共有 100 个文件被更改,包括 164 次插入 和 28252 次删除
分列视图
Diff 选项
-
+54 -0.cmake/common.mk
-
+107 -333CMakeLists.txt
-
+3 -132README.md
-
+0 -8common/keccak4x/Makefile.Microsoft_nmake
-
+0 -21crypto_kem/frodo/frodokem1344shake/clean/LICENSE
-
+0 -19crypto_kem/frodo/frodokem1344shake/clean/Makefile.Microsoft_nmake
-
+0 -20crypto_kem/frodo/frodokem1344shake/clean/api.h
-
+0 -21crypto_kem/frodo/frodokem1344shake/clean/common.h
-
+0 -237crypto_kem/frodo/frodokem1344shake/clean/kem.c
-
+0 -79crypto_kem/frodo/frodokem1344shake/clean/matrix_shake.c
-
+0 -35crypto_kem/frodo/frodokem1344shake/clean/noise.c
-
+0 -27crypto_kem/frodo/frodokem1344shake/clean/params.h
-
+0 -264crypto_kem/frodo/frodokem1344shake/clean/util.c
-
+0 -21crypto_kem/frodo/frodokem1344shake/opt/LICENSE
-
+0 -19crypto_kem/frodo/frodokem1344shake/opt/Makefile.Microsoft_nmake
-
+0 -21crypto_kem/frodo/frodokem640shake/clean/LICENSE
-
+0 -19crypto_kem/frodo/frodokem640shake/clean/Makefile.Microsoft_nmake
-
+0 -20crypto_kem/frodo/frodokem640shake/clean/api.h
-
+0 -21crypto_kem/frodo/frodokem640shake/clean/common.h
-
+0 -237crypto_kem/frodo/frodokem640shake/clean/kem.c
-
+0 -79crypto_kem/frodo/frodokem640shake/clean/matrix_shake.c
-
+0 -35crypto_kem/frodo/frodokem640shake/clean/noise.c
-
+0 -27crypto_kem/frodo/frodokem640shake/clean/params.h
-
+0 -264crypto_kem/frodo/frodokem640shake/clean/util.c
-
+0 -21crypto_kem/frodo/frodokem640shake/opt/LICENSE
-
+0 -19crypto_kem/frodo/frodokem640shake/opt/Makefile.Microsoft_nmake
-
+0 -21crypto_kem/frodo/frodokem976shake/clean/LICENSE
-
+0 -19crypto_kem/frodo/frodokem976shake/clean/Makefile.Microsoft_nmake
-
+0 -20crypto_kem/frodo/frodokem976shake/clean/api.h
-
+0 -21crypto_kem/frodo/frodokem976shake/clean/common.h
-
+0 -237crypto_kem/frodo/frodokem976shake/clean/kem.c
-
+0 -79crypto_kem/frodo/frodokem976shake/clean/matrix_shake.c
-
+0 -35crypto_kem/frodo/frodokem976shake/clean/noise.c
-
+0 -27crypto_kem/frodo/frodokem976shake/clean/params.h
-
+0 -264crypto_kem/frodo/frodokem976shake/clean/util.c
-
+0 -21crypto_kem/frodo/frodokem976shake/opt/LICENSE
-
+0 -19crypto_kem/frodo/frodokem976shake/opt/Makefile.Microsoft_nmake
-
+0 -5crypto_kem/kyber/kyber1024/avx2/LICENSE
-
+0 -5crypto_kem/kyber/kyber1024/clean/LICENSE
-
+0 -23crypto_kem/kyber/kyber1024/clean/Makefile.Microsoft_nmake
-
+0 -5crypto_kem/kyber/kyber512/avx2/LICENSE
-
+0 -5crypto_kem/kyber/kyber512/clean/LICENSE
-
+0 -23crypto_kem/kyber/kyber512/clean/Makefile.Microsoft_nmake
-
+0 -5crypto_kem/kyber/kyber768/avx2/LICENSE
-
+0 -5crypto_kem/kyber/kyber768/clean/LICENSE
-
+0 -23crypto_kem/kyber/kyber768/clean/Makefile.Microsoft_nmake
-
+0 -16crypto_kem/mceliece/mceliece348864/avx/LICENSE
-
+0 -16crypto_kem/mceliece/mceliece348864/clean/LICENSE
-
+0 -24crypto_kem/mceliece/mceliece348864/clean/Makefile.Microsoft_nmake
-
+0 -16crypto_kem/mceliece/mceliece348864/sse/LICENSE
-
+0 -13crypto_kem/mceliece/mceliece348864/sse/aes256ctr.c
-
+0 -17crypto_kem/mceliece/mceliece348864/sse/aes256ctr.h
-
+0 -32crypto_kem/mceliece/mceliece348864/sse/api.h
-
+0 -287crypto_kem/mceliece/mceliece348864/sse/benes.c
-
+0 -15crypto_kem/mceliece/mceliece348864/sse/benes.h
-
+0 -220crypto_kem/mceliece/mceliece348864/sse/bm.c
-
+0 -17crypto_kem/mceliece/mceliece348864/sse/bm.h
-
+0 -32crypto_kem/mceliece/mceliece348864/sse/consts.S
-
+0 -448crypto_kem/mceliece/mceliece348864/sse/consts.inc
-
+0 -274crypto_kem/mceliece/mceliece348864/sse/controlbits.c
-
+0 -15crypto_kem/mceliece/mceliece348864/sse/controlbits.h
-
+0 -7crypto_kem/mceliece/mceliece348864/sse/crypto_hash.h
-
+0 -203crypto_kem/mceliece/mceliece348864/sse/decrypt.c
-
+0 -10crypto_kem/mceliece/mceliece348864/sse/decrypt.h
-
+0 -99crypto_kem/mceliece/mceliece348864/sse/encrypt.c
-
+0 -11crypto_kem/mceliece/mceliece348864/sse/encrypt.h
-
+0 -155crypto_kem/mceliece/mceliece348864/sse/fft.c
-
+0 -17crypto_kem/mceliece/mceliece348864/sse/fft.h
-
+0 -312crypto_kem/mceliece/mceliece348864/sse/fft_tr.c
-
+0 -13crypto_kem/mceliece/mceliece348864/sse/fft_tr.h
-
+0 -169crypto_kem/mceliece/mceliece348864/sse/gf.c
-
+0 -26crypto_kem/mceliece/mceliece348864/sse/gf.h
-
+0 -136crypto_kem/mceliece/mceliece348864/sse/operations.c
-
+0 -21crypto_kem/mceliece/mceliece348864/sse/params.h
-
+0 -329crypto_kem/mceliece/mceliece348864/sse/pk_gen.c
-
+0 -13crypto_kem/mceliece/mceliece348864/sse/pk_gen.h
-
+0 -448crypto_kem/mceliece/mceliece348864/sse/powers.inc
-
+0 -70crypto_kem/mceliece/mceliece348864/sse/scalars_2x.inc
-
+0 -98crypto_kem/mceliece/mceliece348864/sse/sk_gen.c
-
+0 -16crypto_kem/mceliece/mceliece348864/sse/sk_gen.h
-
+0 -740crypto_kem/mceliece/mceliece348864/sse/syndrome_asm.S
-
+0 -12crypto_kem/mceliece/mceliece348864/sse/transpose.c
-
+0 -16crypto_kem/mceliece/mceliece348864/sse/transpose.h
-
+0 -8145crypto_kem/mceliece/mceliece348864/sse/transpose_64x128_sp_asm.S
-
+0 -8467crypto_kem/mceliece/mceliece348864/sse/transpose_64x64_asm.S
-
+0 -354crypto_kem/mceliece/mceliece348864/sse/update_asm.S
-
+0 -106crypto_kem/mceliece/mceliece348864/sse/util.c
-
+0 -33crypto_kem/mceliece/mceliece348864/sse/util.h
-
+0 -17crypto_kem/mceliece/mceliece348864/sse/vec.c
-
+0 -11crypto_kem/mceliece/mceliece348864/sse/vec.h
-
+0 -143crypto_kem/mceliece/mceliece348864/sse/vec128.c
-
+0 -42crypto_kem/mceliece/mceliece348864/sse/vec128.h
-
+0 -1736crypto_kem/mceliece/mceliece348864/sse/vec128_mul_asm.S
-
+0 -1515crypto_kem/mceliece/mceliece348864/sse/vec_mul_asm.S
-
+0 -356crypto_kem/mceliece/mceliece348864/sse/vec_reduce_asm.S
-
+0 -16crypto_kem/mceliece/mceliece348864/vec/LICENSE
-
+0 -25crypto_kem/mceliece/mceliece348864/vec/Makefile.Microsoft_nmake
-
+0 -13crypto_kem/mceliece/mceliece348864/vec/aes256ctr.c
-
+0 -17crypto_kem/mceliece/mceliece348864/vec/aes256ctr.h
-
+0 -32crypto_kem/mceliece/mceliece348864/vec/api.h
+ 54
- 0
.cmake/common.mk
查看文件
| @@ -0,0 +1,54 @@ | |||
| # Common function for defining algorithm component | |||
| function(define_crypto_alg name namespace src inc test_src) | |||
| add_library( | |||
| pqclean_${name} | |||
| OBJECT | |||
| ${src} | |||
| ) | |||
| target_include_directories( | |||
| pqclean_${name} PRIVATE | |||
| src/common | |||
| ${inc} | |||
| ) | |||
| target_compile_definitions( | |||
| pqclean_${name} PRIVATE | |||
| -DPQCLEAN_NAMESPACE=${namespace} | |||
| ) | |||
| add_library( | |||
| pqclean_test_${name} | |||
| OBJECT | |||
| ${test_src} | |||
| ) | |||
| target_compile_definitions( | |||
| pqclean_test_${name} PRIVATE | |||
| -DPQCLEAN_NAMESPACE=${namespace} | |||
| ) | |||
| target_include_directories( | |||
| pqclean_test_${name} PRIVATE | |||
| src/common | |||
| ${inc} | |||
| ) | |||
| add_executable( | |||
| test_runner_${name} | |||
| ) | |||
| target_link_libraries( | |||
| test_runner_${name} | |||
| common | |||
| pqclean_${name} | |||
| pqclean_test_${name} | |||
| ) | |||
| endfunction() | |||
| function(define_kem_alg name namespace src inc) | |||
| define_crypto_alg(${name} ${namespace} "${src}" "${inc}" ${PROJECT_SOURCE_DIR}/test/kem/testvectors.c) | |||
| endfunction() | |||
| function(define_sig_alg name namespace src inc) | |||
| define_crypto_alg(${name} ${namespace} "${src}" "${inc}" ${PROJECT_SOURCE_DIR}/test/sign/testvectors.c) | |||
| endfunction() | |||
+ 107
- 333
CMakeLists.txt
查看文件
| @@ -66,6 +66,8 @@ if(CLANG) | |||
| -Wmissing-variable-declarations") | |||
| endif() | |||
| include(.cmake/common.mk) | |||
| # Control Debug/Release mode | |||
| if(CMAKE_BUILD_TYPE_LOWER STREQUAL "debug") | |||
| set(C_CXX_FLAGS "${C_CXX_FLAGS} -g3 -O0 -Wno-unused") | |||
| @@ -75,6 +77,7 @@ endif() | |||
| include_directories( | |||
| inc | |||
| src/common/ | |||
| src | |||
| ) | |||
| @@ -82,341 +85,125 @@ include_directories( | |||
| set(CMAKE_C_FLAGS "${C_CXX_FLAGS} -D${ARCH}") | |||
| set(CMAKE_CXX_FLAGS "${C_CXX_FLAGS} -D${ARCH}") | |||
| # Common function for defining algorithm component | |||
| function(define_crypto_alg name namespace src inc test_src) | |||
| add_library( | |||
| pqclean_${name} | |||
| OBJECT | |||
| ${src} | |||
| ) | |||
| target_include_directories( | |||
| pqclean_${name} PRIVATE | |||
| common | |||
| ${inc} | |||
| ) | |||
| target_compile_definitions( | |||
| pqclean_${name} PRIVATE | |||
| -DPQCLEAN_NAMESPACE=${namespace} | |||
| ) | |||
| add_library( | |||
| pqclean_test_${name} | |||
| OBJECT | |||
| ${test_src} | |||
| ) | |||
| target_compile_definitions( | |||
| pqclean_test_${name} PRIVATE | |||
| -DPQCLEAN_NAMESPACE=${namespace} | |||
| ) | |||
| target_include_directories( | |||
| pqclean_test_${name} PRIVATE | |||
| common | |||
| ${inc} | |||
| ) | |||
| add_executable( | |||
| test_runner_${name} | |||
| ) | |||
| target_link_libraries( | |||
| test_runner_${name} | |||
| common | |||
| pqclean_${name} | |||
| pqclean_test_${name} | |||
| ) | |||
| endfunction() | |||
| function(define_kem_alg name namespace src inc) | |||
| define_crypto_alg(${name} ${namespace} "${src}" "${inc}" test/crypto_kem/testvectors.c) | |||
| endfunction() | |||
| function(define_sig_alg name namespace src inc) | |||
| define_crypto_alg(${name} ${namespace} "${src}" "${inc}" test/crypto_sign/testvectors.c) | |||
| endfunction() | |||
| # Define sources of the components | |||
| set( | |||
| SRC_CLEAN_DILITHIUM2 | |||
| crypto_sign/dilithium/dilithium2/clean/ntt.c | |||
| crypto_sign/dilithium/dilithium2/clean/packing.c | |||
| crypto_sign/dilithium/dilithium2/clean/poly.c | |||
| crypto_sign/dilithium/dilithium2/clean/polyvec.c | |||
| crypto_sign/dilithium/dilithium2/clean/reduce.c | |||
| crypto_sign/dilithium/dilithium2/clean/rounding.c | |||
| crypto_sign/dilithium/dilithium2/clean/sign.c | |||
| crypto_sign/dilithium/dilithium2/clean/symmetric-shake.c | |||
| ) | |||
| set( | |||
| INC_CLEAN_DILITHIUM2 | |||
| crypto_sign/dilithium/dilithium2/clean | |||
| ) | |||
| define_sig_alg(dilithium2_clean | |||
| PQCLEAN_DILITHIUM2_CLEAN "${SRC_CLEAN_DILITHIUM2}" "${INC_CLEAN_DILITHIUM2}") | |||
| set( | |||
| SRC_CLEAN_DILITHIUM3 | |||
| crypto_sign/dilithium/dilithium3/clean/ntt.c | |||
| crypto_sign/dilithium/dilithium3/clean/packing.c | |||
| crypto_sign/dilithium/dilithium3/clean/poly.c | |||
| crypto_sign/dilithium/dilithium3/clean/polyvec.c | |||
| crypto_sign/dilithium/dilithium3/clean/reduce.c | |||
| crypto_sign/dilithium/dilithium3/clean/rounding.c | |||
| crypto_sign/dilithium/dilithium3/clean/sign.c | |||
| crypto_sign/dilithium/dilithium3/clean/symmetric-shake.c | |||
| ) | |||
| set( | |||
| INC_CLEAN_DILITHIUM3 | |||
| crypto_sign/dilithium/dilithium3/clean | |||
| ) | |||
| define_sig_alg(dilithium3_clean | |||
| PQCLEAN_DILITHIUM3_CLEAN "${SRC_CLEAN_DILITHIUM3}" "${INC_CLEAN_DILITHIUM3}") | |||
| set( | |||
| SRC_CLEAN_DILITHIUM5 | |||
| crypto_sign/dilithium/dilithium5/clean/ntt.c | |||
| crypto_sign/dilithium/dilithium5/clean/packing.c | |||
| crypto_sign/dilithium/dilithium5/clean/poly.c | |||
| crypto_sign/dilithium/dilithium5/clean/polyvec.c | |||
| crypto_sign/dilithium/dilithium5/clean/reduce.c | |||
| crypto_sign/dilithium/dilithium5/clean/rounding.c | |||
| crypto_sign/dilithium/dilithium5/clean/sign.c | |||
| crypto_sign/dilithium/dilithium5/clean/symmetric-shake.c | |||
| ) | |||
| set( | |||
| INC_CLEAN_DILITHIUM5 | |||
| crypto_sign/dilithium/dilithium5/clean | |||
| ) | |||
| define_sig_alg(dilithium5_clean | |||
| PQCLEAN_DILITHIUM5_CLEAN "${SRC_CLEAN_DILITHIUM5}" "${INC_CLEAN_DILITHIUM5}") | |||
| set( | |||
| SRC_CLEAN_KYBER512 | |||
| crypto_kem/kyber/kyber512/clean/cbd.c | |||
| crypto_kem/kyber/kyber512/clean/indcpa.c | |||
| crypto_kem/kyber/kyber512/clean/kem.c | |||
| crypto_kem/kyber/kyber512/clean/ntt.c | |||
| crypto_kem/kyber/kyber512/clean/poly.c | |||
| crypto_kem/kyber/kyber512/clean/polyvec.c | |||
| crypto_kem/kyber/kyber512/clean/reduce.c | |||
| crypto_kem/kyber/kyber512/clean/symmetric-shake.c | |||
| crypto_kem/kyber/kyber512/clean/verify.c | |||
| ) | |||
| set( | |||
| INC_CLEAN_KYBER512 | |||
| crypto_kem/kyber/kyber512/clean | |||
| ) | |||
| define_kem_alg(kyber512_clean | |||
| PQCLEAN_KYBER512_CLEAN "${SRC_CLEAN_KYBER512}" "${INC_CLEAN_KYBER512}") | |||
| set( | |||
| SRC_CLEAN_KYBER768 | |||
| crypto_kem/kyber/kyber768/clean/cbd.c | |||
| crypto_kem/kyber/kyber768/clean/indcpa.c | |||
| crypto_kem/kyber/kyber768/clean/kem.c | |||
| crypto_kem/kyber/kyber768/clean/ntt.c | |||
| crypto_kem/kyber/kyber768/clean/poly.c | |||
| crypto_kem/kyber/kyber768/clean/polyvec.c | |||
| crypto_kem/kyber/kyber768/clean/reduce.c | |||
| crypto_kem/kyber/kyber768/clean/symmetric-shake.c | |||
| crypto_kem/kyber/kyber768/clean/verify.c | |||
| ) | |||
| set( | |||
| INC_CLEAN_KYBER768 | |||
| crypto_kem/kyber/kyber768/clean | |||
| ) | |||
| define_kem_alg(kyber768_clean | |||
| PQCLEAN_KYBER768_CLEAN "${SRC_CLEAN_KYBER768}" "${INC_CLEAN_KYBER768}") | |||
| set( | |||
| SRC_CLEAN_KYBER1024 | |||
| crypto_kem/kyber/kyber1024/clean/cbd.c | |||
| crypto_kem/kyber/kyber1024/clean/indcpa.c | |||
| crypto_kem/kyber/kyber1024/clean/kem.c | |||
| crypto_kem/kyber/kyber1024/clean/ntt.c | |||
| crypto_kem/kyber/kyber1024/clean/poly.c | |||
| crypto_kem/kyber/kyber1024/clean/polyvec.c | |||
| crypto_kem/kyber/kyber1024/clean/reduce.c | |||
| crypto_kem/kyber/kyber1024/clean/symmetric-shake.c | |||
| crypto_kem/kyber/kyber1024/clean/verify.c | |||
| ) | |||
| set( | |||
| INC_CLEAN_KYBER1024 | |||
| crypto_kem/kyber/kyber1024/clean | |||
| ) | |||
| define_kem_alg(kyber1024_clean | |||
| PQCLEAN_KYBER1024_CLEAN "${SRC_CLEAN_KYBER1024}" "${INC_CLEAN_KYBER1024}") | |||
| add_subdirectory(src/sign/dilithium/dilithium2/clean) | |||
| add_subdirectory(src/sign/dilithium/dilithium3/clean) | |||
| add_subdirectory(src/sign/dilithium/dilithium5/clean) | |||
| add_subdirectory(src/sign/falcon/falcon-1024/clean) | |||
| add_subdirectory(src/sign/falcon/falcon-512/clean) | |||
| add_subdirectory(src/sign/rainbow/rainbowV-classic/clean) | |||
| add_subdirectory(src/sign/rainbow/rainbowI-classic/clean) | |||
| add_subdirectory(src/sign/rainbow/rainbowIII-classic/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-192f-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-256f-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-192f-robust/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-128f-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-256s-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-128s-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-128f-robust/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-192s-robust/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-128f-robust/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-128s-robust/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-256s-robust/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-192s-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-192s-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-192s-robust/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-192f-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-256s-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-128s-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-256f-robust/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-256f-robust/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-256f-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-256s-robust/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-128s-robust/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-128f-simple/clean) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-192f-robust/clean) | |||
| # AVX2 targets | |||
| if(${ARCH} STREQUAL "ARCH_x86_64") | |||
| set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -march=haswell") | |||
| set( | |||
| SRC_AVX2_DILITHIUM2 | |||
| crypto_sign/dilithium/dilithium2/avx2/consts.c | |||
| crypto_sign/dilithium/dilithium2/avx2/f1600x4.S | |||
| crypto_sign/dilithium/dilithium2/avx2/fips202x4.c | |||
| crypto_sign/dilithium/dilithium2/avx2/invntt.S | |||
| crypto_sign/dilithium/dilithium2/avx2/ntt.S | |||
| crypto_sign/dilithium/dilithium2/avx2/packing.c | |||
| crypto_sign/dilithium/dilithium2/avx2/pointwise.S | |||
| crypto_sign/dilithium/dilithium2/avx2/poly.c | |||
| crypto_sign/dilithium/dilithium2/avx2/polyvec.c | |||
| crypto_sign/dilithium/dilithium2/avx2/rejsample.c | |||
| crypto_sign/dilithium/dilithium2/avx2/rounding.c | |||
| crypto_sign/dilithium/dilithium2/avx2/shuffle.S | |||
| crypto_sign/dilithium/dilithium2/avx2/sign.c | |||
| crypto_sign/dilithium/dilithium2/avx2/symmetric-shake.c) | |||
| set( | |||
| INC_AVX2_DILITHIUM2 | |||
| crypto_sign/dilithium/dilithium2/avx2 | |||
| ) | |||
| define_sig_alg(dilithium2_avx2 | |||
| PQCLEAN_DILITHIUM2_AVX2 "${SRC_AVX2_DILITHIUM2}" "${INC_AVX2_DILITHIUM2}") | |||
| set( | |||
| SRC_AVX2_DILITHIUM3 | |||
| crypto_sign/dilithium/dilithium3/avx2/consts.c | |||
| crypto_sign/dilithium/dilithium3/avx2/f1600x4.S | |||
| crypto_sign/dilithium/dilithium3/avx2/fips202x4.c | |||
| crypto_sign/dilithium/dilithium3/avx2/invntt.S | |||
| crypto_sign/dilithium/dilithium3/avx2/ntt.S | |||
| crypto_sign/dilithium/dilithium3/avx2/packing.c | |||
| crypto_sign/dilithium/dilithium3/avx2/pointwise.S | |||
| crypto_sign/dilithium/dilithium3/avx2/poly.c | |||
| crypto_sign/dilithium/dilithium3/avx2/polyvec.c | |||
| crypto_sign/dilithium/dilithium3/avx2/rejsample.c | |||
| crypto_sign/dilithium/dilithium3/avx2/rounding.c | |||
| crypto_sign/dilithium/dilithium3/avx2/shuffle.S | |||
| crypto_sign/dilithium/dilithium3/avx2/sign.c | |||
| crypto_sign/dilithium/dilithium3/avx2/symmetric-shake.c) | |||
| set( | |||
| INC_AVX2_DILITHIUM3 | |||
| crypto_sign/dilithium/dilithium3/avx2 | |||
| ) | |||
| define_sig_alg(dilithium3_avx2 | |||
| PQCLEAN_DILITHIUM3_AVX2 "${SRC_AVX2_DILITHIUM3}" "${INC_AVX2_DILITHIUM3}") | |||
| set( | |||
| SRC_AVX2_DILITHIUM5 | |||
| crypto_sign/dilithium/dilithium5/avx2/consts.c | |||
| crypto_sign/dilithium/dilithium5/avx2/f1600x4.S | |||
| crypto_sign/dilithium/dilithium5/avx2/fips202x4.c | |||
| crypto_sign/dilithium/dilithium5/avx2/invntt.S | |||
| crypto_sign/dilithium/dilithium5/avx2/ntt.S | |||
| crypto_sign/dilithium/dilithium5/avx2/packing.c | |||
| crypto_sign/dilithium/dilithium5/avx2/pointwise.S | |||
| crypto_sign/dilithium/dilithium5/avx2/poly.c | |||
| crypto_sign/dilithium/dilithium5/avx2/polyvec.c | |||
| crypto_sign/dilithium/dilithium5/avx2/rejsample.c | |||
| crypto_sign/dilithium/dilithium5/avx2/rounding.c | |||
| crypto_sign/dilithium/dilithium5/avx2/shuffle.S | |||
| crypto_sign/dilithium/dilithium5/avx2/sign.c | |||
| crypto_sign/dilithium/dilithium5/avx2/symmetric-shake.c) | |||
| set( | |||
| INC_AVX2_DILITHIUM5 | |||
| crypto_sign/dilithium/dilithium5/avx2 | |||
| ) | |||
| define_sig_alg(dilithium5_avx2 | |||
| PQCLEAN_DILITHIUM5_AVX2 "${SRC_AVX2_DILITHIUM5}" "${INC_AVX2_DILITHIUM5}") | |||
| set( | |||
| SRC_AVX2_KYBER512 | |||
| crypto_kem/kyber/kyber512/avx2/cbd.c | |||
| crypto_kem/kyber/kyber512/avx2/consts.c | |||
| crypto_kem/kyber/kyber512/avx2/fips202x4.c | |||
| crypto_kem/kyber/kyber512/avx2/indcpa.c | |||
| crypto_kem/kyber/kyber512/avx2/kem.c | |||
| crypto_kem/kyber/kyber512/avx2/poly.c | |||
| crypto_kem/kyber/kyber512/avx2/polyvec.c | |||
| crypto_kem/kyber/kyber512/avx2/rejsample.c | |||
| crypto_kem/kyber/kyber512/avx2/symmetric-shake.c | |||
| crypto_kem/kyber/kyber512/avx2/verify.c | |||
| crypto_kem/kyber/kyber512/avx2/basemul.S | |||
| crypto_kem/kyber/kyber512/avx2/fq.S | |||
| crypto_kem/kyber/kyber512/avx2/invntt.S | |||
| crypto_kem/kyber/kyber512/avx2/ntt.S | |||
| crypto_kem/kyber/kyber512/avx2/shuffle.S | |||
| ) | |||
| set( | |||
| INC_AVX2_KYBER512 | |||
| crypto_kem/kyber/kyber512/avx2 | |||
| ) | |||
| define_kem_alg(kyber512_avx2 | |||
| PQCLEAN_KYBER512_AVX2 "${SRC_AVX2_KYBER512}" "${INC_AVX2_KYBER512}") | |||
| set( | |||
| SRC_AVX2_KYBER768 | |||
| crypto_kem/kyber/kyber768/avx2/cbd.c | |||
| crypto_kem/kyber/kyber768/avx2/consts.c | |||
| crypto_kem/kyber/kyber768/avx2/fips202x4.c | |||
| crypto_kem/kyber/kyber768/avx2/indcpa.c | |||
| crypto_kem/kyber/kyber768/avx2/kem.c | |||
| crypto_kem/kyber/kyber768/avx2/poly.c | |||
| crypto_kem/kyber/kyber768/avx2/polyvec.c | |||
| crypto_kem/kyber/kyber768/avx2/rejsample.c | |||
| crypto_kem/kyber/kyber768/avx2/symmetric-shake.c | |||
| crypto_kem/kyber/kyber768/avx2/verify.c | |||
| crypto_kem/kyber/kyber768/avx2/basemul.S | |||
| crypto_kem/kyber/kyber768/avx2/fq.S | |||
| crypto_kem/kyber/kyber768/avx2/invntt.S | |||
| crypto_kem/kyber/kyber768/avx2/ntt.S | |||
| crypto_kem/kyber/kyber768/avx2/shuffle.S | |||
| ) | |||
| set( | |||
| INC_AVX2_KYBER768 | |||
| crypto_kem/kyber/kyber768/avx2 | |||
| ) | |||
| define_kem_alg(kyber768_avx2 | |||
| PQCLEAN_KYBER768_AVX2 "${SRC_AVX2_KYBER768}" "${INC_AVX2_KYBER768}") | |||
| set( | |||
| SRC_AVX2_KYBER1024 | |||
| crypto_kem/kyber/kyber1024/avx2/cbd.c | |||
| crypto_kem/kyber/kyber1024/avx2/consts.c | |||
| crypto_kem/kyber/kyber1024/avx2/fips202x4.c | |||
| crypto_kem/kyber/kyber1024/avx2/indcpa.c | |||
| crypto_kem/kyber/kyber1024/avx2/kem.c | |||
| crypto_kem/kyber/kyber1024/avx2/poly.c | |||
| crypto_kem/kyber/kyber1024/avx2/polyvec.c | |||
| crypto_kem/kyber/kyber1024/avx2/rejsample.c | |||
| crypto_kem/kyber/kyber1024/avx2/symmetric-shake.c | |||
| crypto_kem/kyber/kyber1024/avx2/verify.c | |||
| crypto_kem/kyber/kyber1024/avx2/basemul.S | |||
| crypto_kem/kyber/kyber1024/avx2/fq.S | |||
| crypto_kem/kyber/kyber1024/avx2/invntt.S | |||
| crypto_kem/kyber/kyber1024/avx2/ntt.S | |||
| crypto_kem/kyber/kyber1024/avx2/shuffle.S | |||
| ) | |||
| set( | |||
| INC_AVX2_KYBER1024 | |||
| crypto_kem/kyber/kyber1024/avx2 | |||
| ) | |||
| define_kem_alg(kyber1024_avx2 | |||
| PQCLEAN_KYBER1024_AVX2 "${SRC_AVX2_KYBER1024}" "${INC_AVX2_KYBER1024}") | |||
| set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -march=native -mtune=native") | |||
| add_subdirectory(src/sign/falcon/falcon-512/avx2) | |||
| add_subdirectory(src/sign/falcon/falcon-1024/avx2) | |||
| add_subdirectory(src/sign/dilithium/dilithium2/avx2) | |||
| add_subdirectory(src/sign/dilithium/dilithium3/avx2) | |||
| add_subdirectory(src/sign/dilithium/dilithium5/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-128s-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-128f-robust/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-128s-robust/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-128f-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-192s-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-192f-robust/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-192s-robust/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-192f-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-256f-robust/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-256f-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-256s-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-shake256-256s-robust/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-128f-robust/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-128s-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-128s-robust/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-128f-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-192s-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-192f-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-192s-robust/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-192f-robust/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-256s-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-256f-robust/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-256f-simple/avx2) | |||
| add_subdirectory(src/sign/sphincs/sphincs-sha256-256s-robust/avx2) | |||
| endif() | |||
| # The rest of the library | |||
| set(SRC_COMMON_GENERIC | |||
| common/fips202.c | |||
| common/sp800-185.c | |||
| common/randombytes.c | |||
| src/common/aes.c | |||
| src/common/fips202.c | |||
| src/common/sp800-185.c | |||
| src/common/randombytes.c | |||
| src/common/sha2.c | |||
| ) | |||
| if(${ARCH} STREQUAL "ARCH_x86_64") | |||
| set(SRC_COMMON_AVX2 | |||
| common/keccak4x/KeccakP-1600-times4-SIMD256.c | |||
| ) | |||
| src/common/keccak4x/KeccakP-1600-times4-SIMD256.c | |||
| ) | |||
| # KEM - AVX2 | |||
| add_subdirectory(src/kem/kyber/kyber512/avx2) | |||
| add_subdirectory(src/kem/kyber/kyber768/avx2) | |||
| add_subdirectory(src/kem/kyber/kyber1024/avx2) | |||
| add_subdirectory(src/kem/saber/lightsaber/avx2) | |||
| add_subdirectory(src/kem/saber/firesaber/avx2) | |||
| add_subdirectory(src/kem/saber/saber/avx2) | |||
| add_subdirectory(src/kem/ntru/ntruhps4096821/avx2) | |||
| add_subdirectory(src/kem/ntru/ntruhps2048509/avx2) | |||
| add_subdirectory(src/kem/ntru/ntruhrss701/avx2) | |||
| add_subdirectory(src/kem/ntru/ntruhps2048677/avx2) | |||
| add_subdirectory(src/kem/ntru_prime/ntrulpr761/avx2) | |||
| add_subdirectory(src/kem/ntru_prime/ntrulpr653/avx2) | |||
| add_subdirectory(src/kem/ntru_prime/ntrulpr857/avx2) | |||
| endif() | |||
| # KEM - clean | |||
| add_subdirectory(src/kem/kyber/kyber512/clean) | |||
| add_subdirectory(src/kem/kyber/kyber768/clean) | |||
| add_subdirectory(src/kem/kyber/kyber1024/clean) | |||
| add_subdirectory(src/kem/saber/lightsaber/clean) | |||
| add_subdirectory(src/kem/saber/firesaber/clean) | |||
| add_subdirectory(src/kem/saber/saber/clean) | |||
| add_subdirectory(src/kem/frodo/frodokem640shake/clean) | |||
| add_subdirectory(src/kem/frodo/frodokem976shake/clean) | |||
| add_subdirectory(src/kem/frodo/frodokem1344shake/clean) | |||
| add_subdirectory(src/kem/ntru/ntruhps4096821/clean) | |||
| add_subdirectory(src/kem/ntru/ntruhps2048509/clean) | |||
| add_subdirectory(src/kem/ntru/ntruhrss701/clean) | |||
| add_subdirectory(src/kem/ntru/ntruhps2048677/clean) | |||
| add_subdirectory(src/kem/ntru_prime/ntrulpr761/clean) | |||
| add_subdirectory(src/kem/ntru_prime/ntrulpr653/clean) | |||
| add_subdirectory(src/kem/ntru_prime/ntrulpr857/clean) | |||
| add_library( | |||
| common | |||
| OBJECT | |||
| @@ -449,16 +236,3 @@ target_link_libraries( | |||
| pqclean_dilithium3_clean | |||
| pqclean_dilithium5_clean | |||
| ) | |||
| # TODO: this requires changes to testvectors.c | |||
| # add_executable( | |||
| # test | |||
| # ) | |||
| # | |||
| # target_link_libraries( | |||
| # test | |||
| # pqclean_s | |||
| # pqclean_test_dilithium2_clean | |||
| # pqclean_test_dilithium3_clean | |||
| # pqclean_test_dilithium5_clean | |||
| # ) | |||
+ 3
- 132
README.md
查看文件
| @@ -1,79 +1,8 @@ | |||
| # PQClean | |||
| # PQ Crypto Catalog | |||
| _[See the build status for each component here](.github/workflows/BADGES.md)_ | |||
| This is a repository of post-quantum schemes coppied from the submission to the NIST Post-Quantum Standarization. The sources were cloned from the PQClean project to form new library. The goal of the library is mainly experimentation. | |||
| **PQClean**, in short, is an effort to collect **clean** implementations of the post-quantum | |||
| schemes that are in the | |||
| [NIST post-quantum project](https://csrc.nist.gov/projects/post-quantum-cryptography). | |||
| The goal of PQClean is to provide *standalone implementations* that | |||
| * can easily be integrated into libraries such as [liboqs](https://openquantumsafe.org/#liboqs). | |||
| * can efficiently upstream into higher-level protocol integration efforts such as [Open Quantum Safe](https://openquantumsafe.org/#integrations); | |||
| * can easily be integrated into benchmarking frameworks such as [SUPERCOP](https://bench.cr.yp.to/supercop.html); | |||
| * can easily be integrated into frameworks targeting embedded platforms such as [pqm4](https://github.com/mupq/pqm4); | |||
| * are suitable starting points for architecture-specific optimized implementations; | |||
| * are suitable starting points for evaluation of implementation security; and | |||
| * are suitable targets for formal verification. | |||
| What PQClean is **not** aiming for is | |||
| * a build system producing an integrated library of all schemes; | |||
| * including benchmarking of implementations; and | |||
| * including integration into higher-level applications or protocols. | |||
| As a first main target, we are collecting C implementations that fulfill the requirements | |||
| listed below. We also accept optimised implementations, but still requiring high-quality, tested code. | |||
| Please also review our [guidelines for contributors](CONTRIBUTING.md) if you are interested in adding a scheme to PQClean. | |||
| ## Requirements on C implementations that are automatically checked | |||
| _The checking of items on this list is still being developed. Checked items should be working._ | |||
| * [x] Code is valid C99 | |||
| * [x] Passes functional tests | |||
| * [x] API functions do not write outside provided buffers | |||
| * [x] `api.h` cannot include external files | |||
| * [x] Compiles with `-Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes` with `gcc` and `clang` | |||
| * [x] `#if`/`#ifdef`s only for header encapsulation | |||
| * [x] Consistent test vectors across runs | |||
| * [x] Consistent test vectors on big-endian and little-endian machines | |||
| * [x] Consistent test vectors on 32-bit and 64-bit machines | |||
| * [x] `const` arguments are labeled as `const` | |||
| * [x] No errors/warnings reported by valgrind | |||
| * [x] No errors/warnings reported by address sanitizer | |||
| * [x] Only dependencies: `fips202.c`, `sha2.c`, `aes.c`, `randombytes.c` | |||
| * [x] API functions return `0` on success | |||
| * [x] No dynamic memory allocations (including variable-length arrays) | |||
| * [ ] No branching on secret data (dynamically checked using valgrind) | |||
| * [ ] No access to secret memory locations (dynamically checked using valgrind) | |||
| * [x] Separate subdirectories (without symlinks) for each parameter set of each scheme | |||
| * [x] Builds under Linux, MacOS, and Windows | |||
| * [x] Linux | |||
| * [x] MacOS | |||
| * [x] Windows | |||
| * [x] Makefile-based build for each separate scheme | |||
| * [x] Makefile-based build for Windows (`nmake`) | |||
| * [x] All exported symbols are namespaced with `PQCLEAN_SCHEMENAME_` | |||
| * [x] Each implementation comes with a `LICENSE` file (see below) | |||
| * [x] Each scheme comes with a `META.yml` file giving details about version of the algorithm, designers | |||
| * [x] Each individual implementation is specified in `META.yml`. | |||
| ## Requirements on C implementations that are manually checked | |||
| * Minimalist Makefiles | |||
| * No stringification macros | |||
| * Output-parameter pointers in functions are on the left | |||
| * All exported symbols are namespaced in place | |||
| * Integer types are of fixed size where relevant, using `stdint.h` types (optional, recommended) | |||
| * Integers used for indexing memory are of size `size_t` (optional, recommended) | |||
| * Variable declarations at the beginning (except in `for (size_t i=...`) (optional, recommended) | |||
| ## Schemes currently in PQClean | |||
| For the following schemes we have implementations of one or more of their parameter sets. | |||
| For all of these schemes we have clean C code, but for some we also have optimised code. | |||
| ## Schemes | |||
| ### Key Encapsulation Mechanisms | |||
| @@ -120,61 +49,3 @@ int PQCLEAN_SCHEME_IMPL_crypto_sign_verify( | |||
| const uint8_t *m, size_t mlen, | |||
| const uint8_t *pk); | |||
| ``` | |||
| ## Building PQClean | |||
| As noted above, PQClean is **not** meant to be built as a single library: it is a collection of source code that can be easily integrated into other libraries. The PQClean repository includes various test programs which do build various files, but you should not use the resulting binaries. | |||
| List of required dependencies: ``gcc or clang, make, python3, python-yaml library, valgrind, astyle (>= 3.0)``. | |||
| ## Using source code from PQClean in your own project | |||
| Each implementation directory in PQClean (e.g., crypto\_kem/kyber768\clean) can be extracted for use in your own project. You will need to: | |||
| 1. Copy the source code from the implementation's directory into your project. | |||
| 2. Add the files to your project's build system. | |||
