@pinkparrot/qsafe-mayo-wasm 0.0.3

package/mayo-c/src/arithmetic.h

@@ -0,0 +1,124 @@
+
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef ARITHMETIC_H
+#define ARITHMETIC_H
+
+#include <stdint.h>
+#include <mayo.h>
+#include <stdint.h>
+#include <stddef.h>
+
+#if defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__)
+#ifndef TARGET_BIG_ENDIAN
+#define TARGET_BIG_ENDIAN
+#endif
+#endif
+
+#define uint32_t_blocker MAYO_NAMESPACE(uint32_t_blocker)
+extern volatile uint32_t uint32_t_blocker;
+#define uint64_t_blocker MAYO_NAMESPACE(uint64_t_blocker)
+extern volatile uint64_t uint64_t_blocker;
+#define unsigned_char_blocker MAYO_NAMESPACE(unsigned_char_blocker)
+extern volatile unsigned char unsigned_char_blocker;
+
+#if !(((!defined(__clang__) && defined(__GNUC__) && __GNUC__ <= 12)) && (defined(__x86_64__) || defined(_M_X64)))
+// a > b -> b - a is negative
+// returns 0xFFFFFFFF if true, 0x00000000 if false
+static inline uint32_t ct_is_greater_than(int a, int b) {
+    int32_t diff = b - a;
+    return ((uint32_t) (diff >> (8*sizeof(uint32_t)-1)) ^ uint32_t_blocker);
+}
+
+// a > b -> b - a is negative
+// returns 0xFFFFFFFF if true, 0x00000000 if false
+static inline uint64_t ct_64_is_greater_than(int a, int b) {
+    int64_t diff = ((int64_t) b) - ((int64_t) a);
+    return ((uint64_t) (diff >> (8*sizeof(uint64_t)-1)) ^ uint64_t_blocker);
+}
+
+// if a == b -> 0x00000000, else 0xFFFFFFFF
+static inline uint32_t ct_compare_32(int a, int b) {
+    return ((uint32_t)((-(int32_t)(a ^ b)) >> (8*sizeof(uint32_t)-1)) ^ uint32_t_blocker);
+}
+
+// if a == b -> 0x0000000000000000, else 0xFFFFFFFFFFFFFFFF
+static inline uint64_t ct_compare_64(int a, int b) {
+    return ((uint64_t)((-(int64_t)(a ^ b)) >> (8*sizeof(uint64_t)-1)) ^ uint64_t_blocker);
+}
+
+// if a == b -> 0x00, else 0xFF
+static inline unsigned char ct_compare_8(unsigned char a, unsigned char b) {
+    return ((int8_t)((-(int32_t)(a ^ b)) >> (8*sizeof(uint32_t)-1)) ^ unsigned_char_blocker);
+}
+#else
+// a > b -> b - a is negative
+// returns 0xFFFFFFFF if true, 0x00000000 if false
+static inline uint32_t ct_is_greater_than(int a, int b) {
+    int32_t diff = b - a;
+    return ((uint32_t) (diff >> (8*sizeof(uint32_t)-1)));
+}
+
+// a > b -> b - a is negative
+// returns 0xFFFFFFFF if true, 0x00000000 if false
+static inline uint64_t ct_64_is_greater_than(int a, int b) {
+    int64_t diff = ((int64_t) b) - ((int64_t) a);
+    return ((uint64_t) (diff >> (8*sizeof(uint64_t)-1)));
+}
+
+// if a == b -> 0x00000000, else 0xFFFFFFFF
+static inline uint32_t ct_compare_32(int a, int b) {
+    return ((uint32_t)((-(int32_t)(a ^ b)) >> (8*sizeof(uint32_t)-1)));
+}
+
+// if a == b -> 0x0000000000000000, else 0xFFFFFFFFFFFFFFFF
+static inline uint64_t ct_compare_64(int a, int b) {
+    return ((uint64_t)((-(int64_t)(a ^ b)) >> (8*sizeof(uint64_t)-1)));
+}
+
+// if a == b -> 0x00, else 0xFF
+static inline unsigned char ct_compare_8(unsigned char a, unsigned char b) {
+    return ((int8_t)((-(int32_t)(a ^ b)) >> (8*sizeof(uint32_t)-1)));
+}
+#endif
+
+#if defined(MAYO_AVX) || defined(MAYO_NEON)
+    #include <shuffle_arithmetic.h>
+#elif defined(MAYO_M4)
