func (e *P224Element) Sub(t1, t2 *P224Element) *P224Element {
	p224Sub(&e.x, &t1.x, &t2.x)
	return e
}

// Mul sets e = t1 * t2, and returns e.
func (e *P224Element) Mul(t1, t2 *P224Element) *P224Element {
	p224Mul(&e.x, &t1.x, &t2.x)
	return e
}

// Square sets e = t * t, and returns e.
func (e *P224Element) Square(t *P224Element) *P224Element {
	p224Square(&e.x, &t.x)
	return e

	//	x48     = x31 << 17 + x17
	//	x96     = x48 << 48 + x48
	//	x127    = x96 << 31 + x31
	//	return    x127 << 97 + x96
	//

	var z = new(P224Element).Set(e)
	var t0 = new(P224Element)
	var t1 = new(P224Element)
	var t2 = new(P224Element)

	z.Square(x)
	t0.Mul(x, z)
	z.Square(t0)
	z.Mul(x, z)
	t1.Square(z)
	for s := 1; s < 3; s++ {
		t1.Square(t1)
	}
	t1.Mul(z, t1)
	t2.Square(t1)

	// prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2.

	t0 := new(fiat.P224Element).Mul(p1.x, p2.x)  // t0 := X1 * X2
	t1 := new(fiat.P224Element).Mul(p1.y, p2.y)  // t1 := Y1 * Y2
	t2 := new(fiat.P224Element).Mul(p1.z, p2.z)  // t2 := Z1 * Z2
	t3 := new(fiat.P224Element).Add(p1.x, p1.y)  // t3 := X1 + Y1
	t4 := new(fiat.P224Element).Add(p2.x, p2.y)  // t4 := X2 + Y2
	t3.Mul(t3, t4)                               // t3 := t3 * t4

	// v = x^(2^127-1)^2 * x
	v := new(fiat.P224Element).Square(r)
	v.Mul(v, x)

	// r = x^(2^127-1) * x
	r.Mul(r, x)

	// for i = n-1 down to 1:
	//     w = v^(2^(i-1))
	//     if w == -1 then:
	//         v <- v*GG[n-i]
	//         r <- r*GG[n-i-1]

	var p224MinusOne = new(fiat.P224Element).Sub(
		new(fiat.P224Element), new(fiat.P224Element).One())

	for i := 96 - 1; i >= 1; i-- {

package fiat_test

import (
	"crypto/internal/nistec/fiat"
	"testing"
)

func BenchmarkMul(b *testing.B) {
	b.Run("P224", func(b *testing.B) {
		v := new(fiat.P224Element).One()
		b.ReportAllocs()
		b.ResetTimer()
		for i := 0; i < b.N; i++ {
			v.Mul(v, v)
		}
	})
	b.Run("P384", func(b *testing.B) {
		v := new(fiat.P384Element).One()
		b.ReportAllocs()
		b.ResetTimer()

	"io"
	"log"
	"os"
	"os/exec"
	"text/template"
)

var curves = []struct {
	Element  string
	Prime    string
	Prefix   string
	FiatType string
	BytesLen int
}{
	{
		Element:  "P224Element",
		Prime:    "2^224 - 2^96 + 1",
		Prefix:   "p224",
		FiatType: "[4]uint64",
		BytesLen: 28,
	},
	// The P-256 fiat implementation is used only on 32-bit architectures, but

	"strings"
	"text/template"
)

var curves = []struct {
	P         string
	Element   string
	Params    *elliptic.CurveParams
	BuildTags string
}{
	{
		P:       "P224",
		Element: "fiat.P224Element",
		Params:  elliptic.P224().Params(),
	},
	{
		P:         "P256",
		Element:   "fiat.P256Element",
		Params:    elliptic.P256().Params(),
		BuildTags: "(!amd64 && !arm64 && !ppc64le && !s390x) || purego",
	},