 = 0; + let mut x11: fiat_bign256_scalar_u1 = 0; + let (x10, x11) = fiat_bign256_scalar_addcarryx_u64(0x0, x1, (x9 & 0x7e5abf99263d6607)); + let mut x12: u64 = 0; + let mut x13: fiat_bign256_scalar_u1 = 0; + let (x12, x13) = fiat_bign256_scalar_addcarryx_u64(x11, x3, (x9 & 0xd95c8ed60dfb4dfc)); + let mut x14: u64 = 0; + let mut x15: fiat_bign256_scalar_u1 = 0; + let (x14, x15) = fiat_bign256_scalar_addcarryx_u64(x13, x5, x9); + let mut x16: u64 = 0; + let mut x17: fiat_bign256_scalar_u1 = 0; + let (x16, x17) = fiat_bign256_scalar_addcarryx_u64(x15, x7, x9); + out1[0] = x10; + out1[1] = x12; + out1[2] = x14; + out1[3] = x16; + out1 +} +#[doc = " The function fiat_bign256_scalar_from_montgomery translates a field element out of the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_from_montgomery( + arg1: &fiat_bign256_scalar_montgomery_domain_field_element, +) -> fiat_bign256_scalar_non_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_non_montgomery_domain_field_element = [0; 4]; + let x1: u64 = (arg1[0]); + let mut x2: u64 = 0; + let mut x3: u64 = 0; + let (x2, x3) = fiat_bign256_scalar_mulx_u64(x1, 0x8d64dbd30858d849); + let mut x4: u64 = 0; + let mut x5: u64 = 0; + let (x4, x5) = fiat_bign256_scalar_mulx_u64(x2, 0xffffffffffffffff); + let mut x6: u64 = 0; + let mut x7: u64 = 0; + let (x6, x7) = fiat_bign256_scalar_mulx_u64(x2, 0xffffffffffffffff); + let mut x8: u64 = 0; + let mut x9: u64 = 0; + let (x8, x9) = fiat_bign256_scalar_mulx_u64(x2, 0xd95c8ed60dfb4dfc); + let mut x10: u64 = 0; + let mut x11: u64 = 0; + let (x10, x11) = fiat_bign256_scalar_mulx_u64(x2, 0x7e5abf99263d6607); + let mut x12: u64 = 0; + let mut x13: fiat_bign256_scalar_u1 = 0; + let (x12, x13) = fiat_bign256_scalar_addcarryx_u64(0x0, x11, x8); + let mut x14: u64 = 0; + let mut x15: fiat_bign256_scalar_u1 = 0; + let (x14, x15) = fiat_bign256_scalar_addcarryx_u64(x13, x9, x6); + let mut x16: u64 = 0; + let mut x17: fiat_bign256_scalar_u1 = 0; + let (x16, x17) = fiat_bign256_scalar_addcarryx_u64(x15, x7, x4); + let mut x18: u64 = 0; + let mut x19: fiat_bign256_scalar_u1 = 0; + let (x18, x19) = fiat_bign256_scalar_addcarryx_u64(0x0, x1, x10); + let mut x20: u64 = 0; + let mut x21: fiat_bign256_scalar_u1 = 0; + let (x20, x21) = fiat_bign256_scalar_addcarryx_u64(x19, (0x0 as u64), x12); + let mut x22: u64 = 0; + let mut x23: fiat_bign256_scalar_u1 = 0; + let (x22, x23) = fiat_bign256_scalar_addcarryx_u64(x21, (0x0 as u64), x14); + let mut x24: u64 = 0; + let mut x25: fiat_bign256_scalar_u1 = 0; + let (x24, x25) = fiat_bign256_scalar_addcarryx_u64(x23, (0x0 as u64), x16); + let mut x26: u64 = 0; + let mut x27: fiat_bign256_scalar_u1 = 0; + let (x26, x27) = fiat_bign256_scalar_addcarryx_u64(x25, (0x0 as u64), ((x17 as u64) + x5)); + let mut x28: u64 = 0; + let mut x29: fiat_bign256_scalar_u1 = 0; + let (x28, x29) = fiat_bign256_scalar_addcarryx_u64(0x0, x20, (arg1[1])); + let mut x30: u64 = 0; + let mut x31: fiat_bign256_scalar_u1 = 0; + let (x30, x31) = fiat_bign256_scalar_addcarryx_u64(x29, x22, (0x0 as u64)); + let mut x32: u64 = 0; + let mut x33: fiat_bign256_scalar_u1 = 0; + let (x32, x33) = fiat_bign256_scalar_addcarryx_u64(x31, x24, (0x0 as u64)); + let mut x34: u64 = 0; + let mut x35: fiat_bign256_scalar_u1 = 0; + let (x34, x35) = fiat_bign256_scalar_addcarryx_u64(x33, x26, (0x0 as u64)); + let mut x36: u64 = 0; + let mut x37: u64 = 0; + let (x36, x37) = fiat_bign256_scalar_mulx_u64(x28, 0x8d64dbd30858d849); + let mut x38: u64 = 0; + let mut x39: u64 = 0; + let (x38, x39) = fiat_bign256_scalar_mulx_u64(x36, 0xffffffffffffffff); + let mut x40: u64 = 0; + let mut x41: u64 = 0; + let (x40, x41) = fiat_bign256_scalar_mulx_u64(x36, 0xffffffffffffffff); + let mut x42: u64 = 0; + let mut x43: u64 = 0; + let (x42, x43) = fiat_bign256_scalar_mulx_u64(x36, 0xd95c8ed60dfb4dfc); + let mut x44: u64 = 0; + let mut x45: u64 = 0; + let (x44, x45) = fiat_bign256_scalar_mulx_u64(x36, 0x7e5abf99263d6607); + let mut x46: u64 = 0; + let mut x47: fiat_bign256_scalar_u1 = 0; + let (x46, x47) = fiat_bign256_scalar_addcarryx_u64(0x0, x45, x42); + let mut x48: u64 = 0; + let mut x49: fiat_bign256_scalar_u1 = 0; + let (x48, x49) = fiat_bign256_scalar_addcarryx_u64(x47, x43, x40); + let mut x50: u64 = 0; + let mut x51: fiat_bign256_scalar_u1 = 0; + let (x50, x51) = fiat_bign256_scalar_addcarryx_u64(x49, x41, x38); + let mut x52: u64 = 0; + let mut x53: fiat_bign256_scalar_u1 = 0; + let (x52, x53) = fiat_bign256_scalar_addcarryx_u64(0x0, x28, x44); + let mut x54: u64 = 0; + let mut x55: fiat_bign256_scalar_u1 = 0; + let (x54, x55) = fiat_bign256_scalar_addcarryx_u64(x53, x30, x46); + let mut x56: u64 = 0; + let mut x57: fiat_bign256_scalar_u1 = 0; + let (x56, x57) = fiat_bign256_scalar_addcarryx_u64(x55, x32, x48); + let mut x58: u64 = 0; + let mut x59: fiat_bign256_scalar_u1 = 0; + let (x58, x59) = fiat_bign256_scalar_addcarryx_u64(x57, x34, x50); + let mut x60: u64 = 0; + let mut x61: fiat_bign256_scalar_u1 = 0; + let (x60, x61) = + fiat_bign256_scalar_addcarryx_u64(x59, ((x35 as u64) + (x27 as u64)), ((x51 as u64) + x39)); + let mut x62: u64 = 0; + let mut x63: fiat_bign256_scalar_u1 = 0; + let (x62, x63) = fiat_bign256_scalar_addcarryx_u64(0x0, x54, (arg1[2])); + let mut x64: u64 = 0; + let mut x65: fiat_bign256_scalar_u1 = 0; + let (x64, x65) = fiat_bign256_scalar_addcarryx_u64(x63, x56, (0x0 as u64)); + let mut x66: u64 = 0; + let mut x67: fiat_bign256_scalar_u1 = 0; + let (x66, x67) = fiat_bign256_scalar_addcarryx_u64(x65, x58, (0x0 as u64)); + let mut x68: u64 = 0; + let mut x69: fiat_bign256_scalar_u1 = 0; + let (x68, x69) = fiat_bign256_scalar_addcarryx_u64(x67, x60, (0x0 as u64)); + let mut x70: u64 = 0; + let mut x71: u64 = 0; + let (x70, x71) = fiat_bign256_scalar_mulx_u64(x62, 0x8d64dbd30858d849); + let mut x72: u64 = 0; + let mut x73: u64 = 0; + let (x72, x73) = fiat_bign256_scalar_mulx_u64(x70, 0xffffffffffffffff); + let mut x74: u64 = 0; + let mut x75: u64 = 0; + let (x74, x75) = fiat_bign256_scalar_mulx_u64(x70, 0xffffffffffffffff); + let mut x76: u64 = 0; + let mut x77: u64 = 0; + let (x76, x77) = fiat_bign256_scalar_mulx_u64(x70, 0xd95c8ed60dfb4dfc); + let mut x78: u64 = 0; + let mut x79: u64 = 0; + let (x78, x79) = fiat_bign256_scalar_mulx_u64(x70, 0x7e5abf99263d6607); + let mut x80: u64 = 0; + let mut x81: fiat_bign256_scalar_u1 = 0; + let (x80, x81) = fiat_bign256_scalar_addcarryx_u64(0x0, x79, x76); + let mut x82: u64 = 0; + let mut x83: fiat_bign256_scalar_u1 = 0; + let (x82, x83) = fiat_bign256_scalar_addcarryx_u64(x81, x77, x74); + let mut x84: u64 = 0; + let mut x85: fiat_bign256_scalar_u1 = 0; + let (x84, x85) = fiat_bign256_scalar_addcarryx_u64(x83, x75, x72); + let mut x86: u64 = 0; + let mut x87: fiat_bign256_scalar_u1 = 0; + let (x86, x87) = fiat_bign256_scalar_addcarryx_u64(0x0, x62, x78); + let mut x88: u64 = 0; + let mut x89: fiat_bign256_scalar_u1 = 0; + let (x88, x89) = fiat_bign256_scalar_addcarryx_u64(x87, x64, x80); + let mut x90: u64 = 0; + let mut x91: fiat_bign256_scalar_u1 = 0; + let (x90, x91) = fiat_bign256_scalar_addcarryx_u64(x89, x66, x82); + let mut x92: u64 = 0; + let mut x93: fiat_bign256_scalar_u1 = 0; + let (x92, x93) = fiat_bign256_scalar_addcarryx_u64(x91, x68, x84); + let mut x94: u64 = 0; + let mut x95: fiat_bign256_scalar_u1 = 0; + let (x94, x95) = + fiat_bign256_scalar_addcarryx_u64(x93, ((x69 as u64) + (x61 as u64)), ((x85 as u64) + x73)); + let mut x96: u64 = 0; + let mut x97: fiat_bign256_scalar_u1 = 0; + let (x96, x97) = fiat_bign256_scalar_addcarryx_u64(0x0, x88, (arg1[3])); + let mut x98: u64 = 0; + let mut x99: fiat_bign256_scalar_u1 = 0; + let (x98, x99) = fiat_bign256_scalar_addcarryx_u64(x97, x90, (0x0 as u64)); + let mut x100: u64 = 0; + let mut x101: fiat_bign256_scalar_u1 = 0; + let (x100, x101) = fiat_bign256_scalar_addcarryx_u64(x99, x92, (0x0 as u64)); + let mut x102: u64 = 0; + let mut x103: fiat_bign256_scalar_u1 = 0; + let (x102, x103) = fiat_bign256_scalar_addcarryx_u64(x101, x94, (0x0 as u64)); + let mut x104: u64 = 0; + let mut x105: u64 = 0; + let (x104, x105) = fiat_bign256_scalar_mulx_u64(x96, 0x8d64dbd30858d849); + let mut x106: u64 = 0; + let mut x107: u64 = 0; + let (x106, x107) = fiat_bign256_scalar_mulx_u64(x104, 0xffffffffffffffff); + let mut x108: u64 = 0; + let mut x109: u64 = 0; + let (x108, x109) = fiat_bign256_scalar_mulx_u64(x104, 0xffffffffffffffff); + let mut x110: u64 = 0; + let mut x111: u64 = 0; + let (x110, x111) = fiat_bign256_scalar_mulx_u64(x104, 0xd95c8ed60dfb4dfc); + let mut x112: u64 = 0; + let mut x113: u64 = 0; + let (x112, x113) = fiat_bign256_scalar_mulx_u64(x104, 0x7e5abf99263d6607); + let mut x114: u64 = 0; + let mut x115: fiat_bign256_scalar_u1 = 0; + let (x114, x115) = fiat_bign256_scalar_addcarryx_u64(0x0, x113, x110); + let mut x116: u64 = 0; + let mut x117: fiat_bign256_scalar_u1 = 0; + let (x116, x117) = fiat_bign256_scalar_addcarryx_u64(x115, x111, x108); + let mut x118: u64 = 0; + let mut x119: fiat_bign256_scalar_u1 = 0; + let (x118, x119) = fiat_bign256_scalar_addcarryx_u64(x117, x109, x106); + let mut x120: u64 = 0; + let mut x121: fiat_bign256_scalar_u1 = 0; + let (x120, x121) = fiat_bign256_scalar_addcarryx_u64(0x0, x96, x112); + let mut x122: u64 = 0; + let mut x123: fiat_bign256_scalar_u1 = 0; + let (x122, x123) = fiat_bign256_scalar_addcarryx_u64(x121, x98, x114); + let mut x124: u64 = 0; + let mut x125: fiat_bign256_scalar_u1 = 0; + let (x124, x125) = fiat_bign256_scalar_addcarryx_u64(x123, x100, x116); + let mut x126: u64 = 0; + let mut x127: fiat_bign256_scalar_u1 = 0; + let (x126, x127) = fiat_bign256_scalar_addcarryx_u64(x125, x102, x118); + let mut x128: u64 = 0; + let mut x129: fiat_bign256_scalar_u1 = 0; + let (x128, x129) = fiat_bign256_scalar_addcarryx_u64( + x127, + ((x103 as u64) + (x95 as u64)), + ((x119 as u64) + x107), + ); + let mut x130: u64 = 0; + let mut x131: fiat_bign256_scalar_u1 = 0; + let (x130, x131) = fiat_bign256_scalar_subborrowx_u64(0x0, x122, 0x7e5abf99263d6607); + let mut x132: u64 = 0; + let mut x133: fiat_bign256_scalar_u1 = 0; + let (x132, x133) = fiat_bign256_scalar_subborrowx_u64(x131, x124, 0xd95c8ed60dfb4dfc); + let mut x134: u64 = 0; + let mut x135: fiat_bign256_scalar_u1 = 0; + let (x134, x135) = fiat_bign256_scalar_subborrowx_u64(x133, x126, 0xffffffffffffffff); + let mut x136: u64 = 0; + let mut x137: fiat_bign256_scalar_u1 = 0; + let (x136, x137) = fiat_bign256_scalar_subborrowx_u64(x135, x128, 0xffffffffffffffff); + let mut x138: u64 = 0; + let mut x139: fiat_bign256_scalar_u1 = 0; + let (x138, x139) = fiat_bign256_scalar_subborrowx_u64(x137, (x129 as u64), (0x0 as u64)); + let mut x140: u64 = 0; + let (x140) = fiat_bign256_scalar_cmovznz_u64(x139, x130, x122); + let mut x141: u64 = 0; + let (x141) = fiat_bign256_scalar_cmovznz_u64(x139, x132, x124); + let mut x142: u64 = 0; + let (x142) = fiat_bign256_scalar_cmovznz_u64(x139, x134, x126); + let mut x143: u64 = 0; + let (x143) = fiat_bign256_scalar_cmovznz_u64(x139, x136, x128); + out1[0] = x140; + out1[1] = x141; + out1[2] = x142; + out1[3] = x143; + out1 +} +#[doc = " The function fiat_bign256_scalar_to_montgomery translates a field element into the Montgomery domain."