├── kex.c
├── README.txt
├── License.txt
├── Visual Studio
    ├── tests
    │   ├── tests.vcxproj.filters
    │   └── tests.vcxproj
    └── LatticeCrypto
    │   ├── LatticeCrypto.vcxproj.filters
    │   ├── LatticeCrypto.sln
    │   └── LatticeCrypto.vcxproj
├── AMD64
    ├── ntt_x64.c
    ├── consts.c
    ├── error_asm.S
    └── ntt_x64_asm.S
├── tests
    ├── test_extras.h
    ├── test_extras.c
    └── tests.c
├── makefile
├── random.c
├── LatticeCrypto_priv.h
├── generic
    └── ntt.c
├── LatticeCrypto.h
└── ntt_constants.c


/kex.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/b/LatticeCrypto/master/kex.c


--------------------------------------------------------------------------------
/README.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/b/LatticeCrypto/master/README.txt


--------------------------------------------------------------------------------
/License.txt:
--------------------------------------------------------------------------------
 1 | LatticeCrypto
 2 | 
 3 | Copyright (c) Microsoft Corporation
 4 | All rights reserved. 
 5 | 
 6 | MIT License
 7 | 
 8 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and 
 9 | associated documentation files (the ""Software""), to deal in the Software without restriction,
10 | including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, 
11 | and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, 
12 | subject to the following conditions:
13 | 
14 | The above copyright notice and this permission notice shall be included in all copies or substantial 
15 | portions of the Software.
16 | 
17 | THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT 
18 | LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
19 | IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 
20 | WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE 
21 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Visual Studio/tests/tests.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClInclude Include="..\..\tests\test_extras.h">
19 |       <Filter>Header Files</Filter>
20 |     </ClInclude>
21 |     <ClInclude Include="..\..\LatticeCrypto.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="..\..\LatticeCrypto_priv.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClCompile Include="..\..\tests\test_extras.c">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |     <ClCompile Include="..\..\tests\tests.c">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |   </ItemGroup>
36 | </Project>


--------------------------------------------------------------------------------
/Visual Studio/LatticeCrypto/LatticeCrypto.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Source Files\generic">
17 |       <UniqueIdentifier>{d2c0b572-de10-4258-8700-245d332f161c}</UniqueIdentifier>
18 |     </Filter>
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClCompile Include="..\..\ntt_constants.c">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |     <ClCompile Include="..\..\kex.c">
25 |       <Filter>Source Files</Filter>
26 |     </ClCompile>
27 |     <ClCompile Include="..\..\generic\ntt.c">
28 |       <Filter>Source Files\generic</Filter>
29 |     </ClCompile>
30 |     <ClCompile Include="..\..\random.c">
31 |       <Filter>Source Files</Filter>
32 |     </ClCompile>
33 |   </ItemGroup>
34 |   <ItemGroup>
35 |     <ClInclude Include="..\..\LatticeCrypto.h">
36 |       <Filter>Header Files</Filter>
37 |     </ClInclude>
38 |     <ClInclude Include="..\..\LatticeCrypto_priv.h">
39 |       <Filter>Header Files</Filter>
40 |     </ClInclude>
41 |   </ItemGroup>
42 | </Project>


--------------------------------------------------------------------------------
/AMD64/ntt_x64.c:
--------------------------------------------------------------------------------
 1 | /****************************************************************************************
 2 | * LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
 3 | *
 4 | *    Copyright (c) Microsoft Corporation. All rights reserved.
 5 | *
 6 | *
 7 | * Abstract: NTT functions and other low-level operations
 8 | *
 9 | *****************************************************************************************/
10 | 
11 | #include "../LatticeCrypto_priv.h"
12 |     
13 | 
14 | void NTT_CT_std2rev_12289(int32_t* a, const int32_t* psi_rev, unsigned int N)
15 | {
16 |     NTT_CT_std2rev_12289_asm(a, psi_rev, N);
17 | }
18 | 
19 | 
20 | void INTT_GS_rev2std_12289(int32_t* a, const int32_t* omegainv_rev, const int32_t omegainv1N_rev, const int32_t Ninv, unsigned int N)
21 | {
22 |     INTT_GS_rev2std_12289_asm(a, omegainv_rev, omegainv1N_rev, Ninv, N);
23 | }
24 | 
25 | 
26 | void two_reduce12289(int32_t* a, unsigned int N)
27 | {
28 |     two_reduce12289_asm(a, N);
29 | }
30 | 
31 | 
32 | void pmul(int32_t* a, int32_t* b, int32_t* c, unsigned int N)
33 | {
34 |     pmul_asm(a, b, c, N);
35 | }
36 | 
37 | 
38 | void pmuladd(int32_t* a, int32_t* b, int32_t* c, int32_t* d, unsigned int N)
39 | {
40 |     pmuladd_asm(a, b, c, d, N);
41 | }
42 | 
43 | 
44 | void smul(int32_t* a, int32_t scalar, unsigned int N)
45 | {
46 |     unsigned int i; 
47 | 
48 |     for (i = 0; i < N; i++) {
49 |         a[i] = a[i]*scalar;
50 |     }
51 | }
52 | 
53 | 
54 | void correction(int32_t* a, int32_t p, unsigned int N)
55 | {  
56 |     unsigned int i; 
57 |     int32_t mask;
58 | 
59 |     for (i = 0; i < N; i++) {
60 |         mask = a[i] >> (4*sizeof(int32_t) - 1);
61 |         a[i] += (p & mask) - p;
62 |         mask = a[i] >> (4*sizeof(int32_t) - 1);
63 |         a[i] += (p & mask);
64 |     }
65 | }
66 | 


--------------------------------------------------------------------------------
/AMD64/consts.c:
--------------------------------------------------------------------------------
 1 | /****************************************************************************************
 2 | * LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
 3 | *
 4 | *    Copyright (c) Microsoft Corporation. All rights reserved.
 5 | *
 6 | *
 7 | * Abstract: constants for the x64 assembly implementation
 8 | *
 9 | *****************************************************************************************/
10 | 
11 | #include "../LatticeCrypto_priv.h"
12 | #include <stdint.h>
13 | 
14 | 
15 | uint32_t PRIME8x[8]      = {PARAMETER_Q, PARAMETER_Q, PARAMETER_Q, PARAMETER_Q, PARAMETER_Q, PARAMETER_Q, PARAMETER_Q, PARAMETER_Q};
16 | uint8_t ONE32x[32]       = {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1};
17 | uint32_t MASK12x8[8]     = {0xfff,0xfff,0xfff,0xfff,0xfff,0xfff,0xfff,0xfff};
18 | uint32_t PERM0246[4]     = {0,2,4,6};
19 | uint32_t PERM00224466[8] = {0,0,2,2,4,4,6,6};
20 | uint32_t PERM02134657[8] = {0,2,1,3,4,6,5,7};
21 | uint64_t PERM0145[4]     = {0,1,4,5};
22 | uint64_t PERM2367[4]     = {2,3,6,7};
23 | uint64_t MASK32[4]       = {0xffffffff,0,0xffffffff,0};
24 | uint64_t MASK42[4]       = {0x3fff0000000,0,0x3fff0000000,0};
25 | 
26 | uint64_t MASK14_1[4]     = {0x3fff,0,0x3fff,0};
27 | uint64_t MASK14_2[4]     = {0xFFFC000,0,0xFFFC000,0};
28 | uint64_t MASK14_3[4]     = {0x3FFF0000000,0,0x3FFF0000000,0};
29 | uint64_t MASK14_4[4]     = {0xFFFC0000000000,0,0xFFFC0000000000,0};
30 | 
31 | uint32_t ONE8x[8]        = {1,1,1,1,1,1,1,1};
32 | uint32_t THREE8x[8]      = {3,3,3,3,3,3,3,3};
33 | uint32_t FOUR8x[8]       = {4,4,4,4,4,4,4,4};
34 | uint32_t PARAM_Q4x8[8]   = {3073,3073,3073,3073,3073,3073,3073,3073};
35 | uint32_t PARAM_3Q4x8[8]  = {9217,9217,9217,9217,9217,9217,9217,9217};
36 | uint32_t PARAM_5Q4x8[8]  = {15362,15362,15362,15362,15362,15362,15362,15362};
37 | uint32_t PARAM_7Q4x8[8]  = {21506,21506,21506,21506,21506,21506,21506,21506};
38 | uint32_t PARAM_Q2x8[8]   = {6145,6145,6145,6145,6145,6145,6145,6145};
39 | uint32_t PARAM_3Q2x8[8]  = {18434,18434,18434,18434,18434,18434,18434,18434};
40 | 
41 | 


--------------------------------------------------------------------------------
/Visual Studio/LatticeCrypto/LatticeCrypto.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 2013
 4 | VisualStudioVersion = 12.0.21005.1
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "tests", "..\tests\tests.vcxproj", "{C9639168-C3FF-4427-BC3B-D907FF11DE73}"
 7 | 	ProjectSection(ProjectDependencies) = postProject
 8 | 		{8283DD76-E88A-4B63-ABDE-33F014178413} = {8283DD76-E88A-4B63-ABDE-33F014178413}
 9 | 	EndProjectSection
10 | EndProject
11 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LatticeCrypto", "LatticeCrypto.vcxproj", "{8283DD76-E88A-4B63-ABDE-33F014178413}"
12 | EndProject
13 | Global
14 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
15 | 		Debug|Win32 = Debug|Win32
16 | 		Debug|x64 = Debug|x64
17 | 		Generic|Win32 = Generic|Win32
18 | 		Generic|x64 = Generic|x64
19 | 		Release|Win32 = Release|Win32
20 | 		Release|x64 = Release|x64
21 | 	EndGlobalSection
22 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
23 | 		{C9639168-C3FF-4427-BC3B-D907FF11DE73}.Debug|Win32.ActiveCfg = Debug|Win32
24 | 		{C9639168-C3FF-4427-BC3B-D907FF11DE73}.Debug|x64.ActiveCfg = Debug|x64
25 | 		{C9639168-C3FF-4427-BC3B-D907FF11DE73}.Generic|Win32.ActiveCfg = Generic|Win32
26 | 		{C9639168-C3FF-4427-BC3B-D907FF11DE73}.Generic|Win32.Build.0 = Generic|Win32
27 | 		{C9639168-C3FF-4427-BC3B-D907FF11DE73}.Generic|x64.ActiveCfg = Generic|x64
28 | 		{C9639168-C3FF-4427-BC3B-D907FF11DE73}.Generic|x64.Build.0 = Generic|x64
29 | 		{C9639168-C3FF-4427-BC3B-D907FF11DE73}.Release|Win32.ActiveCfg = Release|Win32
30 | 		{C9639168-C3FF-4427-BC3B-D907FF11DE73}.Release|x64.ActiveCfg = Release|x64
31 | 		{8283DD76-E88A-4B63-ABDE-33F014178413}.Debug|Win32.ActiveCfg = Debug|Win32
32 | 		{8283DD76-E88A-4B63-ABDE-33F014178413}.Debug|x64.ActiveCfg = Debug|x64
33 | 		{8283DD76-E88A-4B63-ABDE-33F014178413}.Generic|Win32.ActiveCfg = Generic|Win32
34 | 		{8283DD76-E88A-4B63-ABDE-33F014178413}.Generic|Win32.Build.0 = Generic|Win32
35 | 		{8283DD76-E88A-4B63-ABDE-33F014178413}.Generic|x64.ActiveCfg = Generic|x64
36 | 		{8283DD76-E88A-4B63-ABDE-33F014178413}.Generic|x64.Build.0 = Generic|x64
37 | 		{8283DD76-E88A-4B63-ABDE-33F014178413}.Release|Win32.ActiveCfg = Release|Win32
38 | 		{8283DD76-E88A-4B63-ABDE-33F014178413}.Release|x64.ActiveCfg = Release|x64
39 | 	EndGlobalSection
40 | 	GlobalSection(SolutionProperties) = preSolution
41 | 		HideSolutionNode = FALSE
42 | 	EndGlobalSection
43 | EndGlobal
44 | 


--------------------------------------------------------------------------------
/tests/test_extras.h:
--------------------------------------------------------------------------------
 1 | /****************************************************************************************
 2 | * LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
 3 | *
 4 | *    Copyright (c) Microsoft Corporation. All rights reserved.
 5 | *
 6 | *
 7 | * Abstract: utility header file for tests
 8 | *
 9 | *****************************************************************************************/  
10 | 
11 | #ifndef __TEST_EXTRAS_H__
12 | #define __TEST_EXTRAS_H__
13 | 
14 | 
15 | // For C++
16 | #ifdef __cplusplus
17 | extern "C" {
18 | #endif
19 | 
20 | 
21 | #include "../LatticeCrypto_priv.h"
22 | 
23 |     
24 | // Access system counter for benchmarking
25 | int64_t cpucycles(void);
26 | 
27 | // Generate "nbytes" of random values and output the result to random_array.
28 | // SECURITY NOTE: TO BE USED FOR TESTING ONLY.
29 | CRYPTO_STATUS random_bytes_test(unsigned int nbytes, unsigned char* random_array); 
30 | 
31 | // Generate "array_ndigits" of 32-bit values and output the result to extended_array.
32 | // SECURITY NOTE: TO BE USED FOR TESTING ONLY.
33 | CRYPTO_STATUS extendable_output_test(const unsigned char* seed, unsigned int seed_nbytes, unsigned int array_ndigits, uint32_t* extended_array);
34 |     
35 | // Generate "array_nbytes" of values and output the result to stream_array.
36 | // SECURITY NOTE: TO BE USED FOR TESTING ONLY.
37 | CRYPTO_STATUS stream_output_test(const unsigned char* seed, unsigned int seed_nbytes, unsigned char* nonce, unsigned int nonce_nbytes, unsigned int array_nbytes, unsigned char* stream_array);
38 | 
39 | // Generating a pseudo-random polynomial a[x] over GF(p) 
40 | // SECURITY NOTE: TO BE USED FOR TESTING ONLY.
41 | void random_poly_test(int32_t* a, unsigned int p, unsigned int pbits, unsigned int N);
42 | 
43 | // Comparing two polynomials over GF(p), a[x]=b[x]? : (0) a=b, (1) a!=b
44 | // NOTE: TO BE USED FOR TESTING ONLY.
45 | int compare_poly(int32_t* a, int32_t* b, unsigned int N); 
46 |     
47 | // Modular reduction
48 | // NOTE: TO BE USED FOR TESTING ONLY.
49 | int reduce(int a, int p);
50 | 
51 | // Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x]
52 | // NOTE: TO BE USED FOR TESTING ONLY.
53 | void mul_test(int32_t* a, int32_t* b, int32_t* c, uint32_t p, unsigned int N);                  
54 | 
55 | // Polynomial addition, c[x] = a[x] + b[x]  
56 | // NOTE: TO BE USED FOR TESTING ONLY.
57 | void add_test(int32_t* a, int32_t* b, int32_t* c, uint32_t p, unsigned int N);
58 | 
59 | 
60 | #ifdef __cplusplus
61 | }
62 | #endif
63 | 
64 | 
65 | #endif


--------------------------------------------------------------------------------
/makefile:
--------------------------------------------------------------------------------
 1 | ####  Makefile for compilation on Linux  ####
 2 | 
 3 | OPT=-O3     # Optimization option by default
 4 | 
 5 | ifeq "$(CC)" "gcc"
 6 |     COMPILER=gcc
 7 | else ifeq "$(CC)" "clang"
 8 |     COMPILER=clang
 9 | endif
10 | 
11 | ifeq "$(ARCH)" "x64"
12 |     ARCHITECTURE=_AMD64_
13 | else ifeq "$(ARCH)" "x86"
14 |     ARCHITECTURE=_X86_
15 | else ifeq "$(ARCH)" "ARM"
16 |     ARCHITECTURE=_ARM_
17 | endif
18 | 
19 | ADDITIONAL_SETTINGS=
20 | ifeq "$(SET)" "EXTENDED"
21 |     ADDITIONAL_SETTINGS=-fwrapv -fomit-frame-pointer -march=native
22 | endif
23 | 
24 | ifeq "$(ASM)" "TRUE"
25 |     USE_ASM=-D _ASM_
26 | endif
27 | 
28 | ifeq "$(GENERIC)" "TRUE"
29 |     USE_GENERIC=-D _GENERIC_
30 | endif
31 | 
32 | ifeq "$(AVX2)" "TRUE"
33 |     USE_AVX2=-D _AVX2_
34 |     SIMD=-mavx2
35 | endif
36 | 
37 | ifeq "$(ARCH)" "ARM"
38 |     ARM_SETTING=-lrt
39 | endif
40 | 
41 | cc=$(COMPILER)
42 | CFLAGS=-c $(OPT) $(ADDITIONAL_SETTINGS) $(SIMD) -D $(ARCHITECTURE) -D __LINUX__ $(USE_AVX2) $(USE_ASM) $(USE_GENERIC)
43 | LDFLAGS=
44 | ifeq "$(GENERIC)" "TRUE"
45 |     OTHER_OBJECTS=ntt.o
46 | else
47 | ifeq "$(ASM)" "TRUE"
48 |     OTHER_OBJECTS=ntt_x64.o consts.o
49 |     ASM_OBJECTS=ntt_x64_asm.o error_asm.o
50 | endif 
51 | endif
52 | OBJECTS=kex.o random.o ntt_constants.o $(ASM_OBJECTS) $(OTHER_OBJECTS)
53 | OBJECTS_TEST=tests.o test_extras.o $(OBJECTS)
54 | OBJECTS_ALL=$(OBJECTS) $(OBJECTS_TEST)
55 | 
56 | test: $(OBJECTS_TEST)
57 | 	$(CC) -o test $(OBJECTS_TEST) $(ARM_SETTING)
58 | 
59 | kex.o: kex.c LatticeCrypto_priv.h
60 | 	$(CC) $(CFLAGS) kex.c
61 | 
62 | random.o: random.c LatticeCrypto_priv.h
63 | 	$(CC) $(CFLAGS) random.c
64 | 
65 | ntt_constants.o: ntt_constants.c LatticeCrypto_priv.h
66 | 	$(CC) $(CFLAGS) ntt_constants.c
67 |     
68 | ifeq "$(GENERIC)" "TRUE"
69 |     ntt.o: generic/ntt.c LatticeCrypto_priv.h
70 | 	    $(CC) $(CFLAGS) generic/ntt.c 
71 | else   
72 | ifeq "$(ASM)" "TRUE"
73 |     ntt_x64.o: AMD64/ntt_x64.c
74 | 	    $(CC) $(CFLAGS) AMD64/ntt_x64.c
75 |     ntt_x64_asm.o: AMD64/ntt_x64_asm.S
76 | 	    $(CC) $(CFLAGS) AMD64/ntt_x64_asm.S
77 |     error_asm.o: AMD64/error_asm.S
78 | 	    $(CC) $(CFLAGS) AMD64/error_asm.S
79 |     consts.o: AMD64/consts.c
80 | 	    $(CC) $(CFLAGS) AMD64/consts.c
81 | endif
82 | endif
83 | 
84 | test_extras.o: tests/test_extras.c tests/test_extras.h LatticeCrypto_priv.h
85 | 	$(CC) $(CFLAGS) tests/test_extras.c
86 | 
87 | tests.o: tests/tests.c LatticeCrypto_priv.h
88 | 	$(CC) $(CFLAGS) tests/tests.c
89 | 
90 | .PHONY: clean
91 | 
92 | clean:
93 | 	rm -f test ntt.o ntt_x64.o ntt_x64_asm.o error_asm.o consts.o $(OBJECTS_ALL)
94 | 
95 | 


--------------------------------------------------------------------------------
/random.c:
--------------------------------------------------------------------------------
 1 | /****************************************************************************************
 2 | * LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
 3 | *
 4 | *    Copyright (c) Microsoft Corporation. All rights reserved.
 5 | *
 6 | *
 7 | * Abstract: wrappers for user-provided functions
 8 | *
 9 | *****************************************************************************************/
10 | 
11 | 
12 | #include "LatticeCrypto_priv.h"
13 | 
14 | 
15 | CRYPTO_STATUS random_bytes(unsigned int nbytes, unsigned char* random_array, RandomBytes RandomBytesFunction)
16 | { // Output "nbytes" of random values.
17 |   // It makes requests of random values to RandomBytesFunction. If successful, the output is given in "random_array".
18 |   // The caller is responsible for providing the "RandomBytesFunction" function passing random values as octets.
19 | 
20 |     if (random_array == NULL || RandomBytesFunction == NULL || nbytes == 0) {
21 |         return CRYPTO_ERROR_INVALID_PARAMETER;
22 |     }    
23 |     
24 |     return (RandomBytesFunction)(nbytes, random_array);
25 | }
26 | 
27 | 
28 | CRYPTO_STATUS extended_output(const unsigned char* seed, unsigned int seed_nbytes, unsigned int array_ndigits, uint32_t* extended_array, ExtendableOutput ExtendableOutputFunction)
29 | { // Output "array_ndigits" of values in [0, q-1] using an extendable-output function and a seed of size "seed_nbytes".
30 |   // It makes requests of values to ExtendableOutputFunction. If successful, the output is given in "extended_array".
31 |   // The caller is responsible for providing the "ExtendableOutputFunction" function passing values as 32-bit digits.
32 | 
33 |     if (seed == NULL || extended_array == NULL || ExtendableOutputFunction == NULL || seed_nbytes == 0 || array_ndigits == 0) {
34 |         return CRYPTO_ERROR_INVALID_PARAMETER;
35 |     }    
36 |     
37 |     return (ExtendableOutputFunction)(seed, seed_nbytes, array_ndigits, extended_array);
38 | }
39 | 
40 | 
41 | CRYPTO_STATUS stream_output(const unsigned char* seed, unsigned int seed_nbytes, unsigned char* nonce, unsigned int nonce_nbytes, unsigned int array_nbytes, unsigned char* stream_array, StreamOutput StreamOutputFunction)
42 | { // Output "array_nbytes" of values using a stream cipher, a seed of size "seed_nbytes" and a nonce of size "nonce_nbytes".  
43 |   // It makes requests of values to StreamOutputFunction. If successful, the output is given in "stream_array".
44 |   // The caller is responsible for providing the "StreamOutputFunction" function passing values as octets.
45 | 
46 |     if (seed == NULL || stream_array == NULL || StreamOutputFunction == NULL || seed_nbytes == 0 || nonce_nbytes == 0 || array_nbytes == 0) {
47 |         return CRYPTO_ERROR_INVALID_PARAMETER;
48 |     }    
49 |     
50 |     return (StreamOutputFunction)(seed, seed_nbytes, nonce, nonce_nbytes, array_nbytes, stream_array);
51 | }


