File Coverage

src/ed25519/sc.c

Criterion	Covered	Total	%
statement	704	704	100.0
branch			n/a
condition			n/a
subroutine			n/a
pod			n/a
total	704	704	100.0

line	stmt	code
1		#include "fixedint.h"
2		#include "sc.h"
3
4	51	static uint64_t load_3(const unsigned char *in) {
5		uint64_t result;
6
7	51	result = (uint64_t) in[0];
8	51	result \|= ((uint64_t) in[1]) << 8;
9	51	result \|= ((uint64_t) in[2]) << 16;
10
11	51	return result;
12		}
13
14	57	static uint64_t load_4(const unsigned char *in) {
15		uint64_t result;
16
17	57	result = (uint64_t) in[0];
18	57	result \|= ((uint64_t) in[1]) << 8;
19	57	result \|= ((uint64_t) in[2]) << 16;
20	57	result \|= ((uint64_t) in[3]) << 24;
21
22	57	return result;
23		}
24
25		/*
26		Input:
27		s[0]+256s[1]+...+256^63s[63] = s
28
29		Output:
30		s[0]+256s[1]+...+256^31s[31] = s mod l
31		where l = 2^252 + 27742317777372353535851937790883648493.
32		Overwrites s in place.
33		*/
34
35	3	void sc_reduce(unsigned char *s) {
36	3	int64_t s0 = 2097151 & load_3(s);
37	3	int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
38	3	int64_t s2 = 2097151 & (load_3(s + 5) >> 2);
39	3	int64_t s3 = 2097151 & (load_4(s + 7) >> 7);
40	3	int64_t s4 = 2097151 & (load_4(s + 10) >> 4);
41	3	int64_t s5 = 2097151 & (load_3(s + 13) >> 1);
42	3	int64_t s6 = 2097151 & (load_4(s + 15) >> 6);
43	3	int64_t s7 = 2097151 & (load_3(s + 18) >> 3);
44	3	int64_t s8 = 2097151 & load_3(s + 21);
45	3	int64_t s9 = 2097151 & (load_4(s + 23) >> 5);
46	3	int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
47	3	int64_t s11 = 2097151 & (load_4(s + 28) >> 7);
48	3	int64_t s12 = 2097151 & (load_4(s + 31) >> 4);
49	3	int64_t s13 = 2097151 & (load_3(s + 34) >> 1);
50	3	int64_t s14 = 2097151 & (load_4(s + 36) >> 6);
51	3	int64_t s15 = 2097151 & (load_3(s + 39) >> 3);
52	3	int64_t s16 = 2097151 & load_3(s + 42);
53	3	int64_t s17 = 2097151 & (load_4(s + 44) >> 5);
54	3	int64_t s18 = 2097151 & (load_3(s + 47) >> 2);
55	3	int64_t s19 = 2097151 & (load_4(s + 49) >> 7);
56	3	int64_t s20 = 2097151 & (load_4(s + 52) >> 4);
57	3	int64_t s21 = 2097151 & (load_3(s + 55) >> 1);
58	3	int64_t s22 = 2097151 & (load_4(s + 57) >> 6);
59	3	int64_t s23 = (load_4(s + 60) >> 3);
60		int64_t carry0;
61		int64_t carry1;
62		int64_t carry2;
63		int64_t carry3;
64		int64_t carry4;
65		int64_t carry5;
66		int64_t carry6;
67		int64_t carry7;
68		int64_t carry8;
69		int64_t carry9;
70		int64_t carry10;
71		int64_t carry11;
72		int64_t carry12;
73		int64_t carry13;
74		int64_t carry14;
75		int64_t carry15;
76		int64_t carry16;
77
78	3	s11 += s23 * 666643;
79	3	s12 += s23 * 470296;
80	3	s13 += s23 * 654183;
81	3	s14 -= s23 * 997805;
82	3	s15 += s23 * 136657;
83	3	s16 -= s23 * 683901;
84	3	s23 = 0;
85	3	s10 += s22 * 666643;
86	3	s11 += s22 * 470296;
87	3	s12 += s22 * 654183;
88	3	s13 -= s22 * 997805;
89	3	s14 += s22 * 136657;
90	3	s15 -= s22 * 683901;
91	3	s22 = 0;
92	3	s9 += s21 * 666643;
93	3	s10 += s21 * 470296;
94	3	s11 += s21 * 654183;
95	3	s12 -= s21 * 997805;
96	3	s13 += s21 * 136657;
