Implementation notes: amd64, saber214, crypto_sign/dilithium3aes

Compiler output

poly.c: poly.c:50:9: error: always_inline function '_mm256_add_epi32' requires target feature 'avx2', but would be inlined into function 'crypto_sign_dilithium3aes_avx2_constbranchindex_poly_reduce' that is compiled without support for 'avx2'
poly.c:     g = _mm256_add_epi32(f,off);
poly.c:         ^
poly.c: poly.c:51:9: error: always_inline function '_mm256_srai_epi32' requires target feature 'avx2', but would be inlined into function 'crypto_sign_dilithium3aes_avx2_constbranchindex_poly_reduce' that is compiled without support for 'avx2'
poly.c:     g = _mm256_srai_epi32(g,23);
poly.c:         ^
poly.c: poly.c:52:9: error: always_inline function '_mm256_mullo_epi32' requires target feature 'avx2', but would be inlined into function 'crypto_sign_dilithium3aes_avx2_constbranchindex_poly_reduce' that is compiled without support for 'avx2'
poly.c:     g = _mm256_mullo_epi32(g,q);
poly.c:         ^
poly.c: poly.c:53:9: error: always_inline function '_mm256_sub_epi32' requires target feature 'avx2', but would be inlined into function 'crypto_sign_dilithium3aes_avx2_constbranchindex_poly_reduce' that is compiled without support for 'avx2'
poly.c:     f = _mm256_sub_epi32(f,g);
poly.c:         ^
poly.c: 4 errors generated.

Compiler output

aes256ctr.c: aes256ctr.c:90:3: error: '__builtin_ia32_aeskeygenassist128' needs target feature aes
aes256ctr.c:   BLOCK1(0x01);
aes256ctr.c:   ^
aes256ctr.c: aes256ctr.c:71:11: note: expanded from macro 'BLOCK1'
aes256ctr.c:   temp1 = _mm_aeskeygenassist_si128(temp2, IMM);                        \
aes256ctr.c:           ^
aes256ctr.c: /usr/lib/llvm-14/lib/clang/14.0.0/include/__wmmintrin_aes.h:136:13: note: expanded from macro '_mm_aeskeygenassist_si128'
aes256ctr.c:   ((__m128i)__builtin_ia32_aeskeygenassist128((__v2di)(__m128i)(C), (int)(R)))
aes256ctr.c:             ^
aes256ctr.c: aes256ctr.c:91:3: error: '__builtin_ia32_aeskeygenassist128' needs target feature aes
aes256ctr.c:   BLOCK2(0x01);
aes256ctr.c:   ^
aes256ctr.c: aes256ctr.c:81:11: note: expanded from macro 'BLOCK2'
aes256ctr.c:   temp1 = _mm_aeskeygenassist_si128(temp0, IMM);                        \
aes256ctr.c:           ^
aes256ctr.c: /usr/lib/llvm-14/lib/clang/14.0.0/include/__wmmintrin_aes.h:136:13: note: expanded from macro '_mm_aeskeygenassist_si128'
aes256ctr.c:   ((__m128i)__builtin_ia32_aeskeygenassist128((__v2di)(__m128i)(C), (int)(R)))
aes256ctr.c:             ^
aes256ctr.c: aes256ctr.c:93:3: error: '__builtin_ia32_aeskeygenassist128' needs target feature aes
aes256ctr.c:   BLOCK1(0x02);
aes256ctr.c:   ^
aes256ctr.c: aes256ctr.c:71:11: note: expanded from macro 'BLOCK1'
aes256ctr.c:   temp1 = _mm_aeskeygenassist_si128(temp2, IMM);                        \
aes256ctr.c:           ^
aes256ctr.c: /usr/lib/llvm-14/lib/clang/14.0.0/include/__wmmintrin_aes.h:136:13: note: expanded from macro '_mm_aeskeygenassist_si128'
aes256ctr.c: ...

