fiat_crypto/
poly1305_64.rs

1//! Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --lang Rust --inline poly1305 64 3 '2^130 - 5' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax
2//! curve description: poly1305
3//! machine_wordsize = 64 (from "64")
4//! requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax
5//! n = 3 (from "3")
6//! s-c = 2^130 - [(1, 5)] (from "2^130 - 5")
7//! tight_bounds_multiplier = 1 (from "")
8//!
9//! Computed values:
10//!   carry_chain = [0, 1, 2, 0, 1]
11//!   eval z = z[0] + (z[1] << 44) + (z[2] << 87)
12//!   bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128)
13//!   balance = [0x1ffffffffff6, 0xffffffffffe, 0xffffffffffe]
14
15#![allow(unused_parens)]
16#![allow(non_camel_case_types)]
17
18/// Since `Index` and `IndexMut` aren't callable in `const` contexts yet, this helper type helps unify
19/// arrays and user-defined array-wrapper types into a single type which can be indexed in `const`
20/// contexts. Once `const trait`s are stabilized this type can go away
21struct IndexConst<T: ?Sized>(T);
22
23impl<'a, T, const N: usize> IndexConst<&'a [T; N]> {
24    #[inline(always)]
25    #[allow(unused)]
26    const fn index(self, i: usize) -> &'a T {
27        &self.0[i]
28    }
29}
30impl<'a, 'b, T, const N: usize> IndexConst<&'a mut &'b mut [T; N]> {
31    #[inline(always)]
32    #[allow(unused)]
33    const fn index_mut(self, i: usize) -> &'a mut T {
34        &mut self.0[i]
35    }
36}
37
38/** fiat_poly1305_u1 represents values of 1 bits, stored in one byte. */
39pub type fiat_poly1305_u1 = u8;
40/** fiat_poly1305_i1 represents values of 1 bits, stored in one byte. */
41pub type fiat_poly1305_i1 = i8;
42/** fiat_poly1305_u2 represents values of 2 bits, stored in one byte. */
43pub type fiat_poly1305_u2 = u8;
44/** fiat_poly1305_i2 represents values of 2 bits, stored in one byte. */
45pub type fiat_poly1305_i2 = i8;
46
47/** The type fiat_poly1305_loose_field_element is a field element with loose bounds. */
48/** Bounds: [[0x0 ~> 0x300000000000], [0x0 ~> 0x180000000000], [0x0 ~> 0x180000000000]] */
49#[derive(Clone, Copy)]
50pub struct fiat_poly1305_loose_field_element(pub [u64; 3]);
51
52impl core::ops::Index<usize> for fiat_poly1305_loose_field_element {
53    type Output = u64;
54    #[inline]
55    fn index(&self, index: usize) -> &Self::Output {
56        &self.0[index]
57    }
58}
59
60impl core::ops::IndexMut<usize> for fiat_poly1305_loose_field_element {
61    #[inline]
62    fn index_mut(&mut self, index: usize) -> &mut Self::Output {
63        &mut self.0[index]
64    }
65}
66
67impl<'a> IndexConst<&'a fiat_poly1305_loose_field_element> {
68    #[allow(unused)]
69    #[inline(always)]
70    const fn index(self, i: usize) -> &'a u64 {
71        &self.0.0[i]
72    }
73}
74
75impl<'a, 'b> IndexConst<&'a mut &'b mut fiat_poly1305_loose_field_element> {
76    #[allow(unused)]
77    #[inline(always)]
78    const fn index_mut(self, i: usize) -> &'a mut u64 {
79        &mut self.0.0[i]
80    }
81}
82
83/** The type fiat_poly1305_tight_field_element is a field element with tight bounds. */
84/** Bounds: [[0x0 ~> 0x100000000000], [0x0 ~> 0x80000000000], [0x0 ~> 0x80000000000]] */
85#[derive(Clone, Copy)]
86pub struct fiat_poly1305_tight_field_element(pub [u64; 3]);
87
88impl core::ops::Index<usize> for fiat_poly1305_tight_field_element {
89    type Output = u64;
90    #[inline]
91    fn index(&self, index: usize) -> &Self::Output {
92        &self.0[index]
93    }
94}
95
96impl core::ops::IndexMut<usize> for fiat_poly1305_tight_field_element {
97    #[inline]
98    fn index_mut(&mut self, index: usize) -> &mut Self::Output {
99        &mut self.0[index]
100    }
101}
102
103impl<'a> IndexConst<&'a fiat_poly1305_tight_field_element> {
104    #[allow(unused)]
105    #[inline(always)]
106    const fn index(self, i: usize) -> &'a u64 {
107        &self.0.0[i]
108    }
109}
110
111impl<'a, 'b> IndexConst<&'a mut &'b mut fiat_poly1305_tight_field_element> {
112    #[allow(unused)]
113    #[inline(always)]
114    const fn index_mut(self, i: usize) -> &'a mut u64 {
115        &mut self.0.0[i]
116    }
117}
118
119
120/// The function fiat_poly1305_addcarryx_u44 is an addition with carry.
