@pinkparrot/qsafe-mayo-wasm 0.0.3

package/mayo-c/src/common/fips202.h

@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef FIPS202_H
+#define FIPS202_H
+
+#include <stddef.h>
+
+int shake128(unsigned char *output, size_t outputByteLen, const unsigned char *input, size_t inputByteLen);
+int shake256(unsigned char *output, size_t outputByteLen, const unsigned char *input, size_t inputByteLen);
+
+#endif
+

package/mayo-c/src/common/mem.c

@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdint.h>
+
+void mayo_secure_free(void *mem, size_t size) {
+    if (mem) {
+        typedef void *(*memset_t)(void *, int, size_t);
+        static volatile memset_t memset_func = memset;
+        memset_func(mem, 0, size);
+        free(mem);
+    }
+}
+void mayo_secure_clear(void *mem, size_t size) {
+    typedef void *(*memset_t)(void *, int, size_t);
+    static volatile memset_t memset_func = memset;
+    memset_func(mem, 0, size);
+}

package/mayo-c/src/common/randombytes_ctrdrbg.c

@@ -0,0 +1,141 @@
+// SPDX-License-Identifier: Apache-2.0 and Unknown
+//
+/*
+NIST-developed software is provided by NIST as a public service. You may use, copy, and distribute copies of the software in any medium, provided that you keep intact this entire notice. You may improve, modify, and create derivative works of the software or any portion of the software, and you may copy and distribute such modifications or works. Modified works should carry a notice stating that you changed the software and should note the date and nature of any such change. Please explicitly acknowledge the National Institute of Standards and Technology as the source of the software.
+
+NIST-developed software is expressly provided "AS IS." NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT, OR ARISING BY OPERATION OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND DATA ACCURACY. NIST NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, RELIABILITY, OR USEFULNESS OF THE SOFTWARE.
+
+You are solely responsible for determining the appropriateness of using and distributing the software and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This software is not intended to be used in any situation where a failure could cause risk of injury or damage to property. The software developed by NIST employees is not subject to copyright protection within the United States.
+*/
+
+#include <string.h>
+
+#include <aes_ctr.h>
+
+#ifdef ENABLE_CT_TESTING
+#include <valgrind/memcheck.h>
+#endif
+
+#define RNG_SUCCESS      0
+#define RNG_BAD_MAXLEN  -1
+#define RNG_BAD_OUTBUF  -2
+#define RNG_BAD_REQ_LEN -3
+
+static __inline void AES256_ECB(unsigned char *key, unsigned char *ctr, unsigned char *buffer) {
+    AES_ECB_encrypt(ctr, key, buffer);
+}
+
+typedef struct {
+    unsigned char   buffer[16];
+    int             buffer_pos;
+    unsigned long   length_remaining;
+    unsigned char   key[32];
+    unsigned char   ctr[16];
+} AES_XOF_struct;
+
+typedef struct {
+    unsigned char   Key[32];
+    unsigned char   V[16];
+    int             reseed_counter;
+} AES256_CTR_DRBG_struct;
+
+
+void
+AES256_CTR_DRBG_Update(unsigned char *provided_data,
+                       unsigned char *Key,
+                       unsigned char *V);
+
+AES256_CTR_DRBG_struct  DRBG_ctx;
+
+static void
+randombytes_init_nist(unsigned char *entropy_input,
+                      unsigned char *personalization_string,
+                      int security_strength) {
+    unsigned char   seed_material[48];
+
+    (void)security_strength;  // Unused parameter
+    memcpy(seed_material, entropy_input, 48);
