1 /* $OpenBSD: sntrup761.c,v 1.8 2024/09/16 05:37:05 djm Exp $ */
2
3 /*
4 * Public Domain, Authors:
5 * - Daniel J. Bernstein
6 * - Chitchanok Chuengsatiansup
7 * - Tanja Lange
8 * - Christine van Vredendaal
9 */
10
11 #include <string.h>
12 #include "crypto_api.h"
13
14 #define crypto_declassify(x, y) do {} while (0)
15
16 #define int8 crypto_int8
17 #define uint8 crypto_uint8
18 #define int16 crypto_int16
19 #define uint16 crypto_uint16
20 #define int32 crypto_int32
21 #define uint32 crypto_uint32
22 #define int64 crypto_int64
23 #define uint64 crypto_uint64
24 extern volatile crypto_int16 crypto_int16_optblocker;
25 extern volatile crypto_int32 crypto_int32_optblocker;
26 extern volatile crypto_int64 crypto_int64_optblocker;
27
28 /* from supercop-20240808/cryptoint/crypto_int16.h */
29 /* auto-generated: cd cryptoint; ./autogen */
30 /* cryptoint 20240806 */
31
32 #ifndef crypto_int16_h
33 #define crypto_int16_h
34
35 #define crypto_int16 int16_t
36 #define crypto_int16_unsigned uint16_t
37
38
39
40 __attribute__((unused))
41 static inline
crypto_int16_load(const unsigned char * crypto_int16_s)42 crypto_int16 crypto_int16_load(const unsigned char *crypto_int16_s) {
43 crypto_int16 crypto_int16_z = 0;
44 crypto_int16_z |= ((crypto_int16) (*crypto_int16_s++)) << 0;
45 crypto_int16_z |= ((crypto_int16) (*crypto_int16_s++)) << 8;
46 return crypto_int16_z;
47 }
48
49 __attribute__((unused))
50 static inline
crypto_int16_store(unsigned char * crypto_int16_s,crypto_int16 crypto_int16_x)51 void crypto_int16_store(unsigned char *crypto_int16_s,crypto_int16 crypto_int16_x) {
52 *crypto_int16_s++ = crypto_int16_x >> 0;
53 *crypto_int16_s++ = crypto_int16_x >> 8;
54 }
55
56 __attribute__((unused))
57 static inline
crypto_int16_negative_mask(crypto_int16 crypto_int16_x)58 crypto_int16 crypto_int16_negative_mask(crypto_int16 crypto_int16_x) {
59 #if defined(__GNUC__) && defined(__x86_64__)
60 __asm__ ("sarw $15,%0" : "+r"(crypto_int16_x) : : "cc");
61 return crypto_int16_x;
62 #elif defined(__GNUC__) && defined(__aarch64__)
63 crypto_int16 crypto_int16_y;
64 __asm__ ("sbfx %w0,%w1,15,1" : "=r"(crypto_int16_y) : "r"(crypto_int16_x) : );
65 return crypto_int16_y;
66 #else
67 crypto_int16_x >>= 16-6;
68 crypto_int16_x ^= crypto_int16_optblocker;
69 crypto_int16_x >>= 5;
70 return crypto_int16_x;
71 #endif
72 }
73
74 __attribute__((unused))
75 static inline
crypto_int16_unsigned_topbit_01(crypto_int16_unsigned crypto_int16_x)76 crypto_int16_unsigned crypto_int16_unsigned_topbit_01(crypto_int16_unsigned crypto_int16_x) {
77 #if defined(__GNUC__) && defined(__x86_64__)
78 __asm__ ("shrw $15,%0" : "+r"(crypto_int16_x) : : "cc");
79 return crypto_int16_x;
80 #elif defined(__GNUC__) && defined(__aarch64__)
81 crypto_int16 crypto_int16_y;
82 __asm__ ("ubfx %w0,%w1,15,1" : "=r"(crypto_int16_y) : "r"(crypto_int16_x) : );
83 return crypto_int16_y;
84 #else
85 crypto_int16_x >>= 16-6;
86 crypto_int16_x ^= crypto_int16_optblocker;
87 crypto_int16_x >>= 5;
88 return crypto_int16_x;
89 #endif
90 }
91
92 __attribute__((unused))
93 static inline
crypto_int16_negative_01(crypto_int16 crypto_int16_x)94 crypto_int16 crypto_int16_negative_01(crypto_int16 crypto_int16_x) {
95 return crypto_int16_unsigned_topbit_01(crypto_int16_x);
96 }
97
98 __attribute__((unused))
99 static inline
crypto_int16_topbit_mask(crypto_int16 crypto_int16_x)100 crypto_int16 crypto_int16_topbit_mask(crypto_int16 crypto_int16_x) {
101 return crypto_int16_negative_mask(crypto_int16_x);
102 }
103
104 __attribute__((unused))
105 static inline
crypto_int16_topbit_01(crypto_int16 crypto_int16_x)106 crypto_int16 crypto_int16_topbit_01(crypto_int16 crypto_int16_x) {
107 return crypto_int16_unsigned_topbit_01(crypto_int16_x);
108 }
109
110 __attribute__((unused))
111 static inline
crypto_int16_bottombit_mask(crypto_int16 crypto_int16_x)112 crypto_int16 crypto_int16_bottombit_mask(crypto_int16 crypto_int16_x) {
113 #if defined(__GNUC__) && defined(__x86_64__)
114 __asm__ ("andw $1,%0" : "+r"(crypto_int16_x) : : "cc");
115 return -crypto_int16_x;
116 #elif defined(__GNUC__) && defined(__aarch64__)
117 crypto_int16 crypto_int16_y;
118 __asm__ ("sbfx %w0,%w1,0,1" : "=r"(crypto_int16_y) : "r"(crypto_int16_x) : );
119 return crypto_int16_y;
120 #else
121 crypto_int16_x &= 1 ^ crypto_int16_optblocker;
122 return -crypto_int16_x;
123 #endif
124 }
125
126 __attribute__((unused))
127 static inline
crypto_int16_bottombit_01(crypto_int16 crypto_int16_x)128 crypto_int16 crypto_int16_bottombit_01(crypto_int16 crypto_int16_x) {
129 #if defined(__GNUC__) && defined(__x86_64__)
130 __asm__ ("andw $1,%0" : "+r"(crypto_int16_x) : : "cc");
131 return crypto_int16_x;
132 #elif defined(__GNUC__) && defined(__aarch64__)
133 crypto_int16 crypto_int16_y;
134 __asm__ ("ubfx %w0,%w1,0,1" : "=r"(crypto_int16_y) : "r"(crypto_int16_x) : );
135 return crypto_int16_y;
136 #else
137 crypto_int16_x &= 1 ^ crypto_int16_optblocker;
138 return crypto_int16_x;
139 #endif
140 }
141
142 __attribute__((unused))
143 static inline
crypto_int16_bitinrangepublicpos_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s)144 crypto_int16 crypto_int16_bitinrangepublicpos_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) {
145 #if defined(__GNUC__) && defined(__x86_64__)
146 __asm__ ("sarw %%cl,%0" : "+r"(crypto_int16_x) : "c"(crypto_int16_s) : "cc");
147 #elif defined(__GNUC__) && defined(__aarch64__)
148 __asm__ ("sxth %w0,%w0\n asr %w0,%w0,%w1" : "+&r"(crypto_int16_x) : "r"(crypto_int16_s) : );
149 #else
150 crypto_int16_x >>= crypto_int16_s ^ crypto_int16_optblocker;
151 #endif
152 return crypto_int16_bottombit_mask(crypto_int16_x);
153 }
154
155 __attribute__((unused))
156 static inline
crypto_int16_bitinrangepublicpos_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s)157 crypto_int16 crypto_int16_bitinrangepublicpos_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) {
158 #if defined(__GNUC__) && defined(__x86_64__)
159 __asm__ ("sarw %%cl,%0" : "+r"(crypto_int16_x) : "c"(crypto_int16_s) : "cc");
160 #elif defined(__GNUC__) && defined(__aarch64__)
161 __asm__ ("sxth %w0,%w0\n asr %w0,%w0,%w1" : "+&r"(crypto_int16_x) : "r"(crypto_int16_s) : );
162 #else
163 crypto_int16_x >>= crypto_int16_s ^ crypto_int16_optblocker;
164 #endif
165 return crypto_int16_bottombit_01(crypto_int16_x);
166 }
167
168 __attribute__((unused))
169 static inline
crypto_int16_shlmod(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s)170 crypto_int16 crypto_int16_shlmod(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) {
171 #if defined(__GNUC__) && defined(__x86_64__)
172 crypto_int16_s &= 15;
173 __asm__ ("shlw %%cl,%0" : "+r"(crypto_int16_x) : "c"(crypto_int16_s) : "cc");
174 #elif defined(__GNUC__) && defined(__aarch64__)
175 __asm__ ("and %w0,%w0,15\n and %w1,%w1,65535\n lsl %w1,%w1,%w0" : "+&r"(crypto_int16_s), "+r"(crypto_int16_x) : : );
176 #else
177 int crypto_int16_k, crypto_int16_l;
178 for (crypto_int16_l = 0,crypto_int16_k = 1;crypto_int16_k < 16;++crypto_int16_l,crypto_int16_k *= 2)
179 crypto_int16_x ^= (crypto_int16_x ^ (crypto_int16_x << crypto_int16_k)) & crypto_int16_bitinrangepublicpos_mask(crypto_int16_s,crypto_int16_l);
180 #endif
181 return crypto_int16_x;
182 }
183
184 __attribute__((unused))
185 static inline
crypto_int16_shrmod(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s)186 crypto_int16 crypto_int16_shrmod(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) {
187 #if defined(__GNUC__) && defined(__x86_64__)
188 crypto_int16_s &= 15;
189 __asm__ ("sarw %%cl,%0" : "+r"(crypto_int16_x) : "c"(crypto_int16_s) : "cc");
190 #elif defined(__GNUC__) && defined(__aarch64__)
191 __asm__ ("and %w0,%w0,15\n sxth %w1,%w1\n asr %w1,%w1,%w0" : "+&r"(crypto_int16_s), "+r"(crypto_int16_x) : : );
192 #else
193 int crypto_int16_k, crypto_int16_l;
194 for (crypto_int16_l = 0,crypto_int16_k = 1;crypto_int16_k < 16;++crypto_int16_l,crypto_int16_k *= 2)
195 crypto_int16_x ^= (crypto_int16_x ^ (crypto_int16_x >> crypto_int16_k)) & crypto_int16_bitinrangepublicpos_mask(crypto_int16_s,crypto_int16_l);
196 #endif
197 return crypto_int16_x;
198 }
199
200 __attribute__((unused))
201 static inline
crypto_int16_bitmod_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s)202 crypto_int16 crypto_int16_bitmod_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) {
203 crypto_int16_x = crypto_int16_shrmod(crypto_int16_x,crypto_int16_s);
204 return crypto_int16_bottombit_mask(crypto_int16_x);
205 }
206
207 __attribute__((unused))
208 static inline
crypto_int16_bitmod_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s)209 crypto_int16 crypto_int16_bitmod_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) {
210 crypto_int16_x = crypto_int16_shrmod(crypto_int16_x,crypto_int16_s);
211 return crypto_int16_bottombit_01(crypto_int16_x);
212 }
213
214 __attribute__((unused))
215 static inline
crypto_int16_nonzero_mask(crypto_int16 crypto_int16_x)216 crypto_int16 crypto_int16_nonzero_mask(crypto_int16 crypto_int16_x) {
217 #if defined(__GNUC__) && defined(__x86_64__)
218 crypto_int16 crypto_int16_q,crypto_int16_z;
219 __asm__ ("xorw %0,%0\n movw $-1,%1\n testw %2,%2\n cmovnew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc");
220 return crypto_int16_z;
221 #elif defined(__GNUC__) && defined(__aarch64__)
222 crypto_int16 crypto_int16_z;
223 __asm__ ("tst %w1,65535\n csetm %w0,ne" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc");
224 return crypto_int16_z;
225 #else
226 crypto_int16_x |= -crypto_int16_x;
227 return crypto_int16_negative_mask(crypto_int16_x);
228 #endif
229 }
230
231 __attribute__((unused))
232 static inline
crypto_int16_nonzero_01(crypto_int16 crypto_int16_x)233 crypto_int16 crypto_int16_nonzero_01(crypto_int16 crypto_int16_x) {
234 #if defined(__GNUC__) && defined(__x86_64__)
235 crypto_int16 crypto_int16_q,crypto_int16_z;
236 __asm__ ("xorw %0,%0\n movw $1,%1\n testw %2,%2\n cmovnew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc");
237 return crypto_int16_z;
238 #elif defined(__GNUC__) && defined(__aarch64__)
239 crypto_int16 crypto_int16_z;
240 __asm__ ("tst %w1,65535\n cset %w0,ne" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc");
241 return crypto_int16_z;
242 #else
243 crypto_int16_x |= -crypto_int16_x;
244 return crypto_int16_unsigned_topbit_01(crypto_int16_x);
245 #endif
246 }
247
248 __attribute__((unused))
249 static inline
crypto_int16_positive_mask(crypto_int16 crypto_int16_x)250 crypto_int16 crypto_int16_positive_mask(crypto_int16 crypto_int16_x) {
251 #if defined(__GNUC__) && defined(__x86_64__)
252 crypto_int16 crypto_int16_q,crypto_int16_z;
253 __asm__ ("xorw %0,%0\n movw $-1,%1\n testw %2,%2\n cmovgw %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc");
254 return crypto_int16_z;
255 #elif defined(__GNUC__) && defined(__aarch64__)
256 crypto_int16 crypto_int16_z;
257 __asm__ ("sxth %w0,%w1\n cmp %w0,0\n csetm %w0,gt" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc");
258 return crypto_int16_z;
259 #else
260 crypto_int16 crypto_int16_z = -crypto_int16_x;
261 crypto_int16_z ^= crypto_int16_x & crypto_int16_z;
262 return crypto_int16_negative_mask(crypto_int16_z);
263 #endif
264 }
265
266 __attribute__((unused))
267 static inline
crypto_int16_positive_01(crypto_int16 crypto_int16_x)268 crypto_int16 crypto_int16_positive_01(crypto_int16 crypto_int16_x) {
269 #if defined(__GNUC__) && defined(__x86_64__)
270 crypto_int16 crypto_int16_q,crypto_int16_z;
271 __asm__ ("xorw %0,%0\n movw $1,%1\n testw %2,%2\n cmovgw %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc");
272 return crypto_int16_z;