Compiler output

poly.c: poly.c:1053:52: warning: argument 2 of type 'const uint8_t[652]' {aka 'const unsigned char[652]'} with mismatched bound [-Warray-parameter=]
poly.c:  1053 | void polyz_unpack(poly * restrict r, const uint8_t a[POLYZ_PACKEDBYTES+12]) {
poly.c:       |                                      ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
poly.c: In file included from poly.c:6:
poly.c: poly.h:111:42: note: previously declared as 'const uint8_t[654]' {aka 'const unsigned char[654]'}
poly.c:   111 | void polyz_unpack(poly *r, const uint8_t a[POLYZ_PACKEDBYTES+14]);
poly.c:       |                            ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
poly.c: poly.c:1119:26: warning: argument 1 of type 'uint8_t[128]' {aka 'unsigned char[128]'} with mismatched bound [-Warray-parameter=]
poly.c:  1119 | void polyw1_pack(uint8_t r[POLYW1_PACKEDBYTES], const poly * restrict a) {
poly.c:       |                  ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
poly.c: In file included from poly.c:6:
poly.c: poly.h:114:26: note: previously declared as 'uint8_t[136]' {aka 'unsigned char[136]'}
poly.c:   114 | void polyw1_pack(uint8_t r[POLYW1_PACKEDBYTES+8], const poly *a);
poly.c:       |                  ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
poly.c: In file included from /usr/lib/gcc/x86_64-linux-gnu/11/include/immintrin.h:47,
poly.c:                  from poly.c:2:
poly.c: poly.c: In function 'crypto_sign_dilithium3aes_avx2_constbranchindex_poly_reduce':
poly.c: /usr/lib/gcc/x86_64-linux-gnu/11/include/avx2intrin.h:815:1: error: inlining failed in call to 'always_inline' '_mm256_sub_epi32': target specific option mismatch
poly.c:   815 | _mm256_sub_epi32 (__m256i __A, __m256i __B)
poly.c:       | ^~~~~~~~~~~~~~~~
poly.c: poly.c:53:9: note: called from here
poly.c:    53 |     f = _mm256_sub_epi32(f,g);
poly.c:       |         ^~~~~~~~~~~~~~~~~~~~~
poly.c: In file included from /usr/lib/gcc/x86_64-linux-gnu/11/include/immintrin.h:47,
poly.c:                  from poly.c:2:
poly.c: ...

Compiler output

aes256ctr.c: aes256ctr.c:557:64: warning: argument 3 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Warray-parameter=]
aes256ctr.c:   557 | void aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t *key, const uint8_t *nonce)
aes256ctr.c:       |                                                 ~~~~~~~~~~~~~~~^~~
aes256ctr.c: In file included from aes256ctr.c:27:
aes256ctr.c: aes256ctr.h:21:34: note: previously declared as an array 'const uint8_t[32]' {aka 'const unsigned char[32]'}
aes256ctr.c:    21 |                    const uint8_t key[32],
aes256ctr.c:       |                    ~~~~~~~~~~~~~~^~~~~~~
aes256ctr.c: aes256ctr.c:557:84: warning: argument 4 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Warray-parameter=]
aes256ctr.c:   557 | void aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t *key, const uint8_t *nonce)
aes256ctr.c:       |                                                                     ~~~~~~~~~~~~~~~^~~~~
aes256ctr.c: In file included from aes256ctr.c:27:
aes256ctr.c: aes256ctr.h:22:34: note: previously declared as an array 'const uint8_t[12]' {aka 'const unsigned char[12]'}
aes256ctr.c:    22 |                    const uint8_t nonce[12]);
aes256ctr.c:       |                    ~~~~~~~~~~~~~~^~~~~~~~~
aes256ctr.c: aes256ctr.c:565:54: warning: argument 2 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Warray-parameter=]
aes256ctr.c:   565 | void aes256ctr_init(aes256ctr_ctx *s, const uint8_t *key, const uint8_t *nonce)
aes256ctr.c:       |                                       ~~~~~~~~~~~~~~~^~~
aes256ctr.c: In file included from aes256ctr.c:27:
aes256ctr.c: aes256ctr.h:26:35: note: previously declared as an array 'const uint8_t[32]' {aka 'const unsigned char[32]'}
aes256ctr.c:    26 |                     const uint8_t key[32],
aes256ctr.c:       |                     ~~~~~~~~~~~~~~^~~~~~~
aes256ctr.c: aes256ctr.c:565:74: warning: argument 3 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Warray-parameter=]
aes256ctr.c:   565 | void aes256ctr_init(aes256ctr_ctx *s, const uint8_t *key, const uint8_t *nonce)
aes256ctr.c:       |                                                           ~~~~~~~~~~~~~~~^~~~~
aes256ctr.c: In file included from aes256ctr.c:27:
aes256ctr.c: ...