+    if (personalization_string)
+        for (int i = 0; i < 48; i++) {
+            seed_material[i] ^= personalization_string[i];
+        }
+    memset(DRBG_ctx.Key, 0x00, 32);
+    memset(DRBG_ctx.V, 0x00, 16);
+    AES256_CTR_DRBG_Update(seed_material, DRBG_ctx.Key, DRBG_ctx.V);
+    DRBG_ctx.reseed_counter = 1;
+}
+
+static int
+randombytes_nist(unsigned char *x, size_t xlen) {
+    unsigned char   block[16];
+    size_t          i = 0;
+
+    while ( xlen > 0 ) {
+        //increment V
+        for (int j = 15; j >= 0; j--) {
+            if ( DRBG_ctx.V[j] == 0xff ) {
+                DRBG_ctx.V[j] = 0x00;
+            } else {
+                DRBG_ctx.V[j]++;
+                break;
+            }
+        }
+        AES256_ECB(DRBG_ctx.Key, DRBG_ctx.V, block);
+        if ( xlen > 15 ) {
+            memcpy(x + i, block, 16);
+            i += 16;
+            xlen -= 16;
+        } else {
+            memcpy(x + i, block, xlen);
+            i += xlen;
+            xlen = 0;
+        }
+    }
+    AES256_CTR_DRBG_Update(NULL, DRBG_ctx.Key, DRBG_ctx.V);
+    DRBG_ctx.reseed_counter++;
+
+    return 0;
+}
+
+void
+AES256_CTR_DRBG_Update(unsigned char *provided_data,
+                       unsigned char *Key,
+                       unsigned char *V) {
+    unsigned char   temp[48];
+
+    for (int i = 0; i < 3; i++) {
+        //increment V
+        for (int j = 15; j >= 0; j--) {
+            if ( V[j] == 0xff ) {
+                V[j] = 0x00;
+            } else {
+                V[j]++;
+                break;
+            }
+        }
+
+        AES256_ECB(Key, V, temp + 16 * i);
+    }
+    if ( provided_data != NULL )
+        for (int i = 0; i < 48; i++) {
+            temp[i] ^= provided_data[i];
+        }
+    memcpy(Key, temp, 32);
+    memcpy(V, temp + 32, 16);
+}
+
+int randombytes(unsigned char *random_array, size_t nbytes) {
+    int ret = randombytes_nist(random_array, nbytes);
+#ifdef ENABLE_CT_TESTING
+    VALGRIND_MAKE_MEM_UNDEFINED(random_array, ret);
+#endif
+    return ret;
+}
+
+void
+randombytes_init(unsigned char *entropy_input,
+                 unsigned char *personalization_string,
+                 int security_strength) {
+    return randombytes_init_nist(entropy_input, personalization_string, security_strength);
+}
+

package/mayo-c/src/common/randombytes_system.c

@@ -0,0 +1,399 @@
+// SPDX-License-Identifier: MIT
+
+/*
+The MIT License
+Copyright (c) 2017 Daan Sprenkels <hello@dsprenkels.com>
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+
+#ifdef ENABLE_CT_TESTING
+#include <valgrind/memcheck.h>
+#endif
+
+// In the case that are compiling on linux, we need to define _GNU_SOURCE
+// *before* randombytes.h is included. Otherwise SYS_getrandom will not be
+// declared.
+#if defined(__linux__) || defined(__GNU__)
+# define _GNU_SOURCE
+#endif /* defined(__linux__) || defined(__GNU__) */
+
+#include <randombytes.h>
+
+#if defined(_WIN32)
+/* Windows */
+# include <windows.h>
+# include <wincrypt.h> /* CryptAcquireContext, CryptGenRandom */
+#endif /* defined(_WIN32) */
+
+/* wasi */
+#if defined(__wasi__)
+#include <stdlib.h>
+#endif
+
+/* kFreeBSD */
+#if defined(__FreeBSD_kernel__) && defined(__GLIBC__)
+# define GNU_KFREEBSD
+#endif
+
+#if defined(__linux__) || defined(__GNU__) || defined(GNU_KFREEBSD)
+/* Linux */
+// We would need to include <linux/random.h>, but not every target has access
+// to the linux headers. We only need RNDGETENTCNT, so we instead inline it.
+// RNDGETENTCNT is originally defined in `include/uapi/linux/random.h` in the
+// linux repo.
