Browse Source

Use CMake

tags/v0.0.1
Henry Case 3 years ago
parent
commit
9d3e07e8d8
100 changed files with 164 additions and 28252 deletions
  1. +54
    -0
      .cmake/common.mk
  2. +107
    -333
      CMakeLists.txt
  3. +3
    -132
      README.md
  4. +0
    -8
      common/keccak4x/Makefile.Microsoft_nmake
  5. +0
    -21
      crypto_kem/frodo/frodokem1344shake/clean/LICENSE
  6. +0
    -19
      crypto_kem/frodo/frodokem1344shake/clean/Makefile.Microsoft_nmake
  7. +0
    -20
      crypto_kem/frodo/frodokem1344shake/clean/api.h
  8. +0
    -21
      crypto_kem/frodo/frodokem1344shake/clean/common.h
  9. +0
    -237
      crypto_kem/frodo/frodokem1344shake/clean/kem.c
  10. +0
    -79
      crypto_kem/frodo/frodokem1344shake/clean/matrix_shake.c
  11. +0
    -35
      crypto_kem/frodo/frodokem1344shake/clean/noise.c
  12. +0
    -27
      crypto_kem/frodo/frodokem1344shake/clean/params.h
  13. +0
    -264
      crypto_kem/frodo/frodokem1344shake/clean/util.c
  14. +0
    -21
      crypto_kem/frodo/frodokem1344shake/opt/LICENSE
  15. +0
    -19
      crypto_kem/frodo/frodokem1344shake/opt/Makefile.Microsoft_nmake
  16. +0
    -21
      crypto_kem/frodo/frodokem640shake/clean/LICENSE
  17. +0
    -19
      crypto_kem/frodo/frodokem640shake/clean/Makefile.Microsoft_nmake
  18. +0
    -20
      crypto_kem/frodo/frodokem640shake/clean/api.h
  19. +0
    -21
      crypto_kem/frodo/frodokem640shake/clean/common.h
  20. +0
    -237
      crypto_kem/frodo/frodokem640shake/clean/kem.c
  21. +0
    -79
      crypto_kem/frodo/frodokem640shake/clean/matrix_shake.c
  22. +0
    -35
      crypto_kem/frodo/frodokem640shake/clean/noise.c
  23. +0
    -27
      crypto_kem/frodo/frodokem640shake/clean/params.h
  24. +0
    -264
      crypto_kem/frodo/frodokem640shake/clean/util.c
  25. +0
    -21
      crypto_kem/frodo/frodokem640shake/opt/LICENSE
  26. +0
    -19
      crypto_kem/frodo/frodokem640shake/opt/Makefile.Microsoft_nmake
  27. +0
    -21
      crypto_kem/frodo/frodokem976shake/clean/LICENSE
  28. +0
    -19
      crypto_kem/frodo/frodokem976shake/clean/Makefile.Microsoft_nmake
  29. +0
    -20
      crypto_kem/frodo/frodokem976shake/clean/api.h
  30. +0
    -21
      crypto_kem/frodo/frodokem976shake/clean/common.h
  31. +0
    -237
      crypto_kem/frodo/frodokem976shake/clean/kem.c
  32. +0
    -79
      crypto_kem/frodo/frodokem976shake/clean/matrix_shake.c
  33. +0
    -35
      crypto_kem/frodo/frodokem976shake/clean/noise.c
  34. +0
    -27
      crypto_kem/frodo/frodokem976shake/clean/params.h
  35. +0
    -264
      crypto_kem/frodo/frodokem976shake/clean/util.c
  36. +0
    -21
      crypto_kem/frodo/frodokem976shake/opt/LICENSE
  37. +0
    -19
      crypto_kem/frodo/frodokem976shake/opt/Makefile.Microsoft_nmake
  38. +0
    -5
      crypto_kem/kyber/kyber1024/avx2/LICENSE
  39. +0
    -5
      crypto_kem/kyber/kyber1024/clean/LICENSE
  40. +0
    -23
      crypto_kem/kyber/kyber1024/clean/Makefile.Microsoft_nmake
  41. +0
    -5
      crypto_kem/kyber/kyber512/avx2/LICENSE
  42. +0
    -5
      crypto_kem/kyber/kyber512/clean/LICENSE
  43. +0
    -23
      crypto_kem/kyber/kyber512/clean/Makefile.Microsoft_nmake
  44. +0
    -5
      crypto_kem/kyber/kyber768/avx2/LICENSE
  45. +0
    -5
      crypto_kem/kyber/kyber768/clean/LICENSE
  46. +0
    -23
      crypto_kem/kyber/kyber768/clean/Makefile.Microsoft_nmake
  47. +0
    -16
      crypto_kem/mceliece/mceliece348864/avx/LICENSE
  48. +0
    -16
      crypto_kem/mceliece/mceliece348864/clean/LICENSE
  49. +0
    -24
      crypto_kem/mceliece/mceliece348864/clean/Makefile.Microsoft_nmake
  50. +0
    -16
      crypto_kem/mceliece/mceliece348864/sse/LICENSE
  51. +0
    -13
      crypto_kem/mceliece/mceliece348864/sse/aes256ctr.c
  52. +0
    -17
      crypto_kem/mceliece/mceliece348864/sse/aes256ctr.h
  53. +0
    -32
      crypto_kem/mceliece/mceliece348864/sse/api.h
  54. +0
    -287
      crypto_kem/mceliece/mceliece348864/sse/benes.c
  55. +0
    -15
      crypto_kem/mceliece/mceliece348864/sse/benes.h
  56. +0
    -220
      crypto_kem/mceliece/mceliece348864/sse/bm.c
  57. +0
    -17
      crypto_kem/mceliece/mceliece348864/sse/bm.h
  58. +0
    -32
      crypto_kem/mceliece/mceliece348864/sse/consts.S
  59. +0
    -448
      crypto_kem/mceliece/mceliece348864/sse/consts.inc
  60. +0
    -274
      crypto_kem/mceliece/mceliece348864/sse/controlbits.c
  61. +0
    -15
      crypto_kem/mceliece/mceliece348864/sse/controlbits.h
  62. +0
    -7
      crypto_kem/mceliece/mceliece348864/sse/crypto_hash.h
  63. +0
    -203
      crypto_kem/mceliece/mceliece348864/sse/decrypt.c
  64. +0
    -10
      crypto_kem/mceliece/mceliece348864/sse/decrypt.h
  65. +0
    -99
      crypto_kem/mceliece/mceliece348864/sse/encrypt.c
  66. +0
    -11
      crypto_kem/mceliece/mceliece348864/sse/encrypt.h
  67. +0
    -155
      crypto_kem/mceliece/mceliece348864/sse/fft.c
  68. +0
    -17
      crypto_kem/mceliece/mceliece348864/sse/fft.h
  69. +0
    -312
      crypto_kem/mceliece/mceliece348864/sse/fft_tr.c
  70. +0
    -13
      crypto_kem/mceliece/mceliece348864/sse/fft_tr.h
  71. +0
    -169
      crypto_kem/mceliece/mceliece348864/sse/gf.c
  72. +0
    -26
      crypto_kem/mceliece/mceliece348864/sse/gf.h
  73. +0
    -136
      crypto_kem/mceliece/mceliece348864/sse/operations.c
  74. +0
    -21
      crypto_kem/mceliece/mceliece348864/sse/params.h
  75. +0
    -329
      crypto_kem/mceliece/mceliece348864/sse/pk_gen.c
  76. +0
    -13
      crypto_kem/mceliece/mceliece348864/sse/pk_gen.h
  77. +0
    -448
      crypto_kem/mceliece/mceliece348864/sse/powers.inc
  78. +0
    -70
      crypto_kem/mceliece/mceliece348864/sse/scalars_2x.inc
  79. +0
    -98
      crypto_kem/mceliece/mceliece348864/sse/sk_gen.c
  80. +0
    -16
      crypto_kem/mceliece/mceliece348864/sse/sk_gen.h
  81. +0
    -740
      crypto_kem/mceliece/mceliece348864/sse/syndrome_asm.S
  82. +0
    -12
      crypto_kem/mceliece/mceliece348864/sse/transpose.c
  83. +0
    -16
      crypto_kem/mceliece/mceliece348864/sse/transpose.h
  84. +0
    -8145
      crypto_kem/mceliece/mceliece348864/sse/transpose_64x128_sp_asm.S
  85. +0
    -8467
      crypto_kem/mceliece/mceliece348864/sse/transpose_64x64_asm.S
  86. +0
    -354
      crypto_kem/mceliece/mceliece348864/sse/update_asm.S
  87. +0
    -106
      crypto_kem/mceliece/mceliece348864/sse/util.c
  88. +0
    -33
      crypto_kem/mceliece/mceliece348864/sse/util.h
  89. +0
    -17
      crypto_kem/mceliece/mceliece348864/sse/vec.c
  90. +0
    -11
      crypto_kem/mceliece/mceliece348864/sse/vec.h
  91. +0
    -143
      crypto_kem/mceliece/mceliece348864/sse/vec128.c
  92. +0
    -42
      crypto_kem/mceliece/mceliece348864/sse/vec128.h
  93. +0
    -1736
      crypto_kem/mceliece/mceliece348864/sse/vec128_mul_asm.S
  94. +0
    -1515
      crypto_kem/mceliece/mceliece348864/sse/vec_mul_asm.S
  95. +0
    -356
      crypto_kem/mceliece/mceliece348864/sse/vec_reduce_asm.S
  96. +0
    -16
      crypto_kem/mceliece/mceliece348864/vec/LICENSE
  97. +0
    -25
      crypto_kem/mceliece/mceliece348864/vec/Makefile.Microsoft_nmake
  98. +0
    -13
      crypto_kem/mceliece/mceliece348864/vec/aes256ctr.c
  99. +0
    -17
      crypto_kem/mceliece/mceliece348864/vec/aes256ctr.h
  100. +0
    -32
      crypto_kem/mceliece/mceliece348864/vec/api.h

+ 54
- 0
.cmake/common.mk View File

@@ -0,0 +1,54 @@
# Common function for defining algorithm component
function(define_crypto_alg name namespace src inc test_src)
add_library(
pqclean_${name}
OBJECT
${src}
)

target_include_directories(
pqclean_${name} PRIVATE
src/common
${inc}
)

target_compile_definitions(
pqclean_${name} PRIVATE
-DPQCLEAN_NAMESPACE=${namespace}
)

add_library(
pqclean_test_${name}
OBJECT
${test_src}
)

target_compile_definitions(
pqclean_test_${name} PRIVATE
-DPQCLEAN_NAMESPACE=${namespace}
)

target_include_directories(
pqclean_test_${name} PRIVATE
src/common
${inc}
)

add_executable(
test_runner_${name}
)
target_link_libraries(
test_runner_${name}

common
pqclean_${name}
pqclean_test_${name}
)
endfunction()

function(define_kem_alg name namespace src inc)
define_crypto_alg(${name} ${namespace} "${src}" "${inc}" ${PROJECT_SOURCE_DIR}/test/kem/testvectors.c)
endfunction()
function(define_sig_alg name namespace src inc)
define_crypto_alg(${name} ${namespace} "${src}" "${inc}" ${PROJECT_SOURCE_DIR}/test/sign/testvectors.c)
endfunction()

+ 107
- 333
CMakeLists.txt View File

@@ -66,6 +66,8 @@ if(CLANG)
-Wmissing-variable-declarations")
endif()

include(.cmake/common.mk)

# Control Debug/Release mode
if(CMAKE_BUILD_TYPE_LOWER STREQUAL "debug")
set(C_CXX_FLAGS "${C_CXX_FLAGS} -g3 -O0 -Wno-unused")
@@ -75,6 +77,7 @@ endif()

include_directories(
inc
src/common/
src
)

@@ -82,341 +85,125 @@ include_directories(
set(CMAKE_C_FLAGS "${C_CXX_FLAGS} -D${ARCH}")
set(CMAKE_CXX_FLAGS "${C_CXX_FLAGS} -D${ARCH}")

# Common function for defining algorithm component
function(define_crypto_alg name namespace src inc test_src)
add_library(
pqclean_${name}
OBJECT
${src}
)

target_include_directories(
pqclean_${name} PRIVATE
common
${inc}
)

target_compile_definitions(
pqclean_${name} PRIVATE
-DPQCLEAN_NAMESPACE=${namespace}
)

add_library(
pqclean_test_${name}
OBJECT
${test_src}
)

target_compile_definitions(
pqclean_test_${name} PRIVATE
-DPQCLEAN_NAMESPACE=${namespace}
)

target_include_directories(
pqclean_test_${name} PRIVATE
common
${inc}
)

add_executable(
test_runner_${name}
)
target_link_libraries(
test_runner_${name}

common
pqclean_${name}
pqclean_test_${name}
)
endfunction()

function(define_kem_alg name namespace src inc)
define_crypto_alg(${name} ${namespace} "${src}" "${inc}" test/crypto_kem/testvectors.c)
endfunction()
function(define_sig_alg name namespace src inc)
define_crypto_alg(${name} ${namespace} "${src}" "${inc}" test/crypto_sign/testvectors.c)
endfunction()

# Define sources of the components
set(
SRC_CLEAN_DILITHIUM2
crypto_sign/dilithium/dilithium2/clean/ntt.c
crypto_sign/dilithium/dilithium2/clean/packing.c
crypto_sign/dilithium/dilithium2/clean/poly.c
crypto_sign/dilithium/dilithium2/clean/polyvec.c
crypto_sign/dilithium/dilithium2/clean/reduce.c
crypto_sign/dilithium/dilithium2/clean/rounding.c
crypto_sign/dilithium/dilithium2/clean/sign.c
crypto_sign/dilithium/dilithium2/clean/symmetric-shake.c
)

set(
INC_CLEAN_DILITHIUM2
crypto_sign/dilithium/dilithium2/clean
)
define_sig_alg(dilithium2_clean
PQCLEAN_DILITHIUM2_CLEAN "${SRC_CLEAN_DILITHIUM2}" "${INC_CLEAN_DILITHIUM2}")

set(
SRC_CLEAN_DILITHIUM3
crypto_sign/dilithium/dilithium3/clean/ntt.c
crypto_sign/dilithium/dilithium3/clean/packing.c
crypto_sign/dilithium/dilithium3/clean/poly.c
crypto_sign/dilithium/dilithium3/clean/polyvec.c
crypto_sign/dilithium/dilithium3/clean/reduce.c
crypto_sign/dilithium/dilithium3/clean/rounding.c
crypto_sign/dilithium/dilithium3/clean/sign.c
crypto_sign/dilithium/dilithium3/clean/symmetric-shake.c
)

set(
INC_CLEAN_DILITHIUM3
crypto_sign/dilithium/dilithium3/clean
)
define_sig_alg(dilithium3_clean
PQCLEAN_DILITHIUM3_CLEAN "${SRC_CLEAN_DILITHIUM3}" "${INC_CLEAN_DILITHIUM3}")

set(
SRC_CLEAN_DILITHIUM5
crypto_sign/dilithium/dilithium5/clean/ntt.c
crypto_sign/dilithium/dilithium5/clean/packing.c
crypto_sign/dilithium/dilithium5/clean/poly.c
crypto_sign/dilithium/dilithium5/clean/polyvec.c
crypto_sign/dilithium/dilithium5/clean/reduce.c
crypto_sign/dilithium/dilithium5/clean/rounding.c
crypto_sign/dilithium/dilithium5/clean/sign.c
crypto_sign/dilithium/dilithium5/clean/symmetric-shake.c
)

set(
INC_CLEAN_DILITHIUM5
crypto_sign/dilithium/dilithium5/clean
)

define_sig_alg(dilithium5_clean
PQCLEAN_DILITHIUM5_CLEAN "${SRC_CLEAN_DILITHIUM5}" "${INC_CLEAN_DILITHIUM5}")

set(
SRC_CLEAN_KYBER512
crypto_kem/kyber/kyber512/clean/cbd.c
crypto_kem/kyber/kyber512/clean/indcpa.c
crypto_kem/kyber/kyber512/clean/kem.c
crypto_kem/kyber/kyber512/clean/ntt.c
crypto_kem/kyber/kyber512/clean/poly.c
crypto_kem/kyber/kyber512/clean/polyvec.c
crypto_kem/kyber/kyber512/clean/reduce.c
crypto_kem/kyber/kyber512/clean/symmetric-shake.c
crypto_kem/kyber/kyber512/clean/verify.c
)
set(
INC_CLEAN_KYBER512
crypto_kem/kyber/kyber512/clean
)
define_kem_alg(kyber512_clean
PQCLEAN_KYBER512_CLEAN "${SRC_CLEAN_KYBER512}" "${INC_CLEAN_KYBER512}")

set(
SRC_CLEAN_KYBER768
crypto_kem/kyber/kyber768/clean/cbd.c
crypto_kem/kyber/kyber768/clean/indcpa.c
crypto_kem/kyber/kyber768/clean/kem.c
crypto_kem/kyber/kyber768/clean/ntt.c
crypto_kem/kyber/kyber768/clean/poly.c
crypto_kem/kyber/kyber768/clean/polyvec.c
crypto_kem/kyber/kyber768/clean/reduce.c
crypto_kem/kyber/kyber768/clean/symmetric-shake.c
crypto_kem/kyber/kyber768/clean/verify.c
)
set(
INC_CLEAN_KYBER768
crypto_kem/kyber/kyber768/clean
)
define_kem_alg(kyber768_clean
PQCLEAN_KYBER768_CLEAN "${SRC_CLEAN_KYBER768}" "${INC_CLEAN_KYBER768}")

set(
SRC_CLEAN_KYBER1024
crypto_kem/kyber/kyber1024/clean/cbd.c
crypto_kem/kyber/kyber1024/clean/indcpa.c
crypto_kem/kyber/kyber1024/clean/kem.c
crypto_kem/kyber/kyber1024/clean/ntt.c
crypto_kem/kyber/kyber1024/clean/poly.c
crypto_kem/kyber/kyber1024/clean/polyvec.c
crypto_kem/kyber/kyber1024/clean/reduce.c
crypto_kem/kyber/kyber1024/clean/symmetric-shake.c
crypto_kem/kyber/kyber1024/clean/verify.c
)
set(
INC_CLEAN_KYBER1024
crypto_kem/kyber/kyber1024/clean
)
define_kem_alg(kyber1024_clean
PQCLEAN_KYBER1024_CLEAN "${SRC_CLEAN_KYBER1024}" "${INC_CLEAN_KYBER1024}")
add_subdirectory(src/sign/dilithium/dilithium2/clean)
add_subdirectory(src/sign/dilithium/dilithium3/clean)
add_subdirectory(src/sign/dilithium/dilithium5/clean)
add_subdirectory(src/sign/falcon/falcon-1024/clean)
add_subdirectory(src/sign/falcon/falcon-512/clean)
add_subdirectory(src/sign/rainbow/rainbowV-classic/clean)
add_subdirectory(src/sign/rainbow/rainbowI-classic/clean)
add_subdirectory(src/sign/rainbow/rainbowIII-classic/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-192f-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-256f-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-192f-robust/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-128f-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-256s-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-128s-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-128f-robust/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-192s-robust/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-128f-robust/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-128s-robust/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-256s-robust/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-192s-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-192s-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-192s-robust/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-192f-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-256s-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-128s-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-shake256-256f-robust/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-256f-robust/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-256f-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-256s-robust/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-128s-robust/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-128f-simple/clean)
add_subdirectory(src/sign/sphincs/sphincs-sha256-192f-robust/clean)

# AVX2 targets
if(${ARCH} STREQUAL "ARCH_x86_64")

set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -march=haswell")

set(
SRC_AVX2_DILITHIUM2
crypto_sign/dilithium/dilithium2/avx2/consts.c
crypto_sign/dilithium/dilithium2/avx2/f1600x4.S
crypto_sign/dilithium/dilithium2/avx2/fips202x4.c
crypto_sign/dilithium/dilithium2/avx2/invntt.S
crypto_sign/dilithium/dilithium2/avx2/ntt.S
crypto_sign/dilithium/dilithium2/avx2/packing.c
crypto_sign/dilithium/dilithium2/avx2/pointwise.S
crypto_sign/dilithium/dilithium2/avx2/poly.c
crypto_sign/dilithium/dilithium2/avx2/polyvec.c
crypto_sign/dilithium/dilithium2/avx2/rejsample.c
crypto_sign/dilithium/dilithium2/avx2/rounding.c
crypto_sign/dilithium/dilithium2/avx2/shuffle.S
crypto_sign/dilithium/dilithium2/avx2/sign.c
crypto_sign/dilithium/dilithium2/avx2/symmetric-shake.c)
set(
INC_AVX2_DILITHIUM2
crypto_sign/dilithium/dilithium2/avx2
)
define_sig_alg(dilithium2_avx2
PQCLEAN_DILITHIUM2_AVX2 "${SRC_AVX2_DILITHIUM2}" "${INC_AVX2_DILITHIUM2}")

set(
SRC_AVX2_DILITHIUM3
crypto_sign/dilithium/dilithium3/avx2/consts.c
crypto_sign/dilithium/dilithium3/avx2/f1600x4.S
crypto_sign/dilithium/dilithium3/avx2/fips202x4.c
crypto_sign/dilithium/dilithium3/avx2/invntt.S
crypto_sign/dilithium/dilithium3/avx2/ntt.S
crypto_sign/dilithium/dilithium3/avx2/packing.c
crypto_sign/dilithium/dilithium3/avx2/pointwise.S
crypto_sign/dilithium/dilithium3/avx2/poly.c
crypto_sign/dilithium/dilithium3/avx2/polyvec.c
crypto_sign/dilithium/dilithium3/avx2/rejsample.c
crypto_sign/dilithium/dilithium3/avx2/rounding.c
crypto_sign/dilithium/dilithium3/avx2/shuffle.S
crypto_sign/dilithium/dilithium3/avx2/sign.c
crypto_sign/dilithium/dilithium3/avx2/symmetric-shake.c)
set(
INC_AVX2_DILITHIUM3
crypto_sign/dilithium/dilithium3/avx2
)
define_sig_alg(dilithium3_avx2
PQCLEAN_DILITHIUM3_AVX2 "${SRC_AVX2_DILITHIUM3}" "${INC_AVX2_DILITHIUM3}")

set(
SRC_AVX2_DILITHIUM5
crypto_sign/dilithium/dilithium5/avx2/consts.c
crypto_sign/dilithium/dilithium5/avx2/f1600x4.S
crypto_sign/dilithium/dilithium5/avx2/fips202x4.c
crypto_sign/dilithium/dilithium5/avx2/invntt.S
crypto_sign/dilithium/dilithium5/avx2/ntt.S
crypto_sign/dilithium/dilithium5/avx2/packing.c
crypto_sign/dilithium/dilithium5/avx2/pointwise.S
crypto_sign/dilithium/dilithium5/avx2/poly.c
crypto_sign/dilithium/dilithium5/avx2/polyvec.c
crypto_sign/dilithium/dilithium5/avx2/rejsample.c
crypto_sign/dilithium/dilithium5/avx2/rounding.c
crypto_sign/dilithium/dilithium5/avx2/shuffle.S
crypto_sign/dilithium/dilithium5/avx2/sign.c
crypto_sign/dilithium/dilithium5/avx2/symmetric-shake.c)
set(
INC_AVX2_DILITHIUM5
crypto_sign/dilithium/dilithium5/avx2
)
define_sig_alg(dilithium5_avx2
PQCLEAN_DILITHIUM5_AVX2 "${SRC_AVX2_DILITHIUM5}" "${INC_AVX2_DILITHIUM5}")

set(
SRC_AVX2_KYBER512
crypto_kem/kyber/kyber512/avx2/cbd.c
crypto_kem/kyber/kyber512/avx2/consts.c
crypto_kem/kyber/kyber512/avx2/fips202x4.c
crypto_kem/kyber/kyber512/avx2/indcpa.c
crypto_kem/kyber/kyber512/avx2/kem.c
crypto_kem/kyber/kyber512/avx2/poly.c
crypto_kem/kyber/kyber512/avx2/polyvec.c
crypto_kem/kyber/kyber512/avx2/rejsample.c
crypto_kem/kyber/kyber512/avx2/symmetric-shake.c
crypto_kem/kyber/kyber512/avx2/verify.c
crypto_kem/kyber/kyber512/avx2/basemul.S
crypto_kem/kyber/kyber512/avx2/fq.S
crypto_kem/kyber/kyber512/avx2/invntt.S
crypto_kem/kyber/kyber512/avx2/ntt.S
crypto_kem/kyber/kyber512/avx2/shuffle.S
)
set(
INC_AVX2_KYBER512
crypto_kem/kyber/kyber512/avx2
)
define_kem_alg(kyber512_avx2
PQCLEAN_KYBER512_AVX2 "${SRC_AVX2_KYBER512}" "${INC_AVX2_KYBER512}")

set(
SRC_AVX2_KYBER768
crypto_kem/kyber/kyber768/avx2/cbd.c
crypto_kem/kyber/kyber768/avx2/consts.c
crypto_kem/kyber/kyber768/avx2/fips202x4.c
crypto_kem/kyber/kyber768/avx2/indcpa.c
crypto_kem/kyber/kyber768/avx2/kem.c
crypto_kem/kyber/kyber768/avx2/poly.c
crypto_kem/kyber/kyber768/avx2/polyvec.c
crypto_kem/kyber/kyber768/avx2/rejsample.c
crypto_kem/kyber/kyber768/avx2/symmetric-shake.c
crypto_kem/kyber/kyber768/avx2/verify.c
crypto_kem/kyber/kyber768/avx2/basemul.S
crypto_kem/kyber/kyber768/avx2/fq.S
crypto_kem/kyber/kyber768/avx2/invntt.S
crypto_kem/kyber/kyber768/avx2/ntt.S
crypto_kem/kyber/kyber768/avx2/shuffle.S
)
set(
INC_AVX2_KYBER768
crypto_kem/kyber/kyber768/avx2
)
define_kem_alg(kyber768_avx2
PQCLEAN_KYBER768_AVX2 "${SRC_AVX2_KYBER768}" "${INC_AVX2_KYBER768}")

set(
SRC_AVX2_KYBER1024
crypto_kem/kyber/kyber1024/avx2/cbd.c
crypto_kem/kyber/kyber1024/avx2/consts.c
crypto_kem/kyber/kyber1024/avx2/fips202x4.c
crypto_kem/kyber/kyber1024/avx2/indcpa.c
crypto_kem/kyber/kyber1024/avx2/kem.c
crypto_kem/kyber/kyber1024/avx2/poly.c
crypto_kem/kyber/kyber1024/avx2/polyvec.c
crypto_kem/kyber/kyber1024/avx2/rejsample.c
crypto_kem/kyber/kyber1024/avx2/symmetric-shake.c
crypto_kem/kyber/kyber1024/avx2/verify.c
crypto_kem/kyber/kyber1024/avx2/basemul.S
crypto_kem/kyber/kyber1024/avx2/fq.S
crypto_kem/kyber/kyber1024/avx2/invntt.S
crypto_kem/kyber/kyber1024/avx2/ntt.S
crypto_kem/kyber/kyber1024/avx2/shuffle.S
)
set(
INC_AVX2_KYBER1024
crypto_kem/kyber/kyber1024/avx2
)
define_kem_alg(kyber1024_avx2
PQCLEAN_KYBER1024_AVX2 "${SRC_AVX2_KYBER1024}" "${INC_AVX2_KYBER1024}")

set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -march=native -mtune=native")
add_subdirectory(src/sign/falcon/falcon-512/avx2)
add_subdirectory(src/sign/falcon/falcon-1024/avx2)
add_subdirectory(src/sign/dilithium/dilithium2/avx2)
add_subdirectory(src/sign/dilithium/dilithium3/avx2)
add_subdirectory(src/sign/dilithium/dilithium5/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-128s-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-128f-robust/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-128s-robust/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-128f-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-192s-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-192f-robust/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-192s-robust/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-192f-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-256f-robust/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-256f-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-256s-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-shake256-256s-robust/avx2)

add_subdirectory(src/sign/sphincs/sphincs-sha256-128f-robust/avx2)
add_subdirectory(src/sign/sphincs/sphincs-sha256-128s-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-sha256-128s-robust/avx2)
add_subdirectory(src/sign/sphincs/sphincs-sha256-128f-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-sha256-192s-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-sha256-192f-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-sha256-192s-robust/avx2)
add_subdirectory(src/sign/sphincs/sphincs-sha256-192f-robust/avx2)

add_subdirectory(src/sign/sphincs/sphincs-sha256-256s-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-sha256-256f-robust/avx2)
add_subdirectory(src/sign/sphincs/sphincs-sha256-256f-simple/avx2)
add_subdirectory(src/sign/sphincs/sphincs-sha256-256s-robust/avx2)
endif()

# The rest of the library
set(SRC_COMMON_GENERIC
common/fips202.c
common/sp800-185.c
common/randombytes.c
src/common/aes.c
src/common/fips202.c
src/common/sp800-185.c
src/common/randombytes.c
src/common/sha2.c
)

if(${ARCH} STREQUAL "ARCH_x86_64")
set(SRC_COMMON_AVX2
common/keccak4x/KeccakP-1600-times4-SIMD256.c
)
src/common/keccak4x/KeccakP-1600-times4-SIMD256.c
)

# KEM - AVX2
add_subdirectory(src/kem/kyber/kyber512/avx2)
add_subdirectory(src/kem/kyber/kyber768/avx2)
add_subdirectory(src/kem/kyber/kyber1024/avx2)
add_subdirectory(src/kem/saber/lightsaber/avx2)
add_subdirectory(src/kem/saber/firesaber/avx2)
add_subdirectory(src/kem/saber/saber/avx2)
add_subdirectory(src/kem/ntru/ntruhps4096821/avx2)
add_subdirectory(src/kem/ntru/ntruhps2048509/avx2)
add_subdirectory(src/kem/ntru/ntruhrss701/avx2)
add_subdirectory(src/kem/ntru/ntruhps2048677/avx2)
add_subdirectory(src/kem/ntru_prime/ntrulpr761/avx2)
add_subdirectory(src/kem/ntru_prime/ntrulpr653/avx2)
add_subdirectory(src/kem/ntru_prime/ntrulpr857/avx2)
endif()

# KEM - clean
add_subdirectory(src/kem/kyber/kyber512/clean)
add_subdirectory(src/kem/kyber/kyber768/clean)
add_subdirectory(src/kem/kyber/kyber1024/clean)
add_subdirectory(src/kem/saber/lightsaber/clean)
add_subdirectory(src/kem/saber/firesaber/clean)
add_subdirectory(src/kem/saber/saber/clean)
add_subdirectory(src/kem/frodo/frodokem640shake/clean)
add_subdirectory(src/kem/frodo/frodokem976shake/clean)
add_subdirectory(src/kem/frodo/frodokem1344shake/clean)
add_subdirectory(src/kem/ntru/ntruhps4096821/clean)
add_subdirectory(src/kem/ntru/ntruhps2048509/clean)
add_subdirectory(src/kem/ntru/ntruhrss701/clean)
add_subdirectory(src/kem/ntru/ntruhps2048677/clean)
add_subdirectory(src/kem/ntru_prime/ntrulpr761/clean)
add_subdirectory(src/kem/ntru_prime/ntrulpr653/clean)
add_subdirectory(src/kem/ntru_prime/ntrulpr857/clean)

add_library(
common
OBJECT
@@ -449,16 +236,3 @@ target_link_libraries(
pqclean_dilithium3_clean
pqclean_dilithium5_clean
)

# TODO: this requires changes to testvectors.c
# add_executable(
# test
# )
#
# target_link_libraries(
# test
# pqclean_s
# pqclean_test_dilithium2_clean
# pqclean_test_dilithium3_clean
# pqclean_test_dilithium5_clean
# )

+ 3
- 132
README.md View File

@@ -1,79 +1,8 @@
# PQClean
# PQ Crypto Catalog

_[See the build status for each component here](.github/workflows/BADGES.md)_
This is a repository of post-quantum schemes coppied from the submission to the NIST Post-Quantum Standarization. The sources were cloned from the PQClean project to form new library. The goal of the library is mainly experimentation.