97	3	s14 -= s21 * 683901;
98	3	s21 = 0;
99	3	s8 += s20 * 666643;
100	3	s9 += s20 * 470296;
101	3	s10 += s20 * 654183;
102	3	s11 -= s20 * 997805;
103	3	s12 += s20 * 136657;
104	3	s13 -= s20 * 683901;
105	3	s20 = 0;
106	3	s7 += s19 * 666643;
107	3	s8 += s19 * 470296;
108	3	s9 += s19 * 654183;
109	3	s10 -= s19 * 997805;
110	3	s11 += s19 * 136657;
111	3	s12 -= s19 * 683901;
112	3	s19 = 0;
113	3	s6 += s18 * 666643;
114	3	s7 += s18 * 470296;
115	3	s8 += s18 * 654183;
116	3	s9 -= s18 * 997805;
117	3	s10 += s18 * 136657;
118	3	s11 -= s18 * 683901;
119	3	s18 = 0;
120	3	carry6 = (s6 + (1 << 20)) >> 21;
121	3	s7 += carry6;
122	3	s6 -= carry6 << 21;
123	3	carry8 = (s8 + (1 << 20)) >> 21;
124	3	s9 += carry8;
125	3	s8 -= carry8 << 21;
126	3	carry10 = (s10 + (1 << 20)) >> 21;
127	3	s11 += carry10;
128	3	s10 -= carry10 << 21;
129	3	carry12 = (s12 + (1 << 20)) >> 21;
130	3	s13 += carry12;
131	3	s12 -= carry12 << 21;
132	3	carry14 = (s14 + (1 << 20)) >> 21;
133	3	s15 += carry14;
134	3	s14 -= carry14 << 21;
135	3	carry16 = (s16 + (1 << 20)) >> 21;
136	3	s17 += carry16;
137	3	s16 -= carry16 << 21;
138	3	carry7 = (s7 + (1 << 20)) >> 21;
139	3	s8 += carry7;
140	3	s7 -= carry7 << 21;
141	3	carry9 = (s9 + (1 << 20)) >> 21;
142	3	s10 += carry9;
143	3	s9 -= carry9 << 21;
144	3	carry11 = (s11 + (1 << 20)) >> 21;
145	3	s12 += carry11;
146	3	s11 -= carry11 << 21;
147	3	carry13 = (s13 + (1 << 20)) >> 21;
148	3	s14 += carry13;
149	3	s13 -= carry13 << 21;
150	3	carry15 = (s15 + (1 << 20)) >> 21;
151	3	s16 += carry15;
152	3	s15 -= carry15 << 21;
153	3	s5 += s17 * 666643;
154	3	s6 += s17 * 470296;
155	3	s7 += s17 * 654183;
156	3	s8 -= s17 * 997805;
157	3	s9 += s17 * 136657;
158	3	s10 -= s17 * 683901;
159	3	s17 = 0;
160	3	s4 += s16 * 666643;
161	3	s5 += s16 * 470296;
162	3	s6 += s16 * 654183;
163	3	s7 -= s16 * 997805;
164	3	s8 += s16 * 136657;
165	3	s9 -= s16 * 683901;
166	3	s16 = 0;
167	3	s3 += s15 * 666643;
168	3	s4 += s15 * 470296;
169	3	s5 += s15 * 654183;
170	3	s6 -= s15 * 997805;
171	3	s7 += s15 * 136657;
172	3	s8 -= s15 * 683901;
173	3	s15 = 0;
174	3	s2 += s14 * 666643;
175	3	s3 += s14 * 470296;
176	3	s4 += s14 * 654183;
177	3	s5 -= s14 * 997805;
178	3	s6 += s14 * 136657;
179	3	s7 -= s14 * 683901;
180	3	s14 = 0;
181	3	s1 += s13 * 666643;
182	3	s2 += s13 * 470296;
183	3	s3 += s13 * 654183;
184	3	s4 -= s13 * 997805;
185	3	s5 += s13 * 136657;
186	3	s6 -= s13 * 683901;
187	3	s13 = 0;
188	3	s0 += s12 * 666643;
189	3	s1 += s12 * 470296;
190	3	s2 += s12 * 654183;
191	3	s3 -= s12 * 997805;
192	3	s4 += s12 * 136657;
193	3	s5 -= s12 * 683901;
194	3	s12 = 0;
195	3	carry0 = (s0 + (1 << 20)) >> 21;
196	3	s1 += carry0;
197	3	s0 -= carry0 << 21;
198	3	carry2 = (s2 + (1 << 20)) >> 21;
199	3	s3 += carry2;
200	3	s2 -= carry2 << 21;
201	3	carry4 = (s4 + (1 << 20)) >> 21;
202	3	s5 += carry4;
203	3	s4 -= carry4 << 21;
204	3	carry6 = (s6 + (1 << 20)) >> 21;
205	3	s7 += carry6;
206	3	s6 -= carry6 << 21;
207	3	carry8 = (s8 + (1 << 20)) >> 21;
208	3	s9 += carry8;
209	3	s8 -= carry8 << 21;
210	3	carry10 = (s10 + (1 << 20)) >> 21;