| 3. Provide instantiations of any of the common cryptographic algorithms used by the implementation. This likely includes `common/randombytes.h` (a cryptographic random number generator), and possibly `common/sha2.h` (the SHA-2 hash function family), `common/aes.h` (AES implementations), `common/fips202.h` (the SHA-3 hash function family) and `common/sp800-185.h` (the cSHAKE family). | |||
| Regarding #2, adding the files to your project's build system, each implementation in PQClean is accompanied by example two makefiles that show how one could build the files for that implementation: | |||
| - The file `Makefile` which can be used with GNU Make, BSD Make, and possibly others. | |||
| - The file `Makefile.Microsoft_nmake` which can be used with Visual Studio's nmake. | |||
| ## Projects integrating PQClean-distributed source code | |||
| The following projects consume implementations from PQClean and provide their own wrappers around the implementations. | |||
| Their integration strategies may serve as examples for your own projects. | |||
| - **[pqcrypto crate](https://github.com/rustpq/pqcrypto)**: Rust integration that automatically generates wrappers from PQClean source code. | |||
| - **[mupq](https://github.com/mupq/)**: Runs the implementations from PQClean as reference implementations to compare with microcontroller-optimized code. | |||
| - **[Open Quantum Safe](https://github.com/open-quantum-safe/)**: The Open Quantum Safe project integrates implementations from PQClean into their [liboqs](https://github.com/open-quantum-safe/liboqs/) C library, which then exposes them via [C++](https://github.com/open-quantum-safe/liboqs-cpp), [C# / .NET](https://github.com/open-quantum-safe/liboqs-dotnet), and [Python](https://github.com/open-quantum-safe/liboqs-python) wrappers, as well as to forks of [OpenSSL](https://github.com/open-quantum-safe/openssl) and [OpenSSH](https://github.com/open-quantum-safe/openssh-portable). | |||
| ## License | |||
| Each subdirectory containing implementations contains a `LICENSE` file stating under what license that specific implementation is released. | |||
| The files in `common` contain licensing information at the top of the file (and are currently either public domain or MIT). | |||
| All other code in this repository is released under the conditions of [CC0](http://creativecommons.org/publicdomain/zero/1.0/). | |||
| ## Running tests locally | |||
| See https://github.com/PQClean/PQClean/wiki/Test-framework for details about the PQClean test framework. | |||
| While we run extensive automatic testing on Github Actions ((emulated) Linux builds, MacOS and Windows builds) and [Travis CI][travis-pqc] (Aarch64 builds), and most tests can also be run locally. | |||
| To do this, make sure the following is installed: | |||
| * Python 3.6+ | |||
| * `pytest` for python 3. | |||
| We also recommend installing ``pytest-xdist`` to allow running tests in parallel. | |||
| You will also need to make sure the submodules are initialized by running: | |||
| ``` | |||
| git submodule update --init | |||
| ``` | |||
| Run the Python-based tests by going into the `test` directory and running `pytest -v` or (recommended) `pytest -n=auto` for parallel testing. | |||
| You may also run `python3 <testmodule>` where `<testmodule>` is any of the files starting with `test_` in the `test/` folder. | |||
| [travis-pqc]: https://travis-ci.com/PQClean/PQClean/ | |||
+ 0
- 8
common/keccak4x/Makefile.Microsoft_nmake
查看文件
| @@ -1,8 +0,0 @@ | |||
| KeccakP-1600-times4-SIMD256.obj: KeccakP-1600-times4-SIMD256.c \ | |||
| align.h brg_endian.h KeccakP-1600-times4-SnP.h \ | |||
| KeccakP-1600-unrolling.macros SIMD256-config.h | |||
| $(CC) /nologo /c /O2 /W4 /WX /arch:AVX2 KeccakP-1600-times4-SIMD256.c | |||
| .PHONY: clean | |||
| clean: | |||
| $(RM) KeccakP-1600-times4-SIMD256.obj | |||
+ 0
- 21
crypto_kem/frodo/frodokem1344shake/clean/LICENSE
查看文件
| @@ -1,21 +0,0 @@ | |||
| MIT License | |||
| Copyright (c) Microsoft Corporation. All rights reserved. | |||
| Permission is hereby granted, free of charge, to any person obtaining a copy | |||
| of this software and associated documentation files (the "Software"), to deal | |||
| in the Software without restriction, including without limitation the rights | |||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |||
| copies of the Software, and to permit persons to whom the Software is | |||
| furnished to do so, subject to the following conditions: | |||
| The above copyright notice and this permission notice shall be included in all | |||
| copies or substantial portions of the Software. | |||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |||
| SOFTWARE | |||
+ 0
- 19
crypto_kem/frodo/frodokem1344shake/clean/Makefile.Microsoft_nmake
查看文件
| @@ -1,19 +0,0 @@ | |||
| # This Makefile can be used with Microsoft Visual Studio's nmake using the command: | |||
| # nmake /f Makefile.Microsoft_nmake | |||
| LIBRARY=libfrodokem1344shake_clean.lib | |||
| OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj | |||
| CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX | |||
| all: $(LIBRARY) | |||
| # Make sure objects are recompiled if headers change. | |||
| $(OBJECTS): *.h | |||
| $(LIBRARY): $(OBJECTS) | |||
| LIB.EXE /NOLOGO /WX /OUT:$@ $** | |||
| clean: | |||
| -DEL $(OBJECTS) | |||
| -DEL $(LIBRARY) | |||
+ 0
- 20
crypto_kem/frodo/frodokem1344shake/clean/api.h
查看文件
| @@ -1,20 +0,0 @@ | |||
| #ifndef PQCLEAN_FRODOKEM1344SHAKE_CLEAN_API_H | |||
| #define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_API_H | |||
| #include <stddef.h> | |||
| #include <stdint.h> | |||
| #define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES 43088 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH | |||
| #define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES 21520 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 | |||
| #define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_BYTES 32 | |||
| #define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES 21632 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8 | |||
| #define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_ALGNAME "FrodoKEM-1344-SHAKE" | |||
| int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); | |||
| int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); | |||
| int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); | |||
| #endif | |||
+ 0
- 21
crypto_kem/frodo/frodokem1344shake/clean/common.h
查看文件
| @@ -1,21 +0,0 @@ | |||
| #ifndef COMMON_H | |||
| #define COMMON_H | |||
| int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A); | |||
| int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A); | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(uint16_t *s, size_t n); | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s); | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e); | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b); | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b); | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in); | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in); | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb); | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb); | |||
| int8_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len); | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector); | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n); | |||
| uint16_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(uint16_t n); | |||
| uint16_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_UINT16_TO_LE(uint16_t n); | |||
| #endif | |||
+ 0
- 237
crypto_kem/frodo/frodokem1344shake/clean/kem.c
查看文件
| @@ -1,237 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: Key Encapsulation Mechanism (KEM) based on Frodo | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include <string.h> | |||
| #include "fips202.h" | |||
| #include "randombytes.h" | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { | |||
| // FrodoKEM's key generation | |||
| // Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes) | |||
| // secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes) | |||
| uint8_t *pk_seedA = &pk[0]; | |||
| uint8_t *pk_b = &pk[BYTES_SEED_A]; | |||
| uint8_t *sk_s = &sk[0]; | |||
| uint8_t *sk_pk = &sk[CRYPTO_BYTES]; | |||
| uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; | |||
| uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; | |||
| uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE | |||
| uint8_t *randomness_s = &randomness[0]; // contains secret data | |||
| uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data | |||
| uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES]; | |||
| uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data | |||
| // Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key | |||
| randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A); | |||
| shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A); | |||
| // Generate S and E, and compute B = A*S + E. Generate A on-the-fly | |||
| shake_input_seedSE[0] = 0x5F; | |||
| memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES); | |||
| shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) { | |||
| S[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(S[i]); | |||
| } | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(S, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(E, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_as_plus_e(B, S, E, pk); | |||
| // Encode the second part of the public key | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); | |||
| // Add s, pk and S to the secret key | |||
| memcpy(sk_s, randomness_s, CRYPTO_BYTES); | |||
| memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES); | |||
| for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { | |||
| S[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_UINT16_TO_LE(S[i]); | |||
| } | |||
| memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR); | |||
| // Add H(pk) to the secret key | |||
| shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); | |||
| // Cleanup: | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(randomness, 2 * CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| return 0; | |||
| } | |||
| int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { | |||
| // FrodoKEM's key encapsulation | |||
| const uint8_t *pk_seedA = &pk[0]; | |||
| const uint8_t *pk_b = &pk[BYTES_SEED_A]; | |||
| uint8_t *ct_c1 = &ct[0]; | |||
| uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; | |||
| uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; | |||
| uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu | |||
| uint8_t *pkh = &G2in[0]; | |||
| uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data | |||
| uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data | |||
| uint8_t *seedSE = &G2out[0]; // contains secret data | |||
| uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data | |||
| uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k | |||
| uint8_t *Fin_ct = &Fin[0]; | |||
| uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data | |||
| uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data | |||
| // pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu) | |||
| shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); | |||
| randombytes(mu, BYTES_MU); | |||
| shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); | |||
| // Generate Sp and Ep, and compute Bp = Sp*A + Ep. Generate A on-the-fly | |||
| shake_input_seedSE[0] = 0x96; | |||
| memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES); | |||
| shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { | |||
| Sp[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(Sp[i]); | |||
| } | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); | |||
| // Generate Epp, and compute V = Sp*B + Epp | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sb_plus_e(V, B, Sp, Epp); | |||
| // Encode mu, and compute C = V + enc(mu) (mod q) | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_encode(C, (uint16_t *)mu); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_add(C, V, C); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ); | |||
| // Compute ss = F(ct||KK) | |||
| memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); | |||
| memcpy(Fin_k, k, CRYPTO_BYTES); | |||
| shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); | |||
| // Cleanup: | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(mu, BYTES_MU); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| return 0; | |||
| } | |||
| int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { | |||
| // FrodoKEM's key decapsulation | |||
| uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; | |||
| uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0}; | |||
| uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| const uint8_t *ct_c1 = &ct[0]; | |||
| const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; | |||
| const uint8_t *sk_s = &sk[0]; | |||
| const uint8_t *sk_pk = &sk[CRYPTO_BYTES]; | |||
| const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; | |||
| uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; | |||
| const uint8_t *pk_seedA = &sk_pk[0]; | |||
| const uint8_t *pk_b = &sk_pk[BYTES_SEED_A]; | |||
| uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime | |||
| uint8_t *pkh = &G2in[0]; | |||
| uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data | |||
| uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data | |||
| uint8_t *seedSEprime = &G2out[0]; // contains secret data | |||
| uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data | |||
| uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k | |||
| uint8_t *Fin_ct = &Fin[0]; | |||
| uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data | |||
| uint8_t shake_input_seedSEprime[1 + CRYPTO_BYTES]; // contains secret data | |||
| for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { | |||
| S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8); | |||
| } | |||
| // Compute W = C - Bp*S (mod q), and decode the randomness mu | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_bs(W, Bp, S); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sub(W, C, W); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_decode((uint16_t *)muprime, W); | |||
| // Generate (seedSE' || k') = G_2(pkh || mu') | |||
| memcpy(pkh, sk_pkh, BYTES_PKHASH); | |||
| shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); | |||
| // Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly | |||
| shake_input_seedSEprime[0] = 0x96; | |||
| memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES); | |||
| shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES); | |||
| for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { | |||
| Sp[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(Sp[i]); | |||
| } | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA); | |||
| // Generate Epp, and compute W = Sp*B + Epp | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sb_plus_e(W, B, Sp, Epp); | |||
| // Encode mu, and compute CC = W + enc(mu') (mod q) | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_encode(CC, (uint16_t *)muprime); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_add(CC, W, CC); | |||
| // Prepare input to F | |||
| memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); | |||
| // Reducing BBp modulo q | |||
| for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { | |||
| BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| // If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s) | |||
| // Needs to avoid branching on secret data as per: | |||
| // Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum | |||
| // primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020. | |||
| int8_t selector = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR); | |||
| // If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s) | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector); | |||
| shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); | |||
| // Cleanup: | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(muprime, BYTES_MU); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES); | |||
| return 0; | |||
| } | |||
+ 0
- 79
crypto_kem/frodo/frodokem1344shake/clean/matrix_shake.c
查看文件
| @@ -1,79 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: matrix arithmetic functions used by the KEM | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include <string.h> | |||
| #include "fips202.h" | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { | |||
| // Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right. | |||
| // Inputs: s, e (N x N_BAR) | |||
| // Output: out = A*s + e (N x N_BAR) | |||
| int i, j, k; | |||
| int16_t A[PARAMS_N * PARAMS_N] = {0}; | |||
| uint8_t seed_A_separated[2 + BYTES_SEED_A]; | |||
| uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated; | |||
| memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A); | |||
| for (i = 0; i < PARAMS_N; i++) { | |||
| seed_A_origin[0] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i); | |||
| shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A); | |||
| } | |||
| for (i = 0; i < PARAMS_N * PARAMS_N; i++) { | |||
| A[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(A[i]); | |||
| } | |||
| memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t)); | |||
| for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e | |||
| for (k = 0; k < PARAMS_NBAR; k++) { | |||
| uint16_t sum = 0; | |||
| for (j = 0; j < PARAMS_N; j++) { | |||
| sum += A[i * PARAMS_N + j] * s[k * PARAMS_N + j]; | |||
| } | |||
| out[i * PARAMS_NBAR + k] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on. | |||
| } | |||
| } | |||
| return 1; | |||
| } | |||
| int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { | |||
| // Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left. | |||
| // Inputs: s', e' (N_BAR x N) | |||
| // Output: out = s'*A + e' (N_BAR x N) | |||
| int i, j, k; | |||
| int16_t A[PARAMS_N * PARAMS_N] = {0}; | |||
| uint8_t seed_A_separated[2 + BYTES_SEED_A]; | |||
| uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated; | |||
| memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A); | |||
| for (i = 0; i < PARAMS_N; i++) { | |||
| seed_A_origin[0] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i); | |||
| shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A); | |||
| } | |||
| for (i = 0; i < PARAMS_N * PARAMS_N; i++) { | |||
| A[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(A[i]); | |||
| } | |||
| memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t)); | |||
| for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e | |||
| for (k = 0; k < PARAMS_NBAR; k++) { | |||
| uint16_t sum = 0; | |||
| for (j = 0; j < PARAMS_N; j++) { | |||
| sum += A[j * PARAMS_N + i] * s[k * PARAMS_N + j]; | |||
| } | |||
| out[k * PARAMS_N + i] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on. | |||
| } | |||
| } | |||
| return 1; | |||
| } | |||
+ 0
- 35
crypto_kem/frodo/frodokem1344shake/clean/noise.c
查看文件
| @@ -1,35 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: noise sampling functions | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA; | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(uint16_t *s, size_t n) { | |||
| // Fills vector s with n samples from the noise distribution which requires 16 bits to sample. | |||
| // The distribution is specified by its CDF. | |||
| // Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output. | |||
| size_t i; | |||
| unsigned int j; | |||
| for (i = 0; i < n; ++i) { | |||
| uint16_t sample = 0; | |||
| uint16_t prnd = s[i] >> 1; // Drop the least significant bit | |||
| uint16_t sign = s[i] & 0x1; // Pick the least significant bit | |||
| // No need to compare with the last value. | |||
| for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) { | |||
| // Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits. | |||
| sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15; | |||
| } | |||
| // Assuming that sign is either 0 or 1, flips sample iff sign = 1 | |||
| s[i] = ((-sign) ^ sample) + sign; | |||
| } | |||
| } | |||
+ 0
- 27
crypto_kem/frodo/frodokem1344shake/clean/params.h
查看文件
| @@ -1,27 +0,0 @@ | |||
| #ifndef PARAMS_H | |||
| #define PARAMS_H | |||
| #define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES | |||
| #define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES | |||
| #define CRYPTO_BYTES PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_BYTES | |||
| #define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES | |||
| #define PARAMS_N 1344 | |||
| #define PARAMS_NBAR 8 | |||
| #define PARAMS_LOGQ 16 | |||
| #define PARAMS_Q (1 << PARAMS_LOGQ) | |||
| #define PARAMS_EXTRACTED_BITS 4 | |||
| #define PARAMS_STRIPE_STEP 8 | |||
| #define PARAMS_PARALLEL 4 | |||
| #define BYTES_SEED_A 16 | |||
| #define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8) | |||
| #define BYTES_PKHASH CRYPTO_BYTES | |||
| // Selecting SHAKE XOF function for the KEM and noise sampling | |||
| #define shake shake256 | |||
| // CDF table | |||
| #define CDF_TABLE_DATA {9142, 23462, 30338, 32361, 32725, 32765, 32767} | |||
| #define CDF_TABLE_LEN 7 | |||
| #endif | |||
+ 0
- 264
crypto_kem/frodo/frodokem1344shake/clean/util.c
查看文件
| @@ -1,264 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: additional functions for FrodoKEM | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include <string.h> | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| static inline uint8_t min(uint8_t x, uint8_t y) { | |||
| if (x < y) { | |||
| return x; | |||
| } | |||
| return y; | |||
| } | |||
| uint16_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(uint16_t n) { | |||
| return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8)); | |||
| } | |||
| uint16_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_UINT16_TO_LE(uint16_t n) { | |||
| uint16_t y; | |||
| uint8_t *z = (uint8_t *) &y; | |||
| z[0] = n & 0xFF; | |||
| z[1] = (n & 0xFF00) >> 8; | |||
| return y; | |||
| } | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) { | |||
| // Multiply by s on the right | |||
| // Inputs: b (N_BAR x N), s (N x N_BAR) | |||
| // Output: out = b*s (N_BAR x N_BAR) | |||
| int i, j, k; | |||
| for (i = 0; i < PARAMS_NBAR; i++) { | |||
| for (j = 0; j < PARAMS_NBAR; j++) { | |||
| out[i * PARAMS_NBAR + j] = 0; | |||
| for (k = 0; k < PARAMS_N; k++) { | |||
| out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); | |||
| } | |||
| out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) { | |||
| // Multiply by s on the left | |||
| // Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR) | |||
| // Output: out = s*b + e (N_BAR x N_BAR) | |||
| int i, j, k; | |||
| for (k = 0; k < PARAMS_NBAR; k++) { | |||
| for (i = 0; i < PARAMS_NBAR; i++) { | |||
| out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i]; | |||
| for (j = 0; j < PARAMS_N; j++) { | |||
| out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]); | |||
| } | |||
| out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b) { | |||
| // Add a and b | |||
| // Inputs: a, b (N_BAR x N_BAR) | |||
| // Output: c = a + b | |||
| for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { | |||
| out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) { | |||
| // Subtract a and b | |||
| // Inputs: a, b (N_BAR x N_BAR) | |||
| // Output: c = a - b | |||
| for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { | |||
| out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in) { | |||
| // Encoding | |||
| unsigned int i, j, npieces_word = 8; | |||
| unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; | |||
| uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1; | |||
| uint16_t *pos = out; | |||
| for (i = 0; i < nwords; i++) { | |||
| temp = 0; | |||
| for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) { | |||
| temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j); | |||
| } | |||
| for (j = 0; j < npieces_word; j++) { | |||
| *pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS)); | |||
| temp >>= PARAMS_EXTRACTED_BITS; | |||
| pos++; | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in) { | |||
| // Decoding | |||
| unsigned int i, j, index = 0, npieces_word = 8; | |||
| unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; | |||
| uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1; | |||
| uint8_t *pos = (uint8_t *)out; | |||
| uint64_t templong; | |||
| for (i = 0; i < nwords; i++) { | |||
| templong = 0; | |||
| for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5) | |||
| temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS); | |||
| templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j); | |||
| index++; | |||
| } | |||
| for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) { | |||
| pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF; | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) { | |||
| // Pack the input uint16 vector into a char output vector, copying lsb bits from each input element. | |||
| // If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied. | |||
| memset(out, 0, outlen); | |||
| size_t i = 0; // whole bytes already filled in | |||
| size_t j = 0; // whole uint16_t already copied | |||
| uint16_t w = 0; // the leftover, not yet copied | |||
| uint8_t bits = 0; // the number of lsb in w | |||
| while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { | |||
| /* | |||
| in: | | |********|********| | |||
| ^ | |||
| j | |||
| w : | ****| | |||
| ^ | |||
| bits | |||
| out:|**|**|**|**|**|**|**|**|* | | |||
| ^^ | |||
| ib | |||
| */ | |||
| uint8_t b = 0; // bits in out[i] already filled in | |||
| while (b < 8) { | |||
| int nbits = min(8 - b, bits); | |||
| uint16_t mask = (1 << nbits) - 1; | |||
| uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out | |||
| out[i] = out[i] + (t << (8 - b - nbits)); | |||
| b += (uint8_t) nbits; | |||
| bits -= (uint8_t) nbits; | |||
| w &= ~(mask << bits); // not strictly necessary; mostly for debugging | |||
| if (bits == 0) { | |||
| if (j < inlen) { | |||
| w = in[j]; | |||
| bits = lsb; | |||
| j++; | |||
| } else { | |||
| break; // the input vector is exhausted | |||
| } | |||
| } | |||
| } | |||
| if (b == 8) { // out[i] is filled in | |||
| i++; | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) { | |||
| // Unpack the input char vector into a uint16_t output vector, copying lsb bits | |||
| // for each output element from input. outlen must be at least ceil(inlen * 8 / lsb). | |||
| memset(out, 0, outlen * sizeof(uint16_t)); | |||
| size_t i = 0; // whole uint16_t already filled in | |||
| size_t j = 0; // whole bytes already copied | |||
| uint8_t w = 0; // the leftover, not yet copied | |||
| uint8_t bits = 0; // the number of lsb bits of w | |||
| while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { | |||
| /* | |||
| in: | | | | | | |**|**|... | |||
| ^ | |||
| j | |||
| w : | *| | |||
| ^ | |||
| bits | |||
| out:| *****| *****| *** | |... | |||
| ^ ^ | |||
| i b | |||
| */ | |||
| uint8_t b = 0; // bits in out[i] already filled in | |||
| while (b < lsb) { | |||
| int nbits = min(lsb - b, bits); | |||
| uint16_t mask = (1 << nbits) - 1; | |||
| uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out | |||
| out[i] = out[i] + (t << (lsb - b - nbits)); | |||
| b += (uint8_t) nbits; | |||
| bits -= (uint8_t) nbits; | |||
| w &= ~(mask << bits); // not strictly necessary; mostly for debugging | |||
| if (bits == 0) { | |||
| if (j < inlen) { | |||
| w = in[j]; | |||
| bits = 8; | |||
| j++; | |||
| } else { | |||
| break; // the input vector is exhausted | |||
| } | |||
| } | |||
| } | |||
| if (b == lsb) { // out[i] is filled in | |||
| i++; | |||
| } | |||
| } | |||
| } | |||
| int8_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) { | |||
| // Compare two arrays in constant time. | |||
| // Returns 0 if the byte arrays are equal, -1 otherwise. | |||
| uint16_t r = 0; | |||
| for (size_t i = 0; i < len; i++) { | |||
| r |= a[i] ^ b[i]; | |||
| } | |||
| r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); | |||
| return (int8_t)r; | |||
| } | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) { | |||
| // Select one of the two input arrays to be moved to r | |||
| // If (selector == 0) then load r with a, else if (selector == -1) load r with b | |||
| for (size_t i = 0; i < len; i++) { | |||
| r[i] = (~selector & a[i]) | (selector & b[i]); | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n) { | |||
| // Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed. | |||
| // This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing. | |||
| volatile uint8_t *v = mem; | |||
| for (size_t i = 0; i < n; i++) { | |||
| v[i] = 0; | |||
| } | |||
| } | |||
+ 0
- 21
crypto_kem/frodo/frodokem1344shake/opt/LICENSE
查看文件
| @@ -1,21 +0,0 @@ | |||
| MIT License | |||
| Copyright (c) Microsoft Corporation. All rights reserved. | |||
| Permission is hereby granted, free of charge, to any person obtaining a copy | |||
| of this software and associated documentation files (the "Software"), to deal | |||
| in the Software without restriction, including without limitation the rights | |||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |||
| copies of the Software, and to permit persons to whom the Software is | |||
| furnished to do so, subject to the following conditions: | |||
| The above copyright notice and this permission notice shall be included in all | |||
| copies or substantial portions of the Software. | |||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |||
| SOFTWARE | |||
+ 0
- 19
crypto_kem/frodo/frodokem1344shake/opt/Makefile.Microsoft_nmake
查看文件
| @@ -1,19 +0,0 @@ | |||
| # This Makefile can be used with Microsoft Visual Studio's nmake using the command: | |||
| # nmake /f Makefile.Microsoft_nmake | |||
| LIBRARY=libfrodokem1344shake_opt.lib | |||
| OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj | |||
| CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX | |||
| all: $(LIBRARY) | |||
| # Make sure objects are recompiled if headers change. | |||
| $(OBJECTS): *.h | |||
| $(LIBRARY): $(OBJECTS) | |||
| LIB.EXE /NOLOGO /WX /OUT:$@ $** | |||
| clean: | |||
| -DEL $(OBJECTS) | |||
| -DEL $(LIBRARY) | |||
+ 0
- 21
crypto_kem/frodo/frodokem640shake/clean/LICENSE
查看文件
| @@ -1,21 +0,0 @@ | |||
| MIT License | |||
| Copyright (c) Microsoft Corporation. All rights reserved. | |||
| Permission is hereby granted, free of charge, to any person obtaining a copy | |||
| of this software and associated documentation files (the "Software"), to deal | |||
| in the Software without restriction, including without limitation the rights | |||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |||
| copies of the Software, and to permit persons to whom the Software is | |||
| furnished to do so, subject to the following conditions: | |||
| The above copyright notice and this permission notice shall be included in all | |||
| copies or substantial portions of the Software. | |||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |||
| SOFTWARE | |||
+ 0
- 19
crypto_kem/frodo/frodokem640shake/clean/Makefile.Microsoft_nmake
查看文件
| @@ -1,19 +0,0 @@ | |||
| # This Makefile can be used with Microsoft Visual Studio's nmake using the command: | |||
| # nmake /f Makefile.Microsoft_nmake | |||
| LIBRARY=libfrodokem640shake_clean.lib | |||
| OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj | |||
| CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX | |||
| all: $(LIBRARY) | |||
| # Make sure objects are recompiled if headers change. | |||
| $(OBJECTS): *.h | |||
| $(LIBRARY): $(OBJECTS) | |||
| LIB.EXE /NOLOGO /WX /OUT:$@ $** | |||
| clean: | |||
| -DEL $(OBJECTS) | |||
| -DEL $(LIBRARY) | |||
+ 0
- 20
crypto_kem/frodo/frodokem640shake/clean/api.h
查看文件
| @@ -1,20 +0,0 @@ | |||
| #ifndef PQCLEAN_FRODOKEM640SHAKE_CLEAN_API_H | |||
| #define PQCLEAN_FRODOKEM640SHAKE_CLEAN_API_H | |||
| #include <stddef.h> | |||
| #include <stdint.h> | |||
| #define PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES 19888 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH | |||
| #define PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES 9616 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 | |||
| #define PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_BYTES 16 | |||