**PQClean**, in short, is an effort to collect **clean** implementations of the post-quantum
schemes that are in the
[NIST post-quantum project](https://csrc.nist.gov/projects/post-quantum-cryptography).
The goal of PQClean is to provide *standalone implementations* that

* can easily be integrated into libraries such as [liboqs](https://openquantumsafe.org/#liboqs).
* can efficiently upstream into higher-level protocol integration efforts such as [Open Quantum Safe](https://openquantumsafe.org/#integrations);
* can easily be integrated into benchmarking frameworks such as [SUPERCOP](https://bench.cr.yp.to/supercop.html);
* can easily be integrated into frameworks targeting embedded platforms such as [pqm4](https://github.com/mupq/pqm4);
* are suitable starting points for architecture-specific optimized implementations;
* are suitable starting points for evaluation of implementation security; and
* are suitable targets for formal verification.

What PQClean is **not** aiming for is

* a build system producing an integrated library of all schemes;
* including benchmarking of implementations; and
* including integration into higher-level applications or protocols.

As a first main target, we are collecting C implementations that fulfill the requirements
listed below. We also accept optimised implementations, but still requiring high-quality, tested code.

Please also review our [guidelines for contributors](CONTRIBUTING.md) if you are interested in adding a scheme to PQClean.

## Requirements on C implementations that are automatically checked

_The checking of items on this list is still being developed. Checked items should be working._

* [x] Code is valid C99
* [x] Passes functional tests
* [x] API functions do not write outside provided buffers
* [x] `api.h` cannot include external files
* [x] Compiles with `-Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes` with `gcc` and `clang`
* [x] `#if`/`#ifdef`s only for header encapsulation
* [x] Consistent test vectors across runs
* [x] Consistent test vectors on big-endian and little-endian machines
* [x] Consistent test vectors on 32-bit and 64-bit machines
* [x] `const` arguments are labeled as `const`
* [x] No errors/warnings reported by valgrind
* [x] No errors/warnings reported by address sanitizer
* [x] Only dependencies: `fips202.c`, `sha2.c`, `aes.c`, `randombytes.c`
* [x] API functions return `0` on success
* [x] No dynamic memory allocations (including variable-length arrays)
* [ ] No branching on secret data (dynamically checked using valgrind)
* [ ] No access to secret memory locations (dynamically checked using valgrind)
* [x] Separate subdirectories (without symlinks) for each parameter set of each scheme
* [x] Builds under Linux, MacOS, and Windows
* [x] Linux
* [x] MacOS
* [x] Windows
* [x] Makefile-based build for each separate scheme
* [x] Makefile-based build for Windows (`nmake`)
* [x] All exported symbols are namespaced with `PQCLEAN_SCHEMENAME_`
* [x] Each implementation comes with a `LICENSE` file (see below)
* [x] Each scheme comes with a `META.yml` file giving details about version of the algorithm, designers
* [x] Each individual implementation is specified in `META.yml`.


## Requirements on C implementations that are manually checked

* Minimalist Makefiles
* No stringification macros
* Output-parameter pointers in functions are on the left
* All exported symbols are namespaced in place
* Integer types are of fixed size where relevant, using `stdint.h` types (optional, recommended)
* Integers used for indexing memory are of size `size_t` (optional, recommended)
* Variable declarations at the beginning (except in `for (size_t i=...`) (optional, recommended)

## Schemes currently in PQClean

For the following schemes we have implementations of one or more of their parameter sets.
For all of these schemes we have clean C code, but for some we also have optimised code.
## Schemes

### Key Encapsulation Mechanisms

@@ -120,61 +49,3 @@ int PQCLEAN_SCHEME_IMPL_crypto_sign_verify(
const uint8_t *m, size_t mlen,
const uint8_t *pk);
```

## Building PQClean

As noted above, PQClean is **not** meant to be built as a single library: it is a collection of source code that can be easily integrated into other libraries. The PQClean repository includes various test programs which do build various files, but you should not use the resulting binaries.

List of required dependencies: ``gcc or clang, make, python3, python-yaml library, valgrind, astyle (>= 3.0)``.

## Using source code from PQClean in your own project

Each implementation directory in PQClean (e.g., crypto\_kem/kyber768\clean) can be extracted for use in your own project. You will need to:

1. Copy the source code from the implementation's directory into your project.
2. Add the files to your project's build system.
3. Provide instantiations of any of the common cryptographic algorithms used by the implementation. This likely includes `common/randombytes.h` (a cryptographic random number generator), and possibly `common/sha2.h` (the SHA-2 hash function family), `common/aes.h` (AES implementations), `common/fips202.h` (the SHA-3 hash function family) and `common/sp800-185.h` (the cSHAKE family).

Regarding #2, adding the files to your project's build system, each implementation in PQClean is accompanied by example two makefiles that show how one could build the files for that implementation:

- The file `Makefile` which can be used with GNU Make, BSD Make, and possibly others.
- The file `Makefile.Microsoft_nmake` which can be used with Visual Studio's nmake.

## Projects integrating PQClean-distributed source code

The following projects consume implementations from PQClean and provide their own wrappers around the implementations.
Their integration strategies may serve as examples for your own projects.

- **[pqcrypto crate](https://github.com/rustpq/pqcrypto)**: Rust integration that automatically generates wrappers from PQClean source code.
- **[mupq](https://github.com/mupq/)**: Runs the implementations from PQClean as reference implementations to compare with microcontroller-optimized code.
- **[Open Quantum Safe](https://github.com/open-quantum-safe/)**: The Open Quantum Safe project integrates implementations from PQClean into their [liboqs](https://github.com/open-quantum-safe/liboqs/) C library, which then exposes them via [C++](https://github.com/open-quantum-safe/liboqs-cpp), [C# / .NET](https://github.com/open-quantum-safe/liboqs-dotnet), and [Python](https://github.com/open-quantum-safe/liboqs-python) wrappers, as well as to forks of [OpenSSL](https://github.com/open-quantum-safe/openssl) and [OpenSSH](https://github.com/open-quantum-safe/openssh-portable).

## License

Each subdirectory containing implementations contains a `LICENSE` file stating under what license that specific implementation is released.
The files in `common` contain licensing information at the top of the file (and are currently either public domain or MIT).
All other code in this repository is released under the conditions of [CC0](http://creativecommons.org/publicdomain/zero/1.0/).

## Running tests locally

See https://github.com/PQClean/PQClean/wiki/Test-framework for details about the PQClean test framework.

While we run extensive automatic testing on Github Actions ((emulated) Linux builds, MacOS and Windows builds) and [Travis CI][travis-pqc] (Aarch64 builds), and most tests can also be run locally.
To do this, make sure the following is installed:

* Python 3.6+
* `pytest` for python 3.

We also recommend installing ``pytest-xdist`` to allow running tests in parallel.

You will also need to make sure the submodules are initialized by running:

```
git submodule update --init
```

Run the Python-based tests by going into the `test` directory and running `pytest -v` or (recommended) `pytest -n=auto` for parallel testing.

You may also run `python3 <testmodule>` where `<testmodule>` is any of the files starting with `test_` in the `test/` folder.

[travis-pqc]: https://travis-ci.com/PQClean/PQClean/

+ 0
- 8
common/keccak4x/Makefile.Microsoft_nmake View File

@@ -1,8 +0,0 @@
KeccakP-1600-times4-SIMD256.obj: KeccakP-1600-times4-SIMD256.c \
align.h brg_endian.h KeccakP-1600-times4-SnP.h \
KeccakP-1600-unrolling.macros SIMD256-config.h
$(CC) /nologo /c /O2 /W4 /WX /arch:AVX2 KeccakP-1600-times4-SIMD256.c

.PHONY: clean
clean:
$(RM) KeccakP-1600-times4-SIMD256.obj

+ 0
- 21
crypto_kem/frodo/frodokem1344shake/clean/LICENSE View File

@@ -1,21 +0,0 @@
MIT License

Copyright (c) Microsoft Corporation. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE

+ 0
- 19
crypto_kem/frodo/frodokem1344shake/clean/Makefile.Microsoft_nmake View File

@@ -1,19 +0,0 @@
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
# nmake /f Makefile.Microsoft_nmake

LIBRARY=libfrodokem1344shake_clean.lib
OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj

CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX

all: $(LIBRARY)

# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h

$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**

clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

+ 0
- 20
crypto_kem/frodo/frodokem1344shake/clean/api.h View File

@@ -1,20 +0,0 @@
#ifndef PQCLEAN_FRODOKEM1344SHAKE_CLEAN_API_H
#define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_API_H

#include <stddef.h>
#include <stdint.h>

#define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES 43088 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH
#define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES 21520 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8
#define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_BYTES 32
#define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES 21632 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8

#define PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_ALGNAME "FrodoKEM-1344-SHAKE"

int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);

int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);

int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);

#endif

+ 0
- 21
crypto_kem/frodo/frodokem1344shake/clean/common.h View File

@@ -1,21 +0,0 @@
#ifndef COMMON_H
#define COMMON_H

int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(uint16_t *s, size_t n);
void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s);
void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e);
void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b);
void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b);
void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in);
void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in);
void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb);
void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb);
int8_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len);
void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector);
void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n);
uint16_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(uint16_t n);
uint16_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_UINT16_TO_LE(uint16_t n);

#endif

+ 0
- 237
crypto_kem/frodo/frodokem1344shake/clean/kem.c View File

@@ -1,237 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: Key Encapsulation Mechanism (KEM) based on Frodo
*********************************************************************************************/

#include <stdint.h>
#include <string.h>

#include "fips202.h"
#include "randombytes.h"

#include "api.h"
#include "common.h"
#include "params.h"

int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
// FrodoKEM's key generation
// Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes)
// secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes)
uint8_t *pk_seedA = &pk[0];
uint8_t *pk_b = &pk[BYTES_SEED_A];
uint8_t *sk_s = &sk[0];
uint8_t *sk_pk = &sk[CRYPTO_BYTES];
uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES];
uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR];
uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data
uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data
uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE
uint8_t *randomness_s = &randomness[0]; // contains secret data
uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data
uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES];
uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data

// Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key
randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A);
shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A);

// Generate S and E, and compute B = A*S + E. Generate A on-the-fly
shake_input_seedSE[0] = 0x5F;
memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES);
shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES);
for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) {
S[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(S[i]);
}
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(S, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(E, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_as_plus_e(B, S, E, pk);

// Encode the second part of the public key
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ);

// Add s, pk and S to the secret key
memcpy(sk_s, randomness_s, CRYPTO_BYTES);
memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES);
for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
S[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_UINT16_TO_LE(S[i]);
}
memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR);

// Add H(pk) to the secret key
shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES);

// Cleanup:
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(randomness, 2 * CRYPTO_BYTES);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES);
return 0;
}


int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {
// FrodoKEM's key encapsulation
const uint8_t *pk_seedA = &pk[0];
const uint8_t *pk_b = &pk[BYTES_SEED_A];
uint8_t *ct_c1 = &ct[0];
uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8];
uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data
uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0};
uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data
uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data
uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data
uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu
uint8_t *pkh = &G2in[0];
uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data
uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data
uint8_t *seedSE = &G2out[0]; // contains secret data
uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data
uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k
uint8_t *Fin_ct = &Fin[0];
uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data
uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data

// pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu)
shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES);
randombytes(mu, BYTES_MU);
shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU);

// Generate Sp and Ep, and compute Bp = Sp*A + Ep. Generate A on-the-fly
shake_input_seedSE[0] = 0x96;
memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES);
shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES);
for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) {
Sp[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(Sp[i]);
}
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ);

// Generate Epp, and compute V = Sp*B + Epp
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sb_plus_e(V, B, Sp, Epp);

// Encode mu, and compute C = V + enc(mu) (mod q)
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_encode(C, (uint16_t *)mu);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_add(C, V, C);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ);

// Compute ss = F(ct||KK)
memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES);
memcpy(Fin_k, k, CRYPTO_BYTES);
shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES);

// Cleanup:
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(mu, BYTES_MU);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES);
return 0;
}


int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {
// FrodoKEM's key decapsulation
uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data
uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0};
uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0};
uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data
uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data
uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data
const uint8_t *ct_c1 = &ct[0];
const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8];
const uint8_t *sk_s = &sk[0];
const uint8_t *sk_pk = &sk[CRYPTO_BYTES];
const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES];
uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data
const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR];
const uint8_t *pk_seedA = &sk_pk[0];
const uint8_t *pk_b = &sk_pk[BYTES_SEED_A];
uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime
uint8_t *pkh = &G2in[0];
uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data
uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data
uint8_t *seedSEprime = &G2out[0]; // contains secret data
uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data
uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k
uint8_t *Fin_ct = &Fin[0];
uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data
uint8_t shake_input_seedSEprime[1 + CRYPTO_BYTES]; // contains secret data

for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8);
}

// Compute W = C - Bp*S (mod q), and decode the randomness mu
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_bs(W, Bp, S);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sub(W, C, W);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_decode((uint16_t *)muprime, W);

// Generate (seedSE' || k') = G_2(pkh || mu')
memcpy(pkh, sk_pkh, BYTES_PKHASH);
shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU);

// Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly
shake_input_seedSEprime[0] = 0x96;
memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES);
shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES);
for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) {
Sp[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(Sp[i]);
}
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA);

// Generate Epp, and compute W = Sp*B + Epp
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sb_plus_e(W, B, Sp, Epp);

// Encode mu, and compute CC = W + enc(mu') (mod q)
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_encode(CC, (uint16_t *)muprime);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_add(CC, W, CC);

// Prepare input to F
memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES);

// Reducing BBp modulo q
for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1);
}

// If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s)
// Needs to avoid branching on secret data as per:
// Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum
// primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020.
int8_t selector = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR);
// If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s)
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector);
shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES);

// Cleanup:
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(muprime, BYTES_MU);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES);
PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES);
return 0;
}

+ 0
- 79
crypto_kem/frodo/frodokem1344shake/clean/matrix_shake.c View File

@@ -1,79 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: matrix arithmetic functions used by the KEM
*********************************************************************************************/

#include <stdint.h>
#include <string.h>

#include "fips202.h"

#include "api.h"
#include "common.h"
#include "params.h"

int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
// Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right.
// Inputs: s, e (N x N_BAR)
// Output: out = A*s + e (N x N_BAR)
int i, j, k;
int16_t A[PARAMS_N * PARAMS_N] = {0};

uint8_t seed_A_separated[2 + BYTES_SEED_A];
uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated;
memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A);
for (i = 0; i < PARAMS_N; i++) {
seed_A_origin[0] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i);
shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A);
}
for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
A[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(A[i]);
}
memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t));

for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e
for (k = 0; k < PARAMS_NBAR; k++) {
uint16_t sum = 0;
for (j = 0; j < PARAMS_N; j++) {
sum += A[i * PARAMS_N + j] * s[k * PARAMS_N + j];
}
out[i * PARAMS_NBAR + k] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on.
}
}

return 1;
}


int PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
// Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left.
// Inputs: s', e' (N_BAR x N)
// Output: out = s'*A + e' (N_BAR x N)
int i, j, k;
int16_t A[PARAMS_N * PARAMS_N] = {0};

uint8_t seed_A_separated[2 + BYTES_SEED_A];
uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated;
memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A);
for (i = 0; i < PARAMS_N; i++) {
seed_A_origin[0] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i);
shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A);
}
for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
A[i] = PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(A[i]);
}
memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t));

for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e
for (k = 0; k < PARAMS_NBAR; k++) {
uint16_t sum = 0;
for (j = 0; j < PARAMS_N; j++) {
sum += A[j * PARAMS_N + i] * s[k * PARAMS_N + j];
}
out[k * PARAMS_N + i] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on.
}
}

return 1;
}

+ 0
- 35
crypto_kem/frodo/frodokem1344shake/clean/noise.c View File

@@ -1,35 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: noise sampling functions
*********************************************************************************************/

#include <stdint.h>

#include "api.h"
#include "common.h"
#include "params.h"

static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA;

void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sample_n(uint16_t *s, size_t n) {
// Fills vector s with n samples from the noise distribution which requires 16 bits to sample.
// The distribution is specified by its CDF.
// Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output.
size_t i;
unsigned int j;

for (i = 0; i < n; ++i) {
uint16_t sample = 0;
uint16_t prnd = s[i] >> 1; // Drop the least significant bit
uint16_t sign = s[i] & 0x1; // Pick the least significant bit

// No need to compare with the last value.
for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) {
// Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits.
sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15;
}
// Assuming that sign is either 0 or 1, flips sample iff sign = 1
s[i] = ((-sign) ^ sample) + sign;
}
}

+ 0
- 27
crypto_kem/frodo/frodokem1344shake/clean/params.h View File

@@ -1,27 +0,0 @@
#ifndef PARAMS_H
#define PARAMS_H

#define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES
#define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES
#define CRYPTO_BYTES PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_BYTES
#define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM1344SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES

#define PARAMS_N 1344
#define PARAMS_NBAR 8
#define PARAMS_LOGQ 16
#define PARAMS_Q (1 << PARAMS_LOGQ)
#define PARAMS_EXTRACTED_BITS 4
#define PARAMS_STRIPE_STEP 8
#define PARAMS_PARALLEL 4
#define BYTES_SEED_A 16
#define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8)
#define BYTES_PKHASH CRYPTO_BYTES

// Selecting SHAKE XOF function for the KEM and noise sampling
#define shake shake256

// CDF table
#define CDF_TABLE_DATA {9142, 23462, 30338, 32361, 32725, 32765, 32767}
#define CDF_TABLE_LEN 7

#endif

+ 0
- 264
crypto_kem/frodo/frodokem1344shake/clean/util.c View File

@@ -1,264 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: additional functions for FrodoKEM
*********************************************************************************************/

#include <stdint.h>
#include <string.h>

#include "api.h"
#include "common.h"
#include "params.h"

static inline uint8_t min(uint8_t x, uint8_t y) {
if (x < y) {
return x;
}
return y;
}

uint16_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_LE_TO_UINT16(uint16_t n) {
return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8));
}

uint16_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_UINT16_TO_LE(uint16_t n) {
uint16_t y;
uint8_t *z = (uint8_t *) &y;
z[0] = n & 0xFF;
z[1] = (n & 0xFF00) >> 8;
return y;
}

void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) {
// Multiply by s on the right
// Inputs: b (N_BAR x N), s (N x N_BAR)
// Output: out = b*s (N_BAR x N_BAR)
int i, j, k;

for (i = 0; i < PARAMS_NBAR; i++) {
for (j = 0; j < PARAMS_NBAR; j++) {
out[i * PARAMS_NBAR + j] = 0;
for (k = 0; k < PARAMS_N; k++) {
out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]);
}
out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1);
}
}
}


void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) {
// Multiply by s on the left
// Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR)
// Output: out = s*b + e (N_BAR x N_BAR)
int i, j, k;

for (k = 0; k < PARAMS_NBAR; k++) {
for (i = 0; i < PARAMS_NBAR; i++) {
out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i];
for (j = 0; j < PARAMS_N; j++) {
out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]);
}
out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & ((1 << PARAMS_LOGQ) - 1);
}
}
}


void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b) {
// Add a and b
// Inputs: a, b (N_BAR x N_BAR)
// Output: c = a + b

for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) {
out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1);
}
}


void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) {
// Subtract a and b
// Inputs: a, b (N_BAR x N_BAR)
// Output: c = a - b

for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) {
out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1);
}
}


void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in) {
// Encoding
unsigned int i, j, npieces_word = 8;
unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8;
uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1;
uint16_t *pos = out;

for (i = 0; i < nwords; i++) {
temp = 0;
for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) {
temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j);
}
for (j = 0; j < npieces_word; j++) {
*pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS));
temp >>= PARAMS_EXTRACTED_BITS;
pos++;
}
}
}


void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in) {
// Decoding
unsigned int i, j, index = 0, npieces_word = 8;
unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8;
uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1;
uint8_t *pos = (uint8_t *)out;
uint64_t templong;

for (i = 0; i < nwords; i++) {
templong = 0;
for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5)
temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS);
templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j);
index++;
}
for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) {
pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF;
}
}
}


void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) {
// Pack the input uint16 vector into a char output vector, copying lsb bits from each input element.
// If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied.
memset(out, 0, outlen);

size_t i = 0; // whole bytes already filled in
size_t j = 0; // whole uint16_t already copied
uint16_t w = 0; // the leftover, not yet copied
uint8_t bits = 0; // the number of lsb in w

while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) {
/*
in: | | |********|********|
^
j
w : | ****|
^
bits
out:|**|**|**|**|**|**|**|**|* |
^^
ib
*/
uint8_t b = 0; // bits in out[i] already filled in
while (b < 8) {
int nbits = min(8 - b, bits);
uint16_t mask = (1 << nbits) - 1;
uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out
out[i] = out[i] + (t << (8 - b - nbits));
b += (uint8_t) nbits;
bits -= (uint8_t) nbits;
w &= ~(mask << bits); // not strictly necessary; mostly for debugging

if (bits == 0) {
if (j < inlen) {
w = in[j];
bits = lsb;
j++;
} else {
break; // the input vector is exhausted
}
}
}
if (b == 8) { // out[i] is filled in
i++;
}
}
}


void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) {
// Unpack the input char vector into a uint16_t output vector, copying lsb bits
// for each output element from input. outlen must be at least ceil(inlen * 8 / lsb).
memset(out, 0, outlen * sizeof(uint16_t));

size_t i = 0; // whole uint16_t already filled in
size_t j = 0; // whole bytes already copied
uint8_t w = 0; // the leftover, not yet copied
uint8_t bits = 0; // the number of lsb bits of w

while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) {
/*
in: | | | | | | |**|**|...
^
j
w : | *|
^
bits
out:| *****| *****| *** | |...
^ ^
i b
*/
uint8_t b = 0; // bits in out[i] already filled in
while (b < lsb) {
int nbits = min(lsb - b, bits);
uint16_t mask = (1 << nbits) - 1;
uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out
out[i] = out[i] + (t << (lsb - b - nbits));
b += (uint8_t) nbits;
bits -= (uint8_t) nbits;
w &= ~(mask << bits); // not strictly necessary; mostly for debugging

if (bits == 0) {
if (j < inlen) {
w = in[j];
bits = 8;
j++;
} else {
break; // the input vector is exhausted
}
}
}
if (b == lsb) { // out[i] is filled in
i++;
}
}
}


int8_t PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) {
// Compare two arrays in constant time.
// Returns 0 if the byte arrays are equal, -1 otherwise.
uint16_t r = 0;

for (size_t i = 0; i < len; i++) {
r |= a[i] ^ b[i];
}

r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}


void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) {
// Select one of the two input arrays to be moved to r
// If (selector == 0) then load r with a, else if (selector == -1) load r with b

for (size_t i = 0; i < len; i++) {
r[i] = (~selector & a[i]) | (selector & b[i]);
}
}


void PQCLEAN_FRODOKEM1344SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n) {
// Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed.
// This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing.
volatile uint8_t *v = mem;

for (size_t i = 0; i < n; i++) {
v[i] = 0;
}
}

+ 0
- 21
crypto_kem/frodo/frodokem1344shake/opt/LICENSE View File

@@ -1,21 +0,0 @@
MIT License

Copyright (c) Microsoft Corporation. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE

+ 0
- 19
crypto_kem/frodo/frodokem1344shake/opt/Makefile.Microsoft_nmake View File

@@ -1,19 +0,0 @@
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
# nmake /f Makefile.Microsoft_nmake

LIBRARY=libfrodokem1344shake_opt.lib
OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj

CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX

all: $(LIBRARY)

# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h

$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**

clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

+ 0
- 21
crypto_kem/frodo/frodokem640shake/clean/LICENSE View File

@@ -1,21 +0,0 @@
MIT License

Copyright (c) Microsoft Corporation. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE

+ 0
- 19
crypto_kem/frodo/frodokem640shake/clean/Makefile.Microsoft_nmake View File

@@ -1,19 +0,0 @@
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
# nmake /f Makefile.Microsoft_nmake

LIBRARY=libfrodokem640shake_clean.lib
OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj

CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX

all: $(LIBRARY)

# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h

$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**

clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

+ 0
- 20
crypto_kem/frodo/frodokem640shake/clean/api.h View File

@@ -1,20 +0,0 @@
#ifndef PQCLEAN_FRODOKEM640SHAKE_CLEAN_API_H
#define PQCLEAN_FRODOKEM640SHAKE_CLEAN_API_H

#include <stddef.h>
#include <stdint.h>

#define PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES 19888 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH
#define PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES 9616 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8
#define PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_BYTES 16
#define PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES 9720 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8

#define PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_ALGNAME "FrodoKEM-640-SHAKE"

int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);

int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);

int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);

#endif

+ 0
- 21
crypto_kem/frodo/frodokem640shake/clean/common.h View File

@@ -1,21 +0,0 @@
#ifndef COMMON_H
#define COMMON_H

int PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
int PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
void PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(uint16_t *s, size_t n);
void PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s);
void PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e);
void PQCLEAN_FRODOKEM640SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b);
void PQCLEAN_FRODOKEM640SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b);
void PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in);
void PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in);
void PQCLEAN_FRODOKEM640SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb);
void PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb);
int8_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len);
void PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector);
void PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n);
uint16_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(uint16_t n);
uint16_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_UINT16_TO_LE(uint16_t n);

#endif

+ 0
- 237
crypto_kem/frodo/frodokem640shake/clean/kem.c View File

@@ -1,237 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: Key Encapsulation Mechanism (KEM) based on Frodo
*********************************************************************************************/

#include <stdint.h>
#include <string.h>

#include "fips202.h"
#include "randombytes.h"

#include "api.h"
#include "common.h"
#include "params.h"

int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
// FrodoKEM's key generation
// Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes)
// secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes)
uint8_t *pk_seedA = &pk[0];
uint8_t *pk_b = &pk[BYTES_SEED_A];
uint8_t *sk_s = &sk[0];
uint8_t *sk_pk = &sk[CRYPTO_BYTES];
uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES];
uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR];
uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data
uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data
uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE
uint8_t *randomness_s = &randomness[0]; // contains secret data
uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data
uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES];
uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data

// Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key
randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A);
shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A);

// Generate S and E, and compute B = A*S + E. Generate A on-the-fly
shake_input_seedSE[0] = 0x5F;
memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES);
shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES);
for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) {
S[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(S[i]);
}
PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(S, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(E, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_as_plus_e(B, S, E, pk);

// Encode the second part of the public key
PQCLEAN_FRODOKEM640SHAKE_CLEAN_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ);

// Add s, pk and S to the secret key
memcpy(sk_s, randomness_s, CRYPTO_BYTES);
memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES);
for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
S[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_UINT16_TO_LE(S[i]);
}
memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR);

// Add H(pk) to the secret key
shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES);

// Cleanup:
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(randomness, 2 * CRYPTO_BYTES);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES);
return 0;
}


int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {
// FrodoKEM's key encapsulation
const uint8_t *pk_seedA = &pk[0];
const uint8_t *pk_b = &pk[BYTES_SEED_A];
uint8_t *ct_c1 = &ct[0];
uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8];
uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data
uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0};
uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data
uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data
uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data
uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu
uint8_t *pkh = &G2in[0];
uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data
uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data
uint8_t *seedSE = &G2out[0]; // contains secret data
uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data
uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k
uint8_t *Fin_ct = &Fin[0];
uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data
uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data

// pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu)
shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES);
randombytes(mu, BYTES_MU);
shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU);

// Generate Sp and Ep, and compute Bp = Sp*A + Ep. Generate A on-the-fly
shake_input_seedSE[0] = 0x96;
memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES);
shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES);
for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) {
Sp[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(Sp[i]);
}
PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ);

// Generate Epp, and compute V = Sp*B + Epp
PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sb_plus_e(V, B, Sp, Epp);

// Encode mu, and compute C = V + enc(mu) (mod q)
PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_encode(C, (uint16_t *)mu);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_add(C, V, C);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ);

// Compute ss = F(ct||KK)
memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES);
memcpy(Fin_k, k, CRYPTO_BYTES);
shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES);

// Cleanup:
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(mu, BYTES_MU);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES);
return 0;
}


int PQCLEAN_FRODOKEM640SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {
// FrodoKEM's key decapsulation
uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data
uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0};
uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0};
uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data
uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data
uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data
const uint8_t *ct_c1 = &ct[0];
const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8];
const uint8_t *sk_s = &sk[0];
const uint8_t *sk_pk = &sk[CRYPTO_BYTES];
const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES];
uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data
const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR];
const uint8_t *pk_seedA = &sk_pk[0];
const uint8_t *pk_b = &sk_pk[BYTES_SEED_A];
uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime
uint8_t *pkh = &G2in[0];
uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data
uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data
uint8_t *seedSEprime = &G2out[0]; // contains secret data
uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data
uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k
uint8_t *Fin_ct = &Fin[0];
uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data
uint8_t shake_input_seedSEprime[1 + CRYPTO_BYTES]; // contains secret data

for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8);
}

// Compute W = C - Bp*S (mod q), and decode the randomness mu
PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_bs(W, Bp, S);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_sub(W, C, W);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_decode((uint16_t *)muprime, W);

// Generate (seedSE' || k') = G_2(pkh || mu')
memcpy(pkh, sk_pkh, BYTES_PKHASH);
shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU);

// Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly
shake_input_seedSEprime[0] = 0x96;
memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES);
shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES);
for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) {
Sp[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(Sp[i]);
}
PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA);

// Generate Epp, and compute W = Sp*B + Epp
PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sb_plus_e(W, B, Sp, Epp);

// Encode mu, and compute CC = W + enc(mu') (mod q)
PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_encode(CC, (uint16_t *)muprime);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_add(CC, W, CC);

// Prepare input to F
memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES);

// Reducing BBp modulo q
for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1);
}

// If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s)
// Needs to avoid branching on secret data as per:
// Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum
// primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020.
int8_t selector = PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR);
// If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s)
PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector);
shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES);

// Cleanup:
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(muprime, BYTES_MU);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES);
PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES);
return 0;
}

+ 0
- 79
crypto_kem/frodo/frodokem640shake/clean/matrix_shake.c View File

@@ -1,79 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: matrix arithmetic functions used by the KEM
*********************************************************************************************/

#include <stdint.h>
#include <string.h>

#include "fips202.h"

#include "api.h"
#include "common.h"
#include "params.h"

int PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
// Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right.
// Inputs: s, e (N x N_BAR)
// Output: out = A*s + e (N x N_BAR)
int i, j, k;
int16_t A[PARAMS_N * PARAMS_N] = {0};

uint8_t seed_A_separated[2 + BYTES_SEED_A];
uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated;
memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A);
for (i = 0; i < PARAMS_N; i++) {
seed_A_origin[0] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i);
shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A);
}
for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
A[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(A[i]);
}
memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t));

for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e
for (k = 0; k < PARAMS_NBAR; k++) {
uint16_t sum = 0;
for (j = 0; j < PARAMS_N; j++) {
sum += A[i * PARAMS_N + j] * s[k * PARAMS_N + j];
}
out[i * PARAMS_NBAR + k] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on.
}
}

return 1;
}


int PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
// Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left.
// Inputs: s', e' (N_BAR x N)
// Output: out = s'*A + e' (N_BAR x N)
int i, j, k;
int16_t A[PARAMS_N * PARAMS_N] = {0};

uint8_t seed_A_separated[2 + BYTES_SEED_A];
uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated;
memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A);
for (i = 0; i < PARAMS_N; i++) {
seed_A_origin[0] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i);
shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A);
}
for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
A[i] = PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(A[i]);
}
memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t));

for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e
for (k = 0; k < PARAMS_NBAR; k++) {
uint16_t sum = 0;
for (j = 0; j < PARAMS_N; j++) {
sum += A[j * PARAMS_N + i] * s[k * PARAMS_N + j];
}
out[k * PARAMS_N + i] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on.
}
}

return 1;
}

+ 0
- 35
crypto_kem/frodo/frodokem640shake/clean/noise.c View File

@@ -1,35 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: noise sampling functions
*********************************************************************************************/

#include <stdint.h>

#include "api.h"
#include "common.h"
#include "params.h"

static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA;

void PQCLEAN_FRODOKEM640SHAKE_CLEAN_sample_n(uint16_t *s, size_t n) {
// Fills vector s with n samples from the noise distribution which requires 16 bits to sample.
// The distribution is specified by its CDF.
// Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output.
size_t i;
unsigned int j;

for (i = 0; i < n; ++i) {
uint16_t sample = 0;
uint16_t prnd = s[i] >> 1; // Drop the least significant bit
uint16_t sign = s[i] & 0x1; // Pick the least significant bit

// No need to compare with the last value.
for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) {
// Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits.
sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15;
}
// Assuming that sign is either 0 or 1, flips sample iff sign = 1
s[i] = ((-sign) ^ sample) + sign;
}
}

+ 0
- 27
crypto_kem/frodo/frodokem640shake/clean/params.h View File

@@ -1,27 +0,0 @@
#ifndef PARAMS_H
#define PARAMS_H

#define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES
#define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES
#define CRYPTO_BYTES PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_BYTES
#define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM640SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES

#define PARAMS_N 640
#define PARAMS_NBAR 8
#define PARAMS_LOGQ 15
#define PARAMS_Q (1 << PARAMS_LOGQ)
#define PARAMS_EXTRACTED_BITS 2
#define PARAMS_STRIPE_STEP 8
#define PARAMS_PARALLEL 4
#define BYTES_SEED_A 16
#define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8)
#define BYTES_PKHASH CRYPTO_BYTES

// Selecting SHAKE XOF function for the KEM and noise sampling
#define shake shake128

// CDF table
#define CDF_TABLE_DATA {4643, 13363, 20579, 25843, 29227, 31145, 32103, 32525, 32689, 32745, 32762, 32766, 32767}
#define CDF_TABLE_LEN 13

#endif

+ 0
- 264
crypto_kem/frodo/frodokem640shake/clean/util.c View File

@@ -1,264 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: additional functions for FrodoKEM
*********************************************************************************************/

#include <stdint.h>
#include <string.h>

#include "api.h"
#include "common.h"
#include "params.h"

static inline uint8_t min(uint8_t x, uint8_t y) {
if (x < y) {
return x;
}
return y;
}

uint16_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_LE_TO_UINT16(uint16_t n) {
return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8));
}

uint16_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_UINT16_TO_LE(uint16_t n) {
uint16_t y;
uint8_t *z = (uint8_t *) &y;
z[0] = n & 0xFF;
z[1] = (n & 0xFF00) >> 8;
return y;
}

void PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) {
// Multiply by s on the right
// Inputs: b (N_BAR x N), s (N x N_BAR)
// Output: out = b*s (N_BAR x N_BAR)
int i, j, k;

for (i = 0; i < PARAMS_NBAR; i++) {
for (j = 0; j < PARAMS_NBAR; j++) {
out[i * PARAMS_NBAR + j] = 0;
for (k = 0; k < PARAMS_N; k++) {
out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]);
}
out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1);
}
}
}


void PQCLEAN_FRODOKEM640SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) {
// Multiply by s on the left
// Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR)
// Output: out = s*b + e (N_BAR x N_BAR)
int i, j, k;

for (k = 0; k < PARAMS_NBAR; k++) {
for (i = 0; i < PARAMS_NBAR; i++) {
out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i];
for (j = 0; j < PARAMS_N; j++) {
out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]);
}
out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & ((1 << PARAMS_LOGQ) - 1);
}
}
}


void PQCLEAN_FRODOKEM640SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b) {
// Add a and b
// Inputs: a, b (N_BAR x N_BAR)
// Output: c = a + b

for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) {
out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1);
}
}


void PQCLEAN_FRODOKEM640SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) {
// Subtract a and b
// Inputs: a, b (N_BAR x N_BAR)
// Output: c = a - b

for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) {
out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1);
}
}


void PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in) {
// Encoding
unsigned int i, j, npieces_word = 8;
unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8;
uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1;
uint16_t *pos = out;

for (i = 0; i < nwords; i++) {
temp = 0;
for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) {
temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j);
}
for (j = 0; j < npieces_word; j++) {
*pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS));
temp >>= PARAMS_EXTRACTED_BITS;
pos++;
}
}
}


void PQCLEAN_FRODOKEM640SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in) {
// Decoding
unsigned int i, j, index = 0, npieces_word = 8;
unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8;
uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1;
uint8_t *pos = (uint8_t *)out;
uint64_t templong;

for (i = 0; i < nwords; i++) {
templong = 0;
for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5)
temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS);
templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j);
index++;
}
for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) {
pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF;
}
}
}


void PQCLEAN_FRODOKEM640SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) {
// Pack the input uint16 vector into a char output vector, copying lsb bits from each input element.
// If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied.
memset(out, 0, outlen);

size_t i = 0; // whole bytes already filled in
size_t j = 0; // whole uint16_t already copied
uint16_t w = 0; // the leftover, not yet copied
uint8_t bits = 0; // the number of lsb in w

while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) {
/*
in: | | |********|********|
^
j
w : | ****|
^
bits
out:|**|**|**|**|**|**|**|**|* |
^^
ib
*/
uint8_t b = 0; // bits in out[i] already filled in
while (b < 8) {
int nbits = min(8 - b, bits);
uint16_t mask = (1 << nbits) - 1;
uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out
out[i] = out[i] + (t << (8 - b - nbits));
b += (uint8_t) nbits;
bits -= (uint8_t) nbits;
w &= ~(mask << bits); // not strictly necessary; mostly for debugging

if (bits == 0) {
if (j < inlen) {
w = in[j];
bits = lsb;
j++;
} else {
break; // the input vector is exhausted
}
}
}
if (b == 8) { // out[i] is filled in
i++;
}
}
}


void PQCLEAN_FRODOKEM640SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) {
// Unpack the input char vector into a uint16_t output vector, copying lsb bits
// for each output element from input. outlen must be at least ceil(inlen * 8 / lsb).
memset(out, 0, outlen * sizeof(uint16_t));

size_t i = 0; // whole uint16_t already filled in
size_t j = 0; // whole bytes already copied
uint8_t w = 0; // the leftover, not yet copied
uint8_t bits = 0; // the number of lsb bits of w

while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) {
/*
in: | | | | | | |**|**|...
^
j
w : | *|
^
bits
out:| *****| *****| *** | |...
^ ^
i b
*/
uint8_t b = 0; // bits in out[i] already filled in
while (b < lsb) {
int nbits = min(lsb - b, bits);
uint16_t mask = (1 << nbits) - 1;
uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out
out[i] = out[i] + (t << (lsb - b - nbits));
b += (uint8_t) nbits;
bits -= (uint8_t) nbits;
w &= ~(mask << bits); // not strictly necessary; mostly for debugging

if (bits == 0) {
if (j < inlen) {
w = in[j];
bits = 8;
j++;
} else {
break; // the input vector is exhausted
}
}
}
if (b == lsb) { // out[i] is filled in
i++;
}
}
}


int8_t PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) {
// Compare two arrays in constant time.
// Returns 0 if the byte arrays are equal, -1 otherwise.
uint16_t r = 0;

for (size_t i = 0; i < len; i++) {
r |= a[i] ^ b[i];
}

r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}


void PQCLEAN_FRODOKEM640SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) {
// Select one of the two input arrays to be moved to r
// If (selector == 0) then load r with a, else if (selector == -1) load r with b

for (size_t i = 0; i < len; i++) {
r[i] = (~selector & a[i]) | (selector & b[i]);
}
}


void PQCLEAN_FRODOKEM640SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n) {
// Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed.
// This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing.
volatile uint8_t *v = mem;

for (size_t i = 0; i < n; i++) {
v[i] = 0;
}
}

+ 0
- 21
crypto_kem/frodo/frodokem640shake/opt/LICENSE View File

@@ -1,21 +0,0 @@
MIT License

Copyright (c) Microsoft Corporation. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE

+ 0
- 19
crypto_kem/frodo/frodokem640shake/opt/Makefile.Microsoft_nmake View File

@@ -1,19 +0,0 @@
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
# nmake /f Makefile.Microsoft_nmake

LIBRARY=libfrodokem640shake_opt.lib
OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj

CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX

all: $(LIBRARY)

# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h

$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**

clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

+ 0
- 21
crypto_kem/frodo/frodokem976shake/clean/LICENSE View File

@@ -1,21 +0,0 @@
MIT License

Copyright (c) Microsoft Corporation. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE

+ 0
- 19
crypto_kem/frodo/frodokem976shake/clean/Makefile.Microsoft_nmake View File

@@ -1,19 +0,0 @@
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
# nmake /f Makefile.Microsoft_nmake

LIBRARY=libfrodokem976shake_clean.lib
OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj

CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX

all: $(LIBRARY)

# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h

$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**

clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

+ 0
- 20
crypto_kem/frodo/frodokem976shake/clean/api.h View File

@@ -1,20 +0,0 @@
#ifndef PQCLEAN_FRODOKEM976SHAKE_CLEAN_API_H
#define PQCLEAN_FRODOKEM976SHAKE_CLEAN_API_H

#include <stddef.h>
#include <stdint.h>

#define PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES 31296 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH
#define PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES 15632 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8
#define PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_BYTES 24
#define PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES 15744 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8

#define PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_ALGNAME "FrodoKEM-976-SHAKE"

int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);

int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);

int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);

#endif

+ 0
- 21
crypto_kem/frodo/frodokem976shake/clean/common.h View File

@@ -1,21 +0,0 @@
#ifndef COMMON_H
#define COMMON_H

int PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
int PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
void PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(uint16_t *s, size_t n);
void PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s);
void PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e);
void PQCLEAN_FRODOKEM976SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b);
void PQCLEAN_FRODOKEM976SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b);
void PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in);
void PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in);
void PQCLEAN_FRODOKEM976SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb);
void PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb);
int8_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len);
void PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector);
void PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n);
uint16_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(uint16_t n);
uint16_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_UINT16_TO_LE(uint16_t n);

#endif

+ 0
- 237
crypto_kem/frodo/frodokem976shake/clean/kem.c View File

@@ -1,237 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: Key Encapsulation Mechanism (KEM) based on Frodo
*********************************************************************************************/

#include <stdint.h>
#include <string.h>

#include "fips202.h"
#include "randombytes.h"

#include "api.h"
#include "common.h"
#include "params.h"

int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
// FrodoKEM's key generation
// Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes)
// secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes)
uint8_t *pk_seedA = &pk[0];
uint8_t *pk_b = &pk[BYTES_SEED_A];
uint8_t *sk_s = &sk[0];
uint8_t *sk_pk = &sk[CRYPTO_BYTES];
uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES];
uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR];
uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data
uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data
uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE
uint8_t *randomness_s = &randomness[0]; // contains secret data
uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data
uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES];
uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data

// Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key
randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A);
shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A);

// Generate S and E, and compute B = A*S + E. Generate A on-the-fly
shake_input_seedSE[0] = 0x5F;
memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES);
shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES);
for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) {
S[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(S[i]);
}
PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(S, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(E, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_as_plus_e(B, S, E, pk);

// Encode the second part of the public key
PQCLEAN_FRODOKEM976SHAKE_CLEAN_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ);

// Add s, pk and S to the secret key
memcpy(sk_s, randomness_s, CRYPTO_BYTES);
memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES);
for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
S[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_UINT16_TO_LE(S[i]);
}
memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR);

// Add H(pk) to the secret key
shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES);

// Cleanup:
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(randomness, 2 * CRYPTO_BYTES);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES);
return 0;
}


int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {
// FrodoKEM's key encapsulation
const uint8_t *pk_seedA = &pk[0];
const uint8_t *pk_b = &pk[BYTES_SEED_A];
uint8_t *ct_c1 = &ct[0];
uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8];
uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data
uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0};
uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data
uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data
uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data
uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu
uint8_t *pkh = &G2in[0];
uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data
uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data
uint8_t *seedSE = &G2out[0]; // contains secret data
uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data
uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k
uint8_t *Fin_ct = &Fin[0];
uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data
uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data

// pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu)
shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES);
randombytes(mu, BYTES_MU);
shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU);

// Generate Sp and Ep, and compute Bp = Sp*A + Ep. Generate A on-the-fly
shake_input_seedSE[0] = 0x96;
memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES);
shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES);
for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) {
Sp[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(Sp[i]);
}
PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ);

// Generate Epp, and compute V = Sp*B + Epp
PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sb_plus_e(V, B, Sp, Epp);

// Encode mu, and compute C = V + enc(mu) (mod q)
PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_encode(C, (uint16_t *)mu);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_add(C, V, C);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ);

// Compute ss = F(ct||KK)
memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES);
memcpy(Fin_k, k, CRYPTO_BYTES);
shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES);

// Cleanup:
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(mu, BYTES_MU);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES);
return 0;
}


int PQCLEAN_FRODOKEM976SHAKE_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {
// FrodoKEM's key decapsulation
uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data
uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0};
uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0};
uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0};
uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data
uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data
uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data
const uint8_t *ct_c1 = &ct[0];
const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8];
const uint8_t *sk_s = &sk[0];
const uint8_t *sk_pk = &sk[CRYPTO_BYTES];
const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES];
uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data
const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR];
const uint8_t *pk_seedA = &sk_pk[0];
const uint8_t *pk_b = &sk_pk[BYTES_SEED_A];
uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime
uint8_t *pkh = &G2in[0];
uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data
uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data
uint8_t *seedSEprime = &G2out[0]; // contains secret data
uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data
uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k
uint8_t *Fin_ct = &Fin[0];
uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data
uint8_t shake_input_seedSEprime[1 + CRYPTO_BYTES]; // contains secret data

for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8);
}

// Compute W = C - Bp*S (mod q), and decode the randomness mu
PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_bs(W, Bp, S);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_sub(W, C, W);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_decode((uint16_t *)muprime, W);

// Generate (seedSE' || k') = G_2(pkh || mu')
memcpy(pkh, sk_pkh, BYTES_PKHASH);
shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU);

// Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly
shake_input_seedSEprime[0] = 0x96;
memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES);
shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES);
for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) {
Sp[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(Sp[i]);
}
PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA);

// Generate Epp, and compute W = Sp*B + Epp
PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sb_plus_e(W, B, Sp, Epp);

// Encode mu, and compute CC = W + enc(mu') (mod q)
PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_encode(CC, (uint16_t *)muprime);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_add(CC, W, CC);

// Prepare input to F
memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES);

// Reducing BBp modulo q
for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1);
}

// If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s)
// Needs to avoid branching on secret data as per:
// Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum
// primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020.
int8_t selector = PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR);
// If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s)
PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector);
shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES);

// Cleanup:
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(muprime, BYTES_MU);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES);
PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES);
return 0;
}

+ 0
- 79
crypto_kem/frodo/frodokem976shake/clean/matrix_shake.c View File

@@ -1,79 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: matrix arithmetic functions used by the KEM
*********************************************************************************************/

#include <stdint.h>
#include <string.h>

#include "fips202.h"

#include "api.h"
#include "common.h"
#include "params.h"

int PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
// Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right.
// Inputs: s, e (N x N_BAR)
// Output: out = A*s + e (N x N_BAR)
int i, j, k;
int16_t A[PARAMS_N * PARAMS_N] = {0};

uint8_t seed_A_separated[2 + BYTES_SEED_A];
uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated;
memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A);
for (i = 0; i < PARAMS_N; i++) {
seed_A_origin[0] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i);
shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A);
}
for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
A[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(A[i]);
}
memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t));

for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e
for (k = 0; k < PARAMS_NBAR; k++) {
uint16_t sum = 0;
for (j = 0; j < PARAMS_N; j++) {
sum += A[i * PARAMS_N + j] * s[k * PARAMS_N + j];
}
out[i * PARAMS_NBAR + k] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on.
}
}

return 1;
}


int PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
// Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left.
// Inputs: s', e' (N_BAR x N)
// Output: out = s'*A + e' (N_BAR x N)
int i, j, k;
int16_t A[PARAMS_N * PARAMS_N] = {0};

uint8_t seed_A_separated[2 + BYTES_SEED_A];
uint16_t *seed_A_origin = (uint16_t *)&seed_A_separated;
memcpy(&seed_A_separated[2], seed_A, BYTES_SEED_A);
for (i = 0; i < PARAMS_N; i++) {
seed_A_origin[0] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_UINT16_TO_LE((uint16_t) i);
shake128((uint8_t *)(A + i * PARAMS_N), (unsigned long long)(2 * PARAMS_N), seed_A_separated, 2 + BYTES_SEED_A);
}
for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
A[i] = PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(A[i]);
}
memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t));

for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e
for (k = 0; k < PARAMS_NBAR; k++) {
uint16_t sum = 0;
for (j = 0; j < PARAMS_N; j++) {
sum += A[j * PARAMS_N + i] * s[k * PARAMS_N + j];
}
out[k * PARAMS_N + i] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on.
}
}

return 1;
}

+ 0
- 35
crypto_kem/frodo/frodokem976shake/clean/noise.c View File

@@ -1,35 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: noise sampling functions
*********************************************************************************************/

#include <stdint.h>

#include "api.h"
#include "common.h"
#include "params.h"

static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA;

void PQCLEAN_FRODOKEM976SHAKE_CLEAN_sample_n(uint16_t *s, size_t n) {
// Fills vector s with n samples from the noise distribution which requires 16 bits to sample.
// The distribution is specified by its CDF.
// Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output.
size_t i;
unsigned int j;

for (i = 0; i < n; ++i) {
uint16_t sample = 0;
uint16_t prnd = s[i] >> 1; // Drop the least significant bit
uint16_t sign = s[i] & 0x1; // Pick the least significant bit

// No need to compare with the last value.
for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) {
// Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits.
sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15;
}
// Assuming that sign is either 0 or 1, flips sample iff sign = 1
s[i] = ((-sign) ^ sample) + sign;
}
}

+ 0
- 27
crypto_kem/frodo/frodokem976shake/clean/params.h View File

@@ -1,27 +0,0 @@
#ifndef PARAMS_H
#define PARAMS_H

#define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_SECRETKEYBYTES
#define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_PUBLICKEYBYTES
#define CRYPTO_BYTES PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_BYTES
#define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM976SHAKE_CLEAN_CRYPTO_CIPHERTEXTBYTES

#define PARAMS_N 976
#define PARAMS_NBAR 8
#define PARAMS_LOGQ 16
#define PARAMS_Q (1 << PARAMS_LOGQ)
#define PARAMS_EXTRACTED_BITS 3
#define PARAMS_STRIPE_STEP 8
#define PARAMS_PARALLEL 4
#define BYTES_SEED_A 16
#define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8)
#define BYTES_PKHASH CRYPTO_BYTES

// Selecting SHAKE XOF function for the KEM and noise sampling
#define shake shake256

// CDF table
#define CDF_TABLE_DATA {5638, 15915, 23689, 28571, 31116, 32217, 32613, 32731, 32760, 32766, 32767}
#define CDF_TABLE_LEN 11

#endif

+ 0
- 264
crypto_kem/frodo/frodokem976shake/clean/util.c View File

@@ -1,264 +0,0 @@
/********************************************************************************************
* FrodoKEM: Learning with Errors Key Encapsulation
*
* Abstract: additional functions for FrodoKEM
*********************************************************************************************/

#include <stdint.h>
#include <string.h>