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = eval arg1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_to_montgomery( + arg1: &fiat_bign256_scalar_non_montgomery_domain_field_element, +) -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 4]; + let x1: u64 = (arg1[1]); + let x2: u64 = (arg1[2]); + let x3: u64 = (arg1[3]); + let x4: u64 = (arg1[0]); + let mut x5: u64 = 0; + let mut x6: u64 = 0; + let (x5, x6) = fiat_bign256_scalar_mulx_u64(x4, 0x5d4edf1c149a55b); + let mut x7: u64 = 0; + let mut x8: u64 = 0; + let (x7, x8) = fiat_bign256_scalar_mulx_u64(x4, 0x4a6925c6a269dbf8); + let mut x9: u64 = 0; + let mut x10: u64 = 0; + let (x9, x10) = fiat_bign256_scalar_mulx_u64(x4, 0x1b5a5bc108b44a10); + let mut x11: u64 = 0; + let mut x12: u64 = 0; + let (x11, x12) = fiat_bign256_scalar_mulx_u64(x4, 0xfa44af61dbff9431); + let mut x13: u64 = 0; + let mut x14: fiat_bign256_scalar_u1 = 0; + let (x13, x14) = fiat_bign256_scalar_addcarryx_u64(0x0, x12, x9); + let mut x15: u64 = 0; + let mut x16: fiat_bign256_scalar_u1 = 0; + let (x15, x16) = fiat_bign256_scalar_addcarryx_u64(x14, x10, x7); + let mut x17: u64 = 0; + let mut x18: fiat_bign256_scalar_u1 = 0; + let (x17, x18) = fiat_bign256_scalar_addcarryx_u64(x16, x8, x5); + let mut x19: u64 = 0; + let mut x20: u64 = 0; + let (x19, x20) = fiat_bign256_scalar_mulx_u64(x11, 0x8d64dbd30858d849); + let mut x21: u64 = 0; + let mut x22: u64 = 0; + let (x21, x22) = fiat_bign256_scalar_mulx_u64(x19, 0xffffffffffffffff); + let mut x23: u64 = 0; + let mut x24: u64 = 0; + let (x23, x24) = fiat_bign256_scalar_mulx_u64(x19, 0xffffffffffffffff); + let mut x25: u64 = 0; + let mut x26: u64 = 0; + let (x25, x26) = fiat_bign256_scalar_mulx_u64(x19, 0xd95c8ed60dfb4dfc); + let mut x27: u64 = 0; + let mut x28: u64 = 0; + let (x27, x28) = fiat_bign256_scalar_mulx_u64(x19, 0x7e5abf99263d6607); + let mut x29: u64 = 0; + let mut x30: fiat_bign256_scalar_u1 = 0; + let (x29, x30) = fiat_bign256_scalar_addcarryx_u64(0x0, x28, x25); + let mut x31: u64 = 0; + let mut x32: fiat_bign256_scalar_u1 = 0; + let (x31, x32) = fiat_bign256_scalar_addcarryx_u64(x30, x26, x23); + let mut x33: u64 = 0; + let mut x34: fiat_bign256_scalar_u1 = 0; + let (x33, x34) = fiat_bign256_scalar_addcarryx_u64(x32, x24, x21); + let mut x35: u64 = 0; + let mut x36: fiat_bign256_scalar_u1 = 0; + let (x35, x36) = fiat_bign256_scalar_addcarryx_u64(0x0, x11, x27); + let mut x37: u64 = 0; + let mut x38: fiat_bign256_scalar_u1 = 0; + let (x37, x38) = fiat_bign256_scalar_addcarryx_u64(x36, x13, x29); + let mut x39: u64 = 0; + let mut x40: fiat_bign256_scalar_u1 = 0; + let (x39, x40) = fiat_bign256_scalar_addcarryx_u64(x38, x15, x31); + let mut x41: u64 = 0; + let mut x42: fiat_bign256_scalar_u1 = 0; + let (x41, x42) = fiat_bign256_scalar_addcarryx_u64(x40, x17, x33); + let mut x43: u64 = 0; + let mut x44: fiat_bign256_scalar_u1 = 0; + let (x43, x44) = + fiat_bign256_scalar_addcarryx_u64(x42, ((x18 as u64) + x6), ((x34 as u64) + x22)); + let mut x45: u64 = 0; + let mut x46: u64 = 0; + let (x45, x46) = fiat_bign256_scalar_mulx_u64(x1, 0x5d4edf1c149a55b); + let mut x47: u64 = 0; + let mut x48: u64 = 0; + let (x47, x48) = fiat_bign256_scalar_mulx_u64(x1, 0x4a6925c6a269dbf8); + let mut x49: u64 = 0; + let mut x50: u64 = 0; + let (x49, x50) = fiat_bign256_scalar_mulx_u64(x1, 0x1b5a5bc108b44a10); + let mut x51: u64 = 0; + let mut x52: u64 = 0; + let (x51, x52) = fiat_bign256_scalar_mulx_u64(x1, 0xfa44af61dbff9431); + let mut x53: u64 = 0; + let mut x54: fiat_bign256_scalar_u1 = 0; + let (x53, x54) = fiat_bign256_scalar_addcarryx_u64(0x0, x52, x49); + let mut x55: u64 = 0; + let mut x56: fiat_bign256_scalar_u1 = 0; + let (x55, x56) = fiat_bign256_scalar_addcarryx_u64(x54, x50, x47); + let mut x57: u64 = 0; + let mut x58: fiat_bign256_scalar_u1 = 0; + let (x57, x58) = fiat_bign256_scalar_addcarryx_u64(x56, x48, x45); + let mut x59: u64 = 0; + let mut x60: fiat_bign256_scalar_u1 = 0; + let (x59, x60) = fiat_bign256_scalar_addcarryx_u64(0x0, x37, x51); + let mut x61: u64 = 0; + let mut x62: fiat_bign256_scalar_u1 = 0; + let (x61, x62) = fiat_bign256_scalar_addcarryx_u64(x60, x39, x53); + let mut x63: u64 = 0; + let mut x64: fiat_bign256_scalar_u1 = 0; + let (x63, x64) = fiat_bign256_scalar_addcarryx_u64(x62, x41, x55); + let mut x65: u64 = 0; + let mut x66: fiat_bign256_scalar_u1 = 0; + let (x65, x66) = fiat_bign256_scalar_addcarryx_u64(x64, x43, x57); + let mut x67: u64 = 0; + let mut x68: u64 = 0; + let (x67, x68) = fiat_bign256_scalar_mulx_u64(x59, 0x8d64dbd30858d849); + let mut x69: u64 = 0; + let mut x70: u64 = 0; + let (x69, x70) = fiat_bign256_scalar_mulx_u64(x67, 0xffffffffffffffff); + let mut x71: u64 = 0; + let mut x72: u64 = 0; + let (x71, x72) = fiat_bign256_scalar_mulx_u64(x67, 0xffffffffffffffff); + let mut x73: u64 = 0; + let mut x74: u64 = 0; + let (x73, x74) = fiat_bign256_scalar_mulx_u64(x67, 0xd95c8ed60dfb4dfc); + let mut x75: u64 = 0; + let mut x76: u64 = 0; + let (x75, x76) = fiat_bign256_scalar_mulx_u64(x67, 0x7e5abf99263d6607); + let mut x77: u64 = 0; + let mut x78: fiat_bign256_scalar_u1 = 0; + let (x77, x78) = fiat_bign256_scalar_addcarryx_u64(0x0, x76, x73); + let mut x79: u64 = 0; + let mut x80: fiat_bign256_scalar_u1 = 0; + let (x79, x80) = fiat_bign256_scalar_addcarryx_u64(x78, x74, x71); + let mut x81: u64 = 0; + let mut x82: fiat_bign256_scalar_u1 = 0; + let (x81, x82) = fiat_bign256_scalar_addcarryx_u64(x80, x72, x69); + let mut x83: u64 = 0; + let mut x84: fiat_bign256_scalar_u1 = 0; + let (x83, x84) = fiat_bign256_scalar_addcarryx_u64(0x0, x59, x75); + let mut x85: u64 = 0; + let mut x86: fiat_bign256_scalar_u1 = 0; + let (x85, x86) = fiat_bign256_scalar_addcarryx_u64(x84, x61, x77); + let mut x87: u64 = 0; + let mut x88: fiat_bign256_scalar_u1 = 0; + let (x87, x88) = fiat_bign256_scalar_addcarryx_u64(x86, x63, x79); + let mut x89: u64 = 0; + let mut x90: fiat_bign256_scalar_u1 = 0; + let (x89, x90) = fiat_bign256_scalar_addcarryx_u64(x88, x65, x81); + let mut x91: u64 = 0; + let mut x92: fiat_bign256_scalar_u1 = 0; + let (x91, x92) = fiat_bign256_scalar_addcarryx_u64( + x90, + (((x66 as u64) + (x44 as u64)) + ((x58 as u64) + x46)), + ((x82 as u64) + x70), + ); + let mut x93: u64 = 0; + let mut x94: u64 = 0; + let (x93, x94) = fiat_bign256_scalar_mulx_u64(x2, 0x5d4edf1c149a55b); + let mut x95: u64 = 0; + let mut x96: u64 = 0; + let (x95, x96) = fiat_bign256_scalar_mulx_u64(x2, 0x4a6925c6a269dbf8); + let mut x97: u64 = 0; + let mut x98: u64 = 0; + let (x97, x98) = fiat_bign256_scalar_mulx_u64(x2, 0x1b5a5bc108b44a10); + let mut x99: u64 = 0; + let mut x100: u64 = 0; + let (x99, x100) = fiat_bign256_scalar_mulx_u64(x2, 0xfa44af61dbff9431); + let mut x101: u64 = 0; + let mut x102: fiat_bign256_scalar_u1 = 0; + let (x101, x102) = fiat_bign256_scalar_addcarryx_u64(0x0, x100, x97); + let mut x103: u64 = 0; + let mut x104: fiat_bign256_scalar_u1 = 0; + let (x103, x104) = fiat_bign256_scalar_addcarryx_u64(x102, x98, x95); + let mut x105: u64 = 0; + let mut x106: fiat_bign256_scalar_u1 = 0; + let (x105, x106) = fiat_bign256_scalar_addcarryx_u64(x104, x96, x93); + let mut x107: u64 = 0; + let mut x108: fiat_bign256_scalar_u1 = 0; + let (x107, x108) = fiat_bign256_scalar_addcarryx_u64(0x0, x85, x99); + let mut x109: u64 = 0; + let mut x110: fiat_bign256_scalar_u1 = 0; + let (x109, x110) = fiat_bign256_scalar_addcarryx_u64(x108, x87, x101); + let mut x111: u64 = 0; + let mut x112: fiat_bign256_scalar_u1 = 0; + let (x111, x112) = fiat_bign256_scalar_addcarryx_u64(x110, x89, x103); + let mut x113: u64 = 0; + let mut x114: fiat_bign256_scalar_u1 = 0; + let (x113, x114) = fiat_bign256_scalar_addcarryx_u64(x112, x91, x105); + let mut x115: u64 = 0; + let mut x116: u64 = 0; + let (x115, x116) = fiat_bign256_scalar_mulx_u64(x107, 0x8d64dbd30858d849); + let mut x117: u64 = 0; + let mut x118: u64 = 0; + let (x117, x118) = fiat_bign256_scalar_mulx_u64(x115, 0xffffffffffffffff); + let mut x119: u64 = 0; + let mut x120: u64 = 0; + let (x119, x120) = fiat_bign256_scalar_mulx_u64(x115, 0xffffffffffffffff); + let mut x121: u64 = 0; + let mut x122: u64 = 0; + let (x121, x122) = fiat_bign256_scalar_mulx_u64(x115, 0xd95c8ed60dfb4dfc); + let mut x123: u64 = 0; + let mut x124: u64 = 0; + let (x123, x124) = fiat_bign256_scalar_mulx_u64(x115, 0x7e5abf99263d6607); + let mut x125: u64 = 0; + let mut x126: fiat_bign256_scalar_u1 = 0; + let (x125, x126) = fiat_bign256_scalar_addcarryx_u64(0x0, x124, x121); + let mut x127: u64 = 0; + let mut x128: fiat_bign256_scalar_u1 = 0; + let (x127, x128) = fiat_bign256_scalar_addcarryx_u64(x126, x122, x119); + let mut x129: u64 = 0; + let mut x130: fiat_bign256_scalar_u1 = 0; + let (x129, x130) = fiat_bign256_scalar_addcarryx_u64(x128, x120, x117); + let mut x131: u64 = 0; + let mut x132: fiat_bign256_scalar_u1 = 0; + let (x131, x132) = fiat_bign256_scalar_addcarryx_u64(0x0, x107, x123); + let mut x133: u64 = 0; + let mut x134: fiat_bign256_scalar_u1 = 0; + let (x133, x134) = fiat_bign256_scalar_addcarryx_u64(x132, x109, x125); + let