Lines Matching +full:13 +full:- +full:bit

In poly1305_inner():

34 * Implementation notes: we split the 130-bit values into ten
35 * 13-bit words. This gives us some space for carries and allows
36 * using only 32x32->32 multiplications, which are way faster than
37 * 32x32->64 multiplications on the ARM Cortex-M0/M0+, and also
38 * help in making constant-time code on the Cortex-M3.
40 * Since we compute modulo 2^130-5, the "upper words" become
45 * In each loop iteration, a[] and r[] words are 13-bit each,
58 * If there is a partial block, right-pad it with zeros.
68 * Decode next block and apply the "high bit"; that value
73 v >>= 13;
77 v >>= 13;
80 v >>= 13;
84 v >>= 13;
88 v >>= 13;
91 v >>= 13;
95 v >>= 13;
98 v = br_dec16le(buf + 13);
100 v >>= 13;
106 * all r[] values fit on 13 bits. Thus products fit on
108 * a 32-bit word and still have some room for carries.
115 * The extended words of r[] may be larger than 13 bits
116 * (they are 5 times a 13-bit word) so the full summation
117 * may yield values up to 46 times a 27-bit word, which
118 * does not fit on a 32-bit word. To avoid that issue, we
127 + MUL15(a[0], r[u + 9 - 0])
128 + MUL15(a[1], r[u + 9 - 1])
129 + MUL15(a[2], r[u + 9 - 2])
130 + MUL15(a[3], r[u + 9 - 3])
131 + MUL15(a[4], r[u + 9 - 4]);
133 cc1 = s >> 13;
140 + MUL15(a[5], r[u + 9 - 5])
141 + MUL15(a[6], r[u + 9 - 6])
142 + MUL15(a[7], r[u + 9 - 7])
143 + MUL15(a[8], r[u + 9 - 8])
144 + MUL15(a[9], r[u + 9 - 9]);
146 cc2 = s >> 13;
157 a[1] += z >> 13;
160 len -= 16;

In br_poly1305_ctmul32_run():

197 * Decode the 'r' value into 13-bit words, with the "clamping"
202 r[10] = z >> 13;
205 r[12] = z >> 13;
207 r[13] = z & 0x1FFF;
208 r[14] = z >> 13;
211 r[16] = z >> 13;
214 r[18] = z >> 13;
217 * Extend r[] with the 5x factor pre-applied.
240 * and applying the '2^130 = -5 mod p' rule. Note that the output
242 * acc[1] may be (very slightly) above 2^13. A single loop back
249 cc = z >> 13;
253 acc[1] += z >> 13;
256 * We may still have a value in the 2^130-5..2^130-1 range, in
258 * in constant-time, between 'acc' and 'acc-p',
264 acc[0] = MUX(ctl, acc[0] - 0x1FFB, acc[0]);
266 acc[i] &= ~(-ctl);
270 * Convert back the accumulator to 32-bit words, and add the
274 z = acc[0] + (acc[1] << 13) + br_dec16le(pkey + 16);
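Worked example, added here to show the technique the matched comments describe; this is not BearSSL's code. It is a complete Poly1305 over ten 13-bit limbs in C that never uses anything wider than uint32_t: each block is split into 13-bit words with the 2^128 "high bit" landing in limb 9, the schoolbook product is computed as two half-sums of five 32x32->32 products each (the same split that produces cc1 and cc2 above), carries past limb 9 wrap around times 5 because 2^130 = 5 mod p, and the final choice between 'acc' and 'acc - p' is made with an all-ones mask rather than a branch. The limb index layout is this example's own (ext[j] = 5*r[j], ext[10+j] = r[j]), not the r[u + 9 - k] layout of the listing, and the names to_limbs, to_bytes, mul_add, poly1305_13bit and poly1305_selftest are assumptions of the example. The self-test checks the RFC 8439 section 2.5.2 vector.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Poly1305 over ten 13-bit limbs (limb i holds bits 13*i .. 13*i+12 of the
 * 130-bit accumulator), using only uint32_t.  Layout is this example's own. */
#define LIMBS 10
#define LMASK 0x1FFFu

/* Split 16 bytes plus an optional 2^128 "high bit" into ten 13-bit limbs. */
static void to_limbs(const uint8_t b[16], uint32_t hibit, uint32_t w[LIMBS])
{
    uint32_t acc = 0; int i, nbits = 0, k = 0;
    for (i = 0; i < 16; i++) {
        acc |= (uint32_t)b[i] << nbits;
        nbits += 8;
        if (nbits >= 13) { w[k++] = acc & LMASK; acc >>= 13; nbits -= 13; }
    }
    w[k] = acc | (hibit << 11);   /* 11 bits remain; bit 128 is bit 11 of limb 9 */
}

/* Pack the low 128 bits; '+=' keeps this exact even if limb 1 is slightly above 2^13. */
static void to_bytes(const uint32_t a[LIMBS], uint8_t out[16])
{
    uint32_t acc = 0; int k, nbits = 0, n = 0;
    for (k = 0; k < LIMBS; k++) {
        acc += a[k] << nbits;
        nbits += 13;
        while (nbits >= 8 && n < 16) { out[n++] = (uint8_t)acc; acc >>= 8; nbits -= 8; }
    }
}

/* a = (a + w) * r mod 2^130-5.  Each product is a 14-bit limb times a 13-bit limb
 * times at most 5, i.e. below 5*2^27; five of them plus a carry stay below 2^32. */
static void mul_add(uint32_t a[LIMBS], const uint32_t w[LIMBS], const uint32_t ext[2 * LIMBS])
{
    uint32_t t[LIMBS], c1 = 0, c2 = 0, c; int p;
    for (p = 0; p < LIMBS; p++) a[p] += w[p];
    for (p = 0; p < LIMBS; p++) {
        /* term k of limb p is a[k]*ext[p+10-k]: r[p-k] for k <= p, 5*r[p+10-k] for k > p */
        uint32_t s1 = c1 + a[0] * ext[p + 10] + a[1] * ext[p + 9] + a[2] * ext[p + 8]
                         + a[3] * ext[p + 7] + a[4] * ext[p + 6];
        uint32_t s2 = c2 + a[5] * ext[p + 5] + a[6] * ext[p + 4] + a[7] * ext[p + 3]
                         + a[8] * ext[p + 2] + a[9] * ext[p + 1];
        c1 = s1 >> 13;
        c2 = s2 >> 13;
        t[p] = (s1 & LMASK) + (s2 & LMASK);
    }
    c = (c1 + c2) * 5;                 /* carries past limb 9 wrap around times 5 */
    for (p = 0; p < LIMBS; p++) { t[p] += c; c = t[p] >> 13; t[p] &= LMASK; }
    t[0] += c * 5;                     /* c <= 2 here, so limb 1 ends at most 2^13 */
    t[1] += t[0] >> 13;
    t[0] &= LMASK;
    memcpy(a, t, sizeof t);
}

void poly1305_13bit(const uint8_t key[32], const uint8_t *msg, size_t len, uint8_t tag[16])
{
    uint8_t rb[16], blk[16], hb[16]; int k;
    uint32_t r[LIMBS], ext[2 * LIMBS], a[LIMBS] = {0}, w[LIMBS], g[LIMBS], c, mask;
    /* Clamp r (RFC 8439, section 2.5) before splitting it into limbs. */
    memcpy(rb, key, 16);
    rb[3] &= 15; rb[7] &= 15; rb[11] &= 15; rb[15] &= 15;
    rb[4] &= 252; rb[8] &= 252; rb[12] &= 252;
    to_limbs(rb, 0, r);
    for (k = 0; k < LIMBS; k++) { ext[k] = 5 * r[k]; ext[LIMBS + k] = r[k]; }
    while (len > 0) {
        size_t n = len < 16 ? len : 16;
        memset(blk, 0, sizeof blk);
        memcpy(blk, msg, n);
        if (n < 16) blk[n] = 1;        /* partial block: high bit right after the data */
        to_limbs(blk, n == 16, w);     /* full block: high bit is 2^128 */
        mul_add(a, w, ext);
        msg += n; len -= n;
    }
    /* g = a + 5; a carry out of limb 9 means a >= p and g mod 2^130 = a - p; mask-select. */
    c = 5;
    for (k = 0; k < LIMBS; k++) { g[k] = a[k] + c; c = g[k] >> 13; g[k] &= LMASK; }
    mask = 0 - c;
    for (k = 0; k < LIMBS; k++) a[k] = (a[k] & ~mask) | (g[k] & mask);
    /* tag = (h + s) mod 2^128, s being the second half of the key */
    to_bytes(a, hb);
    c = 0;
    for (k = 0; k < 16; k++) { c += (uint32_t)hb[k] + key[16 + k]; tag[k] = (uint8_t)c; c >>= 8; }
}

/* RFC 8439 section 2.5.2 test vector; returns 1 when the tag matches. */
int poly1305_selftest(void)
{
    static const uint8_t key[32] = {
        0x85,0xd6,0xbe,0x78,0x57,0x55,0x6d,0x33,0x7f,0x44,0x52,0xfe,0x42,0xd5,0x06,0xa8,
        0x01,0x03,0x80,0x8a,0xfb,0x0d,0xb2,0xfd,0x4a,0xbf,0xf6,0xaf,0x41,0x49,0xf5,0x1b };
    static const uint8_t want[16] = { 0xa8,0x06,0x1d,0xc1,0x30,0x51,0x36,0xc6,0xc2,0x2b,0x8b,0xaf,0x0c,0x01,0x27,0xa9 };
    static const char msg[] = "Cryptographic Forum Research Group";
    uint8_t tag[16];
    poly1305_13bit(key, (const uint8_t *)msg, sizeof msg - 1, tag);
    return memcmp(tag, want, sizeof want) == 0;
}
```

Why the half-sums are needed: for output limb p, the terms with k <= p use r directly and the 9 - p terms with k > p carry the factor 5, so limb 0 is the worst case with weight 1 + 5*9 = 46 times a 27-bit product, which is the "46 times a 27-bit word" of the notes above and exceeds 2^32. Five products per half-sum cap each at 25 * 2^27 plus a carry of under 2^20, which fits, and the two carries cc1/cc2 (c1/c2 here) move independently to the next limb. Invariants to keep in mind when reading it: accumulator limbs are at most 2^13 (limb 1 may equal 2^13, matching the "very slightly above 2^13" note), so adding a 13-bit block word gives at most 14 bits, and the final mask selection relies on a + 5 carrying out of limb 9 exactly when a >= 2^130 - 5.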