Compiler output

aes256ctr.c: aes256ctr.c:557:64: warning: argument 3 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Warray-parameter=]
aes256ctr.c:   557 | void aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t *key, const uint8_t *nonce)
aes256ctr.c:       |                                                 ~~~~~~~~~~~~~~~^~~
aes256ctr.c: In file included from aes256ctr.c:27:
aes256ctr.c: aes256ctr.h:21:34: note: previously declared as an array 'const uint8_t[32]' {aka 'const unsigned char[32]'}
aes256ctr.c:    21 |                    const uint8_t key[32],
aes256ctr.c:       |                    ~~~~~~~~~~~~~~^~~~~~~
aes256ctr.c: aes256ctr.c:557:84: warning: argument 4 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Warray-parameter=]
aes256ctr.c:   557 | void aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t *key, const uint8_t *nonce)
aes256ctr.c:       |                                                                     ~~~~~~~~~~~~~~~^~~~~
aes256ctr.c: In file included from aes256ctr.c:27:
aes256ctr.c: aes256ctr.h:22:34: note: previously declared as an array 'const uint8_t[12]' {aka 'const unsigned char[12]'}
aes256ctr.c:    22 |                    const uint8_t nonce[12]);
aes256ctr.c:       |                    ~~~~~~~~~~~~~~^~~~~~~~~
aes256ctr.c: aes256ctr.c:565:54: warning: argument 2 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Warray-parameter=]
aes256ctr.c:   565 | void aes256ctr_init(aes256ctr_ctx *s, const uint8_t *key, const uint8_t *nonce)
aes256ctr.c:       |                                       ~~~~~~~~~~~~~~~^~~
aes256ctr.c: In file included from aes256ctr.c:27:
aes256ctr.c: aes256ctr.h:26:35: note: previously declared as an array 'const uint8_t[32]' {aka 'const unsigned char[32]'}
aes256ctr.c:    26 |                     const uint8_t key[32],
aes256ctr.c:       |                     ~~~~~~~~~~~~~~^~~~~~~
aes256ctr.c: aes256ctr.c:565:74: warning: argument 3 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Warray-parameter=]
aes256ctr.c:   565 | void aes256ctr_init(aes256ctr_ctx *s, const uint8_t *key, const uint8_t *nonce)
aes256ctr.c:       |                                                           ~~~~~~~~~~~~~~~^~~~~
aes256ctr.c: In file included from aes256ctr.c:27:
aes256ctr.c: ...
polyvec.c: polyvec.c: In function 'crypto_sign_dilithium3aes_ref_constbranchindex_polyvecl_uniform_gamma1':
polyvec.c: <command-line>: warning: 'crypto_sign_dilithium3aes_ref_constbranchindex_poly_uniform_gamma1' reading 48 bytes from a region of size 32 [-Wstringop-overread]
polyvec.c: <command-line>: note: in definition of macro 'CRYPTO_NAMESPACE'
polyvec.c: poly.h:51:29: note: in expansion of macro 'DILITHIUM_NAMESPACE'
polyvec.c:    51 | #define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
polyvec.c:       |                             ^~~~~~~~~~~~~~~~~~~
polyvec.c: polyvec.c:47:5: note: in expansion of macro 'poly_uniform_gamma1'
polyvec.c:    47 |     poly_uniform_gamma1(&v->vec[i], seed, L*nonce + i);
polyvec.c:       |     ^~~~~~~~~~~~~~~~~~~
polyvec.c: <command-line>: note: referencing argument 2 of type 'const uint8_t *' {aka 'const unsigned char *'}
polyvec.c: <command-line>: note: in definition of macro 'CRYPTO_NAMESPACE'
polyvec.c: poly.h:51:29: note: in expansion of macro 'DILITHIUM_NAMESPACE'
polyvec.c:    51 | #define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
polyvec.c:       |                             ^~~~~~~~~~~~~~~~~~~
polyvec.c: polyvec.c:47:5: note: in expansion of macro 'poly_uniform_gamma1'
polyvec.c:    47 |     poly_uniform_gamma1(&v->vec[i], seed, L*nonce + i);
polyvec.c:       |     ^~~~~~~~~~~~~~~~~~~
polyvec.c: <command-line>: note: in a call to function 'crypto_sign_dilithium3aes_ref_constbranchindex_poly_uniform_gamma1'
polyvec.c: <command-line>: note: in definition of macro 'CRYPTO_NAMESPACE'
polyvec.c: poly.h:51:29: note: in expansion of macro 'DILITHIUM_NAMESPACE'
polyvec.c:    51 | #define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
polyvec.c:       |                             ^~~~~~~~~~~~~~~~~~~
polyvec.c: poly.h:52:6: note: in expansion of macro 'poly_uniform_gamma1'
polyvec.c:    52 | void poly_uniform_gamma1(poly *a,
polyvec.c:       |      ^~~~~~~~~~~~~~~~~~~

