libntl · victorshoup · Jun 20, 2021 · Aug 16, 2020 · Aug 16, 2020 · Jun 19, 2021
diff --git a/README b/README
@@ -1,5 +1,5 @@
-NTL  -- a library for doing numbery theory --  version 11.4.4
-Release date: 2021.03.05
+NTL  -- a library for doing numbery theory --  version 11.5.0
+Release date: 2021.06.20
 
 Author: Victor Shoup ([email protected])
 

diff --git a/doc/config.txt b/doc/config.txt
@@ -14,7 +14,8 @@ CXXFLAGS=-g -O2      # C++ complilation flags
 
 NATIVE=on            # compiles code targeted to current hardware
 
-TUNE=generic (or x86)# performance-tuning switch
+TUNE=generic         # performance-tuning switch  
+(or x86 or linux-s390x) 
 
 DEF_PREFIX=/usr/local# Default software directory
 
@@ -46,6 +47,8 @@ NTL_ENABLE_AVX_FFT=off # implement the small-prime FFT using AVX
 
 NTL_AVOID_AVX512=off # avoid using 512-bit AVX registers
 
+NTL_RANDOM_AES256CTR=off # implement pseudorandom generator using AES-256-CTR
+
 
 ########## Here are more detailed description of these variables.
 
@@ -72,15 +75,19 @@ NATIVE=on
 # their fullest potential.  Note that if CXXFLAGS contains an '-march=XXX'
 # option, then NATIVE will be turned off.
 
-TUNE=generic (or x86)
+TUNE=generic (or x86 or linux-s390x)
 
 # Switch to determine how various performance options get set
 #   auto        make runs a performance-tuning wizard 
 #   generic     should be OK for most platforms
 #   x86         should be well suited for most x86 platforms
+#   linux-s390x should be well suited for Linux on IBM Z platforms from z15 onward
 # More choices may be added in the future.
-# The default is 'x86' if the configuration script detects that it 
-# is running on an x86 machine; otherwise the default is 'generic'.
+# Right now, the default is
+# - x86, if configure detects that is is running on an x86 platform,
+# - linux-s390x, if configure detects that it is running on Linux on an IBM Z platform
+#   and the compiler is either gcc or clang, and
+# - generic, otherwise.
 
 
 ########## Installation path:
@@ -256,6 +263,22 @@ Even if available, this will avoid the use of 512-bit AVX registers.  This
 affects both Mat<zz_p> operations, as well as the AVX-based FFT (see above).
 
 
+########### Use AES-256-CTR based pseudorandom generator
+
+NTL_RANDOM_AES256CTR=off # implement pseudorandom generator using AES-256-CTR
+
+AES-256-CTR based pseudorandom generation may be faster than the
+default in case AES instruction set extensions are available on
+the processor and supported by the implementations.
+
+The implementation supports the following AES instruction set
+extensions if detected at build time:
+
+ x86         : AES-NI
+ linux-s390x : KMA
+
+Be aware of possible interoperability issues when changing
+the implementation of NTL's pseudorandom generator object.
 
 
 ########### Examples:

diff --git a/doc/tour-changes.html b/doc/tour-changes.html
@@ -16,6 +16,38 @@ <h1>
 </p>
 </h1>
 
+<p><hr><p>
+<h3>
+2021.06.20: Changes between NTL 11.4.4 and 11.5.0
+</h3>
+
+<ul>
+<li>
+Added a new configuration option <tt>NTL_RANDOM_AES256CTR</tt>.
+The default is <tt>off</tt>.
+Configure with <tt>NTL_RANDOM_AES256CTR=on</tt>
+to replace the default ChaCha20 Pseudo-Random Number Generator (PRNG)
+with 256-bit AES counter mode.
+On certain plaforms (modern <tt>x86</tt> and IBM System/390x),
+special instructions are exploited to improve performance.
+<p>
+Using AES in place of ChaCha may break inter-operability of 
+applications that depend on the behavior of the PRNG.
+<p>
+Using AES in place of ChaCha may affect the performance positively
+or negatively.
+On IBM System/390x, there is a marked performance improvement.
+On <tt>x86</tt> there may be a moderate performance improvement
+or degredation.
+On any other platforms, where there is no hardware support
+for AES (or none that is exploited by NTL),  there will likely be a marked performance
+degredation.
+
+<p>
+Thanks to Patrick Steuer for contributing this code.
+</ul>
+
+
 <p><hr><p>
 <h3>
 2021.03.05: Changes between NTL 11.4.3 and 11.4.4

diff --git a/doc/tour-unix.html b/doc/tour-unix.html
@@ -230,7 +230,8 @@ <h2>
 CXXFLAGS=-g -O2      # C++ complilation flags
 
