pq-code-package
diff --git a/‎dev/aarch64_clean/src/polyw1_pack_32_asm.S‎
Lines changed: 87 additions & 0 deletions b/‎dev/aarch64_clean/src/polyw1_pack_32_asm.S‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎dev/aarch64_clean/src/polyw1_pack_88_asm.S‎
Lines changed: 131 additions & 0 deletions b/‎dev/aarch64_clean/src/polyw1_pack_88_asm.S‎
Lines changed: 131 additions & 0 deletions
diff --git a/‎dev/aarch64_opt/src/polyw1_pack_32_asm.S‎
Lines changed: 87 additions & 0 deletions b/‎dev/aarch64_opt/src/polyw1_pack_32_asm.S‎
Lines changed: 87 additions & 0 deletions
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#include "../../../common.h"
+#if defined(MLD_ARITH_BACKEND_AARCH64) && !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED) && \
+           (defined(MLD_CONFIG_MULTILEVEL_WITH_SHARED) || \
+            MLD_CONFIG_PARAMETER_SET == 65 || MLD_CONFIG_PARAMETER_SET == 87)
+/* simpasm: header-end */
+
+/*
+ * polyw1_pack_32: Pack w1 polynomial for GAMMA2 = (Q-1)/32.
+ *
+ * Each coefficient is in [0, 15] (4 bits) stored in a 32-bit word.
+ * Pack 2 coefficients per byte: r[i] = a[2i] | (a[2i+1] << 4)
+ * 256 coefficients -> 128 output bytes.
+ *
+ * Process 32 coefficients per iteration (8 iterations):
+ *   Use TBL to extract the low byte from each 32-bit lane,
+ *   then UZP to separate even/odd and pack with shift + OR.
+ */
+
+        output          .req x0
+        input           .req x1
+        count           .req x2
+        tmp             .req x3
+
+        vidx            .req v20
+
+.text
+.global MLD_ASM_NAMESPACE(polyw1_pack_32_asm)
+.balign 4
+MLD_ASM_FN_SYMBOL(polyw1_pack_32_asm)
+
+        /* Set up TBL index to extract byte 0 from each 32-bit lane.
+         * For 4 consecutive Q-registers (64 bytes), the low byte of each
+         * 32-bit lane is at positions 0,4,8,12, 16,20,24,28, ... */
+        movz tmp, #0x0400
+        movk tmp, #0x0C08, lsl 16
+        movk tmp, #0x1410, lsl 32
+        movk tmp, #0x1C18, lsl 48
+        mov vidx.d[0], tmp
+        movz tmp, #0x2420
+        movk tmp, #0x2C28, lsl 16
+        movk tmp, #0x3430, lsl 32
+        movk tmp, #0x3C38, lsl 48
+        mov vidx.d[1], tmp
+
+        mov count, #(256 / 32)
+
+polyw1_pack_32_loop:
+        /* Load coefficients 0..15 and extract low bytes */
+        ldp q0, q1, [input, #0*16]
+        ldp q2, q3, [input, #2*16]
+        tbl v16.16b, {v0.16b-v3.16b}, vidx.16b
+
+        /* Load coefficients 16..31 and extract low bytes */
+        ldp q0, q1, [input, #4*16]
+        ldp q2, q3, [input, #6*16]
+        add input, input, #8*16
+        tbl v17.16b, {v0.16b-v3.16b}, vidx.16b
+
+        /* Deinterleave: even = a[0],a[2],...; odd = a[1],a[3],... */
+        uzp1 v0.16b, v16.16b, v17.16b
+        uzp2 v1.16b, v16.16b, v17.16b
+
+        /* Pack: even | (odd << 4) */
+        shl v1.16b, v1.16b, #4
+        orr v0.16b, v0.16b, v1.16b
+
+        str q0, [output], #16
+
+        subs count, count, #1
+        bne polyw1_pack_32_loop
+
+        ret
+
+        .unreq output
+        .unreq input
+        .unreq count
+        .unreq tmp
+        .unreq vidx
+/* simpasm: footer-start */
+#endif /* MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED && \
+          (MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLD_CONFIG_PARAMETER_SET == 65 \
+          || MLD_CONFIG_PARAMETER_SET == 87) */
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#include "../../../common.h"
+#if defined(MLD_ARITH_BACKEND_AARCH64) && !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED) && \
+           (defined(MLD_CONFIG_MULTILEVEL_WITH_SHARED) || MLD_CONFIG_PARAMETER_SET == 44)
+/* simpasm: header-end */
+
+/*
+ * polyw1_pack_88: Pack w1 polynomial for GAMMA2 = (Q-1)/88.