273 #elif defined(__GNUC__) && defined(__aarch64__)
274 crypto_int16 crypto_int16_z;
275 __asm__ ("sxth %w0,%w1\n cmp %w0,0\n cset %w0,gt" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc");
276 return crypto_int16_z;
277 #else
278 crypto_int16 crypto_int16_z = -crypto_int16_x;
279 crypto_int16_z ^= crypto_int16_x & crypto_int16_z;
280 return crypto_int16_unsigned_topbit_01(crypto_int16_z);
281 #endif
282 }
283
284 __attribute__((unused))
285 static inline
crypto_int16_zero_mask(crypto_int16 crypto_int16_x)286 crypto_int16 crypto_int16_zero_mask(crypto_int16 crypto_int16_x) {
287 #if defined(__GNUC__) && defined(__x86_64__)
288 crypto_int16 crypto_int16_q,crypto_int16_z;
289 __asm__ ("xorw %0,%0\n movw $-1,%1\n testw %2,%2\n cmovew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc");
290 return crypto_int16_z;
291 #elif defined(__GNUC__) && defined(__aarch64__)
292 crypto_int16 crypto_int16_z;
293 __asm__ ("tst %w1,65535\n csetm %w0,eq" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc");
294 return crypto_int16_z;
295 #else
296 return ~crypto_int16_nonzero_mask(crypto_int16_x);
297 #endif
298 }
299
300 __attribute__((unused))
301 static inline
crypto_int16_zero_01(crypto_int16 crypto_int16_x)302 crypto_int16 crypto_int16_zero_01(crypto_int16 crypto_int16_x) {
303 #if defined(__GNUC__) && defined(__x86_64__)
304 crypto_int16 crypto_int16_q,crypto_int16_z;
305 __asm__ ("xorw %0,%0\n movw $1,%1\n testw %2,%2\n cmovew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc");
306 return crypto_int16_z;
307 #elif defined(__GNUC__) && defined(__aarch64__)
308 crypto_int16 crypto_int16_z;
309 __asm__ ("tst %w1,65535\n cset %w0,eq" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc");
310 return crypto_int16_z;
311 #else
312 return 1-crypto_int16_nonzero_01(crypto_int16_x);
313 #endif
314 }
315
316 __attribute__((unused))
317 static inline
crypto_int16_unequal_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y)318 crypto_int16 crypto_int16_unequal_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) {
319 #if defined(__GNUC__) && defined(__x86_64__)
320 crypto_int16 crypto_int16_q,crypto_int16_z;
321 __asm__ ("xorw %0,%0\n movw $-1,%1\n cmpw %3,%2\n cmovnew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
322 return crypto_int16_z;
323 #elif defined(__GNUC__) && defined(__aarch64__)
324 crypto_int16 crypto_int16_z;
325 __asm__ ("and %w0,%w1,65535\n cmp %w0,%w2,uxth\n csetm %w0,ne" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
326 return crypto_int16_z;
327 #else
328 return crypto_int16_nonzero_mask(crypto_int16_x ^ crypto_int16_y);
329 #endif
330 }
331
332 __attribute__((unused))
333 static inline
crypto_int16_unequal_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y)334 crypto_int16 crypto_int16_unequal_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) {
335 #if defined(__GNUC__) && defined(__x86_64__)
336 crypto_int16 crypto_int16_q,crypto_int16_z;
337 __asm__ ("xorw %0,%0\n movw $1,%1\n cmpw %3,%2\n cmovnew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
338 return crypto_int16_z;
339 #elif defined(__GNUC__) && defined(__aarch64__)
340 crypto_int16 crypto_int16_z;
341 __asm__ ("and %w0,%w1,65535\n cmp %w0,%w2,uxth\n cset %w0,ne" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
342 return crypto_int16_z;
343 #else
344 return crypto_int16_nonzero_01(crypto_int16_x ^ crypto_int16_y);
345 #endif
346 }
347
348 __attribute__((unused))
349 static inline
crypto_int16_equal_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y)350 crypto_int16 crypto_int16_equal_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) {
351 #if defined(__GNUC__) && defined(__x86_64__)
352 crypto_int16 crypto_int16_q,crypto_int16_z;
353 __asm__ ("xorw %0,%0\n movw $-1,%1\n cmpw %3,%2\n cmovew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
354 return crypto_int16_z;
355 #elif defined(__GNUC__) && defined(__aarch64__)
356 crypto_int16 crypto_int16_z;
357 __asm__ ("and %w0,%w1,65535\n cmp %w0,%w2,uxth\n csetm %w0,eq" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
358 return crypto_int16_z;
359 #else
360 return ~crypto_int16_unequal_mask(crypto_int16_x,crypto_int16_y);
361 #endif
362 }
363
364 __attribute__((unused))
365 static inline
crypto_int16_equal_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y)366 crypto_int16 crypto_int16_equal_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) {
367 #if defined(__GNUC__) && defined(__x86_64__)
368 crypto_int16 crypto_int16_q,crypto_int16_z;
369 __asm__ ("xorw %0,%0\n movw $1,%1\n cmpw %3,%2\n cmovew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
370 return crypto_int16_z;
371 #elif defined(__GNUC__) && defined(__aarch64__)
372 crypto_int16 crypto_int16_z;
373 __asm__ ("and %w0,%w1,65535\n cmp %w0,%w2,uxth\n cset %w0,eq" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
374 return crypto_int16_z;
375 #else
376 return 1-crypto_int16_unequal_01(crypto_int16_x,crypto_int16_y);
377 #endif
378 }
379
380 __attribute__((unused))
381 static inline
crypto_int16_min(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y)382 crypto_int16 crypto_int16_min(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) {
383 #if defined(__GNUC__) && defined(__x86_64__)
384 __asm__ ("cmpw %1,%0\n cmovgw %1,%0" : "+r"(crypto_int16_x) : "r"(crypto_int16_y) : "cc");
385 return crypto_int16_x;
386 #elif defined(__GNUC__) && defined(__aarch64__)
387 __asm__ ("sxth %w0,%w0\n cmp %w0,%w1,sxth\n csel %w0,%w0,%w1,lt" : "+&r"(crypto_int16_x) : "r"(crypto_int16_y) : "cc");
388 return crypto_int16_x;
389 #else
390 crypto_int16 crypto_int16_r = crypto_int16_y ^ crypto_int16_x;
391 crypto_int16 crypto_int16_z = crypto_int16_y - crypto_int16_x;
392 crypto_int16_z ^= crypto_int16_r & (crypto_int16_z ^ crypto_int16_y);
393 crypto_int16_z = crypto_int16_negative_mask(crypto_int16_z);
394 crypto_int16_z &= crypto_int16_r;
395 return crypto_int16_x ^ crypto_int16_z;
396 #endif
397 }
398
399 __attribute__((unused))
400 static inline
crypto_int16_max(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y)401 crypto_int16 crypto_int16_max(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) {
402 #if defined(__GNUC__) && defined(__x86_64__)
403 __asm__ ("cmpw %1,%0\n cmovlw %1,%0" : "+r"(crypto_int16_x) : "r"(crypto_int16_y) : "cc");
404 return crypto_int16_x;
405 #elif defined(__GNUC__) && defined(__aarch64__)
406 __asm__ ("sxth %w0,%w0\n cmp %w0,%w1,sxth\n csel %w0,%w1,%w0,lt" : "+&r"(crypto_int16_x) : "r"(crypto_int16_y) : "cc");
407 return crypto_int16_x;
408 #else
409 crypto_int16 crypto_int16_r = crypto_int16_y ^ crypto_int16_x;
410 crypto_int16 crypto_int16_z = crypto_int16_y - crypto_int16_x;
411 crypto_int16_z ^= crypto_int16_r & (crypto_int16_z ^ crypto_int16_y);
412 crypto_int16_z = crypto_int16_negative_mask(crypto_int16_z);
413 crypto_int16_z &= crypto_int16_r;
414 return crypto_int16_y ^ crypto_int16_z;
415 #endif
416 }
417
418 __attribute__((unused))
419 static inline
crypto_int16_minmax(crypto_int16 * crypto_int16_p,crypto_int16 * crypto_int16_q)420 void crypto_int16_minmax(crypto_int16 *crypto_int16_p,crypto_int16 *crypto_int16_q) {
421 crypto_int16 crypto_int16_x = *crypto_int16_p;
422 crypto_int16 crypto_int16_y = *crypto_int16_q;
423 #if defined(__GNUC__) && defined(__x86_64__)
424 crypto_int16 crypto_int16_z;
425 __asm__ ("cmpw %2,%1\n movw %1,%0\n cmovgw %2,%1\n cmovgw %0,%2" : "=&r"(crypto_int16_z), "+&r"(crypto_int16_x), "+r"(crypto_int16_y) : : "cc");
426 *crypto_int16_p = crypto_int16_x;
427 *crypto_int16_q = crypto_int16_y;
428 #elif defined(__GNUC__) && defined(__aarch64__)
429 crypto_int16 crypto_int16_r, crypto_int16_s;
430 __asm__ ("sxth %w0,%w0\n cmp %w0,%w3,sxth\n csel %w1,%w0,%w3,lt\n csel %w2,%w3,%w0,lt" : "+&r"(crypto_int16_x), "=&r"(crypto_int16_r), "=r"(crypto_int16_s) : "r"(crypto_int16_y) : "cc");
431 *crypto_int16_p = crypto_int16_r;
432 *crypto_int16_q = crypto_int16_s;
433 #else
434 crypto_int16 crypto_int16_r = crypto_int16_y ^ crypto_int16_x;
435 crypto_int16 crypto_int16_z = crypto_int16_y - crypto_int16_x;
436 crypto_int16_z ^= crypto_int16_r & (crypto_int16_z ^ crypto_int16_y);
437 crypto_int16_z = crypto_int16_negative_mask(crypto_int16_z);
438 crypto_int16_z &= crypto_int16_r;
439 crypto_int16_x ^= crypto_int16_z;
440 crypto_int16_y ^= crypto_int16_z;
441 *crypto_int16_p = crypto_int16_x;
442 *crypto_int16_q = crypto_int16_y;
443 #endif
444 }
445
446 __attribute__((unused))
447 static inline
crypto_int16_smaller_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y)448 crypto_int16 crypto_int16_smaller_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) {
449 #if defined(__GNUC__) && defined(__x86_64__)
450 crypto_int16 crypto_int16_q,crypto_int16_z;
451 __asm__ ("xorw %0,%0\n movw $-1,%1\n cmpw %3,%2\n cmovlw %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
452 return crypto_int16_z;
453 #elif defined(__GNUC__) && defined(__aarch64__)
454 crypto_int16 crypto_int16_z;
455 __asm__ ("sxth %w0,%w1\n cmp %w0,%w2,sxth\n csetm %w0,lt" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
456 return crypto_int16_z;
457 #else
458 crypto_int16 crypto_int16_r = crypto_int16_x ^ crypto_int16_y;
459 crypto_int16 crypto_int16_z = crypto_int16_x - crypto_int16_y;
460 crypto_int16_z ^= crypto_int16_r & (crypto_int16_z ^ crypto_int16_x);
461 return crypto_int16_negative_mask(crypto_int16_z);
462 #endif
463 }
464
465 __attribute__((unused))
466 static inline
crypto_int16_smaller_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y)467 crypto_int16 crypto_int16_smaller_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) {
468 #if defined(__GNUC__) && defined(__x86_64__)
469 crypto_int16 crypto_int16_q,crypto_int16_z;
470 __asm__ ("xorw %0,%0\n movw $1,%1\n cmpw %3,%2\n cmovlw %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
471 return crypto_int16_z;
472 #elif defined(__GNUC__) && defined(__aarch64__)
473 crypto_int16 crypto_int16_z;
474 __asm__ ("sxth %w0,%w1\n cmp %w0,%w2,sxth\n cset %w0,lt" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
475 return crypto_int16_z;
476 #else
477 crypto_int16 crypto_int16_r = crypto_int16_x ^ crypto_int16_y;
478 crypto_int16 crypto_int16_z = crypto_int16_x - crypto_int16_y;
479 crypto_int16_z ^= crypto_int16_r & (crypto_int16_z ^ crypto_int16_x);
480 return crypto_int16_unsigned_topbit_01(crypto_int16_z);
481 #endif
482 }
483
484 __attribute__((unused))
485 static inline
crypto_int16_leq_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y)486 crypto_int16 crypto_int16_leq_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) {
487 #if defined(__GNUC__) && defined(__x86_64__)
488 crypto_int16 crypto_int16_q,crypto_int16_z;
489 __asm__ ("xorw %0,%0\n movw $-1,%1\n cmpw %3,%2\n cmovlew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
490 return crypto_int16_z;
491 #elif defined(__GNUC__) && defined(__aarch64__)
492 crypto_int16 crypto_int16_z;
493 __asm__ ("sxth %w0,%w1\n cmp %w0,%w2,sxth\n csetm %w0,le" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
494 return crypto_int16_z;
495 #else
496 return ~crypto_int16_smaller_mask(crypto_int16_y,crypto_int16_x);
497 #endif
498 }
499
500 __attribute__((unused))
501 static inline
crypto_int16_leq_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y)502 crypto_int16 crypto_int16_leq_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) {
503 #if defined(__GNUC__) && defined(__x86_64__)
504 crypto_int16 crypto_int16_q,crypto_int16_z;
505 __asm__ ("xorw %0,%0\n movw $1,%1\n cmpw %3,%2\n cmovlew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
506 return crypto_int16_z;
