_ZN5Botan17ct_expand_top_bitITkNSt3__117unsigned_integralEmEET_S2_:
   28|     24|BOTAN_FORCE_INLINE constexpr T ct_expand_top_bit(T a) {
   29|     24|   const T top = CT::value_barrier<T>(a >> (sizeof(T) * 8 - 1));
   30|     24|   return static_cast<T>(0) - top;
   31|     24|}
_ZN5Botan10ct_is_zeroITkNSt3__117unsigned_integralEmEET_S2_:
   37|     24|BOTAN_FORCE_INLINE constexpr T ct_is_zero(T x) {
   38|     24|   return ct_expand_top_bit<T>(~x & (x - 1));
   39|     24|}
_ZN5Botan6chooseITkNSt3__117unsigned_integralEmEET_S2_S2_S2_:
  216|    360|BOTAN_FORCE_INLINE constexpr T choose(T mask, T a, T b) {
  217|       |   //return (mask & a) | (~mask & b);
  218|    360|   return (b ^ (mask & (a ^ b)));
  219|    360|}

_ZN5Botan2CT4MaskImE7is_zeroEm:
  437|     24|      static constexpr Mask<T> is_zero(T x) { return Mask<T>(ct_is_zero<T>(value_barrier<T>(x))); }
_ZNK5Botan2CT4MaskImE5valueEv:
  630|     48|      constexpr T value() const { return value_barrier<T>(m_mask); }
_ZNK5Botan2CT4MaskImEcoEv:
  533|     24|      constexpr Mask<T> operator~() const { return Mask<T>(~value()); }
_ZN5Botan2CT4MaskImE6expandEm:
  392|     24|      static constexpr Mask<T> expand(T v) { return ~Mask<T>::is_zero(value_barrier<T>(v)); }
_ZN5Botan2CT22conditional_assign_memImEENS0_4MaskIT_EES3_PS3_PKS3_m:
  749|     24|constexpr inline Mask<T> conditional_assign_mem(T cnd, T* dest, const T* src, size_t elems) {
  750|     24|   const auto mask = CT::Mask<T>::expand(cnd);
  751|     24|   mask.select_n(dest, src, dest, elems);
  752|     24|   return mask;
  753|     24|}
_ZN5Botan2CT4MaskImEC2Em:
  637|     48|      constexpr explicit Mask(T m) : m_mask(m) {}
_ZNK5Botan2CT4MaskImE8select_nEPmPKmS5_m:
  565|     24|      constexpr void select_n(T output[], const T x[], const T y[], size_t len) const {
  566|     24|         const T mask = value();
  567|    384|         for(size_t i = 0; i != len; ++i) {
  ------------------
  |  Branch (567:28): [True: 360, False: 24]
  ------------------
  568|    360|            output[i] = choose(mask, x[i], y[i]);
  569|    360|         }
  570|     24|      }

_ZN5Botan5word3ImEC2Ev:
  458|     24|      constexpr word3() : m_w(0) {}
_ZN5Botan5word3ImE3addEm:
  464|    720|      inline constexpr void add(W x) { m_w += x; }
_ZN5Botan5word3ImE10monty_stepEmm:
  472|    360|      inline constexpr W monty_step(W p0, W p_dash) {
  473|    360|         const W w0 = static_cast<W>(m_w);
  474|    360|         const W r = w0 * p_dash;
  475|    360|         mul(r, p0);
  476|    360|         m_w >>= WordInfo<W>::bits;
  477|    360|         return r;
  478|    360|      }
_ZN5Botan5word3ImE3mulEmm:
  460|  7.88k|      inline constexpr void mul(W x, W y) { m_w += static_cast<W3>(x) * y; }
_ZN5Botan5word3ImE7extractEv:
  466|    384|      inline constexpr W extract() {
  467|    384|         W r = static_cast<W>(m_w);
  468|    384|         m_w >>= WordInfo<W>::bits;
  469|    384|         return r;
  470|    384|      }
_ZN5Botan10word8_sub3ITkNS_8WordTypeEmEET_PS1_PKS1_S4_S1_:
  371|     20|inline constexpr auto word8_sub3(W z[8], const W x[8], const W y[8], W carry) -> W {
  372|     20|#if defined(BOTAN_MP_USE_X86_64_ASM)
  373|     20|   if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
  ------------------
  |  Branch (373:7): [True: 0, Folded]
  |  Branch (373:36): [True: 0, Folded]
  ------------------
  374|     20|      asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq"))
  375|     20|                   : [carry] "=r"(carry)
  376|     20|                   : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry)
  377|     20|                   : "cc", "memory");
  378|     20|      return carry;
  379|     20|   }
  380|      0|#endif
  381|       |
  382|      0|   z[0] = word_sub(x[0], y[0], &carry);
  383|      0|   z[1] = word_sub(x[1], y[1], &carry);
  384|      0|   z[2] = word_sub(x[2], y[2], &carry);
  385|      0|   z[3] = word_sub(x[3], y[3], &carry);
  386|      0|   z[4] = word_sub(x[4], y[4], &carry);
  387|      0|   z[5] = word_sub(x[5], y[5], &carry);
  388|      0|   z[6] = word_sub(x[6], y[6], &carry);
  389|      0|   z[7] = word_sub(x[7], y[7], &carry);
  390|      0|   return carry;
  391|     20|}
_ZN5Botan8word_subITkNS_8WordTypeEmEET_S1_S1_PS1_:
  320|    200|inline constexpr auto word_sub(W x, W y, W* carry) -> W {
  321|    200|#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_subc)
  322|    200|   if(!std::is_constant_evaluated()) {
  ------------------
  |  Branch (322:7): [True: 200, Folded]
  ------------------
  323|       |      if constexpr(std::same_as<W, unsigned int>) {
  324|       |         return __builtin_subc(x, y, *carry & 1, carry);
  325|    200|      } else if constexpr(std::same_as<W, unsigned long>) {
  326|    200|         return __builtin_subcl(x, y, *carry & 1, carry);
  327|       |      } else if constexpr(std::same_as<W, unsigned long long>) {
  328|       |         return __builtin_subcll(x, y, *carry & 1, carry);
  329|       |      }
  330|    200|   }
  331|      0|#endif
  332|       |
  333|      0|   const W cb = *carry & 1;
  334|    200|   W t0 = x - y;
  335|    200|   W c1 = (t0 > x);
  336|    200|   W z = t0 - cb;
  337|    200|   *carry = c1 | (z > t0);
  338|    200|   return z;
  339|    200|}

_ZN5Botan22bigint_monty_maybe_subITkNS_8WordTypeEmEEvmPT_S1_PKS1_S4_:
  225|     12|inline constexpr void bigint_monty_maybe_sub(size_t N, W z[], W x0, const W x[], const W p[]) {
  226|     12|   W borrow = 0;
  227|       |
  228|     12|   const size_t blocks = N - (N % 8);
  229|       |
  230|     32|   for(size_t i = 0; i != blocks; i += 8) {
  ------------------
  |  Branch (230:22): [True: 20, False: 12]
  ------------------
  231|     20|      borrow = word8_sub3(z + i, x + i, p + i, borrow);
  232|     20|   }
  233|       |
  234|     32|   for(size_t i = blocks; i != N; ++i) {
  ------------------
  |  Branch (234:27): [True: 20, False: 12]
  ------------------
  235|     20|      z[i] = word_sub(x[i], p[i], &borrow);
  236|     20|   }
  237|       |
  238|     12|   borrow = (x0 - borrow) > x0;
  239|       |
  240|     12|   CT::conditional_assign_mem(borrow, z, x, N);
  241|     12|}
_ZN5Botan22bigint_monty_maybe_subILm4ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_:
  254|      2|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) {
  255|      2|   W borrow = 0;
  256|       |
  257|     10|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (257:22): [True: 8, False: 2]
  ------------------
  258|      8|      z[i] = word_sub(x[i], y[i], &borrow);
  259|      8|   }
  260|       |
  261|      2|   borrow = (x0 - borrow) > x0;
  262|       |
  263|      2|   CT::conditional_assign_mem(borrow, z, x, N);
  264|      2|}
_ZN5Botan22bigint_monty_maybe_subILm6ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_:
  254|      2|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) {
  255|      2|   W borrow = 0;
  256|       |
  257|     14|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (257:22): [True: 12, False: 2]
  ------------------
  258|     12|      z[i] = word_sub(x[i], y[i], &borrow);
  259|     12|   }
  260|       |
  261|      2|   borrow = (x0 - borrow) > x0;
  262|       |
  263|      2|   CT::conditional_assign_mem(borrow, z, x, N);
  264|      2|}
_ZN5Botan22bigint_monty_maybe_subILm8ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_:
  254|      2|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) {
  255|      2|   W borrow = 0;
  256|       |
  257|     18|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (257:22): [True: 16, False: 2]
  ------------------
  258|     16|      z[i] = word_sub(x[i], y[i], &borrow);
  259|     16|   }
  260|       |
  261|      2|   borrow = (x0 - borrow) > x0;
  262|       |
  263|      2|   CT::conditional_assign_mem(borrow, z, x, N);
  264|      2|}
_ZN5Botan22bigint_monty_maybe_subILm16ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_:
  254|      2|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) {
  255|      2|   W borrow = 0;
  256|       |
  257|     34|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (257:22): [True: 32, False: 2]
  ------------------
  258|     32|      z[i] = word_sub(x[i], y[i], &borrow);
  259|     32|   }
  260|       |
  261|      2|   borrow = (x0 - borrow) > x0;
  262|       |
  263|      2|   CT::conditional_assign_mem(borrow, z, x, N);
  264|      2|}
_ZN5Botan22bigint_monty_maybe_subILm24ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_:
  254|      2|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) {
  255|      2|   W borrow = 0;
  256|       |
  257|     50|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (257:22): [True: 48, False: 2]
  ------------------
  258|     48|      z[i] = word_sub(x[i], y[i], &borrow);
  259|     48|   }
  260|       |
  261|      2|   borrow = (x0 - borrow) > x0;
  262|       |
  263|      2|   CT::conditional_assign_mem(borrow, z, x, N);
  264|      2|}
_ZN5Botan22bigint_monty_maybe_subILm32ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_:
  254|      2|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) {
  255|      2|   W borrow = 0;
  256|       |
  257|     66|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (257:22): [True: 64, False: 2]
  ------------------
  258|     64|      z[i] = word_sub(x[i], y[i], &borrow);
  259|     64|   }
  260|       |
  261|      2|   borrow = (x0 - borrow) > x0;
  262|       |
  263|      2|   CT::conditional_assign_mem(borrow, z, x, N);
  264|      2|}

_ZN5Botan2CT13value_barrierITkNSt3__117unsigned_integralEmQntsr3stdE7same_asIbT_EEES3_S3_:
   43|    120|constexpr inline T value_barrier(T x) {
   44|    120|   if(std::is_constant_evaluated()) {
  ------------------
  |  Branch (44:7): [Folded, False: 120]
  ------------------
   45|      0|      return x;
   46|    120|   } else {
   47|    120|#if defined(BOTAN_CT_VALUE_BARRIER_USE_ASM)
   48|       |      /*
   49|       |      * We may want a "stronger" statement such as
   50|       |      *     asm volatile("" : "+r,m"(x) : : "memory);
   51|       |      * (see https://theunixzoo.co.uk/blog/2021-10-14-preventing-optimisations.html)
   52|       |      * however the current approach seems sufficient with current compilers,
   53|       |      * and is minimally damaging with regards to degrading code generation.
   54|       |      */
   55|    120|      asm("" : "+r"(x) : /* no input */);  // NOLINT(*-no-assembler)
   56|    120|      return x;
   57|       |#elif defined(BOTAN_CT_VALUE_BARRIER_USE_VOLATILE)
   58|       |      volatile T vx = x;
   59|       |      return vx;
   60|       |#else
   61|       |      return x;
   62|       |#endif
   63|    120|   }
   64|    120|}

LLVMFuzzerInitialize:
   28|      2|extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** /*argv*/) {
   29|       |   /*
   30|       |   * This disables the mlock pool, as overwrites within the pool are
   31|       |   * opaque to ASan or other instrumentation.
   32|       |   */
   33|      2|   ::setenv("BOTAN_MLOCK_POOL_SIZE", "0", 1);
   34|      2|   return 0;
   35|      2|}
LLVMFuzzerTestOneInput:
   39|     59|extern "C" int LLVMFuzzerTestOneInput(const uint8_t in[], size_t len) {
   40|     59|   if(len <= max_fuzzer_input_size) {
  ------------------
  |  Branch (40:7): [True: 49, False: 10]
  ------------------
   41|     49|      try {
   42|     49|         fuzz(std::span<const uint8_t>(in, len));
   43|     49|      } catch(const std::exception& e) {
   44|      0|         std::cerr << "Uncaught exception from fuzzer driver " << e.what() << "\n";
   45|      0|         abort();
   46|      0|      } catch(...) {
   47|      0|         std::cerr << "Uncaught exception from fuzzer driver (unknown type)\n";
   48|      0|         abort();
   49|      0|      }
   50|     49|   }
   51|     59|   return 0;
   52|     59|}

_Z16compare_word_vecPKmmS0_mPKc:
   37|     12|inline void compare_word_vec(const word x[], size_t x_len, const word y[], size_t y_len, const char* comparing) {
   38|     12|   const size_t common_words = std::min(x_len, y_len);
   39|       |
   40|    192|   for(size_t i = 0; i != common_words; ++i) {
  ------------------
  |  Branch (40:22): [True: 180, False: 12]
  ------------------
   41|    180|      if(x[i] != y[i]) {
  ------------------
  |  Branch (41:10): [True: 0, False: 180]
  ------------------
   42|      0|         dump_word_vec("x", x, x_len);
   43|      0|         dump_word_vec("y", y, y_len);
   44|      0|         FUZZER_WRITE_AND_CRASH("Comparison failed " << comparing);
  ------------------
  |  |   70|      0|   do {                                                                                                       \
  |  |   71|      0|      std::cerr << expr << " @ Line " << __LINE__ << " in " << __FILE__ << "\n"; /* NOLINT(*-macro-paren*) */ \
  |  |   72|      0|      abort();                                                                                                \
  |  |   73|      0|   } while(0)
  |  |  ------------------
  |  |  |  Branch (73:12): [Folded, False: 0]
  |  |  ------------------
  ------------------
   45|      0|      }
   46|    180|   }
   47|       |
   48|       |   // all other words must be zero
   49|     12|   for(size_t i = common_words; i != x_len; ++i) {
  ------------------
  |  Branch (49:33): [True: 0, False: 12]
  ------------------
   50|      0|      if(x[i] != 0) {
  ------------------
  |  Branch (50:10): [True: 0, False: 0]
  ------------------
   51|      0|         dump_word_vec("x", x, x_len);
   52|      0|         dump_word_vec("y", y, y_len);
   53|      0|         FUZZER_WRITE_AND_CRASH("Unexpected non-zero in high words of x " << comparing);
  ------------------
  |  |   70|      0|   do {                                                                                                       \
  |  |   71|      0|      std::cerr << expr << " @ Line " << __LINE__ << " in " << __FILE__ << "\n"; /* NOLINT(*-macro-paren*) */ \
  |  |   72|      0|      abort();                                                                                                \
  |  |   73|      0|   } while(0)
  |  |  ------------------
  |  |  |  Branch (73:12): [Folded, False: 0]
  |  |  ------------------
  ------------------
   54|      0|      }
   55|      0|   }
   56|     12|   for(size_t i = common_words; i != y_len; ++i) {
  ------------------
  |  Branch (56:33): [True: 0, False: 12]
  ------------------
   57|      0|      if(y[i] != 0) {
  ------------------
  |  Branch (57:10): [True: 0, False: 0]
  ------------------
   58|      0|         dump_word_vec("x", x, x_len);
   59|      0|         dump_word_vec("y", y, y_len);
   60|      0|         FUZZER_WRITE_AND_CRASH("Unexpected non-zero in high words of y " << comparing);
  ------------------
  |  |   70|      0|   do {                                                                                                       \
  |  |   71|      0|      std::cerr << expr << " @ Line " << __LINE__ << " in " << __FILE__ << "\n"; /* NOLINT(*-macro-paren*) */ \
  |  |   72|      0|      abort();                                                                                                \
  |  |   73|      0|   } while(0)
  |  |  ------------------
  |  |  |  Branch (73:12): [Folded, False: 0]
  |  |  ------------------
  ------------------
   61|      0|      }
   62|      0|   }
   63|     12|}

_Z4fuzzNSt3__14spanIKhLm18446744073709551615EEE:
   61|     49|void fuzz(std::span<const uint8_t> in) {
   62|     49|   if(in.empty() || in.size() % sizeof(word) != 0) {
  ------------------
  |  Branch (62:7): [True: 0, False: 49]
  |  Branch (62:21): [True: 35, False: 14]
  ------------------
   63|     35|      return;
   64|     35|   }
   65|       |
   66|     14|   const size_t words = in.size() / sizeof(word);
   67|       |
   68|     14|   switch(words) {
   69|      2|      case 4 * 3 + 1:
  ------------------
  |  Branch (69:7): [True: 2, False: 12]
  ------------------
   70|      2|         return fuzz_mp_redc<4>(in);
   71|      2|      case 6 * 3 + 1:
  ------------------
  |  Branch (71:7): [True: 2, False: 12]
  ------------------
   72|      2|         return fuzz_mp_redc<6>(in);
   73|      2|      case 8 * 3 + 1:
  ------------------
  |  Branch (73:7): [True: 2, False: 12]
  ------------------
   74|      2|         return fuzz_mp_redc<8>(in);
   75|      2|      case 16 * 3 + 1:
  ------------------
  |  Branch (75:7): [True: 2, False: 12]
  ------------------
   76|      2|         return fuzz_mp_redc<16>(in);
   77|      2|      case 24 * 3 + 1:
  ------------------
  |  Branch (77:7): [True: 2, False: 12]
  ------------------
   78|      2|         return fuzz_mp_redc<24>(in);
   79|      2|      case 32 * 3 + 1:
  ------------------
  |  Branch (79:7): [True: 2, False: 12]
  ------------------
   80|      2|         return fuzz_mp_redc<32>(in);
   81|      2|      default:
  ------------------
  |  Branch (81:7): [True: 2, False: 12]
  ------------------
   82|      2|         return;
   83|     14|   }
   84|     14|}
mp_redc.cpp:_ZN12_GLOBAL__N_112fuzz_mp_redcILm4EEEvNSt3__14spanIKhLm18446744073709551615EEE:
   12|      2|void fuzz_mp_redc(std::span<const uint8_t> in) {
   13|      2|   FUZZER_ASSERT_EQUAL(in.size(), (N * 3 + 1) * sizeof(word));
  ------------------
  |  |   79|      2|   do {                                                                                      \
  |  |   80|      2|      if((x) != (y)) {                                                                       \
  |  |  ------------------
  |  |  |  Branch (80:10): [True: 0, False: 2]
  |  |  ------------------
  |  |   81|      0|         FUZZER_WRITE_AND_CRASH(#x << " = " << (x) << " != " << #y << " = " << (y) << "\n"); \
  |  |  ------------------
  |  |  |  |   70|      0|   do {                                                                                                       \
  |  |  |  |   71|      0|      std::cerr << expr << " @ Line " << __LINE__ << " in " << __FILE__ << "\n"; /* NOLINT(*-macro-paren*) */ \
  |  |  |  |   72|      0|      abort();                                                                                                \
  |  |  |  |   73|      0|   } while(0)
  |  |  |  |  ------------------
  |  |  |  |  |  Branch (73:12): [Folded, False: 0]
  |  |  |  |  ------------------
  |  |  ------------------
  |  |   82|      0|      }                                                                                      \
  |  |   83|      2|   } while(0)
  |  |  ------------------
  |  |  |  Branch (83:12): [Folded, False: 2]
  |  |  ------------------
  ------------------
   14|       |
   15|      2|   word z[2 * N] = {0};
   16|       |
   17|      2|   word r_script[N] = {0};
   18|      2|   word r_ref[N] = {0};
   19|      2|   word p[N] = {0};
   20|      2|   word p_dash = 0;
   21|       |
   22|      2|   word ws[2 * (N + 1)] = {0};
   23|       |
   24|      2|   std::memcpy(z, in.data(), sizeof(z));
   25|      2|   std::memcpy(p, in.data() + sizeof(z), sizeof(p));
   26|      2|   std::memcpy(&p_dash, in.data() + sizeof(z) + sizeof(p), sizeof(p_dash));
   27|       |
   28|      2|   if(N == 4) {
  ------------------
  |  Branch (28:7): [True: 2, Folded]
  ------------------
   29|      2|      Botan::bigint_monty_redc_4(r_script, z, p, p_dash, ws);
   30|      2|   } else if(N == 6) {
  ------------------
  |  Branch (30:14): [Folded, False: 0]
  ------------------
   31|      0|      Botan::bigint_monty_redc_6(r_script, z, p, p_dash, ws);
   32|      0|   } else if(N == 8) {
  ------------------
  |  Branch (32:14): [Folded, False: 0]
  ------------------
   33|      0|      Botan::bigint_monty_redc_8(r_script, z, p, p_dash, ws);
   34|      0|   } else if(N == 16) {
  ------------------
  |  Branch (34:14): [Folded, False: 0]
  ------------------
   35|      0|      Botan::bigint_monty_redc_16(r_script, z, p, p_dash, ws);
   36|      0|   } else if(N == 24) {
  ------------------
  |  Branch (36:14): [Folded, False: 0]
  ------------------
   37|      0|      Botan::bigint_monty_redc_24(r_script, z, p, p_dash, ws);
   38|      0|   } else if(N == 32) {
  ------------------
  |  Branch (38:14): [Folded, False: 0]
  ------------------
   39|      0|      Botan::bigint_monty_redc_32(r_script, z, p, p_dash, ws);
   40|      0|   } else {
   41|      0|      std::abort();
   42|      0|   }
   43|       |
   44|      2|   Botan::bigint_monty_redc_generic(r_ref, z, 2 * N, p, N, p_dash, ws);
   45|       |
   46|     10|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (46:22): [True: 8, False: 2]
  ------------------
   47|      8|      if(r_script[i] != r_ref[i]) {
  ------------------
  |  Branch (47:10): [True: 0, False: 8]
  ------------------
   48|      0|         dump_word_vec("input", z, 2 * N);
   49|      0|         dump_word_vec("r_script", r_script, 2 * N);
   50|      0|         dump_word_vec("r_ref", r_ref, 2 * N);
   51|      0|         dump_word_vec("p", p, N);
   52|      0|         dump_word_vec("p_dash", &p_dash, 1);
   53|      0|         std::abort();
   54|      0|      }
   55|      8|   }
   56|      2|   compare_word_vec(r_script, N, r_ref, N, "redc generic vs specialized");
   57|      2|}
mp_redc.cpp:_ZN12_GLOBAL__N_112fuzz_mp_redcILm6EEEvNSt3__14spanIKhLm18446744073709551615EEE:
   12|      2|void fuzz_mp_redc(std::span<const uint8_t> in) {
   13|      2|   FUZZER_ASSERT_EQUAL(in.size(), (N * 3 + 1) * sizeof(word));
  ------------------
  |  |   79|      2|   do {                                                                                      \
  |  |   80|      2|      if((x) != (y)) {                                                                       \
  |  |  ------------------
  |  |  |  Branch (80:10): [True: 0, False: 2]
  |  |  ------------------
  |  |   81|      0|         FUZZER_WRITE_AND_CRASH(#x << " = " << (x) << " != " << #y << " = " << (y) << "\n"); \
  |  |  ------------------
  |  |  |  |   70|      0|   do {                                                                                                       \
  |  |  |  |   71|      0|      std::cerr << expr << " @ Line " << __LINE__ << " in " << __FILE__ << "\n"; /* NOLINT(*-macro-paren*) */ \
