Upgrade github.com/cloudflare/circl to v1.6.1

go.mod

@@ -103,7 +103,7 @@ require (
 	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/andybalholm/brotli v1.1.1 // indirect
 	github.com/bits-and-blooms/bitset v1.10.0 // indirect
-	github.com/cloudflare/circl v1.5.0 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/coreos/go-iptables v0.7.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dblohm7/wingoes v0.0.0-20230929194252-e994401fc077 // indirect

go.sum

@@ -53,6 +53,8 @@ github.com/cilium/ebpf v0.11.0 h1:V8gS/bTCCjX9uUnkUFUpPsksM8n1lXBAvHcpiFk1X2Y=
 github.com/cilium/ebpf v0.11.0/go.mod h1:WE7CZAnqOL2RouJ4f1uyNhqr2P4CCvXFIqdRDUgWsVs=
 github.com/cloudflare/circl v1.5.0 h1:hxIWksrX6XN5a1L2TI/h53AGPhNHoUBo+TD1ms9+pys=
 github.com/cloudflare/circl v1.5.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
+github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cognusion/go-cache-lru v0.0.0-20170419142635-f73e2280ecea h1:9C2rdYRp8Vzwhm3sbFX0yYfB+70zKFRjn7cnPCucHSw=
 github.com/cognusion/go-cache-lru v0.0.0-20170419142635-f73e2280ecea/go.mod h1:MdyNkAe06D7xmJsf+MsLvbZKYNXuOHLKJrvw+x4LlcQ=
 github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=

vendor/github.com/cloudflare/circl/ecc/p384/LICENSE

@@ -1,26 +0,0 @@
-Copyright (c) 2018, Brendan McMillion. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation and/or
-other materials provided with the distribution.
-
-3. Neither the name of the copyright holder nor the names of its contributors
-may be used to endorse or promote products derived from this software without
-specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/cloudflare/circl/ecc/p384/arith.go

@@ -1,149 +0,0 @@
-//go:build (!purego && arm64) || (!purego && amd64)
-// +build !purego,arm64 !purego,amd64
-
-package p384
-
-import (
-	"math/big"
-
-	"github.com/cloudflare/circl/internal/conv"
-)
-
-const sizeFp = 48
-
-type fp384 [sizeFp]byte
-
-func (e fp384) BigInt() *big.Int { return conv.BytesLe2BigInt(e[:]) }
-func (e fp384) String() string   { return conv.BytesLe2Hex(e[:]) }
-
-func (e *fp384) SetBigInt(b *big.Int) {
-	if b.BitLen() > 384 || b.Sign() < 0 {
-		b = new(big.Int).Mod(b, p.BigInt())
-	}
-	conv.BigInt2BytesLe(e[:], b)
-}
-
-func montEncode(c, a *fp384) { fp384Mul(c, a, &r2) }
-func montDecode(c, a *fp384) { fp384Mul(c, a, &fp384{1}) }
-func fp384Sqr(c, a *fp384)   { fp384Mul(c, a, a) }
-
-func fp384Inv(z, x *fp384) {
-	t0, t1, t2, t3, t4 := &fp384{}, &fp384{}, &fp384{}, &fp384{}, &fp384{}
-	/* alpha_1 */
-	fp384Sqr(t4, x)
-	/* alpha_2 */
-	fp384Mul(t4, t4, x)
-	/* alpha_3 */
-	fp384Sqr(t0, t4)
-	fp384Mul(t0, t0, x)
-	/* alpha_6 */
-	fp384Sqr(t1, t0)
-	fp384Sqr(t1, t1)
-	fp384Sqr(t1, t1)
-	fp384Mul(t1, t1, t0)
-	/* alpha_12 */
-	fp384Sqr(t2, t1)
-	for i := 0; i < 5; i++ {
-		fp384Sqr(t2, t2)
-	}
-	fp384Mul(t2, t2, t1)
-	/* alpha_15 */
-	for i := 0; i < 3; i++ {
-		fp384Sqr(t2, t2)
-	}
-	fp384Mul(t2, t2, t0)
-	/* alpha_30 */
-	fp384Sqr(t1, t2)
-	for i := 0; i < 14; i++ {
-		fp384Sqr(t1, t1)
-	}
-	fp384Mul(t1, t1, t2)
-	/* alpha_60 */
-	fp384Sqr(t3, t1)
-	for i := 0; i < 29; i++ {
-		fp384Sqr(t3, t3)
-	}
-	fp384Mul(t3, t3, t1)
-	/* T_3 = alpha_30^(2^2) */
-	fp384Sqr(t1, t1)
-	fp384Sqr(t1, t1)
-	/* alpha_32 */
-	*t0 = *t1
-	fp384Mul(t0, t0, t4)
-	/* T_3 = a^(2^32-3) = (alpha_30)^(2^2)*alpha_1 */
-	fp384Mul(t1, t1, x)
-	/* alpha_120 */
-	fp384Sqr(t4, t3)
-	for i := 0; i < 59; i++ {
-		fp384Sqr(t4, t4)
-	}
-	fp384Mul(t4, t4, t3)
-	/* alpha_240 */
-	fp384Sqr(t3, t4)
-	for i := 0; i < 119; i++ {
-		fp384Sqr(t3, t3)
-	}
-	fp384Mul(t3, t3, t4)
-	/* alpha_255 */
-	for i := 0; i < 15; i++ {
-		fp384Sqr(t3, t3)
-	}
-	fp384Mul(t3, t3, t2)
-	/* T_5 = a^(2^288-2^32-1) = (alpha_255)^(2^33)*alpha_32 */
-	for i := 0; i < 33; i++ {
-		fp384Sqr(t3, t3)
-	}
-	fp384Mul(t3, t3, t0)
-	/* T_1 = a^(2^384-2^128-2^96+2^32-3) = (T_1)^(2^96)*T_3 */
-	fp384Sqr(t4, t3)
-	for i := 0; i < 95; i++ {
-		fp384Sqr(t4, t4)
-	}
-	fp384Mul(z, t4, t1)
-}
-
-//go:noescape
-func fp384Cmov(x, y *fp384, b int)
-
-//go:noescape
-func fp384Neg(c, a *fp384)
-
-//go:noescape
-func fp384Add(c, a, b *fp384)
-
-//go:noescape
-func fp384Sub(c, a, b *fp384)
-
-//go:noescape
-func fp384Mul(c, a, b *fp384)
-
-var (
-	// p is the order of the base field, represented as little-endian 64-bit words.
-	p = fp384{
-		0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-	}
-	// pp satisfies r*rp - p*pp = 1 where rp and pp are both integers.
-	pp = fp384{ //nolint
-		0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
-		0x00, 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xfb, 0xff, 0xff, 0xff,
-		0xfa, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00,
-		0x0c, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
-	}
-	// r2 is R^2 where R = 2^384 mod p.
-	r2 = fp384{
-		0x01, 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
-		0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff,
-		0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
-		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	}
-	// bb is the Montgomery encoding of the curve parameter B.
-	bb = fp384{
-		0xcc, 0x2d, 0x41, 0x9d, 0x71, 0x88, 0x11, 0x08, 0xec, 0x32, 0x4c, 0x7a,
-		0xd8, 0xad, 0x29, 0xf7, 0x2e, 0x02, 0x20, 0x19, 0x9b, 0x20, 0xf2, 0x77,
-		0xe2, 0x8a, 0x93, 0x94, 0xee, 0x4b, 0x37, 0xe3, 0x94, 0x20, 0x02, 0x1f,
-		0xf4, 0x21, 0x2b, 0xb6, 0xf9, 0xbf, 0x4f, 0x60, 0x4b, 0x11, 0x08, 0xcd,
-	}
-)

vendor/github.com/cloudflare/circl/ecc/p384/arith_amd64.go

@@ -1,8 +0,0 @@
-//go:build amd64 && !purego
-// +build amd64,!purego
-
-package p384
-
-import "golang.org/x/sys/cpu"
-
-var hasBMI2 = cpu.X86.HasBMI2 //nolint

vendor/github.com/cloudflare/circl/ecc/p384/arith_amd64.s

@@ -1,730 +0,0 @@
-// +build amd64,!purego
-
-#include "textflag.h"
-
-#define storeBlock(a0,a1,a2,a3,a4,a5, r) \
-	MOVQ a0,  0+r \
-	MOVQ a1,  8+r \
-	MOVQ a2, 16+r \
-	MOVQ a3, 24+r \
-	MOVQ a4, 32+r \
-	MOVQ a5, 40+r
-
-#define loadBlock(r, a0,a1,a2,a3,a4,a5) \
-	MOVQ  0+r, a0 \
-	MOVQ  8+r, a1 \
-	MOVQ 16+r, a2 \
-	MOVQ 24+r, a3 \
-	MOVQ 32+r, a4 \
-	MOVQ 40+r, a5
-
-#define fp384Carry(a0,a1,a2,a3,a4,a5,a6, b0,b1,b2,b3,b4,b5,b6) \
-	\ // b = a-p
-	MOVQ a0, b0 \
-	MOVQ a1, b1 \
-	MOVQ a2, b2 \
-	MOVQ a3, b3 \
-	MOVQ a4, b4 \
-	MOVQ a5, b5 \
-	MOVQ a6, b6 \
-	\
-	SUBQ ·p+0(SB), b0 \
-	SBBQ ·p+8(SB), b1 \
-	SBBQ ·p+16(SB), b2 \
-	SBBQ ·p+24(SB), b3 \
-	SBBQ ·p+32(SB), b4 \
-	SBBQ ·p+40(SB), b5 \
-	SBBQ $0, b6 \
-	\
-	\ // if b is negative then return a
-	\ // else return b
-	CMOVQCC b0, a0 \
-	CMOVQCC b1, a1 \
-	CMOVQCC b2, a2 \
-	CMOVQCC b3, a3 \
-	CMOVQCC b4, a4 \
-	CMOVQCC b5, a5
-
-#define mul(a0,a1,a2,a3,a4,a5, rb, stack) \
-	\ // a0
-	MOVQ a0, AX \
-	MULQ 0+rb \
-	MOVQ AX, R8 \
-	MOVQ DX, R9 \
-	MOVQ a0, AX \
-	MULQ 8+rb \
-	ADDQ AX, R9 \
-	ADCQ $0, DX \
-	MOVQ DX, R10 \
-	MOVQ a0, AX \
-	MULQ 16+rb \
-	ADDQ AX, R10 \
-	ADCQ $0, DX \
-	MOVQ DX, R11 \
-	MOVQ a0, AX \
-	MULQ 24+rb \
-	ADDQ AX, R11 \
-	ADCQ $0, DX \
-	MOVQ DX, R12 \
-	MOVQ a0, AX \
-	MULQ 32+rb \
-	ADDQ AX, R12 \
-	ADCQ $0, DX \
-	MOVQ DX, R13 \
-	MOVQ a0, AX \
-	MULQ 40+rb \
-	ADDQ AX, R13 \
-	ADCQ $0, DX \
-	MOVQ DX, R14 \
-	\
-	storeBlock(R8,R9,R10,R11,R12,R13, 0+stack) \
-	MOVQ R14, 48+stack \
-	\
-	\ // a1
-	MOVQ a1, AX \
-	MULQ 0+rb \
-	MOVQ AX, R8 \
-	MOVQ DX, R9 \
-	MOVQ a1, AX \
-	MULQ 8+rb \
-	ADDQ AX, R9 \
-	ADCQ $0, DX \
-	MOVQ DX, R10 \
-	MOVQ a1, AX \
-	MULQ 16+rb \
-	ADDQ AX, R10 \
-	ADCQ $0, DX \
-	MOVQ DX, R11 \
-	MOVQ a1, AX \
-	MULQ 24+rb \
-	ADDQ AX, R11 \
-	ADCQ $0, DX \
-	MOVQ DX, R12 \
-	MOVQ a1, AX \
-	MULQ 32+rb \
-	ADDQ AX, R12 \
-	ADCQ $0, DX \
-	MOVQ DX, R13 \
-	MOVQ a1, AX \
-	MULQ 40+rb \
-	ADDQ AX, R13 \
-	ADCQ $0, DX \
-	MOVQ DX, R14 \
-	\
-	ADDQ 8+stack, R8 \
-	ADCQ 16+stack, R9 \
-	ADCQ 24+stack, R10 \
-	ADCQ 32+stack, R11 \
-	ADCQ 40+stack, R12 \
-	ADCQ 48+stack, R13 \
-	ADCQ $0, R14 \
-	storeBlock(R8,R9,R10,R11,R12,R13, 8+stack) \
-	MOVQ R14, 56+stack \
-	\
-	\ // a2
-	MOVQ a2, AX \
-	MULQ 0+rb \
-	MOVQ AX, R8 \
-	MOVQ DX, R9 \
-	MOVQ a2, AX \
-	MULQ 8+rb \
-	ADDQ AX, R9 \
-	ADCQ $0, DX \
-	MOVQ DX, R10 \
-	MOVQ a2, AX \
-	MULQ 16+rb \
-	ADDQ AX, R10 \
-	ADCQ $0, DX \
-	MOVQ DX, R11 \
-	MOVQ a2, AX \
-	MULQ 24+rb \
-	ADDQ AX, R11 \
-	ADCQ $0, DX \
-	MOVQ DX, R12 \
-	MOVQ a2, AX \
-	MULQ 32+rb \
-	ADDQ AX, R12 \
-	ADCQ $0, DX \
-	MOVQ DX, R13 \
-	MOVQ a2, AX \
-	MULQ 40+rb \
-	ADDQ AX, R13 \
-	ADCQ $0, DX \
-	MOVQ DX, R14 \
-	\
-	ADDQ 16+stack, R8 \
-	ADCQ 24+stack, R9 \
-	ADCQ 32+stack, R10 \
-	ADCQ 40+stack, R11 \
-	ADCQ 48+stack, R12 \
-	ADCQ 56+stack, R13 \
-	ADCQ $0, R14 \
-	storeBlock(R8,R9,R10,R11,R12,R13, 16+stack) \
-	MOVQ R14, 64+stack \
-	\
-	\ // a3
-	MOVQ a3, AX \
-	MULQ 0+rb \
-	MOVQ AX, R8 \
-	MOVQ DX, R9 \
-	MOVQ a3, AX \
-	MULQ 8+rb \
-	ADDQ AX, R9 \
-	ADCQ $0, DX \
-	MOVQ DX, R10 \
-	MOVQ a3, AX \
-	MULQ 16+rb \
-	ADDQ AX, R10 \
-	ADCQ $0, DX \
-	MOVQ DX, R11 \
-	MOVQ a3, AX \
-	MULQ 24+rb \
-	ADDQ AX, R11 \
-	ADCQ $0, DX \
-	MOVQ DX, R12 \
-	MOVQ a3, AX \
-	MULQ 32+rb \
-	ADDQ AX, R12 \
-	ADCQ $0, DX \
-	MOVQ DX, R13 \
-	MOVQ a3, AX \
-	MULQ 40+rb \
-	ADDQ AX, R13 \
-	ADCQ $0, DX \
-	MOVQ DX, R14 \
-	\
-	ADDQ 24+stack, R8 \
-	ADCQ 32+stack, R9 \
-	ADCQ 40+stack, R10 \
-	ADCQ 48+stack, R11 \
-	ADCQ 56+stack, R12 \
-	ADCQ 64+stack, R13 \
-	ADCQ $0, R14 \
-	storeBlock(R8,R9,R10,R11,R12,R13, 24+stack) \
-	MOVQ R14, 72+stack \
-	\
-	\ // a4
-	MOVQ a4, AX \
-	MULQ 0+rb \
-	MOVQ AX, R8 \
-	MOVQ DX, R9 \
-	MOVQ a4, AX \
-	MULQ 8+rb \
-	ADDQ AX, R9 \
-	ADCQ $0, DX \
-	MOVQ DX, R10 \
-	MOVQ a4, AX \
-	MULQ 16+rb \
-	ADDQ AX, R10 \
-	ADCQ $0, DX \
-	MOVQ DX, R11 \
-	MOVQ a4, AX \
-	MULQ 24+rb \
-	ADDQ AX, R11 \
-	ADCQ $0, DX \
-	MOVQ DX, R12 \
-	MOVQ a4, AX \
-	MULQ 32+rb \
-	ADDQ AX, R12 \
-	ADCQ $0, DX \
-	MOVQ DX, R13 \
-	MOVQ a4, AX \
-	MULQ 40+rb \
-	ADDQ AX, R13 \
-	ADCQ $0, DX \
-	MOVQ DX, R14 \
-	\
-	ADDQ 32+stack, R8 \
-	ADCQ 40+stack, R9 \
-	ADCQ 48+stack, R10 \
-	ADCQ 56+stack, R11 \
-	ADCQ 64+stack, R12 \
-	ADCQ 72+stack, R13 \
-	ADCQ $0, R14 \
-	storeBlock(R8,R9,R10,R11,R12,R13, 32+stack) \
-	MOVQ R14, 80+stack \
-	\
-	\ // a5
-	MOVQ a5, AX \
-	MULQ 0+rb \
-	MOVQ AX, R8 \
-	MOVQ DX, R9 \
-	MOVQ a5, AX \
-	MULQ 8+rb \
-	ADDQ AX, R9 \
-	ADCQ $0, DX \
-	MOVQ DX, R10 \
-	MOVQ a5, AX \
-	MULQ 16+rb \
-	ADDQ AX, R10 \
-	ADCQ $0, DX \
-	MOVQ DX, R11 \
-	MOVQ a5, AX \
-	MULQ 24+rb \
-	ADDQ AX, R11 \
-	ADCQ $0, DX \
-	MOVQ DX, R12 \
-	MOVQ a5, AX \
-	MULQ 32+rb \
-	ADDQ AX, R12 \
-	ADCQ $0, DX \
-	MOVQ DX, R13 \
-	MOVQ a5, AX \
-	MULQ 40+rb \
-	ADDQ AX, R13 \
-	ADCQ $0, DX \
-	MOVQ DX, R14 \
-	\
-	ADDQ 40+stack, R8 \
-	ADCQ 48+stack, R9 \
-	ADCQ 56+stack, R10 \
-	ADCQ 64+stack, R11 \
-	ADCQ 72+stack, R12 \
-	ADCQ 80+stack, R13 \
-	ADCQ $0, R14 \
-	storeBlock(R8,R9,R10,R11,R12,R13, 40+stack) \
-	MOVQ R14, 88+stack
-
-#define fp384Reduce(stack) \
-	\ // m = (T * P') mod R, store m in R8:R9:R10:R11:R12:R13
-	MOVQ ·pp+0(SB), AX \
-	MULQ 0+stack \
-	MOVQ AX, R8 ; MOVQ R8, 96+stack\
-	MOVQ DX, R9 \
-	MOVQ ·pp+0(SB), AX \
-	MULQ 8+stack \
-	ADDQ AX, R9 \
-	ADCQ $0, DX \
-	MOVQ DX, R10 \
-	MOVQ ·pp+0(SB), AX \
-	MULQ 16+stack \
-	ADDQ AX, R10 \
-	ADCQ $0, DX \
-	MOVQ DX, R11 \
-	MOVQ ·pp+0(SB), AX \
-	MULQ 24+stack \
-	ADDQ AX, R11 \
-	ADCQ $0, DX \
-	MOVQ DX, R12 \
-	MOVQ ·pp+0(SB), AX \
-	MULQ 32+stack \
-	ADDQ AX, R12 \
-	ADCQ $0, DX \
-	MOVQ DX, R13 \
-	MOVQ ·pp+0(SB), AX \
-	MULQ 40+stack \
-	ADDQ AX, R13 \
-	\
-	ADDQ 0+stack, R9 \
-	ADCQ 8+stack, R10 \
-	ADCQ 16+stack, R11 \
-	ADCQ 24+stack, R12 \
-	ADCQ 32+stack, R13 \
-	\
-	MOVQ ·pp+16(SB), AX \
-	MULQ 0+stack \
-	MOVQ AX, R14 \
-	MOVQ DX, R8 \
-	MOVQ ·pp+16(SB), AX \
-	MULQ 8+stack \
-	ADDQ AX, R8 \
-	ADCQ $0, DX \
-	MOVQ DX, BX \
-	MOVQ ·pp+16(SB), AX \
-	MULQ 16+stack \
-	ADDQ AX, BX \
-	ADCQ $0, DX \
-	MOVQ DX, CX \
-	MOVQ ·pp+16(SB), AX \
-	MULQ 24+stack \
-	ADDQ AX, CX \
-	\
-	ADDQ R14, R10 \
-	ADCQ R8, R11 \
-	ADCQ BX, R12 \
-	ADCQ CX, R13 \
-	\
-	MOVQ ·pp+24(SB), AX \
-	MULQ 0+stack \
-	MOVQ AX, R14 \
-	MOVQ DX, R8 \
-	MOVQ ·pp+24(SB), AX \
-	MULQ 8+stack \
-	ADDQ AX, R8 \
-	ADCQ $0, DX \
-	MOVQ DX, BX \
-	MOVQ ·pp+24(SB), AX \
-	MULQ 16+stack \
-	ADDQ AX, BX \
-	\
-	ADDQ R14, R11 \
-	ADCQ R8, R12 \
-	ADCQ BX, R13 \
-	\
-	MOVQ ·pp+32(SB), AX \
-	MULQ 0+stack \
-	MOVQ AX, R14 \
-	MOVQ DX, R8 \
-	MOVQ ·pp+32(SB), AX \
-	MULQ 8+stack \
-	ADDQ AX, R8 \
-	\
-	ADDQ R14, R12 \
-	ADCQ R8, R13 \
-	\
-	MOVQ ·pp+40(SB), AX \
-	MULQ 0+stack \
-	ADDQ AX, R13 \
-	\
-	MOVQ 96+stack, R8 \
-	\
-	storeBlock(R8,R9,R10,R11,R12,R13, 96+stack) \
-	\
-	\ // m * P
-	mul(·p+0(SB),·p+8(SB),·p+16(SB),·p+24(SB),·p+32(SB),·p+40(SB), 96+stack, 144+stack) \
-	\
-	\ // Add the 768-bit intermediate to m*N
-	MOVQ $0, R15 \
-	loadBlock(144+stack, R8,R9,R10,R11,R12,R13) \
-	loadBlock(192+stack, R14,SI,AX,BX,CX,DX) \
-	\
-	ADDQ 0+stack, R8 \
-	ADCQ 8+stack, R9 \
-	ADCQ 16+stack, R10 \
-	ADCQ 24+stack, R11 \
-	ADCQ 32+stack, R12 \
-	ADCQ 40+stack, R13 \
-	ADCQ 48+stack, R14 \
-	ADCQ 56+stack, SI \
-	ADCQ 64+stack, AX \
-	ADCQ 72+stack, BX \
-	ADCQ 80+stack, CX \
-	ADCQ 88+stack, DX \
-	ADCQ $0, R15 \
-	\
-	fp384Carry(R14,SI,AX,BX,CX,DX,R15, R8,R9,R10,R11,R12,R13,DI)
-
-#define mulBMI2(a0,a1,a2,a3,a4,a5, rb, stack) \
-	MOVQ a0, DX \
-	MULXQ 0+rb, R8, R9; MOVQ R8, 0+stack; MOVQ $0, R8 \
-	MULXQ 8+rb, AX, R10 \
-	ADDQ AX, R9 \
-	MULXQ 16+rb, AX, R11 \
-	ADCQ AX, R10 \
-	MULXQ 24+rb, AX, R12 \
-	ADCQ AX, R11 \
-	MULXQ 32+rb, AX, R13 \
-	ADCQ AX, R12 \
-	MULXQ 40+rb, AX, R14 \
-	ADCQ AX, R13 \
-	ADCQ $0, R14 \
-	\
-	MOVQ a1, DX \
-	MULXQ 0+rb, AX, BX \
-	ADDQ AX, R9; MOVQ R9, 8+stack; MOVL $0, R9 \
-	ADCQ BX, R10 \
-	MULXQ 16+rb, AX, BX \
-	ADCQ AX, R11 \
-	ADCQ BX, R12 \
-	MULXQ 32+rb, AX, BX \
-	ADCQ AX, R13 \
-	ADCQ BX, R14 \
-	ADCQ $0,  R8 \
-	MULXQ 8+rb, AX, BX \
-	ADDQ AX, R10 \
-	ADCQ BX, R11 \
-	MULXQ 24+rb, AX, BX \
-	ADCQ AX, R12 \
-	ADCQ BX, R13 \
-	MULXQ 40+rb, AX, BX \
-	ADCQ AX, R14 \
-	ADCQ BX, R8 \
-	ADCQ $0, R9 \
-	\
-	MOVQ a2, DX \
-	MULXQ 0+rb, AX, BX \
-	ADDQ AX, R10; MOVQ R10, 16+stack; MOVL $0, R10 \
-	ADCQ BX, R11 \
-	MULXQ 16+rb, AX, BX \
-	ADCQ AX, R12 \
-	ADCQ BX, R13 \
-	MULXQ 32+rb, AX, BX \
-	ADCQ AX, R14 \
-	ADCQ BX, R8 \
-	ADCQ $0, R9 \
-	MULXQ 8+rb, AX, BX \
-	ADDQ AX, R11 \
-	ADCQ BX, R12 \
-	MULXQ 24+rb, AX, BX \
-	ADCQ AX, R13 \
-	ADCQ BX, R14 \
-	MULXQ 40+rb, AX, BX \
-	ADCQ AX, R8 \
-	ADCQ BX, R9 \
-	ADCQ $0, R10 \
-	\
-	MOVQ a3, DX \
-	MULXQ 0+rb, AX, BX \
-	ADDQ AX, R11; MOVQ R11, 24+stack; MOVL $0, R11 \
-	ADCQ BX, R12 \
-	MULXQ 16+rb, AX, BX \
-	ADCQ AX, R13 \
-	ADCQ BX, R14 \
-	MULXQ 32+rb, AX, BX \
-	ADCQ AX, R8 \
-	ADCQ BX, R9 \
-	ADCQ $0, R10 \
-	MULXQ 8+rb, AX, BX \
-	ADDQ AX, R12 \
-	ADCQ BX, R13 \
-	MULXQ 24+rb, AX, BX \
-	ADCQ AX, R14 \
-	ADCQ BX, R8 \
-	MULXQ 40+rb, AX, BX \
-	ADCQ AX, R9 \
-	ADCQ BX, R10 \
-	ADCQ $0, R11 \
-	\
-	MOVQ a4, DX \
-	MULXQ 0+rb, AX, BX \
-	ADDQ AX, R12; MOVQ R12, 32+stack; MOVL $0, R12 \
-	ADCQ BX, R13 \
-	MULXQ 16+rb, AX, BX \
-	ADCQ AX, R14 \
-	ADCQ BX, R8 \
-	MULXQ 32+rb, AX, BX \
-	ADCQ AX, R9 \
-	ADCQ BX, R10 \
-	ADCQ $0, R11 \
-	MULXQ 8+rb, AX, BX \
-	ADDQ AX, R13 \
-	ADCQ BX, R14 \
-	MULXQ 24+rb, AX, BX \
-	ADCQ AX, R8 \
-	ADCQ BX, R9 \
-	MULXQ 40+rb, AX, BX \
-	ADCQ AX, R10 \
-	ADCQ BX, R11 \
-	ADCQ $0, R12 \
-	\
-	MOVQ a5, DX \
-	MULXQ 0+rb, AX, BX \
-	ADDQ AX, R13; MOVQ R13, 40+stack \
-	ADCQ BX, R14 \
-	MULXQ 16+rb, AX, BX \
-	ADCQ AX, R8 \
-	ADCQ BX, R9 \
-	MULXQ 32+rb, AX, BX \
-	ADCQ AX, R10 \
-	ADCQ BX, R11 \
-	ADCQ $0, R12 \
-	MULXQ 8+rb, AX, BX \
-	ADDQ AX, R14 \
-	ADCQ BX, R8 \
-	MULXQ 24+rb, AX, BX \
-	ADCQ AX, R9 \
-	ADCQ BX, R10 \
-	MULXQ 40+rb, AX, BX \
-	ADCQ AX, R11 \
-	ADCQ BX, R12
-
-#define fp384ReduceBMI2(stack) \
-	\ // m = (T * P') mod R, store m in R8:R9:R10:R11:R12:R13
-	MOVQ ·pp+0(SB), DX \
-	MULXQ 0+stack, R8, R9 \
-	MULXQ 8+stack, AX, R10 \
-	ADDQ AX, R9 \
-	MULXQ 16+stack, AX, R11 \
-	ADCQ AX, R10 \
-	MULXQ 24+stack, AX, R12 \
-	ADCQ AX, R11 \
-	MULXQ 32+stack, AX, R13 \
-	ADCQ AX, R12 \
-	MULXQ 40+stack, AX, BX \
-	ADCQ AX, R13 \
-	\
-	ADDQ 0+stack, R9 \
-	ADCQ 8+stack, R10 \
-	ADCQ 16+stack, R11 \
-	ADCQ 24+stack, R12 \
-	ADCQ 32+stack, R13 \
-	\
-	MOVQ ·pp+16(SB), DX \
-	MULXQ 0+stack, AX, BX \
-	ADDQ AX, R10 \
-	ADCQ BX, R11 \
-	MULXQ 16+stack, AX, BX \
-	ADCQ AX, R12 \
-	ADCQ BX, R13 \
-	MULXQ 8+stack, AX, BX \
-	ADDQ AX, R11 \
-	ADCQ BX, R12 \
-	MULXQ 24+stack, AX, BX \
-	ADCQ AX, R13 \
-	\
-	MOVQ ·pp+24(SB), DX \
-	MULXQ 0+stack, AX, BX \
-	ADDQ AX, R11 \
-	ADCQ BX, R12 \
-	MULXQ 16+stack, AX, BX \
-	ADCQ AX, R13 \
-	MULXQ 8+stack, AX, BX \
-	ADDQ AX, R12 \
-	ADCQ BX, R13 \
-	\
-	MOVQ ·pp+32(SB), DX \
-	MULXQ 0+stack, AX, BX \
-	ADDQ AX, R12 \
-	ADCQ BX, R13 \
-	MULXQ 8+stack, AX, BX \
-	ADDQ AX, R13 \
-	\
-	MOVQ ·pp+40(SB), DX \
-	MULXQ 0+stack, AX, BX \
-	ADDQ AX, R13 \
-	\
-	storeBlock(R8,R9,R10,R11,R12,R13, 96+stack) \
-	\
-	\ // m * P
-	mulBMI2(·p+0(SB),·p+8(SB),·p+16(SB),·p+24(SB),·p+32(SB),·p+40(SB), 96+stack, 144+stack) \
-	\
-	\ // Add the 768-bit intermediate to m*N
-	loadBlock(144+stack, AX,R13,BX,CX,DX,DI) \
-	\
-	ADDQ 0+stack,  AX \
-	ADCQ 8+stack, R13 \
-	ADCQ 16+stack, BX \
-	ADCQ 24+stack, CX \
-	ADCQ 32+stack, DX \
-	ADCQ 40+stack, DI \
-	ADCQ 48+stack, R14 \
-	ADCQ 56+stack, R8 \
-	ADCQ 64+stack, R9 \
-	ADCQ 72+stack, R10 \
-	ADCQ 80+stack, R11 \
-	ADCQ 88+stack, R12 \
-	MOVQ $0, 0+stack \
-	ADCQ $0, 0+stack \
-	\
-	fp384Carry(R14,R8,R9,R10,R11,R12, 0+stack, AX,R13,BX,CX,DX,DI,SI)
-
-TEXT ·fp384Neg(SB), NOSPLIT, $0-16
-	MOVQ ·p+0(SB), R8
-	MOVQ ·p+8(SB), R9
-	MOVQ ·p+16(SB), R10
-	MOVQ ·p+24(SB), R11
-	MOVQ ·p+32(SB), R12
-	MOVQ ·p+40(SB), R13
-
-	MOVQ a+8(FP), DI
-	SUBQ 0(DI), R8
-	SBBQ 8(DI), R9
-	SBBQ 16(DI), R10
-	SBBQ 24(DI), R11
-	SBBQ 32(DI), R12
-	SBBQ 40(DI), R13
-
-	MOVQ $0, R15
-	fp384Carry(R8,R9,R10,R11,R12,R13,R15, R14,AX,BX,CX,DX,DI,SI)
-
-	MOVQ c+0(FP), DI
-	storeBlock(R8,R9,R10,R11,R12,R13, 0(DI))
-	RET
-
-TEXT ·fp384Add(SB), NOSPLIT, $0-24
-	MOVQ a+8(FP), DI
-	MOVQ b+16(FP), SI
-
-	loadBlock(0(DI), R8,R9,R10,R11,R12,R13)
-	MOVQ $0, R15
-
-	ADDQ  0(SI), R8
-	ADCQ  8(SI), R9
-	ADCQ 16(SI), R10
-	ADCQ 24(SI), R11
-	ADCQ 32(SI), R12
-	ADCQ 40(SI), R13
-	ADCQ $0, R15
-
-	fp384Carry(R8,R9,R10,R11,R12,R13,R15, R14,AX,BX,CX,DX,DI,SI)
-
-	MOVQ c+0(FP), DI
-	storeBlock(R8,R9,R10,R11,R12,R13, 0(DI))
-	RET
-
-TEXT ·fp384Sub(SB), NOSPLIT, $0-24
-	MOVQ ·p+0(SB), R8
-	MOVQ ·p+8(SB), R9
-	MOVQ ·p+16(SB), R10
-	MOVQ ·p+24(SB), R11
-	MOVQ ·p+32(SB), R12
-	MOVQ ·p+40(SB), R13
-
-	MOVQ b+16(FP), DI
-	SUBQ 0(DI), R8
-	SBBQ 8(DI), R9
-	SBBQ 16(DI), R10
-	SBBQ 24(DI), R11
-	SBBQ 32(DI), R12
-	SBBQ 40(DI), R13
-
-	MOVQ $0, R15
-	MOVQ a+8(FP), DI
-	ADDQ 0(DI), R8
-	ADCQ 8(DI), R9
-	ADCQ 16(DI), R10
-	ADCQ 24(DI), R11
-	ADCQ 32(DI), R12
-	ADCQ 40(DI), R13
-	ADCQ $0, R15
-
-	fp384Carry(R8,R9,R10,R11,R12,R13,R15, R14,AX,BX,CX,DX,DI,SI)
-
-	MOVQ c+0(FP), DI
-	storeBlock(R8,R9,R10,R11,R12,R13, 0(DI))
-	RET
-
-TEXT ·fp384Mul(SB), NOSPLIT, $240-24
-	MOVQ a+8(FP), DI
-	MOVQ b+16(FP), SI
-
-	// Jump to a slightly different implementation if MULX isn't supported.
-	CMPB ·hasBMI2(SB), $0
-	JE   nobmi2Mul
-
-	// T = a * b
-	mulBMI2(0(DI),8(DI),16(DI),24(DI),32(DI),40(DI), 0(SI), 0(SP))
-	storeBlock(R14,R8,R9,R10,R11,R12, 48(SP))
-
-	// Reduce T.
-	fp384ReduceBMI2(0(SP))
-
-	MOVQ c+0(FP), DI
-	storeBlock(R14,R8,R9,R10,R11,R12, 0(DI))
-	JMP end
-
-nobmi2Mul:
-	// T = a * b
-	mul(0(DI),8(DI),16(DI),24(DI),32(DI),40(DI), 0(SI), 0(SP))
-
-	// Reduce T.
-	fp384Reduce(0(SP))
-
-	MOVQ c+0(FP), DI
-	storeBlock(R14,SI,AX,BX,CX,DX, 0(DI))
-
-end:
-	RET
-
-TEXT ·fp384Cmov(SB), NOSPLIT, $0
-    MOVQ x+0(FP), DI
-    MOVQ y+8(FP), SI
-    MOVQ b+16(FP), BX
-    TESTQ BX, BX
-    MOVQ  0(DI), AX; MOVQ  0(SI), DX; CMOVQNE DX, AX; MOVQ AX,  0(DI);
-    MOVQ  8(DI), AX; MOVQ  8(SI), DX; CMOVQNE DX, AX; MOVQ AX,  8(DI);
-    MOVQ 16(DI), AX; MOVQ 16(SI), DX; CMOVQNE DX, AX; MOVQ AX, 16(DI);
-    MOVQ 24(DI), AX; MOVQ 24(SI), DX; CMOVQNE DX, AX; MOVQ AX, 24(DI);
-    MOVQ 32(DI), AX; MOVQ 32(SI), DX; CMOVQNE DX, AX; MOVQ AX, 32(DI);
-    MOVQ 40(DI), AX; MOVQ 40(SI), DX; CMOVQNE DX, AX; MOVQ AX, 40(DI);
-    RET