--------------------------------------------------------------------------------
/LatticeCrypto_priv.h:
--------------------------------------------------------------------------------
  1 | /****************************************************************************************
  2 | * LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
  3 | *
  4 | *    Copyright (c) Microsoft Corporation. All rights reserved.
  5 | *
  6 | *
  7 | * Abstract: internal header file
  8 | *
  9 | *****************************************************************************************/  
 10 | 
 11 | #ifndef __LatticeCrypto_priv_H__
 12 | #define __LatticeCrypto_priv_H__
 13 | 
 14 | 
 15 | // For C++
 16 | #ifdef __cplusplus
 17 | extern "C" {
 18 | #endif
 19 | 
 20 | 
 21 | #include "LatticeCrypto.h"
 22 | 
 23 | 
 24 | // Basic constants            
 25 | #define PARAMETER_N         1024 
 26 | #define PARAMETER_Q         12289 
 27 | #define SEED_BYTES          256/8
 28 | #define ERROR_SEED_BYTES    256/8
 29 | #define NONCE_SEED_BYTES    256/8
 30 | #define PARAMETER_Q4        3073 
 31 | #define PARAMETER_3Q4       9217 
 32 | #define PARAMETER_5Q4       15362 
 33 | #define PARAMETER_7Q4       21506 
 34 | #define PARAMETER_Q2        6145 
 35 | #define PARAMETER_3Q2       18434
 36 |     
 37 | 
 38 | // Macro definitions
 39 | 
 40 | #define NBITS_TO_NWORDS(nbits)      (((nbits)+(sizeof(digit_t)*8)-1)/(sizeof(digit_t)*8))    // Conversion macro from number of bits to number of computer words
 41 | #define NBYTES_TO_NWORDS(nbytes)    (((nbytes)+sizeof(digit_t)-1)/sizeof(digit_t))           // Conversion macro from number of bytes to number of computer words
 42 | 
 43 | // Macro to avoid compiler warnings when detecting unreferenced parameters
 44 | #define UNREFERENCED_PARAMETER(PAR) (PAR)
 45 | 
 46 | 
 47 | /******************** Function prototypes *******************/
 48 | /******************* Polynomial functions *******************/
 49 | 
 50 | // Forward NTT
 51 | void NTT_CT_std2rev_12289(int32_t* a, const int32_t* psi_rev, unsigned int N);
 52 | void NTT_CT_std2rev_12289_asm(int32_t* a, const int32_t* psi_rev, unsigned int N);
 53 | 
 54 | // Inverse NTT
 55 | void INTT_GS_rev2std_12289(int32_t* a, const int32_t* omegainv_rev, const int32_t omegainv1N_rev, const int32_t Ninv, unsigned int N);
 56 | void INTT_GS_rev2std_12289_asm(int32_t* a, const int32_t* omegainv_rev, const int32_t omegainv1N_rev, const int32_t Ninv, unsigned int N);
 57 | 
 58 | // Reduction modulo q
 59 | int32_t reduce12289(int64_t a);
 60 | 
 61 | // Two merged reductions modulo q
 62 | int32_t reduce12289_2x(int64_t a);
 63 | 
 64 | // Two consecutive reductions modulo q
 65 | void two_reduce12289(int32_t* a, unsigned int N);
 66 | void two_reduce12289_asm(int32_t* a, unsigned int N);
 67 | 
 68 | // Correction modulo q
 69 | void correction(int32_t* a, int32_t p, unsigned int N);
 70 | 
 71 | // Component-wise multiplication
 72 | void pmul(int32_t* a, int32_t* b, int32_t* c, unsigned int N);
 73 | void pmul_asm(int32_t* a, int32_t* b, int32_t* c, unsigned int N);
 74 | 
 75 | // Component-wise multiplication and addition
 76 | void pmuladd(int32_t* a, int32_t* b, int32_t* c, int32_t* d, unsigned int N);
 77 | void pmuladd_asm(int32_t* a, int32_t* b, int32_t* c, int32_t* d, unsigned int N);
 78 | 
 79 | // Component-wise multiplication with scalar
 80 | void smul(int32_t* a, int32_t scalar, unsigned int N);
 81 | 
 82 | /******************* Key exchange functions *******************/
 83 | 
 84 | // Alice's message encoding
 85 | void encode_A(const uint32_t* pk, const unsigned char* seed, unsigned char* m);
 86 | 
 87 | // Alice's message decoding
 88 | void decode_A(const unsigned char* m, uint32_t *pk, unsigned char* seed); 
 89 |     
 90 | // Bob's message encoding
 91 | void encode_B(const uint32_t* pk, const uint32_t* rvec, unsigned char* m);
 92 |     
 93 | // Bob's message decoding
 94 | void decode_B(unsigned char* m, uint32_t* pk, uint32_t* rvec);
 95 | 
 96 | // Partial message encoding/decoding (assembly optimized) 
 97 | void encode_asm(const uint32_t* pk, unsigned char* m);
 98 | void decode_asm(const unsigned char* m, uint32_t *pk);
 99 | 
100 | // Reconciliation helper
101 | CRYPTO_STATUS HelpRec(const uint32_t* x, uint32_t* rvec, const unsigned char* seed, unsigned int nonce, StreamOutput StreamOutputFunction);
102 | 
103 | // Partial reconciliation helper (assembly optimized)        
104 | void helprec_asm(const uint32_t* x, uint32_t* rvec, unsigned char* random_bits);
105 | 
106 | // Reconciliation
107 | void Rec(const uint32_t *x, const uint32_t* rvec, unsigned char *key);
108 | void rec_asm(const uint32_t *x, const uint32_t* rvec, unsigned char *key);
109 | 
110 | // Error sampling
111 | CRYPTO_STATUS get_error(int32_t* e, unsigned char* seed, unsigned int nonce, StreamOutput StreamOutputFunction);
112 | 
113 | // Partial error sampling (assembly optimized)        
114 | void error_sampling_asm(unsigned char* stream, int32_t* e);
115 | 
116 | // Generation of parameter a
117 | CRYPTO_STATUS generate_a(uint32_t* a, const unsigned char* seed, ExtendableOutput ExtendableOutputFunction);
118 | 
119 | 
120 | #ifdef __cplusplus
121 | }
122 | #endif
123 | 
124 | 
125 | #endif
126 | 


--------------------------------------------------------------------------------
/generic/ntt.c:
--------------------------------------------------------------------------------
  1 | /****************************************************************************************
  2 | * LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
  3 | *
  4 | *    Copyright (c) Microsoft Corporation. All rights reserved.
  5 | *
  6 | *
  7 | * Abstract: NTT functions and other polynomial operations
  8 | *
  9 | *****************************************************************************************/
 10 | 
 11 | #include "../LatticeCrypto_priv.h"
 12 | 
 13 | const uint32_t mask12 = ((uint64_t)1 << 12) - 1;
 14 | 
 15 |     
 16 | int32_t reduce12289(int64_t a)
 17 | { // Reduction modulo q
 18 |     int32_t c0, c1;
 19 |    
 20 |     c0 = (int32_t)(a & mask12);
 21 |     c1 = (int32_t)(a >> 12);
 22 |  
 23 |     return (3*c0 - c1);
 24 | }
 25 | 
 26 |     
 27 | int32_t reduce12289_2x(int64_t a)
 28 | { // Two merged reductions modulo q
 29 |     int32_t c0, c1, c2;
 30 |    
 31 |     c0 = (int32_t)(a & mask12);
 32 |     c1 = (int32_t)((a >> 12) & mask12);
 33 |     c2 = (int32_t)(a >> 24);
 34 |  
 35 |     return (9*c0 - 3*c1 + c2);
 36 | }
 37 | 
 38 | 
 39 | void NTT_CT_std2rev_12289(int32_t* a, const int32_t* psi_rev, unsigned int N)
 40 | { // Forward NTT
 41 |     unsigned int m, i, j, j1, j2, k = N;
 42 |     int32_t S, U, V;
 43 | 
 44 |     for (m = 1; m < 128; m = 2*m) {
 45 |         k = k >> 1;
 46 |         for (i = 0; i < m; i++) {
 47 |             j1 = 2*i*k;
 48 |             j2 = j1+k-1;
 49 |             S = psi_rev[m+i];
 50 |             for (j = j1; j <= j2; j++) { 
 51 |                 U = a[j]; 
 52 |                 V = reduce12289((int64_t)a[j+k]*S);
 53 |                 a[j] = U+V;
 54 |                 a[j+k] = U-V;
 55 |             }
 56 |         }
 57 |     }
 58 | 
 59 |     k = 4;
 60 |     for (i = 0; i < 128; i++) {
 61 |         j1 = 8*i;
 62 |         j2 = j1+3;
 63 |         S = psi_rev[i+128];
 64 |         for (j = j1; j <= j2; j++) {
 65 |             U = reduce12289((int64_t)a[j]);
 66 |             V = reduce12289_2x((int64_t)a[j+4]*S);
 67 |             a[j] = U+V;
 68 |             a[j+4] = U-V;
 69 |         }
 70 |     }
 71 | 
 72 |     for (m = 256; m < N; m = 2*m) {
 73 |         k = k >> 1;
 74 |         for (i = 0; i < m; i++) {
 75 |             j1 = 2*i*k;
 76 |             j2 = j1+k-1;
 77 |             S = psi_rev[m+i];
 78 |             for (j = j1; j <= j2; j++) { 
 79 |                 U = a[j]; 
 80 |                 V = reduce12289((int64_t)a[j+k]*S); 
 81 |                 a[j] = U+V;
 82 |                 a[j+k] = U-V;
 83 |             }
 84 |         }
 85 |     }
 86 |     return;
 87 | }
 88 | 
 89 | 
 90 | void INTT_GS_rev2std_12289(int32_t* a, const int32_t* omegainv_rev, const int32_t omegainv1N_rev, const int32_t Ninv, unsigned int N)
 91 | { // Inverse NTT
 92 |     unsigned int m, h, i, j, j1, j2, k = 1;
 93 |     int32_t S, U, V;
 94 |     int64_t temp;
 95 | 
 96 |     for (m = N; m > 2; m >>= 1) {
 97 |         j1 = 0;
 98 |         h = m >> 1;
 99 |         for (i = 0; i < h; i++) {
100 |             j2 = j1+k-1;
101 |             S = omegainv_rev[h+i];
102 |             for (j = j1; j <= j2; j++) {
103 |                 U = a[j];
104 |                 V = a[j+k];
105 |                 a[j] = U+V;
106 |                 temp = (int64_t)(U-V)*S;
107 |                 if (m == 32) {
108 |                     a[j] = reduce12289((int64_t)a[j]);
109 |                     a[j+k] = reduce12289_2x(temp);
110 |                 } else {
111 |                     a[j+k] = reduce12289(temp);
112 |                 }
113 |              }
114 |              j1 = j1+2*k;
115 |         }
116 |         k = 2*k;
117 |     }
118 |     for (j = 0; j < k; j++) {
119 |         U = a[j];
120 |         V = a[j+k];
121 |         a[j] = reduce12289((int64_t)(U+V)*Ninv);
122 |         a[j+k] = reduce12289((int64_t)(U-V)*omegainv1N_rev);
123 |     }
124 |     return;
125 | }
126 | 
127 | 
128 | void two_reduce12289(int32_t* a, unsigned int N)
129 | { // Two consecutive reductions modulo q
130 |     unsigned int i; 
131 | 
132 |     for (i = 0; i < N; i++) {
133 |         a[i] = reduce12289((int64_t)a[i]);
134 |         a[i] = reduce12289((int64_t)a[i]);
135 |     }
136 | }
137 | 
138 | 
139 | void pmul(int32_t* a, int32_t* b, int32_t* c, unsigned int N)
140 | { // Component-wise multiplication
141 |     unsigned int i; 
142 | 
143 |     for (i = 0; i < N; i++) {
144 |         c[i] = reduce12289((int64_t)a[i]*b[i]);
145 |         c[i] = reduce12289((int64_t)c[i]);
146 |     }
147 | }
148 | 
149 | 
150 | void pmuladd(int32_t* a, int32_t* b, int32_t* c, int32_t* d, unsigned int N)
151 | { // Component-wise multiplication and addition
152 |     unsigned int i; 
153 | 
154 |     for (i = 0; i < N; i++) {
155 |         d[i] = reduce12289((int64_t)a[i]*b[i] + c[i]);
156 |         d[i] = reduce12289((int64_t)d[i]);
157 |     }
158 | }
159 | 
160 | 
161 | void smul(int32_t* a, int32_t scalar, unsigned int N)
162 | { // Component-wise multiplication with scalar
163 |     unsigned int i; 
164 | 
165 |     for (i = 0; i < N; i++) {
166 |         a[i] = a[i]*scalar;
167 |     }
168 | }
169 | 
170 | 
171 | void correction(int32_t* a, int32_t p, unsigned int N)
172 | { // Correction modulo q 
173 |     unsigned int i; 
174 |     int32_t mask;
175 | 
176 |     for (i = 0; i < N; i++) {
177 |         mask = a[i] >> (4*sizeof(int32_t) - 1);
178 |         a[i] += (p & mask) - p;
179 |         mask = a[i] >> (4*sizeof(int32_t) - 1);
180 |         a[i] += (p & mask);
181 |     }
182 | }
183 | 


--------------------------------------------------------------------------------
/tests/test_extras.c:
--------------------------------------------------------------------------------
  1 | /****************************************************************************************
  2 | * LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
  3 | *
  4 | *    Copyright (c) Microsoft Corporation. All rights reserved.
  5 | *
  6 | *
  7 | * Abstract: additional functions for testing
  8 | *
  9 | *****************************************************************************************/
 10 | 
 11 | 
 12 | #include "../LatticeCrypto_priv.h"
 13 | #include "test_extras.h"
 14 | #if (OS_TARGET == OS_WIN)
 15 |     #include <windows.h>
 16 |     #include <intrin.h>
 17 | #endif
 18 | #if (OS_TARGET == OS_LINUX) && (TARGET == TARGET_ARM)
 19 |     #include <time.h>
 20 | #endif
 21 | #include <stdlib.h> 
 22 | 
 23 | 
 24 | int64_t cpucycles(void)
 25 | { // Access system counter for benchmarking
 26 | #if (OS_TARGET == OS_WIN) && (TARGET == TARGET_AMD64 || TARGET == TARGET_x86)
 27 |     return __rdtsc();
 28 | #elif (OS_TARGET == OS_WIN) && (TARGET == TARGET_ARM)
 29 |     return __rdpmccntr64();
 30 | #elif (OS_TARGET == OS_LINUX) && (TARGET == TARGET_AMD64 || TARGET == TARGET_x86)
 31 |     unsigned int hi, lo;
 32 | 
 33 |     asm volatile ("rdtsc\n\t" : "=a" (lo), "=d"(hi));
 34 |     return ((int64_t)lo) | (((int64_t)hi) << 32);
 35 | #elif (OS_TARGET == OS_LINUX) && (TARGET == TARGET_ARM)
 36 |     struct timespec time;
 37 | 
 38 |     clock_gettime(CLOCK_REALTIME, &time);
 39 |     return (int64_t)(time.tv_sec*1e9 + time.tv_nsec);
 40 | #else
 41 |     return 0;            
 42 | #endif
 43 | }
 44 | 
 45 | 
 46 | CRYPTO_STATUS random_bytes_test(unsigned int nbytes, unsigned char* random_array)
 47 | { // Generate "nbytes" of random values and output the result to random_array.
 48 |   // SECURITY NOTE: TO BE USED FOR TESTING ONLY.
 49 |     unsigned int i;
 50 | 
 51 |     for (i = 0; i < nbytes; i++) {
 52 |         *(random_array + i) = (unsigned char)rand();    // nbytes of random values
 53 |     }
 54 | 
 55 |     return CRYPTO_SUCCESS;
 56 | }
 57 | 
 58 | 
 59 | CRYPTO_STATUS extendable_output_test(const unsigned char* seed, unsigned int seed_nbytes, unsigned int array_ndigits, uint32_t* extended_array)
 60 | { // Generate "array_ndigits" of 32-bit values and output the result to extended_array.
 61 |   // SECURITY NOTE: TO BE USED FOR TESTING ONLY.
 62 |     unsigned int count = 0;
 63 |     uint32_t digit;
 64 | 
 65 |     UNREFERENCED_PARAMETER(seed);
 66 |     UNREFERENCED_PARAMETER(seed_nbytes);
 67 |     UNREFERENCED_PARAMETER(array_ndigits);
 68 | 
 69 |     srand((unsigned int)seed[0]);
 70 | 
 71 |     while (count < array_ndigits) {
 72 |         random_bytes_test(2, (unsigned char*)&digit);   // Pull 2 bytes to get a 14-bit value
 73 |         digit &= 0x3FFF;
 74 |         if (digit < PARAMETER_Q) {                      // Take it if it is in [0, q-1]
 75 |             extended_array[count] = digit;
 76 |             count++;
 77 |         }
 78 |     }
 79 | 
 80 |     return CRYPTO_SUCCESS;
 81 | }
 82 | 
 83 | 
 84 | CRYPTO_STATUS stream_output_test(const unsigned char* seed, unsigned int seed_nbytes, unsigned char* nonce, unsigned int nonce_nbytes, unsigned int array_nbytes, unsigned char* stream_array)
 85 | { // Generate "array_nbytes" of values and output the result to stream_array.
 86 |   // SECURITY NOTE: TO BE USED FOR TESTING ONLY.
 87 |     
 88 |     UNREFERENCED_PARAMETER(seed);
 89 |     UNREFERENCED_PARAMETER(seed_nbytes);
 90 |     UNREFERENCED_PARAMETER(nonce);
 91 |     UNREFERENCED_PARAMETER(nonce_nbytes);
 92 | 
 93 |     random_bytes_test(array_nbytes, stream_array); 
 94 | 
 95 |     return CRYPTO_SUCCESS;
 96 | }
 97 | 
 98 | 
 99 | void random_poly_test(int32_t* a, unsigned int p, unsigned int pbits, unsigned int N)
100 | { // Generating a pseudo-random polynomial a[x] over GF(p) 
101 |   // SECURITY NOTE: TO BE USED FOR TESTING ONLY.
102 |     unsigned int i, mask = ((unsigned int)1 << pbits) - 1;
103 |     unsigned char* string = (unsigned char*)a;
104 | 
105 |     for (i = 0; i < N; i++) {
106 |         do {
107 |             *(string + 4*i)     = (unsigned char)rand();      // Obtain GF(p) coefficient
108 |             *(string + 4*i + 1) = (unsigned char)rand();
109 |             a[i] &= mask;
110 |         } while (a[i] >= (int32_t)p);
111 |     }
112 | }
113 | 
114 | 
115 | int compare_poly(int32_t* a, int32_t* b, unsigned int N)
116 | { // Comparing two polynomials over GF(p), a[x]=b[x]? : (0) a=b, (1) a!=b
117 |   // SECURITY NOTE: TO BE USED FOR TESTING ONLY.
118 |     unsigned int i;
119 | 
120 |     for (i = 0; i < N; i++)
121 |     {
122 |         if (a[i] != b[i]) 
123 |             return 1;
124 |     }
125 | 
126 |     return 0; 
127 | }
128 | 
129 | 
130 | int reduce(int a, int p)
131 | { // Modular reduction
132 |   // SECURITY NOTE: TO BE USED FOR TESTING ONLY.
133 |     a %= p;
134 |     if (a < 0) a += p;
135 | 
136 |     return a;
137 | }
138 | 
139 | 
140 | void mul_test(int32_t* a, int32_t* b, int32_t* c, uint32_t p, unsigned int N)                  
141 | { // Polynomial multiplication using the schoolbook method, c[x] = a[x]*b[x] 
142 |   // SECURITY NOTE: TO BE USED FOR TESTING ONLY.  
143 |     unsigned int i, j, index, mask = N - 1;
144 | 
145 |      for (i = 0; i < N; i++) c[i] = 0;
146 | 
147 |      for (i = 0; i < N; i++) {
148 |           for (j = 0; j < N; j++) {
149 |               index = (i+j) & mask;
150 |               if (i+j >= N) {
151 |                   c[index] = reduce(c[index] - (a[i]*b[j]), p);                
152 |               } else {
153 |                   c[index] = reduce(c[index] + (a[i]*b[j]), p); 
154 |               }
155 |           }
156 |      }
157 | }
158 | 
159 | 
160 | void add_test(int32_t* a, int32_t* b, int32_t* c, uint32_t p, unsigned int N)                  
161 | { // Polynomial addition, c[x] = a[x] + b[x] 
162 |   // SECURITY NOTE: TO BE USED FOR TESTING ONLY.    
163 |     unsigned int i;
164 | 
165 |      for (i = 0; i < N; i++) {
166 |           c[i] = reduce(a[i] + b[i], p); 
167 |      }
168 | }


--------------------------------------------------------------------------------
/Visual Studio/tests/tests.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Debug|x64">
  9 |       <Configuration>Debug</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Generic|Win32">
 13 |       <Configuration>Generic</Configuration>
 14 |       <Platform>Win32</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Generic|x64">
 17 |       <Configuration>Generic</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Release|Win32">
 21 |       <Configuration>Release</Configuration>
 22 |       <Platform>Win32</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|x64">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>x64</Platform>
 27 |     </ProjectConfiguration>
 28 |   </ItemGroup>
 29 |   <ItemGroup>
 30 |     <ClInclude Include="..\..\LatticeCrypto.h" />
 31 |     <ClInclude Include="..\..\LatticeCrypto_priv.h" />
 32 |     <ClInclude Include="..\..\tests\test_extras.h" />
 33 |   </ItemGroup>
 34 |   <ItemGroup>
 35 |     <ClCompile Include="..\..\tests\tests.c" />
 36 |     <ClCompile Include="..\..\tests\test_extras.c" />
 37 |   </ItemGroup>
 38 |   <ItemGroup>
 39 |     <ProjectReference Include="..\LatticeCrypto\LatticeCrypto.vcxproj">
 40 |       <Project>{8283dd76-e88a-4b63-abde-33f014178413}</Project>
 41 |     </ProjectReference>
 42 |   </ItemGroup>
 43 |   <PropertyGroup Label="Globals">
 44 |     <ProjectGuid>{C9639168-C3FF-4427-BC3B-D907FF11DE73}</ProjectGuid>
 45 |     <Keyword>Win32Proj</Keyword>
 46 |     <RootNamespace>fp_tests</RootNamespace>
 47 |     <ProjectName>tests</ProjectName>
 48 |   </PropertyGroup>
 49 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 50 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 51 |     <ConfigurationType>Application</ConfigurationType>
 52 |     <UseDebugLibraries>true</UseDebugLibraries>
 53 |     <PlatformToolset>v120</PlatformToolset>
 54 |     <CharacterSet>Unicode</CharacterSet>
 55 |   </PropertyGroup>
 56 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 57 |     <ConfigurationType>Application</ConfigurationType>
 58 |     <UseDebugLibraries>true</UseDebugLibraries>
 59 |     <PlatformToolset>v120</PlatformToolset>
 60 |     <CharacterSet>Unicode</CharacterSet>
 61 |   </PropertyGroup>
 62 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 63 |     <ConfigurationType>Application</ConfigurationType>
 64 |     <UseDebugLibraries>false</UseDebugLibraries>
 65 |     <PlatformToolset>v120</PlatformToolset>
 66 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 67 |     <CharacterSet>Unicode</CharacterSet>
 68 |   </PropertyGroup>
 69 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 70 |     <ConfigurationType>Application</ConfigurationType>
 71 |     <UseDebugLibraries>false</UseDebugLibraries>
 72 |     <PlatformToolset>v120</PlatformToolset>
 73 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 74 |     <CharacterSet>Unicode</CharacterSet>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Generic|Win32'">
 77 |     <PlatformToolset>v120</PlatformToolset>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Generic|x64'" Label="Configuration">
 80 |     <PlatformToolset>v120</PlatformToolset>
 81 |   </PropertyGroup>
 82 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 83 |   <ImportGroup Label="ExtensionSettings">
 84 |   </ImportGroup>
 85 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 87 |   </ImportGroup>
 88 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
 89 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 90 |   </ImportGroup>
 91 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 92 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 93 |   </ImportGroup>
 94 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
 95 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 96 |   </ImportGroup>
 97 |   <PropertyGroup Label="UserMacros" />
 98 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 99 |     <LinkIncremental>true</LinkIncremental>
100 |   </PropertyGroup>
101 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
102 |     <LinkIncremental>true</LinkIncremental>
103 |   </PropertyGroup>
104 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
105 |     <LinkIncremental>false</LinkIncremental>
106 |   </PropertyGroup>
107 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
108 |     <LinkIncremental>false</LinkIncremental>
109 |   </PropertyGroup>
110 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
111 |     <ClCompile>
112 |       <PrecompiledHeader>
113 |       </PrecompiledHeader>
114 |       <WarningLevel>Level4</WarningLevel>
115 |       <Optimization>Disabled</Optimization>
116 |       <PreprocessorDefinitions>__WINDOWS__; _X86_;</PreprocessorDefinitions>
117 |       <MinimalRebuild>false</MinimalRebuild>
118 |       <BasicRuntimeChecks>Default</BasicRuntimeChecks>
119 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
120 |       <FunctionLevelLinking>true</FunctionLevelLinking>
121 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
122 |     </ClCompile>
123 |     <Link>
124 |       <SubSystem>Console</SubSystem>
125 |       <GenerateDebugInformation>true</GenerateDebugInformation>
126 |     </Link>
127 |   </ItemDefinitionGroup>
128 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
129 |     <ClCompile>
130 |       <PrecompiledHeader>
131 |       </PrecompiledHeader>
132 |       <WarningLevel>Level4</WarningLevel>
133 |       <Optimization>Disabled</Optimization>
134 |       <PreprocessorDefinitions>__WINDOWS__; _AMD64_;</PreprocessorDefinitions>
135 |       <MinimalRebuild>false</MinimalRebuild>
136 |       <BasicRuntimeChecks>Default</BasicRuntimeChecks>
137 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
138 |       <FunctionLevelLinking>true</FunctionLevelLinking>
139 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
140 |       <EnableEnhancedInstructionSet>AdvancedVectorExtensions</EnableEnhancedInstructionSet>
141 |     </ClCompile>
142 |     <Link>
143 |       <SubSystem>Console</SubSystem>
144 |       <GenerateDebugInformation>true</GenerateDebugInformation>
145 |     </Link>
146 |   </ItemDefinitionGroup>
147 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
148 |     <ClCompile>
149 |       <WarningLevel>Level4</WarningLevel>
150 |       <PrecompiledHeader>
151 |       </PrecompiledHeader>
152 |       <Optimization>MaxSpeed</Optimization>
153 |       <FunctionLevelLinking>true</FunctionLevelLinking>
154 |       <IntrinsicFunctions>true</IntrinsicFunctions>
155 |       <PreprocessorDefinitions>__WINDOWS__; _X86_;</PreprocessorDefinitions>
156 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
157 |     </ClCompile>
158 |     <Link>
159 |       <SubSystem>Console</SubSystem>
160 |       <GenerateDebugInformation>true</GenerateDebugInformation>
161 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
162 |       <OptimizeReferences>true</OptimizeReferences>
163 |     </Link>
164 |   </ItemDefinitionGroup>
165 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
166 |     <ClCompile>
167 |       <WarningLevel>Level4</WarningLevel>
168 |       <PrecompiledHeader>
169 |       </PrecompiledHeader>
170 |       <Optimization>MaxSpeed</Optimization>
171 |       <FunctionLevelLinking>true</FunctionLevelLinking>
172 |       <IntrinsicFunctions>true</IntrinsicFunctions>
173 |       <PreprocessorDefinitions>__WINDOWS__; _AMD64_;</PreprocessorDefinitions>
174 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
175 |       <EnableEnhancedInstructionSet>AdvancedVectorExtensions</EnableEnhancedInstructionSet>
176 |     </ClCompile>
177 |     <Link>
178 |       <SubSystem>Console</SubSystem>
179 |       <GenerateDebugInformation>true</GenerateDebugInformation>
180 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
181 |       <OptimizeReferences>true</OptimizeReferences>
182 |     </Link>
183 |   </ItemDefinitionGroup>
184 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Generic|Win32'">
185 |     <ClCompile>
186 |       <WarningLevel>Level4</WarningLevel>
187 |       <WholeProgramOptimization>true</WholeProgramOptimization>
188 |       <IntrinsicFunctions>true</IntrinsicFunctions>
189 |       <PreprocessorDefinitions>__WINDOWS__; _X86_; _GENERIC_;</PreprocessorDefinitions>
190 |       <FunctionLevelLinking>true</FunctionLevelLinking>
191 |       <Optimization>MaxSpeed</Optimization>
192 |     </ClCompile>
193 |     <Link>
194 |       <LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>
195 |       <GenerateDebugInformation>true</GenerateDebugInformation>
196 |     </Link>
197 |   </ItemDefinitionGroup>
198 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Generic|x64'">
199 |     <ClCompile>
200 |       <WarningLevel>Level4</WarningLevel>
201 |       <WholeProgramOptimization>true</WholeProgramOptimization>
202 |       <IntrinsicFunctions>true</IntrinsicFunctions>
203 |       <PreprocessorDefinitions>__WINDOWS__; _AMD64_; _GENERIC_;</PreprocessorDefinitions>
204 |       <FunctionLevelLinking>true</FunctionLevelLinking>
205 |       <EnableEnhancedInstructionSet>AdvancedVectorExtensions</EnableEnhancedInstructionSet>
206 |       <Optimization>MaxSpeed</Optimization>
207 |     </ClCompile>
208 |     <Link>
209 |       <LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>
210 |       <GenerateDebugInformation>true</GenerateDebugInformation>
211 |     </Link>
212 |   </ItemDefinitionGroup>
213 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
214 |   <ImportGroup Label="ExtensionTargets">
215 |   </ImportGroup>
216 | </Project>