 NATIVE=on            # Compiles code targeted to the current hardware (see below)
-TUNE=generic (or x86)# Performance-tuning switch (see below)
+TUNE=generic         # performance-tuning switch (see below)
+(or x86 or linux-s390x)
 
 DEF_PREFIX=/usr/local# Default software directory
 
@@ -409,11 +410,22 @@ <h2>
 <ul>
 <li> <tt>generic</tt>: chooses options that should be OK for most platforms
 <li> <tt>x86</tt>: chooses options that should be well suited for most x86 platforms
+<li> <tt>linux-s390x</tt>: chooses options that should be well suited for Linux on IBM Z platforms from z15 onward.
 </ul>
 More choices may be added in the future.
-Right now, the default is <tt>x86</tt> if the <tt>configure</tt>
-detects that is is running on an x86 platform,
-and <tt>generic</tt> otherwise.
+Right now, the default is 
+<ul>
+<li>
+<tt>x86</tt>, if <tt>configure</tt>
+detects that is is running on an x86 platform, 
+<li>
+<tt>linux-s390x</tt>, if 
+<tt>configure</tt> detects that it is running on Linux on an IBM Z platform
+and the compiler is either gcc or clang, and 
+<li>
+<tt>generic</tt>,
+otherwise.
+</ul>
 
 
 

diff --git a/include/NTL/ALL_FEATURES.h b/include/NTL/ALL_FEATURES.h
@@ -13,4 +13,6 @@
 #include <NTL/HAVE_CHRONO_TIME.h>
 #include <NTL/HAVE_MACOS_TIME.h>
 #include <NTL/HAVE_POSIX_TIME.h>
+#include <NTL/HAVE_AES_NI.h>
+#include <NTL/HAVE_KMA.h>
 
diff --git a/include/NTL/REPORT_ALL_FEATURES.h b/include/NTL/REPORT_ALL_FEATURES.h
@@ -55,3 +55,11 @@
    std::cerr << "NTL_HAVE_POSIX_TIME\n";
 #endif
 
+#ifdef NTL_HAVE_AES_NI
+   std::cerr << "NTL_HAVE_AES_NI\n";
+#endif
+
+#ifdef NTL_HAVE_KMA
+   std::cerr << "NTL_HAVE_KMA\n";
+#endif
+
diff --git a/include/NTL/linux_s390x.h b/include/NTL/linux_s390x.h
@@ -0,0 +1,67 @@
+#ifndef LINUX_S390X_H
+#define LINUX_S390X_H
+
+#if defined(__s390x__) && defined(__linux__) \
+    && (defined(__GNUC__) || defined(__clang__))
+
+#define LINUX_S390X
+
+#include <sys/auxv.h>
+
+/* message-security-assist extension 8 */
+#define MSA8                     146
+/* Map a facility bit number or function code to its bit mask. */
+#define MASK64(n)                  \
+           (1ULL << (63 - (n) % 64))
+/* Map a facility bit number or function code to its offset. */
+#define OFF64(n)            (n / 64)
+
+/* Function codes */
+#define CPACF_KMA_QUERY            0
+#define CPACF_KMA_GCM_AES_256     20
+
+/* Function code flags */
+#define CPACF_KMA_LAAD         0x200  /* Last-AAD */
+#define CPACF_KMA_HS           0x400  /* Hash-subkey Supplied */
+
+static inline unsigned long
+stfle(unsigned long flist[], unsigned long nmemb)
+{
+   register unsigned long r0 __asm__("0") = (unsigned long)nmemb - 1;
+
+   __asm__ volatile(
+      ".insn s,%[opc]<<16,0(%[flist])"
+      : "+d" (r0)
+      : [flist] "a" (flist), [opc] "i" (0xb2b0)
+      : "memory", "cc"
+   );
+
+   return r0 + 1;
+}
+
+/*  KMA (cipher message with authentication) */
+static inline void
+cpacf_kma(unsigned long fc, void *param, unsigned char *out, const unsigned char *aad,
+    unsigned long aadlen, const unsigned char *in, unsigned long inlen)
+{
+   register unsigned long r0 __asm__("0") = (unsigned long)fc;
+   register unsigned long r1 __asm__("1") = (unsigned long)param;
+   register unsigned long r2 __asm__("2") = (unsigned long)in;
+   register unsigned long r3 __asm__("3") = (unsigned long)inlen;
+   register unsigned long r4 __asm__("4") = (unsigned long)aad;
+   register unsigned long r5 __asm__("5") = (unsigned long)aadlen;
+   register unsigned long r6 __asm__("6") = (unsigned long)out;
+
+   __asm__ volatile(
+      "0:     .insn   rrf,%[opc]<<16,%[out],%[in],%[aad],0\n"
+      "       brc     1,0b\n"     /* partial completion */
+      : [out] "+a" (r6),
+        [in] "+a" (r2), [inlen] "+d" (r3),
+        [aad] "+a" (r4), [aadlen] "+d" (r5)
+      : [fc] "d" (r0), [param] "a" (r1), [opc] "i" (0xb929)
+      : "cc", "memory"
+   );
+}
+
+#endif
+#endif
diff --git a/include/NTL/version.h b/include/NTL/version.h
@@ -2,11 +2,11 @@
 #ifndef NTL_version__H
 #define NTL_version__H
 
