@pinkparrot/qsafe-mayo-wasm 0.0.3

package/mayo-c/src/AVX2/arithmetic_common.h

@@ -0,0 +1,159 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef ARITHMETIC_COMMON_H
+#define ARITHMETIC_COMMON_H
+
+#include <stdint.h>
+#include <immintrin.h>
+#include <mem.h>
+
+#define K_OVER_2 ((K_MAX+1)/2)
+
+static const unsigned char __gf16_mulbase[128] __attribute__((aligned(32))) = {
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+    0x00, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x03, 0x01, 0x07, 0x05, 0x0b, 0x09, 0x0f, 0x0d, 0x00, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x03, 0x01, 0x07, 0x05, 0x0b, 0x09, 0x0f, 0x0d,
+    0x00, 0x04, 0x08, 0x0c, 0x03, 0x07, 0x0b, 0x0f, 0x06, 0x02, 0x0e, 0x0a, 0x05, 0x01, 0x0d, 0x09, 0x00, 0x04, 0x08, 0x0c, 0x03, 0x07, 0x0b, 0x0f, 0x06, 0x02, 0x0e, 0x0a, 0x05, 0x01, 0x0d, 0x09,
+    0x00, 0x08, 0x03, 0x0b, 0x06, 0x0e, 0x05, 0x0d, 0x0c, 0x04, 0x0f, 0x07, 0x0a, 0x02, 0x09, 0x01, 0x00, 0x08, 0x03, 0x0b, 0x06, 0x0e, 0x05, 0x0d, 0x0c, 0x04, 0x0f, 0x07, 0x0a, 0x02, 0x09, 0x01
+};
+
+//
+// generate multiplication table for '4-bit' variable 'b'. Taken from OV paper!
+//
+static inline __m256i tbl32_gf16_multab2( uint8_t b ) {
+
+    __m256i bx = _mm256_set1_epi16( b & 0xf );
+    __m256i b1 = _mm256_srli_epi16( bx, 1 );
+
+    const __m256i tab0 = _mm256_load_si256((__m256i const *) (__gf16_mulbase + 32 * 0));
+    const __m256i tab1 = _mm256_load_si256((__m256i const *) (__gf16_mulbase + 32 * 1));
+    const __m256i tab2 = _mm256_load_si256((__m256i const *) (__gf16_mulbase + 32 * 2));
+    const __m256i tab3 = _mm256_load_si256((__m256i const *) (__gf16_mulbase + 32 * 3));
+
+    __m256i mask_1  = _mm256_set1_epi16(1);
+    __m256i mask_4  = _mm256_set1_epi16(4);
+    __m256i mask_0  = _mm256_setzero_si256();
+
+    return ( tab0 & _mm256_cmpgt_epi16( bx & mask_1, mask_0) )
+           ^ ( tab1 & _mm256_cmpgt_epi16( b1 & mask_1, mask_0) )
+           ^ ( tab2 & _mm256_cmpgt_epi16( bx & mask_4, mask_0) )
+           ^ ( tab3 & _mm256_cmpgt_epi16( b1 & mask_4, mask_0) );
+}
+
+static inline __m256i linear_transform_8x8_256b( __m256i tab_l, __m256i tab_h, __m256i v, __m256i mask_f ) {
+    return _mm256_shuffle_epi8(tab_l, v & mask_f)^_mm256_shuffle_epi8(tab_h, _mm256_srli_epi16(v, 4)&mask_f);
+}
+
+static inline __m256i gf16v_mul( __m256i a, uint8_t b ) {
+    __m256i multab_l = tbl32_gf16_multab2( b );
+    __m256i multab_h = _mm256_slli_epi16( multab_l, 4 );
+
+    return linear_transform_8x8_256b( multab_l, multab_h, a, _mm256_set1_epi8(0xf) );
+}
+
+#define O_AVX_ROUND_UP_ ((O_MAX + 1)/2*2)
+
+static 
+inline void mayo_O_multabs(const unsigned char *O, __m256i *O_multabs){
+    // build multiplication tables 