| #define PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES 9720 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8 | |||
| #define PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_ALGNAME "FrodoKEM-640-SHAKE" | |||
| int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); | |||
| int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); | |||
| int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); | |||
| #endif | |||
+ 0
- 21
crypto_kem/frodo/frodokem640shake/clean/common.h
查看文件
| @@ -1,21 +0,0 @@ | |||
| #ifndef COMMON_H | |||
| #define COMMON_H | |||
| int PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A); | |||
| int PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A); | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(uint16_t *s, size_t n); | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s); | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e); | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b); | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b); | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in); | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in); | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb); | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb); | |||
| int8_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len); | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector); | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n); | |||
| uint16_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(uint16_t n); | |||
| uint16_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_UINT16_TO_LE(uint16_t n); | |||
| #endif | |||
+ 0
- 237
crypto_kem/frodo/frodokem640shake/clean/kem.c
查看文件
| @@ -1,237 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: Key Encapsulation Mechanism (KEM) based on Frodo | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include <string.h> | |||
| #include "fips202.h" | |||
| #include "randombytes.h" | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { | |||
| // FrodoKEM's key generation | |||
| // Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes) | |||
| // secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes) | |||
| uint8_t *pk_seedA = &pk[0]; | |||
| uint8_t *pk_b = &pk[BYTES_SEED_A]; | |||
| uint8_t *sk_s = &sk[0]; | |||
| uint8_t *sk_pk = &sk[CRYPTO_BYTES]; | |||
| uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; | |||
| uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; | |||
| uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE | |||
| uint8_t *randomness_s = &randomness[0]; // contains secret data | |||
| uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data | |||
| uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES]; | |||
| uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data | |||
| // Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key | |||
| randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A); | |||
| shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A); | |||
| // Generate S and E, and compute B = A*S + E. Generate A on-the-fly | |||
| shake_input_seedSE[0] = 0x5F; | |||
| memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES); | |||
| shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) { | |||
| S[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(S[i]); | |||
| } | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(S, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(E, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_as_plus_e(B, S, E, pk); | |||
| // Encode the second part of the public key | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); | |||
| // Add s, pk and S to the secret key | |||
| memcpy(sk_s, randomness_s, CRYPTO_BYTES); | |||
| memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES); | |||
| for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { | |||
| S[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_UINT16_TO_LE(S[i]); | |||
| } | |||
| memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR); | |||
| // Add H(pk) to the secret key | |||
| shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); | |||
| // Cleanup: | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(randomness, 2 * CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| return 0; | |||
| } | |||
| int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { | |||
| // FrodoKEM's key encapsulation | |||
| const uint8_t *pk_seedA = &pk[0]; | |||
| const uint8_t *pk_b = &pk[BYTES_SEED_A]; | |||
| uint8_t *ct_c1 = &ct[0]; | |||
| uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; | |||
| uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; | |||
| uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu | |||
| uint8_t *pkh = &G2in[0]; | |||
| uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data | |||
| uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data | |||
| uint8_t *seedSE = &G2out[0]; // contains secret data | |||
| uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data | |||
| uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k | |||
| uint8_t *Fin_ct = &Fin[0]; | |||
| uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data | |||
| uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data | |||
| // pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu) | |||
| shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); | |||
| randombytes(mu, BYTES_MU); | |||
| shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); | |||
| // Generate Sp and Ep, and compute Bp = Sp*A + Ep. Generate A on-the-fly | |||
| shake_input_seedSE[0] = 0x96; | |||
| memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES); | |||
| shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { | |||
| Sp[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(Sp[i]); | |||
| } | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); | |||
| // Generate Epp, and compute V = Sp*B + Epp | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sb_plus_e(V, B, Sp, Epp); | |||
| // Encode mu, and compute C = V + enc(mu) (mod q) | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_encode(C, (uint16_t *)mu); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_add(C, V, C); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ); | |||
| // Compute ss = F(ct||KK) | |||
| memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); | |||
| memcpy(Fin_k, k, CRYPTO_BYTES); | |||
| shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); | |||
| // Cleanup: | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(mu, BYTES_MU); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| return 0; | |||
| } | |||
| int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { | |||
| // FrodoKEM's key decapsulation | |||
| uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; | |||
| uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0}; | |||
| uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| const uint8_t *ct_c1 = &ct[0]; | |||
| const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; | |||
| const uint8_t *sk_s = &sk[0]; | |||
| const uint8_t *sk_pk = &sk[CRYPTO_BYTES]; | |||
| const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; | |||
| uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; | |||
| const uint8_t *pk_seedA = &sk_pk[0]; | |||
| const uint8_t *pk_b = &sk_pk[BYTES_SEED_A]; | |||
| uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime | |||
| uint8_t *pkh = &G2in[0]; | |||
| uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data | |||
| uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data | |||
| uint8_t *seedSEprime = &G2out[0]; // contains secret data | |||
| uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data | |||
| uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k | |||
| uint8_t *Fin_ct = &Fin[0]; | |||
| uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data | |||
| uint8_t shake_input_seedSEprime[1 + CRYPTO_BYTES]; // contains secret data | |||
| for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { | |||
| S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8); | |||
| } | |||
| // Compute W = C - Bp*S (mod q), and decode the randomness mu | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_bs(W, Bp, S); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_sub(W, C, W); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_decode((uint16_t *)muprime, W); | |||
| // Generate (seedSE' || k') = G_2(pkh || mu') | |||
| memcpy(pkh, sk_pkh, BYTES_PKHASH); | |||
| shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); | |||
| // Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly | |||
| shake_input_seedSEprime[0] = 0x96; | |||
| memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES); | |||
| shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES); | |||
| for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { | |||
| Sp[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(Sp[i]); | |||
| } | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA); | |||
| // Generate Epp, and compute W = Sp*B + Epp | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sb_plus_e(W, B, Sp, Epp); | |||
| // Encode mu, and compute CC = W + enc(mu') (mod q) | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_encode(CC, (uint16_t *)muprime); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_add(CC, W, CC); | |||
| // Prepare input to F | |||
| memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); | |||
| // Reducing BBp modulo q | |||
| for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { | |||
| BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| // If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s) | |||
| // Needs to avoid branching on secret data as per: | |||
| // Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum | |||
| // primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020. | |||
| int8_t selector = PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR); | |||
| // If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s) | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector); | |||
| shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); | |||
| // Cleanup: | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(muprime, BYTES_MU); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES); | |||
| return 0; | |||
| } | |||
+ 0
- 79
crypto_kem/frodo/frodokem640shake/clean/matrix_shake.c
查看文件
| @@ -1,79 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: matrix arithmetic functions used by the KEM | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include <string.h> | |||
| #include "fips202.h" | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| int PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { | |||
| // Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right. | |||
| // Inputs: s, e (N x N_BAR) | |||
| // Output: out = A*s + e (N x N_BAR) | |||
| int i, j, k; | |||
| int16_t A[PARAMS_N * PARAMS_N] = {0}; | |||
| uint8_t seed_A_separated[2 + BYTES_SEED_A]; | |||
| uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated; | |||
| memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A); | |||
| for (i = 0; i < PARAMS_N; i++) { | |||
| seed_A_origin[0] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i); | |||
| shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A); | |||
| } | |||
| for (i = 0; i < PARAMS_N * PARAMS_N; i++) { | |||
| A[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(A[i]); | |||
| } | |||
| memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t)); | |||
| for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e | |||
| for (k = 0; k < PARAMS_NBAR; k++) { | |||
| uint16_t sum = 0; | |||
| for (j = 0; j < PARAMS_N; j++) { | |||
| sum += A[i * PARAMS_N + j] * s[k * PARAMS_N + j]; | |||
| } | |||
| out[i * PARAMS_NBAR + k] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on. | |||
| } | |||
| } | |||
| return 1; | |||
| } | |||
| int PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { | |||
| // Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left. | |||
| // Inputs: s', e' (N_BAR x N) | |||
| // Output: out = s'*A + e' (N_BAR x N) | |||
| int i, j, k; | |||
| int16_t A[PARAMS_N * PARAMS_N] = {0}; | |||
| uint8_t seed_A_separated[2 + BYTES_SEED_A]; | |||
| uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated; | |||
| memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A); | |||
| for (i = 0; i < PARAMS_N; i++) { | |||
| seed_A_origin[0] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i); | |||
| shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A); | |||
| } | |||
| for (i = 0; i < PARAMS_N * PARAMS_N; i++) { | |||
| A[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(A[i]); | |||
| } | |||
| memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t)); | |||
| for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e | |||
| for (k = 0; k < PARAMS_NBAR; k++) { | |||
| uint16_t sum = 0; | |||
| for (j = 0; j < PARAMS_N; j++) { | |||
| sum += A[j * PARAMS_N + i] * s[k * PARAMS_N + j]; | |||
| } | |||
| out[k * PARAMS_N + i] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on. | |||
| } | |||
| } | |||
| return 1; | |||
| } | |||
+ 0
- 35
crypto_kem/frodo/frodokem640shake/clean/noise.c
查看文件
| @@ -1,35 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: noise sampling functions | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA; | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(uint16_t *s, size_t n) { | |||
| // Fills vector s with n samples from the noise distribution which requires 16 bits to sample. | |||
| // The distribution is specified by its CDF. | |||
| // Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output. | |||
| size_t i; | |||
| unsigned int j; | |||
| for (i = 0; i < n; ++i) { | |||
| uint16_t sample = 0; | |||
| uint16_t prnd = s[i] >> 1; // Drop the least significant bit | |||
| uint16_t sign = s[i] & 0x1; // Pick the least significant bit | |||
| // No need to compare with the last value. | |||
| for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) { | |||
| // Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits. | |||
| sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15; | |||
| } | |||
| // Assuming that sign is either 0 or 1, flips sample iff sign = 1 | |||
| s[i] = ((-sign) ^ sample) + sign; | |||
| } | |||
| } | |||
+ 0
- 27
crypto_kem/frodo/frodokem640shake/clean/params.h
查看文件
| @@ -1,27 +0,0 @@ | |||
| #ifndef PARAMS_H | |||
| #define PARAMS_H | |||
| #define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES | |||
| #define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES | |||
| #define CRYPTO_BYTES PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_BYTES | |||
| #define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES | |||
| #define PARAMS_N 640 | |||
| #define PARAMS_NBAR 8 | |||
| #define PARAMS_LOGQ 15 | |||
| #define PARAMS_Q (1 << PARAMS_LOGQ) | |||
| #define PARAMS_EXTRACTED_BITS 2 | |||
| #define PARAMS_STRIPE_STEP 8 | |||
| #define PARAMS_PARALLEL 4 | |||
| #define BYTES_SEED_A 16 | |||
| #define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8) | |||
| #define BYTES_PKHASH CRYPTO_BYTES | |||
| // Selecting SHAKE XOF function for the KEM and noise sampling | |||
| #define shake shake128 | |||
| // CDF table | |||
| #define CDF_TABLE_DATA {4643, 13363, 20579, 25843, 29227, 31145, 32103, 32525, 32689, 32745, 32762, 32766, 32767} | |||
| #define CDF_TABLE_LEN 13 | |||
| #endif | |||
+ 0
- 264
crypto_kem/frodo/frodokem640shake/clean/util.c
查看文件
| @@ -1,264 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: additional functions for FrodoKEM | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include <string.h> | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| static inline uint8_t min(uint8_t x, uint8_t y) { | |||
| if (x < y) { | |||
| return x; | |||
| } | |||
| return y; | |||
| } | |||
| uint16_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(uint16_t n) { | |||
| return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8)); | |||
| } | |||
| uint16_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_UINT16_TO_LE(uint16_t n) { | |||
| uint16_t y; | |||
| uint8_t *z = (uint8_t *) &y; | |||
| z[0] = n & 0xFF; | |||
| z[1] = (n & 0xFF00) >> 8; | |||
| return y; | |||
| } | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) { | |||
| // Multiply by s on the right | |||
| // Inputs: b (N_BAR x N), s (N x N_BAR) | |||
| // Output: out = b*s (N_BAR x N_BAR) | |||
| int i, j, k; | |||
| for (i = 0; i < PARAMS_NBAR; i++) { | |||
| for (j = 0; j < PARAMS_NBAR; j++) { | |||
| out[i * PARAMS_NBAR + j] = 0; | |||
| for (k = 0; k < PARAMS_N; k++) { | |||
| out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); | |||
| } | |||
| out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) { | |||
| // Multiply by s on the left | |||
| // Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR) | |||
| // Output: out = s*b + e (N_BAR x N_BAR) | |||
| int i, j, k; | |||
| for (k = 0; k < PARAMS_NBAR; k++) { | |||
| for (i = 0; i < PARAMS_NBAR; i++) { | |||
| out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i]; | |||
| for (j = 0; j < PARAMS_N; j++) { | |||
| out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]); | |||
| } | |||
| out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b) { | |||
| // Add a and b | |||
| // Inputs: a, b (N_BAR x N_BAR) | |||
| // Output: c = a + b | |||
| for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { | |||
| out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) { | |||
| // Subtract a and b | |||
| // Inputs: a, b (N_BAR x N_BAR) | |||
| // Output: c = a - b | |||
| for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { | |||
| out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in) { | |||
| // Encoding | |||
| unsigned int i, j, npieces_word = 8; | |||
| unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; | |||
| uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1; | |||
| uint16_t *pos = out; | |||
| for (i = 0; i < nwords; i++) { | |||
| temp = 0; | |||
| for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) { | |||
| temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j); | |||
| } | |||
| for (j = 0; j < npieces_word; j++) { | |||
| *pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS)); | |||
| temp >>= PARAMS_EXTRACTED_BITS; | |||
| pos++; | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in) { | |||
| // Decoding | |||
| unsigned int i, j, index = 0, npieces_word = 8; | |||
| unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; | |||
| uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1; | |||
| uint8_t *pos = (uint8_t *)out; | |||
| uint64_t templong; | |||
| for (i = 0; i < nwords; i++) { | |||
| templong = 0; | |||
| for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5) | |||
| temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS); | |||
| templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j); | |||
| index++; | |||
| } | |||
| for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) { | |||
| pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF; | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) { | |||
| // Pack the input uint16 vector into a char output vector, copying lsb bits from each input element. | |||
| // If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied. | |||
| memset(out, 0, outlen); | |||
| size_t i = 0; // whole bytes already filled in | |||
| size_t j = 0; // whole uint16_t already copied | |||
| uint16_t w = 0; // the leftover, not yet copied | |||
| uint8_t bits = 0; // the number of lsb in w | |||
| while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { | |||
| /* | |||
| in: | | |********|********| | |||
| ^ | |||
| j | |||
| w : | ****| | |||
| ^ | |||
| bits | |||
| out:|**|**|**|**|**|**|**|**|* | | |||
| ^^ | |||
| ib | |||
| */ | |||
| uint8_t b = 0; // bits in out[i] already filled in | |||
| while (b < 8) { | |||
| int nbits = min(8 - b, bits); | |||
| uint16_t mask = (1 << nbits) - 1; | |||
| uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out | |||
| out[i] = out[i] + (t << (8 - b - nbits)); | |||
| b += (uint8_t) nbits; | |||
| bits -= (uint8_t) nbits; | |||
| w &= ~(mask << bits); // not strictly necessary; mostly for debugging | |||
| if (bits == 0) { | |||
| if (j < inlen) { | |||
| w = in[j]; | |||
| bits = lsb; | |||
| j++; | |||
| } else { | |||
| break; // the input vector is exhausted | |||
| } | |||
| } | |||
| } | |||
| if (b == 8) { // out[i] is filled in | |||
| i++; | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) { | |||
| // Unpack the input char vector into a uint16_t output vector, copying lsb bits | |||
| // for each output element from input. outlen must be at least ceil(inlen * 8 / lsb). | |||
| memset(out, 0, outlen * sizeof(uint16_t)); | |||
| size_t i = 0; // whole uint16_t already filled in | |||
| size_t j = 0; // whole bytes already copied | |||
| uint8_t w = 0; // the leftover, not yet copied | |||
| uint8_t bits = 0; // the number of lsb bits of w | |||
| while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { | |||
| /* | |||
| in: | | | | | | |**|**|... | |||
| ^ | |||
| j | |||
| w : | *| | |||
| ^ | |||
| bits | |||
| out:| *****| *****| *** | |... | |||
| ^ ^ | |||
| i b | |||
| */ | |||
| uint8_t b = 0; // bits in out[i] already filled in | |||
| while (b < lsb) { | |||
| int nbits = min(lsb - b, bits); | |||
| uint16_t mask = (1 << nbits) - 1; | |||
| uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out | |||
| out[i] = out[i] + (t << (lsb - b - nbits)); | |||
| b += (uint8_t) nbits; | |||
| bits -= (uint8_t) nbits; | |||
| w &= ~(mask << bits); // not strictly necessary; mostly for debugging | |||
| if (bits == 0) { | |||
| if (j < inlen) { | |||
| w = in[j]; | |||
| bits = 8; | |||
| j++; | |||
| } else { | |||
| break; // the input vector is exhausted | |||
| } | |||
| } | |||
| } | |||
| if (b == lsb) { // out[i] is filled in | |||
| i++; | |||
| } | |||
| } | |||
| } | |||
| int8_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) { | |||
| // Compare two arrays in constant time. | |||
| // Returns 0 if the byte arrays are equal, -1 otherwise. | |||
| uint16_t r = 0; | |||
| for (size_t i = 0; i < len; i++) { | |||
| r |= a[i] ^ b[i]; | |||
| } | |||
| r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); | |||
| return (int8_t)r; | |||
| } | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) { | |||
| // Select one of the two input arrays to be moved to r | |||
| // If (selector == 0) then load r with a, else if (selector == -1) load r with b | |||
| for (size_t i = 0; i < len; i++) { | |||
| r[i] = (~selector & a[i]) | (selector & b[i]); | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n) { | |||
| // Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed. | |||
| // This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing. | |||
| volatile uint8_t *v = mem; | |||
| for (size_t i = 0; i < n; i++) { | |||
| v[i] = 0; | |||
| } | |||
| } | |||
+ 0
- 21
crypto_kem/frodo/frodokem640shake/opt/LICENSE
查看文件
| @@ -1,21 +0,0 @@ | |||
| MIT License | |||
| Copyright (c) Microsoft Corporation. All rights reserved. | |||
| Permission is hereby granted, free of charge, to any person obtaining a copy | |||
| of this software and associated documentation files (the "Software"), to deal | |||
| in the Software without restriction, including without limitation the rights | |||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |||
| copies of the Software, and to permit persons to whom the Software is | |||
| furnished to do so, subject to the following conditions: | |||
| The above copyright notice and this permission notice shall be included in all | |||
| copies or substantial portions of the Software. | |||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |||
| SOFTWARE | |||
+ 0
- 19
crypto_kem/frodo/frodokem640shake/opt/Makefile.Microsoft_nmake
查看文件
| @@ -1,19 +0,0 @@ | |||
| # This Makefile can be used with Microsoft Visual Studio's nmake using the command: | |||
| # nmake /f Makefile.Microsoft_nmake | |||
| LIBRARY=libfrodokem640shake_opt.lib | |||
| OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj | |||
| CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX | |||
| all: $(LIBRARY) | |||
| # Make sure objects are recompiled if headers change. | |||
| $(OBJECTS): *.h | |||
| $(LIBRARY): $(OBJECTS) | |||
| LIB.EXE /NOLOGO /WX /OUT:$@ $** | |||
| clean: | |||
| -DEL $(OBJECTS) | |||
| -DEL $(LIBRARY) | |||
+ 0
- 21
crypto_kem/frodo/frodokem976shake/clean/LICENSE
查看文件
| @@ -1,21 +0,0 @@ | |||
| MIT License | |||
| Copyright (c) Microsoft Corporation. All rights reserved. | |||
| Permission is hereby granted, free of charge, to any person obtaining a copy | |||
| of this software and associated documentation files (the "Software"), to deal | |||
| in the Software without restriction, including without limitation the rights | |||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |||
| copies of the Software, and to permit persons to whom the Software is | |||
| furnished to do so, subject to the following conditions: | |||
| The above copyright notice and this permission notice shall be included in all | |||
| copies or substantial portions of the Software. | |||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |||
| SOFTWARE | |||
+ 0
- 19
crypto_kem/frodo/frodokem976shake/clean/Makefile.Microsoft_nmake
查看文件
| @@ -1,19 +0,0 @@ | |||
| # This Makefile can be used with Microsoft Visual Studio's nmake using the command: | |||
| # nmake /f Makefile.Microsoft_nmake | |||
| LIBRARY=libfrodokem976shake_clean.lib | |||
| OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj | |||
| CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX | |||
| all: $(LIBRARY) | |||
| # Make sure objects are recompiled if headers change. | |||
| $(OBJECTS): *.h | |||
| $(LIBRARY): $(OBJECTS) | |||
| LIB.EXE /NOLOGO /WX /OUT:$@ $** | |||
| clean: | |||
| -DEL $(OBJECTS) | |||
| -DEL $(LIBRARY) | |||
+ 0
- 20
crypto_kem/frodo/frodokem976shake/clean/api.h
查看文件
| @@ -1,20 +0,0 @@ | |||
| #ifndef PQCLEAN_FRODOKEM976SHAKE_CLEAN_API_H | |||
| #define PQCLEAN_FRODOKEM976SHAKE_CLEAN_API_H | |||
| #include <stddef.h> | |||
| #include <stdint.h> | |||
| #define PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES 31296 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH | |||
| #define PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES 15632 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 | |||
| #define PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_BYTES 24 | |||
| #define PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES 15744 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8 | |||
| #define PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_ALGNAME "FrodoKEM-976-SHAKE" | |||
| int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); | |||
| int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); | |||
| int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); | |||
| #endif | |||
+ 0
- 21
crypto_kem/frodo/frodokem976shake/clean/common.h
查看文件
| @@ -1,21 +0,0 @@ | |||
| #ifndef COMMON_H | |||
| #define COMMON_H | |||
| int PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A); | |||
| int PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A); | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(uint16_t *s, size_t n); | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s); | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e); | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b); | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b); | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in); | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in); | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb); | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb); | |||
| int8_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len); | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector); | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n); | |||
| uint16_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(uint16_t n); | |||
| uint16_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_UINT16_TO_LE(uint16_t n); | |||
| #endif | |||
+ 0
- 237
crypto_kem/frodo/frodokem976shake/clean/kem.c
查看文件
| @@ -1,237 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: Key Encapsulation Mechanism (KEM) based on Frodo | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include <string.h> | |||
| #include "fips202.h" | |||
| #include "randombytes.h" | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { | |||
| // FrodoKEM's key generation | |||
| // Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes) | |||
| // secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes) | |||
| uint8_t *pk_seedA = &pk[0]; | |||
| uint8_t *pk_b = &pk[BYTES_SEED_A]; | |||
| uint8_t *sk_s = &sk[0]; | |||
| uint8_t *sk_pk = &sk[CRYPTO_BYTES]; | |||
| uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; | |||
| uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; | |||
| uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE | |||
| uint8_t *randomness_s = &randomness[0]; // contains secret data | |||
| uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data | |||
| uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES]; | |||
| uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data | |||
| // Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key | |||
| randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A); | |||
| shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A); | |||
| // Generate S and E, and compute B = A*S + E. Generate A on-the-fly | |||
| shake_input_seedSE[0] = 0x5F; | |||
| memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES); | |||
| shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) { | |||
| S[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(S[i]); | |||
| } | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(S, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(E, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_as_plus_e(B, S, E, pk); | |||
| // Encode the second part of the public key | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); | |||
| // Add s, pk and S to the secret key | |||
| memcpy(sk_s, randomness_s, CRYPTO_BYTES); | |||
| memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES); | |||
| for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { | |||
| S[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_UINT16_TO_LE(S[i]); | |||
| } | |||
| memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR); | |||
| // Add H(pk) to the secret key | |||
| shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); | |||
| // Cleanup: | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(randomness, 2 * CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| return 0; | |||
| } | |||
| int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { | |||
| // FrodoKEM's key encapsulation | |||
| const uint8_t *pk_seedA = &pk[0]; | |||
| const uint8_t *pk_b = &pk[BYTES_SEED_A]; | |||
| uint8_t *ct_c1 = &ct[0]; | |||
| uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; | |||
| uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; | |||
| uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu | |||
| uint8_t *pkh = &G2in[0]; | |||
| uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data | |||
| uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data | |||
| uint8_t *seedSE = &G2out[0]; // contains secret data | |||
| uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data | |||
| uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k | |||
| uint8_t *Fin_ct = &Fin[0]; | |||
| uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data | |||
| uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data | |||
| // pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu) | |||
| shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); | |||
| randombytes(mu, BYTES_MU); | |||
| shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); | |||
| // Generate Sp and Ep, and compute Bp = Sp*A + Ep. Generate A on-the-fly | |||
| shake_input_seedSE[0] = 0x96; | |||
| memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES); | |||
| shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { | |||
