Curve.hs (37816B)
1 {-# LANGUAGE BangPatterns #-} 2 {-# LANGUAGE MagicHash #-} 3 {-# LANGUAGE NumericUnderscores #-} 4 {-# LANGUAGE PatternSynonyms #-} 5 {-# LANGUAGE ViewPatterns #-} 6 {-# LANGUAGE UnboxedSums #-} 7 {-# LANGUAGE UnboxedTuples #-} 8 {-# LANGUAGE UnliftedNewtypes #-} 9 10 -- | 11 -- Module: Numeric.Montgomery.Secp256k1.Curve 12 -- Copyright: (c) 2025 Jared Tobin 13 -- License: MIT 14 -- Maintainer: Jared Tobin <jared@ppad.tech> 15 -- 16 -- Montgomery form 'Wider' words, as well as arithmetic operations, with 17 -- domain derived from the secp256k1 elliptic curve field prime. 18 19 module Numeric.Montgomery.Secp256k1.Curve ( 20 -- * Montgomery form, secp256k1 field prime modulus 21 Montgomery(..) 22 , render 23 , to 24 , from 25 , zero 26 , one 27 28 -- * Comparison 29 , eq 30 , eq_vartime 31 32 -- * Reduction and retrieval 33 , redc 34 , redc# 35 , retr 36 , retr# 37 38 -- * Constant-time selection 39 , select 40 , select# 41 42 -- * Montgomery arithmetic 43 , add 44 , add# 45 , sub 46 , sub# 47 , mul 48 , mul# 49 , sqr 50 , sqr# 51 , neg 52 , neg# 53 , inv 54 , inv# 55 , sqrt_vartime 56 , sqrt# 57 , exp 58 , exp# 59 , odd# 60 , odd_vartime 61 ) where 62 63 import Control.DeepSeq 64 import qualified Data.Choice as C 65 import Data.Word.Limb (Limb(..)) 66 import qualified Data.Word.Limb as L 67 import qualified Data.Word.Wide as W 68 import Data.Word.Wider (Wider(..)) 69 import qualified Data.Word.Wider as WW 70 import GHC.Exts (Word(..), Word#) 71 import Prelude hiding (or, and, not, sqrt, exp) 72 73 -- montgomery arithmetic, specialized to the secp256k1 field prime modulus 74 -- 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F 75 76 -- | Montgomery-form 'Wider' words, on the Montgomery domain defined by 77 -- the secp256k1 field prime. 78 -- 79 -- >>> let one = 1 :: Montgomery 80 -- >>> one 81 -- 1 82 -- >>> putStrLn (render one) 83 -- (4294968273, 0, 0, 0) 84 data Montgomery = Montgomery !Limb4 85 86 -- | Render a 'Montgomery' value as a 'String', showing its individual 87 -- 'Limb's. 88 -- 89 -- >>> putStrLn (render 1) 90 -- (4294968273, 0, 0, 0) 91 render :: Montgomery -> String 92 render (Montgomery (L4 a b c d)) = 93 "(" <> show (W# a) <> ", " <> show (W# b) <> ", " 94 <> show (W# c) <> ", " <> show (W# d) <> ")" 95 96 instance Show Montgomery where 97 show = show . from 98 99 -- | Note that 'fromInteger' necessarily runs in variable time due 100 -- to conversion from the variable-size, potentially heap-allocated 101 -- 'Integer' type. 102 instance Num Montgomery where 103 a + b = add a b 104 a - b = sub a b 105 a * b = mul a b 106 negate a = neg a 107 abs = id 108 fromInteger = to . WW.to_vartime 109 signum (Montgomery (# l0, l1, l2, l3 #)) = 110 let !(Limb l) = l0 `L.or#` l1 `L.or#` l2 `L.or#` l3 111 !n = C.from_word_nonzero# l 112 !b = C.to_word# n 113 in Montgomery (# Limb b, Limb 0##, Limb 0##, Limb 0## #) 114 115 instance NFData Montgomery where 116 rnf (Montgomery a) = case a of (# _, _, _, _ #) -> () 117 118 -- utilities ------------------------------------------------------------------ 119 120 type Limb2 = (# Limb, Limb #) 121 122 type Limb4 = (# Limb, Limb, Limb, Limb #) 123 124 pattern L4 :: Word# -> Word# -> Word# -> Word# -> Limb4 125 pattern L4 w0 w1 w2 w3 = (# Limb w0, Limb w1, Limb w2, Limb w3 #) 126 {-# COMPLETE L4 #-} 127 128 -- Wide wrapping addition, when addend is only a limb. 129 wadd_w# :: Limb2 -> Limb -> Limb2 130 wadd_w# (# x_lo, x_hi #) y_lo = 131 let !(# s0, c0 #) = L.add_o# x_lo y_lo 132 !(# s1, _ #) = L.add_o# x_hi c0 133 in (# s0, s1 #) 134 {-# INLINE wadd_w# #-} 135 136 -- Truncate a wide word to a 'Limb'. 137 lo :: Limb2 -> Limb 138 lo (# l, _ #) = l 139 {-# INLINE lo #-} 140 141 -- comparison ----------------------------------------------------------------- 142 143 -- | Constant-time equality comparison. 144 eq :: Montgomery -> Montgomery -> C.Choice 145 eq (Montgomery (L4 a0 a1 a2 a3)) (Montgomery (L4 b0 b1 b2 b3)) = 146 C.eq_wider# (# a0, a1, a2, a3 #) (# b0, b1, b2, b3 #) 147 {-# INLINE eq #-} 148 149 -- | Variable-time equality comparison. 150 eq_vartime :: Montgomery -> Montgomery -> Bool 151 eq_vartime (Montgomery (Wider -> a)) (Montgomery (Wider -> b)) = 152 WW.eq_vartime a b 153 154 -- innards -------------------------------------------------------------------- 155 156 redc_inner# 157 :: Limb4 -- ^ upper limbs 158 -> Limb4 -- ^ lower limbs 159 -> (# Limb4, Limb #) -- ^ upper limbs, meta-carry 160 redc_inner# (# u0, u1, u2, u3 #) (# l0, l1, l2, l3 #) = 161 let !