rhys: gimli optimized for avr

Co-authored-by: Rhys Weatherley <rhys.weatherley@gmail.com>

gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/aead-common.c

+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "aead-common.h"
+
+int aead_check_tag
+    (unsigned char *plaintext, unsigned long long plaintext_len,
+     const unsigned char *tag1, const unsigned char *tag2,
+     unsigned size)
+{
+    /* Set "accum" to -1 if the tags match, or 0 if they don't match */
+    int accum = 0;
+    while (size > 0) {
+        accum |= (*tag1++ ^ *tag2++);
+        --size;
+    }
+    accum = (accum - 1) >> 8;
+
+    /* Destroy the plaintext if the tag match failed */
+    while (plaintext_len > 0) {
+        *plaintext++ &= accum;
+        --plaintext_len;
+    }
+
+    /* If "accum" is 0, return -1, otherwise return 0 */
+    return ~accum;
+}
+
+int aead_check_tag_precheck
+    (unsigned char *plaintext, unsigned long long plaintext_len,
+     const unsigned char *tag1, const unsigned char *tag2,
+     unsigned size, int precheck)
+{
+    /* Set "accum" to -1 if the tags match, or 0 if they don't match */
+    int accum = 0;
+    while (size > 0) {
+        accum |= (*tag1++ ^ *tag2++);
+        --size;
+    }
+    accum = ((accum - 1) >> 8) & precheck;
+
+    /* Destroy the plaintext if the tag match failed */
+    while (plaintext_len > 0) {
+        *plaintext++ &= accum;
+        --plaintext_len;
+    }
+
+    /* If "accum" is 0, return -1, otherwise return 0 */
+    return ~accum;
+}

gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/aead-common.h

+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LWCRYPTO_AEAD_COMMON_H
+#define LWCRYPTO_AEAD_COMMON_H
+
+#include <stddef.h>
+
+/**
+ * \file aead-common.h
+ * \brief Definitions that are common across AEAD schemes.
+ *
+ * AEAD stands for "Authenticated Encryption with Associated Data".
+ * It is a standard API pattern for securely encrypting and
+ * authenticating packets of data.
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Encrypts and authenticates a packet with an AEAD scheme.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ * the ciphertext and the authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - normally not used by AEAD schemes.
+ * \param npub Points to the public nonce for the packet.
+ * \param k Points to the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ * the parameters.
+ */
+typedef int (*aead_cipher_encrypt_t)
+    (unsigned char *c, unsigned long long *clen,
+     const unsigned char *m, unsigned long long mlen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *nsec,
+     const unsigned char *npub,
+     const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with an AEAD scheme.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - normally not used by AEAD schemes.
+ * \param c Buffer that contains the ciphertext and authentication
+ * tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ * ciphertext and the authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet.
+ * \param k Points to the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ * or some other negative number if there was an error in the parameters.
+ */
+typedef int (*aead_cipher_decrypt_t)
+    (unsigned char *m, unsigned long long *mlen,
+     unsigned char *nsec,
+     const unsigned char *c, unsigned long long clen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *npub,
+     const unsigned char *k);
+
+/**
+ * \brief Hashes a block of input data.
+ *
+ * \param out Buffer to receive the hash output.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
+ *
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
+ */
+typedef int (*aead_hash_t)
+    (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Initializes the state for a hashing operation.
+ *
+ * \param state Hash state to be initialized.
+ */
+typedef void (*aead_hash_init_t)(void *state);
+
+/**
+ * \brief Updates a hash state with more input data.
+ *
+ * \param state Hash state to be updated.
+ * \param in Points to the input data to be incorporated into the state.
+ * \param inlen Length of the input data to be incorporated into the state.
+ */
+typedef void (*aead_hash_update_t)
+    (void *state, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Returns the final hash value from a hashing operation.
+ *
+ * \param Hash state to be finalized.
+ * \param out Points to the output buffer to receive the hash value.
+ */
+typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
+
+/**
+ * \brief Aborbs more input data into an XOF state.
+ *
+ * \param state XOF state to be updated.
+ * \param in Points to the input data to be absorbed into the state.
+ * \param inlen Length of the input data to be absorbed into the state.
+ *
+ * \sa ascon_xof_init(), ascon_xof_squeeze()
+ */
+typedef void (*aead_xof_absorb_t)
+    (void *state, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Squeezes output data from an XOF state.
+ *
+ * \param state XOF state to squeeze the output data from.
+ * \param out Points to the output buffer to receive the squeezed data.
+ * \param outlen Number of bytes of data to squeeze out of the state.
+ */
+typedef void (*aead_xof_squeeze_t)
+    (void *state, unsigned char *out, unsigned long long outlen);
+
+/**
+ * \brief No special AEAD features.
+ */
+#define AEAD_FLAG_NONE          0x0000
+
+/**
+ * \brief The natural byte order of the AEAD cipher is little-endian.
+ *
+ * If this flag is not present, then the natural byte order of the
+ * AEAD cipher should be assumed to be big-endian.
+ *
+ * The natural byte order may be useful when formatting packet sequence
+ * numbers as nonces.  The application needs to know whether the sequence
+ * number should be packed into the leading or trailing bytes of the nonce.
+ */
+#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
+
+/**
+ * \brief Meta-information about an AEAD cipher.
+ */
+typedef struct
+{
+    const char *name;               /**< Name of the cipher */
+    unsigned key_len;               /**< Length of the key in bytes */
+    unsigned nonce_len;             /**< Length of the nonce in bytes */
+    unsigned tag_len;               /**< Length of the tag in bytes */
+    unsigned flags;                 /**< Flags for extra features */
+    aead_cipher_encrypt_t encrypt;  /**< AEAD encryption function */
+    aead_cipher_decrypt_t decrypt;  /**< AEAD decryption function */
+
+} aead_cipher_t;
+
+/**
+ * \brief Meta-information about a hash algorithm that is related to an AEAD.
+ *
+ * Regular hash algorithms should provide the "hash", "init", "update",
+ * and "finalize" functions.  Extensible Output Functions (XOF's) should
+ * proivde the "hash", "init", "absorb", and "squeeze" functions.
+ */
+typedef struct
+{
+    const char *name;           /**< Name of the hash algorithm */
+    size_t state_size;          /**< Size of the incremental state structure */
+    unsigned hash_len;          /**< Length of the hash in bytes */
+    unsigned flags;             /**< Flags for extra features */
+    aead_hash_t hash;           /**< All in one hashing function */
+    aead_hash_init_t init;      /**< Incremental hash/XOF init function */
+    aead_hash_update_t update;  /**< Incremental hash update function */
+    aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
+    aead_xof_absorb_t absorb;   /**< Incremental XOF absorb function */
+    aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
+
+} aead_hash_algorithm_t;
+
+/**
+ * \brief Check an authentication tag in constant time.
+ *
+ * \param plaintext Points to the plaintext data.
+ * \param plaintext_len Length of the plaintext in bytes.
+ * \param tag1 First tag to compare.
+ * \param tag2 Second tag to compare.
+ * \param tag_len Length of the tags in bytes.
+ *
+ * \return Returns -1 if the tag check failed or 0 if the check succeeded.
+ *
+ * If the tag check fails, then the \a plaintext will also be zeroed to
+ * prevent it from being used accidentally by the application when the
+ * ciphertext was invalid.
+ */
+int aead_check_tag
+    (unsigned char *plaintext, unsigned long long plaintext_len,
+     const unsigned char *tag1, const unsigned char *tag2,
+     unsigned tag_len);
+
+/**
+ * \brief Check an authentication tag in constant time with a previous check.
+ *
+ * \param plaintext Points to the plaintext data.
+ * \param plaintext_len Length of the plaintext in bytes.
+ * \param tag1 First tag to compare.
+ * \param tag2 Second tag to compare.
+ * \param tag_len Length of the tags in bytes.
+ * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
+ *
+ * \return Returns -1 if the tag check failed or 0 if the check succeeded.
+ *
+ * If the tag check fails, then the \a plaintext will also be zeroed to
+ * prevent it from being used accidentally by the application when the
+ * ciphertext was invalid.
+ *
+ * This version can be used to incorporate other information about the
+ * correctness of the plaintext into the final result.
+ */
+int aead_check_tag_precheck
+    (unsigned char *plaintext, unsigned long long plaintext_len,
+     const unsigned char *tag1, const unsigned char *tag2,
+     unsigned tag_len, int precheck);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/api.h

