diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml
index 69061e21dd..6139919b6c 100644
--- a/.github/workflows/basic.yml
+++ b/.github/workflows/basic.yml
@@ -49,13 +49,15 @@ jobs:
- name: Verify copy_from_upstream state after copy
working-directory: 'scripts/copy_from_upstream'
run: |
- python3 copy_from_upstream.py copy && \
- ! git status | grep -i modified
+ python3 copy_from_upstream.py -d copy && \
+ git status --porcelain && \
+ test -z "$(git status --porcelain)"
- name: Verify copy_from_upstream state after libjade
working-directory: 'scripts/copy_from_upstream'
run: |
- python3 copy_from_upstream.py libjade && \
- ! git status | grep -i modified
+ python3 copy_from_upstream.py -d libjade && \
+ git status --porcelain && \
+ test -z "$(git status --porcelain)"
buildcheck:
name: Check that code passes a basic build
diff --git a/scripts/copy_from_upstream/copy_from_upstream.py b/scripts/copy_from_upstream/copy_from_upstream.py
index 85eebf96b6..400ecc57a0 100755
--- a/scripts/copy_from_upstream/copy_from_upstream.py
+++ b/scripts/copy_from_upstream/copy_from_upstream.py
@@ -23,7 +23,8 @@
parser = argparse.ArgumentParser()
parser.add_argument("-v", "--verbosity", type=int)
-parser.add_argument("-k", "--keep_data", action='store_true')
+parser.add_argument("-k", "--keep_data", action='store_true', help='Keep upstream code in the "repos" folder')
+parser.add_argument("-d", "--delete", action='store_true', help='Delete untracked files from implementation directories')
parser.add_argument("operation", choices=["copy", "verify", "libjade"])
args = parser.parse_args()
@@ -34,6 +35,8 @@
keepdata = True if args.keep_data else False
+delete = True if args.delete else False
+
if 'LIBOQS_DIR' not in os.environ:
print("Must set environment variable LIBOQS_DIR")
exit(1)
@@ -543,6 +546,20 @@ def process_families(instructions, basedir, with_kat, with_generator, with_libja
try:
os.makedirs(os.path.join(basedir, 'src', family['type'], family['name']))
except:
+ if delete:
+ # clear out all subdirectories
+ with os.scandir(os.path.join(basedir, 'src', family['type'], family['name'])) as ls:
+ for entry in ls:
+ if entry.is_dir(follow_symlinks=False):
+ if with_libjade:
+ if not entry.name.startswith('libjade'):
+ continue
+ elif entry.name.startswith('libjade'):
+ continue
+ to_rm = os.path.join(basedir, 'src', family['type'], family['name'], entry.name)
+ if DEBUG > 3:
+ print("removing %s" % to_rm)
+ shutil.rmtree(to_rm)
pass
if 'common_deps' in family:
for common_dep in family['common_deps']:
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/LICENSE
deleted file mode 100644
index 670154e353..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@
-CC0 1.0 Universal
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator and
-subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for the
-purpose of contributing to a commons of creative, cultural and scientific
-works ("Commons") that the public can reliably and without fear of later
-claims of infringement build upon, modify, incorporate in other works, reuse
-and redistribute as freely as possible in any form whatsoever and for any
-purposes, including without limitation commercial purposes. These owners may
-contribute to the Commons to promote the ideal of a free culture and the
-further production of creative, cultural and scientific works, or to gain
-reputation or greater distribution for their Work in part through the use and
-efforts of others.
-
-For these and/or other purposes and motivations, and without any expectation
-of additional consideration or compensation, the person associating CC0 with a
-Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
-and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
-and publicly distribute the Work under its terms, with knowledge of his or her
-Copyright and Related Rights in the Work and the meaning and intended legal
-effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not limited
-to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display, communicate,
- and translate a Work;
-
- ii. moral rights retained by the original author(s) and/or performer(s);
-
- iii. publicity and privacy rights pertaining to a person's image or likeness
- depicted in a Work;
-
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
-
- v. rights protecting the extraction, dissemination, use and reuse of data in
- a Work;
-
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation thereof,
- including any amended or successor version of such directive); and
-
- vii. other similar, equivalent or corresponding rights throughout the world
- based on applicable law or treaty, and any national implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention of,
-applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
-unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
-and Related Rights and associated claims and causes of action, whether now
-known or unknown (including existing as well as future claims and causes of
-action), in the Work (i) in all territories worldwide, (ii) for the maximum
-duration provided by applicable law or treaty (including future time
-extensions), (iii) in any current or future medium and for any number of
-copies, and (iv) for any purpose whatsoever, including without limitation
-commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
-the Waiver for the benefit of each member of the public at large and to the
-detriment of Affirmer's heirs and successors, fully intending that such Waiver
-shall not be subject to revocation, rescission, cancellation, termination, or
-any other legal or equitable action to disrupt the quiet enjoyment of the Work
-by the public as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason be
-judged legally invalid or ineffective under applicable law, then the Waiver
-shall be preserved to the maximum extent permitted taking into account
-Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
-is so judged Affirmer hereby grants to each affected person a royalty-free,
-non transferable, non sublicensable, non exclusive, irrevocable and
-unconditional license to exercise Affirmer's Copyright and Related Rights in
-the Work (i) in all territories worldwide, (ii) for the maximum duration
-provided by applicable law or treaty (including future time extensions), (iii)
-in any current or future medium and for any number of copies, and (iv) for any
-purpose whatsoever, including without limitation commercial, advertising or
-promotional purposes (the "License"). The License shall be deemed effective as
-of the date CC0 was applied by Affirmer to the Work. Should any part of the
-License for any reason be judged legally invalid or ineffective under
-applicable law, such partial invalidity or ineffectiveness shall not
-invalidate the remainder of the License, and in such case Affirmer hereby
-affirms that he or she will not (i) exercise any of his or her remaining
-Copyright and Related Rights in the Work or (ii) assert any associated claims
-and causes of action with respect to the Work, in either case contrary to
-Affirmer's express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
-
- b. Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.c
deleted file mode 100644
index b956e9cb29..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.c
+++ /dev/null
@@ -1,91 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Specify which level of Merkle tree (the "layer") we're working on
- */
-void set_layer_addr(uint32_t addr[8], uint32_t layer) {
- ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer;
-}
-
-/*
- * Specify which Merkle tree within the level (the "tree address") we're working on
- */
-void set_tree_addr(uint32_t addr[8], uint64_t tree) {
- ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree );
-}
-
-/*
- * Specify the reason we'll use this address structure for, that is, what
- * hash will we compute with it. This is used so that unrelated types of
- * hashes don't accidentally get the same address structure. The type will be
- * one of the SPX_ADDR_TYPE constants
- */
-void set_type(uint32_t addr[8], uint32_t type) {
- ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type;
-}
-
-/*
- * Copy the layer and tree fields of the address structure. This is used
- * when we're doing multiple types of hashes within the same Merkle tree
- */
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
-}
-
-/* These functions are used for OTS addresses. */
-
-/*
- * Specify which Merkle leaf we're working on; that is, which OTS keypair
- * we're talking about.
- */
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair) {
- ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair;
-}
-
-/*
- * Copy the layer, tree and keypair fields of the address structure. This is
- * used when we're doing multiple things within the same OTS keypair
- */
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
- ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1];
-}
-
-/*
- * Specify which Merkle chain within the OTS we're working with
- * (the chain address)
- */
-void set_chain_addr(uint32_t addr[8], uint32_t chain) {
- ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain;
-}
-
-/*
- * Specify where in the Merkle chain we are
-* (the hash address)
- */
-void set_hash_addr(uint32_t addr[8], uint32_t hash) {
- ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-/*
- * Specify the height of the node in the Merkle/FORS tree we are in
- * (the tree height)
- */
-void set_tree_height(uint32_t addr[8], uint32_t tree_height) {
- ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height;
-}
-
-/*
- * Specify the distance from the left edge of the node in the Merkle/FORS tree
- * (the tree index)
- */
-void set_tree_index(uint32_t addr[8], uint32_t tree_index) {
- u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.h
deleted file mode 100644
index 24a84eb40c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.h
+++ /dev/null
@@ -1,52 +0,0 @@
-#ifndef SPX_ADDRESS_H
-#define SPX_ADDRESS_H
-
-#include
-
-#include "params.h"
-
-/* The hash types that are passed to set_type */
-#define SPX_ADDR_TYPE_WOTS 0
-#define SPX_ADDR_TYPE_WOTSPK 1
-#define SPX_ADDR_TYPE_HASHTREE 2
-#define SPX_ADDR_TYPE_FORSTREE 3
-#define SPX_ADDR_TYPE_FORSPK 4
-#define SPX_ADDR_TYPE_WOTSPRF 5
-#define SPX_ADDR_TYPE_FORSPRF 6
-
-#define set_layer_addr SPX_NAMESPACE(set_layer_addr)
-void set_layer_addr(uint32_t addr[8], uint32_t layer);
-
-#define set_tree_addr SPX_NAMESPACE(set_tree_addr)
-void set_tree_addr(uint32_t addr[8], uint64_t tree);
-
-#define set_type SPX_NAMESPACE(set_type)
-void set_type(uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr)
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr)
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair);
-
-#define set_chain_addr SPX_NAMESPACE(set_chain_addr)
-void set_chain_addr(uint32_t addr[8], uint32_t chain);
-
-#define set_hash_addr SPX_NAMESPACE(set_hash_addr)
-void set_hash_addr(uint32_t addr[8], uint32_t hash);
-
-#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr)
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-#define set_tree_height SPX_NAMESPACE(set_tree_height)
-void set_tree_height(uint32_t addr[8], uint32_t tree_height);
-
-#define set_tree_index SPX_NAMESPACE(set_tree_index)
-void set_tree_index(uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/api.h
deleted file mode 100644
index 8de96f7e64..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/api.h
+++ /dev/null
@@ -1,77 +0,0 @@
-#ifndef PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_API_H
-#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_API_H
-
-#include
-#include
-
-#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-128f-simple"
-
-#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 64
-#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 32
-#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_CRYPTO_BYTES 17088
-
-#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_CRYPTO_SEEDBYTES 48
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context.h
deleted file mode 100644
index 6e0a33f3b7..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef SPX_CONTEXT_H
-#define SPX_CONTEXT_H
-
-#include
-
-#include "params.h"
-
-typedef struct {
- uint8_t pub_seed[SPX_N];
- uint8_t sk_seed[SPX_N];
-} spx_ctx;
-
-#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function)
-void initialize_hash_function(spx_ctx *ctx);
-
-#define free_hash_function SPX_NAMESPACE(free_hash_function)
-void free_hash_function(spx_ctx *ctx);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context_shake.c
deleted file mode 100644
index 9614a103d3..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context_shake.c
+++ /dev/null
@@ -1,12 +0,0 @@
-#include "context.h"
-
-/* For SHAKE256, there is no immediate reason to initialize at the start,
- so this function is an empty operation. */
-void initialize_hash_function(spx_ctx *ctx) {
- (void)ctx; /* Suppress an 'unused parameter' warning. */
-}
-
-// in case the hash function api is heap-based.
-void free_hash_function(spx_ctx *ctx) {
- (void)ctx;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.h
deleted file mode 100644
index 70d1af9f14..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef SPX_F1600X2_H
-#define SPX_F1600X2_H
-
-#include
-
-extern uint64_t f1600_RC[24];
-extern void _f1600x2(uint64_t *a, uint64_t *rc);
-
-#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0)
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.s
deleted file mode 100644
index 640ed791ed..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.s
+++ /dev/null
@@ -1,143 +0,0 @@
-# From https://github.com/bwesterb/armed-keccak
-
-.macro round
- # Execute theta, but without xoring into the state yet.
- # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i].
- eor3.16b v25, v0, v5, v10
- eor3.16b v26, v1, v6, v11
- eor3.16b v27, v2, v7, v12
- eor3.16b v28, v3, v8, v13
- eor3.16b v29, v4, v9, v14
-
- eor3.16b v25, v25, v15, v20
- eor3.16b v26, v26, v16, v21
- eor3.16b v27, v27, v17, v22
- eor3.16b v28, v28, v18, v23
- eor3.16b v29, v29, v19, v24
-
- # d[0] = rotl(p[1], 1) ^ p[4]
- rax1.2d v30, v29, v26
- # d[3] = rotl(p[4], 1) ^ p[2]
- rax1.2d v29, v27, v29
- # d[1] = rotl(p[2], 1) ^ p[0]
- rax1.2d v27, v25, v27
- # d[4] = rotl(p[0], 1) ^ p[3]
- rax1.2d v25, v28, v25
- # d[2] = rotl(p[3], 1) ^ p[1]
- rax1.2d v28, v26, v28
-
- # Xor parities from step theta into the state at the same time
- # as executing rho and pi.
- eor.16b v0, v0, v30
- mov.16b v31, v1
- xar.2d v1, v6, v27, 20
- xar.2d v6, v9, v25, 44
- xar.2d v9, v22, v28, 3
- xar.2d v22, v14, v25, 25
- xar.2d v14, v20, v30, 46
- xar.2d v20, v2, v28, 2
- xar.2d v2, v12, v28, 21
- xar.2d v12, v13, v29, 39
- xar.2d v13, v19, v25, 56
- xar.2d v19, v23, v29, 8
- xar.2d v23, v15, v30, 23
- xar.2d v15, v4, v25, 37
- xar.2d v4, v24, v25, 50
- xar.2d v24, v21, v27, 62
- xar.2d v21, v8, v29, 9
- xar.2d v8, v16, v27, 19
- xar.2d v16, v5, v30, 28
- xar.2d v5, v3, v29, 36
- xar.2d v3, v18, v29, 43
- xar.2d v18, v17, v28, 49
- xar.2d v17, v11, v27, 54
- xar.2d v11, v7, v28, 58
- xar.2d v7, v10, v30, 61
- xar.2d v10, v31, v27, 63
-
- # Chi
- bcax.16b v25, v0, v2, v1
- bcax.16b v26, v1, v3, v2
- bcax.16b v2, v2, v4, v3
- bcax.16b v3, v3, v0, v4
- bcax.16b v4, v4, v1, v0
- mov.16b v0, v25
- mov.16b v1, v26
-
- bcax.16b v25, v5, v7, v6
- bcax.16b v26, v6, v8, v7
- bcax.16b v7, v7, v9, v8
- bcax.16b v8, v8, v5, v9
- bcax.16b v9, v9, v6, v5
- mov.16b v5, v25
- mov.16b v6, v26
-
- bcax.16b v25, v10, v12, v11
- bcax.16b v26, v11, v13, v12
- bcax.16b v12, v12, v14, v13
- bcax.16b v13, v13, v10, v14
- bcax.16b v14, v14, v11, v10
- mov.16b v10, v25
- mov.16b v11, v26
-
- bcax.16b v25, v15, v17, v16
- bcax.16b v26, v16, v18, v17
- bcax.16b v17, v17, v19, v18
- bcax.16b v18, v18, v15, v19
- bcax.16b v19, v19, v16, v15
- mov.16b v15, v25
- mov.16b v16, v26
-
- bcax.16b v25, v20, v22, v21
- bcax.16b v26, v21, v23, v22
- bcax.16b v22, v22, v24, v23
- bcax.16b v23, v23, v20, v24
- bcax.16b v24, v24, v21, v20
- mov.16b v20, v25
- mov.16b v21, v26
-
- # iota
- ld1r {v25.2d}, [x1], #8
- eor.16b v0, v0, v25
-.endm
-
-.align 4
-.global __f1600x2
-__f1600x2:
- stp d8, d9, [sp,#-16]!
- stp d10, d11, [sp,#-16]!
- stp d12, d13, [sp,#-16]!
- stp d14, d15, [sp,#-16]!
-
- mov x2, x0
- mov x3, #24
-
- ld1.2d {v0, v1, v2, v3}, [x0], #64
- ld1.2d {v4, v5, v6, v7}, [x0], #64
- ld1.2d {v8, v9, v10, v11}, [x0], #64
- ld1.2d {v12, v13, v14, v15}, [x0], #64
- ld1.2d {v16, v17, v18, v19}, [x0], #64
- ld1.2d {v20, v21, v22, v23}, [x0], #64
- ld1.2d {v24}, [x0]
-
-loop:
- round
-
- subs x3, x3, #1
- cbnz x3, loop
-
- mov x0, x2
- st1.2d {v0, v1, v2, v3}, [x0], #64
- st1.2d {v4, v5, v6, v7}, [x0], #64
- st1.2d {v8, v9, v10, v11}, [x0], #64
- st1.2d {v12, v13, v14, v15}, [x0], #64
- st1.2d {v16, v17, v18, v19}, [x0], #64
- st1.2d {v20, v21, v22, v23}, [x0], #64
- st1.2d {v24}, [x0]
-
- ldp d14, d15, [sp], #16
- ldp d12, d13, [sp], #16
- ldp d10, d11, [sp], #16
- ldp d8, d9, [sp], #16
-
- ret lr
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2_const.c
deleted file mode 100644
index e49c0ba149..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2_const.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "f1600x2.h"
-
-uint64_t f1600_RC[24] = {
- 0x0000000000000001,
- 0x0000000000008082,
- 0x800000000000808A,
- 0x8000000080008000,
- 0x000000000000808B,
- 0x0000000080000001,
- 0x8000000080008081,
- 0x8000000000008009,
- 0x000000000000008A,
- 0x0000000000000088,
- 0x0000000080008009,
- 0x000000008000000A,
- 0x000000008000808B,
- 0x800000000000008B,
- 0x8000000000008089,
- 0x8000000000008003,
- 0x8000000000008002,
- 0x8000000000000080,
- 0x000000000000800A,
- 0x800000008000000A,
- 0x8000000080008081,
- 0x8000000000008080,
- 0x0000000080000001,
- 0x8000000080008008,
-};
-
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.c
deleted file mode 100644
index 4718c343bc..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-#include
-
-#include "fips202x2.h"
-#include "f1600x2.h"
-#include "fips202.h"
-
-uint64_t load64(const unsigned char *x) {
- unsigned long long r = 0, i;
-
- for (i = 0; i < 8; ++i) {
- r |= (unsigned long long)x[i] << 8 * i;
- }
- return r;
-}
-
-void store64(uint8_t *x, uint64_t u) {
- unsigned int i;
-
- for (i = 0; i < 8; ++i) {
- x[i] = (uint8_t)u;
- u >>= 8;
- }
-}
-
-static void keccak_absorb2x(uint64_t *s,
- unsigned int r,
- const unsigned char *m0,
- const unsigned char *m1,
- unsigned long long int mlen,
- unsigned char p) {
- unsigned long long i;
- unsigned char t0[200];
- unsigned char t1[200];
-
- while (mlen >= r) {
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(m0 + 8 * i);
- s[2 * i + 1] ^= load64(m1 + 8 * i);
- }
-
- f1600x2(s);
- mlen -= r;
- m0 += r;
- m1 += r;
- }
-
- for (i = 0; i < r; ++i) {
- t0[i] = 0;
- t1[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t0[i] = m0[i];
- t1[i] = m1[i];
- }
-
- t0[i] = p;
- t1[i] = p;
-
- t0[r - 1] |= 128;
- t1[r - 1] |= 128;
-
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(t0 + 8 * i);
- s[2 * i + 1] ^= load64(t1 + 8 * i);
- }
-}
-
-
-static void keccak_squeezeblocks2x(unsigned char *h0,
- unsigned char *h1,
- unsigned long long int nblocks,
- uint64_t *s,
- unsigned int r) {
- unsigned int i;
-
- while (nblocks > 0) {
- f1600x2(s);
- for (i = 0; i < (r >> 3); i++) {
- store64(h0 + 8 * i, s[2 * i + 0]);
- store64(h1 + 8 * i, s[2 * i + 1]);
- }
- h0 += r;
- h1 += r;
- nblocks--;
- }
-}
-
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE128_RATE];
- unsigned char t1[SHAKE128_RATE];
- unsigned int i;
-
- /* absorb 4 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE);
-
- out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
- out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
-
- if (outlen % SHAKE128_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE);
- for (i = 0; i < outlen % SHAKE128_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
-
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE256_RATE];
- unsigned char t1[SHAKE256_RATE];
- unsigned int i;
-
- /* absorb 2 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE);
-
- out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
- out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
-
- if (outlen % SHAKE256_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE);
- for (i = 0; i < outlen % SHAKE256_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.h
deleted file mode 100644
index 7ba58b35d8..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef SPX_FIPS202X2_H
-#define SPX_FIPS202X2_H
-
-#include
-
-uint64_t load64(const unsigned char *x);
-void store64(uint8_t *x, uint64_t u);
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.c
deleted file mode 100644
index 39193d04e2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.c
+++ /dev/null
@@ -1,191 +0,0 @@
-#include
-#include
-#include
-
-#include "fors.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "thash.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- prf_addr(sk, ctx, fors_leaf_addr);
-}
-
-static void fors_gen_skx2(unsigned char *sk0,
- unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- prf_addrx2(sk0, sk1,
- ctx, fors_leaf_addrx2);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- thash(leaf, sk, 1, ctx, fors_leaf_addr);
-}
-
-static void fors_sk_to_leafx2(unsigned char *leaf0,
- unsigned char *leaf1,
- const unsigned char *sk0,
- const unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- thashx2(leaf0, leaf1,
- sk0, sk1,
- 1, ctx, fors_leaf_addrx2);
-}
-
-struct fors_gen_leaf_info {
- uint32_t leaf_addrx[2 * 8];
-};
-
-static void fors_gen_leafx2(unsigned char *leaf,
- const spx_ctx *ctx,
- uint32_t addr_idx, void *info) {
- struct fors_gen_leaf_info *fors_info = info;
- uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx;
- unsigned int j;
-
- /* Only set the parts that the caller doesn't set */
- for (j = 0; j < 2; j++) {
- set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j);
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF);
- }
-
- fors_gen_skx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-
- for (j = 0; j < 2; j++) {
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE);
- }
-
- fors_sk_to_leafx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-}
-
-/**
- * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- * Assumes indices has space for SPX_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < SPX_FORS_HEIGHT; j++) {
- indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j);
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- uint32_t fors_tree_addr[2 * 8] = {0};
- struct fors_gen_leaf_info fors_info = {0};
- uint32_t *fors_leaf_addr = fors_info.leaf_addrx;
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- for (i = 0; i < 2; i++) {
- copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr);
- set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE);
- copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr);
- }
- copy_keypair_addr(fors_pk_addr, fors_addr);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Include the secret key part that produces the selected leaf node. */
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF);
- fors_gen_sk(sig, ctx, fors_tree_addr);
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- sig += SPX_N;
-
- /* Compute the authentication path for this leaf node. */
- treehashx2(roots + i * SPX_N, sig, ctx,
- indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2,
- fors_tree_addr, &fors_info);
-
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- unsigned char leaf[SPX_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- copy_keypair_addr(fors_tree_addr, fors_addr);
- copy_keypair_addr(fors_pk_addr, fors_addr);
-
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr);
- sig += SPX_N;
-
- /* Derive the corresponding root node of this tree. */
- compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset,
- sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr);
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.h
deleted file mode 100644
index 509140a178..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef SPX_FORS_H
-#define SPX_FORS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_sign SPX_NAMESPACE(fors_sign)
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig)
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash.h
deleted file mode 100644
index f7c87d4c3c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef SPX_HASH_H
-#define SPX_HASH_H
-
-#include
-#include
-
-#include "context.h"
-#include "params.h"
-
-#define prf_addr SPX_NAMESPACE(prf_addr)
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]);
-
-#define gen_message_random SPX_NAMESPACE(gen_message_random)
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-#define hash_message SPX_NAMESPACE(hash_message)
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shake.c
deleted file mode 100644
index ff5e7ec918..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shake.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "hash.h"
-
-#include "address.h"
-#include "fips202.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Computes PRF(pk_seed, sk_seed, addr)
- */
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]) {
- unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES];
-
- memcpy(buf, ctx->pub_seed, SPX_N);
- memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES);
- memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N);
-
- shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, sk_prf, SPX_N);
- shake256_inc_absorb(&s_inc, optrand, SPX_N);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(R, SPX_N, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
-#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1))
-#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8)
-#define SPX_LEAF_BITS SPX_TREE_HEIGHT
-#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8)
-#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES)
-
- unsigned char buf[SPX_DGST_BYTES];
- unsigned char *bufp = buf;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, R, SPX_N);
- shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-
- memcpy(digest, bufp, SPX_FORS_MSG_BYTES);
- bufp += SPX_FORS_MSG_BYTES;
-
-
- *tree = bytes_to_ull(bufp, SPX_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS);
- bufp += SPX_TREE_BYTES;
-
- *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shakex2.c
deleted file mode 100644
index 99571916a2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shakex2.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include
-#include
-
-#include "hashx2.h"
-
-#include "address.h"
-#include "f1600x2.h"
-#include "fips202x2.h"
-#include "params.h"
-
-/*
- * 2-way parallel version of prf_addr; takes 2x as much input and output
- */
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the fourway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
-
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->sk_seed + 8 * i);
- state[2 * (SPX_N / 8 + i + 4)] = x;
- state[2 * (SPX_N / 8 + i + 4) + 1] = x;
- }
-
- /* SHAKE domain separator and padding. */
- state[2 * (SPX_N / 4 + 4)] = 0x1f;
- state[2 * (SPX_N / 4 + 4) + 1] = 0x1f;
-
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hashx2.h
deleted file mode 100644
index 99b8873a9b..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hashx2.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef SPX_HASHX2_H
-#define SPX_HASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define prf_addrx2 SPX_NAMESPACE(prf_addrx2)
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.c
deleted file mode 100644
index c94ee23939..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include
-#include
-
-#include "merkle.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-#include "utilsx2.h"
-#include "wots.h"
-#include "wotsx2.h"
-
-/*
- * This generates a Merkle signature (WOTS signature followed by the Merkle
- * authentication path).
- */
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf) {
- unsigned char *auth_path = sig + SPX_WOTS_BYTES;
- uint32_t tree_addrx2[2 * 8] = { 0 };
- int j;
- struct leaf_info_x2 info = { 0 };
- unsigned steps[ SPX_WOTS_LEN ];
-
- info.wots_sig = sig;
- chain_lengths(steps, root);
- info.wots_steps = steps;
-
- for (j = 0; j < 2; j++) {
- set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE);
- set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS);
- set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK);
- copy_subtree_addr(&tree_addrx2[8 * j], tree_addr);
- copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr);
- copy_subtree_addr(&info.pk_addr[8 * j], wots_addr);
- }
-
- info.wots_sign_leaf = idx_leaf;
-
- treehashx2(root, auth_path, ctx,
- idx_leaf, 0,
- SPX_TREE_HEIGHT,
- wots_gen_leafx2,
- tree_addrx2, &info);
-}
-
-/* Compute root node of the top-most subtree. */
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) {
- /* We do not need the auth path in key generation, but it simplifies the
- code to have just one treehash routine that computes both root and path
- in one function. */
- unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES];
- uint32_t top_tree_addr[8] = {0};
- uint32_t wots_addr[8] = {0};
-
- set_layer_addr(top_tree_addr, SPX_D - 1);
- set_layer_addr(wots_addr, SPX_D - 1);
-
- merkle_sign(auth_path, root, ctx,
- wots_addr, top_tree_addr,
- ~0 /* ~0 means "don't bother generating an auth path */ );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.h
deleted file mode 100644
index 769cf2e970..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef MERKLE_H_
-#define MERKLE_H_
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/* Generate a Merkle signature (WOTS signature followed by the Merkle */
-/* authentication path) */
-#define merkle_sign SPX_NAMESPACE(merkle_sign)
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf);
-
-/* Compute the root node of the top-most subtree. */
-#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root)
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx);
-
-#endif /* MERKLE_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/nistapi.h
deleted file mode 100644
index 3cb71afad4..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/nistapi.h
+++ /dev/null
@@ -1,87 +0,0 @@
-#ifndef SPX_API_H
-#define SPX_API_H
-
-#include
-#include
-
-#include "params.h"
-
-#define CRYPTO_ALGNAME "SPHINCS+"
-
-#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES
-#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES
-#define CRYPTO_BYTES SPX_BYTES
-#define CRYPTO_SEEDBYTES (3*SPX_N)
-
-/*
- * Returns the length of a secret key, in bytes
- */
-#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes)
-size_t crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes)
-size_t crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes)
-size_t crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes)
-size_t crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair)
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-#define crypto_sign SPX_NAMESPACE(crypto_sign)
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/params.h
deleted file mode 100644
index c28eb3ec56..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/params.h
+++ /dev/null
@@ -1,56 +0,0 @@
-#ifndef SPX_PARAMS_H
-#define SPX_PARAMS_H
-
-#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_##s
-
-/* Hash output length in bytes. */
-#define SPX_N 16
-/* Height of the hypertree. */
-#define SPX_FULL_HEIGHT 66
-/* Number of subtree layer. */
-#define SPX_D 22
-/* FORS tree dimensions. */
-#define SPX_FORS_HEIGHT 6
-#define SPX_FORS_TREES 33
-/* Winternitz parameter, */
-#define SPX_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define SPX_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define SPX_WOTS_LOGW 4
-
-#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW)
-
-/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define SPX_WOTS_LEN2 3
-
-#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2)
-#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N)
-#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES
-
-/* Subtree size. */
-#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D)
-
-//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT
-// #error SPX_D should always divide SPX_FULL_HEIGHT
-//#endif
-
-/* FORS parameters. */
-#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8)
-#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N)
-#define SPX_FORS_PK_BYTES SPX_N
-
-/* Resulting SPX sizes. */
-#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\
- SPX_FULL_HEIGHT * SPX_N)
-#define SPX_PK_BYTES (2 * SPX_N)
-#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES)
-
-#include "shake_offsets.h"
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/shake_offsets.h
deleted file mode 100644
index 6b28d95d91..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/shake_offsets.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef SHAKE_OFFSETS_H_
-#define SHAKE_OFFSETS_H_
-
-/*
- * Offsets of various fields in the address structure when we use SHAKE as
- * the Sphincs+ hash function
- */
-
-#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */
-#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */
-#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */
-#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */
-#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */
-#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */
-#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */
-#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */
-#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */
-
-#define SPX_SHAKE 1
-
-#endif /* SHAKE_OFFSETS_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/sign.c
deleted file mode 100644
index 9d0c7d1b22..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/sign.c
+++ /dev/null
@@ -1,286 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "context.h"
-#include "fors.h"
-#include "hash.h"
-#include "merkle.h"
-#include "nistapi.h"
-#include "params.h"
-#include "randombytes.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t crypto_sign_secretkeybytes(void) {
- return CRYPTO_SECRETKEYBYTES;
-}
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t crypto_sign_publickeybytes(void) {
- return CRYPTO_PUBLICKEYBYTES;
-}
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t crypto_sign_bytes(void) {
- return CRYPTO_BYTES;
-}
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t crypto_sign_seedbytes(void) {
- return CRYPTO_SEEDBYTES;
-}
-
-/*
- * Generates an SPX key pair given a seed of length
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed) {
- spx_ctx ctx;
-
- /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */
- memcpy(sk, seed, CRYPTO_SEEDBYTES);
-
- memcpy(pk, sk + 2 * SPX_N, SPX_N);
-
- memcpy(ctx.pub_seed, pk, SPX_N);
- memcpy(ctx.sk_seed, sk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- /* Compute root node of the top-most subtree. */
- merkle_gen_root(sk + 3 * SPX_N, &ctx);
-
- // cleanup
- free_hash_function(&ctx);
-
- memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N);
-
- return 0;
-}
-
-/*
- * Generates an SPX key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seed[CRYPTO_SEEDBYTES];
- randombytes(seed, CRYPTO_SEEDBYTES);
- crypto_sign_seed_keypair(pk, sk, seed);
-
- return 0;
-}
-
-/**
- * Returns an array containing a detached signature.
- */
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- spx_ctx ctx;
-
- const uint8_t *sk_prf = sk + SPX_N;
- const uint8_t *pk = sk + 2 * SPX_N;
-
- uint8_t optrand[SPX_N];
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t root[SPX_N];
- uint32_t i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
-
- memcpy(ctx.sk_seed, sk, SPX_N);
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
-
- /* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
- randombytes(optrand, SPX_N);
- /* Compute the digest randomization value. */
- gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx);
-
- /* Derive the message digest and leaf index from R, PK and M. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- /* Sign the message hash using FORS. */
- fors_sign(sig, root, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf);
- sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- free_hash_function(&ctx);
-
- *siglen = SPX_BYTES;
-
- return 0;
-}
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- spx_ctx ctx;
- const uint8_t *pub_root = pk + SPX_N;
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t wots_pk[SPX_WOTS_BYTES];
- uint8_t root[SPX_N];
- uint8_t leaf[SPX_N];
- unsigned int i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- if (siglen != SPX_BYTES) {
- return -1;
- }
-
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
- set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK);
-
- /* Derive the message digest and leaf index from R || PK || M. */
- /* The additional SPX_N is a result of the hash domain separator. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- /* Layer correctly defaults to 0, so no need to set_layer_addr */
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- /* For each subtree.. */
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- copy_keypair_addr(wots_pk_addr, wots_addr);
-
- /* The WOTS public key is only correct if the signature was correct. */
- /* Initially, root is the FORS pk, but on subsequent iterations it is
- the root of the subtree below the currently processed subtree. */
- wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr);
- sig += SPX_WOTS_BYTES;
-
- /* Compute the leaf node using the WOTS public key. */
- thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr);
-
- /* Compute the root node of this subtree. */
- compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT,
- &ctx, tree_addr);
- sig += SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- // cleanup
- free_hash_function(&ctx);
-
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pub_root, SPX_N) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk) {
- size_t siglen;
-
- crypto_sign_signature(sm, &siglen, m, mlen, sk);
-
- memmove(sm + SPX_BYTES, m, mlen);
- *smlen = siglen + mlen;
-
- return 0;
-}
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk) {
- /* The API caller does not necessarily know what size a signature should be
- but SPHINCS+ signatures are always exactly SPX_BYTES. */
- if (smlen < SPX_BYTES) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- *mlen = smlen - SPX_BYTES;
-
- if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- /* If verification was successful, move the message to the right place. */
- memmove(m, sm + SPX_BYTES, *mlen);
-
- return 0;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash.h
deleted file mode 100644
index 8687ccfb4d..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef SPX_THASH_H
-#define SPX_THASH_H
-
-#include "context.h"
-#include "params.h"
-
-#include
-
-#define thash SPX_NAMESPACE(thash)
-void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash_shake_simplex2.c
deleted file mode 100644
index 892e453690..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash_shake_simplex2.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "thash.h"
-#include "thashx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-#include "f1600x2.h"
-#include "fips202x2.h"
-
-
-void thash(unsigned char *out,
- const unsigned char *in,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t addrx2 [2 * 8] = {
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7],
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7]
- };
- thashx2(out, out, in, in, inblocks, ctx, addrx2);
-}
-
-/**
- * 2-way parallel version of thash; takes 2x as much input and output
- */
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]) {
- if (inblocks == 1 || inblocks == 2) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the twoway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
-
- for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) {
- state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i);
- state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i);
- }
-
- /* Domain separator and padding. */
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f;
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
- } else {
- PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
-
- memcpy(buf0, ctx->pub_seed, SPX_N);
- memcpy(buf1, ctx->pub_seed, SPX_N);
- memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES);
- memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES);
- memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N);
- memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N);
-
- shake256x2(out0, out1, SPX_N,
- buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thashx2.h
deleted file mode 100644
index 040375e618..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thashx2.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef SPX_THASHX2_H
-#define SPX_THASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define thashx2 SPX_NAMESPACE(thashx2)
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.c
deleted file mode 100644
index 177b541fb9..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-
-#include "utils.h"
-
-#include "address.h"
-#include "hash.h"
-#include "params.h"
-#include "thash.h"
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in) {
- int i;
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (i = (signed int)outlen - 1; i >= 0; i--) {
- out[i] = in & 0xff;
- in = in >> 8;
- }
-}
-
-void u32_to_bytes(unsigned char *out, uint32_t in) {
- out[0] = (unsigned char)(in >> 24);
- out[1] = (unsigned char)(in >> 16);
- out[2] = (unsigned char)(in >> 8);
- out[3] = (unsigned char)in;
-}
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) {
- unsigned long long retval = 0;
- unsigned int i;
-
- for (i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i));
- }
- return retval;
-}
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t i;
- unsigned char buffer[2 * SPX_N];
-
- /* If leaf_idx is odd (last bit = 1), current path element is a right child
- and auth_path has to go left. Otherwise it is the other way around. */
- if (leaf_idx & 1) {
- memcpy(buffer + SPX_N, leaf, SPX_N);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- memcpy(buffer, leaf, SPX_N);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
-
- for (i = 0; i < tree_height - 1; i++) {
- leaf_idx >>= 1;
- idx_offset >>= 1;
- /* Set the address of the node we're creating. */
- set_tree_height(addr, i + 1);
- set_tree_index(addr, leaf_idx + idx_offset);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leaf_idx & 1) {
- thash(buffer + SPX_N, buffer, 2, ctx, addr);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- thash(buffer, buffer, 2, ctx, addr);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
- }
-
- /* The last iteration is exceptional; we do not copy an auth_path node. */
- leaf_idx >>= 1;
- idx_offset >>= 1;
- set_tree_height(addr, tree_height);
- set_tree_index(addr, leaf_idx + idx_offset);
- thash(root, buffer, 2, ctx, addr);
-}
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx * /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]) {
- PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N);
- PQCLEAN_VLA(unsigned int, heights, tree_height + 1);
- unsigned int offset = 0;
- uint32_t idx;
- uint32_t tree_idx;
-
- for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) {
- /* Add the next leaf node to the stack. */
- gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr);
- offset++;
- heights[offset - 1] = 0;
-
- /* If this is a node we need for the auth path.. */
- if ((leaf_idx ^ 0x1) == idx) {
- memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N);
- }
-
- /* While the top-most nodes are of equal height.. */
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {
- /* Compute index of the new node, in the next layer. */
- tree_idx = (idx >> (heights[offset - 1] + 1));
-
- /* Set the address of the node we're creating. */
- set_tree_height(tree_addr, heights[offset - 1] + 1);
- set_tree_index(tree_addr,
- tree_idx + (idx_offset >> (heights[offset - 1] + 1)));
- /* Hash the top-most nodes from the stack together. */
- thash(stack + (offset - 2)*SPX_N,
- stack + (offset - 2)*SPX_N, 2, ctx, tree_addr);
- offset--;
- /* Note that the top-most node is now one layer higher. */
- heights[offset - 1]++;
-
- /* If this is a node we need for the auth path.. */
- if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {
- memcpy(auth_path + heights[offset - 1]*SPX_N,
- stack + (offset - 1)*SPX_N, SPX_N);
- }
- }
- }
- memcpy(root, stack, SPX_N);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.h
deleted file mode 100644
index 64f5d5a53a..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.h
+++ /dev/null
@@ -1,58 +0,0 @@
-#ifndef SPX_UTILS_H
-#define SPX_UTILS_H
-
-#include
-
-#include "compat.h"
-#include "context.h"
-#include "params.h"
-
-
-/* To support MSVC use alloca() instead of VLAs. See #20. */
-
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes)
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in);
-#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes)
-void u32_to_bytes(unsigned char *out, uint32_t in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull)
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-#define compute_root SPX_NAMESPACE(compute_root)
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-#define treehash SPX_NAMESPACE(treehash)
-void treehash(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx *ctx /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]);
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.c
deleted file mode 100644
index 8736474e4f..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.c
+++ /dev/null
@@ -1,130 +0,0 @@
-#include
-
-#include "utilsx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-
-/*
- * Generate the entire Merkle tree, computing the authentication path for leaf_idx,
- * and the resulting root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE)
- *
- * This expects tree_addrx2 to be initialized to 2 parallel addr structures for
- * the Merkle tree nodes
- *
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This works by using the standard Merkle tree building algorithm, except
- * that each 'node' tracked is actually 2 consecutive nodes in the real tree.