vendor/github.com/cloudflare/circl/ecc/p384/arith_arm64.s

@@ -1,511 +0,0 @@
-// +build arm64,!purego
-
-#include "textflag.h"
-
-TEXT ·fp384Cmov(SB), NOSPLIT, $0
-    MOVD x+0(FP), R0
-    MOVD y+8(FP), R1
-    MOVW b+16(FP), R2
-    CMP $0, R2
-    LDP   0(R0), (R3, R5)
-    LDP   0(R1), (R4, R6)
-    CSEL NE,R4,R3,R7
-    CSEL NE,R6,R5,R8
-    STP  (R7, R8),  0(R0)
-    LDP  16(R0), (R3, R5)
-    LDP  16(R1), (R4, R6)
-    CSEL NE,R4,R3,R7
-    CSEL NE,R6,R5,R8
-    STP  (R7, R8), 16(R0)
-    LDP  32(R0), (R3, R5)
-    LDP  32(R1), (R4, R6)
-    CSEL NE,R4,R3,R7
-    CSEL NE,R6,R5,R8
-    STP  (R7, R8), 32(R0)
-    RET
-
-// Compute c = -a mod p
-TEXT ·fp384Neg(SB), NOSPLIT, $0-16
-	MOVD	c+0(FP), R0
-	MOVD	a+8(FP), R1
-
-	// Load p in R2-R7, a in R8-R13
-	// Compute p-a in R8-R13
-	LDP	·p+0(SB), (R2, R3)
-	LDP	0(R1), (R8, R9)
-	SUBS	R8, R2, R8
-	SBCS	R9, R3, R9
-	LDP	·p+16(SB), (R4, R5)
-	LDP	16(R1), (R10, R11)
-	SBCS	R10, R4, R10
-	SBCS	R11, R5, R11
-	LDP	·p+32(SB), (R6, R7)
-	LDP	32(R1), (R12, R13)
-	SBCS	R12, R6, R12
-	SBC	R13, R7, R13
-
-	// Compute (p-a)-p in R2-R7
-	SUBS	R2,  R8, R2
-	SBCS	R3,  R9, R3
-	SBCS	R4, R10, R4
-	SBCS	R5, R11, R5
-	SBCS	R6, R12, R6
-	SBCS	R7, R13, R7
-
-	// If (p-a)-p < 0 (nearly always), return p-a
-	// Only return (p-a)-p for a = 0
-	// Store result in c
-	CSEL	CC, R8, R2, R2
-	CSEL	CC, R9, R3, R3
-	STP	(R2, R3), 0(R0)
-	CSEL	CC, R10, R4, R4
-	CSEL	CC, R11, R5, R5
-	STP	(R4, R5), 16(R0)
-	CSEL	CC, R12, R6, R6
-	CSEL	CC, R13, R7, R7
-	STP	(R6, R7), 32(R0)
-
-	RET
-
-// Compute c = a+b mod p
-TEXT ·fp384Add(SB), NOSPLIT, $0-24
-	MOVD	c+0(FP), R0
-	MOVD	a+8(FP), R1
-	MOVD	b+16(FP), R2
-
-	// Load a in R3-R8, b in R9-R14
-	// Compute a+b in R3-R9
-	LDP	0(R1), (R3, R4)
-	LDP	0(R2), (R9, R10)
-	ADDS	R9, R3
-	ADCS	R10, R4
-	LDP	16(R1), (R5, R6)
-	LDP	16(R2), (R11, R12)
-	ADCS	R11, R5
-	ADCS	R12, R6
-	LDP	32(R1), (R7, R8)
-	LDP	32(R2), (R13, R14)
-	ADCS	R13, R7
-	ADCS	R14, R8
-	ADC	ZR, ZR, R9
-
-	// Load p in R10-R15
-	LDP	·p+ 0(SB), (R10, R11)
-	LDP	·p+16(SB), (R12, R13)
-	LDP	·p+32(SB), (R14, R15)
-
-	// Compute a+b-p in R10-R16
-	SUBS	R10, R3, R10
-	SBCS	R11, R4, R11
-	SBCS	R12, R5, R12
-	SBCS	R13, R6, R13
-	SBCS	R14, R7, R14
-	SBCS	R15, R8, R15
-	SBCS	 ZR, R9, R16
-
-	// If a+b-p is negative, return a+b
-	// Store result in c
-	CSEL	CC, R3, R10, R3
-	CSEL	CC, R4, R11, R4
-	STP	(R3, R4), 0(R0)
-	CSEL	CC, R5, R12, R5
-	CSEL	CC, R6, R13, R6
-	STP	(R5, R6), 16(R0)
-	CSEL	CC, R7, R14, R7
-	CSEL	CC, R8, R15, R8
-	STP	(R7, R8), 32(R0)
-
-	RET
-
-// Compute c = a-b mod p
-TEXT ·fp384Sub(SB), NOSPLIT, $0-24
-	MOVD	c+0(FP), R0
-	MOVD	a+8(FP), R1
-	MOVD	b+16(FP), R2
-
-	// Load a in R3-R8, b in R9-R14
-	// Compute a-b in R3-R9
-	LDP	0(R1), (R3, R4)
-	LDP	0(R2), (R9, R10)
-	SUBS	R9, R3
-	SBCS	R10, R4
-	LDP	16(R1), (R5, R6)
-	LDP	16(R2), (R11, R12)
-	SBCS	R11, R5
-	SBCS	R12, R6
-	LDP	32(R1), (R7, R8)
-	LDP	32(R2), (R13, R14)
-	SBCS	R13, R7
-	SBCS	R14, R8
-	SBC	ZR, ZR, R9
-
-	// Load p in R10-R15
-	// If a-b < 0, (a-b)+p to R3-R8
-	// Store result in c
-	LDP	·p+ 0(SB), (R10, R11)
-	AND	R9, R10
-	LDP	·p+16(SB), (R12, R13)
-	AND	R9, R11
-	AND	R9, R12
-	LDP	·p+32(SB), (R14, R15)
-	AND	R9, R13
-	AND	R9, R14
-	AND	R9, R15
-
-	ADDS	R10, R3
-	ADCS	R11, R4
-	STP	(R3, R4), 0(R0)
-	ADCS	R12, R5
-	ADCS	R13, R6
-	STP	(R5, R6), 16(R0)
-	ADCS	R14, R7
-	ADC	R15, R8
-	STP	(R7, R8), 32(R0)
-
-	RET
-
-// Expects that A0*B0 is already in C0(low),C3(high) and A0*B1 in C1(low),C2(high)
-// C0 is not actually touched
-// Result of (A0-A2) * (B0-B2) will be in C0-C5
-// Inputs remain intact
-#define mul192x192comba(A0,A1,A2, B0,B1,B2, C0,C1,C2,C3,C4,C5, S0,S1,S2,S3) \
-	MUL	A1, B0, S2	\
-	UMULH	A1, B0, S3	\
-				\
-	ADDS	C3, C1		\
-	ADCS	ZR, C2		\
-	ADC	ZR, ZR, C3	\
-				\
-	MUL	A0, B2, S0	\
-	UMULH	A0, B2, S1	\
-				\
-	ADDS	S2, C1		\
-	ADCS	S3, C2		\
-	ADC	ZR, C3		\
-				\
-	MUL	A1, B1, S2	\
-	UMULH	A1, B1, S3	\
-				\
-	ADDS	S0, C2		\
-	ADCS	S1, C3		\
-	ADC	ZR, ZR, C4	\
-				\
-	MUL	A2, B0, S0	\
-	UMULH	A2, B0, S1	\
-				\
-	ADDS	S2, C2		\
-	ADCS	S3, C3		\
-	ADC	ZR, C4		\
-				\
-	MUL	A1, B2, S2	\
-	UMULH	A1, B2, S3	\
-				\
-	ADDS	S0, C2		\
-	ADCS	S1, C3		\
-	ADC	ZR, C4		\
-				\
-	MUL	A2, B1, S0	\
-	UMULH	A2, B1, S1	\
-				\
-	ADDS	S2, C3		\
-	ADCS	S3, C4		\
-	ADC	ZR, ZR, C5	\
-				\
-	MUL	A2, B2, S2	\
-	UMULH	A2, B2, S3	\
-				\
-	ADDS	S0, C3		\
-	ADCS	S1, C4		\
-	ADC	ZR, C5		\
-				\
-	ADDS	S2, C4		\
-	ADC	S3, C5
-
-
-// Assumes that there are at least 96 bytes left on the stack
-// Expects that X and Y point to input
-// X and Y get overwritten, Z0 will be in Y
-#define mul384x384karatsuba(X,Y, Z1,Z2,Z3,Z4,Z5,Z6,Z7,Z8,Z9,Z10,Z11, T0,T1,T2,T3,T4,T5,T6,T7,T8,T9,T10,T11,T12) \
-	/* Load a in Z1-Z6, b in T12,Z7-Z11 */ \
-	LDP	 0(X), ( Z1,  Z2)	\
-	LDP	 0(Y), (T12,  Z7)	\
-	MUL	Z1,  Z7, T1		\
-	UMULH	Z1, T12, T3		\
-	LDP	16(X), ( Z3,  Z4)	\
-	LDP	16(Y), ( Z8,  Z9)	\
-	MUL	Z1, T12, T0		\
-	UMULH	Z1,  Z7, T2		\
-	LDP	32(X), ( Z5,  Z6)	\
-	LDP	32(Y), (Z10, Z11)	\
-					\
-	/* Compute aL*bL in T0-T5 */	\
-	mul192x192comba(Z1,Z2,Z3, T12,Z7,Z8, T0,T1,T2,T3,T4,T5, T6,T7,T8,T9) \
-					\
-	/* Compute aH*bH in T6-T11, destroys aL and bL */ \
-	MUL	Z4, Z10, T7		\
-	MUL	Z4,  Z9, T6		\
-	UMULH	Z4,  Z9, T9		\
-	UMULH	Z4, Z10, T8		\
-	mul192x192comba(Z4,Z5,Z6, Z9,Z10,Z11, T6,T7,T8,T9,T10,T11, Z1,Z2,T12,Z7) \
-					\
-	/* Compute aL*bL + aH*bH in Z1-Z6,T12, destroys aH */ \
-	ADDS	T0,  T6,  Z1		\
-	ADCS	T1,  T7,  Z2		\
-	ADCS	T2,  T8,  Z3		\
-	ADCS	T3,  T9,  Z4		\
-	ADCS	T4, T10,  Z5		\
-	ADCS	T5, T11,  Z6		\
-	ADC	ZR,  ZR, T12		\
-					\
-	/* Add to T0-T11 and store on stack */ \
-	STP	( T0,  T1), -16(RSP)	\
-	ADDS	Z1, T3			\
-	STP	( T2,  T3), -32(RSP)	\
-	ADCS	Z2, T4			\
-	ADCS	Z3, T5			\
-	STP	( T4,  T5), -48(RSP)	\
-	ADCS	Z4, T6			\
-	ADCS	Z5, T7			\
-	STP	( T6,  T7), -64(RSP)	\
-	ADCS	Z6, T8			\
-	ADC	ZR, T12			\
-	STP	( T8,  T9), -80(RSP)	\
-	STP	(T10, T11), -96(RSP)	\
-					\
-	/* Load a to Z1-Z6 */		\
-	LDP	 0(X), (Z1, Z2)		\
-	LDP	16(X), (Z3, Z4)		\
-	LDP	32(X), (Z5, Z6)		\
-					\
-	/* Compute |aL-aH| to Z1-Z3, keep borrow in X */ \
-	SUBS	Z4, Z1			\
-	SBCS	Z5, Z2			\
-	SBCS	Z6, Z3			\
-	SBC	ZR, ZR, X		\
-	NEGS	Z1, Z4			\
-	NGCS	Z2, Z5			\
-	NGC	Z3, Z6			\
-	ADDS	$1, X			\
-					\
-	/* Load b to Z7-Z11,T0 */	\
-	LDP	 0(Y), ( Z7,  Z8)	\
-	LDP	16(Y), ( Z9, Z10)	\
-	LDP	32(Y), (Z11,  T0)	\
-					\
-	CSEL	EQ, Z4, Z1, Z1		\
-	CSEL	EQ, Z5, Z2 ,Z2		\
-	CSEL	EQ, Z6, Z3, Z3		\
-					\
-	/* Compute |bH-bL| to Z7-Z9, keep borrow in Y */ \
-	SUBS	Z7, Z10			\
-	SBCS	Z8, Z11			\
-	SBCS	Z9, T0			\
-	SBC	ZR, ZR, Y		\
-	NEGS	Z10, Z7			\
-	NGCS	Z11, Z8			\
-	NGC	T0, Z9			\
-	ADDS	$1, Y			\
-	CSEL	EQ, Z7, Z10, Z7		\
-	CSEL	EQ, Z8, Z11, Z8		\
-	CSEL	EQ, Z9,  T0, Z9		\
-					\
-	/* Combine borrows */		\
-	EOR	Y, X			\
-					\
-	/* Compute |aL-aH|*|bH-bL| to Z10,Z11,T0-T3 */ \
-	MUL	Z1, Z8, Z11		\
-	MUL	Z1, Z7, Z10		\
-	UMULH	Z1, Z8,  T0		\
-	UMULH	Z1, Z7,  T1		\
-	mul192x192comba(Z1,Z2,Z3, Z7,Z8,Z9, Z10,Z11,T0,T1,T2,T3, T4,T5,T6,T7) \
-					\
-	/* The result has to be negated if exactly one of the operands was negative */ \
-	NEGS	Z10,  Y			\
-	NGCS	Z11, Z1			\
-	NGCS	 T0, Z2			\
-	NGCS	 T1, Z3			\
-	NGCS	 T2, Z4			\
-	NGCS	 T3, Z5			\
-	NGC	 ZR, T4			\
-					\
-	AND	T4, X			\
-	CMP	$1, X			\
-	CSEL	EQ,  Y, Z10, Z10	\
-	CSEL	EQ, Z1, Z11, Z11	\
-	CSEL	EQ, Z2,  T0,  T0	\
-	CSEL	EQ, Z3,  T1,  T1	\
-	CSEL	EQ, Z4,  T2,  T2	\
-	CSEL	EQ, Z5,  T3,  T3	\
-					\
-	/* Add that to the middle part */ \
-	LDP	-16(RSP), (  Y,  Z1)	\
-	LDP	-32(RSP), ( Z2,  Z3)	\
-	LDP	-48(RSP), ( Z4,  Z5)	\
-	ADDS	Z10, Z3			\
-	ADCS	Z11, Z4			\
-	LDP	-64(RSP), ( Z6,  Z7)	\
-	ADCS	T0, Z5			\
-	ADCS	T1, Z6			\
-	LDP	-80(RSP), ( Z8,  Z9)	\
-	ADCS	T2, Z7			\
-	ADCS	T3, Z8			\
-	LDP	-96(RSP), (Z10, Z11)	\
-	ADCS	T12, Z9			\
-	ADCS	ZR, Z10			\
-	ADC	ZR, Z11			\
-	SUBS	X, Z9			\
-	SBCS	ZR, Z10			\
-	SBC	ZR, Z11
-
-// Compute c = a*b*R^-1 mod p
-TEXT ·fp384Mul(SB), NOSPLIT, $200-24
-	MOVD	c+0(FP), R0
-	MOVD	a+8(FP), R1
-	MOVD	b+16(FP), R2
-
-	// Compute a*b in R2-R13
-	mul384x384karatsuba(R1, R2, R3,R4,R5,R6,R7,R8,R9,R10,R11,R12,R13, R14,R15,R16,R17,R19,R20,R21,R22,R23,R24,R25,R26,R27)
-
-	// Store a*b on the stack
-	STP	( R2,  R3), -112(RSP)
-	STP	( R4,  R5), -128(RSP)
-	STP	( R6,  R7), -144(RSP)
-	STP	( R8,  R9), -160(RSP)
-	STP	(R10, R11), -176(RSP)
-	STP	(R12, R13), -192(RSP)
-
-	// Compute m = a*b*pp mod 2^384 in R19-R24
-	// Store it temporarily in c
-	MOVD	·pp+0(SB), R14
-	MUL	R14, R2, R19
-	UMULH	R14, R2, R20
-
-	MUL	R14, R3, R16
-	UMULH	R14, R3, R21
-	ADDS	R16, R20
-	ADC	 ZR, R21
-
-	MUL	R14, R4, R16
-	UMULH	R14, R4, R22
-	ADDS	R16, R21
-	ADC	 ZR, R22
-
-	MUL	R14, R5, R16
-	UMULH	R14, R5, R23
-	ADDS	R16, R22
-	ADC	 ZR, R23
-
-	MUL	R14, R6, R16
-	UMULH	R14, R6, R24
-	ADDS	R16, R23
-	ADC	 ZR, R24
-
-	MADD	R14, R24, R7, R24
-
-	// ·pp+8(SB) = 1, so we can just add
-	ADDS	R2, R20
-	STP	(R19, R20), 0(R0)
-	ADCS	R3, R21
-	ADCS	R4, R22
-	ADCS	R5, R23
-	ADC	R6, R24
-
-	LDP	·pp+16(SB), (R14, R15)
-	MUL	R14, R2, R8
-	UMULH	R14, R2, R9
-
-	MUL	R14, R3, R16
-	UMULH	R14, R3, R10
-	ADDS	R16, R9
-	ADC	 ZR, R10
-
-	MUL	R14, R4, R16
-	UMULH	R14, R4, R11
-	ADDS	R16, R10
-	ADC	 ZR, R11
-
-	MUL	R14, R5, R16
-	ADD	R16, R11
-
-	ADDS	 R8, R21
-	ADCS	 R9, R22
-	ADCS	R10, R23
-	ADC	R11, R24
-
-	MUL	R15, R2, R8
-	UMULH	R15, R2, R9
-
-	MUL	R15, R3, R16
-	UMULH	R15, R3, R10
-	ADDS	R16, R9
-	ADC	 ZR, R10
-
-	MADD	R15, R10, R4, R10
-
-	ADDS	R8, R22
-	STP	(R21, R22), 16(R0)
-	ADCS	R9, R23
-	ADC	R10, R24
-
-	LDP	·pp+32(SB), (R14, R15)
-	MUL	R14, R2, R8
-	UMULH	R14, R2, R9
-
-	MADD	R14, R9, R3, R9
-
-	ADDS	R8, R23
-	ADC	R9, R24
-
-	MADD	R15, R24, R2, R24
-	STP	(R23, R24), 32(R0)
-
-	// Compute m*p in R1-R12
-	MOVD	$·p(SB), R1
-	mul384x384karatsuba(R0, R1, R2,R3,R4,R5,R6,R7,R8,R9,R10,R11,R12, R13,R14,R15,R16,R17,R19,R20,R21,R22,R23,R24,R25,R26)
-
-	// Add a*b to m*p in R1-R12,R26
-	LDP	-112(RSP), (R13, R14)
-	ADDS	R13, R1
-	LDP	-128(RSP), (R15, R16)
-	ADCS	R14, R2
-	ADCS	R15, R3
-	LDP	-144(RSP), (R17, R19)
-	ADCS	R16, R4
-	ADCS	R17, R5
-	LDP	-160(RSP), (R20, R21)
-	ADCS	R19, R6
-	ADCS	R20, R7
-	LDP	-176(RSP), (R22, R23)
-	ADCS	R21, R8
-	ADCS	R22, R9
-	LDP	-192(RSP), (R24, R25)
-	ADCS	R23, R10
-	ADCS	R24, R11
-	ADCS	R25, R12
-	ADC	ZR, ZR, R26
-
-	// Reduce the top half mod p
-	LDP	·p+ 0(SB), (R13, R14)
-	SUBS	R13, R7, R13
-	LDP	·p+16(SB), (R15, R16)
-	SBCS	R14, R8, R14
-	SBCS	R15, R9, R15
-	LDP	·p+32(SB), (R17, R19)
-	SBCS	R16, R10, R16
-	SBCS	R17, R11, R17
-	SBCS	R19, R12, R19
-	SBCS	ZR, R26
-
-	// Store result in c
-	MOVD	c+0(FP), R0
-	CSEL	CC, R7, R13, R7
-	CSEL	CC, R8, R14, R8
-	STP	( R7,  R8),  0(R0)
-	CSEL	CC, R9, R15, R9
-	CSEL	CC, R10, R16, R10
-	STP	( R9, R10), 16(R0)
-	CSEL	CC, R11, R17, R11
-	CSEL	CC, R12, R19, R12
-	STP	(R11, R12), 32(R0)
-
-	RET

