pq_crypto 0.4.2 → 0.5.0

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/auto.h

@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+/* References
+ * ==========
+ *
+ * - [HYBRID]
+ *   Hybrid scalar/vector implementations of Keccak and SPHINCS+ on AArch64
+ *   Becker, Kannwischer
+ *   https://eprint.iacr.org/2022/1243
+ */
+
+#ifndef MLD_FIPS202_NATIVE_AARCH64_AUTO_H
+#define MLD_FIPS202_NATIVE_AARCH64_AUTO_H
+/* Default FIPS202 assembly profile for AArch64 systems */
+
+/*
+ * Default logic to decide which implementation to use.
+ *
+ */
+
+/*
+ * Keccak-f1600
+ *
+ * - On Arm-based Apple CPUs, we pick a pure Neon implementation.
+ * - Otherwise, unless MLD_SYS_AARCH64_SLOW_BARREL_SHIFTER is set,
+ *   we use lazy-rotation scalar assembly from @[HYBRID].
+ * - Otherwise, if MLD_SYS_AARCH64_SLOW_BARREL_SHIFTER is set, we
+ *   fall back to the standard C implementation.
+ */
+#if defined(__ARM_FEATURE_SHA3) && defined(__APPLE__)
+#include "x1_v84a.h"
+#elif !defined(MLD_SYS_AARCH64_SLOW_BARREL_SHIFTER)
+#include "x1_scalar.h"
+#endif
+
+/*
+ * Keccak-f1600x2/x4
+ *
+ * The optimal implementation is highly CPU-specific; see @[HYBRID].
+ *
+ * For now, if v8.4-A is not implemented, we fall back to Keccak-f1600.
+ * If v8.4-A is implemented and we are on an Apple CPU, we use a plain
+ * Neon-based implementation.
+ * If v8.4-A is implemented and we are not on an Apple CPU, we use a
+ * scalar/Neon/Neon hybrid.
+ * The reason for this distinction is that Apple CPUs appear to implement
+ * the SHA3 instructions on all SIMD units, while Arm CPUs prior to Cortex-X4
+ * don't, and ordinary Neon instructions are still needed.
+ */
+#if defined(__ARM_FEATURE_SHA3)
+/*
+ * For Apple-M cores, we use a plain implementation leveraging SHA3
+ * instructions only.
+ */
+#if defined(__APPLE__)
+#include "x2_v84a.h"
+#else
+#include "x4_v8a_v84a_scalar.h"
+#endif
+
+#else /* __ARM_FEATURE_SHA3 */
+
+#include "x4_v8a_scalar.h"
+
+#endif /* !__ARM_FEATURE_SHA3 */
+
+#endif /* !MLD_FIPS202_NATIVE_AARCH64_AUTO_H */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/fips202_native_aarch64.h

@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+#ifndef MLD_FIPS202_NATIVE_AARCH64_SRC_FIPS202_NATIVE_AARCH64_H
+#define MLD_FIPS202_NATIVE_AARCH64_SRC_FIPS202_NATIVE_AARCH64_H
+
+
+#include "../../../../cbmc.h"
+#include "../../../../common.h"
+
+
+#define mld_keccakf1600_round_constants \
+  MLD_NAMESPACE(keccakf1600_round_constants)
+extern const uint64_t mld_keccakf1600_round_constants[];
+
+#define mld_keccak_f1600_x1_scalar_asm MLD_NAMESPACE(keccak_f1600_x1_scalar_asm)
+void mld_keccak_f1600_x1_scalar_asm(uint64_t state[25], const uint64_t rc[24])
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 1))
+  requires(rc == mld_keccakf1600_round_constants)
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 1))
+);
+
+#define mld_keccak_f1600_x1_v84a_asm MLD_NAMESPACE(keccak_f1600_x1_v84a_asm)
