https://martin.kleppmann.com/2020/11/18/distributed-systems-and-elliptic-curves.html (see the second half of the post)

]]>Oh, the code’s there. **This blog just allows arbitrary HTML.**

alert(‘xss’);

]]>Not sure what happened, the form submission seems to have eaten half the code. Here it is in base64:

Zm9yIChpbnQgaSA9IDA7IGkgPCAxNjsgaSsrKSB7CiAgaWYgKGkgPT0gMCkgewogICAgcHJvcG91dFswXSA9IChwcm9waW5bMF0gJiAweGZmZmYpICsgKHByb3BpblsxNV0gPj4gMTUpICogMTkKICB9IGVsc2UgaWYgKGkgPT0gMTUpIHsKICAgIC8vIDI1NSBkb2Vzbid0IGRpdmlkZSBldmVubHkgaW50byAxNiBzbyB0aGlzIG9uZSBpcyBvbmx5IDE1IGJpdHMKICAgIHByb3BvdXRbMTVdID0gKHByb3BpblsxNV0gJiAweDdmZmYpICsgKHByb3BpblsxNF0gPj4gMTYpCiAgfSBlbHNlIHsKICAgIHByb3BvdXRbaV0gPSAocHJvcGluW2ldICYgMHhmZmZmKSArIChwcm9waW5baS0xXSA+PiAxNikKICB9Cn0=

]]>All the multiplication would still be 17-bit (since the carry bits are no longer normalized), collapsing partial sums would have the shifts and masks modified for 16 bits, and the new sloppy carry propagation would look like this:

for (int i = 0; i > 15) * 19

} else if (i == 15) {

// 255 doesn’t divide evenly into 16 so this one is only 15 bits

propout[15] = (propin[15] & 0x7fff) + (propin[14] >> 16)

} else {

propout[i] = (propin[i] & 0xffff) + (propin[i-1] >> 16)

}

}

Then do all your multiplication with these sloppy non-normalized numbers and then do one proper carry propagation at the end. Would require more multiplies and larger (272-bit) registers, but would remove most of the carry propagation

]]>No, they aren’t actual 6502 opcodes, we just used the format of the macro as a template to generate our machine code! It just so happened someone made a macro assembler for 6502 that was easily adapted to our purpose.

]]>