| Sp[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(Sp[i]); | |||
| } | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); | |||
| // Generate Epp, and compute V = Sp*B + Epp | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sb_plus_e(V, B, Sp, Epp); | |||
| // Encode mu, and compute C = V + enc(mu) (mod q) | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_encode(C, (uint16_t *)mu); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_add(C, V, C); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ); | |||
| // Compute ss = F(ct||KK) | |||
| memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); | |||
| memcpy(Fin_k, k, CRYPTO_BYTES); | |||
| shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); | |||
| // Cleanup: | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(mu, BYTES_MU); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); | |||
| return 0; | |||
| } | |||
| int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { | |||
| // FrodoKEM's key decapsulation | |||
| uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; | |||
| uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0}; | |||
| uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0}; | |||
| uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data | |||
| uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| const uint8_t *ct_c1 = &ct[0]; | |||
| const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; | |||
| const uint8_t *sk_s = &sk[0]; | |||
| const uint8_t *sk_pk = &sk[CRYPTO_BYTES]; | |||
| const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; | |||
| uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data | |||
| const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; | |||
| const uint8_t *pk_seedA = &sk_pk[0]; | |||
| const uint8_t *pk_b = &sk_pk[BYTES_SEED_A]; | |||
| uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime | |||
| uint8_t *pkh = &G2in[0]; | |||
| uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data | |||
| uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data | |||
| uint8_t *seedSEprime = &G2out[0]; // contains secret data | |||
| uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data | |||
| uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k | |||
| uint8_t *Fin_ct = &Fin[0]; | |||
| uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data | |||
| uint8_t shake_input_seedSEprime[1 + CRYPTO_BYTES]; // contains secret data | |||
| for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { | |||
| S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8); | |||
| } | |||
| // Compute W = C - Bp*S (mod q), and decode the randomness mu | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_bs(W, Bp, S); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_sub(W, C, W); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_decode((uint16_t *)muprime, W); | |||
| // Generate (seedSE' || k') = G_2(pkh || mu') | |||
| memcpy(pkh, sk_pkh, BYTES_PKHASH); | |||
| shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); | |||
| // Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly | |||
| shake_input_seedSEprime[0] = 0x96; | |||
| memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES); | |||
| shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES); | |||
| for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { | |||
| Sp[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(Sp[i]); | |||
| } | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA); | |||
| // Generate Epp, and compute W = Sp*B + Epp | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sb_plus_e(W, B, Sp, Epp); | |||
| // Encode mu, and compute CC = W + enc(mu') (mod q) | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_encode(CC, (uint16_t *)muprime); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_add(CC, W, CC); | |||
| // Prepare input to F | |||
| memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); | |||
| // Reducing BBp modulo q | |||
| for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { | |||
| BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| // If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s) | |||
| // Needs to avoid branching on secret data as per: | |||
| // Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum | |||
| // primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020. | |||
| int8_t selector = PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR); | |||
| // If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s) | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector); | |||
| shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); | |||
| // Cleanup: | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(muprime, BYTES_MU); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES); | |||
| PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES); | |||
| return 0; | |||
| } | |||
+ 0
- 79
crypto_kem/frodo/frodokem976shake/clean/matrix_shake.c
查看文件
| @@ -1,79 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: matrix arithmetic functions used by the KEM | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include <string.h> | |||
| #include "fips202.h" | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| int PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { | |||
| // Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right. | |||
| // Inputs: s, e (N x N_BAR) | |||
| // Output: out = A*s + e (N x N_BAR) | |||
| int i, j, k; | |||
| int16_t A[PARAMS_N * PARAMS_N] = {0}; | |||
| uint8_t seed_A_separated[2 + BYTES_SEED_A]; | |||
| uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated; | |||
| memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A); | |||
| for (i = 0; i < PARAMS_N; i++) { | |||
| seed_A_origin[0] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i); | |||
| shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A); | |||
| } | |||
| for (i = 0; i < PARAMS_N * PARAMS_N; i++) { | |||
| A[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(A[i]); | |||
| } | |||
| memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t)); | |||
| for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e | |||
| for (k = 0; k < PARAMS_NBAR; k++) { | |||
| uint16_t sum = 0; | |||
| for (j = 0; j < PARAMS_N; j++) { | |||
| sum += A[i * PARAMS_N + j] * s[k * PARAMS_N + j]; | |||
| } | |||
| out[i * PARAMS_NBAR + k] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on. | |||
| } | |||
| } | |||
| return 1; | |||
| } | |||
| int PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { | |||
| // Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left. | |||
| // Inputs: s', e' (N_BAR x N) | |||
| // Output: out = s'*A + e' (N_BAR x N) | |||
| int i, j, k; | |||
| int16_t A[PARAMS_N * PARAMS_N] = {0}; | |||
| uint8_t seed_A_separated[2 + BYTES_SEED_A]; | |||
| uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated; | |||
| memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A); | |||
| for (i = 0; i < PARAMS_N; i++) { | |||
| seed_A_origin[0] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i); | |||
| shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A); | |||
| } | |||
| for (i = 0; i < PARAMS_N * PARAMS_N; i++) { | |||
| A[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(A[i]); | |||
| } | |||
| memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t)); | |||
| for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e | |||
| for (k = 0; k < PARAMS_NBAR; k++) { | |||
| uint16_t sum = 0; | |||
| for (j = 0; j < PARAMS_N; j++) { | |||
| sum += A[j * PARAMS_N + i] * s[k * PARAMS_N + j]; | |||
| } | |||
| out[k * PARAMS_N + i] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on. | |||
| } | |||
| } | |||
| return 1; | |||
| } | |||
+ 0
- 35
crypto_kem/frodo/frodokem976shake/clean/noise.c
查看文件
| @@ -1,35 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: noise sampling functions | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA; | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(uint16_t *s, size_t n) { | |||
| // Fills vector s with n samples from the noise distribution which requires 16 bits to sample. | |||
| // The distribution is specified by its CDF. | |||
| // Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output. | |||
| size_t i; | |||
| unsigned int j; | |||
| for (i = 0; i < n; ++i) { | |||
| uint16_t sample = 0; | |||
| uint16_t prnd = s[i] >> 1; // Drop the least significant bit | |||
| uint16_t sign = s[i] & 0x1; // Pick the least significant bit | |||
| // No need to compare with the last value. | |||
| for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) { | |||
| // Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits. | |||
| sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15; | |||
| } | |||
| // Assuming that sign is either 0 or 1, flips sample iff sign = 1 | |||
| s[i] = ((-sign) ^ sample) + sign; | |||
| } | |||
| } | |||
+ 0
- 27
crypto_kem/frodo/frodokem976shake/clean/params.h
查看文件
| @@ -1,27 +0,0 @@ | |||
| #ifndef PARAMS_H | |||
| #define PARAMS_H | |||
| #define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES | |||
| #define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES | |||
| #define CRYPTO_BYTES PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_BYTES | |||
| #define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES | |||
| #define PARAMS_N 976 | |||
| #define PARAMS_NBAR 8 | |||
| #define PARAMS_LOGQ 16 | |||
| #define PARAMS_Q (1 << PARAMS_LOGQ) | |||
| #define PARAMS_EXTRACTED_BITS 3 | |||
| #define PARAMS_STRIPE_STEP 8 | |||
| #define PARAMS_PARALLEL 4 | |||
| #define BYTES_SEED_A 16 | |||
| #define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8) | |||
| #define BYTES_PKHASH CRYPTO_BYTES | |||
| // Selecting SHAKE XOF function for the KEM and noise sampling | |||
| #define shake shake256 | |||
| // CDF table | |||
| #define CDF_TABLE_DATA {5638, 15915, 23689, 28571, 31116, 32217, 32613, 32731, 32760, 32766, 32767} | |||
| #define CDF_TABLE_LEN 11 | |||
| #endif | |||
+ 0
- 264
crypto_kem/frodo/frodokem976shake/clean/util.c
查看文件
| @@ -1,264 +0,0 @@ | |||
| /******************************************************************************************** | |||
| * FrodoKEM: Learning with Errors Key Encapsulation | |||
| * | |||
| * Abstract: additional functions for FrodoKEM | |||
| *********************************************************************************************/ | |||
| #include <stdint.h> | |||
| #include <string.h> | |||
| #include "api.h" | |||
| #include "common.h" | |||
| #include "params.h" | |||
| static inline uint8_t min(uint8_t x, uint8_t y) { | |||
| if (x < y) { | |||
| return x; | |||
| } | |||
| return y; | |||
| } | |||
| uint16_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(uint16_t n) { | |||
| return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8)); | |||
| } | |||
| uint16_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_UINT16_TO_LE(uint16_t n) { | |||
| uint16_t y; | |||
| uint8_t *z = (uint8_t *) &y; | |||
| z[0] = n & 0xFF; | |||
| z[1] = (n & 0xFF00) >> 8; | |||
| return y; | |||
| } | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) { | |||
| // Multiply by s on the right | |||
| // Inputs: b (N_BAR x N), s (N x N_BAR) | |||
| // Output: out = b*s (N_BAR x N_BAR) | |||
| int i, j, k; | |||
| for (i = 0; i < PARAMS_NBAR; i++) { | |||
| for (j = 0; j < PARAMS_NBAR; j++) { | |||
| out[i * PARAMS_NBAR + j] = 0; | |||
| for (k = 0; k < PARAMS_N; k++) { | |||
| out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); | |||
| } | |||
| out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) { | |||
| // Multiply by s on the left | |||
| // Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR) | |||
| // Output: out = s*b + e (N_BAR x N_BAR) | |||
| int i, j, k; | |||
| for (k = 0; k < PARAMS_NBAR; k++) { | |||
| for (i = 0; i < PARAMS_NBAR; i++) { | |||
| out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i]; | |||
| for (j = 0; j < PARAMS_N; j++) { | |||
| out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]); | |||
| } | |||
| out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b) { | |||
| // Add a and b | |||
| // Inputs: a, b (N_BAR x N_BAR) | |||
| // Output: c = a + b | |||
| for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { | |||
| out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) { | |||
| // Subtract a and b | |||
| // Inputs: a, b (N_BAR x N_BAR) | |||
| // Output: c = a - b | |||
| for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { | |||
| out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1); | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in) { | |||
| // Encoding | |||
| unsigned int i, j, npieces_word = 8; | |||
| unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; | |||
| uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1; | |||
| uint16_t *pos = out; | |||
| for (i = 0; i < nwords; i++) { | |||
| temp = 0; | |||
| for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) { | |||
| temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j); | |||
| } | |||
| for (j = 0; j < npieces_word; j++) { | |||
| *pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS)); | |||
| temp >>= PARAMS_EXTRACTED_BITS; | |||
| pos++; | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in) { | |||
| // Decoding | |||
| unsigned int i, j, index = 0, npieces_word = 8; | |||
| unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; | |||
| uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1; | |||
| uint8_t *pos = (uint8_t *)out; | |||
| uint64_t templong; | |||
| for (i = 0; i < nwords; i++) { | |||
| templong = 0; | |||
| for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5) | |||
| temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS); | |||
| templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j); | |||
| index++; | |||
| } | |||
| for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) { | |||
| pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF; | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) { | |||
| // Pack the input uint16 vector into a char output vector, copying lsb bits from each input element. | |||
| // If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied. | |||
| memset(out, 0, outlen); | |||
| size_t i = 0; // whole bytes already filled in | |||
| size_t j = 0; // whole uint16_t already copied | |||
| uint16_t w = 0; // the leftover, not yet copied | |||
| uint8_t bits = 0; // the number of lsb in w | |||
| while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { | |||
| /* | |||
| in: | | |********|********| | |||
| ^ | |||
| j | |||
| w : | ****| | |||
| ^ | |||
| bits | |||
| out:|**|**|**|**|**|**|**|**|* | | |||
| ^^ | |||
| ib | |||
| */ | |||
| uint8_t b = 0; // bits in out[i] already filled in | |||
| while (b < 8) { | |||
| int nbits = min(8 - b, bits); | |||
| uint16_t mask = (1 << nbits) - 1; | |||
| uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out | |||
| out[i] = out[i] + (t << (8 - b - nbits)); | |||
| b += (uint8_t) nbits; | |||
| bits -= (uint8_t) nbits; | |||
| w &= ~(mask << bits); // not strictly necessary; mostly for debugging | |||
| if (bits == 0) { | |||
| if (j < inlen) { | |||
| w = in[j]; | |||
| bits = lsb; | |||
| j++; | |||
| } else { | |||
| break; // the input vector is exhausted | |||
| } | |||
| } | |||
| } | |||
| if (b == 8) { // out[i] is filled in | |||
| i++; | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) { | |||
| // Unpack the input char vector into a uint16_t output vector, copying lsb bits | |||
| // for each output element from input. outlen must be at least ceil(inlen * 8 / lsb). | |||
| memset(out, 0, outlen * sizeof(uint16_t)); | |||
| size_t i = 0; // whole uint16_t already filled in | |||
| size_t j = 0; // whole bytes already copied | |||
| uint8_t w = 0; // the leftover, not yet copied | |||
| uint8_t bits = 0; // the number of lsb bits of w | |||
| while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { | |||
| /* | |||
| in: | | | | | | |**|**|... | |||
| ^ | |||
| j | |||
| w : | *| | |||
| ^ | |||
| bits | |||
| out:| *****| *****| *** | |... | |||
| ^ ^ | |||
| i b | |||
| */ | |||
| uint8_t b = 0; // bits in out[i] already filled in | |||
| while (b < lsb) { | |||
| int nbits = min(lsb - b, bits); | |||
| uint16_t mask = (1 << nbits) - 1; | |||
| uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out | |||
| out[i] = out[i] + (t << (lsb - b - nbits)); | |||
| b += (uint8_t) nbits; | |||
| bits -= (uint8_t) nbits; | |||
| w &= ~(mask << bits); // not strictly necessary; mostly for debugging | |||
| if (bits == 0) { | |||
| if (j < inlen) { | |||
| w = in[j]; | |||
| bits = 8; | |||
| j++; | |||
| } else { | |||
| break; // the input vector is exhausted | |||
| } | |||
| } | |||
| } | |||
| if (b == lsb) { // out[i] is filled in | |||
| i++; | |||
| } | |||
| } | |||
| } | |||
| int8_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) { | |||
| // Compare two arrays in constant time. | |||
| // Returns 0 if the byte arrays are equal, -1 otherwise. | |||
| uint16_t r = 0; | |||
| for (size_t i = 0; i < len; i++) { | |||
| r |= a[i] ^ b[i]; | |||
| } | |||
| r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); | |||
| return (int8_t)r; | |||
| } | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) { | |||
| // Select one of the two input arrays to be moved to r | |||
| // If (selector == 0) then load r with a, else if (selector == -1) load r with b | |||
| for (size_t i = 0; i < len; i++) { | |||
| r[i] = (~selector & a[i]) | (selector & b[i]); | |||
| } | |||
| } | |||
| void PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n) { | |||
| // Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed. | |||
| // This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing. | |||
| volatile uint8_t *v = mem; | |||
| for (size_t i = 0; i < n; i++) { | |||
| v[i] = 0; | |||
| } | |||
| } | |||
+ 0
- 21
crypto_kem/frodo/frodokem976shake/opt/LICENSE
查看文件
| @@ -1,21 +0,0 @@ | |||
| MIT License | |||
| Copyright (c) Microsoft Corporation. All rights reserved. | |||
| Permission is hereby granted, free of charge, to any person obtaining a copy | |||
| of this software and associated documentation files (the "Software"), to deal | |||
| in the Software without restriction, including without limitation the rights | |||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |||
| copies of the Software, and to permit persons to whom the Software is | |||
| furnished to do so, subject to the following conditions: | |||
| The above copyright notice and this permission notice shall be included in all | |||
| copies or substantial portions of the Software. | |||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |||
| SOFTWARE | |||
+ 0
- 19
crypto_kem/frodo/frodokem976shake/opt/Makefile.Microsoft_nmake
查看文件
| @@ -1,19 +0,0 @@ | |||
| # This Makefile can be used with Microsoft Visual Studio's nmake using the command: | |||
| # nmake /f Makefile.Microsoft_nmake | |||
| LIBRARY=libfrodokem976shake_opt.lib | |||
| OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj | |||
| CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX | |||
| all: $(LIBRARY) | |||
| # Make sure objects are recompiled if headers change. | |||
| $(OBJECTS): *.h | |||
| $(LIBRARY): $(OBJECTS) | |||
| LIB.EXE /NOLOGO /WX /OUT:$@ $** | |||
| clean: | |||
| -DEL $(OBJECTS) | |||
| -DEL $(LIBRARY) | |||
+ 0
- 5
crypto_kem/kyber/kyber1024/avx2/LICENSE
查看文件
| @@ -1,5 +0,0 @@ | |||
| Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/) | |||
| For Keccak and AES we are using public-domain | |||
| code from sources and by authors listed in | |||
| comments on top of the respective files. | |||
+ 0
- 5
crypto_kem/kyber/kyber1024/clean/LICENSE
查看文件
| @@ -1,5 +0,0 @@ | |||
| Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/) | |||
| For Keccak and AES we are using public-domain | |||
| code from sources and by authors listed in | |||
| comments on top of the respective files. | |||
+ 0
- 23
crypto_kem/kyber/kyber1024/clean/Makefile.Microsoft_nmake
查看文件
| @@ -1,23 +0,0 @@ | |||
| # This Makefile can be used with Microsoft Visual Studio's nmake using the command: | |||
| # nmake /f Makefile.Microsoft_nmake | |||
| LIBRARY=libkyber1024_clean.lib | |||
| OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj | |||
| # Warning C4146 is raised when a unary minus operator is applied to an | |||
| # unsigned type; this has nonetheless been standard and portable for as | |||
| # long as there has been a C standard, and we need it for constant-time | |||
| # computations. Thus, we disable that spurious warning. | |||
| CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146 | |||
| all: $(LIBRARY) | |||
| # Make sure objects are recompiled if headers change. | |||
| $(OBJECTS): *.h | |||
| $(LIBRARY): $(OBJECTS) | |||
| LIB.EXE /NOLOGO /WX /OUT:$@ $** | |||
| clean: | |||
| -DEL $(OBJECTS) | |||
| -DEL $(LIBRARY) | |||
+ 0
- 5
crypto_kem/kyber/kyber512/avx2/LICENSE
查看文件
| @@ -1,5 +0,0 @@ | |||
| Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/) | |||
| For Keccak and AES we are using public-domain | |||
| code from sources and by authors listed in | |||
| comments on top of the respective files. | |||
+ 0
- 5
crypto_kem/kyber/kyber512/clean/LICENSE
查看文件
| @@ -1,5 +0,0 @@ | |||
| Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/) | |||
| For Keccak and AES we are using public-domain | |||
| code from sources and by authors listed in | |||
| comments on top of the respective files. | |||
+ 0
- 23
crypto_kem/kyber/kyber512/clean/Makefile.Microsoft_nmake
查看文件
| @@ -1,23 +0,0 @@ | |||
| # This Makefile can be used with Microsoft Visual Studio's nmake using the command: | |||
| # nmake /f Makefile.Microsoft_nmake | |||
| LIBRARY=libkyber512_clean.lib | |||
| OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj | |||
| # Warning C4146 is raised when a unary minus operator is applied to an | |||
| # unsigned type; this has nonetheless been standard and portable for as | |||
| # long as there has been a C standard, and we need it for constant-time | |||
| # computations. Thus, we disable that spurious warning. | |||
| CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146 | |||
| all: $(LIBRARY) | |||
| # Make sure objects are recompiled if headers change. | |||
| $(OBJECTS): *.h | |||
| $(LIBRARY): $(OBJECTS) | |||
| LIB.EXE /NOLOGO /WX /OUT:$@ $** | |||
| clean: | |||
| -DEL $(OBJECTS) | |||
| -DEL $(LIBRARY) | |||
+ 0
- 5
crypto_kem/kyber/kyber768/avx2/LICENSE
查看文件
| @@ -1,5 +0,0 @@ | |||
| Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/) | |||
| For Keccak and AES we are using public-domain | |||
| code from sources and by authors listed in | |||
| comments on top of the respective files. | |||
+ 0
- 5
crypto_kem/kyber/kyber768/clean/LICENSE
查看文件
| @@ -1,5 +0,0 @@ | |||
| Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/) | |||
| For Keccak and AES we are using public-domain | |||
| code from sources and by authors listed in | |||
| comments on top of the respective files. | |||
+ 0
- 23
crypto_kem/kyber/kyber768/clean/Makefile.Microsoft_nmake
查看文件
| @@ -1,23 +0,0 @@ | |||
| # This Makefile can be used with Microsoft Visual Studio's nmake using the command: | |||
| # nmake /f Makefile.Microsoft_nmake | |||
| LIBRARY=libkyber768_clean.lib | |||
| OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj | |||
| # Warning C4146 is raised when a unary minus operator is applied to an | |||
| # unsigned type; this has nonetheless been standard and portable for as | |||
| # long as there has been a C standard, and we need it for constant-time | |||
| # computations. Thus, we disable that spurious warning. | |||
| CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146 | |||
| all: $(LIBRARY) | |||
| # Make sure objects are recompiled if headers change. | |||
| $(OBJECTS): *.h | |||
| $(LIBRARY): $(OBJECTS) | |||
| LIB.EXE /NOLOGO /WX /OUT:$@ $** | |||
| clean: | |||
| -DEL $(OBJECTS) | |||
| -DEL $(LIBRARY) | |||
+ 0
- 16
crypto_kem/mceliece/mceliece348864/avx/LICENSE
查看文件
| @@ -1,16 +0,0 @@ | |||
| Public Domain. | |||
| Authors of Classic McEliece in alphabetical order: | |||
| Daniel J. Bernstein, University of Illinois at Chicago | |||
| Tung Chou, Osaka University | |||
| Tanja Lange, Technische Universiteit Eindhoven | |||
| Ingo von Maurich, self | |||
| Rafael Misoczki, Intel Corporation | |||
| Ruben Niederhagen, Fraunhofer SIT | |||
| Edoardo Persichetti, Florida Atlantic University | |||
| Christiane Peters, self | |||
| Peter Schwabe, Radboud University | |||
| Nicolas Sendrier, Inria | |||
| Jakub Szefer, Yale University | |||
| Wen Wang, Yale University | |||
+ 0
- 16
crypto_kem/mceliece/mceliece348864/clean/LICENSE
查看文件
| @@ -1,16 +0,0 @@ | |||
| Public Domain. | |||
| Authors of Classic McEliece in alphabetical order: | |||
| Daniel J. Bernstein, University of Illinois at Chicago | |||
| Tung Chou, Osaka University | |||
| Tanja Lange, Technische Universiteit Eindhoven | |||
| Ingo von Maurich, self | |||
| Rafael Misoczki, Intel Corporation | |||
| Ruben Niederhagen, Fraunhofer SIT | |||
| Edoardo Persichetti, Florida Atlantic University | |||
| Christiane Peters, self | |||
| Peter Schwabe, Radboud University | |||
| Nicolas Sendrier, Inria | |||
| Jakub Szefer, Yale University | |||
| Wen Wang, Yale University | |||
+ 0
- 24
crypto_kem/mceliece/mceliece348864/clean/Makefile.Microsoft_nmake
查看文件
| @@ -1,24 +0,0 @@ | |||
| # This Makefile can be used with GNU Make or BSD Make | |||
| LIBRARY = libmceliece348864_clean.lib | |||
| OBJECTS = aes256ctr.obj benes.obj bm.obj controlbits.obj decrypt.obj encrypt.obj gf.obj \ | |||
| operations.obj pk_gen.obj root.obj sk_gen.obj synd.obj transpose.obj util.obj | |||
| # Warning C4146 is raised when a unary minus operator is applied to an | |||
| # unsigned type; this has nonetheless been standard and portable for as | |||
| # long as there has been a C standard, and we do that a lot, especially | |||
| # for constant-time computations. Thus, we disable that spurious warning. | |||
| CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /wd4146 /WX | |||
| all: $(LIBRARY) | |||
| # Make sure objects are recompiled if headers change. | |||
| $(OBJECTS): *.h | |||
| $(LIBRARY): $(OBJECTS) | |||
| LIB.EXE /NOLOGO /WX /OUT:$@ $** | |||
| clean: | |||
| -DEL $(OBJECTS) | |||
| -DEL $(LIBRARY) | |||
+ 0
- 16
crypto_kem/mceliece/mceliece348864/sse/LICENSE
查看文件
| @@ -1,16 +0,0 @@ | |||
| Public Domain. | |||
| Authors of Classic McEliece in alphabetical order: | |||
| Daniel J. Bernstein, University of Illinois at Chicago | |||
| Tung Chou, Osaka University | |||
| Tanja Lange, Technische Universiteit Eindhoven | |||
| Ingo von Maurich, self | |||
| Rafael Misoczki, Intel Corporation | |||
| Ruben Niederhagen, Fraunhofer SIT | |||
| Edoardo Persichetti, Florida Atlantic University | |||
| Christiane Peters, self | |||
| Peter Schwabe, Radboud University | |||
| Nicolas Sendrier, Inria | |||
| Jakub Szefer, Yale University | |||
| Wen Wang, Yale University | |||
+ 0
- 13
crypto_kem/mceliece/mceliece348864/sse/aes256ctr.c
查看文件
| @@ -1,13 +0,0 @@ | |||
| #include "aes256ctr.h" | |||
| void PQCLEAN_MCELIECE348864_SSE_aes256ctr( | |||
| uint8_t *out, | |||
| size_t outlen, | |||
| const uint8_t nonce[AESCTR_NONCEBYTES], | |||
| const uint8_t key[AES256_KEYBYTES]) { | |||
| aes256ctx state; | |||
| aes256_ctr_keyexp(&state, key); | |||
| aes256_ctr(out, outlen, nonce, &state); | |||
| aes256_ctx_release(&state); | |||
| } | |||
+ 0
- 17
crypto_kem/mceliece/mceliece348864/sse/aes256ctr.h
查看文件
| @@ -1,17 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_AES256CTR_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_AES256CTR_H | |||
| #include <stddef.h> | |||
| #include <stdint.h> | |||
| #include "aes.h" | |||
| void PQCLEAN_MCELIECE348864_SSE_aes256ctr( | |||
| uint8_t *out, | |||
| size_t outlen, | |||
| const uint8_t nonce[AESCTR_NONCEBYTES], | |||
| const uint8_t key[AES256_KEYBYTES] | |||
| ); | |||
| #endif | |||
+ 0
- 32
crypto_kem/mceliece/mceliece348864/sse/api.h
查看文件
| @@ -1,32 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_API_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_API_H | |||
| #include <stdint.h> | |||
| #define PQCLEAN_MCELIECE348864_SSE_CRYPTO_ALGNAME "Classic McEliece 348864" | |||
| #define PQCLEAN_MCELIECE348864_SSE_CRYPTO_PUBLICKEYBYTES 261120 | |||
| #define PQCLEAN_MCELIECE348864_SSE_CRYPTO_SECRETKEYBYTES 6452 | |||
| #define PQCLEAN_MCELIECE348864_SSE_CRYPTO_CIPHERTEXTBYTES 128 | |||
| #define PQCLEAN_MCELIECE348864_SSE_CRYPTO_BYTES 32 | |||
| int PQCLEAN_MCELIECE348864_SSE_crypto_kem_enc( | |||
| uint8_t *c, | |||
| uint8_t *key, | |||
| const uint8_t *pk | |||
| ); | |||
| int PQCLEAN_MCELIECE348864_SSE_crypto_kem_dec( | |||
| uint8_t *key, | |||
| const uint8_t *c, | |||
| const uint8_t *sk | |||
| ); | |||
| int PQCLEAN_MCELIECE348864_SSE_crypto_kem_keypair | |||
| ( | |||
| uint8_t *pk, | |||
| uint8_t *sk | |||
| ); | |||
| #endif | |||
+ 0
- 287
crypto_kem/mceliece/mceliece348864/sse/benes.c
查看文件
| @@ -1,287 +0,0 @@ | |||
| /* | |||
| This file is for Benes network related functions | |||
| */ | |||
| #include "benes.h" | |||
| #include "params.h" | |||
| #include "transpose.h" | |||
| #include "util.h" | |||
| static void layer_0(uint64_t *bs, const uint64_t *cond) { | |||
| int x; | |||
| uint64_t diff; | |||
| for (x = 0; x < (1 << 6); x += 2) { | |||
| diff = bs[ x ] ^ bs[ x + 1 ]; | |||
| diff &= *cond++; | |||
| bs[ x ] ^= diff; | |||
| bs[ x + 1 ] ^= diff; | |||
| } | |||
| } | |||
| static void layer_1(uint64_t *bs, const uint64_t *cond) { | |||
| int x; | |||
| uint64_t diff; | |||
| for (x = 0; x < (1 << 6); x += 4) { | |||
| diff = bs[ x + 0 ] ^ bs[ x + 2 ]; | |||
| diff &= cond[0]; | |||
| bs[ x + 0 ] ^= diff; | |||
| bs[ x + 2 ] ^= diff; | |||
| diff = bs[ x + 1 ] ^ bs[ x + 3 ]; | |||
| diff &= cond[1]; | |||
| bs[ x + 1 ] ^= diff; | |||
| bs[ x + 3 ] ^= diff; | |||
| cond += 2; | |||
| } | |||
| } | |||
| static void layer_2(uint64_t *bs, const uint64_t *cond) { | |||
| int x; | |||
| uint64_t diff; | |||
| for (x = 0; x < (1 << 6); x += 8) { | |||
| diff = bs[ x + 0 ] ^ bs[ x + 4 ]; | |||
| diff &= cond[0]; | |||
| bs[ x + 0 ] ^= diff; | |||
| bs[ x + 4 ] ^= diff; | |||
| diff = bs[ x + 1 ] ^ bs[ x + 5 ]; | |||
| diff &= cond[1]; | |||
| bs[ x + 1 ] ^= diff; | |||
| bs[ x + 5 ] ^= diff; | |||
| diff = bs[ x + 2 ] ^ bs[ x + 6 ]; | |||
| diff &= cond[2]; | |||
| bs[ x + 2 ] ^= diff; | |||
| bs[ x + 6 ] ^= diff; | |||
| diff = bs[ x + 3 ] ^ bs[ x + 7 ]; | |||
| diff &= cond[3]; | |||
| bs[ x + 3 ] ^= diff; | |||
| bs[ x + 7 ] ^= diff; | |||
| cond += 4; | |||
| } | |||
| } | |||
| static void layer_3(uint64_t *bs, const uint64_t *cond) { | |||
| int x, s; | |||
| uint64_t diff; | |||
| for (x = 0; x < (1 << 6); x += 16) { | |||
| for (s = x; s < x + 8; s += 4) { | |||
| diff = bs[ s + 0 ] ^ bs[ s + 8 ]; | |||
| diff &= cond[0]; | |||
| bs[ s + 0 ] ^= diff; | |||
| bs[ s + 8 ] ^= diff; | |||
| diff = bs[ s + 1 ] ^ bs[ s + 9 ]; | |||
| diff &= cond[1]; | |||
| bs[ s + 1 ] ^= diff; | |||
| bs[ s + 9 ] ^= diff; | |||
| diff = bs[ s + 2 ] ^ bs[ s + 10 ]; | |||
| diff &= cond[2]; | |||
| bs[ s + 2 ] ^= diff; | |||
| bs[ s + 10 ] ^= diff; | |||
| diff = bs[ s + 3 ] ^ bs[ s + 11 ]; | |||
| diff &= cond[3]; | |||
| bs[ s + 3 ] ^= diff; | |||
| bs[ s + 11 ] ^= diff; | |||
| cond += 4; | |||
| } | |||
| } | |||
| } | |||
| static void layer_4(uint64_t *bs, const uint64_t *cond) { | |||
| int x, s; | |||
| uint64_t diff; | |||
| for (x = 0; x < (1 << 6); x += 32) { | |||
| for (s = x; s < x + 16; s += 4) { | |||
| diff = bs[ s + 0 ] ^ bs[ s + 16 ]; | |||
| diff &= cond[0]; | |||
| bs[ s + 0 ] ^= diff; | |||
| bs[ s + 16 ] ^= diff; | |||
| diff = bs[ s + 1 ] ^ bs[ s + 17 ]; | |||
| diff &= cond[1]; | |||
| bs[ s + 1 ] ^= diff; | |||
| bs[ s + 17 ] ^= diff; | |||
| diff = bs[ s + 2 ] ^ bs[ s + 18 ]; | |||
| diff &= cond[2]; | |||
| bs[ s + 2 ] ^= diff; | |||
| bs[ s + 18 ] ^= diff; | |||
| diff = bs[ s + 3 ] ^ bs[ s + 19 ]; | |||
| diff &= cond[3]; | |||
| bs[ s + 3 ] ^= diff; | |||
| bs[ s + 19 ] ^= diff; | |||
| cond += 4; | |||
| } | |||
| } | |||
| } | |||
| static void layer_5(uint64_t *bs, const uint64_t *cond) { | |||
| int x, s; | |||
| uint64_t diff; | |||
| for (x = 0; x < (1 << 6); x += 64) { | |||