mut x135: u64 = 0; + let mut x136: fiat_bign256_scalar_u1 = 0; + let (x135, x136) = fiat_bign256_scalar_addcarryx_u64(x134, x111, x127); + let mut x137: u64 = 0; + let mut x138: fiat_bign256_scalar_u1 = 0; + let (x137, x138) = fiat_bign256_scalar_addcarryx_u64(x136, x113, x129); + let mut x139: u64 = 0; + let mut x140: fiat_bign256_scalar_u1 = 0; + let (x139, x140) = fiat_bign256_scalar_addcarryx_u64( + x138, + (((x114 as u64) + (x92 as u64)) + ((x106 as u64) + x94)), + ((x130 as u64) + x118), + ); + let mut x141: u64 = 0; + let mut x142: u64 = 0; + let (x141, x142) = fiat_bign256_scalar_mulx_u64(x3, 0x5d4edf1c149a55b); + let mut x143: u64 = 0; + let mut x144: u64 = 0; + let (x143, x144) = fiat_bign256_scalar_mulx_u64(x3, 0x4a6925c6a269dbf8); + let mut x145: u64 = 0; + let mut x146: u64 = 0; + let (x145, x146) = fiat_bign256_scalar_mulx_u64(x3, 0x1b5a5bc108b44a10); + let mut x147: u64 = 0; + let mut x148: u64 = 0; + let (x147, x148) = fiat_bign256_scalar_mulx_u64(x3, 0xfa44af61dbff9431); + let mut x149: u64 = 0; + let mut x150: fiat_bign256_scalar_u1 = 0; + let (x149, x150) = fiat_bign256_scalar_addcarryx_u64(0x0, x148, x145); + let mut x151: u64 = 0; + let mut x152: fiat_bign256_scalar_u1 = 0; + let (x151, x152) = fiat_bign256_scalar_addcarryx_u64(x150, x146, x143); + let mut x153: u64 = 0; + let mut x154: fiat_bign256_scalar_u1 = 0; + let (x153, x154) = fiat_bign256_scalar_addcarryx_u64(x152, x144, x141); + let mut x155: u64 = 0; + let mut x156: fiat_bign256_scalar_u1 = 0; + let (x155, x156) = fiat_bign256_scalar_addcarryx_u64(0x0, x133, x147); + let mut x157: u64 = 0; + let mut x158: fiat_bign256_scalar_u1 = 0; + let (x157, x158) = fiat_bign256_scalar_addcarryx_u64(x156, x135, x149); + let mut x159: u64 = 0; + let mut x160: fiat_bign256_scalar_u1 = 0; + let (x159, x160) = fiat_bign256_scalar_addcarryx_u64(x158, x137, x151); + let mut x161: u64 = 0; + let mut x162: fiat_bign256_scalar_u1 = 0; + let (x161, x162) = fiat_bign256_scalar_addcarryx_u64(x160, x139, x153); + let mut x163: u64 = 0; + let mut x164: u64 = 0; + let (x163, x164) = fiat_bign256_scalar_mulx_u64(x155, 0x8d64dbd30858d849); + let mut x165: u64 = 0; + let mut x166: u64 = 0; + let (x165, x166) = fiat_bign256_scalar_mulx_u64(x163, 0xffffffffffffffff); + let mut x167: u64 = 0; + let mut x168: u64 = 0; + let (x167, x168) = fiat_bign256_scalar_mulx_u64(x163, 0xffffffffffffffff); + let mut x169: u64 = 0; + let mut x170: u64 = 0; + let (x169, x170) = fiat_bign256_scalar_mulx_u64(x163, 0xd95c8ed60dfb4dfc); + let mut x171: u64 = 0; + let mut x172: u64 = 0; + let (x171, x172) = fiat_bign256_scalar_mulx_u64(x163, 0x7e5abf99263d6607); + let mut x173: u64 = 0; + let mut x174: fiat_bign256_scalar_u1 = 0; + let (x173, x174) = fiat_bign256_scalar_addcarryx_u64(0x0, x172, x169); + let mut x175: u64 = 0; + let mut x176: fiat_bign256_scalar_u1 = 0; + let (x175, x176) = fiat_bign256_scalar_addcarryx_u64(x174, x170, x167); + let mut x177: u64 = 0; + let mut x178: fiat_bign256_scalar_u1 = 0; + let (x177, x178) = fiat_bign256_scalar_addcarryx_u64(x176, x168, x165); + let mut x179: u64 = 0; + let mut x180: fiat_bign256_scalar_u1 = 0; + let (x179, x180) = fiat_bign256_scalar_addcarryx_u64(0x0, x155, x171); + let mut x181: u64 = 0; + let mut x182: fiat_bign256_scalar_u1 = 0; + let (x181, x182) = fiat_bign256_scalar_addcarryx_u64(x180, x157, x173); + let mut x183: u64 = 0; + let mut x184: fiat_bign256_scalar_u1 = 0; + let (x183, x184) = fiat_bign256_scalar_addcarryx_u64(x182, x159, x175); + let mut x185: u64 = 0; + let mut x186: fiat_bign256_scalar_u1 = 0; + let (x185, x186) = fiat_bign256_scalar_addcarryx_u64(x184, x161, x177); + let mut x187: u64 = 0; + let mut x188: fiat_bign256_scalar_u1 = 0; + let (x187, x188) = fiat_bign256_scalar_addcarryx_u64( + x186, + (((x162 as u64) + (x140 as u64)) + ((x154 as u64) + x142)), + ((x178 as u64) + x166), + ); + let mut x189: u64 = 0; + let mut x190: fiat_bign256_scalar_u1 = 0; + let (x189, x190) = fiat_bign256_scalar_subborrowx_u64(0x0, x181, 0x7e5abf99263d6607); + let mut x191: u64 = 0; + let mut x192: fiat_bign256_scalar_u1 = 0; + let (x191, x192) = fiat_bign256_scalar_subborrowx_u64(x190, x183, 0xd95c8ed60dfb4dfc); + let mut x193: u64 = 0; + let mut x194: fiat_bign256_scalar_u1 = 0; + let (x193, x194) = fiat_bign256_scalar_subborrowx_u64(x192, x185, 0xffffffffffffffff); + let mut x195: u64 = 0; + let mut x196: fiat_bign256_scalar_u1 = 0; + let (x195, x196) = fiat_bign256_scalar_subborrowx_u64(x194, x187, 0xffffffffffffffff); + let mut x197: u64 = 0; + let mut x198: fiat_bign256_scalar_u1 = 0; + let (x197, x198) = fiat_bign256_scalar_subborrowx_u64(x196, (x188 as u64), (0x0 as u64)); + let mut x199: u64 = 0; + let (x199) = fiat_bign256_scalar_cmovznz_u64(x198, x189, x181); + let mut x200: u64 = 0; + let (x200) = fiat_bign256_scalar_cmovznz_u64(x198, x191, x183); + let mut x201: u64 = 0; + let (x201) = fiat_bign256_scalar_cmovznz_u64(x198, x193, x185); + let mut x202: u64 = 0; + let (x202) = fiat_bign256_scalar_cmovznz_u64(x198, x195, x187); + out1[0] = x199; + out1[1] = x200; + out1[2] = x201; + out1[3] = x202; + out1 +} +#[doc = " The function fiat_bign256_scalar_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[inline] +pub const fn fiat_bign256_scalar_nonzero(arg1: &[u64; 4]) -> u64 { + let mut out1: u64 = 0; + let x1: u64 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3])))); + out1 = x1; + out1 +} +#[doc = " The function fiat_bign256_scalar_selectznz is a multi-limb conditional select."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " out1 = (if arg1 = 0 then arg2 else arg3)"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0x1]"] +#[doc = " arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[inline] +pub const fn fiat_bign256_scalar_selectznz( + arg1: fiat_bign256_scalar_u1, + arg2: &[u64; 4], + arg3: &[u64; 4], +) -> [u64; 4] { + let mut out1: [u64; 4] = [0; 4]; + let mut x1: u64 = 0; + let (x1) = fiat_bign256_scalar_cmovznz_u64(arg1, (arg2[0]), (arg3[0])); + let mut x2: u64 = 0; + let (x2) = fiat_bign256_scalar_cmovznz_u64(arg1, (arg2[1]), (arg3[1])); + let mut x3: u64 = 0; + let (x3) = fiat_bign256_scalar_cmovznz_u64(arg1, (arg2[2]), (arg3[2])); + let mut x4: u64 = 0; + let (x4) = fiat_bign256_scalar_cmovznz_u64(arg1, (arg2[3]), (arg3[3])); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1 +} +#[doc = " The function fiat_bign256_scalar_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = map (Ξ» x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)βŒ‹) [0..31]"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]"] +#[inline] +pub const fn fiat_bign256_scalar_to_bytes(arg1: &[u64; 4]) -> [u8; 32] { + let mut out1: [u8; 32] = [0; 32]; + let x1: u64 = (arg1[3]); + let x2: u64 = (arg1[2]); + let x3: u64 = (arg1[1]); + let x4: u64 = (arg1[0]); + let x5: u8 = ((x4 & (0xff as u64)) as u8); + let x6: u64 = (x4 >> 8); + let x7: u8 = ((x6 & (0xff as u64)) as u8); + let x8: u64 = (x6 >> 8); + let x9: u8 = ((x8 & (0xff as u64)) as u8); + let x10: u64 = (x8 >> 8); + let x11: u8 = ((x10 & (0xff as u64)) as u8); + let x12: u64 = (x10 >> 8); + let x13: u8 = ((x12 & (0xff as u64)) as u8); + let x14: u64 = (x12 >> 8); + let x15: u8 = ((x14 & (0xff as u64)) as u8); + let x16: u64 = (x14 >> 8); + let x17: u8 = ((x16 & (0xff as u64)) as u8); + let x18: u8 = ((x16 >> 8) as u8); + let x19: u8 = ((x3 & (0xff as u64)) as u8); + let x20: u64 = (x3 >> 8); + let x21: u8 = ((x20 & (0xff as u64)) as u8); + let x22: u64 = (x20 >> 8); + let x23: u8 = ((x22 & (0xff as u64)) as u8); + let x24: u64 = (x22 >> 8); + let x25: u8 = ((x24 & (0xff as u64)) as u8); + let x26: u64 = (x24 >> 8); + let x27: u8 = ((x26 & (0xff as u64)) as u8); + let x28: u64 = (x26 >> 8); + let x29: u8 = ((x28 & (0xff as u64)) as u8); + let x30: u64 = (x28 >> 8); + let x31: u8 = ((x30 & (0xff as u64)) as u8); + let x32: u8 = ((x30 >> 8) as u8); + let x33: u8 = ((x2 & (0xff as u64)) as u8); + let x34: u64 = (x2 >> 8); + let x35: u8 = ((x34 & (0xff as u64)) as u8); + let x36: u64 = (x34 >> 8); + let x37: u8 = ((x36 & (0xff as u64)) as u8); + let x38: u64 = (x36 >> 8); + let x39: u8 = ((x38 & (0xff as u64)) as u8); + let x40: u64 = (x38 >> 8); + let x41: u8 = ((x40 & (0xff as u64)) as u8); + let x42: u64 = (x40 >> 8); + let x43: u8 = ((x42 & (0xff as u64)) as u8); + let x44: u64 = (x42 >> 8); + let x45: u8 = ((x44 & (0xff as u64)) as u8); + let x46: u8 = ((x44 >> 8) as u8); + let x47: u8 = ((x1 & (0xff as u64)) as u8); + let x48: u64 = (x1 >> 8); + let x49: u8 = ((x48 & (0xff as u64)) as u8); + let x50: u64 = (x48 >> 8); + let x51: u8 = ((x50 & (0xff as u64)) as u8); + let x52: u64 = (x50 >> 8); + let x53: u8 = ((x52 & (0xff as u64)) as u8); + let x54: u64 = (x52 >> 8); + let x55: u8 = ((x54 & (0xff as u64)) as u8); + let x56: u64 = (x54 >> 8); + let x57: u8 = ((x56 & (0xff as u64)) as u8); + let x58: u64 = (x56 >> 8); + let x59: u8 = ((x58 & (0xff as u64)) as u8); + let x60: u8 = ((x58 >> 8) as u8); + out1[0] = x5; + out1[1] = x7; + out1[2] = x9; + out1[3] = x11; + out1[4] = x13; + out1[5] = x15; + out1[6] = x17; + out1[7] = x18; + out1[8] = x19; + out1[9] = x21; + out1[10] = x23; + out1[11] = x25; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x39; + out1[20] = x41; + out1[21] = x43; + out1[22] = x45; + out1[23] = x46; + out1[24] = x47; + out1[25] = x49; + out1[26] = x51; + out1[27] = x53; + out1[28] = x55; + out1[29] = x57; + out1[30] = x59; + out1[31] = x60; + out1 +} +#[doc = " The function fiat_bign256_scalar_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ bytes_eval arg1 < m"] +#[doc = " Postconditions:"] +#[doc = " eval out1 mod m = bytes_eval arg1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[inline] +pub const fn fiat_bign256_scalar_from_bytes(arg1: &[u8; 32]) -> [u64; 4] { + let mut out1: [u64; 4] = [0; 4]; + let x1: u64 = (((arg1[31]) as u64) << 56); + let x2: u64 = (((arg1[30]) as u64) << 48); + let x3: u64 = (((arg1[29]) as u64) << 40); + let x4: u64 = (((arg1[28]) as u64) << 32); + let x5: u64 = (((arg1[27]) as u64) << 24); + let x6: u64 = (((arg1[26]) as u64) << 16); + let x7: u64 = (((arg1[25]) as u64) << 8); + let x8: u8 = (arg1[24]); + let x9: u64 = (((arg1[23]) as u64) << 56); + let x10: u64 = (((arg1[22]) as u64) << 48); + let x11: u64 = (((arg1[21]) as u64) << 40); + let x12: u64 = (((arg1[20]) as u64) << 32); + let x13: u64 = (((arg1[19]) as u64) << 24); + let x14: u64 = (((arg1[18]) as u64) << 16); + let x15: u64 = (((arg1[17]) as u64) << 8); + let x16: u8 = (arg1[16]); + let x17: u64 = (((arg1[15]) as u64) << 56); + let x18: u64 = (((arg1[14]) as u64) << 48); + let x19: u64 = (((arg1[13]) as u64) << 40); + let x20: u64 = (((arg1[12]) as u64) << 32); + let x21: u64 = (((arg1[11]) as u64) << 24); + let x22: u64 = (((arg1[10]) as u64) << 16); + let x23: u64 = (((arg1[9]) as u64) << 8); + let x24: u8 = (arg1[8]); + let x25: u64 = (((arg1[7]) as u64) << 56); + let x26: u64 = (((arg1[6]) as u64) << 48); + let x27: u64 = (((arg1[5]) as u64) << 40); + let x28: u64 = (((arg1[4]) as u64) << 32); + let x29: u64 = (((arg1[3]) as u64) << 24); + let x30: u64 = (((arg1[2]) as u64) << 16); + let x31: u64 = (((arg1[1]) as u64) << 8); + let x32: u8 = (arg1[0]); + let x33: u64 = (x31 + (x32 as u64)); + let x34: u64 = (x30 + x33); + let x35: u64 = (x29 + x34); + let x36: u64 = (x28 + x35); + let x37: u64 = (x27 + x36); + let x38: u64 = (x26 + x37); + let x39: u64 = (x25 + x38); + let x40: u64 = (x23 + (x24 as u64)); + let x41: u64 = (x22 + x40); + let x42: u64 = (x21 + x41); + let x43: u64 = (x20 + x42); + let x44: u64 = (x19 + x43); + let x45: u64 = (x18 + x44); + let x46: u64 = (x17 + x45); + let x47: u64 = (x15 + (x16 as u64)); + let x48: u64 = (x14 + x47); + let x49: u64 = (x13 + x48); + let x50: u64 = (x12 + x49); + let x51: u64 = (x11 + x50); + let x52: u64 = (x10 + x51); + let x53: u64 = (x9 + x52); + let x54: u64 = (x7 + (x8 as u64)); + let x55: u64 = (x6 + x54); + let x56: u64 = (x5 + x55); + let x57: u64 = (x4 + x56); + let x58: u64 = (x3 + x57); + let x59: u64 = (x2 + x58); + let x60: u64 = (x1 + x59); + out1[0] = x39; + out1[1] = x46; + out1[2] = x53; + out1[3] = x60; + out1 +} +#[doc = " The function fiat_bign256_scalar_set_one returns the field element one in the Montgomery domain."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) mod m = 1 mod m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[inline] +pub const fn fiat_bign256_scalar_set_one() -> fiat_bign256_scalar_montgomery_domain_field_element { + let mut out1: fiat_bign256_scalar_montgomery_domain_field_element = [0; 4]; + out1[0] = 0x81a54066d9c299f9; + out1[1] = 0x26a37129f204b203; + out1[2] = (0x0 as u64); + out1[3] = (0x0 as u64); + out1 +} +#[doc = " The function fiat_bign256_scalar_msat returns the saturated representation of the prime modulus."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " twos_complement_eval out1 = m"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[inline] +pub const fn fiat_bign256_scalar_msat() -> [u64; 5] { + let mut out1: [u64; 5] = [0; 5]; + out1[0] = 0x7e5abf99263d6607; + out1[1] = 0xd95c8ed60dfb4dfc; + out1[2] = 0xffffffffffffffff; + out1[3] = 0xffffffffffffffff; + out1[4] = (0x0 as u64); + out1 +} +#[doc = " The function fiat_bign256_scalar_divstep computes a divstep."] +#[doc = ""] +#[doc = " Preconditions:"] +#[doc = " 0 ≀ eval arg4 < m"] +#[doc = " 0 ≀ eval arg5 < m"] +#[doc = " Postconditions:"] +#[doc = " out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1)"] +#[doc = " twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2)"] +#[doc = " twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2βŒ‹ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2βŒ‹)"] +#[doc = " eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m)"] +#[doc = " eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m)"] +#[doc = " 0 ≀ eval out5 < m"] +#[doc = " 0 ≀ eval out5 < m"] +#[doc = " 0 ≀ eval out2 < m"] +#[doc = " 0 ≀ eval out3 < m"] +#[doc = ""] +#[doc = " Input Bounds:"] +#[doc = " arg1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " Output Bounds:"] +#[doc = " out1: [0x0 ~> 0xffffffffffffffff]"] +#[doc = " out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[doc = " out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[inline] +pub const fn fiat_bign256_scalar_divstep( + arg1: u64, + arg2: &[u64; 5], + arg3: &[u64; 5], + arg4: &[u64; 4], + arg5: &[u64; 4], +) -> (u64, [u64; 5], [u64; 5], [u64; 4], [u64; 4]) { + let mut out1: u64 = 0; + let mut out2: [u64; 5] = [0; 5]; + let mut out3: [u64; 5] = [0; 5]; + let mut out4: [u64; 4] = [0; 4]; + let mut out5: [u64; 4] = [0; 4]; + let mut x1: u64 = 0; + let mut x2: fiat_bign256_scalar_u1 = 0; + let (x1, x2) = fiat_bign256_scalar_addcarryx_u64(0x0, (!arg1), (0x1 as u64)); + let x3: fiat_bign256_scalar_u1 = (((x1 >> 63) as fiat_bign256_scalar_u1) + & (((arg3[0]) & (0x1 as u64)) as fiat_bign256_scalar_u1)); + let mut x4: u64 = 0; + let mut x5: fiat_bign256_scalar_u1 = 0; + let (x4, x5) = fiat_bign256_scalar_addcarryx_u64(0x0, (!arg1), (0x1 as u64)); + let mut x6: u64 = 0; + let (x6) = fiat_bign256_scalar_cmovznz_u64(x3, arg1, x4); + let mut x7: u64 = 0; + let (x7) = fiat_bign256_scalar_cmovznz_u64(x3, (arg2[0]), (arg3[0])); + let mut x8: u64 = 0; + let (x8) = fiat_bign256_scalar_cmovznz_u64(x3, (arg2[1]), (arg3[1])); + let mut x9: u64 = 0; + let (x9) = fiat_bign256_scalar_cmovznz_u64(x3, (arg2[2]), (arg3[2])); + let mut x10: u64 = 0; + let (x10) = fiat_bign256_scalar_cmovznz_u64(x3, (arg2[3]), (arg3[3])); + let mut x11: u64 = 0; + let (x11) = fiat_bign256_scalar_cmovznz_u64(x3, (arg2[4]), (arg3[4])); + let mut x12: u64 = 0; + let mut x13: fiat_bign256_scalar_u1 = 0; + let (x12, x13) = fiat_bign256_scalar_addcarryx_u64(0x0, (0x1 as u64), (!(arg2[0]))); + let mut x14: u64 = 0; + let mut x15: fiat_bign256_scalar_u1 = 0; + let (x14, x15) = fiat_bign256_scalar_addcarryx_u64(x13, (0x0 as u64), (!(arg2[1]))); + let mut x16: u64 = 0; + let mut x17: fiat_bign256_scalar_u1 = 0; + let (x16, x17) = fiat_bign256_scalar_addcarryx_u64(x15, (0x0 as u64), (!(arg2[2]))); + let mut x18: u64 = 0; + let mut x19: fiat_bign256_scalar_u1 = 0; + let (x18, x19) = fiat_bign256_scalar_addcarryx_u64(x17, (0x0 as u64), (!(arg2[3]))); + let mut x20: u64 = 0; + let mut x21: fiat_bign256_scalar_u1 = 0; + let (x20, x21) = fiat_bign256_scalar_addcarryx_u64(x19, (0x0 as u64), (!(arg2[4]))); + let mut x22: u64 = 0; + let (x22) = fiat_bign256_scalar_cmovznz_u64(x3, (arg3[0]), x12); + let mut x23: u64 = 0; + let (x23) = fiat_bign256_scalar_cmovznz_u64(x3, (arg3[1]), x14); + let mut x24: u64 = 0; + let (x24) = fiat_bign256_scalar_cmovznz_u64(x3, (arg3[2]), x16); + let mut x25: u64 = 0; + let (x25) = fiat_bign256_scalar_cmovznz_u64(x3, (arg3[3]), x18); + let mut x26: u64 = 0; + let (x26) = fiat_bign256_scalar_cmovznz_u64(x3, (arg3[4]), x20); + let mut x27: u64 = 0; + let (x27) = fiat_bign256_scalar_cmovznz_u64(x3, (arg4[0]), (arg5[0])); + let mut x28: u64 = 0; + let (x28) = fiat_bign256_scalar_cmovznz_u64(x3, (arg4[1]), (arg5[1])); + let mut x29: u64 = 0; + let (x29) = fiat_bign256_scalar_cmovznz_u64(x3, (arg4[2]), (arg5[2])); + let mut x30: u64 = 0; + let (x30) = fiat_bign256_scalar_cmovznz_u64(x3, (arg4[3]), (arg5[3])); + let mut x31: u64 = 0; + let mut x32: fiat_bign256_scalar_u1 = 0; + let (x31, x32) = fiat_bign256_scalar_addcarryx_u64(0x0, x27, x27); + let mut x33: u64 = 0; + let mut x34: fiat_bign256_scalar_u1 = 0; + let (x33, x34) = fiat_bign256_scalar_addcarryx_u64(x32, x28, x28); + let mut x35: u64 = 0; + let mut x36: fiat_bign256_scalar_u1 = 0; + let (x35, x36) = fiat_bign256_scalar_addcarryx_u64(x34, x29, x29); + let mut x37: u64 = 0; + let mut x38: fiat_bign256_scalar_u1 = 0; + let (x37, x38) = fiat_bign256_scalar_addcarryx_u64(x36, x30, x30); + let mut x39: u64 = 0; + let mut x40: fiat_bign256_scalar_u1 = 0; + let (x39, x40) = fiat_bign256_scalar_subborrowx_u64(0x0, x31, 0x7e5abf99263d6607); + let mut x41: u64 = 0; + let mut x42: fiat_bign256_scalar_u1 = 0; + let (x41, x42) = fiat_bign256_scalar_subborrowx_u64(x40, x33, 0xd95c8ed60dfb4dfc); + let mut x43: u64 = 0; + let mut x44: fiat_bign256_scalar_u1 = 0; + let (x43, x44) = fiat_bign256_scalar_subborrowx_u64(x42, x35, 0xffffffffffffffff); + let mut x45: u64 = 0; + let mut x46: fiat_bign256_scalar_u1 = 0; + let (x45, x46) = fiat_bign256_scalar_subborrowx_u64(x44, x37, 0xffffffffffffffff); + let mut x47: u64 = 0; + let mut x48: fiat_bign256_scalar_u1 = 0; + let (x47, x48) = fiat_bign256_scalar_subborrowx_u64(x46, (x38 as u64), (0x0 as u64)); + let x49: u64 = (arg4[3]); + let x50: u64 = (arg4[2]); + let x51: u64 = (arg4[1]); + let x52: u64 = (arg4[0]); + let mut x53: u64 = 0; + let mut x54: fiat_bign256_scalar_u1 = 0; + let (x53, x54) = fiat_bign256_scalar_subborrowx_u64(0x0, (0x0 as u64), x52); + let mut x55: u64 = 0; + let mut x56: fiat_bign256_scalar_u1 = 0; + let (x55, x56) = fiat_bign256_scalar_subborrowx_u64(x54, (0x0 as u64), x51); + let mut x57: u64 = 0; + let mut x58: fiat_bign256_scalar_u1 = 0; + let (x57, x58) = fiat_bign256_scalar_subborrowx_u64(x56, (0x0 as u64), x50); + let mut x59: u64 = 0; + let mut x60: fiat_bign256_scalar_u1 = 0; + let (x59, x60) = fiat_bign256_scalar_subborrowx_u64(x58, (0x0 as u64), x49); + let mut x61: u64 = 0; + let (x61) = fiat_bign256_scalar_cmovznz_u64(x60, (0x0 as u64), 0xffffffffffffffff); + let mut x62: u64 = 0; + let mut x63: fiat_bign256_scalar_u1 = 0; + let (x62, x63) = fiat_bign256_scalar_addcarryx_u64(0x0, x53, (x61 & 0x7e5abf99263d6607)); + let mut x64: u64 = 0; + let mut x65: fiat_bign256_scalar_u1 = 0; + let (x64, x65) = fiat_bign256_scalar_addcarryx_u64(x63, x55, (x61 & 0xd95c8ed60dfb4dfc)); + let mut x66: u64 = 0; + let mut x67: fiat_bign256_scalar_u1 = 0; + let (x66, x67) = fiat_bign256_scalar_addcarryx_u64(x65, x57, x61); + let mut x68: u64 = 0; + let mut x69: fiat_bign256_scalar_u1 = 0; + let (x68, x69) = fiat_bign256_scalar_addcarryx_u64(x67, x59, x61); + let mut x70: u64 = 0; + let (x70) = fiat_bign256_scalar_cmovznz_u64(x3, (arg5[0]), x62); + let mut x71: u64 = 0; + let (x71) = fiat_bign256_scalar_cmovznz_u64(x3, (arg5[1]), x64); + let mut x72: u64 = 0; + let (x72) = fiat_bign256_scalar_cmovznz_u64(x3, (arg5[2]), x66); + let