+void mld_keccak_f1600_x1_v84a_asm(uint64_t state[25], const uint64_t rc[24])
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 1))
+  requires(rc == mld_keccakf1600_round_constants)
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 1))
+);
+
+#define mld_keccak_f1600_x2_v84a_asm MLD_NAMESPACE(keccak_f1600_x2_v84a_asm)
+void mld_keccak_f1600_x2_v84a_asm(uint64_t state[50], const uint64_t rc[24])
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 2))
+  requires(rc == mld_keccakf1600_round_constants)
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 2))
+);
+
+#define mld_keccak_f1600_x4_v8a_scalar_hybrid_asm \
+  MLD_NAMESPACE(keccak_f1600_x4_v8a_scalar_hybrid_asm)
+void mld_keccak_f1600_x4_v8a_scalar_hybrid_asm(uint64_t state[100],
+                                               const uint64_t rc[24])
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 4))
+  requires(rc == mld_keccakf1600_round_constants)
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 4))
+);
+
+#define mld_keccak_f1600_x4_v8a_v84a_scalar_hybrid_asm \
+  MLD_NAMESPACE(keccak_f1600_x4_v8a_v84a_scalar_hybrid_asm)
+void mld_keccak_f1600_x4_v8a_v84a_scalar_hybrid_asm(uint64_t state[100],
+                                                    const uint64_t rc[24])
+__contract__(
+  requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 4))
+  requires(rc == mld_keccakf1600_round_constants)
+  assigns(memory_slice(state, sizeof(uint64_t) * 25 * 4))
+);
+
+#endif /* !MLD_FIPS202_NATIVE_AARCH64_SRC_FIPS202_NATIVE_AARCH64_H */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x1_scalar_asm.S

@@ -0,0 +1,376 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * Copyright (c) The mldsa-native project authors
+ * Copyright (c) 2021-2022 Arm Limited
+ * Copyright (c) 2022 Matthias Kannwischer
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+// Author: Hanno Becker <hanno.becker@arm.com>
+// Author: Matthias Kannwischer <matthias@kannwischer.eu>
+
+/*yaml
+  Name: keccak_f1600_x1_scalar_asm
+  Description: AArch64 scalar implementation of Keccak-f[1600] permutation for single state
+  Signature: void mld_keccak_f1600_x1_scalar_asm(uint64_t state[25], const uint64_t rc[24])
+  ABI:
+    x0:
+      type: buffer
+      size_bytes: 200
+      permissions: read/write
+      c_parameter: uint64_t state[25]
+      description: Keccak state (25 x uint64_t)
+    x1:
+      type: buffer
+      size_bytes: 192
+      permissions: read-only
+      c_parameter: uint64_t const *rc
+      description: Round constants (24 x uint64_t)
+  Stack:
+    bytes: 128
+    description: register preservation and temporary storage
+*/
+
+#include "../../../../common.h"
+#if defined(MLD_FIPS202_AARCH64_NEED_X1_SCALAR) && \
+    !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
+
+/*
+ * WARNING: This file is auto-derived from the mldsa-native source file
+ *   dev/fips202/aarch64/src/keccak_f1600_x1_scalar_asm.S using scripts/simpasm. Do not modify it directly.