  |  |  |  |   72|      0|      abort();                                                                                                \
  |  |  |  |   73|      0|   } while(0)
  |  |  |  |  ------------------
  |  |  |  |  |  Branch (73:12): [Folded, False: 0]
  |  |  |  |  ------------------
  |  |  ------------------
  |  |   82|      0|      }                                                                                      \
  |  |   83|      2|   } while(0)
  |  |  ------------------
  |  |  |  Branch (83:12): [Folded, False: 2]
  |  |  ------------------
  ------------------
   14|       |
   15|      2|   word z[2 * N] = {0};
   16|       |
   17|      2|   word r_script[N] = {0};
   18|      2|   word r_ref[N] = {0};
   19|      2|   word p[N] = {0};
   20|      2|   word p_dash = 0;
   21|       |
   22|      2|   word ws[2 * (N + 1)] = {0};
   23|       |
   24|      2|   std::memcpy(z, in.data(), sizeof(z));
   25|      2|   std::memcpy(p, in.data() + sizeof(z), sizeof(p));
   26|      2|   std::memcpy(&p_dash, in.data() + sizeof(z) + sizeof(p), sizeof(p_dash));
   27|       |
   28|      2|   if(N == 4) {
  ------------------
  |  Branch (28:7): [Folded, False: 2]
  ------------------
   29|      0|      Botan::bigint_monty_redc_4(r_script, z, p, p_dash, ws);
   30|      2|   } else if(N == 6) {
  ------------------
  |  Branch (30:14): [True: 2, Folded]
  ------------------
   31|      2|      Botan::bigint_monty_redc_6(r_script, z, p, p_dash, ws);
   32|      2|   } else if(N == 8) {
  ------------------
  |  Branch (32:14): [Folded, False: 0]
  ------------------
   33|      0|      Botan::bigint_monty_redc_8(r_script, z, p, p_dash, ws);
   34|      0|   } else if(N == 16) {
  ------------------
  |  Branch (34:14): [Folded, False: 0]
  ------------------
   35|      0|      Botan::bigint_monty_redc_16(r_script, z, p, p_dash, ws);
   36|      0|   } else if(N == 24) {
  ------------------
  |  Branch (36:14): [Folded, False: 0]
  ------------------
   37|      0|      Botan::bigint_monty_redc_24(r_script, z, p, p_dash, ws);
   38|      0|   } else if(N == 32) {
  ------------------
  |  Branch (38:14): [Folded, False: 0]
  ------------------
   39|      0|      Botan::bigint_monty_redc_32(r_script, z, p, p_dash, ws);
   40|      0|   } else {
   41|      0|      std::abort();
   42|      0|   }
   43|       |
   44|      2|   Botan::bigint_monty_redc_generic(r_ref, z, 2 * N, p, N, p_dash, ws);
   45|       |
   46|     14|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (46:22): [True: 12, False: 2]
  ------------------
   47|     12|      if(r_script[i] != r_ref[i]) {
  ------------------
  |  Branch (47:10): [True: 0, False: 12]
  ------------------
   48|      0|         dump_word_vec("input", z, 2 * N);
   49|      0|         dump_word_vec("r_script", r_script, 2 * N);
   50|      0|         dump_word_vec("r_ref", r_ref, 2 * N);
   51|      0|         dump_word_vec("p", p, N);
   52|      0|         dump_word_vec("p_dash", &p_dash, 1);
   53|      0|         std::abort();
   54|      0|      }
   55|     12|   }
   56|      2|   compare_word_vec(r_script, N, r_ref, N, "redc generic vs specialized");
   57|      2|}
mp_redc.cpp:_ZN12_GLOBAL__N_112fuzz_mp_redcILm8EEEvNSt3__14spanIKhLm18446744073709551615EEE:
   12|      2|void fuzz_mp_redc(std::span<const uint8_t> in) {
   13|      2|   FUZZER_ASSERT_EQUAL(in.size(), (N * 3 + 1) * sizeof(word));
  ------------------
  |  |   79|      2|   do {                                                                                      \
  |  |   80|      2|      if((x) != (y)) {                                                                       \
  |  |  ------------------
  |  |  |  Branch (80:10): [True: 0, False: 2]
  |  |  ------------------
  |  |   81|      0|         FUZZER_WRITE_AND_CRASH(#x << " = " << (x) << " != " << #y << " = " << (y) << "\n"); \
  |  |  ------------------
  |  |  |  |   70|      0|   do {                                                                                                       \
  |  |  |  |   71|      0|      std::cerr << expr << " @ Line " << __LINE__ << " in " << __FILE__ << "\n"; /* NOLINT(*-macro-paren*) */ \
  |  |  |  |   72|      0|      abort();                                                                                                \
  |  |  |  |   73|      0|   } while(0)
  |  |  |  |  ------------------
  |  |  |  |  |  Branch (73:12): [Folded, False: 0]
  |  |  |  |  ------------------
  |  |  ------------------
  |  |   82|      0|      }                                                                                      \
  |  |   83|      2|   } while(0)
  |  |  ------------------
  |  |  |  Branch (83:12): [Folded, False: 2]
  |  |  ------------------
  ------------------
   14|       |
   15|      2|   word z[2 * N] = {0};
   16|       |
   17|      2|   word r_script[N] = {0};
   18|      2|   word r_ref[N] = {0};
   19|      2|   word p[N] = {0};
   20|      2|   word p_dash = 0;
   21|       |
   22|      2|   word ws[2 * (N + 1)] = {0};
   23|       |
   24|      2|   std::memcpy(z, in.data(), sizeof(z));
   25|      2|   std::memcpy(p, in.data() + sizeof(z), sizeof(p));
   26|      2|   std::memcpy(&p_dash, in.data() + sizeof(z) + sizeof(p), sizeof(p_dash));
   27|       |
   28|      2|   if(N == 4) {
  ------------------
  |  Branch (28:7): [Folded, False: 2]
  ------------------
   29|      0|      Botan::bigint_monty_redc_4(r_script, z, p, p_dash, ws);
   30|      2|   } else if(N == 6) {
  ------------------
  |  Branch (30:14): [Folded, False: 2]
  ------------------
   31|      0|      Botan::bigint_monty_redc_6(r_script, z, p, p_dash, ws);
   32|      2|   } else if(N == 8) {
  ------------------
  |  Branch (32:14): [True: 2, Folded]
  ------------------
   33|      2|      Botan::bigint_monty_redc_8(r_script, z, p, p_dash, ws);
   34|      2|   } else if(N == 16) {
  ------------------
  |  Branch (34:14): [Folded, False: 0]
  ------------------
   35|      0|      Botan::bigint_monty_redc_16(r_script, z, p, p_dash, ws);
   36|      0|   } else if(N == 24) {
  ------------------
  |  Branch (36:14): [Folded, False: 0]
  ------------------
   37|      0|      Botan::bigint_monty_redc_24(r_script, z, p, p_dash, ws);
   38|      0|   } else if(N == 32) {
  ------------------
  |  Branch (38:14): [Folded, False: 0]
  ------------------
   39|      0|      Botan::bigint_monty_redc_32(r_script, z, p, p_dash, ws);
   40|      0|   } else {
   41|      0|      std::abort();
   42|      0|   }
   43|       |
   44|      2|   Botan::bigint_monty_redc_generic(r_ref, z, 2 * N, p, N, p_dash, ws);
   45|       |
   46|     18|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (46:22): [True: 16, False: 2]
  ------------------
   47|     16|      if(r_script[i] != r_ref[i]) {
  ------------------
  |  Branch (47:10): [True: 0, False: 16]
  ------------------
   48|      0|         dump_word_vec("input", z, 2 * N);
   49|      0|         dump_word_vec("r_script", r_script, 2 * N);
   50|      0|         dump_word_vec("r_ref", r_ref, 2 * N);
   51|      0|         dump_word_vec("p", p, N);
   52|      0|         dump_word_vec("p_dash", &p_dash, 1);
   53|      0|         std::abort();
   54|      0|      }
   55|     16|   }
   56|      2|   compare_word_vec(r_script, N, r_ref, N, "redc generic vs specialized");
   57|      2|}
mp_redc.cpp:_ZN12_GLOBAL__N_112fuzz_mp_redcILm16EEEvNSt3__14spanIKhLm18446744073709551615EEE:
   12|      2|void fuzz_mp_redc(std::span<const uint8_t> in) {
   13|      2|   FUZZER_ASSERT_EQUAL(in.size(), (N * 3 + 1) * sizeof(word));
  ------------------
  |  |   79|      2|   do {                                                                                      \
  |  |   80|      2|      if((x) != (y)) {                                                                       \
  |  |  ------------------
  |  |  |  Branch (80:10): [True: 0, False: 2]
  |  |  ------------------
  |  |   81|      0|         FUZZER_WRITE_AND_CRASH(#x << " = " << (x) << " != " << #y << " = " << (y) << "\n"); \
  |  |  ------------------
  |  |  |  |   70|      0|   do {                                                                                                       \
  |  |  |  |   71|      0|      std::cerr << expr << " @ Line " << __LINE__ << " in " << __FILE__ << "\n"; /* NOLINT(*-macro-paren*) */ \
  |  |  |  |   72|      0|      abort();                                                                                                \
  |  |  |  |   73|      0|   } while(0)
  |  |  |  |  ------------------
  |  |  |  |  |  Branch (73:12): [Folded, False: 0]
  |  |  |  |  ------------------
  |  |  ------------------
  |  |   82|      0|      }                                                                                      \
  |  |   83|      2|   } while(0)
  |  |  ------------------
  |  |  |  Branch (83:12): [Folded, False: 2]
  |  |  ------------------
  ------------------
   14|       |
   15|      2|   word z[2 * N] = {0};
   16|       |
   17|      2|   word r_script[N] = {0};
   18|      2|   word r_ref[N] = {0};
   19|      2|   word p[N] = {0};
   20|      2|   word p_dash = 0;
   21|       |
   22|      2|   word ws[2 * (N + 1)] = {0};
   23|       |
   24|      2|   std::memcpy(z, in.data(), sizeof(z));
   25|      2|   std::memcpy(p, in.data() + sizeof(z), sizeof(p));
   26|      2|   std::memcpy(&p_dash, in.data() + sizeof(z) + sizeof(p), sizeof(p_dash));
   27|       |
   28|      2|   if(N == 4) {
  ------------------
  |  Branch (28:7): [Folded, False: 2]
  ------------------
   29|      0|      Botan::bigint_monty_redc_4(r_script, z, p, p_dash, ws);
   30|      2|   } else if(N == 6) {
  ------------------
  |  Branch (30:14): [Folded, False: 2]
  ------------------
   31|      0|      Botan::bigint_monty_redc_6(r_script, z, p, p_dash, ws);
   32|      2|   } else if(N == 8) {
  ------------------
  |  Branch (32:14): [Folded, False: 2]
  ------------------
   33|      0|      Botan::bigint_monty_redc_8(r_script, z, p, p_dash, ws);
   34|      2|   } else if(N == 16) {
  ------------------
  |  Branch (34:14): [True: 2, Folded]
  ------------------
   35|      2|      Botan::bigint_monty_redc_16(r_script, z, p, p_dash, ws);
   36|      2|   } else if(N == 24) {
  ------------------
  |  Branch (36:14): [Folded, False: 0]
  ------------------
   37|      0|      Botan::bigint_monty_redc_24(r_script, z, p, p_dash, ws);
   38|      0|   } else if(N == 32) {
  ------------------
  |  Branch (38:14): [Folded, False: 0]
  ------------------
   39|      0|      Botan::bigint_monty_redc_32(r_script, z, p, p_dash, ws);
   40|      0|   } else {
   41|      0|      std::abort();
   42|      0|   }
   43|       |
   44|      2|   Botan::bigint_monty_redc_generic(r_ref, z, 2 * N, p, N, p_dash, ws);
   45|       |
   46|     34|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (46:22): [True: 32, False: 2]
  ------------------
   47|     32|      if(r_script[i] != r_ref[i]) {
  ------------------
  |  Branch (47:10): [True: 0, False: 32]
  ------------------
   48|      0|         dump_word_vec("input", z, 2 * N);
   49|      0|         dump_word_vec("r_script", r_script, 2 * N);
   50|      0|         dump_word_vec("r_ref", r_ref, 2 * N);
   51|      0|         dump_word_vec("p", p, N);
   52|      0|         dump_word_vec("p_dash", &p_dash, 1);
   53|      0|         std::abort();
   54|      0|      }
   55|     32|   }
   56|      2|   compare_word_vec(r_script, N, r_ref, N, "redc generic vs specialized");
   57|      2|}
mp_redc.cpp:_ZN12_GLOBAL__N_112fuzz_mp_redcILm24EEEvNSt3__14spanIKhLm18446744073709551615EEE:
   12|      2|void fuzz_mp_redc(std::span<const uint8_t> in) {
   13|      2|   FUZZER_ASSERT_EQUAL(in.size(), (N * 3 + 1) * sizeof(word));
  ------------------
  |  |   79|      2|   do {                                                                                      \
  |  |   80|      2|      if((x) != (y)) {                                                                       \
  |  |  ------------------
  |  |  |  Branch (80:10): [True: 0, False: 2]
  |  |  ------------------
  |  |   81|      0|         FUZZER_WRITE_AND_CRASH(#x << " = " << (x) << " != " << #y << " = " << (y) << "\n"); \
  |  |  ------------------
  |  |  |  |   70|      0|   do {                                                                                                       \
  |  |  |  |   71|      0|      std::cerr << expr << " @ Line " << __LINE__ << " in " << __FILE__ << "\n"; /* NOLINT(*-macro-paren*) */ \
  |  |  |  |   72|      0|      abort();                                                                                                \
  |  |  |  |   73|      0|   } while(0)
  |  |  |  |  ------------------
  |  |  |  |  |  Branch (73:12): [Folded, False: 0]
  |  |  |  |  ------------------
  |  |  ------------------
  |  |   82|      0|      }                                                                                      \
  |  |   83|      2|   } while(0)
  |  |  ------------------
  |  |  |  Branch (83:12): [Folded, False: 2]
  |  |  ------------------
  ------------------
   14|       |
   15|      2|   word z[2 * N] = {0};
   16|       |
   17|      2|   word r_script[N] = {0};
   18|      2|   word r_ref[N] = {0};
   19|      2|   word p[N] = {0};
   20|      2|   word p_dash = 0;
   21|       |
   22|      2|   word ws[2 * (N + 1)] = {0};
   23|       |
   24|      2|   std::memcpy(z, in.data(), sizeof(z));
   25|      2|   std::memcpy(p, in.data() + sizeof(z), sizeof(p));
   26|      2|   std::memcpy(&p_dash, in.data() + sizeof(z) + sizeof(p), sizeof(p_dash));
   27|       |
   28|      2|   if(N == 4) {
  ------------------
  |  Branch (28:7): [Folded, False: 2]
  ------------------
   29|      0|      Botan::bigint_monty_redc_4(r_script, z, p, p_dash, ws);
   30|      2|   } else if(N == 6) {
  ------------------
  |  Branch (30:14): [Folded, False: 2]
  ------------------
   31|      0|      Botan::bigint_monty_redc_6(r_script, z, p, p_dash, ws);
   32|      2|   } else if(N == 8) {
  ------------------
  |  Branch (32:14): [Folded, False: 2]
  ------------------
   33|      0|      Botan::bigint_monty_redc_8(r_script, z, p, p_dash, ws);
   34|      2|   } else if(N == 16) {
  ------------------
  |  Branch (34:14): [Folded, False: 2]
  ------------------
   35|      0|      Botan::bigint_monty_redc_16(r_script, z, p, p_dash, ws);
   36|      2|   } else if(N == 24) {
  ------------------
  |  Branch (36:14): [True: 2, Folded]
  ------------------
   37|      2|      Botan::bigint_monty_redc_24(r_script, z, p, p_dash, ws);
   38|      2|   } else if(N == 32) {
  ------------------
  |  Branch (38:14): [Folded, False: 0]
  ------------------
   39|      0|      Botan::bigint_monty_redc_32(r_script, z, p, p_dash, ws);
   40|      0|   } else {
   41|      0|      std::abort();
   42|      0|   }
   43|       |
   44|      2|   Botan::bigint_monty_redc_generic(r_ref, z, 2 * N, p, N, p_dash, ws);
   45|       |
   46|     50|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (46:22): [True: 48, False: 2]
  ------------------
   47|     48|      if(r_script[i] != r_ref[i]) {
  ------------------
  |  Branch (47:10): [True: 0, False: 48]
  ------------------
   48|      0|         dump_word_vec("input", z, 2 * N);
   49|      0|         dump_word_vec("r_script", r_script, 2 * N);
   50|      0|         dump_word_vec("r_ref", r_ref, 2 * N);
   51|      0|         dump_word_vec("p", p, N);
   52|      0|         dump_word_vec("p_dash", &p_dash, 1);
   53|      0|         std::abort();
   54|      0|      }
   55|     48|   }
   56|      2|   compare_word_vec(r_script, N, r_ref, N, "redc generic vs specialized");
   57|      2|}
mp_redc.cpp:_ZN12_GLOBAL__N_112fuzz_mp_redcILm32EEEvNSt3__14spanIKhLm18446744073709551615EEE:
   12|      2|void fuzz_mp_redc(std::span<const uint8_t> in) {
   13|      2|   FUZZER_ASSERT_EQUAL(in.size(), (N * 3 + 1) * sizeof(word));
  ------------------
  |  |   79|      2|   do {                                                                                      \
  |  |   80|      2|      if((x) != (y)) {                                                                       \
  |  |  ------------------
  |  |  |  Branch (80:10): [True: 0, False: 2]
  |  |  ------------------
  |  |   81|      0|         FUZZER_WRITE_AND_CRASH(#x << " = " << (x) << " != " << #y << " = " << (y) << "\n"); \
  |  |  ------------------
  |  |  |  |   70|      0|   do {                                                                                                       \
  |  |  |  |   71|      0|      std::cerr << expr << " @ Line " << __LINE__ << " in " << __FILE__ << "\n"; /* NOLINT(*-macro-paren*) */ \
  |  |  |  |   72|      0|      abort();                                                                                                \
  |  |  |  |   73|      0|   } while(0)
  |  |  |  |  ------------------
  |  |  |  |  |  Branch (73:12): [Folded, False: 0]
  |  |  |  |  ------------------
  |  |  ------------------
  |  |   82|      0|      }                                                                                      \
  |  |   83|      2|   } while(0)
  |  |  ------------------
  |  |  |  Branch (83:12): [Folded, False: 2]
  |  |  ------------------
  ------------------
   14|       |
   15|      2|   word z[2 * N] = {0};
   16|       |
   17|      2|   word r_script[N] = {0};
   18|      2|   word r_ref[N] = {0};
   19|      2|   word p[N] = {0};
   20|      2|   word p_dash = 0;
   21|       |
   22|      2|   word ws[2 * (N + 1)] = {0};
   23|       |
   24|      2|   std::memcpy(z, in.data(), sizeof(z));
   25|      2|   std::memcpy(p, in.data() + sizeof(z), sizeof(p));
   26|      2|   std::memcpy(&p_dash, in.data() + sizeof(z) + sizeof(p), sizeof(p_dash));
   27|       |
   28|      2|   if(N == 4) {
  ------------------
  |  Branch (28:7): [Folded, False: 2]
  ------------------
   29|      0|      Botan::bigint_monty_redc_4(r_script, z, p, p_dash, ws);
   30|      2|   } else if(N == 6) {
  ------------------
  |  Branch (30:14): [Folded, False: 2]
  ------------------
   31|      0|      Botan::bigint_monty_redc_6(r_script, z, p, p_dash, ws);
   32|      2|   } else if(N == 8) {
  ------------------
  |  Branch (32:14): [Folded, False: 2]
  ------------------
   33|      0|      Botan::bigint_monty_redc_8(r_script, z, p, p_dash, ws);
   34|      2|   } else if(N == 16) {
  ------------------
  |  Branch (34:14): [Folded, False: 2]
  ------------------
   35|      0|      Botan::bigint_monty_redc_16(r_script, z, p, p_dash, ws);
   36|      2|   } else if(N == 24) {
  ------------------
  |  Branch (36:14): [Folded, False: 2]
  ------------------
   37|      0|      Botan::bigint_monty_redc_24(r_script, z, p, p_dash, ws);
   38|      2|   } else if(N == 32) {
  ------------------
  |  Branch (38:14): [True: 2, Folded]
  ------------------
   39|      2|      Botan::bigint_monty_redc_32(r_script, z, p, p_dash, ws);
   40|      2|   } else {
   41|      0|      std::abort();
   42|      0|   }
   43|       |
   44|      2|   Botan::bigint_monty_redc_generic(r_ref, z, 2 * N, p, N, p_dash, ws);
   45|       |
   46|     66|   for(size_t i = 0; i != N; ++i) {
  ------------------
  |  Branch (46:22): [True: 64, False: 2]
  ------------------
   47|     64|      if(r_script[i] != r_ref[i]) {
  ------------------
  |  Branch (47:10): [True: 0, False: 64]
  ------------------
   48|      0|         dump_word_vec("input", z, 2 * N);
   49|      0|         dump_word_vec("r_script", r_script, 2 * N);
   50|      0|         dump_word_vec("r_ref", r_ref, 2 * N);
   51|      0|         dump_word_vec("p", p, N);
   52|      0|         dump_word_vec("p_dash", &p_dash, 1);
   53|      0|         std::abort();
   54|      0|      }
   55|     64|   }
   56|      2|   compare_word_vec(r_script, N, r_ref, N, "redc generic vs specialized");
   57|      2|}

_ZN5Botan25bigint_monty_redc_genericEPmPKmmS2_mmS0_:
   91|     12|   word r[], const word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[]) {
   92|     12|   BOTAN_ARG_CHECK(z_size >= 2 * p_size && p_size > 0, "Invalid sizes for bigint_monty_redc_generic");
  ------------------
  |  |   35|     12|   do {                                                          \
  |  |   36|     12|      /* NOLINTNEXTLINE(*-simplify-boolean-expr) */              \
  |  |   37|     24|      if(!(expr)) {                                              \
  |  |  ------------------
  |  |  |  Branch (37:12): [True: 12, False: 0]
  |  |  |  Branch (37:12): [True: 12, False: 0]
  |  |  ------------------
  |  |   38|      0|         /* NOLINTNEXTLINE(bugprone-lambda-function-name) */     \
  |  |   39|      0|         Botan::throw_invalid_argument(msg, __func__, __FILE__); \
  |  |   40|      0|      }                                                          \
  |  |   41|     12|   } while(0)
  |  |  ------------------
  |  |  |  Branch (41:12): [Folded, False: 12]
  |  |  ------------------
  ------------------
   93|       |
   94|     12|   word3<word> accum;
   95|       |
   96|     12|   accum.add(z[0]);
   97|       |
   98|     12|   ws[0] = accum.monty_step(p[0], p_dash);
   99|       |
  100|    180|   for(size_t i = 1; i != p_size; ++i) {
  ------------------
  |  Branch (100:22): [True: 168, False: 12]
  ------------------
  101|    168|      mul_rev_range(accum, ws, p, i);
  102|    168|      accum.add(z[i]);
  103|    168|      ws[i] = accum.monty_step(p[0], p_dash);
  104|    168|   }
  105|       |
  106|    180|   for(size_t i = 0; i != p_size - 1; ++i) {
  ------------------
  |  Branch (106:22): [True: 168, False: 12]
  ------------------
  107|    168|      mul_rev_range(accum, &ws[i + 1], &p[i], p_size - (i + 1));
  108|    168|      accum.add(z[p_size + i]);
  109|    168|      ws[i] = accum.extract();
  110|    168|   }
  111|       |
  112|     12|   accum.add(z[2 * p_size - 1]);
  113|       |
  114|     12|   ws[p_size - 1] = accum.extract();
  115|       |   // w1 is the final part, which is not stored in the workspace
  116|     12|   const word w1 = accum.extract();
  117|       |
  118|       |   /*
  119|       |   * The result might need to be reduced mod p. To avoid a timing
  120|       |   * channel, always perform the subtraction. If in the computation
  121|       |   * of x - p a borrow is required then x was already < p.