--------------------------------------------------------------------------------
/LatticeCrypto.h:
--------------------------------------------------------------------------------
  1 | /****************************************************************************************
  2 | * LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
  3 | *
  4 | *    Copyright (c) Microsoft Corporation. All rights reserved.
  5 | *
  6 | *
  7 | * Abstract: main header file
  8 | *
  9 | *****************************************************************************************/  
 10 | 
 11 | #ifndef __LatticeCrypto_H__
 12 | #define __LatticeCrypto_H__
 13 | 
 14 | 
 15 | // For C++
 16 | #ifdef __cplusplus
 17 | extern "C" {
 18 | #endif
 19 | 
 20 | 
 21 | #include <stdint.h>
 22 | #include <stdbool.h>
 23 | #include <stddef.h>
 24 | 
 25 | 
 26 | // Definition of operating system
 27 | 
 28 | #define OS_WIN       1
 29 | #define OS_LINUX     2
 30 | 
 31 | #if defined(__WINDOWS__)        // Microsoft Windows OS
 32 |     #define OS_TARGET OS_WIN
 33 | #elif defined(__LINUX__)        // Linux OS
 34 |     #define OS_TARGET OS_LINUX 
 35 | #else
 36 |     #error -- "Unsupported OS"
 37 | #endif
 38 | 
 39 | 
 40 | // Definition of compiler
 41 | 
 42 | #define COMPILER_VC      1
 43 | #define COMPILER_GCC     2
 44 | #define COMPILER_CLANG   3
 45 | 
 46 | #if defined(_MSC_VER)           // Microsoft Visual C compiler
 47 |     #define COMPILER COMPILER_VC
 48 | #elif defined(__GNUC__)         // GNU GCC compiler
 49 |     #define COMPILER COMPILER_GCC   
 50 | #elif defined(__clang__)        // Clang compiler
 51 |     #define COMPILER COMPILER_CLANG   
 52 | #else
 53 |     #error -- "Unsupported COMPILER"
 54 | #endif
 55 | 
 56 | 
 57 | // Definition of the targeted architecture and basic data types
 58 |     
 59 | #define TARGET_AMD64        1
 60 | #define TARGET_x86          2
 61 | #define TARGET_ARM          3
 62 | 
 63 | #if defined(_AMD64_)
 64 |     #define TARGET TARGET_AMD64
 65 |     #define RADIX           64
 66 |     typedef uint64_t        digit_t;        // Unsigned 64-bit digit
 67 |     typedef int64_t         sdigit_t;       // Signed 64-bit digit   
 68 | #elif defined(_X86_)
 69 |     #define TARGET TARGET_x86
 70 |     #define RADIX           32
 71 |     typedef uint32_t        digit_t;        // Unsigned 32-bit digit
 72 |     typedef int32_t         sdigit_t;       // Signed 32-bit digit
 73 | #elif defined(_ARM_)
 74 |     #define TARGET TARGET_ARM
 75 |     #define RADIX           32
 76 |     typedef uint32_t        digit_t;        // Unsigned 32-bit digit
 77 |     typedef int32_t         sdigit_t;       // Signed 32-bit digit
 78 | #else
 79 |     #error -- "Unsupported ARCHITECTURE"
 80 | #endif
 81 | 
 82 | 
 83 | // Instruction support
 84 | 
 85 | #define NO_SIMD_SUPPORT 0
 86 | #define AVX_SUPPORT     1
 87 | #define AVX2_SUPPORT    2
 88 | 
 89 | #if defined(_AVX2_)
 90 |     #define SIMD_SUPPORT AVX2_SUPPORT       // AVX2 support selection 
 91 | #elif defined(_AVX_)
 92 |     #define SIMD_SUPPORT AVX_SUPPORT        // AVX support selection 
 93 | #else
 94 |     #define SIMD_SUPPORT NO_SIMD_SUPPORT
 95 | #endif
 96 | 
 97 | #if defined(_ASM_)                          // Assembly support selection
 98 |     #define ASM_SUPPORT
 99 | #endif
100 | 
101 | #if defined(_GENERIC_)                      // Selection of generic, portable implementation
102 |     #define GENERIC_IMPLEMENTATION
103 | #endif
104 | 
105 | 
106 | // Unsupported configurations
107 |                          
108 | #if defined(ASM_SUPPORT) && (OS_TARGET == OS_WIN)
109 |     #error -- "Assembly is not supported on this platform"
110 | #endif        
111 | 
112 | #if defined(ASM_SUPPORT) && defined(GENERIC_IMPLEMENTATION)
113 |     #error -- "Unsupported configuration"
114 | #endif        
115 | 
116 | #if (SIMD_SUPPORT != NO_SIMD_SUPPORT) && defined(GENERIC_IMPLEMENTATION)
117 |     #error -- "Unsupported configuration"
118 | #endif
119 | 
120 | #if (TARGET != TARGET_AMD64) && !defined(GENERIC_IMPLEMENTATION)
121 |     #error -- "Unsupported configuration"
122 | #endif
123 | 
124 | #if (OS_TARGET == OS_LINUX) && defined(ASM_SUPPORT) && (SIMD_SUPPORT != AVX2_SUPPORT)
125 |     #error -- "Unsupported configuration"
126 | #endif
127 | 
128 | 
129 | // Definitions of the error-handling type and error codes
130 | 
131 | typedef enum {
132 |     CRYPTO_SUCCESS,                          // 0x00
133 |     CRYPTO_ERROR,                            // 0x01
134 |     CRYPTO_ERROR_DURING_TEST,                // 0x02
135 |     CRYPTO_ERROR_UNKNOWN,                    // 0x03
136 |     CRYPTO_ERROR_NOT_IMPLEMENTED,            // 0x04
137 |     CRYPTO_ERROR_NO_MEMORY,                  // 0x05
138 |     CRYPTO_ERROR_INVALID_PARAMETER,          // 0x06
139 |     CRYPTO_ERROR_SHARED_KEY,                 // 0x07
140 |     CRYPTO_ERROR_TOO_MANY_ITERATIONS,        // 0x08
141 |     CRYPTO_ERROR_END_OF_LIST
142 | } CRYPTO_STATUS;
143 | 
144 | #define CRYPTO_STATUS_TYPE_SIZE (CRYPTO_ERROR_END_OF_LIST)       
145 | 
146 | 
147 | // Definitions of the error messages
148 | // NOTE: they must match the error codes above
149 | 
150 | #define CRYPTO_MSG_SUCCESS                                "CRYPTO_SUCCESS"
151 | #define CRYPTO_MSG_ERROR                                  "CRYPTO_ERROR"
152 | #define CRYPTO_MSG_ERROR_DURING_TEST                      "CRYPTO_ERROR_DURING_TEST"
153 | #define CRYPTO_MSG_ERROR_UNKNOWN                          "CRYPTO_ERROR_UNKNOWN"
154 | #define CRYPTO_MSG_ERROR_NOT_IMPLEMENTED                  "CRYPTO_ERROR_NOT_IMPLEMENTED"
155 | #define CRYPTO_MSG_ERROR_NO_MEMORY                        "CRYPTO_ERROR_NO_MEMORY"
156 | #define CRYPTO_MSG_ERROR_INVALID_PARAMETER                "CRYPTO_ERROR_INVALID_PARAMETER"
157 | #define CRYPTO_MSG_ERROR_SHARED_KEY                       "CRYPTO_ERROR_SHARED_KEY"
158 | #define CRYPTO_MSG_ERROR_TOO_MANY_ITERATIONS              "CRYPTO_ERROR_TOO_MANY_ITERATIONS"                                                            
159 | 
160 | 
161 | // Definition of type "RandomBytes" to implement callback function outputting "nbytes" of random values to "random_array"
162 | typedef CRYPTO_STATUS (*RandomBytes)(unsigned int nbytes, unsigned char* random_array);                                                   
163 | 
164 | // Definition of type "ExtendableOutput" to implement callback function outputting 32-bit "array_ndigits" of values to "extended_array"
165 | typedef CRYPTO_STATUS (*ExtendableOutput)(const unsigned char* seed, unsigned int seed_nbytes, unsigned int array_ndigits, uint32_t* extended_array);                                                  
166 | 
167 | // Definition of type "StreamOutput" to implement callback function outputting 32-bit "array_ndigits" of values to "stream_array"
168 | typedef CRYPTO_STATUS (*StreamOutput)(const unsigned char* seed, unsigned int seed_nbytes, unsigned char* nonce, unsigned int nonce_nbytes, unsigned int array_nbytes, unsigned char* stream_array);
169 | 
170 | 
171 | // Basic key-exchange constants  
172 | #define PKA_BYTES           1824      // Alice's public key size 
173 | #define PKB_BYTES           2048      // Bob's public key size 
174 | #define SHAREDKEY_BYTES     32        // Shared key size 
175 | 
176 | 
177 | // This data struct is initialized during setup with user-provided functions
178 | typedef struct
179 | {
180 |     RandomBytes      RandomBytesFunction;               // Function providing random bytes
181 |     ExtendableOutput ExtendableOutputFunction;          // Extendable output function
182 |     StreamOutput     StreamOutputFunction;              // Stream cipher function
183 | } LatticeCryptoStruct, *PLatticeCryptoStruct;
184 | 
185 | 
186 | /******************** Function prototypes *******************/
187 | /*********************** Auxiliary API **********************/ 
188 | 
189 | // Clear digits from memory. "nwords" indicates the number of digits to be zeroed.
190 | extern void clear_words(void* mem, digit_t nwords);
191 | 
192 | // Output "nbytes" of random values.
193 | // It makes requests of random values to RandomBytesFunction. If successful, the output is given in "random_array".
194 | // The caller is responsible for providing the "RandomBytesFunction" function passing random value as octets.
195 | CRYPTO_STATUS random_bytes(unsigned int nbytes, unsigned char* random_array, RandomBytes RandomBytesFunction);
196 | 
197 | // Output "array_ndigits" of values in [0, q-1] using an extendable-output function and a seed of size "seed_nbytes".   
198 | // It makes requests of values to ExtendableOutputFunction. If successful, the output is given in "extended_array".
199 | // The caller is responsible for providing the "ExtendableOutputFunction" function passing values as 32-bit digits. 
200 | CRYPTO_STATUS extended_output(const unsigned char* seed, unsigned int seed_nbytes, unsigned int array_ndigits, uint32_t* extended_array, ExtendableOutput ExtendableOutputFunction);
201 | 
202 | // Output "array_nbytes" of values using a stream cipher, a seed of size "seed_nbytes" and a nonce of size "nonce_nbytes".  
203 | // It makes requests of values to StreamOutputFunction. If successful, the output is given in "stream_array".
204 | // The caller is responsible for providing the "StreamOutputFunction" function passing values as octets.  
205 | CRYPTO_STATUS stream_output(const unsigned char* seed, unsigned int seed_nbytes, unsigned char* nonce, unsigned int nonce_nbytes, unsigned int array_nbytes, unsigned char* stream_array, StreamOutput StreamOutputFunction);
206 | 
207 | // Dynamic allocation of memory for LatticeCrypto structure. It should be called before initialization with LatticeCrypto_initialize(). Returns NULL on error.
208 | PLatticeCryptoStruct LatticeCrypto_allocate(void); 
209 | 
210 | // Initialize structure pLatticeCrypto with user-provided functions: RandomBytesFunction, ExtendableOutputFunction and StreamOutputFunction.
211 | CRYPTO_STATUS LatticeCrypto_initialize(PLatticeCryptoStruct pLatticeCrypto, RandomBytes RandomBytesFunction, ExtendableOutput ExtendableOutputFunction, StreamOutput StreamOutputFunction);
212 | 
213 | // Output error/success message for a given CRYPTO_STATUS
214 | const char* LatticeCrypto_get_error_message(CRYPTO_STATUS Status);
215 | 
216 | /*********************** Key exchange API ***********************/ 
217 | 
218 | // Alice's key generation 
219 | // It produces a private key SecretKeyA and computes the public key PublicKeyA.
220 | // Outputs: the private key SecretKeyA that consists of a 32-bit signed 1024-element array (4096 bytes in total)
221 | //          the public key PublicKeyA that occupies 1824 bytes
222 | // pLatticeCrypto must be set up in advance using LatticeCrypto_initialize().
223 | CRYPTO_STATUS KeyGeneration_A(int32_t* SecretKeyA, unsigned char* PublicKeyA, PLatticeCryptoStruct pLatticeCrypto);
224 | 
225 | // Bob's key generation and shared secret computation
226 | // It produces a private key and computes the public key PublicKeyB. In combination with Alice's public key PublicKeyA, it computes 
227 | // the shared secret SharedSecretB.
228 | // Input:   Alice's public key PublicKeyA that consists of 1824 bytes
229 | // Outputs: the public key PublicKeyB that occupies 2048 bytes.
230 | //          the 256-bit shared secret SharedSecretB.
231 | // pLatticeCrypto must be set up in advance using LatticeCrypto_initialize().
232 | CRYPTO_STATUS SecretAgreement_B(unsigned char* PublicKeyA, unsigned char* SharedSecretB, unsigned char* PublicKeyB, PLatticeCryptoStruct pLatticeCrypto);
233 | 
234 | // Alice's shared secret computation 
235 | // It computes the shared secret SharedSecretA using Bob's public key PublicKeyB and Alice's private key SecretKeyA.
236 | // Inputs: Bob's public key PublicKeyB that consists of 2048 bytes
237 | //         the private key SecretKeyA that consists of a 32-bit signed 1024-element array (4096 bytes in total)
238 | // Output: the 256-bit shared secret SharedSecretA.
239 | // pLatticeCrypto must be set up in advance using LatticeCrypto_initialize().
240 | CRYPTO_STATUS SecretAgreement_A(unsigned char* PublicKeyB, int32_t* SecretKeyA, unsigned char* SharedSecretA);
241 | 
242 | 
243 | #ifdef __cplusplus
244 | }
245 | #endif
246 | 
247 | 
248 | #endif
249 | 


--------------------------------------------------------------------------------
/Visual Studio/LatticeCrypto/LatticeCrypto.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Debug|x64">
  9 |       <Configuration>Debug</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Generic|Win32">
 13 |       <Configuration>Generic</Configuration>
 14 |       <Platform>Win32</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Generic|x64">
 17 |       <Configuration>Generic</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Release|Win32">
 21 |       <Configuration>Release</Configuration>
 22 |       <Platform>Win32</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|x64">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>x64</Platform>
 27 |     </ProjectConfiguration>
 28 |   </ItemGroup>
 29 |   <PropertyGroup Label="Globals">
 30 |     <ProjectGuid>{8283DD76-E88A-4B63-ABDE-33F014178413}</ProjectGuid>
 31 |     <Keyword>Win32Proj</Keyword>
 32 |     <RootNamespace>isoECClib</RootNamespace>
 33 |   </PropertyGroup>
 34 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 36 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 37 |     <UseDebugLibraries>true</UseDebugLibraries>
 38 |     <PlatformToolset>v120</PlatformToolset>
 39 |     <CharacterSet>Unicode</CharacterSet>
 40 |   </PropertyGroup>
 41 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 42 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 43 |     <UseDebugLibraries>true</UseDebugLibraries>
 44 |     <PlatformToolset>v120</PlatformToolset>
 45 |     <CharacterSet>Unicode</CharacterSet>
 46 |   </PropertyGroup>
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 48 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 49 |     <UseDebugLibraries>false</UseDebugLibraries>
 50 |     <PlatformToolset>v120</PlatformToolset>
 51 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 52 |     <CharacterSet>Unicode</CharacterSet>
 53 |   </PropertyGroup>
 54 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 55 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 56 |     <UseDebugLibraries>false</UseDebugLibraries>
 57 |     <PlatformToolset>v120</PlatformToolset>
 58 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 59 |     <CharacterSet>Unicode</CharacterSet>
 60 |   </PropertyGroup>
 61 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Generic|Win32'" Label="Configuration">
 62 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 63 |     <UseDebugLibraries>false</UseDebugLibraries>
 64 |     <PlatformToolset>v120</PlatformToolset>
 65 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 66 |     <CharacterSet>Unicode</CharacterSet>
 67 |   </PropertyGroup>
 68 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Generic|x64'" Label="Configuration">
 69 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 70 |     <UseDebugLibraries>false</UseDebugLibraries>
 71 |     <PlatformToolset>v120</PlatformToolset>
 72 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 73 |     <CharacterSet>Unicode</CharacterSet>
 74 |   </PropertyGroup>
 75 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 76 |   <ImportGroup Label="ExtensionSettings">
 77 |   </ImportGroup>
 78 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 79 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 80 |   </ImportGroup>
 81 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
 82 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 83 |   </ImportGroup>
 84 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 85 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 86 |   </ImportGroup>
 87 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
 88 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 89 |   </ImportGroup>
 90 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Generic|Win32'" Label="PropertySheets">
 91 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 92 |   </ImportGroup>
 93 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Generic|x64'" Label="PropertySheets">
 94 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 95 |   </ImportGroup>
 96 |   <PropertyGroup Label="UserMacros" />
 97 |   <PropertyGroup />
 98 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 99 |     <ClCompile>
100 |       <PrecompiledHeader>
101 |       </PrecompiledHeader>
102 |       <WarningLevel>Level4</WarningLevel>
103 |       <Optimization>Disabled</Optimization>
104 |       <PreprocessorDefinitions>__WINDOWS__; _X86_; _GENERIC_;</PreprocessorDefinitions>
105 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
106 |       <IntrinsicFunctions>false</IntrinsicFunctions>
107 |       <WholeProgramOptimization>false</WholeProgramOptimization>
108 |       <MinimalRebuild>false</MinimalRebuild>
109 |       <BasicRuntimeChecks>Default</BasicRuntimeChecks>
110 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
111 |       <FunctionLevelLinking>true</FunctionLevelLinking>
112 |     </ClCompile>
113 |     <Link>
114 |       <SubSystem>Windows</SubSystem>
115 |       <GenerateDebugInformation>true</GenerateDebugInformation>
116 |     </Link>
117 |   </ItemDefinitionGroup>
118 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
119 |     <ClCompile>
120 |       <PrecompiledHeader>
121 |       </PrecompiledHeader>
122 |       <WarningLevel>Level4</WarningLevel>
123 |       <Optimization>Disabled</Optimization>
124 |       <PreprocessorDefinitions>__WINDOWS__; _AMD64_; _GENERIC_;</PreprocessorDefinitions>
125 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
126 |       <IntrinsicFunctions>false</IntrinsicFunctions>
127 |       <WholeProgramOptimization>false</WholeProgramOptimization>
128 |       <MinimalRebuild>true</MinimalRebuild>
129 |       <BasicRuntimeChecks>Default</BasicRuntimeChecks>
130 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
131 |       <FunctionLevelLinking>
132 |       </FunctionLevelLinking>
133 |       <EnableEnhancedInstructionSet>AdvancedVectorExtensions</EnableEnhancedInstructionSet>
134 |     </ClCompile>
135 |     <Link>
136 |       <SubSystem>Windows</SubSystem>
137 |       <GenerateDebugInformation>true</GenerateDebugInformation>
138 |     </Link>
139 |   </ItemDefinitionGroup>
140 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
141 |     <ClCompile>
142 |       <WarningLevel>Level4</WarningLevel>
143 |       <PrecompiledHeader>
144 |       </PrecompiledHeader>
145 |       <Optimization>MaxSpeed</Optimization>
146 |       <FunctionLevelLinking>true</FunctionLevelLinking>
147 |       <IntrinsicFunctions>true</IntrinsicFunctions>
148 |       <PreprocessorDefinitions>__WINDOWS__; _X86_; _GENERIC_;</PreprocessorDefinitions>
149 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
150 |     </ClCompile>
151 |     <Link>
152 |       <SubSystem>Windows</SubSystem>
153 |       <GenerateDebugInformation>true</GenerateDebugInformation>
154 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
155 |       <OptimizeReferences>true</OptimizeReferences>
156 |     </Link>
157 |   </ItemDefinitionGroup>
158 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
159 |     <ClCompile>
160 |       <WarningLevel>Level4</WarningLevel>
161 |       <PrecompiledHeader>
162 |       </PrecompiledHeader>
163 |       <Optimization>MaxSpeed</Optimization>
164 |       <FunctionLevelLinking>true</FunctionLevelLinking>
165 |       <IntrinsicFunctions>true</IntrinsicFunctions>
166 |       <PreprocessorDefinitions>__WINDOWS__; _AMD64_; _GENERIC_;</PreprocessorDefinitions>
167 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
168 |       <EnableEnhancedInstructionSet>AdvancedVectorExtensions</EnableEnhancedInstructionSet>
169 |     </ClCompile>
170 |     <Link>
171 |       <SubSystem>Windows</SubSystem>
172 |       <GenerateDebugInformation>true</GenerateDebugInformation>
173 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
174 |       <OptimizeReferences>true</OptimizeReferences>
175 |     </Link>
176 |   </ItemDefinitionGroup>
177 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Generic|Win32'">
178 |     <ClCompile>
179 |       <WarningLevel>Level4</WarningLevel>
180 |       <PrecompiledHeader>
181 |       </PrecompiledHeader>
182 |       <Optimization>MaxSpeed</Optimization>
183 |       <FunctionLevelLinking>true</FunctionLevelLinking>
184 |       <IntrinsicFunctions>true</IntrinsicFunctions>
185 |       <PreprocessorDefinitions>__WINDOWS__; _X86_; _GENERIC_;</PreprocessorDefinitions>
186 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
187 |     </ClCompile>
188 |     <Link>
189 |       <SubSystem>Windows</SubSystem>
190 |       <GenerateDebugInformation>true</GenerateDebugInformation>
191 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
192 |       <OptimizeReferences>true</OptimizeReferences>
193 |     </Link>
194 |   </ItemDefinitionGroup>
195 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Generic|x64'">
196 |     <ClCompile>
197 |       <WarningLevel>Level4</WarningLevel>
198 |       <PrecompiledHeader>
199 |       </PrecompiledHeader>
200 |       <Optimization>MaxSpeed</Optimization>
201 |       <FunctionLevelLinking>true</FunctionLevelLinking>
202 |       <IntrinsicFunctions>true</IntrinsicFunctions>
203 |       <PreprocessorDefinitions>__WINDOWS__; _AMD64_; _GENERIC_;</PreprocessorDefinitions>
204 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
205 |       <EnableEnhancedInstructionSet>AdvancedVectorExtensions</EnableEnhancedInstructionSet>
206 |     </ClCompile>
207 |     <Link>
208 |       <SubSystem>Windows</SubSystem>
209 |       <GenerateDebugInformation>true</GenerateDebugInformation>
210 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
211 |       <OptimizeReferences>true</OptimizeReferences>
212 |     </Link>
213 |   </ItemDefinitionGroup>
214 |   <ItemGroup>
215 |     <ClCompile Include="..\..\generic\ntt.c" />
216 |     <ClCompile Include="..\..\kex.c" />
217 |     <ClCompile Include="..\..\ntt_constants.c" />
218 |     <ClCompile Include="..\..\random.c" />
219 |   </ItemGroup>
220 |   <ItemGroup>
221 |     <ClInclude Include="..\..\LatticeCrypto.h" />
222 |     <ClInclude Include="..\..\LatticeCrypto_priv.h" />
223 |   </ItemGroup>
224 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
225 |   <ImportGroup Label="ExtensionTargets">
226 |   </ImportGroup>
227 | </Project>


