-rw-r--r-- | src/Kbuild | 2 | ||||
-rw-r--r-- | src/crypto/curve25519-avx-x86_64.S | 3639 | ||||
-rw-r--r-- | src/crypto/curve25519.c | 79 | ||||
-rw-r--r-- | src/crypto/curve25519.h | 2 | ||||
-rw-r--r-- | src/main.c | 1 |
5 files changed, 3699 insertions, 24 deletions
@@ -8,7 +8,7 @@ ifeq ($(CONFIG_X86_64),y)
 wireguard-y += crypto/chacha20-ssse3-x86_64.o crypto/poly1305-sse2-x86_64.o
 avx_supported := $(call as-instr,vpxor %xmm0$(comma)%xmm0$(comma)%xmm0,yes,no)
 ifeq ($(avx_supported),yes)
- wireguard-y += crypto/blake2s-avx-x86_64.o
+ wireguard-y += crypto/blake2s-avx-x86_64.o crypto/curve25519-avx-x86_64.o
 endif
 avx2_supported := $(call as-instr,vpgatherdd %ymm0$(comma)(%eax$(comma)%ymm1$(comma)4)$(comma)%ymm2,yes,no)
 ifeq ($(avx2_supported),yes)
diff --git a/src/crypto/curve25519-avx-x86_64.S b/src/crypto/curve25519-avx-x86_64.S
new file mode 100644
index 0000000..bc2796d
--- /dev/null
+++ b/src/crypto/curve25519-avx-x86_64.S
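Review bot: The `avx_supported` probe that now gates `crypto/curve25519-avx-x86_64.o` is a build-time assembler test only, so the changed `wireguard-y +=` line tells a reader nothing about what callers must check before using the new routines. The C side (src/crypto/curve25519.c, not visible in this hunk) presumably has to compile out every reference to the `curve25519_sandy2x_*` symbols under the same condition, or the module will fail to link on toolchains without AVX. It also has to confirm AVX support on the running CPU and call the routines only inside a `kernel_fpu_begin()`/`kernel_fpu_end()` section. I would record that next to the object list with a comment such as `# AVX objects: callers need a runtime CPU feature check and must hold the FPU`. The enclosing `ifeq ($(CONFIG_X86_64),y)` block starts and ends outside the hunk.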
@@ -0,0 +1,3639 @@ +/* + * Copyright (C) 2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. + * Based on algorithms from Tung Chou <blueprint@crypto.tw> + */ + +#include <linux/linkage.h> + +.data +.align 16 +curve25519_sandy2x_v0_0: .quad 0, 0 +curve25519_sandy2x_v1_0: .quad 1, 0 +curve25519_sandy2x_v2_1: .quad 2, 1 +curve25519_sandy2x_v9_0: .quad 9, 0 +curve25519_sandy2x_v9_9: .quad 9, 9 +curve25519_sandy2x_v19_19: .quad 19, 19 +curve25519_sandy2x_v38_1: .quad 38, 1 +curve25519_sandy2x_v38_38: .quad 38, 38 +curve25519_sandy2x_v121666_121666: .quad 121666, 121666 +curve25519_sandy2x_m25: .quad 33554431, 33554431 +curve25519_sandy2x_m26: .quad 67108863, 67108863 +curve25519_sandy2x_subc0: .quad 0x07FFFFDA, 0x03FFFFFE +curve25519_sandy2x_subc2: .quad 0x07FFFFFE, 0x03FFFFFE +curve25519_sandy2x_REDMASK51: .quad 0x0007FFFFFFFFFFFF + +.text +.align 32 +ENTRY(curve25519_sandy2x_fe51_mul) + mov %rsp,%r11 + and $31,%r11 + add $96,%r11 + sub %r11,%rsp + movq %r11,0(%rsp) + movq %r12,8(%rsp) + movq %r13,16(%rsp) + movq %r14,24(%rsp) + movq %r15,32(%rsp) + movq %rbx,40(%rsp) + movq %rbp,48(%rsp) + movq %rdi,56(%rsp) + mov %rdx,%rcx + movq 24(%rsi),%rdx + imulq $19,%rdx,%rax + movq %rax,64(%rsp) + mulq 16(%rcx) + mov %rax,%r8 + mov %rdx,%r9 + movq 32(%rsi),%rdx + imulq $19,%rdx,%rax + movq %rax,72(%rsp) + mulq 8(%rcx) + add %rax,%r8 + adc %rdx,%r9 + movq 0(%rsi),%rax + mulq 0(%rcx) + add %rax,%r8 + adc %rdx,%r9 + movq 0(%rsi),%rax + mulq 8(%rcx) + mov %rax,%r10 + mov %rdx,%r11 + movq 0(%rsi),%rax + mulq 16(%rcx) + mov %rax,%r12 + mov %rdx,%r13 + movq 0(%rsi),%rax + mulq 24(%rcx) + mov %rax,%r14 + mov %rdx,%r15 + movq 0(%rsi),%rax + mulq 32(%rcx) + mov %rax,%rbx + mov %rdx,%rbp + movq 8(%rsi),%rax + mulq 0(%rcx) + add %rax,%r10 + adc %rdx,%r11 + movq 8(%rsi),%rax + mulq 8(%rcx) + add %rax,%r12 + adc %rdx,%r13 + movq 8(%rsi),%rax + mulq 16(%rcx) + add %rax,%r14 + adc %rdx,%r15 + movq 8(%rsi),%rax + mulq 24(%rcx) + add %rax,%rbx + adc %rdx,%rbp + movq 8(%rsi),%rdx + 
imulq $19,%rdx,%rax + mulq 32(%rcx) + add %rax,%r8 + adc %rdx,%r9 + movq 16(%rsi),%rax + mulq 0(%rcx) + add %rax,%r12 + adc %rdx,%r13 + movq 16(%rsi),%rax + mulq 8(%rcx) + add %rax,%r14 + adc %rdx,%r15 + movq 16(%rsi),%rax + mulq 16(%rcx) + add %rax,%rbx + adc %rdx,%rbp + movq 16(%rsi),%rdx + imulq $19,%rdx,%rax + mulq 24(%rcx) + add %rax,%r8 + adc %rdx,%r9 + movq 16(%rsi),%rdx + imulq $19,%rdx,%rax + mulq 32(%rcx) + add %rax,%r10 + adc %rdx,%r11 + movq 24(%rsi),%rax + mulq 0(%rcx) + add %rax,%r14 + adc %rdx,%r15 + movq 24(%rsi),%rax + mulq 8(%rcx) + add %rax,%rbx + adc %rdx,%rbp + movq 64(%rsp),%rax + mulq 24(%rcx) + add %rax,%r10 + adc %rdx,%r11 + movq 64(%rsp),%rax + mulq 32(%rcx) + add %rax,%r12 + adc %rdx,%r13 + movq 32(%rsi),%rax + mulq 0(%rcx) + add %rax,%rbx + adc %rdx,%rbp + movq 72(%rsp),%rax + mulq 16(%rcx) + add %rax,%r10 + adc %rdx,%r11 + movq 72(%rsp),%rax + mulq 24(%rcx) + add %rax,%r12 + adc %rdx,%r13 + movq 72(%rsp),%rax + mulq 32(%rcx) + add %rax,%r14 + adc %rdx,%r15 + movq curve25519_sandy2x_REDMASK51(%rip),%rsi + shld $13,%r8,%r9 + and %rsi,%r8 + shld $13,%r10,%r11 + and %rsi,%r10 + add %r9,%r10 + shld $13,%r12,%r13 + and %rsi,%r12 + add %r11,%r12 + shld $13,%r14,%r15 + and %rsi,%r14 + add %r13,%r14 + shld $13,%rbx,%rbp + and %rsi,%rbx + add %r15,%rbx + imulq $19,%rbp,%rdx + add %rdx,%r8 + mov %r8,%rdx + shr $51,%rdx + add %r10,%rdx + mov %rdx,%rcx + shr $51,%rdx + and %rsi,%r8 + add %r12,%rdx + mov %rdx,%r9 + shr $51,%rdx + and %rsi,%rcx + add %r14,%rdx + mov %rdx,%rax + shr $51,%rdx + and %rsi,%r9 + add %rbx,%rdx + mov %rdx,%r10 + shr $51,%rdx + and %rsi,%rax + imulq $19,%rdx,%rdx + add %rdx,%r8 + and %rsi,%r10 + movq %r8,0(%rdi) + movq %rcx,8(%rdi) + movq %r9,16(%rdi) + movq %rax,24(%rdi) + movq %r10,32(%rdi) + movq 0(%rsp),%r11 + movq 8(%rsp),%r12 + movq 16(%rsp),%r13 + movq 24(%rsp),%r14 + movq 32(%rsp),%r15 + movq 40(%rsp),%rbx + movq 48(%rsp),%rbp + add %r11,%rsp + mov %rdi,%rax + mov %rsi,%rdx + ret +ENDPROC(curve25519_sandy2x_fe51_mul) 
+ +.align 32 +ENTRY(curve25519_sandy2x_fe51_nsquare) + mov %rsp,%r11 + and $31,%r11 + add $64,%r11 + sub %r11,%rsp + movq %r11,0(%rsp) + movq %r12,8(%rsp) + movq %r13,16(%rsp) + movq %r14,24(%rsp) + movq %r15,32(%rsp) + movq %rbx,40(%rsp) + movq %rbp,48(%rsp) + movq 0(%rsi),%rcx + movq 8(%rsi),%r8 + movq 16(%rsi),%r9 + movq 24(%rsi),%rax + movq 32(%rsi),%rsi + movq %r9,16(%rdi) + movq %rax,24(%rdi) + movq %rsi,32(%rdi) + mov %rdx,%rsi + + .align 16 + ._loop: + sub $1,%rsi + mov %rcx,%rax + mul %rcx + add %rcx,%rcx + mov %rax,%r9 + mov %rdx,%r10 + mov %rcx,%rax + mul %r8 + mov %rax,%r11 + mov %rdx,%r12 + mov %rcx,%rax + mulq 16(%rdi) + mov %rax,%r13 + mov %rdx,%r14 + mov %rcx,%rax + mulq 24(%rdi) + mov %rax,%r15 + mov %rdx,%rbx + mov %rcx,%rax + mulq 32(%rdi) + mov %rax,%rcx + mov %rdx,%rbp + mov %r8,%rax + mul %r8 + add %r8,%r8 + add %rax,%r13 + adc %rdx,%r14 + mov %r8,%rax + mulq 16(%rdi) + add %rax,%r15 + adc %rdx,%rbx + mov %r8,%rax + imulq $19, %r8,%r8 + mulq 24(%rdi) + add %rax,%rcx + adc %rdx,%rbp + mov %r8,%rax + mulq 32(%rdi) + add %rax,%r9 + adc %rdx,%r10 + movq 16(%rdi),%rax + mulq 16(%rdi) + add %rax,%rcx + adc %rdx,%rbp + shld $13,%rcx,%rbp + movq 16(%rdi),%rax + imulq $38, %rax,%rax + mulq 24(%rdi) + add %rax,%r9 + adc %rdx,%r10 + shld $13,%r9,%r10 + movq 16(%rdi),%rax + imulq $38, %rax,%rax + mulq 32(%rdi) + add %rax,%r11 + adc %rdx,%r12 + movq 24(%rdi),%rax + imulq $19, %rax,%rax + mulq 24(%rdi) + add %rax,%r11 + adc %rdx,%r12 + shld $13,%r11,%r12 + movq 24(%rdi),%rax + imulq $38, %rax,%rax + mulq 32(%rdi) + add %rax,%r13 + adc %rdx,%r14 + shld $13,%r13,%r14 + movq 32(%rdi),%rax + imulq $19, %rax,%rax + mulq 32(%rdi) + add %rax,%r15 + adc %rdx,%rbx + shld $13,%r15,%rbx + movq curve25519_sandy2x_REDMASK51(%rip),%rdx + and %rdx,%rcx + add %rbx,%rcx + and %rdx,%r9 + and %rdx,%r11 + add %r10,%r11 + and %rdx,%r13 + add %r12,%r13 + and %rdx,%r15 + add %r14,%r15 + imulq $19, %rbp,%rbp + lea (%r9,%rbp),%r9 + mov %r9,%rax + shr $51,%r9 + add %r11,%r9 + and 
%rdx,%rax + mov %r9,%r8 + shr $51,%r9 + add %r13,%r9 + and %rdx,%r8 + mov %r9,%r10 + shr $51,%r9 + add %r15,%r9 + and %rdx,%r10 + movq %r10,16(%rdi) + mov %r9,%r10 + shr $51,%r9 + add %rcx,%r9 + and %rdx,%r10 + movq %r10,24(%rdi) + mov %r9,%r10 + shr $51,%r9 + imulq $19, %r9,%r9 + lea (%rax,%r9),%rcx + and %rdx,%r10 + movq %r10,32(%rdi) + cmp $0,%rsi + jne ._loop + + movq %rcx,0(%rdi) + movq %r8,8(%rdi) + movq 0(%rsp),%r11 + movq 8(%rsp),%r12 + movq 16(%rsp),%r13 + movq 24(%rsp),%r14 + movq 32(%rsp),%r15 + movq 40(%rsp),%rbx + movq 48(%rsp),%rbp + add %r11,%rsp + ret +ENDPROC(curve25519_sandy2x_fe51_nsquare) + +.align 32 +ENTRY(curve25519_sandy2x_fe51_pack) + mov %rsp,%r11 + and $31,%r11 + add $32,%r11 + sub %r11,%rsp + movq %r11,0(%rsp) + movq %r12,8(%rsp) + movq 0(%rsi),%rdx + movq 8(%rsi),%rcx + movq 16(%rsi),%r8 + movq 24(%rsi),%r9 + movq 32(%rsi),%rsi + movq curve25519_sandy2x_REDMASK51(%rip),%rax + lea -18(%rax),%r10 + mov $3,%r11 + + .align 16 + ._reduceloop: + mov %rdx,%r12 + shr $51,%r12 + and %rax,%rdx + add %r12,%rcx + mov %rcx,%r12 + shr $51,%r12 + and %rax,%rcx + add %r12,%r8 + mov %r8,%r12 + shr $51,%r12 + and %rax,%r8 + add %r12,%r9 + mov %r9,%r12 + shr $51,%r12 + and %rax,%r9 + add %r12,%rsi + mov %rsi,%r12 + shr $51,%r12 + and %rax,%rsi + imulq $19, %r12,%r12 + add %r12,%rdx + sub $1,%r11 + ja ._reduceloop + + mov $1,%r12 + cmp %r10,%rdx + cmovl %r11,%r12 + cmp %rax,%rcx + cmovne %r11,%r12 + cmp %rax,%r8 + cmovne %r11,%r12 + cmp %rax,%r9 + cmovne %r11,%r12 + cmp %rax,%rsi + cmovne %r11,%r12 + neg %r12 + and %r12,%rax + and %r12,%r10 + sub %r10,%rdx + sub %rax,%rcx + sub %rax,%r8 + sub %rax,%r9 + sub %rax,%rsi + mov %rdx,%rax + and $0xFF,%eax + movb %al,0(%rdi) + mov %rdx,%rax + shr $8,%rax + and $0xFF,%eax + movb %al,1(%rdi) + mov %rdx,%rax + shr $16,%rax + and $0xFF,%eax + movb %al,2(%rdi) + mov %rdx,%rax + shr $24,%rax + and $0xFF,%eax + movb %al,3(%rdi) + mov %rdx,%rax + shr $32,%rax + and $0xFF,%eax + movb %al,4(%rdi) + mov %rdx,%rax + shr 
$40,%rax + and $0xFF,%eax + movb %al,5(%rdi) + mov %rdx,%rdx + shr $48,%rdx + mov %rcx,%rax + shl $3,%rax + and $0xF8,%eax + xor %rdx,%rax + movb %al,6(%rdi) + mov %rcx,%rdx + shr $5,%rdx + and $0xFF,%edx + movb %dl,7(%rdi) + mov %rcx,%rdx + shr $13,%rdx + and $0xFF,%edx + movb %dl,8(%rdi) + mov %rcx,%rdx + shr $21,%rdx + and $0xFF,%edx + movb %dl,9(%rdi) + mov %rcx,%rdx + shr $29,%rdx + and $0xFF,%edx + movb %dl,10(%rdi) + mov %rcx,%rdx + shr $37,%rdx + and $0xFF,%edx + movb %dl,11(%rdi) + mov %rcx,%rdx + shr $45,%rdx + mov %r8,%rcx + shl $6,%rcx + and $0xC0,%ecx + xor %rdx,%rcx + movb %cl,12(%rdi) + mov %r8,%rdx + shr $2,%rdx + and $0xFF,%edx + movb %dl,13(%rdi) + mov %r8,%rdx + shr $10,%rdx + and $0xFF,%edx + movb %dl,14(%rdi) + mov %r8,%rdx + shr $18,%rdx + and $0xFF,%edx + movb %dl,15(%rdi) + mov %r8,%rdx + shr $26,%rdx + and $0xFF,%edx + movb %dl,16(%rdi) + mov %r8,%rdx + shr $34,%rdx + and $0xFF,%edx + movb %dl,17(%rdi) + mov %r8,%rdx + shr $42,%rdx + movb %dl,18(%rdi) + mov %r8,%rdx + shr $50,%rdx + mov %r9,%rcx + shl $1,%rcx + and $0xFE,%ecx + xor %rdx,%rcx + movb %cl,19(%rdi) + mov %r9,%rdx + shr $7,%rdx + and $0xFF,%edx + movb %dl,20(%rdi) + mov %r9,%rdx + shr $15,%rdx + and $0xFF,%edx + movb %dl,21(%rdi) + mov %r9,%rdx + shr $23,%rdx + and $0xFF,%edx + movb %dl,22(%rdi) + mov %r9,%rdx + shr $31,%rdx + and $0xFF,%edx + movb %dl,23(%rdi) + mov %r9,%rdx + shr $39,%rdx + and $0xFF,%edx + movb %dl,24(%rdi) + mov %r9,%rdx + shr $47,%rdx + mov %rsi,%rcx + shl $4,%rcx + and $0xF0,%ecx + xor %rdx,%rcx + movb %cl,25(%rdi) + mov %rsi,%rdx + shr $4,%rdx + and $0xFF,%edx + movb %dl,26(%rdi) + mov %rsi,%rdx + shr $12,%rdx + and $0xFF,%edx + movb %dl,27(%rdi) + mov %rsi,%rdx + shr $20,%rdx + and $0xFF,%edx + movb %dl,28(%rdi) + mov %rsi,%rdx + shr $28,%rdx + and $0xFF,%edx + movb %dl,29(%rdi) + mov %rsi,%rdx + shr $36,%rdx + and $0xFF,%edx + movb %dl,30(%rdi) + mov %rsi,%rsi + shr $44,%rsi + movb %sil,31(%rdi) + movq 0(%rsp),%r11 + movq 8(%rsp),%r12 + add %r11,%rsp + 
ret +ENDPROC(curve25519_sandy2x_fe51_pack) + +.align 32 +ENTRY(curve25519_sandy2x_ladder) + mov %rsp,%r11 + and $31,%r11 + add $1856,%r11 + sub %r11,%rsp + movq %r11,1824(%rsp) + movq %r12,1832(%rsp) + movq %r13,1840(%rsp) + movq %r14,1848(%rsp) + vmovdqa curve25519_sandy2x_v0_0(%rip),%xmm0 + vmovdqa curve25519_sandy2x_v1_0(%rip),%xmm1 + vmovdqu 0(%rdi),%xmm2 + vmovdqa %xmm2,0(%rsp) + vmovdqu 16(%rdi),%xmm2 + vmovdqa %xmm2,16(%rsp) + vmovdqu 32(%rdi),%xmm2 + vmovdqa %xmm2,32(%rsp) + vmovdqu 48(%rdi),%xmm2 + vmovdqa %xmm2,48(%rsp) + vmovdqu 64(%rdi),%xmm2 + vmovdqa %xmm2,64(%rsp) + vmovdqa %xmm1,80(%rsp) + vmovdqa %xmm0,96(%rsp) + vmovdqa %xmm0,112(%rsp) + vmovdqa %xmm0,128(%rsp) + vmovdqa %xmm0,144(%rsp) + vmovdqa %xmm1,%xmm0 + vpxor %xmm1,%xmm1,%xmm1 + vpxor %xmm2,%xmm2,%xmm2 + vpxor %xmm3,%xmm3,%xmm3 + vpxor %xmm4,%xmm4,%xmm4 + vpxor %xmm5,%xmm5,%xmm5 + vpxor %xmm6,%xmm6,%xmm6 + vpxor %xmm7,%xmm7,%xmm7 + vpxor %xmm8,%xmm8,%xmm8 + vpxor %xmm9,%xmm9,%xmm9 + vmovdqu 0(%rdi),%xmm10 + vmovdqa %xmm10,160(%rsp) + vmovdqu 16(%rdi),%xmm10 + vmovdqa %xmm10,176(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,192(%rsp) + vmovdqu 32(%rdi),%xmm10 + vmovdqa %xmm10,208(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,224(%rsp) + vmovdqu 48(%rdi),%xmm10 + vmovdqa %xmm10,240(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,256(%rsp) + vmovdqu 64(%rdi),%xmm10 + vmovdqa %xmm10,272(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,288(%rsp) + vmovdqu 8(%rdi),%xmm10 + vpmuludq curve25519_sandy2x_v2_1(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,304(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,320(%rsp) + vmovdqu 24(%rdi),%xmm10 + vpmuludq curve25519_sandy2x_v2_1(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,336(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,352(%rsp) + vmovdqu 40(%rdi),%xmm10 + vpmuludq 
curve25519_sandy2x_v2_1(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,368(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,384(%rsp) + vmovdqu 56(%rdi),%xmm10 + vpmuludq curve25519_sandy2x_v2_1(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,400(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,416(%rsp) + vmovdqu 0(%rdi),%xmm10 + vmovdqu 64(%rdi),%xmm11 + vblendps $12, %xmm11, %xmm10, %xmm10 + vpshufd $2,%xmm10,%xmm10 + vpmuludq curve25519_sandy2x_v38_1(%rip),%xmm10,%xmm10 + vmovdqa %xmm10,432(%rsp) + movq 0(%rsi),%rdx + movq 8(%rsi),%rcx + movq 16(%rsi),%r8 + movq 24(%rsi),%r9 + shrd $1,%rcx,%rdx + shrd $1,%r8,%rcx + shrd $1,%r9,%r8 + shr $1,%r9 + xorq 0(%rsi),%rdx + xorq 8(%rsi),%rcx + xorq 16(%rsi),%r8 + xorq 24(%rsi),%r9 + leaq 800(%rsp),%rsi + mov $64,%rax + + .align 16 + ._ladder_small_loop: + mov %rdx,%r10 + mov %rcx,%r11 + mov %r8,%r12 + mov %r9,%r13 + shr $1,%rdx + shr $1,%rcx + shr $1,%r8 + shr $1,%r9 + and $1,%r10d + and $1,%r11d + and $1,%r12d + and $1,%r13d + neg %r10 + neg %r11 + neg %r12 + neg %r13 + movl %r10d,0(%rsi) + movl %r11d,256(%rsi) + movl %r12d,512(%rsi) + movl %r13d,768(%rsi) + add $4,%rsi + sub $1,%rax + jne ._ladder_small_loop + mov $255,%rdx + add $760,%rsi + + .align 16 + ._ladder_loop: + sub $1,%rdx + vbroadcastss 0(%rsi),%xmm10 + sub $4,%rsi + vmovdqa 0(%rsp),%xmm11 + vmovdqa 80(%rsp),%xmm12 + vpxor %xmm11,%xmm0,%xmm13 + vpand %xmm10,%xmm13,%xmm13 + vpxor %xmm13,%xmm0,%xmm0 + vpxor %xmm13,%xmm11,%xmm11 + vpxor %xmm12,%xmm1,%xmm13 + vpand %xmm10,%xmm13,%xmm13 + vpxor %xmm13,%xmm1,%xmm1 + vpxor %xmm13,%xmm12,%xmm12 + vmovdqa 16(%rsp),%xmm13 + vmovdqa 96(%rsp),%xmm14 + vpxor %xmm13,%xmm2,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm2,%xmm2 + vpxor %xmm15,%xmm13,%xmm13 + vpxor %xmm14,%xmm3,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm3,%xmm3 + vpxor %xmm15,%xmm14,%xmm14 + vmovdqa %xmm13,0(%rsp) + vmovdqa %xmm14,16(%rsp) + vmovdqa 32(%rsp),%xmm13 + vmovdqa 112(%rsp),%xmm14 + 
vpxor %xmm13,%xmm4,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm4,%xmm4 + vpxor %xmm15,%xmm13,%xmm13 + vpxor %xmm14,%xmm5,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm5,%xmm5 + vpxor %xmm15,%xmm14,%xmm14 + vmovdqa %xmm13,32(%rsp) + vmovdqa %xmm14,80(%rsp) + vmovdqa 48(%rsp),%xmm13 + vmovdqa 128(%rsp),%xmm14 + vpxor %xmm13,%xmm6,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm6,%xmm6 + vpxor %xmm15,%xmm13,%xmm13 + vpxor %xmm14,%xmm7,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm7,%xmm7 + vpxor %xmm15,%xmm14,%xmm14 + vmovdqa %xmm13,48(%rsp) + vmovdqa %xmm14,96(%rsp) + vmovdqa 64(%rsp),%xmm13 + vmovdqa 144(%rsp),%xmm14 + vpxor %xmm13,%xmm8,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm8,%xmm8 + vpxor %xmm15,%xmm13,%xmm13 + vpxor %xmm14,%xmm9,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm9,%xmm9 + vpxor %xmm15,%xmm14,%xmm14 + vmovdqa %xmm13,64(%rsp) + vmovdqa %xmm14,112(%rsp) + vpaddq curve25519_sandy2x_subc0(%rip),%xmm11,%xmm10 + vpsubq %xmm12,%xmm10,%xmm10 + vpaddq %xmm12,%xmm11,%xmm11 + vpunpckhqdq %xmm10,%xmm11,%xmm12 + vpunpcklqdq %xmm10,%xmm11,%xmm10 + vpaddq %xmm1,%xmm0,%xmm11 + vpaddq curve25519_sandy2x_subc0(%rip),%xmm0,%xmm0 + vpsubq %xmm1,%xmm0,%xmm0 + vpunpckhqdq %xmm11,%xmm0,%xmm1 + vpunpcklqdq %xmm11,%xmm0,%xmm0 + vpmuludq %xmm0,%xmm10,%xmm11 + vpmuludq %xmm1,%xmm10,%xmm13 + vmovdqa %xmm1,128(%rsp) + vpaddq %xmm1,%xmm1,%xmm1 + vpmuludq %xmm0,%xmm12,%xmm14 + vmovdqa %xmm0,144(%rsp) + vpaddq %xmm14,%xmm13,%xmm13 + vpmuludq %xmm1,%xmm12,%xmm0 + vmovdqa %xmm1,448(%rsp) + vpaddq %xmm3,%xmm2,%xmm1 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm2,%xmm2 + vpsubq %xmm3,%xmm2,%xmm2 + vpunpckhqdq %xmm1,%xmm2,%xmm3 + vpunpcklqdq %xmm1,%xmm2,%xmm1 + vpmuludq %xmm1,%xmm10,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vpmuludq %xmm3,%xmm10,%xmm2 + vmovdqa %xmm3,464(%rsp) + vpaddq %xmm3,%xmm3,%xmm3 + vpmuludq %xmm1,%xmm12,%xmm14 + vmovdqa %xmm1,480(%rsp) + vpaddq %xmm14,%xmm2,%xmm2 + vpmuludq %xmm3,%xmm12,%xmm1 + vmovdqa 
%xmm3,496(%rsp) + vpaddq %xmm5,%xmm4,%xmm3 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm4,%xmm4 + vpsubq %xmm5,%xmm4,%xmm4 + vpunpckhqdq %xmm3,%xmm4,%xmm5 + vpunpcklqdq %xmm3,%xmm4,%xmm3 + vpmuludq %xmm3,%xmm10,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vpmuludq %xmm5,%xmm10,%xmm4 + vmovdqa %xmm5,512(%rsp) + vpaddq %xmm5,%xmm5,%xmm5 + vpmuludq %xmm3,%xmm12,%xmm14 + vmovdqa %xmm3,528(%rsp) + vpaddq %xmm14,%xmm4,%xmm4 + vpaddq %xmm7,%xmm6,%xmm3 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm6,%xmm6 + vpsubq %xmm7,%xmm6,%xmm6 + vpunpckhqdq %xmm3,%xmm6,%xmm7 + vpunpcklqdq %xmm3,%xmm6,%xmm3 + vpmuludq %xmm3,%xmm10,%xmm6 + vpmuludq %xmm5,%xmm12,%xmm14 + vmovdqa %xmm5,544(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm5,%xmm5 + vmovdqa %xmm5,560(%rsp) + vpaddq %xmm14,%xmm6,%xmm6 + vpmuludq %xmm7,%xmm10,%xmm5 + vmovdqa %xmm7,576(%rsp) + vpaddq %xmm7,%xmm7,%xmm7 + vpmuludq %xmm3,%xmm12,%xmm14 + vmovdqa %xmm3,592(%rsp) + vpaddq %xmm14,%xmm5,%xmm5 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vmovdqa %xmm3,608(%rsp) + vpaddq %xmm9,%xmm8,%xmm3 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm8,%xmm8 + vpsubq %xmm9,%xmm8,%xmm8 + vpunpckhqdq %xmm3,%xmm8,%xmm9 + vpunpcklqdq %xmm3,%xmm8,%xmm3 + vmovdqa %xmm3,624(%rsp) + vpmuludq %xmm7,%xmm12,%xmm8 + vmovdqa %xmm7,640(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm7,%xmm7 + vmovdqa %xmm7,656(%rsp) + vpmuludq %xmm3,%xmm10,%xmm7 + vpaddq %xmm7,%xmm8,%xmm8 + vpmuludq %xmm9,%xmm10,%xmm7 + vmovdqa %xmm9,672(%rsp) + vpaddq %xmm9,%xmm9,%xmm9 + vpmuludq %xmm3,%xmm12,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vmovdqa %xmm3,688(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm12,%xmm12 + vpmuludq %xmm9,%xmm12,%xmm3 + vmovdqa %xmm9,704(%rsp) + vpaddq %xmm3,%xmm11,%xmm11 + vmovdqa 0(%rsp),%xmm3 + vmovdqa 16(%rsp),%xmm9 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm3,%xmm10 + vpsubq %xmm9,%xmm10,%xmm10 + vpaddq %xmm9,%xmm3,%xmm3 + vpunpckhqdq %xmm10,%xmm3,%xmm9 + vpunpcklqdq 
%xmm10,%xmm3,%xmm3 + vpmuludq 144(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm0,%xmm0 + vpmuludq 128(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm2,%xmm2 + vpmuludq 480(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpmuludq 464(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm4,%xmm4 + vpmuludq 528(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm6,%xmm6 + vpmuludq 512(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm5,%xmm5 + vpmuludq 592(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpmuludq 576(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vpmuludq 624(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm11,%xmm11 + vpmuludq 672(%rsp),%xmm3,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 144(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpmuludq 448(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm1,%xmm1 + vpmuludq 480(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 496(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 528(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 544(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm8,%xmm8 + vpmuludq 592(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm9,%xmm9 + vpmuludq 640(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 624(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 704(%rsp),%xmm9,%xmm9 + vpaddq %xmm9,%xmm0,%xmm0 + vmovdqa 32(%rsp),%xmm3 + vmovdqa 80(%rsp),%xmm9 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm3,%xmm10 + vpsubq %xmm9,%xmm10,%xmm10 + vpaddq %xmm9,%xmm3,%xmm3 + vpunpckhqdq %xmm10,%xmm3,%xmm9 + vpunpcklqdq %xmm10,%xmm3,%xmm3 + vpmuludq 144(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpmuludq 128(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm4,%xmm4 + vpmuludq 480(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm6,%xmm6 + vpmuludq 464(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm5,%xmm5 + vpmuludq 528(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpmuludq 512(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpmuludq 
curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vpmuludq 592(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm11,%xmm11 + vpmuludq 576(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm13,%xmm13 + vpmuludq 624(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm0,%xmm0 + vpmuludq 672(%rsp),%xmm3,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpmuludq 144(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 448(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 480(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 496(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm8,%xmm8 + vpmuludq 528(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm9,%xmm9 + vpmuludq 544(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 592(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 640(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm0,%xmm0 + vpmuludq 624(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpmuludq 704(%rsp),%xmm9,%xmm9 + vpaddq %xmm9,%xmm1,%xmm1 + vmovdqa 48(%rsp),%xmm3 + vmovdqa 96(%rsp),%xmm9 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm3,%xmm10 + vpsubq %xmm9,%xmm10,%xmm10 + vpaddq %xmm9,%xmm3,%xmm3 + vpunpckhqdq %xmm10,%xmm3,%xmm9 + vpunpcklqdq %xmm10,%xmm3,%xmm3 + vpmuludq 144(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm6,%xmm6 + vpmuludq 128(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm5,%xmm5 + vpmuludq 480(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpmuludq 464(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vpmuludq 528(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm11,%xmm11 + vpmuludq 512(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm13,%xmm13 + vpmuludq 592(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm0,%xmm0 + vpmuludq 576(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm2,%xmm2 + vpmuludq 624(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpmuludq 672(%rsp),%xmm3,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 144(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 448(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm8,%xmm8 + vpmuludq 
480(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm9,%xmm9 + vpmuludq 496(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 528(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 544(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm0,%xmm0 + vpmuludq 592(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpmuludq 640(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm1,%xmm1 + vpmuludq 624(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 704(%rsp),%xmm9,%xmm9 + vpaddq %xmm9,%xmm6,%xmm6 + vmovdqa 64(%rsp),%xmm3 + vmovdqa 112(%rsp),%xmm9 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm3,%xmm10 + vpsubq %xmm9,%xmm10,%xmm10 + vpaddq %xmm9,%xmm3,%xmm3 + vpunpckhqdq %xmm10,%xmm3,%xmm9 + vpunpcklqdq %xmm10,%xmm3,%xmm3 + vpmuludq 144(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpmuludq 128(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vpmuludq 480(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm11,%xmm11 + vpmuludq 464(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm13,%xmm13 + vpmuludq 528(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm0,%xmm0 + vpmuludq 512(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm2,%xmm2 + vpmuludq 592(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpmuludq 576(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm4,%xmm4 + vpmuludq 624(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm6,%xmm6 + vpmuludq 672(%rsp),%xmm3,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 144(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm9,%xmm9 + vpmuludq 448(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 480(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 496(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm0,%xmm0 + vpmuludq 528(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpmuludq 544(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm1,%xmm1 + vpmuludq 592(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 640(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 
624(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 704(%rsp),%xmm9,%xmm9 + vpaddq %xmm9,%xmm8,%xmm8 + vpsrlq $25,%xmm4,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpand curve25519_sandy2x_m25(%rip),%xmm4,%xmm4 + vpsrlq $26,%xmm11,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpand curve25519_sandy2x_m26(%rip),%xmm11,%xmm11 + vpsrlq $26,%xmm6,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpand curve25519_sandy2x_m26(%rip),%xmm6,%xmm6 + vpsrlq $25,%xmm13,%xmm3 + vpaddq %xmm3,%xmm0,%xmm0 + vpand curve25519_sandy2x_m25(%rip),%xmm13,%xmm13 + vpsrlq $25,%xmm5,%xmm3 + vpaddq %xmm3,%xmm8,%xmm8 + vpand curve25519_sandy2x_m25(%rip),%xmm5,%xmm5 + vpsrlq $26,%xmm0,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpand curve25519_sandy2x_m26(%rip),%xmm0,%xmm0 + vpsrlq $26,%xmm8,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpand curve25519_sandy2x_m26(%rip),%xmm8,%xmm8 + vpsrlq $25,%xmm2,%xmm3 + vpaddq %xmm3,%xmm1,%xmm1 + vpand curve25519_sandy2x_m25(%rip),%xmm2,%xmm2 + vpsrlq $25,%xmm7,%xmm3 + vpsllq $4,%xmm3,%xmm9 + vpaddq %xmm3,%xmm11,%xmm11 + vpsllq $1,%xmm3,%xmm3 + vpaddq %xmm3,%xmm9,%xmm9 + vpaddq %xmm9,%xmm11,%xmm11 + vpand curve25519_sandy2x_m25(%rip),%xmm7,%xmm7 + vpsrlq $26,%xmm1,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpand curve25519_sandy2x_m26(%rip),%xmm1,%xmm1 + vpsrlq $26,%xmm11,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpand curve25519_sandy2x_m26(%rip),%xmm11,%xmm11 + vpsrlq $25,%xmm4,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpand curve25519_sandy2x_m25(%rip),%xmm4,%xmm4 + vpunpcklqdq %xmm13,%xmm11,%xmm3 + vpunpckhqdq %xmm13,%xmm11,%xmm9 + vpaddq curve25519_sandy2x_subc0(%rip),%xmm9,%xmm10 + vpsubq %xmm3,%xmm10,%xmm10 + vpaddq %xmm9,%xmm3,%xmm3 + vpunpckhqdq %xmm3,%xmm10,%xmm9 + vpunpcklqdq %xmm3,%xmm10,%xmm10 + vpmuludq %xmm10,%xmm10,%xmm3 + vpaddq %xmm10,%xmm10,%xmm10 + vpmuludq %xmm9,%xmm10,%xmm11 + vpunpcklqdq %xmm2,%xmm0,%xmm12 + vpunpckhqdq %xmm2,%xmm0,%xmm0 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm0,%xmm2 + vpsubq %xmm12,%xmm2,%xmm2 + vpaddq %xmm0,%xmm12,%xmm12 + vpunpckhqdq %xmm12,%xmm2,%xmm0 + vpunpcklqdq 
%xmm12,%xmm2,%xmm2 + vpmuludq %xmm2,%xmm10,%xmm12 + vpaddq %xmm9,%xmm9,%xmm13 + vpmuludq %xmm13,%xmm9,%xmm9 + vpaddq %xmm9,%xmm12,%xmm12 + vpmuludq %xmm0,%xmm10,%xmm9 + vpmuludq %xmm2,%xmm13,%xmm14 + vpaddq %xmm14,%xmm9,%xmm9 + vpunpcklqdq %xmm4,%xmm1,%xmm14 + vpunpckhqdq %xmm4,%xmm1,%xmm1 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm1,%xmm4 + vpsubq %xmm14,%xmm4,%xmm4 + vpaddq %xmm1,%xmm14,%xmm14 + vpunpckhqdq %xmm14,%xmm4,%xmm1 + vpunpcklqdq %xmm14,%xmm4,%xmm4 + vmovdqa %xmm1,0(%rsp) + vpaddq %xmm1,%xmm1,%xmm1 + vmovdqa %xmm1,16(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm1,%xmm1 + vmovdqa %xmm1,32(%rsp) + vpmuludq %xmm4,%xmm10,%xmm1 + vpmuludq %xmm2,%xmm2,%xmm14 + vpaddq %xmm14,%xmm1,%xmm1 + vpmuludq 0(%rsp),%xmm10,%xmm14 + vpmuludq %xmm4,%xmm13,%xmm15 + vpaddq %xmm15,%xmm14,%xmm14 + vpunpcklqdq %xmm5,%xmm6,%xmm15 + vpunpckhqdq %xmm5,%xmm6,%xmm5 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm5,%xmm6 + vpsubq %xmm15,%xmm6,%xmm6 + vpaddq %xmm5,%xmm15,%xmm15 + vpunpckhqdq %xmm15,%xmm6,%xmm5 + vpunpcklqdq %xmm15,%xmm6,%xmm6 + vmovdqa %xmm6,48(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm6,%xmm6 + vmovdqa %xmm6,64(%rsp) + vmovdqa %xmm5,80(%rsp) + vpmuludq curve25519_sandy2x_v38_38(%rip),%xmm5,%xmm5 + vmovdqa %xmm5,96(%rsp) + vpmuludq 48(%rsp),%xmm10,%xmm5 + vpaddq %xmm0,%xmm0,%xmm6 + vpmuludq %xmm6,%xmm0,%xmm0 + vpaddq %xmm0,%xmm5,%xmm5 + vpmuludq 80(%rsp),%xmm10,%xmm0 + vpmuludq %xmm4,%xmm6,%xmm15 + vpaddq %xmm15,%xmm0,%xmm0 + vpmuludq %xmm6,%xmm13,%xmm15 + vpaddq %xmm15,%xmm1,%xmm1 + vpmuludq %xmm6,%xmm2,%xmm15 + vpaddq %xmm15,%xmm14,%xmm14 + vpunpcklqdq %xmm7,%xmm8,%xmm15 + vpunpckhqdq %xmm7,%xmm8,%xmm7 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm7,%xmm8 + vpsubq %xmm15,%xmm8,%xmm8 + vpaddq %xmm7,%xmm15,%xmm15 + vpunpckhqdq %xmm15,%xmm8,%xmm7 + vpunpcklqdq %xmm15,%xmm8,%xmm8 + vmovdqa %xmm8,112(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm8,%xmm8 + vmovdqa %xmm8,448(%rsp) + vpmuludq 112(%rsp),%xmm10,%xmm8 + vpmuludq %xmm7,%xmm10,%xmm10 + 
vpmuludq curve25519_sandy2x_v38_38(%rip),%xmm7,%xmm15 + vpmuludq %xmm15,%xmm7,%xmm7 + vpaddq %xmm7,%xmm8,%xmm8 + vpmuludq %xmm15,%xmm13,%xmm7 + vpaddq %xmm7,%xmm3,%xmm3 + vpmuludq %xmm15,%xmm2,%xmm7 + vpaddq %xmm7,%xmm11,%xmm11 + vpmuludq 80(%rsp),%xmm13,%xmm7 + vpaddq %xmm7,%xmm7,%xmm7 + vpaddq %xmm7,%xmm8,%xmm8 + vpmuludq 16(%rsp),%xmm13,%xmm7 + vpaddq %xmm7,%xmm5,%xmm5 + vpmuludq 48(%rsp),%xmm13,%xmm7 + vpaddq %xmm7,%xmm0,%xmm0 + vpmuludq 112(%rsp),%xmm13,%xmm7 + vpaddq %xmm7,%xmm10,%xmm10 + vpmuludq %xmm15,%xmm6,%xmm7 + vpaddq %xmm7,%xmm12,%xmm12 + vpmuludq %xmm15,%xmm4,%xmm7 + vpaddq %xmm7,%xmm9,%xmm9 + vpaddq %xmm2,%xmm2,%xmm2 + vpmuludq %xmm4,%xmm2,%xmm7 + vpaddq %xmm7,%xmm5,%xmm5 + vpmuludq 448(%rsp),%xmm2,%xmm7 + vpaddq %xmm7,%xmm3,%xmm3 + vpmuludq 448(%rsp),%xmm6,%xmm7 + vpaddq %xmm7,%xmm11,%xmm11 + vpmuludq 0(%rsp),%xmm2,%xmm7 + vpaddq %xmm7,%xmm0,%xmm0 + vpmuludq 48(%rsp),%xmm2,%xmm7 + vpaddq %xmm7,%xmm8,%xmm8 + vpmuludq 80(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 96(%rsp),%xmm4,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpmuludq %xmm4,%xmm4,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpaddq %xmm4,%xmm4,%xmm2 + vpmuludq 448(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm12,%xmm12 + vpmuludq 16(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vpmuludq 48(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm14,%xmm14 + vpmuludq 96(%rsp),%xmm6,%xmm4 + vpaddq %xmm4,%xmm3,%xmm3 + vmovdqa 16(%rsp),%xmm4 + vpmuludq 448(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm9,%xmm9 + vpmuludq 16(%rsp),%xmm6,%xmm4 + vpaddq %xmm4,%xmm8,%xmm8 + vpmuludq 48(%rsp),%xmm6,%xmm4 + vpaddq %xmm4,%xmm10,%xmm10 + vpmuludq 80(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm4,%xmm4 + vpaddq %xmm4,%xmm5,%xmm5 + vpmuludq 112(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm0,%xmm0 + vmovdqa 48(%rsp),%xmm4 + vpaddq %xmm4,%xmm4,%xmm4 + vpmuludq 448(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vmovdqa 80(%rsp),%xmm4 + vpaddq %xmm4,%xmm4,%xmm4 + vpmuludq 448(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm14,%xmm14 + vpmuludq 64(%rsp),%xmm2,%xmm4 + 
vpaddq %xmm4,%xmm3,%xmm3 + vmovdqa 16(%rsp),%xmm4 + vpmuludq 64(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm11,%xmm11 + vmovdqa 16(%rsp),%xmm4 + vpmuludq 96(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm12,%xmm12 + vmovdqa 48(%rsp),%xmm4 + vpmuludq 96(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm9,%xmm9 + vpmuludq 0(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vmovdqa 32(%rsp),%xmm2 + vpmuludq 0(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm3,%xmm3 + vmovdqa 64(%rsp),%xmm2 + vpmuludq 48(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vmovdqa 96(%rsp),%xmm2 + vpmuludq 80(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm1,%xmm1 + vmovdqa 448(%rsp),%xmm2 + vpmuludq 112(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpsrlq $26,%xmm3,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpand curve25519_sandy2x_m26(%rip),%xmm3,%xmm3 + vpsrlq $25,%xmm14,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpand curve25519_sandy2x_m25(%rip),%xmm14,%xmm14 + vpsrlq $25,%xmm11,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpand curve25519_sandy2x_m25(%rip),%xmm11,%xmm11 + vpsrlq $26,%xmm5,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vpand curve25519_sandy2x_m26(%rip),%xmm5,%xmm5 + vpsrlq $26,%xmm12,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpand curve25519_sandy2x_m26(%rip),%xmm12,%xmm12 + vpsrlq $25,%xmm0,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpand curve25519_sandy2x_m25(%rip),%xmm0,%xmm0 + vpsrlq $25,%xmm9,%xmm2 + vpaddq %xmm2,%xmm1,%xmm1 + vpand curve25519_sandy2x_m25(%rip),%xmm9,%xmm9 + vpsrlq $26,%xmm8,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpand curve25519_sandy2x_m26(%rip),%xmm8,%xmm8 + vpsrlq $26,%xmm1,%xmm2 + vpaddq %xmm2,%xmm14,%xmm14 + vpand curve25519_sandy2x_m26(%rip),%xmm1,%xmm1 + vpsrlq $25,%xmm10,%xmm2 + vpsllq $4,%xmm2,%xmm4 + vpaddq %xmm2,%xmm3,%xmm3 + vpsllq $1,%xmm2,%xmm2 + vpaddq %xmm2,%xmm4,%xmm4 + vpaddq %xmm4,%xmm3,%xmm3 + vpand curve25519_sandy2x_m25(%rip),%xmm10,%xmm10 + vpsrlq $25,%xmm14,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpand curve25519_sandy2x_m25(%rip),%xmm14,%xmm14 + vpsrlq $26,%xmm3,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpand 
curve25519_sandy2x_m26(%rip),%xmm3,%xmm3 + vpunpckhqdq %xmm11,%xmm3,%xmm2 + vmovdqa %xmm2,0(%rsp) + vpshufd $0,%xmm3,%xmm2 + vpshufd $0,%xmm11,%xmm3 + vpmuludq 160(%rsp),%xmm2,%xmm4 + vpmuludq 432(%rsp),%xmm3,%xmm6 + vpaddq %xmm6,%xmm4,%xmm4 + vpmuludq 176(%rsp),%xmm2,%xmm6 + vpmuludq 304(%rsp),%xmm3,%xmm7 + vpaddq %xmm7,%xmm6,%xmm6 + vpmuludq 208(%rsp),%xmm2,%xmm7 + vpmuludq 336(%rsp),%xmm3,%xmm11 + vpaddq %xmm11,%xmm7,%xmm7 + vpmuludq 240(%rsp),%xmm2,%xmm11 + vpmuludq 368(%rsp),%xmm3,%xmm13 + vpaddq %xmm13,%xmm11,%xmm11 + vpmuludq 272(%rsp),%xmm2,%xmm2 + vpmuludq 400(%rsp),%xmm3,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpunpckhqdq %xmm9,%xmm12,%xmm3 + vmovdqa %xmm3,16(%rsp) + vpshufd $0,%xmm12,%xmm3 + vpshufd $0,%xmm9,%xmm9 + vpmuludq 288(%rsp),%xmm3,%xmm12 + vpaddq %xmm12,%xmm4,%xmm4 + vpmuludq 416(%rsp),%xmm9,%xmm12 + vpaddq %xmm12,%xmm4,%xmm4 + vpmuludq 160(%rsp),%xmm3,%xmm12 + vpaddq %xmm12,%xmm6,%xmm6 + vpmuludq 432(%rsp),%xmm9,%xmm12 + vpaddq %xmm12,%xmm6,%xmm6 + vpmuludq 176(%rsp),%xmm3,%xmm12 + vpaddq %xmm12,%xmm7,%xmm7 + vpmuludq 304(%rsp),%xmm9,%xmm12 + vpaddq %xmm12,%xmm7,%xmm7 + vpmuludq 208(%rsp),%xmm3,%xmm12 + vpaddq %xmm12,%xmm11,%xmm11 + vpmuludq 336(%rsp),%xmm9,%xmm12 + vpaddq %xmm12,%xmm11,%xmm11 + vpmuludq 240(%rsp),%xmm3,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpmuludq 368(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpunpckhqdq %xmm14,%xmm1,%xmm3 + vmovdqa %xmm3,32(%rsp) + vpshufd $0,%xmm1,%xmm1 + vpshufd $0,%xmm14,%xmm3 + vpmuludq 256(%rsp),%xmm1,%xmm9 + vpaddq %xmm9,%xmm4,%xmm4 + vpmuludq 384(%rsp),%xmm3,%xmm9 + vpaddq %xmm9,%xmm4,%xmm4 + vpmuludq 288(%rsp),%xmm1,%xmm9 + vpaddq %xmm9,%xmm6,%xmm6 + vpmuludq 416(%rsp),%xmm3,%xmm9 + vpaddq %xmm9,%xmm6,%xmm6 + vpmuludq 160(%rsp),%xmm1,%xmm9 + vpaddq %xmm9,%xmm7,%xmm7 + vpmuludq 432(%rsp),%xmm3,%xmm9 + vpaddq %xmm9,%xmm7,%xmm7 + vpmuludq 176(%rsp),%xmm1,%xmm9 + vpaddq %xmm9,%xmm11,%xmm11 + vpmuludq 304(%rsp),%xmm3,%xmm9 + vpaddq %xmm9,%xmm11,%xmm11 + vpmuludq 208(%rsp),%xmm1,%xmm1 + vpaddq 
%xmm1,%xmm2,%xmm2 + vpmuludq 336(%rsp),%xmm3,%xmm1 + vpaddq %xmm1,%xmm2,%xmm2 + vpunpckhqdq %xmm0,%xmm5,%xmm1 + vmovdqa %xmm1,48(%rsp) + vpshufd $0,%xmm5,%xmm1 + vpshufd $0,%xmm0,%xmm0 + vpmuludq 224(%rsp),%xmm1,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 352(%rsp),%xmm0,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 256(%rsp),%xmm1,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 384(%rsp),%xmm0,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 288(%rsp),%xmm1,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq 416(%rsp),%xmm0,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq 160(%rsp),%xmm1,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 432(%rsp),%xmm0,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 176(%rsp),%xmm1,%xmm1 + vpaddq %xmm1,%xmm2,%xmm2 + vpmuludq 304(%rsp),%xmm0,%xmm0 + vpaddq %xmm0,%xmm2,%xmm2 + vpunpckhqdq %xmm10,%xmm8,%xmm0 + vmovdqa %xmm0,64(%rsp) + vpshufd $0,%xmm8,%xmm0 + vpshufd $0,%xmm10,%xmm1 + vpmuludq 192(%rsp),%xmm0,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 320(%rsp),%xmm1,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 224(%rsp),%xmm0,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 352(%rsp),%xmm1,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 256(%rsp),%xmm0,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq 384(%rsp),%xmm1,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq 288(%rsp),%xmm0,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 416(%rsp),%xmm1,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 160(%rsp),%xmm0,%xmm0 + vpaddq %xmm0,%xmm2,%xmm2 + vpmuludq 432(%rsp),%xmm1,%xmm0 + vpaddq %xmm0,%xmm2,%xmm2 + vmovdqa %xmm4,80(%rsp) + vmovdqa %xmm6,96(%rsp) + vmovdqa %xmm7,112(%rsp) + vmovdqa %xmm11,448(%rsp) + vmovdqa %xmm2,496(%rsp) + vmovdqa 144(%rsp),%xmm0 + vpmuludq %xmm0,%xmm0,%xmm1 + vpaddq %xmm0,%xmm0,%xmm0 + vmovdqa 128(%rsp),%xmm2 + vpmuludq %xmm2,%xmm0,%xmm3 + vmovdqa 480(%rsp),%xmm4 + vpmuludq %xmm4,%xmm0,%xmm5 + vmovdqa 464(%rsp),%xmm6 + vpmuludq %xmm6,%xmm0,%xmm7 + vmovdqa 528(%rsp),%xmm8 + vpmuludq %xmm8,%xmm0,%xmm9 + vpmuludq 512(%rsp),%xmm0,%xmm10 + vpmuludq 
592(%rsp),%xmm0,%xmm11 + vpmuludq 576(%rsp),%xmm0,%xmm12 + vpmuludq 624(%rsp),%xmm0,%xmm13 + vmovdqa 672(%rsp),%xmm14 + vpmuludq %xmm14,%xmm0,%xmm0 + vpmuludq curve25519_sandy2x_v38_38(%rip),%xmm14,%xmm15 + vpmuludq %xmm15,%xmm14,%xmm14 + vpaddq %xmm14,%xmm13,%xmm13 + vpaddq %xmm6,%xmm6,%xmm14 + vpmuludq %xmm14,%xmm6,%xmm6 + vpaddq %xmm6,%xmm11,%xmm11 + vpaddq %xmm2,%xmm2,%xmm6 + vpmuludq %xmm6,%xmm2,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpmuludq %xmm15,%xmm6,%xmm2 + vpaddq %xmm2,%xmm1,%xmm1 + vpmuludq %xmm15,%xmm4,%xmm2 + vpaddq %xmm2,%xmm3,%xmm3 + vpmuludq 544(%rsp),%xmm6,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpmuludq 592(%rsp),%xmm6,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 640(%rsp),%xmm6,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpmuludq 624(%rsp),%xmm6,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vpmuludq %xmm4,%xmm6,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpmuludq %xmm14,%xmm6,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpmuludq %xmm8,%xmm6,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq %xmm15,%xmm14,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpmuludq %xmm15,%xmm8,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpmuludq %xmm4,%xmm4,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpmuludq %xmm14,%xmm4,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpaddq %xmm4,%xmm4,%xmm2 + vpmuludq %xmm8,%xmm2,%xmm4 + vpaddq %xmm4,%xmm11,%xmm11 + vpmuludq 688(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vpmuludq 688(%rsp),%xmm14,%xmm4 + vpaddq %xmm4,%xmm3,%xmm3 + vpmuludq 512(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm12,%xmm12 + vpmuludq 592(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm13,%xmm13 + vpmuludq 576(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vpmuludq 656(%rsp),%xmm8,%xmm2 + vpaddq %xmm2,%xmm3,%xmm3 + vpmuludq %xmm8,%xmm14,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq %xmm8,%xmm8,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpaddq %xmm8,%xmm8,%xmm2 + vpmuludq 688(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm5,%xmm5 + vpmuludq 544(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm9,%xmm9 + vpmuludq 592(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm10,%xmm10 + vpmuludq 
656(%rsp),%xmm14,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vmovdqa 544(%rsp),%xmm4 + vpmuludq 688(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm7,%xmm7 + vpmuludq 544(%rsp),%xmm14,%xmm4 + vpaddq %xmm4,%xmm13,%xmm13 + vpmuludq 592(%rsp),%xmm14,%xmm4 + vpaddq %xmm4,%xmm0,%xmm0 + vpmuludq 640(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm11,%xmm11 + vpmuludq 624(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm12,%xmm12 + vmovdqa 592(%rsp),%xmm4 + vpaddq %xmm4,%xmm4,%xmm4 + vpmuludq 688(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm9,%xmm9 + vpmuludq 608(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vmovdqa 544(%rsp),%xmm4 + vpmuludq 608(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm3,%xmm3 + vmovdqa 544(%rsp),%xmm4 + vpmuludq 656(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm5,%xmm5 + vmovdqa 592(%rsp),%xmm4 + vpmuludq 656(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm7,%xmm7 + vmovdqa 640(%rsp),%xmm4 + vpmuludq 688(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm10,%xmm10 + vpmuludq 512(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vmovdqa 560(%rsp),%xmm2 + vpmuludq 512(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm1,%xmm1 + vmovdqa 608(%rsp),%xmm2 + vpmuludq 592(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vmovdqa 656(%rsp),%xmm2 + vpmuludq 576(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vmovdqa 688(%rsp),%xmm2 + vpmuludq 624(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpsrlq $26,%xmm1,%xmm2 + vpaddq %xmm2,%xmm3,%xmm3 + vpand curve25519_sandy2x_m26(%rip),%xmm1,%xmm1 + vpsrlq $25,%xmm10,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpand curve25519_sandy2x_m25(%rip),%xmm10,%xmm10 + vpsrlq $25,%xmm3,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpand curve25519_sandy2x_m25(%rip),%xmm3,%xmm3 + vpsrlq $26,%xmm11,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpand curve25519_sandy2x_m26(%rip),%xmm11,%xmm11 + vpsrlq $26,%xmm5,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpand curve25519_sandy2x_m26(%rip),%xmm5,%xmm5 + vpsrlq $25,%xmm12,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpand curve25519_sandy2x_m25(%rip),%xmm12,%xmm12 + vpsrlq $25,%xmm7,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpand 
curve25519_sandy2x_m25(%rip),%xmm7,%xmm7 + vpsrlq $26,%xmm13,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vpand curve25519_sandy2x_m26(%rip),%xmm13,%xmm13 + vpsrlq $26,%xmm9,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpand curve25519_sandy2x_m26(%rip),%xmm9,%xmm9 + vpsrlq $25,%xmm0,%xmm2 + vpsllq $4,%xmm2,%xmm4 + vpaddq %xmm2,%xmm1,%xmm1 + vpsllq $1,%xmm2,%xmm2 + vpaddq %xmm2,%xmm4,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vpand curve25519_sandy2x_m25(%rip),%xmm0,%xmm0 + vpsrlq $25,%xmm10,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpand curve25519_sandy2x_m25(%rip),%xmm10,%xmm10 + vpsrlq $26,%xmm1,%xmm2 + vpaddq %xmm2,%xmm3,%xmm3 + vpand curve25519_sandy2x_m26(%rip),%xmm1,%xmm1 + vpunpckhqdq %xmm3,%xmm1,%xmm2 + vpunpcklqdq %xmm3,%xmm1,%xmm1 + vmovdqa %xmm1,464(%rsp) + vpaddq curve25519_sandy2x_subc0(%rip),%xmm2,%xmm3 + vpsubq %xmm1,%xmm3,%xmm3 + vpunpckhqdq %xmm3,%xmm2,%xmm1 + vpunpcklqdq %xmm3,%xmm2,%xmm2 + vmovdqa %xmm2,480(%rsp) + vmovdqa %xmm1,512(%rsp) + vpsllq $1,%xmm1,%xmm1 + vmovdqa %xmm1,528(%rsp) + vpmuludq curve25519_sandy2x_v121666_121666(%rip),%xmm3,%xmm3 + vmovdqa 80(%rsp),%xmm1 + vpunpcklqdq %xmm1,%xmm3,%xmm2 + vpunpckhqdq %xmm1,%xmm3,%xmm1 + vpunpckhqdq %xmm7,%xmm5,%xmm3 + vpunpcklqdq %xmm7,%xmm5,%xmm4 + vmovdqa %xmm4,544(%rsp) + vpaddq curve25519_sandy2x_subc2(%rip),%xmm3,%xmm5 + vpsubq %xmm4,%xmm5,%xmm5 + vpunpckhqdq %xmm5,%xmm3,%xmm4 + vpunpcklqdq %xmm5,%xmm3,%xmm3 + vmovdqa %xmm3,560(%rsp) + vmovdqa %xmm4,576(%rsp) + vpsllq $1,%xmm4,%xmm4 + vmovdqa %xmm4,592(%rsp) + vpmuludq curve25519_sandy2x_v121666_121666(%rip),%xmm5,%xmm5 + vmovdqa 96(%rsp),%xmm3 + vpunpcklqdq %xmm3,%xmm5,%xmm4 + vpunpckhqdq %xmm3,%xmm5,%xmm3 + vpunpckhqdq %xmm10,%xmm9,%xmm5 + vpunpcklqdq %xmm10,%xmm9,%xmm6 + vmovdqa %xmm6,608(%rsp) + vpaddq curve25519_sandy2x_subc2(%rip),%xmm5,%xmm7 + vpsubq %xmm6,%xmm7,%xmm7 + vpunpckhqdq %xmm7,%xmm5,%xmm6 + vpunpcklqdq %xmm7,%xmm5,%xmm5 + vmovdqa %xmm5,624(%rsp) + vmovdqa %xmm6,640(%rsp) + vpsllq $1,%xmm6,%xmm6 + vmovdqa %xmm6,656(%rsp) + vpmuludq 
curve25519_sandy2x_v121666_121666(%rip),%xmm7,%xmm7 + vmovdqa 112(%rsp),%xmm5 + vpunpcklqdq %xmm5,%xmm7,%xmm6 + vpunpckhqdq %xmm5,%xmm7,%xmm5 + vpunpckhqdq %xmm12,%xmm11,%xmm7 + vpunpcklqdq %xmm12,%xmm11,%xmm8 + vmovdqa %xmm8,672(%rsp) + vpaddq curve25519_sandy2x_subc2(%rip),%xmm7,%xmm9 + vpsubq %xmm8,%xmm9,%xmm9 + vpunpckhqdq %xmm9,%xmm7,%xmm8 + vpunpcklqdq %xmm9,%xmm7,%xmm7 + vmovdqa %xmm7,688(%rsp) + vmovdqa %xmm8,704(%rsp) + vpsllq $1,%xmm8,%xmm8 + vmovdqa %xmm8,720(%rsp) + vpmuludq curve25519_sandy2x_v121666_121666(%rip),%xmm9,%xmm9 + vmovdqa 448(%rsp),%xmm7 + vpunpcklqdq %xmm7,%xmm9,%xmm8 + vpunpckhqdq %xmm7,%xmm9,%xmm7 + vpunpckhqdq %xmm0,%xmm13,%xmm9 + vpunpcklqdq %xmm0,%xmm13,%xmm0 + vmovdqa %xmm0,448(%rsp) + vpaddq curve25519_sandy2x_subc2(%rip),%xmm9,%xmm10 + vpsubq %xmm0,%xmm10,%xmm10 + vpunpckhqdq %xmm10,%xmm9,%xmm0 + vpunpcklqdq %xmm10,%xmm9,%xmm9 + vmovdqa %xmm9,736(%rsp) + vmovdqa %xmm0,752(%rsp) + vpsllq $1,%xmm0,%xmm0 + vmovdqa %xmm0,768(%rsp) + vpmuludq curve25519_sandy2x_v121666_121666(%rip),%xmm10,%xmm10 + vmovdqa 496(%rsp),%xmm0 + vpunpcklqdq %xmm0,%xmm10,%xmm9 + vpunpckhqdq %xmm0,%xmm10,%xmm0 + vpsrlq $26,%xmm2,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpand curve25519_sandy2x_m26(%rip),%xmm2,%xmm2 + vpsrlq $25,%xmm5,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpand curve25519_sandy2x_m25(%rip),%xmm5,%xmm5 + vpsrlq $25,%xmm1,%xmm10 + vpaddq %xmm10,%xmm4,%xmm4 + vpand curve25519_sandy2x_m25(%rip),%xmm1,%xmm1 + vpsrlq $26,%xmm8,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpand curve25519_sandy2x_m26(%rip),%xmm8,%xmm8 + vpsrlq $26,%xmm4,%xmm10 + vpaddq %xmm10,%xmm3,%xmm3 + vpand curve25519_sandy2x_m26(%rip),%xmm4,%xmm4 + vpsrlq $25,%xmm7,%xmm10 + vpaddq %xmm10,%xmm9,%xmm9 + vpand curve25519_sandy2x_m25(%rip),%xmm7,%xmm7 + vpsrlq $25,%xmm3,%xmm10 + vpaddq %xmm10,%xmm6,%xmm6 + vpand curve25519_sandy2x_m25(%rip),%xmm3,%xmm3 + vpsrlq $26,%xmm9,%xmm10 + vpaddq %xmm10,%xmm0,%xmm0 + vpand curve25519_sandy2x_m26(%rip),%xmm9,%xmm9 + vpsrlq $26,%xmm6,%xmm10 + vpaddq 
%xmm10,%xmm5,%xmm5 + vpand curve25519_sandy2x_m26(%rip),%xmm6,%xmm6 + vpsrlq $25,%xmm0,%xmm10 + vpsllq $4,%xmm10,%xmm11 + vpaddq %xmm10,%xmm2,%xmm2 + vpsllq $1,%xmm10,%xmm10 + vpaddq %xmm10,%xmm11,%xmm11 + vpaddq %xmm11,%xmm2,%xmm2 + vpand curve25519_sandy2x_m25(%rip),%xmm0,%xmm0 + vpsrlq $25,%xmm5,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpand curve25519_sandy2x_m25(%rip),%xmm5,%xmm5 + vpsrlq $26,%xmm2,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpand curve25519_sandy2x_m26(%rip),%xmm2,%xmm2 + vpunpckhqdq %xmm1,%xmm2,%xmm10 + vmovdqa %xmm10,80(%rsp) + vpunpcklqdq %xmm1,%xmm2,%xmm1 + vpunpckhqdq %xmm3,%xmm4,%xmm2 + vmovdqa %xmm2,96(%rsp) + vpunpcklqdq %xmm3,%xmm4,%xmm2 + vpunpckhqdq %xmm5,%xmm6,%xmm3 + vmovdqa %xmm3,112(%rsp) + vpunpcklqdq %xmm5,%xmm6,%xmm3 + vpunpckhqdq %xmm7,%xmm8,%xmm4 + vmovdqa %xmm4,128(%rsp) + vpunpcklqdq %xmm7,%xmm8,%xmm4 + vpunpckhqdq %xmm0,%xmm9,%xmm5 + vmovdqa %xmm5,144(%rsp) + vpunpcklqdq %xmm0,%xmm9,%xmm0 + vmovdqa 464(%rsp),%xmm5 + vpaddq %xmm5,%xmm1,%xmm1 + vpunpcklqdq %xmm1,%xmm5,%xmm6 + vpunpckhqdq %xmm1,%xmm5,%xmm1 + vpmuludq 512(%rsp),%xmm6,%xmm5 + vpmuludq 480(%rsp),%xmm1,%xmm7 + vpaddq %xmm7,%xmm5,%xmm5 + vpmuludq 560(%rsp),%xmm6,%xmm7 + vpmuludq 528(%rsp),%xmm1,%xmm8 + vpaddq %xmm8,%xmm7,%xmm7 + vpmuludq 576(%rsp),%xmm6,%xmm8 + vpmuludq 560(%rsp),%xmm1,%xmm9 + vpaddq %xmm9,%xmm8,%xmm8 + vpmuludq 624(%rsp),%xmm6,%xmm9 + vpmuludq 592(%rsp),%xmm1,%xmm10 + vpaddq %xmm10,%xmm9,%xmm9 + vpmuludq 640(%rsp),%xmm6,%xmm10 + vpmuludq 624(%rsp),%xmm1,%xmm11 + vpaddq %xmm11,%xmm10,%xmm10 + vpmuludq 688(%rsp),%xmm6,%xmm11 + vpmuludq 656(%rsp),%xmm1,%xmm12 + vpaddq %xmm12,%xmm11,%xmm11 + vpmuludq 704(%rsp),%xmm6,%xmm12 + vpmuludq 688(%rsp),%xmm1,%xmm13 + vpaddq %xmm13,%xmm12,%xmm12 + vpmuludq 736(%rsp),%xmm6,%xmm13 + vpmuludq 720(%rsp),%xmm1,%xmm14 + vpaddq %xmm14,%xmm13,%xmm13 + vpmuludq 752(%rsp),%xmm6,%xmm14 + vpmuludq 736(%rsp),%xmm1,%xmm15 + vpaddq %xmm15,%xmm14,%xmm14 + vpmuludq 480(%rsp),%xmm6,%xmm6 + vpmuludq 
curve25519_sandy2x_v19_19(%rip),%xmm1,%xmm1 + vpmuludq 768(%rsp),%xmm1,%xmm1 + vpaddq %xmm1,%xmm6,%xmm6 + vmovdqa 544(%rsp),%xmm1 + vpaddq %xmm1,%xmm2,%xmm2 + vpunpcklqdq %xmm2,%xmm1,%xmm15 + vpunpckhqdq %xmm2,%xmm1,%xmm1 + vpmuludq 480(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpmuludq 512(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpmuludq 560(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpmuludq 576(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 624(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpmuludq 640(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 688(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpmuludq 704(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm15,%xmm15 + vpmuludq 736(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm6,%xmm6 + vpmuludq 752(%rsp),%xmm15,%xmm15 + vpaddq %xmm15,%xmm5,%xmm5 + vpmuludq 480(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpmuludq 528(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpmuludq 560(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 592(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpmuludq 624(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 656(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpmuludq 688(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm1,%xmm1 + vpmuludq 720(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm6,%xmm6 + vpmuludq 736(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpmuludq 768(%rsp),%xmm1,%xmm1 + vpaddq %xmm1,%xmm7,%xmm7 + vmovdqa 608(%rsp),%xmm1 + vpaddq %xmm1,%xmm3,%xmm3 + vpunpcklqdq %xmm3,%xmm1,%xmm2 + vpunpckhqdq %xmm3,%xmm1,%xmm1 + vpmuludq 480(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm9,%xmm9 + vpmuludq 512(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm10,%xmm10 + vpmuludq 560(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 576(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm12,%xmm12 + vpmuludq 624(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + 
vpmuludq 640(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm2,%xmm2 + vpmuludq 688(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 704(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 736(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq 752(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpmuludq 480(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 528(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpmuludq 560(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 592(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpmuludq 624(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm1,%xmm1 + vpmuludq 656(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm6,%xmm6 + vpmuludq 688(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpmuludq 720(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpmuludq 736(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpmuludq 768(%rsp),%xmm1,%xmm1 + vpaddq %xmm1,%xmm9,%xmm9 + vmovdqa 672(%rsp),%xmm1 + vpaddq %xmm1,%xmm4,%xmm4 + vpunpcklqdq %xmm4,%xmm1,%xmm2 + vpunpckhqdq %xmm4,%xmm1,%xmm1 + vpmuludq 480(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 512(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm12,%xmm12 + vpmuludq 560(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 576(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm2,%xmm2 + vpmuludq 624(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 640(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 688(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq 704(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm8,%xmm8 + vpmuludq 736(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm9,%xmm9 + vpmuludq 752(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 480(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 528(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpmuludq 560(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm14,%xmm14 + vpmuludq 
curve25519_sandy2x_v19_19(%rip),%xmm1,%xmm1 + vpmuludq 592(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm6,%xmm6 + vpmuludq 624(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpmuludq 656(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpmuludq 688(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpmuludq 720(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpmuludq 736(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 768(%rsp),%xmm1,%xmm1 + vpaddq %xmm1,%xmm11,%xmm11 + vmovdqa 448(%rsp),%xmm1 + vpaddq %xmm1,%xmm0,%xmm0 + vpunpcklqdq %xmm0,%xmm1,%xmm2 + vpunpckhqdq %xmm0,%xmm1,%xmm0 + vpmuludq 480(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm13,%xmm13 + vpmuludq 512(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm2,%xmm2 + vpmuludq 560(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm6,%xmm6 + vpmuludq 576(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm5,%xmm5 + vpmuludq 624(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm7,%xmm7 + vpmuludq 640(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm8,%xmm8 + vpmuludq 688(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm9,%xmm9 + vpmuludq 704(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm10,%xmm10 + vpmuludq 736(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm11,%xmm11 + vpmuludq 752(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 480(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm0,%xmm0 + vpmuludq 528(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm6,%xmm6 + vpmuludq 560(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm5,%xmm5 + vpmuludq 592(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm7,%xmm7 + vpmuludq 624(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm8,%xmm8 + vpmuludq 656(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm9,%xmm9 + vpmuludq 688(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm10,%xmm10 + vpmuludq 720(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm11,%xmm11 + vpmuludq 736(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm12,%xmm12 + vpmuludq 768(%rsp),%xmm0,%xmm0 + vpaddq %xmm0,%xmm13,%xmm13 + vpsrlq $26,%xmm6,%xmm0 + vpaddq %xmm0,%xmm5,%xmm5 + vpand 
curve25519_sandy2x_m26(%rip),%xmm6,%xmm6 + vpsrlq $25,%xmm10,%xmm0 + vpaddq %xmm0,%xmm11,%xmm11 + vpand curve25519_sandy2x_m25(%rip),%xmm10,%xmm10 + vpsrlq $25,%xmm5,%xmm0 + vpaddq %xmm0,%xmm7,%xmm7 + vpand curve25519_sandy2x_m25(%rip),%xmm5,%xmm5 + vpsrlq $26,%xmm11,%xmm0 + vpaddq %xmm0,%xmm12,%xmm12 + vpand curve25519_sandy2x_m26(%rip),%xmm11,%xmm11 + vpsrlq $26,%xmm7,%xmm0 + vpaddq %xmm0,%xmm8,%xmm8 + vpand curve25519_sandy2x_m26(%rip),%xmm7,%xmm7 + vpsrlq $25,%xmm12,%xmm0 + vpaddq %xmm0,%xmm13,%xmm13 + vpand curve25519_sandy2x_m25(%rip),%xmm12,%xmm12 + vpsrlq $25,%xmm8,%xmm0 + vpaddq %xmm0,%xmm9,%xmm9 + vpand curve25519_sandy2x_m25(%rip),%xmm8,%xmm8 + vpsrlq $26,%xmm13,%xmm0 + vpaddq %xmm0,%xmm14,%xmm14 + vpand curve25519_sandy2x_m26(%rip),%xmm13,%xmm13 + vpsrlq $26,%xmm9,%xmm0 + vpaddq %xmm0,%xmm10,%xmm10 + vpand curve25519_sandy2x_m26(%rip),%xmm9,%xmm9 + vpsrlq $25,%xmm14,%xmm0 + vpsllq $4,%xmm0,%xmm1 + vpaddq %xmm0,%xmm6,%xmm6 + vpsllq $1,%xmm0,%xmm0 + vpaddq %xmm0,%xmm1,%xmm1 + vpaddq %xmm1,%xmm6,%xmm6 + vpand curve25519_sandy2x_m25(%rip),%xmm14,%xmm14 + vpsrlq $25,%xmm10,%xmm0 + vpaddq %xmm0,%xmm11,%xmm11 + vpand curve25519_sandy2x_m25(%rip),%xmm10,%xmm10 + vpsrlq $26,%xmm6,%xmm0 + vpaddq %xmm0,%xmm5,%xmm5 + vpand curve25519_sandy2x_m26(%rip),%xmm6,%xmm6 + vpunpckhqdq %xmm5,%xmm6,%xmm1 + vpunpcklqdq %xmm5,%xmm6,%xmm0 + vpunpckhqdq %xmm8,%xmm7,%xmm3 + vpunpcklqdq %xmm8,%xmm7,%xmm2 + vpunpckhqdq %xmm10,%xmm9,%xmm5 + vpunpcklqdq %xmm10,%xmm9,%xmm4 + vpunpckhqdq %xmm12,%xmm11,%xmm7 + vpunpcklqdq %xmm12,%xmm11,%xmm6 + vpunpckhqdq %xmm14,%xmm13,%xmm9 + vpunpcklqdq %xmm14,%xmm13,%xmm8 + cmp $0,%rdx + jne ._ladder_loop + vmovdqu %xmm1,160(%rdi) + vmovdqu %xmm0,80(%rdi) + vmovdqu %xmm3,176(%rdi) + vmovdqu %xmm2,96(%rdi) + vmovdqu %xmm5,192(%rdi) + vmovdqu %xmm4,112(%rdi) + vmovdqu %xmm7,208(%rdi) + vmovdqu %xmm6,128(%rdi) + vmovdqu %xmm9,224(%rdi) + vmovdqu %xmm8,144(%rdi) + movq 1824(%rsp),%r11 + movq 1832(%rsp),%r12 + movq 1840(%rsp),%r13 + movq 1848(%rsp),%r14 + 
add %r11,%rsp + ret +ENDPROC(curve25519_sandy2x_ladder) + +.align 32 +ENTRY(curve25519_sandy2x_ladder_base) + mov %rsp,%r11 + and $31,%r11 + add $1568,%r11 + sub %r11,%rsp + movq %r11,1536(%rsp) + movq %r12,1544(%rsp) + movq %r13,1552(%rsp) + vmovdqa curve25519_sandy2x_v0_0(%rip),%xmm0 + vmovdqa curve25519_sandy2x_v1_0(%rip),%xmm1 + vmovdqa curve25519_sandy2x_v9_0(%rip),%xmm2 + vmovdqa %xmm2,0(%rsp) + vmovdqa %xmm0,16(%rsp) + vmovdqa %xmm0,32(%rsp) + vmovdqa %xmm0,48(%rsp) + vmovdqa %xmm0,64(%rsp) + vmovdqa %xmm1,80(%rsp) + vmovdqa %xmm0,96(%rsp) + vmovdqa %xmm0,112(%rsp) + vmovdqa %xmm0,128(%rsp) + vmovdqa %xmm0,144(%rsp) + vmovdqa %xmm1,%xmm0 + vpxor %xmm1,%xmm1,%xmm1 + vpxor %xmm2,%xmm2,%xmm2 + vpxor %xmm3,%xmm3,%xmm3 + vpxor %xmm4,%xmm4,%xmm4 + vpxor %xmm5,%xmm5,%xmm5 + vpxor %xmm6,%xmm6,%xmm6 + vpxor %xmm7,%xmm7,%xmm7 + vpxor %xmm8,%xmm8,%xmm8 + vpxor %xmm9,%xmm9,%xmm9 + movq 0(%rsi),%rdx + movq 8(%rsi),%rcx + movq 16(%rsi),%r8 + movq 24(%rsi),%r9 + shrd $1,%rcx,%rdx + shrd $1,%r8,%rcx + shrd $1,%r9,%r8 + shr $1,%r9 + xorq 0(%rsi),%rdx + xorq 8(%rsi),%rcx + xorq 16(%rsi),%r8 + xorq 24(%rsi),%r9 + leaq 512(%rsp),%rsi + mov $64,%rax + + .align 16 + ._ladder_base_small_loop: + mov %rdx,%r10 + mov %rcx,%r11 + mov %r8,%r12 + mov %r9,%r13 + shr $1,%rdx + shr $1,%rcx + shr $1,%r8 + shr $1,%r9 + and $1,%r10d + and $1,%r11d + and $1,%r12d + and $1,%r13d + neg %r10 + neg %r11 + neg %r12 + neg %r13 + movl %r10d,0(%rsi) + movl %r11d,256(%rsi) + movl %r12d,512(%rsi) + movl %r13d,768(%rsi) + add $4,%rsi + sub $1,%rax + jne ._ladder_base_small_loop + mov $255,%rdx + add $760,%rsi + + .align 16 + ._ladder_base_loop: + sub $1,%rdx + vbroadcastss 0(%rsi),%xmm10 + sub $4,%rsi + vmovdqa 0(%rsp),%xmm11 + vmovdqa 80(%rsp),%xmm12 + vpxor %xmm11,%xmm0,%xmm13 + vpand %xmm10,%xmm13,%xmm13 + vpxor %xmm13,%xmm0,%xmm0 + vpxor %xmm13,%xmm11,%xmm11 + vpxor %xmm12,%xmm1,%xmm13 + vpand %xmm10,%xmm13,%xmm13 + vpxor %xmm13,%xmm1,%xmm1 + vpxor %xmm13,%xmm12,%xmm12 + vmovdqa 16(%rsp),%xmm13 + 
vmovdqa 96(%rsp),%xmm14 + vpxor %xmm13,%xmm2,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm2,%xmm2 + vpxor %xmm15,%xmm13,%xmm13 + vpxor %xmm14,%xmm3,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm3,%xmm3 + vpxor %xmm15,%xmm14,%xmm14 + vmovdqa %xmm13,0(%rsp) + vmovdqa %xmm14,16(%rsp) + vmovdqa 32(%rsp),%xmm13 + vmovdqa 112(%rsp),%xmm14 + vpxor %xmm13,%xmm4,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm4,%xmm4 + vpxor %xmm15,%xmm13,%xmm13 + vpxor %xmm14,%xmm5,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm5,%xmm5 + vpxor %xmm15,%xmm14,%xmm14 + vmovdqa %xmm13,32(%rsp) + vmovdqa %xmm14,80(%rsp) + vmovdqa 48(%rsp),%xmm13 + vmovdqa 128(%rsp),%xmm14 + vpxor %xmm13,%xmm6,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm6,%xmm6 + vpxor %xmm15,%xmm13,%xmm13 + vpxor %xmm14,%xmm7,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm7,%xmm7 + vpxor %xmm15,%xmm14,%xmm14 + vmovdqa %xmm13,48(%rsp) + vmovdqa %xmm14,96(%rsp) + vmovdqa 64(%rsp),%xmm13 + vmovdqa 144(%rsp),%xmm14 + vpxor %xmm13,%xmm8,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm8,%xmm8 + vpxor %xmm15,%xmm13,%xmm13 + vpxor %xmm14,%xmm9,%xmm15 + vpand %xmm10,%xmm15,%xmm15 + vpxor %xmm15,%xmm9,%xmm9 + vpxor %xmm15,%xmm14,%xmm14 + vmovdqa %xmm13,64(%rsp) + vmovdqa %xmm14,112(%rsp) + vpaddq curve25519_sandy2x_subc0(%rip),%xmm11,%xmm10 + vpsubq %xmm12,%xmm10,%xmm10 + vpaddq %xmm12,%xmm11,%xmm11 + vpunpckhqdq %xmm10,%xmm11,%xmm12 + vpunpcklqdq %xmm10,%xmm11,%xmm10 + vpaddq %xmm1,%xmm0,%xmm11 + vpaddq curve25519_sandy2x_subc0(%rip),%xmm0,%xmm0 + vpsubq %xmm1,%xmm0,%xmm0 + vpunpckhqdq %xmm11,%xmm0,%xmm1 + vpunpcklqdq %xmm11,%xmm0,%xmm0 + vpmuludq %xmm0,%xmm10,%xmm11 + vpmuludq %xmm1,%xmm10,%xmm13 + vmovdqa %xmm1,128(%rsp) + vpaddq %xmm1,%xmm1,%xmm1 + vpmuludq %xmm0,%xmm12,%xmm14 + vmovdqa %xmm0,144(%rsp) + vpaddq %xmm14,%xmm13,%xmm13 + vpmuludq %xmm1,%xmm12,%xmm0 + vmovdqa %xmm1,160(%rsp) + vpaddq %xmm3,%xmm2,%xmm1 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm2,%xmm2 + vpsubq 
%xmm3,%xmm2,%xmm2 + vpunpckhqdq %xmm1,%xmm2,%xmm3 + vpunpcklqdq %xmm1,%xmm2,%xmm1 + vpmuludq %xmm1,%xmm10,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vpmuludq %xmm3,%xmm10,%xmm2 + vmovdqa %xmm3,176(%rsp) + vpaddq %xmm3,%xmm3,%xmm3 + vpmuludq %xmm1,%xmm12,%xmm14 + vmovdqa %xmm1,192(%rsp) + vpaddq %xmm14,%xmm2,%xmm2 + vpmuludq %xmm3,%xmm12,%xmm1 + vmovdqa %xmm3,208(%rsp) + vpaddq %xmm5,%xmm4,%xmm3 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm4,%xmm4 + vpsubq %xmm5,%xmm4,%xmm4 + vpunpckhqdq %xmm3,%xmm4,%xmm5 + vpunpcklqdq %xmm3,%xmm4,%xmm3 + vpmuludq %xmm3,%xmm10,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vpmuludq %xmm5,%xmm10,%xmm4 + vmovdqa %xmm5,224(%rsp) + vpaddq %xmm5,%xmm5,%xmm5 + vpmuludq %xmm3,%xmm12,%xmm14 + vmovdqa %xmm3,240(%rsp) + vpaddq %xmm14,%xmm4,%xmm4 + vpaddq %xmm7,%xmm6,%xmm3 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm6,%xmm6 + vpsubq %xmm7,%xmm6,%xmm6 + vpunpckhqdq %xmm3,%xmm6,%xmm7 + vpunpcklqdq %xmm3,%xmm6,%xmm3 + vpmuludq %xmm3,%xmm10,%xmm6 + vpmuludq %xmm5,%xmm12,%xmm14 + vmovdqa %xmm5,256(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm5,%xmm5 + vmovdqa %xmm5,272(%rsp) + vpaddq %xmm14,%xmm6,%xmm6 + vpmuludq %xmm7,%xmm10,%xmm5 + vmovdqa %xmm7,288(%rsp) + vpaddq %xmm7,%xmm7,%xmm7 + vpmuludq %xmm3,%xmm12,%xmm14 + vmovdqa %xmm3,304(%rsp) + vpaddq %xmm14,%xmm5,%xmm5 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vmovdqa %xmm3,320(%rsp) + vpaddq %xmm9,%xmm8,%xmm3 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm8,%xmm8 + vpsubq %xmm9,%xmm8,%xmm8 + vpunpckhqdq %xmm3,%xmm8,%xmm9 + vpunpcklqdq %xmm3,%xmm8,%xmm3 + vmovdqa %xmm3,336(%rsp) + vpmuludq %xmm7,%xmm12,%xmm8 + vmovdqa %xmm7,352(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm7,%xmm7 + vmovdqa %xmm7,368(%rsp) + vpmuludq %xmm3,%xmm10,%xmm7 + vpaddq %xmm7,%xmm8,%xmm8 + vpmuludq %xmm9,%xmm10,%xmm7 + vmovdqa %xmm9,384(%rsp) + vpaddq %xmm9,%xmm9,%xmm9 + vpmuludq %xmm3,%xmm12,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vmovdqa %xmm3,400(%rsp) + vpmuludq 
curve25519_sandy2x_v19_19(%rip),%xmm12,%xmm12 + vpmuludq %xmm9,%xmm12,%xmm3 + vmovdqa %xmm9,416(%rsp) + vpaddq %xmm3,%xmm11,%xmm11 + vmovdqa 0(%rsp),%xmm3 + vmovdqa 16(%rsp),%xmm9 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm3,%xmm10 + vpsubq %xmm9,%xmm10,%xmm10 + vpaddq %xmm9,%xmm3,%xmm3 + vpunpckhqdq %xmm10,%xmm3,%xmm9 + vpunpcklqdq %xmm10,%xmm3,%xmm3 + vpmuludq 144(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm0,%xmm0 + vpmuludq 128(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm2,%xmm2 + vpmuludq 192(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpmuludq 176(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm4,%xmm4 + vpmuludq 240(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm6,%xmm6 + vpmuludq 224(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm5,%xmm5 + vpmuludq 304(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpmuludq 288(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vpmuludq 336(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm11,%xmm11 + vpmuludq 384(%rsp),%xmm3,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 144(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpmuludq 160(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm1,%xmm1 + vpmuludq 192(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 208(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 240(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 256(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm8,%xmm8 + vpmuludq 304(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm9,%xmm9 + vpmuludq 352(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 336(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 416(%rsp),%xmm9,%xmm9 + vpaddq %xmm9,%xmm0,%xmm0 + vmovdqa 32(%rsp),%xmm3 + vmovdqa 80(%rsp),%xmm9 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm3,%xmm10 + vpsubq %xmm9,%xmm10,%xmm10 + vpaddq %xmm9,%xmm3,%xmm3 + vpunpckhqdq %xmm10,%xmm3,%xmm9 + vpunpcklqdq %xmm10,%xmm3,%xmm3 + vpmuludq 144(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpmuludq 
128(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm4,%xmm4 + vpmuludq 192(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm6,%xmm6 + vpmuludq 176(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm5,%xmm5 + vpmuludq 240(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpmuludq 224(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vpmuludq 304(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm11,%xmm11 + vpmuludq 288(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm13,%xmm13 + vpmuludq 336(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm0,%xmm0 + vpmuludq 384(%rsp),%xmm3,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpmuludq 144(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 160(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 192(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 208(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm8,%xmm8 + vpmuludq 240(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm9,%xmm9 + vpmuludq 256(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 304(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 352(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm0,%xmm0 + vpmuludq 336(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpmuludq 416(%rsp),%xmm9,%xmm9 + vpaddq %xmm9,%xmm1,%xmm1 + vmovdqa 48(%rsp),%xmm3 + vmovdqa 96(%rsp),%xmm9 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm3,%xmm10 + vpsubq %xmm9,%xmm10,%xmm10 + vpaddq %xmm9,%xmm3,%xmm3 + vpunpckhqdq %xmm10,%xmm3,%xmm9 + vpunpcklqdq %xmm10,%xmm3,%xmm3 + vpmuludq 144(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm6,%xmm6 + vpmuludq 128(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm5,%xmm5 + vpmuludq 192(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpmuludq 176(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vpmuludq 240(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm11,%xmm11 + vpmuludq 224(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm13,%xmm13 + vpmuludq 304(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm0,%xmm0 + vpmuludq 
288(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm2,%xmm2 + vpmuludq 336(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpmuludq 384(%rsp),%xmm3,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 144(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 160(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm8,%xmm8 + vpmuludq 192(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm9,%xmm9 + vpmuludq 208(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 240(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 256(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm0,%xmm0 + vpmuludq 304(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpmuludq 352(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm1,%xmm1 + vpmuludq 336(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 416(%rsp),%xmm9,%xmm9 + vpaddq %xmm9,%xmm6,%xmm6 + vmovdqa 64(%rsp),%xmm3 + vmovdqa 112(%rsp),%xmm9 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm3,%xmm10 + vpsubq %xmm9,%xmm10,%xmm10 + vpaddq %xmm9,%xmm3,%xmm3 + vpunpckhqdq %xmm10,%xmm3,%xmm9 + vpunpcklqdq %xmm10,%xmm3,%xmm3 + vpmuludq 144(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpmuludq 128(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm3,%xmm3 + vpmuludq 192(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm11,%xmm11 + vpmuludq 176(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm13,%xmm13 + vpmuludq 240(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm0,%xmm0 + vpmuludq 224(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm2,%xmm2 + vpmuludq 304(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpmuludq 288(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm4,%xmm4 + vpmuludq 336(%rsp),%xmm3,%xmm10 + vpaddq %xmm10,%xmm6,%xmm6 + vpmuludq 384(%rsp),%xmm3,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 144(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm9,%xmm9 + vpmuludq 160(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 192(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 
208(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm0,%xmm0 + vpmuludq 240(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpmuludq 256(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm1,%xmm1 + vpmuludq 304(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpmuludq 352(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 336(%rsp),%xmm9,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 416(%rsp),%xmm9,%xmm9 + vpaddq %xmm9,%xmm8,%xmm8 + vpsrlq $25,%xmm4,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpand curve25519_sandy2x_m25(%rip),%xmm4,%xmm4 + vpsrlq $26,%xmm11,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpand curve25519_sandy2x_m26(%rip),%xmm11,%xmm11 + vpsrlq $26,%xmm6,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpand curve25519_sandy2x_m26(%rip),%xmm6,%xmm6 + vpsrlq $25,%xmm13,%xmm3 + vpaddq %xmm3,%xmm0,%xmm0 + vpand curve25519_sandy2x_m25(%rip),%xmm13,%xmm13 + vpsrlq $25,%xmm5,%xmm3 + vpaddq %xmm3,%xmm8,%xmm8 + vpand curve25519_sandy2x_m25(%rip),%xmm5,%xmm5 + vpsrlq $26,%xmm0,%xmm3 + vpaddq %xmm3,%xmm2,%xmm2 + vpand curve25519_sandy2x_m26(%rip),%xmm0,%xmm0 + vpsrlq $26,%xmm8,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpand curve25519_sandy2x_m26(%rip),%xmm8,%xmm8 + vpsrlq $25,%xmm2,%xmm3 + vpaddq %xmm3,%xmm1,%xmm1 + vpand curve25519_sandy2x_m25(%rip),%xmm2,%xmm2 + vpsrlq $25,%xmm7,%xmm3 + vpsllq $4,%xmm3,%xmm9 + vpaddq %xmm3,%xmm11,%xmm11 + vpsllq $1,%xmm3,%xmm3 + vpaddq %xmm3,%xmm9,%xmm9 + vpaddq %xmm9,%xmm11,%xmm11 + vpand curve25519_sandy2x_m25(%rip),%xmm7,%xmm7 + vpsrlq $26,%xmm1,%xmm3 + vpaddq %xmm3,%xmm4,%xmm4 + vpand curve25519_sandy2x_m26(%rip),%xmm1,%xmm1 + vpsrlq $26,%xmm11,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpand curve25519_sandy2x_m26(%rip),%xmm11,%xmm11 + vpsrlq $25,%xmm4,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpand curve25519_sandy2x_m25(%rip),%xmm4,%xmm4 + vpunpcklqdq %xmm13,%xmm11,%xmm3 + vpunpckhqdq %xmm13,%xmm11,%xmm9 + vpaddq curve25519_sandy2x_subc0(%rip),%xmm9,%xmm10 + vpsubq %xmm3,%xmm10,%xmm10 + vpaddq %xmm9,%xmm3,%xmm3 + vpunpckhqdq %xmm3,%xmm10,%xmm9 + vpunpcklqdq %xmm3,%xmm10,%xmm10 + vpmuludq 
%xmm10,%xmm10,%xmm3 + vpaddq %xmm10,%xmm10,%xmm10 + vpmuludq %xmm9,%xmm10,%xmm11 + vpunpcklqdq %xmm2,%xmm0,%xmm12 + vpunpckhqdq %xmm2,%xmm0,%xmm0 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm0,%xmm2 + vpsubq %xmm12,%xmm2,%xmm2 + vpaddq %xmm0,%xmm12,%xmm12 + vpunpckhqdq %xmm12,%xmm2,%xmm0 + vpunpcklqdq %xmm12,%xmm2,%xmm2 + vpmuludq %xmm2,%xmm10,%xmm12 + vpaddq %xmm9,%xmm9,%xmm13 + vpmuludq %xmm13,%xmm9,%xmm9 + vpaddq %xmm9,%xmm12,%xmm12 + vpmuludq %xmm0,%xmm10,%xmm9 + vpmuludq %xmm2,%xmm13,%xmm14 + vpaddq %xmm14,%xmm9,%xmm9 + vpunpcklqdq %xmm4,%xmm1,%xmm14 + vpunpckhqdq %xmm4,%xmm1,%xmm1 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm1,%xmm4 + vpsubq %xmm14,%xmm4,%xmm4 + vpaddq %xmm1,%xmm14,%xmm14 + vpunpckhqdq %xmm14,%xmm4,%xmm1 + vpunpcklqdq %xmm14,%xmm4,%xmm4 + vmovdqa %xmm1,0(%rsp) + vpaddq %xmm1,%xmm1,%xmm1 + vmovdqa %xmm1,16(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm1,%xmm1 + vmovdqa %xmm1,32(%rsp) + vpmuludq %xmm4,%xmm10,%xmm1 + vpmuludq %xmm2,%xmm2,%xmm14 + vpaddq %xmm14,%xmm1,%xmm1 + vpmuludq 0(%rsp),%xmm10,%xmm14 + vpmuludq %xmm4,%xmm13,%xmm15 + vpaddq %xmm15,%xmm14,%xmm14 + vpunpcklqdq %xmm5,%xmm6,%xmm15 + vpunpckhqdq %xmm5,%xmm6,%xmm5 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm5,%xmm6 + vpsubq %xmm15,%xmm6,%xmm6 + vpaddq %xmm5,%xmm15,%xmm15 + vpunpckhqdq %xmm15,%xmm6,%xmm5 + vpunpcklqdq %xmm15,%xmm6,%xmm6 + vmovdqa %xmm6,48(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm6,%xmm6 + vmovdqa %xmm6,64(%rsp) + vmovdqa %xmm5,80(%rsp) + vpmuludq curve25519_sandy2x_v38_38(%rip),%xmm5,%xmm5 + vmovdqa %xmm5,96(%rsp) + vpmuludq 48(%rsp),%xmm10,%xmm5 + vpaddq %xmm0,%xmm0,%xmm6 + vpmuludq %xmm6,%xmm0,%xmm0 + vpaddq %xmm0,%xmm5,%xmm5 + vpmuludq 80(%rsp),%xmm10,%xmm0 + vpmuludq %xmm4,%xmm6,%xmm15 + vpaddq %xmm15,%xmm0,%xmm0 + vpmuludq %xmm6,%xmm13,%xmm15 + vpaddq %xmm15,%xmm1,%xmm1 + vpmuludq %xmm6,%xmm2,%xmm15 + vpaddq %xmm15,%xmm14,%xmm14 + vpunpcklqdq %xmm7,%xmm8,%xmm15 + vpunpckhqdq %xmm7,%xmm8,%xmm7 + vpaddq curve25519_sandy2x_subc2(%rip),%xmm7,%xmm8 
+ vpsubq %xmm15,%xmm8,%xmm8 + vpaddq %xmm7,%xmm15,%xmm15 + vpunpckhqdq %xmm15,%xmm8,%xmm7 + vpunpcklqdq %xmm15,%xmm8,%xmm8 + vmovdqa %xmm8,112(%rsp) + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm8,%xmm8 + vmovdqa %xmm8,160(%rsp) + vpmuludq 112(%rsp),%xmm10,%xmm8 + vpmuludq %xmm7,%xmm10,%xmm10 + vpmuludq curve25519_sandy2x_v38_38(%rip),%xmm7,%xmm15 + vpmuludq %xmm15,%xmm7,%xmm7 + vpaddq %xmm7,%xmm8,%xmm8 + vpmuludq %xmm15,%xmm13,%xmm7 + vpaddq %xmm7,%xmm3,%xmm3 + vpmuludq %xmm15,%xmm2,%xmm7 + vpaddq %xmm7,%xmm11,%xmm11 + vpmuludq 80(%rsp),%xmm13,%xmm7 + vpaddq %xmm7,%xmm7,%xmm7 + vpaddq %xmm7,%xmm8,%xmm8 + vpmuludq 16(%rsp),%xmm13,%xmm7 + vpaddq %xmm7,%xmm5,%xmm5 + vpmuludq 48(%rsp),%xmm13,%xmm7 + vpaddq %xmm7,%xmm0,%xmm0 + vpmuludq 112(%rsp),%xmm13,%xmm7 + vpaddq %xmm7,%xmm10,%xmm10 + vpmuludq %xmm15,%xmm6,%xmm7 + vpaddq %xmm7,%xmm12,%xmm12 + vpmuludq %xmm15,%xmm4,%xmm7 + vpaddq %xmm7,%xmm9,%xmm9 + vpaddq %xmm2,%xmm2,%xmm2 + vpmuludq %xmm4,%xmm2,%xmm7 + vpaddq %xmm7,%xmm5,%xmm5 + vpmuludq 160(%rsp),%xmm2,%xmm7 + vpaddq %xmm7,%xmm3,%xmm3 + vpmuludq 160(%rsp),%xmm6,%xmm7 + vpaddq %xmm7,%xmm11,%xmm11 + vpmuludq 0(%rsp),%xmm2,%xmm7 + vpaddq %xmm7,%xmm0,%xmm0 + vpmuludq 48(%rsp),%xmm2,%xmm7 + vpaddq %xmm7,%xmm8,%xmm8 + vpmuludq 80(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 96(%rsp),%xmm4,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpmuludq %xmm4,%xmm4,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpaddq %xmm4,%xmm4,%xmm2 + vpmuludq 160(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm12,%xmm12 + vpmuludq 16(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vpmuludq 48(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm14,%xmm14 + vpmuludq 96(%rsp),%xmm6,%xmm4 + vpaddq %xmm4,%xmm3,%xmm3 + vmovdqa 16(%rsp),%xmm4 + vpmuludq 160(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm9,%xmm9 + vpmuludq 16(%rsp),%xmm6,%xmm4 + vpaddq %xmm4,%xmm8,%xmm8 + vpmuludq 48(%rsp),%xmm6,%xmm4 + vpaddq %xmm4,%xmm10,%xmm10 + vpmuludq 80(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm4,%xmm4 + vpaddq %xmm4,%xmm5,%xmm5 + vpmuludq 
112(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm0,%xmm0 + vmovdqa 48(%rsp),%xmm4 + vpaddq %xmm4,%xmm4,%xmm4 + vpmuludq 160(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vmovdqa 80(%rsp),%xmm4 + vpaddq %xmm4,%xmm4,%xmm4 + vpmuludq 160(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm14,%xmm14 + vpmuludq 64(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm3,%xmm3 + vmovdqa 16(%rsp),%xmm4 + vpmuludq 64(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm11,%xmm11 + vmovdqa 16(%rsp),%xmm4 + vpmuludq 96(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm12,%xmm12 + vmovdqa 48(%rsp),%xmm4 + vpmuludq 96(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm9,%xmm9 + vpmuludq 0(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vmovdqa 32(%rsp),%xmm2 + vpmuludq 0(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm3,%xmm3 + vmovdqa 64(%rsp),%xmm2 + vpmuludq 48(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vmovdqa 96(%rsp),%xmm2 + vpmuludq 80(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm1,%xmm1 + vmovdqa 160(%rsp),%xmm2 + vpmuludq 112(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpsrlq $26,%xmm3,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpand curve25519_sandy2x_m26(%rip),%xmm3,%xmm3 + vpsrlq $25,%xmm14,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpand curve25519_sandy2x_m25(%rip),%xmm14,%xmm14 + vpsrlq $25,%xmm11,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpand curve25519_sandy2x_m25(%rip),%xmm11,%xmm11 + vpsrlq $26,%xmm5,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vpand curve25519_sandy2x_m26(%rip),%xmm5,%xmm5 + vpsrlq $26,%xmm12,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpand curve25519_sandy2x_m26(%rip),%xmm12,%xmm12 + vpsrlq $25,%xmm0,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpand curve25519_sandy2x_m25(%rip),%xmm0,%xmm0 + vpsrlq $25,%xmm9,%xmm2 + vpaddq %xmm2,%xmm1,%xmm1 + vpand curve25519_sandy2x_m25(%rip),%xmm9,%xmm9 + vpsrlq $26,%xmm8,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpand curve25519_sandy2x_m26(%rip),%xmm8,%xmm8 + vpsrlq $26,%xmm1,%xmm2 + vpaddq %xmm2,%xmm14,%xmm14 + vpand curve25519_sandy2x_m26(%rip),%xmm1,%xmm1 + vpsrlq $25,%xmm10,%xmm2 + vpsllq $4,%xmm2,%xmm4 + vpaddq %xmm2,%xmm3,%xmm3 + 
vpsllq $1,%xmm2,%xmm2 + vpaddq %xmm2,%xmm4,%xmm4 + vpaddq %xmm4,%xmm3,%xmm3 + vpand curve25519_sandy2x_m25(%rip),%xmm10,%xmm10 + vpsrlq $25,%xmm14,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpand curve25519_sandy2x_m25(%rip),%xmm14,%xmm14 + vpsrlq $26,%xmm3,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpand curve25519_sandy2x_m26(%rip),%xmm3,%xmm3 + vpunpckhqdq %xmm11,%xmm3,%xmm2 + vmovdqa %xmm2,0(%rsp) + vpunpcklqdq %xmm11,%xmm3,%xmm2 + vpmuludq curve25519_sandy2x_v9_9(%rip),%xmm2,%xmm2 + vmovdqa %xmm2,80(%rsp) + vpunpckhqdq %xmm9,%xmm12,%xmm2 + vmovdqa %xmm2,16(%rsp) + vpunpcklqdq %xmm9,%xmm12,%xmm2 + vpmuludq curve25519_sandy2x_v9_9(%rip),%xmm2,%xmm2 + vmovdqa %xmm2,96(%rsp) + vpunpckhqdq %xmm14,%xmm1,%xmm2 + vmovdqa %xmm2,32(%rsp) + vpunpcklqdq %xmm14,%xmm1,%xmm1 + vpmuludq curve25519_sandy2x_v9_9(%rip),%xmm1,%xmm1 + vmovdqa %xmm1,112(%rsp) + vpunpckhqdq %xmm0,%xmm5,%xmm1 + vmovdqa %xmm1,48(%rsp) + vpunpcklqdq %xmm0,%xmm5,%xmm0 + vpmuludq curve25519_sandy2x_v9_9(%rip),%xmm0,%xmm0 + vmovdqa %xmm0,160(%rsp) + vpunpckhqdq %xmm10,%xmm8,%xmm0 + vmovdqa %xmm0,64(%rsp) + vpunpcklqdq %xmm10,%xmm8,%xmm0 + vpmuludq curve25519_sandy2x_v9_9(%rip),%xmm0,%xmm0 + vmovdqa %xmm0,208(%rsp) + vmovdqa 144(%rsp),%xmm0 + vpmuludq %xmm0,%xmm0,%xmm1 + vpaddq %xmm0,%xmm0,%xmm0 + vmovdqa 128(%rsp),%xmm2 + vpmuludq %xmm2,%xmm0,%xmm3 + vmovdqa 192(%rsp),%xmm4 + vpmuludq %xmm4,%xmm0,%xmm5 + vmovdqa 176(%rsp),%xmm6 + vpmuludq %xmm6,%xmm0,%xmm7 + vmovdqa 240(%rsp),%xmm8 + vpmuludq %xmm8,%xmm0,%xmm9 + vpmuludq 224(%rsp),%xmm0,%xmm10 + vpmuludq 304(%rsp),%xmm0,%xmm11 + vpmuludq 288(%rsp),%xmm0,%xmm12 + vpmuludq 336(%rsp),%xmm0,%xmm13 + vmovdqa 384(%rsp),%xmm14 + vpmuludq %xmm14,%xmm0,%xmm0 + vpmuludq curve25519_sandy2x_v38_38(%rip),%xmm14,%xmm15 + vpmuludq %xmm15,%xmm14,%xmm14 + vpaddq %xmm14,%xmm13,%xmm13 + vpaddq %xmm6,%xmm6,%xmm14 + vpmuludq %xmm14,%xmm6,%xmm6 + vpaddq %xmm6,%xmm11,%xmm11 + vpaddq %xmm2,%xmm2,%xmm6 + vpmuludq %xmm6,%xmm2,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpmuludq %xmm15,%xmm6,%xmm2 + 
vpaddq %xmm2,%xmm1,%xmm1 + vpmuludq %xmm15,%xmm4,%xmm2 + vpaddq %xmm2,%xmm3,%xmm3 + vpmuludq 256(%rsp),%xmm6,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpmuludq 304(%rsp),%xmm6,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 352(%rsp),%xmm6,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpmuludq 336(%rsp),%xmm6,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vpmuludq %xmm4,%xmm6,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpmuludq %xmm14,%xmm6,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpmuludq %xmm8,%xmm6,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq %xmm15,%xmm14,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpmuludq %xmm15,%xmm8,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpmuludq %xmm4,%xmm4,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpmuludq %xmm14,%xmm4,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpaddq %xmm4,%xmm4,%xmm2 + vpmuludq %xmm8,%xmm2,%xmm4 + vpaddq %xmm4,%xmm11,%xmm11 + vpmuludq 400(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vpmuludq 400(%rsp),%xmm14,%xmm4 + vpaddq %xmm4,%xmm3,%xmm3 + vpmuludq 224(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm12,%xmm12 + vpmuludq 304(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm13,%xmm13 + vpmuludq 288(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vpmuludq 368(%rsp),%xmm8,%xmm2 + vpaddq %xmm2,%xmm3,%xmm3 + vpmuludq %xmm8,%xmm14,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq %xmm8,%xmm8,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpaddq %xmm8,%xmm8,%xmm2 + vpmuludq 400(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm5,%xmm5 + vpmuludq 256(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm9,%xmm9 + vpmuludq 304(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm10,%xmm10 + vpmuludq 368(%rsp),%xmm14,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vmovdqa 256(%rsp),%xmm4 + vpmuludq 400(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm7,%xmm7 + vpmuludq 256(%rsp),%xmm14,%xmm4 + vpaddq %xmm4,%xmm13,%xmm13 + vpmuludq 304(%rsp),%xmm14,%xmm4 + vpaddq %xmm4,%xmm0,%xmm0 + vpmuludq 352(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm11,%xmm11 + vpmuludq 336(%rsp),%xmm15,%xmm4 + vpaddq %xmm4,%xmm12,%xmm12 + vmovdqa 304(%rsp),%xmm4 + vpaddq %xmm4,%xmm4,%xmm4 + vpmuludq 400(%rsp),%xmm4,%xmm4 + vpaddq 
%xmm4,%xmm9,%xmm9 + vpmuludq 320(%rsp),%xmm2,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vmovdqa 256(%rsp),%xmm4 + vpmuludq 320(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm3,%xmm3 + vmovdqa 256(%rsp),%xmm4 + vpmuludq 368(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm5,%xmm5 + vmovdqa 304(%rsp),%xmm4 + vpmuludq 368(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm7,%xmm7 + vmovdqa 352(%rsp),%xmm4 + vpmuludq 400(%rsp),%xmm4,%xmm4 + vpaddq %xmm4,%xmm10,%xmm10 + vpmuludq 224(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vmovdqa 272(%rsp),%xmm2 + vpmuludq 224(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm1,%xmm1 + vmovdqa 320(%rsp),%xmm2 + vpmuludq 304(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vmovdqa 368(%rsp),%xmm2 + vpmuludq 288(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vmovdqa 400(%rsp),%xmm2 + vpmuludq 336(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpsrlq $26,%xmm1,%xmm2 + vpaddq %xmm2,%xmm3,%xmm3 + vpand curve25519_sandy2x_m26(%rip),%xmm1,%xmm1 + vpsrlq $25,%xmm10,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpand curve25519_sandy2x_m25(%rip),%xmm10,%xmm10 + vpsrlq $25,%xmm3,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpand curve25519_sandy2x_m25(%rip),%xmm3,%xmm3 + vpsrlq $26,%xmm11,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpand curve25519_sandy2x_m26(%rip),%xmm11,%xmm11 + vpsrlq $26,%xmm5,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpand curve25519_sandy2x_m26(%rip),%xmm5,%xmm5 + vpsrlq $25,%xmm12,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpand curve25519_sandy2x_m25(%rip),%xmm12,%xmm12 + vpsrlq $25,%xmm7,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpand curve25519_sandy2x_m25(%rip),%xmm7,%xmm7 + vpsrlq $26,%xmm13,%xmm2 + vpaddq %xmm2,%xmm0,%xmm0 + vpand curve25519_sandy2x_m26(%rip),%xmm13,%xmm13 + vpsrlq $26,%xmm9,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpand curve25519_sandy2x_m26(%rip),%xmm9,%xmm9 + vpsrlq $25,%xmm0,%xmm2 + vpsllq $4,%xmm2,%xmm4 + vpaddq %xmm2,%xmm1,%xmm1 + vpsllq $1,%xmm2,%xmm2 + vpaddq %xmm2,%xmm4,%xmm4 + vpaddq %xmm4,%xmm1,%xmm1 + vpand curve25519_sandy2x_m25(%rip),%xmm0,%xmm0 + vpsrlq $25,%xmm10,%xmm2 + vpaddq 
%xmm2,%xmm11,%xmm11 + vpand curve25519_sandy2x_m25(%rip),%xmm10,%xmm10 + vpsrlq $26,%xmm1,%xmm2 + vpaddq %xmm2,%xmm3,%xmm3 + vpand curve25519_sandy2x_m26(%rip),%xmm1,%xmm1 + vpunpckhqdq %xmm3,%xmm1,%xmm2 + vpunpcklqdq %xmm3,%xmm1,%xmm1 + vmovdqa %xmm1,176(%rsp) + vpaddq curve25519_sandy2x_subc0(%rip),%xmm2,%xmm3 + vpsubq %xmm1,%xmm3,%xmm3 + vpunpckhqdq %xmm3,%xmm2,%xmm1 + vpunpcklqdq %xmm3,%xmm2,%xmm2 + vmovdqa %xmm2,192(%rsp) + vmovdqa %xmm1,224(%rsp) + vpsllq $1,%xmm1,%xmm1 + vmovdqa %xmm1,240(%rsp) + vpmuludq curve25519_sandy2x_v121666_121666(%rip),%xmm3,%xmm3 + vmovdqa 80(%rsp),%xmm1 + vpunpcklqdq %xmm1,%xmm3,%xmm2 + vpunpckhqdq %xmm1,%xmm3,%xmm1 + vpunpckhqdq %xmm7,%xmm5,%xmm3 + vpunpcklqdq %xmm7,%xmm5,%xmm4 + vmovdqa %xmm4,256(%rsp) + vpaddq curve25519_sandy2x_subc2(%rip),%xmm3,%xmm5 + vpsubq %xmm4,%xmm5,%xmm5 + vpunpckhqdq %xmm5,%xmm3,%xmm4 + vpunpcklqdq %xmm5,%xmm3,%xmm3 + vmovdqa %xmm3,272(%rsp) + vmovdqa %xmm4,288(%rsp) + vpsllq $1,%xmm4,%xmm4 + vmovdqa %xmm4,304(%rsp) + vpmuludq curve25519_sandy2x_v121666_121666(%rip),%xmm5,%xmm5 + vmovdqa 96(%rsp),%xmm3 + vpunpcklqdq %xmm3,%xmm5,%xmm4 + vpunpckhqdq %xmm3,%xmm5,%xmm3 + vpunpckhqdq %xmm10,%xmm9,%xmm5 + vpunpcklqdq %xmm10,%xmm9,%xmm6 + vmovdqa %xmm6,320(%rsp) + vpaddq curve25519_sandy2x_subc2(%rip),%xmm5,%xmm7 + vpsubq %xmm6,%xmm7,%xmm7 + vpunpckhqdq %xmm7,%xmm5,%xmm6 + vpunpcklqdq %xmm7,%xmm5,%xmm5 + vmovdqa %xmm5,336(%rsp) + vmovdqa %xmm6,352(%rsp) + vpsllq $1,%xmm6,%xmm6 + vmovdqa %xmm6,368(%rsp) + vpmuludq curve25519_sandy2x_v121666_121666(%rip),%xmm7,%xmm7 + vmovdqa 112(%rsp),%xmm5 + vpunpcklqdq %xmm5,%xmm7,%xmm6 + vpunpckhqdq %xmm5,%xmm7,%xmm5 + vpunpckhqdq %xmm12,%xmm11,%xmm7 + vpunpcklqdq %xmm12,%xmm11,%xmm8 + vmovdqa %xmm8,384(%rsp) + vpaddq curve25519_sandy2x_subc2(%rip),%xmm7,%xmm9 + vpsubq %xmm8,%xmm9,%xmm9 + vpunpckhqdq %xmm9,%xmm7,%xmm8 + vpunpcklqdq %xmm9,%xmm7,%xmm7 + vmovdqa %xmm7,400(%rsp) + vmovdqa %xmm8,416(%rsp) + vpsllq $1,%xmm8,%xmm8 + vmovdqa %xmm8,432(%rsp) + vpmuludq 
curve25519_sandy2x_v121666_121666(%rip),%xmm9,%xmm9 + vmovdqa 160(%rsp),%xmm7 + vpunpcklqdq %xmm7,%xmm9,%xmm8 + vpunpckhqdq %xmm7,%xmm9,%xmm7 + vpunpckhqdq %xmm0,%xmm13,%xmm9 + vpunpcklqdq %xmm0,%xmm13,%xmm0 + vmovdqa %xmm0,160(%rsp) + vpaddq curve25519_sandy2x_subc2(%rip),%xmm9,%xmm10 + vpsubq %xmm0,%xmm10,%xmm10 + vpunpckhqdq %xmm10,%xmm9,%xmm0 + vpunpcklqdq %xmm10,%xmm9,%xmm9 + vmovdqa %xmm9,448(%rsp) + vmovdqa %xmm0,464(%rsp) + vpsllq $1,%xmm0,%xmm0 + vmovdqa %xmm0,480(%rsp) + vpmuludq curve25519_sandy2x_v121666_121666(%rip),%xmm10,%xmm10 + vmovdqa 208(%rsp),%xmm0 + vpunpcklqdq %xmm0,%xmm10,%xmm9 + vpunpckhqdq %xmm0,%xmm10,%xmm0 + vpsrlq $26,%xmm2,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpand curve25519_sandy2x_m26(%rip),%xmm2,%xmm2 + vpsrlq $25,%xmm5,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpand curve25519_sandy2x_m25(%rip),%xmm5,%xmm5 + vpsrlq $25,%xmm1,%xmm10 + vpaddq %xmm10,%xmm4,%xmm4 + vpand curve25519_sandy2x_m25(%rip),%xmm1,%xmm1 + vpsrlq $26,%xmm8,%xmm10 + vpaddq %xmm10,%xmm7,%xmm7 + vpand curve25519_sandy2x_m26(%rip),%xmm8,%xmm8 + vpsrlq $26,%xmm4,%xmm10 + vpaddq %xmm10,%xmm3,%xmm3 + vpand curve25519_sandy2x_m26(%rip),%xmm4,%xmm4 + vpsrlq $25,%xmm7,%xmm10 + vpaddq %xmm10,%xmm9,%xmm9 + vpand curve25519_sandy2x_m25(%rip),%xmm7,%xmm7 + vpsrlq $25,%xmm3,%xmm10 + vpaddq %xmm10,%xmm6,%xmm6 + vpand curve25519_sandy2x_m25(%rip),%xmm3,%xmm3 + vpsrlq $26,%xmm9,%xmm10 + vpaddq %xmm10,%xmm0,%xmm0 + vpand curve25519_sandy2x_m26(%rip),%xmm9,%xmm9 + vpsrlq $26,%xmm6,%xmm10 + vpaddq %xmm10,%xmm5,%xmm5 + vpand curve25519_sandy2x_m26(%rip),%xmm6,%xmm6 + vpsrlq $25,%xmm0,%xmm10 + vpsllq $4,%xmm10,%xmm11 + vpaddq %xmm10,%xmm2,%xmm2 + vpsllq $1,%xmm10,%xmm10 + vpaddq %xmm10,%xmm11,%xmm11 + vpaddq %xmm11,%xmm2,%xmm2 + vpand curve25519_sandy2x_m25(%rip),%xmm0,%xmm0 + vpsrlq $25,%xmm5,%xmm10 + vpaddq %xmm10,%xmm8,%xmm8 + vpand curve25519_sandy2x_m25(%rip),%xmm5,%xmm5 + vpsrlq $26,%xmm2,%xmm10 + vpaddq %xmm10,%xmm1,%xmm1 + vpand curve25519_sandy2x_m26(%rip),%xmm2,%xmm2 + 
vpunpckhqdq %xmm1,%xmm2,%xmm10 + vmovdqa %xmm10,80(%rsp) + vpunpcklqdq %xmm1,%xmm2,%xmm1 + vpunpckhqdq %xmm3,%xmm4,%xmm2 + vmovdqa %xmm2,96(%rsp) + vpunpcklqdq %xmm3,%xmm4,%xmm2 + vpunpckhqdq %xmm5,%xmm6,%xmm3 + vmovdqa %xmm3,112(%rsp) + vpunpcklqdq %xmm5,%xmm6,%xmm3 + vpunpckhqdq %xmm7,%xmm8,%xmm4 + vmovdqa %xmm4,128(%rsp) + vpunpcklqdq %xmm7,%xmm8,%xmm4 + vpunpckhqdq %xmm0,%xmm9,%xmm5 + vmovdqa %xmm5,144(%rsp) + vpunpcklqdq %xmm0,%xmm9,%xmm0 + vmovdqa 176(%rsp),%xmm5 + vpaddq %xmm5,%xmm1,%xmm1 + vpunpcklqdq %xmm1,%xmm5,%xmm6 + vpunpckhqdq %xmm1,%xmm5,%xmm1 + vpmuludq 224(%rsp),%xmm6,%xmm5 + vpmuludq 192(%rsp),%xmm1,%xmm7 + vpaddq %xmm7,%xmm5,%xmm5 + vpmuludq 272(%rsp),%xmm6,%xmm7 + vpmuludq 240(%rsp),%xmm1,%xmm8 + vpaddq %xmm8,%xmm7,%xmm7 + vpmuludq 288(%rsp),%xmm6,%xmm8 + vpmuludq 272(%rsp),%xmm1,%xmm9 + vpaddq %xmm9,%xmm8,%xmm8 + vpmuludq 336(%rsp),%xmm6,%xmm9 + vpmuludq 304(%rsp),%xmm1,%xmm10 + vpaddq %xmm10,%xmm9,%xmm9 + vpmuludq 352(%rsp),%xmm6,%xmm10 + vpmuludq 336(%rsp),%xmm1,%xmm11 + vpaddq %xmm11,%xmm10,%xmm10 + vpmuludq 400(%rsp),%xmm6,%xmm11 + vpmuludq 368(%rsp),%xmm1,%xmm12 + vpaddq %xmm12,%xmm11,%xmm11 + vpmuludq 416(%rsp),%xmm6,%xmm12 + vpmuludq 400(%rsp),%xmm1,%xmm13 + vpaddq %xmm13,%xmm12,%xmm12 + vpmuludq 448(%rsp),%xmm6,%xmm13 + vpmuludq 432(%rsp),%xmm1,%xmm14 + vpaddq %xmm14,%xmm13,%xmm13 + vpmuludq 464(%rsp),%xmm6,%xmm14 + vpmuludq 448(%rsp),%xmm1,%xmm15 + vpaddq %xmm15,%xmm14,%xmm14 + vpmuludq 192(%rsp),%xmm6,%xmm6 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm1,%xmm1 + vpmuludq 480(%rsp),%xmm1,%xmm1 + vpaddq %xmm1,%xmm6,%xmm6 + vmovdqa 256(%rsp),%xmm1 + vpaddq %xmm1,%xmm2,%xmm2 + vpunpcklqdq %xmm2,%xmm1,%xmm15 + vpunpckhqdq %xmm2,%xmm1,%xmm1 + vpmuludq 192(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpmuludq 224(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpmuludq 272(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpmuludq 288(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 336(%rsp),%xmm15,%xmm2 + vpaddq 
%xmm2,%xmm11,%xmm11 + vpmuludq 352(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 400(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpmuludq 416(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm15,%xmm15 + vpmuludq 448(%rsp),%xmm15,%xmm2 + vpaddq %xmm2,%xmm6,%xmm6 + vpmuludq 464(%rsp),%xmm15,%xmm15 + vpaddq %xmm15,%xmm5,%xmm5 + vpmuludq 192(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpmuludq 240(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpmuludq 272(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 304(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpmuludq 336(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 368(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpmuludq 400(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm1,%xmm1 + vpmuludq 432(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm6,%xmm6 + vpmuludq 448(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpmuludq 480(%rsp),%xmm1,%xmm1 + vpaddq %xmm1,%xmm7,%xmm7 + vmovdqa 320(%rsp),%xmm1 + vpaddq %xmm1,%xmm3,%xmm3 + vpunpcklqdq %xmm3,%xmm1,%xmm2 + vpunpckhqdq %xmm3,%xmm1,%xmm1 + vpmuludq 192(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm9,%xmm9 + vpmuludq 224(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm10,%xmm10 + vpmuludq 272(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 288(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm12,%xmm12 + vpmuludq 336(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 352(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm2,%xmm2 + vpmuludq 400(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 416(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 448(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq 464(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpmuludq 192(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 240(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm11,%xmm11 + vpmuludq 272(%rsp),%xmm1,%xmm2 + 
vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 304(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpmuludq 336(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm1,%xmm1 + vpmuludq 368(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm6,%xmm6 + vpmuludq 400(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpmuludq 432(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpmuludq 448(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpmuludq 480(%rsp),%xmm1,%xmm1 + vpaddq %xmm1,%xmm9,%xmm9 + vmovdqa 384(%rsp),%xmm1 + vpaddq %xmm1,%xmm4,%xmm4 + vpunpcklqdq %xmm4,%xmm1,%xmm2 + vpunpckhqdq %xmm4,%xmm1,%xmm1 + vpmuludq 192(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm11,%xmm11 + vpmuludq 224(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm12,%xmm12 + vpmuludq 272(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm13,%xmm13 + vpmuludq 288(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm2,%xmm2 + vpmuludq 336(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm6,%xmm6 + vpmuludq 352(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm5,%xmm5 + vpmuludq 400(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm7,%xmm7 + vpmuludq 416(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm8,%xmm8 + vpmuludq 448(%rsp),%xmm2,%xmm3 + vpaddq %xmm3,%xmm9,%xmm9 + vpmuludq 464(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 192(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 240(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm13,%xmm13 + vpmuludq 272(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm1,%xmm1 + vpmuludq 304(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm6,%xmm6 + vpmuludq 336(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm5,%xmm5 + vpmuludq 368(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm7,%xmm7 + vpmuludq 400(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm8,%xmm8 + vpmuludq 432(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm9,%xmm9 + vpmuludq 448(%rsp),%xmm1,%xmm2 + vpaddq %xmm2,%xmm10,%xmm10 + vpmuludq 480(%rsp),%xmm1,%xmm1 + vpaddq %xmm1,%xmm11,%xmm11 + vmovdqa 160(%rsp),%xmm1 + vpaddq 
%xmm1,%xmm0,%xmm0 + vpunpcklqdq %xmm0,%xmm1,%xmm2 + vpunpckhqdq %xmm0,%xmm1,%xmm0 + vpmuludq 192(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm13,%xmm13 + vpmuludq 224(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm2,%xmm2 + vpmuludq 272(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm6,%xmm6 + vpmuludq 288(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm5,%xmm5 + vpmuludq 336(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm7,%xmm7 + vpmuludq 352(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm8,%xmm8 + vpmuludq 400(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm9,%xmm9 + vpmuludq 416(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm10,%xmm10 + vpmuludq 448(%rsp),%xmm2,%xmm1 + vpaddq %xmm1,%xmm11,%xmm11 + vpmuludq 464(%rsp),%xmm2,%xmm2 + vpaddq %xmm2,%xmm12,%xmm12 + vpmuludq 192(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm14,%xmm14 + vpmuludq curve25519_sandy2x_v19_19(%rip),%xmm0,%xmm0 + vpmuludq 240(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm6,%xmm6 + vpmuludq 272(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm5,%xmm5 + vpmuludq 304(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm7,%xmm7 + vpmuludq 336(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm8,%xmm8 + vpmuludq 368(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm9,%xmm9 + vpmuludq 400(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm10,%xmm10 + vpmuludq 432(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm11,%xmm11 + vpmuludq 448(%rsp),%xmm0,%xmm1 + vpaddq %xmm1,%xmm12,%xmm12 + vpmuludq 480(%rsp),%xmm0,%xmm0 + vpaddq %xmm0,%xmm13,%xmm13 + vpsrlq $26,%xmm6,%xmm0 + vpaddq %xmm0,%xmm5,%xmm5 + vpand curve25519_sandy2x_m26(%rip),%xmm6,%xmm6 + vpsrlq $25,%xmm10,%xmm0 + vpaddq %xmm0,%xmm11,%xmm11 + vpand curve25519_sandy2x_m25(%rip),%xmm10,%xmm10 + vpsrlq $25,%xmm5,%xmm0 + vpaddq %xmm0,%xmm7,%xmm7 + vpand curve25519_sandy2x_m25(%rip),%xmm5,%xmm5 + vpsrlq $26,%xmm11,%xmm0 + vpaddq %xmm0,%xmm12,%xmm12 + vpand curve25519_sandy2x_m26(%rip),%xmm11,%xmm11 + vpsrlq $26,%xmm7,%xmm0 + vpaddq %xmm0,%xmm8,%xmm8 + vpand curve25519_sandy2x_m26(%rip),%xmm7,%xmm7 + vpsrlq $25,%xmm12,%xmm0 + vpaddq %xmm0,%xmm13,%xmm13 + vpand 
curve25519_sandy2x_m25(%rip),%xmm12,%xmm12 + vpsrlq $25,%xmm8,%xmm0 + vpaddq %xmm0,%xmm9,%xmm9 + vpand curve25519_sandy2x_m25(%rip),%xmm8,%xmm8 + vpsrlq $26,%xmm13,%xmm0 + vpaddq %xmm0,%xmm14,%xmm14 + vpand curve25519_sandy2x_m26(%rip),%xmm13,%xmm13 + vpsrlq $26,%xmm9,%xmm0 + vpaddq %xmm0,%xmm10,%xmm10 + vpand curve25519_sandy2x_m26(%rip),%xmm9,%xmm9 + vpsrlq $25,%xmm14,%xmm0 + vpsllq $4,%xmm0,%xmm1 + vpaddq %xmm0,%xmm6,%xmm6 + vpsllq $1,%xmm0,%xmm0 + vpaddq %xmm0,%xmm1,%xmm1 + vpaddq %xmm1,%xmm6,%xmm6 + vpand curve25519_sandy2x_m25(%rip),%xmm14,%xmm14 + vpsrlq $25,%xmm10,%xmm0 + vpaddq %xmm0,%xmm11,%xmm11 + vpand curve25519_sandy2x_m25(%rip),%xmm10,%xmm10 + vpsrlq $26,%xmm6,%xmm0 + vpaddq %xmm0,%xmm5,%xmm5 + vpand curve25519_sandy2x_m26(%rip),%xmm6,%xmm6 + vpunpckhqdq %xmm5,%xmm6,%xmm1 + vpunpcklqdq %xmm5,%xmm6,%xmm0 + vpunpckhqdq %xmm8,%xmm7,%xmm3 + vpunpcklqdq %xmm8,%xmm7,%xmm2 + vpunpckhqdq %xmm10,%xmm9,%xmm5 + vpunpcklqdq %xmm10,%xmm9,%xmm4 + vpunpckhqdq %xmm12,%xmm11,%xmm7 + vpunpcklqdq %xmm12,%xmm11,%xmm6 + vpunpckhqdq %xmm14,%xmm13,%xmm9 + vpunpcklqdq %xmm14,%xmm13,%xmm8 + cmp $0,%rdx + jne ._ladder_base_loop + vmovdqu %xmm1,80(%rdi) + vmovdqu %xmm0,0(%rdi) + vmovdqu %xmm3,96(%rdi) + vmovdqu %xmm2,16(%rdi) + vmovdqu %xmm5,112(%rdi) + vmovdqu %xmm4,32(%rdi) + vmovdqu %xmm7,128(%rdi) + vmovdqu %xmm6,48(%rdi) + vmovdqu %xmm9,144(%rdi) + vmovdqu %xmm8,64(%rdi) + movq 1536(%rsp),%r11 + movq 1544(%rsp),%r12 + movq 1552(%rsp),%r13 + add %r11,%rsp + ret +ENDPROC(curve25519_sandy2x_ladder_base) + +ENTRY(curve25519_sandy2x_fe_frombytes) + pushq %r14 + pushq %r13 + pushq %r12 + pushq %rbp + pushq %rbx + movzbl 5(%rsi), %r9d + movzbl 6(%rsi), %eax + movzbl 4(%rsi), %edx + movzbl 11(%rsi), %r10d + movzbl 7(%rsi), %ecx + movzbl 20(%rsi), %r14d + movzbl 23(%rsi), %r11d + salq $8, %r9 + movzbl 27(%rsi), %r12d + movl (%rsi), %r8d + salq $16, %rax + movzbl 29(%rsi), %r13d + movl 16(%rsi), %ebx + orq %rax, %r9 + movzbl 9(%rsi), %eax + salq $8, %r10 + orq %rdx, %r9 + movzbl 
8(%rsi), %edx + salq $8, %r12 + salq $6, %r9 + salq $16, %rax + salq $8, %rdx + orq %rax, %rdx + movzbl 12(%rsi), %eax + orq %rcx, %rdx + movzbl 10(%rsi), %ecx + salq $5, %rdx + salq $16, %rax + orq %rax, %r10 + movzbl 14(%rsi), %eax + orq %rcx, %r10 + movzbl 13(%rsi), %ecx + salq $3, %r10 + salq $8, %rax + movq %rax, %rbp + movzbl 15(%rsi), %eax + salq $16, %rax + orq %rax, %rbp + movzbl 22(%rsi), %eax + orq %rcx, %rbp + movzbl 21(%rsi), %ecx + salq $16, %rax + salq $8, %rcx + orq %rax, %rcx + movzbl 24(%rsi), %eax + orq %r14, %rcx + salq $7, %rcx + movq %rcx, %r14 + movzbl 25(%rsi), %ecx + salq $8, %rax + salq $16, %rcx + orq %rcx, %rax + movzbl 28(%rsi), %ecx + orq %r11, %rax + movzbl 26(%rsi), %r11d + salq $5, %rax + salq $16, %rcx + orq %rcx, %r12 + movzbl 30(%rsi), %ecx + orq %r11, %r12 + movzbl 31(%rsi), %r11d + movq %rax, %rsi + salq $4, %r12 + shrq $25, %rsi + andl $33554431, %eax + addq %r12, %rsi + movl %r8d, %r12d + shrq $26, %r8 + salq $8, %rcx + andl $67108863, %r12d + salq $16, %r11 + orq %rcx, %r11 + movq %r9, %rcx + andl $33554431, %r9d + shrq $25, %rcx + orq %r13, %r11 + movq %r10, %r13 + addq %rcx, %rdx + movl %ebx, %ecx + andl $33554431, %r13d + addq %r8, %r9 + shrq $25, %rcx + movq %rdx, %r8 + shrq $26, %rdx + addq %r14, %rcx + shrq $25, %r10 + movl %r12d, %r14d + addq %r13, %rdx + andl $8388607, %r11d + movq %r14, (%rdi) + movq %r9, 8(%rdi) + andl $33554431, %ebx + movq %rdx, 24(%rdi) + leaq (%r10,%rbp,4), %rdx + andl $67108863, %r8d + movq %rbx, 40(%rdi) + movq %r8, 16(%rdi) + movq %rdx, 32(%rdi) + movq %rcx, %rdx + shrq $26, %rcx + addq %rax, %rcx + movq %rsi, %rax + shrq $26, %rsi + andl $67108863, %eax + andl $67108863, %edx + movq %rcx, 56(%rdi) + movq %rax, 64(%rdi) + leaq (%rsi,%r11,4), %rax + movq %rdx, 48(%rdi) + popq %rbx + movq %rax, 72(%rdi) + popq %rbp + popq %r12 + popq %r13 + popq %r14 + ret +ENDPROC(curve25519_sandy2x_fe_frombytes) + +ENTRY(curve25519_sandy2x_fe51_invert) + pushq %rbp + pushq %rbx + movq %rdi, %rbp + movl $1, 
%edx + movq %rsi, %rbx + subq $440, %rsp + movq %rsp, %rdi + call curve25519_sandy2x_fe51_nsquare + leaq 384(%rsp), %rdi + movq %rsp, %rsi + movl $1, %edx + call curve25519_sandy2x_fe51_nsquare + leaq 384(%rsp), %rsi + movl $1, %edx + movq %rsi, %rdi + call curve25519_sandy2x_fe51_nsquare + leaq 384(%rsp), %rsi + leaq 48(%rsp), %rdi + movq %rbx, %rdx + call curve25519_sandy2x_fe51_mul + leaq 48(%rsp), %rsi + leaq 96(%rsp), %rdi + movq %rsp, %rdx + call curve25519_sandy2x_fe51_mul + leaq 96(%rsp), %rsi + leaq 384(%rsp), %rdi + movl $1, %edx + call curve25519_sandy2x_fe51_nsquare + leaq 48(%rsp), %rdx + leaq 384(%rsp), %rsi + leaq 144(%rsp), %rdi + call curve25519_sandy2x_fe51_mul + leaq 144(%rsp), %rsi + leaq 384(%rsp), %rdi + movl $5, %edx + call curve25519_sandy2x_fe51_nsquare + leaq 144(%rsp), %rdx + leaq 384(%rsp), %rsi + leaq 192(%rsp), %rdi + call curve25519_sandy2x_fe51_mul + leaq 192(%rsp), %rsi + leaq 384(%rsp), %rdi + movl $10, %edx + call curve25519_sandy2x_fe51_nsquare + leaq 192(%rsp), %rdx + leaq 384(%rsp), %rsi + leaq 240(%rsp), %rdi + call curve25519_sandy2x_fe51_mul + leaq 240(%rsp), %rsi + leaq 384(%rsp), %rdi + movl $20, %edx + call curve25519_sandy2x_fe51_nsquare + leaq 384(%rsp), %rsi + leaq 240(%rsp), %rdx + movq %rsi, %rdi + call curve25519_sandy2x_fe51_mul + leaq 384(%rsp), %rsi + movl $10, %edx + movq %rsi, %rdi + call curve25519_sandy2x_fe51_nsquare + leaq 192(%rsp), %rdx + leaq 384(%rsp), %rsi + leaq 288(%rsp), %rdi + call curve25519_sandy2x_fe51_mul + leaq 288(%rsp), %rsi + leaq 384(%rsp), %rdi + movl $50, %edx + call curve25519_sandy2x_fe51_nsquare + leaq 288(%rsp), %rdx + leaq 384(%rsp), %rsi + leaq 336(%rsp), %rdi + call curve25519_sandy2x_fe51_mul + leaq 336(%rsp), %rsi + leaq 384(%rsp), %rdi + movl $100, %edx + call curve25519_sandy2x_fe51_nsquare + leaq 384(%rsp), %rsi + leaq 336(%rsp), %rdx + movq %rsi, %rdi + call curve25519_sandy2x_fe51_mul + leaq 384(%rsp), %rsi + movl $50, %edx + movq %rsi, %rdi + call 
curve25519_sandy2x_fe51_nsquare + leaq 384(%rsp), %rsi + leaq 288(%rsp), %rdx + movq %rsi, %rdi + call curve25519_sandy2x_fe51_mul + leaq 384(%rsp), %rsi + movl $5, %edx + movq %rsi, %rdi + call curve25519_sandy2x_fe51_nsquare + leaq 96(%rsp), %rdx + leaq 384(%rsp), %rsi + movq %rbp, %rdi + call curve25519_sandy2x_fe51_mul + addq $440, %rsp + popq %rbx + popq %rbp + ret +ENDPROC(curve25519_sandy2x_fe51_invert) + +ENTRY(curve25519_sandy2x) + pushq %rbx + movq %rdi, %rbx + subq $368, %rsp + movq (%rsi), %rax + leaq 128(%rsp), %rdi + movq %rax, (%rsp) + movq 8(%rsi), %rax + andb $-8, (%rsp) + movq %rax, 8(%rsp) + movq 16(%rsi), %rax + movq %rax, 16(%rsp) + movq 24(%rsi), %rax + movq %rdx, %rsi + movq %rax, 24(%rsp) + shrq $56, %rax + andl $127, %eax + orl $64, %eax + movb %al, 31(%rsp) + call curve25519_sandy2x_fe_frombytes + leaq 128(%rsp), %rdi + movq %rsp, %rsi + call curve25519_sandy2x_ladder + movl $26, %eax + shlx %rax, 296(%rsp), %rax + leaq 80(%rsp), %rsi + addq 288(%rsp), %rax + movq %rsi, %rdi + movq %rax, 80(%rsp) + movl $26, %eax + shlx %rax, 312(%rsp), %rax + addq 304(%rsp), %rax + movq %rax, 88(%rsp) + movl $26, %eax + shlx %rax, 328(%rsp), %rax + addq 320(%rsp), %rax + movq %rax, 96(%rsp) + movl $26, %eax + shlx %rax, 344(%rsp), %rax + addq 336(%rsp), %rax + movq %rax, 104(%rsp) + movl $26, %eax + shlx %rax, 360(%rsp), %rax + addq 352(%rsp), %rax + movq %rax, 112(%rsp) + movl $26, %eax + shlx %rax, 216(%rsp), %rax + addq 208(%rsp), %rax + movq %rax, 32(%rsp) + movl $26, %eax + shlx %rax, 232(%rsp), %rax + addq 224(%rsp), %rax + movq %rax, 40(%rsp) + movl $26, %eax + shlx %rax, 248(%rsp), %rax + addq 240(%rsp), %rax + movq %rax, 48(%rsp) + movl $26, %eax + shlx %rax, 264(%rsp), %rax + addq 256(%rsp), %rax + movq %rax, 56(%rsp) + movl $26, %eax + shlx %rax, 280(%rsp), %rax + addq 272(%rsp), %rax + movq %rax, 64(%rsp) + call curve25519_sandy2x_fe51_invert + leaq 32(%rsp), %rsi + leaq 80(%rsp), %rdx + movq %rsi, %rdi + call curve25519_sandy2x_fe51_mul + 
leaq 32(%rsp), %rsi + movq %rbx, %rdi + call curve25519_sandy2x_fe51_pack + addq $368, %rsp + popq %rbx + ret +ENDPROC(curve25519_sandy2x) + +ENTRY(curve25519_sandy2x_base) + pushq %rbx + movq %rdi, %rbx + subq $368, %rsp + movq (%rsi), %rax + leaq 128(%rsp), %rdi + movq %rax, (%rsp) + movq 8(%rsi), %rax + andb $-8, (%rsp) + movq %rax, 8(%rsp) + movq 16(%rsi), %rax + movq %rax, 16(%rsp) + movq 24(%rsi), %rax + movq %rsp, %rsi + movq %rax, 24(%rsp) + shrq $56, %rax + andl $127, %eax + orl $64, %eax + movb %al, 31(%rsp) + call curve25519_sandy2x_ladder_base + movl $26, %eax + shlx %rax, 216(%rsp), %rax + leaq 80(%rsp), %rsi + addq 208(%rsp), %rax + movq %rsi, %rdi + movq %rax, 80(%rsp) + movl $26, %eax + shlx %rax, 232(%rsp), %rax + addq 224(%rsp), %rax + movq %rax, 88(%rsp) + movl $26, %eax + shlx %rax, 248(%rsp), %rax + addq 240(%rsp), %rax + movq %rax, 96(%rsp) + movl $26, %eax + shlx %rax, 264(%rsp), %rax + addq 256(%rsp), %rax + movq %rax, 104(%rsp) + movl $26, %eax + shlx %rax, 280(%rsp), %rax + addq 272(%rsp), %rax + movq %rax, 112(%rsp) + movl $26, %eax + shlx %rax, 136(%rsp), %rax + addq 128(%rsp), %rax + movq %rax, 32(%rsp) + movl $26, %eax + shlx %rax, 152(%rsp), %rax + addq 144(%rsp), %rax + movq %rax, 40(%rsp) + movl $26, %eax + shlx %rax, 168(%rsp), %rax + addq 160(%rsp), %rax + movq %rax, 48(%rsp) + movl $26, %eax + shlx %rax, 184(%rsp), %rax + addq 176(%rsp), %rax + movq %rax, 56(%rsp) + movl $26, %eax + shlx %rax, 200(%rsp), %rax + addq 192(%rsp), %rax + movq %rax, 64(%rsp) + call curve25519_sandy2x_fe51_invert + leaq 32(%rsp), %rsi + leaq 80(%rsp), %rdx + movq %rsi, %rdi + call curve25519_sandy2x_fe51_mul + leaq 32(%rsp), %rsi + movq %rbx, %rdi + call curve25519_sandy2x_fe51_pack + addq $368, %rsp + popq %rbx + ret +ENDPROC(curve25519_sandy2x_base) diff --git a/src/crypto/curve25519.c b/src/crypto/curve25519.c index 6a1bcd0..539c31a 100644 --- a/src/crypto/curve25519.c +++ b/src/crypto/curve25519.c 
@@ -10,6 +10,22 @@
 #include <linux/random.h>
 #include <crypto/algapi.h>
+#ifdef CONFIG_X86_64
+#include <asm/cpufeature.h>
+#include <asm/processor.h>
+#include <asm/fpu/api.h>
+#include <asm/simd.h>
+static bool curve25519_use_avx __read_mostly = false;
+void curve25519_fpu_init(void)
+{
+ curve25519_use_avx = boot_cpu_has(X86_FEATURE_AVX);
+}
+asmlinkage void curve25519_sandy2x(u8 *q, const u8 *n, const u8 *p);
+asmlinkage void curve25519_sandy2x_base(u8 *q, const u8 *n);
+#else
+void curve25519_fpu_init(void) { }
+#endif
+
 static __always_inline void normalize_secret(u8 secret[CURVE25519_POINT_SIZE])
 {
 secret[0] &= 248;
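Review bot: `curve25519_fpu_init()` enables the assembly path on `boot_cpu_has(X86_FEATURE_AVX)` alone, but the `curve25519_sandy2x` and `curve25519_sandy2x_base` wrappers added in this commit use `shlx`, which is a BMI2 instruction and is not implied by AVX. On a CPU that reports AVX without BMI2, the first call into either wrapper would raise an invalid-opcode fault in kernel context. Either gate on both features, `curve25519_use_avx = boot_cpu_has(X86_FEATURE_AVX) && boot_cpu_has(X86_FEATURE_BMI2);`, or replace the `shlx` sequences in the .S file with a plain `shl $26`. It would also be prudent to confirm that the OS has enabled YMM state before trusting the CPUID bit, for example with `cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL)`.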
@@ -395,25 +411,42 @@ static void crecip(felem out, const felem z)
 void curve25519(u8 mypublic[CURVE25519_POINT_SIZE], const u8 secret[CURVE25519_POINT_SIZE], const u8 basepoint[CURVE25519_POINT_SIZE])
 {
- limb bp[5], x[5], z[5], zmone[5];
- u8 e[32];
-
- memcpy(e, secret, 32);
- normalize_secret(e);
-
- fexpand(bp, basepoint);
- cmult(x, z, e, bp);
- crecip(zmone, z);
- fmul(z, x, zmone);
- fcontract(mypublic, z);
-
- memzero_explicit(e, sizeof(e));
- memzero_explicit(bp, sizeof(bp));
- memzero_explicit(x, sizeof(x));
- memzero_explicit(z, sizeof(z));
- memzero_explicit(zmone, sizeof(zmone));
+ if (curve25519_use_avx && irq_fpu_usable()) {
+ kernel_fpu_begin();
+ curve25519_sandy2x(mypublic, secret, basepoint);
+ kernel_fpu_end();
+ } else {
+ limb bp[5], x[5], z[5], zmone[5];
+ u8 e[32];
+
+ memcpy(e, secret, 32);
+ normalize_secret(e);
+
+ fexpand(bp, basepoint);
+ cmult(x, z, e, bp);
+ crecip(zmone, z);
+ fmul(z, x, zmone);
+ fcontract(mypublic, z);
+
+ memzero_explicit(e, sizeof(e));
+ memzero_explicit(bp, sizeof(bp));
+ memzero_explicit(x, sizeof(x));
+ memzero_explicit(z, sizeof(z));
+ memzero_explicit(zmone, sizeof(zmone));
+ }
 }
+void curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[CURVE25519_POINT_SIZE])
+{
+ if (curve25519_use_avx && irq_fpu_usable()) {
+ kernel_fpu_begin();
+ curve25519_sandy2x_base(pub, secret);
+ kernel_fpu_end();
+ } else {
+ static const u8 basepoint[CURVE25519_POINT_SIZE] = { 9 };
+ curve25519(pub, secret, basepoint);
+ }
+}
 #else
 typedef s64 limb;
@@ -1223,6 +1256,12 @@ void curve25519(u8 mypublic[CURVE25519_POINT_SIZE], const u8 secret[CURVE25519_P
 memzero_explicit(z, sizeof(z));
 memzero_explicit(zmone, sizeof(zmone));
 }
+
+void curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[CURVE25519_POINT_SIZE])
+{
+ static const u8 basepoint[CURVE25519_POINT_SIZE] = { 9 };
+ curve25519(pub, secret, basepoint);
+}
 #endif
 void curve25519_generate_secret(u8 secret[CURVE25519_POINT_SIZE])
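Review bot: The AVX branches of `curve25519()` and `curve25519_generate_public()` lose the scrubbing that the generic branch keeps. The C path wipes `e`, `bp`, `x`, `z` and `zmone` with `memzero_explicit()`, whereas `curve25519_sandy2x` and `curve25519_sandy2x_base` copy the clamped scalar into their own 368-byte stack frame and return through `addq $368, %rsp` without clearing it. The scalar and the ladder intermediates therefore remain in dead kernel stack, and possibly in vector registers, after the call returns. This cannot be repaired from the C side because the frame belongs to the callee, so the assembly epilogue should zero the frame and the registers it used before returning. Until that is done, a comment such as `/* TODO: sandy2x leaves secret-derived state on its stack; wipe it in the asm epilogue */` above each call would record the gap.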
@@ -1231,10 +1270,4 @@ void curve25519_generate_secret(u8 secret[CURVE25519_POINT_SIZE])
 normalize_secret(secret);
 }
-void curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[CURVE25519_POINT_SIZE])
-{
- static const u8 basepoint[CURVE25519_POINT_SIZE] = { 9 };
- curve25519(pub, secret, basepoint);
-}
-
 #include "../selftest/curve25519.h"
diff --git a/src/crypto/curve25519.h b/src/crypto/curve25519.h
index 620302c..8e440a1 100644
--- a/src/crypto/curve25519.h
+++ b/src/crypto/curve25519.h
@@ -13,6 +13,8 @@ void curve25519(u8 mypublic[CURVE25519_POINT_SIZE], const u8 secret[CURVE25519_P
 void curve25519_generate_secret(u8 secret[CURVE25519_POINT_SIZE]);
 void curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[CURVE25519_POINT_SIZE]);
+void curve25519_fpu_init(void);
+
 #ifdef DEBUG
 bool curve25519_selftest(void);
 #endif
@@ -19,6 +19,7 @@ static int __init mod_init(void)
 chacha20poly1305_fpu_init();
 blake2s_fpu_init();
+ curve25519_fpu_init();
 #ifdef DEBUG
 if (!routing_table_selftest() || !packet_counter_selftest() || !curve25519_selftest() || !chacha20poly1305_selftest() || !blake2s_selftest())
 return -ENOTRECOVERABLE;
|