is in [0, 15]. func decompose32(r fieldElement) (r1 byte, r0 int32) { x := fieldFromMontgomery(r) r1 = highBits32(x) // r - r1 * (2 * γ2) mod± q r0 = int32(x) - int32(r1)*2*(q-1)/32 r0 = constantTimeSelectLe(q/2+1, r0, r0-q, r0) return r1, r0 } // useHint32 implements UseHint from FIPS 204 for γ2 = (q - 1) / 32. func useHint32(r fieldElement, hint byte) byte { const m = 16 // (q − 1) / (2 * γ2) r1, r0 := decompose32(r) if hint == 1 { if r0 > 0 { r1 = (r1 + 1) % m } else { // Underflow is safe, because...

addMul64(r0, a1_19, b4) r0 = addMul64(r0, a2_19, b3) r0 = addMul64(r0, a3_19, b2) r0 = addMul64(r0, a4_19, b1) // r1 = a0×b1 + a1×b0 + 19×(a2×b4 + a3×b3 + a4×b2) r1 := mul64(a0, b1) r1 = addMul64(r1, a1, b0) r1 = addMul64(r1, a2_19, b4) r1 = addMul64(r1, a3_19, b3) r1 = addMul64(r1, a4_19, b2) // r2 = a0×b2 + a1×b1 + a2×b0 + 19×(a3×b4 + a4×b3) r2 := mul64(a0, b2) r2 = addMul64(r2, a1, b1) r2 = addMul64(r2, a2, b0) r2 = addMul64(r2, a3_19, b4) r2 = addMul64(r2, a4_19, b3) // r3 = a0×b3 + a1×b2 + a2×b1...