72  * A field element is encoded as five 64-bit integers, in basis 2^51.
77 #define MASK51   (((uint64_t)1 << 51) - (uint64_t)1)
87 	m = -(uint64_t)ctl;  in f255_cswap()
110  * On input, limbs must fit on 60 bits each. On output, result is
121 	 * We compute d = (2^255-19)*1024 + a - b. Since the limbs  in f255_sub()
123 	 * more than 2^264, but much less than 2^265-19456. This  in f255_sub()
128 	 * Initial carry is 19456, since we add 2^265-19456. Each  in f255_sub()
131 	w = a[0] - b[0] - 19456;  in f255_sub()
133 	cc = -(w >> 51) & 0x3FF;  in f255_sub()
134 	w = a[1] - b[1] - cc;  in f255_sub()
136 	cc = -(w >> 51) & 0x3FF;  in f255_sub()
137 	w = a[2] - b[2] - cc;  in f255_sub()
139 	cc = -(w >> 51) & 0x3FF;  in f255_sub()
140 	w = a[3] - b[3] - cc;  in f255_sub()
142 	cc = -(w >> 51) & 0x3FF;  in f255_sub()
143 	d[4] = ((uint64_t)1 << 61) + a[4] - b[4] - cc;  in f255_sub()
150 	d[0] += 19 * (d[4] >> 51);  in f255_sub()
160  * Note that lo < 2^51, but "hi" may be larger, if the input operands are
185  * On input, limbs must fit on 54 bits each.
198 	 * Since input limbs fit on 54 bits each, each individual  in f255_mul()
200 	 * sum will be at most 5*(2^57-1) + 4*(2^51-1) (for t[5]),  in f255_mul()
240 	 * words, using the rule that 2^255 = 19 in the field.  in f255_mul()
247 	t[0] += 19 * t[5];  in f255_mul()
248 	t[1] += 19 * t[6];  in f255_mul()
249 	t[2] += 19 * t[7];  in f255_mul()
250 	t[3] += 19 * t[8];  in f255_mul()
251 	t[4] += 19 * t[9];  in f255_mul()
273 	 * Since the limbs were 64-bit values, the top carry is at  in f255_mul()
277 	d[0] += 19 * cc;  in f255_mul()
282  * Input must have limbs of 60 bits at most.
307 	t[0] += 19 * (w >> 51);  in f255_mul_a24()
311 	 * t[0] is less than 2^51 + 19*8192, and other limbs are less  in f255_mul_a24()
328 	d[0] += 19 * (w >> 51);  in f255_mul_a24()
333  * On input, limbs must fit on 51 bits, except possibly the low limb,
342 	 * We add 19. If the result (in t[]) is below 2^255, then a[]  in f255_final_reduce()
343 	 * is already less than 2^255-19, thus already reduced.  in f255_final_reduce()
345 	 * have t = a - (2^255-19), and that's our result.  in f255_final_reduce()
347 	w = a[0] + 19;  in f255_final_reduce()
367 	cc = -cc;  in f255_final_reduce()
402 	x1[3] = (br_dec64le(&G[19]) >> 1) & MASK51;  in api_mul()
406 	 * We can use memset() to clear values, because exact-width types  in api_mul()
417 	 * The multiplier is provided in big-endian notation, and  in api_mul()
420 	memset(k, 0, (sizeof k) - kblen);  in api_mul()
421 	memcpy(k + (sizeof k) - kblen, kb, kblen);  in api_mul()
428 	for (i = 254; i >= 0; i --) {  in api_mul()
433 		kt = (k[31 - (i >> 3)] >> (i & 7)) & 1;  in api_mul()
450 		/* A = x_2 + z_2   -- limbs fit on 53 bits each */  in api_mul()
456 		/* B = x_2 - z_2 */  in api_mul()
462 		/* E = AA - BB */  in api_mul()
465 		/* C = x_3 + z_3   -- limbs fit on 53 bits each */  in api_mul()
468 		/* D = x_3 - z_3 */  in api_mul()
481 		/* z_3 = x_1 * (DA - CB)^2 */  in api_mul()
499 	 * Compute 1/z2 = z2^(p-2). Since p = 2^255-19, we can mutualize  in api_mul()
500 	 * most non-squarings. We use x1 and x3, now useless, as temporaries.  in api_mul()
516 	for (i = 14; i >= 0; i --) {  in api_mul()
530 	 * Encode the final x2 value in little-endian. We first assemble  in api_mul()
531 	 * the limbs into 64-bit values.  in api_mul()