(# m0, m1, m2, m3 #) = 162 (# Limb 0xFFFFFFFEFFFFFC2F##, Limb 0xFFFFFFFFFFFFFFFF## 163 , Limb 0xFFFFFFFFFFFFFFFF##, Limb 0xFFFFFFFFFFFFFFFF## #) 164 !n = Limb 0xD838091DD2253531## 165 !w_0 = L.mul_w# l0 n 166 !(# _, c_00 #) = L.mac# w_0 m0 l0 (Limb 0##) 167 !(# l0_1, c_01 #) = L.mac# w_0 m1 l1 c_00 168 !(# l0_2, c_02 #) = L.mac# w_0 m2 l2 c_01 169 !(# l0_3, c_03 #) = L.mac# w_0 m3 l3 c_02 170 !(# u_0, mc_0 #) = L.add_c# u0 c_03 (Limb 0##) 171 !w_1 = L.mul_w# l0_1 n 172 !(# _, c_10 #) = L.mac# w_1 m0 l0_1 (Limb 0##) 173 !(# l1_1, c_11 #) = L.mac# w_1 m1 l0_2 c_10 174 !(# l1_2, c_12 #) = L.mac# w_1 m2 l0_3 c_11 175 !(# u1_3, c_13 #) = L.mac# w_1 m3 u_0 c_12 176 !(# u_1, mc_1 #) = L.add_c# u1 c_13 mc_0 177 !w_2 = L.mul_w# l1_1 n 178 !(# _, c_20 #) = L.mac# w_2 m0 l1_1 (Limb 0##) 179 !(# l2_1, c_21 #) = L.mac# w_2 m1 l1_2 c_20 180 !(# u2_2, c_22 #) = L.mac# w_2 m2 u1_3 c_21 181 !(# u2_3, c_23 #) = L.mac# w_2 m3 u_1 c_22 182 !(# u_2, mc_2 #) = L.add_c# u2 c_23 mc_1 183 !w_3 = L.mul_w# l2_1 n 184 !(# _, c_30 #) = L.mac# w_3 m0 l2_1 (Limb 0##) 185 !(# u3_1, c_31 #) = L.mac# w_3 m1 u2_2 c_30 186 !(# u3_2, c_32 #) = L.mac# w_3 m2 u2_3 c_31 187 !(# u3_3, c_33 #) = L.mac# w_3 m3 u_2 c_32 188 !(# u_3, mc_3 #) = L.add_c# u3 c_33 mc_2 189 in (# (# u3_1, u3_2, u3_3, u_3 #), mc_3 #) 190 {-# INLINE redc_inner# #-} 191 192 -- | Montgomery reduction. 193 redc# 194 :: Limb4 -- ^ lower limbs 195 -> Limb4 -- ^ upper limbs 196 -> Limb4 -- ^ result 197 redc# l u = 198 let -- field prime 199 !m = L4 0xFFFFFFFEFFFFFC2F## 0xFFFFFFFFFFFFFFFF## 200 0xFFFFFFFFFFFFFFFF## 0xFFFFFFFFFFFFFFFF## 201 !(# nu, mc #) = redc_inner# u l 202 in WW.sub_mod_c# nu mc m m 203 {-# INLINE redc# #-} 204 205 -- | Montgomery reduction. 206 -- 207 -- The first argument represents the low words, and the second the 208 -- high words, of an extra-large eight-limb word in Montgomery form. 209 redc 210 :: Montgomery -- ^ low wider-word, Montgomery form 211 -> Montgomery -- ^ high wider-word, Montgomery form 212 -> Montgomery -- ^ reduced value 213 redc (Montgomery l) (Montgomery u) = 214 let !res = redc# l u 215 in Montgomery res 216 217 retr_inner# 218 :: Limb4 -- ^ value in montgomery form 219 -> Limb4 -- ^ retrieved value 220 retr_inner# (# x0, x1, x2, x3 #) = 221 let !(# m0, m1, m2, m3 #) = 222 L4 0xFFFFFFFEFFFFFC2F## 0xFFFFFFFFFFFFFFFF## 223 0xFFFFFFFFFFFFFFFF## 0xFFFFFFFFFFFFFFFF## 224 !n = Limb 0xD838091DD2253531## 225 !u_0 = L.mul_w# x0 n 226 !(# _, o0 #) = L.mac# u_0 m0 x0 (Limb 0##) 227 !(# o0_1, p0_1 #) = L.mac# u_0 m1 (Limb 0##) o0 228 !(# p0_2, q0_2 #) = L.mac# u_0 m2 (Limb 0##) p0_1 229 !(# q0_3, r0_3 #) = L.mac# u_0 m3 (Limb 0##) q0_2 230 !u_1 = L.mul_w# (L.add_w# o0_1 x1) n 231 !(# _, o1 #) = L.mac# u_1 m0 x1 o0_1 232 !(# o1_1, p1_1 #) = L.mac# u_1 m1 p0_2 o1 233 !(# p1_2, q1_2 #) = L.mac# u_1 m2 q0_3 p1_1 234 !(# q1_3, r1_3 #) = L.mac# u_1 m3 r0_3 q1_2 235 !u_2 = L.mul_w# (L.add_w# o1_1 x2) n 236 !(# _, o2 #) = L.mac# u_2 m0 x2 o1_1 237 !(# o2_1, p2_1 #) = L.mac# u_2 m1 p1_2 o2 238 !(# p2_2, q2_2 #) = L.mac# u_2 m2 q1_3 p2_1 239 !(# q2_3, r2_3 #) = L.mac# u_2 m3 r1_3 q2_2 240 !u_3 = L.mul_w# (L.add_w# o2_1 x3) n 241 !(# _, o3 #) = L.mac# u_3 m0 x3 o2_1 242 !(# o3_1, p3_1 #) = L.mac# u_3 m1 p2_2 o3 243 !(# p3_2, q3_2 #) = L.mac# u_3 m2 q2_3 p3_1 244 !(# q3_3, r3_3 #) = L.mac# u_3 m3 r2_3 q3_2 245 in (# o3_1, p3_2, q3_3, r3_3 #) 246 {-# INLINE retr_inner# #-} 247 248 retr# 249 :: Limb4 -- montgomery form 250 -> Limb4 251 retr# f = retr_inner# f 252 {-# INLINE retr# #-} 253 254 -- | Retrieve a 'Montgomery' value from the Montgomery domain, producing 255 -- a 'Wider' word. 256 retr 257 :: Montgomery -- ^ value in montgomery form 258 -> Wider -- ^ retrieved value 259 retr (Montgomery f) = 260 let !res = retr# f 261 in (Wider res) 262 263 -- | Montgomery multiplication (FIOS), without conditional subtract. 264 mul_inner# 265 :: Limb4 -- ^ x 266 -> Limb4 -- ^ y 267 -> (# Limb4, Limb #) -- ^ product, meta-carry 268 mul_inner# (# x0, x1, x2, x3 #) (# y0, y1, y2, y3 #) = 269 let !(# m0, m1, m2, m3 #) = 270 L4 0xFFFFFFFEFFFFFC2F## 0xFFFFFFFFFFFFFFFF## 271 0xFFFFFFFFFFFFFFFF## 0xFFFFFFFFFFFFFFFF## 272 !n = Limb 0xD838091DD2253531## 273 !axy0 = L.mul_c# x0 y0 274 !u0 = L.mul_w# (lo axy0) n 275 !(# (# _, a0 #), c0 #) = W.add_o# (L.mul_c# u0 m0) axy0 276 !carry0 = (# a0, c0 #) 277 !axy0_1 = L.mul_c# x0 y1 278 !umc0_1 = W.add_w# (L.mul_c# u0 m1) carry0 279 !(# (# o0, ab0_1 #), c0_1 #) = W.add_o# axy0_1 umc0_1 280 !carry0_1 = (# ab0_1, c0_1 #) 281 !axy0_2 = L.mul_c# x0 y2 282 !umc0_2 = W.add_w# (L.mul_c# u0 m2) carry0_1 283 !