mut x73: u64 = 0; + let (x73) = fiat_bign256_scalar_cmovznz_u64(x3, (arg5[3]), x68); + let x74: fiat_bign256_scalar_u1 = ((x22 & (0x1 as u64)) as fiat_bign256_scalar_u1); + let mut x75: u64 = 0; + let (x75) = fiat_bign256_scalar_cmovznz_u64(x74, (0x0 as u64), x7); + let mut x76: u64 = 0; + let (x76) = fiat_bign256_scalar_cmovznz_u64(x74, (0x0 as u64), x8); + let mut x77: u64 = 0; + let (x77) = fiat_bign256_scalar_cmovznz_u64(x74, (0x0 as u64), x9); + let mut x78: u64 = 0; + let (x78) = fiat_bign256_scalar_cmovznz_u64(x74, (0x0 as u64), x10); + let mut x79: u64 = 0; + let (x79) = fiat_bign256_scalar_cmovznz_u64(x74, (0x0 as u64), x11); + let mut x80: u64 = 0; + let mut x81: fiat_bign256_scalar_u1 = 0; + let (x80, x81) = fiat_bign256_scalar_addcarryx_u64(0x0, x22, x75); + let mut x82: u64 = 0; + let mut x83: fiat_bign256_scalar_u1 = 0; + let (x82, x83) = fiat_bign256_scalar_addcarryx_u64(x81, x23, x76); + let mut x84: u64 = 0; + let mut x85: fiat_bign256_scalar_u1 = 0; + let (x84, x85) = fiat_bign256_scalar_addcarryx_u64(x83, x24, x77); + let mut x86: u64 = 0; + let mut x87: fiat_bign256_scalar_u1 = 0; + let (x86, x87) = fiat_bign256_scalar_addcarryx_u64(x85, x25, x78); + let mut x88: u64 = 0; + let mut x89: fiat_bign256_scalar_u1 = 0; + let (x88, x89) = fiat_bign256_scalar_addcarryx_u64(x87, x26, x79); + let mut x90: u64 = 0; + let (x90) = fiat_bign256_scalar_cmovznz_u64(x74, (0x0 as u64), x27); + let mut x91: u64 = 0; + let (x91) = fiat_bign256_scalar_cmovznz_u64(x74, (0x0 as u64), x28); + let mut x92: u64 = 0; + let (x92) = fiat_bign256_scalar_cmovznz_u64(x74, (0x0 as u64), x29); + let mut x93: u64 = 0; + let (x93) = fiat_bign256_scalar_cmovznz_u64(x74, (0x0 as u64), x30); + let mut x94: u64 = 0; + let mut x95: fiat_bign256_scalar_u1 = 0; + let (x94, x95) = fiat_bign256_scalar_addcarryx_u64(0x0, x70, x90); + let mut x96: u64 = 0; + let mut x97: fiat_bign256_scalar_u1 = 0; + let (x96, x97) = fiat_bign256_scalar_addcarryx_u64(x95, x71, x91); + let mut x98: u64 = 0; + let mut x99: fiat_bign256_scalar_u1 = 0; + let (x98, x99) = fiat_bign256_scalar_addcarryx_u64(x97, x72, x92); + let mut x100: u64 = 0; + let mut x101: fiat_bign256_scalar_u1 = 0; + let (x100, x101) = fiat_bign256_scalar_addcarryx_u64(x99, x73, x93); + let mut x102: u64 = 0; + let mut x103: fiat_bign256_scalar_u1 = 0; + let (x102, x103) = fiat_bign256_scalar_subborrowx_u64(0x0, x94, 0x7e5abf99263d6607); + let mut x104: u64 = 0; + let mut x105: fiat_bign256_scalar_u1 = 0; + let (x104, x105) = fiat_bign256_scalar_subborrowx_u64(x103, x96, 0xd95c8ed60dfb4dfc); + let mut x106: u64 = 0; + let mut x107: fiat_bign256_scalar_u1 = 0; + let (x106, x107) = fiat_bign256_scalar_subborrowx_u64(x105, x98, 0xffffffffffffffff); + let mut x108: u64 = 0; + let mut x109: fiat_bign256_scalar_u1 = 0; + let (x108, x109) = fiat_bign256_scalar_subborrowx_u64(x107, x100, 0xffffffffffffffff); + let mut x110: u64 = 0; + let mut x111: fiat_bign256_scalar_u1 = 0; + let (x110, x111) = fiat_bign256_scalar_subborrowx_u64(x109, (x101 as u64), (0x0 as u64)); + let mut x112: u64 = 0; + let mut x113: fiat_bign256_scalar_u1 = 0; + let (x112, x113) = fiat_bign256_scalar_addcarryx_u64(0x0, x6, (0x1 as u64)); + let x114: u64 = ((x80 >> 1) | ((x82 << 63) & 0xffffffffffffffff)); + let x115: u64 = ((x82 >> 1) | ((x84 << 63) & 0xffffffffffffffff)); + let x116: u64 = ((x84 >> 1) | ((x86 << 63) & 0xffffffffffffffff)); + let x117: u64 = ((x86 >> 1) | ((x88 << 63) & 0xffffffffffffffff)); + let x118: u64 = ((x88 & 0x8000000000000000) | (x88 >> 1)); + let mut x119: u64 = 0; + let (x119) = fiat_bign256_scalar_cmovznz_u64(x48, x39, x31); + let mut x120: u64 = 0; + let (x120) = fiat_bign256_scalar_cmovznz_u64(x48, x41, x33); + let mut x121: u64 = 0; + let (x121) = fiat_bign256_scalar_cmovznz_u64(x48, x43, x35); + let mut x122: u64 = 0; + let (x122) = fiat_bign256_scalar_cmovznz_u64(x48, x45, x37); + let mut x123: u64 = 0; + let (x123) = fiat_bign256_scalar_cmovznz_u64(x111, x102, x94); + let mut x124: u64 = 0; + let (x124) = fiat_bign256_scalar_cmovznz_u64(x111, x104, x96); + let mut x125: u64 = 0; + let (x125) = fiat_bign256_scalar_cmovznz_u64(x111, x106, x98); + let mut x126: u64 = 0; + let (x126) = fiat_bign256_scalar_cmovznz_u64(x111, x108, x100); + out1 = x112; + out2[0] = x7; + out2[1] = x8; + out2[2] = x9; + out2[3] = x10; + out2[4] = x11; + out3[0] = x114; + out3[1] = x115; + out3[2] = x116; + out3[3] = x117; + out3[4] = x118; + out4[0] = x119; + out4[1] = x120; + out4[2] = x121; + out4[3] = x122; + out5[0] = x123; + out5[1] = x124; + out5[2] = x125; + out5[3] = x126; + (out1, out2, out3, out4, out5) +} +#[doc = " The function fiat_bign256_scalar_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form)."] +#[doc = ""] +#[doc = " Postconditions:"] +#[doc = " eval (from_montgomery out1) = ⌊(m - 1) / 2βŒ‹^(if ⌊log2 mβŒ‹ + 1 < 46 then ⌊(49 * (⌊log2 mβŒ‹ + 1) + 80) / 17βŒ‹ else ⌊(49 * (⌊log2 mβŒ‹ + 1) + 57) / 17βŒ‹)"] +#[doc = " 0 ≀ eval out1 < m"] +#[doc = ""] +#[doc = " Output Bounds:"] +#[doc = " out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]"] +#[inline] +pub const fn fiat_bign256_scalar_divstep_precomp() -> [u64; 4] { + let mut out1: [u64; 4] = [0; 4]; + out1[0] = 0xeffe1f652465feb0; + out1[1] = 0xb12c827f1a30f6de; + out1[2] = 0xf63934f7445b1483; + out1[3] = 0x898f2e1e55dddae4; + out1 +} diff --git a/bign256/src/lib.rs b/bign256/src/lib.rs new file mode 100644 index 00000000..94a547bf --- /dev/null +++ b/bign256/src/lib.rs @@ -0,0 +1,106 @@ +#![no_std] +#![cfg_attr(docsrs, feature(doc_auto_cfg))] +#![doc = include_str!("../README.md")] +#![doc( + html_logo_url = "https://raw.githubusercontent.com/RustCrypto/meta/master/logo.svg", + html_favicon_url = "https://raw.githubusercontent.com/RustCrypto/meta/master/logo.svg" +)] +#![forbid(unsafe_code)] +#![warn( + clippy::mod_module_files, + clippy::unwrap_used, + missing_docs, + rust_2018_idioms, + unused_lifetimes, + unused_qualifications +)] + +pub mod arithmetic; + +#[cfg(any(feature = "test-vectors", test))] +pub mod test_vectors; + +pub use elliptic_curve; + +pub use arithmetic::field::FieldElement; + +#[cfg(feature = "pkcs8")] +pub use elliptic_curve::pkcs8; + +pub use elliptic_curve::{consts::U32, generic_array::GenericArray, FieldBytesEncoding}; + +pub use elliptic_curve::bigint::U256 as Uint; + +pub use arithmetic::{scalar::Scalar, AffinePoint, ProjectivePoint}; + +/// Order of BIGN P-256's elliptic curve group (i.e. scalar modulus) in hexadecimal. +const ORDER_HEX: &str = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD95C8ED60DFB4DFC7E5ABF99263D6607"; + +/// BIGN P-256 elliptic curve. +/// +/// This curve is also known as bign-curve256v1 +/// and is specified in [STB 34.101.45-2013]: +/// Recommendations for Discrete Logarithm-based Cryptography: +/// Elliptic Curve Domain Parameters. +/// +/// +/// Its equation is `yΒ² = xΒ³ + ax + b` over a ~256-bit prime field. +/// +/// ```text +/// a = 115792089237316195423570985008687907853269984665640564039457584007913129639744 +/// b = 54189945433829174764701416670523239872420438478408031144987871676190519198705 +/// ``` +/// +/// [STB 34.101.45-2013]: https://apmi.bsu.by/assets/files/std/bign-spec294.pdf +#[derive(Copy, Clone, Debug, Default, Eq, PartialEq, PartialOrd, Ord)] +pub struct BignP256; + +impl elliptic_curve::Curve for BignP256 { + /// 256-bit integer type used for internally representing field elements. + type FieldBytesSize = U32; + type Uint = Uint; + + /// Order of BIGN P-256's elliptic curve group (i.e. scalar modulus). + const ORDER: Uint = Uint::from_be_hex(ORDER_HEX); +} + +impl elliptic_curve::PrimeCurve for BignP256 {} + +impl elliptic_curve::point::PointCompression for BignP256 { + /// BIGN P-256 points are typically uncompressed. + const COMPRESS_POINTS: bool = false; +} + +impl elliptic_curve::point::PointCompaction for BignP256 { + /// BIGN P-256 points are typically uncompressed. + const COMPACT_POINTS: bool = false; +} + +#[cfg(feature = "pkcs8")] +impl pkcs8::AssociatedOid for BignP256 { + const OID: pkcs8::ObjectIdentifier = + pkcs8::ObjectIdentifier::new_unwrap("1.2.112.0.2.0.34.101.45.1"); +} + +/// Compressed SEC1-encoded BIGN P256 curve point. +pub type CompressedPoint = GenericArray; + +/// BIGN P-256 field element serialized as bytes. +/// +/// Byte array containing a serialized field element value (base field or scalar). +pub type FieldBytes = elliptic_curve::FieldBytes; + +/// BIGN P-256 SEC1 encoded point. +pub type EncodedPoint = elliptic_curve::sec1::EncodedPoint; + +impl FieldBytesEncoding for Uint {} + +/// BIGN P-256 public key. +pub type PublicKey = elliptic_curve::PublicKey; + +/// BIGN P-256 secret key. +pub type SecretKey = elliptic_curve::SecretKey; + +/// Bit representation of a BIGN P-256 scalar field element. +#[cfg(feature = "bits")] +pub type ScalarBits = elliptic_curve::ScalarBits; diff --git a/bign256/src/test_vectors.rs b/bign256/src/test_vectors.rs new file mode 100644 index 00000000..2d106289 --- /dev/null +++ b/bign256/src/test_vectors.rs @@ -0,0 +1,5 @@ +//! secp256r1 test vectors. + +#[cfg(test)] +pub mod field; +pub mod group; diff --git a/bign256/src/test_vectors/field.rs b/bign256/src/test_vectors/field.rs new file mode 100644 index 00000000..ea5e5601 --- /dev/null +++ b/bign256/src/test_vectors/field.rs @@ -0,0 +1,257 @@ +//! Test vectors for the bign256 base field. + +use hex_literal::hex; + +/// Repeated doubling of the multiplicative identity. +pub const DBL_TEST_VECTORS: &[[u8; 32]] = &[ + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + hex!("0000000000000000000000000000000000000000000000000000000000000002"), + hex!("0000000000000000000000000000000000000000000000000000000000000004"), + hex!("0000000000000000000000000000000000000000000000000000000000000008"), + hex!("0000000000000000000000000000000000000000000000000000000000000010"), + hex!("0000000000000000000000000000000000000000000000000000000000000020"), + hex!("0000000000000000000000000000000000000000000000000000000000000040"), + hex!("0000000000000000000000000000000000000000000000000000000000000080"), + hex!