122 	return &pp[curve - BR_EC_secp256r1];  in id_to_curve()
129  * -- three values, x, y and z, in Montgomery representation
130  * -- affine coordinates are X = x / z^2 and Y = y / z^3
131  * -- for the point at infinity, z = 0
142  *    MSUB(d, a)       d = d-a (modular)
199  *   m = 3*(x + z^2)*(x - z^2)
200  *   x' = m^2 - 2*s
201  *   y' = m*(s - x') - 8*y^4
215 	 * Compute z^2 (in t1).
220 	 * Compute x-z^2 (in t2) and then x+z^2 (in t1).
227 	 * Compute m = 3*(x+z^2)*(x-z^2) (in t1).
235 	 * Compute s = 4*x*y^2 (in t2) and 2*y^2 (in t3).
243 	 * Compute x' = m^2 - 2*s.
250 	 * Compute z' = 2*y*z.
257 	 * Compute y' = m*(s - x') - 8*y^4. Note that we already have
276  *   h = u2 - u1
277  *   r = s2 - s1
278  *   x3 = r^2 - h^3 - 2 * u1 * h^2
279  *   y3 = r * (u1 * h^2 - x3) - s1 * h^3
287  * -- if s1 == s2 then P1 and/or P2 is infinity, or P1 == P2
288  * -- if s1 != s2 then P1 + P2 == infinity (but neither P1 or P2 is infinity)
291  * -- P1 = 0 and P2 != 0
292  * -- P1 != 0 and P2 = 0
293  * -- P1 = P2
300  * -- Both points are on the same horizontal line (same Y coordinate).
301  * -- Both points are infinity.
302  * -- One point is infinity and the other is on line Y = 0.
305  * source points are non-infinity, then remains only the case where the
310  * -- If the returned value is not the point at infinity, then it was properly
312  * -- Otherwise, if the returned flag is 1, then P1+P2 = 0, and the result
314  * -- Otherwise (result is infinity, flag is 0), then P1 = P2 and we should
321 	 * Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).
329 	 * Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).
337 	 * Compute h = u2 - u1 (in t2) and r = s2 - s1 (in t4).
348 	 * Compute u1*h^2 (in t6) and h^3 (in t5).
355 	 * Compute x3 = r^2 - h^3 - 2*u1*h^2.
364 	 * Compute y3 = r*(u1*h^2 - x3) - s1*h^3.
372 	 * Compute z3 = h*z1*z2.
383  * -- Coordinates x and y have been freshly decoded in P1 (but not
385  * -- P2x, P2y and P2z are set to, respectively, R^2, b*R and 1.
395 	/* Compute x^3 in t1. */
407 	/* Compute y^2 in t2. */
410 	/* Compare y^2 with x^3 - 3*x + b; they must match. */
429 	/* Compute z^3 in t2. */
437 	/* Compute y. */
441 	/* Compute (1/z^2) in t3. */
444 	/* Compute x. */
464 	memcpy(t[P1x], P1->c, 3 * I31_LEN * sizeof(uint32_t));  in run_code()
465 	memcpy(t[P2x], P2->c, 3 * I31_LEN * sizeof(uint32_t));  in run_code()
491 			ctl |= NOT(br_i31_sub(t[d], cc->p, 0));  in run_code()
492 			br_i31_sub(t[d], cc->p, ctl);  in run_code()
495 			br_i31_add(t[d], cc->p, br_i31_sub(t[d], t[a], 1));  in run_code()
498 			br_i31_montymul(t[d], t[a], t[b], cc->p, cc->p0i);  in run_code()
501 			plen = (cc->p[0] - (cc->p[0] >> 5) + 7) >> 3;  in run_code()
502 			br_i31_encode(tp, plen, cc->p);  in run_code()
503 			tp[plen - 1] -= 2;  in run_code()
505 				cc->p, cc->p0i, t[a], t[b]);  in run_code()
516 	memcpy(P1->c, t[P1x], 3 * I31_LEN * sizeof(uint32_t));  in run_code()
535 	P->c[0][0] = P->c[1][0] = P->c[2][0] = cc->p[0];  in point_zero()
555 	 * We do a simple double-and-add ladder with a 2-bit window  in point_mul()
578 	while (xlen -- > 0) {  in point_mul()
581 		for (k = 6; k >= 0; k -= 2) {  in point_mul()
613 	 * -- first byte is 0x04;  in point_decode()
614 	 * -- coordinates X and Y use unsigned big-endian, with the same  in point_decode()
623 	 * much used in practice (there are or were patent-related  in point_decode()
635 	plen = (cc->p[0] - (cc->p[0] >> 5) + 7) >> 3;  in point_decode()
639 	r = br_i31_decode_mod(P->c[0], buf + 1, plen, cc->p);  in point_decode()
640 	r &= br_i31_decode_mod(P->c[1], buf + 1 + plen, plen, cc->p);  in point_decode()
654 	zlen = ((cc->p[0] + 63) >> 5) * sizeof(uint32_t);  in point_decode()
655 	memcpy(Q.c[0], cc->R2, zlen);  in point_decode()
656 	memcpy(Q.c[1], cc->b, zlen);  in point_decode()
657 	set_one(Q.c[2], cc->p);  in point_decode()
676 	xbl = cc->p[0];  in point_encode()
677 	xbl -= (xbl >> 5);  in point_encode()
681 	set_one(T.c[2], cc->p);  in point_encode()
707 	*len = cd->generator_len;  in api_generator()
708 	return cd->generator;  in api_generator()
717 	*len = cd->order_len;  in api_order()
718 	return cd->order;  in api_order()
738 	if (Glen != cc->point_len) {  in api_mul()
776 	if (len != cc->point_len) {  in api_muladd()
790 	 * We want to compute P+Q. Since the base points A and B are distinct  in api_muladd()
791 	 * from infinity, and the multipliers are non-zero and lower than the  in api_muladd()
792 	 * curve order, then we know that P and Q are non-infinity. This  in api_muladd()
794 	 * -- If P = Q then we must use point_double().  in api_muladd()
795 	 * -- If P+Q = 0 then we must report an error.  in api_muladd()