--------------------------------------------------------------------------------
/tests/tests.c:
--------------------------------------------------------------------------------
  1 | /****************************************************************************************
  2 | * LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
  3 | *
  4 | *    Copyright (c) Microsoft Corporation. All rights reserved.
  5 | *
  6 | *
  7 | * Abstract: testing code
  8 | *
  9 | *****************************************************************************************/
 10 | 
 11 | #include "../LatticeCrypto_priv.h"
 12 | #include "test_extras.h"
 13 | #include <stdio.h>
 14 | #include <malloc.h>
 15 | 
 16 | extern const int32_t psi_rev_ntt1024_12289[PARAMETER_N];
 17 | extern const int32_t omegainv_rev_ntt1024_12289[PARAMETER_N];
 18 | extern const int32_t omegainv7N_rev_ntt1024_12289;
 19 | extern const int32_t omegainv10N_rev_ntt1024_12289;
 20 | extern const int32_t Ninv8_ntt1024_12289;
 21 | extern const int32_t Ninv11_ntt1024_12289;
 22 | 
 23 | // Benchmark and test parameters  
 24 | #define BENCH_LOOPS       1000       // Number of iterations per bench
 25 | #define TEST_LOOPS        100        // Number of iterations per test
 26 | 
 27 | 
 28 | bool ntt_test()
 29 | { // Tests for the NTT functions
 30 |     bool OK = true;
 31 |     int n, passed;
 32 |     int32_t a[PARAMETER_N], b[PARAMETER_N], c[PARAMETER_N], d[PARAMETER_N], e[PARAMETER_N], f[PARAMETER_N], g[PARAMETER_N], ff[PARAMETER_N];
 33 |     unsigned int pbits = 14;
 34 | 
 35 |     printf("\n--------------------------------------------------------------------------------------------------------\n\n"); 
 36 |     printf("Testing NTT functions: \n\n"); 
 37 | 
 38 |     passed = 1;
 39 |     for (n=0; n<TEST_LOOPS; n++)
 40 |     {   
 41 |         // Testing NTT-based polynomial multiplication
 42 |         random_poly_test(a, PARAMETER_Q, pbits, PARAMETER_N); random_poly_test(b, PARAMETER_Q, pbits, PARAMETER_N); 
 43 | 
 44 |         mul_test(a, b, c, PARAMETER_Q, PARAMETER_N);
 45 |         NTT_CT_std2rev_12289(a, psi_rev_ntt1024_12289, PARAMETER_N);
 46 |         NTT_CT_std2rev_12289(b, psi_rev_ntt1024_12289, PARAMETER_N);
 47 |         pmul(a, b, d, PARAMETER_N);
 48 |         correction(d, PARAMETER_Q, PARAMETER_N);
 49 |         INTT_GS_rev2std_12289(d, omegainv_rev_ntt1024_12289, omegainv7N_rev_ntt1024_12289, Ninv8_ntt1024_12289, PARAMETER_N);
 50 |         two_reduce12289(d, PARAMETER_N);
 51 |         correction(d, PARAMETER_Q, PARAMETER_N);
 52 |         if (compare_poly(c, d, PARAMETER_N)!=0) { passed = 0; break; }
 53 |                 
 54 |         // Emulating NTT operations in the key exchange                
 55 |         random_poly_test(a, PARAMETER_Q, pbits, PARAMETER_N); random_poly_test(b, PARAMETER_Q, pbits, PARAMETER_N); 
 56 |         random_poly_test(c, PARAMETER_Q, pbits, PARAMETER_N); random_poly_test(d, PARAMETER_Q, pbits, PARAMETER_N); 
 57 |         random_poly_test(e, PARAMETER_Q, pbits, PARAMETER_N); 
 58 | 
 59 |         mul_test(a, b, f, PARAMETER_Q, PARAMETER_N);
 60 |         add_test(f, c, f, PARAMETER_Q, PARAMETER_N);
 61 |         mul_test(f, d, ff, PARAMETER_Q, PARAMETER_N);
 62 |         add_test(ff, e, f, PARAMETER_Q, PARAMETER_N);
 63 |         NTT_CT_std2rev_12289(a, psi_rev_ntt1024_12289, PARAMETER_N);
 64 |         NTT_CT_std2rev_12289(b, psi_rev_ntt1024_12289, PARAMETER_N);
 65 |         NTT_CT_std2rev_12289(c, psi_rev_ntt1024_12289, PARAMETER_N);
 66 |         smul(c, 3, PARAMETER_N);
 67 |         pmuladd(a, b, c, g, PARAMETER_N);
 68 |         correction(g, PARAMETER_Q, PARAMETER_N);
 69 |         NTT_CT_std2rev_12289(d, psi_rev_ntt1024_12289, PARAMETER_N);
 70 |         NTT_CT_std2rev_12289(e, psi_rev_ntt1024_12289, PARAMETER_N);
 71 |         smul(e, 81, PARAMETER_N);
 72 |         pmuladd(g, d, e, g, PARAMETER_N);
 73 |         correction(g, PARAMETER_Q, PARAMETER_N);
 74 |         INTT_GS_rev2std_12289(g, omegainv_rev_ntt1024_12289, omegainv10N_rev_ntt1024_12289, Ninv11_ntt1024_12289, PARAMETER_N);
 75 |         two_reduce12289(g, PARAMETER_N);
 76 |         correction(g, PARAMETER_Q, PARAMETER_N);
 77 |         if (compare_poly(f, g, PARAMETER_N)!=0) { passed = 0; break; }
 78 |     } 
 79 |     if (passed==1) printf("  INTT/NTT tests................................................................. PASSED");
 80 |     else { printf("  NTT/INTT tests... FAILED"); printf("\n"); return false; }
 81 |     printf("\n");
 82 |     
 83 |     return OK;
 84 | }
 85 | 
 86 | 
 87 | bool ntt_run()
 88 | {
 89 |     bool OK = true;
 90 |     int n;
 91 |     unsigned long long cycles, cycles1, cycles2;
 92 |     int32_t a[PARAMETER_N];
 93 | 
 94 |     printf("\n--------------------------------------------------------------------------------------------------------\n\n"); 
 95 |     printf("Benchmarking NTT functions: \n\n");
 96 |     
 97 |     cycles = 0;
 98 |     for (n=0; n<BENCH_LOOPS; n++)
 99 |     {
100 |         cycles1 = cpucycles(); 
101 |         NTT_CT_std2rev_12289(a, psi_rev_ntt1024_12289, PARAMETER_N);
102 |         cycles2 = cpucycles();
103 |         cycles = cycles+(cycles2-cycles1);
104 |     }
105 |     printf("  NTT runs in ................................................................... %8lld cycles", cycles/BENCH_LOOPS);
106 |     printf("\n"); 
107 |     
108 |     cycles = 0;
109 |     for (n=0; n<BENCH_LOOPS; n++)
110 |     {
111 |         cycles1 = cpucycles(); 
112 |         INTT_GS_rev2std_12289(a, omegainv_rev_ntt1024_12289, omegainv7N_rev_ntt1024_12289, Ninv8_ntt1024_12289, PARAMETER_N);
113 |         cycles2 = cpucycles();
114 |         cycles = cycles+(cycles2-cycles1);
115 |     }
116 |     printf("  INTT runs in .................................................................. %8lld cycles", cycles/BENCH_LOOPS);
117 |     printf("\n"); 
118 |     
119 |     return OK;
120 | }
121 | 
122 | 
123 | CRYPTO_STATUS kex_test()
124 | { // Tests for the key exchange
125 |     int n, passed;
126 |     int32_t SecretKeyA[PARAMETER_N];
127 |     unsigned char PublicKeyA[PKA_BYTES], PublicKeyB[PKB_BYTES], SharedSecretA[SHAREDKEY_BYTES], SharedSecretB[SHAREDKEY_BYTES];
128 |     PLatticeCryptoStruct pLatticeCrypto;
129 |     RandomBytes RandomBytesFunction = random_bytes_test;
130 |     ExtendableOutput ExtendableOutputFunction = extendable_output_test;
131 |     StreamOutput StreamOutputFunction = stream_output_test;
132 |     CRYPTO_STATUS Status = CRYPTO_SUCCESS;
133 | 
134 |     printf("\n--------------------------------------------------------------------------------------------------------\n\n"); 
135 |     printf("Testing the key exchange: \n\n"); 
136 | 
137 |     pLatticeCrypto = LatticeCrypto_allocate();
138 |     Status = LatticeCrypto_initialize(pLatticeCrypto, RandomBytesFunction, ExtendableOutputFunction, StreamOutputFunction);
139 |     if (Status != CRYPTO_SUCCESS) {
140 |         goto cleanup;
141 |     }
142 | 
143 |     passed = 1;
144 |     for (n=0; n<TEST_LOOPS; n++)
145 |     {   
146 |         Status = KeyGeneration_A(SecretKeyA, PublicKeyA, pLatticeCrypto);
147 |         if (Status != CRYPTO_SUCCESS) {
148 |             goto cleanup;
149 |         }    
150 |         Status = SecretAgreement_B(PublicKeyA, SharedSecretB, PublicKeyB, pLatticeCrypto);
151 |         if (Status != CRYPTO_SUCCESS) {
152 |             goto cleanup;
153 |         }    
154 |         Status = SecretAgreement_A(PublicKeyB, SecretKeyA, SharedSecretA);
155 |         if (Status != CRYPTO_SUCCESS) {
156 |             goto cleanup;
157 |         }    
158 | 
159 |         if (compare_poly((int32_t*)SharedSecretA, (int32_t*)SharedSecretB, SHAREDKEY_BYTES/4)!=0) { passed = 0; break; }
160 |     } 
161 |     if (passed==1) printf("  Key exchange tests............................................................. PASSED");
162 |     else { printf("  Key exchange tests... FAILED"); printf("\n"); Status = CRYPTO_ERROR_SHARED_KEY; goto cleanup; }
163 |     printf("\n");
164 |     
165 | cleanup:
166 |     free(pLatticeCrypto);
167 |     clear_words((void*)SecretKeyA, NBYTES_TO_NWORDS(4*PARAMETER_N));
168 |     clear_words((void*)PublicKeyA, NBYTES_TO_NWORDS(PKA_BYTES));
169 |     clear_words((void*)SharedSecretA, NBYTES_TO_NWORDS(SHAREDKEY_BYTES));
170 |     clear_words((void*)PublicKeyB, NBYTES_TO_NWORDS(PKB_BYTES));
171 |     clear_words((void*)SharedSecretB, NBYTES_TO_NWORDS(SHAREDKEY_BYTES));
172 |     
173 |     return Status;
174 | }
175 | 
176 | 
177 | CRYPTO_STATUS kex_run()
178 | {
179 |     int n;
180 |     unsigned long long cycles, cycles1, cycles2;
181 |     int32_t SecretKeyA[PARAMETER_N];
182 |     unsigned char PublicKeyA[PKA_BYTES], PublicKeyB[PKB_BYTES], SharedSecretA[SHAREDKEY_BYTES], SharedSecretB[SHAREDKEY_BYTES];
183 |     PLatticeCryptoStruct pLatticeCrypto;
184 |     RandomBytes RandomBytesFunction = random_bytes_test;
185 |     ExtendableOutput ExtendableOutputFunction = extendable_output_test;
186 |     StreamOutput StreamOutputFunction = stream_output_test;
187 |     CRYPTO_STATUS Status = CRYPTO_SUCCESS;
188 | 
189 |     printf("\n--------------------------------------------------------------------------------------------------------\n\n"); 
190 |     printf("Benchmarking key exchange functions: \n\n");  
191 |     
192 |     pLatticeCrypto = LatticeCrypto_allocate();
193 |     Status = LatticeCrypto_initialize(pLatticeCrypto, RandomBytesFunction, ExtendableOutputFunction, StreamOutputFunction);
194 |     if (Status != CRYPTO_SUCCESS) {
195 |         goto cleanup;
196 |     }
197 |     
198 |     cycles = 0;
199 |     for (n=0; n<BENCH_LOOPS; n++)
200 |     {
201 |         cycles1 = cpucycles(); 
202 |         Status = KeyGeneration_A(SecretKeyA, PublicKeyA, pLatticeCrypto);
203 |         if (Status != CRYPTO_SUCCESS) {
204 |             goto cleanup;
205 |         }    
206 |         cycles2 = cpucycles();
207 |         cycles = cycles+(cycles2-cycles1);
208 |     }
209 |     printf("  Alice's key generation runs in ................................................ %8lld cycles", cycles/BENCH_LOOPS);
210 |     printf("\n");   
211 |     
212 |     cycles = 0;
213 |     for (n=0; n<BENCH_LOOPS; n++)
214 |     {
215 |         cycles1 = cpucycles(); 
216 |         Status = SecretAgreement_B(PublicKeyA, SharedSecretB, PublicKeyB, pLatticeCrypto);
217 |         if (Status != CRYPTO_SUCCESS) {
218 |             goto cleanup;
219 |         }    
220 |         cycles2 = cpucycles();
221 |         cycles = cycles+(cycles2-cycles1);
222 |     }
223 |     printf("  Bob's shared key computation runs in .......................................... %8lld cycles", cycles/BENCH_LOOPS);
224 |     printf("\n");   
225 |     
226 |     cycles = 0;
227 |     for (n=0; n<BENCH_LOOPS; n++)
228 |     {
229 |         cycles1 = cpucycles(); 
230 |         Status = SecretAgreement_A(PublicKeyB, SecretKeyA, SharedSecretA);
231 |         if (Status != CRYPTO_SUCCESS) {
232 |             goto cleanup;
233 |         }    
234 |         cycles2 = cpucycles();
235 |         cycles = cycles+(cycles2-cycles1);
236 |     }
237 |     printf("  Alice's shared key computation runs in ........................................ %8lld cycles", cycles/BENCH_LOOPS);
238 |     printf("\n");
239 |     
240 | cleanup:
241 |     free(pLatticeCrypto);
242 |     clear_words((void*)SecretKeyA, NBYTES_TO_NWORDS(4*PARAMETER_N));
243 |     clear_words((void*)PublicKeyA, NBYTES_TO_NWORDS(PKA_BYTES));
244 |     clear_words((void*)SharedSecretA, NBYTES_TO_NWORDS(SHAREDKEY_BYTES));
245 |     clear_words((void*)PublicKeyB, NBYTES_TO_NWORDS(PKB_BYTES));
246 |     clear_words((void*)SharedSecretB, NBYTES_TO_NWORDS(SHAREDKEY_BYTES)); 
247 |     
248 |     return Status;
249 | }
250 | 
251 | 
252 | int main()
253 | {
254 |     bool OK = true;
255 |     CRYPTO_STATUS Status = CRYPTO_SUCCESS;
256 | 
257 |     OK = OK && ntt_test();   // Test NTT functions
258 |     OK = OK && ntt_run();    // Benchmark NTT functions
259 |     if (OK == false) {
260 |         return true;
261 |     }
262 | 
263 |     Status = kex_test();     // Test key exchange 
264 |     if (Status != CRYPTO_SUCCESS) {
265 |         printf("\n\n   Error detected: %s \n\n", LatticeCrypto_get_error_message(Status));
266 |         return false;
267 |     }
268 |     Status = kex_run();      // Benchmark key exchange
269 |     if (Status != CRYPTO_SUCCESS) {
270 |         printf("\n\n   Error detected: %s \n\n", LatticeCrypto_get_error_message(Status));
271 |         return false;
272 |     }
273 | 
274 |     return true;
275 | }
276 | 