(# (# p0, ab0_2 #), c0_2 #) = W.add_o# axy0_2 umc0_2 284 !carry0_2 = (# ab0_2, c0_2 #) 285 !axy0_3 = L.mul_c# x0 y3 286 !umc0_3 = W.add_w# (L.mul_c# u0 m3) carry0_2 287 !(# (# q0, ab0_3 #), c0_3 #) = W.add_o# axy0_3 umc0_3 288 !carry0_3 = (# ab0_3, c0_3 #) 289 !(# r0, mc0 #) = carry0_3 290 !axy1 = wadd_w# (L.mul_c# x1 y0) o0 291 !u1 = L.mul_w# (lo axy1) n 292 !(# (# _, a1 #), c1 #) = W.add_o# (L.mul_c# u1 m0) axy1 293 !carry1 = (# a1, c1 #) 294 !axy1_1 = wadd_w# (L.mul_c# x1 y1) p0 295 !umc1_1 = W.add_w# (L.mul_c# u1 m1) carry1 296 !(# (# o1, ab1_1 #), c1_1 #) = W.add_o# axy1_1 umc1_1 297 !carry1_1 = (# ab1_1, c1_1 #) 298 !axy1_2 = wadd_w# (L.mul_c# x1 y2) q0 299 !umc1_2 = W.add_w# (L.mul_c# u1 m2) carry1_1 300 !(# (# p1, ab1_2 #), c1_2 #) = W.add_o# axy1_2 umc1_2 301 !carry1_2 = (# ab1_2, c1_2 #) 302 !axy1_3 = wadd_w# (L.mul_c# x1 y3) r0 303 !umc1_3 = W.add_w# (L.mul_c# u1 m3) carry1_2 304 !(# (# q1, ab1_3 #), c1_3 #) = W.add_o# axy1_3 umc1_3 305 !carry1_3 = (# ab1_3, c1_3 #) 306 !(# r1, mc1 #) = wadd_w# carry1_3 mc0 307 !axy2 = wadd_w# (L.mul_c# x2 y0) o1 308 !u2 = L.mul_w# (lo axy2) n 309 !(# (# _, a2 #), c2 #) = W.add_o# (L.mul_c# u2 m0) axy2 310 !carry2 = (# a2, c2 #) 311 !axy2_1 = wadd_w# (L.mul_c# x2 y1) p1 312 !umc2_1 = W.add_w# (L.mul_c# u2 m1) carry2 313 !(# (# o2, ab2_1 #), c2_1 #) = W.add_o# axy2_1 umc2_1 314 !carry2_1 = (# ab2_1, c2_1 #) 315 !axy2_2 = wadd_w# (L.mul_c# x2 y2) q1 316 !umc2_2 = W.add_w# (L.mul_c# u2 m2) carry2_1 317 !(# (# p2, ab2_2 #), c2_2 #) = W.add_o# axy2_2 umc2_2 318 !carry2_2 = (# ab2_2, c2_2 #) 319 !axy2_3 = wadd_w# (L.mul_c# x2 y3) r1 320 !umc2_3 = W.add_w# (L.mul_c# u2 m3) carry2_2 321 !(# (# q2, ab2_3 #), c2_3 #) = W.add_o# axy2_3 umc2_3 322 !carry2_3 = (# ab2_3, c2_3 #) 323 !(# r2, mc2 #) = wadd_w# carry2_3 mc1 324 !axy3 = wadd_w# (L.mul_c# x3 y0) o2 325 !u3 = L.mul_w# (lo axy3) n 326 !(# (# _, a3 #), c3 #) = W.add_o# (L.mul_c# u3 m0) axy3 327 !carry3 = (# a3, c3 #) 328 !axy3_1 = wadd_w# (L.mul_c# x3 y1) p2 329 !umc3_1 = W.add_w# (L.mul_c# u3 m1) carry3 330 !(# (# o3, ab3_1 #), c3_1 #) = W.add_o# axy3_1 umc3_1 331 !carry3_1 = (# ab3_1, c3_1 #) 332 !axy3_2 = wadd_w# (L.mul_c# x3 y2) q2 333 !umc3_2 = W.add_w# (L.mul_c# u3 m2) carry3_1 334 !(# (# p3, ab3_2 #), c3_2 #) = W.add_o# axy3_2 umc3_2 335 !carry3_2 = (# ab3_2, c3_2 #) 336 !axy3_3 = wadd_w# (L.mul_c# x3 y3) r2 337 !umc3_3 = W.add_w# (L.mul_c# u3 m3) carry3_2 338 !(# (# q3, ab3_3 #), c3_3 #) = W.add_o# axy3_3 umc3_3 339 !carry3_3 = (# ab3_3, c3_3 #) 340 !(# r3, mc3 #) = wadd_w# carry3_3 mc2 341 in (# (# o3, p3, q3, r3 #), mc3 #) 342 {-# INLINE mul_inner# #-} 343 344 mul# 345 :: Limb4 346 -> Limb4 347 -> Limb4 348 mul# a b = 349 let -- field prime 350 !m = L4 0xFFFFFFFEFFFFFC2F## 0xFFFFFFFFFFFFFFFF## 351 0xFFFFFFFFFFFFFFFF## 0xFFFFFFFFFFFFFFFF## 352 !(# nu, mc #) = mul_inner# a b 353 in WW.sub_mod_c# nu mc m m 354 {-# NOINLINE mul# #-} -- cannot be inlined without exploding comp time 355 356 -- | Multiplication in the Montgomery domain. 357 -- 358 -- Note that 'Montgomery' is an instance of 'Num', so you can use '*' 359 -- to apply this function. 360 -- 361 -- >>> 1 * 1 :: Montgomery 362 -- 1 363 mul 364 :: Montgomery -- ^ multiplicand in montgomery form 365 -> Montgomery -- ^ multiplier in montgomery form 366 -> Montgomery -- ^ montgomery product 367 mul (Montgomery a) (Montgomery b) = Montgomery (mul# a b) 368 369 to# 370 :: Limb4 -- ^ integer 371 -> Limb4 372 to# x = 373 let !r2 = L4 0x000007A2000E90A1## 0x1## 0## 0## -- r^2 mod m 374 in mul# x r2 375 {-# INLINE to# #-} 376 377 -- | Convert a 'Wider' word to the Montgomery domain. 378 to :: Wider -> Montgomery 379 to (Wider x) = Montgomery (to# x) 380 381 -- | Retrieve a 'Montgomery' word from the Montgomery domain. 382 -- 383 -- This function is a synonym for 'retr'. 384 from :: Montgomery -> Wider 385 from = retr 386 387 add# 388 :: Limb4 -- ^ augend 389 -> Limb4 -- ^ addend 390 -> Limb4 -- ^ sum 391 add# a b = 392 let -- field prime 393 !m = L4 0xFFFFFFFEFFFFFC2F## 0xFFFFFFFFFFFFFFFF## 394 0xFFFFFFFFFFFFFFFF## 0xFFFFFFFFFFFFFFFF## 395 in WW.add_mod# a b m 396 {-# INLINE add# #-} 397 398 -- | Addition in the Montgomery domain. 399 -- 400 -- Note that 'Montgomery' is an instance of 'Num', so you can use '+' 401 -- to apply this function. 