#include "api.h"
#include "common.h"
#include "params.h"

static inline uint8_t min(uint8_t x, uint8_t y) {
if (x < y) {
return x;
}
return y;
}

uint16_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_LE_TO_UINT16(uint16_t n) {
return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8));
}

uint16_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_UINT16_TO_LE(uint16_t n) {
uint16_t y;
uint8_t *z = (uint8_t *) &y;
z[0] = n & 0xFF;
z[1] = (n & 0xFF00) >> 8;
return y;
}

void PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) {
// Multiply by s on the right
// Inputs: b (N_BAR x N), s (N x N_BAR)
// Output: out = b*s (N_BAR x N_BAR)
int i, j, k;

for (i = 0; i < PARAMS_NBAR; i++) {
for (j = 0; j < PARAMS_NBAR; j++) {
out[i * PARAMS_NBAR + j] = 0;
for (k = 0; k < PARAMS_N; k++) {
out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]);
}
out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1);
}
}
}


void PQCLEAN_FRODOKEM976SHAKE_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) {
// Multiply by s on the left
// Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR)
// Output: out = s*b + e (N_BAR x N_BAR)
int i, j, k;

for (k = 0; k < PARAMS_NBAR; k++) {
for (i = 0; i < PARAMS_NBAR; i++) {
out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i];
for (j = 0; j < PARAMS_N; j++) {
out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]);
}
out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & ((1 << PARAMS_LOGQ) - 1);
}
}
}


void PQCLEAN_FRODOKEM976SHAKE_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b) {
// Add a and b
// Inputs: a, b (N_BAR x N_BAR)
// Output: c = a + b

for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) {
out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1);
}
}


void PQCLEAN_FRODOKEM976SHAKE_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) {
// Subtract a and b
// Inputs: a, b (N_BAR x N_BAR)
// Output: c = a - b

for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) {
out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1);
}
}


void PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_encode(uint16_t *out, const uint16_t *in) {
// Encoding
unsigned int i, j, npieces_word = 8;
unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8;
uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1;
uint16_t *pos = out;

for (i = 0; i < nwords; i++) {
temp = 0;
for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) {
temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j);
}
for (j = 0; j < npieces_word; j++) {
*pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS));
temp >>= PARAMS_EXTRACTED_BITS;
pos++;
}
}
}


void PQCLEAN_FRODOKEM976SHAKE_CLEAN_key_decode(uint16_t *out, const uint16_t *in) {
// Decoding
unsigned int i, j, index = 0, npieces_word = 8;
unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8;
uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1;
uint8_t *pos = (uint8_t *)out;
uint64_t templong;

for (i = 0; i < nwords; i++) {
templong = 0;
for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5)
temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS);
templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j);
index++;
}
for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) {
pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF;
}
}
}


void PQCLEAN_FRODOKEM976SHAKE_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) {
// Pack the input uint16 vector into a char output vector, copying lsb bits from each input element.
// If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied.
memset(out, 0, outlen);

size_t i = 0; // whole bytes already filled in
size_t j = 0; // whole uint16_t already copied
uint16_t w = 0; // the leftover, not yet copied
uint8_t bits = 0; // the number of lsb in w

while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) {
/*
in: | | |********|********|
^
j
w : | ****|
^
bits
out:|**|**|**|**|**|**|**|**|* |
^^
ib
*/
uint8_t b = 0; // bits in out[i] already filled in
while (b < 8) {
int nbits = min(8 - b, bits);
uint16_t mask = (1 << nbits) - 1;
uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out
out[i] = out[i] + (t << (8 - b - nbits));
b += (uint8_t) nbits;
bits -= (uint8_t) nbits;
w &= ~(mask << bits); // not strictly necessary; mostly for debugging

if (bits == 0) {
if (j < inlen) {
w = in[j];
bits = lsb;
j++;
} else {
break; // the input vector is exhausted
}
}
}
if (b == 8) { // out[i] is filled in
i++;
}
}
}


void PQCLEAN_FRODOKEM976SHAKE_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) {
// Unpack the input char vector into a uint16_t output vector, copying lsb bits
// for each output element from input. outlen must be at least ceil(inlen * 8 / lsb).
memset(out, 0, outlen * sizeof(uint16_t));

size_t i = 0; // whole uint16_t already filled in
size_t j = 0; // whole bytes already copied
uint8_t w = 0; // the leftover, not yet copied
uint8_t bits = 0; // the number of lsb bits of w

while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) {
/*
in: | | | | | | |**|**|...
^
j
w : | *|
^
bits
out:| *****| *****| *** | |...
^ ^
i b
*/
uint8_t b = 0; // bits in out[i] already filled in
while (b < lsb) {
int nbits = min(lsb - b, bits);
uint16_t mask = (1 << nbits) - 1;
uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out
out[i] = out[i] + (t << (lsb - b - nbits));
b += (uint8_t) nbits;
bits -= (uint8_t) nbits;
w &= ~(mask << bits); // not strictly necessary; mostly for debugging

if (bits == 0) {
if (j < inlen) {
w = in[j];
bits = 8;
j++;
} else {
break; // the input vector is exhausted
}
}
}
if (b == lsb) { // out[i] is filled in
i++;
}
}
}


int8_t PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) {
// Compare two arrays in constant time.
// Returns 0 if the byte arrays are equal, -1 otherwise.
uint16_t r = 0;

for (size_t i = 0; i < len; i++) {
r |= a[i] ^ b[i];
}

r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
return (int8_t)r;
}


void PQCLEAN_FRODOKEM976SHAKE_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) {
// Select one of the two input arrays to be moved to r
// If (selector == 0) then load r with a, else if (selector == -1) load r with b

for (size_t i = 0; i < len; i++) {
r[i] = (~selector & a[i]) | (selector & b[i]);
}
}


void PQCLEAN_FRODOKEM976SHAKE_CLEAN_clear_bytes(uint8_t *mem, size_t n) {
// Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed.
// This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing.
volatile uint8_t *v = mem;

for (size_t i = 0; i < n; i++) {
v[i] = 0;
}
}

+ 0
- 21
crypto_kem/frodo/frodokem976shake/opt/LICENSE View File

@@ -1,21 +0,0 @@
MIT License

Copyright (c) Microsoft Corporation. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE

+ 0
- 19
crypto_kem/frodo/frodokem976shake/opt/Makefile.Microsoft_nmake View File

@@ -1,19 +0,0 @@
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
# nmake /f Makefile.Microsoft_nmake

LIBRARY=libfrodokem976shake_opt.lib
OBJECTS=kem.obj matrix_shake.obj noise.obj util.obj

CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX

all: $(LIBRARY)

# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h

$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**

clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

+ 0
- 5
crypto_kem/kyber/kyber1024/avx2/LICENSE View File

@@ -1,5 +0,0 @@
Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)

For Keccak and AES we are using public-domain
code from sources and by authors listed in
comments on top of the respective files.

+ 0
- 5
crypto_kem/kyber/kyber1024/clean/LICENSE View File

@@ -1,5 +0,0 @@
Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)

For Keccak and AES we are using public-domain
code from sources and by authors listed in
comments on top of the respective files.

+ 0
- 23
crypto_kem/kyber/kyber1024/clean/Makefile.Microsoft_nmake View File

@@ -1,23 +0,0 @@
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
# nmake /f Makefile.Microsoft_nmake

LIBRARY=libkyber1024_clean.lib
OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj

# Warning C4146 is raised when a unary minus operator is applied to an
# unsigned type; this has nonetheless been standard and portable for as
# long as there has been a C standard, and we need it for constant-time
# computations. Thus, we disable that spurious warning.
CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146

all: $(LIBRARY)

# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h

$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**

clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

+ 0
- 5
crypto_kem/kyber/kyber512/avx2/LICENSE View File

@@ -1,5 +0,0 @@
Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)

For Keccak and AES we are using public-domain
code from sources and by authors listed in
comments on top of the respective files.

+ 0
- 5
crypto_kem/kyber/kyber512/clean/LICENSE View File

@@ -1,5 +0,0 @@
Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)

For Keccak and AES we are using public-domain
code from sources and by authors listed in
comments on top of the respective files.

+ 0
- 23
crypto_kem/kyber/kyber512/clean/Makefile.Microsoft_nmake View File

@@ -1,23 +0,0 @@
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
# nmake /f Makefile.Microsoft_nmake

LIBRARY=libkyber512_clean.lib
OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj

# Warning C4146 is raised when a unary minus operator is applied to an
# unsigned type; this has nonetheless been standard and portable for as
# long as there has been a C standard, and we need it for constant-time
# computations. Thus, we disable that spurious warning.
CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146

all: $(LIBRARY)

# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h

$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**

clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

+ 0
- 5
crypto_kem/kyber/kyber768/avx2/LICENSE View File

@@ -1,5 +0,0 @@
Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)

For Keccak and AES we are using public-domain
code from sources and by authors listed in
comments on top of the respective files.

+ 0
- 5
crypto_kem/kyber/kyber768/clean/LICENSE View File

@@ -1,5 +0,0 @@
Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)

For Keccak and AES we are using public-domain
code from sources and by authors listed in
comments on top of the respective files.

+ 0
- 23
crypto_kem/kyber/kyber768/clean/Makefile.Microsoft_nmake View File

@@ -1,23 +0,0 @@
# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
# nmake /f Makefile.Microsoft_nmake

LIBRARY=libkyber768_clean.lib
OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj

# Warning C4146 is raised when a unary minus operator is applied to an
# unsigned type; this has nonetheless been standard and portable for as
# long as there has been a C standard, and we need it for constant-time
# computations. Thus, we disable that spurious warning.
CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146

all: $(LIBRARY)

# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h

$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**

clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

+ 0
- 16
crypto_kem/mceliece/mceliece348864/avx/LICENSE View File

@@ -1,16 +0,0 @@
Public Domain.

Authors of Classic McEliece in alphabetical order:

Daniel J. Bernstein, University of Illinois at Chicago
Tung Chou, Osaka University
Tanja Lange, Technische Universiteit Eindhoven
Ingo von Maurich, self
Rafael Misoczki, Intel Corporation
Ruben Niederhagen, Fraunhofer SIT
Edoardo Persichetti, Florida Atlantic University
Christiane Peters, self
Peter Schwabe, Radboud University
Nicolas Sendrier, Inria
Jakub Szefer, Yale University
Wen Wang, Yale University

+ 0
- 16
crypto_kem/mceliece/mceliece348864/clean/LICENSE View File

@@ -1,16 +0,0 @@
Public Domain.

Authors of Classic McEliece in alphabetical order:

Daniel J. Bernstein, University of Illinois at Chicago
Tung Chou, Osaka University
Tanja Lange, Technische Universiteit Eindhoven
Ingo von Maurich, self
Rafael Misoczki, Intel Corporation
Ruben Niederhagen, Fraunhofer SIT
Edoardo Persichetti, Florida Atlantic University
Christiane Peters, self
Peter Schwabe, Radboud University
Nicolas Sendrier, Inria
Jakub Szefer, Yale University
Wen Wang, Yale University

+ 0
- 24
crypto_kem/mceliece/mceliece348864/clean/Makefile.Microsoft_nmake View File

@@ -1,24 +0,0 @@
# This Makefile can be used with GNU Make or BSD Make

LIBRARY = libmceliece348864_clean.lib

OBJECTS = aes256ctr.obj benes.obj bm.obj controlbits.obj decrypt.obj encrypt.obj gf.obj \
operations.obj pk_gen.obj root.obj sk_gen.obj synd.obj transpose.obj util.obj

# Warning C4146 is raised when a unary minus operator is applied to an
# unsigned type; this has nonetheless been standard and portable for as
# long as there has been a C standard, and we do that a lot, especially
# for constant-time computations. Thus, we disable that spurious warning.
CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /wd4146 /WX

all: $(LIBRARY)

# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h

$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**

clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

+ 0
- 16
crypto_kem/mceliece/mceliece348864/sse/LICENSE View File

@@ -1,16 +0,0 @@
Public Domain.

Authors of Classic McEliece in alphabetical order:

Daniel J. Bernstein, University of Illinois at Chicago
Tung Chou, Osaka University
Tanja Lange, Technische Universiteit Eindhoven
Ingo von Maurich, self
Rafael Misoczki, Intel Corporation
Ruben Niederhagen, Fraunhofer SIT
Edoardo Persichetti, Florida Atlantic University
Christiane Peters, self
Peter Schwabe, Radboud University
Nicolas Sendrier, Inria
Jakub Szefer, Yale University
Wen Wang, Yale University

+ 0
- 13
crypto_kem/mceliece/mceliece348864/sse/aes256ctr.c View File

@@ -1,13 +0,0 @@
#include "aes256ctr.h"

void PQCLEAN_MCELIECE348864_SSE_aes256ctr(
uint8_t *out,
size_t outlen,
const uint8_t nonce[AESCTR_NONCEBYTES],
const uint8_t key[AES256_KEYBYTES]) {

aes256ctx state;
aes256_ctr_keyexp(&state, key);
aes256_ctr(out, outlen, nonce, &state);
aes256_ctx_release(&state);
}

+ 0
- 17
crypto_kem/mceliece/mceliece348864/sse/aes256ctr.h View File

@@ -1,17 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_AES256CTR_H
#define PQCLEAN_MCELIECE348864_SSE_AES256CTR_H

#include <stddef.h>
#include <stdint.h>

#include "aes.h"


void PQCLEAN_MCELIECE348864_SSE_aes256ctr(
uint8_t *out,
size_t outlen,
const uint8_t nonce[AESCTR_NONCEBYTES],
const uint8_t key[AES256_KEYBYTES]
);

#endif

+ 0
- 32
crypto_kem/mceliece/mceliece348864/sse/api.h View File

@@ -1,32 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_API_H
#define PQCLEAN_MCELIECE348864_SSE_API_H

#include <stdint.h>

#define PQCLEAN_MCELIECE348864_SSE_CRYPTO_ALGNAME "Classic McEliece 348864"
#define PQCLEAN_MCELIECE348864_SSE_CRYPTO_PUBLICKEYBYTES 261120
#define PQCLEAN_MCELIECE348864_SSE_CRYPTO_SECRETKEYBYTES 6452
#define PQCLEAN_MCELIECE348864_SSE_CRYPTO_CIPHERTEXTBYTES 128
#define PQCLEAN_MCELIECE348864_SSE_CRYPTO_BYTES 32


int PQCLEAN_MCELIECE348864_SSE_crypto_kem_enc(
uint8_t *c,
uint8_t *key,
const uint8_t *pk
);

int PQCLEAN_MCELIECE348864_SSE_crypto_kem_dec(
uint8_t *key,
const uint8_t *c,
const uint8_t *sk
);

int PQCLEAN_MCELIECE348864_SSE_crypto_kem_keypair
(
uint8_t *pk,
uint8_t *sk
);

#endif


+ 0
- 287
crypto_kem/mceliece/mceliece348864/sse/benes.c View File

@@ -1,287 +0,0 @@
/*
This file is for Benes network related functions
*/
#include "benes.h"

#include "params.h"
#include "transpose.h"
#include "util.h"

static void layer_0(uint64_t *bs, const uint64_t *cond) {
int x;
uint64_t diff;

for (x = 0; x < (1 << 6); x += 2) {
diff = bs[ x ] ^ bs[ x + 1 ];
diff &= *cond++;
bs[ x ] ^= diff;
bs[ x + 1 ] ^= diff;
}
}

static void layer_1(uint64_t *bs, const uint64_t *cond) {
int x;
uint64_t diff;

for (x = 0; x < (1 << 6); x += 4) {
diff = bs[ x + 0 ] ^ bs[ x + 2 ];
diff &= cond[0];
bs[ x + 0 ] ^= diff;
bs[ x + 2 ] ^= diff;

diff = bs[ x + 1 ] ^ bs[ x + 3 ];
diff &= cond[1];
bs[ x + 1 ] ^= diff;
bs[ x + 3 ] ^= diff;

cond += 2;
}
}

static void layer_2(uint64_t *bs, const uint64_t *cond) {
int x;
uint64_t diff;

for (x = 0; x < (1 << 6); x += 8) {
diff = bs[ x + 0 ] ^ bs[ x + 4 ];
diff &= cond[0];
bs[ x + 0 ] ^= diff;
bs[ x + 4 ] ^= diff;

diff = bs[ x + 1 ] ^ bs[ x + 5 ];
diff &= cond[1];
bs[ x + 1 ] ^= diff;
bs[ x + 5 ] ^= diff;

diff = bs[ x + 2 ] ^ bs[ x + 6 ];
diff &= cond[2];
bs[ x + 2 ] ^= diff;
bs[ x + 6 ] ^= diff;

diff = bs[ x + 3 ] ^ bs[ x + 7 ];
diff &= cond[3];
bs[ x + 3 ] ^= diff;
bs[ x + 7 ] ^= diff;

cond += 4;
}
}

static void layer_3(uint64_t *bs, const uint64_t *cond) {
int x, s;
uint64_t diff;

for (x = 0; x < (1 << 6); x += 16) {
for (s = x; s < x + 8; s += 4) {
diff = bs[ s + 0 ] ^ bs[ s + 8 ];
diff &= cond[0];
bs[ s + 0 ] ^= diff;
bs[ s + 8 ] ^= diff;

diff = bs[ s + 1 ] ^ bs[ s + 9 ];
diff &= cond[1];
bs[ s + 1 ] ^= diff;
bs[ s + 9 ] ^= diff;

diff = bs[ s + 2 ] ^ bs[ s + 10 ];
diff &= cond[2];
bs[ s + 2 ] ^= diff;
bs[ s + 10 ] ^= diff;

diff = bs[ s + 3 ] ^ bs[ s + 11 ];
diff &= cond[3];
bs[ s + 3 ] ^= diff;
bs[ s + 11 ] ^= diff;

cond += 4;
}
}
}

static void layer_4(uint64_t *bs, const uint64_t *cond) {
int x, s;
uint64_t diff;

for (x = 0; x < (1 << 6); x += 32) {
for (s = x; s < x + 16; s += 4) {
diff = bs[ s + 0 ] ^ bs[ s + 16 ];
diff &= cond[0];
bs[ s + 0 ] ^= diff;
bs[ s + 16 ] ^= diff;

diff = bs[ s + 1 ] ^ bs[ s + 17 ];
diff &= cond[1];
bs[ s + 1 ] ^= diff;
bs[ s + 17 ] ^= diff;

diff = bs[ s + 2 ] ^ bs[ s + 18 ];
diff &= cond[2];
bs[ s + 2 ] ^= diff;
bs[ s + 18 ] ^= diff;

diff = bs[ s + 3 ] ^ bs[ s + 19 ];
diff &= cond[3];
bs[ s + 3 ] ^= diff;
bs[ s + 19 ] ^= diff;

cond += 4;
}
}
}

static void layer_5(uint64_t *bs, const uint64_t *cond) {
int x, s;
uint64_t diff;

for (x = 0; x < (1 << 6); x += 64) {
for (s = x; s < x + 32; s += 4) {
diff = bs[ s + 0 ] ^ bs[ s + 32 ];
diff &= cond[0];
bs[ s + 0 ] ^= diff;
bs[ s + 32 ] ^= diff;

diff = bs[ s + 1 ] ^ bs[ s + 33 ];
diff &= cond[1];
bs[ s + 1 ] ^= diff;
bs[ s + 33 ] ^= diff;

diff = bs[ s + 2 ] ^ bs[ s + 34 ];
diff &= cond[2];
bs[ s + 2 ] ^= diff;
bs[ s + 34 ] ^= diff;

diff = bs[ s + 3 ] ^ bs[ s + 35 ];
diff &= cond[3];
bs[ s + 3 ] ^= diff;
bs[ s + 35 ] ^= diff;

cond += 4;
}
}
}

/* input: bits, control bits as array of bytes */
/* output: out, control bits as array of 128-bit vectors */
void PQCLEAN_MCELIECE348864_SSE_load_bits(uint64_t out[][32], const unsigned char *bits) {
int i, low, block = 0;

uint64_t cond[64];

//

for (low = 0; low <= 5; low++) {
for (i = 0; i < 64; i++) {
cond[i] = PQCLEAN_MCELIECE348864_SSE_load4(bits + block * 256 + i * 4);
}
PQCLEAN_MCELIECE348864_SSE_transpose_64x64(cond);

for (i = 0; i < 32; i++) {
out[ block ][i] = cond[i];
}
block++;
}

for (low = 0; low <= 5; low++) {
for (i = 0; i < 32; i++) {
out[ block ][i] = PQCLEAN_MCELIECE348864_SSE_load8(bits + block * 256 + i * 8);
}
block++;
}

for (low = 4; low >= 0; low--) {
for (i = 0; i < 32; i++) {
out[ block ][i] = PQCLEAN_MCELIECE348864_SSE_load8(bits + block * 256 + i * 8);
}
block++;
}

for (low = 5; low >= 0; low--) {
for (i = 0; i < 64; i++) {
cond[i] = PQCLEAN_MCELIECE348864_SSE_load4(bits + block * 256 + i * 4);
}
PQCLEAN_MCELIECE348864_SSE_transpose_64x64(cond);

for (i = 0; i < 32; i++) {
out[ block ][i] = cond[i];
}
block++;
}
}

/* input: r, sequence of bits to be permuted */
/* cond, control bits as array of 128-bit vectors */
/* rev, 0 for normal application; !0 for inverse */
/* output: r, permuted bits */
void PQCLEAN_MCELIECE348864_SSE_benes(uint64_t *r, uint64_t cond[][32], int rev) {
int block, inc;

uint64_t *bs = r;

//

if (rev == 0) {
block = 0;
inc = 1;
} else {
block = 22;
inc = -1;
}

PQCLEAN_MCELIECE348864_SSE_transpose_64x64(bs);

layer_0(bs, cond[ block ]);
block += inc;
layer_1(bs, cond[ block ]);
block += inc;
layer_2(bs, cond[ block ]);
block += inc;
layer_3(bs, cond[ block ]);
block += inc;
layer_4(bs, cond[ block ]);
block += inc;
layer_5(bs, cond[ block ]);
block += inc;

PQCLEAN_MCELIECE348864_SSE_transpose_64x64(bs);

layer_0(bs, cond[ block ]);
block += inc;
layer_1(bs, cond[ block ]);
block += inc;
layer_2(bs, cond[ block ]);
block += inc;
layer_3(bs, cond[ block ]);
block += inc;
layer_4(bs, cond[ block ]);
block += inc;
layer_5(bs, cond[ block ]);
block += inc;
layer_4(bs, cond[ block ]);
block += inc;
layer_3(bs, cond[ block ]);
block += inc;
layer_2(bs, cond[ block ]);
block += inc;
layer_1(bs, cond[ block ]);
block += inc;
layer_0(bs, cond[ block ]);
block += inc;

PQCLEAN_MCELIECE348864_SSE_transpose_64x64(bs);

layer_5(bs, cond[ block ]);
block += inc;
layer_4(bs, cond[ block ]);
block += inc;
layer_3(bs, cond[ block ]);
block += inc;
layer_2(bs, cond[ block ]);
block += inc;
layer_1(bs, cond[ block ]);
block += inc;
layer_0(bs, cond[ block ]);
//block += inc;

PQCLEAN_MCELIECE348864_SSE_transpose_64x64(bs);
}


+ 0
- 15
crypto_kem/mceliece/mceliece348864/sse/benes.h View File

@@ -1,15 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_BENES_H
#define PQCLEAN_MCELIECE348864_SSE_BENES_H
/*
This file is for Benes network related functions
*/


#include "gf.h"
#include "vec128.h"

void PQCLEAN_MCELIECE348864_SSE_load_bits(uint64_t /*out*/[][32], const unsigned char * /*bits*/);
void PQCLEAN_MCELIECE348864_SSE_benes(uint64_t * /*r*/, uint64_t /*cond*/[][32], int /*rev*/);

#endif


+ 0
- 220
crypto_kem/mceliece/mceliece348864/sse/bm.c View File

@@ -1,220 +0,0 @@
/*
This file is for the inversion-free Berlekamp-Massey algorithm
see https://ieeexplore.ieee.org/document/87857
*/

#include "bm.h"

#include "gf.h"
#include "util.h"
#include "vec.h"
#include "vec128.h"

#include <assert.h>
#include <stdint.h>

extern void PQCLEAN_MCELIECE348864_SSE_update_asm(void *, gf, int);
extern gf PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm(uint64_t *);

static inline uint64_t mask_nonzero(gf a) {
uint64_t ret = a;

ret -= 1;
ret >>= 63;
ret -= 1;

return ret;
}

static inline uint64_t mask_leq(uint16_t a, uint16_t b) {
uint64_t a_tmp = a;
uint64_t b_tmp = b;
uint64_t ret = b_tmp - a_tmp;

ret >>= 63;
ret -= 1;

return ret;
}

static void vec_cmov(uint64_t out[][2], uint64_t mask) {
int i;

for (i = 0; i < GFBITS; i++) {
out[i][0] = (out[i][0] & ~mask) | (out[i][1] & mask);
}
}

static inline void interleave(vec128 *in, int idx0, int idx1, vec128 *mask, int b) {
int s = 1 << b;

vec128 x, y;

x = PQCLEAN_MCELIECE348864_SSE_vec128_or(PQCLEAN_MCELIECE348864_SSE_vec128_and(in[idx0], mask[0]),
PQCLEAN_MCELIECE348864_SSE_vec128_sll_2x(PQCLEAN_MCELIECE348864_SSE_vec128_and(in[idx1], mask[0]), s));

y = PQCLEAN_MCELIECE348864_SSE_vec128_or(PQCLEAN_MCELIECE348864_SSE_vec128_srl_2x(PQCLEAN_MCELIECE348864_SSE_vec128_and(in[idx0], mask[1]), s),
PQCLEAN_MCELIECE348864_SSE_vec128_and(in[idx1], mask[1]));

in[idx0] = x;
in[idx1] = y;
}

/* input: in, field elements in bitsliced form */
/* output: out, field elements in non-bitsliced form */
static inline void get_coefs(gf *out, vec128 *in) {
int i, k;

vec128 mask[4][2];
vec128 buf[16];

for (i = 0; i < GFBITS; i++) {
buf[i] = in[i];
}
for (i = GFBITS; i < 16; i++) {
buf[i] = PQCLEAN_MCELIECE348864_SSE_vec128_setzero();
}

mask[0][0] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0x5555);
mask[0][1] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0xAAAA);
mask[1][0] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0x3333);
mask[1][1] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0xCCCC);
mask[2][0] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0x0F0F);
mask[2][1] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0xF0F0);
mask[3][0] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0x00FF);
mask[3][1] = PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(0xFF00);

interleave(buf, 0, 8, mask[3], 3);
interleave(buf, 1, 9, mask[3], 3);
interleave(buf, 2, 10, mask[3], 3);
interleave(buf, 3, 11, mask[3], 3);
interleave(buf, 4, 12, mask[3], 3);
interleave(buf, 5, 13, mask[3], 3);
interleave(buf, 6, 14, mask[3], 3);
interleave(buf, 7, 15, mask[3], 3);

interleave(buf, 0, 4, mask[2], 2);
interleave(buf, 1, 5, mask[2], 2);
interleave(buf, 2, 6, mask[2], 2);
interleave(buf, 3, 7, mask[2], 2);
interleave(buf, 8, 12, mask[2], 2);
interleave(buf, 9, 13, mask[2], 2);
interleave(buf, 10, 14, mask[2], 2);
interleave(buf, 11, 15, mask[2], 2);

interleave(buf, 0, 2, mask[1], 1);
interleave(buf, 1, 3, mask[1], 1);
interleave(buf, 4, 6, mask[1], 1);
interleave(buf, 5, 7, mask[1], 1);
interleave(buf, 8, 10, mask[1], 1);
interleave(buf, 9, 11, mask[1], 1);
interleave(buf, 12, 14, mask[1], 1);
interleave(buf, 13, 15, mask[1], 1);

interleave(buf, 0, 1, mask[0], 0);
interleave(buf, 2, 3, mask[0], 0);
interleave(buf, 4, 5, mask[0], 0);
interleave(buf, 6, 7, mask[0], 0);
interleave(buf, 8, 9, mask[0], 0);
interleave(buf, 10, 11, mask[0], 0);
interleave(buf, 12, 13, mask[0], 0);
interleave(buf, 14, 15, mask[0], 0);

for (i = 0; i < 16; i++) {
for (k = 0; k < 4; k++) {
out[ (4 * 0 + k) * 16 + i ] = (PQCLEAN_MCELIECE348864_SSE_vec128_extract(buf[i], 0) >> (k * 16)) & GFMASK;
out[ (4 * 1 + k) * 16 + i ] = (PQCLEAN_MCELIECE348864_SSE_vec128_extract(buf[i], 1) >> (k * 16)) & GFMASK;
}
}
}

/* input: in, sequence of field elements */
/* output: out, minimal polynomial of in */
void PQCLEAN_MCELIECE348864_SSE_bm(uint64_t out[ GFBITS ], vec128 in[ GFBITS ]) {
uint16_t i;
uint16_t N, L;

uint64_t prod[ GFBITS ];
uint64_t in_tmp[ GFBITS ];

uint64_t db[ GFBITS ][ 2 ];
uint64_t BC_tmp[ GFBITS ][ 2 ];
uint64_t BC[ GFBITS ][ 2 ];

uint64_t mask, t;

gf d, b, c0 = 1;

gf coefs[SYS_T * 2];

// init

BC[0][1] = 0;
BC[0][0] = 1;
BC[0][0] <<= 63;

for (i = 1; i < GFBITS; i++) {
BC[i][0] = BC[i][1] = 0;
}

b = 1;
L = 0;

//

get_coefs(coefs, in);

for (i = 0; i < GFBITS; i++) {
in_tmp[i] = 0;
}

for (N = 0; N < SYS_T * 2; N++) {
// computing d

PQCLEAN_MCELIECE348864_SSE_vec_mul_asm(prod, in_tmp, &BC[0][1], 16);

PQCLEAN_MCELIECE348864_SSE_update_asm(in_tmp, coefs[N], 8);

d = PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm(prod);

t = PQCLEAN_MCELIECE348864_SSE_gf_mul2(c0, coefs[N], b);

d ^= t & 0xFFFFFFFF;

// 3 cases

mask = mask_nonzero(d) & mask_leq(L * 2, N);

for (i = 0; i < GFBITS; i++) {
db[i][0] = (d >> i) & 1;
db[i][0] = -db[i][0];
db[i][1] = (b >> i) & 1;
db[i][1] = -db[i][1];
}

PQCLEAN_MCELIECE348864_SSE_vec128_mul((vec128 *) BC_tmp, (vec128 *) db, (vec128 *) BC);

vec_cmov(BC, mask);

PQCLEAN_MCELIECE348864_SSE_update_asm(BC, mask & c0, 16);

for (i = 0; i < GFBITS; i++) {
BC[i][1] = BC_tmp[i][0] ^ BC_tmp[i][1];
}

c0 = t >> 32;
b = (d & mask) | (b & ~mask);
L = ((N + 1 - L) & mask) | (L & ~mask);

}

c0 = PQCLEAN_MCELIECE348864_SSE_gf_inv(c0);

for (i = 0; i < GFBITS; i++) {
out[i] = (c0 >> i) & 1;
out[i] = -out[i];
}

PQCLEAN_MCELIECE348864_SSE_vec_mul_asm(out, out, &BC[0][1], 16);
}


+ 0
- 17
crypto_kem/mceliece/mceliece348864/sse/bm.h View File

@@ -1,17 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_BM_H
#define PQCLEAN_MCELIECE348864_SSE_BM_H
/*
This file is for the inversion-free Berlekamp-Massey algorithm
see https://ieeexplore.ieee.org/document/87857
*/


#include <stdint.h>

#include "params.h"
#include "vec128.h"

void PQCLEAN_MCELIECE348864_SSE_bm(uint64_t *out, vec128 *in);

#endif


+ 0
- 32
crypto_kem/mceliece/mceliece348864/sse/consts.S View File

@@ -1,32 +0,0 @@
.data

# not supported on macos
#.section .rodata
.globl PQCLEAN_MCELIECE348864_SSE_MASK0_0
.globl PQCLEAN_MCELIECE348864_SSE_MASK0_1
.globl PQCLEAN_MCELIECE348864_SSE_MASK1_0
.globl PQCLEAN_MCELIECE348864_SSE_MASK1_1
.globl PQCLEAN_MCELIECE348864_SSE_MASK2_0
.globl PQCLEAN_MCELIECE348864_SSE_MASK2_1
.globl PQCLEAN_MCELIECE348864_SSE_MASK3_0
.globl PQCLEAN_MCELIECE348864_SSE_MASK3_1
.globl PQCLEAN_MCELIECE348864_SSE_MASK4_0
.globl PQCLEAN_MCELIECE348864_SSE_MASK4_1
.globl PQCLEAN_MCELIECE348864_SSE_MASK5_0
.globl PQCLEAN_MCELIECE348864_SSE_MASK5_1

.p2align 4

PQCLEAN_MCELIECE348864_SSE_MASK0_0: .quad 0x5555555555555555, 0x5555555555555555
PQCLEAN_MCELIECE348864_SSE_MASK0_1: .quad 0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA
PQCLEAN_MCELIECE348864_SSE_MASK1_0: .quad 0x3333333333333333, 0x3333333333333333
PQCLEAN_MCELIECE348864_SSE_MASK1_1: .quad 0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC
PQCLEAN_MCELIECE348864_SSE_MASK2_0: .quad 0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F
PQCLEAN_MCELIECE348864_SSE_MASK2_1: .quad 0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0
PQCLEAN_MCELIECE348864_SSE_MASK3_0: .quad 0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF
PQCLEAN_MCELIECE348864_SSE_MASK3_1: .quad 0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00
PQCLEAN_MCELIECE348864_SSE_MASK4_0: .quad 0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF
PQCLEAN_MCELIECE348864_SSE_MASK4_1: .quad 0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000
PQCLEAN_MCELIECE348864_SSE_MASK5_0: .quad 0x00000000FFFFFFFF, 0x00000000FFFFFFFF
PQCLEAN_MCELIECE348864_SSE_MASK5_1: .quad 0xFFFFFFFF00000000, 0xFFFFFFFF00000000


+ 0
- 448
crypto_kem/mceliece/mceliece348864/sse/consts.inc View File

@@ -1,448 +0,0 @@