+ */
+
+#if defined(__ELF__)
+.section .note.GNU-stack,"",@progbits
+#endif
+
+.text
+.balign 4
+.global MLD_ASM_NAMESPACE(keccak_f1600_x1_scalar_asm)
+MLD_ASM_FN_SYMBOL(keccak_f1600_x1_scalar_asm)
+
+        .cfi_startproc
+        sub	sp, sp, #0x80
+        .cfi_adjust_cfa_offset 0x80
+        stp	x19, x20, [sp, #0x20]
+        .cfi_rel_offset x19, 0x20
+        .cfi_rel_offset x20, 0x28
+        stp	x21, x22, [sp, #0x30]
+        .cfi_rel_offset x21, 0x30
+        .cfi_rel_offset x22, 0x38
+        stp	x23, x24, [sp, #0x40]
+        .cfi_rel_offset x23, 0x40
+        .cfi_rel_offset x24, 0x48
+        stp	x25, x26, [sp, #0x50]
+        .cfi_rel_offset x25, 0x50
+        .cfi_rel_offset x26, 0x58
+        stp	x27, x28, [sp, #0x60]
+        .cfi_rel_offset x27, 0x60
+        .cfi_rel_offset x28, 0x68
+        stp	x29, x30, [sp, #0x70]
+        .cfi_rel_offset x29, 0x70
+        .cfi_rel_offset x30, 0x78
+
+Lkeccak_f1600_x1_scalar_initial:
+        mov	x26, x1
+        str	x1, [sp, #0x8]
+        ldp	x1, x6, [x0]
+        ldp	x11, x16, [x0, #0x10]
+        ldp	x21, x2, [x0, #0x20]
+        ldp	x7, x12, [x0, #0x30]
+        ldp	x17, x22, [x0, #0x40]
+        ldp	x3, x8, [x0, #0x50]
+        ldp	x13, x28, [x0, #0x60]
+        ldp	x23, x4, [x0, #0x70]
+        ldp	x9, x14, [x0, #0x80]
+        ldp	x19, x24, [x0, #0x90]
+        ldp	x5, x10, [x0, #0xa0]
+        ldp	x15, x20, [x0, #0xb0]
+        ldr	x25, [x0, #0xc0]
+        str	x0, [sp]
+        eor	x30, x24, x25
+        eor	x27, x9, x10
+        eor	x0, x30, x21
+        eor	x26, x27, x6
+        eor	x27, x26, x7
+        eor	x29, x0, x22
+        eor	x26, x29, x23
+        eor	x29, x4, x5
+        eor	x30, x29, x1
+        eor	x0, x27, x8
+        eor	x29, x30, x2
+        eor	x30, x19, x20
+        eor	x30, x30, x16
+        eor	x27, x26, x0, ror #63
+        eor	x4, x4, x27
+        eor	x30, x30, x17
+        eor	x30, x30, x28
+        eor	x29, x29, x3
+        eor	x0, x0, x30, ror #63
+        eor	x30, x30, x29, ror #63
+        eor	x22, x22, x30
+        eor	x23, x23, x30
+        str	x23, [sp, #0x18]
+        eor	x23, x14, x15
+        eor	x14, x14, x0
+        eor	x23, x23, x11
+        eor	x15, x15, x0
+        eor	x1, x1, x27
+        eor	x23, x23, x12
+        eor	x23, x23, x13
+        eor	x11, x11, x0
+        eor	x29, x29, x23, ror #63
+        eor	x23, x23, x26, ror #63
+        eor	x26, x13, x0
+        eor	x13, x28, x23
+        eor	x28, x24, x30
+        eor	x24, x16, x23
+        eor	x16, x21, x30
+        eor	x21, x25, x30
+        eor	x30, x19, x23
+        eor	x19, x20, x23
+        eor	x20, x17, x23
+        eor	x17, x12, x0
+        eor	x0, x2, x27
+        eor	x2, x6, x29
+        eor	x6, x8, x29
+        bic	x8, x28, x13, ror #47
+        eor	x12, x3, x27
+        bic	x3, x13, x17, ror #19
+        eor	x5, x5, x27
+        ldr	x27, [sp, #0x18]
+        bic	x25, x17, x2, ror #5
+        eor	x9, x9, x29
+        eor	x23, x25, x5, ror #52
+        eor	x3, x3, x2, ror #24
+        eor	x8, x8, x17, ror #2
+        eor	x17, x10, x29
+        bic	x25, x12, x22, ror #47