- * When we combine two logical nodes AB and WX, we perform the H
- * operation on adjacent real nodes, forming the parent logical node
- * (AB)(WX)
- *
- * When we get to the top level of the real tree (where there is only
- * one logical node), we continue this operation one more time; the right
- * most real node will by the actual root (and the other node will be
- * garbage). We follow the same thashx2 logic so that the 'extract
- * authentication path components' part of the loop is still executed (and
- * to simplify the code somewhat)
- */
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset,
- uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx *,
- uint32_t idx, void *info),
- uint32_t tree_addrx2[2 * 8],
- void *info) {
- /* This is where we keep the intermediate nodes */
- unsigned char stackx2[tree_height * 2 * SPX_N];
- uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */
- /* level, the left-most part of the tree isn't at the beginning */
- /* of current[]. These give the offset of the actual start */
-
- uint32_t idx;
- uint32_t max_idx = (1 << (tree_height - 1)) - 1;
- for (idx = 0;; idx++) {
- unsigned char current[2 * SPX_N]; /* Current logical node */
- gen_leafx2( current, ctx, 2 * idx + idx_offset,
- info );
-
- /* Now combine the freshly generated right node with previously */
- /* generated left ones */
- uint32_t internal_idx_offset = idx_offset;
- uint32_t internal_idx = idx;
- uint32_t internal_leaf = leaf_idx;
- uint32_t h; /* The height we are in the Merkle tree */
- for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) {
-
- /* Special processing if we're at the top of the tree */
- if (h >= tree_height - 1) {
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
- /* The tree indexing logic is a bit off in this case */
- /* Adjust it so that the left-most node of the part of */
- /* the tree that we're processing has index 0 */
- prev_left_adj = left_adj;
- left_adj = 2 - (1 << (tree_height - h - 1));
- }
-
- /* Check if we hit the top of the tree */
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
-
- /*
- * Check if one of the nodes we have is a part of the
- * authentication path; if it is, write it out
- */
- if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) {
- memcpy( &auth_path[ h * SPX_N ],
- ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N],
- SPX_N );
- }
-
- /*
- * Check if we're at a left child; if so, stop going up the stack
- * Exception: if we've reached the end of the tree, keep on going
- * (so we combine the last 2 nodes into the one root node in two
- * more iterations)
- */
- if ((internal_idx & 1) == 0 && idx < max_idx) {
- break;
- }
-
- /* Ok, we're at a right node (or doing the top 3 levels) */
- /* Now combine the left and right logical nodes together */
-
- /* Set the address of the node we're creating. */
- int j;
- internal_idx_offset >>= 1;
- for (j = 0; j < 2; j++) {
- set_tree_height(tree_addrx2 + j * 8, h + 1);
- set_tree_index(tree_addrx2 + j * 8,
- (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset );
- }
- unsigned char *left = &stackx2[h * 2 * SPX_N];
- thashx2( ¤t[0 * SPX_N],
- ¤t[1 * SPX_N],
- &left [0 * SPX_N],
- ¤t[0 * SPX_N],
- 2, ctx, tree_addrx2);
- }
-
- /* We've hit a left child; save the current for when we get the */
- /* corresponding right right */
- memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.h
deleted file mode 100644
index e09faddc43..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef SPX_UTILSX2_H
-#define SPX_UTILSX2_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This implementation uses SIMD to compute internal nodes 2 at a time (in
- * parallel)
- */
-#define treehashx2 SPX_NAMESPACE(treehashx2)
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx * /* ctx */,
- uint32_t addr_idx, void *info),
- uint32_t tree_addrx2[2 * 8], void *info);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.c
deleted file mode 100644
index 3babe45e95..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.c
+++ /dev/null
@@ -1,259 +0,0 @@
-#include
-#include
-
-#include "wots.h"
-#include "wotsx2.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes up the chains
- */
-static void gen_chains(
- unsigned char *out,
- const unsigned char *in,
- unsigned int start[SPX_WOTS_LEN],
- const unsigned int steps[SPX_WOTS_LEN],
- const spx_ctx *ctx,
- uint32_t addr[8]) {
- uint32_t i, j, k, idx, watching;
- int done;
- unsigned char empty[SPX_N];
- unsigned char *bufs[4];
- uint32_t addrs[8 * 2];
-
- int l;
- uint16_t counts[SPX_WOTS_W] = { 0 };
- uint16_t idxs[SPX_WOTS_LEN];
- uint16_t total, newTotal;
-
- /* set addrs = {addr, addr} */
- for (j = 0; j < 2; j++) {
- memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8);
- }
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, SPX_WOTS_LEN * SPX_N);
-
- /* Sort the chains in reverse order by steps using counting sort. */
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- counts[steps[i]]++;
- }
- total = 0;
- for (l = SPX_WOTS_W - 1; l >= 0; l--) {
- newTotal = counts[l] + total;
- counts[l] = total;
- total = newTotal;
- }
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- idxs[counts[steps[i]]] = i;
- counts[steps[i]]++;
- }
-
- /* We got our work cut out for us: do it! */
- for (i = 0; i < SPX_WOTS_LEN; i += 2) {
- for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) {
- idx = idxs[i + j];
- set_chain_addr(addrs + j * 8, idx);
- bufs[j] = out + SPX_N * idx;
- }
-
- /* As the chains are sorted in reverse order, we know that the first
- * chain is the longest and the last one is the shortest. We keep
- * an eye on whether the last chain is done and then on the one before,
- * et cetera. */
- watching = 1;
- done = 0;
- while (i + watching >= SPX_WOTS_LEN) {
- bufs[watching] = &empty[0];
- watching--;
- }
-
- for (k = 0;; k++) {
- while (k == steps[idxs[i + watching]]) {
- bufs[watching] = &empty[0];
- if (watching == 0) {
- done = 1;
- break;
- }
- watching--;
- }
- if (done) {
- break;
- }
- for (j = 0; j < watching + 1; j++) {
- set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]);
- }
-
- thashx2(bufs[0], bufs[1],
- bufs[0], bufs[1], 1, ctx, addrs);
- }
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const int out_len,
- const unsigned char *input) {
- int in = 0;
- int out = 0;
- unsigned char total = 0;
- int bits = 0;
- int consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= SPX_WOTS_LOGW;
- output[out] = (total >> bits) & (SPX_WOTS_W - 1);
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w,
- const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < SPX_WOTS_LEN1; i++) {
- csum += SPX_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w. */
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8);
- ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, SPX_WOTS_LEN1, msg);
- wots_checksum(lengths + SPX_WOTS_LEN1, lengths);
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]) {
- unsigned int steps[SPX_WOTS_LEN];
- unsigned int start[SPX_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(start, msg);
-
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- steps[i] = SPX_WOTS_W - 1 - start[i];
- }
-
- gen_chains(pk, sig, start, steps, ctx, addr);
-}
-
-/*
- * This generates 2 sequential WOTS public keys
- * It also generates the WOTS signature if leaf_info indicates
- * that we're signing with one of these WOTS keys
- */
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info) {
- struct leaf_info_x2 *info = v_info;
- uint32_t *leaf_addr = info->leaf_addr;
- uint32_t *pk_addr = info->pk_addr;
- unsigned int i, j, k;
- unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ];
- unsigned wots_offset = SPX_WOTS_BYTES;
- unsigned char *buffer;
- uint32_t wots_k_mask;
- unsigned wots_sign_index;
-
- if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) {
- /* We're traversing the leaf that's signing; generate the WOTS */
- /* signature */
- wots_k_mask = 0;
- wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */
- /* slots do the signatures come from */
- } else {
- /* Nope, we're just generating pk's; turn off the signature logic */
- wots_k_mask = ~0;
- wots_sign_index = 0;
- }
-
- for (j = 0; j < 2; j++) {
- set_keypair_addr( leaf_addr + j * 8, leaf_idx + j );
- set_keypair_addr( pk_addr + j * 8, leaf_idx + j );
- }
-
- for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) {
- uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */
- /* the step if we're generating a signature, ~0 if we're not */
-
- /* Start with the secret seed */
- for (j = 0; j < 2; j++) {
- set_chain_addr(leaf_addr + j * 8, i);
- set_hash_addr(leaf_addr + j * 8, 0);
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF);
- }
- prf_addrx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- ctx, leaf_addr);
- for (j = 0; j < 2; j++) {
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS);
- }
-
- /* Iterate down the WOTS chain */
- for (k = 0;; k++) {
- /* Check if one of the values we have needs to be saved as a */
- /* part of the WOTS signature */
- if (k == wots_k) {
- memcpy( info->wots_sig + i * SPX_N,
- buffer + wots_sign_index * wots_offset, SPX_N );
- }
-
- /* Check if we hit the top of the chain */
- if (k == SPX_WOTS_W - 1) {
- break;
- }
-
- /* Iterate one step on all 4 chains */
- for (j = 0; j < 2; j++) {
- set_hash_addr(leaf_addr + j * 8, k);
- }
- thashx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- 1, ctx, leaf_addr);
- }
- }
-
- /* Do the final thash to generate the public keys */
- thashx2(dest + 0 * SPX_N,
- dest + 1 * SPX_N,
- pk_buffer + 0 * wots_offset,
- pk_buffer + 1 * wots_offset,
- SPX_WOTS_LEN, ctx, pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.h
deleted file mode 100644
index 4e7692eeef..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef SPX_WOTS_H
-#define SPX_WOTS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig)
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/*
- * Compute the chain lengths needed for a given message hash
- */
-#define chain_lengths SPX_NAMESPACE(chain_lengths)
-void chain_lengths(unsigned int *lengths, const unsigned char *msg);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wotsx2.h
deleted file mode 100644
index b58bb61f84..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wotsx2.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef WOTSX2_H_
-#define WOTSX2_H_
-
-#include "params.h"
-#include
-
-/*
- * This is here to provide an interface to the internal wots_gen_leafx2
- * routine. While this routine is not referenced in the package outside of
- * wots.c, it is called from the stand-alone benchmark code to characterize
- * the performance
- */
-struct leaf_info_x2 {
- unsigned char *wots_sig;
- uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */
- uint32_t *wots_steps;
- uint32_t leaf_addr[2 * 8];
- uint32_t pk_addr[2 * 8];
-};
-
-/* Macro to set the leaf_info to something 'benign', that is, it would */
-/* run with the same time as it does during the real signing process */
-/* Used only by the benchmark code */
-#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \
- (info).wots_sig = 0; \
- (info).wots_sign_leaf = ~0; \
- (info).wots_steps = step_buffer; \
- int i; \
- for (i=0; i<2; i++) { \
- memcpy( &(info).leaf_addr[8*i], addr, 32 ); \
- memcpy( &(info).pk_addr[8*i], addr, 32 ); \
- } \
- }
-
-#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2)
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info);
-
-#endif /* WOTSX2_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/LICENSE
deleted file mode 100644
index 670154e353..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@
-CC0 1.0 Universal
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator and
-subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for the
-purpose of contributing to a commons of creative, cultural and scientific
-works ("Commons") that the public can reliably and without fear of later
-claims of infringement build upon, modify, incorporate in other works, reuse
-and redistribute as freely as possible in any form whatsoever and for any
-purposes, including without limitation commercial purposes. These owners may
-contribute to the Commons to promote the ideal of a free culture and the
-further production of creative, cultural and scientific works, or to gain
-reputation or greater distribution for their Work in part through the use and
-efforts of others.
-
-For these and/or other purposes and motivations, and without any expectation
-of additional consideration or compensation, the person associating CC0 with a
-Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
-and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
-and publicly distribute the Work under its terms, with knowledge of his or her
-Copyright and Related Rights in the Work and the meaning and intended legal
-effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not limited
-to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display, communicate,
- and translate a Work;
-
- ii. moral rights retained by the original author(s) and/or performer(s);
-
- iii. publicity and privacy rights pertaining to a person's image or likeness
- depicted in a Work;
-
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
-
- v. rights protecting the extraction, dissemination, use and reuse of data in
- a Work;
-
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation thereof,
- including any amended or successor version of such directive); and
-
- vii. other similar, equivalent or corresponding rights throughout the world
- based on applicable law or treaty, and any national implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention of,
-applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
-unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
-and Related Rights and associated claims and causes of action, whether now
-known or unknown (including existing as well as future claims and causes of
-action), in the Work (i) in all territories worldwide, (ii) for the maximum
-duration provided by applicable law or treaty (including future time
-extensions), (iii) in any current or future medium and for any number of
-copies, and (iv) for any purpose whatsoever, including without limitation
-commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
-the Waiver for the benefit of each member of the public at large and to the
-detriment of Affirmer's heirs and successors, fully intending that such Waiver
-shall not be subject to revocation, rescission, cancellation, termination, or
-any other legal or equitable action to disrupt the quiet enjoyment of the Work
-by the public as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason be
-judged legally invalid or ineffective under applicable law, then the Waiver
-shall be preserved to the maximum extent permitted taking into account
-Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
-is so judged Affirmer hereby grants to each affected person a royalty-free,
-non transferable, non sublicensable, non exclusive, irrevocable and
-unconditional license to exercise Affirmer's Copyright and Related Rights in
-the Work (i) in all territories worldwide, (ii) for the maximum duration
-provided by applicable law or treaty (including future time extensions), (iii)
-in any current or future medium and for any number of copies, and (iv) for any
-purpose whatsoever, including without limitation commercial, advertising or
-promotional purposes (the "License"). The License shall be deemed effective as
-of the date CC0 was applied by Affirmer to the Work. Should any part of the
-License for any reason be judged legally invalid or ineffective under
-applicable law, such partial invalidity or ineffectiveness shall not
-invalidate the remainder of the License, and in such case Affirmer hereby
-affirms that he or she will not (i) exercise any of his or her remaining
-Copyright and Related Rights in the Work or (ii) assert any associated claims
-and causes of action with respect to the Work, in either case contrary to
-Affirmer's express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
-
- b. Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.c
deleted file mode 100644
index d49d9f3b6b..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.c
+++ /dev/null
@@ -1,95 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Specify which level of Merkle tree (the "layer") we're working on
- */
-void set_layer_addr(uint32_t addr[8], uint32_t layer) {
- ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer;
-}
-
-/*
- * Specify which Merkle tree within the level (the "tree address") we're working on
- */
-void set_tree_addr(uint32_t addr[8], uint64_t tree) {
- ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree );
-}
-
-/*
- * Specify the reason we'll use this address structure for, that is, what
- * hash will we compute with it. This is used so that unrelated types of
- * hashes don't accidentally get the same address structure. The type will be
- * one of the SPX_ADDR_TYPE constants
- */
-void set_type(uint32_t addr[8], uint32_t type) {
- ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type;
-}
-
-/*
- * Copy the layer and tree fields of the address structure. This is used
- * when we're doing multiple types of hashes within the same Merkle tree
- */
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
-}
-
-/* These functions are used for OTS addresses. */
-
-/*
- * Specify which Merkle leaf we're working on; that is, which OTS keypair
- * we're talking about.
- */
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair) {
- /* We have > 256 OTS at the bottom of the Merkle tree; to specify */
- /* which one, we'd need to express it in two bytes */
- ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR2] = (unsigned char)(keypair >> 8);
- ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair;
-}
-
-/*
- * Copy the layer, tree and keypair fields of the address structure. This is
- * used when we're doing multiple things within the same OTS keypair
- */
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
- ((unsigned char *)out)[SPX_OFFSET_KP_ADDR2] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR2];
- ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1];
-}
-
-/*
- * Specify which Merkle chain within the OTS we're working with
- * (the chain address)
- */
-void set_chain_addr(uint32_t addr[8], uint32_t chain) {
- ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain;
-}
-
-/*
- * Specify where in the Merkle chain we are
-* (the hash address)
- */
-void set_hash_addr(uint32_t addr[8], uint32_t hash) {
- ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-/*
- * Specify the height of the node in the Merkle/FORS tree we are in
- * (the tree height)
- */
-void set_tree_height(uint32_t addr[8], uint32_t tree_height) {
- ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height;
-}
-
-/*
- * Specify the distance from the left edge of the node in the Merkle/FORS tree
- * (the tree index)
- */
-void set_tree_index(uint32_t addr[8], uint32_t tree_index) {
- u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.h
deleted file mode 100644
index 24a84eb40c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.h
+++ /dev/null
@@ -1,52 +0,0 @@
-#ifndef SPX_ADDRESS_H
-#define SPX_ADDRESS_H
-
-#include
-
-#include "params.h"
-
-/* The hash types that are passed to set_type */
-#define SPX_ADDR_TYPE_WOTS 0
-#define SPX_ADDR_TYPE_WOTSPK 1
-#define SPX_ADDR_TYPE_HASHTREE 2
-#define SPX_ADDR_TYPE_FORSTREE 3
-#define SPX_ADDR_TYPE_FORSPK 4
-#define SPX_ADDR_TYPE_WOTSPRF 5
-#define SPX_ADDR_TYPE_FORSPRF 6
-
-#define set_layer_addr SPX_NAMESPACE(set_layer_addr)
-void set_layer_addr(uint32_t addr[8], uint32_t layer);
-
-#define set_tree_addr SPX_NAMESPACE(set_tree_addr)
-void set_tree_addr(uint32_t addr[8], uint64_t tree);
-
-#define set_type SPX_NAMESPACE(set_type)
-void set_type(uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr)
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr)
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair);
-
-#define set_chain_addr SPX_NAMESPACE(set_chain_addr)
-void set_chain_addr(uint32_t addr[8], uint32_t chain);
-
-#define set_hash_addr SPX_NAMESPACE(set_hash_addr)
-void set_hash_addr(uint32_t addr[8], uint32_t hash);
-
-#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr)
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-#define set_tree_height SPX_NAMESPACE(set_tree_height)
-void set_tree_height(uint32_t addr[8], uint32_t tree_height);
-
-#define set_tree_index SPX_NAMESPACE(set_tree_index)
-void set_tree_index(uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/api.h
deleted file mode 100644
index 2db63eec43..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/api.h
+++ /dev/null
@@ -1,77 +0,0 @@
-#ifndef PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_API_H
-#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_API_H
-
-#include
-#include
-
-#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-128s-simple"
-
-#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 64
-#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 32
-#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_CRYPTO_BYTES 7856
-
-#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_CRYPTO_SEEDBYTES 48
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context.h
deleted file mode 100644
index 6e0a33f3b7..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef SPX_CONTEXT_H
-#define SPX_CONTEXT_H
-
-#include
-
-#include "params.h"
-
-typedef struct {
- uint8_t pub_seed[SPX_N];
- uint8_t sk_seed[SPX_N];
-} spx_ctx;
-
-#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function)
-void initialize_hash_function(spx_ctx *ctx);
-
-#define free_hash_function SPX_NAMESPACE(free_hash_function)
-void free_hash_function(spx_ctx *ctx);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context_shake.c
deleted file mode 100644
index 9614a103d3..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context_shake.c
+++ /dev/null
@@ -1,12 +0,0 @@
-#include "context.h"
-
-/* For SHAKE256, there is no immediate reason to initialize at the start,
- so this function is an empty operation. */
-void initialize_hash_function(spx_ctx *ctx) {
- (void)ctx; /* Suppress an 'unused parameter' warning. */
-}
-
-// in case the hash function api is heap-based.
-void free_hash_function(spx_ctx *ctx) {
- (void)ctx;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.h
deleted file mode 100644
index 70d1af9f14..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef SPX_F1600X2_H
-#define SPX_F1600X2_H
-
-#include
-
-extern uint64_t f1600_RC[24];
-extern void _f1600x2(uint64_t *a, uint64_t *rc);
-
-#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0)
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.s
deleted file mode 100644
index 640ed791ed..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.s
+++ /dev/null
@@ -1,143 +0,0 @@
-# From https://github.com/bwesterb/armed-keccak
-
-.macro round
- # Execute theta, but without xoring into the state yet.
- # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i].
- eor3.16b v25, v0, v5, v10
- eor3.16b v26, v1, v6, v11
- eor3.16b v27, v2, v7, v12
- eor3.16b v28, v3, v8, v13
- eor3.16b v29, v4, v9, v14
-
- eor3.16b v25, v25, v15, v20
- eor3.16b v26, v26, v16, v21
- eor3.16b v27, v27, v17, v22
- eor3.16b v28, v28, v18, v23
- eor3.16b v29, v29, v19, v24
-
- # d[0] = rotl(p[1], 1) ^ p[4]
- rax1.2d v30, v29, v26
- # d[3] = rotl(p[4], 1) ^ p[2]
- rax1.2d v29, v27, v29
- # d[1] = rotl(p[2], 1) ^ p[0]
- rax1.2d v27, v25, v27
- # d[4] = rotl(p[0], 1) ^ p[3]
- rax1.2d v25, v28, v25
- # d[2] = rotl(p[3], 1) ^ p[1]
- rax1.2d v28, v26, v28
-
- # Xor parities from step theta into the state at the same time
- # as executing rho and pi.
- eor.16b v0, v0, v30
- mov.16b v31, v1
- xar.2d v1, v6, v27, 20
- xar.2d v6, v9, v25, 44
- xar.2d v9, v22, v28, 3
- xar.2d v22, v14, v25, 25
- xar.2d v14, v20, v30, 46
- xar.2d v20, v2, v28, 2
- xar.2d v2, v12, v28, 21
- xar.2d v12, v13, v29, 39
- xar.2d v13, v19, v25, 56
- xar.2d v19, v23, v29, 8
- xar.2d v23, v15, v30, 23
- xar.2d v15, v4, v25, 37
- xar.2d v4, v24, v25, 50
- xar.2d v24, v21, v27, 62
- xar.2d v21, v8, v29, 9
- xar.2d v8, v16, v27, 19
- xar.2d v16, v5, v30, 28
- xar.2d v5, v3, v29, 36
- xar.2d v3, v18, v29, 43
- xar.2d v18, v17, v28, 49
- xar.2d v17, v11, v27, 54
- xar.2d v11, v7, v28, 58
- xar.2d v7, v10, v30, 61
- xar.2d v10, v31, v27, 63
-
- # Chi
- bcax.16b v25, v0, v2, v1
- bcax.16b v26, v1, v3, v2
- bcax.16b v2, v2, v4, v3
- bcax.16b v3, v3, v0, v4
- bcax.16b v4, v4, v1, v0
- mov.16b v0, v25
- mov.16b v1, v26
-
- bcax.16b v25, v5, v7, v6
- bcax.16b v26, v6, v8, v7
- bcax.16b v7, v7, v9, v8
- bcax.16b v8, v8, v5, v9
- bcax.16b v9, v9, v6, v5
- mov.16b v5, v25
- mov.16b v6, v26
-
- bcax.16b v25, v10, v12, v11
- bcax.16b v26, v11, v13, v12
- bcax.16b v12, v12, v14, v13
- bcax.16b v13, v13, v10, v14
- bcax.16b v14, v14, v11, v10
- mov.16b v10, v25
- mov.16b v11, v26
-
- bcax.16b v25, v15, v17, v16
- bcax.16b v26, v16, v18, v17
- bcax.16b v17, v17, v19, v18
- bcax.16b v18, v18, v15, v19
- bcax.16b v19, v19, v16, v15
- mov.16b v15, v25
- mov.16b v16, v26
-
- bcax.16b v25, v20, v22, v21
- bcax.16b v26, v21, v23, v22
- bcax.16b v22, v22, v24, v23
- bcax.16b v23, v23, v20, v24
- bcax.16b v24, v24, v21, v20
- mov.16b v20, v25
- mov.16b v21, v26
-
- # iota
- ld1r {v25.2d}, [x1], #8
- eor.16b v0, v0, v25
-.endm
-
-.align 4
-.global __f1600x2
-__f1600x2:
- stp d8, d9, [sp,#-16]!
- stp d10, d11, [sp,#-16]!
- stp d12, d13, [sp,#-16]!
- stp d14, d15, [sp,#-16]!
-
- mov x2, x0
- mov x3, #24
-
- ld1.2d {v0, v1, v2, v3}, [x0], #64
- ld1.2d {v4, v5, v6, v7}, [x0], #64
- ld1.2d {v8, v9, v10, v11}, [x0], #64
- ld1.2d {v12, v13, v14, v15}, [x0], #64
- ld1.2d {v16, v17, v18, v19}, [x0], #64
- ld1.2d {v20, v21, v22, v23}, [x0], #64
- ld1.2d {v24}, [x0]
-
-loop:
- round
-
- subs x3, x3, #1
- cbnz x3, loop
-
- mov x0, x2
- st1.2d {v0, v1, v2, v3}, [x0], #64
- st1.2d {v4, v5, v6, v7}, [x0], #64
- st1.2d {v8, v9, v10, v11}, [x0], #64
- st1.2d {v12, v13, v14, v15}, [x0], #64
- st1.2d {v16, v17, v18, v19}, [x0], #64
- st1.2d {v20, v21, v22, v23}, [x0], #64
- st1.2d {v24}, [x0]
-
- ldp d14, d15, [sp], #16
- ldp d12, d13, [sp], #16
- ldp d10, d11, [sp], #16
- ldp d8, d9, [sp], #16
-
- ret lr
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2_const.c
deleted file mode 100644
index e49c0ba149..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2_const.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "f1600x2.h"
-
-uint64_t f1600_RC[24] = {
- 0x0000000000000001,
- 0x0000000000008082,
- 0x800000000000808A,
- 0x8000000080008000,
- 0x000000000000808B,
- 0x0000000080000001,
- 0x8000000080008081,
- 0x8000000000008009,
- 0x000000000000008A,
- 0x0000000000000088,
- 0x0000000080008009,
- 0x000000008000000A,
- 0x000000008000808B,
- 0x800000000000008B,
- 0x8000000000008089,
- 0x8000000000008003,
- 0x8000000000008002,
- 0x8000000000000080,
- 0x000000000000800A,
- 0x800000008000000A,
- 0x8000000080008081,
- 0x8000000000008080,
- 0x0000000080000001,
- 0x8000000080008008,
-};
-
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.c
deleted file mode 100644
index 4718c343bc..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-#include
-
-#include "fips202x2.h"
-#include "f1600x2.h"
-#include "fips202.h"
-
-uint64_t load64(const unsigned char *x) {
- unsigned long long r = 0, i;
-
- for (i = 0; i < 8; ++i) {
- r |= (unsigned long long)x[i] << 8 * i;
- }
- return r;
-}
-
-void store64(uint8_t *x, uint64_t u) {
- unsigned int i;
-
- for (i = 0; i < 8; ++i) {
- x[i] = (uint8_t)u;
- u >>= 8;
- }
-}
-
-static void keccak_absorb2x(uint64_t *s,
- unsigned int r,
- const unsigned char *m0,
- const unsigned char *m1,
- unsigned long long int mlen,
- unsigned char p) {
- unsigned long long i;
- unsigned char t0[200];
- unsigned char t1[200];
-
- while (mlen >= r) {
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(m0 + 8 * i);
- s[2 * i + 1] ^= load64(m1 + 8 * i);
- }
-
- f1600x2(s);
- mlen -= r;
- m0 += r;
- m1 += r;
- }
-
- for (i = 0; i < r; ++i) {
- t0[i] = 0;
- t1[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t0[i] = m0[i];
- t1[i] = m1[i];
- }
-
- t0[i] = p;
- t1[i] = p;
-
- t0[r - 1] |= 128;
- t1[r - 1] |= 128;
-
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(t0 + 8 * i);
- s[2 * i + 1] ^= load64(t1 + 8 * i);
- }
-}
-
-
-static void keccak_squeezeblocks2x(unsigned char *h0,
- unsigned char *h1,
- unsigned long long int nblocks,
- uint64_t *s,
- unsigned int r) {
- unsigned int i;
-
- while (nblocks > 0) {
- f1600x2(s);
- for (i = 0; i < (r >> 3); i++) {
- store64(h0 + 8 * i, s[2 * i + 0]);
- store64(h1 + 8 * i, s[2 * i + 1]);
- }
- h0 += r;
- h1 += r;
- nblocks--;
- }
-}
-
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE128_RATE];
- unsigned char t1[SHAKE128_RATE];
- unsigned int i;
-
- /* absorb 4 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE);
-
- out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
- out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
-
- if (outlen % SHAKE128_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE);
- for (i = 0; i < outlen % SHAKE128_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
-
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE256_RATE];
- unsigned char t1[SHAKE256_RATE];
- unsigned int i;
-
- /* absorb 2 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE);
-
- out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
- out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
-
- if (outlen % SHAKE256_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE);
- for (i = 0; i < outlen % SHAKE256_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.h
deleted file mode 100644
index 7ba58b35d8..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef SPX_FIPS202X2_H
-#define SPX_FIPS202X2_H
-
-#include
-
-uint64_t load64(const unsigned char *x);
-void store64(uint8_t *x, uint64_t u);
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.c
deleted file mode 100644
index 39193d04e2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.c
+++ /dev/null
@@ -1,191 +0,0 @@
-#include
-#include
-#include
-
-#include "fors.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "thash.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- prf_addr(sk, ctx, fors_leaf_addr);
-}
-
-static void fors_gen_skx2(unsigned char *sk0,
- unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- prf_addrx2(sk0, sk1,
- ctx, fors_leaf_addrx2);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- thash(leaf, sk, 1, ctx, fors_leaf_addr);
-}
-
-static void fors_sk_to_leafx2(unsigned char *leaf0,
- unsigned char *leaf1,
- const unsigned char *sk0,
- const unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- thashx2(leaf0, leaf1,
- sk0, sk1,
- 1, ctx, fors_leaf_addrx2);
-}
-
-struct fors_gen_leaf_info {
- uint32_t leaf_addrx[2 * 8];
-};
-
-static void fors_gen_leafx2(unsigned char *leaf,
- const spx_ctx *ctx,
- uint32_t addr_idx, void *info) {
- struct fors_gen_leaf_info *fors_info = info;
- uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx;
- unsigned int j;
-
- /* Only set the parts that the caller doesn't set */
- for (j = 0; j < 2; j++) {
- set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j);
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF);
- }
-
- fors_gen_skx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-
- for (j = 0; j < 2; j++) {
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE);
- }
-
- fors_sk_to_leafx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-}
-
-/**
- * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- * Assumes indices has space for SPX_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < SPX_FORS_HEIGHT; j++) {
- indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j);
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- uint32_t fors_tree_addr[2 * 8] = {0};
- struct fors_gen_leaf_info fors_info = {0};
- uint32_t *fors_leaf_addr = fors_info.leaf_addrx;
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- for (i = 0; i < 2; i++) {
- copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr);
- set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE);
- copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr);
- }
- copy_keypair_addr(fors_pk_addr, fors_addr);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Include the secret key part that produces the selected leaf node. */
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF);
- fors_gen_sk(sig, ctx, fors_tree_addr);
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- sig += SPX_N;
-
- /* Compute the authentication path for this leaf node. */
- treehashx2(roots + i * SPX_N, sig, ctx,
- indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2,
- fors_tree_addr, &fors_info);
-
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- unsigned char leaf[SPX_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- copy_keypair_addr(fors_tree_addr, fors_addr);
- copy_keypair_addr(fors_pk_addr, fors_addr);
-
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr);
- sig += SPX_N;
-
- /* Derive the corresponding root node of this tree. */
- compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset,
- sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr);
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.h
deleted file mode 100644
index 509140a178..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef SPX_FORS_H
-#define SPX_FORS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_sign SPX_NAMESPACE(fors_sign)
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig)
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash.h
deleted file mode 100644
index f7c87d4c3c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef SPX_HASH_H
-#define SPX_HASH_H
-
-#include
-#include
-
-#include "context.h"
-#include "params.h"
-
-#define prf_addr SPX_NAMESPACE(prf_addr)
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]);
-
-#define gen_message_random SPX_NAMESPACE(gen_message_random)
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-#define hash_message SPX_NAMESPACE(hash_message)
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shake.c
deleted file mode 100644
index ff5e7ec918..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shake.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "hash.h"
-
-#include "address.h"
-#include "fips202.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Computes PRF(pk_seed, sk_seed, addr)
- */
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]) {
- unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES];
-
- memcpy(buf, ctx->pub_seed, SPX_N);
- memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES);
- memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N);
-
- shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, sk_prf, SPX_N);
- shake256_inc_absorb(&s_inc, optrand, SPX_N);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(R, SPX_N, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
-#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1))
-#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8)
-#define SPX_LEAF_BITS SPX_TREE_HEIGHT
-#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8)
-#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES)
-
- unsigned char buf[SPX_DGST_BYTES];
- unsigned char *bufp = buf;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, R, SPX_N);
- shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-
- memcpy(digest, bufp, SPX_FORS_MSG_BYTES);
- bufp += SPX_FORS_MSG_BYTES;
-
-
- *tree = bytes_to_ull(bufp, SPX_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS);
- bufp += SPX_TREE_BYTES;
-
- *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shakex2.c
deleted file mode 100644
index 99571916a2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shakex2.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include
-#include
-
-#include "hashx2.h"
-
-#include "address.h"
-#include "f1600x2.h"
-#include "fips202x2.h"
-#include "params.h"
-
-/*
- * 2-way parallel version of prf_addr; takes 2x as much input and output
- */
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the fourway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
-
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->sk_seed + 8 * i);
- state[2 * (SPX_N / 8 + i + 4)] = x;
- state[2 * (SPX_N / 8 + i + 4) + 1] = x;
- }
-
- /* SHAKE domain separator and padding. */
- state[2 * (SPX_N / 4 + 4)] = 0x1f;
- state[2 * (SPX_N / 4 + 4) + 1] = 0x1f;
-
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hashx2.h
deleted file mode 100644
index 99b8873a9b..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hashx2.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef SPX_HASHX2_H
-#define SPX_HASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define prf_addrx2 SPX_NAMESPACE(prf_addrx2)
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.c
deleted file mode 100644
index c94ee23939..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include
-#include
-
-#include "merkle.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-#include "utilsx2.h"
-#include "wots.h"
-#include "wotsx2.h"
-
-/*
- * This generates a Merkle signature (WOTS signature followed by the Merkle
- * authentication path).
