p256PointDoubleAsm(res, in *P256Point) // p256OrdElement is a P-256 scalar field element in [0, ord(G)-1] in the // Montgomery domain (with R 2²⁵⁶) as four uint64 limbs in little-endian order. type p256OrdElement [4]uint64 // p256OrdReduce ensures s is in the range [0, ord(G)-1]. func p256OrdReduce(s *p256OrdElement) { // Since 2 * ord(G) > 2²⁵⁶, we can just conditionally subtract ord(G), // keeping the result if it doesn't underflow. t0, b := bits.Sub64(s[0], 0xf3b9cac2fc632551, 0) t1, b := bits.Sub64(s[1],...