Lines Matching full:52
75 * A field element is encoded as five 64-bit integers, in basis 2^52.
76 * Limbs may occasionally exceed 2^52.
86 #define MASK52 (BIT(52) - BIT(0))
131 cc = w >> 52; in f256_partial_reduce()
134 cc = w >> 52; in f256_partial_reduce()
137 cc = w >> 52; in f256_partial_reduce()
140 cc = w >> 52; in f256_partial_reduce()
144 a[0] += s; /* a[0] < 2^52 + 2^14 */ in f256_partial_reduce()
146 a[1] = w & MASK52; /* a[1] < 2^52 */ in f256_partial_reduce()
147 cc = -(w >> 52) & 0xFFF; /* cc < 16 */ in f256_partial_reduce()
149 a[2] = w & MASK52; /* a[2] < 2^52 */ in f256_partial_reduce()
152 a[3] = w & MASK52; /* a[3] < 2^52 */ in f256_partial_reduce()
187 cc = w >> 52; in f256_sub()
191 cc = w >> 52; in f256_sub()
195 cc = w >> 52; in f256_sub()
199 cc = w >> 52; in f256_sub()
208 * 0 <= t[0] <= 2^52 - 1 in f256_sub()
209 * 0 <= t[1] <= 2^52 - 1 in f256_sub()
210 * 2^5 <= t[2] <= 2^52 + 2^5 - 1 in f256_sub()
211 * 2^49 <= t[3] <= 2^52 + 2^49 - 1 in f256_sub()
219 d[0] = t[0] + s; /* d[0] <= 2^52 + 12287 */ in f256_sub()
221 d[1] = w & MASK52; /* d[1] <= 2^52 - 1 */ in f256_sub()
222 cc = -(w >> 52) & 0xFFF; /* cc <= 48 */ in f256_sub()
225 d[2] = w + (cc << 52); /* d[2] <= 2^52 + 31 */ in f256_sub()
228 d[3] = w + (cc << 52); /* t[3] <= 2^52 + 2^49 - 1 */ in f256_sub()
263 * the factor f fits on 52 bits, so f<<48 fits on in f256_montymul()
274 cc = (uint64_t)(z >> 52); in f256_montymul()
279 cc = (uint64_t)(z >> 52); in f256_montymul()
283 cc = (uint64_t)(z >> 52); in f256_montymul()
288 cc = (uint64_t)(z >> 52); in f256_montymul()
294 t[4] = (uint64_t)(z >> 52); in f256_montymul()
299 * fit on 52 bits each. in f256_montymul()
302 t[0] += s; /* t[0] < 2^52 + 2^14 */ in f256_montymul()
304 t[1] = w & MASK52; /* t[1] < 2^52 */ in f256_montymul()
305 cc = -(w >> 52) & 0xFFF; /* cc < 16 */ in f256_montymul()
307 t[2] = w & MASK52; /* t[2] < 2^52 */ in f256_montymul()
310 t[3] = w & MASK52; /* t[3] < 2^52 */ in f256_montymul()
344 * the factor f fits on 52 bits, so f<<48 fits on in f256_montymul()
356 cc = (zl >> 52) | (zh << 12); in f256_montymul()
366 cc = (zl >> 52) | (zh << 12); in f256_montymul()
374 cc = (zl >> 52) | (zh << 12); in f256_montymul()
384 cc = (zl >> 52) | (zh << 12); in f256_montymul()
396 t[4] = (zl >> 52) | (zh << 12); in f256_montymul()
401 * fit on 52 bits each. in f256_montymul()
404 t[0] += s; /* t[0] < 2^52 + 2^14 */ in f256_montymul()
406 t[1] = w & MASK52; /* t[1] < 2^52 */ in f256_montymul()
407 cc = -(w >> 52) & 0xFFF; /* cc < 16 */ in f256_montymul()
409 t[2] = w & MASK52; /* t[2] < 2^52 */ in f256_montymul()
412 t[3] = w & MASK52; /* t[3] < 2^52 */ in f256_montymul()
530 * On output, limbs a[0] to a[3] fit on 52 bits each, limb a[4] fits
540 * Propagate carries to ensure that limbs 0 to 3 fit on 52 bits. in f256_final_reduce()
546 cc = w >> 52; in f256_final_reduce()
557 * t[0] to t[3] fit in 52 bits each. in f256_final_reduce()
561 cc = w >> 52; in f256_final_reduce()
564 cc = w >> 52; in f256_final_reduce()
567 cc = w >> 52; in f256_final_reduce()
570 cc = w >> 52; in f256_final_reduce()
631 a[1] = ((w0 >> 52) | (w1 << 12)) & MASK52; in f256_decode()
646 w0 = a[0] | (a[1] << 52); in f256_encode()