("0000000000000000000000000000000000000000000000000000000000000100"), + hex!("0000000000000000000000000000000000000000000000000000000000000200"), + hex!("0000000000000000000000000000000000000000000000000000000000000400"), + hex!("0000000000000000000000000000000000000000000000000000000000000800"), + hex!("0000000000000000000000000000000000000000000000000000000000001000"), + hex!("0000000000000000000000000000000000000000000000000000000000002000"), + hex!("0000000000000000000000000000000000000000000000000000000000004000"), + hex!("0000000000000000000000000000000000000000000000000000000000008000"), + hex!("0000000000000000000000000000000000000000000000000000000000010000"), + hex!("0000000000000000000000000000000000000000000000000000000000020000"), + hex!("0000000000000000000000000000000000000000000000000000000000040000"), + hex!("0000000000000000000000000000000000000000000000000000000000080000"), + hex!("0000000000000000000000000000000000000000000000000000000000100000"), + hex!("0000000000000000000000000000000000000000000000000000000000200000"), + hex!("0000000000000000000000000000000000000000000000000000000000400000"), + hex!("0000000000000000000000000000000000000000000000000000000000800000"), + hex!("0000000000000000000000000000000000000000000000000000000001000000"), + hex!("0000000000000000000000000000000000000000000000000000000002000000"), + hex!("0000000000000000000000000000000000000000000000000000000004000000"), + hex!("0000000000000000000000000000000000000000000000000000000008000000"), + hex!("0000000000000000000000000000000000000000000000000000000010000000"), + hex!("0000000000000000000000000000000000000000000000000000000020000000"), + hex!("0000000000000000000000000000000000000000000000000000000040000000"), + hex!("0000000000000000000000000000000000000000000000000000000080000000"), + hex!("0000000000000000000000000000000000000000000000000000000100000000"), + hex!("0000000000000000000000000000000000000000000000000000000200000000"), + hex!("0000000000000000000000000000000000000000000000000000000400000000"), + hex!("0000000000000000000000000000000000000000000000000000000800000000"), + hex!("0000000000000000000000000000000000000000000000000000001000000000"), + hex!("0000000000000000000000000000000000000000000000000000002000000000"), + hex!("0000000000000000000000000000000000000000000000000000004000000000"), + hex!("0000000000000000000000000000000000000000000000000000008000000000"), + hex!("0000000000000000000000000000000000000000000000000000010000000000"), + hex!("0000000000000000000000000000000000000000000000000000020000000000"), + hex!("0000000000000000000000000000000000000000000000000000040000000000"), + hex!("0000000000000000000000000000000000000000000000000000080000000000"), + hex!("0000000000000000000000000000000000000000000000000000100000000000"), + hex!("0000000000000000000000000000000000000000000000000000200000000000"), + hex!("0000000000000000000000000000000000000000000000000000400000000000"), + hex!("0000000000000000000000000000000000000000000000000000800000000000"), + hex!("0000000000000000000000000000000000000000000000000001000000000000"), + hex!("0000000000000000000000000000000000000000000000000002000000000000"), + hex!("0000000000000000000000000000000000000000000000000004000000000000"), + hex!("0000000000000000000000000000000000000000000000000008000000000000"), + hex!("0000000000000000000000000000000000000000000000000010000000000000"), + hex!("0000000000000000000000000000000000000000000000000020000000000000"), + hex!("0000000000000000000000000000000000000000000000000040000000000000"), + hex!("0000000000000000000000000000000000000000000000000080000000000000"), + hex!("0000000000000000000000000000000000000000000000000100000000000000"), + hex!("0000000000000000000000000000000000000000000000000200000000000000"), + hex!("0000000000000000000000000000000000000000000000000400000000000000"), + hex!("0000000000000000000000000000000000000000000000000800000000000000"), + hex!("0000000000000000000000000000000000000000000000001000000000000000"), + hex!("0000000000000000000000000000000000000000000000002000000000000000"), + hex!("0000000000000000000000000000000000000000000000004000000000000000"), + hex!("0000000000000000000000000000000000000000000000008000000000000000"), + hex!("0000000000000000000000000000000000000000000000010000000000000000"), + hex!("0000000000000000000000000000000000000000000000020000000000000000"), + hex!("0000000000000000000000000000000000000000000000040000000000000000"), + hex!("0000000000000000000000000000000000000000000000080000000000000000"), + hex!("0000000000000000000000000000000000000000000000100000000000000000"), + hex!("0000000000000000000000000000000000000000000000200000000000000000"), + hex!("0000000000000000000000000000000000000000000000400000000000000000"), + hex!("0000000000000000000000000000000000000000000000800000000000000000"), + hex!("0000000000000000000000000000000000000000000001000000000000000000"), + hex!("0000000000000000000000000000000000000000000002000000000000000000"), + hex!("0000000000000000000000000000000000000000000004000000000000000000"), + hex!("0000000000000000000000000000000000000000000008000000000000000000"), + hex!("0000000000000000000000000000000000000000000010000000000000000000"), + hex!("0000000000000000000000000000000000000000000020000000000000000000"), + hex!("0000000000000000000000000000000000000000000040000000000000000000"), + hex!("0000000000000000000000000000000000000000000080000000000000000000"), + hex!("0000000000000000000000000000000000000000000100000000000000000000"), + hex!("0000000000000000000000000000000000000000000200000000000000000000"), + hex!("0000000000000000000000000000000000000000000400000000000000000000"), + hex!("0000000000000000000000000000000000000000000800000000000000000000"), + hex!("0000000000000000000000000000000000000000001000000000000000000000"), + hex!("0000000000000000000000000000000000000000002000000000000000000000"), + hex!("0000000000000000000000000000000000000000004000000000000000000000"), + hex!("0000000000000000000000000000000000000000008000000000000000000000"), + hex!("0000000000000000000000000000000000000000010000000000000000000000"), + hex!("0000000000000000000000000000000000000000020000000000000000000000"), + hex!("0000000000000000000000000000000000000000040000000000000000000000"), + hex!("0000000000000000000000000000000000000000080000000000000000000000"), + hex!("0000000000000000000000000000000000000000100000000000000000000000"), + hex!("0000000000000000000000000000000000000000200000000000000000000000"), + hex!("0000000000000000000000000000000000000000400000000000000000000000"), + hex!("0000000000000000000000000000000000000000800000000000000000000000"), + hex!("0000000000000000000000000000000000000001000000000000000000000000"), + hex!("0000000000000000000000000000000000000002000000000000000000000000"), + hex!("0000000000000000000000000000000000000004000000000000000000000000"), + hex!("0000000000000000000000000000000000000008000000000000000000000000"), + hex!("0000000000000000000000000000000000000010000000000000000000000000"), + hex!("0000000000000000000000000000000000000020000000000000000000000000"), + hex!("0000000000000000000000000000000000000040000000000000000000000000"), + hex!("0000000000000000000000000000000000000080000000000000000000000000"), + hex!("0000000000000000000000000000000000000100000000000000000000000000"), + hex!("0000000000000000000000000000000000000200000000000000000000000000"), + hex!("0000000000000000000000000000000000000400000000000000000000000000"), + hex!("0000000000000000000000000000000000000800000000000000000000000000"), + hex!("0000000000000000000000000000000000001000000000000000000000000000"), + hex!("0000000000000000000000000000000000002000000000000000000000000000"), + hex!("0000000000000000000000000000000000004000000000000000000000000000"), + hex!("0000000000000000000000000000000000008000000000000000000000000000"), + hex!("0000000000000000000000000000000000010000000000000000000000000000"), + hex!("0000000000000000000000000000000000020000000000000000000000000000"), + hex!("0000000000000000000000000000000000040000000000000000000000000000"), + hex!("0000000000000000000000000000000000080000000000000000000000000000"), + hex!("0000000000000000000000000000000000100000000000000000000000000000"), + hex!("0000000000000000000000000000000000200000000000000000000000000000"), + hex!("0000000000000000000000000000000000400000000000000000000000000000"), + hex!("0000000000000000000000000000000000800000000000000000000000000000"), + hex!("0000000000000000000000000000000001000000000000000000000000000000"), + hex!("0000000000000000000000000000000002000000000000000000000000000000"), + hex!("0000000000000000000000000000000004000000000000000000000000000000"), + hex!("0000000000000000000000000000000008000000000000000000000000000000"), + hex!("0000000000000000000000000000000010000000000000000000000000000000"), + hex!("0000000000000000000000000000000020000000000000000000000000000000"), + hex!("0000000000000000000000000000000040000000000000000000000000000000"), + hex!("0000000000000000000000000000000080000000000000000000000000000000"), + hex!("0000000000000000000000000000000100000000000000000000000000000000"), + hex!("0000000000000000000000000000000200000000000000000000000000000000"), + hex!("0000000000000000000000000000000400000000000000000000000000000000"), + hex!("0000000000000000000000000000000800000000000000000000000000000000"), + hex!("0000000000000000000000000000001000000000000000000000000000000000"), + hex!("0000000000000000000000000000002000000000000000000000000000000000"), + hex!("0000000000000000000000000000004000000000000000000000000000000000"), + hex!("0000000000000000000000000000008000000000000000000000000000000000"), + hex!("0000000000000000000000000000010000000000000000000000000000000000"), + hex!("0000000000000000000000000000020000000000000000000000000000000000"), + hex!("0000000000000000000000000000040000000000000000000000000000000000"), + hex!("0000000000000000000000000000080000000000000000000000000000000000"), + hex!("0000000000000000000000000000100000000000000000000000000000000000"), + hex!