402 -- 403 -- >>> 1 + 1 :: Montgomery 404 -- 2 405 add :: Montgomery -> Montgomery -> Montgomery 406 add (Montgomery a) (Montgomery b) = Montgomery (add# a b) 407 408 sub# 409 :: Limb4 -- ^ minuend 410 -> Limb4 -- ^ subtrahend 411 -> Limb4 -- ^ difference 412 sub# a b = 413 let -- field prime 414 !m = L4 0xFFFFFFFEFFFFFC2F## 0xFFFFFFFFFFFFFFFF## 415 0xFFFFFFFFFFFFFFFF## 0xFFFFFFFFFFFFFFFF## 416 in WW.sub_mod# a b m 417 {-# INLINE sub# #-} 418 419 -- | Subtraction in the Montgomery domain. 420 -- 421 -- Note that 'Montgomery' is an instance of 'Num', so you can use '-' 422 -- to apply this function. 423 -- 424 -- >>> 1 - 1 :: Montgomery 425 -- 0 426 sub :: Montgomery -> Montgomery -> Montgomery 427 sub (Montgomery a) (Montgomery b) = Montgomery (sub# a b) 428 429 neg# 430 :: Limb4 -- ^ argument 431 -> Limb4 -- ^ modular negation 432 neg# a = sub# (L4 0## 0## 0## 0##) a 433 {-# INLINE neg# #-} 434 435 -- | Additive inverse in the Montgomery domain. 436 -- 437 -- Note that 'Montgomery' is an instance of 'Num', so you can use 'negate' 438 -- to apply this function. 439 -- 440 -- >>> negate 1 :: Montgomery 441 -- 115792089237316195423570985008687907853269984665640564039457584007908834671662 442 -- >>> (negate 1 :: Montgomery) + 1 443 -- 0 444 neg :: Montgomery -> Montgomery 445 neg (Montgomery a) = Montgomery (neg# a) 446 447 sqr# :: Limb4 -> Limb4 448 sqr# a = 449 let !(# l, h #) = WW.sqr# a 450 in redc# l h 451 {-# NOINLINE sqr# #-} -- cannot be inlined without exploding comp time 452 453 -- | Squaring in the Montgomery domain. 454 -- 455 -- >>> sqr 1 456 -- 1 457 -- >>> sqr 2 458 -- 4 459 -- >>> sqr (negate 2) 460 -- 4 461 sqr :: Montgomery -> Montgomery 462 sqr (Montgomery a) = Montgomery (mul# a a) 463 464 -- | Zero (the additive unit) in the Montgomery domain. 465 zero :: Montgomery 466 zero = Montgomery (L4 0## 0## 0## 0##) 467 468 -- | One (the multiplicative unit) in the Montgomery domain. 469 one :: Montgomery 470 one = Montgomery (L4 0x1000003D1## 0## 0## 0##) 471 472 -- generated by etc/generate_inv.sh 473 inv# 474 :: Limb4 475 -> Limb4 476 inv# a = 477 let 478 !t1 = sqr# a 479 !t2 = mul# t1 a 480 !t3 = sqr# t2 481 !t4 = sqr# t3 482 !t5 = mul# t4 t2 483 !t6 = sqr# t5 484 !t7 = sqr# t6 485 !t8 = sqr# t7 486 !t9 = sqr# t8 487 !t10 = mul# t9 t5 488 !t11 = sqr# t10 489 !t12 = sqr# t11 490 !t13 = sqr# t12 491 !t14 = sqr# t13 492 !t15 = sqr# t14 493 !t16 = sqr# t15 494 !t17 = sqr# t16 495 !t18 = sqr# t17 496 !t19 = mul# t18 t10 497 !t20 = sqr# t19 498 !t21 = sqr# t20 499 !t22 = sqr# t21 500 !t23 = sqr# t22 501 !t24 = sqr# t23 502 !t25 = sqr# t24 503 !t26 = sqr# t25 504 !t27 = sqr# t26 505 !t28 = sqr# t27 506 !t29 = sqr# t28 507 !t30 = sqr# t29 508 !t31 = sqr# t30 509 !t32 = sqr# t31 510 !t33 = sqr# t32 511 !t34 = sqr# t33 512 !t35 = sqr# t34 513 !t36 = mul# t35 t19 514 !t37 = sqr# t36 515 !t38 = sqr# t37 516 !t39 = sqr# t38 517 !t40 = sqr# t39 518 !t41 = sqr# t40 519 !t42 = sqr# t41 520 !t43 = sqr# t42 521 !t44 = sqr# t43 522 !t45 = sqr# t44 523 !t46 = sqr# t45 524 !t47 = sqr# t46 525 !t48 = sqr# t47 526 !t49 = sqr# t48 527 !t50 = sqr# t49 528 !t51 = sqr# t50 529 !t52 = sqr# t51 530 !t53 = sqr# t52 531 !t54 = sqr# t53 532 !t55 = sqr# t54 533 !t56 = sqr# t55 534 !t57 = sqr# t56 535 !t58 = sqr# t57 536 !t59 = sqr# t58 537 !t60 = sqr# t59 538 !t61 = sqr# t60 539 !t62 = sqr# t61 540 !t63 = sqr# t62 541 !t64 = sqr# t63 542 !t65 = sqr# t64 543 !t66 = sqr# t65 544 !t67 = sqr# t66 545 !t68 = sqr# t67 546 !t69 = mul# t68 t36 547 !t70 = sqr# t69 548 !t71 = sqr# t70 549 !t72 = sqr# t71 550 !t73 = sqr# t72 551 !t74 = sqr# t73 552 !t75 = sqr# t74 553 !t76 = sqr# t75 554 !t77 = sqr# t76 555 !t78 = sqr# t77 556 !t79 = sqr# t78 557 !t80 = sqr# t79 558 !t81 = sqr# t80 559 !t82 = sqr# t81 560 !t83 = sqr# t82 561 !t84 = sqr# t83 562 !t85 = sqr# t84 563 !t86 = sqr# t85 564 !t87 = sqr# t86 565 !t88 = sqr# t87 566 !t89 = sqr# t88 567 !t90 = sqr# t89 568 !t91 = sqr# t90 569 !t92 = sqr# t91 570 !t93 = sqr# t92 571 !t94 = sqr# t93 572 !t95 = sqr# t94 573 !t96 = sqr# t95 574 !t97 = sqr# t96 575 !t98 = sqr# t97 576 !t99 = sqr# t98 577 !t100 = sqr# t99 578 !t101 = sqr# t100 579 !t102 = sqr# t101 580 !t103 = sqr# t102 581 !t104 = sqr# t103 582 !t105 = sqr# t104 583 !t106 = sqr# t105 584 !t107 = sqr# t106 585 !t108 = sqr# t107 586 !t109 = sqr# t108 587 !t110 = sqr# t109 588 !t111 = sqr# t110 589 !t112 = sqr# t111 590 !t113 = sqr# t112 591 !t114 = sqr# t113 592 !t115 = sqr# t114 593 !t116 = sqr# t115 594 !t117 = sqr# t116 595 !t118 = sqr# t117 596 !t119 = sqr# t118 597 !t120 = sqr# t119 598 !t121 = sqr# t120 599 !t122 = sqr# t121 600 !t123 = sqr# t122 601 !t124 = sqr# t123 602 !t125 = sqr# t124 603 !t126 = sqr# t125 604 !t127 = sqr# t126 