121///
122/// Postconditions:
123///   out1 = (arg1 + arg2 + arg3) mod 2^44
124///   out2 = ⌊(arg1 + arg2 + arg3) / 2^44⌋
125///
126/// Input Bounds:
127///   arg1: [0x0 ~> 0x1]
128///   arg2: [0x0 ~> 0xfffffffffff]
129///   arg3: [0x0 ~> 0xfffffffffff]
130/// Output Bounds:
131///   out1: [0x0 ~> 0xfffffffffff]
132///   out2: [0x0 ~> 0x1]
133#[inline]
134pub const fn fiat_poly1305_addcarryx_u44(out1: &mut u64, out2: &mut fiat_poly1305_u1, arg1: fiat_poly1305_u1, arg2: u64, arg3: u64) {
135  let x1: u64 = (((arg1 as u64) + arg2) + arg3);
136  let x2: u64 = (x1 & 0xfffffffffff);
137  let x3: fiat_poly1305_u1 = ((x1 >> 44) as fiat_poly1305_u1);
138  *out1 = x2;
139  *out2 = x3;
140}
141
142/// The function fiat_poly1305_subborrowx_u44 is a subtraction with borrow.
143///
144/// Postconditions:
145///   out1 = (-arg1 + arg2 + -arg3) mod 2^44
146///   out2 = -⌊(-arg1 + arg2 + -arg3) / 2^44⌋
147///
148/// Input Bounds:
149///   arg1: [0x0 ~> 0x1]
150///   arg2: [0x0 ~> 0xfffffffffff]
151///   arg3: [0x0 ~> 0xfffffffffff]
152/// Output Bounds:
153///   out1: [0x0 ~> 0xfffffffffff]
154///   out2: [0x0 ~> 0x1]
155#[inline]
156pub const fn fiat_poly1305_subborrowx_u44(out1: &mut u64, out2: &mut fiat_poly1305_u1, arg1: fiat_poly1305_u1, arg2: u64, arg3: u64) {
157  let x1: i64 = ((((((arg2 as i128) - (arg1 as i128)) as i64) as i128) - (arg3 as i128)) as i64);
158  let x2: fiat_poly1305_i1 = ((x1 >> 44) as fiat_poly1305_i1);
159  let x3: u64 = (((x1 as i128) & (0xfffffffffff as i128)) as u64);
160  *out1 = x3;
161  *out2 = (((0x0 as fiat_poly1305_i2) - (x2 as fiat_poly1305_i2)) as fiat_poly1305_u1);
162}
163
164/// The function fiat_poly1305_addcarryx_u43 is an addition with carry.
