fieldElement) (r1 byte, r0 int32) { x := fieldFromMontgomery(r) r1 = highBits32(x) // r - r1 * (2 * γ2) mod± q r0 = int32(x) - int32(r1)*2*(q-1)/32 r0 = constantTimeSelectLe(q/2+1, r0, r0-q, r0) return r1, r0 } // useHint32 implements UseHint from FIPS 204 for γ2 = (q - 1) / 32. func useHint32(r fieldElement, hint byte) byte { const m = 16 // (q − 1) / (2 * γ2) r1, r0 := decompose32(r) if hint == 1 { if r0 > 0 { r1 = (r1 + 1) % m } else { // Underflow is safe, because it operates modulo 256 (since the...