+    #include <m4_arithmetic.h>
+#else
+    #include <generic_arithmetic.h>
+#endif
+
+static
+inline void vec_mul_add_u64(const int legs, const uint64_t *in, unsigned char a, uint64_t *acc) {
+    uint32_t tab = mul_table(a);
+
+    uint64_t lsb_ask = 0x1111111111111111ULL;
+
+    for(int i=0; i < legs; i++){
+        acc[i] ^= ( in[i]       & lsb_ask) * (tab & 0xff)
+                ^ ((in[i] >> 1) & lsb_ask) * ((tab >> 8)  & 0xf)
+                ^ ((in[i] >> 2) & lsb_ask) * ((tab >> 16) & 0xf)
+                ^ ((in[i] >> 3) & lsb_ask) * ((tab >> 24) & 0xf);
+    }
+}
+
+// Calculate Upper in KeyGen
+#define m_upper MAYO_NAMESPACE(m_upper)
+void m_upper(const mayo_params_t* p, const uint64_t *in, uint64_t *out, int size);
+
+// Sample solution in Sign
+#define sample_solution MAYO_NAMESPACE(sample_solution)
+int sample_solution(const mayo_params_t *p, unsigned char *A, const unsigned char *y, const unsigned char *r, unsigned char *x, int k, int o, int m, int A_cols);
+
+#if defined(__GNUC__) || defined(__clang__)
+#define BSWAP32(i) __builtin_bswap32((i))
+#define BSWAP64(i) __builtin_bswap64((i))
+#else
+#define BSWAP32(i) ((((i) >> 24) & 0xff) | (((i) >> 8) & 0xff00) | (((i) & 0xff00) << 8) | ((i) << 24))
+#define BSWAP64(i) ((BSWAP32((i) >> 32) & 0xffffffff) | (BSWAP32(i) << 32))
+#endif
+
+#endif
+

package/mayo-c/src/common/aes128ctr.c

@@ -0,0 +1,293 @@
+// SPDX-License-Identifier: Apache-2.0 and MIT and Public Domain
+
+#ifdef ENABLE_AESNI
+
+#include <mem.h>
+#include <stdint.h>
+#include <string.h>
+#include <tmmintrin.h>
+#include <wmmintrin.h>
+
+// Adapted from liboqs/src/common/aes which in turn takes it from:
+// crypto_core/aes128ncrypt/dolbeau/aesenc-int
+// (https://bench.cr.yp.to/supercop.html)
+static inline void aes128ni_setkey_encrypt(const unsigned char *key,
+        __m128i rkeys[11]) {
+    __m128i key0 = _mm_loadu_si128((const __m128i *)(key + 0));
+    __m128i temp0, temp1, temp4;
+    int idx = 0;
+
+    temp0 = key0;
+
+#define BLOCK1(IMM)                                                            \
+  temp1 = _mm_aeskeygenassist_si128(temp0, IMM);                               \
+  rkeys[idx++] = temp0;                                                        \
+  temp4 = _mm_slli_si128(temp0, 4);                                            \
+  temp0 = _mm_xor_si128(temp0, temp4);                                         \
+  temp4 = _mm_slli_si128(temp0, 8);                                            \
+  temp0 = _mm_xor_si128(temp0, temp4);                                         \
+  temp1 = _mm_shuffle_epi32(temp1, 0xff);                                      \
+  temp0 = _mm_xor_si128(temp0, temp1)
+
+    BLOCK1(0x01);
+    BLOCK1(0x02);
+    BLOCK1(0x04);
+    BLOCK1(0x08);
+    BLOCK1(0x10);
+    BLOCK1(0x20);
+    BLOCK1(0x40);
+    BLOCK1(0x80);
+    BLOCK1(0x1b);
+    BLOCK1(0x36);
+    rkeys[idx++] = temp0;
+}
+
+void oqs_aes128_load_schedule_ni(const uint8_t *key, void **_schedule) {
+    *_schedule = malloc(11 * sizeof(__m128i));
+    // assert(*_schedule != NULL);
+    __m128i *schedule = (__m128i *)*_schedule;
+    aes128ni_setkey_encrypt(key, schedule);
+}
+
+void oqs_aes128_free_schedule_ni(void *schedule) {