- */
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf) {
- unsigned char *auth_path = sig + SPX_WOTS_BYTES;
- uint32_t tree_addrx2[2 * 8] = { 0 };
- int j;
- struct leaf_info_x2 info = { 0 };
- unsigned steps[ SPX_WOTS_LEN ];
-
- info.wots_sig = sig;
- chain_lengths(steps, root);
- info.wots_steps = steps;
-
- for (j = 0; j < 2; j++) {
- set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE);
- set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS);
- set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK);
- copy_subtree_addr(&tree_addrx2[8 * j], tree_addr);
- copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr);
- copy_subtree_addr(&info.pk_addr[8 * j], wots_addr);
- }
-
- info.wots_sign_leaf = idx_leaf;
-
- treehashx2(root, auth_path, ctx,
- idx_leaf, 0,
- SPX_TREE_HEIGHT,
- wots_gen_leafx2,
- tree_addrx2, &info);
-}
-
-/* Compute root node of the top-most subtree. */
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) {
- /* We do not need the auth path in key generation, but it simplifies the
- code to have just one treehash routine that computes both root and path
- in one function. */
- unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES];
- uint32_t top_tree_addr[8] = {0};
- uint32_t wots_addr[8] = {0};
-
- set_layer_addr(top_tree_addr, SPX_D - 1);
- set_layer_addr(wots_addr, SPX_D - 1);
-
- merkle_sign(auth_path, root, ctx,
- wots_addr, top_tree_addr,
- ~0 /* ~0 means "don't bother generating an auth path */ );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.h
deleted file mode 100644
index 769cf2e970..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef MERKLE_H_
-#define MERKLE_H_
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/* Generate a Merkle signature (WOTS signature followed by the Merkle */
-/* authentication path) */
-#define merkle_sign SPX_NAMESPACE(merkle_sign)
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf);
-
-/* Compute the root node of the top-most subtree. */
-#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root)
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx);
-
-#endif /* MERKLE_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/nistapi.h
deleted file mode 100644
index 3cb71afad4..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/nistapi.h
+++ /dev/null
@@ -1,87 +0,0 @@
-#ifndef SPX_API_H
-#define SPX_API_H
-
-#include
-#include
-
-#include "params.h"
-
-#define CRYPTO_ALGNAME "SPHINCS+"
-
-#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES
-#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES
-#define CRYPTO_BYTES SPX_BYTES
-#define CRYPTO_SEEDBYTES (3*SPX_N)
-
-/*
- * Returns the length of a secret key, in bytes
- */
-#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes)
-size_t crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes)
-size_t crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes)
-size_t crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes)
-size_t crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair)
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-#define crypto_sign SPX_NAMESPACE(crypto_sign)
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/params.h
deleted file mode 100644
index b269c9f84b..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/params.h
+++ /dev/null
@@ -1,56 +0,0 @@
-#ifndef SPX_PARAMS_H
-#define SPX_PARAMS_H
-
-#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_##s
-
-/* Hash output length in bytes. */
-#define SPX_N 16
-/* Height of the hypertree. */
-#define SPX_FULL_HEIGHT 63
-/* Number of subtree layer. */
-#define SPX_D 7
-/* FORS tree dimensions. */
-#define SPX_FORS_HEIGHT 12
-#define SPX_FORS_TREES 14
-/* Winternitz parameter, */
-#define SPX_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define SPX_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define SPX_WOTS_LOGW 4
-
-#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW)
-
-/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define SPX_WOTS_LEN2 3
-
-#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2)
-#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N)
-#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES
-
-/* Subtree size. */
-#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D)
-
-//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT
-// #error SPX_D should always divide SPX_FULL_HEIGHT
-//#endif
-
-/* FORS parameters. */
-#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8)
-#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N)
-#define SPX_FORS_PK_BYTES SPX_N
-
-/* Resulting SPX sizes. */
-#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\
- SPX_FULL_HEIGHT * SPX_N)
-#define SPX_PK_BYTES (2 * SPX_N)
-#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES)
-
-#include "shake_offsets.h"
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/shake_offsets.h
deleted file mode 100644
index 6b28d95d91..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/shake_offsets.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef SHAKE_OFFSETS_H_
-#define SHAKE_OFFSETS_H_
-
-/*
- * Offsets of various fields in the address structure when we use SHAKE as
- * the Sphincs+ hash function
- */
-
-#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */
-#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */
-#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */
-#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */
-#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */
-#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */
-#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */
-#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */
-#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */
-
-#define SPX_SHAKE 1
-
-#endif /* SHAKE_OFFSETS_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/sign.c
deleted file mode 100644
index 9d0c7d1b22..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/sign.c
+++ /dev/null
@@ -1,286 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "context.h"
-#include "fors.h"
-#include "hash.h"
-#include "merkle.h"
-#include "nistapi.h"
-#include "params.h"
-#include "randombytes.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t crypto_sign_secretkeybytes(void) {
- return CRYPTO_SECRETKEYBYTES;
-}
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t crypto_sign_publickeybytes(void) {
- return CRYPTO_PUBLICKEYBYTES;
-}
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t crypto_sign_bytes(void) {
- return CRYPTO_BYTES;
-}
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t crypto_sign_seedbytes(void) {
- return CRYPTO_SEEDBYTES;
-}
-
-/*
- * Generates an SPX key pair given a seed of length
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed) {
- spx_ctx ctx;
-
- /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */
- memcpy(sk, seed, CRYPTO_SEEDBYTES);
-
- memcpy(pk, sk + 2 * SPX_N, SPX_N);
-
- memcpy(ctx.pub_seed, pk, SPX_N);
- memcpy(ctx.sk_seed, sk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- /* Compute root node of the top-most subtree. */
- merkle_gen_root(sk + 3 * SPX_N, &ctx);
-
- // cleanup
- free_hash_function(&ctx);
-
- memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N);
-
- return 0;
-}
-
-/*
- * Generates an SPX key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seed[CRYPTO_SEEDBYTES];
- randombytes(seed, CRYPTO_SEEDBYTES);
- crypto_sign_seed_keypair(pk, sk, seed);
-
- return 0;
-}
-
-/**
- * Returns an array containing a detached signature.
- */
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- spx_ctx ctx;
-
- const uint8_t *sk_prf = sk + SPX_N;
- const uint8_t *pk = sk + 2 * SPX_N;
-
- uint8_t optrand[SPX_N];
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t root[SPX_N];
- uint32_t i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
-
- memcpy(ctx.sk_seed, sk, SPX_N);
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
-
- /* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
- randombytes(optrand, SPX_N);
- /* Compute the digest randomization value. */
- gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx);
-
- /* Derive the message digest and leaf index from R, PK and M. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- /* Sign the message hash using FORS. */
- fors_sign(sig, root, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf);
- sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- free_hash_function(&ctx);
-
- *siglen = SPX_BYTES;
-
- return 0;
-}
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- spx_ctx ctx;
- const uint8_t *pub_root = pk + SPX_N;
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t wots_pk[SPX_WOTS_BYTES];
- uint8_t root[SPX_N];
- uint8_t leaf[SPX_N];
- unsigned int i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- if (siglen != SPX_BYTES) {
- return -1;
- }
-
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
- set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK);
-
- /* Derive the message digest and leaf index from R || PK || M. */
- /* The additional SPX_N is a result of the hash domain separator. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- /* Layer correctly defaults to 0, so no need to set_layer_addr */
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- /* For each subtree.. */
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- copy_keypair_addr(wots_pk_addr, wots_addr);
-
- /* The WOTS public key is only correct if the signature was correct. */
- /* Initially, root is the FORS pk, but on subsequent iterations it is
- the root of the subtree below the currently processed subtree. */
- wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr);
- sig += SPX_WOTS_BYTES;
-
- /* Compute the leaf node using the WOTS public key. */
- thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr);
-
- /* Compute the root node of this subtree. */
- compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT,
- &ctx, tree_addr);
- sig += SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- // cleanup
- free_hash_function(&ctx);
-
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pub_root, SPX_N) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk) {
- size_t siglen;
-
- crypto_sign_signature(sm, &siglen, m, mlen, sk);
-
- memmove(sm + SPX_BYTES, m, mlen);
- *smlen = siglen + mlen;
-
- return 0;
-}
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk) {
- /* The API caller does not necessarily know what size a signature should be
- but SPHINCS+ signatures are always exactly SPX_BYTES. */
- if (smlen < SPX_BYTES) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- *mlen = smlen - SPX_BYTES;
-
- if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- /* If verification was successful, move the message to the right place. */
- memmove(m, sm + SPX_BYTES, *mlen);
-
- return 0;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash.h
deleted file mode 100644
index 8687ccfb4d..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef SPX_THASH_H
-#define SPX_THASH_H
-
-#include "context.h"
-#include "params.h"
-
-#include
-
-#define thash SPX_NAMESPACE(thash)
-void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash_shake_simplex2.c
deleted file mode 100644
index 892e453690..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash_shake_simplex2.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "thash.h"
-#include "thashx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-#include "f1600x2.h"
-#include "fips202x2.h"
-
-
-void thash(unsigned char *out,
- const unsigned char *in,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t addrx2 [2 * 8] = {
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7],
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7]
- };
- thashx2(out, out, in, in, inblocks, ctx, addrx2);
-}
-
-/**
- * 2-way parallel version of thash; takes 2x as much input and output
- */
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]) {
- if (inblocks == 1 || inblocks == 2) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the twoway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
-
- for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) {
- state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i);
- state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i);
- }
-
- /* Domain separator and padding. */
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f;
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
- } else {
- PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
-
- memcpy(buf0, ctx->pub_seed, SPX_N);
- memcpy(buf1, ctx->pub_seed, SPX_N);
- memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES);
- memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES);
- memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N);
- memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N);
-
- shake256x2(out0, out1, SPX_N,
- buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thashx2.h
deleted file mode 100644
index 040375e618..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thashx2.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef SPX_THASHX2_H
-#define SPX_THASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define thashx2 SPX_NAMESPACE(thashx2)
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.c
deleted file mode 100644
index 177b541fb9..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-
-#include "utils.h"
-
-#include "address.h"
-#include "hash.h"
-#include "params.h"
-#include "thash.h"
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in) {
- int i;
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (i = (signed int)outlen - 1; i >= 0; i--) {
- out[i] = in & 0xff;
- in = in >> 8;
- }
-}
-
-void u32_to_bytes(unsigned char *out, uint32_t in) {
- out[0] = (unsigned char)(in >> 24);
- out[1] = (unsigned char)(in >> 16);
- out[2] = (unsigned char)(in >> 8);
- out[3] = (unsigned char)in;
-}
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) {
- unsigned long long retval = 0;
- unsigned int i;
-
- for (i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i));
- }
- return retval;
-}
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t i;
- unsigned char buffer[2 * SPX_N];
-
- /* If leaf_idx is odd (last bit = 1), current path element is a right child
- and auth_path has to go left. Otherwise it is the other way around. */
- if (leaf_idx & 1) {
- memcpy(buffer + SPX_N, leaf, SPX_N);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- memcpy(buffer, leaf, SPX_N);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
-
- for (i = 0; i < tree_height - 1; i++) {
- leaf_idx >>= 1;
- idx_offset >>= 1;
- /* Set the address of the node we're creating. */
- set_tree_height(addr, i + 1);
- set_tree_index(addr, leaf_idx + idx_offset);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leaf_idx & 1) {
- thash(buffer + SPX_N, buffer, 2, ctx, addr);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- thash(buffer, buffer, 2, ctx, addr);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
- }
-
- /* The last iteration is exceptional; we do not copy an auth_path node. */
- leaf_idx >>= 1;
- idx_offset >>= 1;
- set_tree_height(addr, tree_height);
- set_tree_index(addr, leaf_idx + idx_offset);
- thash(root, buffer, 2, ctx, addr);
-}
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx * /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]) {
- PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N);
- PQCLEAN_VLA(unsigned int, heights, tree_height + 1);
- unsigned int offset = 0;
- uint32_t idx;
- uint32_t tree_idx;
-
- for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) {
- /* Add the next leaf node to the stack. */
- gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr);
- offset++;
- heights[offset - 1] = 0;
-
- /* If this is a node we need for the auth path.. */
- if ((leaf_idx ^ 0x1) == idx) {
- memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N);
- }
-
- /* While the top-most nodes are of equal height.. */
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {
- /* Compute index of the new node, in the next layer. */
- tree_idx = (idx >> (heights[offset - 1] + 1));
-
- /* Set the address of the node we're creating. */
- set_tree_height(tree_addr, heights[offset - 1] + 1);
- set_tree_index(tree_addr,
- tree_idx + (idx_offset >> (heights[offset - 1] + 1)));
- /* Hash the top-most nodes from the stack together. */
- thash(stack + (offset - 2)*SPX_N,
- stack + (offset - 2)*SPX_N, 2, ctx, tree_addr);
- offset--;
- /* Note that the top-most node is now one layer higher. */
- heights[offset - 1]++;
-
- /* If this is a node we need for the auth path.. */
- if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {
- memcpy(auth_path + heights[offset - 1]*SPX_N,
- stack + (offset - 1)*SPX_N, SPX_N);
- }
- }
- }
- memcpy(root, stack, SPX_N);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.h
deleted file mode 100644
index 64f5d5a53a..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.h
+++ /dev/null
@@ -1,58 +0,0 @@
-#ifndef SPX_UTILS_H
-#define SPX_UTILS_H
-
-#include
-
-#include "compat.h"
-#include "context.h"
-#include "params.h"
-
-
-/* To support MSVC use alloca() instead of VLAs. See #20. */
-
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes)
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in);
-#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes)
-void u32_to_bytes(unsigned char *out, uint32_t in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull)
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-#define compute_root SPX_NAMESPACE(compute_root)
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-#define treehash SPX_NAMESPACE(treehash)
-void treehash(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx *ctx /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]);
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.c
deleted file mode 100644
index 8736474e4f..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.c
+++ /dev/null
@@ -1,130 +0,0 @@
-#include
-
-#include "utilsx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-
-/*
- * Generate the entire Merkle tree, computing the authentication path for leaf_idx,
- * and the resulting root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE)
- *
- * This expects tree_addrx2 to be initialized to 2 parallel addr structures for
- * the Merkle tree nodes
- *
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This works by using the standard Merkle tree building algorithm, except
- * that each 'node' tracked is actually 2 consecutive nodes in the real tree.
- * When we combine two logical nodes AB and WX, we perform the H
- * operation on adjacent real nodes, forming the parent logical node
- * (AB)(WX)
- *
- * When we get to the top level of the real tree (where there is only
- * one logical node), we continue this operation one more time; the right
- * most real node will by the actual root (and the other node will be
- * garbage). We follow the same thashx2 logic so that the 'extract
- * authentication path components' part of the loop is still executed (and
- * to simplify the code somewhat)
- */
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset,
- uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx *,
- uint32_t idx, void *info),
- uint32_t tree_addrx2[2 * 8],
- void *info) {
- /* This is where we keep the intermediate nodes */
- unsigned char stackx2[tree_height * 2 * SPX_N];
- uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */
- /* level, the left-most part of the tree isn't at the beginning */
- /* of current[]. These give the offset of the actual start */
-
- uint32_t idx;
- uint32_t max_idx = (1 << (tree_height - 1)) - 1;
- for (idx = 0;; idx++) {
- unsigned char current[2 * SPX_N]; /* Current logical node */
- gen_leafx2( current, ctx, 2 * idx + idx_offset,
- info );
-
- /* Now combine the freshly generated right node with previously */
- /* generated left ones */
- uint32_t internal_idx_offset = idx_offset;
- uint32_t internal_idx = idx;
- uint32_t internal_leaf = leaf_idx;
- uint32_t h; /* The height we are in the Merkle tree */
- for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) {
-
- /* Special processing if we're at the top of the tree */
- if (h >= tree_height - 1) {
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
- /* The tree indexing logic is a bit off in this case */
- /* Adjust it so that the left-most node of the part of */
- /* the tree that we're processing has index 0 */
- prev_left_adj = left_adj;
- left_adj = 2 - (1 << (tree_height - h - 1));
- }
-
- /* Check if we hit the top of the tree */
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
-
- /*
- * Check if one of the nodes we have is a part of the
- * authentication path; if it is, write it out
- */
- if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) {
- memcpy( &auth_path[ h * SPX_N ],
- ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N],
- SPX_N );
- }
-
- /*
- * Check if we're at a left child; if so, stop going up the stack
- * Exception: if we've reached the end of the tree, keep on going
- * (so we combine the last 2 nodes into the one root node in two
- * more iterations)
- */
- if ((internal_idx & 1) == 0 && idx < max_idx) {
- break;
- }
-
- /* Ok, we're at a right node (or doing the top 3 levels) */
- /* Now combine the left and right logical nodes together */
-
- /* Set the address of the node we're creating. */
- int j;
- internal_idx_offset >>= 1;
- for (j = 0; j < 2; j++) {
- set_tree_height(tree_addrx2 + j * 8, h + 1);
- set_tree_index(tree_addrx2 + j * 8,
- (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset );
- }
- unsigned char *left = &stackx2[h * 2 * SPX_N];
- thashx2( ¤t[0 * SPX_N],
- ¤t[1 * SPX_N],
- &left [0 * SPX_N],
- ¤t[0 * SPX_N],
- 2, ctx, tree_addrx2);
- }
-
- /* We've hit a left child; save the current for when we get the */
- /* corresponding right right */
- memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.h
deleted file mode 100644
index e09faddc43..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef SPX_UTILSX2_H
-#define SPX_UTILSX2_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This implementation uses SIMD to compute internal nodes 2 at a time (in
- * parallel)
- */
-#define treehashx2 SPX_NAMESPACE(treehashx2)
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx * /* ctx */,
- uint32_t addr_idx, void *info),
- uint32_t tree_addrx2[2 * 8], void *info);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.c
deleted file mode 100644
index 3babe45e95..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.c
+++ /dev/null
@@ -1,259 +0,0 @@
-#include
-#include
-
-#include "wots.h"
-#include "wotsx2.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes up the chains
- */
-static void gen_chains(
- unsigned char *out,
- const unsigned char *in,
- unsigned int start[SPX_WOTS_LEN],
- const unsigned int steps[SPX_WOTS_LEN],
- const spx_ctx *ctx,
- uint32_t addr[8]) {
- uint32_t i, j, k, idx, watching;
- int done;
- unsigned char empty[SPX_N];
- unsigned char *bufs[4];
- uint32_t addrs[8 * 2];
-
- int l;
- uint16_t counts[SPX_WOTS_W] = { 0 };
- uint16_t idxs[SPX_WOTS_LEN];
- uint16_t total, newTotal;
-
- /* set addrs = {addr, addr} */
- for (j = 0; j < 2; j++) {
- memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8);
- }
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, SPX_WOTS_LEN * SPX_N);
-
- /* Sort the chains in reverse order by steps using counting sort. */
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- counts[steps[i]]++;
- }
- total = 0;
- for (l = SPX_WOTS_W - 1; l >= 0; l--) {
- newTotal = counts[l] + total;
- counts[l] = total;
- total = newTotal;
- }
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- idxs[counts[steps[i]]] = i;
- counts[steps[i]]++;
- }
-
- /* We got our work cut out for us: do it! */
- for (i = 0; i < SPX_WOTS_LEN; i += 2) {
- for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) {
- idx = idxs[i + j];
- set_chain_addr(addrs + j * 8, idx);
- bufs[j] = out + SPX_N * idx;
- }
-
- /* As the chains are sorted in reverse order, we know that the first
- * chain is the longest and the last one is the shortest. We keep
- * an eye on whether the last chain is done and then on the one before,
- * et cetera. */
- watching = 1;
- done = 0;
- while (i + watching >= SPX_WOTS_LEN) {
- bufs[watching] = &empty[0];
- watching--;
- }
-
- for (k = 0;; k++) {
- while (k == steps[idxs[i + watching]]) {
- bufs[watching] = &empty[0];
- if (watching == 0) {
- done = 1;
- break;
- }
- watching--;
- }
- if (done) {
- break;
- }
- for (j = 0; j < watching + 1; j++) {
- set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]);
- }
-
- thashx2(bufs[0], bufs[1],
- bufs[0], bufs[1], 1, ctx, addrs);
- }
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const int out_len,
- const unsigned char *input) {
- int in = 0;
- int out = 0;
- unsigned char total = 0;
- int bits = 0;
- int consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= SPX_WOTS_LOGW;
- output[out] = (total >> bits) & (SPX_WOTS_W - 1);
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w,
- const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < SPX_WOTS_LEN1; i++) {
- csum += SPX_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w. */
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8);
- ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, SPX_WOTS_LEN1, msg);
- wots_checksum(lengths + SPX_WOTS_LEN1, lengths);
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]) {
- unsigned int steps[SPX_WOTS_LEN];
- unsigned int start[SPX_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(start, msg);
-
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- steps[i] = SPX_WOTS_W - 1 - start[i];
- }
-
- gen_chains(pk, sig, start, steps, ctx, addr);
-}
-
-/*
- * This generates 2 sequential WOTS public keys
- * It also generates the WOTS signature if leaf_info indicates
- * that we're signing with one of these WOTS keys
- */
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info) {
- struct leaf_info_x2 *info = v_info;
- uint32_t *leaf_addr = info->leaf_addr;
- uint32_t *pk_addr = info->pk_addr;
- unsigned int i, j, k;
- unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ];
- unsigned wots_offset = SPX_WOTS_BYTES;
- unsigned char *buffer;
- uint32_t wots_k_mask;
- unsigned wots_sign_index;
-
- if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) {
- /* We're traversing the leaf that's signing; generate the WOTS */
- /* signature */
- wots_k_mask = 0;
- wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */
- /* slots do the signatures come from */
- } else {
- /* Nope, we're just generating pk's; turn off the signature logic */
- wots_k_mask = ~0;
- wots_sign_index = 0;
- }
-
- for (j = 0; j < 2; j++) {
- set_keypair_addr( leaf_addr + j * 8, leaf_idx + j );
- set_keypair_addr( pk_addr + j * 8, leaf_idx + j );
- }
-
- for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) {
- uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */
- /* the step if we're generating a signature, ~0 if we're not */
-
- /* Start with the secret seed */
- for (j = 0; j < 2; j++) {
- set_chain_addr(leaf_addr + j * 8, i);
- set_hash_addr(leaf_addr + j * 8, 0);
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF);
- }
- prf_addrx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- ctx, leaf_addr);
- for (j = 0; j < 2; j++) {
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS);
- }
-
- /* Iterate down the WOTS chain */
- for (k = 0;; k++) {
- /* Check if one of the values we have needs to be saved as a */
- /* part of the WOTS signature */
- if (k == wots_k) {
- memcpy( info->wots_sig + i * SPX_N,
- buffer + wots_sign_index * wots_offset, SPX_N );
- }
-
- /* Check if we hit the top of the chain */
- if (k == SPX_WOTS_W - 1) {
- break;
- }
-
- /* Iterate one step on all 4 chains */
- for (j = 0; j < 2; j++) {
- set_hash_addr(leaf_addr + j * 8, k);
- }
- thashx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- 1, ctx, leaf_addr);
- }
- }
-
- /* Do the final thash to generate the public keys */
- thashx2(dest + 0 * SPX_N,
- dest + 1 * SPX_N,
- pk_buffer + 0 * wots_offset,
- pk_buffer + 1 * wots_offset,
- SPX_WOTS_LEN, ctx, pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.h
deleted file mode 100644
index 4e7692eeef..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef SPX_WOTS_H
-#define SPX_WOTS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig)
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/*
- * Compute the chain lengths needed for a given message hash
- */
-#define chain_lengths SPX_NAMESPACE(chain_lengths)
-void chain_lengths(unsigned int *lengths, const unsigned char *msg);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wotsx2.h
deleted file mode 100644
index b58bb61f84..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wotsx2.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef WOTSX2_H_
-#define WOTSX2_H_
-
-#include "params.h"
-#include
-
-/*
- * This is here to provide an interface to the internal wots_gen_leafx2
- * routine. While this routine is not referenced in the package outside of
- * wots.c, it is called from the stand-alone benchmark code to characterize
- * the performance
- */
-struct leaf_info_x2 {
- unsigned char *wots_sig;
- uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */
- uint32_t *wots_steps;
- uint32_t leaf_addr[2 * 8];
- uint32_t pk_addr[2 * 8];
-};
-
-/* Macro to set the leaf_info to something 'benign', that is, it would */
-/* run with the same time as it does during the real signing process */
-/* Used only by the benchmark code */
-#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \
- (info).wots_sig = 0; \
- (info).wots_sign_leaf = ~0; \
- (info).wots_steps = step_buffer; \
- int i; \
- for (i=0; i<2; i++) { \
- memcpy( &(info).leaf_addr[8*i], addr, 32 ); \
- memcpy( &(info).pk_addr[8*i], addr, 32 ); \
- } \
- }
-
-#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2)
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info);
-
-#endif /* WOTSX2_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/LICENSE
deleted file mode 100644
index 670154e353..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@
-CC0 1.0 Universal
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator and
-subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for the
-purpose of contributing to a commons of creative, cultural and scientific
-works ("Commons") that the public can reliably and without fear of later
-claims of infringement build upon, modify, incorporate in other works, reuse
-and redistribute as freely as possible in any form whatsoever and for any
-purposes, including without limitation commercial purposes. These owners may
-contribute to the Commons to promote the ideal of a free culture and the
-further production of creative, cultural and scientific works, or to gain
-reputation or greater distribution for their Work in part through the use and
-efforts of others.
-
-For these and/or other purposes and motivations, and without any expectation
-of additional consideration or compensation, the person associating CC0 with a
-Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
-and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
-and publicly distribute the Work under its terms, with knowledge of his or her
-Copyright and Related Rights in the Work and the meaning and intended legal
-effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not limited
-to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display, communicate,
- and translate a Work;
-
- ii. moral rights retained by the original author(s) and/or performer(s);
-
- iii. publicity and privacy rights pertaining to a person's image or likeness
- depicted in a Work;
-
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
-
- v. rights protecting the extraction, dissemination, use and reuse of data in
- a Work;
-
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation thereof,
- including any amended or successor version of such directive); and
-
- vii. other similar, equivalent or corresponding rights throughout the world
- based on applicable law or treaty, and any national implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention of,
-applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
-unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
-and Related Rights and associated claims and causes of action, whether now
-known or unknown (including existing as well as future claims and causes of
-action), in the Work (i) in all territories worldwide, (ii) for the maximum
-duration provided by applicable law or treaty (including future time
-extensions), (iii) in any current or future medium and for any number of
-copies, and (iv) for any purpose whatsoever, including without limitation
-commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
-the Waiver for the benefit of each member of the public at large and to the
-detriment of Affirmer's heirs and successors, fully intending that such Waiver
-shall not be subject to revocation, rescission, cancellation, termination, or
-any other legal or equitable action to disrupt the quiet enjoyment of the Work
-by the public as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason be
-judged legally invalid or ineffective under applicable law, then the Waiver
-shall be preserved to the maximum extent permitted taking into account
-Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
-is so judged Affirmer hereby grants to each affected person a royalty-free,
-non transferable, non sublicensable, non exclusive, irrevocable and
-unconditional license to exercise Affirmer's Copyright and Related Rights in
-the Work (i) in all territories worldwide, (ii) for the maximum duration
-provided by applicable law or treaty (including future time extensions), (iii)
-in any current or future medium and for any number of copies, and (iv) for any
-purpose whatsoever, including without limitation commercial, advertising or
-promotional purposes (the "License"). The License shall be deemed effective as
-of the date CC0 was applied by Affirmer to the Work. Should any part of the
-License for any reason be judged legally invalid or ineffective under
-applicable law, such partial invalidity or ineffectiveness shall not
-invalidate the remainder of the License, and in such case Affirmer hereby
-affirms that he or she will not (i) exercise any of his or her remaining
-Copyright and Related Rights in the Work or (ii) assert any associated claims
-and causes of action with respect to the Work, in either case contrary to
-Affirmer's express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
-
- b. Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.c
deleted file mode 100644
index b956e9cb29..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.c
+++ /dev/null
@@ -1,91 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Specify which level of Merkle tree (the "layer") we're working on
- */
-void set_layer_addr(uint32_t addr[8], uint32_t layer) {
- ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer;
-}
-
-/*
- * Specify which Merkle tree within the level (the "tree address") we're working on
- */
-void set_tree_addr(uint32_t addr[8], uint64_t tree) {
- ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree );
-}
-
-/*
- * Specify the reason we'll use this address structure for, that is, what
- * hash will we compute with it. This is used so that unrelated types of
- * hashes don't accidentally get the same address structure. The type will be
- * one of the SPX_ADDR_TYPE constants
- */
-void set_type(uint32_t addr[8], uint32_t type) {
- ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type;
-}
-
-/*
- * Copy the layer and tree fields of the address structure. This is used
- * when we're doing multiple types of hashes within the same Merkle tree
- */
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
-}
-
-/* These functions are used for OTS addresses. */
-
-/*
- * Specify which Merkle leaf we're working on; that is, which OTS keypair
- * we're talking about.
- */
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair) {
- ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair;
-}
-
-/*
- * Copy the layer, tree and keypair fields of the address structure. This is
- * used when we're doing multiple things within the same OTS keypair
- */
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
- ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1];
-}
-
-/*
- * Specify which Merkle chain within the OTS we're working with
- * (the chain address)
- */
-void set_chain_addr(uint32_t addr[8], uint32_t chain) {
- ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain;
-}
-
-/*
- * Specify where in the Merkle chain we are
-* (the hash address)
- */
-void set_hash_addr(uint32_t addr[8], uint32_t hash) {
- ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-/*
- * Specify the height of the node in the Merkle/FORS tree we are in
- * (the tree height)
- */
-void set_tree_height(uint32_t addr[8], uint32_t tree_height) {
- ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height;
-}
-
-/*
- * Specify the distance from the left edge of the node in the Merkle/FORS tree
- * (the tree index)
- */
-void set_tree_index(uint32_t addr[8], uint32_t tree_index) {
- u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.h
deleted file mode 100644
index 24a84eb40c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.h
+++ /dev/null
@@ -1,52 +0,0 @@
-#ifndef SPX_ADDRESS_H
-#define SPX_ADDRESS_H
-
-#include
-
-#include "params.h"
-
-/* The hash types that are passed to set_type */
-#define SPX_ADDR_TYPE_WOTS 0
-#define SPX_ADDR_TYPE_WOTSPK 1
-#define SPX_ADDR_TYPE_HASHTREE 2
-#define SPX_ADDR_TYPE_FORSTREE 3
-#define SPX_ADDR_TYPE_FORSPK 4
-#define SPX_ADDR_TYPE_WOTSPRF 5
-#define SPX_ADDR_TYPE_FORSPRF 6
-
-#define set_layer_addr SPX_NAMESPACE(set_layer_addr)
-void set_layer_addr(uint32_t addr[8], uint32_t layer);
-
-#define set_tree_addr SPX_NAMESPACE(set_tree_addr)
-void set_tree_addr(uint32_t addr[8], uint64_t tree);
-
-#define set_type SPX_NAMESPACE(set_type)
-void set_type(uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr)
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr)
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair);
-
-#define set_chain_addr SPX_NAMESPACE(set_chain_addr)
-void set_chain_addr(uint32_t addr[8], uint32_t chain);
-
-#define set_hash_addr SPX_NAMESPACE(set_hash_addr)
-void set_hash_addr(uint32_t addr[8], uint32_t hash);
-
-#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr)
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-#define set_tree_height SPX_NAMESPACE(set_tree_height)
-void set_tree_height(uint32_t addr[8], uint32_t tree_height);
-
-#define set_tree_index SPX_NAMESPACE(set_tree_index)
-void set_tree_index(uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/api.h
deleted file mode 100644
index 3e80e17f5d..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/api.h
+++ /dev/null
@@ -1,77 +0,0 @@
-#ifndef PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_API_H
-#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_API_H
-
-#include
-#include
-
-#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-192f-simple"
-
-#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 96
-#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 48
-#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_CRYPTO_BYTES 35664
-
-#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_CRYPTO_SEEDBYTES 72
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context.h
deleted file mode 100644
index 6e0a33f3b7..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef SPX_CONTEXT_H
-#define SPX_CONTEXT_H
-
-#include
-
-#include "params.h"
-
-typedef struct {
- uint8_t pub_seed[SPX_N];
- uint8_t sk_seed[SPX_N];
-} spx_ctx;
-
-#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function)
-void initialize_hash_function(spx_ctx *ctx);
-
-#define free_hash_function SPX_NAMESPACE(free_hash_function)
-void free_hash_function(spx_ctx *ctx);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context_shake.c
deleted file mode 100644
index 9614a103d3..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context_shake.c
+++ /dev/null
@@ -1,12 +0,0 @@
-#include "context.h"
-
-/* For SHAKE256, there is no immediate reason to initialize at the start,
- so this function is an empty operation. */
-void initialize_hash_function(spx_ctx *ctx) {
- (void)ctx; /* Suppress an 'unused parameter' warning. */
-}
-
-// in case the hash function api is heap-based.
-void free_hash_function(spx_ctx *ctx) {
- (void)ctx;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.h
deleted file mode 100644
index 70d1af9f14..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef SPX_F1600X2_H
-#define SPX_F1600X2_H
-
-#include
-
-extern uint64_t f1600_RC[24];
-extern void _f1600x2(uint64_t *a, uint64_t *rc);
-
-#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0)
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.s
deleted file mode 100644
index 640ed791ed..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.s
+++ /dev/null
@@ -1,143 +0,0 @@
-# From https://github.com/bwesterb/armed-keccak
-
-.macro round
- # Execute theta, but without xoring into the state yet.
- # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i].
- eor3.16b v25, v0, v5, v10
- eor3.16b v26, v1, v6, v11
- eor3.16b v27, v2, v7, v12
- eor3.16b v28, v3, v8, v13
- eor3.16b v29, v4, v9, v14
-
- eor3.16b v25, v25, v15, v20
- eor3.16b v26, v26, v16, v21
- eor3.16b v27, v27, v17, v22
- eor3.16b v28, v28, v18, v23
- eor3.16b v29, v29, v19, v24
-
- # d[0] = rotl(p[1], 1) ^ p[4]
- rax1.2d v30, v29, v26
- # d[3] = rotl(p[4], 1) ^ p[2]
- rax1.2d v29, v27, v29
- # d[1] = rotl(p[2], 1) ^ p[0]
- rax1.2d v27, v25, v27
- # d[4] = rotl(p[0], 1) ^ p[3]
- rax1.2d v25, v28, v25
- # d[2] = rotl(p[3], 1) ^ p[1]
- rax1.2d v28, v26, v28
-
- # Xor parities from step theta into the state at the same time
- # as executing rho and pi.
- eor.16b v0, v0, v30
- mov.16b v31, v1
- xar.2d v1, v6, v27, 20
- xar.2d v6, v9, v25, 44
- xar.2d v9, v22, v28, 3
- xar.2d v22, v14, v25, 25
- xar.2d v14, v20, v30, 46
- xar.2d v20, v2, v28, 2
- xar.2d v2, v12, v28, 21
- xar.2d v12, v13, v29, 39
- xar.2d v13, v19, v25, 56
- xar.2d v19, v23, v29, 8
- xar.2d v23, v15, v30, 23
- xar.2d v15, v4, v25, 37
- xar.2d v4, v24, v25, 50
- xar.2d v24, v21, v27, 62
- xar.2d v21, v8, v29, 9
- xar.2d v8, v16, v27, 19
- xar.2d v16, v5, v30, 28
- xar.2d v5, v3, v29, 36
- xar.2d v3, v18, v29, 43
- xar.2d v18, v17, v28, 49
- xar.2d v17, v11, v27, 54
- xar.2d v11, v7, v28, 58
- xar.2d v7, v10, v30, 61
- xar.2d v10, v31, v27, 63
-
- # Chi
- bcax.16b v25, v0, v2, v1
- bcax.16b v26, v1, v3, v2
- bcax.16b v2, v2, v4, v3
- bcax.16b v3, v3, v0, v4
- bcax.16b v4, v4, v1, v0
- mov.16b v0, v25
- mov.16b v1, v26
-
- bcax.16b v25, v5, v7, v6
- bcax.16b v26, v6, v8, v7
- bcax.16b v7, v7, v9, v8
- bcax.16b v8, v8, v5, v9
- bcax.16b v9, v9, v6, v5
- mov.16b v5, v25
- mov.16b v6, v26
-
- bcax.16b v25, v10, v12, v11
- bcax.16b v26, v11, v13, v12
- bcax.16b v12, v12, v14, v13
- bcax.16b v13, v13, v10, v14
- bcax.16b v14, v14, v11, v10
- mov.16b v10, v25
- mov.16b v11, v26
-
- bcax.16b v25, v15, v17, v16
- bcax.16b v26, v16, v18, v17
- bcax.16b v17, v17, v19, v18
- bcax.16b v18, v18, v15, v19
- bcax.16b v19, v19, v16, v15
- mov.16b v15, v25
- mov.16b v16, v26
-
- bcax.16b v25, v20, v22, v21
- bcax.16b v26, v21, v23, v22
- bcax.16b v22, v22, v24, v23
- bcax.16b v23, v23, v20, v24
- bcax.16b v24, v24, v21, v20
- mov.16b v20, v25
- mov.16b v21, v26
-
- # iota
- ld1r {v25.2d}, [x1], #8
- eor.16b v0, v0, v25
-.endm
-
-.align 4
-.global __f1600x2
-__f1600x2:
- stp d8, d9, [sp,#-16]!