  122|       |   *
  123|       |   * x starts at ws[0] and is p_size bytes long plus a possible high
  124|       |   * digit left over in w1.
  125|       |   *
  126|       |   * x - p starts at z[0] and is also p_size bytes long
  127|       |   *
  128|       |   * If borrow was set after the subtraction, then x was already less
  129|       |   * than p and the subtraction was not needed. In that case overwrite
  130|       |   * z[0:p_size] with the original x in ws[0:p_size].
  131|       |   *
  132|       |   * We only copy out p_size in the final step because we know
  133|       |   * the Montgomery result is < P
  134|       |   */
  135|       |
  136|     12|   bigint_monty_maybe_sub(p_size, r, w1, ws, p);
  137|     12|}
mp_monty.cpp:_ZN5Botan12_GLOBAL__N_113mul_rev_rangeERNS_5word3ImEEPKmS5_m:
   18|    336|BOTAN_FORCE_INLINE void mul_rev_range(word3<word>& accum, const word ws[], const word p[], size_t bound) {
   19|       |   /*
   20|       |   Unrolled version of:
   21|       |
   22|       |   for(size_t i = 0; i < bound; ++i) {
   23|       |      accum.mul(ws[i], p[bound - i]);
   24|       |   }
   25|       |   */
   26|       |
   27|    336|   size_t lower = 0;
   28|  1.08k|   while(lower < bound) {
  ------------------
  |  Branch (28:10): [True: 748, False: 336]
  ------------------
   29|    748|      const size_t upper = bound - lower;
   30|       |
   31|    748|      if(upper >= 16) {
  ------------------
  |  Branch (31:10): [True: 96, False: 652]
  ------------------
   32|     96|         accum.mul(ws[lower], p[upper]);
   33|     96|         accum.mul(ws[lower + 1], p[upper - 1]);
   34|     96|         accum.mul(ws[lower + 2], p[upper - 2]);
   35|     96|         accum.mul(ws[lower + 3], p[upper - 3]);
   36|     96|         accum.mul(ws[lower + 4], p[upper - 4]);
   37|     96|         accum.mul(ws[lower + 5], p[upper - 5]);
   38|     96|         accum.mul(ws[lower + 6], p[upper - 6]);
   39|     96|         accum.mul(ws[lower + 7], p[upper - 7]);
   40|     96|         accum.mul(ws[lower + 8], p[upper - 8]);
   41|     96|         accum.mul(ws[lower + 9], p[upper - 9]);
   42|     96|         accum.mul(ws[lower + 10], p[upper - 10]);
   43|     96|         accum.mul(ws[lower + 11], p[upper - 11]);
   44|     96|         accum.mul(ws[lower + 12], p[upper - 12]);
   45|     96|         accum.mul(ws[lower + 13], p[upper - 13]);
   46|     96|         accum.mul(ws[lower + 14], p[upper - 14]);
   47|     96|         accum.mul(ws[lower + 15], p[upper - 15]);
   48|     96|         lower += 16;
   49|    652|      } else if(upper >= 8) {
  ------------------
  |  Branch (49:17): [True: 128, False: 524]
  ------------------
   50|    128|         accum.mul(ws[lower], p[upper]);
   51|    128|         accum.mul(ws[lower + 1], p[upper - 1]);
   52|    128|         accum.mul(ws[lower + 2], p[upper - 2]);
   53|    128|         accum.mul(ws[lower + 3], p[upper - 3]);
   54|    128|         accum.mul(ws[lower + 4], p[upper - 4]);
   55|    128|         accum.mul(ws[lower + 5], p[upper - 5]);
   56|    128|         accum.mul(ws[lower + 6], p[upper - 6]);
   57|    128|         accum.mul(ws[lower + 7], p[upper - 7]);
   58|    128|         lower += 8;
   59|    524|      } else if(upper >= 4) {
  ------------------
  |  Branch (59:17): [True: 168, False: 356]
  ------------------
   60|    168|         accum.mul(ws[lower], p[upper]);
   61|    168|         accum.mul(ws[lower + 1], p[upper - 1]);
   62|    168|         accum.mul(ws[lower + 2], p[upper - 2]);
   63|    168|         accum.mul(ws[lower + 3], p[upper - 3]);
   64|    168|         lower += 4;
   65|    356|      } else if(upper >= 2) {
  ------------------
  |  Branch (65:17): [True: 176, False: 180]
  ------------------
   66|    176|         accum.mul(ws[lower], p[upper]);
   67|    176|         accum.mul(ws[lower + 1], p[upper - 1]);
   68|    176|         lower += 2;
   69|    180|      } else {
   70|    180|         accum.mul(ws[lower], p[upper]);
   71|    180|         lower += 1;
   72|    180|      }
   73|    748|   }
   74|    336|}

_ZN5Botan19bigint_monty_redc_4EPmPKmS2_mS0_:
   12|      2|void bigint_monty_redc_4(word r[4], const word z[8], const word p[4], word p_dash, word ws[4]) {
   13|      2|   word3<word> accum;
   14|      2|   accum.add(z[0]);
   15|      2|   ws[0] = accum.monty_step(p[0], p_dash);
   16|      2|   accum.mul(ws[0], p[1]);
   17|      2|   accum.add(z[1]);
   18|      2|   ws[1] = accum.monty_step(p[0], p_dash);
   19|      2|   accum.mul(ws[0], p[2]);
   20|      2|   accum.mul(ws[1], p[1]);
   21|      2|   accum.add(z[2]);
   22|      2|   ws[2] = accum.monty_step(p[0], p_dash);
   23|      2|   accum.mul(ws[0], p[3]);
   24|      2|   accum.mul(ws[1], p[2]);
   25|      2|   accum.mul(ws[2], p[1]);
   26|      2|   accum.add(z[3]);
   27|      2|   ws[3] = accum.monty_step(p[0], p_dash);
   28|      2|   accum.mul(ws[1], p[3]);
   29|      2|   accum.mul(ws[2], p[2]);
   30|      2|   accum.mul(ws[3], p[1]);
   31|      2|   accum.add(z[4]);
   32|      2|   ws[0] = accum.extract();
   33|      2|   accum.mul(ws[2], p[3]);
   34|      2|   accum.mul(ws[3], p[2]);
   35|      2|   accum.add(z[5]);
   36|      2|   ws[1] = accum.extract();
   37|      2|   accum.mul(ws[3], p[3]);
   38|      2|   accum.add(z[6]);
   39|      2|   ws[2] = accum.extract();
   40|      2|   accum.add(z[7]);
   41|      2|   ws[3] = accum.extract();
   42|      2|   const word w1 = accum.extract();
   43|      2|   bigint_monty_maybe_sub<4>(r, w1, ws, p);
   44|      2|}
_ZN5Botan19bigint_monty_redc_6EPmPKmS2_mS0_:
   46|      2|void bigint_monty_redc_6(word r[6], const word z[12], const word p[6], word p_dash, word ws[6]) {
   47|      2|   word3<word> accum;
   48|      2|   accum.add(z[0]);
   49|      2|   ws[0] = accum.monty_step(p[0], p_dash);
   50|      2|   accum.mul(ws[0], p[1]);
   51|      2|   accum.add(z[1]);
   52|      2|   ws[1] = accum.monty_step(p[0], p_dash);
   53|      2|   accum.mul(ws[0], p[2]);
   54|      2|   accum.mul(ws[1], p[1]);
   55|      2|   accum.add(z[2]);
   56|      2|   ws[2] = accum.monty_step(p[0], p_dash);
   57|      2|   accum.mul(ws[0], p[3]);
   58|      2|   accum.mul(ws[1], p[2]);
   59|      2|   accum.mul(ws[2], p[1]);
   60|      2|   accum.add(z[3]);
   61|      2|   ws[3] = accum.monty_step(p[0], p_dash);
   62|      2|   accum.mul(ws[0], p[4]);
   63|      2|   accum.mul(ws[1], p[3]);
   64|      2|   accum.mul(ws[2], p[2]);
   65|      2|   accum.mul(ws[3], p[1]);
   66|      2|   accum.add(z[4]);
   67|      2|   ws[4] = accum.monty_step(p[0], p_dash);
   68|      2|   accum.mul(ws[0], p[5]);
   69|      2|   accum.mul(ws[1], p[4]);
   70|      2|   accum.mul(ws[2], p[3]);
   71|      2|   accum.mul(ws[3], p[2]);
   72|      2|   accum.mul(ws[4], p[1]);
   73|      2|   accum.add(z[5]);
   74|      2|   ws[5] = accum.monty_step(p[0], p_dash);
   75|      2|   accum.mul(ws[1], p[5]);
   76|      2|   accum.mul(ws[2], p[4]);
   77|      2|   accum.mul(ws[3], p[3]);
   78|      2|   accum.mul(ws[4], p[2]);
   79|      2|   accum.mul(ws[5], p[1]);
   80|      2|   accum.add(z[6]);
   81|      2|   ws[0] = accum.extract();
   82|      2|   accum.mul(ws[2], p[5]);
   83|      2|   accum.mul(ws[3], p[4]);
   84|      2|   accum.mul(ws[4], p[3]);
   85|      2|   accum.mul(ws[5], p[2]);
   86|      2|   accum.add(z[7]);
   87|      2|   ws[1] = accum.extract();
   88|      2|   accum.mul(ws[3], p[5]);
   89|      2|   accum.mul(ws[4], p[4]);
   90|      2|   accum.mul(ws[5], p[3]);
   91|      2|   accum.add(z[8]);
   92|      2|   ws[2] = accum.extract();
   93|      2|   accum.mul(ws[4], p[5]);
   94|      2|   accum.mul(ws[5], p[4]);
   95|      2|   accum.add(z[9]);
   96|      2|   ws[3] = accum.extract();
   97|      2|   accum.mul(ws[5], p[5]);
   98|      2|   accum.add(z[10]);
   99|      2|   ws[4] = accum.extract();
  100|      2|   accum.add(z[11]);
  101|      2|   ws[5] = accum.extract();
  102|      2|   const word w1 = accum.extract();
  103|      2|   bigint_monty_maybe_sub<6>(r, w1, ws, p);
  104|      2|}
_ZN5Botan19bigint_monty_redc_8EPmPKmS2_mS0_:
  106|      2|void bigint_monty_redc_8(word r[8], const word z[16], const word p[8], word p_dash, word ws[8]) {
  107|      2|   word3<word> accum;
  108|      2|   accum.add(z[0]);
  109|      2|   ws[0] = accum.monty_step(p[0], p_dash);
  110|      2|   accum.mul(ws[0], p[1]);
  111|      2|   accum.add(z[1]);
  112|      2|   ws[1] = accum.monty_step(p[0], p_dash);
  113|      2|   accum.mul(ws[0], p[2]);
  114|      2|   accum.mul(ws[1], p[1]);
  115|      2|   accum.add(z[2]);
  116|      2|   ws[2] = accum.monty_step(p[0], p_dash);
  117|      2|   accum.mul(ws[0], p[3]);
  118|      2|   accum.mul(ws[1], p[2]);
  119|      2|   accum.mul(ws[2], p[1]);
  120|      2|   accum.add(z[3]);
  121|      2|   ws[3] = accum.monty_step(p[0], p_dash);
  122|      2|   accum.mul(ws[0], p[4]);
  123|      2|   accum.mul(ws[1], p[3]);
  124|      2|   accum.mul(ws[2], p[2]);
  125|      2|   accum.mul(ws[3], p[1]);
  126|      2|   accum.add(z[4]);
  127|      2|   ws[4] = accum.monty_step(p[0], p_dash);
  128|      2|   accum.mul(ws[0], p[5]);
  129|      2|   accum.mul(ws[1], p[4]);
  130|      2|   accum.mul(ws[2], p[3]);
  131|      2|   accum.mul(ws[3], p[2]);
  132|      2|   accum.mul(ws[4], p[1]);
  133|      2|   accum.add(z[5]);
  134|      2|   ws[5] = accum.monty_step(p[0], p_dash);
  135|      2|   accum.mul(ws[0], p[6]);
  136|      2|   accum.mul(ws[1], p[5]);
  137|      2|   accum.mul(ws[2], p[4]);
  138|      2|   accum.mul(ws[3], p[3]);
  139|      2|   accum.mul(ws[4], p[2]);
  140|      2|   accum.mul(ws[5], p[1]);
  141|      2|   accum.add(z[6]);
  142|      2|   ws[6] = accum.monty_step(p[0], p_dash);
  143|      2|   accum.mul(ws[0], p[7]);
  144|      2|   accum.mul(ws[1], p[6]);
  145|      2|   accum.mul(ws[2], p[5]);
  146|      2|   accum.mul(ws[3], p[4]);
  147|      2|   accum.mul(ws[4], p[3]);
  148|      2|   accum.mul(ws[5], p[2]);
  149|      2|   accum.mul(ws[6], p[1]);
  150|      2|   accum.add(z[7]);
  151|      2|   ws[7] = accum.monty_step(p[0], p_dash);
  152|      2|   accum.mul(ws[1], p[7]);
  153|      2|   accum.mul(ws[2], p[6]);
  154|      2|   accum.mul(ws[3], p[5]);
  155|      2|   accum.mul(ws[4], p[4]);
  156|      2|   accum.mul(ws[5], p[3]);
  157|      2|   accum.mul(ws[6], p[2]);
  158|      2|   accum.mul(ws[7], p[1]);
  159|      2|   accum.add(z[8]);
  160|      2|   ws[0] = accum.extract();
  161|      2|   accum.mul(ws[2], p[7]);
  162|      2|   accum.mul(ws[3], p[6]);
  163|      2|   accum.mul(ws[4], p[5]);
  164|      2|   accum.mul(ws[5], p[4]);
  165|      2|   accum.mul(ws[6], p[3]);
  166|      2|   accum.mul(ws[7], p[2]);
  167|      2|   accum.add(z[9]);
  168|      2|   ws[1] = accum.extract();
  169|      2|   accum.mul(ws[3], p[7]);
  170|      2|   accum.mul(ws[4], p[6]);
  171|      2|   accum.mul(ws[5], p[5]);
  172|      2|   accum.mul(ws[6], p[4]);
  173|      2|   accum.mul(ws[7], p[3]);
  174|      2|   accum.add(z[10]);
  175|      2|   ws[2] = accum.extract();
  176|      2|   accum.mul(ws[4], p[7]);
  177|      2|   accum.mul(ws[5], p[6]);
  178|      2|   accum.mul(ws[6], p[5]);
  179|      2|   accum.mul(ws[7], p[4]);
  180|      2|   accum.add(z[11]);
  181|      2|   ws[3] = accum.extract();
  182|      2|   accum.mul(ws[5], p[7]);
  183|      2|   accum.mul(ws[6], p[6]);
  184|      2|   accum.mul(ws[7], p[5]);
  185|      2|   accum.add(z[12]);
  186|      2|   ws[4] = accum.extract();
  187|      2|   accum.mul(ws[6], p[7]);
  188|      2|   accum.mul(ws[7], p[6]);
  189|      2|   accum.add(z[13]);
  190|      2|   ws[5] = accum.extract();
  191|      2|   accum.mul(ws[7], p[7]);
  192|      2|   accum.add(z[14]);
  193|      2|   ws[6] = accum.extract();
  194|      2|   accum.add(z[15]);
  195|      2|   ws[7] = accum.extract();
  196|      2|   const word w1 = accum.extract();
  197|      2|   bigint_monty_maybe_sub<8>(r, w1, ws, p);
  198|      2|}
_ZN5Botan20bigint_monty_redc_16EPmPKmS2_mS0_:
  386|      2|void bigint_monty_redc_16(word r[16], const word z[32], const word p[16], word p_dash, word ws[16]) {
  387|      2|   word3<word> accum;
  388|      2|   accum.add(z[0]);
  389|      2|   ws[0] = accum.monty_step(p[0], p_dash);
  390|      2|   accum.mul(ws[0], p[1]);
  391|      2|   accum.add(z[1]);
  392|      2|   ws[1] = accum.monty_step(p[0], p_dash);
  393|      2|   accum.mul(ws[0], p[2]);
  394|      2|   accum.mul(ws[1], p[1]);
  395|      2|   accum.add(z[2]);
  396|      2|   ws[2] = accum.monty_step(p[0], p_dash);
  397|      2|   accum.mul(ws[0], p[3]);
  398|      2|   accum.mul(ws[1], p[2]);
  399|      2|   accum.mul(ws[2], p[1]);
  400|      2|   accum.add(z[3]);
  401|      2|   ws[3] = accum.monty_step(p[0], p_dash);
  402|      2|   accum.mul(ws[0], p[4]);
  403|      2|   accum.mul(ws[1], p[3]);
  404|      2|   accum.mul(ws[2], p[2]);
  405|      2|   accum.mul(ws[3], p[1]);
  406|      2|   accum.add(z[4]);
  407|      2|   ws[4] = accum.monty_step(p[0], p_dash);
  408|      2|   accum.mul(ws[0], p[5]);
  409|      2|   accum.mul(ws[1], p[4]);
  410|      2|   accum.mul(ws[2], p[3]);
  411|      2|   accum.mul(ws[3], p[2]);
  412|      2|   accum.mul(ws[4], p[1]);
  413|      2|   accum.add(z[5]);
  414|      2|   ws[5] = accum.monty_step(p[0], p_dash);
  415|      2|   accum.mul(ws[0], p[6]);
  416|      2|   accum.mul(ws[1], p[5]);
  417|      2|   accum.mul(ws[2], p[4]);
  418|      2|   accum.mul(ws[3], p[3]);
  419|      2|   accum.mul(ws[4], p[2]);
  420|      2|   accum.mul(ws[5], p[1]);
  421|      2|   accum.add(z[6]);
  422|      2|   ws[6] = accum.monty_step(p[0], p_dash);
  423|      2|   accum.mul(ws[0], p[7]);
  424|      2|   accum.mul(ws[1], p[6]);
  425|      2|   accum.mul(ws[2], p[5]);
  426|      2|   accum.mul(ws[3], p[4]);
  427|      2|   accum.mul(ws[4], p[3]);
  428|      2|   accum.mul(ws[5], p[2]);
  429|      2|   accum.mul(ws[6], p[1]);
  430|      2|   accum.add(z[7]);
  431|      2|   ws[7] = accum.monty_step(p[0], p_dash);
  432|      2|   accum.mul(ws[0], p[8]);
  433|      2|   accum.mul(ws[1], p[7]);
  434|      2|   accum.mul(ws[2], p[6]);
  435|      2|   accum.mul(ws[3], p[5]);
  436|      2|   accum.mul(ws[4], p[4]);
  437|      2|   accum.mul(ws[5], p[3]);
  438|      2|   accum.mul(ws[6], p[2]);
  439|      2|   accum.mul(ws[7], p[1]);
  440|      2|   accum.add(z[8]);
  441|      2|   ws[8] = accum.monty_step(p[0], p_dash);
  442|      2|   accum.mul(ws[0], p[9]);
  443|      2|   accum.mul(ws[1], p[8]);
  444|      2|   accum.mul(ws[2], p[7]);
  445|      2|   accum.mul(ws[3], p[6]);
  446|      2|   accum.mul(ws[4], p[5]);
  447|      2|   accum.mul(ws[5], p[4]);
  448|      2|   accum.mul(ws[6], p[3]);
  449|      2|   accum.mul(ws[7], p[2]);
  450|      2|   accum.mul(ws[8], p[1]);
  451|      2|   accum.add(z[9]);
  452|      2|   ws[9] = accum.monty_step(p[0], p_dash);
  453|      2|   accum.mul(ws[0], p[10]);
  454|      2|   accum.mul(ws[1], p[9]);
  455|      2|   accum.mul(ws[2], p[8]);
  456|      2|   accum.mul(ws[3], p[7]);
  457|      2|   accum.mul(ws[4], p[6]);
  458|      2|   accum.mul(ws[5], p[5]);
  459|      2|   accum.mul(ws[6], p[4]);
  460|      2|   accum.mul(ws[7], p[3]);
  461|      2|   accum.mul(ws[8], p[2]);
  462|      2|   accum.mul(ws[9], p[1]);
  463|      2|   accum.add(z[10]);
  464|      2|   ws[10] = accum.monty_step(p[0], p_dash);
  465|      2|   accum.mul(ws[0], p[11]);
  466|      2|   accum.mul(ws[1], p[10]);
  467|      2|   accum.mul(ws[2], p[9]);
  468|      2|   accum.mul(ws[3], p[8]);
  469|      2|   accum.mul(ws[4], p[7]);
  470|      2|   accum.mul(ws[5], p[6]);
  471|      2|   accum.mul(ws[6], p[5]);
  472|      2|   accum.mul(ws[7], p[4]);
  473|      2|   accum.mul(ws[8], p[3]);
  474|      2|   accum.mul(ws[9], p[2]);
  475|      2|   accum.mul(ws[10], p[1]);
  476|      2|   accum.add(z[11]);
  477|      2|   ws[11] = accum.monty_step(p[0], p_dash);
  478|      2|   accum.mul(ws[0], p[12]);
  479|      2|   accum.mul(ws[1], p[11]);
  480|      2|   accum.mul(ws[2], p[10]);
  481|      2|   accum.mul(ws[3], p[9]);
  482|      2|   accum.mul(ws[4], p[8]);
  483|      2|   accum.mul(ws[5], p[7]);
  484|      2|   accum.mul(ws[6], p[6]);
  485|      2|   accum.mul(ws[7], p[5]);
  486|      2|   accum.mul(ws[8], p[4]);
  487|      2|   accum.mul(ws[9], p[3]);
  488|      2|   accum.mul(ws[10], p[2]);
  489|      2|   accum.mul(ws[11], p[1]);
  490|      2|   accum.add(z[12]);
  491|      2|   ws[12] = accum.monty_step(p[0], p_dash);
  492|      2|   accum.mul(ws[0], p[13]);
  493|      2|   accum.mul(ws[1], p[12]);