165///
166/// Postconditions:
167///   out1 = (arg1 + arg2 + arg3) mod 2^43
168///   out2 = ⌊(arg1 + arg2 + arg3) / 2^43⌋
169///
170/// Input Bounds:
171///   arg1: [0x0 ~> 0x1]
172///   arg2: [0x0 ~> 0x7ffffffffff]
173///   arg3: [0x0 ~> 0x7ffffffffff]
174/// Output Bounds:
175///   out1: [0x0 ~> 0x7ffffffffff]
176///   out2: [0x0 ~> 0x1]
177#[inline]
178pub const fn fiat_poly1305_addcarryx_u43(out1: &mut u64, out2: &mut fiat_poly1305_u1, arg1: fiat_poly1305_u1, arg2: u64, arg3: u64) {
179  let x1: u64 = (((arg1 as u64) + arg2) + arg3);
180  let x2: u64 = (x1 & 0x7ffffffffff);
181  let x3: fiat_poly1305_u1 = ((x1 >> 43) as fiat_poly1305_u1);
182  *out1 = x2;
183  *out2 = x3;
184}
185
186/// The function fiat_poly1305_subborrowx_u43 is a subtraction with borrow.
187///
188/// Postconditions:
189///   out1 = (-arg1 + arg2 + -arg3) mod 2^43
190///   out2 = -⌊(-arg1 + arg2 + -arg3) / 2^43⌋
191///
192/// Input Bounds:
193///   arg1: [0x0 ~> 0x1]
194///   arg2: [0x0 ~> 0x7ffffffffff]
195///   arg3: [0x0 ~> 0x7ffffffffff]
196/// Output Bounds:
197///   out1: [0x0 ~> 0x7ffffffffff]
198///   out2: [0x0 ~> 0x1]
199#[inline]
200pub const fn fiat_poly1305_subborrowx_u43(out1: &mut u64, out2: &mut fiat_poly1305_u1, arg1: fiat_poly1305_u1, arg2: u64, arg3: u64) {
201  let x1: i64 = ((((((arg2 as i128) - (arg1 as i128)) as i64) as i128) - (arg3 as i128)) as i64);
202  let x2: fiat_poly1305_i1 = ((x1 >> 43) as fiat_poly1305_i1);
203  let x3: u64 = (((x1 as i128) & (0x7ffffffffff as i128)) as u64);
204  *out1 = x3;
205  *out2 = (((0x0 as fiat_poly1305_i2) - (x2 as fiat_poly1305_i2)) as fiat_poly1305_u1);
206}
207
208/// The function fiat_poly1305_cmovznz_u64 is a single-word conditional move.
209///
210/// Postconditions:
211///   out1 = (if arg1 = 0 then arg2 else arg3)
212///
213/// Input Bounds:
214///   arg1: [0x0 ~> 0x1]
215///   arg2: [0x0 ~> 0xffffffffffffffff]
216///   arg3: [0x0 ~> 0xffffffffffffffff]
217/// Output Bounds:
218///   out1: [0x0 ~> 0xffffffffffffffff]
219#[inline]
220pub const fn fiat_poly1305_cmovznz_u64(out1: &mut u64, arg1: fiat_poly1305_u1, arg2: u64, arg3: u64) {
221  let x1: fiat_poly1305_u1 = (!(!arg1));
222  let x2: u64 = ((((((0x0 as fiat_poly1305_i2) - (x1 as fiat_poly1305_i2)) as fiat_poly1305_i1) as i128) & (0xffffffffffffffff as i128)) as u64);
223  let x3: u64 = ((x2 & arg3) | ((!x2) & arg2));
224  *out1 = x3;
225}
226
227/// The function fiat_poly1305_carry_mul multiplies two field elements and reduces the result.