507 #elif defined(__GNUC__) && defined(__aarch64__)
508 crypto_int16 crypto_int16_z;
509 __asm__ ("sxth %w0,%w1\n cmp %w0,%w2,sxth\n cset %w0,le" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc");
510 return crypto_int16_z;
511 #else
512 return 1-crypto_int16_smaller_01(crypto_int16_y,crypto_int16_x);
513 #endif
514 }
515
516 __attribute__((unused))
517 static inline
crypto_int16_ones_num(crypto_int16 crypto_int16_x)518 int crypto_int16_ones_num(crypto_int16 crypto_int16_x) {
519 crypto_int16_unsigned crypto_int16_y = crypto_int16_x;
520 const crypto_int16 C0 = 0x5555;
521 const crypto_int16 C1 = 0x3333;
522 const crypto_int16 C2 = 0x0f0f;
523 crypto_int16_y -= ((crypto_int16_y >> 1) & C0);
524 crypto_int16_y = (crypto_int16_y & C1) + ((crypto_int16_y >> 2) & C1);
525 crypto_int16_y = (crypto_int16_y + (crypto_int16_y >> 4)) & C2;
526 crypto_int16_y = (crypto_int16_y + (crypto_int16_y >> 8)) & 0xff;
527 return crypto_int16_y;
528 }
529
530 __attribute__((unused))
531 static inline
crypto_int16_bottomzeros_num(crypto_int16 crypto_int16_x)532 int crypto_int16_bottomzeros_num(crypto_int16 crypto_int16_x) {
533 #if defined(__GNUC__) && defined(__x86_64__)
534 crypto_int16 fallback = 16;
535 __asm__ ("bsfw %0,%0\n cmovew %1,%0" : "+&r"(crypto_int16_x) : "r"(fallback) : "cc");
536 return crypto_int16_x;
537 #elif defined(__GNUC__) && defined(__aarch64__)
538 int64_t crypto_int16_y;
539 __asm__ ("orr %w0,%w1,-65536\n rbit %w0,%w0\n clz %w0,%w0" : "=r"(crypto_int16_y) : "r"(crypto_int16_x) : );
540 return crypto_int16_y;
541 #else
542 crypto_int16 crypto_int16_y = crypto_int16_x ^ (crypto_int16_x-1);
543 crypto_int16_y = ((crypto_int16) crypto_int16_y) >> 1;
544 crypto_int16_y &= ~(crypto_int16_x & (((crypto_int16) 1) << (16-1)));
545 return crypto_int16_ones_num(crypto_int16_y);
546 #endif
547 }
548
549 #endif
550
551 /* from supercop-20240808/cryptoint/crypto_int32.h */
552 /* auto-generated: cd cryptoint; ./autogen */
553 /* cryptoint 20240806 */
554
555 #ifndef crypto_int32_h
556 #define crypto_int32_h
557
558 #define crypto_int32 int32_t
559 #define crypto_int32_unsigned uint32_t
560
561
562
563 __attribute__((unused))
564 static inline
crypto_int32_load(const unsigned char * crypto_int32_s)565 crypto_int32 crypto_int32_load(const unsigned char *crypto_int32_s) {
566 crypto_int32 crypto_int32_z = 0;
567 crypto_int32_z |= ((crypto_int32) (*crypto_int32_s++)) << 0;
568 crypto_int32_z |= ((crypto_int32) (*crypto_int32_s++)) << 8;
569 crypto_int32_z |= ((crypto_int32) (*crypto_int32_s++)) << 16;
570 crypto_int32_z |= ((crypto_int32) (*crypto_int32_s++)) << 24;
571 return crypto_int32_z;
572 }
573
574 __attribute__((unused))
575 static inline
crypto_int32_store(unsigned char * crypto_int32_s,crypto_int32 crypto_int32_x)576 void crypto_int32_store(unsigned char *crypto_int32_s,crypto_int32 crypto_int32_x) {
577 *crypto_int32_s++ = crypto_int32_x >> 0;
578 *crypto_int32_s++ = crypto_int32_x >> 8;
579 *crypto_int32_s++ = crypto_int32_x >> 16;
580 *crypto_int32_s++ = crypto_int32_x >> 24;
581 }
582
583 __attribute__((unused))
584 static inline
crypto_int32_negative_mask(crypto_int32 crypto_int32_x)585 crypto_int32 crypto_int32_negative_mask(crypto_int32 crypto_int32_x) {
586 #if defined(__GNUC__) && defined(__x86_64__)
587 __asm__ ("sarl $31,%0" : "+r"(crypto_int32_x) : : "cc");
588 return crypto_int32_x;
589 #elif defined(__GNUC__) && defined(__aarch64__)
590 crypto_int32 crypto_int32_y;
591 __asm__ ("asr %w0,%w1,31" : "=r"(crypto_int32_y) : "r"(crypto_int32_x) : );
592 return crypto_int32_y;
593 #else
594 crypto_int32_x >>= 32-6;
595 crypto_int32_x ^= crypto_int32_optblocker;
596 crypto_int32_x >>= 5;
597 return crypto_int32_x;
598 #endif
599 }
600
601 __attribute__((unused))
602 static inline
crypto_int32_unsigned_topbit_01(crypto_int32_unsigned crypto_int32_x)603 crypto_int32_unsigned crypto_int32_unsigned_topbit_01(crypto_int32_unsigned crypto_int32_x) {
604 #if defined(__GNUC__) && defined(__x86_64__)
605 __asm__ ("shrl $31,%0" : "+r"(crypto_int32_x) : : "cc");
606 return crypto_int32_x;
607 #elif defined(__GNUC__) && defined(__aarch64__)
608 crypto_int32 crypto_int32_y;
609 __asm__ ("lsr %w0,%w1,31" : "=r"(crypto_int32_y) : "r"(crypto_int32_x) : );
610 return crypto_int32_y;
611 #else
612 crypto_int32_x >>= 32-6;
613 crypto_int32_x ^= crypto_int32_optblocker;
614 crypto_int32_x >>= 5;
615 return crypto_int32_x;
616 #endif
617 }
618
619 __attribute__((unused))
620 static inline
crypto_int32_negative_01(crypto_int32 crypto_int32_x)621 crypto_int32 crypto_int32_negative_01(crypto_int32 crypto_int32_x) {
622 return crypto_int32_unsigned_topbit_01(crypto_int32_x);
623 }
624
625 __attribute__((unused))
626 static inline
crypto_int32_topbit_mask(crypto_int32 crypto_int32_x)627 crypto_int32 crypto_int32_topbit_mask(crypto_int32 crypto_int32_x) {
628 return crypto_int32_negative_mask(crypto_int32_x);
629 }
630
631 __attribute__((unused))
632 static inline
crypto_int32_topbit_01(crypto_int32 crypto_int32_x)633 crypto_int32 crypto_int32_topbit_01(crypto_int32 crypto_int32_x) {
634 return crypto_int32_unsigned_topbit_01(crypto_int32_x);
635 }
636
637 __attribute__((unused))
638 static inline
crypto_int32_bottombit_mask(crypto_int32 crypto_int32_x)639 crypto_int32 crypto_int32_bottombit_mask(crypto_int32 crypto_int32_x) {
640 #if defined(__GNUC__) && defined(__x86_64__)
641 __asm__ ("andl $1,%0" : "+r"(crypto_int32_x) : : "cc");
642 return -crypto_int32_x;
643 #elif defined(__GNUC__) && defined(__aarch64__)
644 crypto_int32 crypto_int32_y;
645 __asm__ ("sbfx %w0,%w1,0,1" : "=r"(crypto_int32_y) : "r"(crypto_int32_x) : );
646 return crypto_int32_y;
647 #else
648 crypto_int32_x &= 1 ^ crypto_int32_optblocker;
649 return -crypto_int32_x;
650 #endif
651 }
652
653 __attribute__((unused))
654 static inline
crypto_int32_bottombit_01(crypto_int32 crypto_int32_x)655 crypto_int32 crypto_int32_bottombit_01(crypto_int32 crypto_int32_x) {
656 #if defined(__GNUC__) && defined(__x86_64__)
657 __asm__ ("andl $1,%0" : "+r"(crypto_int32_x) : : "cc");
658 return crypto_int32_x;
659 #elif defined(__GNUC__) && defined(__aarch64__)
660 crypto_int32 crypto_int32_y;
661 __asm__ ("ubfx %w0,%w1,0,1" : "=r"(crypto_int32_y) : "r"(crypto_int32_x) : );
662 return crypto_int32_y;
663 #else
664 crypto_int32_x &= 1 ^ crypto_int32_optblocker;
665 return crypto_int32_x;
666 #endif
667 }
668
669 __attribute__((unused))
670 static inline
crypto_int32_bitinrangepublicpos_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s)671 crypto_int32 crypto_int32_bitinrangepublicpos_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) {
672 #if defined(__GNUC__) && defined(__x86_64__)
673 __asm__ ("sarl %%cl,%0" : "+r"(crypto_int32_x) : "c"(crypto_int32_s) : "cc");
674 #elif defined(__GNUC__) && defined(__aarch64__)
675 __asm__ ("asr %w0,%w0,%w1" : "+r"(crypto_int32_x) : "r"(crypto_int32_s) : );
676 #else
677 crypto_int32_x >>= crypto_int32_s ^ crypto_int32_optblocker;
678 #endif
679 return crypto_int32_bottombit_mask(crypto_int32_x);
680 }
681
682 __attribute__((unused))
683 static inline
crypto_int32_bitinrangepublicpos_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s)684 crypto_int32 crypto_int32_bitinrangepublicpos_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) {
685 #if defined(__GNUC__) && defined(__x86_64__)
686 __asm__ ("sarl %%cl,%0" : "+r"(crypto_int32_x) : "c"(crypto_int32_s) : "cc");
687 #elif defined(__GNUC__) && defined(__aarch64__)
688 __asm__ ("asr %w0,%w0,%w1" : "+r"(crypto_int32_x) : "r"(crypto_int32_s) : );
689 #else
690 crypto_int32_x >>= crypto_int32_s ^ crypto_int32_optblocker;
691 #endif
692 return crypto_int32_bottombit_01(crypto_int32_x);
693 }
694
695 __attribute__((unused))
696 static inline
crypto_int32_shlmod(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s)697 crypto_int32 crypto_int32_shlmod(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) {
698 #if defined(__GNUC__) && defined(__x86_64__)
699 __asm__ ("shll %%cl,%0" : "+r"(crypto_int32_x) : "c"(crypto_int32_s) : "cc");
700 #elif defined(__GNUC__) && defined(__aarch64__)
701 __asm__ ("lsl %w0,%w0,%w1" : "+r"(crypto_int32_x) : "r"(crypto_int32_s) : );
702 #else
703 int crypto_int32_k, crypto_int32_l;
704 for (crypto_int32_l = 0,crypto_int32_k = 1;crypto_int32_k < 32;++crypto_int32_l,crypto_int32_k *= 2)
705 crypto_int32_x ^= (crypto_int32_x ^ (crypto_int32_x << crypto_int32_k)) & crypto_int32_bitinrangepublicpos_mask(crypto_int32_s,crypto_int32_l);
706 #endif
707 return crypto_int32_x;
708 }
709
710 __attribute__((unused))
711 static inline
crypto_int32_shrmod(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s)712 crypto_int32 crypto_int32_shrmod(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) {
713 #if defined(__GNUC__) && defined(__x86_64__)
714 __asm__ ("sarl %%cl,%0" : "+r"(crypto_int32_x) : "c"(crypto_int32_s) : "cc");
715 #elif defined(__GNUC__) && defined(__aarch64__)
716 __asm__ ("asr %w0,%w0,%w1" : "+r"(crypto_int32_x) : "r"(crypto_int32_s) : );
717 #else
718 int crypto_int32_k, crypto_int32_l;
719 for (crypto_int32_l = 0,crypto_int32_k = 1;crypto_int32_k < 32;++crypto_int32_l,crypto_int32_k *= 2)
720 crypto_int32_x ^= (crypto_int32_x ^ (crypto_int32_x >> crypto_int32_k)) & crypto_int32_bitinrangepublicpos_mask(crypto_int32_s,crypto_int32_l);
721 #endif
722 return crypto_int32_x;
723 }
724
725 __attribute__((unused))
726 static inline
crypto_int32_bitmod_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s)727 crypto_int32 crypto_int32_bitmod_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) {
728 crypto_int32_x = crypto_int32_shrmod(crypto_int32_x,crypto_int32_s);
729 return crypto_int32_bottombit_mask(crypto_int32_x);
730 }
731
732 __attribute__((unused))
733 static inline
crypto_int32_bitmod_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s)734 crypto_int32 crypto_int32_bitmod_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) {
735 crypto_int32_x = crypto_int32_shrmod(crypto_int32_x,crypto_int32_s);
736 return crypto_int32_bottombit_01(crypto_int32_x);
737 }
738
739 __attribute__((unused))
740 static inline
crypto_int32_nonzero_mask(crypto_int32 crypto_int32_x)741 crypto_int32 crypto_int32_nonzero_mask(crypto_int32 crypto_int32_x) {
742 #if defined(__GNUC__) && defined(__x86_64__)
743 crypto_int32 crypto_int32_q,crypto_int32_z;
744 __asm__ ("xorl %0,%0\n movl $-1,%1\n testl %2,%2\n cmovnel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc");
745 return crypto_int32_z;
746 #elif defined(__GNUC__) && defined(__aarch64__)
747 crypto_int32 crypto_int32_z;
748 __asm__ ("cmp %w1,0\n csetm %w0,ne" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc");
749 return crypto_int32_z;
750 #else
751 crypto_int32_x |= -crypto_int32_x;
752 return crypto_int32_negative_mask(crypto_int32_x);
753 #endif
754 }
755
756 __attribute__((unused))
757 static inline
crypto_int32_nonzero_01(crypto_int32 crypto_int32_x)758 crypto_int32 crypto_int32_nonzero_01(crypto_int32 crypto_int32_x) {
759 #if defined(__GNUC__) && defined(__x86_64__)
760 crypto_int32 crypto_int32_q,crypto_int32_z;
761 __asm__ ("xorl %0,%0\n movl $1,%1\n testl %2,%2\n cmovnel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc");
762 return crypto_int32_z;
763 #elif defined(__GNUC__) && defined(__aarch64__)
764 crypto_int32 crypto_int32_z;
765 __asm__ ("cmp %w1,0\n cset %w0,ne" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc");
766 return crypto_int32_z;
767 #else
768 crypto_int32_x |= -crypto_int32_x;
769 return crypto_int32_unsigned_topbit_01(crypto_int32_x);
770 #endif
771 }
772
773 __attribute__((unused))
774 static inline
