Home Explore Help
Sign In
SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git
1
0
Fork 0
Files
Branch: q-stable-2024-01-09
Branches Tags
ydb
/
contrib
/
restricted
/
aws
/
s2n
/
pq-crypto
/
kyber_r3
/
kyber512r3_cbd_avx2.c

kyber512r3_cbd_avx2.c 4.7 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137 
  1. #include <stdint.h>
    2. 

  2. #include "kyber512r3_params.h"
    3. 

  3. #include "kyber512r3_cbd_avx2.h"
    4. 

  4. 

  5. #if defined(S2N_KYBER512R3_AVX2_BMI2)
    6. 

  6. /*************************************************
    7. 

  7. * Name:        cbd2
    8. 

  8. *
    9. 

  9. * Description: Given an array of uniformly random bytes, compute
    10. 

  10. *              polynomial with coefficients distributed according to
    11. 

  11. *              a centered binomial distribution with parameter eta=2
    12. 

  12. *
    13. 

  13. * Arguments:   - poly *r: pointer to output polynomial
    14. 

  14. *              - const __m256i *buf: pointer to aligned input byte array
    15. 

  15. **************************************************/
    16. 

  16. static void cbd2(poly * restrict r, const __m256i buf[2*S2N_KYBER_512_R3_N/128])
    17. 

  17. { 
    18. 

  18.   unsigned int i;
    19. 

  19.   __m256i f0, f1, f2, f3;
    20. 

  20.   const __m256i mask55 = _mm256_set1_epi32(0x55555555);
    21. 

  21.   const __m256i mask33 = _mm256_set1_epi32(0x33333333);
    22. 

  22.   const __m256i mask03 = _mm256_set1_epi32(0x03030303);
    23. 

  23.   const __m256i mask0F = _mm256_set1_epi32(0x0F0F0F0F);
    24. 

  24. 

  25.   for(i = 0; i < S2N_KYBER_512_R3_N/64; i++) {
    26. 

  26.     f0 = _mm256_load_si256(&buf[i]);
    27. 

  27. 

  28.     f1 = _mm256_srli_epi16(f0, 1);
    29. 

  29.     f0 = _mm256_and_si256(mask55, f0);
    30. 

  30.     f1 = _mm256_and_si256(mask55, f1);
    31. 

  31.     f0 = _mm256_add_epi8(f0, f1);
    32. 

  32. 

  33.     f1 = _mm256_srli_epi16(f0, 2);
    34. 

  34.     f0 = _mm256_and_si256(mask33, f0);
    35. 

  35.     f1 = _mm256_and_si256(mask33, f1);
    36. 

  36.     f0 = _mm256_add_epi8(f0, mask33);
    37. 

  37.     f0 = _mm256_sub_epi8(f0, f1);
    38. 

  38. 

  39.     f1 = _mm256_srli_epi16(f0, 4);
    40. 

  40.     f0 = _mm256_and_si256(mask0F, f0);
    41. 

  41.     f1 = _mm256_and_si256(mask0F, f1);
    42. 

  42.     f0 = _mm256_sub_epi8(f0, mask03);
    43. 

  43.     f1 = _mm256_sub_epi8(f1, mask03);
    44. 

  44. 

  45.     f2 = _mm256_unpacklo_epi8(f0, f1);
    46. 

  46.     f3 = _mm256_unpackhi_epi8(f0, f1);
    47. 

  47. 

  48.     f0 = _mm256_cvtepi8_epi16(_mm256_castsi256_si128(f2));
    49. 

  49.     f1 = _mm256_cvtepi8_epi16(_mm256_extracti128_si256(f2,1));
    50. 

  50.     f2 = _mm256_cvtepi8_epi16(_mm256_castsi256_si128(f3));
    51. 

  51.     f3 = _mm256_cvtepi8_epi16(_mm256_extracti128_si256(f3,1));
    52. 

  52. 

  53.     _mm256_store_si256(&r->vec[4*i+0], f0);
    54. 

  54.     _mm256_store_si256(&r->vec[4*i+1], f2);
    55. 

  55.     _mm256_store_si256(&r->vec[4*i+2], f1);
    56. 

  56.     _mm256_store_si256(&r->vec[4*i+3], f3);
    57. 

  57.   }
    58. 

  58. }
    59. 

  59. 

  60. /*************************************************
    61. 

  61. * Name:        cbd3
    62. 

  62. *
    63. 

  63. * Description: Given an array of uniformly random bytes, compute
    64. 

  64. *              polynomial with coefficients distributed according to
    65. 

  65. *              a centered binomial distribution with parameter eta=3
    66. 

  66. *              This function is only needed for Kyber-512
    67. 

  67. *
    68. 

  68. * Arguments:   - poly *r: pointer to output polynomial
    69. 

  69. *              - const __m256i *buf: pointer to aligned input byte array
    70. 

  70. **************************************************/
    71. 

  71. static void cbd3(poly * restrict r, const uint8_t buf[3*S2N_KYBER_512_R3_N/4+8])
    72. 

  72. {
    73. 

  73.   unsigned int i;
    74. 

  74.   __m256i f0, f1, f2, f3;
    75. 

  75.   const __m256i mask249 = _mm256_set1_epi32(0x249249);
    76. 

  76.   const __m256i mask6DB = _mm256_set1_epi32(0x6DB6DB);
    77. 

  77.   const __m256i mask07 = _mm256_set1_epi32(7);
    78. 

  78.   const __m256i mask70 = _mm256_set1_epi32(7 << 16);
    79. 

  79.   const __m256i mask3 = _mm256_set1_epi16(3);
    80. 

  80.   const __m256i shufbidx = _mm256_set_epi8(-1,15,14,13,-1,12,11,10,-1, 9, 8, 7,-1, 6, 5, 4,
    81. 

  81.                                            -1,11,10, 9,-1, 8, 7, 6,-1, 5, 4, 3,-1, 2, 1, 0);
    82. 

  82. 

  83.   for(i = 0; i < S2N_KYBER_512_R3_N/32; i++) {
    84. 

  84.     // correcting cast-align and cast-qual errors
    85. 

  85.     // old version: f0 = _mm256_loadu_si256((__m256i *)&buf[24*i]);
    86. 

  86.     f0 = _mm256_loadu_si256((const void *)&buf[24*i]);
    87. 

  87.     f0 = _mm256_permute4x64_epi64(f0,0x94);
    88. 

  88.     f0 = _mm256_shuffle_epi8(f0,shufbidx);
    89. 

  89. 

  90.     f1 = _mm256_srli_epi32(f0,1);
    91. 

  91.     f2 = _mm256_srli_epi32(f0,2);
    92. 

  92.     f0 = _mm256_and_si256(mask249,f0);
    93. 

  93.     f1 = _mm256_and_si256(mask249,f1);
    94. 

  94.     f2 = _mm256_and_si256(mask249,f2);
    95. 

  95.     f0 = _mm256_add_epi32(f0,f1);
    96. 

  96.     f0 = _mm256_add_epi32(f0,f2);
    97. 

  97. 

  98.     f1 = _mm256_srli_epi32(f0,3);
    99. 

  99.     f0 = _mm256_add_epi32(f0,mask6DB);
    100. 

  100.     f0 = _mm256_sub_epi32(f0,f1);
    101. 

  101. 

  102.     f1 = _mm256_slli_epi32(f0,10);
    103. 

  103.     f2 = _mm256_srli_epi32(f0,12);
    104. 

  104.     f3 = _mm256_srli_epi32(f0, 2);
    105. 

  105.     f0 = _mm256_and_si256(f0,mask07);
    106. 

  106.     f1 = _mm256_and_si256(f1,mask70);
    107. 

  107.     f2 = _mm256_and_si256(f2,mask07);
    108. 

  108.     f3 = _mm256_and_si256(f3,mask70);
    109. 

  109.     f0 = _mm256_add_epi16(f0,f1);
    110. 

  110.     f1 = _mm256_add_epi16(f2,f3);
    111. 

  111.     f0 = _mm256_sub_epi16(f0,mask3);
    112. 

  112.     f1 = _mm256_sub_epi16(f1,mask3);
    113. 

  113. 

  114.     f2 = _mm256_unpacklo_epi32(f0,f1);
    115. 

  115.     f3 = _mm256_unpackhi_epi32(f0,f1);
    116. 

  116. 

  117.     f0 = _mm256_permute2x128_si256(f2,f3,0x20);
    118. 

  118.     f1 = _mm256_permute2x128_si256(f2,f3,0x31);
    119. 

  119. 

  120.     _mm256_store_si256(&r->vec[2*i+0], f0);
    121. 

  121.     _mm256_store_si256(&r->vec[2*i+1], f1);
    122. 

  122.   }
    123. 

  123. }
    124. 

  124. 

  125. /* buf 32 bytes longer for cbd3 */
    126. 

  126. void poly_cbd_eta1_avx2(poly *r, const __m256i buf[S2N_KYBER_512_R3_ETA1*S2N_KYBER_512_R3_N/128+1])
    127. 

  127. {
    128. 

  128.   // correcting cast-align and cast-qual errors
    129. 

  129.   // old version: cbd3(r, (uint8_t *)buf);
    130. 

  130.   cbd3(r, (const void *)buf);
    131. 

  131. }
    132. 

  132. 

  133. void poly_cbd_eta2_avx2(poly *r, const __m256i buf[S2N_KYBER_512_R3_ETA2*S2N_KYBER_512_R3_N/128])
    134. 

  134. {
    135. 

  135.   cbd2(r, buf);
    136. 

  136. }
    137. 

  137. #endif
    138.