| for (s = x; s < x + 32; s += 4) { | |||
| diff = bs[ s + 0 ] ^ bs[ s + 32 ]; | |||
| diff &= cond[0]; | |||
| bs[ s + 0 ] ^= diff; | |||
| bs[ s + 32 ] ^= diff; | |||
| diff = bs[ s + 1 ] ^ bs[ s + 33 ]; | |||
| diff &= cond[1]; | |||
| bs[ s + 1 ] ^= diff; | |||
| bs[ s + 33 ] ^= diff; | |||
| diff = bs[ s + 2 ] ^ bs[ s + 34 ]; | |||
| diff &= cond[2]; | |||
| bs[ s + 2 ] ^= diff; | |||
| bs[ s + 34 ] ^= diff; | |||
| diff = bs[ s + 3 ] ^ bs[ s + 35 ]; | |||
| diff &= cond[3]; | |||
| bs[ s + 3 ] ^= diff; | |||
| bs[ s + 35 ] ^= diff; | |||
| cond += 4; | |||
| } | |||
| } | |||
| } | |||
| /* input: bits, control bits as array of bytes */ | |||
| /* output: out, control bits as array of 128-bit vectors */ | |||
| void PQCLEAN_MCELIECE348864_SSE_load_bits(uint64_t out[][32], const unsigned char *bits) { | |||
| int i, low, block = 0; | |||
| uint64_t cond[64]; | |||
| // | |||
| for (low = 0; low <= 5; low++) { | |||
| for (i = 0; i < 64; i++) { | |||
| cond[i] = PQCLEAN_MCELIECE348864_SSE_load4(bits + block * 256 + i * 4); | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_transpose_64x64(cond); | |||
| for (i = 0; i < 32; i++) { | |||
| out[ block ][i] = cond[i]; | |||
| } | |||
| block++; | |||
| } | |||
| for (low = 0; low <= 5; low++) { | |||
| for (i = 0; i < 32; i++) { | |||
| out[ block ][i] = PQCLEAN_MCELIECE348864_SSE_load8(bits + block * 256 + i * 8); | |||
| } | |||
| block++; | |||
| } | |||
| for (low = 4; low >= 0; low--) { | |||
| for (i = 0; i < 32; i++) { | |||
| out[ block ][i] = PQCLEAN_MCELIECE348864_SSE_load8(bits + block * 256 + i * 8); | |||
| } | |||
| block++; | |||
| } | |||
| for (low = 5; low >= 0; low--) { | |||
| for (i = 0; i < 64; i++) { | |||
| cond[i] = PQCLEAN_MCELIECE348864_SSE_load4(bits + block * 256 + i * 4); | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_transpose_64x64(cond); | |||
| for (i = 0; i < 32; i++) { | |||
| out[ block ][i] = cond[i]; | |||
| } | |||
| block++; | |||
| } | |||
| } | |||
| /* input: r, sequence of bits to be permuted */ | |||
| /* cond, control bits as array of 128-bit vectors */ | |||
| /* rev, 0 for normal application; !0 for inverse */ | |||
| /* output: r, permuted bits */ | |||
| void PQCLEAN_MCELIECE348864_SSE_benes(uint64_t *r, uint64_t cond[][32], int rev) { | |||
| int block, inc; | |||
| uint64_t *bs = r; | |||
| // | |||
| if (rev == 0) { | |||
| block = 0; | |||
| inc = 1; | |||
| } else { | |||
| block = 22; | |||
| inc = -1; | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_transpose_64x64(bs); | |||
| layer_0(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_1(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_2(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_3(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_4(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_5(bs, cond[ block ]); | |||
| block += inc; | |||
| PQCLEAN_MCELIECE348864_SSE_transpose_64x64(bs); | |||
| layer_0(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_1(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_2(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_3(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_4(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_5(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_4(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_3(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_2(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_1(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_0(bs, cond[ block ]); | |||
| block += inc; | |||
| PQCLEAN_MCELIECE348864_SSE_transpose_64x64(bs); | |||
| layer_5(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_4(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_3(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_2(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_1(bs, cond[ block ]); | |||
| block += inc; | |||
| layer_0(bs, cond[ block ]); | |||
| //block += inc; | |||
| PQCLEAN_MCELIECE348864_SSE_transpose_64x64(bs); | |||
| } | |||
+ 0
- 15
crypto_kem/mceliece/mceliece348864/sse/benes.h
查看文件
| @@ -1,15 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_BENES_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_BENES_H | |||
| /* | |||
| This file is for Benes network related functions | |||
| */ | |||
| #include "gf.h" | |||
| #include "vec128.h" | |||
| void PQCLEAN_MCELIECE348864_SSE_load_bits(uint64_t /*out*/[][32], const unsigned char * /*bits*/); | |||
| void PQCLEAN_MCELIECE348864_SSE_benes(uint64_t * /*r*/, uint64_t /*cond*/[][32], int /*rev*/); | |||
| #endif | |||
+ 0
- 220
crypto_kem/mceliece/mceliece348864/sse/bm.c
查看文件
| @@ -1,220 +0,0 @@ | |||
| /* | |||
| This file is for the inversion-free Berlekamp-Massey algorithm | |||
| see https://ieeexplore.ieee.org/document/87857 | |||
| */ | |||
| #include "bm.h" | |||
| #include "gf.h" | |||
| #include "util.h" | |||
| #include "vec.h" | |||
| #include "vec128.h" | |||
| #include <assert.h> | |||
| #include <stdint.h> | |||
| extern void PQCLEAN_MCELIECE348864_SSE_update_asm(void *, gf, int); | |||
| extern gf PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm(uint64_t *); | |||
| static inline uint64_t mask_nonzero(gf a) { | |||
| uint64_t ret = a; | |||
| ret -= 1; | |||
| ret >>= 63; | |||
| ret -= 1; | |||
| return ret; | |||
| } | |||
| static inline uint64_t mask_leq(uint16_t a, uint16_t b) { | |||
| uint64_t a_tmp = a; | |||
| uint64_t b_tmp = b; | |||
| uint64_t ret = b_tmp - a_tmp; | |||
| ret >>= 63; | |||
| ret -= 1; | |||
| return ret; | |||
| } | |||
| static void vec_cmov(uint64_t out[][2], uint64_t mask) { | |||
| int i; | |||
| for (i = 0; i < GFBITS; i++) { | |||
| out[i][0] = (out[i][0] & ~mask) | (out[i][1] & mask); | |||
| } | |||
| } | |||
| static inline void interleave(vec128 *in, int idx0, int idx1, vec128 *mask, int b) { | |||
| int s = 1 << b; | |||
| vec128 x, y; | |||
| x = PQCLEAN_MCELIECE348864_SSE_vec128_or(PQCLEAN_MCELIECE348864_SSE_vec128_and(in[idx0], mask[0]), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sll_2x(PQCLEAN_MCELIECE348864_SSE_vec128_and(in[idx1], mask[0]), s)); | |||
| y = PQCLEAN_MCELIECE348864_SSE_vec128_or(PQCLEAN_MCELIECE348864_SSE_vec128_srl_2x(PQCLEAN_MCELIECE348864_SSE_vec128_and(in[idx0], mask[1]), s), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_and(in[idx1], mask[1])); | |||
| in[idx0] = x; | |||
| in[idx1] = y; | |||
| } | |||
| /* input: in, field elements in bitsliced form */ | |||
| /* output: out, field elements in non-bitsliced form */ | |||
| static inline void get_coefs(gf *out, vec128 *in) { | |||
| int i, k; | |||
| vec128 mask[4][2]; | |||
| vec128 buf[16]; | |||
| for (i = 0; i < GFBITS; i++) { | |||
| buf[i] = in[i]; | |||
| } | |||
| for (i = GFBITS; i < 16; i++) { | |||
| buf[i] = PQCLEAN_MCELIECE348864_SSE_vec128_setzero(); | |||
| } | |||
| mask[0][0] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0x5555); | |||
| mask[0][1] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0xAAAA); | |||
| mask[1][0] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0x3333); | |||
| mask[1][1] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0xCCCC); | |||
| mask[2][0] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0x0F0F); | |||
| mask[2][1] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0xF0F0); | |||
| mask[3][0] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0x00FF); | |||
| mask[3][1] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0xFF00); | |||
| interleave(buf, 0, 8, mask[3], 3); | |||
| interleave(buf, 1, 9, mask[3], 3); | |||
| interleave(buf, 2, 10, mask[3], 3); | |||
| interleave(buf, 3, 11, mask[3], 3); | |||
| interleave(buf, 4, 12, mask[3], 3); | |||
| interleave(buf, 5, 13, mask[3], 3); | |||
| interleave(buf, 6, 14, mask[3], 3); | |||
| interleave(buf, 7, 15, mask[3], 3); | |||
| interleave(buf, 0, 4, mask[2], 2); | |||
| interleave(buf, 1, 5, mask[2], 2); | |||
| interleave(buf, 2, 6, mask[2], 2); | |||
| interleave(buf, 3, 7, mask[2], 2); | |||
| interleave(buf, 8, 12, mask[2], 2); | |||
| interleave(buf, 9, 13, mask[2], 2); | |||
| interleave(buf, 10, 14, mask[2], 2); | |||
| interleave(buf, 11, 15, mask[2], 2); | |||
| interleave(buf, 0, 2, mask[1], 1); | |||
| interleave(buf, 1, 3, mask[1], 1); | |||
| interleave(buf, 4, 6, mask[1], 1); | |||
| interleave(buf, 5, 7, mask[1], 1); | |||
| interleave(buf, 8, 10, mask[1], 1); | |||
| interleave(buf, 9, 11, mask[1], 1); | |||
| interleave(buf, 12, 14, mask[1], 1); | |||
| interleave(buf, 13, 15, mask[1], 1); | |||
| interleave(buf, 0, 1, mask[0], 0); | |||
| interleave(buf, 2, 3, mask[0], 0); | |||
| interleave(buf, 4, 5, mask[0], 0); | |||
| interleave(buf, 6, 7, mask[0], 0); | |||
| interleave(buf, 8, 9, mask[0], 0); | |||
| interleave(buf, 10, 11, mask[0], 0); | |||
| interleave(buf, 12, 13, mask[0], 0); | |||
| interleave(buf, 14, 15, mask[0], 0); | |||
| for (i = 0; i < 16; i++) { | |||
| for (k = 0; k < 4; k++) { | |||
| out[ (4 * 0 + k) * 16 + i ] = (PQCLEAN_MCELIECE348864_SSE_vec128_extract(buf[i], 0) >> (k * 16)) & GFMASK; | |||
| out[ (4 * 1 + k) * 16 + i ] = (PQCLEAN_MCELIECE348864_SSE_vec128_extract(buf[i], 1) >> (k * 16)) & GFMASK; | |||
| } | |||
| } | |||
| } | |||
| /* input: in, sequence of field elements */ | |||
| /* output: out, minimal polynomial of in */ | |||
| void PQCLEAN_MCELIECE348864_SSE_bm(uint64_t out[ GFBITS ], vec128 in[ GFBITS ]) { | |||
| uint16_t i; | |||
| uint16_t N, L; | |||
| uint64_t prod[ GFBITS ]; | |||
| uint64_t in_tmp[ GFBITS ]; | |||
| uint64_t db[ GFBITS ][ 2 ]; | |||
| uint64_t BC_tmp[ GFBITS ][ 2 ]; | |||
| uint64_t BC[ GFBITS ][ 2 ]; | |||
| uint64_t mask, t; | |||
| gf d, b, c0 = 1; | |||
| gf coefs[SYS_T * 2]; | |||
| // init | |||
| BC[0][1] = 0; | |||
| BC[0][0] = 1; | |||
| BC[0][0] <<= 63; | |||
| for (i = 1; i < GFBITS; i++) { | |||
| BC[i][0] = BC[i][1] = 0; | |||
| } | |||
| b = 1; | |||
| L = 0; | |||
| // | |||
| get_coefs(coefs, in); | |||
| for (i = 0; i < GFBITS; i++) { | |||
| in_tmp[i] = 0; | |||
| } | |||
| for (N = 0; N < SYS_T * 2; N++) { | |||
| // computing d | |||
| PQCLEAN_MCELIECE348864_SSE_vec_mul_asm(prod, in_tmp, &BC[0][1], 16); | |||
| PQCLEAN_MCELIECE348864_SSE_update_asm(in_tmp, coefs[N], 8); | |||
| d = PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm(prod); | |||
| t = PQCLEAN_MCELIECE348864_SSE_gf_mul2(c0, coefs[N], b); | |||
| d ^= t & 0xFFFFFFFF; | |||
| // 3 cases | |||
| mask = mask_nonzero(d) & mask_leq(L * 2, N); | |||
| for (i = 0; i < GFBITS; i++) { | |||
| db[i][0] = (d >> i) & 1; | |||
| db[i][0] = -db[i][0]; | |||
| db[i][1] = (b >> i) & 1; | |||
| db[i][1] = -db[i][1]; | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul((vec128 *) BC_tmp, (vec128 *) db, (vec128 *) BC); | |||
| vec_cmov(BC, mask); | |||
| PQCLEAN_MCELIECE348864_SSE_update_asm(BC, mask & c0, 16); | |||
| for (i = 0; i < GFBITS; i++) { | |||
| BC[i][1] = BC_tmp[i][0] ^ BC_tmp[i][1]; | |||
| } | |||
| c0 = t >> 32; | |||
| b = (d & mask) | (b & ~mask); | |||
| L = ((N + 1 - L) & mask) | (L & ~mask); | |||
| } | |||
| c0 = PQCLEAN_MCELIECE348864_SSE_gf_inv(c0); | |||
| for (i = 0; i < GFBITS; i++) { | |||
| out[i] = (c0 >> i) & 1; | |||
| out[i] = -out[i]; | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec_mul_asm(out, out, &BC[0][1], 16); | |||
| } | |||
+ 0
- 17
crypto_kem/mceliece/mceliece348864/sse/bm.h
查看文件
| @@ -1,17 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_BM_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_BM_H | |||
| /* | |||
| This file is for the inversion-free Berlekamp-Massey algorithm | |||
| see https://ieeexplore.ieee.org/document/87857 | |||
| */ | |||
| #include <stdint.h> | |||
| #include "params.h" | |||
| #include "vec128.h" | |||
| void PQCLEAN_MCELIECE348864_SSE_bm(uint64_t *out, vec128 *in); | |||
| #endif | |||
+ 0
- 32
crypto_kem/mceliece/mceliece348864/sse/consts.S
查看文件
| @@ -1,32 +0,0 @@ | |||
| .data | |||
| # not supported on macos | |||
| #.section .rodata | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK0_0 | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK0_1 | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK1_0 | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK1_1 | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK2_0 | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK2_1 | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK3_0 | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK3_1 | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK4_0 | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK4_1 | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK5_0 | |||
| .globl PQCLEAN_MCELIECE348864_SSE_MASK5_1 | |||
| .p2align 4 | |||
| PQCLEAN_MCELIECE348864_SSE_MASK0_0: .quad 0x5555555555555555, 0x5555555555555555 | |||
| PQCLEAN_MCELIECE348864_SSE_MASK0_1: .quad 0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA | |||
| PQCLEAN_MCELIECE348864_SSE_MASK1_0: .quad 0x3333333333333333, 0x3333333333333333 | |||
| PQCLEAN_MCELIECE348864_SSE_MASK1_1: .quad 0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC | |||
| PQCLEAN_MCELIECE348864_SSE_MASK2_0: .quad 0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F | |||
| PQCLEAN_MCELIECE348864_SSE_MASK2_1: .quad 0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0 | |||
| PQCLEAN_MCELIECE348864_SSE_MASK3_0: .quad 0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF | |||
| PQCLEAN_MCELIECE348864_SSE_MASK3_1: .quad 0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00 | |||
| PQCLEAN_MCELIECE348864_SSE_MASK4_0: .quad 0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF | |||
| PQCLEAN_MCELIECE348864_SSE_MASK4_1: .quad 0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000 | |||
| PQCLEAN_MCELIECE348864_SSE_MASK5_0: .quad 0x00000000FFFFFFFF, 0x00000000FFFFFFFF | |||
| PQCLEAN_MCELIECE348864_SSE_MASK5_1: .quad 0xFFFFFFFF00000000, 0xFFFFFFFF00000000 | |||
+ 0
- 448
crypto_kem/mceliece/mceliece348864/sse/consts.inc
查看文件
| @@ -1,448 +0,0 @@ | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00F0FF0F00F0FF0, 0xF00F0FF0F00F0FF0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0xF0F00F0F0F0FF0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF00FF00FF0, 0x0FF00FF00FF00FF0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA5555AAAA5555AA, 0xAA5555AAAA5555AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00F0FF0F00F0FF0, 0xF00F0FF0F00F0FF0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0x33CCCC33CC3333CC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC33CC3333CC33CC, 0xCC33CC3333CC33CC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CC33CC33CC33CC, 0x33CC33CC33CC33CC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5A5A5A5A5A5A5A5A, 0x5A5A5A5A5A5A5A5A), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00F0FF0F00F0FF0, 0xF00F0FF0F00F0FF0), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3C3C3C3C3C3C3C3C, 0x3C3C3C3C3C3C3C3C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555AAAA5555AAAA, 0xAAAA5555AAAA5555), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC3333CCCC3333CC, 0xCC3333CCCC3333CC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33CC33CC33CC33C, 0xC33CC33CC33CC33C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55555555AAAAAAAA, 0x55555555AAAAAAAA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33333333CCCCCCCC, 0x33333333CCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FFFF00FF00, 0xFF00FF0000FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFFFFFF0000, 0x0000FFFFFFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0xF0F00F0F0F0FF0F0), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA5555AA55AA, 0x55AA55AAAA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC33CC3333CC33CC, 0xCC33CC3333CC33CC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0xCC3333CC33CCCC33), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55555555AAAAAAAA, 0x55555555AAAAAAAA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF0000FF00FFFF00, 0xFF0000FF00FFFF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC33CC3C33CC33C, 0xC33CC33C3CC33CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555AAAA5555AAAA, 0xAAAA5555AAAA5555), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF00FF00FF0, 0xF00FF00FF00FF00F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC33333333CCCC, 0x3333CCCCCCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0xFF0000FFFF0000FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33CC33CC33CC33C, 0xC33CC33CC33CC33C), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA5555AA55AA, 0x55AA55AAAA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CC33CCCC33CC33, 0x33CC33CCCC33CC33), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC3333CC33CCCC33, 0x33CCCC33CC3333CC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55555555AAAAAAAA, 0x55555555AAAAAAAA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF00FF0000FF, 0x00FFFF00FF0000FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC33CC3C33CC33C, 0xC33CC33C3CC33CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555AAAA5555AAAA, 0xAAAA5555AAAA5555), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF00FF00FF0, 0xF00FF00FF00FF00F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCCCCCC3333, 0xCCCC33333333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0xFF0000FFFF0000FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33CC33CC33CC33C, 0xC33CC33CC33CC33C), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6699669999669966, 0x9966996666996699), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0x33CCCC33CC3333CC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA5A5A5A55A5A5A5A, 0xA5A5A5A55A5A5A5A), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3C3CC3C3C3C33C3C, 0x3C3CC3C3C3C33C3C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3C3CC3C3C3C33C3C, 0x3C3CC3C3C3C33C3C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0xCC3333CC33CCCC33), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6699669999669966, 0x9966996666996699), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0x33CCCC33CC3333CC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5A5A5A5AA5A5A5A5, 0x5A5A5A5AA5A5A5A5), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC3C33C3C3C3CC3C3, 0xC3C33C3C3C3CC3C3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC3C33C3C3C3CC3C3, 0xC3C33C3C3C3CC3C3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0xCC3333CC33CCCC33), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6699669999669966, 0x9966996666996699), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC3333CC33CCCC33, 0xCC3333CC33CCCC33), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5A5A5A5AA5A5A5A5, 0x5A5A5A5AA5A5A5A5), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3C3CC3C3C3C33C3C, 0x3C3CC3C3C3C33C3C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3C3CC3C3C3C33C3C, 0x3C3CC3C3C3C33C3C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0xCC3333CC33CCCC33), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6699669999669966, 0x9966996666996699), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC3333CC33CCCC33, 0xCC3333CC33CCCC33), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA5A5A5A55A5A5A5A, 0xA5A5A5A55A5A5A5A), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC3C33C3C3C3CC3C3, 0xC3C33C3C3C3CC3C3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC3C33C3C3C3CC3C3, 0xC3C33C3C3C3CC3C3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0xCC3333CC33CCCC33), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0x00FFFF0000FFFF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0x0F0FF0F0F0F00F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF0000FFFF0000FF, 0xFF0000FFFF0000FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0FF0F0F0F00F0F, 0xF0F00F0F0F0FF0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF0000FFFF0000FF, 0xFF0000FFFF0000FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0x0F0FF0F0F0F00F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0x00FFFF0000FFFF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0FF0F0F0F00F0F, 0xF0F00F0F0F0FF0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0x00FFFF0000FFFF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0x0F0FF0F0F0F00F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF0000FFFF0000FF, 0xFF0000FFFF0000FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0FF0F0F0F00F0F, 0xF0F00F0F0F0FF0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF0000FFFF0000FF, 0xFF0000FFFF0000FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0x0F0FF0F0F0F00F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0x00FFFF0000FFFF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0FF0F0F0F00F0F, 0xF0F00F0F0F0FF0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
+ 0
- 274
crypto_kem/mceliece/mceliece348864/sse/controlbits.c
查看文件
| @@ -1,274 +0,0 @@ | |||
| /* | |||
| This file is for functions required for generating the control bits of the Benes network w.r.t. a random permutation | |||
| see the Lev-Pippenger-Valiant paper https://www.computer.org/csdl/trans/tc/1981/02/06312171.pdf | |||
| */ | |||
| #include "controlbits.h" | |||
| #include "params.h" | |||
| #include <stdint.h> | |||
| typedef uint8_t bit; | |||
| #define N (1 << GFBITS) | |||
| static bit is_smaller(uint32_t a, uint32_t b) { | |||
| uint32_t ret = 0; | |||
| ret = a - b; | |||
| ret >>= 31; | |||
| return (bit)ret; | |||
| } | |||
| static bit is_smaller_63b(uint64_t a, uint64_t b) { | |||
| uint64_t ret = 0; | |||
| ret = a - b; | |||
| ret >>= 63; | |||
| return (bit)ret; | |||
| } | |||
| static void cswap(uint32_t *x, uint32_t *y, bit swap) { | |||
| uint32_t m; | |||
| uint32_t d; | |||
| m = swap; | |||
| m = 0 - m; | |||
| d = (*x ^ *y); | |||
| d &= m; | |||
| *x ^= d; | |||
| *y ^= d; | |||
| } | |||
| static void cswap_63b(uint64_t *x, uint64_t *y, bit swap) { | |||
| uint64_t m; | |||
| uint64_t d; | |||
| m = swap; | |||
| m = 0 - m; | |||
| d = (*x ^ *y); | |||
| d &= m; | |||
| *x ^= d; | |||
| *y ^= d; | |||
| } | |||
| /* output x = min(input x,input y) */ | |||
| /* output y = max(input x,input y) */ | |||
| static void minmax(uint32_t *x, uint32_t *y) { | |||
| bit m; | |||
| m = is_smaller(*y, *x); | |||
| cswap(x, y, m); | |||
| } | |||
| static void minmax_63b(uint64_t *x, uint64_t *y) { | |||
| bit m; | |||
| m = is_smaller_63b(*y, *x); | |||
| cswap_63b(x, y, m); | |||
| } | |||
| /* merge first half of x[0],x[step],...,x[(2*n-1)*step] with second half */ | |||
| /* requires n to be a power of 2 */ | |||
| static void merge(int n, uint32_t *x, int step) { | |||
| int i; | |||
| if (n == 1) { | |||
| minmax(&x[0], &x[step]); | |||
| } else { | |||
| merge(n / 2, x, step * 2); | |||
| merge(n / 2, x + step, step * 2); | |||
| for (i = 1; i < 2 * n - 1; i += 2) { | |||
| minmax(&x[i * step], &x[(i + 1) * step]); | |||
| } | |||
| } | |||
| } | |||
| static void merge_63b(int n, uint64_t *x, int step) { | |||
| int i; | |||
| if (n == 1) { | |||
| minmax_63b(&x[0], &x[step]); | |||
| } else { | |||
| merge_63b(n / 2, x, step * 2); | |||
| merge_63b(n / 2, x + step, step * 2); | |||
| for (i = 1; i < 2 * n - 1; i += 2) { | |||
| minmax_63b(&x[i * step], &x[(i + 1) * step]); | |||
| } | |||
| } | |||
| } | |||
| /* sort x[0],x[1],...,x[n-1] in place */ | |||
| /* requires n to be a power of 2 */ | |||
| static void sort(int n, uint32_t *x) { | |||
| if (n <= 1) { | |||
| return; | |||
| } | |||
| sort(n / 2, x); | |||
| sort(n / 2, x + n / 2); | |||
| merge(n / 2, x, 1); | |||
| } | |||
| void PQCLEAN_MCELIECE348864_SSE_sort_63b(int n, uint64_t *x) { | |||
| if (n <= 1) { | |||
| return; | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_sort_63b(n / 2, x); | |||
| PQCLEAN_MCELIECE348864_SSE_sort_63b(n / 2, x + n / 2); | |||
| merge_63b(n / 2, x, 1); | |||
| } | |||
| /* y[pi[i]] = x[i] */ | |||
| /* requires n = 2^w */ | |||
| /* requires pi to be a permutation */ | |||
| static void composeinv(int n, uint32_t *y, const uint32_t *x, const uint32_t *pi) { // NC | |||
| int i; | |||
| uint32_t t[2 * N]; | |||
| for (i = 0; i < n; ++i) { | |||
| t[i] = x[i] | (pi[i] << 16); | |||
| } | |||
| sort(n, t); | |||
| for (i = 0; i < n; ++i) { | |||
| y[i] = t[i] & 0xFFFF; | |||
| } | |||
| } | |||
| /* ip[i] = j iff pi[i] = j */ | |||
| /* requires n = 2^w */ | |||
| /* requires pi to be a permutation */ | |||
| static void invert(int n, uint32_t *ip, const uint32_t *pi) { | |||
| int i; | |||
| for (i = 0; i < n; i++) { | |||
| ip[i] = i; | |||
| } | |||
| composeinv(n, ip, ip, pi); | |||
| } | |||
| static void flow(int w, uint32_t *x, const uint32_t *y, int t) { | |||
| bit m0; | |||
| bit m1; | |||
| uint32_t b; | |||
| uint32_t y_copy = *y; | |||
| m0 = is_smaller(*y & ((1 << w) - 1), *x & ((1 << w) - 1)); | |||
| m1 = is_smaller(0, t); | |||
| cswap(x, &y_copy, m0); | |||
| b = m0 & m1; | |||
| *x ^= b << w; | |||
| } | |||
| /* input: permutation pi */ | |||
| /* output: (2w-1)n/2 (or 0 if n==1) control bits c[0],c[step],c[2*step],... */ | |||
| /* requires n = 2^w */ | |||
| static void controlbitsfrompermutation(int w, int n, int step, int off, unsigned char *c, const uint32_t *pi) { | |||
| int i; | |||
| int j; | |||
| int k; | |||
| int t; | |||
| uint32_t ip[N] = {0}; | |||
| uint32_t I[2 * N] = {0}; | |||
| uint32_t P[2 * N] = {0}; | |||
| uint32_t PI[2 * N] = {0}; | |||
| uint32_t T[2 * N] = {0}; | |||
| uint32_t piflip[N] = {0}; | |||
| uint32_t subpi[2][N / 2] = {{0}}; | |||
| if (w == 1) { | |||
| c[ off / 8 ] |= (pi[0] & 1) << (off % 8); | |||
| } | |||
| if (w <= 1) { | |||
| return; | |||
| } | |||
| invert(n, ip, pi); | |||
| for (i = 0; i < n; ++i) { | |||
| I[i] = ip[i] | (1 << w); | |||
| I[n + i] = pi[i]; | |||
| } | |||
| for (i = 0; i < 2 * n; ++i) { | |||
| P[i] = (i >> w) + (i & ((1 << w) - 2)) + ((i & 1) << w); | |||
| } | |||
| for (t = 0; t < w; ++t) { | |||
| composeinv(2 * n, PI, P, I); | |||
| for (i = 0; i < 2 * n; ++i) { | |||
| flow(w, &P[i], &PI[i], t); | |||
| } | |||
| for (i = 0; i < 2 * n; ++i) { | |||
| T[i] = I[i ^ 1]; | |||
| } | |||
| composeinv(2 * n, I, I, T); | |||
| for (i = 0; i < 2 * n; ++i) { | |||
| T[i] = P[i ^ 1]; | |||
| } | |||
| for (i = 0; i < 2 * n; ++i) { | |||
| flow(w, &P[i], &T[i], 1); | |||
| } | |||
| } | |||
| for (i = 0; i < n; ++i) { | |||
| for (j = 0; j < w; ++j) { | |||
| piflip[i] = pi[i]; | |||
| } | |||
| } | |||
| for (i = 0; i < n / 2; ++i) { | |||
| c[ (off + i * step) / 8 ] |= ((P[i * 2] >> w) & 1) << ((off + i * step) % 8); | |||
| } | |||
| for (i = 0; i < n / 2; ++i) { | |||
| c[ (off + ((w - 1)*n + i) * step) / 8 ] |= ((P[n + i * 2] >> w) & 1) << ((off + ((w - 1) * n + i) * step) % 8); | |||
| } | |||
| for (i = 0; i < n / 2; ++i) { | |||
| cswap(&piflip[i * 2], &piflip[i * 2 + 1], (P[n + i * 2] >> w) & 1); | |||
| } | |||
| for (k = 0; k < 2; ++k) { | |||
| for (i = 0; i < n / 2; ++i) { | |||
| subpi[k][i] = piflip[i * 2 + k] >> 1; | |||
| } | |||
| } | |||
| for (k = 0; k < 2; ++k) { | |||
| controlbitsfrompermutation(w - 1, n / 2, step * 2, off + step * (n / 2 + k), c, subpi[k]); | |||
| } | |||
| } | |||
| /* input: pi, a permutation*/ | |||
| /* output: out, control bits w.r.t. pi */ | |||
| void PQCLEAN_MCELIECE348864_SSE_controlbits(unsigned char *out, const uint32_t *pi) { | |||
| unsigned int i; | |||
| unsigned char c[ (2 * GFBITS - 1) * (1 << GFBITS) / 16 ]; | |||
| for (i = 0; i < sizeof(c); i++) { | |||
| c[i] = 0; | |||
| } | |||
| controlbitsfrompermutation(GFBITS, (1 << GFBITS), 1, 0, c, pi); | |||
| for (i = 0; i < sizeof(c); i++) { | |||
| out[i] = c[i]; | |||
| } | |||
| } | |||
+ 0
- 15
crypto_kem/mceliece/mceliece348864/sse/controlbits.h
查看文件
| @@ -1,15 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_CONTROLBITS_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_CONTROLBITS_H | |||
| /* | |||
| This file is for functions required for generating the control bits of the Benes network w.r.t. a random permutation | |||
| see the Lev-Pippenger-Valiant paper https://www.computer.org/csdl/trans/tc/1981/02/06312171.pdf | |||
| */ | |||
| #include <stdint.h> | |||
| void PQCLEAN_MCELIECE348864_SSE_sort_63b(int n, uint64_t *x); | |||
| void PQCLEAN_MCELIECE348864_SSE_controlbits(unsigned char *out, const uint32_t *pi); | |||
| #endif | |||
+ 0
- 7
crypto_kem/mceliece/mceliece348864/sse/crypto_hash.h
查看文件
| @@ -1,7 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_CRYPTO_HASH_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_CRYPTO_HASH_H | |||
| #include "fips202.h" | |||
| #define crypto_hash_32b(out,in,inlen) shake256(out, 32, in, inlen) | |||
| #endif | |||
+ 0
- 203
crypto_kem/mceliece/mceliece348864/sse/decrypt.c
查看文件
| @@ -1,203 +0,0 @@ | |||
| /* | |||
| This file is for Niederreiter decryption | |||
| */ | |||
| #include "decrypt.h" | |||
| #include "benes.h" | |||
| #include "bm.h" | |||
| #include "fft.h" | |||
| #include "fft_tr.h" | |||
| #include "params.h" | |||
| #include "util.h" | |||
| #include <stdio.h> | |||
| static void scaling(vec128 out[][GFBITS], vec128 inv[][GFBITS], const unsigned char *sk, vec128 *recv) { | |||
| int i, j; | |||
| uint64_t irr_int[ GFBITS ]; | |||
| vec128 eval[32][ GFBITS ]; | |||
| vec128 tmp[ GFBITS ]; | |||
| // | |||
| PQCLEAN_MCELIECE348864_SSE_irr_load(irr_int, sk); | |||
| PQCLEAN_MCELIECE348864_SSE_fft(eval, irr_int); | |||
| for (i = 0; i < 32; i++) { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(eval[i], eval[i]); | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_copy(inv[0], eval[0]); | |||
| for (i = 1; i < 32; i++) { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(inv[i], inv[i - 1], eval[i]); | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_inv(tmp, inv[31]); | |||
| for (i = 30; i >= 0; i--) { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(inv[i + 1], tmp, inv[i]); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp, tmp, eval[i + 1]); | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_copy(inv[0], tmp); | |||
| // | |||
| for (i = 0; i < 32; i++) { | |||
| for (j = 0; j < GFBITS; j++) { | |||
| out[i][j] = PQCLEAN_MCELIECE348864_SSE_vec128_and(inv[i][j], recv[i]); | |||
| } | |||
| } | |||
| } | |||
| static void preprocess(vec128 *recv, const unsigned char *s) { | |||
| int i; | |||
| uint8_t r[ 512 ]; | |||
| for (i = 0; i < SYND_BYTES; i++) { | |||
| r[i] = s[i]; | |||
| } | |||
| for (i = SYND_BYTES; i < 512; i++) { | |||
| r[i] = 0; | |||
| } | |||
| for (i = 0; i < 32; i++) { | |||
| recv[i] = PQCLEAN_MCELIECE348864_SSE_load16(r + i * 16); | |||
| } | |||
| } | |||
| static void postprocess(unsigned char *e, vec128 *err) { | |||
| int i; | |||
| unsigned char error8[ (1 << GFBITS) / 8 ]; | |||
| uint64_t v[2]; | |||
| for (i = 0; i < 32; i++) { | |||
| v[0] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(err[i], 0); | |||
| v[1] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(err[i], 1); | |||
| PQCLEAN_MCELIECE348864_SSE_store8(error8 + i * 16 + 0, v[0]); | |||
| PQCLEAN_MCELIECE348864_SSE_store8(error8 + i * 16 + 8, v[1]); | |||
| } | |||
| for (i = 0; i < SYS_N / 8; i++) { | |||
| e[i] = error8[i]; | |||
| } | |||
| } | |||
| static void scaling_inv(vec128 out[][GFBITS], vec128 inv[][GFBITS], vec128 *recv) { | |||
| int i, j; | |||
| for (i = 0; i < 32; i++) { | |||
| for (j = 0; j < GFBITS; j++) { | |||
| out[i][j] = PQCLEAN_MCELIECE348864_SSE_vec128_and(inv[i][j], recv[i]); | |||
| } | |||
| } | |||
| } | |||
| static uint16_t weight_check(unsigned char *e, vec128 *error) { | |||
| int i; | |||
| uint16_t w0 = 0; | |||
| uint16_t w1 = 0; | |||
| uint16_t check; | |||
| for (i = 0; i < 32; i++) { | |||
| w0 += _mm_popcnt_u64( PQCLEAN_MCELIECE348864_SSE_vec128_extract(error[i], 0) ); | |||
| w0 += _mm_popcnt_u64( PQCLEAN_MCELIECE348864_SSE_vec128_extract(error[i], 1) ); | |||
| } | |||
| for (i = 0; i < SYS_N / 8; i++) { | |||
| w1 += _mm_popcnt_u32( e[i] ); | |||
| } | |||
| check = (w0 ^ SYS_T) | (w1 ^ SYS_T); | |||
| check -= 1; | |||
| check >>= 15; | |||
| return check; | |||
| } | |||
| static uint64_t synd_cmp(vec128 s0[ GFBITS ], vec128 s1[ GFBITS ]) { | |||
| int i; | |||
| vec128 diff; | |||
| diff = PQCLEAN_MCELIECE348864_SSE_vec128_xor(s0[0], s1[0]); | |||
| for (i = 1; i < GFBITS; i++) { | |||
| diff = PQCLEAN_MCELIECE348864_SSE_vec128_or(diff, PQCLEAN_MCELIECE348864_SSE_vec128_xor(s0[i], s1[i])); | |||
| } | |||
| return PQCLEAN_MCELIECE348864_SSE_vec128_testz(diff); | |||