TIMECOP error (can be valgrind bug)

Process terminating with default action of signal 4 (SIGILL)
 Illegal opcode at address 0x112261
   at 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex_blocks_xop (chacha.S:101)
   by 0x...: ??? (in /home/djb/supercop-data/saber214/amd64/try/c/clang_-march=native_-O2_-fwrapv_-Qunused-arguments_-fPIC_-fPIE_-gdwarf-4_-Wall/constbranchindex/crypto_sign/dilithium3aes/ref/work/try-timecop)
   by 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex (crypto_stream.c:14)
   by 0x...: crypto_rng_chacha20_ref_constbranchindex (rng.c:23)
   by 0x...: randombytes_internal (knownrandombytes.c:37)
   by 0x...: randombytes (knownrandombytes.c:56)
   by 0x...: crypto_sign_dilithium3aes_ref_constbranchindex_keypair (sign.c:32)
   by 0x...: test (try.c:128)
   by 0x...: main (try-anything.c:345)

TIMECOP error (can be valgrind bug)

Process terminating with default action of signal 4 (SIGILL)
 Illegal opcode at address 0x1141A1
   at 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex_blocks_xop (chacha.S:101)
   by 0x...: ??? (in /home/djb/supercop-data/saber214/amd64/try/c/clang_-march=native_-O3_-fwrapv_-Qunused-arguments_-fPIC_-fPIE_-gdwarf-4_-Wall/constbranchindex/crypto_sign/dilithium3aes/ref/work/try-timecop)
   by 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex (crypto_stream.c:14)
   by 0x...: crypto_rng_chacha20_ref_constbranchindex (rng.c:23)
   by 0x...: randombytes_internal (knownrandombytes.c:37)
   by 0x...: randombytes (knownrandombytes.c:56)
   by 0x...: crypto_sign_dilithium3aes_ref_constbranchindex_keypair (sign.c:32)
   by 0x...: test (try.c:128)
   by 0x...: main (try-anything.c:345)

TIMECOP error (can be valgrind bug)

Process terminating with default action of signal 4 (SIGILL)
 Illegal opcode at address 0x10FAE1
   at 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex_blocks_xop (chacha.S:101)
   by 0x...: ??? (in /home/djb/supercop-data/saber214/amd64/try/c/clang_-march=native_-O_-fwrapv_-Qunused-arguments_-fPIC_-fPIE_-gdwarf-4_-Wall/constbranchindex/crypto_sign/dilithium3aes/ref/work/try-timecop)
   by 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex (crypto_stream.c:14)
   by 0x...: crypto_rng_chacha20_ref_constbranchindex (rng.c:23)
   by 0x...: randombytes_internal (knownrandombytes.c:37)
   by 0x...: randombytes (knownrandombytes.c:56)
   by 0x...: crypto_sign_dilithium3aes_ref_constbranchindex_keypair (sign.c:32)
   by 0x...: test (try.c:128)
   by 0x...: main (try-anything.c:345)