--------------------------------------------------------------------------------
/AMD64/error_asm.S:
--------------------------------------------------------------------------------
  1 | //****************************************************************************************
  2 | // LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
  3 | //
  4 | //    Copyright (c) Microsoft Corporation. All rights reserved.
  5 | //
  6 | //
  7 | // Abstract: functions for error sampling and reconciliation in x64 assembly using AVX2 
  8 | //           vector instructions for Linux 
  9 | //
 10 | //****************************************************************************************  
 11 | 
 12 | .intel_syntax noprefix 
 13 | 
 14 | // Registers that are used for parameter passing:
 15 | #define reg_p1  rdi
 16 | #define reg_p2  rsi
 17 | #define reg_p3  rdx
 18 | #define reg_p4  rcx
 19 | #define reg_p5  r8
 20 | 
 21 | 
 22 | .text
 23 | //***********************************************************************
 24 | //  Error sampling from psi_12
 25 | //  Operation: c [reg_p2] <- sampling(a) [reg_p1]
 26 | //*********************************************************************** 
 27 | .global error_sampling_asm
 28 | error_sampling_asm:  
 29 |   vmovdqu    ymm7, ONE32x 
 30 |   movq       r11, 384
 31 |   movq       r10, 32
 32 |   movq       r8, 24
 33 |   xor        rax, rax
 34 |   xor        rcx, rcx
 35 | loop1:
 36 |   vmovdqu    ymm0, YMMWORD PTR [reg_p1+4*rax]        // sample
 37 |   vmovdqu    ymm2, YMMWORD PTR [reg_p1+4*rax+32]     // sample
 38 |   vmovdqu    ymm4, YMMWORD PTR [reg_p1+4*rax+64]     // sample
 39 |   movq       r9, 2
 40 | 
 41 | loop1b:
 42 |   vpand      ymm1, ymm0, ymm7                        // Collecting 8 bits for first sample
 43 |   vpsrlw     ymm0, ymm0, 1 
 44 |   vpand      ymm3, ymm0, ymm7
 45 |   vpaddb     ymm1, ymm1, ymm3
 46 |   vpsrlw     ymm0, ymm0, 1 
 47 |   vpand      ymm3, ymm0, ymm7
 48 |   vpaddb     ymm1, ymm1, ymm3
 49 |   vpsrlw     ymm0, ymm0, 1 
 50 |   vpand      ymm3, ymm0, ymm7
 51 |   vpaddb     ymm1, ymm1, ymm3
 52 |   vpsrlw     ymm0, ymm0, 1 
 53 |   vpand      ymm3, ymm0, ymm7
 54 |   vpaddb     ymm1, ymm1, ymm3
 55 |   vpsrlw     ymm0, ymm0, 1 
 56 |   vpand      ymm3, ymm0, ymm7
 57 |   vpaddb     ymm1, ymm1, ymm3
 58 |   vpsrlw     ymm0, ymm0, 1 
 59 |   vpand      ymm3, ymm0, ymm7
 60 |   vpaddb     ymm1, ymm1, ymm3
 61 |   vpsrlw     ymm0, ymm0, 1 
 62 |   vpand      ymm3, ymm0, ymm7
 63 |   vpaddb     ymm1, ymm1, ymm3
 64 |   
 65 |   vpand      ymm3, ymm2, ymm7                        // Adding next 4 bits
 66 |   vpaddb     ymm1, ymm1, ymm3
 67 |   vpsrlw     ymm2, ymm2, 1 
 68 |   vpand      ymm3, ymm2, ymm7
 69 |   vpaddb     ymm1, ymm1, ymm3
 70 |   vpsrlw     ymm2, ymm2, 1 
 71 |   vpand      ymm3, ymm2, ymm7
 72 |   vpaddb     ymm1, ymm1, ymm3
 73 |   vpsrlw     ymm2, ymm2, 1 
 74 |   vpand      ymm3, ymm2, ymm7
 75 |   vpaddb     ymm1, ymm1, ymm3
 76 |   
 77 |   vpsrlw     ymm2, ymm2, 1                           // Collecting 4-bits for second sample
 78 |   vpand      ymm5, ymm2, ymm7
 79 |   vpsrlw     ymm2, ymm2, 1 
 80 |   vpand      ymm3, ymm2, ymm7
 81 |   vpaddb     ymm5, ymm5, ymm3
 82 |   vpsrlw     ymm2, ymm2, 1 
 83 |   vpand      ymm3, ymm2, ymm7
 84 |   vpaddb     ymm5, ymm5, ymm3
 85 |   vpsrlw     ymm2, ymm2, 1 
 86 |   vpand      ymm3, ymm2, ymm7
 87 |   vpaddb     ymm5, ymm5, ymm3
 88 |   
 89 |   vpand      ymm3, ymm4, ymm7                        // Adding next 8 bits
 90 |   vpaddb     ymm5, ymm5, ymm3
 91 |   vpsrlw     ymm4, ymm4, 1 
 92 |   vpand      ymm3, ymm4, ymm7
 93 |   vpaddb     ymm5, ymm5, ymm3
 94 |   vpsrlw     ymm4, ymm4, 1 
 95 |   vpand      ymm3, ymm4, ymm7
 96 |   vpaddb     ymm5, ymm5, ymm3
 97 |   vpsrlw     ymm4, ymm4, 1 
 98 |   vpand      ymm3, ymm4, ymm7
 99 |   vpaddb     ymm5, ymm5, ymm3
100 |   vpsrlw     ymm4, ymm4, 1 
101 |   vpand      ymm3, ymm4, ymm7
102 |   vpaddb     ymm5, ymm5, ymm3
103 |   vpsrlw     ymm4, ymm4, 1 
104 |   vpand      ymm3, ymm4, ymm7
105 |   vpaddb     ymm5, ymm5, ymm3
106 |   vpsrlw     ymm4, ymm4, 1 
107 |   vpand      ymm3, ymm4, ymm7
108 |   vpaddb     ymm5, ymm5, ymm3
109 |   vpsrlw     ymm4, ymm4, 1 
110 |   vpand      ymm3, ymm4, ymm7
111 |   vpaddb     ymm5, ymm5, ymm3
112 | 
113 |   vpsubb     ymm5, ymm1, ymm5
114 |   vpermq     ymm3, ymm5, 0x0e 
115 |   vpmovsxbd  ymm6, xmm5
116 |   vpsrldq    ymm5, ymm5, 8 
117 |   vpmovsxbd  ymm7, xmm5 
118 |   vpmovsxbd  ymm8, xmm3
119 |   vpsrldq    ymm3, ymm3, 8 
120 |   vpmovsxbd  ymm9, xmm3
121 |   vmovdqu    YMMWORD PTR [reg_p2+4*rcx], ymm6
122 |   vmovdqu    YMMWORD PTR [reg_p2+4*rcx+32], ymm7
123 |   vmovdqu    YMMWORD PTR [reg_p2+4*rcx+64], ymm8
124 |   vmovdqu    YMMWORD PTR [reg_p2+4*rcx+96], ymm9
125 |   
126 |   add        rcx, r10        // i+32
127 |   vpsrlw     ymm0, ymm0, 1 
128 |   vpsrlw     ymm2, ymm2, 1 
129 |   vpsrlw     ymm4, ymm4, 1 
130 |   dec        r9
131 |   jnz        loop1b
132 |         
133 |   add        rax, r8         // j+24        
134 |   cmp        rax, r11
135 |   jl         loop1
136 |   ret
137 | 
138 | 
139 | //***********************************************************************
140 | //  Reconciliation helper function
141 | //  Operation: c [reg_p2] <- function(a) [reg_p1]
142 | //             [reg_p3] points to random bits
143 | //*********************************************************************** 
144 | .global helprec_asm
145 | helprec_asm:  
146 |   vmovdqu    ymm8, ONE8x 
147 |   movq       r11, 256
148 |   movq       r10, 8
149 |   xor        rax, rax
150 |   vmovdqu    ymm4, YMMWORD PTR [reg_p3]              // rbits
151 | loop2:
152 |   vmovdqu    ymm0, YMMWORD PTR [reg_p1+4*rax]        // x
153 |   vmovdqu    ymm1, YMMWORD PTR [reg_p1+4*rax+4*256]  // x+256
154 |   vmovdqu    ymm2, YMMWORD PTR [reg_p1+4*rax+4*512]  // x+512
155 |   vmovdqu    ymm3, YMMWORD PTR [reg_p1+4*rax+4*768]  // x+768
156 | 
157 |   vpand      ymm5, ymm4, ymm8                        // Collecting 8 random bits
158 |   vpslld     ymm0, ymm0, 1                           // 2*x - rbits
159 |   vpslld     ymm1, ymm1, 1 
160 |   vpslld     ymm2, ymm2, 1 
161 |   vpslld     ymm3, ymm3, 1 
162 |   vpsubd     ymm0, ymm0, ymm5
163 |   vpsubd     ymm1, ymm1, ymm5
164 |   vpsubd     ymm2, ymm2, ymm5
165 |   vpsubd     ymm3, ymm3, ymm5
166 |     
167 |   vmovdqu    ymm15, PARAM_Q4x8 
168 |   vmovdqu    ymm7, FOUR8x
169 |   vmovdqu    ymm8, ymm7
170 |   vmovdqu    ymm9, ymm7
171 |   vmovdqu    ymm10, ymm7
172 |   vpsubd     ymm6, ymm0, ymm15
173 |   vpsrld     ymm6, ymm6, 31 
174 |   vpsubd     ymm7, ymm7, ymm6
175 |   vpsubd     ymm6, ymm1, ymm15
176 |   vpsrld     ymm6, ymm6, 31 
177 |   vpsubd     ymm8, ymm8, ymm6
178 |   vpsubd     ymm6, ymm2, ymm15
179 |   vpsrld     ymm6, ymm6, 31 
180 |   vpsubd     ymm9, ymm9, ymm6
181 |   vpsubd     ymm6, ymm3, ymm15
182 |   vpsrld     ymm6, ymm6, 31 
183 |   vpsubd     ymm10, ymm10, ymm6
184 |   vmovdqu    ymm15, PARAM_3Q4x8 
185 |   vpsubd     ymm6, ymm0, ymm15
186 |   vpsrld     ymm6, ymm6, 31 
187 |   vpsubd     ymm7, ymm7, ymm6
188 |   vpsubd     ymm6, ymm1, ymm15
189 |   vpsrld     ymm6, ymm6, 31 
190 |   vpsubd     ymm8, ymm8, ymm6
191 |   vpsubd     ymm6, ymm2, ymm15
192 |   vpsrld     ymm6, ymm6, 31 
193 |   vpsubd     ymm9, ymm9, ymm6
194 |   vpsubd     ymm6, ymm3, ymm15
195 |   vpsrld     ymm6, ymm6, 31 
196 |   vpsubd     ymm10, ymm10, ymm6
197 |   vmovdqu    ymm15, PARAM_5Q4x8 
198 |   vpsubd     ymm6, ymm0, ymm15
199 |   vpsrld     ymm6, ymm6, 31 
200 |   vpsubd     ymm7, ymm7, ymm6
201 |   vpsubd     ymm6, ymm1, ymm15
202 |   vpsrld     ymm6, ymm6, 31 
203 |   vpsubd     ymm8, ymm8, ymm6
204 |   vpsubd     ymm6, ymm2, ymm15
205 |   vpsrld     ymm6, ymm6, 31 
206 |   vpsubd     ymm9, ymm9, ymm6
207 |   vpsubd     ymm6, ymm3, ymm15
208 |   vpsrld     ymm6, ymm6, 31 
209 |   vpsubd     ymm10, ymm10, ymm6
210 |   vmovdqu    ymm15, PARAM_7Q4x8 
211 |   vpsubd     ymm6, ymm0, ymm15
212 |   vpsrld     ymm6, ymm6, 31 
213 |   vpsubd     ymm7, ymm7, ymm6                        // v0[0]
214 |   vpsubd     ymm6, ymm1, ymm15
215 |   vpsrld     ymm6, ymm6, 31 
216 |   vpsubd     ymm8, ymm8, ymm6                        // v0[1]
217 |   vpsubd     ymm6, ymm2, ymm15
218 |   vpsrld     ymm6, ymm6, 31 
219 |   vpsubd     ymm9, ymm9, ymm6                        // v0[2]
220 |   vpsubd     ymm6, ymm3, ymm15
221 |   vpsrld     ymm6, ymm6, 31 
222 |   vpsubd     ymm10, ymm10, ymm6                      // v0[3]  
223 |     
224 |   vmovdqu    ymm15, PARAM_Q2x8 
225 |   vmovdqu    ymm11, THREE8x
226 |   vmovdqu    ymm12, ymm11
227 |   vmovdqu    ymm13, ymm11
228 |   vmovdqu    ymm14, ymm11
229 |   vpsubd     ymm6, ymm0, ymm15
230 |   vpsrld     ymm6, ymm6, 31 
231 |   vpsubd     ymm11, ymm11, ymm6
232 |   vpsubd     ymm6, ymm1, ymm15
233 |   vpsrld     ymm6, ymm6, 31 
234 |   vpsubd     ymm12, ymm12, ymm6
235 |   vpsubd     ymm6, ymm2, ymm15
236 |   vpsrld     ymm6, ymm6, 31 
237 |   vpsubd     ymm13, ymm13, ymm6
238 |   vpsubd     ymm6, ymm3, ymm15
239 |   vpsrld     ymm6, ymm6, 31 
240 |   vpsubd     ymm14, ymm14, ymm6
241 |   vmovdqu    ymm15, PARAM_3Q2x8 
242 |   vpsubd     ymm6, ymm0, ymm15
243 |   vpsrld     ymm6, ymm6, 31 
244 |   vpsubd     ymm11, ymm11, ymm6
245 |   vpsubd     ymm6, ymm1, ymm15
246 |   vpsrld     ymm6, ymm6, 31 
247 |   vpsubd     ymm12, ymm12, ymm6
248 |   vpsubd     ymm6, ymm2, ymm15
249 |   vpsrld     ymm6, ymm6, 31 
250 |   vpsubd     ymm13, ymm13, ymm6
251 |   vpsubd     ymm6, ymm3, ymm15
252 |   vpsrld     ymm6, ymm6, 31 
253 |   vpsubd     ymm14, ymm14, ymm6
254 |   vmovdqu    ymm15, PRIME8x  
255 |   vpsubd     ymm6, ymm0, ymm15
256 |   vpsrld     ymm6, ymm6, 31 
257 |   vpsubd     ymm11, ymm11, ymm6                      // v1[0]
258 |   vpsubd     ymm6, ymm1, ymm15
259 |   vpsrld     ymm6, ymm6, 31 
260 |   vpsubd     ymm12, ymm12, ymm6                      // v1[1]
261 |   vpsubd     ymm6, ymm2, ymm15
262 |   vpsrld     ymm6, ymm6, 31 
263 |   vpsubd     ymm13, ymm13, ymm6                      // v1[2]
264 |   vpsubd     ymm6, ymm3, ymm15
265 |   vpsrld     ymm6, ymm6, 31 
266 |   vpsubd     ymm14, ymm14, ymm6                      // v1[3]
267 | 
268 |   vpmulld    ymm6, ymm7, ymm15 
269 |   vpslld     ymm0, ymm0, 1 
270 |   vpsubd     ymm0, ymm0, ymm6
271 |   vpabsd     ymm0, ymm0
272 |   vpmulld    ymm6, ymm8, ymm15 
273 |   vpslld     ymm1, ymm1, 1 
274 |   vpsubd     ymm1, ymm1, ymm6
275 |   vpabsd     ymm1, ymm1
276 |   vpaddd     ymm0, ymm0, ymm1
277 |   vpmulld    ymm6, ymm9, ymm15 
278 |   vpslld     ymm2, ymm2, 1 
279 |   vpsubd     ymm2, ymm2, ymm6
280 |   vpabsd     ymm2, ymm2
281 |   vpaddd     ymm0, ymm0, ymm2
282 |   vpmulld    ymm6, ymm10, ymm15 
283 |   vpslld     ymm3, ymm3, 1 
284 |   vpsubd     ymm3, ymm3, ymm6
285 |   vpabsd     ymm3, ymm3
286 |   vpaddd     ymm0, ymm0, ymm3                        // norm
287 |   vpsubd     ymm0, ymm0, ymm15
288 |   vpsrad     ymm0, ymm0, 31                          // If norm < q then norm = 0xff...ff, else norm = 0
289 |   
290 |   vpxor      ymm7, ymm7, ymm11                       // v0[i] = (norm & (v0[i] ^ v1[i])) ^ v1[i]
291 |   vpand      ymm7, ymm7, ymm0
292 |   vpxor      ymm7, ymm7, ymm11
293 |   vpxor      ymm8, ymm8, ymm12
294 |   vpand      ymm8, ymm8, ymm0
295 |   vpxor      ymm8, ymm8, ymm12
296 |   vpxor      ymm9, ymm9, ymm13
297 |   vpand      ymm9, ymm9, ymm0
298 |   vpxor      ymm9, ymm9, ymm13
299 |   vpxor      ymm10, ymm10, ymm14
300 |   vpand      ymm10, ymm10, ymm0
301 |   vpxor      ymm10, ymm10, ymm14
302 |   
303 |   vmovdqu    ymm15, THREE8x
304 |   vmovdqu    ymm14, ONE8x
305 |   vpsubd     ymm7, ymm7, ymm10
306 |   vpand      ymm7, ymm7, ymm15
307 |   vpsubd     ymm8, ymm8, ymm10
308 |   vpand      ymm8, ymm8, ymm15
309 |   vpsubd     ymm9, ymm9, ymm10
310 |   vpand      ymm9, ymm9, ymm15 
311 |   vpslld     ymm10, ymm10, 1 
312 |   vpxor      ymm0, ymm0, ymm14
313 |   vpand      ymm0, ymm0, ymm14
314 |   vpaddd     ymm10, ymm0, ymm10
315 |   vpand      ymm10, ymm10, ymm15 
316 |   
317 |   vpsrld     ymm4, ymm4, 1 
318 |   vmovdqu    YMMWORD PTR [reg_p2+4*rax], ymm7
319 |   vmovdqu    YMMWORD PTR [reg_p2+4*rax+4*256], ymm8
320 |   vmovdqu    YMMWORD PTR [reg_p2+4*rax+4*512], ymm9
321 |   vmovdqu    YMMWORD PTR [reg_p2+4*rax+4*768], ymm10
322 | 
323 |   add        rax, r10             // j+8 
324 |   add        rcx, r9
325 |   cmp        rax, r11             
326 |   jl         loop2
327 |   ret
328 | 
329 | 
330 | //***********************************************************************
331 | //  Reconciliation function
332 | //  Operation: c [reg_p3] <- function(a [reg_p1], b [reg_p2])
333 | //*********************************************************************** 
334 | .global rec_asm
335 | rec_asm:  
336 |   vpxor      ymm12, ymm12, ymm12 
337 |   vmovdqu    ymm15, PRIME8x   
338 |   vpslld     ymm14, ymm15, 2                         // 4*Q  
339 |   vpslld     ymm13, ymm15, 3                         // 8*Q
340 |   vpsubd     ymm12, ymm12, ymm13                     // -8*Q
341 |   vpxor      ymm11, ymm12, ymm13                     // 8*Q ^ -8*Q
342 |   vmovdqu    ymm10, ONE8x 
343 |   movq       r11, 256
344 |   movq       r10, 8
345 |   xor        rax, rax
346 |   xor        rcx, rcx
347 | loop3:
348 |   vmovdqu    ymm0, YMMWORD PTR [reg_p1+4*rax]        // x
349 |   vmovdqu    ymm1, YMMWORD PTR [reg_p1+4*rax+4*256]  // x+256
350 |   vmovdqu    ymm2, YMMWORD PTR [reg_p1+4*rax+4*512]  // x+512
351 |   vmovdqu    ymm3, YMMWORD PTR [reg_p1+4*rax+4*768]  // x+768
352 |   vmovdqu    ymm4, YMMWORD PTR [reg_p2+4*rax]        // rvec
353 |   vmovdqu    ymm5, YMMWORD PTR [reg_p2+4*rax+4*256]  // rvec+256
354 |   vmovdqu    ymm6, YMMWORD PTR [reg_p2+4*rax+4*512]  // rvec+512
355 |   vmovdqu    ymm7, YMMWORD PTR [reg_p2+4*rax+4*768]  // rvec+768
356 |   
357 |   vpslld     ymm8, ymm4, 1                           // 2*rvec + rvec
358 |   vpaddd     ymm4, ymm7, ymm8
359 |   vpslld     ymm8, ymm5, 1 
360 |   vpaddd     ymm5, ymm7, ymm8
361 |   vpslld     ymm8, ymm6, 1 
362 |   vpaddd     ymm6, ymm7, ymm8
363 |   vpmulld    ymm4, ymm4, ymm15
364 |   vpmulld    ymm5, ymm5, ymm15
365 |   vpmulld    ymm6, ymm6, ymm15
366 |   vpmulld    ymm7, ymm7, ymm15
367 |   vpslld     ymm0, ymm0, 3                           // 8*x
368 |   vpslld     ymm1, ymm1, 3 
369 |   vpslld     ymm2, ymm2, 3 
370 |   vpslld     ymm3, ymm3, 3 
371 |   vpsubd     ymm0, ymm0, ymm4                        // t[i]
372 |   vpsubd     ymm1, ymm1, ymm5
373 |   vpsubd     ymm2, ymm2, ymm6
374 |   vpsubd     ymm3, ymm3, ymm7
375 |   
376 |   vpsrad     ymm8, ymm0, 31                          // mask1
377 |   vpabsd     ymm4, ymm0
378 |   vpsubd     ymm4, ymm14, ymm4
379 |   vpsrad     ymm4, ymm4, 31                          // mask2                       
380 |   vpand      ymm8, ymm8, ymm11                       // (mask1 & (8*PARAMETER_Q ^ -8*PARAMETER_Q)) ^ -8*PARAMETER_Q
381 |   vpxor      ymm8, ymm8, ymm12
382 |   vpand      ymm4, ymm4, ymm8
383 |   vpaddd     ymm0, ymm0, ymm4
384 |   vpabsd     ymm0, ymm0  
385 |   vpsrad     ymm8, ymm1, 31                          // mask1
386 |   vpabsd     ymm4, ymm1
387 |   vpsubd     ymm4, ymm14, ymm4
388 |   vpsrad     ymm4, ymm4, 31                          // mask2                       
389 |   vpand      ymm8, ymm8, ymm11                       // (mask1 & (8*PARAMETER_Q ^ -8*PARAMETER_Q)) ^ -8*PARAMETER_Q
390 |   vpxor      ymm8, ymm8, ymm12
391 |   vpand      ymm4, ymm4, ymm8
392 |   vpaddd     ymm1, ymm1, ymm4
393 |   vpabsd     ymm1, ymm1
394 |   vpaddd     ymm0, ymm0, ymm1
395 |   vpsrad     ymm8, ymm2, 31                          // mask1
396 |   vpabsd     ymm4, ymm2
397 |   vpsubd     ymm4, ymm14, ymm4
398 |   vpsrad     ymm4, ymm4, 31                          // mask2                       
399 |   vpand      ymm8, ymm8, ymm11                       // (mask1 & (8*PARAMETER_Q ^ -8*PARAMETER_Q)) ^ -8*PARAMETER_Q
400 |   vpxor      ymm8, ymm8, ymm12
401 |   vpand      ymm4, ymm4, ymm8
402 |   vpaddd     ymm2, ymm2, ymm4
403 |   vpabsd     ymm2, ymm2
404 |   vpaddd     ymm0, ymm0, ymm2
405 |   vpsrad     ymm8, ymm3, 31                          // mask1
406 |   vpabsd     ymm4, ymm3
407 |   vpsubd     ymm4, ymm14, ymm4
408 |   vpsrad     ymm4, ymm4, 31                          // mask2                       
409 |   vpand      ymm8, ymm8, ymm11                       // (mask1 & (8*PARAMETER_Q ^ -8*PARAMETER_Q)) ^ -8*PARAMETER_Q
410 |   vpxor      ymm8, ymm8, ymm12
411 |   vpand      ymm4, ymm4, ymm8
412 |   vpaddd     ymm3, ymm3, ymm4
413 |   vpabsd     ymm3, ymm3
414 |   vpaddd     ymm0, ymm0, ymm3                        // norm
415 | 
416 |   vpsubd     ymm0, ymm13, ymm0                       // If norm < PARAMETER_Q then result = 1, else result = 0
417 |   vpsrld     ymm0, ymm0, 31                            
418 |   vpxor      ymm0, ymm0, ymm10
419 | 
420 |   vpsrlq     ymm1, ymm0, 31
421 |   vpor       ymm1, ymm0, ymm1 
422 |   vpsllq     ymm2, ymm1, 2
423 |   vpsrldq    ymm2, ymm2, 8
424 |   vpor       ymm1, ymm2, ymm1 
425 |   vpsllq     ymm2, ymm1, 4
426 |   vpermq     ymm2, ymm2, 0x56
427 |   vpor       ymm0, ymm1, ymm2 
428 |   vmovq      r9, xmm0
429 |   
430 |   mov        BYTE PTR [reg_p3+rcx], r9b
431 | 
432 |   add        rax, r10             // j+8 
433 |   inc        rcx
434 |   cmp        rax, r11             
435 |   jl         loop3
436 |   ret
437 | 


