480   widefelem tmp;  in felem_square_reduce()  local
481   felem_square(tmp, in);  in felem_square_reduce()
482   felem_reduce(out, tmp);  in felem_square_reduce()
486   widefelem tmp;  in felem_mul_reduce()  local
487   felem_mul(tmp, in1, in2);  in felem_mul_reduce()
488   felem_reduce(out, tmp);  in felem_mul_reduce()
497   int64_t tmp[4], a;  in felem_contract()  local
498   tmp[0] = in[0];  in felem_contract()
499   tmp[1] = in[1];  in felem_contract()
500   tmp[2] = in[2];  in felem_contract()
501   tmp[3] = in[3];  in felem_contract()
504   tmp[0] -= a;  in felem_contract()
505   tmp[1] += a << 40;  in felem_contract()
506   tmp[3] &= 0x00ffffffffffffff;  in felem_contract()
515   tmp[3] &= a ^ 0xffffffffffffffff;  in felem_contract()
516   tmp[2] &= a ^ 0xffffffffffffffff;  in felem_contract()
517   tmp[1] &= (a ^ 0xffffffffffffffff) | 0x000000ffffffffff;  in felem_contract()
518   tmp[0] -= 1 & a;  in felem_contract()
522   a = tmp[0] >> 63;  in felem_contract()
523   tmp[0] += two56 & a;  in felem_contract()
524   tmp[1] -= 1 & a;  in felem_contract()
527   tmp[2] += tmp[1] >> 56;  in felem_contract()
528   tmp[1] &= 0x00ffffffffffffff;  in felem_contract()
530   tmp[3] += tmp[2] >> 56;  in felem_contract()
531   tmp[2] &= 0x00ffffffffffffff;  in felem_contract()
534   out[0] = tmp[0];  in felem_contract()
535   out[1] = tmp[1];  in felem_contract()
536   out[2] = tmp[2];  in felem_contract()
537   out[3] = tmp[3];  in felem_contract()
566   widefelem tmp;  in felem_inv()  local
569   felem_square(tmp, in);  in felem_inv()
570   felem_reduce(ftmp, tmp); /* 2 */  in felem_inv()
571   felem_mul(tmp, in, ftmp);  in felem_inv()
572   felem_reduce(ftmp, tmp); /* 2^2 - 1 */  in felem_inv()
573   felem_square(tmp, ftmp);  in felem_inv()
574   felem_reduce(ftmp, tmp); /* 2^3 - 2 */  in felem_inv()
575   felem_mul(tmp, in, ftmp);  in felem_inv()
576   felem_reduce(ftmp, tmp); /* 2^3 - 1 */  in felem_inv()
577   felem_square(tmp, ftmp);  in felem_inv()
578   felem_reduce(ftmp2, tmp); /* 2^4 - 2 */  in felem_inv()
579   felem_square(tmp, ftmp2);  in felem_inv()
580   felem_reduce(ftmp2, tmp); /* 2^5 - 4 */  in felem_inv()
581   felem_square(tmp, ftmp2);  in felem_inv()
582   felem_reduce(ftmp2, tmp); /* 2^6 - 8 */  in felem_inv()
583   felem_mul(tmp, ftmp2, ftmp);  in felem_inv()
584   felem_reduce(ftmp, tmp); /* 2^6 - 1 */  in felem_inv()
585   felem_square(tmp, ftmp);  in felem_inv()
586   felem_reduce(ftmp2, tmp); /* 2^7 - 2 */  in felem_inv()
588     felem_square(tmp, ftmp2);  in felem_inv()
589     felem_reduce(ftmp2, tmp);  in felem_inv()
591   felem_mul(tmp, ftmp2, ftmp);  in felem_inv()
592   felem_reduce(ftmp2, tmp); /* 2^12 - 1 */  in felem_inv()
593   felem_square(tmp, ftmp2);  in felem_inv()
594   felem_reduce(ftmp3, tmp); /* 2^13 - 2 */  in felem_inv()
596     felem_square(tmp, ftmp3);  in felem_inv()
597     felem_reduce(ftmp3, tmp);  in felem_inv()
599   felem_mul(tmp, ftmp3, ftmp2);  in felem_inv()
600   felem_reduce(ftmp2, tmp); /* 2^24 - 1 */  in felem_inv()
601   felem_square(tmp, ftmp2);  in felem_inv()