228///
229/// Postconditions:
230///   eval out1 mod m = (eval arg1 * eval arg2) mod m
231///
232#[inline]
233pub const fn fiat_poly1305_carry_mul(mut out1: &mut fiat_poly1305_tight_field_element, arg1: &fiat_poly1305_loose_field_element, arg2: &fiat_poly1305_loose_field_element) {
234  let x1: u128 = (((*IndexConst(arg1).index(2)) as u128) * (((*IndexConst(arg2).index(2)) * 0x5) as u128));
235  let x2: u128 = (((*IndexConst(arg1).index(2)) as u128) * (((*IndexConst(arg2).index(1)) * 0xa) as u128));
236  let x3: u128 = (((*IndexConst(arg1).index(1)) as u128) * (((*IndexConst(arg2).index(2)) * 0xa) as u128));
237  let x4: u128 = (((*IndexConst(arg1).index(2)) as u128) * ((*IndexConst(arg2).index(0)) as u128));
238  let x5: u128 = (((*IndexConst(arg1).index(1)) as u128) * (((*IndexConst(arg2).index(1)) * 0x2) as u128));
239  let x6: u128 = (((*IndexConst(arg1).index(1)) as u128) * ((*IndexConst(arg2).index(0)) as u128));
240  let x7: u128 = (((*IndexConst(arg1).index(0)) as u128) * ((*IndexConst(arg2).index(2)) as u128));
241  let x8: u128 = (((*IndexConst(arg1).index(0)) as u128) * ((*IndexConst(arg2).index(1)) as u128));
242  let x9: u128 = (((*IndexConst(arg1).index(0)) as u128) * ((*IndexConst(arg2).index(0)) as u128));
243  let x10: u128 = (x9 + (x3 + x2));
244  let x11: u64 = ((x10 >> 44) as u64);
245  let x12: u64 = ((x10 & (0xfffffffffff as u128)) as u64);
246  let x13: u128 = (x7 + (x5 + x4));
247  let x14: u128 = (x8 + (x6 + x1));
248  let x15: u128 = ((x11 as u128) + x14);
249  let x16: u64 = ((x15 >> 43) as u64);
250  let x17: u64 = ((x15 & (0x7ffffffffff as u128)) as u64);
251  let x18: u128 = ((x16 as u128) + x13);
252  let x19: u64 = ((x18 >> 43) as u64);
253  let x20: u64 = ((x18 & (0x7ffffffffff as u128)) as u64);
254  let x21: u64 = (x19 * 0x5);
255  let x22: u64 = (x12 + x21);
256  let x23: u64 = (x22 >> 44);
257  let x24: u64 = (x22 & 0xfffffffffff);
258  let x25: u64 = (x23 + x17);
259  let x26: fiat_poly1305_u1 = ((x25 >> 43) as fiat_poly1305_u1);
260  let x27: u64 = (x25 & 0x7ffffffffff);
261  let x28: u64 = ((x26 as u64) + x20);
262  *IndexConst(&mut out1).index_mut(0) = x24;
263  *IndexConst(&mut out1).index_mut(1) = x27;
264  *IndexConst(&mut out1).index_mut(2) = x28;
265}
266
267/// The function fiat_poly1305_carry_square squares a field element and reduces the result.
268///
269/// Postconditions:
270///   eval out1 mod m = (eval arg1 * eval arg1) mod m
271///
272#[inline]
273pub const fn fiat_poly1305_carry_square(mut out1: &mut fiat_poly1305_tight_field_element, arg1: &fiat_poly1305_loose_field_element) {
274  let x1: u64 = ((*IndexConst(arg1).index(2)) * 0x5);
275  let x2: u64 = (x1 * 0x2);
276  let x3: u64 = ((*IndexConst(arg1).index(2)) * 0x2);
277  let x4: u64 = ((*IndexConst(arg1).index(1)) * 0x2);
278  let x5: u128 = (((*IndexConst(arg1).index(2)) as u128) * (x1 as u128));
279  let x6: u128 = (((*IndexConst(arg1).index(1)) as u128) * ((x2 * 0x2) as u128));
280  let x7: u128 = (((*IndexConst(arg1).index(1)) as u128) * (((*IndexConst(arg1).index(1)) * 0x2) as u128));
281  let x8: u128 = (((*IndexConst(arg1).index(0)) as u128) * (x3 as u128));
282  let x9: u128 = (((*IndexConst(arg1).index(0)) as u128) * (x4 as u128));
283  let x10: u128 = (((*IndexConst(arg1).index(0)) as u128) * ((*IndexConst(arg1).index(0)) as u128));
284  let x11: u128 = (x10 + x6);
285  let x12: u64 = ((x11 >> 44) as u64);
286  let x13: u64 = ((x11 & (0xfffffffffff as u128)) as u64);
287  let x14: u128 = (x8 + x7);
288  let x15: u128 = (x9 + x5);
289  let x16: u128 = ((x12 as u128) + x15);
290  let x17: u64 = ((x16 >> 43) as u64);
291  let x18: u64 = ((x16 & (0x7ffffffffff as u128)) as u64);
292  let x19: u128 = ((x17 as u128) + x14);
293  let x20: u64 = ((x19 >> 43) as u64);
294  let x21: u64 = ((x19 & (0x7ffffffffff as u128)) as u64);
295  let x22: u64 = (x20 * 0x5);
296  let x23: u64 = (x13 + x22);
297  let x24: u64 = (x23 >> 44);
298  let x25: u64 = (x23 & 0xfffffffffff);
299  let x26: u64 = (x24 + x18);
300  let x27: fiat_poly1305_u1 = ((x26 >> 43) as fiat_poly1305_u1);
301  let x28: u64 = (x26 & 0x7ffffffffff);
302  let x29: u64 = ((x27 as u64) + x21);
303  *IndexConst(&mut out1).index_mut(0) = x25;
304  *IndexConst(&mut out1).index_mut(1) = x28;
305  *IndexConst(&mut out1).index_mut(2) = x29;
306}
307
308/// The function fiat_poly1305_carry reduces a field element.