+        eor	x29, x7, x29
+        bic	x10, x4, x27, ror #2
+        bic	x7, x5, x28, ror #10
+        eor	x10, x10, x20, ror #50
+        eor	x13, x7, x13, ror #57
+        bic	x7, x2, x5, ror #47
+        eor	x2, x25, x24, ror #39
+        bic	x25, x20, x11, ror #57
+        bic	x5, x17, x4, ror #25
+        eor	x25, x25, x17, ror #53
+        bic	x17, x11, x17, ror #60
+        eor	x28, x7, x28, ror #57
+        bic	x7, x9, x12, ror #42
+        eor	x7, x7, x22, ror #25
+        bic	x22, x22, x24, ror #56
+        bic	x24, x24, x15, ror #31
+        eor	x22, x22, x15, ror #23
+        bic	x20, x27, x20, ror #48
+        bic	x15, x15, x9, ror #16
+        eor	x12, x15, x12, ror #58
+        eor	x15, x5, x27, ror #27
+        eor	x5, x20, x11, ror #41
+        ldr	x11, [sp, #0x8]
+        eor	x20, x17, x4, ror #21
+        eor	x17, x24, x9, ror #47
+        mov	x24, #0x1               // =1
+        bic	x9, x0, x16, ror #9
+        str	x24, [sp, #0x10]
+        bic	x24, x29, x1, ror #44
+        bic	x27, x1, x21, ror #50
+        bic	x4, x26, x29, ror #63
+        eor	x1, x1, x4, ror #21
+        ldr	x11, [x11]
+        bic	x4, x21, x30, ror #57
+        eor	x21, x24, x21, ror #30
+        eor	x24, x9, x19, ror #44
+        bic	x9, x14, x6, ror #5
+        eor	x9, x9, x0, ror #43
+        bic	x0, x6, x0, ror #38
+        eor	x1, x1, x11
+        eor	x11, x4, x26, ror #35
+        eor	x4, x0, x16, ror #47
+        bic	x0, x16, x19, ror #35
+        eor	x16, x27, x30, ror #43
+        bic	x27, x30, x26, ror #42
+        bic	x26, x19, x14, ror #41
+        eor	x19, x0, x14, ror #12
+        eor	x14, x26, x6, ror #46
+        eor	x6, x27, x29, ror #41
+
+Lkeccak_f1600_x1_scalar_loop:
+        eor	x0, x15, x11, ror #52
+        eor	x0, x0, x13, ror #48
+        eor	x26, x8, x9, ror #57
+        eor	x27, x0, x14, ror #10
+        eor	x29, x16, x28, ror #63
+        eor	x26, x26, x6, ror #51
+        eor	x30, x23, x22, ror #50
+        eor	x0, x26, x10, ror #31
+        eor	x29, x29, x19, ror #37
+        eor	x27, x27, x12, ror #5
+        eor	x30, x30, x24, ror #34
+        eor	x0, x0, x7, ror #27
+        eor	x26, x30, x21, ror #26
+        eor	x26, x26, x25, ror #15
+        ror	x30, x27, #0x3e
+        eor	x30, x30, x26, ror #57
+        ror	x26, x26, #0x3a
+        eor	x16, x30, x16
+        eor	x28, x30, x28, ror #63
+        str	x28, [sp, #0x18]
+        eor	x29, x29, x17, ror #36
+        eor	x28, x1, x2, ror #61
+        eor	x19, x30, x19, ror #37
+        eor	x29, x29, x20, ror #2
+        eor	x28, x28, x4, ror #54
+        eor	x26, x26, x0, ror #55
+        eor	x28, x28, x3, ror #39
+        eor	x28, x28, x5, ror #25
+        ror	x0, x0, #0x38
+        eor	x0, x0, x29, ror #63
+        eor	x27, x28, x27, ror #61
+        eor	x13, x0, x13, ror #46
+        eor	x28, x29, x28, ror #63
+        eor	x29, x30, x20, ror #2
+        eor	x20, x26, x3, ror #39
+        eor	x11, x0, x11, ror #50
+        eor	x25, x28, x25, ror #9
+        eor	x3, x28, x21, ror #20
+        eor	x21, x26, x1
+        eor	x9, x27, x9, ror #49
+        eor	x24, x28, x24, ror #28