vendor/github.com/cloudflare/circl/ecc/p384/doc.go

@@ -1,10 +0,0 @@
-// Package p384 provides optimized elliptic curve operations on the P-384 curve.
-//
-// These are some improvements over crypto/elliptic package:
-//   - Around 10x faster in amd64 architecture.
-//   - Reduced number of memory allocations.
-//   - Native support for arm64 architecture.
-//   - ScalarMult is performed using a constant-time algorithm.
-//   - ScalarBaseMult fallbacks into ScalarMult.
-//   - A new method included for double-point multiplication.
-package p384

vendor/github.com/cloudflare/circl/ecc/p384/p384.go

@@ -1,28 +0,0 @@
-package p384
-
-import (
-	"crypto/elliptic"
-	"math/big"
-)
-
-// Curve is used to provide the extended functionality and performance of
-// elliptic.Curve interface.
-type Curve interface {
-	elliptic.Curve
-	// IsAtInfinity returns True is the point is the identity point.
-	IsAtInfinity(X, Y *big.Int) bool
-	// CombinedMult calculates P=mG+nQ, where G is the generator and
-	// Q=(Qx,Qy). The scalars m and n are positive integers in big-endian form.
-	// Runs in non-constant time to be used in signature verification.
-	CombinedMult(Qx, Qy *big.Int, m, n []byte) (Px, Py *big.Int)
-}
-
-// Params returns the parameters for the curve. Note: The value returned by
-// this function fallbacks to the stdlib implementation of elliptic curve
-// operations. Use this method to only recover elliptic curve parameters.
-func (c curve) Params() *elliptic.CurveParams { return elliptic.P384().Params() }
-
-// IsAtInfinity returns True is the point is the identity point.
-func (c curve) IsAtInfinity(x, y *big.Int) bool {
-	return x.Sign() == 0 && y.Sign() == 0
-}

vendor/github.com/cloudflare/circl/ecc/p384/p384_generic.go

@@ -1,21 +0,0 @@
-//go:build purego || (!amd64 && !arm64)
-// +build purego !amd64,!arm64
-
-package p384
-
-import (
-	"crypto/elliptic"
-	"math/big"
-)
-
-type curve struct{ elliptic.Curve }
-
-func P384() Curve { return curve{elliptic.P384()} }
-
-// CombinedMult calculates P=mG+nQ, where G is the generator and Q=(x,y,z).
-// The scalars m and n are integers in big-endian form. Non-constant time.
-func (c curve) CombinedMult(xQ, yQ *big.Int, m, n []byte) (xP, yP *big.Int) {
-	x1, y1 := c.ScalarBaseMult(m)
-	x2, y2 := c.ScalarMult(xQ, yQ, n)
-	return c.Add(x1, y1, x2, y2)
-}

vendor/github.com/cloudflare/circl/ecc/p384/p384opt.go

@@ -1,181 +0,0 @@
-//go:build (!purego && arm64) || (!purego && amd64)
-// +build !purego,arm64 !purego,amd64
-
-package p384
-
-import (
-	"crypto/subtle"
-	"math/big"
-
-	"github.com/cloudflare/circl/math"
-)
-
-type curve struct{}
-
-// P384 returns a Curve which implements P-384 (see FIPS 186-3, section D.2.4).
-func P384() Curve { return curve{} }
-
-// IsOnCurve reports whether the given (x,y) lies on the curve.
-func (c curve) IsOnCurve(x, y *big.Int) bool {
-	x1, y1 := &fp384{}, &fp384{}
-	x1.SetBigInt(x)
-	y1.SetBigInt(y)
-	montEncode(x1, x1)
-	montEncode(y1, y1)
-
-	y2, x3 := &fp384{}, &fp384{}
-	fp384Sqr(y2, y1)
-	fp384Sqr(x3, x1)
-	fp384Mul(x3, x3, x1)
-
-	threeX := &fp384{}
-	fp384Add(threeX, x1, x1)
-	fp384Add(threeX, threeX, x1)
-
-	fp384Sub(x3, x3, threeX)
-	fp384Add(x3, x3, &bb)
-
-	return *y2 == *x3
-}
-
-// Add returns the sum of (x1,y1) and (x2,y2).
-func (c curve) Add(x1, y1, x2, y2 *big.Int) (x, y *big.Int) {
-	P := newAffinePoint(x1, y1).toJacobian()
-	P.mixadd(P, newAffinePoint(x2, y2))
-	return P.toAffine().toInt()
-}
-
-// Double returns 2*(x,y).
-func (c curve) Double(x1, y1 *big.Int) (x, y *big.Int) {
-	P := newAffinePoint(x1, y1).toJacobian()
-	P.double()
-	return P.toAffine().toInt()
-}
-
-// reduceScalar shorten a scalar modulo the order of the curve.
-func (c curve) reduceScalar(k []byte) []byte {
-	bigK := new(big.Int).SetBytes(k)
-	bigK.Mod(bigK, c.Params().N)
-	return bigK.FillBytes(make([]byte, sizeFp))
-}
-
-// toOdd performs k = (-k mod N) if k is even.
-func (c curve) toOdd(k []byte) ([]byte, int) {
-	var X, Y big.Int
-	X.SetBytes(k)
-	Y.Neg(&X).Mod(&Y, c.Params().N)
-	isEven := 1 - int(X.Bit(0))
-	x := X.Bytes()
-	y := Y.Bytes()
-
-	if len(x) < len(y) {
-		x = append(make([]byte, len(y)-len(x)), x...)
-	} else if len(x) > len(y) {
-		y = append(make([]byte, len(x)-len(y)), y...)
-	}
-	subtle.ConstantTimeCopy(isEven, x, y)
-	return x, isEven
-}
-
-// ScalarMult returns (Qx,Qy)=k*(Px,Py) where k is a number in big-endian form.
-func (c curve) ScalarMult(x1, y1 *big.Int, k []byte) (x, y *big.Int) {
-	return c.scalarMultOmega(x1, y1, k, 5)
-}
-
-func (c curve) scalarMultOmega(x1, y1 *big.Int, k []byte, omega uint) (x, y *big.Int) {
-	k = c.reduceScalar(k)
-	oddK, isEvenK := c.toOdd(k)
-
-	var scalar big.Int
-	scalar.SetBytes(oddK)
-	if scalar.Sign() == 0 {
-		return new(big.Int), new(big.Int)
-	}
-	const bitsN = uint(384)
-	L := math.SignedDigit(&scalar, omega, bitsN)
-
-	var R jacobianPoint
-	Q := zeroPoint().toJacobian()
-	TabP := newAffinePoint(x1, y1).oddMultiples(omega)
-	for i := len(L) - 1; i > 0; i-- {
-		for j := uint(0); j < omega-1; j++ {
-			Q.double()
-		}
-		idx := absolute(L[i]) >> 1
-		for j := range TabP {
-			R.cmov(&TabP[j], subtle.ConstantTimeEq(int32(j), idx))
-		}
-		R.cneg(int(L[i]>>31) & 1)
-		Q.add(Q, &R)
-	}
-	// Calculate the last iteration using complete addition formula.
-	for j := uint(0); j < omega-1; j++ {
-		Q.double()
-	}
-	idx := absolute(L[0]) >> 1
-	for j := range TabP {
-		R.cmov(&TabP[j], subtle.ConstantTimeEq(int32(j), idx))
-	}
-	R.cneg(int(L[0]>>31) & 1)
-	QQ := Q.toProjective()
-	QQ.completeAdd(QQ, R.toProjective())
-	QQ.cneg(isEvenK)
-	return QQ.toAffine().toInt()
-}
-
-// ScalarBaseMult returns k*G, where G is the base point of the group
-// and k is an integer in big-endian form.
-func (c curve) ScalarBaseMult(k []byte) (x, y *big.Int) {
-	params := c.Params()
-	return c.ScalarMult(params.Gx, params.Gy, k)
-}
-
-// CombinedMult calculates P=mG+nQ, where G is the generator and Q=(x,y,z).
-// The scalars m and n are integers in big-endian form. Non-constant time.
-func (c curve) CombinedMult(xQ, yQ *big.Int, m, n []byte) (xP, yP *big.Int) {
-	const nOmega = uint(5)
-	var k big.Int
-	k.SetBytes(m)
-	nafM := math.OmegaNAF(&k, baseOmega)
-	k.SetBytes(n)
-	nafN := math.OmegaNAF(&k, nOmega)
-
-	if len(nafM) > len(nafN) {
-		nafN = append(nafN, make([]int32, len(nafM)-len(nafN))...)
-	} else if len(nafM) < len(nafN) {
-		nafM = append(nafM, make([]int32, len(nafN)-len(nafM))...)
-	}
-
-	TabQ := newAffinePoint(xQ, yQ).oddMultiples(nOmega)
-	var jR jacobianPoint
-	var aR affinePoint
-	P := zeroPoint().toJacobian()
-	for i := len(nafN) - 1; i >= 0; i-- {
-		P.double()
-		// Generator point
-		if nafM[i] != 0 {
-			idxM := absolute(nafM[i]) >> 1
-			aR = baseOddMultiples[idxM]
-			if nafM[i] < 0 {
-				aR.neg()
-			}
-			P.mixadd(P, &aR)
-		}
-		// Input point
-		if nafN[i] != 0 {
-			idxN := absolute(nafN[i]) >> 1
-			jR = TabQ[idxN]
-			if nafN[i] < 0 {
-				jR.neg()
-			}
-			P.add(P, &jR)
-		}
-	}
-	return P.toAffine().toInt()
-}
-
-// absolute returns always a positive value.
-func absolute(x int32) int32 {
-	mask := x >> 31
-	return (x + mask) ^ mask
-}

vendor/github.com/cloudflare/circl/ecc/p384/point.go

@@ -1,358 +0,0 @@
-//go:build (!purego && arm64) || (!purego && amd64)
-// +build !purego,arm64 !purego,amd64
-
-package p384
-
-import (
-	"fmt"
-	"math/big"
-)
-
-// affinePoint represents an affine point of the curve. The point at
-// infinity is (0,0) leveraging that it is not an affine point.
-type affinePoint struct{ x, y fp384 }
-
-func newAffinePoint(x, y *big.Int) *affinePoint {
-	var P affinePoint
-	P.x.SetBigInt(x)
-	P.y.SetBigInt(y)
-	montEncode(&P.x, &P.x)
-	montEncode(&P.y, &P.y)
-	return &P
-}
-
-func zeroPoint() *affinePoint { return &affinePoint{} }
-
-func (ap affinePoint) String() string {
-	if ap.isZero() {
-		return "inf"
-	}
-	return fmt.Sprintf("x: %v\ny: %v", ap.x, ap.y)
-}
-
-func (ap *affinePoint) isZero() bool {
-	zero := fp384{}
-	return ap.x == zero && ap.y == zero
-}
-
-func (ap *affinePoint) neg() { fp384Neg(&ap.y, &ap.y) }
-
-func (ap *affinePoint) toInt() (x, y *big.Int) {
-	var x1, y1 fp384
-	montDecode(&x1, &ap.x)
-	montDecode(&y1, &ap.y)
-	return x1.BigInt(), y1.BigInt()
-}
-
-func (ap *affinePoint) toJacobian() *jacobianPoint {
-	var P jacobianPoint
-	if ap.isZero() {
-		montEncode(&P.x, &fp384{1})
-		montEncode(&P.y, &fp384{1})
-	} else {
-		P.x = ap.x
-		P.y = ap.y
-		montEncode(&P.z, &fp384{1})
-	}
-	return &P
-}
-
-func (ap *affinePoint) toProjective() *projectivePoint {
-	var P projectivePoint
-	if ap.isZero() {
-		montEncode(&P.y, &fp384{1})
-	} else {
-		P.x = ap.x
-		P.y = ap.y
-		montEncode(&P.z, &fp384{1})
-	}
-	return &P
-}
-
-// OddMultiples calculates the points iP for i={1,3,5,7,..., 2^(n-1)-1}
-// Ensure that 1 < n < 31, otherwise it returns an empty slice.
-func (ap affinePoint) oddMultiples(n uint) []jacobianPoint {
-	var t []jacobianPoint
-	if n > 1 && n < 31 {
-		P := ap.toJacobian()
-		s := int32(1) << (n - 1)
-		t = make([]jacobianPoint, s)
-		t[0] = *P
-		_2P := *P
-		_2P.double()
-		for i := int32(1); i < s; i++ {
-			t[i].add(&t[i-1], &_2P)
-		}
-	}
-	return t
-}
-
-// p2Point is a point in P^2
-type p2Point struct{ x, y, z fp384 }
-
-func (P *p2Point) String() string {
-	return fmt.Sprintf("x: %v\ny: %v\nz: %v", P.x, P.y, P.z)
-}
-
-func (P *p2Point) neg() { fp384Neg(&P.y, &P.y) }
-
-// condNeg if P is negated if b=1.
-func (P *p2Point) cneg(b int) {
-	var mY fp384
-	fp384Neg(&mY, &P.y)
-	fp384Cmov(&P.y, &mY, b)
-}
-
-// cmov sets P to Q if b=1.
-func (P *p2Point) cmov(Q *p2Point, b int) {
-	fp384Cmov(&P.x, &Q.x, b)
-	fp384Cmov(&P.y, &Q.y, b)
-	fp384Cmov(&P.z, &Q.z, b)
-}
-
-func (P *p2Point) toInt() (x, y, z *big.Int) {
-	var x1, y1, z1 fp384
-	montDecode(&x1, &P.x)
-	montDecode(&y1, &P.y)
-	montDecode(&z1, &P.z)
-	return x1.BigInt(), y1.BigInt(), z1.BigInt()
-}
-
-// jacobianPoint represents a point in Jacobian coordinates. The point at
-// infinity is any point (x,y,0) such that x and y are different from 0.
-type jacobianPoint struct{ p2Point }
-
-func (P *jacobianPoint) isZero() bool {
-	zero := fp384{}
-	return P.x != zero && P.y != zero && P.z == zero
-}
-
-func (P *jacobianPoint) toAffine() *affinePoint {
-	var aP affinePoint
-	z, z2 := &fp384{}, &fp384{}
-	fp384Inv(z, &P.z)
-	fp384Sqr(z2, z)
-	fp384Mul(&aP.x, &P.x, z2)
-	fp384Mul(&aP.y, &P.y, z)
-	fp384Mul(&aP.y, &aP.y, z2)
-	return &aP
-}
-
-func (P *jacobianPoint) cmov(Q *jacobianPoint, b int) { P.p2Point.cmov(&Q.p2Point, b) }
-
-// add calculates P=Q+R such that Q and R are different than the identity point,
-// and Q!==R. This function cannot be used for doublings.
-func (P *jacobianPoint) add(Q, R *jacobianPoint) {
-	if Q.isZero() {
-		*P = *R
-		return
-	} else if R.isZero() {
-		*P = *Q
-		return
-	}
-
-	// Cohen-Miyagi-Ono (1998)
-	// https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
-	X1, Y1, Z1 := &Q.x, &Q.y, &Q.z
-	X2, Y2, Z2 := &R.x, &R.y, &R.z
-	Z1Z1, Z2Z2, U1, U2 := &fp384{}, &fp384{}, &fp384{}, &fp384{}
-	H, HH, HHH, RR := &fp384{}, &fp384{}, &fp384{}, &fp384{}
-	V, t4, t5, t6, t7, t8 := &fp384{}, &fp384{}, &fp384{}, &fp384{}, &fp384{}, &fp384{}
-	t0, t1, t2, t3, S1, S2 := &fp384{}, &fp384{}, &fp384{}, &fp384{}, &fp384{}, &fp384{}
-	fp384Sqr(Z1Z1, Z1)     // Z1Z1 = Z1 ^ 2
-	fp384Sqr(Z2Z2, Z2)     // Z2Z2 = Z2 ^ 2
-	fp384Mul(U1, X1, Z2Z2) // U1 = X1 * Z2Z2
-	fp384Mul(U2, X2, Z1Z1) // U2 = X2 * Z1Z1
-	fp384Mul(t0, Z2, Z2Z2) // t0 = Z2 * Z2Z2
-	fp384Mul(S1, Y1, t0)   // S1 = Y1 * t0
-	fp384Mul(t1, Z1, Z1Z1) // t1 = Z1 * Z1Z1
-	fp384Mul(S2, Y2, t1)   // S2 = Y2 * t1
-	fp384Sub(H, U2, U1)    // H = U2 - U1
-	fp384Sqr(HH, H)        // HH = H ^ 2
-	fp384Mul(HHH, H, HH)   // HHH = H * HH
-	fp384Sub(RR, S2, S1)   // r = S2 - S1
-	fp384Mul(V, U1, HH)    // V = U1 * HH
-	fp384Sqr(t2, RR)       // t2 = r ^ 2
-	fp384Add(t3, V, V)     // t3 = V + V
-	fp384Sub(t4, t2, HHH)  // t4 = t2 - HHH
-	fp384Sub(&P.x, t4, t3) // X3 = t4 - t3
-	fp384Sub(t5, V, &P.x)  // t5 = V - X3
-	fp384Mul(t6, S1, HHH)  // t6 = S1 * HHH
-	fp384Mul(t7, RR, t5)   // t7 = r * t5
-	fp384Sub(&P.y, t7, t6) // Y3 = t7 - t6
-	fp384Mul(t8, Z2, H)    // t8 = Z2 * H
-	fp384Mul(&P.z, Z1, t8) // Z3 = Z1 * t8
-}
-
-// mixadd calculates P=Q+R such that P and Q different than the identity point,
-// and Q not in {P,-P, O}.
-func (P *jacobianPoint) mixadd(Q *jacobianPoint, R *affinePoint) {
-	if Q.isZero() {
-		*P = *R.toJacobian()
-		return
-	} else if R.isZero() {
-		*P = *Q
-		return
-	}
-
-	z1z1, u2 := &fp384{}, &fp384{}
-	fp384Sqr(z1z1, &Q.z)
-	fp384Mul(u2, &R.x, z1z1)
-
-	s2 := &fp384{}
-	fp384Mul(s2, &R.y, &Q.z)
-	fp384Mul(s2, s2, z1z1)
-	if Q.x == *u2 {
-		if Q.y != *s2 {
-			*P = *(zeroPoint().toJacobian())
-			return
-		}
-		*P = *Q
-		P.double()
-		return
-	}
-
-	h, r := &fp384{}, &fp384{}
-	fp384Sub(h, u2, &Q.x)
-	fp384Mul(&P.z, h, &Q.z)
-	fp384Sub(r, s2, &Q.y)
-
-	h2, h3 := &fp384{}, &fp384{}
-	fp384Sqr(h2, h)
-	fp384Mul(h3, h2, h)
-	h3y1 := &fp384{}
-	fp384Mul(h3y1, h3, &Q.y)
-
-	h2x1 := &fp384{}
-	fp384Mul(h2x1, h2, &Q.x)
-
-	fp384Sqr(&P.x, r)
-	fp384Sub(&P.x, &P.x, h3)
-	fp384Sub(&P.x, &P.x, h2x1)
-	fp384Sub(&P.x, &P.x, h2x1)
-
-	fp384Sub(&P.y, h2x1, &P.x)
-	fp384Mul(&P.y, &P.y, r)
-	fp384Sub(&P.y, &P.y, h3y1)
-}
-
-func (P *jacobianPoint) double() {
-	delta, gamma, alpha, alpha2 := &fp384{}, &fp384{}, &fp384{}, &fp384{}
-	fp384Sqr(delta, &P.z)
-	fp384Sqr(gamma, &P.y)
-	fp384Sub(alpha, &P.x, delta)
-	fp384Add(alpha2, &P.x, delta)
-	fp384Mul(alpha, alpha, alpha2)
-	*alpha2 = *alpha
-	fp384Add(alpha, alpha, alpha)
-	fp384Add(alpha, alpha, alpha2)
-
-	beta := &fp384{}
-	fp384Mul(beta, &P.x, gamma)
-
-	beta8 := &fp384{}
-	fp384Sqr(&P.x, alpha)
-	fp384Add(beta8, beta, beta)
-	fp384Add(beta8, beta8, beta8)
-	fp384Add(beta8, beta8, beta8)
-	fp384Sub(&P.x, &P.x, beta8)
-
-	fp384Add(&P.z, &P.y, &P.z)
-	fp384Sqr(&P.z, &P.z)
-	fp384Sub(&P.z, &P.z, gamma)
-	fp384Sub(&P.z, &P.z, delta)
-
-	fp384Add(beta, beta, beta)
-	fp384Add(beta, beta, beta)
-	fp384Sub(beta, beta, &P.x)
-
-	fp384Mul(&P.y, alpha, beta)
-
-	fp384Sqr(gamma, gamma)
-	fp384Add(gamma, gamma, gamma)
-	fp384Add(gamma, gamma, gamma)
-	fp384Add(gamma, gamma, gamma)
-	fp384Sub(&P.y, &P.y, gamma)
-}
-
-func (P *jacobianPoint) toProjective() *projectivePoint {
-	var hP projectivePoint
-	hP.y = P.y
-	fp384Mul(&hP.x, &P.x, &P.z)
-	fp384Sqr(&hP.z, &P.z)
-	fp384Mul(&hP.z, &hP.z, &P.z)
-	return &hP
-}
-
-// projectivePoint represents a point in projective homogeneous coordinates.
-// The point at infinity is (0,y,0) such that y is different from 0.
-type projectivePoint struct{ p2Point }
-
-func (P *projectivePoint) isZero() bool {
-	zero := fp384{}
-	return P.x == zero && P.y != zero && P.z == zero
-}
-
-func (P *projectivePoint) toAffine() *affinePoint {
-	var aP affinePoint
-	z := &fp384{}
-	fp384Inv(z, &P.z)
-	fp384Mul(&aP.x, &P.x, z)
-	fp384Mul(&aP.y, &P.y, z)
-	return &aP
-}
-
-// add calculates P=Q+R using complete addition formula for prime groups.
-func (P *projectivePoint) completeAdd(Q, R *projectivePoint) {
-	// Reference:
-	//   "Complete addition formulas for prime order elliptic curves" by
-	//   Costello-Renes-Batina. [Alg.4] (eprint.iacr.org/2015/1060).
-	X1, Y1, Z1 := &Q.x, &Q.y, &Q.z
-	X2, Y2, Z2 := &R.x, &R.y, &R.z
-	X3, Y3, Z3 := &fp384{}, &fp384{}, &fp384{}
-	t0, t1, t2, t3, t4 := &fp384{}, &fp384{}, &fp384{}, &fp384{}, &fp384{}
-	fp384Mul(t0, X1, X2)  // 1.  t0 ← X1 · X2
-	fp384Mul(t1, Y1, Y2)  // 2.  t1 ← Y1 · Y2
-	fp384Mul(t2, Z1, Z2)  // 3.  t2 ← Z1 · Z2
-	fp384Add(t3, X1, Y1)  // 4.  t3 ← X1 + Y1
-	fp384Add(t4, X2, Y2)  // 5.  t4 ← X2 + Y2
-	fp384Mul(t3, t3, t4)  // 6.  t3 ← t3 · t4
-	fp384Add(t4, t0, t1)  // 7.  t4 ← t0 + t1
-	fp384Sub(t3, t3, t4)  // 8.  t3 ← t3 − t4
-	fp384Add(t4, Y1, Z1)  // 9.  t4 ← Y1 + Z1
-	fp384Add(X3, Y2, Z2)  // 10. X3 ← Y2 + Z2
-	fp384Mul(t4, t4, X3)  // 11. t4 ← t4 · X3
-	fp384Add(X3, t1, t2)  // 12. X3 ← t1 + t2
-	fp384Sub(t4, t4, X3)  // 13. t4 ← t4 − X3
-	fp384Add(X3, X1, Z1)  // 14. X3 ← X1 + Z1
-	fp384Add(Y3, X2, Z2)  // 15. Y3 ← X2 + Z2
-	fp384Mul(X3, X3, Y3)  // 16. X3 ← X3 · Y3
-	fp384Add(Y3, t0, t2)  // 17. Y3 ← t0 + t2
-	fp384Sub(Y3, X3, Y3)  // 18. Y3 ← X3 − Y3
-	fp384Mul(Z3, &bb, t2) // 19. Z3 ←  b · t2
-	fp384Sub(X3, Y3, Z3)  // 20. X3 ← Y3 − Z3
-	fp384Add(Z3, X3, X3)  // 21. Z3 ← X3 + X3
-	fp384Add(X3, X3, Z3)  // 22. X3 ← X3 + Z3
-	fp384Sub(Z3, t1, X3)  // 23. Z3 ← t1 − X3
-	fp384Add(X3, t1, X3)  // 24. X3 ← t1 + X3
-	fp384Mul(Y3, &bb, Y3) // 25. Y3 ←  b · Y3
-	fp384Add(t1, t2, t2)  // 26. t1 ← t2 + t2
-	fp384Add(t2, t1, t2)  // 27. t2 ← t1 + t2
-	fp384Sub(Y3, Y3, t2)  // 28. Y3 ← Y3 − t2
-	fp384Sub(Y3, Y3, t0)  // 29. Y3 ← Y3 − t0
-	fp384Add(t1, Y3, Y3)  // 30. t1 ← Y3 + Y3
-	fp384Add(Y3, t1, Y3)  // 31. Y3 ← t1 + Y3
-	fp384Add(t1, t0, t0)  // 32. t1 ← t0 + t0
-	fp384Add(t0, t1, t0)  // 33. t0 ← t1 + t0
-	fp384Sub(t0, t0, t2)  // 34. t0 ← t0 − t2
-	fp384Mul(t1, t4, Y3)  // 35. t1 ← t4 · Y3
-	fp384Mul(t2, t0, Y3)  // 36. t2 ← t0 · Y3
-	fp384Mul(Y3, X3, Z3)  // 37. Y3 ← X3 · Z3
-	fp384Add(Y3, Y3, t2)  // 38. Y3 ← Y3 + t2
-	fp384Mul(X3, t3, X3)  // 39. X3 ← t3 · X3
-	fp384Sub(X3, X3, t1)  // 40. X3 ← X3 − t1
-	fp384Mul(Z3, t4, Z3)  // 41. Z3 ← t4 · Z3
-	fp384Mul(t1, t3, t0)  // 42. t1 ← t3 · t0
-	fp384Add(Z3, Z3, t1)  // 43. Z3 ← Z3 + t1
-	P.x, P.y, P.z = *X3, *Y3, *Z3
-}