309///
310/// Postconditions:
311///   eval out1 mod m = eval arg1 mod m
312///
313#[inline]
314pub const fn fiat_poly1305_carry(mut out1: &mut fiat_poly1305_tight_field_element, arg1: &fiat_poly1305_loose_field_element) {
315  let x1: u64 = (*IndexConst(arg1).index(0));
316  let x2: u64 = ((x1 >> 44) + (*IndexConst(arg1).index(1)));
317  let x3: u64 = ((x2 >> 43) + (*IndexConst(arg1).index(2)));
318  let x4: u64 = ((x1 & 0xfffffffffff) + ((x3 >> 43) * 0x5));
319  let x5: u64 = ((((x4 >> 44) as fiat_poly1305_u1) as u64) + (x2 & 0x7ffffffffff));
320  let x6: u64 = (x4 & 0xfffffffffff);
321  let x7: u64 = (x5 & 0x7ffffffffff);
322  let x8: u64 = ((((x5 >> 43) as fiat_poly1305_u1) as u64) + (x3 & 0x7ffffffffff));
323  *IndexConst(&mut out1).index_mut(0) = x6;
324  *IndexConst(&mut out1).index_mut(1) = x7;
325  *IndexConst(&mut out1).index_mut(2) = x8;
326}
327
328/// The function fiat_poly1305_add adds two field elements.
329///
330/// Postconditions:
331///   eval out1 mod m = (eval arg1 + eval arg2) mod m
332///
333#[inline]
334pub const fn fiat_poly1305_add(mut out1: &mut fiat_poly1305_loose_field_element, arg1: &fiat_poly1305_tight_field_element, arg2: &fiat_poly1305_tight_field_element) {
335  let x1: u64 = ((*IndexConst(arg1).index(0)) + (*IndexConst(arg2).index(0)));
336  let x2: u64 = ((*IndexConst(arg1).index(1)) + (*IndexConst(arg2).index(1)));
337  let x3: u64 = ((*IndexConst(arg1).index(2)) + (*IndexConst(arg2).index(2)));
338  *IndexConst(&mut out1).index_mut(0) = x1;
339  *IndexConst(&mut out1).index_mut(1) = x2;
340  *IndexConst(&mut out1).index_mut(2) = x3;
341}
342
343/// The function fiat_poly1305_sub subtracts two field elements.
344///
345/// Postconditions:
346///   eval out1 mod m = (eval arg1 - eval arg2) mod m
347///
348#[inline]
349pub const fn fiat_poly1305_sub(mut out1: &mut fiat_poly1305_loose_field_element, arg1: &fiat_poly1305_tight_field_element, arg2: &fiat_poly1305_tight_field_element) {
350  let x1: u64 = ((0x1ffffffffff6 + (*IndexConst(arg1).index(0))) - (*IndexConst(arg2).index(0)));
351  let x2: u64 = ((0xffffffffffe + (*IndexConst(arg1).index(1))) - (*IndexConst(arg2).index(1)));
352  let x3: u64 = ((0xffffffffffe + (*IndexConst(arg1).index(2))) - (*IndexConst(arg2).index(2)));
353  *IndexConst(&mut out1).index_mut(0) = x1;
354  *IndexConst(&mut out1).index_mut(1) = x2;
355  *IndexConst(&mut out1).index_mut(2) = x3;
356}
357
358/// The function fiat_poly1305_opp negates a field element.
