boringssl/ssl/test/runner/poly1305.go

// Copyright 2012 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package main

// Based on original, public domain implementation from NaCl by D. J.
// Bernstein.

import (
	"crypto/subtle"
	"math"
)

const (
	alpham80 = 0.00000000558793544769287109375
	alpham48 = 24.0
	alpham16 = 103079215104.0
	alpha0   = 6755399441055744.0
	alpha18  = 1770887431076116955136.0
	alpha32  = 29014219670751100192948224.0
	alpha50  = 7605903601369376408980219232256.0
	alpha64  = 124615124604835863084731911901282304.0
	alpha82  = 32667107224410092492483962313449748299776.0
	alpha96  = 535217884764734955396857238543560676143529984.0
	alpha112 = 35076039295941670036888435985190792471742381031424.0
	alpha130 = 9194973245195333150150082162901855101712434733101613056.0
	scale    = 0.0000000000000000000000000000000000000036734198463196484624023016788195177431833298649127735047148490821200539357960224151611328125
	offset0  = 6755408030990331.0
	offset1  = 29014256564239239022116864.0
	offset2  = 124615283061160854719918951570079744.0
	offset3  = 535219245894202480694386063513315216128475136.0
)

// poly1305Verify returns true if mac is a valid authenticator for m with the
// given key.
func poly1305Verify(mac *[16]byte, m []byte, key *[32]byte) bool {
	var tmp [16]byte
	poly1305Sum(&tmp, m, key)
	return subtle.ConstantTimeCompare(tmp[:], mac[:]) == 1
}

// poly1305Sum generates an authenticator for m using a one-time key and puts
// the 16-byte result into out. Authenticating two different messages with the
// same key allows an attacker to forge messages at will.
func poly1305Sum(out *[16]byte, m []byte, key *[32]byte) {
	r := key
	s := key[16:]
	var (
		y7        float64
		y6        float64
		y1        float64
		y0        float64
		y5        float64
		y4        float64
		x7        float64
		x6        float64
		x1        float64
		x0        float64
		y3        float64
		y2        float64
		x5        float64
		r3lowx0   float64
		x4        float64
		r0lowx6   float64
		x3        float64
		r3highx0  float64
		x2        float64
		r0highx6  float64
		r0lowx0   float64
		sr1lowx6  float64
		r0highx0  float64
		sr1highx6 float64
		sr3low    float64
		r1lowx0   float64
		sr2lowx6  float64
		r1highx0  float64
		sr2highx6 float64
		r2lowx0   float64
		sr3lowx6  float64
		r2highx0  float64
		sr3highx6 float64
		r1highx4  float64
		r1lowx4   float64
		r0highx4  float64
		r0lowx4   float64
		sr3highx4 float64
		sr3lowx4  float64
		sr2highx4 float64
		sr2lowx4  float64
		r0lowx2   float64
		r0highx2  float64
		r1lowx2   float64
		r1highx2  float64
		r2lowx2   float64
		r2highx2  float64
		sr3lowx2  float64
		sr3highx2 float64
		z0        float64
		z1        float64
		z2        float64
		z3        float64
		m0        int64
		m1        int64
		m2        int64
		m3        int64
		m00       uint32
		m01       uint32
		m02       uint32
		m03       uint32
		m10       uint32
		m11       uint32
		m12       uint32
		m13       uint32
		m20       uint32
		m21       uint32
		m22       uint32
		m23       uint32
		m30       uint32
		m31       uint32
		m32       uint32
		m33       uint64
		lbelow2   int32
		lbelow3   int32
		lbelow4   int32
		lbelow5   int32
		lbelow6   int32
		lbelow7   int32
		lbelow8   int32
		lbelow9   int32
		lbelow10  int32
		lbelow11  int32
		lbelow12  int32
		lbelow13  int32
		lbelow14  int32
		lbelow15  int32
		s00       uint32
		s01       uint32
		s02       uint32
		s03       uint32
		s10       uint32
		s11       uint32
		s12       uint32
		s13       uint32
		s20       uint32
		s21       uint32
		s22       uint32
		s23       uint32
		s30       uint32
		s31       uint32
		s32       uint32
		s33       uint32
		bits32    uint64
		f         uint64
		f0        uint64
		f1        uint64
		f2        uint64
		f3        uint64
		f4        uint64
		g         uint64
		g0        uint64
		g1        uint64
		g2        uint64
		g3        uint64
		g4        uint64
	)