+    for (size_t r = 0; r < V_MAX; r++)
+    {
+        size_t c = 0;
+        for (; c + 1  < O_MAX; c+=2)
+        {
+            O_multabs[O_AVX_ROUND_UP_/2*r + c/2] = tbl32_gf16_multab2(O[O_MAX*r + c]) ^ _mm256_slli_epi16(tbl32_gf16_multab2(O[O_MAX*r + c + 1]), 4);
+        }
+#if O_MAX % 2 == 1
+        {
+            O_multabs[O_AVX_ROUND_UP_/2*r + c/2] = tbl32_gf16_multab2(O[O_MAX*r + c]);
+        }
+#endif
+    }
+}
+
+
+static 
+inline void mayo_V_multabs(const unsigned char *V, __m256i *V_multabs){
+    // build multiplication tables 
+    size_t r;
+    for (size_t c = 0; c < V_MAX; c++)
+    {
+        for (r = 0; r+1 < K_MAX; r+= 2)
+        {
+            V_multabs[K_OVER_2*c +  r/2] = tbl32_gf16_multab2(V[V_MAX*r + c]) ^ _mm256_slli_epi16(tbl32_gf16_multab2(V[V_MAX*(r+1) + c]), 4);
+        }
+#if K_MAX % 2 == 1
+        V_multabs[K_OVER_2*c + r/2] = tbl32_gf16_multab2(V[V_MAX*r + c]);
+#endif
+    }
+}
+
+static const unsigned char mayo_gf16_mul[512] __attribute__((aligned(32))) = {
+    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
+    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07, 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f, 
+    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07, 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
+    0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e, 0x03,0x01,0x07,0x05,0x0b,0x09,0x0f,0x0d, 
+    0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e, 0x03,0x01,0x07,0x05,0x0b,0x09,0x0f,0x0d,
+    0x00,0x03,0x06,0x05,0x0c,0x0f,0x0a,0x09, 0x0b,0x08,0x0d,0x0e,0x07,0x04,0x01,0x02, 
+    0x00,0x03,0x06,0x05,0x0c,0x0f,0x0a,0x09, 0x0b,0x08,0x0d,0x0e,0x07,0x04,0x01,0x02,
+    0x00,0x04,0x08,0x0c,0x03,0x07,0x0b,0x0f, 0x06,0x02,0x0e,0x0a,0x05,0x01,0x0d,0x09, 
+    0x00,0x04,0x08,0x0c,0x03,0x07,0x0b,0x0f, 0x06,0x02,0x0e,0x0a,0x05,0x01,0x0d,0x09,
+    0x00,0x05,0x0a,0x0f,0x07,0x02,0x0d,0x08, 0x0e,0x0b,0x04,0x01,0x09,0x0c,0x03,0x06, 
+    0x00,0x05,0x0a,0x0f,0x07,0x02,0x0d,0x08, 0x0e,0x0b,0x04,0x01,0x09,0x0c,0x03,0x06,
+    0x00,0x06,0x0c,0x0a,0x0b,0x0d,0x07,0x01, 0x05,0x03,0x09,0x0f,0x0e,0x08,0x02,0x04, 
+    0x00,0x06,0x0c,0x0a,0x0b,0x0d,0x07,0x01, 0x05,0x03,0x09,0x0f,0x0e,0x08,0x02,0x04,
+    0x00,0x07,0x0e,0x09,0x0f,0x08,0x01,0x06, 0x0d,0x0a,0x03,0x04,0x02,0x05,0x0c,0x0b, 
+    0x00,0x07,0x0e,0x09,0x0f,0x08,0x01,0x06, 0x0d,0x0a,0x03,0x04,0x02,0x05,0x0c,0x0b,
+    0x00,0x08,0x03,0x0b,0x06,0x0e,0x05,0x0d, 0x0c,0x04,0x0f,0x07,0x0a,0x02,0x09,0x01, 
+    0x00,0x08,0x03,0x0b,0x06,0x0e,0x05,0x0d, 0x0c,0x04,0x0f,0x07,0x0a,0x02,0x09,0x01,
+    0x00,0x09,0x01,0x08,0x02,0x0b,0x03,0x0a, 0x04,0x0d,0x05,0x0c,0x06,0x0f,0x07,0x0e, 
+    0x00,0x09,0x01,0x08,0x02,0x0b,0x03,0x0a, 0x04,0x0d,0x05,0x0c,0x06,0x0f,0x07,0x0e,