+#define CRYPTO_KEYBYTES 32
+#define CRYPTO_NSECBYTES 0 
+#define CRYPTO_NPUBBYTES 16 
+#define CRYPTO_ABYTES 16 
+#define CRYPTO_NOOVERLAP 1 

gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/encrypt.c

+
+#include "gimli24.h"
+
+int crypto_aead_encrypt
+    (unsigned char *c, unsigned long long *clen,
+     const unsigned char *m, unsigned long long mlen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *nsec,
+     const unsigned char *npub,
+     const unsigned char *k)
+{
+    return gimli24_aead_encrypt
+        (c, clen, m, mlen, ad, adlen, nsec, npub, k);
+}
+
+int crypto_aead_decrypt
+    (unsigned char *m, unsigned long long *mlen,
+     unsigned char *nsec,
+     const unsigned char *c, unsigned long long clen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *npub,
+     const unsigned char *k)
+{
+    return gimli24_aead_decrypt
+        (m, mlen, nsec, c, clen, ad, adlen, npub, k);
+}

gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/gimli24.h

+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LWCRYPTO_GIMLI24_H
+#define LWCRYPTO_GIMLI24_H
+
+#include "aead-common.h"
+
+/**
+ * \file gimli24.h
+ * \brief Gimli authenticated encryption algorithm.
+ *
+ * GIMLI-24-CIPHER has a 256-bit key, a 128-bit nonce, and a 128-bit tag.
+ * It is the spiritual successor to the widely used ChaCha20 and has a
+ * similar design.
+ *
+ * This library also includes an implementation of the hash algorithm
+ * GIMLI-24-HASH in both regular hashing and XOF modes.
+ *
+ * References: https://gimli.cr.yp.to/
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Size of the key for GIMLI-24.
+ */
+#define GIMLI24_KEY_SIZE 32
+
+/**
+ * \brief Size of the nonce for GIMLI-24.
+ */
+#define GIMLI24_NONCE_SIZE 16
+
+/**
+ * \brief Size of the authentication tag for GIMLI-24.
+ */
+#define GIMLI24_TAG_SIZE 16
+
+/**
+ * \brief Size of the hash output for GIMLI-24.
+ */
+#define GIMLI24_HASH_SIZE 32
+
+/**
+ * \brief State information for GIMLI-24-HASH incremental modes.
+ */
+typedef union
+{
+    struct {
+        unsigned char state[48]; /**< Current hash state */
+        unsigned char count;     /**< Number of bytes in the current block */
+        unsigned char mode;      /**< Hash mode: 0 for absorb, 1 for squeeze */
+    } s;                         /**< State */
+    unsigned long long align;    /**< For alignment of this structure */
+
+} gimli24_hash_state_t;
+
+/**
+ * \brief Meta-information block for the GIMLI-24 cipher.
+ */
+extern aead_cipher_t const gimli24_cipher;
+
+/**
+ * \brief Meta-information block for the GIMLI-24-HASH algorithm.
+ *
+ * This meta-information block can also be used in XOF mode.
+ */
+extern aead_hash_algorithm_t const gimli24_hash_algorithm;
+
+/**
+ * \brief Encrypts and authenticates a packet with GIMLI-24 using the
+ * full AEAD mode.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ * the ciphertext and the 16 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 32 bytes of the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ * the parameters.
+ *
+ * \sa gimli24_aead_decrypt()
+ */
+int gimli24_aead_encrypt
+    (unsigned char *c, unsigned long long *clen,
+     const unsigned char *m, unsigned long long mlen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *nsec,
+     const unsigned char *npub,
+     const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with GIMLI-24 using the
+ * full AEAD mode.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ * tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ * ciphertext and the 16 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 32 bytes of the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ * or some other negative number if there was an error in the parameters.
+ *
+ * \sa gimli24_aead_encrypt()
+ */
+int gimli24_aead_decrypt
+    (unsigned char *m, unsigned long long *mlen,
+     unsigned char *nsec,
+     const unsigned char *c, unsigned long long clen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *npub,
+     const unsigned char *k);
+
+/**
+ * \brief Hashes a block of input data with GIMLI-24 to generate a hash value.
+ *
+ * \param out Buffer to receive the hash output which must be at least
+ * GIMLI24_HASH_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
+ *
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
+ */
+int gimli24_hash
+    (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Initializes the state for a GIMLI-24-HASH hashing operation.
+ *
+ * \param state Hash state to be initialized.
+ *
+ * \sa gimli24_hash_absorb(), gimli24_hash_squeeze(), gimli24_hash()
+ */
+void gimli24_hash_init(gimli24_hash_state_t *state);
+
+/**
+ * \brief Aborbs more input data into a GIMLI-24-HASH state.
+ *
+ * \param state Hash state to be updated.
+ * \param in Points to the input data to be absorbed into the state.
+ * \param inlen Length of the input data to be absorbed into the state.
+ *
+ * \sa gimli24_hash_init(), gimli24_hash_squeeze()
+ */
+void gimli24_hash_absorb
+    (gimli24_hash_state_t *state, const unsigned char *in,
+     unsigned long long inlen);
+
+/**
+ * \brief Squeezes output data from an GIMLI-24-HASH state.
+ *
+ * \param state Hash state to squeeze the output data from.
+ * \param out Points to the output buffer to receive the squeezed data.
+ * \param outlen Number of bytes of data to squeeze out of the state.
+ *
+ * \sa gimli24_hash_init(), gimli24_hash_absorb()
+ */
+void gimli24_hash_squeeze
+    (gimli24_hash_state_t *state, unsigned char *out,
+     unsigned long long outlen);
+
+/**
+ * \brief Returns the final hash value from a GIMLI-24-HASH hashing operation.
+ *
+ * \param state Hash state to be finalized.
+ * \param out Points to the output buffer to receive the hash value.
+ *
+ * \note This is a wrapper around gimli24_hash_squeeze() for a fixed length
+ * of GIMLI24_HASH_SIZE bytes.
+ *
+ * \sa gimli24_hash_init(), gimli24_hash_absorb()
+ */
+void gimli24_hash_finalize
+    (gimli24_hash_state_t *state, unsigned char *out);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/internal-gimli24.h