211	3	s11 += carry10;
212	3	s10 -= carry10 << 21;
213	3	carry1 = (s1 + (1 << 20)) >> 21;
214	3	s2 += carry1;
215	3	s1 -= carry1 << 21;
216	3	carry3 = (s3 + (1 << 20)) >> 21;
217	3	s4 += carry3;
218	3	s3 -= carry3 << 21;
219	3	carry5 = (s5 + (1 << 20)) >> 21;
220	3	s6 += carry5;
221	3	s5 -= carry5 << 21;
222	3	carry7 = (s7 + (1 << 20)) >> 21;
223	3	s8 += carry7;
224	3	s7 -= carry7 << 21;
225	3	carry9 = (s9 + (1 << 20)) >> 21;
226	3	s10 += carry9;
227	3	s9 -= carry9 << 21;
228	3	carry11 = (s11 + (1 << 20)) >> 21;
229	3	s12 += carry11;
230	3	s11 -= carry11 << 21;
231	3	s0 += s12 * 666643;
232	3	s1 += s12 * 470296;
233	3	s2 += s12 * 654183;
234	3	s3 -= s12 * 997805;
235	3	s4 += s12 * 136657;
236	3	s5 -= s12 * 683901;
237	3	s12 = 0;
238	3	carry0 = s0 >> 21;
239	3	s1 += carry0;
240	3	s0 -= carry0 << 21;
241	3	carry1 = s1 >> 21;
242	3	s2 += carry1;
243	3	s1 -= carry1 << 21;
244	3	carry2 = s2 >> 21;
245	3	s3 += carry2;
246	3	s2 -= carry2 << 21;
247	3	carry3 = s3 >> 21;
248	3	s4 += carry3;
249	3	s3 -= carry3 << 21;
250	3	carry4 = s4 >> 21;
251	3	s5 += carry4;
252	3	s4 -= carry4 << 21;
253	3	carry5 = s5 >> 21;
254	3	s6 += carry5;
255	3	s5 -= carry5 << 21;
256	3	carry6 = s6 >> 21;
257	3	s7 += carry6;
258	3	s6 -= carry6 << 21;
259	3	carry7 = s7 >> 21;
260	3	s8 += carry7;
261	3	s7 -= carry7 << 21;
262	3	carry8 = s8 >> 21;
263	3	s9 += carry8;
264	3	s8 -= carry8 << 21;
265	3	carry9 = s9 >> 21;
266	3	s10 += carry9;
267	3	s9 -= carry9 << 21;
268	3	carry10 = s10 >> 21;
269	3	s11 += carry10;
270	3	s10 -= carry10 << 21;
271	3	carry11 = s11 >> 21;
272	3	s12 += carry11;
273	3	s11 -= carry11 << 21;
274	3	s0 += s12 * 666643;
275	3	s1 += s12 * 470296;
276	3	s2 += s12 * 654183;
277	3	s3 -= s12 * 997805;
278	3	s4 += s12 * 136657;
279	3	s5 -= s12 * 683901;
280	3	s12 = 0;
281	3	carry0 = s0 >> 21;
282	3	s1 += carry0;
283	3	s0 -= carry0 << 21;
284	3	carry1 = s1 >> 21;
285	3	s2 += carry1;
286	3	s1 -= carry1 << 21;
287	3	carry2 = s2 >> 21;
288	3	s3 += carry2;
289	3	s2 -= carry2 << 21;
290	3	carry3 = s3 >> 21;
291	3	s4 += carry3;
292	3	s3 -= carry3 << 21;
293	3	carry4 = s4 >> 21;
294	3	s5 += carry4;
295	3	s4 -= carry4 << 21;
296	3	carry5 = s5 >> 21;
297	3	s6 += carry5;
298	3	s5 -= carry5 << 21;
299	3	carry6 = s6 >> 21;
300	3	s7 += carry6;
301	3	s6 -= carry6 << 21;
302	3	carry7 = s7 >> 21;
303	3	s8 += carry7;
304	3	s7 -= carry7 << 21;
305	3	carry8 = s8 >> 21;
306	3	s9 += carry8;
307	3	s8 -= carry8 << 21;
308	3	carry9 = s9 >> 21;
309	3	s10 += carry9;
310	3	s9 -= carry9 << 21;
311	3	carry10 = s10 >> 21;
312	3	s11 += carry10;
313	3	s10 -= carry10 << 21;
314
315	3	s[0] = (unsigned char) (s0 >> 0);
316	3	s[1] = (unsigned char) (s0 >> 8);
317	3	s[2] = (unsigned char) ((s0 >> 16) \| (s1 << 5));
318	3	s[3] = (unsigned char) (s1 >> 3);
319	3	s[4] = (unsigned char) (s1 >> 11);
320	3	s[5] = (unsigned char) ((s1 >> 19) \| (s2 << 2));
321	3	s[6] = (unsigned char) (s2 >> 6);
322	3	s[7] = (unsigned char) ((s2 >> 14) \| (s3 << 7));
323	3	s[8] = (unsigned char) (s3 >> 1);