| } | |||
| /* Niederreiter decryption with the Berlekamp decoder */ | |||
| /* intput: sk, secret key */ | |||
| /* c, ciphertext (syndrome) */ | |||
| /* output: e, error vector */ | |||
| /* return: 0 for success; 1 for failure */ | |||
| int PQCLEAN_MCELIECE348864_SSE_decrypt(unsigned char *e, const unsigned char *sk, const unsigned char *c) { | |||
| int i; | |||
| uint16_t check_synd; | |||
| uint16_t check_weight; | |||
| vec128 inv[ 32 ][ GFBITS ]; | |||
| vec128 scaled[ 32 ][ GFBITS ]; | |||
| vec128 eval[ 32 ][ GFBITS ]; | |||
| vec128 error[ 32 ]; | |||
| vec128 s_priv[ GFBITS ]; | |||
| vec128 s_priv_cmp[ GFBITS ]; | |||
| uint64_t locator[ GFBITS ]; | |||
| vec128 recv[ 32 ]; | |||
| vec128 allone; | |||
| uint64_t bits_int[23][32]; | |||
| // Berlekamp decoder | |||
| preprocess(recv, c); | |||
| PQCLEAN_MCELIECE348864_SSE_load_bits(bits_int, sk + IRR_BYTES); | |||
| PQCLEAN_MCELIECE348864_SSE_benes((uint64_t *) recv, bits_int, 1); | |||
| scaling(scaled, inv, sk, recv); | |||
| PQCLEAN_MCELIECE348864_SSE_fft_tr(s_priv, scaled); | |||
| PQCLEAN_MCELIECE348864_SSE_bm(locator, s_priv); | |||
| PQCLEAN_MCELIECE348864_SSE_fft(eval, locator); | |||
| // reencryption and weight check | |||
| allone = PQCLEAN_MCELIECE348864_SSE_vec128_setbits(1); | |||
| for (i = 0; i < 32; i++) { | |||
| error[i] = PQCLEAN_MCELIECE348864_SSE_vec128_or_reduce(eval[i]); | |||
| error[i] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(error[i], allone); | |||
| } | |||
| scaling_inv(scaled, inv, error); | |||
| PQCLEAN_MCELIECE348864_SSE_fft_tr(s_priv_cmp, scaled); | |||
| check_synd = synd_cmp(s_priv, s_priv_cmp); | |||
| // | |||
| PQCLEAN_MCELIECE348864_SSE_benes((uint64_t *) error, bits_int, 0); | |||
| postprocess(e, error); | |||
| check_weight = weight_check(e, error); | |||
| return 1 - (check_synd & check_weight); | |||
| } | |||
+ 0
- 10
crypto_kem/mceliece/mceliece348864/sse/decrypt.h
查看文件
| @@ -1,10 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_DECRYPT_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_DECRYPT_H | |||
| /* | |||
| This file is for Nieddereiter decryption | |||
| */ | |||
| int PQCLEAN_MCELIECE348864_SSE_decrypt(unsigned char * /*e*/, const unsigned char * /*sk*/, const unsigned char * /*c*/); | |||
| #endif | |||
+ 0
- 99
crypto_kem/mceliece/mceliece348864/sse/encrypt.c
查看文件
| @@ -1,99 +0,0 @@ | |||
| /* | |||
| This file is for Niederreiter encryption | |||
| */ | |||
| #include "encrypt.h" | |||
| #include "gf.h" | |||
| #include "params.h" | |||
| #include "randombytes.h" | |||
| #include "util.h" | |||
| #include <stddef.h> | |||
| #include <stdint.h> | |||
| #include <stdio.h> | |||
| #include <string.h> | |||
| /* input: public key pk, error vector e */ | |||
| /* output: syndrome s */ | |||
| extern void PQCLEAN_MCELIECE348864_SSE_syndrome_asm(unsigned char *s, const unsigned char *pk, unsigned char *e); | |||
| /* output: e, an error vector of weight t */ | |||
| static void gen_e(unsigned char *e) { | |||
| size_t i, j; | |||
| int eq, count; | |||
| uint16_t ind_[ SYS_T * 2 ]; | |||
| uint16_t ind[ SYS_T * 2 ]; | |||
| uint64_t e_int[ (SYS_N + 63) / 64 ]; | |||
| uint64_t one = 1; | |||
| uint64_t mask; | |||
| uint64_t val[ SYS_T ]; | |||
| while (1) { | |||
| randombytes((uint8_t *)ind_, sizeof(ind_)); | |||
| for (i = 0; i < SYS_T * 2; i++) { | |||
| ind_[i] &= GFMASK; | |||
| } | |||
| count = 0; | |||
| for (i = 0; i < SYS_T * 2; i++) { | |||
| if (ind_[i] < SYS_N) { | |||
| ind[ count++ ] = ind_[i]; | |||
| } | |||
| } | |||
| if (count < SYS_T) { | |||
| continue; | |||
| } | |||
| // check for repetition | |||
| eq = 0; | |||
| for (i = 1; i < SYS_T; i++) { | |||
| for (j = 0; j < i; j++) { | |||
| if (ind[i] == ind[j]) { | |||
| eq = 1; | |||
| } | |||
| } | |||
| } | |||
| if (eq == 0) { | |||
| break; | |||
| } | |||
| } | |||
| for (j = 0; j < SYS_T; j++) { | |||
| val[j] = one << (ind[j] & 63); | |||
| } | |||
| for (i = 0; i < (SYS_N + 63) / 64; i++) { | |||
| e_int[i] = 0; | |||
| for (j = 0; j < SYS_T; j++) { | |||
| mask = i ^ (ind[j] >> 6); | |||
| mask -= 1; | |||
| mask >>= 63; | |||
| mask = -mask; | |||
| e_int[i] |= val[j] & mask; | |||
| } | |||
| } | |||
| for (i = 0; i < (SYS_N + 63) / 64 - 1; i++) { | |||
| PQCLEAN_MCELIECE348864_SSE_store8(e, e_int[i]); | |||
| e += 8; | |||
| } | |||
| for (j = 0; j < (SYS_N % 64); j += 8) { | |||
| e[ j / 8 ] = (e_int[i] >> j) & 0xFF; | |||
| } | |||
| } | |||
| void PQCLEAN_MCELIECE348864_SSE_encrypt(unsigned char *s, unsigned char *e, const unsigned char *pk) { | |||
| gen_e(e); | |||
| PQCLEAN_MCELIECE348864_SSE_syndrome_asm(s, pk, e); | |||
| } | |||
+ 0
- 11
crypto_kem/mceliece/mceliece348864/sse/encrypt.h
查看文件
| @@ -1,11 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_ENCRYPT_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_ENCRYPT_H | |||
| /* | |||
| This file is for Niederreiter encryption | |||
| */ | |||
| void PQCLEAN_MCELIECE348864_SSE_encrypt(unsigned char * /*s*/, unsigned char * /*e*/, const unsigned char * /*pk*/); | |||
| #endif | |||
+ 0
- 155
crypto_kem/mceliece/mceliece348864/sse/fft.c
查看文件
| @@ -1,155 +0,0 @@ | |||
| /* | |||
| This file is for the Gao-Mateer FFT | |||
| sse http://www.math.clemson.edu/~sgao/papers/GM10.pdf | |||
| */ | |||
| #include "fft.h" | |||
| #include "vec.h" | |||
| #include "vec128.h" | |||
| /* input: in, polynomial in bitsliced form */ | |||
| /* output: in, result of applying the radix conversions on in */ | |||
| static void radix_conversions(uint64_t *in) { | |||
| int i, j, k; | |||
| const uint64_t mask[5][2] = { | |||
| {0x8888888888888888, 0x4444444444444444}, | |||
| {0xC0C0C0C0C0C0C0C0, 0x3030303030303030}, | |||
| {0xF000F000F000F000, 0x0F000F000F000F00}, | |||
| {0xFF000000FF000000, 0x00FF000000FF0000}, | |||
| {0xFFFF000000000000, 0x0000FFFF00000000} | |||
| }; | |||
| const uint64_t s[5][GFBITS] = { | |||
| #include "scalars.inc" | |||
| }; | |||
| // | |||
| for (j = 0; j <= 4; j++) { | |||
| for (i = 0; i < GFBITS; i++) { | |||
| for (k = 4; k >= j; k--) { | |||
| in[i] ^= (in[i] & mask[k][0]) >> (1 << k); | |||
| in[i] ^= (in[i] & mask[k][1]) >> (1 << k); | |||
| } | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec_mul(in, in, s[j]); // scaling | |||
| } | |||
| } | |||
| /* input: in, result of applying the radix conversions to the input polynomial */ | |||
| /* output: out, evaluation results (by applying the FFT butterflies) */ | |||
| static void butterflies(vec128 out[][ GFBITS ], const uint64_t *in) { | |||
| int i, j, k, s, b; | |||
| uint64_t t0, t1; | |||
| const vec128 consts[ 32 ][ GFBITS ] = { | |||
| #include "consts.inc" | |||
| }; | |||
| uint64_t consts_ptr = 0; | |||
| const uint8_t reversal[64] = { | |||
| 0, 32, 16, 48, 8, 40, 24, 56, | |||
| 4, 36, 20, 52, 12, 44, 28, 60, | |||
| 2, 34, 18, 50, 10, 42, 26, 58, | |||
| 6, 38, 22, 54, 14, 46, 30, 62, | |||
| 1, 33, 17, 49, 9, 41, 25, 57, | |||
| 5, 37, 21, 53, 13, 45, 29, 61, | |||
| 3, 35, 19, 51, 11, 43, 27, 59, | |||
| 7, 39, 23, 55, 15, 47, 31, 63 | |||
| }; | |||
| // boradcast | |||
| vec128 tmp[ GFBITS ]; | |||
| vec128 x[ GFBITS ], y[ GFBITS ]; | |||
| for (j = 0; j < 64; j += 4) { | |||
| for (i = 0; i < GFBITS; i++) { | |||
| t0 = (in[i] >> reversal[j + 0]) & 1; | |||
| t0 = -t0; | |||
| t1 = (in[i] >> reversal[j + 2]) & 1; | |||
| t1 = -t1; | |||
| out[j / 2 + 0][i] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(t0, t1); | |||
| t0 = (in[i] >> reversal[j + 1]) & 1; | |||
| t0 = -t0; | |||
| t1 = (in[i] >> reversal[j + 3]) & 1; | |||
| t1 = -t1; | |||
| out[j / 2 + 1][i] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(t0, t1); | |||
| } | |||
| } | |||
| // | |||
| for (i = 0; i < 32; i += 2) { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp, out[i + 1], consts[ 0 ]); | |||
| for (b = 0; b < GFBITS; b++) { | |||
| out[i + 0][b] ^= tmp[b]; | |||
| } | |||
| for (b = 0; b < GFBITS; b++) { | |||
| out[i + 1][b] ^= out[i + 0][b]; | |||
| } | |||
| for (b = 0; b < GFBITS; b++) { | |||
| x[b] = PQCLEAN_MCELIECE348864_SSE_vec128_unpack_low(out[i + 0][b], out[i + 1][b]); | |||
| } | |||
| for (b = 0; b < GFBITS; b++) { | |||
| y[b] = PQCLEAN_MCELIECE348864_SSE_vec128_unpack_high(out[i + 0][b], out[i + 1][b]); | |||
| } | |||
| for (b = 0; b < GFBITS; b++) { | |||
| out[i + 0][b] = x[b]; | |||
| } | |||
| for (b = 0; b < GFBITS; b++) { | |||
| out[i + 1][b] = y[b]; | |||
| } | |||
| } | |||
| consts_ptr += 1; | |||
| for (i = 0; i <= 4; i++) { | |||
| s = 1 << i; | |||
| for (j = 0; j < 32; j += 2 * s) { | |||
| for (k = j; k < j + s; k++) { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp, out[k + s], consts[ consts_ptr + (k - j) ]); | |||
| for (b = 0; b < GFBITS; b++) { | |||
| out[k][b] ^= tmp[b]; | |||
| } | |||
| for (b = 0; b < GFBITS; b++) { | |||
| out[k + s][b] ^= out[k][b]; | |||
| } | |||
| } | |||
| } | |||
| consts_ptr += s; | |||
| } | |||
| // adding the part contributed by x^64 | |||
| vec128 powers[32][GFBITS] = { | |||
| #include "powers.inc" | |||
| }; | |||
| for (i = 0; i < 32; i++) { | |||
| for (b = 0; b < GFBITS; b++) { | |||
| out[i][b] ^= powers[i][b]; | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_MCELIECE348864_SSE_fft(vec128 out[][ GFBITS ], uint64_t *in) { | |||
| radix_conversions(in); | |||
| butterflies(out, in); | |||
| } | |||
+ 0
- 17
crypto_kem/mceliece/mceliece348864/sse/fft.h
查看文件
| @@ -1,17 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_FFT_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_FFT_H | |||
| /* | |||
| This file is for the Gao-Mateer FFT | |||
| sse http://www.math.clemson.edu/~sgao/papers/GM10.pdf | |||
| */ | |||
| #include <stdint.h> | |||
| #include "params.h" | |||
| #include "vec128.h" | |||
| void PQCLEAN_MCELIECE348864_SSE_fft(vec128 /*out*/[][GFBITS], uint64_t * /*in*/); | |||
| #endif | |||
+ 0
- 312
crypto_kem/mceliece/mceliece348864/sse/fft_tr.c
查看文件
| @@ -1,312 +0,0 @@ | |||
| /* | |||
| This file is for transpose of the Gao-Mateer FFT | |||
| Functions with names ending with _tr are (roughly) the transpose of the corresponding functions in fft.c | |||
| */ | |||
| #include "fft_tr.h" | |||
| #include "transpose.h" | |||
| #include "vec.h" | |||
| #include "vec128.h" | |||
| #include <stdint.h> | |||
| static void radix_conversions_tr(vec128 in[ GFBITS ]) { | |||
| int i, j, k; | |||
| const vec128 mask[10] = { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x2222222222222222, 0x2222222222222222), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x4444444444444444, 0x4444444444444444), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0C0C0C0C0C0C0C0C, 0x0C0C0C0C0C0C0C0C), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3030303030303030, 0x3030303030303030), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00F000F000F000F0, 0x00F000F000F000F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F000F000F000F00, 0x0F000F000F000F00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FF000000FF00, 0x0000FF000000FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF000000FF0000, 0x00FF000000FF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000000FFFF0000, 0x00000000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF00000000, 0x0000FFFF00000000) | |||
| }; | |||
| const vec128 s[5][GFBITS] = { | |||
| #include "scalars_2x.inc" | |||
| }; | |||
| uint64_t v0, v1; | |||
| // | |||
| for (j = 5; j >= 0; j--) { | |||
| if (j < 5) { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(in, in, s[j]); | |||
| } | |||
| for (i = 0; i < GFBITS; i++) { | |||
| for (k = j; k <= 4; k++) { | |||
| in[i] ^= PQCLEAN_MCELIECE348864_SSE_vec128_sll_2x(in[i] & mask[2 * k + 0], 1 << k); | |||
| in[i] ^= PQCLEAN_MCELIECE348864_SSE_vec128_sll_2x(in[i] & mask[2 * k + 1], 1 << k); | |||
| } | |||
| } | |||
| for (i = 0; i < GFBITS; i++) { | |||
| v0 = PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[i], 0); | |||
| v1 = PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[i], 1); | |||
| v1 ^= v0 >> 32; | |||
| v1 ^= v1 << 32; | |||
| in[i] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(v0, v1); | |||
| } | |||
| } | |||
| } | |||
| static void butterflies_tr(vec128 out[ GFBITS ], vec128 in[][ GFBITS ]) { | |||
| int i, j, k, s, b; | |||
| uint64_t t[ GFBITS ]; | |||
| uint64_t pre[6][ GFBITS ]; | |||
| uint64_t out64[2][GFBITS]; | |||
| vec128 p2[ 6 ]; | |||
| vec128 buf[64]; | |||
| vec128 tt[ GFBITS ]; | |||
| vec128 x[ GFBITS ], y[ GFBITS ]; | |||
| const vec128 consts[ 32 ][ GFBITS ] = { | |||
| #include "consts.inc" | |||
| }; | |||
| uint64_t consts_ptr = 32; | |||
| const uint8_t reversal[64] = { | |||
| 0, 32, 16, 48, 8, 40, 24, 56, | |||
| 4, 36, 20, 52, 12, 44, 28, 60, | |||
| 2, 34, 18, 50, 10, 42, 26, 58, | |||
| 6, 38, 22, 54, 14, 46, 30, 62, | |||
| 1, 33, 17, 49, 9, 41, 25, 57, | |||
| 5, 37, 21, 53, 13, 45, 29, 61, | |||
| 3, 35, 19, 51, 11, 43, 27, 59, | |||
| 7, 39, 23, 55, 15, 47, 31, 63 | |||
| }; | |||
| const uint16_t beta[6] = {8, 1300, 3408, 1354, 2341, 1154}; | |||
| // butterflies | |||
| for (i = 4; i >= 0; i--) { | |||
| s = 1 << i; | |||
| consts_ptr -= s; | |||
| for (j = 0; j < 32; j += 2 * s) { | |||
| for (k = j; k < j + s; k++) { | |||
| for (b = 0; b < GFBITS; b++) { | |||
| in[k][b] ^= in[k + s][b]; | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(tt, in[k], consts[ consts_ptr + (k - j) ]); | |||
| for (b = 0; b < GFBITS; b++) { | |||
| in[k + s][b] ^= tt[b]; | |||
| } | |||
| } | |||
| } | |||
| } | |||
| for (i = 0; i < 32; i += 2) { | |||
| for (b = 0; b < GFBITS; b++) { | |||
| x[b] = PQCLEAN_MCELIECE348864_SSE_vec128_unpack_low(in[i + 0][b], in[i + 1][b]); | |||
| } | |||
| for (b = 0; b < GFBITS; b++) { | |||
| y[b] = PQCLEAN_MCELIECE348864_SSE_vec128_unpack_high(in[i + 0][b], in[i + 1][b]); | |||
| } | |||
| for (b = 0; b < GFBITS; b++) { | |||
| in[i + 0][b] = x[b] ^ y[b]; | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(tt, in[i + 0], consts[ 0 ]); | |||
| for (b = 0; b < GFBITS; b++) { | |||
| in[i + 1][b] = y[b] ^ tt[b]; | |||
| } | |||
| } | |||
| // transpose | |||
| for (i = 0; i < GFBITS; i += 2) { | |||
| for (j = 0; j < 64; j += 4) { | |||
| buf[ reversal[j + 0] ] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 0][i + 0], 0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 0][i + 1], 0)); | |||
| buf[ reversal[j + 1] ] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 1][i + 0], 0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 1][i + 1], 0)); | |||
| buf[ reversal[j + 2] ] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 0][i + 0], 1), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 0][i + 1], 1)); | |||
| buf[ reversal[j + 3] ] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 1][i + 0], 1), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 1][i + 1], 1)); | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_transpose_64x128_sp(buf); | |||
| p2[0] = buf[32]; | |||
| buf[33] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[33], buf[32]); | |||
| p2[1] = buf[33]; | |||
| buf[35] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[35], buf[33]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[35]); | |||
| buf[34] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[34], buf[35]); | |||
| p2[2] = buf[34]; | |||
| buf[38] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[38], buf[34]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[38]); | |||
| buf[39] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[39], buf[38]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[39]); | |||
| buf[37] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[37], buf[39]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[37]); | |||
| buf[36] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[36], buf[37]); | |||
| p2[3] = buf[36]; | |||
| buf[44] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[44], buf[36]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[44]); | |||
| buf[45] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[45], buf[44]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[45]); | |||
| buf[47] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[47], buf[45]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[47]); | |||
| buf[46] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[46], buf[47]); | |||
| p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[46]); | |||
| buf[42] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[42], buf[46]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[42]); | |||
| buf[43] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[43], buf[42]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[43]); | |||
| buf[41] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[41], buf[43]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[41]); | |||
| buf[40] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[40], buf[41]); | |||
| p2[4] = buf[40]; | |||
| buf[56] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[56], buf[40]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[56]); | |||
| buf[57] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[57], buf[56]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[57]); | |||
| buf[59] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[59], buf[57]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[59]); | |||
| buf[58] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[58], buf[59]); | |||
| p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[58]); | |||
| buf[62] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[62], buf[58]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[62]); | |||
| buf[63] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[63], buf[62]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[63]); | |||
| buf[61] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[61], buf[63]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[61]); | |||
| buf[60] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[60], buf[61]); | |||
| p2[3] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[3], buf[60]); | |||
| buf[52] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[52], buf[60]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[52]); | |||
| buf[53] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[53], buf[52]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[53]); | |||
| buf[55] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[55], buf[53]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[55]); | |||
| buf[54] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[54], buf[55]); | |||
| p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[54]); | |||
| buf[50] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[50], buf[54]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[50]); | |||
| buf[51] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[51], buf[50]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[51]); | |||
| buf[49] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[49], buf[51]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[49]); | |||
| buf[48] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[48], buf[49]); | |||
| p2[5] = buf[48]; | |||
| buf[16] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[16], buf[48]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[16]); | |||
| buf[17] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[17], buf[16]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[17]); | |||
| buf[19] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[19], buf[17]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[19]); | |||
| buf[18] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[18], buf[19]); | |||
| p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[18]); | |||
| buf[22] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[22], buf[18]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[22]); | |||
| buf[23] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[23], buf[22]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[23]); | |||
| buf[21] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[21], buf[23]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[21]); | |||
| buf[20] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[20], buf[21]); | |||
| p2[3] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[3], buf[20]); | |||
| buf[28] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[28], buf[20]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[28]); | |||
| buf[29] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[29], buf[28]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[29]); | |||
| buf[31] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[31], buf[29]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[31]); | |||
| buf[30] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[30], buf[31]); | |||
| p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[30]); | |||
| buf[26] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[26], buf[30]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[26]); | |||
| buf[27] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[27], buf[26]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[27]); | |||
| buf[25] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[25], buf[27]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[25]); | |||
| buf[24] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[24], buf[25]); | |||
| p2[4] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[4], buf[24]); | |||
| buf[8] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[8], buf[24]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[8]); | |||
| buf[9] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[9], buf[8]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[9]); | |||
| buf[11] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[11], buf[9]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[11]); | |||
| buf[10] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[10], buf[11]); | |||
| p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[10]); | |||
| buf[14] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[14], buf[10]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[14]); | |||
| buf[15] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[15], buf[14]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[15]); | |||
| buf[13] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[13], buf[15]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[13]); | |||
| buf[12] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[12], buf[13]); | |||
| p2[3] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[3], buf[12]); | |||
| buf[4] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[4], buf[12]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[4]); | |||
| buf[5] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[5], buf[4]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[5]); | |||
| buf[7] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[7], buf[5]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[7]); | |||
| buf[6] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[6], buf[7]); | |||
| p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[6]); | |||
| buf[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[2], buf[6]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[2]); | |||
| buf[3] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[3], buf[2]); | |||
| p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[3]); | |||
| buf[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[1], buf[3]); | |||
| p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[1]); | |||
| buf[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[0], buf[1]); | |||
| for (j = 0; j < 6; j++) { | |||
| pre[j][i + 0] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(p2[j], 0); | |||
| pre[j][i + 1] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(p2[j], 1); | |||
| } | |||
| out64[0][i + 0] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(buf[0], 0); | |||
| out64[0][i + 1] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(buf[0], 1); | |||
| } | |||
| // | |||
| for (j = 0; j < GFBITS; j++) { | |||
| t[j] = (beta[0] >> j) & 1; | |||
| t[j] = -t[j]; | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec_mul(out64[1], pre[0], t); | |||
| for (i = 1; i < 6; i++) { | |||
| for (j = 0; j < GFBITS; j++) { | |||
| t[j] = (beta[i] >> j) & 1; | |||
| t[j] = -t[j]; | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec_mul(t, pre[i], t); | |||
| PQCLEAN_MCELIECE348864_SSE_vec_add(out64[1], out64[1], t); | |||
| } | |||
| for (b = 0; b < GFBITS; b++) { | |||
| out[b] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(out64[0][b], out64[1][b]); | |||
| } | |||
| } | |||
| void PQCLEAN_MCELIECE348864_SSE_fft_tr(vec128 out[GFBITS], vec128 in[][ GFBITS ]) { | |||
| butterflies_tr(out, in); | |||
| radix_conversions_tr(out); | |||
| } | |||
+ 0
- 13
crypto_kem/mceliece/mceliece348864/sse/fft_tr.h
查看文件
| @@ -1,13 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_FFT_TR_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_FFT_TR_H | |||
| /* | |||
| This file is for transpose of the Gao-Mateer FFT | |||
| */ | |||
| #include "params.h" | |||
| #include "vec128.h" | |||
| void PQCLEAN_MCELIECE348864_SSE_fft_tr(vec128 /*out*/[GFBITS], vec128 /*in*/[][ GFBITS ]); | |||
| #endif | |||
+ 0
- 169
crypto_kem/mceliece/mceliece348864/sse/gf.c
查看文件
| @@ -1,169 +0,0 @@ | |||
| /* | |||
| This file is for functions for field arithmetic | |||
| */ | |||
| #include "gf.h" | |||
| #include "params.h" | |||
| gf PQCLEAN_MCELIECE348864_SSE_gf_iszero(gf a) { | |||
| uint32_t t = a; | |||
| t -= 1; | |||
| t >>= 20; | |||
| return (gf) t; | |||
| } | |||
| gf PQCLEAN_MCELIECE348864_SSE_gf_add(gf in0, gf in1) { | |||
| return in0 ^ in1; | |||
| } | |||
| gf PQCLEAN_MCELIECE348864_SSE_gf_mul(gf in0, gf in1) { | |||
| int i; | |||
| uint32_t tmp; | |||
| uint32_t t0; | |||
| uint32_t t1; | |||
| uint32_t t; | |||
| t0 = in0; | |||
| t1 = in1; | |||
| tmp = t0 * (t1 & 1); | |||
| for (i = 1; i < GFBITS; i++) { | |||
| tmp ^= (t0 * (t1 & (1 << i))); | |||
| } | |||
| t = tmp & 0x7FC000; | |||
| tmp ^= t >> 9; | |||
| tmp ^= t >> 12; | |||
| t = tmp & 0x3000; | |||
| tmp ^= t >> 9; | |||
| tmp ^= t >> 12; | |||
| return tmp & ((1 << GFBITS) - 1); | |||
| } | |||
| /* input: field element in */ | |||
| /* return: in^2 */ | |||
| static inline gf gf_sq(gf in) { | |||
| const uint32_t B[] = {0x55555555, 0x33333333, 0x0F0F0F0F, 0x00FF00FF}; | |||
| uint32_t x = in; | |||
| uint32_t t; | |||
| x = (x | (x << 8)) & B[3]; | |||
| x = (x | (x << 4)) & B[2]; | |||
| x = (x | (x << 2)) & B[1]; | |||
| x = (x | (x << 1)) & B[0]; | |||
| t = x & 0x7FC000; | |||
| x ^= t >> 9; | |||
| x ^= t >> 12; | |||
| t = x & 0x3000; | |||
| x ^= t >> 9; | |||
| x ^= t >> 12; | |||
| return x & ((1 << GFBITS) - 1); | |||
| } | |||
| gf PQCLEAN_MCELIECE348864_SSE_gf_inv(gf in) { | |||
| gf tmp_11; | |||
| gf tmp_1111; | |||
| gf out = in; | |||
| out = gf_sq(out); | |||
| tmp_11 = PQCLEAN_MCELIECE348864_SSE_gf_mul(out, in); // 11 | |||
| out = gf_sq(tmp_11); | |||
| out = gf_sq(out); | |||
| tmp_1111 = PQCLEAN_MCELIECE348864_SSE_gf_mul(out, tmp_11); // 1111 | |||
| out = gf_sq(tmp_1111); | |||
| out = gf_sq(out); | |||
| out = gf_sq(out); | |||
| out = gf_sq(out); | |||
| out = PQCLEAN_MCELIECE348864_SSE_gf_mul(out, tmp_1111); // 11111111 | |||
| out = gf_sq(out); | |||
| out = gf_sq(out); | |||
| out = PQCLEAN_MCELIECE348864_SSE_gf_mul(out, tmp_11); // 1111111111 | |||
| out = gf_sq(out); | |||
| out = PQCLEAN_MCELIECE348864_SSE_gf_mul(out, in); // 11111111111 | |||
| return gf_sq(out); // 111111111110 | |||
| } | |||
| /* input: field element den, num */ | |||
| /* return: (num/den) */ | |||
| gf PQCLEAN_MCELIECE348864_SSE_gf_frac(gf den, gf num) { | |||
| return PQCLEAN_MCELIECE348864_SSE_gf_mul(PQCLEAN_MCELIECE348864_SSE_gf_inv(den), num); | |||
| } | |||
| /* input: in0, in1 in GF((2^m)^t)*/ | |||
| /* output: out = in0*in1 */ | |||
| void PQCLEAN_MCELIECE348864_SSE_GF_mul(gf *out, const gf *in0, const gf *in1) { | |||
| int i, j; | |||
| gf prod[ SYS_T * 2 - 1 ]; | |||
| for (i = 0; i < SYS_T * 2 - 1; i++) { | |||
| prod[i] = 0; | |||
| } | |||
| for (i = 0; i < SYS_T; i++) { | |||
| for (j = 0; j < SYS_T; j++) { | |||
| prod[i + j] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(in0[i], in1[j]); | |||
| } | |||
| } | |||
| // | |||
| for (i = (SYS_T - 1) * 2; i >= SYS_T; i--) { | |||
| prod[i - SYS_T + 9] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(prod[i], (gf) 877); | |||
| prod[i - SYS_T + 7] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(prod[i], (gf) 2888); | |||
| prod[i - SYS_T + 5] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(prod[i], (gf) 1781); | |||
| prod[i - SYS_T + 0] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(prod[i], (gf) 373); | |||
| } | |||
| for (i = 0; i < SYS_T; i++) { | |||
| out[i] = prod[i]; | |||
| } | |||
| } | |||
| /* 2 field multiplications */ | |||
| uint64_t PQCLEAN_MCELIECE348864_SSE_gf_mul2(gf a, gf b0, gf b1) { | |||
| int i; | |||
| uint64_t tmp = 0; | |||
| uint64_t t0; | |||
| uint64_t t1; | |||
| uint64_t t; | |||
| uint64_t mask = 0x0000000100000001; | |||
| t0 = a; | |||
| t1 = b1; | |||
| t1 = (t1 << 32) | b0; | |||
| for (i = 0; i < GFBITS; i++) { | |||
| tmp ^= t0 * (t1 & mask); | |||
| mask += mask; | |||
| } | |||
| // | |||
| t = tmp & 0x007FC000007FC000; | |||
| tmp ^= (t >> 9) ^ (t >> 12); | |||
| t = tmp & 0x0000300000003000; | |||
| tmp ^= (t >> 9) ^ (t >> 12); | |||
| return tmp & 0x00000FFF00000FFF; | |||
| } | |||
+ 0
- 26
crypto_kem/mceliece/mceliece348864/sse/gf.h
查看文件
| @@ -1,26 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_GF_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_GF_H | |||
| /* | |||
| This file is for functions for field arithmetic | |||
| */ | |||
| #include "params.h" | |||
| #include <stdint.h> | |||
| typedef uint16_t gf; | |||
| gf PQCLEAN_MCELIECE348864_SSE_gf_iszero(gf /*a*/); | |||
| gf PQCLEAN_MCELIECE348864_SSE_gf_add(gf /*in0*/, gf /*in1*/); | |||
| gf PQCLEAN_MCELIECE348864_SSE_gf_mul(gf /*in0*/, gf /*in1*/); | |||
| gf PQCLEAN_MCELIECE348864_SSE_gf_frac(gf /*den*/, gf /*num*/); | |||
| gf PQCLEAN_MCELIECE348864_SSE_gf_inv(gf /*in*/); | |||
| void PQCLEAN_MCELIECE348864_SSE_GF_mul(gf * /*out*/, const gf * /*in0*/, const gf * /*in1*/); | |||
| /* 2 field multiplications */ | |||
| uint64_t PQCLEAN_MCELIECE348864_SSE_gf_mul2(gf a, gf b0, gf b1); | |||
| #endif | |||
+ 0
- 136
crypto_kem/mceliece/mceliece348864/sse/operations.c
查看文件
| @@ -1,136 +0,0 @@ | |||
| #include "api.h" | |||
| #include "aes256ctr.h" | |||
| #include "controlbits.h" | |||
| #include "crypto_hash.h" | |||
| #include "decrypt.h" | |||
| #include "encrypt.h" | |||
| #include "params.h" | |||
| #include "pk_gen.h" | |||
| #include "randombytes.h" | |||
| #include "sk_gen.h" | |||
| #include "util.h" | |||
| #include <stdint.h> | |||
| #include <string.h> | |||
| int PQCLEAN_MCELIECE348864_SSE_crypto_kem_enc( | |||
| uint8_t *c, | |||
| uint8_t *key, | |||
| const uint8_t *pk | |||
| ) { | |||
| uint8_t two_e[ 1 + SYS_N / 8 ] = {2}; | |||
| uint8_t *e = two_e + 1; | |||
| uint8_t one_ec[ 1 + SYS_N / 8 + (SYND_BYTES + 32) ] = {1}; | |||
| PQCLEAN_MCELIECE348864_SSE_encrypt(c, e, pk); | |||
| crypto_hash_32b(c + SYND_BYTES, two_e, sizeof(two_e)); | |||
| memcpy(one_ec + 1, e, SYS_N / 8); | |||
| memcpy(one_ec + 1 + SYS_N / 8, c, SYND_BYTES + 32); | |||
| crypto_hash_32b(key, one_ec, sizeof(one_ec)); | |||
| return 0; | |||
| } | |||
| int PQCLEAN_MCELIECE348864_SSE_crypto_kem_dec( | |||
| uint8_t *key, | |||
| const uint8_t *c, | |||
| const uint8_t *sk | |||
| ) { | |||
| int i; | |||
| uint8_t ret_confirm = 0; | |||
| uint8_t ret_decrypt = 0; | |||
| uint16_t m; | |||
| uint8_t conf[32]; | |||
| uint8_t two_e[ 1 + SYS_N / 8 ] = {2}; | |||
| uint8_t *e = two_e + 1; | |||
| uint8_t preimage[ 1 + SYS_N / 8 + (SYND_BYTES + 32) ]; | |||
| uint8_t *x = preimage; | |||
| // | |||
| ret_decrypt = (uint8_t)PQCLEAN_MCELIECE348864_SSE_decrypt(e, sk + SYS_N / 8, c); | |||
| crypto_hash_32b(conf, two_e, sizeof(two_e)); | |||
| for (i = 0; i < 32; i++) { | |||
| ret_confirm |= conf[i] ^ c[SYND_BYTES + i]; | |||
| } | |||
| m = ret_decrypt | ret_confirm; | |||
| m -= 1; | |||
| m >>= 8; | |||