+        eor	x1, x30, x17, ror #36
+        eor	x14, x0, x14, ror #8
+        eor	x22, x28, x22, ror #44
+        eor	x8, x27, x8, ror #56
+        eor	x17, x27, x7, ror #19
+        eor	x15, x0, x15, ror #62
+        bic	x7, x20, x22, ror #47
+        eor	x4, x26, x4, ror #54
+        eor	x0, x0, x12, ror #3
+        eor	x28, x28, x23, ror #58
+        eor	x23, x26, x2, ror #61
+        eor	x26, x26, x5, ror #25
+        eor	x2, x7, x16, ror #39
+        bic	x7, x9, x20, ror #42
+        bic	x30, x15, x9, ror #16
+        eor	x7, x7, x22, ror #25
+        eor	x12, x30, x20, ror #58
+        bic	x20, x22, x16, ror #56
+        eor	x30, x27, x6, ror #43
+        eor	x22, x20, x15, ror #23
+        bic	x6, x19, x13, ror #42
+        eor	x6, x6, x17, ror #41
+        bic	x5, x13, x17, ror #63
+        eor	x5, x21, x5, ror #21
+        bic	x17, x17, x21, ror #44
+        eor	x27, x27, x10, ror #23
+        bic	x21, x21, x25, ror #50
+        bic	x20, x27, x4, ror #25
+        bic	x10, x16, x15, ror #31
+        eor	x16, x21, x19, ror #43
+        eor	x21, x17, x25, ror #30
+        bic	x19, x25, x19, ror #57
+        ldr	x25, [sp, #0x10]
+        eor	x17, x10, x9, ror #47
+        ldr	x9, [sp, #0x8]
+        eor	x15, x20, x28, ror #27
+        bic	x20, x4, x28, ror #2
+        eor	x10, x20, x1, ror #50
+        bic	x20, x11, x27, ror #60
+        eor	x20, x20, x4, ror #21
+        bic	x4, x28, x1, ror #48
+        bic	x1, x1, x11, ror #57
+        ldr	x28, [x9, x25, lsl #3]
+        ldr	x9, [sp, #0x18]
+        add	x25, x25, #0x1
+        str	x25, [sp, #0x10]
+        cmp	x25, #0x17
+        eor	x25, x1, x27, ror #53
+        bic	x27, x30, x26, ror #47
+        eor	x1, x5, x28
+        eor	x5, x4, x11, ror #41
+        eor	x11, x19, x13, ror #35
+        bic	x13, x26, x24, ror #10
+        eor	x28, x27, x24, ror #57
+        bic	x27, x24, x9, ror #47
+        bic	x19, x23, x3, ror #9
+        bic	x4, x29, x14, ror #41
+        eor	x24, x19, x29, ror #44
+        bic	x29, x3, x29, ror #35
+        eor	x13, x13, x9, ror #57
+        eor	x19, x29, x14, ror #12
+        bic	x29, x9, x0, ror #19
+        bic	x14, x14, x8, ror #5
+        eor	x9, x14, x23, ror #43
+        eor	x14, x4, x8, ror #46
+        bic	x23, x8, x23, ror #38
+        eor	x8, x27, x0, ror #2
+        eor	x4, x23, x3, ror #47
+        bic	x3, x0, x30, ror #5
+        eor	x23, x3, x26, ror #52
+        eor	x3, x29, x30, ror #24
+        b.le	Lkeccak_f1600_x1_scalar_loop
+        ror	x6, x6, #0x2b
+        ror	x11, x11, #0x32
+        ror	x21, x21, #0x14
+        ror	x2, x2, #0x3d
+        ror	x7, x7, #0x13
+        ror	x12, x12, #0x3
+        ror	x17, x17, #0x24
+        ror	x22, x22, #0x2c
+        ror	x3, x3, #0x27
+        ror	x8, x8, #0x38
+        ror	x13, x13, #0x2e
+        ror	x28, x28, #0x3f
+        ror	x23, x23, #0x3a
+        ror	x4, x4, #0x36
+        ror	x9, x9, #0x31
+        ror	x14, x14, #0x8
+        ror	x19, x19, #0x25
+        ror	x24, x24, #0x1c
+        ror	x5, x5, #0x19
+        ror	x10, x10, #0x17
+        ror	x15, x15, #0x3e
+        ror	x20, x20, #0x2