+ *
+ * Each coefficient is in [0, 43] (6 bits) stored in a 32-bit word.
+ * Pack 4 coefficients into 3 bytes:
+ *   r[3i+0] =  a[4i+0]       | (a[4i+1] << 6)
+ *   r[3i+1] = (a[4i+1] >> 2) | (a[4i+2] << 4)
+ *   r[3i+2] = (a[4i+2] >> 4) | (a[4i+3] << 2)
+ * 256 coefficients -> 192 output bytes.
+ *
+ * Process 16 coefficients per iteration (16 iterations):
+ *   Use two TBL operations to extract and rearrange coefficient bytes
+ *   from the 32-bit input lanes directly into the output layout,
+ *   then variable-shift and OR to produce packed output.
+ *
+ * Each output byte is the OR of a "left" and "right" component:
+ *   Byte position in triplet:  0         1           2
+ *   Left component:            a[4i+0]   a[4i+1]>>2  a[4i+2]>>4
+ *   Right component:           a[4i+1]<<6 a[4i+2]<<4  a[4i+3]<<2
+ *
+ * left_idx selects the left coefficient from the 4 input Q-registers.
+ * right_idx = left_idx + 4 (next coefficient in the 32-bit word layout).
+ * left_shifts = {0, -2, -4, 0, -2, -4, ...} (signed for USHL)
+ * right_shifts = left_shifts + 6
+ */
+
+        output          .req x0
+        input           .req x1
+        count           .req x2
+        tmp             .req x3
+
+        left_idx        .req v20
+        right_idx       .req v21
+        left_shifts     .req v22
+        right_shifts    .req v23
+
+.text
+.global MLD_ASM_NAMESPACE(polyw1_pack_88_asm)
+.balign 4
+MLD_ASM_FN_SYMBOL(polyw1_pack_88_asm)
+
+        /* Set up left_idx: for each output byte, which source byte to read.
+         * Input layout: 4 Q-regs = 64 bytes; coeff k is at byte 4*k in
+         * the concatenated table {v0-v3}.
+         *
+         * Output triplet i (out[3i+0..2]):
+         *   left reads  a[4i+0], a[4i+1], a[4i+2]  -> table indices 16i+0, 16i+4, 16i+8
+         *   right reads a[4i+1], a[4i+2], a[4i+3]  -> table indices 16i+4, 16i+8, 16i+12
+         *
+         * left_idx  = {0,4,8, 16,20,24, 32,36,40, 48,52,56, 0x80,0x80,0x80,0x80} */
+        movz tmp, #0x0400
+        movk tmp, #0x1008, lsl 16
+        movk tmp, #0x1814, lsl 32
+        movk tmp, #0x2420, lsl 48
+        mov left_idx.d[0], tmp
+        movz tmp, #0x3028
+        movk tmp, #0x3834, lsl 16
+        movk tmp, #0x8080, lsl 32
+        movk tmp, #0x8080, lsl 48
+        mov left_idx.d[1], tmp
+
+        /* right_idx = left_idx + 4 (selects the next coefficient).
+         * Padding bytes become 0x84 which is >= 64, so TBL returns 0. */
+        movi v24.16b, #4
+        add right_idx.16b, left_idx.16b, v24.16b
+
+        /* Set up left_shifts: {0, -2, -4, 0, -2, -4, ...} (repeating per triplet).
