1 /* $OpenBSD: sntrup761.c,v 1.8 2024/09/16 05:37:05 djm Exp $ */ 2 3 /* 4 * Public Domain, Authors: 5 * - Daniel J. Bernstein 6 * - Chitchanok Chuengsatiansup 7 * - Tanja Lange 8 * - Christine van Vredendaal 9 */ 10 11 #include <string.h> 12 #include "crypto_api.h" 13 14 #define crypto_declassify(x, y) do {} while (0) 15 16 #define int8 crypto_int8 17 #define uint8 crypto_uint8 18 #define int16 crypto_int16 19 #define uint16 crypto_uint16 20 #define int32 crypto_int32 21 #define uint32 crypto_uint32 22 #define int64 crypto_int64 23 #define uint64 crypto_uint64 24 extern volatile crypto_int16 crypto_int16_optblocker; 25 extern volatile crypto_int32 crypto_int32_optblocker; 26 extern volatile crypto_int64 crypto_int64_optblocker; 27 28 /* from supercop-20240808/cryptoint/crypto_int16.h */ 29 /* auto-generated: cd cryptoint; ./autogen */ 30 /* cryptoint 20240806 */ 31 32 #ifndef crypto_int16_h 33 #define crypto_int16_h 34 35 #define crypto_int16 int16_t 36 #define crypto_int16_unsigned uint16_t 37 38 39 40 __attribute__((unused)) 41 static inline 42 crypto_int16 crypto_int16_load(const unsigned char *crypto_int16_s) { 43 crypto_int16 crypto_int16_z = 0; 44 crypto_int16_z |= ((crypto_int16) (*crypto_int16_s++)) << 0; 45 crypto_int16_z |= ((crypto_int16) (*crypto_int16_s++)) << 8; 46 return crypto_int16_z; 47 } 48 49 __attribute__((unused)) 50 static inline 51 void crypto_int16_store(unsigned char *crypto_int16_s,crypto_int16 crypto_int16_x) { 52 *crypto_int16_s++ = crypto_int16_x >> 0; 53 *crypto_int16_s++ = crypto_int16_x >> 8; 54 } 55 56 __attribute__((unused)) 57 static inline 58 crypto_int16 crypto_int16_negative_mask(crypto_int16 crypto_int16_x) { 59 #if defined(__GNUC__) && defined(__x86_64__) 60 __asm__ ("sarw $15,%0" : "+r"(crypto_int16_x) : : "cc"); 61 return crypto_int16_x; 62 #elif defined(__GNUC__) && defined(__aarch64__) 63 crypto_int16 crypto_int16_y; 64 __asm__ ("sbfx %w0,%w1,15,1" : "=r"(crypto_int16_y) : "r"(crypto_int16_x) : ); 65 return crypto_int16_y; 66 #else 67 crypto_int16_x >>= 16-6; 68 crypto_int16_x ^= crypto_int16_optblocker; 69 crypto_int16_x >>= 5; 70 return crypto_int16_x; 71 #endif 72 } 73 74 __attribute__((unused)) 75 static inline 76 crypto_int16_unsigned crypto_int16_unsigned_topbit_01(crypto_int16_unsigned crypto_int16_x) { 77 #if defined(__GNUC__) && defined(__x86_64__) 78 __asm__ ("shrw $15,%0" : "+r"(crypto_int16_x) : : "cc"); 79 return crypto_int16_x; 80 #elif defined(__GNUC__) && defined(__aarch64__) 81 crypto_int16 crypto_int16_y; 82 __asm__ ("ubfx %w0,%w1,15,1" : "=r"(crypto_int16_y) : "r"(crypto_int16_x) : ); 83 return crypto_int16_y; 84 #else 85 crypto_int16_x >>= 16-6; 86 crypto_int16_x ^= crypto_int16_optblocker; 87 crypto_int16_x >>= 5; 88 return crypto_int16_x; 89 #endif 90 } 91 92 __attribute__((unused)) 93 static inline 94 crypto_int16 crypto_int16_negative_01(crypto_int16 crypto_int16_x) { 95 return crypto_int16_unsigned_topbit_01(crypto_int16_x); 96 } 97 98 __attribute__((unused)) 99 static inline 100 crypto_int16 crypto_int16_topbit_mask(crypto_int16 crypto_int16_x) { 101 return crypto_int16_negative_mask(crypto_int16_x); 102 } 103 104 __attribute__((unused)) 105 static inline 106 crypto_int16 crypto_int16_topbit_01(crypto_int16 crypto_int16_x) { 107 return crypto_int16_unsigned_topbit_01(crypto_int16_x); 108 } 109 110 __attribute__((unused)) 111 static inline 112 crypto_int16 crypto_int16_bottombit_mask(crypto_int16 crypto_int16_x) { 113 #if defined(__GNUC__) && defined(__x86_64__) 114 __asm__ ("andw $1,%0" : "+r"(crypto_int16_x) : : 
"cc"); 115 return -crypto_int16_x; 116 #elif defined(__GNUC__) && defined(__aarch64__) 117 crypto_int16 crypto_int16_y; 118 __asm__ ("sbfx %w0,%w1,0,1" : "=r"(crypto_int16_y) : "r"(crypto_int16_x) : ); 119 return crypto_int16_y; 120 #else 121 crypto_int16_x &= 1 ^ crypto_int16_optblocker; 122 return -crypto_int16_x; 123 #endif 124 } 125 126 __attribute__((unused)) 127 static inline 128 crypto_int16 crypto_int16_bottombit_01(crypto_int16 crypto_int16_x) { 129 #if defined(__GNUC__) && defined(__x86_64__) 130 __asm__ ("andw $1,%0" : "+r"(crypto_int16_x) : : "cc"); 131 return crypto_int16_x; 132 #elif defined(__GNUC__) && defined(__aarch64__) 133 crypto_int16 crypto_int16_y; 134 __asm__ ("ubfx %w0,%w1,0,1" : "=r"(crypto_int16_y) : "r"(crypto_int16_x) : ); 135 return crypto_int16_y; 136 #else 137 crypto_int16_x &= 1 ^ crypto_int16_optblocker; 138 return crypto_int16_x; 139 #endif 140 } 141 142 __attribute__((unused)) 143 static inline 144 crypto_int16 crypto_int16_bitinrangepublicpos_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) { 145 #if defined(__GNUC__) && defined(__x86_64__) 146 __asm__ ("sarw %%cl,%0" : "+r"(crypto_int16_x) : "c"(crypto_int16_s) : "cc"); 147 #elif defined(__GNUC__) && defined(__aarch64__) 148 __asm__ ("sxth %w0,%w0\n asr %w0,%w0,%w1" : "+&r"(crypto_int16_x) : "r"(crypto_int16_s) : ); 149 #else 150 crypto_int16_x >>= crypto_int16_s ^ crypto_int16_optblocker; 151 #endif 152 return crypto_int16_bottombit_mask(crypto_int16_x); 153 } 154 155 __attribute__((unused)) 156 static inline 157 crypto_int16 crypto_int16_bitinrangepublicpos_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) { 158 #if defined(__GNUC__) && defined(__x86_64__) 159 __asm__ ("sarw %%cl,%0" : "+r"(crypto_int16_x) : "c"(crypto_int16_s) : "cc"); 160 #elif defined(__GNUC__) && defined(__aarch64__) 161 __asm__ ("sxth %w0,%w0\n asr %w0,%w0,%w1" : "+&r"(crypto_int16_x) : "r"(crypto_int16_s) : ); 162 #else 163 crypto_int16_x >>= crypto_int16_s ^ crypto_int16_optblocker; 164 #endif 165 return crypto_int16_bottombit_01(crypto_int16_x); 166 } 167 168 __attribute__((unused)) 169 static inline 170 crypto_int16 crypto_int16_shlmod(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) { 171 #if defined(__GNUC__) && defined(__x86_64__) 172 crypto_int16_s &= 15; 173 __asm__ ("shlw %%cl,%0" : "+r"(crypto_int16_x) : "c"(crypto_int16_s) : "cc"); 174 #elif defined(__GNUC__) && defined(__aarch64__) 175 __asm__ ("and %w0,%w0,15\n and %w1,%w1,65535\n lsl %w1,%w1,%w0" : "+&r"(crypto_int16_s), "+r"(crypto_int16_x) : : ); 176 #else 177 int crypto_int16_k, crypto_int16_l; 178 for (crypto_int16_l = 0,crypto_int16_k = 1;crypto_int16_k < 16;++crypto_int16_l,crypto_int16_k *= 2) 179 crypto_int16_x ^= (crypto_int16_x ^ (crypto_int16_x << crypto_int16_k)) & crypto_int16_bitinrangepublicpos_mask(crypto_int16_s,crypto_int16_l); 180 #endif 181 return crypto_int16_x; 182 } 183 184 __attribute__((unused)) 185 static inline 186 crypto_int16 crypto_int16_shrmod(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) { 187 #if defined(__GNUC__) && defined(__x86_64__) 188 crypto_int16_s &= 15; 189 __asm__ ("sarw %%cl,%0" : "+r"(crypto_int16_x) : "c"(crypto_int16_s) : "cc"); 190 #elif defined(__GNUC__) && defined(__aarch64__) 191 __asm__ ("and %w0,%w0,15\n sxth %w1,%w1\n asr %w1,%w1,%w0" : "+&r"(crypto_int16_s), "+r"(crypto_int16_x) : : ); 192 #else 193 int crypto_int16_k, crypto_int16_l; 194 for (crypto_int16_l = 0,crypto_int16_k = 1;crypto_int16_k < 16;++crypto_int16_l,crypto_int16_k *= 2) 195 crypto_int16_x ^= 
(crypto_int16_x ^ (crypto_int16_x >> crypto_int16_k)) & crypto_int16_bitinrangepublicpos_mask(crypto_int16_s,crypto_int16_l); 196 #endif 197 return crypto_int16_x; 198 } 199 200 __attribute__((unused)) 201 static inline 202 crypto_int16 crypto_int16_bitmod_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) { 203 crypto_int16_x = crypto_int16_shrmod(crypto_int16_x,crypto_int16_s); 204 return crypto_int16_bottombit_mask(crypto_int16_x); 205 } 206 207 __attribute__((unused)) 208 static inline 209 crypto_int16 crypto_int16_bitmod_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_s) { 210 crypto_int16_x = crypto_int16_shrmod(crypto_int16_x,crypto_int16_s); 211 return crypto_int16_bottombit_01(crypto_int16_x); 212 } 213 214 __attribute__((unused)) 215 static inline 216 crypto_int16 crypto_int16_nonzero_mask(crypto_int16 crypto_int16_x) { 217 #if defined(__GNUC__) && defined(__x86_64__) 218 crypto_int16 crypto_int16_q,crypto_int16_z; 219 __asm__ ("xorw %0,%0\n movw $-1,%1\n testw %2,%2\n cmovnew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc"); 220 return crypto_int16_z; 221 #elif defined(__GNUC__) && defined(__aarch64__) 222 crypto_int16 crypto_int16_z; 223 __asm__ ("tst %w1,65535\n csetm %w0,ne" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc"); 224 return crypto_int16_z; 225 #else 226 crypto_int16_x |= -crypto_int16_x; 227 return crypto_int16_negative_mask(crypto_int16_x); 228 #endif 229 } 230 231 __attribute__((unused)) 232 static inline 233 crypto_int16 crypto_int16_nonzero_01(crypto_int16 crypto_int16_x) { 234 #if defined(__GNUC__) && defined(__x86_64__) 235 crypto_int16 crypto_int16_q,crypto_int16_z; 236 __asm__ ("xorw %0,%0\n movw $1,%1\n testw %2,%2\n cmovnew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc"); 237 return crypto_int16_z; 238 #elif defined(__GNUC__) && defined(__aarch64__) 239 crypto_int16 crypto_int16_z; 240 __asm__ ("tst %w1,65535\n cset %w0,ne" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc"); 241 return crypto_int16_z; 242 #else 243 crypto_int16_x |= -crypto_int16_x; 244 return crypto_int16_unsigned_topbit_01(crypto_int16_x); 245 #endif 246 } 247 248 __attribute__((unused)) 249 static inline 250 crypto_int16 crypto_int16_positive_mask(crypto_int16 crypto_int16_x) { 251 #if defined(__GNUC__) && defined(__x86_64__) 252 crypto_int16 crypto_int16_q,crypto_int16_z; 253 __asm__ ("xorw %0,%0\n movw $-1,%1\n testw %2,%2\n cmovgw %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc"); 254 return crypto_int16_z; 255 #elif defined(__GNUC__) && defined(__aarch64__) 256 crypto_int16 crypto_int16_z; 257 __asm__ ("sxth %w0,%w1\n cmp %w0,0\n csetm %w0,gt" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc"); 258 return crypto_int16_z; 259 #else 260 crypto_int16 crypto_int16_z = -crypto_int16_x; 261 crypto_int16_z ^= crypto_int16_x & crypto_int16_z; 262 return crypto_int16_negative_mask(crypto_int16_z); 263 #endif 264 } 265 266 __attribute__((unused)) 267 static inline 268 crypto_int16 crypto_int16_positive_01(crypto_int16 crypto_int16_x) { 269 #if defined(__GNUC__) && defined(__x86_64__) 270 crypto_int16 crypto_int16_q,crypto_int16_z; 271 __asm__ ("xorw %0,%0\n movw $1,%1\n testw %2,%2\n cmovgw %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc"); 272 return crypto_int16_z; 273 #elif defined(__GNUC__) && defined(__aarch64__) 274 crypto_int16 crypto_int16_z; 275 __asm__ ("sxth %w0,%w1\n cmp %w0,0\n cset %w0,gt" : "=r"(crypto_int16_z) : 
"r"(crypto_int16_x) : "cc"); 276 return crypto_int16_z; 277 #else 278 crypto_int16 crypto_int16_z = -crypto_int16_x; 279 crypto_int16_z ^= crypto_int16_x & crypto_int16_z; 280 return crypto_int16_unsigned_topbit_01(crypto_int16_z); 281 #endif 282 } 283 284 __attribute__((unused)) 285 static inline 286 crypto_int16 crypto_int16_zero_mask(crypto_int16 crypto_int16_x) { 287 #if defined(__GNUC__) && defined(__x86_64__) 288 crypto_int16 crypto_int16_q,crypto_int16_z; 289 __asm__ ("xorw %0,%0\n movw $-1,%1\n testw %2,%2\n cmovew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc"); 290 return crypto_int16_z; 291 #elif defined(__GNUC__) && defined(__aarch64__) 292 crypto_int16 crypto_int16_z; 293 __asm__ ("tst %w1,65535\n csetm %w0,eq" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc"); 294 return crypto_int16_z; 295 #else 296 return ~crypto_int16_nonzero_mask(crypto_int16_x); 297 #endif 298 } 299 300 __attribute__((unused)) 301 static inline 302 crypto_int16 crypto_int16_zero_01(crypto_int16 crypto_int16_x) { 303 #if defined(__GNUC__) && defined(__x86_64__) 304 crypto_int16 crypto_int16_q,crypto_int16_z; 305 __asm__ ("xorw %0,%0\n movw $1,%1\n testw %2,%2\n cmovew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc"); 306 return crypto_int16_z; 307 #elif defined(__GNUC__) && defined(__aarch64__) 308 crypto_int16 crypto_int16_z; 309 __asm__ ("tst %w1,65535\n cset %w0,eq" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc"); 310 return crypto_int16_z; 311 #else 312 return 1-crypto_int16_nonzero_01(crypto_int16_x); 313 #endif 314 } 315 316 __attribute__((unused)) 317 static inline 318 crypto_int16 crypto_int16_unequal_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) { 319 #if defined(__GNUC__) && defined(__x86_64__) 320 crypto_int16 crypto_int16_q,crypto_int16_z; 321 __asm__ ("xorw %0,%0\n movw $-1,%1\n cmpw %3,%2\n cmovnew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 322 return crypto_int16_z; 323 #elif defined(__GNUC__) && defined(__aarch64__) 324 crypto_int16 crypto_int16_z; 325 __asm__ ("and %w0,%w1,65535\n cmp %w0,%w2,uxth\n csetm %w0,ne" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 326 return crypto_int16_z; 327 #else 328 return crypto_int16_nonzero_mask(crypto_int16_x ^ crypto_int16_y); 329 #endif 330 } 331 332 __attribute__((unused)) 333 static inline 334 crypto_int16 crypto_int16_unequal_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) { 335 #if defined(__GNUC__) && defined(__x86_64__) 336 crypto_int16 crypto_int16_q,crypto_int16_z; 337 __asm__ ("xorw %0,%0\n movw $1,%1\n cmpw %3,%2\n cmovnew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 338 return crypto_int16_z; 339 #elif defined(__GNUC__) && defined(__aarch64__) 340 crypto_int16 crypto_int16_z; 341 __asm__ ("and %w0,%w1,65535\n cmp %w0,%w2,uxth\n cset %w0,ne" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 342 return crypto_int16_z; 343 #else 344 return crypto_int16_nonzero_01(crypto_int16_x ^ crypto_int16_y); 345 #endif 346 } 347 348 __attribute__((unused)) 349 static inline 350 crypto_int16 crypto_int16_equal_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) { 351 #if defined(__GNUC__) && defined(__x86_64__) 352 crypto_int16 crypto_int16_q,crypto_int16_z; 353 __asm__ ("xorw %0,%0\n movw $-1,%1\n cmpw %3,%2\n cmovew %1,%0" : "=&r"(crypto_int16_z), 
"=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 354 return crypto_int16_z; 355 #elif defined(__GNUC__) && defined(__aarch64__) 356 crypto_int16 crypto_int16_z; 357 __asm__ ("and %w0,%w1,65535\n cmp %w0,%w2,uxth\n csetm %w0,eq" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 358 return crypto_int16_z; 359 #else 360 return ~crypto_int16_unequal_mask(crypto_int16_x,crypto_int16_y); 361 #endif 362 } 363 364 __attribute__((unused)) 365 static inline 366 crypto_int16 crypto_int16_equal_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) { 367 #if defined(__GNUC__) && defined(__x86_64__) 368 crypto_int16 crypto_int16_q,crypto_int16_z; 369 __asm__ ("xorw %0,%0\n movw $1,%1\n cmpw %3,%2\n cmovew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 370 return crypto_int16_z; 371 #elif defined(__GNUC__) && defined(__aarch64__) 372 crypto_int16 crypto_int16_z; 373 __asm__ ("and %w0,%w1,65535\n cmp %w0,%w2,uxth\n cset %w0,eq" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 374 return crypto_int16_z; 375 #else 376 return 1-crypto_int16_unequal_01(crypto_int16_x,crypto_int16_y); 377 #endif 378 } 379 380 __attribute__((unused)) 381 static inline 382 crypto_int16 crypto_int16_min(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) { 383 #if defined(__GNUC__) && defined(__x86_64__) 384 __asm__ ("cmpw %1,%0\n cmovgw %1,%0" : "+r"(crypto_int16_x) : "r"(crypto_int16_y) : "cc"); 385 return crypto_int16_x; 386 #elif defined(__GNUC__) && defined(__aarch64__) 387 __asm__ ("sxth %w0,%w0\n cmp %w0,%w1,sxth\n csel %w0,%w0,%w1,lt" : "+&r"(crypto_int16_x) : "r"(crypto_int16_y) : "cc"); 388 return crypto_int16_x; 389 #else 390 crypto_int16 crypto_int16_r = crypto_int16_y ^ crypto_int16_x; 391 crypto_int16 crypto_int16_z = crypto_int16_y - crypto_int16_x; 392 crypto_int16_z ^= crypto_int16_r & (crypto_int16_z ^ crypto_int16_y); 393 crypto_int16_z = crypto_int16_negative_mask(crypto_int16_z); 394 crypto_int16_z &= crypto_int16_r; 395 return crypto_int16_x ^ crypto_int16_z; 396 #endif 397 } 398 399 __attribute__((unused)) 400 static inline 401 crypto_int16 crypto_int16_max(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) { 402 #if defined(__GNUC__) && defined(__x86_64__) 403 __asm__ ("cmpw %1,%0\n cmovlw %1,%0" : "+r"(crypto_int16_x) : "r"(crypto_int16_y) : "cc"); 404 return crypto_int16_x; 405 #elif defined(__GNUC__) && defined(__aarch64__) 406 __asm__ ("sxth %w0,%w0\n cmp %w0,%w1,sxth\n csel %w0,%w1,%w0,lt" : "+&r"(crypto_int16_x) : "r"(crypto_int16_y) : "cc"); 407 return crypto_int16_x; 408 #else 409 crypto_int16 crypto_int16_r = crypto_int16_y ^ crypto_int16_x; 410 crypto_int16 crypto_int16_z = crypto_int16_y - crypto_int16_x; 411 crypto_int16_z ^= crypto_int16_r & (crypto_int16_z ^ crypto_int16_y); 412 crypto_int16_z = crypto_int16_negative_mask(crypto_int16_z); 413 crypto_int16_z &= crypto_int16_r; 414 return crypto_int16_y ^ crypto_int16_z; 415 #endif 416 } 417 418 __attribute__((unused)) 419 static inline 420 void crypto_int16_minmax(crypto_int16 *crypto_int16_p,crypto_int16 *crypto_int16_q) { 421 crypto_int16 crypto_int16_x = *crypto_int16_p; 422 crypto_int16 crypto_int16_y = *crypto_int16_q; 423 #if defined(__GNUC__) && defined(__x86_64__) 424 crypto_int16 crypto_int16_z; 425 __asm__ ("cmpw %2,%1\n movw %1,%0\n cmovgw %2,%1\n cmovgw %0,%2" : "=&r"(crypto_int16_z), "+&r"(crypto_int16_x), "+r"(crypto_int16_y) : : "cc"); 426 *crypto_int16_p = crypto_int16_x; 427 
*crypto_int16_q = crypto_int16_y; 428 #elif defined(__GNUC__) && defined(__aarch64__) 429 crypto_int16 crypto_int16_r, crypto_int16_s; 430 __asm__ ("sxth %w0,%w0\n cmp %w0,%w3,sxth\n csel %w1,%w0,%w3,lt\n csel %w2,%w3,%w0,lt" : "+&r"(crypto_int16_x), "=&r"(crypto_int16_r), "=r"(crypto_int16_s) : "r"(crypto_int16_y) : "cc"); 431 *crypto_int16_p = crypto_int16_r; 432 *crypto_int16_q = crypto_int16_s; 433 #else 434 crypto_int16 crypto_int16_r = crypto_int16_y ^ crypto_int16_x; 435 crypto_int16 crypto_int16_z = crypto_int16_y - crypto_int16_x; 436 crypto_int16_z ^= crypto_int16_r & (crypto_int16_z ^ crypto_int16_y); 437 crypto_int16_z = crypto_int16_negative_mask(crypto_int16_z); 438 crypto_int16_z &= crypto_int16_r; 439 crypto_int16_x ^= crypto_int16_z; 440 crypto_int16_y ^= crypto_int16_z; 441 *crypto_int16_p = crypto_int16_x; 442 *crypto_int16_q = crypto_int16_y; 443 #endif 444 } 445 446 __attribute__((unused)) 447 static inline 448 crypto_int16 crypto_int16_smaller_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) { 449 #if defined(__GNUC__) && defined(__x86_64__) 450 crypto_int16 crypto_int16_q,crypto_int16_z; 451 __asm__ ("xorw %0,%0\n movw $-1,%1\n cmpw %3,%2\n cmovlw %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 452 return crypto_int16_z; 453 #elif defined(__GNUC__) && defined(__aarch64__) 454 crypto_int16 crypto_int16_z; 455 __asm__ ("sxth %w0,%w1\n cmp %w0,%w2,sxth\n csetm %w0,lt" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 456 return crypto_int16_z; 457 #else 458 crypto_int16 crypto_int16_r = crypto_int16_x ^ crypto_int16_y; 459 crypto_int16 crypto_int16_z = crypto_int16_x - crypto_int16_y; 460 crypto_int16_z ^= crypto_int16_r & (crypto_int16_z ^ crypto_int16_x); 461 return crypto_int16_negative_mask(crypto_int16_z); 462 #endif 463 } 464 465 __attribute__((unused)) 466 static inline 467 crypto_int16 crypto_int16_smaller_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) { 468 #if defined(__GNUC__) && defined(__x86_64__) 469 crypto_int16 crypto_int16_q,crypto_int16_z; 470 __asm__ ("xorw %0,%0\n movw $1,%1\n cmpw %3,%2\n cmovlw %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 471 return crypto_int16_z; 472 #elif defined(__GNUC__) && defined(__aarch64__) 473 crypto_int16 crypto_int16_z; 474 __asm__ ("sxth %w0,%w1\n cmp %w0,%w2,sxth\n cset %w0,lt" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 475 return crypto_int16_z; 476 #else 477 crypto_int16 crypto_int16_r = crypto_int16_x ^ crypto_int16_y; 478 crypto_int16 crypto_int16_z = crypto_int16_x - crypto_int16_y; 479 crypto_int16_z ^= crypto_int16_r & (crypto_int16_z ^ crypto_int16_x); 480 return crypto_int16_unsigned_topbit_01(crypto_int16_z); 481 #endif 482 } 483 484 __attribute__((unused)) 485 static inline 486 crypto_int16 crypto_int16_leq_mask(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) { 487 #if defined(__GNUC__) && defined(__x86_64__) 488 crypto_int16 crypto_int16_q,crypto_int16_z; 489 __asm__ ("xorw %0,%0\n movw $-1,%1\n cmpw %3,%2\n cmovlew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 490 return crypto_int16_z; 491 #elif defined(__GNUC__) && defined(__aarch64__) 492 crypto_int16 crypto_int16_z; 493 __asm__ ("sxth %w0,%w1\n cmp %w0,%w2,sxth\n csetm %w0,le" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 494 return crypto_int16_z; 495 
#else 496 return ~crypto_int16_smaller_mask(crypto_int16_y,crypto_int16_x); 497 #endif 498 } 499 500 __attribute__((unused)) 501 static inline 502 crypto_int16 crypto_int16_leq_01(crypto_int16 crypto_int16_x,crypto_int16 crypto_int16_y) { 503 #if defined(__GNUC__) && defined(__x86_64__) 504 crypto_int16 crypto_int16_q,crypto_int16_z; 505 __asm__ ("xorw %0,%0\n movw $1,%1\n cmpw %3,%2\n cmovlew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 506 return crypto_int16_z; 507 #elif defined(__GNUC__) && defined(__aarch64__) 508 crypto_int16 crypto_int16_z; 509 __asm__ ("sxth %w0,%w1\n cmp %w0,%w2,sxth\n cset %w0,le" : "=&r"(crypto_int16_z) : "r"(crypto_int16_x), "r"(crypto_int16_y) : "cc"); 510 return crypto_int16_z; 511 #else 512 return 1-crypto_int16_smaller_01(crypto_int16_y,crypto_int16_x); 513 #endif 514 } 515 516 __attribute__((unused)) 517 static inline 518 int crypto_int16_ones_num(crypto_int16 crypto_int16_x) { 519 crypto_int16_unsigned crypto_int16_y = crypto_int16_x; 520 const crypto_int16 C0 = 0x5555; 521 const crypto_int16 C1 = 0x3333; 522 const crypto_int16 C2 = 0x0f0f; 523 crypto_int16_y -= ((crypto_int16_y >> 1) & C0); 524 crypto_int16_y = (crypto_int16_y & C1) + ((crypto_int16_y >> 2) & C1); 525 crypto_int16_y = (crypto_int16_y + (crypto_int16_y >> 4)) & C2; 526 crypto_int16_y = (crypto_int16_y + (crypto_int16_y >> 8)) & 0xff; 527 return crypto_int16_y; 528 } 529 530 __attribute__((unused)) 531 static inline 532 int crypto_int16_bottomzeros_num(crypto_int16 crypto_int16_x) { 533 #if defined(__GNUC__) && defined(__x86_64__) 534 crypto_int16 fallback = 16; 535 __asm__ ("bsfw %0,%0\n cmovew %1,%0" : "+&r"(crypto_int16_x) : "r"(fallback) : "cc"); 536 return crypto_int16_x; 537 #elif defined(__GNUC__) && defined(__aarch64__) 538 int64_t crypto_int16_y; 539 __asm__ ("orr %w0,%w1,-65536\n rbit %w0,%w0\n clz %w0,%w0" : "=r"(crypto_int16_y) : "r"(crypto_int16_x) : ); 540 return crypto_int16_y; 541 #else 542 crypto_int16 crypto_int16_y = crypto_int16_x ^ (crypto_int16_x-1); 543 crypto_int16_y = ((crypto_int16) crypto_int16_y) >> 1; 544 crypto_int16_y &= ~(crypto_int16_x & (((crypto_int16) 1) << (16-1))); 545 return crypto_int16_ones_num(crypto_int16_y); 546 #endif 547 } 548 549 #endif 550 551 /* from supercop-20240808/cryptoint/crypto_int32.h */ 552 /* auto-generated: cd cryptoint; ./autogen */ 553 /* cryptoint 20240806 */ 554 555 #ifndef crypto_int32_h 556 #define crypto_int32_h 557 558 #define crypto_int32 int32_t 559 #define crypto_int32_unsigned uint32_t 560 561 562 563 __attribute__((unused)) 564 static inline 565 crypto_int32 crypto_int32_load(const unsigned char *crypto_int32_s) { 566 crypto_int32 crypto_int32_z = 0; 567 crypto_int32_z |= ((crypto_int32) (*crypto_int32_s++)) << 0; 568 crypto_int32_z |= ((crypto_int32) (*crypto_int32_s++)) << 8; 569 crypto_int32_z |= ((crypto_int32) (*crypto_int32_s++)) << 16; 570 crypto_int32_z |= ((crypto_int32) (*crypto_int32_s++)) << 24; 571 return crypto_int32_z; 572 } 573 574 __attribute__((unused)) 575 static inline 576 void crypto_int32_store(unsigned char *crypto_int32_s,crypto_int32 crypto_int32_x) { 577 *crypto_int32_s++ = crypto_int32_x >> 0; 578 *crypto_int32_s++ = crypto_int32_x >> 8; 579 *crypto_int32_s++ = crypto_int32_x >> 16; 580 *crypto_int32_s++ = crypto_int32_x >> 24; 581 } 582 583 __attribute__((unused)) 584 static inline 585 crypto_int32 crypto_int32_negative_mask(crypto_int32 crypto_int32_x) { 586 #if defined(__GNUC__) && defined(__x86_64__) 587 __asm__ ("sarl $31,%0" 
: "+r"(crypto_int32_x) : : "cc"); 588 return crypto_int32_x; 589 #elif defined(__GNUC__) && defined(__aarch64__) 590 crypto_int32 crypto_int32_y; 591 __asm__ ("asr %w0,%w1,31" : "=r"(crypto_int32_y) : "r"(crypto_int32_x) : ); 592 return crypto_int32_y; 593 #else 594 crypto_int32_x >>= 32-6; 595 crypto_int32_x ^= crypto_int32_optblocker; 596 crypto_int32_x >>= 5; 597 return crypto_int32_x; 598 #endif 599 } 600 601 __attribute__((unused)) 602 static inline 603 crypto_int32_unsigned crypto_int32_unsigned_topbit_01(crypto_int32_unsigned crypto_int32_x) { 604 #if defined(__GNUC__) && defined(__x86_64__) 605 __asm__ ("shrl $31,%0" : "+r"(crypto_int32_x) : : "cc"); 606 return crypto_int32_x; 607 #elif defined(__GNUC__) && defined(__aarch64__) 608 crypto_int32 crypto_int32_y; 609 __asm__ ("lsr %w0,%w1,31" : "=r"(crypto_int32_y) : "r"(crypto_int32_x) : ); 610 return crypto_int32_y; 611 #else 612 crypto_int32_x >>= 32-6; 613 crypto_int32_x ^= crypto_int32_optblocker; 614 crypto_int32_x >>= 5; 615 return crypto_int32_x; 616 #endif 617 } 618 619 __attribute__((unused)) 620 static inline 621 crypto_int32 crypto_int32_negative_01(crypto_int32 crypto_int32_x) { 622 return crypto_int32_unsigned_topbit_01(crypto_int32_x); 623 } 624 625 __attribute__((unused)) 626 static inline 627 crypto_int32 crypto_int32_topbit_mask(crypto_int32 crypto_int32_x) { 628 return crypto_int32_negative_mask(crypto_int32_x); 629 } 630 631 __attribute__((unused)) 632 static inline 633 crypto_int32 crypto_int32_topbit_01(crypto_int32 crypto_int32_x) { 634 return crypto_int32_unsigned_topbit_01(crypto_int32_x); 635 } 636 637 __attribute__((unused)) 638 static inline 639 crypto_int32 crypto_int32_bottombit_mask(crypto_int32 crypto_int32_x) { 640 #if defined(__GNUC__) && defined(__x86_64__) 641 __asm__ ("andl $1,%0" : "+r"(crypto_int32_x) : : "cc"); 642 return -crypto_int32_x; 643 #elif defined(__GNUC__) && defined(__aarch64__) 644 crypto_int32 crypto_int32_y; 645 __asm__ ("sbfx %w0,%w1,0,1" : "=r"(crypto_int32_y) : "r"(crypto_int32_x) : ); 646 return crypto_int32_y; 647 #else 648 crypto_int32_x &= 1 ^ crypto_int32_optblocker; 649 return -crypto_int32_x; 650 #endif 651 } 652 653 __attribute__((unused)) 654 static inline 655 crypto_int32 crypto_int32_bottombit_01(crypto_int32 crypto_int32_x) { 656 #if defined(__GNUC__) && defined(__x86_64__) 657 __asm__ ("andl $1,%0" : "+r"(crypto_int32_x) : : "cc"); 658 return crypto_int32_x; 659 #elif defined(__GNUC__) && defined(__aarch64__) 660 crypto_int32 crypto_int32_y; 661 __asm__ ("ubfx %w0,%w1,0,1" : "=r"(crypto_int32_y) : "r"(crypto_int32_x) : ); 662 return crypto_int32_y; 663 #else 664 crypto_int32_x &= 1 ^ crypto_int32_optblocker; 665 return crypto_int32_x; 666 #endif 667 } 668 669 __attribute__((unused)) 670 static inline 671 crypto_int32 crypto_int32_bitinrangepublicpos_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) { 672 #if defined(__GNUC__) && defined(__x86_64__) 673 __asm__ ("sarl %%cl,%0" : "+r"(crypto_int32_x) : "c"(crypto_int32_s) : "cc"); 674 #elif defined(__GNUC__) && defined(__aarch64__) 675 __asm__ ("asr %w0,%w0,%w1" : "+r"(crypto_int32_x) : "r"(crypto_int32_s) : ); 676 #else 677 crypto_int32_x >>= crypto_int32_s ^ crypto_int32_optblocker; 678 #endif 679 return crypto_int32_bottombit_mask(crypto_int32_x); 680 } 681 682 __attribute__((unused)) 683 static inline 684 crypto_int32 crypto_int32_bitinrangepublicpos_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) { 685 #if defined(__GNUC__) && defined(__x86_64__) 686 __asm__ ("sarl %%cl,%0" : 
"+r"(crypto_int32_x) : "c"(crypto_int32_s) : "cc"); 687 #elif defined(__GNUC__) && defined(__aarch64__) 688 __asm__ ("asr %w0,%w0,%w1" : "+r"(crypto_int32_x) : "r"(crypto_int32_s) : ); 689 #else 690 crypto_int32_x >>= crypto_int32_s ^ crypto_int32_optblocker; 691 #endif 692 return crypto_int32_bottombit_01(crypto_int32_x); 693 } 694 695 __attribute__((unused)) 696 static inline 697 crypto_int32 crypto_int32_shlmod(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) { 698 #if defined(__GNUC__) && defined(__x86_64__) 699 __asm__ ("shll %%cl,%0" : "+r"(crypto_int32_x) : "c"(crypto_int32_s) : "cc"); 700 #elif defined(__GNUC__) && defined(__aarch64__) 701 __asm__ ("lsl %w0,%w0,%w1" : "+r"(crypto_int32_x) : "r"(crypto_int32_s) : ); 702 #else 703 int crypto_int32_k, crypto_int32_l; 704 for (crypto_int32_l = 0,crypto_int32_k = 1;crypto_int32_k < 32;++crypto_int32_l,crypto_int32_k *= 2) 705 crypto_int32_x ^= (crypto_int32_x ^ (crypto_int32_x << crypto_int32_k)) & crypto_int32_bitinrangepublicpos_mask(crypto_int32_s,crypto_int32_l); 706 #endif 707 return crypto_int32_x; 708 } 709 710 __attribute__((unused)) 711 static inline 712 crypto_int32 crypto_int32_shrmod(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) { 713 #if defined(__GNUC__) && defined(__x86_64__) 714 __asm__ ("sarl %%cl,%0" : "+r"(crypto_int32_x) : "c"(crypto_int32_s) : "cc"); 715 #elif defined(__GNUC__) && defined(__aarch64__) 716 __asm__ ("asr %w0,%w0,%w1" : "+r"(crypto_int32_x) : "r"(crypto_int32_s) : ); 717 #else 718 int crypto_int32_k, crypto_int32_l; 719 for (crypto_int32_l = 0,crypto_int32_k = 1;crypto_int32_k < 32;++crypto_int32_l,crypto_int32_k *= 2) 720 crypto_int32_x ^= (crypto_int32_x ^ (crypto_int32_x >> crypto_int32_k)) & crypto_int32_bitinrangepublicpos_mask(crypto_int32_s,crypto_int32_l); 721 #endif 722 return crypto_int32_x; 723 } 724 725 __attribute__((unused)) 726 static inline 727 crypto_int32 crypto_int32_bitmod_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) { 728 crypto_int32_x = crypto_int32_shrmod(crypto_int32_x,crypto_int32_s); 729 return crypto_int32_bottombit_mask(crypto_int32_x); 730 } 731 732 __attribute__((unused)) 733 static inline 734 crypto_int32 crypto_int32_bitmod_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_s) { 735 crypto_int32_x = crypto_int32_shrmod(crypto_int32_x,crypto_int32_s); 736 return crypto_int32_bottombit_01(crypto_int32_x); 737 } 738 739 __attribute__((unused)) 740 static inline 741 crypto_int32 crypto_int32_nonzero_mask(crypto_int32 crypto_int32_x) { 742 #if defined(__GNUC__) && defined(__x86_64__) 743 crypto_int32 crypto_int32_q,crypto_int32_z; 744 __asm__ ("xorl %0,%0\n movl $-1,%1\n testl %2,%2\n cmovnel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc"); 745 return crypto_int32_z; 746 #elif defined(__GNUC__) && defined(__aarch64__) 747 crypto_int32 crypto_int32_z; 748 __asm__ ("cmp %w1,0\n csetm %w0,ne" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc"); 749 return crypto_int32_z; 750 #else 751 crypto_int32_x |= -crypto_int32_x; 752 return crypto_int32_negative_mask(crypto_int32_x); 753 #endif 754 } 755 756 __attribute__((unused)) 757 static inline 758 crypto_int32 crypto_int32_nonzero_01(crypto_int32 crypto_int32_x) { 759 #if defined(__GNUC__) && defined(__x86_64__) 760 crypto_int32 crypto_int32_q,crypto_int32_z; 761 __asm__ ("xorl %0,%0\n movl $1,%1\n testl %2,%2\n cmovnel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc"); 762 return crypto_int32_z; 763 #elif 
defined(__GNUC__) && defined(__aarch64__) 764 crypto_int32 crypto_int32_z; 765 __asm__ ("cmp %w1,0\n cset %w0,ne" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc"); 766 return crypto_int32_z; 767 #else 768 crypto_int32_x |= -crypto_int32_x; 769 return crypto_int32_unsigned_topbit_01(crypto_int32_x); 770 #endif 771 } 772 773 __attribute__((unused)) 774 static inline 775 crypto_int32 crypto_int32_positive_mask(crypto_int32 crypto_int32_x) { 776 #if defined(__GNUC__) && defined(__x86_64__) 777 crypto_int32 crypto_int32_q,crypto_int32_z; 778 __asm__ ("xorl %0,%0\n movl $-1,%1\n testl %2,%2\n cmovgl %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc"); 779 return crypto_int32_z; 780 #elif defined(__GNUC__) && defined(__aarch64__) 781 crypto_int32 crypto_int32_z; 782 __asm__ ("cmp %w1,0\n csetm %w0,gt" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc"); 783 return crypto_int32_z; 784 #else 785 crypto_int32 crypto_int32_z = -crypto_int32_x; 786 crypto_int32_z ^= crypto_int32_x & crypto_int32_z; 787 return crypto_int32_negative_mask(crypto_int32_z); 788 #endif 789 } 790 791 __attribute__((unused)) 792 static inline 793 crypto_int32 crypto_int32_positive_01(crypto_int32 crypto_int32_x) { 794 #if defined(__GNUC__) && defined(__x86_64__) 795 crypto_int32 crypto_int32_q,crypto_int32_z; 796 __asm__ ("xorl %0,%0\n movl $1,%1\n testl %2,%2\n cmovgl %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc"); 797 return crypto_int32_z; 798 #elif defined(__GNUC__) && defined(__aarch64__) 799 crypto_int32 crypto_int32_z; 800 __asm__ ("cmp %w1,0\n cset %w0,gt" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc"); 801 return crypto_int32_z; 802 #else 803 crypto_int32 crypto_int32_z = -crypto_int32_x; 804 crypto_int32_z ^= crypto_int32_x & crypto_int32_z; 805 return crypto_int32_unsigned_topbit_01(crypto_int32_z); 806 #endif 807 } 808 809 __attribute__((unused)) 810 static inline 811 crypto_int32 crypto_int32_zero_mask(crypto_int32 crypto_int32_x) { 812 #if defined(__GNUC__) && defined(__x86_64__) 813 crypto_int32 crypto_int32_q,crypto_int32_z; 814 __asm__ ("xorl %0,%0\n movl $-1,%1\n testl %2,%2\n cmovel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc"); 815 return crypto_int32_z; 816 #elif defined(__GNUC__) && defined(__aarch64__) 817 crypto_int32 crypto_int32_z; 818 __asm__ ("cmp %w1,0\n csetm %w0,eq" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc"); 819 return crypto_int32_z; 820 #else 821 return ~crypto_int32_nonzero_mask(crypto_int32_x); 822 #endif 823 } 824 825 __attribute__((unused)) 826 static inline 827 crypto_int32 crypto_int32_zero_01(crypto_int32 crypto_int32_x) { 828 #if defined(__GNUC__) && defined(__x86_64__) 829 crypto_int32 crypto_int32_q,crypto_int32_z; 830 __asm__ ("xorl %0,%0\n movl $1,%1\n testl %2,%2\n cmovel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x) : "cc"); 831 return crypto_int32_z; 832 #elif defined(__GNUC__) && defined(__aarch64__) 833 crypto_int32 crypto_int32_z; 834 __asm__ ("cmp %w1,0\n cset %w0,eq" : "=r"(crypto_int32_z) : "r"(crypto_int32_x) : "cc"); 835 return crypto_int32_z; 836 #else 837 return 1-crypto_int32_nonzero_01(crypto_int32_x); 838 #endif 839 } 840 841 __attribute__((unused)) 842 static inline 843 crypto_int32 crypto_int32_unequal_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) { 844 #if defined(__GNUC__) && defined(__x86_64__) 845 crypto_int32 crypto_int32_q,crypto_int32_z; 846 __asm__ ("xorl %0,%0\n movl $-1,%1\n cmpl 
%3,%2\n cmovnel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 847 return crypto_int32_z; 848 #elif defined(__GNUC__) && defined(__aarch64__) 849 crypto_int32 crypto_int32_z; 850 __asm__ ("cmp %w1,%w2\n csetm %w0,ne" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 851 return crypto_int32_z; 852 #else 853 return crypto_int32_nonzero_mask(crypto_int32_x ^ crypto_int32_y); 854 #endif 855 } 856 857 __attribute__((unused)) 858 static inline 859 crypto_int32 crypto_int32_unequal_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) { 860 #if defined(__GNUC__) && defined(__x86_64__) 861 crypto_int32 crypto_int32_q,crypto_int32_z; 862 __asm__ ("xorl %0,%0\n movl $1,%1\n cmpl %3,%2\n cmovnel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 863 return crypto_int32_z; 864 #elif defined(__GNUC__) && defined(__aarch64__) 865 crypto_int32 crypto_int32_z; 866 __asm__ ("cmp %w1,%w2\n cset %w0,ne" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 867 return crypto_int32_z; 868 #else 869 return crypto_int32_nonzero_01(crypto_int32_x ^ crypto_int32_y); 870 #endif 871 } 872 873 __attribute__((unused)) 874 static inline 875 crypto_int32 crypto_int32_equal_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) { 876 #if defined(__GNUC__) && defined(__x86_64__) 877 crypto_int32 crypto_int32_q,crypto_int32_z; 878 __asm__ ("xorl %0,%0\n movl $-1,%1\n cmpl %3,%2\n cmovel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 879 return crypto_int32_z; 880 #elif defined(__GNUC__) && defined(__aarch64__) 881 crypto_int32 crypto_int32_z; 882 __asm__ ("cmp %w1,%w2\n csetm %w0,eq" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 883 return crypto_int32_z; 884 #else 885 return ~crypto_int32_unequal_mask(crypto_int32_x,crypto_int32_y); 886 #endif 887 } 888 889 __attribute__((unused)) 890 static inline 891 crypto_int32 crypto_int32_equal_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) { 892 #if defined(__GNUC__) && defined(__x86_64__) 893 crypto_int32 crypto_int32_q,crypto_int32_z; 894 __asm__ ("xorl %0,%0\n movl $1,%1\n cmpl %3,%2\n cmovel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 895 return crypto_int32_z; 896 #elif defined(__GNUC__) && defined(__aarch64__) 897 crypto_int32 crypto_int32_z; 898 __asm__ ("cmp %w1,%w2\n cset %w0,eq" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 899 return crypto_int32_z; 900 #else 901 return 1-crypto_int32_unequal_01(crypto_int32_x,crypto_int32_y); 902 #endif 903 } 904 905 __attribute__((unused)) 906 static inline 907 crypto_int32 crypto_int32_min(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) { 908 #if defined(__GNUC__) && defined(__x86_64__) 909 __asm__ ("cmpl %1,%0\n cmovgl %1,%0" : "+r"(crypto_int32_x) : "r"(crypto_int32_y) : "cc"); 910 return crypto_int32_x; 911 #elif defined(__GNUC__) && defined(__aarch64__) 912 __asm__ ("cmp %w0,%w1\n csel %w0,%w0,%w1,lt" : "+r"(crypto_int32_x) : "r"(crypto_int32_y) : "cc"); 913 return crypto_int32_x; 914 #else 915 crypto_int64 crypto_int32_r = (crypto_int64)crypto_int32_y ^ (crypto_int64)crypto_int32_x; 916 crypto_int64 crypto_int32_z = (crypto_int64)crypto_int32_y - (crypto_int64)crypto_int32_x; 917 crypto_int32_z ^= crypto_int32_r & (crypto_int32_z ^ crypto_int32_y); 918 
crypto_int32_z = crypto_int32_negative_mask(crypto_int32_z); 919 crypto_int32_z &= crypto_int32_r; 920 return crypto_int32_x ^ crypto_int32_z; 921 #endif 922 } 923 924 __attribute__((unused)) 925 static inline 926 crypto_int32 crypto_int32_max(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) { 927 #if defined(__GNUC__) && defined(__x86_64__) 928 __asm__ ("cmpl %1,%0\n cmovll %1,%0" : "+r"(crypto_int32_x) : "r"(crypto_int32_y) : "cc"); 929 return crypto_int32_x; 930 #elif defined(__GNUC__) && defined(__aarch64__) 931 __asm__ ("cmp %w0,%w1\n csel %w0,%w1,%w0,lt" : "+r"(crypto_int32_x) : "r"(crypto_int32_y) : "cc"); 932 return crypto_int32_x; 933 #else 934 crypto_int64 crypto_int32_r = (crypto_int64)crypto_int32_y ^ (crypto_int64)crypto_int32_x; 935 crypto_int64 crypto_int32_z = (crypto_int64)crypto_int32_y - (crypto_int64)crypto_int32_x; 936 crypto_int32_z ^= crypto_int32_r & (crypto_int32_z ^ crypto_int32_y); 937 crypto_int32_z = crypto_int32_negative_mask(crypto_int32_z); 938 crypto_int32_z &= crypto_int32_r; 939 return crypto_int32_y ^ crypto_int32_z; 940 #endif 941 } 942 943 __attribute__((unused)) 944 static inline 945 void crypto_int32_minmax(crypto_int32 *crypto_int32_p,crypto_int32 *crypto_int32_q) { 946 crypto_int32 crypto_int32_x = *crypto_int32_p; 947 crypto_int32 crypto_int32_y = *crypto_int32_q; 948 #if defined(__GNUC__) && defined(__x86_64__) 949 crypto_int32 crypto_int32_z; 950 __asm__ ("cmpl %2,%1\n movl %1,%0\n cmovgl %2,%1\n cmovgl %0,%2" : "=&r"(crypto_int32_z), "+&r"(crypto_int32_x), "+r"(crypto_int32_y) : : "cc"); 951 *crypto_int32_p = crypto_int32_x; 952 *crypto_int32_q = crypto_int32_y; 953 #elif defined(__GNUC__) && defined(__aarch64__) 954 crypto_int32 crypto_int32_r, crypto_int32_s; 955 __asm__ ("cmp %w2,%w3\n csel %w0,%w2,%w3,lt\n csel %w1,%w3,%w2,lt" : "=&r"(crypto_int32_r), "=r"(crypto_int32_s) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 956 *crypto_int32_p = crypto_int32_r; 957 *crypto_int32_q = crypto_int32_s; 958 #else 959 crypto_int64 crypto_int32_r = (crypto_int64)crypto_int32_y ^ (crypto_int64)crypto_int32_x; 960 crypto_int64 crypto_int32_z = (crypto_int64)crypto_int32_y - (crypto_int64)crypto_int32_x; 961 crypto_int32_z ^= crypto_int32_r & (crypto_int32_z ^ crypto_int32_y); 962 crypto_int32_z = crypto_int32_negative_mask(crypto_int32_z); 963 crypto_int32_z &= crypto_int32_r; 964 crypto_int32_x ^= crypto_int32_z; 965 crypto_int32_y ^= crypto_int32_z; 966 *crypto_int32_p = crypto_int32_x; 967 *crypto_int32_q = crypto_int32_y; 968 #endif 969 } 970 971 __attribute__((unused)) 972 static inline 973 crypto_int32 crypto_int32_smaller_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) { 974 #if defined(__GNUC__) && defined(__x86_64__) 975 crypto_int32 crypto_int32_q,crypto_int32_z; 976 __asm__ ("xorl %0,%0\n movl $-1,%1\n cmpl %3,%2\n cmovll %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 977 return crypto_int32_z; 978 #elif defined(__GNUC__) && defined(__aarch64__) 979 crypto_int32 crypto_int32_z; 980 __asm__ ("cmp %w1,%w2\n csetm %w0,lt" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 981 return crypto_int32_z; 982 #else 983 crypto_int32 crypto_int32_r = crypto_int32_x ^ crypto_int32_y; 984 crypto_int32 crypto_int32_z = crypto_int32_x - crypto_int32_y; 985 crypto_int32_z ^= crypto_int32_r & (crypto_int32_z ^ crypto_int32_x); 986 return crypto_int32_negative_mask(crypto_int32_z); 987 #endif 988 } 989 990 __attribute__((unused)) 991 static inline 992 
crypto_int32 crypto_int32_smaller_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) { 993 #if defined(__GNUC__) && defined(__x86_64__) 994 crypto_int32 crypto_int32_q,crypto_int32_z; 995 __asm__ ("xorl %0,%0\n movl $1,%1\n cmpl %3,%2\n cmovll %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 996 return crypto_int32_z; 997 #elif defined(__GNUC__) && defined(__aarch64__) 998 crypto_int32 crypto_int32_z; 999 __asm__ ("cmp %w1,%w2\n cset %w0,lt" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 1000 return crypto_int32_z; 1001 #else 1002 crypto_int32 crypto_int32_r = crypto_int32_x ^ crypto_int32_y; 1003 crypto_int32 crypto_int32_z = crypto_int32_x - crypto_int32_y; 1004 crypto_int32_z ^= crypto_int32_r & (crypto_int32_z ^ crypto_int32_x); 1005 return crypto_int32_unsigned_topbit_01(crypto_int32_z); 1006 #endif 1007 } 1008 1009 __attribute__((unused)) 1010 static inline 1011 crypto_int32 crypto_int32_leq_mask(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) { 1012 #if defined(__GNUC__) && defined(__x86_64__) 1013 crypto_int32 crypto_int32_q,crypto_int32_z; 1014 __asm__ ("xorl %0,%0\n movl $-1,%1\n cmpl %3,%2\n cmovlel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 1015 return crypto_int32_z; 1016 #elif defined(__GNUC__) && defined(__aarch64__) 1017 crypto_int32 crypto_int32_z; 1018 __asm__ ("cmp %w1,%w2\n csetm %w0,le" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 1019 return crypto_int32_z; 1020 #else 1021 return ~crypto_int32_smaller_mask(crypto_int32_y,crypto_int32_x); 1022 #endif 1023 } 1024 1025 __attribute__((unused)) 1026 static inline 1027 crypto_int32 crypto_int32_leq_01(crypto_int32 crypto_int32_x,crypto_int32 crypto_int32_y) { 1028 #if defined(__GNUC__) && defined(__x86_64__) 1029 crypto_int32 crypto_int32_q,crypto_int32_z; 1030 __asm__ ("xorl %0,%0\n movl $1,%1\n cmpl %3,%2\n cmovlel %1,%0" : "=&r"(crypto_int32_z), "=&r"(crypto_int32_q) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 1031 return crypto_int32_z; 1032 #elif defined(__GNUC__) && defined(__aarch64__) 1033 crypto_int32 crypto_int32_z; 1034 __asm__ ("cmp %w1,%w2\n cset %w0,le" : "=r"(crypto_int32_z) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc"); 1035 return crypto_int32_z; 1036 #else 1037 return 1-crypto_int32_smaller_01(crypto_int32_y,crypto_int32_x); 1038 #endif 1039 } 1040 1041 __attribute__((unused)) 1042 static inline 1043 int crypto_int32_ones_num(crypto_int32 crypto_int32_x) { 1044 crypto_int32_unsigned crypto_int32_y = crypto_int32_x; 1045 const crypto_int32 C0 = 0x55555555; 1046 const crypto_int32 C1 = 0x33333333; 1047 const crypto_int32 C2 = 0x0f0f0f0f; 1048 crypto_int32_y -= ((crypto_int32_y >> 1) & C0); 1049 crypto_int32_y = (crypto_int32_y & C1) + ((crypto_int32_y >> 2) & C1); 1050 crypto_int32_y = (crypto_int32_y + (crypto_int32_y >> 4)) & C2; 1051 crypto_int32_y += crypto_int32_y >> 8; 1052 crypto_int32_y = (crypto_int32_y + (crypto_int32_y >> 16)) & 0xff; 1053 return crypto_int32_y; 1054 } 1055 1056 __attribute__((unused)) 1057 static inline 1058 int crypto_int32_bottomzeros_num(crypto_int32 crypto_int32_x) { 1059 #if defined(__GNUC__) && defined(__x86_64__) 1060 crypto_int32 fallback = 32; 1061 __asm__ ("bsfl %0,%0\n cmovel %1,%0" : "+&r"(crypto_int32_x) : "r"(fallback) : "cc"); 1062 return crypto_int32_x; 1063 #elif defined(__GNUC__) && defined(__aarch64__) 1064 int64_t crypto_int32_y; 1065 __asm__ ("rbit 
%w0,%w1\n clz %w0,%w0" : "=r"(crypto_int32_y) : "r"(crypto_int32_x) : ); 1066 return crypto_int32_y; 1067 #else 1068 crypto_int32 crypto_int32_y = crypto_int32_x ^ (crypto_int32_x-1); 1069 crypto_int32_y = ((crypto_int32) crypto_int32_y) >> 1; 1070 crypto_int32_y &= ~(crypto_int32_x & (((crypto_int32) 1) << (32-1))); 1071 return crypto_int32_ones_num(crypto_int32_y); 1072 #endif 1073 } 1074 1075 #endif 1076 1077 /* from supercop-20240808/cryptoint/crypto_int64.h */ 1078 /* auto-generated: cd cryptoint; ./autogen */ 1079 /* cryptoint 20240806 */ 1080 1081 #ifndef crypto_int64_h 1082 #define crypto_int64_h 1083 1084 #define crypto_int64 int64_t 1085 #define crypto_int64_unsigned uint64_t 1086 1087 1088 1089 __attribute__((unused)) 1090 static inline 1091 crypto_int64 crypto_int64_load(const unsigned char *crypto_int64_s) { 1092 crypto_int64 crypto_int64_z = 0; 1093 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 0; 1094 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 8; 1095 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 16; 1096 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 24; 1097 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 32; 1098 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 40; 1099 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 48; 1100 crypto_int64_z |= ((crypto_int64) (*crypto_int64_s++)) << 56; 1101 return crypto_int64_z; 1102 } 1103 1104 __attribute__((unused)) 1105 static inline 1106 void crypto_int64_store(unsigned char *crypto_int64_s,crypto_int64 crypto_int64_x) { 1107 *crypto_int64_s++ = crypto_int64_x >> 0; 1108 *crypto_int64_s++ = crypto_int64_x >> 8; 1109 *crypto_int64_s++ = crypto_int64_x >> 16; 1110 *crypto_int64_s++ = crypto_int64_x >> 24; 1111 *crypto_int64_s++ = crypto_int64_x >> 32; 1112 *crypto_int64_s++ = crypto_int64_x >> 40; 1113 *crypto_int64_s++ = crypto_int64_x >> 48; 1114 *crypto_int64_s++ = crypto_int64_x >> 56; 1115 } 1116 1117 __attribute__((unused)) 1118 static inline 1119 crypto_int64 crypto_int64_negative_mask(crypto_int64 crypto_int64_x) { 1120 #if defined(__GNUC__) && defined(__x86_64__) 1121 __asm__ ("sarq $63,%0" : "+r"(crypto_int64_x) : : "cc"); 1122 return crypto_int64_x; 1123 #elif defined(__GNUC__) && defined(__aarch64__) 1124 crypto_int64 crypto_int64_y; 1125 __asm__ ("asr %0,%1,63" : "=r"(crypto_int64_y) : "r"(crypto_int64_x) : ); 1126 return crypto_int64_y; 1127 #else 1128 crypto_int64_x >>= 64-6; 1129 crypto_int64_x ^= crypto_int64_optblocker; 1130 crypto_int64_x >>= 5; 1131 return crypto_int64_x; 1132 #endif 1133 } 1134 1135 __attribute__((unused)) 1136 static inline 1137 crypto_int64_unsigned crypto_int64_unsigned_topbit_01(crypto_int64_unsigned crypto_int64_x) { 1138 #if defined(__GNUC__) && defined(__x86_64__) 1139 __asm__ ("shrq $63,%0" : "+r"(crypto_int64_x) : : "cc"); 1140 return crypto_int64_x; 1141 #elif defined(__GNUC__) && defined(__aarch64__) 1142 crypto_int64 crypto_int64_y; 1143 __asm__ ("lsr %0,%1,63" : "=r"(crypto_int64_y) : "r"(crypto_int64_x) : ); 1144 return crypto_int64_y; 1145 #else 1146 crypto_int64_x >>= 64-6; 1147 crypto_int64_x ^= crypto_int64_optblocker; 1148 crypto_int64_x >>= 5; 1149 return crypto_int64_x; 1150 #endif 1151 } 1152 1153 __attribute__((unused)) 1154 static inline 1155 crypto_int64 crypto_int64_negative_01(crypto_int64 crypto_int64_x) { 1156 return crypto_int64_unsigned_topbit_01(crypto_int64_x); 1157 } 1158 1159 __attribute__((unused)) 1160 static inline 1161 crypto_int64 crypto_int64_topbit_mask(crypto_int64 
crypto_int64_x) { 1162 return crypto_int64_negative_mask(crypto_int64_x); 1163 } 1164 1165 __attribute__((unused)) 1166 static inline 1167 crypto_int64 crypto_int64_topbit_01(crypto_int64 crypto_int64_x) { 1168 return crypto_int64_unsigned_topbit_01(crypto_int64_x); 1169 } 1170 1171 __attribute__((unused)) 1172 static inline 1173 crypto_int64 crypto_int64_bottombit_mask(crypto_int64 crypto_int64_x) { 1174 #if defined(__GNUC__) && defined(__x86_64__) 1175 __asm__ ("andq $1,%0" : "+r"(crypto_int64_x) : : "cc"); 1176 return -crypto_int64_x; 1177 #elif defined(__GNUC__) && defined(__aarch64__) 1178 crypto_int64 crypto_int64_y; 1179 __asm__ ("sbfx %0,%1,0,1" : "=r"(crypto_int64_y) : "r"(crypto_int64_x) : ); 1180 return crypto_int64_y; 1181 #else 1182 crypto_int64_x &= 1 ^ crypto_int64_optblocker; 1183 return -crypto_int64_x; 1184 #endif 1185 } 1186 1187 __attribute__((unused)) 1188 static inline 1189 crypto_int64 crypto_int64_bottombit_01(crypto_int64 crypto_int64_x) { 1190 #if defined(__GNUC__) && defined(__x86_64__) 1191 __asm__ ("andq $1,%0" : "+r"(crypto_int64_x) : : "cc"); 1192 return crypto_int64_x; 1193 #elif defined(__GNUC__) && defined(__aarch64__) 1194 crypto_int64 crypto_int64_y; 1195 __asm__ ("ubfx %0,%1,0,1" : "=r"(crypto_int64_y) : "r"(crypto_int64_x) : ); 1196 return crypto_int64_y; 1197 #else 1198 crypto_int64_x &= 1 ^ crypto_int64_optblocker; 1199 return crypto_int64_x; 1200 #endif 1201 } 1202 1203 __attribute__((unused)) 1204 static inline 1205 crypto_int64 crypto_int64_bitinrangepublicpos_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) { 1206 #if defined(__GNUC__) && defined(__x86_64__) 1207 __asm__ ("sarq %%cl,%0" : "+r"(crypto_int64_x) : "c"(crypto_int64_s) : "cc"); 1208 #elif defined(__GNUC__) && defined(__aarch64__) 1209 __asm__ ("asr %0,%0,%1" : "+r"(crypto_int64_x) : "r"(crypto_int64_s) : ); 1210 #else 1211 crypto_int64_x >>= crypto_int64_s ^ crypto_int64_optblocker; 1212 #endif 1213 return crypto_int64_bottombit_mask(crypto_int64_x); 1214 } 1215 1216 __attribute__((unused)) 1217 static inline 1218 crypto_int64 crypto_int64_bitinrangepublicpos_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) { 1219 #if defined(__GNUC__) && defined(__x86_64__) 1220 __asm__ ("sarq %%cl,%0" : "+r"(crypto_int64_x) : "c"(crypto_int64_s) : "cc"); 1221 #elif defined(__GNUC__) && defined(__aarch64__) 1222 __asm__ ("asr %0,%0,%1" : "+r"(crypto_int64_x) : "r"(crypto_int64_s) : ); 1223 #else 1224 crypto_int64_x >>= crypto_int64_s ^ crypto_int64_optblocker; 1225 #endif 1226 return crypto_int64_bottombit_01(crypto_int64_x); 1227 } 1228 1229 __attribute__((unused)) 1230 static inline 1231 crypto_int64 crypto_int64_shlmod(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) { 1232 #if defined(__GNUC__) && defined(__x86_64__) 1233 __asm__ ("shlq %%cl,%0" : "+r"(crypto_int64_x) : "c"(crypto_int64_s) : "cc"); 1234 #elif defined(__GNUC__) && defined(__aarch64__) 1235 __asm__ ("lsl %0,%0,%1" : "+r"(crypto_int64_x) : "r"(crypto_int64_s) : ); 1236 #else 1237 int crypto_int64_k, crypto_int64_l; 1238 for (crypto_int64_l = 0,crypto_int64_k = 1;crypto_int64_k < 64;++crypto_int64_l,crypto_int64_k *= 2) 1239 crypto_int64_x ^= (crypto_int64_x ^ (crypto_int64_x << crypto_int64_k)) & crypto_int64_bitinrangepublicpos_mask(crypto_int64_s,crypto_int64_l); 1240 #endif 1241 return crypto_int64_x; 1242 } 1243 1244 __attribute__((unused)) 1245 static inline 1246 crypto_int64 crypto_int64_shrmod(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) { 1247 #if defined(__GNUC__) && 
defined(__x86_64__) 1248 __asm__ ("sarq %%cl,%0" : "+r"(crypto_int64_x) : "c"(crypto_int64_s) : "cc"); 1249 #elif defined(__GNUC__) && defined(__aarch64__) 1250 __asm__ ("asr %0,%0,%1" : "+r"(crypto_int64_x) : "r"(crypto_int64_s) : ); 1251 #else 1252 int crypto_int64_k, crypto_int64_l; 1253 for (crypto_int64_l = 0,crypto_int64_k = 1;crypto_int64_k < 64;++crypto_int64_l,crypto_int64_k *= 2) 1254 crypto_int64_x ^= (crypto_int64_x ^ (crypto_int64_x >> crypto_int64_k)) & crypto_int64_bitinrangepublicpos_mask(crypto_int64_s,crypto_int64_l); 1255 #endif 1256 return crypto_int64_x; 1257 } 1258 1259 __attribute__((unused)) 1260 static inline 1261 crypto_int64 crypto_int64_bitmod_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) { 1262 crypto_int64_x = crypto_int64_shrmod(crypto_int64_x,crypto_int64_s); 1263 return crypto_int64_bottombit_mask(crypto_int64_x); 1264 } 1265 1266 __attribute__((unused)) 1267 static inline 1268 crypto_int64 crypto_int64_bitmod_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) { 1269 crypto_int64_x = crypto_int64_shrmod(crypto_int64_x,crypto_int64_s); 1270 return crypto_int64_bottombit_01(crypto_int64_x); 1271 } 1272 1273 __attribute__((unused)) 1274 static inline 1275 crypto_int64 crypto_int64_nonzero_mask(crypto_int64 crypto_int64_x) { 1276 #if defined(__GNUC__) && defined(__x86_64__) 1277 crypto_int64 crypto_int64_q,crypto_int64_z; 1278 __asm__ ("xorq %0,%0\n movq $-1,%1\n testq %2,%2\n cmovneq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc"); 1279 return crypto_int64_z; 1280 #elif defined(__GNUC__) && defined(__aarch64__) 1281 crypto_int64 crypto_int64_z; 1282 __asm__ ("cmp %1,0\n csetm %0,ne" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc"); 1283 return crypto_int64_z; 1284 #else 1285 crypto_int64_x |= -crypto_int64_x; 1286 return crypto_int64_negative_mask(crypto_int64_x); 1287 #endif 1288 } 1289 1290 __attribute__((unused)) 1291 static inline 1292 crypto_int64 crypto_int64_nonzero_01(crypto_int64 crypto_int64_x) { 1293 #if defined(__GNUC__) && defined(__x86_64__) 1294 crypto_int64 crypto_int64_q,crypto_int64_z; 1295 __asm__ ("xorq %0,%0\n movq $1,%1\n testq %2,%2\n cmovneq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc"); 1296 return crypto_int64_z; 1297 #elif defined(__GNUC__) && defined(__aarch64__) 1298 crypto_int64 crypto_int64_z; 1299 __asm__ ("cmp %1,0\n cset %0,ne" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc"); 1300 return crypto_int64_z; 1301 #else 1302 crypto_int64_x |= -crypto_int64_x; 1303 return crypto_int64_unsigned_topbit_01(crypto_int64_x); 1304 #endif 1305 } 1306 1307 __attribute__((unused)) 1308 static inline 1309 crypto_int64 crypto_int64_positive_mask(crypto_int64 crypto_int64_x) { 1310 #if defined(__GNUC__) && defined(__x86_64__) 1311 crypto_int64 crypto_int64_q,crypto_int64_z; 1312 __asm__ ("xorq %0,%0\n movq $-1,%1\n testq %2,%2\n cmovgq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc"); 1313 return crypto_int64_z; 1314 #elif defined(__GNUC__) && defined(__aarch64__) 1315 crypto_int64 crypto_int64_z; 1316 __asm__ ("cmp %1,0\n csetm %0,gt" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc"); 1317 return crypto_int64_z; 1318 #else 1319 crypto_int64 crypto_int64_z = -crypto_int64_x; 1320 crypto_int64_z ^= crypto_int64_x & crypto_int64_z; 1321 return crypto_int64_negative_mask(crypto_int64_z); 1322 #endif 1323 } 1324 1325 __attribute__((unused)) 1326 static inline 1327 crypto_int64 
crypto_int64_positive_01(crypto_int64 crypto_int64_x) { 1328 #if defined(__GNUC__) && defined(__x86_64__) 1329 crypto_int64 crypto_int64_q,crypto_int64_z; 1330 __asm__ ("xorq %0,%0\n movq $1,%1\n testq %2,%2\n cmovgq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc"); 1331 return crypto_int64_z; 1332 #elif defined(__GNUC__) && defined(__aarch64__) 1333 crypto_int64 crypto_int64_z; 1334 __asm__ ("cmp %1,0\n cset %0,gt" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc"); 1335 return crypto_int64_z; 1336 #else 1337 crypto_int64 crypto_int64_z = -crypto_int64_x; 1338 crypto_int64_z ^= crypto_int64_x & crypto_int64_z; 1339 return crypto_int64_unsigned_topbit_01(crypto_int64_z); 1340 #endif 1341 } 1342 1343 __attribute__((unused)) 1344 static inline 1345 crypto_int64 crypto_int64_zero_mask(crypto_int64 crypto_int64_x) { 1346 #if defined(__GNUC__) && defined(__x86_64__) 1347 crypto_int64 crypto_int64_q,crypto_int64_z; 1348 __asm__ ("xorq %0,%0\n movq $-1,%1\n testq %2,%2\n cmoveq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc"); 1349 return crypto_int64_z; 1350 #elif defined(__GNUC__) && defined(__aarch64__) 1351 crypto_int64 crypto_int64_z; 1352 __asm__ ("cmp %1,0\n csetm %0,eq" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc"); 1353 return crypto_int64_z; 1354 #else 1355 return ~crypto_int64_nonzero_mask(crypto_int64_x); 1356 #endif 1357 } 1358 1359 __attribute__((unused)) 1360 static inline 1361 crypto_int64 crypto_int64_zero_01(crypto_int64 crypto_int64_x) { 1362 #if defined(__GNUC__) && defined(__x86_64__) 1363 crypto_int64 crypto_int64_q,crypto_int64_z; 1364 __asm__ ("xorq %0,%0\n movq $1,%1\n testq %2,%2\n cmoveq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x) : "cc"); 1365 return crypto_int64_z; 1366 #elif defined(__GNUC__) && defined(__aarch64__) 1367 crypto_int64 crypto_int64_z; 1368 __asm__ ("cmp %1,0\n cset %0,eq" : "=r"(crypto_int64_z) : "r"(crypto_int64_x) : "cc"); 1369 return crypto_int64_z; 1370 #else 1371 return 1-crypto_int64_nonzero_01(crypto_int64_x); 1372 #endif 1373 } 1374 1375 __attribute__((unused)) 1376 static inline 1377 crypto_int64 crypto_int64_unequal_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) { 1378 #if defined(__GNUC__) && defined(__x86_64__) 1379 crypto_int64 crypto_int64_q,crypto_int64_z; 1380 __asm__ ("xorq %0,%0\n movq $-1,%1\n cmpq %3,%2\n cmovneq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc"); 1381 return crypto_int64_z; 1382 #elif defined(__GNUC__) && defined(__aarch64__) 1383 crypto_int64 crypto_int64_z; 1384 __asm__ ("cmp %1,%2\n csetm %0,ne" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc"); 1385 return crypto_int64_z; 1386 #else 1387 return crypto_int64_nonzero_mask(crypto_int64_x ^ crypto_int64_y); 1388 #endif 1389 } 1390 1391 __attribute__((unused)) 1392 static inline 1393 crypto_int64 crypto_int64_unequal_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) { 1394 #if defined(__GNUC__) && defined(__x86_64__) 1395 crypto_int64 crypto_int64_q,crypto_int64_z; 1396 __asm__ ("xorq %0,%0\n movq $1,%1\n cmpq %3,%2\n cmovneq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc"); 1397 return crypto_int64_z; 1398 #elif defined(__GNUC__) && defined(__aarch64__) 1399 crypto_int64 crypto_int64_z; 1400 __asm__ ("cmp %1,%2\n cset %0,ne" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc"); 
__attribute__((unused))
static inline
crypto_int64 crypto_int64_unequal_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
#if defined(__GNUC__) && defined(__x86_64__)
  crypto_int64 crypto_int64_q,crypto_int64_z;
  __asm__ ("xorq %0,%0\n movq $-1,%1\n cmpq %3,%2\n cmovneq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
  return crypto_int64_z;
#elif defined(__GNUC__) && defined(__aarch64__)
  crypto_int64 crypto_int64_z;
  __asm__ ("cmp %1,%2\n csetm %0,ne" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
  return crypto_int64_z;
#else
  return crypto_int64_nonzero_mask(crypto_int64_x ^ crypto_int64_y);
#endif
}

__attribute__((unused))
static inline
crypto_int64 crypto_int64_unequal_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
#if defined(__GNUC__) && defined(__x86_64__)
  crypto_int64 crypto_int64_q,crypto_int64_z;
  __asm__ ("xorq %0,%0\n movq $1,%1\n cmpq %3,%2\n cmovneq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
  return crypto_int64_z;
#elif defined(__GNUC__) && defined(__aarch64__)
  crypto_int64 crypto_int64_z;
  __asm__ ("cmp %1,%2\n cset %0,ne" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
  return crypto_int64_z;
#else
  return crypto_int64_nonzero_01(crypto_int64_x ^ crypto_int64_y);
#endif
}

__attribute__((unused))
static inline
crypto_int64 crypto_int64_equal_mask(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
#if defined(__GNUC__) && defined(__x86_64__)
  crypto_int64 crypto_int64_q,crypto_int64_z;
  __asm__ ("xorq %0,%0\n movq $-1,%1\n cmpq %3,%2\n cmoveq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
  return crypto_int64_z;
#elif defined(__GNUC__) && defined(__aarch64__)
  crypto_int64 crypto_int64_z;
  __asm__ ("cmp %1,%2\n csetm %0,eq" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
  return crypto_int64_z;
#else
  return ~crypto_int64_unequal_mask(crypto_int64_x,crypto_int64_y);
#endif
}

__attribute__((unused))
static inline
crypto_int64 crypto_int64_equal_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
#if defined(__GNUC__) && defined(__x86_64__)
  crypto_int64 crypto_int64_q,crypto_int64_z;
  __asm__ ("xorq %0,%0\n movq $1,%1\n cmpq %3,%2\n cmoveq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
  return crypto_int64_z;
#elif defined(__GNUC__) && defined(__aarch64__)
  crypto_int64 crypto_int64_z;
  __asm__ ("cmp %1,%2\n cset %0,eq" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
  return crypto_int64_z;
#else
  return 1-crypto_int64_unequal_01(crypto_int64_x,crypto_int64_y);
#endif
}

__attribute__((unused))
static inline
crypto_int64 crypto_int64_min(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
#if defined(__GNUC__) && defined(__x86_64__)
  __asm__ ("cmpq %1,%0\n cmovgq %1,%0" : "+r"(crypto_int64_x) : "r"(crypto_int64_y) : "cc");
  return crypto_int64_x;
#elif defined(__GNUC__) && defined(__aarch64__)
  __asm__ ("cmp %0,%1\n csel %0,%0,%1,lt" : "+r"(crypto_int64_x) : "r"(crypto_int64_y) : "cc");
  return crypto_int64_x;
#else
  crypto_int64 crypto_int64_r = crypto_int64_y ^ crypto_int64_x;
  crypto_int64 crypto_int64_z = crypto_int64_y - crypto_int64_x;
  crypto_int64_z ^= crypto_int64_r & (crypto_int64_z ^ crypto_int64_y);
  crypto_int64_z = crypto_int64_negative_mask(crypto_int64_z);
  crypto_int64_z &= crypto_int64_r;
  return crypto_int64_x ^ crypto_int64_z;
#endif
}

__attribute__((unused))
static inline
crypto_int64 crypto_int64_max(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) {
#if defined(__GNUC__) && defined(__x86_64__)
  __asm__ ("cmpq %1,%0\n cmovlq %1,%0" : "+r"(crypto_int64_x) : "r"(crypto_int64_y) : "cc");
  return crypto_int64_x;
#elif defined(__GNUC__) && defined(__aarch64__)
  __asm__ ("cmp %0,%1\n csel %0,%1,%0,lt" : "+r"(crypto_int64_x) : "r"(crypto_int64_y) : "cc");
  return crypto_int64_x;
#else
  crypto_int64 crypto_int64_r = crypto_int64_y ^ crypto_int64_x;
  crypto_int64 crypto_int64_z = crypto_int64_y - crypto_int64_x;
  crypto_int64_z ^= crypto_int64_r & (crypto_int64_z ^ crypto_int64_y);
  crypto_int64_z = crypto_int64_negative_mask(crypto_int64_z);
  crypto_int64_z &= crypto_int64_r;
  return crypto_int64_y ^ crypto_int64_z;
#endif
}
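/*
 * crypto_int64_minmax sorts the pair (*p,*q) in place: afterwards *p holds
 * the smaller and *q the larger value.  It is the 64-bit analogue of the
 * crypto_int32_minmax compare-exchange used by crypto_sort_int32 below, and
 * performs the swap without data-dependent branches.
 */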
__attribute__((unused))
static inline
void crypto_int64_minmax(crypto_int64 *crypto_int64_p,crypto_int64 *crypto_int64_q) {
  crypto_int64 crypto_int64_x = *crypto_int64_p;
  crypto_int64 crypto_int64_y = *crypto_int64_q;
#if defined(__GNUC__) && defined(__x86_64__)
  crypto_int64 crypto_int64_z;
  __asm__ ("cmpq %2,%1\n movq %1,%0\n cmovgq %2,%1\n cmovgq %0,%2" : "=&r"(crypto_int64_z), "+&r"(crypto_int64_x), "+r"(crypto_int64_y) : : "cc");
  *crypto_int64_p = crypto_int64_x;
  *crypto_int64_q = crypto_int64_y;
#elif defined(__GNUC__) && defined(__aarch64__)
  crypto_int64 crypto_int64_r, crypto_int64_s;
  __asm__ ("cmp %2,%3\n csel %0,%2,%3,lt\n csel %1,%3,%2,lt" : "=&r"(crypto_int64_r), "=r"(crypto_int64_s) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc");
  *crypto_int64_p = crypto_int64_r;
  *crypto_int64_q = crypto_int64_s;
#else
  crypto_int64 crypto_int64_r = crypto_int64_y ^ crypto_int64_x;
  crypto_int64 crypto_int64_z = crypto_int64_y - crypto_int64_x;
  crypto_int64_z ^= crypto_int64_r & (crypto_int64_z ^ crypto_int64_y);
  crypto_int64_z = crypto_int64_negative_mask(crypto_int64_z);
  crypto_int64_z &= crypto_int64_r;
  crypto_int64_x ^= crypto_int64_z;
  crypto_int64_y ^= crypto_int64_z;
  *crypto_int64_p = crypto_int64_x;
  *crypto_int64_q = crypto_int64_y;
#endif
}
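/*
 * The portable fallbacks of the comparison helpers below compute x < y as
 * z = x - y, then patch z with (x ^ y) & (z ^ x) so that the sign bit of z
 * is correct even when the subtraction overflows; that sign bit is then
 * spread into a full mask or reduced to 0/1.
 */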
__asm__ ("xorq %0,%0\n movq $-1,%1\n cmpq %3,%2\n cmovleq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc"); 1549 return crypto_int64_z; 1550 #elif defined(__GNUC__) && defined(__aarch64__) 1551 crypto_int64 crypto_int64_z; 1552 __asm__ ("cmp %1,%2\n csetm %0,le" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc"); 1553 return crypto_int64_z; 1554 #else 1555 return ~crypto_int64_smaller_mask(crypto_int64_y,crypto_int64_x); 1556 #endif 1557 } 1558 1559 __attribute__((unused)) 1560 static inline 1561 crypto_int64 crypto_int64_leq_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_y) { 1562 #if defined(__GNUC__) && defined(__x86_64__) 1563 crypto_int64 crypto_int64_q,crypto_int64_z; 1564 __asm__ ("xorq %0,%0\n movq $1,%1\n cmpq %3,%2\n cmovleq %1,%0" : "=&r"(crypto_int64_z), "=&r"(crypto_int64_q) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc"); 1565 return crypto_int64_z; 1566 #elif defined(__GNUC__) && defined(__aarch64__) 1567 crypto_int64 crypto_int64_z; 1568 __asm__ ("cmp %1,%2\n cset %0,le" : "=r"(crypto_int64_z) : "r"(crypto_int64_x), "r"(crypto_int64_y) : "cc"); 1569 return crypto_int64_z; 1570 #else 1571 return 1-crypto_int64_smaller_01(crypto_int64_y,crypto_int64_x); 1572 #endif 1573 } 1574 1575 __attribute__((unused)) 1576 static inline 1577 int crypto_int64_ones_num(crypto_int64 crypto_int64_x) { 1578 crypto_int64_unsigned crypto_int64_y = crypto_int64_x; 1579 const crypto_int64 C0 = 0x5555555555555555; 1580 const crypto_int64 C1 = 0x3333333333333333; 1581 const crypto_int64 C2 = 0x0f0f0f0f0f0f0f0f; 1582 crypto_int64_y -= ((crypto_int64_y >> 1) & C0); 1583 crypto_int64_y = (crypto_int64_y & C1) + ((crypto_int64_y >> 2) & C1); 1584 crypto_int64_y = (crypto_int64_y + (crypto_int64_y >> 4)) & C2; 1585 crypto_int64_y += crypto_int64_y >> 8; 1586 crypto_int64_y += crypto_int64_y >> 16; 1587 crypto_int64_y = (crypto_int64_y + (crypto_int64_y >> 32)) & 0xff; 1588 return crypto_int64_y; 1589 } 1590 1591 __attribute__((unused)) 1592 static inline 1593 int crypto_int64_bottomzeros_num(crypto_int64 crypto_int64_x) { 1594 #if defined(__GNUC__) && defined(__x86_64__) 1595 crypto_int64 fallback = 64; 1596 __asm__ ("bsfq %0,%0\n cmoveq %1,%0" : "+&r"(crypto_int64_x) : "r"(fallback) : "cc"); 1597 return crypto_int64_x; 1598 #elif defined(__GNUC__) && defined(__aarch64__) 1599 int64_t crypto_int64_y; 1600 __asm__ ("rbit %0,%1\n clz %0,%0" : "=r"(crypto_int64_y) : "r"(crypto_int64_x) : ); 1601 return crypto_int64_y; 1602 #else 1603 crypto_int64 crypto_int64_y = crypto_int64_x ^ (crypto_int64_x-1); 1604 crypto_int64_y = ((crypto_int64) crypto_int64_y) >> 1; 1605 crypto_int64_y &= ~(crypto_int64_x & (((crypto_int64) 1) << (64-1))); 1606 return crypto_int64_ones_num(crypto_int64_y); 1607 #endif 1608 } 1609 1610 #endif 1611 1612 /* from supercop-20240808/crypto_sort/int32/portable4/sort.c */ 1613 #define int32_MINMAX(a,b) crypto_int32_minmax(&a,&b) 1614 1615 static void crypto_sort_int32(void *array,long long n) 1616 { 1617 long long top,p,q,r,i,j; 1618 int32 *x = array; 1619 1620 if (n < 2) return; 1621 top = 1; 1622 while (top < n - top) top += top; 1623 1624 for (p = top;p >= 1;p >>= 1) { 1625 i = 0; 1626 while (i + 2 * p <= n) { 1627 for (j = i;j < i + p;++j) 1628 int32_MINMAX(x[j],x[j+p]); 1629 i += 2 * p; 1630 } 1631 for (j = i;j < n - p;++j) 1632 int32_MINMAX(x[j],x[j+p]); 1633 1634 i = 0; 1635 j = 0; 1636 for (q = top;q > p;q >>= 1) { 1637 if (j != i) for (;;) { 1638 if (j == n - q) goto done; 1639 int32 a = 
static void crypto_sort_int32(void *array,long long n)
{
  long long top,p,q,r,i,j;
  int32 *x = array;

  if (n < 2) return;
  top = 1;
  while (top < n - top) top += top;

  for (p = top;p >= 1;p >>= 1) {
    i = 0;
    while (i + 2 * p <= n) {
      for (j = i;j < i + p;++j)
        int32_MINMAX(x[j],x[j+p]);
      i += 2 * p;
    }
    for (j = i;j < n - p;++j)
      int32_MINMAX(x[j],x[j+p]);

    i = 0;
    j = 0;
    for (q = top;q > p;q >>= 1) {
      if (j != i) for (;;) {
        if (j == n - q) goto done;
        int32 a = x[j + p];
        for (r = q;r > p;r >>= 1)
          int32_MINMAX(a,x[j + r]);
        x[j + p] = a;
        ++j;
        if (j == i + p) {
          i += 2 * p;
          break;
        }
      }
      while (i + p <= n - q) {
        for (j = i;j < i + p;++j) {
          int32 a = x[j + p];
          for (r = q;r > p;r >>= 1)
            int32_MINMAX(a,x[j+r]);
          x[j + p] = a;
        }
        i += 2 * p;
      }
      /* now i + p > n - q */
      j = i;
      while (j < n - q) {
        int32 a = x[j + p];
        for (r = q;r > p;r >>= 1)
          int32_MINMAX(a,x[j+r]);
        x[j + p] = a;
        ++j;
      }

      done: ;
    }
  }
}

/* from supercop-20240808/crypto_sort/uint32/useint32/sort.c */

/* can save time by vectorizing xor loops */
/* can save time by integrating xor loops with int32_sort */

static void crypto_sort_uint32(void *array,long long n)
{
  crypto_uint32 *x = array;
  long long j;
  for (j = 0;j < n;++j) x[j] ^= 0x80000000;
  crypto_sort_int32(array,n);
  for (j = 0;j < n;++j) x[j] ^= 0x80000000;
}

/* from supercop-20240808/crypto_kem/sntrup761/compact/kem.c */
// 20240806 djb: some automated conversion to cryptoint

#define p 761
#define q 4591
#define w 286
#define q12 ((q - 1) / 2)
typedef int8_t small;
typedef int16_t Fq;
#define Hash_bytes 32
#define Small_bytes ((p + 3) / 4)
typedef small Inputs[p];
#define SecretKeys_bytes (2 * Small_bytes)
#define Confirm_bytes 32

static small F3_freeze(int16_t x) { return x - 3 * ((10923 * x + 16384) >> 15); }

static Fq Fq_freeze(int32_t x) {
  const int32_t q16 = (0x10000 + q / 2) / q;
  const int32_t q20 = (0x100000 + q / 2) / q;
  const int32_t q28 = (0x10000000 + q / 2) / q;
  x -= q * ((q16 * x) >> 16);
  x -= q * ((q20 * x) >> 20);
  return x - q * ((q28 * x + 0x8000000) >> 28);
}

static int Weightw_mask(small *r) {
  int i, weight = 0;
  for (i = 0; i < p; ++i) weight += crypto_int64_bottombit_01(r[i]);
  return crypto_int16_nonzero_mask(weight - w);
}

static void uint32_divmod_uint14(uint32_t *Q, uint16_t *r, uint32_t x, uint16_t m) {
  uint32_t qpart, mask, v = 0x80000000 / m;
  qpart = (x * (uint64_t)v) >> 31;
  x -= qpart * m;
  *Q = qpart;
  qpart = (x * (uint64_t)v) >> 31;
  x -= qpart * m;
  *Q += qpart;
  x -= m;
  *Q += 1;
  mask = crypto_int32_negative_mask(x);
  x += mask & (uint32_t)m;
  *Q += mask;
  *r = x;
}

static uint16_t uint32_mod_uint14(uint32_t x, uint16_t m) {
  uint32_t Q;
  uint16_t r;
  uint32_divmod_uint14(&Q, &r, x, m);
  return r;
}

static void Encode(unsigned char *out, const uint16_t *R, const uint16_t *M, long long len) {
  if (len == 1) {
    uint16_t r = R[0], m = M[0];
    while (m > 1) {
      *out++ = r;
      r >>= 8;
      m = (m + 255) >> 8;
    }
  }
  if (len > 1) {
    uint16_t R2[(len + 1) / 2], M2[(len + 1) / 2];
    long long i;
    for (i = 0; i < len - 1; i += 2) {
      uint32_t m0 = M[i];
      uint32_t r = R[i] + R[i + 1] * m0;
      uint32_t m = M[i + 1] * m0;
      while (m >= 16384) {
        *out++ = r;
        r >>= 8;
        m = (m + 255) >> 8;
      }
      R2[i / 2] = r;
      M2[i / 2] = m;
    }
    if (i < len) {
      R2[i / 2] = R[i];
      M2[i / 2] = M[i];
    }
    Encode(out, R2, M2, (len + 1) / 2);
  }
}
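/*
 * Decode inverts Encode above: it reads back the bytes Encode emitted and
 * recursively splits the combined residues, recovering out[i] in [0, M[i]).
 * Division by the small moduli goes through uint32_divmod_uint14 rather than
 * the C '/' and '%' operators, whose timing can vary.
 */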
static void Decode(uint16_t *out, const unsigned char *S, const uint16_t *M, long long len) {
  if (len == 1) {
    if (M[0] == 1)
      *out = 0;
    else if (M[0] <= 256)
      *out = uint32_mod_uint14(S[0], M[0]);
    else
      *out = uint32_mod_uint14(S[0] + (((uint16_t)S[1]) << 8), M[0]);
  }
  if (len > 1) {
    uint16_t R2[(len + 1) / 2], M2[(len + 1) / 2], bottomr[len / 2];
    uint32_t bottomt[len / 2];
    long long i;
    for (i = 0; i < len - 1; i += 2) {
      uint32_t m = M[i] * (uint32_t)M[i + 1];
      if (m > 256 * 16383) {
        bottomt[i / 2] = 256 * 256;
        bottomr[i / 2] = S[0] + 256 * S[1];
        S += 2;
        M2[i / 2] = (((m + 255) >> 8) + 255) >> 8;
      } else if (m >= 16384) {
        bottomt[i / 2] = 256;
        bottomr[i / 2] = S[0];
        S += 1;
        M2[i / 2] = (m + 255) >> 8;
      } else {
        bottomt[i / 2] = 1;
        bottomr[i / 2] = 0;
        M2[i / 2] = m;
      }
    }
    if (i < len) M2[i / 2] = M[i];
    Decode(R2, S, M2, (len + 1) / 2);
    for (i = 0; i < len - 1; i += 2) {
      uint32_t r1, r = bottomr[i / 2];
      uint16_t r0;
      r += bottomt[i / 2] * R2[i / 2];
      uint32_divmod_uint14(&r1, &r0, r, M[i]);
      r1 = uint32_mod_uint14(r1, M[i + 1]);
      *out++ = r0;
      *out++ = r1;
    }
    if (i < len) *out++ = R2[i / 2];
  }
}

static void R3_fromRq(small *out, const Fq *r) {
  int i;
  for (i = 0; i < p; ++i) out[i] = F3_freeze(r[i]);
}

static void R3_mult(small *h, const small *f, const small *g) {
  int16_t fg[p + p - 1];
  int i, j;
  for (i = 0; i < p + p - 1; ++i) fg[i] = 0;
  for (i = 0; i < p; ++i)
    for (j = 0; j < p; ++j) fg[i + j] += f[i] * (int16_t)g[j];
  for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
  for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
  for (i = 0; i < p; ++i) h[i] = F3_freeze(fg[i]);
}

static int R3_recip(small *out, const small *in) {
  small f[p + 1], g[p + 1], v[p + 1], r[p + 1];
  int sign, swap, t, i, loop, delta = 1;
  for (i = 0; i < p + 1; ++i) v[i] = 0;
  for (i = 0; i < p + 1; ++i) r[i] = 0;
  r[0] = 1;
  for (i = 0; i < p; ++i) f[i] = 0;
  f[0] = 1;
  f[p - 1] = f[p] = -1;
  for (i = 0; i < p; ++i) g[p - 1 - i] = in[i];
  g[p] = 0;
  for (loop = 0; loop < 2 * p - 1; ++loop) {
    for (i = p; i > 0; --i) v[i] = v[i - 1];
    v[0] = 0;
    sign = -g[0] * f[0];
    swap = crypto_int16_negative_mask(-delta) & crypto_int16_nonzero_mask(g[0]);
    delta ^= swap & (delta ^ -delta);
    delta += 1;
    for (i = 0; i < p + 1; ++i) {
      t = swap & (f[i] ^ g[i]);
      f[i] ^= t;
      g[i] ^= t;
      t = swap & (v[i] ^ r[i]);
      v[i] ^= t;
      r[i] ^= t;
    }
    for (i = 0; i < p + 1; ++i) g[i] = F3_freeze(g[i] + sign * f[i]);
    for (i = 0; i < p + 1; ++i) r[i] = F3_freeze(r[i] + sign * v[i]);
    for (i = 0; i < p; ++i) g[i] = g[i + 1];
    g[p] = 0;
  }
  sign = f[0];
  for (i = 0; i < p; ++i) out[i] = sign * v[p - 1 - i];
  return crypto_int16_nonzero_mask(delta);
}

static void Rq_mult_small(Fq *h, const Fq *f, const small *g) {
  int32_t fg[p + p - 1];
  int i, j;
  for (i = 0; i < p + p - 1; ++i) fg[i] = 0;
  for (i = 0; i < p; ++i)
    for (j = 0; j < p; ++j) fg[i + j] += f[i] * (int32_t)g[j];
  for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
  for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
  for (i = 0; i < p; ++i) h[i] = Fq_freeze(fg[i]);
}

static void Rq_mult3(Fq *h, const Fq *f) {
  int i;
  for (i = 0; i < p; ++i) h[i] = Fq_freeze(3 * f[i]);
}
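/*
 * Fq_recip computes a1^(q-2) = 1/a1 mod q with a fixed number of
 * multiplications (Fermat inversion).  Rq_recip3, like R3_recip above, is a
 * constant-time extended-GCD-style loop running a fixed 2*p-1 iterations;
 * swaps are applied through masks, the output is intended to satisfy
 * 3*in*out = 1 in Rq, and the return value is 0 when the inverse exists and
 * -1 otherwise.
 */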
static Fq Fq_recip(Fq a1) {
  int i = 1;
  Fq ai = a1;
  while (i < q - 2) {
    ai = Fq_freeze(a1 * (int32_t)ai);
    i += 1;
  }
  return ai;
}

static int Rq_recip3(Fq *out, const small *in) {
  Fq f[p + 1], g[p + 1], v[p + 1], r[p + 1], scale;
  int swap, t, i, loop, delta = 1;
  int32_t f0, g0;
  for (i = 0; i < p + 1; ++i) v[i] = 0;
  for (i = 0; i < p + 1; ++i) r[i] = 0;
  r[0] = Fq_recip(3);
  for (i = 0; i < p; ++i) f[i] = 0;
  f[0] = 1;
  f[p - 1] = f[p] = -1;
  for (i = 0; i < p; ++i) g[p - 1 - i] = in[i];
  g[p] = 0;
  for (loop = 0; loop < 2 * p - 1; ++loop) {
    for (i = p; i > 0; --i) v[i] = v[i - 1];
    v[0] = 0;
    swap = crypto_int16_negative_mask(-delta) & crypto_int16_nonzero_mask(g[0]);
    delta ^= swap & (delta ^ -delta);
    delta += 1;
    for (i = 0; i < p + 1; ++i) {
      t = swap & (f[i] ^ g[i]);
      f[i] ^= t;
      g[i] ^= t;
      t = swap & (v[i] ^ r[i]);
      v[i] ^= t;
      r[i] ^= t;
    }
    f0 = f[0];
    g0 = g[0];
    for (i = 0; i < p + 1; ++i) g[i] = Fq_freeze(f0 * g[i] - g0 * f[i]);
    for (i = 0; i < p + 1; ++i) r[i] = Fq_freeze(f0 * r[i] - g0 * v[i]);
    for (i = 0; i < p; ++i) g[i] = g[i + 1];
    g[p] = 0;
  }
  scale = Fq_recip(f[0]);
  for (i = 0; i < p; ++i) out[i] = Fq_freeze(scale * (int32_t)v[p - 1 - i]);
  return crypto_int16_nonzero_mask(delta);
}

static void Round(Fq *out, const Fq *a) {
  int i;
  for (i = 0; i < p; ++i) out[i] = a[i] - F3_freeze(a[i]);
}

static void Short_fromlist(small *out, const uint32_t *in) {
  uint32_t L[p];
  int i;
  for (i = 0; i < w; ++i) L[i] = in[i] & (uint32_t)-2;
  for (i = w; i < p; ++i) L[i] = (in[i] & (uint32_t)-3) | 1;
  crypto_sort_uint32(L, p);
  for (i = 0; i < p; ++i) out[i] = (L[i] & 3) - 1;
}

static void Hash_prefix(unsigned char *out, int b, const unsigned char *in, int inlen) {
  unsigned char x[inlen + 1], h[64];
  int i;
  x[0] = b;
  for (i = 0; i < inlen; ++i) x[i + 1] = in[i];
  crypto_hash_sha512(h, x, inlen + 1);
  for (i = 0; i < 32; ++i) out[i] = h[i];
}

static uint32_t urandom32(void) {
  unsigned char c[4];
  uint32_t result = 0;
  int i;
  randombytes(c, 4);
  for (i = 0; i < 4; ++i) result += ((uint32_t)c[i]) << (8 * i);
  return result;
}

static void Short_random(small *out) {
  uint32_t L[p];
  int i;
  for (i = 0; i < p; ++i) L[i] = urandom32();
  Short_fromlist(out, L);
}

static void Small_random(small *out) {
  int i;
  for (i = 0; i < p; ++i) out[i] = (((urandom32() & 0x3fffffff) * 3) >> 30) - 1;
}

static void KeyGen(Fq *h, small *f, small *ginv) {
  small g[p];
  Fq finv[p];
  for (;;) {
    int result;
    Small_random(g);
    result = R3_recip(ginv, g);
    crypto_declassify(&result, sizeof result);
    if (result == 0) break;
  }
  Short_random(f);
  Rq_recip3(finv, f);
  Rq_mult_small(h, finv, g);
}

static void Encrypt(Fq *c, const small *r, const Fq *h) {
  Fq hr[p];
  Rq_mult_small(hr, h, r);
  Round(c, hr);
}
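/*
 * Decrypt recovers the short vector r from c = Round(h*r) using f and 1/g.
 * Weightw_mask(ev) is 0 when the recovered vector has exactly w nonzero
 * coefficients and -1 otherwise; in the failure case the masking below
 * silently substitutes the fixed weight-w vector (1,...,1,0,...,0), keeping
 * the control flow independent of the secret.
 */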
static void Decrypt(small *r, const Fq *c, const small *f, const small *ginv) {
  Fq cf[p], cf3[p];
  small e[p], ev[p];
  int mask, i;
  Rq_mult_small(cf, c, f);
  Rq_mult3(cf3, cf);
  R3_fromRq(e, cf3);
  R3_mult(ev, e, ginv);
  mask = Weightw_mask(ev);
  for (i = 0; i < w; ++i) r[i] = ((ev[i] ^ 1) & ~mask) ^ 1;
  for (i = w; i < p; ++i) r[i] = ev[i] & ~mask;
}

static void Small_encode(unsigned char *s, const small *f) {
  int i, j;
  for (i = 0; i < p / 4; ++i) {
    small x = 0;
    for (j = 0;j < 4;++j) x += (*f++ + 1) << (2 * j);
    *s++ = x;
  }
  *s = *f++ + 1;
}

static void Small_decode(small *f, const unsigned char *s) {
  int i, j;
  for (i = 0; i < p / 4; ++i) {
    unsigned char x = *s++;
    for (j = 0;j < 4;++j) *f++ = ((small)((x >> (2 * j)) & 3)) - 1;
  }
  *f++ = ((small)(*s & 3)) - 1;
}

static void Rq_encode(unsigned char *s, const Fq *r) {
  uint16_t R[p], M[p];
  int i;
  for (i = 0; i < p; ++i) R[i] = r[i] + q12;
  for (i = 0; i < p; ++i) M[i] = q;
  Encode(s, R, M, p);
}

static void Rq_decode(Fq *r, const unsigned char *s) {
  uint16_t R[p], M[p];
  int i;
  for (i = 0; i < p; ++i) M[i] = q;
  Decode(R, s, M, p);
  for (i = 0; i < p; ++i) r[i] = ((Fq)R[i]) - q12;
}

static void Rounded_encode(unsigned char *s, const Fq *r) {
  uint16_t R[p], M[p];
  int i;
  for (i = 0; i < p; ++i) R[i] = ((r[i] + q12) * 10923) >> 15;
  for (i = 0; i < p; ++i) M[i] = (q + 2) / 3;
  Encode(s, R, M, p);
}

static void Rounded_decode(Fq *r, const unsigned char *s) {
  uint16_t R[p], M[p];
  int i;
  for (i = 0; i < p; ++i) M[i] = (q + 2) / 3;
  Decode(R, s, M, p);
  for (i = 0; i < p; ++i) r[i] = R[i] * 3 - q12;
}

static void ZKeyGen(unsigned char *pk, unsigned char *sk) {
  Fq h[p];
  small f[p], v[p];
  KeyGen(h, f, v);
  Rq_encode(pk, h);
  Small_encode(sk, f);
  Small_encode(sk + Small_bytes, v);
}

static void ZEncrypt(unsigned char *C, const Inputs r, const unsigned char *pk) {
  Fq h[p], c[p];
  Rq_decode(h, pk);
  Encrypt(c, r, h);
  Rounded_encode(C, c);
}

static void ZDecrypt(Inputs r, const unsigned char *C, const unsigned char *sk) {
  small f[p], v[p];
  Fq c[p];
  Small_decode(f, sk);
  Small_decode(v, sk + Small_bytes);
  Rounded_decode(c, C);
  Decrypt(r, c, f, v);
}

static void HashConfirm(unsigned char *h, const unsigned char *r, const unsigned char *cache) {
  unsigned char x[Hash_bytes * 2];
  int i;
  Hash_prefix(x, 3, r, Small_bytes);
  for (i = 0; i < Hash_bytes; ++i) x[Hash_bytes + i] = cache[i];
  Hash_prefix(h, 2, x, sizeof x);
}

static void HashSession(unsigned char *k, int b, const unsigned char *y, const unsigned char *z) {
  unsigned char x[Hash_bytes + crypto_kem_sntrup761_CIPHERTEXTBYTES];
  int i;
  Hash_prefix(x, 3, y, Small_bytes);
  for (i = 0; i < crypto_kem_sntrup761_CIPHERTEXTBYTES; ++i) x[Hash_bytes + i] = z[i];
  Hash_prefix(k, b, x, sizeof x);
}

int crypto_kem_sntrup761_keypair(unsigned char *pk, unsigned char *sk) {
  int i;
  ZKeyGen(pk, sk);
  sk += SecretKeys_bytes;
  for (i = 0; i < crypto_kem_sntrup761_PUBLICKEYBYTES; ++i) *sk++ = pk[i];
  randombytes(sk, Small_bytes);
  Hash_prefix(sk + Small_bytes, 4, pk, crypto_kem_sntrup761_PUBLICKEYBYTES);
  return 0;
}

static void Hide(unsigned char *c, unsigned char *r_enc, const Inputs r, const unsigned char *pk, const unsigned char *cache) {
  Small_encode(r_enc, r);
  ZEncrypt(c, r, pk);
  HashConfirm(c + crypto_kem_sntrup761_CIPHERTEXTBYTES - Confirm_bytes, r_enc, cache);
}
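/*
 * Encapsulation: pick a random weight-w vector r, produce the ciphertext with
 * Hide (rounded encryption plus confirmation hash), and derive the session
 * key from r_enc and the ciphertext.  Decapsulation below re-encrypts the
 * decrypted r and compares; on mismatch the mask substitutes the secret rho
 * into the session hash (implicit rejection) and flips the domain-separation
 * byte from 1 to 0.
 */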
int crypto_kem_sntrup761_enc(unsigned char *c, unsigned char *k, const unsigned char *pk) {
  Inputs r;
  unsigned char r_enc[Small_bytes], cache[Hash_bytes];
  Hash_prefix(cache, 4, pk, crypto_kem_sntrup761_PUBLICKEYBYTES);
  Short_random(r);
  Hide(c, r_enc, r, pk, cache);
  HashSession(k, 1, r_enc, c);
  return 0;
}

static int Ciphertexts_diff_mask(const unsigned char *c, const unsigned char *c2) {
  uint16_t differentbits = 0;
  int len = crypto_kem_sntrup761_CIPHERTEXTBYTES;
  while (len-- > 0) differentbits |= (*c++) ^ (*c2++);
  return (crypto_int64_bitmod_01((differentbits - 1),8)) - 1;
}

int crypto_kem_sntrup761_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk) {
  const unsigned char *pk = sk + SecretKeys_bytes;
  const unsigned char *rho = pk + crypto_kem_sntrup761_PUBLICKEYBYTES;
  const unsigned char *cache = rho + Small_bytes;
  Inputs r;
  unsigned char r_enc[Small_bytes], cnew[crypto_kem_sntrup761_CIPHERTEXTBYTES];
  int mask, i;
  ZDecrypt(r, c, sk);
  Hide(cnew, r_enc, r, pk, cache);
  mask = Ciphertexts_diff_mask(c, cnew);
  for (i = 0; i < Small_bytes; ++i) r_enc[i] ^= mask & (r_enc[i] ^ rho[i]);
  HashSession(k, 1 + mask, r_enc, c);
  return 0;
}