	var p int32

	l := int32(len(m))

	r00 := uint32(r[0])

	r01 := uint32(r[1])

	r02 := uint32(r[2])
	r0 := int64(2151)

	r03 := uint32(r[3])
	r03 &= 15
	r0 <<= 51

	r10 := uint32(r[4])
	r10 &= 252
	r01 <<= 8
	r0 += int64(r00)

	r11 := uint32(r[5])
	r02 <<= 16
	r0 += int64(r01)

	r12 := uint32(r[6])
	r03 <<= 24
	r0 += int64(r02)

	r13 := uint32(r[7])
	r13 &= 15
	r1 := int64(2215)
	r0 += int64(r03)

	d0 := r0
	r1 <<= 51
	r2 := int64(2279)

	r20 := uint32(r[8])
	r20 &= 252
	r11 <<= 8
	r1 += int64(r10)

	r21 := uint32(r[9])
	r12 <<= 16
	r1 += int64(r11)

	r22 := uint32(r[10])
	r13 <<= 24
	r1 += int64(r12)

	r23 := uint32(r[11])
	r23 &= 15
	r2 <<= 51
	r1 += int64(r13)

	d1 := r1
	r21 <<= 8
	r2 += int64(r20)

	r30 := uint32(r[12])
	r30 &= 252
	r22 <<= 16
	r2 += int64(r21)

	r31 := uint32(r[13])
	r23 <<= 24
	r2 += int64(r22)

	r32 := uint32(r[14])
	r2 += int64(r23)
	r3 := int64(2343)

	d2 := r2
	r3 <<= 51

	r33 := uint32(r[15])
	r33 &= 15
	r31 <<= 8
	r3 += int64(r30)

	r32 <<= 16
	r3 += int64(r31)

	r33 <<= 24
	r3 += int64(r32)

	r3 += int64(r33)
	h0 := alpha32 - alpha32

	d3 := r3
	h1 := alpha32 - alpha32

	h2 := alpha32 - alpha32

	h3 := alpha32 - alpha32

	h4 := alpha32 - alpha32

	r0low := math.Float64frombits(uint64(d0))
	h5 := alpha32 - alpha32

	r1low := math.Float64frombits(uint64(d1))
	h6 := alpha32 - alpha32

	r2low := math.Float64frombits(uint64(d2))
	h7 := alpha32 - alpha32

	r0low -= alpha0

	r1low -= alpha32

	r2low -= alpha64

	r0high := r0low + alpha18

	r3low := math.Float64frombits(uint64(d3))

	r1high := r1low + alpha50
	sr1low := scale * r1low

	r2high := r2low + alpha82
	sr2low := scale * r2low

	r0high -= alpha18
	r0high_stack := r0high

	r3low -= alpha96

	r1high -= alpha50
	r1high_stack := r1high

	sr1high := sr1low + alpham80

	r0low -= r0high

	r2high -= alpha82
	sr3low = scale * r3low

	sr2high := sr2low + alpham48

	r1low -= r1high
	r1low_stack := r1low

	sr1high -= alpham80
	sr1high_stack := sr1high

	r2low -= r2high
	r2low_stack := r2low

	sr2high -= alpham48
	sr2high_stack := sr2high

	r3high := r3low + alpha112
	r0low_stack := r0low

	sr1low -= sr1high
	sr1low_stack := sr1low

	sr3high := sr3low + alpham16
	r2high_stack := r2high

	sr2low -= sr2high
	sr2low_stack := sr2low

	r3high -= alpha112
	r3high_stack := r3high

	sr3high -= alpham16
	sr3high_stack := sr3high

	r3low -= r3high
	r3low_stack := r3low

	sr3low -= sr3high
	sr3low_stack := sr3low

	if l < 16 {
		goto addatmost15bytes
	}

	m00 = uint32(m[p+0])
	m0 = 2151

	m0 <<= 51
	m1 = 2215
	m01 = uint32(m[p+1])

	m1 <<= 51
	m2 = 2279
	m02 = uint32(m[p+2])