605 !t128 = sqr# t127 606 !t129 = sqr# t128 607 !t130 = sqr# t129 608 !t131 = sqr# t130 609 !t132 = sqr# t131 610 !t133 = sqr# t132 611 !t134 = mul# t133 t69 612 !t135 = sqr# t134 613 !t136 = sqr# t135 614 !t137 = sqr# t136 615 !t138 = sqr# t137 616 !t139 = sqr# t138 617 !t140 = sqr# t139 618 !t141 = sqr# t140 619 !t142 = sqr# t141 620 !t143 = sqr# t142 621 !t144 = sqr# t143 622 !t145 = sqr# t144 623 !t146 = sqr# t145 624 !t147 = sqr# t146 625 !t148 = sqr# t147 626 !t149 = sqr# t148 627 !t150 = sqr# t149 628 !t151 = sqr# t150 629 !t152 = sqr# t151 630 !t153 = sqr# t152 631 !t154 = sqr# t153 632 !t155 = sqr# t154 633 !t156 = sqr# t155 634 !t157 = sqr# t156 635 !t158 = sqr# t157 636 !t159 = sqr# t158 637 !t160 = sqr# t159 638 !t161 = sqr# t160 639 !t162 = sqr# t161 640 !t163 = sqr# t162 641 !t164 = sqr# t163 642 !t165 = sqr# t164 643 !t166 = sqr# t165 644 !t167 = sqr# t166 645 !t168 = sqr# t167 646 !t169 = sqr# t168 647 !t170 = sqr# t169 648 !t171 = sqr# t170 649 !t172 = sqr# t171 650 !t173 = sqr# t172 651 !t174 = sqr# t173 652 !t175 = sqr# t174 653 !t176 = sqr# t175 654 !t177 = sqr# t176 655 !t178 = sqr# t177 656 !t179 = sqr# t178 657 !t180 = sqr# t179 658 !t181 = sqr# t180 659 !t182 = sqr# t181 660 !t183 = sqr# t182 661 !t184 = sqr# t183 662 !t185 = sqr# t184 663 !t186 = sqr# t185 664 !t187 = sqr# t186 665 !t188 = sqr# t187 666 !t189 = sqr# t188 667 !t190 = sqr# t189 668 !t191 = sqr# t190 669 !t192 = sqr# t191 670 !t193 = sqr# t192 671 !t194 = sqr# t193 672 !t195 = sqr# t194 673 !t196 = sqr# t195 674 !t197 = sqr# t196 675 !t198 = sqr# t197 676 !t199 = mul# t198 t69 677 !t200 = sqr# t199 678 !t201 = sqr# t200 679 !t202 = sqr# t201 680 !t203 = sqr# t202 681 !t204 = sqr# t203 682 !t205 = sqr# t204 683 !t206 = sqr# t205 684 !t207 = sqr# t206 685 !t208 = sqr# t207 686 !t209 = sqr# t208 687 !t210 = sqr# t209 688 !t211 = sqr# t210 689 !t212 = sqr# t211 690 !t213 = sqr# t212 691 !t214 = sqr# t213 692 !t215 = sqr# t214 693 !t216 = mul# t215 t19 694 !t217 = sqr# t216 695 !t218 = sqr# t217 696 !t219 = sqr# t218 697 !t220 = sqr# t219 698 !t221 = sqr# t220 699 !t222 = sqr# t221 700 !t223 = sqr# t222 701 !t224 = sqr# t223 702 !t225 = mul# t224 t10 703 !t226 = sqr# t225 704 !t227 = sqr# t226 705 !t228 = sqr# t227 706 !t229 = sqr# t228 707 !t230 = mul# t229 t5 708 !t231 = sqr# t230 709 !t232 = sqr# t231 710 !t233 = mul# t232 t2 711 !t234 = sqr# t233 712 !t235 = mul# t234 a 713 !t236 = sqr# t19 714 !t237 = sqr# t236 715 !t238 = sqr# t237 716 !t239 = sqr# t238 717 !t240 = mul# t239 t5 718 !t241 = sqr# t240 719 !t242 = sqr# t241 720 !t243 = mul# t242 t2 721 !t244 = sqr# t235 722 !t245 = sqr# t244 723 !t246 = sqr# t245 724 !t247 = sqr# t246 725 !t248 = sqr# t247 726 !t249 = sqr# t248 727 !t250 = sqr# t249 728 !t251 = sqr# t250 729 !t252 = sqr# t251 730 !t253 = sqr# t252 731 !t254 = sqr# t253 732 !t255 = sqr# t254 733 !t256 = sqr# t255 734 !t257 = sqr# t256 735 !t258 = sqr# t257 736 !t259 = sqr# t258 737 !t260 = sqr# t259 738 !t261 = sqr# t260 739 !t262 = sqr# t261 740 !t263 = sqr# t262 741 !t264 = sqr# t263 742 !t265 = sqr# t264 743 !t266 = sqr# t265 744 !t267 = mul# t266 t243 745 !t268 = sqr# t267 746 !t269 = sqr# t268 747 !t270 = sqr# t269 748 !t271 = sqr# t270 749 !t272 = sqr# t271 750 !t273 = mul# t272 a 751 !t274 = sqr# t273 752 !t275 = sqr# t274 753 !t276 = sqr# t275 754 !t277 = mul# t276 t2 755 !t278 = sqr# t277 756 !t279 = sqr# t278 757 !t280 = mul# t279 a 758 !r = t280 759 in r 760 {-# INLINE inv# #-} 761 762 -- | Multiplicative inverse in the Montgomery domain. 763 -- 764 -- >> inv 2 765 -- 57896044618658097711785492504343953926634992332820282019728792003954417335832 766 -- >> inv 2 * 2 767 -- 1 768 inv :: Montgomery -> Montgomery 769 inv (Montgomery w) = Montgomery (inv# w) 770 771 -- | Square root (Tonelli-Shanks) in the Montgomery domain. 772 -- 773 -- Returns 'Nothing' if the square root doesn't exist. 