crypto_int32_positive_mask(crypto_int32 crypto_int32_x)775 crypto_int32 crypto_int32_positive_mask(crypto_int32 crypto_int32_x) {
776 #if defined(__GNUC__) && defined(__x86_64__)
777 crypto_int32 crypto_int32_q,crypto_int32_z;
778 __asm__ ("xorl %0,%0\n movl $-1,%1\n testl %2,%2\n cmovgl %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc");
779 return crypto_int32_z;
780 #elif defined(__GNUC__) && defined(__aarch64__)
781 crypto_int32 crypto_int32_z;
782 __asm__ ("cmp %w1,0\n csetm %w0,gt" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc");
783 return crypto_int32_z;
784 #else
785 crypto_int32 crypto_int32_z = -crypto_int32_x;
786 crypto_int32_z ^= crypto_int32_x & crypto_int32_z;
787 return crypto_int32_negative_mask(crypto_int32_z);
788 #endif
789 }
790
791 __attribute__((unused))
792 static inline
crypto_int32_positive_01(crypto_int32 crypto_int32_x)793 crypto_int32 crypto_int32_positive_01(crypto_int32 crypto_int32_x) {
794 #if defined(__GNUC__) && defined(__x86_64__)
795 crypto_int32 crypto_int32_q,crypto_int32_z;
796 __asm__ ("xorl %0,%0\n movl $1,%1\n testl %2,%2\n cmovgl %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc");
797 return crypto_int32_z;
798 #elif defined(__GNUC__) && defined(__aarch64__)
799 crypto_int32 crypto_int32_z;
800 __asm__ ("cmp %w1,0\n cset %w0,gt" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc");
801 return crypto_int32_z;
802 #else
803 crypto_int32 crypto_int32_z = -crypto_int32_x;
804 crypto_int32_z ^= crypto_int32_x & crypto_int32_z;
805 return crypto_int32_unsigned_topbit_01(crypto_int32_z);
806 #endif
807 }
808
809 __attribute__((unused))
810 static inline
crypto_int32_zero_mask(crypto_int32 crypto_int32_x)811 crypto_int32 crypto_int32_zero_mask(crypto_int32 crypto_int32_x) {
812 #if defined(__GNUC__) && defined(__x86_64__)
813 crypto_int32 crypto_int32_q,crypto_int32_z;
814 __asm__ ("xorl %0,%0\n movl $-1,%1\n testl %2,%2\n cmovel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc");
815 return crypto_int32_z;
816 #elif defined(__GNUC__) && defined(__aarch64__)
817 crypto_int32 crypto_int32_z;
818 __asm__ ("cmp %w1,0\n csetm %w0,eq" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc");
819 return crypto_int32_z;
820 #else
821 return ~crypto_int32_nonzero_mask(crypto_int32_x);
822 #endif
823 }
824
825 __attribute__((unused))
826 static inline
crypto_int32_zero_01(crypto_int32 crypto_int32_x)827 crypto_int32 crypto_int32_zero_01(crypto_int32 crypto_int32_x) {
828 #if defined(__GNUC__) && defined(__x86_64__)
829 crypto_int32 crypto_int32_q,crypto_int32_z;
830 __asm__ ("xorl %0,%0\n movl $1,%1\n testl %2,%2\n cmovel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc");
831 return crypto_int32_z;
832 #elif defined(__GNUC__) && defined(__aarch64__)
833 crypto_int32 crypto_int32_z;
834 __asm__ ("cmp %w1,0\n cset %w0,eq" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc");
835 return crypto_int32_z;
836 #else
837 return 1-crypto_int32_nonzero_01(crypto_int32_x);
838 #endif
839 }
840
841 __attribute__((unused))
842 static inline
crypto_int32_unequal_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y)843 crypto_int32 crypto_int32_unequal_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) {
844 #if defined(__GNUC__) && defined(__x86_64__)
845 crypto_int32 crypto_int32_q,crypto_int32_z;
846 __asm__ ("xorl %0,%0\n movl $-1,%1\n cmpl %3,%2\n cmovnel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
847 return crypto_int32_z;
848 #elif defined(__GNUC__) && defined(__aarch64__)
849 crypto_int32 crypto_int32_z;
850 __asm__ ("cmp %w1,%w2\n csetm %w0,ne" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
851 return crypto_int32_z;
852 #else
853 return crypto_int32_nonzero_mask(crypto_int32_x ^ crypto_int32_y);
854 #endif
855 }
856
857 __attribute__((unused))
858 static inline
crypto_int32_unequal_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y)859 crypto_int32 crypto_int32_unequal_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) {
860 #if defined(__GNUC__) && defined(__x86_64__)
861 crypto_int32 crypto_int32_q,crypto_int32_z;
862 __asm__ ("xorl %0,%0\n movl $1,%1\n cmpl %3,%2\n cmovnel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
863 return crypto_int32_z;
864 #elif defined(__GNUC__) && defined(__aarch64__)
865 crypto_int32 crypto_int32_z;
866 __asm__ ("cmp %w1,%w2\n cset %w0,ne" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
867 return crypto_int32_z;
868 #else
869 return crypto_int32_nonzero_01(crypto_int32_x ^ crypto_int32_y);
870 #endif
871 }
872
873 __attribute__((unused))
874 static inline
crypto_int32_equal_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y)875 crypto_int32 crypto_int32_equal_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) {
876 #if defined(__GNUC__) && defined(__x86_64__)
877 crypto_int32 crypto_int32_q,crypto_int32_z;
878 __asm__ ("xorl %0,%0\n movl $-1,%1\n cmpl %3,%2\n cmovel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
879 return crypto_int32_z;
880 #elif defined(__GNUC__) && defined(__aarch64__)
881 crypto_int32 crypto_int32_z;
882 __asm__ ("cmp %w1,%w2\n csetm %w0,eq" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
883 return crypto_int32_z;
884 #else
885 return ~crypto_int32_unequal_mask(crypto_int32_x,crypto_int32_y);
886 #endif
887 }
888
889 __attribute__((unused))
890 static inline
crypto_int32_equal_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y)891 crypto_int32 crypto_int32_equal_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) {
892 #if defined(__GNUC__) && defined(__x86_64__)
893 crypto_int32 crypto_int32_q,crypto_int32_z;
894 __asm__ ("xorl %0,%0\n movl $1,%1\n cmpl %3,%2\n cmovel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
895 return crypto_int32_z;
896 #elif defined(__GNUC__) && defined(__aarch64__)
897 crypto_int32 crypto_int32_z;
898 __asm__ ("cmp %w1,%w2\n cset %w0,eq" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
899 return crypto_int32_z;
900 #else
901 return 1-crypto_int32_unequal_01(crypto_int32_x,crypto_int32_y);
902 #endif
903 }
904
905 __attribute__((unused))
906 static inline
crypto_int32_min(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y)907 crypto_int32 crypto_int32_min(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) {
908 #if defined(__GNUC__) && defined(__x86_64__)
909 __asm__ ("cmpl %1,%0\n cmovgl %1,%0" : "+r"(crypto_int32_x) : "r"(crypto_int32_y) : "cc");
910 return crypto_int32_x;
911 #elif defined(__GNUC__) && defined(__aarch64__)
912 __asm__ ("cmp %w0,%w1\n csel %w0,%w0,%w1,lt" : "+r"(crypto_int32_x) : "r"(crypto_int32_y) : "cc");
913 return crypto_int32_x;
914 #else
915 crypto_int64 crypto_int32_r = (crypto_int64)crypto_int32_y ^ (crypto_int64)crypto_int32_x;
916 crypto_int64 crypto_int32_z = (crypto_int64)crypto_int32_y - (crypto_int64)crypto_int32_x;
917 crypto_int32_z ^= crypto_int32_r & (crypto_int32_z ^ crypto_int32_y);
918 crypto_int32_z = crypto_int32_negative_mask(crypto_int32_z);
919 crypto_int32_z &= crypto_int32_r;
920 return crypto_int32_x ^ crypto_int32_z;
921 #endif
922 }
923
924 __attribute__((unused))
925 static inline
crypto_int32_max(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y)926 crypto_int32 crypto_int32_max(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) {
927 #if defined(__GNUC__) && defined(__x86_64__)
928 __asm__ ("cmpl %1,%0\n cmovll %1,%0" : "+r"(crypto_int32_x) : "r"(crypto_int32_y) : "cc");
929 return crypto_int32_x;
930 #elif defined(__GNUC__) && defined(__aarch64__)
931 __asm__ ("cmp %w0,%w1\n csel %w0,%w1,%w0,lt" : "+r"(crypto_int32_x) : "r"(crypto_int32_y) : "cc");
932 return crypto_int32_x;
933 #else
934 crypto_int64 crypto_int32_r = (crypto_int64)crypto_int32_y ^ (crypto_int64)crypto_int32_x;
935 crypto_int64 crypto_int32_z = (crypto_int64)crypto_int32_y - (crypto_int64)crypto_int32_x;
936 crypto_int32_z ^= crypto_int32_r & (crypto_int32_z ^ crypto_int32_y);
937 crypto_int32_z = crypto_int32_negative_mask(crypto_int32_z);
938 crypto_int32_z &= crypto_int32_r;
939 return crypto_int32_y ^ crypto_int32_z;
940 #endif
941 }
942
943 __attribute__((unused))
944 static inline
crypto_int32_minmax(crypto_int32 * crypto_int32_p,crypto_int32 * crypto_int32_q)945 void crypto_int32_minmax(crypto_int32 *crypto_int32_p,crypto_int32 *crypto_int32_q) {
946 crypto_int32 crypto_int32_x = *crypto_int32_p;
947 crypto_int32 crypto_int32_y = *crypto_int32_q;
948 #if defined(__GNUC__) && defined(__x86_64__)
949 crypto_int32 crypto_int32_z;
950 __asm__ ("cmpl %2,%1\n movl %1,%0\n cmovgl %2,%1\n cmovgl %0,%2" : "=&r"(crypto_int32_z), "+&r"(crypto_int32_x), "+r"(crypto_int32_y) : : "cc");
951 *crypto_int32_p = crypto_int32_x;
952 *crypto_int32_q = crypto_int32_y;
953 #elif defined(__GNUC__) && defined(__aarch64__)
954 crypto_int32 crypto_int32_r, crypto_int32_s;
955 __asm__ ("cmp %w2,%w3\n csel %w0,%w2,%w3,lt\n csel %w1,%w3,%w2,lt" : "=&r"(crypto_int32_r), "=r"(crypto_int32_s) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
956 *crypto_int32_p = crypto_int32_r;
957 *crypto_int32_q = crypto_int32_s;
958 #else
959 crypto_int64 crypto_int32_r = (crypto_int64)crypto_int32_y ^ (crypto_int64)crypto_int32_x;
960 crypto_int64 crypto_int32_z = (crypto_int64)crypto_int32_y - (crypto_int64)crypto_int32_x;
961 crypto_int32_z ^= crypto_int32_r & (crypto_int32_z ^ crypto_int32_y);
962 crypto_int32_z = crypto_int32_negative_mask(crypto_int32_z);
963 crypto_int32_z &= crypto_int32_r;
964 crypto_int32_x ^= crypto_int32_z;
965 crypto_int32_y ^= crypto_int32_z;
966 *crypto_int32_p = crypto_int32_x;
967 *crypto_int32_q = crypto_int32_y;
968 #endif
969 }
970
971 __attribute__((unused))
972 static inline
crypto_int32_smaller_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y)973 crypto_int32 crypto_int32_smaller_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) {
974 #if defined(__GNUC__) && defined(__x86_64__)
975 crypto_int32 crypto_int32_q,crypto_int32_z;
976 __asm__ ("xorl %0,%0\n movl $-1,%1\n cmpl %3,%2\n cmovll %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
977 return crypto_int32_z;
978 #elif defined(__GNUC__) && defined(__aarch64__)
979 crypto_int32 crypto_int32_z;
980 __asm__ ("cmp %w1,%w2\n csetm %w0,lt" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
981 return crypto_int32_z;
982 #else
983 crypto_int32 crypto_int32_r = crypto_int32_x ^ crypto_int32_y;
984 crypto_int32 crypto_int32_z = crypto_int32_x - crypto_int32_y;
985 crypto_int32_z ^= crypto_int32_r & (crypto_int32_z ^ crypto_int32_x);
986 return crypto_int32_negative_mask(crypto_int32_z);
987 #endif
988 }
989
990 __attribute__((unused))
991 static inline
crypto_int32_smaller_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y)992 crypto_int32 crypto_int32_smaller_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) {
993 #if defined(__GNUC__) && defined(__x86_64__)
994 crypto_int32 crypto_int32_q,crypto_int32_z;
995 __asm__ ("xorl %0,%0\n movl $1,%1\n cmpl %3,%2\n cmovll %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
996 return crypto_int32_z;
997 #elif defined(__GNUC__) && defined(__aarch64__)
998 crypto_int32 crypto_int32_z;
999 __asm__ ("cmp %w1,%w2\n cset %w0,lt" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
1000 return crypto_int32_z;
1001 #else
1002 crypto_int32 crypto_int32_r = crypto_int32_x ^ crypto_int32_y;
1003 crypto_int32 crypto_int32_z = crypto_int32_x - crypto_int32_y;
1004 crypto_int32_z ^= crypto_int32_r & (crypto_int32_z ^ crypto_int32_x);
1005 return crypto_int32_unsigned_topbit_01(crypto_int32_z);
1006 #endif
1007 }
1008
1009 __attribute__((unused))
1010 static inline
crypto_int32_leq_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y)1011 crypto_int32 crypto_int32_leq_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) {
1012 #if defined(__GNUC__) && defined(__x86_64__)
1013 crypto_int32 crypto_int32_q,crypto_int32_z;
1014 __asm__ ("xorl %0,%0\n movl $-1,%1\n cmpl %3,%2\n cmovlel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
1015 return crypto_int32_z;
1016 #elif defined(__GNUC__) && defined(__aarch64__)
1017 crypto_int32 crypto_int32_z;
1018 __asm__ ("cmp %w1,%w2\n csetm %w0,le" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
1019 return crypto_int32_z;
1020 #else
1021 return ~crypto_int32_smaller_mask(crypto_int32_y,crypto_int32_x);
1022 #endif
1023 }
1024
1025 __attribute__((unused))
1026 static inline
crypto_int32_leq_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y)1027 crypto_int32 crypto_int32_leq_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) {
1028 #if defined(__GNUC__) && defined(__x86_64__)
1029 crypto_int32 crypto_int32_q,crypto_int32_z;
1030 __asm__ ("xorl %0,%0\n movl $1,%1\n cmpl %3,%2\n cmovlel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
1031 return crypto_int32_z;
1032 #elif defined(__GNUC__) && defined(__aarch64__)
1033 crypto_int32 crypto_int32_z;
1034 __asm__ ("cmp %w1,%w2\n cset %w0,le" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
1035 return crypto_int32_z;
1036 #else
1037 return 1-crypto_int32_smaller_01(crypto_int32_y,crypto_int32_x);
1038 #endif
1039 }
1040
1041 __attribute__((unused))
1042 static inline
crypto_int32_ones_num(crypto_int32 crypto_int32_x)1043 int crypto_int32_ones_num(crypto_int32 crypto_int32_x) {
1044 crypto_int32_unsigned crypto_int32_y = crypto_int32_x;
1045 const crypto_int32 C0 = 0x55555555;
1046 const crypto_int32 C1 = 0x33333333;
1047 const crypto_int32 C2 = 0x0f0f0f0f;
1048 crypto_int32_y -= ((crypto_int32_y >> 1) & C0);
1049 crypto_int32_y = (crypto_int32_y & C1) + ((crypto_int32_y >> 2) & C1);
1050 crypto_int32_y = (crypto_int32_y + (crypto_int32_y >> 4)) & C2;
1051 crypto_int32_y += crypto_int32_y >> 8;
1052 crypto_int32_y = (crypto_int32_y + (crypto_int32_y >> 16)) & 0xff;
1053 return crypto_int32_y;
1054 }
1055
1056 __attribute__((unused))
1057 static inline
crypto_int32_bottomzeros_num(crypto_int32 crypto_int32_x)1058 int crypto_int32_bottomzeros_num(crypto_int32 crypto_int32_x) {
1059 #if defined(__GNUC__) && defined(__x86_64__)
1060 crypto_int32 fallback = 32;
1061 __asm__ ("bsfl %0,%0\n cmovel %1,%0" : "+&r"(crypto_int32_x) : "r"(fallback) : "cc");
1062 return crypto_int32_x;
1063 #elif defined(__GNUC__) && defined(__aarch64__)
1064 int64_t crypto_int32_y;
1065 __asm__ ("rbit %w0,%w1\n clz %w0,%w0" : "=r"(crypto_int32_y) : "r"(crypto_int32_x) : );
1066 return crypto_int32_y;
1067 #else
1068 crypto_int32 crypto_int32_y = crypto_int32_x ^ (crypto_int32_x-1);
1069 crypto_int32_y = ((crypto_int32) crypto_int32_y) >> 1;
1070 crypto_int32_y &= ~(crypto_int32_x & (((crypto_int32) 1) << (32-1)));
1071 return crypto_int32_ones_num(crypto_int32_y);
1072 #endif
1073 }
1074
1075 #endif
1076
1077 /* from supercop-20240808/cryptoint/crypto_int64.h */
1078 /* auto-generated: cd cryptoint; ./autogen */
1079 /* cryptoint 20240806 */
1080
1081 #ifndef crypto_int64_h
1082 #define crypto_int64_h
1083
1084 #define crypto_int64 int64_t
1085 #define crypto_int64_unsigned uint64_t
1086
1087
1088
1089 __attribute__((unused))
1090 static inline
crypto_int64_load(const unsigned char * crypto_int64_s)1091 crypto_int64 crypto_int64_load(const unsigned char *crypto_int64_s) {
1092 crypto_int64 crypto_int64_z = 0;
1093 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 0;
1094 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 8;
1095 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 16;
1096 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 24;
1097 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 32;
1098 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 40;
1099 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 48;
1100 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 56;
1101 return crypto_int64_z;
1102 }
1103
1104 __attribute__((unused))
1105 static inline
crypto_int64_store(unsigned char * crypto_int64_s,crypto_int64 crypto_int64_x)1106 void crypto_int64_store(unsigned char *crypto_int64_s,crypto_int64 crypto_int64_x) {
1107 *crypto_int64_s++ = crypto_int64_x >> 0;
1108 *crypto_int64_s++ = crypto_int64_x >> 8;
1109 *crypto_int64_s++ = crypto_int64_x >> 16;
1110 *crypto_int64_s++ = crypto_int64_x >> 24;
1111 *crypto_int64_s++ = crypto_int64_x >> 32;
1112 *crypto_int64_s++ = crypto_int64_x >> 40;
1113 *crypto_int64_s++ = crypto_int64_x >> 48;
1114 *crypto_int64_s++ = crypto_int64_x >> 56;
1115 }
1116
1117 __attribute__((unused))
1118 static inline
crypto_int64_negative_mask(crypto_int64 crypto_int64_x)1119 crypto_int64 crypto_int64_negative_mask(crypto_int64 crypto_int64_x) {
1120 #if defined(__GNUC__) && defined(__x86_64__)
1121 __asm__ ("sarq $63,%0" : "+r"(crypto_int64_x) : : "cc");
1122 return crypto_int64_x;
1123 #elif defined(__GNUC__) && defined(__aarch64__)
1124 crypto_int64 crypto_int64_y;
1125 __asm__ ("asr %0,%1,63" : "=r"(crypto_int64_y) : "r"(crypto_int64_x) : );
1126 return crypto_int64_y;
1127 #else
1128 crypto_int64_x >>= 64-6;
1129 crypto_int64_x ^= crypto_int64_optblocker;
1130 crypto_int64_x >>= 5;
1131 return crypto_int64_x;
1132 #endif
1133 }
1134
1135 __attribute__((unused))
1136 static inline
crypto_int64_unsigned_topbit_01(crypto_int64_unsigned crypto_int64_x)1137 crypto_int64_unsigned crypto_int64_unsigned_topbit_01(crypto_int64_unsigned crypto_int64_x) {
1138 #if defined(__GNUC__) && defined(__x86_64__)
1139 __asm__ ("shrq $63,%0" : "+r"(crypto_int64_x) : : "cc");
1140 return crypto_int64_x;
1141 #elif defined(__GNUC__) && defined(__aarch64__)
1142 crypto_int64 crypto_int64_y;
1143 __asm__ ("lsr %0,%1,63" : "=r"(crypto_int64_y) : "r"(crypto_int64_x) : );
1144 return crypto_int64_y;
1145 #else
1146 crypto_int64_x >>= 64-6;
1147 crypto_int64_x ^= crypto_int64_optblocker;
1148 crypto_int64_x >>= 5;
1149 return crypto_int64_x;
1150 #endif
1151 }
1152
1153 __attribute__((unused))
1154 static inline
crypto_int64_negative_01(crypto_int64 crypto_int64_x)1155 crypto_int64 crypto_int64_negative_01(crypto_int64 crypto_int64_x) {
1156 return crypto_int64_unsigned_topbit_01(crypto_int64_x);
1157 }
1158
1159 __attribute__((unused))
1160 static inline
crypto_int64_topbit_mask(crypto_int64 crypto_int64_x)1161 crypto_int64 crypto_int64_topbit_mask(crypto_int64 crypto_int64_x) {
1162 return crypto_int64_negative_mask(crypto_int64_x);
1163 }
1164
1165 __attribute__((unused))
1166 static inline
crypto_int64_topbit_01(crypto_int64 crypto_int64_x)1167 crypto_int64 crypto_int64_topbit_01(crypto_int64 crypto_int64_x) {
1168 return crypto_int64_unsigned_topbit_01(crypto_int64_x);
1169 }
1170
1171 __attribute__((unused))
1172 static inline
crypto_int64_bottombit_mask(crypto_int64 crypto_int64_x)1173 crypto_int64 crypto_int64_bottombit_mask(crypto_int64 crypto_int64_x) {
1174 #if defined(__GNUC__) && defined(__x86_64__)
1175 __asm__ ("andq $1,%0" : "+r"(crypto_int64_x) : : "cc");
1176 return -crypto_int64_x;
1177 #elif defined(__GNUC__) && defined(__aarch64__)
1178 crypto_int64 crypto_int64_y;
1179 __asm__ ("sbfx %0,%1,0,1" : "=r"(crypto_int64_y) : "r"(crypto_int64_x) : );
1180 return crypto_int64_y;
1181 #else
1182 crypto_int64_x &= 1 ^ crypto_int64_optblocker;
1183 return -crypto_int64_x;
1184 #endif
1185 }
1186
1187 __attribute__((unused))
1188 static inline
crypto_int64_bottombit_01(crypto_int64 crypto_int64_x)1189 crypto_int64 crypto_int64_bottombit_01(crypto_int64 crypto_int64_x) {
1190 #if defined(__GNUC__) && defined(__x86_64__)
1191 __asm__ ("andq $1,%0" : "+r"(crypto_int64_x) : : "cc");
1192 return crypto_int64_x;
1193 #elif defined(__GNUC__) && defined(__aarch64__)
1194 crypto_int64 crypto_int64_y;
1195 __asm__ ("ubfx %0,%1,0,1" : "=r"(crypto_int64_y) : "r"(crypto_int64_x) : );
1196 return crypto_int64_y;
1197 #else
1198 crypto_int64_x &= 1 ^ crypto_int64_optblocker;
1199 return crypto_int64_x;
1200 #endif
1201 }
1202
1203 __attribute__((unused))
1204 static inline
crypto_int64_bitinrangepublicpos_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s)1205 crypto_int64 crypto_int64_bitinrangepublicpos_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) {
1206 #if defined(__GNUC__) && defined(__x86_64__)
1207 __asm__ ("sarq %%cl,%0" : "+r"(crypto_int64_x) : "c"(crypto_int64_s) : "cc");
1208 #elif defined(__GNUC__) && defined(__aarch64__)
1209 __asm__ ("asr %0,%0,%1" : "+r"(crypto_int64_x) : "r"(crypto_int64_s) : );
1210 #else
1211 crypto_int64_x >>= crypto_int64_s ^ crypto_int64_optblocker;
1212 #endif
1213 return crypto_int64_bottombit_mask(crypto_int64_x);
1214 }
1215
1216 __attribute__((unused))
1217 static inline
crypto_int64_bitinrangepublicpos_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s)1218 crypto_int64 crypto_int64_bitinrangepublicpos_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) {
1219 #if defined(__GNUC__) && defined(__x86_64__)
1220 __asm__ ("sarq %%cl,%0" : "+r"(crypto_int64_x) : "c"(crypto_int64_s) : "cc");
1221 #elif defined(__GNUC__) && defined(__aarch64__)
1222 __asm__ ("asr %0,%0,%1" : "+r"(crypto_int64_x) : "r"(crypto_int64_s) : );
1223 #else
1224 crypto_int64_x >>= crypto_int64_s ^ crypto_int64_optblocker;
1225 #endif
1226 return crypto_int64_bottombit_01(crypto_int64_x);
1227 }
1228
1229 __attribute__((unused))
1230 static inline
crypto_int64_shlmod(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s)1231 crypto_int64 crypto_int64_shlmod(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) {
1232 #if defined(__GNUC__) && defined(__x86_64__)
1233 __asm__ ("shlq %%cl,%0" : "+r"(crypto_int64_x) : "c"(crypto_int64_s) : "cc");
1234 #elif defined(__GNUC__) && defined(__aarch64__)
1235 __asm__ ("lsl %0,%0,%1" : "+r"(crypto_int64_x) : "r"(crypto_int64_s) : );
1236 #else
1237 int crypto_int64_k, crypto_int64_l;
1238 for (crypto_int64_l = 0,crypto_int64_k = 1;crypto_int64_k < 64;++crypto_int64_l,crypto_int64_k *= 2)
1239 crypto_int64_x ^= (crypto_int64_x ^ (crypto_int64_x << crypto_int64_k)) & crypto_int64_bitinrangepublicpos_mask(crypto_int64_s,crypto_int64_l);
1240 #endif
1241 return crypto_int64_x;
1242 }
1243
1244 __attribute__((unused))
1245 static inline
crypto_int64_shrmod(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s)1246 crypto_int64 crypto_int64_shrmod(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) {
1247 #if defined(__GNUC__) && defined(__x86_64__)
1248 __asm__ ("sarq %%cl,%0" : "+r"(crypto_int64_x) : "c"(crypto_int64_s) : "cc");
1249 #elif defined(__GNUC__) && defined(__aarch64__)
1250 __asm__ ("asr %0,%0,%1" : "+r"(crypto_int64_x) : "r"(crypto_int64_s) : );
1251 #else
1252 int crypto_int64_k, crypto_int64_l;
1253 for (crypto_int64_l = 0,crypto_int64_k = 1;crypto_int64_k < 64;++crypto_int64_l,crypto_int64_k *= 2)
1254 crypto_int64_x ^= (crypto_int64_x ^ (crypto_int64_x >> crypto_int64_k)) & crypto_int64_bitinrangepublicpos_mask(crypto_int64_s,crypto_int64_l);
1255 #endif
1256 return crypto_int64_x;
1257 }
1258
1259 __attribute__((unused))
1260 static inline
crypto_int64_bitmod_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s)1261 crypto_int64 crypto_int64_bitmod_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) {
1262 crypto_int64_x = crypto_int64_shrmod(crypto_int64_x,crypto_int64_s);
1263 return crypto_int64_bottombit_mask(crypto_int64_x);
1264 }
1265
1266 __attribute__((unused))
1267 static inline