- stp d10, d11, [sp,#-16]!
- stp d12, d13, [sp,#-16]!
- stp d14, d15, [sp,#-16]!
-
- mov x2, x0
- mov x3, #24
-
- ld1.2d {v0, v1, v2, v3}, [x0], #64
- ld1.2d {v4, v5, v6, v7}, [x0], #64
- ld1.2d {v8, v9, v10, v11}, [x0], #64
- ld1.2d {v12, v13, v14, v15}, [x0], #64
- ld1.2d {v16, v17, v18, v19}, [x0], #64
- ld1.2d {v20, v21, v22, v23}, [x0], #64
- ld1.2d {v24}, [x0]
-
-loop:
- round
-
- subs x3, x3, #1
- cbnz x3, loop
-
- mov x0, x2
- st1.2d {v0, v1, v2, v3}, [x0], #64
- st1.2d {v4, v5, v6, v7}, [x0], #64
- st1.2d {v8, v9, v10, v11}, [x0], #64
- st1.2d {v12, v13, v14, v15}, [x0], #64
- st1.2d {v16, v17, v18, v19}, [x0], #64
- st1.2d {v20, v21, v22, v23}, [x0], #64
- st1.2d {v24}, [x0]
-
- ldp d14, d15, [sp], #16
- ldp d12, d13, [sp], #16
- ldp d10, d11, [sp], #16
- ldp d8, d9, [sp], #16
-
- ret lr
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2_const.c
deleted file mode 100644
index e49c0ba149..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2_const.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "f1600x2.h"
-
-uint64_t f1600_RC[24] = {
- 0x0000000000000001,
- 0x0000000000008082,
- 0x800000000000808A,
- 0x8000000080008000,
- 0x000000000000808B,
- 0x0000000080000001,
- 0x8000000080008081,
- 0x8000000000008009,
- 0x000000000000008A,
- 0x0000000000000088,
- 0x0000000080008009,
- 0x000000008000000A,
- 0x000000008000808B,
- 0x800000000000008B,
- 0x8000000000008089,
- 0x8000000000008003,
- 0x8000000000008002,
- 0x8000000000000080,
- 0x000000000000800A,
- 0x800000008000000A,
- 0x8000000080008081,
- 0x8000000000008080,
- 0x0000000080000001,
- 0x8000000080008008,
-};
-
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.c
deleted file mode 100644
index 4718c343bc..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-#include
-
-#include "fips202x2.h"
-#include "f1600x2.h"
-#include "fips202.h"
-
-uint64_t load64(const unsigned char *x) {
- unsigned long long r = 0, i;
-
- for (i = 0; i < 8; ++i) {
- r |= (unsigned long long)x[i] << 8 * i;
- }
- return r;
-}
-
-void store64(uint8_t *x, uint64_t u) {
- unsigned int i;
-
- for (i = 0; i < 8; ++i) {
- x[i] = (uint8_t)u;
- u >>= 8;
- }
-}
-
-static void keccak_absorb2x(uint64_t *s,
- unsigned int r,
- const unsigned char *m0,
- const unsigned char *m1,
- unsigned long long int mlen,
- unsigned char p) {
- unsigned long long i;
- unsigned char t0[200];
- unsigned char t1[200];
-
- while (mlen >= r) {
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(m0 + 8 * i);
- s[2 * i + 1] ^= load64(m1 + 8 * i);
- }
-
- f1600x2(s);
- mlen -= r;
- m0 += r;
- m1 += r;
- }
-
- for (i = 0; i < r; ++i) {
- t0[i] = 0;
- t1[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t0[i] = m0[i];
- t1[i] = m1[i];
- }
-
- t0[i] = p;
- t1[i] = p;
-
- t0[r - 1] |= 128;
- t1[r - 1] |= 128;
-
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(t0 + 8 * i);
- s[2 * i + 1] ^= load64(t1 + 8 * i);
- }
-}
-
-
-static void keccak_squeezeblocks2x(unsigned char *h0,
- unsigned char *h1,
- unsigned long long int nblocks,
- uint64_t *s,
- unsigned int r) {
- unsigned int i;
-
- while (nblocks > 0) {
- f1600x2(s);
- for (i = 0; i < (r >> 3); i++) {
- store64(h0 + 8 * i, s[2 * i + 0]);
- store64(h1 + 8 * i, s[2 * i + 1]);
- }
- h0 += r;
- h1 += r;
- nblocks--;
- }
-}
-
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE128_RATE];
- unsigned char t1[SHAKE128_RATE];
- unsigned int i;
-
- /* absorb 4 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE);
-
- out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
- out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
-
- if (outlen % SHAKE128_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE);
- for (i = 0; i < outlen % SHAKE128_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
-
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE256_RATE];
- unsigned char t1[SHAKE256_RATE];
- unsigned int i;
-
- /* absorb 2 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE);
-
- out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
- out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
-
- if (outlen % SHAKE256_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE);
- for (i = 0; i < outlen % SHAKE256_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.h
deleted file mode 100644
index 7ba58b35d8..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef SPX_FIPS202X2_H
-#define SPX_FIPS202X2_H
-
-#include
-
-uint64_t load64(const unsigned char *x);
-void store64(uint8_t *x, uint64_t u);
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.c
deleted file mode 100644
index 39193d04e2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.c
+++ /dev/null
@@ -1,191 +0,0 @@
-#include
-#include
-#include
-
-#include "fors.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "thash.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- prf_addr(sk, ctx, fors_leaf_addr);
-}
-
-static void fors_gen_skx2(unsigned char *sk0,
- unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- prf_addrx2(sk0, sk1,
- ctx, fors_leaf_addrx2);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- thash(leaf, sk, 1, ctx, fors_leaf_addr);
-}
-
-static void fors_sk_to_leafx2(unsigned char *leaf0,
- unsigned char *leaf1,
- const unsigned char *sk0,
- const unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- thashx2(leaf0, leaf1,
- sk0, sk1,
- 1, ctx, fors_leaf_addrx2);
-}
-
-struct fors_gen_leaf_info {
- uint32_t leaf_addrx[2 * 8];
-};
-
-static void fors_gen_leafx2(unsigned char *leaf,
- const spx_ctx *ctx,
- uint32_t addr_idx, void *info) {
- struct fors_gen_leaf_info *fors_info = info;
- uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx;
- unsigned int j;
-
- /* Only set the parts that the caller doesn't set */
- for (j = 0; j < 2; j++) {
- set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j);
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF);
- }
-
- fors_gen_skx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-
- for (j = 0; j < 2; j++) {
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE);
- }
-
- fors_sk_to_leafx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-}
-
-/**
- * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- * Assumes indices has space for SPX_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < SPX_FORS_HEIGHT; j++) {
- indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j);
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- uint32_t fors_tree_addr[2 * 8] = {0};
- struct fors_gen_leaf_info fors_info = {0};
- uint32_t *fors_leaf_addr = fors_info.leaf_addrx;
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- for (i = 0; i < 2; i++) {
- copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr);
- set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE);
- copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr);
- }
- copy_keypair_addr(fors_pk_addr, fors_addr);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Include the secret key part that produces the selected leaf node. */
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF);
- fors_gen_sk(sig, ctx, fors_tree_addr);
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- sig += SPX_N;
-
- /* Compute the authentication path for this leaf node. */
- treehashx2(roots + i * SPX_N, sig, ctx,
- indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2,
- fors_tree_addr, &fors_info);
-
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- unsigned char leaf[SPX_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- copy_keypair_addr(fors_tree_addr, fors_addr);
- copy_keypair_addr(fors_pk_addr, fors_addr);
-
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr);
- sig += SPX_N;
-
- /* Derive the corresponding root node of this tree. */
- compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset,
- sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr);
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.h
deleted file mode 100644
index 509140a178..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef SPX_FORS_H
-#define SPX_FORS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_sign SPX_NAMESPACE(fors_sign)
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig)
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash.h
deleted file mode 100644
index f7c87d4c3c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef SPX_HASH_H
-#define SPX_HASH_H
-
-#include
-#include
-
-#include "context.h"
-#include "params.h"
-
-#define prf_addr SPX_NAMESPACE(prf_addr)
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]);
-
-#define gen_message_random SPX_NAMESPACE(gen_message_random)
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-#define hash_message SPX_NAMESPACE(hash_message)
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shake.c
deleted file mode 100644
index ff5e7ec918..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shake.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "hash.h"
-
-#include "address.h"
-#include "fips202.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Computes PRF(pk_seed, sk_seed, addr)
- */
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]) {
- unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES];
-
- memcpy(buf, ctx->pub_seed, SPX_N);
- memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES);
- memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N);
-
- shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, sk_prf, SPX_N);
- shake256_inc_absorb(&s_inc, optrand, SPX_N);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(R, SPX_N, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
-#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1))
-#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8)
-#define SPX_LEAF_BITS SPX_TREE_HEIGHT
-#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8)
-#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES)
-
- unsigned char buf[SPX_DGST_BYTES];
- unsigned char *bufp = buf;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, R, SPX_N);
- shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-
- memcpy(digest, bufp, SPX_FORS_MSG_BYTES);
- bufp += SPX_FORS_MSG_BYTES;
-
-
- *tree = bytes_to_ull(bufp, SPX_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS);
- bufp += SPX_TREE_BYTES;
-
- *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shakex2.c
deleted file mode 100644
index 99571916a2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shakex2.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include
-#include
-
-#include "hashx2.h"
-
-#include "address.h"
-#include "f1600x2.h"
-#include "fips202x2.h"
-#include "params.h"
-
-/*
- * 2-way parallel version of prf_addr; takes 2x as much input and output
- */
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the fourway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
-
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->sk_seed + 8 * i);
- state[2 * (SPX_N / 8 + i + 4)] = x;
- state[2 * (SPX_N / 8 + i + 4) + 1] = x;
- }
-
- /* SHAKE domain separator and padding. */
- state[2 * (SPX_N / 4 + 4)] = 0x1f;
- state[2 * (SPX_N / 4 + 4) + 1] = 0x1f;
-
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hashx2.h
deleted file mode 100644
index 99b8873a9b..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hashx2.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef SPX_HASHX2_H
-#define SPX_HASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define prf_addrx2 SPX_NAMESPACE(prf_addrx2)
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.c
deleted file mode 100644
index c94ee23939..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include
-#include
-
-#include "merkle.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-#include "utilsx2.h"
-#include "wots.h"
-#include "wotsx2.h"
-
-/*
- * This generates a Merkle signature (WOTS signature followed by the Merkle
- * authentication path).
- */
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf) {
- unsigned char *auth_path = sig + SPX_WOTS_BYTES;
- uint32_t tree_addrx2[2 * 8] = { 0 };
- int j;
- struct leaf_info_x2 info = { 0 };
- unsigned steps[ SPX_WOTS_LEN ];
-
- info.wots_sig = sig;
- chain_lengths(steps, root);
- info.wots_steps = steps;
-
- for (j = 0; j < 2; j++) {
- set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE);
- set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS);
- set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK);
- copy_subtree_addr(&tree_addrx2[8 * j], tree_addr);
- copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr);
- copy_subtree_addr(&info.pk_addr[8 * j], wots_addr);
- }
-
- info.wots_sign_leaf = idx_leaf;
-
- treehashx2(root, auth_path, ctx,
- idx_leaf, 0,
- SPX_TREE_HEIGHT,
- wots_gen_leafx2,
- tree_addrx2, &info);
-}
-
-/* Compute root node of the top-most subtree. */
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) {
- /* We do not need the auth path in key generation, but it simplifies the
- code to have just one treehash routine that computes both root and path
- in one function. */
- unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES];
- uint32_t top_tree_addr[8] = {0};
- uint32_t wots_addr[8] = {0};
-
- set_layer_addr(top_tree_addr, SPX_D - 1);
- set_layer_addr(wots_addr, SPX_D - 1);
-
- merkle_sign(auth_path, root, ctx,
- wots_addr, top_tree_addr,
- ~0 /* ~0 means "don't bother generating an auth path */ );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.h
deleted file mode 100644
index 769cf2e970..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef MERKLE_H_
-#define MERKLE_H_
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/* Generate a Merkle signature (WOTS signature followed by the Merkle */
-/* authentication path) */
-#define merkle_sign SPX_NAMESPACE(merkle_sign)
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf);
-
-/* Compute the root node of the top-most subtree. */
-#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root)
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx);
-
-#endif /* MERKLE_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/nistapi.h
deleted file mode 100644
index 3cb71afad4..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/nistapi.h
+++ /dev/null
@@ -1,87 +0,0 @@
-#ifndef SPX_API_H
-#define SPX_API_H
-
-#include
-#include
-
-#include "params.h"
-
-#define CRYPTO_ALGNAME "SPHINCS+"
-
-#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES
-#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES
-#define CRYPTO_BYTES SPX_BYTES
-#define CRYPTO_SEEDBYTES (3*SPX_N)
-
-/*
- * Returns the length of a secret key, in bytes
- */
-#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes)
-size_t crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes)
-size_t crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes)
-size_t crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes)
-size_t crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair)
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-#define crypto_sign SPX_NAMESPACE(crypto_sign)
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/params.h
deleted file mode 100644
index 6a93983ca4..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/params.h
+++ /dev/null
@@ -1,56 +0,0 @@
-#ifndef SPX_PARAMS_H
-#define SPX_PARAMS_H
-
-#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_##s
-
-/* Hash output length in bytes. */
-#define SPX_N 24
-/* Height of the hypertree. */
-#define SPX_FULL_HEIGHT 66
-/* Number of subtree layer. */
-#define SPX_D 22
-/* FORS tree dimensions. */
-#define SPX_FORS_HEIGHT 8
-#define SPX_FORS_TREES 33
-/* Winternitz parameter, */
-#define SPX_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define SPX_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define SPX_WOTS_LOGW 4
-
-#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW)
-
-/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define SPX_WOTS_LEN2 3
-
-#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2)
-#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N)
-#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES
-
-/* Subtree size. */
-#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D)
-
-//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT
-// #error SPX_D should always divide SPX_FULL_HEIGHT
-//#endif
-
-/* FORS parameters. */
-#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8)
-#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N)
-#define SPX_FORS_PK_BYTES SPX_N
-
-/* Resulting SPX sizes. */
-#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\
- SPX_FULL_HEIGHT * SPX_N)
-#define SPX_PK_BYTES (2 * SPX_N)
-#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES)
-
-#include "shake_offsets.h"
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/shake_offsets.h
deleted file mode 100644
index 6b28d95d91..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/shake_offsets.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef SHAKE_OFFSETS_H_
-#define SHAKE_OFFSETS_H_
-
-/*
- * Offsets of various fields in the address structure when we use SHAKE as
- * the Sphincs+ hash function
- */
-
-#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */
-#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */
-#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */
-#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */
-#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */
-#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */
-#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */
-#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */
-#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */
-
-#define SPX_SHAKE 1
-
-#endif /* SHAKE_OFFSETS_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/sign.c
deleted file mode 100644
index 9d0c7d1b22..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/sign.c
+++ /dev/null
@@ -1,286 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "context.h"
-#include "fors.h"
-#include "hash.h"
-#include "merkle.h"
-#include "nistapi.h"
-#include "params.h"
-#include "randombytes.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t crypto_sign_secretkeybytes(void) {
- return CRYPTO_SECRETKEYBYTES;
-}
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t crypto_sign_publickeybytes(void) {
- return CRYPTO_PUBLICKEYBYTES;
-}
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t crypto_sign_bytes(void) {
- return CRYPTO_BYTES;
-}
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t crypto_sign_seedbytes(void) {
- return CRYPTO_SEEDBYTES;
-}
-
-/*
- * Generates an SPX key pair given a seed of length
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed) {
- spx_ctx ctx;
-
- /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */
- memcpy(sk, seed, CRYPTO_SEEDBYTES);
-
- memcpy(pk, sk + 2 * SPX_N, SPX_N);
-
- memcpy(ctx.pub_seed, pk, SPX_N);
- memcpy(ctx.sk_seed, sk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- /* Compute root node of the top-most subtree. */
- merkle_gen_root(sk + 3 * SPX_N, &ctx);
-
- // cleanup
- free_hash_function(&ctx);
-
- memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N);
-
- return 0;
-}
-
-/*
- * Generates an SPX key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seed[CRYPTO_SEEDBYTES];
- randombytes(seed, CRYPTO_SEEDBYTES);
- crypto_sign_seed_keypair(pk, sk, seed);
-
- return 0;
-}
-
-/**
- * Returns an array containing a detached signature.
- */
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- spx_ctx ctx;
-
- const uint8_t *sk_prf = sk + SPX_N;
- const uint8_t *pk = sk + 2 * SPX_N;
-
- uint8_t optrand[SPX_N];
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t root[SPX_N];
- uint32_t i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
-
- memcpy(ctx.sk_seed, sk, SPX_N);
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
-
- /* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
- randombytes(optrand, SPX_N);
- /* Compute the digest randomization value. */
- gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx);
-
- /* Derive the message digest and leaf index from R, PK and M. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- /* Sign the message hash using FORS. */
- fors_sign(sig, root, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf);
- sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- free_hash_function(&ctx);
-
- *siglen = SPX_BYTES;
-
- return 0;
-}
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- spx_ctx ctx;
- const uint8_t *pub_root = pk + SPX_N;
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t wots_pk[SPX_WOTS_BYTES];
- uint8_t root[SPX_N];
- uint8_t leaf[SPX_N];
- unsigned int i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- if (siglen != SPX_BYTES) {
- return -1;
- }
-
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
- set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK);
-
- /* Derive the message digest and leaf index from R || PK || M. */
- /* The additional SPX_N is a result of the hash domain separator. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- /* Layer correctly defaults to 0, so no need to set_layer_addr */
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- /* For each subtree.. */
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- copy_keypair_addr(wots_pk_addr, wots_addr);
-
- /* The WOTS public key is only correct if the signature was correct. */
- /* Initially, root is the FORS pk, but on subsequent iterations it is
- the root of the subtree below the currently processed subtree. */
- wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr);
- sig += SPX_WOTS_BYTES;
-
- /* Compute the leaf node using the WOTS public key. */
- thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr);
-
- /* Compute the root node of this subtree. */
- compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT,
- &ctx, tree_addr);
- sig += SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- // cleanup
- free_hash_function(&ctx);
-
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pub_root, SPX_N) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk) {
- size_t siglen;
-
- crypto_sign_signature(sm, &siglen, m, mlen, sk);
-
- memmove(sm + SPX_BYTES, m, mlen);
- *smlen = siglen + mlen;
-
- return 0;
-}
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk) {
- /* The API caller does not necessarily know what size a signature should be
- but SPHINCS+ signatures are always exactly SPX_BYTES. */
- if (smlen < SPX_BYTES) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- *mlen = smlen - SPX_BYTES;
-
- if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- /* If verification was successful, move the message to the right place. */
- memmove(m, sm + SPX_BYTES, *mlen);
-
- return 0;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash.h
deleted file mode 100644
index 8687ccfb4d..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef SPX_THASH_H
-#define SPX_THASH_H
-
-#include "context.h"
-#include "params.h"
-
-#include
-
-#define thash SPX_NAMESPACE(thash)
-void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash_shake_simplex2.c
deleted file mode 100644
index 892e453690..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash_shake_simplex2.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "thash.h"
-#include "thashx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-#include "f1600x2.h"
-#include "fips202x2.h"
-
-
-void thash(unsigned char *out,
- const unsigned char *in,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t addrx2 [2 * 8] = {
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7],
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7]
- };
- thashx2(out, out, in, in, inblocks, ctx, addrx2);
-}
-
-/**
- * 2-way parallel version of thash; takes 2x as much input and output
- */
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]) {
- if (inblocks == 1 || inblocks == 2) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the twoway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
-
- for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) {
- state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i);
- state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i);
- }
-
- /* Domain separator and padding. */
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f;
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
- } else {
- PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
-
- memcpy(buf0, ctx->pub_seed, SPX_N);
- memcpy(buf1, ctx->pub_seed, SPX_N);
- memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES);
- memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES);
- memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N);
- memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N);
-
- shake256x2(out0, out1, SPX_N,
- buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thashx2.h
deleted file mode 100644
index 040375e618..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thashx2.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef SPX_THASHX2_H
-#define SPX_THASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define thashx2 SPX_NAMESPACE(thashx2)
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.c
deleted file mode 100644
index 177b541fb9..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-
-#include "utils.h"
-
-#include "address.h"
-#include "hash.h"
-#include "params.h"
-#include "thash.h"
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in) {
- int i;
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (i = (signed int)outlen - 1; i >= 0; i--) {
- out[i] = in & 0xff;
- in = in >> 8;
- }
-}
-
-void u32_to_bytes(unsigned char *out, uint32_t in) {
- out[0] = (unsigned char)(in >> 24);
- out[1] = (unsigned char)(in >> 16);
- out[2] = (unsigned char)(in >> 8);
- out[3] = (unsigned char)in;
-}
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) {
- unsigned long long retval = 0;
- unsigned int i;
-
- for (i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i));
- }
- return retval;
-}
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t i;
- unsigned char buffer[2 * SPX_N];
-
- /* If leaf_idx is odd (last bit = 1), current path element is a right child
- and auth_path has to go left. Otherwise it is the other way around. */
- if (leaf_idx & 1) {
- memcpy(buffer + SPX_N, leaf, SPX_N);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- memcpy(buffer, leaf, SPX_N);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
-
- for (i = 0; i < tree_height - 1; i++) {
- leaf_idx >>= 1;
- idx_offset >>= 1;
- /* Set the address of the node we're creating. */
- set_tree_height(addr, i + 1);
- set_tree_index(addr, leaf_idx + idx_offset);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leaf_idx & 1) {
- thash(buffer + SPX_N, buffer, 2, ctx, addr);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- thash(buffer, buffer, 2, ctx, addr);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
- }
-
- /* The last iteration is exceptional; we do not copy an auth_path node. */
- leaf_idx >>= 1;
- idx_offset >>= 1;
- set_tree_height(addr, tree_height);
- set_tree_index(addr, leaf_idx + idx_offset);
- thash(root, buffer, 2, ctx, addr);
-}
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx * /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]) {
- PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N);
- PQCLEAN_VLA(unsigned int, heights, tree_height + 1);
- unsigned int offset = 0;
- uint32_t idx;
- uint32_t tree_idx;
-
- for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) {
- /* Add the next leaf node to the stack. */
- gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr);
- offset++;
- heights[offset - 1] = 0;
-
- /* If this is a node we need for the auth path.. */
- if ((leaf_idx ^ 0x1) == idx) {
- memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N);
- }
-
- /* While the top-most nodes are of equal height.. */
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {
- /* Compute index of the new node, in the next layer. */
- tree_idx = (idx >> (heights[offset - 1] + 1));
-
- /* Set the address of the node we're creating. */
- set_tree_height(tree_addr, heights[offset - 1] + 1);
- set_tree_index(tree_addr,
- tree_idx + (idx_offset >> (heights[offset - 1] + 1)));
- /* Hash the top-most nodes from the stack together. */
- thash(stack + (offset - 2)*SPX_N,
- stack + (offset - 2)*SPX_N, 2, ctx, tree_addr);
- offset--;
- /* Note that the top-most node is now one layer higher. */
- heights[offset - 1]++;
-
- /* If this is a node we need for the auth path.. */
- if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {
- memcpy(auth_path + heights[offset - 1]*SPX_N,
- stack + (offset - 1)*SPX_N, SPX_N);
- }
- }
- }
- memcpy(root, stack, SPX_N);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.h
deleted file mode 100644
index 64f5d5a53a..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.h
+++ /dev/null
@@ -1,58 +0,0 @@
-#ifndef SPX_UTILS_H
-#define SPX_UTILS_H
-
-#include
-
-#include "compat.h"
-#include "context.h"
-#include "params.h"
-
-
-/* To support MSVC use alloca() instead of VLAs. See #20. */
-
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes)
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in);
-#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes)
-void u32_to_bytes(unsigned char *out, uint32_t in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull)
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-#define compute_root SPX_NAMESPACE(compute_root)
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-#define treehash SPX_NAMESPACE(treehash)
-void treehash(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx *ctx /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]);
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.c
deleted file mode 100644
index 8736474e4f..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.c
+++ /dev/null
@@ -1,130 +0,0 @@
-#include
-
-#include "utilsx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-
-/*
- * Generate the entire Merkle tree, computing the authentication path for leaf_idx,
- * and the resulting root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE)
- *
- * This expects tree_addrx2 to be initialized to 2 parallel addr structures for
- * the Merkle tree nodes
- *
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This works by using the standard Merkle tree building algorithm, except
- * that each 'node' tracked is actually 2 consecutive nodes in the real tree.
- * When we combine two logical nodes AB and WX, we perform the H
- * operation on adjacent real nodes, forming the parent logical node
- * (AB)(WX)
- *
- * When we get to the top level of the real tree (where there is only
- * one logical node), we continue this operation one more time; the right
- * most real node will by the actual root (and the other node will be
- * garbage). We follow the same thashx2 logic so that the 'extract
- * authentication path components' part of the loop is still executed (and
- * to simplify the code somewhat)
- */
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset,
- uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx *,
- uint32_t idx, void *info),
- uint32_t tree_addrx2[2 * 8],
- void *info) {
- /* This is where we keep the intermediate nodes */
- unsigned char stackx2[tree_height * 2 * SPX_N];
- uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */
- /* level, the left-most part of the tree isn't at the beginning */
- /* of current[]. These give the offset of the actual start */
-
- uint32_t idx;
- uint32_t max_idx = (1 << (tree_height - 1)) - 1;
- for (idx = 0;; idx++) {
- unsigned char current[2 * SPX_N]; /* Current logical node */
- gen_leafx2( current, ctx, 2 * idx + idx_offset,
- info );
-
- /* Now combine the freshly generated right node with previously */
- /* generated left ones */
- uint32_t internal_idx_offset = idx_offset;
- uint32_t internal_idx = idx;
- uint32_t internal_leaf = leaf_idx;
- uint32_t h; /* The height we are in the Merkle tree */
- for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) {
-
- /* Special processing if we're at the top of the tree */
- if (h >= tree_height - 1) {
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
- /* The tree indexing logic is a bit off in this case */
- /* Adjust it so that the left-most node of the part of */
- /* the tree that we're processing has index 0 */
- prev_left_adj = left_adj;
- left_adj = 2 - (1 << (tree_height - h - 1));
- }
-
- /* Check if we hit the top of the tree */
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
-
- /*
- * Check if one of the nodes we have is a part of the
- * authentication path; if it is, write it out
- */
- if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) {
- memcpy( &auth_path[ h * SPX_N ],
- ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N],
- SPX_N );
- }
-
- /*
- * Check if we're at a left child; if so, stop going up the stack
- * Exception: if we've reached the end of the tree, keep on going
- * (so we combine the last 2 nodes into the one root node in two
- * more iterations)
- */
- if ((internal_idx & 1) == 0 && idx < max_idx) {
- break;
- }
-
- /* Ok, we're at a right node (or doing the top 3 levels) */
- /* Now combine the left and right logical nodes together */
-
- /* Set the address of the node we're creating. */
- int j;
- internal_idx_offset >>= 1;
- for (j = 0; j < 2; j++) {
- set_tree_height(tree_addrx2 + j * 8, h + 1);
- set_tree_index(tree_addrx2 + j * 8,
- (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset );
- }
- unsigned char *left = &stackx2[h * 2 * SPX_N];
- thashx2( ¤t[0 * SPX_N],
- ¤t[1 * SPX_N],
- &left [0 * SPX_N],
- ¤t[0 * SPX_N],
- 2, ctx, tree_addrx2);
- }
-
- /* We've hit a left child; save the current for when we get the */
- /* corresponding right right */
- memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.h
deleted file mode 100644
index e09faddc43..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef SPX_UTILSX2_H
-#define SPX_UTILSX2_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This implementation uses SIMD to compute internal nodes 2 at a time (in
- * parallel)
- */
-#define treehashx2 SPX_NAMESPACE(treehashx2)
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx * /* ctx */,
- uint32_t addr_idx, void *info),
- uint32_t tree_addrx2[2 * 8], void *info);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.c
deleted file mode 100644
index 3babe45e95..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.c
+++ /dev/null
@@ -1,259 +0,0 @@
-#include
-#include
-
-#include "wots.h"
-#include "wotsx2.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes up the chains
- */
-static void gen_chains(
- unsigned char *out,
- const unsigned char *in,
- unsigned int start[SPX_WOTS_LEN],
- const unsigned int steps[SPX_WOTS_LEN],
- const spx_ctx *ctx,
- uint32_t addr[8]) {
- uint32_t i, j, k, idx, watching;
- int done;
- unsigned char empty[SPX_N];
- unsigned char *bufs[4];
- uint32_t addrs[8 * 2];
-
- int l;
- uint16_t counts[SPX_WOTS_W] = { 0 };
- uint16_t idxs[SPX_WOTS_LEN];
- uint16_t total, newTotal;
-
- /* set addrs = {addr, addr} */
- for (j = 0; j < 2; j++) {
- memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8);
- }
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, SPX_WOTS_LEN * SPX_N);
-
- /* Sort the chains in reverse order by steps using counting sort. */
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- counts[steps[i]]++;
- }
- total = 0;
- for (l = SPX_WOTS_W - 1; l >= 0; l--) {
- newTotal = counts[l] + total;
- counts[l] = total;
- total = newTotal;
- }
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- idxs[counts[steps[i]]] = i;
- counts[steps[i]]++;
- }
-
- /* We got our work cut out for us: do it! */
- for (i = 0; i < SPX_WOTS_LEN; i += 2) {
- for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) {
- idx = idxs[i + j];
- set_chain_addr(addrs + j * 8, idx);
- bufs[j] = out + SPX_N * idx;
- }
-
- /* As the chains are sorted in reverse order, we know that the first
- * chain is the longest and the last one is the shortest. We keep
- * an eye on whether the last chain is done and then on the one before,
- * et cetera. */
- watching = 1;
- done = 0;
- while (i + watching >= SPX_WOTS_LEN) {
- bufs[watching] = &empty[0];
- watching--;
- }
-
- for (k = 0;; k++) {
- while (k == steps[idxs[i + watching]]) {
- bufs[watching] = &empty[0];
- if (watching == 0) {
- done = 1;
- break;
- }
- watching--;
- }
- if (done) {
- break;
- }
- for (j = 0; j < watching + 1; j++) {
- set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]);
- }
-
- thashx2(bufs[0], bufs[1],
- bufs[0], bufs[1], 1, ctx, addrs);
- }
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const int out_len,
- const unsigned char *input) {
- int in = 0;
- int out = 0;
- unsigned char total = 0;
- int bits = 0;
- int consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= SPX_WOTS_LOGW;
- output[out] = (total >> bits) & (SPX_WOTS_W - 1);
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w,
- const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < SPX_WOTS_LEN1; i++) {
- csum += SPX_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w. */
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8);
- ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, SPX_WOTS_LEN1, msg);
- wots_checksum(lengths + SPX_WOTS_LEN1, lengths);
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]) {
- unsigned int steps[SPX_WOTS_LEN];
- unsigned int start[SPX_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(start, msg);
-
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- steps[i] = SPX_WOTS_W - 1 - start[i];
- }
-
- gen_chains(pk, sig, start, steps, ctx, addr);
-}
-
-/*
- * This generates 2 sequential WOTS public keys
- * It also generates the WOTS signature if leaf_info indicates
- * that we're signing with one of these WOTS keys
- */
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info) {
- struct leaf_info_x2 *info = v_info;
- uint32_t *leaf_addr = info->leaf_addr;
- uint32_t *pk_addr = info->pk_addr;
- unsigned int i, j, k;
- unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ];
- unsigned wots_offset = SPX_WOTS_BYTES;
- unsigned char *buffer;
- uint32_t wots_k_mask;
- unsigned wots_sign_index;
-
- if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) {
- /* We're traversing the leaf that's signing; generate the WOTS */
- /* signature */
- wots_k_mask = 0;
- wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */
- /* slots do the signatures come from */
- } else {
- /* Nope, we're just generating pk's; turn off the signature logic */
- wots_k_mask = ~0;
- wots_sign_index = 0;
- }
-
- for (j = 0; j < 2; j++) {
- set_keypair_addr( leaf_addr + j * 8, leaf_idx + j );
- set_keypair_addr( pk_addr + j * 8, leaf_idx + j );
- }
-
- for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) {
- uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */
- /* the step if we're generating a signature, ~0 if we're not */
-
- /* Start with the secret seed */
- for (j = 0; j < 2; j++) {
- set_chain_addr(leaf_addr + j * 8, i);
- set_hash_addr(leaf_addr + j * 8, 0);
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF);
- }
- prf_addrx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- ctx, leaf_addr);
- for (j = 0; j < 2; j++) {
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS);
- }
-
- /* Iterate down the WOTS chain */
- for (k = 0;; k++) {
- /* Check if one of the values we have needs to be saved as a */
- /* part of the WOTS signature */
- if (k == wots_k) {
- memcpy( info->wots_sig + i * SPX_N,
- buffer + wots_sign_index * wots_offset, SPX_N );
- }
-
- /* Check if we hit the top of the chain */
- if (k == SPX_WOTS_W - 1) {
- break;
- }
-
- /* Iterate one step on all 4 chains */
- for (j = 0; j < 2; j++) {
- set_hash_addr(leaf_addr + j * 8, k);
- }
- thashx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- 1, ctx, leaf_addr);
- }
- }
-
- /* Do the final thash to generate the public keys */
- thashx2(dest + 0 * SPX_N,
- dest + 1 * SPX_N,
- pk_buffer + 0 * wots_offset,
- pk_buffer + 1 * wots_offset,
- SPX_WOTS_LEN, ctx, pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.h
deleted file mode 100644
index 4e7692eeef..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef SPX_WOTS_H
-#define SPX_WOTS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig)
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/*
- * Compute the chain lengths needed for a given message hash
- */
-#define chain_lengths SPX_NAMESPACE(chain_lengths)
-void chain_lengths(unsigned int *lengths, const unsigned char *msg);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wotsx2.h
deleted file mode 100644
index b58bb61f84..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wotsx2.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef WOTSX2_H_
-#define WOTSX2_H_
-
-#include "params.h"
-#include
-
-/*
- * This is here to provide an interface to the internal wots_gen_leafx2
- * routine. While this routine is not referenced in the package outside of
- * wots.c, it is called from the stand-alone benchmark code to characterize
- * the performance
- */
-struct leaf_info_x2 {
- unsigned char *wots_sig;
- uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */
- uint32_t *wots_steps;
- uint32_t leaf_addr[2 * 8];
- uint32_t pk_addr[2 * 8];
-};
-
-/* Macro to set the leaf_info to something 'benign', that is, it would */
-/* run with the same time as it does during the real signing process */
-/* Used only by the benchmark code */
-#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \
- (info).wots_sig = 0; \
- (info).wots_sign_leaf = ~0; \
- (info).wots_steps = step_buffer; \
- int i; \
- for (i=0; i<2; i++) { \
- memcpy( &(info).leaf_addr[8*i], addr, 32 ); \
- memcpy( &(info).pk_addr[8*i], addr, 32 ); \
- } \
- }
-
-#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2)
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info);
-
-#endif /* WOTSX2_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/LICENSE
deleted file mode 100644
index 670154e353..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@
-CC0 1.0 Universal
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator and
-subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for the
-purpose of contributing to a commons of creative, cultural and scientific
-works ("Commons") that the public can reliably and without fear of later
-claims of infringement build upon, modify, incorporate in other works, reuse
-and redistribute as freely as possible in any form whatsoever and for any
-purposes, including without limitation commercial purposes. These owners may
-contribute to the Commons to promote the ideal of a free culture and the
-further production of creative, cultural and scientific works, or to gain
-reputation or greater distribution for their Work in part through the use and
-efforts of others.