324	3	s[9] = (unsigned char) (s3 >> 9);
325	3	s[10] = (unsigned char) ((s3 >> 17) \| (s4 << 4));
326	3	s[11] = (unsigned char) (s4 >> 4);
327	3	s[12] = (unsigned char) (s4 >> 12);
328	3	s[13] = (unsigned char) ((s4 >> 20) \| (s5 << 1));
329	3	s[14] = (unsigned char) (s5 >> 7);
330	3	s[15] = (unsigned char) ((s5 >> 15) \| (s6 << 6));
331	3	s[16] = (unsigned char) (s6 >> 2);
332	3	s[17] = (unsigned char) (s6 >> 10);
333	3	s[18] = (unsigned char) ((s6 >> 18) \| (s7 << 3));
334	3	s[19] = (unsigned char) (s7 >> 5);
335	3	s[20] = (unsigned char) (s7 >> 13);
336	3	s[21] = (unsigned char) (s8 >> 0);
337	3	s[22] = (unsigned char) (s8 >> 8);
338	3	s[23] = (unsigned char) ((s8 >> 16) \| (s9 << 5));
339	3	s[24] = (unsigned char) (s9 >> 3);
340	3	s[25] = (unsigned char) (s9 >> 11);
341	3	s[26] = (unsigned char) ((s9 >> 19) \| (s10 << 2));
342	3	s[27] = (unsigned char) (s10 >> 6);
343	3	s[28] = (unsigned char) ((s10 >> 14) \| (s11 << 7));
344	3	s[29] = (unsigned char) (s11 >> 1);
345	3	s[30] = (unsigned char) (s11 >> 9);
346	3	s[31] = (unsigned char) (s11 >> 17);
347	3	}
348
349
350
351		/*
352		Input:
353		a[0]+256a[1]+...+256^31a[31] = a
354		b[0]+256b[1]+...+256^31b[31] = b
355		c[0]+256c[1]+...+256^31c[31] = c
356
357		Output:
358		s[0]+256s[1]+...+256^31s[31] = (ab+c) mod l
359		where l = 2^252 + 27742317777372353535851937790883648493.
360		*/
361
362	1	void sc_muladd(unsigned char s, const unsigned char a, const unsigned char b, const unsigned char c) {
363	1	int64_t a0 = 2097151 & load_3(a);
364	1	int64_t a1 = 2097151 & (load_4(a + 2) >> 5);
365	1	int64_t a2 = 2097151 & (load_3(a + 5) >> 2);
366	1	int64_t a3 = 2097151 & (load_4(a + 7) >> 7);
367	1	int64_t a4 = 2097151 & (load_4(a + 10) >> 4);
368	1	int64_t a5 = 2097151 & (load_3(a + 13) >> 1);
369	1	int64_t a6 = 2097151 & (load_4(a + 15) >> 6);
370	1	int64_t a7 = 2097151 & (load_3(a + 18) >> 3);
371	1	int64_t a8 = 2097151 & load_3(a + 21);
372	1	int64_t a9 = 2097151 & (load_4(a + 23) >> 5);
373	1	int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
374	1	int64_t a11 = (load_4(a + 28) >> 7);
375	1	int64_t b0 = 2097151 & load_3(b);
376	1	int64_t b1 = 2097151 & (load_4(b + 2) >> 5);
377	1	int64_t b2 = 2097151 & (load_3(b + 5) >> 2);
378	1	int64_t b3 = 2097151 & (load_4(b + 7) >> 7);
379	1	int64_t b4 = 2097151 & (load_4(b + 10) >> 4);
380	1	int64_t b5 = 2097151 & (load_3(b + 13) >> 1);
381	1	int64_t b6 = 2097151 & (load_4(b + 15) >> 6);
382	1	int64_t b7 = 2097151 & (load_3(b + 18) >> 3);
383	1	int64_t b8 = 2097151 & load_3(b + 21);
384	1	int64_t b9 = 2097151 & (load_4(b + 23) >> 5);
385	1	int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
386	1	int64_t b11 = (load_4(b + 28) >> 7);
387	1	int64_t c0 = 2097151 & load_3(c);
388	1	int64_t c1 = 2097151 & (load_4(c + 2) >> 5);
389	1	int64_t c2 = 2097151 & (load_3(c + 5) >> 2);
390	1	int64_t c3 = 2097151 & (load_4(c + 7) >> 7);
391	1	int64_t c4 = 2097151 & (load_4(c + 10) >> 4);
392	1	int64_t c5 = 2097151 & (load_3(c + 13) >> 1);
393	1	int64_t c6 = 2097151 & (load_4(c + 15) >> 6);