	m2 <<= 51
	m3 = 2343
	m03 = uint32(m[p+3])

	m10 = uint32(m[p+4])
	m01 <<= 8
	m0 += int64(m00)

	m11 = uint32(m[p+5])
	m02 <<= 16
	m0 += int64(m01)

	m12 = uint32(m[p+6])
	m03 <<= 24
	m0 += int64(m02)

	m13 = uint32(m[p+7])
	m3 <<= 51
	m0 += int64(m03)

	m20 = uint32(m[p+8])
	m11 <<= 8
	m1 += int64(m10)

	m21 = uint32(m[p+9])
	m12 <<= 16
	m1 += int64(m11)

	m22 = uint32(m[p+10])
	m13 <<= 24
	m1 += int64(m12)

	m23 = uint32(m[p+11])
	m1 += int64(m13)

	m30 = uint32(m[p+12])
	m21 <<= 8
	m2 += int64(m20)

	m31 = uint32(m[p+13])
	m22 <<= 16
	m2 += int64(m21)

	m32 = uint32(m[p+14])
	m23 <<= 24
	m2 += int64(m22)

	m33 = uint64(m[p+15])
	m2 += int64(m23)

	d0 = m0
	m31 <<= 8
	m3 += int64(m30)

	d1 = m1
	m32 <<= 16
	m3 += int64(m31)

	d2 = m2
	m33 += 256

	m33 <<= 24
	m3 += int64(m32)

	m3 += int64(m33)
	d3 = m3

	p += 16
	l -= 16

	z0 = math.Float64frombits(uint64(d0))

	z1 = math.Float64frombits(uint64(d1))

	z2 = math.Float64frombits(uint64(d2))

	z3 = math.Float64frombits(uint64(d3))

	z0 -= alpha0

	z1 -= alpha32

	z2 -= alpha64

	z3 -= alpha96

	h0 += z0

	h1 += z1

	h3 += z2

	h5 += z3

	if l < 16 {
		goto multiplyaddatmost15bytes
	}

multiplyaddatleast16bytes:

	m2 = 2279
	m20 = uint32(m[p+8])
	y7 = h7 + alpha130

	m2 <<= 51
	m3 = 2343
	m21 = uint32(m[p+9])
	y6 = h6 + alpha130

	m3 <<= 51
	m0 = 2151
	m22 = uint32(m[p+10])
	y1 = h1 + alpha32

	m0 <<= 51
	m1 = 2215
	m23 = uint32(m[p+11])
	y0 = h0 + alpha32

	m1 <<= 51
	m30 = uint32(m[p+12])
	y7 -= alpha130

	m21 <<= 8
	m2 += int64(m20)
	m31 = uint32(m[p+13])
	y6 -= alpha130

	m22 <<= 16
	m2 += int64(m21)
	m32 = uint32(m[p+14])
	y1 -= alpha32

	m23 <<= 24
	m2 += int64(m22)
	m33 = uint64(m[p+15])
	y0 -= alpha32

	m2 += int64(m23)
	m00 = uint32(m[p+0])
	y5 = h5 + alpha96

	m31 <<= 8
	m3 += int64(m30)
	m01 = uint32(m[p+1])
	y4 = h4 + alpha96

	m32 <<= 16
	m02 = uint32(m[p+2])
	x7 = h7 - y7
	y7 *= scale

	m33 += 256
	m03 = uint32(m[p+3])
	x6 = h6 - y6
	y6 *= scale

	m33 <<= 24
	m3 += int64(m31)
	m10 = uint32(m[p+4])
	x1 = h1 - y1

	m01 <<= 8
	m3 += int64(m32)
	m11 = uint32(m[p+5])
	x0 = h0 - y0

	m3 += int64(m33)
	m0 += int64(m00)
	m12 = uint32(m[p+6])
	y5 -= alpha96

	m02 <<= 16
	m0 += int64(m01)
	m13 = uint32(m[p+7])
	y4 -= alpha96

	m03 <<= 24
	m0 += int64(m02)
	d2 = m2
	x1 += y7

	m0 += int64(m03)
	d3 = m3
	x0 += y6

	m11 <<= 8
	m1 += int64(m10)
	d0 = m0
	x7 += y5

	m12 <<= 16
	m1 += int64(m11)
	x6 += y4

	m13 <<= 24
	m1 += int64(m12)
	y3 = h3 + alpha64

	m1 += int64(m13)
	d1 = m1
	y2 = h2 + alpha64

	x0 += x1

	x6 += x7

	y3 -= alpha64
	r3low = r3low_stack

	y2 -= alpha64
	r0low = r0low_stack

	x5 = h5 - y5
	r3lowx0 = r3low * x0
	r3high = r3high_stack

	x4 = h4 - y4
	r0lowx6 = r0low * x6
	r0high = r0high_stack

	x3 = h3 - y3
	r3highx0 = r3high * x0
	sr1low = sr1low_stack

	x2 = h2 - y2
	r0highx6 = r0high * x6
	sr1high = sr1high_stack

	x5 += y3
	r0lowx0 = r0low * x0
	r1low = r1low_stack

	h6 = r3lowx0 + r0lowx6
	sr1lowx6 = sr1low * x6
	r1high = r1high_stack

	x4 += y2
	r0highx0 = r0high * x0
	sr2low = sr2low_stack

	h7 = r3highx0 + r0highx6
	sr1highx6 = sr1high * x6
	sr2high = sr2high_stack

	x3 += y1
	r1lowx0 = r1low * x0
	r2low = r2low_stack

	h0 = r0lowx0 + sr1lowx6
	sr2lowx6 = sr2low * x6
	r2high = r2high_stack

	x2 += y0
	r1highx0 = r1high * x0
	sr3low = sr3low_stack

	h1 = r0highx0 + sr1highx6
	sr2highx6 = sr2high * x6
	sr3high = sr3high_stack

	x4 += x5
	r2lowx0 = r2low * x0
	z2 = math.Float64frombits(uint64(d2))

	h2 = r1lowx0 + sr2lowx6
	sr3lowx6 = sr3low * x6

	x2 += x3
	r2highx0 = r2high * x0
	z3 = math.Float64frombits(uint64(d3))

	h3 = r1highx0 + sr2highx6
	sr3highx6 = sr3high * x6

	r1highx4 = r1high * x4
	z2 -= alpha64

	h4 = r2lowx0 + sr3lowx6
	r1lowx4 = r1low * x4

	r0highx4 = r0high * x4
	z3 -= alpha96

	h5 = r2highx0 + sr3highx6
	r0lowx4 = r0low * x4

	h7 += r1highx4
	sr3highx4 = sr3high * x4

	h6 += r1lowx4
	sr3lowx4 = sr3low * x4

	h5 += r0highx4
	sr2highx4 = sr2high * x4

	h4 += r0lowx4
	sr2lowx4 = sr2low * x4

	h3 += sr3highx4
	r0lowx2 = r0low * x2

	h2 += sr3lowx4
	r0highx2 = r0high * x2

	h1 += sr2highx4
	r1lowx2 = r1low * x2

	h0 += sr2lowx4
	r1highx2 = r1high * x2

	h2 += r0lowx2
	r2lowx2 = r2low * x2

	h3 += r0highx2
	r2highx2 = r2high * x2

	h4 += r1lowx2
	sr3lowx2 = sr3low * x2

	h5 += r1highx2
	sr3highx2 = sr3high * x2

	p += 16
	l -= 16
	h6 += r2lowx2

	h7 += r2highx2

	z1 = math.Float64frombits(uint64(d1))
	h0 += sr3lowx2

	z0 = math.Float64frombits(uint64(d0))
	h1 += sr3highx2

	z1 -= alpha32

	z0 -= alpha0

	h5 += z3

	h3 += z2

	h1 += z1

	h0 += z0

	if l >= 16 {
		goto multiplyaddatleast16bytes
	}

multiplyaddatmost15bytes:

	y7 = h7 + alpha130

	y6 = h6 + alpha130

	y1 = h1 + alpha32

	y0 = h0 + alpha32

	y7 -= alpha130

	y6 -= alpha130

	y1 -= alpha32

	y0 -= alpha32

	y5 = h5 + alpha96

	y4 = h4 + alpha96

	x7 = h7 - y7
	y7 *= scale

	x6 = h6 - y6
	y6 *= scale

	x1 = h1 - y1

	x0 = h0 - y0

	y5 -= alpha96

	y4 -= alpha96

	x1 += y7

	x0 += y6

	x7 += y5

	x6 += y4

	y3 = h3 + alpha64

	y2 = h2 + alpha64

	x0 += x1

	x6 += x7

	y3 -= alpha64
	r3low = r3low_stack

	y2 -= alpha64
	r0low = r0low_stack

	x5 = h5 - y5
	r3lowx0 = r3low * x0
	r3high = r3high_stack

	x4 = h4 - y4
	r0lowx6 = r0low * x6
	r0high = r0high_stack

	x3 = h3 - y3
	r3highx0 = r3high * x0
	sr1low = sr1low_stack

	x2 = h2 - y2
	r0highx6 = r0high * x6
	sr1high = sr1high_stack

	x5 += y3
	r0lowx0 = r0low * x0
	r1low = r1low_stack

	h6 = r3lowx0 + r0lowx6
	sr1lowx6 = sr1low * x6
	r1high = r1high_stack

	x4 += y2
	r0highx0 = r0high * x0
	sr2low = sr2low_stack

	h7 = r3highx0 + r0highx6
	sr1highx6 = sr1high * x6
	sr2high = sr2high_stack

	x3 += y1
	r1lowx0 = r1low * x0
	r2low = r2low_stack

	h0 = r0lowx0 + sr1lowx6
	sr2lowx6 = sr2low * x6
	r2high = r2high_stack

	x2 += y0
	r1highx0 = r1high * x0
	sr3low = sr3low_stack

	h1 = r0highx0 + sr1highx6
	sr2highx6 = sr2high * x6
	sr3high = sr3high_stack

	x4 += x5
	r2lowx0 = r2low * x0

	h2 = r1lowx0 + sr2lowx6
	sr3lowx6 = sr3low * x6

	x2 += x3
	r2highx0 = r2high * x0

	h3 = r1highx0 + sr2highx6
	sr3highx6 = sr3high * x6

	r1highx4 = r1high * x4

	h4 = r2lowx0 + sr3lowx6
	r1lowx4 = r1low * x4

	r0highx4 = r0high * x4

	h5 = r2highx0 + sr3highx6
	r0lowx4 = r0low * x4

	h7 += r1highx4
	sr3highx4 = sr3high * x4

	h6 += r1lowx4
	sr3lowx4 = sr3low * x4

	h5 += r0highx4
	sr2highx4 = sr2high * x4

	h4 += r0lowx4
	sr2lowx4 = sr2low * x4

	h3 += sr3highx4
	r0lowx2 = r0low * x2

	h2 += sr3lowx4
	r0highx2 = r0high * x2

	h1 += sr2highx4
	r1lowx2 = r1low * x2

	h0 += sr2lowx4
	r1highx2 = r1high * x2

	h2 += r0lowx2
	r2lowx2 = r2low * x2

	h3 += r0highx2
	r2highx2 = r2high * x2

	h4 += r1lowx2
	sr3lowx2 = sr3low * x2

	h5 += r1highx2
	sr3highx2 = sr3high * x2

	h6 += r2lowx2

	h7 += r2highx2

	h0 += sr3lowx2

	h1 += sr3highx2

addatmost15bytes:

	if l == 0 {
		goto nomorebytes
	}

	lbelow2 = l - 2

	lbelow3 = l - 3

	lbelow2 >>= 31
	lbelow4 = l - 4

	m00 = uint32(m[p+0])
	lbelow3 >>= 31
	p += lbelow2

	m01 = uint32(m[p+1])
	lbelow4 >>= 31
	p += lbelow3

	m02 = uint32(m[p+2])
	p += lbelow4
	m0 = 2151

	m03 = uint32(m[p+3])
	m0 <<= 51
	m1 = 2215

	m0 += int64(m00)
	m01 &^= uint32(lbelow2)

	m02 &^= uint32(lbelow3)
	m01 -= uint32(lbelow2)

	m01 <<= 8
	m03 &^= uint32(lbelow4)

	m0 += int64(m01)
	lbelow2 -= lbelow3

	m02 += uint32(lbelow2)
	lbelow3 -= lbelow4

	m02 <<= 16
	m03 += uint32(lbelow3)