774 -- 775 -- Note that the square root calculation itself is performed in 776 -- constant time; we branch only when casting to 'Maybe' at the end. 777 -- 778 -- >>> sqrt_vartime 4 779 -- Just 2 780 -- >>> sqrt_vartime 15 781 -- Just 69211104694897500952317515077652022726490027694212560352756646854116994689233 782 -- >>> (*) <$> sqrt_vartime 15 <*> sqrt_vartime 15 783 -- Just 15 784 sqrt_vartime :: Montgomery -> Maybe Montgomery 785 sqrt_vartime (Montgomery n) = case sqrt# n of 786 (# a, c #) 787 | C.decide c -> Just $! Montgomery a 788 | otherwise -> Nothing 789 790 -- generated by etc/generate_sqrt.sh 791 sqrt# 792 :: Limb4 793 -> (# Limb4, C.Choice #) 794 sqrt# a = 795 let !t0 = L4 0x1000003D1## 0## 0## 0## 796 !t1 = sqr# t0 797 !t2 = sqr# t1 798 !t3 = sqr# t2 799 !t4 = mul# a t3 800 !t5 = sqr# t4 801 !t6 = mul# a t5 802 !t7 = sqr# t6 803 !t8 = mul# a t7 804 !t9 = sqr# t8 805 !t10 = mul# a t9 806 !t11 = sqr# t10 807 !t12 = mul# a t11 808 !t13 = sqr# t12 809 !t14 = mul# a t13 810 !t15 = sqr# t14 811 !t16 = mul# a t15 812 !t17 = sqr# t16 813 !t18 = mul# a t17 814 !t19 = sqr# t18 815 !t20 = mul# a t19 816 !t21 = sqr# t20 817 !t22 = mul# a t21 818 !t23 = sqr# t22 819 !t24 = mul# a t23 820 !t25 = sqr# t24 821 !t26 = mul# a t25 822 !t27 = sqr# t26 823 !t28 = mul# a t27 824 !t29 = sqr# t28 825 !t30 = mul# a t29 826 !t31 = sqr# t30 827 !t32 = mul# a t31 828 !t33 = sqr# t32 829 !t34 = mul# a t33 830 !t35 = sqr# t34 831 !t36 = mul# a t35 832 !t37 = sqr# t36 833 !t38 = mul# a t37 834 !t39 = sqr# t38 835 !t40 = mul# a t39 836 !t41 = sqr# t40 837 !t42 = mul# a t41 838 !t43 = sqr# t42 839 !t44 = mul# a t43 840 !t45 = sqr# t44 841 !t46 = mul# a t45 842 !t47 = sqr# t46 843 !t48 = mul# a t47 844 !t49 = sqr# t48 845 !t50 = mul# a t49 846 !t51 = sqr# t50 847 !t52 = mul# a t51 848 !t53 = sqr# t52 849 !t54 = mul# a t53 850 !t55 = sqr# t54 851 !t56 = mul# a t55 852 !t57 = sqr# t56 853 !t58 = mul# a t57 854 !t59 = sqr# t58 855 !t60 = mul# a t59 856 !t61 = sqr# t60 857 !t62 = mul# a t61 858 !t63 = sqr# t62 859 !t64 = mul# a t63 860 !t65 = sqr# t64 861 !t66 = mul# a t65 862 !t67 = sqr# t66 863 !t68 = mul# a t67 864 !t69 = sqr# t68 865 !t70 = mul# a t69 866 !t71 = sqr# t70 867 !t72 = mul# a t71 868 !t73 = sqr# t72 869 !t74 = mul# a t73 870 !t75 = sqr# t74 871 !t76 = mul# a t75 872 !t77 = sqr# t76 873 !t78 = mul# a t77 874 !t79 = sqr# t78 875 !t80 = mul# a t79 876 !t81 = sqr# t80 877 !t82 = mul# a t81 878 !t83 = sqr# t82 879 !t84 = mul# a t83 880 !t85 = sqr# t84 881 !t86 = mul# a t85 882 !t87 = sqr# t86 883 !t88 = mul# a t87 884 !t89 = sqr# t88 885 !t90 = mul# a t89 886 !t91 = sqr# t90 887 !t92 = mul# a t91 888 !t93 = sqr# t92 889 !t94 = mul# a t93 890 !t95 = sqr# t94 891 !t96 = mul# a t95 892 !t97 = sqr# t96 893 !t98 = mul# a t97 894 !t99 = sqr# t98 895 !t100 = mul# a t99 896 !t101 = sqr# t100 897 !t102 = mul# a t101 898 !t103 = sqr# t102 899 !t104 = mul# a t103 900 !t105 = sqr# t104 901 !t106 = mul# a t105 902 !t107 = sqr# t106 903 !t108 = mul# a t107 904 !t109 = sqr# t108 905 !t110 = mul# a t109 906 !t111 = sqr# t110 907 !t112 = mul# a t111 908 !t113 = sqr# t112 909 !t114 = mul# a t113 910 !t115 = sqr# t114 911 !t116 = mul# a t115 912 !t117 = sqr# t116 913 !t118 = mul# a t117 914 !t119 = sqr# t118 915 !t120 = mul# a t119 916 !t121 = sqr# t120 917 !t122 = mul# a t121 918 !t123 = sqr# t122 919 !t124 = mul# a t123 920 !t125 = sqr# t124 921 !t126 = mul# a t125 922 !t127 = sqr# t126 923 !t128 = mul# a t127 924 !t129 = sqr# t128 925 !t130 = mul# a t129 926 !t131 = sqr# t130 927 !t132 = mul# a t131 928 !t133 = sqr# t132 929 !t134 = mul# a t133 930 !t135 = sqr# t134 931 !t136 = mul# a t135 932 !t137 = sqr# t136 933 !t138 = mul# a t137 934 !t139 = sqr# t138 935 !t140 = mul# a t139 936 !t141 = sqr# t140 937 !t142 = mul# a t141 938 !t143 = sqr# t142 939 !t144 = mul# a t143 940 !t145 = sqr# t144 941 !t146 = mul# a t145 942 !t147 = sqr# t146 943 !t148 = mul# a t147 944 !t149 = sqr# t148 945 !t150 = mul# a t149 946 !t151 = sqr# t150 947 !t152 = mul# a t151 948 !t153 = sqr# t152 949 !t154 = mul# a t153 950 !t155 = sqr# t154 951 !t156 = mul# a t155 952 !t157 = sqr# t156 953 !t158 = mul# a t157 954 !t159 = sqr# t158 955 !t160 = mul# a t159 956 !t161 = sqr# t160 957 !t162 = mul# a t161 958 !t163 = sqr# t162 959 !t164 = mul# a t163 960 !t165 = sqr# t164 961 !t166 = mul# a t165 962 !t167 = sqr# t166 963 !t168 = mul# a t167 964 !t169 = sqr# t168 965 !t170 = mul# a t169 966 !t171 = sqr# t170 967 !t172 = mul# a t171 968 !t173 = sqr# t172 969 !t174 = mul# a t173 970 !t175 = sqr# t174 971 !t176 = mul# a t175 972 !t177 = sqr# t176 973 !t178 = mul# a t177 974 !t179 = sqr# t178 975 !t180 = mul# a t179 976 !t181 = sqr# t180 977 !t182 = mul# a t181 978 !t183 = sqr# t182 979 !t184 = mul# a t183 980 !t185 = sqr# t184 981 !t186 = mul# a t185 982 !t187 = sqr# t186 983 !t188 = mul# a t187 984 !t189 = sqr# t188 985 !t190 = mul# a t189 986 !t191 = sqr# t190 987 !t192 = mul# a t191 988 !t193 = sqr# t192 989 !t194 = mul# a t193 990 !t195 = sqr# t194 991 !t196 = mul# a t195 992 !t197 = sqr# t196 993 !t198 = mul# a t197 994 !t199 = sqr# t198 995 !t200 = mul# a t199 996 !t201 = sqr# t200 997 !t202 = mul# a