+# define RNDGETENTCNT 0x80045200
+
+# include <assert.h>
+# include <errno.h>
+# include <fcntl.h>
+# include <poll.h>
+# include <stdint.h>
+# include <stdio.h>
+# include <sys/ioctl.h>
+# if (defined(__linux__) || defined(__GNU__)) && defined(__GLIBC__) && ((__GLIBC__ > 2) || (__GLIBC_MINOR__ > 24))
+#  define USE_GLIBC
+#  include <sys/random.h>
+# endif /* (defined(__linux__) || defined(__GNU__)) && defined(__GLIBC__) && ((__GLIBC__ > 2) || (__GLIBC_MINOR__ > 24)) */
+# include <sys/stat.h>
+# include <sys/syscall.h>
+# include <sys/types.h>
+# include <unistd.h>
+
+// We need SSIZE_MAX as the maximum read len from /dev/urandom
+# if !defined(SSIZE_MAX)
+#  define SSIZE_MAX (SIZE_MAX / 2 - 1)
+# endif /* defined(SSIZE_MAX) */
+
+#endif /* defined(__linux__) || defined(__GNU__) || defined(GNU_KFREEBSD) */
+
+
+#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
+/* Dragonfly, FreeBSD, NetBSD, OpenBSD (has arc4random) */
+# include <sys/param.h>
+# if defined(BSD)
+#  include <stdlib.h>
+# endif
+/* GNU/Hurd defines BSD in sys/param.h which causes problems later */
+# if defined(__GNU__)
+#  undef BSD
+# endif
+#endif
+
+#if defined(__EMSCRIPTEN__)
+# include <assert.h>
+# include <emscripten.h>
+# include <errno.h>
+# include <stdbool.h>
+#endif /* defined(__EMSCRIPTEN__) */
+
+
+#if defined(_WIN32)
+static int randombytes_win32_randombytes(void* buf, size_t n)
+{
+	HCRYPTPROV ctx;
+	BOOL tmp;
+	DWORD to_read = 0;
+	const size_t MAX_DWORD = 0xFFFFFFFF;
+
+	tmp = CryptAcquireContext(&ctx, NULL, NULL, PROV_RSA_FULL,
+	                          CRYPT_VERIFYCONTEXT);
+	if (tmp == FALSE) return -1;
+
+	while (n > 0) {
+		to_read = (DWORD)(n < MAX_DWORD ? n : MAX_DWORD);
+		tmp = CryptGenRandom(ctx, to_read, (BYTE*) buf);
+		if (tmp == FALSE) return -1;
+		buf = ((char*)buf) + to_read;
+		n -= to_read;
+	}
+
+	tmp = CryptReleaseContext(ctx, 0);
+	if (tmp == FALSE) return -1;
+
+	return 0;
+}
+#endif /* defined(_WIN32) */
+
+#if defined(__wasi__)
+static int randombytes_wasi_randombytes(void *buf, size_t n) {
+	arc4random_buf(buf, n);
+	return 0;
+}
+#endif /* defined(__wasi__) */
+
+#if (defined(__linux__) || defined(__GNU__)) && (defined(USE_GLIBC) || defined(SYS_getrandom))
+# if defined(USE_GLIBC)
+// getrandom is declared in glibc.
+# elif defined(SYS_getrandom)
+static ssize_t getrandom(void *buf, size_t buflen, unsigned int flags) {
+	return syscall(SYS_getrandom, buf, buflen, flags);
+}
+# endif
+
+static int randombytes_linux_randombytes_getrandom(void *buf, size_t n)
+{
+	/* I have thought about using a separate PRF, seeded by getrandom, but
+	 * it turns out that the performance of getrandom is good enough
+	 * (250 MB/s on my laptop).