TIMECOP error (can be valgrind bug)

Process terminating with default action of signal 4 (SIGILL)
 Illegal opcode at address 0x10EA21
   at 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex_blocks_xop (chacha.S:101)
   by 0x...: ??? (in /home/djb/supercop-data/saber214/amd64/try/c/clang_-march=native_-Os_-fwrapv_-Qunused-arguments_-fPIC_-fPIE_-gdwarf-4_-Wall/constbranchindex/crypto_sign/dilithium3aes/ref/work/try-timecop)
   by 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex (crypto_stream.c:14)
   by 0x...: crypto_rng_chacha20_ref_constbranchindex (rng.c:23)
   by 0x...: randombytes_internal (knownrandombytes.c:37)
   by 0x...: randombytes (knownrandombytes.c:56)
   by 0x...: crypto_sign_dilithium3aes_ref_constbranchindex_keypair (sign.c:32)
   by 0x...: test (try.c:128)
   by 0x...: main (try-anything.c:345)

TIMECOP error (can be valgrind bug)

Process terminating with default action of signal 4 (SIGILL)
 Illegal opcode at address 0x1145A1
   at 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex_blocks_xop (chacha.S:101)
   by 0x...: ??? (in /home/djb/supercop-data/saber214/amd64/try/c/clang_-mcpu=native_-O3_-fwrapv_-Qunused-arguments_-fPIC_-fPIE_-gdwarf-4_-Wall/constbranchindex/crypto_sign/dilithium3aes/ref/work/try-timecop)
   by 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex (crypto_stream.c:14)
   by 0x...: crypto_rng_chacha20_ref_constbranchindex (rng.c:23)
   by 0x...: randombytes_internal (knownrandombytes.c:37)
   by 0x...: randombytes (knownrandombytes.c:56)
   by 0x...: crypto_sign_dilithium3aes_ref_constbranchindex_keypair (sign.c:32)
   by 0x...: test (try.c:128)
   by 0x...: main (try-anything.c:345)

TIMECOP error (can be valgrind bug)

Process terminating with default action of signal 4 (SIGILL)
 Illegal opcode at address 0x10F521
   at 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex_blocks_xop (chacha.S:101)
   by 0x...: ??? (in /home/djb/supercop-data/saber214/amd64/try/c/gcc_-march=native_-mtune=native_-O_-fwrapv_-fPIC_-fPIE_-gdwarf-4_-Wall/constbranchindex/crypto_sign/dilithium3aes/ref/work/try-timecop)
   by 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex (crypto_stream.c:14)
   by 0x...: crypto_rng_chacha20_ref_constbranchindex (rng.c:23)
   by 0x...: randombytes_internal (knownrandombytes.c:37)
   by 0x...: randombytes (knownrandombytes.c:56)
   by 0x...: crypto_sign_dilithium3aes_ref_constbranchindex_keypair (sign.c:32)
   by 0x...: test (try.c:128)
   by 0x...: main (try-anything.c:345)

TIMECOP error (can be valgrind bug)

Process terminating with default action of signal 4 (SIGILL)
 Illegal opcode at address 0x10EAE1
   at 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex_blocks_xop (chacha.S:101)
   by 0x...: ??? (in /home/djb/supercop-data/saber214/amd64/try/c/gcc_-march=native_-mtune=native_-Os_-fwrapv_-fPIC_-fPIE_-gdwarf-4_-Wall/constbranchindex/crypto_sign/dilithium3aes/ref/work/try-timecop)
   by 0x...: crypto_stream_chacha20_moon_xop_64_constbranchindex (crypto_stream.c:14)
   by 0x...: crypto_rng_chacha20_ref_constbranchindex (rng.c:23)
   by 0x...: randombytes_internal (knownrandombytes.c:37)
   by 0x...: randombytes (knownrandombytes.c:56)
   by 0x...: crypto_sign_dilithium3aes_ref_constbranchindex_keypair (sign.c:32)
   by 0x...: test (try.c:128)
   by 0x...: main (try-anything.c:345)