394	1	int64_t c7 = 2097151 & (load_3(c + 18) >> 3);
395	1	int64_t c8 = 2097151 & load_3(c + 21);
396	1	int64_t c9 = 2097151 & (load_4(c + 23) >> 5);
397	1	int64_t c10 = 2097151 & (load_3(c + 26) >> 2);
398	1	int64_t c11 = (load_4(c + 28) >> 7);
399		int64_t s0;
400		int64_t s1;
401		int64_t s2;
402		int64_t s3;
403		int64_t s4;
404		int64_t s5;
405		int64_t s6;
406		int64_t s7;
407		int64_t s8;
408		int64_t s9;
409		int64_t s10;
410		int64_t s11;
411		int64_t s12;
412		int64_t s13;
413		int64_t s14;
414		int64_t s15;
415		int64_t s16;
416		int64_t s17;
417		int64_t s18;
418		int64_t s19;
419		int64_t s20;
420		int64_t s21;
421		int64_t s22;
422		int64_t s23;
423		int64_t carry0;
424		int64_t carry1;
425		int64_t carry2;
426		int64_t carry3;
427		int64_t carry4;
428		int64_t carry5;
429		int64_t carry6;
430		int64_t carry7;
431		int64_t carry8;
432		int64_t carry9;
433		int64_t carry10;
434		int64_t carry11;
435		int64_t carry12;
436		int64_t carry13;
437		int64_t carry14;
438		int64_t carry15;
439		int64_t carry16;
440		int64_t carry17;
441		int64_t carry18;
442		int64_t carry19;
443		int64_t carry20;
444		int64_t carry21;
445		int64_t carry22;
446
447	1	s0 = c0 + a0 * b0;
448	1	s1 = c1 + a0 * b1 + a1 * b0;
449	1	s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
450	1	s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
451	1	s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
452	1	s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
453	1	s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
454	1	s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0;
455	1	s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0;
456	1	s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
457	1	s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
458	1	s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
459	1	s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
460	1	s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
461	1	s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3;
462	1	s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4;
463	1	s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
464	1	s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
465	1	s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
466	1	s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
467	1	s20 = a9 * b11 + a10 * b10 + a11 * b9;
468	1	s21 = a10 * b11 + a11 * b10;
469	1	s22 = a11 * b11;
470	1	s23 = 0;
471	1	carry0 = (s0 + (1 << 20)) >> 21;
472	1	s1 += carry0;
473	1	s0 -= carry0 << 21;
474	1	carry2 = (s2 + (1 << 20)) >> 21;
475	1	s3 += carry2;
476	1	s2 -= carry2 << 21;
477	1	carry4 = (s4 + (1 << 20)) >> 21;
478	1	s5 += carry4;
479	1	s4 -= carry4 << 21;
480	1	carry6 = (s6 + (1 << 20)) >> 21;
481	1	s7 += carry6;
482	1	s6 -= carry6 << 21;
483	1	carry8 = (s8 + (1 << 20)) >> 21;
484	1	s9 += carry8;
485	1	s8 -= carry8 << 21;
486	1	carry10 = (s10 + (1 << 20)) >> 21;
487	1	s11 += carry10;
488	1	s10 -= carry10 << 21;
489	1	carry12 = (s12 + (1 << 20)) >> 21;