-
-For these and/or other purposes and motivations, and without any expectation
-of additional consideration or compensation, the person associating CC0 with a
-Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
-and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
-and publicly distribute the Work under its terms, with knowledge of his or her
-Copyright and Related Rights in the Work and the meaning and intended legal
-effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not limited
-to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display, communicate,
- and translate a Work;
-
- ii. moral rights retained by the original author(s) and/or performer(s);
-
- iii. publicity and privacy rights pertaining to a person's image or likeness
- depicted in a Work;
-
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
-
- v. rights protecting the extraction, dissemination, use and reuse of data in
- a Work;
-
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation thereof,
- including any amended or successor version of such directive); and
-
- vii. other similar, equivalent or corresponding rights throughout the world
- based on applicable law or treaty, and any national implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention of,
-applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
-unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
-and Related Rights and associated claims and causes of action, whether now
-known or unknown (including existing as well as future claims and causes of
-action), in the Work (i) in all territories worldwide, (ii) for the maximum
-duration provided by applicable law or treaty (including future time
-extensions), (iii) in any current or future medium and for any number of
-copies, and (iv) for any purpose whatsoever, including without limitation
-commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
-the Waiver for the benefit of each member of the public at large and to the
-detriment of Affirmer's heirs and successors, fully intending that such Waiver
-shall not be subject to revocation, rescission, cancellation, termination, or
-any other legal or equitable action to disrupt the quiet enjoyment of the Work
-by the public as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason be
-judged legally invalid or ineffective under applicable law, then the Waiver
-shall be preserved to the maximum extent permitted taking into account
-Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
-is so judged Affirmer hereby grants to each affected person a royalty-free,
-non transferable, non sublicensable, non exclusive, irrevocable and
-unconditional license to exercise Affirmer's Copyright and Related Rights in
-the Work (i) in all territories worldwide, (ii) for the maximum duration
-provided by applicable law or treaty (including future time extensions), (iii)
-in any current or future medium and for any number of copies, and (iv) for any
-purpose whatsoever, including without limitation commercial, advertising or
-promotional purposes (the "License"). The License shall be deemed effective as
-of the date CC0 was applied by Affirmer to the Work. Should any part of the
-License for any reason be judged legally invalid or ineffective under
-applicable law, such partial invalidity or ineffectiveness shall not
-invalidate the remainder of the License, and in such case Affirmer hereby
-affirms that he or she will not (i) exercise any of his or her remaining
-Copyright and Related Rights in the Work or (ii) assert any associated claims
-and causes of action with respect to the Work, in either case contrary to
-Affirmer's express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
-
- b. Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.c
deleted file mode 100644
index d49d9f3b6b..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.c
+++ /dev/null
@@ -1,95 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Specify which level of Merkle tree (the "layer") we're working on
- */
-void set_layer_addr(uint32_t addr[8], uint32_t layer) {
- ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer;
-}
-
-/*
- * Specify which Merkle tree within the level (the "tree address") we're working on
- */
-void set_tree_addr(uint32_t addr[8], uint64_t tree) {
- ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree );
-}
-
-/*
- * Specify the reason we'll use this address structure for, that is, what
- * hash will we compute with it. This is used so that unrelated types of
- * hashes don't accidentally get the same address structure. The type will be
- * one of the SPX_ADDR_TYPE constants
- */
-void set_type(uint32_t addr[8], uint32_t type) {
- ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type;
-}
-
-/*
- * Copy the layer and tree fields of the address structure. This is used
- * when we're doing multiple types of hashes within the same Merkle tree
- */
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
-}
-
-/* These functions are used for OTS addresses. */
-
-/*
- * Specify which Merkle leaf we're working on; that is, which OTS keypair
- * we're talking about.
- */
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair) {
- /* We have > 256 OTS at the bottom of the Merkle tree; to specify */
- /* which one, we'd need to express it in two bytes */
- ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR2] = (unsigned char)(keypair >> 8);
- ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair;
-}
-
-/*
- * Copy the layer, tree and keypair fields of the address structure. This is
- * used when we're doing multiple things within the same OTS keypair
- */
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
- ((unsigned char *)out)[SPX_OFFSET_KP_ADDR2] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR2];
- ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1];
-}
-
-/*
- * Specify which Merkle chain within the OTS we're working with
- * (the chain address)
- */
-void set_chain_addr(uint32_t addr[8], uint32_t chain) {
- ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain;
-}
-
-/*
- * Specify where in the Merkle chain we are
-* (the hash address)
- */
-void set_hash_addr(uint32_t addr[8], uint32_t hash) {
- ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-/*
- * Specify the height of the node in the Merkle/FORS tree we are in
- * (the tree height)
- */
-void set_tree_height(uint32_t addr[8], uint32_t tree_height) {
- ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height;
-}
-
-/*
- * Specify the distance from the left edge of the node in the Merkle/FORS tree
- * (the tree index)
- */
-void set_tree_index(uint32_t addr[8], uint32_t tree_index) {
- u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.h
deleted file mode 100644
index 24a84eb40c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.h
+++ /dev/null
@@ -1,52 +0,0 @@
-#ifndef SPX_ADDRESS_H
-#define SPX_ADDRESS_H
-
-#include
-
-#include "params.h"
-
-/* The hash types that are passed to set_type */
-#define SPX_ADDR_TYPE_WOTS 0
-#define SPX_ADDR_TYPE_WOTSPK 1
-#define SPX_ADDR_TYPE_HASHTREE 2
-#define SPX_ADDR_TYPE_FORSTREE 3
-#define SPX_ADDR_TYPE_FORSPK 4
-#define SPX_ADDR_TYPE_WOTSPRF 5
-#define SPX_ADDR_TYPE_FORSPRF 6
-
-#define set_layer_addr SPX_NAMESPACE(set_layer_addr)
-void set_layer_addr(uint32_t addr[8], uint32_t layer);
-
-#define set_tree_addr SPX_NAMESPACE(set_tree_addr)
-void set_tree_addr(uint32_t addr[8], uint64_t tree);
-
-#define set_type SPX_NAMESPACE(set_type)
-void set_type(uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr)
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr)
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair);
-
-#define set_chain_addr SPX_NAMESPACE(set_chain_addr)
-void set_chain_addr(uint32_t addr[8], uint32_t chain);
-
-#define set_hash_addr SPX_NAMESPACE(set_hash_addr)
-void set_hash_addr(uint32_t addr[8], uint32_t hash);
-
-#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr)
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-#define set_tree_height SPX_NAMESPACE(set_tree_height)
-void set_tree_height(uint32_t addr[8], uint32_t tree_height);
-
-#define set_tree_index SPX_NAMESPACE(set_tree_index)
-void set_tree_index(uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/api.h
deleted file mode 100644
index 59e16cd734..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/api.h
+++ /dev/null
@@ -1,77 +0,0 @@
-#ifndef PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_API_H
-#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_API_H
-
-#include
-#include
-
-#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-192s-simple"
-
-#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 96
-#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 48
-#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_CRYPTO_BYTES 16224
-
-#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_CRYPTO_SEEDBYTES 72
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context.h
deleted file mode 100644
index 6e0a33f3b7..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef SPX_CONTEXT_H
-#define SPX_CONTEXT_H
-
-#include
-
-#include "params.h"
-
-typedef struct {
- uint8_t pub_seed[SPX_N];
- uint8_t sk_seed[SPX_N];
-} spx_ctx;
-
-#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function)
-void initialize_hash_function(spx_ctx *ctx);
-
-#define free_hash_function SPX_NAMESPACE(free_hash_function)
-void free_hash_function(spx_ctx *ctx);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context_shake.c
deleted file mode 100644
index 9614a103d3..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context_shake.c
+++ /dev/null
@@ -1,12 +0,0 @@
-#include "context.h"
-
-/* For SHAKE256, there is no immediate reason to initialize at the start,
- so this function is an empty operation. */
-void initialize_hash_function(spx_ctx *ctx) {
- (void)ctx; /* Suppress an 'unused parameter' warning. */
-}
-
-// in case the hash function api is heap-based.
-void free_hash_function(spx_ctx *ctx) {
- (void)ctx;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.h
deleted file mode 100644
index 70d1af9f14..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef SPX_F1600X2_H
-#define SPX_F1600X2_H
-
-#include
-
-extern uint64_t f1600_RC[24];
-extern void _f1600x2(uint64_t *a, uint64_t *rc);
-
-#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0)
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.s
deleted file mode 100644
index 640ed791ed..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.s
+++ /dev/null
@@ -1,143 +0,0 @@
-# From https://github.com/bwesterb/armed-keccak
-
-.macro round
- # Execute theta, but without xoring into the state yet.
- # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i].
- eor3.16b v25, v0, v5, v10
- eor3.16b v26, v1, v6, v11
- eor3.16b v27, v2, v7, v12
- eor3.16b v28, v3, v8, v13
- eor3.16b v29, v4, v9, v14
-
- eor3.16b v25, v25, v15, v20
- eor3.16b v26, v26, v16, v21
- eor3.16b v27, v27, v17, v22
- eor3.16b v28, v28, v18, v23
- eor3.16b v29, v29, v19, v24
-
- # d[0] = rotl(p[1], 1) ^ p[4]
- rax1.2d v30, v29, v26
- # d[3] = rotl(p[4], 1) ^ p[2]
- rax1.2d v29, v27, v29
- # d[1] = rotl(p[2], 1) ^ p[0]
- rax1.2d v27, v25, v27
- # d[4] = rotl(p[0], 1) ^ p[3]
- rax1.2d v25, v28, v25
- # d[2] = rotl(p[3], 1) ^ p[1]
- rax1.2d v28, v26, v28
-
- # Xor parities from step theta into the state at the same time
- # as executing rho and pi.
- eor.16b v0, v0, v30
- mov.16b v31, v1
- xar.2d v1, v6, v27, 20
- xar.2d v6, v9, v25, 44
- xar.2d v9, v22, v28, 3
- xar.2d v22, v14, v25, 25
- xar.2d v14, v20, v30, 46
- xar.2d v20, v2, v28, 2
- xar.2d v2, v12, v28, 21
- xar.2d v12, v13, v29, 39
- xar.2d v13, v19, v25, 56
- xar.2d v19, v23, v29, 8
- xar.2d v23, v15, v30, 23
- xar.2d v15, v4, v25, 37
- xar.2d v4, v24, v25, 50
- xar.2d v24, v21, v27, 62
- xar.2d v21, v8, v29, 9
- xar.2d v8, v16, v27, 19
- xar.2d v16, v5, v30, 28
- xar.2d v5, v3, v29, 36
- xar.2d v3, v18, v29, 43
- xar.2d v18, v17, v28, 49
- xar.2d v17, v11, v27, 54
- xar.2d v11, v7, v28, 58
- xar.2d v7, v10, v30, 61
- xar.2d v10, v31, v27, 63
-
- # Chi
- bcax.16b v25, v0, v2, v1
- bcax.16b v26, v1, v3, v2
- bcax.16b v2, v2, v4, v3
- bcax.16b v3, v3, v0, v4
- bcax.16b v4, v4, v1, v0
- mov.16b v0, v25
- mov.16b v1, v26
-
- bcax.16b v25, v5, v7, v6
- bcax.16b v26, v6, v8, v7
- bcax.16b v7, v7, v9, v8
- bcax.16b v8, v8, v5, v9
- bcax.16b v9, v9, v6, v5
- mov.16b v5, v25
- mov.16b v6, v26
-
- bcax.16b v25, v10, v12, v11
- bcax.16b v26, v11, v13, v12
- bcax.16b v12, v12, v14, v13
- bcax.16b v13, v13, v10, v14
- bcax.16b v14, v14, v11, v10
- mov.16b v10, v25
- mov.16b v11, v26
-
- bcax.16b v25, v15, v17, v16
- bcax.16b v26, v16, v18, v17
- bcax.16b v17, v17, v19, v18
- bcax.16b v18, v18, v15, v19
- bcax.16b v19, v19, v16, v15
- mov.16b v15, v25
- mov.16b v16, v26
-
- bcax.16b v25, v20, v22, v21
- bcax.16b v26, v21, v23, v22
- bcax.16b v22, v22, v24, v23
- bcax.16b v23, v23, v20, v24
- bcax.16b v24, v24, v21, v20
- mov.16b v20, v25
- mov.16b v21, v26
-
- # iota
- ld1r {v25.2d}, [x1], #8
- eor.16b v0, v0, v25
-.endm
-
-.align 4
-.global __f1600x2
-__f1600x2:
- stp d8, d9, [sp,#-16]!
- stp d10, d11, [sp,#-16]!
- stp d12, d13, [sp,#-16]!
- stp d14, d15, [sp,#-16]!
-
- mov x2, x0
- mov x3, #24
-
- ld1.2d {v0, v1, v2, v3}, [x0], #64
- ld1.2d {v4, v5, v6, v7}, [x0], #64
- ld1.2d {v8, v9, v10, v11}, [x0], #64
- ld1.2d {v12, v13, v14, v15}, [x0], #64
- ld1.2d {v16, v17, v18, v19}, [x0], #64
- ld1.2d {v20, v21, v22, v23}, [x0], #64
- ld1.2d {v24}, [x0]
-
-loop:
- round
-
- subs x3, x3, #1
- cbnz x3, loop
-
- mov x0, x2
- st1.2d {v0, v1, v2, v3}, [x0], #64
- st1.2d {v4, v5, v6, v7}, [x0], #64
- st1.2d {v8, v9, v10, v11}, [x0], #64
- st1.2d {v12, v13, v14, v15}, [x0], #64
- st1.2d {v16, v17, v18, v19}, [x0], #64
- st1.2d {v20, v21, v22, v23}, [x0], #64
- st1.2d {v24}, [x0]
-
- ldp d14, d15, [sp], #16
- ldp d12, d13, [sp], #16
- ldp d10, d11, [sp], #16
- ldp d8, d9, [sp], #16
-
- ret lr
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2_const.c
deleted file mode 100644
index e49c0ba149..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2_const.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "f1600x2.h"
-
-uint64_t f1600_RC[24] = {
- 0x0000000000000001,
- 0x0000000000008082,
- 0x800000000000808A,
- 0x8000000080008000,
- 0x000000000000808B,
- 0x0000000080000001,
- 0x8000000080008081,
- 0x8000000000008009,
- 0x000000000000008A,
- 0x0000000000000088,
- 0x0000000080008009,
- 0x000000008000000A,
- 0x000000008000808B,
- 0x800000000000008B,
- 0x8000000000008089,
- 0x8000000000008003,
- 0x8000000000008002,
- 0x8000000000000080,
- 0x000000000000800A,
- 0x800000008000000A,
- 0x8000000080008081,
- 0x8000000000008080,
- 0x0000000080000001,
- 0x8000000080008008,
-};
-
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.c
deleted file mode 100644
index 4718c343bc..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-#include
-
-#include "fips202x2.h"
-#include "f1600x2.h"
-#include "fips202.h"
-
-uint64_t load64(const unsigned char *x) {
- unsigned long long r = 0, i;
-
- for (i = 0; i < 8; ++i) {
- r |= (unsigned long long)x[i] << 8 * i;
- }
- return r;
-}
-
-void store64(uint8_t *x, uint64_t u) {
- unsigned int i;
-
- for (i = 0; i < 8; ++i) {
- x[i] = (uint8_t)u;
- u >>= 8;
- }
-}
-
-static void keccak_absorb2x(uint64_t *s,
- unsigned int r,
- const unsigned char *m0,
- const unsigned char *m1,
- unsigned long long int mlen,
- unsigned char p) {
- unsigned long long i;
- unsigned char t0[200];
- unsigned char t1[200];
-
- while (mlen >= r) {
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(m0 + 8 * i);
- s[2 * i + 1] ^= load64(m1 + 8 * i);
- }
-
- f1600x2(s);
- mlen -= r;
- m0 += r;
- m1 += r;
- }
-
- for (i = 0; i < r; ++i) {
- t0[i] = 0;
- t1[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t0[i] = m0[i];
- t1[i] = m1[i];
- }
-
- t0[i] = p;
- t1[i] = p;
-
- t0[r - 1] |= 128;
- t1[r - 1] |= 128;
-
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(t0 + 8 * i);
- s[2 * i + 1] ^= load64(t1 + 8 * i);
- }
-}
-
-
-static void keccak_squeezeblocks2x(unsigned char *h0,
- unsigned char *h1,
- unsigned long long int nblocks,
- uint64_t *s,
- unsigned int r) {
- unsigned int i;
-
- while (nblocks > 0) {
- f1600x2(s);
- for (i = 0; i < (r >> 3); i++) {
- store64(h0 + 8 * i, s[2 * i + 0]);
- store64(h1 + 8 * i, s[2 * i + 1]);
- }
- h0 += r;
- h1 += r;
- nblocks--;
- }
-}
-
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE128_RATE];
- unsigned char t1[SHAKE128_RATE];
- unsigned int i;
-
- /* absorb 4 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE);
-
- out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
- out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
-
- if (outlen % SHAKE128_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE);
- for (i = 0; i < outlen % SHAKE128_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
-
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE256_RATE];
- unsigned char t1[SHAKE256_RATE];
- unsigned int i;
-
- /* absorb 2 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE);
-
- out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
- out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
-
- if (outlen % SHAKE256_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE);
- for (i = 0; i < outlen % SHAKE256_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.h
deleted file mode 100644
index 7ba58b35d8..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef SPX_FIPS202X2_H
-#define SPX_FIPS202X2_H
-
-#include
-
-uint64_t load64(const unsigned char *x);
-void store64(uint8_t *x, uint64_t u);
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.c
deleted file mode 100644
index 39193d04e2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.c
+++ /dev/null
@@ -1,191 +0,0 @@
-#include
-#include
-#include
-
-#include "fors.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "thash.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- prf_addr(sk, ctx, fors_leaf_addr);
-}
-
-static void fors_gen_skx2(unsigned char *sk0,
- unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- prf_addrx2(sk0, sk1,
- ctx, fors_leaf_addrx2);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- thash(leaf, sk, 1, ctx, fors_leaf_addr);
-}
-
-static void fors_sk_to_leafx2(unsigned char *leaf0,
- unsigned char *leaf1,
- const unsigned char *sk0,
- const unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- thashx2(leaf0, leaf1,
- sk0, sk1,
- 1, ctx, fors_leaf_addrx2);
-}
-
-struct fors_gen_leaf_info {
- uint32_t leaf_addrx[2 * 8];
-};
-
-static void fors_gen_leafx2(unsigned char *leaf,
- const spx_ctx *ctx,
- uint32_t addr_idx, void *info) {
- struct fors_gen_leaf_info *fors_info = info;
- uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx;
- unsigned int j;
-
- /* Only set the parts that the caller doesn't set */
- for (j = 0; j < 2; j++) {
- set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j);
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF);
- }
-
- fors_gen_skx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-
- for (j = 0; j < 2; j++) {
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE);
- }
-
- fors_sk_to_leafx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-}
-
-/**
- * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- * Assumes indices has space for SPX_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < SPX_FORS_HEIGHT; j++) {
- indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j);
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- uint32_t fors_tree_addr[2 * 8] = {0};
- struct fors_gen_leaf_info fors_info = {0};
- uint32_t *fors_leaf_addr = fors_info.leaf_addrx;
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- for (i = 0; i < 2; i++) {
- copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr);
- set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE);
- copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr);
- }
- copy_keypair_addr(fors_pk_addr, fors_addr);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Include the secret key part that produces the selected leaf node. */
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF);
- fors_gen_sk(sig, ctx, fors_tree_addr);
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- sig += SPX_N;
-
- /* Compute the authentication path for this leaf node. */
- treehashx2(roots + i * SPX_N, sig, ctx,
- indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2,
- fors_tree_addr, &fors_info);
-
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- unsigned char leaf[SPX_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- copy_keypair_addr(fors_tree_addr, fors_addr);
- copy_keypair_addr(fors_pk_addr, fors_addr);
-
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr);
- sig += SPX_N;
-
- /* Derive the corresponding root node of this tree. */
- compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset,
- sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr);
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.h
deleted file mode 100644
index 509140a178..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef SPX_FORS_H
-#define SPX_FORS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_sign SPX_NAMESPACE(fors_sign)
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig)
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash.h
deleted file mode 100644
index f7c87d4c3c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef SPX_HASH_H
-#define SPX_HASH_H
-
-#include
-#include
-
-#include "context.h"
-#include "params.h"
-
-#define prf_addr SPX_NAMESPACE(prf_addr)
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]);
-
-#define gen_message_random SPX_NAMESPACE(gen_message_random)
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-#define hash_message SPX_NAMESPACE(hash_message)
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shake.c
deleted file mode 100644
index ff5e7ec918..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shake.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "hash.h"
-
-#include "address.h"
-#include "fips202.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Computes PRF(pk_seed, sk_seed, addr)
- */
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]) {
- unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES];
-
- memcpy(buf, ctx->pub_seed, SPX_N);
- memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES);
- memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N);
-
- shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, sk_prf, SPX_N);
- shake256_inc_absorb(&s_inc, optrand, SPX_N);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(R, SPX_N, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
-#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1))
-#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8)
-#define SPX_LEAF_BITS SPX_TREE_HEIGHT
-#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8)
-#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES)
-
- unsigned char buf[SPX_DGST_BYTES];
- unsigned char *bufp = buf;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, R, SPX_N);
- shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-
- memcpy(digest, bufp, SPX_FORS_MSG_BYTES);
- bufp += SPX_FORS_MSG_BYTES;
-
-
- *tree = bytes_to_ull(bufp, SPX_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS);
- bufp += SPX_TREE_BYTES;
-
- *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shakex2.c
deleted file mode 100644
index 99571916a2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shakex2.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include
-#include
-
-#include "hashx2.h"
-
-#include "address.h"
-#include "f1600x2.h"
-#include "fips202x2.h"
-#include "params.h"
-
-/*
- * 2-way parallel version of prf_addr; takes 2x as much input and output
- */
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the fourway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
-
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->sk_seed + 8 * i);
- state[2 * (SPX_N / 8 + i + 4)] = x;
- state[2 * (SPX_N / 8 + i + 4) + 1] = x;
- }
-
- /* SHAKE domain separator and padding. */
- state[2 * (SPX_N / 4 + 4)] = 0x1f;
- state[2 * (SPX_N / 4 + 4) + 1] = 0x1f;
-
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hashx2.h
deleted file mode 100644
index 99b8873a9b..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hashx2.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef SPX_HASHX2_H
-#define SPX_HASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define prf_addrx2 SPX_NAMESPACE(prf_addrx2)
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.c
deleted file mode 100644
index c94ee23939..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include
-#include
-
-#include "merkle.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-#include "utilsx2.h"
-#include "wots.h"
-#include "wotsx2.h"
-
-/*
- * This generates a Merkle signature (WOTS signature followed by the Merkle
- * authentication path).
- */
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf) {
- unsigned char *auth_path = sig + SPX_WOTS_BYTES;
- uint32_t tree_addrx2[2 * 8] = { 0 };
- int j;
- struct leaf_info_x2 info = { 0 };
- unsigned steps[ SPX_WOTS_LEN ];
-
- info.wots_sig = sig;
- chain_lengths(steps, root);
- info.wots_steps = steps;
-
- for (j = 0; j < 2; j++) {
- set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE);
- set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS);
- set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK);
- copy_subtree_addr(&tree_addrx2[8 * j], tree_addr);
- copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr);
- copy_subtree_addr(&info.pk_addr[8 * j], wots_addr);
- }
-
- info.wots_sign_leaf = idx_leaf;
-
- treehashx2(root, auth_path, ctx,
- idx_leaf, 0,
- SPX_TREE_HEIGHT,
- wots_gen_leafx2,
- tree_addrx2, &info);
-}
-
-/* Compute root node of the top-most subtree. */
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) {
- /* We do not need the auth path in key generation, but it simplifies the
- code to have just one treehash routine that computes both root and path
- in one function. */
- unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES];
- uint32_t top_tree_addr[8] = {0};
- uint32_t wots_addr[8] = {0};
-
- set_layer_addr(top_tree_addr, SPX_D - 1);
- set_layer_addr(wots_addr, SPX_D - 1);
-
- merkle_sign(auth_path, root, ctx,
- wots_addr, top_tree_addr,
- ~0 /* ~0 means "don't bother generating an auth path */ );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.h
deleted file mode 100644
index 769cf2e970..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef MERKLE_H_
-#define MERKLE_H_
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/* Generate a Merkle signature (WOTS signature followed by the Merkle */
-/* authentication path) */
-#define merkle_sign SPX_NAMESPACE(merkle_sign)
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf);
-
-/* Compute the root node of the top-most subtree. */
-#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root)
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx);
-
-#endif /* MERKLE_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/nistapi.h
deleted file mode 100644
index 3cb71afad4..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/nistapi.h
+++ /dev/null
@@ -1,87 +0,0 @@
-#ifndef SPX_API_H
-#define SPX_API_H
-
-#include
-#include
-
-#include "params.h"
-
-#define CRYPTO_ALGNAME "SPHINCS+"
-
-#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES
-#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES
-#define CRYPTO_BYTES SPX_BYTES
-#define CRYPTO_SEEDBYTES (3*SPX_N)
-
-/*
- * Returns the length of a secret key, in bytes
- */
-#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes)
-size_t crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes)
-size_t crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes)
-size_t crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes)
-size_t crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair)
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-#define crypto_sign SPX_NAMESPACE(crypto_sign)
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/params.h
deleted file mode 100644
index 650f74916a..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/params.h
+++ /dev/null
@@ -1,56 +0,0 @@
-#ifndef SPX_PARAMS_H
-#define SPX_PARAMS_H
-
-#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_##s
-
-/* Hash output length in bytes. */
-#define SPX_N 24
-/* Height of the hypertree. */
-#define SPX_FULL_HEIGHT 63
-/* Number of subtree layer. */
-#define SPX_D 7
-/* FORS tree dimensions. */
-#define SPX_FORS_HEIGHT 14
-#define SPX_FORS_TREES 17
-/* Winternitz parameter, */
-#define SPX_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define SPX_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define SPX_WOTS_LOGW 4
-
-#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW)
-
-/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define SPX_WOTS_LEN2 3
-
-#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2)
-#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N)
-#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES
-
-/* Subtree size. */
-#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D)
-
-//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT
-// #error SPX_D should always divide SPX_FULL_HEIGHT
-//#endif
-
-/* FORS parameters. */
-#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8)
-#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N)
-#define SPX_FORS_PK_BYTES SPX_N
-
-/* Resulting SPX sizes. */
-#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\
- SPX_FULL_HEIGHT * SPX_N)
-#define SPX_PK_BYTES (2 * SPX_N)
-#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES)
-
-#include "shake_offsets.h"
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/shake_offsets.h
deleted file mode 100644
index 6b28d95d91..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/shake_offsets.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef SHAKE_OFFSETS_H_
-#define SHAKE_OFFSETS_H_
-
-/*
- * Offsets of various fields in the address structure when we use SHAKE as
- * the Sphincs+ hash function
- */
-
-#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */
-#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */
-#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */
-#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */
-#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */
-#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */
-#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */
-#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */
-#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */
-
-#define SPX_SHAKE 1
-
-#endif /* SHAKE_OFFSETS_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/sign.c
deleted file mode 100644
index 9d0c7d1b22..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/sign.c
+++ /dev/null
@@ -1,286 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "context.h"
-#include "fors.h"
-#include "hash.h"
-#include "merkle.h"
-#include "nistapi.h"
-#include "params.h"
-#include "randombytes.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t crypto_sign_secretkeybytes(void) {
- return CRYPTO_SECRETKEYBYTES;
-}
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t crypto_sign_publickeybytes(void) {
- return CRYPTO_PUBLICKEYBYTES;
-}
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t crypto_sign_bytes(void) {
- return CRYPTO_BYTES;
-}
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t crypto_sign_seedbytes(void) {
- return CRYPTO_SEEDBYTES;
-}
-
-/*
- * Generates an SPX key pair given a seed of length
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed) {
- spx_ctx ctx;
-
- /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */
- memcpy(sk, seed, CRYPTO_SEEDBYTES);
-
- memcpy(pk, sk + 2 * SPX_N, SPX_N);
-
- memcpy(ctx.pub_seed, pk, SPX_N);
- memcpy(ctx.sk_seed, sk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- /* Compute root node of the top-most subtree. */
- merkle_gen_root(sk + 3 * SPX_N, &ctx);
-
- // cleanup
- free_hash_function(&ctx);
-
- memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N);
-
- return 0;
-}
-
-/*
- * Generates an SPX key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seed[CRYPTO_SEEDBYTES];
- randombytes(seed, CRYPTO_SEEDBYTES);
- crypto_sign_seed_keypair(pk, sk, seed);
-
- return 0;
-}
-
-/**
- * Returns an array containing a detached signature.
- */
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- spx_ctx ctx;
-
- const uint8_t *sk_prf = sk + SPX_N;
- const uint8_t *pk = sk + 2 * SPX_N;
-
- uint8_t optrand[SPX_N];
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t root[SPX_N];
- uint32_t i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
-
- memcpy(ctx.sk_seed, sk, SPX_N);
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
-
- /* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
- randombytes(optrand, SPX_N);
- /* Compute the digest randomization value. */
- gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx);
-
- /* Derive the message digest and leaf index from R, PK and M. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- /* Sign the message hash using FORS. */
- fors_sign(sig, root, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf);
- sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- free_hash_function(&ctx);
-
- *siglen = SPX_BYTES;
-
- return 0;
-}
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- spx_ctx ctx;
- const uint8_t *pub_root = pk + SPX_N;
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t wots_pk[SPX_WOTS_BYTES];
- uint8_t root[SPX_N];
- uint8_t leaf[SPX_N];
- unsigned int i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- if (siglen != SPX_BYTES) {
- return -1;
- }
-
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
- set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK);
-
- /* Derive the message digest and leaf index from R || PK || M. */
- /* The additional SPX_N is a result of the hash domain separator. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- /* Layer correctly defaults to 0, so no need to set_layer_addr */
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- /* For each subtree.. */
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- copy_keypair_addr(wots_pk_addr, wots_addr);
-
- /* The WOTS public key is only correct if the signature was correct. */
- /* Initially, root is the FORS pk, but on subsequent iterations it is
- the root of the subtree below the currently processed subtree. */
- wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr);
- sig += SPX_WOTS_BYTES;
-
- /* Compute the leaf node using the WOTS public key. */
- thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr);
-
- /* Compute the root node of this subtree. */
- compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT,
- &ctx, tree_addr);
- sig += SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- // cleanup
- free_hash_function(&ctx);
-
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pub_root, SPX_N) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk) {
- size_t siglen;
-
- crypto_sign_signature(sm, &siglen, m, mlen, sk);
-
- memmove(sm + SPX_BYTES, m, mlen);
- *smlen = siglen + mlen;
-
- return 0;
-}
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk) {
- /* The API caller does not necessarily know what size a signature should be
- but SPHINCS+ signatures are always exactly SPX_BYTES. */
- if (smlen < SPX_BYTES) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- *mlen = smlen - SPX_BYTES;
-
- if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- /* If verification was successful, move the message to the right place. */
- memmove(m, sm + SPX_BYTES, *mlen);
-
- return 0;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash.h
deleted file mode 100644
index 8687ccfb4d..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef SPX_THASH_H
-#define SPX_THASH_H
-
-#include "context.h"
-#include "params.h"
-
-#include
-
-#define thash SPX_NAMESPACE(thash)
-void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash_shake_simplex2.c
deleted file mode 100644
index 892e453690..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash_shake_simplex2.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "thash.h"
-#include "thashx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-#include "f1600x2.h"
-#include "fips202x2.h"
-
-
-void thash(unsigned char *out,
- const unsigned char *in,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t addrx2 [2 * 8] = {
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7],
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7]
- };
- thashx2(out, out, in, in, inblocks, ctx, addrx2);
-}
-
-/**
- * 2-way parallel version of thash; takes 2x as much input and output
- */
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]) {
- if (inblocks == 1 || inblocks == 2) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the twoway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
-
- for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) {
- state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i);
- state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i);
- }
-
- /* Domain separator and padding. */
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f;
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
- } else {
- PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
-
- memcpy(buf0, ctx->pub_seed, SPX_N);
- memcpy(buf1, ctx->pub_seed, SPX_N);
- memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES);
- memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES);
- memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N);
- memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N);
-
- shake256x2(out0, out1, SPX_N,
- buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thashx2.h
deleted file mode 100644
index 040375e618..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thashx2.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef SPX_THASHX2_H
-#define SPX_THASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define thashx2 SPX_NAMESPACE(thashx2)
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.c
deleted file mode 100644
index 177b541fb9..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-
-#include "utils.h"
-
-#include "address.h"
-#include "hash.h"
-#include "params.h"
-#include "thash.h"
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in) {
- int i;
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (i = (signed int)outlen - 1; i >= 0; i--) {
- out[i] = in & 0xff;
- in = in >> 8;
- }
-}
-
-void u32_to_bytes(unsigned char *out, uint32_t in) {
- out[0] = (unsigned char)(in >> 24);
- out[1] = (unsigned char)(in >> 16);
- out[2] = (unsigned char)(in >> 8);
- out[3] = (unsigned char)in;
-}
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) {
- unsigned long long retval = 0;
- unsigned int i;
-
- for (i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i));
- }
- return retval;
-}
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t i;
- unsigned char buffer[2 * SPX_N];
-
- /* If leaf_idx is odd (last bit = 1), current path element is a right child
- and auth_path has to go left. Otherwise it is the other way around. */
- if (leaf_idx & 1) {
- memcpy(buffer + SPX_N, leaf, SPX_N);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- memcpy(buffer, leaf, SPX_N);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
-
- for (i = 0; i < tree_height - 1; i++) {
- leaf_idx >>= 1;
- idx_offset >>= 1;
- /* Set the address of the node we're creating. */
- set_tree_height(addr, i + 1);
- set_tree_index(addr, leaf_idx + idx_offset);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leaf_idx & 1) {
- thash(buffer + SPX_N, buffer, 2, ctx, addr);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- thash(buffer, buffer, 2, ctx, addr);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
- }
-
- /* The last iteration is exceptional; we do not copy an auth_path node. */
- leaf_idx >>= 1;
- idx_offset >>= 1;
- set_tree_height(addr, tree_height);
- set_tree_index(addr, leaf_idx + idx_offset);
- thash(root, buffer, 2, ctx, addr);
-}
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx * /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]) {
- PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N);
- PQCLEAN_VLA(unsigned int, heights, tree_height + 1);
- unsigned int offset = 0;
- uint32_t idx;
- uint32_t tree_idx;
-
- for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) {
- /* Add the next leaf node to the stack. */
- gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr);
- offset++;
- heights[offset - 1] = 0;
-
- /* If this is a node we need for the auth path.. */
- if ((leaf_idx ^ 0x1) == idx) {
- memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N);
- }
-
- /* While the top-most nodes are of equal height.. */
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {
- /* Compute index of the new node, in the next layer. */
- tree_idx = (idx >> (heights[offset - 1] + 1));
-
- /* Set the address of the node we're creating. */
- set_tree_height(tree_addr, heights[offset - 1] + 1);
- set_tree_index(tree_addr,
- tree_idx + (idx_offset >> (heights[offset - 1] + 1)));
- /* Hash the top-most nodes from the stack together. */
- thash(stack + (offset - 2)*SPX_N,
- stack + (offset - 2)*SPX_N, 2, ctx, tree_addr);
- offset--;
- /* Note that the top-most node is now one layer higher. */
- heights[offset - 1]++;
-
- /* If this is a node we need for the auth path.. */
- if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {
- memcpy(auth_path + heights[offset - 1]*SPX_N,
- stack + (offset - 1)*SPX_N, SPX_N);
- }
- }
- }
- memcpy(root, stack, SPX_N);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.h
deleted file mode 100644
index 64f5d5a53a..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.h
+++ /dev/null
@@ -1,58 +0,0 @@
-#ifndef SPX_UTILS_H
-#define SPX_UTILS_H
-
-#include
-
-#include "compat.h"
-#include "context.h"
-#include "params.h"
-
-
-/* To support MSVC use alloca() instead of VLAs. See #20. */
-
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes)
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in);
-#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes)
-void u32_to_bytes(unsigned char *out, uint32_t in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull)
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-#define compute_root SPX_NAMESPACE(compute_root)
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-#define treehash SPX_NAMESPACE(treehash)
-void treehash(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx *ctx /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]);
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.c
deleted file mode 100644
index 8736474e4f..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.c
+++ /dev/null
@@ -1,130 +0,0 @@
-#include
-
-#include "utilsx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-
-/*
- * Generate the entire Merkle tree, computing the authentication path for leaf_idx,
- * and the resulting root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE)
- *
- * This expects tree_addrx2 to be initialized to 2 parallel addr structures for
- * the Merkle tree nodes
- *
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This works by using the standard Merkle tree building algorithm, except
- * that each 'node' tracked is actually 2 consecutive nodes in the real tree.