("0000000000000000000000000000200000000000000000000000000000000000"), + hex!("0000000000000000000000000000400000000000000000000000000000000000"), + hex!("0000000000000000000000000000800000000000000000000000000000000000"), + hex!("0000000000000000000000000001000000000000000000000000000000000000"), + hex!("0000000000000000000000000002000000000000000000000000000000000000"), + hex!("0000000000000000000000000004000000000000000000000000000000000000"), + hex!("0000000000000000000000000008000000000000000000000000000000000000"), + hex!("0000000000000000000000000010000000000000000000000000000000000000"), + hex!("0000000000000000000000000020000000000000000000000000000000000000"), + hex!("0000000000000000000000000040000000000000000000000000000000000000"), + hex!("0000000000000000000000000080000000000000000000000000000000000000"), + hex!("0000000000000000000000000100000000000000000000000000000000000000"), + hex!("0000000000000000000000000200000000000000000000000000000000000000"), + hex!("0000000000000000000000000400000000000000000000000000000000000000"), + hex!("0000000000000000000000000800000000000000000000000000000000000000"), + hex!("0000000000000000000000001000000000000000000000000000000000000000"), + hex!("0000000000000000000000002000000000000000000000000000000000000000"), + hex!("0000000000000000000000004000000000000000000000000000000000000000"), + hex!("0000000000000000000000008000000000000000000000000000000000000000"), + hex!("0000000000000000000000010000000000000000000000000000000000000000"), + hex!("0000000000000000000000020000000000000000000000000000000000000000"), + hex!("0000000000000000000000040000000000000000000000000000000000000000"), + hex!("0000000000000000000000080000000000000000000000000000000000000000"), + hex!("0000000000000000000000100000000000000000000000000000000000000000"), + hex!("0000000000000000000000200000000000000000000000000000000000000000"), + hex!("0000000000000000000000400000000000000000000000000000000000000000"), + hex!("0000000000000000000000800000000000000000000000000000000000000000"), + hex!("0000000000000000000001000000000000000000000000000000000000000000"), + hex!("0000000000000000000002000000000000000000000000000000000000000000"), + hex!("0000000000000000000004000000000000000000000000000000000000000000"), + hex!("0000000000000000000008000000000000000000000000000000000000000000"), + hex!("0000000000000000000010000000000000000000000000000000000000000000"), + hex!("0000000000000000000020000000000000000000000000000000000000000000"), + hex!("0000000000000000000040000000000000000000000000000000000000000000"), + hex!("0000000000000000000080000000000000000000000000000000000000000000"), + hex!("0000000000000000000100000000000000000000000000000000000000000000"), + hex!("0000000000000000000200000000000000000000000000000000000000000000"), + hex!("0000000000000000000400000000000000000000000000000000000000000000"), + hex!("0000000000000000000800000000000000000000000000000000000000000000"), + hex!("0000000000000000001000000000000000000000000000000000000000000000"), + hex!("0000000000000000002000000000000000000000000000000000000000000000"), + hex!("0000000000000000004000000000000000000000000000000000000000000000"), + hex!("0000000000000000008000000000000000000000000000000000000000000000"), + hex!("0000000000000000010000000000000000000000000000000000000000000000"), + hex!("0000000000000000020000000000000000000000000000000000000000000000"), + hex!("0000000000000000040000000000000000000000000000000000000000000000"), + hex!("0000000000000000080000000000000000000000000000000000000000000000"), + hex!("0000000000000000100000000000000000000000000000000000000000000000"), + hex!("0000000000000000200000000000000000000000000000000000000000000000"), + hex!("0000000000000000400000000000000000000000000000000000000000000000"), + hex!("0000000000000000800000000000000000000000000000000000000000000000"), + hex!("0000000000000001000000000000000000000000000000000000000000000000"), + hex!("0000000000000002000000000000000000000000000000000000000000000000"), + hex!("0000000000000004000000000000000000000000000000000000000000000000"), + hex!("0000000000000008000000000000000000000000000000000000000000000000"), + hex!("0000000000000010000000000000000000000000000000000000000000000000"), + hex!("0000000000000020000000000000000000000000000000000000000000000000"), + hex!("0000000000000040000000000000000000000000000000000000000000000000"), + hex!("0000000000000080000000000000000000000000000000000000000000000000"), + hex!("0000000000000100000000000000000000000000000000000000000000000000"), + hex!("0000000000000200000000000000000000000000000000000000000000000000"), + hex!("0000000000000400000000000000000000000000000000000000000000000000"), + hex!("0000000000000800000000000000000000000000000000000000000000000000"), + hex!("0000000000001000000000000000000000000000000000000000000000000000"), + hex!("0000000000002000000000000000000000000000000000000000000000000000"), + hex!("0000000000004000000000000000000000000000000000000000000000000000"), + hex!("0000000000008000000000000000000000000000000000000000000000000000"), + hex!("0000000000010000000000000000000000000000000000000000000000000000"), + hex!("0000000000020000000000000000000000000000000000000000000000000000"), + hex!("0000000000040000000000000000000000000000000000000000000000000000"), + hex!("0000000000080000000000000000000000000000000000000000000000000000"), + hex!("0000000000100000000000000000000000000000000000000000000000000000"), + hex!("0000000000200000000000000000000000000000000000000000000000000000"), + hex!("0000000000400000000000000000000000000000000000000000000000000000"), + hex!("0000000000800000000000000000000000000000000000000000000000000000"), + hex!("0000000001000000000000000000000000000000000000000000000000000000"), + hex!("0000000002000000000000000000000000000000000000000000000000000000"), + hex!("0000000004000000000000000000000000000000000000000000000000000000"), + hex!("0000000008000000000000000000000000000000000000000000000000000000"), + hex!("0000000010000000000000000000000000000000000000000000000000000000"), + hex!("0000000020000000000000000000000000000000000000000000000000000000"), + hex!("0000000040000000000000000000000000000000000000000000000000000000"), + hex!("0000000080000000000000000000000000000000000000000000000000000000"), + hex!("0000000100000000000000000000000000000000000000000000000000000000"), + hex!("0000000200000000000000000000000000000000000000000000000000000000"), + hex!("0000000400000000000000000000000000000000000000000000000000000000"), + hex!("0000000800000000000000000000000000000000000000000000000000000000"), + hex!("0000001000000000000000000000000000000000000000000000000000000000"), + hex!("0000002000000000000000000000000000000000000000000000000000000000"), + hex!("0000004000000000000000000000000000000000000000000000000000000000"), + hex!("0000008000000000000000000000000000000000000000000000000000000000"), + hex!("0000010000000000000000000000000000000000000000000000000000000000"), + hex!("0000020000000000000000000000000000000000000000000000000000000000"), + hex!("0000040000000000000000000000000000000000000000000000000000000000"), + hex!("0000080000000000000000000000000000000000000000000000000000000000"), + hex!("0000100000000000000000000000000000000000000000000000000000000000"), + hex!("0000200000000000000000000000000000000000000000000000000000000000"), + hex!("0000400000000000000000000000000000000000000000000000000000000000"), + hex!("0000800000000000000000000000000000000000000000000000000000000000"), + hex!("0001000000000000000000000000000000000000000000000000000000000000"), + hex!("0002000000000000000000000000000000000000000000000000000000000000"), + hex!("0004000000000000000000000000000000000000000000000000000000000000"), + hex!("0008000000000000000000000000000000000000000000000000000000000000"), + hex!("0010000000000000000000000000000000000000000000000000000000000000"), + hex!("0020000000000000000000000000000000000000000000000000000000000000"), + hex!("0040000000000000000000000000000000000000000000000000000000000000"), + hex!("0080000000000000000000000000000000000000000000000000000000000000"), + hex!("0100000000000000000000000000000000000000000000000000000000000000"), + hex!("0200000000000000000000000000000000000000000000000000000000000000"), +]; diff --git a/bign256/src/test_vectors/group.rs b/bign256/src/test_vectors/group.rs new file mode 100644 index 00000000..606d089a --- /dev/null +++ b/bign256/src/test_vectors/group.rs @@ -0,0 +1,257 @@ +//! Test vectors for the bign256 group. + +use hex_literal::hex; + +/// Repeated addition of the generator. +/// +/// These are the first 20 test vectors, generated by sagemath snippet. +pub const ADD_TEST_VECTORS: &[([u8; 32], [u8; 32])] = &[ + // k = 1,..,20, p += G + ( + hex!("2D8419E3D905D21E3611261DADC95BB35583090C2CADD0C807F53BB3828F0995"), + hex!("E62690D81BDC754EFAF5B2770054564849621E8A933A7ECD6C02387649CF258A"), + ), + ( + hex!("37C58ED5CDF4EFFB78272CF0662E92F5E012060C2B1C234BCC9D10854989824E"), + hex!("FD9BC9B3DACB85B94160E112D35F312702C169757A1E7AE3F0EF177B32283E84"), + ), + ( + hex!("A9D6F12F1D785C67F9B4D24B79910E5E73CCB26A1D2F8399CDD386FEF301E913"), + hex!("EEDD42E79372C116A1312E079707ED43AECCD0E92EED529B6DDC7532B8436DE5"), + ), + ( + hex!("5EA08F541F6EF3C7B1F27749009FFFBBCC73111F11120D3E1B6E9C7A3612F746"), + hex!("D1AAABE31BD369F378F8A0BC9D70EEBEC7825976283D482130239EECC4F3A751"), + ), + ( + hex!("A0FB2B18D0D8EC130266C201FD8E183AEE98BF9572BE4DC0C8EBDF11AD0042CC"), + hex!("271CCC56A71BAC6BCE3967AD0F4D55AA04064BC8A9A10B78F3B37B543800891B"), + ), + ( + hex!("0BBBCD4AA459206972B08AF9C2347B54B9B644F2255F6C4B65F739A8255F9844"), + hex!("BB717EE3A1ADC18B42F39F89AB9AEC0230CF648505069A267686DBF5339135EC"), + ), + ( + hex!("D2DDA2788DDE65AA2C69A2C0385B83FD1E71C5F4597473A4EB882152DF36A2F2"), + hex!("22E0DD3784B2F9CCB8A0B6BE1BC346C5B43B483BE921514A9C144CA1A16AB769"), + ), + ( + hex!("79F11C784808A342FE222B63C88569133F277364F8FF99C9F8471B9FF356C80E"), + hex!("505D4B3F56A5DA430C1CB5F96D48BCD21949B9E50148D7D1D64833AE8E8D516B"), + ), + ( + hex!