+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LW_INTERNAL_GIMLI24_H
+#define LW_INTERNAL_GIMLI24_H
+
+#include "internal-util.h"
+
+/**
+ * \file internal-gimli24.h
+ * \brief Internal implementation of the GIMLI-24 permutation.
+ *
+ * References: https://gimli.cr.yp.to/
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Permutes the GIMLI-24 state.
+ *
+ * \param state The GIMLI-24 state to be permuted.
+ *
+ * The input and output \a state will be in little-endian byte order.
+ */
+void gimli24_permute(uint32_t state[12]);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/aead-common.c

+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "aead-common.h"
+
+int aead_check_tag
+    (unsigned char *plaintext, unsigned long long plaintext_len,
+     const unsigned char *tag1, const unsigned char *tag2,
+     unsigned size)
+{
+    /* Set "accum" to -1 if the tags match, or 0 if they don't match */
+    int accum = 0;
+    while (size > 0) {
+        accum |= (*tag1++ ^ *tag2++);
+        --size;
+    }
+    accum = (accum - 1) >> 8;
+
+    /* Destroy the plaintext if the tag match failed */
+    while (plaintext_len > 0) {
+        *plaintext++ &= accum;
+        --plaintext_len;
+    }
+
+    /* If "accum" is 0, return -1, otherwise return 0 */
+    return ~accum;
+}
+
+int aead_check_tag_precheck
+    (unsigned char *plaintext, unsigned long long plaintext_len,
+     const unsigned char *tag1, const unsigned char *tag2,
+     unsigned size, int precheck)
+{
+    /* Set "accum" to -1 if the tags match, or 0 if they don't match */
+    int accum = 0;
+    while (size > 0) {
+        accum |= (*tag1++ ^ *tag2++);
+        --size;
+    }
+    accum = ((accum - 1) >> 8) & precheck;
+
+    /* Destroy the plaintext if the tag match failed */
+    while (plaintext_len > 0) {
+        *plaintext++ &= accum;
+        --plaintext_len;
+    }
+
+    /* If "accum" is 0, return -1, otherwise return 0 */
+    return ~accum;
+}

gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/aead-common.h

+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LWCRYPTO_AEAD_COMMON_H
+#define LWCRYPTO_AEAD_COMMON_H
+
+#include <stddef.h>
+
+/**
+ * \file aead-common.h
+ * \brief Definitions that are common across AEAD schemes.
+ *
+ * AEAD stands for "Authenticated Encryption with Associated Data".
+ * It is a standard API pattern for securely encrypting and
+ * authenticating packets of data.
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Encrypts and authenticates a packet with an AEAD scheme.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ * the ciphertext and the authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - normally not used by AEAD schemes.
+ * \param npub Points to the public nonce for the packet.
+ * \param k Points to the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ * the parameters.
+ */
+typedef int (*aead_cipher_encrypt_t)
+    (unsigned char *c, unsigned long long *clen,
+     const unsigned char *m, unsigned long long mlen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *nsec,
+     const unsigned char *npub,
+     const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with an AEAD scheme.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - normally not used by AEAD schemes.
+ * \param c Buffer that contains the ciphertext and authentication
+ * tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ * ciphertext and the authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet.
+ * \param k Points to the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ * or some other negative number if there was an error in the parameters.
+ */
+typedef int (*aead_cipher_decrypt_t)
+    (unsigned char *m, unsigned long long *mlen,
+     unsigned char *nsec,
+     const unsigned char *c, unsigned long long clen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *npub,
+     const unsigned char *k);
+
+/**
+ * \brief Hashes a block of input data.
+ *
+ * \param out Buffer to receive the hash output.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
+ *
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
+ */
+typedef int (*aead_hash_t)
+    (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Initializes the state for a hashing operation.
+ *
+ * \param state Hash state to be initialized.
+ */
+typedef void (*aead_hash_init_t)(void *state);
+
+/**
+ * \brief Updates a hash state with more input data.
+ *
+ * \param state Hash state to be updated.
+ * \param in Points to the input data to be incorporated into the state.
+ * \param inlen Length of the input data to be incorporated into the state.
+ */
+typedef void (*aead_hash_update_t)
+    (void *state, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Returns the final hash value from a hashing operation.
+ *
+ * \param Hash state to be finalized.
+ * \param out Points to the output buffer to receive the hash value.
+ */
+typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
+
+/**
+ * \brief Aborbs more input data into an XOF state.
+ *
+ * \param state XOF state to be updated.
+ * \param in Points to the input data to be absorbed into the state.
+ * \param inlen Length of the input data to be absorbed into the state.
+ *
+ * \sa ascon_xof_init(), ascon_xof_squeeze()
+ */
+typedef void (*aead_xof_absorb_t)
+    (void *state, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Squeezes output data from an XOF state.
+ *
+ * \param state XOF state to squeeze the output data from.
+ * \param out Points to the output buffer to receive the squeezed data.
+ * \param outlen Number of bytes of data to squeeze out of the state.
+ */
+typedef void (*aead_xof_squeeze_t)
+    (void *state, unsigned char *out, unsigned long long outlen);
+
+/**
+ * \brief No special AEAD features.
+ */
+#define AEAD_FLAG_NONE          0x0000
+
+/**
