156 	t[ 7] = MUL31(a[0], b[7])  in mul9()
163 		+ MUL31(a[7], b[0]);  in mul9()
165 		+ MUL31(a[1], b[7])  in mul9()
171 		+ MUL31(a[7], b[1])  in mul9()
174 		+ MUL31(a[2], b[7])  in mul9()
179 		+ MUL31(a[7], b[2])  in mul9()
182 		+ MUL31(a[3], b[7])  in mul9()
186 		+ MUL31(a[7], b[3])  in mul9()
189 		+ MUL31(a[4], b[7])  in mul9()
192 		+ MUL31(a[7], b[4])  in mul9()
195 		+ MUL31(a[5], b[7])  in mul9()
197 		+ MUL31(a[7], b[5])  in mul9()
200 		+ MUL31(a[6], b[7])  in mul9()
201 		+ MUL31(a[7], b[6])  in mul9()
204 		+ MUL31(a[7], b[7])  in mul9()
206 	t[15] = MUL31(a[7], b[8])  in mul9()
207 		+ MUL31(a[8], b[7]);  in mul9()
251 	t[ 7] = ((MUL31(a[0], a[7])  in square9()
257 		+ MUL31(a[1], a[7])  in square9()
261 		+ MUL31(a[2], a[7])  in square9()
266 		+ MUL31(a[3], a[7])  in square9()
269 		+ MUL31(a[4], a[7])  in square9()
273 		+ MUL31(a[5], a[7])) << 1);  in square9()
275 		+ MUL31(a[6], a[7])) << 1);  in square9()
276 	t[14] = MUL31(a[7], a[7])  in square9()
278 	t[15] = ((MUL31(a[7], a[8])) << 1);  in square9()
333 	d[7] += w << 14;  in add_f256()
370 	w = a[7] - b[7] + ARSH(w, 30) - 0x08000;  in sub_f256()
371 	d[7] = w & 0x3FFFFFFF;  in sub_f256()
378 	d[7] += w << 14;  in sub_f256()
397 	uint32_t z, c;  in mul_f256()  local
478 	z = (uint32_t)cc;  in mul_f256()
479 	d[3] -= z << 6;  in mul_f256()
480 	d[6] -= (z << 12) & 0x3FFFFFFF;  in mul_f256()
481 	d[7] -= ARSH(z, 18);  in mul_f256()
482 	d[7] += (z << 14) & 0x3FFFFFFF;  in mul_f256()
483 	d[8] += ARSH(z, 16);  in mul_f256()
484 	c = z >> 31;  in mul_f256()
488 	d[7] -= c << 14;  in mul_f256()
493 		w = d[i] + z;  in mul_f256()
495 		z = ARSH(w, 30);  in mul_f256()
509 	uint32_t z, c;  in square_f256()  local
590 	z = (uint32_t)cc;  in square_f256()
591 	d[3] -= z << 6;  in square_f256()
592 	d[6] -= (z << 12) & 0x3FFFFFFF;  in square_f256()
593 	d[7] -= ARSH(z, 18);  in square_f256()
594 	d[7] += (z << 14) & 0x3FFFFFFF;  in square_f256()
595 	d[8] += ARSH(z, 16);  in square_f256()
596 	c = z >> 31;  in square_f256()
600 	d[7] -= c << 14;  in square_f256()
605 		w = d[i] + z;  in square_f256()
607 		z = ARSH(w, 30);  in square_f256()
641  *   X = x / z^2
642  *   Y = y / z^3
643  * For the point at infinity, z = 0.
653 	uint32_t z[9];  member
660  *  - Otherwise, the 'z' coordinate is set to 1, and the 'x' and 'y'
671 	 * Invert z with a modular exponentiation: the modulus is  in p256_to_affine()
681 	 * Thus, we precompute z^(2^31-1) to speed things up.  in p256_to_affine()
683 	 * If z = 0 (point at infinity) then the modular exponentiation  in p256_to_affine()
689 	 * A simple square-and-multiply for z^(2^31-1). We could save about  in p256_to_affine()
693 	memcpy(t1, P->z, sizeof P->z);  in p256_to_affine()
696 		mul_f256(t1, t1, P->z);  in p256_to_affine()
701 	 * multiplications to set bits to 1; we multiply by the original z  in p256_to_affine()
704 	memcpy(t2, P->z, sizeof P->z);  in p256_to_affine()
717 			mul_f256(t2, t2, P->z);  in p256_to_affine()
723 	 * Now that we have 1/z, multiply x by 1/z^2 and y by 1/z^3.  in p256_to_affine()
733 	 * Multiply z by 1/z. If z = 0, then this will yield 0, otherwise  in p256_to_affine()
734 	 * this will set z to 1.  in p256_to_affine()
736 	mul_f256(P->z, P->z, t2);  in p256_to_affine()
737 	reduce_final_f256(P->z);  in p256_to_affine()
751 	 *   m = 3*(x + z^2)*(x - z^2)  in p256_double()
754 	 *   z' = 2*y*z  in p256_double()
758 	 *   - If y = 0 then z' = 0. But there is no such point in P-256  in p256_double()
760 	 *   - If z = 0 then z' = 0.  in p256_double()
765 	 * Compute z^2 in t1.  in p256_double()
767 	square_f256(t1, Q->z);  in p256_double()
770 	 * Compute x-z^2 in t2 and x+z^2 in t1.  in p256_double()
776 	 * Compute 3*(x+z^2)*(x-z^2) in t1.  in p256_double()
798 	 * Compute z' = 2*y*z.  in p256_double()
800 	mul_f256(t4, Q->y, Q->z);  in p256_double()
801 	add_f256(Q->z, t4, t4);  in p256_double()
868 	square_f256(t3, P2->z);  in p256_add()
870 	mul_f256(t4, P2->z, t3);  in p256_add()
876 	square_f256(t4, P1->z);  in p256_add()
878 	mul_f256(t5, P1->z, t4);  in p256_add()
921 	mul_f256(t1, P1->z, P2->z);  in p256_add()
922 	mul_f256(P1->z, t1, t2);  in p256_add()
985 	square_f256(t4, P1->z);  in p256_add_mixed()
987 	mul_f256(t5, P1->z, t4);  in p256_add_mixed()
1030 	mul_f256(P1->z, P1->z, t2);  in p256_add_mixed()
1090 	memset(P->z, 0, sizeof P->z);  in p256_decode()
1091 	P->z[0] = 1;  in p256_decode()
1286 	memset(T->z, 0, sizeof T->z);  in lookup_Gwin()
1287 	T->z[0] = 1;  in lookup_Gwin()
1416 	uint32_t r, t, z;  in api_muladd()  local
1436 	reduce_final_f256(P.z);  in api_muladd()
1437 	z = 0;  in api_muladd()
1439 		z |= P.z[i];  in api_muladd()
1441 	z = EQ(z, 0);  in api_muladd()
1445 	 * If z is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we  in api_muladd()
1448 	 *   z = 0, t = 0   return P (normal addition)  in api_muladd()
1449 	 *   z = 0, t = 1   return P (normal addition)  in api_muladd()
1450 	 *   z = 1, t = 0   return Q (a 'double' case)  in api_muladd()
1451 	 *   z = 1, t = 1   report an error (P+Q = 0)  in api_muladd()
1453 	CCOPY(z & ~t, &P, &Q, sizeof Q);  in api_muladd()
1456 	r &= ~(z & t);  in api_muladd()