+	 */
+	size_t offset = 0, chunk;
+	int ret;
+	while (n > 0) {
+		/* getrandom does not allow chunks larger than 33554431 */
+		chunk = n <= 33554431 ? n : 33554431;
+		do {
+			ret = getrandom((char *)buf + offset, chunk, 0);
+		} while (ret == -1 && errno == EINTR);
+		if (ret < 0) return ret;
+		offset += ret;
+		n -= ret;
+	}
+	assert(n == 0);
+	return 0;
+}
+#endif /* (defined(__linux__) || defined(__GNU__)) && (defined(USE_GLIBC) || defined(SYS_getrandom)) */
+
+#if (defined(__linux__) || defined(GNU_KFREEBSD)) && !defined(SYS_getrandom)
+
+# if defined(__linux__)
+static int randombytes_linux_read_entropy_ioctl(int device, int *entropy)
+{
+	return ioctl(device, RNDGETENTCNT, entropy);
+}
+
+static int randombytes_linux_read_entropy_proc(FILE *stream, int *entropy)
+{
+	int retcode;
+	do {
+		rewind(stream);
+		retcode = fscanf(stream, "%d", entropy);
+	} while (retcode != 1 && errno == EINTR);
+	if (retcode != 1) {
+		return -1;
+	}
+	return 0;
+}
+
+static int randombytes_linux_wait_for_entropy(int device)
+{
+	/* We will block on /dev/random, because any increase in the OS' entropy
+	 * level will unblock the request. I use poll here (as does libsodium),
+	 * because we don't *actually* want to read from the device. */
+	enum { IOCTL, PROC } strategy = IOCTL;
+	const int bits = 128;
+	struct pollfd pfd;
+	int fd;
+	FILE *proc_file;
+	int retcode, retcode_error = 0; // Used as return codes throughout this function
+	int entropy = 0;
+
+	/* If the device has enough entropy already, we will want to return early */
+	retcode = randombytes_linux_read_entropy_ioctl(device, &entropy);
+	// printf("errno: %d (%s)\n", errno, strerror(errno));
+	if (retcode != 0 && (errno == ENOTTY || errno == ENOSYS)) {
+		// The ioctl call on /dev/urandom has failed due to a
+		//   - ENOTTY (unsupported action), or
+		//   - ENOSYS (invalid ioctl; this happens on MIPS, see #22).
+		//
+		// We will fall back to reading from
+		// `/proc/sys/kernel/random/entropy_avail`.  This less ideal,
+		// because it allocates a file descriptor, and it may not work
+		// in a chroot.  But at this point it seems we have no better
+		// options left.
+		strategy = PROC;
+		// Open the entropy count file
+		proc_file = fopen("/proc/sys/kernel/random/entropy_avail", "r");
+		if (proc_file == NULL) {
+			return -1;
+		}
+	} else if (retcode != 0) {
+		// Unrecoverable ioctl error
+		return -1;
+	}
+	if (entropy >= bits) {
+		return 0;
+	}
+
+	do {
+		fd = open("/dev/random", O_RDONLY);
+	} while (fd == -1 && errno == EINTR); /* EAGAIN will not occur */
+	if (fd == -1) {
+		/* Unrecoverable IO error */
+		return -1;
+	}
+
+	pfd.fd = fd;
+	pfd.events = POLLIN;
+	for (;;) {
+		retcode = poll(&pfd, 1, -1);
+		if (retcode == -1 && (errno == EINTR || errno == EAGAIN)) {
+			continue;
+		} else if (retcode == 1) {
+			if (strategy == IOCTL) {
+				retcode = randombytes_linux_read_entropy_ioctl(device, &entropy);
+			} else if (strategy == PROC) {
+				retcode = randombytes_linux_read_entropy_proc(proc_file, &entropy);
+			} else {
+				return -1; // Unreachable
+			}
+