vendor/github.com/cloudflare/circl/ecc/p384/tableBase.go

@@ -1,331 +0,0 @@
-//go:build (!purego && arm64) || (!purego && amd64)
-// +build !purego,arm64 !purego,amd64
-
-package p384
-
-const baseOmega = uint(7)
-
-// baseOddMultiples has [2*i+1] * G at position i.
-// Each coordinate has been multiplied by R=2^384
-var baseOddMultiples = [1 << (baseOmega - 1)]affinePoint{
-	// 1P
-	{
-		x: fp384{0x28, 0xb5, 0xc0, 0x49, 0x66, 0x75, 0xd0, 0x3d, 0x38, 0xce, 0xd6, 0xa0, 0xe2, 0x78, 0xe3, 0x20, 0x6e, 0x4d, 0x1b, 0x54, 0xfc, 0x3a, 0x9c, 0x87, 0xff, 0xe, 0xa3, 0x59, 0x84, 0x86, 0x54, 0x64, 0x2b, 0xde, 0x4e, 0x61, 0x23, 0xf7, 0x2f, 0x81, 0x13, 0x15, 0x9e, 0x29, 0xc2, 0xad, 0x3a, 0x4d},
-		y: fp384{0xfe, 0xa4, 0x3, 0x4b, 0xad, 0x3d, 0x4, 0x23, 0xac, 0xa9, 0xb4, 0x7b, 0xbf, 0xa8, 0xbf, 0xa1, 0x50, 0xb0, 0x83, 0x2e, 0x56, 0xe7, 0xad, 0x8b, 0xd9, 0xff, 0xf4, 0x68, 0x19, 0x52, 0xc3, 0xc6, 0x40, 0xa8, 0x69, 0x39, 0x26, 0x2, 0x80, 0xdd, 0xe9, 0xc5, 0x15, 0x5a, 0xc2, 0xab, 0x78, 0x2b},
-	},
-	// 3P
-	{
-		x: fp384{0x73, 0x40, 0xdc, 0xc1, 0xe6, 0xdb, 0xe4, 0x5, 0x9c, 0x77, 0x4f, 0xf0, 0xff, 0xa9, 0x4e, 0xc5, 0xf0, 0xcc, 0x70, 0xa1, 0xe9, 0x34, 0x20, 0x6b, 0x3e, 0x6c, 0x1c, 0xd5, 0x32, 0xd7, 0x48, 0x3a, 0x70, 0xa4, 0x3a, 0x26, 0x2d, 0x7e, 0x6f, 0xe3, 0xac, 0xc3, 0xc1, 0xe7, 0x68, 0xfe, 0x83, 0xd2},
-		y: fp384{0x57, 0xe1, 0x4e, 0xc0, 0x21, 0x48, 0x28, 0x7e, 0x6d, 0xe3, 0xe0, 0x7a, 0xa7, 0x89, 0xd7, 0x92, 0x46, 0x74, 0xf6, 0x4e, 0xc0, 0x63, 0x26, 0x13, 0xb4, 0xd0, 0xe1, 0xd2, 0x5a, 0x2d, 0x1, 0x68, 0x39, 0xb3, 0x2, 0x51, 0xb1, 0x68, 0xdb, 0xf6, 0xaf, 0x92, 0x32, 0x98, 0xfc, 0x65, 0x54, 0x46},
-	},
-	// 5P
-	{
-		x: fp384{0xdf, 0xf0, 0xf1, 0x68, 0xba, 0x5e, 0x59, 0xbb, 0x66, 0x34, 0x87, 0xcc, 0xcb, 0xc0, 0x85, 0xc1, 0x3b, 0x70, 0x3c, 0x29, 0xb5, 0xb1, 0x1e, 0x7f, 0xe6, 0x5, 0xcc, 0xaa, 0xf5, 0x2c, 0xdb, 0x60, 0xc6, 0xe4, 0xe8, 0xe2, 0x87, 0xb9, 0x76, 0xc6, 0xfb, 0x8f, 0x17, 0x1d, 0xb1, 0x26, 0xbb, 0xe1},
-		y: fp384{0x21, 0xfa, 0x73, 0x70, 0xa0, 0x4b, 0x69, 0x2b, 0x66, 0x45, 0xf3, 0x72, 0x2e, 0x6e, 0xc1, 0x22, 0x99, 0x5b, 0xc3, 0x1, 0x31, 0x1b, 0xb6, 0x80, 0x11, 0x4, 0x2c, 0x98, 0xaf, 0x7f, 0x23, 0x4b, 0x6d, 0x23, 0xde, 0x24, 0x40, 0x94, 0xc5, 0xe6, 0xa3, 0xe4, 0x9, 0xe2, 0xd6, 0xc9, 0xb1, 0x4d},
-	},
-	// 7P
-	{
-		x: fp384{0x2b, 0x22, 0x69, 0x7d, 0xd1, 0xb9, 0x13, 0xdf, 0xb1, 0x74, 0x47, 0x87, 0x5f, 0x41, 0xe6, 0x4c, 0x95, 0xaa, 0x1f, 0x21, 0xf8, 0xdc, 0x1e, 0x73, 0xed, 0x53, 0x97, 0x65, 0xd1, 0x15, 0x42, 0x5f, 0x55, 0xdf, 0xb2, 0x9d, 0x58, 0xdb, 0x93, 0xf8, 0x5b, 0x2, 0x89, 0x1c, 0x81, 0x9f, 0x2c, 0x93},
-		y: fp384{0x1e, 0xa6, 0x6, 0x77, 0x20, 0xb2, 0x96, 0x9, 0x79, 0x1c, 0x64, 0xa8, 0xd5, 0x49, 0x53, 0x13, 0x44, 0x8, 0x13, 0x50, 0x6f, 0xd7, 0xaa, 0x65, 0x80, 0xf7, 0xff, 0x1, 0x4, 0x7c, 0xf3, 0xf, 0x6, 0x7, 0x3b, 0x69, 0x8e, 0x23, 0x7f, 0xf5, 0x3e, 0x9b, 0x6c, 0xaf, 0xb6, 0x16, 0xa, 0xd9},
-	},
-	// 9P
-	{
-		x: fp384{0x2f, 0xb9, 0x53, 0x23, 0xe, 0x20, 0x5d, 0x2f, 0xf9, 0xe4, 0xd7, 0x3f, 0x29, 0x87, 0x5d, 0xe3, 0x5d, 0x74, 0x6d, 0xa9, 0x33, 0x48, 0x9, 0x26, 0x3f, 0xff, 0xbf, 0x3c, 0xc1, 0x1d, 0x35, 0xdc, 0x6a, 0x4d, 0xd5, 0xda, 0xc6, 0x64, 0xd4, 0x26, 0x6a, 0x6c, 0x63, 0x53, 0x1d, 0x1d, 0xab, 0x5c},
-		y: fp384{0xb0, 0xc0, 0x8e, 0xb1, 0x72, 0x30, 0x81, 0xf2, 0x2f, 0xaa, 0x42, 0xd7, 0x70, 0xe2, 0x77, 0x37, 0xc2, 0xa7, 0x3c, 0x3, 0xc7, 0x61, 0xf0, 0x27, 0xd8, 0xd0, 0xea, 0x68, 0xcc, 0xac, 0xec, 0xa6, 0x54, 0xa7, 0x69, 0xee, 0xf4, 0x29, 0x94, 0x7d, 0xc6, 0xf5, 0xe8, 0x31, 0x34, 0x63, 0x70, 0xe7},
-	},
-	// 11P
-	{
-		x: fp384{0x7d, 0x8c, 0x8b, 0xb6, 0x19, 0x8b, 0x70, 0xc7, 0xba, 0x7a, 0x37, 0x44, 0x7c, 0x7, 0x32, 0x45, 0x4f, 0xd6, 0xda, 0x6c, 0x70, 0x67, 0xcc, 0xd, 0x2, 0x66, 0x7b, 0x14, 0x56, 0xbf, 0xb8, 0x1, 0x79, 0x1d, 0x56, 0xf0, 0x85, 0x98, 0xd8, 0xf8, 0x37, 0xc4, 0xa9, 0x7b, 0xfc, 0xe9, 0x19, 0x9c},
-		y: fp384{0x25, 0xba, 0xc4, 0xbd, 0x46, 0xb1, 0x4e, 0x76, 0x83, 0x4b, 0x14, 0xac, 0x6b, 0xe4, 0x4f, 0x60, 0x80, 0xe7, 0x77, 0x8a, 0x29, 0x13, 0xe8, 0x3c, 0x2e, 0x68, 0x9e, 0xfe, 0x36, 0xf, 0x7, 0x2e, 0x7a, 0x28, 0x53, 0x3a, 0xc, 0x1d, 0x82, 0x41, 0x18, 0xf9, 0x33, 0x35, 0x9f, 0x2f, 0xa6, 0x9a},
-	},
-	// 13P
-	{
-		x: fp384{0xfb, 0xbd, 0xcc, 0x75, 0x7e, 0xeb, 0x7a, 0x9b, 0x95, 0x9a, 0x74, 0xf6, 0xc5, 0x28, 0x5e, 0xb2, 0xae, 0xd4, 0xb7, 0x33, 0x46, 0x8e, 0x7a, 0x8a, 0x56, 0xbd, 0xc1, 0xd9, 0xa8, 0x3, 0x52, 0xdb, 0x97, 0xdf, 0x22, 0xed, 0x65, 0x72, 0x65, 0xd2, 0x94, 0x3c, 0xf2, 0x8c, 0xe1, 0x56, 0x1c, 0xb5},
-		y: fp384{0x2d, 0x81, 0x3d, 0x6c, 0x59, 0x94, 0xd3, 0xf4, 0xc2, 0xe0, 0xca, 0x87, 0x1a, 0x8f, 0xe8, 0xd8, 0xe3, 0xf, 0x4d, 0xcf, 0x48, 0x2a, 0x9a, 0x78, 0x60, 0x8d, 0xc3, 0xfe, 0x2d, 0xac, 0xfe, 0xb7, 0xc3, 0xe, 0x49, 0x3b, 0x1c, 0xbd, 0xfd, 0x81, 0xe1, 0x79, 0x69, 0xcc, 0xb7, 0xad, 0x17, 0x46},
-	},
-	// 15P
-	{
-		x: fp384{0xa9, 0xf4, 0x9, 0x47, 0x88, 0xd8, 0x6a, 0x44, 0xd8, 0xab, 0x3d, 0xec, 0xe2, 0x10, 0x72, 0x2b, 0x34, 0x7b, 0xe0, 0x50, 0x95, 0xf1, 0xcc, 0x83, 0x75, 0x30, 0x9b, 0x78, 0x17, 0x9, 0x50, 0x59, 0x93, 0x59, 0x8, 0xeb, 0xd4, 0x1f, 0xc0, 0xf, 0x6b, 0x2, 0x3, 0x49, 0x6f, 0xd2, 0x62, 0xfb},
-		y: fp384{0xbb, 0x89, 0xe9, 0x6f, 0x9d, 0xcc, 0x9, 0x23, 0x86, 0xd5, 0x4b, 0x14, 0xbd, 0x9c, 0x60, 0x61, 0xc, 0x61, 0x6, 0xde, 0xa0, 0xd3, 0x23, 0x4b, 0x70, 0xf4, 0x98, 0xd8, 0x66, 0x28, 0xdc, 0xdd, 0x97, 0x57, 0xc, 0x40, 0x41, 0xfc, 0x33, 0x87, 0x16, 0x27, 0xbc, 0xd0, 0xfe, 0xc6, 0x68, 0x5a},
-	},
-	// 17P
-	{
-		x: fp384{0xd0, 0x3c, 0x4a, 0x4b, 0x30, 0xe1, 0x3, 0x89, 0x3e, 0xf4, 0xf1, 0x8f, 0x4c, 0xea, 0xa4, 0x3e, 0xd, 0xa1, 0x55, 0xf6, 0x2a, 0x3f, 0xfc, 0xe6, 0xfc, 0xfe, 0x4f, 0x52, 0x7d, 0x73, 0xe3, 0x7b, 0x5e, 0x45, 0x30, 0x53, 0x55, 0x28, 0x69, 0x9f, 0x70, 0xce, 0x75, 0xe4, 0x6e, 0x16, 0x4f, 0x52},
-		y: fp384{0x55, 0xf0, 0x12, 0x6c, 0xcd, 0x69, 0xcc, 0x3f, 0xda, 0xc0, 0xb9, 0xd5, 0xff, 0xb6, 0x23, 0x4e, 0x83, 0xf1, 0x6b, 0x33, 0x93, 0x69, 0xce, 0x49, 0x4a, 0x50, 0x54, 0x4a, 0x85, 0x6d, 0x7d, 0xf8, 0x7a, 0x67, 0xc2, 0xb3, 0xf1, 0x5d, 0xeb, 0x25, 0xc9, 0x64, 0xb1, 0x55, 0x6f, 0x98, 0x37, 0xac},
-	},
-	// 19P
-	{
-		x: fp384{0x8, 0x4c, 0xa8, 0xba, 0x4a, 0xed, 0xa2, 0x82, 0x12, 0xc9, 0xa8, 0x41, 0x5f, 0xcc, 0xc4, 0x22, 0x5e, 0xad, 0x4a, 0x15, 0x3b, 0x9c, 0x10, 0xca, 0x8e, 0x53, 0x38, 0xfc, 0x98, 0x12, 0x89, 0x23, 0xae, 0x2, 0x98, 0x53, 0x9c, 0x63, 0xb6, 0xb3, 0x6, 0xd7, 0x90, 0x3, 0x45, 0x1f, 0xf, 0xfa},
-		y: fp384{0xd0, 0x21, 0xdc, 0xb0, 0x5d, 0x8e, 0xb7, 0x46, 0xac, 0x2e, 0xda, 0xc3, 0x3c, 0x2d, 0xc7, 0xa8, 0x43, 0xf6, 0xf2, 0x6f, 0x78, 0xb3, 0x70, 0x91, 0xc3, 0x30, 0x7f, 0xb6, 0x9b, 0x79, 0x5a, 0x3f, 0x72, 0xb6, 0x64, 0x82, 0x77, 0xdc, 0xd1, 0x15, 0x64, 0x77, 0x57, 0xe9, 0x23, 0x7b, 0xd4, 0xa1},
-	},
-	// 21P
-	{
-		x: fp384{0x2f, 0xce, 0x22, 0x4, 0x51, 0x5e, 0x26, 0x8, 0x21, 0x9e, 0x2f, 0xdd, 0x96, 0xd4, 0xe0, 0x88, 0x5d, 0xf7, 0x77, 0x61, 0xa0, 0x8a, 0x12, 0x30, 0x69, 0xbe, 0x9e, 0xbd, 0x62, 0xab, 0x59, 0x2e, 0x37, 0xe5, 0xf0, 0x5d, 0x6c, 0xf, 0x1a, 0x1b, 0xb5, 0x12, 0xc0, 0xda, 0x26, 0xc6, 0x16, 0xab},
-		y: fp384{0xe7, 0x5d, 0x8c, 0x0, 0x4b, 0x21, 0x14, 0x80, 0xea, 0x7b, 0xf1, 0x38, 0x9e, 0xa, 0x74, 0xaa, 0x98, 0x90, 0x14, 0x8a, 0x49, 0xbb, 0x2e, 0x26, 0x59, 0xcd, 0x27, 0x85, 0x1e, 0x11, 0x54, 0xb4, 0x17, 0x58, 0xea, 0xac, 0x5a, 0xd1, 0x6a, 0x26, 0xba, 0xcc, 0x53, 0x13, 0x41, 0x4f, 0x82, 0x21},
-	},
-	// 23P
-	{
-		x: fp384{0x3b, 0x68, 0xe3, 0x12, 0x4d, 0xe7, 0xb4, 0xd1, 0xf6, 0x8e, 0x9b, 0x56, 0xb, 0xd2, 0xe, 0x99, 0x18, 0xa, 0x9c, 0x42, 0x25, 0xdd, 0xd3, 0xb9, 0x83, 0x17, 0x35, 0x2a, 0xab, 0xb8, 0x75, 0x1c, 0xf0, 0x32, 0x54, 0x90, 0x2b, 0xca, 0xe4, 0x61, 0x24, 0xf2, 0xa8, 0xee, 0x69, 0x6a, 0x82, 0x80},
-		y: fp384{0xad, 0xab, 0x52, 0xec, 0x6b, 0x3a, 0xc3, 0x7f, 0x13, 0x48, 0x5e, 0xa6, 0xf0, 0xa3, 0xcc, 0xb, 0xbe, 0xce, 0x27, 0xa5, 0x32, 0xa1, 0xd8, 0x7a, 0x7e, 0x2c, 0xf2, 0xea, 0x50, 0x89, 0x13, 0xf0, 0xc1, 0x18, 0x67, 0x56, 0x37, 0x24, 0x2d, 0x28, 0x59, 0x25, 0x21, 0xe2, 0xd, 0xcb, 0xfc, 0x9d},
-	},
-	// 25P
-	{
-		x: fp384{0x83, 0x3b, 0xce, 0x58, 0x27, 0x72, 0x93, 0x1e, 0x36, 0xfb, 0xb3, 0x3c, 0xfa, 0xd, 0x28, 0xbb, 0x4a, 0x17, 0xbe, 0xe2, 0xd2, 0xf3, 0xd0, 0x57, 0x1e, 0xbe, 0x8a, 0x20, 0x99, 0x1b, 0xd5, 0x9b, 0x24, 0x80, 0x24, 0xde, 0x50, 0xab, 0x9, 0x38, 0x31, 0x73, 0xbb, 0xa5, 0x2c, 0x6e, 0x9c, 0xc2},
-		y: fp384{0x5, 0x4f, 0x12, 0x61, 0x2e, 0xfd, 0x44, 0x99, 0x91, 0xe3, 0x9, 0x90, 0x4e, 0xbc, 0xcc, 0x83, 0xcc, 0xa3, 0x24, 0x94, 0x5, 0x8f, 0x62, 0x1, 0x44, 0x43, 0x8e, 0xea, 0x1d, 0xf5, 0xa2, 0xd6, 0x6e, 0xc9, 0xeb, 0x4c, 0x3d, 0x1a, 0x3e, 0xda, 0xdc, 0x9, 0x78, 0xe9, 0x42, 0xfb, 0xe6, 0x1f},
-	},
-	// 27P
-	{
-		x: fp384{0xe4, 0x66, 0x7d, 0x46, 0xd2, 0x82, 0x44, 0xa0, 0x1d, 0x29, 0x78, 0x4d, 0x93, 0x12, 0x19, 0xcf, 0xf9, 0x96, 0x23, 0x48, 0x68, 0x41, 0xd, 0x8e, 0xd0, 0x14, 0x8f, 0xd1, 0xd5, 0xe2, 0x28, 0x72, 0xfe, 0x58, 0x6a, 0x9c, 0x50, 0x8d, 0x7e, 0x2f, 0xec, 0x5a, 0x3e, 0x37, 0xe, 0x78, 0xca, 0xe8},
-		y: fp384{0xf8, 0xe9, 0x68, 0x1b, 0xd6, 0xd1, 0xaa, 0x42, 0xf4, 0xf8, 0xe2, 0x69, 0xf5, 0xd7, 0xa6, 0x58, 0xea, 0x1b, 0xda, 0x31, 0xfe, 0xad, 0x79, 0xd7, 0x85, 0x5a, 0xc8, 0x38, 0x6, 0x54, 0x26, 0x7d, 0xdf, 0x3c, 0x4d, 0xd4, 0x95, 0x71, 0xe6, 0x67, 0xd7, 0x4e, 0x13, 0xc5, 0xb, 0xa, 0x82, 0x17},
-	},
-	// 29P
-	{
-		x: fp384{0x70, 0x14, 0x2, 0xd3, 0xc5, 0x6a, 0x9d, 0x1, 0xd6, 0x43, 0x4, 0x78, 0x66, 0x6b, 0x84, 0x25, 0x47, 0x76, 0xc9, 0x55, 0xed, 0x15, 0x3c, 0xce, 0xf, 0xeb, 0x3f, 0xe, 0x49, 0x2d, 0xc2, 0x3d, 0xe4, 0x26, 0xdf, 0xa7, 0xcb, 0xb7, 0x65, 0x20, 0x1f, 0xea, 0x7c, 0x18, 0xe8, 0xa, 0xb0, 0xc8},
-		y: fp384{0xd3, 0xde, 0x5d, 0x86, 0xa0, 0x84, 0x52, 0x1a, 0xe2, 0x3d, 0xc8, 0x20, 0x49, 0x16, 0x3c, 0x29, 0xb3, 0x51, 0xe8, 0xcc, 0x26, 0x8d, 0x17, 0xab, 0xfb, 0x5, 0x45, 0x40, 0xb, 0xb1, 0x6d, 0x8e, 0x33, 0x20, 0xc8, 0x90, 0x71, 0x7e, 0xf5, 0xf6, 0x6c, 0xf1, 0x77, 0x59, 0x1, 0x1c, 0x2a, 0x1d},
-	},
-	// 31P
-	{
-		x: fp384{0xa4, 0x6, 0x89, 0x7c, 0x31, 0x89, 0x9c, 0xa3, 0xe6, 0x1e, 0x82, 0x9e, 0xdd, 0xec, 0xe7, 0xb6, 0xe6, 0x4f, 0xdf, 0xf0, 0x40, 0x83, 0xcf, 0x2e, 0x65, 0x49, 0xc1, 0x53, 0xc9, 0x7d, 0x2f, 0xd4, 0x85, 0x82, 0xba, 0xe3, 0xa3, 0x51, 0xfb, 0x1a, 0xd1, 0x5, 0x33, 0xa, 0x4, 0xc4, 0x7, 0x6c},
-		y: fp384{0xda, 0xc1, 0x7f, 0x12, 0x88, 0x32, 0xb8, 0xda, 0x8, 0x4b, 0x4c, 0x37, 0x9b, 0x69, 0xa, 0xbc, 0xdd, 0x20, 0xeb, 0x42, 0xab, 0x9b, 0x2a, 0x40, 0x1c, 0x7a, 0x5a, 0x4, 0x4f, 0x46, 0xdd, 0xd7, 0xc4, 0xec, 0xbe, 0x36, 0x6d, 0xd, 0x3d, 0x5b, 0x9d, 0xa1, 0x98, 0x63, 0x75, 0x3e, 0x5a, 0x47},
-	},
-	// 33P
-	{
-		x: fp384{0x63, 0xba, 0xb3, 0x2f, 0x38, 0x3a, 0x33, 0x61, 0x86, 0x3c, 0x94, 0x5b, 0x9d, 0xd, 0x33, 0xdf, 0xaf, 0xf3, 0x5e, 0x95, 0xee, 0xc7, 0xc7, 0xbb, 0xfb, 0x9e, 0xf0, 0x60, 0xc1, 0x1f, 0x63, 0xda, 0x0, 0xc4, 0xd5, 0x41, 0x26, 0x62, 0xaf, 0x68, 0x9d, 0x3e, 0x83, 0x6c, 0xa4, 0x97, 0x9e, 0xcc},
-		y: fp384{0x76, 0x5e, 0x62, 0x3a, 0x8e, 0x3e, 0xd7, 0x7f, 0x5e, 0xe5, 0x9, 0xc2, 0x24, 0x61, 0xbf, 0x13, 0x91, 0xb, 0xb9, 0x48, 0xea, 0x7c, 0x46, 0x8, 0xba, 0xa, 0x6f, 0xbb, 0xb9, 0x6e, 0x41, 0x8a, 0x72, 0x10, 0xc3, 0xb8, 0xa1, 0x93, 0xcc, 0x6f, 0xd7, 0xda, 0x57, 0x90, 0x61, 0x2b, 0xfd, 0xa7},
-	},
-	// 35P
-	{
-		x: fp384{0x9b, 0xec, 0x20, 0x37, 0x43, 0xb5, 0xa5, 0x58, 0xb4, 0x2f, 0x7c, 0x2d, 0xd5, 0x0, 0x38, 0xbb, 0xa, 0xbd, 0xe6, 0xdd, 0x20, 0x86, 0x50, 0x4a, 0xfd, 0x83, 0x25, 0xa0, 0x73, 0x62, 0xf1, 0x65, 0x23, 0x85, 0xc7, 0x4f, 0xe3, 0xd8, 0x2b, 0x83, 0xc6, 0x7b, 0x41, 0xe9, 0x75, 0x9f, 0x14, 0xd6},
-		y: fp384{0x2a, 0xb5, 0xee, 0x3d, 0xe9, 0x26, 0xb0, 0xfe, 0x56, 0x9, 0x5e, 0xa5, 0x88, 0x80, 0xe1, 0xc, 0xa2, 0x92, 0x80, 0x98, 0x98, 0x89, 0x1, 0x50, 0xee, 0x5e, 0xf3, 0x28, 0xab, 0x9f, 0xf1, 0x22, 0x5c, 0xd3, 0xcc, 0x52, 0x7f, 0x87, 0x8a, 0xac, 0x26, 0x3f, 0xe2, 0x30, 0xd8, 0x8a, 0x3a, 0xb1},
-	},
-	// 37P
-	{
-		x: fp384{0xa3, 0x61, 0x4f, 0xe4, 0x7d, 0xd5, 0x2, 0x2, 0xf2, 0xe, 0x63, 0xb5, 0x4b, 0x70, 0x27, 0x40, 0x5d, 0x4a, 0xb5, 0xf5, 0xdf, 0xe2, 0x29, 0xa1, 0x86, 0x2b, 0x48, 0x97, 0x75, 0xa, 0xb6, 0xac, 0x14, 0x71, 0xf2, 0x7e, 0xe8, 0xed, 0x61, 0x92, 0xb5, 0x58, 0xfc, 0xde, 0xf3, 0x28, 0xba, 0x1e},
-		y: fp384{0x9e, 0x58, 0xe5, 0x8b, 0xc9, 0xc0, 0x91, 0x6c, 0xee, 0x4b, 0x59, 0x14, 0xd5, 0x43, 0x16, 0x2f, 0x34, 0xa0, 0x2c, 0x5d, 0x43, 0x12, 0xa9, 0x2e, 0x1f, 0x7d, 0x4, 0x94, 0xa8, 0x49, 0x6, 0xb5, 0x37, 0xa3, 0x8c, 0x63, 0xb5, 0xcb, 0x4f, 0x28, 0x85, 0xbf, 0x85, 0xfe, 0xb7, 0x7, 0xe, 0xfa},
-	},
-	// 39P
-	{
-		x: fp384{0x42, 0xe, 0x6e, 0x50, 0x80, 0x4f, 0x89, 0x7d, 0x46, 0x2c, 0x3d, 0x8e, 0x4a, 0x24, 0x84, 0xd9, 0x6f, 0x0, 0x7f, 0x2b, 0x64, 0xdf, 0x7e, 0x6d, 0x30, 0x62, 0x9b, 0xde, 0x6d, 0xcd, 0xa1, 0x36, 0x65, 0x6, 0x6c, 0xb7, 0x40, 0x50, 0x98, 0xc9, 0xc2, 0x1f, 0x9b, 0xb8, 0xd6, 0xf4, 0x7d, 0x58},
-		y: fp384{0x7a, 0xae, 0x71, 0x6a, 0x47, 0x38, 0x6, 0x4c, 0x47, 0x47, 0x29, 0xe8, 0xb3, 0xa, 0x2b, 0x7b, 0xb8, 0x53, 0x31, 0xb5, 0x3a, 0x55, 0x5c, 0x34, 0xe2, 0x9f, 0x6d, 0x43, 0x53, 0xe4, 0x46, 0xb6, 0x40, 0x3, 0xd6, 0x1c, 0x5f, 0x35, 0x95, 0x1a, 0xfb, 0x68, 0x49, 0x7, 0x28, 0xc1, 0x7b, 0x2d},
-	},
-	// 41P
-	{
-		x: fp384{0x4c, 0xd1, 0xa6, 0xbc, 0x87, 0x8e, 0x14, 0xad, 0x1e, 0x20, 0x6a, 0x45, 0x4d, 0xd2, 0xdf, 0x41, 0xf3, 0x68, 0xd, 0xa8, 0x33, 0x29, 0xa8, 0x73, 0x35, 0xa0, 0x2c, 0x85, 0x8d, 0x6c, 0x74, 0x89, 0xae, 0x71, 0xfd, 0x95, 0x88, 0x77, 0xbc, 0xe3, 0x5d, 0x24, 0x92, 0xda, 0x2c, 0xcd, 0x64, 0x87},
-		y: fp384{0xe2, 0x23, 0xeb, 0x82, 0x47, 0x2c, 0xfe, 0xa2, 0x6e, 0x9d, 0x3c, 0xf, 0xe0, 0x62, 0xc7, 0x5a, 0x31, 0x6f, 0x64, 0x21, 0xe1, 0xc, 0x86, 0x57, 0x9a, 0x58, 0x9f, 0x4f, 0xc3, 0xd6, 0xc9, 0xbd, 0x2e, 0x27, 0x93, 0xd1, 0xc7, 0x52, 0x99, 0x67, 0xc5, 0xf1, 0x18, 0xeb, 0x2e, 0x70, 0xea, 0x82},