("BE4F901ABEB39DC3296E2F7E0280161C73233FCDEFDDF4AA8F4FF06609BE626E"), + hex!("1F07AC58BBBFA32FAF018B57C1ABF695EB1D94D68238B8AAE5C64C6309010C6C"), + ), + ( + hex!("114A842FCC2FA6134609628A1134BAE6E66E7A55B68DDEBC228A0EA683053728"), + hex!("92A593D312418AB18A477BE0FFBC3E57D90B7B9F926BA341FDC820B760D77C1B"), + ), + ( + hex!("7D977BA61750C5FF7268EF42BB61F82CAB5C29C2A66F3125431E849B7F3CCC92"), + hex!("DE12ABD5AE3D05C3029FF5D67FBE8B4DC1F265D0F2621B1856DD87DA21863E53"), + ), + ( + hex!("30C22C4C43480DBAB81DDDAF0A7314902B4C78E1B8049B2D460CDB49A89D4719"), + hex!("6C2823BE77CC67A9DA30128AB9D3C6EC4442CC74FFB6AC1133AAC6D571A36BBC"), + ), + ( + hex!("0856EC054262EFFE7447882B6091B84EDD50275D3A28DF889E58B3DEA362D93E"), + hex!("1E1FE5B1743973ECCC10AF281E2BF4E67286AA3392834035DDC2D8B067C958E5"), + ), + ( + hex!("848DB896BBC34C7646A20FF90B236A09751E87859DBE869A2162E86EB173B694"), + hex!("7B878E51A85222552159249A5775A49C4795601F778E0951184872459DF41E52"), + ), + ( + hex!("34CABA51C517420709A74B25375D1AE0118658ED207BE486420923513D48A3C9"), + hex!("2E1B6EA8F878EF9EE211E2BCA4154EF5921106BC627DC51C86325F3584B6DB15"), + ), + ( + hex!("4E73E64716ADB633867A67557BBEC25DB2DA57B04470BE05342C527A12B60812"), + hex!("3FED9A288B2CFD04B442EE7619963A2B76CBB778D1F9BC412DB0097A9CE19182"), + ), + ( + hex!("F0C2838004F0269626E33D73A102AB60BBED4DEA53BB8C0EDC30D97498DFF2F8"), + hex!("4503E16CF013FAE5E9F4BDF4862F74528A8DE7CF829E6D9B39D48AB93548E60C"), + ), + ( + hex!("F5E8FE87AB33E6B544A960101F8BED5F24A718FD98997E36E7F4FDD375EEE70B"), + hex!("FDCFDCE29FB9CDC89134A46E85A30DF8A599A94E8B54BEA3B75AB5C1714B91BD"), + ), + ( + hex!("1230402EBB4A981C19506708F779C265D1695DF2132F17099D0E54BA1C46D945"), + hex!("FBB7A79A4E5F631E1FD59501F221FA2FAE93F8E2CD7D4D87E1003324C327EEB7"), + ), + ( + hex!("006A714979F622DBC2685A296CACA8067694D3ADC75F9F9A97F3BBA424DD2670"), + hex!("F4FD78EDF21FB1C4A23DD0B0FFD281FC35184F13D2B5D779DB7253E88097F121"), + ), +]; + +/// Scalar multiplication with the generator. +/// +/// These are the test vectors from sagemath snippet,that are not part of [`ADD_TEST_VECTORS`]. +/// k values is from NIST-P256 test vectors +pub const MUL_TEST_VECTORS: &[([u8; 32], [u8; 32], [u8; 32])] = &[ + ( + hex!("BCE6EE467AA910ADD6FB47DF33EC4825582596B8C694DB7B403129C9427CF647"), + hex!("1D89D067B0EB566FBA7CA700A48AA90026F9584AFAA33139B890BCB21729140E"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("321D9319C3BE889BA0FD29C2E2688ABF39308A712A1D81446ED1ABC789E52CA9"), + hex!("E3B297D31A709BCD61B9861069EAEB8162237F970C11245C7E1761E2FC802B7A"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("132175D5AE957336F608DC53257205D81B088C5BDF048AF2C83B47784D70617C"), + hex!("1ADF305FCF83BA7C5B035615290644A70D381F50666D9B907673385CBCBD4791"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("BC01F7A6067E4529252C7E6F8F7D6EFA7889B8455ED042F0DE0870B419653658"), + hex!("65037BB63611DFE97DC043ED085181A4AA3A0D1D54C77C36135182ACF444265D"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("8E13BE6EAB0F05B8F0C07509DC8C17922B354ED5CF5E88D732E4EE031735319B"), + hex!("F0F23BA15E570754D21773E9D7B3D471B239415A29BB23D2C33DB3082D32966D"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("5859FC33184C7A38EE37FA61F13A47C96FF3E2D1A21347DF32297E3A7FA19FCD"), + hex!("F37B8AFF67104403A992853E307C988CE8F148E5A5D9F0091B094EC3E11CF0C0"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("1CF0FC9B67C3496E6104C6FE4CFEB03C582D6121E17B27FF5F163697021B1CA3"), + hex!("7ED1D7E43E06686AD6A050982927E54894022A55A872165CEDD82F1936800AC9"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("5251712A9696E4D3F4CC1C4B26877C200335311B03C9D53C8FC2ACE8ECECA49C"), + hex!("B04C72917AF4AAFA772314D49A2B899CD5D1D4F71FD0F18882050E61CEC361F9"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("7EF4573793DE5E95C749C810952408750B669FBFC4F177C27D74E66B95617258"), + hex!("6F7372A2DA5690F539834B9A8DD1910120E148C74F9376391F2DD41F8529DB57"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("85E00E5546713D9F2F5C8E605CA49AA16FA77CE3A3323B463599C31289697E37"), + hex!("CC258D7CA2CB8ACD629701844FE26AFE2029E127A59024E9885174E8BC35BB3F"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("796F1AA06F3366EF6C74822CD69D274D73FD7947D99E5A388D87525613C0164F"), + hex!("69FB53A5AE70C701BFCE800A78676265E87F3EDF6A1059A438B2A16A291DFEB9"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("660CEBCB17AAC38F454210254037CDE84ED2671B7C6B3531995DFAA478F01F20"), + hex!("3E752FDD0749DE0128C2A9237875413FB0C7866E9CD0F86B248272676728B6DF"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("108E86DBB15D670F952C36DDBADC381B7EE06052DED0C1FC369BC721F537BC21"), + hex!("35CA247AF507BE8B5FA662AFB35EB9F3DA55CB4E67FF048FA2757EBCF8ABF046"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("62B8EBD7808F1A50B851D9080984B4A23181AF1CC60F2DE11F80CABBE27E213E"), + hex!("52A44CCB834C87D5CAA20C1B42260F9EDC1C30731C2F2F14AE2D52A7AF243794"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("DD219D558AF61D9099822705054BA6F23F1378A5F482B1EC5AAD69138065B1D6"), + hex!("2C51E0EDE3618C1057E0360BECF3A550FE95E6096B9CD9326C0FEF0B68506859"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("6C9E47CE0CCA48F4EDB53D0A02459C8D00BC670C82A4D091ADA36A158DB74DCB"), + hex!("7896936848785A4CCBBE5B39A3111EB3D36895B4ECDD911F3CBC4F08B0CE0FFC"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("A320F2ED3C408FEB68BB456A75E14B943DA7B02B0C8A76A5737DE66F008148C4"), + hex!("C6AC14D4F31C17D720AD8A4711BD0DB84D9AE8FC6070289EA1883775D410C690"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("84221BA012EFC0694EC2DDB3B6B003FB92CD329F193D2A0A316050391DF99667"), + hex!("E91DA84671D47149BD8343291CB00F4639E90828A005176F58541F2A0DCDF185"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("F4BD16F5E8BE79055EE7B62FF8FE9381A20D2182CCE62CA77C740C7B627C0384"), + hex!("38B1E87028B46FF7742999AABB634D713DA2810C159A004E8A2C13CAF2428D96"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("99773AFF98782D076D6D759943BC1F3E9DD57A464E622A7E23ADC96413A55841"), + hex!("9BA741511B2EB4465A9CB0B21133A47A1FD9163B7946289C31221EC60E1FF8B5"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("1666D4DA3F23A9CF7EB2CE3DEF0ACB5C781F7EF080F169DF887EB39ED0CCBD48"), + hex!("C4779DF3C1F5DAAE8C0DB77BE0CF9D49F249647360A867C36A20047CF5D18CDC"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("F7D96B2CE1766AC5DF7C0CF5CDE463101334182908635F43F24B61975DE671BF"), + hex!("04B069AD735EE63E50AE27E5D7EDD6257134C6E8D8CA3AE3040001A9855682A2"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("2F78EF54DD714BA141A893B9DEF9C14AA47900440C8C42ED90AE05D2E8665E21"), + hex!("1DDE14D0959610C2966258889FD025666B746765FCA36F6025309026145EFD3A"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("3B1514BF33F6EC2C5FEEA324D04F06ECBC516B358400D67B67181029F4AF8AC9"), + hex!("0F7917B7EEAF7E7836D5FD8BDB488858CFE2E78BD9FA66757EF4D89BFAA27F69"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("67CC0FDF4E1735A5FCB98168158945DDE241FBA39BE2B35A5CD904CA5EB88A52"), + hex!("2C9B912969C98E7B7ED01CCDB9F32951A529BA77F40DC79B2241DA3D6FAD6C00"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("97C9D36D07BDAA3846CDAE30E68EA4D5A84896A7A94056B4424B08B58E41BB84"), + hex!("B528D08C013362D444A9A345570E59B2E5265720B8B4F128ED6700994618990B"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("AED8D377B262039F5FA3625CBE7DDAD5129B350B9A54CE58B4E51C36DB2355B5"), + hex!("8A8B1F284CE3D769477334C6569FCFB6BAE71E8E5E1509873366A7695961B06C"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("5C01A3FEB3B295E76F091B20E652ED48A59F9AEC46CBA86160A96B59BFF6276D"), + hex!("502DBD20E1F58654546891CB66480C52155A0A45F7BD2FDE2563F2E0D5F5CD2B"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("FA2879ADDCD74E29E049EAAD5279A01987D08EF515693E721572EEF5D0445278"), + hex!("332FEE155643CEFD408350C49CC776E1589770F217B2F47389FFBAE3AA8F9DE4"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("D0B331A63DD4815CEF494557A5CA040296E19737E0D84A8AB95C0B7404799584"), + hex!("4E982EF880233592068F58E117BE4A13EC544FB10248E10821EE4037A5466C86"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("51A0F158FF49D20AE469441FC627516DCB1D1161119A7B9F9531D52C8F26A36A"), + hex!("5047FC9B8057392D20057845073F58AF80DE2C1DB80D8C814AFE6C21A4033581"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), + ( + hex!("F02838F64C02057A1191C490C51501A5C261A3201A0330E1A31B67FE121C9434"), + hex!("172B364C2952F8ED8771B3B152DF85A8039E9F6D7B2669E90078D2D47393902B"), + hex!("0000000000000000000000000000000000000000000000000000000000000001"), + ), +]; diff --git a/bign256/tests/projective.rs b/bign256/tests/projective.rs new file mode 100644 index 00000000..6845f423 --- /dev/null +++ b/bign256/tests/projective.rs @@ -0,0 +1,27 @@ +//! Projective arithmetic tests. + +#![cfg(all(feature = "arithmetic", feature = "test-vectors"))] + +use elliptic_curve::{ + group::{ff::PrimeField, GroupEncoding}, + sec1::{self, ToEncodedPoint}, +}; +use p256::{ + test_vectors::group::{ADD_TEST_VECTORS, MUL_TEST_VECTORS}, + AffinePoint, ProjectivePoint, Scalar, +}; +use primeorder::{impl_projective_arithmetic_tests, Double}; + +impl_projective_arithmetic_tests!( + AffinePoint, + ProjectivePoint, + Scalar, + ADD_TEST_VECTORS, + MUL_TEST_VECTORS +); + +#[test] +fn projective_identity_to_bytes() { + // This is technically an invalid SEC1 encoding, but is preferable to panicking. + assert_eq!([0; 33], ProjectivePoint::IDENTITY.to_bytes().as_slice()); +} diff --git a/bign256/tests/scalar.rs b/bign256/tests/scalar.rs new file mode 100644 index 00000000..b86eb1af --- /dev/null +++ b/bign256/tests/scalar.rs @@ -0,0 +1,22 @@ +//! Scalar arithmetic tests. + +#![cfg(feature = "arithmetic")] + +use bign256::{Scalar, U256}; +use elliptic_curve::ops::{Invert, Reduce}; +use proptest::prelude::*; + +prop_compose! { + fn scalar()(bytes in any::<[u8; 32]>()) -> Scalar { + >::reduce_bytes(&bytes.into()) + } +} + +proptest! { + #[test] + fn invert_and_invert_vartime_are_equivalent(w in scalar()) { + let inv: Option = w.invert().into(); + let inv_vartime: Option = w.invert_vartime().into(); + prop_assert_eq!(inv, inv_vartime); + } +}