359///
360/// Postconditions:
361///   eval out1 mod m = -eval arg1 mod m
362///
363#[inline]
364pub const fn fiat_poly1305_opp(mut out1: &mut fiat_poly1305_loose_field_element, arg1: &fiat_poly1305_tight_field_element) {
365  let x1: u64 = (0x1ffffffffff6 - (*IndexConst(arg1).index(0)));
366  let x2: u64 = (0xffffffffffe - (*IndexConst(arg1).index(1)));
367  let x3: u64 = (0xffffffffffe - (*IndexConst(arg1).index(2)));
368  *IndexConst(&mut out1).index_mut(0) = x1;
369  *IndexConst(&mut out1).index_mut(1) = x2;
370  *IndexConst(&mut out1).index_mut(2) = x3;
371}
372
373/// The function fiat_poly1305_selectznz is a multi-limb conditional select.
374///
375/// Postconditions:
376///   out1 = (if arg1 = 0 then arg2 else arg3)
377///
378/// Input Bounds:
379///   arg1: [0x0 ~> 0x1]
380///   arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
381///   arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
382/// Output Bounds:
383///   out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]
384#[inline]
385pub const fn fiat_poly1305_selectznz(mut out1: &mut [u64; 3], arg1: fiat_poly1305_u1, arg2: &[u64; 3], arg3: &[u64; 3]) {
386  let mut x1: u64 = 0;
387  fiat_poly1305_cmovznz_u64(&mut x1, arg1, (*IndexConst(arg2).index(0)), (*IndexConst(arg3).index(0)));
388  let mut x2: u64 = 0;
389  fiat_poly1305_cmovznz_u64(&mut x2, arg1, (*IndexConst(arg2).index(1)), (*IndexConst(arg3).index(1)));
390  let mut x3: u64 = 0;
391  fiat_poly1305_cmovznz_u64(&mut x3, arg1, (*IndexConst(arg2).index(2)), (*IndexConst(arg3).index(2)));
392  *IndexConst(&mut out1).index_mut(0) = x1;
393  *IndexConst(&mut out1).index_mut(1) = x2;
394  *IndexConst(&mut out1).index_mut(2) = x3;
395}
396
397/// The function fiat_poly1305_to_bytes serializes a field element to bytes in little-endian order.
398///
399/// Postconditions:
400///   out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..16]
401///
402/// Output Bounds:
403///   out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]]
404#[inline]
405pub const fn fiat_poly1305_to_bytes(mut out1: &mut [u8; 17], arg1: &fiat_poly1305_tight_field_element) {
406  let mut x1: u64 = 0;
407  let mut x2: fiat_poly1305_u1 = 0;
408  fiat_poly1305_subborrowx_u44(&mut x1, &mut x2, 0x0, (*IndexConst(arg1).index(0)), 0xffffffffffb);
409  let mut x3: u64 = 0;
410  let mut x4: fiat_poly1305_u1 = 0;
411  fiat_poly1305_subborrowx_u43(&mut x3, &mut x4, x2, (*IndexConst(arg1).index(1)), 0x7ffffffffff);
412  let mut x5: u64 = 0;
413  let mut x6: fiat_poly1305_u1 = 0;
414  fiat_poly1305_subborrowx_u43(&mut x5, &mut x6, x4, (*IndexConst(arg1).index(2)), 0x7ffffffffff);
415  let mut x7: u64 = 0;
416  fiat_poly1305_cmovznz_u64(&mut x7, x6, (0x0 as u64), 0xffffffffffffffff);
417  let mut x8: u64 = 0;
418  let mut x9: fiat_poly1305_u1 = 0;