  494|      2|   accum.mul(ws[2], p[11]);
  495|      2|   accum.mul(ws[3], p[10]);
  496|      2|   accum.mul(ws[4], p[9]);
  497|      2|   accum.mul(ws[5], p[8]);
  498|      2|   accum.mul(ws[6], p[7]);
  499|      2|   accum.mul(ws[7], p[6]);
  500|      2|   accum.mul(ws[8], p[5]);
  501|      2|   accum.mul(ws[9], p[4]);
  502|      2|   accum.mul(ws[10], p[3]);
  503|      2|   accum.mul(ws[11], p[2]);
  504|      2|   accum.mul(ws[12], p[1]);
  505|      2|   accum.add(z[13]);
  506|      2|   ws[13] = accum.monty_step(p[0], p_dash);
  507|      2|   accum.mul(ws[0], p[14]);
  508|      2|   accum.mul(ws[1], p[13]);
  509|      2|   accum.mul(ws[2], p[12]);
  510|      2|   accum.mul(ws[3], p[11]);
  511|      2|   accum.mul(ws[4], p[10]);
  512|      2|   accum.mul(ws[5], p[9]);
  513|      2|   accum.mul(ws[6], p[8]);
  514|      2|   accum.mul(ws[7], p[7]);
  515|      2|   accum.mul(ws[8], p[6]);
  516|      2|   accum.mul(ws[9], p[5]);
  517|      2|   accum.mul(ws[10], p[4]);
  518|      2|   accum.mul(ws[11], p[3]);
  519|      2|   accum.mul(ws[12], p[2]);
  520|      2|   accum.mul(ws[13], p[1]);
  521|      2|   accum.add(z[14]);
  522|      2|   ws[14] = accum.monty_step(p[0], p_dash);
  523|      2|   accum.mul(ws[0], p[15]);
  524|      2|   accum.mul(ws[1], p[14]);
  525|      2|   accum.mul(ws[2], p[13]);
  526|      2|   accum.mul(ws[3], p[12]);
  527|      2|   accum.mul(ws[4], p[11]);
  528|      2|   accum.mul(ws[5], p[10]);
  529|      2|   accum.mul(ws[6], p[9]);
  530|      2|   accum.mul(ws[7], p[8]);
  531|      2|   accum.mul(ws[8], p[7]);
  532|      2|   accum.mul(ws[9], p[6]);
  533|      2|   accum.mul(ws[10], p[5]);
  534|      2|   accum.mul(ws[11], p[4]);
  535|      2|   accum.mul(ws[12], p[3]);
  536|      2|   accum.mul(ws[13], p[2]);
  537|      2|   accum.mul(ws[14], p[1]);
  538|      2|   accum.add(z[15]);
  539|      2|   ws[15] = accum.monty_step(p[0], p_dash);
  540|      2|   accum.mul(ws[1], p[15]);
  541|      2|   accum.mul(ws[2], p[14]);
  542|      2|   accum.mul(ws[3], p[13]);
  543|      2|   accum.mul(ws[4], p[12]);
  544|      2|   accum.mul(ws[5], p[11]);
  545|      2|   accum.mul(ws[6], p[10]);
  546|      2|   accum.mul(ws[7], p[9]);
  547|      2|   accum.mul(ws[8], p[8]);
  548|      2|   accum.mul(ws[9], p[7]);
  549|      2|   accum.mul(ws[10], p[6]);
  550|      2|   accum.mul(ws[11], p[5]);
  551|      2|   accum.mul(ws[12], p[4]);
  552|      2|   accum.mul(ws[13], p[3]);
  553|      2|   accum.mul(ws[14], p[2]);
  554|      2|   accum.mul(ws[15], p[1]);
  555|      2|   accum.add(z[16]);
  556|      2|   ws[0] = accum.extract();
  557|      2|   accum.mul(ws[2], p[15]);
  558|      2|   accum.mul(ws[3], p[14]);
  559|      2|   accum.mul(ws[4], p[13]);
  560|      2|   accum.mul(ws[5], p[12]);
  561|      2|   accum.mul(ws[6], p[11]);
  562|      2|   accum.mul(ws[7], p[10]);
  563|      2|   accum.mul(ws[8], p[9]);
  564|      2|   accum.mul(ws[9], p[8]);
  565|      2|   accum.mul(ws[10], p[7]);
  566|      2|   accum.mul(ws[11], p[6]);
  567|      2|   accum.mul(ws[12], p[5]);
  568|      2|   accum.mul(ws[13], p[4]);
  569|      2|   accum.mul(ws[14], p[3]);
  570|      2|   accum.mul(ws[15], p[2]);
  571|      2|   accum.add(z[17]);
  572|      2|   ws[1] = accum.extract();
  573|      2|   accum.mul(ws[3], p[15]);
  574|      2|   accum.mul(ws[4], p[14]);
  575|      2|   accum.mul(ws[5], p[13]);
  576|      2|   accum.mul(ws[6], p[12]);
  577|      2|   accum.mul(ws[7], p[11]);
  578|      2|   accum.mul(ws[8], p[10]);
  579|      2|   accum.mul(ws[9], p[9]);
  580|      2|   accum.mul(ws[10], p[8]);
  581|      2|   accum.mul(ws[11], p[7]);
  582|      2|   accum.mul(ws[12], p[6]);
  583|      2|   accum.mul(ws[13], p[5]);
  584|      2|   accum.mul(ws[14], p[4]);
  585|      2|   accum.mul(ws[15], p[3]);
  586|      2|   accum.add(z[18]);
  587|      2|   ws[2] = accum.extract();
  588|      2|   accum.mul(ws[4], p[15]);
  589|      2|   accum.mul(ws[5], p[14]);
  590|      2|   accum.mul(ws[6], p[13]);
  591|      2|   accum.mul(ws[7], p[12]);
  592|      2|   accum.mul(ws[8], p[11]);
  593|      2|   accum.mul(ws[9], p[10]);
  594|      2|   accum.mul(ws[10], p[9]);
  595|      2|   accum.mul(ws[11], p[8]);
  596|      2|   accum.mul(ws[12], p[7]);
  597|      2|   accum.mul(ws[13], p[6]);
  598|      2|   accum.mul(ws[14], p[5]);
  599|      2|   accum.mul(ws[15], p[4]);
  600|      2|   accum.add(z[19]);
  601|      2|   ws[3] = accum.extract();
  602|      2|   accum.mul(ws[5], p[15]);
  603|      2|   accum.mul(ws[6], p[14]);
  604|      2|   accum.mul(ws[7], p[13]);
  605|      2|   accum.mul(ws[8], p[12]);
  606|      2|   accum.mul(ws[9], p[11]);
  607|      2|   accum.mul(ws[10], p[10]);
  608|      2|   accum.mul(ws[11], p[9]);
  609|      2|   accum.mul(ws[12], p[8]);
  610|      2|   accum.mul(ws[13], p[7]);
  611|      2|   accum.mul(ws[14], p[6]);
  612|      2|   accum.mul(ws[15], p[5]);
  613|      2|   accum.add(z[20]);
  614|      2|   ws[4] = accum.extract();
  615|      2|   accum.mul(ws[6], p[15]);
  616|      2|   accum.mul(ws[7], p[14]);
  617|      2|   accum.mul(ws[8], p[13]);
  618|      2|   accum.mul(ws[9], p[12]);
  619|      2|   accum.mul(ws[10], p[11]);
  620|      2|   accum.mul(ws[11], p[10]);
  621|      2|   accum.mul(ws[12], p[9]);
  622|      2|   accum.mul(ws[13], p[8]);
  623|      2|   accum.mul(ws[14], p[7]);
  624|      2|   accum.mul(ws[15], p[6]);
  625|      2|   accum.add(z[21]);
  626|      2|   ws[5] = accum.extract();
  627|      2|   accum.mul(ws[7], p[15]);
  628|      2|   accum.mul(ws[8], p[14]);
  629|      2|   accum.mul(ws[9], p[13]);
  630|      2|   accum.mul(ws[10], p[12]);
  631|      2|   accum.mul(ws[11], p[11]);
  632|      2|   accum.mul(ws[12], p[10]);
  633|      2|   accum.mul(ws[13], p[9]);
  634|      2|   accum.mul(ws[14], p[8]);
  635|      2|   accum.mul(ws[15], p[7]);
  636|      2|   accum.add(z[22]);
  637|      2|   ws[6] = accum.extract();
  638|      2|   accum.mul(ws[8], p[15]);
  639|      2|   accum.mul(ws[9], p[14]);
  640|      2|   accum.mul(ws[10], p[13]);
  641|      2|   accum.mul(ws[11], p[12]);
  642|      2|   accum.mul(ws[12], p[11]);
  643|      2|   accum.mul(ws[13], p[10]);
  644|      2|   accum.mul(ws[14], p[9]);
  645|      2|   accum.mul(ws[15], p[8]);
  646|      2|   accum.add(z[23]);
  647|      2|   ws[7] = accum.extract();
  648|      2|   accum.mul(ws[9], p[15]);
  649|      2|   accum.mul(ws[10], p[14]);
  650|      2|   accum.mul(ws[11], p[13]);
  651|      2|   accum.mul(ws[12], p[12]);
  652|      2|   accum.mul(ws[13], p[11]);
  653|      2|   accum.mul(ws[14], p[10]);
  654|      2|   accum.mul(ws[15], p[9]);
  655|      2|   accum.add(z[24]);
  656|      2|   ws[8] = accum.extract();
  657|      2|   accum.mul(ws[10], p[15]);
  658|      2|   accum.mul(ws[11], p[14]);
  659|      2|   accum.mul(ws[12], p[13]);
  660|      2|   accum.mul(ws[13], p[12]);
  661|      2|   accum.mul(ws[14], p[11]);
  662|      2|   accum.mul(ws[15], p[10]);
  663|      2|   accum.add(z[25]);
  664|      2|   ws[9] = accum.extract();
  665|      2|   accum.mul(ws[11], p[15]);
  666|      2|   accum.mul(ws[12], p[14]);
  667|      2|   accum.mul(ws[13], p[13]);
  668|      2|   accum.mul(ws[14], p[12]);
  669|      2|   accum.mul(ws[15], p[11]);
  670|      2|   accum.add(z[26]);
  671|      2|   ws[10] = accum.extract();
  672|      2|   accum.mul(ws[12], p[15]);
  673|      2|   accum.mul(ws[13], p[14]);
  674|      2|   accum.mul(ws[14], p[13]);
  675|      2|   accum.mul(ws[15], p[12]);
  676|      2|   accum.add(z[27]);
  677|      2|   ws[11] = accum.extract();
  678|      2|   accum.mul(ws[13], p[15]);
  679|      2|   accum.mul(ws[14], p[14]);
  680|      2|   accum.mul(ws[15], p[13]);
  681|      2|   accum.add(z[28]);
  682|      2|   ws[12] = accum.extract();
  683|      2|   accum.mul(ws[14], p[15]);
  684|      2|   accum.mul(ws[15], p[14]);
  685|      2|   accum.add(z[29]);
  686|      2|   ws[13] = accum.extract();
  687|      2|   accum.mul(ws[15], p[15]);
  688|      2|   accum.add(z[30]);
  689|      2|   ws[14] = accum.extract();
  690|      2|   accum.add(z[31]);
  691|      2|   ws[15] = accum.extract();
  692|      2|   const word w1 = accum.extract();
  693|      2|   bigint_monty_maybe_sub<16>(r, w1, ws, p);
  694|      2|}
_ZN5Botan20bigint_monty_redc_24EPmPKmS2_mS0_:
  696|      2|void bigint_monty_redc_24(word r[24], const word z[48], const word p[24], word p_dash, word ws[24]) {
  697|      2|   word3<word> accum;
  698|      2|   accum.add(z[0]);
  699|      2|   ws[0] = accum.monty_step(p[0], p_dash);
  700|      2|   accum.mul(ws[0], p[1]);
  701|      2|   accum.add(z[1]);
  702|      2|   ws[1] = accum.monty_step(p[0], p_dash);
  703|      2|   accum.mul(ws[0], p[2]);
  704|      2|   accum.mul(ws[1], p[1]);
  705|      2|   accum.add(z[2]);
  706|      2|   ws[2] = accum.monty_step(p[0], p_dash);
  707|      2|   accum.mul(ws[0], p[3]);
  708|      2|   accum.mul(ws[1], p[2]);
  709|      2|   accum.mul(ws[2], p[1]);
  710|      2|   accum.add(z[3]);
  711|      2|   ws[3] = accum.monty_step(p[0], p_dash);
  712|      2|   accum.mul(ws[0], p[4]);
  713|      2|   accum.mul(ws[1], p[3]);
  714|      2|   accum.mul(ws[2], p[2]);
  715|      2|   accum.mul(ws[3], p[1]);
  716|      2|   accum.add(z[4]);
  717|      2|   ws[4] = accum.monty_step(p[0], p_dash);
  718|      2|   accum.mul(ws[0], p[5]);
  719|      2|   accum.mul(ws[1], p[4]);
  720|      2|   accum.mul(ws[2], p[3]);
  721|      2|   accum.mul(ws[3], p[2]);
  722|      2|   accum.mul(ws[4], p[1]);
  723|      2|   accum.add(z[5]);
  724|      2|   ws[5] = accum.monty_step(p[0], p_dash);
  725|      2|   accum.mul(ws[0], p[6]);
  726|      2|   accum.mul(ws[1], p[5]);
  727|      2|   accum.mul(ws[2], p[4]);
  728|      2|   accum.mul(ws[3], p[3]);
  729|      2|   accum.mul(ws[4], p[2]);
  730|      2|   accum.mul(ws[5], p[1]);
  731|      2|   accum.add(z[6]);
  732|      2|   ws[6] = accum.monty_step(p[0], p_dash);
  733|      2|   accum.mul(ws[0], p[7]);
  734|      2|   accum.mul(ws[1], p[6]);
  735|      2|   accum.mul(ws[2], p[5]);
  736|      2|   accum.mul(ws[3], p[4]);
  737|      2|   accum.mul(ws[4], p[3]);
  738|      2|   accum.mul(ws[5], p[2]);
  739|      2|   accum.mul(ws[6], p[1]);
  740|      2|   accum.add(z[7]);
  741|      2|   ws[7] = accum.monty_step(p[0], p_dash);
  742|      2|   accum.mul(ws[0], p[8]);
  743|      2|   accum.mul(ws[1], p[7]);
  744|      2|   accum.mul(ws[2], p[6]);
  745|      2|   accum.mul(ws[3], p[5]);
  746|      2|   accum.mul(ws[4], p[4]);
  747|      2|   accum.mul(ws[5], p[3]);
  748|      2|   accum.mul(ws[6], p[2]);
  749|      2|   accum.mul(ws[7], p[1]);
  750|      2|   accum.add(z[8]);
  751|      2|   ws[8] = accum.monty_step(p[0], p_dash);
  752|      2|   accum.mul(ws[0], p[9]);
  753|      2|   accum.mul(ws[1], p[8]);
  754|      2|   accum.mul(ws[2], p[7]);
  755|      2|   accum.mul(ws[3], p[6]);
  756|      2|   accum.mul(ws[4], p[5]);
  757|      2|   accum.mul(ws[5], p[4]);
  758|      2|   accum.mul(ws[6], p[3]);
  759|      2|   accum.mul(ws[7], p[2]);
  760|      2|   accum.mul(ws[8], p[1]);
  761|      2|   accum.add(z[9]);
  762|      2|   ws[9] = accum.monty_step(p[0], p_dash);
  763|      2|   accum.mul(ws[0], p[10]);
  764|      2|   accum.mul(ws[1], p[9]);
  765|      2|   accum.mul(ws[2], p[8]);
  766|      2|   accum.mul(ws[3], p[7]);
  767|      2|   accum.mul(ws[4], p[6]);
  768|      2|   accum.mul(ws[5], p[5]);
  769|      2|   accum.mul(ws[6], p[4]);
  770|      2|   accum.mul(ws[7], p[3]);
  771|      2|   accum.mul(ws[8], p[2]);
  772|      2|   accum.mul(ws[9], p[1]);
  773|      2|   accum.add(z[10]);
  774|      2|   ws[10] = accum.monty_step(p[0], p_dash);
  775|      2|   accum.mul(ws[0], p[11]);
  776|      2|   accum.mul(ws[1], p[10]);
  777|      2|   accum.mul(ws[2], p[9]);
  778|      2|   accum.mul(ws[3], p[8]);
  779|      2|   accum.mul(ws[4], p[7]);
  780|      2|   accum.mul(ws[5], p[6]);
  781|      2|   accum.mul(ws[6], p[5]);
  782|      2|   accum.mul(ws[7], p[4]);
  783|      2|   accum.mul(ws[8], p[3]);
  784|      2|   accum.mul(ws[9], p[2]);
  785|      2|   accum.mul(ws[10], p[1]);
  786|      2|   accum.add(z[11]);
  787|      2|   ws[11] = accum.monty_step(p[0], p_dash);
  788|      2|   accum.mul(ws[0], p[12]);
  789|      2|   accum.mul(ws[1], p[11]);
  790|      2|   accum.mul(ws[2], p[10]);
  791|      2|   accum.mul(ws[3], p[9]);
  792|      2|   accum.mul(ws[4], p[8]);
  793|      2|   accum.mul(ws[5], p[7]);
  794|      2|   accum.mul(ws[6], p[6]);
  795|      2|   accum.mul(ws[7], p[5]);
  796|      2|   accum.mul(ws[8], p[4]);
  797|      2|   accum.mul(ws[9], p[3]);
  798|      2|   accum.mul(ws[10], p[2]);
  799|      2|   accum.mul(ws[11], p[1]);
  800|      2|   accum.add(z[12]);
  801|      2|   ws[12] = accum.monty_step(p[0], p_dash);
  802|      2|   accum.mul(ws[0], p[13]);
  803|      2|   accum.mul(ws[1], p[12]);
  804|      2|   accum.mul(ws[2], p[11]);
  805|      2|   accum.mul(ws[3], p[10]);
  806|      2|   accum.mul(ws[4], p[9]);
  807|      2|   accum.mul(ws[5], p[8]);
  808|      2|   accum.mul(ws[6], p[7]);
  809|      2|   accum.mul(ws[7], p[6]);
  810|      2|   accum.mul(ws[8], p[5]);
  811|      2|   accum.mul(ws[9], p[4]);
  812|      2|   accum.mul(ws[10], p[3]);
  813|      2|   accum.mul(ws[11], p[2]);
  814|      2|   accum.mul(ws[12], p[1]);
  815|      2|   accum.add(z[13]);
  816|      2|   ws[13] = accum.monty_step(p[0], p_dash);
  817|      2|   accum.mul(ws[0], p[14]);
  818|      2|   accum.mul(ws[1], p[13]);
  819|      2|   accum.mul(ws[2], p[12]);
  820|      2|   accum.mul(ws[3], p[11]);
  821|      2|   accum.mul(ws[4], p[10]);
  822|      2|   accum.mul(ws[5], p[9]);
  823|      2|   accum.mul(ws[6], p[8]);
  824|      2|   accum.mul(ws[7], p[7]);
  825|      2|   accum.mul(ws[8], p[6]);
  826|      2|   accum.mul(ws[9], p[5]);
  827|      2|   accum.mul(ws[10], p[4]);
  828|      2|   accum.mul(ws[11], p[3]);
  829|      2|   accum.mul(ws[12], p[2]);
  830|      2|   accum.mul(ws[13], p[1]);
  831|      2|   accum.add(z[14]);
  832|      2|   ws[14] = accum.monty_step(p[0], p_dash);
  833|      2|   accum.mul(ws[0], p[15]);
  834|      2|   accum.mul(ws[1], p[14]);
  835|      2|   accum.mul(ws[2], p[13]);
  836|      2|   accum.mul(ws[3], p[12]);
  837|      2|   accum.mul(ws[4], p[11]);
  838|      2|   accum.mul(ws[5], p[10]);
  839|      2|   accum.mul(ws[6], p[9]);
  840|      2|   accum.mul(ws[7], p[8]);
  841|      2|   accum.mul(ws[8], p[7]);
  842|      2|   accum.mul(ws[9], p[6]);
  843|      2|   accum.mul(ws[10], p[5]);
  844|      2|   accum.mul(ws[11], p[4]);
  845|      2|   accum.mul(ws[12], p[3]);
  846|      2|   accum.mul(ws[13], p[2]);
  847|      2|   accum.mul(ws[14], p[1]);
  848|      2|   accum.add(z[15]);
  849|      2|   ws[15] = accum.monty_step(p[0], p_dash);
  850|      2|   accum.mul(ws[0], p[16]);
  851|      2|   accum.mul(ws[1], p[15]);
  852|      2|   accum.mul(ws[2], p[14]);
  853|      2|   accum.mul(ws[3], p[13]);
  854|      2|   accum.mul(ws[4], p[12]);
  855|      2|   accum.mul(ws[5], p[11]);
  856|      2|   accum.mul(ws[6], p[10]);
  857|      2|   accum.mul(ws[7], p[9]);
  858|      2|   accum.mul(ws[8], p[8]);
  859|      2|   accum.mul(ws[9], p[7]);
  860|      2|   accum.mul(ws[10], p[6]);
  861|      2|   accum.mul(ws[11], p[5]);
  862|      2|   accum.mul(ws[12], p[4]);
  863|      2|   accum.mul(ws[13], p[3]);
  864|      2|   accum.mul(ws[14], p[2]);
  865|      2|   accum.mul(ws[15], p[1]);
  866|      2|   accum.add(z[16]);
  867|      2|   ws[16] = accum.monty_step(p[0], p_dash);
  868|      2|   accum.mul(ws[0], p[17]);
  869|      2|   accum.mul(ws[1], p[16]);
  870|      2|   accum.mul(ws[2], p[15]);
  871|      2|   accum.mul(ws[3], p[14]);
  872|      2|   accum.mul(ws[4], p[13]);
  873|      2|   accum.mul(ws[5], p[12]);
  874|      2|   accum.mul(ws[6], p[11]);
  875|      2|   accum.mul(ws[7], p[10]);
  876|      2|   accum.mul(ws[8], p[9]);
  877|      2|   accum.mul(ws[9], p[8]);
  878|      2|   accum.mul(ws[10], p[7]);
  879|      2|   accum.mul(ws[11], p[6]);
  880|      2|   accum.mul(ws[12], p[5]);
  881|      2|   accum.mul(ws[13], p[4]);
  882|      2|   accum.mul(ws[14], p[3]);
  883|      2|   accum.mul(ws[15], p[2]);
  884|      2|   accum.mul(ws[16], p[1]);
  885|      2|   accum.add(z[17]);
  886|      2|   ws[17] = accum.monty_step(p[0], p_dash);
  887|      2|   accum.mul(ws[0], p[18]);
  888|      2|   accum.mul(ws[1], p[17]);
  889|      2|   accum.mul(ws[2], p[16]);
  890|      2|   accum.mul(ws[3], p[15]);
  891|      2|   accum.mul(ws[4], p[14]);