t201 998 !t203 = sqr# t202 999 !t204 = mul# a t203 1000 !t205 = sqr# t204 1001 !t206 = mul# a t205 1002 !t207 = sqr# t206 1003 !t208 = mul# a t207 1004 !t209 = sqr# t208 1005 !t210 = mul# a t209 1006 !t211 = sqr# t210 1007 !t212 = mul# a t211 1008 !t213 = sqr# t212 1009 !t214 = mul# a t213 1010 !t215 = sqr# t214 1011 !t216 = mul# a t215 1012 !t217 = sqr# t216 1013 !t218 = mul# a t217 1014 !t219 = sqr# t218 1015 !t220 = mul# a t219 1016 !t221 = sqr# t220 1017 !t222 = mul# a t221 1018 !t223 = sqr# t222 1019 !t224 = mul# a t223 1020 !t225 = sqr# t224 1021 !t226 = mul# a t225 1022 !t227 = sqr# t226 1023 !t228 = mul# a t227 1024 !t229 = sqr# t228 1025 !t230 = mul# a t229 1026 !t231 = sqr# t230 1027 !t232 = mul# a t231 1028 !t233 = sqr# t232 1029 !t234 = mul# a t233 1030 !t235 = sqr# t234 1031 !t236 = mul# a t235 1032 !t237 = sqr# t236 1033 !t238 = mul# a t237 1034 !t239 = sqr# t238 1035 !t240 = mul# a t239 1036 !t241 = sqr# t240 1037 !t242 = mul# a t241 1038 !t243 = sqr# t242 1039 !t244 = mul# a t243 1040 !t245 = sqr# t244 1041 !t246 = mul# a t245 1042 !t247 = sqr# t246 1043 !t248 = mul# a t247 1044 !t249 = sqr# t248 1045 !t250 = mul# a t249 1046 !t251 = sqr# t250 1047 !t252 = mul# a t251 1048 !t253 = sqr# t252 1049 !t254 = mul# a t253 1050 !t255 = sqr# t254 1051 !t256 = mul# a t255 1052 !t257 = sqr# t256 1053 !t258 = mul# a t257 1054 !t259 = sqr# t258 1055 !t260 = mul# a t259 1056 !t261 = sqr# t260 1057 !t262 = mul# a t261 1058 !t263 = sqr# t262 1059 !t264 = mul# a t263 1060 !t265 = sqr# t264 1061 !t266 = mul# a t265 1062 !t267 = sqr# t266 1063 !t268 = mul# a t267 1064 !t269 = sqr# t268 1065 !t270 = mul# a t269 1066 !t271 = sqr# t270 1067 !t272 = mul# a t271 1068 !t273 = sqr# t272 1069 !t274 = mul# a t273 1070 !t275 = sqr# t274 1071 !t276 = mul# a t275 1072 !t277 = sqr# t276 1073 !t278 = mul# a t277 1074 !t279 = sqr# t278 1075 !t280 = mul# a t279 1076 !t281 = sqr# t280 1077 !t282 = mul# a t281 1078 !t283 = sqr# t282 1079 !t284 = mul# a t283 1080 !t285 = sqr# t284 1081 !t286 = mul# a t285 1082 !t287 = sqr# t286 1083 !t288 = mul# a t287 1084 !t289 = sqr# t288 1085 !t290 = mul# a t289 1086 !t291 = sqr# t290 1087 !t292 = mul# a t291 1088 !t293 = sqr# t292 1089 !t294 = mul# a t293 1090 !t295 = sqr# t294 1091 !t296 = mul# a t295 1092 !t297 = sqr# t296 1093 !t298 = mul# a t297 1094 !t299 = sqr# t298 1095 !t300 = mul# a t299 1096 !t301 = sqr# t300 1097 !t302 = mul# a t301 1098 !t303 = sqr# t302 1099 !t304 = mul# a t303 1100 !t305 = sqr# t304 1101 !t306 = mul# a t305 1102 !t307 = sqr# t306 1103 !t308 = mul# a t307 1104 !t309 = sqr# t308 1105 !t310 = mul# a t309 1106 !t311 = sqr# t310 1107 !t312 = mul# a t311 1108 !t313 = sqr# t312 1109 !t314 = mul# a t313 1110 !t315 = sqr# t314 1111 !t316 = mul# a t315 1112 !t317 = sqr# t316 1113 !t318 = mul# a t317 1114 !t319 = sqr# t318 1115 !t320 = mul# a t319 1116 !t321 = sqr# t320 1117 !t322 = mul# a t321 1118 !t323 = sqr# t322 1119 !t324 = mul# a t323 1120 !t325 = sqr# t324 1121 !t326 = mul# a t325 1122 !t327 = sqr# t326 1123 !t328 = mul# a t327 1124 !t329 = sqr# t328 1125 !t330 = mul# a t329 1126 !t331 = sqr# t330 1127 !t332 = mul# a t331 1128 !t333 = sqr# t332 1129 !t334 = mul# a t333 1130 !t335 = sqr# t334 1131 !t336 = mul# a t335 1132 !t337 = sqr# t336 1133 !t338 = mul# a t337 1134 !t339 = sqr# t338 1135 !t340 = mul# a t339 1136 !t341 = sqr# t340 1137 !t342 = mul# a t341 1138 !t343 = sqr# t342 1139 !t344 = mul# a t343 1140 !t345 = sqr# t344 1141 !t346 = mul# a t345 1142 !t347 = sqr# t346 1143 !t348 = mul# a t347 1144 !t349 = sqr# t348 1145 !t350 = mul# a t349 1146 !t351 = sqr# t350 1147 !t352 = mul# a t351 1148 !t353 = sqr# t352 1149 !t354 = mul# a t353 1150 !t355 = sqr# t354 1151 !t356 = mul# a t355 1152 !t357 = sqr# t356 1153 !t358 = mul# a t357 1154 !t359 = sqr# t358 1155 !t360 = mul# a t359 1156 !t361 = sqr# t360 1157 !t362 = mul# a t361 1158 !t363 = sqr# t362 1159 !t364 = mul# a t363 1160 !t365 = sqr# t364 1161 !t366 = mul# a t365 1162 !t367 = sqr# t366 1163 !t368 = mul# a t367 1164 !t369 = sqr# t368 1165 !t370 = mul# a t369 1166 !t371 = sqr# t370 1167 !t372 = mul# a t371 1168 !t373 = sqr# t372 1169 !t374 = mul# a t373 1170 !t375 = sqr# t374 1171 !t376 = mul# a t375 1172 !t377 = sqr# t376 1173 !t378 = mul# a t377 1174 !t379 = sqr# t378 1175 !t380 = mul# a t379 1176 !t381 = sqr# t380 1177 !t382 = mul# a t381 1178 !t383 = sqr# t382 1179 !t384 = mul# a t383 1180 !t385 = sqr# t384 1181 !t386 = mul# a t385 1182 !t387 = sqr# t386 1183 !t388 = mul# a t387 1184 !t389 = sqr# t388 1185 !t390 = mul# a