490	1	s13 += carry12;
491	1	s12 -= carry12 << 21;
492	1	carry14 = (s14 + (1 << 20)) >> 21;
493	1	s15 += carry14;
494	1	s14 -= carry14 << 21;
495	1	carry16 = (s16 + (1 << 20)) >> 21;
496	1	s17 += carry16;
497	1	s16 -= carry16 << 21;
498	1	carry18 = (s18 + (1 << 20)) >> 21;
499	1	s19 += carry18;
500	1	s18 -= carry18 << 21;
501	1	carry20 = (s20 + (1 << 20)) >> 21;
502	1	s21 += carry20;
503	1	s20 -= carry20 << 21;
504	1	carry22 = (s22 + (1 << 20)) >> 21;
505	1	s23 += carry22;
506	1	s22 -= carry22 << 21;
507	1	carry1 = (s1 + (1 << 20)) >> 21;
508	1	s2 += carry1;
509	1	s1 -= carry1 << 21;
510	1	carry3 = (s3 + (1 << 20)) >> 21;
511	1	s4 += carry3;
512	1	s3 -= carry3 << 21;
513	1	carry5 = (s5 + (1 << 20)) >> 21;
514	1	s6 += carry5;
515	1	s5 -= carry5 << 21;
516	1	carry7 = (s7 + (1 << 20)) >> 21;
517	1	s8 += carry7;
518	1	s7 -= carry7 << 21;
519	1	carry9 = (s9 + (1 << 20)) >> 21;
520	1	s10 += carry9;
521	1	s9 -= carry9 << 21;
522	1	carry11 = (s11 + (1 << 20)) >> 21;
523	1	s12 += carry11;
524	1	s11 -= carry11 << 21;
525	1	carry13 = (s13 + (1 << 20)) >> 21;
526	1	s14 += carry13;
527	1	s13 -= carry13 << 21;
528	1	carry15 = (s15 + (1 << 20)) >> 21;
529	1	s16 += carry15;
530	1	s15 -= carry15 << 21;
531	1	carry17 = (s17 + (1 << 20)) >> 21;
532	1	s18 += carry17;
533	1	s17 -= carry17 << 21;
534	1	carry19 = (s19 + (1 << 20)) >> 21;
535	1	s20 += carry19;
536	1	s19 -= carry19 << 21;
537	1	carry21 = (s21 + (1 << 20)) >> 21;
538	1	s22 += carry21;
539	1	s21 -= carry21 << 21;
540	1	s11 += s23 * 666643;
541	1	s12 += s23 * 470296;
542	1	s13 += s23 * 654183;
543	1	s14 -= s23 * 997805;
544	1	s15 += s23 * 136657;
545	1	s16 -= s23 * 683901;
546	1	s23 = 0;
547	1	s10 += s22 * 666643;
548	1	s11 += s22 * 470296;
549	1	s12 += s22 * 654183;
550	1	s13 -= s22 * 997805;
551	1	s14 += s22 * 136657;
552	1	s15 -= s22 * 683901;
553	1	s22 = 0;
554	1	s9 += s21 * 666643;
555	1	s10 += s21 * 470296;
556	1	s11 += s21 * 654183;
557	1	s12 -= s21 * 997805;
558	1	s13 += s21 * 136657;
559	1	s14 -= s21 * 683901;
560	1	s21 = 0;
561	1	s8 += s20 * 666643;
562	1	s9 += s20 * 470296;
563	1	s10 += s20 * 654183;
564	1	s11 -= s20 * 997805;
565	1	s12 += s20 * 136657;
566	1	s13 -= s20 * 683901;
567	1	s20 = 0;
568	1	s7 += s19 * 666643;
569	1	s8 += s19 * 470296;
570	1	s9 += s19 * 654183;
571	1	s10 -= s19 * 997805;
572	1	s11 += s19 * 136657;
573	1	s12 -= s19 * 683901;
574	1	s19 = 0;
575	1	s6 += s18 * 666643;
576	1	s7 += s18 * 470296;
577	1	s8 += s18 * 654183;
578	1	s9 -= s18 * 997805;
579	1	s10 += s18 * 136657;
580	1	s11 -= s18 * 683901;
581	1	s18 = 0;
582	1	carry6 = (s6 + (1 << 20)) >> 21;
583	1	s7 += carry6;
584	1	s6 -= carry6 << 21;
585	1	carry8 = (s8 + (1 << 20)) >> 21;
586	1	s9 += carry8;
587	1	s8 -= carry8 << 21;
588	1	carry10 = (s10 + (1 << 20)) >> 21;
589	1	s11 += carry10;
590	1	s10 -= carry10 << 21;
591	1	carry12 = (s12 + (1 << 20)) >> 21;
592	1	s13 += carry12;
593	1	s12 -= carry12 << 21;
594	1	carry14 = (s14 + (1 << 20)) >> 21;
595	1	s15 += carry14;
596	1	s14 -= carry14 << 21;
597	1	carry16 = (s16 + (1 << 20)) >> 21;
