{ x := uint32(a - b + q) return fieldReduceOnce(x) } // fieldMontgomeryMul returns a * b * R⁻¹ mod q. func fieldMontgomeryMul(a, b fieldElement) fieldElement { x := uint64(a) * uint64(b) return fieldMontgomeryReduc(x) } // fieldMontgomeryReduc returns x * R⁻¹ mod q for x < q * R. func fieldMontgomeryReduc(x uint64) fieldElement { t := uint32(x) * qNegInv u := (x + uint64(t)*q) >> 32 return fieldReduceOnce(uint32(u)) } // fieldMontgomeryMulSu returns a * (b - c). This operation is fused to save a...