+ * \brief The natural byte order of the AEAD cipher is little-endian.
+ *
+ * If this flag is not present, then the natural byte order of the
+ * AEAD cipher should be assumed to be big-endian.
+ *
+ * The natural byte order may be useful when formatting packet sequence
+ * numbers as nonces.  The application needs to know whether the sequence
+ * number should be packed into the leading or trailing bytes of the nonce.
+ */
+#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
+
+/**
+ * \brief Meta-information about an AEAD cipher.
+ */
+typedef struct
+{
+    const char *name;               /**< Name of the cipher */
+    unsigned key_len;               /**< Length of the key in bytes */
+    unsigned nonce_len;             /**< Length of the nonce in bytes */
+    unsigned tag_len;               /**< Length of the tag in bytes */
+    unsigned flags;                 /**< Flags for extra features */
+    aead_cipher_encrypt_t encrypt;  /**< AEAD encryption function */
+    aead_cipher_decrypt_t decrypt;  /**< AEAD decryption function */
+
+} aead_cipher_t;
+
+/**
+ * \brief Meta-information about a hash algorithm that is related to an AEAD.
+ *
+ * Regular hash algorithms should provide the "hash", "init", "update",
+ * and "finalize" functions.  Extensible Output Functions (XOF's) should
+ * proivde the "hash", "init", "absorb", and "squeeze" functions.
+ */
+typedef struct
+{
+    const char *name;           /**< Name of the hash algorithm */
+    size_t state_size;          /**< Size of the incremental state structure */
+    unsigned hash_len;          /**< Length of the hash in bytes */
+    unsigned flags;             /**< Flags for extra features */
+    aead_hash_t hash;           /**< All in one hashing function */
+    aead_hash_init_t init;      /**< Incremental hash/XOF init function */
+    aead_hash_update_t update;  /**< Incremental hash update function */
+    aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
+    aead_xof_absorb_t absorb;   /**< Incremental XOF absorb function */
+    aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
+
+} aead_hash_algorithm_t;
+
+/**
+ * \brief Check an authentication tag in constant time.
+ *
+ * \param plaintext Points to the plaintext data.
+ * \param plaintext_len Length of the plaintext in bytes.
+ * \param tag1 First tag to compare.
+ * \param tag2 Second tag to compare.
+ * \param tag_len Length of the tags in bytes.
+ *
+ * \return Returns -1 if the tag check failed or 0 if the check succeeded.
+ *
+ * If the tag check fails, then the \a plaintext will also be zeroed to
+ * prevent it from being used accidentally by the application when the
+ * ciphertext was invalid.
+ */
+int aead_check_tag
+    (unsigned char *plaintext, unsigned long long plaintext_len,
+     const unsigned char *tag1, const unsigned char *tag2,
+     unsigned tag_len);
+
+/**
+ * \brief Check an authentication tag in constant time with a previous check.
+ *
+ * \param plaintext Points to the plaintext data.
+ * \param plaintext_len Length of the plaintext in bytes.
+ * \param tag1 First tag to compare.
+ * \param tag2 Second tag to compare.
+ * \param tag_len Length of the tags in bytes.
+ * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
+ *
+ * \return Returns -1 if the tag check failed or 0 if the check succeeded.
+ *
+ * If the tag check fails, then the \a plaintext will also be zeroed to
+ * prevent it from being used accidentally by the application when the
+ * ciphertext was invalid.
+ *
+ * This version can be used to incorporate other information about the
+ * correctness of the plaintext into the final result.
+ */
+int aead_check_tag_precheck
+    (unsigned char *plaintext, unsigned long long plaintext_len,
+     const unsigned char *tag1, const unsigned char *tag2,
+     unsigned tag_len, int precheck);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/api.h