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00F0FF0F00F0FF0, 0xF00F0FF0F00F0FF0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0xF0F00F0F0F0FF0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF00FF00FF0, 0x0FF00FF00FF00FF0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA5555AAAA5555AA, 0xAA5555AAAA5555AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00F0FF0F00F0FF0, 0xF00F0FF0F00F0FF0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0x33CCCC33CC3333CC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC33CC3333CC33CC, 0xCC33CC3333CC33CC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CC33CC33CC33CC, 0x33CC33CC33CC33CC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5A5A5A5A5A5A5A5A, 0x5A5A5A5A5A5A5A5A),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00F0FF0F00F0FF0, 0xF00F0FF0F00F0FF0),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3C3C3C3C3C3C3C3C, 0x3C3C3C3C3C3C3C3C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555AAAA5555AAAA, 0xAAAA5555AAAA5555),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC3333CCCC3333CC, 0xCC3333CCCC3333CC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33CC33CC33CC33C, 0xC33CC33CC33CC33C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55555555AAAAAAAA, 0x55555555AAAAAAAA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33333333CCCCCCCC, 0x33333333CCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FFFF00FF00, 0xFF00FF0000FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFFFFFF0000, 0x0000FFFFFFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0xF0F00F0F0F0FF0F0),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA5555AA55AA, 0x55AA55AAAA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC33CC3333CC33CC, 0xCC33CC3333CC33CC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0xCC3333CC33CCCC33),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55555555AAAAAAAA, 0x55555555AAAAAAAA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF0000FF00FFFF00, 0xFF0000FF00FFFF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC33CC3C33CC33C, 0xC33CC33C3CC33CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555AAAA5555AAAA, 0xAAAA5555AAAA5555),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF00FF00FF0, 0xF00FF00FF00FF00F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC33333333CCCC, 0x3333CCCCCCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0xFF0000FFFF0000FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33CC33CC33CC33C, 0xC33CC33CC33CC33C),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA5555AA55AA, 0x55AA55AAAA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CC33CCCC33CC33, 0x33CC33CCCC33CC33),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC3333CC33CCCC33, 0x33CCCC33CC3333CC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55555555AAAAAAAA, 0x55555555AAAAAAAA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF00FF0000FF, 0x00FFFF00FF0000FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC33CC3C33CC33C, 0xC33CC33C3CC33CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555AAAA5555AAAA, 0xAAAA5555AAAA5555),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF00FF00FF0, 0xF00FF00FF00FF00F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCCCCCC3333, 0xCCCC33333333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0xFF0000FFFF0000FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33CC33CC33CC33C, 0xC33CC33CC33CC33C),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6699669999669966, 0x9966996666996699),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0x33CCCC33CC3333CC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA5A5A5A55A5A5A5A, 0xA5A5A5A55A5A5A5A),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3C3CC3C3C3C33C3C, 0x3C3CC3C3C3C33C3C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3C3CC3C3C3C33C3C, 0x3C3CC3C3C3C33C3C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0xCC3333CC33CCCC33),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6699669999669966, 0x9966996666996699),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0x33CCCC33CC3333CC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5A5A5A5AA5A5A5A5, 0x5A5A5A5AA5A5A5A5),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC3C33C3C3C3CC3C3, 0xC3C33C3C3C3CC3C3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC3C33C3C3C3CC3C3, 0xC3C33C3C3C3CC3C3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0xCC3333CC33CCCC33),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6699669999669966, 0x9966996666996699),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC3333CC33CCCC33, 0xCC3333CC33CCCC33),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5A5A5A5AA5A5A5A5, 0x5A5A5A5AA5A5A5A5),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3C3CC3C3C3C33C3C, 0x3C3CC3C3C3C33C3C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3C3CC3C3C3C33C3C, 0x3C3CC3C3C3C33C3C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0xCC3333CC33CCCC33),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6699669999669966, 0x9966996666996699),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCC3333CC33CCCC33, 0xCC3333CC33CCCC33),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA5A5A5A55A5A5A5A, 0xA5A5A5A55A5A5A5A),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC3C33C3C3C3CC3C3, 0xC3C33C3C3C3CC3C3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC3C33C3C3C3CC3C3, 0xC3C33C3C3C3CC3C3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x33CCCC33CC3333CC, 0xCC3333CC33CCCC33),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0x00FFFF0000FFFF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0x0F0FF0F0F0F00F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF0000FFFF0000FF, 0xFF0000FFFF0000FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0FF0F0F0F00F0F, 0xF0F00F0F0F0FF0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF0000FFFF0000FF, 0xFF0000FFFF0000FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0x0F0FF0F0F0F00F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0x00FFFF0000FFFF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0FF0F0F0F00F0F, 0xF0F00F0F0F0FF0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0x00FFFF0000FFFF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0x0F0FF0F0F0F00F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF0000FFFF0000FF, 0xFF0000FFFF0000FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0FF0F0F0F00F0F, 0xF0F00F0F0F0FF0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF0000FFFF0000FF, 0xFF0000FFFF0000FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF00FF00F0FF00FF0, 0x0FF00FF0F00FF00F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F00F0F0F0FF0F0, 0x0F0FF0F0F0F00F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669699696696996, 0x9669699696696996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x9669966996699669, 0x9669966996699669),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x6996699669966996, 0x6996699669966996),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FFFF0000FFFF00, 0x00FFFF0000FFFF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0FF00FF0F00FF00F, 0xF00FF00F0FF00FF0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0FF0F0F0F00F0F, 0xF0F00F0F0F0FF0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0x3CC3C33CC33C3CC3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xA55A5AA55AA5A55A, 0xA55A5AA55AA5A55A),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xC33C3CC33CC3C33C, 0xC33C3CC33CC3C33C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3CC3C33C3CC3C33C, 0x3CC3C33C3CC3C33C),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFF00000000, 0xFFFFFFFF00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCCCCCCCCCCCCCC, 0xCCCCCCCCCCCCCCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},

+ 0
- 274
crypto_kem/mceliece/mceliece348864/sse/controlbits.c View File

@@ -1,274 +0,0 @@
/*
This file is for functions required for generating the control bits of the Benes network w.r.t. a random permutation
see the Lev-Pippenger-Valiant paper https://www.computer.org/csdl/trans/tc/1981/02/06312171.pdf
*/

#include "controlbits.h"

#include "params.h"

#include <stdint.h>

typedef uint8_t bit;

#define N (1 << GFBITS)

static bit is_smaller(uint32_t a, uint32_t b) {
uint32_t ret = 0;

ret = a - b;
ret >>= 31;

return (bit)ret;
}

static bit is_smaller_63b(uint64_t a, uint64_t b) {
uint64_t ret = 0;

ret = a - b;
ret >>= 63;

return (bit)ret;
}

static void cswap(uint32_t *x, uint32_t *y, bit swap) {
uint32_t m;
uint32_t d;

m = swap;
m = 0 - m;

d = (*x ^ *y);
d &= m;
*x ^= d;
*y ^= d;
}

static void cswap_63b(uint64_t *x, uint64_t *y, bit swap) {
uint64_t m;
uint64_t d;

m = swap;
m = 0 - m;

d = (*x ^ *y);
d &= m;
*x ^= d;
*y ^= d;
}

/* output x = min(input x,input y) */
/* output y = max(input x,input y) */

static void minmax(uint32_t *x, uint32_t *y) {
bit m;

m = is_smaller(*y, *x);
cswap(x, y, m);
}

static void minmax_63b(uint64_t *x, uint64_t *y) {
bit m;

m = is_smaller_63b(*y, *x);
cswap_63b(x, y, m);
}

/* merge first half of x[0],x[step],...,x[(2*n-1)*step] with second half */
/* requires n to be a power of 2 */

static void merge(int n, uint32_t *x, int step) {
int i;
if (n == 1) {
minmax(&x[0], &x[step]);
} else {
merge(n / 2, x, step * 2);
merge(n / 2, x + step, step * 2);
for (i = 1; i < 2 * n - 1; i += 2) {
minmax(&x[i * step], &x[(i + 1) * step]);
}
}
}

static void merge_63b(int n, uint64_t *x, int step) {
int i;
if (n == 1) {
minmax_63b(&x[0], &x[step]);
} else {
merge_63b(n / 2, x, step * 2);
merge_63b(n / 2, x + step, step * 2);
for (i = 1; i < 2 * n - 1; i += 2) {
minmax_63b(&x[i * step], &x[(i + 1) * step]);
}
}
}

/* sort x[0],x[1],...,x[n-1] in place */
/* requires n to be a power of 2 */

static void sort(int n, uint32_t *x) {
if (n <= 1) {
return;
}
sort(n / 2, x);
sort(n / 2, x + n / 2);
merge(n / 2, x, 1);
}

void PQCLEAN_MCELIECE348864_SSE_sort_63b(int n, uint64_t *x) {
if (n <= 1) {
return;
}
PQCLEAN_MCELIECE348864_SSE_sort_63b(n / 2, x);
PQCLEAN_MCELIECE348864_SSE_sort_63b(n / 2, x + n / 2);
merge_63b(n / 2, x, 1);
}

/* y[pi[i]] = x[i] */
/* requires n = 2^w */
/* requires pi to be a permutation */
static void composeinv(int n, uint32_t *y, const uint32_t *x, const uint32_t *pi) { // NC
int i;
uint32_t t[2 * N];

for (i = 0; i < n; ++i) {
t[i] = x[i] | (pi[i] << 16);
}

sort(n, t);

for (i = 0; i < n; ++i) {
y[i] = t[i] & 0xFFFF;
}
}

/* ip[i] = j iff pi[i] = j */
/* requires n = 2^w */
/* requires pi to be a permutation */
static void invert(int n, uint32_t *ip, const uint32_t *pi) {
int i;

for (i = 0; i < n; i++) {
ip[i] = i;
}

composeinv(n, ip, ip, pi);
}


static void flow(int w, uint32_t *x, const uint32_t *y, int t) {
bit m0;
bit m1;

uint32_t b;
uint32_t y_copy = *y;

m0 = is_smaller(*y & ((1 << w) - 1), *x & ((1 << w) - 1));
m1 = is_smaller(0, t);

cswap(x, &y_copy, m0);
b = m0 & m1;
*x ^= b << w;
}

/* input: permutation pi */
/* output: (2w-1)n/2 (or 0 if n==1) control bits c[0],c[step],c[2*step],... */
/* requires n = 2^w */
static void controlbitsfrompermutation(int w, int n, int step, int off, unsigned char *c, const uint32_t *pi) {
int i;
int j;
int k;
int t;
uint32_t ip[N] = {0};
uint32_t I[2 * N] = {0};
uint32_t P[2 * N] = {0};
uint32_t PI[2 * N] = {0};
uint32_t T[2 * N] = {0};
uint32_t piflip[N] = {0};
uint32_t subpi[2][N / 2] = {{0}};

if (w == 1) {
c[ off / 8 ] |= (pi[0] & 1) << (off % 8);
}
if (w <= 1) {
return;
}

invert(n, ip, pi);

for (i = 0; i < n; ++i) {
I[i] = ip[i] | (1 << w);
I[n + i] = pi[i];
}

for (i = 0; i < 2 * n; ++i) {
P[i] = (i >> w) + (i & ((1 << w) - 2)) + ((i & 1) << w);
}

for (t = 0; t < w; ++t) {
composeinv(2 * n, PI, P, I);

for (i = 0; i < 2 * n; ++i) {
flow(w, &P[i], &PI[i], t);
}

for (i = 0; i < 2 * n; ++i) {
T[i] = I[i ^ 1];
}

composeinv(2 * n, I, I, T);

for (i = 0; i < 2 * n; ++i) {
T[i] = P[i ^ 1];
}

for (i = 0; i < 2 * n; ++i) {
flow(w, &P[i], &T[i], 1);
}
}

for (i = 0; i < n; ++i) {
for (j = 0; j < w; ++j) {
piflip[i] = pi[i];
}
}

for (i = 0; i < n / 2; ++i) {
c[ (off + i * step) / 8 ] |= ((P[i * 2] >> w) & 1) << ((off + i * step) % 8);
}
for (i = 0; i < n / 2; ++i) {
c[ (off + ((w - 1)*n + i) * step) / 8 ] |= ((P[n + i * 2] >> w) & 1) << ((off + ((w - 1) * n + i) * step) % 8);
}

for (i = 0; i < n / 2; ++i) {
cswap(&piflip[i * 2], &piflip[i * 2 + 1], (P[n + i * 2] >> w) & 1);
}

for (k = 0; k < 2; ++k) {
for (i = 0; i < n / 2; ++i) {
subpi[k][i] = piflip[i * 2 + k] >> 1;
}
}

for (k = 0; k < 2; ++k) {
controlbitsfrompermutation(w - 1, n / 2, step * 2, off + step * (n / 2 + k), c, subpi[k]);
}
}

/* input: pi, a permutation*/
/* output: out, control bits w.r.t. pi */
void PQCLEAN_MCELIECE348864_SSE_controlbits(unsigned char *out, const uint32_t *pi) {
unsigned int i;
unsigned char c[ (2 * GFBITS - 1) * (1 << GFBITS) / 16 ];

for (i = 0; i < sizeof(c); i++) {
c[i] = 0;
}

controlbitsfrompermutation(GFBITS, (1 << GFBITS), 1, 0, c, pi);

for (i = 0; i < sizeof(c); i++) {
out[i] = c[i];
}
}


+ 0
- 15
crypto_kem/mceliece/mceliece348864/sse/controlbits.h View File

@@ -1,15 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_CONTROLBITS_H
#define PQCLEAN_MCELIECE348864_SSE_CONTROLBITS_H
/*
This file is for functions required for generating the control bits of the Benes network w.r.t. a random permutation
see the Lev-Pippenger-Valiant paper https://www.computer.org/csdl/trans/tc/1981/02/06312171.pdf
*/


#include <stdint.h>

void PQCLEAN_MCELIECE348864_SSE_sort_63b(int n, uint64_t *x);
void PQCLEAN_MCELIECE348864_SSE_controlbits(unsigned char *out, const uint32_t *pi);

#endif


+ 0
- 7
crypto_kem/mceliece/mceliece348864/sse/crypto_hash.h View File

@@ -1,7 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_CRYPTO_HASH_H
#define PQCLEAN_MCELIECE348864_SSE_CRYPTO_HASH_H
#include "fips202.h"

#define crypto_hash_32b(out,in,inlen) shake256(out, 32, in, inlen)

#endif

+ 0
- 203
crypto_kem/mceliece/mceliece348864/sse/decrypt.c View File

@@ -1,203 +0,0 @@
/*
This file is for Niederreiter decryption
*/

#include "decrypt.h"

#include "benes.h"
#include "bm.h"
#include "fft.h"
#include "fft_tr.h"
#include "params.h"
#include "util.h"

#include <stdio.h>

static void scaling(vec128 out[][GFBITS], vec128 inv[][GFBITS], const unsigned char *sk, vec128 *recv) {
int i, j;

uint64_t irr_int[ GFBITS ];
vec128 eval[32][ GFBITS ];
vec128 tmp[ GFBITS ];

//

PQCLEAN_MCELIECE348864_SSE_irr_load(irr_int, sk);

PQCLEAN_MCELIECE348864_SSE_fft(eval, irr_int);

for (i = 0; i < 32; i++) {
PQCLEAN_MCELIECE348864_SSE_vec128_sq(eval[i], eval[i]);
}

PQCLEAN_MCELIECE348864_SSE_vec128_copy(inv[0], eval[0]);

for (i = 1; i < 32; i++) {
PQCLEAN_MCELIECE348864_SSE_vec128_mul(inv[i], inv[i - 1], eval[i]);
}

PQCLEAN_MCELIECE348864_SSE_vec128_inv(tmp, inv[31]);

for (i = 30; i >= 0; i--) {
PQCLEAN_MCELIECE348864_SSE_vec128_mul(inv[i + 1], tmp, inv[i]);
PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp, tmp, eval[i + 1]);
}

PQCLEAN_MCELIECE348864_SSE_vec128_copy(inv[0], tmp);

//

for (i = 0; i < 32; i++) {
for (j = 0; j < GFBITS; j++) {
out[i][j] = PQCLEAN_MCELIECE348864_SSE_vec128_and(inv[i][j], recv[i]);
}
}
}

static void preprocess(vec128 *recv, const unsigned char *s) {
int i;
uint8_t r[ 512 ];

for (i = 0; i < SYND_BYTES; i++) {
r[i] = s[i];
}

for (i = SYND_BYTES; i < 512; i++) {
r[i] = 0;
}

for (i = 0; i < 32; i++) {
recv[i] = PQCLEAN_MCELIECE348864_SSE_load16(r + i * 16);
}
}

static void postprocess(unsigned char *e, vec128 *err) {
int i;
unsigned char error8[ (1 << GFBITS) / 8 ];
uint64_t v[2];

for (i = 0; i < 32; i++) {
v[0] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(err[i], 0);
v[1] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(err[i], 1);

PQCLEAN_MCELIECE348864_SSE_store8(error8 + i * 16 + 0, v[0]);
PQCLEAN_MCELIECE348864_SSE_store8(error8 + i * 16 + 8, v[1]);
}

for (i = 0; i < SYS_N / 8; i++) {
e[i] = error8[i];
}
}

static void scaling_inv(vec128 out[][GFBITS], vec128 inv[][GFBITS], vec128 *recv) {
int i, j;

for (i = 0; i < 32; i++) {
for (j = 0; j < GFBITS; j++) {
out[i][j] = PQCLEAN_MCELIECE348864_SSE_vec128_and(inv[i][j], recv[i]);
}
}
}

static uint16_t weight_check(unsigned char *e, vec128 *error) {
int i;
uint16_t w0 = 0;
uint16_t w1 = 0;
uint16_t check;

for (i = 0; i < 32; i++) {
w0 += _mm_popcnt_u64( PQCLEAN_MCELIECE348864_SSE_vec128_extract(error[i], 0) );
w0 += _mm_popcnt_u64( PQCLEAN_MCELIECE348864_SSE_vec128_extract(error[i], 1) );
}

for (i = 0; i < SYS_N / 8; i++) {
w1 += _mm_popcnt_u32( e[i] );
}

check = (w0 ^ SYS_T) | (w1 ^ SYS_T);
check -= 1;
check >>= 15;

return check;
}

static uint64_t synd_cmp(vec128 s0[ GFBITS ], vec128 s1[ GFBITS ]) {
int i;
vec128 diff;

diff = PQCLEAN_MCELIECE348864_SSE_vec128_xor(s0[0], s1[0]);

for (i = 1; i < GFBITS; i++) {
diff = PQCLEAN_MCELIECE348864_SSE_vec128_or(diff, PQCLEAN_MCELIECE348864_SSE_vec128_xor(s0[i], s1[i]));
}

return PQCLEAN_MCELIECE348864_SSE_vec128_testz(diff);
}

/* Niederreiter decryption with the Berlekamp decoder */
/* intput: sk, secret key */
/* c, ciphertext (syndrome) */
/* output: e, error vector */
/* return: 0 for success; 1 for failure */
int PQCLEAN_MCELIECE348864_SSE_decrypt(unsigned char *e, const unsigned char *sk, const unsigned char *c) {
int i;

uint16_t check_synd;
uint16_t check_weight;

vec128 inv[ 32 ][ GFBITS ];
vec128 scaled[ 32 ][ GFBITS ];
vec128 eval[ 32 ][ GFBITS ];

vec128 error[ 32 ];

vec128 s_priv[ GFBITS ];
vec128 s_priv_cmp[ GFBITS ];

uint64_t locator[ GFBITS ];

vec128 recv[ 32 ];
vec128 allone;

uint64_t bits_int[23][32];

// Berlekamp decoder

preprocess(recv, c);

PQCLEAN_MCELIECE348864_SSE_load_bits(bits_int, sk + IRR_BYTES);
PQCLEAN_MCELIECE348864_SSE_benes((uint64_t *) recv, bits_int, 1);

scaling(scaled, inv, sk, recv);

PQCLEAN_MCELIECE348864_SSE_fft_tr(s_priv, scaled);

PQCLEAN_MCELIECE348864_SSE_bm(locator, s_priv);

PQCLEAN_MCELIECE348864_SSE_fft(eval, locator);

// reencryption and weight check

allone = PQCLEAN_MCELIECE348864_SSE_vec128_setbits(1);

for (i = 0; i < 32; i++) {
error[i] = PQCLEAN_MCELIECE348864_SSE_vec128_or_reduce(eval[i]);
error[i] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(error[i], allone);
}

scaling_inv(scaled, inv, error);
PQCLEAN_MCELIECE348864_SSE_fft_tr(s_priv_cmp, scaled);

check_synd = synd_cmp(s_priv, s_priv_cmp);

//

PQCLEAN_MCELIECE348864_SSE_benes((uint64_t *) error, bits_int, 0);

postprocess(e, error);

check_weight = weight_check(e, error);

return 1 - (check_synd & check_weight);
}


+ 0
- 10
crypto_kem/mceliece/mceliece348864/sse/decrypt.h View File

@@ -1,10 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_DECRYPT_H
#define PQCLEAN_MCELIECE348864_SSE_DECRYPT_H
/*
This file is for Nieddereiter decryption
*/

int PQCLEAN_MCELIECE348864_SSE_decrypt(unsigned char * /*e*/, const unsigned char * /*sk*/, const unsigned char * /*c*/);

#endif


+ 0
- 99
crypto_kem/mceliece/mceliece348864/sse/encrypt.c View File

@@ -1,99 +0,0 @@
/*
This file is for Niederreiter encryption
*/

#include "encrypt.h"

#include "gf.h"
#include "params.h"
#include "randombytes.h"
#include "util.h"

#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* input: public key pk, error vector e */
/* output: syndrome s */
extern void PQCLEAN_MCELIECE348864_SSE_syndrome_asm(unsigned char *s, const unsigned char *pk, unsigned char *e);

/* output: e, an error vector of weight t */
static void gen_e(unsigned char *e) {
size_t i, j;
int eq, count;

uint16_t ind_[ SYS_T * 2 ];
uint16_t ind[ SYS_T * 2 ];
uint64_t e_int[ (SYS_N + 63) / 64 ];
uint64_t one = 1;
uint64_t mask;
uint64_t val[ SYS_T ];

while (1) {
randombytes((uint8_t *)ind_, sizeof(ind_));

for (i = 0; i < SYS_T * 2; i++) {
ind_[i] &= GFMASK;
}

count = 0;
for (i = 0; i < SYS_T * 2; i++) {
if (ind_[i] < SYS_N) {
ind[ count++ ] = ind_[i];
}
}

if (count < SYS_T) {
continue;
}

// check for repetition

eq = 0;

for (i = 1; i < SYS_T; i++) {
for (j = 0; j < i; j++) {
if (ind[i] == ind[j]) {
eq = 1;
}
}
}

if (eq == 0) {
break;
}
}

for (j = 0; j < SYS_T; j++) {
val[j] = one << (ind[j] & 63);
}

for (i = 0; i < (SYS_N + 63) / 64; i++) {
e_int[i] = 0;

for (j = 0; j < SYS_T; j++) {
mask = i ^ (ind[j] >> 6);
mask -= 1;
mask >>= 63;
mask = -mask;

e_int[i] |= val[j] & mask;
}
}

for (i = 0; i < (SYS_N + 63) / 64 - 1; i++) {
PQCLEAN_MCELIECE348864_SSE_store8(e, e_int[i]);
e += 8;
}

for (j = 0; j < (SYS_N % 64); j += 8) {
e[ j / 8 ] = (e_int[i] >> j) & 0xFF;
}
}

void PQCLEAN_MCELIECE348864_SSE_encrypt(unsigned char *s, unsigned char *e, const unsigned char *pk) {
gen_e(e);
PQCLEAN_MCELIECE348864_SSE_syndrome_asm(s, pk, e);
}


+ 0
- 11
crypto_kem/mceliece/mceliece348864/sse/encrypt.h View File

@@ -1,11 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_ENCRYPT_H
#define PQCLEAN_MCELIECE348864_SSE_ENCRYPT_H
/*
This file is for Niederreiter encryption
*/


void PQCLEAN_MCELIECE348864_SSE_encrypt(unsigned char * /*s*/, unsigned char * /*e*/, const unsigned char * /*pk*/);

#endif


+ 0
- 155
crypto_kem/mceliece/mceliece348864/sse/fft.c View File

@@ -1,155 +0,0 @@
/*
This file is for the Gao-Mateer FFT
sse http://www.math.clemson.edu/~sgao/papers/GM10.pdf
*/

#include "fft.h"

#include "vec.h"
#include "vec128.h"

/* input: in, polynomial in bitsliced form */
/* output: in, result of applying the radix conversions on in */
static void radix_conversions(uint64_t *in) {
int i, j, k;

const uint64_t mask[5][2] = {
{0x8888888888888888, 0x4444444444444444},
{0xC0C0C0C0C0C0C0C0, 0x3030303030303030},
{0xF000F000F000F000, 0x0F000F000F000F00},
{0xFF000000FF000000, 0x00FF000000FF0000},
{0xFFFF000000000000, 0x0000FFFF00000000}
};

const uint64_t s[5][GFBITS] = {
#include "scalars.inc"
};

//

for (j = 0; j <= 4; j++) {
for (i = 0; i < GFBITS; i++) {
for (k = 4; k >= j; k--) {
in[i] ^= (in[i] & mask[k][0]) >> (1 << k);
in[i] ^= (in[i] & mask[k][1]) >> (1 << k);
}
}

PQCLEAN_MCELIECE348864_SSE_vec_mul(in, in, s[j]); // scaling
}
}

/* input: in, result of applying the radix conversions to the input polynomial */
/* output: out, evaluation results (by applying the FFT butterflies) */
static void butterflies(vec128 out[][ GFBITS ], const uint64_t *in) {
int i, j, k, s, b;

uint64_t t0, t1;

const vec128 consts[ 32 ][ GFBITS ] = {
#include "consts.inc"
};

uint64_t consts_ptr = 0;

const uint8_t reversal[64] = {
0, 32, 16, 48, 8, 40, 24, 56,
4, 36, 20, 52, 12, 44, 28, 60,
2, 34, 18, 50, 10, 42, 26, 58,
6, 38, 22, 54, 14, 46, 30, 62,
1, 33, 17, 49, 9, 41, 25, 57,
5, 37, 21, 53, 13, 45, 29, 61,
3, 35, 19, 51, 11, 43, 27, 59,
7, 39, 23, 55, 15, 47, 31, 63
};

// boradcast

vec128 tmp[ GFBITS ];
vec128 x[ GFBITS ], y[ GFBITS ];

for (j = 0; j < 64; j += 4) {
for (i = 0; i < GFBITS; i++) {
t0 = (in[i] >> reversal[j + 0]) & 1;
t0 = -t0;
t1 = (in[i] >> reversal[j + 2]) & 1;
t1 = -t1;

out[j / 2 + 0][i] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(t0, t1);

t0 = (in[i] >> reversal[j + 1]) & 1;
t0 = -t0;
t1 = (in[i] >> reversal[j + 3]) & 1;
t1 = -t1;

out[j / 2 + 1][i] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(t0, t1);
}
}

//


for (i = 0; i < 32; i += 2) {
PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp, out[i + 1], consts[ 0 ]);

for (b = 0; b < GFBITS; b++) {
out[i + 0][b] ^= tmp[b];
}
for (b = 0; b < GFBITS; b++) {
out[i + 1][b] ^= out[i + 0][b];
}

for (b = 0; b < GFBITS; b++) {
x[b] = PQCLEAN_MCELIECE348864_SSE_vec128_unpack_low(out[i + 0][b], out[i + 1][b]);
}
for (b = 0; b < GFBITS; b++) {
y[b] = PQCLEAN_MCELIECE348864_SSE_vec128_unpack_high(out[i + 0][b], out[i + 1][b]);
}

for (b = 0; b < GFBITS; b++) {
out[i + 0][b] = x[b];
}
for (b = 0; b < GFBITS; b++) {
out[i + 1][b] = y[b];
}
}

consts_ptr += 1;

for (i = 0; i <= 4; i++) {
s = 1 << i;

for (j = 0; j < 32; j += 2 * s) {
for (k = j; k < j + s; k++) {
PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp, out[k + s], consts[ consts_ptr + (k - j) ]);

for (b = 0; b < GFBITS; b++) {
out[k][b] ^= tmp[b];
}
for (b = 0; b < GFBITS; b++) {
out[k + s][b] ^= out[k][b];
}
}
}

consts_ptr += s;
}

// adding the part contributed by x^64

vec128 powers[32][GFBITS] = {
#include "powers.inc"
};

for (i = 0; i < 32; i++) {
for (b = 0; b < GFBITS; b++) {
out[i][b] ^= powers[i][b];
}
}
}

void PQCLEAN_MCELIECE348864_SSE_fft(vec128 out[][ GFBITS ], uint64_t *in) {
radix_conversions(in);
butterflies(out, in);
}


+ 0
- 17
crypto_kem/mceliece/mceliece348864/sse/fft.h View File

@@ -1,17 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_FFT_H
#define PQCLEAN_MCELIECE348864_SSE_FFT_H
/*
This file is for the Gao-Mateer FFT
sse http://www.math.clemson.edu/~sgao/papers/GM10.pdf
*/


#include <stdint.h>

#include "params.h"
#include "vec128.h"

void PQCLEAN_MCELIECE348864_SSE_fft(vec128 /*out*/[][GFBITS], uint64_t * /*in*/);

#endif


+ 0
- 312
crypto_kem/mceliece/mceliece348864/sse/fft_tr.c View File

@@ -1,312 +0,0 @@
/*
This file is for transpose of the Gao-Mateer FFT
Functions with names ending with _tr are (roughly) the transpose of the corresponding functions in fft.c
*/

#include "fft_tr.h"

#include "transpose.h"
#include "vec.h"
#include "vec128.h"

#include <stdint.h>

static void radix_conversions_tr(vec128 in[ GFBITS ]) {
int i, j, k;

const vec128 mask[10] = {
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x2222222222222222, 0x2222222222222222),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x4444444444444444, 0x4444444444444444),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0C0C0C0C0C0C0C0C, 0x0C0C0C0C0C0C0C0C),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3030303030303030, 0x3030303030303030),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00F000F000F000F0, 0x00F000F000F000F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F000F000F000F00, 0x0F000F000F000F00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FF000000FF00, 0x0000FF000000FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF000000FF0000, 0x00FF000000FF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000000FFFF0000, 0x00000000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF00000000, 0x0000FFFF00000000)
};

const vec128 s[5][GFBITS] = {
#include "scalars_2x.inc"
};

uint64_t v0, v1;

//

for (j = 5; j >= 0; j--) {

if (j < 5) {
PQCLEAN_MCELIECE348864_SSE_vec128_mul(in, in, s[j]);
}

for (i = 0; i < GFBITS; i++) {
for (k = j; k <= 4; k++) {
in[i] ^= PQCLEAN_MCELIECE348864_SSE_vec128_sll_2x(in[i] & mask[2 * k + 0], 1 << k);
in[i] ^= PQCLEAN_MCELIECE348864_SSE_vec128_sll_2x(in[i] & mask[2 * k + 1], 1 << k);
}
}

for (i = 0; i < GFBITS; i++) {
v0 = PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[i], 0);
v1 = PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[i], 1);

v1 ^= v0 >> 32;
v1 ^= v1 << 32;

in[i] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(v0, v1);
}
}
}

static void butterflies_tr(vec128 out[ GFBITS ], vec128 in[][ GFBITS ]) {
int i, j, k, s, b;

uint64_t t[ GFBITS ];
uint64_t pre[6][ GFBITS ];

uint64_t out64[2][GFBITS];

vec128 p2[ 6 ];
vec128 buf[64];
vec128 tt[ GFBITS ];
vec128 x[ GFBITS ], y[ GFBITS ];

const vec128 consts[ 32 ][ GFBITS ] = {
#include "consts.inc"
};

uint64_t consts_ptr = 32;

const uint8_t reversal[64] = {
0, 32, 16, 48, 8, 40, 24, 56,
4, 36, 20, 52, 12, 44, 28, 60,
2, 34, 18, 50, 10, 42, 26, 58,
6, 38, 22, 54, 14, 46, 30, 62,
1, 33, 17, 49, 9, 41, 25, 57,
5, 37, 21, 53, 13, 45, 29, 61,
3, 35, 19, 51, 11, 43, 27, 59,
7, 39, 23, 55, 15, 47, 31, 63
};

const uint16_t beta[6] = {8, 1300, 3408, 1354, 2341, 1154};

// butterflies

for (i = 4; i >= 0; i--) {
s = 1 << i;
consts_ptr -= s;

for (j = 0; j < 32; j += 2 * s) {
for (k = j; k < j + s; k++) {
for (b = 0; b < GFBITS; b++) {
in[k][b] ^= in[k + s][b];
}
PQCLEAN_MCELIECE348864_SSE_vec128_mul(tt, in[k], consts[ consts_ptr + (k - j) ]);
for (b = 0; b < GFBITS; b++) {
in[k + s][b] ^= tt[b];
}
}
}
}

for (i = 0; i < 32; i += 2) {
for (b = 0; b < GFBITS; b++) {
x[b] = PQCLEAN_MCELIECE348864_SSE_vec128_unpack_low(in[i + 0][b], in[i + 1][b]);
}
for (b = 0; b < GFBITS; b++) {
y[b] = PQCLEAN_MCELIECE348864_SSE_vec128_unpack_high(in[i + 0][b], in[i + 1][b]);
}

for (b = 0; b < GFBITS; b++) {
in[i + 0][b] = x[b] ^ y[b];
}
PQCLEAN_MCELIECE348864_SSE_vec128_mul(tt, in[i + 0], consts[ 0 ]);
for (b = 0; b < GFBITS; b++) {
in[i + 1][b] = y[b] ^ tt[b];
}
}

// transpose

for (i = 0; i < GFBITS; i += 2) {
for (j = 0; j < 64; j += 4) {
buf[ reversal[j + 0] ] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 0][i + 0], 0),
PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 0][i + 1], 0));
buf[ reversal[j + 1] ] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 1][i + 0], 0),
PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 1][i + 1], 0));
buf[ reversal[j + 2] ] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 0][i + 0], 1),
PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 0][i + 1], 1));
buf[ reversal[j + 3] ] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 1][i + 0], 1),
PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[j / 2 + 1][i + 1], 1));
}

PQCLEAN_MCELIECE348864_SSE_transpose_64x128_sp(buf);

p2[0] = buf[32];
buf[33] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[33], buf[32]);
p2[1] = buf[33];
buf[35] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[35], buf[33]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[35]);
buf[34] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[34], buf[35]);
p2[2] = buf[34];
buf[38] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[38], buf[34]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[38]);
buf[39] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[39], buf[38]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[39]);
buf[37] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[37], buf[39]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[37]);
buf[36] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[36], buf[37]);
p2[3] = buf[36];
buf[44] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[44], buf[36]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[44]);
buf[45] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[45], buf[44]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[45]);
buf[47] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[47], buf[45]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[47]);
buf[46] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[46], buf[47]);
p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[46]);
buf[42] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[42], buf[46]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[42]);
buf[43] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[43], buf[42]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[43]);
buf[41] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[41], buf[43]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[41]);
buf[40] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[40], buf[41]);
p2[4] = buf[40];
buf[56] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[56], buf[40]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[56]);
buf[57] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[57], buf[56]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[57]);
buf[59] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[59], buf[57]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[59]);
buf[58] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[58], buf[59]);
p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[58]);
buf[62] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[62], buf[58]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[62]);
buf[63] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[63], buf[62]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[63]);
buf[61] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[61], buf[63]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[61]);
buf[60] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[60], buf[61]);
p2[3] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[3], buf[60]);
buf[52] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[52], buf[60]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[52]);
buf[53] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[53], buf[52]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[53]);
buf[55] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[55], buf[53]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[55]);
buf[54] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[54], buf[55]);
p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[54]);
buf[50] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[50], buf[54]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[50]);
buf[51] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[51], buf[50]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[51]);
buf[49] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[49], buf[51]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[49]);
buf[48] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[48], buf[49]);
p2[5] = buf[48];
buf[16] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[16], buf[48]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[16]);
buf[17] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[17], buf[16]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[17]);
buf[19] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[19], buf[17]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[19]);
buf[18] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[18], buf[19]);
p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[18]);
buf[22] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[22], buf[18]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[22]);
buf[23] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[23], buf[22]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[23]);
buf[21] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[21], buf[23]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[21]);
buf[20] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[20], buf[21]);
p2[3] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[3], buf[20]);
buf[28] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[28], buf[20]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[28]);
buf[29] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[29], buf[28]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[29]);
buf[31] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[31], buf[29]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[31]);
buf[30] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[30], buf[31]);
p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[30]);
buf[26] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[26], buf[30]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[26]);
buf[27] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[27], buf[26]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[27]);
buf[25] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[25], buf[27]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[25]);
buf[24] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[24], buf[25]);
p2[4] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[4], buf[24]);
buf[8] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[8], buf[24]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[8]);
buf[9] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[9], buf[8]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[9]);
buf[11] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[11], buf[9]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[11]);