  892|      2|   accum.mul(ws[5], p[13]);
  893|      2|   accum.mul(ws[6], p[12]);
  894|      2|   accum.mul(ws[7], p[11]);
  895|      2|   accum.mul(ws[8], p[10]);
  896|      2|   accum.mul(ws[9], p[9]);
  897|      2|   accum.mul(ws[10], p[8]);
  898|      2|   accum.mul(ws[11], p[7]);
  899|      2|   accum.mul(ws[12], p[6]);
  900|      2|   accum.mul(ws[13], p[5]);
  901|      2|   accum.mul(ws[14], p[4]);
  902|      2|   accum.mul(ws[15], p[3]);
  903|      2|   accum.mul(ws[16], p[2]);
  904|      2|   accum.mul(ws[17], p[1]);
  905|      2|   accum.add(z[18]);
  906|      2|   ws[18] = accum.monty_step(p[0], p_dash);
  907|      2|   accum.mul(ws[0], p[19]);
  908|      2|   accum.mul(ws[1], p[18]);
  909|      2|   accum.mul(ws[2], p[17]);
  910|      2|   accum.mul(ws[3], p[16]);
  911|      2|   accum.mul(ws[4], p[15]);
  912|      2|   accum.mul(ws[5], p[14]);
  913|      2|   accum.mul(ws[6], p[13]);
  914|      2|   accum.mul(ws[7], p[12]);
  915|      2|   accum.mul(ws[8], p[11]);
  916|      2|   accum.mul(ws[9], p[10]);
  917|      2|   accum.mul(ws[10], p[9]);
  918|      2|   accum.mul(ws[11], p[8]);
  919|      2|   accum.mul(ws[12], p[7]);
  920|      2|   accum.mul(ws[13], p[6]);
  921|      2|   accum.mul(ws[14], p[5]);
  922|      2|   accum.mul(ws[15], p[4]);
  923|      2|   accum.mul(ws[16], p[3]);
  924|      2|   accum.mul(ws[17], p[2]);
  925|      2|   accum.mul(ws[18], p[1]);
  926|      2|   accum.add(z[19]);
  927|      2|   ws[19] = accum.monty_step(p[0], p_dash);
  928|      2|   accum.mul(ws[0], p[20]);
  929|      2|   accum.mul(ws[1], p[19]);
  930|      2|   accum.mul(ws[2], p[18]);
  931|      2|   accum.mul(ws[3], p[17]);
  932|      2|   accum.mul(ws[4], p[16]);
  933|      2|   accum.mul(ws[5], p[15]);
  934|      2|   accum.mul(ws[6], p[14]);
  935|      2|   accum.mul(ws[7], p[13]);
  936|      2|   accum.mul(ws[8], p[12]);
  937|      2|   accum.mul(ws[9], p[11]);
  938|      2|   accum.mul(ws[10], p[10]);
  939|      2|   accum.mul(ws[11], p[9]);
  940|      2|   accum.mul(ws[12], p[8]);
  941|      2|   accum.mul(ws[13], p[7]);
  942|      2|   accum.mul(ws[14], p[6]);
  943|      2|   accum.mul(ws[15], p[5]);
  944|      2|   accum.mul(ws[16], p[4]);
  945|      2|   accum.mul(ws[17], p[3]);
  946|      2|   accum.mul(ws[18], p[2]);
  947|      2|   accum.mul(ws[19], p[1]);
  948|      2|   accum.add(z[20]);
  949|      2|   ws[20] = accum.monty_step(p[0], p_dash);
  950|      2|   accum.mul(ws[0], p[21]);
  951|      2|   accum.mul(ws[1], p[20]);
  952|      2|   accum.mul(ws[2], p[19]);
  953|      2|   accum.mul(ws[3], p[18]);
  954|      2|   accum.mul(ws[4], p[17]);
  955|      2|   accum.mul(ws[5], p[16]);
  956|      2|   accum.mul(ws[6], p[15]);
  957|      2|   accum.mul(ws[7], p[14]);
  958|      2|   accum.mul(ws[8], p[13]);
  959|      2|   accum.mul(ws[9], p[12]);
  960|      2|   accum.mul(ws[10], p[11]);
  961|      2|   accum.mul(ws[11], p[10]);
  962|      2|   accum.mul(ws[12], p[9]);
  963|      2|   accum.mul(ws[13], p[8]);
  964|      2|   accum.mul(ws[14], p[7]);
  965|      2|   accum.mul(ws[15], p[6]);
  966|      2|   accum.mul(ws[16], p[5]);
  967|      2|   accum.mul(ws[17], p[4]);
  968|      2|   accum.mul(ws[18], p[3]);
  969|      2|   accum.mul(ws[19], p[2]);
  970|      2|   accum.mul(ws[20], p[1]);
  971|      2|   accum.add(z[21]);
  972|      2|   ws[21] = accum.monty_step(p[0], p_dash);
  973|      2|   accum.mul(ws[0], p[22]);
  974|      2|   accum.mul(ws[1], p[21]);
  975|      2|   accum.mul(ws[2], p[20]);
  976|      2|   accum.mul(ws[3], p[19]);
  977|      2|   accum.mul(ws[4], p[18]);
  978|      2|   accum.mul(ws[5], p[17]);
  979|      2|   accum.mul(ws[6], p[16]);
  980|      2|   accum.mul(ws[7], p[15]);
  981|      2|   accum.mul(ws[8], p[14]);
  982|      2|   accum.mul(ws[9], p[13]);
  983|      2|   accum.mul(ws[10], p[12]);
  984|      2|   accum.mul(ws[11], p[11]);
  985|      2|   accum.mul(ws[12], p[10]);
  986|      2|   accum.mul(ws[13], p[9]);
  987|      2|   accum.mul(ws[14], p[8]);
  988|      2|   accum.mul(ws[15], p[7]);
  989|      2|   accum.mul(ws[16], p[6]);
  990|      2|   accum.mul(ws[17], p[5]);
  991|      2|   accum.mul(ws[18], p[4]);
  992|      2|   accum.mul(ws[19], p[3]);
  993|      2|   accum.mul(ws[20], p[2]);
  994|      2|   accum.mul(ws[21], p[1]);
  995|      2|   accum.add(z[22]);
  996|      2|   ws[22] = accum.monty_step(p[0], p_dash);
  997|      2|   accum.mul(ws[0], p[23]);
  998|      2|   accum.mul(ws[1], p[22]);
  999|      2|   accum.mul(ws[2], p[21]);
 1000|      2|   accum.mul(ws[3], p[20]);
 1001|      2|   accum.mul(ws[4], p[19]);
 1002|      2|   accum.mul(ws[5], p[18]);
 1003|      2|   accum.mul(ws[6], p[17]);
 1004|      2|   accum.mul(ws[7], p[16]);
 1005|      2|   accum.mul(ws[8], p[15]);
 1006|      2|   accum.mul(ws[9], p[14]);
 1007|      2|   accum.mul(ws[10], p[13]);
 1008|      2|   accum.mul(ws[11], p[12]);
 1009|      2|   accum.mul(ws[12], p[11]);
 1010|      2|   accum.mul(ws[13], p[10]);
 1011|      2|   accum.mul(ws[14], p[9]);
 1012|      2|   accum.mul(ws[15], p[8]);
 1013|      2|   accum.mul(ws[16], p[7]);
 1014|      2|   accum.mul(ws[17], p[6]);
 1015|      2|   accum.mul(ws[18], p[5]);
 1016|      2|   accum.mul(ws[19], p[4]);
 1017|      2|   accum.mul(ws[20], p[3]);
 1018|      2|   accum.mul(ws[21], p[2]);
 1019|      2|   accum.mul(ws[22], p[1]);
 1020|      2|   accum.add(z[23]);
 1021|      2|   ws[23] = accum.monty_step(p[0], p_dash);
 1022|      2|   accum.mul(ws[1], p[23]);
 1023|      2|   accum.mul(ws[2], p[22]);
 1024|      2|   accum.mul(ws[3], p[21]);
 1025|      2|   accum.mul(ws[4], p[20]);
 1026|      2|   accum.mul(ws[5], p[19]);
 1027|      2|   accum.mul(ws[6], p[18]);
 1028|      2|   accum.mul(ws[7], p[17]);
 1029|      2|   accum.mul(ws[8], p[16]);
 1030|      2|   accum.mul(ws[9], p[15]);
 1031|      2|   accum.mul(ws[10], p[14]);
 1032|      2|   accum.mul(ws[11], p[13]);
 1033|      2|   accum.mul(ws[12], p[12]);
 1034|      2|   accum.mul(ws[13], p[11]);
 1035|      2|   accum.mul(ws[14], p[10]);
 1036|      2|   accum.mul(ws[15], p[9]);
 1037|      2|   accum.mul(ws[16], p[8]);
 1038|      2|   accum.mul(ws[17], p[7]);
 1039|      2|   accum.mul(ws[18], p[6]);
 1040|      2|   accum.mul(ws[19], p[5]);
 1041|      2|   accum.mul(ws[20], p[4]);
 1042|      2|   accum.mul(ws[21], p[3]);
 1043|      2|   accum.mul(ws[22], p[2]);
 1044|      2|   accum.mul(ws[23], p[1]);
 1045|      2|   accum.add(z[24]);
 1046|      2|   ws[0] = accum.extract();
 1047|      2|   accum.mul(ws[2], p[23]);
 1048|      2|   accum.mul(ws[3], p[22]);
 1049|      2|   accum.mul(ws[4], p[21]);
 1050|      2|   accum.mul(ws[5], p[20]);
 1051|      2|   accum.mul(ws[6], p[19]);
 1052|      2|   accum.mul(ws[7], p[18]);
 1053|      2|   accum.mul(ws[8], p[17]);
 1054|      2|   accum.mul(ws[9], p[16]);
 1055|      2|   accum.mul(ws[10], p[15]);
 1056|      2|   accum.mul(ws[11], p[14]);
 1057|      2|   accum.mul(ws[12], p[13]);
 1058|      2|   accum.mul(ws[13], p[12]);
 1059|      2|   accum.mul(ws[14], p[11]);
 1060|      2|   accum.mul(ws[15], p[10]);
 1061|      2|   accum.mul(ws[16], p[9]);
 1062|      2|   accum.mul(ws[17], p[8]);
 1063|      2|   accum.mul(ws[18], p[7]);
 1064|      2|   accum.mul(ws[19], p[6]);
 1065|      2|   accum.mul(ws[20], p[5]);
 1066|      2|   accum.mul(ws[21], p[4]);
 1067|      2|   accum.mul(ws[22], p[3]);
 1068|      2|   accum.mul(ws[23], p[2]);
 1069|      2|   accum.add(z[25]);
 1070|      2|   ws[1] = accum.extract();
 1071|      2|   accum.mul(ws[3], p[23]);
 1072|      2|   accum.mul(ws[4], p[22]);
 1073|      2|   accum.mul(ws[5], p[21]);
 1074|      2|   accum.mul(ws[6], p[20]);
 1075|      2|   accum.mul(ws[7], p[19]);
 1076|      2|   accum.mul(ws[8], p[18]);
 1077|      2|   accum.mul(ws[9], p[17]);
 1078|      2|   accum.mul(ws[10], p[16]);
 1079|      2|   accum.mul(ws[11], p[15]);
 1080|      2|   accum.mul(ws[12], p[14]);
 1081|      2|   accum.mul(ws[13], p[13]);
 1082|      2|   accum.mul(ws[14], p[12]);
 1083|      2|   accum.mul(ws[15], p[11]);
 1084|      2|   accum.mul(ws[16], p[10]);
 1085|      2|   accum.mul(ws[17], p[9]);
 1086|      2|   accum.mul(ws[18], p[8]);
 1087|      2|   accum.mul(ws[19], p[7]);
 1088|      2|   accum.mul(ws[20], p[6]);
 1089|      2|   accum.mul(ws[21], p[5]);
 1090|      2|   accum.mul(ws[22], p[4]);
 1091|      2|   accum.mul(ws[23], p[3]);
 1092|      2|   accum.add(z[26]);
 1093|      2|   ws[2] = accum.extract();
 1094|      2|   accum.mul(ws[4], p[23]);
 1095|      2|   accum.mul(ws[5], p[22]);
 1096|      2|   accum.mul(ws[6], p[21]);
 1097|      2|   accum.mul(ws[7], p[20]);
 1098|      2|   accum.mul(ws[8], p[19]);
 1099|      2|   accum.mul(ws[9], p[18]);
 1100|      2|   accum.mul(ws[10], p[17]);
 1101|      2|   accum.mul(ws[11], p[16]);
 1102|      2|   accum.mul(ws[12], p[15]);
 1103|      2|   accum.mul(ws[13], p[14]);
 1104|      2|   accum.mul(ws[14], p[13]);
 1105|      2|   accum.mul(ws[15], p[12]);
 1106|      2|   accum.mul(ws[16], p[11]);
 1107|      2|   accum.mul(ws[17], p[10]);
 1108|      2|   accum.mul(ws[18], p[9]);
 1109|      2|   accum.mul(ws[19], p[8]);
 1110|      2|   accum.mul(ws[20], p[7]);
 1111|      2|   accum.mul(ws[21], p[6]);
 1112|      2|   accum.mul(ws[22], p[5]);
 1113|      2|   accum.mul(ws[23], p[4]);
 1114|      2|   accum.add(z[27]);
 1115|      2|   ws[3] = accum.extract();
 1116|      2|   accum.mul(ws[5], p[23]);
 1117|      2|   accum.mul(ws[6], p[22]);
 1118|      2|   accum.mul(ws[7], p[21]);
 1119|      2|   accum.mul(ws[8], p[20]);
 1120|      2|   accum.mul(ws[9], p[19]);
 1121|      2|   accum.mul(ws[10], p[18]);
 1122|      2|   accum.mul(ws[11], p[17]);
 1123|      2|   accum.mul(ws[12], p[16]);
 1124|      2|   accum.mul(ws[13], p[15]);
 1125|      2|   accum.mul(ws[14], p[14]);
 1126|      2|   accum.mul(ws[15], p[13]);
 1127|      2|   accum.mul(ws[16], p[12]);
 1128|      2|   accum.mul(ws[17], p[11]);
 1129|      2|   accum.mul(ws[18], p[10]);
 1130|      2|   accum.mul(ws[19], p[9]);
 1131|      2|   accum.mul(ws[20], p[8]);
 1132|      2|   accum.mul(ws[21], p[7]);
 1133|      2|   accum.mul(ws[22], p[6]);
 1134|      2|   accum.mul(ws[23], p[5]);
 1135|      2|   accum.add(z[28]);
 1136|      2|   ws[4] = accum.extract();
 1137|      2|   accum.mul(ws[6], p[23]);
 1138|      2|   accum.mul(ws[7], p[22]);
 1139|      2|   accum.mul(ws[8], p[21]);
 1140|      2|   accum.mul(ws[9], p[20]);
 1141|      2|   accum.mul(ws[10], p[19]);
 1142|      2|   accum.mul(ws[11], p[18]);
 1143|      2|   accum.mul(ws[12], p[17]);
 1144|      2|   accum.mul(ws[13], p[16]);
 1145|      2|   accum.mul(ws[14], p[15]);
 1146|      2|   accum.mul(ws[15], p[14]);
 1147|      2|   accum.mul(ws[16], p[13]);
 1148|      2|   accum.mul(ws[17], p[12]);
 1149|      2|   accum.mul(ws[18], p[11]);
 1150|      2|   accum.mul(ws[19], p[10]);
 1151|      2|   accum.mul(ws[20], p[9]);
 1152|      2|   accum.mul(ws[21], p[8]);
 1153|      2|   accum.mul(ws[22], p[7]);
 1154|      2|   accum.mul(ws[23], p[6]);
 1155|      2|   accum.add(z[29]);
 1156|      2|   ws[5] = accum.extract();
 1157|      2|   accum.mul(ws[7], p[23]);
 1158|      2|   accum.mul(ws[8], p[22]);
 1159|      2|   accum.mul(ws[9], p[21]);
 1160|      2|   accum.mul(ws[10], p[20]);
 1161|      2|   accum.mul(ws[11], p[19]);
 1162|      2|   accum.mul(ws[12], p[18]);
 1163|      2|   accum.mul(ws[13], p[17]);
 1164|      2|   accum.mul(ws[14], p[16]);
 1165|      2|   accum.mul(ws[15], p[15]);
 1166|      2|   accum.mul(ws[16], p[14]);
 1167|      2|   accum.mul(ws[17], p[13]);
 1168|      2|   accum.mul(ws[18], p[12]);
 1169|      2|   accum.mul(ws[19], p[11]);
 1170|      2|   accum.mul(ws[20], p[10]);
 1171|      2|   accum.mul(ws[21], p[9]);
 1172|      2|   accum.mul(ws[22], p[8]);
 1173|      2|   accum.mul(ws[23], p[7]);
 1174|      2|   accum.add(z[30]);
 1175|      2|   ws[6] = accum.extract();
 1176|      2|   accum.mul(ws[8], p[23]);
 1177|      2|   accum.mul(ws[9], p[22]);
 1178|      2|   accum.mul(ws[10], p[21]);
 1179|      2|   accum.mul(ws[11], p[20]);
 1180|      2|   accum.mul(ws[12], p[19]);
 1181|      2|   accum.mul(ws[13], p[18]);
 1182|      2|   accum.mul(ws[14], p[17]);
 1183|      2|   accum.mul(ws[15], p[16]);
 1184|      2|   accum.mul(ws[16], p[15]);
 1185|      2|   accum.mul(ws[17], p[14]);
 1186|      2|   accum.mul(ws[18], p[13]);
 1187|      2|   accum.mul(ws[19], p[12]);
 1188|      2|   accum.mul(ws[20], p[11]);
 1189|      2|   accum.mul(ws[21], p[10]);
 1190|      2|   accum.mul(ws[22], p[9]);
 1191|      2|   accum.mul(ws[23], p[8]);
 1192|      2|   accum.add(z[31]);
 1193|      2|   ws[7] = accum.extract();
 1194|      2|   accum.mul(ws[9], p[23]);
 1195|      2|   accum.mul(ws[10], p[22]);
 1196|      2|   accum.mul(ws[11], p[21]);
 1197|      2|   accum.mul(ws[12], p[20]);
 1198|      2|   accum.mul(ws[13], p[19]);
 1199|      2|   accum.mul(ws[14], p[18]);
 1200|      2|   accum.mul(ws[15], p[17]);
 1201|      2|   accum.mul(ws[16], p[16]);
 1202|      2|   accum.mul(ws[17], p[15]);
 1203|      2|   accum.mul(ws[18], p[14]);
 1204|      2|   accum.mul(ws[19], p[13]);
 1205|      2|   accum.mul(ws[20], p[12]);
 1206|      2|   accum.mul(ws[21], p[11]);
 1207|      2|   accum.mul(ws[22], p[10]);
 1208|      2|   accum.mul(ws[23], p[9]);
 1209|      2|   accum.add(z[32]);
 1210|      2|   ws[8] = accum.extract();
 1211|      2|   accum.mul(ws[10], p[23]);
 1212|      2|   accum.mul(ws[11], p[22]);
 1213|      2|   accum.mul(ws[12], p[21]);
 1214|      2|   accum.mul(ws[13], p[20]);
 1215|      2|   accum.mul(ws[14], p[19]);
 1216|      2|   accum.mul(ws[15], p[18]);
 1217|      2|   accum.mul(ws[16], p[17]);
 1218|      2|   accum.mul(ws[17], p[16]);
 1219|      2|   accum.mul(ws[18], p[15]);
 1220|      2|   accum.mul(ws[19], p[14]);
 1221|      2|   accum.mul(ws[20], p[13]);
 1222|      2|   accum.mul(ws[21], p[12]);
 1223|      2|   accum.mul(ws[22], p[11]);
 1224|      2|   accum.mul(ws[23], p[10]);
 1225|      2|   accum.add(z[33]);
 1226|      2|   ws[9] = accum.extract();
 1227|      2|   accum.mul(ws[11], p[23]);
 1228|      2|   accum.mul(ws[12], p[22]);
 1229|      2|   accum.mul(ws[13], p[21]);
 1230|      2|   accum.mul(ws[14], p[20]);
 1231|      2|   accum.mul(ws[15], p[19]);
 1232|      2|   accum.mul(ws[16], p[18]);
 1233|      2|   accum.mul(ws[17], p[17]);
 1234|      2|   accum.mul(ws[18], p[16]);
 1235|      2|   accum.mul(ws[19], p[15]);
 1236|      2|   accum.mul(ws[20], p[14]);
 1237|      2|   accum.mul(ws[21], p[13]);
 1238|      2|   accum.mul(ws[22], p[12]);
 1239|      2|   accum.mul(ws[23], p[11]);
 1240|      2|   accum.add(z[34]);
 1241|      2|   ws[10] = accum.extract();
 1242|      2|   accum.mul(ws[12], p[23]);
 1243|      2|   accum.mul(ws[13], p[22]);
 1244|      2|   accum.mul(ws[14], p[21]);
 1245|      2|   accum.mul(ws[15], p[20]);
 1246|      2|   accum.mul(ws[16], p[19]);
 1247|      2|   accum.mul(ws[17], p[18]);
 1248|      2|   accum.mul(ws[18], p[17]);
 1249|      2|   accum.mul(ws[19], p[16]);
 1250|      2|   accum.mul(ws[20], p[15]);
 1251|      2|   accum.mul(ws[21], p[14]);
 1252|      2|   accum.mul(ws[22], p[13]);
 1253|      2|   accum.mul(ws[23], p[12]);
 1254|      2|   accum.add(z[35]);
 1255|      2|   ws[11] = accum.extract();
 1256|      2|   accum.mul(ws[13], p[23]);
 1257|      2|   accum.mul(ws[14], p[22]);
 1258|      2|   accum.mul(ws[15], p[21]);
 1259|      2|   accum.mul(ws[16], p[20]);
 1260|      2|   accum.mul(ws[17], p[19]);
 1261|      2|   accum.mul(ws[18], p[18]);
 1262|      2|   accum.mul(ws[19], p[17]);
 1263|      2|   accum.mul(ws[20], p[16]);
 1264|      2|   accum.mul(ws[21], p[15]);
 1265|      2|   accum.mul(ws[22], p[14]);
 1266|      2|   accum.mul(ws[23], p[13]);
 1267|      2|   accum.add(z[36]);
 1268|      2|   ws[12] = accum.extract();
 1269|      2|   accum.mul(ws[14], p[23]);
 1270|      2|   accum.mul(ws[15], p[22]);
 1271|      2|   accum.mul(ws[16], p[21]);
 1272|      2|   accum.mul(ws[17], p[20]);
 1273|      2|   accum.mul(ws[18], p[19]);
 1274|      2|   accum.mul(ws[19], p[18]);
 1275|      2|   accum.mul(ws[20], p[17]);
 1276|      2|   accum.mul(ws[21], p[16]);
 1277|      2|   accum.mul(ws[22], p[15]);
 1278|      2|   accum.mul(ws[23], p[14]);
 1279|      2|   accum.add(z[37]);
 1280|      2|   ws[13] = accum.extract();
 1281|      2|   accum.mul(ws[15], p[23]);
 1282|      2|   accum.mul(ws[16], p[22]);
 1283|      2|   accum.mul(ws[17], p[21]);
 1284|      2|   accum.mul(ws[18], p[20]);
 1285|      2|   accum.mul(ws[19], p[19]);
 1286|      2|   accum.mul(ws[20], p[18]);
 1287|      2|   accum.mul(ws[21], p[17]);
 1288|      2|   accum.mul(ws[22], p[16]);