| *x++ = (~m & 0) | (m & 1); | |||
| for (i = 0; i < SYS_N / 8; i++) { | |||
| *x++ = (~m & sk[i]) | (m & e[i]); | |||
| } | |||
| for (i = 0; i < SYND_BYTES + 32; i++) { | |||
| *x++ = c[i]; | |||
| } | |||
| crypto_hash_32b(key, preimage, sizeof(preimage)); | |||
| return 0; | |||
| } | |||
| int PQCLEAN_MCELIECE348864_SSE_crypto_kem_keypair | |||
| ( | |||
| uint8_t *pk, | |||
| uint8_t *sk | |||
| ) { | |||
| int i; | |||
| uint8_t seed[ 32 ]; | |||
| uint8_t r[ SYS_T * 2 + (1 << GFBITS)*sizeof(uint32_t) + SYS_N / 8 + 32 ]; | |||
| uint8_t nonce[ 16 ] = {0}; | |||
| uint8_t *rp; | |||
| gf f[ SYS_T ]; // element in GF(2^mt) | |||
| gf irr[ SYS_T ]; // Goppa polynomial | |||
| uint32_t perm[ 1 << GFBITS ]; // random permutation | |||
| randombytes(seed, sizeof(seed)); | |||
| while (1) { | |||
| rp = r; | |||
| PQCLEAN_MCELIECE348864_SSE_aes256ctr(r, sizeof(r), nonce, seed); | |||
| memcpy(seed, &r[ sizeof(r) - 32 ], 32); | |||
| for (i = 0; i < SYS_T; i++) { | |||
| f[i] = PQCLEAN_MCELIECE348864_SSE_load2(rp + i * 2); | |||
| } | |||
| rp += sizeof(f); | |||
| if (PQCLEAN_MCELIECE348864_SSE_genpoly_gen(irr, f)) { | |||
| continue; | |||
| } | |||
| for (i = 0; i < (1 << GFBITS); i++) { | |||
| perm[i] = PQCLEAN_MCELIECE348864_SSE_load4(rp + i * 4); | |||
| } | |||
| rp += sizeof(perm); | |||
| if (PQCLEAN_MCELIECE348864_SSE_perm_check(perm)) { | |||
| continue; | |||
| } | |||
| for (i = 0; i < SYS_T; i++) { | |||
| PQCLEAN_MCELIECE348864_SSE_store2(sk + SYS_N / 8 + i * 2, irr[i]); | |||
| } | |||
| if (PQCLEAN_MCELIECE348864_SSE_pk_gen(pk, perm, sk + SYS_N / 8)) { | |||
| continue; | |||
| } | |||
| memcpy(sk, rp, SYS_N / 8); | |||
| PQCLEAN_MCELIECE348864_SSE_controlbits(sk + SYS_N / 8 + IRR_BYTES, perm); | |||
| break; | |||
| } | |||
| return 0; | |||
| } | |||
+ 0
- 21
crypto_kem/mceliece/mceliece348864/sse/params.h
查看文件
| @@ -1,21 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_PARAMS_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_PARAMS_H | |||
| #define GFBITS 12 | |||
| #define SYS_N 3488 | |||
| #define SYS_T 64 | |||
| #define COND_BYTES ((1 << (GFBITS-4))*(2*GFBITS - 1)) | |||
| #define IRR_BYTES (SYS_T * 2) | |||
| #define PK_NROWS (SYS_T*GFBITS) | |||
| #define PK_NCOLS (SYS_N - PK_NROWS) | |||
| #define PK_ROW_BYTES ((PK_NCOLS + 7)/8) | |||
| #define SK_BYTES (SYS_N/8 + IRR_BYTES + COND_BYTES) | |||
| #define SYND_BYTES ((PK_NROWS + 7)/8) | |||
| #define GFMASK ((1 << GFBITS) - 1) | |||
| #endif | |||
+ 0
- 329
crypto_kem/mceliece/mceliece348864/sse/pk_gen.c
查看文件
| @@ -1,329 +0,0 @@ | |||
| /* | |||
| This file is for public-key generation | |||
| */ | |||
| #include "pk_gen.h" | |||
| #include "benes.h" | |||
| #include "controlbits.h" | |||
| #include "fft.h" | |||
| #include "params.h" | |||
| #include "transpose.h" | |||
| #include "util.h" | |||
| #include <stdint.h> | |||
| #include <immintrin.h> | |||
| #define min(a, b) (((a) < (b)) ? (a) : (b)) | |||
| static void de_bitslicing(uint64_t *out, vec128 in[][GFBITS]) { | |||
| int i, j, r; | |||
| uint64_t u = 0; | |||
| for (i = 0; i < (1 << GFBITS); i++) { | |||
| out[i] = 0 ; | |||
| } | |||
| for (i = 0; i < 32; i++) { | |||
| for (j = GFBITS - 1; j >= 0; j--) { | |||
| u = PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[i][j], 0); | |||
| for (r = 0; r < 64; r++) { | |||
| out[i * 128 + 0 * 64 + r] <<= 1; | |||
| out[i * 128 + 0 * 64 + r] |= (u >> r) & 1; | |||
| } | |||
| u = PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[i][j], 1); | |||
| for (r = 0; r < 64; r++) { | |||
| out[i * 128 + 1 * 64 + r] <<= 1; | |||
| out[i * 128 + 1 * 64 + r] |= (u >> r) & 1; | |||
| } | |||
| } | |||
| } | |||
| } | |||
| static void to_bitslicing_2x(vec128 out0[][GFBITS], vec128 out1[][GFBITS], const uint64_t *in) { | |||
| int i, j, k, r; | |||
| uint64_t u[2] = {0}; | |||
| for (i = 0; i < 32; i++) { | |||
| for (j = GFBITS - 1; j >= 0; j--) { | |||
| for (k = 0; k < 2; k++) { | |||
| for (r = 63; r >= 0; r--) { | |||
| u[k] <<= 1; | |||
| u[k] |= (in[i * 128 + k * 64 + r] >> (j + GFBITS)) & 1; | |||
| } | |||
| } | |||
| out1[i][j] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(u[0], u[1]); | |||
| } | |||
| for (j = GFBITS - 1; j >= 0; j--) { | |||
| for (k = 0; k < 2; k++) { | |||
| for (r = 63; r >= 0; r--) { | |||
| u[k] <<= 1; | |||
| u[k] |= (in[i * 128 + k * 64 + r] >> j) & 1; | |||
| } | |||
| } | |||
| out0[i][GFBITS - 1 - j] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(u[0], u[1]); | |||
| } | |||
| } | |||
| } | |||
| /* return number of trailing zeros of the non-zero input in */ | |||
| static inline int ctz(uint64_t in) { | |||
| return (int)_tzcnt_u64(in); | |||
| } | |||
| static inline uint64_t same_mask(uint16_t x, uint16_t y) { | |||
| uint64_t mask; | |||
| mask = x ^ y; | |||
| mask -= 1; | |||
| mask >>= 63; | |||
| mask = -mask; | |||
| return mask; | |||
| } | |||
| static int mov_columns(uint64_t mat[][ ((SYS_N + 127) / 128) * 2 ], uint32_t *perm) { | |||
| int i, j, k, s, block_idx, row; | |||
| uint64_t buf[64], ctz_list[32], t, d, mask; | |||
| row = GFBITS * SYS_T - 32; | |||
| block_idx = row / 64; | |||
| // extract the 32x64 matrix | |||
| for (i = 0; i < 32; i++) { | |||
| buf[i] = (mat[ row + i ][ block_idx + 0 ] >> 32) | | |||
| (mat[ row + i ][ block_idx + 1 ] << 32); | |||
| } | |||
| // compute the column indices of pivots by Gaussian elimination. | |||
| // the indices are stored in ctz_list | |||
| for (i = 0; i < 32; i++) { | |||
| t = buf[i]; | |||
| for (j = i + 1; j < 32; j++) { | |||
| t |= buf[j]; | |||
| } | |||
| if (t == 0) { | |||
| return -1; // return if buf is not full rank | |||
| } | |||
| ctz_list[i] = s = ctz(t); | |||
| for (j = i + 1; j < 32; j++) { | |||
| mask = (buf[i] >> s) & 1; | |||
| mask -= 1; | |||
| buf[i] ^= buf[j] & mask; | |||
| } | |||
| for (j = 0; j < i; j++) { | |||
| mask = (buf[j] >> s) & 1; | |||
| mask = -mask; | |||
| buf[j] ^= buf[i] & mask; | |||
| } | |||
| for (j = i + 1; j < 32; j++) { | |||
| mask = (buf[j] >> s) & 1; | |||
| mask = -mask; | |||
| buf[j] ^= buf[i] & mask; | |||
| } | |||
| } | |||
| // updating permutation | |||
| for (j = 0; j < 32; j++) { | |||
| for (k = j + 1; k < 64; k++) { | |||
| d = perm[ row + j ] ^ perm[ row + k ]; | |||
| d &= same_mask(k, ctz_list[j]); | |||
| perm[ row + j ] ^= d; | |||
| perm[ row + k ] ^= d; | |||
| } | |||
| } | |||
| // moving columns of mat according to the column indices of pivots | |||
| for (i = 0; i < GFBITS * SYS_T; i += 64) { | |||
| for (j = 0; j < min(64, GFBITS * SYS_T - i); j++) { | |||
| buf[j] = (mat[ i + j ][ block_idx + 0 ] >> 32) | | |||
| (mat[ i + j ][ block_idx + 1 ] << 32); | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_transpose_64x64(buf); | |||
| for (j = 0; j < 32; j++) { | |||
| for (k = j + 1; k < 64; k++) { | |||
| d = buf[ j ] ^ buf[ k ]; | |||
| d &= same_mask(k, ctz_list[j]); | |||
| buf[ j ] ^= d; | |||
| buf[ k ] ^= d; | |||
| } | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_transpose_64x64(buf); | |||
| for (j = 0; j < min(64, GFBITS * SYS_T - i); j++) { | |||
| mat[ i + j ][ block_idx + 0 ] = (mat[ i + j ][ block_idx + 0 ] << 32 >> 32) | (buf[j] << 32); | |||
| mat[ i + j ][ block_idx + 1 ] = (mat[ i + j ][ block_idx + 1 ] >> 32 << 32) | (buf[j] >> 32); | |||
| } | |||
| } | |||
| return 0; | |||
| } | |||
| #define NBLOCKS1_H ((SYS_N + 63) / 64) | |||
| #define NBLOCKS2_H ((SYS_N + 127) / 128) | |||
| #define NBLOCKS_I ((GFBITS * SYS_T + 63) / 64) | |||
| int PQCLEAN_MCELIECE348864_SSE_pk_gen(unsigned char *pk, uint32_t *perm, const unsigned char *sk) { | |||
| int i, j, k; | |||
| int row, c; | |||
| uint64_t mat[ GFBITS * SYS_T ][ NBLOCKS2_H * 2 ]; | |||
| uint64_t ops[ GFBITS * SYS_T ][ NBLOCKS_I ]; | |||
| uint64_t mask; | |||
| uint64_t irr_int[ GFBITS ]; | |||
| vec128 consts[32][ GFBITS ]; | |||
| vec128 eval[ 32 ][ GFBITS ]; | |||
| vec128 prod[ 32 ][ GFBITS ]; | |||
| vec128 tmp[ GFBITS ]; | |||
| uint64_t list[1 << GFBITS]; | |||
| // compute the inverses | |||
| PQCLEAN_MCELIECE348864_SSE_irr_load(irr_int, sk); | |||
| PQCLEAN_MCELIECE348864_SSE_fft(eval, irr_int); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_copy(prod[0], eval[0]); | |||
| for (i = 1; i < 32; i++) { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(prod[i], prod[i - 1], eval[i]); | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_inv(tmp, prod[31]); | |||
| for (i = 30; i >= 0; i--) { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(prod[i + 1], prod[i], tmp); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp, tmp, eval[i + 1]); | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_copy(prod[0], tmp); | |||
| // fill matrix | |||
| de_bitslicing(list, prod); | |||
| for (i = 0; i < (1 << GFBITS); i++) { | |||
| list[i] <<= GFBITS; | |||
| list[i] |= i; | |||
| list[i] |= ((uint64_t) perm[i]) << 31; | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_sort_63b(1 << GFBITS, list); | |||
| to_bitslicing_2x(consts, prod, list); | |||
| for (i = 0; i < (1 << GFBITS); i++) { | |||
| perm[i] = list[i] & GFMASK; | |||
| } | |||
| for (j = 0; j < NBLOCKS2_H; j++) { | |||
| for (k = 0; k < GFBITS; k++) { | |||
| mat[ k ][ 2 * j + 0 ] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(prod[ j ][ k ], 0); | |||
| mat[ k ][ 2 * j + 1 ] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(prod[ j ][ k ], 1); | |||
| } | |||
| } | |||
| for (i = 1; i < SYS_T; i++) { | |||
| for (j = 0; j < NBLOCKS2_H; j++) { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(prod[j], prod[j], consts[j]); | |||
| for (k = 0; k < GFBITS; k++) { | |||
| mat[ i * GFBITS + k ][ 2 * j + 0 ] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(prod[ j ][ k ], 0); | |||
| mat[ i * GFBITS + k ][ 2 * j + 1 ] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(prod[ j ][ k ], 1); | |||
| } | |||
| } | |||
| } | |||
| // gaussian elimination | |||
| for (i = 0; i < PK_NROWS; i++) { | |||
| for (j = 0; j < NBLOCKS_I; j++) { | |||
| ops[ i ][ j ] = 0; | |||
| } | |||
| } | |||
| for (i = 0; i < PK_NROWS; i++) { | |||
| ops[ i ][ i / 64 ] = 1; | |||
| ops[ i ][ i / 64 ] <<= (i % 64); | |||
| } | |||
| for (row = 0; row < PK_NROWS; row++) { | |||
| i = row >> 6; | |||
| j = row & 63; | |||
| if (row == GFBITS * SYS_T - 32) { | |||
| if (mov_columns(mat, perm)) { | |||
| return -1; | |||
| } | |||
| } | |||
| for (k = row + 1; k < PK_NROWS; k++) { | |||
| mask = mat[ row ][ i ] >> j; | |||
| mask &= 1; | |||
| mask -= 1; | |||
| for (c = 0; c < NBLOCKS1_H; c++) { | |||
| mat[ row ][ c ] ^= mat[ k ][ c ] & mask; | |||
| } | |||
| } | |||
| if ( ((mat[ row ][ i ] >> j) & 1) == 0 ) { // return if not systematic | |||
| return -1; | |||
| } | |||
| for (k = 0; k < row; k++) { | |||
| mask = mat[ k ][ i ] >> j; | |||
| mask &= 1; | |||
| mask = -mask; | |||
| for (c = 0; c < NBLOCKS1_H; c++) { | |||
| mat[ k ][ c ] ^= mat[ row ][ c ] & mask; | |||
| } | |||
| } | |||
| for (k = row + 1; k < PK_NROWS; k++) { | |||
| mask = mat[ k ][ i ] >> j; | |||
| mask &= 1; | |||
| mask = -mask; | |||
| for (c = 0; c < NBLOCKS1_H; c++) { | |||
| mat[ k ][ c ] ^= mat[ row ][ c ] & mask; | |||
| } | |||
| } | |||
| } | |||
| for (i = 0; i < GFBITS * SYS_T; i++) { | |||
| for (j = NBLOCKS_I; j < NBLOCKS1_H - 1; j++) { | |||
| PQCLEAN_MCELIECE348864_SSE_store8(pk, mat[i][j]); | |||
| pk += 8; | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_store_i(pk, mat[i][j], PK_ROW_BYTES % 8); | |||
| pk += PK_ROW_BYTES % 8; | |||
| } | |||
| // | |||
| return 0; | |||
| } | |||
+ 0
- 13
crypto_kem/mceliece/mceliece348864/sse/pk_gen.h
查看文件
| @@ -1,13 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_PK_GEN_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_PK_GEN_H | |||
| /* | |||
| This file is for public-key generation | |||
| */ | |||
| #include "gf.h" | |||
| int PQCLEAN_MCELIECE348864_SSE_pk_gen(unsigned char * /*pk*/, uint32_t * /*perm*/, const unsigned char * /*sk*/); | |||
| #endif | |||
+ 0
- 448
crypto_kem/mceliece/mceliece348864/sse/powers.inc
查看文件
| @@ -1,448 +0,0 @@ | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555), | |||
| }, | |||
+ 0
- 70
crypto_kem/mceliece/mceliece348864/sse/scalars_2x.inc
查看文件
| @@ -1,70 +0,0 @@ | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xf3cfc030fc30f003, 0x000c03c0c3c0330c), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3fcf0f003c00c00c, 0xf330cffcc00f33c0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x30033cc300c0c03c, 0xccf330f00f3c0333), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xccff0f3c0f30f0c0, 0xff03fff3ff0cf0c0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0300c03ff303c3f0, 0x3cc3fcf00fcc303c), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3fff3c0ff0ccccc0, 0x0f000c0fc30303f3), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xf3fff0c00f3c3cc0, 0xcf0fc3ff333ccf3c), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3003333fffc3c000, 0x003f3fc3c0ff333f), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0ff30fffc3fff300, 0x3cc3f0f3cf0ff00f), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffc0f300f0f0cc00, 0xf3f33cc03fc30cc0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xc0cff3fccc3cfc00, 0x3cc330cfc333f33f), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xfc3c03f0f330c000, 0x3cc0303ff3c3fffc), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x000f00000000f00f, 0x0f00f00f00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000f00f00000f0, 0xf00000000000f000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0f00000f00000f00, 0x00000f00000000f0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xf00f00f00f000000, 0x0f00f00000f00000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00f00000000000f0, 0x000f00000f00f00f), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000f00000000, 0x00f00f00f00f0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xf00000000f00f000, 0x0f00f00000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00f00f00000f0000, 0x000000000f000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000f00000f00f00, 0x00f00000000f00f0), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x000f00f00f00f000, 0x0000f00f00000f00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00f00f0000000000, 0xf00000f00000f00f), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000f00000, 0x00000f00f00f00f0), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ff00ff0000ff, 0xff00ffffff000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ff000000ff00, 0xff0000ffff000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xff0000ff00ff0000, 0xffff00ffff000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffff0000ff000000, 0xff00ffffffffff00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00ff00ff00ff0000, 0x00000000ff00ff00), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ffffff000000, 0xffffffff00ff0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00ffff00ff000000, 0x00ffffff00ff0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffff0000ff0000, 0xffff00ffff00ffff), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffff00ffff00ff00, 0xffff0000ffffffff), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ff0000000000, 0xff00000000ff0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffff00ff000000, 0x000000ff00ff00ff), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00ff000000000000, 0x00ff00ff00ffff00), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x000000000000ffff, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000000ffff0000, 0xffff000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffff000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000000ffff0000, 0xffff00000000ffff), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ffff00000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000ffff00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000000ffff0000, 0xffff00000000ffff), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ffff00000000, 0x00000000ffff0000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffff00000000ffff), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x00000000ffff0000), | |||
| }, | |||
| { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000000ffffffff, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffffff00000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffffff00000000, 0x00000000ffffffff), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffff00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffff00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffffff00000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffff00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffffffffffff), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffffff00000000, 0xffffffff00000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffffffffffff), | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffff00000000), | |||
| }, | |||
+ 0
- 98
crypto_kem/mceliece/mceliece348864/sse/sk_gen.c
查看文件
| @@ -1,98 +0,0 @@ | |||
| /* | |||
| This file is for secret-key generation | |||
| */ | |||
| #include "sk_gen.h" | |||
| #include "controlbits.h" | |||
| #include "gf.h" | |||
| #include "params.h" | |||
| #include "util.h" | |||
| /* input: f, element in GF((2^m)^t) */ | |||
| /* output: out, minimal polynomial of f */ | |||
| /* return: 0 for success and -1 for failure */ | |||
| int PQCLEAN_MCELIECE348864_SSE_genpoly_gen(gf *out, gf *f) { | |||
| int i, j, k, c; | |||
| gf mat[ SYS_T + 1 ][ SYS_T ]; | |||
| gf mask, inv, t; | |||
| // fill matrix | |||
| mat[0][0] = 1; | |||
| for (i = 1; i < SYS_T; i++) { | |||
| mat[0][i] = 0; | |||
| } | |||
| for (i = 0; i < SYS_T; i++) { | |||
| mat[1][i] = f[i]; | |||
| } | |||
| for (j = 2; j <= SYS_T; j++) { | |||
| PQCLEAN_MCELIECE348864_SSE_GF_mul(mat[j], mat[j - 1], f); | |||
| } | |||
| // gaussian | |||
| for (j = 0; j < SYS_T; j++) { | |||
| for (k = j + 1; k < SYS_T; k++) { | |||
| mask = PQCLEAN_MCELIECE348864_SSE_gf_iszero(mat[ j ][ j ]); | |||
| for (c = j; c < SYS_T + 1; c++) { | |||
| mat[ c ][ j ] ^= mat[ c ][ k ] & mask; | |||
| } | |||
| } | |||
| if ( mat[ j ][ j ] == 0 ) { // return if not systematic | |||
| return -1; | |||
| } | |||
| inv = PQCLEAN_MCELIECE348864_SSE_gf_inv(mat[j][j]); | |||
| for (c = j; c < SYS_T + 1; c++) { | |||
| mat[ c ][ j ] = PQCLEAN_MCELIECE348864_SSE_gf_mul(mat[ c ][ j ], inv) ; | |||
| } | |||
| for (k = 0; k < SYS_T; k++) { | |||
| if (k != j) { | |||
| t = mat[ j ][ k ]; | |||
| for (c = j; c < SYS_T + 1; c++) { | |||
| mat[ c ][ k ] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(mat[ c ][ j ], t); | |||
| } | |||
| } | |||
| } | |||
| } | |||
| for (i = 0; i < SYS_T; i++) { | |||
| out[i] = mat[ SYS_T ][ i ]; | |||
| } | |||
| return 0; | |||
| } | |||
| /* input: permutation p represented as a list of 32-bit intergers */ | |||
| /* output: -1 if some interger repeats in p */ | |||
| /* 0 otherwise */ | |||
| int PQCLEAN_MCELIECE348864_SSE_perm_check(const uint32_t *p) { | |||
| int i; | |||
| uint64_t list[1 << GFBITS]; | |||
| for (i = 0; i < (1 << GFBITS); i++) { | |||
| list[i] = p[i]; | |||
| } | |||
| PQCLEAN_MCELIECE348864_SSE_sort_63b(1 << GFBITS, list); | |||
| for (i = 1; i < (1 << GFBITS); i++) { | |||
| if (list[i - 1] == list[i]) { | |||
| return -1; | |||
| } | |||
| } | |||
| return 0; | |||
| } | |||
+ 0
- 16
crypto_kem/mceliece/mceliece348864/sse/sk_gen.h
查看文件
| @@ -1,16 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_SK_GEN_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_SK_GEN_H | |||
| /* | |||
| This file is for secret-key generation | |||
| */ | |||
| #include "gf.h" | |||
| #include <stdint.h> | |||
| int PQCLEAN_MCELIECE348864_SSE_genpoly_gen(gf * /*out*/, gf * /*f*/); | |||
| int PQCLEAN_MCELIECE348864_SSE_perm_check(const uint32_t * /*p*/); | |||
| #endif | |||
+ 0
- 740
crypto_kem/mceliece/mceliece348864/sse/syndrome_asm.S
查看文件
| @@ -1,740 +0,0 @@ | |||
| # qhasm: int64 input_0 | |||
| # qhasm: int64 input_1 | |||
| # qhasm: int64 input_2 | |||
| # qhasm: int64 input_3 | |||
| # qhasm: int64 input_4 | |||
| # qhasm: int64 input_5 | |||
| # qhasm: stack64 input_6 | |||
| # qhasm: stack64 input_7 | |||
| # qhasm: int64 caller_r11 | |||
| # qhasm: int64 caller_r12 | |||
| # qhasm: int64 caller_r13 | |||
| # qhasm: int64 caller_r14 | |||
| # qhasm: int64 caller_r15 | |||
| # qhasm: int64 caller_rbx | |||
| # qhasm: int64 caller_rbp | |||
| # qhasm: int64 b64 | |||
| # qhasm: int64 synd | |||
| # qhasm: int64 addr | |||
| # qhasm: int64 c | |||
| # qhasm: int64 c_all | |||
| # qhasm: int64 row | |||
| # qhasm: int64 p | |||
| # qhasm: int64 e | |||
| # qhasm: int64 s | |||
| # qhasm: reg128 pp | |||
| # qhasm: reg128 ee | |||
| # qhasm: reg128 ss | |||
| # qhasm: int64 buf_ptr | |||
| # qhasm: stack128 buf | |||
| # qhasm: enter syndrome_asm | |||
| .p2align 5 | |||
| .global _PQCLEAN_MCELIECE348864_SSE_syndrome_asm | |||
| .global PQCLEAN_MCELIECE348864_SSE_syndrome_asm | |||
| _PQCLEAN_MCELIECE348864_SSE_syndrome_asm: | |||
| PQCLEAN_MCELIECE348864_SSE_syndrome_asm: | |||
| mov %rsp,%r11 | |||
| and $31,%r11 | |||
| add $32,%r11 | |||
| sub %r11,%rsp | |||
| # qhasm: input_1 += 260780 | |||
| # asm 1: add $260780,<input_1=int64#2 | |||
| # asm 2: add $260780,<input_1=%rsi | |||
| add $260780,%rsi | |||
| # qhasm: buf_ptr = &buf | |||
| # asm 1: leaq <buf=stack128#1,>buf_ptr=int64#4 | |||
| # asm 2: leaq <buf=0(%rsp),>buf_ptr=%rcx | |||
| leaq 0(%rsp),%rcx | |||
| # qhasm: row = 768 | |||
| # asm 1: mov $768,>row=int64#5 | |||
| # asm 2: mov $768,>row=%r8 | |||
| mov $768,%r8 | |||
| # qhasm: loop: | |||
| ._loop: | |||
| # qhasm: row -= 1 | |||
| # asm 1: sub $1,<row=int64#5 | |||
| # asm 2: sub $1,<row=%r8 | |||
| sub $1,%r8 | |||
| # qhasm: ss = mem128[ input_1 + 0 ] | |||
| # asm 1: movdqu 0(<input_1=int64#2),>ss=reg128#1 | |||
| # asm 2: movdqu 0(<input_1=%rsi),>ss=%xmm0 | |||
| movdqu 0(%rsi),%xmm0 | |||
| # qhasm: ee = mem128[ input_2 + 96 ] | |||
| # asm 1: movdqu 96(<input_2=int64#3),>ee=reg128#2 | |||
| # asm 2: movdqu 96(<input_2=%rdx),>ee=%xmm1 | |||
| movdqu 96(%rdx),%xmm1 | |||
| # qhasm: ss &= ee | |||
| # asm 1: pand <ee=reg128#2,<ss=reg128#1 | |||
| # asm 2: pand <ee=%xmm1,<ss=%xmm0 | |||
| pand %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 16 ] | |||
| # asm 1: movdqu 16(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 16(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 16(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 112 ] | |||
| # asm 1: movdqu 112(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 112(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 112(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 32 ] | |||
| # asm 1: movdqu 32(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 32(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 32(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 128 ] | |||
| # asm 1: movdqu 128(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 128(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 128(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 48 ] | |||
| # asm 1: movdqu 48(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 48(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 48(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 144 ] | |||
| # asm 1: movdqu 144(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 144(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 144(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 64 ] | |||
| # asm 1: movdqu 64(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 64(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 64(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 160 ] | |||
| # asm 1: movdqu 160(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 160(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 160(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 80 ] | |||
| # asm 1: movdqu 80(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 80(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 80(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 176 ] | |||
| # asm 1: movdqu 176(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 176(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 176(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 96 ] | |||
| # asm 1: movdqu 96(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 96(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 96(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 192 ] | |||
| # asm 1: movdqu 192(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 192(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 192(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 112 ] | |||
| # asm 1: movdqu 112(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 112(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 112(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 208 ] | |||
| # asm 1: movdqu 208(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 208(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 208(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 128 ] | |||
| # asm 1: movdqu 128(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 128(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 128(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 224 ] | |||
| # asm 1: movdqu 224(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 224(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 224(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 144 ] | |||
| # asm 1: movdqu 144(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 144(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 144(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 240 ] | |||
| # asm 1: movdqu 240(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 240(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 240(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 160 ] | |||
| # asm 1: movdqu 160(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 160(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 160(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 256 ] | |||
| # asm 1: movdqu 256(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 256(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 256(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 176 ] | |||
| # asm 1: movdqu 176(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 176(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 176(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 272 ] | |||
| # asm 1: movdqu 272(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 272(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 272(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 192 ] | |||
| # asm 1: movdqu 192(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 192(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 192(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 288 ] | |||
| # asm 1: movdqu 288(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 288(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 288(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 208 ] | |||
| # asm 1: movdqu 208(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 208(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 208(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 304 ] | |||
| # asm 1: movdqu 304(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 304(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 304(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 224 ] | |||
| # asm 1: movdqu 224(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 224(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 224(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 320 ] | |||
| # asm 1: movdqu 320(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 320(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 320(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 240 ] | |||
| # asm 1: movdqu 240(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 240(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 240(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 336 ] | |||
| # asm 1: movdqu 336(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 336(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 336(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 256 ] | |||
| # asm 1: movdqu 256(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 256(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 256(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 352 ] | |||
| # asm 1: movdqu 352(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 352(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 352(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 272 ] | |||
| # asm 1: movdqu 272(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 272(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 272(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 368 ] | |||
| # asm 1: movdqu 368(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 368(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 368(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 288 ] | |||
| # asm 1: movdqu 288(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 288(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 288(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 384 ] | |||
| # asm 1: movdqu 384(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 384(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 384(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 304 ] | |||
| # asm 1: movdqu 304(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 304(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 304(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 400 ] | |||
| # asm 1: movdqu 400(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 400(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 400(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: pp = mem128[ input_1 + 320 ] | |||
| # asm 1: movdqu 320(<input_1=int64#2),>pp=reg128#2 | |||
| # asm 2: movdqu 320(<input_1=%rsi),>pp=%xmm1 | |||
| movdqu 320(%rsi),%xmm1 | |||
| # qhasm: ee = mem128[ input_2 + 416 ] | |||
| # asm 1: movdqu 416(<input_2=int64#3),>ee=reg128#3 | |||
| # asm 2: movdqu 416(<input_2=%rdx),>ee=%xmm2 | |||
| movdqu 416(%rdx),%xmm2 | |||
| # qhasm: pp &= ee | |||
| # asm 1: pand <ee=reg128#3,<pp=reg128#2 | |||
| # asm 2: pand <ee=%xmm2,<pp=%xmm1 | |||
| pand %xmm2,%xmm1 | |||
| # qhasm: ss ^= pp | |||
| # asm 1: pxor <pp=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <pp=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: buf = ss | |||
| # asm 1: movdqa <ss=reg128#1,>buf=stack128#1 | |||
| # asm 2: movdqa <ss=%xmm0,>buf=0(%rsp) | |||
| movdqa %xmm0,0(%rsp) | |||
| # qhasm: s = *(uint32 *)(input_1 + 336) | |||
| # asm 1: movl 336(<input_1=int64#2),>s=int64#6d | |||
| # asm 2: movl 336(<input_1=%rsi),>s=%r9d | |||
| movl 336(%rsi),%r9d | |||
| # qhasm: e = *(uint32 *)(input_2 + 432) | |||
| # asm 1: movl 432(<input_2=int64#3),>e=int64#7d | |||
| # asm 2: movl 432(<input_2=%rdx),>e=%eax | |||
| movl 432(%rdx),%eax | |||
| # qhasm: s &= e | |||
| # asm 1: and <e=int64#7,<s=int64#6 | |||
| # asm 2: and <e=%rax,<s=%r9 | |||
| and %rax,%r9 | |||
| # qhasm: c_all = count(s) | |||
| # asm 1: popcnt <s=int64#6, >c_all=int64#6 | |||
| # asm 2: popcnt <s=%r9, >c_all=%r9 | |||
| popcnt %r9, %r9 | |||
| # qhasm: b64 = mem64[ buf_ptr + 0 ] | |||
| # asm 1: movq 0(<buf_ptr=int64#4),>b64=int64#7 | |||
| # asm 2: movq 0(<buf_ptr=%rcx),>b64=%rax | |||
| movq 0(%rcx),%rax | |||
| # qhasm: c = count(b64) | |||
| # asm 1: popcnt <b64=int64#7, >c=int64#7 | |||
| # asm 2: popcnt <b64=%rax, >c=%rax | |||
| popcnt %rax, %rax | |||
| # qhasm: c_all ^= c | |||
| # asm 1: xor <c=int64#7,<c_all=int64#6 | |||
| # asm 2: xor <c=%rax,<c_all=%r9 | |||
| xor %rax,%r9 | |||
| # qhasm: b64 = mem64[ buf_ptr + 8 ] | |||
| # asm 1: movq 8(<buf_ptr=int64#4),>b64=int64#7 | |||
| # asm 2: movq 8(<buf_ptr=%rcx),>b64=%rax | |||
| movq 8(%rcx),%rax | |||
| # qhasm: c = count(b64) | |||
| # asm 1: popcnt <b64=int64#7, >c=int64#7 | |||
| # asm 2: popcnt <b64=%rax, >c=%rax | |||
| popcnt %rax, %rax | |||
| # qhasm: c_all ^= c | |||
| # asm 1: xor <c=int64#7,<c_all=int64#6 | |||
| # asm 2: xor <c=%rax,<c_all=%r9 | |||
| xor %rax,%r9 | |||
| # qhasm: addr = row | |||