buf[10] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[10], buf[11]);
p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[10]);
buf[14] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[14], buf[10]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[14]);
buf[15] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[15], buf[14]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[15]);
buf[13] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[13], buf[15]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[13]);
buf[12] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[12], buf[13]);
p2[3] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[3], buf[12]);
buf[4] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[4], buf[12]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[4]);
buf[5] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[5], buf[4]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[5]);
buf[7] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[7], buf[5]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[7]);
buf[6] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[6], buf[7]);
p2[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[2], buf[6]);
buf[2] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[2], buf[6]);
p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[2]);
buf[3] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[3], buf[2]);
p2[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[1], buf[3]);
buf[1] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[1], buf[3]);

p2[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(p2[0], buf[1]);
buf[0] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(buf[0], buf[1]);

for (j = 0; j < 6; j++) {
pre[j][i + 0] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(p2[j], 0);
pre[j][i + 1] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(p2[j], 1);
}

out64[0][i + 0] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(buf[0], 0);
out64[0][i + 1] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(buf[0], 1);
}

//

for (j = 0; j < GFBITS; j++) {
t[j] = (beta[0] >> j) & 1;
t[j] = -t[j];
}

PQCLEAN_MCELIECE348864_SSE_vec_mul(out64[1], pre[0], t);

for (i = 1; i < 6; i++) {
for (j = 0; j < GFBITS; j++) {
t[j] = (beta[i] >> j) & 1;
t[j] = -t[j];
}

PQCLEAN_MCELIECE348864_SSE_vec_mul(t, pre[i], t);
PQCLEAN_MCELIECE348864_SSE_vec_add(out64[1], out64[1], t);
}

for (b = 0; b < GFBITS; b++) {
out[b] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(out64[0][b], out64[1][b]);
}
}

void PQCLEAN_MCELIECE348864_SSE_fft_tr(vec128 out[GFBITS], vec128 in[][ GFBITS ]) {
butterflies_tr(out, in);
radix_conversions_tr(out);
}


+ 0
- 13
crypto_kem/mceliece/mceliece348864/sse/fft_tr.h View File

@@ -1,13 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_FFT_TR_H
#define PQCLEAN_MCELIECE348864_SSE_FFT_TR_H
/*
This file is for transpose of the Gao-Mateer FFT
*/

#include "params.h"
#include "vec128.h"

void PQCLEAN_MCELIECE348864_SSE_fft_tr(vec128 /*out*/[GFBITS], vec128 /*in*/[][ GFBITS ]);

#endif


+ 0
- 169
crypto_kem/mceliece/mceliece348864/sse/gf.c View File

@@ -1,169 +0,0 @@
/*
This file is for functions for field arithmetic
*/

#include "gf.h"

#include "params.h"

gf PQCLEAN_MCELIECE348864_SSE_gf_iszero(gf a) {
uint32_t t = a;

t -= 1;
t >>= 20;

return (gf) t;
}

gf PQCLEAN_MCELIECE348864_SSE_gf_add(gf in0, gf in1) {
return in0 ^ in1;
}

gf PQCLEAN_MCELIECE348864_SSE_gf_mul(gf in0, gf in1) {
int i;

uint32_t tmp;
uint32_t t0;
uint32_t t1;
uint32_t t;

t0 = in0;
t1 = in1;

tmp = t0 * (t1 & 1);

for (i = 1; i < GFBITS; i++) {
tmp ^= (t0 * (t1 & (1 << i)));
}

t = tmp & 0x7FC000;
tmp ^= t >> 9;
tmp ^= t >> 12;

t = tmp & 0x3000;
tmp ^= t >> 9;
tmp ^= t >> 12;

return tmp & ((1 << GFBITS) - 1);
}

/* input: field element in */
/* return: in^2 */
static inline gf gf_sq(gf in) {
const uint32_t B[] = {0x55555555, 0x33333333, 0x0F0F0F0F, 0x00FF00FF};

uint32_t x = in;
uint32_t t;

x = (x | (x << 8)) & B[3];
x = (x | (x << 4)) & B[2];
x = (x | (x << 2)) & B[1];
x = (x | (x << 1)) & B[0];

t = x & 0x7FC000;
x ^= t >> 9;
x ^= t >> 12;

t = x & 0x3000;
x ^= t >> 9;
x ^= t >> 12;

return x & ((1 << GFBITS) - 1);
}

gf PQCLEAN_MCELIECE348864_SSE_gf_inv(gf in) {
gf tmp_11;
gf tmp_1111;

gf out = in;

out = gf_sq(out);
tmp_11 = PQCLEAN_MCELIECE348864_SSE_gf_mul(out, in); // 11

out = gf_sq(tmp_11);
out = gf_sq(out);
tmp_1111 = PQCLEAN_MCELIECE348864_SSE_gf_mul(out, tmp_11); // 1111

out = gf_sq(tmp_1111);
out = gf_sq(out);
out = gf_sq(out);
out = gf_sq(out);
out = PQCLEAN_MCELIECE348864_SSE_gf_mul(out, tmp_1111); // 11111111

out = gf_sq(out);
out = gf_sq(out);
out = PQCLEAN_MCELIECE348864_SSE_gf_mul(out, tmp_11); // 1111111111

out = gf_sq(out);
out = PQCLEAN_MCELIECE348864_SSE_gf_mul(out, in); // 11111111111

return gf_sq(out); // 111111111110
}

/* input: field element den, num */
/* return: (num/den) */
gf PQCLEAN_MCELIECE348864_SSE_gf_frac(gf den, gf num) {
return PQCLEAN_MCELIECE348864_SSE_gf_mul(PQCLEAN_MCELIECE348864_SSE_gf_inv(den), num);
}

/* input: in0, in1 in GF((2^m)^t)*/
/* output: out = in0*in1 */
void PQCLEAN_MCELIECE348864_SSE_GF_mul(gf *out, const gf *in0, const gf *in1) {
int i, j;

gf prod[ SYS_T * 2 - 1 ];

for (i = 0; i < SYS_T * 2 - 1; i++) {
prod[i] = 0;
}

for (i = 0; i < SYS_T; i++) {
for (j = 0; j < SYS_T; j++) {
prod[i + j] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(in0[i], in1[j]);
}
}

//

for (i = (SYS_T - 1) * 2; i >= SYS_T; i--) {
prod[i - SYS_T + 9] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(prod[i], (gf) 877);
prod[i - SYS_T + 7] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(prod[i], (gf) 2888);
prod[i - SYS_T + 5] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(prod[i], (gf) 1781);
prod[i - SYS_T + 0] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(prod[i], (gf) 373);
}

for (i = 0; i < SYS_T; i++) {
out[i] = prod[i];
}
}

/* 2 field multiplications */
uint64_t PQCLEAN_MCELIECE348864_SSE_gf_mul2(gf a, gf b0, gf b1) {
int i;

uint64_t tmp = 0;
uint64_t t0;
uint64_t t1;
uint64_t t;
uint64_t mask = 0x0000000100000001;

t0 = a;
t1 = b1;
t1 = (t1 << 32) | b0;

for (i = 0; i < GFBITS; i++) {
tmp ^= t0 * (t1 & mask);
mask += mask;
}

//

t = tmp & 0x007FC000007FC000;
tmp ^= (t >> 9) ^ (t >> 12);

t = tmp & 0x0000300000003000;
tmp ^= (t >> 9) ^ (t >> 12);

return tmp & 0x00000FFF00000FFF;
}


+ 0
- 26
crypto_kem/mceliece/mceliece348864/sse/gf.h View File

@@ -1,26 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_GF_H
#define PQCLEAN_MCELIECE348864_SSE_GF_H
/*
This file is for functions for field arithmetic
*/


#include "params.h"

#include <stdint.h>

typedef uint16_t gf;

gf PQCLEAN_MCELIECE348864_SSE_gf_iszero(gf /*a*/);
gf PQCLEAN_MCELIECE348864_SSE_gf_add(gf /*in0*/, gf /*in1*/);
gf PQCLEAN_MCELIECE348864_SSE_gf_mul(gf /*in0*/, gf /*in1*/);
gf PQCLEAN_MCELIECE348864_SSE_gf_frac(gf /*den*/, gf /*num*/);
gf PQCLEAN_MCELIECE348864_SSE_gf_inv(gf /*in*/);

void PQCLEAN_MCELIECE348864_SSE_GF_mul(gf * /*out*/, const gf * /*in0*/, const gf * /*in1*/);

/* 2 field multiplications */
uint64_t PQCLEAN_MCELIECE348864_SSE_gf_mul2(gf a, gf b0, gf b1);

#endif


+ 0
- 136
crypto_kem/mceliece/mceliece348864/sse/operations.c View File

@@ -1,136 +0,0 @@
#include "api.h"

#include "aes256ctr.h"
#include "controlbits.h"
#include "crypto_hash.h"
#include "decrypt.h"
#include "encrypt.h"
#include "params.h"
#include "pk_gen.h"
#include "randombytes.h"
#include "sk_gen.h"
#include "util.h"

#include <stdint.h>
#include <string.h>

int PQCLEAN_MCELIECE348864_SSE_crypto_kem_enc(
uint8_t *c,
uint8_t *key,
const uint8_t *pk
) {
uint8_t two_e[ 1 + SYS_N / 8 ] = {2};
uint8_t *e = two_e + 1;
uint8_t one_ec[ 1 + SYS_N / 8 + (SYND_BYTES + 32) ] = {1};

PQCLEAN_MCELIECE348864_SSE_encrypt(c, e, pk);

crypto_hash_32b(c + SYND_BYTES, two_e, sizeof(two_e));

memcpy(one_ec + 1, e, SYS_N / 8);
memcpy(one_ec + 1 + SYS_N / 8, c, SYND_BYTES + 32);

crypto_hash_32b(key, one_ec, sizeof(one_ec));

return 0;
}

int PQCLEAN_MCELIECE348864_SSE_crypto_kem_dec(
uint8_t *key,
const uint8_t *c,
const uint8_t *sk
) {
int i;

uint8_t ret_confirm = 0;
uint8_t ret_decrypt = 0;

uint16_t m;

uint8_t conf[32];
uint8_t two_e[ 1 + SYS_N / 8 ] = {2};
uint8_t *e = two_e + 1;
uint8_t preimage[ 1 + SYS_N / 8 + (SYND_BYTES + 32) ];
uint8_t *x = preimage;

//

ret_decrypt = (uint8_t)PQCLEAN_MCELIECE348864_SSE_decrypt(e, sk + SYS_N / 8, c);

crypto_hash_32b(conf, two_e, sizeof(two_e));

for (i = 0; i < 32; i++) {
ret_confirm |= conf[i] ^ c[SYND_BYTES + i];
}

m = ret_decrypt | ret_confirm;
m -= 1;
m >>= 8;

*x++ = (~m & 0) | (m & 1);
for (i = 0; i < SYS_N / 8; i++) {
*x++ = (~m & sk[i]) | (m & e[i]);
}
for (i = 0; i < SYND_BYTES + 32; i++) {
*x++ = c[i];
}

crypto_hash_32b(key, preimage, sizeof(preimage));

return 0;
}

int PQCLEAN_MCELIECE348864_SSE_crypto_kem_keypair
(
uint8_t *pk,
uint8_t *sk
) {
int i;
uint8_t seed[ 32 ];
uint8_t r[ SYS_T * 2 + (1 << GFBITS)*sizeof(uint32_t) + SYS_N / 8 + 32 ];
uint8_t nonce[ 16 ] = {0};
uint8_t *rp;

gf f[ SYS_T ]; // element in GF(2^mt)
gf irr[ SYS_T ]; // Goppa polynomial
uint32_t perm[ 1 << GFBITS ]; // random permutation

randombytes(seed, sizeof(seed));

while (1) {
rp = r;
PQCLEAN_MCELIECE348864_SSE_aes256ctr(r, sizeof(r), nonce, seed);
memcpy(seed, &r[ sizeof(r) - 32 ], 32);

for (i = 0; i < SYS_T; i++) {
f[i] = PQCLEAN_MCELIECE348864_SSE_load2(rp + i * 2);
}
rp += sizeof(f);
if (PQCLEAN_MCELIECE348864_SSE_genpoly_gen(irr, f)) {
continue;
}

for (i = 0; i < (1 << GFBITS); i++) {
perm[i] = PQCLEAN_MCELIECE348864_SSE_load4(rp + i * 4);
}
rp += sizeof(perm);
if (PQCLEAN_MCELIECE348864_SSE_perm_check(perm)) {
continue;
}

for (i = 0; i < SYS_T; i++) {
PQCLEAN_MCELIECE348864_SSE_store2(sk + SYS_N / 8 + i * 2, irr[i]);
}
if (PQCLEAN_MCELIECE348864_SSE_pk_gen(pk, perm, sk + SYS_N / 8)) {
continue;
}

memcpy(sk, rp, SYS_N / 8);
PQCLEAN_MCELIECE348864_SSE_controlbits(sk + SYS_N / 8 + IRR_BYTES, perm);

break;
}

return 0;
}


+ 0
- 21
crypto_kem/mceliece/mceliece348864/sse/params.h View File

@@ -1,21 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_PARAMS_H
#define PQCLEAN_MCELIECE348864_SSE_PARAMS_H

#define GFBITS 12
#define SYS_N 3488
#define SYS_T 64

#define COND_BYTES ((1 << (GFBITS-4))*(2*GFBITS - 1))
#define IRR_BYTES (SYS_T * 2)

#define PK_NROWS (SYS_T*GFBITS)
#define PK_NCOLS (SYS_N - PK_NROWS)
#define PK_ROW_BYTES ((PK_NCOLS + 7)/8)

#define SK_BYTES (SYS_N/8 + IRR_BYTES + COND_BYTES)
#define SYND_BYTES ((PK_NROWS + 7)/8)

#define GFMASK ((1 << GFBITS) - 1)

#endif


+ 0
- 329
crypto_kem/mceliece/mceliece348864/sse/pk_gen.c View File

@@ -1,329 +0,0 @@
/*
This file is for public-key generation
*/

#include "pk_gen.h"

#include "benes.h"
#include "controlbits.h"
#include "fft.h"
#include "params.h"
#include "transpose.h"
#include "util.h"

#include <stdint.h>

#include <immintrin.h>

#define min(a, b) (((a) < (b)) ? (a) : (b))

static void de_bitslicing(uint64_t *out, vec128 in[][GFBITS]) {
int i, j, r;
uint64_t u = 0;

for (i = 0; i < (1 << GFBITS); i++) {
out[i] = 0 ;
}

for (i = 0; i < 32; i++) {
for (j = GFBITS - 1; j >= 0; j--) {
u = PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[i][j], 0);
for (r = 0; r < 64; r++) {
out[i * 128 + 0 * 64 + r] <<= 1;
out[i * 128 + 0 * 64 + r] |= (u >> r) & 1;
}
u = PQCLEAN_MCELIECE348864_SSE_vec128_extract(in[i][j], 1);
for (r = 0; r < 64; r++) {
out[i * 128 + 1 * 64 + r] <<= 1;
out[i * 128 + 1 * 64 + r] |= (u >> r) & 1;
}
}
}
}

static void to_bitslicing_2x(vec128 out0[][GFBITS], vec128 out1[][GFBITS], const uint64_t *in) {
int i, j, k, r;
uint64_t u[2] = {0};

for (i = 0; i < 32; i++) {
for (j = GFBITS - 1; j >= 0; j--) {
for (k = 0; k < 2; k++) {
for (r = 63; r >= 0; r--) {
u[k] <<= 1;
u[k] |= (in[i * 128 + k * 64 + r] >> (j + GFBITS)) & 1;
}
}

out1[i][j] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(u[0], u[1]);
}

for (j = GFBITS - 1; j >= 0; j--) {
for (k = 0; k < 2; k++) {
for (r = 63; r >= 0; r--) {
u[k] <<= 1;
u[k] |= (in[i * 128 + k * 64 + r] >> j) & 1;
}
}

out0[i][GFBITS - 1 - j] = PQCLEAN_MCELIECE348864_SSE_vec128_set2x(u[0], u[1]);
}
}
}

/* return number of trailing zeros of the non-zero input in */
static inline int ctz(uint64_t in) {
return (int)_tzcnt_u64(in);
}

static inline uint64_t same_mask(uint16_t x, uint16_t y) {
uint64_t mask;

mask = x ^ y;
mask -= 1;
mask >>= 63;
mask = -mask;

return mask;
}

static int mov_columns(uint64_t mat[][ ((SYS_N + 127) / 128) * 2 ], uint32_t *perm) {
int i, j, k, s, block_idx, row;
uint64_t buf[64], ctz_list[32], t, d, mask;

row = GFBITS * SYS_T - 32;
block_idx = row / 64;

// extract the 32x64 matrix

for (i = 0; i < 32; i++) {
buf[i] = (mat[ row + i ][ block_idx + 0 ] >> 32) |
(mat[ row + i ][ block_idx + 1 ] << 32);
}

// compute the column indices of pivots by Gaussian elimination.
// the indices are stored in ctz_list

for (i = 0; i < 32; i++) {
t = buf[i];
for (j = i + 1; j < 32; j++) {
t |= buf[j];
}

if (t == 0) {
return -1; // return if buf is not full rank
}

ctz_list[i] = s = ctz(t);

for (j = i + 1; j < 32; j++) {
mask = (buf[i] >> s) & 1;
mask -= 1;
buf[i] ^= buf[j] & mask;
}
for (j = 0; j < i; j++) {
mask = (buf[j] >> s) & 1;
mask = -mask;
buf[j] ^= buf[i] & mask;
}
for (j = i + 1; j < 32; j++) {
mask = (buf[j] >> s) & 1;
mask = -mask;
buf[j] ^= buf[i] & mask;
}
}

// updating permutation

for (j = 0; j < 32; j++) {
for (k = j + 1; k < 64; k++) {
d = perm[ row + j ] ^ perm[ row + k ];
d &= same_mask(k, ctz_list[j]);
perm[ row + j ] ^= d;
perm[ row + k ] ^= d;
}
}

// moving columns of mat according to the column indices of pivots

for (i = 0; i < GFBITS * SYS_T; i += 64) {

for (j = 0; j < min(64, GFBITS * SYS_T - i); j++) {
buf[j] = (mat[ i + j ][ block_idx + 0 ] >> 32) |
(mat[ i + j ][ block_idx + 1 ] << 32);
}

PQCLEAN_MCELIECE348864_SSE_transpose_64x64(buf);

for (j = 0; j < 32; j++) {
for (k = j + 1; k < 64; k++) {
d = buf[ j ] ^ buf[ k ];
d &= same_mask(k, ctz_list[j]);
buf[ j ] ^= d;
buf[ k ] ^= d;
}
}

PQCLEAN_MCELIECE348864_SSE_transpose_64x64(buf);

for (j = 0; j < min(64, GFBITS * SYS_T - i); j++) {
mat[ i + j ][ block_idx + 0 ] = (mat[ i + j ][ block_idx + 0 ] << 32 >> 32) | (buf[j] << 32);
mat[ i + j ][ block_idx + 1 ] = (mat[ i + j ][ block_idx + 1 ] >> 32 << 32) | (buf[j] >> 32);
}
}

return 0;
}

#define NBLOCKS1_H ((SYS_N + 63) / 64)
#define NBLOCKS2_H ((SYS_N + 127) / 128)
#define NBLOCKS_I ((GFBITS * SYS_T + 63) / 64)

int PQCLEAN_MCELIECE348864_SSE_pk_gen(unsigned char *pk, uint32_t *perm, const unsigned char *sk) {
int i, j, k;
int row, c;

uint64_t mat[ GFBITS * SYS_T ][ NBLOCKS2_H * 2 ];
uint64_t ops[ GFBITS * SYS_T ][ NBLOCKS_I ];

uint64_t mask;

uint64_t irr_int[ GFBITS ];

vec128 consts[32][ GFBITS ];
vec128 eval[ 32 ][ GFBITS ];
vec128 prod[ 32 ][ GFBITS ];
vec128 tmp[ GFBITS ];

uint64_t list[1 << GFBITS];

// compute the inverses

PQCLEAN_MCELIECE348864_SSE_irr_load(irr_int, sk);

PQCLEAN_MCELIECE348864_SSE_fft(eval, irr_int);

PQCLEAN_MCELIECE348864_SSE_vec128_copy(prod[0], eval[0]);

for (i = 1; i < 32; i++) {
PQCLEAN_MCELIECE348864_SSE_vec128_mul(prod[i], prod[i - 1], eval[i]);
}

PQCLEAN_MCELIECE348864_SSE_vec128_inv(tmp, prod[31]);

for (i = 30; i >= 0; i--) {
PQCLEAN_MCELIECE348864_SSE_vec128_mul(prod[i + 1], prod[i], tmp);
PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp, tmp, eval[i + 1]);
}

PQCLEAN_MCELIECE348864_SSE_vec128_copy(prod[0], tmp);

// fill matrix

de_bitslicing(list, prod);

for (i = 0; i < (1 << GFBITS); i++) {
list[i] <<= GFBITS;
list[i] |= i;
list[i] |= ((uint64_t) perm[i]) << 31;
}

PQCLEAN_MCELIECE348864_SSE_sort_63b(1 << GFBITS, list);

to_bitslicing_2x(consts, prod, list);

for (i = 0; i < (1 << GFBITS); i++) {
perm[i] = list[i] & GFMASK;
}

for (j = 0; j < NBLOCKS2_H; j++) {
for (k = 0; k < GFBITS; k++) {
mat[ k ][ 2 * j + 0 ] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(prod[ j ][ k ], 0);
mat[ k ][ 2 * j + 1 ] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(prod[ j ][ k ], 1);
}
}

for (i = 1; i < SYS_T; i++) {
for (j = 0; j < NBLOCKS2_H; j++) {
PQCLEAN_MCELIECE348864_SSE_vec128_mul(prod[j], prod[j], consts[j]);

for (k = 0; k < GFBITS; k++) {
mat[ i * GFBITS + k ][ 2 * j + 0 ] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(prod[ j ][ k ], 0);
mat[ i * GFBITS + k ][ 2 * j + 1 ] = PQCLEAN_MCELIECE348864_SSE_vec128_extract(prod[ j ][ k ], 1);
}
}
}

// gaussian elimination

for (i = 0; i < PK_NROWS; i++) {
for (j = 0; j < NBLOCKS_I; j++) {
ops[ i ][ j ] = 0;
}
}

for (i = 0; i < PK_NROWS; i++) {
ops[ i ][ i / 64 ] = 1;
ops[ i ][ i / 64 ] <<= (i % 64);
}

for (row = 0; row < PK_NROWS; row++) {
i = row >> 6;
j = row & 63;

if (row == GFBITS * SYS_T - 32) {
if (mov_columns(mat, perm)) {
return -1;
}
}

for (k = row + 1; k < PK_NROWS; k++) {
mask = mat[ row ][ i ] >> j;
mask &= 1;
mask -= 1;

for (c = 0; c < NBLOCKS1_H; c++) {
mat[ row ][ c ] ^= mat[ k ][ c ] & mask;
}
}

if ( ((mat[ row ][ i ] >> j) & 1) == 0 ) { // return if not systematic
return -1;
}

for (k = 0; k < row; k++) {
mask = mat[ k ][ i ] >> j;
mask &= 1;
mask = -mask;

for (c = 0; c < NBLOCKS1_H; c++) {
mat[ k ][ c ] ^= mat[ row ][ c ] & mask;
}
}

for (k = row + 1; k < PK_NROWS; k++) {
mask = mat[ k ][ i ] >> j;
mask &= 1;
mask = -mask;

for (c = 0; c < NBLOCKS1_H; c++) {
mat[ k ][ c ] ^= mat[ row ][ c ] & mask;
}
}
}

for (i = 0; i < GFBITS * SYS_T; i++) {
for (j = NBLOCKS_I; j < NBLOCKS1_H - 1; j++) {
PQCLEAN_MCELIECE348864_SSE_store8(pk, mat[i][j]);
pk += 8;
}

PQCLEAN_MCELIECE348864_SSE_store_i(pk, mat[i][j], PK_ROW_BYTES % 8);

pk += PK_ROW_BYTES % 8;
}

//

return 0;
}


+ 0
- 13
crypto_kem/mceliece/mceliece348864/sse/pk_gen.h View File

@@ -1,13 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_PK_GEN_H
#define PQCLEAN_MCELIECE348864_SSE_PK_GEN_H
/*
This file is for public-key generation
*/


#include "gf.h"

int PQCLEAN_MCELIECE348864_SSE_pk_gen(unsigned char * /*pk*/, uint32_t * /*perm*/, const unsigned char * /*sk*/);

#endif


+ 0
- 448
crypto_kem/mceliece/mceliece348864/sse/powers.inc View File

@@ -1,448 +0,0 @@
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3333CCCC3333CCCC, 0x3333CCCC3333CCCC),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x55AA55AA55AA55AA, 0xAA55AA55AA55AA55),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFF00FF00FF00FF00, 0xFF00FF00FF00FF00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAAAAAAAAAAAAAAAA, 0xAAAAAAAAAAAAAAAA),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F00F0F0F0F, 0xF0F0F0F00F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFF0000FFFF0000, 0xFFFF0000FFFF0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000FFFF0000FFFF, 0x0000FFFF0000FFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xAA55AA55AA55AA55, 0x55AA55AA55AA55AA),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0F0F0F0FF0F0F0F0, 0x0F0F0F0FF0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00FF00FF00FF00FF, 0x00FF00FF00FF00FF),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xF0F0F0F0F0F0F0F0, 0xF0F0F0F0F0F0F0F0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xCCCC3333CCCC3333, 0xCCCC3333CCCC3333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x5555555555555555, 0x5555555555555555),
},

+ 0
- 70
crypto_kem/mceliece/mceliece348864/sse/scalars_2x.inc View File

@@ -1,70 +0,0 @@
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xf3cfc030fc30f003, 0x000c03c0c3c0330c),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3fcf0f003c00c00c, 0xf330cffcc00f33c0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x30033cc300c0c03c, 0xccf330f00f3c0333),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xccff0f3c0f30f0c0, 0xff03fff3ff0cf0c0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0300c03ff303c3f0, 0x3cc3fcf00fcc303c),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3fff3c0ff0ccccc0, 0x0f000c0fc30303f3),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xf3fff0c00f3c3cc0, 0xcf0fc3ff333ccf3c),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x3003333fffc3c000, 0x003f3fc3c0ff333f),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0ff30fffc3fff300, 0x3cc3f0f3cf0ff00f),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffc0f300f0f0cc00, 0xf3f33cc03fc30cc0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xc0cff3fccc3cfc00, 0x3cc330cfc333f33f),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xfc3c03f0f330c000, 0x3cc0303ff3c3fffc),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x000f00000000f00f, 0x0f00f00f00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000f00f00000f0, 0xf00000000000f000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0f00000f00000f00, 0x00000f00000000f0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xf00f00f00f000000, 0x0f00f00000f00000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00f00000000000f0, 0x000f00000f00f00f),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000f00000000, 0x00f00f00f00f0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xf00000000f00f000, 0x0f00f00000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00f00f00000f0000, 0x000000000f000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000f00000f00f00, 0x00f00000000f00f0),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x000f00f00f00f000, 0x0000f00f00000f00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00f00f0000000000, 0xf00000f00000f00f),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000f00000, 0x00000f00f00f00f0),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ff00ff0000ff, 0xff00ffffff000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ff000000ff00, 0xff0000ffff000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xff0000ff00ff0000, 0xffff00ffff000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffff0000ff000000, 0xff00ffffffffff00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00ff00ff00ff0000, 0x00000000ff00ff00),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ffffff000000, 0xffffffff00ff0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00ffff00ff000000, 0x00ffffff00ff0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffff0000ff0000, 0xffff00ffff00ffff),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffff00ffff00ff00, 0xffff0000ffffffff),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ff0000000000, 0xff00000000ff0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffff00ff000000, 0x000000ff00ff00ff),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00ff000000000000, 0x00ff00ff00ffff00),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x000000000000ffff, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000000ffff0000, 0xffff000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffff000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000000ffff0000, 0xffff00000000ffff),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ffff00000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000ffff00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000000ffff0000, 0xffff00000000ffff),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000ffff00000000, 0x00000000ffff0000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffff00000000ffff),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x00000000ffff0000),
},
{
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x00000000ffffffff, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffffff00000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffffff00000000, 0x00000000ffffffff),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffff00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffff00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffffff00000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffff00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffffffffffff),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0xffffffff00000000, 0xffffffff00000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0x0000000000000000),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffffffffffff),
PQCLEAN_MCELIECE348864_SSE_vec128_set2x(0x0000000000000000, 0xffffffff00000000),
},

+ 0
- 98
crypto_kem/mceliece/mceliece348864/sse/sk_gen.c View File

@@ -1,98 +0,0 @@
/*
This file is for secret-key generation
*/

#include "sk_gen.h"

#include "controlbits.h"
#include "gf.h"
#include "params.h"
#include "util.h"

/* input: f, element in GF((2^m)^t) */
/* output: out, minimal polynomial of f */
/* return: 0 for success and -1 for failure */
int PQCLEAN_MCELIECE348864_SSE_genpoly_gen(gf *out, gf *f) {
int i, j, k, c;

gf mat[ SYS_T + 1 ][ SYS_T ];
gf mask, inv, t;

// fill matrix

mat[0][0] = 1;

for (i = 1; i < SYS_T; i++) {
mat[0][i] = 0;
}

for (i = 0; i < SYS_T; i++) {
mat[1][i] = f[i];
}

for (j = 2; j <= SYS_T; j++) {
PQCLEAN_MCELIECE348864_SSE_GF_mul(mat[j], mat[j - 1], f);
}

// gaussian

for (j = 0; j < SYS_T; j++) {
for (k = j + 1; k < SYS_T; k++) {
mask = PQCLEAN_MCELIECE348864_SSE_gf_iszero(mat[ j ][ j ]);

for (c = j; c < SYS_T + 1; c++) {
mat[ c ][ j ] ^= mat[ c ][ k ] & mask;
}

}

if ( mat[ j ][ j ] == 0 ) { // return if not systematic
return -1;
}

inv = PQCLEAN_MCELIECE348864_SSE_gf_inv(mat[j][j]);

for (c = j; c < SYS_T + 1; c++) {
mat[ c ][ j ] = PQCLEAN_MCELIECE348864_SSE_gf_mul(mat[ c ][ j ], inv) ;
}

for (k = 0; k < SYS_T; k++) {
if (k != j) {
t = mat[ j ][ k ];

for (c = j; c < SYS_T + 1; c++) {
mat[ c ][ k ] ^= PQCLEAN_MCELIECE348864_SSE_gf_mul(mat[ c ][ j ], t);
}
}
}
}

for (i = 0; i < SYS_T; i++) {
out[i] = mat[ SYS_T ][ i ];
}

return 0;
}

/* input: permutation p represented as a list of 32-bit intergers */
/* output: -1 if some interger repeats in p */
/* 0 otherwise */
int PQCLEAN_MCELIECE348864_SSE_perm_check(const uint32_t *p) {
int i;
uint64_t list[1 << GFBITS];

for (i = 0; i < (1 << GFBITS); i++) {
list[i] = p[i];
}

PQCLEAN_MCELIECE348864_SSE_sort_63b(1 << GFBITS, list);

for (i = 1; i < (1 << GFBITS); i++) {
if (list[i - 1] == list[i]) {
return -1;
}
}

return 0;
}


+ 0
- 16
crypto_kem/mceliece/mceliece348864/sse/sk_gen.h View File

@@ -1,16 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_SK_GEN_H
#define PQCLEAN_MCELIECE348864_SSE_SK_GEN_H
/*
This file is for secret-key generation
*/


#include "gf.h"

#include <stdint.h>

int PQCLEAN_MCELIECE348864_SSE_genpoly_gen(gf * /*out*/, gf * /*f*/);
int PQCLEAN_MCELIECE348864_SSE_perm_check(const uint32_t * /*p*/);

#endif


+ 0
- 740
crypto_kem/mceliece/mceliece348864/sse/syndrome_asm.S View File

@@ -1,740 +0,0 @@

# qhasm: int64 input_0

# qhasm: int64 input_1

# qhasm: int64 input_2

# qhasm: int64 input_3

# qhasm: int64 input_4

# qhasm: int64 input_5

# qhasm: stack64 input_6

# qhasm: stack64 input_7

# qhasm: int64 caller_r11

# qhasm: int64 caller_r12

# qhasm: int64 caller_r13

# qhasm: int64 caller_r14

# qhasm: int64 caller_r15

# qhasm: int64 caller_rbx

# qhasm: int64 caller_rbp

# qhasm: int64 b64

# qhasm: int64 synd

# qhasm: int64 addr

# qhasm: int64 c

# qhasm: int64 c_all

# qhasm: int64 row

# qhasm: int64 p

# qhasm: int64 e

# qhasm: int64 s

# qhasm: reg128 pp

# qhasm: reg128 ee

# qhasm: reg128 ss

# qhasm: int64 buf_ptr

# qhasm: stack128 buf

# qhasm: enter syndrome_asm
.p2align 5
.global _PQCLEAN_MCELIECE348864_SSE_syndrome_asm
.global PQCLEAN_MCELIECE348864_SSE_syndrome_asm
_PQCLEAN_MCELIECE348864_SSE_syndrome_asm:
PQCLEAN_MCELIECE348864_SSE_syndrome_asm:
mov %rsp,%r11
and $31,%r11
add $32,%r11
sub %r11,%rsp

# qhasm: input_1 += 260780
# asm 1: add $260780,<input_1=int64#2
# asm 2: add $260780,<input_1=%rsi
add $260780,%rsi

# qhasm: buf_ptr = &buf
# asm 1: leaq <buf=stack128#1,>buf_ptr=int64#4
# asm 2: leaq <buf=0(%rsp),>buf_ptr=%rcx
leaq 0(%rsp),%rcx

# qhasm: row = 768
# asm 1: mov $768,>row=int64#5
# asm 2: mov $768,>row=%r8
mov $768,%r8

# qhasm: loop:
._loop:

# qhasm: row -= 1
# asm 1: sub $1,<row=int64#5
# asm 2: sub $1,<row=%r8
sub $1,%r8

# qhasm: ss = mem128[ input_1 + 0 ]
# asm 1: movdqu 0(<input_1=int64#2),>ss=reg128#1
# asm 2: movdqu 0(<input_1=%rsi),>ss=%xmm0
movdqu 0(%rsi),%xmm0

# qhasm: ee = mem128[ input_2 + 96 ]
# asm 1: movdqu 96(<input_2=int64#3),>ee=reg128#2
# asm 2: movdqu 96(<input_2=%rdx),>ee=%xmm1
movdqu 96(%rdx),%xmm1

# qhasm: ss &= ee
# asm 1: pand <ee=reg128#2,<ss=reg128#1
# asm 2: pand <ee=%xmm1,<ss=%xmm0
pand %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 16 ]
# asm 1: movdqu 16(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 16(<input_1=%rsi),>pp=%xmm1
movdqu 16(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 112 ]
# asm 1: movdqu 112(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 112(<input_2=%rdx),>ee=%xmm2
movdqu 112(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 32 ]
# asm 1: movdqu 32(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 32(<input_1=%rsi),>pp=%xmm1
movdqu 32(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 128 ]
# asm 1: movdqu 128(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 128(<input_2=%rdx),>ee=%xmm2
movdqu 128(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 48 ]
# asm 1: movdqu 48(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 48(<input_1=%rsi),>pp=%xmm1
movdqu 48(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 144 ]
# asm 1: movdqu 144(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 144(<input_2=%rdx),>ee=%xmm2
movdqu 144(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 64 ]
# asm 1: movdqu 64(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 64(<input_1=%rsi),>pp=%xmm1
movdqu 64(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 160 ]
# asm 1: movdqu 160(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 160(<input_2=%rdx),>ee=%xmm2
movdqu 160(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 80 ]
# asm 1: movdqu 80(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 80(<input_1=%rsi),>pp=%xmm1
movdqu 80(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 176 ]
# asm 1: movdqu 176(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 176(<input_2=%rdx),>ee=%xmm2
movdqu 176(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 96 ]
# asm 1: movdqu 96(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 96(<input_1=%rsi),>pp=%xmm1
movdqu 96(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 192 ]
# asm 1: movdqu 192(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 192(<input_2=%rdx),>ee=%xmm2
movdqu 192(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 112 ]
# asm 1: movdqu 112(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 112(<input_1=%rsi),>pp=%xmm1
movdqu 112(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 208 ]
# asm 1: movdqu 208(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 208(<input_2=%rdx),>ee=%xmm2
movdqu 208(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 128 ]
# asm 1: movdqu 128(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 128(<input_1=%rsi),>pp=%xmm1
movdqu 128(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 224 ]
# asm 1: movdqu 224(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 224(<input_2=%rdx),>ee=%xmm2
movdqu 224(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 144 ]
# asm 1: movdqu 144(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 144(<input_1=%rsi),>pp=%xmm1
movdqu 144(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 240 ]
# asm 1: movdqu 240(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 240(<input_2=%rdx),>ee=%xmm2
movdqu 240(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 160 ]
# asm 1: movdqu 160(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 160(<input_1=%rsi),>pp=%xmm1
movdqu 160(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 256 ]
# asm 1: movdqu 256(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 256(<input_2=%rdx),>ee=%xmm2
movdqu 256(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 176 ]
# asm 1: movdqu 176(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 176(<input_1=%rsi),>pp=%xmm1
movdqu 176(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 272 ]
# asm 1: movdqu 272(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 272(<input_2=%rdx),>ee=%xmm2
movdqu 272(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 192 ]
# asm 1: movdqu 192(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 192(<input_1=%rsi),>pp=%xmm1
movdqu 192(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 288 ]