 1289|      2|   accum.mul(ws[23], p[15]);
 1290|      2|   accum.add(z[38]);
 1291|      2|   ws[14] = accum.extract();
 1292|      2|   accum.mul(ws[16], p[23]);
 1293|      2|   accum.mul(ws[17], p[22]);
 1294|      2|   accum.mul(ws[18], p[21]);
 1295|      2|   accum.mul(ws[19], p[20]);
 1296|      2|   accum.mul(ws[20], p[19]);
 1297|      2|   accum.mul(ws[21], p[18]);
 1298|      2|   accum.mul(ws[22], p[17]);
 1299|      2|   accum.mul(ws[23], p[16]);
 1300|      2|   accum.add(z[39]);
 1301|      2|   ws[15] = accum.extract();
 1302|      2|   accum.mul(ws[17], p[23]);
 1303|      2|   accum.mul(ws[18], p[22]);
 1304|      2|   accum.mul(ws[19], p[21]);
 1305|      2|   accum.mul(ws[20], p[20]);
 1306|      2|   accum.mul(ws[21], p[19]);
 1307|      2|   accum.mul(ws[22], p[18]);
 1308|      2|   accum.mul(ws[23], p[17]);
 1309|      2|   accum.add(z[40]);
 1310|      2|   ws[16] = accum.extract();
 1311|      2|   accum.mul(ws[18], p[23]);
 1312|      2|   accum.mul(ws[19], p[22]);
 1313|      2|   accum.mul(ws[20], p[21]);
 1314|      2|   accum.mul(ws[21], p[20]);
 1315|      2|   accum.mul(ws[22], p[19]);
 1316|      2|   accum.mul(ws[23], p[18]);
 1317|      2|   accum.add(z[41]);
 1318|      2|   ws[17] = accum.extract();
 1319|      2|   accum.mul(ws[19], p[23]);
 1320|      2|   accum.mul(ws[20], p[22]);
 1321|      2|   accum.mul(ws[21], p[21]);
 1322|      2|   accum.mul(ws[22], p[20]);
 1323|      2|   accum.mul(ws[23], p[19]);
 1324|      2|   accum.add(z[42]);
 1325|      2|   ws[18] = accum.extract();
 1326|      2|   accum.mul(ws[20], p[23]);
 1327|      2|   accum.mul(ws[21], p[22]);
 1328|      2|   accum.mul(ws[22], p[21]);
 1329|      2|   accum.mul(ws[23], p[20]);
 1330|      2|   accum.add(z[43]);
 1331|      2|   ws[19] = accum.extract();
 1332|      2|   accum.mul(ws[21], p[23]);
 1333|      2|   accum.mul(ws[22], p[22]);
 1334|      2|   accum.mul(ws[23], p[21]);
 1335|      2|   accum.add(z[44]);
 1336|      2|   ws[20] = accum.extract();
 1337|      2|   accum.mul(ws[22], p[23]);
 1338|      2|   accum.mul(ws[23], p[22]);
 1339|      2|   accum.add(z[45]);
 1340|      2|   ws[21] = accum.extract();
 1341|      2|   accum.mul(ws[23], p[23]);
 1342|      2|   accum.add(z[46]);
 1343|      2|   ws[22] = accum.extract();
 1344|      2|   accum.add(z[47]);
 1345|      2|   ws[23] = accum.extract();
 1346|      2|   const word w1 = accum.extract();
 1347|      2|   bigint_monty_maybe_sub<24>(r, w1, ws, p);
 1348|      2|}
_ZN5Botan20bigint_monty_redc_32EPmPKmS2_mS0_:
 1350|      2|void bigint_monty_redc_32(word r[32], const word z[64], const word p[32], word p_dash, word ws[32]) {
 1351|      2|   word3<word> accum;
 1352|      2|   accum.add(z[0]);
 1353|      2|   ws[0] = accum.monty_step(p[0], p_dash);
 1354|      2|   accum.mul(ws[0], p[1]);
 1355|      2|   accum.add(z[1]);
 1356|      2|   ws[1] = accum.monty_step(p[0], p_dash);
 1357|      2|   accum.mul(ws[0], p[2]);
 1358|      2|   accum.mul(ws[1], p[1]);
 1359|      2|   accum.add(z[2]);
 1360|      2|   ws[2] = accum.monty_step(p[0], p_dash);
 1361|      2|   accum.mul(ws[0], p[3]);
 1362|      2|   accum.mul(ws[1], p[2]);
 1363|      2|   accum.mul(ws[2], p[1]);
 1364|      2|   accum.add(z[3]);
 1365|      2|   ws[3] = accum.monty_step(p[0], p_dash);
 1366|      2|   accum.mul(ws[0], p[4]);
 1367|      2|   accum.mul(ws[1], p[3]);
 1368|      2|   accum.mul(ws[2], p[2]);
 1369|      2|   accum.mul(ws[3], p[1]);
 1370|      2|   accum.add(z[4]);
 1371|      2|   ws[4] = accum.monty_step(p[0], p_dash);
 1372|      2|   accum.mul(ws[0], p[5]);
 1373|      2|   accum.mul(ws[1], p[4]);
 1374|      2|   accum.mul(ws[2], p[3]);
 1375|      2|   accum.mul(ws[3], p[2]);
 1376|      2|   accum.mul(ws[4], p[1]);
 1377|      2|   accum.add(z[5]);
 1378|      2|   ws[5] = accum.monty_step(p[0], p_dash);
 1379|      2|   accum.mul(ws[0], p[6]);
 1380|      2|   accum.mul(ws[1], p[5]);
 1381|      2|   accum.mul(ws[2], p[4]);
 1382|      2|   accum.mul(ws[3], p[3]);
 1383|      2|   accum.mul(ws[4], p[2]);
 1384|      2|   accum.mul(ws[5], p[1]);
 1385|      2|   accum.add(z[6]);
 1386|      2|   ws[6] = accum.monty_step(p[0], p_dash);
 1387|      2|   accum.mul(ws[0], p[7]);
 1388|      2|   accum.mul(ws[1], p[6]);
 1389|      2|   accum.mul(ws[2], p[5]);
 1390|      2|   accum.mul(ws[3], p[4]);
 1391|      2|   accum.mul(ws[4], p[3]);
 1392|      2|   accum.mul(ws[5], p[2]);
 1393|      2|   accum.mul(ws[6], p[1]);
 1394|      2|   accum.add(z[7]);
 1395|      2|   ws[7] = accum.monty_step(p[0], p_dash);
 1396|      2|   accum.mul(ws[0], p[8]);
 1397|      2|   accum.mul(ws[1], p[7]);
 1398|      2|   accum.mul(ws[2], p[6]);
 1399|      2|   accum.mul(ws[3], p[5]);
 1400|      2|   accum.mul(ws[4], p[4]);
 1401|      2|   accum.mul(ws[5], p[3]);
 1402|      2|   accum.mul(ws[6], p[2]);
 1403|      2|   accum.mul(ws[7], p[1]);
 1404|      2|   accum.add(z[8]);
 1405|      2|   ws[8] = accum.monty_step(p[0], p_dash);
 1406|      2|   accum.mul(ws[0], p[9]);
 1407|      2|   accum.mul(ws[1], p[8]);
 1408|      2|   accum.mul(ws[2], p[7]);
 1409|      2|   accum.mul(ws[3], p[6]);
 1410|      2|   accum.mul(ws[4], p[5]);
 1411|      2|   accum.mul(ws[5], p[4]);
 1412|      2|   accum.mul(ws[6], p[3]);
 1413|      2|   accum.mul(ws[7], p[2]);
 1414|      2|   accum.mul(ws[8], p[1]);
 1415|      2|   accum.add(z[9]);
 1416|      2|   ws[9] = accum.monty_step(p[0], p_dash);
 1417|      2|   accum.mul(ws[0], p[10]);
 1418|      2|   accum.mul(ws[1], p[9]);
 1419|      2|   accum.mul(ws[2], p[8]);
 1420|      2|   accum.mul(ws[3], p[7]);
 1421|      2|   accum.mul(ws[4], p[6]);
 1422|      2|   accum.mul(ws[5], p[5]);
 1423|      2|   accum.mul(ws[6], p[4]);
 1424|      2|   accum.mul(ws[7], p[3]);
 1425|      2|   accum.mul(ws[8], p[2]);
 1426|      2|   accum.mul(ws[9], p[1]);
 1427|      2|   accum.add(z[10]);
 1428|      2|   ws[10] = accum.monty_step(p[0], p_dash);
 1429|      2|   accum.mul(ws[0], p[11]);
 1430|      2|   accum.mul(ws[1], p[10]);
 1431|      2|   accum.mul(ws[2], p[9]);
 1432|      2|   accum.mul(ws[3], p[8]);
 1433|      2|   accum.mul(ws[4], p[7]);
 1434|      2|   accum.mul(ws[5], p[6]);
 1435|      2|   accum.mul(ws[6], p[5]);
 1436|      2|   accum.mul(ws[7], p[4]);
 1437|      2|   accum.mul(ws[8], p[3]);
 1438|      2|   accum.mul(ws[9], p[2]);
 1439|      2|   accum.mul(ws[10], p[1]);
 1440|      2|   accum.add(z[11]);
 1441|      2|   ws[11] = accum.monty_step(p[0], p_dash);
 1442|      2|   accum.mul(ws[0], p[12]);
 1443|      2|   accum.mul(ws[1], p[11]);
 1444|      2|   accum.mul(ws[2], p[10]);
 1445|      2|   accum.mul(ws[3], p[9]);
 1446|      2|   accum.mul(ws[4], p[8]);
 1447|      2|   accum.mul(ws[5], p[7]);
 1448|      2|   accum.mul(ws[6], p[6]);
 1449|      2|   accum.mul(ws[7], p[5]);
 1450|      2|   accum.mul(ws[8], p[4]);
 1451|      2|   accum.mul(ws[9], p[3]);
 1452|      2|   accum.mul(ws[10], p[2]);
 1453|      2|   accum.mul(ws[11], p[1]);
 1454|      2|   accum.add(z[12]);
 1455|      2|   ws[12] = accum.monty_step(p[0], p_dash);
 1456|      2|   accum.mul(ws[0], p[13]);
 1457|      2|   accum.mul(ws[1], p[12]);
 1458|      2|   accum.mul(ws[2], p[11]);
 1459|      2|   accum.mul(ws[3], p[10]);
 1460|      2|   accum.mul(ws[4], p[9]);
 1461|      2|   accum.mul(ws[5], p[8]);
 1462|      2|   accum.mul(ws[6], p[7]);
 1463|      2|   accum.mul(ws[7], p[6]);
 1464|      2|   accum.mul(ws[8], p[5]);
 1465|      2|   accum.mul(ws[9], p[4]);
 1466|      2|   accum.mul(ws[10], p[3]);
 1467|      2|   accum.mul(ws[11], p[2]);
 1468|      2|   accum.mul(ws[12], p[1]);
 1469|      2|   accum.add(z[13]);
 1470|      2|   ws[13] = accum.monty_step(p[0], p_dash);
 1471|      2|   accum.mul(ws[0], p[14]);
 1472|      2|   accum.mul(ws[1], p[13]);
 1473|      2|   accum.mul(ws[2], p[12]);
 1474|      2|   accum.mul(ws[3], p[11]);
 1475|      2|   accum.mul(ws[4], p[10]);
 1476|      2|   accum.mul(ws[5], p[9]);
 1477|      2|   accum.mul(ws[6], p[8]);
 1478|      2|   accum.mul(ws[7], p[7]);
 1479|      2|   accum.mul(ws[8], p[6]);
 1480|      2|   accum.mul(ws[9], p[5]);
 1481|      2|   accum.mul(ws[10], p[4]);
 1482|      2|   accum.mul(ws[11], p[3]);
 1483|      2|   accum.mul(ws[12], p[2]);
 1484|      2|   accum.mul(ws[13], p[1]);
 1485|      2|   accum.add(z[14]);
 1486|      2|   ws[14] = accum.monty_step(p[0], p_dash);
 1487|      2|   accum.mul(ws[0], p[15]);
 1488|      2|   accum.mul(ws[1], p[14]);
 1489|      2|   accum.mul(ws[2], p[13]);
 1490|      2|   accum.mul(ws[3], p[12]);
 1491|      2|   accum.mul(ws[4], p[11]);
 1492|      2|   accum.mul(ws[5], p[10]);
 1493|      2|   accum.mul(ws[6], p[9]);
 1494|      2|   accum.mul(ws[7], p[8]);
 1495|      2|   accum.mul(ws[8], p[7]);
 1496|      2|   accum.mul(ws[9], p[6]);
 1497|      2|   accum.mul(ws[10], p[5]);
 1498|      2|   accum.mul(ws[11], p[4]);
 1499|      2|   accum.mul(ws[12], p[3]);
 1500|      2|   accum.mul(ws[13], p[2]);
 1501|      2|   accum.mul(ws[14], p[1]);
 1502|      2|   accum.add(z[15]);
 1503|      2|   ws[15] = accum.monty_step(p[0], p_dash);
 1504|      2|   accum.mul(ws[0], p[16]);
 1505|      2|   accum.mul(ws[1], p[15]);
 1506|      2|   accum.mul(ws[2], p[14]);
 1507|      2|   accum.mul(ws[3], p[13]);
 1508|      2|   accum.mul(ws[4], p[12]);
 1509|      2|   accum.mul(ws[5], p[11]);
 1510|      2|   accum.mul(ws[6], p[10]);
 1511|      2|   accum.mul(ws[7], p[9]);
 1512|      2|   accum.mul(ws[8], p[8]);
 1513|      2|   accum.mul(ws[9], p[7]);
 1514|      2|   accum.mul(ws[10], p[6]);
 1515|      2|   accum.mul(ws[11], p[5]);
 1516|      2|   accum.mul(ws[12], p[4]);
 1517|      2|   accum.mul(ws[13], p[3]);
 1518|      2|   accum.mul(ws[14], p[2]);
 1519|      2|   accum.mul(ws[15], p[1]);
 1520|      2|   accum.add(z[16]);
 1521|      2|   ws[16] = accum.monty_step(p[0], p_dash);
 1522|      2|   accum.mul(ws[0], p[17]);
 1523|      2|   accum.mul(ws[1], p[16]);
 1524|      2|   accum.mul(ws[2], p[15]);
 1525|      2|   accum.mul(ws[3], p[14]);
 1526|      2|   accum.mul(ws[4], p[13]);
 1527|      2|   accum.mul(ws[5], p[12]);
 1528|      2|   accum.mul(ws[6], p[11]);
 1529|      2|   accum.mul(ws[7], p[10]);
 1530|      2|   accum.mul(ws[8], p[9]);
 1531|      2|   accum.mul(ws[9], p[8]);
 1532|      2|   accum.mul(ws[10], p[7]);
 1533|      2|   accum.mul(ws[11], p[6]);
 1534|      2|   accum.mul(ws[12], p[5]);
 1535|      2|   accum.mul(ws[13], p[4]);
 1536|      2|   accum.mul(ws[14], p[3]);
 1537|      2|   accum.mul(ws[15], p[2]);
 1538|      2|   accum.mul(ws[16], p[1]);
 1539|      2|   accum.add(z[17]);
 1540|      2|   ws[17] = accum.monty_step(p[0], p_dash);
 1541|      2|   accum.mul(ws[0], p[18]);
 1542|      2|   accum.mul(ws[1], p[17]);
 1543|      2|   accum.mul(ws[2], p[16]);
 1544|      2|   accum.mul(ws[3], p[15]);
 1545|      2|   accum.mul(ws[4], p[14]);
 1546|      2|   accum.mul(ws[5], p[13]);
 1547|      2|   accum.mul(ws[6], p[12]);
 1548|      2|   accum.mul(ws[7], p[11]);
 1549|      2|   accum.mul(ws[8], p[10]);
 1550|      2|   accum.mul(ws[9], p[9]);
 1551|      2|   accum.mul(ws[10], p[8]);
 1552|      2|   accum.mul(ws[11], p[7]);
 1553|      2|   accum.mul(ws[12], p[6]);
 1554|      2|   accum.mul(ws[13], p[5]);
 1555|      2|   accum.mul(ws[14], p[4]);
 1556|      2|   accum.mul(ws[15], p[3]);
 1557|      2|   accum.mul(ws[16], p[2]);
 1558|      2|   accum.mul(ws[17], p[1]);
 1559|      2|   accum.add(z[18]);
 1560|      2|   ws[18] = accum.monty_step(p[0], p_dash);
 1561|      2|   accum.mul(ws[0], p[19]);
 1562|      2|   accum.mul(ws[1], p[18]);
 1563|      2|   accum.mul(ws[2], p[17]);
 1564|      2|   accum.mul(ws[3], p[16]);
 1565|      2|   accum.mul(ws[4], p[15]);
 1566|      2|   accum.mul(ws[5], p[14]);
 1567|      2|   accum.mul(ws[6], p[13]);
 1568|      2|   accum.mul(ws[7], p[12]);
 1569|      2|   accum.mul(ws[8], p[11]);
 1570|      2|   accum.mul(ws[9], p[10]);
 1571|      2|   accum.mul(ws[10], p[9]);
 1572|      2|   accum.mul(ws[11], p[8]);
 1573|      2|   accum.mul(ws[12], p[7]);
 1574|      2|   accum.mul(ws[13], p[6]);
 1575|      2|   accum.mul(ws[14], p[5]);
 1576|      2|   accum.mul(ws[15], p[4]);
 1577|      2|   accum.mul(ws[16], p[3]);
 1578|      2|   accum.mul(ws[17], p[2]);
 1579|      2|   accum.mul(ws[18], p[1]);
 1580|      2|   accum.add(z[19]);
 1581|      2|   ws[19] = accum.monty_step(p[0], p_dash);
 1582|      2|   accum.mul(ws[0], p[20]);
 1583|      2|   accum.mul(ws[1], p[19]);
 1584|      2|   accum.mul(ws[2], p[18]);
 1585|      2|   accum.mul(ws[3], p[17]);
 1586|      2|   accum.mul(ws[4], p[16]);
 1587|      2|   accum.mul(ws[5], p[15]);
 1588|      2|   accum.mul(ws[6], p[14]);
 1589|      2|   accum.mul(ws[7], p[13]);
 1590|      2|   accum.mul(ws[8], p[12]);
 1591|      2|   accum.mul(ws[9], p[11]);
 1592|      2|   accum.mul(ws[10], p[10]);
 1593|      2|   accum.mul(ws[11], p[9]);
 1594|      2|   accum.mul(ws[12], p[8]);
 1595|      2|   accum.mul(ws[13], p[7]);
 1596|      2|   accum.mul(ws[14], p[6]);
 1597|      2|   accum.mul(ws[15], p[5]);
 1598|      2|   accum.mul(ws[16], p[4]);
 1599|      2|   accum.mul(ws[17], p[3]);
 1600|      2|   accum.mul(ws[18], p[2]);
 1601|      2|   accum.mul(ws[19], p[1]);
 1602|      2|   accum.add(z[20]);
 1603|      2|   ws[20] = accum.monty_step(p[0], p_dash);
 1604|      2|   accum.mul(ws[0], p[21]);
 1605|      2|   accum.mul(ws[1], p[20]);
 1606|      2|   accum.mul(ws[2], p[19]);
 1607|      2|   accum.mul(ws[3], p[18]);
 1608|      2|   accum.mul(ws[4], p[17]);
 1609|      2|   accum.mul(ws[5], p[16]);
 1610|      2|   accum.mul(ws[6], p[15]);
 1611|      2|   accum.mul(ws[7], p[14]);
 1612|      2|   accum.mul(ws[8], p[13]);
 1613|      2|   accum.mul(ws[9], p[12]);
 1614|      2|   accum.mul(ws[10], p[11]);
 1615|      2|   accum.mul(ws[11], p[10]);
 1616|      2|   accum.mul(ws[12], p[9]);
 1617|      2|   accum.mul(ws[13], p[8]);
 1618|      2|   accum.mul(ws[14], p[7]);
 1619|      2|   accum.mul(ws[15], p[6]);
 1620|      2|   accum.mul(ws[16], p[5]);
 1621|      2|   accum.mul(ws[17], p[4]);
 1622|      2|   accum.mul(ws[18], p[3]);
 1623|      2|   accum.mul(ws[19], p[2]);
 1624|      2|   accum.mul(ws[20], p[1]);
 1625|      2|   accum.add(z[21]);
 1626|      2|   ws[21] = accum.monty_step(p[0], p_dash);
 1627|      2|   accum.mul(ws[0], p[22]);
 1628|      2|   accum.mul(ws[1], p[21]);
 1629|      2|   accum.mul(ws[2], p[20]);
 1630|      2|   accum.mul(ws[3], p[19]);
 1631|      2|   accum.mul(ws[4], p[18]);
 1632|      2|   accum.mul(ws[5], p[17]);
 1633|      2|   accum.mul(ws[6], p[16]);
 1634|      2|   accum.mul(ws[7], p[15]);
 1635|      2|   accum.mul(ws[8], p[14]);
 1636|      2|   accum.mul(ws[9], p[13]);
 1637|      2|   accum.mul(ws[10], p[12]);
 1638|      2|   accum.mul(ws[11], p[11]);
 1639|      2|   accum.mul(ws[12], p[10]);
 1640|      2|   accum.mul(ws[13], p[9]);
 1641|      2|   accum.mul(ws[14], p[8]);
 1642|      2|   accum.mul(ws[15], p[7]);
 1643|      2|   accum.mul(ws[16], p[6]);
 1644|      2|   accum.mul(ws[17], p[5]);
 1645|      2|   accum.mul(ws[18], p[4]);
 1646|      2|   accum.mul(ws[19], p[3]);
 1647|      2|   accum.mul(ws[20], p[2]);
 1648|      2|   accum.mul(ws[21], p[1]);
 1649|      2|   accum.add(z[22]);
 1650|      2|   ws[22] = accum.monty_step(p[0], p_dash);
 1651|      2|   accum.mul(ws[0], p[23]);
 1652|      2|   accum.mul(ws[1], p[22]);
 1653|      2|   accum.mul(ws[2], p[21]);
 1654|      2|   accum.mul(ws[3], p[20]);
 1655|      2|   accum.mul(ws[4], p[19]);
 1656|      2|   accum.mul(ws[5], p[18]);
 1657|      2|   accum.mul(ws[6], p[17]);
 1658|      2|   accum.mul(ws[7], p[16]);
 1659|      2|   accum.mul(ws[8], p[15]);
 1660|      2|   accum.mul(ws[9], p[14]);
 1661|      2|   accum.mul(ws[10], p[13]);
 1662|      2|   accum.mul(ws[11], p[12]);
 1663|      2|   accum.mul(ws[12], p[11]);
 1664|      2|   accum.mul(ws[13], p[10]);
 1665|      2|   accum.mul(ws[14], p[9]);
 1666|      2|   accum.mul(ws[15], p[8]);
 1667|      2|   accum.mul(ws[16], p[7]);
 1668|      2|   accum.mul(ws[17], p[6]);
 1669|      2|   accum.mul(ws[18], p[5]);
 1670|      2|   accum.mul(ws[19], p[4]);
 1671|      2|   accum.mul(ws[20], p[3]);
 1672|      2|   accum.mul(ws[21], p[2]);
 1673|      2|   accum.mul(ws[22], p[1]);
 1674|      2|   accum.add(z[23]);
 1675|      2|   ws[23] = accum.monty_step(p[0], p_dash);
 1676|      2|   accum.mul(ws[0], p[24]);
 1677|      2|   accum.mul(ws[1], p[23]);
 1678|      2|   accum.mul(ws[2], p[22]);
 1679|      2|   accum.mul(ws[3], p[21]);
 1680|      2|   accum.mul(ws[4], p[20]);
 1681|      2|   accum.mul(ws[5], p[19]);
 1682|      2|   accum.mul(ws[6], p[18]);
 1683|      2|   accum.mul(ws[7], p[17]);