602   felem_reduce(ftmp3, tmp); /* 2^25 - 2 */  in felem_inv()
604     felem_square(tmp, ftmp3);  in felem_inv()
605     felem_reduce(ftmp3, tmp);  in felem_inv()
607   felem_mul(tmp, ftmp3, ftmp2);  in felem_inv()
608   felem_reduce(ftmp3, tmp); /* 2^48 - 1 */  in felem_inv()
609   felem_square(tmp, ftmp3);  in felem_inv()
610   felem_reduce(ftmp4, tmp); /* 2^49 - 2 */  in felem_inv()
612     felem_square(tmp, ftmp4);  in felem_inv()
613     felem_reduce(ftmp4, tmp);  in felem_inv()
615   felem_mul(tmp, ftmp3, ftmp4);  in felem_inv()
616   felem_reduce(ftmp3, tmp); /* 2^96 - 1 */  in felem_inv()
617   felem_square(tmp, ftmp3);  in felem_inv()
618   felem_reduce(ftmp4, tmp); /* 2^97 - 2 */  in felem_inv()
620     felem_square(tmp, ftmp4);  in felem_inv()
621     felem_reduce(ftmp4, tmp);  in felem_inv()
623   felem_mul(tmp, ftmp2, ftmp4);  in felem_inv()
624   felem_reduce(ftmp2, tmp); /* 2^120 - 1 */  in felem_inv()
626     felem_square(tmp, ftmp2);  in felem_inv()
627     felem_reduce(ftmp2, tmp);  in felem_inv()
629   felem_mul(tmp, ftmp2, ftmp);  in felem_inv()
630   felem_reduce(ftmp, tmp); /* 2^126 - 1 */  in felem_inv()
631   felem_square(tmp, ftmp);  in felem_inv()
632   felem_reduce(ftmp, tmp); /* 2^127 - 2 */  in felem_inv()
633   felem_mul(tmp, ftmp, in);  in felem_inv()
634   felem_reduce(ftmp, tmp); /* 2^127 - 1 */  in felem_inv()
636     felem_square(tmp, ftmp);  in felem_inv()
637     felem_reduce(ftmp, tmp);  in felem_inv()
639   felem_mul(tmp, ftmp, ftmp3);  in felem_inv()
640   felem_reduce(out, tmp); /* 2^224 - 2^96 - 1 */  in felem_inv()
651     const limb tmp = copy & (in[i] ^ out[i]);  in copy_conditional()  local
652     out[i] ^= tmp;  in copy_conditional()
671   widefelem tmp, tmp2;  in point_double()  local
678   felem_square(tmp, z_in);  in point_double()
679   felem_reduce(delta, tmp);  in point_double()
682   felem_square(tmp, y_in);  in point_double()
683   felem_reduce(gamma, tmp);  in point_double()
686   felem_mul(tmp, x_in, gamma);  in point_double()
687   felem_reduce(beta, tmp);  in point_double()
696   felem_mul(tmp, ftmp, ftmp2);  in point_double()
698   felem_reduce(alpha, tmp);  in point_double()
701   felem_square(tmp, alpha);  in point_double()
706   felem_diff_128_64(tmp, ftmp);  in point_double()
708   felem_reduce(x_out, tmp);  in point_double()
716   felem_square(tmp, ftmp);  in point_double()
718   felem_diff_128_64(tmp, delta);  in point_double()
720   felem_reduce(z_out, tmp);  in point_double()
727   felem_mul(tmp, alpha, beta);  in point_double()
733   widefelem_diff(tmp, tmp2);  in point_double()
735   felem_reduce(y_out, tmp);  in point_double()
757   widefelem tmp, tmp2;  in point_add()  local
762     felem_square(tmp, z2);  in point_add()
763     felem_reduce(ftmp2, tmp);  in point_add()
766     felem_mul(tmp, ftmp2, z2);  in point_add()
767     felem_reduce(ftmp4, tmp);  in point_add()
787   felem_square(tmp, z1);  in point_add()
788   felem_reduce(ftmp, tmp);  in point_add()
791   felem_mul(tmp, ftmp, z1);  in point_add()
792   felem_reduce(ftmp3, tmp);  in point_add()
795   felem_mul(tmp, ftmp3, y2);  in point_add()