+         * USHL interprets each byte as signed: negative = right shift. */
+        movz tmp, #0xFE00
+        movk tmp, #0x00FC, lsl 16
+        movk tmp, #0xFCFE, lsl 32
+        movk tmp, #0xFE00, lsl 48
+        mov left_shifts.d[0], tmp
+        movz tmp, #0x00FC
+        movk tmp, #0xFCFE, lsl 16
+        mov left_shifts.d[1], tmp
+
+        /* right_shifts = left_shifts + 6 */
+        movi v24.16b, #6
+        add right_shifts.16b, left_shifts.16b, v24.16b
+
+        mov count, #(256 / 16)
+
+polyw1_pack_88_loop:
+        /* Load 16 int32 coefficients */
+        ldp q0, q1, [input, #0*16]
+        ldp q2, q3, [input, #2*16]
+        add input, input, #4*16
+
+        /* Extract and rearrange: left and right components */
+        tbl v4.16b, {v0.16b-v3.16b}, left_idx.16b
+        tbl v5.16b, {v0.16b-v3.16b}, right_idx.16b
+
+        /* Apply variable shifts */
+        ushl v4.16b, v4.16b, left_shifts.16b
+        ushl v5.16b, v5.16b, right_shifts.16b
+
+        /* Combine */
+        orr v4.16b, v4.16b, v5.16b
+
+        /* Store 12 bytes: 8 + 4 */
+        str d4, [output], #8
+        st1 {v4.s}[2], [output], #4
+
+        subs count, count, #1
+        bne polyw1_pack_88_loop
+
+        ret
+
+        .unreq output
+        .unreq input
+        .unreq count
+        .unreq tmp
+        .unreq left_idx
+        .unreq right_idx
+        .unreq left_shifts
+        .unreq right_shifts
+/* simpasm: footer-start */
+#endif /* MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED && \
+          (MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLD_CONFIG_PARAMETER_SET == 44) \
+        */
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#include "../../../common.h"
+#if defined(MLD_ARITH_BACKEND_AARCH64) && !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED) && \
+           (defined(MLD_CONFIG_MULTILEVEL_WITH_SHARED) || \
+            MLD_CONFIG_PARAMETER_SET == 65 || MLD_CONFIG_PARAMETER_SET == 87)
+/* simpasm: header-end */
+
+/*
+ * polyw1_pack_32: Pack w1 polynomial for GAMMA2 = (Q-1)/32.
+ *
+ * Each coefficient is in [0, 15] (4 bits) stored in a 32-bit word.
+ * Pack 2 coefficients per byte: r[i] = a[2i] | (a[2i+1] << 4)
+ * 256 coefficients -> 128 output bytes.
+ *
+ * Process 32 coefficients per iteration (8 iterations):
+ *   Use TBL to extract the low byte from each 32-bit lane,
+ *   then UZP to separate even/odd and pack with shift + OR.
+ */
+
+        output          .req x0
+        input           .req x1
+        count           .req x2
+        tmp             .req x3
+
+        vidx            .req v20
+
+.text
+.global MLD_ASM_NAMESPACE(polyw1_pack_32_asm)
+.balign 4
+MLD_ASM_FN_SYMBOL(polyw1_pack_32_asm)
+
+        /* Set up TBL index to extract byte 0 from each 32-bit lane.
+         * For 4 consecutive Q-registers (64 bytes), the low byte of each
+         * 32-bit lane is at positions 0,4,8,12, 16,20,24,28, ... */
+        movz tmp, #0x0400
+        movk tmp, #0x0C08, lsl 16
+        movk tmp, #0x1410, lsl 32
+        movk tmp, #0x1C18, lsl 48
+        mov vidx.d[0], tmp
+        movz tmp, #0x2420
+        movk tmp, #0x2C28, lsl 16
+        movk tmp, #0x3430, lsl 32
+        movk tmp, #0x3C38, lsl 48
+        mov vidx.d[1], tmp
+
+        mov count, #(256 / 32)
+
+polyw1_pack_32_loop:
+        /* Load coefficients 0..15 and extract low bytes */
+        ldp q0, q1, [input, #0*16]
+        ldp q2, q3, [input, #2*16]
+        tbl v16.16b, {v0.16b-v3.16b}, vidx.16b
+
+        /* Load coefficients 16..31 and extract low bytes */
+        ldp q0, q1, [input, #4*16]
+        ldp q2, q3, [input, #6*16]
+        add input, input, #8*16
+        tbl v17.16b, {v0.16b-v3.16b}, vidx.16b
+
+        /* Deinterleave: even = a[0],a[2],...; odd = a[1],a[3],... */
+        uzp1 v0.16b, v16.16b, v17.16b
+        uzp2 v1.16b, v16.16b, v17.16b
+
+        /* Pack: even | (odd << 4) */
+        shl v1.16b, v1.16b, #4
+        orr v0.16b, v0.16b, v1.16b
+
+        str q0, [output], #16
+
+        subs count, count, #1
+        bne polyw1_pack_32_loop
+
+        ret
+
+        .unreq output
+        .unreq input
+        .unreq count
+        .unreq tmp
+        .unreq vidx
+/* simpasm: footer-start */
+#endif /* MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED && \
+          (MLD_CONFIG_MULTILEVEL_WITH_SHARED || MLD_CONFIG_PARAMETER_SET == 65 \
+          || MLD_CONFIG_PARAMETER_SET == 87) */