- * When we combine two logical nodes AB and WX, we perform the H
- * operation on adjacent real nodes, forming the parent logical node
- * (AB)(WX)
- *
- * When we get to the top level of the real tree (where there is only
- * one logical node), we continue this operation one more time; the right
- * most real node will by the actual root (and the other node will be
- * garbage). We follow the same thashx2 logic so that the 'extract
- * authentication path components' part of the loop is still executed (and
- * to simplify the code somewhat)
- */
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset,
- uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx *,
- uint32_t idx, void *info),
- uint32_t tree_addrx2[2 * 8],
- void *info) {
- /* This is where we keep the intermediate nodes */
- unsigned char stackx2[tree_height * 2 * SPX_N];
- uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */
- /* level, the left-most part of the tree isn't at the beginning */
- /* of current[]. These give the offset of the actual start */
-
- uint32_t idx;
- uint32_t max_idx = (1 << (tree_height - 1)) - 1;
- for (idx = 0;; idx++) {
- unsigned char current[2 * SPX_N]; /* Current logical node */
- gen_leafx2( current, ctx, 2 * idx + idx_offset,
- info );
-
- /* Now combine the freshly generated right node with previously */
- /* generated left ones */
- uint32_t internal_idx_offset = idx_offset;
- uint32_t internal_idx = idx;
- uint32_t internal_leaf = leaf_idx;
- uint32_t h; /* The height we are in the Merkle tree */
- for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) {
-
- /* Special processing if we're at the top of the tree */
- if (h >= tree_height - 1) {
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
- /* The tree indexing logic is a bit off in this case */
- /* Adjust it so that the left-most node of the part of */
- /* the tree that we're processing has index 0 */
- prev_left_adj = left_adj;
- left_adj = 2 - (1 << (tree_height - h - 1));
- }
-
- /* Check if we hit the top of the tree */
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
-
- /*
- * Check if one of the nodes we have is a part of the
- * authentication path; if it is, write it out
- */
- if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) {
- memcpy( &auth_path[ h * SPX_N ],
- ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N],
- SPX_N );
- }
-
- /*
- * Check if we're at a left child; if so, stop going up the stack
- * Exception: if we've reached the end of the tree, keep on going
- * (so we combine the last 2 nodes into the one root node in two
- * more iterations)
- */
- if ((internal_idx & 1) == 0 && idx < max_idx) {
- break;
- }
-
- /* Ok, we're at a right node (or doing the top 3 levels) */
- /* Now combine the left and right logical nodes together */
-
- /* Set the address of the node we're creating. */
- int j;
- internal_idx_offset >>= 1;
- for (j = 0; j < 2; j++) {
- set_tree_height(tree_addrx2 + j * 8, h + 1);
- set_tree_index(tree_addrx2 + j * 8,
- (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset );
- }
- unsigned char *left = &stackx2[h * 2 * SPX_N];
- thashx2( ¤t[0 * SPX_N],
- ¤t[1 * SPX_N],
- &left [0 * SPX_N],
- ¤t[0 * SPX_N],
- 2, ctx, tree_addrx2);
- }
-
- /* We've hit a left child; save the current for when we get the */
- /* corresponding right right */
- memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.h
deleted file mode 100644
index e09faddc43..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef SPX_UTILSX2_H
-#define SPX_UTILSX2_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This implementation uses SIMD to compute internal nodes 2 at a time (in
- * parallel)
- */
-#define treehashx2 SPX_NAMESPACE(treehashx2)
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx * /* ctx */,
- uint32_t addr_idx, void *info),
- uint32_t tree_addrx2[2 * 8], void *info);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.c
deleted file mode 100644
index 3babe45e95..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.c
+++ /dev/null
@@ -1,259 +0,0 @@
-#include
-#include
-
-#include "wots.h"
-#include "wotsx2.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes up the chains
- */
-static void gen_chains(
- unsigned char *out,
- const unsigned char *in,
- unsigned int start[SPX_WOTS_LEN],
- const unsigned int steps[SPX_WOTS_LEN],
- const spx_ctx *ctx,
- uint32_t addr[8]) {
- uint32_t i, j, k, idx, watching;
- int done;
- unsigned char empty[SPX_N];
- unsigned char *bufs[4];
- uint32_t addrs[8 * 2];
-
- int l;
- uint16_t counts[SPX_WOTS_W] = { 0 };
- uint16_t idxs[SPX_WOTS_LEN];
- uint16_t total, newTotal;
-
- /* set addrs = {addr, addr} */
- for (j = 0; j < 2; j++) {
- memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8);
- }
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, SPX_WOTS_LEN * SPX_N);
-
- /* Sort the chains in reverse order by steps using counting sort. */
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- counts[steps[i]]++;
- }
- total = 0;
- for (l = SPX_WOTS_W - 1; l >= 0; l--) {
- newTotal = counts[l] + total;
- counts[l] = total;
- total = newTotal;
- }
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- idxs[counts[steps[i]]] = i;
- counts[steps[i]]++;
- }
-
- /* We got our work cut out for us: do it! */
- for (i = 0; i < SPX_WOTS_LEN; i += 2) {
- for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) {
- idx = idxs[i + j];
- set_chain_addr(addrs + j * 8, idx);
- bufs[j] = out + SPX_N * idx;
- }
-
- /* As the chains are sorted in reverse order, we know that the first
- * chain is the longest and the last one is the shortest. We keep
- * an eye on whether the last chain is done and then on the one before,
- * et cetera. */
- watching = 1;
- done = 0;
- while (i + watching >= SPX_WOTS_LEN) {
- bufs[watching] = &empty[0];
- watching--;
- }
-
- for (k = 0;; k++) {
- while (k == steps[idxs[i + watching]]) {
- bufs[watching] = &empty[0];
- if (watching == 0) {
- done = 1;
- break;
- }
- watching--;
- }
- if (done) {
- break;
- }
- for (j = 0; j < watching + 1; j++) {
- set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]);
- }
-
- thashx2(bufs[0], bufs[1],
- bufs[0], bufs[1], 1, ctx, addrs);
- }
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const int out_len,
- const unsigned char *input) {
- int in = 0;
- int out = 0;
- unsigned char total = 0;
- int bits = 0;
- int consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= SPX_WOTS_LOGW;
- output[out] = (total >> bits) & (SPX_WOTS_W - 1);
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w,
- const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < SPX_WOTS_LEN1; i++) {
- csum += SPX_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w. */
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8);
- ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, SPX_WOTS_LEN1, msg);
- wots_checksum(lengths + SPX_WOTS_LEN1, lengths);
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]) {
- unsigned int steps[SPX_WOTS_LEN];
- unsigned int start[SPX_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(start, msg);
-
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- steps[i] = SPX_WOTS_W - 1 - start[i];
- }
-
- gen_chains(pk, sig, start, steps, ctx, addr);
-}
-
-/*
- * This generates 2 sequential WOTS public keys
- * It also generates the WOTS signature if leaf_info indicates
- * that we're signing with one of these WOTS keys
- */
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info) {
- struct leaf_info_x2 *info = v_info;
- uint32_t *leaf_addr = info->leaf_addr;
- uint32_t *pk_addr = info->pk_addr;
- unsigned int i, j, k;
- unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ];
- unsigned wots_offset = SPX_WOTS_BYTES;
- unsigned char *buffer;
- uint32_t wots_k_mask;
- unsigned wots_sign_index;
-
- if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) {
- /* We're traversing the leaf that's signing; generate the WOTS */
- /* signature */
- wots_k_mask = 0;
- wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */
- /* slots do the signatures come from */
- } else {
- /* Nope, we're just generating pk's; turn off the signature logic */
- wots_k_mask = ~0;
- wots_sign_index = 0;
- }
-
- for (j = 0; j < 2; j++) {
- set_keypair_addr( leaf_addr + j * 8, leaf_idx + j );
- set_keypair_addr( pk_addr + j * 8, leaf_idx + j );
- }
-
- for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) {
- uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */
- /* the step if we're generating a signature, ~0 if we're not */
-
- /* Start with the secret seed */
- for (j = 0; j < 2; j++) {
- set_chain_addr(leaf_addr + j * 8, i);
- set_hash_addr(leaf_addr + j * 8, 0);
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF);
- }
- prf_addrx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- ctx, leaf_addr);
- for (j = 0; j < 2; j++) {
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS);
- }
-
- /* Iterate down the WOTS chain */
- for (k = 0;; k++) {
- /* Check if one of the values we have needs to be saved as a */
- /* part of the WOTS signature */
- if (k == wots_k) {
- memcpy( info->wots_sig + i * SPX_N,
- buffer + wots_sign_index * wots_offset, SPX_N );
- }
-
- /* Check if we hit the top of the chain */
- if (k == SPX_WOTS_W - 1) {
- break;
- }
-
- /* Iterate one step on all 4 chains */
- for (j = 0; j < 2; j++) {
- set_hash_addr(leaf_addr + j * 8, k);
- }
- thashx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- 1, ctx, leaf_addr);
- }
- }
-
- /* Do the final thash to generate the public keys */
- thashx2(dest + 0 * SPX_N,
- dest + 1 * SPX_N,
- pk_buffer + 0 * wots_offset,
- pk_buffer + 1 * wots_offset,
- SPX_WOTS_LEN, ctx, pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.h
deleted file mode 100644
index 4e7692eeef..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef SPX_WOTS_H
-#define SPX_WOTS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig)
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/*
- * Compute the chain lengths needed for a given message hash
- */
-#define chain_lengths SPX_NAMESPACE(chain_lengths)
-void chain_lengths(unsigned int *lengths, const unsigned char *msg);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wotsx2.h
deleted file mode 100644
index b58bb61f84..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wotsx2.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef WOTSX2_H_
-#define WOTSX2_H_
-
-#include "params.h"
-#include
-
-/*
- * This is here to provide an interface to the internal wots_gen_leafx2
- * routine. While this routine is not referenced in the package outside of
- * wots.c, it is called from the stand-alone benchmark code to characterize
- * the performance
- */
-struct leaf_info_x2 {
- unsigned char *wots_sig;
- uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */
- uint32_t *wots_steps;
- uint32_t leaf_addr[2 * 8];
- uint32_t pk_addr[2 * 8];
-};
-
-/* Macro to set the leaf_info to something 'benign', that is, it would */
-/* run with the same time as it does during the real signing process */
-/* Used only by the benchmark code */
-#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \
- (info).wots_sig = 0; \
- (info).wots_sign_leaf = ~0; \
- (info).wots_steps = step_buffer; \
- int i; \
- for (i=0; i<2; i++) { \
- memcpy( &(info).leaf_addr[8*i], addr, 32 ); \
- memcpy( &(info).pk_addr[8*i], addr, 32 ); \
- } \
- }
-
-#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2)
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info);
-
-#endif /* WOTSX2_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/LICENSE
deleted file mode 100644
index 670154e353..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@
-CC0 1.0 Universal
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator and
-subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for the
-purpose of contributing to a commons of creative, cultural and scientific
-works ("Commons") that the public can reliably and without fear of later
-claims of infringement build upon, modify, incorporate in other works, reuse
-and redistribute as freely as possible in any form whatsoever and for any
-purposes, including without limitation commercial purposes. These owners may
-contribute to the Commons to promote the ideal of a free culture and the
-further production of creative, cultural and scientific works, or to gain
-reputation or greater distribution for their Work in part through the use and
-efforts of others.
-
-For these and/or other purposes and motivations, and without any expectation
-of additional consideration or compensation, the person associating CC0 with a
-Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
-and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
-and publicly distribute the Work under its terms, with knowledge of his or her
-Copyright and Related Rights in the Work and the meaning and intended legal
-effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not limited
-to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display, communicate,
- and translate a Work;
-
- ii. moral rights retained by the original author(s) and/or performer(s);
-
- iii. publicity and privacy rights pertaining to a person's image or likeness
- depicted in a Work;
-
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
-
- v. rights protecting the extraction, dissemination, use and reuse of data in
- a Work;
-
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation thereof,
- including any amended or successor version of such directive); and
-
- vii. other similar, equivalent or corresponding rights throughout the world
- based on applicable law or treaty, and any national implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention of,
-applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
-unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
-and Related Rights and associated claims and causes of action, whether now
-known or unknown (including existing as well as future claims and causes of
-action), in the Work (i) in all territories worldwide, (ii) for the maximum
-duration provided by applicable law or treaty (including future time
-extensions), (iii) in any current or future medium and for any number of
-copies, and (iv) for any purpose whatsoever, including without limitation
-commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
-the Waiver for the benefit of each member of the public at large and to the
-detriment of Affirmer's heirs and successors, fully intending that such Waiver
-shall not be subject to revocation, rescission, cancellation, termination, or
-any other legal or equitable action to disrupt the quiet enjoyment of the Work
-by the public as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason be
-judged legally invalid or ineffective under applicable law, then the Waiver
-shall be preserved to the maximum extent permitted taking into account
-Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
-is so judged Affirmer hereby grants to each affected person a royalty-free,
-non transferable, non sublicensable, non exclusive, irrevocable and
-unconditional license to exercise Affirmer's Copyright and Related Rights in
-the Work (i) in all territories worldwide, (ii) for the maximum duration
-provided by applicable law or treaty (including future time extensions), (iii)
-in any current or future medium and for any number of copies, and (iv) for any
-purpose whatsoever, including without limitation commercial, advertising or
-promotional purposes (the "License"). The License shall be deemed effective as
-of the date CC0 was applied by Affirmer to the Work. Should any part of the
-License for any reason be judged legally invalid or ineffective under
-applicable law, such partial invalidity or ineffectiveness shall not
-invalidate the remainder of the License, and in such case Affirmer hereby
-affirms that he or she will not (i) exercise any of his or her remaining
-Copyright and Related Rights in the Work or (ii) assert any associated claims
-and causes of action with respect to the Work, in either case contrary to
-Affirmer's express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
-
- b. Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.c
deleted file mode 100644
index b956e9cb29..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.c
+++ /dev/null
@@ -1,91 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Specify which level of Merkle tree (the "layer") we're working on
- */
-void set_layer_addr(uint32_t addr[8], uint32_t layer) {
- ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer;
-}
-
-/*
- * Specify which Merkle tree within the level (the "tree address") we're working on
- */
-void set_tree_addr(uint32_t addr[8], uint64_t tree) {
- ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree );
-}
-
-/*
- * Specify the reason we'll use this address structure for, that is, what
- * hash will we compute with it. This is used so that unrelated types of
- * hashes don't accidentally get the same address structure. The type will be
- * one of the SPX_ADDR_TYPE constants
- */
-void set_type(uint32_t addr[8], uint32_t type) {
- ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type;
-}
-
-/*
- * Copy the layer and tree fields of the address structure. This is used
- * when we're doing multiple types of hashes within the same Merkle tree
- */
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
-}
-
-/* These functions are used for OTS addresses. */
-
-/*
- * Specify which Merkle leaf we're working on; that is, which OTS keypair
- * we're talking about.
- */
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair) {
- ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair;
-}
-
-/*
- * Copy the layer, tree and keypair fields of the address structure. This is
- * used when we're doing multiple things within the same OTS keypair
- */
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
- ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1];
-}
-
-/*
- * Specify which Merkle chain within the OTS we're working with
- * (the chain address)
- */
-void set_chain_addr(uint32_t addr[8], uint32_t chain) {
- ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain;
-}
-
-/*
- * Specify where in the Merkle chain we are
-* (the hash address)
- */
-void set_hash_addr(uint32_t addr[8], uint32_t hash) {
- ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-/*
- * Specify the height of the node in the Merkle/FORS tree we are in
- * (the tree height)
- */
-void set_tree_height(uint32_t addr[8], uint32_t tree_height) {
- ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height;
-}
-
-/*
- * Specify the distance from the left edge of the node in the Merkle/FORS tree
- * (the tree index)
- */
-void set_tree_index(uint32_t addr[8], uint32_t tree_index) {
- u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.h
deleted file mode 100644
index 24a84eb40c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.h
+++ /dev/null
@@ -1,52 +0,0 @@
-#ifndef SPX_ADDRESS_H
-#define SPX_ADDRESS_H
-
-#include
-
-#include "params.h"
-
-/* The hash types that are passed to set_type */
-#define SPX_ADDR_TYPE_WOTS 0
-#define SPX_ADDR_TYPE_WOTSPK 1
-#define SPX_ADDR_TYPE_HASHTREE 2
-#define SPX_ADDR_TYPE_FORSTREE 3
-#define SPX_ADDR_TYPE_FORSPK 4
-#define SPX_ADDR_TYPE_WOTSPRF 5
-#define SPX_ADDR_TYPE_FORSPRF 6
-
-#define set_layer_addr SPX_NAMESPACE(set_layer_addr)
-void set_layer_addr(uint32_t addr[8], uint32_t layer);
-
-#define set_tree_addr SPX_NAMESPACE(set_tree_addr)
-void set_tree_addr(uint32_t addr[8], uint64_t tree);
-
-#define set_type SPX_NAMESPACE(set_type)
-void set_type(uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr)
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr)
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair);
-
-#define set_chain_addr SPX_NAMESPACE(set_chain_addr)
-void set_chain_addr(uint32_t addr[8], uint32_t chain);
-
-#define set_hash_addr SPX_NAMESPACE(set_hash_addr)
-void set_hash_addr(uint32_t addr[8], uint32_t hash);
-
-#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr)
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-#define set_tree_height SPX_NAMESPACE(set_tree_height)
-void set_tree_height(uint32_t addr[8], uint32_t tree_height);
-
-#define set_tree_index SPX_NAMESPACE(set_tree_index)
-void set_tree_index(uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/api.h
deleted file mode 100644
index 3d21ff3dfe..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/api.h
+++ /dev/null
@@ -1,77 +0,0 @@
-#ifndef PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_API_H
-#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_API_H
-
-#include
-#include
-
-#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-256f-simple"
-
-#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 128
-#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 64
-#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_CRYPTO_BYTES 49856
-
-#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_CRYPTO_SEEDBYTES 96
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context.h
deleted file mode 100644
index 6e0a33f3b7..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef SPX_CONTEXT_H
-#define SPX_CONTEXT_H
-
-#include
-
-#include "params.h"
-
-typedef struct {
- uint8_t pub_seed[SPX_N];
- uint8_t sk_seed[SPX_N];
-} spx_ctx;
-
-#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function)
-void initialize_hash_function(spx_ctx *ctx);
-
-#define free_hash_function SPX_NAMESPACE(free_hash_function)
-void free_hash_function(spx_ctx *ctx);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context_shake.c
deleted file mode 100644
index 9614a103d3..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context_shake.c
+++ /dev/null
@@ -1,12 +0,0 @@
-#include "context.h"
-
-/* For SHAKE256, there is no immediate reason to initialize at the start,
- so this function is an empty operation. */
-void initialize_hash_function(spx_ctx *ctx) {
- (void)ctx; /* Suppress an 'unused parameter' warning. */
-}
-
-// in case the hash function api is heap-based.
-void free_hash_function(spx_ctx *ctx) {
- (void)ctx;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.h
deleted file mode 100644
index 70d1af9f14..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef SPX_F1600X2_H
-#define SPX_F1600X2_H
-
-#include
-
-extern uint64_t f1600_RC[24];
-extern void _f1600x2(uint64_t *a, uint64_t *rc);
-
-#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0)
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.s
deleted file mode 100644
index 640ed791ed..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.s
+++ /dev/null
@@ -1,143 +0,0 @@
-# From https://github.com/bwesterb/armed-keccak
-
-.macro round
- # Execute theta, but without xoring into the state yet.
- # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i].
- eor3.16b v25, v0, v5, v10
- eor3.16b v26, v1, v6, v11
- eor3.16b v27, v2, v7, v12
- eor3.16b v28, v3, v8, v13
- eor3.16b v29, v4, v9, v14
-
- eor3.16b v25, v25, v15, v20
- eor3.16b v26, v26, v16, v21
- eor3.16b v27, v27, v17, v22
- eor3.16b v28, v28, v18, v23
- eor3.16b v29, v29, v19, v24
-
- # d[0] = rotl(p[1], 1) ^ p[4]
- rax1.2d v30, v29, v26
- # d[3] = rotl(p[4], 1) ^ p[2]
- rax1.2d v29, v27, v29
- # d[1] = rotl(p[2], 1) ^ p[0]
- rax1.2d v27, v25, v27
- # d[4] = rotl(p[0], 1) ^ p[3]
- rax1.2d v25, v28, v25
- # d[2] = rotl(p[3], 1) ^ p[1]
- rax1.2d v28, v26, v28
-
- # Xor parities from step theta into the state at the same time
- # as executing rho and pi.
- eor.16b v0, v0, v30
- mov.16b v31, v1
- xar.2d v1, v6, v27, 20
- xar.2d v6, v9, v25, 44
- xar.2d v9, v22, v28, 3
- xar.2d v22, v14, v25, 25
- xar.2d v14, v20, v30, 46
- xar.2d v20, v2, v28, 2
- xar.2d v2, v12, v28, 21
- xar.2d v12, v13, v29, 39
- xar.2d v13, v19, v25, 56
- xar.2d v19, v23, v29, 8
- xar.2d v23, v15, v30, 23
- xar.2d v15, v4, v25, 37
- xar.2d v4, v24, v25, 50
- xar.2d v24, v21, v27, 62
- xar.2d v21, v8, v29, 9
- xar.2d v8, v16, v27, 19
- xar.2d v16, v5, v30, 28
- xar.2d v5, v3, v29, 36
- xar.2d v3, v18, v29, 43
- xar.2d v18, v17, v28, 49
- xar.2d v17, v11, v27, 54
- xar.2d v11, v7, v28, 58
- xar.2d v7, v10, v30, 61
- xar.2d v10, v31, v27, 63
-
- # Chi
- bcax.16b v25, v0, v2, v1
- bcax.16b v26, v1, v3, v2
- bcax.16b v2, v2, v4, v3
- bcax.16b v3, v3, v0, v4
- bcax.16b v4, v4, v1, v0
- mov.16b v0, v25
- mov.16b v1, v26
-
- bcax.16b v25, v5, v7, v6
- bcax.16b v26, v6, v8, v7
- bcax.16b v7, v7, v9, v8
- bcax.16b v8, v8, v5, v9
- bcax.16b v9, v9, v6, v5
- mov.16b v5, v25
- mov.16b v6, v26
-
- bcax.16b v25, v10, v12, v11
- bcax.16b v26, v11, v13, v12
- bcax.16b v12, v12, v14, v13
- bcax.16b v13, v13, v10, v14
- bcax.16b v14, v14, v11, v10
- mov.16b v10, v25
- mov.16b v11, v26
-
- bcax.16b v25, v15, v17, v16
- bcax.16b v26, v16, v18, v17
- bcax.16b v17, v17, v19, v18
- bcax.16b v18, v18, v15, v19
- bcax.16b v19, v19, v16, v15
- mov.16b v15, v25
- mov.16b v16, v26
-
- bcax.16b v25, v20, v22, v21
- bcax.16b v26, v21, v23, v22
- bcax.16b v22, v22, v24, v23
- bcax.16b v23, v23, v20, v24
- bcax.16b v24, v24, v21, v20
- mov.16b v20, v25
- mov.16b v21, v26
-
- # iota
- ld1r {v25.2d}, [x1], #8
- eor.16b v0, v0, v25
-.endm
-
-.align 4
-.global __f1600x2
-__f1600x2:
- stp d8, d9, [sp,#-16]!
- stp d10, d11, [sp,#-16]!
- stp d12, d13, [sp,#-16]!
- stp d14, d15, [sp,#-16]!
-
- mov x2, x0
- mov x3, #24
-
- ld1.2d {v0, v1, v2, v3}, [x0], #64
- ld1.2d {v4, v5, v6, v7}, [x0], #64
- ld1.2d {v8, v9, v10, v11}, [x0], #64
- ld1.2d {v12, v13, v14, v15}, [x0], #64
- ld1.2d {v16, v17, v18, v19}, [x0], #64
- ld1.2d {v20, v21, v22, v23}, [x0], #64
- ld1.2d {v24}, [x0]
-
-loop:
- round
-
- subs x3, x3, #1
- cbnz x3, loop
-
- mov x0, x2
- st1.2d {v0, v1, v2, v3}, [x0], #64
- st1.2d {v4, v5, v6, v7}, [x0], #64
- st1.2d {v8, v9, v10, v11}, [x0], #64
- st1.2d {v12, v13, v14, v15}, [x0], #64
- st1.2d {v16, v17, v18, v19}, [x0], #64
- st1.2d {v20, v21, v22, v23}, [x0], #64
- st1.2d {v24}, [x0]
-
- ldp d14, d15, [sp], #16
- ldp d12, d13, [sp], #16
- ldp d10, d11, [sp], #16
- ldp d8, d9, [sp], #16
-
- ret lr
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2_const.c
deleted file mode 100644
index e49c0ba149..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2_const.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "f1600x2.h"
-
-uint64_t f1600_RC[24] = {
- 0x0000000000000001,
- 0x0000000000008082,
- 0x800000000000808A,
- 0x8000000080008000,
- 0x000000000000808B,
- 0x0000000080000001,
- 0x8000000080008081,
- 0x8000000000008009,
- 0x000000000000008A,
- 0x0000000000000088,
- 0x0000000080008009,
- 0x000000008000000A,
- 0x000000008000808B,
- 0x800000000000008B,
- 0x8000000000008089,
- 0x8000000000008003,
- 0x8000000000008002,
- 0x8000000000000080,
- 0x000000000000800A,
- 0x800000008000000A,
- 0x8000000080008081,
- 0x8000000000008080,
- 0x0000000080000001,
- 0x8000000080008008,
-};
-
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.c
deleted file mode 100644
index 4718c343bc..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-#include
-
-#include "fips202x2.h"
-#include "f1600x2.h"
-#include "fips202.h"
-
-uint64_t load64(const unsigned char *x) {
- unsigned long long r = 0, i;
-
- for (i = 0; i < 8; ++i) {
- r |= (unsigned long long)x[i] << 8 * i;
- }
- return r;
-}
-
-void store64(uint8_t *x, uint64_t u) {
- unsigned int i;
-
- for (i = 0; i < 8; ++i) {
- x[i] = (uint8_t)u;
- u >>= 8;
- }
-}
-
-static void keccak_absorb2x(uint64_t *s,
- unsigned int r,
- const unsigned char *m0,
- const unsigned char *m1,
- unsigned long long int mlen,
- unsigned char p) {
- unsigned long long i;
- unsigned char t0[200];
- unsigned char t1[200];
-
- while (mlen >= r) {
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(m0 + 8 * i);
- s[2 * i + 1] ^= load64(m1 + 8 * i);
- }
-
- f1600x2(s);
- mlen -= r;
- m0 += r;
- m1 += r;
- }
-
- for (i = 0; i < r; ++i) {
- t0[i] = 0;
- t1[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t0[i] = m0[i];
- t1[i] = m1[i];
- }
-
- t0[i] = p;
- t1[i] = p;
-
- t0[r - 1] |= 128;
- t1[r - 1] |= 128;
-
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(t0 + 8 * i);
- s[2 * i + 1] ^= load64(t1 + 8 * i);
- }
-}
-
-
-static void keccak_squeezeblocks2x(unsigned char *h0,
- unsigned char *h1,
- unsigned long long int nblocks,
- uint64_t *s,
- unsigned int r) {
- unsigned int i;
-
- while (nblocks > 0) {
- f1600x2(s);
- for (i = 0; i < (r >> 3); i++) {
- store64(h0 + 8 * i, s[2 * i + 0]);
- store64(h1 + 8 * i, s[2 * i + 1]);
- }
- h0 += r;
- h1 += r;
- nblocks--;
- }
-}
-
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE128_RATE];
- unsigned char t1[SHAKE128_RATE];
- unsigned int i;
-
- /* absorb 4 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE);
-
- out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
- out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
-
- if (outlen % SHAKE128_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE);
- for (i = 0; i < outlen % SHAKE128_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
-
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE256_RATE];
- unsigned char t1[SHAKE256_RATE];
- unsigned int i;
-
- /* absorb 2 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE);
-
- out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
- out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
-
- if (outlen % SHAKE256_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE);
- for (i = 0; i < outlen % SHAKE256_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.h
deleted file mode 100644
index 7ba58b35d8..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef SPX_FIPS202X2_H
-#define SPX_FIPS202X2_H
-
-#include
-
-uint64_t load64(const unsigned char *x);
-void store64(uint8_t *x, uint64_t u);
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.c
deleted file mode 100644
index 39193d04e2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.c
+++ /dev/null
@@ -1,191 +0,0 @@
-#include
-#include
-#include
-
-#include "fors.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "thash.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- prf_addr(sk, ctx, fors_leaf_addr);
-}
-
-static void fors_gen_skx2(unsigned char *sk0,
- unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- prf_addrx2(sk0, sk1,
- ctx, fors_leaf_addrx2);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- thash(leaf, sk, 1, ctx, fors_leaf_addr);
-}
-
-static void fors_sk_to_leafx2(unsigned char *leaf0,
- unsigned char *leaf1,
- const unsigned char *sk0,
- const unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- thashx2(leaf0, leaf1,
- sk0, sk1,
- 1, ctx, fors_leaf_addrx2);
-}
-
-struct fors_gen_leaf_info {
- uint32_t leaf_addrx[2 * 8];
-};
-
-static void fors_gen_leafx2(unsigned char *leaf,
- const spx_ctx *ctx,
- uint32_t addr_idx, void *info) {
- struct fors_gen_leaf_info *fors_info = info;
- uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx;
- unsigned int j;
-
- /* Only set the parts that the caller doesn't set */
- for (j = 0; j < 2; j++) {
- set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j);
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF);
- }
-
- fors_gen_skx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-
- for (j = 0; j < 2; j++) {
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE);
- }
-
- fors_sk_to_leafx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-}
-
-/**
- * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- * Assumes indices has space for SPX_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < SPX_FORS_HEIGHT; j++) {
- indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j);
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- uint32_t fors_tree_addr[2 * 8] = {0};
- struct fors_gen_leaf_info fors_info = {0};
- uint32_t *fors_leaf_addr = fors_info.leaf_addrx;
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- for (i = 0; i < 2; i++) {
- copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr);
- set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE);
- copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr);
- }
- copy_keypair_addr(fors_pk_addr, fors_addr);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Include the secret key part that produces the selected leaf node. */
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF);
- fors_gen_sk(sig, ctx, fors_tree_addr);
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- sig += SPX_N;
-
- /* Compute the authentication path for this leaf node. */
- treehashx2(roots + i * SPX_N, sig, ctx,
- indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2,
- fors_tree_addr, &fors_info);
-
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- unsigned char leaf[SPX_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- copy_keypair_addr(fors_tree_addr, fors_addr);
- copy_keypair_addr(fors_pk_addr, fors_addr);
-
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr);
- sig += SPX_N;
-
- /* Derive the corresponding root node of this tree. */
- compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset,
- sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr);
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.h
deleted file mode 100644
index 509140a178..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef SPX_FORS_H
-#define SPX_FORS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_sign SPX_NAMESPACE(fors_sign)
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig)
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash.h
deleted file mode 100644
index f7c87d4c3c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef SPX_HASH_H
-#define SPX_HASH_H
-
-#include
-#include
-
-#include "context.h"
-#include "params.h"
-
-#define prf_addr SPX_NAMESPACE(prf_addr)
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]);
-
-#define gen_message_random SPX_NAMESPACE(gen_message_random)
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-#define hash_message SPX_NAMESPACE(hash_message)
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shake.c
deleted file mode 100644
index ff5e7ec918..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shake.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "hash.h"
-
-#include "address.h"
-#include "fips202.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Computes PRF(pk_seed, sk_seed, addr)
- */
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]) {
- unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES];
-
- memcpy(buf, ctx->pub_seed, SPX_N);
- memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES);
- memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N);
-
- shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, sk_prf, SPX_N);
- shake256_inc_absorb(&s_inc, optrand, SPX_N);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(R, SPX_N, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
-#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1))
-#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8)
-#define SPX_LEAF_BITS SPX_TREE_HEIGHT
-#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8)
-#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES)
-
- unsigned char buf[SPX_DGST_BYTES];
- unsigned char *bufp = buf;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, R, SPX_N);
- shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-
- memcpy(digest, bufp, SPX_FORS_MSG_BYTES);
- bufp += SPX_FORS_MSG_BYTES;
-
-
- *tree = bytes_to_ull(bufp, SPX_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS);
- bufp += SPX_TREE_BYTES;
-
- *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shakex2.c
deleted file mode 100644
index 99571916a2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shakex2.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include
-#include
-
-#include "hashx2.h"
-
-#include "address.h"
-#include "f1600x2.h"
-#include "fips202x2.h"
-#include "params.h"
-
-/*
- * 2-way parallel version of prf_addr; takes 2x as much input and output
- */
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the fourway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
-
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->sk_seed + 8 * i);
- state[2 * (SPX_N / 8 + i + 4)] = x;
- state[2 * (SPX_N / 8 + i + 4) + 1] = x;
- }
-
- /* SHAKE domain separator and padding. */
- state[2 * (SPX_N / 4 + 4)] = 0x1f;
- state[2 * (SPX_N / 4 + 4) + 1] = 0x1f;
-
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hashx2.h
deleted file mode 100644
index 99b8873a9b..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hashx2.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef SPX_HASHX2_H
-#define SPX_HASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define prf_addrx2 SPX_NAMESPACE(prf_addrx2)
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.c
deleted file mode 100644
index c94ee23939..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include
-#include
-
-#include "merkle.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-#include "utilsx2.h"
-#include "wots.h"
-#include "wotsx2.h"
-
-/*
- * This generates a Merkle signature (WOTS signature followed by the Merkle
- * authentication path).
- */
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf) {
- unsigned char *auth_path = sig + SPX_WOTS_BYTES;
- uint32_t tree_addrx2[2 * 8] = { 0 };
- int j;
- struct leaf_info_x2 info = { 0 };
- unsigned steps[ SPX_WOTS_LEN ];
-
- info.wots_sig = sig;
- chain_lengths(steps, root);
- info.wots_steps = steps;
-
- for (j = 0; j < 2; j++) {
- set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE);
- set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS);
- set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK);
- copy_subtree_addr(&tree_addrx2[8 * j], tree_addr);
- copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr);
- copy_subtree_addr(&info.pk_addr[8 * j], wots_addr);
- }
-
- info.wots_sign_leaf = idx_leaf;
-
- treehashx2(root, auth_path, ctx,
- idx_leaf, 0,
- SPX_TREE_HEIGHT,
- wots_gen_leafx2,
- tree_addrx2, &info);
-}
-
-/* Compute root node of the top-most subtree. */
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) {
- /* We do not need the auth path in key generation, but it simplifies the
- code to have just one treehash routine that computes both root and path
- in one function. */
- unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES];
- uint32_t top_tree_addr[8] = {0};
- uint32_t wots_addr[8] = {0};
-
- set_layer_addr(top_tree_addr, SPX_D - 1);
- set_layer_addr(wots_addr, SPX_D - 1);
-
- merkle_sign(auth_path, root, ctx,
- wots_addr, top_tree_addr,
- ~0 /* ~0 means "don't bother generating an auth path */ );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.h
deleted file mode 100644
index 769cf2e970..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef MERKLE_H_
-#define MERKLE_H_
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/* Generate a Merkle signature (WOTS signature followed by the Merkle */
-/* authentication path) */
-#define merkle_sign SPX_NAMESPACE(merkle_sign)
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf);
-
-/* Compute the root node of the top-most subtree. */
-#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root)
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx);
-
-#endif /* MERKLE_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/nistapi.h
deleted file mode 100644
index 3cb71afad4..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/nistapi.h
+++ /dev/null
@@ -1,87 +0,0 @@
-#ifndef SPX_API_H
-#define SPX_API_H
-
-#include
-#include
-
-#include "params.h"
-
-#define CRYPTO_ALGNAME "SPHINCS+"
-
-#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES
-#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES
-#define CRYPTO_BYTES SPX_BYTES
-#define CRYPTO_SEEDBYTES (3*SPX_N)
-
-/*
- * Returns the length of a secret key, in bytes
- */
-#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes)
-size_t crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes)
-size_t crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes)
-size_t crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes)
-size_t crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair)
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-#define crypto_sign SPX_NAMESPACE(crypto_sign)
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/params.h
deleted file mode 100644
index 218f392dab..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/params.h
+++ /dev/null
@@ -1,56 +0,0 @@
-#ifndef SPX_PARAMS_H
-#define SPX_PARAMS_H
-
-#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_##s
-
-/* Hash output length in bytes. */
-#define SPX_N 32
-/* Height of the hypertree. */
-#define SPX_FULL_HEIGHT 68
-/* Number of subtree layer. */
-#define SPX_D 17
-/* FORS tree dimensions. */
-#define SPX_FORS_HEIGHT 9
-#define SPX_FORS_TREES 35
-/* Winternitz parameter, */
-#define SPX_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define SPX_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define SPX_WOTS_LOGW 4
-
-#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW)
-
-/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define SPX_WOTS_LEN2 3
-
-#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2)
-#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N)
-#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES
-
-/* Subtree size. */
-#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D)
-
-//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT
-// #error SPX_D should always divide SPX_FULL_HEIGHT
-//#endif
-
-/* FORS parameters. */
-#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8)
-#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N)
-#define SPX_FORS_PK_BYTES SPX_N
-
-/* Resulting SPX sizes. */
-#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\
- SPX_FULL_HEIGHT * SPX_N)
-#define SPX_PK_BYTES (2 * SPX_N)
-#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES)
-
-#include "shake_offsets.h"
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/shake_offsets.h
deleted file mode 100644
index 6b28d95d91..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/shake_offsets.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef SHAKE_OFFSETS_H_
-#define SHAKE_OFFSETS_H_
-
-/*
- * Offsets of various fields in the address structure when we use SHAKE as
- * the Sphincs+ hash function
- */
-
-#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */
-#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */
-#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */
-#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */
-#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */
-#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */
-#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */
-#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */
-#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */
-
-#define SPX_SHAKE 1
-
-#endif /* SHAKE_OFFSETS_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/sign.c
deleted file mode 100644
index 9d0c7d1b22..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/sign.c
+++ /dev/null
@@ -1,286 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "context.h"
-#include "fors.h"
-#include "hash.h"
-#include "merkle.h"
-#include "nistapi.h"
-#include "params.h"
-#include "randombytes.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t crypto_sign_secretkeybytes(void) {
- return CRYPTO_SECRETKEYBYTES;
-}
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t crypto_sign_publickeybytes(void) {
- return CRYPTO_PUBLICKEYBYTES;
-}
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t crypto_sign_bytes(void) {
- return CRYPTO_BYTES;
-}
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t crypto_sign_seedbytes(void) {
- return CRYPTO_SEEDBYTES;
-}
-
-/*
- * Generates an SPX key pair given a seed of length
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed) {
- spx_ctx ctx;
-
- /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */
- memcpy(sk, seed, CRYPTO_SEEDBYTES);
-
- memcpy(pk, sk + 2 * SPX_N, SPX_N);
-
- memcpy(ctx.pub_seed, pk, SPX_N);
- memcpy(ctx.sk_seed, sk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- /* Compute root node of the top-most subtree. */
- merkle_gen_root(sk + 3 * SPX_N, &ctx);
-
- // cleanup
- free_hash_function(&ctx);
-
- memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N);
-
- return 0;
-}
-
-/*
- * Generates an SPX key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seed[CRYPTO_SEEDBYTES];
- randombytes(seed, CRYPTO_SEEDBYTES);
- crypto_sign_seed_keypair(pk, sk, seed);
-
- return 0;
-}
-
-/**
- * Returns an array containing a detached signature.
