decompose32(r) if hint == 1 { if r0 > 0 { r1 = (r1 + 1) % m } else { // Underflow is safe, because it operates modulo 256 (since the type // is byte), which is a multiple of m. r1 = (r1 - 1) % m } } return r1 } // makeHint32 implements MakeHint from FIPS 204 for γ2 = (q - 1) / 32. func makeHint32(ct0, w, cs2 fieldElement) byte { // v1 = HighBits(r + z) = HighBits(w - cs2 + ct0 - ct0) = HighBits(w - cs2) rPlusZ := fieldSub(w, cs2) v1 := highBits32(fieldFromMontgomery(rPlusZ)) // r1 = HighBits(r) = HighBits(w...