-#define NTL_VERSION "11.4.4"
+#define NTL_VERSION "11.5.0"
 
 #define NTL_MAJOR_VERSION  (11)
-#define NTL_MINOR_VERSION  (4)
-#define NTL_REVISION       (4)
+#define NTL_MINOR_VERSION  (5)
+#define NTL_REVISION       (0)
 
 #endif
 
diff --git a/src/CheckAES_NI.cpp b/src/CheckAES_NI.cpp
@@ -0,0 +1,25 @@
+#include <NTL/ctools.h>
+
+#include <cstdlib>
+#include <iostream>
+
+#include <wmmintrin.h>
+#include <emmintrin.h>
+#include <tmmintrin.h>
+
+using namespace std;
+
+#if (NTL_BITS_PER_LONG != 64)
+#error "NTL_BITS_PER_LONG != 64"
+#endif
+
+int main()
+{
+  __m128i a=_mm_cvtsi64x_si128(atol("17"));
+  __m128i key=_mm_cvtsi64x_si128(atol("42"));
+  a = _mm_aesenclast_si128(a, key);
+  long x = _mm_cvtsi128_si64x(a);
+  if (x != atol("7161677110969590696")) return -1;
+
+  return 0;
+}
diff --git a/src/CheckKMA.cpp b/src/CheckKMA.cpp
@@ -0,0 +1,40 @@
+#include <NTL/ctools.h>
+
+#include <cstdlib>
+#include <iostream>
+
+#include "linux_s390x.h"
+
+using namespace std;
+
+#if !defined(LINUX_S390X)
+#error "KMA not supported"
+#endif
+
+int main()
+{
+#if defined(AT_HWCAP) && defined(HWCAP_S390_STFLE)
+   unsigned long hwcap, facility_list_nmemb;
+   uint64_t status_word[2], facility_list[3];
+
+   /* Check for STFLE. */
+   hwcap = getauxval(AT_HWCAP);
+   if (!(hwcap & HWCAP_S390_STFLE))
+      return -1;
+
+   /* Query facility list. */
+   facility_list_nmemb = stfle(facility_list, 3);
+
+   /* Check MSA8. */
+   if (facility_list_nmemb >= OFF64(MSA8) + 1
+       && (facility_list[OFF64(MSA8)] & MASK64(MSA8))) {
+         cpacf_kma(CPACF_KMA_QUERY, &status_word, NULL, NULL, 0, NULL, 0);
+
+         if (status_word[OFF64(CPACF_KMA_GCM_AES_256)]
+             & MASK64(CPACF_KMA_GCM_AES_256)) {
+            return 0;
+         }
+   }
+#endif
+   return -1;
+}
diff --git a/src/DIRNAME b/src/DIRNAME
@@ -1 +1 @@
-ntl-11.4.4
+ntl-11.5.0
diff --git a/src/DispSettings.cpp b/src/DispSettings.cpp
@@ -188,6 +188,11 @@ cout << "Performance Options:\n";
 #endif
 
 
+#ifdef NTL_RANDOM_AES256CTR
+   cout << "NTL_RANDOM_AES256CTR\n";
+#endif
+
+
    cout << "***************************/\n";
    cout << "\n\n";