+        ror	x25, x25, #0x9
+        ldr	x0, [sp]
+        stp	x1, x6, [x0]
+        stp	x11, x16, [x0, #0x10]
+        stp	x21, x2, [x0, #0x20]
+        stp	x7, x12, [x0, #0x30]
+        stp	x17, x22, [x0, #0x40]
+        stp	x3, x8, [x0, #0x50]
+        stp	x13, x28, [x0, #0x60]
+        stp	x23, x4, [x0, #0x70]
+        stp	x9, x14, [x0, #0x80]
+        stp	x19, x24, [x0, #0x90]
+        stp	x5, x10, [x0, #0xa0]
+        stp	x15, x20, [x0, #0xb0]
+        str	x25, [x0, #0xc0]
+        ldp	x19, x20, [sp, #0x20]
+        .cfi_restore x19
+        .cfi_restore x20
+        ldp	x21, x22, [sp, #0x30]
+        .cfi_restore x21
+        .cfi_restore x22
+        ldp	x23, x24, [sp, #0x40]
+        .cfi_restore x23
+        .cfi_restore x24
+        ldp	x25, x26, [sp, #0x50]
+        .cfi_restore x25
+        .cfi_restore x26
+        ldp	x27, x28, [sp, #0x60]
+        .cfi_restore x27
+        .cfi_restore x28
+        ldp	x29, x30, [sp, #0x70]
+        .cfi_restore x29
+        .cfi_restore x30
+        add	sp, sp, #0x80
+        .cfi_adjust_cfa_offset -0x80
+        ret
+        .cfi_endproc
+
+MLD_ASM_FN_SIZE(keccak_f1600_x1_scalar_asm)
+
+#endif /* MLD_FIPS202_AARCH64_NEED_X1_SCALAR && \
+          !MLD_CONFIG_MULTILEVEL_NO_SHARED */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x1_v84a_asm.S

@@ -0,0 +1,204 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * Copyright (c) The mldsa-native project authors
+ * Copyright (c) 2021-2022 Arm Limited
+ * Copyright (c) 2022 Matthias Kannwischer
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+/* References
+ * ==========
+ *
+ * - [HYBRID]
+ *   Hybrid scalar/vector implementations of Keccak and SPHINCS+ on AArch64
+ *   Becker, Kannwischer
+ *   https://eprint.iacr.org/2022/1243
+ */
+
+/*yaml
+  Name: keccak_f1600_x1_v84a_asm
+  Description: AArch64 ARMv8.4-A implementation of Keccak-f[1600] permutation for single state
+  Signature: void mld_keccak_f1600_x1_v84a_asm(uint64_t state[25], const uint64_t rc[24])
+  ABI:
+    x0:
+      type: buffer
+      size_bytes: 200
+      permissions: read/write
+      c_parameter: uint64_t state[25]
+      description: Keccak state (25 x uint64_t)
+    x1:
+      type: buffer
+      size_bytes: 192
+      permissions: read-only
+      c_parameter: const uint64_t rc[24]
+      description: Round constants (24 x uint64_t)
+  Stack:
+    bytes: 64
+    description: register preservation
+*/
+
+//
+// Author: Hanno Becker <hanno.becker@arm.com>
+// Author: Matthias Kannwischer <matthias@kannwischer.eu>
+//
+// This implementation is essentially from the paper @[HYBRID].
+// The only difference is interleaving/deinterleaving of Keccak state
+// during load and store, so that the caller need not do this.
+//
+
+#include "../../../../common.h"
+#if defined(MLD_FIPS202_AARCH64_NEED_X1_V84A) && \
+    !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
+
+#if defined(__ARM_FEATURE_SHA3)
+
+/*
+ * WARNING: This file is auto-derived from the mldsa-native source file
+ *   dev/fips202/aarch64/src/keccak_f1600_x1_v84a_asm.S using scripts/simpasm. Do not modify it directly.