+    if (schedule != NULL) {
+        mayo_secure_free(schedule, 11 * sizeof(__m128i));
+    }
+}
+
+// Single encryption
+static inline void aes128ni_encrypt(const __m128i rkeys[11], __m128i nv,
+                                    unsigned char *out) {
+    __m128i temp = _mm_xor_si128(nv, rkeys[0]);
+    temp = _mm_aesenc_si128(temp, rkeys[1]);
+    temp = _mm_aesenc_si128(temp, rkeys[2]);
+    temp = _mm_aesenc_si128(temp, rkeys[3]);
+    temp = _mm_aesenc_si128(temp, rkeys[4]);
+    temp = _mm_aesenc_si128(temp, rkeys[5]);
+    temp = _mm_aesenc_si128(temp, rkeys[6]);
+    temp = _mm_aesenc_si128(temp, rkeys[7]);
+    temp = _mm_aesenc_si128(temp, rkeys[8]);
+    temp = _mm_aesenc_si128(temp, rkeys[9]);
+    temp = _mm_aesenclast_si128(temp, rkeys[10]);
+    _mm_storeu_si128((__m128i *)(out), temp);
+}
+
+// 4x interleaved encryption
+static inline void aes128ni_encrypt_x4(const __m128i rkeys[11], __m128i n0,
+                                       __m128i n1, __m128i n2, __m128i n3,
+                                       unsigned char *out) {
+    __m128i temp0 = _mm_xor_si128(n0, rkeys[0]);
+    __m128i temp1 = _mm_xor_si128(n1, rkeys[0]);
+    __m128i temp2 = _mm_xor_si128(n2, rkeys[0]);
+    __m128i temp3 = _mm_xor_si128(n3, rkeys[0]);
+
+#define AESNENCX4(IDX)                                                         \
+  temp0 = _mm_aesenc_si128(temp0, rkeys[IDX]);                                 \
+  temp1 = _mm_aesenc_si128(temp1, rkeys[IDX]);                                 \
+  temp2 = _mm_aesenc_si128(temp2, rkeys[IDX]);                                 \
+  temp3 = _mm_aesenc_si128(temp3, rkeys[IDX])
+
+    AESNENCX4(1);
+    AESNENCX4(2);
+    AESNENCX4(3);
+    AESNENCX4(4);
+    AESNENCX4(5);
+    AESNENCX4(6);
+    AESNENCX4(7);
+    AESNENCX4(8);
+    AESNENCX4(9);
+
+    temp0 = _mm_aesenclast_si128(temp0, rkeys[10]);
+    temp1 = _mm_aesenclast_si128(temp1, rkeys[10]);
+    temp2 = _mm_aesenclast_si128(temp2, rkeys[10]);
+    temp3 = _mm_aesenclast_si128(temp3, rkeys[10]);
+
+    _mm_storeu_si128((__m128i *)(out + 0), temp0);
+    _mm_storeu_si128((__m128i *)(out + 16), temp1);
+    _mm_storeu_si128((__m128i *)(out + 32), temp2);
+    _mm_storeu_si128((__m128i *)(out + 48), temp3);
+}
+
+// Not for general use: IV = 0, nonce = 0
+static void oqs_aes128_ctr_enc_sch_ni(const void *schedule, uint8_t *out,
+                                      size_t out_len) {
+    __m128i mask =
+        _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 7, 6, 5, 4, 3, 2, 1, 0);
+    __m128i block = _mm_set_epi64x(0, 0);
+    // block = _mm_xor_si128(block, block); // set to zero
+
+    while (out_len >= 64) {
+        __m128i nv0 = block;
+        __m128i nv1 = _mm_shuffle_epi8(
+                          _mm_add_epi64(_mm_shuffle_epi8(block, mask), _mm_set_epi64x(1, 0)),
+                          mask);
+        __m128i nv2 = _mm_shuffle_epi8(
+                          _mm_add_epi64(_mm_shuffle_epi8(block, mask), _mm_set_epi64x(2, 0)),
+                          mask);
+        __m128i nv3 = _mm_shuffle_epi8(
+                          _mm_add_epi64(_mm_shuffle_epi8(block, mask), _mm_set_epi64x(3, 0)),
