55  * If the current accumulator is a = a0 + a1*W + a2*W^2 (where W = 2^44)
56  * and r = r0 + r1*W + r2*W^2, then:
58  *   a*r = (a0*r0)
59  *       + (a0*r1 + a1*r0) * W
60  *       + (a0*r2 + a1*r1 + a2*r0) * W^2
64  * We want to reduce that value modulo p = 2^130-5, so W^3 = 20 mod p,
68  *  b0 = a0*r0 + a1*u2 + a2*u1
69  *  b1 = a0*r1 + a1*r0 + a2*u2
70  *  b2 = a0*r2 + a1*r1 + a2*r0
75  *  b0 = a0*r0 + a1*u2 + a2*t1
76  *  b1 = a0*r1 + a1*r0 + a2*t2
77  *  b2 = a0*r2 + a1*r1 + a2*r0
113 		MUL128(mxhi, mxlo, a0, m0); \  in poly1305_inner_big()
125 	uint64_t a0, a1, a2;  in poly1305_inner_big()  local
130 	r2 = r[2];  in poly1305_inner_big()
134 	a0 = acc[0];  in poly1305_inner_big()
136 	a2 = acc[2];  in poly1305_inner_big()
148 		a0 += v0;  in poly1305_inner_big()
154 		a0 = c0 + 20 * d2;  in poly1305_inner_big()
163 		a0 += v0;  in poly1305_inner_big()
169 		a0 = c0 + 20 * d2;  in poly1305_inner_big()
178 		a0 += v0;  in poly1305_inner_big()
184 		a0 = c0 + 20 * d2;  in poly1305_inner_big()
193 		a0 += v0;  in poly1305_inner_big()
199 		a0 = c0 + 20 * d2;  in poly1305_inner_big()
203 		a1 += a0 >> 44;  in poly1305_inner_big()
204 		a0 &= MASK44;  in poly1305_inner_big()
207 		a0 += 20 * (a2 >> 44);  in poly1305_inner_big()
213 	acc[0] = a0;  in poly1305_inner_big()
215 	acc[2] = a2;  in poly1305_inner_big()
224 	uint64_t a0, a1, a2;  in poly1305_inner_small()  local
229 	r2 = r[2];  in poly1305_inner_small()
233 	a0 = acc[0];  in poly1305_inner_small()
235 	a2 = acc[2];  in poly1305_inner_small()
256 		a0 += v0;  in poly1305_inner_small()
262 		MUL128(mxhi, mxlo, a0, m0); \  in poly1305_inner_small()
279 		a0 = c0 + 20 * d2;  in poly1305_inner_small()
283 		a1 += a0 >> 44;  in poly1305_inner_small()
284 		a0 &= MASK44;  in poly1305_inner_small()
287 		a0 += 20 * (a2 >> 44);  in poly1305_inner_small()
293 	acc[0] = a0;  in poly1305_inner_small()
295 	acc[2] = a2;  in poly1305_inner_small()
367 	r[2] = (r1 >> 4) & ~(uint64_t)0xFFFFF;  in br_poly1305_ctmulq_run()
370 	r[5] = 20 * r[2];  in br_poly1305_ctmulq_run()
378 	acc[2] = 0;  in br_poly1305_ctmulq_run()
393 	 * 2^44). Two loops shall be sufficient.  in br_poly1305_ctmulq_run()
397 	acc[2] += (acc[1] >> 44);  in br_poly1305_ctmulq_run()
399 	acc[0] += 5 * (acc[2] >> 42);  in br_poly1305_ctmulq_run()
400 	acc[2] &= MASK42;  in br_poly1305_ctmulq_run()
403 	acc[2] += (acc[1] >> 44);  in br_poly1305_ctmulq_run()
405 	acc[0] += 5 * (acc[2] >> 42);  in br_poly1305_ctmulq_run()
406 	acc[2] &= MASK42;  in br_poly1305_ctmulq_run()
409 	 * The value may still fall in the 2^130-5..2^130-1 range, in  in br_poly1305_ctmulq_run()
416 	v2 = (uint32_t)(acc[1] >> 20) | ((uint32_t)acc[2] << 24);  in br_poly1305_ctmulq_run()
417 	v3 = (uint32_t)(acc[2] >> 8);  in br_poly1305_ctmulq_run()
418 	v4 = (uint32_t)(acc[2] >> 40);  in br_poly1305_ctmulq_run()
431 	 * Add the "s" value. This is done modulo 2^128. Don't forget  in br_poly1305_ctmulq_run()