+    0x00,0x0a,0x07,0x0d,0x0e,0x04,0x09,0x03, 0x0f,0x05,0x08,0x02,0x01,0x0b,0x06,0x0c, 
+    0x00,0x0a,0x07,0x0d,0x0e,0x04,0x09,0x03, 0x0f,0x05,0x08,0x02,0x01,0x0b,0x06,0x0c,
+    0x00,0x0b,0x05,0x0e,0x0a,0x01,0x0f,0x04, 0x07,0x0c,0x02,0x09,0x0d,0x06,0x08,0x03, 
+    0x00,0x0b,0x05,0x0e,0x0a,0x01,0x0f,0x04, 0x07,0x0c,0x02,0x09,0x0d,0x06,0x08,0x03,
+    0x00,0x0c,0x0b,0x07,0x05,0x09,0x0e,0x02, 0x0a,0x06,0x01,0x0d,0x0f,0x03,0x04,0x08, 
+    0x00,0x0c,0x0b,0x07,0x05,0x09,0x0e,0x02, 0x0a,0x06,0x01,0x0d,0x0f,0x03,0x04,0x08,
+    0x00,0x0d,0x09,0x04,0x01,0x0c,0x08,0x05, 0x02,0x0f,0x0b,0x06,0x03,0x0e,0x0a,0x07, 
+    0x00,0x0d,0x09,0x04,0x01,0x0c,0x08,0x05, 0x02,0x0f,0x0b,0x06,0x03,0x0e,0x0a,0x07,
+    0x00,0x0e,0x0f,0x01,0x0d,0x03,0x02,0x0c, 0x09,0x07,0x06,0x08,0x04,0x0a,0x0b,0x05, 
+    0x00,0x0e,0x0f,0x01,0x0d,0x03,0x02,0x0c, 0x09,0x07,0x06,0x08,0x04,0x0a,0x0b,0x05,
+    0x00,0x0f,0x0d,0x02,0x09,0x06,0x04,0x0b, 0x01,0x0e,0x0c,0x03,0x08,0x07,0x05,0x0a, 
+    0x00,0x0f,0x0d,0x02,0x09,0x06,0x04,0x0b, 0x01,0x0e,0x0c,0x03,0x08,0x07,0x05,0x0a};
+
+
+static 
+inline void mayo_S1_multabs(const unsigned char *S1, __m256i *S1_multabs) {
+    size_t r;
+    for (size_t c = 0; c < V_MAX; c++)
+    {
+        for (r = 0; r+1 < K_MAX; r+= 2)
+        {
+            S1_multabs[K_OVER_2*c +  r/2] = _mm256_load_si256((__m256i *)(mayo_gf16_mul + 32*S1[V_MAX*r + c])) 
+                                          ^ _mm256_slli_epi16(_mm256_load_si256((__m256i *)(mayo_gf16_mul + 32*S1[V_MAX*(r+1) + c])), 4);
+        }
+#if K_MAX % 2 == 1
+        S1_multabs[K_OVER_2*c +  r/2] = _mm256_load_si256((__m256i *)(mayo_gf16_mul + 32*S1[V_MAX*r + c]));
+#endif
+    }
+}
+
+static 
+inline void mayo_S2_multabs(const unsigned char *S2, __m256i *S2_multabs) {
+    // build multiplication tables 
+    size_t r;
+    for (size_t c = 0; c < O_MAX; c++)
+    {
+        for (r = 0; r+1 < K_MAX; r+= 2)
+        {
+            S2_multabs[K_OVER_2*c +  r/2] = _mm256_load_si256((__m256i *)(mayo_gf16_mul + 32*S2[O_MAX*r + c])) 
+                                          ^ _mm256_slli_epi16(_mm256_load_si256((__m256i *)(mayo_gf16_mul + 32*S2[O_MAX*(r+1) + c])), 4);
+        }
+#if K_MAX % 2 == 1
+        S2_multabs[K_OVER_2*c +  r/2] = _mm256_load_si256((__m256i *)(mayo_gf16_mul + 32*S2[O_MAX*r + c])) ;
+#endif
+    }
+}
+
+#endif
+

package/mayo-c/src/AVX2/echelon_form.h

@@ -0,0 +1,91 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#include <immintrin.h>
+#include <stdint.h>
+
+
+#define MAYO_MAX(x, y) (((x) > (y)) ? (x) : (y))
+#define MAYO_MIN(x, y) (((x) < (y)) ? (x) : (y))
+
+
+//
+// generate multiplication table for '4-bit' variable 'b'. From https://eprint.iacr.org/2023/059/.