+                          mask);
+        aes128ni_encrypt_x4(schedule, nv0, nv1, nv2, nv3, out);
+        block = _mm_shuffle_epi8(
+                    _mm_add_epi64(_mm_shuffle_epi8(block, mask), _mm_set_epi64x(4, 0)),
+                    mask);
+        out += 64;
+        out_len -= 64;
+    }
+    while (out_len >= 16) {
+        aes128ni_encrypt(schedule, block, out);
+        out += 16;
+        out_len -= 16;
+        block = _mm_shuffle_epi8(
+                    _mm_add_epi64(_mm_shuffle_epi8(block, mask), _mm_set_epi64x(1, 0)),
+                    mask);
+    }
+    if (out_len > 0) {
+        uint8_t tmp[16];
+        aes128ni_encrypt(schedule, block, tmp);
+        memcpy(out, tmp, out_len);
+    }
+}
+
+int AES_128_CTR_NI(unsigned char *output, size_t outputByteLen,
+                   const unsigned char *input, size_t inputByteLen) {
+    void *schedule = NULL;
+    oqs_aes128_load_schedule_ni(input, &schedule);
+    oqs_aes128_ctr_enc_sch_ni(schedule, output, outputByteLen);
+    oqs_aes128_free_schedule_ni(schedule);
+    return (int)outputByteLen;
+}
+
+// 4-Round AES...
+
+// From crypto_core/aes128ncrypt/dolbeau/aesenc-int
+static inline void aes128r4ni_setkey_encrypt(const unsigned char *key,
+        __m128i rkeys[5]) {
+    __m128i key0 = _mm_loadu_si128((const __m128i *)(key + 0));
+    __m128i temp0, temp1, temp4;
+    int idx = 0;
+
+    temp0 = key0;
+
+    /* blockshift-based block by Cedric Bourrasset */
+#define BLOCK1(IMM)                                                            \
+  temp1 = _mm_aeskeygenassist_si128(temp0, IMM);                               \
+  rkeys[idx++] = temp0;                                                        \
+  temp4 = _mm_slli_si128(temp0, 4);                                            \
+  temp0 = _mm_xor_si128(temp0, temp4);                                         \
+  temp4 = _mm_slli_si128(temp0, 8);                                            \
+  temp0 = _mm_xor_si128(temp0, temp4);                                         \
+  temp1 = _mm_shuffle_epi32(temp1, 0xff);                                      \
+  temp0 = _mm_xor_si128(temp0, temp1)
+
+    BLOCK1(0x01);
+    BLOCK1(0x02);
+    BLOCK1(0x04);
+    BLOCK1(0x08);
+    rkeys[idx++] = temp0;
+}
+
+void oqs_aes128r4_load_schedule_ni(const uint8_t *key, void **_schedule) {
+    *_schedule = malloc(5 * sizeof(__m128i));
+    // assert(*_schedule != NULL);
+    __m128i *schedule = (__m128i *)*_schedule;
+    aes128r4ni_setkey_encrypt(key, schedule);
+}
+
+void oqs_aes128r4_free_schedule_ni(void *schedule) {
+    if (schedule != NULL) {
+        mayo_secure_free(schedule, 5 * sizeof(__m128i));
+    }
+}
+
+// Single encryption
+static inline void aes128r4ni_encrypt(const __m128i rkeys[5], __m128i nv,
+                                      unsigned char *out) {
+    __m128i temp = _mm_xor_si128(nv, rkeys[0]);
+    temp = _mm_aesenc_si128(temp, rkeys[1]);
+    temp = _mm_aesenc_si128(temp, rkeys[2]);
+    temp = _mm_aesenc_si128(temp, rkeys[3]);
+    temp = _mm_aesenclast_si128(temp, rkeys[4]);
+    _mm_storeu_si128((__m128i *)(out), temp);
+}
+
+// 4x interleaved encryption