crypto_int64_bitmod_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s)1268 crypto_int64 crypto_int64_bitmod_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) {
1269 crypto_int64_x = crypto_int64_shrmod(crypto_int64_x,crypto_int64_s);
1270 return crypto_int64_bottombit_01(crypto_int64_x);
1271 }
1272
1273 __attribute__((unused))
1274 static inline
crypto_int64_nonzero_mask(crypto_int64 crypto_int64_x)1275 crypto_int64 crypto_int64_nonzero_mask(crypto_int64 crypto_int64_x) {
1276 #if defined(__GNUC__) && defined(__x86_64__)
1277 crypto_int64 crypto_int64_q,crypto_int64_z;
1278 __asm__ ("xorq %0,%0\n movq $-1,%1\n testq %2,%2\n cmovneq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc");
1279 return crypto_int64_z;
1280 #elif defined(__GNUC__) && defined(__aarch64__)
1281 crypto_int64 crypto_int64_z;
1282 __asm__ ("cmp %1,0\n csetm %0,ne" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc");
1283 return crypto_int64_z;
1284 #else
1285 crypto_int64_x |= -crypto_int64_x;
1286 return crypto_int64_negative_mask(crypto_int64_x);
1287 #endif
1288 }
1289
1290 __attribute__((unused))
1291 static inline
crypto_int64_nonzero_01(crypto_int64 crypto_int64_x)1292 crypto_int64 crypto_int64_nonzero_01(crypto_int64 crypto_int64_x) {
1293 #if defined(__GNUC__) && defined(__x86_64__)
1294 crypto_int64 crypto_int64_q,crypto_int64_z;
1295 __asm__ ("xorq %0,%0\n movq $1,%1\n testq %2,%2\n cmovneq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc");
1296 return crypto_int64_z;
1297 #elif defined(__GNUC__) && defined(__aarch64__)
1298 crypto_int64 crypto_int64_z;
1299 __asm__ ("cmp %1,0\n cset %0,ne" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc");
1300 return crypto_int64_z;
1301 #else
1302 crypto_int64_x |= -crypto_int64_x;
1303 return crypto_int64_unsigned_topbit_01(crypto_int64_x);
1304 #endif
1305 }
1306
1307 __attribute__((unused))
1308 static inline
crypto_int64_positive_mask(crypto_int64 crypto_int64_x)1309 crypto_int64 crypto_int64_positive_mask(crypto_int64 crypto_int64_x) {
1310 #if defined(__GNUC__) && defined(__x86_64__)
1311 crypto_int64 crypto_int64_q,crypto_int64_z;
1312 __asm__ ("xorq %0,%0\n movq $-1,%1\n testq %2,%2\n cmovgq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc");
1313 return crypto_int64_z;
1314 #elif defined(__GNUC__) && defined(__aarch64__)
1315 crypto_int64 crypto_int64_z;
1316 __asm__ ("cmp %1,0\n csetm %0,gt" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc");
1317 return crypto_int64_z;
1318 #else
1319 crypto_int64 crypto_int64_z = -crypto_int64_x;
1320 crypto_int64_z ^= crypto_int64_x & crypto_int64_z;
1321 return crypto_int64_negative_mask(crypto_int64_z);
1322 #endif
1323 }
1324
1325 __attribute__((unused))
1326 static inline
crypto_int64_positive_01(crypto_int64 crypto_int64_x)1327 crypto_int64 crypto_int64_positive_01(crypto_int64 crypto_int64_x) {
1328 #if defined(__GNUC__) && defined(__x86_64__)
1329 crypto_int64 crypto_int64_q,crypto_int64_z;
1330 __asm__ ("xorq %0,%0\n movq $1,%1\n testq %2,%2\n cmovgq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc");
1331 return crypto_int64_z;
1332 #elif defined(__GNUC__) && defined(__aarch64__)
1333 crypto_int64 crypto_int64_z;
1334 __asm__ ("cmp %1,0\n cset %0,gt" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc");
1335 return crypto_int64_z;
1336 #else
1337 crypto_int64 crypto_int64_z = -crypto_int64_x;
1338 crypto_int64_z ^= crypto_int64_x & crypto_int64_z;
1339 return crypto_int64_unsigned_topbit_01(crypto_int64_z);
1340 #endif
1341 }
1342
1343 __attribute__((unused))
1344 static inline
crypto_int64_zero_mask(crypto_int64 crypto_int64_x)1345 crypto_int64 crypto_int64_zero_mask(crypto_int64 crypto_int64_x) {
1346 #if defined(__GNUC__) && defined(__x86_64__)
1347 crypto_int64 crypto_int64_q,crypto_int64_z;
1348 __asm__ ("xorq %0,%0\n movq $-1,%1\n testq %2,%2\n cmoveq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc");
1349 return crypto_int64_z;
1350 #elif defined(__GNUC__) && defined(__aarch64__)
1351 crypto_int64 crypto_int64_z;
1352 __asm__ ("cmp %1,0\n csetm %0,eq" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc");
1353 return crypto_int64_z;
1354 #else
1355 return ~crypto_int64_nonzero_mask(crypto_int64_x);
1356 #endif
1357 }
1358
1359 __attribute__((unused))
1360 static inline
crypto_int64_zero_01(crypto_int64 crypto_int64_x)1361 crypto_int64 crypto_int64_zero_01(crypto_int64 crypto_int64_x) {
1362 #if defined(__GNUC__) && defined(__x86_64__)
1363 crypto_int64 crypto_int64_q,crypto_int64_z;
1364 __asm__ ("xorq %0,%0\n movq $1,%1\n testq %2,%2\n cmoveq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc");
1365 return crypto_int64_z;
1366 #elif defined(__GNUC__) && defined(__aarch64__)
1367 crypto_int64 crypto_int64_z;
1368 __asm__ ("cmp %1,0\n cset %0,eq" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc");
1369 return crypto_int64_z;
1370 #else
1371 return 1-crypto_int64_nonzero_01(crypto_int64_x);
1372 #endif
1373 }
1374
1375 __attribute__((unused))
1376 static inline
crypto_int64_unequal_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y)1377 crypto_int64 crypto_int64_unequal_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
1378 #if defined(__GNUC__) && defined(__x86_64__)
1379 crypto_int64 crypto_int64_q,crypto_int64_z;
1380 __asm__ ("xorq %0,%0\n movq $-1,%1\n cmpq %3,%2\n cmovneq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1381 return crypto_int64_z;
1382 #elif defined(__GNUC__) && defined(__aarch64__)
1383 crypto_int64 crypto_int64_z;
1384 __asm__ ("cmp %1,%2\n csetm %0,ne" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1385 return crypto_int64_z;
1386 #else
1387 return crypto_int64_nonzero_mask(crypto_int64_x ^ crypto_int64_y);
1388 #endif
1389 }
1390
1391 __attribute__((unused))
1392 static inline
crypto_int64_unequal_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y)1393 crypto_int64 crypto_int64_unequal_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
1394 #if defined(__GNUC__) && defined(__x86_64__)
1395 crypto_int64 crypto_int64_q,crypto_int64_z;
1396 __asm__ ("xorq %0,%0\n movq $1,%1\n cmpq %3,%2\n cmovneq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1397 return crypto_int64_z;
1398 #elif defined(__GNUC__) && defined(__aarch64__)
1399 crypto_int64 crypto_int64_z;
1400 __asm__ ("cmp %1,%2\n cset %0,ne" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1401 return crypto_int64_z;
1402 #else
1403 return crypto_int64_nonzero_01(crypto_int64_x ^ crypto_int64_y);
1404 #endif
1405 }
1406
1407 __attribute__((unused))
1408 static inline
crypto_int64_equal_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y)1409 crypto_int64 crypto_int64_equal_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
1410 #if defined(__GNUC__) && defined(__x86_64__)
1411 crypto_int64 crypto_int64_q,crypto_int64_z;
1412 __asm__ ("xorq %0,%0\n movq $-1,%1\n cmpq %3,%2\n cmoveq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1413 return crypto_int64_z;
1414 #elif defined(__GNUC__) && defined(__aarch64__)
1415 crypto_int64 crypto_int64_z;
1416 __asm__ ("cmp %1,%2\n csetm %0,eq" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1417 return crypto_int64_z;
1418 #else
1419 return ~crypto_int64_unequal_mask(crypto_int64_x,crypto_int64_y);
1420 #endif
1421 }
1422
1423 __attribute__((unused))
1424 static inline
crypto_int64_equal_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y)1425 crypto_int64 crypto_int64_equal_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
1426 #if defined(__GNUC__) && defined(__x86_64__)
1427 crypto_int64 crypto_int64_q,crypto_int64_z;
1428 __asm__ ("xorq %0,%0\n movq $1,%1\n cmpq %3,%2\n cmoveq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1429 return crypto_int64_z;
1430 #elif defined(__GNUC__) && defined(__aarch64__)
1431 crypto_int64 crypto_int64_z;
1432 __asm__ ("cmp %1,%2\n cset %0,eq" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1433 return crypto_int64_z;
1434 #else
1435 return 1-crypto_int64_unequal_01(crypto_int64_x,crypto_int64_y);
1436 #endif
1437 }
1438
1439 __attribute__((unused))
1440 static inline
crypto_int64_min(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y)1441 crypto_int64 crypto_int64_min(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
1442 #if defined(__GNUC__) && defined(__x86_64__)
1443 __asm__ ("cmpq %1,%0\n cmovgq %1,%0" : "+r"(crypto_int64_x) : "r"(crypto_int64_y) : "cc");
1444 return crypto_int64_x;
1445 #elif defined(__GNUC__) && defined(__aarch64__)
1446 __asm__ ("cmp %0,%1\n csel %0,%0,%1,lt" : "+r"(crypto_int64_x) : "r"(crypto_int64_y) : "cc");
1447 return crypto_int64_x;
1448 #else
1449 crypto_int64 crypto_int64_r = crypto_int64_y ^ crypto_int64_x;
1450 crypto_int64 crypto_int64_z = crypto_int64_y - crypto_int64_x;
1451 crypto_int64_z ^= crypto_int64_r & (crypto_int64_z ^ crypto_int64_y);
1452 crypto_int64_z = crypto_int64_negative_mask(crypto_int64_z);
1453 crypto_int64_z &= crypto_int64_r;
1454 return crypto_int64_x ^ crypto_int64_z;
1455 #endif
1456 }
1457
1458 __attribute__((unused))
1459 static inline
crypto_int64_max(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y)1460 crypto_int64 crypto_int64_max(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
1461 #if defined(__GNUC__) && defined(__x86_64__)
1462 __asm__ ("cmpq %1,%0\n cmovlq %1,%0" : "+r"(crypto_int64_x) : "r"(crypto_int64_y) : "cc");
1463 return crypto_int64_x;
1464 #elif defined(__GNUC__) && defined(__aarch64__)
1465 __asm__ ("cmp %0,%1\n csel %0,%1,%0,lt" : "+r"(crypto_int64_x) : "r"(crypto_int64_y) : "cc");
1466 return crypto_int64_x;
1467 #else
1468 crypto_int64 crypto_int64_r = crypto_int64_y ^ crypto_int64_x;
1469 crypto_int64 crypto_int64_z = crypto_int64_y - crypto_int64_x;
1470 crypto_int64_z ^= crypto_int64_r & (crypto_int64_z ^ crypto_int64_y);
1471 crypto_int64_z = crypto_int64_negative_mask(crypto_int64_z);
1472 crypto_int64_z &= crypto_int64_r;
1473 return crypto_int64_y ^ crypto_int64_z;
1474 #endif
1475 }
1476
1477 __attribute__((unused))
1478 static inline
crypto_int64_minmax(crypto_int64 * crypto_int64_p,crypto_int64 * crypto_int64_q)1479 void crypto_int64_minmax(crypto_int64 *crypto_int64_p,crypto_int64 *crypto_int64_q) {
1480 crypto_int64 crypto_int64_x = *crypto_int64_p;
1481 crypto_int64 crypto_int64_y = *crypto_int64_q;
1482 #if defined(__GNUC__) && defined(__x86_64__)
1483 crypto_int64 crypto_int64_z;
1484 __asm__ ("cmpq %2,%1\n movq %1,%0\n cmovgq %2,%1\n cmovgq %0,%2" : "=&r"(crypto_int64_z), "+&r"(crypto_int64_x), "+r"(crypto_int64_y) : : "cc");
1485 *crypto_int64_p = crypto_int64_x;
1486 *crypto_int64_q = crypto_int64_y;
1487 #elif defined(__GNUC__) && defined(__aarch64__)
1488 crypto_int64 crypto_int64_r, crypto_int64_s;
1489 __asm__ ("cmp %2,%3\n csel %0,%2,%3,lt\n csel %1,%3,%2,lt" : "=&r"(crypto_int64_r), "=r"(crypto_int64_s) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1490 *crypto_int64_p = crypto_int64_r;
1491 *crypto_int64_q = crypto_int64_s;
1492 #else
1493 crypto_int64 crypto_int64_r = crypto_int64_y ^ crypto_int64_x;
1494 crypto_int64 crypto_int64_z = crypto_int64_y - crypto_int64_x;
1495 crypto_int64_z ^= crypto_int64_r & (crypto_int64_z ^ crypto_int64_y);
1496 crypto_int64_z = crypto_int64_negative_mask(crypto_int64_z);
1497 crypto_int64_z &= crypto_int64_r;
1498 crypto_int64_x ^= crypto_int64_z;
1499 crypto_int64_y ^= crypto_int64_z;
1500 *crypto_int64_p = crypto_int64_x;
1501 *crypto_int64_q = crypto_int64_y;
1502 #endif
1503 }
1504
1505 __attribute__((unused))
1506 static inline
crypto_int64_smaller_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y)1507 crypto_int64 crypto_int64_smaller_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