 1684|      2|   accum.mul(ws[8], p[16]);
 1685|      2|   accum.mul(ws[9], p[15]);
 1686|      2|   accum.mul(ws[10], p[14]);
 1687|      2|   accum.mul(ws[11], p[13]);
 1688|      2|   accum.mul(ws[12], p[12]);
 1689|      2|   accum.mul(ws[13], p[11]);
 1690|      2|   accum.mul(ws[14], p[10]);
 1691|      2|   accum.mul(ws[15], p[9]);
 1692|      2|   accum.mul(ws[16], p[8]);
 1693|      2|   accum.mul(ws[17], p[7]);
 1694|      2|   accum.mul(ws[18], p[6]);
 1695|      2|   accum.mul(ws[19], p[5]);
 1696|      2|   accum.mul(ws[20], p[4]);
 1697|      2|   accum.mul(ws[21], p[3]);
 1698|      2|   accum.mul(ws[22], p[2]);
 1699|      2|   accum.mul(ws[23], p[1]);
 1700|      2|   accum.add(z[24]);
 1701|      2|   ws[24] = accum.monty_step(p[0], p_dash);
 1702|      2|   accum.mul(ws[0], p[25]);
 1703|      2|   accum.mul(ws[1], p[24]);
 1704|      2|   accum.mul(ws[2], p[23]);
 1705|      2|   accum.mul(ws[3], p[22]);
 1706|      2|   accum.mul(ws[4], p[21]);
 1707|      2|   accum.mul(ws[5], p[20]);
 1708|      2|   accum.mul(ws[6], p[19]);
 1709|      2|   accum.mul(ws[7], p[18]);
 1710|      2|   accum.mul(ws[8], p[17]);
 1711|      2|   accum.mul(ws[9], p[16]);
 1712|      2|   accum.mul(ws[10], p[15]);
 1713|      2|   accum.mul(ws[11], p[14]);
 1714|      2|   accum.mul(ws[12], p[13]);
 1715|      2|   accum.mul(ws[13], p[12]);
 1716|      2|   accum.mul(ws[14], p[11]);
 1717|      2|   accum.mul(ws[15], p[10]);
 1718|      2|   accum.mul(ws[16], p[9]);
 1719|      2|   accum.mul(ws[17], p[8]);
 1720|      2|   accum.mul(ws[18], p[7]);
 1721|      2|   accum.mul(ws[19], p[6]);
 1722|      2|   accum.mul(ws[20], p[5]);
 1723|      2|   accum.mul(ws[21], p[4]);
 1724|      2|   accum.mul(ws[22], p[3]);
 1725|      2|   accum.mul(ws[23], p[2]);
 1726|      2|   accum.mul(ws[24], p[1]);
 1727|      2|   accum.add(z[25]);
 1728|      2|   ws[25] = accum.monty_step(p[0], p_dash);
 1729|      2|   accum.mul(ws[0], p[26]);
 1730|      2|   accum.mul(ws[1], p[25]);
 1731|      2|   accum.mul(ws[2], p[24]);
 1732|      2|   accum.mul(ws[3], p[23]);
 1733|      2|   accum.mul(ws[4], p[22]);
 1734|      2|   accum.mul(ws[5], p[21]);
 1735|      2|   accum.mul(ws[6], p[20]);
 1736|      2|   accum.mul(ws[7], p[19]);
 1737|      2|   accum.mul(ws[8], p[18]);
 1738|      2|   accum.mul(ws[9], p[17]);
 1739|      2|   accum.mul(ws[10], p[16]);
 1740|      2|   accum.mul(ws[11], p[15]);
 1741|      2|   accum.mul(ws[12], p[14]);
 1742|      2|   accum.mul(ws[13], p[13]);
 1743|      2|   accum.mul(ws[14], p[12]);
 1744|      2|   accum.mul(ws[15], p[11]);
 1745|      2|   accum.mul(ws[16], p[10]);
 1746|      2|   accum.mul(ws[17], p[9]);
 1747|      2|   accum.mul(ws[18], p[8]);
 1748|      2|   accum.mul(ws[19], p[7]);
 1749|      2|   accum.mul(ws[20], p[6]);
 1750|      2|   accum.mul(ws[21], p[5]);
 1751|      2|   accum.mul(ws[22], p[4]);
 1752|      2|   accum.mul(ws[23], p[3]);
 1753|      2|   accum.mul(ws[24], p[2]);
 1754|      2|   accum.mul(ws[25], p[1]);
 1755|      2|   accum.add(z[26]);
 1756|      2|   ws[26] = accum.monty_step(p[0], p_dash);
 1757|      2|   accum.mul(ws[0], p[27]);
 1758|      2|   accum.mul(ws[1], p[26]);
 1759|      2|   accum.mul(ws[2], p[25]);
 1760|      2|   accum.mul(ws[3], p[24]);
 1761|      2|   accum.mul(ws[4], p[23]);
 1762|      2|   accum.mul(ws[5], p[22]);
 1763|      2|   accum.mul(ws[6], p[21]);
 1764|      2|   accum.mul(ws[7], p[20]);
 1765|      2|   accum.mul(ws[8], p[19]);
 1766|      2|   accum.mul(ws[9], p[18]);
 1767|      2|   accum.mul(ws[10], p[17]);
 1768|      2|   accum.mul(ws[11], p[16]);
 1769|      2|   accum.mul(ws[12], p[15]);
 1770|      2|   accum.mul(ws[13], p[14]);
 1771|      2|   accum.mul(ws[14], p[13]);
 1772|      2|   accum.mul(ws[15], p[12]);
 1773|      2|   accum.mul(ws[16], p[11]);
 1774|      2|   accum.mul(ws[17], p[10]);
 1775|      2|   accum.mul(ws[18], p[9]);
 1776|      2|   accum.mul(ws[19], p[8]);
 1777|      2|   accum.mul(ws[20], p[7]);
 1778|      2|   accum.mul(ws[21], p[6]);
 1779|      2|   accum.mul(ws[22], p[5]);
 1780|      2|   accum.mul(ws[23], p[4]);
 1781|      2|   accum.mul(ws[24], p[3]);
 1782|      2|   accum.mul(ws[25], p[2]);
 1783|      2|   accum.mul(ws[26], p[1]);
 1784|      2|   accum.add(z[27]);
 1785|      2|   ws[27] = accum.monty_step(p[0], p_dash);
 1786|      2|   accum.mul(ws[0], p[28]);
 1787|      2|   accum.mul(ws[1], p[27]);
 1788|      2|   accum.mul(ws[2], p[26]);
 1789|      2|   accum.mul(ws[3], p[25]);
 1790|      2|   accum.mul(ws[4], p[24]);
 1791|      2|   accum.mul(ws[5], p[23]);
 1792|      2|   accum.mul(ws[6], p[22]);
 1793|      2|   accum.mul(ws[7], p[21]);
 1794|      2|   accum.mul(ws[8], p[20]);
 1795|      2|   accum.mul(ws[9], p[19]);
 1796|      2|   accum.mul(ws[10], p[18]);
 1797|      2|   accum.mul(ws[11], p[17]);
 1798|      2|   accum.mul(ws[12], p[16]);
 1799|      2|   accum.mul(ws[13], p[15]);
 1800|      2|   accum.mul(ws[14], p[14]);
 1801|      2|   accum.mul(ws[15], p[13]);
 1802|      2|   accum.mul(ws[16], p[12]);
 1803|      2|   accum.mul(ws[17], p[11]);
 1804|      2|   accum.mul(ws[18], p[10]);
 1805|      2|   accum.mul(ws[19], p[9]);
 1806|      2|   accum.mul(ws[20], p[8]);
 1807|      2|   accum.mul(ws[21], p[7]);
 1808|      2|   accum.mul(ws[22], p[6]);
 1809|      2|   accum.mul(ws[23], p[5]);
 1810|      2|   accum.mul(ws[24], p[4]);
 1811|      2|   accum.mul(ws[25], p[3]);
 1812|      2|   accum.mul(ws[26], p[2]);
 1813|      2|   accum.mul(ws[27], p[1]);
 1814|      2|   accum.add(z[28]);
 1815|      2|   ws[28] = accum.monty_step(p[0], p_dash);
 1816|      2|   accum.mul(ws[0], p[29]);
 1817|      2|   accum.mul(ws[1], p[28]);
 1818|      2|   accum.mul(ws[2], p[27]);
 1819|      2|   accum.mul(ws[3], p[26]);
 1820|      2|   accum.mul(ws[4], p[25]);
 1821|      2|   accum.mul(ws[5], p[24]);
 1822|      2|   accum.mul(ws[6], p[23]);
 1823|      2|   accum.mul(ws[7], p[22]);
 1824|      2|   accum.mul(ws[8], p[21]);
 1825|      2|   accum.mul(ws[9], p[20]);
 1826|      2|   accum.mul(ws[10], p[19]);
 1827|      2|   accum.mul(ws[11], p[18]);
 1828|      2|   accum.mul(ws[12], p[17]);
 1829|      2|   accum.mul(ws[13], p[16]);
 1830|      2|   accum.mul(ws[14], p[15]);
 1831|      2|   accum.mul(ws[15], p[14]);
 1832|      2|   accum.mul(ws[16], p[13]);
 1833|      2|   accum.mul(ws[17], p[12]);
 1834|      2|   accum.mul(ws[18], p[11]);
 1835|      2|   accum.mul(ws[19], p[10]);
 1836|      2|   accum.mul(ws[20], p[9]);
 1837|      2|   accum.mul(ws[21], p[8]);
 1838|      2|   accum.mul(ws[22], p[7]);
 1839|      2|   accum.mul(ws[23], p[6]);
 1840|      2|   accum.mul(ws[24], p[5]);
 1841|      2|   accum.mul(ws[25], p[4]);
 1842|      2|   accum.mul(ws[26], p[3]);
 1843|      2|   accum.mul(ws[27], p[2]);
 1844|      2|   accum.mul(ws[28], p[1]);
 1845|      2|   accum.add(z[29]);
 1846|      2|   ws[29] = accum.monty_step(p[0], p_dash);
 1847|      2|   accum.mul(ws[0], p[30]);
 1848|      2|   accum.mul(ws[1], p[29]);
 1849|      2|   accum.mul(ws[2], p[28]);
 1850|      2|   accum.mul(ws[3], p[27]);
 1851|      2|   accum.mul(ws[4], p[26]);
 1852|      2|   accum.mul(ws[5], p[25]);
 1853|      2|   accum.mul(ws[6], p[24]);
 1854|      2|   accum.mul(ws[7], p[23]);
 1855|      2|   accum.mul(ws[8], p[22]);
 1856|      2|   accum.mul(ws[9], p[21]);
 1857|      2|   accum.mul(ws[10], p[20]);
 1858|      2|   accum.mul(ws[11], p[19]);
 1859|      2|   accum.mul(ws[12], p[18]);
 1860|      2|   accum.mul(ws[13], p[17]);
 1861|      2|   accum.mul(ws[14], p[16]);
 1862|      2|   accum.mul(ws[15], p[15]);
 1863|      2|   accum.mul(ws[16], p[14]);
 1864|      2|   accum.mul(ws[17], p[13]);
 1865|      2|   accum.mul(ws[18], p[12]);
 1866|      2|   accum.mul(ws[19], p[11]);
 1867|      2|   accum.mul(ws[20], p[10]);
 1868|      2|   accum.mul(ws[21], p[9]);
 1869|      2|   accum.mul(ws[22], p[8]);
 1870|      2|   accum.mul(ws[23], p[7]);
 1871|      2|   accum.mul(ws[24], p[6]);
 1872|      2|   accum.mul(ws[25], p[5]);
 1873|      2|   accum.mul(ws[26], p[4]);
 1874|      2|   accum.mul(ws[27], p[3]);
 1875|      2|   accum.mul(ws[28], p[2]);
 1876|      2|   accum.mul(ws[29], p[1]);
 1877|      2|   accum.add(z[30]);
 1878|      2|   ws[30] = accum.monty_step(p[0], p_dash);
 1879|      2|   accum.mul(ws[0], p[31]);
 1880|      2|   accum.mul(ws[1], p[30]);
 1881|      2|   accum.mul(ws[2], p[29]);
 1882|      2|   accum.mul(ws[3], p[28]);
 1883|      2|   accum.mul(ws[4], p[27]);
 1884|      2|   accum.mul(ws[5], p[26]);
 1885|      2|   accum.mul(ws[6], p[25]);
 1886|      2|   accum.mul(ws[7], p[24]);
 1887|      2|   accum.mul(ws[8], p[23]);
 1888|      2|   accum.mul(ws[9], p[22]);
 1889|      2|   accum.mul(ws[10], p[21]);
 1890|      2|   accum.mul(ws[11], p[20]);
 1891|      2|   accum.mul(ws[12], p[19]);
 1892|      2|   accum.mul(ws[13], p[18]);
 1893|      2|   accum.mul(ws[14], p[17]);
 1894|      2|   accum.mul(ws[15], p[16]);
 1895|      2|   accum.mul(ws[16], p[15]);
 1896|      2|   accum.mul(ws[17], p[14]);
 1897|      2|   accum.mul(ws[18], p[13]);
 1898|      2|   accum.mul(ws[19], p[12]);
 1899|      2|   accum.mul(ws[20], p[11]);
 1900|      2|   accum.mul(ws[21], p[10]);
 1901|      2|   accum.mul(ws[22], p[9]);
 1902|      2|   accum.mul(ws[23], p[8]);
 1903|      2|   accum.mul(ws[24], p[7]);
 1904|      2|   accum.mul(ws[25], p[6]);
 1905|      2|   accum.mul(ws[26], p[5]);
 1906|      2|   accum.mul(ws[27], p[4]);
 1907|      2|   accum.mul(ws[28], p[3]);
 1908|      2|   accum.mul(ws[29], p[2]);
 1909|      2|   accum.mul(ws[30], p[1]);
 1910|      2|   accum.add(z[31]);
 1911|      2|   ws[31] = accum.monty_step(p[0], p_dash);
 1912|      2|   accum.mul(ws[1], p[31]);
 1913|      2|   accum.mul(ws[2], p[30]);
 1914|      2|   accum.mul(ws[3], p[29]);
 1915|      2|   accum.mul(ws[4], p[28]);
 1916|      2|   accum.mul(ws[5], p[27]);
 1917|      2|   accum.mul(ws[6], p[26]);
 1918|      2|   accum.mul(ws[7], p[25]);
 1919|      2|   accum.mul(ws[8], p[24]);
 1920|      2|   accum.mul(ws[9], p[23]);
 1921|      2|   accum.mul(ws[10], p[22]);
 1922|      2|   accum.mul(ws[11], p[21]);
 1923|      2|   accum.mul(ws[12], p[20]);
 1924|      2|   accum.mul(ws[13], p[19]);
 1925|      2|   accum.mul(ws[14], p[18]);
 1926|      2|   accum.mul(ws[15], p[17]);
 1927|      2|   accum.mul(ws[16], p[16]);
 1928|      2|   accum.mul(ws[17], p[15]);
 1929|      2|   accum.mul(ws[18], p[14]);
 1930|      2|   accum.mul(ws[19], p[13]);
 1931|      2|   accum.mul(ws[20], p[12]);
 1932|      2|   accum.mul(ws[21], p[11]);
 1933|      2|   accum.mul(ws[22], p[10]);
 1934|      2|   accum.mul(ws[23], p[9]);
 1935|      2|   accum.mul(ws[24], p[8]);
 1936|      2|   accum.mul(ws[25], p[7]);
 1937|      2|   accum.mul(ws[26], p[6]);
 1938|      2|   accum.mul(ws[27], p[5]);
 1939|      2|   accum.mul(ws[28], p[4]);
 1940|      2|   accum.mul(ws[29], p[3]);
 1941|      2|   accum.mul(ws[30], p[2]);
 1942|      2|   accum.mul(ws[31], p[1]);
 1943|      2|   accum.add(z[32]);
 1944|      2|   ws[0] = accum.extract();
 1945|      2|   accum.mul(ws[2], p[31]);
 1946|      2|   accum.mul(ws[3], p[30]);
 1947|      2|   accum.mul(ws[4], p[29]);
 1948|      2|   accum.mul(ws[5], p[28]);
 1949|      2|   accum.mul(ws[6], p[27]);
 1950|      2|   accum.mul(ws[7], p[26]);
 1951|      2|   accum.mul(ws[8], p[25]);
 1952|      2|   accum.mul(ws[9], p[24]);
 1953|      2|   accum.mul(ws[10], p[23]);
 1954|      2|   accum.mul(ws[11], p[22]);
 1955|      2|   accum.mul(ws[12], p[21]);
 1956|      2|   accum.mul(ws[13], p[20]);
 1957|      2|   accum.mul(ws[14], p[19]);
 1958|      2|   accum.mul(ws[15], p[18]);
 1959|      2|   accum.mul(ws[16], p[17]);
 1960|      2|   accum.mul(ws[17], p[16]);
 1961|      2|   accum.mul(ws[18], p[15]);
 1962|      2|   accum.mul(ws[19], p[14]);
 1963|      2|   accum.mul(ws[20], p[13]);
 1964|      2|   accum.mul(ws[21], p[12]);
 1965|      2|   accum.mul(ws[22], p[11]);
 1966|      2|   accum.mul(ws[23], p[10]);
 1967|      2|   accum.mul(ws[24], p[9]);
 1968|      2|   accum.mul(ws[25], p[8]);
 1969|      2|   accum.mul(ws[26], p[7]);
 1970|      2|   accum.mul(ws[27], p[6]);
 1971|      2|   accum.mul(ws[28], p[5]);
 1972|      2|   accum.mul(ws[29], p[4]);
 1973|      2|   accum.mul(ws[30], p[3]);
 1974|      2|   accum.mul(ws[31], p[2]);
 1975|      2|   accum.add(z[33]);
 1976|      2|   ws[1] = accum.extract();
 1977|      2|   accum.mul(ws[3], p[31]);
 1978|      2|   accum.mul(ws[4], p[30]);
 1979|      2|   accum.mul(ws[5], p[29]);
 1980|      2|   accum.mul(ws[6], p[28]);
 1981|      2|   accum.mul(ws[7], p[27]);
 1982|      2|   accum.mul(ws[8], p[26]);
 1983|      2|   accum.mul(ws[9], p[25]);
 1984|      2|   accum.mul(ws[10], p[24]);
 1985|      2|   accum.mul(ws[11], p[23]);
 1986|      2|   accum.mul(ws[12], p[22]);
 1987|      2|   accum.mul(ws[13], p[21]);
 1988|      2|   accum.mul(ws[14], p[20]);
 1989|      2|   accum.mul(ws[15], p[19]);
 1990|      2|   accum.mul(ws[16], p[18]);
 1991|      2|   accum.mul(ws[17], p[17]);
 1992|      2|   accum.mul(ws[18], p[16]);
 1993|      2|   accum.mul(ws[19], p[15]);
 1994|      2|   accum.mul(ws[20], p[14]);
 1995|      2|   accum.mul(ws[21], p[13]);
 1996|      2|   accum.mul(ws[22], p[12]);
 1997|      2|   accum.mul(ws[23], p[11]);
 1998|      2|   accum.mul(ws[24], p[10]);
 1999|      2|   accum.mul(ws[25], p[9]);
 2000|      2|   accum.mul(ws[26], p[8]);
 2001|      2|   accum.mul(ws[27], p[7]);
 2002|      2|   accum.mul(ws[28], p[6]);
 2003|      2|   accum.mul(ws[29], p[5]);
 2004|      2|   accum.mul(ws[30], p[4]);
 2005|      2|   accum.mul(ws[31], p[3]);
 2006|      2|   accum.add(z[34]);
 2007|      2|   ws[2] = accum.extract();
 2008|      2|   accum.mul(ws[4], p[31]);
 2009|      2|   accum.mul(ws[5], p[30]);
 2010|      2|   accum.mul(ws[6], p[29]);
 2011|      2|   accum.mul(ws[7], p[28]);
 2012|      2|   accum.mul(ws[8], p[27]);
 2013|      2|   accum.mul(ws[9], p[26]);
 2014|      2|   accum.mul(ws[10], p[25]);
 2015|      2|   accum.mul(ws[11], p[24]);
 2016|      2|   accum.mul(ws[12], p[23]);
 2017|      2|   accum.mul(ws[13], p[22]);
 2018|      2|   accum.mul(ws[14], p[21]);
 2019|      2|   accum.mul(ws[15], p[20]);
 2020|      2|   accum.mul(ws[16], p[19]);
 2021|      2|   accum.mul(ws[17], p[18]);
 2022|      2|   accum.mul(ws[18], p[17]);
 2023|      2|   accum.mul(ws[19], p[16]);
 2024|      2|   accum.mul(ws[20], p[15]);
 2025|      2|   accum.mul(ws[21], p[14]);
 2026|      2|   accum.mul(ws[22], p[13]);
 2027|      2|   accum.mul(ws[23], p[12]);
 2028|      2|   accum.mul(ws[24], p[11]);
 2029|      2|   accum.mul(ws[25], p[10]);
 2030|      2|   accum.mul(ws[26], p[9]);
 2031|      2|   accum.mul(ws[27], p[8]);
 2032|      2|   accum.mul(ws[28], p[7]);
 2033|      2|   accum.mul(ws[29], p[6]);
 2034|      2|   accum.mul(ws[30], p[5]);
 2035|      2|   accum.mul(ws[31], p[4]);
 2036|      2|   accum.add(z[35]);
 2037|      2|   ws[3] = accum.extract();
 2038|      2|   accum.mul(ws[5], p[31]);
 2039|      2|   accum.mul(ws[6], p[30]);
 2040|      2|   accum.mul(ws[7], p[29]);
 2041|      2|   accum.mul(ws[8], p[28]);
 2042|      2|   accum.mul(ws[9], p[27]);
 2043|      2|   accum.mul(ws[10], p[26]);
 2044|      2|   accum.mul(ws[11], p[25]);
 2045|      2|   accum.mul(ws[12], p[24]);
 2046|      2|   accum.mul(ws[13], p[23]);
 2047|      2|   accum.mul(ws[14], p[22]);
 2048|      2|   accum.mul(ws[15], p[21]);
 2049|      2|   accum.mul(ws[16], p[20]);
 2050|      2|   accum.mul(ws[17], p[19]);
 2051|      2|   accum.mul(ws[18], p[18]);
 2052|      2|   accum.mul(ws[19], p[17]);
 2053|      2|   accum.mul(ws[20], p[16]);
 2054|      2|   accum.mul(ws[21], p[15]);
 2055|      2|   accum.mul(ws[22], p[14]);
 2056|      2|   accum.mul(ws[23], p[13]);
 2057|      2|   accum.mul(ws[24], p[12]);
 2058|      2|   accum.mul(ws[25], p[11]);
 2059|      2|   accum.mul(ws[26], p[10]);
 2060|      2|   accum.mul(ws[27], p[9]);
 2061|      2|   accum.mul(ws[28], p[8]);
 2062|      2|   accum.mul(ws[29], p[7]);
 2063|      2|   accum.mul(ws[30], p[6]);
 2064|      2|   accum.mul(ws[31], p[5]);
 2065|      2|   accum.add(z[36]);
 2066|      2|   ws[4] = accum.extract();
 2067|      2|   accum.mul(ws[6], p[31]);
 2068|      2|   accum.mul(ws[7], p[30]);
 2069|      2|   accum.mul(ws[8], p[29]);
 2070|      2|   accum.mul(ws[9], p[28]);
 2071|      2|   accum.mul(ws[10], p[27]);
 2072|      2|   accum.mul(ws[11], p[26]);
 2073|      2|   accum.mul(ws[12], p[25]);
 2074|      2|   accum.mul(ws[13], p[24]);
 2075|      2|   accum.mul(ws[14], p[23]);
 2076|      2|   accum.mul(ws[15], p[22]);
 2077|      2|   accum.mul(ws[16], p[21]);
 2078|      2|   accum.mul(ws[17], p[20]);