	m03 <<= 24
	m0 += int64(m02)

	m0 += int64(m03)
	lbelow5 = l - 5

	lbelow6 = l - 6
	lbelow7 = l - 7

	lbelow5 >>= 31
	lbelow8 = l - 8

	lbelow6 >>= 31
	p += lbelow5

	m10 = uint32(m[p+4])
	lbelow7 >>= 31
	p += lbelow6

	m11 = uint32(m[p+5])
	lbelow8 >>= 31
	p += lbelow7

	m12 = uint32(m[p+6])
	m1 <<= 51
	p += lbelow8

	m13 = uint32(m[p+7])
	m10 &^= uint32(lbelow5)
	lbelow4 -= lbelow5

	m10 += uint32(lbelow4)
	lbelow5 -= lbelow6

	m11 &^= uint32(lbelow6)
	m11 += uint32(lbelow5)

	m11 <<= 8
	m1 += int64(m10)

	m1 += int64(m11)
	m12 &^= uint32(lbelow7)

	lbelow6 -= lbelow7
	m13 &^= uint32(lbelow8)

	m12 += uint32(lbelow6)
	lbelow7 -= lbelow8

	m12 <<= 16
	m13 += uint32(lbelow7)

	m13 <<= 24
	m1 += int64(m12)

	m1 += int64(m13)
	m2 = 2279

	lbelow9 = l - 9
	m3 = 2343

	lbelow10 = l - 10
	lbelow11 = l - 11

	lbelow9 >>= 31
	lbelow12 = l - 12

	lbelow10 >>= 31
	p += lbelow9

	m20 = uint32(m[p+8])
	lbelow11 >>= 31
	p += lbelow10

	m21 = uint32(m[p+9])
	lbelow12 >>= 31
	p += lbelow11

	m22 = uint32(m[p+10])
	m2 <<= 51
	p += lbelow12

	m23 = uint32(m[p+11])
	m20 &^= uint32(lbelow9)
	lbelow8 -= lbelow9

	m20 += uint32(lbelow8)
	lbelow9 -= lbelow10

	m21 &^= uint32(lbelow10)
	m21 += uint32(lbelow9)

	m21 <<= 8
	m2 += int64(m20)

	m2 += int64(m21)
	m22 &^= uint32(lbelow11)

	lbelow10 -= lbelow11
	m23 &^= uint32(lbelow12)

	m22 += uint32(lbelow10)
	lbelow11 -= lbelow12

	m22 <<= 16
	m23 += uint32(lbelow11)

	m23 <<= 24
	m2 += int64(m22)

	m3 <<= 51
	lbelow13 = l - 13

	lbelow13 >>= 31
	lbelow14 = l - 14

	lbelow14 >>= 31
	p += lbelow13
	lbelow15 = l - 15

	m30 = uint32(m[p+12])
	lbelow15 >>= 31
	p += lbelow14

	m31 = uint32(m[p+13])
	p += lbelow15
	m2 += int64(m23)

	m32 = uint32(m[p+14])
	m30 &^= uint32(lbelow13)
	lbelow12 -= lbelow13

	m30 += uint32(lbelow12)
	lbelow13 -= lbelow14

	m3 += int64(m30)
	m31 &^= uint32(lbelow14)

	m31 += uint32(lbelow13)
	m32 &^= uint32(lbelow15)

	m31 <<= 8
	lbelow14 -= lbelow15

	m3 += int64(m31)
	m32 += uint32(lbelow14)
	d0 = m0

	m32 <<= 16
	m33 = uint64(lbelow15 + 1)
	d1 = m1

	m33 <<= 24
	m3 += int64(m32)
	d2 = m2

	m3 += int64(m33)
	d3 = m3

	z3 = math.Float64frombits(uint64(d3))

	z2 = math.Float64frombits(uint64(d2))

	z1 = math.Float64frombits(uint64(d1))

	z0 = math.Float64frombits(uint64(d0))