- */
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- spx_ctx ctx;
-
- const uint8_t *sk_prf = sk + SPX_N;
- const uint8_t *pk = sk + 2 * SPX_N;
-
- uint8_t optrand[SPX_N];
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t root[SPX_N];
- uint32_t i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
-
- memcpy(ctx.sk_seed, sk, SPX_N);
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
-
- /* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
- randombytes(optrand, SPX_N);
- /* Compute the digest randomization value. */
- gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx);
-
- /* Derive the message digest and leaf index from R, PK and M. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- /* Sign the message hash using FORS. */
- fors_sign(sig, root, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf);
- sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- free_hash_function(&ctx);
-
- *siglen = SPX_BYTES;
-
- return 0;
-}
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- spx_ctx ctx;
- const uint8_t *pub_root = pk + SPX_N;
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t wots_pk[SPX_WOTS_BYTES];
- uint8_t root[SPX_N];
- uint8_t leaf[SPX_N];
- unsigned int i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- if (siglen != SPX_BYTES) {
- return -1;
- }
-
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
- set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK);
-
- /* Derive the message digest and leaf index from R || PK || M. */
- /* The additional SPX_N is a result of the hash domain separator. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- /* Layer correctly defaults to 0, so no need to set_layer_addr */
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- /* For each subtree.. */
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- copy_keypair_addr(wots_pk_addr, wots_addr);
-
- /* The WOTS public key is only correct if the signature was correct. */
- /* Initially, root is the FORS pk, but on subsequent iterations it is
- the root of the subtree below the currently processed subtree. */
- wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr);
- sig += SPX_WOTS_BYTES;
-
- /* Compute the leaf node using the WOTS public key. */
- thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr);
-
- /* Compute the root node of this subtree. */
- compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT,
- &ctx, tree_addr);
- sig += SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- // cleanup
- free_hash_function(&ctx);
-
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pub_root, SPX_N) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk) {
- size_t siglen;
-
- crypto_sign_signature(sm, &siglen, m, mlen, sk);
-
- memmove(sm + SPX_BYTES, m, mlen);
- *smlen = siglen + mlen;
-
- return 0;
-}
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk) {
- /* The API caller does not necessarily know what size a signature should be
- but SPHINCS+ signatures are always exactly SPX_BYTES. */
- if (smlen < SPX_BYTES) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- *mlen = smlen - SPX_BYTES;
-
- if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- /* If verification was successful, move the message to the right place. */
- memmove(m, sm + SPX_BYTES, *mlen);
-
- return 0;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash.h
deleted file mode 100644
index 8687ccfb4d..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef SPX_THASH_H
-#define SPX_THASH_H
-
-#include "context.h"
-#include "params.h"
-
-#include
-
-#define thash SPX_NAMESPACE(thash)
-void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash_shake_simplex2.c
deleted file mode 100644
index 892e453690..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash_shake_simplex2.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "thash.h"
-#include "thashx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-#include "f1600x2.h"
-#include "fips202x2.h"
-
-
-void thash(unsigned char *out,
- const unsigned char *in,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t addrx2 [2 * 8] = {
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7],
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7]
- };
- thashx2(out, out, in, in, inblocks, ctx, addrx2);
-}
-
-/**
- * 2-way parallel version of thash; takes 2x as much input and output
- */
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]) {
- if (inblocks == 1 || inblocks == 2) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the twoway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
-
- for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) {
- state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i);
- state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i);
- }
-
- /* Domain separator and padding. */
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f;
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
- } else {
- PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
-
- memcpy(buf0, ctx->pub_seed, SPX_N);
- memcpy(buf1, ctx->pub_seed, SPX_N);
- memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES);
- memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES);
- memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N);
- memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N);
-
- shake256x2(out0, out1, SPX_N,
- buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thashx2.h
deleted file mode 100644
index 040375e618..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thashx2.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef SPX_THASHX2_H
-#define SPX_THASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define thashx2 SPX_NAMESPACE(thashx2)
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.c
deleted file mode 100644
index 177b541fb9..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-
-#include "utils.h"
-
-#include "address.h"
-#include "hash.h"
-#include "params.h"
-#include "thash.h"
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in) {
- int i;
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (i = (signed int)outlen - 1; i >= 0; i--) {
- out[i] = in & 0xff;
- in = in >> 8;
- }
-}
-
-void u32_to_bytes(unsigned char *out, uint32_t in) {
- out[0] = (unsigned char)(in >> 24);
- out[1] = (unsigned char)(in >> 16);
- out[2] = (unsigned char)(in >> 8);
- out[3] = (unsigned char)in;
-}
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) {
- unsigned long long retval = 0;
- unsigned int i;
-
- for (i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i));
- }
- return retval;
-}
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t i;
- unsigned char buffer[2 * SPX_N];
-
- /* If leaf_idx is odd (last bit = 1), current path element is a right child
- and auth_path has to go left. Otherwise it is the other way around. */
- if (leaf_idx & 1) {
- memcpy(buffer + SPX_N, leaf, SPX_N);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- memcpy(buffer, leaf, SPX_N);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
-
- for (i = 0; i < tree_height - 1; i++) {
- leaf_idx >>= 1;
- idx_offset >>= 1;
- /* Set the address of the node we're creating. */
- set_tree_height(addr, i + 1);
- set_tree_index(addr, leaf_idx + idx_offset);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leaf_idx & 1) {
- thash(buffer + SPX_N, buffer, 2, ctx, addr);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- thash(buffer, buffer, 2, ctx, addr);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
- }
-
- /* The last iteration is exceptional; we do not copy an auth_path node. */
- leaf_idx >>= 1;
- idx_offset >>= 1;
- set_tree_height(addr, tree_height);
- set_tree_index(addr, leaf_idx + idx_offset);
- thash(root, buffer, 2, ctx, addr);
-}
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx * /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]) {
- PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N);
- PQCLEAN_VLA(unsigned int, heights, tree_height + 1);
- unsigned int offset = 0;
- uint32_t idx;
- uint32_t tree_idx;
-
- for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) {
- /* Add the next leaf node to the stack. */
- gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr);
- offset++;
- heights[offset - 1] = 0;
-
- /* If this is a node we need for the auth path.. */
- if ((leaf_idx ^ 0x1) == idx) {
- memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N);
- }
-
- /* While the top-most nodes are of equal height.. */
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {
- /* Compute index of the new node, in the next layer. */
- tree_idx = (idx >> (heights[offset - 1] + 1));
-
- /* Set the address of the node we're creating. */
- set_tree_height(tree_addr, heights[offset - 1] + 1);
- set_tree_index(tree_addr,
- tree_idx + (idx_offset >> (heights[offset - 1] + 1)));
- /* Hash the top-most nodes from the stack together. */
- thash(stack + (offset - 2)*SPX_N,
- stack + (offset - 2)*SPX_N, 2, ctx, tree_addr);
- offset--;
- /* Note that the top-most node is now one layer higher. */
- heights[offset - 1]++;
-
- /* If this is a node we need for the auth path.. */
- if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {
- memcpy(auth_path + heights[offset - 1]*SPX_N,
- stack + (offset - 1)*SPX_N, SPX_N);
- }
- }
- }
- memcpy(root, stack, SPX_N);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.h
deleted file mode 100644
index 64f5d5a53a..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.h
+++ /dev/null
@@ -1,58 +0,0 @@
-#ifndef SPX_UTILS_H
-#define SPX_UTILS_H
-
-#include
-
-#include "compat.h"
-#include "context.h"
-#include "params.h"
-
-
-/* To support MSVC use alloca() instead of VLAs. See #20. */
-
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes)
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in);
-#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes)
-void u32_to_bytes(unsigned char *out, uint32_t in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull)
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-#define compute_root SPX_NAMESPACE(compute_root)
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-#define treehash SPX_NAMESPACE(treehash)
-void treehash(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx *ctx /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]);
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.c
deleted file mode 100644
index 8736474e4f..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.c
+++ /dev/null
@@ -1,130 +0,0 @@
-#include
-
-#include "utilsx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-
-/*
- * Generate the entire Merkle tree, computing the authentication path for leaf_idx,
- * and the resulting root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE)
- *
- * This expects tree_addrx2 to be initialized to 2 parallel addr structures for
- * the Merkle tree nodes
- *
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This works by using the standard Merkle tree building algorithm, except
- * that each 'node' tracked is actually 2 consecutive nodes in the real tree.
- * When we combine two logical nodes AB and WX, we perform the H
- * operation on adjacent real nodes, forming the parent logical node
- * (AB)(WX)
- *
- * When we get to the top level of the real tree (where there is only
- * one logical node), we continue this operation one more time; the right
- * most real node will by the actual root (and the other node will be
- * garbage). We follow the same thashx2 logic so that the 'extract
- * authentication path components' part of the loop is still executed (and
- * to simplify the code somewhat)
- */
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset,
- uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx *,
- uint32_t idx, void *info),
- uint32_t tree_addrx2[2 * 8],
- void *info) {
- /* This is where we keep the intermediate nodes */
- unsigned char stackx2[tree_height * 2 * SPX_N];
- uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */
- /* level, the left-most part of the tree isn't at the beginning */
- /* of current[]. These give the offset of the actual start */
-
- uint32_t idx;
- uint32_t max_idx = (1 << (tree_height - 1)) - 1;
- for (idx = 0;; idx++) {
- unsigned char current[2 * SPX_N]; /* Current logical node */
- gen_leafx2( current, ctx, 2 * idx + idx_offset,
- info );
-
- /* Now combine the freshly generated right node with previously */
- /* generated left ones */
- uint32_t internal_idx_offset = idx_offset;
- uint32_t internal_idx = idx;
- uint32_t internal_leaf = leaf_idx;
- uint32_t h; /* The height we are in the Merkle tree */
- for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) {
-
- /* Special processing if we're at the top of the tree */
- if (h >= tree_height - 1) {
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
- /* The tree indexing logic is a bit off in this case */
- /* Adjust it so that the left-most node of the part of */
- /* the tree that we're processing has index 0 */
- prev_left_adj = left_adj;
- left_adj = 2 - (1 << (tree_height - h - 1));
- }
-
- /* Check if we hit the top of the tree */
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
-
- /*
- * Check if one of the nodes we have is a part of the
- * authentication path; if it is, write it out
- */
- if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) {
- memcpy( &auth_path[ h * SPX_N ],
- ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N],
- SPX_N );
- }
-
- /*
- * Check if we're at a left child; if so, stop going up the stack
- * Exception: if we've reached the end of the tree, keep on going
- * (so we combine the last 2 nodes into the one root node in two
- * more iterations)
- */
- if ((internal_idx & 1) == 0 && idx < max_idx) {
- break;
- }
-
- /* Ok, we're at a right node (or doing the top 3 levels) */
- /* Now combine the left and right logical nodes together */
-
- /* Set the address of the node we're creating. */
- int j;
- internal_idx_offset >>= 1;
- for (j = 0; j < 2; j++) {
- set_tree_height(tree_addrx2 + j * 8, h + 1);
- set_tree_index(tree_addrx2 + j * 8,
- (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset );
- }
- unsigned char *left = &stackx2[h * 2 * SPX_N];
- thashx2( ¤t[0 * SPX_N],
- ¤t[1 * SPX_N],
- &left [0 * SPX_N],
- ¤t[0 * SPX_N],
- 2, ctx, tree_addrx2);
- }
-
- /* We've hit a left child; save the current for when we get the */
- /* corresponding right right */
- memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.h
deleted file mode 100644
index e09faddc43..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef SPX_UTILSX2_H
-#define SPX_UTILSX2_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This implementation uses SIMD to compute internal nodes 2 at a time (in
- * parallel)
- */
-#define treehashx2 SPX_NAMESPACE(treehashx2)
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx * /* ctx */,
- uint32_t addr_idx, void *info),
- uint32_t tree_addrx2[2 * 8], void *info);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.c
deleted file mode 100644
index 3babe45e95..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.c
+++ /dev/null
@@ -1,259 +0,0 @@
-#include
-#include
-
-#include "wots.h"
-#include "wotsx2.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes up the chains
- */
-static void gen_chains(
- unsigned char *out,
- const unsigned char *in,
- unsigned int start[SPX_WOTS_LEN],
- const unsigned int steps[SPX_WOTS_LEN],
- const spx_ctx *ctx,
- uint32_t addr[8]) {
- uint32_t i, j, k, idx, watching;
- int done;
- unsigned char empty[SPX_N];
- unsigned char *bufs[4];
- uint32_t addrs[8 * 2];
-
- int l;
- uint16_t counts[SPX_WOTS_W] = { 0 };
- uint16_t idxs[SPX_WOTS_LEN];
- uint16_t total, newTotal;
-
- /* set addrs = {addr, addr} */
- for (j = 0; j < 2; j++) {
- memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8);
- }
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, SPX_WOTS_LEN * SPX_N);
-
- /* Sort the chains in reverse order by steps using counting sort. */
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- counts[steps[i]]++;
- }
- total = 0;
- for (l = SPX_WOTS_W - 1; l >= 0; l--) {
- newTotal = counts[l] + total;
- counts[l] = total;
- total = newTotal;
- }
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- idxs[counts[steps[i]]] = i;
- counts[steps[i]]++;
- }
-
- /* We got our work cut out for us: do it! */
- for (i = 0; i < SPX_WOTS_LEN; i += 2) {
- for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) {
- idx = idxs[i + j];
- set_chain_addr(addrs + j * 8, idx);
- bufs[j] = out + SPX_N * idx;
- }
-
- /* As the chains are sorted in reverse order, we know that the first
- * chain is the longest and the last one is the shortest. We keep
- * an eye on whether the last chain is done and then on the one before,
- * et cetera. */
- watching = 1;
- done = 0;
- while (i + watching >= SPX_WOTS_LEN) {
- bufs[watching] = &empty[0];
- watching--;
- }
-
- for (k = 0;; k++) {
- while (k == steps[idxs[i + watching]]) {
- bufs[watching] = &empty[0];
- if (watching == 0) {
- done = 1;
- break;
- }
- watching--;
- }
- if (done) {
- break;
- }
- for (j = 0; j < watching + 1; j++) {
- set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]);
- }
-
- thashx2(bufs[0], bufs[1],
- bufs[0], bufs[1], 1, ctx, addrs);
- }
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const int out_len,
- const unsigned char *input) {
- int in = 0;
- int out = 0;
- unsigned char total = 0;
- int bits = 0;
- int consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= SPX_WOTS_LOGW;
- output[out] = (total >> bits) & (SPX_WOTS_W - 1);
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w,
- const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < SPX_WOTS_LEN1; i++) {
- csum += SPX_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w. */
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8);
- ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, SPX_WOTS_LEN1, msg);
- wots_checksum(lengths + SPX_WOTS_LEN1, lengths);
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]) {
- unsigned int steps[SPX_WOTS_LEN];
- unsigned int start[SPX_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(start, msg);
-
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- steps[i] = SPX_WOTS_W - 1 - start[i];
- }
-
- gen_chains(pk, sig, start, steps, ctx, addr);
-}
-
-/*
- * This generates 2 sequential WOTS public keys
- * It also generates the WOTS signature if leaf_info indicates
- * that we're signing with one of these WOTS keys
- */
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info) {
- struct leaf_info_x2 *info = v_info;
- uint32_t *leaf_addr = info->leaf_addr;
- uint32_t *pk_addr = info->pk_addr;
- unsigned int i, j, k;
- unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ];
- unsigned wots_offset = SPX_WOTS_BYTES;
- unsigned char *buffer;
- uint32_t wots_k_mask;
- unsigned wots_sign_index;
-
- if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) {
- /* We're traversing the leaf that's signing; generate the WOTS */
- /* signature */
- wots_k_mask = 0;
- wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */
- /* slots do the signatures come from */
- } else {
- /* Nope, we're just generating pk's; turn off the signature logic */
- wots_k_mask = ~0;
- wots_sign_index = 0;
- }
-
- for (j = 0; j < 2; j++) {
- set_keypair_addr( leaf_addr + j * 8, leaf_idx + j );
- set_keypair_addr( pk_addr + j * 8, leaf_idx + j );
- }
-
- for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) {
- uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */
- /* the step if we're generating a signature, ~0 if we're not */
-
- /* Start with the secret seed */
- for (j = 0; j < 2; j++) {
- set_chain_addr(leaf_addr + j * 8, i);
- set_hash_addr(leaf_addr + j * 8, 0);
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF);
- }
- prf_addrx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- ctx, leaf_addr);
- for (j = 0; j < 2; j++) {
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS);
- }
-
- /* Iterate down the WOTS chain */
- for (k = 0;; k++) {
- /* Check if one of the values we have needs to be saved as a */
- /* part of the WOTS signature */
- if (k == wots_k) {
- memcpy( info->wots_sig + i * SPX_N,
- buffer + wots_sign_index * wots_offset, SPX_N );
- }
-
- /* Check if we hit the top of the chain */
- if (k == SPX_WOTS_W - 1) {
- break;
- }
-
- /* Iterate one step on all 4 chains */
- for (j = 0; j < 2; j++) {
- set_hash_addr(leaf_addr + j * 8, k);
- }
- thashx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- 1, ctx, leaf_addr);
- }
- }
-
- /* Do the final thash to generate the public keys */
- thashx2(dest + 0 * SPX_N,
- dest + 1 * SPX_N,
- pk_buffer + 0 * wots_offset,
- pk_buffer + 1 * wots_offset,
- SPX_WOTS_LEN, ctx, pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.h
deleted file mode 100644
index 4e7692eeef..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef SPX_WOTS_H
-#define SPX_WOTS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig)
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/*
- * Compute the chain lengths needed for a given message hash
- */
-#define chain_lengths SPX_NAMESPACE(chain_lengths)
-void chain_lengths(unsigned int *lengths, const unsigned char *msg);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wotsx2.h
deleted file mode 100644
index b58bb61f84..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wotsx2.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef WOTSX2_H_
-#define WOTSX2_H_
-
-#include "params.h"
-#include
-
-/*
- * This is here to provide an interface to the internal wots_gen_leafx2
- * routine. While this routine is not referenced in the package outside of
- * wots.c, it is called from the stand-alone benchmark code to characterize
- * the performance
- */
-struct leaf_info_x2 {
- unsigned char *wots_sig;
- uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */
- uint32_t *wots_steps;
- uint32_t leaf_addr[2 * 8];
- uint32_t pk_addr[2 * 8];
-};
-
-/* Macro to set the leaf_info to something 'benign', that is, it would */
-/* run with the same time as it does during the real signing process */
-/* Used only by the benchmark code */
-#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \
- (info).wots_sig = 0; \
- (info).wots_sign_leaf = ~0; \
- (info).wots_steps = step_buffer; \
- int i; \
- for (i=0; i<2; i++) { \
- memcpy( &(info).leaf_addr[8*i], addr, 32 ); \
- memcpy( &(info).pk_addr[8*i], addr, 32 ); \
- } \
- }
-
-#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2)
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info);
-
-#endif /* WOTSX2_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/LICENSE
deleted file mode 100644
index 670154e353..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@
-CC0 1.0 Universal
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator and
-subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for the
-purpose of contributing to a commons of creative, cultural and scientific
-works ("Commons") that the public can reliably and without fear of later
-claims of infringement build upon, modify, incorporate in other works, reuse
-and redistribute as freely as possible in any form whatsoever and for any
-purposes, including without limitation commercial purposes. These owners may
-contribute to the Commons to promote the ideal of a free culture and the
-further production of creative, cultural and scientific works, or to gain
-reputation or greater distribution for their Work in part through the use and
-efforts of others.
-
-For these and/or other purposes and motivations, and without any expectation
-of additional consideration or compensation, the person associating CC0 with a
-Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
-and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
-and publicly distribute the Work under its terms, with knowledge of his or her
-Copyright and Related Rights in the Work and the meaning and intended legal
-effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not limited
-to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display, communicate,
- and translate a Work;
-
- ii. moral rights retained by the original author(s) and/or performer(s);
-
- iii. publicity and privacy rights pertaining to a person's image or likeness
- depicted in a Work;
-
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
-
- v. rights protecting the extraction, dissemination, use and reuse of data in
- a Work;
-
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation thereof,
- including any amended or successor version of such directive); and
-
- vii. other similar, equivalent or corresponding rights throughout the world
- based on applicable law or treaty, and any national implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention of,
-applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
-unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
-and Related Rights and associated claims and causes of action, whether now
-known or unknown (including existing as well as future claims and causes of
-action), in the Work (i) in all territories worldwide, (ii) for the maximum
-duration provided by applicable law or treaty (including future time
-extensions), (iii) in any current or future medium and for any number of
-copies, and (iv) for any purpose whatsoever, including without limitation
-commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
-the Waiver for the benefit of each member of the public at large and to the
-detriment of Affirmer's heirs and successors, fully intending that such Waiver
-shall not be subject to revocation, rescission, cancellation, termination, or
-any other legal or equitable action to disrupt the quiet enjoyment of the Work
-by the public as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason be
-judged legally invalid or ineffective under applicable law, then the Waiver
-shall be preserved to the maximum extent permitted taking into account
-Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
-is so judged Affirmer hereby grants to each affected person a royalty-free,
-non transferable, non sublicensable, non exclusive, irrevocable and
-unconditional license to exercise Affirmer's Copyright and Related Rights in
-the Work (i) in all territories worldwide, (ii) for the maximum duration
-provided by applicable law or treaty (including future time extensions), (iii)
-in any current or future medium and for any number of copies, and (iv) for any
-purpose whatsoever, including without limitation commercial, advertising or
-promotional purposes (the "License"). The License shall be deemed effective as
-of the date CC0 was applied by Affirmer to the Work. Should any part of the
-License for any reason be judged legally invalid or ineffective under
-applicable law, such partial invalidity or ineffectiveness shall not
-invalidate the remainder of the License, and in such case Affirmer hereby
-affirms that he or she will not (i) exercise any of his or her remaining
-Copyright and Related Rights in the Work or (ii) assert any associated claims
-and causes of action with respect to the Work, in either case contrary to
-Affirmer's express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
-
- b. Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.c
deleted file mode 100644
index b956e9cb29..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.c
+++ /dev/null
@@ -1,91 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Specify which level of Merkle tree (the "layer") we're working on
- */
-void set_layer_addr(uint32_t addr[8], uint32_t layer) {
- ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer;
-}
-
-/*
- * Specify which Merkle tree within the level (the "tree address") we're working on
- */
-void set_tree_addr(uint32_t addr[8], uint64_t tree) {
- ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree );
-}
-
-/*
- * Specify the reason we'll use this address structure for, that is, what
- * hash will we compute with it. This is used so that unrelated types of
- * hashes don't accidentally get the same address structure. The type will be
- * one of the SPX_ADDR_TYPE constants
- */
-void set_type(uint32_t addr[8], uint32_t type) {
- ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type;
-}
-
-/*
- * Copy the layer and tree fields of the address structure. This is used
- * when we're doing multiple types of hashes within the same Merkle tree
- */
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
-}
-
-/* These functions are used for OTS addresses. */
-
-/*
- * Specify which Merkle leaf we're working on; that is, which OTS keypair
- * we're talking about.
- */
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair) {
- ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair;
-}
-
-/*
- * Copy the layer, tree and keypair fields of the address structure. This is
- * used when we're doing multiple things within the same OTS keypair
- */
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) {
- memcpy( out, in, SPX_OFFSET_TREE + 8 );
- ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1];
-}
-
-/*
- * Specify which Merkle chain within the OTS we're working with
- * (the chain address)
- */
-void set_chain_addr(uint32_t addr[8], uint32_t chain) {
- ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain;
-}
-
-/*
- * Specify where in the Merkle chain we are
-* (the hash address)
- */
-void set_hash_addr(uint32_t addr[8], uint32_t hash) {
- ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-/*
- * Specify the height of the node in the Merkle/FORS tree we are in
- * (the tree height)
- */
-void set_tree_height(uint32_t addr[8], uint32_t tree_height) {
- ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height;
-}
-
-/*
- * Specify the distance from the left edge of the node in the Merkle/FORS tree
- * (the tree index)
- */
-void set_tree_index(uint32_t addr[8], uint32_t tree_index) {
- u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.h
deleted file mode 100644
index 24a84eb40c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.h
+++ /dev/null
@@ -1,52 +0,0 @@
-#ifndef SPX_ADDRESS_H
-#define SPX_ADDRESS_H
-
-#include
-
-#include "params.h"
-
-/* The hash types that are passed to set_type */
-#define SPX_ADDR_TYPE_WOTS 0
-#define SPX_ADDR_TYPE_WOTSPK 1
-#define SPX_ADDR_TYPE_HASHTREE 2
-#define SPX_ADDR_TYPE_FORSTREE 3
-#define SPX_ADDR_TYPE_FORSPK 4
-#define SPX_ADDR_TYPE_WOTSPRF 5
-#define SPX_ADDR_TYPE_FORSPRF 6
-
-#define set_layer_addr SPX_NAMESPACE(set_layer_addr)
-void set_layer_addr(uint32_t addr[8], uint32_t layer);
-
-#define set_tree_addr SPX_NAMESPACE(set_tree_addr)
-void set_tree_addr(uint32_t addr[8], uint64_t tree);
-
-#define set_type SPX_NAMESPACE(set_type)
-void set_type(uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr)
-void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr)
-void set_keypair_addr(uint32_t addr[8], uint32_t keypair);
-
-#define set_chain_addr SPX_NAMESPACE(set_chain_addr)
-void set_chain_addr(uint32_t addr[8], uint32_t chain);
-
-#define set_hash_addr SPX_NAMESPACE(set_hash_addr)
-void set_hash_addr(uint32_t addr[8], uint32_t hash);
-
-#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr)
-void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-#define set_tree_height SPX_NAMESPACE(set_tree_height)
-void set_tree_height(uint32_t addr[8], uint32_t tree_height);
-
-#define set_tree_index SPX_NAMESPACE(set_tree_index)
-void set_tree_index(uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/api.h
deleted file mode 100644
index 00b9ae1655..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/api.h
+++ /dev/null
@@ -1,77 +0,0 @@
-#ifndef PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_API_H
-#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_API_H
-
-#include
-#include
-
-#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-256s-simple"
-
-#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 128
-#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 64
-#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_CRYPTO_BYTES 29792
-
-#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_CRYPTO_SEEDBYTES 96
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context.h
deleted file mode 100644
index 6e0a33f3b7..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef SPX_CONTEXT_H
-#define SPX_CONTEXT_H
-
-#include
-
-#include "params.h"
-
-typedef struct {
- uint8_t pub_seed[SPX_N];
- uint8_t sk_seed[SPX_N];
-} spx_ctx;
-
-#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function)
-void initialize_hash_function(spx_ctx *ctx);
-
-#define free_hash_function SPX_NAMESPACE(free_hash_function)
-void free_hash_function(spx_ctx *ctx);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context_shake.c
deleted file mode 100644
index 9614a103d3..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context_shake.c
+++ /dev/null
@@ -1,12 +0,0 @@
-#include "context.h"
-
-/* For SHAKE256, there is no immediate reason to initialize at the start,
- so this function is an empty operation. */
-void initialize_hash_function(spx_ctx *ctx) {
- (void)ctx; /* Suppress an 'unused parameter' warning. */
-}
-
-// in case the hash function api is heap-based.
-void free_hash_function(spx_ctx *ctx) {
- (void)ctx;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.h
deleted file mode 100644
index 70d1af9f14..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef SPX_F1600X2_H
-#define SPX_F1600X2_H
-
-#include
-
-extern uint64_t f1600_RC[24];
-extern void _f1600x2(uint64_t *a, uint64_t *rc);
-
-#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0)
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.s
deleted file mode 100644
index 640ed791ed..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.s
+++ /dev/null
@@ -1,143 +0,0 @@
-# From https://github.com/bwesterb/armed-keccak
-
-.macro round
- # Execute theta, but without xoring into the state yet.
- # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i].
- eor3.16b v25, v0, v5, v10
- eor3.16b v26, v1, v6, v11
- eor3.16b v27, v2, v7, v12
- eor3.16b v28, v3, v8, v13
- eor3.16b v29, v4, v9, v14
-
- eor3.16b v25, v25, v15, v20
- eor3.16b v26, v26, v16, v21
- eor3.16b v27, v27, v17, v22
- eor3.16b v28, v28, v18, v23
- eor3.16b v29, v29, v19, v24
-
- # d[0] = rotl(p[1], 1) ^ p[4]
- rax1.2d v30, v29, v26
- # d[3] = rotl(p[4], 1) ^ p[2]
- rax1.2d v29, v27, v29
- # d[1] = rotl(p[2], 1) ^ p[0]
- rax1.2d v27, v25, v27
- # d[4] = rotl(p[0], 1) ^ p[3]
- rax1.2d v25, v28, v25
- # d[2] = rotl(p[3], 1) ^ p[1]
- rax1.2d v28, v26, v28
-
- # Xor parities from step theta into the state at the same time
- # as executing rho and pi.
- eor.16b v0, v0, v30
- mov.16b v31, v1
- xar.2d v1, v6, v27, 20
- xar.2d v6, v9, v25, 44
- xar.2d v9, v22, v28, 3
- xar.2d v22, v14, v25, 25
- xar.2d v14, v20, v30, 46
- xar.2d v20, v2, v28, 2
- xar.2d v2, v12, v28, 21
- xar.2d v12, v13, v29, 39
- xar.2d v13, v19, v25, 56
- xar.2d v19, v23, v29, 8
- xar.2d v23, v15, v30, 23
- xar.2d v15, v4, v25, 37
- xar.2d v4, v24, v25, 50
- xar.2d v24, v21, v27, 62
- xar.2d v21, v8, v29, 9
- xar.2d v8, v16, v27, 19
- xar.2d v16, v5, v30, 28
- xar.2d v5, v3, v29, 36
- xar.2d v3, v18, v29, 43
- xar.2d v18, v17, v28, 49
- xar.2d v17, v11, v27, 54
- xar.2d v11, v7, v28, 58
- xar.2d v7, v10, v30, 61
- xar.2d v10, v31, v27, 63
-
- # Chi
- bcax.16b v25, v0, v2, v1
- bcax.16b v26, v1, v3, v2
- bcax.16b v2, v2, v4, v3
- bcax.16b v3, v3, v0, v4
- bcax.16b v4, v4, v1, v0
- mov.16b v0, v25
- mov.16b v1, v26
-
- bcax.16b v25, v5, v7, v6
- bcax.16b v26, v6, v8, v7
- bcax.16b v7, v7, v9, v8
- bcax.16b v8, v8, v5, v9
- bcax.16b v9, v9, v6, v5
- mov.16b v5, v25
- mov.16b v6, v26
-
- bcax.16b v25, v10, v12, v11
- bcax.16b v26, v11, v13, v12
- bcax.16b v12, v12, v14, v13
- bcax.16b v13, v13, v10, v14
- bcax.16b v14, v14, v11, v10
- mov.16b v10, v25
- mov.16b v11, v26
-
- bcax.16b v25, v15, v17, v16
- bcax.16b v26, v16, v18, v17
- bcax.16b v17, v17, v19, v18
- bcax.16b v18, v18, v15, v19
- bcax.16b v19, v19, v16, v15
- mov.16b v15, v25
- mov.16b v16, v26
-
- bcax.16b v25, v20, v22, v21
- bcax.16b v26, v21, v23, v22
- bcax.16b v22, v22, v24, v23
- bcax.16b v23, v23, v20, v24
- bcax.16b v24, v24, v21, v20
- mov.16b v20, v25
- mov.16b v21, v26
-
- # iota
- ld1r {v25.2d}, [x1], #8
- eor.16b v0, v0, v25
-.endm
-
-.align 4
-.global __f1600x2
-__f1600x2:
- stp d8, d9, [sp,#-16]!
- stp d10, d11, [sp,#-16]!
- stp d12, d13, [sp,#-16]!
- stp d14, d15, [sp,#-16]!