t389 1186 !t391 = sqr# t390 1187 !t392 = mul# a t391 1188 !t393 = sqr# t392 1189 !t394 = mul# a t393 1190 !t395 = sqr# t394 1191 !t396 = mul# a t395 1192 !t397 = sqr# t396 1193 !t398 = mul# a t397 1194 !t399 = sqr# t398 1195 !t400 = mul# a t399 1196 !t401 = sqr# t400 1197 !t402 = mul# a t401 1198 !t403 = sqr# t402 1199 !t404 = mul# a t403 1200 !t405 = sqr# t404 1201 !t406 = mul# a t405 1202 !t407 = sqr# t406 1203 !t408 = mul# a t407 1204 !t409 = sqr# t408 1205 !t410 = mul# a t409 1206 !t411 = sqr# t410 1207 !t412 = mul# a t411 1208 !t413 = sqr# t412 1209 !t414 = mul# a t413 1210 !t415 = sqr# t414 1211 !t416 = mul# a t415 1212 !t417 = sqr# t416 1213 !t418 = mul# a t417 1214 !t419 = sqr# t418 1215 !t420 = mul# a t419 1216 !t421 = sqr# t420 1217 !t422 = mul# a t421 1218 !t423 = sqr# t422 1219 !t424 = mul# a t423 1220 !t425 = sqr# t424 1221 !t426 = mul# a t425 1222 !t427 = sqr# t426 1223 !t428 = mul# a t427 1224 !t429 = sqr# t428 1225 !t430 = mul# a t429 1226 !t431 = sqr# t430 1227 !t432 = mul# a t431 1228 !t433 = sqr# t432 1229 !t434 = mul# a t433 1230 !t435 = sqr# t434 1231 !t436 = mul# a t435 1232 !t437 = sqr# t436 1233 !t438 = mul# a t437 1234 !t439 = sqr# t438 1235 !t440 = mul# a t439 1236 !t441 = sqr# t440 1237 !t442 = mul# a t441 1238 !t443 = sqr# t442 1239 !t444 = mul# a t443 1240 !t445 = sqr# t444 1241 !t446 = mul# a t445 1242 !t447 = sqr# t446 1243 !t448 = mul# a t447 1244 !t449 = sqr# t448 1245 !t450 = sqr# t449 1246 !t451 = mul# a t450 1247 !t452 = sqr# t451 1248 !t453 = mul# a t452 1249 !t454 = sqr# t453 1250 !t455 = mul# a t454 1251 !t456 = sqr# t455 1252 !t457 = mul# a t456 1253 !t458 = sqr# t457 1254 !t459 = mul# a t458 1255 !t460 = sqr# t459 1256 !t461 = mul# a t460 1257 !t462 = sqr# t461 1258 !t463 = mul# a t462 1259 !t464 = sqr# t463 1260 !t465 = mul# a t464 1261 !t466 = sqr# t465 1262 !t467 = mul# a t466 1263 !t468 = sqr# t467 1264 !t469 = mul# a t468 1265 !t470 = sqr# t469 1266 !t471 = mul# a t470 1267 !t472 = sqr# t471 1268 !t473 = mul# a t472 1269 !t474 = sqr# t473 1270 !t475 = mul# a t474 1271 !t476 = sqr# t475 1272 !t477 = mul# a t476 1273 !t478 = sqr# t477 1274 !t479 = mul# a t478 1275 !t480 = sqr# t479 1276 !t481 = mul# a t480 1277 !t482 = sqr# t481 1278 !t483 = mul# a t482 1279 !t484 = sqr# t483 1280 !t485 = mul# a t484 1281 !t486 = sqr# t485 1282 !t487 = mul# a t486 1283 !t488 = sqr# t487 1284 !t489 = mul# a t488 1285 !t490 = sqr# t489 1286 !t491 = mul# a t490 1287 !t492 = sqr# t491 1288 !t493 = mul# a t492 1289 !t494 = sqr# t493 1290 !t495 = sqr# t494 1291 !t496 = sqr# t495 1292 !t497 = sqr# t496 1293 !t498 = sqr# t497 1294 !t499 = mul# a t498 1295 !t500 = sqr# t499 1296 !t501 = mul# a t500 1297 !t502 = sqr# t501 1298 !t503 = sqr# t502 1299 !r = t503 1300 in (# r, WW.eq# (sqr# r) a #) 1301 {-# INLINE sqrt# #-} 1302 1303 -- | Exponentiation in the Montgomery domain. 1304 -- 1305 -- >>> exp 2 3 1306 -- 8 1307 -- >>> exp 2 10 1308 -- 1024 1309 exp :: Montgomery -> Wider -> Montgomery 1310 exp (Montgomery b) (Wider e) = Montgomery (exp# b e) 1311 1312 exp# 1313 :: Limb4 1314 -> Limb4 1315 -> Limb4 1316 exp# b e = 1317 let !o = L4 0x1000003D1## 0## 0## 0## 1318 loop !r !m !ex n = case n of 1319 0 -> r 1320 _ -> 1321 let !(# ne, bit #) = WW.shr1_c# ex 1322 !candidate = mul# r m 1323 !nr = select# r candidate bit 1324 !nm = sqr# m 1325 in loop nr nm ne (n - 1) 1326 in loop o b e (256 :: Word) 1327 {-# INLINE exp# #-} 1328 1329 odd# :: Limb4 -> C.Choice 1330 odd# = WW.odd# 1331 {-# INLINE odd# #-} 1332 1333 -- | Check if a 'Montgomery' value is odd. 1334 -- 1335 -- Note that the comparison is performed in constant time, but we 1336 -- branch when converting to 'Bool'. 1337 -- 1338 -- >>> odd 1 1339 -- True 1340 -- >>> odd 2 1341 -- False 1342 -- >>> Data.Word.Wider.odd (retr 3) -- parity is preserved 1343 -- True 1344 odd_vartime :: Montgomery -> Bool 1345 odd_vartime (Montgomery m) = C.decide (odd# m) 1346 1347 -- constant-time selection ---------------------------------------------------- 1348 1349 select# 1350 :: Limb4 -- ^ a 1351 -> Limb4 -- ^ b 1352 -> C.Choice -- ^ c 1353 -> Limb4 -- ^ result 1354 select# = WW.select# 1355 {-# INLINE select# #-} 1356 1357 -- | Return a if c is truthy, otherwise return b. 1358 -- 1359 -- >>> import qualified Data.Choice as C 1360 -- >>> select 0 1 (C.true# ()) 1361 -- 1 1362 select 1363 :: Montgomery -- ^ a 1364 -> Montgomery -- ^ b 1365 -> C.Choice -- ^ c 1366 -> Montgomery -- ^ result 1367 select (Montgomery a) (Montgomery b) c = Montgomery (select# a b c) 1368