| # asm 1: mov <row=int64#5,>addr=int64#7 | |||
| # asm 2: mov <row=%r8,>addr=%rax | |||
| mov %r8,%rax | |||
| # qhasm: (uint64) addr >>= 3 | |||
| # asm 1: shr $3,<addr=int64#7 | |||
| # asm 2: shr $3,<addr=%rax | |||
| shr $3,%rax | |||
| # qhasm: addr += input_0 | |||
| # asm 1: add <input_0=int64#1,<addr=int64#7 | |||
| # asm 2: add <input_0=%rdi,<addr=%rax | |||
| add %rdi,%rax | |||
| # qhasm: synd = *(uint8 *) (addr + 0) | |||
| # asm 1: movzbq 0(<addr=int64#7),>synd=int64#8 | |||
| # asm 2: movzbq 0(<addr=%rax),>synd=%r10 | |||
| movzbq 0(%rax),%r10 | |||
| # qhasm: synd <<= 1 | |||
| # asm 1: shl $1,<synd=int64#8 | |||
| # asm 2: shl $1,<synd=%r10 | |||
| shl $1,%r10 | |||
| # qhasm: (uint32) c_all &= 1 | |||
| # asm 1: and $1,<c_all=int64#6d | |||
| # asm 2: and $1,<c_all=%r9d | |||
| and $1,%r9d | |||
| # qhasm: synd |= c_all | |||
| # asm 1: or <c_all=int64#6,<synd=int64#8 | |||
| # asm 2: or <c_all=%r9,<synd=%r10 | |||
| or %r9,%r10 | |||
| # qhasm: *(uint8 *) (addr + 0) = synd | |||
| # asm 1: movb <synd=int64#8b,0(<addr=int64#7) | |||
| # asm 2: movb <synd=%r10b,0(<addr=%rax) | |||
| movb %r10b,0(%rax) | |||
| # qhasm: input_1 -= 340 | |||
| # asm 1: sub $340,<input_1=int64#2 | |||
| # asm 2: sub $340,<input_1=%rsi | |||
| sub $340,%rsi | |||
| # qhasm: =? row-0 | |||
| # asm 1: cmp $0,<row=int64#5 | |||
| # asm 2: cmp $0,<row=%r8 | |||
| cmp $0,%r8 | |||
| # comment:fp stack unchanged by jump | |||
| # qhasm: goto loop if != | |||
| jne ._loop | |||
| # qhasm: ss = mem128[ input_0 + 0 ] | |||
| # asm 1: movdqu 0(<input_0=int64#1),>ss=reg128#1 | |||
| # asm 2: movdqu 0(<input_0=%rdi),>ss=%xmm0 | |||
| movdqu 0(%rdi),%xmm0 | |||
| # qhasm: ee = mem128[ input_2 + 0 ] | |||
| # asm 1: movdqu 0(<input_2=int64#3),>ee=reg128#2 | |||
| # asm 2: movdqu 0(<input_2=%rdx),>ee=%xmm1 | |||
| movdqu 0(%rdx),%xmm1 | |||
| # qhasm: ss ^= ee | |||
| # asm 1: pxor <ee=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <ee=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: mem128[ input_0 + 0 ] = ss | |||
| # asm 1: movdqu <ss=reg128#1,0(<input_0=int64#1) | |||
| # asm 2: movdqu <ss=%xmm0,0(<input_0=%rdi) | |||
| movdqu %xmm0,0(%rdi) | |||
| # qhasm: ss = mem128[ input_0 + 16 ] | |||
| # asm 1: movdqu 16(<input_0=int64#1),>ss=reg128#1 | |||
| # asm 2: movdqu 16(<input_0=%rdi),>ss=%xmm0 | |||
| movdqu 16(%rdi),%xmm0 | |||
| # qhasm: ee = mem128[ input_2 + 16 ] | |||
| # asm 1: movdqu 16(<input_2=int64#3),>ee=reg128#2 | |||
| # asm 2: movdqu 16(<input_2=%rdx),>ee=%xmm1 | |||
| movdqu 16(%rdx),%xmm1 | |||
| # qhasm: ss ^= ee | |||
| # asm 1: pxor <ee=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <ee=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: mem128[ input_0 + 16 ] = ss | |||
| # asm 1: movdqu <ss=reg128#1,16(<input_0=int64#1) | |||
| # asm 2: movdqu <ss=%xmm0,16(<input_0=%rdi) | |||
| movdqu %xmm0,16(%rdi) | |||
| # qhasm: ss = mem128[ input_0 + 32 ] | |||
| # asm 1: movdqu 32(<input_0=int64#1),>ss=reg128#1 | |||
| # asm 2: movdqu 32(<input_0=%rdi),>ss=%xmm0 | |||
| movdqu 32(%rdi),%xmm0 | |||
| # qhasm: ee = mem128[ input_2 + 32 ] | |||
| # asm 1: movdqu 32(<input_2=int64#3),>ee=reg128#2 | |||
| # asm 2: movdqu 32(<input_2=%rdx),>ee=%xmm1 | |||
| movdqu 32(%rdx),%xmm1 | |||
| # qhasm: ss ^= ee | |||
| # asm 1: pxor <ee=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <ee=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: mem128[ input_0 + 32 ] = ss | |||
| # asm 1: movdqu <ss=reg128#1,32(<input_0=int64#1) | |||
| # asm 2: movdqu <ss=%xmm0,32(<input_0=%rdi) | |||
| movdqu %xmm0,32(%rdi) | |||
| # qhasm: ss = mem128[ input_0 + 48 ] | |||
| # asm 1: movdqu 48(<input_0=int64#1),>ss=reg128#1 | |||
| # asm 2: movdqu 48(<input_0=%rdi),>ss=%xmm0 | |||
| movdqu 48(%rdi),%xmm0 | |||
| # qhasm: ee = mem128[ input_2 + 48 ] | |||
| # asm 1: movdqu 48(<input_2=int64#3),>ee=reg128#2 | |||
| # asm 2: movdqu 48(<input_2=%rdx),>ee=%xmm1 | |||
| movdqu 48(%rdx),%xmm1 | |||
| # qhasm: ss ^= ee | |||
| # asm 1: pxor <ee=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <ee=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: mem128[ input_0 + 48 ] = ss | |||
| # asm 1: movdqu <ss=reg128#1,48(<input_0=int64#1) | |||
| # asm 2: movdqu <ss=%xmm0,48(<input_0=%rdi) | |||
| movdqu %xmm0,48(%rdi) | |||
| # qhasm: ss = mem128[ input_0 + 64 ] | |||
| # asm 1: movdqu 64(<input_0=int64#1),>ss=reg128#1 | |||
| # asm 2: movdqu 64(<input_0=%rdi),>ss=%xmm0 | |||
| movdqu 64(%rdi),%xmm0 | |||
| # qhasm: ee = mem128[ input_2 + 64 ] | |||
| # asm 1: movdqu 64(<input_2=int64#3),>ee=reg128#2 | |||
| # asm 2: movdqu 64(<input_2=%rdx),>ee=%xmm1 | |||
| movdqu 64(%rdx),%xmm1 | |||
| # qhasm: ss ^= ee | |||
| # asm 1: pxor <ee=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <ee=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: mem128[ input_0 + 64 ] = ss | |||
| # asm 1: movdqu <ss=reg128#1,64(<input_0=int64#1) | |||
| # asm 2: movdqu <ss=%xmm0,64(<input_0=%rdi) | |||
| movdqu %xmm0,64(%rdi) | |||
| # qhasm: ss = mem128[ input_0 + 80 ] | |||
| # asm 1: movdqu 80(<input_0=int64#1),>ss=reg128#1 | |||
| # asm 2: movdqu 80(<input_0=%rdi),>ss=%xmm0 | |||
| movdqu 80(%rdi),%xmm0 | |||
| # qhasm: ee = mem128[ input_2 + 80 ] | |||
| # asm 1: movdqu 80(<input_2=int64#3),>ee=reg128#2 | |||
| # asm 2: movdqu 80(<input_2=%rdx),>ee=%xmm1 | |||
| movdqu 80(%rdx),%xmm1 | |||
| # qhasm: ss ^= ee | |||
| # asm 1: pxor <ee=reg128#2,<ss=reg128#1 | |||
| # asm 2: pxor <ee=%xmm1,<ss=%xmm0 | |||
| pxor %xmm1,%xmm0 | |||
| # qhasm: mem128[ input_0 + 80 ] = ss | |||
| # asm 1: movdqu <ss=reg128#1,80(<input_0=int64#1) | |||
| # asm 2: movdqu <ss=%xmm0,80(<input_0=%rdi) | |||
| movdqu %xmm0,80(%rdi) | |||
| # qhasm: return | |||
| add %r11,%rsp | |||
| ret | |||
+ 0
- 12
crypto_kem/mceliece/mceliece348864/sse/transpose.c
查看文件
| @@ -1,12 +0,0 @@ | |||
| #include "transpose.h" | |||
| extern void PQCLEAN_MCELIECE348864_SSE_transpose_64x64_asm(uint64_t *); | |||
| void PQCLEAN_MCELIECE348864_SSE_transpose_64x64(uint64_t *in) { | |||
| PQCLEAN_MCELIECE348864_SSE_transpose_64x64_asm(in); | |||
| } | |||
| extern void PQCLEAN_MCELIECE348864_SSE_transpose_64x128_sp_asm(vec128 *); | |||
| void PQCLEAN_MCELIECE348864_SSE_transpose_64x128_sp(vec128 *in) { | |||
| PQCLEAN_MCELIECE348864_SSE_transpose_64x128_sp_asm(in); | |||
| } | |||
+ 0
- 16
crypto_kem/mceliece/mceliece348864/sse/transpose.h
查看文件
| @@ -1,16 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_TRANSPOSE_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_TRANSPOSE_H | |||
| /* | |||
| This file is for matrix transposition | |||
| */ | |||
| #include "vec128.h" | |||
| #include <stdint.h> | |||
| void PQCLEAN_MCELIECE348864_SSE_transpose_64x64(uint64_t *in); | |||
| void PQCLEAN_MCELIECE348864_SSE_transpose_64x128_sp(vec128 *in); | |||
| #endif | |||
+ 0
- 8145
crypto_kem/mceliece/mceliece348864/sse/transpose_64x128_sp_asm.S
文件差异内容过多而无法显示
查看文件
+ 0
- 8467
crypto_kem/mceliece/mceliece348864/sse/transpose_64x64_asm.S
文件差异内容过多而无法显示
查看文件
+ 0
- 354
crypto_kem/mceliece/mceliece348864/sse/update_asm.S
查看文件
| @@ -1,354 +0,0 @@ | |||
| # qhasm: int64 input_0 | |||
| # qhasm: int64 input_1 | |||
| # qhasm: int64 input_2 | |||
| # qhasm: int64 input_3 | |||
| # qhasm: int64 input_4 | |||
| # qhasm: int64 input_5 | |||
| # qhasm: stack64 input_6 | |||
| # qhasm: stack64 input_7 | |||
| # qhasm: int64 caller_r11 | |||
| # qhasm: int64 caller_r12 | |||
| # qhasm: int64 caller_r13 | |||
| # qhasm: int64 caller_r14 | |||
| # qhasm: int64 caller_r15 | |||
| # qhasm: int64 caller_rbx | |||
| # qhasm: int64 caller_rbp | |||
| # qhasm: int64 s0 | |||
| # qhasm: int64 s1 | |||
| # qhasm: enter update_asm | |||
| .p2align 5 | |||
| .global _PQCLEAN_MCELIECE348864_SSE_update_asm | |||
| .global PQCLEAN_MCELIECE348864_SSE_update_asm | |||
| _PQCLEAN_MCELIECE348864_SSE_update_asm: | |||
| PQCLEAN_MCELIECE348864_SSE_update_asm: | |||
| mov %rsp,%r11 | |||
| and $31,%r11 | |||
| add $0,%r11 | |||
| sub %r11,%rsp | |||
| # qhasm: s1 = input_1 | |||
| # asm 1: mov <input_1=int64#2,>s1=int64#2 | |||
| # asm 2: mov <input_1=%rsi,>s1=%rsi | |||
| mov %rsi,%rsi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: s0 = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>s0=int64#4 | |||
| # asm 2: movq 0(<input_0=%rdi),>s0=%rcx | |||
| movq 0(%rdi),%rcx | |||
| # qhasm: s0 = (s1 s0) >> 1 | |||
| # asm 1: shrd $1,<s1=int64#2,<s0=int64#4 | |||
| # asm 2: shrd $1,<s1=%rsi,<s0=%rcx | |||
| shrd $1,%rsi,%rcx | |||
| # qhasm: (uint64) s1 >>= 1 | |||
| # asm 1: shr $1,<s1=int64#2 | |||
| # asm 2: shr $1,<s1=%rsi | |||
| shr $1,%rsi | |||
| # qhasm: mem64[ input_0 + 0 ] = s0 | |||
| # asm 1: movq <s0=int64#4,0(<input_0=int64#1) | |||
| # asm 2: movq <s0=%rcx,0(<input_0=%rdi) | |||
| movq %rcx,0(%rdi) | |||
| # qhasm: input_0 += input_2 | |||
| # asm 1: add <input_2=int64#3,<input_0=int64#1 | |||
| # asm 2: add <input_2=%rdx,<input_0=%rdi | |||
| add %rdx,%rdi | |||
| # qhasm: return | |||
| add %r11,%rsp | |||
| ret | |||
+ 0
- 106
crypto_kem/mceliece/mceliece348864/sse/util.c
查看文件
| @@ -1,106 +0,0 @@ | |||
| /* | |||
| This file is for loading/storing data in a little-endian fashion | |||
| */ | |||
| #include "util.h" | |||
| void PQCLEAN_MCELIECE348864_SSE_store_i(unsigned char *out, uint64_t in, int i) { | |||
| int j; | |||
| for (j = 0; j < i; j++) { | |||
| out[j] = (in >> (j * 8)) & 0xFF; | |||
| } | |||
| } | |||
| void PQCLEAN_MCELIECE348864_SSE_store2(unsigned char *dest, gf a) { | |||
| dest[0] = a & 0xFF; | |||
| dest[1] = a >> 8; | |||
| } | |||
| uint16_t PQCLEAN_MCELIECE348864_SSE_load2(const unsigned char *src) { | |||
| uint16_t a; | |||
| a = src[1]; | |||
| a <<= 8; | |||
| a |= src[0]; | |||
| return a & GFMASK; | |||
| } | |||
| uint32_t PQCLEAN_MCELIECE348864_SSE_load4(const unsigned char *src) { | |||
| uint32_t a; | |||
| a = src[3]; | |||
| a <<= 8; | |||
| a |= src[2]; | |||
| a <<= 8; | |||
| a |= src[1]; | |||
| a <<= 8; | |||
| a |= src[0]; | |||
| return a; | |||
| } | |||
| void PQCLEAN_MCELIECE348864_SSE_irr_load(uint64_t *out, const unsigned char *in) { | |||
| int i, j; | |||
| uint16_t irr[ SYS_T + 1 ]; | |||
| for (i = 0; i < SYS_T; i++) { | |||
| irr[i] = PQCLEAN_MCELIECE348864_SSE_load2(in + i * 2); | |||
| irr[i] &= GFMASK; | |||
| } | |||
| irr[ SYS_T ] = 1; | |||
| for (i = 0; i < GFBITS; i++) { | |||
| out[i] = 0; | |||
| } | |||
| for (i = SYS_T; i >= 0; i--) { | |||
| for (j = 0; j < GFBITS; j++) { | |||
| out[j] <<= 1; | |||
| out[j] |= (irr[i] >> j) & 1; | |||
| } | |||
| } | |||
| } | |||
| void PQCLEAN_MCELIECE348864_SSE_store8(unsigned char *out, uint64_t in) { | |||
| out[0] = (in >> 0x00) & 0xFF; | |||
| out[1] = (in >> 0x08) & 0xFF; | |||
| out[2] = (in >> 0x10) & 0xFF; | |||
| out[3] = (in >> 0x18) & 0xFF; | |||
| out[4] = (in >> 0x20) & 0xFF; | |||
| out[5] = (in >> 0x28) & 0xFF; | |||
| out[6] = (in >> 0x30) & 0xFF; | |||
| out[7] = (in >> 0x38) & 0xFF; | |||
| } | |||
| uint64_t PQCLEAN_MCELIECE348864_SSE_load8(const unsigned char *in) { | |||
| int i; | |||
| uint64_t ret = in[7]; | |||
| for (i = 6; i >= 0; i--) { | |||
| ret <<= 8; | |||
| ret |= in[i]; | |||
| } | |||
| return ret; | |||
| } | |||
| gf PQCLEAN_MCELIECE348864_SSE_bitrev(gf a) { | |||
| a = ((a & 0x00FF) << 8) | ((a & 0xFF00) >> 8); | |||
| a = ((a & 0x0F0F) << 4) | ((a & 0xF0F0) >> 4); | |||
| a = ((a & 0x3333) << 2) | ((a & 0xCCCC) >> 2); | |||
| a = ((a & 0x5555) << 1) | ((a & 0xAAAA) >> 1); | |||
| return a >> 4; | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_load16(const unsigned char *in) { | |||
| return PQCLEAN_MCELIECE348864_SSE_vec128_set2x( PQCLEAN_MCELIECE348864_SSE_load8(in), PQCLEAN_MCELIECE348864_SSE_load8(in + 8) ); | |||
| } | |||
| void PQCLEAN_MCELIECE348864_SSE_store16(unsigned char *out, vec128 in) { | |||
| PQCLEAN_MCELIECE348864_SSE_store8(out + 0, PQCLEAN_MCELIECE348864_SSE_vec128_extract(in, 0)); | |||
| PQCLEAN_MCELIECE348864_SSE_store8(out + 8, PQCLEAN_MCELIECE348864_SSE_vec128_extract(in, 1)); | |||
| } | |||
+ 0
- 33
crypto_kem/mceliece/mceliece348864/sse/util.h
查看文件
| @@ -1,33 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_UTIL_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_UTIL_H | |||
| /* | |||
| This file is for loading/storing data in a little-endian fashion | |||
| */ | |||
| #include "gf.h" | |||
| #include "vec128.h" | |||
| #include <stdint.h> | |||
| void PQCLEAN_MCELIECE348864_SSE_store_i(unsigned char *out, uint64_t in, int i); | |||
| void PQCLEAN_MCELIECE348864_SSE_store2(unsigned char *dest, gf a); | |||
| uint16_t PQCLEAN_MCELIECE348864_SSE_load2(const unsigned char *src); | |||
| uint32_t PQCLEAN_MCELIECE348864_SSE_load4(const unsigned char *src); | |||
| void PQCLEAN_MCELIECE348864_SSE_irr_load(uint64_t *out, const unsigned char *in); | |||
| void PQCLEAN_MCELIECE348864_SSE_store8(unsigned char *out, uint64_t in); | |||
| uint64_t PQCLEAN_MCELIECE348864_SSE_load8(const unsigned char *in); | |||
| gf PQCLEAN_MCELIECE348864_SSE_bitrev(gf a); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_load16(const unsigned char *in); | |||
| void PQCLEAN_MCELIECE348864_SSE_store16(unsigned char *out, vec128 in); | |||
| #endif | |||
+ 0
- 17
crypto_kem/mceliece/mceliece348864/sse/vec.c
查看文件
| @@ -1,17 +0,0 @@ | |||
| #include "vec.h" | |||
| #include "params.h" | |||
| void PQCLEAN_MCELIECE348864_SSE_vec_mul(uint64_t *h, const uint64_t *f, const uint64_t *g) { | |||
| PQCLEAN_MCELIECE348864_SSE_vec_mul_asm(h, f, g, 8); | |||
| } | |||
| void PQCLEAN_MCELIECE348864_SSE_vec_add(uint64_t *h, const uint64_t *f, const uint64_t *g) { | |||
| int b; | |||
| for (b = 0; b < GFBITS; b++) { | |||
| h[b] = f[b] ^ g[b]; | |||
| } | |||
| } | |||
+ 0
- 11
crypto_kem/mceliece/mceliece348864/sse/vec.h
查看文件
| @@ -1,11 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_VEC_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_VEC_H | |||
| #include <stdint.h> | |||
| extern void PQCLEAN_MCELIECE348864_SSE_vec_mul_asm(uint64_t *, const uint64_t *, const uint64_t *, int); | |||
| void PQCLEAN_MCELIECE348864_SSE_vec_mul(uint64_t *h, const uint64_t *f, const uint64_t *g); | |||
| void PQCLEAN_MCELIECE348864_SSE_vec_add(uint64_t *h, const uint64_t *f, const uint64_t *g); | |||
| #endif | |||
+ 0
- 143
crypto_kem/mceliece/mceliece348864/sse/vec128.c
查看文件
| @@ -1,143 +0,0 @@ | |||
| /* | |||
| This file is for functions related to 128-bit vectors | |||
| including functions for bitsliced field operations | |||
| */ | |||
| #include "vec128.h" | |||
| #include "params.h" | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(uint16_t a) { | |||
| return _mm_set1_epi16(a); | |||
| } | |||
| int PQCLEAN_MCELIECE348864_SSE_vec128_testz(vec128 a) { | |||
| return _mm_testz_si128(a, a); | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_setzero(void) { | |||
| return _mm_setzero_si128(); | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_and(vec128 a, vec128 b) { | |||
| return _mm_and_si128(a, b); | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_xor(vec128 a, vec128 b) { | |||
| return _mm_xor_si128(a, b); | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_or(vec128 a, vec128 b) { | |||
| return _mm_or_si128(a, b); | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_sll_2x(vec128 a, int s) { | |||
| return _mm_slli_epi64(a, s); | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_srl_2x(vec128 a, int s) { | |||
| return _mm_srli_epi64(a, s); | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_set2x(uint64_t a0, uint64_t a1) { | |||
| return _mm_set_epi64x(a1, a0); | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_unpack_low(vec128 a, vec128 b) { | |||
| return _mm_unpacklo_epi64(a, b); | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_unpack_high(vec128 a, vec128 b) { | |||
| return _mm_unpackhi_epi64(a, b); | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_setbits(uint64_t a) { | |||
| return _mm_set1_epi64x(-a); | |||
| } | |||
| void PQCLEAN_MCELIECE348864_SSE_vec128_copy(vec128 *dest, const vec128 *src) { | |||
| int i; | |||
| for (i = 0; i < GFBITS; i++) { | |||
| dest[i] = src[i]; | |||
| } | |||
| } | |||
| void PQCLEAN_MCELIECE348864_SSE_vec128_add(vec128 *c, const vec128 *a, const vec128 *b) { | |||
| int i; | |||
| for (i = 0; i < GFBITS; i++) { | |||
| c[i] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(a[i], b[i]); | |||
| } | |||
| } | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_or_reduce(const vec128 *a) { | |||
| int i; | |||
| vec128 ret; | |||
| ret = a[0]; | |||
| for (i = 1; i < GFBITS; i++) { | |||
| ret = PQCLEAN_MCELIECE348864_SSE_vec128_or(ret, a[i]); | |||
| } | |||
| return ret; | |||
| } | |||
| /* bitsliced field multiplications */ | |||
| void PQCLEAN_MCELIECE348864_SSE_vec128_mul(vec128 *h, vec128 *f, const vec128 *g) { | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul_asm(h, f, g, 16); | |||
| } | |||
| /* bitsliced field squarings */ | |||
| void PQCLEAN_MCELIECE348864_SSE_vec128_sq(vec128 *out, const vec128 *in) { | |||
| int i; | |||
| vec128 result[GFBITS]; | |||
| result[0] = in[0] ^ in[6]; | |||
| result[1] = in[11]; | |||
| result[2] = in[1] ^ in[7]; | |||
| result[3] = in[6]; | |||
| result[4] = in[2] ^ in[11] ^ in[8]; | |||
| result[5] = in[7]; | |||
| result[6] = in[3] ^ in[9]; | |||
| result[7] = in[8]; | |||
| result[8] = in[4] ^ in[10]; | |||
| result[9] = in[9]; | |||
| result[10] = in[5] ^ in[11]; | |||
| result[11] = in[10]; | |||
| for (i = 0; i < GFBITS; i++) { | |||
| out[i] = result[i]; | |||
| } | |||
| } | |||
| /* bitsliced field inverses */ | |||
| void PQCLEAN_MCELIECE348864_SSE_vec128_inv(vec128 *out, const vec128 *in) { | |||
| vec128 tmp_11[ GFBITS ]; | |||
| vec128 tmp_1111[ GFBITS ]; | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_copy(out, in); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp_11, out, in); // 11 | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, tmp_11); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp_1111, out, tmp_11); // 1111 | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, tmp_1111); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(out, out, tmp_1111); // 11111111 | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(out, out, tmp_11); // 1111111111 | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out); | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_mul(out, out, in); // 11111111111 | |||
| PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out); // 111111111110 | |||
| } | |||
+ 0
- 42
crypto_kem/mceliece/mceliece348864/sse/vec128.h
查看文件
| @@ -1,42 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_SSE_VEC128_H | |||
| #define PQCLEAN_MCELIECE348864_SSE_VEC128_H | |||
| /* | |||
| This file is for functions related to 128-bit vectors | |||
| including functions for bitsliced field operations | |||
| */ | |||
| #include <immintrin.h> | |||
| #include <stdint.h> | |||
| typedef __m128i vec128; | |||
| // this needs to be a macro, because | |||
| // _mm_extract_epi64 requires a literal int argument. | |||
| #define PQCLEAN_MCELIECE348864_SSE_vec128_extract(a, i) ((uint64_t) _mm_extract_epi64((vec128) (a), (i))) | |||
| int PQCLEAN_MCELIECE348864_SSE_vec128_testz(vec128 a); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(uint16_t a); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_setzero(void); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_and(vec128 a, vec128 b); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_xor(vec128 a, vec128 b); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_or(vec128 a, vec128 b); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_sll_2x(vec128 a, int s); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_srl_2x(vec128 a, int s); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_set2x(uint64_t a0, uint64_t a1); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_unpack_low(vec128 a, vec128 b); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_unpack_high(vec128 a, vec128 b); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_setbits(uint64_t a); | |||
| void PQCLEAN_MCELIECE348864_SSE_vec128_copy(vec128 *dest, const vec128 *src); | |||
| void PQCLEAN_MCELIECE348864_SSE_vec128_add(vec128 *c, const vec128 *a, const vec128 *b); | |||
| vec128 PQCLEAN_MCELIECE348864_SSE_vec128_or_reduce(const vec128 *a); | |||
| extern void PQCLEAN_MCELIECE348864_SSE_vec128_mul_asm(vec128 *, vec128 *, const vec128 *, int); | |||
| /* bitsliced field multiplications */ | |||
| void PQCLEAN_MCELIECE348864_SSE_vec128_mul(vec128 *h, vec128 *f, const vec128 *g); | |||
| void PQCLEAN_MCELIECE348864_SSE_vec128_sq(vec128 * /*out*/, const vec128 * /*in*/); | |||
| void PQCLEAN_MCELIECE348864_SSE_vec128_inv(vec128 * /*out*/, const vec128 * /*in*/); | |||
| #endif | |||
+ 0
- 1736
crypto_kem/mceliece/mceliece348864/sse/vec128_mul_asm.S
文件差异内容过多而无法显示
查看文件
+ 0
- 1515
crypto_kem/mceliece/mceliece348864/sse/vec_mul_asm.S
文件差异内容过多而无法显示
查看文件
+ 0
- 356
crypto_kem/mceliece/mceliece348864/sse/vec_reduce_asm.S
查看文件
| @@ -1,356 +0,0 @@ | |||
| # qhasm: int64 input_0 | |||
| # qhasm: int64 input_1 | |||
| # qhasm: int64 input_2 | |||
| # qhasm: int64 input_3 | |||
| # qhasm: int64 input_4 | |||
| # qhasm: int64 input_5 | |||
| # qhasm: stack64 input_6 | |||
| # qhasm: stack64 input_7 | |||
| # qhasm: int64 caller_r11 | |||
| # qhasm: int64 caller_r12 | |||
| # qhasm: int64 caller_r13 | |||
| # qhasm: int64 caller_r14 | |||
| # qhasm: int64 caller_r15 | |||
| # qhasm: int64 caller_rbx | |||
| # qhasm: int64 caller_rbp | |||
| # qhasm: int64 t | |||
| # qhasm: int64 c | |||
| # qhasm: int64 r | |||
| # qhasm: enter vec_reduce_asm | |||
| .p2align 5 | |||
| .global _PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm | |||
| .global PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm | |||
| _PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm: | |||
| PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm: | |||
| mov %rsp,%r11 | |||
| and $31,%r11 | |||
| add $0,%r11 | |||
| sub %r11,%rsp | |||
| # qhasm: r = 0 | |||
| # asm 1: mov $0,>r=int64#7 | |||
| # asm 2: mov $0,>r=%rax | |||
| mov $0,%rax | |||
| # qhasm: t = mem64[ input_0 + 88 ] | |||
| # asm 1: movq 88(<input_0=int64#1),>t=int64#2 | |||
| # asm 2: movq 88(<input_0=%rdi),>t=%rsi | |||
| movq 88(%rdi),%rsi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#2, >c=int64#2 | |||
| # asm 2: popcnt <t=%rsi, >c=%rsi | |||
| popcnt %rsi, %rsi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#2d | |||
| # asm 2: and $1,<c=%esi | |||
| and $1,%esi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#2,<r=int64#7 | |||
| # asm 2: or <c=%rsi,<r=%rax | |||
| or %rsi,%rax | |||
| # qhasm: t = mem64[ input_0 + 80 ] | |||
| # asm 1: movq 80(<input_0=int64#1),>t=int64#2 | |||
| # asm 2: movq 80(<input_0=%rdi),>t=%rsi | |||
| movq 80(%rdi),%rsi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#2, >c=int64#2 | |||
| # asm 2: popcnt <t=%rsi, >c=%rsi | |||
| popcnt %rsi, %rsi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#2d | |||
| # asm 2: and $1,<c=%esi | |||
| and $1,%esi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#2,<r=int64#7 | |||
| # asm 2: or <c=%rsi,<r=%rax | |||
| or %rsi,%rax | |||
| # qhasm: t = mem64[ input_0 + 72 ] | |||
| # asm 1: movq 72(<input_0=int64#1),>t=int64#2 | |||
| # asm 2: movq 72(<input_0=%rdi),>t=%rsi | |||
| movq 72(%rdi),%rsi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#2, >c=int64#2 | |||
| # asm 2: popcnt <t=%rsi, >c=%rsi | |||
| popcnt %rsi, %rsi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#2d | |||
| # asm 2: and $1,<c=%esi | |||
| and $1,%esi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#2,<r=int64#7 | |||
| # asm 2: or <c=%rsi,<r=%rax | |||
| or %rsi,%rax | |||
| # qhasm: t = mem64[ input_0 + 64 ] | |||
| # asm 1: movq 64(<input_0=int64#1),>t=int64#2 | |||
| # asm 2: movq 64(<input_0=%rdi),>t=%rsi | |||
| movq 64(%rdi),%rsi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#2, >c=int64#2 | |||
| # asm 2: popcnt <t=%rsi, >c=%rsi | |||
| popcnt %rsi, %rsi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#2d | |||
| # asm 2: and $1,<c=%esi | |||
| and $1,%esi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#2,<r=int64#7 | |||
| # asm 2: or <c=%rsi,<r=%rax | |||
| or %rsi,%rax | |||
| # qhasm: t = mem64[ input_0 + 56 ] | |||
| # asm 1: movq 56(<input_0=int64#1),>t=int64#2 | |||
| # asm 2: movq 56(<input_0=%rdi),>t=%rsi | |||
| movq 56(%rdi),%rsi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#2, >c=int64#2 | |||
| # asm 2: popcnt <t=%rsi, >c=%rsi | |||
| popcnt %rsi, %rsi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#2d | |||
| # asm 2: and $1,<c=%esi | |||
| and $1,%esi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#2,<r=int64#7 | |||
| # asm 2: or <c=%rsi,<r=%rax | |||
| or %rsi,%rax | |||
| # qhasm: t = mem64[ input_0 + 48 ] | |||
| # asm 1: movq 48(<input_0=int64#1),>t=int64#2 | |||
| # asm 2: movq 48(<input_0=%rdi),>t=%rsi | |||
| movq 48(%rdi),%rsi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#2, >c=int64#2 | |||
| # asm 2: popcnt <t=%rsi, >c=%rsi | |||
| popcnt %rsi, %rsi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#2d | |||
| # asm 2: and $1,<c=%esi | |||
| and $1,%esi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#2,<r=int64#7 | |||
| # asm 2: or <c=%rsi,<r=%rax | |||
| or %rsi,%rax | |||
| # qhasm: t = mem64[ input_0 + 40 ] | |||
| # asm 1: movq 40(<input_0=int64#1),>t=int64#2 | |||
| # asm 2: movq 40(<input_0=%rdi),>t=%rsi | |||
| movq 40(%rdi),%rsi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#2, >c=int64#2 | |||
| # asm 2: popcnt <t=%rsi, >c=%rsi | |||
| popcnt %rsi, %rsi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#2d | |||
| # asm 2: and $1,<c=%esi | |||
| and $1,%esi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#2,<r=int64#7 | |||
| # asm 2: or <c=%rsi,<r=%rax | |||
| or %rsi,%rax | |||
| # qhasm: t = mem64[ input_0 + 32 ] | |||
| # asm 1: movq 32(<input_0=int64#1),>t=int64#2 | |||
| # asm 2: movq 32(<input_0=%rdi),>t=%rsi | |||
| movq 32(%rdi),%rsi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#2, >c=int64#2 | |||
| # asm 2: popcnt <t=%rsi, >c=%rsi | |||
| popcnt %rsi, %rsi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#2d | |||
| # asm 2: and $1,<c=%esi | |||
| and $1,%esi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#2,<r=int64#7 | |||
| # asm 2: or <c=%rsi,<r=%rax | |||
| or %rsi,%rax | |||
| # qhasm: t = mem64[ input_0 + 24 ] | |||
| # asm 1: movq 24(<input_0=int64#1),>t=int64#2 | |||
| # asm 2: movq 24(<input_0=%rdi),>t=%rsi | |||
| movq 24(%rdi),%rsi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#2, >c=int64#2 | |||
| # asm 2: popcnt <t=%rsi, >c=%rsi | |||
| popcnt %rsi, %rsi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#2d | |||
| # asm 2: and $1,<c=%esi | |||
| and $1,%esi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#2,<r=int64#7 | |||
| # asm 2: or <c=%rsi,<r=%rax | |||
| or %rsi,%rax | |||
| # qhasm: t = mem64[ input_0 + 16 ] | |||
| # asm 1: movq 16(<input_0=int64#1),>t=int64#2 | |||
| # asm 2: movq 16(<input_0=%rdi),>t=%rsi | |||
| movq 16(%rdi),%rsi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#2, >c=int64#2 | |||
| # asm 2: popcnt <t=%rsi, >c=%rsi | |||
| popcnt %rsi, %rsi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#2d | |||
| # asm 2: and $1,<c=%esi | |||
| and $1,%esi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#2,<r=int64#7 | |||
| # asm 2: or <c=%rsi,<r=%rax | |||
| or %rsi,%rax | |||
| # qhasm: t = mem64[ input_0 + 8 ] | |||
| # asm 1: movq 8(<input_0=int64#1),>t=int64#2 | |||
| # asm 2: movq 8(<input_0=%rdi),>t=%rsi | |||
| movq 8(%rdi),%rsi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#2, >c=int64#2 | |||
| # asm 2: popcnt <t=%rsi, >c=%rsi | |||
| popcnt %rsi, %rsi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#2d | |||
| # asm 2: and $1,<c=%esi | |||
| and $1,%esi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#2,<r=int64#7 | |||
| # asm 2: or <c=%rsi,<r=%rax | |||
| or %rsi,%rax | |||
| # qhasm: t = mem64[ input_0 + 0 ] | |||
| # asm 1: movq 0(<input_0=int64#1),>t=int64#1 | |||
| # asm 2: movq 0(<input_0=%rdi),>t=%rdi | |||
| movq 0(%rdi),%rdi | |||
| # qhasm: c = count(t) | |||
| # asm 1: popcnt <t=int64#1, >c=int64#1 | |||
| # asm 2: popcnt <t=%rdi, >c=%rdi | |||
| popcnt %rdi, %rdi | |||
| # qhasm: (uint32) c &= 1 | |||
| # asm 1: and $1,<c=int64#1d | |||
| # asm 2: and $1,<c=%edi | |||
| and $1,%edi | |||
| # qhasm: r <<= 1 | |||
| # asm 1: shl $1,<r=int64#7 | |||
| # asm 2: shl $1,<r=%rax | |||
| shl $1,%rax | |||
| # qhasm: r |= c | |||
| # asm 1: or <c=int64#1,<r=int64#7 | |||
| # asm 2: or <c=%rdi,<r=%rax | |||
| or %rdi,%rax | |||
| # qhasm: return r | |||
| add %r11,%rsp | |||
| ret | |||
+ 0
- 16
crypto_kem/mceliece/mceliece348864/vec/LICENSE
查看文件
| @@ -1,16 +0,0 @@ | |||
| Public Domain. | |||
| Authors of Classic McEliece in alphabetical order: | |||
| Daniel J. Bernstein, University of Illinois at Chicago | |||
| Tung Chou, Osaka University | |||
| Tanja Lange, Technische Universiteit Eindhoven | |||
| Ingo von Maurich, self | |||
| Rafael Misoczki, Intel Corporation | |||
| Ruben Niederhagen, Fraunhofer SIT | |||
| Edoardo Persichetti, Florida Atlantic University | |||
| Christiane Peters, self | |||
| Peter Schwabe, Radboud University | |||
| Nicolas Sendrier, Inria | |||
| Jakub Szefer, Yale University | |||
| Wen Wang, Yale University | |||
+ 0
- 25
crypto_kem/mceliece/mceliece348864/vec/Makefile.Microsoft_nmake
查看文件
| @@ -1,25 +0,0 @@ | |||
| # This Makefile can be used with GNU Make or BSD Make | |||
| LIBRARY = libmceliece348864_vec.lib | |||
| OBJECTS = aes256ctr.obj benes.obj bm.obj controlbits.obj decrypt.obj \ | |||
| encrypt.obj fft.obj fft_tr.obj gf.obj operations.obj pk_gen.obj \ | |||
| sk_gen.obj transpose.obj util.obj vec.obj | |||
| # Warning C4146 is raised when a unary minus operator is applied to an | |||
| # unsigned type; this has nonetheless been standard and portable for as | |||
| # long as there has been a C standard, and we do that a lot, especially | |||
| # for constant-time computations. Thus, we disable that spurious warning. | |||
| CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /wd4146 /WX | |||
| all: $(LIBRARY) | |||
| # Make sure objects are recompiled if headers change. | |||
| $(OBJECTS): *.h *.inc | |||
| $(LIBRARY): $(OBJECTS) | |||
| LIB.EXE /NOLOGO /WX /OUT:$@ $** | |||
| clean: | |||
| -DEL $(OBJECTS) | |||
| -DEL $(LIBRARY) | |||
+ 0
- 13
crypto_kem/mceliece/mceliece348864/vec/aes256ctr.c
查看文件
| @@ -1,13 +0,0 @@ | |||
| #include "aes256ctr.h" | |||
| void PQCLEAN_MCELIECE348864_VEC_aes256ctr( | |||
| uint8_t *out, | |||
| size_t outlen, | |||
| const uint8_t nonce[AESCTR_NONCEBYTES], | |||
| const uint8_t key[AES256_KEYBYTES]) { | |||
| aes256ctx state; | |||
| aes256_ctr_keyexp(&state, key); | |||
| aes256_ctr(out, outlen, nonce, &state); | |||
| aes256_ctx_release(&state); | |||
| } | |||
+ 0
- 17
crypto_kem/mceliece/mceliece348864/vec/aes256ctr.h
查看文件
| @@ -1,17 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_VEC_AES256CTR_H | |||
| #define PQCLEAN_MCELIECE348864_VEC_AES256CTR_H | |||
| #include <stddef.h> | |||
| #include <stdint.h> | |||
| #include "aes.h" | |||
| void PQCLEAN_MCELIECE348864_VEC_aes256ctr( | |||
| uint8_t *out, | |||
| size_t outlen, | |||
| const uint8_t nonce[AESCTR_NONCEBYTES], | |||
| const uint8_t key[AES256_KEYBYTES] | |||
| ); | |||
| #endif | |||
+ 0
- 32
crypto_kem/mceliece/mceliece348864/vec/api.h
查看文件
| @@ -1,32 +0,0 @@ | |||
| #ifndef PQCLEAN_MCELIECE348864_VEC_API_H | |||
| #define PQCLEAN_MCELIECE348864_VEC_API_H | |||
| #include <stdint.h> | |||
| #define PQCLEAN_MCELIECE348864_VEC_CRYPTO_ALGNAME "Classic McEliece 348864" | |||
| #define PQCLEAN_MCELIECE348864_VEC_CRYPTO_PUBLICKEYBYTES 261120 | |||
| #define PQCLEAN_MCELIECE348864_VEC_CRYPTO_SECRETKEYBYTES 6452 | |||
| #define PQCLEAN_MCELIECE348864_VEC_CRYPTO_CIPHERTEXTBYTES 128 | |||
| #define PQCLEAN_MCELIECE348864_VEC_CRYPTO_BYTES 32 | |||
| int PQCLEAN_MCELIECE348864_VEC_crypto_kem_enc( | |||
| uint8_t *c, | |||
| uint8_t *key, | |||
| const uint8_t *pk | |||
| ); | |||
| int PQCLEAN_MCELIECE348864_VEC_crypto_kem_dec( | |||
| uint8_t *key, | |||
| const uint8_t *c, | |||
| const uint8_t *sk | |||
| ); | |||
| int PQCLEAN_MCELIECE348864_VEC_crypto_kem_keypair | |||
| ( | |||
| uint8_t *pk, | |||
| uint8_t *sk | |||
| ); | |||
| #endif | |||