+//
+static inline __m256i tbl32_gf16_multab( uint8_t b ) {
+    __m256i bx = _mm256_set1_epi16( b & 0xf );
+    __m256i b1 = _mm256_srli_epi16( bx, 1 );
+
+    const __m256i tab0 = _mm256_load_si256((__m256i const *) (__gf16_mulbase + 32 * 0));
+    const __m256i tab1 = _mm256_load_si256((__m256i const *) (__gf16_mulbase + 32 * 1));
+    const __m256i tab2 = _mm256_load_si256((__m256i const *) (__gf16_mulbase + 32 * 2));
+    const __m256i tab3 = _mm256_load_si256((__m256i const *) (__gf16_mulbase + 32 * 3));
+
+    __m256i mask_1  = _mm256_set1_epi16(1);
+    __m256i mask_4  = _mm256_set1_epi16(4);
+    __m256i mask_0  = _mm256_setzero_si256();
+
+    return ( tab0 & _mm256_cmpgt_epi16( bx & mask_1, mask_0) )
+           ^ ( tab1 & _mm256_cmpgt_epi16( b1 & mask_1, mask_0) )
+           ^ ( tab2 & _mm256_cmpgt_epi16( bx & mask_4, mask_0) )
+           ^ ( tab3 & _mm256_cmpgt_epi16( b1 & mask_4, mask_0) );
+}
+
+/* put matrix in row echelon form with ones on first nonzero entries in constant time*/
+static inline void EF(unsigned char *A, int _nrows, int _ncols) {
+
+    (void) _nrows;
+    (void) _ncols;
+
+    #define nrows M_MAX
+    #define ncols (K_MAX * O_MAX + 1)
+
+    #define AVX_REGS_PER_ROW ((K_MAX * O_MAX + 1 + 31) / 32)
+    #define MAX_COLS (AVX_REGS_PER_ROW * 32)
+
+    __m256i _pivot_row[AVX_REGS_PER_ROW];
+    __m256i A_avx[AVX_REGS_PER_ROW* M_MAX];
+
+    unsigned char* pivot_row_bytes = (unsigned char*) _pivot_row;
+    unsigned char* A_bytes = (unsigned char*) A_avx;
+
+    // load A in the tail of AVX2 registers
+    for (int i = 0; i < nrows; i++) {
+        for (int j = 0; j < ncols; j++)
+        {
+            A_bytes[i*MAX_COLS + (MAX_COLS - ncols) + j] = A[ i*ncols + j ];
+        }
+    }
+
+    // pivot row is secret, pivot col is not
+    unsigned char inverse;
+    int pivot_row = 0;
+    int pivot_col = MAYO_MAX(MAX_COLS - ncols,0);
+    for (; pivot_col < MAX_COLS-160; pivot_col++) {
+        #include "echelon_form_loop.h"
+    }
+    for (; pivot_col < MAX_COLS-128; pivot_col++) {
+        #include "echelon_form_loop.h"
+    }
+    for (; pivot_col < MAX_COLS-96; pivot_col++) {
+        #include "echelon_form_loop.h"
+    }
+    for (; pivot_col < MAX_COLS-64; pivot_col++) {
+        #include "echelon_form_loop.h"
+    }
+    for (; pivot_col < MAX_COLS-32; pivot_col++) {
+        #include "echelon_form_loop.h"
+    }
+    for (; pivot_col < MAX_COLS; pivot_col++) {
+        #include "echelon_form_loop.h"
+    }
+
+    // write the matrix A back
+    for (int i = 0; i < nrows; i++) {
+        for (int j = 0; j < ncols; j++) {
+            A[i * ncols + j] = A_bytes[i*AVX_REGS_PER_ROW*32 + (MAX_COLS - ncols) + j];
+        }
+    }