1508 #if defined(__GNUC__) && defined(__x86_64__)
1509 crypto_int64 crypto_int64_q,crypto_int64_z;
1510 __asm__ ("xorq %0,%0\n movq $-1,%1\n cmpq %3,%2\n cmovlq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1511 return crypto_int64_z;
1512 #elif defined(__GNUC__) && defined(__aarch64__)
1513 crypto_int64 crypto_int64_z;
1514 __asm__ ("cmp %1,%2\n csetm %0,lt" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1515 return crypto_int64_z;
1516 #else
1517 crypto_int64 crypto_int64_r = crypto_int64_x ^ crypto_int64_y;
1518 crypto_int64 crypto_int64_z = crypto_int64_x - crypto_int64_y;
1519 crypto_int64_z ^= crypto_int64_r & (crypto_int64_z ^ crypto_int64_x);
1520 return crypto_int64_negative_mask(crypto_int64_z);
1521 #endif
1522 }
1523
1524 __attribute__((unused))
1525 static inline
crypto_int64_smaller_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y)1526 crypto_int64 crypto_int64_smaller_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
1527 #if defined(__GNUC__) && defined(__x86_64__)
1528 crypto_int64 crypto_int64_q,crypto_int64_z;
1529 __asm__ ("xorq %0,%0\n movq $1,%1\n cmpq %3,%2\n cmovlq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1530 return crypto_int64_z;
1531 #elif defined(__GNUC__) && defined(__aarch64__)
1532 crypto_int64 crypto_int64_z;
1533 __asm__ ("cmp %1,%2\n cset %0,lt" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1534 return crypto_int64_z;
1535 #else
1536 crypto_int64 crypto_int64_r = crypto_int64_x ^ crypto_int64_y;
1537 crypto_int64 crypto_int64_z = crypto_int64_x - crypto_int64_y;
1538 crypto_int64_z ^= crypto_int64_r & (crypto_int64_z ^ crypto_int64_x);
1539 return crypto_int64_unsigned_topbit_01(crypto_int64_z);
1540 #endif
1541 }
1542
1543 __attribute__((unused))
1544 static inline
crypto_int64_leq_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y)1545 crypto_int64 crypto_int64_leq_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
1546 #if defined(__GNUC__) && defined(__x86_64__)
1547 crypto_int64 crypto_int64_q,crypto_int64_z;
1548 __asm__ ("xorq %0,%0\n movq $-1,%1\n cmpq %3,%2\n cmovleq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1549 return crypto_int64_z;
1550 #elif defined(__GNUC__) && defined(__aarch64__)
1551 crypto_int64 crypto_int64_z;
1552 __asm__ ("cmp %1,%2\n csetm %0,le" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1553 return crypto_int64_z;
1554 #else
1555 return ~crypto_int64_smaller_mask(crypto_int64_y,crypto_int64_x);
1556 #endif
1557 }
1558
1559 __attribute__((unused))
1560 static inline
crypto_int64_leq_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y)1561 crypto_int64 crypto_int64_leq_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
1562 #if defined(__GNUC__) && defined(__x86_64__)
1563 crypto_int64 crypto_int64_q,crypto_int64_z;
1564 __asm__ ("xorq %0,%0\n movq $1,%1\n cmpq %3,%2\n cmovleq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1565 return crypto_int64_z;
1566 #elif defined(__GNUC__) && defined(__aarch64__)
1567 crypto_int64 crypto_int64_z;
1568 __asm__ ("cmp %1,%2\n cset %0,le" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
1569 return crypto_int64_z;
1570 #else
1571 return 1-crypto_int64_smaller_01(crypto_int64_y,crypto_int64_x);
1572 #endif
1573 }
1574
1575 __attribute__((unused))
1576 static inline
crypto_int64_ones_num(crypto_int64 crypto_int64_x)1577 int crypto_int64_ones_num(crypto_int64 crypto_int64_x) {
1578 crypto_int64_unsigned crypto_int64_y = crypto_int64_x;
1579 const crypto_int64 C0 = 0x5555555555555555;
1580 const crypto_int64 C1 = 0x3333333333333333;
1581 const crypto_int64 C2 = 0x0f0f0f0f0f0f0f0f;
1582 crypto_int64_y -= ((crypto_int64_y >> 1) & C0);
1583 crypto_int64_y = (crypto_int64_y & C1) + ((crypto_int64_y >> 2) & C1);
1584 crypto_int64_y = (crypto_int64_y + (crypto_int64_y >> 4)) & C2;
1585 crypto_int64_y += crypto_int64_y >> 8;
1586 crypto_int64_y += crypto_int64_y >> 16;
1587 crypto_int64_y = (crypto_int64_y + (crypto_int64_y >> 32)) & 0xff;
1588 return crypto_int64_y;
1589 }
1590
1591 __attribute__((unused))
1592 static inline
crypto_int64_bottomzeros_num(crypto_int64 crypto_int64_x)1593 int crypto_int64_bottomzeros_num(crypto_int64 crypto_int64_x) {
1594 #if defined(__GNUC__) && defined(__x86_64__)
1595 crypto_int64 fallback = 64;
1596 __asm__ ("bsfq %0,%0\n cmoveq %1,%0" : "+&r"(crypto_int64_x) : "r"(fallback) : "cc");
1597 return crypto_int64_x;
1598 #elif defined(__GNUC__) && defined(__aarch64__)
1599 int64_t crypto_int64_y;
1600 __asm__ ("rbit %0,%1\n clz %0,%0" : "=r"(crypto_int64_y) : "r"(crypto_int64_x) : );
1601 return crypto_int64_y;
1602 #else
1603 crypto_int64 crypto_int64_y = crypto_int64_x ^ (crypto_int64_x-1);
1604 crypto_int64_y = ((crypto_int64) crypto_int64_y) >> 1;
1605 crypto_int64_y &= ~(crypto_int64_x & (((crypto_int64) 1) << (64-1)));
1606 return crypto_int64_ones_num(crypto_int64_y);
1607 #endif
1608 }
1609
1610 #endif
1611
1612 /* from supercop-20240808/crypto_sort/int32/portable4/sort.c */
1613 #define int32_MINMAX(a,b) crypto_int32_minmax(&a,&b)
1614
crypto_sort_int32(void * array,long long n)1615 static void crypto_sort_int32(void *array,long long n)
1616 {
1617 long long top,p,q,r,i,j;
1618 int32 *x = array;
1619
1620 if (n < 2) return;
1621 top = 1;
1622 while (top < n - top) top += top;
1623
1624 for (p = top;p >= 1;p >>= 1) {
1625 i = 0;
1626 while (i + 2 * p <= n) {
1627 for (j = i;j < i + p;++j)
1628 int32_MINMAX(x[j],x[j+p]);
1629 i += 2 * p;
1630 }
1631 for (j = i;j < n - p;++j)
1632 int32_MINMAX(x[j],x[j+p]);
1633
1634 i = 0;
1635 j = 0;
1636 for (q = top;q > p;q >>= 1) {
1637 if (j != i) for (;;) {
1638 if (j == n - q) goto done;
1639 int32 a = x[j + p];
1640 for (r = q;r > p;r >>= 1)
1641 int32_MINMAX(a,x[j + r]);
1642 x[j + p] = a;
1643 ++j;
1644 if (j == i + p) {
1645 i += 2 * p;
1646 break;
1647 }
1648 }
1649 while (i + p <= n - q) {
1650 for (j = i;j < i + p;++j) {
1651 int32 a = x[j + p];
1652 for (r = q;r > p;r >>= 1)
1653 int32_MINMAX(a,x[j+r]);
1654 x[j + p] = a;
1655 }
1656 i += 2 * p;
1657 }
1658 /* now i + p > n - q */
1659 j = i;
1660 while (j < n - q) {
1661 int32 a = x[j + p];
1662 for (r = q;r > p;r >>= 1)
1663 int32_MINMAX(a,x[j+r]);
1664 x[j + p] = a;
1665 ++j;
1666 }
1667
1668 done: ;
1669 }
1670 }
1671 }
1672
1673 /* from supercop-20240808/crypto_sort/uint32/useint32/sort.c */
1674
1675 /* can save time by vectorizing xor loops */
1676 /* can save time by integrating xor loops with int32_sort */
1677
crypto_sort_uint32(void * array,long long n)1678 static void crypto_sort_uint32(void *array,long long n)
1679 {
1680 crypto_uint32 *x = array;
1681 long long j;
1682 for (j = 0;j < n;++j) x[j] ^= 0x80000000;
1683 crypto_sort_int32(array,n);
1684 for (j = 0;j < n;++j) x[j] ^= 0x80000000;
1685 }
1686
1687 /* from supercop-20240808/crypto_kem/sntrup761/compact/kem.c */
1688 // 20240806 djb: some automated conversion to cryptoint
1689
1690 #define p 761
1691 #define q 4591
1692 #define w 286
1693 #define q12 ((q - 1) / 2)
1694 typedef int8_t small;
1695 typedef int16_t Fq;
1696 #define Hash_bytes 32
1697 #define Small_bytes ((p + 3) / 4)
1698 typedef small Inputs[p];
1699 #define SecretKeys_bytes (2 * Small_bytes)
1700 #define Confirm_bytes 32
1701
F3_freeze(int16_t x)1702 static small F3_freeze(int16_t x) { return x - 3 * ((10923 * x + 16384) >> 15); }
1703
Fq_freeze(int32_t x)1704 static Fq Fq_freeze(int32_t x) {
1705 const int32_t q16 = (0x10000 + q / 2) / q;
1706 const int32_t q20 = (0x100000 + q / 2) / q;
1707 const int32_t q28 = (0x10000000 + q / 2) / q;
1708 x -= q * ((q16 * x) >> 16);
1709 x -= q * ((q20 * x) >> 20);
1710 return x - q * ((q28 * x + 0x8000000) >> 28);
1711 }
1712
Weightw_mask(small * r)1713 static int Weightw_mask(small *r) {
1714 int i, weight = 0;
1715 for (i = 0; i < p; ++i) weight += crypto_int64_bottombit_01(r[i]);
1716 return crypto_int16_nonzero_mask(weight - w);
1717 }
1718
uint32_divmod_uint14(uint32_t * Q,uint16_t * r,uint32_t x,uint16_t m)1719 static void uint32_divmod_uint14(uint32_t *Q, uint16_t *r, uint32_t x, uint16_t m) {
1720 uint32_t qpart, mask, v = 0x80000000 / m;
1721 qpart = (x * (uint64_t)v) >> 31;
1722 x -= qpart * m;
1723 *Q = qpart;
1724 qpart = (x * (uint64_t)v) >> 31;
1725 x -= qpart * m;
1726 *Q += qpart;
1727 x -= m;
1728 *Q += 1;
1729 mask = crypto_int32_negative_mask(x);
1730 x += mask & (uint32_t)m;
1731 *Q += mask;
1732 *r = x;
1733 }
1734
uint32_mod_uint14(uint32_t x,uint16_t m)1735 static uint16_t uint32_mod_uint14(uint32_t x, uint16_t m) {
1736 uint32_t Q;
1737 uint16_t r;
1738 uint32_divmod_uint14(&Q, &r, x, m);
1739 return r;
1740 }
1741
Encode(unsigned char * out,const uint16_t * R,const uint16_t * M,long long len)1742 static void Encode(unsigned char *out, const uint16_t *R, const uint16_t *M, long long len) {
1743 if (len == 1) {
1744 uint16_t r = R[0], m = M[0];
1745 while (m > 1) {
1746 *out++ = r;
1747 r >>= 8;
1748 m = (m + 255) >> 8;
1749 }
1750 }
1751 if (len > 1) {
1752 uint16_t R2[(len + 1) / 2], M2[(len + 1) / 2];
1753 long long i;
1754 for (i = 0; i < len - 1; i += 2) {
1755 uint32_t m0 = M[i];
1756 uint32_t r = R[i] + R[i + 1] * m0;
1757 uint32_t m = M[i + 1] * m0;
1758 while (m >= 16384) {
1759 *out++ = r;
1760 r >>= 8;
1761 m = (m + 255) >> 8;
1762 }
1763 R2[i / 2] = r;
1764 M2[i / 2] = m;
1765 }
1766 if (i < len) {
1767 R2[i / 2] = R[i];
1768 M2[i / 2] = M[i];
1769 }
1770 Encode(out, R2, M2, (len + 1) / 2);
1771 }
1772 }
1773
Decode(uint16_t * out,const unsigned char * S,const uint16_t * M,long long len)1774 static void Decode(uint16_t *out, const unsigned char *S, const uint16_t *M, long long len) {
1775 if (len == 1) {
1776 if (M[0] == 1)
1777 *out = 0;
1778 else if (M[0] <= 256)
1779 *out = uint32_mod_uint14(S[0], M[0]);
1780 else
1781 *out = uint32_mod_uint14(S[0] + (((uint16_t)S[1]) << 8), M[0]);
1782 }
1783 if (len > 1) {
1784 uint16_t R2[(len + 1) / 2], M2[(len + 1) / 2], bottomr[len / 2];
1785 uint32_t bottomt[len / 2];
1786 long long i;
1787 for (i = 0; i < len - 1; i += 2) {
1788 uint32_t m = M[i] * (uint32_t)M[i + 1];
1789 if (m > 256 * 16383) {
1790 bottomt[i / 2] = 256 * 256;
1791 bottomr[i / 2] = S[0] + 256 * S[1];
1792 S += 2;
1793 M2[i / 2] = (((m + 255) >> 8) + 255) >> 8;
1794 } else if (m >= 16384) {
1795 bottomt[i / 2] = 256;
1796 bottomr[i / 2] = S[0];
1797 S += 1;
1798 M2[i / 2] = (m + 255) >> 8;
1799 } else {
1800 bottomt[i / 2] = 1;
1801 bottomr[i / 2] = 0;
1802 M2[i / 2] = m;
1803 }
1804 }
1805 if (i < len) M2[i / 2] = M[i];
1806 Decode(R2, S, M2, (len + 1) / 2);
1807 for (i = 0; i < len - 1; i += 2) {
1808 uint32_t r1, r = bottomr[i / 2];
1809 uint16_t r0;
1810 r += bottomt[i / 2] * R2[i / 2];
1811 uint32_divmod_uint14(&r1, &r0, r, M[i]);
1812 r1 = uint32_mod_uint14(r1, M[i + 1]);
1813 *out++ = r0;
1814 *out++ = r1;
1815 }
1816 if (i < len) *out++ = R2[i / 2];
1817 }
1818 }
1819
R3_fromRq(small * out,const Fq * r)1820 static void R3_fromRq(small *out, const Fq *r) {
1821 int i;
1822 for (i = 0; i < p; ++i) out[i] = F3_freeze(r[i]);
1823 }
1824
R3_mult(small * h,const small * f,const small * g)1825 static void R3_mult(small *h, const small *f, const small *g) {
1826 int16_t fg[p + p - 1];
1827 int i, j;
1828 for (i = 0; i < p + p - 1; ++i) fg[i] = 0;
1829 for (i = 0; i < p; ++i)
1830 for (j = 0; j < p; ++j) fg[i + j] += f[i] * (int16_t)g[j];
1831 for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
1832 for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
1833 for (i = 0; i < p; ++i) h[i] = F3_freeze(fg[i]);
1834 }
1835
R3_recip(small * out,const small * in)1836 static int R3_recip(small *out, const small *in) {
1837 small f[p + 1], g[p + 1], v[p + 1], r[p + 1];