-	},
-	// 43P
-	{
-		x: fp384{0x44, 0x6d, 0x84, 0x0, 0x55, 0x93, 0xfa, 0x37, 0x8c, 0xbc, 0x78, 0x5, 0xc5, 0x2f, 0x11, 0x9, 0x3d, 0x94, 0xc4, 0x39, 0xb2, 0xf5, 0xd9, 0xda, 0x86, 0xbd, 0x6d, 0x41, 0xf0, 0xf5, 0x14, 0x73, 0x56, 0xfb, 0xfe, 0x1, 0xa9, 0x95, 0xf0, 0x5c, 0x93, 0xb3, 0xda, 0x22, 0xad, 0x8b, 0x17, 0x35},
-		y: fp384{0xa7, 0xf1, 0xba, 0x36, 0x1b, 0xfc, 0x79, 0xcf, 0x98, 0x54, 0x9e, 0x74, 0x2d, 0xe4, 0x7e, 0x1b, 0xbb, 0x14, 0xe3, 0xed, 0xa9, 0x8a, 0xe7, 0xbc, 0xdf, 0x28, 0x6, 0xbd, 0xf6, 0xe0, 0xf8, 0xaa, 0x48, 0xf9, 0xcb, 0x15, 0x94, 0xb0, 0x74, 0xa9, 0x78, 0x2b, 0x63, 0xc9, 0x63, 0x1f, 0x3f, 0x8f},
-	},
-	// 45P
-	{
-		x: fp384{0x5b, 0xda, 0xdd, 0x4f, 0x56, 0x11, 0xc4, 0xd4, 0x12, 0x91, 0xad, 0x73, 0xc6, 0x65, 0xaf, 0xd4, 0x59, 0x8f, 0xeb, 0x39, 0xbb, 0xe0, 0xe8, 0xff, 0x13, 0xcf, 0x6f, 0x8d, 0xe, 0xc, 0x4, 0xb0, 0x99, 0xb5, 0x2b, 0x1f, 0xc6, 0xc0, 0xe1, 0x99, 0x5, 0x34, 0xac, 0xb2, 0x58, 0xc8, 0x94, 0x9c},
-		y: fp384{0x5d, 0xd8, 0xee, 0x6e, 0xd7, 0x78, 0x88, 0x8f, 0x3f, 0xca, 0xfc, 0x51, 0x43, 0xf5, 0xb2, 0x62, 0x18, 0x69, 0xb5, 0xe5, 0xa9, 0x44, 0x3b, 0xeb, 0x93, 0x4e, 0x23, 0xb7, 0x76, 0x66, 0xf9, 0x16, 0x9e, 0xf1, 0x2a, 0xbd, 0x22, 0x77, 0x47, 0x17, 0x85, 0xa4, 0x83, 0xdb, 0x79, 0x29, 0xeb, 0x42},
-	},
-	// 47P
-	{
-		x: fp384{0xca, 0x68, 0xc6, 0xf0, 0x7d, 0x8f, 0x88, 0x6f, 0x6c, 0xc6, 0xd, 0x5f, 0x78, 0x88, 0xc7, 0x65, 0xa0, 0x7, 0x5b, 0x5f, 0x12, 0x85, 0xb1, 0xbf, 0xd0, 0xac, 0x78, 0xd8, 0xf7, 0xbf, 0xa, 0x78, 0x50, 0xf9, 0xc, 0x57, 0xb1, 0x21, 0x4f, 0x50, 0x71, 0x33, 0x23, 0xda, 0xc5, 0x37, 0x5b, 0xea},
-		y: fp384{0xd1, 0x7e, 0x43, 0x22, 0xbd, 0xe8, 0x7a, 0x48, 0xb7, 0xf9, 0x9c, 0x24, 0x58, 0x17, 0x70, 0x9c, 0xff, 0x34, 0xfb, 0x98, 0xa8, 0x62, 0x65, 0xf8, 0x91, 0xfc, 0xe0, 0x65, 0xa2, 0xa1, 0xee, 0xdf, 0x23, 0xfc, 0x20, 0x2e, 0x91, 0x6, 0xf0, 0xee, 0x8b, 0x2a, 0xa7, 0xdf, 0xc7, 0xfe, 0x9d, 0xac},
-	},
-	// 49P
-	{
-		x: fp384{0xc6, 0x36, 0x71, 0x69, 0xef, 0x3a, 0x5c, 0xfa, 0xb8, 0x6f, 0xea, 0xa5, 0x63, 0xaf, 0xa5, 0x8e, 0xa4, 0x65, 0xe3, 0x42, 0x65, 0x15, 0x69, 0xa6, 0x86, 0x33, 0x6e, 0x5b, 0x11, 0x6c, 0xc5, 0x47, 0x56, 0x3f, 0xa0, 0xce, 0x2b, 0x83, 0x97, 0x11, 0x9e, 0xea, 0xe4, 0x50, 0xb2, 0xb, 0x47, 0xb},
-		y: fp384{0x12, 0x57, 0xb2, 0x13, 0x43, 0xc7, 0x13, 0x31, 0x48, 0x7d, 0x49, 0xd2, 0x4e, 0x17, 0x6c, 0x8d, 0xe8, 0xeb, 0xc9, 0x49, 0xee, 0x86, 0x44, 0xfc, 0xd3, 0xbd, 0x82, 0x7f, 0xd5, 0xed, 0x87, 0x24, 0x2f, 0xbe, 0x57, 0x5b, 0x41, 0x64, 0x1e, 0x77, 0xdb, 0x2b, 0x8b, 0xe2, 0x18, 0xc5, 0x1c, 0x2d},
-	},
-	// 51P
-	{
-		x: fp384{0x8d, 0xac, 0x70, 0x20, 0xc7, 0xca, 0x4c, 0x2c, 0xb8, 0x22, 0x4a, 0xec, 0xca, 0xc0, 0x47, 0x19, 0xd9, 0x78, 0x5a, 0x8c, 0x59, 0xfb, 0xe0, 0xa5, 0xe7, 0x4d, 0xa8, 0x41, 0xd2, 0xe8, 0x4a, 0x46, 0x27, 0xbc, 0xaa, 0xda, 0xe9, 0x16, 0xba, 0x3d, 0x3c, 0xcb, 0x35, 0x4f, 0x50, 0x4a, 0x63, 0x16},
-		y: fp384{0x4f, 0xc8, 0x6e, 0xb1, 0xf9, 0x8b, 0xc1, 0xad, 0x35, 0xdd, 0x59, 0x73, 0x7e, 0x6, 0x4d, 0x32, 0xf0, 0x43, 0x5, 0x57, 0xc3, 0xc0, 0xea, 0xda, 0x36, 0x7d, 0x88, 0x3c, 0x0, 0x40, 0x22, 0xb, 0xd, 0x1a, 0x3f, 0x37, 0xe2, 0x89, 0x94, 0xc6, 0x97, 0xd, 0xaa, 0xcb, 0x7d, 0x4, 0x8b, 0x51},
-	},
-	// 53P
-	{
-		x: fp384{0xef, 0x49, 0xde, 0xfb, 0xc6, 0xdd, 0x1b, 0x3b, 0xcc, 0x15, 0x9, 0x8a, 0x26, 0x7c, 0xed, 0xda, 0xa2, 0x22, 0x4, 0xf, 0x61, 0x10, 0x1, 0xb, 0x16, 0x4b, 0xc5, 0xa7, 0x74, 0x5c, 0x48, 0xcf, 0xe2, 0xaa, 0xc3, 0x15, 0xe6, 0xc4, 0x2e, 0x64, 0xea, 0x83, 0xf3, 0xe0, 0x10, 0x8f, 0xba, 0xa8},
-		y: fp384{0x1, 0x85, 0x61, 0x95, 0xb4, 0x54, 0x20, 0x2a, 0x8b, 0xfa, 0x9e, 0x8, 0x42, 0x64, 0xec, 0xeb, 0x3e, 0xa8, 0x2f, 0x4e, 0x9a, 0xa1, 0x86, 0x57, 0x63, 0x99, 0x6, 0x39, 0xd1, 0x1a, 0xc7, 0xd2, 0xe2, 0x65, 0x17, 0x48, 0x9a, 0x3d, 0xc9, 0xad, 0x85, 0x94, 0xcc, 0x7e, 0xeb, 0xe3, 0xf2, 0xed},
-	},
-	// 55P
-	{
-		x: fp384{0x67, 0x33, 0x9f, 0x6, 0x60, 0x5f, 0xab, 0xbc, 0x3c, 0xec, 0x18, 0x17, 0xbc, 0x22, 0x66, 0xfd, 0xd6, 0x42, 0xa1, 0xe3, 0x67, 0x78, 0xfb, 0xa4, 0xb3, 0xae, 0x5f, 0x8, 0xbf, 0xd8, 0x78, 0x60, 0x4f, 0x55, 0xf4, 0x60, 0xda, 0xbf, 0x5c, 0xfa, 0x8, 0xd4, 0xc, 0x69, 0xd1, 0xd5, 0xfc, 0xb3},
-		y: fp384{0x84, 0x78, 0x1f, 0x28, 0x7d, 0xee, 0xbd, 0x4e, 0xa7, 0x63, 0xa, 0x18, 0xaa, 0x23, 0xaf, 0x82, 0x61, 0x9f, 0x7, 0x3d, 0x7c, 0x10, 0xe3, 0x8d, 0xf8, 0x34, 0x23, 0xbe, 0xcb, 0xb5, 0xc6, 0x17, 0x6, 0xfa, 0xd0, 0x97, 0x39, 0xe7, 0x91, 0x6a, 0xd4, 0xee, 0xce, 0x14, 0x73, 0x25, 0x60, 0x74},
-	},
-	// 57P
-	{
-		x: fp384{0x5c, 0x86, 0x7f, 0xf9, 0x1c, 0xa6, 0x4b, 0xb1, 0xd, 0x8b, 0x4b, 0x69, 0xc1, 0xe4, 0xba, 0x73, 0x62, 0xbf, 0x4b, 0xac, 0xdf, 0x67, 0x49, 0xa1, 0xe0, 0x46, 0xf4, 0x9b, 0x50, 0xd1, 0x9d, 0x1e, 0xef, 0xce, 0x99, 0x1c, 0xeb, 0xf3, 0x52, 0xc0, 0x89, 0xc1, 0x78, 0x7a, 0xa0, 0x7f, 0x4d, 0x81},
-		y: fp384{0x5d, 0xb0, 0x74, 0xab, 0x83, 0xa4, 0x1, 0xa1, 0x65, 0x7b, 0x73, 0xa1, 0x58, 0xc2, 0x88, 0x77, 0x3c, 0xa1, 0x9, 0xe8, 0xb7, 0xba, 0x60, 0xd, 0x5b, 0x1d, 0xc8, 0x73, 0xc4, 0x7b, 0x42, 0x8f, 0xfc, 0xc1, 0x52, 0x29, 0x55, 0x30, 0xe1, 0xd2, 0x63, 0xdf, 0x26, 0x4b, 0x9a, 0x3b, 0x82, 0xa},
-	},
-	// 59P
-	{
-		x: fp384{0xc9, 0x64, 0xbf, 0x27, 0xe2, 0x7c, 0x46, 0xaf, 0x4c, 0x97, 0x29, 0xf9, 0x97, 0x68, 0xca, 0xdf, 0x38, 0x27, 0x32, 0x5c, 0x59, 0x3b, 0x47, 0x64, 0x15, 0xe3, 0xd0, 0x1e, 0xcf, 0x17, 0xa9, 0x96, 0xb9, 0x4d, 0xe6, 0xd, 0x5b, 0x43, 0x3, 0x37, 0x46, 0xb6, 0x67, 0x92, 0x67, 0x39, 0xa0, 0x9b},
-		y: fp384{0xbe, 0x2f, 0x52, 0x3a, 0xae, 0x2a, 0xc, 0xdf, 0xf0, 0xef, 0x35, 0xb3, 0x41, 0xb7, 0xbd, 0x41, 0x3, 0x97, 0x5, 0x7b, 0xdd, 0x2e, 0xcf, 0xac, 0xce, 0x3c, 0x46, 0x28, 0x30, 0x4b, 0xb3, 0x6f, 0x19, 0xca, 0xe3, 0xd9, 0xb, 0xba, 0xd9, 0x96, 0xc1, 0x55, 0x46, 0x50, 0x12, 0x6f, 0x33, 0xff},
-	},
-	// 61P
-	{
-		x: fp384{0xe0, 0xa6, 0x60, 0xfc, 0xd3, 0x1f, 0xda, 0x48, 0xe8, 0x41, 0x22, 0x22, 0x34, 0x5a, 0xfb, 0x54, 0x80, 0xe0, 0x2a, 0x77, 0x4f, 0xe3, 0x35, 0x60, 0xd0, 0x82, 0x29, 0x33, 0xf2, 0x7f, 0xf7, 0x5f, 0xfd, 0x51, 0xfe, 0x0, 0x73, 0x46, 0x66, 0x23, 0x6, 0xa0, 0x6b, 0xef, 0x49, 0xa0, 0x3e, 0xc9},
-		y: fp384{0x66, 0x12, 0x38, 0x7d, 0x17, 0xf1, 0x40, 0x66, 0xac, 0xf4, 0xe9, 0x6a, 0xcd, 0x32, 0x4d, 0x39, 0xeb, 0x3, 0xd3, 0x70, 0x53, 0x88, 0xa7, 0xe6, 0x67, 0x57, 0x27, 0xe5, 0xff, 0x19, 0xda, 0xd, 0x23, 0x6d, 0x46, 0x1, 0x72, 0xc7, 0xa6, 0xb0, 0x29, 0x98, 0xc6, 0x1f, 0x45, 0x11, 0xcc, 0xc4},
-	},
-	// 63P
-	{
-		x: fp384{0xc0, 0x89, 0xed, 0xaa, 0xd7, 0xe6, 0xc0, 0xc5, 0x96, 0x18, 0x9a, 0x14, 0xd6, 0xea, 0xe8, 0x6c, 0x8f, 0x9f, 0x94, 0x8c, 0x45, 0xf7, 0x50, 0x7a, 0xaa, 0x71, 0x2b, 0x6e, 0xf7, 0x35, 0x7e, 0xcd, 0x7a, 0x9f, 0x4, 0x9a, 0x51, 0x9e, 0x15, 0xf6, 0x1e, 0x2d, 0xe5, 0xf1, 0xb0, 0xf0, 0x9b, 0x1c},
-		y: fp384{0x80, 0x2c, 0x20, 0x18, 0xf5, 0xc1, 0xb6, 0x3b, 0x1a, 0x7b, 0xcd, 0x1e, 0x62, 0x5f, 0x3a, 0x8d, 0x19, 0x7f, 0xd1, 0x88, 0xe8, 0x34, 0xb0, 0x3b, 0x8d, 0x4, 0xd4, 0x97, 0x49, 0xbd, 0x89, 0xdc, 0x22, 0xdf, 0x35, 0x37, 0x8e, 0x7b, 0xaf, 0xf5, 0xe8, 0x89, 0xa6, 0xa0, 0x12, 0x37, 0xbb, 0x52},
-	},
-	// 65P
-	{
-		x: fp384{0x79, 0x96, 0x9b, 0x83, 0x54, 0x94, 0x46, 0x8e, 0x9f, 0x27, 0x1d, 0xd, 0x3b, 0xa4, 0xcd, 0xbe, 0x80, 0x3c, 0xb6, 0xed, 0x15, 0xdc, 0x9e, 0xcf, 0x2, 0xf0, 0xd5, 0xbd, 0x8a, 0xec, 0x97, 0x45, 0x53, 0x22, 0xb, 0x65, 0xb2, 0x50, 0x3, 0x8b, 0x6f, 0x26, 0xd4, 0x5f, 0x6a, 0x3a, 0x4c, 0xb8},
-		y: fp384{0xf9, 0x79, 0xfc, 0x30, 0x3d, 0xd8, 0x16, 0xe, 0xd3, 0x95, 0xd9, 0x3a, 0x83, 0x87, 0xa4, 0xb6, 0x66, 0xc2, 0x2b, 0xde, 0x2c, 0x4b, 0x78, 0xab, 0xdd, 0x66, 0x9d, 0x88, 0x6d, 0x3d, 0x76, 0x19, 0x87, 0xf0, 0xf9, 0xc8, 0x24, 0x6c, 0x86, 0xa2, 0xc9, 0xb1, 0x5b, 0xa5, 0x28, 0x25, 0x6f, 0xea},
-	},
-	// 67P
-	{
-		x: fp384{0xca, 0x72, 0x17, 0x8b, 0xbc, 0x5c, 0xfc, 0x6e, 0x68, 0x4f, 0x63, 0xb, 0x3b, 0xdd, 0xc7, 0xea, 0x85, 0x61, 0x5d, 0xa5, 0xda, 0x5e, 0xd7, 0x65, 0xf7, 0xd8, 0xf3, 0x6e, 0x7e, 0x63, 0x6e, 0x55, 0x25, 0x9d, 0x90, 0x90, 0x4d, 0x3e, 0xaf, 0xf9, 0x5a, 0x3, 0x53, 0xe1, 0x48, 0xca, 0x62, 0xe4},
-		y: fp384{0xd1, 0x9e, 0x10, 0xa, 0x7b, 0x3b, 0x76, 0x52, 0x6, 0x5d, 0x78, 0x42, 0xa6, 0xb1, 0x4a, 0x10, 0xbc, 0xe4, 0x59, 0x3f, 0xed, 0x35, 0x7e, 0x1a, 0x3, 0xc0, 0xeb, 0xc6, 0x46, 0xb7, 0x90, 0x59, 0xf9, 0xc5, 0x62, 0x13, 0xf0, 0x6b, 0x6a, 0x9, 0x94, 0x49, 0x79, 0xac, 0x8a, 0xcb, 0x22, 0x83},
-	},
-	// 69P
-	{
-		x: fp384{0x52, 0x27, 0xc, 0x67, 0x74, 0xdf, 0xd3, 0xf8, 0x28, 0x5e, 0x11, 0xa1, 0x59, 0x28, 0xcb, 0x5c, 0x1b, 0x98, 0x19, 0xf, 0xaa, 0xc8, 0x66, 0xcc, 0x65, 0xfd, 0xab, 0x25, 0xb1, 0xc8, 0xbc, 0xd4, 0xca, 0x3c, 0xdd, 0x4f, 0x16, 0xee, 0x86, 0x2c, 0xf4, 0x35, 0xf7, 0xa3, 0x78, 0x5d, 0xd6, 0x59},
-		y: fp384{0xce, 0x55, 0xc, 0x7c, 0x28, 0xde, 0x5a, 0x3, 0x4d, 0x99, 0xd3, 0x45, 0x62, 0x9d, 0x76, 0x57, 0xa4, 0x23, 0xd4, 0x2b, 0x89, 0xe4, 0x3a, 0xd1, 0xbc, 0x66, 0xed, 0x82, 0x48, 0xee, 0xce, 0xa, 0x32, 0x7a, 0x16, 0x73, 0x8b, 0x9e, 0x2c, 0x6f, 0x7a, 0xbd, 0x1d, 0x27, 0x0, 0x1, 0xcd, 0xfb},
-	},
-	// 71P
-	{
-		x: fp384{0xb1, 0xfc, 0xfe, 0xef, 0x45, 0xce, 0x2e, 0xc4, 0x41, 0x14, 0xb1, 0xab, 0xb3, 0x31, 0x57, 0xbf, 0x92, 0xa, 0x8d, 0xe5, 0xcf, 0x15, 0xba, 0x93, 0x54, 0xac, 0x8, 0x35, 0x14, 0xde, 0xbb, 0x27, 0xda, 0x5d, 0x25, 0xfe, 0x38, 0x37, 0x12, 0x2b, 0x70, 0xcd, 0x7e, 0x53, 0x5a, 0xaa, 0x4f, 0xb},
-		y: fp384{0xc6, 0x83, 0xec, 0xdd, 0x84, 0xd0, 0x44, 0x6a, 0x3d, 0x52, 0x1, 0x8, 0x4d, 0x3c, 0x79, 0x86, 0x19, 0xe3, 0xb3, 0x25, 0x50, 0x28, 0x4f, 0x15, 0x3a, 0x37, 0x64, 0xce, 0xf1, 0xda, 0x44, 0x21, 0x66, 0x95, 0x13, 0x7, 0xee, 0x24, 0xb9, 0xbd, 0x1c, 0xd0, 0x2a, 0x73, 0x28, 0xea, 0xa7, 0xf9},
-	},
-	// 73P
-	{
-		x: fp384{0x2, 0xa7, 0x51, 0xd8, 0x32, 0x5c, 0x38, 0x43, 0x3b, 0x96, 0xe8, 0x1d, 0xb1, 0xa9, 0xc2, 0xa9, 0x24, 0x9b, 0x8b, 0xdf, 0xb, 0x23, 0x8d, 0x5b, 0xc2, 0x31, 0x37, 0x2d, 0x25, 0xa9, 0x29, 0x90, 0xd2, 0xa7, 0xca, 0xe8, 0x4d, 0xb0, 0x8d, 0xb0, 0x3c, 0x67, 0xf4, 0x2b, 0xe7, 0x83, 0x9d, 0xb8},
-		y: fp384{0x24, 0x44, 0xf2, 0xe1, 0xbf, 0x39, 0xfd, 0xa8, 0x16, 0xd6, 0xe8, 0xe1, 0xd6, 0xb6, 0x89, 0x9f, 0x6e, 0x21, 0x1d, 0x4f, 0x7b, 0xc8, 0x9f, 0xaf, 0x59, 0x5a, 0x26, 0x92, 0x3, 0x1e, 0xe2, 0x4, 0x73, 0x63, 0xb8, 0x87, 0x3, 0x74, 0x15, 0xb, 0x62, 0xa1, 0x98, 0x7c, 0x3b, 0xaf, 0x65, 0x6f},
-	},
-	// 75P
-	{
-		x: fp384{0xde, 0x3, 0x73, 0x86, 0x14, 0x40, 0x5d, 0x6b, 0xef, 0xb7, 0xa, 0x42, 0xa, 0xc4, 0xcb, 0xc8, 0x96, 0x9a, 0x54, 0x91, 0x89, 0xcf, 0x28, 0x5b, 0x66, 0x8f, 0x2f, 0x39, 0xb4, 0x31, 0x46, 0x5d, 0xc8, 0xb5, 0x67, 0xf3, 0x3d, 0xe2, 0x7e, 0x4a, 0x15, 0x7a, 0xca, 0xe6, 0xf, 0xae, 0xe0, 0xa1},
-		y: fp384{0x7c, 0xa2, 0x9f, 0x13, 0xe1, 0x5e, 0x65, 0x2a, 0x1, 0xb9, 0xfa, 0x50, 0xc4, 0xc2, 0x31, 0xa5, 0x71, 0xed, 0xa, 0x43, 0x69, 0xab, 0x62, 0x67, 0x1d, 0x2e, 0x40, 0xf0, 0xe3, 0x39, 0xe2, 0x64, 0x45, 0xe4, 0x7f, 0x95, 0x42, 0x0, 0x87, 0xd7, 0x62, 0x65, 0x7d, 0x41, 0x62, 0xd8, 0x42, 0xfd},
-	},
-	// 77P
-	{
-		x: fp384{0x3f, 0x1a, 0x50, 0x2a, 0xc1, 0x34, 0x21, 0x9f, 0xa7, 0x93, 0x47, 0x33, 0x40, 0x9b, 0x4a, 0x11, 0x25, 0x61, 0x2a, 0x21, 0xc0, 0xb6, 0xcc, 0x27, 0xa3, 0x78, 0xce, 0x98, 0xb9, 0x30, 0xa9, 0xc, 0x27, 0x26, 0xa1, 0x28, 0xb, 0x6, 0x2e, 0x74, 0x16, 0x98, 0x5c, 0xfa, 0x7, 0x36, 0xd2, 0x63},
-		y: fp384{0xdc, 0x91, 0x1f, 0xec, 0xa4, 0xcb, 0x4d, 0x77, 0x23, 0x1d, 0x4d, 0xf3, 0x2e, 0x7e, 0xcd, 0x34, 0x3d, 0x3c, 0xfd, 0x49, 0xe, 0x85, 0x0, 0x15, 0xb2, 0xcf, 0xc9, 0x30, 0x0, 0x95, 0x3, 0xdd, 0xa6, 0x41, 0x29, 0x57, 0xe5, 0xc3, 0x61, 0xce, 0x2e, 0xfd, 0x2c, 0x30, 0x75, 0x10, 0x4b, 0xd4},
-	},
-	// 79P
-	{
-		x: fp384{0x24, 0xc2, 0xa6, 0xe9, 0xd4, 0xd9, 0x11, 0xca, 0x85, 0x45, 0xb7, 0xc3, 0x48, 0xc2, 0xda, 0x2c, 0x71, 0x55, 0xca, 0x4, 0xa2, 0x1, 0x89, 0xe5, 0xf0, 0x1, 0x5d, 0xd1, 0x2d, 0x31, 0x1c, 0x49, 0x7c, 0xcb, 0x69, 0x70, 0x8a, 0x81, 0xcc, 0xb3, 0xda, 0x12, 0x39, 0xd5, 0xa5, 0x45, 0xb2, 0x23},
-		y: fp384{0x63, 0xb1, 0xb0, 0xa6, 0x8b, 0x83, 0xf7, 0x30, 0x52, 0x55, 0x77, 0x32, 0x3e, 0xeb, 0x52, 0xa0, 0xc1, 0x5e, 0xb9, 0xee, 0xe9, 0x43, 0x32, 0x40, 0xb3, 0x2e, 0x63, 0x8, 0x1b, 0x30, 0x7b, 0x61, 0xf9, 0x81, 0x2, 0xf3, 0xc9, 0x66, 0x1c, 0x94, 0x55, 0xb2, 0x7a, 0x1d, 0xf8, 0x28, 0x97, 0x4b},
-	},
-	// 81P
-	{
-		x: fp384{0x82, 0xf6, 0x6, 0xdb, 0xcb, 0xd3, 0xbd, 0x3c, 0x85, 0x87, 0xc0, 0x86, 0x3e, 0x47, 0x45, 0xde, 0xfb, 0x1b, 0x7b, 0xe0, 0x60, 0x35, 0xcb, 0xd8, 0xaf, 0x38, 0xf1, 0xea, 0x8f, 0x11, 0xc3, 0xf2, 0xaf, 0x6f, 0x43, 0x9f, 0x85, 0x8a, 0x23, 0x11, 0x4f, 0x34, 0xdf, 0x7c, 0xe3, 0xc2, 0x84, 0x9},
-		y: fp384{0x4f, 0x58, 0x82, 0xc3, 0x17, 0x3c, 0x8, 0xe1, 0x40, 0xa2, 0x6f, 0x73, 0xd4, 0x14, 0x9a, 0x95, 0x7d, 0x63, 0xf2, 0x18, 0xf0, 0xd2, 0xad, 0x56, 0x8d, 0x27, 0xdd, 0xe5, 0x5e, 0x7a, 0x4, 0x1, 0xa7, 0x6, 0x27, 0xae, 0x63, 0x8d, 0xe3, 0x5d, 0x7e, 0xb8, 0x45, 0x97, 0x60, 0xb7, 0xd7, 0x9d},
-	},
-	// 83P
-	{
-		x: fp384{0x71, 0x40, 0xe9, 0x44, 0xbf, 0xf0, 0x61, 0x8e, 0xb4, 0x5e, 0xf0, 0xd2, 0x7e, 0x84, 0xcf, 0x44, 0xeb, 0x94, 0x66, 0x4a, 0xd, 0xaa, 0x87, 0x84, 0xb5, 0xaa, 0xa4, 0xc7, 0xa1, 0x8c, 0xb8, 0xee, 0x26, 0x89, 0xa, 0x52, 0x3, 0xaa, 0x5b, 0xc2, 0x5, 0x78, 0x3d, 0xc0, 0x6a, 0xb1, 0x75, 0xa0},
-		y: fp384{0xc3, 0x70, 0xd9, 0x13, 0x8a, 0xa4, 0x57, 0xc3, 0x3e, 0x64, 0x9, 0x60, 0x70, 0x13, 0x3c, 0x4e, 0x29, 0x4, 0xe6, 0x49, 0x57, 0xa9, 0x21, 0xcf, 0xda, 0xbc, 0x51, 0x22, 0xba, 0x62, 0xa2, 0xa, 0xe4, 0x78, 0x3c, 0x56, 0xd0, 0x7c, 0x2a, 0xb7, 0xf9, 0x1c, 0xce, 0x69, 0xda, 0xfe, 0x3d, 0x77},
-	},
-	// 85P
-	{
-		x: fp384{0x2d, 0x76, 0x6, 0x9b, 0xdf, 0x2c, 0x5d, 0x93, 0x5a, 0x25, 0x7, 0x82, 0xb8, 0xbb, 0x48, 0x21, 0xd8, 0x53, 0x31, 0x5, 0xdd, 0xca, 0xbd, 0x7b, 0x57, 0x6a, 0x25, 0x73, 0xff, 0xaa, 0x53, 0xd9, 0x1, 0x6f, 0x4e, 0x11, 0xe1, 0x8f, 0xa0, 0xb0, 0x4d, 0x4d, 0xe6, 0x46, 0x54, 0x2, 0x35, 0xc8},