+			if (retcode != 0) {
+				// Unrecoverable I/O error
+				retcode_error = retcode;
+				break;
+			}
+			if (entropy >= bits) {
+				break;
+			}
+		} else {
+			// Unreachable: poll() should only return -1 or 1
+			retcode_error = -1;
+			break;
+		}
+	}
+	do {
+		retcode = close(fd);
+	} while (retcode == -1 && errno == EINTR);
+	if (strategy == PROC) {
+		do {
+			retcode = fclose(proc_file);
+		} while (retcode == -1 && errno == EINTR);
+	}
+	if (retcode_error != 0) {
+		return retcode_error;
+	}
+	return retcode;
+}
+# endif /* defined(__linux__) */
+
+
+static int randombytes_linux_randombytes_urandom(void *buf, size_t n)
+{
+	int fd;
+	size_t offset = 0, count;
+	ssize_t tmp;
+	do {
+		fd = open("/dev/urandom", O_RDONLY);
+	} while (fd == -1 && errno == EINTR);
+	if (fd == -1) return -1;
+# if defined(__linux__)
+	if (randombytes_linux_wait_for_entropy(fd) == -1) return -1;
+# endif
+
+	while (n > 0) {
+		count = n <= SSIZE_MAX ? n : SSIZE_MAX;
+		tmp = read(fd, (char *)buf + offset, count);
+		if (tmp == -1 && (errno == EAGAIN || errno == EINTR)) {
+			continue;
+		}
+		if (tmp == -1) return -1; /* Unrecoverable IO error */
+		offset += tmp;
+		n -= tmp;
+	}
+	close(fd);
+	assert(n == 0);
+	return 0;
+}
+#endif /* defined(__linux__) && !defined(SYS_getrandom) */
+
+
+#if defined(BSD)
+static int randombytes_bsd_randombytes(void *buf, size_t n)
+{
+	arc4random_buf(buf, n);
+	return 0;
+}
+#endif /* defined(BSD) */
+
+
+#if defined(__EMSCRIPTEN__)
+static int randombytes_js_randombytes_nodejs(void *buf, size_t n) {
+	const int ret = EM_ASM_INT({
+		var crypto;
+		try {
+			crypto = require('crypto');
+		} catch (error) {
+			return -2;
+		}
+		try {
+			writeArrayToMemory(crypto.randomBytes($1), $0);
+			return 0;
+		} catch (error) {
+			return -1;
+		}
+	}, buf, n);
+	switch (ret) {
+	case 0:
+		return 0;
+	case -1:
+		errno = EINVAL;
+		return -1;
+	case -2:
+		errno = ENOSYS;
+		return -1;
+	}
+	assert(false); // Unreachable
+}
+#endif /* defined(__EMSCRIPTEN__) */
+
+
+static int randombytes_select(void *buf, size_t n)
+{
+#if defined(__EMSCRIPTEN__)
+	return randombytes_js_randombytes_nodejs(buf, n);   
+#elif defined(__linux__) || defined(__GNU__) || defined(GNU_KFREEBSD)
+# if defined(USE_GLIBC)
+	/* Use getrandom system call */
+	return randombytes_linux_randombytes_getrandom(buf, n);
+# elif defined(SYS_getrandom)
+	/* Use getrandom system call */
+	return randombytes_linux_randombytes_getrandom(buf, n);
+# else
+	/* When we have enough entropy, we can read from /dev/urandom */
+	return randombytes_linux_randombytes_urandom(buf, n);
+# endif
+#elif defined(BSD)
+	/* Use arc4random system call */
+	return randombytes_bsd_randombytes(buf, n);
+#elif defined(_WIN32)
+	/* Use windows API */
+	return randombytes_win32_randombytes(buf, n);
+#elif defined(__wasi__)
+	/* Use WASI */
+	return randombytes_wasi_randombytes(buf, n);
+#else
+# error "randombytes(...) is not supported on this platform"
+#endif
+}
+
+int randombytes(unsigned char *x, size_t xlen) {
+
+    int ret = randombytes_select(x, (size_t) xlen);
+#ifdef ENABLE_CT_TESTING