799   felem_diff_128_64(tmp, ftmp4);  in point_add()
801   felem_reduce(ftmp3, tmp);  in point_add()
804   felem_mul(tmp, ftmp, x2);  in point_add()
808   felem_diff_128_64(tmp, ftmp2);  in point_add()
810   felem_reduce(ftmp, tmp);  in point_add()
826     felem_mul(tmp, z1, z2);  in point_add()
827     felem_reduce(ftmp5, tmp);  in point_add()
834   felem_mul(tmp, ftmp, ftmp5);  in point_add()
835   felem_reduce(z_out, tmp);  in point_add()
839   felem_square(tmp, ftmp);  in point_add()
840   felem_reduce(ftmp, tmp);  in point_add()
843   felem_mul(tmp, ftmp, ftmp5);  in point_add()
844   felem_reduce(ftmp5, tmp);  in point_add()
847   felem_mul(tmp, ftmp2, ftmp);  in point_add()
848   felem_reduce(ftmp2, tmp);  in point_add()
851   felem_mul(tmp, ftmp4, ftmp5);  in point_add()
883   widefelem_diff(tmp2, tmp);  in point_add()
944   felem nq[3], tmp[4];  in batch_mul()  local
969       select_point(bits, 16, g_pre_comp[1], tmp);  in batch_mul()
973                   tmp[0], tmp[1], tmp[2]);  in batch_mul()
975         memcpy(nq, tmp, 3 * sizeof(felem));  in batch_mul()
985       select_point(bits, 16, g_pre_comp[0], tmp);  in batch_mul()
986       point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */, tmp[0],  in batch_mul()
987                 tmp[1], tmp[2]);  in batch_mul()
1003         select_point(digit, 17, pre_comp[num], tmp);  in batch_mul()
1004         felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative point */  in batch_mul()
1005         copy_conditional(tmp[1], tmp[3], sign);  in batch_mul()
1008           point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], mixed, tmp[0],  in batch_mul()
1009                     tmp[1], tmp[2]);  in batch_mul()
1011           memcpy(nq, tmp, 3 * sizeof(felem));  in batch_mul()
1073   widefelem tmp;  in ec_GFp_nistp224_point_get_affine_coordinates()  local
1087   felem_square(tmp, z2);  in ec_GFp_nistp224_point_get_affine_coordinates()
1088   felem_reduce(z1, tmp);  in ec_GFp_nistp224_point_get_affine_coordinates()
1089   felem_mul(tmp, x_in, z1);  in ec_GFp_nistp224_point_get_affine_coordinates()
1090   felem_reduce(x_in, tmp);  in ec_GFp_nistp224_point_get_affine_coordinates()
1097   felem_mul(tmp, z1, z2);  in ec_GFp_nistp224_point_get_affine_coordinates()
1098   felem_reduce(z1, tmp);  in ec_GFp_nistp224_point_get_affine_coordinates()
1099   felem_mul(tmp, y_in, z1);  in ec_GFp_nistp224_point_get_affine_coordinates()
1100   felem_reduce(y_in, tmp);  in ec_GFp_nistp224_point_get_affine_coordinates()
1144   felem_bytearray tmp;  in ec_GFp_nistp224_points_mul()  local
1209           num_bytes = BN_bn2bin(tmp_scalar, tmp);  in ec_GFp_nistp224_points_mul()
1211           num_bytes = BN_bn2bin(p_scalar, tmp);  in ec_GFp_nistp224_points_mul()
1214         flip_endian(secrets[i], tmp, num_bytes);  in ec_GFp_nistp224_points_mul()
1255       num_bytes = BN_bn2bin(tmp_scalar, tmp);  in ec_GFp_nistp224_points_mul()
1257       num_bytes = BN_bn2bin(g_scalar, tmp);  in ec_GFp_nistp224_points_mul()
1260     flip_endian(g_secret, tmp, num_bytes);  in ec_GFp_nistp224_points_mul()