 2079|      2|   accum.mul(ws[18], p[19]);
 2080|      2|   accum.mul(ws[19], p[18]);
 2081|      2|   accum.mul(ws[20], p[17]);
 2082|      2|   accum.mul(ws[21], p[16]);
 2083|      2|   accum.mul(ws[22], p[15]);
 2084|      2|   accum.mul(ws[23], p[14]);
 2085|      2|   accum.mul(ws[24], p[13]);
 2086|      2|   accum.mul(ws[25], p[12]);
 2087|      2|   accum.mul(ws[26], p[11]);
 2088|      2|   accum.mul(ws[27], p[10]);
 2089|      2|   accum.mul(ws[28], p[9]);
 2090|      2|   accum.mul(ws[29], p[8]);
 2091|      2|   accum.mul(ws[30], p[7]);
 2092|      2|   accum.mul(ws[31], p[6]);
 2093|      2|   accum.add(z[37]);
 2094|      2|   ws[5] = accum.extract();
 2095|      2|   accum.mul(ws[7], p[31]);
 2096|      2|   accum.mul(ws[8], p[30]);
 2097|      2|   accum.mul(ws[9], p[29]);
 2098|      2|   accum.mul(ws[10], p[28]);
 2099|      2|   accum.mul(ws[11], p[27]);
 2100|      2|   accum.mul(ws[12], p[26]);
 2101|      2|   accum.mul(ws[13], p[25]);
 2102|      2|   accum.mul(ws[14], p[24]);
 2103|      2|   accum.mul(ws[15], p[23]);
 2104|      2|   accum.mul(ws[16], p[22]);
 2105|      2|   accum.mul(ws[17], p[21]);
 2106|      2|   accum.mul(ws[18], p[20]);
 2107|      2|   accum.mul(ws[19], p[19]);
 2108|      2|   accum.mul(ws[20], p[18]);
 2109|      2|   accum.mul(ws[21], p[17]);
 2110|      2|   accum.mul(ws[22], p[16]);
 2111|      2|   accum.mul(ws[23], p[15]);
 2112|      2|   accum.mul(ws[24], p[14]);
 2113|      2|   accum.mul(ws[25], p[13]);
 2114|      2|   accum.mul(ws[26], p[12]);
 2115|      2|   accum.mul(ws[27], p[11]);
 2116|      2|   accum.mul(ws[28], p[10]);
 2117|      2|   accum.mul(ws[29], p[9]);
 2118|      2|   accum.mul(ws[30], p[8]);
 2119|      2|   accum.mul(ws[31], p[7]);
 2120|      2|   accum.add(z[38]);
 2121|      2|   ws[6] = accum.extract();
 2122|      2|   accum.mul(ws[8], p[31]);
 2123|      2|   accum.mul(ws[9], p[30]);
 2124|      2|   accum.mul(ws[10], p[29]);
 2125|      2|   accum.mul(ws[11], p[28]);
 2126|      2|   accum.mul(ws[12], p[27]);
 2127|      2|   accum.mul(ws[13], p[26]);
 2128|      2|   accum.mul(ws[14], p[25]);
 2129|      2|   accum.mul(ws[15], p[24]);
 2130|      2|   accum.mul(ws[16], p[23]);
 2131|      2|   accum.mul(ws[17], p[22]);
 2132|      2|   accum.mul(ws[18], p[21]);
 2133|      2|   accum.mul(ws[19], p[20]);
 2134|      2|   accum.mul(ws[20], p[19]);
 2135|      2|   accum.mul(ws[21], p[18]);
 2136|      2|   accum.mul(ws[22], p[17]);
 2137|      2|   accum.mul(ws[23], p[16]);
 2138|      2|   accum.mul(ws[24], p[15]);
 2139|      2|   accum.mul(ws[25], p[14]);
 2140|      2|   accum.mul(ws[26], p[13]);
 2141|      2|   accum.mul(ws[27], p[12]);
 2142|      2|   accum.mul(ws[28], p[11]);
 2143|      2|   accum.mul(ws[29], p[10]);
 2144|      2|   accum.mul(ws[30], p[9]);
 2145|      2|   accum.mul(ws[31], p[8]);
 2146|      2|   accum.add(z[39]);
 2147|      2|   ws[7] = accum.extract();
 2148|      2|   accum.mul(ws[9], p[31]);
 2149|      2|   accum.mul(ws[10], p[30]);
 2150|      2|   accum.mul(ws[11], p[29]);
 2151|      2|   accum.mul(ws[12], p[28]);
 2152|      2|   accum.mul(ws[13], p[27]);
 2153|      2|   accum.mul(ws[14], p[26]);
 2154|      2|   accum.mul(ws[15], p[25]);
 2155|      2|   accum.mul(ws[16], p[24]);
 2156|      2|   accum.mul(ws[17], p[23]);
 2157|      2|   accum.mul(ws[18], p[22]);
 2158|      2|   accum.mul(ws[19], p[21]);
 2159|      2|   accum.mul(ws[20], p[20]);
 2160|      2|   accum.mul(ws[21], p[19]);
 2161|      2|   accum.mul(ws[22], p[18]);
 2162|      2|   accum.mul(ws[23], p[17]);
 2163|      2|   accum.mul(ws[24], p[16]);
 2164|      2|   accum.mul(ws[25], p[15]);
 2165|      2|   accum.mul(ws[26], p[14]);
 2166|      2|   accum.mul(ws[27], p[13]);
 2167|      2|   accum.mul(ws[28], p[12]);
 2168|      2|   accum.mul(ws[29], p[11]);
 2169|      2|   accum.mul(ws[30], p[10]);
 2170|      2|   accum.mul(ws[31], p[9]);
 2171|      2|   accum.add(z[40]);
 2172|      2|   ws[8] = accum.extract();
 2173|      2|   accum.mul(ws[10], p[31]);
 2174|      2|   accum.mul(ws[11], p[30]);
 2175|      2|   accum.mul(ws[12], p[29]);
 2176|      2|   accum.mul(ws[13], p[28]);
 2177|      2|   accum.mul(ws[14], p[27]);
 2178|      2|   accum.mul(ws[15], p[26]);
 2179|      2|   accum.mul(ws[16], p[25]);
 2180|      2|   accum.mul(ws[17], p[24]);
 2181|      2|   accum.mul(ws[18], p[23]);
 2182|      2|   accum.mul(ws[19], p[22]);
 2183|      2|   accum.mul(ws[20], p[21]);
 2184|      2|   accum.mul(ws[21], p[20]);
 2185|      2|   accum.mul(ws[22], p[19]);
 2186|      2|   accum.mul(ws[23], p[18]);
 2187|      2|   accum.mul(ws[24], p[17]);
 2188|      2|   accum.mul(ws[25], p[16]);
 2189|      2|   accum.mul(ws[26], p[15]);
 2190|      2|   accum.mul(ws[27], p[14]);
 2191|      2|   accum.mul(ws[28], p[13]);
 2192|      2|   accum.mul(ws[29], p[12]);
 2193|      2|   accum.mul(ws[30], p[11]);
 2194|      2|   accum.mul(ws[31], p[10]);
 2195|      2|   accum.add(z[41]);
 2196|      2|   ws[9] = accum.extract();
 2197|      2|   accum.mul(ws[11], p[31]);
 2198|      2|   accum.mul(ws[12], p[30]);
 2199|      2|   accum.mul(ws[13], p[29]);
 2200|      2|   accum.mul(ws[14], p[28]);
 2201|      2|   accum.mul(ws[15], p[27]);
 2202|      2|   accum.mul(ws[16], p[26]);
 2203|      2|   accum.mul(ws[17], p[25]);
 2204|      2|   accum.mul(ws[18], p[24]);
 2205|      2|   accum.mul(ws[19], p[23]);
 2206|      2|   accum.mul(ws[20], p[22]);
 2207|      2|   accum.mul(ws[21], p[21]);
 2208|      2|   accum.mul(ws[22], p[20]);
 2209|      2|   accum.mul(ws[23], p[19]);
 2210|      2|   accum.mul(ws[24], p[18]);
 2211|      2|   accum.mul(ws[25], p[17]);
 2212|      2|   accum.mul(ws[26], p[16]);
 2213|      2|   accum.mul(ws[27], p[15]);
 2214|      2|   accum.mul(ws[28], p[14]);
 2215|      2|   accum.mul(ws[29], p[13]);
 2216|      2|   accum.mul(ws[30], p[12]);
 2217|      2|   accum.mul(ws[31], p[11]);
 2218|      2|   accum.add(z[42]);
 2219|      2|   ws[10] = accum.extract();
 2220|      2|   accum.mul(ws[12], p[31]);
 2221|      2|   accum.mul(ws[13], p[30]);
 2222|      2|   accum.mul(ws[14], p[29]);
 2223|      2|   accum.mul(ws[15], p[28]);
 2224|      2|   accum.mul(ws[16], p[27]);
 2225|      2|   accum.mul(ws[17], p[26]);
 2226|      2|   accum.mul(ws[18], p[25]);
 2227|      2|   accum.mul(ws[19], p[24]);
 2228|      2|   accum.mul(ws[20], p[23]);
 2229|      2|   accum.mul(ws[21], p[22]);
 2230|      2|   accum.mul(ws[22], p[21]);
 2231|      2|   accum.mul(ws[23], p[20]);
 2232|      2|   accum.mul(ws[24], p[19]);
 2233|      2|   accum.mul(ws[25], p[18]);
 2234|      2|   accum.mul(ws[26], p[17]);
 2235|      2|   accum.mul(ws[27], p[16]);
 2236|      2|   accum.mul(ws[28], p[15]);
 2237|      2|   accum.mul(ws[29], p[14]);
 2238|      2|   accum.mul(ws[30], p[13]);
 2239|      2|   accum.mul(ws[31], p[12]);
 2240|      2|   accum.add(z[43]);
 2241|      2|   ws[11] = accum.extract();
 2242|      2|   accum.mul(ws[13], p[31]);
 2243|      2|   accum.mul(ws[14], p[30]);
 2244|      2|   accum.mul(ws[15], p[29]);
 2245|      2|   accum.mul(ws[16], p[28]);
 2246|      2|   accum.mul(ws[17], p[27]);
 2247|      2|   accum.mul(ws[18], p[26]);
 2248|      2|   accum.mul(ws[19], p[25]);
 2249|      2|   accum.mul(ws[20], p[24]);
 2250|      2|   accum.mul(ws[21], p[23]);
 2251|      2|   accum.mul(ws[22], p[22]);
 2252|      2|   accum.mul(ws[23], p[21]);
 2253|      2|   accum.mul(ws[24], p[20]);
 2254|      2|   accum.mul(ws[25], p[19]);
 2255|      2|   accum.mul(ws[26], p[18]);
 2256|      2|   accum.mul(ws[27], p[17]);
 2257|      2|   accum.mul(ws[28], p[16]);
 2258|      2|   accum.mul(ws[29], p[15]);
 2259|      2|   accum.mul(ws[30], p[14]);
 2260|      2|   accum.mul(ws[31], p[13]);
 2261|      2|   accum.add(z[44]);
 2262|      2|   ws[12] = accum.extract();
 2263|      2|   accum.mul(ws[14], p[31]);
 2264|      2|   accum.mul(ws[15], p[30]);
 2265|      2|   accum.mul(ws[16], p[29]);
 2266|      2|   accum.mul(ws[17], p[28]);
 2267|      2|   accum.mul(ws[18], p[27]);
 2268|      2|   accum.mul(ws[19], p[26]);
 2269|      2|   accum.mul(ws[20], p[25]);
 2270|      2|   accum.mul(ws[21], p[24]);
 2271|      2|   accum.mul(ws[22], p[23]);
 2272|      2|   accum.mul(ws[23], p[22]);
 2273|      2|   accum.mul(ws[24], p[21]);
 2274|      2|   accum.mul(ws[25], p[20]);
 2275|      2|   accum.mul(ws[26], p[19]);
 2276|      2|   accum.mul(ws[27], p[18]);
 2277|      2|   accum.mul(ws[28], p[17]);
 2278|      2|   accum.mul(ws[29], p[16]);
 2279|      2|   accum.mul(ws[30], p[15]);
 2280|      2|   accum.mul(ws[31], p[14]);
 2281|      2|   accum.add(z[45]);
 2282|      2|   ws[13] = accum.extract();
 2283|      2|   accum.mul(ws[15], p[31]);
 2284|      2|   accum.mul(ws[16], p[30]);
 2285|      2|   accum.mul(ws[17], p[29]);
 2286|      2|   accum.mul(ws[18], p[28]);
 2287|      2|   accum.mul(ws[19], p[27]);
 2288|      2|   accum.mul(ws[20], p[26]);
 2289|      2|   accum.mul(ws[21], p[25]);
 2290|      2|   accum.mul(ws[22], p[24]);
 2291|      2|   accum.mul(ws[23], p[23]);
 2292|      2|   accum.mul(ws[24], p[22]);
 2293|      2|   accum.mul(ws[25], p[21]);
 2294|      2|   accum.mul(ws[26], p[20]);
 2295|      2|   accum.mul(ws[27], p[19]);
 2296|      2|   accum.mul(ws[28], p[18]);
 2297|      2|   accum.mul(ws[29], p[17]);
 2298|      2|   accum.mul(ws[30], p[16]);
 2299|      2|   accum.mul(ws[31], p[15]);
 2300|      2|   accum.add(z[46]);
 2301|      2|   ws[14] = accum.extract();
 2302|      2|   accum.mul(ws[16], p[31]);
 2303|      2|   accum.mul(ws[17], p[30]);
 2304|      2|   accum.mul(ws[18], p[29]);
 2305|      2|   accum.mul(ws[19], p[28]);
 2306|      2|   accum.mul(ws[20], p[27]);
 2307|      2|   accum.mul(ws[21], p[26]);
 2308|      2|   accum.mul(ws[22], p[25]);
 2309|      2|   accum.mul(ws[23], p[24]);
 2310|      2|   accum.mul(ws[24], p[23]);
 2311|      2|   accum.mul(ws[25], p[22]);
 2312|      2|   accum.mul(ws[26], p[21]);
 2313|      2|   accum.mul(ws[27], p[20]);
 2314|      2|   accum.mul(ws[28], p[19]);
 2315|      2|   accum.mul(ws[29], p[18]);
 2316|      2|   accum.mul(ws[30], p[17]);
 2317|      2|   accum.mul(ws[31], p[16]);
 2318|      2|   accum.add(z[47]);
 2319|      2|   ws[15] = accum.extract();
 2320|      2|   accum.mul(ws[17], p[31]);
 2321|      2|   accum.mul(ws[18], p[30]);
 2322|      2|   accum.mul(ws[19], p[29]);
 2323|      2|   accum.mul(ws[20], p[28]);
 2324|      2|   accum.mul(ws[21], p[27]);
 2325|      2|   accum.mul(ws[22], p[26]);
 2326|      2|   accum.mul(ws[23], p[25]);
 2327|      2|   accum.mul(ws[24], p[24]);
 2328|      2|   accum.mul(ws[25], p[23]);
 2329|      2|   accum.mul(ws[26], p[22]);
 2330|      2|   accum.mul(ws[27], p[21]);
 2331|      2|   accum.mul(ws[28], p[20]);
 2332|      2|   accum.mul(ws[29], p[19]);
 2333|      2|   accum.mul(ws[30], p[18]);
 2334|      2|   accum.mul(ws[31], p[17]);
 2335|      2|   accum.add(z[48]);
 2336|      2|   ws[16] = accum.extract();
 2337|      2|   accum.mul(ws[18], p[31]);
 2338|      2|   accum.mul(ws[19], p[30]);
 2339|      2|   accum.mul(ws[20], p[29]);
 2340|      2|   accum.mul(ws[21], p[28]);
 2341|      2|   accum.mul(ws[22], p[27]);
 2342|      2|   accum.mul(ws[23], p[26]);
 2343|      2|   accum.mul(ws[24], p[25]);
 2344|      2|   accum.mul(ws[25], p[24]);
 2345|      2|   accum.mul(ws[26], p[23]);
 2346|      2|   accum.mul(ws[27], p[22]);
 2347|      2|   accum.mul(ws[28], p[21]);
 2348|      2|   accum.mul(ws[29], p[20]);
 2349|      2|   accum.mul(ws[30], p[19]);
 2350|      2|   accum.mul(ws[31], p[18]);
 2351|      2|   accum.add(z[49]);
 2352|      2|   ws[17] = accum.extract();
 2353|      2|   accum.mul(ws[19], p[31]);
 2354|      2|   accum.mul(ws[20], p[30]);
 2355|      2|   accum.mul(ws[21], p[29]);
 2356|      2|   accum.mul(ws[22], p[28]);
 2357|      2|   accum.mul(ws[23], p[27]);
 2358|      2|   accum.mul(ws[24], p[26]);
 2359|      2|   accum.mul(ws[25], p[25]);
 2360|      2|   accum.mul(ws[26], p[24]);
 2361|      2|   accum.mul(ws[27], p[23]);
 2362|      2|   accum.mul(ws[28], p[22]);
 2363|      2|   accum.mul(ws[29], p[21]);
 2364|      2|   accum.mul(ws[30], p[20]);
 2365|      2|   accum.mul(ws[31], p[19]);
 2366|      2|   accum.add(z[50]);
 2367|      2|   ws[18] = accum.extract();
 2368|      2|   accum.mul(ws[20], p[31]);
 2369|      2|   accum.mul(ws[21], p[30]);
 2370|      2|   accum.mul(ws[22], p[29]);
 2371|      2|   accum.mul(ws[23], p[28]);
 2372|      2|   accum.mul(ws[24], p[27]);
 2373|      2|   accum.mul(ws[25], p[26]);
 2374|      2|   accum.mul(ws[26], p[25]);
 2375|      2|   accum.mul(ws[27], p[24]);
 2376|      2|   accum.mul(ws[28], p[23]);
 2377|      2|   accum.mul(ws[29], p[22]);
 2378|      2|   accum.mul(ws[30], p[21]);
 2379|      2|   accum.mul(ws[31], p[20]);
 2380|      2|   accum.add(z[51]);
 2381|      2|   ws[19] = accum.extract();
 2382|      2|   accum.mul(ws[21], p[31]);
 2383|      2|   accum.mul(ws[22], p[30]);
 2384|      2|   accum.mul(ws[23], p[29]);
 2385|      2|   accum.mul(ws[24], p[28]);
 2386|      2|   accum.mul(ws[25], p[27]);
 2387|      2|   accum.mul(ws[26], p[26]);
 2388|      2|   accum.mul(ws[27], p[25]);
 2389|      2|   accum.mul(ws[28], p[24]);
 2390|      2|   accum.mul(ws[29], p[23]);
 2391|      2|   accum.mul(ws[30], p[22]);
 2392|      2|   accum.mul(ws[31], p[21]);
 2393|      2|   accum.add(z[52]);
 2394|      2|   ws[20] = accum.extract();
 2395|      2|   accum.mul(ws[22], p[31]);
 2396|      2|   accum.mul(ws[23], p[30]);
 2397|      2|   accum.mul(ws[24], p[29]);
 2398|      2|   accum.mul(ws[25], p[28]);
 2399|      2|   accum.mul(ws[26], p[27]);
 2400|      2|   accum.mul(ws[27], p[26]);
 2401|      2|   accum.mul(ws[28], p[25]);
 2402|      2|   accum.mul(ws[29], p[24]);
 2403|      2|   accum.mul(ws[30], p[23]);
 2404|      2|   accum.mul(ws[31], p[22]);
 2405|      2|   accum.add(z[53]);
 2406|      2|   ws[21] = accum.extract();
 2407|      2|   accum.mul(ws[23], p[31]);
 2408|      2|   accum.mul(ws[24], p[30]);
 2409|      2|   accum.mul(ws[25], p[29]);
 2410|      2|   accum.mul(ws[26], p[28]);
 2411|      2|   accum.mul(ws[27], p[27]);
 2412|      2|   accum.mul(ws[28], p[26]);
 2413|      2|   accum.mul(ws[29], p[25]);
 2414|      2|   accum.mul(ws[30], p[24]);
 2415|      2|   accum.mul(ws[31], p[23]);
 2416|      2|   accum.add(z[54]);
 2417|      2|   ws[22] = accum.extract();
 2418|      2|   accum.mul(ws[24], p[31]);
 2419|      2|   accum.mul(ws[25], p[30]);
 2420|      2|   accum.mul(ws[26], p[29]);
 2421|      2|   accum.mul(ws[27], p[28]);
 2422|      2|   accum.mul(ws[28], p[27]);
 2423|      2|   accum.mul(ws[29], p[26]);
 2424|      2|   accum.mul(ws[30], p[25]);
 2425|      2|   accum.mul(ws[31], p[24]);
 2426|      2|   accum.add(z[55]);
 2427|      2|   ws[23] = accum.extract();
 2428|      2|   accum.mul(ws[25], p[31]);
 2429|      2|   accum.mul(ws[26], p[30]);
 2430|      2|   accum.mul(ws[27], p[29]);
 2431|      2|   accum.mul(ws[28], p[28]);
 2432|      2|   accum.mul(ws[29], p[27]);
 2433|      2|   accum.mul(ws[30], p[26]);
 2434|      2|   accum.mul(ws[31], p[25]);
 2435|      2|   accum.add(z[56]);
 2436|      2|   ws[24] = accum.extract();
 2437|      2|   accum.mul(ws[26], p[31]);
 2438|      2|   accum.mul(ws[27], p[30]);
 2439|      2|   accum.mul(ws[28], p[29]);
 2440|      2|   accum.mul(ws[29], p[28]);
 2441|      2|   accum.mul(ws[30], p[27]);
 2442|      2|   accum.mul(ws[31], p[26]);
 2443|      2|   accum.add(z[57]);
 2444|      2|   ws[25] = accum.extract();
 2445|      2|   accum.mul(ws[27], p[31]);
 2446|      2|   accum.mul(ws[28], p[30]);
 2447|      2|   accum.mul(ws[29], p[29]);
 2448|      2|   accum.mul(ws[30], p[28]);
 2449|      2|   accum.mul(ws[31], p[27]);
 2450|      2|   accum.add(z[58]);
 2451|      2|   ws[26] = accum.extract();
 2452|      2|   accum.mul(ws[28], p[31]);
 2453|      2|   accum.mul(ws[29], p[30]);
 2454|      2|   accum.mul(ws[30], p[29]);
 2455|      2|   accum.mul(ws[31], p[28]);
 2456|      2|   accum.add(z[59]);
 2457|      2|   ws[27] = accum.extract();
 2458|      2|   accum.mul(ws[29], p[31]);
 2459|      2|   accum.mul(ws[30], p[30]);
 2460|      2|   accum.mul(ws[31], p[29]);
 2461|      2|   accum.add(z[60]);
 2462|      2|   ws[28] = accum.extract();
 2463|      2|   accum.mul(ws[30], p[31]);
 2464|      2|   accum.mul(ws[31], p[30]);
 2465|      2|   accum.add(z[61]);
 2466|      2|   ws[29] = accum.extract();
 2467|      2|   accum.mul(ws[31], p[31]);
 2468|      2|   accum.add(z[62]);
 2469|      2|   ws[30] = accum.extract();
 2470|      2|   accum.add(z[63]);
 2471|      2|   ws[31] = accum.extract();
 2472|      2|   const word w1 = accum.extract();
 2473|      2|   bigint_monty_maybe_sub<32>(r, w1, ws, p);
 2474|      2|}