-		y: fp384{0x57, 0xc1, 0xdb, 0x0, 0xd8, 0xba, 0xcf, 0xe7, 0x69, 0xe9, 0xfb, 0x71, 0x2, 0xae, 0x2a, 0x39, 0x14, 0xe3, 0xeb, 0xb, 0x2a, 0xa7, 0x22, 0x74, 0xf2, 0x52, 0xaf, 0x2c, 0xd2, 0x55, 0xd4, 0xc3, 0x95, 0x51, 0x89, 0xe2, 0x9f, 0x83, 0x31, 0xa2, 0x13, 0xf2, 0x93, 0xc9, 0x92, 0x8d, 0x21, 0x6c},
-	},
-	// 87P
-	{
-		x: fp384{0x2e, 0x37, 0xa0, 0x4a, 0x2e, 0xa0, 0x11, 0x4f, 0x75, 0x77, 0x96, 0x10, 0x30, 0x47, 0x42, 0x59, 0x95, 0x91, 0x80, 0x8b, 0xba, 0xc1, 0xe, 0xdf, 0xf1, 0x3a, 0x3c, 0x9a, 0x8d, 0x92, 0xa, 0xf3, 0x2e, 0x6b, 0x7b, 0x38, 0x20, 0x3, 0x84, 0xc4, 0x22, 0xbb, 0x0, 0xa5, 0x17, 0x34, 0x1b, 0x1c},
-		y: fp384{0xf2, 0x66, 0x32, 0xbf, 0xc7, 0xe6, 0xe, 0x69, 0x81, 0x96, 0x90, 0xa7, 0x74, 0x6d, 0x24, 0x18, 0x8f, 0xa8, 0x84, 0xf9, 0x54, 0x24, 0xdf, 0xde, 0x9, 0x9f, 0x55, 0xe7, 0x75, 0x41, 0x94, 0x31, 0xb7, 0x4d, 0x7b, 0xe, 0x88, 0x81, 0xac, 0xbd, 0x68, 0xfe, 0x96, 0xe9, 0xae, 0x6f, 0x4, 0x9f},
-	},
-	// 89P
-	{
-		x: fp384{0xac, 0xd4, 0x71, 0x2d, 0x4b, 0x9, 0x62, 0xc, 0xe0, 0x63, 0xf1, 0x4b, 0xdc, 0x9f, 0xa4, 0x18, 0x1f, 0x72, 0x96, 0x0, 0xb, 0xf3, 0x3d, 0x46, 0x7b, 0x5b, 0xe5, 0xc8, 0x4a, 0x64, 0xd3, 0x67, 0xb6, 0xe2, 0xe0, 0x19, 0x9d, 0xd2, 0x3d, 0xd6, 0x61, 0x73, 0x4b, 0x16, 0xde, 0x5, 0xd1, 0xd0},
-		y: fp384{0x8e, 0x18, 0x17, 0x2, 0x4e, 0x5c, 0x86, 0xe5, 0x7e, 0xcf, 0x93, 0x20, 0x1b, 0xb7, 0x61, 0x78, 0x3c, 0x25, 0xaa, 0x2d, 0x51, 0xf0, 0xcc, 0x65, 0xc0, 0xe4, 0x4d, 0xb, 0x9, 0x1, 0x77, 0x14, 0xd9, 0x62, 0xb9, 0x40, 0x35, 0x24, 0x28, 0x1d, 0xf3, 0x37, 0xdf, 0xb8, 0x39, 0xe9, 0xc7, 0x1},
-	},
-	// 91P
-	{
-		x: fp384{0x58, 0x8, 0xba, 0x9c, 0x9c, 0x40, 0xea, 0x5d, 0x63, 0x3f, 0xae, 0x14, 0x1b, 0x42, 0xc2, 0x35, 0x8a, 0x61, 0xc2, 0xbb, 0x34, 0xe5, 0xf6, 0xa4, 0x5f, 0x4f, 0xd7, 0x42, 0x7d, 0x97, 0x4b, 0xb0, 0xb7, 0x3e, 0xdc, 0x59, 0x27, 0x38, 0xe7, 0xe7, 0xb0, 0x23, 0xf2, 0x8b, 0x34, 0x52, 0xf, 0xeb},
-		y: fp384{0x58, 0x51, 0xc7, 0xf, 0x67, 0x51, 0x1c, 0x99, 0x6d, 0x2c, 0xde, 0x3f, 0x1a, 0x81, 0x12, 0xd0, 0x3d, 0x34, 0x36, 0x92, 0x31, 0xb3, 0xd0, 0x9, 0xa0, 0xcb, 0xa2, 0x63, 0xc8, 0xe0, 0x78, 0xcb, 0x78, 0x84, 0xb8, 0x9a, 0xbd, 0xb3, 0x9, 0xb, 0xe2, 0xc6, 0x16, 0xf1, 0x3, 0xc7, 0xca, 0x47},
-	},
-	// 93P
-	{
-		x: fp384{0xaf, 0x80, 0x2d, 0xe3, 0x71, 0x4d, 0xd1, 0xeb, 0x5e, 0x67, 0x80, 0x53, 0x4f, 0xc2, 0x1c, 0x1b, 0xcd, 0x42, 0x61, 0xb1, 0x64, 0x47, 0x63, 0x1c, 0xe, 0xb0, 0xfd, 0x7c, 0xde, 0x45, 0x35, 0x7a, 0x54, 0x51, 0xd1, 0xcf, 0x89, 0x16, 0xf9, 0x2d, 0xd7, 0xa2, 0xa, 0x43, 0xb3, 0x55, 0x33, 0x81},
-		y: fp384{0x7e, 0xca, 0xf2, 0x85, 0xc9, 0xe2, 0xdc, 0x16, 0x79, 0xbb, 0x3a, 0xe0, 0xf7, 0x3, 0xe3, 0xd9, 0x98, 0x66, 0xb0, 0x3c, 0x10, 0xa8, 0x7c, 0xfe, 0xcb, 0xd, 0x67, 0x71, 0x5b, 0x42, 0x2a, 0x57, 0xe5, 0x68, 0xa2, 0x90, 0x54, 0x39, 0x1b, 0xc7, 0x9, 0x9d, 0xbf, 0x66, 0x8f, 0xf3, 0x71, 0xc0},
-	},
-	// 95P
-	{
-		x: fp384{0x91, 0x3c, 0xbc, 0xd, 0x63, 0xf2, 0xc0, 0xf, 0xb1, 0xcb, 0xc0, 0x9b, 0x16, 0xca, 0x74, 0x9f, 0x77, 0x89, 0xf9, 0xe, 0x9d, 0x7b, 0x60, 0x4a, 0x79, 0x2b, 0x7d, 0xa2, 0xef, 0xb, 0xe9, 0xb, 0xe1, 0x23, 0x7f, 0xad, 0xb5, 0xb, 0x7b, 0x25, 0xe4, 0xd1, 0xea, 0x2f, 0xe5, 0x2f, 0xf4, 0xb8},
-		y: fp384{0x92, 0xb5, 0x93, 0x5f, 0x31, 0xe4, 0x78, 0xde, 0x7d, 0x61, 0x79, 0xfd, 0xeb, 0xe7, 0x5f, 0x50, 0xfb, 0xf9, 0x99, 0xdd, 0x14, 0x3f, 0xcc, 0x45, 0x91, 0xb5, 0xc7, 0x3b, 0xe8, 0x64, 0xf, 0x8c, 0xf9, 0x93, 0xab, 0x55, 0xed, 0x4d, 0x36, 0x65, 0x6e, 0x28, 0xdf, 0x42, 0xa5, 0x4b, 0x6d, 0xbb},
-	},
-	// 97P
-	{
-		x: fp384{0xe2, 0x54, 0x5c, 0x7f, 0x5d, 0x3, 0xd2, 0x7c, 0x2c, 0x49, 0x49, 0x4a, 0x0, 0xdb, 0xf0, 0xc1, 0x98, 0x8f, 0x27, 0x65, 0x30, 0x3e, 0x27, 0x8f, 0x9d, 0x9d, 0xef, 0x6f, 0xd1, 0x1e, 0x24, 0x10, 0x16, 0x96, 0x6, 0xac, 0x1b, 0xe5, 0xb1, 0x87, 0x7f, 0x80, 0xd, 0x17, 0xcd, 0x1a, 0x8, 0x8c},
-		y: fp384{0x98, 0xb5, 0x73, 0x1c, 0xea, 0x51, 0x50, 0x0, 0xf4, 0x5b, 0x86, 0xd6, 0x12, 0x55, 0xeb, 0xe4, 0xd3, 0x5d, 0xe0, 0x30, 0xf4, 0x4e, 0xd2, 0xd7, 0x9e, 0xa3, 0x89, 0x78, 0xed, 0xe4, 0x47, 0xcb, 0x64, 0x69, 0xf5, 0xc4, 0x91, 0x24, 0x3e, 0x4c, 0x6, 0x30, 0xf0, 0xc4, 0x8e, 0xb7, 0xc6, 0x83},
-	},
-	// 99P
-	{
-		x: fp384{0xa1, 0x84, 0x5f, 0xb0, 0xa9, 0x35, 0x38, 0x6e, 0x4e, 0x17, 0xaa, 0x41, 0xf, 0x9e, 0x4f, 0xbb, 0x69, 0xa4, 0x8b, 0x70, 0x7c, 0x17, 0x41, 0x1b, 0xbd, 0xf8, 0xc8, 0x79, 0xb4, 0xe6, 0xb2, 0xb9, 0xbd, 0xd6, 0xd9, 0x82, 0x9, 0xae, 0x9c, 0xd4, 0x3a, 0x22, 0x28, 0xbb, 0x0, 0x5f, 0x8c, 0x64},
-		y: fp384{0xa5, 0xc4, 0x8c, 0x5d, 0x76, 0x85, 0xf4, 0x4, 0x8d, 0xa3, 0xa0, 0x81, 0xdd, 0x96, 0x30, 0xfe, 0xe1, 0x47, 0x82, 0x70, 0x8f, 0x13, 0x75, 0x66, 0x8, 0xea, 0xa0, 0xd1, 0xd8, 0x59, 0xf7, 0xd6, 0x98, 0xd, 0x19, 0x76, 0xb1, 0x93, 0x74, 0x1f, 0xbd, 0x63, 0x2d, 0x32, 0x8b, 0x69, 0xe1, 0x3},
-	},
-	// 101P
-	{
-		x: fp384{0xac, 0xde, 0x8a, 0x9b, 0xf6, 0xc6, 0x66, 0x8e, 0x70, 0x6d, 0xc6, 0x50, 0xfe, 0xf5, 0x39, 0xb5, 0x1a, 0xfb, 0xcc, 0x2e, 0x2c, 0xcd, 0xdd, 0x73, 0xfc, 0x5c, 0x8b, 0x8b, 0xad, 0x1f, 0x3b, 0xd7, 0x10, 0x87, 0xa1, 0x47, 0x35, 0x94, 0xdd, 0x9c, 0xdb, 0x14, 0xc8, 0x7b, 0xbf, 0x92, 0x23, 0x7e},
-		y: fp384{0xe8, 0x74, 0x8f, 0x6c, 0xc0, 0x93, 0x41, 0x91, 0x4d, 0xc0, 0x67, 0x1d, 0x21, 0xdc, 0xed, 0xff, 0x93, 0x86, 0xd6, 0xa, 0x85, 0x41, 0xef, 0x1f, 0x54, 0x80, 0x3e, 0xf5, 0x9a, 0x1d, 0x3e, 0xa7, 0x4, 0xc1, 0xe, 0x42, 0x6f, 0x65, 0x9b, 0x90, 0xde, 0xe1, 0x2, 0x17, 0x36, 0x2d, 0x87, 0x73},
-	},
-	// 103P
-	{
-		x: fp384{0x5f, 0x5d, 0x35, 0x21, 0xaa, 0xab, 0x4c, 0xd2, 0xbd, 0x2, 0xd4, 0xaf, 0xe, 0xb1, 0xcb, 0xdd, 0xe1, 0x1d, 0xc2, 0x29, 0x43, 0xd1, 0xf0, 0xd3, 0xfc, 0x84, 0x3d, 0xf2, 0x94, 0x5a, 0xd9, 0x1a, 0xd, 0x53, 0xda, 0xe3, 0x2, 0x79, 0x3a, 0x11, 0x48, 0x10, 0x67, 0x64, 0x8e, 0xa8, 0xd, 0x59},
-		y: fp384{0xda, 0xf0, 0x5b, 0x92, 0x82, 0x82, 0xa5, 0xf4, 0xb, 0x6e, 0x2e, 0xe6, 0xe7, 0xe4, 0x52, 0x1a, 0xfd, 0x4d, 0x6f, 0xd8, 0x4e, 0xbb, 0xeb, 0x97, 0xc3, 0xd1, 0xfa, 0x58, 0xc3, 0xd1, 0x1b, 0x60, 0x52, 0x5, 0xe4, 0x2d, 0xa6, 0xd5, 0xe2, 0xd6, 0xed, 0xdb, 0x73, 0x72, 0x37, 0x71, 0x9e, 0xc},
-	},
-	// 105P
-	{
-		x: fp384{0x45, 0x28, 0x80, 0xe5, 0x85, 0x19, 0xe9, 0xe6, 0xbc, 0x1, 0xe2, 0xa6, 0xae, 0xd6, 0x67, 0xc3, 0xbe, 0x23, 0x2c, 0xdd, 0xe5, 0x30, 0x7f, 0x7, 0xe3, 0x75, 0x50, 0x27, 0x9c, 0xf3, 0x2e, 0x86, 0x42, 0x65, 0x80, 0x1a, 0x44, 0x75, 0x2c, 0x2, 0x9c, 0xd0, 0xeb, 0x99, 0x3a, 0x3e, 0xab, 0xd0},
-		y: fp384{0xb8, 0x28, 0x90, 0xd9, 0x60, 0xef, 0x67, 0x7d, 0x6b, 0x13, 0xad, 0xa9, 0x4f, 0x36, 0xcf, 0xa5, 0x8c, 0xff, 0x1f, 0xa9, 0xa9, 0x23, 0x2c, 0x37, 0x60, 0x25, 0x20, 0x47, 0x95, 0x7a, 0xd5, 0xd3, 0x23, 0x19, 0x2f, 0x15, 0x45, 0xf1, 0xba, 0xce, 0xa5, 0x73, 0x89, 0x6d, 0x2c, 0xe7, 0x3a, 0xcc},
-	},
-	// 107P
-	{
-		x: fp384{0x23, 0x3f, 0x36, 0xf4, 0xe1, 0xe8, 0x18, 0xd7, 0x90, 0x14, 0x76, 0x4f, 0x20, 0x1e, 0xc2, 0x73, 0x46, 0x5d, 0x7, 0xa0, 0x25, 0xec, 0xc6, 0x27, 0xd0, 0x40, 0x3f, 0x75, 0x56, 0xf4, 0xd4, 0xcc, 0x22, 0x16, 0xa9, 0x60, 0x49, 0x4c, 0x99, 0x50, 0x48, 0xb, 0x74, 0x3f, 0x79, 0x4d, 0x96, 0x77},
-		y: fp384{0x2, 0xed, 0x47, 0xf6, 0xe2, 0x55, 0xc9, 0xf4, 0x79, 0x3d, 0x19, 0xe4, 0x9a, 0xc7, 0x4f, 0x84, 0x9f, 0x3f, 0x7f, 0xa2, 0xd1, 0x74, 0x83, 0x48, 0x63, 0x94, 0x65, 0xb8, 0x45, 0xad, 0xd6, 0x95, 0x39, 0x8e, 0x43, 0xc7, 0x78, 0x9f, 0xd9, 0xe1, 0xf2, 0xed, 0xfc, 0x2a, 0x17, 0xa7, 0x82, 0x51},
-	},
-	// 109P
-	{
-		x: fp384{0xfa, 0xb1, 0xde, 0xb2, 0x27, 0x2e, 0xfc, 0xe, 0x4b, 0x18, 0xc1, 0x3c, 0x83, 0x35, 0x7d, 0x9c, 0xc8, 0xbd, 0xdc, 0xa8, 0xf8, 0xc5, 0x41, 0x58, 0xbb, 0x3a, 0xd9, 0xf0, 0x8a, 0xa5, 0x11, 0xa9, 0x87, 0xf8, 0xcf, 0xb9, 0x33, 0x8c, 0xd1, 0x3c, 0x3, 0x24, 0x3f, 0xf1, 0xbb, 0x27, 0x3c, 0x6e},
-		y: fp384{0xe6, 0x3a, 0x53, 0xea, 0x12, 0x17, 0x39, 0x5b, 0x5, 0x4c, 0x29, 0x54, 0xb, 0xd9, 0xcd, 0x35, 0xf4, 0xda, 0x60, 0xf5, 0xb4, 0x7f, 0xb5, 0x2d, 0x1d, 0x41, 0xa1, 0xf5, 0xca, 0x33, 0xad, 0x75, 0x68, 0x75, 0x7c, 0x7f, 0x4e, 0x9a, 0xe1, 0x87, 0x5, 0x77, 0x8c, 0x19, 0x56, 0x6c, 0xc4, 0xf4},
-	},
-	// 111P
-	{
-		x: fp384{0xb8, 0x74, 0xbe, 0x5, 0x48, 0xb7, 0xb3, 0x8d, 0xab, 0x5f, 0x76, 0x0, 0x50, 0x80, 0xe0, 0x8, 0xd9, 0x7f, 0x44, 0x50, 0xb, 0x72, 0x44, 0x67, 0x3, 0xbe, 0x27, 0xc7, 0x12, 0x20, 0x55, 0x27, 0x7f, 0x66, 0x2, 0x8b, 0x51, 0x7b, 0x90, 0xc3, 0x14, 0xef, 0xbd, 0xb9, 0xbc, 0xaa, 0x58, 0xa1},
-		y: fp384{0x6f, 0xc5, 0x9c, 0xf4, 0x3, 0xfa, 0xdd, 0xaa, 0x96, 0xfb, 0x5, 0xe3, 0xe4, 0xbe, 0x95, 0x10, 0x19, 0x26, 0xc3, 0x93, 0xbc, 0x54, 0xff, 0xa2, 0x85, 0x26, 0xeb, 0x4a, 0xf9, 0xe1, 0xf8, 0xcc, 0xfe, 0xd9, 0x0, 0x23, 0xb8, 0x47, 0x4b, 0xc6, 0xa9, 0x9d, 0x27, 0x8, 0x68, 0x77, 0xca, 0x9},
-	},
-	// 113P
-	{
-		x: fp384{0x12, 0xda, 0xb, 0x9b, 0xb7, 0x86, 0x5b, 0xf8, 0x72, 0x35, 0xe3, 0xbb, 0xd1, 0x16, 0xc6, 0xd2, 0x7f, 0xd2, 0x2b, 0x85, 0xef, 0x15, 0x22, 0xe7, 0xc5, 0x7f, 0x9b, 0x13, 0x9, 0x5b, 0x81, 0xe9, 0xc2, 0xa0, 0x7f, 0x8d, 0x4, 0xdb, 0x5b, 0x4a, 0x86, 0xa9, 0x86, 0xff, 0x17, 0xcd, 0x9f, 0x86},
-		y: fp384{0xbe, 0xf6, 0xda, 0x91, 0x17, 0x52, 0x78, 0x32, 0x4, 0x4d, 0x66, 0xd6, 0xf1, 0x7, 0xc0, 0xb9, 0x29, 0x20, 0xb1, 0xe7, 0x2a, 0x72, 0x98, 0x69, 0x67, 0xbb, 0x31, 0xfc, 0xd9, 0xde, 0x7f, 0xbf, 0x57, 0x77, 0xb8, 0x31, 0x7c, 0xd1, 0xe, 0x3d, 0x4b, 0x94, 0xf7, 0x55, 0xf2, 0x3d, 0xb, 0xa1},
-	},
-	// 115P
-	{
-		x: fp384{0x56, 0x8f, 0x49, 0x34, 0x3b, 0x67, 0x4e, 0xaa, 0x6d, 0x45, 0x43, 0xa0, 0xb3, 0xf7, 0x20, 0x91, 0x26, 0x88, 0xa4, 0x26, 0xf3, 0x68, 0xe8, 0x33, 0xfd, 0x6b, 0x40, 0x32, 0xf4, 0xcc, 0x7a, 0xa9, 0x46, 0x7, 0xc5, 0x23, 0x41, 0x2a, 0x44, 0x84, 0x2d, 0x98, 0x50, 0x73, 0x65, 0x69, 0x4c, 0x27},
-		y: fp384{0xaa, 0x9e, 0xdc, 0x95, 0xfb, 0xb7, 0x6, 0x31, 0x41, 0xe2, 0x7a, 0xec, 0xb1, 0x1d, 0xbf, 0x3e, 0x86, 0x5b, 0x8a, 0x84, 0xb8, 0x39, 0xdc, 0x0, 0xc6, 0x2e, 0x31, 0xf6, 0x3a, 0x34, 0x9a, 0xdf, 0x3, 0x1f, 0x12, 0xcf, 0x32, 0x9e, 0x2, 0x75, 0xdb, 0x11, 0x5a, 0xcf, 0xf6, 0xbd, 0xc5, 0xc0},
-	},
-	// 117P
-	{
-		x: fp384{0x9a, 0x55, 0x23, 0x7, 0xa8, 0xe7, 0xcc, 0xfd, 0x70, 0xd0, 0x29, 0xa2, 0xe, 0xb3, 0x32, 0x95, 0x61, 0x79, 0x85, 0xfe, 0x94, 0x52, 0x3e, 0x61, 0x8d, 0x73, 0xea, 0x9a, 0x9a, 0x74, 0x9e, 0xad, 0x53, 0xba, 0xac, 0x23, 0xae, 0x6b, 0x7a, 0x51, 0x8b, 0x56, 0x23, 0x78, 0xcd, 0x74, 0x67, 0xf2},
-		y: fp384{0x4d, 0x11, 0x53, 0xae, 0xa1, 0x67, 0x7, 0x94, 0x7b, 0x5, 0x8c, 0xeb, 0x4b, 0x3a, 0xcb, 0xc6, 0x0, 0xf6, 0xae, 0x6, 0x5f, 0xc0, 0x99, 0x6d, 0x81, 0x84, 0x79, 0xb2, 0x8d, 0x9b, 0x72, 0xa6, 0x5b, 0x58, 0xf1, 0xbf, 0x82, 0x65, 0x54, 0x7a, 0x73, 0x97, 0xb0, 0x82, 0xb0, 0x9a, 0x50, 0x70},
-	},
-	// 119P
-	{
-		x: fp384{0xd1, 0xd8, 0x29, 0x73, 0xac, 0x95, 0x25, 0x73, 0xc4, 0xbc, 0x73, 0xab, 0x8d, 0x7, 0xf9, 0x59, 0xde, 0x9d, 0xcf, 0x21, 0xb4, 0xe7, 0x55, 0xcd, 0x27, 0xab, 0x5f, 0x87, 0xa1, 0xb, 0x63, 0xa4, 0xcd, 0xf4, 0x9c, 0xec, 0xb8, 0x7f, 0x16, 0x13, 0x77, 0x5, 0x8b, 0x99, 0x57, 0x5c, 0xfc, 0xd2},
-		y: fp384{0x6f, 0x1b, 0xf5, 0x5f, 0xc1, 0x60, 0x13, 0x76, 0xeb, 0x9c, 0xcf, 0x6, 0xf2, 0x96, 0xdb, 0xb2, 0x46, 0x8f, 0xdc, 0x99, 0x48, 0xa6, 0x77, 0xd6, 0xe5, 0xb7, 0x9, 0x91, 0xbc, 0xca, 0x9e, 0xeb, 0xa3, 0xb7, 0x21, 0x92, 0xac, 0xb1, 0x1b, 0x9a, 0xcd, 0xa5, 0x40, 0x8a, 0x28, 0x36, 0x65, 0xb1},
-	},
-	// 121P
-	{
-		x: fp384{0x8d, 0xfa, 0x9d, 0x18, 0x40, 0xba, 0x98, 0x51, 0x1e, 0xab, 0x96, 0xa8, 0xe3, 0x16, 0x9a, 0x8c, 0xe4, 0x44, 0x67, 0xba, 0xd6, 0xd5, 0x33, 0x6c, 0x8a, 0x77, 0x72, 0x77, 0xd4, 0xfb, 0x9a, 0xc2, 0xe0, 0xf7, 0x29, 0x93, 0x95, 0x3c, 0xdf, 0x65, 0x81, 0xdb, 0x91, 0x38, 0x1e, 0x3f, 0xcd, 0x79},
-		y: fp384{0x9b, 0x1, 0x84, 0xd7, 0xb, 0x8f, 0xaa, 0xca, 0x62, 0x8e, 0x2, 0xe9, 0x6b, 0x4f, 0x40, 0xf5, 0x85, 0x89, 0x4d, 0xae, 0x54, 0x7a, 0x50, 0x95, 0x1b, 0xf2, 0x16, 0xb7, 0xa8, 0x39, 0x1d, 0x9c, 0x7e, 0x5b, 0x26, 0xf8, 0xf9, 0xd, 0x3d, 0x47, 0x16, 0x9, 0x4d, 0xc6, 0xa1, 0xed, 0xae, 0x11},
-	},
-	// 123P
-	{
-		x: fp384{0x80, 0xb, 0x4c, 0xc, 0x48, 0x98, 0x11, 0x15, 0xfe, 0x18, 0x10, 0x2a, 0x4a, 0x7d, 0xb0, 0x46, 0x7b, 0x90, 0x80, 0xea, 0xeb, 0xc3, 0xa9, 0x14, 0x5, 0x44, 0x95, 0x42, 0xee, 0x5, 0x3d, 0x4b, 0xd2, 0x18, 0x4, 0x55, 0x78, 0xfd, 0xd6, 0xd4, 0xa6, 0x82, 0xdc, 0x21, 0x63, 0x4f, 0x4a, 0x8e},
-		y: fp384{0xd9, 0xb9, 0x78, 0xa1, 0xf7, 0xd7, 0xe4, 0x1b, 0x9f, 0x8c, 0x78, 0x70, 0x4, 0xba, 0xc6, 0x83, 0xe8, 0xf7, 0x30, 0x9f, 0x3e, 0xaf, 0x82, 0x5a, 0x7b, 0x44, 0x8f, 0x49, 0xf, 0xab, 0x86, 0x8a, 0x33, 0xcf, 0x5c, 0xc2, 0xec, 0xbc, 0xba, 0x3, 0xdd, 0x8a, 0x79, 0x1a, 0xed, 0x62, 0xc4, 0x74},
-	},
-	// 125P
-	{
-		x: fp384{0xbb, 0x44, 0xfb, 0x3c, 0xbc, 0xb8, 0x12, 0x96, 0xda, 0x6a, 0x9d, 0x71, 0x77, 0x56, 0xf2, 0x70, 0xe2, 0x14, 0xf6, 0x46, 0xaa, 0x65, 0xea, 0x50, 0x6d, 0x35, 0x50, 0x34, 0xcf, 0xa8, 0x36, 0x94, 0xac, 0x3, 0x67, 0x3, 0xad, 0xeb, 0xd6, 0x7a, 0xae, 0x48, 0xcf, 0x45, 0xb2, 0xda, 0xb2, 0x3},
-		y: fp384{0x1e, 0x6, 0x17, 0x41, 0x2a, 0x3d, 0x95, 0x21, 0xa4, 0x55, 0x4f, 0xed, 0x30, 0xb7, 0x3f, 0xdf, 0x8e, 0xab, 0x19, 0xe1, 0x41, 0x36, 0xf5, 0xec, 0xaa, 0x87, 0x91, 0x21, 0xbc, 0x41, 0x1f, 0x55, 0x2, 0x58, 0x9, 0xb0, 0x4b, 0xa7, 0xd5, 0x7c, 0xcb, 0x5c, 0xf3, 0x72, 0xf5, 0xbf, 0x33, 0x89},
-	},
-	// 127P
-	{
-		x: fp384{0xec, 0x1, 0xa1, 0xec, 0x46, 0x32, 0x75, 0xf7, 0xaf, 0x4, 0x96, 0x56, 0x4c, 0xfa, 0xac, 0x2a, 0x79, 0x62, 0x2c, 0x52, 0x34, 0x8f, 0xf2, 0xee, 0xf, 0x1e, 0x23, 0x74, 0x38, 0xe6, 0xfd, 0x96, 0x9d, 0xf0, 0xe0, 0xd6, 0x1b, 0xb1, 0x2b, 0xa9, 0xb4, 0x5d, 0x39, 0xf, 0x74, 0x4e, 0xe3, 0xbb},
-		y: fp384{0xf9, 0x3c, 0x94, 0xbf, 0xdd, 0x59, 0x6e, 0xaa, 0xaa, 0xd5, 0x8a, 0x1, 0xbe, 0xbd, 0x98, 0x56, 0x19, 0xc5, 0x67, 0xa4, 0x44, 0x2a, 0xd2, 0x88, 0xe, 0xb, 0x18, 0xad, 0x39, 0xe3, 0x29, 0x9e, 0x94, 0x2f, 0x7b, 0x36, 0x2e, 0x83, 0xd6, 0xf3, 0x69, 0x80, 0x94, 0xe3, 0x61, 0x2a, 0xe9, 0xc7},
-	},
-}