419  fiat_poly1305_addcarryx_u44(&mut x8, &mut x9, 0x0, x1, (x7 & 0xffffffffffb));
420  let mut x10: u64 = 0;
421  let mut x11: fiat_poly1305_u1 = 0;
422  fiat_poly1305_addcarryx_u43(&mut x10, &mut x11, x9, x3, (x7 & 0x7ffffffffff));
423  let mut x12: u64 = 0;
424  let mut x13: fiat_poly1305_u1 = 0;
425  fiat_poly1305_addcarryx_u43(&mut x12, &mut x13, x11, x5, (x7 & 0x7ffffffffff));
426  let x14: u64 = (x12 << 7);
427  let x15: u64 = (x10 << 4);
428  let x16: u8 = ((x8 & (0xff as u64)) as u8);
429  let x17: u64 = (x8 >> 8);
430  let x18: u8 = ((x17 & (0xff as u64)) as u8);
431  let x19: u64 = (x17 >> 8);
432  let x20: u8 = ((x19 & (0xff as u64)) as u8);
433  let x21: u64 = (x19 >> 8);
434  let x22: u8 = ((x21 & (0xff as u64)) as u8);
435  let x23: u64 = (x21 >> 8);
436  let x24: u8 = ((x23 & (0xff as u64)) as u8);
437  let x25: u8 = ((x23 >> 8) as u8);
438  let x26: u64 = (x15 + (x25 as u64));
439  let x27: u8 = ((x26 & (0xff as u64)) as u8);
440  let x28: u64 = (x26 >> 8);
441  let x29: u8 = ((x28 & (0xff as u64)) as u8);
442  let x30: u64 = (x28 >> 8);
443  let x31: u8 = ((x30 & (0xff as u64)) as u8);
444  let x32: u64 = (x30 >> 8);
445  let x33: u8 = ((x32 & (0xff as u64)) as u8);
446  let x34: u64 = (x32 >> 8);
447  let x35: u8 = ((x34 & (0xff as u64)) as u8);
448  let x36: u8 = ((x34 >> 8) as u8);
449  let x37: u64 = (x14 + (x36 as u64));
450  let x38: u8 = ((x37 & (0xff as u64)) as u8);
451  let x39: u64 = (x37 >> 8);
452  let x40: u8 = ((x39 & (0xff as u64)) as u8);
453  let x41: u64 = (x39 >> 8);
454  let x42: u8 = ((x41 & (0xff as u64)) as u8);
455  let x43: u64 = (x41 >> 8);
456  let x44: u8 = ((x43 & (0xff as u64)) as u8);
457  let x45: u64 = (x43 >> 8);
458  let x46: u8 = ((x45 & (0xff as u64)) as u8);
459  let x47: u64 = (x45 >> 8);
460  let x48: u8 = ((x47 & (0xff as u64)) as u8);
461  let x49: u8 = ((x47 >> 8) as u8);
462  *IndexConst(&mut out1).index_mut(0) = x16;
463  *IndexConst(&mut out1).index_mut(1) = x18;
464  *IndexConst(&mut out1).index_mut(2) = x20;
465  *IndexConst(&mut out1).index_mut(3) = x22;
466  *IndexConst(&mut out1).index_mut(4) = x24;
467  *IndexConst(&mut out1).index_mut(5) = x27;
468  *IndexConst(&mut out1).index_mut(6) = x29;
469  *IndexConst(&mut out1).index_mut(7) = x31;
470  *IndexConst(&mut out1).index_mut(8) = x33;
471  *IndexConst(&mut out1).index_mut(9) = x35;
472  *IndexConst(&mut out1).index_mut(10) = x38;
473  *IndexConst(&mut out1).index_mut(11) = x40;
474  *IndexConst(&mut out1).index_mut(12) = x42;
475  *IndexConst(&mut out1).index_mut(13) = x44;
476  *IndexConst(&mut out1).index_mut(14) = x46;
477  *IndexConst(&mut out1).index_mut(15) = x48;
478  *IndexConst(&mut out1).index_mut(16) = x49;
479}
480
481/// The function fiat_poly1305_from_bytes deserializes a field element from bytes in little-endian order.