+ */
+
+#if defined(__ELF__)
+.section .note.GNU-stack,"",@progbits
+#endif
+
+.text
+.balign 4
+.global MLD_ASM_NAMESPACE(keccak_f1600_x1_v84a_asm)
+MLD_ASM_FN_SYMBOL(keccak_f1600_x1_v84a_asm)
+
+        .cfi_startproc
+        sub	sp, sp, #0x40
+        .cfi_adjust_cfa_offset 0x40
+        stp	d8, d9, [sp]
+        .cfi_rel_offset d8, 0x0
+        .cfi_rel_offset d9, 0x8
+        stp	d10, d11, [sp, #0x10]
+        .cfi_rel_offset d10, 0x10
+        .cfi_rel_offset d11, 0x18
+        stp	d12, d13, [sp, #0x20]
+        .cfi_rel_offset d12, 0x20
+        .cfi_rel_offset d13, 0x28
+        stp	d14, d15, [sp, #0x30]
+        .cfi_rel_offset d14, 0x30
+        .cfi_rel_offset d15, 0x38
+        ldp	d0, d1, [x0]
+        ldp	d2, d3, [x0, #0x10]
+        ldp	d4, d5, [x0, #0x20]
+        ldp	d6, d7, [x0, #0x30]
+        ldp	d8, d9, [x0, #0x40]
+        ldp	d10, d11, [x0, #0x50]
+        ldp	d12, d13, [x0, #0x60]
+        ldp	d14, d15, [x0, #0x70]
+        ldp	d16, d17, [x0, #0x80]
+        ldp	d18, d19, [x0, #0x90]
+        ldp	d20, d21, [x0, #0xa0]
+        ldp	d22, d23, [x0, #0xb0]
+        ldr	d24, [x0, #0xc0]
+        mov	x2, #0x18               // =24
+
+Lkeccak_f1600_x1_v84a_loop:
+        eor3	v30.16b, v0.16b, v5.16b, v10.16b
+        eor3	v29.16b, v1.16b, v6.16b, v11.16b
+        eor3	v28.16b, v2.16b, v7.16b, v12.16b
+        eor3	v27.16b, v3.16b, v8.16b, v13.16b
+        eor3	v26.16b, v4.16b, v9.16b, v14.16b
+        eor3	v30.16b, v30.16b, v15.16b, v20.16b
+        eor3	v29.16b, v29.16b, v16.16b, v21.16b
+        eor3	v28.16b, v28.16b, v17.16b, v22.16b
+        eor3	v27.16b, v27.16b, v18.16b, v23.16b
+        eor3	v26.16b, v26.16b, v19.16b, v24.16b
+        rax1	v25.2d, v30.2d, v28.2d
+        rax1	v28.2d, v28.2d, v26.2d
+        rax1	v26.2d, v26.2d, v29.2d
+        rax1	v29.2d, v29.2d, v27.2d
+        rax1	v27.2d, v27.2d, v30.2d
+        eor	v30.16b, v0.16b, v26.16b
+        xar	v0.2d, v2.2d, v29.2d, #0x2
+        xar	v2.2d, v12.2d, v29.2d, #0x15
+        xar	v12.2d, v13.2d, v28.2d, #0x27
+        xar	v13.2d, v19.2d, v27.2d, #0x38
+        xar	v19.2d, v23.2d, v28.2d, #0x8
+        xar	v23.2d, v15.2d, v26.2d, #0x17
+        xar	v15.2d, v1.2d, v25.2d, #0x3f
+        xar	v1.2d, v8.2d, v28.2d, #0x9
+        xar	v8.2d, v16.2d, v25.2d, #0x13
+        xar	v16.2d, v7.2d, v29.2d, #0x3a
+        xar	v7.2d, v10.2d, v26.2d, #0x3d
+        xar	v10.2d, v3.2d, v28.2d, #0x24
+        xar	v3.2d, v18.2d, v28.2d, #0x2b
+        xar	v18.2d, v17.2d, v29.2d, #0x31
+        xar	v17.2d, v11.2d, v25.2d, #0x36
+        xar	v11.2d, v9.2d, v27.2d, #0x2c
+        xar	v9.2d, v22.2d, v29.2d, #0x3
+        xar	v22.2d, v14.2d, v27.2d, #0x19