+    mayo_secure_clear(_pivot_row, AVX_REGS_PER_ROW * 32);
+    mayo_secure_clear(A_avx, AVX_REGS_PER_ROW * 32 * nrows);
+}
+

package/mayo-c/src/AVX2/echelon_form_loop.h

@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: Apache-2.0
+
+int pivot_col_rounded = pivot_col/32;
+
+int pivot_row_lower_bound = MAYO_MAX(0, pivot_col + nrows - MAX_COLS);
+int pivot_row_upper_bound = MAYO_MIN(nrows - 1, pivot_col - MAX_COLS + ncols);
+/* the pivot row is guaranteed to be between these lower and upper bounds if A has full rank*/
+
+/* zero out pivot row */
+for (int i = pivot_col_rounded; i < AVX_REGS_PER_ROW; i++) {
+    _pivot_row[i] = _mm256_set1_epi8(0);
+}
+
+/* try to get a pivot row in constant time */
+unsigned char pivot = 0;
+uint32_t pivot_is_zero = -1;
+for (int row = pivot_row_lower_bound;
+        row <= MAYO_MIN(nrows - 1, pivot_row_upper_bound + 32); row++) {
+    uint32_t is_pivot_row = ~ct_compare_32(row, pivot_row);
+    uint32_t below_pivot_row = ct_is_greater_than(row, pivot_row);
+    __m256i mask = _mm256_set1_epi32( is_pivot_row | (below_pivot_row & pivot_is_zero) );
+    for (int j = pivot_col_rounded; j < AVX_REGS_PER_ROW; j++) {
+        _pivot_row[j] ^= mask & A_avx[row * AVX_REGS_PER_ROW + j];
+    }
+    pivot = pivot_row_bytes[pivot_col];
+    pivot_is_zero = ~ct_compare_32((int) pivot, 0);
+}
+
+/* multiply pivot row by inverse of pivot */
+inverse = inverse_f(pivot);
+__m256i inverse_multab = tbl32_gf16_multab(inverse);
+
+for (int j = pivot_col_rounded; j < AVX_REGS_PER_ROW; j++) {
+    _pivot_row[j] = _mm256_shuffle_epi8(inverse_multab, _pivot_row[j]);
+}
+
+/* conditionally write pivot row to the correct row, if there is a nonzero pivot */
+/* eliminate entries below pivot */
+for (int row = pivot_row_lower_bound; row < nrows; row++) {
+    unsigned char below_pivot =  (unsigned char) (ct_is_greater_than(row, pivot_row));
+    unsigned char elt_to_elim = A_bytes[row*AVX_REGS_PER_ROW*32 + pivot_col];
+
+    __m256i multab = tbl32_gf16_multab(below_pivot & elt_to_elim);
+    if (row <= pivot_row_upper_bound) {
+        __m256i mask = _mm256_set1_epi32(~ct_compare_32(row, pivot_row) & ~pivot_is_zero);
+        for (int col = pivot_col_rounded; col < AVX_REGS_PER_ROW; col++) { 
+            A_avx[row*AVX_REGS_PER_ROW + col] = _mm256_blendv_epi8(A_avx[row*AVX_REGS_PER_ROW + col], _pivot_row[col], mask) ^
+                                                    _mm256_shuffle_epi8(multab, _pivot_row[col]);
+        }
+    } else {
+        for (int j = pivot_col_rounded; j < AVX_REGS_PER_ROW; j++) {
+            A_avx[row*AVX_REGS_PER_ROW + j] ^= _mm256_shuffle_epi8(multab, _pivot_row[j]);
+        }
+    }
+}
+
+pivot_row += (-(int32_t)(~pivot_is_zero));
+