598	1	s17 += carry16;
599	1	s16 -= carry16 << 21;
600	1	carry7 = (s7 + (1 << 20)) >> 21;
601	1	s8 += carry7;
602	1	s7 -= carry7 << 21;
603	1	carry9 = (s9 + (1 << 20)) >> 21;
604	1	s10 += carry9;
605	1	s9 -= carry9 << 21;
606	1	carry11 = (s11 + (1 << 20)) >> 21;
607	1	s12 += carry11;
608	1	s11 -= carry11 << 21;
609	1	carry13 = (s13 + (1 << 20)) >> 21;
610	1	s14 += carry13;
611	1	s13 -= carry13 << 21;
612	1	carry15 = (s15 + (1 << 20)) >> 21;
613	1	s16 += carry15;
614	1	s15 -= carry15 << 21;
615	1	s5 += s17 * 666643;
616	1	s6 += s17 * 470296;
617	1	s7 += s17 * 654183;
618	1	s8 -= s17 * 997805;
619	1	s9 += s17 * 136657;
620	1	s10 -= s17 * 683901;
621	1	s17 = 0;
622	1	s4 += s16 * 666643;
623	1	s5 += s16 * 470296;
624	1	s6 += s16 * 654183;
625	1	s7 -= s16 * 997805;
626	1	s8 += s16 * 136657;
627	1	s9 -= s16 * 683901;
628	1	s16 = 0;
629	1	s3 += s15 * 666643;
630	1	s4 += s15 * 470296;
631	1	s5 += s15 * 654183;
632	1	s6 -= s15 * 997805;
633	1	s7 += s15 * 136657;
634	1	s8 -= s15 * 683901;
635	1	s15 = 0;
636	1	s2 += s14 * 666643;
637	1	s3 += s14 * 470296;
638	1	s4 += s14 * 654183;
639	1	s5 -= s14 * 997805;
640	1	s6 += s14 * 136657;
641	1	s7 -= s14 * 683901;
642	1	s14 = 0;
643	1	s1 += s13 * 666643;
644	1	s2 += s13 * 470296;
645	1	s3 += s13 * 654183;
646	1	s4 -= s13 * 997805;
647	1	s5 += s13 * 136657;
648	1	s6 -= s13 * 683901;
649	1	s13 = 0;
650	1	s0 += s12 * 666643;
651	1	s1 += s12 * 470296;
652	1	s2 += s12 * 654183;
653	1	s3 -= s12 * 997805;
654	1	s4 += s12 * 136657;
655	1	s5 -= s12 * 683901;
656	1	s12 = 0;
657	1	carry0 = (s0 + (1 << 20)) >> 21;
658	1	s1 += carry0;
659	1	s0 -= carry0 << 21;
660	1	carry2 = (s2 + (1 << 20)) >> 21;
661	1	s3 += carry2;
662	1	s2 -= carry2 << 21;
663	1	carry4 = (s4 + (1 << 20)) >> 21;
664	1	s5 += carry4;
665	1	s4 -= carry4 << 21;
666	1	carry6 = (s6 + (1 << 20)) >> 21;
667	1	s7 += carry6;
668	1	s6 -= carry6 << 21;
669	1	carry8 = (s8 + (1 << 20)) >> 21;
670	1	s9 += carry8;
671	1	s8 -= carry8 << 21;
672	1	carry10 = (s10 + (1 << 20)) >> 21;
673	1	s11 += carry10;
674	1	s10 -= carry10 << 21;
675	1	carry1 = (s1 + (1 << 20)) >> 21;
676	1	s2 += carry1;
677	1	s1 -= carry1 << 21;
678	1	carry3 = (s3 + (1 << 20)) >> 21;
679	1	s4 += carry3;
680	1	s3 -= carry3 << 21;
681	1	carry5 = (s5 + (1 << 20)) >> 21;
682	1	s6 += carry5;
683	1	s5 -= carry5 << 21;
684	1	carry7 = (s7 + (1 << 20)) >> 21;
685	1	s8 += carry7;
686	1	s7 -= carry7 << 21;
687	1	carry9 = (s9 + (1 << 20)) >> 21;
688	1	s10 += carry9;
689	1	s9 -= carry9 << 21;
690	1	carry11 = (s11 + (1 << 20)) >> 21;
691	1	s12 += carry11;
692	1	s11 -= carry11 << 21;
693	1	s0 += s12 * 666643;
694	1	s1 += s12 * 470296;
695	1	s2 += s12 * 654183;
696	1	s3 -= s12 * 997805;
697	1	s4 += s12 * 136657;
698	1	s5 -= s12 * 683901;
699	1	s12 = 0;
700	1	carry0 = s0 >> 21;
701	1	s1 += carry0;
702	1	s0 -= carry0 << 21;
703	1	carry1 = s1 >> 21;
704	1	s2 += carry1;
705	1	s1 -= carry1 << 21;
706	1	carry2 = s2 >> 21;
707	1	s3 += carry2;
708	1	s2 -= carry2 << 21;
709	1	carry3 = s3 >> 21;
710	1	s4 += carry3;
711	1	s3 -= carry3 << 21;
712	1	carry4 = s4 >> 21;
