// prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2.

	t0 := new(fiat.P256Element).Mul(p1.x, p2.x)  // t0 := X1 * X2
	t1 := new(fiat.P256Element).Mul(p1.y, p2.y)  // t1 := Y1 * Y2
	t2 := new(fiat.P256Element).Mul(p1.z, p2.z)  // t2 := Z1 * Z2
	t3 := new(fiat.P256Element).Add(p1.x, p1.y)  // t3 := X1 + Y1
	t4 := new(fiat.P256Element).Add(p2.x, p2.y)  // t4 := X2 + Y2
	t3.Mul(t3, t4)                               // t3 := t3 * t4

// license that can be found in the LICENSE file.

// Code generated by addchain. DO NOT EDIT.

package fiat

// Invert sets e = 1/x, and returns e.
//
// If x == 0, Invert returns e = 0.
func (e *P256Element) Invert(x *P256Element) *P256Element {
	// Inversion is implemented as exponentiation with exponent p − 2.
	// The sequence of 12 multiplications and 255 squarings is derived from the

func (e *P256Element) Sub(t1, t2 *P256Element) *P256Element {
	p256Sub(&e.x, &t1.x, &t2.x)
	return e
}

// Mul sets e = t1 * t2, and returns e.
func (e *P256Element) Mul(t1, t2 *P256Element) *P256Element {
	p256Mul(&e.x, &t1.x, &t2.x)
	return e
}

// Square sets e = t * t, and returns e.
func (e *P256Element) Square(t *P256Element) *P256Element {
	p256Square(&e.x, &t.x)
	return e

	"math/bits"
	"runtime"
	"unsafe"
)

// p256Element is a P-256 base field element in [0, P-1] in the Montgomery
// domain (with R 2²⁵⁶) as four limbs in little-endian order value.
type p256Element [4]uint64

// p256One is one in the Montgomery domain.
var p256One = p256Element{0x0000000000000001, 0xffffffff00000000,
	0xffffffffffffffff, 0x00000000fffffffe}

var p256Zero = p256Element{}

		})

		for k := 0; k < 6; k++ {
			base.Double(base)
		}
	}
}

func testP256AffineTable(t *testing.T, base *P256Point, table *p256AffineTable) {
	p := NewP256Point()
	zInv := new(p256Element)
	zInvSq := new(p256Element)

	for j := 0; j < 32; j++ {
		p.Add(p, base)

		// Convert p to affine coordinates.
		p256Inverse(zInv, &p.z)
		p256Sqr(zInvSq, zInv, 1)
		p256Mul(zInv, zInv, zInvSq)

	JMP ·p256BigToLittle(SB)
/* ---------------------------------------*/
// func p256LittleToBig(res *[32]byte, in *p256Element)
TEXT ·p256LittleToBig(SB),NOSPLIT,$0
	JMP ·p256BigToLittle(SB)
/* ---------------------------------------*/
// func p256BigToLittle(res *p256Element, in *[32]byte)
TEXT ·p256BigToLittle(SB),NOSPLIT,$0
	MOVQ res+0(FP), res_ptr
	MOVQ in+8(FP), x_ptr

	MOVQ (8*0)(x_ptr), acc0

	JMP	·p256BigToLittle(SB)
/* ---------------------------------------*/
// func p256LittleToBig(res *[32]byte, in *p256Element)
TEXT ·p256LittleToBig(SB),NOSPLIT,$0
	JMP	·p256BigToLittle(SB)
/* ---------------------------------------*/
// func p256BigToLittle(res *p256Element, in *[32]byte)
TEXT ·p256BigToLittle(SB),NOSPLIT,$0
	MOVD	res+0(FP), res_ptr
	MOVD	in+8(FP), a_ptr

	LDP	0*16(a_ptr), (acc0, acc1)

	// The P-256 fiat implementation is used only on 32-bit architectures, but
	// the uint32 fiat code is for some reason slower than the uint64 one. That
	// suggests there is a wide margin for improvement.
	{
		Element:  "P256Element",
		Prime:    "2^256 - 2^224 + 2^192 + 2^96 - 1",
		Prefix:   "p256",
		FiatType: "[4]uint64",
		BytesLen: 32,
	},
	{
		Element:  "P384Element",
		Prime:    "2^384 - 2^128 - 2^96 + 2^32 - 1",

TEXT ·p256OrdBigToLittle(SB), NOSPLIT, $0
	JMP ·p256BigToLittle(SB)

// ---------------------------------------
// func p256LittleToBig(res *[32]byte, in *p256Element)
TEXT ·p256LittleToBig(SB), NOSPLIT, $0
	JMP ·p256BigToLittle(SB)

// func p256BigToLittle(res *p256Element, in *[32]byte)
#define res_ptr   R1
#define in_ptr   R2
#define T1L   V2
#define T1H   V3

TEXT ·p256BigToLittle(SB), NOSPLIT, $0

#undef SEL1
#undef SEL2

// The following functions all reverse the byte order.

//func p256BigToLittle(res *p256Element, in *[32]byte)
TEXT ·p256BigToLittle(SB), NOSPLIT, $0-16
	MOVD	res+0(FP), R3
	MOVD	in+8(FP), R4
	BR	p256InternalEndianSwap<>(SB)

//func p256LittleToBig(res *[32]byte, in *p256Element)
TEXT ·p256LittleToBig(SB), NOSPLIT, $0-16
	MOVD	res+0(FP), R3
	MOVD	in+8(FP), R4
	BR	p256InternalEndianSwap<>(SB)