	z3 -= alpha96

	z2 -= alpha64

	z1 -= alpha32

	z0 -= alpha0

	h5 += z3

	h3 += z2

	h1 += z1

	h0 += z0

	y7 = h7 + alpha130

	y6 = h6 + alpha130

	y1 = h1 + alpha32

	y0 = h0 + alpha32

	y7 -= alpha130

	y6 -= alpha130

	y1 -= alpha32

	y0 -= alpha32

	y5 = h5 + alpha96

	y4 = h4 + alpha96

	x7 = h7 - y7
	y7 *= scale

	x6 = h6 - y6
	y6 *= scale

	x1 = h1 - y1

	x0 = h0 - y0

	y5 -= alpha96

	y4 -= alpha96

	x1 += y7

	x0 += y6

	x7 += y5

	x6 += y4

	y3 = h3 + alpha64

	y2 = h2 + alpha64

	x0 += x1

	x6 += x7

	y3 -= alpha64
	r3low = r3low_stack

	y2 -= alpha64
	r0low = r0low_stack

	x5 = h5 - y5
	r3lowx0 = r3low * x0
	r3high = r3high_stack

	x4 = h4 - y4
	r0lowx6 = r0low * x6
	r0high = r0high_stack

	x3 = h3 - y3
	r3highx0 = r3high * x0
	sr1low = sr1low_stack

	x2 = h2 - y2
	r0highx6 = r0high * x6
	sr1high = sr1high_stack

	x5 += y3
	r0lowx0 = r0low * x0
	r1low = r1low_stack

	h6 = r3lowx0 + r0lowx6
	sr1lowx6 = sr1low * x6
	r1high = r1high_stack

	x4 += y2
	r0highx0 = r0high * x0
	sr2low = sr2low_stack

	h7 = r3highx0 + r0highx6
	sr1highx6 = sr1high * x6
	sr2high = sr2high_stack

	x3 += y1
	r1lowx0 = r1low * x0
	r2low = r2low_stack

	h0 = r0lowx0 + sr1lowx6
	sr2lowx6 = sr2low * x6
	r2high = r2high_stack

	x2 += y0
	r1highx0 = r1high * x0
	sr3low = sr3low_stack

	h1 = r0highx0 + sr1highx6
	sr2highx6 = sr2high * x6
	sr3high = sr3high_stack

	x4 += x5
	r2lowx0 = r2low * x0

	h2 = r1lowx0 + sr2lowx6
	sr3lowx6 = sr3low * x6

	x2 += x3
	r2highx0 = r2high * x0

	h3 = r1highx0 + sr2highx6
	sr3highx6 = sr3high * x6

	r1highx4 = r1high * x4

	h4 = r2lowx0 + sr3lowx6
	r1lowx4 = r1low * x4

	r0highx4 = r0high * x4

	h5 = r2highx0 + sr3highx6
	r0lowx4 = r0low * x4

	h7 += r1highx4
	sr3highx4 = sr3high * x4

	h6 += r1lowx4
	sr3lowx4 = sr3low * x4

	h5 += r0highx4
	sr2highx4 = sr2high * x4

	h4 += r0lowx4
	sr2lowx4 = sr2low * x4

	h3 += sr3highx4
	r0lowx2 = r0low * x2

	h2 += sr3lowx4
	r0highx2 = r0high * x2

	h1 += sr2highx4
	r1lowx2 = r1low * x2

	h0 += sr2lowx4
	r1highx2 = r1high * x2

	h2 += r0lowx2
	r2lowx2 = r2low * x2

	h3 += r0highx2
	r2highx2 = r2high * x2

	h4 += r1lowx2
	sr3lowx2 = sr3low * x2

	h5 += r1highx2
	sr3highx2 = sr3high * x2

	h6 += r2lowx2

	h7 += r2highx2

	h0 += sr3lowx2

	h1 += sr3highx2

nomorebytes:

	y7 = h7 + alpha130

	y0 = h0 + alpha32

	y1 = h1 + alpha32

	y2 = h2 + alpha64

	y7 -= alpha130

	y3 = h3 + alpha64

	y4 = h4 + alpha96

	y5 = h5 + alpha96

	x7 = h7 - y7
	y7 *= scale

	y0 -= alpha32

	y1 -= alpha32

	y2 -= alpha64

	h6 += x7

	y3 -= alpha64

	y4 -= alpha96

	y5 -= alpha96

	y6 = h6 + alpha130

	x0 = h0 - y0

	x1 = h1 - y1

	x2 = h2 - y2

	y6 -= alpha130

	x0 += y7

	x3 = h3 - y3

	x4 = h4 - y4

	x5 = h5 - y5

	x6 = h6 - y6

	y6 *= scale

	x2 += y0

	x3 += y1

	x4 += y2

	x0 += y6

	x5 += y3

	x6 += y4

	x2 += x3

	x0 += x1

	x4 += x5

	x6 += y5

	x2 += offset1
	d1 = int64(math.Float64bits(x2))