482///
483/// Postconditions:
484///   eval out1 mod m = bytes_eval arg1 mod m
485///
486/// Input Bounds:
487///   arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x3]]
488#[inline]
489pub const fn fiat_poly1305_from_bytes(mut out1: &mut fiat_poly1305_tight_field_element, arg1: &[u8; 17]) {
490  let x1: u64 = (((*IndexConst(arg1).index(16)) as u64) << 41);
491  let x2: u64 = (((*IndexConst(arg1).index(15)) as u64) << 33);
492  let x3: u64 = (((*IndexConst(arg1).index(14)) as u64) << 25);
493  let x4: u64 = (((*IndexConst(arg1).index(13)) as u64) << 17);
494  let x5: u64 = (((*IndexConst(arg1).index(12)) as u64) << 9);
495  let x6: u64 = (((*IndexConst(arg1).index(11)) as u64) * (0x2 as u64));
496  let x7: u64 = (((*IndexConst(arg1).index(10)) as u64) << 36);
497  let x8: u64 = (((*IndexConst(arg1).index(9)) as u64) << 28);
498  let x9: u64 = (((*IndexConst(arg1).index(8)) as u64) << 20);
499  let x10: u64 = (((*IndexConst(arg1).index(7)) as u64) << 12);
500  let x11: u64 = (((*IndexConst(arg1).index(6)) as u64) << 4);
501  let x12: u64 = (((*IndexConst(arg1).index(5)) as u64) << 40);
502  let x13: u64 = (((*IndexConst(arg1).index(4)) as u64) << 32);
503  let x14: u64 = (((*IndexConst(arg1).index(3)) as u64) << 24);
504  let x15: u64 = (((*IndexConst(arg1).index(2)) as u64) << 16);
505  let x16: u64 = (((*IndexConst(arg1).index(1)) as u64) << 8);
506  let x17: u8 = (*IndexConst(arg1).index(0));
507  let x18: u64 = (x16 + (x17 as u64));
508  let x19: u64 = (x15 + x18);
509  let x20: u64 = (x14 + x19);
510  let x21: u64 = (x13 + x20);
511  let x22: u64 = (x12 + x21);
512  let x23: u64 = (x22 & 0xfffffffffff);
513  let x24: u8 = ((x22 >> 44) as u8);
514  let x25: u64 = (x11 + (x24 as u64));
515  let x26: u64 = (x10 + x25);
516  let x27: u64 = (x9 + x26);
517  let x28: u64 = (x8 + x27);
518  let x29: u64 = (x7 + x28);
519  let x30: u64 = (x29 & 0x7ffffffffff);
520  let x31: fiat_poly1305_u1 = ((x29 >> 43) as fiat_poly1305_u1);
521  let x32: u64 = (x6 + (x31 as u64));
522  let x33: u64 = (x5 + x32);
523  let x34: u64 = (x4 + x33);
524  let x35: u64 = (x3 + x34);
525  let x36: u64 = (x2 + x35);
526  let x37: u64 = (x1 + x36);
527  *IndexConst(&mut out1).index_mut(0) = x23;
528  *IndexConst(&mut out1).index_mut(1) = x30;
529  *IndexConst(&mut out1).index_mut(2) = x37;
530}
531
532/// The function fiat_poly1305_relax is the identity function converting from tight field elements to loose field elements.
533///
534/// Postconditions:
535///   out1 = arg1
536///
537#[inline]
538pub const fn fiat_poly1305_relax(mut out1: &mut fiat_poly1305_loose_field_element, arg1: &fiat_poly1305_tight_field_element) {
539  let x1: u64 = (*IndexConst(arg1).index(0));
540  let x2: u64 = (*IndexConst(arg1).index(1));
541  let x3: u64 = (*IndexConst(arg1).index(2));
542  *IndexConst(&mut out1).index_mut(0) = x1;
543  *IndexConst(&mut out1).index_mut(1) = x2;
544  *IndexConst(&mut out1).index_mut(2) = x3;
545}