+static inline void aes128r4ni_encrypt_x4(const __m128i rkeys[5], __m128i n0,
+        __m128i n1, __m128i n2, __m128i n3,
+        unsigned char *out) {
+    __m128i temp0 = _mm_xor_si128(n0, rkeys[0]);
+    __m128i temp1 = _mm_xor_si128(n1, rkeys[0]);
+    __m128i temp2 = _mm_xor_si128(n2, rkeys[0]);
+    __m128i temp3 = _mm_xor_si128(n3, rkeys[0]);
+
+#define AESNENCX4(IDX)                                                         \
+  temp0 = _mm_aesenc_si128(temp0, rkeys[IDX]);                                 \
+  temp1 = _mm_aesenc_si128(temp1, rkeys[IDX]);                                 \
+  temp2 = _mm_aesenc_si128(temp2, rkeys[IDX]);                                 \
+  temp3 = _mm_aesenc_si128(temp3, rkeys[IDX])
+
+    AESNENCX4(1);
+    AESNENCX4(2);
+    AESNENCX4(3);
+
+    temp0 = _mm_aesenclast_si128(temp0, rkeys[4]);
+    temp1 = _mm_aesenclast_si128(temp1, rkeys[4]);
+    temp2 = _mm_aesenclast_si128(temp2, rkeys[4]);
+    temp3 = _mm_aesenclast_si128(temp3, rkeys[4]);
+
+    _mm_storeu_si128((__m128i *)(out + 0), temp0);
+    _mm_storeu_si128((__m128i *)(out + 16), temp1);
+    _mm_storeu_si128((__m128i *)(out + 32), temp2);
+    _mm_storeu_si128((__m128i *)(out + 48), temp3);
+}
+
+// Not for general use: IV = 0, nonce = 0
+static void oqs_aes128r4_ctr_enc_sch_ni(const void *schedule, uint8_t *out,
+                                        size_t out_len) {
+    __m128i mask =
+        _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 7, 6, 5, 4, 3, 2, 1, 0);
+    __m128i block = _mm_set_epi64x(0, 0);
+
+    while (out_len >= 64) {
+        __m128i nv0 = block;
+        __m128i nv1 = _mm_shuffle_epi8(
+                          _mm_add_epi64(_mm_shuffle_epi8(block, mask), _mm_set_epi64x(1, 0)),
+                          mask);
+        __m128i nv2 = _mm_shuffle_epi8(
+                          _mm_add_epi64(_mm_shuffle_epi8(block, mask), _mm_set_epi64x(2, 0)),
+                          mask);
+        __m128i nv3 = _mm_shuffle_epi8(
+                          _mm_add_epi64(_mm_shuffle_epi8(block, mask), _mm_set_epi64x(3, 0)),
+                          mask);
+        aes128r4ni_encrypt_x4(schedule, nv0, nv1, nv2, nv3, out);
+        block = _mm_shuffle_epi8(
+                    _mm_add_epi64(_mm_shuffle_epi8(block, mask), _mm_set_epi64x(4, 0)),
+                    mask);
+        out += 64;
+        out_len -= 64;
+    }
+    while (out_len >= 16) {
+        aes128r4ni_encrypt(schedule, block, out);
+        out += 16;
+        out_len -= 16;
+        block = _mm_shuffle_epi8(
+                    _mm_add_epi64(_mm_shuffle_epi8(block, mask), _mm_set_epi64x(1, 0)),
+                    mask);
+    }
+    if (out_len > 0) {
+        uint8_t tmp[16];
+        aes128r4ni_encrypt(schedule, block, tmp);
+        memcpy(out, tmp, out_len);
+    }
+}
+
+int AES_128_CTR_4R_NI(unsigned char *output, size_t outputByteLen,
+                      const unsigned char *input, size_t inputByteLen) {
+    void *schedule = NULL;
+    oqs_aes128r4_load_schedule_ni(input, &schedule);
+    oqs_aes128r4_ctr_enc_sch_ni(schedule, output, outputByteLen);
+    oqs_aes128r4_free_schedule_ni(schedule);
+    return (int)outputByteLen;
+}
+#endif
+