1838 int sign, swap, t, i, loop, delta = 1;
1839 for (i = 0; i < p + 1; ++i) v[i] = 0;
1840 for (i = 0; i < p + 1; ++i) r[i] = 0;
1841 r[0] = 1;
1842 for (i = 0; i < p; ++i) f[i] = 0;
1843 f[0] = 1;
1844 f[p - 1] = f[p] = -1;
1845 for (i = 0; i < p; ++i) g[p - 1 - i] = in[i];
1846 g[p] = 0;
1847 for (loop = 0; loop < 2 * p - 1; ++loop) {
1848 for (i = p; i > 0; --i) v[i] = v[i - 1];
1849 v[0] = 0;
1850 sign = -g[0] * f[0];
1851 swap = crypto_int16_negative_mask(-delta) & crypto_int16_nonzero_mask(g[0]);
1852 delta ^= swap & (delta ^ -delta);
1853 delta += 1;
1854 for (i = 0; i < p + 1; ++i) {
1855 t = swap & (f[i] ^ g[i]);
1856 f[i] ^= t;
1857 g[i] ^= t;
1858 t = swap & (v[i] ^ r[i]);
1859 v[i] ^= t;
1860 r[i] ^= t;
1861 }
1862 for (i = 0; i < p + 1; ++i) g[i] = F3_freeze(g[i] + sign * f[i]);
1863 for (i = 0; i < p + 1; ++i) r[i] = F3_freeze(r[i] + sign * v[i]);
1864 for (i = 0; i < p; ++i) g[i] = g[i + 1];
1865 g[p] = 0;
1866 }
1867 sign = f[0];
1868 for (i = 0; i < p; ++i) out[i] = sign * v[p - 1 - i];
1869 return crypto_int16_nonzero_mask(delta);
1870 }
1871
Rq_mult_small(Fq * h,const Fq * f,const small * g)1872 static void Rq_mult_small(Fq *h, const Fq *f, const small *g) {
1873 int32_t fg[p + p - 1];
1874 int i, j;
1875 for (i = 0; i < p + p - 1; ++i) fg[i] = 0;
1876 for (i = 0; i < p; ++i)
1877 for (j = 0; j < p; ++j) fg[i + j] += f[i] * (int32_t)g[j];
1878 for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
1879 for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
1880 for (i = 0; i < p; ++i) h[i] = Fq_freeze(fg[i]);
1881 }
1882
Rq_mult3(Fq * h,const Fq * f)1883 static void Rq_mult3(Fq *h, const Fq *f) {
1884 int i;
1885 for (i = 0; i < p; ++i) h[i] = Fq_freeze(3 * f[i]);
1886 }
1887
Fq_recip(Fq a1)1888 static Fq Fq_recip(Fq a1) {
1889 int i = 1;
1890 Fq ai = a1;
1891 while (i < q - 2) {
1892 ai = Fq_freeze(a1 * (int32_t)ai);
1893 i += 1;
1894 }
1895 return ai;
1896 }
1897
Rq_recip3(Fq * out,const small * in)1898 static int Rq_recip3(Fq *out, const small *in) {
1899 Fq f[p + 1], g[p + 1], v[p + 1], r[p + 1], scale;
1900 int swap, t, i, loop, delta = 1;
1901 int32_t f0, g0;
1902 for (i = 0; i < p + 1; ++i) v[i] = 0;
1903 for (i = 0; i < p + 1; ++i) r[i] = 0;
1904 r[0] = Fq_recip(3);
1905 for (i = 0; i < p; ++i) f[i] = 0;
1906 f[0] = 1;
1907 f[p - 1] = f[p] = -1;
1908 for (i = 0; i < p; ++i) g[p - 1 - i] = in[i];
1909 g[p] = 0;
1910 for (loop = 0; loop < 2 * p - 1; ++loop) {
1911 for (i = p; i > 0; --i) v[i] = v[i - 1];
1912 v[0] = 0;
1913 swap = crypto_int16_negative_mask(-delta) & crypto_int16_nonzero_mask(g[0]);
1914 delta ^= swap & (delta ^ -delta);
1915 delta += 1;
1916 for (i = 0; i < p + 1; ++i) {
1917 t = swap & (f[i] ^ g[i]);
1918 f[i] ^= t;
1919 g[i] ^= t;
1920 t = swap & (v[i] ^ r[i]);
1921 v[i] ^= t;
1922 r[i] ^= t;
1923 }
1924 f0 = f[0];
1925 g0 = g[0];
1926 for (i = 0; i < p + 1; ++i) g[i] = Fq_freeze(f0 * g[i] - g0 * f[i]);
1927 for (i = 0; i < p + 1; ++i) r[i] = Fq_freeze(f0 * r[i] - g0 * v[i]);
1928 for (i = 0; i < p; ++i) g[i] = g[i + 1];
1929 g[p] = 0;
1930 }
1931 scale = Fq_recip(f[0]);
1932 for (i = 0; i < p; ++i) out[i] = Fq_freeze(scale * (int32_t)v[p - 1 - i]);
1933 return crypto_int16_nonzero_mask(delta);
1934 }
1935
Round(Fq * out,const Fq * a)1936 static void Round(Fq *out, const Fq *a) {
1937 int i;
1938 for (i = 0; i < p; ++i) out[i] = a[i] - F3_freeze(a[i]);
1939 }
1940
Short_fromlist(small * out,const uint32_t * in)1941 static void Short_fromlist(small *out, const uint32_t *in) {
1942 uint32_t L[p];
1943 int i;
1944 for (i = 0; i < w; ++i) L[i] = in[i] & (uint32_t)-2;
1945 for (i = w; i < p; ++i) L[i] = (in[i] & (uint32_t)-3) | 1;
1946 crypto_sort_uint32(L, p);
1947 for (i = 0; i < p; ++i) out[i] = (L[i] & 3) - 1;
1948 }
1949
Hash_prefix(unsigned char * out,int b,const unsigned char * in,int inlen)1950 static void Hash_prefix(unsigned char *out, int b, const unsigned char *in, int inlen) {
1951 unsigned char x[inlen + 1], h[64];
1952 int i;
1953 x[0] = b;
1954 for (i = 0; i < inlen; ++i) x[i + 1] = in[i];
1955 crypto_hash_sha512(h, x, inlen + 1);
1956 for (i = 0; i < 32; ++i) out[i] = h[i];
1957 }
1958
urandom32(void)1959 static uint32_t urandom32(void) {
1960 unsigned char c[4];
1961 uint32_t result = 0;
1962 int i;
1963 randombytes(c, 4);
1964 for (i = 0; i < 4; ++i) result += ((uint32_t)c[i]) << (8 * i);
1965 return result;
1966 }
1967
Short_random(small * out)1968 static void Short_random(small *out) {
1969 uint32_t L[p];
1970 int i;
1971 for (i = 0; i < p; ++i) L[i] = urandom32();
1972 Short_fromlist(out, L);
1973 }
1974
Small_random(small * out)1975 static void Small_random(small *out) {
1976 int i;
1977 for (i = 0; i < p; ++i) out[i] = (((urandom32() & 0x3fffffff) * 3) >> 30) - 1;
1978 }
1979
KeyGen(Fq * h,small * f,small * ginv)1980 static void KeyGen(Fq *h, small *f, small *ginv) {
1981 small g[p];
1982 Fq finv[p];
1983 for (;;) {
1984 int result;
1985 Small_random(g);
1986 result = R3_recip(ginv, g);
1987 crypto_declassify(&result, sizeof result);
1988 if (result == 0) break;
1989 }
1990 Short_random(f);
1991 Rq_recip3(finv, f);
1992 Rq_mult_small(h, finv, g);
1993 }
1994
Encrypt(Fq * c,const small * r,const Fq * h)1995 static void Encrypt(Fq *c, const small *r, const Fq *h) {
1996 Fq hr[p];
1997 Rq_mult_small(hr, h, r);
1998 Round(c, hr);
1999 }
2000
Decrypt(small * r,const Fq * c,const small * f,const small * ginv)2001 static void Decrypt(small *r, const Fq *c, const small *f, const small *ginv) {
2002 Fq cf[p], cf3[p];
2003 small e[p], ev[p];
2004 int mask, i;
2005 Rq_mult_small(cf, c, f);
2006 Rq_mult3(cf3, cf);
2007 R3_fromRq(e, cf3);
2008 R3_mult(ev, e, ginv);
2009 mask = Weightw_mask(ev);
2010 for (i = 0; i < w; ++i) r[i] = ((ev[i] ^ 1) & ~mask) ^ 1;
2011 for (i = w; i < p; ++i) r[i] = ev[i] & ~mask;
2012 }
2013
Small_encode(unsigned char * s,const small * f)2014 static void Small_encode(unsigned char *s, const small *f) {
2015 int i, j;
2016 for (i = 0; i < p / 4; ++i) {
2017 small x = 0;
2018 for (j = 0;j < 4;++j) x += (*f++ + 1) << (2 * j);
2019 *s++ = x;
2020 }
2021 *s = *f++ + 1;
2022 }
2023
Small_decode(small * f,const unsigned char * s)2024 static void Small_decode(small *f, const unsigned char *s) {
2025 int i, j;
2026 for (i = 0; i < p / 4; ++i) {
2027 unsigned char x = *s++;
2028 for (j = 0;j < 4;++j) *f++ = ((small)((x >> (2 * j)) & 3)) - 1;
2029 }
2030 *f++ = ((small)(*s & 3)) - 1;
2031 }
2032
Rq_encode(unsigned char * s,const Fq * r)2033 static void Rq_encode(unsigned char *s, const Fq *r) {
2034 uint16_t R[p], M[p];
2035 int i;
2036 for (i = 0; i < p; ++i) R[i] = r[i] + q12;
2037 for (i = 0; i < p; ++i) M[i] = q;
2038 Encode(s, R, M, p);
2039 }
2040
Rq_decode(Fq * r,const unsigned char * s)2041 static void Rq_decode(Fq *r, const unsigned char *s) {
2042 uint16_t R[p], M[p];
2043 int i;
2044 for (i = 0; i < p; ++i) M[i] = q;
2045 Decode(R, s, M, p);
2046 for (i = 0; i < p; ++i) r[i] = ((Fq)R[i]) - q12;
2047 }
2048
Rounded_encode(unsigned char * s,const Fq * r)2049 static void Rounded_encode(unsigned char *s, const Fq *r) {
2050 uint16_t R[p], M[p];
2051 int i;
2052 for (i = 0; i < p; ++i) R[i] = ((r[i] + q12) * 10923) >> 15;
2053 for (i = 0; i < p; ++i) M[i] = (q + 2) / 3;
2054 Encode(s, R, M, p);
2055 }
2056
Rounded_decode(Fq * r,const unsigned char * s)2057 static void Rounded_decode(Fq *r, const unsigned char *s) {
2058 uint16_t R[p], M[p];
2059 int i;
2060 for (i = 0; i < p; ++i) M[i] = (q + 2) / 3;
2061 Decode(R, s, M, p);
2062 for (i = 0; i < p; ++i) r[i] = R[i] * 3 - q12;
2063 }
2064
ZKeyGen(unsigned char * pk,unsigned char * sk)2065 static void ZKeyGen(unsigned char *pk, unsigned char *sk) {
2066 Fq h[p];
2067 small f[p], v[p];
2068 KeyGen(h, f, v);
2069 Rq_encode(pk, h);
2070 Small_encode(sk, f);
2071 Small_encode(sk + Small_bytes, v);
2072 }
2073
ZEncrypt(unsigned char * C,const Inputs r,const unsigned char * pk)2074 static void ZEncrypt(unsigned char *C, const Inputs r, const unsigned char *pk) {
2075 Fq h[p], c[p];
2076 Rq_decode(h, pk);
2077 Encrypt(c, r, h);
2078 Rounded_encode(C, c);
2079 }
2080
ZDecrypt(Inputs r,const unsigned char * C,const unsigned char * sk)2081 static void ZDecrypt(Inputs r, const unsigned char *C, const unsigned char *sk) {
2082 small f[p], v[p];
2083 Fq c[p];
2084 Small_decode(f, sk);
2085 Small_decode(v, sk + Small_bytes);
2086 Rounded_decode(c, C);
2087 Decrypt(r, c, f, v);
2088 }
2089
HashConfirm(unsigned char * h,const unsigned char * r,const unsigned char * cache)2090 static void HashConfirm(unsigned char *h, const unsigned char *r, const unsigned char *cache) {
2091 unsigned char x[Hash_bytes * 2];
2092 int i;
2093 Hash_prefix(x, 3, r, Small_bytes);
2094 for (i = 0; i < Hash_bytes; ++i) x[Hash_bytes + i] = cache[i];
2095 Hash_prefix(h, 2, x, sizeof x);
2096 }
2097
HashSession(unsigned char * k,int b,const unsigned char * y,const unsigned char * z)2098 static void HashSession(unsigned char *k, int b, const unsigned char *y, const unsigned char *z) {
2099 unsigned char x[Hash_bytes + crypto_kem_sntrup761_CIPHERTEXTBYTES];
2100 int i;
2101 Hash_prefix(x, 3, y, Small_bytes);
2102 for (i = 0; i < crypto_kem_sntrup761_CIPHERTEXTBYTES; ++i) x[Hash_bytes + i] = z[i];
2103 Hash_prefix(k, b, x, sizeof x);
2104 }
2105
crypto_kem_sntrup761_keypair(unsigned char * pk,unsigned char * sk)2106 int crypto_kem_sntrup761_keypair(unsigned char *pk, unsigned char *sk) {
2107 int i;
2108 ZKeyGen(pk, sk);
2109 sk += SecretKeys_bytes;
2110 for (i = 0; i < crypto_kem_sntrup761_PUBLICKEYBYTES; ++i) *sk++ = pk[i];
2111 randombytes(sk, Small_bytes);
2112 Hash_prefix(sk + Small_bytes, 4, pk, crypto_kem_sntrup761_PUBLICKEYBYTES);
2113 return 0;
2114 }
2115
Hide(unsigned char * c,unsigned char * r_enc,const Inputs r,const unsigned char * pk,const unsigned char * cache)2116 static void Hide(unsigned char *c, unsigned char *r_enc, const Inputs r, const unsigned char *pk, const unsigned char *cache) {
2117 Small_encode(r_enc, r);
2118 ZEncrypt(c, r, pk);
2119 HashConfirm(c + crypto_kem_sntrup761_CIPHERTEXTBYTES - Confirm_bytes, r_enc, cache);
2120 }
2121
crypto_kem_sntrup761_enc(unsigned char * c,unsigned char * k,const unsigned char * pk)2122 int crypto_kem_sntrup761_enc(unsigned char *c, unsigned char *k, const unsigned char *pk) {
2123 Inputs r;
2124 unsigned char r_enc[Small_bytes], cache[Hash_bytes];
2125 Hash_prefix(cache, 4, pk, crypto_kem_sntrup761_PUBLICKEYBYTES);
2126 Short_random(r);
2127 Hide(c, r_enc, r, pk, cache);
2128 HashSession(k, 1, r_enc, c);
2129 return 0;
2130 }
2131
Ciphertexts_diff_mask(const unsigned char * c,const unsigned char * c2)2132 static int Ciphertexts_diff_mask(const unsigned char *c, const unsigned char *c2) {
2133 uint16_t differentbits = 0;
2134 int len = crypto_kem_sntrup761_CIPHERTEXTBYTES;
2135 while (len-- > 0) differentbits |= (*c++) ^ (*c2++);
2136 return (crypto_int64_bitmod_01((differentbits - 1),8)) - 1;
2137 }
2138
crypto_kem_sntrup761_dec(unsigned char * k,const unsigned char * c,const unsigned char * sk)2139 int crypto_kem_sntrup761_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk) {
2140 const unsigned char *pk = sk + SecretKeys_bytes;
2141 const unsigned char *rho = pk + crypto_kem_sntrup761_PUBLICKEYBYTES;
2142 const unsigned char *cache = rho + Small_bytes;
2143 Inputs r;
2144 unsigned char r_enc[Small_bytes], cnew[crypto_kem_sntrup761_CIPHERTEXTBYTES];
2145 int mask, i;
2146 ZDecrypt(r, c, sk);
2147 Hide(cnew, r_enc, r, pk, cache);
2148 mask = Ciphertexts_diff_mask(c, cnew);
2149 for (i = 0; i < Small_bytes; ++i) r_enc[i] ^= mask & (r_enc[i] ^ rho[i]);
2150 HashSession(k, 1 + mask, r_enc, c);
2151 return 0;
2152 }
2153
2154