# asm 1: movdqu 288(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 288(<input_2=%rdx),>ee=%xmm2
movdqu 288(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 208 ]
# asm 1: movdqu 208(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 208(<input_1=%rsi),>pp=%xmm1
movdqu 208(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 304 ]
# asm 1: movdqu 304(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 304(<input_2=%rdx),>ee=%xmm2
movdqu 304(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 224 ]
# asm 1: movdqu 224(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 224(<input_1=%rsi),>pp=%xmm1
movdqu 224(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 320 ]
# asm 1: movdqu 320(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 320(<input_2=%rdx),>ee=%xmm2
movdqu 320(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 240 ]
# asm 1: movdqu 240(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 240(<input_1=%rsi),>pp=%xmm1
movdqu 240(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 336 ]
# asm 1: movdqu 336(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 336(<input_2=%rdx),>ee=%xmm2
movdqu 336(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 256 ]
# asm 1: movdqu 256(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 256(<input_1=%rsi),>pp=%xmm1
movdqu 256(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 352 ]
# asm 1: movdqu 352(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 352(<input_2=%rdx),>ee=%xmm2
movdqu 352(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 272 ]
# asm 1: movdqu 272(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 272(<input_1=%rsi),>pp=%xmm1
movdqu 272(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 368 ]
# asm 1: movdqu 368(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 368(<input_2=%rdx),>ee=%xmm2
movdqu 368(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 288 ]
# asm 1: movdqu 288(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 288(<input_1=%rsi),>pp=%xmm1
movdqu 288(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 384 ]
# asm 1: movdqu 384(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 384(<input_2=%rdx),>ee=%xmm2
movdqu 384(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 304 ]
# asm 1: movdqu 304(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 304(<input_1=%rsi),>pp=%xmm1
movdqu 304(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 400 ]
# asm 1: movdqu 400(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 400(<input_2=%rdx),>ee=%xmm2
movdqu 400(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: pp = mem128[ input_1 + 320 ]
# asm 1: movdqu 320(<input_1=int64#2),>pp=reg128#2
# asm 2: movdqu 320(<input_1=%rsi),>pp=%xmm1
movdqu 320(%rsi),%xmm1

# qhasm: ee = mem128[ input_2 + 416 ]
# asm 1: movdqu 416(<input_2=int64#3),>ee=reg128#3
# asm 2: movdqu 416(<input_2=%rdx),>ee=%xmm2
movdqu 416(%rdx),%xmm2

# qhasm: pp &= ee
# asm 1: pand <ee=reg128#3,<pp=reg128#2
# asm 2: pand <ee=%xmm2,<pp=%xmm1
pand %xmm2,%xmm1

# qhasm: ss ^= pp
# asm 1: pxor <pp=reg128#2,<ss=reg128#1
# asm 2: pxor <pp=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: buf = ss
# asm 1: movdqa <ss=reg128#1,>buf=stack128#1
# asm 2: movdqa <ss=%xmm0,>buf=0(%rsp)
movdqa %xmm0,0(%rsp)

# qhasm: s = *(uint32 *)(input_1 + 336)
# asm 1: movl 336(<input_1=int64#2),>s=int64#6d
# asm 2: movl 336(<input_1=%rsi),>s=%r9d
movl 336(%rsi),%r9d

# qhasm: e = *(uint32 *)(input_2 + 432)
# asm 1: movl 432(<input_2=int64#3),>e=int64#7d
# asm 2: movl 432(<input_2=%rdx),>e=%eax
movl 432(%rdx),%eax

# qhasm: s &= e
# asm 1: and <e=int64#7,<s=int64#6
# asm 2: and <e=%rax,<s=%r9
and %rax,%r9

# qhasm: c_all = count(s)
# asm 1: popcnt <s=int64#6, >c_all=int64#6
# asm 2: popcnt <s=%r9, >c_all=%r9
popcnt %r9, %r9

# qhasm: b64 = mem64[ buf_ptr + 0 ]
# asm 1: movq 0(<buf_ptr=int64#4),>b64=int64#7
# asm 2: movq 0(<buf_ptr=%rcx),>b64=%rax
movq 0(%rcx),%rax

# qhasm: c = count(b64)
# asm 1: popcnt <b64=int64#7, >c=int64#7
# asm 2: popcnt <b64=%rax, >c=%rax
popcnt %rax, %rax

# qhasm: c_all ^= c
# asm 1: xor <c=int64#7,<c_all=int64#6
# asm 2: xor <c=%rax,<c_all=%r9
xor %rax,%r9

# qhasm: b64 = mem64[ buf_ptr + 8 ]
# asm 1: movq 8(<buf_ptr=int64#4),>b64=int64#7
# asm 2: movq 8(<buf_ptr=%rcx),>b64=%rax
movq 8(%rcx),%rax

# qhasm: c = count(b64)
# asm 1: popcnt <b64=int64#7, >c=int64#7
# asm 2: popcnt <b64=%rax, >c=%rax
popcnt %rax, %rax

# qhasm: c_all ^= c
# asm 1: xor <c=int64#7,<c_all=int64#6
# asm 2: xor <c=%rax,<c_all=%r9
xor %rax,%r9

# qhasm: addr = row
# asm 1: mov <row=int64#5,>addr=int64#7
# asm 2: mov <row=%r8,>addr=%rax
mov %r8,%rax

# qhasm: (uint64) addr >>= 3
# asm 1: shr $3,<addr=int64#7
# asm 2: shr $3,<addr=%rax
shr $3,%rax

# qhasm: addr += input_0
# asm 1: add <input_0=int64#1,<addr=int64#7
# asm 2: add <input_0=%rdi,<addr=%rax
add %rdi,%rax

# qhasm: synd = *(uint8 *) (addr + 0)
# asm 1: movzbq 0(<addr=int64#7),>synd=int64#8
# asm 2: movzbq 0(<addr=%rax),>synd=%r10
movzbq 0(%rax),%r10

# qhasm: synd <<= 1
# asm 1: shl $1,<synd=int64#8
# asm 2: shl $1,<synd=%r10
shl $1,%r10

# qhasm: (uint32) c_all &= 1
# asm 1: and $1,<c_all=int64#6d
# asm 2: and $1,<c_all=%r9d
and $1,%r9d

# qhasm: synd |= c_all
# asm 1: or <c_all=int64#6,<synd=int64#8
# asm 2: or <c_all=%r9,<synd=%r10
or %r9,%r10

# qhasm: *(uint8 *) (addr + 0) = synd
# asm 1: movb <synd=int64#8b,0(<addr=int64#7)
# asm 2: movb <synd=%r10b,0(<addr=%rax)
movb %r10b,0(%rax)

# qhasm: input_1 -= 340
# asm 1: sub $340,<input_1=int64#2
# asm 2: sub $340,<input_1=%rsi
sub $340,%rsi

# qhasm: =? row-0
# asm 1: cmp $0,<row=int64#5
# asm 2: cmp $0,<row=%r8
cmp $0,%r8
# comment:fp stack unchanged by jump

# qhasm: goto loop if !=
jne ._loop

# qhasm: ss = mem128[ input_0 + 0 ]
# asm 1: movdqu 0(<input_0=int64#1),>ss=reg128#1
# asm 2: movdqu 0(<input_0=%rdi),>ss=%xmm0
movdqu 0(%rdi),%xmm0

# qhasm: ee = mem128[ input_2 + 0 ]
# asm 1: movdqu 0(<input_2=int64#3),>ee=reg128#2
# asm 2: movdqu 0(<input_2=%rdx),>ee=%xmm1
movdqu 0(%rdx),%xmm1

# qhasm: ss ^= ee
# asm 1: pxor <ee=reg128#2,<ss=reg128#1
# asm 2: pxor <ee=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: mem128[ input_0 + 0 ] = ss
# asm 1: movdqu <ss=reg128#1,0(<input_0=int64#1)
# asm 2: movdqu <ss=%xmm0,0(<input_0=%rdi)
movdqu %xmm0,0(%rdi)

# qhasm: ss = mem128[ input_0 + 16 ]
# asm 1: movdqu 16(<input_0=int64#1),>ss=reg128#1
# asm 2: movdqu 16(<input_0=%rdi),>ss=%xmm0
movdqu 16(%rdi),%xmm0

# qhasm: ee = mem128[ input_2 + 16 ]
# asm 1: movdqu 16(<input_2=int64#3),>ee=reg128#2
# asm 2: movdqu 16(<input_2=%rdx),>ee=%xmm1
movdqu 16(%rdx),%xmm1

# qhasm: ss ^= ee
# asm 1: pxor <ee=reg128#2,<ss=reg128#1
# asm 2: pxor <ee=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: mem128[ input_0 + 16 ] = ss
# asm 1: movdqu <ss=reg128#1,16(<input_0=int64#1)
# asm 2: movdqu <ss=%xmm0,16(<input_0=%rdi)
movdqu %xmm0,16(%rdi)

# qhasm: ss = mem128[ input_0 + 32 ]
# asm 1: movdqu 32(<input_0=int64#1),>ss=reg128#1
# asm 2: movdqu 32(<input_0=%rdi),>ss=%xmm0
movdqu 32(%rdi),%xmm0

# qhasm: ee = mem128[ input_2 + 32 ]
# asm 1: movdqu 32(<input_2=int64#3),>ee=reg128#2
# asm 2: movdqu 32(<input_2=%rdx),>ee=%xmm1
movdqu 32(%rdx),%xmm1

# qhasm: ss ^= ee
# asm 1: pxor <ee=reg128#2,<ss=reg128#1
# asm 2: pxor <ee=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: mem128[ input_0 + 32 ] = ss
# asm 1: movdqu <ss=reg128#1,32(<input_0=int64#1)
# asm 2: movdqu <ss=%xmm0,32(<input_0=%rdi)
movdqu %xmm0,32(%rdi)

# qhasm: ss = mem128[ input_0 + 48 ]
# asm 1: movdqu 48(<input_0=int64#1),>ss=reg128#1
# asm 2: movdqu 48(<input_0=%rdi),>ss=%xmm0
movdqu 48(%rdi),%xmm0

# qhasm: ee = mem128[ input_2 + 48 ]
# asm 1: movdqu 48(<input_2=int64#3),>ee=reg128#2
# asm 2: movdqu 48(<input_2=%rdx),>ee=%xmm1
movdqu 48(%rdx),%xmm1

# qhasm: ss ^= ee
# asm 1: pxor <ee=reg128#2,<ss=reg128#1
# asm 2: pxor <ee=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: mem128[ input_0 + 48 ] = ss
# asm 1: movdqu <ss=reg128#1,48(<input_0=int64#1)
# asm 2: movdqu <ss=%xmm0,48(<input_0=%rdi)
movdqu %xmm0,48(%rdi)

# qhasm: ss = mem128[ input_0 + 64 ]
# asm 1: movdqu 64(<input_0=int64#1),>ss=reg128#1
# asm 2: movdqu 64(<input_0=%rdi),>ss=%xmm0
movdqu 64(%rdi),%xmm0

# qhasm: ee = mem128[ input_2 + 64 ]
# asm 1: movdqu 64(<input_2=int64#3),>ee=reg128#2
# asm 2: movdqu 64(<input_2=%rdx),>ee=%xmm1
movdqu 64(%rdx),%xmm1

# qhasm: ss ^= ee
# asm 1: pxor <ee=reg128#2,<ss=reg128#1
# asm 2: pxor <ee=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: mem128[ input_0 + 64 ] = ss
# asm 1: movdqu <ss=reg128#1,64(<input_0=int64#1)
# asm 2: movdqu <ss=%xmm0,64(<input_0=%rdi)
movdqu %xmm0,64(%rdi)

# qhasm: ss = mem128[ input_0 + 80 ]
# asm 1: movdqu 80(<input_0=int64#1),>ss=reg128#1
# asm 2: movdqu 80(<input_0=%rdi),>ss=%xmm0
movdqu 80(%rdi),%xmm0

# qhasm: ee = mem128[ input_2 + 80 ]
# asm 1: movdqu 80(<input_2=int64#3),>ee=reg128#2
# asm 2: movdqu 80(<input_2=%rdx),>ee=%xmm1
movdqu 80(%rdx),%xmm1

# qhasm: ss ^= ee
# asm 1: pxor <ee=reg128#2,<ss=reg128#1
# asm 2: pxor <ee=%xmm1,<ss=%xmm0
pxor %xmm1,%xmm0

# qhasm: mem128[ input_0 + 80 ] = ss
# asm 1: movdqu <ss=reg128#1,80(<input_0=int64#1)
# asm 2: movdqu <ss=%xmm0,80(<input_0=%rdi)
movdqu %xmm0,80(%rdi)

# qhasm: return
add %r11,%rsp
ret

+ 0
- 12
crypto_kem/mceliece/mceliece348864/sse/transpose.c View File

@@ -1,12 +0,0 @@
#include "transpose.h"

extern void PQCLEAN_MCELIECE348864_SSE_transpose_64x64_asm(uint64_t *);
void PQCLEAN_MCELIECE348864_SSE_transpose_64x64(uint64_t *in) {
PQCLEAN_MCELIECE348864_SSE_transpose_64x64_asm(in);
}

extern void PQCLEAN_MCELIECE348864_SSE_transpose_64x128_sp_asm(vec128 *);

void PQCLEAN_MCELIECE348864_SSE_transpose_64x128_sp(vec128 *in) {
PQCLEAN_MCELIECE348864_SSE_transpose_64x128_sp_asm(in);
}

+ 0
- 16
crypto_kem/mceliece/mceliece348864/sse/transpose.h View File

@@ -1,16 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_TRANSPOSE_H
#define PQCLEAN_MCELIECE348864_SSE_TRANSPOSE_H
/*
This file is for matrix transposition
*/


#include "vec128.h"

#include <stdint.h>

void PQCLEAN_MCELIECE348864_SSE_transpose_64x64(uint64_t *in);
void PQCLEAN_MCELIECE348864_SSE_transpose_64x128_sp(vec128 *in);

#endif


+ 0
- 8145
crypto_kem/mceliece/mceliece348864/sse/transpose_64x128_sp_asm.S
File diff suppressed because it is too large
View File


+ 0
- 8467
crypto_kem/mceliece/mceliece348864/sse/transpose_64x64_asm.S
File diff suppressed because it is too large
View File


+ 0
- 354
crypto_kem/mceliece/mceliece348864/sse/update_asm.S View File

@@ -1,354 +0,0 @@

# qhasm: int64 input_0

# qhasm: int64 input_1

# qhasm: int64 input_2

# qhasm: int64 input_3

# qhasm: int64 input_4

# qhasm: int64 input_5

# qhasm: stack64 input_6

# qhasm: stack64 input_7

# qhasm: int64 caller_r11

# qhasm: int64 caller_r12

# qhasm: int64 caller_r13

# qhasm: int64 caller_r14

# qhasm: int64 caller_r15

# qhasm: int64 caller_rbx

# qhasm: int64 caller_rbp

# qhasm: int64 s0

# qhasm: int64 s1

# qhasm: enter update_asm
.p2align 5
.global _PQCLEAN_MCELIECE348864_SSE_update_asm
.global PQCLEAN_MCELIECE348864_SSE_update_asm
_PQCLEAN_MCELIECE348864_SSE_update_asm:
PQCLEAN_MCELIECE348864_SSE_update_asm:
mov %rsp,%r11
and $31,%r11
add $0,%r11
sub %r11,%rsp

# qhasm: s1 = input_1
# asm 1: mov <input_1=int64#2,>s1=int64#2
# asm 2: mov <input_1=%rsi,>s1=%rsi
mov %rsi,%rsi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: s0 = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>s0=int64#4
# asm 2: movq 0(<input_0=%rdi),>s0=%rcx
movq 0(%rdi),%rcx

# qhasm: s0 = (s1 s0) >> 1
# asm 1: shrd $1,<s1=int64#2,<s0=int64#4
# asm 2: shrd $1,<s1=%rsi,<s0=%rcx
shrd $1,%rsi,%rcx

# qhasm: (uint64) s1 >>= 1
# asm 1: shr $1,<s1=int64#2
# asm 2: shr $1,<s1=%rsi
shr $1,%rsi

# qhasm: mem64[ input_0 + 0 ] = s0
# asm 1: movq <s0=int64#4,0(<input_0=int64#1)
# asm 2: movq <s0=%rcx,0(<input_0=%rdi)
movq %rcx,0(%rdi)

# qhasm: input_0 += input_2
# asm 1: add <input_2=int64#3,<input_0=int64#1
# asm 2: add <input_2=%rdx,<input_0=%rdi
add %rdx,%rdi

# qhasm: return
add %r11,%rsp
ret

+ 0
- 106
crypto_kem/mceliece/mceliece348864/sse/util.c View File

@@ -1,106 +0,0 @@
/*
This file is for loading/storing data in a little-endian fashion
*/

#include "util.h"

void PQCLEAN_MCELIECE348864_SSE_store_i(unsigned char *out, uint64_t in, int i) {
int j;

for (j = 0; j < i; j++) {
out[j] = (in >> (j * 8)) & 0xFF;
}
}

void PQCLEAN_MCELIECE348864_SSE_store2(unsigned char *dest, gf a) {
dest[0] = a & 0xFF;
dest[1] = a >> 8;
}

uint16_t PQCLEAN_MCELIECE348864_SSE_load2(const unsigned char *src) {
uint16_t a;

a = src[1];
a <<= 8;
a |= src[0];

return a & GFMASK;
}

uint32_t PQCLEAN_MCELIECE348864_SSE_load4(const unsigned char *src) {
uint32_t a;

a = src[3];
a <<= 8;
a |= src[2];
a <<= 8;
a |= src[1];
a <<= 8;
a |= src[0];

return a;
}

void PQCLEAN_MCELIECE348864_SSE_irr_load(uint64_t *out, const unsigned char *in) {
int i, j;
uint16_t irr[ SYS_T + 1 ];

for (i = 0; i < SYS_T; i++) {
irr[i] = PQCLEAN_MCELIECE348864_SSE_load2(in + i * 2);
irr[i] &= GFMASK;
}

irr[ SYS_T ] = 1;

for (i = 0; i < GFBITS; i++) {
out[i] = 0;
}

for (i = SYS_T; i >= 0; i--) {
for (j = 0; j < GFBITS; j++) {
out[j] <<= 1;
out[j] |= (irr[i] >> j) & 1;
}
}
}

void PQCLEAN_MCELIECE348864_SSE_store8(unsigned char *out, uint64_t in) {
out[0] = (in >> 0x00) & 0xFF;
out[1] = (in >> 0x08) & 0xFF;
out[2] = (in >> 0x10) & 0xFF;
out[3] = (in >> 0x18) & 0xFF;
out[4] = (in >> 0x20) & 0xFF;
out[5] = (in >> 0x28) & 0xFF;
out[6] = (in >> 0x30) & 0xFF;
out[7] = (in >> 0x38) & 0xFF;
}

uint64_t PQCLEAN_MCELIECE348864_SSE_load8(const unsigned char *in) {
int i;
uint64_t ret = in[7];

for (i = 6; i >= 0; i--) {
ret <<= 8;
ret |= in[i];
}

return ret;
}

gf PQCLEAN_MCELIECE348864_SSE_bitrev(gf a) {
a = ((a & 0x00FF) << 8) | ((a & 0xFF00) >> 8);
a = ((a & 0x0F0F) << 4) | ((a & 0xF0F0) >> 4);
a = ((a & 0x3333) << 2) | ((a & 0xCCCC) >> 2);
a = ((a & 0x5555) << 1) | ((a & 0xAAAA) >> 1);

return a >> 4;
}

vec128 PQCLEAN_MCELIECE348864_SSE_load16(const unsigned char *in) {
return PQCLEAN_MCELIECE348864_SSE_vec128_set2x( PQCLEAN_MCELIECE348864_SSE_load8(in), PQCLEAN_MCELIECE348864_SSE_load8(in + 8) );
}

void PQCLEAN_MCELIECE348864_SSE_store16(unsigned char *out, vec128 in) {
PQCLEAN_MCELIECE348864_SSE_store8(out + 0, PQCLEAN_MCELIECE348864_SSE_vec128_extract(in, 0));
PQCLEAN_MCELIECE348864_SSE_store8(out + 8, PQCLEAN_MCELIECE348864_SSE_vec128_extract(in, 1));
}

+ 0
- 33
crypto_kem/mceliece/mceliece348864/sse/util.h View File

@@ -1,33 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_UTIL_H
#define PQCLEAN_MCELIECE348864_SSE_UTIL_H
/*
This file is for loading/storing data in a little-endian fashion
*/


#include "gf.h"
#include "vec128.h"

#include <stdint.h>

void PQCLEAN_MCELIECE348864_SSE_store_i(unsigned char *out, uint64_t in, int i);
void PQCLEAN_MCELIECE348864_SSE_store2(unsigned char *dest, gf a);

uint16_t PQCLEAN_MCELIECE348864_SSE_load2(const unsigned char *src);

uint32_t PQCLEAN_MCELIECE348864_SSE_load4(const unsigned char *src);

void PQCLEAN_MCELIECE348864_SSE_irr_load(uint64_t *out, const unsigned char *in);

void PQCLEAN_MCELIECE348864_SSE_store8(unsigned char *out, uint64_t in);

uint64_t PQCLEAN_MCELIECE348864_SSE_load8(const unsigned char *in);

gf PQCLEAN_MCELIECE348864_SSE_bitrev(gf a);

vec128 PQCLEAN_MCELIECE348864_SSE_load16(const unsigned char *in);

void PQCLEAN_MCELIECE348864_SSE_store16(unsigned char *out, vec128 in);

#endif


+ 0
- 17
crypto_kem/mceliece/mceliece348864/sse/vec.c View File

@@ -1,17 +0,0 @@

#include "vec.h"

#include "params.h"

void PQCLEAN_MCELIECE348864_SSE_vec_mul(uint64_t *h, const uint64_t *f, const uint64_t *g) {
PQCLEAN_MCELIECE348864_SSE_vec_mul_asm(h, f, g, 8);
}

void PQCLEAN_MCELIECE348864_SSE_vec_add(uint64_t *h, const uint64_t *f, const uint64_t *g) {
int b;

for (b = 0; b < GFBITS; b++) {
h[b] = f[b] ^ g[b];
}
}


+ 0
- 11
crypto_kem/mceliece/mceliece348864/sse/vec.h View File

@@ -1,11 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_VEC_H
#define PQCLEAN_MCELIECE348864_SSE_VEC_H

#include <stdint.h>

extern void PQCLEAN_MCELIECE348864_SSE_vec_mul_asm(uint64_t *, const uint64_t *, const uint64_t *, int);

void PQCLEAN_MCELIECE348864_SSE_vec_mul(uint64_t *h, const uint64_t *f, const uint64_t *g);
void PQCLEAN_MCELIECE348864_SSE_vec_add(uint64_t *h, const uint64_t *f, const uint64_t *g);

#endif

+ 0
- 143
crypto_kem/mceliece/mceliece348864/sse/vec128.c View File

@@ -1,143 +0,0 @@
/*
This file is for functions related to 128-bit vectors
including functions for bitsliced field operations
*/

#include "vec128.h"

#include "params.h"

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(uint16_t a) {
return _mm_set1_epi16(a);
}

int PQCLEAN_MCELIECE348864_SSE_vec128_testz(vec128 a) {
return _mm_testz_si128(a, a);
}

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_setzero(void) {
return _mm_setzero_si128();
}

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_and(vec128 a, vec128 b) {
return _mm_and_si128(a, b);
}

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_xor(vec128 a, vec128 b) {
return _mm_xor_si128(a, b);
}

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_or(vec128 a, vec128 b) {
return _mm_or_si128(a, b);
}

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_sll_2x(vec128 a, int s) {
return _mm_slli_epi64(a, s);
}

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_srl_2x(vec128 a, int s) {
return _mm_srli_epi64(a, s);
}

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_set2x(uint64_t a0, uint64_t a1) {
return _mm_set_epi64x(a1, a0);
}

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_unpack_low(vec128 a, vec128 b) {
return _mm_unpacklo_epi64(a, b);
}

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_unpack_high(vec128 a, vec128 b) {
return _mm_unpackhi_epi64(a, b);
}

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_setbits(uint64_t a) {
return _mm_set1_epi64x(-a);
}

void PQCLEAN_MCELIECE348864_SSE_vec128_copy(vec128 *dest, const vec128 *src) {
int i;

for (i = 0; i < GFBITS; i++) {
dest[i] = src[i];
}
}

void PQCLEAN_MCELIECE348864_SSE_vec128_add(vec128 *c, const vec128 *a, const vec128 *b) {
int i;

for (i = 0; i < GFBITS; i++) {
c[i] = PQCLEAN_MCELIECE348864_SSE_vec128_xor(a[i], b[i]);
}
}

vec128 PQCLEAN_MCELIECE348864_SSE_vec128_or_reduce(const vec128 *a) {
int i;
vec128 ret;

ret = a[0];
for (i = 1; i < GFBITS; i++) {
ret = PQCLEAN_MCELIECE348864_SSE_vec128_or(ret, a[i]);
}

return ret;
}

/* bitsliced field multiplications */
void PQCLEAN_MCELIECE348864_SSE_vec128_mul(vec128 *h, vec128 *f, const vec128 *g) {
PQCLEAN_MCELIECE348864_SSE_vec128_mul_asm(h, f, g, 16);
}

/* bitsliced field squarings */
void PQCLEAN_MCELIECE348864_SSE_vec128_sq(vec128 *out, const vec128 *in) {
int i;
vec128 result[GFBITS];

result[0] = in[0] ^ in[6];
result[1] = in[11];
result[2] = in[1] ^ in[7];
result[3] = in[6];
result[4] = in[2] ^ in[11] ^ in[8];
result[5] = in[7];
result[6] = in[3] ^ in[9];
result[7] = in[8];
result[8] = in[4] ^ in[10];
result[9] = in[9];
result[10] = in[5] ^ in[11];
result[11] = in[10];

for (i = 0; i < GFBITS; i++) {
out[i] = result[i];
}
}

/* bitsliced field inverses */
void PQCLEAN_MCELIECE348864_SSE_vec128_inv(vec128 *out, const vec128 *in) {
vec128 tmp_11[ GFBITS ];
vec128 tmp_1111[ GFBITS ];

PQCLEAN_MCELIECE348864_SSE_vec128_copy(out, in);

PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out);
PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp_11, out, in); // 11

PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, tmp_11);
PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out);
PQCLEAN_MCELIECE348864_SSE_vec128_mul(tmp_1111, out, tmp_11); // 1111

PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, tmp_1111);
PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out);
PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out);
PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out);
PQCLEAN_MCELIECE348864_SSE_vec128_mul(out, out, tmp_1111); // 11111111

PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out);
PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out);
PQCLEAN_MCELIECE348864_SSE_vec128_mul(out, out, tmp_11); // 1111111111

PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out);
PQCLEAN_MCELIECE348864_SSE_vec128_mul(out, out, in); // 11111111111

PQCLEAN_MCELIECE348864_SSE_vec128_sq(out, out); // 111111111110
}


+ 0
- 42
crypto_kem/mceliece/mceliece348864/sse/vec128.h View File

@@ -1,42 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_SSE_VEC128_H
#define PQCLEAN_MCELIECE348864_SSE_VEC128_H
/*
This file is for functions related to 128-bit vectors
including functions for bitsliced field operations
*/


#include <immintrin.h>
#include <stdint.h>

typedef __m128i vec128;

// this needs to be a macro, because
// _mm_extract_epi64 requires a literal int argument.
#define PQCLEAN_MCELIECE348864_SSE_vec128_extract(a, i) ((uint64_t) _mm_extract_epi64((vec128) (a), (i)))

int PQCLEAN_MCELIECE348864_SSE_vec128_testz(vec128 a);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_set1_16b(uint16_t a);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_setzero(void);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_and(vec128 a, vec128 b);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_xor(vec128 a, vec128 b);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_or(vec128 a, vec128 b);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_sll_2x(vec128 a, int s);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_srl_2x(vec128 a, int s);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_set2x(uint64_t a0, uint64_t a1);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_unpack_low(vec128 a, vec128 b);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_unpack_high(vec128 a, vec128 b);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_setbits(uint64_t a);
void PQCLEAN_MCELIECE348864_SSE_vec128_copy(vec128 *dest, const vec128 *src);
void PQCLEAN_MCELIECE348864_SSE_vec128_add(vec128 *c, const vec128 *a, const vec128 *b);
vec128 PQCLEAN_MCELIECE348864_SSE_vec128_or_reduce(const vec128 *a);

extern void PQCLEAN_MCELIECE348864_SSE_vec128_mul_asm(vec128 *, vec128 *, const vec128 *, int);

/* bitsliced field multiplications */
void PQCLEAN_MCELIECE348864_SSE_vec128_mul(vec128 *h, vec128 *f, const vec128 *g);

void PQCLEAN_MCELIECE348864_SSE_vec128_sq(vec128 * /*out*/, const vec128 * /*in*/);
void PQCLEAN_MCELIECE348864_SSE_vec128_inv(vec128 * /*out*/, const vec128 * /*in*/);

#endif

+ 0
- 1736
crypto_kem/mceliece/mceliece348864/sse/vec128_mul_asm.S
File diff suppressed because it is too large
View File


+ 0
- 1515
crypto_kem/mceliece/mceliece348864/sse/vec_mul_asm.S
File diff suppressed because it is too large
View File


+ 0
- 356
crypto_kem/mceliece/mceliece348864/sse/vec_reduce_asm.S View File

@@ -1,356 +0,0 @@

# qhasm: int64 input_0

# qhasm: int64 input_1

# qhasm: int64 input_2

# qhasm: int64 input_3

# qhasm: int64 input_4

# qhasm: int64 input_5

# qhasm: stack64 input_6

# qhasm: stack64 input_7

# qhasm: int64 caller_r11

# qhasm: int64 caller_r12

# qhasm: int64 caller_r13

# qhasm: int64 caller_r14

# qhasm: int64 caller_r15

# qhasm: int64 caller_rbx

# qhasm: int64 caller_rbp

# qhasm: int64 t

# qhasm: int64 c

# qhasm: int64 r

# qhasm: enter vec_reduce_asm
.p2align 5
.global _PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm
.global PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm
_PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm:
PQCLEAN_MCELIECE348864_SSE_vec_reduce_asm:
mov %rsp,%r11
and $31,%r11
add $0,%r11
sub %r11,%rsp

# qhasm: r = 0
# asm 1: mov $0,>r=int64#7
# asm 2: mov $0,>r=%rax
mov $0,%rax

# qhasm: t = mem64[ input_0 + 88 ]
# asm 1: movq 88(<input_0=int64#1),>t=int64#2
# asm 2: movq 88(<input_0=%rdi),>t=%rsi
movq 88(%rdi),%rsi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#2, >c=int64#2
# asm 2: popcnt <t=%rsi, >c=%rsi
popcnt %rsi, %rsi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#2d
# asm 2: and $1,<c=%esi
and $1,%esi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#2,<r=int64#7
# asm 2: or <c=%rsi,<r=%rax
or %rsi,%rax

# qhasm: t = mem64[ input_0 + 80 ]
# asm 1: movq 80(<input_0=int64#1),>t=int64#2
# asm 2: movq 80(<input_0=%rdi),>t=%rsi
movq 80(%rdi),%rsi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#2, >c=int64#2
# asm 2: popcnt <t=%rsi, >c=%rsi
popcnt %rsi, %rsi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#2d
# asm 2: and $1,<c=%esi
and $1,%esi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#2,<r=int64#7
# asm 2: or <c=%rsi,<r=%rax
or %rsi,%rax

# qhasm: t = mem64[ input_0 + 72 ]
# asm 1: movq 72(<input_0=int64#1),>t=int64#2
# asm 2: movq 72(<input_0=%rdi),>t=%rsi
movq 72(%rdi),%rsi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#2, >c=int64#2
# asm 2: popcnt <t=%rsi, >c=%rsi
popcnt %rsi, %rsi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#2d
# asm 2: and $1,<c=%esi
and $1,%esi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#2,<r=int64#7
# asm 2: or <c=%rsi,<r=%rax
or %rsi,%rax

# qhasm: t = mem64[ input_0 + 64 ]
# asm 1: movq 64(<input_0=int64#1),>t=int64#2
# asm 2: movq 64(<input_0=%rdi),>t=%rsi
movq 64(%rdi),%rsi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#2, >c=int64#2
# asm 2: popcnt <t=%rsi, >c=%rsi
popcnt %rsi, %rsi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#2d
# asm 2: and $1,<c=%esi
and $1,%esi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#2,<r=int64#7
# asm 2: or <c=%rsi,<r=%rax
or %rsi,%rax

# qhasm: t = mem64[ input_0 + 56 ]
# asm 1: movq 56(<input_0=int64#1),>t=int64#2
# asm 2: movq 56(<input_0=%rdi),>t=%rsi
movq 56(%rdi),%rsi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#2, >c=int64#2
# asm 2: popcnt <t=%rsi, >c=%rsi
popcnt %rsi, %rsi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#2d
# asm 2: and $1,<c=%esi
and $1,%esi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#2,<r=int64#7
# asm 2: or <c=%rsi,<r=%rax
or %rsi,%rax

# qhasm: t = mem64[ input_0 + 48 ]
# asm 1: movq 48(<input_0=int64#1),>t=int64#2
# asm 2: movq 48(<input_0=%rdi),>t=%rsi
movq 48(%rdi),%rsi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#2, >c=int64#2
# asm 2: popcnt <t=%rsi, >c=%rsi
popcnt %rsi, %rsi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#2d
# asm 2: and $1,<c=%esi
and $1,%esi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#2,<r=int64#7
# asm 2: or <c=%rsi,<r=%rax
or %rsi,%rax

# qhasm: t = mem64[ input_0 + 40 ]
# asm 1: movq 40(<input_0=int64#1),>t=int64#2
# asm 2: movq 40(<input_0=%rdi),>t=%rsi
movq 40(%rdi),%rsi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#2, >c=int64#2
# asm 2: popcnt <t=%rsi, >c=%rsi
popcnt %rsi, %rsi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#2d
# asm 2: and $1,<c=%esi
and $1,%esi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#2,<r=int64#7
# asm 2: or <c=%rsi,<r=%rax
or %rsi,%rax

# qhasm: t = mem64[ input_0 + 32 ]
# asm 1: movq 32(<input_0=int64#1),>t=int64#2
# asm 2: movq 32(<input_0=%rdi),>t=%rsi
movq 32(%rdi),%rsi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#2, >c=int64#2
# asm 2: popcnt <t=%rsi, >c=%rsi
popcnt %rsi, %rsi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#2d
# asm 2: and $1,<c=%esi
and $1,%esi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#2,<r=int64#7
# asm 2: or <c=%rsi,<r=%rax
or %rsi,%rax

# qhasm: t = mem64[ input_0 + 24 ]
# asm 1: movq 24(<input_0=int64#1),>t=int64#2
# asm 2: movq 24(<input_0=%rdi),>t=%rsi
movq 24(%rdi),%rsi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#2, >c=int64#2
# asm 2: popcnt <t=%rsi, >c=%rsi
popcnt %rsi, %rsi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#2d
# asm 2: and $1,<c=%esi
and $1,%esi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#2,<r=int64#7
# asm 2: or <c=%rsi,<r=%rax
or %rsi,%rax

# qhasm: t = mem64[ input_0 + 16 ]
# asm 1: movq 16(<input_0=int64#1),>t=int64#2
# asm 2: movq 16(<input_0=%rdi),>t=%rsi
movq 16(%rdi),%rsi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#2, >c=int64#2
# asm 2: popcnt <t=%rsi, >c=%rsi
popcnt %rsi, %rsi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#2d
# asm 2: and $1,<c=%esi
and $1,%esi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#2,<r=int64#7
# asm 2: or <c=%rsi,<r=%rax
or %rsi,%rax

# qhasm: t = mem64[ input_0 + 8 ]
# asm 1: movq 8(<input_0=int64#1),>t=int64#2
# asm 2: movq 8(<input_0=%rdi),>t=%rsi
movq 8(%rdi),%rsi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#2, >c=int64#2
# asm 2: popcnt <t=%rsi, >c=%rsi
popcnt %rsi, %rsi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#2d
# asm 2: and $1,<c=%esi
and $1,%esi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#2,<r=int64#7
# asm 2: or <c=%rsi,<r=%rax
or %rsi,%rax

# qhasm: t = mem64[ input_0 + 0 ]
# asm 1: movq 0(<input_0=int64#1),>t=int64#1
# asm 2: movq 0(<input_0=%rdi),>t=%rdi
movq 0(%rdi),%rdi

# qhasm: c = count(t)
# asm 1: popcnt <t=int64#1, >c=int64#1
# asm 2: popcnt <t=%rdi, >c=%rdi
popcnt %rdi, %rdi

# qhasm: (uint32) c &= 1
# asm 1: and $1,<c=int64#1d
# asm 2: and $1,<c=%edi
and $1,%edi

# qhasm: r <<= 1
# asm 1: shl $1,<r=int64#7
# asm 2: shl $1,<r=%rax
shl $1,%rax

# qhasm: r |= c
# asm 1: or <c=int64#1,<r=int64#7
# asm 2: or <c=%rdi,<r=%rax
or %rdi,%rax

# qhasm: return r
add %r11,%rsp
ret

+ 0
- 16
crypto_kem/mceliece/mceliece348864/vec/LICENSE View File

@@ -1,16 +0,0 @@
Public Domain.

Authors of Classic McEliece in alphabetical order:

Daniel J. Bernstein, University of Illinois at Chicago
Tung Chou, Osaka University
Tanja Lange, Technische Universiteit Eindhoven
Ingo von Maurich, self
Rafael Misoczki, Intel Corporation
Ruben Niederhagen, Fraunhofer SIT
Edoardo Persichetti, Florida Atlantic University
Christiane Peters, self
Peter Schwabe, Radboud University
Nicolas Sendrier, Inria
Jakub Szefer, Yale University
Wen Wang, Yale University

+ 0
- 25
crypto_kem/mceliece/mceliece348864/vec/Makefile.Microsoft_nmake View File

@@ -1,25 +0,0 @@
# This Makefile can be used with GNU Make or BSD Make

LIBRARY = libmceliece348864_vec.lib

OBJECTS = aes256ctr.obj benes.obj bm.obj controlbits.obj decrypt.obj \
encrypt.obj fft.obj fft_tr.obj gf.obj operations.obj pk_gen.obj \
sk_gen.obj transpose.obj util.obj vec.obj

# Warning C4146 is raised when a unary minus operator is applied to an
# unsigned type; this has nonetheless been standard and portable for as
# long as there has been a C standard, and we do that a lot, especially
# for constant-time computations. Thus, we disable that spurious warning.
CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /wd4146 /WX

all: $(LIBRARY)

# Make sure objects are recompiled if headers change.
$(OBJECTS): *.h *.inc

$(LIBRARY): $(OBJECTS)
LIB.EXE /NOLOGO /WX /OUT:$@ $**

clean:
-DEL $(OBJECTS)
-DEL $(LIBRARY)

+ 0
- 13
crypto_kem/mceliece/mceliece348864/vec/aes256ctr.c View File

@@ -1,13 +0,0 @@
#include "aes256ctr.h"

void PQCLEAN_MCELIECE348864_VEC_aes256ctr(
uint8_t *out,
size_t outlen,
const uint8_t nonce[AESCTR_NONCEBYTES],
const uint8_t key[AES256_KEYBYTES]) {

aes256ctx state;
aes256_ctr_keyexp(&state, key);
aes256_ctr(out, outlen, nonce, &state);
aes256_ctx_release(&state);
}

+ 0
- 17
crypto_kem/mceliece/mceliece348864/vec/aes256ctr.h View File

@@ -1,17 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_VEC_AES256CTR_H
#define PQCLEAN_MCELIECE348864_VEC_AES256CTR_H

#include <stddef.h>
#include <stdint.h>

#include "aes.h"


void PQCLEAN_MCELIECE348864_VEC_aes256ctr(
uint8_t *out,
size_t outlen,
const uint8_t nonce[AESCTR_NONCEBYTES],
const uint8_t key[AES256_KEYBYTES]
);

#endif

+ 0
- 32
crypto_kem/mceliece/mceliece348864/vec/api.h View File

@@ -1,32 +0,0 @@
#ifndef PQCLEAN_MCELIECE348864_VEC_API_H
#define PQCLEAN_MCELIECE348864_VEC_API_H

#include <stdint.h>

#define PQCLEAN_MCELIECE348864_VEC_CRYPTO_ALGNAME "Classic McEliece 348864"
#define PQCLEAN_MCELIECE348864_VEC_CRYPTO_PUBLICKEYBYTES 261120
#define PQCLEAN_MCELIECE348864_VEC_CRYPTO_SECRETKEYBYTES 6452
#define PQCLEAN_MCELIECE348864_VEC_CRYPTO_CIPHERTEXTBYTES 128
#define PQCLEAN_MCELIECE348864_VEC_CRYPTO_BYTES 32


int PQCLEAN_MCELIECE348864_VEC_crypto_kem_enc(
uint8_t *c,
uint8_t *key,
const uint8_t *pk
);

int PQCLEAN_MCELIECE348864_VEC_crypto_kem_dec(
uint8_t *key,
const uint8_t *c,
const uint8_t *sk
);

int PQCLEAN_MCELIECE348864_VEC_crypto_kem_keypair
(
uint8_t *pk,
uint8_t *sk
);

#endif


Some files were not shown because too many files changed in this diff

Loading…
Cancel
Save