-
- mov x2, x0
- mov x3, #24
-
- ld1.2d {v0, v1, v2, v3}, [x0], #64
- ld1.2d {v4, v5, v6, v7}, [x0], #64
- ld1.2d {v8, v9, v10, v11}, [x0], #64
- ld1.2d {v12, v13, v14, v15}, [x0], #64
- ld1.2d {v16, v17, v18, v19}, [x0], #64
- ld1.2d {v20, v21, v22, v23}, [x0], #64
- ld1.2d {v24}, [x0]
-
-loop:
- round
-
- subs x3, x3, #1
- cbnz x3, loop
-
- mov x0, x2
- st1.2d {v0, v1, v2, v3}, [x0], #64
- st1.2d {v4, v5, v6, v7}, [x0], #64
- st1.2d {v8, v9, v10, v11}, [x0], #64
- st1.2d {v12, v13, v14, v15}, [x0], #64
- st1.2d {v16, v17, v18, v19}, [x0], #64
- st1.2d {v20, v21, v22, v23}, [x0], #64
- st1.2d {v24}, [x0]
-
- ldp d14, d15, [sp], #16
- ldp d12, d13, [sp], #16
- ldp d10, d11, [sp], #16
- ldp d8, d9, [sp], #16
-
- ret lr
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2_const.c
deleted file mode 100644
index e49c0ba149..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2_const.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "f1600x2.h"
-
-uint64_t f1600_RC[24] = {
- 0x0000000000000001,
- 0x0000000000008082,
- 0x800000000000808A,
- 0x8000000080008000,
- 0x000000000000808B,
- 0x0000000080000001,
- 0x8000000080008081,
- 0x8000000000008009,
- 0x000000000000008A,
- 0x0000000000000088,
- 0x0000000080008009,
- 0x000000008000000A,
- 0x000000008000808B,
- 0x800000000000008B,
- 0x8000000000008089,
- 0x8000000000008003,
- 0x8000000000008002,
- 0x8000000000000080,
- 0x000000000000800A,
- 0x800000008000000A,
- 0x8000000080008081,
- 0x8000000000008080,
- 0x0000000080000001,
- 0x8000000080008008,
-};
-
-
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.c
deleted file mode 100644
index 4718c343bc..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-#include
-
-#include "fips202x2.h"
-#include "f1600x2.h"
-#include "fips202.h"
-
-uint64_t load64(const unsigned char *x) {
- unsigned long long r = 0, i;
-
- for (i = 0; i < 8; ++i) {
- r |= (unsigned long long)x[i] << 8 * i;
- }
- return r;
-}
-
-void store64(uint8_t *x, uint64_t u) {
- unsigned int i;
-
- for (i = 0; i < 8; ++i) {
- x[i] = (uint8_t)u;
- u >>= 8;
- }
-}
-
-static void keccak_absorb2x(uint64_t *s,
- unsigned int r,
- const unsigned char *m0,
- const unsigned char *m1,
- unsigned long long int mlen,
- unsigned char p) {
- unsigned long long i;
- unsigned char t0[200];
- unsigned char t1[200];
-
- while (mlen >= r) {
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(m0 + 8 * i);
- s[2 * i + 1] ^= load64(m1 + 8 * i);
- }
-
- f1600x2(s);
- mlen -= r;
- m0 += r;
- m1 += r;
- }
-
- for (i = 0; i < r; ++i) {
- t0[i] = 0;
- t1[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t0[i] = m0[i];
- t1[i] = m1[i];
- }
-
- t0[i] = p;
- t1[i] = p;
-
- t0[r - 1] |= 128;
- t1[r - 1] |= 128;
-
- for (i = 0; i < r / 8; ++i) {
- s[2 * i + 0] ^= load64(t0 + 8 * i);
- s[2 * i + 1] ^= load64(t1 + 8 * i);
- }
-}
-
-
-static void keccak_squeezeblocks2x(unsigned char *h0,
- unsigned char *h1,
- unsigned long long int nblocks,
- uint64_t *s,
- unsigned int r) {
- unsigned int i;
-
- while (nblocks > 0) {
- f1600x2(s);
- for (i = 0; i < (r >> 3); i++) {
- store64(h0 + 8 * i, s[2 * i + 0]);
- store64(h1 + 8 * i, s[2 * i + 1]);
- }
- h0 += r;
- h1 += r;
- nblocks--;
- }
-}
-
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE128_RATE];
- unsigned char t1[SHAKE128_RATE];
- unsigned int i;
-
- /* absorb 4 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE);
-
- out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
- out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
-
- if (outlen % SHAKE128_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE);
- for (i = 0; i < outlen % SHAKE128_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
-
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen) {
- uint64_t s[50] = {0};
- unsigned char t0[SHAKE256_RATE];
- unsigned char t1[SHAKE256_RATE];
- unsigned int i;
-
- /* absorb 2 message of identical length in parallel */
- keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F);
-
- /* Squeeze output */
- keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE);
-
- out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
- out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
-
- if (outlen % SHAKE256_RATE) {
- keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE);
- for (i = 0; i < outlen % SHAKE256_RATE; i++) {
- out0[i] = t0[i];
- out1[i] = t1[i];
- }
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.h
deleted file mode 100644
index 7ba58b35d8..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef SPX_FIPS202X2_H
-#define SPX_FIPS202X2_H
-
-#include
-
-uint64_t load64(const unsigned char *x);
-void store64(uint8_t *x, uint64_t u);
-
-
-void shake128x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-void shake256x2(unsigned char *out0,
- unsigned char *out1,
- unsigned long long outlen,
- unsigned char *in0,
- unsigned char *in1,
- unsigned long long inlen);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.c
deleted file mode 100644
index 39193d04e2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.c
+++ /dev/null
@@ -1,191 +0,0 @@
-#include
-#include
-#include
-
-#include "fors.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "thash.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- prf_addr(sk, ctx, fors_leaf_addr);
-}
-
-static void fors_gen_skx2(unsigned char *sk0,
- unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- prf_addrx2(sk0, sk1,
- ctx, fors_leaf_addrx2);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addr[8]) {
- thash(leaf, sk, 1, ctx, fors_leaf_addr);
-}
-
-static void fors_sk_to_leafx2(unsigned char *leaf0,
- unsigned char *leaf1,
- const unsigned char *sk0,
- const unsigned char *sk1,
- const spx_ctx *ctx,
- uint32_t fors_leaf_addrx2[2 * 8]) {
- thashx2(leaf0, leaf1,
- sk0, sk1,
- 1, ctx, fors_leaf_addrx2);
-}
-
-struct fors_gen_leaf_info {
- uint32_t leaf_addrx[2 * 8];
-};
-
-static void fors_gen_leafx2(unsigned char *leaf,
- const spx_ctx *ctx,
- uint32_t addr_idx, void *info) {
- struct fors_gen_leaf_info *fors_info = info;
- uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx;
- unsigned int j;
-
- /* Only set the parts that the caller doesn't set */
- for (j = 0; j < 2; j++) {
- set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j);
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF);
- }
-
- fors_gen_skx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-
- for (j = 0; j < 2; j++) {
- set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE);
- }
-
- fors_sk_to_leafx2(leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- leaf + 0 * SPX_N,
- leaf + 1 * SPX_N,
- ctx, fors_leaf_addrx2);
-}
-
-/**
- * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- * Assumes indices has space for SPX_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < SPX_FORS_HEIGHT; j++) {
- indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j);
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- uint32_t fors_tree_addr[2 * 8] = {0};
- struct fors_gen_leaf_info fors_info = {0};
- uint32_t *fors_leaf_addr = fors_info.leaf_addrx;
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- for (i = 0; i < 2; i++) {
- copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr);
- set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE);
- copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr);
- }
- copy_keypair_addr(fors_pk_addr, fors_addr);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Include the secret key part that produces the selected leaf node. */
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF);
- fors_gen_sk(sig, ctx, fors_tree_addr);
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- sig += SPX_N;
-
- /* Compute the authentication path for this leaf node. */
- treehashx2(roots + i * SPX_N, sig, ctx,
- indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2,
- fors_tree_addr, &fors_info);
-
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]) {
- uint32_t indices[SPX_FORS_TREES];
- unsigned char roots[SPX_FORS_TREES * SPX_N];
- unsigned char leaf[SPX_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- copy_keypair_addr(fors_tree_addr, fors_addr);
- copy_keypair_addr(fors_pk_addr, fors_addr);
-
- set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);
- set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < SPX_FORS_TREES; i++) {
- idx_offset = i * (1 << SPX_FORS_HEIGHT);
-
- set_tree_height(fors_tree_addr, 0);
- set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr);
- sig += SPX_N;
-
- /* Derive the corresponding root node of this tree. */
- compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset,
- sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr);
- sig += SPX_N * SPX_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.h
deleted file mode 100644
index 509140a178..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef SPX_FORS_H
-#define SPX_FORS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_sign SPX_NAMESPACE(fors_sign)
-void fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
- */
-#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig)
-void fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const spx_ctx *ctx,
- const uint32_t fors_addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash.h
deleted file mode 100644
index f7c87d4c3c..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef SPX_HASH_H
-#define SPX_HASH_H
-
-#include
-#include
-
-#include "context.h"
-#include "params.h"
-
-#define prf_addr SPX_NAMESPACE(prf_addr)
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]);
-
-#define gen_message_random SPX_NAMESPACE(gen_message_random)
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-#define hash_message SPX_NAMESPACE(hash_message)
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx);
-
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shake.c
deleted file mode 100644
index ff5e7ec918..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shake.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "hash.h"
-
-#include "address.h"
-#include "fips202.h"
-#include "params.h"
-#include "utils.h"
-
-/*
- * Computes PRF(pk_seed, sk_seed, addr)
- */
-void prf_addr(unsigned char *out, const spx_ctx *ctx,
- const uint32_t addr[8]) {
- unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES];
-
- memcpy(buf, ctx->pub_seed, SPX_N);
- memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES);
- memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N);
-
- shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void gen_message_random(unsigned char *R, const unsigned char *sk_prf,
- const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, sk_prf, SPX_N);
- shake256_inc_absorb(&s_inc, optrand, SPX_N);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(R, SPX_N, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const spx_ctx *ctx) {
- (void)ctx;
-#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1))
-#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8)
-#define SPX_LEAF_BITS SPX_TREE_HEIGHT
-#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8)
-#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES)
-
- unsigned char buf[SPX_DGST_BYTES];
- unsigned char *bufp = buf;
- shake256incctx s_inc;
-
- shake256_inc_init(&s_inc);
- shake256_inc_absorb(&s_inc, R, SPX_N);
- shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES);
- shake256_inc_absorb(&s_inc, m, mlen);
- shake256_inc_finalize(&s_inc);
- shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc);
- shake256_inc_ctx_release(&s_inc);
-
- memcpy(digest, bufp, SPX_FORS_MSG_BYTES);
- bufp += SPX_FORS_MSG_BYTES;
-
-
- *tree = bytes_to_ull(bufp, SPX_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS);
- bufp += SPX_TREE_BYTES;
-
- *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shakex2.c
deleted file mode 100644
index 99571916a2..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shakex2.c
+++ /dev/null
@@ -1,52 +0,0 @@
-#include
-#include
-
-#include "hashx2.h"
-
-#include "address.h"
-#include "f1600x2.h"
-#include "fips202x2.h"
-#include "params.h"
-
-/*
- * 2-way parallel version of prf_addr; takes 2x as much input and output
- */
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the fourway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
-
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->sk_seed + 8 * i);
- state[2 * (SPX_N / 8 + i + 4)] = x;
- state[2 * (SPX_N / 8 + i + 4) + 1] = x;
- }
-
- /* SHAKE domain separator and padding. */
- state[2 * (SPX_N / 4 + 4)] = 0x1f;
- state[2 * (SPX_N / 4 + 4) + 1] = 0x1f;
-
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hashx2.h
deleted file mode 100644
index 99b8873a9b..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hashx2.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef SPX_HASHX2_H
-#define SPX_HASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define prf_addrx2 SPX_NAMESPACE(prf_addrx2)
-void prf_addrx2(unsigned char *out0,
- unsigned char *out1,
- const spx_ctx *ctx,
- const uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.c
deleted file mode 100644
index c94ee23939..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include
-#include
-
-#include "merkle.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-#include "utilsx2.h"
-#include "wots.h"
-#include "wotsx2.h"
-
-/*
- * This generates a Merkle signature (WOTS signature followed by the Merkle
- * authentication path).
- */
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf) {
- unsigned char *auth_path = sig + SPX_WOTS_BYTES;
- uint32_t tree_addrx2[2 * 8] = { 0 };
- int j;
- struct leaf_info_x2 info = { 0 };
- unsigned steps[ SPX_WOTS_LEN ];
-
- info.wots_sig = sig;
- chain_lengths(steps, root);
- info.wots_steps = steps;
-
- for (j = 0; j < 2; j++) {
- set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE);
- set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS);
- set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK);
- copy_subtree_addr(&tree_addrx2[8 * j], tree_addr);
- copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr);
- copy_subtree_addr(&info.pk_addr[8 * j], wots_addr);
- }
-
- info.wots_sign_leaf = idx_leaf;
-
- treehashx2(root, auth_path, ctx,
- idx_leaf, 0,
- SPX_TREE_HEIGHT,
- wots_gen_leafx2,
- tree_addrx2, &info);
-}
-
-/* Compute root node of the top-most subtree. */
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) {
- /* We do not need the auth path in key generation, but it simplifies the
- code to have just one treehash routine that computes both root and path
- in one function. */
- unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES];
- uint32_t top_tree_addr[8] = {0};
- uint32_t wots_addr[8] = {0};
-
- set_layer_addr(top_tree_addr, SPX_D - 1);
- set_layer_addr(wots_addr, SPX_D - 1);
-
- merkle_sign(auth_path, root, ctx,
- wots_addr, top_tree_addr,
- ~0 /* ~0 means "don't bother generating an auth path */ );
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.h
deleted file mode 100644
index 769cf2e970..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef MERKLE_H_
-#define MERKLE_H_
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/* Generate a Merkle signature (WOTS signature followed by the Merkle */
-/* authentication path) */
-#define merkle_sign SPX_NAMESPACE(merkle_sign)
-void merkle_sign(uint8_t *sig, unsigned char *root,
- const spx_ctx *ctx,
- uint32_t wots_addr[8], uint32_t tree_addr[8],
- uint32_t idx_leaf);
-
-/* Compute the root node of the top-most subtree. */
-#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root)
-void merkle_gen_root(unsigned char *root, const spx_ctx *ctx);
-
-#endif /* MERKLE_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/nistapi.h
deleted file mode 100644
index 3cb71afad4..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/nistapi.h
+++ /dev/null
@@ -1,87 +0,0 @@
-#ifndef SPX_API_H
-#define SPX_API_H
-
-#include
-#include
-
-#include "params.h"
-
-#define CRYPTO_ALGNAME "SPHINCS+"
-
-#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES
-#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES
-#define CRYPTO_BYTES SPX_BYTES
-#define CRYPTO_SEEDBYTES (3*SPX_N)
-
-/*
- * Returns the length of a secret key, in bytes
- */
-#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes)
-size_t crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes)
-size_t crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes)
-size_t crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes)
-size_t crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair)
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-#define crypto_sign SPX_NAMESPACE(crypto_sign)
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/params.h
deleted file mode 100644
index 3541803381..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/params.h
+++ /dev/null
@@ -1,56 +0,0 @@
-#ifndef SPX_PARAMS_H
-#define SPX_PARAMS_H
-
-#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_##s
-
-/* Hash output length in bytes. */
-#define SPX_N 32
-/* Height of the hypertree. */
-#define SPX_FULL_HEIGHT 64
-/* Number of subtree layer. */
-#define SPX_D 8
-/* FORS tree dimensions. */
-#define SPX_FORS_HEIGHT 14
-#define SPX_FORS_TREES 22
-/* Winternitz parameter, */
-#define SPX_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define SPX_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define SPX_WOTS_LOGW 4
-
-#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW)
-
-/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define SPX_WOTS_LEN2 3
-
-#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2)
-#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N)
-#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES
-
-/* Subtree size. */
-#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D)
-
-//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT
-// #error SPX_D should always divide SPX_FULL_HEIGHT
-//#endif
-
-/* FORS parameters. */
-#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8)
-#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N)
-#define SPX_FORS_PK_BYTES SPX_N
-
-/* Resulting SPX sizes. */
-#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\
- SPX_FULL_HEIGHT * SPX_N)
-#define SPX_PK_BYTES (2 * SPX_N)
-#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES)
-
-#include "shake_offsets.h"
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/shake_offsets.h
deleted file mode 100644
index 6b28d95d91..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/shake_offsets.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef SHAKE_OFFSETS_H_
-#define SHAKE_OFFSETS_H_
-
-/*
- * Offsets of various fields in the address structure when we use SHAKE as
- * the Sphincs+ hash function
- */
-
-#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */
-#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */
-#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */
-#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */
-#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */
-#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */
-#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */
-#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */
-#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */
-
-#define SPX_SHAKE 1
-
-#endif /* SHAKE_OFFSETS_H_ */
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/sign.c
deleted file mode 100644
index 9d0c7d1b22..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/sign.c
+++ /dev/null
@@ -1,286 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "context.h"
-#include "fors.h"
-#include "hash.h"
-#include "merkle.h"
-#include "nistapi.h"
-#include "params.h"
-#include "randombytes.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t crypto_sign_secretkeybytes(void) {
- return CRYPTO_SECRETKEYBYTES;
-}
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t crypto_sign_publickeybytes(void) {
- return CRYPTO_PUBLICKEYBYTES;
-}
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t crypto_sign_bytes(void) {
- return CRYPTO_BYTES;
-}
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t crypto_sign_seedbytes(void) {
- return CRYPTO_SEEDBYTES;
-}
-
-/*
- * Generates an SPX key pair given a seed of length
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk,
- const uint8_t *seed) {
- spx_ctx ctx;
-
- /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */
- memcpy(sk, seed, CRYPTO_SEEDBYTES);
-
- memcpy(pk, sk + 2 * SPX_N, SPX_N);
-
- memcpy(ctx.pub_seed, pk, SPX_N);
- memcpy(ctx.sk_seed, sk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- /* Compute root node of the top-most subtree. */
- merkle_gen_root(sk + 3 * SPX_N, &ctx);
-
- // cleanup
- free_hash_function(&ctx);
-
- memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N);
-
- return 0;
-}
-
-/*
- * Generates an SPX key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seed[CRYPTO_SEEDBYTES];
- randombytes(seed, CRYPTO_SEEDBYTES);
- crypto_sign_seed_keypair(pk, sk, seed);
-
- return 0;
-}
-
-/**
- * Returns an array containing a detached signature.
- */
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- spx_ctx ctx;
-
- const uint8_t *sk_prf = sk + SPX_N;
- const uint8_t *pk = sk + 2 * SPX_N;
-
- uint8_t optrand[SPX_N];
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t root[SPX_N];
- uint32_t i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
-
- memcpy(ctx.sk_seed, sk, SPX_N);
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
-
- /* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
- randombytes(optrand, SPX_N);
- /* Compute the digest randomization value. */
- gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx);
-
- /* Derive the message digest and leaf index from R, PK and M. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- /* Sign the message hash using FORS. */
- fors_sign(sig, root, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf);
- sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- free_hash_function(&ctx);
-
- *siglen = SPX_BYTES;
-
- return 0;
-}
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- spx_ctx ctx;
- const uint8_t *pub_root = pk + SPX_N;
- uint8_t mhash[SPX_FORS_MSG_BYTES];
- uint8_t wots_pk[SPX_WOTS_BYTES];
- uint8_t root[SPX_N];
- uint8_t leaf[SPX_N];
- unsigned int i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- if (siglen != SPX_BYTES) {
- return -1;
- }
-
- memcpy(ctx.pub_seed, pk, SPX_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- initialize_hash_function(&ctx);
-
- set_type(wots_addr, SPX_ADDR_TYPE_WOTS);
- set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE);
- set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK);
-
- /* Derive the message digest and leaf index from R || PK || M. */
- /* The additional SPX_N is a result of the hash domain separator. */
- hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx);
- sig += SPX_N;
-
- /* Layer correctly defaults to 0, so no need to set_layer_addr */
- set_tree_addr(wots_addr, tree);
- set_keypair_addr(wots_addr, idx_leaf);
-
- fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr);
- sig += SPX_FORS_BYTES;
-
- /* For each subtree.. */
- for (i = 0; i < SPX_D; i++) {
- set_layer_addr(tree_addr, i);
- set_tree_addr(tree_addr, tree);
-
- copy_subtree_addr(wots_addr, tree_addr);
- set_keypair_addr(wots_addr, idx_leaf);
-
- copy_keypair_addr(wots_pk_addr, wots_addr);
-
- /* The WOTS public key is only correct if the signature was correct. */
- /* Initially, root is the FORS pk, but on subsequent iterations it is
- the root of the subtree below the currently processed subtree. */
- wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr);
- sig += SPX_WOTS_BYTES;
-
- /* Compute the leaf node using the WOTS public key. */
- thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr);
-
- /* Compute the root node of this subtree. */
- compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT,
- &ctx, tree_addr);
- sig += SPX_TREE_HEIGHT * SPX_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));
- tree = tree >> SPX_TREE_HEIGHT;
- }
-
- // cleanup
- free_hash_function(&ctx);
-
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pub_root, SPX_N) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk) {
- size_t siglen;
-
- crypto_sign_signature(sm, &siglen, m, mlen, sk);
-
- memmove(sm + SPX_BYTES, m, mlen);
- *smlen = siglen + mlen;
-
- return 0;
-}
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk) {
- /* The API caller does not necessarily know what size a signature should be
- but SPHINCS+ signatures are always exactly SPX_BYTES. */
- if (smlen < SPX_BYTES) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- *mlen = smlen - SPX_BYTES;
-
- if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- /* If verification was successful, move the message to the right place. */
- memmove(m, sm + SPX_BYTES, *mlen);
-
- return 0;
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash.h
deleted file mode 100644
index 8687ccfb4d..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef SPX_THASH_H
-#define SPX_THASH_H
-
-#include "context.h"
-#include "params.h"
-
-#include
-
-#define thash SPX_NAMESPACE(thash)
-void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash_shake_simplex2.c
deleted file mode 100644
index 892e453690..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash_shake_simplex2.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "thash.h"
-#include "thashx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-#include "f1600x2.h"
-#include "fips202x2.h"
-
-
-void thash(unsigned char *out,
- const unsigned char *in,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t addrx2 [2 * 8] = {
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7],
- addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7]
- };
- thashx2(out, out, in, in, inblocks, ctx, addrx2);
-}
-
-/**
- * 2-way parallel version of thash; takes 2x as much input and output
- */
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]) {
- if (inblocks == 1 || inblocks == 2) {
- /* As we write and read only a few quadwords, it is more efficient to
- * build and extract from the twoway SHAKE256 state by hand. */
- uint64_t state[50] = {0};
- for (int i = 0; i < SPX_N / 8; i++) {
- uint64_t x = load64(ctx->pub_seed + 8 * i);
- state[2 * i] = x;
- state[2 * i + 1] = x;
- }
- for (int i = 0; i < 4; i++) {
- state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32)
- | (uint64_t)addrx2[2 * i];
- state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32)
- | (uint64_t)addrx2[8 + 2 * i];
- }
-
- for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) {
- state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i);
- state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i);
- }
-
- /* Domain separator and padding. */
- state[2 * 16] = 0x80ULL << 56;
- state[2 * 16 + 1] = 0x80ULL << 56;
-
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f;
- state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f;
-
- f1600x2(state);
-
- for (int i = 0; i < SPX_N / 8; i++) {
- store64(out0 + 8 * i, state[2 * i]);
- store64(out1 + 8 * i, state[2 * i + 1]);
- }
- } else {
- PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
-
- memcpy(buf0, ctx->pub_seed, SPX_N);
- memcpy(buf1, ctx->pub_seed, SPX_N);
- memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES);
- memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES);
- memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N);
- memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N);
-
- shake256x2(out0, out1, SPX_N,
- buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thashx2.h
deleted file mode 100644
index 040375e618..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thashx2.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef SPX_THASHX2_H
-#define SPX_THASHX2_H
-
-#include "context.h"
-#include "params.h"
-#include
-
-#define thashx2 SPX_NAMESPACE(thashx2)
-void thashx2(unsigned char *out0,
- unsigned char *out1,
- const unsigned char *in0,
- const unsigned char *in1,
- unsigned int inblocks,
- const spx_ctx *ctx, uint32_t addrx2[2 * 8]);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.c
deleted file mode 100644
index 177b541fb9..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.c
+++ /dev/null
@@ -1,148 +0,0 @@
-#include
-
-#include "utils.h"
-
-#include "address.h"
-#include "hash.h"
-#include "params.h"
-#include "thash.h"
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in) {
- int i;
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (i = (signed int)outlen - 1; i >= 0; i--) {
- out[i] = in & 0xff;
- in = in >> 8;
- }
-}
-
-void u32_to_bytes(unsigned char *out, uint32_t in) {
- out[0] = (unsigned char)(in >> 24);
- out[1] = (unsigned char)(in >> 16);
- out[2] = (unsigned char)(in >> 8);
- out[3] = (unsigned char)in;
-}
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) {
- unsigned long long retval = 0;
- unsigned int i;
-
- for (i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i));
- }
- return retval;
-}
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]) {
- uint32_t i;
- unsigned char buffer[2 * SPX_N];
-
- /* If leaf_idx is odd (last bit = 1), current path element is a right child
- and auth_path has to go left. Otherwise it is the other way around. */
- if (leaf_idx & 1) {
- memcpy(buffer + SPX_N, leaf, SPX_N);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- memcpy(buffer, leaf, SPX_N);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
-
- for (i = 0; i < tree_height - 1; i++) {
- leaf_idx >>= 1;
- idx_offset >>= 1;
- /* Set the address of the node we're creating. */
- set_tree_height(addr, i + 1);
- set_tree_index(addr, leaf_idx + idx_offset);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leaf_idx & 1) {
- thash(buffer + SPX_N, buffer, 2, ctx, addr);
- memcpy(buffer, auth_path, SPX_N);
- } else {
- thash(buffer, buffer, 2, ctx, addr);
- memcpy(buffer + SPX_N, auth_path, SPX_N);
- }
- auth_path += SPX_N;
- }
-
- /* The last iteration is exceptional; we do not copy an auth_path node. */
- leaf_idx >>= 1;
- idx_offset >>= 1;
- set_tree_height(addr, tree_height);
- set_tree_index(addr, leaf_idx + idx_offset);
- thash(root, buffer, 2, ctx, addr);
-}
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx * /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]) {
- PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N);
- PQCLEAN_VLA(unsigned int, heights, tree_height + 1);
- unsigned int offset = 0;
- uint32_t idx;
- uint32_t tree_idx;
-
- for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) {
- /* Add the next leaf node to the stack. */
- gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr);
- offset++;
- heights[offset - 1] = 0;
-
- /* If this is a node we need for the auth path.. */
- if ((leaf_idx ^ 0x1) == idx) {
- memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N);
- }
-
- /* While the top-most nodes are of equal height.. */
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {
- /* Compute index of the new node, in the next layer. */
- tree_idx = (idx >> (heights[offset - 1] + 1));
-
- /* Set the address of the node we're creating. */
- set_tree_height(tree_addr, heights[offset - 1] + 1);
- set_tree_index(tree_addr,
- tree_idx + (idx_offset >> (heights[offset - 1] + 1)));
- /* Hash the top-most nodes from the stack together. */
- thash(stack + (offset - 2)*SPX_N,
- stack + (offset - 2)*SPX_N, 2, ctx, tree_addr);
- offset--;
- /* Note that the top-most node is now one layer higher. */
- heights[offset - 1]++;
-
- /* If this is a node we need for the auth path.. */
- if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {
- memcpy(auth_path + heights[offset - 1]*SPX_N,
- stack + (offset - 1)*SPX_N, SPX_N);
- }
- }
- }
- memcpy(root, stack, SPX_N);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.h
deleted file mode 100644
index 64f5d5a53a..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.h
+++ /dev/null
@@ -1,58 +0,0 @@
-#ifndef SPX_UTILS_H
-#define SPX_UTILS_H
-
-#include
-
-#include "compat.h"
-#include "context.h"
-#include "params.h"
-
-
-/* To support MSVC use alloca() instead of VLAs. See #20. */
-
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes)
-void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in);
-#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes)
-void u32_to_bytes(unsigned char *out, uint32_t in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull)
-unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-#define compute_root SPX_NAMESPACE(compute_root)
-void compute_root(unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-#define treehash SPX_NAMESPACE(treehash)
-void treehash(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const spx_ctx *ctx /* ctx */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */),
- uint32_t tree_addr[8]);
-
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.c
deleted file mode 100644
index 8736474e4f..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.c
+++ /dev/null
@@ -1,130 +0,0 @@
-#include
-
-#include "utilsx2.h"
-
-#include "address.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-
-/*
- * Generate the entire Merkle tree, computing the authentication path for leaf_idx,
- * and the resulting root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE)
- *
- * This expects tree_addrx2 to be initialized to 2 parallel addr structures for
- * the Merkle tree nodes
- *
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This works by using the standard Merkle tree building algorithm, except
- * that each 'node' tracked is actually 2 consecutive nodes in the real tree.
- * When we combine two logical nodes AB and WX, we perform the H
- * operation on adjacent real nodes, forming the parent logical node
- * (AB)(WX)
- *
- * When we get to the top level of the real tree (where there is only
- * one logical node), we continue this operation one more time; the right
- * most real node will by the actual root (and the other node will be
- * garbage). We follow the same thashx2 logic so that the 'extract
- * authentication path components' part of the loop is still executed (and
- * to simplify the code somewhat)
- */
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset,
- uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx *,
- uint32_t idx, void *info),
- uint32_t tree_addrx2[2 * 8],
- void *info) {
- /* This is where we keep the intermediate nodes */
- unsigned char stackx2[tree_height * 2 * SPX_N];
- uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */
- /* level, the left-most part of the tree isn't at the beginning */
- /* of current[]. These give the offset of the actual start */
-
- uint32_t idx;
- uint32_t max_idx = (1 << (tree_height - 1)) - 1;
- for (idx = 0;; idx++) {
- unsigned char current[2 * SPX_N]; /* Current logical node */
- gen_leafx2( current, ctx, 2 * idx + idx_offset,
- info );
-
- /* Now combine the freshly generated right node with previously */
- /* generated left ones */
- uint32_t internal_idx_offset = idx_offset;
- uint32_t internal_idx = idx;
- uint32_t internal_leaf = leaf_idx;
- uint32_t h; /* The height we are in the Merkle tree */
- for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) {
-
- /* Special processing if we're at the top of the tree */
- if (h >= tree_height - 1) {
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
- /* The tree indexing logic is a bit off in this case */
- /* Adjust it so that the left-most node of the part of */
- /* the tree that we're processing has index 0 */
- prev_left_adj = left_adj;
- left_adj = 2 - (1 << (tree_height - h - 1));
- }
-
- /* Check if we hit the top of the tree */
- if (h == tree_height) {
- /* We hit the root; return it */
- memcpy( root, ¤t[1 * SPX_N], SPX_N );
- return;
- }
-
- /*
- * Check if one of the nodes we have is a part of the
- * authentication path; if it is, write it out
- */
- if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) {
- memcpy( &auth_path[ h * SPX_N ],
- ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N],
- SPX_N );
- }
-
- /*
- * Check if we're at a left child; if so, stop going up the stack
- * Exception: if we've reached the end of the tree, keep on going
- * (so we combine the last 2 nodes into the one root node in two
- * more iterations)
- */
- if ((internal_idx & 1) == 0 && idx < max_idx) {
- break;
- }
-
- /* Ok, we're at a right node (or doing the top 3 levels) */
- /* Now combine the left and right logical nodes together */
-
- /* Set the address of the node we're creating. */
- int j;
- internal_idx_offset >>= 1;
- for (j = 0; j < 2; j++) {
- set_tree_height(tree_addrx2 + j * 8, h + 1);
- set_tree_index(tree_addrx2 + j * 8,
- (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset );
- }
- unsigned char *left = &stackx2[h * 2 * SPX_N];
- thashx2( ¤t[0 * SPX_N],
- ¤t[1 * SPX_N],
- &left [0 * SPX_N],
- ¤t[0 * SPX_N],
- 2, ctx, tree_addrx2);
- }
-
- /* We've hit a left child; save the current for when we get the */
- /* corresponding right right */
- memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N);
- }
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.h
deleted file mode 100644
index e09faddc43..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef SPX_UTILSX2_H
-#define SPX_UTILSX2_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- *
- * This implementation uses SIMD to compute internal nodes 2 at a time (in
- * parallel)
- */
-#define treehashx2 SPX_NAMESPACE(treehashx2)
-void treehashx2(unsigned char *root, unsigned char *auth_path,
- const spx_ctx *ctx,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leafx2)(
- unsigned char * /* Where to write the leaves */,
- const spx_ctx * /* ctx */,
- uint32_t addr_idx, void *info),
- uint32_t tree_addrx2[2 * 8], void *info);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.c
deleted file mode 100644
index 3babe45e95..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.c
+++ /dev/null
@@ -1,259 +0,0 @@
-#include
-#include
-
-#include "wots.h"
-#include "wotsx2.h"
-
-#include "address.h"
-#include "hash.h"
-#include "hashx2.h"
-#include "params.h"
-#include "thashx2.h"
-#include "utils.h"
-#include "utilsx2.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes up the chains
- */
-static void gen_chains(
- unsigned char *out,
- const unsigned char *in,
- unsigned int start[SPX_WOTS_LEN],
- const unsigned int steps[SPX_WOTS_LEN],
- const spx_ctx *ctx,
- uint32_t addr[8]) {
- uint32_t i, j, k, idx, watching;
- int done;
- unsigned char empty[SPX_N];
- unsigned char *bufs[4];
- uint32_t addrs[8 * 2];
-
- int l;
- uint16_t counts[SPX_WOTS_W] = { 0 };
- uint16_t idxs[SPX_WOTS_LEN];
- uint16_t total, newTotal;
-
- /* set addrs = {addr, addr} */
- for (j = 0; j < 2; j++) {
- memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8);
- }
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, SPX_WOTS_LEN * SPX_N);
-
- /* Sort the chains in reverse order by steps using counting sort. */
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- counts[steps[i]]++;
- }
- total = 0;
- for (l = SPX_WOTS_W - 1; l >= 0; l--) {
- newTotal = counts[l] + total;
- counts[l] = total;
- total = newTotal;
- }
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- idxs[counts[steps[i]]] = i;
- counts[steps[i]]++;
- }
-
- /* We got our work cut out for us: do it! */
- for (i = 0; i < SPX_WOTS_LEN; i += 2) {
- for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) {
- idx = idxs[i + j];
- set_chain_addr(addrs + j * 8, idx);
- bufs[j] = out + SPX_N * idx;
- }
-
- /* As the chains are sorted in reverse order, we know that the first
- * chain is the longest and the last one is the shortest. We keep
- * an eye on whether the last chain is done and then on the one before,
- * et cetera. */
- watching = 1;
- done = 0;
- while (i + watching >= SPX_WOTS_LEN) {
- bufs[watching] = &empty[0];
- watching--;
- }
-
- for (k = 0;; k++) {
- while (k == steps[idxs[i + watching]]) {
- bufs[watching] = &empty[0];
- if (watching == 0) {
- done = 1;
- break;
- }
- watching--;
- }
- if (done) {
- break;
- }
- for (j = 0; j < watching + 1; j++) {
- set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]);
- }
-
- thashx2(bufs[0], bufs[1],
- bufs[0], bufs[1], 1, ctx, addrs);
- }
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const int out_len,
- const unsigned char *input) {
- int in = 0;
- int out = 0;
- unsigned char total = 0;
- int bits = 0;
- int consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= SPX_WOTS_LOGW;
- output[out] = (total >> bits) & (SPX_WOTS_W - 1);
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w,
- const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < SPX_WOTS_LEN1; i++) {
- csum += SPX_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w. */
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8);
- ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, SPX_WOTS_LEN1, msg);
- wots_checksum(lengths + SPX_WOTS_LEN1, lengths);
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]) {
- unsigned int steps[SPX_WOTS_LEN];
- unsigned int start[SPX_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(start, msg);
-
- for (i = 0; i < SPX_WOTS_LEN; i++) {
- steps[i] = SPX_WOTS_W - 1 - start[i];
- }
-
- gen_chains(pk, sig, start, steps, ctx, addr);
-}
-
-/*
- * This generates 2 sequential WOTS public keys
- * It also generates the WOTS signature if leaf_info indicates
- * that we're signing with one of these WOTS keys
- */
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info) {
- struct leaf_info_x2 *info = v_info;
- uint32_t *leaf_addr = info->leaf_addr;
- uint32_t *pk_addr = info->pk_addr;
- unsigned int i, j, k;
- unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ];
- unsigned wots_offset = SPX_WOTS_BYTES;
- unsigned char *buffer;
- uint32_t wots_k_mask;
- unsigned wots_sign_index;
-
- if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) {
- /* We're traversing the leaf that's signing; generate the WOTS */
- /* signature */
- wots_k_mask = 0;
- wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */
- /* slots do the signatures come from */
- } else {
- /* Nope, we're just generating pk's; turn off the signature logic */
- wots_k_mask = ~0;
- wots_sign_index = 0;
- }
-
- for (j = 0; j < 2; j++) {
- set_keypair_addr( leaf_addr + j * 8, leaf_idx + j );
- set_keypair_addr( pk_addr + j * 8, leaf_idx + j );
- }
-
- for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) {
- uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */
- /* the step if we're generating a signature, ~0 if we're not */
-
- /* Start with the secret seed */
- for (j = 0; j < 2; j++) {
- set_chain_addr(leaf_addr + j * 8, i);
- set_hash_addr(leaf_addr + j * 8, 0);
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF);
- }
- prf_addrx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- ctx, leaf_addr);
- for (j = 0; j < 2; j++) {
- set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS);
- }
-
- /* Iterate down the WOTS chain */
- for (k = 0;; k++) {
- /* Check if one of the values we have needs to be saved as a */
- /* part of the WOTS signature */
- if (k == wots_k) {
- memcpy( info->wots_sig + i * SPX_N,
- buffer + wots_sign_index * wots_offset, SPX_N );
- }
-
- /* Check if we hit the top of the chain */
- if (k == SPX_WOTS_W - 1) {
- break;
- }
-
- /* Iterate one step on all 4 chains */
- for (j = 0; j < 2; j++) {
- set_hash_addr(leaf_addr + j * 8, k);
- }
- thashx2(buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- buffer + 0 * wots_offset,
- buffer + 1 * wots_offset,
- 1, ctx, leaf_addr);
- }
- }
-
- /* Do the final thash to generate the public keys */
- thashx2(dest + 0 * SPX_N,
- dest + 1 * SPX_N,
- pk_buffer + 0 * wots_offset,
- pk_buffer + 1 * wots_offset,
- SPX_WOTS_LEN, ctx, pk_addr);
-}
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.h
deleted file mode 100644
index 4e7692eeef..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef SPX_WOTS_H
-#define SPX_WOTS_H
-
-#include
-
-#include "context.h"
-#include "params.h"
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig)
-void wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const spx_ctx *ctx, uint32_t addr[8]);
-
-/*
- * Compute the chain lengths needed for a given message hash
- */
-#define chain_lengths SPX_NAMESPACE(chain_lengths)
-void chain_lengths(unsigned int *lengths, const unsigned char *msg);
-
-#endif
diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wotsx2.h
deleted file mode 100644
index b58bb61f84..0000000000
--- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wotsx2.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef WOTSX2_H_
-#define WOTSX2_H_
-
-#include "params.h"
-#include
-
-/*
- * This is here to provide an interface to the internal wots_gen_leafx2
- * routine. While this routine is not referenced in the package outside of
- * wots.c, it is called from the stand-alone benchmark code to characterize
- * the performance
- */
-struct leaf_info_x2 {
- unsigned char *wots_sig;
- uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */
- uint32_t *wots_steps;
- uint32_t leaf_addr[2 * 8];
- uint32_t pk_addr[2 * 8];
-};
-
-/* Macro to set the leaf_info to something 'benign', that is, it would */
-/* run with the same time as it does during the real signing process */
-/* Used only by the benchmark code */
-#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \
- (info).wots_sig = 0; \
- (info).wots_sign_leaf = ~0; \
- (info).wots_steps = step_buffer; \
- int i; \
- for (i=0; i<2; i++) { \
- memcpy( &(info).leaf_addr[8*i], addr, 32 ); \
- memcpy( &(info).pk_addr[8*i], addr, 32 ); \
- } \
- }
-
-#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2)
-void wots_gen_leafx2(unsigned char *dest,
- const spx_ctx *ctx,
- uint32_t leaf_idx, void *v_info);
-
-#endif /* WOTSX2_H_ */