--------------------------------------------------------------------------------
/ntt_constants.c:
--------------------------------------------------------------------------------
  1 | /****************************************************************************************
  2 | * LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
  3 | *
  4 | *    Copyright (c) Microsoft Corporation. All rights reserved.
  5 | *
  6 | *
  7 | * Abstract: fixed constants for the Number Theoretic Transform (NTT)
  8 | *
  9 | *****************************************************************************************/ 
 10 | 
 11 | #include "LatticeCrypto_priv.h"
 12 | 
 13 | 
 14 | // N^-1 * prime_scale^-8
 15 | const int32_t Ninv8_ntt1024_12289 = 8350;
 16 | // N^-1 * prime_scale^-7 * omegainv_rev_ntt1024_12289[1]
 17 | const int32_t omegainv7N_rev_ntt1024_12289 = 795;
 18 | // N^-1 * prime_scale^-11
 19 | const int32_t Ninv11_ntt1024_12289 = 2585;
 20 | // N^-1 * prime_scale^-10 * omegainv_rev_ntt1024_12289[1]
 21 | const int32_t omegainv10N_rev_ntt1024_12289 = 10953;
 22 | 
 23 | 
 24 | // Index-reversed matrices containing powers of psi (psi_rev_nttxxx_yyy) and inverse powers of omega (omegainv_rev_nttxxx_yyy),
 25 | // where xxx is parameter N and yyy is the prime q.
 26 | 
 27 | const int32_t psi_rev_ntt1024_12289[1024] = {
 28 | 8193, 493, 6845, 9908, 1378, 10377, 7952, 435, 10146, 1065, 404, 7644, 1207, 3248, 11121, 5277, 2437, 3646, 2987, 6022, 9867, 6250, 10102, 9723, 1002, 7278, 4284, 7201, 
 29 | 875, 3780, 1607, 4976, 8146, 4714, 242, 1537, 3704, 9611, 5019, 545, 5084, 10657, 4885, 11272, 3066, 12262, 3763, 10849, 2912, 5698, 11935, 4861, 7277, 9808, 11244, 2859, 
 30 | 7188, 1067, 2401, 11847, 390, 11516, 8511, 3833, 2780, 7094, 4895, 1484, 2305, 5042, 8236, 2645, 7875, 9442, 2174, 7917, 1689, 3364, 4057, 3271, 10863, 4654, 1777, 10626, 
 31 | 3636, 7351, 9585, 6998, 160, 3149, 4437, 12286, 10123, 3915, 7370, 12176, 4048, 2249, 2884, 1153, 9103, 6882, 2126, 10659, 3510, 5332, 2865, 9919, 9320, 8311, 9603, 9042, 
 32 | 3016, 12046, 9289, 11618, 7098, 3136, 9890, 3400, 2178, 1544, 5559, 420, 8304, 4905, 476, 3531, 9326, 4896, 9923, 3051, 3091, 81, 1000, 4320, 1177, 8034, 9521, 10654, 11563, 
 33 | 7678, 10436, 12149, 3014, 9088, 5086, 1326, 11119, 2319, 11334, 790, 2747, 7443, 3135, 3712, 1062, 9995, 7484, 8736, 9283, 2744, 11726, 2975, 9664, 949, 7468, 9650, 7266, 
 34 | 5828, 6561, 7698, 3328, 6512, 1351, 7311, 8155, 5736, 722, 10984, 4043, 7143, 10810, 1, 8668, 2545, 3504, 8747, 11077, 1646, 9094, 5860, 1759, 8582, 3694, 7110, 8907, 11934, 
 35 | 8058, 9741, 9558, 3932, 5911, 4890, 3637, 8830, 5542, 12144, 5755, 7657, 7901, 11029, 11955, 9863, 10861, 1696, 3284, 2881, 7197, 2089, 9000, 2013, 729, 9048, 11809, 2842, 
 36 | 11267, 9, 6498, 544, 2468, 339, 1381, 2525, 8112, 3584, 6958, 4989, 10616, 8011, 5374, 9452, 12159, 4354, 9893, 7837, 3296, 8340, 7222, 2197, 118, 2476, 5767, 827, 8541, 
 37 | 11336, 3434, 3529, 2908, 12071, 2361, 1843, 3030, 8174, 6147, 9842, 8326, 576, 10335, 10238, 10484, 9407, 11836, 5908, 418, 3772, 7515, 5429, 7552, 10996, 12133, 2767, 3969, 
 38 | 8298, 6413, 10008, 2031, 5333, 10800, 9789, 10706, 5942, 1263, 49, 5915, 10806, 11939, 10777, 1815, 5383, 3202, 4493, 6920, 10232, 1975, 8532, 2925, 347, 4754, 1858, 11863, 
 39 | 8974, 9551, 5868, 9634, 5735,11566, 12115, 10596, 3009, 6190, 11994, 6523, 652, 3762, 9370, 4016, 4077, 8561, 4049, 5990, 11130, 11143, 948, 325, 1404, 6992, 6119, 8333, 
 40 | 10929, 1200, 5184, 2555, 6122, 1594, 10327, 7183, 5961, 2692, 12121, 4298, 3329, 5919, 4433, 8455,7032, 1747, 3123, 3054, 6803, 5782, 10723, 9341, 2503, 683, 2459, 3656, 
 41 | 64, 4240, 3570, 835, 6065, 4046, 11580, 10970, 3150, 10331, 4322, 2078, 1112, 4079, 11231, 441, 922, 1050, 4536, 6844, 8429, 2683, 11099, 3818, 6171, 8500, 12142, 6833, 4449, 
 42 | 4749, 6752, 7500, 7822, 8214, 6974, 7965, 7373, 2169, 522, 5079, 3262, 10316, 6715, 1278, 9945, 3514, 11248, 11271, 5925, 468, 3988, 382, 11973, 5339, 6843, 6196, 8579, 2033, 
 43 | 8291, 1922, 3879, 11035, 973, 6854, 10930, 5206, 6760, 3199, 56, 3565, 654, 1702, 10302, 5862, 6153, 5415, 8646, 11889, 10561, 7341, 6152, 7232, 4698, 8844, 4780, 10240, 4912, 
 44 | 1321, 12097, 7048, 2920, 3127, 4169, 11502, 3482, 11279, 5468, 5874, 11612, 6055, 8953, 52, 3174, 10966, 9523, 151, 2127, 3957, 2839, 9784, 6383, 1579, 431, 7507, 5886, 3029, 
 45 | 6695, 4213, 504, 11684, 2302, 8689, 9026, 4624, 6212, 11868, 4080, 6221, 8687, 1003, 8757, 241, 58, 5009, 10333, 885, 6281, 3438, 9445, 11314, 8077, 6608, 3477, 142, 1105, 
 46 | 8841, 343, 4538, 1908, 1208, 4727, 7078, 10423, 10125, 6873, 11573, 10179, 416, 814, 1705, 2450, 8700, 717, 9307, 1373, 8186, 2429, 10568, 10753, 7228, 11071, 438, 8774, 5993, 
 47 | 3278, 4209, 6877, 3449, 1136, 3708, 3238, 2926, 1826, 4489, 3171, 8024, 8611, 1928, 464, 3205, 8930, 7080, 1092, 10900, 10221, 11943, 4404, 9126, 4032, 7449, 6127, 8067, 10763, 
 48 | 125, 540, 8921, 8062, 612, 8051, 12229, 9572, 9089, 10754, 10029, 68, 6453, 7723, 4781, 4924, 1014, 448, 3942, 5232, 1327, 8682, 3744, 7326, 3056, 9761, 5845, 5588, 412, 7187, 
 49 | 3975, 4883, 3087, 6454, 2257, 7784, 5676, 1417, 8400, 11710, 5596, 5987, 9175, 2769, 5966, 212, 6555, 11113, 5508, 11014, 1125, 4860, 10844, 1131, 4267, 6636, 2275, 9828, 5063, 
 50 | 4176, 3765, 1518, 8794, 4564, 10224, 5826, 3534, 3961, 4145, 10533, 506, 11034, 6505, 10897, 2674, 10077, 3338, 9013, 3511, 6811, 11111, 2776, 1165, 2575, 8881, 10347, 377, 
 51 | 4578, 11914, 10669, 10104, 392, 10453, 425, 9489, 193, 2231, 6197, 1038, 11366, 6204, 8122, 2894, 3654, 10975, 10545, 6599, 2455, 11951, 3947, 20, 5002, 5163, 4608, 8946, 8170, 
 52 | 10138, 1522, 8665, 10397, 3344, 5598, 10964, 6565, 11260, 1945, 11041, 9847, 7174, 4939, 2148, 6330, 3959, 5797, 4913, 3528, 8054, 3825, 8914, 9998, 4335, 8896, 9342, 3982, 
 53 | 6680, 11653, 7790, 6617, 1737, 622, 10485, 10886, 6195, 7100, 1687, 406, 12143, 5268, 9389, 12050, 994, 7735, 5464, 7383, 4670, 512, 364, 9929, 3028, 5216, 5518, 1226, 7550, 
 54 | 8038, 7043, 7814, 11053, 3017, 3121, 7584, 2600, 11232, 6780, 12085, 5219, 1409, 9600, 4605, 8151, 12109, 463, 8882, 8308, 10821, 9247, 10945, 9806, 2054, 6203, 6643, 3120, 
 55 | 6105, 8348, 8536, 6919, 8753, 11007, 8717, 9457, 2021, 9060, 4730, 3929, 10583, 3723, 845, 1936, 7, 5054, 3154, 3285, 4360, 3805, 11522, 2213, 4153, 12239, 12073, 5526, 769, 
 56 | 4099, 3944, 5604, 5530, 11024, 9282, 2171, 3480, 7434, 8520, 3232, 11996, 9656, 1406, 2945, 5349, 7207, 4590, 11607, 11309, 5202, 844, 7082, 4050, 8016, 9068, 9694, 8452, 7000, 
 57 | 5662, 567, 2941, 8619, 3808, 4987, 2373, 5135, 63, 7605, 3360, 11839, 10345, 578, 6921, 7628, 510, 5386, 2622, 7806, 5703, 10783, 9224, 11379, 5900, 4719, 11538, 3502, 5789, 
 58 | 10631, 5618, 826, 5043, 3090, 10891, 9951, 7596, 2293, 11872, 6151, 3469, 4443, 8871, 1555, 1802, 5103, 1891, 1223, 2334, 7878, 1590, 881, 365, 1927, 11274, 4510, 9652, 2946, 
 59 | 6828, 1280, 614, 10918, 12265, 7250, 6742, 9804, 11385, 2276, 11307, 2593, 879, 7899, 8071, 3454, 8531, 3795, 9021, 5776, 1849, 7766, 7988, 457, 8, 530, 9663, 7785, 11511, 3578, 
 60 | 7592, 10588, 3466, 8972, 9757, 3332, 139, 2046, 2940, 10808, 9332, 874, 2301, 5650, 12119, 150, 648, 8000, 9982, 9416, 2827, 2434, 11498, 6481, 12268, 9754, 11169, 11823, 11259, 
 61 | 3821, 10608, 2929, 6263, 4649, 6320, 9687, 10388, 502, 5118, 8496, 6226, 10716, 8443, 7624, 6883, 9269, 6616, 8620, 5287, 944, 7519, 6125, 1882, 11249, 10254, 5410, 1251, 1790, 
 62 | 5275, 8449, 10447, 4113, 72, 2828, 4352, 7455, 2712, 11048, 7911, 3451, 4094, 6508, 3045, 11194, 2643, 1783, 7211, 4974, 7724, 9811, 9449, 3019, 4194, 2730, 6878, 10421, 2253, 
 63 | 4518, 9195, 7469, 11129, 9173, 12100, 1763, 2209, 9617, 5170, 865, 1279, 1694, 10759, 8420, 4423, 10555, 3815, 5832, 10939
 64 | };
 65 | 
 66 | 
 67 | const int32_t omegainv_rev_ntt1024_12289[1024] = {
 68 | 8193, 11796, 2381, 5444, 11854, 4337, 1912, 10911, 7012, 1168, 9041, 11082, 4645, 11885, 11224, 2143, 7313, 10682, 8509, 11414, 5088, 8005, 5011, 11287, 2566, 2187, 6039, 2422, 
 69 | 6267, 9302, 8643, 9852, 8456, 3778, 773, 11899, 442, 9888, 11222, 5101, 9430, 1045, 2481, 5012, 7428, 354, 6591, 9377, 1440, 8526, 27, 9223, 1017, 7404, 1632, 7205, 11744, 7270, 
 70 | 2678, 8585, 10752, 12047, 7575, 4143, 8758, 11813, 7384, 3985, 11869, 6730, 10745, 10111, 8889, 2399, 9153, 5191, 671, 3000, 243, 9273, 3247, 2686, 3978, 2969, 2370, 9424, 6957, 
 71 | 8779, 1630, 10163, 5407, 3186, 11136, 9405, 10040, 8241, 113, 4919, 8374, 2166, 3, 7852, 9140, 12129, 5291, 2704, 4938, 8653, 1663, 10512, 7635, 1426, 9018, 8232, 8925, 10600, 4372, 
 72 | 10115, 2847, 4414, 9644, 4053, 7247, 9984, 10805, 7394, 5195, 9509, 953, 3748, 11462, 6522, 9813, 12171, 10092, 5067, 3949, 8993, 4452, 2396, 7935, 130, 2837, 6915, 4278, 1673, 7300, 
 73 | 5331, 8705, 4177, 9764, 10908, 11950, 9821, 11745, 5791, 12280, 1022, 9447, 480, 3241, 11560, 10276, 3289, 10200, 5092, 9408, 9005, 10593, 1428, 2426, 334, 1260, 4388, 4632, 6534, 
 74 | 145, 6747, 3459, 8652, 7399, 6378, 8357, 2731, 2548, 4231, 355, 3382, 5179, 8595, 3707, 10530, 6429, 3195, 10643, 1212, 3542, 8785, 9744, 3621, 12288, 1479, 5146, 8246, 1305, 11567, 
 75 | 6553, 4134, 4978, 10938, 5777, 8961, 4591, 5728, 6461, 5023, 2639, 4821, 11340, 2625, 9314, 563, 9545, 3006, 3553, 4805, 2294, 11227, 8577, 9154, 4846, 9542, 11499, 955, 9970, 1170, 
 76 | 10963, 7203, 3201, 9275, 140, 1853, 4611, 726, 1635, 2768, 4255, 11112, 7969, 11289, 12208, 9198, 9238, 2366, 7393, 2963, 11184, 12147, 8812, 5681, 4212, 975, 2844, 8851, 6008, 11404, 
 77 | 1956, 7280, 12231, 12048, 3532, 11286, 3602, 6068, 8209, 421, 6077, 7665, 3263, 3600, 9987, 605, 11785, 8076, 5594, 9260, 6403, 4782, 11858, 10710, 5906, 2505, 9450, 8332, 10162, 
 78 | 12138, 2766, 1323, 9115, 12237, 3336, 6234, 677, 6415, 6821, 1010, 8807, 787, 8120, 9162, 9369, 5241, 192, 10968, 7377, 2049, 7509, 3445, 7591, 5057, 6137, 4948, 1728, 400, 3643, 
 79 | 6874, 6136, 6427, 1987, 10587, 11635, 8724, 12233, 9090, 5529, 7083, 1359, 5435, 11316, 1254, 8410, 10367, 3998, 10256, 3710, 6093, 5446, 6950, 316, 11907, 8301, 11821, 6364, 1018, 
 80 | 1041, 8775, 2344, 11011, 5574, 1973, 9027, 7210, 11767, 10120, 4916, 4324, 5315, 4075, 4467, 4789, 5537, 7540, 7840, 5456, 147, 3789, 6118, 8471, 1190, 9606, 3860, 5445, 7753, 11239, 
 81 | 11367, 11848, 1058, 8210, 11177, 10211, 7967, 1958, 9139, 1319, 709, 8243, 6224, 11454, 8719, 8049, 12225, 8633, 9830, 11606, 9786, 2948, 1566, 6507, 5486, 9235, 9166, 10542, 5257, 
 82 | 3834, 7856, 6370, 8960, 7991, 168, 9597, 6328, 5106, 1962, 10695, 6167, 9734, 7105, 11089, 1360, 3956, 6170, 5297, 10885, 11964, 11341, 1146, 1159, 6299, 8240, 3728, 8212, 8273, 2919, 
 83 | 8527, 11637, 5766, 295, 6099, 9280, 1693, 174, 723, 6554, 2655, 6421, 2738, 3315, 426, 10431, 7535, 11942, 9364, 3757, 10314, 2057, 5369, 7796, 9087, 6906, 10474, 1512, 350, 1483, 
 84 | 6374, 12240, 11026, 6347, 1583, 2500, 1489, 6956, 10258, 2281, 5876, 3991, 8320, 9522, 156, 1293, 4737, 6860, 4774, 8517, 11871, 6381, 453, 2882, 1805, 2051, 1954, 11713, 3963, 2447, 
 85 | 6142, 4115, 9259, 10446, 9928, 218, 9381, 8760, 8855, 1350, 6457, 8474, 1734, 7866, 3869, 1530, 10595, 11010, 11424, 7119, 2672, 10080, 10526, 189, 3116, 1160, 4820, 3094, 7771, 10036, 
 86 | 1868, 5411, 9559, 8095, 9270, 2840, 2478, 4565, 7315, 5078, 10506, 9646, 1095, 9244, 5781, 8195, 8838, 4378, 1241, 9577, 4834, 7937, 9461, 12217, 8176, 1842, 3840, 7014, 10499, 11038, 
 87 | 6879, 2035, 1040, 10407, 6164, 4770, 11345, 7002, 3669, 5673, 3020, 5406, 4665, 3846, 1573, 6063, 3793, 7171, 11787, 1901, 2602, 5969, 7640, 6026, 9360, 1681, 8468, 1030, 466, 1120, 
 88 | 2535, 21, 5808, 791, 9855, 9462, 2873, 2307, 4289, 11641, 12139, 170, 6639, 9988, 11415, 2957, 1481, 9349, 10243, 12150, 8957, 2532, 3317, 8823, 1701, 4697, 8711, 778, 4504, 2626, 
 89 | 11759, 12281, 11832, 4301, 4523, 10440, 6513, 3268, 8494, 3758, 8835, 4218, 4390, 11410, 9696, 982, 10013, 904, 2485, 5547, 5039, 24, 1371, 11675, 11009, 5461, 9343, 2637, 7779, 1015, 
 90 | 10362, 11924, 11408, 10699, 4411, 9955, 11066, 10398, 7186, 10487, 10734, 3418, 7846, 8820, 6138, 417, 9996, 4693, 2338, 1398, 9199, 7246, 11463, 6671, 1658, 6500, 8787, 751, 7570, 
 91 | 6389, 910, 3065, 1506, 6586, 4483, 9667, 6903, 11779, 4661, 5368, 11711, 1944, 450, 8929, 4684, 12226, 7154, 9916, 7302, 8481, 3670, 9348, 11722, 6627, 5289, 3837, 2595, 3221, 4273, 
 92 | 8239, 5207, 11445, 7087, 980, 682, 7699, 5082, 6940, 9344, 10883, 2633, 293, 9057, 3769, 4855, 8809, 10118, 3007, 1265, 6759, 6685, 8345, 8190, 11520, 6763, 216, 50, 8136, 10076, 767, 
 93 | 8484, 7929, 9004, 9135, 7235, 12282, 10353, 11444, 8566, 1706, 8360, 7559, 3229, 10268, 2832, 3572, 1282, 3536, 5370, 3753, 3941, 6184, 9169, 5646, 6086, 10235, 2483, 1344, 3042, 1468, 
 94 | 3981, 3407, 11826, 180, 4138, 7684, 2689, 10880, 7070, 204, 5509, 1057, 9689, 4705, 9168, 9272, 1236, 4475, 5246, 4251, 4739, 11063, 6771, 7073, 9261, 2360, 11925, 11777, 7619, 4906, 
 95 | 6825, 4554, 11295, 239, 2900, 7021, 146, 11883, 10602, 5189, 6094, 1403, 1804, 11667, 10552, 5672, 4499, 636, 5609, 8307, 2947, 3393, 7954, 2291, 3375, 8464, 4235, 8761, 7376, 6492, 
 96 | 8330, 5959, 10141, 7350, 5115, 2442, 1248, 10344, 1029, 5724, 1325, 6691, 8945, 1892, 3624, 10767, 2151, 4119, 3343, 7681, 7126, 7287, 12269, 8342, 338, 9834, 5690, 1744, 1314, 8635, 
 97 | 9395, 4167, 6085, 923, 11251, 6092, 10058, 12096, 2800, 11864, 1836, 11897, 2185, 1620, 375, 7711, 11912, 1942, 3408, 9714, 11124, 9513, 1178, 5478, 8778, 3276, 8951, 2212, 9615, 1392, 
 98 | 5784, 1255, 11783, 1756, 8144, 8328, 8755, 6463, 2065, 7725, 3495, 10771, 8524, 8113, 7226, 2461, 10014, 5653, 8022, 11158, 1445, 7429, 11164, 1275, 6781, 1176, 5734, 12077, 6323, 9520, 
 99 | 3114, 6302, 6693, 579, 3889, 10872, 6613, 4505, 10032, 5835, 9202, 7406, 8314, 5102, 11877, 6701, 6444, 2528, 9233, 4963, 8545, 3607, 10962, 7057, 8347, 11841, 11275, 7365, 7508, 4566, 
100 | 5836, 12221, 2260, 1535, 3200, 2717, 60, 4238, 11677, 4227, 3368, 11749, 12164, 1526, 4222, 6162, 4840, 8257, 3163, 7885, 346, 2068, 1389, 11197, 5209, 3359, 9084, 11825, 10361, 3678, 
101 | 4265, 9118, 7800, 10463, 9363, 9051, 8581, 11153, 8840, 5412, 8080, 9011, 6296, 3515, 11851, 1218, 5061, 1536, 1721, 9860, 4103, 10916, 2982, 11572, 3589, 9839, 10584, 11475, 11873, 
102 | 2110, 716, 5416, 2164, 1866, 5211, 7562, 11081, 10381, 7751, 11946, 3448
103 | };
104 | 
105 |                             
106 | const int32_t psi_rev_ntt512_12289[512] = {
107 | 8193, 493, 6845, 9908, 1378, 10377, 7952, 435, 10146, 1065, 404, 7644, 1207, 3248, 11121, 5277, 2437, 3646, 2987, 6022, 9867, 6250, 10102, 9723, 1002, 7278, 4284, 7201, 875, 3780, 1607, 
108 | 4976, 8146, 4714, 242, 1537, 3704, 9611, 5019, 545, 5084, 10657, 4885, 11272, 3066, 12262, 3763, 10849, 2912, 5698, 11935, 4861, 7277, 9808, 11244, 2859, 7188, 1067, 2401, 11847, 390, 
109 | 11516, 8511, 3833, 2780, 7094, 4895, 1484, 2305, 5042, 8236, 2645, 7875, 9442, 2174, 7917, 1689, 3364, 4057, 3271, 10863, 4654, 1777, 10626, 3636, 7351, 9585, 6998, 160, 3149, 4437, 
110 | 12286, 10123, 3915, 7370, 12176, 4048, 2249, 2884, 1153, 9103, 6882, 2126, 10659, 3510, 5332, 2865, 9919, 9320, 8311, 9603, 9042, 3016, 12046, 9289, 11618, 7098, 3136, 9890, 3400, 2178, 
111 | 1544, 5559, 420, 8304, 4905, 476, 3531, 9326, 4896, 9923, 3051, 3091, 81, 1000, 4320, 1177, 8034, 9521, 10654, 11563, 7678, 10436, 12149, 3014, 9088, 5086, 1326, 11119, 2319, 11334, 790, 
112 | 2747, 7443, 3135, 3712, 1062, 9995, 7484, 8736, 9283, 2744, 11726, 2975, 9664, 949, 7468, 9650, 7266, 5828, 6561, 7698, 3328, 6512, 1351, 7311, 8155, 5736, 722, 10984, 4043, 7143, 10810, 
113 | 1, 8668, 2545, 3504, 8747, 11077, 1646, 9094, 5860, 1759, 8582, 3694, 7110, 8907, 11934, 8058, 9741, 9558, 3932, 5911, 4890, 3637, 8830, 5542, 12144, 5755, 7657, 7901, 11029, 11955, 9863, 
114 | 10861, 1696, 3284, 2881, 7197, 2089, 9000, 2013, 729, 9048, 11809, 2842, 11267, 9, 6498, 544, 2468, 339, 1381, 2525, 8112, 3584, 6958, 4989, 10616, 8011, 5374, 9452, 12159, 4354, 9893, 
115 | 7837, 3296, 8340, 7222, 2197, 118, 2476, 5767, 827, 8541, 11336, 8855, 8760, 9381, 218, 9928, 10446, 9259, 4115, 6142, 2447, 3963, 11713, 1954, 2051, 1805, 2882, 453, 6381, 11871, 8517, 
116 | 4774, 6860, 4737, 1293, 156, 9522, 8320, 3991, 5876, 2281, 10258, 6956, 1489, 2500, 1583, 6347, 11026, 12240, 6374, 1483, 350, 1512, 10474, 6906, 9087, 7796, 5369, 2057, 10314, 3757, 
117 | 9364, 11942, 7535, 10431, 426, 3315, 2738, 6421, 2655, 6554, 723, 174, 1693, 9280, 6099, 295, 5766, 11637, 8527, 2919, 8273, 8212, 3728, 8240, 6299, 1159, 1146, 11341, 11964, 10885, 5297, 
118 | 6170, 3956, 1360, 11089, 7105, 9734, 6167, 10695, 1962, 5106, 6328, 9597, 168, 7991, 8960, 6370, 7856, 3834, 5257, 10542, 9166, 9235, 5486, 6507, 1566, 2948, 9786, 11606, 9830, 8633, 
119 | 12225, 8049, 8719, 11454, 6224, 8243, 709, 1319, 9139, 1958, 7967, 10211, 11177, 8210, 1058, 11848, 11367, 11239, 7753, 5445, 3860, 9606, 1190, 8471, 6118, 3789, 147, 5456, 7840, 7540, 
120 | 5537, 4789, 4467, 4075, 5315, 4324, 4916, 10120, 11767, 7210, 9027, 1973, 5574, 11011, 2344, 8775, 1041, 1018, 6364, 11821, 8301, 11907, 316, 6950, 5446, 6093, 3710, 10256, 3998, 10367, 
121 | 8410, 1254, 11316, 5435, 1359, 7083, 5529, 9090, 12233, 8724, 11635, 10587, 1987, 6427, 6136, 6874, 3643, 400, 1728, 4948, 6137, 5057, 7591, 3445, 7509, 2049, 7377, 10968, 192, 5241, 9369, 
122 | 9162, 8120, 787, 8807, 1010, 6821, 6415, 677, 6234, 3336, 12237, 9115, 1323, 2766, 12138, 10162, 8332, 9450, 2505, 5906, 10710, 11858, 4782, 6403, 9260, 5594, 8076, 11785, 605, 9987, 3600, 
123 | 3263, 7665, 6077, 421, 8209, 6068, 3602, 11286, 3532, 12048, 12231, 7280, 1956, 11404, 6008, 8851, 2844, 975, 4212, 5681, 8812, 12147, 11184
124 | };
125 | 
126 | 
127 | const int32_t omegainv_rev_ntt512_12289[512] = {
128 | 8193, 11796, 2381, 5444, 11854, 4337, 1912, 10911, 7012, 1168, 9041, 11082, 4645, 11885, 11224, 2143, 7313, 10682, 8509, 11414, 5088, 8005, 5011, 11287, 2566, 2187, 6039, 2422, 6267, 9302, 
129 | 8643, 9852, 8456, 3778, 773, 11899, 442, 9888, 11222, 5101, 9430, 1045, 2481, 5012, 7428, 354, 6591, 9377, 1440, 8526, 27, 9223, 1017, 7404, 1632, 7205, 11744, 7270, 2678, 8585, 10752, 
130 | 12047, 7575, 4143, 8758, 11813, 7384, 3985, 11869, 6730, 10745, 10111, 8889, 2399, 9153, 5191, 671, 3000, 243, 9273, 3247, 2686, 3978, 2969, 2370, 9424, 6957, 8779, 1630, 10163, 5407, 3186, 
131 | 11136, 9405, 10040, 8241, 113, 4919, 8374, 2166, 3, 7852, 9140, 12129, 5291, 2704, 4938, 8653, 1663, 10512, 7635, 1426, 9018, 8232, 8925, 10600, 4372, 10115, 2847, 4414, 9644, 4053, 7247, 
132 | 9984, 10805, 7394, 5195, 9509, 953, 3748, 11462, 6522, 9813, 12171, 10092, 5067, 3949, 8993, 4452, 2396, 7935, 130, 2837, 6915, 4278, 1673, 7300, 5331, 8705, 4177, 9764, 10908, 11950, 9821, 
133 | 11745, 5791, 12280, 1022, 9447, 480, 3241, 11560, 10276, 3289, 10200, 5092, 9408, 9005, 10593, 1428, 2426, 334, 1260, 4388, 4632, 6534, 145, 6747, 3459, 8652, 7399, 6378, 8357, 2731, 2548, 
134 | 4231, 355, 3382, 5179, 8595, 3707, 10530, 6429, 3195, 10643, 1212, 3542, 8785, 9744, 3621, 12288, 1479, 5146, 8246, 1305, 11567, 6553, 4134, 4978, 10938, 5777, 8961, 4591, 5728, 6461, 5023, 
135 | 2639, 4821, 11340, 2625, 9314, 563, 9545, 3006, 3553, 4805, 2294, 11227, 8577, 9154, 4846, 9542, 11499, 955, 9970, 1170, 10963, 7203, 3201, 9275, 140, 1853, 4611, 726, 1635, 2768, 4255, 
136 | 11112, 7969, 11289, 12208, 9198, 9238, 2366, 7393, 2963, 1105, 142, 3477, 6608, 8077, 11314, 9445, 3438, 6281, 885, 10333, 5009, 58, 241, 8757, 1003, 8687, 6221, 4080, 11868, 6212, 4624, 
137 | 9026, 8689, 2302, 11684, 504, 4213, 6695, 3029, 5886, 7507, 431, 1579, 6383, 9784, 2839, 3957, 2127, 151, 9523, 10966, 3174, 52, 8953, 6055, 11612, 5874, 5468, 11279, 3482, 11502, 4169, 
138 | 3127, 2920, 7048, 12097, 1321, 4912, 10240, 4780, 8844, 4698, 7232, 6152, 7341, 10561, 11889, 8646, 5415, 6153, 5862, 10302, 1702, 654, 3565, 56, 3199, 6760, 5206, 10930, 6854, 973, 11035, 
139 | 3879, 1922, 8291, 2033, 8579, 6196, 6843, 5339, 11973, 382, 3988, 468, 5925, 11271, 11248, 3514, 9945, 1278, 6715, 10316, 3262, 5079, 522, 2169, 7373, 7965, 6974, 8214, 7822, 7500, 6752, 
140 | 4749, 4449, 6833, 12142, 8500, 6171, 3818, 11099, 2683, 8429, 6844, 4536, 1050, 922, 441, 11231, 4079, 1112, 2078, 4322, 10331, 3150, 10970, 11580, 4046, 6065, 835, 3570, 4240, 64, 3656, 
141 | 2459, 683, 2503, 9341, 10723, 5782, 6803, 3054, 3123, 1747, 7032, 8455, 4433, 5919, 3329, 4298, 12121, 2692, 5961, 7183, 10327, 1594, 6122, 2555, 5184, 1200, 10929, 8333, 6119, 6992, 1404, 
142 | 325, 948, 11143, 11130, 5990, 4049, 8561, 4077, 4016, 9370, 3762, 652, 6523, 11994, 6190, 3009, 10596, 12115, 11566, 5735, 9634, 5868, 9551, 8974, 11863, 1858, 4754, 347, 2925, 8532, 1975, 
143 | 10232, 6920, 4493, 3202, 5383, 1815, 10777, 11939, 10806, 5915, 49, 1263, 5942, 10706, 9789, 10800, 5333, 2031, 10008, 6413, 8298, 3969, 2767, 12133, 10996, 7552, 5429, 7515, 3772, 418, 5908, 
144 | 11836, 9407, 10484, 10238, 10335, 576, 8326, 9842, 6147, 8174, 3030, 1843, 2361, 12071, 2908, 3529, 3434
145 | };