+        xar	v14.2d, v20.2d, v26.2d, #0x2e
+        xar	v20.2d, v4.2d, v27.2d, #0x25
+        xar	v4.2d, v24.2d, v27.2d, #0x32
+        xar	v24.2d, v21.2d, v25.2d, #0x3e
+        xar	v21.2d, v5.2d, v26.2d, #0x1c
+        xar	v27.2d, v6.2d, v25.2d, #0x14
+        ld1r	{ v31.2d }, [x1], #8
+        bcax	v5.16b, v10.16b, v7.16b, v11.16b
+        bcax	v6.16b, v11.16b, v8.16b, v7.16b
+        bcax	v7.16b, v7.16b, v9.16b, v8.16b
+        bcax	v8.16b, v8.16b, v10.16b, v9.16b
+        bcax	v9.16b, v9.16b, v11.16b, v10.16b
+        bcax	v10.16b, v15.16b, v12.16b, v16.16b
+        bcax	v11.16b, v16.16b, v13.16b, v12.16b
+        bcax	v12.16b, v12.16b, v14.16b, v13.16b
+        bcax	v13.16b, v13.16b, v15.16b, v14.16b
+        bcax	v14.16b, v14.16b, v16.16b, v15.16b
+        bcax	v15.16b, v20.16b, v17.16b, v21.16b
+        bcax	v16.16b, v21.16b, v18.16b, v17.16b
+        bcax	v17.16b, v17.16b, v19.16b, v18.16b
+        bcax	v18.16b, v18.16b, v20.16b, v19.16b
+        bcax	v19.16b, v19.16b, v21.16b, v20.16b
+        bcax	v20.16b, v0.16b, v22.16b, v1.16b
+        bcax	v21.16b, v1.16b, v23.16b, v22.16b
+        bcax	v22.16b, v22.16b, v24.16b, v23.16b
+        bcax	v23.16b, v23.16b, v0.16b, v24.16b
+        bcax	v24.16b, v24.16b, v1.16b, v0.16b
+        bcax	v0.16b, v30.16b, v2.16b, v27.16b
+        bcax	v1.16b, v27.16b, v3.16b, v2.16b
+        bcax	v2.16b, v2.16b, v4.16b, v3.16b
+        bcax	v3.16b, v3.16b, v30.16b, v4.16b
+        bcax	v4.16b, v4.16b, v27.16b, v30.16b
+        eor	v0.16b, v0.16b, v31.16b
+        sub	x2, x2, #0x1
+        cbnz	x2, Lkeccak_f1600_x1_v84a_loop
+        stp	d0, d1, [x0]
+        stp	d2, d3, [x0, #0x10]
+        stp	d4, d5, [x0, #0x20]
+        stp	d6, d7, [x0, #0x30]
+        stp	d8, d9, [x0, #0x40]
+        stp	d10, d11, [x0, #0x50]
+        stp	d12, d13, [x0, #0x60]
+        stp	d14, d15, [x0, #0x70]
+        stp	d16, d17, [x0, #0x80]
+        stp	d18, d19, [x0, #0x90]
+        stp	d20, d21, [x0, #0xa0]
+        stp	d22, d23, [x0, #0xb0]
+        str	d24, [x0, #0xc0]
+        ldp	d8, d9, [sp]
+        .cfi_restore d8
+        .cfi_restore d9
+        ldp	d10, d11, [sp, #0x10]
+        .cfi_restore d10
+        .cfi_restore d11
+        ldp	d12, d13, [sp, #0x20]
+        .cfi_restore d12
+        .cfi_restore d13
+        ldp	d14, d15, [sp, #0x30]
+        .cfi_restore d14
+        .cfi_restore d15
+        add	sp, sp, #0x40
+        .cfi_adjust_cfa_offset -0x40
+        ret
+        .cfi_endproc
+
+MLD_ASM_FN_SIZE(keccak_f1600_x1_v84a_asm)
+
+#endif /* __ARM_FEATURE_SHA3 */
+
+#endif /* MLD_FIPS202_AARCH64_NEED_X1_V84A && !MLD_CONFIG_MULTILEVEL_NO_SHARED \
+        */