	x0 += offset0
	d0 = int64(math.Float64bits(x0))

	x4 += offset2
	d2 = int64(math.Float64bits(x4))

	x6 += offset3
	d3 = int64(math.Float64bits(x6))

	f0 = uint64(d0)

	f1 = uint64(d1)
	bits32 = math.MaxUint64

	f2 = uint64(d2)
	bits32 >>= 32

	f3 = uint64(d3)
	f = f0 >> 32

	f0 &= bits32
	f &= 255

	f1 += f
	g0 = f0 + 5

	g = g0 >> 32
	g0 &= bits32

	f = f1 >> 32
	f1 &= bits32

	f &= 255
	g1 = f1 + g

	g = g1 >> 32
	f2 += f

	f = f2 >> 32
	g1 &= bits32

	f2 &= bits32
	f &= 255

	f3 += f
	g2 = f2 + g

	g = g2 >> 32
	g2 &= bits32

	f4 = f3 >> 32
	f3 &= bits32

	f4 &= 255
	g3 = f3 + g

	g = g3 >> 32
	g3 &= bits32

	g4 = f4 + g

	g4 = g4 - 4
	s00 = uint32(s[0])

	f = uint64(int64(g4) >> 63)
	s01 = uint32(s[1])

	f0 &= f
	g0 &^= f
	s02 = uint32(s[2])

	f1 &= f
	f0 |= g0
	s03 = uint32(s[3])

	g1 &^= f
	f2 &= f
	s10 = uint32(s[4])

	f3 &= f
	g2 &^= f
	s11 = uint32(s[5])

	g3 &^= f
	f1 |= g1
	s12 = uint32(s[6])

	f2 |= g2
	f3 |= g3
	s13 = uint32(s[7])

	s01 <<= 8
	f0 += uint64(s00)
	s20 = uint32(s[8])

	s02 <<= 16
	f0 += uint64(s01)
	s21 = uint32(s[9])

	s03 <<= 24
	f0 += uint64(s02)
	s22 = uint32(s[10])

	s11 <<= 8
	f1 += uint64(s10)
	s23 = uint32(s[11])

	s12 <<= 16
	f1 += uint64(s11)
	s30 = uint32(s[12])

	s13 <<= 24
	f1 += uint64(s12)
	s31 = uint32(s[13])

	f0 += uint64(s03)
	f1 += uint64(s13)
	s32 = uint32(s[14])

	s21 <<= 8
	f2 += uint64(s20)
	s33 = uint32(s[15])

	s22 <<= 16
	f2 += uint64(s21)

	s23 <<= 24
	f2 += uint64(s22)

	s31 <<= 8
	f3 += uint64(s30)

	s32 <<= 16
	f3 += uint64(s31)

	s33 <<= 24
	f3 += uint64(s32)

	f2 += uint64(s23)
	f3 += uint64(s33)

	out[0] = byte(f0)
	f0 >>= 8
	out[1] = byte(f0)
	f0 >>= 8
	out[2] = byte(f0)
	f0 >>= 8
	out[3] = byte(f0)
	f0 >>= 8
	f1 += f0

	out[4] = byte(f1)
	f1 >>= 8
	out[5] = byte(f1)
	f1 >>= 8
	out[6] = byte(f1)
	f1 >>= 8
	out[7] = byte(f1)
	f1 >>= 8
	f2 += f1

	out[8] = byte(f2)
	f2 >>= 8
	out[9] = byte(f2)
	f2 >>= 8
	out[10] = byte(f2)
	f2 >>= 8
	out[11] = byte(f2)
	f2 >>= 8
	f3 += f2

	out[12] = byte(f3)
	f3 >>= 8
	out[13] = byte(f3)
	f3 >>= 8
	out[14] = byte(f3)
	f3 >>= 8
	out[15] = byte(f3)
}