vendor/github.com/cloudflare/circl/hpke/algs.go

@@ -4,7 +4,7 @@ import (
 	"crypto"
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/elliptic"
+	"crypto/ecdh"
 	_ "crypto/sha256" // Linking sha256.
 	_ "crypto/sha512" // Linking sha512.
 	"fmt"
@@ -13,9 +13,9 @@ import (
 
 	"github.com/cloudflare/circl/dh/x25519"
 	"github.com/cloudflare/circl/dh/x448"
-	"github.com/cloudflare/circl/ecc/p384"
 	"github.com/cloudflare/circl/kem"
 	"github.com/cloudflare/circl/kem/kyber/kyber768"
+	"github.com/cloudflare/circl/kem/xwing"
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/hkdf"
 )
@@ -39,6 +39,8 @@ const (
 	// KEM_X25519_KYBER768_DRAFT00 is a hybrid KEM built on DHKEM(X25519, HKDF-SHA256)
 	// and Kyber768Draft00
 	KEM_X25519_KYBER768_DRAFT00 KEM = 0x30
+	// KEM_XWING is a hybrid KEM using X25519 and ML-KEM-768.
+	KEM_XWING KEM = 0x647a
 )
 
 // IsValid returns true if the KEM identifier is supported by the HPKE package.
@@ -49,7 +51,8 @@ func (k KEM) IsValid() bool {
 		KEM_P521_HKDF_SHA512,
 		KEM_X25519_HKDF_SHA256,
 		KEM_X448_HKDF_SHA512,
-		KEM_X25519_KYBER768_DRAFT00:
+		KEM_X25519_KYBER768_DRAFT00,
+		KEM_XWING:
 		return true
 	default:
 		return false
@@ -58,7 +61,7 @@ func (k KEM) IsValid() bool {
 
 // Scheme returns an instance of a KEM that supports authentication. Panics if
 // the KEM identifier is invalid.
-func (k KEM) Scheme() kem.AuthScheme {
+func (k KEM) Scheme() kem.Scheme {
 	switch k {
 	case KEM_P256_HKDF_SHA256:
 		return dhkemp256hkdfsha256
@@ -72,6 +75,8 @@ func (k KEM) Scheme() kem.AuthScheme {
 		return dhkemx448hkdfsha512
 	case KEM_X25519_KYBER768_DRAFT00:
 		return hybridkemX25519Kyber768
+	case KEM_XWING:
+		return kemXwing
 	default:
 		panic(ErrInvalidKEM)
 	}
@@ -237,22 +242,23 @@ var (
 	dhkemp256hkdfsha256, dhkemp384hkdfsha384, dhkemp521hkdfsha512 shortKEM
 	dhkemx25519hkdfsha256, dhkemx448hkdfsha512                    xKEM
 	hybridkemX25519Kyber768                                       hybridKEM
+	kemXwing                                                      genericNoAuthKEM
 )
 
 func init() {
-	dhkemp256hkdfsha256.Curve = elliptic.P256()
+	dhkemp256hkdfsha256.Curve = ecdh.P256()
 	dhkemp256hkdfsha256.dhKemBase.id = KEM_P256_HKDF_SHA256
 	dhkemp256hkdfsha256.dhKemBase.name = "HPKE_KEM_P256_HKDF_SHA256"
 	dhkemp256hkdfsha256.dhKemBase.Hash = crypto.SHA256
 	dhkemp256hkdfsha256.dhKemBase.dhKEM = dhkemp256hkdfsha256
 
-	dhkemp384hkdfsha384.Curve = p384.P384()
+	dhkemp384hkdfsha384.Curve = ecdh.P384()
 	dhkemp384hkdfsha384.dhKemBase.id = KEM_P384_HKDF_SHA384
 	dhkemp384hkdfsha384.dhKemBase.name = "HPKE_KEM_P384_HKDF_SHA384"
 	dhkemp384hkdfsha384.dhKemBase.Hash = crypto.SHA384
 	dhkemp384hkdfsha384.dhKemBase.dhKEM = dhkemp384hkdfsha384
 
-	dhkemp521hkdfsha512.Curve = elliptic.P521()
+	dhkemp521hkdfsha512.Curve = ecdh.P521()
 	dhkemp521hkdfsha512.dhKemBase.id = KEM_P521_HKDF_SHA512
 	dhkemp521hkdfsha512.dhKemBase.name = "HPKE_KEM_P521_HKDF_SHA512"
 	dhkemp521hkdfsha512.dhKemBase.Hash = crypto.SHA512
@@ -275,4 +281,7 @@ func init() {
 	hybridkemX25519Kyber768.kemBase.Hash = crypto.SHA256
 	hybridkemX25519Kyber768.kemA = dhkemx25519hkdfsha256
 	hybridkemX25519Kyber768.kemB = kyber768.Scheme()
+
+	kemXwing.Scheme = xwing.Scheme()
+	kemXwing.name = "HPKE_KEM_XWING"
 }

vendor/github.com/cloudflare/circl/hpke/genericnoauthkem.go

@@ -0,0 +1,27 @@
+package hpke
+
+// Shim to use generic KEM (kem.Scheme) as HPKE KEM.
+
+import (
+	"github.com/cloudflare/circl/internal/sha3"
+	"github.com/cloudflare/circl/kem"
+)
+
+// genericNoAuthKEM wraps a generic KEM (kem.Scheme) to be used as a HPKE KEM.
+type genericNoAuthKEM struct {
+	kem.Scheme
+	name string
+}
+
+func (h genericNoAuthKEM) Name() string { return h.name }
+
+// HPKE requires DeriveKeyPair() to take any seed larger than the private key
+// size, whereas typical KEMs expect a specific seed size. We'll just use
+// SHAKE256 to hash it to the right size as in X-Wing.
+func (h genericNoAuthKEM) DeriveKeyPair(seed []byte) (kem.PublicKey, kem.PrivateKey) {
+	seed2 := make([]byte, h.Scheme.SeedSize())
+	hh := sha3.NewShake256()
+	_, _ = hh.Write(seed)
+	_, _ = hh.Read(seed2)
+	return h.Scheme.DeriveKeyPair(seed2)
+}

vendor/github.com/cloudflare/circl/hpke/hpke.go

@@ -224,7 +224,12 @@ func (s *Sender) allSetup(rnd io.Reader) ([]byte, Sealer, error) {
 	case modeBase, modePSK:
 		enc, ss, err = scheme.EncapsulateDeterministically(s.pkR, seed)
 	case modeAuth, modeAuthPSK:
-		enc, ss, err = scheme.AuthEncapsulateDeterministically(s.pkR, s.skS, seed)
+		authScheme, ok := scheme.(kem.AuthScheme)
+		if !ok {
+			return nil, nil, ErrInvalidAuthKEM
+		}
+
+		enc, ss, err = authScheme.AuthEncapsulateDeterministically(s.pkR, s.skS, seed)
 	}
 	if err != nil {
 		return nil, nil, err
@@ -246,7 +251,12 @@ func (r *Receiver) allSetup() (Opener, error) {
 	case modeBase, modePSK:
 		ss, err = scheme.Decapsulate(r.skR, r.enc)
 	case modeAuth, modeAuthPSK:
-		ss, err = scheme.AuthDecapsulate(r.skR, r.enc, r.pkS)
+		authScheme, ok := scheme.(kem.AuthScheme)
+		if !ok {
+			return nil, ErrInvalidAuthKEM
+		}
+
+		ss, err = authScheme.AuthDecapsulate(r.skR, r.enc, r.pkS)
 	}
 	if err != nil {
 		return nil, err
@@ -263,9 +273,11 @@ var (
 	ErrInvalidHPKESuite       = errors.New("hpke: invalid HPKE suite")
 	ErrInvalidKDF             = errors.New("hpke: invalid KDF identifier")
 	ErrInvalidKEM             = errors.New("hpke: invalid KEM identifier")
+	ErrInvalidAuthKEM         = errors.New("hpke: KEM does not support Auth mode")
 	ErrInvalidAEAD            = errors.New("hpke: invalid AEAD identifier")
 	ErrInvalidKEMPublicKey    = errors.New("hpke: invalid KEM public key")
 	ErrInvalidKEMPrivateKey   = errors.New("hpke: invalid KEM private key")
 	ErrInvalidKEMSharedSecret = errors.New("hpke: invalid KEM shared secret")
+	ErrInvalidKEMDeriveKey    = errors.New("hpke: too many tries to derive KEM key")
 	ErrAEADSeqOverflows       = errors.New("hpke: AEAD sequence number overflows")
 )

vendor/github.com/cloudflare/circl/hpke/shortkem.go

@@ -1,18 +1,16 @@
 package hpke
 
 import (
-	"crypto/elliptic"
+	"crypto/ecdh"
 	"crypto/rand"
-	"crypto/subtle"
 	"fmt"
-	"math/big"
 
 	"github.com/cloudflare/circl/kem"
 )
 
 type shortKEM struct {
 	dhKemBase
-	elliptic.Curve
+	ecdh.Curve
 }
 
 func (s shortKEM) PrivateKeySize() int        { return s.byteSize() }
@@ -21,19 +19,40 @@ func (s shortKEM) CiphertextSize() int        { return 1 + 2*s.byteSize() }
 func (s shortKEM) PublicKeySize() int         { return 1 + 2*s.byteSize() }
 func (s shortKEM) EncapsulationSeedSize() int { return s.byteSize() }
 
-func (s shortKEM) byteSize() int { return (s.Params().BitSize + 7) / 8 }
+func (s shortKEM) byteSize() int {
+	var bits int
+	switch s.Curve {
+	case ecdh.P256():
+		bits = 256
+	case ecdh.P384():
+		bits = 384
+	case ecdh.P521():
+		bits = 521
+	default:
+		panic(ErrInvalidKEM)
+	}
+
+	return (bits + 7) / 8
+}
 
 func (s shortKEM) sizeDH() int { return s.byteSize() }
 func (s shortKEM) calcDH(dh []byte, sk kem.PrivateKey, pk kem.PublicKey) error {
-	PK := pk.(*shortKEMPubKey)
-	SK := sk.(*shortKEMPrivKey)
-	l := len(dh)
-	x, _ := s.ScalarMult(PK.x, PK.y, SK.priv) // only x-coordinate is used.
-	if x.Sign() == 0 {
-		return ErrInvalidKEMSharedSecret
+	PK, ok := pk.(*shortKEMPubKey)
+	if !ok {
+		return ErrInvalidKEMPublicKey
+	}
+
+	SK, ok := sk.(*shortKEMPrivKey)
+	if !ok {
+		return ErrInvalidKEMPrivateKey
+	}
+
+	x, err := SK.priv.ECDH(&PK.pub)
+	if err != nil {
+		return err
 	}
-	b := x.Bytes()
-	copy(dh[l-len(b):l], b)
+
+	copy(dh, x)
 	return nil
 }
 
@@ -49,122 +68,84 @@ func (s shortKEM) DeriveKeyPair(seed []byte) (kem.PublicKey, kem.PrivateKey) {
 	}
 
 	bitmask := byte(0xFF)
-	if s.Params().BitSize == 521 {
+	if s.Curve == ecdh.P521() {
 		bitmask = 0x01
 	}
 
 	dkpPrk := s.labeledExtract([]byte(""), []byte("dkp_prk"), seed)
-	var bytes []byte
-	ctr := 0
-	for skBig := new(big.Int); skBig.Sign() == 0 || skBig.Cmp(s.Params().N) >= 0; ctr++ {
-		if ctr > 255 {
-			panic("derive key error")
-		}
-		bytes = s.labeledExpand(
+	for ctr := 0; ctr <= 255; ctr++ {
+		bytes := s.labeledExpand(
 			dkpPrk,
 			[]byte("candidate"),
 			[]byte{byte(ctr)},
 			uint16(s.byteSize()),
 		)
 		bytes[0] &= bitmask
-		skBig.SetBytes(bytes)
+		sk, err := s.UnmarshalBinaryPrivateKey(bytes)
+		if err == nil {
+			return sk.Public(), sk
+		}
 	}
-	l := s.PrivateKeySize()
-	sk := &shortKEMPrivKey{s, make([]byte, l), nil}
-	copy(sk.priv[l-len(bytes):], bytes)
-	return sk.Public(), sk
+
+	panic(ErrInvalidKEMDeriveKey)
 }
 
 func (s shortKEM) GenerateKeyPair() (kem.PublicKey, kem.PrivateKey, error) {
-	sk, x, y, err := elliptic.GenerateKey(s, rand.Reader)
-	pub := &shortKEMPubKey{s, x, y}
-	return pub, &shortKEMPrivKey{s, sk, pub}, err
+	key, err := s.Curve.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	sk := &shortKEMPrivKey{s, key}
+	return sk.Public(), sk, err
 }
 
 func (s shortKEM) UnmarshalBinaryPrivateKey(data []byte) (kem.PrivateKey, error) {
-	l := s.PrivateKeySize()
-	if len(data) < l {
-		return nil, ErrInvalidKEMPrivateKey
-	}
-	sk := &shortKEMPrivKey{s, make([]byte, l), nil}
-	copy(sk.priv[l-len(data):l], data[:l])
-	if !sk.validate() {
-		return nil, ErrInvalidKEMPrivateKey
+	key, err := s.Curve.NewPrivateKey(data)
+	if err != nil {
+		return nil, err
 	}
 
-	return sk, nil
+	return &shortKEMPrivKey{s, key}, nil
 }
 
 func (s shortKEM) UnmarshalBinaryPublicKey(data []byte) (kem.PublicKey, error) {
-	x, y := elliptic.Unmarshal(s, data)
-	if x == nil {
-		return nil, ErrInvalidKEMPublicKey
-	}
-	key := &shortKEMPubKey{s, x, y}
-	if !key.validate() {
-		return nil, ErrInvalidKEMPublicKey
+	key, err := s.Curve.NewPublicKey(data)
+	if err != nil {
+		return nil, err
 	}
-	return key, nil
+
+	return &shortKEMPubKey{s, *key}, nil
 }
 
 type shortKEMPubKey struct {
 	scheme shortKEM
-	x, y   *big.Int
+	pub    ecdh.PublicKey
 }
 
-func (k *shortKEMPubKey) String() string {
-	return fmt.Sprintf("x: %v\ny: %v", k.x.Text(16), k.y.Text(16))
-}
-func (k *shortKEMPubKey) Scheme() kem.Scheme { return k.scheme }
-func (k *shortKEMPubKey) MarshalBinary() ([]byte, error) {
-	return elliptic.Marshal(k.scheme, k.x, k.y), nil
-}
+func (k *shortKEMPubKey) String() string                 { return fmt.Sprintf("%x", k.pub.Bytes()) }
+func (k *shortKEMPubKey) Scheme() kem.Scheme             { return k.scheme }
+func (k *shortKEMPubKey) MarshalBinary() ([]byte, error) { return k.pub.Bytes(), nil }
 
 func (k *shortKEMPubKey) Equal(pk kem.PublicKey) bool {
 	k1, ok := pk.(*shortKEMPubKey)
-	return ok &&
-		k.scheme.Params().Name == k1.scheme.Params().Name &&
-		k.x.Cmp(k1.x) == 0 &&
-		k.y.Cmp(k1.y) == 0
-}
-
-func (k *shortKEMPubKey) validate() bool {
-	p := k.scheme.Params().P
-	notAtInfinity := k.x.Sign() > 0 && k.y.Sign() > 0
-	lessThanP := k.x.Cmp(p) < 0 && k.y.Cmp(p) < 0
-	onCurve := k.scheme.IsOnCurve(k.x, k.y)
-	return notAtInfinity && lessThanP && onCurve
+	return ok && k.scheme == k1.scheme && k.pub.Equal(&k1.pub)
 }
 
 type shortKEMPrivKey struct {
 	scheme shortKEM
-	priv   []byte
-	pub    *shortKEMPubKey
+	priv   *ecdh.PrivateKey
 }
 
-func (k *shortKEMPrivKey) String() string     { return fmt.Sprintf("%x", k.priv) }
-func (k *shortKEMPrivKey) Scheme() kem.Scheme { return k.scheme }
-func (k *shortKEMPrivKey) MarshalBinary() ([]byte, error) {
-	return append(make([]byte, 0, k.scheme.PrivateKeySize()), k.priv...), nil
-}
+func (k *shortKEMPrivKey) String() string                 { return fmt.Sprintf("%x", k.priv.Bytes()) }
+func (k *shortKEMPrivKey) Scheme() kem.Scheme             { return k.scheme }
+func (k *shortKEMPrivKey) MarshalBinary() ([]byte, error) { return k.priv.Bytes(), nil }
 
 func (k *shortKEMPrivKey) Equal(pk kem.PrivateKey) bool {
 	k1, ok := pk.(*shortKEMPrivKey)
-	return ok &&
-		k.scheme.Params().Name == k1.scheme.Params().Name &&
-		subtle.ConstantTimeCompare(k.priv, k1.priv) == 1
+	return ok && k.scheme == k1.scheme && k.priv.Equal(k1.priv)
 }
 
 func (k *shortKEMPrivKey) Public() kem.PublicKey {
-	if k.pub == nil {
-		x, y := k.scheme.ScalarBaseMult(k.priv)
-		k.pub = &shortKEMPubKey{k.scheme, x, y}
-	}
-	return k.pub
-}
-
-func (k *shortKEMPrivKey) validate() bool {
-	n := new(big.Int).SetBytes(k.priv)
-	order := k.scheme.Curve.Params().N
-	return len(k.priv) == k.scheme.PrivateKeySize() && n.Cmp(order) < 0
+	return &shortKEMPubKey{k.scheme, *k.priv.PublicKey()}
 }

vendor/github.com/cloudflare/circl/internal/conv/conv.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"math/big"
 	"strings"
+
+	"golang.org/x/crypto/cryptobyte"
 )
 
 // BytesLe2Hex returns an hexadecimal string of a number stored in a
@@ -138,3 +140,34 @@ func BigInt2Uint64Le(z []uint64, x *big.Int) {
 		z[i] = 0
 	}
 }
+
+// MarshalBinary encodes a value into a byte array in a format readable by UnmarshalBinary.
+func MarshalBinary(v cryptobyte.MarshalingValue) ([]byte, error) {
+	const DefaultSize = 32
+	b := cryptobyte.NewBuilder(make([]byte, 0, DefaultSize))
+	b.AddValue(v)
+	return b.Bytes()
+}
+
+// MarshalBinaryLen encodes a value into an array of n bytes in a format readable by UnmarshalBinary.
+func MarshalBinaryLen(v cryptobyte.MarshalingValue, length uint) ([]byte, error) {
+	b := cryptobyte.NewFixedBuilder(make([]byte, 0, length))
+	b.AddValue(v)
+	return b.Bytes()
+}
+
+// A UnmarshalingValue decodes itself from a cryptobyte.String and advances the pointer.
+// It reports whether the read was successful.
+type UnmarshalingValue interface {
+	Unmarshal(*cryptobyte.String) bool
+}
+
+// UnmarshalBinary recovers a value from a byte array.
+// It returns an error if the read was unsuccessful.
+func UnmarshalBinary(v UnmarshalingValue, data []byte) (err error) {
+	s := cryptobyte.String(data)
+	if data == nil || !v.Unmarshal(&s) || !s.Empty() {
+		err = fmt.Errorf("cannot read %T from input string", v)
+	}
+	return
+}

vendor/github.com/cloudflare/circl/kem/mlkem/mlkem768/kyber.go

@@ -0,0 +1,407 @@
+// Code generated from pkg.templ.go. DO NOT EDIT.
+
+// Package mlkem768 implements the IND-CCA2 secure key encapsulation mechanism
+// ML-KEM-768 as defined in FIPS203.
+package mlkem768
+
+import (
+	"bytes"
+	"crypto/subtle"
+	"io"
+
+	cryptoRand "crypto/rand"
+	"github.com/cloudflare/circl/internal/sha3"
+	"github.com/cloudflare/circl/kem"
+	cpapke "github.com/cloudflare/circl/pke/kyber/kyber768"
+)
+
+const (
+	// Size of seed for NewKeyFromSeed
+	KeySeedSize = cpapke.KeySeedSize + 32
+
+	// Size of seed for EncapsulateTo.
+	EncapsulationSeedSize = 32
+
+	// Size of the established shared key.
+	SharedKeySize = 32
+
+	// Size of the encapsulated shared key.
+	CiphertextSize = cpapke.CiphertextSize
+
+	// Size of a packed public key.
+	PublicKeySize = cpapke.PublicKeySize
+
+	// Size of a packed private key.
+	PrivateKeySize = cpapke.PrivateKeySize + cpapke.PublicKeySize + 64
+)
+
+// Type of a ML-KEM-768 public key
+type PublicKey struct {
+	pk *cpapke.PublicKey
+
+	hpk [32]byte // H(pk)
+}
+
+// Type of a ML-KEM-768 private key
+type PrivateKey struct {
+	sk  *cpapke.PrivateKey
+	pk  *cpapke.PublicKey
+	hpk [32]byte // H(pk)
+	z   [32]byte
+}
+
+// NewKeyFromSeed derives a public/private keypair deterministically
+// from the given seed.
+//
+// Panics if seed is not of length KeySeedSize.
+func NewKeyFromSeed(seed []byte) (*PublicKey, *PrivateKey) {
+	var sk PrivateKey
+	var pk PublicKey
+
+	if len(seed) != KeySeedSize {
+		panic("seed must be of length KeySeedSize")
+	}
+
+	pk.pk, sk.sk = cpapke.NewKeyFromSeedMLKEM(seed[:cpapke.KeySeedSize])
+	sk.pk = pk.pk
+	copy(sk.z[:], seed[cpapke.KeySeedSize:])
+
+	// Compute H(pk)
+	var ppk [cpapke.PublicKeySize]byte
+	sk.pk.Pack(ppk[:])
+	h := sha3.New256()
+	h.Write(ppk[:])
+	h.Read(sk.hpk[:])
+	copy(pk.hpk[:], sk.hpk[:])
+
+	return &pk, &sk
+}
+
+// GenerateKeyPair generates public and private keys using entropy from rand.
+// If rand is nil, crypto/rand.Reader will be used.
+func GenerateKeyPair(rand io.Reader) (*PublicKey, *PrivateKey, error) {
+	var seed [KeySeedSize]byte
+	if rand == nil {
+		rand = cryptoRand.Reader
+	}
+	_, err := io.ReadFull(rand, seed[:])
+	if err != nil {
+		return nil, nil, err
+	}
+	pk, sk := NewKeyFromSeed(seed[:])
+	return pk, sk, nil
+}
+
+// EncapsulateTo generates a shared key and ciphertext that contains it
+// for the public key using randomness from seed and writes the shared key
+// to ss and ciphertext to ct.
+//
+// Panics if ss, ct or seed are not of length SharedKeySize, CiphertextSize
+// and EncapsulationSeedSize respectively.
+//
+// seed may be nil, in which case crypto/rand.Reader is used to generate one.
+func (pk *PublicKey) EncapsulateTo(ct, ss []byte, seed []byte) {
+	if seed == nil {
+		seed = make([]byte, EncapsulationSeedSize)
+		if _, err := cryptoRand.Read(seed[:]); err != nil {
+			panic(err)
+		}
+	} else {
+		if len(seed) != EncapsulationSeedSize {
+			panic("seed must be of length EncapsulationSeedSize")
+		}
+	}
+
+	if len(ct) != CiphertextSize {
+		panic("ct must be of length CiphertextSize")
+	}
+
+	if len(ss) != SharedKeySize {
+		panic("ss must be of length SharedKeySize")
+	}
+
+	var m [32]byte
+	copy(m[:], seed)
+
+	// (K', r) = G(m ‖ H(pk))
+	var kr [64]byte
+	g := sha3.New512()
+	g.Write(m[:])
+	g.Write(pk.hpk[:])
+	g.Read(kr[:])
+
+	// c = Kyber.CPAPKE.Enc(pk, m, r)
+	pk.pk.EncryptTo(ct, m[:], kr[32:])
+
+	copy(ss, kr[:SharedKeySize])
+}
+
+// DecapsulateTo computes the shared key which is encapsulated in ct
+// for the private key.
+//
+// Panics if ct or ss are not of length CiphertextSize and SharedKeySize
+// respectively.
+func (sk *PrivateKey) DecapsulateTo(ss, ct []byte) {
+	if len(ct) != CiphertextSize {
+		panic("ct must be of length CiphertextSize")
+	}
+
+	if len(ss) != SharedKeySize {
+		panic("ss must be of length SharedKeySize")
+	}
+
+	// m' = Kyber.CPAPKE.Dec(sk, ct)
+	var m2 [32]byte
+	sk.sk.DecryptTo(m2[:], ct)
+
+	// (K'', r') = G(m' ‖ H(pk))
+	var kr2 [64]byte
+	g := sha3.New512()
+	g.Write(m2[:])
+	g.Write(sk.hpk[:])
+	g.Read(kr2[:])
+
+	// c' = Kyber.CPAPKE.Enc(pk, m', r')
+	var ct2 [CiphertextSize]byte
+	sk.pk.EncryptTo(ct2[:], m2[:], kr2[32:])
+
+	var ss2 [SharedKeySize]byte
+
+	// Compute shared secret in case of rejection: ss₂ = PRF(z ‖ c)
+	prf := sha3.NewShake256()
+	prf.Write(sk.z[:])
+	prf.Write(ct[:CiphertextSize])
+	prf.Read(ss2[:])
+
+	// Set ss2 to the real shared secret if c = c'.
+	subtle.ConstantTimeCopy(
+		subtle.ConstantTimeCompare(ct, ct2[:]),
+		ss2[:],
+		kr2[:SharedKeySize],
+	)
+
+	copy(ss, ss2[:])
+}
+
+// Packs sk to buf.
+//
+// Panics if buf is not of size PrivateKeySize.
+func (sk *PrivateKey) Pack(buf []byte) {
+	if len(buf) != PrivateKeySize {
+		panic("buf must be of length PrivateKeySize")
+	}
+
+	sk.sk.Pack(buf[:cpapke.PrivateKeySize])
+	buf = buf[cpapke.PrivateKeySize:]
+	sk.pk.Pack(buf[:cpapke.PublicKeySize])
+	buf = buf[cpapke.PublicKeySize:]
+	copy(buf, sk.hpk[:])
+	buf = buf[32:]
+	copy(buf, sk.z[:])
+}
+
+// Unpacks sk from buf.
+//
+// Panics if buf is not of size PrivateKeySize.
+//
+// Returns an error if buf is not of size PrivateKeySize, or private key
+// doesn't pass the ML-KEM decapsulation key check.
+func (sk *PrivateKey) Unpack(buf []byte) error {
+	if len(buf) != PrivateKeySize {
+		return kem.ErrPrivKeySize
+	}
+
+	sk.sk = new(cpapke.PrivateKey)
+	sk.sk.Unpack(buf[:cpapke.PrivateKeySize])
+	buf = buf[cpapke.PrivateKeySize:]
+	sk.pk = new(cpapke.PublicKey)
+	sk.pk.Unpack(buf[:cpapke.PublicKeySize])
+	var hpk [32]byte
+	h := sha3.New256()
+	h.Write(buf[:cpapke.PublicKeySize])
+	h.Read(hpk[:])
+	buf = buf[cpapke.PublicKeySize:]
+	copy(sk.hpk[:], buf[:32])
+	copy(sk.z[:], buf[32:])
+	if !bytes.Equal(hpk[:], sk.hpk[:]) {
+		return kem.ErrPrivKey
+	}
+	return nil
+}
+
+// Packs pk to buf.
+//
+// Panics if buf is not of size PublicKeySize.
+func (pk *PublicKey) Pack(buf []byte) {
+	if len(buf) != PublicKeySize {
+		panic("buf must be of length PublicKeySize")
+	}
+
+	pk.pk.Pack(buf)
+}
+
+// Unpacks pk from buf.
+//
+// Returns an error if buf is not of size PublicKeySize, or the public key
+// is not normalized.
+func (pk *PublicKey) Unpack(buf []byte) error {
+	if len(buf) != PublicKeySize {
+		return kem.ErrPubKeySize
+	}
+
+	pk.pk = new(cpapke.PublicKey)
+	if err := pk.pk.UnpackMLKEM(buf); err != nil {
+		return err
+	}
+
+	// Compute cached H(pk)
+	h := sha3.New256()
+	h.Write(buf)
+	h.Read(pk.hpk[:])
+
+	return nil
+}
+
+// Boilerplate down below for the KEM scheme API.
+
+type scheme struct{}
+
+var sch kem.Scheme = &scheme{}
+
+// Scheme returns a KEM interface.
+func Scheme() kem.Scheme { return sch }
+
+func (*scheme) Name() string               { return "ML-KEM-768" }
+func (*scheme) PublicKeySize() int         { return PublicKeySize }
+func (*scheme) PrivateKeySize() int        { return PrivateKeySize }
+func (*scheme) SeedSize() int              { return KeySeedSize }
+func (*scheme) SharedKeySize() int         { return SharedKeySize }
+func (*scheme) CiphertextSize() int        { return CiphertextSize }
+func (*scheme) EncapsulationSeedSize() int { return EncapsulationSeedSize }
+
+func (sk *PrivateKey) Scheme() kem.Scheme { return sch }
+func (pk *PublicKey) Scheme() kem.Scheme  { return sch }
+
+func (sk *PrivateKey) MarshalBinary() ([]byte, error) {
+	var ret [PrivateKeySize]byte
+	sk.Pack(ret[:])
+	return ret[:], nil
+}
+
+func (sk *PrivateKey) Equal(other kem.PrivateKey) bool {
+	oth, ok := other.(*PrivateKey)
+	if !ok {
+		return false
+	}
+	if sk.pk == nil && oth.pk == nil {
+		return true
+	}
+	if sk.pk == nil || oth.pk == nil {
+		return false
+	}
+	if !bytes.Equal(sk.hpk[:], oth.hpk[:]) ||
+		subtle.ConstantTimeCompare(sk.z[:], oth.z[:]) != 1 {
+		return false
+	}
+	return sk.sk.Equal(oth.sk)
+}
+
+func (pk *PublicKey) Equal(other kem.PublicKey) bool {
+	oth, ok := other.(*PublicKey)
+	if !ok {
+		return false
+	}
+	if pk.pk == nil && oth.pk == nil {
+		return true
+	}
+	if pk.pk == nil || oth.pk == nil {
+		return false
+	}
+	return bytes.Equal(pk.hpk[:], oth.hpk[:])
+}
+
+func (sk *PrivateKey) Public() kem.PublicKey {
+	pk := new(PublicKey)
+	pk.pk = sk.pk
+	copy(pk.hpk[:], sk.hpk[:])
+	return pk
+}
+
+func (pk *PublicKey) MarshalBinary() ([]byte, error) {
+	var ret [PublicKeySize]byte
+	pk.Pack(ret[:])
+	return ret[:], nil
+}
+
+func (*scheme) GenerateKeyPair() (kem.PublicKey, kem.PrivateKey, error) {
+	return GenerateKeyPair(cryptoRand.Reader)
+}
+
+func (*scheme) DeriveKeyPair(seed []byte) (kem.PublicKey, kem.PrivateKey) {
+	if len(seed) != KeySeedSize {
+		panic(kem.ErrSeedSize)
+	}
+	return NewKeyFromSeed(seed[:])
+}
+
+func (*scheme) Encapsulate(pk kem.PublicKey) (ct, ss []byte, err error) {
+	ct = make([]byte, CiphertextSize)
+	ss = make([]byte, SharedKeySize)
+
+	pub, ok := pk.(*PublicKey)
+	if !ok {
+		return nil, nil, kem.ErrTypeMismatch
+	}
+	pub.EncapsulateTo(ct, ss, nil)
+	return
+}
+
+func (*scheme) EncapsulateDeterministically(pk kem.PublicKey, seed []byte) (
+	ct, ss []byte, err error) {
+	if len(seed) != EncapsulationSeedSize {
+		return nil, nil, kem.ErrSeedSize
+	}
+
+	ct = make([]byte, CiphertextSize)
+	ss = make([]byte, SharedKeySize)
+
+	pub, ok := pk.(*PublicKey)
+	if !ok {
+		return nil, nil, kem.ErrTypeMismatch
+	}
+	pub.EncapsulateTo(ct, ss, seed)
+	return
+}
+
+func (*scheme) Decapsulate(sk kem.PrivateKey, ct []byte) ([]byte, error) {
+	if len(ct) != CiphertextSize {
+		return nil, kem.ErrCiphertextSize
+	}
+
+	priv, ok := sk.(*PrivateKey)
+	if !ok {
+		return nil, kem.ErrTypeMismatch
+	}
+	ss := make([]byte, SharedKeySize)
+	priv.DecapsulateTo(ss, ct)
+	return ss, nil
+}
+
+func (*scheme) UnmarshalBinaryPublicKey(buf []byte) (kem.PublicKey, error) {
+	var ret PublicKey
+	if err := ret.Unpack(buf); err != nil {
+		return nil, err
+	}
+	return &ret, nil
+}
+
+func (*scheme) UnmarshalBinaryPrivateKey(buf []byte) (kem.PrivateKey, error) {
+	if len(buf) != PrivateKeySize {
+		return nil, kem.ErrPrivKeySize
+	}
+	var ret PrivateKey
+	if err := ret.Unpack(buf); err != nil {
+		return nil, err
+	}
+	return &ret, nil
+}

