Diffstat (limited to 'src/Specific/X25519/C32')
-rw-r--r--src/Specific/X25519/C32/CurveParameters.v5
-rw-r--r--src/Specific/X25519/C32/feadd.v14
-rw-r--r--src/Specific/X25519/C32/feaddDisplay.log7
-rw-r--r--src/Specific/X25519/C32/feaddDisplay.v4
-rw-r--r--src/Specific/X25519/C32/fecarry.v14
-rw-r--r--src/Specific/X25519/C32/fecarryDisplay.log42
-rw-r--r--src/Specific/X25519/C32/fecarryDisplay.v4
-rw-r--r--src/Specific/X25519/C32/femul.v4
-rw-r--r--src/Specific/X25519/C32/femulDisplay.log10
-rw-r--r--src/Specific/X25519/C32/fesquare.v4
-rw-r--r--src/Specific/X25519/C32/fesquareDisplay.log10
-rw-r--r--src/Specific/X25519/C32/fesub.v14
-rw-r--r--src/Specific/X25519/C32/fesubDisplay.log7
-rw-r--r--src/Specific/X25519/C32/fesubDisplay.v4
-rw-r--r--src/Specific/X25519/C32/freeze.v4
15 files changed, 129 insertions, 18 deletions
diff --git a/src/Specific/X25519/C32/CurveParameters.v b/src/Specific/X25519/C32/CurveParameters.v
index 5a1163f91..0ab20d299 100644
--- a/src/Specific/X25519/C32/CurveParameters.v
+++ b/src/Specific/X25519/C32/CurveParameters.v
@@ -18,7 +18,7 @@ Definition curve : CurveParameters :=
a24 := Some 121665;
coef_div_modulus := Some 2%nat;
- goldilocks := Some false;
+ goldilocks := None;
montgomery := false;
freeze := Some true;
ladderstep := false;
@@ -245,7 +245,8 @@ Definition curve : CurveParameters :=
(output9, output8, output7, output6, output5, output4, output3, output2, output1, output0)
);
- upper_bound_of_exponent := None;
+ upper_bound_of_exponent_loose := None;
+ upper_bound_of_exponent_tight := None;
allowable_bit_widths := None;
freeze_extra_allowable_bit_widths := None;
modinv_fuel := None
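Review bot: The new `upper_bound_of_exponent_loose` and `upper_bound_of_exponent_tight` fields are both set to `None` with nothing recording what `None` means, even though this loose/tight split is what now separates the `feBW_tight` inputs of feadd/fesub from the `feBW_loose` inputs of femul. Presumably `None` lets the synthesis framework derive both bounds from the limb widths (the framework is not visible from this hunk), in which case a comment above the two fields such as `(* None: let the framework derive the loose/tight limb bounds from the limb widths; set explicitly only if the synthesized carry chain needs more headroom *)` would save the next reader a trip into the framework. The `goldilocks := Some false` → `None` change in the first hunk likewise has no stated rationale. The `curve` record definition starts and ends outside this hunk.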
diff --git a/src/Specific/X25519/C32/feadd.v b/src/Specific/X25519/C32/feadd.v
new file mode 100644
index 000000000..f74cf9cef
--- /dev/null
+++ b/src/Specific/X25519/C32/feadd.v
@@ -0,0 +1,14 @@
+Require Import Crypto.Arithmetic.PrimeFieldTheorems.
+Require Import Crypto.Specific.X25519.C32.Synthesis.
+
+(* TODO : change this to field once field isomorphism happens *)
+Definition add :
+ { add : feBW_tight -> feBW_tight -> feBW_loose
+ | forall a b, phiBW_loose (add a b) = F.add (phiBW_tight a) (phiBW_tight b) }.
+Proof.
+ Set Ltac Profiling.
+ Time synthesize_add ().
+ Show Ltac Profile.
+Time Defined.
+
+Print Assumptions add.
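Review bot: The signature `feBW_tight -> feBW_tight -> feBW_loose` encodes a calling discipline — both operands must already be carried and the result is not — but nothing in the file says so, and the TODO comment copied from femul.v does not cover it. The emitted code in feaddDisplay.log is ten bare `uint32_t` limb additions with no carry, so the bound on the result rests entirely on the inputs being tight; a C caller that adds an uncarried value (for instance the output of a previous add or sub) is outside what this proof covers, and nothing at runtime will catch it. I would put a comment above the `Definition`, e.g. `(* Inputs must be tight (carried) limb vectors; the output is loose and must go through carry before it is used where a tight value is required (add, sub, freeze). *)`. `Print Assumptions add.` is the right thing to keep so any admitted axiom surfaces in the build log.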
diff --git a/src/Specific/X25519/C32/feaddDisplay.log b/src/Specific/X25519/C32/feaddDisplay.log
new file mode 100644
index 000000000..8a4c51148
--- /dev/null
+++ b/src/Specific/X25519/C32/feaddDisplay.log
@@ -0,0 +1,7 @@
+λ x x0 : word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32,
+Interp-η
+(λ var : Syntax.base_type → Type,
+ λ '(x20, x21, x19, x17, x15, x13, x11, x9, x7, x5, (x38, x39, x37, x35, x33, x31, x29, x27, x25, x23))%core,
+ ((x20 + x38), (x21 + x39), (x19 + x37), (x17 + x35), (x15 + x33), (x13 + x31), (x11 + x29), (x9 + x27), (x7 + x25), (x5 + x23)))
+(x, x0)%core
+ : word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 → word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 → ReturnType (uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t)
diff --git a/src/Specific/X25519/C32/feaddDisplay.v b/src/Specific/X25519/C32/feaddDisplay.v
new file mode 100644
index 000000000..2df58b8f5
--- /dev/null
+++ b/src/Specific/X25519/C32/feaddDisplay.v
@@ -0,0 +1,4 @@
+Require Import Crypto.Specific.X25519.C32.feadd.
+Require Import Crypto.Specific.Framework.IntegrationTestDisplayCommon.
+
+Check display add.
diff --git a/src/Specific/X25519/C32/fecarry.v b/src/Specific/X25519/C32/fecarry.v
new file mode 100644
index 000000000..e2f207757
--- /dev/null
+++ b/src/Specific/X25519/C32/fecarry.v
@@ -0,0 +1,14 @@
+Require Import Crypto.Arithmetic.PrimeFieldTheorems.
+Require Import Crypto.Specific.X25519.C32.Synthesis.
+
+(* TODO : change this to field once field isomorphism happens *)
+Definition carry :
+ { carry : feBW_loose -> feBW_tight
+ | forall a, phiBW_tight (carry a) = (phiBW_loose a) }.
+Proof.
+ Set Ltac Profiling.
+ Time synthesize_carry ().
+ Show Ltac Profile.
+Time Defined.
+
+Print Assumptions carry.
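Review bot: The specification `phiBW_tight (carry a) = phiBW_loose a` pins only the field value, so `carry` is a bound-reduction step and not a canonicalisation: as far as these types show, the output is not a unique encoding (the last carried limb in fecarryDisplay.log, `(x52 + x26)`, is returned unmasked). That matters for any C caller tempted to compare or serialise the output of `carry`; the canonical form is, by the types, what `freeze` (feBW_limbwidths) is for. A one-line comment would head off that misuse: `(* Reduces loose limbs to tight bounds; does NOT produce a canonical (< p) encoding — use freeze before comparison or serialisation. *)`.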
diff --git a/src/Specific/X25519/C32/fecarryDisplay.log b/src/Specific/X25519/C32/fecarryDisplay.log
new file mode 100644
index 000000000..186e797bb
--- /dev/null
+++ b/src/Specific/X25519/C32/fecarryDisplay.log
@@ -0,0 +1,42 @@
+λ x : word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32,
+Interp-η
+(λ var : Syntax.base_type → Type,
+ λ '(x17, x18, x16, x14, x12, x10, x8, x6, x4, x2)%core,
+ uint32_t x19 = (x2 >> 0x1a);
+ uint32_t x20 = (x2 & 0x3ffffff);
+ uint32_t x21 = (x19 + x4);
+ uint32_t x22 = (x21 >> 0x19);
+ uint32_t x23 = (x21 & 0x1ffffff);
+ uint32_t x24 = (x22 + x6);
+ uint32_t x25 = (x24 >> 0x1a);
+ uint32_t x26 = (x24 & 0x3ffffff);
+ uint32_t x27 = (x25 + x8);
+ uint32_t x28 = (x27 >> 0x19);
+ uint32_t x29 = (x27 & 0x1ffffff);
+ uint32_t x30 = (x28 + x10);
+ uint32_t x31 = (x30 >> 0x1a);
+ uint32_t x32 = (x30 & 0x3ffffff);
+ uint32_t x33 = (x31 + x12);
+ uint32_t x34 = (x33 >> 0x19);
+ uint32_t x35 = (x33 & 0x1ffffff);
+ uint32_t x36 = (x34 + x14);
+ uint32_t x37 = (x36 >> 0x1a);
+ uint32_t x38 = (x36 & 0x3ffffff);
+ uint32_t x39 = (x37 + x16);
+ uint32_t x40 = (x39 >> 0x19);
+ uint32_t x41 = (x39 & 0x1ffffff);
+ uint32_t x42 = (x40 + x18);
+ uint32_t x43 = (x42 >> 0x1a);
+ uint32_t x44 = (x42 & 0x3ffffff);
+ uint32_t x45 = (x43 + x17);
+ uint32_t x46 = (x45 >> 0x19);
+ uint32_t x47 = (x45 & 0x1ffffff);
+ uint32_t x48 = (x20 + (0x13 * x46));
+ uint32_t x49 = (x48 >> 0x1a);
+ uint32_t x50 = (x48 & 0x3ffffff);
+ uint32_t x51 = (x49 + x23);
+ uint32_t x52 = (x51 >> 0x19);
+ uint32_t x53 = (x51 & 0x1ffffff);
+ return (Return x47, Return x44, Return x41, Return x38, Return x35, Return x32, Return x29, (x52 + x26), Return x53, Return x50))
+x
+ : word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 → ReturnType (uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t)
diff --git a/src/Specific/X25519/C32/fecarryDisplay.v b/src/Specific/X25519/C32/fecarryDisplay.v
new file mode 100644
index 000000000..0b40b86e4
--- /dev/null
+++ b/src/Specific/X25519/C32/fecarryDisplay.v
@@ -0,0 +1,4 @@
+Require Import Crypto.Specific.X25519.C32.fecarry.
+Require Import Crypto.Specific.Framework.IntegrationTestDisplayCommon.
+
+Check display carry.
diff --git a/src/Specific/X25519/C32/femul.v b/src/Specific/X25519/C32/femul.v
index bc62814e9..3f902f965 100644
--- a/src/Specific/X25519/C32/femul.v
+++ b/src/Specific/X25519/C32/femul.v
@@ -3,8 +3,8 @@ Require Import Crypto.Specific.X25519.C32.Synthesis.
(* TODO : change this to field once field isomorphism happens *)
Definition mul :
- { mul : feBW -> feBW -> feBW
- | forall a b, phiBW (mul a b) = F.mul (phiBW a) (phiBW b) }.
+ { mul : feBW_loose -> feBW_loose -> feBW_tight
+ | forall a b, phiBW_tight (mul a b) = F.mul (phiBW_loose a) (phiBW_loose b) }.
Proof.
Set Ltac Profiling.
Time synthesize_mul ().
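Review bot: The proof now covers `a b : feBW_loose`, i.e. uncarried operands, but the emitted C takes plain `word32` tuples (see femulDisplay.log), so the loose bound is a precondition the C caller must honour with no runtime check. Presumably tight values are a subset of loose ones, so existing callers stay correct, but the widening of the carry temporaries from `uint32_t` to `uint64_t` in femulDisplay.log indicates the intermediate magnitudes grew; anyone hand-porting or fuzzing the C should know the accepted input bound changed. A short note on the `Definition` would document the contract: `(* Accepts loose (uncarried) operands, e.g. the direct output of add/sub; result is tight. Inputs beyond the loose bound are outside this proof. *)`. The `mul` definition's proof script continues past the end of this hunk.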
diff --git a/src/Specific/X25519/C32/femulDisplay.log b/src/Specific/X25519/C32/femulDisplay.log
index 7564ec007..1650f4c9d 100644
--- a/src/Specific/X25519/C32/femulDisplay.log
+++ b/src/Specific/X25519/C32/femulDisplay.log
@@ -66,18 +66,18 @@ Interp-η
uint64_t x101 = (x100 >> 0x19);
uint32_t x102 = ((uint32_t)x100 & 0x1ffffff);
uint64_t x103 = (x101 + x67);
- uint32_t x104 = (uint32_t) (x103 >> 0x1a);
+ uint64_t x104 = (x103 >> 0x1a);
uint32_t x105 = ((uint32_t)x103 & 0x3ffffff);
uint64_t x106 = (x104 + x64);
- uint32_t x107 = (uint32_t) (x106 >> 0x19);
+ uint64_t x107 = (x106 >> 0x19);
uint32_t x108 = ((uint32_t)x106 & 0x1ffffff);
uint64_t x109 = (x107 + x61);
- uint32_t x110 = (uint32_t) (x109 >> 0x1a);
+ uint64_t x110 = (x109 >> 0x1a);
uint32_t x111 = ((uint32_t)x109 & 0x3ffffff);
uint64_t x112 = (x110 + x49);
- uint32_t x113 = (uint32_t) (x112 >> 0x19);
+ uint64_t x113 = (x112 >> 0x19);
uint32_t x114 = ((uint32_t)x112 & 0x1ffffff);
- uint64_t x115 = (x87 + ((uint64_t)0x13 * x113));
+ uint64_t x115 = (x87 + (0x13 * x113));
uint32_t x116 = (uint32_t) (x115 >> 0x1a);
uint32_t x117 = ((uint32_t)x115 & 0x3ffffff);
uint32_t x118 = (x116 + x90);
diff --git a/src/Specific/X25519/C32/fesquare.v b/src/Specific/X25519/C32/fesquare.v
index 2bea3bf8b..169e20cbd 100644
--- a/src/Specific/X25519/C32/fesquare.v
+++ b/src/Specific/X25519/C32/fesquare.v
@@ -3,8 +3,8 @@ Require Import Crypto.Specific.X25519.C32.Synthesis.
(* TODO : change this to field once field isomorphism happens *)
Definition square :
- { square : feBW -> feBW
- | forall a, phiBW (square a) = F.mul (phiBW a) (phiBW a) }.
+ { square : feBW_loose -> feBW_tight
+ | forall a, phiBW_tight (square a) = F.mul (phiBW_loose a) (phiBW_loose a) }.
Proof.
Set Ltac Profiling.
Time synthesize_square ().
diff --git a/src/Specific/X25519/C32/fesquareDisplay.log b/src/Specific/X25519/C32/fesquareDisplay.log
index dc270a356..06c5bc75f 100644
--- a/src/Specific/X25519/C32/fesquareDisplay.log
+++ b/src/Specific/X25519/C32/fesquareDisplay.log
@@ -66,18 +66,18 @@ Interp-η
uint64_t x80 = (x79 >> 0x19);
uint32_t x81 = ((uint32_t)x79 & 0x1ffffff);
uint64_t x82 = (x80 + x46);
- uint32_t x83 = (uint32_t) (x82 >> 0x1a);
+ uint64_t x83 = (x82 >> 0x1a);
uint32_t x84 = ((uint32_t)x82 & 0x3ffffff);
uint64_t x85 = (x83 + x43);
- uint32_t x86 = (uint32_t) (x85 >> 0x19);
+ uint64_t x86 = (x85 >> 0x19);
uint32_t x87 = ((uint32_t)x85 & 0x1ffffff);
uint64_t x88 = (x86 + x40);
- uint32_t x89 = (uint32_t) (x88 >> 0x1a);
+ uint64_t x89 = (x88 >> 0x1a);
uint32_t x90 = ((uint32_t)x88 & 0x3ffffff);
uint64_t x91 = (x89 + x28);
- uint32_t x92 = (uint32_t) (x91 >> 0x19);
+ uint64_t x92 = (x91 >> 0x19);
uint32_t x93 = ((uint32_t)x91 & 0x1ffffff);
- uint64_t x94 = (x66 + ((uint64_t)0x13 * x92));
+ uint64_t x94 = (x66 + (0x13 * x92));
uint32_t x95 = (uint32_t) (x94 >> 0x1a);
uint32_t x96 = ((uint32_t)x94 & 0x3ffffff);
uint32_t x97 = (x95 + x69);
diff --git a/src/Specific/X25519/C32/fesub.v b/src/Specific/X25519/C32/fesub.v
new file mode 100644
index 000000000..30e06cd5d
--- /dev/null
+++ b/src/Specific/X25519/C32/fesub.v
@@ -0,0 +1,14 @@
+Require Import Crypto.Arithmetic.PrimeFieldTheorems.
+Require Import Crypto.Specific.X25519.C32.Synthesis.
+
+(* TODO : change this to field once field isomorphism happens *)
+Definition sub :
+ { sub : feBW_tight -> feBW_tight -> feBW_loose
+ | forall a b, phiBW_loose (sub a b) = F.sub (phiBW_tight a) (phiBW_tight b) }.
+Proof.
+ Set Ltac Profiling.
+ Time synthesize_sub ().
+ Show Ltac Profile.
+Time Defined.
+
+Print Assumptions sub.
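Review bot: The generated subtraction in fesubDisplay.log is `(2p_i + a_i) - b_i` in unsigned 32-bit arithmetic — the per-limb constants `0x7ffffda`, `0x3fffffe` and `0x7fffffe` are twice the limb-wise encoding of 2^255-19 over the alternating 26/25-bit limbs — and the absence of unsigned underflow depends on every limb of `b` being no larger than the matching `2p_i`, which is what the `feBW_tight` input type supplies. That is the property that keeps the routine branch-free, and it deserves a sentence in this file rather than being left to a reader of the log, e.g. `(* Computes (2p + a) - b limb-wise; tight inputs guarantee no unsigned underflow and no data-dependent branch. Output is loose. *)`. As with feadd, the loose output must be carried before it is used where a tight value is required.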
diff --git a/src/Specific/X25519/C32/fesubDisplay.log b/src/Specific/X25519/C32/fesubDisplay.log
new file mode 100644
index 000000000..bb18a6a51
--- /dev/null
+++ b/src/Specific/X25519/C32/fesubDisplay.log
@@ -0,0 +1,7 @@
+λ x x0 : word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32,
+Interp-η
+(λ var : Syntax.base_type → Type,
+ λ '(x20, x21, x19, x17, x15, x13, x11, x9, x7, x5, (x38, x39, x37, x35, x33, x31, x29, x27, x25, x23))%core,
+ (((0x3fffffe + x20) - x38), ((0x7fffffe + x21) - x39), ((0x3fffffe + x19) - x37), ((0x7fffffe + x17) - x35), ((0x3fffffe + x15) - x33), ((0x7fffffe + x13) - x31), ((0x3fffffe + x11) - x29), ((0x7fffffe + x9) - x27), ((0x3fffffe + x7) - x25), ((0x7ffffda + x5) - x23)))
+(x, x0)%core
+ : word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 → word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 * word32 → ReturnType (uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t * uint32_t)
diff --git a/src/Specific/X25519/C32/fesubDisplay.v b/src/Specific/X25519/C32/fesubDisplay.v
new file mode 100644
index 000000000..9a35e2289
--- /dev/null
+++ b/src/Specific/X25519/C32/fesubDisplay.v
@@ -0,0 +1,4 @@
+Require Import Crypto.Specific.X25519.C32.fesub.
+Require Import Crypto.Specific.Framework.IntegrationTestDisplayCommon.
+
+Check display sub.
diff --git a/src/Specific/X25519/C32/freeze.v b/src/Specific/X25519/C32/freeze.v
index bac5a019f..31098197f 100644
--- a/src/Specific/X25519/C32/freeze.v
+++ b/src/Specific/X25519/C32/freeze.v
@@ -3,8 +3,8 @@ Require Import Crypto.Specific.X25519.C32.Synthesis.
(* TODO : change this to field once field isomorphism happens *)
Definition freeze :
- { freeze : feBW -> feBW
- | forall a, phiBW (freeze a) = phiBW a }.
+ { freeze : feBW_tight -> feBW_limbwidths
+ | forall a, phiBW_limbwidths (freeze a) = phiBW_tight a }.
Proof.
Set Ltac Profiling.
Time synthesize_freeze ().
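Review bot: The new spec `phiBW_limbwidths (freeze a) = phiBW_tight a` states only that the field value is preserved; the property consumers of `freeze` actually need — a unique, fully reduced (< p) encoding so that serialisation and equality checks neither mis-compare nor depend on the representation — is, as far as this hunk shows, carried only by the `feBW_limbwidths` result type and not by the proposition. If that type does fix the canonical form, say so here; if it does not, the canonicity lemma should be stated alongside. A comment such as `(* Canonicalises a tight value to its unique limb encoding below p; the input must already be carried (tight), so add/sub outputs go through carry first. *)` would make both the precondition and the intended postcondition explicit. The `freeze` definition's proof script continues past the end of this hunk.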