--------------------------------------------------------------------------------
/AMD64/ntt_x64_asm.S:
--------------------------------------------------------------------------------
  1 | //****************************************************************************************
  2 | // LatticeCrypto: an efficient post-quantum Ring-Learning With Errors cryptography library
  3 | //
  4 | //    Copyright (c) Microsoft Corporation. All rights reserved.
  5 | //
  6 | //
  7 | // Abstract: NTT functions in x64 assembly using AVX2 vector instructions for Linux 
  8 | //
  9 | //****************************************************************************************  
 10 | 
 11 | .intel_syntax noprefix 
 12 | 
 13 | // Registers that are used for parameter passing:
 14 | #define reg_p1  rdi
 15 | #define reg_p2  rsi
 16 | #define reg_p3  rdx
 17 | #define reg_p4  rcx
 18 | #define reg_p5  r8
 19 | 
 20 | 
 21 | .text
 22 | //***********************************************************************
 23 | //  Forward NTT
 24 | //  Operation: a [reg_p1] <- NTT(a) [reg_p1], 
 25 | //             [reg_p2] points to table and 
 26 | //             reg_p3 contains parameter n
 27 | //*********************************************************************** 
 28 | .global NTT_CT_std2rev_12289_asm
 29 | NTT_CT_std2rev_12289_asm:
 30 |   push       r12
 31 |   push       r13
 32 |   push       r14
 33 | 
 34 | // Stages m=1 -> m=32
 35 |   mov        r9, 1            // m = 1
 36 |   mov        rax, reg_p3 
 37 |   mov        r12, reg_p3      
 38 |   shr        r12, 4           // n/16
 39 |   vmovdqu    ymm14, MASK12x8
 40 |   vmovdqu    ymm12, PERM0246
 41 |   mov        r14, 16
 42 |   mov        rcx, 11
 43 | loop1:
 44 |   shr        rax, 1           // k = k/2
 45 |   dec        rcx 
 46 |   xor        rdx, rdx         // i = 0
 47 | loop2:
 48 |   mov        r10, rdx
 49 |   mov        r11, rax
 50 |   dec        r11
 51 |   shl        r10, cl          // j1
 52 |   add        r11, r10         // j2
 53 |   mov        r13, r9
 54 |   add        r13, rdx         // m+i
 55 |   vbroadcastss ymm11, DWORD PTR [reg_p2+4*r13]   // S
 56 | 
 57 | loop3:
 58 |   mov        r13, r10
 59 |   add        r13, rax         // j+k
 60 |   vpmovsxdq  ymm1, XMMWORD PTR [reg_p1+4*r13]    // a[j+k]
 61 |   vpmovsxdq  ymm3, XMMWORD PTR [reg_p1+4*r13+16] // a[j+k]
 62 |   vpmovsxdq  ymm5, XMMWORD PTR [reg_p1+4*r13+32] // a[j+k]
 63 |   vpmovsxdq  ymm7, XMMWORD PTR [reg_p1+4*r13+48] // a[j+k]
 64 |   
 65 |   vpmuldq    ymm1, ymm1, ymm11                   // a[j+k].S
 66 |   vpmuldq    ymm3, ymm3, ymm11                   
 67 |   vpmuldq    ymm5, ymm5, ymm11                   
 68 |   vpmuldq    ymm7, ymm7, ymm11   
 69 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*r10]    // U = a[j]
 70 | 
 71 |   vmovdqu    ymm13, ymm1
 72 |   vpand      ymm1, ymm14, ymm1                   // c0
 73 |   vpsrlq     ymm13, ymm13, 12                    // c1
 74 |   vpslld     ymm15, ymm1, 1                      // 2*c0
 75 |   vpsubd     ymm13, ymm1, ymm13                  // c0-c1
 76 |   vpaddd     ymm13, ymm13, ymm15                 // V = 3*c0-c1    
 77 |   vpsubd     ymm1, ymm0, ymm13                   // a[j+k] = U - V
 78 |   vpaddd     ymm0, ymm0, ymm13                   // a[j] = U + V   
 79 |   vpermd     ymm1, ymm12, ymm1 
 80 |   vpermd     ymm0, ymm12, ymm0 
 81 |   vpmovsxdq  ymm2, XMMWORD PTR [reg_p1+4*r10+16] // U = a[j]
 82 | 
 83 |   vmovdqu    ymm13, ymm3
 84 |   vpand      ymm3, ymm14, ymm3                   // c0
 85 |   vpsrlq     ymm13, ymm13, 12                    // c1
 86 |   vpslld     ymm15, ymm3, 1                      // 2*c0
 87 |   vpsubd     ymm13, ymm3, ymm13                  // c0-c1
 88 |   vpaddd     ymm13, ymm13, ymm15                 // V = 3*c0-c1    
 89 |   vpsubd     ymm3, ymm2, ymm13                   // a[j+k] = U - V
 90 |   vpaddd     ymm2, ymm2, ymm13                   // a[j] = U + V  
 91 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10], xmm0
 92 |   vmovdqu    XMMWORD PTR [reg_p1+4*r13], xmm1 
 93 |   vpermd     ymm3, ymm12, ymm3 
 94 |   vpermd     ymm2, ymm12, ymm2 
 95 |   vpmovsxdq  ymm4, XMMWORD PTR [reg_p1+4*r10+32] // U = a[j]
 96 | 
 97 |   vmovdqu    ymm13, ymm5
 98 |   vpand      ymm5, ymm14, ymm5                   // c0
 99 |   vpsrlq     ymm13, ymm13, 12                    // c1
100 |   vpslld     ymm15, ymm5, 1                      // 2*c0
101 |   vpsubd     ymm13, ymm5, ymm13                  // c0-c1
102 |   vpaddd     ymm13, ymm13, ymm15                 // V = 3*c0-c1    
103 |   vpsubd     ymm5, ymm4, ymm13                   // a[j+k] = U - V
104 |   vpaddd     ymm4, ymm4, ymm13                   // a[j] = U + V  
105 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+16], xmm2
106 |   vmovdqu    XMMWORD PTR [reg_p1+4*r13+16], xmm3 
107 |   vpermd     ymm5, ymm12, ymm5 
108 |   vpermd     ymm4, ymm12, ymm4 
109 |   vpmovsxdq  ymm6, XMMWORD PTR [reg_p1+4*r10+48] // U = a[j]
110 | 
111 |   vmovdqu    ymm13, ymm7
112 |   vpand      ymm7, ymm14, ymm7                   // c0
113 |   vpsrlq     ymm13, ymm13, 12                    // c1
114 |   vpslld     ymm15, ymm7, 1                      // 2*c0
115 |   vpsubd     ymm13, ymm7, ymm13                  // c0-c1
116 |   vpaddd     ymm13, ymm13, ymm15                 // V = 3*c0-c1    
117 |   vpsubd     ymm7, ymm6, ymm13                   // a[j+k] = U - V
118 |   vpaddd     ymm6, ymm6, ymm13                   // a[j] = U + V 
119 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+32], xmm4
120 |   vmovdqu    XMMWORD PTR [reg_p1+4*r13+32], xmm5  
121 |   vpermd     ymm6, ymm12, ymm6   
122 |   vpermd     ymm7, ymm12, ymm7 
123 |   vmovdqu    XMMWORD PTR [reg_p1+4*r13+48], xmm7
124 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+48], xmm6
125 |   
126 |   add        r10, r14
127 |   cmp        r10, r11
128 |   jl         loop3
129 |   inc        rdx
130 |   cmp        rdx, r9
131 |   jl         loop2
132 |   shl        r9, 1
133 |   cmp        r9, r12
134 |   jl         loop1
135 |    
136 | // Stage m=64
137 |   xor        rdx, rdx         // i = 0
138 |   xor        r10, r10         // j1 = 0
139 | loop4:
140 |   vbroadcastss ymm11, DWORD PTR [reg_p2+4*rdx+4*64] // S
141 |   vpmovsxdq  ymm1, XMMWORD PTR [reg_p1+4*r10+32] // a[j+k]
142 |   vpmovsxdq  ymm3, XMMWORD PTR [reg_p1+4*r10+48] // a[j+k]
143 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*r10]    // U = a[j]
144 |   vpmovsxdq  ymm2, XMMWORD PTR [reg_p1+4*r10+16] // U = a[j]
145 |   vpmuldq    ymm1, ymm1, ymm11                   // a[j+k].S
146 |   vpmuldq    ymm3, ymm3, ymm11                   // a[j+k].S
147 | 
148 |   vmovdqu    ymm13, ymm1
149 |   vpand      ymm1, ymm14, ymm1                   // c0
150 |   vpsrlq     ymm13, ymm13, 12                    // c1
151 |   vpslld     ymm15, ymm1, 1                      // 2*c0
152 |   vpsubd     ymm13, ymm1, ymm13                  // c0-c1
153 |   vpaddd     ymm13, ymm13, ymm15                 // V = 3*c0-c1 
154 |   
155 |   vmovdqu    ymm10, ymm3
156 |   vpand      ymm3, ymm14, ymm3                   // c0
157 |   vpsrlq     ymm10, ymm10, 12                    // c1
158 |   vpslld     ymm15, ymm3, 1                      // 2*c0
159 |   vpsubd     ymm10, ymm3, ymm10                  // c0-c1
160 |   vpaddd     ymm10, ymm10, ymm15                 // V = 3*c0-c1    
161 |   
162 |   vpsubd     ymm1, ymm0, ymm13                   // a[j+k] = U - V
163 |   vpaddd     ymm0, ymm0, ymm13                   // a[j] = U + V    
164 |   vpsubd     ymm3, ymm2, ymm10                   // a[j+k] = U - V
165 |   vpaddd     ymm2, ymm2, ymm10                   // a[j] = U + V 
166 |   
167 |   vpermd     ymm0, ymm12, ymm0 
168 |   vpermd     ymm1, ymm12, ymm1 
169 |   vpermd     ymm2, ymm12, ymm2 
170 |   vpermd     ymm3, ymm12, ymm3 
171 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10], xmm0
172 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+32], xmm1
173 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+16], xmm2
174 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+48], xmm3
175 |   
176 |   add        r10, r14        // j+16 
177 |   inc        rdx             // i+1
178 |   cmp        rdx, r9
179 |   jl         loop4
180 |    
181 | // Stage m=128
182 |   shl        r9, 1
183 |   xor        rdx, rdx         // i = 0
184 |   xor        r10, r10         // j1 = 0
185 |   mov        r13, 8 
186 | loop6:
187 |   vbroadcastss ymm2, DWORD PTR [reg_p2+4*rdx+4*128] // S
188 |   vpmovsxdq  ymm1, XMMWORD PTR [reg_p1+4*r10+16] // a[j+k]
189 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*r10]    // U = a[j]
190 |   vpmuldq    ymm1, ymm1, ymm2                    // a[j+k].S
191 |   
192 |   vmovdqu    ymm3, ymm0
193 |   vpand      ymm0, ymm14, ymm0                   // c0
194 |   vpsrad     ymm3, ymm3, 12                      // c1
195 |   vpslld     ymm4, ymm0, 1                       // 2*c0
196 |   vpsubd     ymm3, ymm0, ymm3                    // c0-c1
197 |   vpaddd     ymm0, ymm3, ymm4                    // U = 3*c0-c1    
198 |   
199 |   vmovdqu    ymm3, ymm1
200 |   vpand      ymm1, ymm14, ymm1                   // c0
201 |   vpsrlq     ymm4, ymm3, 24                      // c2
202 |   vpsrad     ymm3, ymm3, 12                      // xc1
203 |   vpand      ymm3, ymm14, ymm3                   // c1
204 |   vpslld     ymm5, ymm1, 3                       // 8*c0
205 |   vpaddd     ymm4, ymm1, ymm4                    // c0+c2
206 |   vpaddd     ymm4, ymm4, ymm5                    // 9*c0+c2
207 |   vpslld     ymm5, ymm3, 1                       // 2*c1
208 |   vpaddd     ymm1, ymm0, ymm3                    // U+c1
209 |   vpsubd     ymm0, ymm0, ymm3                    // U-c1
210 |   vpsubd     ymm4, ymm4, ymm5                    // 9*c0-2*c1+c2
211 |   vpaddd     ymm0, ymm0, ymm4                    // U+(9*c0-3*c1+c2)
212 |   vpsubd     ymm1, ymm1, ymm4                    // U-(9*c0-3*c1+c2)
213 |   vpermd     ymm0, ymm12, ymm0 
214 |   vpermd     ymm1, ymm12, ymm1 
215 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10], xmm0
216 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+16], xmm1
217 | 
218 |   add        r10, r13        // j+8
219 |   inc        rdx             // i+1
220 |   cmp        rdx, r9
221 |   jl         loop6
222 | 
223 | // Stage m=256 
224 |   vmovdqu    ymm9, PERM02134657  
225 |   shl        r9, 1
226 |   xor        rdx, rdx         // i = 0
227 |   xor        r10, r10         // j1 = 0
228 |   mov        r14, 32
229 | loop7:
230 |   vpmovsxdq  ymm2, XMMWORD PTR [reg_p2+4*rdx+4*256]    // S = psi[m+i]->psi[m+i+3]
231 |   vpermq     ymm8, ymm2, 0x50   
232 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*r10]    // U = a[j]->a[j+3]
233 |   vpmovsxdq  ymm1, XMMWORD PTR [reg_p1+4*r10+16] // a[j+k]->a[j+k+3]
234 |   vpermq     ymm3, ymm0, 0x4e    
235 |   vinserti128 ymm0, ymm0, xmm1, 1                // U
236 |   vpblendd   ymm1, ymm1, ymm3, 15
237 |   vpmuldq    ymm3, ymm1, ymm8                    // a[j+k].S
238 |   vmovdqu    ymm4, ymm3
239 |   vpand      ymm3, ymm14, ymm3                   // c0
240 |   vpsrlq     ymm4, ymm4, 12                      // c1
241 |   vpslld     ymm5, ymm3, 1                       // 2*c0
242 |   vpsubd     ymm4, ymm3, ymm4                    // c0-c1
243 |   vpaddd     ymm4, ymm4, ymm5                    // V = 3*c0-c1     
244 |   vpsubd     ymm1, ymm0, ymm4                    // a[j+k] = U - V
245 |   vpaddd     ymm0, ymm0, ymm4                    // a[j] = U + V 
246 |   vpslldq    ymm1, ymm1, 4    
247 |   vpblendd   ymm0, ymm0, ymm1, 0xaa
248 |   vpermd     ymm0, ymm9, ymm0 
249 |   vmovdqu    YMMWORD PTR [reg_p1+4*r10], ymm0
250 |   
251 |   vpermq     ymm8, ymm2, 0xfa   
252 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*r10+32] // U = a[j]->a[j+3]
253 |   vpmovsxdq  ymm1, XMMWORD PTR [reg_p1+4*r10+48] // a[j+k]->a[j+k+3]
254 |   vpermq     ymm3, ymm0, 0x4e    
255 |   vinserti128 ymm0, ymm0, xmm1, 1                // U
256 |   vpblendd   ymm1, ymm1, ymm3, 15
257 |   vpmuldq    ymm3, ymm1, ymm8                    // a[j+k].S
258 |   vmovdqu    ymm4, ymm3
259 |   vpand      ymm3, ymm14, ymm3                   // c0
260 |   vpsrlq     ymm4, ymm4, 12                      // c1
261 |   vpslld     ymm5, ymm3, 1                       // 2*c0
262 |   vpsubd     ymm4, ymm3, ymm4                    // c0-c1
263 |   vpaddd     ymm4, ymm4, ymm5                    // V = 3*c0-c1     
264 |   vpsubd     ymm1, ymm0, ymm4                    // a[j+k] = U - V
265 |   vpaddd     ymm0, ymm0, ymm4                    // a[j] = U + V 
266 |   vpslldq    ymm1, ymm1, 4    
267 |   vpblendd   ymm0, ymm0, ymm1, 0xaa
268 |   vpermd     ymm0, ymm9, ymm0 
269 |   vmovdqu    YMMWORD PTR [reg_p1+4*r10+32], ymm0
270 | 
271 |   vpmovsxdq  ymm2, XMMWORD PTR [reg_p2+4*rdx+4*256+16]  // S = psi[m+i]->psi[m+i+3] 
272 |   vpermq     ymm8, ymm2, 0x50   
273 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*r10+64] // U = a[j]->a[j+3]
274 |   vpmovsxdq  ymm1, XMMWORD PTR [reg_p1+4*r10+80] // a[j+k]->a[j+k+3]
275 |   vpermq     ymm3, ymm0, 0x4e    
276 |   vinserti128 ymm0, ymm0, xmm1, 1                // U
277 |   vpblendd   ymm1, ymm1, ymm3, 15
278 |   vpmuldq    ymm3, ymm1, ymm8                    // a[j+k].S
279 |   vmovdqu    ymm4, ymm3
280 |   vpand      ymm3, ymm14, ymm3                   // c0
281 |   vpsrlq     ymm4, ymm4, 12                      // c1
282 |   vpslld     ymm5, ymm3, 1                       // 2*c0
283 |   vpsubd     ymm4, ymm3, ymm4                    // c0-c1
284 |   vpaddd     ymm4, ymm4, ymm5                    // V = 3*c0-c1     
285 |   vpsubd     ymm1, ymm0, ymm4                    // a[j+k] = U - V
286 |   vpaddd     ymm0, ymm0, ymm4                    // a[j] = U + V 
287 |   vpslldq    ymm1, ymm1, 4    
288 |   vpblendd   ymm0, ymm0, ymm1, 0xaa
289 |   vpermd     ymm0, ymm9, ymm0 
290 |   vmovdqu    YMMWORD PTR [reg_p1+4*r10+64], ymm0
291 |           
292 |   vpermq     ymm8, ymm2, 0xfa   
293 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*r10+96]  // U = a[j]->a[j+3]
294 |   vpmovsxdq  ymm1, XMMWORD PTR [reg_p1+4*r10+112] // a[j+k]->a[j+k+3]
295 |   vpermq     ymm3, ymm0, 0x4e    
296 |   vinserti128 ymm0, ymm0, xmm1, 1                // U
297 |   vpblendd   ymm1, ymm1, ymm3, 15
298 |   vpmuldq    ymm3, ymm1, ymm8                    // a[j+k].S
299 |   vmovdqu    ymm4, ymm3
300 |   vpand      ymm3, ymm14, ymm3                   // c0
301 |   vpsrlq     ymm4, ymm4, 12                      // c1
302 |   vpslld     ymm5, ymm3, 1                       // 2*c0
303 |   vpsubd     ymm4, ymm3, ymm4                    // c0-c1
304 |   vpaddd     ymm4, ymm4, ymm5                    // V = 3*c0-c1     
305 |   vpsubd     ymm1, ymm0, ymm4                    // a[j+k] = U - V
306 |   vpaddd     ymm0, ymm0, ymm4                    // a[j] = U + V 
307 |   vpslldq    ymm1, ymm1, 4    
308 |   vpblendd   ymm0, ymm0, ymm1, 0xaa
309 |   vpermd     ymm0, ymm9, ymm0 
310 |   vmovdqu    YMMWORD PTR [reg_p1+4*r10+96], ymm0
311 |          
312 |   add        r10, r14        // j+32
313 |   add        rdx, r13        // i+8
314 |   cmp        rdx, r9
315 |   jl         loop7
316 | 
317 | // Stage m=512
318 |   vmovdqu    ymm9, PERM00224466
319 |   shl        r9, 1            // m = n/2 
320 |   xor        rdx, rdx         // i = 0
321 |   xor        r10, r10         // j1 = 0
322 |   mov        r14, 4
323 | loop8:
324 |   vpmovsxdq  ymm2, XMMWORD PTR [reg_p2+4*rdx+4*512] // S
325 |   vmovdqu    ymm0, YMMWORD PTR [reg_p1+4*r10]    // U = a[j]
326 |   vmovdqu    ymm1, YMMWORD PTR [reg_p1+4*r10+4]  // a[j+k]
327 |   vpmuldq    ymm3, ymm1, ymm2                    // a[j+k].S
328 |   vmovdqu    ymm4, ymm3
329 |   vpand      ymm3, ymm14, ymm3                   // c0
330 |   vpsrlq     ymm4, ymm4, 12                      // c1
331 |   vpslld     ymm5, ymm3, 1                       // 2*c0
332 |   vpsubd     ymm4, ymm3, ymm4                    // c0-c1
333 |   vpaddd     ymm4, ymm4, ymm5                    // V = 3*c0-c1     
334 |   vpsubd     ymm1, ymm0, ymm4                    // a[j+k] = U - V
335 |   vpaddd     ymm0, ymm0, ymm4                    // a[j] = U + V 
336 |   vpermd     ymm1, ymm9, ymm1 
337 |   vpblendd   ymm0, ymm0, ymm1, 0xaa
338 |   vmovdqu    YMMWORD PTR [reg_p1+4*r10], ymm0
339 |   
340 |   add        r10, r13        // j+8
341 |   add        rdx, r14        // i+4
342 |   cmp        rdx, r9
343 |   jl         loop8
344 | 
345 |   pop        r14
346 |   pop        r13
347 |   pop        r12
348 |   ret
349 | 
350 | 
351 | //***********************************************************************
352 | //  Inverse NTT
353 | //  Operation: a [reg_p1] <- INTT(a) [reg_p1], 
354 | //             [reg_p2] points to table
355 | //             reg_p3 and reg_p4 point to constants for scaling and
356 | //             reg_p5 contains parameter n
357 | //*********************************************************************** 
358 | .global INTT_GS_rev2std_12289_asm
359 | INTT_GS_rev2std_12289_asm:
360 |   push       r12
361 |   push       r13
362 |   push       r14
363 |   push       r15
364 |   push       rbx
365 | 
366 | // Stage m=1024
367 |   vmovdqu    ymm9, PERM00224466
368 |   vmovdqu    ymm14, MASK12x8  
369 |   mov        r12, reg_p5           
370 |   shr        r12, 1          // n/2 = 512
371 |   xor        r15, r15        // i = 0
372 |   xor        r10, r10        // j1 = 0
373 |   mov        r13, 8
374 |   mov        r14, 4
375 | loop1b:
376 |   vmovdqu    ymm1, YMMWORD PTR [reg_p1+4*r10+4]       // V = a[j+k]    
377 |   vmovdqu    ymm0, YMMWORD PTR [reg_p1+4*r10]         // U = a[j]
378 |   vpmovsxdq  ymm2, XMMWORD PTR [reg_p2+4*r15+4*512]   // S
379 |   vpsubd     ymm3, ymm0, ymm1                         // U - V
380 |   vpaddd     ymm0, ymm0, ymm1                         // U + V 
381 |   vpmuldq    ymm3, ymm3, ymm2                         // (U - V).S
382 |   vmovdqu    ymm4, ymm3
383 |   vpand      ymm3, ymm14, ymm3                        // c0
384 |   vpsrlq     ymm4, ymm4, 12                           // c1
385 |   vpslld     ymm5, ymm3, 1                            // 2*c0
386 |   vpsubd     ymm4, ymm3, ymm4                         // c0-c1
387 |   vpaddd     ymm1, ymm4, ymm5                         // 3*c0-c1 
388 |   vpermd     ymm1, ymm9, ymm1 
389 |   vpblendd   ymm0, ymm0, ymm1, 0xaa
390 |   vmovdqu    YMMWORD PTR [reg_p1+4*r10], ymm0
391 | 
392 |   add        r10, r13        // j+8
393 |   add        r15, r14        // i+4
394 |   cmp        r15, r12
395 |   jl         loop1b
396 |   
397 | // Stage m=512 
398 |   vmovdqu    ymm9, PERM02134657
399 |   vmovdqu    ymm13, PERM0145
400 |   vmovdqu    ymm15, PERM2367   
401 |   shr        r12, 1          // n/4 = 256
402 |   xor        r15, r15        // i = 0
403 |   xor        r10, r10        // j1 = 0
404 |   mov        r14, 32
405 | loop2b:
406 |   vpmovsxdq  ymm2, XMMWORD PTR [reg_p2+4*r15+4*256]   // S = psi[m+i]->psi[m+i+3]
407 |   vpermq     ymm8, ymm2, 0x50   
408 |   vmovdqu    ymm0, YMMWORD PTR [reg_p1+4*r10]         // U = a[j]->a[j+7]
409 |   vpermd     ymm1, ymm15, ymm0 
410 |   vpermd     ymm0, ymm13, ymm0  
411 |   vpsubd     ymm3, ymm0, ymm1                         // U - V
412 |   vpaddd     ymm0, ymm0, ymm1                         // U + V 
413 |   vpmuldq    ymm3, ymm3, ymm8                         // (U - V).S
414 |   vmovdqu    ymm4, ymm3
415 |   vpand      ymm3, ymm14, ymm3                        // c0
416 |   vpsrlq     ymm4, ymm4, 12                           // c1
417 |   vpslld     ymm5, ymm3, 1                            // 2*c0
418 |   vpsubd     ymm4, ymm3, ymm4                         // c0-c1
419 |   vpaddd     ymm1, ymm4, ymm5                         // 3*c0-c1
420 |   vpslldq    ymm1, ymm1, 4    
421 |   vpblendd   ymm0, ymm0, ymm1, 0xaa
422 |   vpermd     ymm0, ymm9, ymm0 
423 |   vmovdqu    YMMWORD PTR [reg_p1+4*r10], ymm0
424 |   
425 |   vpermq     ymm8, ymm2, 0xfa   
426 |   vmovdqu    ymm0, YMMWORD PTR [reg_p1+4*r10+32]      // U = a[j]->a[j+7]
427 |   vpermd     ymm1, ymm15, ymm0 
428 |   vpermd     ymm0, ymm13, ymm0  
429 |   vpsubd     ymm3, ymm0, ymm1                         // U - V
430 |   vpaddd     ymm0, ymm0, ymm1                         // U + V 
431 |   vpmuldq    ymm3, ymm3, ymm8                         // (U - V).S
432 |   vmovdqu    ymm4, ymm3
433 |   vpand      ymm3, ymm14, ymm3                        // c0
434 |   vpsrlq     ymm4, ymm4, 12                           // c1
435 |   vpslld     ymm5, ymm3, 1                            // 2*c0
436 |   vpsubd     ymm4, ymm3, ymm4                         // c0-c1
437 |   vpaddd     ymm1, ymm4, ymm5                         // 3*c0-c1
438 |   vpslldq    ymm1, ymm1, 4    
439 |   vpblendd   ymm0, ymm0, ymm1, 0xaa
440 |   vpermd     ymm0, ymm9, ymm0
441 |   vmovdqu    YMMWORD PTR [reg_p1+4*r10+32], ymm0
442 | 
443 |   vpmovsxdq  ymm2, XMMWORD PTR [reg_p2+4*r15+4*256+16]// S = psi[m+i]->psi[m+i+3] 
444 |   vpermq     ymm8, ymm2, 0x50   
445 |   vmovdqu    ymm0, YMMWORD PTR [reg_p1+4*r10+64]      // U = a[j]->a[j+7]
446 |   vpermd     ymm1, ymm15, ymm0 
447 |   vpermd     ymm0, ymm13, ymm0  
448 |   vpsubd     ymm3, ymm0, ymm1                         // U - V
449 |   vpaddd     ymm0, ymm0, ymm1                         // U + V 
450 |   vpmuldq    ymm3, ymm3, ymm8                         // (U - V).S
451 |   vmovdqu    ymm4, ymm3
452 |   vpand      ymm3, ymm14, ymm3                        // c0
453 |   vpsrlq     ymm4, ymm4, 12                           // c1
454 |   vpslld     ymm5, ymm3, 1                            // 2*c0
455 |   vpsubd     ymm4, ymm3, ymm4                         // c0-c1
456 |   vpaddd     ymm1, ymm4, ymm5                         // 3*c0-c1
457 |   vpslldq    ymm1, ymm1, 4    
458 |   vpblendd   ymm0, ymm0, ymm1, 0xaa
459 |   vpermd     ymm0, ymm9, ymm0
460 |   vmovdqu    YMMWORD PTR [reg_p1+4*r10+64], ymm0
461 |          
462 |   vpermq     ymm8, ymm2, 0xfa   
463 |   vmovdqu    ymm0, YMMWORD PTR [reg_p1+4*r10+96]      // U = a[j]->a[j+7]
464 |   vpermd     ymm1, ymm15, ymm0 
465 |   vpermd     ymm0, ymm13, ymm0  
466 |   vpsubd     ymm3, ymm0, ymm1                         // U - V
467 |   vpaddd     ymm0, ymm0, ymm1                         // U + V 