+#define CRYPTO_BYTES 32

gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/gimli24.h

+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LWCRYPTO_GIMLI24_H
+#define LWCRYPTO_GIMLI24_H
+
+#include "aead-common.h"
+
+/**
+ * \file gimli24.h
+ * \brief Gimli authenticated encryption algorithm.
+ *
+ * GIMLI-24-CIPHER has a 256-bit key, a 128-bit nonce, and a 128-bit tag.
+ * It is the spiritual successor to the widely used ChaCha20 and has a
+ * similar design.
+ *
+ * This library also includes an implementation of the hash algorithm
+ * GIMLI-24-HASH in both regular hashing and XOF modes.
+ *
+ * References: https://gimli.cr.yp.to/
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Size of the key for GIMLI-24.
+ */
+#define GIMLI24_KEY_SIZE 32
+
+/**
+ * \brief Size of the nonce for GIMLI-24.
+ */
+#define GIMLI24_NONCE_SIZE 16
+
+/**
+ * \brief Size of the authentication tag for GIMLI-24.
+ */
+#define GIMLI24_TAG_SIZE 16
+
+/**
+ * \brief Size of the hash output for GIMLI-24.
+ */
+#define GIMLI24_HASH_SIZE 32
+
+/**
+ * \brief State information for GIMLI-24-HASH incremental modes.
+ */
+typedef union
+{
+    struct {
+        unsigned char state[48]; /**< Current hash state */
+        unsigned char count;     /**< Number of bytes in the current block */
+        unsigned char mode;      /**< Hash mode: 0 for absorb, 1 for squeeze */
+    } s;                         /**< State */
+    unsigned long long align;    /**< For alignment of this structure */
+
+} gimli24_hash_state_t;
+
+/**
+ * \brief Meta-information block for the GIMLI-24 cipher.
+ */
+extern aead_cipher_t const gimli24_cipher;
+
+/**
+ * \brief Meta-information block for the GIMLI-24-HASH algorithm.
+ *
+ * This meta-information block can also be used in XOF mode.
+ */
+extern aead_hash_algorithm_t const gimli24_hash_algorithm;
+
+/**
+ * \brief Encrypts and authenticates a packet with GIMLI-24 using the
+ * full AEAD mode.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ * the ciphertext and the 16 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 32 bytes of the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ * the parameters.
+ *
+ * \sa gimli24_aead_decrypt()
+ */
+int gimli24_aead_encrypt
+    (unsigned char *c, unsigned long long *clen,
+     const unsigned char *m, unsigned long long mlen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *nsec,
+     const unsigned char *npub,
+     const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with GIMLI-24 using the
+ * full AEAD mode.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ * tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ * ciphertext and the 16 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 32 bytes of the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ * or some other negative number if there was an error in the parameters.
+ *
+ * \sa gimli24_aead_encrypt()
+ */
+int gimli24_aead_decrypt
+    (unsigned char *m, unsigned long long *mlen,
+     unsigned char *nsec,
+     const unsigned char *c, unsigned long long clen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *npub,
+     const unsigned char *k);
+
+/**
+ * \brief Hashes a block of input data with GIMLI-24 to generate a hash value.
+ *
+ * \param out Buffer to receive the hash output which must be at least
+ * GIMLI24_HASH_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
+ *
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
+ */
+int gimli24_hash
+    (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Initializes the state for a GIMLI-24-HASH hashing operation.
+ *
+ * \param state Hash state to be initialized.
+ *
+ * \sa gimli24_hash_absorb(), gimli24_hash_squeeze(), gimli24_hash()
+ */
+void gimli24_hash_init(gimli24_hash_state_t *state);
+
+/**
+ * \brief Aborbs more input data into a GIMLI-24-HASH state.
+ *
+ * \param state Hash state to be updated.
+ * \param in Points to the input data to be absorbed into the state.
+ * \param inlen Length of the input data to be absorbed into the state.
+ *
+ * \sa gimli24_hash_init(), gimli24_hash_squeeze()
+ */
+void gimli24_hash_absorb
+    (gimli24_hash_state_t *state, const unsigned char *in,
+     unsigned long long inlen);
+
+/**
+ * \brief Squeezes output data from an GIMLI-24-HASH state.
+ *
+ * \param state Hash state to squeeze the output data from.
+ * \param out Points to the output buffer to receive the squeezed data.
+ * \param outlen Number of bytes of data to squeeze out of the state.
+ *
+ * \sa gimli24_hash_init(), gimli24_hash_absorb()
+ */
+void gimli24_hash_squeeze
+    (gimli24_hash_state_t *state, unsigned char *out,
+     unsigned long long outlen);
+
+/**
+ * \brief Returns the final hash value from a GIMLI-24-HASH hashing operation.
+ *
+ * \param state Hash state to be finalized.
+ * \param out Points to the output buffer to receive the hash value.
+ *
+ * \note This is a wrapper around gimli24_hash_squeeze() for a fixed length
+ * of GIMLI24_HASH_SIZE bytes.
+ *
+ * \sa gimli24_hash_init(), gimli24_hash_absorb()
+ */
+void gimli24_hash_finalize
+    (gimli24_hash_state_t *state, unsigned char *out);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/hash.c

+
+#include "gimli24.h"
+
+int crypto_hash
+    (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+    return gimli24_hash(out, in, inlen);
+}

gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-gimli24.c

+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "internal-gimli24.h"
+
+#if !defined(__AVR__)
+
+/* Apply the SP-box to a specific column in the state array */
+#define GIMLI24_SP(s0, s4, s8) \
+    do { \
+        x = leftRotate24(s0); \
+        y = leftRotate9(s4); \
+        s4 = y ^ x ^ ((x | s8) << 1); \
+        s0 = s8 ^ y ^ ((x & y) << 3); \
+        s8 = x ^ (s8 << 1) ^ ((y & s8) << 2); \
+    } while (0)
+
+void gimli24_permute(uint32_t state[12])
+{
+    uint32_t s0, s1, s2, s3, s4,  s5;
+    uint32_t s6, s7, s8, s9, s10, s11;
+    uint32_t x, y;
+    unsigned round;
+
+    /* Load the state into local variables and convert from little-endian */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+    s0  = state[0];
+    s1  = state[1];
+    s2  = state[2];
+    s3  = state[3];
+    s4  = state[4];
+    s5  = state[5];
+    s6  = state[6];
+    s7  = state[7];
+    s8  = state[8];
+    s9  = state[9];
+    s10 = state[10];
+    s11 = state[11];
+#else
+    s0  = le_load_word32((const unsigned char *)(&(state[0])));
+    s1  = le_load_word32((const unsigned char *)(&(state[1])));
+    s2  = le_load_word32((const unsigned char *)(&(state[2])));
+    s3  = le_load_word32((const unsigned char *)(&(state[3])));
+    s4  = le_load_word32((const unsigned char *)(&(state[4])));
+    s5  = le_load_word32((const unsigned char *)(&(state[5])));
+    s6  = le_load_word32((const unsigned char *)(&(state[6])));
+    s7  = le_load_word32((const unsigned char *)(&(state[7])));
+    s8  = le_load_word32((const unsigned char *)(&(state[8])));
+    s9  = le_load_word32((const unsigned char *)(&(state[9])));
+    s10 = le_load_word32((const unsigned char *)(&(state[10])));
+    s11 = le_load_word32((const unsigned char *)(&(state[11])));
+#endif
+
+    /* Unroll and perform the rounds 4 at a time */
+    for (round = 24; round > 0; round -= 4) {
+        /* Round 0: SP-box, small swap, add round constant */
+        GIMLI24_SP(s0, s4, s8);
+        GIMLI24_SP(s1, s5, s9);
+        GIMLI24_SP(s2, s6, s10);
+        GIMLI24_SP(s3, s7, s11);
+        x = s0;
+        y = s2;
+        s0 = s1 ^ 0x9e377900U ^ round;
+        s1 = x;
+        s2 = s3;
+        s3 = y;
+
+        /* Round 1: SP-box only */
+        GIMLI24_SP(s0, s4, s8);
+        GIMLI24_SP(s1, s5, s9);
+        GIMLI24_SP(s2, s6, s10);
+        GIMLI24_SP(s3, s7, s11);
+
+        /* Round 2: SP-box, big swap */
+        GIMLI24_SP(s0, s4, s8);
+        GIMLI24_SP(s1, s5, s9);
+        GIMLI24_SP(s2, s6, s10);
+        GIMLI24_SP(s3, s7, s11);
+        x = s0;
+        y = s1;
+        s0 = s2;
+        s1 = s3;
+        s2 = x;
+        s3 = y;
+
+        /* Round 3: SP-box only */
+        GIMLI24_SP(s0, s4, s8);
+        GIMLI24_SP(s1, s5, s9);
+        GIMLI24_SP(s2, s6, s10);
+        GIMLI24_SP(s3, s7, s11);
+    }
+
+    /* Convert state to little-endian if the platform is not little-endian */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+    state[0]  = s0;
+    state[1]  = s1;
+    state[2]  = s2;
+    state[3]  = s3;
+    state[4]  = s4;
+    state[5]  = s5;
+    state[6]  = s6;
+    state[7]  = s7;
+    state[8]  = s8;
+    state[9]  = s9;
+    state[10] = s10;
+    state[11] = s11;
+#else
+    le_store_word32(((unsigned char *)(&(state[0]))),  s0);
+    le_store_word32(((unsigned char *)(&(state[1]))),  s1);
+    le_store_word32(((unsigned char *)(&(state[2]))),  s2);
+    le_store_word32(((unsigned char *)(&(state[3]))),  s3);
+    le_store_word32(((unsigned char *)(&(state[4]))),  s4);
+    le_store_word32(((unsigned char *)(&(state[5]))),  s5);
+    le_store_word32(((unsigned char *)(&(state[6]))),  s6);
+    le_store_word32(((unsigned char *)(&(state[7]))),  s7);
+    le_store_word32(((unsigned char *)(&(state[8]))),  s8);
+    le_store_word32(((unsigned char *)(&(state[9]))),  s9);
+    le_store_word32(((unsigned char *)(&(state[10]))), s10);
+    le_store_word32(((unsigned char *)(&(state[11]))), s11);
+#endif
+}
+
+#endif /* !__AVR__ */

gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-gimli24.h

+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LW_INTERNAL_GIMLI24_H
+#define LW_INTERNAL_GIMLI24_H
+
+#include "internal-util.h"
+
+/**
+ * \file internal-gimli24.h
+ * \brief Internal implementation of the GIMLI-24 permutation.
+ *
+ * References: https://gimli.cr.yp.to/
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Permutes the GIMLI-24 state.
+ *
+ * \param state The GIMLI-24 state to be permuted.
+ *
+ * The input and output \a state will be in little-endian byte order.
+ */
+void gimli24_permute(uint32_t state[12]);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif