// does NOT ignore top bit
internal static void fe_frombytes2(out FieldElement h, ReadOnlySpan <byte> data)
{
Int64 h0 = load_4(data);
Int64 h1 = load_3(data.Slice(4)) << 6;
Int64 h2 = load_3(data.Slice(7)) << 5;
Int64 h3 = load_3(data.Slice(10)) << 3;
Int64 h4 = load_3(data.Slice(13)) << 2;
Int64 h5 = load_4(data.Slice(16));
Int64 h6 = load_3(data.Slice(20)) << 7;
Int64 h7 = load_3(data.Slice(23)) << 5;
Int64 h8 = load_3(data.Slice(26)) << 4;
Int64 h9 = load_3(data.Slice(29)) << 2;
Int64 carry0;
Int64 carry1;
Int64 carry2;
Int64 carry3;
Int64 carry4;
Int64 carry5;
Int64 carry6;
Int64 carry7;
Int64 carry8;
Int64 carry9;
carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
h.x0 = (int)h0;
h.x1 = (int)h1;
h.x2 = (int)h2;
h.x3 = (int)h3;
h.x4 = (int)h4;
h.x5 = (int)h5;
h.x6 = (int)h6;
h.x7 = (int)h7;
h.x8 = (int)h8;
h.x9 = (int)h9;
}
/* * h = -f * * Preconditions: |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. * * Postconditions: |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */ internal static void fe_neg(out FieldElement h, in FieldElement f)
/*
* h = f * 121666
* Can overlap h with f.
*
* Preconditions:
|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*
* Postconditions:
|h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
*/
public static void fe_mul121666(out FieldElement h, in FieldElement f)
/*
* h = f - g
* Can overlap h with f or g.
*
* Preconditions:
|f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
*
* Postconditions:
|h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
internal static void fe_sub(out FieldElement h, in FieldElement f, in FieldElement g)
/*
* Replace (f,g) with (g,f) if b == 1;
* replace (f,g) with (f,g) if b == 0.
*
* Preconditions: b in {0,1}.
*/
public static void fe_cswap(ref FieldElement f, ref FieldElement g, uint b)
{
Int32 f0 = f.x0;
Int32 f1 = f.x1;
Int32 f2 = f.x2;
Int32 f3 = f.x3;
Int32 f4 = f.x4;
Int32 f5 = f.x5;
Int32 f6 = f.x6;
Int32 f7 = f.x7;
Int32 f8 = f.x8;
Int32 f9 = f.x9;
Int32 g0 = g.x0;
Int32 g1 = g.x1;
Int32 g2 = g.x2;
Int32 g3 = g.x3;
Int32 g4 = g.x4;
Int32 g5 = g.x5;
Int32 g6 = g.x6;
Int32 g7 = g.x7;
Int32 g8 = g.x8;
Int32 g9 = g.x9;
Int32 x0 = f0 ^ g0;
Int32 x1 = f1 ^ g1;
Int32 x2 = f2 ^ g2;
Int32 x3 = f3 ^ g3;
Int32 x4 = f4 ^ g4;
Int32 x5 = f5 ^ g5;
Int32 x6 = f6 ^ g6;
Int32 x7 = f7 ^ g7;
Int32 x8 = f8 ^ g8;
Int32 x9 = f9 ^ g9;
int negb = unchecked ((int)-b);
x0 &= negb;
x1 &= negb;
x2 &= negb;
x3 &= negb;
x4 &= negb;
x5 &= negb;
x6 &= negb;
x7 &= negb;
x8 &= negb;
x9 &= negb;
f.x0 = f0 ^ x0;
f.x1 = f1 ^ x1;
f.x2 = f2 ^ x2;
f.x3 = f3 ^ x3;
f.x4 = f4 ^ x4;
f.x5 = f5 ^ x5;
f.x6 = f6 ^ x6;
f.x7 = f7 ^ x7;
f.x8 = f8 ^ x8;
f.x9 = f9 ^ x9;
g.x0 = g0 ^ x0;
g.x1 = g1 ^ x1;
g.x2 = g2 ^ x2;
g.x3 = g3 ^ x3;
g.x4 = g4 ^ x4;
g.x5 = g5 ^ x5;
g.x6 = g6 ^ x6;
g.x7 = g7 ^ x7;
g.x8 = g8 ^ x8;
g.x9 = g9 ^ x9;
}
public static void scalarmult(out FieldElement q, ReadOnlySpan <byte> n, in FieldElement p)
/*
* Replace (f,g) with (g,g) if b == 1;
* replace (f,g) with (f,g) if b == 0.
*
* Preconditions: b in {0,1}.
*/
//void fe_cmov(fe f,const fe g,unsigned int b)
internal static void fe_cmov(ref FieldElement f, in FieldElement g, int b)