+    VALGRIND_MAKE_MEM_UNDEFINED(x, xlen);
+#endif
+    return ret;
+}
+
+void randombytes_init(unsigned char *entropy_input,
+                      unsigned char *personalization_string,
+                      int security_strength) {
+    (void) entropy_input;
+    (void) personalization_string;
+    (void) security_strength;
+}
+

package/mayo-c/src/generic/arithmetic_dynamic.h

@@ -0,0 +1,68 @@
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef ARITHMETIC_DYNAMIC_H
+#define ARITHMETIC_DYNAMIC_H
+
+#include <stdint.h>
+#include <simple_arithmetic.h>
+
+static
+inline void m_vec_copy(int m_vec_limbs, const uint64_t *in, uint64_t *out) {
+    for (int i = 0; i < m_vec_limbs; i++) {
+        out[i] = in[i];
+    }
+}
+
+static
+inline void m_vec_add(int m_vec_limbs, const uint64_t *in, uint64_t *acc) {
+    for (int i = 0; i < m_vec_limbs; i++) {
+        acc[i] ^= in[i];
+    }
+}
+
+static inline
+void m_vec_mul_add(int m_vec_limbs, const uint64_t *in, unsigned char a, uint64_t *acc) {
+    for(int i=0; i < m_vec_limbs; i++){
+        acc[i] ^= gf16v_mul_u64(in[i], a);
+    }
+}
+
+inline
+static void m_vec_mul_add_x (int m_vec_limbs, const uint64_t *in, uint64_t *acc) {
+    uint64_t mask_msb = 0x8888888888888888ULL;
+    for(int i=0; i < m_vec_limbs; i++){
+        uint64_t t = in[i] & mask_msb;
+        acc[i] ^= ((in[i] ^ t) << 1) ^ ((t >> 3) * 3);
+    }
+}
+
+inline
+static void m_vec_mul_add_x_inv (int m_vec_limbs, const uint64_t *in, uint64_t *acc) {
+    uint64_t mask_lsb = 0x1111111111111111ULL;
+    for(int i=0; i < m_vec_limbs; i++){
+        uint64_t t = in[i] & mask_lsb;
+        acc[i] ^= ((in[i] ^ t) >> 1) ^ (t * 9);
+    }
+}
+
+static
+inline void m_vec_multiply_bins (int m_vec_limbs, uint64_t *bins, uint64_t *out) {
+
+    m_vec_mul_add_x_inv (m_vec_limbs, bins +  5 * m_vec_limbs, bins +  10 * m_vec_limbs);
+    m_vec_mul_add_x (m_vec_limbs, bins + 11 * m_vec_limbs, bins + 12 * m_vec_limbs);
+    m_vec_mul_add_x_inv (m_vec_limbs, bins +  10 * m_vec_limbs, bins +  7 * m_vec_limbs);
+    m_vec_mul_add_x (m_vec_limbs, bins + 12 * m_vec_limbs, bins +  6 * m_vec_limbs);
+    m_vec_mul_add_x_inv (m_vec_limbs, bins +  7 * m_vec_limbs, bins +  14 * m_vec_limbs);
+    m_vec_mul_add_x (m_vec_limbs, bins +  6 * m_vec_limbs, bins +  3 * m_vec_limbs);
+    m_vec_mul_add_x_inv (m_vec_limbs, bins +  14 * m_vec_limbs, bins +  15 * m_vec_limbs);
+    m_vec_mul_add_x (m_vec_limbs, bins +  3 * m_vec_limbs, bins +  8 * m_vec_limbs);
+    m_vec_mul_add_x_inv (m_vec_limbs, bins +  15 * m_vec_limbs, bins +  13 * m_vec_limbs);
+    m_vec_mul_add_x (m_vec_limbs, bins +  8 * m_vec_limbs, bins +  4 * m_vec_limbs);
+    m_vec_mul_add_x_inv (m_vec_limbs, bins +  13 * m_vec_limbs, bins +  9 * m_vec_limbs);
+    m_vec_mul_add_x (m_vec_limbs, bins +  4 * m_vec_limbs, bins +  2 * m_vec_limbs);
+    m_vec_mul_add_x_inv (m_vec_limbs, bins +   9 * m_vec_limbs, bins +  1 * m_vec_limbs);
+    m_vec_mul_add_x (m_vec_limbs, bins +  2 * m_vec_limbs, bins +  1 * m_vec_limbs);
+    m_vec_copy (m_vec_limbs, bins + m_vec_limbs, out);
+}
+
+#endif