713	1	s5 += carry4;
714	1	s4 -= carry4 << 21;
715	1	carry5 = s5 >> 21;
716	1	s6 += carry5;
717	1	s5 -= carry5 << 21;
718	1	carry6 = s6 >> 21;
719	1	s7 += carry6;
720	1	s6 -= carry6 << 21;
721	1	carry7 = s7 >> 21;
722	1	s8 += carry7;
723	1	s7 -= carry7 << 21;
724	1	carry8 = s8 >> 21;
725	1	s9 += carry8;
726	1	s8 -= carry8 << 21;
727	1	carry9 = s9 >> 21;
728	1	s10 += carry9;
729	1	s9 -= carry9 << 21;
730	1	carry10 = s10 >> 21;
731	1	s11 += carry10;
732	1	s10 -= carry10 << 21;
733	1	carry11 = s11 >> 21;
734	1	s12 += carry11;
735	1	s11 -= carry11 << 21;
736	1	s0 += s12 * 666643;
737	1	s1 += s12 * 470296;
738	1	s2 += s12 * 654183;
739	1	s3 -= s12 * 997805;
740	1	s4 += s12 * 136657;
741	1	s5 -= s12 * 683901;
742	1	s12 = 0;
743	1	carry0 = s0 >> 21;
744	1	s1 += carry0;
745	1	s0 -= carry0 << 21;
746	1	carry1 = s1 >> 21;
747	1	s2 += carry1;
748	1	s1 -= carry1 << 21;
749	1	carry2 = s2 >> 21;
750	1	s3 += carry2;
751	1	s2 -= carry2 << 21;
752	1	carry3 = s3 >> 21;
753	1	s4 += carry3;
754	1	s3 -= carry3 << 21;
755	1	carry4 = s4 >> 21;
756	1	s5 += carry4;
757	1	s4 -= carry4 << 21;
758	1	carry5 = s5 >> 21;
759	1	s6 += carry5;
760	1	s5 -= carry5 << 21;
761	1	carry6 = s6 >> 21;
762	1	s7 += carry6;
763	1	s6 -= carry6 << 21;
764	1	carry7 = s7 >> 21;
765	1	s8 += carry7;
766	1	s7 -= carry7 << 21;
767	1	carry8 = s8 >> 21;
768	1	s9 += carry8;
769	1	s8 -= carry8 << 21;
770	1	carry9 = s9 >> 21;
771	1	s10 += carry9;
772	1	s9 -= carry9 << 21;
773	1	carry10 = s10 >> 21;
774	1	s11 += carry10;
775	1	s10 -= carry10 << 21;
776
777	1	s[0] = (unsigned char) (s0 >> 0);
778	1	s[1] = (unsigned char) (s0 >> 8);
779	1	s[2] = (unsigned char) ((s0 >> 16) \| (s1 << 5));
780	1	s[3] = (unsigned char) (s1 >> 3);
781	1	s[4] = (unsigned char) (s1 >> 11);
782	1	s[5] = (unsigned char) ((s1 >> 19) \| (s2 << 2));
783	1	s[6] = (unsigned char) (s2 >> 6);
784	1	s[7] = (unsigned char) ((s2 >> 14) \| (s3 << 7));
785	1	s[8] = (unsigned char) (s3 >> 1);
786	1	s[9] = (unsigned char) (s3 >> 9);
787	1	s[10] = (unsigned char) ((s3 >> 17) \| (s4 << 4));
788	1	s[11] = (unsigned char) (s4 >> 4);
789	1	s[12] = (unsigned char) (s4 >> 12);
790	1	s[13] = (unsigned char) ((s4 >> 20) \| (s5 << 1));
791	1	s[14] = (unsigned char) (s5 >> 7);
792	1	s[15] = (unsigned char) ((s5 >> 15) \| (s6 << 6));
793	1	s[16] = (unsigned char) (s6 >> 2);
794	1	s[17] = (unsigned char) (s6 >> 10);
795	1	s[18] = (unsigned char) ((s6 >> 18) \| (s7 << 3));
796	1	s[19] = (unsigned char) (s7 >> 5);
797	1	s[20] = (unsigned char) (s7 >> 13);
798	1	s[21] = (unsigned char) (s8 >> 0);
799	1	s[22] = (unsigned char) (s8 >> 8);
800	1	s[23] = (unsigned char) ((s8 >> 16) \| (s9 << 5));
801	1	s[24] = (unsigned char) (s9 >> 3);
802	1	s[25] = (unsigned char) (s9 >> 11);
803	1	s[26] = (unsigned char) ((s9 >> 19) \| (s10 << 2));
804	1	s[27] = (unsigned char) (s10 >> 6);
805	1	s[28] = (unsigned char) ((s10 >> 14) \| (s11 << 7));
806	1	s[29] = (unsigned char) (s11 >> 1);
807	1	s[30] = (unsigned char) (s11 >> 9);
808	1	s[31] = (unsigned char) (s11 >> 17);
809	1	}