} func fieldSub(a, b fieldElement) fieldElement { x := uint16(a - b + q) return fieldReduceOnce(x) } const ( barrettMultiplier = 5039 // 2¹² * 2¹² / q barrettShift = 24 // log₂(2¹² * 2¹²) ) // fieldReduce reduces a value a < 2q² using Barrett reduction, to avoid // potentially variable-time division. func fieldReduce(a uint32) fieldElement { quotient := uint32((uint64(a) * barrettMultiplier) >> barrettShift) return fieldReduceOnce(uint16(a - quotient*q)) } func fieldMul(a, b fieldElement) fieldElement...