vendor/github.com/cloudflare/circl/kem/xwing/scheme.go

@@ -0,0 +1,140 @@
+package xwing
+
+import (
+	"bytes"
+	cryptoRand "crypto/rand"
+	"crypto/subtle"
+
+	"github.com/cloudflare/circl/kem"
+	"github.com/cloudflare/circl/kem/mlkem/mlkem768"
+)
+
+// This file contains the boilerplate code to connect X-Wing to the
+// generic KEM API.
+
+// Returns the generic KEM interface for  X-Wing PQ/T hybrid KEM.
+func Scheme() kem.Scheme { return scheme{} }
+
+type scheme struct{}
+
+func (scheme) Name() string               { return "X-Wing" }
+func (scheme) PublicKeySize() int         { return PublicKeySize }
+func (scheme) PrivateKeySize() int        { return PrivateKeySize }
+func (scheme) SeedSize() int              { return SeedSize }
+func (scheme) EncapsulationSeedSize() int { return EncapsulationSeedSize }
+func (scheme) SharedKeySize() int         { return SharedKeySize }
+func (scheme) CiphertextSize() int        { return CiphertextSize }
+func (*PrivateKey) Scheme() kem.Scheme    { return scheme{} }
+func (*PublicKey) Scheme() kem.Scheme     { return scheme{} }
+
+func (sch scheme) Encapsulate(pk kem.PublicKey) (ct, ss []byte, err error) {
+	var seed [EncapsulationSeedSize]byte
+	_, err = cryptoRand.Read(seed[:])
+	if err != nil {
+		return
+	}
+	return sch.EncapsulateDeterministically(pk, seed[:])
+}
+
+func (scheme) EncapsulateDeterministically(
+	pk kem.PublicKey, seed []byte,
+) ([]byte, []byte, error) {
+	if len(seed) != EncapsulationSeedSize {
+		return nil, nil, kem.ErrSeedSize
+	}
+	pub, ok := pk.(*PublicKey)
+	if !ok {
+		return nil, nil, kem.ErrTypeMismatch
+	}
+	var (
+		ct [CiphertextSize]byte
+		ss [SharedKeySize]byte
+	)
+	pub.EncapsulateTo(ct[:], ss[:], seed)
+	return ct[:], ss[:], nil
+}
+
+func (scheme) UnmarshalBinaryPublicKey(buf []byte) (kem.PublicKey, error) {
+	var pk PublicKey
+	if len(buf) != PublicKeySize {
+		return nil, kem.ErrPubKeySize
+	}
+
+	if err := pk.Unpack(buf); err != nil {
+		return nil, err
+	}
+	return &pk, nil
+}
+
+func (scheme) UnmarshalBinaryPrivateKey(buf []byte) (kem.PrivateKey, error) {
+	var sk PrivateKey
+	if len(buf) != PrivateKeySize {
+		return nil, kem.ErrPrivKeySize
+	}
+
+	sk.Unpack(buf)
+	return &sk, nil
+}
+
+func (sk *PrivateKey) MarshalBinary() ([]byte, error) {
+	var ret [PrivateKeySize]byte
+	sk.Pack(ret[:])
+	return ret[:], nil
+}
+
+func (sk *PrivateKey) Equal(other kem.PrivateKey) bool {
+	oth, ok := other.(*PrivateKey)
+	if !ok {
+		return false
+	}
+	return sk.m.Equal(&oth.m) &&
+		subtle.ConstantTimeCompare(oth.x[:], sk.x[:]) == 1
+}
+
+func (sk *PrivateKey) Public() kem.PublicKey {
+	var pk PublicKey
+	pk.m = *(sk.m.Public().(*mlkem768.PublicKey))
+	pk.x = sk.xpk
+	return &pk
+}
+
+func (pk *PublicKey) Equal(other kem.PublicKey) bool {
+	oth, ok := other.(*PublicKey)
+	if !ok {
+		return false
+	}
+	return pk.m.Equal(&oth.m) && bytes.Equal(pk.x[:], oth.x[:])
+}
+
+func (pk *PublicKey) MarshalBinary() ([]byte, error) {
+	var ret [PublicKeySize]byte
+	pk.Pack(ret[:])
+	return ret[:], nil
+}
+
+func (scheme) DeriveKeyPair(seed []byte) (kem.PublicKey, kem.PrivateKey) {
+	sk, pk := DeriveKeyPair(seed)
+	return pk, sk
+}
+
+func (scheme) GenerateKeyPair() (kem.PublicKey, kem.PrivateKey, error) {
+	sk, pk, err := GenerateKeyPair(nil)
+	return pk, sk, err
+}
+
+func (scheme) Decapsulate(sk kem.PrivateKey, ct []byte) ([]byte, error) {
+	if len(ct) != CiphertextSize {
+		return nil, kem.ErrCiphertextSize
+	}
+
+	var ss [SharedKeySize]byte
+
+	priv, ok := sk.(*PrivateKey)
+	if !ok {
+		return nil, kem.ErrTypeMismatch
+	}
+
+	priv.DecapsulateTo(ss[:], ct[:])
+
+	return ss[:], nil
+}

vendor/github.com/cloudflare/circl/kem/xwing/xwing.go

@@ -0,0 +1,316 @@
+// Package xwing implements the X-Wing PQ/T hybrid KEM
+//
+//	https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem
+//
+// Implements the final version (-05).
+package xwing
+
+import (
+	cryptoRand "crypto/rand"
+	"errors"
+	"io"
+
+	"github.com/cloudflare/circl/dh/x25519"
+	"github.com/cloudflare/circl/internal/sha3"
+	"github.com/cloudflare/circl/kem"
+	"github.com/cloudflare/circl/kem/mlkem/mlkem768"
+)
+
+// An X-Wing private key.
+type PrivateKey struct {
+	seed [32]byte
+	m    mlkem768.PrivateKey
+	x    x25519.Key
+	xpk  x25519.Key
+}
+
+// An X-Wing public key.
+type PublicKey struct {
+	m mlkem768.PublicKey
+	x x25519.Key
+}
+
+const (
+	// Size of a seed of a keypair
+	SeedSize = 32
+
+	// Size of an X-Wing public key
+	PublicKeySize = 1216
+
+	// Size of an X-Wing private key
+	PrivateKeySize = 32
+
+	// Size of the seed passed to EncapsulateTo
+	EncapsulationSeedSize = 64
+
+	// Size of the established shared key
+	SharedKeySize = 32
+
+	// Size of an X-Wing ciphertext.
+	CiphertextSize = 1120
+)
+
+func combiner(
+	out []byte,
+	ssm *[mlkem768.SharedKeySize]byte,
+	ssx *x25519.Key,
+	ctx *x25519.Key,
+	pkx *x25519.Key,
+) {
+	h := sha3.New256()
+	_, _ = h.Write(ssm[:])
+	_, _ = h.Write(ssx[:])
+	_, _ = h.Write(ctx[:])
+	_, _ = h.Write(pkx[:])
+
+	//   \./
+	//   /^\
+	_, _ = h.Write([]byte(`\.//^\`))
+
+	_, _ = h.Read(out[:])
+}
+
+// Packs sk to buf.
+//
+// Panics if buf is not of size PrivateKeySize
+func (sk *PrivateKey) Pack(buf []byte) {
+	if len(buf) != PrivateKeySize {
+		panic(kem.ErrPrivKeySize)
+	}
+	copy(buf, sk.seed[:])
+}
+
+// Packs pk to buf.
+//
+// Panics if buf is not of size PublicKeySize.
+func (pk *PublicKey) Pack(buf []byte) {
+	if len(buf) != PublicKeySize {
+		panic(kem.ErrPubKeySize)
+	}
+	pk.m.Pack(buf[:mlkem768.PublicKeySize])
+	copy(buf[mlkem768.PublicKeySize:], pk.x[:])
+}
+
+// DeriveKeyPair derives a public/private keypair deterministically
+// from the given seed.
+//
+// Panics if seed is not of length SeedSize.
+func DeriveKeyPair(seed []byte) (*PrivateKey, *PublicKey) {
+	var (
+		sk PrivateKey
+		pk PublicKey
+	)
+
+	deriveKeyPair(seed, &sk, &pk)
+
+	return &sk, &pk
+}
+
+func deriveKeyPair(seed []byte, sk *PrivateKey, pk *PublicKey) {
+	if len(seed) != SeedSize {
+		panic(kem.ErrSeedSize)
+	}
+
+	var seedm [mlkem768.KeySeedSize]byte
+
+	copy(sk.seed[:], seed)
+
+	h := sha3.NewShake256()
+	_, _ = h.Write(seed)
+	_, _ = h.Read(seedm[:])
+	_, _ = h.Read(sk.x[:])
+
+	pkm, skm := mlkem768.NewKeyFromSeed(seedm[:])
+	sk.m = *skm
+	pk.m = *pkm
+
+	x25519.KeyGen(&pk.x, &sk.x)
+	sk.xpk = pk.x
+}
+
+// DeriveKeyPairPacked derives a keypair like DeriveKeyPair, and
+// returns them packed.
+func DeriveKeyPairPacked(seed []byte) ([]byte, []byte) {
+	sk, pk := DeriveKeyPair(seed)
+	var (
+		ppk [PublicKeySize]byte
+		psk [PrivateKeySize]byte
+	)
+	pk.Pack(ppk[:])
+	sk.Pack(psk[:])
+	return psk[:], ppk[:]
+}
+
+// GenerateKeyPair generates public and private keys using entropy from rand.
+// If rand is nil, crypto/rand.Reader will be used.
+func GenerateKeyPair(rand io.Reader) (*PrivateKey, *PublicKey, error) {
+	var seed [SeedSize]byte
+	if rand == nil {
+		rand = cryptoRand.Reader
+	}
+	_, err := io.ReadFull(rand, seed[:])
+	if err != nil {
+		return nil, nil, err
+	}
+	sk, pk := DeriveKeyPair(seed[:])
+	return sk, pk, nil
+}
+
+// GenerateKeyPairPacked generates a keypair like GenerateKeyPair, and
+// returns them packed.
+func GenerateKeyPairPacked(rand io.Reader) ([]byte, []byte, error) {
+	sk, pk, err := GenerateKeyPair(rand)
+	if err != nil {
+		return nil, nil, err
+	}
+	var (
+		ppk [PublicKeySize]byte
+		psk [PrivateKeySize]byte
+	)
+	pk.Pack(ppk[:])
+	sk.Pack(psk[:])
+	return psk[:], ppk[:], nil
+}
+
+// Encapsulate generates a shared key and ciphertext that contains it
+// for the public key pk using randomness from seed.
+//
+// seed may be nil, in which case crypto/rand.Reader is used.
+//
+// Warning: note that the order of the returned ss and ct matches the
+// X-Wing standard, which is the reverse of the Circl KEM API.
+//
+// Returns ErrPubKey if ML-KEM encapsulation key check fails.
+//
+// Panics if pk is not of size PublicKeySize, or randomness could not
+// be read from crypto/rand.Reader.
+func Encapsulate(pk, seed []byte) (ss, ct []byte, err error) {
+	var pub PublicKey
+	if err := pub.Unpack(pk); err != nil {
+		return nil, nil, err
+	}
+	ct = make([]byte, CiphertextSize)
+	ss = make([]byte, SharedKeySize)
+	pub.EncapsulateTo(ct, ss, seed)
+	return ss, ct, nil
+}
+
+// Decapsulate computes the shared key which is encapsulated in ct
+// for the private key sk.
+//
+// Panics if sk or ct are not of length PrivateKeySize and CiphertextSize
+// respectively.
+func Decapsulate(ct, sk []byte) (ss []byte) {
+	var priv PrivateKey
+	priv.Unpack(sk)
+	ss = make([]byte, SharedKeySize)
+	priv.DecapsulateTo(ss, ct)
+	return ss
+}
+
+// Raised when passing a byte slice of the wrong size for the shared
+// secret to the EncapsulateTo or DecapsulateTo functions.
+var ErrSharedKeySize = errors.New("wrong size for shared key")
+
+// EncapsulateTo generates a shared key and ciphertext that contains it
+// for the public key using randomness from seed and writes the shared key
+// to ss and ciphertext to ct.
+//
+// Panics if ss, ct or seed are not of length SharedKeySize, CiphertextSize
+// and EncapsulationSeedSize respectively.
+//
+// seed may be nil, in which case crypto/rand.Reader is used to generate one.
+func (pk *PublicKey) EncapsulateTo(ct, ss, seed []byte) {
+	if seed == nil {
+		seed = make([]byte, EncapsulationSeedSize)
+		if _, err := cryptoRand.Read(seed[:]); err != nil {
+			panic(err)
+		}
+	} else {
+		if len(seed) != EncapsulationSeedSize {
+			panic(kem.ErrSeedSize)
+		}
+	}
+
+	if len(ct) != CiphertextSize {
+		panic(kem.ErrCiphertextSize)
+	}
+
+	if len(ss) != SharedKeySize {
+		panic(ErrSharedKeySize)
+	}
+
+	var (
+		seedm [32]byte
+		ekx   x25519.Key
+		ctx   x25519.Key
+		ssx   x25519.Key
+		ssm   [mlkem768.SharedKeySize]byte
+	)
+
+	copy(seedm[:], seed[:32])
+	copy(ekx[:], seed[32:])
+
+	x25519.KeyGen(&ctx, &ekx)
+	// A peer public key with low order points results in an all-zeroes
+	// shared secret. Ignored for now pending clarification in the spec,
+	// https://github.com/dconnolly/draft-connolly-cfrg-xwing-kem/issues/28
+	x25519.Shared(&ssx, &ekx, &pk.x)
+	pk.m.EncapsulateTo(ct[:mlkem768.CiphertextSize], ssm[:], seedm[:])
+
+	combiner(ss, &ssm, &ssx, &ctx, &pk.x)
+	copy(ct[mlkem768.CiphertextSize:], ctx[:])
+}
+
+// DecapsulateTo computes the shared key which is encapsulated in ct
+// for the private key.
+//
+// Panics if ct or ss are not of length CiphertextSize and SharedKeySize
+// respectively.
+func (sk *PrivateKey) DecapsulateTo(ss, ct []byte) {
+	if len(ct) != CiphertextSize {
+		panic(kem.ErrCiphertextSize)
+	}
+	if len(ss) != SharedKeySize {
+		panic(ErrSharedKeySize)
+	}
+
+	ctm := ct[:mlkem768.CiphertextSize]
+
+	var (
+		ssm [mlkem768.SharedKeySize]byte
+		ssx x25519.Key
+		ctx x25519.Key
+	)
+
+	copy(ctx[:], ct[mlkem768.CiphertextSize:])
+
+	sk.m.DecapsulateTo(ssm[:], ctm)
+	// A peer public key with low order points results in an all-zeroes
+	// shared secret. Ignored for now pending clarification in the spec,
+	// https://github.com/dconnolly/draft-connolly-cfrg-xwing-kem/issues/28
+	x25519.Shared(&ssx, &sk.x, &ctx)
+	combiner(ss, &ssm, &ssx, &ctx, &sk.xpk)
+}
+
+// Unpacks pk from buf.
+//
+// Panics if buf is not of size PublicKeySize.
+//
+// Returns ErrPubKey if pk fails the ML-KEM encapsulation key check.
+func (pk *PublicKey) Unpack(buf []byte) error {
+	if len(buf) != PublicKeySize {
+		panic(kem.ErrPubKeySize)
+	}
+
+	copy(pk.x[:], buf[mlkem768.PublicKeySize:])
+	return pk.m.Unpack(buf[:mlkem768.PublicKeySize])
+}
+
+// Unpacks sk from buf.
+//
+// Panics if buf is not of size PrivateKeySize.
+func (sk *PrivateKey) Unpack(buf []byte) {
+	var pk PublicKey
+	deriveKeyPair(buf, sk, &pk)
+}

vendor/github.com/cloudflare/circl/math/primes.go

@@ -1,34 +0,0 @@
-package math
-
-import (
-	"crypto/rand"
-	"io"
-	"math/big"
-)
-
-// IsSafePrime reports whether p is (probably) a safe prime.
-// The prime p=2*q+1 is safe prime if both p and q are primes.
-// Note that ProbablyPrime is not suitable for judging primes
-// that an adversary may have crafted to fool the test.
-func IsSafePrime(p *big.Int) bool {
-	pdiv2 := new(big.Int).Rsh(p, 1)
-	return p.ProbablyPrime(20) && pdiv2.ProbablyPrime(20)
-}
-
-// SafePrime returns a number of the given bit length that is a safe prime with high probability.
-// The number returned p=2*q+1 is a safe prime if both p and q are primes.
-// SafePrime will return error for any error returned by rand.Read or if bits < 2.
-func SafePrime(random io.Reader, bits int) (*big.Int, error) {
-	one := big.NewInt(1)
-	p := new(big.Int)
-	for {
-		q, err := rand.Prime(random, bits-1)
-		if err != nil {
-			return nil, err
-		}
-		p.Lsh(q, 1).Add(p, one)
-		if p.ProbablyPrime(20) {
-			return p, nil
-		}
-	}
-}

vendor/github.com/cloudflare/circl/math/wnaf.go

@@ -1,84 +0,0 @@
-// Package math provides some utility functions for big integers.
-package math
-
-import "math/big"
-
-// SignedDigit obtains the signed-digit recoding of n and returns a list L of
-// digits such that n = sum( L[i]*2^(i*(w-1)) ), and each L[i] is an odd number
-// in the set {±1, ±3, ..., ±2^(w-1)-1}. The third parameter ensures that the
-// output has ceil(l/(w-1)) digits.
-//
-// Restrictions:
-//   - n is odd and n > 0.
-//   - 1 < w < 32.
-//   - l >= bit length of n.
-//
-// References:
-//   - Alg.6 in "Exponent Recoding and Regular Exponentiation Algorithms"
-//     by Joye-Tunstall. http://doi.org/10.1007/978-3-642-02384-2_21
-//   - Alg.6 in "Selecting Elliptic Curves for Cryptography: An Efficiency and
-//     Security Analysis" by Bos et al. http://doi.org/10.1007/s13389-015-0097-y
-func SignedDigit(n *big.Int, w, l uint) []int32 {
-	if n.Sign() <= 0 || n.Bit(0) == 0 {
-		panic("n must be non-zero, odd, and positive")
-	}
-	if w <= 1 || w >= 32 {
-		panic("Verify that 1 < w < 32")
-	}
-	if uint(n.BitLen()) > l {
-		panic("n is too big to fit in l digits")
-	}
-	lenN := (l + (w - 1) - 1) / (w - 1) // ceil(l/(w-1))
-	L := make([]int32, lenN+1)
-	var k, v big.Int
-	k.Set(n)
-
-	var i uint
-	for i = 0; i < lenN; i++ {
-		words := k.Bits()
-		value := int32(words[0] & ((1 << w) - 1))
-		value -= int32(1) << (w - 1)
-		L[i] = value
-		v.SetInt64(int64(value))
-		k.Sub(&k, &v)
-		k.Rsh(&k, w-1)
-	}
-	L[i] = int32(k.Int64())
-	return L
-}
-
-// OmegaNAF obtains the window-w Non-Adjacent Form of a positive number n and
-// 1 < w < 32. The returned slice L holds n = sum( L[i]*2^i ).
-//
-// Reference:
-//   - Alg.9 "Efficient arithmetic on Koblitz curves" by Solinas.
-//     http://doi.org/10.1023/A:1008306223194
-func OmegaNAF(n *big.Int, w uint) (L []int32) {
-	if n.Sign() < 0 {
-		panic("n must be positive")
-	}
-	if w <= 1 || w >= 32 {
-		panic("Verify that 1 < w < 32")
-	}
-
-	L = make([]int32, n.BitLen()+1)
-	var k, v big.Int
-	k.Set(n)
-
-	i := 0
-	for ; k.Sign() > 0; i++ {
-		value := int32(0)
-		if k.Bit(0) == 1 {
-			words := k.Bits()
-			value = int32(words[0] & ((1 << w) - 1))
-			if value >= (int32(1) << (w - 1)) {
-				value -= int32(1) << w
-			}
-			v.SetInt64(int64(value))
-			k.Sub(&k, &v)
-		}
-		L[i] = value
-		k.Rsh(&k, 1)
-	}
-	return L[:i]
-}

vendor/modules.txt

@@ -96,17 +96,17 @@ github.com/cespare/xxhash
 # github.com/cheekybits/genny v0.0.0-20170328200008-9127e812e1e9
 ## explicit
 github.com/cheekybits/genny/generic
-# github.com/cloudflare/circl v1.5.0
+# github.com/cloudflare/circl v1.6.1
 ## explicit; go 1.22.0
 github.com/cloudflare/circl/dh/x25519
 github.com/cloudflare/circl/dh/x448
-github.com/cloudflare/circl/ecc/p384
 github.com/cloudflare/circl/hpke
 github.com/cloudflare/circl/internal/conv
 github.com/cloudflare/circl/internal/sha3
 github.com/cloudflare/circl/kem
 github.com/cloudflare/circl/kem/kyber/kyber768
-github.com/cloudflare/circl/math
+github.com/cloudflare/circl/kem/mlkem/mlkem768
+github.com/cloudflare/circl/kem/xwing
 github.com/cloudflare/circl/math/fp25519
 github.com/cloudflare/circl/math/fp448
 github.com/cloudflare/circl/pke/kyber/internal/common