468 |   vpmuldq    ymm3, ymm3, ymm8                         // (U - V).S
469 |   vmovdqu    ymm4, ymm3
470 |   vpand      ymm3, ymm14, ymm3                        // c0
471 |   vpsrlq     ymm4, ymm4, 12                           // c1
472 |   vpslld     ymm5, ymm3, 1                            // 2*c0
473 |   vpsubd     ymm4, ymm3, ymm4                         // c0-c1
474 |   vpaddd     ymm1, ymm4, ymm5                         // 3*c0-c1
475 |   vpslldq    ymm1, ymm1, 4    
476 |   vpblendd   ymm0, ymm0, ymm1, 0xaa
477 |   vpermd     ymm0, ymm9, ymm0
478 |   vmovdqu    YMMWORD PTR [reg_p1+4*r10+96], ymm0
479 |          
480 |   add        r10, r14        // j+32
481 |   add        r15, r13        // i+8
482 |   cmp        r15, r12
483 |   jl         loop2b
484 |      
485 | // Stage m=256 
486 |   vmovdqu    ymm12, PERM0246   
487 |   shr        r12, 1          // n/8 = 128
488 |   xor        r15, r15        // i = 0
489 |   xor        r10, r10        // j1 = 0
490 | loop3b:
491 |   vbroadcastss ymm2, DWORD PTR [reg_p2+4*r15+4*128]   // S
492 |   vpmovsxdq  ymm1, XMMWORD PTR [reg_p1+4*r10+16]      // V = a[j+k]
493 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*r10]         // U = a[j]
494 |   vpsubd     ymm3, ymm0, ymm1                         // U - V
495 |   vpaddd     ymm0, ymm0, ymm1                         // U + V 
496 |   vpmuldq    ymm3, ymm3, ymm2                         // (U - V).S
497 |   vmovdqu    ymm4, ymm3
498 |   vpand      ymm3, ymm14, ymm3                        // c0
499 |   vpsrlq     ymm4, ymm4, 12                           // c1
500 |   vpslld     ymm5, ymm3, 1                            // 2*c0
501 |   vpsubd     ymm4, ymm3, ymm4                         // c0-c1
502 |   vpaddd     ymm1, ymm4, ymm5                         // 3*c0-c1 
503 |   vpermd     ymm0, ymm12, ymm0 
504 |   vpermd     ymm1, ymm12, ymm1 
505 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10], xmm0
506 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+16], xmm1
507 |   
508 |   add        r10, r13        // j+8
509 |   inc        r15             // i+1
510 |   cmp        r15, r12
511 |   jl         loop3b
512 |      
513 | // Stage m=128
514 |   shr        r12, 1          // n/16 = 64
515 |   xor        r15, r15        // i = 0
516 |   xor        r10, r10        // j1 = 0
517 |   mov        r14, 16 
518 | loop4b:
519 |   vbroadcastss ymm11, DWORD PTR [reg_p2+4*r15+4*64]   // S
520 |   vpmovsxdq  ymm13, XMMWORD PTR [reg_p1+4*r10+32]     // V = a[j+k]
521 |   vpmovsxdq  ymm15, XMMWORD PTR [reg_p1+4*r10+48]     // V = a[j+k]
522 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*r10]         // U = a[j]
523 |   vpmovsxdq  ymm2, XMMWORD PTR [reg_p1+4*r10+16]      // U = a[j]
524 |   vpsubd     ymm1, ymm0, ymm13                        // U - V
525 |   vpaddd     ymm0, ymm0, ymm13                        // U + V 
526 |   vpsubd     ymm3, ymm2, ymm15                        // U - V
527 |   vpaddd     ymm2, ymm2, ymm15                        // U + V   
528 |   vpmuldq    ymm1, ymm1, ymm11                        // (U - V).S
529 |   vpmuldq    ymm3, ymm3, ymm11                        // (U - V).S
530 |   
531 |   vmovdqu    ymm13, ymm1
532 |   vpand      ymm1, ymm14, ymm1                        // c0
533 |   vpsrlq     ymm13, ymm13, 12                         // c1
534 |   vpslld     ymm15, ymm1, 1                           // 2*c0
535 |   vpsubd     ymm13, ymm1, ymm13                       // c0-c1
536 |   vpaddd     ymm1, ymm13, ymm15                       // 3*c0-c1    
537 | 
538 |   vmovdqu    ymm13, ymm3
539 |   vpand      ymm3, ymm14, ymm3                        // c0
540 |   vpsrlq     ymm13, ymm13, 12                         // c1
541 |   vpslld     ymm15, ymm3, 1                           // 2*c0
542 |   vpsubd     ymm13, ymm3, ymm13                       // c0-c1
543 |   vpaddd     ymm3, ymm13, ymm15                       // 3*c0-c1 
544 |   
545 |   vpermd     ymm0, ymm12, ymm0 
546 |   vpermd     ymm1, ymm12, ymm1 
547 |   vpermd     ymm2, ymm12, ymm2 
548 |   vpermd     ymm3, ymm12, ymm3 
549 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10], xmm0
550 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+32], xmm1
551 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+16], xmm2
552 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+48], xmm3
553 |   
554 |   add        r10, r14        // j+16 
555 |   inc        r15             // i+1
556 |   cmp        r15, r12
557 |   jl         loop4b
558 |   
559 | // Stages m=64 -> m=4  
560 |   mov        r9, 5            // 5 iterations
561 |   mov        rax, 8 
562 | loop5b:
563 |   shl        rax, 1          // k = 2*k
564 |   shr        r12, 1          // m/2
565 |   xor        r15, r15        // i = 0
566 |   xor        r8, r8        
567 | loop6b:
568 |   mov        r10, r8         // Load j1
569 |   mov        r11, rax
570 |   dec        r11
571 |   add        r11, r10        // j2
572 |   mov        r13, r12
573 |   add        r13, r15        // m/2+i
574 |   vbroadcastss ymm9, DWORD PTR [reg_p2+4*r13]         // S
575 |   mov        rbx, 4
576 | 
577 | loop7b:
578 |   mov        r13, r10
579 |   add        r13, rax         // j+k
580 |   vpmovsxdq  ymm10, XMMWORD PTR [reg_p1+4*r13]        // V = a[j+k]
581 |   vpmovsxdq  ymm11, XMMWORD PTR [reg_p1+4*r13+16]     // V = a[j+k]
582 |   vpmovsxdq  ymm13, XMMWORD PTR [reg_p1+4*r13+32]     // V = a[j+k]
583 |   vpmovsxdq  ymm15, XMMWORD PTR [reg_p1+4*r13+48]     // V = a[j+k]
584 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*r10]         // U = a[j]
585 |   vpmovsxdq  ymm2, XMMWORD PTR [reg_p1+4*r10+16]      // U = a[j]
586 |   vpmovsxdq  ymm4, XMMWORD PTR [reg_p1+4*r10+32]      // U = a[j]
587 |   vpmovsxdq  ymm6, XMMWORD PTR [reg_p1+4*r10+48]      // U = a[j]
588 |   
589 |   vpsubd     ymm1, ymm0, ymm10                        // U - V
590 |   vpaddd     ymm0, ymm0, ymm10                        // U + V 
591 |   vpsubd     ymm3, ymm2, ymm11                        // U - V
592 |   vpaddd     ymm2, ymm2, ymm11                        // U + V 
593 |   vpsubd     ymm5, ymm4, ymm13                        // U - V
594 |   vpaddd     ymm4, ymm4, ymm13                        // U + V 
595 |   vpsubd     ymm7, ymm6, ymm15                        // U - V
596 |   vpaddd     ymm6, ymm6, ymm15                        // U + V 
597 | 
598 |   vpmuldq    ymm1, ymm1, ymm9                         // (U - V).S
599 |   vpmuldq    ymm3, ymm3, ymm9                   
600 |   vpmuldq    ymm5, ymm5, ymm9                   
601 |   vpmuldq    ymm7, ymm7, ymm9   
602 |   
603 |   vmovdqu    ymm13, ymm1
604 |   vpand      ymm1, ymm14, ymm1                        // c0
605 |   vpsrlq     ymm13, ymm13, 12                         // c1
606 |   vpslld     ymm15, ymm1, 1                           // 2*c0
607 |   vpsubd     ymm13, ymm1, ymm13                       // c0-c1
608 |   vpaddd     ymm1, ymm13, ymm15                       // 3*c0-c1 
609 | 
610 |   cmp        r9, rbx 
611 |   jne        skip1
612 |   vmovdqu    ymm13, ymm0
613 |   vpand      ymm0, ymm14, ymm0                        // c0
614 |   vpsrad     ymm13, ymm13, 12                         // c1       
615 |   vpslld     ymm15, ymm0, 1                           // 2*c0
616 |   vpsubd     ymm13, ymm0, ymm13                       // c0-c1
617 |   vpaddd     ymm0, ymm13, ymm15                       // 3*c0-c1
618 | 
619 |   vmovdqu    ymm13, ymm1
620 |   vpand      ymm1, ymm14, ymm1                        // c0
621 |   vpsrad     ymm13, ymm13, 12                         // c1
622 |   vpslld     ymm15, ymm1, 1                           // 2*c0
623 |   vpsubd     ymm13, ymm1, ymm13                       // c0-c1
624 |   vpaddd     ymm1, ymm13, ymm15                       // 3*c0-c1
625 | skip1:
626 |   vpermd     ymm1, ymm12, ymm1 
627 |   vpermd     ymm0, ymm12, ymm0 
628 | 
629 |   vmovdqu    ymm13, ymm3
630 |   vpand      ymm3, ymm14, ymm3                        // c0
631 |   vpsrlq     ymm13, ymm13, 12                         // c1
632 |   vpslld     ymm15, ymm3, 1                           // 2*c0
633 |   vpsubd     ymm13, ymm3, ymm13                       // c0-c1
634 |   vpaddd     ymm3, ymm13, ymm15                       // 3*c0-c1 
635 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10], xmm0
636 |   vmovdqu    XMMWORD PTR [reg_p1+4*r13], xmm1 
637 | 
638 |   cmp        r9, rbx 
639 |   jne        skip2
640 |   vmovdqu    ymm13, ymm2
641 |   vpand      ymm2, ymm14, ymm2                        // c0
642 |   vpsrad     ymm13, ymm13, 12                         // c1       
643 |   vpslld     ymm15, ymm2, 1                           // 2*c0
644 |   vpsubd     ymm13, ymm2, ymm13                       // c0-c1
645 |   vpaddd     ymm2, ymm13, ymm15                       // 3*c0-c1
646 | 
647 |   vmovdqu    ymm13, ymm3
648 |   vpand      ymm3, ymm14, ymm3                        // c0
649 |   vpsrad     ymm13, ymm13, 12                         // c1
650 |   vpslld     ymm15, ymm3, 1                           // 2*c0
651 |   vpsubd     ymm13, ymm3, ymm13                       // c0-c1
652 |   vpaddd     ymm3, ymm13, ymm15                       // 3*c0-c1
653 | skip2:
654 |   vpermd     ymm3, ymm12, ymm3 
655 |   vpermd     ymm2, ymm12, ymm2 
656 | 
657 |   vmovdqu    ymm13, ymm5
658 |   vpand      ymm5, ymm14, ymm5                        // c0
659 |   vpsrlq     ymm13, ymm13, 12                         // c1
660 |   vpslld     ymm15, ymm5, 1                           // 2*c0
661 |   vpsubd     ymm13, ymm5, ymm13                       // c0-c1
662 |   vpaddd     ymm5, ymm13, ymm15                       // 3*c0-c1 
663 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+16], xmm2
664 |   vmovdqu    XMMWORD PTR [reg_p1+4*r13+16], xmm3 
665 | 
666 |   cmp        r9, rbx 
667 |   jne        skip3
668 |   vmovdqu    ymm13, ymm4
669 |   vpand      ymm4, ymm14, ymm4                        // c0
670 |   vpsrad     ymm13, ymm13, 12                         // c1       
671 |   vpslld     ymm15, ymm4, 1                           // 2*c0
672 |   vpsubd     ymm13, ymm4, ymm13                       // c0-c1
673 |   vpaddd     ymm4, ymm13, ymm15                       // 3*c0-c1
674 | 
675 |   vmovdqu    ymm13, ymm5
676 |   vpand      ymm5, ymm14, ymm5                        // c0
677 |   vpsrad     ymm13, ymm13, 12                         // c1
678 |   vpslld     ymm15, ymm5, 1                           // 2*c0
679 |   vpsubd     ymm13, ymm5, ymm13                       // c0-c1
680 |   vpaddd     ymm5, ymm13, ymm15                       // 3*c0-c1
681 | skip3:
682 |   vpermd     ymm5, ymm12, ymm5 
683 |   vpermd     ymm4, ymm12, ymm4 
684 | 
685 |   vmovdqu    ymm13, ymm7
686 |   vpand      ymm7, ymm14, ymm7                        // c0
687 |   vpsrlq     ymm13, ymm13, 12                         // c1
688 |   vpslld     ymm15, ymm7, 1                           // 2*c0
689 |   vpsubd     ymm13, ymm7, ymm13                       // c0-c1
690 |   vpaddd     ymm7, ymm13, ymm15                       // 3*c0-c1 
691 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+32], xmm4
692 |   vmovdqu    XMMWORD PTR [reg_p1+4*r13+32], xmm5  
693 | 
694 |   cmp        r9, rbx 
695 |   jne        skip4
696 |   vmovdqu    ymm13, ymm6
697 |   vpand      ymm6, ymm14, ymm6                        // c0
698 |   vpsrad     ymm13, ymm13, 12                         // c1       
699 |   vpslld     ymm15, ymm6, 1                           // 2*c0
700 |   vpsubd     ymm13, ymm6, ymm13                       // c0-c1
701 |   vpaddd     ymm6, ymm13, ymm15                       // 3*c0-c1
702 | 
703 |   vmovdqu    ymm13, ymm7
704 |   vpand      ymm7, ymm14, ymm7                        // c0
705 |   vpsrad     ymm13, ymm13, 12                         // c1
706 |   vpslld     ymm15, ymm7, 1                           // 2*c0
707 |   vpsubd     ymm13, ymm7, ymm13                       // c0-c1
708 |   vpaddd     ymm7, ymm13, ymm15                       // 3*c0-c1
709 | skip4:
710 |   vpermd     ymm7, ymm12, ymm7 
711 |   vpermd     ymm6, ymm12, ymm6   
712 |   vmovdqu    XMMWORD PTR [reg_p1+4*r13+48], xmm7
713 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+48], xmm6
714 |   
715 |   add        r10, r14
716 |   cmp        r10, r11
717 |   jl         loop7b
718 |   mov        rbx, rax
719 |   shl        rbx, 1          // 2*k
720 |   add        r8, rbx         // j1+2*k
721 |   inc        r15
722 |   cmp        r15, r12
723 |   jl         loop6b
724 |   dec        r9
725 |   jnz        loop5b
726 |        
727 | // Scaling step
728 |   shl        rax, 1          // k = 2*k = 512
729 |   xor        r10, r10        // j = 0
730 |   mov        r14, 4 
731 |   movq       xmm0, reg_p3
732 |   vbroadcastsd ymm10, xmm0                            // S = omegainv1N_rev
733 |   movq       xmm0, reg_p4
734 |   vbroadcastsd ymm11, xmm0                            // T = Ninv
735 | loop8b:
736 |   vpmovsxdq  ymm13, XMMWORD PTR [reg_p1+4*r10+4*512]  // V = a[j+k]
737 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*r10]         // U = a[j]
738 |   vpsubd     ymm1, ymm0, ymm13                        // U - V
739 |   vpaddd     ymm0, ymm0, ymm13                        // U + V  
740 |   vpmuldq    ymm1, ymm1, ymm10                        // (U - V).S
741 |   vpmuldq    ymm0, ymm0, ymm11                        // (U + V).T
742 |   
743 |   vmovdqu    ymm13, ymm0
744 |   vpand      ymm0, ymm14, ymm0                        // c0
745 |   vpsrlq     ymm13, ymm13, 12                         // c1
746 |   vpslld     ymm15, ymm0, 1                           // 2*c0
747 |   vpsubd     ymm13, ymm0, ymm13                       // c0-c1
748 |   vpaddd     ymm0, ymm13, ymm15                       // 3*c0-c1    
749 | 
750 |   vmovdqu    ymm13, ymm1
751 |   vpand      ymm1, ymm14, ymm1                        // c0
752 |   vpsrlq     ymm13, ymm13, 12                         // c1
753 |   vpslld     ymm15, ymm1, 1                           // 2*c0
754 |   vpsubd     ymm13, ymm1, ymm13                       // c0-c1
755 |   vpaddd     ymm1, ymm13, ymm15                       // 3*c0-c1 
756 |   
757 |   vpermd     ymm0, ymm12, ymm0 
758 |   vpermd     ymm1, ymm12, ymm1 
759 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10], xmm0
760 |   vmovdqu    XMMWORD PTR [reg_p1+4*r10+4*512], xmm1
761 |   
762 |   add        r10, r14        // j+4 
763 |   cmp        r10, rax
764 |   jl         loop8b  
765 | loop9b:
766 |   pop        rbx
767 |   pop        r15
768 |   pop        r14
769 |   pop        r13
770 |   pop        r12
771 |   ret
772 | 
773 | 
774 | //***********************************************************************
775 | //  Component-wise multiplication and addition
776 | //  Operation: d [reg_p4] <- a [reg_p1] * b [reg_p2] + c [reg_p3]
777 | //             reg_p5 contains parameter n
778 | //*********************************************************************** 
779 | .global pmuladd_asm
780 | pmuladd_asm:
781 |   vmovdqu    ymm5, PERM0246
782 |   vmovdqu    ymm6, MASK12x8 
783 |   xor        rax, rax
784 |   movq       r11, 4
785 | lazo2:
786 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*rax]   // a
787 |   vpmovsxdq  ymm1, XMMWORD PTR [reg_p2+4*rax]   // b
788 |   vpmovsxdq  ymm2, XMMWORD PTR [reg_p3+4*rax]   // c
789 |   vpmuldq    ymm0, ymm1, ymm0 
790 |   vpaddq     ymm0, ymm2, ymm0                    
791 | 
792 |   vmovdqu    ymm3, ymm0
793 |   vpand      ymm0, ymm6, ymm0                   // c0
794 |   vpsrlq     ymm3, ymm3, 12                     // c1
795 |   vpslld     ymm4, ymm0, 1                      // 2*c0
796 |   vpsubd     ymm3, ymm0, ymm3                   // c0-c1
797 |   vpaddd     ymm0, ymm3, ymm4                   // 3*c0-c1 
798 | 
799 |   vmovdqu    ymm3, ymm0
800 |   vpand      ymm0, ymm6, ymm0                   // c0
801 |   vpsrad     ymm3, ymm3, 12                     // c1       
802 |   vpslld     ymm4, ymm0, 1                      // 2*c0
803 |   vpsubd     ymm3, ymm0, ymm3                   // c0-c1
804 |   vpaddd     ymm0, ymm3, ymm4                   // 3*c0-c1
805 | 
806 |   vpermd     ymm0, ymm5, ymm0 
807 |   vmovdqu    XMMWORD PTR [reg_p4+4*rax], xmm0
808 | 
809 |   add        rax, r11                           // j+4
810 |   cmp        rax, reg_p5
811 |   jl         lazo2
812 |   ret
813 | 
814 | 
815 | //***********************************************************************
816 | //  Component-wise multiplication
817 | //  Operation: c [reg_p3] <- a [reg_p1] * b [reg_p2]
818 | //             reg_p4 contains parameter n
819 | //*********************************************************************** 
820 | .global pmul_asm
821 | pmul_asm: 
822 |   vmovdqu    ymm5, PERM0246
823 |   vmovdqu    ymm6, MASK12x8 
824 |   xor        rax, rax
825 |   movq       r11, 4
826 | lazo3:
827 |   vpmovsxdq  ymm0, XMMWORD PTR [reg_p1+4*rax]   // a
828 |   vpmovsxdq  ymm1, XMMWORD PTR [reg_p2+4*rax]   // b
829 |   vpmuldq    ymm0, ymm1, ymm0                    
830 | 
831 |   vmovdqu    ymm3, ymm0
832 |   vpand      ymm0, ymm6, ymm0                   // c0
833 |   vpsrlq     ymm3, ymm3, 12                     // c1
834 |   vpslld     ymm4, ymm0, 1                      // 2*c0
835 |   vpsubd     ymm3, ymm0, ymm3                   // c0-c1
836 |   vpaddd     ymm0, ymm3, ymm4                   // 3*c0-c1 
837 | 
838 |   vmovdqu    ymm3, ymm0
839 |   vpand      ymm0, ymm6, ymm0                   // c0
840 |   vpsrad     ymm3, ymm3, 12                     // c1       
841 |   vpslld     ymm4, ymm0, 1                      // 2*c0
842 |   vpsubd     ymm3, ymm0, ymm3                   // c0-c1
843 |   vpaddd     ymm0, ymm3, ymm4                   // 3*c0-c1
844 | 
845 |   vpermd     ymm0, ymm5, ymm0 
846 |   vmovdqu    XMMWORD PTR [reg_p3+4*rax], xmm0
847 | 
848 |   add        rax, r11                           // j+4
849 |   cmp        rax, reg_p4
850 |   jl         lazo3
851 |   ret
852 | 
853 | 
854 | //***********************************************************************
855 | //  Two consecutive reductions
856 | //  Operation: c [reg_p1] <- a [reg_p1]
857 | //             reg_p2 contains parameter n
858 | //*********************************************************************** 
859 | .global two_reduce12289_asm
860 | two_reduce12289_asm: 
861 |   vmovdqu    ymm6, MASK12x8 
862 |   vmovdqu    ymm7, PRIME8x
863 |   xor        rax, rax
864 |   movq       r11, 8
865 | lazo4:
866 |   vmovdqu    ymm0, YMMWORD PTR [reg_p1+4*rax]   // a
867 | 
868 |   vmovdqu    ymm3, ymm0
869 |   vpand      ymm0, ymm6, ymm0                   // c0
870 |   vpsrad     ymm3, ymm3, 12                     // c1
871 |   vpslld     ymm4, ymm0, 1                      // 2*c0
872 |   vpsubd     ymm3, ymm0, ymm3                   // c0-c1
873 |   vpaddd     ymm0, ymm3, ymm4                   // 3*c0-c1 
874 | 
875 |   vmovdqu    ymm3, ymm0
876 |   vpand      ymm0, ymm6, ymm0                   // c0
877 |   vpsrad     ymm3, ymm3, 12                     // c1       
878 |   vpslld     ymm4, ymm0, 1                      // 2*c0
879 |   vpsubd     ymm3, ymm0, ymm3                   // c0-c1
880 |   vpaddd     ymm0, ymm3, ymm4                   // 3*c0-c1
881 | 
882 |   vpsrad     ymm2, ymm0, 31
883 |   vpand      ymm2, ymm7, ymm2
884 |   vpaddd     ymm2, ymm0, ymm2
885 |   vpsubd     ymm0, ymm2, ymm7
886 | 
887 |   vpsrad     ymm2, ymm0, 31
888 |   vpand      ymm2, ymm7, ymm2
889 |   vpaddd     ymm0, ymm0, ymm2
890 | 
891 |   vmovdqu    YMMWORD PTR [reg_p1+4*rax], ymm0
892 | 
893 |   add        rax, r11                           // j+8
894 |   cmp        rax, reg_p2
895 |   jl         lazo4
896 |   ret
897 | 
898 | 
899 | //***********************************************************************
900 | //  Encoding
901 | //  Operation: c [reg_p2] <- a [reg_p1]
902 | //*********************************************************************** 
903 | .global encode_asm
904 | encode_asm: 
905 |   vmovdqu    ymm6, MASK32 
906 |   vmovdqu    ymm7, MASK42
907 |   mov        r9, 1024
908 |   xor        rax, rax
909 |   xor        r10, r10
910 |   mov        r11, 14
911 |   mov        rcx, 8
912 | lazo5:
913 |   vmovdqu    ymm0, YMMWORD PTR [reg_p1+4*rax]   // a
914 | 
915 |   vpsrlq     ymm1, ymm0, 18  
916 |   vpsllq     ymm2, ymm0, 4
917 |   vpand      ymm0, ymm0, ymm6
918 |   vpsrldq    ymm2, ymm2, 5   
919 |   vpsrlq     ymm3, ymm1, 4
920 |   vpand      ymm1, ymm1, ymm6
921 |   vpand      ymm2, ymm2, ymm7
922 |   vpsrldq    ymm3, ymm3, 4 
923 |   vpor       ymm0, ymm0, ymm1
924 |   vpor       ymm0, ymm0, ymm2 
925 |   vpor       ymm0, ymm0, ymm3 
926 |   vpermq     ymm1, ymm0, 0x0e   
927 | 
928 |   vmovdqu    XMMWORD PTR [reg_p2+r10], xmm0
929 |   vmovdqu    XMMWORD PTR [reg_p2+r10+7], xmm1
930 | 
931 |   add        r10, r11
932 |   add        rax, rcx        // j+8
933 |   cmp        rax, r9
934 |   jl         lazo5
935 |   ret
936 | 
937 | 
938 | //***********************************************************************
939 | //  Decoding
940 | //  Operation: c [reg_p2] <- a [reg_p1]
941 | //*********************************************************************** 
942 | .global decode_asm
943 | decode_asm: 
944 |   vmovdqu    ymm6, MASK14_1 
945 |   vmovdqu    ymm7, MASK14_2
946 |   vmovdqu    ymm8, MASK14_3
947 |   vmovdqu    ymm9, MASK14_4
948 |   mov        r9, 1024
949 |   xor        rax, rax
950 |   xor        r10, r10
951 |   mov        r11, 14
952 |   mov        rcx, 8
953 | lazo6:
954 |   vmovdqu    xmm0, XMMWORD PTR [reg_p1+r10]
955 |   vmovdqu    xmm1, XMMWORD PTR [reg_p1+r10+7]
956 |   vinserti128 ymm0, ymm0, xmm1, 1               
957 | 
958 |   vpand      ymm1, ymm0, ymm6
959 |   vpand      ymm2, ymm0, ymm7
960 |   vpand      ymm3, ymm0, ymm8
961 |   vpand      ymm4, ymm0, ymm9
962 |    
963 |   vpsllq     ymm2, ymm2, 18 
964 |   vpsllq     ymm3, ymm3, 4
965 |   vpslldq    ymm3, ymm3, 4 
966 |   vpsrlq     ymm4, ymm4, 2
967 |   vpslldq    ymm4, ymm4, 7
968 | 
969 |   vpor       ymm1, ymm1, ymm2 
970 |   vpor       ymm1, ymm1, ymm3 
971 |   vpor       ymm1, ymm1, ymm4 
972 |   
973 |   vmovdqu    YMMWORD PTR [reg_p2+4*rax], ymm1   
974 | 
975 |   add        r10, r11
976 |   add        rax, rcx            // j+8
977 |   cmp        rax, r9
978 |   jl         lazo6
979 |   ret


--------------------------------------------------------------------------------