diff --git a/cmd/cloudflared/tunnel/cmd.go b/cmd/cloudflared/tunnel/cmd.go
index aeb80747..f3f8d92c 100644
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@@ -262,7 +262,11 @@ func StartServer(
 wg.Add(1)
 go func() {
 defer wg.Done()
- errC <- runDNSProxyServer(c, dnsReadySignal, shutdownC, generalLogger)
+ if c.IsSet("proxy-dns-odoh") {
+ errC <- runDNSProxyServer(c, dnsReadySignal, shutdownC, generalLogger, true)
+ } else {
+ errC <- runDNSProxyServer(c, dnsReadySignal, shutdownC, generalLogger, false)
+ }
 }()
 } else {
 close(dnsReadySignal)
@@ -1015,6 +1019,30 @@ func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
 EnvVars: []string{"TUNNEL_DNS_BOOTSTRAP"},
 Hidden: shouldHide,
 }),
+ altsrc.NewBoolFlag(&cli.BoolFlag{
+ Name: "proxy-dns-odoh",
+ Usage: "Runs an Oblivious DNS over HTTPS client.",
+ EnvVars: []string{"TUNNEL_DNS_ODOH"},
+ Hidden: shouldHide,
+ }),
+ altsrc.NewStringFlag(&cli.StringFlag{
+ Name: "proxy-dns-odoh-target",
+ Usage: "ODoH target URL",
+ Value: "https://1.1.1.1/dns-query",
+ EnvVars: []string{"TUNNEL_DNS_ODOH_TARGET"},
+ }),
+ altsrc.NewStringFlag(&cli.StringFlag{
+ Name: "proxy-dns-odoh-proxy",
+ Usage: "ODoH proxy URL",
+ Value: "https://odoh1.surfdomeinen.nl/proxy",
+ EnvVars: []string{"TUNNEL_DNS_ODOH_PROXY"},
+ }),
+ altsrc.NewBoolFlag(&cli.BoolFlag{
+ Name: "proxy-dns-odoh-useproxy",
+ Usage: "Set flag to enable proxy usage",
+ Value: false,
+ EnvVars: []string{"TUNNEL_DNS_ODOH_USE_PROXY"},
+ }),
 }
 }
diff --git a/cmd/cloudflared/tunnel/server.go b/cmd/cloudflared/tunnel/server.go
index 832f5a97..0885759b 100644
--- a/cmd/cloudflared/tunnel/server.go
+++ b/cmd/cloudflared/tunnel/server.go
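Review bot: In the goroutine inside StartServer (cmd/cloudflared/tunnel/cmd.go), `c.IsSet("proxy-dns-odoh")` tests whether the flag was supplied, not whether it is true, so an explicit `--proxy-dns-odoh=false` or `TUNNEL_DNS_ODOH=false` would still select the ODoH listener. Passing the value fixes that and removes the duplicated branch: `errC <- runDNSProxyServer(c, dnsReadySignal, shutdownC, generalLogger, c.Bool("proxy-dns-odoh"))`. Whether a value that comes only from the altsrc config file counts as set is not visible in this diff and is worth confirming. StartServer begins and ends outside the hunk.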
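Review bot: In configureProxyDNSFlags, `proxy-dns-odoh-useproxy` defaults to `false`, so turning on `proxy-dns-odoh` alone presumably sends queries directly to the target, which can then pair each query with the client address; that is the linkage ODoH exists to remove. How the flag is consumed is inside `CreateObliviousDNSListener`, which this diff does not show, so this should be confirmed; if it holds, the help text should at least say so, e.g. `Usage: "Relay ODoH queries through proxy-dns-odoh-proxy; when unset the target sees the client address",`. The default for `proxy-dns-odoh-proxy` is a third-party host, which is a trust decision the operator should make explicitly rather than inherit. The three flags after `proxy-dns-odoh` also omit `Hidden: shouldHide,`, which the neighbouring proxy-dns flags set.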
@@ -9,22 +9,56 @@ import (
 "github.com/pkg/errors"
 )
-func runDNSProxyServer(c *cli.Context, dnsReadySignal, shutdownC chan struct{}, logger logger.Service) error {
+func runDNSProxyServer(c *cli.Context, dnsReadySignal, shutdownC chan struct{}, logger logger.Service, odoh bool) error {
 port := c.Int("proxy-dns-port")
 if port <= 0 || port > 65535 {
 return errors.New("The 'proxy-dns-port' must be a valid port number in <1, 65535> range.")
 }
- listener, err := tunneldns.CreateListener(c.String("proxy-dns-address"), uint16(port), c.StringSlice("proxy-dns-upstream"), c.StringSlice("proxy-dns-bootstrap"), logger)
+ var listener *tunneldns.Listener
+ var err error
+ if odoh {
+ listener, err = tunneldns.CreateObliviousDNSListener(
+ c.String("proxy-dns-address"),
+ uint16(port),
+ c.String("proxy-dns-odoh-target"),
+ c.String("proxy-dns-odoh-proxy"),
+ c.Bool("proxy-dns-odoh-useproxy"),
+ logger,
+ )
+ } else {
+ listener, err = tunneldns.CreateListener(
+ c.String("proxy-dns-address"),
+ uint16(port),
+ c.StringSlice("proxy-dns-upstream"),
+ c.StringSlice("proxy-dns-bootstrap"),
+ logger,
+ )
+ }
+
+ // Update odohconfig
+ go listener.UpdateOdohConfig()
+
 if err != nil {
 close(dnsReadySignal)
 listener.Stop()
- return errors.Wrap(err, "Cannot create the DNS over HTTPS proxy server")
+ if odoh {
+ return errors.Wrap(err, "Cannot create the Oblivious DNS over HTTPS proxy server")
+ } else {
+ return errors.Wrap(err, "Cannot create the DNS over HTTPS proxy server")
+ }
 }
 err = listener.Start(dnsReadySignal)
- if err != nil {
- return errors.Wrap(err, "Cannot start the DNS over HTTPS proxy server")
+ if odoh {
+ if err != nil {
+ return errors.Wrap(err, "Cannot start the Oblivious DNS over HTTPS proxy server")
+ }
+ } else {
+ if err != nil {
+ return errors.Wrap(err, "Cannot start the DNS over HTTPS proxy server")
+ }
 }
+
 <-shutdownC
 listener.Stop()
 return nil
diff --git a/go.mod b/go.mod
index 9a1b780f..2b8ec901 100644
--- a/go.mod
+++ b/go.mod
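Review bot: In runDNSProxyServer, `go listener.UpdateOdohConfig()` is started before the `if err != nil` check and regardless of `odoh`, so a constructor that fails and returns a nil listener would be dereferenced inside a goroutine, where the panic takes down the whole process, and the plain DoH path also runs the ODoH config updater. Moving the call below the error check and guarding it covers both: `if odoh { go listener.UpdateOdohConfig() }`. The goroutine has no visible tie to `shutdownC`; its body is outside this diff, so confirm it returns once `listener.Stop()` is called and that a failed config refresh does not leave the client using a stale target key without any log line. The two `odoh` branches after `listener.Start` test the same `err` and could be a single `if err != nil` that picks the message from `odoh`. The function's closing brace is outside the hunk.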
@@ -11,11 +11,11 @@ require (
 github.com/certifi/gocertifi v0.0.0-20200211180108-c7c1fbc02894 // indirect
 github.com/cloudflare/brotli-go v0.0.0-20191101163834-d34379f7ff93
 github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc
+ github.com/cloudflare/odoh-go v0.1.3
 github.com/coredns/coredns v1.7.0
 github.com/coreos/go-oidc v0.0.0-20171002155002-a93f71fdfe73
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 github.com/denisenkom/go-mssqldb v0.0.0-20191001013358-cfbb681360f0
- github.com/equinox-io/equinox v1.2.0 // indirect
 github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51 // indirect
 github.com/facebookgo/freeport v0.0.0-20150612182905-d4adf43b75b9 // indirect
 github.com/facebookgo/grace v0.0.0-20180706040059-75cf19382434
@@ -42,7 +42,7 @@ require (
 github.com/kylelemons/godebug v1.1.0 // indirect
 github.com/lib/pq v1.2.0
 github.com/mattn/go-sqlite3 v1.11.0
- github.com/miekg/dns v1.1.31
+ github.com/miekg/dns v1.1.32
 github.com/mitchellh/go-homedir v1.1.0
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 github.com/opentracing/opentracing-go v1.2.0 // indirect
@@ -51,9 +51,8 @@ require (
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 github.com/prometheus/client_golang v1.7.1
 github.com/prometheus/common v0.13.0 // indirect
- github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5 // indirect
 github.com/rivo/tview v0.0.0-20200712113419-c65badfc3d92
- github.com/stretchr/testify v1.6.0
+ github.com/stretchr/testify v1.6.1
 github.com/urfave/cli/v2 v2.2.0
 github.com/xo/dburl v0.0.0-20191005012637-293c3298d6c0
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a
diff --git a/go.sum b/go.sum
index cd99d28e..51ccd7af 100644
--- a/go.sum
+++ b/go.sum
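Review bot: The new `github.com/cloudflare/odoh-go v0.1.3` requirement in the first go.mod hunk puts additional cryptographic code on the DNS path, and the go.sum changes in this commit add `github.com/cisco/go-hpke` at an untagged pseudo-version and `git.schwanenlied.me/yawning/x448.git` from a self-hosted git server, which look like its transitive dependencies. Those are worth listing in the commit description so the dependency review has something to check against. The dropped `equinox-io/equinox` and `rifflock/lfshook` indirect entries and the `testify` bump in the other two hunks look like unrelated tidy output; keeping them in a separate commit would make the ODoH dependency change easier to audit.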
@@ -12,6 +12,7 @@ cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bP cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0 h1:Dg9iHVQfrhq82rUNu9ZxUDrJLaxFUe/HlCVaLyRruq8= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= 
@@ -32,38 +33,50 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRqYosuDstRB9un7SOx2k/9ckA= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +git.schwanenlied.me/yawning/x448.git v0.0.0-20170617130356-01b048fb03d6 h1:w8IZgCntCe0RuBJp+dENSMwEBl/k8saTgJ5hPca5IWw= +git.schwanenlied.me/yawning/x448.git v0.0.0-20170617130356-01b048fb03d6/go.mod h1:wQaGCqEu44ykB17jZHCevrgSVl3KJnwQBObUtrKU4uU= github.com/Azure/azure-sdk-for-go v32.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v40.6.0+incompatible h1:ULjp/a/UsBfnZcl45jjywhcBKex/k/A1cG9s9NapLFw= github.com/Azure/azure-sdk-for-go v40.6.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/go-autorest/autorest v0.1.0/go.mod h1:AKyIcETwSUFxIcs/Wnq/C+kwCtlEYGUVd7FPNb2slmg= github.com/Azure/go-autorest/autorest v0.5.0/go.mod h1:9HLKlQjVBH6U3oDfsXOeVc56THsLPw1L03yban4xThw= github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= +github.com/Azure/go-autorest/autorest v0.10.2 h1:NuSF3gXetiHyUbVdneJMEVyPUYAe5wh+aN08JYAf1tI= github.com/Azure/go-autorest/autorest v0.10.2/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= github.com/Azure/go-autorest/autorest/adal v0.1.0/go.mod h1:MeS4XhScH55IST095THyTxElntu7WqB7pNbZo8Q5G3E= github.com/Azure/go-autorest/autorest/adal v0.2.0/go.mod h1:MeS4XhScH55IST095THyTxElntu7WqB7pNbZo8Q5G3E= github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod 
h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.8.2 h1:O1X4oexUxnZCaEUGsvMnr8ZGj8HI37tNezwY4npRqA0= github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= github.com/Azure/go-autorest/autorest/azure/auth v0.1.0/go.mod h1:Gf7/i2FUpyb/sGBLIFxTBzrNzBo7aPXXE3ZVeDRwdpM= +github.com/Azure/go-autorest/autorest/azure/auth v0.4.2 h1:iM6UAvjR97ZIeR93qTcwpKNMpV+/FTWjwEbuPD495Tk= github.com/Azure/go-autorest/autorest/azure/auth v0.4.2/go.mod h1:90gmfKdlmKgfjUpnCEpOJzsUEjrWDSLwHIG73tSXddM= github.com/Azure/go-autorest/autorest/azure/cli v0.1.0/go.mod h1:Dk8CUAt/b/PzkfeRsWzVG9Yj3ps8mS8ECztu43rdU8U= +github.com/Azure/go-autorest/autorest/azure/cli v0.3.1 h1:LXl088ZQlP0SBppGFsRZonW6hSvwgL5gRByMbvUbx8U= github.com/Azure/go-autorest/autorest/azure/cli v0.3.1/go.mod h1:ZG5p860J94/0kI9mNJVoIoLgXcirM2gF5i2kWloofxw= github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/date v0.2.0 h1:yW+Zlqf26583pE43KhfnhFcdmSWlm5Ew6bxipnr/tbM= github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/to v0.2.0 h1:nQOZzFCudTh+TvquAtCRjM01VEYx85e9qbwt5ncW4L8= github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= +github.com/Azure/go-autorest/logger v0.1.0 
h1:ruG4BSDXONFRrZZJ2GUXDiUyVpayPmb1GnWeHDdaNKY= github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= github.com/Azure/go-autorest/tracing v0.1.0/go.mod h1:ROEEAFwXycQw7Sn3DXNtEedEvdeRAgDr0izn4z5Ij88= +github.com/Azure/go-autorest/tracing v0.5.0 h1:TRn4WjSnkcSy5AEG3pnbtFSwNtwzjr4VYyQflFE619k= github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DATA-DOG/go-sqlmock v1.3.3 h1:CWUqKXe0s8A2z6qCgkP4Kru7wC11YoAnoupUKFDnH08= github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= +github.com/DataDog/datadog-go v3.5.0+incompatible h1:AShr9cqkF+taHjyQgcBcQUt/ZNK+iPq4ROaZwSX5c/U= github.com/DataDog/datadog-go v3.5.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/DataDog/zstd v1.3.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= 
@@ -109,12 +122,15 @@ github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+Ce github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/bkaradzic/go-lz4 v1.0.0 h1:RXc4wYsyz985CkXXeX04y4VnZFGG8Rd43pRaHsOXAKk= github.com/bkaradzic/go-lz4 v1.0.0/go.mod h1:0YdlkowM3VswSROI7qDxhRvJ3sLhlFrRRwjwegp5jy4= github.com/caddyserver/caddy v1.0.5 h1:5B1Hs0UF2x2tggr2X9jL2qOZtDXbIWQb9YLbmlxHSuM= github.com/caddyserver/caddy v1.0.5/go.mod h1:AnFHB+/MrgRC+mJAvuAgQ38ePzw+wKeW0wzENpdQQKY= github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ= +github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= +github.com/cenkalti/backoff/v4 v4.0.2 h1:JIufpQLbh4DkbQoii76ItQIUFzevQSqOLZca4eamEDs= github.com/cenkalti/backoff/v4 v4.0.2/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg= github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
@@ -126,15 +142,23 @@ github.com/cheekybits/genny v1.0.0/go.mod h1:+tQajlRqAUrPI7DOSpB0XAqZYtQakVtB7wX github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/cisco/go-hpke v0.0.0-20201023221920-2866d2aa0603 h1:dszdCFyug261XPbbU9YQA+8CnpPJm1svHDeCHd8vhRI= +github.com/cisco/go-hpke v0.0.0-20201023221920-2866d2aa0603/go.mod h1:AyK7f6CWiLAvOFmAyCEF5xDN51zS6PIZgj3Qq7hla1Y= +github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b h1:Ves2turKTX7zruivAcUOQg155xggcbv3suVdbKCBQNM= +github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b/go.mod h1:0AZAV7lYvynZQ5ErHlGMKH+4QYMyNCFd+AiL9MlrCYA= github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cloudflare/brotli-go v0.0.0-20191101163834-d34379f7ff93 h1:QrGfkZDnMxcWHaYDdB7CmqS9i26OAnUj/xcus/abYkY= github.com/cloudflare/brotli-go v0.0.0-20191101163834-d34379f7ff93/go.mod h1:QiTe66jFdP7cUKMCCf/WrvDyYdtdmdZfVcdoLbzaKVY= +github.com/cloudflare/circl v1.0.0 h1:64b6pyfCFbYm623ncIkYGNZaOcmIbyd+CjyMi2L9vdI= +github.com/cloudflare/circl v1.0.0/go.mod h1:MhjB3NEEhJbTOdLLq964NIUisXDxaE1WkQPUxtgZXiY= github.com/cloudflare/cloudflare-go v0.10.2/go.mod h1:qhVI5MKwBGhdNU89ZRz2plgYutcJ5PCekLxXn56w6SY= github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc h1:Dvk3ySBsOm5EviLx6VCyILnafPcQinXGP5jbTdHUJgE= github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc/go.mod h1:HlgKKR8V5a1wroIDDIz3/A+T+9Janfq+7n1P5sEFdi0= github.com/cloudflare/golz4 v0.0.0-20150217214814-ef862a3cdc58 h1:F1EaeKL/ta07PY/k9Os/UFtwERei2/XzGemhpGnBKNg= github.com/cloudflare/golz4 
v0.0.0-20150217214814-ef862a3cdc58/go.mod h1:EOBUe0h4xcZ5GoxqC5SDxFQ8gwyZPKQoEzownBlhI80= +github.com/cloudflare/odoh-go v0.1.3 h1:kI0ANqbcLfKZHZOJ6myyEMWReQTy6ZOybSBFpg2yTsM= +github.com/cloudflare/odoh-go v0.1.3/go.mod h1:+8PrCWF56ioFtPx7VyhT8fL/IM6cJtPNh9IecQ1EIxg= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= @@ -146,6 +170,7 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU= github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd/v22 v22.0.0 h1:XJIw/+VlJ+87J+doOxznsAWIdmWuViOVhkQamW5YV28= github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/license-bill-of-materials v0.0.0-20190913234955-13baff47494e/go.mod h1:4xMOusJ7xxc84WclVxKT8+lNfGYDwojOUC2OQNCwcj4= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= 
@@ -160,10 +185,13 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/decker502/dnspod-go v0.2.0/go.mod h1:qsurYu1FgxcDwfSwXJdLt4kRsBLZeosEb9uq4Sy+08g= github.com/denisenkom/go-mssqldb v0.0.0-20191001013358-cfbb681360f0 h1:epsH3lb7KVbXHYk7LYGN5EiE0MxcevHU85CKITJ0wUY= github.com/denisenkom/go-mssqldb v0.0.0-20191001013358-cfbb681360f0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= +github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dnaeon/go-vcr v0.0.0-20180814043457-aafff18a5cc2/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/dnsimple/dnsimple-go v0.30.0/go.mod h1:O5TJ0/U6r7AfT8niYNlmohpLbCSG+c71tQlGr9SeGrg= +github.com/dnstap/golang-dnstap v0.2.0 h1:+NrmP4mkaTeKYV7xJ5FXpUxRn0RpcgoQcsOCTS8WQPk= github.com/dnstap/golang-dnstap v0.2.0/go.mod h1:s1PfVYYVmTMgCSPtho4LKBDecEHJWtiVDPNv78Z985U= github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= 
@@ -179,16 +207,19 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/equinox-io/equinox v1.2.0 h1:bBS7Ou+Y7Jwgmy8TWSYxEh85WctuFn7FPlgbUzX4DBA= -github.com/equinox-io/equinox v1.2.0/go.mod h1:6s3HJB0PYUNgs0mxmI8fHdfVl3TQ25ieA/PVfr+eyVo= github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/exoscale/egoscale v0.18.1/go.mod h1:Z7OOdzzTOz1Q1PjQXumlz9Wn/CddH0zSYdCF3rnBKXE= +github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51 h1:0JZ+dUmQeA8IIVUMzysrX4/AKuQwWhV2dYQuPZdvdSQ= github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51/go.mod h1:Yg+htXGokKKdzcwhuNDwVvN+uBxDGXJ7G/VN1d8fa64= +github.com/facebookgo/freeport v0.0.0-20150612182905-d4adf43b75b9 h1:wWke/RUCl7VRjQhwPlR/v0glZXNYzBHdNUzf/Am2Nmg= github.com/facebookgo/freeport v0.0.0-20150612182905-d4adf43b75b9/go.mod h1:uPmAp6Sws4L7+Q/OokbWDAK1ibXYhB3PXFP1kol5hPg= github.com/facebookgo/grace v0.0.0-20180706040059-75cf19382434 h1:mOp33BLbcbJ8fvTAmZacbBiOASfxN+MLcLxymZCIrGE= github.com/facebookgo/grace v0.0.0-20180706040059-75cf19382434/go.mod h1:KigFdumBXUPSwzLDbeuzyt0elrL7+CP7TKuhrhT4bcU= +github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 h1:JWuenKqqX8nojtoVVWjGfOF9635RETekkoH6Cc9SX0A= github.com/facebookgo/stack v0.0.0-20160209184415-751773369052/go.mod h1:UbMTZqLaRiH3MsBH8va0n7s1pQYcu3uTb8G4tygF4Zg= +github.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870 h1:E2s37DuLxFhQDg5gKsWoLBOB0n+ZW8s599zru8FJ2/Y= github.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870/go.mod h1:5tD+neXqOorC30/tWg0LCSkrqj/AR6gu8yY8/fpw1q0= 
+github.com/farsightsec/golang-framestream v0.0.0-20190425193708-fa4b164d59b8 h1:/iPdQppoAsTfML+yqFSq2EBChiEMnRkh5WvhFgtWwcU= github.com/farsightsec/golang-framestream v0.0.0-20190425193708-fa4b164d59b8/go.mod h1:eNde4IQyEiA5br02AouhEHCu3p3UzrCdFR4LuQHklMI= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= @@ -196,6 +227,7 @@ github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjr github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= +github.com/frankban/quicktest v1.10.0 h1:Gfh+GAJZOAoKZsIZeZbdn2JF10kN1XHNvjsvQK8gVkE= github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= 
@@ -245,6 +277,7 @@ github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFG github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A= github.com/golang-collections/collections v0.0.0-20130729185459-604e922904d3 h1:zN2lZNZRflqFyxVaTIU61KNKQ9C0055u9CAfpmqUvo4= @@ -255,6 +288,7 @@ github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfU github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 
@@ -289,9 +323,11 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= 
@@ -308,11 +344,14 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.1.0 h1:rVsPeBmXbYv4If/cumu1AzZPwV58q433hvONV1UEZoI= github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= github.com/gophercloud/gophercloud v0.3.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gophercloud/gophercloud v0.9.0 h1:eJHQQFguQRv2FatH2d2VXH2ueTe2XzjgjwFjFS7SGcs= github.com/gophercloud/gophercloud v0.9.0/go.mod h1:gmC5oQqMDOMO1t1gq5DquX/yAU808e/4mzjjDA76+Ss= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= 
@@ -348,6 +387,7 @@ github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= 
@@ -358,9 +398,11 @@ github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmK github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df/go.mod h1:QMZY7/J/KSQEhKWFeDesPjMj+wCHReeknARU3wqlyN4= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.9 h1:UauaLniWCFHWd+Jp9oCEkTBj8VO/9DKg3PV3VCNMDIg= github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= +github.com/infobloxopen/go-trees v0.0.0-20190313150506-2af4e13f9062 h1:d3VSuNcgTCn21dNMm8g412Fck/XWFmMj4nJhhHT7ZZ0= github.com/infobloxopen/go-trees v0.0.0-20190313150506-2af4e13f9062/go.mod h1:PcNJqIlcX/dj3DTG/+QQnRvSgTMG6CLpRMjWcv4+J6w= github.com/jimstudt/http-authentication v0.0.0-20140401203705-3eca13d6893a/go.mod h1:wK6yTYYcgjHE1Z1QtXACPDjcFJyBskHEdagmnq3vsP8= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= 
@@ -392,13 +434,16 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxv github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kshvakov/clickhouse v1.3.11 h1:dtzTJY0fCA+MWkLyuKZaNPkmSwdX4gh8+Klic9NB1Lw= github.com/kshvakov/clickhouse v1.3.11/go.mod h1:/SVBAcqF3u7rxQ9sTWCZwf8jzzvxiZGeQvtmSF2BBEc= github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/labbsr0x/bindman-dns-webhook v1.0.2/go.mod h1:p6b+VCXIR8NYKpDr8/dg1HKfQoRHCdcsROXKvmoehKA= github.com/labbsr0x/goh v1.0.1/go.mod h1:8K2UhVoaWXcCU7Lxoa2omWnC8gyW8px7/lmO61c027w= 
@@ -435,8 +480,8 @@ github.com/mholt/certmagic v0.8.3/go.mod h1:91uJzK5K8IWtYQqTi5R2tsxV1pCde+wdGfaR github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.29/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= -github.com/miekg/dns v1.1.31 h1:sJFOl9BgwbYAWOGEwr61FU28pqsBNdpRBnhGXtO06Oo= -github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/miekg/dns v1.1.32 h1:MDaYYzWOYscpvDOEgPMT1c1mebCZmIdxZI/J161OdJU= +github.com/miekg/dns v1.1.32/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= @@ -468,6 +513,7 @@ github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxzi github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uYLpLIr5fm8diHn0JbqRycJi6w0Ms= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nrdcg/auroradns v1.0.0/go.mod h1:6JPXKzIRzZzMqtTDgueIhTi6rFf1QvYE/HzqidhOhjw= github.com/nrdcg/goinwx v0.6.1/go.mod h1:XPiut7enlbEdntAqalBIqcYcTEVhpv/dKWgDCX2SwKQ= 
@@ -484,6 +530,7 @@ github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGV github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= +github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492 h1:lM6RxxfUMrYL/f8bWEUqdXrANWtrL7Nndbm9iFN0DlU= github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis= github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74= github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= 
@@ -491,9 +538,11 @@ github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFSt github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= github.com/openzipkin-contrib/zipkin-go-opentracing v0.3.5/go.mod h1:uVHyebswE1cCXr2A73cRM2frx5ld1RJUCJkFNZ90ZiI= +github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5 h1:ZCnq+JUrvXcDVhX/xRolRBZifmabN1HcS1wrPSvxhrU= github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxSfWAKL3wpBW7V8scJMt8N8gnaMCS9E/cA= github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= +github.com/openzipkin/zipkin-go v0.2.2 h1:nY8Hti+WKaP0cRsSeQ026wU03QsM762XBeCXBb9NAWI= github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= github.com/oracle/oci-go-sdk v7.0.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= github.com/ovh/go-ovh v0.0.0-20181109152953-ba5adb4cf014/go.mod h1:joRatxRJaZBsY3JAOEMcoOp05CnZzsx4scTxi95DHyQ= 
@@ -502,9 +551,11 @@ github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FI github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/philhofer/fwd v1.0.0 h1:UbZqGr5Y38ApvM/V/jEljVxwocdweyH+vmYvRPBnbqQ= github.com/philhofer/fwd v1.0.0/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU= github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= +github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI= github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -543,7 +594,6 @@ github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= -github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= github.com/prometheus/procfs v0.0.11/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFBS8= 
@@ -551,7 +601,6 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O github.com/prometheus/prometheus v2.5.0+incompatible/go.mod h1:oAIUtOny2rjMX0OWN5vPR5/q/twIROJvdqnQKDdil/s= github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2/go.mod h1:7tZKcyumwBO6qip7RNQ5r77yrssm9bfCowcLEBcU5IA= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5/go.mod h1:GEXHk5HgEKCvEIIrSpFI3ozzG5xOKA2DVlEX/gGnewM= github.com/rivo/tview v0.0.0-20200712113419-c65badfc3d92 h1:rqaqSUdaW+OBbjnsrOoiaJv43mSRARuvsAuirmdxu7E= github.com/rivo/tview v0.0.0-20200712113419-c65badfc3d92/go.mod h1:6lkG1x+13OShEf0EaOCaTQYyB7d5nSbb181KtjlS+84= github.com/rivo/uniseg v0.1.0 h1:+2KBaVoUmb9XzDsrx/Ct0W/EYOSFf/nWTauy++DprtY= @@ -582,6 +631,7 @@ github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTd github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= 
@@ -592,10 +642,10 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.6.0 h1:jlIyCplCJFULU/01vCkhKuTyc3OorI3bJFuw6obfgho= -github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/timewasted/linode v0.0.0-20160829202747-37e84520dcf7/go.mod h1:imsgLplxEC/etjIhdr3dNzV3JeT27LbVu5pYWm0JCBY= -github.com/tinylib/msgp v1.1.0/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE= +github.com/tinylib/msgp v1.1.2 h1:gWmO7n0Ys2RBEb7GPYB9Ujq8Mk5p2U08lRnmMcGy6BQ= github.com/tinylib/msgp v1.1.2/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/transip/gotransip v0.0.0-20190812104329-6d8d9179b66f/go.mod h1:i0f4R4o2HM0m3DZYQWsj6/MEowD57VzoH0v3d7igeFY= 
@@ -617,6 +667,7 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.etcd.io/etcd v0.5.0-alpha.5.0.20200306183522-221f0cc107cb h1:TcJ8iNja1CH/h/3QcsydKL5krb0MIPjMJLYgzClNaSQ= go.etcd.io/etcd v0.5.0-alpha.5.0.20200306183522-221f0cc107cb/go.mod h1:VZB9Yx4s43MHItytoe8jcvaEFEgF2QzHDZGfQ/XQjvQ= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= 
@@ -624,17 +675,21 @@ go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.4 h1:LYy1Hy3MJdrCdMwwzxA/dRok4ejH+RwNGbuoD9fCjto= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= +go.uber.org/atomic v1.6.0 h1:Ezj3JGmsOnG1MoRWQkPBsKLe9DwWD9QeXzTRzzldNVk= go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= +go.uber.org/multierr v1.5.0 h1:KCa4XfM8CWFCpxXRGok+Q0SS/0XBhMDbHHGABQLvD2A= go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= go.uber.org/ratelimit v0.0.0-20180316092928-c15da0234277/go.mod h1:2X8KaoNd1J0lZV+PxJk/5+DGbO/tpwLR1m++a7FnB/Y= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= +go.uber.org/zap v1.14.1 h1:nYDKopTbvAPq/NrUVZwT15y2lpROBiLLyoRTbXOYWOo= go.uber.org/zap v1.14.1/go.mod h1:Mb2vm2krFEG5DV0W9qcHBYFtp/Wku1cvYaqPsS/WYfc= golang.org/x/crypto v0.0.0-20180621125126-a49355c7e3f8/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 
@@ -765,6 +820,7 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190626150813-e07cf5db2756/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -811,6 +867,7 @@ golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -865,6 +922,7 @@ golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= @@ -883,6 +941,7 @@ google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0M google.golang.org/api v0.26.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0 h1:yfrXXP61wVuLb0vBcG6qaOoIoqYEzOQS8jum51jkv2w= google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -956,11 +1015,13 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +gopkg.in/DataDog/dd-trace-go.v1 v1.24.1 h1:CGQIcKZxAsFtMTUiXw0TxBWwj+l+b2bS2V8l1bIsfk4= gopkg.in/DataDog/dd-trace-go.v1 v1.24.1/go.mod h1:DVp8HmDh8PuTu2Z0fVVlBsyWaC++fzwVCaGWylTe3tg= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/coreos/go-oidc.v2 v2.1.0 h1:E8PjVFdj/SLDKB0hvb70KTbMbYVHjqztiQdSkIg8E+I= 
@@ -969,6 +1030,7 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= gopkg.in/h2non/gock.v1 v1.0.15/go.mod h1:sX4zAkdYX1TRGJ2JY156cFspQn4yRWn6p9EMdODlynE= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.44.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= 
@@ -1002,21 +1064,28 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +k8s.io/api v0.18.3 h1:2AJaUQdgUZLoDZHrun21PW2Nx9+ll6cUzvn3IKhSIn0= k8s.io/api v0.18.3/go.mod h1:UOaMwERbqJMfeeeHc8XJKawj4P9TgDRnViIqqBeH2QA= +k8s.io/apimachinery v0.18.3 h1:pOGcbVAhxADgUYnjS08EFXs9QMl8qaH5U4fr5LGUrSk= k8s.io/apimachinery v0.18.3/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= +k8s.io/client-go v0.18.3 h1:QaJzz92tsN67oorwzmoB0a9r9ZVHuD5ryjbCKP0U22k= k8s.io/client-go v0.18.3/go.mod h1:4a/dpQEvzAhT1BbuWW09qvIaGw6Gbu1gZYiQZIi1DMw= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= +k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89 h1:d4vVOjXm687F1iLSP2q3lyPPuyvTUt3aVoBpi2DqRsU= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= +sigs.k8s.io/structured-merge-diff/v3 v3.0.0 
h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E= sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU= zombiezen.com/go/capnproto2 v2.18.0+incompatible h1:mwfXZniffG5mXokQGHUJWGnqIBggoPfT/CEwon9Yess= diff --git a/tunneldns/https_upstream.go b/tunneldns/https_upstream.go index b4c756fa..30db719e 100644 --- a/tunneldns/https_upstream.go +++ b/tunneldns/https_upstream.go 
@@ -12,30 +12,47 @@ import ( "time" "github.com/cloudflare/cloudflared/logger" + odoh "github.com/cloudflare/odoh-go" "github.com/miekg/dns" "github.com/pkg/errors" "golang.org/x/net/http2" ) const ( - defaultTimeout = 5 * time.Second + defaultTimeout = 10 * time.Second + odohConfigDuration = 3600 * time.Second + targetHostname = "odoh.cloudflare-dns.com." ) +// ObliviousDoHCtx maintains info needed for the ODoH service +type ObliviousDoHCtx struct { + useproxy bool + target *url.URL + queryCtx *odoh.QueryContext +} + // UpstreamHTTPS is the upstream implementation for DNS over HTTPS service type UpstreamHTTPS struct { client *http.Client endpoint *url.URL bootstraps []string + odoh *ObliviousDoHCtx logger logger.Service } // NewUpstreamHTTPS creates a new DNS over HTTPS upstream from endpoint -func NewUpstreamHTTPS(endpoint string, bootstraps []string, logger logger.Service) (Upstream, error) { +func NewUpstreamHTTPS(endpoint string, bootstraps []string, odohCtx *ObliviousDoHCtx, logger logger.Service) (Upstream, error) { u, err := url.Parse(endpoint) if err != nil { return nil, err } - return &UpstreamHTTPS{client: configureClient(u.Hostname()), endpoint: u, bootstraps: bootstraps, logger: logger}, nil + return &UpstreamHTTPS{ + client: configureClient(u.Hostname()), + endpoint: u, + bootstraps: bootstraps, + odoh: odohCtx, + logger: logger, + }, nil } // Exchange provides an implementation for the Upstream interface 
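Review bot: The `const` block changes `defaultTimeout` from 5 s to 10 s without saying why, and the two new constants have no comments; if `defaultTimeout` is what `configureClient` uses (not visible here), plain DoH upstreams inherit the longer timeout too. I would add `// odohConfigDuration is the pause between refreshes of the ODoH key configuration.` and `// targetHostname is the name whose HTTPS record is queried for the odohconfig.` above them, which matches how `UpdateOdohConfig` in tunnel.go uses the values. The doc comment of `NewUpstreamHTTPS` should also state that a nil `odohCtx` selects plain DoH, which is how `CreateListener` calls it.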
@@ -45,35 +62,95 @@ func (u *UpstreamHTTPS) Exchange(ctx context.Context, query *dns.Msg) (*dns.Msg, return nil, errors.Wrap(err, "failed to pack DNS query") } - if len(query.Question) > 0 && query.Question[0].Name == fmt.Sprintf("%s.", u.endpoint.Hostname()) { - for _, bootstrap := range u.bootstraps { - endpoint, client, err := configureBootstrap(bootstrap) - if err != nil { - u.logger.Errorf("failed to configure boostrap upstream %s: %s", bootstrap, err) - continue + if u.odoh == nil { + if len(query.Question) > 0 && query.Question[0].Name == fmt.Sprintf("%s.", u.endpoint.Hostname()) { + for _, bootstrap := range u.bootstraps { + endpoint, client, err := configureBootstrap(bootstrap) + if err != nil { + u.logger.Errorf("failed to configure boostrap upstream %s: %s", bootstrap, err) + continue + } + msg, err := exchange(queryBuf, query.Id, endpoint, client, u.odoh, u.logger) + if err != nil { + u.logger.Errorf("failed to connect to a boostrap upstream %s: %s", bootstrap, err) + continue + } + return msg, nil } - msg, err := exchange(queryBuf, query.Id, endpoint, client, u.logger) - if err != nil { - u.logger.Errorf("failed to connect to a boostrap upstream %s: %s", bootstrap, err) - continue - } - return msg, nil + return nil, fmt.Errorf("failed to reach any bootstrap upstream: %v", u.bootstraps) } - return nil, fmt.Errorf("failed to reach any bootstrap upstream: %v", u.bootstraps) + } else { + odohQuery, queryCtx, err := createOdohQuery(queryBuf, OdohConfig) + if err != nil { + u.logger.Errorf("failed to create oblivious query: %s", err) + } + queryBuf = odohQuery + u.odoh.queryCtx = &queryCtx } + return exchange(queryBuf, query.Id, u.endpoint, u.client, u.odoh, u.logger) - return exchange(queryBuf, query.Id, u.endpoint, u.client, u.logger) } -func exchange(msg []byte, queryID uint16, endpoint *url.URL, client *http.Client, logger logger.Service) (*dns.Msg, error) { +func createOdohQuery(dnsMessage []byte, publicKey odoh.ObliviousDoHConfigContents) ([]byte, 
odoh.QueryContext, error) { + odohQuery := odoh.CreateObliviousDNSQuery(dnsMessage, 0) + encryptedMessage, queryContext, err := publicKey.EncryptQuery(odohQuery) + if err != nil { + return nil, odoh.QueryContext{}, err + } + return encryptedMessage.Marshal(), queryContext, nil +} + +// FetchObliviousDoHConfig fetches `odohconfig` by querying the target server for HTTPS records. +func FetchObliviousDoHConfig(client *http.Client, msg []byte, dohResolver *url.URL) (*odoh.ObliviousDoHConfigs, error) { + buf, err := exchangeWireformat(msg, dohResolver, client, nil) + if err != nil { + return nil, err + } + + response := &dns.Msg{} + if err := response.Unpack(buf); err != nil { + return nil, errors.Wrap(err, "failed to unpack HTTPS DNS response from body") + } + + // extracts `odohconfig` from the https record + for _, answer := range response.Answer { + httpsResponse, ok := answer.(*dns.HTTPS) + if ok { + for _, value := range httpsResponse.Value { + if value.Key() == 32769 { + parameter, ok := value.(*dns.SVCBLocal) + if ok { + odohConfigs, err := odoh.UnmarshalObliviousDoHConfigs(parameter.Data) + if err == nil { + return &odohConfigs, nil + } + } + } + } + } + } + + return nil, nil +} + +func exchange(msg []byte, queryID uint16, endpoint *url.URL, client *http.Client, odohCtx *ObliviousDoHCtx, logger logger.Service) (*dns.Msg, error) { // No content negotiation for now, use DNS wire format - buf, backendErr := exchangeWireformat(msg, endpoint, client) + buf, backendErr := exchangeWireformat(msg, endpoint, client, odohCtx) if backendErr == nil { response := &dns.Msg{} + if odohCtx != nil { + odohQueryResponse, err := odoh.UnmarshalDNSMessage(buf) + if err != nil { + return nil, errors.Wrap(err, "failed to deserialize ObliviousDoHMessage from response") + } + buf, err = odohCtx.queryCtx.OpenAnswer(odohQueryResponse) + if err != nil { + return nil, errors.Wrap(err, "failed to decrypt encrypted response") + } + } if err := response.Unpack(buf); err != nil { return nil, 
errors.Wrap(err, "failed to unpack DNS response from body") } - response.Id = queryID return response, nil } @@ -83,16 +160,28 @@ func exchange(msg []byte, queryID uint16, endpoint *url.URL, client *http.Client } // Perform message exchange with the default UDP wireformat defined in current draft -// https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https -func exchangeWireformat(msg []byte, endpoint *url.URL, client *http.Client) ([]byte, error) { +// https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https for DoH and +// https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-03 for ODoH +func exchangeWireformat(msg []byte, endpoint *url.URL, client *http.Client, odoh *ObliviousDoHCtx) ([]byte, error) { req, err := http.NewRequest("POST", endpoint.String(), bytes.NewBuffer(msg)) if err != nil { return nil, errors.Wrap(err, "failed to create an HTTPS request") } - req.Header.Add("Content-Type", "application/dns-message") + if odoh != nil { + req.Header.Add("Content-Type", "application/oblivious-dns-message") + req.Header.Add("Accept", "application/oblivious-dns-message") + req.Header.Add("Cache-Control", "no-cache, no-store") + if odoh.useproxy { + queries := req.URL.Query() + queries.Add("targethost", odoh.target.Hostname()) + queries.Add("targetpath", "/dns-query") + req.URL.RawQuery = queries.Encode() + } + } else { + req.Header.Add("Content-Type", "application/dns-message") + } req.Host = endpoint.Host - resp, err := client.Do(req) if err != nil { return nil, errors.Wrap(err, "failed to perform an HTTPS request") diff --git a/tunneldns/tunnel.go b/tunneldns/tunnel.go index d18b96ab..be9beb4f 100644 --- a/tunneldns/tunnel.go +++ b/tunneldns/tunnel.go 
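Review bot: In the `else` branch of `Exchange`, a failure of `createOdohQuery` is only logged, so the code goes on to send the nil `odohQuery` and to store a zero `QueryContext`; it should return the error instead. The same branch writes the per-query context into the shared `u.odoh.queryCtx`, so if `Exchange` runs for several queries at once (not shown here, but usual for a DNS server plugin), `exchange` can call `OpenAnswer` with the context of a different query and the response then fails to decrypt. A per-call context, as sketched below, avoids the shared write. `Exchange` starts above this hunk.

```go
	} else {
		odohQuery, queryCtx, err := createOdohQuery(queryBuf, OdohConfig)
		if err != nil {
			return nil, errors.Wrap(err, "failed to create oblivious query")
		}
		// Per-call copy: concurrent queries must not share one QueryContext.
		callCtx := &ObliviousDoHCtx{
			useproxy: u.odoh.useproxy,
			target:   u.odoh.target,
			queryCtx: &queryCtx,
		}
		return exchange(odohQuery, query.Id, u.endpoint, u.client, callCtx, u.logger)
	}
	// … unchanged: final exchange call for the plain DoH path …
```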
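Review bot: The proxy branch of `exchangeWireformat` hard-codes `targetpath` as `/dns-query`, so a configured target URL with a different path is silently replaced by that path; `queries.Add("targetpath", odoh.target.Path)` would follow the configured URL. The new parameter is also named `odoh`, which shadows the `odoh` package alias imported at the top of this file; `odohCtx`, the name `exchange` already uses, would be clearer. The function continues below this hunk.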
@@ -2,15 +2,20 @@ package tunneldns import ( "net" + "net/http" + "net/url" "os" "os/signal" "strconv" "sync" "syscall" + "time" "github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil" "github.com/cloudflare/cloudflared/logger" "github.com/cloudflare/cloudflared/metrics" + odoh "github.com/cloudflare/odoh-go" + "github.com/miekg/dns" "github.com/coredns/coredns/core/dnsserver" "github.com/coredns/coredns/plugin" @@ -26,6 +31,12 @@ type Listener struct { logger logger.Service } +const ( + dohResolver = "https://1.1.1.1/dns-query" +) + +var OdohConfig odoh.ObliviousDoHConfigContents + func Command(hidden bool) *cli.Command { return &cli.Command{ Name: "proxy-dns", @@ -63,6 +74,33 @@ func Command(hidden bool) *cli.Command { EnvVars: []string{"TUNNEL_DNS_BOOTSTRAP"}, }, }, + Subcommands: []*cli.Command{ + { + Name: "odoh", + Action: cliutil.ErrorHandler(RunOdoh), + Usage: "Runs an Oblivious DNS over HTTPS client.", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "target", + Usage: "ODoH target URL", + Value: "https://1.1.1.1/dns-query", + EnvVars: []string{"TUNNEL_DNS_ODOH_TARGET"}, + }, + &cli.StringFlag{ + Name: "proxy", + Usage: "ODoH proxy URL", + Value: "https://odoh1.surfdomeinen.nl/proxy", + EnvVars: []string{"TUNNEL_DNS_ODOH_PROXY"}, + }, + &cli.BoolFlag{ + Name: "useproxy", + Usage: "Set flag to enable proxy usage", + Value: false, + EnvVars: []string{"TUNNEL_DNS_ODOH_USE_PROXY"}, + }, + }, + }, + }, ArgsUsage: " ", // can't be the empty string or we get the default output Hidden: hidden, } 
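Review bot: `OdohConfig` is an exported, mutable package variable that `UpdateOdohConfig` assigns from its own goroutine while `Exchange` in https_upstream.go reads it for every query, with no synchronisation between them. That is a data race on the key configuration used to encrypt queries, and being exported lets any importer overwrite it. An unexported variable behind a `sync.RWMutex` (the file already imports `sync`) with small get/set helpers would address both; a sketch follows.

```go
var (
	odohConfigMu sync.RWMutex
	odohConfig   odoh.ObliviousDoHConfigContents
)

// currentOdohConfig returns the most recently fetched ODoH key configuration.
func currentOdohConfig() odoh.ObliviousDoHConfigContents {
	odohConfigMu.RLock()
	defer odohConfigMu.RUnlock()
	return odohConfig
}

// setOdohConfig replaces the ODoH key configuration used for new queries.
func setOdohConfig(c odoh.ObliviousDoHConfigContents) {
	odohConfigMu.Lock()
	defer odohConfigMu.Unlock()
	odohConfig = c
}
```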
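Review bot: The `useproxy` flag of the new `odoh` subcommand defaults to `false`, and its usage text does not say what that means. Per `CreateObliviousDNSListener` later in this file, the encrypted query is then posted directly to the target, so the target sees the client's address together with the query it decrypts. I would make that explicit, e.g. `Usage: "Relay queries through the ODoH proxy; when unset, queries go directly to the target",`. `Command` continues outside this hunk.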
@@ -82,7 +120,13 @@ func Run(c *cli.Context) error { go metrics.ServeMetrics(metricsListener, nil, nil, logger) - listener, err := CreateListener(c.String("address"), uint16(c.Uint("port")), c.StringSlice("upstream"), c.StringSlice("bootstrap"), logger) + listener, err := CreateListener( + c.String("address"), + uint16(c.Uint("port")), + c.StringSlice("upstream"), + c.StringSlice("bootstrap"), + logger, + ) if err != nil { logger.Errorf("Failed to create the listeners: %s", err) return err 
@@ -111,6 +155,59 @@ func Run(c *cli.Context) error { return err } +// RunOdoh implements a foreground runner +func RunOdoh(c *cli.Context) error { + logger, err := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog) + if err != nil { + return cliutil.PrintLoggerSetupError("error setting up logger", err) + } + + metricsListener, err := net.Listen("tcp", c.String("metrics")) + if err != nil { + logger.Fatalf("Failed to open the metrics listener: %s", err) + } + + go metrics.ServeMetrics(metricsListener, nil, nil, logger) + + listener, err := CreateObliviousDNSListener( + c.String("address"), + uint16(c.Uint("port")), + c.String("target"), + c.String("proxy"), + c.Bool("useproxy"), + logger, + ) + if err != nil { + logger.Errorf("Failed to create the listeners: %s", err) + return err + } + + // Update odohconfig + go listener.UpdateOdohConfig() + + // Try to start the server + readySignal := make(chan struct{}) + err = listener.Start(readySignal) + if err != nil { + logger.Errorf("Failed to start the listeners: %s", err) + return listener.Stop() + } + <-readySignal + + // Wait for signal + signals := make(chan os.Signal, 10) + signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT) + defer signal.Stop(signals) + <-signals + + // Shut down server + err = listener.Stop() + if err != nil { + logger.Errorf("failed to stop: %s", err) + } + return err +} + // Create a CoreDNS server plugin from configuration func createConfig(address string, port uint16, p plugin.Handler) *dnsserver.Config { c := &dnsserver.Config{ @@ -127,7 +224,8 @@ func createConfig(address string, port uint16, p plugin.Handler) *dnsserver.Conf // Start blocks for serving requests func (l *Listener) Start(readySignal chan struct{}) error { defer close(readySignal) - l.logger.Infof("Starting DNS over HTTPS proxy server on: %s", l.server.Address()) + + l.logger.Infof("Starting DNS proxy server on: %s", l.server.Address()) // Start UDP listener if udp, err := l.server.ListenPacket(); err == nil { 
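Review bot: `RunOdoh` launches `go listener.UpdateOdohConfig()` and then calls `listener.Start` straight away, so the proxy can accept queries before the first key configuration has been fetched, while `OdohConfig` still holds its zero value. I would fetch the configuration once synchronously and fail startup if that fetch fails, then start the periodic refresh. Separately, when `Start` fails the function returns `listener.Stop()` and the start error is lost; `_ = listener.Stop()` followed by `return err` keeps it.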
@@ -153,6 +251,26 @@ func (l *Listener) Start(readySignal chan struct{}) error { return errors.Wrap(err, "failed to create a TCP listener") } +// UpdateOdohConfig periodically updates odoh configs +// Currently supports `odoh.cloudflare-dns.com.`. +func (l *Listener) UpdateOdohConfig() { + l.logger.Infof("Starting Oblivious DoH key updates") + dohResolver, _ := url.Parse(dohResolver) + client := http.Client{} + dnsQuery := new(dns.Msg) + dnsQuery.SetQuestion(targetHostname, dns.TypeHTTPS) + dnsQuery.RecursionDesired = true + packedDNSQuery, _ := dnsQuery.Pack() + for { + configs, err := FetchObliviousDoHConfig(&client, packedDNSQuery, dohResolver) + if err != nil { + l.logger.Errorf("odoh config not updated with err ", err) + } + OdohConfig = configs.Configs[0].Contents + time.Sleep(odohConfigDuration) + } +} + // Stop signals server shutdown and blocks until completed func (l *Listener) Stop() error { if err := l.server.Stop(); err != nil { 
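Review bot: Inside the loop of `UpdateOdohConfig`, the error from `FetchObliviousDoHConfig` is logged and then `configs.Configs[0]` is dereferenced anyway, so a failed fetch (nil `configs`), the `nil, nil` return when no `odohconfig` is found, or an empty list will panic in this goroutine. The `Errorf` call has no format verb for `err`, the `http.Client{}` has no timeout, and the errors from `url.Parse` and `Pack` are discarded. The sketch below keeps the previous configuration when a refresh fails.

```go
	client := http.Client{Timeout: defaultTimeout}
	// … unchanged: building and packing the HTTPS query …
	for {
		configs, err := FetchObliviousDoHConfig(&client, packedDNSQuery, dohResolver)
		switch {
		case err != nil:
			l.logger.Errorf("odoh config not updated: %s", err)
		case configs == nil || len(configs.Configs) == 0:
			l.logger.Errorf("odoh config not updated: no odohconfig in the HTTPS answer")
		default:
			OdohConfig = configs.Configs[0].Contents
		}
		time.Sleep(odohConfigDuration)
	}
```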
@@ -169,17 +287,48 @@ func CreateListener(address string, port uint16, upstreams []string, bootstraps upstreamList := make([]Upstream, 0) for _, url := range upstreams { logger.Infof("Adding DNS upstream - url: %s", url) - upstream, err := NewUpstreamHTTPS(url, bootstraps, logger) + upstream, err := NewUpstreamHTTPS(url, bootstraps, nil, logger) if err != nil { return nil, errors.Wrap(err, "failed to create HTTPS upstream") } upstreamList = append(upstreamList, upstream) } + return buildListenerFromUpstream(upstreamList, address, port, logger) +} + +// CreateObliviousDNSListener configures the server and bound sockets +func CreateObliviousDNSListener(address string, port uint16, target string, proxy string, useproxy bool, logger logger.Service) (*Listener, error) { + logger.Infof("Adding Oblivious DoH target - url: %s", target) + var upstream Upstream + var err error + targetURL, err := url.Parse(target) + if err != nil { + return nil, err + } + odohCtx := ObliviousDoHCtx{ + useproxy: useproxy, + target: targetURL, + } + if useproxy { + logger.Infof("Adding Oblivious DoH proxy - url: %s", proxy) + upstream, err = NewUpstreamHTTPS(proxy, nil, &odohCtx, logger) + } else { + logger.Infof("No Oblivious DoH proxy is set") + upstream, err = NewUpstreamHTTPS(target, nil, &odohCtx, logger) + } + if err != nil { + return nil, errors.Wrap(err, "failed to create HTTPS upstream") + } + + return buildListenerFromUpstream([]Upstream{upstream}, address, port, logger) +} + +func buildListenerFromUpstream(upstreams []Upstream, address string, port uint16, logger logger.Service) (*Listener, error) { // Create a local cache with HTTPS proxy plugin chain := cache.New() chain.Next = ProxyPlugin{ - Upstreams: upstreamList, + Upstreams: upstreams, } // Format an endpoint diff --git a/vendor/git.schwanenlied.me/yawning/x448.git/LICENSE.txt b/vendor/git.schwanenlied.me/yawning/x448.git/LICENSE.txt new file mode 100644 index 00000000..1184f29c --- /dev/null 
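Review bot: `CreateObliviousDNSListener` accepts whatever `url.Parse` lets through for `target`, and `NewUpstreamHTTPS` does the same for `proxy`, so an `http://` URL or a string with no host is taken without complaint. Since these values come from flags and environment variables, I would reject them early, e.g. `if targetURL.Scheme != "https" || targetURL.Hostname() == "" { return nil, errors.Errorf("ODoH target must be an https URL: %q", target) }`, and apply the same check to `proxy` when `useproxy` is set. The parse error for `target` is also returned unwrapped, unlike the `errors.Wrap` used a few lines below. `buildListenerFromUpstream` continues outside this hunk.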
+++ b/vendor/git.schwanenlied.me/yawning/x448.git/LICENSE.txt @@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2014-2015 Cryptography Research, Inc. +Copyright (c) 2015 Yawning Angel. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/git.schwanenlied.me/yawning/x448.git/README.md b/vendor/git.schwanenlied.me/yawning/x448.git/README.md new file mode 100644 index 00000000..5dfb57d3 --- /dev/null +++ b/vendor/git.schwanenlied.me/yawning/x448.git/README.md 
@@ -0,0 +1,13 @@ +### x448 - curve448 ECDH +#### Yawning Angel (yawning at schwanenlied dot me) + +A straight forward port of Michael Hamburg's x448 code to Go lang. + +See: https://www.rfc-editor.org/rfc/rfc7748.txt + +If you're familiar with how to use golang.org/x/crypto/curve25519, you will be +right at home with using x448, since the functions are the same. Generate a +random secret key, ScalarBaseMult() to get the public key, etc etc etc. + +Both routines return 0 on success, -1 on failure which MUST be checked, and +the handshake aborted on failure. diff --git a/vendor/git.schwanenlied.me/yawning/x448.git/x448.go b/vendor/git.schwanenlied.me/yawning/x448.git/x448.go new file mode 100644 index 00000000..97a68e19 --- /dev/null +++ b/vendor/git.schwanenlied.me/yawning/x448.git/x448.go 
@@ -0,0 +1,114 @@
+// The MIT License (MIT)
+//
+// Copyright (c) 2014-2015 Cryptography Research, Inc.
+// Copyright (c) 2015 Yawning Angel.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+// Package x448 provides an implementation of scalar multiplication on the
+// elliptic curve known as curve448.
+//
+// See https://tools.ietf.org/html/draft-irtf-cfrg-curves-11
+package x448 // import "git.schwanenlied.me/yawning/x448.git"
+
+const (
+ x448Bytes = 56
+ edwardsD = -39081
+)
+
+var basePoint = [56]byte{
+ 5, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+}
+
+func ScalarMult(out, scalar, base *[56]byte) int {
+ var x1, x2, z2, x3, z3, t1, t2 gf
+ x1.deser(base)
+ x2.cpy(&one)
+ z2.cpy(&zero)
+ x3.cpy(&x1)
+ z3.cpy(&one)
+
+ var swap limbUint
+
+ for t := int(448 - 1); t >= 0; t-- {
+ sb := scalar[t/8]
+
+ // Scalar conditioning.
+ if t/8 == 0 {
+ sb &= 0xFC
+ } else if t/8 == x448Bytes-1 {
+ sb |= 0x80
+ }
+
+ kT := (limbUint)((sb >> ((uint)(t) % 8)) & 1)
+ kT = -kT // Set to all 0s or all 1s
+
+ swap ^= kT
+ x2.condSwap(&x3, swap)
+ z2.condSwap(&z3, swap)
+ swap = kT
+
+ t1.add(&x2, &z2) // A = x2 + z2
+ t2.sub(&x2, &z2) // B = x2 - z2
+ z2.sub(&x3, &z3) // D = x3 - z3
+ x2.mul(&t1, &z2) // DA
+ z2.add(&z3, &x3) // C = x3 + z3
+ x3.mul(&t2, &z2) // CB
+ z3.sub(&x2, &x3) // DA-CB
+ z2.sqr(&z3) // (DA-CB)^2
+ z3.mul(&x1, &z2) // z3 = x1(DA-CB)^2
+ z2.add(&x2, &x3) // (DA+CB)
+ x3.sqr(&z2) // x3 = (DA+CB)^2
+
+ z2.sqr(&t1) // AA = A^2
+ t1.sqr(&t2) // BB = B^2
+ x2.mul(&z2, &t1) // x2 = AA*BB
+ t2.sub(&z2, &t1) // E = AA-BB
+
+ t1.mlw(&t2, -edwardsD) // E*-d = a24*E
+ t1.add(&t1, &z2) // AA + a24*E
+ z2.mul(&t2, &t1) // z2 = E(AA+a24*E)
+ }
+
+ // Finish
+ x2.condSwap(&x3, swap)
+ z2.condSwap(&x3, swap)
+ z2.inv(&z2)
+ x1.mul(&x2, &z2)
+ x1.ser(out)
+
+ // As with X25519, both sides MUST check, without leaking extra
+ // information about the value of K, whether the resulting shared K is
+ // the all-zero value and abort if so.
+ var nz limbSint
+ for _, v := range out {
+ nz |= (limbSint)(v)
+ }
+ nz = (nz - 1) >> 8 // 0 = succ, -1 = fail
+
+ // return value: 0 = succ, -1 = fail
+ return (int)(nz)
+}
+
+func ScalarBaseMult(out, scalar *[56]byte) int {
+ return ScalarMult(out, scalar, &basePoint)
+}
diff --git a/vendor/git.schwanenlied.me/yawning/x448.git/x448_ref.go b/vendor/git.schwanenlied.me/yawning/x448.git/x448_ref.go
new file mode 100644
index 00000000..59626e1f
--- /dev/null
+++ b/vendor/git.schwanenlied.me/yawning/x448.git/x448_ref.go
@@ -0,0 +1,778 @@ +// The MIT License (MIT) +// +// Copyright (c) 2014-2015 Cryptography Research, Inc. +// Copyright (c) 2015 Yawning Angel. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + +package x448 + +// This should really use 64 bit limbs, but Go is fucking retarded and doesn't +// have __(u)int128_t, so the 32 bit code it is, at a hefty performance +// penalty. Fuck my life, I'm going to have to bust out PeachPy to get this +// to go fast aren't I. + +const ( + wBits = 32 + lBits = (wBits * 7 / 8) + x448Limbs = (448 / lBits) + lMask = (1 << lBits) - 1 +) + +type limbUint uint32 +type limbSint int32 + +type gf struct { + limb [x448Limbs]uint32 +} + +var zero = gf{[x448Limbs]uint32{0}} +var one = gf{[x448Limbs]uint32{1}} +var p = gf{[x448Limbs]uint32{ + lMask, lMask, lMask, lMask, lMask, lMask, lMask, lMask, + lMask - 1, lMask, lMask, lMask, lMask, lMask, lMask, lMask, +}} + +// cpy copies x = y. 
+func (x *gf) cpy(y *gf) { + // for i, v := range y.limb { + // x.limb[i] = v + // } + + copy(x.limb[:], y.limb[:]) +} + +// mul multiplies c = a * b. (PERF) +func (c *gf) mul(a, b *gf) { + var aa gf + aa.cpy(a) + + // + // This is *by far* the most CPU intesive routine in the code. + // + + // var accum [x448Limbs]uint64 + // for i, bv := range b.limb { + // for j, aav := range aa.limb { + // accum[(i+j)%x448Limbs] += (uint64)(bv) * (uint64)(aav) + // } + // aa.limb[(x448Limbs-1-i)^(x448Limbs/2)] += aa.limb[x448Limbs-1-i] + // } + + // So fucking stupid that this is actually a fairly massive gain. + var accum0, accum1, accum2, accum3, accum4, accum5, accum6, accum7, accum8, accum9, accum10, accum11, accum12, accum13, accum14, accum15 uint64 + var bv uint64 + + bv = (uint64)(b.limb[0]) + accum0 += bv * (uint64)(aa.limb[0]) + accum1 += bv * (uint64)(aa.limb[1]) + accum2 += bv * (uint64)(aa.limb[2]) + accum3 += bv * (uint64)(aa.limb[3]) + accum4 += bv * (uint64)(aa.limb[4]) + accum5 += bv * (uint64)(aa.limb[5]) + accum6 += bv * (uint64)(aa.limb[6]) + accum7 += bv * (uint64)(aa.limb[7]) + accum8 += bv * (uint64)(aa.limb[8]) + accum9 += bv * (uint64)(aa.limb[9]) + accum10 += bv * (uint64)(aa.limb[10]) + accum11 += bv * (uint64)(aa.limb[11]) + accum12 += bv * (uint64)(aa.limb[12]) + accum13 += bv * (uint64)(aa.limb[13]) + accum14 += bv * (uint64)(aa.limb[14]) + accum15 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-0)^(x448Limbs/2)] += aa.limb[x448Limbs-1-0] + + bv = (uint64)(b.limb[1]) + accum1 += bv * (uint64)(aa.limb[0]) + accum2 += bv * (uint64)(aa.limb[1]) + accum3 += bv * (uint64)(aa.limb[2]) + accum4 += bv * (uint64)(aa.limb[3]) + accum5 += bv * (uint64)(aa.limb[4]) + accum6 += bv * (uint64)(aa.limb[5]) + accum7 += bv * (uint64)(aa.limb[6]) + accum8 += bv * (uint64)(aa.limb[7]) + accum9 += bv * (uint64)(aa.limb[8]) + accum10 += bv * (uint64)(aa.limb[9]) + accum11 += bv * (uint64)(aa.limb[10]) + accum12 += bv * (uint64)(aa.limb[11]) + accum13 += bv * 
(uint64)(aa.limb[12]) + accum14 += bv * (uint64)(aa.limb[13]) + accum15 += bv * (uint64)(aa.limb[14]) + accum0 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-1)^(x448Limbs/2)] += aa.limb[x448Limbs-1-1] + + bv = (uint64)(b.limb[2]) + accum2 += bv * (uint64)(aa.limb[0]) + accum3 += bv * (uint64)(aa.limb[1]) + accum4 += bv * (uint64)(aa.limb[2]) + accum5 += bv * (uint64)(aa.limb[3]) + accum6 += bv * (uint64)(aa.limb[4]) + accum7 += bv * (uint64)(aa.limb[5]) + accum8 += bv * (uint64)(aa.limb[6]) + accum9 += bv * (uint64)(aa.limb[7]) + accum10 += bv * (uint64)(aa.limb[8]) + accum11 += bv * (uint64)(aa.limb[9]) + accum12 += bv * (uint64)(aa.limb[10]) + accum13 += bv * (uint64)(aa.limb[11]) + accum14 += bv * (uint64)(aa.limb[12]) + accum15 += bv * (uint64)(aa.limb[13]) + accum0 += bv * (uint64)(aa.limb[14]) + accum1 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-2)^(x448Limbs/2)] += aa.limb[x448Limbs-1-2] + + bv = (uint64)(b.limb[3]) + accum3 += bv * (uint64)(aa.limb[0]) + accum4 += bv * (uint64)(aa.limb[1]) + accum5 += bv * (uint64)(aa.limb[2]) + accum6 += bv * (uint64)(aa.limb[3]) + accum7 += bv * (uint64)(aa.limb[4]) + accum8 += bv * (uint64)(aa.limb[5]) + accum9 += bv * (uint64)(aa.limb[6]) + accum10 += bv * (uint64)(aa.limb[7]) + accum11 += bv * (uint64)(aa.limb[8]) + accum12 += bv * (uint64)(aa.limb[9]) + accum13 += bv * (uint64)(aa.limb[10]) + accum14 += bv * (uint64)(aa.limb[11]) + accum15 += bv * (uint64)(aa.limb[12]) + accum0 += bv * (uint64)(aa.limb[13]) + accum1 += bv * (uint64)(aa.limb[14]) + accum2 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-3)^(x448Limbs/2)] += aa.limb[x448Limbs-1-3] + + bv = (uint64)(b.limb[4]) + accum4 += bv * (uint64)(aa.limb[0]) + accum5 += bv * (uint64)(aa.limb[1]) + accum6 += bv * (uint64)(aa.limb[2]) + accum7 += bv * (uint64)(aa.limb[3]) + accum8 += bv * (uint64)(aa.limb[4]) + accum9 += bv * (uint64)(aa.limb[5]) + accum10 += bv * (uint64)(aa.limb[6]) + accum11 += bv * (uint64)(aa.limb[7]) + accum12 += bv * 
(uint64)(aa.limb[8]) + accum13 += bv * (uint64)(aa.limb[9]) + accum14 += bv * (uint64)(aa.limb[10]) + accum15 += bv * (uint64)(aa.limb[11]) + accum0 += bv * (uint64)(aa.limb[12]) + accum1 += bv * (uint64)(aa.limb[13]) + accum2 += bv * (uint64)(aa.limb[14]) + accum3 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-4)^(x448Limbs/2)] += aa.limb[x448Limbs-1-4] + + bv = (uint64)(b.limb[5]) + accum5 += bv * (uint64)(aa.limb[0]) + accum6 += bv * (uint64)(aa.limb[1]) + accum7 += bv * (uint64)(aa.limb[2]) + accum8 += bv * (uint64)(aa.limb[3]) + accum9 += bv * (uint64)(aa.limb[4]) + accum10 += bv * (uint64)(aa.limb[5]) + accum11 += bv * (uint64)(aa.limb[6]) + accum12 += bv * (uint64)(aa.limb[7]) + accum13 += bv * (uint64)(aa.limb[8]) + accum14 += bv * (uint64)(aa.limb[9]) + accum15 += bv * (uint64)(aa.limb[10]) + accum0 += bv * (uint64)(aa.limb[11]) + accum1 += bv * (uint64)(aa.limb[12]) + accum2 += bv * (uint64)(aa.limb[13]) + accum3 += bv * (uint64)(aa.limb[14]) + accum4 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-5)^(x448Limbs/2)] += aa.limb[x448Limbs-1-5] + + bv = (uint64)(b.limb[6]) + accum6 += bv * (uint64)(aa.limb[0]) + accum7 += bv * (uint64)(aa.limb[1]) + accum8 += bv * (uint64)(aa.limb[2]) + accum9 += bv * (uint64)(aa.limb[3]) + accum10 += bv * (uint64)(aa.limb[4]) + accum11 += bv * (uint64)(aa.limb[5]) + accum12 += bv * (uint64)(aa.limb[6]) + accum13 += bv * (uint64)(aa.limb[7]) + accum14 += bv * (uint64)(aa.limb[8]) + accum15 += bv * (uint64)(aa.limb[9]) + accum0 += bv * (uint64)(aa.limb[10]) + accum1 += bv * (uint64)(aa.limb[11]) + accum2 += bv * (uint64)(aa.limb[12]) + accum3 += bv * (uint64)(aa.limb[13]) + accum4 += bv * (uint64)(aa.limb[14]) + accum5 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-6)^(x448Limbs/2)] += aa.limb[x448Limbs-1-6] + + bv = (uint64)(b.limb[7]) + accum7 += bv * (uint64)(aa.limb[0]) + accum8 += bv * (uint64)(aa.limb[1]) + accum9 += bv * (uint64)(aa.limb[2]) + accum10 += bv * (uint64)(aa.limb[3]) + accum11 += bv * 
(uint64)(aa.limb[4]) + accum12 += bv * (uint64)(aa.limb[5]) + accum13 += bv * (uint64)(aa.limb[6]) + accum14 += bv * (uint64)(aa.limb[7]) + accum15 += bv * (uint64)(aa.limb[8]) + accum0 += bv * (uint64)(aa.limb[9]) + accum1 += bv * (uint64)(aa.limb[10]) + accum2 += bv * (uint64)(aa.limb[11]) + accum3 += bv * (uint64)(aa.limb[12]) + accum4 += bv * (uint64)(aa.limb[13]) + accum5 += bv * (uint64)(aa.limb[14]) + accum6 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-7)^(x448Limbs/2)] += aa.limb[x448Limbs-1-7] + + bv = (uint64)(b.limb[8]) + accum8 += bv * (uint64)(aa.limb[0]) + accum9 += bv * (uint64)(aa.limb[1]) + accum10 += bv * (uint64)(aa.limb[2]) + accum11 += bv * (uint64)(aa.limb[3]) + accum12 += bv * (uint64)(aa.limb[4]) + accum13 += bv * (uint64)(aa.limb[5]) + accum14 += bv * (uint64)(aa.limb[6]) + accum15 += bv * (uint64)(aa.limb[7]) + accum0 += bv * (uint64)(aa.limb[8]) + accum1 += bv * (uint64)(aa.limb[9]) + accum2 += bv * (uint64)(aa.limb[10]) + accum3 += bv * (uint64)(aa.limb[11]) + accum4 += bv * (uint64)(aa.limb[12]) + accum5 += bv * (uint64)(aa.limb[13]) + accum6 += bv * (uint64)(aa.limb[14]) + accum7 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-8)^(x448Limbs/2)] += aa.limb[x448Limbs-1-8] + + bv = (uint64)(b.limb[9]) + accum9 += bv * (uint64)(aa.limb[0]) + accum10 += bv * (uint64)(aa.limb[1]) + accum11 += bv * (uint64)(aa.limb[2]) + accum12 += bv * (uint64)(aa.limb[3]) + accum13 += bv * (uint64)(aa.limb[4]) + accum14 += bv * (uint64)(aa.limb[5]) + accum15 += bv * (uint64)(aa.limb[6]) + accum0 += bv * (uint64)(aa.limb[7]) + accum1 += bv * (uint64)(aa.limb[8]) + accum2 += bv * (uint64)(aa.limb[9]) + accum3 += bv * (uint64)(aa.limb[10]) + accum4 += bv * (uint64)(aa.limb[11]) + accum5 += bv * (uint64)(aa.limb[12]) + accum6 += bv * (uint64)(aa.limb[13]) + accum7 += bv * (uint64)(aa.limb[14]) + accum8 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-9)^(x448Limbs/2)] += aa.limb[x448Limbs-1-9] + + bv = (uint64)(b.limb[10]) + accum10 += bv * 
(uint64)(aa.limb[0]) + accum11 += bv * (uint64)(aa.limb[1]) + accum12 += bv * (uint64)(aa.limb[2]) + accum13 += bv * (uint64)(aa.limb[3]) + accum14 += bv * (uint64)(aa.limb[4]) + accum15 += bv * (uint64)(aa.limb[5]) + accum0 += bv * (uint64)(aa.limb[6]) + accum1 += bv * (uint64)(aa.limb[7]) + accum2 += bv * (uint64)(aa.limb[8]) + accum3 += bv * (uint64)(aa.limb[9]) + accum4 += bv * (uint64)(aa.limb[10]) + accum5 += bv * (uint64)(aa.limb[11]) + accum6 += bv * (uint64)(aa.limb[12]) + accum7 += bv * (uint64)(aa.limb[13]) + accum8 += bv * (uint64)(aa.limb[14]) + accum9 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-10)^(x448Limbs/2)] += aa.limb[x448Limbs-1-10] + + bv = (uint64)(b.limb[11]) + accum11 += bv * (uint64)(aa.limb[0]) + accum12 += bv * (uint64)(aa.limb[1]) + accum13 += bv * (uint64)(aa.limb[2]) + accum14 += bv * (uint64)(aa.limb[3]) + accum15 += bv * (uint64)(aa.limb[4]) + accum0 += bv * (uint64)(aa.limb[5]) + accum1 += bv * (uint64)(aa.limb[6]) + accum2 += bv * (uint64)(aa.limb[7]) + accum3 += bv * (uint64)(aa.limb[8]) + accum4 += bv * (uint64)(aa.limb[9]) + accum5 += bv * (uint64)(aa.limb[10]) + accum6 += bv * (uint64)(aa.limb[11]) + accum7 += bv * (uint64)(aa.limb[12]) + accum8 += bv * (uint64)(aa.limb[13]) + accum9 += bv * (uint64)(aa.limb[14]) + accum10 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-11)^(x448Limbs/2)] += aa.limb[x448Limbs-1-11] + + bv = (uint64)(b.limb[12]) + accum12 += bv * (uint64)(aa.limb[0]) + accum13 += bv * (uint64)(aa.limb[1]) + accum14 += bv * (uint64)(aa.limb[2]) + accum15 += bv * (uint64)(aa.limb[3]) + accum0 += bv * (uint64)(aa.limb[4]) + accum1 += bv * (uint64)(aa.limb[5]) + accum2 += bv * (uint64)(aa.limb[6]) + accum3 += bv * (uint64)(aa.limb[7]) + accum4 += bv * (uint64)(aa.limb[8]) + accum5 += bv * (uint64)(aa.limb[9]) + accum6 += bv * (uint64)(aa.limb[10]) + accum7 += bv * (uint64)(aa.limb[11]) + accum8 += bv * (uint64)(aa.limb[12]) + accum9 += bv * (uint64)(aa.limb[13]) + accum10 += bv * (uint64)(aa.limb[14]) 
+ accum11 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-12)^(x448Limbs/2)] += aa.limb[x448Limbs-1-12] + + bv = (uint64)(b.limb[13]) + accum13 += bv * (uint64)(aa.limb[0]) + accum14 += bv * (uint64)(aa.limb[1]) + accum15 += bv * (uint64)(aa.limb[2]) + accum0 += bv * (uint64)(aa.limb[3]) + accum1 += bv * (uint64)(aa.limb[4]) + accum2 += bv * (uint64)(aa.limb[5]) + accum3 += bv * (uint64)(aa.limb[6]) + accum4 += bv * (uint64)(aa.limb[7]) + accum5 += bv * (uint64)(aa.limb[8]) + accum6 += bv * (uint64)(aa.limb[9]) + accum7 += bv * (uint64)(aa.limb[10]) + accum8 += bv * (uint64)(aa.limb[11]) + accum9 += bv * (uint64)(aa.limb[12]) + accum10 += bv * (uint64)(aa.limb[13]) + accum11 += bv * (uint64)(aa.limb[14]) + accum12 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-13)^(x448Limbs/2)] += aa.limb[x448Limbs-1-13] + + bv = (uint64)(b.limb[14]) + accum14 += bv * (uint64)(aa.limb[0]) + accum15 += bv * (uint64)(aa.limb[1]) + accum0 += bv * (uint64)(aa.limb[2]) + accum1 += bv * (uint64)(aa.limb[3]) + accum2 += bv * (uint64)(aa.limb[4]) + accum3 += bv * (uint64)(aa.limb[5]) + accum4 += bv * (uint64)(aa.limb[6]) + accum5 += bv * (uint64)(aa.limb[7]) + accum6 += bv * (uint64)(aa.limb[8]) + accum7 += bv * (uint64)(aa.limb[9]) + accum8 += bv * (uint64)(aa.limb[10]) + accum9 += bv * (uint64)(aa.limb[11]) + accum10 += bv * (uint64)(aa.limb[12]) + accum11 += bv * (uint64)(aa.limb[13]) + accum12 += bv * (uint64)(aa.limb[14]) + accum13 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-14)^(x448Limbs/2)] += aa.limb[x448Limbs-1-14] + + bv = (uint64)(b.limb[15]) + accum15 += bv * (uint64)(aa.limb[0]) + accum0 += bv * (uint64)(aa.limb[1]) + accum1 += bv * (uint64)(aa.limb[2]) + accum2 += bv * (uint64)(aa.limb[3]) + accum3 += bv * (uint64)(aa.limb[4]) + accum4 += bv * (uint64)(aa.limb[5]) + accum5 += bv * (uint64)(aa.limb[6]) + accum6 += bv * (uint64)(aa.limb[7]) + accum7 += bv * (uint64)(aa.limb[8]) + accum8 += bv * (uint64)(aa.limb[9]) + accum9 += bv * (uint64)(aa.limb[10]) + 
accum10 += bv * (uint64)(aa.limb[11]) + accum11 += bv * (uint64)(aa.limb[12]) + accum12 += bv * (uint64)(aa.limb[13]) + accum13 += bv * (uint64)(aa.limb[14]) + accum14 += bv * (uint64)(aa.limb[15]) + aa.limb[(x448Limbs-1-15)^(x448Limbs/2)] += aa.limb[x448Limbs-1-15] + + // accum[x448Limbs-1] += accum[x448Limbs-2] >> lBits + // accum[x448Limbs-2] &= lMask + // accum[x448Limbs/2] += accum[x448Limbs-1] >> lBits + accum15 += accum14 >> lBits + accum14 &= lMask + accum8 += accum15 >> lBits + + // for j := uint(0); j < x448Limbs; j++ { + // accum[j] += accum[(j-1)%x448Limbs] >> lBits + // accum[(j-1)%x448Limbs] &= lMask + // } + accum0 += accum15 >> lBits + accum15 &= lMask + accum1 += accum0 >> lBits + accum0 &= lMask + accum2 += accum1 >> lBits + accum1 &= lMask + accum3 += accum2 >> lBits + accum2 &= lMask + accum4 += accum3 >> lBits + accum3 &= lMask + accum5 += accum4 >> lBits + accum4 &= lMask + accum6 += accum5 >> lBits + accum5 &= lMask + accum7 += accum6 >> lBits + accum6 &= lMask + accum8 += accum7 >> lBits + accum7 &= lMask + accum9 += accum8 >> lBits + accum8 &= lMask + accum10 += accum9 >> lBits + accum9 &= lMask + accum11 += accum10 >> lBits + accum10 &= lMask + accum12 += accum11 >> lBits + accum11 &= lMask + accum13 += accum12 >> lBits + accum12 &= lMask + accum14 += accum13 >> lBits + accum13 &= lMask + accum15 += accum14 >> lBits + accum14 &= lMask + + // for j, accv := range accum { + // c.limb[j] = (uint32)(accv) + // } + c.limb[0] = (uint32)(accum0) + c.limb[1] = (uint32)(accum1) + c.limb[2] = (uint32)(accum2) + c.limb[3] = (uint32)(accum3) + c.limb[4] = (uint32)(accum4) + c.limb[5] = (uint32)(accum5) + c.limb[6] = (uint32)(accum6) + c.limb[7] = (uint32)(accum7) + c.limb[8] = (uint32)(accum8) + c.limb[9] = (uint32)(accum9) + c.limb[10] = (uint32)(accum10) + c.limb[11] = (uint32)(accum11) + c.limb[12] = (uint32)(accum12) + c.limb[13] = (uint32)(accum13) + c.limb[14] = (uint32)(accum14) + c.limb[15] = (uint32)(accum15) +} + +// sqr squares (c = x * x). 
Just calls multiply. (PERF) +func (c *gf) sqr(x *gf) { + c.mul(x, x) +} + +// isqrt inverse square roots (y = 1/sqrt(x)), using an addition chain. +func (y *gf) isqrt(x *gf) { + var a, b, c gf + c.sqr(x) + + // XXX/Yawning, could unroll, but this is called only once. + + // STEP(b,x,1); + b.mul(x, &c) + c.cpy(&b) + for i := 0; i < 1; i++ { + c.sqr(&c) + } + + // STEP(b,x,3); + b.mul(x, &c) + c.cpy(&b) + for i := 0; i < 3; i++ { + c.sqr(&c) + } + + //STEP(a,b,3); + a.mul(&b, &c) + c.cpy(&a) + for i := 0; i < 3; i++ { + c.sqr(&c) + } + + // STEP(a,b,9); + a.mul(&b, &c) + c.cpy(&a) + for i := 0; i < 9; i++ { + c.sqr(&c) + } + + // STEP(b,a,1); + b.mul(&a, &c) + c.cpy(&b) + for i := 0; i < 1; i++ { + c.sqr(&c) + } + + // STEP(a,x,18); + a.mul(x, &c) + c.cpy(&a) + for i := 0; i < 18; i++ { + c.sqr(&c) + } + + // STEP(a,b,37); + a.mul(&b, &c) + c.cpy(&a) + for i := 0; i < 37; i++ { + c.sqr(&c) + } + + // STEP(b,a,37); + b.mul(&a, &c) + c.cpy(&b) + for i := 0; i < 37; i++ { + c.sqr(&c) + } + + // STEP(b,a,111); + b.mul(&a, &c) + c.cpy(&b) + for i := 0; i < 111; i++ { + c.sqr(&c) + } + + // STEP(a,b,1); + a.mul(&b, &c) + c.cpy(&a) + for i := 0; i < 1; i++ { + c.sqr(&c) + } + + // STEP(b,x,223); + b.mul(x, &c) + c.cpy(&b) + for i := 0; i < 223; i++ { + c.sqr(&c) + } + + y.mul(&a, &c) +} + +// inv inverses (y = 1/x). 
+func (y *gf) inv(x *gf) { + var z, w gf + z.sqr(x) // x^2 + w.isqrt(&z) // +- 1/sqrt(x^2) = +- 1/x + z.sqr(&w) // 1/x^2 + w.mul(x, &z) // 1/x + y.cpy(&w) +} + +// reduce weakly reduces mod p +func (x *gf) reduce() { + x.limb[x448Limbs/2] += x.limb[x448Limbs-1] >> lBits + + // for j := uint(0); j < x448Limbs; j++ { + // x.limb[j] += x.limb[(j-1)%x448Limbs] >> lBits + // x.limb[(j-1)%x448Limbs] &= lMask + // } + x.limb[0] += x.limb[15] >> lBits + x.limb[15] &= lMask + x.limb[1] += x.limb[0] >> lBits + x.limb[0] &= lMask + x.limb[2] += x.limb[1] >> lBits + x.limb[1] &= lMask + x.limb[3] += x.limb[2] >> lBits + x.limb[2] &= lMask + x.limb[4] += x.limb[3] >> lBits + x.limb[3] &= lMask + x.limb[5] += x.limb[4] >> lBits + x.limb[4] &= lMask + x.limb[6] += x.limb[5] >> lBits + x.limb[5] &= lMask + x.limb[7] += x.limb[6] >> lBits + x.limb[6] &= lMask + x.limb[8] += x.limb[7] >> lBits + x.limb[7] &= lMask + x.limb[9] += x.limb[8] >> lBits + x.limb[8] &= lMask + x.limb[10] += x.limb[9] >> lBits + x.limb[9] &= lMask + x.limb[11] += x.limb[10] >> lBits + x.limb[10] &= lMask + x.limb[12] += x.limb[11] >> lBits + x.limb[11] &= lMask + x.limb[13] += x.limb[12] >> lBits + x.limb[12] &= lMask + x.limb[14] += x.limb[13] >> lBits + x.limb[13] &= lMask + x.limb[15] += x.limb[14] >> lBits + x.limb[14] &= lMask +} + +// add adds mod p. Conservatively always weak-reduces. 
(PERF) +func (x *gf) add(y, z *gf) { + // for i, yv := range y.limb { + // x.limb[i] = yv + z.limb[i] + // } + x.limb[0] = y.limb[0] + z.limb[0] + x.limb[1] = y.limb[1] + z.limb[1] + x.limb[2] = y.limb[2] + z.limb[2] + x.limb[3] = y.limb[3] + z.limb[3] + x.limb[4] = y.limb[4] + z.limb[4] + x.limb[5] = y.limb[5] + z.limb[5] + x.limb[6] = y.limb[6] + z.limb[6] + x.limb[7] = y.limb[7] + z.limb[7] + x.limb[8] = y.limb[8] + z.limb[8] + x.limb[9] = y.limb[9] + z.limb[9] + x.limb[10] = y.limb[10] + z.limb[10] + x.limb[11] = y.limb[11] + z.limb[11] + x.limb[12] = y.limb[12] + z.limb[12] + x.limb[13] = y.limb[13] + z.limb[13] + x.limb[14] = y.limb[14] + z.limb[14] + x.limb[15] = y.limb[15] + z.limb[15] + + x.reduce() +} + +// sub subtracts mod p. Conservatively always weak-reduces. (PERF) +func (x *gf) sub(y, z *gf) { + // for i, yv := range y.limb { + // x.limb[i] = yv - z.limb[i] + 2*p.limb[i] + // } + x.limb[0] = y.limb[0] - z.limb[0] + 2*lMask + x.limb[1] = y.limb[1] - z.limb[1] + 2*lMask + x.limb[2] = y.limb[2] - z.limb[2] + 2*lMask + x.limb[3] = y.limb[3] - z.limb[3] + 2*lMask + x.limb[4] = y.limb[4] - z.limb[4] + 2*lMask + x.limb[5] = y.limb[5] - z.limb[5] + 2*lMask + x.limb[6] = y.limb[6] - z.limb[6] + 2*lMask + x.limb[7] = y.limb[7] - z.limb[7] + 2*lMask + x.limb[8] = y.limb[8] - z.limb[8] + 2*(lMask-1) + x.limb[9] = y.limb[9] - z.limb[9] + 2*lMask + x.limb[10] = y.limb[10] - z.limb[10] + 2*lMask + x.limb[11] = y.limb[11] - z.limb[11] + 2*lMask + x.limb[12] = y.limb[12] - z.limb[12] + 2*lMask + x.limb[13] = y.limb[13] - z.limb[13] + 2*lMask + x.limb[14] = y.limb[14] - z.limb[14] + 2*lMask + x.limb[15] = y.limb[15] - z.limb[15] + 2*lMask + + x.reduce() +} + +// condSwap swaps x and y in constant time. +func (x *gf) condSwap(y *gf, swap limbUint) { + // for i, xv := range x.limb { + // s := (xv ^ y.limb[i]) & (uint32)(swap) // Sort of dumb, oh well. 
+ // x.limb[i] ^= s + // y.limb[i] ^= s + // } + + var s uint32 + + s = (x.limb[0] ^ y.limb[0]) & (uint32)(swap) + x.limb[0] ^= s + y.limb[0] ^= s + s = (x.limb[1] ^ y.limb[1]) & (uint32)(swap) + x.limb[1] ^= s + y.limb[1] ^= s + s = (x.limb[2] ^ y.limb[2]) & (uint32)(swap) + x.limb[2] ^= s + y.limb[2] ^= s + s = (x.limb[3] ^ y.limb[3]) & (uint32)(swap) + x.limb[3] ^= s + y.limb[3] ^= s + s = (x.limb[4] ^ y.limb[4]) & (uint32)(swap) + x.limb[4] ^= s + y.limb[4] ^= s + s = (x.limb[5] ^ y.limb[5]) & (uint32)(swap) + x.limb[5] ^= s + y.limb[5] ^= s + s = (x.limb[6] ^ y.limb[6]) & (uint32)(swap) + x.limb[6] ^= s + y.limb[6] ^= s + s = (x.limb[7] ^ y.limb[7]) & (uint32)(swap) + x.limb[7] ^= s + y.limb[7] ^= s + s = (x.limb[8] ^ y.limb[8]) & (uint32)(swap) + x.limb[8] ^= s + y.limb[8] ^= s + s = (x.limb[9] ^ y.limb[9]) & (uint32)(swap) + x.limb[9] ^= s + y.limb[9] ^= s + s = (x.limb[10] ^ y.limb[10]) & (uint32)(swap) + x.limb[10] ^= s + y.limb[10] ^= s + s = (x.limb[11] ^ y.limb[11]) & (uint32)(swap) + x.limb[11] ^= s + y.limb[11] ^= s + s = (x.limb[12] ^ y.limb[12]) & (uint32)(swap) + x.limb[12] ^= s + y.limb[12] ^= s + s = (x.limb[13] ^ y.limb[13]) & (uint32)(swap) + x.limb[13] ^= s + y.limb[13] ^= s + s = (x.limb[14] ^ y.limb[14]) & (uint32)(swap) + x.limb[14] ^= s + y.limb[14] ^= s + s = (x.limb[15] ^ y.limb[15]) & (uint32)(swap) + x.limb[15] ^= s + y.limb[15] ^= s +} + +// mlw multiplies by a signed int. NOT CONSTANT TIME wrt the sign of the int, +// but that's ok because it's only ever called with w = -edwardsD. Just uses +// a full multiply. (PERF) +func (a *gf) mlw(b *gf, w int) { + if w > 0 { + ww := gf{[x448Limbs]uint32{(uint32)(w)}} + a.mul(b, &ww) + } else { + // This branch is *NEVER* taken with the current code. + panic("mul called with negative w") + ww := gf{[x448Limbs]uint32{(uint32)(-w)}} + a.mul(b, &ww) + a.sub(&zero, a) + } +} + +// canon canonicalizes. +func (a *gf) canon() { + a.reduce() + + // Subtract p with borrow. 
+ var carry int64 + for i, v := range a.limb { + carry = carry + (int64)(v) - (int64)(p.limb[i]) + a.limb[i] = (uint32)(carry & lMask) + carry >>= lBits + } + + addback := carry + carry = 0 + + // Add it back. + for i, v := range a.limb { + carry = carry + (int64)(v) + (int64)(p.limb[i]&(uint32)(addback)) + a.limb[i] = uint32(carry & lMask) + carry >>= lBits + } +} + +// deser deserializes into the limb representation. +func (s *gf) deser(ser *[x448Bytes]byte) { + var buf uint64 + bits := uint(0) + k := 0 + + for i, v := range ser { + buf |= (uint64)(v) << bits + for bits += 8; (bits >= lBits || i == x448Bytes-1) && k < x448Limbs; bits, buf = bits-lBits, buf>>lBits { + s.limb[k] = (uint32)(buf & lMask) + k++ + } + } +} + +// ser serializes into byte representation. +func (a *gf) ser(ser *[x448Bytes]byte) { + a.canon() + k := 0 + bits := uint(0) + var buf uint64 + for i, v := range a.limb { + buf |= (uint64)(v) << bits + for bits += lBits; (bits >= 8 || i == x448Limbs-1) && k < x448Bytes; bits, buf = bits-8, buf>>8 { + ser[k] = (byte)(buf) + k++ + } + } +} + +func init() { + if x448Limbs != 16 { + panic("x448Limbs != 16, unrolled loops likely broken") + } +} diff --git a/vendor/github.com/cisco/go-hpke/LICENSE b/vendor/github.com/cisco/go-hpke/LICENSE new file mode 100644 index 00000000..a6995a82 --- /dev/null +++ b/vendor/github.com/cisco/go-hpke/LICENSE 
@@ -0,0 +1,25 @@
+BSD 2-Clause License
+
+Copyright (c) 2020, Cisco Systems
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/cisco/go-hpke/README.md b/vendor/github.com/cisco/go-hpke/README.md
new file mode 100644
index 00000000..b5dcc962
--- /dev/null
+++ b/vendor/github.com/cisco/go-hpke/README.md
@@ -0,0 +1,21 @@
+# HPKE
+
+[![Coverage Status](https://coveralls.io/repos/github/cisco/go-hpke/badge.svg?branch=ci)](https://coveralls.io/github/cisco/go-hpke?branch=ci)
+
+This repo provides a Go implementation of the HPKE primitive proposed for discussion at CFRG.
+
+https://tools.ietf.org/html/draft-irtf-cfrg-hpke
+
+## Test vector generation
+
+To generate test vectors, run:
+
+```
+$ HPKE_TEST_VECTORS_OUT=test-vectors.json go test -v -run TestVectorGenerate
+```
+
+To check test vectors, run:
+
+```
+$ HPKE_TEST_VECTORS_IN=test-vectors.json go test -v -run TestVectorVerify
+```
diff --git a/vendor/github.com/cisco/go-hpke/crypto.go b/vendor/github.com/cisco/go-hpke/crypto.go
new file mode 100644
index 00000000..a5ed1a37
--- /dev/null
+++ b/vendor/github.com/cisco/go-hpke/crypto.go
@@ -0,0 +1,990 @@ +package hpke + +import ( + "bytes" + "crypto" + "crypto/aes" + "crypto/cipher" + "crypto/elliptic" + "crypto/hmac" + "crypto/rand" + "crypto/subtle" + "encoding/binary" + "fmt" + "io" + "math/big" + mrand "math/rand" + + _ "crypto/sha256" + _ "crypto/sha512" + + "git.schwanenlied.me/yawning/x448.git" + "github.com/cloudflare/circl/dh/sidh" + "golang.org/x/crypto/chacha20poly1305" + "golang.org/x/crypto/curve25519" +) + +//////// +// DHKEM + +type dhScheme interface { + ID() KEMID + DeriveKeyPair(ikm []byte) (KEMPrivateKey, KEMPublicKey, error) + Serialize(pk KEMPublicKey) []byte + Deserialize(enc []byte) (KEMPublicKey, error) + DH(priv KEMPrivateKey, pub KEMPublicKey) ([]byte, error) + PublicKeySize() int + PrivateKeySize() int + + SerializePrivate(sk KEMPrivateKey) []byte + DeserializePrivate(enc []byte) (KEMPrivateKey, error) + + internalKDF() KDFScheme +} + +type dhkemScheme struct { + group dhScheme + skE KEMPrivateKey +} + +func (s dhkemScheme) ID() KEMID { + return s.group.ID() +} + +func (s dhkemScheme) DeriveKeyPair(ikm []byte) (KEMPrivateKey, KEMPublicKey, error) { + return s.group.DeriveKeyPair(ikm) +} + +func (s dhkemScheme) Serialize(pk KEMPublicKey) []byte { + return s.group.Serialize(pk) +} + +func (s dhkemScheme) SerializePrivate(sk KEMPrivateKey) []byte { + return s.group.SerializePrivate(sk) +} + +func (s dhkemScheme) Deserialize(enc []byte) (KEMPublicKey, error) { + return s.group.Deserialize(enc) +} + +func (s dhkemScheme) DeserializePrivate(enc []byte) (KEMPrivateKey, error) { + return s.group.DeserializePrivate(enc) +} + +func (s *dhkemScheme) setEphemeralKeyPair(skE KEMPrivateKey) { + s.skE = skE +} + +func (s dhkemScheme) getEphemeralKeyPair(rand io.Reader) (KEMPrivateKey, KEMPublicKey, error) { + if s.skE != nil { + return s.skE, s.skE.PublicKey(), nil + } + + ikm := make([]byte, s.PrivateKeySize()) + rand.Read(ikm) + + return s.group.DeriveKeyPair(ikm) +} + +func (s dhkemScheme) extractAndExpand(dh []byte, kemContext 
[]byte, Nsecret int) []byte { + suiteID := kemSuiteFromID(s.ID()) + eae_prk := s.group.internalKDF().LabeledExtract(nil, suiteID, "eae_prk", dh) + return s.group.internalKDF().LabeledExpand(eae_prk, suiteID, "shared_secret", kemContext, Nsecret) +} + +func (s dhkemScheme) Encap(rand io.Reader, pkR KEMPublicKey) ([]byte, []byte, error) { + skE, pkE, err := s.getEphemeralKeyPair(rand) + if err != nil { + return nil, nil, err + } + + dh, err := s.group.DH(skE, pkR) + if err != nil { + return nil, nil, err + } + + enc := s.group.Serialize(pkE) + pkRm := s.group.Serialize(pkR) + + kemContext := make([]byte, len(enc)+len(pkRm)) + copy(kemContext, enc) + copy(kemContext[len(enc):], pkRm) + + Nsecret := s.group.internalKDF().OutputSize() + sharedSecret := s.extractAndExpand(dh, kemContext, Nsecret) + + return sharedSecret, enc, nil +} + +func (s dhkemScheme) Decap(enc []byte, skR KEMPrivateKey) ([]byte, error) { + pkE, err := s.group.Deserialize(enc) + if err != nil { + return nil, err + } + + dh, err := s.group.DH(skR, pkE) + if err != nil { + return nil, err + } + + pkRm := s.group.Serialize(skR.PublicKey()) + + kemContext := make([]byte, len(enc)+len(pkRm)) + copy(kemContext, enc) + copy(kemContext[len(enc):], pkRm) + + Nsecret := s.group.internalKDF().OutputSize() + sharedSecret := s.extractAndExpand(dh, kemContext, Nsecret) + + return sharedSecret, nil +} + +func (s dhkemScheme) AuthEncap(rand io.Reader, pkR KEMPublicKey, skS KEMPrivateKey) ([]byte, []byte, error) { + skE, pkE, err := s.getEphemeralKeyPair(rand) + if err != nil { + return nil, nil, err + } + + dhER, err := s.group.DH(skE, pkR) + if err != nil { + return nil, nil, err + } + + dhIR, err := s.group.DH(skS, pkR) + if err != nil { + return nil, nil, err + } + + dh := append(dhER, dhIR...) 
+ + enc := s.group.Serialize(pkE) + pkRm := s.group.Serialize(pkR) + pkSm := s.group.Serialize(skS.PublicKey()) + + Nenc := len(enc) + Npk := len(pkRm) + Nsk := len(pkSm) + kemContext := make([]byte, Nenc+Npk+Nsk) + copy(kemContext[:Nenc], enc) + copy(kemContext[Nenc:Nenc+Npk], pkRm) + copy(kemContext[Nenc+Npk:], pkSm) + + Nsecret := s.group.internalKDF().OutputSize() + sharedSecret := s.extractAndExpand(dh, kemContext, Nsecret) + + return sharedSecret, enc, nil +} + +func (s dhkemScheme) AuthDecap(enc []byte, skR KEMPrivateKey, pkS KEMPublicKey) ([]byte, error) { + pkE, err := s.group.Deserialize(enc) + if err != nil { + return nil, err + } + + dhER, err := s.group.DH(skR, pkE) + if err != nil { + return nil, err + } + + dhIR, err := s.group.DH(skR, pkS) + if err != nil { + return nil, err + } + + dh := append(dhER, dhIR...) + + pkRm := s.group.Serialize(skR.PublicKey()) + pkSm := s.group.Serialize(pkS) + + Nenc := len(enc) + Npk := len(pkRm) + Nsk := len(pkSm) + kemContext := make([]byte, Nenc+Npk+Nsk) + copy(kemContext[:Nenc], enc) + copy(kemContext[Nenc:Nenc+Npk], pkRm) + copy(kemContext[Nenc+Npk:], pkSm) + + Nsecret := s.group.internalKDF().OutputSize() + sharedSecret := s.extractAndExpand(dh, kemContext, Nsecret) + + return sharedSecret, nil +} + +func (s dhkemScheme) PublicKeySize() int { + return s.group.PublicKeySize() +} + +func (s dhkemScheme) PrivateKeySize() int { + return s.group.PrivateKeySize() +} + +//////////////////////// +// ECDH with NIST curves + +type ecdhPrivateKey struct { + curve elliptic.Curve + d []byte + x, y *big.Int +} + +func (priv ecdhPrivateKey) PublicKey() KEMPublicKey { + return &ecdhPublicKey{priv.curve, priv.x, priv.y} +} + +type ecdhPublicKey struct { + curve elliptic.Curve + x, y *big.Int +} + +type ecdhScheme struct { + curve elliptic.Curve + KDF KDFScheme + skE KEMPrivateKey +} + +func (s ecdhScheme) internalKDF() KDFScheme { + return s.KDF +} + +func (s ecdhScheme) ID() KEMID { + switch s.curve.Params().Name { + case 
"P-256": + return DHKEM_P256 + case "P-521": + return DHKEM_P521 + } + panic(fmt.Sprintf("Unsupported curve: %s", s.curve.Params().Name)) +} + +func (s ecdhScheme) privateKeyBitmask() uint8 { + switch s.curve.Params().Name { + case "P-256": + return 0xFF + case "P-521": + return 0x01 + } + panic(fmt.Sprintf("Unsupported curve: %s", s.curve.Params().Name)) +} + +func (s ecdhScheme) DeriveKeyPair(ikm []byte) (KEMPrivateKey, KEMPublicKey, error) { + suiteID := kemSuiteFromID(s.ID()) + dkp_prk := s.KDF.LabeledExtract(nil, suiteID, "dkp_prk", ikm) + counter := 0 + for { + if counter > 255 { + return nil, nil, fmt.Errorf("Error deriving key pair") + } + + bytes := s.KDF.LabeledExpand(dkp_prk, suiteID, "candidate", []byte{uint8(counter)}, s.PrivateKeySize()) + bytes[0] = bytes[0] & s.privateKeyBitmask() + + sk, err := s.DeserializePrivate(bytes) + if err == nil { + return sk, sk.PublicKey(), nil + } + + counter = counter + 1 + } + + return nil, nil, fmt.Errorf("Error deriving key pair") +} + +func (s ecdhScheme) Serialize(pk KEMPublicKey) []byte { + if pk == nil { + return nil + } + raw := pk.(*ecdhPublicKey) + return elliptic.Marshal(raw.curve, raw.x, raw.y) +} + +func (s ecdhScheme) SerializePrivate(sk KEMPrivateKey) []byte { + if sk == nil { + return nil + } + + raw := sk.(*ecdhPrivateKey) + copied := make([]byte, len(raw.d)) + copy(copied, raw.d) + return copied +} + +func (s ecdhScheme) Deserialize(enc []byte) (KEMPublicKey, error) { + x, y := elliptic.Unmarshal(s.curve, enc) + if x == nil { + return nil, fmt.Errorf("Error deserializing public key") + } + + return &ecdhPublicKey{s.curve, x, y}, nil +} + +func (s ecdhScheme) DeserializePrivate(enc []byte) (KEMPrivateKey, error) { + if enc == nil { + return nil, fmt.Errorf("Invalid input") + } + + x, y := s.curve.Params().ScalarBaseMult(enc) + return &ecdhPrivateKey{s.curve, enc, x, y}, nil +} + +func (s ecdhScheme) DH(priv KEMPrivateKey, pub KEMPublicKey) ([]byte, error) { + ecdhPriv, ok := priv.(*ecdhPrivateKey) + if 
!ok { + return nil, fmt.Errorf("Private key not suitable for ECDH") + } + + ecdhPub, ok := pub.(*ecdhPublicKey) + if !ok { + return nil, fmt.Errorf("Public key not suitable for ECDH") + } + + x, _ := s.curve.Params().ScalarMult(ecdhPub.x, ecdhPub.y, ecdhPriv.d) + xx := x.Bytes() + + size := (s.curve.Params().BitSize + 7) >> 3 + pad := make([]byte, size-len(xx)) + dh := append(pad, xx...) + + return dh, nil +} + +func (s ecdhScheme) PublicKeySize() int { + feSize := (s.curve.Params().BitSize + 7) >> 3 + return 1 + 2*feSize +} + +func (s ecdhScheme) PrivateKeySize() int { + return (s.curve.Params().BitSize + 7) >> 3 +} + +/////////////////// +// ECDH with X25519 + +type x25519PrivateKey struct { + val [32]byte +} + +func (priv x25519PrivateKey) PublicKey() KEMPublicKey { + pub := &x25519PublicKey{} + curve25519.ScalarBaseMult(&pub.val, &priv.val) + return pub +} + +type x25519PublicKey struct { + val [32]byte +} + +type x25519Scheme struct { + skE KEMPrivateKey +} + +func (s x25519Scheme) internalKDF() KDFScheme { + return hkdfScheme{hash: crypto.SHA256} +} + +func (s x25519Scheme) ID() KEMID { + return DHKEM_X25519 +} + +func (s x25519Scheme) DeriveKeyPair(ikm []byte) (KEMPrivateKey, KEMPublicKey, error) { + suiteID := kemSuiteFromID(s.ID()) + dkp_prk := s.internalKDF().LabeledExtract(nil, suiteID, "dkp_prk", ikm) + sk_bytes := s.internalKDF().LabeledExpand(dkp_prk, suiteID, "sk", nil, s.PrivateKeySize()) + sk, err := s.DeserializePrivate(sk_bytes) + if err != nil { + return nil, nil, err + } else { + return sk, sk.PublicKey(), nil + } +} + +func (s x25519Scheme) Serialize(pk KEMPublicKey) []byte { + if pk == nil { + return nil + } + raw := pk.(*x25519PublicKey) + return raw.val[:] +} + +func (s x25519Scheme) SerializePrivate(sk KEMPrivateKey) []byte { + if sk == nil { + return nil + } + raw := sk.(*x25519PrivateKey) + return raw.val[:] +} + +func (s x25519Scheme) Deserialize(enc []byte) (KEMPublicKey, error) { + if len(enc) != 32 { + return nil, fmt.Errorf("Error 
deserializing X25519 public key") + } + + pub := &x25519PublicKey{} + copy(pub.val[:], enc) + return pub, nil +} + +func (s x25519Scheme) DeserializePrivate(enc []byte) (KEMPrivateKey, error) { + if enc == nil { + return nil, fmt.Errorf("Invalid input") + } + + if len(enc) != 32 { + return nil, fmt.Errorf("Error deserializing X25519 private key") + } + + key := &x25519PrivateKey{} + copy(key.val[:], enc[0:32]) + return key, nil +} + +func (s x25519Scheme) DH(priv KEMPrivateKey, pub KEMPublicKey) ([]byte, error) { + xPriv, ok := priv.(*x25519PrivateKey) + if !ok { + return nil, fmt.Errorf("Private key not suitable for X25519: %+v", priv) + } + + xPub, ok := pub.(*x25519PublicKey) + if !ok { + return nil, fmt.Errorf("Private key not suitable for X25519") + } + + sharedSecret, err := curve25519.X25519(xPriv.val[:], xPub.val[:]) + return sharedSecret, err +} + +func (s x25519Scheme) PublicKeySize() int { + return 32 +} + +func (s x25519Scheme) PrivateKeySize() int { + return 32 +} + +/////////////////// +// ECDH with X448 + +type x448PrivateKey struct { + val [56]byte +} + +func (priv x448PrivateKey) PublicKey() KEMPublicKey { + pub := &x448PublicKey{} + x448.ScalarBaseMult(&pub.val, &priv.val) + return pub +} + +type x448PublicKey struct { + val [56]byte +} + +type x448Scheme struct { + skE KEMPrivateKey +} + +func (s x448Scheme) internalKDF() KDFScheme { + return hkdfScheme{hash: crypto.SHA512} +} + +func (s x448Scheme) ID() KEMID { + return DHKEM_X448 +} + +func (s x448Scheme) DeriveKeyPair(ikm []byte) (KEMPrivateKey, KEMPublicKey, error) { + suiteID := kemSuiteFromID(s.ID()) + dkp_prk := s.internalKDF().LabeledExtract(nil, suiteID, "dkp_prk", ikm) + sk_bytes := s.internalKDF().LabeledExpand(dkp_prk, suiteID, "sk", nil, s.PrivateKeySize()) + sk, err := s.DeserializePrivate(sk_bytes) + if err != nil { + return nil, nil, err + } else { + return sk, sk.PublicKey(), nil + } +} + +func (s x448Scheme) Serialize(pk KEMPublicKey) []byte { + if pk == nil { + return nil + } + 
raw := pk.(*x448PublicKey) + return raw.val[:] +} + +func (s x448Scheme) SerializePrivate(sk KEMPrivateKey) []byte { + if sk == nil { + return nil + } + raw := sk.(*x448PrivateKey) + return raw.val[:] +} + +func (s x448Scheme) Deserialize(enc []byte) (KEMPublicKey, error) { + if len(enc) != 56 { + return nil, fmt.Errorf("Error deserializing X448 public key") + } + + pub := &x448PublicKey{} + copy(pub.val[:], enc) + return pub, nil +} + +func (s x448Scheme) DeserializePrivate(enc []byte) (KEMPrivateKey, error) { + if enc == nil { + return nil, fmt.Errorf("Invalid input") + } + + if len(enc) != 56 { + return nil, fmt.Errorf("Error deserializing X448 private key") + } + + key := &x448PrivateKey{} + copy(key.val[:], enc[0:56]) + return key, nil +} + +func (s x448Scheme) DH(priv KEMPrivateKey, pub KEMPublicKey) ([]byte, error) { + xPriv, ok := priv.(*x448PrivateKey) + if !ok { + return nil, fmt.Errorf("Private key not suitable for X448: %+v", priv) + } + + xPub, ok := pub.(*x448PublicKey) + if !ok { + return nil, fmt.Errorf("Public key not suitable for X448: %+v", pub) + } + + var sharedSecret, zero [56]byte + x448.ScalarMult(&sharedSecret, &xPriv.val, &xPub.val) + if subtle.ConstantTimeCompare(sharedSecret[:], zero[:]) == 1 { + return nil, fmt.Errorf("bad input point: low order point") + } + + return sharedSecret[:], nil +} + +func (s x448Scheme) PublicKeySize() int { + return 56 +} + +func (s x448Scheme) PrivateKeySize() int { + return 56 +} + +/////// +// SIKE + +type sikePublicKey struct { + field uint8 + pub *sidh.PublicKey +} + +type sikePrivateKey struct { + field uint8 + priv *sidh.PrivateKey + pub *sidh.PublicKey +} + +func (priv sikePrivateKey) PublicKey() KEMPublicKey { + return &sikePublicKey{priv.field, priv.pub} +} + +type sikeScheme struct { + field uint8 + KDF KDFScheme +} + +func (s sikeScheme) internalKDF() KDFScheme { + return s.KDF +} + +func (s sikeScheme) ID() KEMID { + switch s.field { + case sidh.Fp503: + return KEM_SIKE503 + case sidh.Fp751: + 
return KEM_SIKE751 + } + panic(fmt.Sprintf("Unsupported field: %d", s.field)) +} + +func (s sikeScheme) generateKeyPair(rand io.Reader) (KEMPrivateKey, KEMPublicKey, error) { + rawPriv := sidh.NewPrivateKey(s.field, sidh.KeyVariantSike) + err := rawPriv.Generate(rand) + if err != nil { + return nil, nil, err + } + + rawPub := sidh.NewPublicKey(s.field, sidh.KeyVariantSike) + rawPriv.GeneratePublicKey(rawPub) + + priv := &sikePrivateKey{s.field, rawPriv, rawPub} + return priv, priv.PublicKey(), nil +} + +func (s sikeScheme) DeriveKeyPair(ikm []byte) (KEMPrivateKey, KEMPublicKey, error) { + // Note: DeriveKeyPair is not specified for SIKE, so we just use IKM to + // seed a DRBG, and then re-use the other APIs for generating key pairs + // from randomness. + var seed int64 + ikmReader := bytes.NewReader(ikm) + if err := binary.Read(ikmReader, binary.BigEndian, &seed); err != nil { + return nil, nil, fmt.Errorf("Error deriving key pair") + } + + source := mrand.NewSource(seed) + return s.generateKeyPair(mrand.New(source)) +} + +func (s sikeScheme) Serialize(pk KEMPublicKey) []byte { + if pk == nil { + return nil + } + raw := pk.(*sikePublicKey) + out := make([]byte, raw.pub.Size()) + raw.pub.Export(out) + return out +} + +func (s sikeScheme) SerializePrivate(sk KEMPrivateKey) []byte { + panic("Not implemented") + return nil +} + +func (s sikeScheme) Deserialize(enc []byte) (KEMPublicKey, error) { + rawPub := sidh.NewPublicKey(s.field, sidh.KeyVariantSike) + if len(enc) != rawPub.Size() { + return nil, fmt.Errorf("Invalid public key size: got %d, expected %d", len(enc), rawPub.Size()) + } + + err := rawPub.Import(enc) + if err != nil { + return nil, err + } + + return &sikePublicKey{s.field, rawPub}, nil +} + +func (s sikeScheme) DeserializePrivate(enc []byte) (KEMPrivateKey, error) { + panic("Not implemented") + return nil, nil +} + +func (s sikeScheme) newKEM(rand io.Reader) (*sidh.KEM, error) { + switch s.field { + case sidh.Fp503: + return sidh.NewSike503(rand), nil 
+ case sidh.Fp751: + return sidh.NewSike751(rand), nil + } + return nil, fmt.Errorf("Invalid field") +} + +func (s sikeScheme) Encap(rand io.Reader, pkR KEMPublicKey) ([]byte, []byte, error) { + raw := pkR.(*sikePublicKey) + + kem, err := s.newKEM(rand) + if err != nil { + return nil, nil, err + } + + enc := make([]byte, kem.CiphertextSize()) + sharedSecret := make([]byte, s.KDF.OutputSize()) + err = kem.Encapsulate(enc, sharedSecret, raw.pub) + if err != nil { + return nil, nil, err + } + + return sharedSecret, enc, nil +} + +type panicReader struct{} + +func (p panicReader) Read(unused []byte) (int, error) { + panic("Should not read") +} + +func (s sikeScheme) Decap(enc []byte, skR KEMPrivateKey) ([]byte, error) { + raw := skR.(*sikePrivateKey) + + kem, err := s.newKEM(panicReader{}) + if err != nil { + return nil, err + } + + sharedSecret := make([]byte, s.KDF.OutputSize()) + err = kem.Decapsulate(sharedSecret, raw.priv, raw.pub, enc) + if err != nil { + return nil, err + } + + return sharedSecret, nil +} + +func (s sikeScheme) PublicKeySize() int { + rawPub := sidh.NewPublicKey(s.field, sidh.KeyVariantSike) + return rawPub.Size() +} + +func (s sikeScheme) PrivateKeySize() int { + rawPriv := sidh.NewPrivateKey(s.field, sidh.KeyVariantSike) + err := rawPriv.Generate(rand.Reader) + if err != nil { + panic("PrivateKeySize failed") + } + + return rawPriv.Size() +} + +func (s sikeScheme) setEphemeralKeyPair(skE KEMPrivateKey) { + panic("SIKE cannot use a pre-set ephemeral key pair") +} + +////////// +// AES-GCM + +type aesgcmScheme struct { + keySize int +} + +func (s aesgcmScheme) ID() AEADID { + switch s.keySize { + case 16: + return AEAD_AESGCM128 + case 32: + return AEAD_AESGCM256 + } + panic(fmt.Sprintf("Unsupported key size: %d", s.keySize)) + +} + +func (s aesgcmScheme) New(key []byte) (cipher.AEAD, error) { + if len(key) != s.keySize { + return nil, fmt.Errorf("Incorrect key size %d != %d", len(key), s.keySize) + } + + block, err := aes.NewCipher(key) + if 
err != nil { + return nil, err + } + + return cipher.NewGCM(block) +} + +func (s aesgcmScheme) KeySize() int { + return s.keySize +} + +func (s aesgcmScheme) NonceSize() int { + return 12 +} + +////////// +// ChaCha20-Poly1305 + +type chachaPolyScheme struct { +} + +func (s chachaPolyScheme) ID() AEADID { + return AEAD_CHACHA20POLY1305 +} + +func (s chachaPolyScheme) New(key []byte) (cipher.AEAD, error) { + return chacha20poly1305.New(key) +} + +func (s chachaPolyScheme) KeySize() int { + return chacha20poly1305.KeySize +} + +func (s chachaPolyScheme) NonceSize() int { + return chacha20poly1305.NonceSize +} + +/////// +// HKDF + +type hkdfScheme struct { + hash crypto.Hash +} + +func (s hkdfScheme) ID() KDFID { + switch s.hash { + case crypto.SHA256: + return KDF_HKDF_SHA256 + case crypto.SHA384: + return KDF_HKDF_SHA384 + case crypto.SHA512: + return KDF_HKDF_SHA512 + } + panic(fmt.Sprintf("Unsupported hash: %d", s.hash)) +} + +func (s hkdfScheme) Hash(message []byte) []byte { + h := s.hash.New() + h.Write(message) + return h.Sum(nil) +} + +func (s hkdfScheme) Extract(salt, ikm []byte) []byte { + saltOrZero := salt + + // if [salt is] not provided, it is set to a string of HashLen zeros + if salt == nil { + saltOrZero = make([]byte, s.hash.Size()) + } + + h := hmac.New(s.hash.New, saltOrZero) + h.Write(ikm) + return h.Sum(nil) +} + +func (s hkdfScheme) Expand(prk, info []byte, outLen int) []byte { + out := []byte{} + T := []byte{} + i := byte(1) + for len(out) < outLen { + block := append(T, info...) + block = append(block, i) + + h := hmac.New(s.hash.New, prk) + h.Write(block) + + T = h.Sum(nil) + out = append(out, T...) + i++ + } + return out[:outLen] +} + +func (s hkdfScheme) LabeledExtract(salt []byte, suiteID []byte, label string, ikm []byte) []byte { + labeledIKM := append([]byte(rfcLabel), suiteID...) + labeledIKM = append(labeledIKM, []byte(label)...) + labeledIKM = append(labeledIKM, ikm...) 
+ return s.Extract(salt, labeledIKM) +} + +func (s hkdfScheme) LabeledExpand(prk []byte, suiteID []byte, label string, info []byte, L int) []byte { + if L > (1 << 16) { + panic("Expand length cannot be larger than 2^16") + } + + lengthBuffer := make([]byte, 2) + binary.BigEndian.PutUint16(lengthBuffer, uint16(L)) + labeledLength := append(lengthBuffer, []byte(rfcLabel)...) + labeledInfo := append(labeledLength, suiteID...) + labeledInfo = append(labeledInfo, []byte(label)...) + labeledInfo = append(labeledInfo, info...) + + return s.Expand(prk, labeledInfo, L) +} + +func (s hkdfScheme) OutputSize() int { + return s.hash.Size() +} + +/////////////////////////// +// Pre-defined KEM identifiers + +type KEMID uint16 + +const ( + DHKEM_P256 KEMID = 0x0010 + DHKEM_P521 KEMID = 0x0012 + DHKEM_X25519 KEMID = 0x0020 + DHKEM_X448 KEMID = 0x0021 + KEM_SIKE503 KEMID = 0xFFFE + KEM_SIKE751 KEMID = 0xFFFF +) + +var kems = map[KEMID]KEMScheme{ + DHKEM_X25519: &dhkemScheme{group: x25519Scheme{}}, + DHKEM_X448: &dhkemScheme{group: x448Scheme{}}, + DHKEM_P256: &dhkemScheme{group: ecdhScheme{curve: elliptic.P256(), KDF: hkdfScheme{hash: crypto.SHA256}}}, + DHKEM_P521: &dhkemScheme{group: ecdhScheme{curve: elliptic.P521(), KDF: hkdfScheme{hash: crypto.SHA512}}}, + KEM_SIKE503: &sikeScheme{field: sidh.Fp503, KDF: hkdfScheme{hash: crypto.SHA512}}, + KEM_SIKE751: &sikeScheme{field: sidh.Fp751, KDF: hkdfScheme{hash: crypto.SHA512}}, +} + +func newKEMScheme(kemID KEMID) (KEMScheme, bool) { + switch kemID { + case DHKEM_X25519: + return &dhkemScheme{group: x25519Scheme{}}, true + case DHKEM_X448: + return &dhkemScheme{group: x448Scheme{}}, true + case DHKEM_P256: + return &dhkemScheme{group: ecdhScheme{curve: elliptic.P256(), KDF: hkdfScheme{hash: crypto.SHA256}}}, true + case DHKEM_P521: + return &dhkemScheme{group: ecdhScheme{curve: elliptic.P521(), KDF: hkdfScheme{hash: crypto.SHA512}}}, true + case KEM_SIKE503: + return &sikeScheme{field: sidh.Fp503, KDF: hkdfScheme{hash: 
crypto.SHA512}}, true + case KEM_SIKE751: + return &sikeScheme{field: sidh.Fp751, KDF: hkdfScheme{hash: crypto.SHA512}}, true + default: + return nil, false + } +} + +/////////////////////////// +// Pre-defined KDF identifiers + +type KDFID uint16 + +const ( + KDF_HKDF_SHA256 KDFID = 0x0001 + KDF_HKDF_SHA384 KDFID = 0x0002 + KDF_HKDF_SHA512 KDFID = 0x0003 +) + +var kdfs = map[KDFID]KDFScheme{ + KDF_HKDF_SHA256: hkdfScheme{hash: crypto.SHA256}, + KDF_HKDF_SHA384: hkdfScheme{hash: crypto.SHA384}, + KDF_HKDF_SHA512: hkdfScheme{hash: crypto.SHA512}, +} + +/////////////////////////// +// Pre-defined AEAD identifiers + +type AEADID uint16 + +const ( + AEAD_AESGCM128 AEADID = 0x0001 + AEAD_AESGCM256 AEADID = 0x0002 + AEAD_CHACHA20POLY1305 AEADID = 0x0003 +) + +var aeads = map[AEADID]AEADScheme{ + AEAD_AESGCM128: aesgcmScheme{keySize: 16}, + AEAD_AESGCM256: aesgcmScheme{keySize: 32}, + AEAD_CHACHA20POLY1305: chachaPolyScheme{}, +} + +func AssembleCipherSuite(kemID KEMID, kdfID KDFID, aeadID AEADID) (CipherSuite, error) { + kem, ok := newKEMScheme(kemID) + if !ok { + return CipherSuite{}, fmt.Errorf("Unknown KEM id") + } + + kdf, ok := kdfs[kdfID] + if !ok { + return CipherSuite{}, fmt.Errorf("Unknown KDF id") + } + + aead, ok := aeads[aeadID] + if !ok { + return CipherSuite{}, fmt.Errorf("Unknown AEAD id") + } + + return CipherSuite{ + KEM: kem, + KDF: kdf, + AEAD: aead, + }, nil +} + +////////// +// Helpers + +func kemSuiteFromID(id KEMID) []byte { + idBuffer := make([]byte, 2) + binary.BigEndian.PutUint16(idBuffer, uint16(id)) + return append([]byte("KEM"), idBuffer...) +} diff --git a/vendor/github.com/cisco/go-hpke/format_vectors.py b/vendor/github.com/cisco/go-hpke/format_vectors.py new file mode 100644 index 00000000..e521e16a --- /dev/null +++ b/vendor/github.com/cisco/go-hpke/format_vectors.py 
@@ -0,0 +1,133 @@ +import sys +import json +import textwrap + +ordered_keys = [ + # Mode and ciphersuite parameters + "mode", "kem_id", "kdf_id", "aead_id", "info", + # Private key material + "ikmE", "pkEm", "skEm", + "ikmR", "pkRm", "skRm", + "ikmS", "pkSm", "skSm", + "psk", "psk_id", + # Derived context + "enc", "shared_secret", "key_schedule_context", "secret", "key", "base_nonce", "exporter_secret", +] + +ordered_encryption_keys = [ + "plaintext", "aad", "nonce", "ciphertext", +] + +encryption_count_keys = [ + 0, 1, 2, 4, 10, 32, 255, 256, 257 +] + +def entry_kem(entry): + return kemMap[entry["kem_id"]] + +def entry_kem_value(entry): + return entry["kem_id"] + +def entry_kdf(entry): + return kdfMap[entry["kdf_id"]] + +def entry_kdf_value(entry): + return entry["kdf_id"] + +def entry_aead(entry): + return aeadMap[entry["aead_id"]] + +def entry_aead_value(entry): + return entry["aead_id"] + +def entry_mode(entry): + return modeMap[entry["mode"]] + +def entry_mode_value(entry): + return entry["mode"] + +modeBase = 0x00 +modePSK = 0x01 +modeAuth = 0x02 +modeAuthPSK = 0x03 +modeMap = {modeBase: "Base", modePSK: "PSK", modeAuth: "Auth", modeAuthPSK: "AuthPSK"} + +kem_idP256 = 0x0010 +kem_idP521 = 0x0012 +kem_idX25519 = 0x0020 +kemMap = {kem_idX25519: "DHKEM(X25519, HKDF-SHA256)", kem_idP256: "DHKEM(P-256, HKDF-SHA256)", kem_idP521: "DHKEM(P-521, HKDF-SHA512)"} + +kdf_idSHA256 = 0x0001 +kdf_idSHA512 = 0x0003 +kdfMap = {kdf_idSHA256: "HKDF-SHA256", kdf_idSHA512: "HKDF-SHA512"} + +aead_idAES128GCM = 0x0001 +aead_idAES256GCM = 0x0002 +aead_idChaCha20Poly1305 = 0x0003 +aeadMap = {aead_idAES128GCM: "AES-128-GCM", aead_idAES256GCM: "AES-256-GCM", aead_idChaCha20Poly1305: "ChaCha20Poly1305"} + +class CipherSuite(object): + def __init__(self, kem_id, kdf_id, aead_id): + self.kem_id = kem_id + self.kdf_id = kdf_id + self.aead_id = aead_id + + def __str__(self): + return kemMap[self.kem_id] + ", " + kdfMap[self.kdf_id] + ", " + aeadMap[self.aead_id] + + def __repr__(self): + 
return str(self) + + def matches_vector(self, vector): + return self.kem_id == entry_kem_value(vector) and self.kdf_id == entry_kdf_value(vector) and self.aead_id == entry_aead_value(vector) + +testSuites = [ + CipherSuite(kem_idX25519, kdf_idSHA256, aead_idAES128GCM), + CipherSuite(kem_idX25519, kdf_idSHA256, aead_idChaCha20Poly1305), + CipherSuite(kem_idP256, kdf_idSHA256, aead_idAES128GCM), + CipherSuite(kem_idP256, kdf_idSHA512, aead_idAES128GCM), + CipherSuite(kem_idP256, kdf_idSHA256, aead_idChaCha20Poly1305), + CipherSuite(kem_idP521, kdf_idSHA512, aead_idAES256GCM), +] + +def wrap_line(value): + return textwrap.fill(value, width=72) + +def format_encryption(entry, count): + formatted = wrap_line("sequence number: %d" % count) + "\n" + for key in ordered_encryption_keys: + if key in entry: + formatted = formatted + wrap_line(key + ": " + str(entry[key])) + "\n" + return formatted + +def format_encryptions(entry, mode): + formatted = "~~~\n" + for seq_number in encryption_count_keys: + for i, encryption in enumerate(entry["encryptions"]): + if i == seq_number: + formatted = formatted + format_encryption(encryption, i) + if i < len(entry["encryptions"]) - 1: + formatted = formatted + "\n" + return formatted + "~~~" + +def format_vector(entry, mode): + formatted = "~~~\n" + for key in ordered_keys: + if key in entry: + formatted = formatted + wrap_line(key + ": " + str(entry[key])) + "\n" + return formatted + "~~~\n" + +with open(sys.argv[1], "r") as fh: + data = json.load(fh) + for suite in testSuites: + print("## " + str(suite)) + print("") + for mode in [modeBase, modePSK, modeAuth, modeAuthPSK]: + for vector in data: + if suite.matches_vector(vector): + if mode == entry_mode_value(vector): + print("### " + modeMap[mode] + " Setup Information") + print(format_vector(vector, mode)) + print("#### Encryptions") + print(format_encryptions(vector, mode)) + print("") 
diff --git a/vendor/github.com/cisco/go-hpke/go.mod b/vendor/github.com/cisco/go-hpke/go.mod
new file mode 100644
index 00000000..6a2ec2be
--- /dev/null
+++ b/vendor/github.com/cisco/go-hpke/go.mod
@@ -0,0 +1,10 @@
+module github.com/cisco/go-hpke
+
+go 1.14
+
+require (
+ git.schwanenlied.me/yawning/x448.git v0.0.0-20170617130356-01b048fb03d6
+ github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b
+ github.com/cloudflare/circl v1.0.0
+ golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a
+)
diff --git a/vendor/github.com/cisco/go-hpke/go.sum b/vendor/github.com/cisco/go-hpke/go.sum
new file mode 100644
index 00000000..6a1b6e4f
--- /dev/null
+++ b/vendor/github.com/cisco/go-hpke/go.sum
@@ -0,0 +1,26 @@ +git.schwanenlied.me/yawning/x448.git v0.0.0-20170617130356-01b048fb03d6 h1:w8IZgCntCe0RuBJp+dENSMwEBl/k8saTgJ5hPca5IWw= +git.schwanenlied.me/yawning/x448.git v0.0.0-20170617130356-01b048fb03d6/go.mod h1:wQaGCqEu44ykB17jZHCevrgSVl3KJnwQBObUtrKU4uU= +github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b h1:Ves2turKTX7zruivAcUOQg155xggcbv3suVdbKCBQNM= +github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b/go.mod h1:0AZAV7lYvynZQ5ErHlGMKH+4QYMyNCFd+AiL9MlrCYA= +github.com/cloudflare/circl v1.0.0 h1:64b6pyfCFbYm623ncIkYGNZaOcmIbyd+CjyMi2L9vdI= +github.com/cloudflare/circl v1.0.0/go.mod h1:MhjB3NEEhJbTOdLLq964NIUisXDxaE1WkQPUxtgZXiY= +github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a h1:vclmkQCjlDX5OydZ9wv8rBCcS0QyQY66Mpf/7BZbInM= +golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed 
h1:uPxWBzB3+mlnjy9W58qY1j/cjyFjutgw/Vhan2zLy/A= +golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/vendor/github.com/cisco/go-hpke/hpke.go b/vendor/github.com/cisco/go-hpke/hpke.go new file mode 100644 index 00000000..81b1bf29 --- /dev/null +++ b/vendor/github.com/cisco/go-hpke/hpke.go 
@@ -0,0 +1,549 @@
+package hpke
+
+import (
+ "bytes"
+ "crypto/cipher"
+ "encoding/binary"
+ "fmt"
+ "io"
+ "log"
+
+ "github.com/cisco/go-tls-syntax"
+)
+
+const (
+ debug = true
+ rfcLabel = "HPKE-06"
+)
+
+type KEMPrivateKey interface {
+ PublicKey() KEMPublicKey
+}
+
+type KEMPublicKey interface{}
+
+type KEMScheme interface {
+ ID() KEMID
+ DeriveKeyPair(ikm []byte) (KEMPrivateKey, KEMPublicKey, error)
+ Serialize(pk KEMPublicKey) []byte
+ Deserialize(enc []byte) (KEMPublicKey, error)
+ Encap(rand io.Reader, pkR KEMPublicKey) ([]byte, []byte, error)
+ Decap(enc []byte, skR KEMPrivateKey) ([]byte, error)
+ PublicKeySize() int
+ PrivateKeySize() int
+
+ SerializePrivate(sk KEMPrivateKey) []byte
+ DeserializePrivate(enc []byte) (KEMPrivateKey, error)
+
+ setEphemeralKeyPair(sk KEMPrivateKey)
+}
+
+type AuthKEMScheme interface {
+ KEMScheme
+ AuthEncap(rand io.Reader, pkR KEMPublicKey, skS KEMPrivateKey) ([]byte, []byte, error)
+ AuthDecap(enc []byte, skR KEMPrivateKey, pkS KEMPublicKey) ([]byte, error)
+}
+
+type KDFScheme interface {
+ ID() KDFID
+ Hash(message []byte) []byte
+ Extract(salt, ikm []byte) []byte
+ Expand(prk, info []byte, L int) []byte
+ LabeledExtract(salt []byte, suiteID []byte, label string, ikm []byte) []byte
+ LabeledExpand(prk []byte, suiteID []byte, label string, info []byte, L int) []byte
+ OutputSize() int
+}
+
+type AEADScheme interface {
+ ID() AEADID
+ New(key []byte) (cipher.AEAD, error)
+ KeySize() int
+ NonceSize() int
+}
+
+type CipherSuite struct {
+ KEM KEMScheme
+ KDF KDFScheme
+ AEAD AEADScheme
+}
+
+func (suite CipherSuite) ID() []byte {
+ suiteID := make([]byte, 6)
+ binary.BigEndian.PutUint16(suiteID, uint16(suite.KEM.ID()))
+ binary.BigEndian.PutUint16(suiteID[2:], uint16(suite.KDF.ID()))
+ binary.BigEndian.PutUint16(suiteID[4:], uint16(suite.AEAD.ID()))
+ return append([]byte("HPKE"), suiteID...)
+}
+
+type Mode uint8
+
+const (
+ modeBase Mode = 0x00
+ modePSK Mode = 0x01
+ modeAuth Mode = 0x02
+ modeAuthPSK Mode = 0x03
+)
+
+func logString(val string) {
+ if debug {
+ log.Printf("%s", val)
+ }
+}
+
+func logVal(name string, value []byte) {
+ if debug {
+ log.Printf(" %6s %x", name, value)
+ }
+}
+
+///////
+// Core
+
+func defaultPSK(suite CipherSuite) []byte {
+ return []byte{}
+}
+
+func defaultPSKID(suite CipherSuite) []byte {
+ return []byte{}
+}
+
+func verifyPSKInputs(suite CipherSuite, mode Mode, psk, pskID []byte) error {
+ defaultPSK := defaultPSK(suite)
+ defaultPSKID := defaultPSKID(suite)
+ pskMode := map[Mode]bool{modePSK: true, modeAuthPSK: true}
+
+ gotPSK := !bytes.Equal(psk, defaultPSK)
+ gotPSKID := !bytes.Equal(pskID, defaultPSKID)
+
+ switch {
+ case gotPSK != gotPSKID:
+ return fmt.Errorf("Inconsistent PSK inputs [%d] [%v] [%v]", mode, gotPSK, gotPSKID)
+ case gotPSK && !pskMode[mode]:
+ return fmt.Errorf("PSK input provided when not needed [%d]", mode)
+ case !gotPSK && pskMode[mode]:
+ return fmt.Errorf("Missing required PSK input [%d]", mode)
+ }
+
+ return nil
+}
+
+type hpkeContext struct {
+ mode Mode
+ pskIDHash []byte `tls:"head=none"`
+ infoHash []byte `tls:"head=none"`
+}
+
+type contextParameters struct {
+ suite CipherSuite
+ keyScheduleContext []byte
+ secret []byte
+}
+
+func (cp contextParameters) aeadKey() []byte {
+ return cp.suite.KDF.LabeledExpand(cp.secret, cp.suite.ID(), "key", cp.keyScheduleContext, cp.suite.AEAD.KeySize())
+}
+
+func (cp contextParameters) exporterSecret() []byte {
+ return cp.suite.KDF.LabeledExpand(cp.secret, cp.suite.ID(), "exp", cp.keyScheduleContext, cp.suite.KDF.OutputSize())
+}
+
+func (cp contextParameters) aeadBaseNonce() []byte {
+ return cp.suite.KDF.LabeledExpand(cp.secret, cp.suite.ID(), "base_nonce", cp.keyScheduleContext, cp.suite.AEAD.NonceSize())
+}
+
+type setupParameters struct {
+ sharedSecret []byte
+ enc []byte
+}
+
+func keySchedule(suite CipherSuite, mode Mode, sharedSecret, info, psk, pskID []byte) (contextParameters, error) {
+ err := verifyPSKInputs(suite, mode, psk, pskID)
+ if err != nil {
+ return contextParameters{}, err
+ }
+
+ suiteID := suite.ID()
+ pskIDHash := suite.KDF.LabeledExtract(nil, suiteID, "psk_id_hash", pskID)
+ infoHash := suite.KDF.LabeledExtract(nil, suiteID, "info_hash", info)
+
+ contextStruct := hpkeContext{mode, pskIDHash, infoHash}
+ keyScheduleContext, err := syntax.Marshal(contextStruct)
+ if err != nil {
+ return contextParameters{}, err
+ }
+
+ secret := suite.KDF.LabeledExtract(sharedSecret, suiteID, "secret", psk)
+
+ params := contextParameters{
+ suite: suite,
+ keyScheduleContext: keyScheduleContext,
+ secret: secret,
+ }
+
+ return params, nil
+}
+
+// contextRole specifies the role of a party in possession of a Context: if
+// equal to `contextRoleSender`, then the party is the sender; if equal to
+// `contextRoleReceiver`, then the party is the receiver.
+type contextRole uint8
+
+const (
+ contextRoleSender contextRole = 0x00
+ contextRoleReceiver contextRole = 0x01
+)
+
+// context represents an HPKE context encoded on the wire.
+type context struct {
+ // Marshaled fields
+ Role contextRole
+ KEMID KEMID
+ KDFID KDFID
+ AEADID AEADID
+ ExporterSecret []byte `tls:"head=1"`
+ Key []byte `tls:"head=1"`
+ BaseNonce []byte `tls:"head=1"`
+ Seq uint64
+
+ // Operational structures
+ aead cipher.AEAD `tls:"omit"`
+ suite CipherSuite `tls:"omit"`
+
+ // Historical record
+ nonces [][]byte `tls:"omit"`
+ setupParams setupParameters `tls:"omit"`
+ contextParams contextParameters `tls:"omit"`
+}
+
+func newContext(role contextRole, suite CipherSuite, setupParams setupParameters, contextParams contextParameters) (context, error) {
+ key := contextParams.aeadKey()
+ baseNonce := contextParams.aeadBaseNonce()
+ exporterSecret := contextParams.exporterSecret()
+
+ aead, err := suite.AEAD.New(key)
+ if err != nil {
+ return context{}, err
+ }
+
+ ctx := context{
+ Role: role,
+ KEMID: suite.KEM.ID(),
+ KDFID: suite.KDF.ID(),
+ AEADID: suite.AEAD.ID(),
+ ExporterSecret: exporterSecret,
+ Key: key,
+ BaseNonce: baseNonce,
+ Seq: 0,
+ aead: aead,
+ suite: suite,
+ setupParams: setupParams,
+ contextParams: contextParams,
+ }
+
+ return ctx, nil
+}
+
+func unmarshalContext(role contextRole, opaque []byte) (context, error) {
+ var ctx context
+ var err error
+ if _, err = syntax.Unmarshal(opaque, &ctx); err != nil {
+ return context{}, err
+ }
+
+ if ctx.Role != role {
+ return context{}, fmt.Errorf("role mismatch")
+ }
+
+ ctx.suite, err = AssembleCipherSuite(ctx.KEMID, ctx.KDFID, ctx.AEADID)
+ if err != nil {
+ return context{}, err
+ }
+
+ // Construct AEAD and validate the key length.
+ ctx.aead, err = ctx.suite.AEAD.New(ctx.Key)
+ if err != nil {
+ return context{}, err
+ }
+
+ // Validate the nonce length.
+ if len(ctx.BaseNonce) != ctx.aead.NonceSize() {
+ return context{}, fmt.Errorf("base nonce length: got %d; want %d", len(ctx.BaseNonce), ctx.aead.NonceSize())
+ }
+
+ // Validate the exporter secret length.
+ if len(ctx.ExporterSecret) != ctx.suite.KDF.OutputSize() {
+ return context{}, fmt.Errorf("exporter secret length: got %d; want %d", len(ctx.ExporterSecret), ctx.suite.KDF.OutputSize())
+ }
+
+ return ctx, nil
+}
+
+func (ctx *context) computeNonce() []byte {
+ buf := make([]byte, 8)
+ binary.BigEndian.PutUint64(buf, ctx.Seq)
+
+ Nn := len(ctx.BaseNonce)
+ nonce := make([]byte, Nn)
+ copy(nonce, ctx.BaseNonce)
+ for i := range buf {
+ nonce[Nn-8+i] ^= buf[i]
+ }
+
+ ctx.nonces = append(ctx.nonces, nonce)
+ return nonce
+}
+
+func (ctx *context) incrementSeq() {
+ ctx.Seq += 1
+ if ctx.Seq == 0 {
+ panic("sequence number wrapped")
+ }
+}
+
+func (ctx *context) Export(context []byte, L int) []byte {
+ return ctx.suite.KDF.LabeledExpand(ctx.ExporterSecret, ctx.suite.ID(), "sec", context, L)
+}
+
+func (ctx *context) Marshal() ([]byte, error) {
+ return syntax.Marshal(ctx)
+}
+
+type EncryptContext struct {
+ context
+}
+
+func newEncryptContext(suite CipherSuite, setupParams setupParameters, contextParams contextParameters) (*EncryptContext, error) {
+ ctx, err := newContext(contextRoleSender, suite, setupParams, contextParams)
+ if err != nil {
+ return nil, err
+ }
+
+ return &EncryptContext{ctx}, nil
+}
+
+func (ctx *EncryptContext) Seal(aad, pt []byte) []byte {
+ ct := ctx.aead.Seal(nil, ctx.computeNonce(), pt, aad)
+ ctx.incrementSeq()
+ return ct
+}
+
+func UnmarshalEncryptContext(opaque []byte) (*EncryptContext, error) {
+ ctx, err := unmarshalContext(contextRoleSender, opaque)
+ if err != nil {
+ return nil, err
+ }
+
+ return &EncryptContext{ctx}, nil
+}
+
+type DecryptContext struct {
+ context
+}
+
+func newDecryptContext(suite CipherSuite, setupParams setupParameters, contextParams contextParameters) (*DecryptContext, error) {
+ ctx, err := newContext(contextRoleReceiver, suite, setupParams, contextParams)
+ if err != nil {
+ return nil, err
+ }
+
+ return &DecryptContext{ctx}, nil
+}
+
+func (ctx *DecryptContext) Open(aad, ct []byte) ([]byte, error) {
+ pt, err := ctx.aead.Open(nil, ctx.computeNonce(), ct, aad)
+ if err != nil {
+ return nil, err
+ }
+
+ ctx.incrementSeq()
+ return pt, nil
+}
+
+func UnmarshalDecryptContext(opaque []byte) (*DecryptContext, error) {
+ ctx, err := unmarshalContext(contextRoleReceiver, opaque)
+ if err != nil {
+ return nil, err
+ }
+
+ return &DecryptContext{ctx}, nil
+}
+
+///////
+// Base
+
+func SetupBaseS(suite CipherSuite, rand io.Reader, pkR KEMPublicKey, info []byte) ([]byte, *EncryptContext, error) {
+ // sharedSecret, enc = Encap(pkR)
+ sharedSecret, enc, err := suite.KEM.Encap(rand, pkR)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ setupParams := setupParameters{
+ sharedSecret: sharedSecret,
+ enc: enc,
+ }
+
+ params, err := keySchedule(suite, modeBase, sharedSecret, info, defaultPSK(suite), defaultPSKID(suite))
+ if err != nil {
+ return nil, nil, err
+ }
+
+ ctx, err := newEncryptContext(suite, setupParams, params)
+ return enc, ctx, err
+}
+
+func SetupBaseR(suite CipherSuite, skR KEMPrivateKey, enc, info []byte) (*DecryptContext, error) {
+ // sharedSecret = Decap(enc, skR)
+ sharedSecret, err := suite.KEM.Decap(enc, skR)
+ if err != nil {
+ return nil, err
+ }
+
+ setupParams := setupParameters{
+ sharedSecret: sharedSecret,
+ enc: enc,
+ }
+
+ params, err := keySchedule(suite, modeBase, sharedSecret, info, defaultPSK(suite), defaultPSKID(suite))
+ if err != nil {
+ return nil, err
+ }
+
+ return newDecryptContext(suite, setupParams, params)
+}
+
+//////
+// PSK
+
+func SetupPSKS(suite CipherSuite, rand io.Reader, pkR KEMPublicKey, psk, pskID, info []byte) ([]byte, *EncryptContext, error) {
+ // sharedSecret, enc = Encap(pkR)
+ sharedSecret, enc, err := suite.KEM.Encap(rand, pkR)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ setupParams := setupParameters{
+ sharedSecret: sharedSecret,
+ enc: enc,
+ }
+
+ params, err := keySchedule(suite, modePSK, sharedSecret, info, psk, pskID)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ ctx, err := newEncryptContext(suite, setupParams, params)
+ return enc, ctx, err
+}
+
+func SetupPSKR(suite CipherSuite, skR KEMPrivateKey, enc, psk, pskID, info []byte) (*DecryptContext, error) {
+ // sharedSecret = Decap(enc, skR)
+ sharedSecret, err := suite.KEM.Decap(enc, skR)
+ if err != nil {
+ return nil, err
+ }
+
+ setupParams := setupParameters{
+ sharedSecret: sharedSecret,
+ enc: enc,
+ }
+
+ params, err := keySchedule(suite, modePSK, sharedSecret, info, psk, pskID)
+ if err != nil {
+ return nil, err
+ }
+
+ return newDecryptContext(suite, setupParams, params)
+}
+
+///////
+// Auth
+
+func SetupAuthS(suite CipherSuite, rand io.Reader, pkR KEMPublicKey, skS KEMPrivateKey, info []byte) ([]byte, *EncryptContext, error) {
+ // sharedSecret, enc = AuthEncap(pkR, skS)
+ auth := suite.KEM.(AuthKEMScheme)
+ sharedSecret, enc, err := auth.AuthEncap(rand, pkR, skS)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ setupParams := setupParameters{
+ sharedSecret: sharedSecret,
+ enc: enc,
+ }
+
+ params, err := keySchedule(suite, modeAuth, sharedSecret, info, defaultPSK(suite), defaultPSKID(suite))
+ if err != nil {
+ return nil, nil, err
+ }
+
+ ctx, err := newEncryptContext(suite, setupParams, params)
+ return enc, ctx, err
+}
+
+func SetupAuthR(suite CipherSuite, skR KEMPrivateKey, pkS KEMPublicKey, enc, info []byte) (*DecryptContext, error) {
+ // sharedSecret = AuthDecap(enc, skR, pkS)
+ auth := suite.KEM.(AuthKEMScheme)
+ sharedSecret, err := auth.AuthDecap(enc, skR, pkS)
+ if err != nil {
+ return nil, err
+ }
+
+ setupParams := setupParameters{
+ sharedSecret: sharedSecret,
+ enc: enc,
+ }
+
+ params, err := keySchedule(suite, modeAuth, sharedSecret, info, defaultPSK(suite), defaultPSKID(suite))
+ if err != nil {
+ return nil, err
+ }
+
+ return newDecryptContext(suite, setupParams, params)
+}
+
+/////////////
+// PSK + Auth
+
+func SetupAuthPSKS(suite CipherSuite, rand io.Reader, pkR KEMPublicKey, skS KEMPrivateKey, psk, pskID, info []byte) ([]byte, *EncryptContext, error) {
+ // sharedSecret, enc = AuthEncap(pkR, skS)
+ auth := suite.KEM.(AuthKEMScheme)
+ sharedSecret, enc, err := auth.AuthEncap(rand, pkR, skS)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ setupParams := setupParameters{
+ sharedSecret: sharedSecret,
+ enc: enc,
+ }
+
+ params, err := keySchedule(suite, modeAuthPSK, sharedSecret, info, psk, pskID)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ ctx, err := newEncryptContext(suite, setupParams, params)
+ return enc, ctx, err
+}
+
+func SetupAuthPSKR(suite CipherSuite, skR KEMPrivateKey, pkS KEMPublicKey, enc, psk, pskID, info []byte) (*DecryptContext, error) {
+ // sharedSecret = AuthDecap(enc, skR, pkS)
+ auth := suite.KEM.(AuthKEMScheme)
+ sharedSecret, err := auth.AuthDecap(enc, skR, pkS)
+ if err != nil {
+ return nil, err
+ }
+
+ setupParams := setupParameters{
+ sharedSecret: sharedSecret,
+ enc: enc,
+ }
+
+ params, err := keySchedule(suite, modeAuthPSK, sharedSecret, info, psk, pskID)
+ if err != nil {
+ return nil, err
+ }
+
+ return newDecryptContext(suite, setupParams, params)
+}
diff --git a/vendor/github.com/cisco/go-hpke/test-vectors.json b/vendor/github.com/cisco/go-hpke/test-vectors.json
new file mode 100644
index 00000000..959f9cac
--- /dev/null
+++ b/vendor/github.com/cisco/go-hpke/test-vectors.json
@@ -0,0 +1 @@ +[{"mode":3,"kem_id":32,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"dac5811bb6ef87bfcb7577124c4cb5c2103d156ad51516deb0c487656e3c8f53","ikmS":"b7217615b0cebcede8faacd6ecb2fc02aa851fdf848a7df3d2b306926b952cbc","ikmE":"f871b2fc590796b717271b58363eff47c03eb32cd4ddd7092a84a83c0e213099","skRm":"bda08eebf8604c869d1ccba95efb949f4c2be90dcc5f4257a8c9bb6fca361353","skSm":"d4ec9b1f2d523a57f143a68cdddf55ac53000c5ad83ff2b837561b737c3ba4f1","skEm":"e8b6765de63a22813e817c76514c29f323fc45f9bf9ae4c44656bcee34e2af84","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"8d905b3edb4b5b6c0aad27534df83fdd235c8dca728e49cedac31ead2a0d0120","pkSm":"be0a8b0c00e240d96da5774e7e3150c2485741f563d36e50fcd1beeb1c22414c","pkEm":"5e6959d5e3c91b9e0200b56d6aeab2e241c1a22ab8e9241b1ccbf67385b1ad1c","enc":"5e6959d5e3c91b9e0200b56d6aeab2e241c1a22ab8e9241b1ccbf67385b1ad1c","shared_secret":"cf200c84e5acc776c8aeea345a15582cd8c0ba0fb723eb2e8f419609e76f2067","key_schedule_context":"039091352b85603e6962c46b744ea932dc3817e8f943688182965d3b6bcca57426b78d74d1e5a553aec6506b75c00b4f71a132eedae22fbf04fb3b279548a3a2d4","secret":"adc063c2e88fb33fb82b3e858c39521a835e781469ceceda36f02e9f9796f99f","key":"87e80807cd21e97780a221cf4a368745","base_nonce":"d1ee7ab4b49a25bd72495dfa","exporter_secret":"6cb400778edf6bda3484324f64dc3e92fc588e744071efdc971c10acbeaa9d29","encryptions":[{"aad":"436f756e742d30","ciphertext":"aa532682464887cc887b0de5c7a38478517b7861daab0b2c413f255500c62e72a7521d03b2093dff01fdff973c","nonce":"d1ee7ab4b49a25bd72495dfa","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"ae92879b0ec1823009f582dd9866109b2a1791dfdbf2b6224cfa9150df56f0439f879be0e167d6b8d0716b6b3a","nonce":"d1ee7ab4b49a25bd72495dfb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"6633b2f9a
6098fe193c6871840416e9569dbf277684406b24e3c224042d64e33eced64dad493d028118718d203","nonce":"d1ee7ab4b49a25bd72495df8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"87b18cc8970c93badbcae356bed0dbeae797838ab1370474ac69b2d7043a2e8352cdccde9b496d62b6d8da65d7","nonce":"d1ee7ab4b49a25bd72495df9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"47cac76fa05297258ef24b5506ed8edc9db6db1a9c6e7372dc776c15cccfd0676697e895add2026283d107412f","nonce":"d1ee7ab4b49a25bd72495dfe","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"7516989339131b6eed682342674d49ee47fbe78655e165ae3020d73b6820412b2272bb3e99b156f7e7d266467e","nonce":"d1ee7ab4b49a25bd72495dff","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"7f61394a57003631cc4668ca7bebae6194f1e89df2cc42773be0d665a13410ff002ef8f4f606f544eaa7d967b6","nonce":"d1ee7ab4b49a25bd72495dfc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"a1eefa9c9881762c8d8e748f03978ec8f76629b39f0d8e67374b5cfa1e807e95140faaf86d4f301b854a10bd52","nonce":"d1ee7ab4b49a25bd72495dfd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"5b0336e21769ac215f6f1e7cf96711314cd15bf34cf5ae05ab9e752f76f64dbfd1b312d1ea501d5a68e1edcbe3","nonce":"d1ee7ab4b49a25bd72495df2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"86ea743060bb9ce7b4f5c3999519fed41daf28b401a6dc961fce6c01fba27e06a6d26942d445e04f1a78541dc9","nonce":"d1ee7ab4b49a25bd72495df3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"1d0fcdb187878f9559f8db71ab321f7e39f1be0d7a14b29f504d
a74996900b51"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"2bc2b8b2fa98a5193b78fda3ea6983b974a813ba3529b1fdd6187a09db8d59bb"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"37b8aa3c98cf48e5db6b386919cb4731f9d6c0d51bb4314867c5a3d582a40da6"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"b52c361b7e3eb81361ed4f2cd35b97786e1c14f0b49a1329183efdbf34222c86"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"d7c10ae41e0a8f4fd16a3033f23f0f5f4a45a7bd22e5bb64807a71ccbdbe1deb"}]},{"mode":0,"kem_id":32,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"abd1bdbdbc6a93626ecd60ce370be0a7692a5bcd23f64bb31b49d173ef2ae142","ikmE":"aeea7f66a27908ed74e1683c78cdb2a4cecdd18f137849b48574f32a26faef4c","skRm":"962d632ff26d18aa91100cfeca4d4e4718120db04b47cf3464bb484855ce6060","skEm":"a9ad994a1707393707189316bcfb7b4ed6a17f6433cdeffc3dc86e1499891182","pkRm":"24b6dc8a1204af22fe603e2d58d13e7809ca3dc2ea9c382b3db1f67099de417c","pkEm":"c0e0c191310a241cec4b5561f950241782d806681f0141a18d76b797f218926b","enc":"c0e0c191310a241cec4b5561f950241782d806681f0141a18d76b797f218926b","shared_secret":"597ab8cc0eb6b23316ce1c68141cac031bbda320de77321e2b6b6d65ac194a91","key_schedule_context":"00dd53f4a24da94754dd05f363191d063a9803d098415c2c82eedfae1e5b44f897b78d74d1e5a553aec6506b75c00b4f71a132eedae22fbf04fb3b279548a3a2d4","secret":"81d22129a18c2b621a6934b92e5c2e5909ac25e91e919ef49777b3d8b0b83e77","key":"4a26337d347f7da7589802b371f43612","base_nonce":"eb69bd04cb4ca670028b8ca1","exporter_secret":"bf093d0af494357ece150c1f055b998b5a9cc0762f0056ad176a6b05abe724e5","encryptions":[{"aad":"436f756e742d30","ciphertext":"335d6dc57e081c3cc427820259b5ccbbf92dd36a49cd485ff6efa52eecb05c6b3192c38d7f381fcf54dfbfb4ed","nonce":"eb69bd04cb4ca670028b8ca1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"24d265d6356e2e0da091669b450ad58caf639aad24e9b6
cce5c3db31314fdc738c2e35023d60cb37b6c67c1cbc","nonce":"eb69bd04cb4ca670028b8ca0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"5635ec146007438566458a2e0f739e55bcd8796fc2bbd7bc5b3fc90d1e683154aa05df24a7d6717a8aa42c464b","nonce":"eb69bd04cb4ca670028b8ca3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"2b514664109cd100d5100dc8758a92a7f8c5ab9ee49c8bfc988b381a7bd06b47fb65d2aa45a319b6058c651444","nonce":"eb69bd04cb4ca670028b8ca2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"6122cdf93d261f97641ff6c97dc47051bbf7bce4aa79d34b5899a3697dffa973161c2fa2585dc2fb8e8838ca69","nonce":"eb69bd04cb4ca670028b8ca5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"87d9887762d0ba132d54a34042c7951af44d6e7a412e090ab9ce71357dd916ca1008107e4f0bbb2231a9bab68b","nonce":"eb69bd04cb4ca670028b8ca4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"74c276e658ea5c799f4d2125e47778e0748606f8b868830bb62e5092d69a899125c751ce494b484baf0a843033","nonce":"eb69bd04cb4ca670028b8ca7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"b60c41c7e2fe944b6fa78baffbb5e2b3a2d8ae1dbda01ad544ecfe4b33573082452a1f9210c9a80a22f61b10d7","nonce":"eb69bd04cb4ca670028b8ca6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"fffd3c3791385eaa56c399886cdb099655b05c8202ec50d7fc5b36ead697c6e24b20c9f367ac230336f07829b9","nonce":"eb69bd04cb4ca670028b8ca9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"f157256f02f047f3bbdec21e742fe90e189e92472f5305690fd7283e186a335680666a1be870f0536e2ca095e0","nonce":"eb69bd04cb4ca670028b8ca8","plaint
ext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"22232b04680891f8001a97b61b112ed4428da0e56d43dbce62322103b7a13c19"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"6b7072bd691a1325a41efee40d29662d1644b4b7c608876bcbfcc4a533e8b235"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"5b4acdd170b53c45ed42009f1d7364d921a7c4786a15264313372d415670464c"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"e6230007f905f8afeca2a87fe482fc9e6be86757dff1e11e66e0d264c89c5d63"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"fa114266eafac086d9636159825f8ff5020ef75b7160fb7ecfd9ea6e8260adb9"}]},{"mode":1,"kem_id":32,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"f397fa9ba4273f6279263ec9c1b9f548df24668bd27ec54e738acdb9a09482b1","ikmE":"b844a92c54efda77b22b49d5dc535a258f08c5ccf6bc06ea65312eada769d03c","skRm":"3f4d57bcb202ef2ea4fa74129300443d3624e884711f2220922038f00228d847","skEm":"ed2f4a36fe0b65002eeeb0b1164ac6590e957030fee9c022918974228e9f31c9","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"c51ad290b51ca67af168519c158e80b4c145a137d98b01a3c36b925cf2477238","pkEm":"08ef45b1707edd21d54ade5ae6a064c9e12ffff7fd433d465275328bd2f2b854","enc":"08ef45b1707edd21d54ade5ae6a064c9e12ffff7fd433d465275328bd2f2b854","shared_secret":"01272a23d2faf0d8c6d2877f5a16a242dead2e8bf47c5fe70c6417525d517d99","key_schedule_context":"019091352b85603e6962c46b744ea932dc3817e8f943688182965d3b6bcca57426b78d74d1e5a553aec6506b75c00b4f71a132eedae22fbf04fb3b279548a3a2d4","secret":"ce50ed49df7446daf5d141f6755bf83959373ab1cc2f91d9357c80fb7421b055","key":"ee8c9766201015d15781fd44cac7f1c3","base_nonce":"2934e6fdcfde6082c0a0d801","exporter_secret":"dddfd9a4c934fd24a6c516798589b974e2bcf56768eb3e8fc1db9cf4a5faeae4","encryp
tions":[{"aad":"436f756e742d30","ciphertext":"631ff50870c97321b4522c53d9aae355a4e619fd86ba21ecf21c92f29f82049b6a4cfe8ada5e2a109380f4e359","nonce":"2934e6fdcfde6082c0a0d801","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"cf9b5ce5e7d053f6df4add39ee77b46c67e69553a6b198703b429594b9cf259617b611e5de1ef8549d9fcc6887","nonce":"2934e6fdcfde6082c0a0d800","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"2749f18cbc8c1c3e7b24c3ee31f305aa7c79c3ae32667acfccb4774e72fe09b036c7c7454662c8482bceaf90e6","nonce":"2934e6fdcfde6082c0a0d803","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"a6b12296d36fa60c362c0a53c976954530ea0cccf0ee94ccc1bf72194a3c28102641d9c61ed573b16d4f645590","nonce":"2934e6fdcfde6082c0a0d802","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"70626c901d3bca657bf292e0bb45924ce68f8ba587f3ff644f4dc782c65482e74ca43be23651d3115879748b53","nonce":"2934e6fdcfde6082c0a0d805","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"1f4e73e20b4947433beddf125090a45a8ae66975d3c8d32195d0ea56f11a422a5d85797120403791dcaf8f6e2c","nonce":"2934e6fdcfde6082c0a0d804","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"0c787a56cc5f378f78fbb0dff3d0b79f9c846a79b7119540695f4f55c4890223f4c84f6e204c1e2ea0730d9082","nonce":"2934e6fdcfde6082c0a0d807","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"d6b265748a0b848e1ba7632c92b4185924a9af692b0e783af56f988be80aba194400455f70c2db620e05ee0ee1","nonce":"2934e6fdcfde6082c0a0d806","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"31e4ea5c32c612ffcded1790be20969c9a2b2e41b6
6f6d709ef3225634aa0b30659271d834f7a0855833754c41","nonce":"2934e6fdcfde6082c0a0d809","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"caea185242ac47be475e5f9a3abfd525f23d151aa4774877cdd19917cb22ca2c2e3b6434f0edcaae2d4095fddb","nonce":"2934e6fdcfde6082c0a0d808","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"f37bbaabdbc28e542f2732df6a222867b81b13d053c238e55d3a0bea0bd42bd5"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"dfc2ffabcddaa2d4996a47329ea49f29bb097f3fd608c5f46bc3d8af0fa95141"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"d29b09be994332f1fa30bad35a243c2a5aae77fe9a7fbd86bf22c7482c352dd9"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"e3474d875a328f66f9f296d7b9424e4982681fed1609a1f2279f73144127efb1"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"88f2a57fe0d2c931e4f604a16d8f18deb28b1f181ff979e2106cc1becc8868dd"}]},{"mode":2,"kem_id":32,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"ccb1760741a61301e116de07e6102622a59e8f656e3849d9bc06bf7a42f15202","ikmS":"7cb3c7cc1d9fb5602a168618550134ac605cfaa4edee1cb7c4ed63c1a9f70e5d","ikmE":"61ba8545c7d1fbac3c9ad0f421e5cc765aaf83d37813a73e844f7ca0626baeeb","skRm":"a30264987e3e0788d15884d8bc8f68e992a458beea9fa76eef988634ab6e3871","skSm":"a149a28cd14e0377a7027ff917957cdf7bdb0112705766feae69e862a6e31204","skEm":"3776290d71ecc1469362654c3153a06850b37f3663af524746fd4f132772bcfb","pkRm":"f585a67b9a90aebfdea9afb3d87e831d2835dbaa81a5b9aa8a3fa398f70bd339","pkSm":"95c628f9bba9b1c4ceb4a8bd163dbc3f65dddc43633d3c89d3cce1b916376f51","pkEm":"712e675619b1264ce6989a6633c9c3803b650e6b21d6df925f37d44732dc5419","enc":"712e675619b1264ce6989a6633c9c3803b650e6b21d6df925f37d44732dc5419","shared_secret":"23b651d892180f8acc73576c5d42eaa5342bb739693c749
22a0cf79d94a70ea2","key_schedule_context":"02dd53f4a24da94754dd05f363191d063a9803d098415c2c82eedfae1e5b44f897b78d74d1e5a553aec6506b75c00b4f71a132eedae22fbf04fb3b279548a3a2d4","secret":"3d4bd6559bc2799c4c062cc8789c64d58efd4962ffc13054931c699836df5071","key":"00f52e955f0f80a666a6269b60b0fbd4","base_nonce":"a4bc781fb4f5fef299ce0d5e","exporter_secret":"81eadf5daaa95e7fee6081234d08346f9935b4d87464d5b5e8ec2b2d286db96a","encryptions":[{"aad":"436f756e742d30","ciphertext":"d281d68ca7c77c4b3470dc7644ff894b1b90a5042483951be5175fbb1e0bc212567d7dc92988a5b28d55cf1461","nonce":"a4bc781fb4f5fef299ce0d5e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"1758d81bd0c477f6c978096eda1da5944ebc3df18649b2f9238bbd5b9fdefc1fe8e27e2d228d0dd9195712d2a9","nonce":"a4bc781fb4f5fef299ce0d5f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"14ce17eb0727402cff771d3f3dbe648bcb537f3dbfaa7496ea79ab5264e6e7063990fa5c36aa8fe5473e5bff73","nonce":"a4bc781fb4f5fef299ce0d5c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"bd6b35571e22caea1bb44cdd7a28cbc3aab96f2f13ca861c664d09fc24aa1bf521dcf1be23dd44ac6350b555a9","nonce":"a4bc781fb4f5fef299ce0d5d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"b923925381a4c1fdc6c9563f976e487311aa91eedb691013cb05c98d1e96d2e124cc302fa00d831176d6649693","nonce":"a4bc781fb4f5fef299ce0d5a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"77be85d66375dc945d9e14b89d1f702233c71e568859886f4e45fc8c50c87cba28f0e4cf51bc302fa297d3cc51","nonce":"a4bc781fb4f5fef299ce0d5b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"1b4df1c15026c3b248efe402ba71b6298ec4aaf32a00b4153348614a110932b788ccf93f583aafe0ce2588daed","non
ce":"a4bc781fb4f5fef299ce0d58","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"bee35ecef8fadcd3e5937c1e0ad64922963b72e3fa5b91da615c58f73155b20409caf88f79923831fd62680214","nonce":"a4bc781fb4f5fef299ce0d59","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"4527ecbe454622740c1c807d124f4a1f6ee5d557480d6916fce848d2234f48599d8c6e52cd3278c03937d104e1","nonce":"a4bc781fb4f5fef299ce0d56","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"0018bbeebce2d3b9f9d0ee6f07c73d0c2b53bd7a22ec6ae12690f0d15f28fba8fb93468582694695f6b9b8c35e","nonce":"a4bc781fb4f5fef299ce0d57","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"9b204cd2c49f88cb6f4f4490115f9a761ca16025aa45aba84b75f6d9ca75d213"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"8310552325386b0718b8fe400ac021f8af4c4add3c942750ff061d6b7a533c38"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"12785feba2c07e15019b5019e1a69f59cb82e47c7b667167d6e8319a6bcfb6d5"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"9cfe136bbf5cda965292e6ee8b69f75419ba0b4be4ebfddcfed72a5473ff6433"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"6a6958b8bbd9d66332532303769ff4a35fa0d3a306aac2135ad10475023f98c3"}]},{"mode":2,"kem_id":32,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"b510164bb369440db964e1d00e1c5277b9bf5a9b8dc0ee4054e8cef27d053634","ikmS":"e5ea8650e625680b229db672e5be3dde92b19ef535519c80aaca2cae6bda0846","ikmE":"e32f15e34f15670ba11594f2134d17ee53adc324f96b9ed57996a296719558ae","skRm":"f7632b0bf0e0a1e40caf8247b937d2cb9034cf2a8cd63eb4af73a7c3cc0b518e","skSm":"d436fa207c065a9d73444688f1046da924c8148bd1cc3f500cc7d553d90e7536","skEm":"e
c05683a6b7b854089df8a05b74865c73a842ae714b3d652defc111eef6341a2","pkRm":"80c35c1c5531998b4dec40bd8d0c83e434b0cf0f5148f633e03613b4d93e9f6c","pkSm":"38981750552164cac0487557ed9e1794a9e1fbb78e9b07ef6b5525baa7649a11","pkEm":"69aa1824d66ef34cf46fc6bedccdcd970ab11661623d40cdd20922d41046da77","enc":"69aa1824d66ef34cf46fc6bedccdcd970ab11661623d40cdd20922d41046da77","shared_secret":"80b0307dcf744e67c7b86b1bee7dd28ca793ce6065f41e0a617531ce6227ca9c","key_schedule_context":"024cf1920febcaec74c44096d7585fe5fe20217f036a51118dc809ceb40af44fdac4bab26daecdd2c61d27578e7519b40e025c242522847e2cfdda9f8693a45db3","secret":"c206b7e9496a35b19b74f4833e79177e619307a7af1c9ef117047ba655994c70","key":"327f6efcf0915b81b44ef4c9357a73ce219410b640f7da70325a2c42f0527a34","base_nonce":"5d4cb8339a2ecbf70a46a7bd","exporter_secret":"d7616373d04d7d281ead768ed64b9d92312a725241e28f43bc511f67bde8ba22","encryptions":[{"aad":"436f756e742d30","ciphertext":"d1ed0c92b539644b66e8d00618da1da3004ca511818f449f2939b54acff3e19d7cd6ec0e3e81e1b5002acc6d6f","nonce":"5d4cb8339a2ecbf70a46a7bd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"d78d83d6505bac3232c46b94df74c507564a1a83ce4dd5d9059d02675f738280ef0430e503565518459002868e","nonce":"5d4cb8339a2ecbf70a46a7bc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"f83c9e5a444c232efe8104e7c887bb35eaa422ef70f6514da18838f2a315e1fcdc49ebe1df32f62acfecb833f2","nonce":"5d4cb8339a2ecbf70a46a7bf","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"27e3ff4d855fd5067dd022200767bc1f4f996f41bad4da7c0a3eebfdca9207d45988cd5883b0cd2a80b324d7a7","nonce":"5d4cb8339a2ecbf70a46a7be","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"f120254f65341f0e773a2eeaf28e0065b03644f247f98ba5205f477a20c73992c36714b91ffd50f23bf76a17c5","nonce":"5d4cb8339a2ecbf70
a46a7b9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"62c0419c3c4a64371e20ed5cc55e008c3c710cbcf46f91d64cffaaac6de75c1321df95d4324aee4388a4b4ac9d","nonce":"5d4cb8339a2ecbf70a46a7b8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"6071a422a8e6a9a9650119cf33b8b307b16eb0cdb5cf708c31837b8c9e63d76d84b0a98bbd7905eae9c9209279","nonce":"5d4cb8339a2ecbf70a46a7bb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"8c3b2cf0183876778c39cc66579a4d3b856f7ca3115e7cb9fe065f8fba3a886a605fdbcbbd88028c450bcf5fa7","nonce":"5d4cb8339a2ecbf70a46a7ba","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"2047f1d88918669cf51786a67713261a62ea9b96ae72061743314c2f519726b2cc0d5d11cc95a73df69baab030","nonce":"5d4cb8339a2ecbf70a46a7b5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"449fa9a877a7ad04954159be46c84463ec71bbd13e358339fe2325823f98e532071206b89bfb55611b4b90d92e","nonce":"5d4cb8339a2ecbf70a46a7b4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"3660fe4fa7f6275a511b44c9f6e16417b87c05cc5a27cf889c10e668407cc9c9"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"5bb47a3ea6c1610a729b9e06a2062a13dab5f9fe2d163cbd59af36e175ecb1f3"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"fec88b97adf15eaff2e89dbb87531b3cb4f55b785b01c70d165eb264d0dc1b2e"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"8ac5df52842097aef10065ea086dbacf1d605dabd76e3f48194324391ba1d677"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"694ad22952793050681b4711ed6b89b82c8e394a0e4d4398cd99bc0da42b6236"}]},{"mode":3,"kem_id"
:32,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"e3a7b3627c57519cfa55314f7338ab6d1ee423ff922550200778550ae271db23","ikmS":"a999ebec1b61c54ed4890771ce8832d3aa34eb798f050c0d3633e4d767db298c","ikmE":"83bc45a8a549b5d47fbdec0419318ad3147a7340997cd6fd25adfe48cbfbe5b0","skRm":"1e66624500cf49e1a8d9c531d13aaa89a5ddc50f95829ab25ce294eb0880dee7","skSm":"cfd6b086b57a90d4b95eca43eaccce43a30bc975270c7e0dc0a6139733315756","skEm":"d337e120da54279350520d7f5e63c32148cddc4896aa9653126c4a6794498113","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"0f2ff3f9af8baef670fb4161fe14e1d657ba2e6eb02e1de3a0e3ff498c395e4b","pkSm":"a486667d8fa5b73f4ca4ca4f3c35f171eff2d650ff99157b4359fcf28e53ca31","pkEm":"04208e1008cb40208a637096d2b5c97814bb491d111b45ee1c05586e8ee9f66d","enc":"04208e1008cb40208a637096d2b5c97814bb491d111b45ee1c05586e8ee9f66d","shared_secret":"16e641014ea22fda492eda69feaf5814f2ad7fccf8c02841f70c85607055af32","key_schedule_context":"030bb152e51a0226c42c0adde62a86f014e70f1ad10d23b69f01a26d9b457edfd7c4bab26daecdd2c61d27578e7519b40e025c242522847e2cfdda9f8693a45db3","secret":"b5f8f27041e9356c694922ca2c76de32e353f85e1ebdb8c1da0da75b49415a2d","key":"89d059f834c6e73202024add8ec3b621dc8f71b5dec2118e1ea06c56f20e4c19","base_nonce":"bd854ec243c9cde043387249","exporter_secret":"2b08dc4ab85dbb7952840286e4df1ec32874df88d7829abfcc8ad5f5ef881599","encryptions":[{"aad":"436f756e742d30","ciphertext":"46bed3d8b2cf08d8cd87249fd8959b8e1082ae16fd1188881dd4ad3030696bf315ee03115c85ecdcdc6e4d5b84","nonce":"bd854ec243c9cde043387249","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"a1f0268e8f9097a01f92cb1ae95f9d20d8f30670997c3742995a9a4ebc94084feec5c4ff30dd198078e417bd25","nonce":"bd854ec243c9cde043387248","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"f9b44df2078
afb67c7e4291eb09d3c7a5b9707a8a56a02a7c0cb4787a7d791bd368e13019d0249315fe5b677d9","nonce":"bd854ec243c9cde04338724b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"af16188793c6f226fbe156fda8b53c147435de0fd47661af00fbaee6b0ea3394770bd6353e19e2dae76e3a19e2","nonce":"bd854ec243c9cde04338724a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"e275cad4ddb042f111ce15ef367f9e588e83270f306a293f70da0859a3870dd2bca9692ee201cece5b3d2aae2e","nonce":"bd854ec243c9cde04338724d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"8764e797a45819cdaa65b6fcfee9d42bc6758af7b19d18f64aec84964a4c436635e575c5991c6afaf17b58a0e6","nonce":"bd854ec243c9cde04338724c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"d0422241f5d962c809719d7d5f0f07d6da9bb43fe8cea42637a894352fa20fc230b200d6cbedd0ee29abfc9996","nonce":"bd854ec243c9cde04338724f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"13bcfbe3386bcdc9f0ad7aa4496f6e63a5fe46d1edbbb6d1b03e26f4c18912cba1e758fe9f0adcfec21d0e4c03","nonce":"bd854ec243c9cde04338724e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"0eeeedb04e541e191f7cc2bd35d62d9a0a47c252058974f38b4ed8e5e052dd2147a7a8a2ed2430b6015148cb1d","nonce":"bd854ec243c9cde043387241","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"a6457548acbd205226ad23ba16acb6306062a2944c1a5885621f99f6c123c234ac9674b48409f25149e7582976","nonce":"bd854ec243c9cde043387240","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"290ed8ad2514d7e9681f97ac18e14e07f176616ec4fda2e50ed345
0de05bc2ca"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"0723511b6f02fd748fbc9ebe16f7a15f7d4d478bba1b3eec982f215f1ef97026"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"5dc06266dfb2d235b859857c0d9c1d684a1695035ec5e558f58a174d2baa0fe8"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"8c80cc963b9a644bdddd3c4d70b9b80c03a94d60a881af8937f4a02fa0237719"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"75042d8cf2de2d5b2e2c1443aaccb2619d732229fa4388b94466debe7bfce2b9"}]},{"mode":0,"kem_id":32,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"fd65e8fae487078c4b3935bb1f8bcc557ae16ab6cb0cedffc939e31af62c1947","ikmE":"fba563af495167e07c3d3dcbc562d67b033052192207945ded7fac42f77b6b26","skRm":"ff718a2b5935899e2a78486bd290d17a6fe5cf3a30a3a1c96327003543366cf0","skEm":"1046ae40c4745100f31d841f3ec5f2272ff79ee73740a7ab105fc88ffade43d4","pkRm":"648c104511f94d4011042dde20dbce8bdc6870a815fd96f64247a8796e7b7222","pkEm":"6ff3f9694ae8112639cfd2e997b91ad6e2c64ae6fea138c57160d98b200f4e1b","enc":"6ff3f9694ae8112639cfd2e997b91ad6e2c64ae6fea138c57160d98b200f4e1b","shared_secret":"9b536dcaf0ebd630794c5a4d8b1d4a57a54ca4bf5e806e29c1c8c5c26f0838bc","key_schedule_context":"004cf1920febcaec74c44096d7585fe5fe20217f036a51118dc809ceb40af44fdac4bab26daecdd2c61d27578e7519b40e025c242522847e2cfdda9f8693a45db3","secret":"db651bb58a397ebc5efd6f3651fb5a4cb54b696d79738dcfc211b31c4733b7da","key":"343307fc03a6949290b623406e2688f9e98f143898fcfb50c97379bd30fb067c","base_nonce":"7638d321591b094499c4ee09","exporter_secret":"fd92f3f8fe2d95188bd24c92d26edf0b6da76bb4b5f001a0617a1a0e4f027945","encryptions":[{"aad":"436f756e742d30","ciphertext":"58b193e8f6f2b8706cbb7b122b3080dac1a358314908147eb0e0e88f58cd8712f468aa4c95c22251630bdee16d","nonce":"7638d321591b094499c4ee09","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"7e7bf319f24cf4c5
4e9b76cf1d89989d45009cd852ab659d3e3816379031f26b70906c8e9560105d73c7917932","nonce":"7638d321591b094499c4ee08","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"0e2cd6f7cc52ff5ce1e4893745c79c97d5d9ddbd76ace11c132dd110d7fb13c7bfd8b2338279273ef0537d857c","nonce":"7638d321591b094499c4ee0b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"0d905f76a2189a43b2d91dca903fd8ec4a983c4cdac27d25956331e1aa5473a7fbe27e4ce7cdcc3749f8cd68df","nonce":"7638d321591b094499c4ee0a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"efe5480ff1761fa3107ec613e23f2f0f144e037589aa0ca8a0f83f40838c3b67f3f6412cedc40f2bd42e61d0e5","nonce":"7638d321591b094499c4ee0d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"b6a9002de88c1b525d7c831564d9a4c665ce20eeaf79cedda8b3041a5857cf6cd3aeba72d218731c3ce2e9955a","nonce":"7638d321591b094499c4ee0c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"8020cccb43fb6c2321c11c52d592a5e18d799756b3850505320ab785b2f2f2ef2f7f183451f5daa56e42102b0b","nonce":"7638d321591b094499c4ee0f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"bea9dbfaa8e480782e08c8418fc3d2cdd80bf34809df6f38ae8eeb91ba0a063faaa648188295711120f894efba","nonce":"7638d321591b094499c4ee0e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"ae10be5c1f3ccd8b008e3be7e440203924830884505539e62122b4f2474f836c435499ff21ba27623727c54f4d","nonce":"7638d321591b094499c4ee01","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"d127e0b8d59ea79bb40f1e7b596791a590a34852a4893f9dbdf1cb8d7d442b91fe871a802ac3477231d86a5f0d","nonce":"763
8d321591b094499c4ee00","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"cc9c43595f895c99d5765f97c5591bb9057e8761a185fa0a1594feb19436ac7f"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"85dd591288281f82723275022a3c399ac0ecb6260e6f0c4592997a527a22ad7e"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"66b7640219069ddb831c13bcc6c1da4142ca2005bbd766a6918a1d08c55a6b03"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"9da86dd08c43dcbc6815997ece1141e783854d17004b4047277f9a7819d79812"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"998e6fe4e2f299693dbba54e0004ee66a46f2e3a06a6f479b87f3f48273fdbcb"}]},{"mode":1,"kem_id":32,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"a51ad91490a485de94460f9adfaad4c07529d9b902bcffd6ae4c92e1883832c2","ikmE":"fd709c6fbf16a47a6ae00f38d9070eb0faa6e54874cf61ff235990d94f8b4f17","skRm":"bf57d4cc2813ca2de5a81c0ffb6b16acef167c4154cba35e112a42d8eb398bc5","skEm":"c7b2c6492864ddf43fe5cb399c841e840a3c592a5ab16aea18515afe6915657b","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"c2dfce3de8129e6bdbd81a1607983ff9dc36dadaa230d79848acb6c1239b8066","pkEm":"f1ec4a6b305915773a7eb13f5635f33a43b79d3657e29074bacb55908bdd690f","enc":"f1ec4a6b305915773a7eb13f5635f33a43b79d3657e29074bacb55908bdd690f","shared_secret":"ab67035e5436f6a40cc563bd62fede3a597bf2b2dbcfa5d3f5662e66345d02dd","key_schedule_context":"010bb152e51a0226c42c0adde62a86f014e70f1ad10d23b69f01a26d9b457edfd7c4bab26daecdd2c61d27578e7519b40e025c242522847e2cfdda9f8693a45db3","secret":"68b2f3f8a73abdb5d5bf1602e3169cc33e15fd495b58a1983aa6b052693491dc","key":"24354b408134dbeff08ce107872be7744b525493ad896b9f48c0a6d2d663d94d","base_nonce":"447f2aab6ec8a35c35225a51","exporter_secret":"d4b23dc18be
ff168d688d9954a6b59deac7c8984c191987f9bde663d2bf16231","encryptions":[{"aad":"436f756e742d30","ciphertext":"99705a13dcd795937f35ebdfdaac59e0cd5ab7661ca509084ab0928a0a88fd89501a3b1324671fab1cac21c865","nonce":"447f2aab6ec8a35c35225a51","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"58e452f408338257fab440b538685e1f4d26436fb6949ae4f4877eafc54214909df6ce2108fc549bb83853779f","nonce":"447f2aab6ec8a35c35225a50","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"b0fca48f1140fc1e1d88b5b3bc4a0d992d7ce3c30d03549a71e70d2bfe13a4a8a5466edcab6669c28ef474b07b","nonce":"447f2aab6ec8a35c35225a53","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"0aed642839cf841c3abf12fb8d6a0bf3dc74bc79b6f1a26926dd8b6e95e762898c571174b1f98b73f9f2f089fd","nonce":"447f2aab6ec8a35c35225a52","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"3c4f2afcc4cc1fe3805a3e6fec2f1b4b5d79ba7eb598590dfc1faca7c91165aa6ba5c0998b9d96a386fee6f432","nonce":"447f2aab6ec8a35c35225a55","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"3002fb7a52b8cf08ec18d2508a1a0e832f9df2ddd82d5a951c7c3b5a81d4e662fcef037b6d10d8ae83b19eac72","nonce":"447f2aab6ec8a35c35225a54","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"f1ca1c8967008769fcb28c5bc5c53f482b3c87a6c6c83c6e4a9b5bbf13add60d91a495418330a771e70c841f25","nonce":"447f2aab6ec8a35c35225a57","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"1a48c2d5466d638bd195d0b2927fdef78cc617bb163c1a4770bd298fc2f4eaa6dc58863e55becc45fd5e9f0884","nonce":"447f2aab6ec8a35c35225a56","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e74
2d38","ciphertext":"5e4e5062e2f5426b69c01aa9558a33f9743c3c3d59931775ce271f62b15da658e5bc7585450641dcb17d20d9f5","nonce":"447f2aab6ec8a35c35225a59","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"17677f9ce9b6908528f49acd5b94169f23113818cd84fc893eec4a595ac1f0b74e9799e7635fa46cdf77ef713e","nonce":"447f2aab6ec8a35c35225a58","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"cc13ad8c6c3abd9bd2ab27316bb5b447a81f6d6bc154631d1e6e940bd31b7a9b"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"c3e4aad9ee5b77cbccfa4050a7de57d5ac388b587d87b09ebdba1fa49915ae19"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"2348fa0a2515c4a06e2d9d829d0a81a62dcba87dcaefc8aeeae6a24347f2cb34"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"5ae39ae94a1346137e56f3cded00963c8d2ccb7488616a6b14a3de8dc52c360a"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"f7644653f009d405bbcf945f4b1052f4f711c1292103d8408cc2209baa1d2590"}]},{"mode":0,"kem_id":32,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"1fe5d18ae06c13f5935e7b70cb12467fe1336d51ad29c701e825807564c66f49","ikmE":"e6db7c99dbf71950e161c1dc94e0a839570e73625ad4fa1b412c9bfc277e4dd7","skRm":"093338b7868ba79cbb9d241d5cf98805f4c99dc950e1f5626763a1a1c3622143","skEm":"8ab9cec1b84975bb808fd52ea3ec3db7541394931fa87f8790331cd72ea8f11e","pkRm":"686518db886444feb06aa8fdc79e4f316e73688b95f65ad0415b59ad795aa21f","pkEm":"88f61165926c051570dfc248f0cfc37c4b11a1a895434016489107c032d9c00b","enc":"88f61165926c051570dfc248f0cfc37c4b11a1a895434016489107c032d9c00b","shared_secret":"04e388e35e2bd0515185b89e5e4947bc9d5f54de04f92c069e7da15fe6f94e6e","key_schedule_context":"00baa0bb3cdf58aef2e3fd558b9def8ad7f7f902e7a6c83f2564ca3e9eeb3d26f222e12f3643e2ad9a56477d7c83c86837ec8333a41879b3acfa6
7bcae5d3201c2","secret":"061677e748c296fa35ac7a4082cc25999a17c535bf3c0b8cb0df6f98313cd312","key":"7cc9621305d73e66883c5a885e72bd034429bb7dc0fe642f868bdf9d976aec14","base_nonce":"389ddc5b510fa102b88d84fc","exporter_secret":"6bcc60bc26f2dff630094439b71661027633896239b65bbc14f235f2943e2f10","encryptions":[{"aad":"436f756e742d30","ciphertext":"565c7799ffe0206e805afc68c6eac226912dff0b66771d8f0cccd446ed7d8e01b65631f329971bc2d500de01e6","nonce":"389ddc5b510fa102b88d84fc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"83543f4f623e873a743e12fe6efa5e62ad957e2b2f54500d979f4239464e448e346a7a741fc0648c4ebb5c6f9a","nonce":"389ddc5b510fa102b88d84fd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"8569052539e4eca44c55a76098cb0656373741ddf247e77cac795f8560291b5f9e43f0993adade99e791a11194","nonce":"389ddc5b510fa102b88d84fe","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"b133399bf6e7fa305daa0b8416733755ac93ea8be66fae1734d5cc7e457aa316e43d884c3d90303fc62c98a618","nonce":"389ddc5b510fa102b88d84ff","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"f53e4e0fa091d21046e81d9b45b5e4b9a066f0675cff34aec99b5c6b52a6f004df99c99c3aa16b0529bb6a3c02","nonce":"389ddc5b510fa102b88d84f8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"9e337093874cf00dd338edc0d6f1b9e36c45a85f9c40c59a6e80db3fa53b74c23812059a448dadbe9d96e757fa","nonce":"389ddc5b510fa102b88d84f9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"2adc56d445e83bf76aaea9841357563a7d59cd412699e4b25d50fc14f17194fcbc16200b00a258568a27e96f0e","nonce":"389ddc5b510fa102b88d84fa","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37"
,"ciphertext":"6e90b36796c693c9028e071e1f828d816eeb55aed87ec628f0c4dc73f0ae1bf460e0811d1ce3627be4594c99da","nonce":"389ddc5b510fa102b88d84fb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"bb7d3a26c9f1c2b15d215b335e337b99c1b60901e3557067143f55c9a358b8c1b3edca631bf07dc8a9a0add405","nonce":"389ddc5b510fa102b88d84f4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"a36d9d10b88c7cee28e48b404eaf0c341c854d8787678a066244bd006a092e5e634ac1c7537ec6569d35d87aca","nonce":"389ddc5b510fa102b88d84f5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"b788187928819a007fe7c50f562b3406f28e7234855d4804c272e6fafdfeefe5"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"d6612af7041c963446f88d6240d15098ccfe399cd4e560c2ed2eae0cd0ccf782"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"297b93c53a0c67b08c3d96c3e12dadeff7152288b01f971a0aeb841e8eae5660"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"123518a83cedcb8527d265e14c0c508d3a6ed4ea4745ff4c7ad98667aa257879"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"39f7740e713b628d37820d8228333ea9c9744ce5144bb0910372e803c77d0dd5"}]},{"mode":1,"kem_id":32,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"ff466df325f7af1218565ac427be9a4ef7a67d17b3ea054e24f77f9238c31740","ikmE":"9ea75ee00835ca5dc1ee2ce23c59da21730357f5d0f2e6289d173c78f29a64a6","skRm":"411fa280602e4f4c5fec81b79890601ee9cfab0a6a59c0377029e6b5c0db7ff8","skEm":"d07f991de9da9811f138a6f7fd96de0baab88b25c82420a09575822764f3c29e","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"99929c876362d508fadc7f118a6a68db3a51a62fe16bbc6e9f31263277e1d656","pkEm":"
1454408a7aeb88bde53885a755a7539532b062e32fb0c0e89dda26670eb31448","enc":"1454408a7aeb88bde53885a755a7539532b062e32fb0c0e89dda26670eb31448","shared_secret":"567cc379a4607daae2367a07d1cedd1acc6526a9573784d044fe23c66fa15247","key_schedule_context":"018f4d1acd9ce69745cd8822fb9818aa352a419a838cac98226401609cc3a5adf122e12f3643e2ad9a56477d7c83c86837ec8333a41879b3acfa67bcae5d3201c2","secret":"384ac772905ceca911c34fe5cda9c1a6ad9f6830fbce059c206efd97cfbb78a9","key":"bf9d8a77c8af0e88c47e0529a516e4dd6696050cad98191a43ed10bb5f8cbc7a","base_nonce":"3d8b9c18dd4e1baae0fdab65","exporter_secret":"97eb28db41bb6b8dc28c185a500f95d9934c2213b668dd96058ce2c4b96071db","encryptions":[{"aad":"436f756e742d30","ciphertext":"c2c68163e488cf935f46c789cb97ffed984dd6bf25fc4bac7e5cd0d9c124f4eeb17d6f0473f32fd4b343f2ea5e","nonce":"3d8b9c18dd4e1baae0fdab65","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"b5f70959c7d6c6b7c4183c29940be8a06e2f20e533dbfb6a9bdd00cceb149590c79b1d6e2afad008055aceeada","nonce":"3d8b9c18dd4e1baae0fdab64","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"9039d024fc47ba265bbf3d21f7fc2f8d70183f5517a750d449aad8a786b961066c32f412892f8c7dbc523484ab","nonce":"3d8b9c18dd4e1baae0fdab67","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"ab02f01d98f03fd4ac34e418477d2dc064699318e0282c714f1a5820965b7beab523a13a93574c5ce06c03ee67","nonce":"3d8b9c18dd4e1baae0fdab66","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"6de9424fb29e982664afd4ea5a052b8e7734fc54e48906e2eb301128ebde0fd08140ab4113837d8b2ff000d95f","nonce":"3d8b9c18dd4e1baae0fdab61","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"809b403341892c83907047499055d7da25080ec6961e64198bd1e18d4af827c4124fb7735098bb63dfb086eab6","nonce":
"3d8b9c18dd4e1baae0fdab60","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"593d891a0fe8c2bcd8b1f8150b44fa2e2590b065a2a03b7d26afbc10e905b4e63aeb193422419851cea78dd7e3","nonce":"3d8b9c18dd4e1baae0fdab63","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"cdb8f9785ec055f1c672f0e859f8b165a7defdda4cec06a2fd596add6d1f15d0cbff0372e9f773af1942d4c420","nonce":"3d8b9c18dd4e1baae0fdab62","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"79718a479225660f1a290380c87df763238a00c889e6b4544a53c67bd4c581cf9f322d1b899b1db392625d9615","nonce":"3d8b9c18dd4e1baae0fdab6d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"07497e6949a2f288520ebebd2126817d42558cef5a288ddcd64425abbd8c13052266632e938609cf6bdb64b9dd","nonce":"3d8b9c18dd4e1baae0fdab6c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"78d411918383415d892193bb17e6fd4477209262149b09db0b271d3c6d9cf56d"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"47b72d4b6457886a850f77f6ffb143cc085a8518e7da32755d0fd3ff47c8f065"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"7b80da0c994cdaf801459ff67e773c5cb213d7a076e065f8106973303af96dbe"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"bda1beb561a18eae6f3ced196e4948c6c45a531f0290ba1b499e02e37b746717"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"2e050c1d7d8f0f390933caf0e5ba372fd7941350a5e876fecc866efa48678202"}]},{"mode":2,"kem_id":32,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"eb7c46705977a091956c897860b4a89299974c87df2ee6ccdf22717ec9fd75d3","ikmS":"dd336c1304b27bdce3566ec52b4b3789e1c60b3779e0570310a927207a6599
fe","ikmE":"84426b359454fcc560c1a604114668b82e5cc1eb8888b6ac851bcaeb6a88bdbb","skRm":"77837b3fb3da2e597f825824fc08f1928178566c22900bf62563e3600f82ea26","skSm":"c00be70502345af976d93cc989d8af81204f004a9acf0d0ec52cfc9fdecdd048","skEm":"b5a8823ee2d4a776c0884cf71ae4ba85c38f7df824dd54b5ba0ce48e37673f21","pkRm":"704b03f578e3ff1d0e817a54c9bd16188bbb6f31df7ad7ecc751f62fae083041","pkSm":"31ab97e05742184dcac1caa625545a7f331c6a904e9512b942ca5c0d252f9c60","pkEm":"5f5578bf7598a6cb08d26d153b23ad668b87ea0b41f60dc584c76b8713114364","enc":"5f5578bf7598a6cb08d26d153b23ad668b87ea0b41f60dc584c76b8713114364","shared_secret":"ac2ef7a8fb39b1ff8842f5e36f15f3d0d07799539dd3f67ec3b9b07ae11c9a9e","key_schedule_context":"02baa0bb3cdf58aef2e3fd558b9def8ad7f7f902e7a6c83f2564ca3e9eeb3d26f222e12f3643e2ad9a56477d7c83c86837ec8333a41879b3acfa67bcae5d3201c2","secret":"7d53f789e3e8751357281aa9676feb691294a41b9d791cd9dd452e1ae8a98c3e","key":"7b60c156a684de9fd3a3fc00ebe5818863e358396c351f55debd9f1791d7eaf5","base_nonce":"0b8715034a10d5f83128a121","exporter_secret":"175de3b993c1748505c22a342687f7d65de2b728e23d2224ed2d5f76dd96a1b5","encryptions":[{"aad":"436f756e742d30","ciphertext":"b435d9c71701bc4739d3e31e6c26833ca0c97e1104b97ceab14487b031b968ae50be5595f0ab7251193949c661","nonce":"0b8715034a10d5f83128a121","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"ccca12b4bdde4df8c96449d699de93fb91c7f4c924e7d21e7297414b02515259a8427ea7d935fdf4866ec8a735","nonce":"0b8715034a10d5f83128a120","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"e52f0e055e123b3dacf9fb875627038022227056abb646320f60842fd32df4f21af2f859aafa8dd3fb848a9215","nonce":"0b8715034a10d5f83128a123","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"2e664d8127f7c5da0c90e99faf48b42b6dd88f166a105b3fb2d2cd1c39542a5fa70f9a5b3518d985bd378145b8","nonce":"0b8715034a10d5f83128a
122","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"63606f670576d6ad99dce7288cd6db9c0ec4f61463463efd310f1f15b8ee2dc379a7bcfa204f4c540b68796f97","nonce":"0b8715034a10d5f83128a125","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"705e2bbb9e336ff37e48b80a2f3b3d241991cb930b3d05cacdbd7460698bdc987f7c4b194b22142d1f828692f1","nonce":"0b8715034a10d5f83128a124","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"17eb9eaa06f5c5075a078756936cf8dc3e9e4fdb8d0cd1bd556acd1809372d0e4db3fb1415e1aecb5390ee254d","nonce":"0b8715034a10d5f83128a127","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"c11fecf4f414165d7c131ae9a1cf6cb5221e68eebbb0a0d5bf59ca9f2d4f92a042dd8c42afd7fd044e5b624ae8","nonce":"0b8715034a10d5f83128a126","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"2855604f020e75bb7843a55f01d23067fda4053379113f56fce68ef0724b888dba02a6861af433d157186ddd45","nonce":"0b8715034a10d5f83128a129","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"c6c7567035af0aace89ce9066e5ae1934d65b1426c1663cf53ac77d0d3ee4ef23bcdc5692e6c46604c1ca1234f","nonce":"0b8715034a10d5f83128a128","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"08f02e44f7dc6d11a42cf80ec09b0a705245bed523c536c9b8cf63adfa21afba"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"d8ebb5cfe6cd25d5dbb3566622e00df49818d345e98c15836c03dd36664afd44"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"97a85292e517b9fe015785b1fe80db4bfb6263ca75564cba190ad45790f5494b"},{"exportContext":"436f6e746578742d33","exportLength":32,"expo
rtValue":"bf1e5213d79aaba043151c694f86dbf2a9eeb969a001f5de32764197f1425d0f"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"2af1a042e65a11324b96a16229f966412a7c2be655d499defa5d0d2e6675ac27"}]},{"mode":3,"kem_id":32,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"7ec31ce49447b439a0f7cb43a69833d3c21edeef18fa17f34befb35c165b5404","ikmS":"5eab876124411d8b719ddaf5d9852c39f3fcd3030f2394e71cfc740d6bdd39c4","ikmE":"c6625b7c169502921f9747d1c09cf3e939942e25d71df94b5a277420c0b4c31a","skRm":"7d2078c31bc33d2a3ab791abcb07cc0ab88010008bceb81f370bc2dd10778ea0","skSm":"bbc9f81474d6feddcea0d67c65222f8fe39f786c374a25ea2b7ecce2d217a507","skEm":"30fd53afff1d2b617f7762c8996f902beeeb397cb4d49a8462818d25593b074f","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"f81e343776a4a4efd2a0aef59764b633510777bcfc31c58b38e965eff151692c","pkSm":"8efd166f8b2abe66b2c5102edb277cd8a6d0b7b70598515dd0a6eb01df5f7f6c","pkEm":"df852d0a1319c41605a8e84875ea5c34c0ae7e8ef75fb21384ec6d0cac86b454","enc":"df852d0a1319c41605a8e84875ea5c34c0ae7e8ef75fb21384ec6d0cac86b454","shared_secret":"ffe759047b8f1316d76c582aab7bb96fad198941c677d9dde7677b77cfa20c49","key_schedule_context":"038f4d1acd9ce69745cd8822fb9818aa352a419a838cac98226401609cc3a5adf122e12f3643e2ad9a56477d7c83c86837ec8333a41879b3acfa67bcae5d3201c2","secret":"22fe906986553716ac35635912c6e8be0397919bc68922ed97afa511aabd5574","key":"7cee5237e47dc15ea1ffc0b1bb2458efdd5c01b03c694e05947a3fc980ac2ffb","base_nonce":"e0feb73651c4becb6ad8bc74","exporter_secret":"b75fec1e6ff0e1e52ab92c96f7d95224773abfde87ad41d6c9c9f1fe9b9f22c8","encryptions":[{"aad":"436f756e742d30","ciphertext":"6b2adfec058045436e0ddf14c2d0d3f4fe2d45adf4d4338b0af898b523ba3bbdbeeb6f44d482a27999d5beb9ea","nonce":"e0feb73651c4becb6ad8bc74","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"beaccfdc1504e70
9dbd2f53240d719fdcfac30f4fd2686e3aec273364197a8ade49bf3840a9d4befd3dc055f63","nonce":"e0feb73651c4becb6ad8bc75","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"aaca27cf3320005ab6002d2d66c50b79096b0593ca5ef3ba908fdbe90990e00f15751e617dc55088d40b795e1f","nonce":"e0feb73651c4becb6ad8bc76","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"e83572f34f151a8f6da8d779409dbac21eb9b7f813a097df5621eb8e8760b1a5685532b29a17e0e3c25a9d412e","nonce":"e0feb73651c4becb6ad8bc77","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"2503c601c09991e8a8545593b0e8d7514f7db11764540b23b5744358451839ad54842079a74d75fe26b3bbfa7c","nonce":"e0feb73651c4becb6ad8bc70","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"b3d8bae94f83295ed4367092745bee8827c93525e1503560efb48511bff30b93115bb8391d44b0f01a701b1495","nonce":"e0feb73651c4becb6ad8bc71","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"8ff3c3b9110754848b956d542142c6e2878458b4e7bc162be464b0679d71fc2e6dca851882de79550f91ee6dc7","nonce":"e0feb73651c4becb6ad8bc72","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"986b932e024d1ec0c5378a5c1c054fdb50a700bcb76bfea3f929cb059ca8c1f8366f66cf10778f75544fb6ed49","nonce":"e0feb73651c4becb6ad8bc73","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"7e21e67a8de344bd8bbe01109117addf9326e92b46c923de35a54ba5e996635723bf2439ea3358668e994fe70f","nonce":"e0feb73651c4becb6ad8bc7c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"02ddaaa159f9b409b8039d965f14b12a8178565c3ad633cd813fb0b66f2bf49fa1d57ccbf1ce05dac09db5b67f","nonce":"e0
feb73651c4becb6ad8bc7d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"738c59790666682c58dcce82901c4b63de3d99f9a99e6104b811a1fde4d88ebf"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"28477984d0b9b4b80238044ec99da80724a1df57d96e7fb69e4b54629434bc34"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"0e56635319fb00212e886cab710163cb10b10e26db0b33971e80669b85ba3990"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"21e8ed6df82a19c3bc77bff377fbed8cfd83ec7254084eaf2505f21521b59255"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"b74805f3a9f1fbeb1d4b79af865ffb38a9eeff285e8e7ef41fb67622948ec103"}]},{"mode":2,"kem_id":32,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"18a6d71ccdf94ea7d572bccee86ebb217a44d869847f4a4e92c92c9e6e66099b","ikmS":"ccda4a41837b2e6f1735080af0af4256af8aa2108cc7623ad0cedafed8de81a3","ikmE":"daca9eadd55a5098bdc20d2928e0877639eee9955f30b79b9613ca74a65df9fc","skRm":"9338afc21296c4f55b6921d33f5bd30bc79d41ccfdd414dee3a5bc5758d1efa3","skSm":"aeb180f3de091ce45999157766cb6a1cad30942ca6ab5f57c66ab1d214518c9a","skEm":"7fea44083ec2bac0c7d6c5d06308b17f009b246d9e9cf9ebc93949ac28ca5da9","pkRm":"994a2dee390a7cee1f37496fcdd219a6bd6f0f41abd579a57ddc98b7e8f89968","pkSm":"ae8250f1f0def6d116f899d1a1974caa874ad4c5dd471e920fd2a8f1e8338d7c","pkEm":"7626a81eef8b3c3002be0c0617402e2bd2b6d2d23629487ccd1ec0d717d30850","enc":"7626a81eef8b3c3002be0c0617402e2bd2b6d2d23629487ccd1ec0d717d30850","shared_secret":"6fb6297f0fc0bc5971bdd187bdc6a9a98042b507d102798f1ebf96394f41952b","key_schedule_context":"0216571e1ba833f9be6e5259ff6da3cdfb064e4ddfe863b6ebe7520198c194c245c722fefe1a60d531940d3b1138c4c517cea168710ccf76091fa0d7ab05a5ce53871980111ad9b978e4398f2f10cd5945d8372597cb034f9cacb3701db20d3e5ffdf305093d5ff3491069f119ee4a0a4aaae16b04154171f9a705f2208a731bf
9","secret":"c0014772817de6e57faa7d464879d14d2d2b00d574590ad42753086868b44f0de7e5f9abdf18ad1c9d5951d65ef19a8d489ceab8d335062bdb82912000db922b","key":"df9a7d0f376379d4267576c0a9100dc0","base_nonce":"aa75dacfcc3a7a0def2828c2","exporter_secret":"308696f04b3d200c34e03576cac813735d2552944ff549c9f584b441f6f6547dd3b2a65056a33ebc426d221a6631a0d6d1213419448e9535f65f268b129d8017","encryptions":[{"aad":"436f756e742d30","ciphertext":"d363dc4a3ebf3926c915cf3c0fb472293549eb7371e595519992faba57c9c0aff03da69ce4e69e947233a15a1f","nonce":"aa75dacfcc3a7a0def2828c2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"9ea50a071f00cd6bf823118d966a03113da55b4b4adbcf462a18897a3f3dd86a0a4e212de15764bd6367417dec","nonce":"aa75dacfcc3a7a0def2828c3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"cedbbce176cfb0a6dd23d218504791f71ca09bc03b07c2999dc696a8e47b9a856440a0345794646243288d0471","nonce":"aa75dacfcc3a7a0def2828c0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"b60aa9d5cadd47e7e4557a6d5c5327a841be50e8f3cdc3a46562994f5128d99d42970a81490000286b5e7298c0","nonce":"aa75dacfcc3a7a0def2828c1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"6c9c4e134cf7d1145cdbdafe2e40c97c0e096d3ca716fdc8dc8403427e7aa62d9e4cd081544539d5474a40e291","nonce":"aa75dacfcc3a7a0def2828c6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"93f8021f9a1968fcc08b587fcd50124b676b292d13529bbcc790212dcc63345d0f25f02990989e5a55bcb4e459","nonce":"aa75dacfcc3a7a0def2828c7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"40cb6fc2a065363a9f1fd6c5d09e3646d2ef6f7fec4ced233eb9de2b3aae03d55ea22893b6be106b0c9f713b4b","nonce":"aa75dacfcc3a7a0def2828c4","plaintext":"
4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"0a0c6b639900ce8729c5a059014511684ffc2af8dee0481a3931e285006cff38885e44e0f6e044e9f7d4e0daa3","nonce":"aa75dacfcc3a7a0def2828c5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"1d1ee7961a76ce872ed5b69fba372b22008c67db37cf490bc100c6fb060da5072be6f66c2bfe5d0871f5b5164b","nonce":"aa75dacfcc3a7a0def2828ca","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"1fce0ef8405b6b4922de59c3509790c2c001c7a0cf40cc2aea16333f1e9dadf6093cb77ae7b33c93b609746dc7","nonce":"aa75dacfcc3a7a0def2828cb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"1c123bb8d4e007f5ef869db49a1712082f96ed3dab1bf8f6bd39bf5279a8dcaa"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"e15a476ec656c2a5105d1abe4984fba1713a67fdda64794fdc89cc35a66b36f6"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"ea7b233c0bf60bdd18765ecc5b78822e77f541dd27dbc29dcba12ea3256a3669"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"27443efee34c68b4b2803447140972855e436b969ce1446e0f296987cd89e8b4"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"7aa4244c8dd7d728dd31498d33c6c6af74d0de38d012f21027af5c9dced14697"}]},{"mode":3,"kem_id":32,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"c000415f6237f513e34c551606b68b8b71f6b5fd0ad83c96614282006fb36608","ikmS":"faeb3e052fe954aafb064073effd4dd08c7724d9f16ca8a97bb865c83fa229f3","ikmE":"cb892b6a78ef40700810a422fe6d2e166264a1e6a404a2fdae590bfd2483af35","skRm":"8538ce3e142fd6766d3a2db1566d1219c2ad8bbcdda06e00e726072964332541","skSm":"953bb5bb215ddbfa705523172394f5f031b9442417f046e850093c1410cec566","skEm":"9dacfbf8d266340e2f67825487955637b6709f6bbdb20
d44eafdf8f959c408b5","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"f745771086617d726a383ce7eab47c1d45e2e1ec44c0f40e0cfb798ead24dc70","pkSm":"91e9453368ff9062ca5d94b18c411efee782cc6a2b2805189738206aa7af0a37","pkEm":"8e906d439980b80e21943decfdd471f34814622f6d69cfc574ae7fe345bab82d","enc":"8e906d439980b80e21943decfdd471f34814622f6d69cfc574ae7fe345bab82d","shared_secret":"8ab458fe3642c9a0501e27c80dc8a9bad5259ed0bedc9f44d6c43bd2e7c097cc","key_schedule_context":"03e6055a5b6f19acafaf1b8bfa7989c3559a26717d5c7ceee921a4553435887ff9ecf029e5e701adf1be8df82f382929565deabb50839bbbd5e2f549a169c9d79d871980111ad9b978e4398f2f10cd5945d8372597cb034f9cacb3701db20d3e5ffdf305093d5ff3491069f119ee4a0a4aaae16b04154171f9a705f2208a731bf9","secret":"294bf7f52ad90bf8a2714147f46850f94cc4d950628a7d54d3768fee6c3c13a4de558c4081b0116a659bc540b96f69f8dbfbf0306680ed160aa2623f43b08cd4","key":"0a191c9596344edee553cee39dafb4b7","base_nonce":"08515713a2ac7436cb02da04","exporter_secret":"6afcaa792eddd9e21e72431661872f7d1b6ca94f82d7ab1c98f2e9dff94b88be9c3172faeecfe3bade6c9a8f21e5627b63f5b447ad37103999bc259ef4ba9bbe","encryptions":[{"aad":"436f756e742d30","ciphertext":"5d6e1ce723623f4aaf11a1e5b0723e49e2e06aef0e4880a87bdf36f5e9c405e1e43efe6d15cef0a94e60d4804c","nonce":"08515713a2ac7436cb02da04","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"55a3300ba132371c18e6307c9eb288a6f3ae2e461954688f1e613b35cce349ae271f467e96f5866cdb6509f6e0","nonce":"08515713a2ac7436cb02da05","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"053a6f0dc37f7c1eab20e8056a1fc8740f7892a4ded53443187ff12203c19fc0b6477b67cb346fe70bebf831df","nonce":"08515713a2ac7436cb02da06","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"bb5f4a9c40ff20e73a1428cdb114cc8c33270e6a3f090433
44a1f3743db1c899b19dd212f8e640fe415b970d0d","nonce":"08515713a2ac7436cb02da07","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"b8d12a0607732e9cd6c70f16aabcd5a40c2bcf6709808164a55e4f768a5462c65c08d70b4cb8fdb40fade2e0fa","nonce":"08515713a2ac7436cb02da00","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"992d8e7ef5353ff96b8011f17baa1aafffc68233dd4053097057f4cde690f86efdb41bd0f8a45e043fc4daad83","nonce":"08515713a2ac7436cb02da01","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"97299ff2d0615a6c8e1fe5c604aced3ab537ead07ed8036637a9c1154bdddeab710481c6b8272f81b66589eb02","nonce":"08515713a2ac7436cb02da02","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"d578df30ab7df1f7fe0512968577b6751a598e0455353e2602271654e13adde1aba75e259d3c38033aac85ed7c","nonce":"08515713a2ac7436cb02da03","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"7224a15d9de52eadde04eb3951f13a34e584222207a8fc0f9aaa05781aeeedd2c329c64bf0215f35ecb4deb527","nonce":"08515713a2ac7436cb02da0c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"738a71398a3670affb10b7bbadf71d20838c701cc4db10429580a6d58ce47d451706aa996186930f177cb1ec22","nonce":"08515713a2ac7436cb02da0d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"99eec4489a34b83395273d2f2aedf9d82792a20cb8090bb5fc67693ba91c858d"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"00af6b218537ac24150ffd7973769d747a2d35a767292cac78393e5c813bbd3e"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"13c6acec454f40270b718e5bd7b48da99199bfd1256291b2446fef
c2dec7677b"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"431e945a5bcb4a6a1d879e05049ea0bb9f4f31e9e808902dd4637a4996c7471d"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"d4b1f2fc2b17b052fb555fb84c73966afdb69848b5eb4c1faefa2ac50dd8140c"}]},{"mode":0,"kem_id":32,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"66abdddeeb37d3b305daa33876b36f4dcf6a7edec7abfa5296d361bbce57dbe8","ikmE":"b7a9101bbcb1c62e877e6ec41147f080e5393b1819f6d36ef40cb4e6be76d6c0","skRm":"4a434d958ed83719e9a743939018858656982511a4d9d9f319914619e960a490","skEm":"b3f4017f560375b6baa950a1d829bd69d66657d5512acffb4c3aabd93e60c522","pkRm":"6f07211d5f56a092932a1d8a062bc080911059b5ed1cd85b7111929a3aee6f0b","pkEm":"216339b05d8d6b70515795dc86a60716b54d13ce0a0c8de6b247eb6555579451","enc":"216339b05d8d6b70515795dc86a60716b54d13ce0a0c8de6b247eb6555579451","shared_secret":"59a5b5bad10b06dce9a6036884d597d0d3363a3f1e16262bef987c6f40fc6b4e","key_schedule_context":"0016571e1ba833f9be6e5259ff6da3cdfb064e4ddfe863b6ebe7520198c194c245c722fefe1a60d531940d3b1138c4c517cea168710ccf76091fa0d7ab05a5ce53871980111ad9b978e4398f2f10cd5945d8372597cb034f9cacb3701db20d3e5ffdf305093d5ff3491069f119ee4a0a4aaae16b04154171f9a705f2208a731bf9","secret":"f3757f249f1fdc71578c903708aab46ee51d6adba61b529e76742a4be5840814080daa7c4ef9eb202d3bb054bc1507f142cf1efb3d437c5ee8f61fd139568376","key":"165cd7a918eb5d927d317cad12e514c8","base_nonce":"5148df097c58c5b61d6448c2","exporter_secret":"bf6d98a679d20bfbca7e21e8ea0ab68cde9944ed8cf1345ead78d2d5e7ad61e6ec74c3fc4bccf2dc6ce7ae103bb1c7c8db35cde9082d11b7afb72cca53f32fb0","encryptions":[{"aad":"436f756e742d30","ciphertext":"cefaaf1a2eb5cc41d2535b632acc11df61f48c744d8261099df0b870f0874dd29ddbf9c88f85ecee037f5d3b51","nonce":"5148df097c58c5b61d6448c2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"fb9a24a4e879fe5c1e79485600fd3733bb1371cee013db092439b5e07a764b950bf3
f3d58f65834df64bc6c291","nonce":"5148df097c58c5b61d6448c3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"a7b09eaa17c68e5db0f45d270c48fbd4e0e2bc0e58ba9be1726f3083b7e8f6921f291394b37d511e721a2d12b6","nonce":"5148df097c58c5b61d6448c0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"c5e1ad3659f0a28636c21260a9394d7cf3f0f71b8ec2a859b3b0b67023801165c2c3f0316c056a745237d8fc24","nonce":"5148df097c58c5b61d6448c1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"0ed7ae7c6cbf0418815daf64a6b1f9746c4c81de7fbacc5f910e6153f503ac6b2c795e5b9fa07e72b7abd9cf03","nonce":"5148df097c58c5b61d6448c6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"0f197dce32bdaa88904bf68cf2238082894b2aea54c1aaf8c98dd479d54193b692b2b62706037ca39cd752bee7","nonce":"5148df097c58c5b61d6448c7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"490662b6c3eee14e853a33f308875bc6b42357afb1798602d60825625cf865448634d396498866db47974d0562","nonce":"5148df097c58c5b61d6448c4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"b11a7934ff299de3ea0b0977a86fa08c17e0a84f194e32ac76ec2d0f6fac6a3b0a489ecb6f12ed76dc15690dc1","nonce":"5148df097c58c5b61d6448c5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"538fbf0ca730a51ba67d9a41846b50d343dd85321a2d5c4942a7f9aa4138fa64297914423f37e3b811ad94bd84","nonce":"5148df097c58c5b61d6448ca","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"88ecdd3855c554f9d76f381a179ec7a33df4140fbf0bbed7fbbc438e05255cc5daf8d1ef6874375178a98b9643","nonce":"5148df097c58c5b61d6448cb","plaintext":"4265617574792069
732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"d626313b17cc70e64b97a4156e2b629420e9b0ac4b872fb3daccd5f1f261bf6c"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"9e0fd0835ddc43a71ec79c6b881dfeff633f305b7fdd250f6a53262f85165157"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"a1ff4f1acd3f32020f99e252c988ddaf93457ee0be06040c4da1b6628728bad9"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"27cb5c6f7da8b1f2ba3048aaeadfc4fb010a141d73d73fef15e8fe8b7a48a19e"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"92bce120c4cfc5a1279a452b916349ba3fa86c6cd55dd27373d8ca3918c12e91"}]},{"mode":1,"kem_id":32,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"727cdb4cbf861298395da6b9f193fce5995272496e0bb9617dffe18ef5938695","ikmE":"5a345aa109da48b1be80b948272635ea1cc4465c2f64ca46a366d9047876c8dd","skRm":"598b32f64299241ba51ee04e046f64ac3496a45db8dd9c36307ceb6f66596b2a","skEm":"6912c0979f2c515ccf8b97a6cf929525ee913d39531da2937e3783142da97ecb","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"ad95ad6a0dd2deee156b857767cd42045c5687d75387d2d60880fa8ce938780e","pkEm":"28733320a12e4b4ea4abbd499b05434157811d566d3e2b9cb8fcb117a19a747b","enc":"28733320a12e4b4ea4abbd499b05434157811d566d3e2b9cb8fcb117a19a747b","shared_secret":"14d74a6407173de21a5727aec4310b9b9c2391ac2d9a80839d12fdd55f3d1d01","key_schedule_context":"01e6055a5b6f19acafaf1b8bfa7989c3559a26717d5c7ceee921a4553435887ff9ecf029e5e701adf1be8df82f382929565deabb50839bbbd5e2f549a169c9d79d871980111ad9b978e4398f2f10cd5945d8372597cb034f9cacb3701db20d3e5ffdf305093d5ff3491069f119ee4a0a4aaae16b04154171f9a705f2208a731bf9","secret":"6f7c3366048be4620b530604aad4bf2f4663ef8e27053dc04652dc040ac5252517759f1734e89b86b80d5f1d6b967ec002c0f7061df23f64e8fd875f0217e5c2","ke
y":"21b9b917e633da4c156885b615abea7e","base_nonce":"9c70c4fb36f8dd9466ce2d76","exporter_secret":"5691f6a5df1fb45fdf7220d5487e0ffb3786c259edec3dcf2ddd0924bdd412bc0fa0e90344f10754805586a86c236492cebfef8231e7d66ba50d9d97dd6a379e","encryptions":[{"aad":"436f756e742d30","ciphertext":"431048c52aa623ec768484e3ba052e38657ecd49c4c9871686bb3a0a10498f915eefdaa8ea3f470a1138ea73dc","nonce":"9c70c4fb36f8dd9466ce2d76","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"66e76b77a7ba6438d7470d1dfec3f30c51877e6b2d9b3fd6bd812fe90c9e27cfb970e33afdbdc73e607242fe75","nonce":"9c70c4fb36f8dd9466ce2d77","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"95e36e5f2e2a5493976fbb9305c7ddeea5a939912c3efd31d7cd1d99f7ac3060fed4e7ca617ce61c2c78d4f9d6","nonce":"9c70c4fb36f8dd9466ce2d74","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"b8cfa0ed68582346c35b46345aa47b23ed37e623d9742dcca3957e5f3f5ccb7c09ad36f049ed2821e508ede774","nonce":"9c70c4fb36f8dd9466ce2d75","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"738502fa78e4200afd9040d8b4891d6163b4a90730fbb5e574162bac68cec24622efab3d8e5716169925b1e443","nonce":"9c70c4fb36f8dd9466ce2d72","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"99d6b3d9fea26986ed579bd2524fb6ab541beb66fba7c2f76bcea94f56ea9918da728cc40e31885537858df2dd","nonce":"9c70c4fb36f8dd9466ce2d73","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"4f671466f3c1f9042a0e2cfd050ece7fc0622c150bf8d6c4d640dc315f4df2f809c4bfb629944556b0f1401483","nonce":"9c70c4fb36f8dd9466ce2d70","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"5ec36b8cbf12f8b6b353f1c40e5e9b4d07b891a624ddd80
93731e6145f121003a41848a2d07da2a925673845e6","nonce":"9c70c4fb36f8dd9466ce2d71","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"ac613634bc4c5f6fec10908aa7d3ddebd5d843aafd75493eab54e94ecfd834882bb766d5bc4f7694c292af4dc9","nonce":"9c70c4fb36f8dd9466ce2d7e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"b5e1ce9d48b1b5e8db427dc74f527def5db71eee7f19c9028f0aaa377612cbdd2393ed312af6193bbcf5bb1d3c","nonce":"9c70c4fb36f8dd9466ce2d7f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"1db10c7aa0d4ec860d6d5b186530105bd7b3bc6b2eee1214ed603502a01cdb12"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"18e999e8cba19eb0924a1355363236a24b00452807c15d4a86512ec528e1748d"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"0f011cf42f21098940d85e73feccac27188591b1ee016f10d9955bd3f85de3bc"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"37c86a6ce95c015e3f6783305b4eb617b0dde02d5938b9d3d57fb985abbb932a"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"c3c2b5f401cc0b4ec5d24eb51b6d840f0703ce6e692c6739202095c2932434ce"}]},{"mode":1,"kem_id":32,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"d5a954475a8ba61ccdcf840f0938c35cc9033185946a6aee0b732fca6615213f","ikmE":"89d148010bb6a1c36673da5ca6bd4970e1fbf7e5db0654dcdb507d495602cd9c","skRm":"bf5a16e53836fe8d4bb8fb8181f1c54feae3c46f377089b02dcb8d78fcd714c8","skEm":"cb0c63eee79d27725e7c6739815e204dad7b79f4a5e5a32711dd363679d624ce","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"bce3a58a6e2cba00f89e4db38d8280df07111fd53543c9b134151e327c1b8471","pkEm":"9a3b56c6d5c7e52fee389719c1a7e61d57ee0a5bbb1f74f7d315879181c235
37","enc":"9a3b56c6d5c7e52fee389719c1a7e61d57ee0a5bbb1f74f7d315879181c23537","shared_secret":"9f05b7d220a3695811c9fb19cfcfdeb8fd4e89bd8d025da2b98806bebbd42dc1","key_schedule_context":"018aa734a1dbd943c602514bf863b1ba8a3a5c3238c8031c24541492180eb21c3061e3a125ef4a2ee8a8e04598f0911820700de2698b4f919892e1ea559258ca57b785be840f99d4c14d4e12d0d5b44424e52c8026ab15bff8589a4644ba2771d75eee9278c5e1282a28cf2c1a4692fb081d4c96edc7b87eee77ec8639ca722d6b","secret":"721ea5d31737cf280b040785b1ecd20eb400dc94ed5e27b6cc9e66baece10bb6ccde15f920d0f008fcb39956393833b0b07c46b4e0d8289f10ae6166b91eb9ca","key":"8fe8d9257678ec9bffc5f033e00a7368953d7fe841f3beac93afe8cf0aa1898e","base_nonce":"dd41350ccf70255ffe6e08b1","exporter_secret":"28806fa8f6ce842d5dbeb0f92bc059d1222381e33d74b78317ff6238e24f59b7e92e43e26a2b7b3a9e8076e8bfc71d4eb288c4dd5ad9899da90fa9789852ff65","encryptions":[{"aad":"436f756e742d30","ciphertext":"07562e4127a4c91da18a377b4a5041dcf841c1b797be33f8ab20d4527d6340c790def6dad566b7c82d8aea2dc8","nonce":"dd41350ccf70255ffe6e08b1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"eed1aa065d12bf305add069920819574e4300e7a0a533dcd59324064c27a82d19983131545c1b6fc09542558c4","nonce":"dd41350ccf70255ffe6e08b0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"9a87c83a3acac8a459bd29b1a96f97e41bb3561a2d8015c04a833670193dd812ede8495606ef6f88fd7042e014","nonce":"dd41350ccf70255ffe6e08b3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"96ee86d604a7a45e0d06271cdb733b2f1b1dbe9fda2468327112598d9157d5d12a9b430442b0316085d5e4a3dd","nonce":"dd41350ccf70255ffe6e08b2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"00519e9563bad719fdf06657d0fe52ed255b8371073f2a4ab80c1f90a48750d026d29fb7e061533d34cfb60e29","nonce":"dd41350ccf70255ffe6e08b5","plaintext":"42656
17574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"5b12c09a46e2e166fd89db2fbed916516b8daae36edf40126c81ade8d36ac06e3233d6ecb7af017f0ed83e2c56","nonce":"dd41350ccf70255ffe6e08b4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"47f03aa5bbf320a0ba9ef6cf41ab966ff270ece76d40f7a6de636594b30069f28918dadedd6b6e0f9000c194ef","nonce":"dd41350ccf70255ffe6e08b7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"3d85decc1d0a908aa0943649535ed0171ee590d57ca44baaec36e931d7aee5863d96ccdfb57b4d9477d24fe85e","nonce":"dd41350ccf70255ffe6e08b6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"b3d0e78a72df3f61f5e49bd4c7c776a53288a460753fe6058d5d030547e582ff59150967c9025b078985152f9e","nonce":"dd41350ccf70255ffe6e08b9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"6dd147a92d8aaa9e7fdba95847f2d0a77fd1033b2f575efbf18ec635584aa345f2ee9b75054a681d7e891052c0","nonce":"dd41350ccf70255ffe6e08b8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"898f162f326c41fd3d1c4ec67c1ecdb7d3775a81cba73c528be0517022bc7ab3"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"47877ec5dcb02fc32cad54838701483e95b2cc45d92a02ca52ac52cc458f05fd"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"910480600844c219959ef72262f7aa6e7ddbd23fd9cac6527e484cbb2376fbf0"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"73b06aae6423da6adee28ef30d73cf9277962f24aa032773a66217c0111b8944"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"7575c432eb95779ab4104b749b10cbdb3594ce7fe96bfe576dae1121f5ddb5e3"}]},{"mode":2,"kem_id":32,"kdf_id":3,"aead_id":2,
"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"d595f4e293cecc95e6e3050f2b65014b80c14299f33b1b93bfa0dc12ed0c52ce","ikmS":"5070bb0ce65d36e9c4630b10fd0cf32496112f1351930f812247e80c8a581023","ikmE":"43f80ec394d2f8be69196533428e92f47e34acf476920f638d7ff0e7dd86d92f","skRm":"a0f18e1ccb854b2bac5176727b9a11a00dcb6bf60a5f2865da9e6123808d5602","skSm":"da47a64d71d7c9587cff484d7f81e326e954c01895b1c1b172699317671bc717","skEm":"1f5143bde5e97efefc241ec65247cfbc1ceaf328d6199b0719d55ca11fb5279c","pkRm":"1adc70b21d89b3866194fc180cbb1d2dcf3b229869458c838cb52612c99fea01","pkSm":"2ccf6e228e746dc9dbc8b0cbd956a6f1478de9eabe910a8f705336ec881a6a11","pkEm":"5f8d0b91ba256ef364a9b82f5fc005f92e6837bba12d1801e91109e06d52934f","enc":"5f8d0b91ba256ef364a9b82f5fc005f92e6837bba12d1801e91109e06d52934f","shared_secret":"61cf79f2b044f51753d2163343536d64c8d1e06819604f0b47047b37e3bfbe1a","key_schedule_context":"02d60e60aef7284e158640dba679c2be1de6fcc95abc0fe68282623aa4f381fa2d50809a94bfa4a4d3d50b30d76803339a207fb334a9792ad9848ad1eec8a64878b785be840f99d4c14d4e12d0d5b44424e52c8026ab15bff8589a4644ba2771d75eee9278c5e1282a28cf2c1a4692fb081d4c96edc7b87eee77ec8639ca722d6b","secret":"7a8346a56f52b08b799ac3e9a1b6cae80efc84cdd199fc7fdadd9e096c9210759d134c1a5673a59eaf61dc309f5fe515651804291cb790cb6e7bd0db2a5ba043","key":"0bb4f9f61ef8069f138633f33d275279b39d1f19bde9fb8d49cca9202edc57d2","base_nonce":"7a9b43fa7a786d1c41346309","exporter_secret":"29fefb0ee4b660ef004ff497e26656cf0dd4a44d28dcd70bedddf6b37cb93abcbdca4a9f8e136ed51549e13eecf8d2029f146692179ca613ade45710f640c9e2","encryptions":[{"aad":"436f756e742d30","ciphertext":"c73d39ca742b74a4fc700bd19a26a93b8ea0c8e0e94baa397e9e83d530631530c2b9c65a46fd2795c105d48190","nonce":"7a9b43fa7a786d1c41346309","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"adf1607852bdae1b4417d5ecde1d7c276ac235429d730185750ef4fdd0555c00bdd36f8c6344419f5b5cc9e9f6","nonce":"7a9b43fa7a786d1c41346308","plaintext":"4265617574
792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"3937c19b725ff9854f3ac2fd35dfad7d5bc5b20ad754a013defc68ebf5d98e6f6a734fe1cb5ca93d5f7da261ad","nonce":"7a9b43fa7a786d1c4134630b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"ae13816222e69b934aa5a7e4fac87e82f3add8f8f002b978a52a1a2f9826bea945722a49defef2bc9fc5471827","nonce":"7a9b43fa7a786d1c4134630a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"bc996558fd2c9b7d7a94b7efd3d5dbd0586f990a6055636a83598ef9bf6e208df3594037fc3f2eaac4564a9f48","nonce":"7a9b43fa7a786d1c4134630d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"28299d27fc27327e66d0d93f186b05d86c839893b9688dad97307a9d1db5058b5fce3d8472482cb55bc9485a90","nonce":"7a9b43fa7a786d1c4134630c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"6977621bb2d7d34498573b4d808178273445ed66e3619aff46fba95aef70f6d62813fa086e32ce1303d889ef5d","nonce":"7a9b43fa7a786d1c4134630f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"697b682805da24f044c3475a5f544fb37d7a4ad3f8b2c87b6a5cc3e3fbd6b877d66b4d8892a1230539d2231125","nonce":"7a9b43fa7a786d1c4134630e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"f0107d92411894fbac2eb178be9f5570843bfa471849ea9ecf6b38151461fc055b03011e48ddda1a1e0ee6ecd7","nonce":"7a9b43fa7a786d1c41346301","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"365ff8abc839c5daebbda05f8c21c97de0fc2e8d565d9ae990f805793e47a7bb0218c6627f0a15ce85a3116a86","nonce":"7a9b43fa7a786d1c41346300","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e7
46578742d30","exportLength":32,"exportValue":"1fc995ecd18ee5c9b0ad16362d3abee75f15cf2d2efadab0156e4615d5a834f3"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"a6b31bdbe8412d81eaa0e386582d54fde58c39604ef9b8e6d6511f91781e4393"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"a140e45e6b0f6350d5bb3aa5d0968eb7043e2c8f977964e6ce0434fadc830c73"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"bf7721bcb6750aadfc8ffe27bb876a85d58792b3d41edf9e4ddf8bdf8ffa6194"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"8d78633c9c9c983c0c963b9c4bef3a07e5486dc0595946f15bdc6449e9b678b4"}]},{"mode":3,"kem_id":32,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"e9652069d06da8f55f2e7918fc5094ab25be894202b23711a169db53bf34aa2c","ikmS":"6021a397f08ee1a184a71f047b0c51b68c0ef18b5e6351aaa6b801e15f310fef","ikmE":"453ac61fa75c59516fbf6fbcbc6bbe5d69f067f73755a1abf694a6a9a66760d1","skRm":"b1cacbe8d65aa0e3eebbf32b8af4469e4c3769a8f6110153e8ecf6819c10ac70","skSm":"c3b2c7aee54d0763a215355e6f2e2234e1a34aef31fa8a0f8364f9845d8eed5d","skEm":"9491685c2f448c506eed3a3bc5aa5d1f0bdcd8bbfc34254d3590d71bed2b1039","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"b32e1f6c12211bd8572fac9ce0265ed0e9e11f55afc22a5872e0ac863c02de59","pkSm":"706aba93e8df4662ec1c8c37cfd06629134947a4522c6535dc50149717d72f45","pkEm":"89d3754826270441e3f249388a48f714ff4b2cbf24cbd6cba4fbf38183026f35","enc":"89d3754826270441e3f249388a48f714ff4b2cbf24cbd6cba4fbf38183026f35","shared_secret":"0a829b803b9b6212c228c54511c4d06b5edef92514c2596b8adbde8c1424ce1b","key_schedule_context":"038aa734a1dbd943c602514bf863b1ba8a3a5c3238c8031c24541492180eb21c3061e3a125ef4a2ee8a8e04598f0911820700de2698b4f919892e1ea559258ca57b785be840f99d4c14d4e12d0d5b44424e52c8026ab15bff8589a4644ba2771d75eee9278c5e1282a28cf2c1a4692fb081d4c96edc7b87eee77ec8639ca722d6b","se
cret":"a60545711d3be731af9ac344d9436d96271cb2c3e350677540d353752dfcf67565690ab2858795dd10e492d61567a21e134aea41a1ee0aeab1d4ddbf84d218be","key":"83802c589603ee4cf385267a76db1d6a921ceec60d87e7c92a8d0a09fd288612","base_nonce":"9341df2201a1e6e306c7fa75","exporter_secret":"a7df2f590fd737f5f483306e502cbccda3e3802933194bdd4c3169e9716dcaba4c7f2575a83d89fd2b17f4b7996df3a079cded67e3030a574ac539ac5919aee8","encryptions":[{"aad":"436f756e742d30","ciphertext":"cae79429cd6bb01a8fcb65c877ff427b510e45cdeb448d55e83b5d1689c9315f4c7bb8912407571151419e4e48","nonce":"9341df2201a1e6e306c7fa75","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"7e3185d35b2d29d377800297afeaf0717f408a4f97dcad2ebda75252018e472ba4c0e1bfc0ed404fffa056922c","nonce":"9341df2201a1e6e306c7fa74","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"b8b7310765e64a87aad5a9f9f03e3eba77bb10b09d36a10c5ac6fdee3af3f93751c31d6bb571e609dbb55a93a5","nonce":"9341df2201a1e6e306c7fa77","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"dbcdeea67b6699036fbdab41459edf134222b3e54001bc07c7ba9b7bc91542aca63f8cdd6f5d1ef64daa7bccbd","nonce":"9341df2201a1e6e306c7fa76","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"dff41003410bb0336af70caa40a84e9c9e9b4675dfb86b85ae0241bed5c9e1f1eddd8832cb3f4345355c009368","nonce":"9341df2201a1e6e306c7fa71","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"804d1929fb43b4250520220cb5e386e41e2b84336c19f015aae8304f3297ae84bdde3a31765a722ee49f9c98ea","nonce":"9341df2201a1e6e306c7fa70","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"29f19f3bde44855fe83546ca2a93b048aeeb469d64f95ec1c2724606eaf4e4a7c4d33257dbe31cf134b9ac1641","nonce":"9341df2201a1e
6e306c7fa73","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"401d5fc9f0db851d084c702ecf5d95038d664a7a6fd6ac740a7005938bf5a40b5a0098142ae5187f5c5967715d","nonce":"9341df2201a1e6e306c7fa72","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"7e25ef81cff688be3cc963775abc4a6d03b290f4c8f53d290a7040efa6584500fe77fd86fdd1884e847ce221f1","nonce":"9341df2201a1e6e306c7fa7d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"d1519b0187dcd4d233c4fede7dcca2a03320cd60f1533dc48dcd0357a390dd7f87fa3ca60e0a3b12cd45a1cf22","nonce":"9341df2201a1e6e306c7fa7c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"dbdb52a6bbdc1f0cc635838e8fdfc1451affef9438edcd8046f9f4e66bc4ddf2"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"5155432757160edcacb07fc9e4c1e6c2df2b4f119e9c3921160f12c56a4ff17a"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"db315b96a7738c72262eaae06e70c98ed6010ff53a562aa03484e6fc3594e128"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"9ebeef886f7998529026ee20d08eafbd5afd1513ce3e933e9e68cc03aa3017b1"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"778ea090b5ccd341b4b8f1e74ad3bbf1cecf2d870c5558b552fc9cdfe018e01b"}]},{"mode":0,"kem_id":32,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"e4903aa7544bcf2b6f8207ec500a93ef7ff0707d3d7835fb65dbf7c1ff108959","ikmE":"4dd369f871e57787c8b441ef211fe3deda5adb705ed69c71d61b2a847a0584b1","skRm":"2f0ec0507ce2ed1ffddf9584500f4985dfb4be835fd1cc3328add2bc79ef0195","skEm":"1333f4e05f4d851324de4db2f8554134b7d3961cb0ba250c1f47cbe1b0600b1a","pkRm":"e9de542fb5bf9d9edb037f8a822fe38e3960f550cc6e0a4e9b71a6ffd569d976","pkEm":"cb9d066684714ca8bf5
51be56ac1abd6b33ef82b4be65d74f44fc9b8fb0d580e","enc":"cb9d066684714ca8bf551be56ac1abd6b33ef82b4be65d74f44fc9b8fb0d580e","shared_secret":"076bd7c3ae4a5d8a6b6bc7e27c32eb583bc7f90596125396e1f28d14893e8bdc","key_schedule_context":"00d60e60aef7284e158640dba679c2be1de6fcc95abc0fe68282623aa4f381fa2d50809a94bfa4a4d3d50b30d76803339a207fb334a9792ad9848ad1eec8a64878b785be840f99d4c14d4e12d0d5b44424e52c8026ab15bff8589a4644ba2771d75eee9278c5e1282a28cf2c1a4692fb081d4c96edc7b87eee77ec8639ca722d6b","secret":"2eb1e8ec2ee5e81223ec9fef2f0c4167f6e34aac035f31242342836c6212a9f52d02283e130781a79ceae56452c2715d97f0db7371af05e84839b59708f0a8a2","key":"afc22c0473127fdebcf2c0d1fd25c637d7837e4efceead5a8888aefcd5f5020b","base_nonce":"be042d298ad2a21b3eb7c6c2","exporter_secret":"03fde6f3b0dd652244f66a5b9b1194bbf9e10034b153f3ea0e8a2414ff9841b38dd5ce42a608b34bd5c452d8c7ab4cd44831fbcc688a57163686b303c93a792a","encryptions":[{"aad":"436f756e742d30","ciphertext":"906422bbbf69a3e7b53d7b77f85f43e08374719dd1b29f8295cc0a4c77d1032a1c4afbebd4e76e1f295f3a84cd","nonce":"be042d298ad2a21b3eb7c6c2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"914ba1daeab6256551fa4eb79f712fc84d47c4d9a298435e9a7b7de166727a51342a07594a89faba29929cf929","nonce":"be042d298ad2a21b3eb7c6c3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"a38241422d70a57d27b3c89de539146a3551c4d0ec9b61d2cbe943d0752ab353f01b9622614623809f704ce610","nonce":"be042d298ad2a21b3eb7c6c0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"37167acd824dd39a8d0ef4b46111bbe45ceed154c60e636f999e93e1ba612faa28e3eb3bede64d0f251b5a5270","nonce":"be042d298ad2a21b3eb7c6c1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"d7282b9973c6f94a1c4bd209e879e77461c40fe4a5b15ef59a23c24d83759dd8c275da425121524d6b266cd715","nonce":"b
e042d298ad2a21b3eb7c6c6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"45b2ec536b8e2428058b4d68bf5b586e568c85e05c75ea2586d55048ff8e2ef5b4b78471995f900be0822a691c","nonce":"be042d298ad2a21b3eb7c6c7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"335a41107bb1a8c584466fbbfa4702e4cca09ab264e3b2fcc0f269258ffd9e2713591fc00dff76f88bb137812f","nonce":"be042d298ad2a21b3eb7c6c4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"5b01a1afe100ce80b7a8d3913a97693a928787e04cb2466f543519382bd66d5ed2332368b540bb6ab5c069b807","nonce":"be042d298ad2a21b3eb7c6c5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"53adc9b00ca2f1e3b80b51f68c46ff2fa605679733977ea5c33afd28ca2d60971a58a22030bc5da3d6a369719e","nonce":"be042d298ad2a21b3eb7c6ca","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"6a6f62b94842ad233ee717dc7dc955e47289116a5a8c1969c36bc3eef689791450351fd1abe6f930cfc86c499f","nonce":"be042d298ad2a21b3eb7c6cb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"290bfa6f346ee2c99f6a86d89f253ebc3940ba5dc38efefce8fd8b06f1632096"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"7f4a7988eafbb28ab013d9f28525383d430e2e4b3e41a8443ed5b611dd4af255"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"7ede8a9f4977d109e6a1d797440e3102c3bb4c91eeb53c99695c9b0e4ecfcc53"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"a7d3da7f5df2f8131f69d779e82a602671e954e1d1c14dbd5b3acf88bb60fa19"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"36623a25e58da2688d33ff5437514824475bd851014180903f27f7bb67bd5662"}]},{"
mode":0,"kem_id":32,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"f9d34f90690b2b85f340346f9e6e1875d817e177294886d0bd46cb5e134241f2","ikmE":"7f69563c91c381eca8f45ab2091f0d679c376bf8ba2e5fa47cfaf934f0556831","skRm":"3b7a1cc0f49cb2185e2007ce380f980ed28865a79797a500fce499d8f8c4bad8","skEm":"a1a3c737fd525447032b5da3b3989902ea6136f56a5fdb4ce0516d933eb16a25","pkRm":"14de02d5a59d75272e23c4bbe8a517c3216d90c1201c92f5d7926313aa5b5758","pkEm":"c28a0acae7d2d4c531e6c957f0f96a488c998e0d2a5c514241c8be801581db67","enc":"c28a0acae7d2d4c531e6c957f0f96a488c998e0d2a5c514241c8be801581db67","shared_secret":"639f395c3e657321c368d5a208c705a0b71d8ea8aa085bebd11e8512b894e9d0","key_schedule_context":"0098dddbe3fd1c4cbc3b010a8095fdfd46fac8b3a4d738edba4742761184b45fe93611cc8da1c43143a89d62e7a69daed11b8acc134ba396b5c5bd8fcaccfb0492d1f338b4ee3c11acb9f9ecf121b7abf51f3d4fd5ca25e3e2de759a045362b4ceef829302d5f995565f048acc778d39d87f8e0a7ce313d662df9b5784ce8018b5","secret":"27eebbbc9722f69e58b0554468f559d86f6512f572db92f2f8312a1eb56686f0a5c2301c185dfcc5e4962c9515c4e799af9918b516303497177d520ec8028ba3","key":"3a694f00f6ca3b971cd42491f3ee56c6199c931efe51e5790cf0ae174e42adb2","base_nonce":"52500b00ea24ee9728327b5f","exporter_secret":"0758e2dbfcfd697d077042228d81e1a4425382a864a408675c632e7227bc7f36233f7c2a0e30321a2a6b70def858106d57424f5dbb7cc9168738cffe3f0eef91","encryptions":[{"aad":"436f756e742d30","ciphertext":"9a9554da5d392323101ee79354383cae25ecffd9a0875aff11cfed13951fcedd97b2d8b541990d1d9eb39b24bd","nonce":"52500b00ea24ee9728327b5f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"072a00147eedf7a1b312fefc314c866ce54c21d0894da02335fc11f98c2b19d54f4b076b9ccd62288926b39bb3","nonce":"52500b00ea24ee9728327b5e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"000d88f58aebb04d8c9ca7dcd0f59c8b922347a80427850253c046d53a8d3f780fb25d6c5f4047a01e8d22bfb7
","nonce":"52500b00ea24ee9728327b5d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"38af9bd74a0486607b4b4fac1e1d0fd9beb09128083bf312c9257d615a59cc2d3291d11905ce7d10c61142a439","nonce":"52500b00ea24ee9728327b5c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"a851eaea82c6dd23e5912cbd13c5bb86929456dbe2f7ae359be9174bd557976d13e6c7e926c2d2d066c5e85433","nonce":"52500b00ea24ee9728327b5b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"f98c651da01f9d273dfe253db217f5883fa4826bf2f5e34a3027d0494afce180676ddf694bd0f705bbce684fc4","nonce":"52500b00ea24ee9728327b5a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"1e8a05edcd031fd0e80df12efed749e31f13d72bdab5d24f245d9eaba170a66ff74b13c3ca0ccec0198903f713","nonce":"52500b00ea24ee9728327b59","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"5c1843931d73965be023d10851c032f813ff2c607869aea4c78982b5910a0d2a7c8d690f7bdab96e132d0b77ec","nonce":"52500b00ea24ee9728327b58","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"aca346c9e189b0329e8f9d958cbb042a5e6ef84ef1b419b9d6d3d0d2cb92106d435b43cfc73f32933647cb0d7c","nonce":"52500b00ea24ee9728327b57","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"8ca1fdf23cf5e679bf20c59f1ac013c301a3d0f970666e0310d1d33712d7efba047a3d525db45f09d4d3e8bcec","nonce":"52500b00ea24ee9728327b56","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"c8f52e5bcda758ea4109e5ac85f5c1255706d5fa7beed858db62efcf35a8709d"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportVal
ue":"e925c3b9e73c43ddcf1177e57de286cceab7fd8f579b5894503209a8bd7d30ba"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"2b7e006f3094fa095d5643cb298fd51d805270b0127bc685cfd917b05f0279f5"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"bb3b7c9363bc963c2070400f9df43ecd46a00953063ab41efe5b95162cd6bd2e"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"6ede32ba79460d1b7fc6aace32368a2545a9c0c39a7f173c9c00768b9829fbdd"}]},{"mode":1,"kem_id":32,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"6b3e07772c90acefa97a55f1e52f6be31581ea90a5831f9223cd32788bc960cc","ikmE":"1ab1c208b999101186cb7cf194acebb85ca9240cecb47aff48d2d000310ce055","skRm":"e390d7128a73e50e57670511105f5247e06af75b9e1823e9f2addb6855ce27c1","skEm":"a60eaa98e34695504b8b28e9d802a94ef6c788e3a595d208095b3540ff32fbac","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"6bcad6ee1e1556a6c07ebf1504272423eb30e2f83d1e5889cdac4118b5b29835","pkEm":"261342646c84833899f89c9cc87abdc0fb22c9a40c1d1916ed85996ac6c8f87d","enc":"261342646c84833899f89c9cc87abdc0fb22c9a40c1d1916ed85996ac6c8f87d","shared_secret":"76fa55022c88a843266c4a4c0c76c16b508412a70474ee0d752d2dd73ac3f068","key_schedule_context":"01cddfe8b4ed085e2b4002297e05afcff4ae6445808c8eb83f9ef2763cba52d437a974f5a5e370599012940ebfed83b55d4bb710b881047b358a55652632d79dcfd1f338b4ee3c11acb9f9ecf121b7abf51f3d4fd5ca25e3e2de759a045362b4ceef829302d5f995565f048acc778d39d87f8e0a7ce313d662df9b5784ce8018b5","secret":"0b4a4277f454e44bfe221816edb7682b325c2b5712558261bde5f16779d53253b61c8d83147f2aef83c035cbbbbc9e7ee7c9d70e2a33c0be723c054cf1ace4b4","key":"3f36961b6335c99853d32f1bdfe3320a3c7f175466c3ed389856798e8fa20543","base_nonce":"8a87522faae38e2f56f98d19","exporter_secret":"8c3580cf7f701c6bb0fc4fc011450a25273e354caa788f9437b84448ad2011fc48371a1ac1764924f8dad22c2b8ce957b737f532d1900a38e243d7c79079252f","e
ncryptions":[{"aad":"436f756e742d30","ciphertext":"014023aad5e03b19c0a6ad12edc416394ef4d266eee48cc7ebf608e9ead30abcdf1bb3bce7a2d05ff7616ed5bc","nonce":"8a87522faae38e2f56f98d19","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"7a11551b7b3384e326ff428ead4b69646238d99ba1f241cd5dc8db679e80c7ef9a42fecaa3f3f9c717bcb6632c","nonce":"8a87522faae38e2f56f98d18","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"3c1cbdc75e8e04c8f69bf0a483a9bb8561ef950b995b3a6a1d5427ed93a3f32cb5bd1189847c9cfbd015aa891b","nonce":"8a87522faae38e2f56f98d1b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"7e24f5372d9cd3e0107215f771f08a1a4e0038a0bd006259777f4b34031863d87efe9e4abe621c3a30a65fa1ee","nonce":"8a87522faae38e2f56f98d1a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"1881c36111e597dc3644aabba0a89c3e9cee16e0731181ebf265bd0106abd659fb21644b9e72068afadb26ba24","nonce":"8a87522faae38e2f56f98d1d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"7693df8131b301e5306bbb21eecf612692b69fee616a98a1c86484ece7280b178f1bd192f62ac67043e9cc90a8","nonce":"8a87522faae38e2f56f98d1c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"fbe05f5e9fac35f7481151bc9f3be91ba1aa4cfcca673071b60d86f3455a856819228cc96c45268db8e5414c5b","nonce":"8a87522faae38e2f56f98d1f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"1af9ede9625cd8381c2b65410d8b875adfb8d4953ab871da8f2d5993b8b81b47fe39058eade33e969e7dc9ba32","nonce":"8a87522faae38e2f56f98d1e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"086d0a3a8236e5278d0cae8f5e9f5d462c7ab
6d3b9e18b799b28594f9827af39e9d6d90e27bcffaa67d9b39203","nonce":"8a87522faae38e2f56f98d11","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"4b34fbb8d1f801d88fc154255a9574577907792b9814ddc60c5b431ad0d7ff7de7d1993f17d4c4684a45cc0c6a","nonce":"8a87522faae38e2f56f98d10","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"e00d965cb0b4d9e5c3252d49363679189e77511d95a0a1f977fb114b2c72895a"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"5e95799e6a866c41eac43e0304bc34f01894aad9f203f4d5b08e57217f54de68"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"e471843fc7af838fabd95a181fe151f2f160ec4f9318be190ddd06969f26b349"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"30a63047304364056dceb2628863e5f342b9c40b1b62e6cf40801f8d0b5b8ab3"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"a2b2f5fa1a915ba5ce6a69be9d25fd2166e49a313671c98fa0cfd206c0ab9520"}]},{"mode":2,"kem_id":32,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"58f1be80aa431db468ab7cecb69684b193ba5cff9a3c3c8a9dd9cfe9065c3ade","ikmS":"d5a950ec8eae85fb1b2e67d20fa9f6239ad1d39c0eaf4df7c37761f48686cc36","ikmE":"57a700d21d1cb5ac88bbc53905e1d3e869407d4b3002d38d5a15a0e3316acca6","skRm":"4b03c556225a4af2e1c46bde2401a19ac415020c3bd1200113237ca4892a13db","skSm":"7ec176ba85e89eee0294da347234508663c567fe2b69412a3ad99995e7405676","skEm":"393e3fff0e6f09b6e323bad78bd4e94d2ede2f529e0723832817f7b5a8e3146a","pkRm":"3f586791abc9ba3a9ccfb6dadaeee0fdb1b4552fbc2708647a33a39a1f647106","pkSm":"e2aadfe8d59d20aa9e85fcdcfd048e0d491afa8fced9436622123e430eb6b626","pkEm":"ef6141a8231b3cdac24899249cc58a40c8f6d6450251c10429a9829d63f68104","enc":"ef6141a8231b3cdac24899249cc58a40c8f6d6450251c10429a9829d63f68104","shared_secret":"2773d27e3fa0395e6473d1a7a4053d9ecd2cb8b573
e99ba174771a956cc397b6","key_schedule_context":"0298dddbe3fd1c4cbc3b010a8095fdfd46fac8b3a4d738edba4742761184b45fe93611cc8da1c43143a89d62e7a69daed11b8acc134ba396b5c5bd8fcaccfb0492d1f338b4ee3c11acb9f9ecf121b7abf51f3d4fd5ca25e3e2de759a045362b4ceef829302d5f995565f048acc778d39d87f8e0a7ce313d662df9b5784ce8018b5","secret":"416c26ec5f42160cc2eca2a6eb707811c551801221735074e69531f4fff24191236f41a3649e749a8b9869b389208eaf504cdb6ccba498b3fd87a076403ee061","key":"71e304ff9e35c1f6efa13ea3ab89d8d0bb81457d5a8f8db3b4b0a84bc4a6c703","base_nonce":"7caa778ae0149d3e3d31b127","exporter_secret":"167eda8ed2475cd73c5d2a27ee624d6b58843d791c76f62021798decc986bc461c43244e58daf4a08205ff34d8fb2f1db5491d865fef89aa206fd48f340a505a","encryptions":[{"aad":"436f756e742d30","ciphertext":"fd6367aac26ed510e65811aab83009cdc57c510bbcddcd7a9c8d866dd968592a7b80897dea2f456c53a77c94e6","nonce":"7caa778ae0149d3e3d31b127","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"3425a39a6deb0b0c9f6ce9ffb13c576f641a4fb0e19a92704fa93feb84e6927f151c97a73567ebaddc83907050","nonce":"7caa778ae0149d3e3d31b126","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"d7df1c4ebeb273491b448d62f0d9144d72f8499ff4cd94dd7e1d847041c43ca57ad00f39b50e07de1cde00549d","nonce":"7caa778ae0149d3e3d31b125","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"2f9986c6c80e038ad0dbfa4aed05adfdfc16eb36eca09f9430fa10d0283ff035f0c14b0234808541c29c28ff72","nonce":"7caa778ae0149d3e3d31b124","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"a24ed69327b2bfc03cd09e2d478c00c9f3140ac2710c6c0a239407dca9b1fa5d348155a4c541e4dd7f0d9a7d9f","nonce":"7caa778ae0149d3e3d31b123","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"cd5e92fbcc3622f2bafbac4c368b370b523f522cbe
f1a63cd7b8b6df8a33f06c478327f1ddb3747946fd450780","nonce":"7caa778ae0149d3e3d31b122","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"3f7711755ad0d1c46d008b06f1c59eac50fa87bc064f14fd81b2ebdde35fd3ca35e9689bc2177fe00224f0e6db","nonce":"7caa778ae0149d3e3d31b121","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"856d3998287b665dc33fde7b26dac34f5d5e74576d1714829c5b6fd362d8a9df0a4289d23790339c3e5566bdd6","nonce":"7caa778ae0149d3e3d31b120","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"b397bcf47847ef77ed3a8dcd38e254074a966726614a8994bf9ba9d7f9abde5e6144365ede56c51f17fb8ae108","nonce":"7caa778ae0149d3e3d31b12f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"5d43fcdf1fb80278ff274e7d498c8f3f1084b835ffd3950907b9dc49f3f8c942e9aa4b22a873cae1f1eb0f5625","nonce":"7caa778ae0149d3e3d31b12e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"34a92366e572263d813a1827f6706b839ad737d783b5767deef9f83afb1236cd"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"c88b4e0acaf4f9411d01c07fb2422178b490e620552b5f26ba433c8f82c44183"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"9b3e12569214a4ec6fa50c90e564a9ec10ceb6777458be38ca190fc9d13d6c57"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"e2b9f8fbc0a4bb7fb54e0f0cbada408653edd46f3faf25a7bd88e4899693cc2b"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"3d66f4133875cf617daf67b1eca8263c6fd16765acc8e8872af40d1f7e855e9e"}]},{"mode":3,"kem_id":32,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"d0ba8792add1e1090ed7790a61a566c0d31654e683505cbebf2aab54ce10f323","ikmS":"844c
68b3f610cd7e1c8eb5e979b4a2c0a53061b5dc92fc6c9b22ea619d0577fe","ikmE":"68fb0c64d18dafdd3003867f8ddf404b75fc34ad3ee8f1becb90eb1e29d9c806","skRm":"5f4fbcc383621b28c0c5b800ef5fec7ac08cc4de661cfb081082575f8a10696e","skSm":"65c744dd2a9d3c04a4a2d2876db77319e9697c14cd76376677d97523e5f12d12","skEm":"817e46cf8466189dc80c12bf8b193a01482b43ea7395e2f91147aa72e9aaa8fc","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"aa50ddf8938c32655668b4bf0cf03b9145a503addf5c9811509b57ba580beb00","pkSm":"d240879e72693a61bc1a4017fb1fdd3f1907a58fac44a3959b0c440d09f3526f","pkEm":"60ed84ff90b03b4c0bd343977c911a419a74613a9c5a41e5ba8c6f373b87c92c","enc":"60ed84ff90b03b4c0bd343977c911a419a74613a9c5a41e5ba8c6f373b87c92c","shared_secret":"171b6d93b83f90be76a623fdfb69393848724ccb03570c9490c964ce695b2ef9","key_schedule_context":"03cddfe8b4ed085e2b4002297e05afcff4ae6445808c8eb83f9ef2763cba52d437a974f5a5e370599012940ebfed83b55d4bb710b881047b358a55652632d79dcfd1f338b4ee3c11acb9f9ecf121b7abf51f3d4fd5ca25e3e2de759a045362b4ceef829302d5f995565f048acc778d39d87f8e0a7ce313d662df9b5784ce8018b5","secret":"4f30723d8bdafbd9148f5c39e09555fe3ceab494e44a446a4ef646b264e9e00ac18d7a197be4e6cbcb2d7bd31456e8404e30fac2f914a3cb0b1ab32e67e357de","key":"cec78f94f7d3a6acde96aa5a0fb7a1c5a65b72b11e29114e058612e8258b19ee","base_nonce":"eefe2a6f9d8721e706e816aa","exporter_secret":"114da86c841a425fd0d92d1b29e7d6bf3564f43deec98c3adc33d25208d1d8ad8ea178a0632d974188439f2e594e281bb34420d403e2fa8e951daacfc54c2e66","encryptions":[{"aad":"436f756e742d30","ciphertext":"62e65bb500c25ab33877f51f5b5eee65b3abfcb8fc1cfc77477879e3f6af608ef0a3dd9da776037d913207492c","nonce":"eefe2a6f9d8721e706e816aa","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"78a8736067869efc68ba90c2fa9b36a83347112ac051870a2dd04f5c6e076c9f07283c0bfed8a4026a83d78fb9","nonce":"eefe2a6f9d8721e706e816ab","plaintext":"42656175747920697
32074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"72194a91917f6206c1053fec39fd18a19e4defd2b4815a9e05e0593ed8b3650e5666865647820a52bf41c848cc","nonce":"eefe2a6f9d8721e706e816a8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"f5fc8f4f11b4a00d558655cca3a4b1649f3648e66e5c6f531e877d9e0cbf7d0fa5ab1880f1765c364379e539ec","nonce":"eefe2a6f9d8721e706e816a9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"197a4d4ccce06e708f50dded07d7f7dd05e08a1f8b34e5539c1ac1a28c05f106dc5f01803bf85914a2f23adb73","nonce":"eefe2a6f9d8721e706e816ae","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"1ce7109124c731e92f90042b79acf38ae069a6f1ea1db22bc825762350a8653d542321aad636fcbe0956258c58","nonce":"eefe2a6f9d8721e706e816af","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"113fe717a566f25aa06b28abceba8759839fe107551ef793b92d91263c62a0f46f2c76613810329ef5949aec3d","nonce":"eefe2a6f9d8721e706e816ac","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"881f0ace6fe6148832fd80bdc6803675da716ebd09c60d2f30c1cf6d22457c305bb733497a756cbbbb5f6b1ff7","nonce":"eefe2a6f9d8721e706e816ad","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"d847ee4c040fc41265654d310461e87bb12c82294551ee1abc14a498460511be62ff3fe4fe3f4471f31f40b507","nonce":"eefe2a6f9d8721e706e816a2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"b28f5f7f7eabe1fa2ae256133fae63c66f73c848aefba0967e0c8eacde0dc1204951f39456a57caef313dc246f","nonce":"eefe2a6f9d8721e706e816a3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e74657874
2d30","exportLength":32,"exportValue":"7615c5b3baca23804f9c95ec49c8026702a1af2fcdb131703a3dd8ee759f9e23"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"3bf72cd4dd5a0bd4c956eed0ad15dda2ad1a65b463e97abf0b14919c74488ed1"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"00c4f2e5efd77b24ea9c5ef1c3b8fa55f18a170650a68b80c9658fe5df84ed5a"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"cef635d418972e79b67545c2afe6c86b66700ce2498d1f643f38c24ceabcb27c"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"ef677cf45e9ead1c32c0898b74393b09e8588b3259afd07bda130f749b68ba17"}]},{"mode":1,"kem_id":33,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"081d6b9cc31ae4556ce6dfb31d3f458a78fe002af91df10359496698e70bf40571ed5a3298dc63384208fd66827a81f3343ae1a47e94c866","ikmE":"124e65676961b6dd208bede450c1664522ae382f254a99cfd081043281376288451d185d9c4e31d16b87e2a4e1954ac176482aeed60ef1b6","skRm":"65791972998b7deeac3901853f8ad60aea52b9215d78fd645fb198e86c734eef9d9330b844b4ee0e9f7b951ca59eaeba9d3904e06fa31750","skEm":"c288b1182b2fe2dc4c2abaf5eb7a97ac3c04549c200de7e3690824e06286b2fece8f561e65136d66eb77e01cb8fe49ea653fc22313a10842","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"6271dc82a11ada775d8e6ee3177acb59f49647aa52728a0c6227f59721d04006a99cc9c9ab4506d4c12e71d1f05c1370329aa306d367ea9d","pkEm":"60b7ca7d8419fd386eb641b6abc5ee4db3b0b772eb8099288816c74c3273268ea1ff15906a8e5b103793ca1798cfd2400ad53e852ce5b92d","enc":"60b7ca7d8419fd386eb641b6abc5ee4db3b0b772eb8099288816c74c3273268ea1ff15906a8e5b103793ca1798cfd2400ad53e852ce5b92d","shared_secret":"05cb1cafe9eed693cbf7c913ec648185502fd96b025f23056d1b69517637562358a22219b2b19373624f037a94a3f20fe1738cfc5e6503f0e938af3c7dfd888c","key_schedule_context":"0104da3938cf23bee85c3bf2903b6f903ac152e003b37bde60c1524a32bf4950c7f076ac072f72b57a7020f47bff
902cea62b17933f5ff258f50be80513a6d825f","secret":"951f11951f95158a4bf94f9117e356ba4cc257a78a949eb4a321d9368e6587e5","key":"328a95d66bd70745c5511298944e5672","base_nonce":"d05920446ccfae2fd51cdbd3","exporter_secret":"2df6488c36984514d1f959e1e21e62c13645f2af943cce106631569981ee6f52","encryptions":[{"aad":"436f756e742d30","ciphertext":"a23676450a315535ed4f48517ed5ade113db4991fb9fbf2ebbb745e5e69466e8b45422619af3767ceba8412463","nonce":"d05920446ccfae2fd51cdbd3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"b952514cb40637df46daaadb92bc6ff261aeb50c33c650f79f9e243ea22d56a064e32849cbd8e6e74c4d1d8834","nonce":"d05920446ccfae2fd51cdbd2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"6926e20bdf1fee038ae5ec3cdb05817fb68950585aba06d5794e1b674d31ed84bacefd43e2fe96167b7900e578","nonce":"d05920446ccfae2fd51cdbd1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"fc83c8d724ae88919811db8d48179b5ace42dc02c0576aff430bb4b6f0571245950a635958798e70cb9ac50233","nonce":"d05920446ccfae2fd51cdbd0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"6a53feac23a82e2711fd93a9591bd756927b0c8d91d95b353cf97e7b82fa680206f0a97f7f0b9e92439e28eaaa","nonce":"d05920446ccfae2fd51cdbd7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"01c7bce1d19f5e9f5a75232ee13c7beef50776904c47c950567accb3e792f6694a745189d2652b78aa5dbddf8f","nonce":"d05920446ccfae2fd51cdbd6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"d0b6c15441ee148d27d1ee8c2d06ef0a2363935ca8305703692860bccfa0a3d044520795b3d514d4de953e921c","nonce":"d05920446ccfae2fd51cdbd5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphe
rtext":"d047b70bffd1c547ff0f4402fba1873dd06266ea86220c194ee9713c179a7b8f7270eac7415de4cc943761616e","nonce":"d05920446ccfae2fd51cdbd4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"189df632c2b9aaa411006219f94b86a2c7dab87752b28142cedd769a36ac3f8463ae8ae15a65f61da3d6f08b17","nonce":"d05920446ccfae2fd51cdbdb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"b00081a555dae0ea3ca2eb1876364881d87f59ed014d13039dc77e9e59eb38c8b30078ec6b599695684d914573","nonce":"d05920446ccfae2fd51cdbda","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"c9ba5ef0215db870a22fd8b066fc3dfca4ad4390d22cece10b87607f95da9cc2"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"57c8c3f5fe35056560b7cdce705355dbf528bab7530ab78b34e2471d464c52bf"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"6472ddfd0978ad6855b9697e33cbc2605b442a9cb8e63a45308a85fee26f1947"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"392ed9b8ac2f1cbd66188681e6abaa17e18222dd5ad553c6242add468be75cae"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"224a36f546ba9fd7e3f855e26e01b6cfb5ecfafc4742f7d1e13a4631a80971e0"}]},{"mode":2,"kem_id":33,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"d29e03eb9726ada13f157f707f680b41aad3ec1d332739d9f5760aa180aaa2ca5f0f9ff8b31d8f5fb0749af87047c7916f2466bf26db6b9c","ikmS":"72fbcce906f8f5e3fb51da28930f98b7b5ba33ed96a08e1d3179eb0a0cd540e98f2ec666773d381d2a89bde19cd61bb379cfeab6e10919e9","ikmE":"dd72f3b97a6c6a1804b907f8f5ef920bbc17268eb1d31d57d74cb6a4453fd24fe2f5e80700ad77c24819c5fe9061f52394e7e1d88dc2f52f","skRm":"e7163f77248dcc141425298017d139f82b2bd155abcc47ab1fd6c004b8f37e0de6dcd66d133a804afda2f88b06ab815c1c0b6b47c9a11bfb","skSm":"df99add9f70833e95e
3d89f93f7beba042fdc515c57efc099cb26faa6b44f51ca6af11ce778601e771ea3ad315cbad9356f6c9af22c7665d","skEm":"5bbdc37f82d8e1cf23886e837259b7f5674b0286bc66eca353d61e96f112b75fe04dd20f388617aa48fc0dd1628ceddbb420d648919f6381","pkRm":"c75d01f5a8879c27448db1c287e6097fedf5aa808610061cdf1b72c9bcb6bef0ddeefa192a4f2c3c96d05e750d45f8b1c5e1ec2e0c08ecf8","pkSm":"21eb2d5c49869b13597f61c13e3392d7c75fb0d6d136529a5a51d8cf59a3516f2543372e4d57e27988f1950f852f506ce7f3ce6e00be911f","pkEm":"6eab43ee452cff826911b7dae63e28bade5fa9a07495989e1bb00e97552311b8dc51b48bf06200a3bdde4c321d8b99fab309a229973bd5e4","enc":"6eab43ee452cff826911b7dae63e28bade5fa9a07495989e1bb00e97552311b8dc51b48bf06200a3bdde4c321d8b99fab309a229973bd5e4","shared_secret":"f2c01f8ca6eab07e4ebd6d5c512a150f651e840095ddd7849aaa9656b0acb3f19aac260739cd7415cc0766dba2db37c6158dec1aae614d0d1f7cd8867cb91700","key_schedule_context":"021a9777662c34c2b582efd36b1d07e4d5f3682111728464fcfc1620be20c7992af076ac072f72b57a7020f47bff902cea62b17933f5ff258f50be80513a6d825f","secret":"67966375c87394396360552cdb0caa82f00396544772d86d0f1632d876a72ecf","key":"5a055d8e2dbf74818c8a72feab2456f7","base_nonce":"1d71575dc51c0a097b4f3695","exporter_secret":"90f7cd60c4fb6a1452cacca48ca0010835f36dec3cd079dd81e7f80d3b491687","encryptions":[{"aad":"436f756e742d30","ciphertext":"3d534eed6ff41dfe272fae9439bb7fa5be1068f17f29e3bc253696a1ac5fecee4e26f261905096bee34bf371f1","nonce":"1d71575dc51c0a097b4f3695","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"8e9c7965333607220199361f5ac6aee3384bc3b15e4525f8f06a912d6db54750f3e71106197b2354fa8bbe6b16","nonce":"1d71575dc51c0a097b4f3694","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"4525f754bbd0f2a8d5a125e107ab26be2a995cff5986e78f64b613c81797e4fe6ab171ca05669a7568ec187458","nonce":"1d71575dc51c0a097b4f3697","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e74
2d33","ciphertext":"ad63f283ca19f57b101c16c4b54f3d41831acd0ba30bc56b111a624571769d7e83b3e6912ece48e8c5ee93a6c4","nonce":"1d71575dc51c0a097b4f3696","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"ba96594c838f3b4cd6f11464b1fb556413ecd52bde4f40a67822e04a70f2df52010c36f6aaba6466e61304cff1","nonce":"1d71575dc51c0a097b4f3691","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"2f6a7e5ac398c4ec5c61954f22129ef27665e93f71e2470ef143196f9e9f42e6054b8ab1a1fac0195a05aac4a9","nonce":"1d71575dc51c0a097b4f3690","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"23372d2b346226954369e50128defc4063c5c296d42fed31e12ae0d1f4c8722ba4f3b35f04da1141c3a07f660e","nonce":"1d71575dc51c0a097b4f3693","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"36bdaa20d9c61f6176763f8265daab1d77b43742046014dc308e2d743d261e1e499497033a70a713477b3c21cb","nonce":"1d71575dc51c0a097b4f3692","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"f33c0d11af1dd9b36db275773284d1db9213e4f58ab90d16bfdca4730ee786bd9de16f7dd4cad888ed1f59ce03","nonce":"1d71575dc51c0a097b4f369d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"ca72704b4b5b4928bad35f4486bebe843d4929aa1e21fc2d3f07bfc40f8de9246ba9c5b1d7d43abc2fe5e62535","nonce":"1d71575dc51c0a097b4f369c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"0a6f7ce3b1cb3a21ba0c553906f054ab48be2401d09eb5b39d4cbb599b3e9cca"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"593f6394b27f264d467ad4c3b160aa89a59765160be3c1287cf2f7743a15daa7"},{"exportContext":"436f6e746578742d32","exportLength":32,"
exportValue":"8b29b96770292cabf63cbc7ec0feb6f16252461276865905776679ddb59df74c"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"c057a982e93107961ab571b5e9c41709605ff46a21ba0d5660b2d2c105314279"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"5e9400ba939aaf07c99838233468c57ae12f9d3d3c0d243e0d49436e0fd66115"}]},{"mode":3,"kem_id":33,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"ad869ebc6449aeb65bc9c8888beb68b2ce8c88f9b3526d6cba55d56e89e04df0feced5abb53f736f3a276782237db026cbdb180afb50dd4d","ikmS":"d4a36e908de3a466f7ab6d5a096a36714310d516b4c2745822b9ba40d8f8f1394630b70220865593b415daea24f64a1d5b37c6381ab60c03","ikmE":"b33f7a11818e60a32edd4c6f9916682a72cee592b0322021fa9226d8f51f044d3383391096d690c7b585b4ab168936cf02972d60e63c7587","skRm":"3f121398badf76afcd4ed81095cce76ce3410b1112d2d1589a4fbcba43647be648ade034d5fdebb150295a3cab7487fc788b30bf66e5a69f","skSm":"c858b1d0670e7df5f0d89853353aeea141f6f242f38adddee40e98a90ba5798e714d32a9925dfd898365d88950b9c01fedb82cce90fe6ea9","skEm":"7ada63a1df7224c607cc4f6b525774235777601848ef109e13986344fa7d3999d8ebff1a5944cad24afb0fabba9936c4693efb0d31d38d5d","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"f8a3a1fc17026d7efc7f8da88243d908fff56326b54942abb75275ffa3b129b68e4b6adecd060fc0bc194eff82265a6e9e1af1c530cde187","pkSm":"512655225ff22367ad408e2fb11e944fe420973d7be93f67cb96d170dd509ed5a93bd5eda1353997a4e9d9692be1644b89e50aaa981153ca","pkEm":"1b0011b9739b2e166b450f370225e5b080cd6e88e39fc66acc89d1e3876c175e2980bb76577c191bd967aaa5a880f0fc5937207999e84302","enc":"1b0011b9739b2e166b450f370225e5b080cd6e88e39fc66acc89d1e3876c175e2980bb76577c191bd967aaa5a880f0fc5937207999e84302","shared_secret":"1b9da06198f6a31aeddeb433980dd89ae397cde81fa31c1bd7d69f5e5037ba531e64641491662cd647ea9bf0385b403d390aedf801d4944f5aa1946a2aadfaf5","key_schedule_context":"0304da3938cf23bee85c3bf2903
b6f903ac152e003b37bde60c1524a32bf4950c7f076ac072f72b57a7020f47bff902cea62b17933f5ff258f50be80513a6d825f","secret":"a4f51ca33560ea2354c11bf46a0c4f7145f7ab568a342061d60c0df1c5a3e82a","key":"2e75302beae8a758e04851820dbbef4b","base_nonce":"654fb7ad0fac7e4473c2f1c9","exporter_secret":"e4e8cf375ba52aae4e5cbfeea46e8636b0d44fb1303df23b90f75d39097152ca","encryptions":[{"aad":"436f756e742d30","ciphertext":"5f90c9a4063a6d62cf8a7476726032a9203312d78342ad166d05ca423c7d8197a8deb75911d4b036947a0a3d33","nonce":"654fb7ad0fac7e4473c2f1c9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"734fd796e3e80a48213960a122453ae49644c772c3763731313f8cc83e9e76e80b80a10499dba60dce7678f533","nonce":"654fb7ad0fac7e4473c2f1c8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"0c0d456150743055554dea1b3a85a42e16e6554bbc89ac447f0c99b0796b6a147e30decc74dac41dc700b49356","nonce":"654fb7ad0fac7e4473c2f1cb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"79d4d4d038bb98e17bf06cf5117341aebe1753d34834fef9fb171ee6e32e1273fec1b78fe766ce7cac2b194d33","nonce":"654fb7ad0fac7e4473c2f1ca","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"6988d98ee1d6f523a976f47c1f92fc9df79b8da6f5e6cc90372d0ad247974b769fa3ca680e3f56443c9ab940e0","nonce":"654fb7ad0fac7e4473c2f1cd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"2057955205f0d655552a39cfebb9cffca023aa7d531590d75286c4d21541a23aa01ae33ffd486c46253b2e5252","nonce":"654fb7ad0fac7e4473c2f1cc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"debf15a6d68151c21148f7ed4cb559d60f46577265819aeeb0e71a974060fb3d966c954f6e76824e8db70c29e5","nonce":"654fb7ad0fac7e4473c2f1cf","plaintext":"42656175747920697320747275
74682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"e4108f844d7b5e290e1fe89da10059edfbba46a219c66f56114eeb4b6f2f8482b8370086fd92507b1837ab33fb","nonce":"654fb7ad0fac7e4473c2f1ce","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"1ae267d5d9c87c7013172486a8ef4199284d45bd81a140cc5674f16ba7a9b45a577beb477d3bfb713052d2a2f0","nonce":"654fb7ad0fac7e4473c2f1c1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"4466697a8a31cc27acec8f6176b30702db3b21306c1d407b590787bc305209bf773e304d88edc7af19e18a82e9","nonce":"654fb7ad0fac7e4473c2f1c0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"363ea11172126dd4689c527b0acd9210a05d2a59bce6bc09af31ba712125afe9"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"000cfe2e5be4d4d43d9b7b71acdb43e7fa4f2f81bb3f4f97e8a1b491e6df50c2"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"06348a5a2a735e5fa6391993d122136f2ebb35705fa9c376417a9fb96bcf7f4a"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"c5ad8b71a3b4b800a4a122305657e14dad0661fd561a82629438dfd9728c6ed1"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"df76093bf5a46bdac4efad4675460322af3dfebaba49a368e55f1032ab0901b0"}]},{"mode":0,"kem_id":33,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"2251c78b25cf66e724142788666fb65cdea2204c242fd6a249063e71381dfc4afcc38525fce5d6b75db2f51c372666e5b93fddfdb413839b","ikmE":"bd0204ac7bf1f27ba261d1a2506fe5bea7dccbde81d8b1752c3e2f22842a3a919e0daf98d41d072e977b01b524089a715c9144d964422b2b","skRm":"0d162932d0532f2c297a918ec504fcfcceab6b743fa099c94c790ff1458683d7e5b12e6dd044ae4ad9d30faca69bbd76c1d092150d0cf33c","skEm":"901cfd1940a88cbc72a2f82ff3f0c4f71cf55e2e50beefaa7a09c21fb5bf0655dcfc45a3db2
367d2610d9c44ca85777a56360719b11176d4","pkRm":"23febae6369924bf0509f14a599d26f4e8a21f5f310b8aaae69c0e94f9442d74d834f7af5ccbb9bd27177e14921176570c04276af22c5884","pkEm":"fc94f660846ee68e6a29709589ba90d76d8a5d047ad3ca4bf051d6eaf84898d873601573b08e5ac38f4ccba7887ad8651178212dfe8606b4","enc":"fc94f660846ee68e6a29709589ba90d76d8a5d047ad3ca4bf051d6eaf84898d873601573b08e5ac38f4ccba7887ad8651178212dfe8606b4","shared_secret":"f3954a6c7e439d252cce05fd2f3cc506b5a66d5eb2df3d7b5d3bb487bffe3b3bc6a1ebce890b545081cca0d76fb0a4042668eff99977ffbfc41763a70a5ed388","key_schedule_context":"001a9777662c34c2b582efd36b1d07e4d5f3682111728464fcfc1620be20c7992af076ac072f72b57a7020f47bff902cea62b17933f5ff258f50be80513a6d825f","secret":"42a7f586e01932361b852d5ffa8dce28f81ff4e058b5bc7df32275f0011638db","key":"7aab869ffb35291ac8c03ce07090f322","base_nonce":"68aa71be0116fb759233951d","exporter_secret":"02c99126e7b1902f9c8ea1f315eb9ff492bf41503383fda8041bdcad4d0ca433","encryptions":[{"aad":"436f756e742d30","ciphertext":"1fc6bcb3254f648191680b156341304588cec5eb5d82f6f86b330a142dad78a8b2806784fa48a5de8231b893b8","nonce":"68aa71be0116fb759233951d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"3be85554698845afd3658c9c7d93ec793e6b9b57e6118140fa85c0e6840ba3dc56ee0edf9c65d01b5f41b9ba56","nonce":"68aa71be0116fb759233951c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"285e3fac32506c77eb4705715d746ad77245ab8e46e3ffe43ba8b163bbe0e16950f17b1e579add303bd1b1861f","nonce":"68aa71be0116fb759233951f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"bb0b30b42cd34be851d203a8b584ea897be88461ea242bc157ef065028266ba389e1b470bedc2f6df710ebe7a2","nonce":"68aa71be0116fb759233951e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"d7aacad5a2a9280be244b1f51e99e106b7360e2ea5
74c2cd0027703c4596f3e2dfecddd679aeb895517fe7337e","nonce":"68aa71be0116fb7592339519","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"2b0e2569e70f068d548240900877f0858d742afe69b5464ef14b370123a0e5d172b22b1e5ca1133eddee3b5a83","nonce":"68aa71be0116fb7592339518","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"04508d62c04c749c1c7b81a90837bc6060eafd3c25bfa431545122ec32482e940a95a19fa55ddc2ca4766ff080","nonce":"68aa71be0116fb759233951b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"e48df6ae0d0a3fbb7afe0a42280b0d0662b1d7bc08588c179d0c8ae131d90e2c0b09c827971cfcd6c70b6e3d70","nonce":"68aa71be0116fb759233951a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"e31d04010fd0746a3e0b8d15255cd37580db877afa06ae3ed0d20b72e5eb739d8e5798ba010206c6dac5e9a12b","nonce":"68aa71be0116fb7592339515","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"f1cd154148e364f9485aad23974fe54e020da3905b6346866cd8f312ac53dd32c90fcbb63f23fb2a50bf66d78c","nonce":"68aa71be0116fb7592339514","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"9624d16c6e13b21c5b4a11af3851f88d07eddf9cf4169829be957f1e551f1633"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"48dd0873681dcf7174534ca488faaecfba4a89f5e18bb6d6c55d6d35e9a47f3b"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"0faeff6a2bd5608b693665e2f2a47fb7a624638fe57a6eceb35bf476e76527ea"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"b89bd6bcf05ecc17e6c685259a322f9742580835892e8553ffc511d909c351f6"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"59bb086f0db
b64a0ea2f00bfa0a4bcf2f8454c018c42194a338aa0f2eac548d6"}]},{"mode":2,"kem_id":33,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"94ef75acb9f3ae1748a18aa3e3338727407933b0c48b02e1e43ea47cc43626f0eb07b365ce9e69343abf9445a580db587e54183438d276cc","ikmS":"8bd378f702a6ad5e15d8ff02d275d1e984b35871e5d52b5a4d65f66b50dc7e83fd4992b5a33bcff6ac1bdb110372f6d51bd35a9ab1146c98","ikmE":"31e3ffb59450e7cc4786ee69cff473856d6200b40ee2436bcd8e6e8f46fc382e190e987dec0be3c2672c206037932282c257b122763f7021","skRm":"a2f8b377a78ff0a6b3323a24f17b8b2a8ec8b58a3c265449e571bbaab23b345bf144d9900e6da9331a7e83b779f44a254727576835ec822a","skSm":"3d62b24ea1f1dd1278e4c40bf514b211941fd9d2834cbe232ab0d223e31ce5f8c8582f1babe7396aa802a665e4f1c92feab7bc3659174326","skEm":"d05c158f562d7d350860740d4e3d807c468774ca569a986c56f108fba2632e09b930af0a1a58ee8625b8b90ddb30b076feb031fd4bd0d4ce","pkRm":"cb85dd291cc44e1daef76b4b12c3eb558daf07bc7dcf2178793b5edd90ea9c725122f476c7bb80a66036246f4e917e9bd9a17d30c82612cd","pkSm":"7735de11da6036eff62a60970e30e00ec58247e9a465c6f9d63e3c2b94c27b49bddc0917179dee0c3eca7b7826aaa731a6078af6df284b1f","pkEm":"e1a59074fb504e8e6f380e10310537a80251e5dc45f82aaa6ba2afeeba09180fed019bb1b0bfd2226ade8f12fcf21d3f9832c90d7154c85e","enc":"e1a59074fb504e8e6f380e10310537a80251e5dc45f82aaa6ba2afeeba09180fed019bb1b0bfd2226ade8f12fcf21d3f9832c90d7154c85e","shared_secret":"c0b32547e9adfdfe3a0060a8fb71838bfa30ff5543467bab26e8ad45c627ba8759d5d258609a9d3fec82b45defb0ca5d1058a26ea324db1340448ab5da52462a","key_schedule_context":"02d737cf3cd16911a2fc854cc0e2074a36e9bbe2a30ea168f53d6ec11cea9588f7188b3606fa74c6dc67ccb1bab3f8f1ad8d916b99c262b2f612a0e1eadf1fa0d3","secret":"c3f13807f164c8d297c17d9bebc136946b097a3d74713979d714834f0df5af31","key":"1dadbcc9364658cb1d3c7b10ed64723a56aabb8ccece8c3e1339685a2c5ce272","base_nonce":"e4c787425a11ee60af083f5d","exporter_secret":"41a5fb2084f80d0adabd4f148ccc291aff7d28e96005284858b662d17ebd524a","encryptions":[{"aad":"436f756e742d30","ciphertext"
:"c3e8c820538c4bee3918d5467fb88d6b887f477a117037922d235afd23dbaf8a6dc9f582c29ad1948dd4095927","nonce":"e4c787425a11ee60af083f5d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"641bb32e23e3f9b7fcd56f577d499e8ccb15ecb0814a4d09e10319ee641e4ecf860d92fcd56992a4e492a77725","nonce":"e4c787425a11ee60af083f5c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"db752effac2f656e0686b7a8752e42138a864b7dd07eeab586cfc0317e63965c9147af000cfed49db0741a75bc","nonce":"e4c787425a11ee60af083f5f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"c099136a70b53f2f372073dc2bea7c57e0b72cd8b0e5504de451fe0ee0f5821a06a5260f95e1bdde9ac27291fc","nonce":"e4c787425a11ee60af083f5e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"814f81ca651a310179e12ee147f3ab09ff69f5d2145cc784815fe636b72807773c61d2d6dcb8c66448a459e5d2","nonce":"e4c787425a11ee60af083f59","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"d48ebab64513db88c0e8210da578692ce1d8935b0a6d2ff9622858da3b38c2e5ebbe465d2db767a4ede7687118","nonce":"e4c787425a11ee60af083f58","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"105b6cea39d25104fc7a462127a6dc23b29f66c16d72a3c2122f46c0a97528d4849a59fea1fa44163e2dc0def7","nonce":"e4c787425a11ee60af083f5b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"e4b26d21f41bea3e2f8a85713d266abe2faf6f9a69cb94a9cb7d4c775c565fbac043f2525b9fce9f07768779ce","nonce":"e4c787425a11ee60af083f5a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"ff1990aeb15e1de9bfb41018e36069ccb6a60fff920246c48aa51a2b0d8c63a4989b069c0b27281a476265
92b4","nonce":"e4c787425a11ee60af083f55","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"de918ef6e7a01c3c7eea7bfa3f645c85fcd5ef22c36139b0388763971403b9cc202b0602058d28d9a3b9f4821c","nonce":"e4c787425a11ee60af083f54","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"086029a650baddd18d1f49ed4f3b4ff6f2f87381defbad454e94d17f75e7811f"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"396687c501009e827f9669d6118fe3d578abf2f5d5fb773048c0607960ce7f53"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"dab9a740835c4332bf3391a3cd75ba86ef5f138c4fb38e824bcc70005c8949ba"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"4aef8417f20d8adfc97d816a7738f95648c2ea5ec737380a09d67f82022fa708"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"6256d993ba1fadbf89206948e2844549cf9e500743fbc00b8d5815ec6bb0ff54"}]},{"mode":3,"kem_id":33,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"67386b829c73eb43c8c2d4ace55730202a28811aa454fa6c7ff24f541a14dfc0c128d6a82f105373634a2ff06df1ac9319622dd900b1ff45","ikmS":"c421235ba4bac277abcb85177d2ec661f71661522eaded361e1b15702022599cbb1c8500c2a8c68821de95925e3ad137e34db1d4c6765d9a","ikmE":"8ec926cfe440ee9500467097d4961795593ac22119073f5e9164e685259606217e81f6ca0c17c9c7311f782c7a60fb4c1dc2a12c659c2b23","skRm":"1bacdf8776e72b9d9f8f0c0e267a816f3329241cc815411182627233875de4006c1265f160a165f73cadb7cce6251f48785d868a879011e4","skSm":"035287a258a85d91879ef40b663a42d437a36ec80725675020bad336fe2e7ae80fd12b9cd12522d8a1bc22ca0ac6033b366c5603d3093ace","skEm":"81a1eb37cb192e46051ae6574d6404026431142c4530c6eed19179db4b3c2f6f9a47906260f74ffd9305ac3f4a9a7047f050ed37a1d7154a","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e
204d6f726961","pkRm":"2afb873daf2ca126de5de587f8b69f93652374aa2c0e3659431802eccf707b6740fc18a6da03e9b162b0bec3aa562c8394710423aa193deb","pkSm":"c1304949e4e1df9957a889af71a762d4db88263e9567dcee1e5a260b76e240afdecc1c40be505dda61813f215f7eb212bd1e1d0a7f4f5db7","pkEm":"b1e0702cc3525c3f46407d8924968d98fb07019b8f18a122d6e572fd4f17795bc22be844b28fd7fa7880635de7725d699295391b70a86f93","enc":"b1e0702cc3525c3f46407d8924968d98fb07019b8f18a122d6e572fd4f17795bc22be844b28fd7fa7880635de7725d699295391b70a86f93","shared_secret":"cee5dd8aa41fbca24ce1841dcbbcd79d1b805bbaa830cb29938022be3246785bd3488779a68970e4bcdff3b8d613622983e94bea43e3d6bf88537073b0318b12","key_schedule_context":"03fc1fe46b921b2552fb089128ffaaf0e4b7b632bae1c536b45e4fb97f06fc400d188b3606fa74c6dc67ccb1bab3f8f1ad8d916b99c262b2f612a0e1eadf1fa0d3","secret":"a43200f3e5a1a957647c446368c97c34d8b3381aa8e256db4ae0bd6cd7af4e48","key":"3995bfdf4c647c0381da93e7883e7c210b01c47debec0168ff851dda147687ae","base_nonce":"5478c50cd07485601f1eb6a1","exporter_secret":"1d520b5bbfbd355b77b07b72bc2f4b9a71989ebea325e28105dd5b1d7b340fbe","encryptions":[{"aad":"436f756e742d30","ciphertext":"69f2f12bd1613f77e7c79d86b7f954317df8d891ad50ffbedc64f4d5f9a14a543b2817f5b0b1ada2a9c0aae66b","nonce":"5478c50cd07485601f1eb6a1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"e73d9759010c10c57865e80ea6d87ecd27c74f092df6d93fdd2b6cfc8c4f640e9b955afa7c575edaa6cd2f2a46","nonce":"5478c50cd07485601f1eb6a0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"81eceb113f934e1538c0749a7d9dea0da7267a48206f402a0b3238d1fa26d21c4824ba957583ce882ed1b5ad96","nonce":"5478c50cd07485601f1eb6a3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"6f09ccd192fd86f8001aea9b5545b6846af830aa1acdebb43dc0587cfac0b1609412c5b07744753f8d125dc7da","nonce":"5478c50cd07485601f1eb6a2","plaintext":"426561757479
2069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"6b037ba2efc8cb0d2f08e9db807183bfbb544a2b17dd9220d7e895b089588af1e3395a906946cd3ce6fb1be49f","nonce":"5478c50cd07485601f1eb6a5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"65267543bd8f82273dc3102af18c58810f341ad0512c91dd5976e2e72d8eed5032b8a7e0105d13e69586250ad8","nonce":"5478c50cd07485601f1eb6a4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"2cfa6789b462b236fa8ad2421e75e422933aeb8698830280947996affc7e61fbbce611cf291baebe5bdab66bdf","nonce":"5478c50cd07485601f1eb6a7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"8e993db72613c619ca2c7d4248efbd7a322af521317f2961a823b48ee6c9a70eccdf83b16212522b6635a82120","nonce":"5478c50cd07485601f1eb6a6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"19c05dc56a9168d286e52dea1563a7bd271d2b5e5b194c7d89e1bb02329cd3db726c6261dc5244cc6032d44c28","nonce":"5478c50cd07485601f1eb6a9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"b9605990051b2a3af4ebc90f2a173e2481ef8796b6ebe542cf315f0196edacc20b25acfcacae8fb4414345f4b2","nonce":"5478c50cd07485601f1eb6a8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"68b3e3cd64e25005605ad5da7484a75386496134bd5f40bd08b56da3ce5ca1ed"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"b352b8fe23c154f01a73bc8d8a3f8edffdc41b97ccf38ff16a7e12e1213ac3b3"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"77d0b7e293d92fbd144934d41f7a4ade93e2fb93fac859c3d59c57159fb7eca4"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"c8bdcb88ab2bf311b536
e0acaf7b71e6a3df9e5237863a30947198c3da98ba51"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"3b11aa13388818913eab1637a9d870b552e6341dd123b733b8766bdc19d4b9f7"}]},{"mode":0,"kem_id":33,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"9e2200a1c21e0d6eacb68d4cd41defedb5b69a7a661176339138ba0453908a0f0f549a6a6f9ddccba0224cf5b9eaf9f537cc987beb8c6736","ikmE":"b33d70dcc8644cc100a865afb97fdfe894a1abd47d3db555cd5941c93df9380b1ea4dfa621145ecd6258af07f68fa26940cd751519302593","skRm":"307d08c2671075b9b2dd0351f1ad9e939deeb765eb7c90e126f8b80948bc125c6cdcd0e36052ce4732c992a6334e5227fbebcc0d29cfc60e","skEm":"38cd61678a76a56fa5dcfc099b45e25250f60f4755728dabdb8d6ccd908a942bd6a2065fc47b8a252df3ca0fa857970e293282a00694ddd2","pkRm":"bda795d2c4c430b4ebe8b63914b29325af2391ef77e44ef3ad9a4af0bae5928ac38f05c37deaa6f409d6dde170b228b21d8703ff4a486015","pkEm":"3957dbad73b8840bbad422aa393d8a34a30ab43d64fc217258e8d67c5b0061606ff57464cd5e1890ce379864def80e64439417b7e4360e5a","enc":"3957dbad73b8840bbad422aa393d8a34a30ab43d64fc217258e8d67c5b0061606ff57464cd5e1890ce379864def80e64439417b7e4360e5a","shared_secret":"dcfd5d326cad595f0d2ce6424c7ce28c60cb41288b92be6e7c9223dc2ea28a897f94cf41a9d44b94fa57cf26e543fd92297da9e407d9c208d96051984feedb8f","key_schedule_context":"00d737cf3cd16911a2fc854cc0e2074a36e9bbe2a30ea168f53d6ec11cea9588f7188b3606fa74c6dc67ccb1bab3f8f1ad8d916b99c262b2f612a0e1eadf1fa0d3","secret":"9717b0fb9c420d1e7207462e4031fe2f30d6315c1f5b286142d8c0633869b3cc","key":"38f89bb984b737c109e0d7b2f6f2128adf7f36282d4ebb514b5c9f0e0bd5c235","base_nonce":"2ddd146977ad2300301f2e46","exporter_secret":"bf41aaa2072913ec03895c66102a1b039e9105a989d0559e5dd7381181659e14","encryptions":[{"aad":"436f756e742d30","ciphertext":"444bcc250483c3c407558a45f9f83c49e441975e01321595aa2b6cc820249a902c1283e2d1484be3163ff41ebc","nonce":"2ddd146977ad2300301f2e46","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertex
t":"aceca74bd0555674365e6a21719a0fb0baaccbc873f54bc7ac74544d76544fc26e54d5b3190836062cfd98b9c1","nonce":"2ddd146977ad2300301f2e47","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"5fd9c778fd836b968e18027414bac89c77a40465ee6b01cabdebb0781df270cfbb2469bb2a41f93e682e3ba761","nonce":"2ddd146977ad2300301f2e44","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"226b48fe5780f6e9fbf754ae99fade005c84ce212769e8ce15c8108e52fd9625efc7fead35d727cc6ed84c3353","nonce":"2ddd146977ad2300301f2e45","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"b54de2ea75f549a6e626a78674e00fffad6b8705ada4d5277d452d5fffb315bf4ea7e819bae3d76c7919994dfc","nonce":"2ddd146977ad2300301f2e42","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"873e110aac9a2cefc709e3b2690fd6bf6af71d235065f5d948cb4c567245433ff8cc2d1e6153cb68d2d52004b8","nonce":"2ddd146977ad2300301f2e43","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"319b21b376a4e066b2e398cb11c0e1665394271dfdfecf56d9ecd1c32bbe9f794b27b1ef67a4f0d5e49cd2175b","nonce":"2ddd146977ad2300301f2e40","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"32f990f60b0cf588d4d8217d3137dae1ffc1f7958db4e760784fcb1e7127769b313aac1d8f8fb391eefbb7dcee","nonce":"2ddd146977ad2300301f2e41","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"eb34f805afd62dc8cfbdd87ac60ad7537de9bafca583a486de6711c0abeca3cb3ed04993a215ed078a761d6069","nonce":"2ddd146977ad2300301f2e4e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"29eed18f94b302fae1b270b9afe6abb0a4e9ff6646264b5847d36e3bf64c21f05da858486788bced8ae0
f5e9b6","nonce":"2ddd146977ad2300301f2e4f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"d205ea279efc698d06dfa9da671336841ba23e0ea3d992253598265eae39576e"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"b1498397b0121c59c1136132a82c78d2794f0e3a008969908c0838454b6c238b"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"2a4a0d74e6bcab0f7e94d498d50ff704da057ec46a9ab467a9968ae2d72207a4"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"47e76a0837d0e6d3eb3aa240bad435784cc92239acf21efe3e5938566873b744"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"8a44b2f800da9f442f172323f323f81812bbb166767e581d1b571d8a4590d6ef"}]},{"mode":1,"kem_id":33,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"faaa42dd3791a8d6d417da9b71d3d32e1e28f07ad703079f76de619e5dabb2fc0546eabd2244e766b34ba318a7c2c6d6a3536be20b29744d","ikmE":"1658c1530eceb711331f6694626fff4e815fafb780f155ee0f2280085d1230c964c2bed4d76dc3aa91ad8ebc411d5948760b180a1ee17cca","skRm":"8bcc2e38c28d99264f0656a2f56e65f7e8b215a0578dd5f32c880ebebbdf0c42f6a9bc12cff075bfdae578fe1de5b364b725a64f81361643","skEm":"7acb11a38b021d00e25e7ebeb89344daa446acf406739f5de8ec3589d9bc75100f0846e21201332fd122322f68798cd4c8345d07ad55d6f7","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"64ac4bc9c28dcbf54571753fbc0688073fab0cb38c4b6a83153a2601dd7816907c3487926257427ceeeccd649bbd06c174bce55e677d1c81","pkEm":"d1a5f24a6dbb0b54b481a75578cdfe2ca70d722239ff740cb0118a910ad158a9ba1d15613e7b79f5f37d2fd14de807c594622d80921a7c0f","enc":"d1a5f24a6dbb0b54b481a75578cdfe2ca70d722239ff740cb0118a910ad158a9ba1d15613e7b79f5f37d2fd14de807c594622d80921a7c0f","shared_secret":"afdbe99b4fcc353ff62eee92912762402e927bb042e427590b4f56a3ca57a4ed2c1375da225632038e8dd
4f5df4e33a276e2d5ce6ea11a60780972fa2952e126","key_schedule_context":"01fc1fe46b921b2552fb089128ffaaf0e4b7b632bae1c536b45e4fb97f06fc400d188b3606fa74c6dc67ccb1bab3f8f1ad8d916b99c262b2f612a0e1eadf1fa0d3","secret":"7ff3b56f9b8a7e5b96f33f90f8766d3d6591118ddad21fcaf4e6f6a97c07e694","key":"7dd54f9fe0ff637cd16da1e6d8c930bccd34e01da822a6bf940f440fba8015b9","base_nonce":"92cf6d5f965f849733aa4d09","exporter_secret":"097bafac138f1c08bf6368a2bfce63a3c8510c9425e34e7bbf26a053c2494d8c","encryptions":[{"aad":"436f756e742d30","ciphertext":"56cbf686e40054bc465cd3540c31bd6545275e6a52c76389c9234c9f6d2e19d84e4dfb5617580a9f60a08e7468","nonce":"92cf6d5f965f849733aa4d09","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"1788f5379094a97a9196cb98279a49ccaad3cfd9641f494be3370684e4c5d11baa24bc41fec960dc19ffb361a1","nonce":"92cf6d5f965f849733aa4d08","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"4e42c1cb5677380c15b72b5a958b8c1a336bcd8024acdb259298179ddca4d20c48b605fb08893c88500015a713","nonce":"92cf6d5f965f849733aa4d0b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"a5ac5cb06151c687cae43317705d382a31a3c2107002bf033f5590f5a4a873a6c9929842cb5c7e48841a3e8c9e","nonce":"92cf6d5f965f849733aa4d0a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"32a72f4a7be996fea5aa39251e6d89cef41901abbb150f61cb0961d489e6bc90d0a25bbc0b1e9ae56b91da07ce","nonce":"92cf6d5f965f849733aa4d0d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"f296cbfbdb13f3ee357ed5eaacf70dc79a641be249188b57ecad2db36f8c0b71b97e0a51eb86f0e501b6bbf03d","nonce":"92cf6d5f965f849733aa4d0c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"09680a99b7bad83611f00055f96c21f829c8d7
59945bd2d3ad3d818f190e4c6302aaf6a3996b805d0926dcb2ab","nonce":"92cf6d5f965f849733aa4d0f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"6c0c83b581f656d86fdd12aaf523f203abdd31698bdc9db610cd2c9fc3fab293f5664af153761012f7036b695c","nonce":"92cf6d5f965f849733aa4d0e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"0badf1898d70cfec0cdb1e2524b269d5d74a9e3ef78f48c9da64d2d44e55a92d976fdbde0ee7f093e353e3b5d0","nonce":"92cf6d5f965f849733aa4d01","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"41c912b8f81e47f13834f741bd85394edffec60c4eeb4c28c5928f2cee47a275bac7d279d3a532f74c9d133058","nonce":"92cf6d5f965f849733aa4d00","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"2f503a74840ad8c3eca3ab0dc173bbb9c42c538a74db19b75ef4b2d7a9d1de72"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"57dd49fe533e68c0efd2d42529d675ee3027e685c0bdba08fe8e2ceaab495a31"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"8ddb5c4db0d7e422bf16c45b4339250bd8504ef901a9f71881c000c6dee5650c"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"6e8f465204d09c7151bd6188960ab23468f6b543881ad5c6f9a7cd65678b45ed"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"d240515e6a702c1e855eb6895caee11e2de780b014b45f33222f2544e698427a"}]},{"mode":3,"kem_id":33,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"e06ade43d089f368b33461fb797ad4f5939158aa41409c9f74da41791714bcc1b958cb3689ceed0ff56f7d1d6773beeb6d266b45ea982fc1","ikmS":"e6b47dcc1ee1a4a6bfb4fb9772cb82a1ec863e2018f671426b4f9e880e449b56725ed8b0f2e73fe07bddf2a9baf1acd1545e04fa6ace9881","ikmE":"79264835776b088f944c2f7ef390714411f2c5e221a2352ce35157621264288efd096
e3ed097b0c22e92cd8044bbc0a272b09eb0c9e3ef9a","skRm":"ec9da4fa2b24cbd8f548359897abc395329555bbad3b27b9b82edcc0f35300832eedf5d2da5882e1e8e310096932754bcff44cebb9025efd","skSm":"08548ed4b6b8055b24407b42d052c312c0a7e35dd7c0ff6d82b22efaba129a1a22aba234f11463978a4008f9e2309896fae8b0bfe1a6ef42","skEm":"1d082de2c89715c5afafbc10542f748fae8cff520eca0165880796eede4166fe45dee7c990fe8d585b29b62039691ad6d8858090e1d1dfa1","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"f3dccefe31881660192d12627533ee712d6dd21a0d28a5aec790e76c32b3b1cf6a195e3ec71177d0418027a80ff8df0aa30a1685121df2ad","pkSm":"21e222ca48e630e0ce1b5cfc9d5adb8e2a85dff2c88f7a32930969f31c062451dd4829a80a99e6fe26f18cb08f6c5ce6ec55453e3b2ec64a","pkEm":"08352cb377f4bd1e4e8658ad33b648a5aba4836a9c8c3f77559d5b73bfbf1052b47cb6849dc497650ad427839a327d8397bfd0d8d59e5265","enc":"08352cb377f4bd1e4e8658ad33b648a5aba4836a9c8c3f77559d5b73bfbf1052b47cb6849dc497650ad427839a327d8397bfd0d8d59e5265","shared_secret":"fbc4f4f7a8b09dcfc6d870c1a4ab7fd9f74ec244a00702435432951b7ddaf537cbefdc3a093afc052854cf0f8b9b94bf40daa9c5637abe07174aef3738c5de99","key_schedule_context":"03a894f0513767458c74cb8040e86482178077ef698df4443a4dc48a67b71acfe5472fb7c66187213ac6b247bb86d991edca04cae8363ebb23f3cae1b8f0bab85e","secret":"ad85247ed19fd34ce1d7be18a0c01c49b4cb338975cfb89b7094238cd2335244","key":"966d630c729c82acd8ba9c337d0f311d5214e395b7c42c63268865908cc0aa46","base_nonce":"a3ff9418ecbe612ed5568545","exporter_secret":"d330c784cb1f618392f4648bf86d3798968a32762c9fc1772bbd05e0bd46c04f","encryptions":[{"aad":"436f756e742d30","ciphertext":"0e285f5b80f1c5235e284b21df877a5a0b1811e72c749307edce040cf737c2bd7616da030b330d359e555df565","nonce":"a3ff9418ecbe612ed5568545","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"f9d01b6c35feab091b15ea6d24a9240cca66ea9f0f584a6d7c1813172e3a508f5ca6fb1fd8306b1e7e8f34e5ae","nonce":"a3f
f9418ecbe612ed5568544","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"61f8395fbedf95c961f3d2e6e54ff9ab91b98bfca6ef8ca1240e08c793e9b1d3de03384fd3b79e8b5418649fdf","nonce":"a3ff9418ecbe612ed5568547","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"aa6afd82daa102d4065a44439479d0d1af7ad88f4306dde235e49cf6bd6cb91c125b7d90ffc3f68d2c507319ac","nonce":"a3ff9418ecbe612ed5568546","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"c625dff83219eb508ff34682c784a52dec9c6d6da1504fcef4467628f438de8cbf95ddd68a0c96da4ee2517a73","nonce":"a3ff9418ecbe612ed5568541","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"8a35fcd23239ea54105e5753080f3fff87ba748ced004d9ffef3abe2790985387d140b34569257a12e062b91b0","nonce":"a3ff9418ecbe612ed5568540","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"c2cde39f3f35eff3545c73ca845dae8388b7bad1c38cffa85f3a0c52e1225d7963094aff4d8ad35a4a58e184bb","nonce":"a3ff9418ecbe612ed5568543","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"4fba8d7c594e4f8e61a9d2634561dcd60ccdac1e8e502998affc8e759bb7e11e4b340100c51648bfda7eb32eef","nonce":"a3ff9418ecbe612ed5568542","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"71a5813e2d750ee9b1b694ab7241d8af4e01b3f42e7a20cac281da8389f3d943cfd49251b765e136a695aad3e2","nonce":"a3ff9418ecbe612ed556854d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"7eb79d95fe879afb93bde68d9abf4edaa231e49ce61c7e5dfa6618d537a1512f0df0b68add91806084172b3aee","nonce":"a3ff9418ecbe612ed556854c","plaintext":"4265617574792069732074727574682c20747275746820626561
757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"65317b023f597130ec05bc1b6c6a02b2cd38257f12f4f99f918d9c9f625a5a75"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"aff2879c348991bd648e65adc91c4155933e7680e9152a1d6021950536364f4d"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"e8d1c3d1b1271a7998091457da8e7ec297d01f460fc63ed49fe59dc942e5df00"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"c0125402f752b98c0df32d9c9fc7d549c4ab55fad7eda59ac83c8dc59f97e276"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"311284ab431fbe4f3dc0e36206f9569c9d9c4570c495239634b1ee77f9a18d41"}]},{"mode":0,"kem_id":33,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"d1851908e34cce4362089631a3f385a4a3d63b24c642f80d63f98e63e73be09d107fec23dc256e18ea207a9c85a1c990ae015dc13b1bcd61","ikmE":"a5b5768deee27b76bc51db24cdea8760317fda170d74c7c5c4e0a5ae6fdad0c47724e0d06d978f7b0bc343ac4a5c8fd324fd4cc8b0f0b881","skRm":"1f74d380196c08bb752189bf1e3ec7b3d025c781ce271253b5728da24b5af8974384afe943c00f328b283e0a9794598e13a539aba1206d3e","skEm":"6cdd5c86d489b28d3cb6d45a951fede0bae403b631d9629b686f4524a1c7c2e3018bf306756ceadef56ce549d19894147ce4e25fd35aad38","pkRm":"f8ee8546e0c41b0cc202fbec570a8e7404912ae809aa2bb842868dff0ce1f09da1522f480844a16285d1384cf4adb37014632ae2d2a5461f","pkEm":"fb81d5b44cdd40938d510fe6bdccc0990ddeaf4718289dc59a29700a5cc0decd6d700f3c74f0cb497bf29390cbfebeeb81f15e881b454ef1","enc":"fb81d5b44cdd40938d510fe6bdccc0990ddeaf4718289dc59a29700a5cc0decd6d700f3c74f0cb497bf29390cbfebeeb81f15e881b454ef1","shared_secret":"f83b54e952795ac4696572aa9033d28aaff291dbadf832a71b130b1e7d36a4fb497ba982d5b5f1664e1bb0c625e4ab4ae6d2c48fcefeb0ff0ad67bdfcd6241f7","key_schedule_context":"00f29a2a276aa29c0455b7c5b6b10b6020cf42efd0d19c359e1476b6a825d22ffb472fb7c66187213ac6b247bb86d991edca04cae8363ebb23f3cae1b8f0bab85e","secret":"322f77a7fc60beff9a33c880c7
15ac9270ac207a884fa030cd7c1ee852953c5b","key":"fd2a038d04da8a319e71cc643ffcc9f7a3ff38ab665c144ffaf97fddb01ba7dd","base_nonce":"6a9b70d955752e04402fe459","exporter_secret":"d7a1efc00efe33d72fa693e2ecd1b8513b6a015698ce57c990b256c61fb4fd36","encryptions":[{"aad":"436f756e742d30","ciphertext":"997e30b5bd2a2082c4b090173413f601145e417c414a9571028f118c06dfdcfb046f81c83ff096de77e60c7c1d","nonce":"6a9b70d955752e04402fe459","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"485e95794b987cc8ca8b1312dc65d2f0f194e1de1f520a2f1c2edbf5f94ab9606e01d8d5d3bf9252f4985e9f9c","nonce":"6a9b70d955752e04402fe458","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"7ca8e176797c29861bb9e71a7e43a01071782dabb218949741e6e6950efb6f5cc3bdc1c81c45e39afc12303476","nonce":"6a9b70d955752e04402fe45b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"9ca39f0af4780fc87fe493ef9e88633dc3af2ec6be37aa7b386d6d7e4cca4fc529cf9dba38a716d5f4c1d0ba24","nonce":"6a9b70d955752e04402fe45a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"1c8219e5c688b2d6c92d452ca18917c33632f7e8d44fd05af00a07f8c57e1367af834099beeb294192c44f9be2","nonce":"6a9b70d955752e04402fe45d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"141a4f82156abb4a61c3bfb5e70a305a18aa26e4abbad6660b0ad8e68ff4db47cbc039c2dfeab19c75c083352f","nonce":"6a9b70d955752e04402fe45c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"568711450e1c0164f658bae86ffa3caff45537f5a27d1cf739598605824c3da65f53901b4dda457fcb60f6ebb0","nonce":"6a9b70d955752e04402fe45f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"3ded71b17d6487ad20263241dfd8be4ae569
c820b39322d40a005957f35c587fa748d84a9b07e7411546c5ee97","nonce":"6a9b70d955752e04402fe45e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"1c7dbf6372170a0c3808c1a5d348bcb5cb7cfdac39d22b35fd92da9f1f8a786953c47cc9d545f2aaf1f493c34d","nonce":"6a9b70d955752e04402fe451","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"f50486c9e1f71b4400ed03e5bde1f8cc360bca4f3f9bacd4dce60354a24ff54af90d204aef492290af51e54474","nonce":"6a9b70d955752e04402fe450","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"249185e8fe8215877f4e9ff04eb929d38e0176f0a09c0167a379015088af12a4"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"4d0965f01411fd147e4460cc3f093e7e60b1798def360e4091c7a15b8e3c1992"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"1ca86bc9c373f7cf019863d2a29a22de5e99ee5d5a58613705a07ac94734b55b"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"33c964b361a4e9246f173242d0904112ce5042b815b68015c65b843e9cf81463"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"090d5b74b71f77abc895d2661c32cda6dd06b58ad53473775bd914ce907d7683"}]},{"mode":1,"kem_id":33,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"e650d8d5ae52aeb7d8e4ffe1001bdc3e30c28a9718c69799802dbd5e7a982968c56864701e5656c458c634fa3c9c17737f8acd7606023d25","ikmE":"c7dde495053add71ecc57d9ef1a789a859ed73a6645072bbf06264e5b93c27eaf1deb50d67b08c1c5babbbd29c8668d0cd3fe4d8fe939297","skRm":"04dadb1627cf4702430eadb25cf720122f83e9e10f2fc3c7da940d2579072b5087ca7a89a4a91f4dd0eb39600ed36ce76494afb6304c5935","skEm":"8a81e02b51d2000a27bfe51539189d241ad9bbf334af86f2e883b5e431a3f8dec8a8398e43c396672eabfb5b6c114d3b4345dcfd76ecf1ef","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b8
2","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"f355afb6fcba7020c4e85926b7be5632b9631d9f5099a364431a36a093e9c82ea35bb83c9d8990e839b6ce2d3765455bbdf14c97e5e9b049","pkEm":"50a61f8fddb9f4988ff468a5c30bbe2edf35d267c93b5dbb2c7b133fc5b23f339f19d37d7aa4a88c303cbfbff57b23d850bc3175bfc4844b","enc":"50a61f8fddb9f4988ff468a5c30bbe2edf35d267c93b5dbb2c7b133fc5b23f339f19d37d7aa4a88c303cbfbff57b23d850bc3175bfc4844b","shared_secret":"473245963fcfe33210a7318be8c4bfcece89996359388355a1e3b59539aa6e3a81012622691bdbdbd3090618f1cf87b9bc9f945166dc27be00d70f6ccb23189f","key_schedule_context":"01a894f0513767458c74cb8040e86482178077ef698df4443a4dc48a67b71acfe5472fb7c66187213ac6b247bb86d991edca04cae8363ebb23f3cae1b8f0bab85e","secret":"37ba1c197d84e200e5f58e511f08a1ae02e044d2468e7239020c33604cb07cdd","key":"b7f0ef6ca194da58ad0ab8286e4681dc4a36733e600b0fc4412e83fd8037072c","base_nonce":"3d2ef9719013f2c9ed6500fd","exporter_secret":"ab31d8f09c19abc5d7b845b1078705755f705d3c47783011682b79ebbed3c8c9","encryptions":[{"aad":"436f756e742d30","ciphertext":"9826f3726df52462295ec0936dfb6375fb88eb853ab3fcea46da36d042ae3918705e7b2444f8ea839d2dde5ec5","nonce":"3d2ef9719013f2c9ed6500fd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"9fd6e1e576d8c927808b1ff26ab3b89e83fdb09d3dfccedbfdb63e89d0d89d2939296722b655713f36aaf23bfc","nonce":"3d2ef9719013f2c9ed6500fc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"81e6cc65cc2d0581c8c50430abab4aebe6a0a5bf4309e8d18fda01e2a186a99e1d973841b66da4abcc78075c95","nonce":"3d2ef9719013f2c9ed6500ff","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"48ba582ced4cf4844c3de6543e14645af21514361a561f69da5ac0341b373e2c842b65c7322b77432496dbf9a4","nonce":"3d2ef9719013f2c9ed6500fe","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","cip
hertext":"5622b479dc0a39393d31de5a25cd92249e2e9118d2a8b4d10ca2f2f46aa01ceee0e11504b369533e343c764734","nonce":"3d2ef9719013f2c9ed6500f9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"bde5e4c88d7965c44b9c263ae3b4d9ad81d7e46d46c5e77d5eede44161e7a4bc4c9238a291f81c3bb1a74ba228","nonce":"3d2ef9719013f2c9ed6500f8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"2de6f9f31d8aa5367a288ff7e57dce782454dcf4f7b6b627183cb2a698547e05466a26ebdcba4bc8e91a4e0361","nonce":"3d2ef9719013f2c9ed6500fb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"02476bb6a922f0edd021160db18078b9a84027bec27b8314456fa9fb05f5ee587a57b11000cfb6d0781cfb5adb","nonce":"3d2ef9719013f2c9ed6500fa","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"5f9fa70a702964d6faf2fcbd192d2115dfc8dc0f9cf3c7dd88b96b67ee44e74af6edabd6303f0aafb12429e315","nonce":"3d2ef9719013f2c9ed6500f5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"726c42851d5840df26984b72672eae6e6e0aaf199067957faa87580be6fabe19754ced10f90920a077590b2030","nonce":"3d2ef9719013f2c9ed6500f4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"55c571d2fb693a30cf20e11ef8c0ee55f69827dd18d6b312357bddc028272533"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"b6f0c48409d114e02e584cdcd47d9e5870dd308af0be7eb43ede0b739e3d98ff"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"5169d37e78e332490457ee8d9626f61f2fb8934c4b651d6f7a010f077127bb4b"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"50b9ed29ea1ade01229c6f8ad2dcd983fe8c4bf4750a3a3f6e9b46bf5e5f0d76"},{"exportContext":"436f6e746578
742d34","exportLength":32,"exportValue":"a0c1b5e1e7b31edbdcd34a0455645cd38587963101e40d9bc651f609544f713b"}]},{"mode":2,"kem_id":33,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"600802de2534a260fc54c89a7d0cda42692d02e5340b1b4fb3a458c84b54c11dee20a4bd9f9b9f1484a78ef393f9c34062a30ef42637c021","ikmS":"331d7110c1f26623930804fb93baf76138587942725ad9409327e23468b79f6770c1358fd42f57d29b14ea682146c5e43d5b1cb0e985d2dd","ikmE":"8c3726fa7e5b2d850567029399f8ad47f8a6871b41f0ad1024c9025441a6103a07d34f6c16edde1f35bc2759b487d8f8bbfcaf220940052b","skRm":"03e19ccb4744bbdf62ea640c7404e2897300c2ebeb4acd9c1b17787fc4358309ce6bda21d63fe2b74e558c1d3dda205af85171a3776a45a0","skSm":"251de725d4e6cc212dbb8e687fbee34544cb23317fd02501940139d1cdd362f4fcfc1439b589749decb13097d90398fb100ee380adc1657b","skEm":"3666869290ed6783efe6d1b4a3b5fc6b5819465091ece04c3ddb9798e4096460bcfefeb27313bc2ab774a500f86aba0ae1697cfff8d219ff","pkRm":"3a59caaed032e92d6fab1019c87b2d264139e5da2498a6df264f96088d89d8a2f4af7e36ca041377be86c13116cac1cdc3fddf1774411238","pkSm":"dad64cfb09a717353de52019f0c3f71bb571b49c489d91969e4c948756c844d1c3a4db2492b61cb30bfcb8e9c285ae68d5fd721577cbaf00","pkEm":"8a0bdb418e02d70a3b8ac3cbf875dce01de4b53536e7424a17135ede3638938d532c82167c425a7df9541d0e603341fed7471658b25505f4","enc":"8a0bdb418e02d70a3b8ac3cbf875dce01de4b53536e7424a17135ede3638938d532c82167c425a7df9541d0e603341fed7471658b25505f4","shared_secret":"1a595f79553c03e701e07e400ea359b5f94ef54df6dcec8264a6c9b51839ca02479fe2bb8d4d9fc2695663f2323526a9763cea118b53bcf0de3dea71bb32c97d","key_schedule_context":"02f29a2a276aa29c0455b7c5b6b10b6020cf42efd0d19c359e1476b6a825d22ffb472fb7c66187213ac6b247bb86d991edca04cae8363ebb23f3cae1b8f0bab85e","secret":"cdd6b8540e0f183e4a5dcdea4a9f017bfcd31e9a1446510b880001d5316203ed","key":"71a12286fb863327c8b4a84900f38d419922e2c07cb2a7e04c5a8148c9376fba","base_nonce":"ae66e2cf8ee47554ea7eb3e5","exporter_secret":"d0504fe9be2c376ef4d6e752776f28f53f8f414347c747dd74c774f4ab849491"
,"encryptions":[{"aad":"436f756e742d30","ciphertext":"40812bfc018387d52f90cef243a0a833cce3e4146650c0c848b45441c2b02b6e32efe143ce1a3512a4f2a3fc05","nonce":"ae66e2cf8ee47554ea7eb3e5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"10cfd5bf2f851fdeb51aa9013f5ffb6e16f925152294de493a5f2fbea905a45dd5138775d10393cf99ea94cc20","nonce":"ae66e2cf8ee47554ea7eb3e4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"b5a4160d2a7459fa50c0c9333e610bd35836cafcf8012b9bb709a6806c563ede95a6b8215775354c7f7a413522","nonce":"ae66e2cf8ee47554ea7eb3e7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"f636145076d71a6dbb837c285efed74f554e9214f329344524a17e44b781a2a070223b4ca547373f30963810e1","nonce":"ae66e2cf8ee47554ea7eb3e6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"8a57eaa30faffaccf52622327c617a96ecfc36aa8319e51eefbb13bb2e884efaa7d459bc4fe96ff188325e4410","nonce":"ae66e2cf8ee47554ea7eb3e1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"960e51f2f331df6b54256e5b1845b546e3cf03b1038b52c22e9a3cc9dcaa4d6ca1d3f5a7b2851fd354403215db","nonce":"ae66e2cf8ee47554ea7eb3e0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"293e66b8cc28b7e1e76ade5a0548c6bf82c262a3d9ca6d0a97e678bcb35cb6597dc9779b43fe2f66393d6a6685","nonce":"ae66e2cf8ee47554ea7eb3e3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"4e6c98f547296e4aa074851ad61adae7c21600bf55666306f4d378c9aeb151f554089fcfbd53a66b809cb3ed9a","nonce":"ae66e2cf8ee47554ea7eb3e2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"41e421798608d464dff72897b4be1cc423
7859a8715d26da867697b6b9b55339e478f435f9b759ba8b97131997","nonce":"ae66e2cf8ee47554ea7eb3ed","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"d4a486c0a040bb975d69b5a5941c2427d1a58ead5b348b2b15228f9f1f08b09a159d1c78d0f064e2a581397845","nonce":"ae66e2cf8ee47554ea7eb3ec","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"0efd57a03752f30d3534101e930e6fbe8c6fea08de985c38810c82cb2f513c8a"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"0b47f417c57555823609f4c2d294d7663445fd85e9a61702332a4aafd19541f8"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"90e8611535f00a322dcdc92ddb155bebff2ba530d4b592b6e35f5d4f65af882d"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"a0cebc5e832837faa443d13dac77632765dad16e09e4e26031849baf1045366c"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"91d6f222cc6bc58876d552b7a9512af8b143b78d6712376deb36c697c9f5d73a"}]},{"mode":0,"kem_id":33,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"59b1762260fe599a30a3912f186daa961d59e5bc30705c6b07422e15042cccf3db246cabd4998352784c3ce08163e8cb2313e230d28a1641","ikmE":"73e9d8944e36414343487c0fb4b9c40a1e7acc17e2ca85d7ef4973a4a62608c8d096a1e729c27d856d75d1081f0a7e25a9c8ede16bdddae1","skRm":"a6b24c9d5c143f552237c8b6b6b97504e98342258539f0a8afdde21777e722ffb91fc6d030854b583b1aa7e8ed2a362b606d1c725b4ef24a","skEm":"c99390c12c563421198b75fc8b9bdae4df7adbfdf959a22ad48c344e6f008c7a7e8b6538657b07dbee5c06f511113f6a0fde72127ae5910a","pkRm":"94fed3ec8feaf00cbea94b26fdd2a8bb5531eaf6b095c84cc480c7af19613a5c5d6caca727d503741bbecd7d4f7882629e5367fb994c215b","pkEm":"2f1ef442a701ef0b0511ab35a403d98e18a368d62eecf6532405c90f7686a6fd04d0b93f1923eda0edc2d00e09b54b9d37f9fc08834d8125","enc":"2f1ef442a701ef0b0511ab35a403d98e18a368d62eecf6532405c90f
7686a6fd04d0b93f1923eda0edc2d00e09b54b9d37f9fc08834d8125","shared_secret":"4c20c4f37dbc885b18368ec2b0a17ffb08a967e1e6c1ddec06f863867f043de0c603354b60c69345f30ab64185e22bea83af95566e1c350d265f0897a7b50dfd","key_schedule_context":"004b5e11906b2f1848e8520a6aa315c44b870d2fe09bc563396953ded5038119660f67aa8b0686366018d84b95394880470c8001e78df6fd35d86044ccdd51aeafe2b7d113bf03e9997d6839f7054856607754c3ece11b4ad7eed4f5ae6b1d9652b5e47e7759d7e3a38887409e3d139d6e7fa5a55750e5e74016dedeb1bc5ad6bd","secret":"96bbd6fbe41e072049e53c19e52a1a9dde44ddf3c2203a679efef817f925d2cbbced0f677ee54fddbdbbc2322b12fea53524312b564a02efa8000b7b77354d27","key":"64e6434f30ca949d9bdcfd969489e344","base_nonce":"bf36a589b70169c89f5917d9","exporter_secret":"6f5220cb95a14e47304f5df4855df5664013f56d97726c94866eadeb2c3a2408c249b8011d1a385125e424ced37c2bde460191935908ad2004e12bdd3671ddbe","encryptions":[{"aad":"436f756e742d30","ciphertext":"bc3cf678e17bb413dc18cd3f7251b9fb329bc6881021b2b7582d4b957a8a050f8296c77f9369bfbc78646a028a","nonce":"bf36a589b70169c89f5917d9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"9d04b70ff266d56c9e7ea88e9e6d28b13c5a0faa2006a4134f3d7a6627aef7c66f85e0ea2e7a1f1633bb7e0949","nonce":"bf36a589b70169c89f5917d8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"1c507698b8035a08772ba2f8eab76489be8ca18cbf269956f5608c94be9dcb6e1fe05d79b3100d931581f3c666","nonce":"bf36a589b70169c89f5917db","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"64517378efc8d0ee238a251586b5ecd5d013862ef90dd688ebfcf8e9bfdcc563eb3bd0991d8552588a92d8b9e7","nonce":"bf36a589b70169c89f5917da","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"490e87a349bc933f7c884c50457b86ee53756baf4b7f8c6a4b6f16023ac8ea31c6fe36cefdc9df991e1683fc00","nonce":"bf36a589b70169c89f5917dd","plai
ntext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"22da5b4f9704ed7f6141cc8f609bbbe34e53c295474696c9ae241af21ab602cc4ba89a5fcf763513ac2f3c1db5","nonce":"bf36a589b70169c89f5917dc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"c83d9ec1d8e7ac9c1c153bce2c03bd6e21805acb101cd54f0ae5dee6571610d820ba5980a633f36b3027099a92","nonce":"bf36a589b70169c89f5917df","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"a06053e5f9d8c3c2ea65263706fe16980f2975b0a273e2e77077552df3eda4a8fd0e6ee385c14edb4898891c67","nonce":"bf36a589b70169c89f5917de","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"51a097f418114ea5cda21b0759310103197b048413f0591663d666b15af5616cb58bb5783627fb2168519cfd2a","nonce":"bf36a589b70169c89f5917d1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"5590378799907ffcecc8440255752a45650d74abf370c7e9c6f8c0a018efdefa2dc11d3fbf8a8d8f40200b2b71","nonce":"bf36a589b70169c89f5917d0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"824ed7c4a2c073c59c84a9f46a0c191a0f1b83728c55e54daa13c55e852ffe70"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"a5adf5b5ca2f33e0b7e34ce01a0c7d6d7be16374d2374464fb99a78681a937e6"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"b8594655ad6940690799552a84b831efb4bd7bf0027ecd7a15ab745d691ea177"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"b2535cd43a9373835a8da3cdeefa82dc20b9eb58b813f6ebae90e9cd109364ab"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"37cbdaf96495898756b04cc67cc461d4586622b2cf83f38c660ed7c4bf80be59"}]},{"mode":1,"kem_id":33,"kdf_id":3
,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"33c9b6ab765feec034c8046ad2dc3a0b351040e6aed5813b50f41728dc8faf3cc04f0c84b02637868e1e5abc129a9bf09229df5246f25650","ikmE":"959180f32a6def09ab93b6844b8da0fa821e423bc426d041e903d544b4e3c30224e99efee84f0a049681762a957fb6597872b312ee9b0cd0","skRm":"146485314924f8c8e0df88eabdaa3fa26d48738c0252df8bb58b341935809ee5ee596c51a2d7cf5ab3b9cd818b4cba5816468672a7e93a5c","skEm":"1bc1d36da513b6379aa983440317baffbbf6ee237d27e8e3520802065d76388a03d41cbdbbe93aa56bd4d338523567b1ec3a5116301e1034","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"f8a65c936ae7295e29c45dc13a7eb5b00a83d5d0b295ab57461d3fd77acc52cac1f3044d04a57d45b5afdb6eddcdaa54d4c77b30a3c82114","pkEm":"e281f088ac5d18c717564d752a0761c3867096628d7bc6a866d47f0850414284e2db0ccf7a2c53dfdba98f93fc26524d51f8351cc6bb6ea4","enc":"e281f088ac5d18c717564d752a0761c3867096628d7bc6a866d47f0850414284e2db0ccf7a2c53dfdba98f93fc26524d51f8351cc6bb6ea4","shared_secret":"56e8c712135055055ecdf0e6a57cdb9387506fe7ad4110dcbc4c76a0b018382809215872a699b7fe59e88ee07189ea4025b08d9f7493d4c9c063b622dbf1d392","key_schedule_context":"01bf2a4b8887c8a5aa0ffbc15b024a30215daea4c766dd11032f0fee7a2c8bedec91ffab4a16701aeb8003f5b62cd6c97fae41ad96b5a12f110508030cb6f146dce2b7d113bf03e9997d6839f7054856607754c3ece11b4ad7eed4f5ae6b1d9652b5e47e7759d7e3a38887409e3d139d6e7fa5a55750e5e74016dedeb1bc5ad6bd","secret":"c538570831149c0bf450de958045058bf6cf4a8e951daedefdbc1d84f8de44a1c681eae24233459a53fa7ade7a8ccbd33663410102df284b2c0c6b50dc4d0193","key":"7bfb435b2cea0e8320a2400fbd0714b2","base_nonce":"e4a6f42ae9c5bd54cecfa5be","exporter_secret":"18e19ddb57afaa3182cf211e12c4da6d3fd7ca764da5ebae1776b7947880b0e785e85e8f3caf257052aa8f775ea12a97cee756ffdfd9f7e8b443e46fcae38da4","encryptions":[{"aad":"436f756e742d30","ciphertext":"2bde4f6939fa413b78cc3fa6923db398e0c54a84f9acbdcc6e1763776b4275a0aa5064a0e8602a1e8e294fc7ce","nonce":"
e4a6f42ae9c5bd54cecfa5be","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"e6128b45bde9a1f0d91b1b9301ea0afd40eafd2d4950d9929688d2c8fb6f0103f42f7a3341e3a6bddaed282487","nonce":"e4a6f42ae9c5bd54cecfa5bf","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"f8c4f2064b42920e1007c6b80d3450f91da06ee7a7126cc02aab6e5a419be640c82f2e2137af3a332c9bdec0fa","nonce":"e4a6f42ae9c5bd54cecfa5bc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"c612f9afec11c825e5b0fd322f3763e7039ba43a7f943500d3c564093417af87130327a1f2b3bae933d4674af4","nonce":"e4a6f42ae9c5bd54cecfa5bd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"694de9ac0011f97d53e4c2439dbfc3439351cf544ce7cf534d5bc813953d55a160544777052fb8ac7d62d67239","nonce":"e4a6f42ae9c5bd54cecfa5ba","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"09086a3ffbca274442a02e5ddb79fadccec68829875b00670a2d5cfa2899e1b2fc27f248caf8484f6c7764975f","nonce":"e4a6f42ae9c5bd54cecfa5bb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"788006a7e61bd6e63a810f97089793e61ad134bc73af1c8a8eded214f5a292147d1576557a78a9a31df449743a","nonce":"e4a6f42ae9c5bd54cecfa5b8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"383154510bb22eb8cf87ac648779074cb397c6664762d1ee7f796fa5ce72e9346048898fd1f01273107c203d17","nonce":"e4a6f42ae9c5bd54cecfa5b9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"3f95fce391fbc6110079ea7cbfc18573561804cccf33a232a33f9b01f8475ca140938cebc00f669b98808f4286","nonce":"e4a6f42ae9c5bd54cecfa5b6","plaintext":"4265617574792069732074727574682c20747275746820626
561757479"},{"aad":"436f756e742d39","ciphertext":"6c9d0f1d4164caf9cc722037907b5b4b2328fa080278d5ff1582e05af150814391cf514fedbf8b05f4eacce664","nonce":"e4a6f42ae9c5bd54cecfa5b7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"a8e19abde9509e0a0e2b246e66f286573d0b7f762996474f76270be465f26065"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"a88dbd2c70f9fc14e7abe5230dcc0236b8a88e2ee0a1511f8b0cb8c02ebc90be"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"9a83839553a9100a26ca01f8ae376a233af9a592e61c48f6f0d72cc0b2416b08"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"7ca8299b27a0e76f49955ebddb6f53cec01b26da9e5a870e6c9ab87055ce0be8"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"aba2a47ab5679b3f5685aa3c91c93ac92bc7889f243e11bfd8aed5ee50777f77"}]},{"mode":2,"kem_id":33,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"20cf88eda7b9484dd5037ec8e64f3d563f81a0619cfeacdc919fb9ff2090d4ab8607161c9b00fc087a117f4f992917dd074c0dc3954aff44","ikmS":"fd9992e9c744c28d328f874f78f38e9f29ca43797b444c682d0d3ccda40a1f61d27ee5d883c188460295b7d26a4df91c24e6360fd9598ae2","ikmE":"9320a399a404efc700bdaa5d8345cbb0641d18f765b2018397ae321dca47202938eb3f402649b6456e4b90b307a4e7a732b83ddd065b6b8d","skRm":"c697e8b58324890fbcef11ea981bf505749d62b6a53af654c29c636675a9738a0b0434009d406457b796ff2b79f5308dd0ba05d80b936ca8","skSm":"c84da663d480db00fa19350b694f3f83b570f13a2a765c61696c7d7e5b31f2cb6bd73504b1181d673c084fcbfa52aeaf26b6cbcdbf32debc","skEm":"6c4947acc0cb16df7820b54810c084b9b2e10b49c08d6023cda791b07cc348b3e06412a1c7f7da47ccbfada15e291a92473b48979b09908a","pkRm":"36cbcdb3607188bacb7ef5296c9fae74e21112b1c38183243cf3ec5ff2888d52a6d5d52052998e8188323892526a5f1c4ba99fba4fe35e04","pkSm":"c13b9bdcf1e66cbfe542fe25e73104e1bce387c4a006c1d8495e82985a75b3639de0b5e3823b6049ffdc3f09
02a90c65ac56560ada0a6093","pkEm":"3e4bad425d624983c9ceaafbf4b610e517198250ef4211dd48a848c397f80270f0c96b062b9c00038fe7d8fed3144fee1f03bec663852aa0","enc":"3e4bad425d624983c9ceaafbf4b610e517198250ef4211dd48a848c397f80270f0c96b062b9c00038fe7d8fed3144fee1f03bec663852aa0","shared_secret":"b25ad6d2f79cad2d3f42ef6650eca278f1354d145bd3c8da110aeaa6efb3f5fe2d9aabd7eaab2dfd1cca067d44174aa7d1e92d38ed79783f0cf56c8b91785f45","key_schedule_context":"024b5e11906b2f1848e8520a6aa315c44b870d2fe09bc563396953ded5038119660f67aa8b0686366018d84b95394880470c8001e78df6fd35d86044ccdd51aeafe2b7d113bf03e9997d6839f7054856607754c3ece11b4ad7eed4f5ae6b1d9652b5e47e7759d7e3a38887409e3d139d6e7fa5a55750e5e74016dedeb1bc5ad6bd","secret":"46800b940cd26b651f52dd79db05a6bcb9cefb7672d840184e39542dadeb0528b0ddc90981fb07d08bd68fcd6d0aaea98f1eea59c686c0a9f9cf100d07782465","key":"528a6327e2d9f390fb5210944b4c0340","base_nonce":"cac877fb7bac787653102874","exporter_secret":"d1c69b2f42f5410ec9dc7f34eb4d62fc80e877871a9a913d79268a3b2bf212715451e98075e4fa82c62e675ff77855aac861ab995369e63e37d1c2ef295db337","encryptions":[{"aad":"436f756e742d30","ciphertext":"607e62fd9f215f733932955aa1956f00bdeb0b1d7a7a8a1e19aaec33ef4241e4242e988da083c31894e7209d23","nonce":"cac877fb7bac787653102874","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"2b4df6aefe1a1eee9ee280e670f2c8f5d184396f138d9b2e1bc1e184aff94398e889054245b4c864e1ffd1318d","nonce":"cac877fb7bac787653102875","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"df24b10c59f918b5d4ba0b3a2106ea3f5be1d6f7d5d2ace2df2bef43166bbf4afef722f09b315f888b1a44d0e3","nonce":"cac877fb7bac787653102876","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"03a766f7adbb9bb7fa8489731eebe580e94cdedca73d5699f23a74ed8ffaf26749073a10c01e60ea041dc309a5","nonce":"cac877fb7bac787653102877","plaintext":"42656175747920697320
74727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"06357474811641db8a5e05447c055fbc536de858e9ad3da86111ebff9f11310c63b1b0837ab163f6b73670ec79","nonce":"cac877fb7bac787653102870","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"877dc7253f27140f71048b10b659b8320c66dfaf38879025cd43a339d3d393a1e778bd69b36bb23ad1a6aaed8e","nonce":"cac877fb7bac787653102871","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"6d04a0b98ea9ddc04bce04c818cdf700dc4a66f92b4992e23f666aa8ffe7d4c6ccc8171be7d25253e8b9e93d6d","nonce":"cac877fb7bac787653102872","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"fd491b6c5b1a9fc12ddf5c77d18c6888f5182e5d877b465288872f4f53038246dbc4f9c0b6504357224e5d16b8","nonce":"cac877fb7bac787653102873","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"24a5ca046a94b407ea28335d4380bb76955065ab5fe95ba9c860e98dcf2a4e0acb315971e7fd21988e1db4a0e5","nonce":"cac877fb7bac78765310287c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"d7711c46397b17ac7030bdd06f57ed57aa36c7c66a532bcf16dcf854d8a3bcc6396d147d198ae1de0ee28872fe","nonce":"cac877fb7bac78765310287d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"1816c217db9fb2740d2ede6e856385b15741643ca06f28bcd61b01b267c28e89"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"bfb6f3a85d5c87bcc50104c35826ed9365aed36066221b7ef4aba48868316e62"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"9da414fbd589f40f8f3c605d098bbbcd845ff41d6e5e5d56fe6a1c53cd0ace5e"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"07b7b2002e049040d6f34d63d133
319cb1c1fa506700fe972b615772ab00b17f"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"e12ef49ac472f7f78df0179e86a6439e951f303498724a6bcea16eb7bb56d9f0"}]},{"mode":3,"kem_id":33,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"1a1bad3999f6e2fc9db5f2d8244af8efb018568925ab6f4448cac9a8bed635648709402757cfabb882cc0528dfb043d98948b42d23088915","ikmS":"78563bdbedfca25333ded061fe66304a2b2b922d41bb3d2d9647ed486705edd70fa6d2d3b1dae39a047b702ebc5ad47190e221af90e20f74","ikmE":"e4ff55881001d657320713a8aeb7a9788a51f463235a1945c78f39eb09fad9693bc7dd5ad1c3476074b122b2d1070e2b0000000000000000","skRm":"d80c28e13821a0275f9df564f68ab9f8f9b81caec9a13f154824ec5bf25cb236617c93979d3235f09e5124197426030581f7d6a6387957ff","skSm":"47051529d4580ae6f9d46c6e16432640e0ba11ce2d7e05647404e8c04f0e33bdda527241df045016f174ad2a63df3a7069df413643de1fec","skEm":"49d38d302f07fce5d3a37c73f0a730452ff6e76771a5d2ba7aeb825120097ace5fff97fa7378a6648279531882a2e305e4afd411bf4f6789","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"77dcddaeb716ba7f06dc6889eaefff79018c306ab9816b737ee0168be141fe54ae38b345d2b062116ea45aa65f3f0da4f68e20a4eabf907d","pkSm":"4a42caea47feea709a8db5b3d95f5c1bf7ff3eaeebc0cc43aa571f00a93daea8472c0cf55c0b4ccb2ec9ac81b243f579f34e7d6ef79e35c9","pkEm":"f1b846b4811c781b5d74cba4b279900a87784a94ec482ac7b1d3ffc0ae87f184c499b786459e9ea8ed7497cf9668b3dfef42be5ebe80f7e0","enc":"f1b846b4811c781b5d74cba4b279900a87784a94ec482ac7b1d3ffc0ae87f184c499b786459e9ea8ed7497cf9668b3dfef42be5ebe80f7e0","shared_secret":"6e71fa1d0126d73f32fd30d89adcb94cb7d7c3ed8264685c2a0f5e9e6df948cded2f612d1770bc1d65668f163f7a93f1de7fafa230c4c71749f0fdb05e541de7","key_schedule_context":"03bf2a4b8887c8a5aa0ffbc15b024a30215daea4c766dd11032f0fee7a2c8bedec91ffab4a16701aeb8003f5b62cd6c97fae41ad96b5a12f110508030cb6f146dce2b7d113bf03e9997d6839f7054856607754c3ece11b4ad7eed4f5ae6b1d9652b5e47e7759d7e
3a38887409e3d139d6e7fa5a55750e5e74016dedeb1bc5ad6bd","secret":"cb6bd23830dd3571f451acfe2722b5e51caae324c93985c829f26807b666136f1610818a32f8a1369562c5dbca73f28620a81f16053edf249c78865bfe75c778","key":"9f13475a0419d28d1cb4878b3f4acecd","base_nonce":"b8c6f7da987eca97b565d98d","exporter_secret":"072107a6c12535b3a060f5ee226a8f9b7df9dceaa41c1308a904a4bf42280a7afe7fe668ef50c9f0b118aa25a7e972fa7d13dc3359d7503e471311ad6dcb4756","encryptions":[{"aad":"436f756e742d30","ciphertext":"14d81faf2f3f49f24a17ab6585270063fca3195c5f576199d1b4a02ec7876cd0ff4350784343ecbae4c3aa9588","nonce":"b8c6f7da987eca97b565d98d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"5b9916881741529d362982cd43162b97ce4da56e6f54b6ccec29545b1dca50a97c1f92f0016381e6cfbd4eaaf1","nonce":"b8c6f7da987eca97b565d98c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"7f41a18179e54deab1a4d32a44df2300f87d6481cfb3c56ecb68c500dc231b3aeaa68fa73382e373d354ee14ff","nonce":"b8c6f7da987eca97b565d98f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"a30de7acb8cf00fcec6cafc84b9fc6a337896b14ad608ee0d797ceba2d0bcaf7266d76bbaa6d72e02f3e99e987","nonce":"b8c6f7da987eca97b565d98e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"dd30ef7b075b2ec362c7387e0d4ca04f99c27a639d148051a9bbaaa17a4188383bdfce9f52079c2fa9c44c3482","nonce":"b8c6f7da987eca97b565d989","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"69751487d6f413bb298ab957f6543474b30a696e14bce327575bc99f31716c13c22bc2bb053236abb0d43959e9","nonce":"b8c6f7da987eca97b565d988","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"59608df47c69394668529e2eb78f2bc27e4c8731250283954b7db98ebadde84f855f703ad09d67d24acbc08622
","nonce":"b8c6f7da987eca97b565d98b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"8e551341f36a3f549a5566e1a395ce66649fa56981afa47a4e4979216959cf4bcd6ccda286bf88f5d54590cc95","nonce":"b8c6f7da987eca97b565d98a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"2d72a89e4dfdfbc4f1ddd51bc4910ae33be35b72c589ab67d37deaca4d87e676281fe30e70bf09778e8a225774","nonce":"b8c6f7da987eca97b565d985","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"d8e8e61f62976bfbe4627831253facc3f8fa74c92b0ea824eedef2343f7ebcee4e65046ec05b830f3951049496","nonce":"b8c6f7da987eca97b565d984","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"7d804853f20a19fb3e724384a2051ad00804406575db47fe1838a457f15ebc9d"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"326e118f853af7d0e5a4bf4200a0ba895df69937ee492e92476299bb5c983eb4"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"797fb27e0eb01b13d29cea9b23898282c8c7d3f5aac3cb633fa5ff3ef55262ce"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"e81c892f522e4f41cc948aa7b56324f6720ee75ee7a1d330d3bd43b0510201aa"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"f8365010f0fbf3b925fc41494fbcd5b9ae849eac101e80f1f341aa93fab9d6a8"}]},{"mode":3,"kem_id":33,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"fbebf389acb01e96b20ae694ad8fe50ae29d7364c78bf385bacbeaf71b3d142bc7bc82c3f8822495a84a438e0806778f3db8573be7a3ed96","ikmS":"5968f52a5097b26be83dd0e28ed8b10db4feaddf9763e15eff45bdfe984c2ffff4e055b27be93fec8ab71a73c5c349cec34315bf85c7586b","ikmE":"5f70cabec3f5d2c9068966955e2bdb0538154e7998839aa2b09f804f42527f0675a4d2dce5b72a63b24019cd5a0a97d5e31ff04a40a63aa5","skRm":
"8b8ed1cf0b9b5f8046c688d893b0ca01d581e76ed9c5782ee7d35c87beea7ac805384f62485574571044aef6bf559f122f82ec0682e32de4","skSm":"bb59ccc3a070f2f6eb709aa8a44d19ee689c0e30ac9192fba47006d17bef0de30744c14762d296cc606dfe0db0c30700fb62d2ce9a112064","skEm":"f37a3c2fa71be0efff486fdb37182c1ba055125dcf766615d4115fcc780f709534f17012f185a636356e3c0ebb369af679417e1392c66724","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"e2518f44c752dcc23442518f5365934569e63ce8bc78aadd772b36d702d598783e1cf5b278ba4da02ea9a6787b383498fe469c244146a108","pkSm":"ee2703bbf65b0cf759deb6fb7b5af047b37510930f0960aa5b6162c9202ecff974f02ef29590fcb9b6a4770ed5364888881efaeb9ca7166d","pkEm":"451021295b764d339c543cc494e11950638cd5950025a7b3930a958992586f4a80969b1b4ef43362338132e3a8c50144396915a32934e1b4","enc":"451021295b764d339c543cc494e11950638cd5950025a7b3930a958992586f4a80969b1b4ef43362338132e3a8c50144396915a32934e1b4","shared_secret":"c293b176d1148e571005fc537b190ad977c72cbcbd60b092be6efeb088accd19df56537523f5bf2aea64547fa6aa68b49b208743b9ce2197b8b9ccc3bd12b445","key_schedule_context":"03062ac32e53aa3a18c4e3a13006d70d29c06daab695ecbea36b038ff7403c1ae06be71c50352e9d5d67d2de4fe23fabc906a91c98f060782c6b1b68d45838fe40b2a53a6e0b59f0691a173475b0e7b9ce80595b366962810200e858b34193d838dde13c1c80c68ad9004b62fda20c8e32f0bead5927e76103e23c5d2b7999ab4d","secret":"86f95d410231c771146677e50c4f32b28f26050ec73c9e8f76a938ad1322625740187b83354f4c9a0b26e097df0b1937f893dfae6739567fa924aa4df6d315b5","key":"b823b797e6e3a558993a6d341781d41f73f0107c1b61213bd53d1011ae2d1b93","base_nonce":"56e3795a46840548dde15346","exporter_secret":"db3cd26463e70d84e9845dc952f376b7528116f772cf695f942d1fabc341f8b23d1b8ec1787b8852d27781fec53babf514f579fdace5b9a2d7d951fe38f251da","encryptions":[{"aad":"436f756e742d30","ciphertext":"7a755bbf3a038ed7d612a20933ad4a54496f26d01dffccd3b037a09bb94c1b1c9a86f1c1ccae85e0000e75a343","nonce":"56e3795a46840548dde15346","plaintext":
"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"797ee9ba25baf9bc83ca3231e9326e372a07f7aee904754cc3892cf56ab7690a8dedd497d5da0d995e066eb685","nonce":"56e3795a46840548dde15347","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"4efec95c2802d56fde901b55c2bbd976cfa8b6ded4b2e4da5e937e051b1f4e0b48f0914454eca6da42e93c25e4","nonce":"56e3795a46840548dde15344","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"8d12bbf9858854dc2d060790165cba6e4e7f609cb2ac7625b08cdbbde90dd0187974626aff46811d98a6449c88","nonce":"56e3795a46840548dde15345","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"437a1973c0252e9633ab4e12587e3ff82f6d7873816fa998f307477d09bfb08bd8c59c85942fc25c7bfef2e4e1","nonce":"56e3795a46840548dde15342","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"b66783c2e2535d45deaa5442d38aa96355783f797942a67004ab5a041c455ee94764f845a56489dee1c287de20","nonce":"56e3795a46840548dde15343","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"58d554c925368307f8660b73d6df0644751bbfba3ec8d9081e59d2e70085c79d7e287dd838fdc8b51ec0437ba0","nonce":"56e3795a46840548dde15340","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"176871c089ab54cdc189cd5dc453016ab7181c507a5647877435172bfb6824bfe237de12faa48fba105d17d401","nonce":"56e3795a46840548dde15341","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"9775a1bdcf788b4bd3c13edeac68d8795f25c96f49ff2dc45a45c7c9171da18e399d7c9223907a0e62e88e094c","nonce":"56e3795a46840548dde1534e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","c
iphertext":"615f1b9d2c2b09e78f590e76c44d3c59e3ef91205304a68340393ed9f8e12e474fe444af8c75ab567cbfae8824","nonce":"56e3795a46840548dde1534f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"7e7896f7d6dfcec9b8aa90acf6e5625c13fb5ec7a8d25ac7974613f9b1192ee6"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"2a5dba1c01043c2e6af2b061f60740b8c69255e4e2abddb1d62f045ffea81d22"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"346ca06ddc3eb857918f05dcd419c96dec18b88406660540d32873d291c276be"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"d6bac5f177d44be8ddba676e503672b02985841b3b92bf326fd2fcabeeffdd3b"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"cfd9773196fe07a97863459b2f75480af4e00c86fc6c0da8e38a53fb664314e3"}]},{"mode":0,"kem_id":33,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"ab222f8ea3fd78ab4c6618e7d474f3cbef1a77174fe1a5ab2c4bf0cfd325fa0eaf4e89dc6d5ce29154dd424a4a03b867fcbe2bfeae0d618e","ikmE":"f1a1c2fb01167be9af14c51b2eca8c024c3d884ab25377f9e2a247acb1764b60acfb87e6ab275100009505d14e48016c768019386287d847","skRm":"1c704863c209f85bd9b0a486d78005e5db4d9d2cf38828bcc075e80a060d7dc531ccaf377777149a834a66872ec07b02bafa85f69736879d","skEm":"71d5339cbd38ebdaacf0fcadd7482cece4a59e53cb8e19d398d9176e840c28abe8c52364d16dda86a59c13ed683c682339b907b311feb885","pkRm":"7f095b550c1a413be7171305038c9acc3fe6e686da51f6e6fc3a83da0484408566aaddfc4a3b5cbdbf447fbfc76f5426e07cb84e78baecae","pkEm":"830fd44b2fe8274277effccac0a51a949af1644ee09ba87fefba0e7dd58eb06de7b66480b3be2cadc1722dd58f68df750013b3051c4f4fb2","enc":"830fd44b2fe8274277effccac0a51a949af1644ee09ba87fefba0e7dd58eb06de7b66480b3be2cadc1722dd58f68df750013b3051c4f4fb2","shared_secret":"aaa1d9b3bb5d5f7b14174c8be262d7e8d1e7435c8e3b31c45a086ead6c1f4d46a9e4d884ee413d91a46a927436d5652ac9f6d2f073ff62ab622440
1b2f86816b","key_schedule_context":"00d00d787664cf3be7a2d7bba59834b6786d8da72afea4b02069029df0a77f505f815faf527b50a16250136ab7a6957327467e7d0e3221b1d3dee504166ab0e819b2a53a6e0b59f0691a173475b0e7b9ce80595b366962810200e858b34193d838dde13c1c80c68ad9004b62fda20c8e32f0bead5927e76103e23c5d2b7999ab4d","secret":"f19cd9add7aa6b05a560376cbd89de4e6197c33ce35af209b7f8376d2d581fe486516aeaee01ea10f2990af0a770cbc2d54f4bb9740f495b5cfb773b30a7fd1b","key":"fa82f550a5712e8749c07f41c153dba10b8dfa69383558af8ca13aff4917c1f0","base_nonce":"8d52c509705dfd2f88b614a9","exporter_secret":"c488f6f6bd152c8f4d23606465cb8f74e8a18a1f8c3639e887418e7b58890de8f80526063744f1b9ab292ff723ac4bec1d1c60b4457eae75cc1cbf322d321af1","encryptions":[{"aad":"436f756e742d30","ciphertext":"39637a870645751d82e1aad7d65e6c5273feb44d5525082b38fab9af3a6935914ff120ccfee2da6578bd0094df","nonce":"8d52c509705dfd2f88b614a9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"1cddf0152eaee2b5b3ae890b819396f00826750e339ae5c8de6c5bbfdb48c7a906d1e76b99b865a87a0ae23ff2","nonce":"8d52c509705dfd2f88b614a8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"8b24989f809648b31fc4789553cc92a18d986e78e5857f3e81387e338d65fec9fbd2577f5d48bf573d1b99f12e","nonce":"8d52c509705dfd2f88b614ab","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"eb3bbd6b48b36575e008657c83c0e8743d726d3c8f2d0ced03ec43d0999533110ae42b196a4f6565b2e003ffb5","nonce":"8d52c509705dfd2f88b614aa","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"f70b5870685d7ddb2eaf52a8189a8bf65d0f3be1d35ec904000621ab287fa7f530335c8652a70015cacfdf7995","nonce":"8d52c509705dfd2f88b614ad","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"4a49880d0d1b072528f577c4e10580f64ee7e289c93e02660cfc1b
4f688cda020874b91ce8ec2d201b9170b5a3","nonce":"8d52c509705dfd2f88b614ac","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"567638fbb84ad7c80a6a5d9052c7f91a77bd1b2e5b3b0ce58b6e0b09655668f84aaf24a2fd9eeb661a9a18692a","nonce":"8d52c509705dfd2f88b614af","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"858956280d1915cfee51f686ebb3cf70363fb641632044726634653ac232a3a2feae8ce2c841f4964e293fb647","nonce":"8d52c509705dfd2f88b614ae","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"b9ac901f4076238f8dc7c2620e8161cdc9b1ab2ea8ecc26030b6bc2c135a5d36780e3cf18e170d4d092969852f","nonce":"8d52c509705dfd2f88b614a1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"89debe592c1ccd637af508cc3b5e99109409e88aa65b12742b80dfffb227dbcb83b96cc8dc26f7db73d7c626fe","nonce":"8d52c509705dfd2f88b614a0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"d47fc55a3537b4c2cb776dcbece1b193d5b1824b3ef786ccebaf62da1dabd16b"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"447a4d29f61ce7ec7f4be64e75b370f001bed852167cca187a9ebcaeb9586b27"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"58289f05768a29ad18014e05d7320133e7f1997f41f4da808ea422e2e8b86945"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"ea146c4bda0682a3bb264dcf8dc69ccc0ed62cd9a15245767bc0461b77288e77"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"a20878f69233a53c5fa5257fcb8c60e3dbbd87e12985c683f3633ecf5afc4057"}]},{"mode":1,"kem_id":33,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"3ce2237cd10bbba8d24e0267a017971f16ea9c01cfa557dddb6f01fb11cf414f9a9998c916c5f19b14a0e7a849
9561c3c3ae078f66257463","ikmE":"348f78ab34abcebaf0b567890b69b741bfc2006197fa107e1ec3370c95705031c5e8dcca93c0f981ab18dc8e53df455a5135f14fbf3ad293","skRm":"633bc852d4d9aa5de82d459f89a9cd79cc83a81d03bce61c2220f0da0f95bd4a31693f51dd54f268f5ef46277ec3da913eda0adceebfcba7","skEm":"ddc43b63314014e94e4ba2306ff3fdb42ded43d4a2849ea6fdeaa257e5ab843e8f82d95f270b786694d1869426c21908873c64605fb3acd6","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"28d64999d6a1169447c97aeb45b679fd9d35b55d703c0e46f9eec350a63712d007530035dcf3fa7ae4da89f3bdd11d9f07d46d18f1770ee8","pkEm":"9feabd4acef355f98b37eaff60827332846d8fe1ebd5b6e8291942b72784d4b0b32eb49a8b2cb84a4f41678ad6a19fca210e431dc8e4af7d","enc":"9feabd4acef355f98b37eaff60827332846d8fe1ebd5b6e8291942b72784d4b0b32eb49a8b2cb84a4f41678ad6a19fca210e431dc8e4af7d","shared_secret":"e694bbca6b2cc01ba205209dd53457bae18c63cca0cea72cf38156a1cc617d714935e82e0057b0d6e9de63589b5de5084d35324e1e39aff1152b423b2de7f167","key_schedule_context":"01062ac32e53aa3a18c4e3a13006d70d29c06daab695ecbea36b038ff7403c1ae06be71c50352e9d5d67d2de4fe23fabc906a91c98f060782c6b1b68d45838fe40b2a53a6e0b59f0691a173475b0e7b9ce80595b366962810200e858b34193d838dde13c1c80c68ad9004b62fda20c8e32f0bead5927e76103e23c5d2b7999ab4d","secret":"a5412081ff9cb34a732a199185b8450b73a0d8620ad3a4079c3824af7d1a670949e91e908bd3e428e81314237be6c89b16cc0af2e40171ee42c7f9cd7025014f","key":"9e3b6e3760a51db4d9cf31de66ba0b51a7058740a8b9ab6e87d42baea61ec7f3","base_nonce":"75f99479d67900a9bd3c1576","exporter_secret":"5d34600d7c72ff005441fc318689cde3ebc1f6848ecced8316a87761ab90bcab0dc90e436e201f1f3c6ddcb6d89467696eb193639cacd1574d6ed2991a830a52","encryptions":[{"aad":"436f756e742d30","ciphertext":"ffe9fe10c47d8e62fb946a636904acc398e2a043fe437b2a170ccea3022528700af14b4203087edea5f658ccf4","nonce":"75f99479d67900a9bd3c1576","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciph
ertext":"a4fc7c60f66feacbe6d2f81f99aa3771c0860c0b2d9106cbe3e602eb08c2c719d1c211c61fe64555ad053f93c2","nonce":"75f99479d67900a9bd3c1577","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"21c9beba55127b48e116fd0c51646a6800809a53aa37b73cd93d94caf2f9e4c8ca58e675f754d9d3b849c4ff26","nonce":"75f99479d67900a9bd3c1574","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"b10794ce2dbda77096911acb03b6da2a345b8498d88f511e822ace9967afc9e6590885a2a916e4d11e41733ed0","nonce":"75f99479d67900a9bd3c1575","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"9ee7a5aaed43b6ec0adc9d7bea1fea54dad3cae0a1b5de00552ed0469561bca0d627f7b64aabc41f74a8eed16b","nonce":"75f99479d67900a9bd3c1572","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"7960387001a5793c8ea4e64d1dd848504b8cfa59b8c2a2e9e921c9275ecdbb6d891196b101707cd2a6fa9964f8","nonce":"75f99479d67900a9bd3c1573","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"f599e9a56499355d1139e07a4cd2c1aa0a5b479e38ae57eeb633fc6efda05ff5982fec2cb77886385784885cd6","nonce":"75f99479d67900a9bd3c1570","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"8027d81e76a35386883209c319961002e996ff9ec997553c59b6fbca96751c5b3584e5c560c744386dabc98d7b","nonce":"75f99479d67900a9bd3c1571","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"31e70cbb1ab9a55bd44ce101cba1c07fc3eb3f1594dbcdc7e046031ef49d7a0687cbfabb9e0b1359dd6ef37e8c","nonce":"75f99479d67900a9bd3c157e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"c455cc106108004f41b77c86ea3e40330217eaf704ddc28905e2de4a3b8bde8247cb58aeac6c472
4e4ae5a64b6","nonce":"75f99479d67900a9bd3c157f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"687f97238c0f9f05ef6e4f4cc1d4611dfcf3facf4a873c2beb86e8975daef392"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"546c88bf03b2c8968439b7ce0907e98a1d75ef3e41fb13b6e3ec87a116b7fa73"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"5079444f670cb8181e5e68eefd606813c5c1776ab30d69893093863e28102666"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"082fae6ae468d06d8c9ce1904daf4c86a3dbbfe1bb498a5263c1292339c28ea3"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"f261cfef25f8f5155b61d49e1067d381c7103d294093ea423f033b0b9e7d6f68"}]},{"mode":2,"kem_id":33,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"fcea17b9e0c53c8776ac111bc3078e314e28cf32f3fd52dc444036fe5fbd0c0c15905b6c872f8a97efc5e8bbe6a09e6b9cc19b616bfeebbb","ikmS":"1afaf24c4b14cd4a8ac2804daa62638d5387d8c7915c9cc769066d4886100fd3e1d8b3f7592bf86ab716561995ef990d425883e1eda455f4","ikmE":"2cee4acc8600232625272238e7d84eed814dfef798942bfda10e65a03505b37fa0e8878929affef53ed0d727fb83961a1fea2a4c963c9f87","skRm":"898419e1515858374865a9d29d3ec67faf2572eacd57d3db3475839acc94347955f1afa8a2bafc8db614a5388ed0560c8ddfc0b19f522e2b","skSm":"803eafeeea3a59599956d0f66c148e2f1154bb8bec4b74435ec344846fcdcd11138774a1f89a8d7aed02d91368869a2a1351e90cc5e2dbad","skEm":"728c2ad8c5412dced9757e4c867c328f3712c2f2a09f0f051fe1cbedb6c9d229833a1bcff39c28e9c339a167c9692597d2d4158bba58fd37","pkRm":"eff3c5d6799f3c78c0afcc171a0155b6538312e7c256f8955ad73433c5e1ca291460bfcf8f1f924c5e27e32c53733a82bb60ea837f3b0619","pkSm":"a5000f0229705588f1c70b98fde35322e4991374585766deaa8b626d2e6b3f8a2119c7bebf8b15749c75c0a6b0a445cf11273e7371ec5019","pkEm":"eaa3d1ecac364ed4bb13c859c900be6a8c8b2645ffd08808e5f8c4753f7809304833577404314bb156e5ffa5605e255
2396fc99033d36e5a","enc":"eaa3d1ecac364ed4bb13c859c900be6a8c8b2645ffd08808e5f8c4753f7809304833577404314bb156e5ffa5605e2552396fc99033d36e5a","shared_secret":"14602d5cc7221f7fa4291c88bcd59110b33648399900d05e56d72bf214f6f24dd008835cfc5f54d0f498d62cf3d9703062b18891a6a2724086262b58bbf4bcc3","key_schedule_context":"02d00d787664cf3be7a2d7bba59834b6786d8da72afea4b02069029df0a77f505f815faf527b50a16250136ab7a6957327467e7d0e3221b1d3dee504166ab0e819b2a53a6e0b59f0691a173475b0e7b9ce80595b366962810200e858b34193d838dde13c1c80c68ad9004b62fda20c8e32f0bead5927e76103e23c5d2b7999ab4d","secret":"f318b92b01db858ba4446e7ae500af61d84a1c1e9bc2ff0161209f8a6fdd71262120a6002fec915c22f22d10e481a6d67e3e05e55a8f3a261371e66bcdc606a6","key":"6a37ce61a97d404e9f1f4a467808ba374f217680b4f6112e88ea51bff0a431fa","base_nonce":"346d65c1f3b267be8cbdaaac","exporter_secret":"7674493a9789389511f5a0811acab1ba61f3fba8bb62ce8a6a34da77ff2412e50cc76ea83174b0052ba31a95d8979312785612d4ac76fdcc2f36f46941349b0b","encryptions":[{"aad":"436f756e742d30","ciphertext":"0334a3f71c473e4a29dcf8326c7e83e6bbb58c4b35e6724b624cd876a97abb0607885d2e93832144981d766a02","nonce":"346d65c1f3b267be8cbdaaac","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"80e84bcdb1fa02cce4c815f3cb5c4f54e7cd1ec6eca722ed8042c41e13f74764da8c98a649c7c236c79f9d17b6","nonce":"346d65c1f3b267be8cbdaaad","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"88c91a2cf2fa0cdbce4329df62da818a344deeadf8a4cf9d4f30128a875a3e852a46b44d7b96c876201ef33071","nonce":"346d65c1f3b267be8cbdaaae","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"169e40b0a3665daa2835439ce4fa5750967124283c554949c492ef986e19d0f2d68e17a2b9e1f7a9afaf72352a","nonce":"346d65c1f3b267be8cbdaaaf","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"8e87e362827739d318
78cc3df9152d2d0ee7ecdc6d7def4ac5d6bcab73f2eab8a1f1360a6f3d9e72beb98219d7","nonce":"346d65c1f3b267be8cbdaaa8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"faf4553501e0c5490d13f8ced1833c4c0456cbb282a3e0852ca8028da3c92ecbd749ebde3fec720f8f88528db6","nonce":"346d65c1f3b267be8cbdaaa9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"f4db544aedd1d50f6a648ad3426d377871ddea674ceb0d25cf36a340766596db7e9b48479a783f956f2c449f5b","nonce":"346d65c1f3b267be8cbdaaaa","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"a866f4294f465c3aed94e5b302abdb819ce96243afe352ac75329fc484a18d487a1966cf04bf828c34c61e96b8","nonce":"346d65c1f3b267be8cbdaaab","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"8a9690a03789b661e8993bf1dd896bbd6a4465bb470b7ec7c474a670ac48c29c3c8fbae522e337e82762db1885","nonce":"346d65c1f3b267be8cbdaaa4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"ff9caeba6ddb71e40e8ab610438acc227ffc05b4f49d50cd4e68a6c8a4da060de1c52fba1de6f2680f30cd1343","nonce":"346d65c1f3b267be8cbdaaa5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"d2730af9f8aa24740fb19a94a74081f08205b7f264f67d8ae4fee56883154faa"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"263c5a529480a63b09717c5d9f8f66327d8eefffdb893872944ceb17a32a5911"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"fb0d8fc6ae016fea046c0b1a0e4d3814fec7a1ccd12afc4965a4b57b37c65844"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"cee0496b02bca385a16d4725eff303b4e6d7db715b7c519e4d96c9581ede9261"},{"exportContext":"436f6e746578742d34","exportLength":32,"e
xportValue":"006fc466be28ccce76836ceb53f75302ab18694cb9f1d96ff3ddd9d547ed5f22"}]},{"mode":2,"kem_id":33,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"d88eec8846a2142ed9ce1bcc9e5ae86aa5b901f784287dd82a17bc04711788b412940924d5002f7d5fdb2f24f287f82869561d1c7ccb2043","ikmS":"46c55e2c961758b6a2970f94030d807cd03497be934e45443a05981ee0f2f7485c59c70c11a5dd76e31c00896b6a792fef221fe2068bd838","ikmE":"abe1ebdcbea500f8a74d59ca4045034ac15e83766602279fd9943e6fb2dc005881d7a90ef18e41b1bc0dcc453c099b9a90d53fbffa7821d0","skRm":"f2d28273bbfe278f0258074e02448c5f0fa584b64ec1b97677d53388ac18e4bfe87a2b8f5e0ccdc27e1da0e64aa298fe4917f2f49e4ed8dd","skSm":"863488d6443f43c80377b7ad4225f1ad5d4d95a582af84d70b019450665b0800606d425e50f21f5234414f47e79e939ff8186d4b0317bf7a","skEm":"a71ca67bc53135aec8077802cfebfe437182e0bebb3145eac1da4948a80fb5503fa7f6c60ee4f61d973a400ce9bf2bdaae77b8c4d1c525b7","pkRm":"f58aa90ddfef970e2f28b576da139b3f9fb461a603a5188321c48372768bcb12641bb3d55ecc87b9523a4faa32e406b55af9712831fc460a","pkSm":"c2d119313bf3178c694ce828b3bc25539a1aba2478cce3440ce2097f18a14f6f43febee77e6505306b0096830d877e4d4538b8b1185a7e4b","pkEm":"e8f4245bf98eef3a73a935f1c210a85f039617a5ff51a99f8a7dd06817e18fad36bb062a7c47e3dd386a84d47f2726b4b43997f10748d565","enc":"e8f4245bf98eef3a73a935f1c210a85f039617a5ff51a99f8a7dd06817e18fad36bb062a7c47e3dd386a84d47f2726b4b43997f10748d565","shared_secret":"3124f10311aa65911606d9b7883cc1c70246deb6c46a134816386f5b6306bd3b019ace50074f6df270897d7335888f10b9133ea54e041101840ffa35e3c9dbaa","key_schedule_context":"02abdf4e709d854b0b426599bfa3c454ac104a68cfca8e1e3bb8a472dba390073e850a01ec6ccb79deaf227d321eb2d66f51709bdf9be9ce9005da7665b29da71e42ea85d8988da1292e30fe117d85d73e319ed4ec05f7fbd0602c1d5f043c8d004d6e0ae0226f1a5354ddda9be71c8626ef1208597d2593261c17ab7fa512f90f","secret":"7db2b6ba91d32061a7d4e5e12a83c6da98d9570daed7b28807520182a1a228bb350ad211c4b6b7b09f931ae7c3094d280cdc58ef453434b6c9776b8a93dfbbec","key":"a4002ef40cf5261247fcbe23b4
3ce1654c5438d6f2b3583575ff2437c8c88d9f","base_nonce":"cee8efdaa021e3645fb6cb26","exporter_secret":"081b7740ac972605f1082b1294204c52942d7c985939dd9ce4442373bc59008337d17d8b848a15e8ddcfefa7708a34bbda39a5aa75e40e8061c84806eedd992e","encryptions":[{"aad":"436f756e742d30","ciphertext":"8d522831c89e37dd3b80fb6ebd60528a2f0a9e33bbd218d99ccf85fbedbcd9da3ed6f4eba428966b64981ddaa2","nonce":"cee8efdaa021e3645fb6cb26","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"2a1cd8259428629963332ee817678e8ffb69a9a110cfb7977aa17f1cfcdca62c2b67d84ef34419f4aeb7da576b","nonce":"cee8efdaa021e3645fb6cb27","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"6d24c7e4bfd9d8ba90a5686621ce40c1fc85cb3a1c611f5b1ce2aded42175ec628ca201c75c6b89a16d3a773b0","nonce":"cee8efdaa021e3645fb6cb24","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"d3ae651b71b6669ca85712dfad5a57451968ddf105643953878deb070434ef1f3b9794649e417d24b047c7502b","nonce":"cee8efdaa021e3645fb6cb25","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"7a7f8a72751eeb6d0db9e1e3221027afc94fb4e2cecd2672e9c502fa7d43abf8fa8beb1130702a4225f29954e3","nonce":"cee8efdaa021e3645fb6cb22","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"6fe089b30382e5cd29719ff996db5ebfca57e78a42589a9cd41032c5c0f22180490ddcf5a9b13559091a54115f","nonce":"cee8efdaa021e3645fb6cb23","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"b29083b517eca19ba558760377dde8e7b6448501ae18ea78e3cd7018882a6b5cbbe713383f20ec9d5a5b975a3c","nonce":"cee8efdaa021e3645fb6cb20","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"853a2768eab8ad08d0b8295ff3b62b585ddbe223fecc1
ab828825fdf2ee4750241dd5dbdb9bee67326abd2e04b","nonce":"cee8efdaa021e3645fb6cb21","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"c47b5c7fad5f94420872c5da1ff0f3adbd18a0b0758b32a031159ea09e24ef0b5a8501ed1c4fdbf6f041d72450","nonce":"cee8efdaa021e3645fb6cb2e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"efd25fd223b255835e9f7bd004d8ea63f39c538846e8a7608f48c17d02d22dbe51da8771c9ac59a319d1e1f044","nonce":"cee8efdaa021e3645fb6cb2f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"feb092e041bcd7fb07e85fbab3ab05661cd5bff437cef9722b03b392c27dce57"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"867a7eeab1c1845fe097bccd932a01db7fffeebf13e3587a9e32f3dafc5ea192"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"b0d19dba7d3ccc1ff5031c2b96dc8cd5067975c3d69f5435352e30fc42c53dea"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"bc753117decfa4158b9602b909f5e877c67f2e74c01c4b026d8523b12c27eb6f"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"ac5f4ec086feefe0569d6be0fa95905d8998a412611142be5760d29917d0d532"}]},{"mode":3,"kem_id":33,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"0f1748be77ec0024aa8f3b792e7c9dec4f705386f3c750bb08567ee12cf2c85779429a1a98316ad972b534d6de308072fc8e61f5d5adfca0","ikmS":"b8ddf29ed118c9c21eee777e4eb4daa4dbf4450b8cef8797981f39565f156e5044bd773cbcd00472cfaabb0d1ab559ccbbd9dca6ac1312ac","ikmE":"d891bca8415b836e3b07bc3f54ee0459779eb24d125f1f53cd302e0c9864231282ac6e8b6c7a6dc2958f0046cb31ad92f707cdd7b165ecf4","skRm":"61dfeededf73a1ce0f235329e4e14f09d36dba3efa1a62cbda964ac58f7f845af9ef9a9a46007ddb711a44a7352d420505d61ab0ce082145","skSm":"3313442d9e31f4f78777f34feb0831cc1410f58323f74db99a226f54be59c20b4fd0c57
2a49020bb84939efc7f38b61176c814127e42420a","skEm":"de93edddd7ab12dbe51df399ef51b56d702d380fa7d037cd5f74373243f0020feb6f425ba5d71c6c6ef66b04460c13c190a29c78db095978","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"c77a6ad044b95ab031a144bfc7300a959c0dddd997dc6b258b0e721a3e3dd3ae7aa0b82e3bb69b95c77a09ba1999232d436f64fd22f900c9","pkSm":"618a2a893d92fdc157a44fb3157b7cedb303d0b19b75bc37887d7e635ac635fac4b149b36b02b67be04be7e036b832c2367eac71b1d81a59","pkEm":"15293fda531c20cf00563434ee1c3697492b897b10a3fcfccc30624761a9c1a5186020fbf46361f1d8c4a398094ca00ba47767b8ecd1ea76","enc":"15293fda531c20cf00563434ee1c3697492b897b10a3fcfccc30624761a9c1a5186020fbf46361f1d8c4a398094ca00ba47767b8ecd1ea76","shared_secret":"0ade0b1bdc0d1a9777a37e6e08def529be86ad82d2230be6bf2019000f61b7d2d354105796b19da12c3d08a3e7a6d234abf139f366eb195a622fd648d76d9885","key_schedule_context":"03bc1881e2b28af20f75dc480bd2297da96e87cfa2b4f1f0d27a38ebf28771463f43150e911faa2b9a12aa3cf9f19149cfb05b0c932ca3ffe53d83b26444718e6842ea85d8988da1292e30fe117d85d73e319ed4ec05f7fbd0602c1d5f043c8d004d6e0ae0226f1a5354ddda9be71c8626ef1208597d2593261c17ab7fa512f90f","secret":"4e260186e0270badc168660595add57b19076d030e866c40704a86a53e6fc9c8ea001a28240ea36c44ac789788fce506c7f971fa39e9cbb5706ec05e6991aa86","key":"04678baa54bca2e63f9747342981ff566d71e8bf7539832eed11ba3feea34f37","base_nonce":"aef014e2062bc0acf7f2ae2f","exporter_secret":"04fa6459f03b5e0c525d03a8e0680ea71e43cff32b1573d0d229949abcd364dad69e111f38fe27a60c3cbf352073885b249ff30e3d0b7bf7a269ad73b6fb46ff","encryptions":[{"aad":"436f756e742d30","ciphertext":"69a3868f4933b29abec36b0969500f9be5d2c3fb6886ce6e75ca3b1f502e4ef030b6fccdba39111edac508fed5","nonce":"aef014e2062bc0acf7f2ae2f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"4ec0399b865e5761a39db30e1caba5a426f8b1f0dca54161647ebc280951fd4ae294e454e7c2ea52090c9d48b0","n
once":"aef014e2062bc0acf7f2ae2e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"c8885c74d77cf720d0fcb064fdd5b186baa9e5e774c439fc54aad935f784e6f3a90a9cba82e15b9d8bb59a4a34","nonce":"aef014e2062bc0acf7f2ae2d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"021d0367233ff96f751f4a11865d496616e8fda48fbe3bace36a9bd2a63c8ae935efc4fd3aaa4b9c58cf4af329","nonce":"aef014e2062bc0acf7f2ae2c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"f23251142c8f639fd48039f301384d0a5fa378cd3aecbdd81aa551bafb626bda83cab5c4aba30f06b1f51324de","nonce":"aef014e2062bc0acf7f2ae2b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"73c42f10966b842a7e19ccaa26f8a65f434f8e65a2ece51bd09e991616e0b57dbea1449305022042f80c081179","nonce":"aef014e2062bc0acf7f2ae2a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"26ec084b16583ecfdf258dec6db50b6280df9d4875c85d3bd799909f37417955768a9ae427a03107b6175be608","nonce":"aef014e2062bc0acf7f2ae29","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"e13e6377543237d6ab57f7ccd4fd92fd5f4698dee6fed6e63fbeaa8b8d72ff1dfb54d74e33cac0b1c139fbaad2","nonce":"aef014e2062bc0acf7f2ae28","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"dac893cf123343304a947d302fc726dec40b5d14c509c7852c5ca3552e61f6b09a7e7147e7ceed4e196e431d59","nonce":"aef014e2062bc0acf7f2ae27","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"1fca87cab88f8cbe8370595a4543d5477b2992fb6e3989d541fe80f803962ce3d0a548dea1342c2dfe703c668f","nonce":"aef014e2062bc0acf7f2ae26","plaintext":"4265617574792069732074727574682c2074727574
6820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"1f5554b2582d5f21ae19128bc6faf2db7e16e2dd455e3f38f28dd5ec4c80e57e"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"87d9a913c18e84361a44d564c00c667dd4a8cb86cb24c1efea3b0453754a6fca"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"586bdaea76a8d510e270b0730a8769b21ef0ee432d28b2fd37717908d9b9e3c5"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"d22aa3d0525ae4261a460f5dee55c9791836cc373a314a4229605191cdea8811"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"99c60bc0f611c12381faf0cd3ab986381dde65782013a04dc84a625aecebb54c"}]},{"mode":0,"kem_id":33,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"9b3157f5802dacb8b55d1e114f6732a9a237ba2a73697a54361e4b399da7e14e835aa5216aa25184699f431278a7dacffa30b89c0203e86c","ikmE":"a17a0f18698823dba09d80bd4028e3c0e8f1877fe691f7f4e759cd8ed7750ed6a8f0c7e1ec6b7aa95c88c314bb3cc783aabff63dc034b0d0","skRm":"6f322456e2c55ee2f34e94212a68db5a4f15f53b1299358ed075f926a1e3e5af3c477ec0a5fe6b7f30b5713592c739af8d7aa5402c944542","skEm":"1f466b41b21b29f65f2ad87b3a191a27b8811628f033ad4d36c0482fb697ebe9258e3b78564a22b5751510e9b0ab5d22570e7c91c999bbcd","pkRm":"7b2c6d4f43638ad5ee02758f9ee7853a9035148ad3f6a0d5d80a9bb1e91878310fd194a9ba07b6c4f13272373e9616fa173b6b7ead643e28","pkEm":"eb079dd83799e89d0ef128a152419805aeddb7f854eef2a3e3cb18e8487d0188b02cc4d221cd2628e51a9b8cdd1485f88b50d7fdb18cc44f","enc":"eb079dd83799e89d0ef128a152419805aeddb7f854eef2a3e3cb18e8487d0188b02cc4d221cd2628e51a9b8cdd1485f88b50d7fdb18cc44f","shared_secret":"0756a1b28347da5c75828a8b31def20a81ea8d5560b0ae4246fd4c84222e2a61151a9d7c447747b0f64ca77324f24372e6c058959a794265d4b24c3dac545e36","key_schedule_context":"00abdf4e709d854b0b426599bfa3c454ac104a68cfca8e1e3bb8a472dba390073e850a01ec6ccb79deaf227d321eb2d66f51709bdf9be9ce9005da7665b29da71e42ea85d8988da1292e30fe117d85
d73e319ed4ec05f7fbd0602c1d5f043c8d004d6e0ae0226f1a5354ddda9be71c8626ef1208597d2593261c17ab7fa512f90f","secret":"a284161547fad16d5ee8717b7a001cb9f5f07a1555cd6489454d01149999ee33bc06fc77e208f12ddda524aedf0a38b6432634c5357344a0c260df22771f2094","key":"48e0590ad9ccc9776d100c564884041ccaf828d925040989752282f7a06bb50d","base_nonce":"9661fd879d4992084ce77541","exporter_secret":"1a6f2aea95ea82586b538d139c6554926a44c1a854e0497f02552015b2bfdbc59f83b3c64ce60a50bc19a449e2fdc6b887f3d3a850c41056e2548c45f9019f86","encryptions":[{"aad":"436f756e742d30","ciphertext":"c16bfed5d4bfb3c2ba31f6f7e15b973e4bc79749e155c4f4efd246a3a1bcac6ccfe06b4a7640425d8451167c66","nonce":"9661fd879d4992084ce77541","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"4e8e7808c807f378d6435ecbe2eb1c54422874a3e998322429004a5f22d6a443428979ff26c275e757448834fc","nonce":"9661fd879d4992084ce77540","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"32f8d8e9e08422d0473ee8cf2a4dae6a0b087f4664fca971e4496af5b21e6b7572f53034732a72aed69b73bc4d","nonce":"9661fd879d4992084ce77543","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"239a4d6180c3d7d594ade525ec4e2c93a5ceec81c7ccd192e66872cff2bf6727e2882a3c71e3552e700118fdb1","nonce":"9661fd879d4992084ce77542","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"7922b91c7fad18dfbbd1faf3b16f8b4193ebe957fdc16d056778f4808e568c097861ac38a51cf534da5bae6a57","nonce":"9661fd879d4992084ce77545","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"cf8bfbadc19506a23cc161ad7ad38c19fde78cf7e5642b586e3988be3ea0b30c2ec52983158b8b9a171a5100f6","nonce":"9661fd879d4992084ce77544","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"4275d41d6
6e59fba3e95185c7f1fc8051b474da56566a1aac45b1a06a7980f43ad9d3a9f1aca4035e502000078","nonce":"9661fd879d4992084ce77547","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"af0803b1ad452d98ac4383e8ef69b9afe5c68f08201ccebd3e841c63f3aba973945bb79b1b6cb396afe7e11795","nonce":"9661fd879d4992084ce77546","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"41631d5b3b299642fbc3424c4ba4c870cf8d0c2de881f66ff06e96d296132cbc1815772429c1589840f73860c5","nonce":"9661fd879d4992084ce77549","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"7b219757ebf8fada13b1d9e1fdb5606ee3061447cae39f6f760d7570a1bd3b71c6344e66938e39372bc0106964","nonce":"9661fd879d4992084ce77548","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"ce2d4096252ab1dc0e925747bf71df859b51f8f6fe54618d5bbe7d47215f3fc8"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"209643a75d627a74856c701682f79f467de632d129c0ea8f421cf47aeb4d25e7"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"405eae7497096c4e8ce7183b84772f5d84ba61fbd4dc458d39b5a3004074467f"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"731fbe9c1b1d6e5f659ed384709c3ef5f9312b6699323376122cbc157c1f7db8"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"6e43c5285b97ba878ac4f9498773a794e4f2062b47e724ca1c4738b3c5fc31fd"}]},{"mode":1,"kem_id":33,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"957f3ba30546a4ff80edb1adcdc91e09fe9af4bf2c83bef03ba46d5d9da9ac731efb241ad4452b793db4097fc2598fd9cb7344cf42e80c79","ikmE":"8d3018fde33f31a1a590ed8bc47b6912fef3b340fad09d705dbbb7513691ed6fef64daaed8c6079fb2513605a2effa79e189c32c2a03391d","skRm":"5b55a50393a1dbe57d86e5957ea704437e3b05bf
82c045b0f74463d58aa57c10b0b565ecb89ecd675f52fc379ffb852d4d08a629734a5f40","skEm":"edc21654e2b8c72b8b616c9d4898969f6386c483f74030673fe060a8f64f0a0f9e50a2cf20548bb67b2f2c43631b9fb761ce09df60c921c8","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"82df00bc29a4893401a919afc484825afc1447c1976a73d93a413889579c4f67a0bf58f82210e0a5ec2c0d626c135aa0ad1649eab80aa32e","pkEm":"4dacc1fa48f9aafc10c0bf62072fe04f04e090cf9fc52424002e75cfce8d8bf1d448fe06d2cf9dd37b68407fb64bf935aa5efc365a793ca2","enc":"4dacc1fa48f9aafc10c0bf62072fe04f04e090cf9fc52424002e75cfce8d8bf1d448fe06d2cf9dd37b68407fb64bf935aa5efc365a793ca2","shared_secret":"e579e454cb9390858fcc0cf51f139ae3bf95c3f6f2eec7c1c2e3323565994a398c35955de86453989ec68b5d6a87beb632cb45ef5295c38a692615b8cb29ba5f","key_schedule_context":"01bc1881e2b28af20f75dc480bd2297da96e87cfa2b4f1f0d27a38ebf28771463f43150e911faa2b9a12aa3cf9f19149cfb05b0c932ca3ffe53d83b26444718e6842ea85d8988da1292e30fe117d85d73e319ed4ec05f7fbd0602c1d5f043c8d004d6e0ae0226f1a5354ddda9be71c8626ef1208597d2593261c17ab7fa512f90f","secret":"1ae7fae04a8c2d9b57e7cf7d7b0ae44be20e485a3b9ad90abf36d89410357b3a8dd7635460ed5c1882df531ab517f7f6e934bc16f2780cd56dbfac23951059de","key":"e784eec48f8059dc1cc74a85486c7aa129564ddbd759515a82412e084f401f04","base_nonce":"910f3e565f0400f62fadaab2","exporter_secret":"b641a30c2e98bea0a9f7e0be4583ca57525d5bea58e47afdab39a658806c7c567cc22a96e5870eed7153cc1c6a4cbcb7ac1792f833651091ce6533c02d5b2ebb","encryptions":[{"aad":"436f756e742d30","ciphertext":"44c4c974b62b8c614aba53d1c75945dc43402c398ce338070b143e7fe5ded671b05d66198b6e9e09ac6072b27d","nonce":"910f3e565f0400f62fadaab2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"030f29c72c9e7baa400caa6f10f1e41073b047c00783f84d39770967210bdde2362a1e5682b41f544ed2ee7328","nonce":"910f3e565f0400f62fadaab3","plaintext":"4265617574792069732074727574682c2074727574682
0626561757479"},{"aad":"436f756e742d32","ciphertext":"f85b729f6b4bc319ef249bf40069206aee05c415ca7908b09cfc93f927c33fb6d847a22ed093bcb118b3e51927","nonce":"910f3e565f0400f62fadaab0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"d6a880f86b6c129865ca5545009b8d6e54f7b9fa347d438a114894789994886a26c45973b738c86785cf054fff","nonce":"910f3e565f0400f62fadaab1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"c3f6cc55f600820f75ceadb87026ae0263f16c4a7156a56918dcb060ffaf8508a1b8bf66949a458897e3f66cae","nonce":"910f3e565f0400f62fadaab6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"87547e2ff8392ed9a79ae7baaa6728b8b376aac90dbd1b4e6e1cd7c5edc33662af894de03b0558693ab91a5558","nonce":"910f3e565f0400f62fadaab7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"3ab2f0b33423974f4a9cd5442de19a60bf911abb4249384244a175194cd8bc484391c5fea9ebfc4cefc4156641","nonce":"910f3e565f0400f62fadaab4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"5259b4838adbb4447b243bd876e7de9f346b8306767671855252b08ed95b11dcef9d59d87f2038a2fe44bcc075","nonce":"910f3e565f0400f62fadaab5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"3a5a3178e1b6822415228bfc0ebb71bf2ef9424c0cd6f7bf06b28e77e4956421a914146ea3fa75b117d1b5d240","nonce":"910f3e565f0400f62fadaaba","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"977c24ff99985f507b62eb15301ef82587c1352831b8df78c5b36d27aa42e6ed901af5ddf3256e1214dc74296e","nonce":"910f3e565f0400f62fadaabb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exp
ortValue":"5e3e649194198505fdfa863b55c6d0e3d39d7539a5283fd129d62ae244774b7b"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"ee7f9cde0b2a29468112ca0127958a038f9ed2b5a6cc3d64e678b224ce216010"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"d3aa4e9ef4d5a85214f993f2df50b430b8ff80abc0fbb328442dcb93173d0f2d"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"3e34a02e5bec0a0626224b4a85afd2d7cfa068df93a045d18277177c27693e9d"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"0c97d9bd204a8e770fab190dedf332c5d17aaaa2438a543adcd1bb7fd96a6588"}]},{"mode":0,"kem_id":16,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"a151c8fb89b14aa01179e4d20d9be219f89f7c9cf9f7e6729469fcd2bb42a160","ikmE":"c2d6e0563b462428dcd11ae2751b7f393f8ae77441368ec3f77d4af7ccf2eaf6","skRm":"5926b1761e4aa5cb9e7f5012ae512b073d46e2623d13ad8c6a9e4db5c23ae968","skEm":"03b6a42d680d0b01b991fc9d72e2de3b17617dc2c5bcce6a4fd11b614bc15314","pkRm":"041d7e55dbf88682883af691a159f08dcb989e70526d9c40ee8a2bd52765239dedc00fa26daaaaad437fde9c09389fe1e167003bcabffe4dab1f3c0362f116395e","pkEm":"04d87d3fd7736f9d298b28558884b35f10b191ecb97518d1d8d76e64769df3fa89c7e7f84de9c716644da1941dc2cfb2d21e3afd0bc689a7399b640d2826be1daf","enc":"04d87d3fd7736f9d298b28558884b35f10b191ecb97518d1d8d76e64769df3fa89c7e7f84de9c716644da1941dc2cfb2d21e3afd0bc689a7399b640d2826be1daf","shared_secret":"3bd9ae52eb641c3894ba2a5d8ea91c7d77ca9c40d849346718f04a89e2c1ad8c","key_schedule_context":"007a447b53a1bab6377f6d0fcd13c880e84b7b6f8c9d48909c2681378f2dae2f735fb35e69f4b2ad8cb96fdecc61f90a4e3168e52786bc426eada7863da4b00f23","secret":"2f88adf5b016af0daab5ac6d3a76f3b5589f24b21a360b35ec70929c236b28c5","key":"0fd52ee3a0e69f07b5e06d3d66809636","base_nonce":"e600e78a5a3d65233af584ae","exporter_secret":"346bf9ca82872f60b26dcb84bc1ddf0afcb2a2e5518b6ae217b8bd35c0c058ac","encryptions":[{"aad":"436f756e742d30","ciphertext":"54ac300163108d866abcec78
cc545cd846400f256b60a6d9ee88258139e7a0fde07e49c57dcca90b51fa1455f9","nonce":"e600e78a5a3d65233af584ae","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"895d73700939883a2fe14ce58b32cee713b901d1b25d397a8e9245db5203e40815c23857bb688a49b5d99921f1","nonce":"e600e78a5a3d65233af584af","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"2fecd64d0622720f03c48853a1551d34a0a8197d47f7f88567d5eb87a012e7112048fbf3e5d44e2c8651f25355","nonce":"e600e78a5a3d65233af584ac","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"5282992b3018b6ffdecc7979318d20ea3d627b2dea0ff8a8f60a000daf90ca1bc29260e8f7ec81f5d011e06841","nonce":"e600e78a5a3d65233af584ad","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"cd76caa31481270121cfac7e342189e2d709f6669db789712a20b74c9b77bfcb17b3cc1b431682d3f567ed3ba5","nonce":"e600e78a5a3d65233af584aa","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"18213d374e48dabb35de04aa99e0071d33f0a3684017828fa9bb93107247b7d3f7247f0a2ed5c4e174721bc818","nonce":"e600e78a5a3d65233af584ab","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"b116477bc586c4e5815bb909b08b4a432389997e4a9c929c452abba5f89b4507ff716c8704c05c8449acf2c521","nonce":"e600e78a5a3d65233af584a8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"835300bed347f00bd35c7064cfd790d58df7feef1e36ecede9840b346f05e55e4f07c5ad00db391b7e8c0389bd","nonce":"e600e78a5a3d65233af584a9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"06d598077bf3ec423932956bec2c9d85919b0fa2dc6a6e68e6b302fc69078e7b3971ae1f24ec646f091eda2cff","nonce":"e600e78a5a3
d65233af584a6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"49947fc10faafa3fd94052b98a27564b20405135251cd1eaa7b05fd77a49939a4b0c1810f39b9050098a888c5b","nonce":"e600e78a5a3d65233af584a7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"ef25dc1d7563f992477ece9a62e97d02a494fe81deeeba97898f955933d717a3"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"1599b2926e47d24bdbd09fda1265840a78f8c9aba8e986b1870886d621aacebd"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"b192ab3e71ae0f07d203d636cf247826774950628d2524314c20fdf41d6be578"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"5165d8f4f5ca38d94560d0c3c707d1452c44756d430c5a3c6437378adfdb0d98"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"e97f2c23e641229342ff99412c24070bd287944ab7c156d3f4047375cd70dfbe"}]},{"mode":1,"kem_id":16,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"5a26a3f833ff310e40490b64f2d1242507c68942b5a0aa8b54ef0c4d808d76c2","ikmE":"cd65a61c16c60521ec1faac25892833902630c52579607f96c1730d78eee76f9","skRm":"06d40be89301804c4dc5c4c18cb7a324f1ac274fa00ae9c8f0b775a13d3b053e","skEm":"da5cec76fc687ec7f94b36d2957076138b8adca8de909fa210c46eaebd8a210f","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"04d88eb8708ca3f3057ccea791c7ac8b8d3015b70feec5c0464916302dd082cd2bf03986744df0e738580ccefa70c4d433dcc9f58f355903106d5bd1ed37f9deda","pkEm":"0410fee0b5c84d5d4943544aebf9191e3ac37eb2f16242c761c58fae576b031ca99ef34a09ee1a07c6b633ad8bd6f8938990d5c7e3597eb46714e662283afe075e","enc":"0410fee0b5c84d5d4943544aebf9191e3ac37eb2f16242c761c58fae576b031ca99ef34a09ee1a07c6b633ad8bd6f8938990d5c7e3597eb46714e662283afe075e","shared_secret":"75e2e2d97227
966f3b9a9977ce74853c0d958e8be79f22d8ba5ad2f6b17bb5eb","key_schedule_context":"01fb64c721c330b25c0f399265499887256e6888b3316ace66dd64c5d6b22282cc5fb35e69f4b2ad8cb96fdecc61f90a4e3168e52786bc426eada7863da4b00f23","secret":"9107ba91b2cfd2b39110f38b9c2779c7ee9d07c96c4da353b3b8500a02999760","key":"17d7cc27e2816f772822a0da2f88f24a","base_nonce":"7a6fec5b0216b199cc5e694d","exporter_secret":"fd3272ad3dbf90b6b493389d0c050668383cfff5146ca940d489e5c9992e017a","encryptions":[{"aad":"436f756e742d30","ciphertext":"930d40263062ed4abc460cf40ee06166af6468243ba5e83c20d22982698738700ce786697770bfb1d3d164212e","nonce":"7a6fec5b0216b199cc5e694d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"78403c3ce76342c2fb60181aed1dbd82b7b6437702a9a921a879f250d6e1a1711c167a2d25bbdd80c101c39cc4","nonce":"7a6fec5b0216b199cc5e694c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"5f1a99e78c7be58baa08f25ef9717bf6c6040c931b6493ca86375583e98bb4b1ba3f2afa7681e27703ccca2db0","nonce":"7a6fec5b0216b199cc5e694f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"47e48aca0e9c22a18a7b0573a5df8cf36b2c11da5656a53f7b0f3ef9302ec36a8096cd6db37495b31bb349bd35","nonce":"7a6fec5b0216b199cc5e694e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"636a38d3469a01677d10fe3a90b3e7a1f7ac17d8133a76b8eee04d9c9f21d9d25f262bc1babf177fd69370698c","nonce":"7a6fec5b0216b199cc5e6949","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"6e24c5d554d9a19d7318d815c7db5c17ee91065e7780efdb9bb86877b290f2fdbb3d0edf15e6da3db0ca519f97","nonce":"7a6fec5b0216b199cc5e6948","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"8cc2e6749df700783804ee98590871bb2ae7e945e5654de5bc28ed3a77564
5e9041d3c9243d21a789a5b514a08","nonce":"7a6fec5b0216b199cc5e694b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"d3e89e5fb850410f508c75a10cf4b9421e8e4e50af49393520a6e8e70e5f0ec62ce14630305c82884b763335d2","nonce":"7a6fec5b0216b199cc5e694a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"4aa240fb689c9c945963d0a1866162da00fd4626ac50140a70e126ac9df889586598fae6115250aa570c0d6fb5","nonce":"7a6fec5b0216b199cc5e6945","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"cee03077cee8171bba1a01030300daa48d790ead67b0b1fc1d80ced718ebb8ba0980acefed16e906a8db0fb8a1","nonce":"7a6fec5b0216b199cc5e6944","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"9deb1ae32fae330e73ebeb7f1eaf6b59f0c1f645864773c8aa5c7434710de40b"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"8fefa7c36e587d23cf3b62696029d1ee3d23ed0c2316119e14bfd56537f9482d"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"5e1f48ba0b99a737e3610b7298682f3b1d4c3fe88a98469e71a72e055affa4ef"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"c8f68380e2f8b3ee8ca0ab00e674578455ba9c8049920f492d88b6c0d75fdfce"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"56e3aefe156247cec3e1056af0af9d1333feb641dc468d5b377c3da36ad75f1d"}]},{"mode":2,"kem_id":16,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"f086d33367a3a84e19952884921ee2b85991930914966d361f32f351fb4ff89b","ikmS":"0c0b18a897a19fce357f1252a234f4f0e2848c47b6ce63526ba19e1c72f27123","ikmE":"44b411d436ec2da7df2cccfdd5dfc40da2a0ca4484909c72447b3db041f6a584","skRm":"45e4e30c491c19adc0291c0bdc20b7116db4bd9278d0abc8527fd002abbf90e0","skSm":"6842a489949b3f5485cfad58b499bfef0bb6a04c
82d5fd35686188f413940a6a","skEm":"88b4539b0c0bf5a9c8cdd9739dd8aa048f86a442bf4c78ab50abc70d167b246d","pkRm":"043623ba5cf1dde3c981465c42a67315d50581ff717e2f96b7417193112ab1bddec7c190ff419e681994882014a24ad9fb667b3c05b6def61914232d49cedfa28e","pkSm":"047a1e82380c43f8d25b20730c260d69f43382cbe18a4900175082c6d0e8e5c69d65df338bb9b559cd763261b32f9b19d567b6a4b39467b8cdc418029a5c3bc528","pkEm":"040751ebaaa346f6054bc7d5c860d0f0a7a2a99a2acd895931eae283925f47c52cac6db4564ba5ff4cf90a01677a6b58858996320972daf5765b034b79a99cce63","enc":"040751ebaaa346f6054bc7d5c860d0f0a7a2a99a2acd895931eae283925f47c52cac6db4564ba5ff4cf90a01677a6b58858996320972daf5765b034b79a99cce63","shared_secret":"411b95dfad87b35f351b6c46e3648f11dae8ed2acdaff312cdcf815c5bab4506","key_schedule_context":"027a447b53a1bab6377f6d0fcd13c880e84b7b6f8c9d48909c2681378f2dae2f735fb35e69f4b2ad8cb96fdecc61f90a4e3168e52786bc426eada7863da4b00f23","secret":"834360c190568f718a227fb5db150d00e7d6bf5ce3913bd54bd09996b1390c86","key":"d6b5186f6926e1b023c937bce90c987c","base_nonce":"600420b21fdc71f0e8950aca","exporter_secret":"6de6f35fb6c1bd21f29399c95806393dfd4ea1cec6221d96b6d9df46b63b17bf","encryptions":[{"aad":"436f756e742d30","ciphertext":"a2af5511a54771d4e52754989ae3401f8a11d858fafaf1114934537297a443ab4cb8d56f94bb63a137fadaf364","nonce":"600420b21fdc71f0e8950aca","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"c20f6915e20c5bd52d90517adfb32e3b16a3bf616565d1d06b5c2f71cf120e517c54549ff6380e1a75a492e1a1","nonce":"600420b21fdc71f0e8950acb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"60c2f24bbb1c8567786b1bf7e14a3a63d1a7573be9a0b28d851ed3410aebb1d727fd510436af9d3e10345209ac","nonce":"600420b21fdc71f0e8950ac8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"ed87318c16a8be4e3e64da5f463d0adfce44dd89829122f4aafbb410494ce021f5c6e2281e3debfc7cb7dfbf58
","nonce":"600420b21fdc71f0e8950ac9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"b90366af226a67798236afa0ca8d7e01aa7d640a7573e36ded80640b219740883b281d230bca18e65418d31cdc","nonce":"600420b21fdc71f0e8950ace","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"17f8a42788fae8c68401d038081ae8fa07c35e848c3f9ae1f08b571c5a0946928d686091f285896273556f7844","nonce":"600420b21fdc71f0e8950acf","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"4064506c5e9b8aeffef28cbb7c935206e421828cd5ade51a13bc4f9d4f733d84d1f3228d64a376cdc52da3e034","nonce":"600420b21fdc71f0e8950acc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"db8daea6febeea353e904492430a1cdb0d94b6a83e55f00c1c3333028feb6f77369cf017d5cbeacfd897772ac9","nonce":"600420b21fdc71f0e8950acd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"1026998e59a3359299856c1fb485836d2a72e0483c35ee1ddf1ab4b2f6ed82443def8504c7ac06d6fb283443e5","nonce":"600420b21fdc71f0e8950ac2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"1b1c666fdcee22b71520743bc5c5ddcae922dd6decf572d69d76cf0cc39d4368f483c3d30735372585b4e2b36c","nonce":"600420b21fdc71f0e8950ac3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"eb35b04efd61532c3d39dbfda6e7e902df7973096d90713e205eecf6caef27bb"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"700268665ce394ebfb4889cb84a1d90ab0f563ce41871d00008678642b9a88b2"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"516490b386ed0a9ac61973a0bf6917d1412f2ab7af38b06086fe1caac29f91fb"},{"exportContext":"436f6e74657
8742d33","exportLength":32,"exportValue":"75cd0694fba11d3f1fac2d5782158c6fbfc13ab6a7349ed49409a7039136dcdd"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"81ddbb727dbb9e56b3e22f7111e1bba6d3944dcdea83b9638178a1f6516a1fad"}]},{"mode":3,"kem_id":16,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"20bc00029306aa0ff54261a5ac95f6f934cfb66af4384f1480629ddd3089b2d2","ikmS":"3195324916db982280f8e4468ef34edefd4ccd2711de4f1d0918b07c43d9b54b","ikmE":"f1e31c5719d46d17731602fa275ee344b49cee3a69054cba82a43d14d678cabf","skRm":"1e28e6529111ef36e509ed68520cb82d48a81185f2a581757844c491d66dcd54","skSm":"ea73b7a891d98dbe8710872d2a1c66dcf553d82ed738c7f85311adc1a135d032","skEm":"93f489267fc41fd1b98841d86582579f8005430ec4e3ceafd5d7c066ba1f35ba","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"04c8af786979740ab7e4a6e6ae9ceee612d63c2f9f872d48be6cb171f00d5c3aeaa237dfd4196e66d2618d63a39c2db4df0645d1fddb885226edc00b1b958b8ea9","pkSm":"04c2db335b313786cf07937406724bf9b2768f10ea9caacac01b4c6816da70b113b9666644297f859f82df7f05529faae26df3e6d594ac6560e9a76683b92335ff","pkEm":"048dc12b41a63591598030d930e8c261ddd4ccc60e6953064715262e445273a6335d7b485f05e749cdcf619b591a2fbaf4932cbd914291e3ee98a82d2b343155d7","enc":"048dc12b41a63591598030d930e8c261ddd4ccc60e6953064715262e445273a6335d7b485f05e749cdcf619b591a2fbaf4932cbd914291e3ee98a82d2b343155d7","shared_secret":"e1f0f22785552b81da2135dd4ec7b42f866c100e0aebfa3052ab2eeaf1553624","key_schedule_context":"03fb64c721c330b25c0f399265499887256e6888b3316ace66dd64c5d6b22282cc5fb35e69f4b2ad8cb96fdecc61f90a4e3168e52786bc426eada7863da4b00f23","secret":"be906fa96afe7a86bac7b4a118fd81df67e1f92ec957be42c9d202595d460124","key":"3ddf39ecb897dea14a0cf577546b500a","base_nonce":"0bdfe200cd8f9ec9ad72a2f9","exporter_secret":"f19f5a1f6414b3e80a532d0b471efbe7c1a9288cc6c4732fd4440cd6460179b6","encryptions":[{"aad":"436f756e742d30","cip
hertext":"f621e10430dd371729307bc7dfe7192444aaa355d9c013a37af44c364b86200811cb869c46a30ef99c1def1ac0","nonce":"0bdfe200cd8f9ec9ad72a2f9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"34cf7820a526a64f3965bafd145a1d5acd8b7b004a2de4392bc46821a31325377f0df53ff332828186ae8f1181","nonce":"0bdfe200cd8f9ec9ad72a2f8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"187733575ef97c4d6898311b523350360c18668cbf04d9fd5ea41b11e5809c5ad95f04badf87b2f24e29b546c8","nonce":"0bdfe200cd8f9ec9ad72a2fb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"109ea58eea81a7d40b294014f5366ae39391f89ecab700eaa69e71e9db9e58570fca008034438fb8936e073286","nonce":"0bdfe200cd8f9ec9ad72a2fa","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"e8cdba03c6e016f615558c1dc5494cd5ef259a015336e566e1713293c6760d741d4489b73df460caac65e78dcb","nonce":"0bdfe200cd8f9ec9ad72a2fd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"6849afc302ebedeeb6203991abdf34c9d7efac24dbaa98d702917160a232ede016b29f415606c989214039296a","nonce":"0bdfe200cd8f9ec9ad72a2fc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"8209e5146237dad0a7928a5a9eb7a526c339476729cc8c535b44da599a9930e8a834a3cc9907d09bef7d341771","nonce":"0bdfe200cd8f9ec9ad72a2ff","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"d582b44f0b4d4d3a4d8a9754b34ae13a3e5fb65ca0d833f4f770e27c88f76940da90750bf51e3d01767efcc919","nonce":"0bdfe200cd8f9ec9ad72a2fe","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"a36fb85a418521399c121611adbf47f91240698782ec9000e7eb7edf6ec773499efa71aa5a686c
20501049d9d6","nonce":"0bdfe200cd8f9ec9ad72a2f1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"91b48532882dd14fed5be7882483de844d3e9378da247a2f9ebd579f4c196050bc493322583f9f4563e18af5b1","nonce":"0bdfe200cd8f9ec9ad72a2f0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"17f93643e12c9faf2a367286201332aeb6467e51f4f8fc399d5292a5468ce172"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"53a5ab3ea351998efa2132d4fd223e289033ecde6a7f07738e615806becc3ed7"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"f6482ebe2a5172e35cac232a763d3ec2bb6518a2e9f87e5d0e5904ae71e3226e"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"bf13b88444e1a72e56c7de4d30e7cf56cb4e5234e6f0da388b7c91875a6d2407"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"402bd19cc17427e60de8ae7be78197c43ac7e0d18862d7db2e93ca1eacc0d143"}]},{"mode":0,"kem_id":16,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"231212d9008db283c917561bcc00f41639f8e6ab6b2937bbba15e92bd1c804db","ikmE":"17cbaa6dab71e291bc06cfbf2d9ea81c601ee6d00b11fd761ace39e3c86470ee","skRm":"1bf3995c882c4adfb554d5cfe8f22004f88cbf3547d132aa99893ecd0db33dd4","skEm":"2c3b939afeebd688c6334ec7d3554b354573190042f2bf5920bd75cb09cc48ce","pkRm":"049dd2541d909b3162cdeb60e12c730a858744dc3b528520abc51722802351d0f46f25630fc3dac162cc12fe20094b5316d149c5bdfa4371fce8f5408ddee51d0d","pkEm":"04ad2adb0b4ddb449e41be00e50e374a17f1c2c2f23721555f321c51d76ef062e2f6efd1bf98c124c84c962a025ca019095fdf773055ddd57afdb3caa2af5d5954","enc":"04ad2adb0b4ddb449e41be00e50e374a17f1c2c2f23721555f321c51d76ef062e2f6efd1bf98c124c84c962a025ca019095fdf773055ddd57afdb3caa2af5d5954","shared_secret":"25719db324bbd99ac4e9c5bc77fafc636df3e34ea48a122275d34dd96e4db68a","key_schedule_context":"006fd829cfd57fc35
7ee6fc0f05acf5783334ac56816c087a1c6fec40420d4ccdc668b736f5cb8ced2f59b0647e1a5d28baa0dfa3f67e249b2febf30eb7a4c1693","secret":"579474d5704414bd5be335892fdf02f76d51bc4d65eb1ecac57c5ee0aac64985","key":"d212aca803e56db6e3314bd6a94ee9e4fd5a08c2ce1ef3543a1559dae4113b23","base_nonce":"5b9f28f5b18b7fb4bdd47554","exporter_secret":"933818c1e20a7b5387bda85f53cda9e70f608a7cfb271cc76eaa62785c77d22e","encryptions":[{"aad":"436f756e742d30","ciphertext":"7ec18ce173d3be3b9d4c80b75678f05aa3c2a1f151ce7690a7fadf2fa238c9d4c165e8a2007fa8aced0da854dd","nonce":"5b9f28f5b18b7fb4bdd47554","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"472bfaa04fea8caacb9cd6e851b4fd963eb9b4b332e816545c811441876bec930ede296384265e3334b90ab227","nonce":"5b9f28f5b18b7fb4bdd47555","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"03c3bb85c2afe6cfdf178195b55c2a9adc2032ea54dc0e94ad4ca9a764a7d98f72ea8c77446dfe62623798475a","nonce":"5b9f28f5b18b7fb4bdd47556","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"118341dc148f0b60f62e50d3b0c36998da4629dc1ba4fb95e859b368c5f47ee24cde33d84a12dd61cdbab44fce","nonce":"5b9f28f5b18b7fb4bdd47557","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"20af65af81219d4510532b4b29273ecd0e59deea1bf978e149a699759b105720249c8ffd760a1531c3ef656103","nonce":"5b9f28f5b18b7fb4bdd47550","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"6ce20215d35261a05f94fd746b99a673aac9389ac3329439807ae12e9f61c24309ebaee0431ce696b60652f878","nonce":"5b9f28f5b18b7fb4bdd47551","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"46f9c211a0938b5101a295df7f201eb434d9995d61d715c98068a7acdd75779f94d222e790d18e6089aaa178ff","nonce":"5b9f28f5b18b7fb4bdd4755
2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"26d9dde3ed7a374407e68f4c0caf030ddfdc118ab4ccb9ca5e4b2e0e103870af53d7ebc9018fde85177d202bc2","nonce":"5b9f28f5b18b7fb4bdd47553","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"3f3506153ca1fe90923952280929763e6f753e43a491486d558c18202cc5c6d215bb62f44e9a4d0f730656d901","nonce":"5b9f28f5b18b7fb4bdd4755c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"0a94e5c8f309137bcd1fa672a77935914d14e83e61415b976ac50c6ee2cddad032b15752c2742424334a2878b5","nonce":"5b9f28f5b18b7fb4bdd4755d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"87d0f71a6dc7f3fe2b9322424bc035d8a850ac69af904feba346b2b37ff587ca"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"a09459c971bec8dfcfc07e4a411503afcf202f22eb54b04aee25c5eb6dfb22e3"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"67cc9997441dc063dcc84c634a59b282105e7e49d55c1f7867679cfea9416271"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"2cc82d13843c65dceecd5d0662328c4e0ceb1d9b0fadafd491a32479cec29892"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"8bfbb42ba66bb4271c694510bd4f3e1aae9a8a90938d55714f72ef8734e9ebdc"}]},{"mode":1,"kem_id":16,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"38095eb6e4dd9a291c338b72a3d05b096c5297f710680bdb4196be29119c6368","ikmE":"63d520e053586268e532bc263f658c88340f01f5198c93819d93da12419ace0a","skRm":"e069110a95c2dd72365da285a065e1ce015c2dec917f50e8bc399b327214a639","skEm":"6aec11690cf0e7cee1ac14479d1e360319b180e1e364486f0f9d348110eff3a2","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172
616e204d6f726961","pkRm":"046574331d1692f2b076b107e13d492e01b5c81a55df051989311c184e73a0d81fb621494c356a9ac5f3a09db49885cc0633a06873c0ce0067e2e0207d7840dd63","pkEm":"046e08567341b79d90356d7ff0b1ab269fc8f4a53f83240486496a4232945ea3da8922bb3afb6f54ad3adad95e74409132c06b5b17f6f09864aed0e53f0d18aa04","enc":"046e08567341b79d90356d7ff0b1ab269fc8f4a53f83240486496a4232945ea3da8922bb3afb6f54ad3adad95e74409132c06b5b17f6f09864aed0e53f0d18aa04","shared_secret":"731d433a60ca6057059d10e90434000c043c033c513dfa46a776878318e2a439","key_schedule_context":"0152fc139b306ff32bd9ce03ab2957858f6499b7c2f3a5a77c9bb2501888d035f7668b736f5cb8ced2f59b0647e1a5d28baa0dfa3f67e249b2febf30eb7a4c1693","secret":"8aca8102955a14072feddcfc3636f622df61837537abaa216ca94435130018c7","key":"4a2060d8ed0eae2c6df89b45214746e18cb78adef99cf8f847eba53f351d53b4","base_nonce":"68e244a56300b79b963b8a5d","exporter_secret":"92fa4b51b3a896528bcd6eb389f077eaddebff4f93d323d677b21d6ee2d12825","encryptions":[{"aad":"436f756e742d30","ciphertext":"a010070dc5b776c9285935dfd394b0af3b0661d7ea4a87194ecd7291908b5d0445b8d6ee10a8ddce53b7f265e2","nonce":"68e244a56300b79b963b8a5d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"90a2577d9b30f48532702e11fe030a3f3b96127a91d3ce61de71b29a808452cf96f6c7ed393d8dec0d73c23693","nonce":"68e244a56300b79b963b8a5c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"1fa2caf069d3ea2b858683dfb88452f858de5d985a4e1dacebfe1659aa5b09bf5c715f277a1e9119a640798978","nonce":"68e244a56300b79b963b8a5f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"5ff60544d3318c9c6e84ac9bec9002f2936695525d1ba66312461a01db2b813f8b18327e9d6455d634bc2d5d8f","nonce":"68e244a56300b79b963b8a5e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"6c3e15c6354863bb6266cfa81ddc10b5c5d0067b4
004cb9fe9ef89d6d096f09a6ceac0f3970795f1727395ea98","nonce":"68e244a56300b79b963b8a59","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"0daeaa1454466f48fa740c821cfb9a37cb9c8677117ea2e725c73fbc4341f4eb899fd6957f6bbccb2b83dc02ba","nonce":"68e244a56300b79b963b8a58","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"ac66c809913f213f07a0f276d81baf282bf6df65b3a0da80510dc81e624938f122c65962d2d1ffb6cfc42b08f6","nonce":"68e244a56300b79b963b8a5b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"61453ea86ee3c0b309d670cad27c8da5c0f333c5a5ac42a651f84a715f83a56ec77108ab64608302f580c59b75","nonce":"68e244a56300b79b963b8a5a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"1968e057836501669d127aa3b651e14651052a1e64cf03bc18c7ae7dbaa19afabce4d28bee5db3abbd86dcfa03","nonce":"68e244a56300b79b963b8a55","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"3886239b62e7329ce1045c688f88293549313cc0319d0fd467db90657c351747aa1ddfe959ca8a9dd684885cf7","nonce":"68e244a56300b79b963b8a54","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"ccac9f25a7f592fd4bd945dfdd47704109f6c576ee1d17600abc84a1a0b7a3c9"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"d063695d4bff240e2b7e1035e914ec06bf56c72ec47a0758ca64ad2ba1c6d954"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"6937758cd2a734440f905ddbb18481a53dc0d430030a92f041dd866605345c92"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"3c526e5697385e504b9d9d4c209e270e5628d7e457c70c3e78578daafd5f5857"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"f0617899ca
18110212c81045ac59c8840888f65c39ebda5d0f9bf6c08ef7aea2"}]},{"mode":2,"kem_id":16,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"5bae2e3772316788613ef0750925bd7f4ff2043b9d46d00839a29fe13c11709c","ikmS":"cb5c358b6ddfb4a6356b1f5e17b88143e29c6bf30a52a6f35508dabaeb165f03","ikmE":"e8b47b59331a773f0d66606f9ba4fd710b75b2d31ce3ad81d7dba34285d03712","skRm":"6566c72395a1030fbdb9582005f038ddfe0fc91378c32d4c2cfef35a6e2b8b7c","skSm":"b860671e0691615fd2c545e0e250c8bc82d87ce5757b05436c20ab63dd172518","skEm":"03754fa72663cb001b82c71763989a9b91d07afda08e4c4f5a4e954e1a2ef02c","pkRm":"04df22131be9fe026e7e5b15a853cc1b8feef333cdb8c66d4f908414260c658b7cc40a3cf30f9f81184495ca56247625028fba4e52e1a5e221203bbf64899db197","pkSm":"04607f6fddf0fb227d6ed02aa43f15797a65ac68e3e5b8e310845d65b1d8c43282c6f06b1341c4a74ba9e1a0061d08d6888be753d6dd36a315d616c89bdb56052b","pkEm":"04208127b2ae93138b5c4d57222c7e6fcfb77b6d7e80259c1d9e9ba5b839ea4c1ff2b8d916535402ca155e074e82f75d39b4884e6ba1128a9374e12af7c7fd98a7","enc":"04208127b2ae93138b5c4d57222c7e6fcfb77b6d7e80259c1d9e9ba5b839ea4c1ff2b8d916535402ca155e074e82f75d39b4884e6ba1128a9374e12af7c7fd98a7","shared_secret":"dacac53d011bdc1c9ebf5e7e2d125f3c5515261eceff343315266ed265a6b7ea","key_schedule_context":"026fd829cfd57fc357ee6fc0f05acf5783334ac56816c087a1c6fec40420d4ccdc668b736f5cb8ced2f59b0647e1a5d28baa0dfa3f67e249b2febf30eb7a4c1693","secret":"720cf9dd8b925ba81319513e81f8d29a3cd5061a1d6032b9038a207702fd4f1c","key":"a72ac89b225de71c6cddd3f94edc8a054e67f62bd5583560b33c6be70caad857","base_nonce":"25b5418e446f8138e4dd6621","exporter_secret":"3899189de7639fea0eac832c2948920c5ac5a605b77c64dceae1dbbe7ce42b10","encryptions":[{"aad":"436f756e742d30","ciphertext":"69d3f657325caf51a02ad2c7766e92b8fe57033fcf71bddb7b8de0b6ce4bdfa029cc791f9f54f6e1321dae6728","nonce":"25b5418e446f8138e4dd6621","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"1ebd6094fcd6d5673e888c905d2482fef316b2
068d2e201f50d5e33b3afc77e2e52d7fb53701b31e50e34ae629","nonce":"25b5418e446f8138e4dd6620","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"c6d8f2f51fb8d406c109becffe4ca11ab902762f48e1f647ad56dfa0a100fe428cdba72e3e58e82910855890cc","nonce":"25b5418e446f8138e4dd6623","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"4746a33b6a429fe076b646ebc7b0e6925c9e042d0d88640032056efd1703cc7607e6a5ae9e9f1588d216ae012d","nonce":"25b5418e446f8138e4dd6622","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"1a32ca8292839c1fd27dffe6bd8de26e2caf4f6ba41e88267949d68af9e5214a84db864066b7ff4cc75618ba4d","nonce":"25b5418e446f8138e4dd6625","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"3219c61a061c0d399be236293cc1ad7112fb3657fbf50c4791297856ddb3e8d18e6abd63b6f6d1bac68a83213f","nonce":"25b5418e446f8138e4dd6624","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"8afdde4162d581f0fd01e148f8b8af68d04b0393e768b15b7343cd350aad0f78977781fefec064d051b53ac295","nonce":"25b5418e446f8138e4dd6627","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"93894c9a53bbfc9c7caae809c9163fef10c3beb2d088fc84e7b2f6e58976d13b0320e9a7111e2bf63dd6fe3abd","nonce":"25b5418e446f8138e4dd6626","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"0c818edbc2c6fbac2b8165ca7c4adfec859d9d25a00d5860029122d702bc2566db278e6790d5cb687a5bd6e92a","nonce":"25b5418e446f8138e4dd6629","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"7a1e0fbf8b0b803c5c3db8d30b1f13f62a037158357b08049e180ea41ebaa5fb36780189dd44105de4edecc374","nonce":"25b5418e446f8138e4dd6628"
,"plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"494b902d1d65e871b0c006d259283c6c675e952438bc5a272a9328c67f4ea2f7"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"5491b0a0c34e749fd731ed8d62b770bf82b96d06ae150ef5ebec814288de2f31"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"aa194ebeb26aa5aaccc2d65e73640ccddf6f869db1c5c465084317d86999fc45"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"0ef9c653e0a9550f7770dc20ee1c19f452aa16c702a1359c975c3586210580e8"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"53ea4660353b15fe2c3073b8371cec3df9425552cf0fa42a9c13fd7a966644ab"}]},{"mode":3,"kem_id":16,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"9411fb490c7582060009e78b58146929b186e9eb9938d26a0670d0e9d8c6eb40","ikmS":"100d8513f27896d1e3a594b6e7eb2ac710db4daff34d0df98004e35e77890089","ikmE":"c4b1f3b7a6e6f56954b67b0cdaeb6e0f4acb84ddf834ccc8a6b6356d27a713e2","skRm":"11bcea652badd026ef6d51ebd89f8248a1cf599206f560d86743c451f3cc48dd","skSm":"47f2c4230793b60b2e161ee7cdd20ba5b734deb7d4b56f7d6c5b6e195f14f859","skEm":"cf98ae22e5f59e41f0a17e822a8b84e946c1afd8a4204c8a36ae367af8331728","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"04c5568e3eeed5ceef5a4b2aadccc1dfadece5ec26b15afdcfa0109c5f61e856d12c69756d5fa111e67291125ca2244b9f7ea6bb7771c0f88ed992affdb9a647e3","pkSm":"042c8dca61394781fd4dfee585e660efaf891687e24adf8b8ff5f0bb806a2e197a286294a7a1d35d4e29a5ac044905d2ff6a53e2f3d85eb5069ba87bc62cd50d39","pkEm":"048faa24f6eeb3e6cc06d9edb36f1ffd8e96a2e5535693e928dae248990fe4aa27c90b584c6f2bd99ccd7d0bd7f61060daa157d8594e115a2ab68ffa46c84c7cb2","enc":"048faa24f6eeb3e6cc06d9edb36f1ffd8e96a2e5535693e928dae248990fe4aa27c90b584c6f2bd99ccd7d0bd7f61060daa157d8594e115a2ab68ffa46c84c
7cb2","shared_secret":"26aa480537259d4887063725757762f665e232113a5f3cf3c776b5f3f5ae10c9","key_schedule_context":"0352fc139b306ff32bd9ce03ab2957858f6499b7c2f3a5a77c9bb2501888d035f7668b736f5cb8ced2f59b0647e1a5d28baa0dfa3f67e249b2febf30eb7a4c1693","secret":"6843e5d732753426f68a5b39acbca4dce84e4ccfee7e707ee313a8919a2d0bd1","key":"85bedaee56b54f830bf3cf569bb1fb53157be83c5814c5887f5a52612685167a","base_nonce":"1c09e214c347f1cca2b0820e","exporter_secret":"7f61ccc833b3bb57c8fd01f81a14040613df9e442576a2f750e5e8b2eef38c22","encryptions":[{"aad":"436f756e742d30","ciphertext":"12eac1d0395c4a895ec450152abad2748d3613dc1f4f0cd2b949b1d1872ed507ee4e1e0324c019875528292d65","nonce":"1c09e214c347f1cca2b0820e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"7babda011d4fe86aecc8731aec485124a50524b99bf25bb9e68554cfc02f2beba1850b0065f4f7f4ab29607439","nonce":"1c09e214c347f1cca2b0820f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"b8814d9ab3dd08973bd592539816572e3f663c0516d7eacde066ed2779652a86d5249dbd3e7296c03553e56c9f","nonce":"1c09e214c347f1cca2b0820c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"e2c2fbfa86c3a424ac31f118e603f753ae4592f36c48c42f8c54462225da2549744f4d7bec4b9e4148342fa47c","nonce":"1c09e214c347f1cca2b0820d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"e2994bec10eeb6ab49b778e11e8bf9f775c7d69087f530900a6840bbc7fd08da85cda11c872ef6b3c0de731e80","nonce":"1c09e214c347f1cca2b0820a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"bf570cc24fa89bf4f4ebc09d49bf25a05dd34e5550ed17b0cf670efca915ad4bbbca2ac3e09ff25292d0981261","nonce":"1c09e214c347f1cca2b0820b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphert
ext":"76e518ddf61c14e5e0e84002bc52ea3f62f3c78cf4b2cea0a49f7d9a375e33280df4f01862a7b678c44c44518b","nonce":"1c09e214c347f1cca2b08208","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"7d6de7ef840584ddac3b766500d473f83acbf9ecece6d5a313f5fcd7d7ec26cf6bad4587cf5fda1c11c1584dbc","nonce":"1c09e214c347f1cca2b08209","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"eae172c62b2b2bd209dd60e3deee6c63fec3b1512dc1dbc849593763eb0f9253ff2b11ef9c6c36d0b52bee7f39","nonce":"1c09e214c347f1cca2b08206","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"e50eb310b7e6fec6e3e53d1ef871048a3ffdf9d1ee8cb01c8cefa4ed1f0459db340e3537270f79fe434fdc6a7b","nonce":"1c09e214c347f1cca2b08207","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"6e4b370fe846e04e8fbf3ca2c7f9291c4d57a954838326070d2db4b12e94ddbe"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"dcc9958f238b1ae6c1746d2bab38ff297d3c17427f2d206f4e5bc3d4f9bdeef2"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"7863f752485370a7374512e1284ad0340e7084056266761288fb3a778cc73a48"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"7e7e5bdd381f9a4bbfc0ca04383e4c1ef271e2262179fd2ea28625400ed0a0fa"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"9cec7ef97eb523232d767e6e219dae10bd7da30c8d870074ab0e64f78b5249ff"}]},{"mode":0,"kem_id":16,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"8631d12766a40a29da27db30c6212393deed11cc867fea03425b98926ae6488a","ikmE":"e0f0dab9d8048df91179e88cde564724c1c3ca8e875f37d88ba7f4d5d16f83de","skRm":"cf4a8f69812b6a39f9848667b8c2ffa83a8238e947e09e727634fa642038c64f","skEm":"8929d4cb06b78f2deb9286aac94b9000bd0213bf67a11cd
7152df92770464536","pkRm":"040c6caf5009d40017e9b7a94aaa1f202790f71a120905b32e8ae052394c8305460cb2d9869d247d68c53841b8472c4b42ca5c800117daa19642b99f0b42305cdc","pkEm":"04b77c0a26f5aa878ecc39977a9d7e9d8565a156de557d01a6fc750f8f9c145fc323de336f1a4fb81939edfde5ab4c3509ac9a3b727e3b42d10fd3246e3725e946","enc":"04b77c0a26f5aa878ecc39977a9d7e9d8565a156de557d01a6fc750f8f9c145fc323de336f1a4fb81939edfde5ab4c3509ac9a3b727e3b42d10fd3246e3725e946","shared_secret":"8e6cb80d94b213aafee0252ebc7f6ec8223e14799e44f2ec0d8c28832ad8bd98","key_schedule_context":"00712f80079bf04cb297132973d915af2772f9861f8d6324ae66125ba4ef6ab7e3136812e221b08af3c969408f8cdcda2ce9d7868aad8ef22f6cc26232c25f331f","secret":"5bc6766e4d24759da7d1fa9324e50ccb7d2ff2fd3323bcc96b45123fe0c316b8","key":"21eb85fb3e6c09e7b56b15b5359ee2ef6ca4a6c9ba9bf7332dbbb0acaa281722","base_nonce":"232ee3ab28c6a6fd73dd2d89","exporter_secret":"036e7f66e2d1ea2e60ae8a44064d9ddcc460f4b274f999aad3eb0a3e85722985","encryptions":[{"aad":"436f756e742d30","ciphertext":"b262f7b9dd1ab19b749d12a455ed386e46f2567f8fed7f8829612fd02058a4b633a5e07b36e77d6328050779a0","nonce":"232ee3ab28c6a6fd73dd2d89","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"e8ab13d29fbeaf1064bcc36f80fef4e73ff0fcd8f19549c31dee904e56801feffe8d020904d4d993920428e185","nonce":"232ee3ab28c6a6fd73dd2d88","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"d4c867df1925a90f71ed0b09c284ac1e3a5855ae67f559fd523570e1512f201ac9c395c12eca2f54a386f0293e","nonce":"232ee3ab28c6a6fd73dd2d8b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"90943dfd7d92383f9f88c1771802546ed52c7c8dfc8881631d29cb114107f6bde6607f91e4d2c9cc9c6151cb40","nonce":"232ee3ab28c6a6fd73dd2d8a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"c000060cf00378632de78e30905155bc56a88fb1
80711ffd7c1b0b995ef68b73d12579fb3da98118e4d549840d","nonce":"232ee3ab28c6a6fd73dd2d8d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"0b53d8642c8187c238ea16e174f3999aed4d9c9f1df0cefd1cf08ec9680b75f883e642c3cbe1db420a990a31fd","nonce":"232ee3ab28c6a6fd73dd2d8c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"fb768c88e2b49fd4c70ea2544c7edc337251871ccb8843e55d01972bd266f705d004b0db69f90ba455524563d1","nonce":"232ee3ab28c6a6fd73dd2d8f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"fc60206fc26802b19d4120f0b9347791d954f00c91b434822ce4ac4825b13a1cc826f14f24f599d9f32051922f","nonce":"232ee3ab28c6a6fd73dd2d8e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"3eb349208fdba7c3095f5884c56b8b6e025018908032f1121fefb1814cd8aae08d8b02b397edb3bfe1241fea29","nonce":"232ee3ab28c6a6fd73dd2d81","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"7bb16d0174a201169a785e4efc4916afdbb6483e20392727a7e38aaa24561b7bd254ba3f013873cf421b81a0e5","nonce":"232ee3ab28c6a6fd73dd2d80","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"49b69d48760878e9629118ca5436b8e8a749d6abc82dcd780c467e4d96c26f45"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"276ac513dc25012025e0c58ba8a8586a3ae09912387e76f7a5f822bfeca97401"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"bf3c63cc223b45a8b548937179434c130d9b999d626596868c3d17ede3ace546"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"9359435b32e19dd532d9c2ddd37d614aef157bfb9642d444c0c2f97acab02783"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"e96dad174
c3f6d8cadd61b38247d31675eab629e2e8f311b3892727c9e4f4cff"}]},{"mode":1,"kem_id":16,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"868fb5786edd2243377dcfa89be06156dcdf42f759140c3dac743d32a6fa1231","ikmE":"633dbcfb541f4ed3a3bae122e91ac240051e1fe1f1794c7fa122c98dd9b54622","skRm":"37eefea9f39564bf464290f5f275855ed06c3e134b4daa4d6ce541ccb46e8f93","skEm":"2b8e63d364b906a9e08fa365496d36330dc51b98e3736e1c9c0398ef7debebad","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"043a164f0032d102743c6c9728d836e9302de12dc57c8c7fc48adc4177bac6d9905cc1f98809a5877cff47890d019762ef3ecf7eb1a31a29ae70e4e2a8c2d5f769","pkEm":"04f590d541c3483e8787720fa3d0832afd3e7985a59da0ca62d26b81d25b229108f0579b48a4329b00b0f664ae25b2e159c1d68e87723819c77976e8452e659773","enc":"04f590d541c3483e8787720fa3d0832afd3e7985a59da0ca62d26b81d25b229108f0579b48a4329b00b0f664ae25b2e159c1d68e87723819c77976e8452e659773","shared_secret":"614ab0482de395f6a2da4749b741aca4c7493a69a9e6f812977477e2a85d178f","key_schedule_context":"014676a8bd153b28d8133100b9fcdb79438c549578bda55d61d9d3fbb4747aa127136812e221b08af3c969408f8cdcda2ce9d7868aad8ef22f6cc26232c25f331f","secret":"3f226427c7ee4494c1bffbd502e74f74214a845515a6476ed42c2f48508e2a77","key":"eaa348a0dcc27a94c3343055d44e00a8c05d3a80843576d4f3a46a565f8716d1","base_nonce":"a8d5ec94a90b7a17a9a051fc","exporter_secret":"9440a7c4a1648b0c28504b0b33ce9d6d8638228dcd024109eb3c46c5e6d2221f","encryptions":[{"aad":"436f756e742d30","ciphertext":"d2e8709c29d5cc33e08ca4919fe8997b9e17e317e6362c7e4ecfc63d9059b515f3d4b7707789b35843949a34f0","nonce":"a8d5ec94a90b7a17a9a051fc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"213405009ecd645d0e02bb1b409c644b07f3f2306a168c1322dd1def7cc591b3293750a3bcd045876695350267","nonce":"a8d5ec94a90b7a17a9a051fd","plaintext":"4265617574792069732074727574682c207472757468206265617574
79"},{"aad":"436f756e742d32","ciphertext":"aa8dbfc760da2c8db6137de4e51d5801fb7e96786c907161e7c251511d8847f0e2e11ef6a722a6c5fe73b7d665","nonce":"a8d5ec94a90b7a17a9a051fe","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"2ff2a68c8b2df0a6a9fc41649624881347d6e6f9239e8a1e51e5da471e905587c824f605cd0a76f66de6868ef8","nonce":"a8d5ec94a90b7a17a9a051ff","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"e01af02e5a3bffc565d07775e1c3bacd9bd4c42f7f662859b4f1141c45b1cc435ddcc919e3d9f03f4cdd218c3b","nonce":"a8d5ec94a90b7a17a9a051f8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"a01c21d340d897e2539df5729c9aa05c53ccc23a20e0a080c2b9bc71ec18d6eb15b26bfd7e4039f1ed3ddbba6c","nonce":"a8d5ec94a90b7a17a9a051f9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"ffad1e707ed9cf41231566fa1018dd347f15d9349c13bbf30b0ee3e42b1a555e0c52a1a62f8505b9bacdb1f09d","nonce":"a8d5ec94a90b7a17a9a051fa","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"0ecdcdadf9a9802ea0504a1aa8a1271cd40d02e2bdfc68a93fb4f790dd4239fd82315e066196d52d793347a895","nonce":"a8d5ec94a90b7a17a9a051fb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"d18101d9c20bdf16e87aec55cdd10836ecb7822c06c3622264a33b5128c08f4daa435f17673359c41691ebe710","nonce":"a8d5ec94a90b7a17a9a051f4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"5aa422fd49e30cb191e522ac95f5589664d741e2a70d22a93ecbf9ba5daa1c4876eecde28feb9207d73585b8d5","nonce":"a8d5ec94a90b7a17a9a051f5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"
a20650a867e40a616551b5aafd5f70fdfebc01c068651f524d658951fd132d01"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"fad6329954d943f5408f9d9d3b33800e00d8e2b534a205a42ff78ab95a9f75da"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"afba19d990db27c104b1c9045924f7a0f1553d10f67b279f9882b4abf08ad074"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"98400d581c397fa70e44959b2598f96d455a45c2a0b1fae44e2113d639cc7c16"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"f6133f2412ddf8ccab180f6dfa9f4929d05442f042ddab62fa18920cc3c97627"}]},{"mode":2,"kem_id":16,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"5fecaa4996b9b8f8149e693a4116b289ea811f723f5e3c5c4de650b6b8dd488d","ikmS":"86ced8d69c042e2f841e52377a2df41d2dabaef29bf33f13e59a110c8dd6dec0","ikmE":"9a48a5a818738852bee994eae0970dddd985baa5a22d9b70e517e2e2ea256897","skRm":"53e94fead0955df4f23894c111e032bd4827ab1e7885de707da502a5933c9d6c","skSm":"da190973722f114aeee91457e1430e195c9db04a334de208c3bfac4be52ac4ba","skEm":"47c29f10ed8486915bc9fec7b792d73acb142e4039e9cc769e1b1851a03ab7b6","pkRm":"048eddef8f522083dc7eddd8c73a5fbc0736ad80ec873b246396d19ef64fcb5fdf3909877d0d1850c1be7266ba51deb47868378382709685a68501469437433c5e","pkSm":"0442fa025ca01e60d0698427e0df08f8d7a3d3f2c166e53ddcc8d9113b3b1bc8dca9347536995af4321803c577cc309f66dc4eb081f3921b03762486d8f3bc873b","pkEm":"04dd28ee2ec063b5bdffdacd44d0a96de4afb3a48809e85df9512fb6e6562335b13396505ac40f1a5d4c68c87f9827b6b7c7846c6c4374cf39fc05c1c36a066dec","enc":"04dd28ee2ec063b5bdffdacd44d0a96de4afb3a48809e85df9512fb6e6562335b13396505ac40f1a5d4c68c87f9827b6b7c7846c6c4374cf39fc05c1c36a066dec","shared_secret":"de4b941daec4970a338f9223f1c7f2f45099c3e4bedbfab9dce55867c735247a","key_schedule_context":"02712f80079bf04cb297132973d915af2772f9861f8d6324ae66125ba4ef6ab7e3136812e221b08af3c969408f8cdcda2ce9d7868aad8ef22f6cc26232c25f331f","secret":"e017161ddfbf7d1af64ee3a64751d700
0f1d9a3d9e2429ef518f7a2849f64753","key":"a691cb9718de7143b49952ca044a706ceec63db5add26be6b9f2bcb993b0a7a0","base_nonce":"8174759a6e6a4da5e0e6f2dc","exporter_secret":"b9f391098f5ce77f0cbe38f65651a39e97d05c7fa8fe5a353a2bac127863b349","encryptions":[{"aad":"436f756e742d30","ciphertext":"70d7e3bb084c736b195264a1e468c1b623f3fc6e4ac0e7a5d2bdd999e9728bded4d2df89975f1ec33f7d5100f2","nonce":"8174759a6e6a4da5e0e6f2dc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"d4e7dc4f56f5c61cd82a8995c5145bb117bf2b3f9ea9e1016c37ea85ffcf2d120cc2d359cedea98840e7657c69","nonce":"8174759a6e6a4da5e0e6f2dd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"71d9c0c928a0eaa21c19c2e572afab6486ebc63305abba7184b63749bd3558e6103d8f40b81c98b1ab06486512","nonce":"8174759a6e6a4da5e0e6f2de","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"c8a6d00a2bc8f51ddd527cc859acc09ea2c5dc2607f9acb8666e18dad4d3d2cbf549a80d0dadb0df36f5c803e5","nonce":"8174759a6e6a4da5e0e6f2df","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"8032316e0032bff0c5fedbc1143089fdcc5ed55f45f0eba79fccfa637cfed54e33be93f788946360e6be107f0c","nonce":"8174759a6e6a4da5e0e6f2d8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"11596a98dc7bfe2bb69bad8214c1b1747582c4753b7d50052d8c6027f05e4667afb905f5cf0aef0700d499c329","nonce":"8174759a6e6a4da5e0e6f2d9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"69881f54d8a58e8c8a877ace5b3bed686455440458597e5c1cc7eb1cb7f6150d04db046dcd9a11be6fb75e6541","nonce":"8174759a6e6a4da5e0e6f2da","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"c04e3c5bf9f63098cc290be550a2054d30a84bf161
10e4e1c87f54edd3bf24f0619b3674260d470fc9ffd96a4a","nonce":"8174759a6e6a4da5e0e6f2db","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"eac49e8d35443f897e85a28c6f1a3e9ffb54d385ae835ecaf89adc400e67e05611734238338deb9e6f98736869","nonce":"8174759a6e6a4da5e0e6f2d4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"251378d8f37771be9141fa9eefc1ea469e62ec77ced666f7be424e228320b532011fc28eb2192fc3bbff774afe","nonce":"8174759a6e6a4da5e0e6f2d5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"eddd9c3593183bf3ae39ed95c3b908ef1f05a87f52a2d5a7e99cb55a37f22dd9"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"a80ede2ebc08c82583f7b00bc2583bb3467b243f302e76d6e5f93936918e5988"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"8102b40937cff180075494b1fd3a25f2b6e9383d33048022c442beb7dbcb1870"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"e1accfda3ccadb8cb9f426bb43d34a26950fa1aa8afeb9e50c73108cd4060976"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"39421db1acf1f4ba19eecda1a6d9d88d2d846521efad7c786d6cbc686946d5c2"}]},{"mode":3,"kem_id":16,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"e0cf6dcaa0301cff4c954f13aca3a33847080bed381e10cbb925b65cbd84be45","ikmS":"9cb99b0e0728a183fb5edaa1215bc4d0a684edbb1f7a3d21596a0debcfe22bdb","ikmE":"2d3eac4d3b012f2d30306294b08d4ea42cc45805868aa740e21cde8c514b3d2b","skRm":"58708856d6d9e51986295ec0bff022d6fdef314eb1c503689da68fb6a9c618d8","skSm":"2e5bb8c1afee91b261681b3d8d25693750dd5b1ce486ff27670b4a322b1714d6","skEm":"bd04a2cef903e21d7b4c852dbc8d24652c0ed3138cf39a34d1fcfc8f612bd6ef","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6
f726961","pkRm":"049ac0a9b1cfc148b65b534a1a87cbda34dca8c77ece1bae6db491cd74c5e9c2f82a4d66730461269f7e89d12dad0da111f67544045dbbf889630c4e6a5d4b444b","pkSm":"045fd7b9d3c7447b4de9d8d23e788cb093294de2d4e70078bd1534b49a77405f62c2365dc60556c4314be5c41120c27dc0ec861babbfdce218e2e7a6d509289ae7","pkEm":"04f094d0df7d8fe624ee07483e652028c33c52a8f6ddfba514519a6601ef5dab37ed2f61700899b54440a912ae4cb96eac3257f38e25edbfb4dd2104464e22e606","enc":"04f094d0df7d8fe624ee07483e652028c33c52a8f6ddfba514519a6601ef5dab37ed2f61700899b54440a912ae4cb96eac3257f38e25edbfb4dd2104464e22e606","shared_secret":"67da48d09ef8e21f471825afed1a53496b2d0987f001b1e935dfa9b31a894eb8","key_schedule_context":"034676a8bd153b28d8133100b9fcdb79438c549578bda55d61d9d3fbb4747aa127136812e221b08af3c969408f8cdcda2ce9d7868aad8ef22f6cc26232c25f331f","secret":"d1c6d034b14137ad8505ad0e7e3c0618d98190b34fddbccb5f2d598e77facc24","key":"9d584d9c7dae753728e081ed9aec65c69fdbd151277eb7355e62359fe5b141f3","base_nonce":"d5c5e74e0a041b2a4bc325ba","exporter_secret":"459119ff2ba0e6a582dbdd4e2a0bfa6dd7889a2a33a27f42128bc867577ac2d2","encryptions":[{"aad":"436f756e742d30","ciphertext":"b738af7dfa18b2371454db62ff9a65a7b2d397df5884c5c8708a33816de21f5fee2934243d2bbc8d7341e59fb8","nonce":"d5c5e74e0a041b2a4bc325ba","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"c01e972c1f47958b76586088e61702da11ed8843471805a34bd7893ae157226b78717b54c86d51f48ab14fb046","nonce":"d5c5e74e0a041b2a4bc325bb","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"1731dd9cbf720930285194b54b96dbcfd3c6a2bf2c9985d59a274c3950a76b1503a5ffe7bbb575b7ffbc1b256f","nonce":"d5c5e74e0a041b2a4bc325b8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"782260b2e938289b272b3d4f117f8dd43c210d2692b5ce5a5a327852029111561add40ca0b838e2ba932596039","nonce":"d5c5e74e0a041b2a4bc325b9","plaintext":"426561757
4792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"186245431aebeecaeb94841a657cd6c65384407aa55c5c0b711b11cc50ea31447e27a624c0dd458240f207042a","nonce":"d5c5e74e0a041b2a4bc325be","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"7e174b47178b091ee8a41485c38dd5d710e4e7af456570c800da8ce473954ef4d1cb0724e90efac9118d82ed5f","nonce":"d5c5e74e0a041b2a4bc325bf","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"0b0deb66c85187bc7ee96081be6c2b82325c2458352d84ae07ebf00643c9af81ed60f716fb998d9f5389d1501a","nonce":"d5c5e74e0a041b2a4bc325bc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"f9d79c2989260767c6ae4f33b49ce615ee7ff93004c7acdadfa9e8b2e6d3fc0c35b85e86b786ffc4392f850643","nonce":"d5c5e74e0a041b2a4bc325bd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"0004d9fa741ef73c5644bb3333aac5253099a7e56c74d1657e660494a1fa7a4dae33c89f0f1c9b37a118e755c0","nonce":"d5c5e74e0a041b2a4bc325b2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"eb43cdc0887b405dd663de3c1b9ffa5d9f2288c3b2b4b3486cc8cc7147881303fd2aa975443d41915c8a2b3b70","nonce":"d5c5e74e0a041b2a4bc325b3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"0cbe9e73da8f2df40fcdd7b4475e103f7ce5f2ba06fbd304a9759382768df1e8"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"81f80b8dccd5456964ba0351396d796b7759798f35eb15a0a547a9232b6594ad"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"68a62fa792994bbc3a09a8827a4114909ae5331356b7b3f60d43f541d25b89e7"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"061e12edd39fdc058
fb7fcaeab82be1039cf3b0699b932f5af32921b3bafae04"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"1cded950e95048cb9749170f20b25047dc2b6492c70d6749ff4fd46fee9768b7"}]},{"mode":2,"kem_id":16,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"2515ad4e290990457d32804017fac9ea64b12530ca96bf672457f2e8e3081ef8","ikmS":"de7f6bc86cf4981dbc7fe721ab75f21fc25e5b8cc53c1aec4c26a267b0fe0c4a","ikmE":"68c8fdb5e2ab785d40d8e19d603302424b86730f95376510f5efb9e2d7beb399","skRm":"630e699798e40f44376a5338e1a55d34c56ee4bb9eadc3a3b8e8af2268aa99b0","skSm":"f7e343ab7202daaa8323c761fdd55e9aa731f5e51004eb275ea0b756ad68735a","skEm":"c4f2ba54647f1a8b4bc0595de268bcf8638fd113c8d29b0a99797c6bb9c77039","pkRm":"043b87d34584500b9dcdc9f1e14239d5afb6fcbe13d6e8cabcbe7834ea1e8343b1cddb4919a430aa2b8c7f6184198cd8e7cda8d328841f3ba20ff609c94ec73129","pkSm":"040ffacc268984341672d70322e61278f98e0fb3b58b93c28ae5b1c88a5437ea3151056246c66594763d3768afb41a407e3648b5e1e2d0d093a3f7e645722c6f78","pkEm":"043e689135086e1d50a9a1a8e98ef07fa349ed0b38dee660b3290b395dc68a82d616fe7ec88fc8b51c233fc5fbcf0183b6523bf0d3d56abb1ab7f13e42bd412cfc","enc":"043e689135086e1d50a9a1a8e98ef07fa349ed0b38dee660b3290b395dc68a82d616fe7ec88fc8b51c233fc5fbcf0183b6523bf0d3d56abb1ab7f13e42bd412cfc","shared_secret":"26168ce20aaecdf9b5b7e39952a3a1f04606fe2a4f40504447d134e6fc9927d7","key_schedule_context":"02f86054b6a97a160a8eabaf21ac0186ad4fea8e6eb33c984fefc264eb8f098c90368daa9c96dcc998d12330b913f6c4cdd54cec86cc624a9e8aaf94dd3bb351b066e461a725080580fc1de13a535af76baea621a8f452cf0e9a638f1011105114b4db515d224bada4a152dbaad88a1594e11564230c6795a333b19a32d9b5cdef","secret":"9528b9af7242a468beecae11149985a243e45e457ae7095e6359f5d11b9d23cd3d70898a58c0c3436b4ba1ba6e29eba8b4652ddf94c7fc0be62f62ac95594235","key":"013ff3c369a34c9925416108e5021832","base_nonce":"e0859b137501087175a47736","exporter_secret":"d87677a22a015fcfd6eeacfe85ea8d86f3efd9ebd6aafab7c0af1f25f85e61f73655e016c998997401678b3859aea88a350deea5b
f42fa4d7c0e08785529ec2c","encryptions":[{"aad":"436f756e742d30","ciphertext":"199730562ebcda96b952bb4c1679160f883e11b7cd22b0382e1a1900e651b463b4a20cac8172c986fa3bc8674c","nonce":"e0859b137501087175a47736","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"08a9755af097728fb169eb5a7f8d71b1bb64db116dd224fcba9dcdda8758d5a5f808fea14abd9221b7de3e42d5","nonce":"e0859b137501087175a47737","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"29dd7b9e8b2584979f41f7a49ef3cf44073332928842a472703db6907d5a7322d3789a3b152581fd4cf1fed12a","nonce":"e0859b137501087175a47734","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"03737856ed6844b1ace31054364897229ba2aac4bce62503e6fa582ed3eb932823d8f9a1ca8db24932e9aef6e1","nonce":"e0859b137501087175a47735","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"7116e095d941f0eeacda263256a84ceaf2036cb5e62d70ab51b9abac3a0248ba05db9a92b554d46b70d95eed0b","nonce":"e0859b137501087175a47732","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"c2273156f4eb1f243032e8f875b32ddd18347d06e4777065206dfca662588980575338e0a11cc75ac580492e7b","nonce":"e0859b137501087175a47733","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"d707e18f665ffa1021a348ea6b8a958fd9a352453298e948ec62114b85141d5a15becd2961c41fb121f8ecb62f","nonce":"e0859b137501087175a47730","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"9b99e36f1225c55a580539d61dc5b508417b3e3df100e1d3322c62f2514026e714259ea02d8310b310e0e52d2f","nonce":"e0859b137501087175a47731","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"476058cdce
b0c655514eec13ae72fb44873465128cfb3141a119eeab6100880eb9520594135aad25f9e3f537d8","nonce":"e0859b137501087175a4773e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"736241bd857235a9a747ca21ae1e6a21f4ce1a607aa92a510bbdb7e1a9b3fafa680365da7dee7030543564d828","nonce":"e0859b137501087175a4773f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"36447e14d4106a8a6c7030cbd4557b1a3724283a39364a486844339ec0295006"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"33cbdfa8bf8d7d5321f3524cb2974d683d84b07c9429cd907550c5cb5a87487e"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"8849bf51ec1186b8e506c237704fd44cd02ef9f9eba1a0936f3a3e85da265588"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"232f25f0115707859ee0e86053ca98c24cb27536aa959187aa942b5bf4c90812"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"ca3355e926f248e20d7e72c4a503f337a08f78896630ec2b49756d73988f7df7"}]},{"mode":3,"kem_id":16,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"7fd25ee13dabf03b1c0ddf6e3783359c41f7d6d00c4c1de11c84717fedd116f4","ikmS":"1ebce4f3797f572e3bd8ab50221cec3cee00d1dafce422868e8675180cea8b1c","ikmE":"350fb9a73792726fe33b6faa8b5886c20f20cd4ec86655a8e1e3c743296c031c","skRm":"03e6c9ce027915238a6e608438017d0d78ab4ca4ccb67e92db06a1223607b2b5","skSm":"e58743265359c750432048509d7bdbb8c7751132b8e2a06db2bb31f997274943","skEm":"7002ac94376d0b2915f2e3d68e7f9ae7ebd3ffb75a1ebbf69364c7fc37e4310c","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"046fb17b269fee0f44e1ec51ebffab2600be2acff2d1493152051d6b4bf8b13c79548447c01cc06c31c1052a186f14452dd8c34b0fe86303e6e22cac74db075d8f","pkSm":"047768a06eaa2056c0e1f6e85372f36248557ceb8f8689e997
ff55554e0b46f6858f84578fa974854ab967493b17b3ee41b81fa375983d5883f1e822da4df6f3c8","pkEm":"0405e9014a495584b8412c4a89c0e63f91a68937d2c210e30b609dc67867f156cce61f572f8811f3f62e449b17c487d7ef7c2fe8111911d3f6d933dc5c1019f00b","enc":"0405e9014a495584b8412c4a89c0e63f91a68937d2c210e30b609dc67867f156cce61f572f8811f3f62e449b17c487d7ef7c2fe8111911d3f6d933dc5c1019f00b","shared_secret":"ecac648d227aa5abe35aa5c2554b9c47c28318be36614a05b6245b65961deb66","key_schedule_context":"0375285841348a413918874e96b9703074fa763f2bee449918c13b5bb660b8d21636f88958e593fc9b64692dd669510ca2c96a893e74eef89592b98ccffe182e7466e461a725080580fc1de13a535af76baea621a8f452cf0e9a638f1011105114b4db515d224bada4a152dbaad88a1594e11564230c6795a333b19a32d9b5cdef","secret":"0bb3618d86f58982e6f64540ac181bee2bcfa846aa3c96676db5e50fda0ae4000280e6069f78286c10f1fe6968daa1d4437da60ec1e67e2a9313d6a0dc309f39","key":"4bf6942c3bee1c7d2c553fb8243540c4","base_nonce":"41d06b0d126741ea40f4d423","exporter_secret":"f3361a31dcc4630f4074d8fd22014adfb653ae14e7b93e75c63c8e5530fb0e1bbc4ff51282643704f184db1207931b05e316f14b0909d30da1525767e1c6ad10","encryptions":[{"aad":"436f756e742d30","ciphertext":"74f8ae051c78215fa7cbcb947fe4841bf83e8c8df4ecb098f1becc7a2fc13f2d3002b9425dabac4b46f71379d4","nonce":"41d06b0d126741ea40f4d423","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"e7880d6a18bf8f73fb0191caf778e7588e60e4e431fecbeb5f0caa7d499282f1307b62749f9f921d7468e071d1","nonce":"41d06b0d126741ea40f4d422","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"0102770e928d5b70ce5e5f3ddccf158047d271edf839e5c084b9a2952c9254b0d007b16cea4da47fe099ebd67c","nonce":"41d06b0d126741ea40f4d421","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"e00d1d16a6b1e0233bbca922664ef54e5599af9c68aa7d0cda4093151a8e51bba9abbec00f4fb6a731bd1d2255","nonce":"41d06b0d126741ea40f4d420","plai
ntext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"f1c0ff5f25b63f146fa845abd9e5bcad869d54bea554225f0ad1af4d2fd407bade4bd19b9c4fbd4b1707b7e66d","nonce":"41d06b0d126741ea40f4d427","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"aa7c48e69fe47f55cc7a3da374794d9845fd9503091f92ff0a6737dabf7d71be4b5b4f015a3a8580fd19da03ab","nonce":"41d06b0d126741ea40f4d426","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"d316ca8ecc659ead83acb83065bdcda2d7665bb36c6b3fffa11117d1e0bce7c4f122eab18afff966802b3a7514","nonce":"41d06b0d126741ea40f4d425","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"136e2c7256a65aeb3f1e8eaa90fdb5f2d152779c749614407c2f491868bf6db254f2ee262e11c815bd21ac1f77","nonce":"41d06b0d126741ea40f4d424","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"741d33dcf4df45f6d6419f320baabec4e90c848646d7b77190af0b4fe4c6355a072558ea10379b3b079e2f9502","nonce":"41d06b0d126741ea40f4d42b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"c9b8654ed5b5b9b6eb47b28c4aef0ca677bff06c0fc1312caf0e422f31701a8e71afbdb2cf8fc00e4bc5beb8fe","nonce":"41d06b0d126741ea40f4d42a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"bc21c68e42e2955949a1d711241099591b6170d638beb1f202e1166879fe3cbd"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"e605aff823e26a792ff7b4a48ec3e5c75d18cb7d78a146975c88e5086171421b"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"00cc001aad36f55919b023cf3b2850375cd07c4ce7a7d68c92f180f4e82d4987"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"
ae632df1e888426ad3cabc22f9457c853e42f6ad6b27528b1954ad9813662e4e"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"9777b861dad08ec129586ab77e3e338d2d2d4456d263622126216d2872be448e"}]},{"mode":0,"kem_id":16,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"4f834307d9ca149ab6e466683b785c39036d03ba9adc2b33fc81f61fdae7af37","ikmE":"48c38c94c5e795fc4831db96e0a12bdef58ae7ca15ebed51b076abbc0d7eae7f","skRm":"6bf955ba7bf5a029b99b4887914cb0fbd986ef0b7b174e81d7886dbe461a58e7","skEm":"b60190e4e06861c1f08f6bd88255343cfd3adbf0c5e95c12db4aa700b179ff04","pkRm":"04635b5736a8fb0d061eb72b56703d4e189cdedf10bcab51185df62c0d1ce10fd517c2bf65a7db78803b719c9bd40019c9ca7ba5ed85d39a25f701d824e2abf838","pkEm":"04b0dffb41cb1bbeceba2edc61685283953d769382bb57273fa6d0225563d3af270e45b1c76865bd2bf084dc3bb0ed85b6ef6e1c45b50cc4b4af8ededb2c30b832","enc":"04b0dffb41cb1bbeceba2edc61685283953d769382bb57273fa6d0225563d3af270e45b1c76865bd2bf084dc3bb0ed85b6ef6e1c45b50cc4b4af8ededb2c30b832","shared_secret":"c01f6897b67f0080522c715a8b210ca084935c7b336d78e928829859505e6c31","key_schedule_context":"00f86054b6a97a160a8eabaf21ac0186ad4fea8e6eb33c984fefc264eb8f098c90368daa9c96dcc998d12330b913f6c4cdd54cec86cc624a9e8aaf94dd3bb351b066e461a725080580fc1de13a535af76baea621a8f452cf0e9a638f1011105114b4db515d224bada4a152dbaad88a1594e11564230c6795a333b19a32d9b5cdef","secret":"4486b04a796de07c94ffdaaa3cb46850e28d09c3b002efd7e73844c7522d72592bf1cb9a9955724e5dbfa87bb01b99720d018e720fdd00675e04a9a1c735bc15","key":"4c5052eeac392a723d9c542fd1b5f13d","base_nonce":"9d044887cc13296bb133f078","exporter_secret":"95eb311c16798af18c64f4e7e303271f196ec3f2ea01e98392ff62f6dba96033c20be4b7b0e6260ca6b1f91e791eb6b716200d28f86c32cedb36aea705669226","encryptions":[{"aad":"436f756e742d30","ciphertext":"430753baba52ac0a239582f36d88201783b2320313824049ccb34b5e8025fee743a8e1ac24eedee909c1449fbe","nonce":"9d044887cc13296bb133f078","plaintext":"4265617574792069732074727574682c207472757468206265617
57479"},{"aad":"436f756e742d31","ciphertext":"ecdcf40f6085994db3dd19a05133b13b19e828b6d8fb337478cae0f3fdfce9bb33eb5f5eca06aaba2b7790e777","nonce":"9d044887cc13296bb133f079","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"7f5a0f2e756292d316de5975e6b912617565200849df6f99189549380595510203977b595f122143608aff4afe","nonce":"9d044887cc13296bb133f07a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"e2b819c48e199ac2fb03afe351913519995596de3968cd6a71b6a0b01813ca806340d8e6841adc6c6bdfc79854","nonce":"9d044887cc13296bb133f07b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"3fbbb8aefa4e86ab305fdbd0fdc84345a8d04892ce7959e85900d8b66b1df1e34ff0fcea2918e0d9e39820fc57","nonce":"9d044887cc13296bb133f07c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"479fed2f7bea30e7d18a46bd97c28462d204d41c6dc8e791befe552a87946f11d0c40b7bb5a9c0f2ac857ab192","nonce":"9d044887cc13296bb133f07d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"99ce90043f4c92d74e542174713dd911a85832f57f9d10390692b1ba031614b73c88dade8cf66f2065e7c0a557","nonce":"9d044887cc13296bb133f07e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"b119e1333bf67981313243c349a3d703dd4c3dcbfb9cb43681b0788fe50fc60c5d25785f73aeb3c107202ee212","nonce":"9d044887cc13296bb133f07f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"1557a8a2913e3717fc64f1adfc4807adb9d5f48fa7120a83c458247a4060d4f5857be7b89df8c32313d96f518c","nonce":"9d044887cc13296bb133f070","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"196d1a3050445536211b5bafa1bdfad5feb8aef7a5
e1fb04b0e5ce4bacda97f0781cf8d597213da465513ea17f","nonce":"9d044887cc13296bb133f071","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"2449a802537fada23e1b1ee7c14463633983ea5a2c57928edaefe7504d28e8f7"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"6bf6780aa62e4e77765ea1cefe6d0e1abcda810c1a5779233eacd0e8b45bde60"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"36ed2eed764e35bf367ab6b2eae3b18c1eebd203989f71677b7697542512a5e1"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"0e17a59d1a0c8a617584350090f1802e2d60e38e347bfbee7472deb1b02d7e62"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"01271a51ad67f481180d24f445a46a256ced37d10e0614ee6df5e67e55b2f8fb"}]},{"mode":1,"kem_id":16,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"231fb8a1da79f445cefc9151126c2b061c0ed85a522b4f4f51b47fa1aa3ca4e8","ikmE":"6dc74a019dc1a07ea58fff30a12a02b392cf6fb71106a1961ba9218c36ec5767","skRm":"4d86fc30a96fbb68f17e6aea34a22378ac35fc665b3dc75a3786db566081f765","skEm":"2bc9e7c4814db122269927854062b9661d31ce8a30c01d14d19c8d6573c4fa9d","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"045a5ca3b658192a2edff68f1c4bdf06d94b6ecf12c77e97cda1c25632aac2ee1814baad65bb8e74435ad8e981498e42d421da6c375dd57c26fa55f15e98ded325","pkEm":"044330878a84912a6afd8a757c80da9e2b165cda67218833a94926d0271864b9c819997bbaa3263bf59a1ae8d651fa4df132e70cbb932b78105ad1725c1dab78f7","enc":"044330878a84912a6afd8a757c80da9e2b165cda67218833a94926d0271864b9c819997bbaa3263bf59a1ae8d651fa4df132e70cbb932b78105ad1725c1dab78f7","shared_secret":"a845f078d7b2aa77b3e29b47c4f75047e4f0b5f979a0da185c706946d1af642e","key_schedule_context":"0175285841348a413918874e96b9703074fa763f2bee449918c13b5bb660b8d21636f88958e593fc9b64692dd66
9510ca2c96a893e74eef89592b98ccffe182e7466e461a725080580fc1de13a535af76baea621a8f452cf0e9a638f1011105114b4db515d224bada4a152dbaad88a1594e11564230c6795a333b19a32d9b5cdef","secret":"0539c721fe19e0ebbc682743916663db305d0e8f98238fa6e6741c2b47d5922103ec4c6df65323d19df5ea601cf298dfc395e84f6c1ea336b3359d746150b6c7","key":"8a9e8436c51f4e815f372e150faeeb3f","base_nonce":"908b18fab98797582ebe567b","exporter_secret":"0435e8f3fde8dacc10385dcf721601be7f9414c2ad96ac6062453089a6c4f3c8275a81bfc4f0c61f802c0758661eb9164cab1af459eb2f724a355eb6638b2320","encryptions":[{"aad":"436f756e742d30","ciphertext":"6b0f19cd57c4006f9bd90d03ff37297571bc54c086e918fb79ee33f37029353021e428cf1d4fd73abcb087864d","nonce":"908b18fab98797582ebe567b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"ed3e0ddaa9d38f7c9079cbb7b422d09dd5bfdfd4dd220cdbf98450f6dec680a862b0f4f1fa804d94bbfa52d751","nonce":"908b18fab98797582ebe567a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"7a9b9fa8ea75c22f6e65b3be64991be208ee849399011c93401a63af75bda268cc7c3b55f7e3b89eb5a06af0c3","nonce":"908b18fab98797582ebe5679","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"0dfa6223637868196f5ef721e50b743238b6223e8cc530b4f6cb22e496408d08cd40d3ca2ea60cd9d0f1716713","nonce":"908b18fab98797582ebe5678","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"4a8ef4033ccbeeed3fadaa9cbd0b4573338241c549434b416a3260d168a5184869d0afe4dce58d5a8bc08fdef3","nonce":"908b18fab98797582ebe567f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"05eaa85aa9bc13b459028587d52d2241009d99624bf6cd9bd8264856304f657ab20550c7b11802c71b61041123","nonce":"908b18fab98797582ebe567e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f
756e742d36","ciphertext":"bf6614921fd53d140ec7151ed638d43a8804a9af772d84bd50fdafec978601c2ae34d2962d9d6cec5ec1db5251","nonce":"908b18fab98797582ebe567d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"e17d399cd3200a7cc5192f7d2f6260407b92a735b693f66954ddac0cc8934ad70a15031d8c2eae8470f81396e5","nonce":"908b18fab98797582ebe567c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"12117297935fb0f3f7ae942411a3d7dbb2efb610b17e3897c09d77cded959bdcd636081a33b24c21ea0a2ce7f4","nonce":"908b18fab98797582ebe5673","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"42c29f1c071987921e633888f707313628e3e8423be7b0ce3a46f27b4f53ee2637b41859881000c8ad7a60041b","nonce":"908b18fab98797582ebe5672","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"c4d4dcc74602029495e921721ff8df00b77c3da771535fa636a1aded7d6821a4"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"923d03ac9a7d708632eddc0227dee88b6af735dd2900b320b16e921588ef618e"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"23f7ee9b74543bd0be45d502f682a26fa29386e3545da97104769e4059726ed6"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"3412416426be28ed4f8028edb43ed842e49ff4ce2aa677bd7ca093dd0043fd44"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"3b437e9a38fa131539f9530efb423fbadbb7b195a50e3d988aeaedda02a20d17"}]},{"mode":0,"kem_id":16,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"3236ad12cee0724eaefe4b6bfe3bb18a8160969a797b9c60d6e121857e3b313f","ikmE":"0f9383ef28f4f14c9419ce2dbc28a5819b2edc481619aba4407bad59ea0b53c0","skRm":"25ff0b5cdc7d9d5d4f304d985c1f845d543076596d1eef50e4b546d0ee4f8a87","skEm":"aa12e927ecbc23b22350e8ad94a
d620691627338b620c7887c1522dc0feffa79","pkRm":"048ff4784af67d98d93fae2bcdce9ba993293643606255e11de9711c887a408b9a443ae2bae3e22f27bcd7b77e36963de49de60f8227416b11479e5b0e8eedece0","pkEm":"049f46a182b7c6053fbd5022bef08963b0920496db7a668d26cbfb46fe9f3f8a6dea8459fdd3d332c8d776719ff4bf4c22a39c8d9f3dd5410cfba2fe77c8f85e37","enc":"049f46a182b7c6053fbd5022bef08963b0920496db7a668d26cbfb46fe9f3f8a6dea8459fdd3d332c8d776719ff4bf4c22a39c8d9f3dd5410cfba2fe77c8f85e37","shared_secret":"1f4fcf15813fd554794c2bc8b2cbdf675cc1ca3bfdbd16e9af8f7ba07c3b17e3","key_schedule_context":"00d1a27fbf42e02986d04a9d8dc149cbbc44f16a9063b10b309ae733f1971875097382ed7fdd3b177831cfe8e3524ebd8c6527fa73e769a8f16b59976b520fa0b9474bd947a7f8e62c71da669be905a183accb37118a3d70de689d1124830a224abcad8260c735c52ad1a82767db7cb4cdbd0deb6b1b2f5ba0f2032101a8224d4f","secret":"bc194e9217820b4b264ebe1de4a66a8f5b21fe4d9fbb4a7013d5866ffa2dd6c9c9b2af49c9abc794acf05b1faf925e85ebf4c9efe57a66bb436109a477226edd","key":"68a113f3843e3409e98387d3500708c92bf2b4b11c29cbd729d2761f426bbf44","base_nonce":"add4bcca9de1672299043094","exporter_secret":"4f7cd51c8109f675cbad683573e67d7ca20b6b54c6a66f7b23a124a38f7cdba06fae78f882aba0fad984bcd95fe3081bbdd1290b0361e3dd19e814969220b2f3","encryptions":[{"aad":"436f756e742d30","ciphertext":"6026a258f4bc5dd343995ba53e470bddaaded1be8f4807040bd0fc229c5335cf6e19b14c45960217a81784aa9f","nonce":"add4bcca9de1672299043094","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"e38efb6ede007d49ace01c6c479c8b524fe64558a2d8bbe8e27bad5e0e0008754bc1e74c0c89ccd98d323cbaee","nonce":"add4bcca9de1672299043095","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"080dbe74225e9830febbd8605e7651999f10cc78ccdd6e9ab4109d02d41e130b3bf2ba61250fb3dec5028db0f4","nonce":"add4bcca9de1672299043096","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"952
c40dbe7815e044741ca440d9bc2a82061f405f744548e860e287e73d12517a838158eee2e54cd62bc6bbe3a","nonce":"add4bcca9de1672299043097","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"bf79c368588c6204ba8a5ecb578747beaa03ffabe777f66b4b8cbbbf24fad39258673bbca0ddafb78903ec3036","nonce":"add4bcca9de1672299043090","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"cad4a836ed034b2670121a68e6a3cd66e55fc682e87e644c9b48232a55e3c128c385443782770ac9cf8279b0b1","nonce":"add4bcca9de1672299043091","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"f6a57fe2833ec0a36503b0484e6879a79be4e1b8b3fa4d025530c58d896aa4c8a71830efa47ad95a13ea4e5239","nonce":"add4bcca9de1672299043092","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"7459a3342ebb1cbb12dca5ec810ce7b86bf1e124a1bb05b5934dafb9d22063f88b37b603b05129d8da8e52bf3a","nonce":"add4bcca9de1672299043093","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"f8ca9f67a6c49b304125f88cd2604735ca1f620bf090f74e2521f1d3c4c8865d7d722744ac0733eb87d4c365b5","nonce":"add4bcca9de167229904309c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"70d3005bf3b3fdd8b383faeb9511cb37ae7923b5fe7b129bfca090541bcea3e94907b5ee529d5cadda73047169","nonce":"add4bcca9de167229904309d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"28114318e249a3f2f9c3e8886744d35d2e0fcab8eb75f39a817de3f0aa415aa9"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"5f968fced1a770df2b201f271c1cc1456a9dde5a71f5f79fbb39286fad0af224"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"635a642ad
e2fdd8de1120711309be9a7b60f00538c7b20cdb206e592220dc1d2"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"e30e57c6cc4835f57f39a3304ddeae1e2c0e510826dcaa4893466f6cf3066f86"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"3a8e3dc252c36da713b41a111bfdef468e166b62c3ebc27216a80bbc7a208349"}]},{"mode":1,"kem_id":16,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"4c9663397dc7f09f0b433e3970db866fef608db4a056f487952d4584277e73f7","ikmE":"04e3d2e5d114669b1c1a1bc96b0e706d60d8fe651b27754227a71a56974a690b","skRm":"4fcdbc1751b85df56d56ad2a484ab9a3df598c5c9718a243c8640da7e7289b41","skEm":"3bb0d086aeae6425bd1fa99f9e5210d3b8634a820be6d0873999961203e0f048","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"04ebae21f544ca096dd79d846c52397df52c274fb61ab416acddcb47967e9c1c0caca90bf35eba514b213fa61525b9c9c137cdb38508c4b619fab3f88130b4e34c","pkEm":"04b53b65cd527b5407c5f15a3fb38391f5dc90762f44d045060f259c959f8a89831ec23fb44680462544205e1384ebc1024e34edfb007254e91d55894be8eef9e7","enc":"04b53b65cd527b5407c5f15a3fb38391f5dc90762f44d045060f259c959f8a89831ec23fb44680462544205e1384ebc1024e34edfb007254e91d55894be8eef9e7","shared_secret":"14f92e52b113948d2dcaeeab6712a6221a5fc70bc0a015fefca7d28d127cd8cc","key_schedule_context":"01ed8a80867a28c3428e2f286d84884ade814449350298d50469ce9fee130651db1938ad615c0d87624f68dcaabb5d1db344eb6f0b88068358380771ad25a69ec0474bd947a7f8e62c71da669be905a183accb37118a3d70de689d1124830a224abcad8260c735c52ad1a82767db7cb4cdbd0deb6b1b2f5ba0f2032101a8224d4f","secret":"ba1ea4d300cc18a4d07971c882888be02a15a942412ee868872be664d58a13ed3fb6ab9d9e35d669f317cd3e9d88aec714298b3951ab4ecffefd653d698f558d","key":"7b902229abeac87d3281bbbbc367d9f21a683ed5f26ae61612454814b282e8cf","base_nonce":"5364ba2f21176eeec109de55","exporter_secret":"37f22ce0993d2b948bc92986ddefa842e9f9aa9e69da6210edda0b7eabfdf9d9c142efdbcffceaa705b7f7
fde127284ecdb83cb997116510e77527276468e35f","encryptions":[{"aad":"436f756e742d30","ciphertext":"afed7ea5b274640799dc4b497b44e4cd6051fe3f49dc551245ac164ae088c20483d1ae8bb17fa7914b26b74344","nonce":"5364ba2f21176eeec109de55","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"57f9a9e954ce8de926e09f33e1c3a5981b3abdd7e23b093f0a6b5b282af1d09512b6f4e4e8cbf97ba7d51b4efa","nonce":"5364ba2f21176eeec109de54","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"fd430fd7caf4574456ee299d270aee585ae01df263f29783a86c22ace1746b21b5847d0c128e36894f47ced4b1","nonce":"5364ba2f21176eeec109de57","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"26cd857121454706256d320eda9efca379d0d8f3b6764ba51deca530309922f2d695614a1709b47362e0220875","nonce":"5364ba2f21176eeec109de56","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"5d25b5bfa60a48ac5ed418547622979a2b3cd480a2c7d9d9aec44fb7aa99d707789a4a6b3077eb56eebe01109e","nonce":"5364ba2f21176eeec109de51","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"e795a25b3bba61d0a9c5b2dc28a7736e6c2cc212cd3ee0953c139a07aeb103dc3ebe777935da471eed1448576d","nonce":"5364ba2f21176eeec109de50","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"7424d91003d8fba027274484463eb7270fee4cce1c16c343da317ed85ea68d69d553b07ac063d14008fb35ae91","nonce":"5364ba2f21176eeec109de53","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"0e8948d673ce86e936534209155f78319311172ffdc46b61eb7b01f99a948378e2ee4ddd7b8260dfc1c8febe05","nonce":"5364ba2f21176eeec109de52","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciph
ertext":"8998227b57b19c0f7be5c91fd47025ebc78d8c96895882465a3974bbd48de85c05acc4af97910fe4a9c5a4fb9e","nonce":"5364ba2f21176eeec109de5d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"e198ab1e1899746b96b491e5c33e96a288da2a0c533522535557fbc873c30111c286699b2c59e7eaf2913ad29f","nonce":"5364ba2f21176eeec109de5c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"b3c2e659174cea940749c9d6f9cc626246b80877ad3de22b5a9be3649e5549ad"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"8b8d8716461805b2813cdd8121d9225a31e2bcf506c18760182a1c6676212871"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"0b7277352249bc9935bb4774915b42c520457cbe46ed23716609612541b85d2a"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"a8c4700c230ac054f7e0bb4048a70fd86ef43e991e8e301b7aca6252b56d37b9"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"034a6de031172ef1cb5dfc31266a30a47dc4b79504c97aedb4977c06231e24c3"}]},{"mode":2,"kem_id":16,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"1b4a51ca2eb5602dc3376d85932fe1fd39221b8b5109e886b437b62d52e56459","ikmS":"c4ad7b9b923367434ba4cc7da0cdc0d57299ee0575f0544f8db7f0306a0f5ca2","ikmE":"dfa561d432cc9b63e1156ec04557ae05fc903bf16cfdff29e73a6fdef20f1b7a","skRm":"6e259ecd17ce582da704887518527a6eb1bbd9523c60505702794e1f8ab63198","skSm":"186fff0939de39e621aeeba3ba35ac1703052487516460e7feddfa7ace4b7e67","skEm":"4e55b3022afba69ed9185abe57d76133501b8da4b5815c723b7f0e79e8b7e695","pkRm":"0476ce32e1718cca4f6299c682c5428cd8417c4e0bb96b68367d8c06db2c1f0512759068f4c4f1e0bb349b40f71401c9f81e52e19dfc46f0f238e65dd4f3a50f15","pkSm":"043496d2192a3eca05d1d3f94ec7d57557a7aaead787c02b22e9736419743bbecf6eb1c6a29160e47e5270369a15aebc6a264e6746e47cda7d74d4df8ac95d283a","pkEm":"04785b38cec7684a6143
54a076c37da76386d1dc4814b26843c2a0f0ebc57fd84ad73d8cf2ace537b37188997d3a033d6a9d1c020f27caac0655f38101d1cfe0d8","enc":"04785b38cec7684a614354a076c37da76386d1dc4814b26843c2a0f0ebc57fd84ad73d8cf2ace537b37188997d3a033d6a9d1c020f27caac0655f38101d1cfe0d8","shared_secret":"30aa3622b913786ab5c899168ab6db0fdbbbf73e17c0d4d90a3cfd05ee114f69","key_schedule_context":"02d1a27fbf42e02986d04a9d8dc149cbbc44f16a9063b10b309ae733f1971875097382ed7fdd3b177831cfe8e3524ebd8c6527fa73e769a8f16b59976b520fa0b9474bd947a7f8e62c71da669be905a183accb37118a3d70de689d1124830a224abcad8260c735c52ad1a82767db7cb4cdbd0deb6b1b2f5ba0f2032101a8224d4f","secret":"21b1562df6062b3ac1f0029bafedb838a88d0d1db17661b492537dd9e158e18bfc1a3b91f9d72f6d8abb15592c6c5eede162b03c4590ae67297520039db38037","key":"299185446b87dc11e90d84d2504372699ca068fbbbed812e0d71184e85ba8b38","base_nonce":"37946565ea90e64ea23ff708","exporter_secret":"22000e352e0f5578857a03076aa59338135109b8f066b0a961475b60c3e3409dd2846bf6e1508b2f43c3daedc0a2602d1a373defd8f2a23f5f1238a384a91555","encryptions":[{"aad":"436f756e742d30","ciphertext":"dfa0c4ce0f8929bc7bf52d94337cf0d434871e35997211c9bb68a1fc5c7cdd9ebeab3a14c851f9474882f02a32","nonce":"37946565ea90e64ea23ff708","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"c346485145f8d9d659fb237c013609f98781911ddfd04fd36887a1f1cec85ea6373454dde8f941a5c302922946","nonce":"37946565ea90e64ea23ff709","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"08db85fc07909985681e00021df31ec1e769e7db4218d1d5801a0e46aa2cb8301aa642a12bf948c2a47d78b320","nonce":"37946565ea90e64ea23ff70a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"acb84ae403305323b69401bd2185e05725f38263ca130a6f95dc2f21c3a184d080921b7aa9e8dcdce925efada5","nonce":"37946565ea90e64ea23ff70b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"4
36f756e742d34","ciphertext":"ad9143467e8f1ca40d4fe1284c3875c10c4eb462d2f35f219e9e2f817ee900b04d4ad7c6666155c31ff9a42fb4","nonce":"37946565ea90e64ea23ff70c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"e0d37ea059fb1b780eae8d1a2fc4019a12ceb5ae35d2c990f93799a1c5e2661fe5c8ee00e9a10918026ea5b784","nonce":"37946565ea90e64ea23ff70d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"abc18a2fb70bbb918b26ff37b860d7c86ab540857118893a655b0544af64c48dd274d1b8e7a3963727977cdcad","nonce":"37946565ea90e64ea23ff70e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"300480197cabe7a1826ab4e8bccff0382258d1bbd94fe7418120c861932ad8563c3a4470d8cb4002a4d2dd6823","nonce":"37946565ea90e64ea23ff70f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"47a1bd603d02c93028cfa32c0ef89876109bd95092f584447c9f8a4fe44381fba33ed5e7fed917c81ad1bde6f7","nonce":"37946565ea90e64ea23ff700","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"e0fe06b8b7bbfa5d82919ceba724d4f4d9432745ad52bbb179edb7a2c4ef97173a129c378fa4ae39debf7a8bec","nonce":"37946565ea90e64ea23ff701","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"d0cfed34cbbb191f2f4ede8fbca5c43c036fa1f67d2e83d0edbb32f493f0e9f7"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"5e01c307f1c8c12ff6e0a6591d2a1438e4cc3bec346211986bb785ec84fae922"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"f43010c2d91220d11a5dde627076843981f686672c02e03a7b98e992727f42ce"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"964c8514cbb590b9e5122753914747ac01d03c95bacbda77839771a02d45aef5"},{"exportCon
text":"436f6e746578742d34","exportLength":32,"exportValue":"a7686050d03bbe2646af28e8498f8188cd69e2b5876c5d78234713f3dba6a28f"}]},{"mode":3,"kem_id":16,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"517dcaca65c2c898f03db175dc4f78ea173a7c481ce95f2a6363748b792f73a7","ikmS":"e1b665c9821c7894092953c97d37f9cadf2311ee4b0d84700eedf100d5e5dc6f","ikmE":"c6986d806ccd701ab58580b67eb1cddecfb500b9b8956f34b22ef4200dec242b","skRm":"443e98c56da924f30aba234a6a6e0438e2519b34d22f253ff777e84855e6d7ba","skSm":"54d8f395eaed4e4acf50cde3d60042a05f2639f8284e0ea6a6c9414ba57e7241","skEm":"617cd223f6b54364a9753d8cb734ff08872a95b99d4fa837f0a7ca4950433bc7","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"04c989e7ea7de3079b0158627db31116a7bcdbd3cc71199835f0c83781b6bcb0dc3cba90ce027ef5742829e24d858ea248b6b4e30879cd76eed17c370ccdd41b1e","pkSm":"0466227dbfdd87d63003fdc6574a9563315d976126ad1fb7f80d55c24560a6e02056a14c233e7d851b47fc211554b879c07b51d7e8e19e3700e3b1cbb400f763dc","pkEm":"046362cc99c544e033a46f972c0914ac933cea81f92f51b8ab69214771edad72054f6133d6e3c4d886750dd6f3be7fc922208c5a2bdfd7f17a08839ca76be2a3d0","enc":"046362cc99c544e033a46f972c0914ac933cea81f92f51b8ab69214771edad72054f6133d6e3c4d886750dd6f3be7fc922208c5a2bdfd7f17a08839ca76be2a3d0","shared_secret":"566b9ec6803fb95399d71d885ce6d7651a30f9f60d4134407d6fe54ea81c7837","key_schedule_context":"03ed8a80867a28c3428e2f286d84884ade814449350298d50469ce9fee130651db1938ad615c0d87624f68dcaabb5d1db344eb6f0b88068358380771ad25a69ec0474bd947a7f8e62c71da669be905a183accb37118a3d70de689d1124830a224abcad8260c735c52ad1a82767db7cb4cdbd0deb6b1b2f5ba0f2032101a8224d4f","secret":"b95e0460dcfe2ac1c2578e1d6b2ca50c838c59fbc2c1767596b2e3d8e590b006e970468629e0e2f4b4a7d59175674cee8860b0ad2e70a7ab6b0d07c2e169098c","key":"858abc1ab1f268a97728ae2b3d38b9abe49133e98f8d00f59df242b05db3a258","base_nonce":"66fc15ec173d0c160e1709b6","exporter_secret":"9fb45
07da51ed8e516aead825e8b5d93f590ca2ba364a906278648adf02817e5978032b763049809351131860766a7e8619995553e2662d633a810a4f87ecb98","encryptions":[{"aad":"436f756e742d30","ciphertext":"d97a4787f00e8cd4dfe80c6db8413d08c907a5aa01e64d90b53a043cb4178f886fc43a7a3098c009ec090155c4","nonce":"66fc15ec173d0c160e1709b6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"1c11cd9bc5b4e83e5c2a7372a16783bb56172e78491b22f5aac47f3e9903ab4bf3fe63cf91e8b4f28a1f5c7fb6","nonce":"66fc15ec173d0c160e1709b7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"b7f45c3d33241d50e0a763be27ad5660e9a17f610fe3149c26595a35769899b1a289c2d2a54a8ad696421624b3","nonce":"66fc15ec173d0c160e1709b4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"ae142db4a876f6289f35b9980142f8a19f338c89896769e9bd3e95c490d2751adf291706f8a01de45e236985d3","nonce":"66fc15ec173d0c160e1709b5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"14f80995d32b3bf4f05b9962bcba6adec731b0aab7ea6c4d6dbcd5138a9ae1dea4ba744f49dc5c98fa0a2c1abb","nonce":"66fc15ec173d0c160e1709b2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"ec3d546666afd77be68f2c3dac75486c32b185e6aad3375d4033bbde31303ab487e5bd3b5301c27475873857aa","nonce":"66fc15ec173d0c160e1709b3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"3ebcebb8b52366089bbd4e55595dd7b9b2153c302ea47d29017624c46982285e78048f6b8a8307456ba1261c14","nonce":"66fc15ec173d0c160e1709b0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"6563066e93551fadad4e532d3517ee8b4842a6e5eaa6f331d7b552522147417d364ccab39aba2581e26ef15435","nonce":"66fc15ec173d0c160e1709b1","plaintext":"426561757
4792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"772e23da3588e0a70370d8b3a8c1367d64922bd8bb3f84d1d95c8e4c7c22569bd0242db0d4e1a28a0b743e7d63","nonce":"66fc15ec173d0c160e1709be","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"18712b28584e543392642298e9bf24f62612f4ff924438ca45cedf7f85bfd23fa9fcf95c0adb6fdefbf40f6c0f","nonce":"66fc15ec173d0c160e1709bf","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"70c06bfb135a0de982a7db46584a7aca80ebe5680c59fe63b2a4224396f91549"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"157f01e82ab182eea9c041b0703b4593508487c6dc6a1892dee0a4a863729370"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"c222d607b3c64e8390638faf3e3f17c47b3fef6a4bd3322259be236e47e28764"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"00069c4b534c0ac9aab4fb8ca9c7229c4c56a665d7a1b78eccd3dde4348c1f25"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"87cd747f65a58337523b0424dcb0e1a5fdd248a3d53bb10f3e6ee882c5066eb0"}]},{"mode":0,"kem_id":16,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"f44c5781084bb4fce1d793a236436240b54d46508ba9e2562f63163f0c958ece","ikmE":"a7fbc0fb90778f3bac10c6bd6015c3ce97cb2fa67b7618750bb27da125ac9dc8","skRm":"eed7001a94a568985b806d1fa93e52526e1f8343e36cef050abe2916f0a8ab24","skEm":"d96f28115394a64dd394c32d24cc6fc8daf291530196a361aa7c64519ad9b96f","pkRm":"04e56211ae2e3a54bdf610ff515f01efbf959cc4902de88be8763ead6de3087d8afbac1a0352f7da22d1b0d784c505a495623afe5196546577be7f9036a711b6b8","pkEm":"04ab4707e0688b2bb96217078eb06840609e7f532e4a1515f7897c1f247471a56f4fcceb588d8624156416eca1aba502d3ae8fb59f17362cc75306be397f1c5169","enc":"04ab4707e0688b2bb96217078eb06840609e7f532e4a1515f7897c1f247471a56f4fcceb588d8624156416ec
a1aba502d3ae8fb59f17362cc75306be397f1c5169","shared_secret":"d056229475f6704f40c0ec93ac753c46bbf5e785dfd4783b25a64bb046aecd8e","key_schedule_context":"00e8a9ce0d004eb1e61c18eda5156d1d5ca2e7f8343c5077cec50e238d26929c9ece463cb3fc8b2aeddd1bd5b55360ac7a64f66167e03e012cee38d5e95c9b85fdcceb15d1278ffecb7ba5236fb8b6982aea228acbedd6ec5dfdd9bb6f83a3622bf4f6de8dfb054038b8f7966a00c93b03f5464bbaa76e87cd432bafdfe7724098","secret":"04c0c60940512ee357462f8ff2a9b93b04ac7c95aa664d60d6caac37bdec134cf2398ea99c1ec99bdbaad8ad2cb715e7b2402b7b7757e5544c3a46c4f727c843","key":"0382e265a7e52b8122bef4404e3ae9c28a14cae9c5260434e1d3d1074d6d3b8c","base_nonce":"57aa1b827e308b19394c87ef","exporter_secret":"cf53fcd10fd8f19466d9ad85c669b09fdbc74b0622effab4bcceaba9e6d7b98d1d32cfdbaa7448c4400d27b8be386d7458f3cb8ed3e540c170a9aa32454d8183","encryptions":[{"aad":"436f756e742d30","ciphertext":"9e2848bcc182c08162da72c67dfb39430025540fd75db3fba34e96b7bc18afa2604e3c2002ab2587f47263c744","nonce":"57aa1b827e308b19394c87ef","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"b625c73e061604c9a15fd48ffb6690cd3800979cd6da3acd0e16036e6bd211a3d6c2a19c1ba6701cab34b230f2","nonce":"57aa1b827e308b19394c87ee","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"9f7e25a23194d3e077df54e172e5dd48a80eff60f193fa1894eed4224e72455fe96893c81a6d91b0604998666c","nonce":"57aa1b827e308b19394c87ed","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"d69da33ccd84663049e214c151dcc26ca18308eaef9baaa76bea554606f1717c007d98d76955cafaae454edf7c","nonce":"57aa1b827e308b19394c87ec","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"4dfb18c71992b824c5f7224932298912742b2fa8316523637598735d36f1df97c0cc9b108e37b739747a9f110d","nonce":"57aa1b827e308b19394c87eb","plaintext":"4265617574792069732074727574682c207472
75746820626561757479"},{"aad":"436f756e742d35","ciphertext":"ca48d91626170066a2ff40968f65a6bec46eb694a2110b4833a60bb1f3bd0aad5aa127397deef841abe2b41113","nonce":"57aa1b827e308b19394c87ea","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"7aecb49309c0f29ff8e5fced6c5d85879ad04c67c4df57966e3ff1a8f133db3ec19da8f77942918b3a1669bc5e","nonce":"57aa1b827e308b19394c87e9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"0886d6888ef439ae0b0846bb0625c75d25b2d8cdfc57974087e31b5b5ae0462cbccff524deec320cbec6de27d4","nonce":"57aa1b827e308b19394c87e8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"3e65c0911a4a0a8004aa5371aa7a7ef87d9fc652f601ff1b1a3746354549ecc570b8aa5d73c026179ced87273f","nonce":"57aa1b827e308b19394c87e7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"acbab189c13e48c76fc35e50b31b1d4508b772f0cf399a016e0cd9f76bfea9f0246a77642d173917e0c07bebd6","nonce":"57aa1b827e308b19394c87e6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"c9324d4911c499e228724661d8c57a6d052f6673727b39567c96aab7fc2a1c74"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"45f6f7fdeedcc1a46f660e2dc5ead9b295d42d7f5a0dcb5e3cbc084933365c99"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"6b24781fa8effde4040697cb1c3aaa4dda2f2a562a0b6e43f6c877875aaf351e"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"93d26f9053ef785bab8e1fd532dbe417c4a422825a8d175dab1ce661a1396224"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"223cd3170bd9f49fb8d117a87a8f59d0ac9b35a5e9b72eecce6bb76f1ea84055"}]},{"mode":1,"kem_id":16,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656
369616e2055726e","ikmR":"8bb1234bdb7ac5a9f70cc88b640f6f747526ec387d40726d37f08847c79d5a17","ikmE":"f5f91765cdc98a08b36a74ff96a9571a6028819f889b4f4f9415bad6eb778b0c","skRm":"ca80e805123c90711eab7fc6ad25c0a4cb08e83b1ddd5272d51806260f5e3f68","skEm":"181d002135a9357a67d281354c599bc5c5af7b7697ad4856580d86bf437b4a12","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"0475e2c91ba7835794f3e957347fa911065d43ab057a2646499be57d6954761081594ae2287e70c72c1824fbfed1d9afe223b802dc16d4f63e2b8b071eb23d0fd1","pkEm":"047a56e230c94b509b7d574ed67d645d7c408da7b8b17e0cdeed6bd12124c84f5d8c90317515efbf5ab50a927eaa27504e23a5bbe3e159ffbab48fd5753bd54907","enc":"047a56e230c94b509b7d574ed67d645d7c408da7b8b17e0cdeed6bd12124c84f5d8c90317515efbf5ab50a927eaa27504e23a5bbe3e159ffbab48fd5753bd54907","shared_secret":"d1d6d4c7b582f98a43ab15a4a6bf41a16bf81187c737b4a32ed7349488be277c","key_schedule_context":"01e37fbe9ca087c4427897916bdbcdeb188cb0da7c600db20026824682861fca4ad026d0e84dab01a4cb9f38a1bf9d06e8b5e0d5e6c0236a6433400b567942c2c6cceb15d1278ffecb7ba5236fb8b6982aea228acbedd6ec5dfdd9bb6f83a3622bf4f6de8dfb054038b8f7966a00c93b03f5464bbaa76e87cd432bafdfe7724098","secret":"f933dff581394fc2bba46562acf139521790a28232050b4cb48798a7eb2b0182cda372556dadec277181989d848243d7fceedf3e5d5faecc1e582a4c15039c5a","key":"9ae3e6eb6a74c3f59377e1ddf6e60c4a21af8e79d6799ea5a9c1abb1029066f3","base_nonce":"b6870de5385b4032aa8e3d0f","exporter_secret":"190ddecfbc632ffb1caf13cdf757ae254e9d4a28092de7ee5d70b6aab39cee0e708346bc1e5f2a807f213235e4d8c79d99f6e857616a9501a2a3f3ce0b4816ca","encryptions":[{"aad":"436f756e742d30","ciphertext":"90a1127c386a192a8c7601c7119a30714b115b0a4b1ed3adfd7f8c86e591f1af43cf37271b606935aa8b71f90c","nonce":"b6870de5385b4032aa8e3d0f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"3e8bf0e6a0468c054cc2e65c6d241e6760b0078193391ebf5f854d299c856e416734be60adf84c
f59f16bf45ce","nonce":"b6870de5385b4032aa8e3d0e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"6899d3c37562a13d041db4ecd2b9a7e118d70f8c55b3968010e7f490b18cac41e1266b33c6615b24908fa04dba","nonce":"b6870de5385b4032aa8e3d0d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"889fde65a5f4dad1f3a098169d64b54fa7d38683f7a5609e3edf2f772199b74c07f8ec8263dc11f1770df5abf7","nonce":"b6870de5385b4032aa8e3d0c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"687ef8c7b3775bb7e51f793af5750d3f32062272d31ea2f7c812a21c06f5ab1bca63d8792e7b75de669dbe24f3","nonce":"b6870de5385b4032aa8e3d0b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"0f3798fda24daa09469d63ff89adeb95fb4922d3ee57d8d77affccacea475987de062dc06dd4bb5e59ea08becd","nonce":"b6870de5385b4032aa8e3d0a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"6c0203b4bf10d6d85471681ef8dade08a7ade99e50e4f6f8f87dbb05c1861da6543dbffb3d6de7c0fdfcad81c6","nonce":"b6870de5385b4032aa8e3d09","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"ef27d417af23be375853161f9eb7797b096879c37e530f92c2320306228863bf856b33be0f92d46b6b8330e9cc","nonce":"b6870de5385b4032aa8e3d08","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"5897bbd238129c1e56e8107474680b79db3527be75c2e3895773970059487929830aeeee6b77328e2e0fbcf164","nonce":"b6870de5385b4032aa8e3d07","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"e0f4cf91a8de79c190080172d350dae881f2cd89c38f0311385389b2d4e2569e633a83ce2dd32825d29fc7319b","nonce":"b6870de5385b4032aa8e3d06","plaintext":"42656175747920697320747275
74682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"2b1d2317dc30083162b3f845c8e31708768fc3f4d17225ce11d880cd402f9039"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"524b7846fd5c8fee7922883e1c93428056b6ca5b847de180697fec2a95465749"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"8a18392455440b8c4e9a842801143124748339abd05a419d6ca040a218f3aff5"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"5fd6cf25ec355be718da6ef5dea44e94ba8f379d268b690165a5788309e361f2"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"be1e6e5f38713d80d47a5dd3c66f2d71aa0b4f8a4c524c43b236cda83ca959a0"}]},{"mode":2,"kem_id":16,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"dd9cee1f9aa858ba59af634b4f0b782de4915bf90c13a1986b26bd0c54555f8a","ikmS":"f144b19a3d990b6d9c0ce0fef7346d19b2959d79aa1cddf010d24d3f7737f70d","ikmE":"d139d5e57c9b64db951033f1efdbc5aed738ebcf40cfdb9b18d2d4e762257fea","skRm":"7058db6e5f4bac935b90f5ab63de4758493c17970cf818196d3c00b4fb1ea179","skSm":"89285c55c5f6e70e3204b9e2d26ae6bf942580b648c05af066ed3bb7f840f3d3","skEm":"0beb11a2009ce4777bfc1593d9756e59e3c80fb5aadf6785c841ea7be39ae293","pkRm":"045740e5b58e15f10090a1e2855976a64a16d81e41d93f39fe6f4312d69c5cd08b402916b200a7861fb88e584fe5020a0c705e60a432b12b3522e1df7717334f1e","pkSm":"04792d1383bc22987a649ee326f8d369c117a1440680ce86fe7d383f3c5980d845a5b666734d686bd2df354bf5f07030d8ef324dfa6ed92daa3ed2195bf078d611","pkEm":"045e6e8b57d49d4719e6c0fb0985b535a925bf3c2d92625bd93d7cef609828ea88ba56cc02e1724feff1d170d36ce947096a5cb6d66d00c9fba4ea8f4ebcad7c80","enc":"045e6e8b57d49d4719e6c0fb0985b535a925bf3c2d92625bd93d7cef609828ea88ba56cc02e1724feff1d170d36ce947096a5cb6d66d00c9fba4ea8f4ebcad7c80","shared_secret":"c83e61b45f0e46b73478f3a868c81c79a1f8db17500518e73e1956aa6fdebfb8","key_schedule_context":"02e8a9ce0d004eb1e61c18eda5156d1d5ca2e7f8343c5077cec50e23
8d26929c9ece463cb3fc8b2aeddd1bd5b55360ac7a64f66167e03e012cee38d5e95c9b85fdcceb15d1278ffecb7ba5236fb8b6982aea228acbedd6ec5dfdd9bb6f83a3622bf4f6de8dfb054038b8f7966a00c93b03f5464bbaa76e87cd432bafdfe7724098","secret":"af12f7b5d48767e4bc478404479160106da30777237f4f032192730f681fd0ea7e59e76c55e271d288352e0ae98b31118c6df5af1475ce1cfa4dbc4bcce791c6","key":"9098a91b71feab91c9d783208d4a11f0cc9e106fb8188f1d389b46ebf2a32d22","base_nonce":"ef68dd3f41d318ac4993d2ee","exporter_secret":"1ff5e6693383990e94b496a508f71fa50799cbdfffc33a4c63d178e59e071b52b47751c946a801c6d33a431377f7120d36164d8f92378e6323a9fbd32ca86fd5","encryptions":[{"aad":"436f756e742d30","ciphertext":"407cde14a2fe6d79d3209b3c6032c2410c5f9788fda1fa033f3d4c2d84b2507e7fa94d1d0cf7bb416109dd50c6","nonce":"ef68dd3f41d318ac4993d2ee","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"5e97dc5822dd27eb29f5a79e07f93753c795da7c8058968fa7b75ef3ad1c18e0a7f6ca44c135b2c91d297174c5","nonce":"ef68dd3f41d318ac4993d2ef","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"9df13d658c2b2f1f5e891b4f82fe0accd14f95ec4cd6e83b402884a75b17d8225da2b2f2a5b2f2e561061f5104","nonce":"ef68dd3f41d318ac4993d2ec","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"96d0fdd416206e8b13920019f0b6361db194125a5e5897392f6b8aa3ac819023ae7ab0f2140551113a292cbe69","nonce":"ef68dd3f41d318ac4993d2ed","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"a30a535b2a7b578d5ffbad3a80907db30d45b23afb0069bd688d255847957717410db934e8df1bf943aafca600","nonce":"ef68dd3f41d318ac4993d2ea","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"84a2dba3babb10be08ef602028ab006c14ae3f75e74b7c8bfd0990dc92d6abe06dcfce5fbd93fe76b9dfe44593","nonce":"ef68dd3f41d318ac4993d2eb","plaintext":"426561
7574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"4041c96f3df6ba0e1600f2731ec6e90cf105b349fd429787502913466ad8116dacc233c05fbe2cf6d8a161fe7e","nonce":"ef68dd3f41d318ac4993d2e8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"d17815b77a497e176599c31407aafe6c7195d0d5ef33ae3fa118a8f90c8528a28e4010aa2acce5bf1b729bfbed","nonce":"ef68dd3f41d318ac4993d2e9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"4357162195b78605305dcf362eb2c389f429e245616a282faad88561a01f85a569523d0152a634b7ee76f290e6","nonce":"ef68dd3f41d318ac4993d2e6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"1ad85c3dae40db4918ac5b037fc357af5c24d8355cb391402bf861ee21799259e579852c1115adad3f5f28309d","nonce":"ef68dd3f41d318ac4993d2e7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"e89632d4347e6f7e200836a3d2b091629aff4376f2fc8a1727b1d1cf10c3cbbd"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"8eeac68889ca0523c934f36350dcce4baeeae2fb66c5ed75013823b510c181c2"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"94986c976bf72d937fdb4f94637e5a510d314d19b19e5f4f3409faa531d11df0"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"f574d4a16ef377105be9c96d8b0ae8f8c509ba2f14eb18b8f9c4d833ae201b3f"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"6e7dcd4570b771b8a1f93722ea582502a74936ff5b10c45bfb3c73be6f62b6bf"}]},{"mode":3,"kem_id":16,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"a1c81d76edd35265a15655b33efebcdad1426b5f2b5fccc41714b3aa987bb5a6","ikmS":"da0ca9ca042e6ec7003bafdbb2854294480cf7e290a02053d6b8baf53ee34dca","ikmE":"52bb6164888b4b6e68a12ff744da4a0499
d551894807284eb790fd5684082839","skRm":"acda0dc1856c588c87b7e81e566638bc7f0b96509bcdf1d5cd936cd73256f275","skSm":"db661b69da3d221cbc8f92ae9ee424788d9d75752c9f862aebc92215b111aa81","skEm":"a72c527dc0e11cae17fab00d7f0fee143fb35ec4a27666510ad113624550ecfd","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"044e88fbb6d06977e8642a01aa891804516a59ac4eeef8d0727dffce716f1a1c2b80cd4a61b1c420bfc1fe79ec937f16253c6d9e750b34489b9fa680839d90bfc4","pkSm":"041c2f8d0a45fa610abbd1d5eb01f7ae0a4ad9dd3b3686b7a4eee2c5a3e5ea3e62d9d04c6fb01f6e2a8596fc8fe9ac1e777f1a5ade4ea69b208dcc0784ce7477be","pkEm":"0425bd3a8225fa8a8379e72c33bfdad57dfbed69dee056f2ada3d2b3dab34f8996da4234252e35395b1b45a493c9613721e4304a272837039ae610e96e2b983aee","enc":"0425bd3a8225fa8a8379e72c33bfdad57dfbed69dee056f2ada3d2b3dab34f8996da4234252e35395b1b45a493c9613721e4304a272837039ae610e96e2b983aee","shared_secret":"4b7ded482708803f30e23c22a9826c70279bb1e4b7c09a54454da7504a9839e8","key_schedule_context":"03e37fbe9ca087c4427897916bdbcdeb188cb0da7c600db20026824682861fca4ad026d0e84dab01a4cb9f38a1bf9d06e8b5e0d5e6c0236a6433400b567942c2c6cceb15d1278ffecb7ba5236fb8b6982aea228acbedd6ec5dfdd9bb6f83a3622bf4f6de8dfb054038b8f7966a00c93b03f5464bbaa76e87cd432bafdfe7724098","secret":"2d7a4c6213b913bece8e7ec638c3d88c0b2d746dfbd9ab8e3d1c2f41be5d2ee53b0e195c1bbedd3a7c9292f845a2e772e0864ab1faa3d34e19578028077b3168","key":"9a303a9a10b665248d57350e7657fc6b06314c09256217adcd5e463fb727434c","base_nonce":"33dfb940cf8634ad77eb341b","exporter_secret":"12c9df9cf5459a6c143e810564c5f1440d57aafc494ab53e75a719c113de59540d03ccb8a7b9bca65c9464e804e1e79c0ba99900aa99e21a278e2b4bc0e357f9","encryptions":[{"aad":"436f756e742d30","ciphertext":"b7d72c8f79b52a30f49b78e1ed73293c0eb25084a08312e2fc0c656f8b32590012eb0595cdc265035643f7de18","nonce":"33dfb940cf8634ad77eb341b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext
":"e197adc95feaf311fc7f7f2da0fcb5f33a97a0b1d2512cded0e92f7f435672702b0f030b09f0f8548e97e52507","nonce":"33dfb940cf8634ad77eb341a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"c9b2bbba918b2e9383270d61f6b5c07e9e1fb2e6266b5f44955ac6181a435db46550424535c5b3943fb3252fbc","nonce":"33dfb940cf8634ad77eb3419","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"a82925a4d81cae9801a6fc2d638c13c95aa7706871ce0bb50b6bb5bb6d160afd11a8ccc93e63a7149cfe2c8118","nonce":"33dfb940cf8634ad77eb3418","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"8d929d5b92926ffdb6dbb2f0e2780f0f719d83787c55ede27f8574f19364f60c56387fc7687ed28954edb1f2c8","nonce":"33dfb940cf8634ad77eb341f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"dd56d593e552a762b07a357bb63d5d571d62e0590a66d8de69f1f51ce6b826e65bced9c7f1747b98bc3e0b11ad","nonce":"33dfb940cf8634ad77eb341e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"23f598944c90b0c76d849138a7fe2359e8bbb540ede148da0980d33c404ad60f0a62d0bcfd0f065b64aa0f46f7","nonce":"33dfb940cf8634ad77eb341d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"985e60210a99040e6d90719362c0749d42008a0181d4e81ffa25dbe437deb3fd8087b437fe1762619f5ef2df6f","nonce":"33dfb940cf8634ad77eb341c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"69de80ce1ead2ef313d0df35337bcd86ffc0a1fa476b7b111f0ab82f34715a0651e33a1fd910fe2e7eaec15724","nonce":"33dfb940cf8634ad77eb3413","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"c1ae53fc7d8e218af223404ea83e690f0690c05a825f86220a305841d267f4dbf2d7638335ae610647055
90d0a","nonce":"33dfb940cf8634ad77eb3412","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"c1146466f130a28b43729ce9901f84829b80615c245d6cff8c5c106270851366"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"c747eca44714720c82d7a97a3e9ae68badea9bfcbe8d2234167ecfdc6daa6926"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"a913347cd2d2c45d22dc333592622c6bf66cbe6148ffeaa970904c9e731da338"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"71d9fbd2b3e51635783d15da5c10c03ef752dbcbfcfa504949ddd9b6e72180c3"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"ba3eb455e841d3de6d40660edb81013231baf6432955512a99e9c02eff3a95a3"}]},{"mode":1,"kem_id":18,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"6326c9aefd2e6117299fcd0257802f9534d1e335f4a7dc58af8bc67dd149d1cf44648d6ff984ec9b6c6dccf186ae25e076aa14d681fc9811560a34a7af0b7b870ac3","ikmE":"658cdda2b07b6e5290e3c81a355b27fa91d5835addf359538297104108255afca30aa114007d5ee59235e89b5f6d5559d96e69c593322ed444fb5822ffd66bfae361","skRm":"014b21d30762834758799cba8310bab1152cb60a76dba276e5accb7d1ad469b7bc59bdea1bc1aed6b5893aebe927cee07d905094af9ba0cc7c1e496ee7704e12465f","skEm":"005ccc2b46dfd2e3d22b90db68a8bbf9dcde64b393d3d0c242179bf9c3912ff53269ff1d0217f3d01c2b5de4aad8182ec76e6bbbd094540e1416b29d2e1bd10e93cf","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"04014610c34625d4fdf3f43ab0a89655d24312fbf553bfcd10fa325522dd6de7bc764d2455ee91949d4c5b2891daf7a88fe76316b782e0c45bff6e4b30624f6ba3287901585e59cbf49e6090333d0fcfe75584a29470d6fdd77541e84e4c79acf5747684539312437ce6ad8a59a2ed1516e99a2783417a100ab13444e8d4fb066fdc4eebd3","pkEm":"0400a9057e902915bd10059ee204cb63dc0a72737a34b48659bd77befe15d1d508cf3131ef0e67463020d256df880112c4c1e632
083a8a25a20821e7ceda29a4d3ab7201c011cf37a9559af27c1829f195864feb4f2df9038bf770929d083d432e6f3db006e9a13a3b6077c02777025298fdf005d26dba00dac2a8e67fc7f909d03424517c","enc":"0400a9057e902915bd10059ee204cb63dc0a72737a34b48659bd77befe15d1d508cf3131ef0e67463020d256df880112c4c1e632083a8a25a20821e7ceda29a4d3ab7201c011cf37a9559af27c1829f195864feb4f2df9038bf770929d083d432e6f3db006e9a13a3b6077c02777025298fdf005d26dba00dac2a8e67fc7f909d03424517c","shared_secret":"34d74491a24846f5bb7040bdf4117e152d9fb44be7de1295498501422d7a10eebd85c04344fdf67142ac1fdd527670c20d1a2ab27d00fa5bdf8ae4553143919f","key_schedule_context":"019abf81864a074a43c028d854d2ad96fb15064474531113eb1343402531354c4e60939fb0614a5e9671df04a0a528809e55ebd0d1b1cfc4dcdba54f9547749d08","secret":"f15fd12ac4ed5965b1e5a417400f1e4027f9bed1621fe799a3dbeabf789ea0a5","key":"09007f898877348d3b58b4ad02f24c48","base_nonce":"c032723cf5101d9bf2df3257","exporter_secret":"423885d0c528187f4071c833c382c559bdc322ce04be4595f354b24438137b99","encryptions":[{"aad":"436f756e742d30","ciphertext":"c33c0326b746bc76a3780b86d9ad0aa26b148eaf39bf7d96beeaf03e47353fa4e24ee5aaf7c5a8df10ce0c4967","nonce":"c032723cf5101d9bf2df3257","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"75ae68386b2db45163b0b20581e713996cbef3a09d0bb104e6003eee6371e1e6c2d769c593efef1f6f60e951ad","nonce":"c032723cf5101d9bf2df3256","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"e258a0fc8de9b865ce1cd16864bf737a95442904cdcc96a6fe911aec214d4de8cfc646a269f76516b7a9394452","nonce":"c032723cf5101d9bf2df3255","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"4993ddeb797dcd0a9e89799ba9c6fc67db474a6f8e09cc9e25875527392404bb5989bc9dbaf150d96fad743d5c","nonce":"c032723cf5101d9bf2df3254","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"d6d4d18
1061b93b7854ab9d85fcc6b757d1c42038912746ad92eaec21824e32b9b62485f883756625de0c47035","nonce":"c032723cf5101d9bf2df3253","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"df029a25deeca94e63bc1809f68f0454b4bc98df5584f8cb4922376080aee1afabb4d578db2ac6dd1eee1888f6","nonce":"c032723cf5101d9bf2df3252","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"03435b8f567fdba0674cb6f465e7a50a8803113b6fb7eaab30f4eafc757f2d88486e15442eac566a186ebd0f53","nonce":"c032723cf5101d9bf2df3251","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"a367d02ad275848e9bce93eb1356532e28bcd89bc1326a277d9d94319da64ba8a5e89f27af4f0f2bff99a274be","nonce":"c032723cf5101d9bf2df3250","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"589dd12af8f8e084d22818f7c847749168c8e067d3017795ab5c8ef5abf7756f1c2eea65a8d436c3960af22863","nonce":"c032723cf5101d9bf2df325f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"a5646638210e25b43cc9721ab0b5382862d858753208e4f7cf7cfb320f83a281517f93a4c092f1dbe269ae88d7","nonce":"c032723cf5101d9bf2df325e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"7a94c51d60f2e32e1550fd5fe06fa78ec004fe0d6fd8313ac2013683bbe8c7ec"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"4701a3bcd67a010e1e3c02260b322e15b4a4c143377f313f50a360a653badd6a"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"32017268020d3ea5da9ca55a361db4950bb02aa4af1d866f933a73c6ae4dd39e"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"144575f0057f5f30befddc05b9d1466a1efec549946cd40f71d96ea9bdbab431"},{"exportContext":"436f6e746578742d34","exportLe
ngth":32,"exportValue":"ad42bc5772fe4e55cc69902725d80f88632cfa1522a240c345f7ec6c8df3f975"}]},{"mode":2,"kem_id":18,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"71601d8f0ccea1ba104c893d3b8fbd59a6f1324858bf2b3b5aeccc13f2f059599c80d4682ae1f76e9797e2a7720d2d223e17a68876b0cad450fc57001228784a8eb2","ikmS":"dd8c1263358652362a1fc9f938083581209ab87df8fed5bb5fea44459efbe1ff47232232f51139fa4c7f5bf67855bb001f66b6e12ff62d7e362288da4b88125850d3","ikmE":"514129fe9f3ae1aaf31871ccdb5b3284ed9a72329ffcf726dd2e2e4559cc659f616aef461775e5b7a8a25557cc94e3a46709c0baa060a4bd655f3b5f1475e8975683","skRm":"01f6e6c318cbbef4049c7ec5ac5e6847226c087b2350658f1d42a20b231c7b13a4782263e4f79b79d6c155131dd413c73244ef4a9fa66f9058e5d5c94eeb28baa9f2","skSm":"01678d078cc1d5bdb49b5f5700d187226254403649639c21329f0b21fc8f7edf2f3cb23f111bf43d39038d71a47ae88fd57f9ad892a96f41661fb936b811f44f43fd","skEm":"0031171575bf4202b337d0a125f8d58ca13b91396ecaf18d72f07dff462e92ecfa98223c3d90a71fda26452debaa25e6b76d8e15c4f9fb9d71d75218303ddb973a81","pkRm":"040152973bcbdbaa986f4f4a4bed0367fc52ddf1e712ee5295e3f83ef514b7d4bd70482597e52930e216cb3105cc1c1bd43775a0f68972f17881300f7ed65a0ebe9466000510c8da8816d2e520f71751019a70b4d8d0f2e07452b66b6be222aaf1e2b7d2d9d610ebf053d424201ddf1a42b9acd58110b76558d212b963b48c65b55bdc8a9d","pkSm":"0400a0e34f35217686a55ad29c9f593c4c421d47621f429b5386fec2776714608efafb5c893575fe66c2ba554b82250d027f4a024058c63c6f8a49360e9742d944a47100709c09b42e34218c20e0e97772eca5a33227707052871b538754e0ef5653191a98494241b5853c37dbc8bf29b1eee97b45139d0ac4bcdceb4aa1e31d053481abe1","pkEm":"0400e051970ba3b0bcb5bf7cdd8f8e34bcf138b6f63a938af0e9a4e1f46f28270a30e2800c52e292eff059028839ce6bfc9657382c4dbf5bff987d9cac725662cda4d00146b5ae2beb766ad298603734f3ad6d8a6e018a2e7be738bb4f3cf41bc1465b13b87893703b5cd41f5a6dc4e649df99804af5c8e58cf88e64b512247c4f3c9302fd","enc":"0400e051970ba3b0bcb5bf7cdd8f8e34bcf138b6f63a938af0e9a4e1f46f28270a30e2800c52e292eff059028839ce6bfc9657382c4dbf5bff987d9cac725
662cda4d00146b5ae2beb766ad298603734f3ad6d8a6e018a2e7be738bb4f3cf41bc1465b13b87893703b5cd41f5a6dc4e649df99804af5c8e58cf88e64b512247c4f3c9302fd","shared_secret":"836b20e5a90d635cfadb01f9af1f032b91a7a689d49979a6dc2dd048447bafcc24e02e39a76f106ddd0f4ff085ab452f409fde3c679f311d0787e80fe171cdbc","key_schedule_context":"023fcb9fec4e9b2eb7bf4f168797fb1ef0f5a1f6d73119a9387ac0c86e3f6c658b60939fb0614a5e9671df04a0a528809e55ebd0d1b1cfc4dcdba54f9547749d08","secret":"d5b8b7a71834ff692201c0d72bebacb0bc0ae9647b70381b3311b333a80e31cd","key":"2f535ab8e8ed0cf1f16643c18c6c9e5e","base_nonce":"73ae1054af94025c97762a1b","exporter_secret":"546957c394d4cc9984fd968bbb82646891eef141bdf34e8c90a7d33d42feb7cc","encryptions":[{"aad":"436f756e742d30","ciphertext":"48f9a2681fc3adbec124fbb036ba4f2e4c4fad5b1a4de52467fc1ca2e5fe8062b3b95fa6f23d951076079b9ad2","nonce":"73ae1054af94025c97762a1b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"dabee209cb0dd301df0b5405d6bb803d6ab2ba1294bd3f2f8490d453baa0fae365a357ae810e976c1d08bae647","nonce":"73ae1054af94025c97762a1a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"b7e2bffe04b014f9b741124ce4958972caea5084aba3217581f81dc212269ca15eb88efa244560b3727272962e","nonce":"73ae1054af94025c97762a19","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"5972b9844d376017ab6bbd391c5734897e50e2dce030496dff98643d06b461fd18f0a96d69f62c9491471022da","nonce":"73ae1054af94025c97762a18","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"9ae9eb262c5302165bcc5761c41a8025a66450d9a64caa7e5c3f319f175334b6343de9752b97d475f40ad8e2ca","nonce":"73ae1054af94025c97762a1f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"f67ee56a46970566fd2c380a5b6315f5f5f6e3e5d0804fdf87390f02147dc56d
a4b949c0c325b72386be496dd7","nonce":"73ae1054af94025c97762a1e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"9db63113deb323e22f194894d9bea1929a1e071a99afcf33b5fdf29028bb7242f6e8cd23db64706c35124b2212","nonce":"73ae1054af94025c97762a1d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"f2eec03dbe647c060fc996e07a85f67344903fab7bb1b0745eee00784e572fc99ddc3d136744612abfe680ad9a","nonce":"73ae1054af94025c97762a1c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"ce925b00e83c295efe910ad5e353a00b7fb9809d0a44f15a6628528feff5be40357c56b85e38dd7b8caed5b887","nonce":"73ae1054af94025c97762a13","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"45bdc537f5c766e65c4d3233eabd7812a0f7795d78d3f3ad9f11ed8ff002009a0fc8c0efaea75dcde4d99a7387","nonce":"73ae1054af94025c97762a12","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"231ca24aec986ba446887adee6b392c0166d0eed77b4c78fa53f04a0c86f238c"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"72c201062c3652d1d57261a22fb3e76ddcd99094bcdcc02fb903a01f3cfe8e4a"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"43c9bc416fdf4258f99a90be4935d1ad7ed3d640c8bbcf5d92a8fc13fc3ab625"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"f8fc4273d594ac09bfdc12b381c56d4b581f2b4a18ff08af258119f0bce368ba"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"701cf284249492a05cde845e473dc98513cc667177890c6a91bb086a550a464e"}]},{"mode":3,"kem_id":18,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"d0a85a4f26acc2954be6bff71cd1a249000ca63fc3ed8c47090ffbb128ed71cf32e3ccefe6326bf238bcb405f46bc6c39200
1fab14813d1c38a18ca06b058eddd63d","ikmS":"05721117f02501ee0466808df5eda4c564d0501e21f1fdb3390a0dbec0cc2b9fa5b9d0dee0503bb2157f12d9a62fa37f79dd7522349b1c6f00102c2dda1bb4c3013d","ikmE":"53a94e402cbbdbc218019f70742aa1054a734b0ecbb5a9e9df6ce20e386dcc483d3543e8a028093f034c60091df40ef878012b10fb04cc446830239345a250f6a002","skRm":"01f355e0edb15ce9d79bc85b615c842102efe2a8c8f985d6fa59215efbe81e662a233642a349a88068a3fb713810b4f50b925c03d07bd445bde9c7962d225bfe4e16","skSm":"0076fc1778522fb09a0119b0b8f39cbec9a14b96b605055c50716e6355797e0a7575d9c6c2ccd5dcd513c0f1a0ae24d83ce5882e3099346949fe1411ab58f4f7bcbf","skEm":"014982e2c0f9b0388d63b620d32c008104e1e387080ed1445b80de30523604b6f6c1886d63d127865c2fcea9d5770808494d449876eff4690bcf7a2014f91b5f82a7","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"04014f47f8a0383aa364374ff8b82f2e0b51f11547c9133cde6b4b4412b9dca1ecb9925f652a2df76f45b901910e5735e8f527f4722c3c14ab0c71665c4b0da2f0387a01b29082115c5f5a39097bc2cf223e85935874cc657bf4a5e08b1a66dc6c4448e7bb4c126c894a81bf30fc6955231f2bfd7a12c49327c56e7c4a4281905b6cc53dae","pkSm":"0400b68f01cf80e41fc1f277ca01c583749486171492b4ec69d84085954af5c64df117443651e9332efe40e359ddd8943d4868db421876b98d7a3052c844bcf7551e3c00ba4adbd4b41928bf0ea1e598a85a1c5658adb1bcbc2a169dacafbf40a28bb0868c4e367d972e383601c3e01499de52c094f65e2196963043b3dba158fd73e33225","pkEm":"0401999c182c4da9fae244f659573eefcb207a60a2a9c47daed5471dd9b2a225ceb0efc127aacadf50f473a401d17fdc0667a5e73ac5e0d1184701e2251db6c011bdda003b40aa2e4033bed8243fd227620f87a36fd689e51ce03e8a280b6d0dea15888d1f66a7ee169eb81d5d48ea1dcd11d1a2cb5421de6437643ff8aa86321bf1eed021","enc":"0401999c182c4da9fae244f659573eefcb207a60a2a9c47daed5471dd9b2a225ceb0efc127aacadf50f473a401d17fdc0667a5e73ac5e0d1184701e2251db6c011bdda003b40aa2e4033bed8243fd227620f87a36fd689e51ce03e8a280b6d0dea15888d1f66a7ee169eb81d5d48ea1dcd11d1a2cb5421de6437643ff8aa86321bf1eed021","shared_secret":"08fc167
08e07e5c4803096c74aa82f9f01248cb1dd15d1728f84389c43bec5e4b342af2132a04c87926a1df3f3e382bbc946456eef49dd15d8a75a1f722b55a4","key_schedule_context":"039abf81864a074a43c028d854d2ad96fb15064474531113eb1343402531354c4e60939fb0614a5e9671df04a0a528809e55ebd0d1b1cfc4dcdba54f9547749d08","secret":"93749af3761bec46ccb7835a2fd84a17ee15e6b64a207a52793c9f424ddc3f93","key":"456eef5d59f2f9deb8e04c4ca6f6bc98","base_nonce":"c4ac875c13dadc39352ce647","exporter_secret":"5c3638550562c41592042fe9ab6bad24c40093bc9301fb53325ba377fa2f5acd","encryptions":[{"aad":"436f756e742d30","ciphertext":"68ed1760555d80ca1573222892d986da5abb3379f4f7024cc7f2e93797bb2ecccecff14abc9e7e1046c4ccdea9","nonce":"c4ac875c13dadc39352ce647","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"fcd8beb4e2e8659a0f4a884960304115382ca39c1691dc1d47846e2031e809a62ddb7f8bafc4c86517929bc309","nonce":"c4ac875c13dadc39352ce646","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"0aa316b579ea53fed3c669c163caf77ee84b524978f382abfa131dbbd1a41d1b1e13fd4fe693596577a75699c5","nonce":"c4ac875c13dadc39352ce645","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"542341e8e90cdbef167dc061b5356f986991347ece9ae0130bf86040b23544fe8f8399b2604c84412788ebcf76","nonce":"c4ac875c13dadc39352ce644","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"32ffd79f886d8e0115bb0ba2fb2af30523756d8824587d92c6560b39bccd3756f0d7f163effcdf673519218bad","nonce":"c4ac875c13dadc39352ce643","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"8dab4b03279e677f5da21c5a454a9917ae34d81e99c2cf9d836fea1d54e7e6868b75357209dd72bb7e7aa08936","nonce":"c4ac875c13dadc39352ce642","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphe
rtext":"891c1c39382217876cd4bbdb15c77e5c70b304dc363f58dc289511e7c3d996c60ed902de4fcec63708182cc14a","nonce":"c4ac875c13dadc39352ce641","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"db8fff752837ed367fca4f50efd2beef6fdc76b881f65b152e093988f51e2824d5b8c8f25b5059807c61d4795e","nonce":"c4ac875c13dadc39352ce640","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"60a33dba46597916403d9ca8bdec5cd682cb4b1f873d43cca55e83a918dc0ea7d4bb252bd92714ccf86182aee1","nonce":"c4ac875c13dadc39352ce64f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"3bdac85b7dfe984079d90814ef258f47178f520c2dc06d2e1c9ed55f8d325790fefa5b536362c6f3ce7190fb1d","nonce":"c4ac875c13dadc39352ce64e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"98bd4fd5d33dda3f10a2e47b31f5f011da506250a7bcadea01a732272f310309"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"debce6ab06ccd3ccc71c53bf401782fbc6fc90c9ac06ee16c6836b0bde91930b"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"39208066eb4f470d6ab53d84d631d18587cd7581770997712eb075ac4c7f60c9"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"143d0d46cb7cd97d648123e58de09f1bb8f72ab14ba3b7b2badeb7f460492162"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"e34483241b67e6a814cc4735a0543d7cf48b68159488168b0263a5f69bb67e03"}]},{"mode":0,"kem_id":18,"kdf_id":1,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"111df2c3d66b7b780821520c39e4cbf97a31ad257ca788ba000f052534bcaaf9ccc2233310a039e5e39e5a54db335932c24f0b9df6b4fd1010cb914bb46eafd64b9b","ikmE":"61fe190f814a522190d74f95bc249feccf2c4e38acf38b604ab1f458089943016d75353ab657a75463d6510da47269030fa2e83ee0d2bfc6de786b00417d3
908a1f4","skRm":"019b573b407de7787177cbcdc9884b439f6222b267324218c0b68bfc38dbd10379fa8162ea401f7142fb8a1afe40f39ddc403466892522fecfe245af10456c41564a","skEm":"0133115cb131747ad3c2317cd22f8659f6d6233d40788f3a5f47b21bb5507edb52acd12948b838788c216a8eef0388f7b33b720cd5ec4b7c2ed1bbbd8f02a4ff9f97","pkRm":"04008e4f6cff2b854cd3f7f12fe527f0c23e92178f1f65510500c5bc5f5261d13f01c71ed3895681234ee1051c0a91df9ca79f306a01ec11d439816898bda732d9e6350034349604c321ce3a9c3240a5b6b0f816d1a52f225f91101d3983b6086463b3266485dd098b6ca75f1a4d43904134bc281c300c166c15cc20cefa1636b2f5e43c26","pkEm":"0400e6cd0d6c6d730c692109a894302174c9fec7ac18f8e5f65abf9202c9353ed4812b25782f7b3d2017cef4f0b08e6c54e8bf4c883c0bdc220c8a96dace7b97868b1d01003d74b936dbd840c5b6f76c870f15a4b51f68a29baa2b0012b163602465ffecab52cf6205a1dc39bea68d283dd3822b9dce7beabcd01d7c82917443d4820fe591","enc":"0400e6cd0d6c6d730c692109a894302174c9fec7ac18f8e5f65abf9202c9353ed4812b25782f7b3d2017cef4f0b08e6c54e8bf4c883c0bdc220c8a96dace7b97868b1d01003d74b936dbd840c5b6f76c870f15a4b51f68a29baa2b0012b163602465ffecab52cf6205a1dc39bea68d283dd3822b9dce7beabcd01d7c82917443d4820fe591","shared_secret":"a08ef6d0dcfbd25b831f400907a3913056d9850c3114e7c69aba5efbf8de17246a854366b91253ec2fdbeae081309db24c64073934c651d3eee9c21929a78904","key_schedule_context":"003fcb9fec4e9b2eb7bf4f168797fb1ef0f5a1f6d73119a9387ac0c86e3f6c658b60939fb0614a5e9671df04a0a528809e55ebd0d1b1cfc4dcdba54f9547749d08","secret":"1b8bc1534443c5d7415f999ebc9bd93eac7ef70de662e94786941c86aefccc49","key":"0cd8580b9100cc3d4602d8ca2c020270","base_nonce":"28ccf9497cd75f26fb23c869","exporter_secret":"97f9d795140d3d6b0ba48b5fe355dc7ea56339c90ae2e86a7eb6baddc88b3903","encryptions":[{"aad":"436f756e742d30","ciphertext":"4817fcbdcfb8aca088eecf4e0395e640f7f5bbed88a68bc33e9bc15001d879df7b64194549ae327db3e3d3c9ba","nonce":"28ccf9497cd75f26fb23c869","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"5df1ca7d953b8b3d3e8fa2303fe50d9386b1c367240
8c9ac7ea2f48e99088098f5aaa4a18608d5bed27b7a7ccf","nonce":"28ccf9497cd75f26fb23c868","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"668275aa1dee719f5dbd22da45eacd354eea1e508c04b15c6be879355f2788d8c14b2e71a1fad2de64fd0455f5","nonce":"28ccf9497cd75f26fb23c86b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"554980f191a413b8cd052d88580c9b86d026cf4f54aa9e16466fe7db4347a23e478ca68d96bbc0af945b8370b2","nonce":"28ccf9497cd75f26fb23c86a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"5d4576de85613ef418f719f2ebe99c8381803a81a1b13f9bdaf248b457f6bb4167a7963f5df1f1c1388eb0bc4b","nonce":"28ccf9497cd75f26fb23c86d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"3eab2ebe2983b52e6d0c0bfcff4501e238186a0a041d7820563ce03350969d7ddc67f9048625b753151e424a02","nonce":"28ccf9497cd75f26fb23c86c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"9c9cb5768c49249ebcaadc2bd69764c06c0bc0d9d864e206b9616d295b2b03aff216aa19cb45d6cc53f06eb8ec","nonce":"28ccf9497cd75f26fb23c86f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"d6861a1d3d7409b3bc6d6144488ca48e8e13815b355b35b003fdb3883ff9e8a42c29ea11de02575bad53e903fd","nonce":"28ccf9497cd75f26fb23c86e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"d02d5df35b102f30e0ea0e9255e74de7ee933cea731a5844e57ffb675066d7d954892df16db382f1114154f2cb","nonce":"28ccf9497cd75f26fb23c861","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"03119e85d628a4184f07d7468cb5fc90a734a58ac4b59674391f7f58ccab7496b0555d6b58ed70922801de51d1","nonce":"28ccf9497cd75f26fb23c860","pla
intext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"26a40e8a470b876839851dc6ee78ac33d1c722746f36609d0592a170b0c970a5"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"e7e2ed2e620aa44284563a2ea24adbb9f766da4864af56762c47dcc7f7f46845"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"ad186bc648517b5ff9dc6ec8c9e367cc33993a362ed7cee25b3c6154f898e36a"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"072d754951d93e211677bf416f2c87e1006df32c152bdd0b8697ae69087e4432"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"2ce1fc30f0c0616ec6077b5b000f6d646b06acae6d1812745008a43f47c0c298"}]},{"mode":0,"kem_id":18,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"ab1a43849c1811b14c9e64344296e9060161fcf29dfe0c3866bcc28e9772f16cea19c97f95be413e6931f54d3a0c879c4ec183f5b8e1a596f4dbfd8791cb5c8f2bd6","ikmE":"3d20421590f1d956edf7b1194ce4701bbf82b54a8a18c79c762ffc438352b5ffa6af83941ab2ae0eeae9145e86cad4ee5568a10f23e5aeb93ab236811a4e5b43aaeb","skRm":"00c374d559348c7dd44255cb3dd1b329d2c26c67d32fb8594677e97f42b2ca87f0a2716b41a0010ee931cb65a7b09d8d702e2d599a33fa94b9ab07ffaab317a7360b","skEm":"01b913a94728616ad2ac1727242d8fff55a31e046085b6d543fe1e7a337073ccba74a2323b1ba5fe7a7a2af3e237f6305b085be2ff60b239841509186e5280da1116","pkRm":"04012c009e31594d652a6a558a73b86af450b2947ac4bda6b2df83743bb58f73d847a72583113995a76456f5c9dab5c89b22219048cf92b5851d509631c6635467f02a0010f7102bae4293bd06cd29a34c0ccc052002f0424b6f30c3cd9bb5f7eda8a62f4c564d02385ee202b154930092e2fb2c0a7f4c3b323dde892d2c941f1967b4541d","pkEm":"0401d64b87f4915d691bd37997c2f681fdd16f9e36b34a41c10dbff138c1ccb0eef1ca9cd81c41ed5d7d0ccb8b022242deeb08241e4bbace6bebf11adebeb5a0ca3c3901ecc27f85609a2a3baa9245b164b21160076599add852db0ed4bcf1b07ef92284665b31b377b0ff1353af9c0e21951db67c200a554e763c73d4a4ff298fbf391fdf","enc":"0401
d64b87f4915d691bd37997c2f681fdd16f9e36b34a41c10dbff138c1ccb0eef1ca9cd81c41ed5d7d0ccb8b022242deeb08241e4bbace6bebf11adebeb5a0ca3c3901ecc27f85609a2a3baa9245b164b21160076599add852db0ed4bcf1b07ef92284665b31b377b0ff1353af9c0e21951db67c200a554e763c73d4a4ff298fbf391fdf","shared_secret":"062f95909e8743e62a3ee334d056b8bb54d6e33ad45363996a7af59a1bef72c27f40604902dfda935dacb49da50faf0b82d3e568bc4e31f71e385c0339fc342f","key_schedule_context":"00c22bbb004b280397d8c7a3178b0e87cc664d6fbd8fc72151c4973a2d51f26405a55a464535cb968c3679ea20eeae1f3da07508875ad6f0775a793724b55d3ccb","secret":"50dc5fddc37d9a92ebeb563c4b12cfa9627f1954f667d0abd92c0f756d695188","key":"100fa80e46271d6d7d41271d81c5d74036c3a60013533042d448a18b0d11ffae","base_nonce":"a32eab5bc8094a8dbe345b0b","exporter_secret":"2cdc2a55cb41ba4a1b7a02b221786427b2826958af0c275c34b1aa5d954ee381","encryptions":[{"aad":"436f756e742d30","ciphertext":"36aad0922aec91f30fd6bc057a63c738196322e0b75007ef6b8dda3145516b4a62343820b605e3022b8e6c4f5e","nonce":"a32eab5bc8094a8dbe345b0b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"4a6aa71627f4e8b0315cb9ff026789e4d31e3a47c1aa147f5423b7a36fef7229a4ee52307bda826bac3116befe","nonce":"a32eab5bc8094a8dbe345b0a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"297502af011186de94a8a0f9c47ffa07fc6c0936b2f5603d65a754c12d273081b8c87e9dbb351f8e6bbbffacfb","nonce":"a32eab5bc8094a8dbe345b09","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"e251d486fbf02b09de5b244f6204ffd7531e1a4e0e5c21425e2fe2af1c1d0ced28106ab2c074da7ef4e4d9b900","nonce":"a32eab5bc8094a8dbe345b08","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"72d9a5bd3abdf18ec616b76063934043875e6c44c72b64347978b5ba58a284de4d5971e7263501f1b589f38bd4","nonce":"a32eab5bc8094a8dbe345b0f","plaintext":"4265617574
792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"ce0e3a921bceb113c745e48ffb2dfd43a56bdc83abdd0b281ebb8e93cf05dc38b6eac78fe23c82b5fecfea7dd0","nonce":"a32eab5bc8094a8dbe345b0e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"14bbb3e57b87d7f0ba3808768e14af9bad4c5f50966ee52e6e6f128645960ad1e329860218b24475daeab551b3","nonce":"a32eab5bc8094a8dbe345b0d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"007d0c9665e5f09e38370fe8a5225434396cc4f1037bcae0ec37bb5909c352ab34499530361d8a58b48832e003","nonce":"a32eab5bc8094a8dbe345b0c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"3202bea08d9ecc34ef72bee3972f7e4ac74a398f01a2ee9083ece51f11ae2e36b2ee0dc59befbabc1bb3af89f2","nonce":"a32eab5bc8094a8dbe345b03","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"e4625f277727142d6fec29a269e0cbb7499eff4b4d41b8db35bdc5ef926ef02020baa8823c4aa2675ffebf746b","nonce":"a32eab5bc8094a8dbe345b02","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"4277da3159fbec62d7358482ef6eb7ea0b86cb8f23ca53b453a991ee3a0de38d"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"540012b704de24117ce9bf54b1cbb53b3aa661bfc8a66a4c2dd3b3884ca08943"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"36e96625cbf5e00a0a5b05e9fc8d6ee368f88f420a3f288c21fb247a37be77aa"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"507410f9f117ba1ff95bfa29e13596887981146784db60c9e3a7d5bc5f44c5e2"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"15e2bf0d636a8fd961c807ef74726b05e6df58a3693a58789c31955ba7942440"}]},{"mode":1,"kem_id":18,"kdf_id":1,"aead_id":2,"info
":"4f6465206f6e2061204772656369616e2055726e","ikmR":"a35c027251cd3212c342b691e94b737f5392775fe7c0a35656de3c8f7ea2705aa6ec7638189a64377bcaae45187d97a77be47425a81363325b8678d3f3dd338520ed","ikmE":"c055639801dcd7b4da7eec9ce54682dcfb9d6854f167bce084c81fdadfd0777ea98e1a3242afb3101bd9d7a2ee26da5e912e109de417ca4ad221431bf9921675f30f","skRm":"01f7028c22b97d5545202c5e1739ae5824234a8fa9d5f2240fe5c5d709ffad2de3df42528d8916bcfc80054129a8b4a91d41ab4eeffd72d1d39b362da70a3add3978","skEm":"0180b13cd49a4c37b3068cb6131d611586afe6debf1ef1dca9c58f62be7e282958a90cee5b3bd586df6bb340bf621e2c0ec2f30b38f2b4cd84d2c655fce7d7d0887e","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"040066993dfd16def99016c3973d84e137c0d80583e2fc98c8b566d9a274db9365ba34adc6d24c509286a5f3cc1e4b0406994514a2b11879f13c8d63b7f573a4dbf474018bbd538615fcf6b3d338ca395396c5896e97546a8ec90528ba51bea05af5d3b748ee4954a5f08e2c42adcb2667f8391953a7f00f6950b12a0d49d0d9de1d9c22a5","pkEm":"040163175c8ab640f2e9adb3846dfd32bed1b4b00b500d46e847d450c3a3cfa94dd93bddbe8bdd850686ef21d0691ac0ef4fb6d7fa8323a4297266adaef9bc92f2df75003d598b54bba570468d7ef443ae1a5cd4a87a1dd491085dd5cb3c4ee31069a4b266e13bb6517736adcfe31f570df4de1facbeb22681d5129c1fa2d919f0ed90b703","enc":"040163175c8ab640f2e9adb3846dfd32bed1b4b00b500d46e847d450c3a3cfa94dd93bddbe8bdd850686ef21d0691ac0ef4fb6d7fa8323a4297266adaef9bc92f2df75003d598b54bba570468d7ef443ae1a5cd4a87a1dd491085dd5cb3c4ee31069a4b266e13bb6517736adcfe31f570df4de1facbeb22681d5129c1fa2d919f0ed90b703","shared_secret":"518ab327dcf22a918bd04dd635e5c7952c936e05cb40f6ec76077865a23b980fe62d6b205df4169e6379e1ce690bdfbacbd49e753c48221121078a679ee9ae8e","key_schedule_context":"015f297d9380c73a70f85bd58e35098a8f715a136ac4fb4c5ca84c340d438aa347a55a464535cb968c3679ea20eeae1f3da07508875ad6f0775a793724b55d3ccb","secret":"8f2ac4cad78d8f411af39052acfac8244bc8828369e32d7080b78a3390dc84cd","key":"5fad0d4587bfde6da73bf087964384564bc41d76d9f8e
b4b132b6c1e152c9564","base_nonce":"131da941721c4caf90668c05","exporter_secret":"cbbc7c0e55bce7d78ee06b590752e77d8e3c7ee53618b688b98e9d857a628280","encryptions":[{"aad":"436f756e742d30","ciphertext":"feb9da9ea0da5ac6d6cb6d34cbdf36e46ba690b7c2e5cceee35fec156754b0b826af939640cebfa70c2c8ea782","nonce":"131da941721c4caf90668c05","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"8a8240c48c7a7b2a5d20befeb92ace59aa83090076a7199785518953a8e57f58a86e329498e2621d628b2e84ff","nonce":"131da941721c4caf90668c04","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"e35dac97c9ef658f4acd5e11b7e2da44dba78099cd3a0d7883bdd9a9e1ab2b630f9cd77dcae9e29fef2442bac9","nonce":"131da941721c4caf90668c07","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"443bf1cd80e7f647c24144c12df77c50c3c36e8b46291945ee1ac4da28d64f0408e415f081b264ad33d19417a7","nonce":"131da941721c4caf90668c06","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"a175f7f9cde36e9f8b4f875fcc7263a31911a25708382b0a536cfc28d600d2dc1a2d4d75aaa0cabf76104e7bfc","nonce":"131da941721c4caf90668c01","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"ffb6528899a7e27fd937dd4b9830b27779144d594e233e1180f4204cd0b698d8e06924fb49fbfba1fadae3307e","nonce":"131da941721c4caf90668c00","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"d01ba2326d70e7d702302c36c1c772da6806d826cbc8159be9cd01281398e8456f43bb73e1238a36faa2c85087","nonce":"131da941721c4caf90668c03","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"f3e76b250367f9f32d52457c1ac63b1d721bae9ab8b243fe3a12dc2d661b786a97b849aa4e15644ada7a071121","nonce":"131da941721c4caf90668c02","
plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"7c834e32f513c9f0b195bd468ce5f75e4b4c6329e480e9006d69729c51063b35ca35b34c35dc492fc5451d8749","nonce":"131da941721c4caf90668c0d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"a12872d0cf1325fe6bbd59a7e26d683e4dc1aa9180e03e85e3391aa74fa08c91b3d7997d67861274cf2c5d9c5e","nonce":"131da941721c4caf90668c0c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"602d86b9853a4a67eed3465503e420dc52f12f136fd30bb15d608a7472a6878e"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"0faa19030ecd54dd97eeec1de1a848a77fd5b4aaf1407ec4dcc00f0eb0325b2d"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"2b4482e2d9fd20ee323a890150f552e4e05d2ac217daf5486040da1c3b2ee8e8"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"1e3ac89b8a2502b6debe07fec8b4bbf3f27b0e30d9b9e805df793db9ce3f7df7"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"2e65350c86e0e00b874d1bcb97cfbfb8aeacd6bbf75c928a1ba17f442052c57b"}]},{"mode":2,"kem_id":18,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"599e03027556ed74624d056d4ec889faba2fd8696df331afb3c4761d9b8e8ada0947e915c11e18387a7f777e4f5c2c7ca01e584d167b951d0b62bec5d3e54bbc30af","ikmS":"bf9da89f761cf2b0a8f6d08e3cca8a9993867c07bf14c8cb8103f76980caea909702611dd59b8fad23f39f0f89d789413ead2f2e177ba0a9065df9f8331539cc1e4c","ikmE":"1ddaf3549a5ce7fb663f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000","skRm":"0103c315b2297b8898bbf0831ec97a9330af35ba510ab35b83dd3ee2499ba6c08504568798542b604e687131e0a6e226cc4b4ee035fe7b5101e9a4740c0706a72d07","skSm":"0091f4d96943c9de1dd6dabefe144b586dc04a6d6330eba57f13dcee6ecb385edb9c1a81ad
2a418c5e2191b3d8a63114c18b7e6e57c410493efc25806c9604061235","skEm":"0070fde1288da3c21887fe3b1cfd7665564d4786382b013f8cbe81dfdc8921222b9a2e1de0fb6ee13fce840b1a9828af0bf9f360b8ca0eee78648ec79a9c60b3aba0","pkRm":"0401e47da2d3b25c3cfe4cb7794fabbc7e61a4aeb76c7d089c8cae8d4ad7eee0d276650f09c146386e80ec5cb863ffdc1980367ae6fdb7b21d55f24fcc22157cf5538b000d654bc0563b73614e4007d53a27d9453a2f5f2808bda59e33cda72a500eec53b738989feb2a9b5358d7298e2a3647426fa2e4c09dc082cad03d1832bb0dcdcd7a","pkSm":"04018b003592f92b6ce7a4c961c5b7cc117ba064f8de379dc8e0df39c96344ec769ff2c5cb7016c88b5fb27fd3da2fe0b581e7fedcb4f5d47e38cc1b61dbfb748073cd003e5b89bd9c4f076233ec2fdfd96786f68ce3295bb7090d9547c898e5ef0eb7a736c68ca5c47d24abd078c497c04f0eebdc7b8c2d827e99a277347c154326a9bdfd","pkEm":"04007a38daee96e1bcb7f1bce6d968d7b529cb264c2fe317812515cad13ee4934a4653f9e9874c4e8e32eb6b56a0f0ab88acd48d2a2cc10ade111a6b3e6412e7d521bf01bc7efe113a448c6053fd4aa914e72dd63e30d57fa70d40d85643e57622bf502db256ea9b0b72f122643f23d71aeddf3fd8c853a7b3cbab4d920cad28585273c411","enc":"04007a38daee96e1bcb7f1bce6d968d7b529cb264c2fe317812515cad13ee4934a4653f9e9874c4e8e32eb6b56a0f0ab88acd48d2a2cc10ade111a6b3e6412e7d521bf01bc7efe113a448c6053fd4aa914e72dd63e30d57fa70d40d85643e57622bf502db256ea9b0b72f122643f23d71aeddf3fd8c853a7b3cbab4d920cad28585273c411","shared_secret":"bf93946faca928a2eea98765f110a3c0580b4268ba7618741a5fb0397d39f2bb1eb141082c74c881e88226f4a07c7c16c6b5627b824480403cac30781567df70","key_schedule_context":"02c22bbb004b280397d8c7a3178b0e87cc664d6fbd8fc72151c4973a2d51f26405a55a464535cb968c3679ea20eeae1f3da07508875ad6f0775a793724b55d3ccb","secret":"ca1fe3ff5d665a62dd65eb4d81bc7e92f2235dc67212c3970db2f31e1ad885f0","key":"1a5aae1800de5ca71df43c911afd30cc313a861e9254a346155c4889efd59542","base_nonce":"9260958ae575b55922ca7bf1","exporter_secret":"5907cb3bdf457fdfd090f714ac220c8e4f664fa3c81976493601b00f6b2a72ad","encryptions":[{"aad":"436f756e742d30","ciphertext":"8b7b113e9b2d4edf4ebcdbd208e2b83abb7fbe226a2e83b2ee4b03057691fd65e
de8d4ad75c5759a7575511f50","nonce":"9260958ae575b55922ca7bf1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"a626b167e213af24b3083ac2d271ba15c1eea8c1e07e84a8ac757b85f6893329bfbcf55e1abad615ec56e988f3","nonce":"9260958ae575b55922ca7bf0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"c6aa66f5e4aa404dcd200ebf929d0a3e101d6ffc088c3ff62c5190e7c6a3db7cb2e7b15e3e5c455a10c33f5526","nonce":"9260958ae575b55922ca7bf3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"aa3b14d8240dda27d4e8b9ea4bd8951f5c4b54864dedc6d7fafea3ae4b4a25a0769e41ee8d9089b2bdd70a5cc3","nonce":"9260958ae575b55922ca7bf2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"0ea83cac290a69fab5f52635961387e80ce1acc8c6f16469920a46a885ffe1690127746c2fd1d5d3bae60065bf","nonce":"9260958ae575b55922ca7bf5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"1cb82c9ac1afb95a62330e910f3cd5d3ea2d9fb814c8160be167eaa31754063eeec2d2d317d4d66d6bda508326","nonce":"9260958ae575b55922ca7bf4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"75bd0581e928ddfbb3e938823bf371f2c3fd86468155fe66d2f38794f96ad3b6dde903b1b3416a4bc8d0d6a7a2","nonce":"9260958ae575b55922ca7bf7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"393cd9944a8ce69f7c63e49bc6daf0817976d3ccec595e70ff78954c94d39a6058267e34aa071f27c79a0273e8","nonce":"9260958ae575b55922ca7bf6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"d752962bf3e5ba88e7cd091b61828943f2e19854a15baba87fc61d49fd902819aee793baa48f422637e62c6548","nonce":"9260958ae575b55922ca7bf9","plaintext":"4265617574792
069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"7c7a0c44401b458840df20369f296776496c14a25da73891754941ad72325f98c9f655b18523c906825421e424","nonce":"9260958ae575b55922ca7bf8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"8f37b400102b54424953977efdfefae07055ef0e772f99fdfde278474c75b5cb"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"d98b2d5171f8a5a737ae3870ed6c2fd0d5de2129d1cc7403e595ba348a37ca09"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"1b28d24e200b743e4835b1dfce232978c63520ab554bf01441b3588ab98a03f7"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"48536381776f0e6cde5c9ffb24fabfda37745dcf2c3acb8437431c3505cb95bf"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"4afeb4c22f448b24f903580b1bdad46e5193dec9aa8d56b3ca9db4b9ffaff8f6"}]},{"mode":3,"kem_id":18,"kdf_id":1,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"ca5e8b86d07542f1d644723ab6607acd66ce3d6cb1a310731811b7752e5f01689d45662e8f199d4ded5e544765fe6a138b9d2287620244f3dac031688502dae28ddd","ikmS":"73c4ec7602d5c11da5965af5cdaf5c992caa760c2efe414f910292e7c0ea45877ea1413e1de92d5a6b8798b2f4cd0769c3cb7c79e472ac8dd97a884875f15e925dcb","ikmE":"234846e684d4d368c1f36483f45322c3c2f9d0d091c2f907d19abeb1e6b47cd8c7e9ec42c76d861b6542af987cfee2d7f4237f746b15964997071255538532baa401","skRm":"013dda76a76b5f7dfb1df487dc77c8aee591e003da0edfc98e5d32536ecc2b9bd28693e5edf3950d93c55e1dc94dafeba5f9f06a8b0ffd7f02bcfe8ec6304808aece","skSm":"01aa0a55bfec475a873759a5dccabba2fe01fe6826fec9cc77368c404a2cdf89cc5a671f47f8166de746b91e8f134073dc4025394693bfb997e87768e6d230573c76","skEm":"01d887711e4f74dc8be8cadf05a71c840fcb1232bb51aa60df3fcc34e6320c8750c87974c8a0d6014db156c618ea088027fd291adf55f876b1560df278c8018f0a5d","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af185
55a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"040008bc6fe181ebdc427a18e53a542140449f29d401864f9f310403234b8bbb4b7edebf3f6b164dc326d22d244ab8aba49eab60ed8af6c5d6821a83c9998c751770ce01c3ee44088d6043feb2bad48eeb67bef8043029d9642d5fb9d63f135bf8e237dfad704efd34940948f3d8c50b3d6850cd0315152aba2ac91d21838992dfeecc71ce","pkSm":"0401d25355517f57414acd869c70d1272da04c014dc7cfd5cf1ca3244e4252df7d8ece8cf098a75522d9234658f024caa653599542bdea56787d4e0a8e30d6745008fa00da918d8e137f3b272c7d12a8b3688ef4067c5f1ea1a8dac64bbef1d79852976004027fce247f990c5857b8d703ed7e92d2e20637bf8e14a82879518eb4063dad07","pkEm":"0400a83535e4b413d1c0752c76e1f18134234bb168cf6289a50c7078fe0993393e2b88131c3cae987955ca17fa50b105ebb5e863039ccda4d0f859ad1556685bbe38c700b376c944f1e3ad4ab801337c7f981abd4fb635b59345730f98c1427835d8fa65624c335086a71b73e0291d87e1ff5560fabf56c2704c9b14b6713313edda606236","enc":"0400a83535e4b413d1c0752c76e1f18134234bb168cf6289a50c7078fe0993393e2b88131c3cae987955ca17fa50b105ebb5e863039ccda4d0f859ad1556685bbe38c700b376c944f1e3ad4ab801337c7f981abd4fb635b59345730f98c1427835d8fa65624c335086a71b73e0291d87e1ff5560fabf56c2704c9b14b6713313edda606236","shared_secret":"f781bc19583647ea59352fb42bf725aa92275db56be5666c075f72c37e7e1199f70102bee7c92fcd98ddb9641f3c173873c8142f737b7c5b78a0f920d77efe04","key_schedule_context":"035f297d9380c73a70f85bd58e35098a8f715a136ac4fb4c5ca84c340d438aa347a55a464535cb968c3679ea20eeae1f3da07508875ad6f0775a793724b55d3ccb","secret":"4b6b0c9c64da77868d126cb320de7db25b6cbd2ffea0cc994962494663f3e38f","key":"f3c1c16cb93e7075d926ccbdd68c2b0a53bb8ac5a3d8fd0e180bcde15d80fbef","base_nonce":"6221231aff673e72754a29c1","exporter_secret":"dbc34309c5d6155d3f7354427e57c5526c1ff1b74b18780cdbe16f1beb2bc2f5","encryptions":[{"aad":"436f756e742d30","ciphertext":"39a072367492fc5ef11aeb99fd4a3f27d55ad2795e46d105b5965f6d595bc68b77d45da43aff9b3ae316786952","nonce":"6221231aff673e72754a29c1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}
,{"aad":"436f756e742d31","ciphertext":"ba30d8f1e75598250acc399708285c28767b474e035ee076b051bc8c4a88f644ad4e2fbce755bda23d5cfbdc19","nonce":"6221231aff673e72754a29c0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"42b2b2dababb0f2ff7df1619a8d7294992c26cdcb9daa43724ef1f18e0a4056144efc7ab8bf8eaca2b4d4f06b8","nonce":"6221231aff673e72754a29c3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"3e79b324dda10329d2da21360df8507c6f40dbf74decbb22225eb3e3777a5c6fc5224f4117db54e22736a38f17","nonce":"6221231aff673e72754a29c2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"d10398ffa46b474209b328c952bb5b8aa23505dd5eef928eeeba6e6f10d769b9f494d7f90b022a19605a6147d2","nonce":"6221231aff673e72754a29c5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"a3aa5111457f1ecfaed96383158841a1a39e37062747fe081f6234ef1f469078a8f1339d52ddb0c1f4a0917e3f","nonce":"6221231aff673e72754a29c4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"f9452b5f84e8da2d96593decf5e74e3c4bc71d23996903487cdeb2ea7d50021110b2924c0d930384ffef56d78a","nonce":"6221231aff673e72754a29c7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"268e88116c36cacb785d3cdf07928cda7d2670f28d2a0d1da3533a6fc30ef8e230cf26d152fe12daca9e1d2119","nonce":"6221231aff673e72754a29c6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"8c7c8786e1283ce261dd0094a5de74f20381f72a4cc6fc2e3bb6250b47ef2ebc4280f6258e4d33e942829788dd","nonce":"6221231aff673e72754a29c9","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"15516f6bdb3dabb58d6db63d5e241dfda13034361d30fc9ff
f2f36742fdbba46bb541e22aea0dc35da1117affc","nonce":"6221231aff673e72754a29c8","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"0ecbcb35912329afbf28dacacbb8cf250db075ceba7cdc44dac10b4c74f73faf"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"69e96cea9d0b7764dd55a4ada002246101c7a3654b51b66fc60064f8452a3ecb"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"fdc71404d2a84f3507f4d71e97cfe2f848f60d93d163e2d430f175f76bdbded4"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"63c7f5f529fc1a0adc02144aa747020b45f17aaf5027d057d00ff54762a29bdc"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"75037a4ca08ac10b19c997ae357e755df22f7d0f132b997c975a030ec43654e7"}]},{"mode":0,"kem_id":18,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"450053eb0235ef084df963f59d7521d287b2512ce6a3ae610b131954b450694810e63103d8994732421c25942787558a4e83853a4570c36ea17eadbc728967b5a7fd","ikmE":"9cdcbce915a18b666605035706ff11fe26d77f6bb4ff830d27b454ffda60b172a390ec8ba0f394d6e8d701ce7492e53974b334682c22e761f64bcf59c51cfa570183","skRm":"003e492dd770f64375bf275f2bbb31498fb16df2b5e5bbbc8fe04e90b52d0052c90eb8a6e18b45f0401c23b1fb006b9e7b18ec01c75d2c9c1efd17dd2e592b8b2c60","skEm":"003b05b67c7f494c9be15e5a99c2c8a9b85e4377a6e2f4b1def6094e0d2841f30411aabeaf075c67e3e80163d9dbe7a0edfb7bdbb4db7892ceb87972d3d52dfdf20f","pkRm":"04015d1b61478d03160625e69937fa8be8574372eee207a0a51a5a7a7fb8a9251b4434eb5e995b43328b8f9c4aa12263059c4690b53ee15bfca8857a9d521905551aaa00178c7d17e035d3fdfdc89e61e5985e4c9d9b8b2947093bd802c0bf222f1f6baaabb5e0fc8477688ac0c87febe456df1e39dfc7ff3ae3c5fd29bfc4c0e7d908e55d","pkEm":"040143d511351947f74ba6ee97cc73fb6bac33873e8441527fd81a4635bb6ae0787dafbd4f9f157916e908c8a9163e1e28ee5a736c3a053b0e1d8c546a114516e0f79201a7aa41f1716f7d3915e3a53df58c8fb25d0d55fbccdc2c6fe9c6cc92717b7
434b9698a3cde6d4de1b08353ada8477023dcb6bdd550227fe1a7a56fa57dac152411","enc":"040143d511351947f74ba6ee97cc73fb6bac33873e8441527fd81a4635bb6ae0787dafbd4f9f157916e908c8a9163e1e28ee5a736c3a053b0e1d8c546a114516e0f79201a7aa41f1716f7d3915e3a53df58c8fb25d0d55fbccdc2c6fe9c6cc92717b7434b9698a3cde6d4de1b08353ada8477023dcb6bdd550227fe1a7a56fa57dac152411","shared_secret":"5028b95815e55d533348df7a2f3520113dad71f2e58673e560354eaddee70bccbb255b4dca3320fd299d4eded36f73ad3b67fc950faef1201f5009743522a395","key_schedule_context":"00bbbc7388778a0907432f1571c4aae56571af513bd50891e1a3b808a3128d7d60ff78a6b37a7c1d2a3efff27a2a44609b9c72f78f5a8de83e791676321f549016","secret":"a60811aa0adddfa1d7385797668aca3933cc8dbdf5713efa164cd1c1bd336703","key":"2869c89a52c4c817fe646831ec8d812fc8765df1f99e39f237ab0e9405665e65","base_nonce":"a206f2b95e5eb8a2be6d9402","exporter_secret":"2916ed739378c759d1cd69113b0f1b65fcbbb1381c1d891d1f31da3c079a7399","encryptions":[{"aad":"436f756e742d30","ciphertext":"644c4415435d7b5586c6e3308b15e4b54602cd449c552f38eb864810202c58af8feeb36fd6cd166f06c151483e","nonce":"a206f2b95e5eb8a2be6d9402","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"a910741fb7a965c92b358816706052540a1613820b19b113257158c75ebe78528558c5f2460c07d18c912c0d35","nonce":"a206f2b95e5eb8a2be6d9403","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"edf25433d7167e079cdd38a34582867340b7c1541c1cd3ee9683da909dd969754d230313d41e7269020f8939d7","nonce":"a206f2b95e5eb8a2be6d9400","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"7679cbc243f5fc43911a3f248ff833875285c1f1c8d56779a22a4f49b9bc1b527828bef7f5f4e83928a4134613","nonce":"a206f2b95e5eb8a2be6d9401","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"2c87a818fefd8b44dd7c46b75b51c07612c09dcc81e97fb79684eb174d60de007b76
e6f943a0aba5e9bfd002d9","nonce":"a206f2b95e5eb8a2be6d9406","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"30f3b4ee448b086b4f3556e674d4d49e108c83d48c01ab7b3e712fcbae0f37a4fd1a25de3c0bff11f4c714a775","nonce":"a206f2b95e5eb8a2be6d9407","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"c57382606e36cd166648c698a61160484799a685113d4679b7ad3775177068a1a4185d28daba32eb7b340aab2d","nonce":"a206f2b95e5eb8a2be6d9404","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"e1fef863d6792c92b9a45c53722f3a3311a6066bf2f6a2d08e7e283557896a83e665ed6601215f8ea2844dfeb6","nonce":"a206f2b95e5eb8a2be6d9405","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"ce93e19fff69bf443b6cc8206a3ce544d8f8fafdcbd45c4ab7bb897d7b853288ef9d80cf63ac9a0cd20e3479da","nonce":"a206f2b95e5eb8a2be6d940a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"0c81f928fc485420762bd2d698000b23a27e28f095d1ceaf754beab31a3ff6d17fc8361f6935d8dcdda71187d3","nonce":"a206f2b95e5eb8a2be6d940b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"02e43233846e64ef2eaaabb9208c0fc823ddb05c603b22a1e7049f794e96c2a3"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"fcc4a90be63458acd7d11ddcd0a948ad521de04089260ff00b6ea1853d9432a5"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"8984bfe1bd88d10e5fa44e313dfc8b45f18aa673e403219599dc0d2eced7fa46"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"6fc14b442943c6f68c20ac59ecdb881551e436041b6703f3e33f4bd6c5fa11e0"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"2a0078026683b907f59cc56e6c836dfa1a64a
157a5a6f325dbc708e166efd03e"}]},{"mode":1,"kem_id":18,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"1cd89edc0e38d2ed7b3b7f7d1310035788df198e40e1f073194ba0f1192a218ec947243a6e19c791b1cfa1546b5960948f2b91146490180466ec80664bf0aa945716","ikmE":"0ff08b7b0fc2cf06686d4c12d3ceaf0d732567a05594ab9a4b0d44d57aafe6d1216fa6f54da078f572dbba2b23e0a481097381592c13863f6346419faf00cae82973","skRm":"00ba5855519bde89c56a8cd6358b28c901480b24b20fac27848a0eeb7f08af7ca5bf3118371ee0bdc986d0a63f572f52f84eac6a73e4259a9dc9bbb679f85e9eba50","skEm":"01d4ba4f1fe4a3b34f2b72353036fafee665778fdf8c2965b741137f3b706d63c6c7e0afbf5e9d3e2d937b65577439c43eedae971e5a1eeeab14869c14adaa3bb3b4","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"04014e57aa9a9349459b84759df0a1913e04472f4d2e94f2252e5236137e7eb761935afb390c4f6944bfab6f617ae595b57d3c1352dd7cf3c97ed655fd9283f4065e2d00168d663b77d7508ffa70e567e70a3aac9927a165d893653d5f0c93c3319d8101aa40e4e09e9596243b8d2164a6856fc43f7cf871eed231119f3cf4d52ab6988ba5","pkEm":"040145a30e76794a7fba78c6ec35291ebe8c1aa79425727811c65c0a3829841ff047cefac862dc608ca1fd539c5a1e848d227301983f2131d1f2d19c096b80815a428a01a1469a39029401234107356951f1a97a989c861d4e84efcceb78d09a658ab2ca5e74b002ee40df0cea724282a2e2c6b75c2a4baca138b07ae16a23c36cba21a854","enc":"040145a30e76794a7fba78c6ec35291ebe8c1aa79425727811c65c0a3829841ff047cefac862dc608ca1fd539c5a1e848d227301983f2131d1f2d19c096b80815a428a01a1469a39029401234107356951f1a97a989c861d4e84efcceb78d09a658ab2ca5e74b002ee40df0cea724282a2e2c6b75c2a4baca138b07ae16a23c36cba21a854","shared_secret":"f405b7cb2237525ae95c88589de3443d866e10d9cacd3ea34cf5f40ebcbb8a2cbc26c1692766a1b66a9498cad9b5e80ccd29e703361bc8559e1c848c6b955e6b","key_schedule_context":"0179a99bdcba371c6229859d370979957913c7bda9a818b9dff1e40126c5dd9f32ff78a6b37a7c1d2a3efff27a2a44609b9c72f78f5a8de83e791676321f549016","secret":"866481cfd1464b65f217e5a927527bfe4839
1400093aacf013a7a1f16513f102","key":"e8efaa10aeadd4a948f481cb1744cf942f65aff618ef017bf6e35003bd006f10","base_nonce":"b956d8945923b95008c341f4","exporter_secret":"cfe8d8eee2beb47ceea9d42f9d899d84d62b918142f761d6f9fa4004ecb720ca","encryptions":[{"aad":"436f756e742d30","ciphertext":"a9ad3ab8fd92f505cc4997776132687d978ee95dcb10570a206ec147f7c1945414d728faca031656c2b3056878","nonce":"b956d8945923b95008c341f4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"81fc0a954deb914b43189dbab2ab70c698d193df8ba6633f2bed59290147ba9568573e8d71089a6ce95ea24d45","nonce":"b956d8945923b95008c341f5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"915a4e1a664a58f69535b92d01012d360acabf9385ddd4399e631b5d4798c996c43882c9a717dcf93b228ffe46","nonce":"b956d8945923b95008c341f6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"9d97b8233873a47002953a51520ec639b8476fca5ea927d00f30ef6ae19304f55f0790b5a5dacfe8926e2609a7","nonce":"b956d8945923b95008c341f7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"e3e4c7996218f1beb9efcf79c23d805ac32464f1ea43f9ddd3eb59e11266c1486baf633eb3a1d418e842c40156","nonce":"b956d8945923b95008c341f0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"4b2b83067975fd1460b693c2497d112fbace8a0207933ea7d5264d4e6928fdfa73c6e3c3213978a3e9e413bc2e","nonce":"b956d8945923b95008c341f1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"b89d9d7184e9f9c69ca6c04a906c3f3fbea54727c9eb8371fbdd22ba564a4de434508e9f1c32265604c84b6ff2","nonce":"b956d8945923b95008c341f2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"2a2a772dd8ec2aafe98e3d02c6486fdd7a8f0c560091fd
eee73030d51fe3edac10009c326a58e395786ccb5d90","nonce":"b956d8945923b95008c341f3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"4387694e85b08db1c8893057ff9d262f1d3408b6fa3290c7a13cb26299e3647aa255c878203495a25b3ba58ea7","nonce":"b956d8945923b95008c341fc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"051b8dc17f32c1a34ce98ae6ed3b97fb723fb753a46aa138a0b20459fd13f0d3c20cf9d6803dbd837120ac3525","nonce":"b956d8945923b95008c341fd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"90d3638034d178f4bc19e7747a5f65b1066c97d19a72cdd9c15247fb9ab09901"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"7f74f79496a41ff2893da041742d1111a66233c746a7f2378091bf32eee394b9"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"5b7e39572df926460b5ef54a6240d1e74eee5e15d3eda56a4c6fde0a9a300a78"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"a2eab5bdbb9464bad34c0a8d4d6794299655a6ac90308d9af3eb9b184bf11f22"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"f9969196b52b2fdaac50edccab6ccbfdf9a0f609c804868a3ff3bdd4b3491192"}]},{"mode":2,"kem_id":18,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"edf8f41f33120c314d7eb95c28ccf50145a3434634b17059494ff46a23d4ac115a56fd29244e00af5c9f203c369cecb6682ce46b6c90f52dca0f3ae78537d2867c3d","ikmS":"7a2d6af03f21b36357e73fd0183d17417fa411bdf8a1d0844dad9ff417b383e6df3630265c561d6b48ce4b87d301cc9324e64396f0154f7b98613b364978fc2d5324","ikmE":"facfe51afeee08200d6aeefec5cb2bc79b7c5d5e5986ffae15e7b5a63b42b3225b480919d0d97238e65f3d072857c82bb8099943a41b67a070679747a5a23afcd4b4","skRm":"00ab6452b881744e6ecc38965a99ea330177e6d175fcbfe0de48873021bb1a5b680f83adbd45920e744961be034cff6f61fefe77fed124d49317a60790cd8ec8b3cf",
"skSm":"014f6767650f188f58f8f3ee5ccbc36f5777bf07901c599a702dfa9dedc5b55ceee8d275678896cfb9fdfe06783ad001fa32fd43bd16080f3ce7514c801f0ce051e8","skEm":"01ac24fb7de0f6e038458beb0ff9f4eccd936004cd809e912c9878ea8b23f16e9b20b9b3f25929feb457c52fbb91d2b9364186df927e1bd1ddd03054ff1a50f983a3","pkRm":"040112fc0a05d1a13d80a2e57e11435183754098e18d52dc6d0bbd11adb32f3c45e64fd9939ecef46a9b79758bcb967afe3714babb1540a60f069b22dc70d04dc1304201c62e9bc3cb555c9a68b30d44d96639d541b8b4eedda0aec5607861adedc629185274b4a3604ca5548ed6c0a341c9e6a42828da10ce0d7cb333d6194b7abae64c16","pkSm":"0401a5eb92faff865fb834547c3391ecef18558c6a8ea86e339c8d7695c8861c1cffdaa64210b1a8707c522c5e0f6bac98a6e7fc376ca5802b93d7ccad0bb67497b28f0199058aa9ee61c425d5f662ddf836dcdbac28a0bdc73a889f3c1ef251552f9d9842eb771457f4e60eab8632800a6af35ef91285f97c2de9598827a0929fb67a1815","pkEm":"040169b99e2da9e0aee31f3b3e2d9f8a037ed94ca298f8695710fc09e77563c5073c55c256723e41d71b181f474986e930b6f7fa094d9cc4dd05bb2d5b9ebbd5363f2d01facd241b20579f234cd885f7a5bfd67426ba6e82752f0b91d47ae466eb4878a6fe14fbbe5fbe700c48b22b1cb56d7628614b8a6227a4a9e12b540fab6fdf5432b8","enc":"040169b99e2da9e0aee31f3b3e2d9f8a037ed94ca298f8695710fc09e77563c5073c55c256723e41d71b181f474986e930b6f7fa094d9cc4dd05bb2d5b9ebbd5363f2d01facd241b20579f234cd885f7a5bfd67426ba6e82752f0b91d47ae466eb4878a6fe14fbbe5fbe700c48b22b1cb56d7628614b8a6227a4a9e12b540fab6fdf5432b8","shared_secret":"6158a53f0281ca98db73f65b72cd1bdb921de06a4cacce44bd59f49594c26f6300d2095974a468ca10c9d79c31cc5d0a40ec84f220446e8b7dcc8d0d014e6b92","key_schedule_context":"02bbbc7388778a0907432f1571c4aae56571af513bd50891e1a3b808a3128d7d60ff78a6b37a7c1d2a3efff27a2a44609b9c72f78f5a8de83e791676321f549016","secret":"c0b1f4b5eb524816cfe772d7657797a99acae4af58b5a21f109a58f257aae251","key":"57f2902eb4bbd71e0a58c5435a5c5d71da616dd34f7e469096410febbd78cdbb","base_nonce":"79b8a354430c1a43c8e406e7","exporter_secret":"bf65135809a7872aec55f133f7da75c914317393dfdf62400f14b8a989a8734e","encryptions":[{"aad":"436f756e742d3
0","ciphertext":"7a1af50e738cfd1633bb4c1a953b6d48f432bc509ae11b3c014fe94ed23587ef89885d000d1d2b641612f60fe6","nonce":"79b8a354430c1a43c8e406e7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"5c5292c68af5d51d087e6a0e5be96ebfbf4cfb27f5e1f68e2c11b73706ec365a16664594f22883012e1ff3e287","nonce":"79b8a354430c1a43c8e406e6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"b868b7dbe440eed0c13890b1dfdc8e49510494bbf04079257423c6bd7519adcdaa6d28c24ee8955d9d12f33aeb","nonce":"79b8a354430c1a43c8e406e5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"de3307acfa9a9d60aa35c18024a888060660f3ad76c3af493d0f1d8c60c16def21c8a020861f26ab5eaa3452de","nonce":"79b8a354430c1a43c8e406e4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"bb8151c95217fba5307cf4513ddd35fc476deaeb43a3cc4700d5a21032f278dab4c38d7c76ca6331ea3cd797a9","nonce":"79b8a354430c1a43c8e406e3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"54827ea165f923baee4342f1f8889f61c3adf0a1b204759e022ac2353779985f60126f6c5e0f3c9cd8840df930","nonce":"79b8a354430c1a43c8e406e2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"55a7280e22c4d2035333b415010b87335a93aa118e408f7ea9aa54dcf1ae4b22117d76c21eb1e825a4fbdef31c","nonce":"79b8a354430c1a43c8e406e1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"cfeea0cafe89d2495d455fa4e0e3cb8867bdc5763183f9a32ebd4ad390dcb6dd9f32a7d7e419611acc806ac3a6","nonce":"79b8a354430c1a43c8e406e0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"058719fbe4ce3e47f82885e5f6c880ed641e21ef218e87f77e3cb73481a9855f6044228
88a5242735bfb971753","nonce":"79b8a354430c1a43c8e406ef","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"54dd3cb388a396c53794a7466d0c8777a09e50cc237884ce12dd5c94a6e305246115701e9d1349c334f91aa586","nonce":"79b8a354430c1a43c8e406ee","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"dad6e9f763b58754bba088c3a2b9836ecacf89b580960e5bcb33f86db1f2e7df"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"b1a4764c60a946351c828e91542959aad5a62cded549e7767fefcb46be42b64d"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"cf62bd89e85707a7cc5847ff053db604e1ebd71d8cfedf3a0e87c7f3b86ca433"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"18ff1af47b1fc6714fd9a279b6daa259e00466beafedf816410b20a7a886dc01"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"ad045ef40b585e7a8481d181370fee0536d4bcf2460bc56a5f0dbe689a9c7fd1"}]},{"mode":3,"kem_id":18,"kdf_id":1,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"a33779152d528327192218f4a4d5fc697533e706fcd45dc13f2bef3607d16c31aafd3824e525ec0c9e9c4bdacb8dd573710c7487fc60276978f5248ca4670cbe04a2","ikmS":"0416fed56a2b1dacb0c3259a4597c770e4880b713a9c370e65d4c9c33b178693a3bb9a04aedeba76254de5b4b49e82b113fa3c022994d8b557e93d814a54ff301fd9","ikmE":"c9e59adff578faded99e5d9361e73f88cb8676eb901e185bf372e7c7bc359a885aea68660f71d8136ce557f72b34a0e91ff0c05fde5b5bafb1060677b23d01ffd51f","skRm":"01da432b7ba53b2eaf32aa6be8e93f30fc95eae8522bd2b3125562504823890e790533e8a538fa2efa623af50fbb434467b91dd7feea32dbc0b438b9cf497479fa0f","skSm":"01441d47cd1ccd65054df630f8e8a740a2d027cb691fc88703b24bd9536bf504a4b358dd529ccccb22cee82077bb53afaf08d3601cc301391d8b7a9a28192e85c796","skEm":"00d2b2bf1101a706b3db21d79917a9c35ab9ab4b1b7abf49badc4b7c520d6f14db6c218df2420235f0aad0b23b3e9c5c29eb1e3b549d7a8011
a54d59d9ea128c7b04","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"040085d04711eaa4953f40f9b32c3fc4196f2ce1c3e46e9901a02a6eb249ea019852b06c7b089173195a82d7fc2f2d4f0d3cb382773c885a9462ba6a89810c9b6ff46f012e430199e634c58b95b54ca9cf6dc5bd7c96a934f731b708f3fa7ad92336a2cb8edf51fd2519d7c43f1f4a08372e2d92c700eaa5b48e2343eef1754c283e89c7ae","pkSm":"0400c21290ae720fef2234758bb61f3a18dfd776c1f59446100583b3d0134b6d8381cab0bf7c2e9ee3ba85b262191da929fa6abb0dde05efb22372ecf712157381f1d00021c738ffeaa8e10dc93c3519e4501f092e8facefbaa22c6761d02bcf2e91e65a8fb213d09011991d4803d322b8a2dd94b0850a79a3bff49107dfc32b25bb30ae09","pkEm":"04004a266ef9cfbcb3e68f8bb79fc441bff700c956a92db336a085cb92c2f2a4e7e7ae867cf165038de074e4dc5fd102d1d383b64161d11db6563b5ddd4645e5943405018dd196121bd8ec196acfdc108eb56906a416b81eb9451fc111b37198674f8c48d2f6bb14e2992c1d11081d76a0b4c847a9196bd709e7837c6a9a6dec171190b29a","enc":"04004a266ef9cfbcb3e68f8bb79fc441bff700c956a92db336a085cb92c2f2a4e7e7ae867cf165038de074e4dc5fd102d1d383b64161d11db6563b5ddd4645e5943405018dd196121bd8ec196acfdc108eb56906a416b81eb9451fc111b37198674f8c48d2f6bb14e2992c1d11081d76a0b4c847a9196bd709e7837c6a9a6dec171190b29a","shared_secret":"898d8117d6756eb6882b8d3e709d4a4865808f7f0e3a63ddcf25c6d451308af9c335c900bd6d24ca1445a700f623b5e1c6300bbd29dabd504b15fb042a63991c","key_schedule_context":"0379a99bdcba371c6229859d370979957913c7bda9a818b9dff1e40126c5dd9f32ff78a6b37a7c1d2a3efff27a2a44609b9c72f78f5a8de83e791676321f549016","secret":"95387798722f01fcd1d25a597cdc9e15b6cced0bc97d9debda2e7f249c5ce4d1","key":"d3f82bd14c864d7ab665338d81154d2e8d1adfada2f5025b97c28f34548354f6","base_nonce":"c69ed08c34b2dfbab7274412","exporter_secret":"fdf8589197cc76c6d07d2c7a800645c90dd2f1b97544979d6cc9a3958cbbd094","encryptions":[{"aad":"436f756e742d30","ciphertext":"2b4cbd4dc7870bc3cb90b7dc433e85a044377302d7359be1241e5a59d02200921c3ef513d982dda7bd83eaa007","nonce":"c69ed08c34b2dfbab
7274412","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"1731886431bd1c6f7b4e2d73a4fa89066d0271ecf53ef1e86ca01dacbdfe8f9347949ec20b82db420eec0fe82a","nonce":"c69ed08c34b2dfbab7274413","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"371e03cedb381753bb627f7e6e20a5c4bcf777c6e991bdf5d151e263346821a602e384a3981c005a467009795b","nonce":"c69ed08c34b2dfbab7274410","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"e334e4d845fca929a6f6ba3258066d4c93678740f56847b8ae5025484bcddfaa6480726fdf1774350ee4d4e533","nonce":"c69ed08c34b2dfbab7274411","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"bdaa9f0e7e04a1e9bdb7a5f1315a569ed2b192b0a3544dac41f73209db4fc7db81e2c2defea192e87b26b79490","nonce":"c69ed08c34b2dfbab7274416","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"e46dc8b970101a5ccbbf86895de2fea537ec15de97cc652c0e24b799bf89d6967b10449493c121ae4ca24aa9ad","nonce":"c69ed08c34b2dfbab7274417","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"2489048abe4c42a1c3c9b74006d2d78c7d5a448970d9255ec2e57f64e362e62c8c4c8a316da95658f0addb948a","nonce":"c69ed08c34b2dfbab7274414","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"edc0dc46f3c066c578f0b017ca6d0852d8adcf1bf44d4e935872cd07f7629aff60f487eb7c3ea54e79336b7702","nonce":"c69ed08c34b2dfbab7274415","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"6e2f48fb2a14b072bed2bf633eefb4826cf13ca7e4be74501d44a911f1d146b6e35b5a802e22d276daa240f928","nonce":"c69ed08c34b2dfbab727441a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad
":"436f756e742d39","ciphertext":"b577d3d821c47059e5a412915fc44dcce1fc71941029d1cc46322a9587f714f450a5a0d48198cf478e3ac72f41","nonce":"c69ed08c34b2dfbab727441b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"4d36f4fce437d64c03184107051bc382d6123c5f1e139381b6ac7479d79bfa3b"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"65a80cd28c2095e1f183d5420308a0886456372733bc315dbddf6c871b0159ad"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"203f5578eba460fa6c5305f6a5ab200eff38c7707a3baa52a614c4e5d5a757e3"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"cd49e045e4098ff50db3ccf82270a2c000831b7ce02bd9c3cfe83722d5bf039f"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"e0f45a480b9e6422948ec8bf515528ba2c42edf0fac9b49f3067f3cbc891f7d3"}]},{"mode":0,"kem_id":18,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"9ead1f335c3d1dfb90b9f8465736ad72192c12d4afdc24367bc1177614910afe486e7a16ac9a65c6d8da773509f9cf4c7068de99fd08845f8a4e7a202246b10f6bae","ikmE":"7a8d539daccc7c12fb2f54887591825a3fa2cc77d273e33dae31fc3350d665481fd3074f47b414d5d8b9cc150bdf5474acafd9491ecdf7879a67a328a0ad023bffec","skRm":"015d785c80aaabff3d19714297027c1e0ff21030cf65fce12612f9fd38676c382a08fa75d737f510c020e3157dae4b8807b795ee554247b40eb974b8a3cf9e3367f7","skEm":"01c89afce2b9b19cacc851c48af2f8a30589e5bf0ed6318d7bea7d9fc7516c044ce139c5937f0cb9c844581ecc9f4b9faf752a1a074b7930d04d74e5f1567646cc5f","pkRm":"04014d68983f9751df275586101f5c2ad244e9b8515c865e6687440fc04f23f4c49d7723b57239da4209054343e4f37a1250533877e4e2d27f31a9e86a81bad70cf33800a0e96fcde3b8ffbe8b1d0796e657b8987918005daf2eae26ae129fa661d52838d8991a961b7d18a259d912ff760df04b838132b283469ab2f765462f27c057b452","pkEm":"04000a95790a1330fb7e6ff811be19ec155716d296c265d0bcddb1f8fcc5f5e6d7fbc1430d0fe3b668dc9f3f392457732b950cd0061aa93520c
2c724ac7905000dcc8e01c6b4a345715bac3ca69b1ec1dd2910a1072efa4ad1bd02b0c894cc7122cc5f30aaf2388835093ffd80dc5cf48919ef1358a1aab225785d1ad90712e6675eed209e","enc":"04000a95790a1330fb7e6ff811be19ec155716d296c265d0bcddb1f8fcc5f5e6d7fbc1430d0fe3b668dc9f3f392457732b950cd0061aa93520c2c724ac7905000dcc8e01c6b4a345715bac3ca69b1ec1dd2910a1072efa4ad1bd02b0c894cc7122cc5f30aaf2388835093ffd80dc5cf48919ef1358a1aab225785d1ad90712e6675eed209e","shared_secret":"d8a88fbdd7f2163bf085996f30c5e9ab5879c0170a1e3edc3d8b11a1eb2f991ede78cfaa1df5ccc4e65eac5e40b4129f274e34c84efa8770ffb8f0fb173316da","key_schedule_context":"00639045a40334be6d23d485310021c5407aac8efde4d8f65bc498019c5967059b0a03e62f460becd82a17b9387937085e61c542dffa84133a6aece03e6d44c7ddea4b86dede13e5e74e4c459d2d765052175dfb2cb6d05f64057cd593ecc90ed3c80b39646833fde0dba49c6d16ca85acb42408ffd8bd9dd62d992f93285a599d","secret":"89b533fc33ab8ae4f4c59b084583e93a5b412038931dfe7194d9317261f4e77668ce21c7550db9014533e700fa3430ced3a91560b063c6798d08e8dd6c53788b","key":"d60c1de68a8be2dcfb7be809018d3336","base_nonce":"cd062a68a4af985ac3441c2f","exporter_secret":"22d7ac22606d6ad8c1ef9d1901b168d11d9e7439e0611eb5175340420fc1dc2347af04561452c4123572593a5b35b6ed7b49f7f76bab01ffea473c2ea40f6e5e","encryptions":[{"aad":"436f756e742d30","ciphertext":"1bb2302276a0bfa2d14d16de1a5433f19469d51059c09c5b6a721b1c27a1f33f3f4eae3706fdd92f95d940669d","nonce":"cd062a68a4af985ac3441c2f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"3731569468e62afb124cb655b96087a87d15a49b3f0ac9c8fdcbc49e7a1348529541070a6419f6dc366d5cffca","nonce":"cd062a68a4af985ac3441c2e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"d60e15105ccc5c29bf8a42598d81d9a5b582e00bc044a705ee1f7f248dd00e1b45a77a7224b28c215cd4e24d5c","nonce":"cd062a68a4af985ac3441c2d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"f
cb42833338e5dc9d53999888b6eede5566b8293e4f1931863bd7239d023f5641090dfe247da61a6b1f181026a","nonce":"cd062a68a4af985ac3441c2c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"7752550b3e9d502b1fa13a13c77f33fb6e5c4b858753bbc7491d2a5ca3039def147c6c42120b9489e481ec1ff7","nonce":"cd062a68a4af985ac3441c2b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"41fa8a59a5cf7d20dcf9ce217c35296994e622a6a81e7ffecd00ba83a77b3e67293b559b55fab12829594646e6","nonce":"cd062a68a4af985ac3441c2a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"8c12888e1123e6436b87dbc312526dde2b914b343de68366fbd0866318e37613e32dc4b88a18b89ddf4fb0f7a0","nonce":"cd062a68a4af985ac3441c29","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"04989d319fb9af97585a1ee2cd1a0deefc66067f74c81cdd383aa8abeb48eeb71e6e55767061717d5797697adb","nonce":"cd062a68a4af985ac3441c28","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"67f8c02298010601b6624565ff5012b3c47f989f30f17f4f84188e2723f71d04e5dae955e010b6da431cb334bf","nonce":"cd062a68a4af985ac3441c27","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"9141f6ba1c331e97a09220cfcbddc7d7122280f19c0db95144be89e08cb4ad6cf4df2143d409d23236ddbaf56f","nonce":"cd062a68a4af985ac3441c26","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"8057a5a19bebc002f51e971ac3a3e7438abef139c47f1db81e131cb197247ca5"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"b930dae227489142e4636a9966cfa52cd034682597b64df1869b0b8fa756ace9"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"a3e63c5
f3dd808ae6669ac0f000424ee3f7663b625835c1497e2f2f3d6d50fe1"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"7c8052300bcd267638b9766c11e91a22ceb259850d5e2006e6c10f87760520c1"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"fd0131c1943b9e503fcb7614dbceaf49bd1d65e12fea05a248a5dba7c3401d96"}]},{"mode":1,"kem_id":18,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"d079d7e12642ef41731533e3d24f7d93a046ffb411227176832d5fa6b47c6ac5ad62bc88d76b45499cd4a39b49e250714f77c403b6991327f3492e61ff256812368d","ikmE":"9274ea84a806a63bbaea9bc9113d7b06a1ef557427687a6cc4f0c049cd46cb8433c6c5deb310a374a9a4e3be4da8e7b2fd526faaf19ca18322f862542c9af47bae56","skRm":"00f6a5a38846a6ae76f3a2f9bf231e8af7fc059e7838d3ffc894eb5c8ff5bbf9688ea4d989bef865d8298c9ff0dfcfde23f4f682124204bb27e956c6f8f94a149270","skEm":"01d5d17e838bd3101c8544f6b7c44d7c4e9358c174662fb0c32601fc66cc274471018124847a94072bb8eacd3c480bce8884a7632d51cde144e65a526ad019b9ebcb","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"0401098d956b31e51d9e1b70c339f74f1ff427f603a777570239012e3731146cb09399e41a98e066bccb0bd7e1fa73e15ae3331984903bf0b92eeedff127d882ddbe77012f94d1f7cd0eaf1d40c8837b39feeac92668c71a118e0f43ed9ac2277a4b04a813a9ef437e022f35b7fd6f0be41617d14cb9243c2d1df8a27b9245df61a99b8cb8","pkEm":"0401ecf4aed3ac8d35f565d84b448e71887c5997f384ea97b15eb88bd033b1dd40e4a4bf6a4c18f1729a11f2411b81c80de0db0d7344f876b3f19cd56a75ed546ef4fe01456b31644d0db2bebd76c0bcc6e9fad4b61951f3ebba510a931db7ba7f65916165527cee85f5628a1bcd70a341cb614c31adf3c678091ec08aef00accec18e9f4b","enc":"0401ecf4aed3ac8d35f565d84b448e71887c5997f384ea97b15eb88bd033b1dd40e4a4bf6a4c18f1729a11f2411b81c80de0db0d7344f876b3f19cd56a75ed546ef4fe01456b31644d0db2bebd76c0bcc6e9fad4b61951f3ebba510a931db7ba7f65916165527cee85f5628a1bcd70a341cb614c31adf3c678091ec08aef00accec18e9f4b","shared_secret":"ebfbecb696a4e291e2760c27c9
56fa2671c573f3f7543d3a512cf05858efaa14acfdf8c00bbfc4c861159de7e0eeed4208c578e2eefca83fb9f6e19419990533","key_schedule_context":"019c2d945bc632d61af591358b86024ea695daf24b3cb0f2aac6e251df1bd4b1cbaa95725f3b2ead5ada20d0c5f69946ab3ba46ae6297f1844db4de1406634e47fea4b86dede13e5e74e4c459d2d765052175dfb2cb6d05f64057cd593ecc90ed3c80b39646833fde0dba49c6d16ca85acb42408ffd8bd9dd62d992f93285a599d","secret":"a120937e23f49eaa174dd9a4f994aebdc7dc716f97c2d7c08ea9edfa6e9f7eee45bd57cc9adfaad8ab1e36d02b2d8062314910912d365f920b671c041a69ace1","key":"cfa092d42a1044d621fcf18e32c0df89","base_nonce":"ea743e6251e662d262ff4455","exporter_secret":"86f6371322f63ee5f80b00200a8a8339cfda2d62850eb989aa5665be23563a7389cbeed6e683479e24b6731e318e55d42cd01754d3ef714632c9bf4f7001f545","encryptions":[{"aad":"436f756e742d30","ciphertext":"22a36541ceeccaf5239d18817378d87c6a968c28a7e603db6c83bd221da99440c98553d2339dd09c69f9755a86","nonce":"ea743e6251e662d262ff4455","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"206f3127c64b490dfdcb5582adc4f0eb006afeffb6d23f27b345b9696a83b5ac793b6364d3b4a1a6d65ddd6629","nonce":"ea743e6251e662d262ff4454","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"c7e956df1aa3bb21a7e16764538068913e02fba62ccad9e762c667b4b90c9ccffa338ec6d72bfee17bcb95d1f4","nonce":"ea743e6251e662d262ff4457","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"1d8cce647ace754f7b879c86b7855d12348fe9933519bca078ba7f69f84824c435528bf08713f12bc034837e88","nonce":"ea743e6251e662d262ff4456","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"58c9e504b0a1e5b66f3995319f9cbedf0c0426e318b405f635a754792583ed8ce3fa4c562a7c471eebdef04089","nonce":"ea743e6251e662d262ff4451","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphert
ext":"c96af77837296da23e75bd919faa23d32add4397bb09b2d9063ed3cadd63d7fffba99ae27f70cff1d2ce1f6dfa","nonce":"ea743e6251e662d262ff4450","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"d8326483558f3b84c8b1b7f3578d68a9db1520ec8381c5ba25409ac99617774aa566c90bca23afdf408ccce2ce","nonce":"ea743e6251e662d262ff4453","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"397855ff278c629f21dbe35180cb9f72c12cf88657fef10fbd366cbc9d1ff3eadc4b7288c5f36860bcfc63b8a5","nonce":"ea743e6251e662d262ff4452","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"72b7e74b819966e84e5dd820c5f996eba6cd3b8f093883d7e48ebb432d59a38a29aadc167cf77e3c1c20c9dee6","nonce":"ea743e6251e662d262ff445d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"95d4fcda243894902782251eae98d108eb750be4d09e52e64b1a5dde156d3ee402ebeef10078262a9d79c0281d","nonce":"ea743e6251e662d262ff445c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"438f485877c25e271c93430cea17b07e6cafeb24dfc6fe0f21097e097d943a97"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"ba202dda6fe73bdc9f3c3bee21bf28d4ec061059277da9c315425c8b01d9595d"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"e417e5ca29870e073d0d6da7af6f0d6c8fb62c24c1dfc7b2879f3ba12c537be1"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"45e1cc77896eacc0de73fe455aad3e497cf1f50bc2fada825affd1dd0744e393"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"58d0b25b7e586194cfa009299d895ea9c2f36b297f08d33dd0d2b44232bfe5ed"}]},{"mode":2,"kem_id":18,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"c0723a7173f81019908bd79b56fafd
fd6a892a1dc8dbaac7a5e9f363be4c140a63598534f291bc2f903f95e4a5387f56657d480d2db697882190fddf7bd69cdf4c4f","ikmS":"ae115777bd0d5eff1fa1f7df3a716731bbde87354cad14a7da6557af3aeda5850baa6a4d07676d04694fe202ec817d774d448a4b39e0262326945c338472f318ac2d","ikmE":"8defe90750648822d10e3fc0d1a6b4266c9663c96432ad172af1297e3f48230d6c5a69846e26a4a3c30db0fa9cf754660a3327f0265fcf312db853ab7b2cd2a69e71","skRm":"00fca88b826bb82bf795ae89c10034ac5bf68f3c452fc3f54de342ea109888781db491af5868ce0b0eff978e95e0de9473bd8ea5f5cf054dd0058e80ece501587ef1","skSm":"0042f093da85518b67e33342f467f03f8b6b62c3b98b319ce968e1412e2ba5be12dcc4fe12a82d5102084485bb95fb97f460cf4715892991c8c97df81429014f3a65","skEm":"00b32827444dc9fede639425cdfbe9923bfcbf7678ffced010f20336d1ec6f59bc28aa0c7f91d515005a35d956d58debf9bdfa1f8d681f8dc07d65f696bb66b1cd17","pkRm":"040066bb780495d88e8d1555eb9bfd5779097f3f0d79445bfa74309c7cc2e0ba8e4c65b13bde146118d4bd0208b46a71defc77e6d025b1c622262a85d525785347ea7c00f38c29bd99e58b735e3d944d3c5863779295b00d49a3322ea3083c39f8935eed9b3dbb7ab100a521e32f49f696ce9ed5b60e8b9441b04ef2178d2828bf32f3ff46","pkSm":"04008bfe0e30fd473cd35265cae67e6b2122febbe89259493a481b1bc28fcd4b8aca2729b509c709514b4e40075268f3e8f3c380756da3b7cb819be0957c700372258401a11c4181ca6ad402fc64099eb1f83b73315d5a7d19b119a172cbf8a43fbb4afe0e414aa923a4b995b0b3e4b2653a6a176cf82ab140a10736c81375374ba8b30c27","pkEm":"0400e2521426a84387de9bed65ebfe46b7584195a5eb573836a6940d9aad90e925b0da9b21d6f07219e94881010ab748905ee214b1168d6b310a3f32b2c55e9d4b052100e153b25be1628e7b7dbd8b41b902552826333d08d60555268bbfb893234be6a26a24d1fb5b3b3e12c300095b2e2222f32afd65d3f070f04748fb11efe7ab4723b9","enc":"0400e2521426a84387de9bed65ebfe46b7584195a5eb573836a6940d9aad90e925b0da9b21d6f07219e94881010ab748905ee214b1168d6b310a3f32b2c55e9d4b052100e153b25be1628e7b7dbd8b41b902552826333d08d60555268bbfb893234be6a26a24d1fb5b3b3e12c300095b2e2222f32afd65d3f070f04748fb11efe7ab4723b9","shared_secret":"949bbcfece10e50944369800c437f61a2cb6388f788374a1908c5c034abf166b76
2b227552ed5d17d9d66065931c12f5d41e6f0604e1dded97e5a1045bc3ff26","key_schedule_context":"02639045a40334be6d23d485310021c5407aac8efde4d8f65bc498019c5967059b0a03e62f460becd82a17b9387937085e61c542dffa84133a6aece03e6d44c7ddea4b86dede13e5e74e4c459d2d765052175dfb2cb6d05f64057cd593ecc90ed3c80b39646833fde0dba49c6d16ca85acb42408ffd8bd9dd62d992f93285a599d","secret":"4aa700bd396b3809164243d5d76559ac1bbe40f7a78a6bc0dd9713d31f8fe10892dc0ae300cc1120fc1c972f5242dee21be5db04af6616f13d06cfbc1daa94f9","key":"e2f0f691fa6fd0433acff2b3ef24b7ee","base_nonce":"c97e0d2ce4538651a42d0973","exporter_secret":"d1d5f50014eed5e6b930e55dd13237e19643430de4ff72066a5f7ab8551478d33823df609cbfc44d5b076993b39859f26eb89a0055479d6b307268248ef2edc8","encryptions":[{"aad":"436f756e742d30","ciphertext":"e57fb11ec7e3ba95c0f172889bf519b9c4788b12348778bb774e69cddbd473a14b510313eda72fc8e7c1532457","nonce":"c97e0d2ce4538651a42d0973","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"722b14ceb87a16b0d16d36095ac6b021b1c9c82bc0cf43d42853dde2bbedb0df940a2d2a404788a006551e77d4","nonce":"c97e0d2ce4538651a42d0972","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"4cce65ec9e574eee27c1c895987e1a1b2b5fa40d00e79312e4cc8d126d6a806654286c490d3d1b0ddcb549a64a","nonce":"c97e0d2ce4538651a42d0971","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"bc9ce66c7d4bebefe21c0b76d1465146beb1fe0c2242b600b4e652303056353a0d131e38ba067c37c94bfbf2d1","nonce":"c97e0d2ce4538651a42d0970","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"592327c4d4b0f365eb314ceb721f6a02a9046982f06d2bfdaeb04b229d41b34b050ec2a7b5a05eace4a8d88755","nonce":"c97e0d2ce4538651a42d0977","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"50fbc81935adebfbbac39a1c94a8963671
26c0ee9b7109de2f140a6e33fdeb0847aeef8bacf162484922708e6b","nonce":"c97e0d2ce4538651a42d0976","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"ee647fe7ef582ebaeee78b3d17aa9f0f6cda0f922d832a992e81983d318e10710c6ade39fa8664bf8c964fcd10","nonce":"c97e0d2ce4538651a42d0975","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"e222efa9bb3d5122ba3eabb0278d275db964244a6690e6ec61f56f16ca97f742800dab78369181406ae9331c68","nonce":"c97e0d2ce4538651a42d0974","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"c7a22f8695da1988c6d888abefc527d05d44db4fe4eda4e546e6016c40f8f64c0f4ae8b5385fe356836c111c91","nonce":"c97e0d2ce4538651a42d097b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"164a7c79a82a16de6a2ad749e42104d88d43da2fa0de432965b5667cb2d118fc3ef27d5ec376b5418fc79651bc","nonce":"c97e0d2ce4538651a42d097a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"7bd8e30694c68002c971cb68134c8849dee2106c9ec0d5dacf605bda3c870834"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"a69956eb0a5f256e7f6401fbad6d832422350a2ebdbc935973bcf597d9a14279"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"50586cd7b52ba44e7eefb39b73554dd34b36d5eccb526f60fcdaaeab5ce301db"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"bb05a134017c586f6e83925b87b8a8ab9619f8ddceb0f5ec7fb6b9e32da7ceb9"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"194af16d3746834e373c1e4d8dbb703e32eca9fbe3f14e346edaccb4ffbd9256"}]},{"mode":3,"kem_id":18,"kdf_id":3,"aead_id":1,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"cc3393f3541fb5653085d22d4482eecdf5006239822a934bfbcece5abcdec34555f1ff
9c23eb5e744111be02b35499b7fdea2d65fcd01a3f878d03f8c171fd13619d","ikmS":"394229599d39e383e472586786deac3f673a19ad7081d0f6459fff14e18e035a5ba209b35dcbcd20ea6d9f7f121e7e0b3509f408c7fb0af6840f42ca645de74f3da2","ikmE":"3e6e65931c2515a982961eab84221faa72bd38a8444a7bbdb38ed90e9ada1c620630e9bc99c9117561b895fa45dde92e2cfe247b046a3defbed9e44482826d954d64","skRm":"000fc25c7e4b06f26fb5ec8b26151bbf46ef95358ae36a8f3054e17364ce98bfb66178c0f6c02e87784c1e47362d3c8e12239e94c40e18bffda02e3d5cad7e1bcc4d","skSm":"01bc8595730b53baf5e9bb2930784f40ac6989d20983b8662e524ec835ffb08125b6c797a6eb0a2af6bfa88f87bb80cb376005e21063cf390d25931ed6ef83cc2140","skEm":"00929f5192f02d6c647214dbbaefbee54922720a8b63d1885244977249c57f5205abcc9e87b116c8194a695a3a61b575b318dd0682e9a245efe558232c1019a04083","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"0401ab83700c8e095972951c02c8785d54a867479bcee4c42cd8e6e62ffa8765eff64ad689e32b884fb0e13c6d5390916ad9ed777b121a930908ea4f96466396d0407e01a788110cd71d45feafc2f2a42499ce85c410a08885d848069ddc6e674a5ac94aa38f757ebb3c6f4347cd5362533ed16cf614440de070d635ff43382ba2761a3463","pkSm":"0400e83c9f901570a6ab0a5060ece430f69bf9379e25fc4a8b5d2bd52b885bdcd57bd54f0b6a50d36832dc4f18a469fba4082e77890dd58d5f4d4fbedb66a8a3b97655003c8ad9c11492fc584d1566d459631f504acd73d1bb23e367ecdf3781cd503566f796b88462444d5b91ff074ff858d58620b447985248b64ba1faf0bacd0ed04959","pkEm":"0401bb8737526136330866f4236301271f6ddbd5415eb7844319b700410d4f5a284613f938b6271ed0bb0721cf0dd40ae4d8735e8b06e7fb5081cbb1cd7ae38f4a63db01d06a296afff12dd1a4b5d75ad3f34c057807d96992e4f6a56906383e938c252afc7b29d96de932bac492d21133123554f0ec008681e6b9c49b3f2e5b5b7cd7f4de","enc":"0401bb8737526136330866f4236301271f6ddbd5415eb7844319b700410d4f5a284613f938b6271ed0bb0721cf0dd40ae4d8735e8b06e7fb5081cbb1cd7ae38f4a63db01d06a296afff12dd1a4b5d75ad3f34c057807d96992e4f6a56906383e938c252afc7b29d96de932bac492d21133123554f0ec008681e6b9c49b3f2e5b5b7cd7
f4de","shared_secret":"81ad15afcf2b4d2122eca4a267cfa9488af7c4dc2f9aaac1d76ad6a5add9bb705bb4112ca84445842c5ba5f9251727bac3a7d7a844ab92c859ad000ae11465dd","key_schedule_context":"039c2d945bc632d61af591358b86024ea695daf24b3cb0f2aac6e251df1bd4b1cbaa95725f3b2ead5ada20d0c5f69946ab3ba46ae6297f1844db4de1406634e47fea4b86dede13e5e74e4c459d2d765052175dfb2cb6d05f64057cd593ecc90ed3c80b39646833fde0dba49c6d16ca85acb42408ffd8bd9dd62d992f93285a599d","secret":"d5aa15f03b830f3f41346c3db11cbda7bb543574ef1fd964bb4b6e27d2ce6f517b00c5c7cd05b984ceb87bf29736f302c78eba81183d187074724487ac08b900","key":"e63d3865821a6dd26ec2c2b40efe79df","base_nonce":"c1bc2f383e42fb8706b7a5f4","exporter_secret":"48b006dab5737050c0ad4e3611af092f4ea7855722c68bd2dd1974db035c33d262565fce48cde8fe5de3dbd6365700021e1948fe9a4d19fd5ccaa2f9a0b8388a","encryptions":[{"aad":"436f756e742d30","ciphertext":"09f3260ac6f0968549e063811950e1ebf7d6eb5fb2cfc17a2437005e54fe104aac6daad85b89d23bdc78cffb54","nonce":"c1bc2f383e42fb8706b7a5f4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"2ae0bafe29786363e59138812951f3ebff284dff63a53ec873acd9f7e5bb7da4f1acdd45a7cb3249689ae2c478","nonce":"c1bc2f383e42fb8706b7a5f5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"1cde67b8715399a8ed7105859f07425bb3fe84859b78f8eed5d65a3e65b505d190777e1b01b6f41a9f0cf95109","nonce":"c1bc2f383e42fb8706b7a5f6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"98b985abe4c824e5d7bd4552a8ee590a232c9eb365ef1224f360a420e3812153c3a42b64408ddddab2a680b681","nonce":"c1bc2f383e42fb8706b7a5f7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"be2ab6ceb18da2783d1e859c722f76f29c4e0b7248285e0053a8f1130c4762d3663d7a91224a788686b049be07","nonce":"c1bc2f383e42fb8706b7a5f0","plaintext":"4265617574792069732074727574682c207472757468
20626561757479"},{"aad":"436f756e742d35","ciphertext":"03d29162241978c088e274cab0dc0e322e6c6ea3086ada2a2c9042dccf5d0542c7711644a7c531f63c8f29f961","nonce":"c1bc2f383e42fb8706b7a5f1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"a997fa48de4028398549cd5f993f8e4c0f55f893e117a2e1bcc124f0f3352b71db54b5b6be4e76b98b704298b3","nonce":"c1bc2f383e42fb8706b7a5f2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"ef9793084357b6a55f79915b35111b835ed1649e9e61b1e937475b1b6c89eb9c00c7af6d74ef8f566260aac1a4","nonce":"c1bc2f383e42fb8706b7a5f3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"e3bf894a51f47e60fff77d467458fafccc51c783b958732fdfa9e92ad4ba5772d63ee7b216f06002a1ac4ea964","nonce":"c1bc2f383e42fb8706b7a5fc","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"601b8ce05580ce9577158fdba40ee3e138018ec18a99350a4f8302f0f777e9fadc4dc3bb6d62ed1075f8e6bd37","nonce":"c1bc2f383e42fb8706b7a5fd","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"2918b11bf5c01c13d811905ed564064fc56348287fd07340727ccde4e5289a07"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"8b5497014270335120adaf435e492387b4217db75423cb71fd921c320816d148"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"6733ac1668d8ba9bab69c9f17e36fd594f776f75274761af8fafecf8da17c664"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"95f665706d22a178c6bc69b94c599b3912a7c2b2ef4805d7f2a5c18ad21846fa"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"df56417207c65103695fa92966eda0ff66f40fc1aee7e048a1dd58e3c8a6b4aa"}]},{"mode":2,"kem_id":18,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616
e2055726e","ikmR":"8a2c91df00036ba826b82041d8f8b6ac834d523bf2e0171cf2782fa8fa41c3c31f8d45608c72ff8fa93144cd7b35c2a2fb54d22d5026310527eac62c2e0b96773062","ikmS":"fae9a20e8d7c5a1a204525efcbaa8429d1176d07a754040edb280a436c245e0dcce2a33daaa77d60cc86d369e393f3e85bcbe873db3d52b652fd0c06269084a6b007","ikmE":"c2316dd8bfa4db4dbf0ac90df3ca30ec6da4defbd69c3fc6776d508c52bec2a76137d1bb6943999c2c5cb02e4817608e78e43742bdd9312bcd20df0c035c00190e4a","skRm":"00a7cf114d6c13ade5d78ccc4b27f968f90f9f27819d31a6cdbd6c11e61a7e7aabf0db61a1f405b9b454b2f067fdd46bec852762c597bc696a048690655e9e768640","skSm":"01e1e52612a71b64eb9de08c0ef1ca891b9ed723b58d623303502bda1c2acd271ea05de956d039132698b8a9b77f0fae19dbc58be07efef2404dbfe7d1f8e2826b6f","skEm":"001e0b948783f29b151c500ded773a6d1926057167bab99b9952219c3652fa6bec0a78179c3cff83f401fb8196cf186d496283f740e219719a82a0f31d069af78554","pkRm":"04002c079495bcdb3bafa978f1d93bb0125ed910cf599f9e0b2d14327b789b5da80663a9c50b5b89c5d8b8b8887dd4c11f0c0a002ef6940566db9896e8dd44b68602bb0093c0db3418ff336818b16069acfa6c1a5757e39cf5e333e975233d81291daeb62722983cb66df5f23e573f350d1c87204d6c78ba1b7199a8b59cef3f21eedb3d25","pkSm":"04000bf67ae5fe0233920946aae997a0267c995e0ad80c7633fe58a4e9aa20a617d5233a814fb49b42f56f914ef4c2fe05302781f80207e0610f8c6d7eb525cbdbc0fd0086c4d6a7c7a941b11fb35c6396bfcf9724ba20d758591a3b42b0140ccd7495ce1d76967f16b15824d95714e9d874ce0e4f6f58f6505d600b0a9583bcccfa329cb8","pkEm":"0400acdf9d4a40e646288121b6573382edead36cc4620f2739238b5c3dd95cf2890e5c469f72ea74b2a0a57e3c8023b094186023f6420ea6c66172f811c43c48132e9b01d93039f746f2fcaa3a502b2a61145211a9aa6881e911331a512d5c8f24ead2427e1a17b6065b22fa33a80912cdba4a05678e5f26ff569acb626883dfe127a282d8","enc":"0400acdf9d4a40e646288121b6573382edead36cc4620f2739238b5c3dd95cf2890e5c469f72ea74b2a0a57e3c8023b094186023f6420ea6c66172f811c43c48132e9b01d93039f746f2fcaa3a502b2a61145211a9aa6881e911331a512d5c8f24ead2427e1a17b6065b22fa33a80912cdba4a05678e5f26ff569acb626883dfe127a282d8","shared_secret":"c354d393741a742f9
18607d4de524d69ae543a4dec35f4adcbaa0a26e24f066bd477f6e0ab1561fa6719aa34986a1108301d847a0c6e7955b285c36876dd2749","key_schedule_context":"027037eb32f87d04083a2f21fbda9aa88523d237843169bc6643fe41b40f434ab776efe42da9db94c9b0b07bbab6536526de944469c381fc4f9d728b9933adbb1015143a0ef0c7be1dca97f49c6338ddf0ad6d2d8014dcdd624e461c938d103f6c55a6f539ca17eecf653cff7e419697dbe0e24e2697e22e738bf2c8486127f358","secret":"ff1a97a8454418e7bbb561185226d08962f3164226dd8f715a760e97eb43f8839d29f7a0b4c843580b6c4cc95af2e00fc78ccbba42242b69fbcc89999d45a9b8","key":"b070b9d9fa237daaa06bb8a49add65dd91cff2c7979adb5ec938313bd1401f4c","base_nonce":"31e7de26d7d371a6cce99164","exporter_secret":"364fe2d94e142cf2565e91551ac3c702a835a3dfe8a34cd7026b6b08af8708d0904355985832cfed62907d8afa49d11ab642aebfe496cd80f5a57677d7c3f21d","encryptions":[{"aad":"436f756e742d30","ciphertext":"f651583be32099943ece1339906bec82d51b3c2e3ed528934bb713b060350400aa70042a0f05a7e658f2881d42","nonce":"31e7de26d7d371a6cce99164","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"f02280b71c1fdb8027e19a539b041ddcbbee2a6b2f7921f10b1974a2f417e69a6a54faa637427d4dcd1ca615a7","nonce":"31e7de26d7d371a6cce99165","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"7e64904fe6ba42df1a57fab8d99d8c21fc7fcc56c284f7385e96132e9a9595fedba212934c8da87404b908ab25","nonce":"31e7de26d7d371a6cce99166","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"e6f20eb40602df5a7e8adf7d1178d2604477c9e3b60d911d739653dc219a9c4388e14ae44ef66e1ab9f375ee89","nonce":"31e7de26d7d371a6cce99167","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"4c0991e04e6c9f33d02c75ac787089997deebf520c0ae2c5b71d02f3ba0846f4aef46aef76a31cea667cbda0cd","nonce":"31e7de26d7d371a6cce99160","plaintext":"4265617574792069732074727574682c20747275746820626561
757479"},{"aad":"436f756e742d35","ciphertext":"706068a2dc0c366b40e9e071e607c439468f4adeda877635d094a13fde4c1eaa3ccf37e7401d75e4d91c65325c","nonce":"31e7de26d7d371a6cce99161","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"7b888316b0d150bf390c899abe343191f732b97cb317d0360dc170e888dfa9f8674b2e322f278e18aefeb3b943","nonce":"31e7de26d7d371a6cce99162","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"7bf4fabeb72a10af798f1a59951b79eb942b3d5dee80a629ad5380319a3008bef0400b804cffac1027de4f7afd","nonce":"31e7de26d7d371a6cce99163","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"76f0d1d93484d0877848d4137d4a238b88c3c0f7888d984521b6fa7a04538a08b693a72d74c70c4aa18dc5748a","nonce":"31e7de26d7d371a6cce9916c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"f720092e20945afb2fff4d7fe6da845ef0c8a32e51021b01fcb68e8ad3f01369d4653ab4bee44f8b16f2353da8","nonce":"31e7de26d7d371a6cce9916d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"b72b7f215869880c8856ea4e105e9aa2f977ce759bbdff1cc27473600a56ba6b"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"47e813120dddcff8f84c28742b103f10232ecba5de21f4a32597b9647bc5b1d1"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"7f9e7a61a6ab775f20cff323eecc6cb0f3dea5f69a7a773a8d5db3466e043e06"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"215894d303ad618054f4f7a6aab21eeb2b65c5f558d9d21b383c32a522999695"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"1a0f54f1c795049134070d2723695e337b0d8f02873d81de931b9b25c31d229c"}]},{"mode":3,"kem_id":18,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726
e","ikmR":"1f091f9d1a2e7fab0e7a546b035f569ea9f87ee320d0ba71f34bbea99417312837ccbfaaf5e2f1b9fbd67c85a17b86f0c245f99eee696b8a9e414104bf94816d0db0","ikmS":"7a8c31b96e751d449704375101e3cae1491ab144cdfa38a9f1133abba580e6dc47500ed2f236d7d08ca3a708e04e83ff88868b52bba61965dc8dec8a368becabf6fb","ikmE":"9fd78763744077736caa96eeaf15b20eece41e3ae367a6e8b099f5b7496fac2cdd9f73848ba07bad395bd47c58082216b3df0beca4d69e89676729c4c6a915e7ba00","skRm":"0033358145912ac9bf630fe80195d65e70c04de7e4643de51214d3534e7ed5c5007c3ccf933605d2f849430d203b25d9c32e3079ecd202bb55a8664e9176f659e65a","skSm":"01ee8110d8a8c0d2c8c15799043ef7e97782450b72e84200fb93d477babe12dce66b66040a36207bd454a18dfeb18ccb8a456507fd5f2cf0bbac536059e298798a66","skEm":"00c6f76b0c21fb1e1e364311b69faf9f8a14e6b93013804c922e504929cd60013e9b22a69185bf3c81832418a85c1da93fcb2b5d69f1717dc4a60d560d7daa88df4d","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"04010eaeedc54f8a07239f165db3851cd8fdf391c129e3f9a38d96c5d57a30ae1f148e47c7ac5711311a1762e7296ea177ea019e88b0842b6d3c2b70dc2eac49d40a4a006cb7c61b44a4a9228c13bee408352433d3a77f0c6b438cd67eb0a79704eb3c6a0bc86be5ca4d21df67671b16d6dd5f6d989a13420b5d533b6e21d9c7a1c7ba7d51","pkSm":"0401b1d07b118c38123e8dff3b95af2695a36f8b4ef6abc62937b5c7c056c11c8a75f7e7779f1e9ab252a03ea1fffd5c40de31ef153036fad5f07f095c10a6bb7513cf0058c3b7334fa02a6f7d45e20f9961717fd64529f487dcdc5d55221c2c338ad5d349e692b2559ff1f8114c51fd01f9ddb9e06679fa6d3ee05ba25788a50cffc35002","pkEm":"0401af80bcc7cd2ffb487fe23c81a45497f0691b8ce9e40d2a9c1225a7f319d2b960883c647cad870ef497b850a2b4a106089c63212d8e4f5d08008a8857d1356c10f3012700194dd6aa7d59a0c3d4515c9abd8d748fd16207f8b7ea210c521e76771479bc0287b64f54ab5b749f66fc9d078c7c8c7c4de9e82bcfcec7521398ea2bf2258f","enc":"0401af80bcc7cd2ffb487fe23c81a45497f0691b8ce9e40d2a9c1225a7f319d2b960883c647cad870ef497b850a2b4a106089c63212d8e4f5d08008a8857d1356c10f3012700194dd6aa7d59a0c3d4515c9abd8d748fd16207f8b
7ea210c521e76771479bc0287b64f54ab5b749f66fc9d078c7c8c7c4de9e82bcfcec7521398ea2bf2258f","shared_secret":"7548852ef9d446d03f92ea919323461d7fdd5769629a9bb44e1edbbec6c760c4b3aaa2a4a3ab93c840eef0ddf8cf60d8c922323e9c2dd1bf0d9fe027f3981554","key_schedule_context":"031b6c4c7206605da6ce250983c276ee8064ddf2e60a62feb697a5ca87ccf078a197c945aebad60fe7ea5a7f7ff722f3f6611f6eb1d95a8696ef33ddc6970e224d15143a0ef0c7be1dca97f49c6338ddf0ad6d2d8014dcdd624e461c938d103f6c55a6f539ca17eecf653cff7e419697dbe0e24e2697e22e738bf2c8486127f358","secret":"d0e1f134b0c81951a9ba13a172183c69489ad2fb576f0d447f32a9980de2223d921dd52020c38d4f3964bace61e2898a39d7c2cd93b364e7c3ecf222f529ee49","key":"0569d78ca02ce459ba6e64594dedff532aaaaf32d21df33d5851c8a9eb497aea","base_nonce":"8845a89539032a7b97b99c42","exporter_secret":"0d26eaeff8f5a19930b3ee774ea38a27251b067b42f8239964ebf8184cca6da717b9a5602ace3e31cb968a5102725d166b0abafe28b37af99667db452889197f","encryptions":[{"aad":"436f756e742d30","ciphertext":"861bc50c5de38f9703b44b063d99f4b75d1066e26b36993b7b0f9558b0dd81a837c0081cd62777e75e51fd666d","nonce":"8845a89539032a7b97b99c42","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"32bdeb7fa8872c6f262a00ff3739f040aaceda4f49851e61703f7bce8de5e5a6050017a070961aa0cc201ef31f","nonce":"8845a89539032a7b97b99c43","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"27bfff118f8f1c313088b86997e9f290634601525aa423108519747d453b55bb3200dad7e5f3fc34eb978e2515","nonce":"8845a89539032a7b97b99c40","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"5ac314949d09a352b605cb107dd1eb07de83928d05a74a104588491a3a594b5ebc42c2affe82bf2478d2a2d20b","nonce":"8845a89539032a7b97b99c41","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"837cf03ee02e8beca8c18df80c500c17473ff9b06b68e9bfa510dbe011717efaba4fac8
586d792422057515a9a","nonce":"8845a89539032a7b97b99c46","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"263d0d46e777aeca44ce5f38f98a1dc9fa3f4f4a8218b1653705410d927899562bdca8256122f7de307bc7548e","nonce":"8845a89539032a7b97b99c47","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"c133d09314847fe577f6876f8cd1f099cb1e44dbc2b0076d89b68576290ed03384a4922ad5c116ea39556aed7c","nonce":"8845a89539032a7b97b99c44","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"6b2d3a72d55215261363fe43bf8b124d396ad5c84914c95665ec2a173672d6ba90f88f42b1bcefab896d206c82","nonce":"8845a89539032a7b97b99c45","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"e5a63cd123c6c660be9d354572256495f3ba6c0718389aa3fb37eb5b4d18ded4f9a62ab8a3625266a3b2c9edb6","nonce":"8845a89539032a7b97b99c4a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"ec0038310215d0202eb46a94184bfccaceddfdb8ebd9b3098a4ff7758c9ad705350bae7112936bdd09f99bd197","nonce":"8845a89539032a7b97b99c4b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"1461ba057b6b9b46aa85727aaf4aec423761cd24ef199a14064d2252b1556790"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"49159c3a95c49724e08cdfa388839d4c51eace3b1721ec9feb745cb6bbc914c9"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"d182be8f6db79edecb5c3bbddb55a602bf8b41174ee89995eec97054bfa2d24d"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"20e92a4254c7d81e96e51ba5f4b4f8344e25e03e910c155fd5501fc29c8c8385"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"c14d98e02a952a63c9ed52907f71ef2ed006d65c
ac1a4d320de1b6b90edd458b"}]},{"mode":0,"kem_id":18,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"155c094bdcaae025aeaba3f1f40861e8844d8cad0be766735419f54a512be141336b1012fb345d60efaa5398b84ae54c1af5efc65b58f3aadc6ef165447884054579","ikmE":"be2ac9c1bbbaea5106d1ecb929a9ac1d794f3cb452beadcea9ebf34ac394a44c4d6aeb928c6879f959959a01fef44159ac1e45cf14d0237d7507bf3f948e187dcc83","skRm":"00c019c8754b7c0bbd53a7d1fe45426716480aacb51c0b884d2930c828ffcf9386bbac68d575bfff1ddb5f36f3d1c67221c9f9ae447468634d6f53d0787911d8bd3e","skEm":"009fa7bf58b6ebc840342b133c96aebc8b1f3b14a8fde84f3e4e0f93dec3f4775b7e5d008a921443b802c02573d43267c7940c4d190eb840f25b6226ab52862e7704","pkRm":"0400547399dfb2d510456b9d115cdf9ff0b723b1935f6f887b6f194fd28be253f3f67140e6ef0cf5e01b3906166b119d733c2ba5fcd9f8d0f5d483945cddfeddb7472701a8b46dfe2bfc2b31bd351d3de4bb58473e77ab8dc60370940ef1f6597b6ab21c4f0783dc733f8a3a676b83c4593a9b53caef619082d0648d5f37433d9fd83be7fd","pkEm":"04008c77c7d7ed204546bb71ba8abb853e11b3cb16222468caa78c70b3af7c4a5c44a576bac9b9dba8e64645585ba361e511543db0ff5db7432dc0042fe87bbd67cecd0187f2666138ba2bf8fb22e9c85a9a4667254a450f4c0a911174ee0e0e75a7db50b8002d3d560d4b3a165f74eb5f6304f49aba335a2a56e4a63c905370b575345e03","enc":"04008c77c7d7ed204546bb71ba8abb853e11b3cb16222468caa78c70b3af7c4a5c44a576bac9b9dba8e64645585ba361e511543db0ff5db7432dc0042fe87bbd67cecd0187f2666138ba2bf8fb22e9c85a9a4667254a450f4c0a911174ee0e0e75a7db50b8002d3d560d4b3a165f74eb5f6304f49aba335a2a56e4a63c905370b575345e03","shared_secret":"0a97bf3e2961df3c4bfeb480eb267436274affe17943012598f74dbaddf6f384c0f360a5d1a707969596fd222f44e09c223908410e2c3982ce6bca07ae07a878","key_schedule_context":"007037eb32f87d04083a2f21fbda9aa88523d237843169bc6643fe41b40f434ab776efe42da9db94c9b0b07bbab6536526de944469c381fc4f9d728b9933adbb1015143a0ef0c7be1dca97f49c6338ddf0ad6d2d8014dcdd624e461c938d103f6c55a6f539ca17eecf653cff7e419697dbe0e24e2697e22e738bf2c8486127f358","secret":"e23bb98c9bdfa178bd89811a3b1f486178eb1449
145a98ca489936205f0858aab32a4df39496b973aaad8fdcec12d1b93f290b087d7173f60f94b7545f29cd4b","key":"37b094cd8b6bd140b9021d7af86e16d15e7f0d481131abb6e8d84206603da03f","base_nonce":"988ee9e8df73c86a7f39df9f","exporter_secret":"defc34fd38f315bb4b2ea799a8ff40ca0ed3c46fde1d678a3d407c8ed861883b3b30350572d6b1549186a6323e50f7e520070f01d9c041947c093f15abede750","encryptions":[{"aad":"436f756e742d30","ciphertext":"8387d555228110552e8833cb801873962935bbb6d93d57b1b590b9b8cac23fe8d020c03e45054d0c61d9d6aa13","nonce":"988ee9e8df73c86a7f39df9f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"46446bc59525a433fad7ba13920f8dcb25927506908a804e01c03a66d904c0c9bc1c0ba509d0ac8deb70104750","nonce":"988ee9e8df73c86a7f39df9e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"c14fcf07ab82618cbd781676eddbcdf66672a20ceab590bcd895e76d40a7c915224ca7c542982f71970a1cdf93","nonce":"988ee9e8df73c86a7f39df9d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"5fdc87ef3b8c6419165937d0a56eeac5bea1c7db0962744f3dd012e605faf96009a97c4417d6105a54464a5c98","nonce":"988ee9e8df73c86a7f39df9c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"5f2430907fe41e587e36baf8ebbd701afa0d5de5a09fb76fef79748c462236554b82e3eae7dd337c60752c55a9","nonce":"988ee9e8df73c86a7f39df9b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"4182af2b78be29a94a5829a479068fc75fd0452ef8801a6b498fbc7630699e3339a7608beb2be65eb410e209b5","nonce":"988ee9e8df73c86a7f39df9a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"dbd14040080f8e9be5a511f543de03b3a353767e38d2ca40970c82577ffe1cee152088237e169e78afc5a65ee7","nonce":"988ee9e8df73c86a7f39df99","plaintext":"426561757479206973207
4727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"83b0b3c683f7ced766a87aa9118f71b636ec6573cdc4006ff9eea7c467c444609b3c70644c1aa111e85a3b4d2a","nonce":"988ee9e8df73c86a7f39df98","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"3e3fb90145c730ca8700e0b6f56b92a80d3e1b365720a5f3a49210966a2de3c189e1b38afb217a9649ce7b0d81","nonce":"988ee9e8df73c86a7f39df97","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"80be6d660aa73b2c484169eb64d15e58b61ca0dbf1baa32ae28a530edac29316cbe2a671ad1b34f44155400df4","nonce":"988ee9e8df73c86a7f39df96","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"637533179b9ef4b87d2d21c89f82d6fd1601f2eb7c0ad4335dea67242ea32807"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"829b8842750b4387dadd3dbc58358874e4408249454514a052aeb21d9c097be1"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"9d49840581364bf408cc9d6b95e19ef6184005b5004cd7d92d33083c3608c1ab"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"79a16c13233139fc57c8a5c084a6eb07f4b18aca7f7966aaa54c5c0c7c834045"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"cf4e3276f90926249000de6fda6ca42ec4c15c5f181d20d0a3c0631c0537e0e0"}]},{"mode":1,"kem_id":18,"kdf_id":3,"aead_id":2,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"a1acea380521e7912b00b8de94a29ddb0a11a3cdb3e9af1963832f6ca7490cf758050507bc4e56f1149e08194ac9f8cb5250b16d7dcdeb05b19ad9dadbe929480a38","ikmE":"3a710273326b2e8d0d30e06118c45c33e49d2a3cadd77c74b259927fe763c44a039f6b30987c85c2f078d265c1915a4f05b22a5a90ab33ead991e6e9668c18f25efc","skRm":"01e7f821a744c8dfcd54112293cb012bebdc5c909d8e08c572c4c2b36c49994a33db7f9911e3bb0af4d93133f2c69f0f0d56c0180055f4ca8a6022d1e8911658bcce","skEm":"006a39dcda
f64afc1c7659ad4f3b4994b06b337ecc1558fae6381a6cf40b8b979a43a8402b9abbe424de9f405e4967f6f120e9fef0f7ab2c35c6a44d8c03842cb6c4","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"0400cefe649b1fc8d3eae6a72b5f709fd3cb4b9cc5c898bd97bee28a2034954ac948748c2b18bfcc26fe3f4feecdbb3c71302eefd40cb86f06341fcd9fcb479610e1fb013ec76bd669e4b8b1dfcccf4665b50df0d9e637eedac392d7037bec5f88fffb33b7928fa3cd2937d31c917bc7e49518576eb0699aebca24c5bb6685e34df1bbda51","pkEm":"0400765e888bd8d5a3422636779166ca24835426af445fe840f988126b4c523ea8e4b39736decbb7f7bb8b44f92ebd5f74724e5bc02763a0fe528b564028d90cea6e72019e1fef25327dd60abbca875390fea852fd39761bcda5f5bc7ec3910c93861ba4c8fa4659a923bbdadbba248076bebca3809f766465d69f02b1e580f3301b3dd277","enc":"0400765e888bd8d5a3422636779166ca24835426af445fe840f988126b4c523ea8e4b39736decbb7f7bb8b44f92ebd5f74724e5bc02763a0fe528b564028d90cea6e72019e1fef25327dd60abbca875390fea852fd39761bcda5f5bc7ec3910c93861ba4c8fa4659a923bbdadbba248076bebca3809f766465d69f02b1e580f3301b3dd277","shared_secret":"0eba70f00ec2b1fad2e399817e3da4286f9a4760cbfa577837abcd6718c0a537d0db6d0252bd66f268a74aacbee700de707ad252d2bc7c336c5a633fdf141300","key_schedule_context":"011b6c4c7206605da6ce250983c276ee8064ddf2e60a62feb697a5ca87ccf078a197c945aebad60fe7ea5a7f7ff722f3f6611f6eb1d95a8696ef33ddc6970e224d15143a0ef0c7be1dca97f49c6338ddf0ad6d2d8014dcdd624e461c938d103f6c55a6f539ca17eecf653cff7e419697dbe0e24e2697e22e738bf2c8486127f358","secret":"b2372fe44ad0636d0718e3605d097e83e7950292c105de126df3431d8b2dabaef6f16e4877f97373aa626cd8c701884c2a85643e2c5780c7ff1165a3c5ae940e","key":"136795c572aa0ad39740479af168a5d29d0d0a8b40a7d5f3d3e4f6c071da2389","base_nonce":"dafd3fe12a47fbdd54f12c34","exporter_secret":"63c872cc5a6b35d9b394f76d593f79f3030ab1eb50316fd0b2d2e612e3c604a63de8ecbe606b4b427cdcef3101be1d8cb8cc5986f1471b4d73a735fa26ad03b8","encryptions":[{"aad":"436f756e742d30","ciphertext":"0d250f45c25844227fc2ad7a41b20e22ff
86649c6c3226426d9b8471fea80ec320716b885a3496c6438514936b","nonce":"dafd3fe12a47fbdd54f12c34","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"6a489c4d7dab4fdf70a12b2ad44f9fdff0b1f07298fe97a157ca192ba5a5179a8b35154522f805e2ddb391ccf1","nonce":"dafd3fe12a47fbdd54f12c35","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"dfa6fdd898e59911e80b4497d49ab48bc6d89dfbadff457b84a8f9c48fd69435bf38c74ec12e72e3beded30833","nonce":"dafd3fe12a47fbdd54f12c36","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"871a00c3a0423a91f1478ec5c2d30a625dd97dcd06ece1be5171394ae1f45c974fa4ec822bff7e1888159d4e46","nonce":"dafd3fe12a47fbdd54f12c37","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"09185e9bcf976a72d5bfee4dbbd53f4948dba9495dc2212dc5ce3e40f4d15b0cfa269815f83f2fafc203d66a00","nonce":"dafd3fe12a47fbdd54f12c30","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"96abf5e8a0192576e1d72510346dff62731abd6a1974e1d312ba3bb5ec8b6b29ab8eafe54ef2b6c039f4595795","nonce":"dafd3fe12a47fbdd54f12c31","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"e3b6e2a88fde935b6c958c6e55267b5742d5a09b5ebc42fe5337bb2197d34f991fe8b81a261726ea5d6d4dedba","nonce":"dafd3fe12a47fbdd54f12c32","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"e03448f229a28844bfc956abbd911c5b11776f91393eb2d1dcffb7f11eadb526b98c151e2fcf9146bd74b499d6","nonce":"dafd3fe12a47fbdd54f12c33","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"96fb8e02bbab20225310fe1beeeb64b9eb364c0bd7b18b1c3fb05c0078cdcee1f8c0a94647b1b820a927a83987","nonce":"dafd3fe12a47fbdd54f12
c3c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"09e8f929f4815f58c0b421dd897d4624836f33abcb8b1a6fa6f18ea478c0c8d9b61574cb54e65c1b647dd19250","nonce":"dafd3fe12a47fbdd54f12c3d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"b127b3d06d3d026a728dc9c9a893f0efe5654b4a662041011cc54ff1f06b0580"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"edfdb55f9fd82cb04352740d9cf397b56021286c52dd84f36b12baef0d4d2485"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"5f38d40920bce02afc711c55a9503d721e7a3a2b36690316f7f5ced30a140057"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"be2f336aa31f265bcb7caa2fa26713afc8796f125e9307d0f591c87b94a9dab7"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"fb17736f0ea61d1ad5dfe7ce7e1df2d46ddc3e24cfb1ef3266f75fed66f34a50"}]},{"mode":0,"kem_id":18,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"dd3d97cb558cd0e6d43986f162e4bfbf8e1baf113e3aaea01628e79198ff7db367308134c258c32ceb9aa80a0571800b9b5c150e4696aa4f4f660b215027f399e4ba","ikmE":"205febfc00125dd28b0375ab7958f10a92833ce128ae89fc437e6033f65075253657e4ff17e2eaeb62180da0c3e656f94cd3367e5f0300b1215f119d0d7ad1449797","skRm":"001465364bb735863dd91d319c57ccd1d14fdfd06cfe673333cf828cc41fa2032db5bd0c9f8dbe4009e832f0ad70558f93ad1b96f0d1eb2b9dc67f9427a5fd174b8f","skEm":"006c12cec3441fc3281c3979c375a46385cb9e16aa1217edd320994464f203789033ed62a2b92a7def5ce6bb5f0c8647c491e91216e107b7604daf3584004acf21b7","pkRm":"0401fe639ee845f598db0cd5e1dda6765e02b4f5267d826612323452c246865a1ebecf928a7c4c7ffbd74e3ef990fcf298385cc64e2d093ccd34afa3e114ebb328103e01cfea3c31676440696a3125824f200c6015997f6f31d3aa15ccffa5dba3faa2e2a61f83793f45f8e67f9062f3b740feb30ba3432e9e39f3d76d795d89dd23b420f1","pkEm":"0400d8cd57d99af3f6360d6de977ffd
459e66da43948b71aea1308cb78d8026364a1ebb23e5bfe42b7358ff5ccf701af52114ed599e064234ea2d6c515b6b4fa975de101809b536fe04ba4acc1e367c7389533e96754ea16e8d8ffca61bc86a64642e8f249bf0440fc43d13bad84531cbf75f57a0742126cedcb1ef9410817bfc66f542150","enc":"0400d8cd57d99af3f6360d6de977ffd459e66da43948b71aea1308cb78d8026364a1ebb23e5bfe42b7358ff5ccf701af52114ed599e064234ea2d6c515b6b4fa975de101809b536fe04ba4acc1e367c7389533e96754ea16e8d8ffca61bc86a64642e8f249bf0440fc43d13bad84531cbf75f57a0742126cedcb1ef9410817bfc66f542150","shared_secret":"a51aab0a190392dab01e9d5be3f69a060acb24d1488b19dc88cb597c56081e419b89a287bbc7bd91bffc419f5f11b65825eb408d9949b0a500af44269788813e","key_schedule_context":"008544e624c72bfd3494510fee58506f33e0cb474a1a446fbb908341de0f21b6c6b6389cddb4056bb1af6df5dae10568e6df5c30de1c688611dd2c9191647ad6afb3876947c22187d4b28f2b58594249fe7214e461614a6e9064944e083be6a2bcc8a781d1864fafcccca5c9ad90a90a3d04c6771108743a140bb6bd8de8dec322","secret":"c5f0b40ef20c754d8284de545236e92a48403c4f9bfde8e15de886dd813747670722976b74baa7c6ea4584ca99530ac1219bf2f7f0dcc555c0fa6b43bb2032d6","key":"9f3ed51e1bc638c1e99be9ab308f98f7dfa7792a09e81b356e73fbed44d57828","base_nonce":"98e331961fa9aad9798b8a01","exporter_secret":"df59aab81c81140c139aa168b799bd0de5a4903407cdfbf97d159b5f207040cb6de6a436548e03a921696a32c07f4d703224ce7bcb63142775bc948e1fdb810a","encryptions":[{"aad":"436f756e742d30","ciphertext":"806976ca19e0a55ea810e310fd585ebee29b644c472ba6888a93a5995737c3b622009cbde174aeb88d6a5710bf","nonce":"98e331961fa9aad9798b8a01","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"d0088e0320be41476e1fe0887459e825fbaefaff887b4f9dfcc34644527e2cad4b2da0d619e7f8946d12d3f02e","nonce":"98e331961fa9aad9798b8a00","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"bad22933953f5e38743e25a3b073b2c9c75ab2a7ab8d78e7facc4da9ab01eaee6acf549e74252abf426c72615b","nonce":"98e331961fa9aad9798b8a0
3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"f32acc4df5e92aba99a831c2090d0f4bdc0cf950924c1b6ba063d5115d80564deeaa08d95ce892f5a102b4e37f","nonce":"98e331961fa9aad9798b8a02","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"8d0e7f66c076b55514123e7ffdf45326edc4a72cab4907e5f2a0478b128f286e61614244f6c7142b724f8825e4","nonce":"98e331961fa9aad9798b8a05","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"0b16cc1fedfdd02c76a753f9d5e6c0cf387fa6ba3d9035edb8f5fb694e6322aecc74037e2835972313190894d6","nonce":"98e331961fa9aad9798b8a04","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"ad9dde3934c3ce1797777580650f92b935242d537025ed5ca050b5709590194cb53f02ef6b5dbc35589ec75440","nonce":"98e331961fa9aad9798b8a07","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"b7ba15578aadd1c5b3d353ed86ac09e57cadae4bd9a9c16231d44cd5a050ed2edb08b1bea62bf4d8cfca610c38","nonce":"98e331961fa9aad9798b8a06","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"6020046ea797903572c1d3f43eec779cb0bb4568dd2344b8c611f6d77e31e4f9f982426fa9c11cd50c7f159f28","nonce":"98e331961fa9aad9798b8a09","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"20e98ba0f090348283c0077e7cf4e63f3a48afa2d58b4cad5b27c9959fd865c93692f90986ca4f9f48c2adce9e","nonce":"98e331961fa9aad9798b8a08","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"0bb61a67732a29a30b4770288e16e35da95fe8cfb7ddc51c5bb39086bc8b8266"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"f1a0e30e27fb7e6ade4b3e3ad281e
8496bdec275e56c92ece7cb5e7206c10e37"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"10c6176206079856ccce9c725a3e2d1a30200b790fae8081bfb983ccf9288686"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"e3cb2ae9b064313995839f41c91a33ecfbdb82d0ed5205e1918a8c692c5d5ad9"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"854402849ad09edee9c99f01c7d185a39ddb574496c92f4e7447bca09f460e9d"}]},{"mode":1,"kem_id":18,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"a4b382dd501b3f2af04cb256f4440e61843a8d9f20d9327d6fcd1803c08eb20eb85cef2c3a8ace7544319be08350d22a463fb275931bd48ff3c3b365b07071633cfe","ikmE":"18a8ac72884b31b912140bc55daaef6043813221b7a48799f5016765eb730397360c83422fbdb44f858f2153cc19a6213ff4120b0662d0b3836d67370fdfe03a7bee","skRm":"018d100455176a3e39eca703eab3f09f082e7722bdeaf0ccf7986b70b2b9ae95a66c9984e0f68a4c3cef4f47a0626fcecea983a09675269214459ca4a1dad620f7a6","skEm":"01805a85ccf06de3a1ac546148e11e39f67b8916f98fac18e2ca26406fe32c4620ae336b154ccb9834d491d3a88c8404cc6bce742ab5a1c535b7509bffb209490870","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"0400bf5892ad7d30464658f863108fbd4019f19688f5afab4505da091bf1082a621c597f61470821bf3645462f8cbc6ad88ca49e7330d176a6178a574ae2218f11060c00fd9e77a357e55d2eb4489c535dc9a988b1cdfd347a7eb5241cea64391f443bfad089f4e3c2f586fb64ee3b55cb65b990b8413df1609780a15f51f2868945033b20","pkEm":"0400e7163ef70ff9acf58714d9e1cdc7eab5be68c6e747af76a3d5845c405e5073cae3930f03c3ef63bd06229470c4a5a6fa7f1fec438d0e1d65d45d70d4dbe6658e8f0189c343a089e446ff781059e2ed26f0a1b7b571746e09709141761fc359200d7b5db2aaca03d69e88d8f96013dbb4427c3795b24c7773c25db96284d8bec2e6fd58","enc":"0400e7163ef70ff9acf58714d9e1cdc7eab5be68c6e747af76a3d5845c405e5073cae3930f03c3ef63bd06229470c4a5a6fa7f1fec438d0e1d65d45d70d4dbe6658e8f0189c343a089e446ff781059e2ed26f0a1b7b571746e09709141761fc3592
00d7b5db2aaca03d69e88d8f96013dbb4427c3795b24c7773c25db96284d8bec2e6fd58","shared_secret":"ebd04162fc74c4e4dc6e96b5245ffb7ef10c332b310d0b4d7bd42c828c9839b7e6ae1b12a9d53ca5d441e2633994edb1f41509143eee781da5e07fa5f56c8b9a","key_schedule_context":"014d85fbe979ff87b24e604cc26481ee926c0cc54029dea89f61c329771b8b83e1dc0b583df05f8e70142f7b1b14d03bba3b1dff0d251bcdc09eab80ac55411960b3876947c22187d4b28f2b58594249fe7214e461614a6e9064944e083be6a2bcc8a781d1864fafcccca5c9ad90a90a3d04c6771108743a140bb6bd8de8dec322","secret":"2889c049ab0338d94b701db56ddf643b3551caaae4588c6b1f19988747d8d8f4a4a8dbf6d5cad278c540531b523c6deb905475cff5bc7dcae4fe0927abc5b321","key":"ca48746009e74bf0decc1f83ec789a029470c4cae5dcdd889d252650a50b415c","base_nonce":"9a5074130c5fc57ebe232cf7","exporter_secret":"54a5ea1b47f6e8f3e9c15960a7037a27abf2c45e3671c8bef776876bb17fc2f15b7eb49d7e25ab6dbdb1c8cf6b3435bb961009e238a4017191a5184683fd6297","encryptions":[{"aad":"436f756e742d30","ciphertext":"6fc9aa5ac9d5ff3d879acd7aee466d77ce7694f29490a353c5f7ef1cadbbc279f0c63d12b13e041ab24704430a","nonce":"9a5074130c5fc57ebe232cf7","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"0c7a6e774dd63b7a1e14f362e9a9c850af55cca3a6cd3fad0d4ca311d5ede85866ab05e0fe012f76a49173bc89","nonce":"9a5074130c5fc57ebe232cf6","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"7ba60f081e6a93c2699529c4062838c441e7107fda8987dabe2068d05c13594c77ae77508db6ed03e6f32e6da5","nonce":"9a5074130c5fc57ebe232cf5","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"b8b590ef5ae043b1c65d6d7a459d4540498552eb1ea06427c12907c5412cfbb29d4398c9e81efe13665eb3017c","nonce":"9a5074130c5fc57ebe232cf4","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"7e525c532c8f56a723807f7305c85c6422e638aebf89425c42a78fa503116ed01b9ca0f230adec1efd162
55810","nonce":"9a5074130c5fc57ebe232cf3","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"43071f20b9c676b3e5494e0650395f63a5eafbbfd7d5fd3034fb8ec5643b9ef920ea47bf0b21b553d2d533d9d8","nonce":"9a5074130c5fc57ebe232cf2","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"59428a58d4ea5f1d94de0e0340751dbaf9113a4b734a49b0c510b19c0188438ad042e4f88d06115aada7221064","nonce":"9a5074130c5fc57ebe232cf1","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"7f650cd2b9b376a397ff05251c369cfbbba2859652e89fadcc0eea399e0767bbb7315862d51c8e4f7ca107d6fd","nonce":"9a5074130c5fc57ebe232cf0","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"6bf2515f8ea7cda2392ec567b19eb7602dc3ef80019ee80c0af76404d9ee6c3dce38b62a6ff75a7041f20ffe7e","nonce":"9a5074130c5fc57ebe232cff","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"b07d8b2993b04f66c65948d472668595a73e96336eabcf5ff536973bdd615b619113cddbfc1d81d7df8e69707a","nonce":"9a5074130c5fc57ebe232cfe","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"13ae95be860285ed70b230df9791f6e3523d66ef445480b6058ace085ca8e86f"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"30000b9feadc3da6ea333144a4daf68c8d50ebd7509023a49b3afa30fd0fc539"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"58e911cb325de3a27525a5f0f476bec1e8edaa41edb0c895ba4af61abcba3a94"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"71f2b87e100630eb52f1c682719c3e362bd74011f960cce51b3362b789ea0e38"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"63e8f077ddcc272268c1f607b4e28b8d0bf527141fd82bcf578b8d
1496da0e94"}]},{"mode":2,"kem_id":18,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"f0235b601710f093ac9eae75ce49ed69cae9c14cf51e645aaced65c3aac74dad7a50a7581b141f96e5714494d6f9e40ab6010a9631fb62986fa8f43df7b8c0794aed","ikmS":"39ec511db6faf3bb9f5b2f0b1306413190c69aca3436935b368501af413fc147493ca1985254063004a83f65b6b500f4f8bd466d3ee300e255277fc67add52a6adca","ikmE":"e3013fb36955731cb07b188334757ac0cf61b7bc254819b286dd396d9e3134d2aa6febd93c6a0250a3cc4c4cefdca5e3324775e9d3ce2d7b01c3f88f9de337580d69","skRm":"0160e7e5f4370e9f55b1180f9e68a3ccd33e5f9e933518c2479ef93bb82402278cb2469189853de5836174d4a8c624057ea1d6c9c1863df430a783c15e1b16b39365","skSm":"007863b8c1e5a37a4a9e43b52f2a5a897a03e759c787b7cea7421833a9f47c76aff80dc9f3c24251027d209db6265b3e2f36f00a9ed8432d536b7cbbfd1229f02f0c","skEm":"006fc3291f4e271735e37db189651f23d3d4db2b68a62081d2b842b84779642a346fa209cffadf0698cabfb11cf27e73ea5ef80575547fa8b43ca42d2fe64ebdac2a","pkRm":"04011cd5ad7c330111b598b57526d05a022013b4348b63ac2f91628ed99621f983d85cd5038fe2f37a49be8a12c469283761afd2c20117976fece32770ced3abe7b762013afbd740625e8356a421560746d39f192683005945b1023a197f7e3a771079385d3060848576a76c24a1aacda8da69592979e1c6562995824485d771a7810833c6","pkSm":"0401d12931873a7dcf3b9a67415fa09f2bb383394491fb8ceaa57d9a93618dd2c2a8ffe701fe7119f41d17125a1775bc02b4a92fc6920671dae36b4a25e8b0d426ad2601240eca273aa9971a9979fef493466e84c18192a7bacab83b741f1fa4c0d597bf06ba97bf269f1815bb2d21ba3a3eff4fdd58fca79314014f5cb4d9a09a00486b9e","pkEm":"0400efa982596a41e8b2088f8318ab209bbc52d20f6fcd7490622d2ecb97dd3d6ab501b386f6af1ec608917b210152b690237c81f075febafb7f4c8cd62f1639a5369a01d74a9147d39c7bf8bf05b5dcdfedc092c937a26f21865e7b429c692eeca12f3430d1f9992ad3a64bb332990226da68d55f60b7aeea8883b39dc469f1aca14d835d","enc":"0400efa982596a41e8b2088f8318ab209bbc52d20f6fcd7490622d2ecb97dd3d6ab501b386f6af1ec608917b210152b690237c81f075febafb7f4c8cd62f1639a5369a01d74a9147d39c7bf8bf05b5dcdfedc092c937a26f21865e7b429c692eeca12f3430d
1f9992ad3a64bb332990226da68d55f60b7aeea8883b39dc469f1aca14d835d","shared_secret":"c090842cafd0b8654e343104f8b35a9a80f4803ae269081b729854ca9b018888809bb699ae123fa5eab9f41ba37ad23ad0b88369f9977494e4373cc1bfa7765f","key_schedule_context":"028544e624c72bfd3494510fee58506f33e0cb474a1a446fbb908341de0f21b6c6b6389cddb4056bb1af6df5dae10568e6df5c30de1c688611dd2c9191647ad6afb3876947c22187d4b28f2b58594249fe7214e461614a6e9064944e083be6a2bcc8a781d1864fafcccca5c9ad90a90a3d04c6771108743a140bb6bd8de8dec322","secret":"b10f696fe775675486ecea9ce511bc8e704d8203ef18b94abc2bc414ae912a95436bd7281b29341c52d4837bbe0f5431e79fbd160ea3f01463a3ddee61a09ff4","key":"4cdf1980777e325e5ac8da0e374f4055ac85c94b2e8f1ac24540e3eaaa5193b2","base_nonce":"e8d1619cba1b13d463ea6d3c","exporter_secret":"00eba238da3a766cfcf98fb0522ba6a66607c1b2f79261261f433ffc16bcef136ffe13a75591d2c8df028975a108c68e31b0ae6f4aafdc238244569e1805d6ba","encryptions":[{"aad":"436f756e742d30","ciphertext":"3f1d36a4065f34254a7c4a36f9239a9c6d15b866c752f07d2d0b24dbee73156646e4663e1ba384711d4406ab06","nonce":"e8d1619cba1b13d463ea6d3c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"450776563f2b089d1a8635254040e73a43ff77a68ad306009a9b87448ee8c8a6f189332a313a06e7f903fc9e25","nonce":"e8d1619cba1b13d463ea6d3d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"33d2326a2cd2915d9caa56ade227e532240a411988e1837463e8786b513ef867829753afa8017ff5034c3c1ac6","nonce":"e8d1619cba1b13d463ea6d3e","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"d0df332fb9e8207e603b490ab8925a8a889b28a32cc1f605e460ec48caa3390e38d7f83024439b9bddf8fb6503","nonce":"e8d1619cba1b13d463ea6d3f","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d34","ciphertext":"a7e7b7170665fbf628429b4b9403138a97cc1a0b9688f87418e9e933bd65204e8db9667e33b3ea7e31d4c9380f","
nonce":"e8d1619cba1b13d463ea6d38","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"0708a141c57998f7c6555b0127a18420aa353128d372d26783ca55c1f65189bd3631427a7e6c0f8642280b5228","nonce":"e8d1619cba1b13d463ea6d39","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"71ed33e263aa1e58468a8dbf3abba3378b0232d1279d13730eb78d33521edcec53c8e4671cde2df6ea4a7ef400","nonce":"e8d1619cba1b13d463ea6d3a","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"c2ade3a148d0f0959333944f507dc155843d0280d791bae14e1bfdd6755939f71da138959d1e19f227be197840","nonce":"e8d1619cba1b13d463ea6d3b","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"f267324bdb751d0bc0e8b5dd61215708fa0805ba676f66666a6e9d25bbf23e3f28fac7b74d63f5b0a5940cf491","nonce":"e8d1619cba1b13d463ea6d34","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"b95bd027ba40f767eaba7de561386fe1d7472222462f1f53ac63aa8cd4f671867278b29d4eced758e17f6486dc","nonce":"e8d1619cba1b13d463ea6d35","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"a19e799562c292a4057e8426e8c7f6f512f186c5a5c3bbedc72de2a2c9ffb733"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"e357b3906325c231d15452f07044c11f9636039a8168a0eefbffa2feb65e18f5"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"e7e3d527c76987d8ef083081d673a11daafb4728d84091216948a59386a91b7d"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"a14d68b1195f0d5555c4f82b14f150e636906b2ae8db8cc8e8f5c72d92ee935c"},{"exportContext":"436f6e746578742d34","exportLength":32,"exportValue":"5c5997a2b39ce85d9ffef87f8a8732ddad6bda261624aba6acd4b284255eb2
83"}]},{"mode":3,"kem_id":18,"kdf_id":3,"aead_id":3,"info":"4f6465206f6e2061204772656369616e2055726e","ikmR":"9c754d7aa72c9adf7c5ff2124fddf064a634fe1172e5e583214f175504535cb5daea7b69cb4de020eb58a4e80a4ffd50a063cb4708a7de937ec1db87c538a81c7244","ikmS":"af24824181f89ebbeb0cd1260f53cacb79d3557d976c4f0eb754b3248ec2c8b9a0d25cbb230e0d9e384e84ebb2d7c74858625342851d5f3d6b28901074efff114eae","ikmE":"7cab4c1d2629b20132e821af4f6bc3f5b83960307bd7212451c0505764b81293fcdff4281b716e6ddb16c0a037b25bf1fd1b37b20a894d291e6a48ecf794ffe63233","skRm":"013751d151ce7ea64c6721580057a0ef13b24a8a585d5a23699426fc270a4b6c09db013d94774e958b7aabc33b47c485e4c26d891f5babccd7b1d50ed8dae499ca4c","skSm":"0109c37737bba3fd7cbbd9648ae1986f938d6a56094dd64e5f55555fcb941ab9c41c43cd9205b9d3967c7d02df0525e7c1e66fdea906162fc9f282aa7cfb9fc50a1e","skEm":"0098b8b1ede755170f144664e6fe99e979a21290dc8d08472ed4b5f5ff56271f564370549d5b8ff2ffca994d56842c02d5571c77507e2c145f0ac65bacce55762e8e","psk":"0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82","psk_id":"456e6e796e20447572696e206172616e204d6f726961","pkRm":"040026350e6288b3b0efb2a5ce816c1e939be23339166160c3a07daa578842f0d9b464fd9fb4ae34f4773b059a6cad5b111b132f875e6fe22a5df17738e6c7b8621d7801f71dbc19be0e682e424e50cfa0ba25c2149283388ef5e2538c3cb1b7934cc647eb17f8ac4402e725a809b9c667c6be09f3930f4a3c629473b5c6ea61d8c546a810","pkSm":"04018039d73b34369a2becad3896f12bf407f403eaec9e7fc6153e9403172014b996e9927cc5a14467efba303f994c897c996e0c659aaf7effd4ed72a10012522d2eb000454bd5bd8ed4cb7162cb18ecc32788278dc6f936497b26a17dbb4d9c3f4210f83ae6dcdde786a2d336b73e26dc59216a3fcf782f9df9219d19dcea506b757f413f","pkEm":"0400d196003f5c753b8f21f7644c77fb49a6f2431b2037d51ecd889205622d9ad713871369ac4af7ef0106ece29cea5ca70671fe2c62c6da0579af3e712dfd5de1acee005d751d9cfb60a249cffce4360e6c96242d213f43622b7632d64f026ef85d26f4d26c616aae37536187375db87483e3a49fdef9e65abfc8aec8bd6b48522953579c","enc":"0400d196003f5c753b8f21f7644c77fb49a6f2431b2037d51ecd889205622d9ad713871369ac4af7ef
0106ece29cea5ca70671fe2c62c6da0579af3e712dfd5de1acee005d751d9cfb60a249cffce4360e6c96242d213f43622b7632d64f026ef85d26f4d26c616aae37536187375db87483e3a49fdef9e65abfc8aec8bd6b48522953579c","shared_secret":"4dcb630d4c0a1e8e98e90e808e3e094e56d276647e08a5dbf72c7266b2c0a34264d0a6888a50d0dd362695359114ad14df7f9f9eb8a834f2c534349c7247306a","key_schedule_context":"034d85fbe979ff87b24e604cc26481ee926c0cc54029dea89f61c329771b8b83e1dc0b583df05f8e70142f7b1b14d03bba3b1dff0d251bcdc09eab80ac55411960b3876947c22187d4b28f2b58594249fe7214e461614a6e9064944e083be6a2bcc8a781d1864fafcccca5c9ad90a90a3d04c6771108743a140bb6bd8de8dec322","secret":"ed09e27693fd840bed36a392670aa482d34f328dd529bef80296e070e7837eadc4277d56def4edecb9d727a13867cb17a8ba86f77f33a11b747ec6138051fc09","key":"b123fe377e33749a1f70157820fc017303fd3b7c4ecd341baed21d6600b8d486","base_nonce":"85f6bba2f814b4fd5f2fba94","exporter_secret":"a4a2e1900b6ffe8ea7f8b10774fdf07e63eb00c32b7f8f57e65ff85af3d7f27725c0efce7f348e65d540af33c22b5d07bab8b10cd0e2d86717f88ca71b3cf1be","encryptions":[{"aad":"436f756e742d30","ciphertext":"3fc8200446cca9336d004ad7358d51cf9ad7a88e9bbd5110b74cbd1a4ffcbc7e306529627b19e68f1fe1e4a3e9","nonce":"85f6bba2f814b4fd5f2fba94","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d31","ciphertext":"037e930da7c6d237bce7db7789bcbc29eb039282417c8430ff25c9f64e5d70512201c7387d36913ae86235d1d7","nonce":"85f6bba2f814b4fd5f2fba95","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d32","ciphertext":"3cc0f5c1238a0d8218d30c8c96337c7589dc4c80a58e392e1b89d15fb1a8e3e0d94daca3afec674349b30ddcc8","nonce":"85f6bba2f814b4fd5f2fba96","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d33","ciphertext":"79301aa5db452fc1ef47c8446e34525f86ddff167a73156b4aaa5e0470e336f38b70faaec11246e7de31597f16","nonce":"85f6bba2f814b4fd5f2fba97","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"43
6f756e742d34","ciphertext":"93f382da7498f1df7b18f34c2dcc1054ee59c91f961265710efa8818df223a4ff9f805f72b7e714d5d7099d103","nonce":"85f6bba2f814b4fd5f2fba90","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d35","ciphertext":"4d579557bebed28a48803e0f65a228f5158c960253909b05ff6552be8c8ad4b1e316c1f9a1fd0ba85f480e9fca","nonce":"85f6bba2f814b4fd5f2fba91","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d36","ciphertext":"2d6299255a50ea897f377a02fd4799e775c01622d5e56aabd29735f3385e95184f7595f090ce8f88b1acd54cf0","nonce":"85f6bba2f814b4fd5f2fba92","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d37","ciphertext":"0f3b8ee29f66b093cf0425f68c57330c287d5ad1f15c03eeca88e8467a71b0d893d7d558a228f85e9b1852fa3f","nonce":"85f6bba2f814b4fd5f2fba93","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d38","ciphertext":"88932ef568731cf98831ffe86aed2e4431a8e2b084f13dbddcac89395188cacb7bcc649fe59d121c16db5d6cdb","nonce":"85f6bba2f814b4fd5f2fba9c","plaintext":"4265617574792069732074727574682c20747275746820626561757479"},{"aad":"436f756e742d39","ciphertext":"10034a8cef98b7d9b75f9269cd14bcb5faeaf25790e026934794002c08a4189ae8ec47a62678b4fa6023434cab","nonce":"85f6bba2f814b4fd5f2fba9d","plaintext":"4265617574792069732074727574682c20747275746820626561757479"}],"exports":[{"exportContext":"436f6e746578742d30","exportLength":32,"exportValue":"a206fb4343d0b8559308590ebbe2e6b24294a3b41f84e80a7e7d59b74b53d0b9"},{"exportContext":"436f6e746578742d31","exportLength":32,"exportValue":"a38a774b0b7a9b6809849bf394580533850b155429a3bbe4a4b9339cf5bdeacd"},{"exportContext":"436f6e746578742d32","exportLength":32,"exportValue":"190618ce1b09fa9accd3e81cf9f00527d71c7d942b0dc47d62649b46601151c7"},{"exportContext":"436f6e746578742d33","exportLength":32,"exportValue":"f406002f792e8073816fbebfccb7583cf7b61343aeaeb088d225575fd03f3afb"},{"exportCont
ext":"436f6e746578742d34","exportLength":32,"exportValue":"8c158991d1cff30e30114fcc133b73889b1d58cd25fe93cfbea9d499935d47ac"}]}]
\ No newline at end of file
diff --git a/vendor/github.com/cisco/go-tls-syntax/.gitignore b/vendor/github.com/cisco/go-tls-syntax/.gitignore
new file mode 100644
index 00000000..66fd13c9
--- /dev/null
+++ b/vendor/github.com/cisco/go-tls-syntax/.gitignore
@@ -0,0 +1,15 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
diff --git a/vendor/github.com/cisco/go-tls-syntax/LICENSE b/vendor/github.com/cisco/go-tls-syntax/LICENSE
new file mode 100644
index 00000000..a6995a82
--- /dev/null
+++ b/vendor/github.com/cisco/go-tls-syntax/LICENSE
@@ -0,0 +1,25 @@
+BSD 2-Clause License
+
+Copyright (c) 2020, Cisco Systems
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/cisco/go-tls-syntax/README.md b/vendor/github.com/cisco/go-tls-syntax/README.md
new file mode 100644
index 00000000..60dd7440
--- /dev/null
+++ b/vendor/github.com/cisco/go-tls-syntax/README.md
@@ -0,0 +1,105 @@
+[![Coverage Status](https://coveralls.io/repos/github/cisco/go-tls-syntax/badge.svg)](https://coveralls.io/github/cisco/go-tls-syntax)
+
+TLS Syntax
+==========
+
+TLS defines [its own syntax](https://tlswg.github.io/tls13-spec/#rfc.section.3)
+for describing structures used in that protocol. To facilitate the reuse of
+this serialization format in other context, this module maps that syntax to
+the Go structure syntax, taking advantage of Go's type annotations to encode
+non-type information carried in the TLS presentation format.
+
+For example, in the TLS specification, a ClientHello message has the following
+structure:
+
+~~~~~
+uint16 ProtocolVersion;
+opaque Random[32];
+uint8 CipherSuite[2];
+enum { server_name(0), ... (65535)} ExtensionType;
+
+struct {
+ ExtensionType extension_type;
+ opaque extension_data<0..2^16-1>;
+} Extension;
+
+struct {
+ ProtocolVersion legacy_version = 0x0303; /* TLS v1.2 */
+ Random random;
+ opaque legacy_session_id<0..32>;
+ CipherSuite cipher_suites<2..2^16-2>;
+ opaque legacy_compression_methods<1..2^8-1>;
+ Extension extensions<0..2^16-1>;
+} ClientHello;
+~~~~~
+
+This maps to the following Go type definitions:
+
+~~~~~
+type protocolVersion uint16
+type random [32]byte
+type cipherSuite uint16 // or [2]byte
+
+type ExtensionType uint16
+
+const (
+ ExtensionTypeServerName ExtensionType = 0
+ // ...
+)
+
+type Extension struct {
+ ExtensionType ExtensionType
+ ExtensionData []byte `tls:"head=2"`
+}
+
+type ClientHello struct {
+ LegacyVersion ProtocolVersion
+ Random Random
+ LegacySessionID []byte `tls:"head=1,max=32"`
+ CipherSuites []CipherSuite `tls:"head=2,min=2"`
+ LegacyCompressionMethods []byte `tls:"head=1,min=1"`
+ Extensions []Extension `tls:"head=2"`
+}
+~~~~~
+
+Then you can just declare, marshal, and unmarshal structs just like you would
+with, say JSON.
+
+The available annotations are as follows (with supported types noted):
+
+* `omit`: Do not encode/decode this field (for: any)
+* `head=n`: Encode the length header as an `n`-byte integer (for: slice)
+* `head=varint`: Encode the length header as a [QUIC-style
+ varint](https://tools.ietf.org/html/draft-ietf-quic-transport-27#section-16)
+ (for: slice)
+* `head=none`: Omit the length header on encode; consume the remainder of the
+ buffer on decode (for: slice)
+* `min`: The minimum length of the vector, in bytes (for: slice)
+* `max`: The maximum length of the vector, in bytes (for: slice)
+* `varint`: Encode the value as a QUIC-style varint (for:
+ uint8, uint16, uint32, uint64)
+* `optional`: Encode a pointer value as an [MLS-style
+ optional](https://github.com/mlswg/mls-protocol/blob/master/draft-ietf-mls-protocol.md#tree-hashes)
+ (for: pointer)
+
+The `Marshaler` and `Unmarshaler` interfaces play the same role as in
+`encoding/json`, i.e., they let the type define its own encoding directly. The
+`Validator` interface allows a type to define validation rules to be applied
+when marshaling or unmarshaling. The latter is especially helpful for `enum`
+values.
+
+## Not supported
+
+* The `select()` syntax for creating alternate version of the same struct (see,
+ e.g., the KeyShare extension)
+
+* The backreference syntax for array lengths or select parameters, as in `opaque
+ fragment[TLSPlaintext.length]`. Note, however, that in cases where the length
+ immediately preceds the array, these can be reframed as vectors with
+ appropriate sizes.
+
+## History
+
+This code was originally part of the [mint](https://github.com/bifurcation/mint)
+TLS 1.3 stack, and has been moved to this repository with the agreement of the
+contributors. Please see that repo for history before the move.
diff --git a/vendor/github.com/cisco/go-tls-syntax/decode.go b/vendor/github.com/cisco/go-tls-syntax/decode.go
new file mode 100644
index 00000000..f2e3d6b2
--- /dev/null
+++ b/vendor/github.com/cisco/go-tls-syntax/decode.go 
@@ -0,0 +1,456 @@
+package syntax
+
+import (
+ "bytes"
+ "fmt"
+ "reflect"
+ "runtime"
+ "sync"
+)
+
+func Unmarshal(data []byte, v interface{}) (int, error) {
+ // Check for well-formedness.
+ // Avoids filling out half a data structure
+ // before discovering a JSON syntax error.
+ d := decodeState{}
+ d.Write(data)
+ return d.unmarshal(v)
+}
+
+// Unmarshaler is the interface implemented by types that can
+// unmarshal a TLS description of themselves. Note that unlike the
+// JSON unmarshaler interface, it is not known a priori how much of
+// the input data will be consumed. So the Unmarshaler must state
+// how much of the input data it consumed.
+type Unmarshaler interface {
+ UnmarshalTLS([]byte) (int, error)
+}
+
+type decodeState struct {
+ bytes.Buffer
+}
+
+func (d *decodeState) unmarshal(v interface{}) (read int, err error) {
+ defer func() {
+ if r := recover(); r != nil {
+ if _, ok := r.(runtime.Error); ok {
+ panic(r)
+ }
+ if s, ok := r.(string); ok {
+ panic(s)
+ }
+ err = r.(error)
+ }
+ }()
+
+ rv := reflect.ValueOf(v)
+ if rv.Kind() != reflect.Ptr || rv.IsNil() {
+ return 0, fmt.Errorf("Invalid unmarshal target (non-pointer or nil)")
+ }
+
+ read = d.value(rv)
+ return read, nil
+}
+
+func (e *decodeState) value(v reflect.Value) int {
+ return valueDecoder(v)(e, v, fieldOptions{})
+}
+
+type decoderFunc func(e *decodeState, v reflect.Value, opts fieldOptions) int
+
+func valueDecoder(v reflect.Value) decoderFunc {
+ return typeDecoder(v.Type().Elem())
+}
+
+var decoderCache sync.Map // map[reflect.Type]decoderFunc
+
+func typeDecoder(t reflect.Type) decoderFunc {
+ if fi, ok := decoderCache.Load(t); ok {
+ return fi.(decoderFunc)
+ }
+
+ // XXX(RLB): Wait group based support for recursive types omitted
+
+ // Compute the real decoder and replace the indirect func with it.
+ f := newTypeDecoder(t)
+ decoderCache.Store(t, f)
+ return f
+}
+
+var (
+ unmarshalerType = reflect.TypeOf(new(Unmarshaler)).Elem()
+ uint8Type = reflect.TypeOf(uint8(0))
+)
+
+func newTypeDecoder(t reflect.Type) decoderFunc {
+ var dec decoderFunc
+ if t.Kind() != reflect.Ptr && reflect.PtrTo(t).Implements(unmarshalerType) {
+ dec = unmarshalerDecoder
+ } else {
+ switch t.Kind() {
+ case reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+ dec = uintDecoder
+ case reflect.Array:
+ dec = newArrayDecoder(t)
+ case reflect.Slice:
+ dec = newSliceDecoder(t)
+ case reflect.Map:
+ dec = newMapDecoder(t)
+ case reflect.Struct:
+ dec = newStructDecoder(t)
+ case reflect.Ptr:
+ dec = newPointerDecoder(t)
+ default:
+ panic(fmt.Errorf("Unsupported type (%s)", t))
+ }
+ }
+
+ if reflect.PtrTo(t).Implements(validatorType) {
+ dec = newValidatorDecoder(dec)
+ }
+
+ return dec
+}
+
+///// Specific decoders below
+
+func omitDecoder(d *decodeState, v reflect.Value, opts fieldOptions) int {
+ return 0
+}
+
+//////////
+
+func unmarshalerDecoder(d *decodeState, v reflect.Value, opts fieldOptions) int {
+ um, ok := v.Interface().(Unmarshaler)
+ if !ok {
+ panic(fmt.Errorf("Non-Unmarshaler passed to unmarshalerEncoder"))
+ }
+
+ read, err := um.UnmarshalTLS(d.Bytes())
+ if err != nil {
+ panic(err)
+ }
+
+ if read > d.Len() {
+ panic(fmt.Errorf("Invalid return value from UnmarshalTLS"))
+ }
+
+ d.Next(read)
+ return read
+}
+
+//////////
+
+func newValidatorDecoder(raw decoderFunc) decoderFunc {
+ return func(d *decodeState, v reflect.Value, opts fieldOptions) int {
+ read := raw(d, v, opts)
+
+ val, ok := v.Interface().(Validator)
+ if !ok {
+ panic(fmt.Errorf("Non-Validator passed to validatorDecoder"))
+ }
+
+ if err := val.ValidForTLS(); err != nil {
+ panic(fmt.Errorf("Decoded invalid TLS value: %v", err))
+ }
+
+ return read
+ }
+}
+
+//////////
+
+func uintDecoder(d *decodeState, v reflect.Value, opts fieldOptions) int {
+ if opts.varint {
+ return varintDecoder(d, v, opts)
+ }
+
+ uintLen := int(v.Elem().Type().Size())
+ buf := d.Next(uintLen)
+ if len(buf) != uintLen {
+ panic(fmt.Errorf("Insufficient data to read uint"))
+ }
+
+ return setUintFromBuffer(v, buf)
+}
+
+func varintDecoder(d *decodeState, v reflect.Value, opts fieldOptions) int {
+ l, val := readVarint(d)
+
+ uintLen := int(v.Elem().Type().Size())
+ if uintLen < l {
+ panic(fmt.Errorf("Uint too small to fit varint: %d < %d", uintLen, l))
+ }
+
+ v.Elem().SetUint(val)
+
+ return l
+}
+
+func readVarint(d *decodeState) (int, uint64) {
+ // Read the first octet and decide the size of the presented varint
+ first := d.Next(1)
+ if len(first) != 1 {
+ panic(fmt.Errorf("Insufficient data to read varint length"))
+ }
+
+ twoBits := uint(first[0] >> 6)
+ varintLen := 1 << twoBits
+
+ rest := d.Next(varintLen - 1)
+ if len(rest) != varintLen-1 {
+ panic(fmt.Errorf("Insufficient data to read varint"))
+ }
+
+ buf := append(first, rest...)
+ buf[0] &= 0x3f
+
+ return len(buf), decodeUintFromBuffer(buf)
+}
+
+func decodeUintFromBuffer(buf []byte) uint64 {
+ val := uint64(0)
+ for _, b := range buf {
+ val = (val << 8) + uint64(b)
+ }
+
+ return val
+}
+
+func setUintFromBuffer(v reflect.Value, buf []byte) int {
+ v.Elem().SetUint(decodeUintFromBuffer(buf))
+ return len(buf)
+}
+
+//////////
+
+type arrayDecoder struct {
+ elemDec decoderFunc
+}
+
+func (ad *arrayDecoder) decode(d *decodeState, v reflect.Value, opts fieldOptions) int {
+ n := v.Elem().Type().Len()
+ read := 0
+ for i := 0; i < n; i += 1 {
+ read += ad.elemDec(d, v.Elem().Index(i).Addr(), opts)
+ }
+ return read
+}
+
+func newArrayDecoder(t reflect.Type) decoderFunc {
+ dec := &arrayDecoder{typeDecoder(t.Elem())}
+ return dec.decode
+}
+
+//////////
+
+func decodeLength(d *decodeState, opts fieldOptions) (int, int) {
+ read := 0
+ length := 0
+ switch {
+ case opts.omitHeader:
+ read = 0
+ length = d.Len()
+
+ case opts.varintHeader:
+ var length64 uint64
+ read, length64 = readVarint(d)
+ length = int(length64)
+
+ case opts.headerSize > 0:
+ lengthBytes := d.Next(int(opts.headerSize))
+ if len(lengthBytes) != int(opts.headerSize) {
+ panic(fmt.Errorf("Not enough data to read header"))
+ }
+ read = len(lengthBytes)
+ length = int(decodeUintFromBuffer(lengthBytes))
+
+ default:
+ panic(fmt.Errorf("Cannot decode a slice without a header length"))
+ }
+
+ // Check that the length is OK
+ if opts.maxSize > 0 && length > opts.maxSize {
+ panic(fmt.Errorf("Length of vector exceeds declared max"))
+ }
+ if length < opts.minSize {
+ panic(fmt.Errorf("Length of vector below declared min"))
+ }
+
+ return read, length
+}
+
+//////////
+
+type sliceDecoder struct {
+ elementType reflect.Type
+ elementDec decoderFunc
+}
+
+func (sd *sliceDecoder) decode(d *decodeState, v reflect.Value, opts fieldOptions) int {
+ // Determine the length of the vector
+ read, length := decodeLength(d, opts)
+
+ // Decode elements
+ elemData := d.Next(length)
+ if len(elemData) != length {
+ panic(fmt.Errorf("Not enough data to read elements"))
+ }
+
+ // For opaque values, we can return a reference instead of making a new slice
+ if v.Elem().Type().Elem() == uint8Type {
+ v.Elem().Set(reflect.ValueOf(elemData))
+ return read + length
+ }
+
+ // For other values, we need to decode the raw data
+ elemBuf := &decodeState{}
+ elemBuf.Write(elemData)
+ elems := []reflect.Value{}
+ for elemBuf.Len() > 0 {
+ elem := reflect.New(sd.elementType)
+ read += sd.elementDec(elemBuf, elem, opts)
+ elems = append(elems, elem)
+ }
+
+ v.Elem().Set(reflect.MakeSlice(v.Elem().Type(), len(elems), len(elems)))
+ for i := 0; i < len(elems); i += 1 {
+ v.Elem().Index(i).Set(elems[i].Elem())
+ }
+ return read
+}
+
+func newSliceDecoder(t reflect.Type) decoderFunc {
+ dec := &sliceDecoder{
+ elementType: t.Elem(),
+ elementDec: typeDecoder(t.Elem()),
+ }
+ return dec.decode
+}
+
+//////////
+
+type mapDecoder struct {
+ keyType reflect.Type
+ valType reflect.Type
+ keyDec decoderFunc
+ valDec decoderFunc
+}
+
+func (md mapDecoder) decode(d *decodeState, v reflect.Value, opts fieldOptions) int {
+ // Determine the length of the data
+ read, length := decodeLength(d, opts)
+
+ // Decode key/value pairs
+ elemData := d.Next(length)
+ if len(elemData) != length {
+ panic(fmt.Errorf("Not enough data to read elements"))
+ }
+
+ mapType := reflect.MapOf(md.keyType, md.valType)
+ v.Elem().Set(reflect.MakeMap(mapType))
+
+ nullOpts := fieldOptions{}
+ elemBuf := &decodeState{}
+ elemBuf.Write(elemData)
+ for elemBuf.Len() > 0 {
+ key := reflect.New(md.keyType)
+ read += md.keyDec(elemBuf, key, nullOpts)
+
+ val := reflect.New(md.valType)
+ read += md.valDec(elemBuf, val, nullOpts)
+
+ v.Elem().SetMapIndex(key.Elem(), val.Elem())
+ }
+
+ return read
+}
+
+func newMapDecoder(t reflect.Type) decoderFunc {
+ md := mapDecoder{
+ keyType: t.Key(),
+ valType: t.Elem(),
+ keyDec: typeDecoder(t.Key()),
+ valDec: typeDecoder(t.Elem()),
+ }
+
+ return md.decode
+}
+
+//////////
+
+type structDecoder struct {
+ fieldOpts []fieldOptions
+ fieldDecs []decoderFunc
+}
+
+func (sd *structDecoder) decode(d *decodeState, v reflect.Value, opts fieldOptions) int {
+ read := 0
+ for i := range sd.fieldDecs {
+ read += sd.fieldDecs[i](d, v.Elem().Field(i).Addr(), sd.fieldOpts[i])
+ }
+ return read
+}
+
+func newStructDecoder(t reflect.Type) decoderFunc {
+ n := t.NumField()
+ sd := structDecoder{
+ fieldOpts: make([]fieldOptions, n),
+ fieldDecs: make([]decoderFunc, n),
+ }
+
+ for i := 0; i < n; i += 1 {
+ f := t.Field(i)
+
+ tag := f.Tag.Get("tls")
+ opts := parseTag(tag)
+
+ if !opts.ValidForType(f.Type) {
+ panic(fmt.Errorf("Tags invalid for field type"))
+ }
+
+ sd.fieldOpts[i] = opts
+ if sd.fieldOpts[i].omit {
+ sd.fieldDecs[i] = omitDecoder
+ } else {
+ sd.fieldDecs[i] = typeDecoder(f.Type)
+ }
+ }
+
+ return sd.decode
+}
+
+//////////
+
+type pointerDecoder struct {
+ base decoderFunc
+}
+
+func (pd *pointerDecoder) decode(d *decodeState, v reflect.Value, opts fieldOptions) int {
+ readBase := 0
+ if opts.optional {
+ readBase = 1
+ flag := d.Next(1)
+ switch flag[0] {
+ case optionalFlagAbsent:
+ indir := v.Elem()
+ indir.Set(reflect.Zero(indir.Type()))
+ return 1
+
+ case optionalFlagPresent:
+ // No action; continue as normal
+
+ default:
+ panic(fmt.Errorf("Invalid flag byte for optional: [%x]", flag))
+ }
+ }
+
+ v.Elem().Set(reflect.New(v.Elem().Type().Elem()))
+ return readBase + pd.base(d, v.Elem(), opts)
+}
+
+func newPointerDecoder(t reflect.Type) decoderFunc {
+ baseDecoder := typeDecoder(t.Elem())
+ pd := pointerDecoder{base: baseDecoder}
+ return pd.decode
+}
diff --git a/vendor/github.com/cisco/go-tls-syntax/encode.go b/vendor/github.com/cisco/go-tls-syntax/encode.go
new file mode 100644
index 00000000..3bc507fb
--- /dev/null
+++ b/vendor/github.com/cisco/go-tls-syntax/encode.go
@@ -0,0 +1,411 @@
+package syntax
+
+import (
+ "bytes"
+ "fmt"
+ "reflect"
+ "runtime"
+ "sort"
+ "sync"
+)
+
+func Marshal(v interface{}) ([]byte, error) {
+ e := &encodeState{}
+ err := e.marshal(v, fieldOptions{})
+ if err != nil {
+ return nil, err
+ }
+ return e.Bytes(), nil
+}
+
+// Marshaler is the interface implemented by types that
+// have a defined TLS encoding.
+type Marshaler interface {
+ MarshalTLS() ([]byte, error)
+}
+
+type encodeState struct {
+ bytes.Buffer
+}
+
+func (e *encodeState) marshal(v interface{}, opts fieldOptions) (err error) {
+ defer func() {
+ if r := recover(); r != nil {
+ if _, ok := r.(runtime.Error); ok {
+ panic(r)
+ }
+ if s, ok := r.(string); ok {
+ panic(s)
+ }
+ err = r.(error)
+ }
+ }()
+ e.reflectValue(reflect.ValueOf(v), opts)
+ return nil
+}
+
+func (e *encodeState) reflectValue(v reflect.Value, opts fieldOptions) {
+ valueEncoder(v)(e, v, opts)
+}
+
+type encoderFunc func(e *encodeState, v reflect.Value, opts fieldOptions)
+
+func valueEncoder(v reflect.Value) encoderFunc {
+ if !v.IsValid() {
+ panic(fmt.Errorf("Cannot encode an invalid value"))
+ }
+ return typeEncoder(v.Type())
+}
+
+var encoderCache sync.Map // map[reflect.Type]encoderFunc
+
+func typeEncoder(t reflect.Type) encoderFunc {
+ if fi, ok := encoderCache.Load(t); ok {
+ return fi.(encoderFunc)
+ }
+
+ // XXX(RLB): Wait group based support for recursive types omitted
+
+ // Compute the real encoder and replace the indirect func with it.
+ f := newTypeEncoder(t) + encoderCache.Store(t, f) + return f +} + +var ( + marshalerType = reflect.TypeOf(new(Marshaler)).Elem() +) + +func newTypeEncoder(t reflect.Type) encoderFunc { + var enc encoderFunc + if t.Implements(marshalerType) { + enc = marshalerEncoder + } else { + switch t.Kind() { + case reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64: + enc = uintEncoder + case reflect.Array: + enc = newArrayEncoder(t) + case reflect.Slice: + enc = newSliceEncoder(t) + case reflect.Struct: + enc = newStructEncoder(t) + case reflect.Map: + enc = newMapEncoder(t) + case reflect.Ptr: + enc = newPointerEncoder(t) + default: + panic(fmt.Errorf("Unsupported type (%s)", t)) + } + } + + if t.Implements(validatorType) { + enc = newValidatorEncoder(enc) + } + + return enc +} + +///// Specific encoders below + +func omitEncoder(e *encodeState, v reflect.Value, opts fieldOptions) { + // This space intentionally left blank +} + +////////// + +func marshalerEncoder(e *encodeState, v reflect.Value, opts fieldOptions) { + if v.Kind() == reflect.Ptr && v.IsNil() && !opts.optional { + panic(fmt.Errorf("Cannot encode nil pointer")) + } + + if v.Kind() == reflect.Ptr && opts.optional { + if v.IsNil() { + writeUint(e, uint64(optionalFlagAbsent), 1) + return + } + + writeUint(e, uint64(optionalFlagPresent), 1) + } + + m, ok := v.Interface().(Marshaler) + if !ok { + panic(fmt.Errorf("Non-Marshaler passed to marshalerEncoder")) + } + + b, err := m.MarshalTLS() + if err == nil { + _, err = e.Write(b) + } + + if err != nil { + panic(err) + } +} + +////////// + +func newValidatorEncoder(raw encoderFunc) encoderFunc { + return func(e *encodeState, v reflect.Value, opts fieldOptions) { + if v.Kind() == reflect.Ptr && v.IsNil() { + // Cannot validate nil values; just pass through to encoder + raw(e, v, opts) + return + } + + val, ok := v.Interface().(Validator) + if !ok { + panic(fmt.Errorf("Non-Validator passed to validatorEncoder")) + } + + if err := val.ValidForTLS(); err != 
nil { + panic(fmt.Errorf("Invalid TLS value: %v", err)) + } + + raw(e, v, opts) + } +} + +////////// + +func uintEncoder(e *encodeState, v reflect.Value, opts fieldOptions) { + if opts.varint { + varintEncoder(e, v, opts) + return + } + + writeUint(e, v.Uint(), int(v.Type().Size())) +} + +func varintEncoder(e *encodeState, v reflect.Value, opts fieldOptions) { + writeVarint(e, v.Uint()) +} + +func writeVarint(e *encodeState, u uint64) { + if (u >> 62) > 0 { + panic(fmt.Errorf("uint value is too big for varint")) + } + + var varintLen int + for _, len := range []uint{1, 2, 4, 8} { + if u < (uint64(1) << (8*len - 2)) { + varintLen = int(len) + break + } + } + + twoBits := map[int]uint64{1: 0x00, 2: 0x01, 4: 0x02, 8: 0x03}[varintLen] + shift := uint(8*varintLen - 2) + writeUint(e, u|(twoBits<> uint(8*(len-i-1)))) + } +} + +////////// + +type arrayEncoder struct { + elemEnc encoderFunc +} + +func (ae *arrayEncoder) encode(e *encodeState, v reflect.Value, opts fieldOptions) { + n := v.Len() + for i := 0; i < n; i += 1 { + ae.elemEnc(e, v.Index(i), opts) + } +} + +func newArrayEncoder(t reflect.Type) encoderFunc { + enc := &arrayEncoder{typeEncoder(t.Elem())} + return enc.encode +} + +////////// + +func encodeLength(e *encodeState, n int, opts fieldOptions) { + if opts.maxSize > 0 && n > opts.maxSize { + panic(fmt.Errorf("Encoded length more than max [%d > %d]", n, opts.maxSize)) + } + if n < opts.minSize { + panic(fmt.Errorf("Encoded length less than min [%d < %d]", n, opts.minSize)) + } + + switch { + case opts.omitHeader: + // None. 
+ + case opts.varintHeader: + writeVarint(e, uint64(n)) + + case opts.headerSize > 0: + if n>>uint(8*opts.headerSize) > 0 { + panic(fmt.Errorf("Encoded length too long for header length [%d, %d]", n, opts.headerSize)) + } + + writeUint(e, uint64(n), int(opts.headerSize)) + + default: + panic(fmt.Errorf("Cannot encode a slice without a header length")) + } +} + +////////// + +type sliceEncoder struct { + ae *arrayEncoder +} + +func (se *sliceEncoder) encode(e *encodeState, v reflect.Value, opts fieldOptions) { + arrayState := &encodeState{} + se.ae.encode(arrayState, v, opts) + + encodeLength(e, arrayState.Len(), opts) + e.Write(arrayState.Bytes()) +} + +func newSliceEncoder(t reflect.Type) encoderFunc { + enc := &sliceEncoder{&arrayEncoder{typeEncoder(t.Elem())}} + return enc.encode +} + +////////// + +type structEncoder struct { + fieldOpts []fieldOptions + fieldEncs []encoderFunc +} + +func (se *structEncoder) encode(e *encodeState, v reflect.Value, opts fieldOptions) { + for i := range se.fieldEncs { + se.fieldEncs[i](e, v.Field(i), se.fieldOpts[i]) + } +} + +func newStructEncoder(t reflect.Type) encoderFunc { + n := t.NumField() + se := structEncoder{ + fieldOpts: make([]fieldOptions, n), + fieldEncs: make([]encoderFunc, n), + } + + for i := 0; i < n; i += 1 { + f := t.Field(i) + tag := f.Tag.Get("tls") + opts := parseTag(tag) + + if !opts.ValidForType(f.Type) { + panic(fmt.Errorf("Tags invalid for field type")) + } + + se.fieldOpts[i] = opts + if opts.omit { + se.fieldEncs[i] = omitEncoder + } else { + se.fieldEncs[i] = typeEncoder(f.Type) + } + } + + return se.encode +} + +////////// + +type mapEncoder struct { + keyEnc encoderFunc + valEnc encoderFunc +} + +type encMap struct { + keyEncs [][]byte + valEncs [][]byte +} + +func (em encMap) Len() int { return len(em.keyEncs) } + +func (em *encMap) Swap(i, j int) { + em.keyEncs[i], em.keyEncs[j] = em.keyEncs[j], em.keyEncs[i] + em.valEncs[i], em.valEncs[j] = em.valEncs[j], em.valEncs[i] +} + +func (em encMap) 
Less(i, j int) bool { + return bytes.Compare(em.keyEncs[i], em.keyEncs[j]) < 0 +} + +func (em encMap) Size() int { + size := 0 + for i := range em.keyEncs { + size += len(em.keyEncs[i]) + len(em.valEncs[i]) + } + return size +} + +func (em encMap) Encode(e *encodeState) { + for i := range em.keyEncs { + e.Write(em.keyEncs[i]) + e.Write(em.valEncs[i]) + } +} + +func (me *mapEncoder) encode(e *encodeState, v reflect.Value, opts fieldOptions) { + enc := &encMap{ + keyEncs: make([][]byte, v.Len()), + valEncs: make([][]byte, v.Len()), + } + nullOpts := fieldOptions{} + it := v.MapRange() + for i := 0; i < enc.Len() && it.Next(); i++ { + keyState := &encodeState{} + me.keyEnc(keyState, it.Key(), nullOpts) + enc.keyEncs[i] = keyState.Bytes() + + valState := &encodeState{} + me.valEnc(valState, it.Value(), nullOpts) + enc.valEncs[i] = valState.Bytes() + } + + sort.Sort(enc) + + encodeLength(e, enc.Size(), opts) + enc.Encode(e) +} + +func newMapEncoder(t reflect.Type) encoderFunc { + me := mapEncoder{ + keyEnc: typeEncoder(t.Key()), + valEnc: typeEncoder(t.Elem()), + } + + return me.encode +} + +////////// + +type pointerEncoder struct { + base encoderFunc +} + +func (pe pointerEncoder) encode(e *encodeState, v reflect.Value, opts fieldOptions) { + if v.IsNil() && !opts.optional { + panic(fmt.Errorf("Cannot encode nil pointer")) + } + + if opts.optional { + if v.IsNil() { + writeUint(e, uint64(optionalFlagAbsent), 1) + return + } + + writeUint(e, uint64(optionalFlagPresent), 1) + } + + pe.base(e, v.Elem(), opts) +} + +func newPointerEncoder(t reflect.Type) encoderFunc { + baseEncoder := typeEncoder(t.Elem()) + pe := pointerEncoder{base: baseEncoder} + return pe.encode +} diff --git a/vendor/github.com/cisco/go-tls-syntax/go.mod b/vendor/github.com/cisco/go-tls-syntax/go.mod new file mode 100644 index 00000000..a54991c1 --- /dev/null +++ b/vendor/github.com/cisco/go-tls-syntax/go.mod 
@@ -0,0 +1,5 @@
+module github.com/cisco/go-tls-syntax
+
+go 1.14
+
+require github.com/stretchr/testify v1.6.1
diff --git a/vendor/github.com/cisco/go-tls-syntax/go.sum b/vendor/github.com/cisco/go-tls-syntax/go.sum
new file mode 100644
index 00000000..56d62e7c
--- /dev/null
+++ b/vendor/github.com/cisco/go-tls-syntax/go.sum
@@ -0,0 +1,10 @@
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/vendor/github.com/cisco/go-tls-syntax/go.yml b/vendor/github.com/cisco/go-tls-syntax/go.yml
new file mode 100644
index 00000000..d31e87f9
--- /dev/null
+++ b/vendor/github.com/cisco/go-tls-syntax/go.yml
@@ -0,0 +1,37 @@
+name: Go
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+jobs:
+
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Set up Go 1.x
+ uses: actions/setup-go@v2
+ with:
+ go-version: ^1.13
+ id: go
+
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@v2
+
+ - name: Get dependencies
+ run: |
+ go get -v -t -d ./...
+ if [ -f Gopkg.toml ]; then
+ curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
+ dep ensure
+ fi
+
+ - name: Build
+ run: go build -v .
+
+ - name: Test
+ run: go test -v .
diff --git a/vendor/github.com/cisco/go-tls-syntax/stream.go b/vendor/github.com/cisco/go-tls-syntax/stream.go
new file mode 100644
index 00000000..322f3490
--- /dev/null
+++ b/vendor/github.com/cisco/go-tls-syntax/stream.go
@@ -0,0 +1,76 @@
+package syntax
+
+///
+/// Write Stream
+///
+
+type WriteStream struct {
+ buffer []byte
+}
+
+func NewWriteStream() *WriteStream {
+ return &WriteStream{}
+}
+
+func (s *WriteStream) Data() []byte {
+ return s.buffer
+}
+
+func (s *WriteStream) Write(val interface{}) error {
+ enc, err := Marshal(val)
+ if err != nil {
+ return err
+ }
+ s.buffer = append(s.buffer, enc...)
+ return nil
+}
+
+func (s *WriteStream) WriteAll(vals ...interface{}) error {
+ for _, val := range vals {
+ err := s.Write(val)
+ if err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+///
+/// ReadStream
+///
+
+type ReadStream struct {
+ buffer []byte
+ cursor int
+}
+
+func NewReadStream(data []byte) *ReadStream {
+ return &ReadStream{data, 0}
+}
+
+func (s *ReadStream) Read(val interface{}) (int, error) {
+ read, err := Unmarshal(s.buffer[s.cursor:], val)
+ if err != nil {
+ return 0, err
+ }
+
+ s.cursor += read
+ return read, nil
+}
+
+func (s *ReadStream) ReadAll(vals ...interface{}) (int, error) {
+ read := 0
+ for _, val := range vals {
+ readHere, err := s.Read(val)
+ if err != nil {
+ return 0, err
+ }
+
+ read += readHere
+ }
+ return read, nil
+}
+
+func (s *ReadStream) Position() int {
+ return s.cursor
+}
diff --git a/vendor/github.com/cisco/go-tls-syntax/tags.go b/vendor/github.com/cisco/go-tls-syntax/tags.go
new file mode 100644
index 00000000..7734eea9
--- /dev/null
+++ b/vendor/github.com/cisco/go-tls-syntax/tags.go
@@ -0,0 +1,173 @@
+package syntax
+
+import (
+ "fmt"
+ "reflect"
+ "strconv"
+ "strings"
+)
+
+// Allow types to mark themselves as valid for TLS to marshal/unmarshal
+type Validator interface {
+ ValidForTLS() error
+}
+
+var (
+ validatorType = reflect.TypeOf(new(Validator)).Elem()
+)
+
+// `tls:"head=2,min=2,max=255,varint"`
+
+type fieldOptions struct {
+ omitHeader bool // whether to omit the slice header
+ varintHeader bool // whether to encode the header length as a varint
+ headerSize int // length of length in bytes
+ minSize int // minimum vector size in bytes
+ maxSize int // maximum vector size in bytes
+
+ varint bool // whether to encode as a varint
+ optional bool // whether to encode pointer as optional
+ omit bool // whether to skip a field
+}
+
+func mutuallyExclusive(vals []bool) bool {
+ set := 0
+ for _, val := range vals {
+ if val {
+ set += 1
+ }
+ }
+ return set <= 1
+}
+
+func (opts fieldOptions) Consistent() bool {
+ // No more than one of the header options must be set
+ headerPaths := []bool{opts.omitHeader, opts.varintHeader, opts.headerSize > 1}
+ if !mutuallyExclusive(headerPaths) {
+ return false
+ }
+
+ // Max must be greater than min
+ if opts.maxSize > 0 && opts.minSize > opts.maxSize {
+ return false
+ }
+
+ // varint and optional are mutually exclusive with each other, and with the slice options
+ headerOpts := (opts.omitHeader || opts.varintHeader || opts.headerSize > 1 || opts.maxSize > 0 || opts.minSize > 0)
+ encodePaths := []bool{headerOpts, opts.varint, opts.optional}
+ if !mutuallyExclusive(encodePaths) {
+ return false
+ }
+
+ // Omit is mutually exclusive with everything else
+ otherThanOmit := (headerOpts || opts.varint || opts.optional)
+ if !mutuallyExclusive([]bool{opts.omit, otherThanOmit}) {
+ return false
+ }
+
+ return true
+}
+
+func (opts fieldOptions) ValidForType(t reflect.Type) bool {
+ headerType := t.Kind() == reflect.Slice || t.Kind() == reflect.Map
+ headerTags := opts.omitHeader || opts.varintHeader || (opts.headerSize != 0) ||
+ (opts.minSize != 0) || (opts.maxSize != 0)
+ if headerTags && !headerType {
+ return false
+ }
+
+ uintRequired := opts.varint
+ if uintRequired {
+ switch t.Kind() {
+ case reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+ default:
+ return false
+ }
+ }
+
+ ptrRequired := opts.optional
+ if ptrRequired && t.Kind() != reflect.Ptr {
+ return false
+ }
+
+ return true
+}
+
+var (
+ varintOption = "varint"
+ optionalOption = "optional"
+ omitOption = "omit"
+
+ headOptionNone = "none"
+ headOptionVarint = "varint"
+ headValueNoHead = uint(255)
+ headValueVarint = uint(254)
+
+ optionalFlagAbsent uint8 = 0
+ optionalFlagPresent uint8 = 1
+)
+
+func atoi(a string) int {
+ i, err := strconv.Atoi(a)
+ if err != nil {
+ panic(fmt.Errorf("Invalid header size: %v", err))
+ }
+ return i
+}
+
+// parseTag parses a struct field's "tls" tag as a comma-separated list of
+// name=value pairs, where the values MUST be unsigned integers, or in
+// the special case of head, "none" or "varint"
+func parseTag(tag string) fieldOptions {
+ opts := fieldOptions{}
+ for _, token := range strings.Split(tag, ",") {
+ parts := strings.Split(token, "=")
+
+ // Handle name-only entries
+ if len(parts) == 1 {
+ switch parts[0] {
+ case varintOption:
+ opts.varint = true
+ case optionalOption:
+ opts.optional = true
+ case omitOption:
+ opts.omit = true
+ default:
+ // XXX(rlb): Ignoring unknown fields
+ }
+ continue
+ }
+
+ if len(parts) != 2 || len(parts[0]) == 0 || len(parts[1]) == 0 {
+ panic(fmt.Errorf("Malformed tag"))
+ }
+
+ // Handle name=value entries
+ switch parts[0] {
+ case "head":
+ switch {
+ case parts[1] == headOptionNone:
+ opts.omitHeader = true
+ case parts[1] == headOptionVarint:
+ opts.varintHeader = true
+ default:
+ opts.headerSize = atoi(parts[1])
+ }
+
+ case "min":
+ opts.minSize = atoi(parts[1])
+
+ case "max":
+ opts.maxSize = atoi(parts[1])
+
+ default:
+ // XXX(rlb): Ignoring unknown fields
+ }
+ }
+
+ if !opts.Consistent() {
+ panic(fmt.Errorf("Inconsistent options"))
+ }
+
+ return opts
+}
diff --git a/vendor/github.com/cloudflare/circl/LICENSE b/vendor/github.com/cloudflare/circl/LICENSE
new file mode 100644
index 00000000..67edaa90
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/LICENSE
@@ -0,0 +1,57 @@ +Copyright (c) 2019 Cloudflare. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Cloudflare nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +======================================================================== + +Copyright (c) 2009 The Go Authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. 
+ * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/doc.go b/vendor/github.com/cloudflare/circl/dh/sidh/doc.go new file mode 100644 index 00000000..bbfdaa69 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/doc.go 
@@ -0,0 +1,30 @@
+// Package sidh provides implementation of experimental post-quantum
+// Supersingular Isogeny Diffie-Hellman (SIDH) as well as Supersingular
+// Isogeny Key Encapsulation (SIKE).
+//
+// It comes with implementations of 2 different field arithmetic
+// implementations sidh.Fp503 and sidh.Fp751.
+//
+// | Algoirthm | Public Key Size | Shared Secret Size | Ciphertext Size |
+// |-----------|-----------------|--------------------|-----------------|
+// | SIDH/p503 | 376 | 126 | N/A |
+// | SIDH/p751 | 564 | 188 | N/A |
+// | SIKE/p503 | 376 | 16 | 402 |
+// | SIKE/p751 | 564 | 24 | 596 |
+//
+// In order to instantiate SIKE/p751 KEM one needs to create a KEM object
+// and allocate internal structures. This can be done with NewSike751 helper.
+// After that kem can be used multiple times.
+//
+// var kem = sike.NewSike751(rand.Reader)
+// kem.Encapsulate(ciphertext, sharedSecret, publicBob)
+// kem.Decapsulate(sharedSecret, privateBob, PublicBob, ciphertext)
+//
+// Code is optimized for AMD64 and aarch64. Generic implementation
+// is provided for other architectures.
+//
+// References:
+// - [SIDH] https://eprint.iacr.org/2011/506
+// - [SIKE] http://www.sike.org/files/SIDH-spec.pdf
+//
+package sidh
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/doc.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/doc.go
new file mode 100644
index 00000000..f606f420
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/doc.go
@@ -0,0 +1,2 @@
+// Package common provides types, variables, constants and functions commonly used in SIDH or SIKE.
+package common
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/params.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/params.go
new file mode 100644
index 00000000..3be1c45f
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/params.go
@@ -0,0 +1,24 @@
+package common
+
+import "fmt"
+
+// Keeps mapping: SIDH prime field ID to domain parameters
+var sidhParams = make(map[uint8]SidhParams)
+
+// Params returns domain parameters corresponding to finite field and identified by
+// `id` provieded by the caller. Function panics in case `id` wasn't registered earlier.
+func Params(id uint8) *SidhParams {
+ if val, ok := sidhParams[id]; ok {
+ return &val
+ }
+ panic("sidh: SIDH Params ID unregistered")
+}
+
+// Registers SIDH parameters for particular field.
+func Register(id uint8, p *SidhParams) {
+ if _, ok := sidhParams[id]; ok {
+ msg := fmt.Sprintf("sidh: Field with id %d already registered", id)
+ panic(msg)
+ }
+ sidhParams[id] = *p
+}
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/types.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/types.go
new file mode 100644
index 00000000..ae06af4d
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/types.go
@@ -0,0 +1,103 @@ +package common + +const ( + // corresponds to words in P751 + FpMaxWords = 12 + // corresponds to byte size of P751 SIDH private key for B + MaxSidhPrivateKeyBsz = 48 + // corresponds to byte size of P751 SIKE private key for B + MaxSikePrivateKeyBsz = MaxSidhPrivateKeyBsz + MaxMsgBsz + // corresponds to SIKE max length of 'n' (see 1.4 of SIKE spec in NIST PQC round 1) + MaxMsgBsz = 40 + // corresponds to byte size of shared secret generated by SIKEp751 + MaxSharedSecretBsz = 188 + // correponds to by size of the P751 public key + MaxPublicKeySz = 3 * FpMaxWords * 64 + // correponds to by size of the ciphertext produced by SIKE/P751 + MaxCiphertextBsz = MaxMsgBsz + MaxPublicKeySz +) + +// Id's correspond to bitlength of the prime field characteristic +// Currently Fp751 is the only one supported by this implementation +const ( + Fp503 uint8 = iota + Fp751 +) + +// Representation of an element of the base field F_p. +// +// No particular meaning is assigned to the representation -- it could represent +// an element in Montgomery form, or not. Tracking the meaning of the field +// element is left to higher types. +type Fp [FpMaxWords]uint64 + +// Represents an intermediate product of two elements of the base field F_p. +type FpX2 [2 * FpMaxWords]uint64 + +// Represents an element of the extended field Fp^2 = Fp(x+i) +type Fp2 struct { + A Fp + B Fp +} + +type DomainParams struct { + // P, Q and R=P-Q base points + AffineP, AffineQ, AffineR Fp2 + // Size of a compuatation strategy for x-torsion group + IsogenyStrategy []uint32 + // Max size of secret key for x-torsion group + SecretBitLen uint + // Max size of secret key for x-torsion group + SecretByteLen uint +} + +type SidhParams struct { + ID uint8 + // Bytelen of P + Bytelen int + // The public key size, in bytes. + PublicKeySize int + // The shared secret size, in bytes. 
+ SharedSecretSize int + // 2- and 3-torsion group parameter definitions + A, B DomainParams + // Precomputed identity element in the Fp2 in Montgomery domain + OneFp2 Fp2 + // Precomputed 1/2 in the Fp2 in Montgomery domain + HalfFp2 Fp2 + // Length of SIKE secret message. Must be one of {24,32,40}, + // depending on size of prime field used (see [SIKE], 1.4 and 5.1) + MsgLen int + // Length of SIKE ephemeral KEM key (see [SIKE], 1.4 and 5.1) + KemSize int + // Byte size of ciphertext that KEM produces + CiphertextSize int +} + +// Stores curve projective parameters equivalent to A/C. Meaning of the +// values depends on the context. When working with isogenies over +// subgroup that are powers of: +// * three then (A:C) ~ (A+2C:A-2C) +// * four then (A:C) ~ (A+2C: 4C) +// See Appendix A of SIKE for more details +type CurveCoefficientsEquiv struct { + A Fp2 + C Fp2 +} + +// A point on the projective line P^1(F_{p^2}). +// +// This represents a point on the Kummer line of a Montgomery curve. The +// curve is specified by a ProjectiveCurveParameters struct. +type ProjectivePoint struct { + X Fp2 + Z Fp2 +} + +// A point on the projective line P^1(F_{p^2}). +// +// This is used to work projectively with the curve coefficients. +type ProjectiveCurveParameters struct { + A Fp2 + C Fp2 +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/utils.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/utils.go new file mode 100644 index 00000000..a8b9bd6b --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/common/utils.go 
@@ -0,0 +1,46 @@
+package common
+
+// Constant time select.
+// if pick == 1 (out = in1)
+// if pick == 0 (out = in2)
+// else out is undefined
+func Cpick(pick int, out, in1, in2 []byte) {
+ var which = byte((int8(pick << 7)) >> 7)
+ for i := range out {
+ out[i] = (in1[i] & which) | (in2[i] & ^which)
+ }
+}
+
+// Read 2*bytelen(p) bytes into the given ExtensionFieldElement.
+//
+// It is an error to call this function if the input byte slice is less than 2*bytelen(p) bytes long.
+func BytesToFp2(fp2 *Fp2, input []byte, bytelen int) {
+ if len(input) < 2*bytelen {
+ panic("input byte slice too short")
+ }
+
+ for i := 0; i < bytelen; i++ {
+ j := i / 8
+ k := uint64(i % 8)
+ fp2.A[j] |= uint64(input[i]) << (8 * k)
+ fp2.B[j] |= uint64(input[i+bytelen]) << (8 * k)
+ }
+}
+
+// Convert the input to wire format.
+//
+// The output byte slice must be at least 2*bytelen(p) bytes long.
+func Fp2ToBytes(output []byte, fp2 *Fp2, bytelen int) {
+ if len(output) < 2*bytelen {
+ panic("output byte slice too short")
+ }
+
+ // convert to bytes in little endian form
+ for i := 0; i < bytelen; i++ {
+ // set i = j*8 + k
+ tmp := i / 8
+ k := uint64(i % 8)
+ output[i] = byte(fp2.A[tmp] >> (8 * k))
+ output[i+bytelen] = byte(fp2.B[tmp] >> (8 * k))
+ }
+}
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_amd64.s b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_amd64.s
new file mode 100644
index 00000000..41022c8a
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_amd64.s
@@ -0,0 +1,1673 @@ +// +build amd64,!noasm + +#include "textflag.h" + +// p503 +#define P503_0 $0xFFFFFFFFFFFFFFFF +#define P503_1 $0xFFFFFFFFFFFFFFFF +#define P503_2 $0xFFFFFFFFFFFFFFFF +#define P503_3 $0xABFFFFFFFFFFFFFF +#define P503_4 $0x13085BDA2211E7A0 +#define P503_5 $0x1B9BF6C87B7E7DAF +#define P503_6 $0x6045C6BDDA77A4D0 +#define P503_7 $0x004066F541811E1E + +// p503+1 +#define P503P1_3 $0xAC00000000000000 +#define P503P1_4 $0x13085BDA2211E7A0 +#define P503P1_5 $0x1B9BF6C87B7E7DAF +#define P503P1_6 $0x6045C6BDDA77A4D0 +#define P503P1_7 $0x004066F541811E1E + +// p503x2 +#define P503X2_0 $0xFFFFFFFFFFFFFFFE +#define P503X2_1 $0xFFFFFFFFFFFFFFFF +#define P503X2_2 $0xFFFFFFFFFFFFFFFF +#define P503X2_3 $0x57FFFFFFFFFFFFFF +#define P503X2_4 $0x2610B7B44423CF41 +#define P503X2_5 $0x3737ED90F6FCFB5E +#define P503X2_6 $0xC08B8D7BB4EF49A0 +#define P503X2_7 $0x0080CDEA83023C3C + +#define REG_P1 DI +#define REG_P2 SI +#define REG_P3 DX + +// Performs schoolbook multiplication of 2 256-bit numbers. This optimized version +// uses MULX instruction. Macro smashes value in DX. +// Input: I0 and I1. 
+// Output: O +// All the other arguments are resgisters, used for storing temporary values +#define MULS256_MULX(O, I0, I1, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9) \ + MOVQ I0, DX \ + MULXQ I1, T1, T0 \ // T0:T1 = A0*B0 + MOVQ T1, O \ // O[0] + MULXQ 8+I1, T2, T1 \ // T1:T2 = U0*V1 + ADDQ T2, T0 \ + MULXQ 16+I1, T3, T2 \ // T2:T3 = U0*V2 + ADCQ T3, T1 \ + MULXQ 24+I1, T4, T3 \ // T3:T4 = U0*V3 + ADCQ T4, T2 \ + \ // Column U1 + MOVQ 8+I0, DX \ + ADCQ $0, T3 \ + MULXQ 0+I1, T4, T5 \ // T5:T4 = U1*V0 + MULXQ 8+I1, T7, T6 \ // T6:T7 = U1*V1 + ADDQ T7, T5 \ + MULXQ 16+I1, T8, T7 \ // T7:T8 = U1*V2 + ADCQ T8, T6 \ + MULXQ 24+I1, T9, T8 \ // T8:T9 = U1*V3 + ADCQ T9, T7 \ + ADCQ $0, T8 \ + ADDQ T0, T4 \ + MOVQ T4, 8+O \ // O[1] + ADCQ T1, T5 \ + ADCQ T2, T6 \ + ADCQ T3, T7 \ + \ // Column U2 + MOVQ 16+I0, DX \ + ADCQ $0, T8 \ + MULXQ 0+I1, T0, T1 \ // T1:T0 = U2*V0 + MULXQ 8+I1, T3, T2 \ // T2:T3 = U2*V1 + ADDQ T3, T1 \ + MULXQ 16+I1, T4, T3 \ // T3:T4 = U2*V2 + ADCQ T4, T2 \ + MULXQ 24+I1, T9, T4 \ // T4:T9 = U2*V3 + ADCQ T9, T3 \ + \ // Column U3 + MOVQ 24+I0, DX \ + ADCQ $0, T4 \ + ADDQ T5, T0 \ + MOVQ T0, 16+O \ // O[2] + ADCQ T6, T1 \ + ADCQ T7, T2 \ + ADCQ T8, T3 \ + ADCQ $0, T4 \ + MULXQ 0+I1, T0, T5 \ // T5:T0 = U3*V0 + MULXQ 8+I1, T7, T6 \ // T6:T7 = U3*V1 + ADDQ T7, T5 \ + MULXQ 16+I1, T8, T7 \ // T7:T8 = U3*V2 + ADCQ T8, T6 \ + MULXQ 24+I1, T9, T8 \ // T8:T9 = U3*V3 + ADCQ T9, T7 \ + ADCQ $0, T8 \ + \ // Add values in remaining columns + ADDQ T0, T1 \ + MOVQ T1, 24+O \ // O[3] + ADCQ T5, T2 \ + MOVQ T2, 32+O \ // O[4] + ADCQ T6, T3 \ + MOVQ T3, 40+O \ // O[5] + ADCQ T7, T4 \ + MOVQ T4, 48+O \ // O[6] + ADCQ $0, T8 \ // O[7] + MOVQ T8, 56+O + +// Performs schoolbook multiplication of 2 256-bit numbers. This optimized version +// uses ADOX, ADCX and MULX instructions. Macro smashes values in AX and DX. +// Input: I0 and I1. 
+// Output: O +// All the other arguments resgisters are used for storing temporary values +#define MULS256_MULX_ADCX_ADOX(O, I0, I1, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9) \ + \ // U0[0] + MOVQ 0+I0, DX \ // MULX requires multiplayer in DX + \ // T0:T1 = I1*DX + MULXQ I1, T1, T0 \ // T0:T1 = U0*V0 (low:high) + MOVQ T1, O \ // O0[0] + MULXQ 8+I1, T2, T1 \ // T2:T1 = U0*V1 + XORQ AX, AX \ + ADOXQ T2, T0 \ + MULXQ 16+I1, T3, T2 \ // T2:T3 = U0*V2 + ADOXQ T3, T1 \ + MULXQ 24+I1, T4, T3 \ // T3:T4 = U0*V3 + ADOXQ T4, T2 \ + \ // Column U1 + MOVQ 8+I0, DX \ + MULXQ I1, T4, T5 \ // T5:T4 = U1*V0 + ADOXQ AX, T3 \ + XORQ AX, AX \ + MULXQ 8+I1, T7, T6 \ // T6:T7 = U1*V1 + ADOXQ T0, T4 \ + MOVQ T4, 8+O \ // O[1] + ADCXQ T7, T5 \ + MULXQ 16+I1, T8, T7 \ // T7:T8 = U1*V2 + ADCXQ T8, T6 \ + ADOXQ T1, T5 \ + MULXQ 24+I1, T9, T8 \ // T8:T9 = U1*V3 + ADCXQ T9, T7 \ + ADCXQ AX, T8 \ + ADOXQ T2, T6 \ + \ // Column U2 + MOVQ 16+I0, DX \ + MULXQ I1, T0, T1 \ // T1:T0 = U2*V0 + ADOXQ T3, T7 \ + ADOXQ AX, T8 \ + XORQ AX, AX \ + MULXQ 8+I1, T3, T2 \ // T2:T3 = U2*V1 + ADOXQ T5, T0 \ + MOVQ T0, 16+O \ // O[2] + ADCXQ T3, T1 \ + MULXQ 16+I1, T4, T3 \ // T3:T4 = U2*V2 + ADCXQ T4, T2 \ + ADOXQ T6, T1 \ + MULXQ 24+I1, T9, T4 \ // T9:T4 = U2*V3 + ADCXQ T9, T3 \ + MOVQ 24+I0, DX \ + ADCXQ AX, T4 \ + \ + ADOXQ T7, T2 \ + ADOXQ T8, T3 \ + ADOXQ AX, T4 \ + \ // Column U3 + MULXQ I1, T0, T5 \ // T5:T0 = U3*B0 + XORQ AX, AX \ + MULXQ 8+I1, T7, T6 \ // T6:T7 = U3*B1 + ADCXQ T7, T5 \ + ADOXQ T0, T1 \ + MULXQ 16+I1, T8, T7 \ // T7:T8 = U3*V2 + ADCXQ T8, T6 \ + ADOXQ T5, T2 \ + MULXQ 24+I1, T9, T8 \ // T8:T9 = U3*V3 + ADCXQ T9, T7 \ + ADCXQ AX, T8 \ + \ + ADOXQ T6, T3 \ + ADOXQ T7, T4 \ + ADOXQ AX, T8 \ + MOVQ T1, 24+O \ // O[3] + MOVQ T2, 32+O \ // O[4] + MOVQ T3, 40+O \ // O[5] + MOVQ T4, 48+O \ // O[6] and O[7] below + MOVQ T8, 56+O + +// Template of a macro that performs schoolbook multiplication of 128-bit with 320-bit +// number. 
It uses MULX instruction This template must be customized with functions +// performing ADD (add1, add2) and ADD-with-carry (adc1, adc2). addX/adcX may or may +// not be instructions that use two independent carry chains. +// Input: +// * I0 128-bit number +// * I1 320-bit number +// * add1, add2: instruction performing integer addition and starting carry chain +// * adc1, adc2: instruction performing integer addition with carry +// Output: T[0-6] registers +#define MULS_128x320(I0, I1, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, add1, add2, adc1, adc2) \ + \ // Column 0 + MOVQ I0, DX \ + MULXQ I1+24(SB), T0, T1 \ + MULXQ I1+32(SB), T4, T2 \ + XORQ AX, AX \ + MULXQ I1+40(SB), T5, T3 \ + add1 T4, T1 \ + adc1 T5, T2 \ + MULXQ I1+48(SB), T7, T4 \ + adc1 T7, T3 \ + MULXQ I1+56(SB), T6, T5 \ + adc1 T6, T4 \ + adc1 AX, T5 \ + \ // Column 1 + MOVQ 8+I0, DX \ + MULXQ I1+24(SB), T6, T7 \ + add2 T6, T1 \ + adc2 T7, T2 \ + MULXQ I1+32(SB), T8, T6 \ + adc2 T6, T3 \ + MULXQ I1+40(SB), T7, T9 \ + adc2 T9, T4 \ + MULXQ I1+48(SB), T9, T6 \ + adc2 T6, T5 \ + MULXQ I1+56(SB), DX, T6 \ + adc2 AX, T6 \ + \ // Output + XORQ AX, AX \ + add1 T8, T2 \ + adc1 T7, T3 \ + adc1 T9, T4 \ + adc1 DX, T5 \ + adc1 AX, T6 + +// Multiplies 128-bit with 320-bit integer. Optimized with MULX instruction. +#define MULS_128x320_MULX(I0, I1, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9) \ + MULS_128x320(I0, I1, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, ADDQ, ADDQ, ADCQ, ADCQ) + +// Multiplies 128-bit with 320-bit integer. Optimized with MULX, ADOX and ADCX instructions +#define MULS_128x320_MULX_ADCX_ADOX(I0, I1, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9) \ + MULS_128x320(I0, I1, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, ADOXQ, ADCXQ, ADOXQ, ADCXQ) + +// Template of a macro performing multiplication of two 512-bit numbers. It uses one +// level of Karatsuba and one level of schoolbook multiplication. Template must be +// customized with macro performing schoolbook multiplication. 
+// Input: +// * I0, I1 - two 512-bit numbers +// * MULS - either MULS256_MULX or MULS256_MULX_ADCX_ADOX +// Output: OUT - 1024-bit long +#define MUL(OUT, I0, I1, MULS) \ + \ // R[8-11]: U1+U0 + XORQ AX, AX \ + MOVQ ( 0)(I0), R8 \ + MOVQ ( 8)(I0), R9 \ + MOVQ (16)(I0), R10 \ + MOVQ (24)(I0), R11 \ + ADDQ (32)(I0), R8 \ + ADCQ (40)(I0), R9 \ + ADCQ (48)(I0), R10 \ + ADCQ (56)(I0), R11 \ + SBBQ $0, AX \ // store mask + MOVQ R8, ( 0)(SP) \ + MOVQ R9, ( 8)(SP) \ + MOVQ R10, (16)(SP) \ + MOVQ R11, (24)(SP) \ + \ + \ // R[12-15]: V1+V0 + XORQ BX, BX \ + MOVQ ( 0)(I1), R12 \ + MOVQ ( 8)(I1), R13 \ + MOVQ (16)(I1), R14 \ + MOVQ (24)(I1), R15 \ + ADDQ (32)(I1), R12 \ + ADCQ (40)(I1), R13 \ + ADCQ (48)(I1), R14 \ + ADCQ (56)(I1), R15 \ + SBBQ $0, BX \ // store mask + MOVQ R12, (32)(SP) \ + MOVQ R13, (40)(SP) \ + MOVQ R14, (48)(SP) \ + MOVQ R15, (56)(SP) \ + \ // Prepare mask for U0+U1 (U1+U0 mod 256^4 if U1+U0 sets carry flag, otherwise 0) + ANDQ AX, R12 \ + ANDQ AX, R13 \ + ANDQ AX, R14 \ + ANDQ AX, R15 \ + \ // Prepare mask for V0+V1 (V1+V0 mod 256^4 if U1+U0 sets carry flag, otherwise 0) + ANDQ BX, R8 \ + ANDQ BX, R9 \ + ANDQ BX, R10 \ + ANDQ BX, R11 \ + \ // res = masked(U0+U1) + masked(V0 + V1) + ADDQ R12, R8 \ + ADCQ R13, R9 \ + ADCQ R14, R10 \ + ADCQ R15, R11 \ + \ // SP[64-96] <- res + MOVQ R8, (64)(SP) \ + MOVQ R9, (72)(SP) \ + MOVQ R10, (80)(SP) \ + MOVQ R11, (88)(SP) \ + \ // BP will be used for schoolbook multiplication below + MOVQ BP, 96(SP) \ + \ // (U1+U0)*(V1+V0) + MULS((64)(OUT), 0(SP), 32(SP), R8, R9, R10, R11, R12, R13, R14, R15, BX, BP) \ + \ // U0 x V0 + MULS(0(OUT), 0(I0), 0(I1), R8, R9, R10, R11, R12, R13, R14, R15, BX, BP) \ + \ // U1 x V1 + MULS(0(SP), 32(I0), 32(I1), R8, R9, R10, R11, R12, R13, R14, R15, BX, BP) \ + \ // Recover BP + MOVQ 96(SP), BP \ + \ // Final part of schoolbook multiplication; R[8-11] = (U0+U1) x (V0+V1) + MOVQ (64)(SP), R8 \ + MOVQ (72)(SP), R9 \ + MOVQ (80)(SP), R10 \ + MOVQ (88)(SP), R11 \ + MOVQ (96)(OUT), AX \ + ADDQ AX, 
R8 \ + MOVQ (104)(OUT), AX \ + ADCQ AX, R9 \ + MOVQ (112)(OUT), AX \ + ADCQ AX, R10 \ + MOVQ (120)(OUT), AX \ + ADCQ AX, R11 \ + \ // R[12-15, 8-11] = (U0+U1) x (V0+V1) - U0xV0 + MOVQ (64)(OUT), R12 \ + MOVQ (72)(OUT), R13 \ + MOVQ (80)(OUT), R14 \ + MOVQ (88)(OUT), R15 \ + SUBQ ( 0)(OUT), R12 \ + SBBQ ( 8)(OUT), R13 \ + SBBQ (16)(OUT), R14 \ + SBBQ (24)(OUT), R15 \ + SBBQ (32)(OUT), R8 \ + SBBQ (40)(OUT), R9 \ + SBBQ (48)(OUT), R10 \ + SBBQ (56)(OUT), R11 \ + \ // r8-r15 <- (U0+U1) x (V0+V1) - U0xV0 - U1xV1 + SUBQ ( 0)(SP), R12 \ + SBBQ ( 8)(SP), R13 \ + SBBQ (16)(SP), R14 \ + SBBQ (24)(SP), R15 \ + SBBQ (32)(SP), R8 \ + SBBQ (40)(SP), R9 \ + SBBQ (48)(SP), R10 \ + SBBQ (56)(SP), R11 \ + \ + ; ADDQ (32)(OUT), R12; MOVQ R12, ( 32)(OUT) \ + ; ADCQ (40)(OUT), R13; MOVQ R13, ( 40)(OUT) \ + ; ADCQ (48)(OUT), R14; MOVQ R14, ( 48)(OUT) \ + ; ADCQ (56)(OUT), R15; MOVQ R15, ( 56)(OUT) \ + MOVQ ( 0)(SP), AX; ADCQ AX, R8; MOVQ R8, ( 64)(OUT) \ + MOVQ ( 8)(SP), AX; ADCQ AX, R9; MOVQ R9, ( 72)(OUT) \ + MOVQ (16)(SP), AX; ADCQ AX, R10; MOVQ R10, ( 80)(OUT) \ + MOVQ (24)(SP), AX; ADCQ AX, R11; MOVQ R11, ( 88)(OUT) \ + MOVQ (32)(SP), R12; ADCQ $0, R12; MOVQ R12, ( 96)(OUT) \ + MOVQ (40)(SP), R13; ADCQ $0, R13; MOVQ R13, (104)(OUT) \ + MOVQ (48)(SP), R14; ADCQ $0, R14; MOVQ R14, (112)(OUT) \ + MOVQ (56)(SP), R15; ADCQ $0, R15; MOVQ R15, (120)(OUT) + +// Template for calculating the Montgomery reduction algorithm described in +// section 5.2.3 of https://eprint.iacr.org/2017/1015.pdf. Template must be +// customized with schoolbook multiplicaton for 128 x 320-bit number. +// This macro reuses memory of IN value and *changes* it. 
Smashes registers +// R[8-15], BX, CX +// Input: +// * IN: 1024-bit number to be reduced +// * MULS: either MULS_128x320_MULX or MULS_128x320_MULX_ADCX_ADOX +// Output: OUT 512-bit +#define REDC(OUT, IN, MULS) \ + MULS(0(IN), ·P503p1, R8, R9, R10, R11, R12, R13, R14, BX, CX, R15) \ + XORQ R15, R15 \ + ADDQ (24)(IN), R8 \ + ADCQ (32)(IN), R9 \ + ADCQ (40)(IN), R10 \ + ADCQ (48)(IN), R11 \ + ADCQ (56)(IN), R12 \ + ADCQ (64)(IN), R13 \ + ADCQ (72)(IN), R14 \ + ADCQ (80)(IN), R15 \ + MOVQ R8, (24)(IN) \ + MOVQ R9, (32)(IN) \ + MOVQ R10, (40)(IN) \ + MOVQ R11, (48)(IN) \ + MOVQ R12, (56)(IN) \ + MOVQ R13, (64)(IN) \ + MOVQ R14, (72)(IN) \ + MOVQ R15, (80)(IN) \ + MOVQ (88)(IN), R8 \ + MOVQ (96)(IN), R9 \ + MOVQ (104)(IN), R10 \ + MOVQ (112)(IN), R11 \ + MOVQ (120)(IN), R12 \ + ADCQ $0, R8 \ + ADCQ $0, R9 \ + ADCQ $0, R10 \ + ADCQ $0, R11 \ + ADCQ $0, R12 \ + MOVQ R8, (88)(IN) \ + MOVQ R9, (96)(IN) \ + MOVQ R10, (104)(IN) \ + MOVQ R11, (112)(IN) \ + MOVQ R12, (120)(IN) \ + \ + MULS(16(IN), ·P503p1, R8, R9, R10, R11, R12, R13, R14, BX, CX, R15) \ + XORQ R15, R15 \ + ADDQ (40)(IN), R8 \ + ADCQ (48)(IN), R9 \ + ADCQ (56)(IN), R10 \ + ADCQ (64)(IN), R11 \ + ADCQ (72)(IN), R12 \ + ADCQ (80)(IN), R13 \ + ADCQ (88)(IN), R14 \ + ADCQ (96)(IN), R15 \ + MOVQ R8, (40)(IN) \ + MOVQ R9, (48)(IN) \ + MOVQ R10, (56)(IN) \ + MOVQ R11, (64)(IN) \ + MOVQ R12, (72)(IN) \ + MOVQ R13, (80)(IN) \ + MOVQ R14, (88)(IN) \ + MOVQ R15, (96)(IN) \ + MOVQ (104)(IN), R8 \ + MOVQ (112)(IN), R9 \ + MOVQ (120)(IN), R10 \ + ADCQ $0, R8 \ + ADCQ $0, R9 \ + ADCQ $0, R10 \ + MOVQ R8, (104)(IN) \ + MOVQ R9, (112)(IN) \ + MOVQ R10, (120)(IN) \ + \ + MULS(32(IN), ·P503p1, R8, R9, R10, R11, R12, R13, R14, BX, CX, R15) \ + XORQ R15, R15 \ + XORQ BX, BX \ + ADDQ ( 56)(IN), R8 \ + ADCQ ( 64)(IN), R9 \ + ADCQ ( 72)(IN), R10 \ + ADCQ ( 80)(IN), R11 \ + ADCQ ( 88)(IN), R12 \ + ADCQ ( 96)(IN), R13 \ + ADCQ (104)(IN), R14 \ + ADCQ (112)(IN), R15 \ + ADCQ (120)(IN), BX \ + MOVQ R8, ( 56)(IN) \ + MOVQ R10, ( 72)(IN) \ + 
MOVQ R11, ( 80)(IN) \ + MOVQ R12, ( 88)(IN) \ + MOVQ R13, ( 96)(IN) \ + MOVQ R14, (104)(IN) \ + MOVQ R15, (112)(IN) \ + MOVQ BX, (120)(IN) \ + MOVQ R9, ( 0)(OUT) \ // Result: OUT[0] + \ + MULS(48(IN), ·P503p1, R8, R9, R10, R11, R12, R13, R14, BX, CX, R15) \ + ADDQ ( 72)(IN), R8 \ + ADCQ ( 80)(IN), R9 \ + ADCQ ( 88)(IN), R10 \ + ADCQ ( 96)(IN), R11 \ + ADCQ (104)(IN), R12 \ + ADCQ (112)(IN), R13 \ + ADCQ (120)(IN), R14 \ + MOVQ R8, ( 8)(OUT) \ // Result: OUT[1] + MOVQ R9, (16)(OUT) \ // Result: OUT[2] + MOVQ R10, (24)(OUT) \ // Result: OUT[3] + MOVQ R11, (32)(OUT) \ // Result: OUT[4] + MOVQ R12, (40)(OUT) \ // Result: OUT[5] + MOVQ R13, (48)(OUT) \ // Result: OUT[6] and OUT[7] + MOVQ R14, (56)(OUT) + +TEXT ·modP503(SB), NOSPLIT, $0-8 + MOVQ x+0(FP), REG_P1 + + // Zero AX for later use: + XORQ AX, AX + + // Load p into registers: + MOVQ P503_0, R8 + // P503_{1,2} = P503_0, so reuse R8 + MOVQ P503_3, R9 + MOVQ P503_4, R10 + MOVQ P503_5, R11 + MOVQ P503_6, R12 + MOVQ P503_7, R13 + + // Set x <- x - p + SUBQ R8, ( 0)(REG_P1) + SBBQ R8, ( 8)(REG_P1) + SBBQ R8, (16)(REG_P1) + SBBQ R9, (24)(REG_P1) + SBBQ R10, (32)(REG_P1) + SBBQ R11, (40)(REG_P1) + SBBQ R12, (48)(REG_P1) + SBBQ R13, (56)(REG_P1) + + // Save carry flag indicating x-p < 0 as a mask + SBBQ $0, AX + + // Conditionally add p to x if x-p < 0 + ANDQ AX, R8 + ANDQ AX, R9 + ANDQ AX, R10 + ANDQ AX, R11 + ANDQ AX, R12 + ANDQ AX, R13 + + ADDQ R8, ( 0)(REG_P1) + ADCQ R8, ( 8)(REG_P1) + ADCQ R8, (16)(REG_P1) + ADCQ R9, (24)(REG_P1) + ADCQ R10,(32)(REG_P1) + ADCQ R11,(40)(REG_P1) + ADCQ R12,(48)(REG_P1) + ADCQ R13,(56)(REG_P1) + + RET + +TEXT ·cswapP503(SB),NOSPLIT,$0-17 + + MOVQ x+0(FP), REG_P1 + MOVQ y+8(FP), REG_P2 + MOVB choice+16(FP), AL // AL = 0 or 1 + MOVBLZX AL, AX // AX = 0 or 1 + NEGQ AX // AX = 0x00..00 or 0xff..ff + +#ifndef CSWAP_BLOCK +#define CSWAP_BLOCK(idx) \ + MOVQ (idx*8)(REG_P1), BX \ // BX = x[idx] + MOVQ (idx*8)(REG_P2), CX \ // CX = y[idx] + MOVQ CX, DX \ // DX = y[idx] + XORQ BX, DX \ // DX = 
y[idx] ^ x[idx] + ANDQ AX, DX \ // DX = (y[idx] ^ x[idx]) & mask + XORQ DX, BX \ // BX = (y[idx] ^ x[idx]) & mask) ^ x[idx] = x[idx] or y[idx] + XORQ DX, CX \ // CX = (y[idx] ^ x[idx]) & mask) ^ y[idx] = y[idx] or x[idx] + MOVQ BX, (idx*8)(REG_P1) \ + MOVQ CX, (idx*8)(REG_P2) +#endif + + CSWAP_BLOCK(0) + CSWAP_BLOCK(1) + CSWAP_BLOCK(2) + CSWAP_BLOCK(3) + CSWAP_BLOCK(4) + CSWAP_BLOCK(5) + CSWAP_BLOCK(6) + CSWAP_BLOCK(7) + +#ifdef CSWAP_BLOCK +#undef CSWAP_BLOCK +#endif + + RET + +TEXT ·addP503(SB),NOSPLIT,$0-24 + + MOVQ z+0(FP), REG_P3 + MOVQ x+8(FP), REG_P1 + MOVQ y+16(FP), REG_P2 + + // Used later to calculate a mask + XORQ CX, CX + + // [R8-R15]: z = x + y + MOVQ ( 0)(REG_P1), R8 + MOVQ ( 8)(REG_P1), R9 + MOVQ (16)(REG_P1), R10 + MOVQ (24)(REG_P1), R11 + MOVQ (32)(REG_P1), R12 + MOVQ (40)(REG_P1), R13 + MOVQ (48)(REG_P1), R14 + MOVQ (56)(REG_P1), R15 + ADDQ ( 0)(REG_P2), R8 + ADCQ ( 8)(REG_P2), R9 + ADCQ (16)(REG_P2), R10 + ADCQ (24)(REG_P2), R11 + ADCQ (32)(REG_P2), R12 + ADCQ (40)(REG_P2), R13 + ADCQ (48)(REG_P2), R14 + ADCQ (56)(REG_P2), R15 + + MOVQ P503X2_0, AX + SUBQ AX, R8 + MOVQ P503X2_1, AX + SBBQ AX, R9 + SBBQ AX, R10 + MOVQ P503X2_3, AX + SBBQ AX, R11 + MOVQ P503X2_4, AX + SBBQ AX, R12 + MOVQ P503X2_5, AX + SBBQ AX, R13 + MOVQ P503X2_6, AX + SBBQ AX, R14 + MOVQ P503X2_7, AX + SBBQ AX, R15 + + // mask + SBBQ $0, CX + + // move z to REG_P3 + MOVQ R8, ( 0)(REG_P3) + MOVQ R9, ( 8)(REG_P3) + MOVQ R10, (16)(REG_P3) + MOVQ R11, (24)(REG_P3) + MOVQ R12, (32)(REG_P3) + MOVQ R13, (40)(REG_P3) + MOVQ R14, (48)(REG_P3) + MOVQ R15, (56)(REG_P3) + + // if z<0 add p503x2 back + MOVQ P503X2_0, R8 + MOVQ P503X2_1, R9 + MOVQ P503X2_3, R10 + MOVQ P503X2_4, R11 + MOVQ P503X2_5, R12 + MOVQ P503X2_6, R13 + MOVQ P503X2_7, R14 + ANDQ CX, R8 + ANDQ CX, R9 + ANDQ CX, R10 + ANDQ CX, R11 + ANDQ CX, R12 + ANDQ CX, R13 + ANDQ CX, R14 + MOVQ ( 0)(REG_P3), AX; ADDQ R8, AX; MOVQ AX, ( 0)(REG_P3) + MOVQ ( 8)(REG_P3), AX; ADCQ R9, AX; MOVQ AX, ( 8)(REG_P3) + MOVQ (16)(REG_P3), AX; ADCQ 
R9, AX; MOVQ AX, (16)(REG_P3) + MOVQ (24)(REG_P3), AX; ADCQ R10, AX; MOVQ AX, (24)(REG_P3) + MOVQ (32)(REG_P3), AX; ADCQ R11, AX; MOVQ AX, (32)(REG_P3) + MOVQ (40)(REG_P3), AX; ADCQ R12, AX; MOVQ AX, (40)(REG_P3) + MOVQ (48)(REG_P3), AX; ADCQ R13, AX; MOVQ AX, (48)(REG_P3) + MOVQ (56)(REG_P3), AX; ADCQ R14, AX; MOVQ AX, (56)(REG_P3) + RET + +TEXT ·subP503(SB), NOSPLIT, $0-24 + + MOVQ z+0(FP), REG_P3 + MOVQ x+8(FP), REG_P1 + MOVQ y+16(FP), REG_P2 + + // Used later to calculate a mask + XORQ CX, CX + + MOVQ ( 0)(REG_P1), R8 + MOVQ ( 8)(REG_P1), R9 + MOVQ (16)(REG_P1), R10 + MOVQ (24)(REG_P1), R11 + MOVQ (32)(REG_P1), R12 + MOVQ (40)(REG_P1), R13 + MOVQ (48)(REG_P1), R14 + MOVQ (56)(REG_P1), R15 + + SUBQ ( 0)(REG_P2), R8 + SBBQ ( 8)(REG_P2), R9 + SBBQ (16)(REG_P2), R10 + SBBQ (24)(REG_P2), R11 + SBBQ (32)(REG_P2), R12 + SBBQ (40)(REG_P2), R13 + SBBQ (48)(REG_P2), R14 + SBBQ (56)(REG_P2), R15 + + // mask + SBBQ $0, CX + + // store x-y in REG_P3 + MOVQ R8, ( 0)(REG_P3) + MOVQ R9, ( 8)(REG_P3) + MOVQ R10, (16)(REG_P3) + MOVQ R11, (24)(REG_P3) + MOVQ R12, (32)(REG_P3) + MOVQ R13, (40)(REG_P3) + MOVQ R14, (48)(REG_P3) + MOVQ R15, (56)(REG_P3) + + // if z<0 add p503x2 back + MOVQ P503X2_0, R8 + MOVQ P503X2_1, R9 + MOVQ P503X2_3, R10 + MOVQ P503X2_4, R11 + MOVQ P503X2_5, R12 + MOVQ P503X2_6, R13 + MOVQ P503X2_7, R14 + ANDQ CX, R8 + ANDQ CX, R9 + ANDQ CX, R10 + ANDQ CX, R11 + ANDQ CX, R12 + ANDQ CX, R13 + ANDQ CX, R14 + MOVQ ( 0)(REG_P3), AX; ADDQ R8, AX; MOVQ AX, ( 0)(REG_P3) + MOVQ ( 8)(REG_P3), AX; ADCQ R9, AX; MOVQ AX, ( 8)(REG_P3) + MOVQ (16)(REG_P3), AX; ADCQ R9, AX; MOVQ AX, (16)(REG_P3) + MOVQ (24)(REG_P3), AX; ADCQ R10, AX; MOVQ AX, (24)(REG_P3) + MOVQ (32)(REG_P3), AX; ADCQ R11, AX; MOVQ AX, (32)(REG_P3) + MOVQ (40)(REG_P3), AX; ADCQ R12, AX; MOVQ AX, (40)(REG_P3) + MOVQ (48)(REG_P3), AX; ADCQ R13, AX; MOVQ AX, (48)(REG_P3) + MOVQ (56)(REG_P3), AX; ADCQ R14, AX; MOVQ AX, (56)(REG_P3) + + RET + +TEXT ·mulP503(SB), NOSPLIT, $104-24 + MOVQ z+0(FP), CX + MOVQ x+8(FP), 
REG_P1 + MOVQ y+16(FP), REG_P2 + + // Check wether to use optimized implementation + CMPB ·HasADXandBMI2(SB), $1 + JE mul_with_mulx_adcx_adox + CMPB ·HasBMI2(SB), $1 + JE mul_with_mulx + + // Generic x86 implementation (below) uses variant of Karatsuba method. + // + // Here we store the destination in CX instead of in REG_P3 because the + // multiplication instructions use DX as an implicit destination + // operand: MULQ $REG sets DX:AX <-- AX * $REG. + + // RAX and RDX will be used for a mask (0-borrow) + XORQ AX, AX + + // RCX[0-3]: U1+U0 + MOVQ (32)(REG_P1), R8 + MOVQ (40)(REG_P1), R9 + MOVQ (48)(REG_P1), R10 + MOVQ (56)(REG_P1), R11 + ADDQ ( 0)(REG_P1), R8 + ADCQ ( 8)(REG_P1), R9 + ADCQ (16)(REG_P1), R10 + ADCQ (24)(REG_P1), R11 + MOVQ R8, ( 0)(CX) + MOVQ R9, ( 8)(CX) + MOVQ R10, (16)(CX) + MOVQ R11, (24)(CX) + + SBBQ $0, AX + + // R12-R15: V1+V0 + XORQ DX, DX + MOVQ (32)(REG_P2), R12 + MOVQ (40)(REG_P2), R13 + MOVQ (48)(REG_P2), R14 + MOVQ (56)(REG_P2), R15 + ADDQ ( 0)(REG_P2), R12 + ADCQ ( 8)(REG_P2), R13 + ADCQ (16)(REG_P2), R14 + ADCQ (24)(REG_P2), R15 + + SBBQ $0, DX + + // Store carries on stack + MOVQ AX, (64)(SP) + MOVQ DX, (72)(SP) + + // (SP[0-3],R8,R9,R10,R11) <- (U0+U1)*(V0+V1). 
+ // MUL using comba; In comments below U=U0+U1 V=V0+V1 + + // U0*V0 + MOVQ (CX), AX + MULQ R12 + MOVQ AX, (SP) // C0 + MOVQ DX, R8 + + // U0*V1 + XORQ R9, R9 + MOVQ (CX), AX + MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + + // U1*V0 + XORQ R10, R10 + MOVQ (8)(CX), AX + MULQ R12 + ADDQ AX, R8 + MOVQ R8, (8)(SP) // C1 + ADCQ DX, R9 + ADCQ $0, R10 + + // U0*V2 + XORQ R8, R8 + MOVQ (CX), AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + // U2*V0 + MOVQ (16)(CX), AX + MULQ R12 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + // U1*V1 + MOVQ (8)(CX), AX + MULQ R13 + ADDQ AX, R9 + MOVQ R9, (16)(SP) // C2 + ADCQ DX, R10 + ADCQ $0, R8 + + // U0*V3 + XORQ R9, R9 + MOVQ (CX), AX + MULQ R15 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + // U3*V0 + MOVQ (24)(CX), AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + // U1*V2 + MOVQ (8)(CX), AX + MULQ R14 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + // U2*V1 + MOVQ (16)(CX), AX + MULQ R13 + ADDQ AX, R10 + MOVQ R10, (24)(SP) // C3 + ADCQ DX, R8 + ADCQ $0, R9 + + // U1*V3 + XORQ R10, R10 + MOVQ (8)(CX), AX + MULQ R15 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + // U3*V1 + MOVQ (24)(CX), AX + MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + // U2*V2 + MOVQ (16)(CX), AX + MULQ R14 + ADDQ AX, R8 + MOVQ R8, (32)(SP) // C4 + ADCQ DX, R9 + ADCQ $0, R10 + + // U2*V3 + XORQ R11, R11 + MOVQ (16)(CX), AX + MULQ R15 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R11 + + // U3*V2 + MOVQ (24)(CX), AX + MULQ R14 + ADDQ AX, R9 // C5 + ADCQ DX, R10 + ADCQ $0, R11 + + // U3*V3 + MOVQ (24)(CX), AX + MULQ R15 + ADDQ AX, R10 // C6 + ADCQ DX, R11 // C7 + + MOVQ (64)(SP), AX + ANDQ AX, R12 + ANDQ AX, R13 + ANDQ AX, R14 + ANDQ AX, R15 + ADDQ R8, R12 + ADCQ R9, R13 + ADCQ R10, R14 + ADCQ R11, R15 + + MOVQ (72)(SP), AX + MOVQ (CX), R8 + MOVQ (8)(CX), R9 + MOVQ (16)(CX), R10 + MOVQ (24)(CX), R11 + ANDQ AX, R8 + ANDQ AX, R9 + ANDQ AX, R10 + ANDQ AX, R11 + ADDQ R12, R8 + ADCQ R13, R9 + ADCQ R14, R10 + ADCQ R15, R11 + MOVQ R8, (32)(SP) + MOVQ 
R9, (40)(SP) + MOVQ R10, (48)(SP) + MOVQ R11, (56)(SP) + + // CX[0-7] <- AL*BL + + // U0*V0 + MOVQ (REG_P1), R11 + MOVQ (REG_P2), AX + MULQ R11 + XORQ R9, R9 + MOVQ AX, (CX) // C0 + MOVQ DX, R8 + + // U0*V1 + MOVQ (16)(REG_P1), R14 + MOVQ (8)(REG_P2), AX + MULQ R11 + XORQ R10, R10 + ADDQ AX, R8 + ADCQ DX, R9 + + // U1*V0 + MOVQ (8)(REG_P1), R12 + MOVQ (REG_P2), AX + MULQ R12 + ADDQ AX, R8 + MOVQ R8, (8)(CX) // C1 + ADCQ DX, R9 + ADCQ $0, R10 + + // U0*V2 + XORQ R8, R8 + MOVQ (16)(REG_P2), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + // U2*V0 + MOVQ (REG_P2), R13 + MOVQ R14, AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + // U1*V1 + MOVQ (8)(REG_P2), AX + MULQ R12 + ADDQ AX, R9 + MOVQ R9, (16)(CX) // C2 + ADCQ DX, R10 + ADCQ $0, R8 + + // U0*V3 + XORQ R9, R9 + MOVQ (24)(REG_P2), AX + MULQ R11 + MOVQ (24)(REG_P1), R15 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + // U3*V1 + MOVQ R15, AX + MULQ R13 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + // U2*V2 + MOVQ (16)(REG_P2), AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + // U2*V3 + MOVQ (8)(REG_P2), AX + MULQ R14 + ADDQ AX, R10 + MOVQ R10, (24)(CX) // C3 + ADCQ DX, R8 + ADCQ $0, R9 + + // U3*V2 + XORQ R10, R10 + MOVQ (24)(REG_P2), AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + // U3*V1 + MOVQ (8)(REG_P2), AX + MULQ R15 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + // U2*V2 + MOVQ (16)(REG_P2), AX + MULQ R14 + ADDQ AX, R8 + MOVQ R8, (32)(CX) // C4 + ADCQ DX, R9 + ADCQ $0, R10 + + // U2*V3 + XORQ R8, R8 + MOVQ (24)(REG_P2), AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + // U3*V2 + MOVQ (16)(REG_P2), AX + MULQ R15 + ADDQ AX, R9 + MOVQ R9, (40)(CX) // C5 + ADCQ DX, R10 + ADCQ $0, R8 + + // U3*V3 + MOVQ (24)(REG_P2), AX + MULQ R15 + ADDQ AX, R10 + MOVQ R10, (48)(CX) // C6 + ADCQ DX, R8 + MOVQ R8, (56)(CX) // C7 + + // CX[8-15] <- U1*V1 + MOVQ (32)(REG_P1), R11 + MOVQ (32)(REG_P2), AX + MULQ R11 + XORQ R9, R9 + MOVQ AX, (64)(CX) // C0 + MOVQ DX, R8 + + 
MOVQ (48)(REG_P1), R14 + MOVQ (40)(REG_P2), AX + MULQ R11 + XORQ R10, R10 + ADDQ AX, R8 + ADCQ DX, R9 + + MOVQ (40)(REG_P1), R12 + MOVQ (32)(REG_P2), AX + MULQ R12 + ADDQ AX, R8 + MOVQ R8, (72)(CX) // C1 + ADCQ DX, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ (48)(REG_P2), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (32)(REG_P2), R13 + MOVQ R14, AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (40)(REG_P2), AX + MULQ R12 + ADDQ AX, R9 + MOVQ R9, (80)(CX) // C2 + ADCQ DX, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ (56)(REG_P2), AX + MULQ R11 + MOVQ (56)(REG_P1), R15 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ R15, AX + MULQ R13 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (48)(REG_P2), AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (40)(REG_P2), AX + MULQ R14 + ADDQ AX, R10 + MOVQ R10, (88)(CX) // C3 + ADCQ DX, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ (56)(REG_P2), AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (40)(REG_P2), AX + MULQ R15 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (48)(REG_P2), AX + MULQ R14 + ADDQ AX, R8 + MOVQ R8, (96)(CX) // C4 + ADCQ DX, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ (56)(REG_P2), AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (48)(REG_P2), AX + MULQ R15 + ADDQ AX, R9 + MOVQ R9, (104)(CX) // C5 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (56)(REG_P2), AX + MULQ R15 + ADDQ AX, R10 + MOVQ R10, (112)(CX) // C6 + ADCQ DX, R8 + MOVQ R8, (120)(CX) // C7 + + // [R8-R15] <- (U0+U1)*(V0+V1) - U1*V1 + MOVQ (SP), R8 + SUBQ (CX), R8 + MOVQ (8)(SP), R9 + SBBQ (8)(CX), R9 + MOVQ (16)(SP), R10 + SBBQ (16)(CX), R10 + MOVQ (24)(SP), R11 + SBBQ (24)(CX), R11 + MOVQ (32)(SP), R12 + SBBQ (32)(CX), R12 + MOVQ (40)(SP), R13 + SBBQ (40)(CX), R13 + MOVQ (48)(SP), R14 + SBBQ (48)(CX), R14 + MOVQ (56)(SP), R15 + SBBQ (56)(CX), R15 + + // [R8-R15] <- (U0+U1)*(V0+V1) - U1*V0 - U0*U1 + MOVQ ( 64)(CX), AX; SUBQ AX, R8 + MOVQ ( 72)(CX), AX; SBBQ AX, R9 + 
MOVQ ( 80)(CX), AX; SBBQ AX, R10 + MOVQ ( 88)(CX), AX; SBBQ AX, R11 + MOVQ ( 96)(CX), AX; SBBQ AX, R12 + MOVQ (104)(CX), DX; SBBQ DX, R13 + MOVQ (112)(CX), DI; SBBQ DI, R14 + MOVQ (120)(CX), SI; SBBQ SI, R15 + + // Final result + ADDQ (32)(CX), R8; MOVQ R8, (32)(CX) + ADCQ (40)(CX), R9; MOVQ R9, (40)(CX) + ADCQ (48)(CX), R10; MOVQ R10, (48)(CX) + ADCQ (56)(CX), R11; MOVQ R11, (56)(CX) + ADCQ (64)(CX), R12; MOVQ R12, (64)(CX) + ADCQ (72)(CX), R13; MOVQ R13, (72)(CX) + ADCQ (80)(CX), R14; MOVQ R14, (80)(CX) + ADCQ (88)(CX), R15; MOVQ R15, (88)(CX) + ADCQ $0, AX; MOVQ AX, (96)(CX) + ADCQ $0, DX; MOVQ DX, (104)(CX) + ADCQ $0, DI; MOVQ DI, (112)(CX) + ADCQ $0, SI; MOVQ SI, (120)(CX) + RET + +mul_with_mulx_adcx_adox: + // Mul implementation for CPUs supporting two independent carry chain + // (ADOX/ADCX) instructions and carry-less MULX multiplier + MUL(CX, REG_P1, REG_P2, MULS256_MULX_ADCX_ADOX) + RET + +mul_with_mulx: + // Mul implementation for CPUs supporting carry-less MULX multiplier. + MUL(CX, REG_P1, REG_P2, MULS256_MULX) + RET + +TEXT ·rdcP503(SB), $0-16 + MOVQ z+0(FP), REG_P2 + MOVQ x+8(FP), REG_P1 + + // Check wether to use optimized implementation + CMPB ·HasADXandBMI2(SB), $1 + JE redc_with_mulx_adcx_adox + CMPB ·HasBMI2(SB), $1 + JE redc_with_mulx + + MOVQ (REG_P1), R11 + MOVQ P503P1_3, AX + MULQ R11 + XORQ R8, R8 + ADDQ (24)(REG_P1), AX + MOVQ AX, (24)(REG_P2) + ADCQ DX, R8 + + XORQ R9, R9 + MOVQ P503P1_4, AX + MULQ R11 + XORQ R10, R10 + ADDQ AX, R8 + ADCQ DX, R9 + + MOVQ (8)(REG_P1), R12 + MOVQ P503P1_3, AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + ADDQ (32)(REG_P1), R8 + MOVQ R8, (32)(REG_P2) // Z4 + ADCQ $0, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ P503P1_5, AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P503P1_4, AX + MULQ R12 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (16)(REG_P1), R13 + MOVQ P503P1_3, AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + ADDQ (40)(REG_P1), R9 + MOVQ R9, (40)(REG_P2) // 
Z5 + ADCQ $0, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ P503P1_6, AX + MULQ R11 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P503P1_5, AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P503P1_4, AX + MULQ R13 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (24)(REG_P2), R14 + MOVQ P503P1_3, AX + MULQ R14 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + ADDQ (48)(REG_P1), R10 + MOVQ R10, (48)(REG_P2) // Z6 + ADCQ $0, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ P503P1_7, AX + MULQ R11 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P503P1_6, AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P503P1_5, AX + MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P503P1_4, AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (32)(REG_P2), R15 + MOVQ P503P1_3, AX + MULQ R15 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + ADDQ (56)(REG_P1), R8 + MOVQ R8, (56)(REG_P2) // Z7 + ADCQ $0, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ P503P1_7, AX + MULQ R12 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P503P1_6, AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P503P1_5, AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P503P1_4, AX + MULQ R15 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (40)(REG_P2), CX + MOVQ P503P1_3, AX + MULQ CX + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + ADDQ (64)(REG_P1), R9 + MOVQ R9, (REG_P2) // Z0 + ADCQ $0, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ P503P1_7, AX + MULQ R13 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P503P1_6, AX + MULQ R14 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P503P1_5, AX + MULQ R15 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P503P1_4, AX + MULQ CX + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (48)(REG_P2), R13 + MOVQ P503P1_3, AX + MULQ R13 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + ADDQ (72)(REG_P1), R10 + MOVQ R10, (8)(REG_P2) // Z1 + ADCQ $0, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ P503P1_7, AX + 
MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P503P1_6, AX + MULQ R15 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P503P1_5, AX + MULQ CX + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P503P1_4, AX + MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (56)(REG_P2), R14 + MOVQ P503P1_3, AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + ADDQ (80)(REG_P1), R8 + MOVQ R8, (16)(REG_P2) // Z2 + ADCQ $0, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ P503P1_7, AX + MULQ R15 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P503P1_6, AX + MULQ CX + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P503P1_5, AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P503P1_4, AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + ADDQ (88)(REG_P1), R9 + MOVQ R9, (24)(REG_P2) // Z3 + ADCQ $0, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ P503P1_7, AX + MULQ CX + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P503P1_6, AX + MULQ R13 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P503P1_5, AX + MULQ R14 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + ADDQ (96)(REG_P1), R10 + MOVQ R10, (32)(REG_P2) // Z4 + ADCQ $0, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ P503P1_7, AX + MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P503P1_6, AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + ADDQ (104)(REG_P1), R8 // Z5 + MOVQ R8, (40)(REG_P2) // Z5 + ADCQ $0, R9 + ADCQ $0, R10 + + MOVQ P503P1_7, AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADDQ (112)(REG_P1), R9 // Z6 + MOVQ R9, (48)(REG_P2) // Z6 + ADCQ $0, R10 + ADDQ (120)(REG_P1), R10 // Z7 + MOVQ R10, (56)(REG_P2) // Z7 + RET + +redc_with_mulx_adcx_adox: + // Implementation of the Montgomery reduction for CPUs + // supporting two independent carry chain (ADOX/ADCX) + // instructions and carry-less MULX multiplier + REDC(REG_P2, REG_P1, MULS_128x320_MULX_ADCX_ADOX) + RET + +redc_with_mulx: + // Implementation of the Montgomery reduction for CPUs + // supporting 
carry-less MULX multiplier. + REDC(REG_P2, REG_P1, MULS_128x320_MULX) + RET + +TEXT ·adlP503(SB), NOSPLIT, $0-24 + + MOVQ z+0(FP), REG_P3 + MOVQ x+8(FP), REG_P1 + MOVQ y+16(FP), REG_P2 + + MOVQ (REG_P1), R8 + MOVQ (8)(REG_P1), R9 + MOVQ (16)(REG_P1), R10 + MOVQ (24)(REG_P1), R11 + MOVQ (32)(REG_P1), R12 + MOVQ (40)(REG_P1), R13 + MOVQ (48)(REG_P1), R14 + MOVQ (56)(REG_P1), R15 + MOVQ (64)(REG_P1), AX + MOVQ (72)(REG_P1), BX + MOVQ (80)(REG_P1), CX + + ADDQ (REG_P2), R8 + ADCQ (8)(REG_P2), R9 + ADCQ (16)(REG_P2), R10 + ADCQ (24)(REG_P2), R11 + ADCQ (32)(REG_P2), R12 + ADCQ (40)(REG_P2), R13 + ADCQ (48)(REG_P2), R14 + ADCQ (56)(REG_P2), R15 + ADCQ (64)(REG_P2), AX + ADCQ (72)(REG_P2), BX + ADCQ (80)(REG_P2), CX + + MOVQ R8, (REG_P3) + MOVQ R9, (8)(REG_P3) + MOVQ R10, (16)(REG_P3) + MOVQ R11, (24)(REG_P3) + MOVQ R12, (32)(REG_P3) + MOVQ R13, (40)(REG_P3) + MOVQ R14, (48)(REG_P3) + MOVQ R15, (56)(REG_P3) + MOVQ AX, (64)(REG_P3) + MOVQ BX, (72)(REG_P3) + MOVQ CX, (80)(REG_P3) + + MOVQ (88)(REG_P1), R8 + MOVQ (96)(REG_P1), R9 + MOVQ (104)(REG_P1), R10 + MOVQ (112)(REG_P1), R11 + MOVQ (120)(REG_P1), R12 + + ADCQ (88)(REG_P2), R8 + ADCQ (96)(REG_P2), R9 + ADCQ (104)(REG_P2), R10 + ADCQ (112)(REG_P2), R11 + ADCQ (120)(REG_P2), R12 + + MOVQ R8, (88)(REG_P3) + MOVQ R9, (96)(REG_P3) + MOVQ R10, (104)(REG_P3) + MOVQ R11, (112)(REG_P3) + MOVQ R12, (120)(REG_P3) + + RET + +TEXT ·sulP503(SB), NOSPLIT, $0-24 + + MOVQ z+0(FP), REG_P3 + MOVQ x+8(FP), REG_P1 + MOVQ y+16(FP), REG_P2 + // Used later to store result of 0-borrow + XORQ CX, CX + + // SUBC for first 11 limbs + MOVQ (REG_P1), R8 + MOVQ (8)(REG_P1), R9 + MOVQ (16)(REG_P1), R10 + MOVQ (24)(REG_P1), R11 + MOVQ (32)(REG_P1), R12 + MOVQ (40)(REG_P1), R13 + MOVQ (48)(REG_P1), R14 + MOVQ (56)(REG_P1), R15 + MOVQ (64)(REG_P1), AX + MOVQ (72)(REG_P1), BX + + SUBQ (REG_P2), R8 + SBBQ (8)(REG_P2), R9 + SBBQ (16)(REG_P2), R10 + SBBQ (24)(REG_P2), R11 + SBBQ (32)(REG_P2), R12 + SBBQ (40)(REG_P2), R13 + SBBQ (48)(REG_P2), R14 + SBBQ 
(56)(REG_P2), R15 + SBBQ (64)(REG_P2), AX + SBBQ (72)(REG_P2), BX + + MOVQ R8, (REG_P3) + MOVQ R9, (8)(REG_P3) + MOVQ R10, (16)(REG_P3) + MOVQ R11, (24)(REG_P3) + MOVQ R12, (32)(REG_P3) + MOVQ R13, (40)(REG_P3) + MOVQ R14, (48)(REG_P3) + MOVQ R15, (56)(REG_P3) + MOVQ AX, (64)(REG_P3) + MOVQ BX, (72)(REG_P3) + + // SUBC for last 5 limbs + MOVQ (80)(REG_P1), R8 + MOVQ (88)(REG_P1), R9 + MOVQ (96)(REG_P1), R10 + MOVQ (104)(REG_P1), R11 + MOVQ (112)(REG_P1), R12 + MOVQ (120)(REG_P1), R13 + + SBBQ (80)(REG_P2), R8 + SBBQ (88)(REG_P2), R9 + SBBQ (96)(REG_P2), R10 + SBBQ (104)(REG_P2), R11 + SBBQ (112)(REG_P2), R12 + SBBQ (120)(REG_P2), R13 + + MOVQ R8, (80)(REG_P3) + MOVQ R9, (88)(REG_P3) + MOVQ R10, (96)(REG_P3) + MOVQ R11, (104)(REG_P3) + MOVQ R12, (112)(REG_P3) + MOVQ R13, (120)(REG_P3) + + // Now the carry flag is 1 if x-y < 0. If so, add p*2^512. + SBBQ $0, CX + + // Load p into registers: + MOVQ P503_0, R8 + // P503_{1,2} = P503_0, so reuse R8 + MOVQ P503_3, R9 + MOVQ P503_4, R10 + MOVQ P503_5, R11 + MOVQ P503_6, R12 + MOVQ P503_7, R13 + + ANDQ CX, R8 + ANDQ CX, R9 + ANDQ CX, R10 + ANDQ CX, R11 + ANDQ CX, R12 + ANDQ CX, R13 + + MOVQ (64 )(REG_P3), AX; ADDQ R8, AX; MOVQ AX, (64 )(REG_P3) + MOVQ (64+ 8)(REG_P3), AX; ADCQ R8, AX; MOVQ AX, (64+ 8)(REG_P3) + MOVQ (64+16)(REG_P3), AX; ADCQ R8, AX; MOVQ AX, (64+16)(REG_P3) + MOVQ (64+24)(REG_P3), AX; ADCQ R9, AX; MOVQ AX, (64+24)(REG_P3) + MOVQ (64+32)(REG_P3), AX; ADCQ R10, AX; MOVQ AX, (64+32)(REG_P3) + MOVQ (64+40)(REG_P3), AX; ADCQ R11, AX; MOVQ AX, (64+40)(REG_P3) + MOVQ (64+48)(REG_P3), AX; ADCQ R12, AX; MOVQ AX, (64+48)(REG_P3) + MOVQ (64+56)(REG_P3), AX; ADCQ R13, AX; MOVQ AX, (64+56)(REG_P3) + + RET diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_arm64.s b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_arm64.s new file mode 100644 index 00000000..559806a7 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_arm64.s 
@@ -0,0 +1,769 @@ +// +build arm64,!noasm + +#include "textflag.h" + +TEXT ·cswapP503(SB), NOSPLIT, $0-17 + MOVD x+0(FP), R0 + MOVD y+8(FP), R1 + MOVB choice+16(FP), R2 + + // Set flags + // If choice is not 0 or 1, this implementation will swap completely + CMP $0, R2 + + LDP 0(R0), (R3, R4) + LDP 0(R1), (R5, R6) + CSEL EQ, R3, R5, R7 + CSEL EQ, R4, R6, R8 + STP (R7, R8), 0(R0) + CSEL NE, R3, R5, R9 + CSEL NE, R4, R6, R10 + STP (R9, R10), 0(R1) + + LDP 16(R0), (R3, R4) + LDP 16(R1), (R5, R6) + CSEL EQ, R3, R5, R7 + CSEL EQ, R4, R6, R8 + STP (R7, R8), 16(R0) + CSEL NE, R3, R5, R9 + CSEL NE, R4, R6, R10 + STP (R9, R10), 16(R1) + + LDP 32(R0), (R3, R4) + LDP 32(R1), (R5, R6) + CSEL EQ, R3, R5, R7 + CSEL EQ, R4, R6, R8 + STP (R7, R8), 32(R0) + CSEL NE, R3, R5, R9 + CSEL NE, R4, R6, R10 + STP (R9, R10), 32(R1) + + LDP 48(R0), (R3, R4) + LDP 48(R1), (R5, R6) + CSEL EQ, R3, R5, R7 + CSEL EQ, R4, R6, R8 + STP (R7, R8), 48(R0) + CSEL NE, R3, R5, R9 + CSEL NE, R4, R6, R10 + STP (R9, R10), 48(R1) + + RET + +TEXT ·addP503(SB), NOSPLIT, $0-24 + MOVD z+0(FP), R2 + MOVD x+8(FP), R0 + MOVD y+16(FP), R1 + + // Load first summand into R3-R10 + // Add first summand and second summand and store result in R3-R10 + LDP 0(R0), (R3, R4) + LDP 0(R1), (R11, R12) + LDP 16(R0), (R5, R6) + LDP 16(R1), (R13, R14) + ADDS R11, R3 + ADCS R12, R4 + ADCS R13, R5 + ADCS R14, R6 + + LDP 32(R0), (R7, R8) + LDP 32(R1), (R11, R12) + LDP 48(R0), (R9, R10) + LDP 48(R1), (R13, R14) + ADCS R11, R7 + ADCS R12, R8 + ADCS R13, R9 + ADC R14, R10 + + // Subtract 2 * p503 in R11-R17 from the result in R3-R10 + LDP ·P503x2+0(SB), (R11, R12) + LDP ·P503x2+24(SB), (R13, R14) + SUBS R11, R3 + SBCS R12, R4 + LDP ·P503x2+40(SB), (R15, R16) + SBCS R12, R5 + SBCS R13, R6 + MOVD ·P503x2+56(SB), R17 + SBCS R14, R7 + SBCS R15, R8 + SBCS R16, R9 + SBCS R17, R10 + SBC ZR, ZR, R19 + + // If x + y - 2 * p503 < 0, R19 is 1 and 2 * p503 should be added + AND R19, R11 + AND R19, R12 + AND R19, R13 + AND R19, R14 + AND R19, R15 + 
AND R19, R16 + AND R19, R17 + + ADDS R11, R3 + ADCS R12, R4 + STP (R3, R4), 0(R2) + ADCS R12, R5 + ADCS R13, R6 + STP (R5, R6), 16(R2) + ADCS R14, R7 + ADCS R15, R8 + STP (R7, R8), 32(R2) + ADCS R16, R9 + ADC R17, R10 + STP (R9, R10), 48(R2) + + RET + +TEXT ·subP503(SB), NOSPLIT, $0-24 + MOVD z+0(FP), R2 + MOVD x+8(FP), R0 + MOVD y+16(FP), R1 + + // Load x into R3-R10 + // Subtract y from x and store result in R3-R10 + LDP 0(R0), (R3, R4) + LDP 0(R1), (R11, R12) + LDP 16(R0), (R5, R6) + LDP 16(R1), (R13, R14) + SUBS R11, R3 + SBCS R12, R4 + SBCS R13, R5 + SBCS R14, R6 + + LDP 32(R0), (R7, R8) + LDP 32(R1), (R11, R12) + LDP 48(R0), (R9, R10) + LDP 48(R1), (R13, R14) + SBCS R11, R7 + SBCS R12, R8 + SBCS R13, R9 + SBCS R14, R10 + SBC ZR, ZR, R19 + + // If x - y < 0, R19 is 1 and 2 * p503 should be added + LDP ·P503x2+0(SB), (R11, R12) + LDP ·P503x2+24(SB), (R13, R14) + AND R19, R11 + AND R19, R12 + LDP ·P503x2+40(SB), (R15, R16) + AND R19, R13 + AND R19, R14 + MOVD ·P503x2+56(SB), R17 + AND R19, R15 + AND R19, R16 + AND R19, R17 + + ADDS R11, R3 + ADCS R12, R4 + STP (R3, R4), 0(R2) + ADCS R12, R5 + ADCS R13, R6 + STP (R5, R6), 16(R2) + ADCS R14, R7 + ADCS R15, R8 + STP (R7, R8), 32(R2) + ADCS R16, R9 + ADC R17, R10 + STP (R9, R10), 48(R2) + + RET + +TEXT ·adlP503(SB), NOSPLIT, $0-24 + MOVD z+0(FP), R2 + MOVD x+8(FP), R0 + MOVD y+16(FP), R1 + + LDP 0(R0), (R3, R4) + LDP 0(R1), (R11, R12) + LDP 16(R0), (R5, R6) + LDP 16(R1), (R13, R14) + ADDS R11, R3 + ADCS R12, R4 + STP (R3, R4), 0(R2) + ADCS R13, R5 + ADCS R14, R6 + STP (R5, R6), 16(R2) + + LDP 32(R0), (R7, R8) + LDP 32(R1), (R11, R12) + LDP 48(R0), (R9, R10) + LDP 48(R1), (R13, R14) + ADCS R11, R7 + ADCS R12, R8 + STP (R7, R8), 32(R2) + ADCS R13, R9 + ADCS R14, R10 + STP (R9, R10), 48(R2) + + LDP 64(R0), (R3, R4) + LDP 64(R1), (R11, R12) + LDP 80(R0), (R5, R6) + LDP 80(R1), (R13, R14) + ADCS R11, R3 + ADCS R12, R4 + STP (R3, R4), 64(R2) + ADCS R13, R5 + ADCS R14, R6 + STP (R5, R6), 80(R2) + + LDP 96(R0), (R7, R8) + 
LDP 96(R1), (R11, R12) + LDP 112(R0), (R9, R10) + LDP 112(R1), (R13, R14) + ADCS R11, R7 + ADCS R12, R8 + STP (R7, R8), 96(R2) + ADCS R13, R9 + ADC R14, R10 + STP (R9, R10), 112(R2) + + RET + +TEXT ·sulP503(SB), NOSPLIT, $0-24 + MOVD z+0(FP), R2 + MOVD x+8(FP), R0 + MOVD y+16(FP), R1 + + LDP 0(R0), (R3, R4) + LDP 0(R1), (R11, R12) + LDP 16(R0), (R5, R6) + LDP 16(R1), (R13, R14) + SUBS R11, R3 + SBCS R12, R4 + STP (R3, R4), 0(R2) + SBCS R13, R5 + SBCS R14, R6 + STP (R5, R6), 16(R2) + + LDP 32(R0), (R7, R8) + LDP 32(R1), (R11, R12) + LDP 48(R0), (R9, R10) + LDP 48(R1), (R13, R14) + SBCS R11, R7 + SBCS R12, R8 + STP (R7, R8), 32(R2) + SBCS R13, R9 + SBCS R14, R10 + STP (R9, R10), 48(R2) + + LDP 64(R0), (R3, R4) + LDP 64(R1), (R11, R12) + LDP 80(R0), (R5, R6) + LDP 80(R1), (R13, R14) + SBCS R11, R3 + SBCS R12, R4 + SBCS R13, R5 + SBCS R14, R6 + + LDP 96(R0), (R7, R8) + LDP 96(R1), (R11, R12) + LDP 112(R0), (R9, R10) + LDP 112(R1), (R13, R14) + SBCS R11, R7 + SBCS R12, R8 + SBCS R13, R9 + SBCS R14, R10 + SBC ZR, ZR, R15 + + // If x - y < 0, R15 is 1 and p503 should be added + LDP ·P503+16(SB), (R16, R17) + LDP ·P503+32(SB), (R19, R20) + AND R15, R16 + AND R15, R17 + LDP ·P503+48(SB), (R21, R22) + AND R15, R19 + AND R15, R20 + AND R15, R21 + AND R15, R22 + + ADDS R16, R3 + ADCS R16, R4 + STP (R3, R4), 64(R2) + ADCS R16, R5 + ADCS R17, R6 + STP (R5, R6), 80(R2) + ADCS R19, R7 + ADCS R20, R8 + STP (R7, R8), 96(R2) + ADCS R21, R9 + ADC R22, R10 + STP (R9, R10), 112(R2) + + RET + +// Expects that X0*Y0 is already in Z0(low),Z3(high) and X0*Y1 in Z1(low),Z2(high) +// Z0 is not actually touched +// Result of (X0-X1) * (Y0-Y1) will be in Z0-Z3 +// Inputs get overwritten, except for X1 +#define mul128x128comba(X0, X1, Y0, Y1, Z0, Z1, Z2, Z3, T0) \ + MUL X1, Y0, X0 \ + UMULH X1, Y0, Y0 \ + ADDS Z3, Z1 \ + ADC ZR, Z2 \ + \ + MUL Y1, X1, T0 \ + UMULH Y1, X1, Y1 \ + ADDS X0, Z1 \ + ADCS Y0, Z2 \ + ADC ZR, ZR, Z3 \ + \ + ADDS T0, Z2 \ + ADC Y1, Z3 + +// Expects that X points to 
(X0-X1) +// Result of (X0-X3) * (Y0-Y3) will be in Z0-Z7 +// Inputs get overwritten, except X2-X3 and Y2-Y3 +#define mul256x256karatsuba(X, X0, X1, X2, X3, Y0, Y1, Y2, Y3, Z0, Z1, Z2, Z3, Z4, Z5, Z6, Z7, T0, T1)\ + ADDS X2, X0 \ // xH + xL, destroys xL + ADCS X3, X1 \ + ADCS ZR, ZR, T0 \ + \ + ADDS Y2, Y0, Z6 \ // yH + yL + ADCS Y3, Y1, T1 \ + ADC ZR, ZR, Z7 \ + \ + SUB T0, ZR, Z2 \ + SUB Z7, ZR, Z3 \ + AND Z7, T0 \ // combined carry + \ + AND Z2, Z6, Z0 \ // masked(yH + yL) + AND Z2, T1, Z1 \ + \ + AND Z3, X0, Z4 \ // masked(xH + xL) + AND Z3, X1, Z5 \ + \ + MUL Z6, X0, Z2 \ + MUL T1, X0, Z3 \ + \ + ADDS Z4, Z0 \ + UMULH T1, X0, Z4 \ + ADCS Z5, Z1 \ + UMULH Z6, X0, Z5 \ + ADC ZR, T0 \ + \ // (xH + xL) * (yH + yL) + mul128x128comba(X0, X1, Z6, T1, Z2, Z3, Z4, Z5, Z7)\ + \ + LDP 0+X, (X0, X1) \ + \ + ADDS Z0, Z4 \ + UMULH Y0, X0, Z7 \ + UMULH Y1, X0, T1 \ + ADCS Z1, Z5 \ + MUL Y0, X0, Z0 \ + MUL Y1, X0, Z1 \ + ADC ZR, T0 \ + \ // xL * yL + mul128x128comba(X0, X1, Y0, Y1, Z0, Z1, T1, Z7, Z6)\ + \ + MUL Y2, X2, X0 \ + UMULH Y2, X2, Y0 \ + SUBS Z0, Z2 \ // (xH + xL) * (yH + yL) - xL * yL + SBCS Z1, Z3 \ + SBCS T1, Z4 \ + MUL Y3, X2, X1 \ + UMULH Y3, X2, Z6 \ + SBCS Z7, Z5 \ + SBCS ZR, T0 \ + \ // xH * yH + mul128x128comba(X2, X3, Y2, Y3, X0, X1, Z6, Y0, Y1)\ + \ + SUBS X0, Z2 \ // (xH + xL) * (yH + yL) - xL * yL - xH * yH + SBCS X1, Z3 \ + SBCS Z6, Z4 \ + SBCS Y0, Z5 \ + SBCS ZR, T0 \ + \ + ADDS T1, Z2 \ // (xH * yH) * 2^256 + ((xH + xL) * (yH + yL) - xL * yL - xH * yH) * 2^128 + xL * yL + ADCS Z7, Z3 \ + ADCS X0, Z4 \ + ADCS X1, Z5 \ + ADCS T0, Z6 \ + ADC Y0, ZR, Z7 + + +// This implements two-level Karatsuba with a 128x128 Comba multiplier +// at the bottom +TEXT ·mulP503(SB), NOSPLIT, $0-24 + MOVD z+0(FP), R2 + MOVD x+8(FP), R0 + MOVD y+16(FP), R1 + + // Load xL in R3-R6, xH in R7-R10 + // (xH + xL) in R25-R29 + LDP 0(R0), (R3, R4) + LDP 32(R0), (R7, R8) + ADDS R3, R7, R25 + ADCS R4, R8, R26 + LDP 16(R0), (R5, R6) + LDP 48(R0), (R9, R10) + ADCS R5, R9, R27 + ADCS 
R6, R10, R29 + ADC ZR, ZR, R7 + + // Load yL in R11-R14, yH in R15-19 + // (yH + yL) in R11-R14, destroys yL + LDP 0(R1), (R11, R12) + LDP 32(R1), (R15, R16) + ADDS R15, R11 + ADCS R16, R12 + LDP 16(R1), (R13, R14) + LDP 48(R1), (R17, R19) + ADCS R17, R13 + ADCS R19, R14 + ADC ZR, ZR, R8 + + // Compute maskes and combined carry + SUB R7, ZR, R9 + SUB R8, ZR, R10 + AND R8, R7 + + // masked(yH + yL) + AND R9, R11, R15 + AND R9, R12, R16 + AND R9, R13, R17 + AND R9, R14, R19 + + // masked(xH + xL) + AND R10, R25, R20 + AND R10, R26, R21 + AND R10, R27, R22 + AND R10, R29, R23 + + // masked(xH + xL) + masked(yH + yL) in R15-R19 + ADDS R20, R15 + ADCS R21, R16 + ADCS R22, R17 + ADCS R23, R19 + ADC ZR, R7 + + // Use z as temporary storage + STP (R25, R26), 0(R2) + + // (xH + xL) * (yH + yL) + mul256x256karatsuba(0(R2), R25, R26, R27, R29, R11, R12, R13, R14, R8, R9, R10, R20, R21, R22, R23, R24, R0, R1) + + MOVD x+8(FP), R0 + MOVD y+16(FP), R1 + + ADDS R21, R15 + ADCS R22, R16 + ADCS R23, R17 + ADCS R24, R19 + ADC ZR, R7 + + // Load yL in R11-R14 + LDP 0(R1), (R11, R12) + LDP 16(R1), (R13, R14) + + // xL * yL + mul256x256karatsuba(0(R0), R3, R4, R5, R6, R11, R12, R13, R14, R21, R22, R23, R24, R25, R26, R27, R29, R1, R2) + + MOVD z+0(FP), R2 + MOVD y+16(FP), R1 + + // (xH + xL) * (yH + yL) - xL * yL + SUBS R21, R8 + SBCS R22, R9 + STP (R21, R22), 0(R2) + SBCS R23, R10 + SBCS R24, R20 + STP (R23, R24), 16(R2) + SBCS R25, R15 + SBCS R26, R16 + SBCS R27, R17 + SBCS R29, R19 + SBC ZR, R7 + + // Load xH in R3-R6, yH in R11-R14 + LDP 32(R0), (R3, R4) + LDP 48(R0), (R5, R6) + LDP 32(R1), (R11, R12) + LDP 48(R1), (R13, R14) + + ADDS R25, R8 + ADCS R26, R9 + ADCS R27, R10 + ADCS R29, R20 + ADC ZR, ZR, R1 + + MOVD R20, 32(R2) + + // xH * yH + mul256x256karatsuba(32(R0), R3, R4, R5, R6, R11, R12, R13, R14, R21, R22, R23, R24, R25, R26, R27, R29, R2, R20) + NEG R1, R1 + + MOVD z+0(FP), R2 + MOVD 32(R2), R20 + + // (xH + xL) * (yH + yL) - xL * yL - xH * yH in R8-R10,R20,R15-R19 + // 
Store lower half in z, that's done + SUBS R21, R8 + SBCS R22, R9 + STP (R8, R9), 32(R2) + SBCS R23, R10 + SBCS R24, R20 + STP (R10, R20), 48(R2) + SBCS R25, R15 + SBCS R26, R16 + SBCS R27, R17 + SBCS R29, R19 + SBC ZR, R7 + + // (xH * yH) * 2^512 + ((xH + xL) * (yH + yL) - xL * yL - xH * yH) * 2^256 + xL * yL + // Store remaining limbs in z + ADDS $1, R1 + ADCS R21, R15 + ADCS R22, R16 + STP (R15, R16), 64(R2) + ADCS R23, R17 + ADCS R24, R19 + STP (R17, R19), 80(R2) + ADCS R7, R25 + ADCS ZR, R26 + STP (R25, R26), 96(R2) + ADCS ZR, R27 + ADC ZR, R29 + STP (R27, R29), 112(R2) + + RET + +// Expects that X0*Y0 is already in Z0(low),Z3(high) and X0*Y1 in Z1(low),Z2(high) +// Z0 is not actually touched +// Result of (X0-X1) * (Y0-Y3) will be in Z0-Z5 +// Inputs remain intact +#define mul128x256comba(X0, X1, Y0, Y1, Y2, Y3, Z0, Z1, Z2, Z3, Z4, Z5, T0, T1, T2, T3)\ + MUL X1, Y0, T0 \ + UMULH X1, Y0, T1 \ + ADDS Z3, Z1 \ + ADC ZR, Z2 \ + \ + MUL X0, Y2, T2 \ + UMULH X0, Y2, T3 \ + ADDS T0, Z1 \ + ADCS T1, Z2 \ + ADC ZR, ZR, Z3 \ + \ + MUL X1, Y1, T0 \ + UMULH X1, Y1, T1 \ + ADDS T2, Z2 \ + ADCS T3, Z3 \ + ADC ZR, ZR, Z4 \ + \ + MUL X0, Y3, T2 \ + UMULH X0, Y3, T3 \ + ADDS T0, Z2 \ + ADCS T1, Z3 \ + ADC ZR, Z4 \ + \ + MUL X1, Y2, T0 \ + UMULH X1, Y2, T1 \ + ADDS T2, Z3 \ + ADCS T3, Z4 \ + ADC ZR, ZR, Z5 \ + \ + MUL X1, Y3, T2 \ + UMULH X1, Y3, T3 \ + ADDS T0, Z3 \ + ADCS T1, Z4 \ + ADC ZR, Z5 \ + ADDS T2, Z4 \ + ADC T3, Z5 + +// This implements the shifted 2^(B*w) Montgomery reduction from +// https://eprint.iacr.org/2016/986.pdf with B = 4, w = 64 +TEXT ·rdcP503(SB), NOSPLIT, $0-16 + MOVD x+8(FP), R0 + + // Load x0-x1 + LDP 0(R0), (R2, R3) + + // Load the prime constant in R25-R29 + LDP ·P503p1s8+32(SB), (R25, R26) + LDP ·P503p1s8+48(SB), (R27, R29) + + // [x0,x1] * p503p1s8 to R4-R9 + MUL R2, R25, R4 // x0 * p503p1s8[0] + UMULH R2, R25, R7 + MUL R2, R26, R5 // x0 * p503p1s8[1] + UMULH R2, R26, R6 + + mul128x256comba(R2, R3, R25, R26, R27, R29, R4, R5, R6, R7, R8, R9, R10, 
R11, R12, R13) + + LDP 16(R0), (R3, R11) // x2 + LDP 32(R0), (R12, R13) + LDP 48(R0), (R14, R15) + + // Left-shift result in R4-R9 by 56 to R4-R10 + ORR R9>>8, ZR, R10 + LSL $56, R9 + ORR R8>>8, R9 + LSL $56, R8 + ORR R7>>8, R8 + LSL $56, R7 + ORR R6>>8, R7 + LSL $56, R6 + ORR R5>>8, R6 + LSL $56, R5 + ORR R4>>8, R5 + LSL $56, R4 + + ADDS R4, R11 // x3 + ADCS R5, R12 // x4 + ADCS R6, R13 + ADCS R7, R14 + ADCS R8, R15 + LDP 64(R0), (R16, R17) + LDP 80(R0), (R19, R20) + MUL R3, R25, R4 // x2 * p503p1s8[0] + UMULH R3, R25, R7 + ADCS R9, R16 + ADCS R10, R17 + ADCS ZR, R19 + ADCS ZR, R20 + LDP 96(R0), (R21, R22) + LDP 112(R0), (R23, R24) + MUL R3, R26, R5 // x2 * p503p1s8[1] + UMULH R3, R26, R6 + ADCS ZR, R21 + ADCS ZR, R22 + ADCS ZR, R23 + ADC ZR, R24 + + // [x2,x3] * p503p1s8 to R4-R9 + mul128x256comba(R3, R11, R25, R26, R27, R29, R4, R5, R6, R7, R8, R9, R10, R0, R1, R2) + + ORR R9>>8, ZR, R10 + LSL $56, R9 + ORR R8>>8, R9 + LSL $56, R8 + ORR R7>>8, R8 + LSL $56, R7 + ORR R6>>8, R7 + LSL $56, R6 + ORR R5>>8, R6 + LSL $56, R5 + ORR R4>>8, R5 + LSL $56, R4 + + ADDS R4, R13 // x5 + ADCS R5, R14 // x6 + ADCS R6, R15 + ADCS R7, R16 + MUL R12, R25, R4 // x4 * p503p1s8[0] + UMULH R12, R25, R7 + ADCS R8, R17 + ADCS R9, R19 + ADCS R10, R20 + ADCS ZR, R21 + MUL R12, R26, R5 // x4 * p503p1s8[1] + UMULH R12, R26, R6 + ADCS ZR, R22 + ADCS ZR, R23 + ADC ZR, R24 + + // [x4,x5] * p503p1s8 to R4-R9 + mul128x256comba(R12, R13, R25, R26, R27, R29, R4, R5, R6, R7, R8, R9, R10, R0, R1, R2) + + ORR R9>>8, ZR, R10 + LSL $56, R9 + ORR R8>>8, R9 + LSL $56, R8 + ORR R7>>8, R8 + LSL $56, R7 + ORR R6>>8, R7 + LSL $56, R6 + ORR R5>>8, R6 + LSL $56, R5 + ORR R4>>8, R5 + LSL $56, R4 + + ADDS R4, R15 // x7 + ADCS R5, R16 // x8 + ADCS R6, R17 + ADCS R7, R19 + MUL R14, R25, R4 // x6 * p503p1s8[0] + UMULH R14, R25, R7 + ADCS R8, R20 + ADCS R9, R21 + ADCS R10, R22 + MUL R14, R26, R5 // x6 * p503p1s8[1] + UMULH R14, R26, R6 + ADCS ZR, R23 + ADC ZR, R24 + + // [x6,x7] * p503p1s8 to R4-R9 + 
mul128x256comba(R14, R15, R25, R26, R27, R29, R4, R5, R6, R7, R8, R9, R10, R0, R1, R2) + + ORR R9>>8, ZR, R10 + LSL $56, R9 + ORR R8>>8, R9 + LSL $56, R8 + ORR R7>>8, R8 + LSL $56, R7 + ORR R6>>8, R7 + LSL $56, R6 + ORR R5>>8, R6 + LSL $56, R5 + ORR R4>>8, R5 + LSL $56, R4 + + MOVD z+0(FP), R0 + ADDS R4, R17 + ADCS R5, R19 + STP (R16, R17), 0(R0) // Store final result to z + ADCS R6, R20 + ADCS R7, R21 + STP (R19, R20), 16(R0) + ADCS R8, R22 + ADCS R9, R23 + STP (R21, R22), 32(R0) + ADC R10, R24 + STP (R23, R24), 48(R0) + + RET + +TEXT ·modP503(SB), NOSPLIT, $0-8 + MOVD x+0(FP), R0 + + // Keep x in R1-R8, p503 in R9-R14, subtract to R1-R8 + LDP ·P503+16(SB), (R9, R10) + LDP 0(R0), (R1, R2) + LDP 16(R0), (R3, R4) + SUBS R9, R1 + SBCS R9, R2 + + LDP 32(R0), (R5, R6) + LDP ·P503+32(SB), (R11, R12) + SBCS R9, R3 + SBCS R10, R4 + + LDP 48(R0), (R7, R8) + LDP ·P503+48(SB), (R13, R14) + SBCS R11, R5 + SBCS R12, R6 + + SBCS R13, R7 + SBCS R14, R8 + SBC ZR, ZR, R15 + + // Mask with the borrow and add p503 + AND R15, R9 + AND R15, R10 + AND R15, R11 + AND R15, R12 + AND R15, R13 + AND R15, R14 + + ADDS R9, R1 + ADCS R9, R2 + STP (R1, R2), 0(R0) + ADCS R9, R3 + ADCS R10, R4 + STP (R3, R4), 16(R0) + ADCS R11, R5 + ADCS R12, R6 + STP (R5, R6), 32(R0) + ADCS R13, R7 + ADCS R14, R8 + STP (R7, R8), 48(R0) + + RET diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_decl.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_decl.go new file mode 100644 index 00000000..a9556a44 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_decl.go 
@@ -0,0 +1,45 @@ +// Code generated by go generate; DO NOT EDIT. +// This file was generated by robots. + +// +build amd64,!noasm arm64,!noasm + +package p503 + +import ( + . "github.com/cloudflare/circl/dh/sidh/internal/common" +) + +// If choice = 0, leave x,y unchanged. If choice = 1, set x,y = y,x. +// If choice is neither 0 nor 1 then behaviour is undefined. +// This function executes in constant time. +//go:noescape +func cswapP503(x, y *Fp, choice uint8) + +// Compute z = x + y (mod p). +//go:noescape +func addP503(z, x, y *Fp) + +// Compute z = x - y (mod p). +//go:noescape +func subP503(z, x, y *Fp) + +// Compute z = x + y, without reducing mod p. +//go:noescape +func adlP503(z, x, y *FpX2) + +// Compute z = x - y, without reducing mod p. +//go:noescape +func sulP503(z, x, y *FpX2) + +// Reduce a field element in [0, 2*p) to one in [0,p). +//go:noescape +func modP503(x *Fp) + +// Computes z = x * y. +//go:noescape +func mulP503(z *FpX2, x, y *Fp) + +// Computes the Montgomery reduction z = x R^{-1} (mod 2*p). On return value +// of x may be changed. z=x not allowed. +//go:noescape +func rdcP503(z *Fp, x *FpX2) diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_generic.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_generic.go new file mode 100644 index 00000000..2a813f20 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/arith_generic.go 
@@ -0,0 +1,192 @@ +// Code generated by go generate; DO NOT EDIT. +// This file was generated by robots. + +// +build noasm !amd64,!arm64 + +package p503 + +import ( + "math/bits" + + "github.com/cloudflare/circl/dh/sidh/internal/common" +) + +// Compute z = x + y (mod p). +func addP503(z, x, y *common.Fp) { + var carry uint64 + + // z=x+y % P503 + for i := 0; i < FpWords; i++ { + z[i], carry = bits.Add64(x[i], y[i], carry) + } + + // z = z - P503x2 + carry = 0 + for i := 0; i < FpWords; i++ { + z[i], carry = bits.Sub64(z[i], P503x2[i], carry) + } + + // if z<0 add P503x2 back + mask := uint64(0 - carry) + carry = 0 + for i := 0; i < FpWords; i++ { + z[i], carry = bits.Add64(z[i], P503x2[i]&mask, carry) + } +} + +// Compute z = x - y (mod p). +func subP503(z, x, y *common.Fp) { + var borrow uint64 + + for i := 0; i < FpWords; i++ { + z[i], borrow = bits.Sub64(x[i], y[i], borrow) + } + + mask := uint64(0 - borrow) + borrow = 0 + + for i := 0; i < FpWords; i++ { + z[i], borrow = bits.Add64(z[i], P503x2[i]&mask, borrow) + } +} + +// Conditionally swaps bits in x and y in constant time. +// mask indicates bits to be swapped (set bits are swapped) +// For details see "Hackers Delight, 2.20" +// +// Implementation doesn't actually depend on a prime field. +func cswapP503(x, y *common.Fp, mask uint8) { + var tmp, mask64 uint64 + + mask64 = 0 - uint64(mask) + for i := 0; i < FpWords; i++ { + tmp = mask64 & (x[i] ^ y[i]) + x[i] = tmp ^ x[i] + y[i] = tmp ^ y[i] + } +} + +// Perform Montgomery reduction: set z = x R^{-1} (mod 2*p) +// with R=2^(FpWords*64). Destroys the input value. 
+func rdcP503(z *common.Fp, x *common.FpX2) { + var carry, t, u, v uint64 + var hi, lo uint64 + var count int + + count = P503p1Zeros + + for i := 0; i < FpWords; i++ { + for j := 0; j < i; j++ { + if j < (i - count + 1) { + hi, lo = bits.Mul64(z[j], P503p1[i-j]) + v, carry = bits.Add64(lo, v, 0) + u, carry = bits.Add64(hi, u, carry) + t += carry + } + } + v, carry = bits.Add64(v, x[i], 0) + u, carry = bits.Add64(u, 0, carry) + t += carry + + z[i] = v + v = u + u = t + t = 0 + } + + for i := FpWords; i < 2*FpWords-1; i++ { + if count > 0 { + count-- + } + for j := i - FpWords + 1; j < FpWords; j++ { + if j < (FpWords - count) { + hi, lo = bits.Mul64(z[j], P503p1[i-j]) + v, carry = bits.Add64(lo, v, 0) + u, carry = bits.Add64(hi, u, carry) + t += carry + } + } + v, carry = bits.Add64(v, x[i], 0) + u, carry = bits.Add64(u, 0, carry) + + t += carry + z[i-FpWords] = v + v = u + u = t + t = 0 + } + v, carry = bits.Add64(v, x[2*FpWords-1], 0) + z[FpWords-1] = v +} + +// Compute z = x * y. +func mulP503(z *common.FpX2, x, y *common.Fp) { + var u, v, t uint64 + var hi, lo uint64 + var carry uint64 + + for i := uint64(0); i < FpWords; i++ { + for j := uint64(0); j <= i; j++ { + hi, lo = bits.Mul64(x[j], y[i-j]) + v, carry = bits.Add64(lo, v, 0) + u, carry = bits.Add64(hi, u, carry) + t += carry + } + z[i] = v + v = u + u = t + t = 0 + } + + for i := FpWords; i < (2*FpWords)-1; i++ { + for j := i - FpWords + 1; j < FpWords; j++ { + hi, lo = bits.Mul64(x[j], y[i-j]) + v, carry = bits.Add64(lo, v, 0) + u, carry = bits.Add64(hi, u, carry) + t += carry + } + z[i] = v + v = u + u = t + t = 0 + } + z[2*FpWords-1] = v +} + +// Compute z = x + y, without reducing mod p. +func adlP503(z, x, y *common.FpX2) { + var carry uint64 + for i := 0; i < 2*FpWords; i++ { + z[i], carry = bits.Add64(x[i], y[i], carry) + } +} + +// Reduce a field element in [0, 2*p) to one in [0,p). 
+func modP503(x *common.Fp) { + var borrow, mask uint64 + for i := 0; i < FpWords; i++ { + x[i], borrow = bits.Sub64(x[i], P503[i], borrow) + } + + // Sets all bits if borrow = 1 + mask = 0 - borrow + borrow = 0 + for i := 0; i < FpWords; i++ { + x[i], borrow = bits.Add64(x[i], P503[i]&mask, borrow) + } +} + +// Compute z = x - y, without reducing mod p. +func sulP503(z, x, y *common.FpX2) { + var borrow, mask uint64 + for i := 0; i < 2*FpWords; i++ { + z[i], borrow = bits.Sub64(x[i], y[i], borrow) + } + + // Sets all bits if borrow = 1 + mask = 0 - borrow + borrow = 0 + for i := FpWords; i < 2*FpWords; i++ { + z[i], borrow = bits.Add64(z[i], P503[i-FpWords]&mask, borrow) + } +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/core.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/core.go new file mode 100644 index 00000000..8d3d40e7 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/core.go 
@@ -0,0 +1,294 @@ +// Code generated by go generate; DO NOT EDIT. +// This file was generated by robots. + +package p503 + +import ( + . "github.com/cloudflare/circl/dh/sidh/internal/common" +) + +// ----------------------------------------------------------------------------- +// Functions for traversing isogeny trees acoording to strategy. Key type 'A' is +// + +// Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed +// for public key generation. +func traverseTreePublicKeyA(curve *ProjectiveCurveParameters, xR, phiP, phiQ, phiR *ProjectivePoint) { + var points = make([]ProjectivePoint, 0, 8) + var indices = make([]int, 0, 8) + var i, sIdx int + var phi isogeny4 + + cparam := CalcCurveParamsEquiv4(curve) + strat := params.A.IsogenyStrategy + stratSz := len(strat) + + for j := 1; j <= stratSz; j++ { + for i <= stratSz-j { + points = append(points, *xR) + indices = append(indices, i) + + k := strat[sIdx] + sIdx++ + Pow2k(xR, &cparam, 2*k) + i += int(k) + } + cparam = phi.GenerateCurve(xR) + + for k := 0; k < len(points); k++ { + points[k] = phi.EvaluatePoint(&points[k]) + } + *phiP = phi.EvaluatePoint(phiP) + *phiQ = phi.EvaluatePoint(phiQ) + *phiR = phi.EvaluatePoint(phiR) + + // pop xR from points + *xR, points = points[len(points)-1], points[:len(points)-1] + i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1] + } +} + +// Traverses isogeny tree in order to compute xR needed +// for public key generation. 
+func traverseTreeSharedKeyA(curve *ProjectiveCurveParameters, xR *ProjectivePoint) { + var points = make([]ProjectivePoint, 0, 8) + var indices = make([]int, 0, 8) + var i, sIdx int + var phi isogeny4 + + cparam := CalcCurveParamsEquiv4(curve) + strat := params.A.IsogenyStrategy + stratSz := len(strat) + + for j := 1; j <= stratSz; j++ { + for i <= stratSz-j { + points = append(points, *xR) + indices = append(indices, i) + + k := strat[sIdx] + sIdx++ + Pow2k(xR, &cparam, 2*k) + i += int(k) + } + cparam = phi.GenerateCurve(xR) + + for k := 0; k < len(points); k++ { + points[k] = phi.EvaluatePoint(&points[k]) + } + + // pop xR from points + *xR, points = points[len(points)-1], points[:len(points)-1] + i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1] + } +} + +// Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed +// for public key generation. +func traverseTreePublicKeyB(curve *ProjectiveCurveParameters, xR, phiP, phiQ, phiR *ProjectivePoint) { + var points = make([]ProjectivePoint, 0, 8) + var indices = make([]int, 0, 8) + var i, sIdx int + var phi isogeny3 + + cparam := CalcCurveParamsEquiv3(curve) + strat := params.B.IsogenyStrategy + stratSz := len(strat) + + for j := 1; j <= stratSz; j++ { + for i <= stratSz-j { + points = append(points, *xR) + indices = append(indices, i) + + k := strat[sIdx] + sIdx++ + Pow3k(xR, &cparam, k) + i += int(k) + } + + cparam = phi.GenerateCurve(xR) + for k := 0; k < len(points); k++ { + points[k] = phi.EvaluatePoint(&points[k]) + } + + *phiP = phi.EvaluatePoint(phiP) + *phiQ = phi.EvaluatePoint(phiQ) + *phiR = phi.EvaluatePoint(phiR) + + // pop xR from points + *xR, points = points[len(points)-1], points[:len(points)-1] + i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1] + } +} + +// Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed +// for public key generation. 
+func traverseTreeSharedKeyB(curve *ProjectiveCurveParameters, xR *ProjectivePoint) { + var points = make([]ProjectivePoint, 0, 8) + var indices = make([]int, 0, 8) + var i, sIdx int + var phi isogeny3 + + cparam := CalcCurveParamsEquiv3(curve) + strat := params.B.IsogenyStrategy + stratSz := len(strat) + + for j := 1; j <= stratSz; j++ { + for i <= stratSz-j { + points = append(points, *xR) + indices = append(indices, i) + + k := strat[sIdx] + sIdx++ + Pow3k(xR, &cparam, k) + i += int(k) + } + + cparam = phi.GenerateCurve(xR) + for k := 0; k < len(points); k++ { + points[k] = phi.EvaluatePoint(&points[k]) + } + + // pop xR from points + *xR, points = points[len(points)-1], points[:len(points)-1] + i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1] + } +} + +// Generate a public key in the 2-torsion group. Public key is a set +// of three x-coordinates: xP,xQ,x(P-Q), where P,Q are points on E_a(Fp2) +func PublicKeyGenA(pub3Pt *[3]Fp2, prvBytes []byte) { + var xPA, xQA, xRA ProjectivePoint + var xPB, xQB, xRB, xR ProjectivePoint + var invZP, invZQ, invZR Fp2 + var tmp ProjectiveCurveParameters + var phi isogeny4 + + // Load points for A + xPA = ProjectivePoint{X: params.A.AffineP, Z: params.OneFp2} + xQA = ProjectivePoint{X: params.A.AffineQ, Z: params.OneFp2} + xRA = ProjectivePoint{X: params.A.AffineR, Z: params.OneFp2} + + // Load points for B + xRB = ProjectivePoint{X: params.B.AffineR, Z: params.OneFp2} + xQB = ProjectivePoint{X: params.B.AffineQ, Z: params.OneFp2} + xPB = ProjectivePoint{X: params.B.AffineP, Z: params.OneFp2} + + // Find isogeny kernel + tmp.C = params.OneFp2 + xR = ScalarMul3Pt(&tmp, &xPA, &xQA, &xRA, params.A.SecretBitLen, prvBytes) + + // Reset params object and travers isogeny tree + tmp.C = params.OneFp2 + tmp.A = Fp2{} + traverseTreePublicKeyA(&tmp, &xR, &xPB, &xQB, &xRB) + + // Secret isogeny + phi.GenerateCurve(&xR) + xPA = phi.EvaluatePoint(&xPB) + xQA = phi.EvaluatePoint(&xQB) + xRA = phi.EvaluatePoint(&xRB) + 
Fp2Batch3Inv(&xPA.Z, &xQA.Z, &xRA.Z, &invZP, &invZQ, &invZR) + + mul(&pub3Pt[0], &xPA.X, &invZP) + mul(&pub3Pt[1], &xQA.X, &invZQ) + mul(&pub3Pt[2], &xRA.X, &invZR) +} + +// Generate a public key in the 2-torsion group. Public key is a set +// of three x-coordinates: xP,xQ,x(P-Q), where P,Q are points on E_a(Fp2) +func PublicKeyGenB(pub3Pt *[3]Fp2, prvBytes []byte) { + var xPB, xQB, xRB, xR ProjectivePoint + var xPA, xQA, xRA ProjectivePoint + var invZP, invZQ, invZR Fp2 + var tmp ProjectiveCurveParameters + var phi isogeny3 + + // Load points for B + xRB = ProjectivePoint{X: params.B.AffineR, Z: params.OneFp2} + xQB = ProjectivePoint{X: params.B.AffineQ, Z: params.OneFp2} + xPB = ProjectivePoint{X: params.B.AffineP, Z: params.OneFp2} + + // Load points for A + xPA = ProjectivePoint{X: params.A.AffineP, Z: params.OneFp2} + xQA = ProjectivePoint{X: params.A.AffineQ, Z: params.OneFp2} + xRA = ProjectivePoint{X: params.A.AffineR, Z: params.OneFp2} + + tmp.C = params.OneFp2 + xR = ScalarMul3Pt(&tmp, &xPB, &xQB, &xRB, params.B.SecretBitLen, prvBytes) + + tmp.C = params.OneFp2 + tmp.A = Fp2{} + traverseTreePublicKeyB(&tmp, &xR, &xPA, &xQA, &xRA) + + phi.GenerateCurve(&xR) + xPB = phi.EvaluatePoint(&xPA) + xQB = phi.EvaluatePoint(&xQA) + xRB = phi.EvaluatePoint(&xRA) + Fp2Batch3Inv(&xPB.Z, &xQB.Z, &xRB.Z, &invZP, &invZQ, &invZR) + + mul(&pub3Pt[0], &xPB.X, &invZP) + mul(&pub3Pt[1], &xQB.X, &invZQ) + mul(&pub3Pt[2], &xRB.X, &invZR) +} + +// ----------------------------------------------------------------------------- +// Key agreement functions +// + +// Establishing shared keys in in 2-torsion group +func DeriveSecretA(ss, prv []byte, pub3Pt *[3]Fp2) { + var cparam ProjectiveCurveParameters + var xP, xQ, xQmP ProjectivePoint + var xR ProjectivePoint + var phi isogeny4 + var jInv Fp2 + + // Recover curve coefficients + cparam.C = params.OneFp2 + RecoverCoordinateA(&cparam, &pub3Pt[0], &pub3Pt[1], &pub3Pt[2]) + + // Find kernel of the morphism + xP = ProjectivePoint{X: 
pub3Pt[0], Z: params.OneFp2} + xQ = ProjectivePoint{X: pub3Pt[1], Z: params.OneFp2} + xQmP = ProjectivePoint{X: pub3Pt[2], Z: params.OneFp2} + xR = ScalarMul3Pt(&cparam, &xP, &xQ, &xQmP, params.A.SecretBitLen, prv) + + // Traverse isogeny tree + traverseTreeSharedKeyA(&cparam, &xR) + + // Calculate j-invariant on isogeneus curve + c := phi.GenerateCurve(&xR) + RecoverCurveCoefficients4(&cparam, &c) + Jinvariant(&cparam, &jInv) + FromMontgomery(&jInv, &jInv) + Fp2ToBytes(ss, &jInv, params.Bytelen) +} + +// Establishing shared keys in in 3-torsion group +func DeriveSecretB(ss, prv []byte, pub3Pt *[3]Fp2) { + var xP, xQ, xQmP ProjectivePoint + var xR ProjectivePoint + var cparam ProjectiveCurveParameters + var phi isogeny3 + var jInv Fp2 + + // Recover curve coefficients + cparam.C = params.OneFp2 + RecoverCoordinateA(&cparam, &pub3Pt[0], &pub3Pt[1], &pub3Pt[2]) + + // Find kernel of the morphism + xP = ProjectivePoint{X: pub3Pt[0], Z: params.OneFp2} + xQ = ProjectivePoint{X: pub3Pt[1], Z: params.OneFp2} + xQmP = ProjectivePoint{X: pub3Pt[2], Z: params.OneFp2} + xR = ScalarMul3Pt(&cparam, &xP, &xQ, &xQmP, params.B.SecretBitLen, prv) + + // Traverse isogeny tree + traverseTreeSharedKeyB(&cparam, &xR) + + // Calculate j-invariant on isogeneus curve + c := phi.GenerateCurve(&xR) + RecoverCurveCoefficients3(&cparam, &c) + Jinvariant(&cparam, &jInv) + FromMontgomery(&jInv, &jInv) + Fp2ToBytes(ss, &jInv, params.Bytelen) +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/curve.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/curve.go new file mode 100644 index 00000000..e5c2e835 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/curve.go 
@@ -0,0 +1,362 @@ +// Code generated by go generate; DO NOT EDIT. +// This file was generated by robots. + +package p503 + +import ( + . "github.com/cloudflare/circl/dh/sidh/internal/common" +) + +// Stores isogeny 3 curve constants +type isogeny3 struct { + K1 Fp2 + K2 Fp2 +} + +// Stores isogeny 4 curve constants +type isogeny4 struct { + isogeny3 + K3 Fp2 +} + +// Computes j-invariant for a curve y2=x3+A/Cx+x with A,C in F_(p^2). Result +// is returned in jBytes buffer, encoded in little-endian format. Caller +// provided jBytes buffer has to be big enough to j-invariant value. In case +// of SIDH, buffer size must be at least size of shared secret. +// Implementation corresponds to Algorithm 9 from SIKE. +func Jinvariant(cparams *ProjectiveCurveParameters, j *Fp2) { + var t0, t1 Fp2 + + sqr(j, &cparams.A) // j = A^2 + sqr(&t1, &cparams.C) // t1 = C^2 + add(&t0, &t1, &t1) // t0 = t1 + t1 + sub(&t0, j, &t0) // t0 = j - t0 + sub(&t0, &t0, &t1) // t0 = t0 - t1 + sub(j, &t0, &t1) // t0 = t0 - t1 + sqr(&t1, &t1) // t1 = t1^2 + mul(j, j, &t1) // j = j * t1 + add(&t0, &t0, &t0) // t0 = t0 + t0 + add(&t0, &t0, &t0) // t0 = t0 + t0 + sqr(&t1, &t0) // t1 = t0^2 + mul(&t0, &t0, &t1) // t0 = t0 * t1 + add(&t0, &t0, &t0) // t0 = t0 + t0 + add(&t0, &t0, &t0) // t0 = t0 + t0 + inv(j, j) // j = 1/j + mul(j, &t0, j) // j = t0 * j +} + +// Given affine points x(P), x(Q) and x(Q-P) in a extension field F_{p^2}, function +// recorvers projective coordinate A of a curve. This is Algorithm 10 from SIKE. 
+func RecoverCoordinateA(curve *ProjectiveCurveParameters, xp, xq, xr *Fp2) { + var t0, t1 Fp2 + + add(&t1, xp, xq) // t1 = Xp + Xq + mul(&t0, xp, xq) // t0 = Xp * Xq + mul(&curve.A, xr, &t1) // A = X(q-p) * t1 + add(&curve.A, &curve.A, &t0) // A = A + t0 + mul(&t0, &t0, xr) // t0 = t0 * X(q-p) + sub(&curve.A, &curve.A, ¶ms.OneFp2) // A = A - 1 + add(&t0, &t0, &t0) // t0 = t0 + t0 + add(&t1, &t1, xr) // t1 = t1 + X(q-p) + add(&t0, &t0, &t0) // t0 = t0 + t0 + sqr(&curve.A, &curve.A) // A = A^2 + inv(&t0, &t0) // t0 = 1/t0 + mul(&curve.A, &curve.A, &t0) // A = A * t0 + sub(&curve.A, &curve.A, &t1) // A = A - t1 +} + +// Computes equivalence (A:C) ~ (A+2C : A-2C) +func CalcCurveParamsEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv { + var coef CurveCoefficientsEquiv + var c2 Fp2 + + add(&c2, &cparams.C, &cparams.C) + // A24p = A+2*C + add(&coef.A, &cparams.A, &c2) + // A24m = A-2*C + sub(&coef.C, &cparams.A, &c2) + return coef +} + +// Computes equivalence (A:C) ~ (A+2C : 4C) +func CalcCurveParamsEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv { + var coefEq CurveCoefficientsEquiv + + add(&coefEq.C, &cparams.C, &cparams.C) + // A24p = A+2C + add(&coefEq.A, &cparams.A, &coefEq.C) + // C24 = 4*C + add(&coefEq.C, &coefEq.C, &coefEq.C) + return coefEq +} + +// Helper function for RightToLeftLadder(). Returns A+2C / 4. +func CalcAplus2Over4(cparams *ProjectiveCurveParameters) (ret Fp2) { + var tmp Fp2 + + // 2C + add(&tmp, &cparams.C, &cparams.C) + // A+2C + add(&ret, &cparams.A, &tmp) + // 1/4C + add(&tmp, &tmp, &tmp) + inv(&tmp, &tmp) + // A+2C/4C + mul(&ret, &ret, &tmp) + return +} + +// Recovers (A:C) curve parameters from projectively equivalent (A+2C:A-2C). 
+func RecoverCurveCoefficients3(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) { + add(&cparams.A, &coefEq.A, &coefEq.C) + // cparams.A = 2*(A+2C+A-2C) = 4A + add(&cparams.A, &cparams.A, &cparams.A) + // cparams.C = (A+2C-A+2C) = 4C + sub(&cparams.C, &coefEq.A, &coefEq.C) + return +} + +// Recovers (A:C) curve parameters from projectively equivalent (A+2C:4C). +func RecoverCurveCoefficients4(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) { + // cparams.C = (4C)*1/2=2C + mul(&cparams.C, &coefEq.C, ¶ms.HalfFp2) + // cparams.A = A+2C - 2C = A + sub(&cparams.A, &coefEq.A, &cparams.C) + // cparams.C = 2C * 1/2 = C + mul(&cparams.C, &cparams.C, ¶ms.HalfFp2) +} + +// Combined coordinate doubling and differential addition. Takes projective points +// P,Q,Q-P and (A+2C)/4C curve E coefficient. Returns 2*P and P+Q calculated on E. +// Function is used only by RightToLeftLadder. Corresponds to Algorithm 5 of SIKE +func xDbladd(P, Q, QmP *ProjectivePoint, a24 *Fp2) (dblP, PaQ ProjectivePoint) { + var t0, t1, t2 Fp2 + + xQmP, zQmP := &QmP.X, &QmP.Z + xPaQ, zPaQ := &PaQ.X, &PaQ.Z + x2P, z2P := &dblP.X, &dblP.Z + xP, zP := &P.X, &P.Z + xQ, zQ := &Q.X, &Q.Z + + add(&t0, xP, zP) // t0 = Xp+Zp + sub(&t1, xP, zP) // t1 = Xp-Zp + sqr(x2P, &t0) // 2P.X = t0^2 + sub(&t2, xQ, zQ) // t2 = Xq-Zq + add(xPaQ, xQ, zQ) // Xp+q = Xq+Zq + mul(&t0, &t0, &t2) // t0 = t0 * t2 + mul(z2P, &t1, &t1) // 2P.Z = t1 * t1 + mul(&t1, &t1, xPaQ) // t1 = t1 * Xp+q + sub(&t2, x2P, z2P) // t2 = 2P.X - 2P.Z + mul(x2P, x2P, z2P) // 2P.X = 2P.X * 2P.Z + mul(xPaQ, a24, &t2) // Xp+q = A24 * t2 + sub(zPaQ, &t0, &t1) // Zp+q = t0 - t1 + add(z2P, xPaQ, z2P) // 2P.Z = Xp+q + 2P.Z + add(xPaQ, &t0, &t1) // Xp+q = t0 + t1 + mul(z2P, z2P, &t2) // 2P.Z = 2P.Z * t2 + sqr(zPaQ, zPaQ) // Zp+q = Zp+q ^ 2 + sqr(xPaQ, xPaQ) // Xp+q = Xp+q ^ 2 + mul(zPaQ, xQmP, zPaQ) // Zp+q = Xq-p * Zp+q + mul(xPaQ, zQmP, xPaQ) // Xp+q = Zq-p * Xp+q + return +} + +// Given the curve parameters, xP = x(P), 
computes xP = x([2^k]P) +// Safe to overlap xP, x2P. +func Pow2k(xP *ProjectivePoint, params *CurveCoefficientsEquiv, k uint32) { + var t0, t1 Fp2 + + x, z := &xP.X, &xP.Z + for i := uint32(0); i < k; i++ { + sub(&t0, x, z) // t0 = Xp - Zp + add(&t1, x, z) // t1 = Xp + Zp + sqr(&t0, &t0) // t0 = t0 ^ 2 + sqr(&t1, &t1) // t1 = t1 ^ 2 + mul(z, ¶ms.C, &t0) // Z2p = C24 * t0 + mul(x, z, &t1) // X2p = Z2p * t1 + sub(&t1, &t1, &t0) // t1 = t1 - t0 + mul(&t0, ¶ms.A, &t1) // t0 = A24+ * t1 + add(z, z, &t0) // Z2p = Z2p + t0 + mul(z, z, &t1) // Zp = Z2p * t1 + } +} + +// Given the curve parameters, xP = x(P), and k >= 0, compute xP = x([3^k]P). +// +// Safe to overlap xP, xR. +func Pow3k(xP *ProjectivePoint, params *CurveCoefficientsEquiv, k uint32) { + var t0, t1, t2, t3, t4, t5, t6 Fp2 + + x, z := &xP.X, &xP.Z + for i := uint32(0); i < k; i++ { + sub(&t0, x, z) // t0 = Xp - Zp + sqr(&t2, &t0) // t2 = t0^2 + add(&t1, x, z) // t1 = Xp + Zp + sqr(&t3, &t1) // t3 = t1^2 + add(&t4, &t1, &t0) // t4 = t1 + t0 + sub(&t0, &t1, &t0) // t0 = t1 - t0 + sqr(&t1, &t4) // t1 = t4^2 + sub(&t1, &t1, &t3) // t1 = t1 - t3 + sub(&t1, &t1, &t2) // t1 = t1 - t2 + mul(&t5, &t3, ¶ms.A) // t5 = t3 * A24+ + mul(&t3, &t3, &t5) // t3 = t5 * t3 + mul(&t6, &t2, ¶ms.C) // t6 = t2 * A24- + mul(&t2, &t2, &t6) // t2 = t2 * t6 + sub(&t3, &t2, &t3) // t3 = t2 - t3 + sub(&t2, &t5, &t6) // t2 = t5 - t6 + mul(&t1, &t2, &t1) // t1 = t2 * t1 + add(&t2, &t3, &t1) // t2 = t3 + t1 + sqr(&t2, &t2) // t2 = t2^2 + mul(x, &t2, &t4) // X3p = t2 * t4 + sub(&t1, &t3, &t1) // t1 = t3 - t1 + sqr(&t1, &t1) // t1 = t1^2 + mul(z, &t1, &t0) // Z3p = t1 * t0 + } +} + +// Set (y1, y2, y3) = (1/x1, 1/x2, 1/x3). +// +// All xi, yi must be distinct. 
+func Fp2Batch3Inv(x1, x2, x3, y1, y2, y3 *Fp2) { + var x1x2, t Fp2 + + mul(&x1x2, x1, x2) // x1*x2 + mul(&t, &x1x2, x3) // 1/(x1*x2*x3) + inv(&t, &t) + mul(y1, &t, x2) // 1/x1 + mul(y1, y1, x3) + mul(y2, &t, x1) // 1/x2 + mul(y2, y2, x3) + mul(y3, &t, &x1x2) // 1/x3 +} + +// Scalarmul3Pt is a right-to-left point multiplication that given the +// x-coordinate of P, Q and P-Q calculates the x-coordinate of R=Q+[scalar]P. +// nbits must be smaller or equal to len(scalar). +func ScalarMul3Pt(cparams *ProjectiveCurveParameters, P, Q, PmQ *ProjectivePoint, nbits uint, scalar []uint8) ProjectivePoint { + var R0, R2, R1 ProjectivePoint + aPlus2Over4 := CalcAplus2Over4(cparams) + R1 = *P + R2 = *PmQ + R0 = *Q + + // Iterate over the bits of the scalar, bottom to top + prevBit := uint8(0) + for i := uint(0); i < nbits; i++ { + bit := (scalar[i>>3] >> (i & 7) & 1) + swap := prevBit ^ bit + prevBit = bit + cswap(&R1.X, &R1.Z, &R2.X, &R2.Z, swap) + R0, R2 = xDbladd(&R0, &R2, &R1, &aPlus2Over4) + } + cswap(&R1.X, &R1.Z, &R2.X, &R2.Z, prevBit) + return R1 +} + +// Given a three-torsion point p = x(PB) on the curve E_(A:C), construct the +// three-isogeny phi : E_(A:C) -> E_(A:C)/ = E_(A':C'). 
+// +// Input: (XP_3: ZP_3), where P_3 has exact order 3 on E_A/C +// Output: * Curve coordinates (A' + 2C', A' - 2C') corresponding to E_A'/C' = A_E/C/ +// * Isogeny phi with constants in F_p^2 +func (phi *isogeny3) GenerateCurve(p *ProjectivePoint) CurveCoefficientsEquiv { + var t0, t1, t2, t3, t4 Fp2 + var coefEq CurveCoefficientsEquiv + var K1, K2 = &phi.K1, &phi.K2 + + sub(K1, &p.X, &p.Z) // K1 = XP3 - ZP3 + sqr(&t0, K1) // t0 = K1^2 + add(K2, &p.X, &p.Z) // K2 = XP3 + ZP3 + sqr(&t1, K2) // t1 = K2^2 + add(&t2, &t0, &t1) // t2 = t0 + t1 + add(&t3, K1, K2) // t3 = K1 + K2 + sqr(&t3, &t3) // t3 = t3^2 + sub(&t3, &t3, &t2) // t3 = t3 - t2 + add(&t2, &t1, &t3) // t2 = t1 + t3 + add(&t3, &t3, &t0) // t3 = t3 + t0 + add(&t4, &t3, &t0) // t4 = t3 + t0 + add(&t4, &t4, &t4) // t4 = t4 + t4 + add(&t4, &t1, &t4) // t4 = t1 + t4 + mul(&coefEq.C, &t2, &t4) // A24m = t2 * t4 + add(&t4, &t1, &t2) // t4 = t1 + t2 + add(&t4, &t4, &t4) // t4 = t4 + t4 + add(&t4, &t0, &t4) // t4 = t0 + t4 + mul(&t4, &t3, &t4) // t4 = t3 * t4 + sub(&t0, &t4, &coefEq.C) // t0 = t4 - A24m + add(&coefEq.A, &coefEq.C, &t0) // A24p = A24m + t0 + return coefEq +} + +// Given a 3-isogeny phi and a point pB = x(PB), compute x(QB), the x-coordinate +// of the image QB = phi(PB) of PB under phi : E_(A:C) -> E_(A':C'). +// +// The output xQ = x(Q) is then a point on the curve E_(A':C'); the curve +// parameters are returned by the GenerateCurve function used to construct phi. 
+func (phi *isogeny3) EvaluatePoint(p *ProjectivePoint) ProjectivePoint { + var t0, t1, t2 Fp2 + var q ProjectivePoint + var K1, K2 = &phi.K1, &phi.K2 + var px, pz = &p.X, &p.Z + + add(&t0, px, pz) // t0 = XQ + ZQ + sub(&t1, px, pz) // t1 = XQ - ZQ + mul(&t0, K1, &t0) // t2 = K1 * t0 + mul(&t1, K2, &t1) // t1 = K2 * t1 + add(&t2, &t0, &t1) // t2 = t0 + t1 + sub(&t0, &t1, &t0) // t0 = t1 - t0 + sqr(&t2, &t2) // t2 = t2 ^ 2 + sqr(&t0, &t0) // t0 = t0 ^ 2 + mul(&q.X, px, &t2) // XQ'= XQ * t2 + mul(&q.Z, pz, &t0) // ZQ'= ZQ * t0 + return q +} + +// Given a four-torsion point p = x(PB) on the curve E_(A:C), construct the +// four-isogeny phi : E_(A:C) -> E_(A:C)/ = E_(A':C'). +// +// Input: (XP_4: ZP_4), where P_4 has exact order 4 on E_A/C +// Output: * Curve coordinates (A' + 2C', 4C') corresponding to E_A'/C' = A_E/C/ +// * Isogeny phi with constants in F_p^2 +func (phi *isogeny4) GenerateCurve(p *ProjectivePoint) CurveCoefficientsEquiv { + var coefEq CurveCoefficientsEquiv + var xp4, zp4 = &p.X, &p.Z + var K1, K2, K3 = &phi.K1, &phi.K2, &phi.K3 + + sub(K2, xp4, zp4) + add(K3, xp4, zp4) + sqr(K1, zp4) + add(K1, K1, K1) + sqr(&coefEq.C, K1) + add(K1, K1, K1) + sqr(&coefEq.A, xp4) + add(&coefEq.A, &coefEq.A, &coefEq.A) + sqr(&coefEq.A, &coefEq.A) + return coefEq +} + +// Given a 4-isogeny phi and a point xP = x(P), compute x(Q), the x-coordinate +// of the image Q = phi(P) of P under phi : E_(A:C) -> E_(A':C'). 
+// +// Input: Isogeny returned by GenerateCurve and point q=(Qx,Qz) from E0_A/C +// Output: Corresponding point q from E1_A'/C', where E1 is 4-isogenous to E0 +func (phi *isogeny4) EvaluatePoint(p *ProjectivePoint) ProjectivePoint { + var t0, t1 Fp2 + var q = *p + var xq, zq = &q.X, &q.Z + var K1, K2, K3 = &phi.K1, &phi.K2, &phi.K3 + + add(&t0, xq, zq) + sub(&t1, xq, zq) + mul(xq, &t0, K2) + mul(zq, &t1, K3) + mul(&t0, &t0, &t1) + mul(&t0, &t0, K1) + add(&t1, xq, zq) + sub(zq, xq, zq) + sqr(&t1, &t1) + sqr(zq, zq) + add(xq, &t0, &t1) + sub(&t0, zq, &t0) + mul(xq, xq, &t1) + mul(zq, zq, &t0) + return q +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/doc.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/doc.go new file mode 100644 index 00000000..3541a440 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/doc.go @@ -0,0 +1,2 @@ +// Package p503 provides implementation of field arithmetic used in SIDH and SIKE. +package p503 diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/fp2.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/fp2.go new file mode 100644 index 00000000..a2fc5954 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/fp2.go 
@@ -0,0 +1,195 @@ +// Code generated by go generate; DO NOT EDIT. +// This file was generated by robots. + +package p503 + +import ( + "github.com/cloudflare/circl/dh/sidh/internal/common" +) + +// Montgomery multiplication. Input values must be already +// in Montgomery domain. +func mulP(dest, lhs, rhs *common.Fp) { + var ab common.FpX2 + mulP503(&ab, lhs, rhs) // = a*b*R*R + rdcP503(dest, &ab) // = a*b*R mod p +} + +// Set dest = x^((p-3)/4). If x is square, this is 1/sqrt(x). +// Uses variation of sliding-window algorithm from with window size +// of 5 and least to most significant bit sliding (left-to-right) +// See HAC 14.85 for general description. +// +// Allowed to overlap x with dest. +// All values in Montgomery domains +// Set dest = x^(2^k), for k >= 1, by repeated squarings. +func p34(dest, x *common.Fp) { + var lookup [16]common.Fp + + // This performs sum(powStrategy) + 1 squarings and len(lookup) + len(mulStrategy) + // multiplications. + powStrategy := []uint8{12, 5, 5, 2, 7, 11, 3, 8, 4, 11, 4, 7, 5, 6, 3, 7, 5, 7, 2, 12, 5, 6, 4, 6, 8, 6, 4, 7, 5, 5, 8, 5, 8, 5, 5, 8, 9, 3, 6, 2, 10, 6, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 3} + mulStrategy := []uint8{12, 11, 10, 0, 1, 8, 3, 7, 1, 8, 3, 6, 7, 14, 2, 14, 14, 9, 0, 13, 9, 15, 5, 12, 7, 13, 7, 15, 6, 7, 9, 0, 5, 7, 6, 8, 8, 3, 7, 0, 10, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 3} + initialMul := uint8(0) + + // Precompute lookup table of odd multiples of x for window + // size k=5. + var xx common.Fp + mulP(&xx, x, x) + lookup[0] = *x + for i := 1; i < 16; i++ { + mulP(&lookup[i], &lookup[i-1], &xx) + } + + // Now lookup = {x, x^3, x^5, ... 
} + // so that lookup[i] = x^{2*i + 1} + // so that lookup[k/2] = x^k, for odd k + *dest = lookup[initialMul] + for i := uint8(0); i < uint8(len(powStrategy)); i++ { + mulP(dest, dest, dest) + for j := uint8(1); j < powStrategy[i]; j++ { + mulP(dest, dest, dest) + } + mulP(dest, dest, &lookup[mulStrategy[i]]) + } +} + +func add(dest, lhs, rhs *common.Fp2) { + addP503(&dest.A, &lhs.A, &rhs.A) + addP503(&dest.B, &lhs.B, &rhs.B) +} + +func sub(dest, lhs, rhs *common.Fp2) { + subP503(&dest.A, &lhs.A, &rhs.A) + subP503(&dest.B, &lhs.B, &rhs.B) +} + +func mul(dest, lhs, rhs *common.Fp2) { + var bMinA, cMinD common.Fp + var ac, bd common.FpX2 + var adPlusBc common.FpX2 + var acMinBd common.FpX2 + + // Let (a,b,c,d) = (lhs.a,lhs.b,rhs.a,rhs.b). + // + // (a + bi)*(c + di) = (a*c - b*d) + (a*d + b*c)i + // + // Use Karatsuba's trick: note that + // + // (b - a)*(c - d) = (b*c + a*d) - a*c - b*d + // + // so (a*d + b*c) = (b-a)*(c-d) + a*c + b*d. + mulP503(&ac, &lhs.A, &rhs.A) // = a*c*R*R + mulP503(&bd, &lhs.B, &rhs.B) // = b*d*R*R + subP503(&bMinA, &lhs.B, &lhs.A) // = (b-a)*R + subP503(&cMinD, &rhs.A, &rhs.B) // = (c-d)*R + mulP503(&adPlusBc, &bMinA, &cMinD) // = (b-a)*(c-d)*R*R + adlP503(&adPlusBc, &adPlusBc, &ac) // = ((b-a)*(c-d) + a*c)*R*R + adlP503(&adPlusBc, &adPlusBc, &bd) // = ((b-a)*(c-d) + a*c + b*d)*R*R + rdcP503(&dest.B, &adPlusBc) // = (a*d + b*c)*R mod p + sulP503(&acMinBd, &ac, &bd) // = (a*c - b*d)*R*R + rdcP503(&dest.A, &acMinBd) // = (a*c - b*d)*R mod p +} + +// Set dest = 1/x +// +// Allowed to overlap dest with x. +// +// Returns dest to allow chaining operations. +func inv(dest, x *common.Fp2) { + var e1, e2 common.FpX2 + var f1, f2 common.Fp + + // We want to compute + // + // 1 1 (a - bi) (a - bi) + // -------- = -------- -------- = ----------- + // (a + bi) (a + bi) (a - bi) (a^2 + b^2) + // + // Letting c = 1/(a^2 + b^2), this is + // + // 1/(a+bi) = a*c - b*ci. 
+ + mulP503(&e1, &x.A, &x.A) // = a*a*R*R + mulP503(&e2, &x.B, &x.B) // = b*b*R*R + adlP503(&e1, &e1, &e2) // = (a^2 + b^2)*R*R + rdcP503(&f1, &e1) // = (a^2 + b^2)*R mod p + // Now f1 = a^2 + b^2 + + mulP(&f2, &f1, &f1) + p34(&f2, &f2) + mulP(&f2, &f2, &f2) + mulP(&f2, &f2, &f1) + + mulP503(&e1, &x.A, &f2) + rdcP503(&dest.A, &e1) + + subP503(&f1, &common.Fp{}, &x.B) + mulP503(&e1, &f1, &f2) + rdcP503(&dest.B, &e1) +} + +func sqr(dest, x *common.Fp2) { + var a2, aPlusB, aMinusB common.Fp + var a2MinB2, ab2 common.FpX2 + + a := &x.A + b := &x.B + + // (a + bi)*(a + bi) = (a^2 - b^2) + 2abi. + addP503(&a2, a, a) // = a*R + a*R = 2*a*R + addP503(&aPlusB, a, b) // = a*R + b*R = (a+b)*R + subP503(&aMinusB, a, b) // = a*R - b*R = (a-b)*R + mulP503(&a2MinB2, &aPlusB, &aMinusB) // = (a+b)*(a-b)*R*R = (a^2 - b^2)*R*R + mulP503(&ab2, &a2, b) // = 2*a*b*R*R + rdcP503(&dest.A, &a2MinB2) // = (a^2 - b^2)*R mod p + rdcP503(&dest.B, &ab2) // = 2*a*b*R mod p +} + +// In case choice == 1, performs following swap in constant time: +// xPx <-> xQx +// xPz <-> xQz +// Otherwise returns xPx, xPz, xQx, xQz unchanged +func cswap(xPx, xPz, xQx, xQz *common.Fp2, choice uint8) { + cswapP503(&xPx.A, &xQx.A, choice) + cswapP503(&xPx.B, &xQx.B, choice) + cswapP503(&xPz.A, &xQz.A, choice) + cswapP503(&xPz.B, &xQz.B, choice) +} + +// Converts in.A and in.B to Montgomery domain and stores +// in 'out' +// out.A = in.A * R mod p +// out.B = in.B * R mod p +// Performs v = v*R^2*R^(-1) mod p, for both in.A and in.B +func ToMontgomery(out, in *common.Fp2) { + var aRR common.FpX2 + + // a*R*R + mulP503(&aRR, &in.A, &P503R2) + // a*R mod p + rdcP503(&out.A, &aRR) + mulP503(&aRR, &in.B, &P503R2) + rdcP503(&out.B, &aRR) +} + +// Converts in.A and in.B from Montgomery domain and stores +// in 'out' +// out.A = in.A mod p +// out.B = in.B mod p +// +// After returning from the call 'in' is not modified. 
+func FromMontgomery(out, in *common.Fp2) { + var aR common.FpX2 + + // convert from montgomery domain + copy(aR[:], in.A[:]) + rdcP503(&out.A, &aR) // = a mod p in [0, 2p) + modP503(&out.A) // = a mod p in [0, p) + for i := range aR { + aR[i] = 0 + } + copy(aR[:], in.B[:]) + rdcP503(&out.B, &aR) + modP503(&out.B) +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/params.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/params.go new file mode 100644 index 00000000..66bbf82f --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p503/params.go 
@@ -0,0 +1,191 @@ +package p503 + +//go:generate go run ../templates/gen.go P503 + +import ( + "github.com/cloudflare/circl/dh/sidh/internal/common" + "golang.org/x/sys/cpu" +) + +const ( + // Number of uint64 limbs used to store field element + FpWords = 8 +) + +// P503 is a prime used by field Fp503 +var ( + // According to https://github.com/golang/go/issues/28230, + // variables referred from the assembly must be in the same package. + // HasBMI2 signals support for MULX which is in BMI2 + HasBMI2 = cpu.X86.HasBMI2 + // HasADXandBMI2 signals support for ADX and BMI2 + HasADXandBMI2 = cpu.X86.HasBMI2 && cpu.X86.HasADX + + // P503 is a prime used by field Fp503 + P503 = common.Fp{ + 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xABFFFFFFFFFFFFFF, + 0x13085BDA2211E7A0, 0x1B9BF6C87B7E7DAF, 0x6045C6BDDA77A4D0, 0x004066F541811E1E, + } + + // P503x2 = 2*p503 - 1 + P503x2 = common.Fp{ + 0xFFFFFFFFFFFFFFFE, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0x57FFFFFFFFFFFFFF, + 0x2610B7B44423CF41, 0x3737ED90F6FCFB5E, 0xC08B8D7BB4EF49A0, 0x0080CDEA83023C3C, + } + + // P503p1 = p503 + 1 + P503p1 = common.Fp{ + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0xAC00000000000000, + 0x13085BDA2211E7A0, 0x1B9BF6C87B7E7DAF, 0x6045C6BDDA77A4D0, 0x004066F541811E1E, + } + + // P503R2 = (2^512)^2 mod p + P503R2 = common.Fp{ + 0x5289A0CF641D011F, 0x9B88257189FED2B9, 0xA3B365D58DC8F17A, 0x5BC57AB6EFF168EC, + 0x9E51998BD84D4423, 0xBF8999CBAC3B5695, 0x46E9127BCE14CDB6, 0x003F6CFCE8B81771, + } + + // P503p1s8 = p503 + 1 left-shifted by 8, assuming little endianness + P503p1s8 = common.Fp{ + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x085BDA2211E7A0AC, 0x9BF6C87B7E7DAF13, 0x45C6BDDA77A4D01B, 0x4066F541811E1E60, + } + + // P503p1Zeros number of 0 digits in the least significant part of P503+1 + P503p1Zeros = 3 + + params common.SidhParams +) + +func init() { + params = common.SidhParams{ + ID: common.Fp503, + // SIDH public key byte 
size. + PublicKeySize: 378, + // SIDH shared secret byte size. + SharedSecretSize: 126, + A: common.DomainParams{ + // The x-coordinate of PA + AffineP: common.Fp2{ + A: common.Fp{ + 0xE7EF4AA786D855AF, 0xED5758F03EB34D3B, 0x09AE172535A86AA9, 0x237B9CC07D622723, + 0xE3A284CBA4E7932D, 0x27481D9176C5E63F, 0x6A323FF55C6E71BF, 0x002ECC31A6FB8773, + }, + B: common.Fp{ + 0x64D02E4E90A620B8, 0xDAB8128537D4B9F1, 0x4BADF77B8A228F98, 0x0F5DBDF9D1FB7D1B, + 0xBEC4DB288E1A0DCC, 0xE76A8665E80675DB, 0x6D6F252E12929463, 0x003188BD1463FACC, + }, + }, + // The x-coordinate of QA + AffineQ: common.Fp2{ + A: common.Fp{ + 0xB79D41025DE85D56, 0x0B867DA9DF169686, 0x740E5368021C827D, 0x20615D72157BF25C, + 0xFF1590013C9B9F5B, 0xC884DCADE8C16CEA, 0xEBD05E53BF724E01, 0x0032FEF8FDA5748C, + }, + B: common.Fp{ + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + }, + }, + // The x-coordinate of RA = PA-QA + AffineR: common.Fp2{ + A: common.Fp{ + 0x12E2E849AA0A8006, 0x41CF47008635A1E8, 0x9CD720A70798AED7, 0x42A820B42FCF04CF, + 0x7BF9BAD32AAE88B1, 0xF619127A54090BBE, 0x1CB10D8F56408EAA, 0x001D6B54C3C0EDEB, + }, + B: common.Fp{ + 0x34DB54931CBAAC36, 0x420A18CB8DD5F0C4, 0x32008C1A48C0F44D, 0x3B3BA772B1CFD44D, + 0xA74B058FDAF13515, 0x095FC9CA7EEC17B4, 0x448E829D28F120F8, 0x00261EC3ED16A489, + }, + }, + // Max size of secret key for 2-torsion group, corresponds to 2^e2 - 1 + SecretBitLen: 250, + // SecretBitLen in bytes. 
+ SecretByteLen: uint((250 + 7) / 8), + // 2-torsion group computation strategy + IsogenyStrategy: []uint32{ + 0x3D, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, + 0x01, 0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, + 0x01, 0x01, 0x02, 0x01, 0x01, 0x10, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, + 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, + 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x1D, 0x10, 0x08, 0x04, 0x02, 0x01, + 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x08, 0x04, 0x02, + 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x0D, 0x08, + 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, + 0x05, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x01}, + }, + B: common.DomainParams{ + // The x-coordinate of PB + AffineP: common.Fp2{ + A: common.Fp{ + 0x7EDE37F4FA0BC727, 0xF7F8EC5C8598941C, 0xD15519B516B5F5C8, 0xF6D5AC9B87A36282, + 0x7B19F105B30E952E, 0x13BD8B2025B4EBEE, 0x7B96D27F4EC579A2, 0x00140850CAB7E5DE, + }, + B: common.Fp{ + 0x7764909DAE7B7B2D, 0x578ABB16284911AB, 0x76E2BFD146A6BF4D, 0x4824044B23AA02F0, + 0x1105048912A321F3, 0xB8A2E482CF0F10C1, 0x42FF7D0BE2152085, 0x0018E599C5223352, + }, + }, + // The x-coordinate of QB + AffineQ: common.Fp2{ + A: common.Fp{ + 0x4256C520FB388820, 0x744FD7C3BAAF0A13, 0x4B6A2DDDB12CBCB8, 0xE46826E27F427DF8, + 0xFE4A663CD505A61B, 0xD6B3A1BAF025C695, 0x7C3BB62B8FCC00BD, 0x003AFDDE4A35746C, + }, + B: common.Fp{ + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + }, + }, + // The x-coordinate of RB = PB - QB + AffineR: common.Fp2{ + A: common.Fp{ + 0x75601CD1E6C0DFCB, 0x1A9007239B58F93E, 0xC1F1BE80C62107AC, 0x7F513B898F29FF08, + 0xEA0BEDFF43E1F7B2, 0x2C6D94018CBAE6D0, 0x3A430D31BCD84672, 0x000D26892ECCFE83, + 
}, + B: common.Fp{ + 0x1119D62AEA3007A1, 0xE3702AA4E04BAE1B, 0x9AB96F7D59F990E7, 0xF58440E8B43319C0, + 0xAF8134BEE1489775, 0xE7F7774E905192AA, 0xF54AE09308E98039, 0x001EF7A041A86112, + }, + }, + // Size of secret key for 3-torsion group, corresponds to log_2(3^e3) - 1. + SecretBitLen: 252, + // SecretBitLen in bytes. + SecretByteLen: uint((252 + 7) / 8), + // 3-torsion group computation strategy + IsogenyStrategy: []uint32{ + 0x47, 0x26, 0x15, 0x0D, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, + 0x01, 0x01, 0x02, 0x01, 0x01, 0x05, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x02, + 0x01, 0x01, 0x01, 0x09, 0x05, 0x03, 0x02, 0x01, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, + 0x01, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x11, 0x09, 0x05, 0x03, 0x02, + 0x01, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02, + 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, + 0x01, 0x02, 0x01, 0x01, 0x21, 0x11, 0x09, 0x05, 0x03, 0x02, 0x01, 0x01, 0x01, 0x01, + 0x02, 0x01, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x08, 0x04, + 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, + 0x10, 0x08, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, + 0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, + 0x01, 0x02, 0x01, 0x01}, + }, + // 1*R mod p + OneFp2: common.Fp2{ + A: common.Fp{ + 0x00000000000003F9, 0x0000000000000000, 0x0000000000000000, 0xB400000000000000, + 0x63CB1A6EA6DED2B4, 0x51689D8D667EB37D, 0x8ACD77C71AB24142, 0x0026FBAEC60F5953}, + }, + // 1/2 * R mod p + HalfFp2: common.Fp2{ + A: common.Fp{ + 0x00000000000001FC, 0x0000000000000000, 0x0000000000000000, 0xB000000000000000, + 0x3B69BB2464785D2A, 0x36824A2AF0FE9896, 0xF5899F427A94F309, 0x0033B15203C83BB8}, + }, + MsgLen: 24, + // SIKEp503 provides 128 bit of classical security ([SIKE], 5.1) + KemSize: 16, + // ceil(503+7/8) + Bytelen: 63, + 
CiphertextSize: 16 + 8 + 378, + } + + common.Register(common.Fp503, ¶ms) +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_amd64.s b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_amd64.s new file mode 100644 index 00000000..2ae2094f --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_amd64.s 
@@ -0,0 +1,2573 @@ +// +build amd64,!noasm + +#include "textflag.h" + +// p751 + 1 +#define P751P1_5 $0xEEB0000000000000 +#define P751P1_6 $0xE3EC968549F878A8 +#define P751P1_7 $0xDA959B1A13F7CC76 +#define P751P1_8 $0x084E9867D6EBE876 +#define P751P1_9 $0x8562B5045CB25748 +#define P751P1_10 $0x0E12909F97BADC66 +#define P751P1_11 $0x00006FE5D541F71C + +#define P751_0 $0xFFFFFFFFFFFFFFFF +#define P751_5 $0xEEAFFFFFFFFFFFFF +#define P751_6 $0xE3EC968549F878A8 +#define P751_7 $0xDA959B1A13F7CC76 +#define P751_8 $0x084E9867D6EBE876 +#define P751_9 $0x8562B5045CB25748 +#define P751_10 $0x0E12909F97BADC66 +#define P751_11 $0x00006FE5D541F71C + +#define P751X2_0 $0xFFFFFFFFFFFFFFFE +#define P751X2_1 $0xFFFFFFFFFFFFFFFF +#define P751X2_5 $0xDD5FFFFFFFFFFFFF +#define P751X2_6 $0xC7D92D0A93F0F151 +#define P751X2_7 $0xB52B363427EF98ED +#define P751X2_8 $0x109D30CFADD7D0ED +#define P751X2_9 $0x0AC56A08B964AE90 +#define P751X2_10 $0x1C25213F2F75B8CD +#define P751X2_11 $0x0000DFCBAA83EE38 + +// The MSR code uses these registers for parameter passing. Keep using +// them to avoid significant code changes. This means that when the Go +// assembler does something strange, we can diff the machine code +// against a different assembler to find out what Go did. 
+ +#define REG_P1 DI +#define REG_P2 SI +#define REG_P3 DX + +TEXT ·modP751(SB), NOSPLIT, $0-8 + MOVQ x+0(FP), REG_P1 + + // Zero AX for later use: + XORQ AX, AX + + // Load p into registers: + MOVQ P751_0, R8 + // P751_{1,2,3,4} = P751_0, so reuse R8 + MOVQ P751_5, R9 + MOVQ P751_6, R10 + MOVQ P751_7, R11 + MOVQ P751_8, R12 + MOVQ P751_9, R13 + MOVQ P751_10, R14 + MOVQ P751_11, R15 + + // Set x <- x - p + SUBQ R8, (REG_P1) + SBBQ R8, (8)(REG_P1) + SBBQ R8, (16)(REG_P1) + SBBQ R8, (24)(REG_P1) + SBBQ R8, (32)(REG_P1) + SBBQ R9, (40)(REG_P1) + SBBQ R10, (48)(REG_P1) + SBBQ R11, (56)(REG_P1) + SBBQ R12, (64)(REG_P1) + SBBQ R13, (72)(REG_P1) + SBBQ R14, (80)(REG_P1) + SBBQ R15, (88)(REG_P1) + + // Save carry flag indicating x-p < 0 as a mask in AX + SBBQ $0, AX + + // Conditionally add p to x if x-p < 0 + ANDQ AX, R8 + ANDQ AX, R9 + ANDQ AX, R10 + ANDQ AX, R11 + ANDQ AX, R12 + ANDQ AX, R13 + ANDQ AX, R14 + ANDQ AX, R15 + + ADDQ R8, (REG_P1) + ADCQ R8, (8)(REG_P1) + ADCQ R8, (16)(REG_P1) + ADCQ R8, (24)(REG_P1) + ADCQ R8, (32)(REG_P1) + ADCQ R9, (40)(REG_P1) + ADCQ R10, (48)(REG_P1) + ADCQ R11, (56)(REG_P1) + ADCQ R12, (64)(REG_P1) + ADCQ R13, (72)(REG_P1) + ADCQ R14, (80)(REG_P1) + ADCQ R15, (88)(REG_P1) + + RET + +TEXT ·cswapP751(SB), NOSPLIT, $0-17 + + MOVQ x+0(FP), REG_P1 + MOVQ y+8(FP), REG_P2 + MOVB choice+16(FP), AL // AL = 0 or 1 + MOVBLZX AL, AX // AX = 0 or 1 + NEGQ AX // RAX = 0x00..00 or 0xff..ff + + MOVQ (0*8)(REG_P1), BX // BX = x[0] + MOVQ (0*8)(REG_P2), CX // CX = y[0] + MOVQ CX, DX // DX = y[0] + XORQ BX, DX // DX = y[0] ^ x[0] + ANDQ AX, DX // DX = (y[0] ^ x[0]) & mask + XORQ DX, BX // BX = (y[0] ^ x[0]) & mask) ^ x[0] = x[0] or y[0] + XORQ DX, CX // CX = (y[0] ^ x[0]) & mask) ^ y[0] = y[0] or x[0] + MOVQ BX, (0*8)(REG_P1) + MOVQ CX, (0*8)(REG_P2) + + MOVQ (1*8)(REG_P1), BX + MOVQ (1*8)(REG_P2), CX + MOVQ CX, DX + XORQ BX, DX + ANDQ AX, DX + XORQ DX, BX + XORQ DX, CX + MOVQ BX, (1*8)(REG_P1) + MOVQ CX, (1*8)(REG_P2) + + MOVQ (2*8)(REG_P1), BX + MOVQ 
(2*8)(REG_P2), CX + MOVQ CX, DX + XORQ BX, DX + ANDQ AX, DX + XORQ DX, BX + XORQ DX, CX + MOVQ BX, (2*8)(REG_P1) + MOVQ CX, (2*8)(REG_P2) + + MOVQ (3*8)(REG_P1), BX + MOVQ (3*8)(REG_P2), CX + MOVQ CX, DX + XORQ BX, DX + ANDQ AX, DX + XORQ DX, BX + XORQ DX, CX + MOVQ BX, (3*8)(REG_P1) + MOVQ CX, (3*8)(REG_P2) + + MOVQ (4*8)(REG_P1), BX + MOVQ (4*8)(REG_P2), CX + MOVQ CX, DX + XORQ BX, DX + ANDQ AX, DX + XORQ DX, BX + XORQ DX, CX + MOVQ BX, (4*8)(REG_P1) + MOVQ CX, (4*8)(REG_P2) + + MOVQ (5*8)(REG_P1), BX + MOVQ (5*8)(REG_P2), CX + MOVQ CX, DX + XORQ BX, DX + ANDQ AX, DX + XORQ DX, BX + XORQ DX, CX + MOVQ BX, (5*8)(REG_P1) + MOVQ CX, (5*8)(REG_P2) + + MOVQ (6*8)(REG_P1), BX + MOVQ (6*8)(REG_P2), CX + MOVQ CX, DX + XORQ BX, DX + ANDQ AX, DX + XORQ DX, BX + XORQ DX, CX + MOVQ BX, (6*8)(REG_P1) + MOVQ CX, (6*8)(REG_P2) + + MOVQ (7*8)(REG_P1), BX + MOVQ (7*8)(REG_P2), CX + MOVQ CX, DX + XORQ BX, DX + ANDQ AX, DX + XORQ DX, BX + XORQ DX, CX + MOVQ BX, (7*8)(REG_P1) + MOVQ CX, (7*8)(REG_P2) + + MOVQ (8*8)(REG_P1), BX + MOVQ (8*8)(REG_P2), CX + MOVQ CX, DX + XORQ BX, DX + ANDQ AX, DX + XORQ DX, BX + XORQ DX, CX + MOVQ BX, (8*8)(REG_P1) + MOVQ CX, (8*8)(REG_P2) + + MOVQ (9*8)(REG_P1), BX + MOVQ (9*8)(REG_P2), CX + MOVQ CX, DX + XORQ BX, DX + ANDQ AX, DX + XORQ DX, BX + XORQ DX, CX + MOVQ BX, (9*8)(REG_P1) + MOVQ CX, (9*8)(REG_P2) + + MOVQ (10*8)(REG_P1), BX + MOVQ (10*8)(REG_P2), CX + MOVQ CX, DX + XORQ BX, DX + ANDQ AX, DX + XORQ DX, BX + XORQ DX, CX + MOVQ BX, (10*8)(REG_P1) + MOVQ CX, (10*8)(REG_P2) + + MOVQ (11*8)(REG_P1), BX + MOVQ (11*8)(REG_P2), CX + MOVQ CX, DX + XORQ BX, DX + ANDQ AX, DX + XORQ DX, BX + XORQ DX, CX + MOVQ BX, (11*8)(REG_P1) + MOVQ CX, (11*8)(REG_P2) + + RET + +TEXT ·addP751(SB), NOSPLIT, $0-24 + + MOVQ z+0(FP), REG_P3 + MOVQ x+8(FP), REG_P1 + MOVQ y+16(FP), REG_P2 + + MOVQ (REG_P1), R8 + MOVQ (8)(REG_P1), R9 + MOVQ (16)(REG_P1), R10 + MOVQ (24)(REG_P1), R11 + MOVQ (32)(REG_P1), R12 + MOVQ (40)(REG_P1), R13 + MOVQ (48)(REG_P1), R14 + MOVQ 
(56)(REG_P1), R15 + MOVQ (64)(REG_P1), CX + ADDQ (REG_P2), R8 + ADCQ (8)(REG_P2), R9 + ADCQ (16)(REG_P2), R10 + ADCQ (24)(REG_P2), R11 + ADCQ (32)(REG_P2), R12 + ADCQ (40)(REG_P2), R13 + ADCQ (48)(REG_P2), R14 + ADCQ (56)(REG_P2), R15 + ADCQ (64)(REG_P2), CX + MOVQ (72)(REG_P1), AX + ADCQ (72)(REG_P2), AX + MOVQ AX, (72)(REG_P3) + MOVQ (80)(REG_P1), AX + ADCQ (80)(REG_P2), AX + MOVQ AX, (80)(REG_P3) + MOVQ (88)(REG_P1), AX + ADCQ (88)(REG_P2), AX + MOVQ AX, (88)(REG_P3) + + MOVQ P751X2_0, AX + SUBQ AX, R8 + MOVQ P751X2_1, AX + SBBQ AX, R9 + SBBQ AX, R10 + SBBQ AX, R11 + SBBQ AX, R12 + MOVQ P751X2_5, AX + SBBQ AX, R13 + MOVQ P751X2_6, AX + SBBQ AX, R14 + MOVQ P751X2_7, AX + SBBQ AX, R15 + MOVQ P751X2_8, AX + SBBQ AX, CX + MOVQ R8, (REG_P3) + MOVQ R9, (8)(REG_P3) + MOVQ R10, (16)(REG_P3) + MOVQ R11, (24)(REG_P3) + MOVQ R12, (32)(REG_P3) + MOVQ R13, (40)(REG_P3) + MOVQ R14, (48)(REG_P3) + MOVQ R15, (56)(REG_P3) + MOVQ CX, (64)(REG_P3) + MOVQ (72)(REG_P3), R8 + MOVQ (80)(REG_P3), R9 + MOVQ (88)(REG_P3), R10 + MOVQ P751X2_9, AX + SBBQ AX, R8 + MOVQ P751X2_10, AX + SBBQ AX, R9 + MOVQ P751X2_11, AX + SBBQ AX, R10 + MOVQ R8, (72)(REG_P3) + MOVQ R9, (80)(REG_P3) + MOVQ R10, (88)(REG_P3) + MOVQ $0, AX + SBBQ $0, AX + + MOVQ P751X2_0, SI + ANDQ AX, SI + MOVQ P751X2_1, R8 + ANDQ AX, R8 + MOVQ P751X2_5, R9 + ANDQ AX, R9 + MOVQ P751X2_6, R10 + ANDQ AX, R10 + MOVQ P751X2_7, R11 + ANDQ AX, R11 + MOVQ P751X2_8, R12 + ANDQ AX, R12 + MOVQ P751X2_9, R13 + ANDQ AX, R13 + MOVQ P751X2_10, R14 + ANDQ AX, R14 + MOVQ P751X2_11, R15 + ANDQ AX, R15 + + MOVQ (REG_P3), AX + ADDQ SI, AX + MOVQ AX, (REG_P3) + MOVQ (8)(REG_P3), AX + ADCQ R8, AX + MOVQ AX, (8)(REG_P3) + MOVQ (16)(REG_P3), AX + ADCQ R8, AX + MOVQ AX, (16)(REG_P3) + MOVQ (24)(REG_P3), AX + ADCQ R8, AX + MOVQ AX, (24)(REG_P3) + MOVQ (32)(REG_P3), AX + ADCQ R8, AX + MOVQ AX, (32)(REG_P3) + MOVQ (40)(REG_P3), AX + ADCQ R9, AX + MOVQ AX, (40)(REG_P3) + MOVQ (48)(REG_P3), AX + ADCQ R10, AX + MOVQ AX, (48)(REG_P3) + MOVQ (56)(REG_P3), AX + 
ADCQ R11, AX + MOVQ AX, (56)(REG_P3) + MOVQ (64)(REG_P3), AX + ADCQ R12, AX + MOVQ AX, (64)(REG_P3) + MOVQ (72)(REG_P3), AX + ADCQ R13, AX + MOVQ AX, (72)(REG_P3) + MOVQ (80)(REG_P3), AX + ADCQ R14, AX + MOVQ AX, (80)(REG_P3) + MOVQ (88)(REG_P3), AX + ADCQ R15, AX + MOVQ AX, (88)(REG_P3) + + RET + +TEXT ·subP751(SB), NOSPLIT, $0-24 + + MOVQ z+0(FP), REG_P3 + MOVQ x+8(FP), REG_P1 + MOVQ y+16(FP), REG_P2 + + MOVQ (REG_P1), R8 + MOVQ (8)(REG_P1), R9 + MOVQ (16)(REG_P1), R10 + MOVQ (24)(REG_P1), R11 + MOVQ (32)(REG_P1), R12 + MOVQ (40)(REG_P1), R13 + MOVQ (48)(REG_P1), R14 + MOVQ (56)(REG_P1), R15 + MOVQ (64)(REG_P1), CX + SUBQ (REG_P2), R8 + SBBQ (8)(REG_P2), R9 + SBBQ (16)(REG_P2), R10 + SBBQ (24)(REG_P2), R11 + SBBQ (32)(REG_P2), R12 + SBBQ (40)(REG_P2), R13 + SBBQ (48)(REG_P2), R14 + SBBQ (56)(REG_P2), R15 + SBBQ (64)(REG_P2), CX + MOVQ R8, (REG_P3) + MOVQ R9, (8)(REG_P3) + MOVQ R10, (16)(REG_P3) + MOVQ R11, (24)(REG_P3) + MOVQ R12, (32)(REG_P3) + MOVQ R13, (40)(REG_P3) + MOVQ R14, (48)(REG_P3) + MOVQ R15, (56)(REG_P3) + MOVQ CX, (64)(REG_P3) + MOVQ (72)(REG_P1), AX + SBBQ (72)(REG_P2), AX + MOVQ AX, (72)(REG_P3) + MOVQ (80)(REG_P1), AX + SBBQ (80)(REG_P2), AX + MOVQ AX, (80)(REG_P3) + MOVQ (88)(REG_P1), AX + SBBQ (88)(REG_P2), AX + MOVQ AX, (88)(REG_P3) + MOVQ $0, AX + SBBQ $0, AX + + MOVQ P751X2_0, SI + ANDQ AX, SI + MOVQ P751X2_1, R8 + ANDQ AX, R8 + MOVQ P751X2_5, R9 + ANDQ AX, R9 + MOVQ P751X2_6, R10 + ANDQ AX, R10 + MOVQ P751X2_7, R11 + ANDQ AX, R11 + MOVQ P751X2_8, R12 + ANDQ AX, R12 + MOVQ P751X2_9, R13 + ANDQ AX, R13 + MOVQ P751X2_10, R14 + ANDQ AX, R14 + MOVQ P751X2_11, R15 + ANDQ AX, R15 + + MOVQ (REG_P3), AX + ADDQ SI, AX + MOVQ AX, (REG_P3) + MOVQ (8)(REG_P3), AX + ADCQ R8, AX + MOVQ AX, (8)(REG_P3) + MOVQ (16)(REG_P3), AX + ADCQ R8, AX + MOVQ AX, (16)(REG_P3) + MOVQ (24)(REG_P3), AX + ADCQ R8, AX + MOVQ AX, (24)(REG_P3) + MOVQ (32)(REG_P3), AX + ADCQ R8, AX + MOVQ AX, (32)(REG_P3) + MOVQ (40)(REG_P3), AX + ADCQ R9, AX + MOVQ AX, (40)(REG_P3) + MOVQ 
(48)(REG_P3), AX + ADCQ R10, AX + MOVQ AX, (48)(REG_P3) + MOVQ (56)(REG_P3), AX + ADCQ R11, AX + MOVQ AX, (56)(REG_P3) + MOVQ (64)(REG_P3), AX + ADCQ R12, AX + MOVQ AX, (64)(REG_P3) + MOVQ (72)(REG_P3), AX + ADCQ R13, AX + MOVQ AX, (72)(REG_P3) + MOVQ (80)(REG_P3), AX + ADCQ R14, AX + MOVQ AX, (80)(REG_P3) + MOVQ (88)(REG_P3), AX + ADCQ R15, AX + MOVQ AX, (88)(REG_P3) + + RET + +TEXT ·mulP751(SB), $96-24 + + // Here we store the destination in CX instead of in REG_P3 because the + // multiplication instructions use DX as an implicit destination + // operand: MULQ $REG sets DX:AX <-- AX * $REG. + + MOVQ z+0(FP), CX + MOVQ x+8(FP), REG_P1 + MOVQ y+16(FP), REG_P2 + + XORQ AX, AX + MOVQ (48)(REG_P1), R8 + MOVQ (56)(REG_P1), R9 + MOVQ (64)(REG_P1), R10 + MOVQ (72)(REG_P1), R11 + MOVQ (80)(REG_P1), R12 + MOVQ (88)(REG_P1), R13 + ADDQ (REG_P1), R8 + ADCQ (8)(REG_P1), R9 + ADCQ (16)(REG_P1), R10 + ADCQ (24)(REG_P1), R11 + ADCQ (32)(REG_P1), R12 + ADCQ (40)(REG_P1), R13 + MOVQ R8, (CX) + MOVQ R9, (8)(CX) + MOVQ R10, (16)(CX) + MOVQ R11, (24)(CX) + MOVQ R12, (32)(CX) + MOVQ R13, (40)(CX) + SBBQ $0, AX + + XORQ DX, DX + MOVQ (48)(REG_P2), R8 + MOVQ (56)(REG_P2), R9 + MOVQ (64)(REG_P2), R10 + MOVQ (72)(REG_P2), R11 + MOVQ (80)(REG_P2), R12 + MOVQ (88)(REG_P2), R13 + ADDQ (REG_P2), R8 + ADCQ (8)(REG_P2), R9 + ADCQ (16)(REG_P2), R10 + ADCQ (24)(REG_P2), R11 + ADCQ (32)(REG_P2), R12 + ADCQ (40)(REG_P2), R13 + MOVQ R8, (48)(CX) + MOVQ R9, (56)(CX) + MOVQ R10, (64)(CX) + MOVQ R11, (72)(CX) + MOVQ R12, (80)(CX) + MOVQ R13, (88)(CX) + SBBQ $0, DX + MOVQ AX, (80)(SP) + MOVQ DX, (88)(SP) + + // (SP[0-8],R10,R8,R9) <- (AH+AL)*(BH+BL) + + MOVQ (CX), R11 + MOVQ R8, AX + MULQ R11 + MOVQ AX, (SP) // c0 + MOVQ DX, R14 + + XORQ R15, R15 + MOVQ R9, AX + MULQ R11 + XORQ R9, R9 + ADDQ AX, R14 + ADCQ DX, R9 + + MOVQ (8)(CX), R12 + MOVQ R8, AX + MULQ R12 + ADDQ AX, R14 + MOVQ R14, (8)(SP) // c1 + ADCQ DX, R9 + ADCQ $0, R15 + + XORQ R8, R8 + MOVQ R10, AX + MULQ R11 + ADDQ AX, R9 + MOVQ (48)(CX), 
R13 + ADCQ DX, R15 + ADCQ $0, R8 + + MOVQ (16)(CX), AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R15 + MOVQ (56)(CX), AX + ADCQ $0, R8 + + MULQ R12 + ADDQ AX, R9 + MOVQ R9, (16)(SP) // c2 + ADCQ DX, R15 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ (72)(CX), AX + MULQ R11 + ADDQ AX, R15 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (24)(CX), AX + MULQ R13 + ADDQ AX, R15 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ R10, AX + MULQ R12 + ADDQ AX, R15 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (16)(CX), R14 + MOVQ (56)(CX), AX + MULQ R14 + ADDQ AX, R15 + MOVQ R15, (24)(SP) // c3 + ADCQ DX, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ (80)(CX), AX + MULQ R11 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (64)(CX), AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (48)(CX), R15 + MOVQ (32)(CX), AX + MULQ R15 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (72)(CX), AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (24)(CX), R13 + MOVQ (56)(CX), AX + MULQ R13 + ADDQ AX, R8 + MOVQ R8, (32)(SP) // c4 + ADCQ DX, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ (88)(CX), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (64)(CX), AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (72)(CX), AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (40)(CX), AX + MULQ R15 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (80)(CX), AX + MULQ R12 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (32)(CX), R15 + MOVQ (56)(CX), AX + MULQ R15 + ADDQ AX, R9 + MOVQ R9, (40)(SP) // c5 + ADCQ DX, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ (64)(CX), AX + MULQ R15 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (88)(CX), AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (80)(CX), AX + MULQ R14 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (40)(CX), R11 + MOVQ (56)(CX), AX + MULQ R11 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (72)(CX), AX + MULQ R13 + ADDQ AX, R10 + MOVQ R10, (48)(SP) // c6 + ADCQ DX, R8 + ADCQ $0, R9 + + 
XORQ R10, R10 + MOVQ (88)(CX), AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (64)(CX), AX + MULQ R11 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (80)(CX), AX + MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (72)(CX), AX + MULQ R15 + ADDQ AX, R8 + MOVQ R8, (56)(SP) // c7 + ADCQ DX, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ (72)(CX), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (80)(CX), AX + MULQ R15 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (88)(CX), AX + MULQ R13 + ADDQ AX, R9 + MOVQ R9, (64)(SP) // c8 + ADCQ DX, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ (88)(CX), AX + MULQ R15 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (80)(CX), AX + MULQ R11 + ADDQ AX, R10 // c9 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (88)(CX), AX + MULQ R11 + ADDQ AX, R8 // c10 + ADCQ DX, R9 // c11 + + MOVQ (88)(SP), AX + MOVQ (CX), DX + ANDQ AX, R12 + ANDQ AX, R14 + ANDQ AX, DX + ANDQ AX, R13 + ANDQ AX, R15 + ANDQ AX, R11 + MOVQ (48)(SP), AX + ADDQ AX, DX + MOVQ (56)(SP), AX + ADCQ AX, R12 + MOVQ (64)(SP), AX + ADCQ AX, R14 + ADCQ R10, R13 + ADCQ R8, R15 + ADCQ R9, R11 + MOVQ (80)(SP), AX + MOVQ DX, (48)(SP) + MOVQ R12, (56)(SP) + MOVQ R14, (64)(SP) + MOVQ R13, (72)(SP) + MOVQ R15, (80)(SP) + MOVQ R11, (88)(SP) + + MOVQ (48)(CX), R8 + MOVQ (56)(CX), R9 + MOVQ (64)(CX), R10 + MOVQ (72)(CX), R11 + MOVQ (80)(CX), R12 + MOVQ (88)(CX), R13 + ANDQ AX, R8 + ANDQ AX, R9 + ANDQ AX, R10 + ANDQ AX, R11 + ANDQ AX, R12 + ANDQ AX, R13 + MOVQ (48)(SP), AX + ADDQ AX, R8 + MOVQ (56)(SP), AX + ADCQ AX, R9 + MOVQ (64)(SP), AX + ADCQ AX, R10 + MOVQ (72)(SP), AX + ADCQ AX, R11 + MOVQ (80)(SP), AX + ADCQ AX, R12 + MOVQ (88)(SP), AX + ADCQ AX, R13 + MOVQ R8, (48)(SP) + MOVQ R9, (56)(SP) + MOVQ R11, (72)(SP) + + // CX[0-11] <- AL*BL + MOVQ (REG_P1), R11 + MOVQ (REG_P2), AX + MULQ R11 + XORQ R9, R9 + MOVQ AX, (CX) // c0 + MOVQ R10, (64)(SP) + MOVQ DX, R8 + + MOVQ (8)(REG_P2), AX + MULQ R11 + XORQ R10, R10 + ADDQ AX, R8 + MOVQ R12, (80)(SP) + 
ADCQ DX, R9 + + MOVQ (8)(REG_P1), R12 + MOVQ (REG_P2), AX + MULQ R12 + ADDQ AX, R8 + MOVQ R8, (8)(CX) // c1 + ADCQ DX, R9 + MOVQ R13, (88)(SP) + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ (16)(REG_P2), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (REG_P2), R13 + MOVQ (16)(REG_P1), AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (8)(REG_P2), AX + MULQ R12 + ADDQ AX, R9 + MOVQ R9, (16)(CX) // c2 + ADCQ DX, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ (24)(REG_P2), AX + MULQ R11 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (24)(REG_P1), AX + MULQ R13 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (16)(REG_P2), AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (16)(REG_P1), R14 + MOVQ (8)(REG_P2), AX + MULQ R14 + ADDQ AX, R10 + MOVQ R10, (24)(CX) // c3 + ADCQ DX, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ (32)(REG_P2), AX + MULQ R11 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (16)(REG_P2), AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (32)(REG_P1), AX + MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (24)(REG_P2), AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (24)(REG_P1), R13 + MOVQ (8)(REG_P2), AX + MULQ R13 + ADDQ AX, R8 + MOVQ R8, (32)(CX) // c4 + ADCQ DX, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ (40)(REG_P2), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (16)(REG_P2), AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (24)(REG_P2), AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (40)(REG_P1), R11 + MOVQ (REG_P2), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (32)(REG_P2), AX + MULQ R12 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (32)(REG_P1), R15 + MOVQ (8)(REG_P2), AX + MULQ R15 + ADDQ AX, R9 + MOVQ R9, (40)(CX) //c5 + ADCQ DX, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ (16)(REG_P2), AX + MULQ R15 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (40)(REG_P2), AX + MULQ 
R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (32)(REG_P2), AX + MULQ R14 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (8)(REG_P2), AX + MULQ R11 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (24)(REG_P2), AX + MULQ R13 + ADDQ AX, R10 + MOVQ R10, (48)(CX) // c6 + ADCQ DX, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ (40)(REG_P2), AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (16)(REG_P2), AX + MULQ R11 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (32)(REG_P2), AX + MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (24)(REG_P2), AX + MULQ R15 + ADDQ AX, R8 + MOVQ R8, (56)(CX) // c7 + ADCQ DX, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ (24)(REG_P2), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (32)(REG_P2), AX + MULQ R15 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (40)(REG_P2), AX + MULQ R13 + ADDQ AX, R9 + MOVQ R9, (64)(CX) // c8 + ADCQ DX, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ (40)(REG_P2), AX + MULQ R15 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (32)(REG_P2), AX + MULQ R11 + ADDQ AX, R10 + MOVQ R10, (72)(CX) // c9 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (40)(REG_P2), AX + MULQ R11 + ADDQ AX, R8 + MOVQ R8, (80)(CX) // c10 + ADCQ DX, R9 + MOVQ R9, (88)(CX) // c11 + + // CX[12-23] <- AH*BH + MOVQ (48)(REG_P1), R11 + MOVQ (48)(REG_P2), AX + MULQ R11 + XORQ R9, R9 + MOVQ AX, (96)(CX) // c0 + MOVQ DX, R8 + + MOVQ (56)(REG_P2), AX + MULQ R11 + XORQ R10, R10 + ADDQ AX, R8 + ADCQ DX, R9 + + MOVQ (56)(REG_P1), R12 + MOVQ (48)(REG_P2), AX + MULQ R12 + ADDQ AX, R8 + MOVQ R8, (104)(CX) // c1 + ADCQ DX, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ (64)(REG_P2), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (48)(REG_P2), R13 + MOVQ (64)(REG_P1), AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (56)(REG_P2), AX + MULQ R12 + ADDQ AX, R9 + MOVQ R9, (112)(CX) // c2 + ADCQ DX, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ (72)(REG_P2), AX + MULQ R11 + ADDQ AX, R10 
+ ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (72)(REG_P1), AX + MULQ R13 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (64)(REG_P2), AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (64)(REG_P1), R14 + MOVQ (56)(REG_P2), AX + MULQ R14 + ADDQ AX, R10 + MOVQ R10, (120)(CX) // c3 + ADCQ DX, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ (80)(REG_P2), AX + MULQ R11 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (64)(REG_P2), AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (80)(REG_P1), R15 + MOVQ R13, AX + MULQ R15 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (72)(REG_P2), AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (72)(REG_P1), R13 + MOVQ (56)(REG_P2), AX + MULQ R13 + ADDQ AX, R8 + MOVQ R8, (128)(CX) // c4 + ADCQ DX, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ (88)(REG_P2), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (64)(REG_P2), AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (72)(REG_P2), AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (88)(REG_P1), R11 + MOVQ (48)(REG_P2), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (80)(REG_P2), AX + MULQ R12 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (56)(REG_P2), AX + MULQ R15 + ADDQ AX, R9 + MOVQ R9, (136)(CX) // c5 + ADCQ DX, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ (64)(REG_P2), AX + MULQ R15 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (88)(REG_P2), AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (80)(REG_P2), AX + MULQ R14 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (56)(REG_P2), AX + MULQ R11 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (72)(REG_P2), AX + MULQ R13 + ADDQ AX, R10 + MOVQ R10, (144)(CX) // c6 + ADCQ DX, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ (88)(REG_P2), AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (64)(REG_P2), AX + MULQ R11 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (80)(REG_P2), AX + 
MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (72)(REG_P2), AX + MULQ R15 + ADDQ AX, R8 + MOVQ R8, (152)(CX) // c7 + ADCQ DX, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ (72)(REG_P2), AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (80)(REG_P2), AX + MULQ R15 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (88)(REG_P2), AX + MULQ R13 + ADDQ AX, R9 + MOVQ R9, (160)(CX) // c8 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (88)(REG_P2), AX + MULQ R15 + ADDQ AX, R10 + ADCQ DX, R8 + + MOVQ (80)(REG_P2), AX + MULQ R11 + ADDQ AX, R10 + MOVQ R10, (168)(CX) // c9 + ADCQ DX, R8 + + MOVQ (88)(REG_P2), AX + MULQ R11 + ADDQ AX, R8 + MOVQ R8, (176)(CX) // c10 + ADCQ $0, DX + MOVQ DX, (184)(CX) // c11 + + // [R8-R15,AX,DX,DI,(SP)] <- (AH+AL)*(BH+BL)-AL*BL + MOVQ (SP), R8 + SUBQ (CX), R8 + MOVQ (8)(SP), R9 + SBBQ (8)(CX), R9 + MOVQ (16)(SP), R10 + SBBQ (16)(CX), R10 + MOVQ (24)(SP), R11 + SBBQ (24)(CX), R11 + MOVQ (32)(SP), R12 + SBBQ (32)(CX), R12 + MOVQ (40)(SP), R13 + SBBQ (40)(CX), R13 + MOVQ (48)(SP), R14 + SBBQ (48)(CX), R14 + MOVQ (56)(SP), R15 + SBBQ (56)(CX), R15 + MOVQ (64)(SP), AX + SBBQ (64)(CX), AX + MOVQ (72)(SP), DX + SBBQ (72)(CX), DX + MOVQ (80)(SP), DI + SBBQ (80)(CX), DI + MOVQ (88)(SP), SI + SBBQ (88)(CX), SI + MOVQ SI, (SP) + + // [R8-R15,AX,DX,DI,(SP)] <- (AH+AL)*(BH+BL) - AL*BL - AH*BH + MOVQ (96)(CX), SI + SUBQ SI, R8 + MOVQ (104)(CX), SI + SBBQ SI, R9 + MOVQ (112)(CX), SI + SBBQ SI, R10 + MOVQ (120)(CX), SI + SBBQ SI, R11 + MOVQ (128)(CX), SI + SBBQ SI, R12 + MOVQ (136)(CX), SI + SBBQ SI, R13 + MOVQ (144)(CX), SI + SBBQ SI, R14 + MOVQ (152)(CX), SI + SBBQ SI, R15 + MOVQ (160)(CX), SI + SBBQ SI, AX + MOVQ (168)(CX), SI + SBBQ SI, DX + MOVQ (176)(CX), SI + SBBQ SI, DI + MOVQ (SP), SI + SBBQ (184)(CX), SI + + // FINAL RESULT + ADDQ (48)(CX), R8 + MOVQ R8, (48)(CX) + ADCQ (56)(CX), R9 + MOVQ R9, (56)(CX) + ADCQ (64)(CX), R10 + MOVQ R10, (64)(CX) + ADCQ (72)(CX), R11 + MOVQ R11, (72)(CX) + ADCQ (80)(CX), R12 + MOVQ R12, (80)(CX) + ADCQ 
(88)(CX), R13 + MOVQ R13, (88)(CX) + ADCQ (96)(CX), R14 + MOVQ R14, (96)(CX) + ADCQ (104)(CX), R15 + MOVQ R15, (104)(CX) + ADCQ (112)(CX), AX + MOVQ AX, (112)(CX) + ADCQ (120)(CX), DX + MOVQ DX, (120)(CX) + ADCQ (128)(CX), DI + MOVQ DI, (128)(CX) + ADCQ (136)(CX), SI + MOVQ SI, (136)(CX) + MOVQ (144)(CX), AX + ADCQ $0, AX + MOVQ AX, (144)(CX) + MOVQ (152)(CX), AX + ADCQ $0, AX + MOVQ AX, (152)(CX) + MOVQ (160)(CX), AX + ADCQ $0, AX + MOVQ AX, (160)(CX) + MOVQ (168)(CX), AX + ADCQ $0, AX + MOVQ AX, (168)(CX) + MOVQ (176)(CX), AX + ADCQ $0, AX + MOVQ AX, (176)(CX) + MOVQ (184)(CX), AX + ADCQ $0, AX + MOVQ AX, (184)(CX) + + RET + +// This multiplies a 256-bit number pointed to by M0 with p751+1. +// It is assumed that M1 points to p751+1 stored as a 768-bit Fp751Element. +// C points to the place to store the result and should be at least 192 bits. +// This should only be used when the BMI2 and ADX instruction set extensions +// are available. +#define mul256x448bmi2adx(M0, M1, C, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10) \ + MOVQ 0+M0, DX \ + MULXQ M1+40(SB), T1, T0 \ + MULXQ M1+48(SB), T3, T2 \ + MOVQ T1, 0+C \ // C0_final + XORQ AX, AX \ + MULXQ M1+56(SB), T5, T4 \ + ADOXQ T3, T0 \ + ADOXQ T5, T2 \ + MULXQ M1+64(SB), T3, T1 \ + ADOXQ T3, T4 \ + MULXQ M1+72(SB), T6, T5 \ + ADOXQ T6, T1 \ + MULXQ M1+80(SB), T7, T3 \ + ADOXQ T7, T5 \ + MULXQ M1+88(SB), T8, T6 \ + ADOXQ T8, T3 \ + ADOXQ AX, T6 \ + \ + MOVQ 8+M0, DX \ + MULXQ M1+40(SB), T7, T8 \ + XORQ AX, AX \ + ADCXQ T7, T0 \ + MOVQ T0, 8+C \ // C1_final + ADCXQ T8, T2 \ + MULXQ M1+48(SB), T8, T7 \ + ADOXQ T8, T2 \ + ADCXQ T7, T4 \ + MULXQ M1+56(SB), T8, T0 \ + ADOXQ T8, T4 \ + ADCXQ T1, T0 \ + MULXQ M1+64(SB), T7, T1 \ + ADCXQ T5, T1 \ + MULXQ M1+72(SB), T8, T5 \ + ADCXQ T5, T3 \ + MULXQ M1+80(SB), T9, T5 \ + ADCXQ T5, T6 \ + MULXQ M1+88(SB), DX, T5 \ + ADCXQ AX, T5 \ + \ + ADOXQ T7, T0 \ + ADOXQ T8, T1 \ + ADOXQ T9, T3 \ + ADOXQ DX, T6 \ + ADOXQ AX, T5 \ + \ + MOVQ 16+M0, DX \ + MULXQ M1+40(SB), T7, T8 \ + XORQ 
AX, AX \ + ADCXQ T7, T2 \ + MOVQ T2, 16+C \ // C2_final + ADCXQ T8, T4 \ + MULXQ M1+48(SB), T7, T8 \ + ADOXQ T7, T4 \ + ADCXQ T8, T0 \ + MULXQ M1+56(SB), T8, T2 \ + ADOXQ T8, T0 \ + ADCXQ T2, T1 \ + MULXQ M1+64(SB), T7, T2 \ + ADCXQ T2, T3 \ + MULXQ M1+72(SB), T8, T2 \ + ADCXQ T2, T6 \ + MULXQ M1+80(SB), T9, T2 \ + ADCXQ T2, T5 \ + MULXQ M1+88(SB), DX, T2 \ + ADCXQ AX, T2 \ + \ + ADOXQ T7, T1 \ + ADOXQ T8, T3 \ + ADOXQ T9, T6 \ + ADOXQ DX, T5 \ + ADOXQ AX, T2 \ + \ + MOVQ 24+M0, DX \ + MULXQ M1+40(SB), T7, T8 \ + XORQ AX, AX \ + ADCXQ T4, T7 \ + ADCXQ T8, T0 \ + MULXQ M1+48(SB), T10, T8 \ + ADOXQ T10, T0 \ + ADCXQ T8, T1 \ + MULXQ M1+56(SB), T8, T4 \ + ADOXQ T8, T1 \ + ADCXQ T4, T3 \ + MULXQ M1+64(SB), T10, T4 \ + ADCXQ T4, T6 \ + MULXQ M1+72(SB), T8, T4 \ + ADCXQ T4, T5 \ + MULXQ M1+80(SB), T9, T4 \ + ADCXQ T4, T2 \ + MULXQ M1+88(SB), DX, T4 \ + ADCXQ AX, T4 \ + \ + ADOXQ T10, T3 \ + ADOXQ T8, T6 \ + ADOXQ T9, T5 \ + ADOXQ DX, T2 \ + ADOXQ AX, T4 + +// This multiplies a 256-bit number pointed to by M0 with p751+1. +// It is assumed that M1 points to p751+1 stored as a 768-bit Fp751Element. +// C points to the place to store the result and should be at least 192 bits. +// This should only be used when the BMI2 instruction set extension is +// available. 
+#define mul256x448bmi2(M0, M1, C, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10) \ + MOVQ 0+M0, DX \ + MULXQ M1+40(SB), T1, T0 \ + MULXQ M1+48(SB), T3, T2 \ + MOVQ T1, 0+C \ // C0_final + XORQ AX, AX \ + MULXQ M1+56(SB), T5, T4 \ + ADDQ T3, T0 \ + ADCQ T5, T2 \ + MULXQ M1+64(SB), T3, T1 \ + ADCQ T3, T4 \ + MULXQ M1+72(SB), T6, T5 \ + ADCQ T6, T1 \ + MULXQ M1+80(SB), T7, T3 \ + ADCQ T7, T5 \ + MULXQ M1+88(SB), T8, T6 \ + ADCQ T8, T3 \ + ADCQ AX, T6 \ + \ + MOVQ 8+M0, DX \ + MULXQ M1+40(SB), T7, T8 \ + ADDQ T7, T0 \ + MOVQ T0, 8+C \ // C1_final + ADCQ T8, T2 \ + MULXQ M1+48(SB), T8, T7 \ + MOVQ T8, 32+C \ + ADCQ T7, T4 \ + MULXQ M1+56(SB), T8, T0 \ + MOVQ T8, 40+C \ + ADCQ T1, T0 \ + MULXQ M1+64(SB), T7, T1 \ + ADCQ T5, T1 \ + MULXQ M1+72(SB), T8, T5 \ + ADCQ T5, T3 \ + MULXQ M1+80(SB), T9, T5 \ + ADCQ T5, T6 \ + MULXQ M1+88(SB), DX, T5 \ + ADCQ AX, T5 \ + \ + XORQ AX, AX \ + ADDQ 32+C, T2 \ + ADCQ 40+C, T4 \ + ADCQ T7, T0 \ + ADCQ T8, T1 \ + ADCQ T9, T3 \ + ADCQ DX, T6 \ + ADCQ AX, T5 \ + \ + MOVQ 16+M0, DX \ + MULXQ M1+40(SB), T7, T8 \ + ADDQ T7, T2 \ + MOVQ T2, 16+C \ // C2_final + ADCQ T8, T4 \ + MULXQ M1+48(SB), T7, T8 \ + MOVQ T7, 32+C \ + ADCQ T8, T0 \ + MULXQ M1+56(SB), T8, T2 \ + MOVQ T8, 40+C \ + ADCQ T2, T1 \ + MULXQ M1+64(SB), T7, T2 \ + ADCQ T2, T3 \ + MULXQ M1+72(SB), T8, T2 \ + ADCQ T2, T6 \ + MULXQ M1+80(SB), T9, T2 \ + ADCQ T2, T5 \ + MULXQ M1+88(SB), DX, T2 \ + ADCQ AX, T2 \ + \ + XORQ AX, AX \ + ADDQ 32+C, T4 \ + ADCQ 40+C, T0 \ + ADCQ T7, T1 \ + ADCQ T8, T3 \ + ADCQ T9, T6 \ + ADCQ DX, T5 \ + ADCQ AX, T2 \ + \ + MOVQ 24+M0, DX \ + MULXQ M1+40(SB), T7, T8 \ + ADDQ T4, T7 \ + ADCQ T8, T0 \ + MULXQ M1+48(SB), T10, T8 \ + MOVQ T10, 32+C \ + ADCQ T8, T1 \ + MULXQ M1+56(SB), T8, T4 \ + MOVQ T8, 40+C \ + ADCQ T4, T3 \ + MULXQ M1+64(SB), T10, T4 \ + ADCQ T4, T6 \ + MULXQ M1+72(SB), T8, T4 \ + ADCQ T4, T5 \ + MULXQ M1+80(SB), T9, T4 \ + ADCQ T4, T2 \ + MULXQ M1+88(SB), DX, T4 \ + ADCQ AX, T4 \ + \ + XORQ AX, AX \ + ADDQ 32+C, T0 \ + ADCQ 40+C, T1 \ + ADCQ 
T10, T3 \ + ADCQ T8, T6 \ + ADCQ T9, T5 \ + ADCQ DX, T2 \ + ADCQ AX, T4 + +// Template for calculating the Montgomery reduction algorithm described in +// section 5.2.3 of https://eprint.iacr.org/2017/1015.pdf. Template must be +// customized with schoolbook multiplicaton for 256 x 448-bit number. +// This macro reuses memory of IN value and *changes* it. Smashes registers +// R[8-15], AX, BX, CX, DX, BP. +// Input: +// * M0: 1536-bit number to be reduced +// * C : either mul256x448bmi2 or mul256x448bmi2adx +// Output: OUT 768-bit +#define REDC(C, M0, MULS) \ + \ // a[0-3] x p751p1_nz --> result: [reg_p2+48], [reg_p2+56], [reg_p2+64], and rbp, r8:r14 + MULS(M0, ·P751p1, 48+C, R8, R9, R13, R10, R14, R12, R11, BP, BX, CX, R15) \ + XORQ R15, R15 \ + MOVQ 48+C, AX \ + MOVQ 56+C, DX \ + MOVQ 64+C, BX \ + ADDQ 40+M0, AX \ + ADCQ 48+M0, DX \ + ADCQ 56+M0, BX \ + MOVQ AX, 40+M0 \ + MOVQ DX, 48+M0 \ + MOVQ BX, 56+M0 \ + ADCQ 64+M0, BP \ + ADCQ 72+M0, R8 \ + ADCQ 80+M0, R9 \ + ADCQ 88+M0, R10 \ + ADCQ 96+M0, R11 \ + ADCQ 104+M0, R12 \ + ADCQ 112+M0, R13 \ + ADCQ 120+M0, R14 \ + ADCQ 128+M0, R15 \ + MOVQ BP, 64+M0 \ + MOVQ R8, 72+M0 \ + MOVQ R9, 80+M0 \ + MOVQ R10, 88+M0 \ + MOVQ R11, 96+M0 \ + MOVQ R12, 104+M0 \ + MOVQ R13, 112+M0 \ + MOVQ R14, 120+M0 \ + MOVQ R15, 128+M0 \ + MOVQ 136+M0, R8 \ + MOVQ 144+M0, R9 \ + MOVQ 152+M0, R10 \ + MOVQ 160+M0, R11 \ + MOVQ 168+M0, R12 \ + MOVQ 176+M0, R13 \ + MOVQ 184+M0, R14 \ + ADCQ $0, R8 \ + ADCQ $0, R9 \ + ADCQ $0, R10 \ + ADCQ $0, R11 \ + ADCQ $0, R12 \ + ADCQ $0, R13 \ + ADCQ $0, R14 \ + MOVQ R8, 136+M0 \ + MOVQ R9, 144+M0 \ + MOVQ R10, 152+M0 \ + MOVQ R11, 160+M0 \ + MOVQ R12, 168+M0 \ + MOVQ R13, 176+M0 \ + MOVQ R14, 184+M0 \ + \ // a[4-7] x p751p1_nz --> result: [reg_p2+48], [reg_p2+56], [reg_p2+64], and rbp, r8:r14 + MULS(32+M0, ·P751p1, 48+C, R8, R9, R13, R10, R14, R12, R11, BP, BX, CX, R15) \ + XORQ R15, R15 \ + MOVQ 48+C, AX \ + MOVQ 56+C, DX \ + MOVQ 64+C, BX \ + ADDQ 72+M0, AX \ + ADCQ 80+M0, DX \ + ADCQ 88+M0, BX \ + 
MOVQ AX, 72+M0 \ + MOVQ DX, 80+M0 \ + MOVQ BX, 88+M0 \ + ADCQ 96+M0, BP \ + ADCQ 104+M0, R8 \ + ADCQ 112+M0, R9 \ + ADCQ 120+M0, R10 \ + ADCQ 128+M0, R11 \ + ADCQ 136+M0, R12 \ + ADCQ 144+M0, R13 \ + ADCQ 152+M0, R14 \ + ADCQ 160+M0, R15 \ + MOVQ BP, 0+C \ // Final result c0 + MOVQ R8, 104+M0 \ + MOVQ R9, 112+M0 \ + MOVQ R10, 120+M0 \ + MOVQ R11, 128+M0 \ + MOVQ R12, 136+M0 \ + MOVQ R13, 144+M0 \ + MOVQ R14, 152+M0 \ + MOVQ R15, 160+M0 \ + MOVQ 168+M0, R12 \ + MOVQ 176+M0, R13 \ + MOVQ 184+M0, R14 \ + ADCQ $0, R12 \ + ADCQ $0, R13 \ + ADCQ $0, R14 \ + MOVQ R12, 168+M0 \ + MOVQ R13, 176+M0 \ + MOVQ R14, 184+M0 \ + \ // a[8-11] x p751p1_nz --> result: [reg_p2+48], [reg_p2+56], [reg_p2+64], and rbp, r8:r14 + MULS(64+M0, ·P751p1, 48+C, R8, R9, R13, R10, R14, R12, R11, BP, BX, CX, R15) \ + MOVQ 48+C, AX \ // Final result c1:c11 + MOVQ 56+C, DX \ + MOVQ 64+C, BX \ + ADDQ 104+M0, AX \ + ADCQ 112+M0, DX \ + ADCQ 120+M0, BX \ + MOVQ AX, 8+C \ + MOVQ DX, 16+C \ + MOVQ BX, 24+C \ + ADCQ 128+M0, BP \ + ADCQ 136+M0, R8 \ + ADCQ 144+M0, R9 \ + ADCQ 152+M0, R10 \ + ADCQ 160+M0, R11 \ + ADCQ 168+M0, R12 \ + ADCQ 176+M0, R13 \ + ADCQ 184+M0, R14 \ + MOVQ BP, 32+C \ + MOVQ R8, 40+C \ + MOVQ R9, 48+C \ + MOVQ R10, 56+C \ + MOVQ R11, 64+C \ + MOVQ R12, 72+C \ + MOVQ R13, 80+C \ + MOVQ R14, 88+C + +TEXT ·rdcP751(SB), $0-16 + MOVQ z+0(FP), REG_P2 + MOVQ x+8(FP), REG_P1 + + // Check wether to use optimized implementation + CMPB ·HasADXandBMI2(SB), $1 + JE redc_with_mulx_adcx_adox + CMPB ·HasBMI2(SB), $1 + JE redc_with_mulx + + MOVQ (REG_P1), R11 + MOVQ P751P1_5, AX + MULQ R11 + XORQ R8, R8 + ADDQ (40)(REG_P1), AX + MOVQ AX, (40)(REG_P2) // Z5 + ADCQ DX, R8 + + XORQ R9, R9 + MOVQ P751P1_6, AX + MULQ R11 + XORQ R10, R10 + ADDQ AX, R8 + ADCQ DX, R9 + + MOVQ (8)(REG_P1), R12 + MOVQ P751P1_5, AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + ADDQ (48)(REG_P1), R8 + MOVQ R8, (48)(REG_P2) // Z6 + ADCQ $0, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ P751P1_7, AX + MULQ R11 + ADDQ AX, R9 + 
ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_6, AX + MULQ R12 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (16)(REG_P1), R13 + MOVQ P751P1_5, AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + ADDQ (56)(REG_P1), R9 + MOVQ R9, (56)(REG_P2) // Z7 + ADCQ $0, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ P751P1_8, AX + MULQ R11 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_7, AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_6, AX + MULQ R13 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (24)(REG_P1), R14 + MOVQ P751P1_5, AX + MULQ R14 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + ADDQ (64)(REG_P1), R10 + MOVQ R10, (64)(REG_P2) // Z8 + ADCQ $0, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ P751P1_9, AX + MULQ R11 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_8, AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_7, AX + MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_6, AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (32)(REG_P1), R15 + MOVQ P751P1_5, AX + MULQ R15 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + ADDQ (72)(REG_P1), R8 + MOVQ R8, (72)(REG_P2) // Z9 + ADCQ $0, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ P751P1_10, AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_9, AX + MULQ R12 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_8, AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_7, AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_6, AX + MULQ R15 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (40)(REG_P2), CX + MOVQ P751P1_5, AX + MULQ CX + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + ADDQ (80)(REG_P1), R9 + MOVQ R9, (80)(REG_P2) // Z10 + ADCQ $0, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ P751P1_11, AX + MULQ R11 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_10, AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_9, AX + MULQ R13 + 
ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_8, AX + MULQ R14 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_7, AX + MULQ R15 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_6, AX + MULQ CX + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (48)(REG_P2), R11 + MOVQ P751P1_5, AX + MULQ R11 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + ADDQ (88)(REG_P1), R10 + MOVQ R10, (88)(REG_P2) // Z11 + ADCQ $0, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ P751P1_11, AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_10, AX + MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_9, AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_8, AX + MULQ R15 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_7, AX + MULQ CX + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_6, AX + MULQ R11 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (56)(REG_P2), R12 + MOVQ P751P1_5, AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + ADDQ (96)(REG_P1), R8 + MOVQ R8, (REG_P2) // Z0 + ADCQ $0, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ P751P1_11, AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_10, AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_9, AX + MULQ R15 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_8, AX + MULQ CX + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_7, AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_6, AX + MULQ R12 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (64)(REG_P2), R13 + MOVQ P751P1_5, AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + ADDQ (104)(REG_P1), R9 + MOVQ R9, (8)(REG_P2) // Z1 + ADCQ $0, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ P751P1_11, AX + MULQ R14 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_10, AX + MULQ R15 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_9, AX + MULQ CX + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ 
$0, R9 + + MOVQ P751P1_8, AX + MULQ R11 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_7, AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_6, AX + MULQ R13 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ (72)(REG_P2), R14 + MOVQ P751P1_5, AX + MULQ R14 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + ADDQ (112)(REG_P1), R10 + MOVQ R10, (16)(REG_P2) // Z2 + ADCQ $0, R8 + ADCQ $0, R9 + + XORQ R10, R10 + MOVQ P751P1_11, AX + MULQ R15 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_10, AX + MULQ CX + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_9, AX + MULQ R11 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_8, AX + MULQ R12 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_7, AX + MULQ R13 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ P751P1_6, AX + MULQ R14 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + + MOVQ (80)(REG_P2), R15 + MOVQ P751P1_5, AX + MULQ R15 + ADDQ AX, R8 + ADCQ DX, R9 + ADCQ $0, R10 + ADDQ (120)(REG_P1), R8 + MOVQ R8, (24)(REG_P2) // Z3 + ADCQ $0, R9 + ADCQ $0, R10 + + XORQ R8, R8 + MOVQ P751P1_11, AX + MULQ CX + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_10, AX + MULQ R11 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_9, AX + MULQ R12 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_8, AX + MULQ R13 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_7, AX + MULQ R14 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ P751P1_6, AX + MULQ R15 + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + + MOVQ (88)(REG_P2), CX + MOVQ P751P1_5, AX + MULQ CX + ADDQ AX, R9 + ADCQ DX, R10 + ADCQ $0, R8 + ADDQ (128)(REG_P1), R9 + MOVQ R9, (32)(REG_P2) // Z4 + ADCQ $0, R10 + ADCQ $0, R8 + + XORQ R9, R9 + MOVQ P751P1_11, AX + MULQ R11 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_10, AX + MULQ R12 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_9, AX + MULQ R13 + ADDQ AX, R10 + ADCQ DX, R8 + ADCQ $0, R9 + + MOVQ P751P1_8, AX 
+ MULQ R14
+ ADDQ AX, R10
+ ADCQ DX, R8
+ ADCQ $0, R9
+
+ MOVQ P751P1_7, AX
+ MULQ R15
+ ADDQ AX, R10
+ ADCQ DX, R8
+ ADCQ $0, R9
+
+ MOVQ P751P1_6, AX
+ MULQ CX
+ ADDQ AX, R10
+ ADCQ DX, R8
+ ADCQ $0, R9
+ ADDQ (136)(REG_P1), R10
+ MOVQ R10, (40)(REG_P2) // Z5
+ ADCQ $0, R8
+ ADCQ $0, R9
+
+ XORQ R10, R10
+ MOVQ P751P1_11, AX
+ MULQ R12
+ ADDQ AX, R8
+ ADCQ DX, R9
+ ADCQ $0, R10
+
+ MOVQ P751P1_10, AX
+ MULQ R13
+ ADDQ AX, R8
+ ADCQ DX, R9
+ ADCQ $0, R10
+
+ MOVQ P751P1_9, AX
+ MULQ R14
+ ADDQ AX, R8
+ ADCQ DX, R9
+ ADCQ $0, R10
+
+ MOVQ P751P1_8, AX
+ MULQ R15
+ ADDQ AX, R8
+ ADCQ DX, R9
+ ADCQ $0, R10
+
+ MOVQ P751P1_7, AX
+ MULQ CX
+ ADDQ AX, R8
+ ADCQ DX, R9
+ ADCQ $0, R10
+ ADDQ (144)(REG_P1), R8
+ MOVQ R8, (48)(REG_P2) // Z6
+ ADCQ $0, R9
+ ADCQ $0, R10
+
+ XORQ R8, R8
+ MOVQ P751P1_11, AX
+ MULQ R13
+ ADDQ AX, R9
+ ADCQ DX, R10
+ ADCQ $0, R8
+
+ MOVQ P751P1_10, AX
+ MULQ R14
+ ADDQ AX, R9
+ ADCQ DX, R10
+ ADCQ $0, R8
+
+ MOVQ P751P1_9, AX
+ MULQ R15
+ ADDQ AX, R9
+ ADCQ DX, R10
+ ADCQ $0, R8
+
+ MOVQ P751P1_8, AX
+ MULQ CX
+ ADDQ AX, R9
+ ADCQ DX, R10
+ ADCQ $0, R8
+ ADDQ (152)(REG_P1), R9
+ MOVQ R9, (56)(REG_P2) // Z7
+ ADCQ $0, R10
+ ADCQ $0, R8
+
+ XORQ R9, R9
+ MOVQ P751P1_11, AX
+ MULQ R14
+ ADDQ AX, R10
+ ADCQ DX, R8
+ ADCQ $0, R9
+
+ MOVQ P751P1_10, AX
+ MULQ R15
+ ADDQ AX, R10
+ ADCQ DX, R8
+ ADCQ $0, R9
+
+ MOVQ P751P1_9, AX
+ MULQ CX
+ ADDQ AX, R10
+ ADCQ DX, R8
+ ADCQ $0, R9
+ ADDQ (160)(REG_P1), R10
+ MOVQ R10, (64)(REG_P2) // Z8
+ ADCQ $0, R8
+ ADCQ $0, R9
+
+ XORQ R10, R10
+ MOVQ P751P1_11, AX
+ MULQ R15
+ ADDQ AX, R8
+ ADCQ DX, R9
+ ADCQ $0, R10
+
+ MOVQ P751P1_10, AX
+ MULQ CX
+ ADDQ AX, R8
+ ADCQ DX, R9
+ ADCQ $0, R10
+ ADDQ (168)(REG_P1), R8 // Z9
+ MOVQ R8, (72)(REG_P2) // Z9
+ ADCQ $0, R9
+ ADCQ $0, R10
+
+ MOVQ P751P1_11, AX
+ MULQ CX
+ ADDQ AX, R9
+ ADCQ DX, R10
+ ADDQ (176)(REG_P1), R9 // Z10
+ MOVQ R9, (80)(REG_P2) // Z10
+ ADCQ $0, R10
+ ADDQ (184)(REG_P1), R10 // Z11
+ MOVQ R10, (88)(REG_P2) // Z11
+ RET
+
+redc_with_mulx_adcx_adox:
+ // This implements the Montgomery reduction algorithm described in
+ // section 5.2.3 of https://eprint.iacr.org/2017/1015.pdf.
+ // This assumes that the BMI2 and ADX instruction set extensions are available.
+ REDC(0(REG_P2), 0(REG_P1), mul256x448bmi2adx)
+ RET
+
+redc_with_mulx:
+ // This implements the Montgomery reduction algorithm described in
+ // section 5.2.3 of https://eprint.iacr.org/2017/1015.pdf.
+ // This assumes that the BMI2 instruction set extension is available.
+ REDC(0(REG_P2), 0(REG_P1), mul256x448bmi2)
+ RET
+
+TEXT ·adlP751(SB), NOSPLIT, $0-24
+
+ MOVQ z+0(FP), REG_P3
+ MOVQ x+8(FP), REG_P1
+ MOVQ y+16(FP), REG_P2
+
+ MOVQ (REG_P1), R8
+ MOVQ (8)(REG_P1), R9
+ MOVQ (16)(REG_P1), R10
+ MOVQ (24)(REG_P1), R11
+ MOVQ (32)(REG_P1), R12
+ MOVQ (40)(REG_P1), R13
+ MOVQ (48)(REG_P1), R14
+ MOVQ (56)(REG_P1), R15
+ MOVQ (64)(REG_P1), AX
+ MOVQ (72)(REG_P1), BX
+ MOVQ (80)(REG_P1), CX
+
+ ADDQ (REG_P2), R8
+ ADCQ (8)(REG_P2), R9
+ ADCQ (16)(REG_P2), R10
+ ADCQ (24)(REG_P2), R11
+ ADCQ (32)(REG_P2), R12
+ ADCQ (40)(REG_P2), R13
+ ADCQ (48)(REG_P2), R14
+ ADCQ (56)(REG_P2), R15
+ ADCQ (64)(REG_P2), AX
+ ADCQ (72)(REG_P2), BX
+ ADCQ (80)(REG_P2), CX
+
+ MOVQ R8, (REG_P3)
+ MOVQ R9, (8)(REG_P3)
+ MOVQ R10, (16)(REG_P3)
+ MOVQ R11, (24)(REG_P3)
+ MOVQ R12, (32)(REG_P3)
+ MOVQ R13, (40)(REG_P3)
+ MOVQ R14, (48)(REG_P3)
+ MOVQ R15, (56)(REG_P3)
+ MOVQ AX, (64)(REG_P3)
+ MOVQ BX, (72)(REG_P3)
+ MOVQ CX, (80)(REG_P3)
+ MOVQ (88)(REG_P1), AX
+ ADCQ (88)(REG_P2), AX
+ MOVQ AX, (88)(REG_P3)
+
+ MOVQ (96)(REG_P1), R8
+ MOVQ (104)(REG_P1), R9
+ MOVQ (112)(REG_P1), R10
+ MOVQ (120)(REG_P1), R11
+ MOVQ (128)(REG_P1), R12
+ MOVQ (136)(REG_P1), R13
+ MOVQ (144)(REG_P1), R14
+ MOVQ (152)(REG_P1), R15
+ MOVQ (160)(REG_P1), AX
+ MOVQ (168)(REG_P1), BX
+ MOVQ (176)(REG_P1), CX
+ MOVQ (184)(REG_P1), DI
+
+ ADCQ (96)(REG_P2), R8
+ ADCQ (104)(REG_P2), R9
+ ADCQ (112)(REG_P2), R10
+ ADCQ (120)(REG_P2), R11
+ ADCQ (128)(REG_P2), R12
+ ADCQ (136)(REG_P2), R13
+ ADCQ (144)(REG_P2), R14
+ ADCQ (152)(REG_P2), R15
+ ADCQ (160)(REG_P2), AX
+ ADCQ (168)(REG_P2), BX
+ ADCQ (176)(REG_P2), CX
+ ADCQ (184)(REG_P2), DI
+
+ MOVQ R8, (96)(REG_P3)
+ MOVQ R9, (104)(REG_P3)
+ MOVQ R10, (112)(REG_P3)
+ MOVQ R11, (120)(REG_P3)
+ MOVQ R12, (128)(REG_P3)
+ MOVQ R13, (136)(REG_P3)
+ MOVQ R14, (144)(REG_P3)
+ MOVQ R15, (152)(REG_P3)
+ MOVQ AX, (160)(REG_P3)
+ MOVQ BX, (168)(REG_P3)
+ MOVQ CX, (176)(REG_P3)
+ MOVQ DI, (184)(REG_P3)
+
+ RET
+
+
+TEXT ·sulP751(SB), NOSPLIT, $0-24
+
+ MOVQ z+0(FP), REG_P3
+ MOVQ x+8(FP), REG_P1
+ MOVQ y+16(FP), REG_P2
+
+ MOVQ (REG_P1), R8
+ MOVQ (8)(REG_P1), R9
+ MOVQ (16)(REG_P1), R10
+ MOVQ (24)(REG_P1), R11
+ MOVQ (32)(REG_P1), R12
+ MOVQ (40)(REG_P1), R13
+ MOVQ (48)(REG_P1), R14
+ MOVQ (56)(REG_P1), R15
+ MOVQ (64)(REG_P1), AX
+ MOVQ (72)(REG_P1), BX
+ MOVQ (80)(REG_P1), CX
+
+ SUBQ (REG_P2), R8
+ SBBQ (8)(REG_P2), R9
+ SBBQ (16)(REG_P2), R10
+ SBBQ (24)(REG_P2), R11
+ SBBQ (32)(REG_P2), R12
+ SBBQ (40)(REG_P2), R13
+ SBBQ (48)(REG_P2), R14
+ SBBQ (56)(REG_P2), R15
+ SBBQ (64)(REG_P2), AX
+ SBBQ (72)(REG_P2), BX
+ SBBQ (80)(REG_P2), CX
+
+ MOVQ R8, (REG_P3)
+ MOVQ R9, (8)(REG_P3)
+ MOVQ R10, (16)(REG_P3)
+ MOVQ R11, (24)(REG_P3)
+ MOVQ R12, (32)(REG_P3)
+ MOVQ R13, (40)(REG_P3)
+ MOVQ R14, (48)(REG_P3)
+ MOVQ R15, (56)(REG_P3)
+ MOVQ AX, (64)(REG_P3)
+ MOVQ BX, (72)(REG_P3)
+ MOVQ CX, (80)(REG_P3)
+ MOVQ (88)(REG_P1), AX
+ SBBQ (88)(REG_P2), AX
+ MOVQ AX, (88)(REG_P3)
+
+ MOVQ (96)(REG_P1), R8
+ MOVQ (104)(REG_P1), R9
+ MOVQ (112)(REG_P1), R10
+ MOVQ (120)(REG_P1), R11
+ MOVQ (128)(REG_P1), R12
+ MOVQ (136)(REG_P1), R13
+ MOVQ (144)(REG_P1), R14
+ MOVQ (152)(REG_P1), R15
+ MOVQ (160)(REG_P1), AX
+ MOVQ (168)(REG_P1), BX
+ MOVQ (176)(REG_P1), CX
+ MOVQ (184)(REG_P1), DI
+
+ SBBQ (96)(REG_P2), R8
+ SBBQ (104)(REG_P2), R9
+ SBBQ (112)(REG_P2), R10
+ SBBQ (120)(REG_P2), R11
+ SBBQ (128)(REG_P2), R12
+ SBBQ (136)(REG_P2), R13
+ SBBQ (144)(REG_P2), R14
+ SBBQ (152)(REG_P2), R15
+ SBBQ (160)(REG_P2), AX
+ SBBQ (168)(REG_P2), BX
+ SBBQ (176)(REG_P2), CX
+ SBBQ (184)(REG_P2), DI
+
+ MOVQ R8, (96)(REG_P3)
+ MOVQ R9, (104)(REG_P3)
+ MOVQ R10, (112)(REG_P3)
+ MOVQ R11, (120)(REG_P3)
+ MOVQ R12, (128)(REG_P3)
+ MOVQ R13, (136)(REG_P3)
+ MOVQ R14, (144)(REG_P3)
+ MOVQ R15, (152)(REG_P3)
+ MOVQ AX, (160)(REG_P3)
+ MOVQ BX, (168)(REG_P3)
+ MOVQ CX, (176)(REG_P3)
+ MOVQ DI, (184)(REG_P3)
+
+ // Now the carry flag is 1 if x-y < 0. If so, add p*2^768.
+ MOVQ $0, AX
+ SBBQ $0, AX
+
+ // Load p into registers:
+ MOVQ P751_0, R8
+ // P751_{1,2,3,4} = P751_0, so reuse R8
+ MOVQ P751_5, R9
+ MOVQ P751_6, R10
+ MOVQ P751_7, R11
+ MOVQ P751_8, R12
+ MOVQ P751_9, R13
+ MOVQ P751_10, R14
+ MOVQ P751_11, R15
+
+ ANDQ AX, R8
+ ANDQ AX, R9
+ ANDQ AX, R10
+ ANDQ AX, R11
+ ANDQ AX, R12
+ ANDQ AX, R13
+ ANDQ AX, R14
+ ANDQ AX, R15
+
+ ADDQ R8, (96 )(REG_P3)
+ ADCQ R8, (96+ 8)(REG_P3)
+ ADCQ R8, (96+16)(REG_P3)
+ ADCQ R8, (96+24)(REG_P3)
+ ADCQ R8, (96+32)(REG_P3)
+ ADCQ R9, (96+40)(REG_P3)
+ ADCQ R10, (96+48)(REG_P3)
+ ADCQ R11, (96+56)(REG_P3)
+ ADCQ R12, (96+64)(REG_P3)
+ ADCQ R13, (96+72)(REG_P3)
+ ADCQ R14, (96+80)(REG_P3)
+ ADCQ R15, (96+88)(REG_P3)
+
+ RET
+
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_arm64.s b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_arm64.s
new file mode 100644
index 00000000..2c564f91
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_arm64.s
@@ -0,0 +1,1478 @@
+// +build arm64,!noasm
+
+#include "textflag.h"
+
+TEXT ·cswapP751(SB), NOSPLIT, $0-17
+ MOVD x+0(FP), R0
+ MOVD y+8(FP), R1
+ MOVB choice+16(FP), R2
+
+ // Set flags
+ // If choice is not 0 or 1, this implementation will swap completely
+ CMP $0, R2
+
+ LDP 0(R0), (R3, R4)
+ LDP 0(R1), (R5, R6)
+ CSEL EQ, R3, R5, R7
+ CSEL EQ, R4, R6, R8
+ STP (R7, R8), 0(R0)
+ CSEL NE, R3, R5, R9
+ CSEL NE, R4, R6, R10
+ STP (R9, R10), 0(R1)
+
+ LDP 16(R0), (R3, R4)
+ LDP 16(R1), (R5, R6)
+ CSEL EQ, R3, R5, R7
+ CSEL EQ, R4, R6, R8
+ STP (R7, R8), 16(R0)
+ CSEL NE, R3, R5, R9
+ CSEL NE, R4, R6, R10
+ STP (R9, R10), 16(R1)
+
+ LDP 32(R0), (R3, R4)
+ LDP 32(R1), (R5, R6)
+ CSEL EQ, R3, R5, R7
+ CSEL EQ, R4, R6, R8
+ STP (R7, R8), 32(R0)
+ CSEL NE, R3, R5, R9
+ CSEL NE, R4, R6, R10
+ STP (R9, R10), 32(R1)
+
+ LDP 48(R0), (R3, R4)
+ LDP 48(R1), (R5, R6)
+ CSEL EQ, R3, R5, R7
+ CSEL EQ, R4, R6, R8
+ STP (R7, R8), 48(R0)
+ CSEL NE, R3, R5, R9
+ CSEL NE, R4, R6, R10
+ STP (R9, R10), 48(R1)
+
+ LDP 64(R0), (R3, R4)
+ LDP 64(R1), (R5, R6)
+ CSEL EQ, R3, R5, R7
+ CSEL EQ, R4, R6, R8
+ STP (R7, R8), 64(R0)
+ CSEL NE, R3, R5, R9
+ CSEL NE, R4, R6, R10
+ STP (R9, R10), 64(R1)
+
+ LDP 80(R0), (R3, R4)
+ LDP 80(R1), (R5, R6)
+ CSEL EQ, R3, R5, R7
+ CSEL EQ, R4, R6, R8
+ STP (R7, R8), 80(R0)
+ CSEL NE, R3, R5, R9
+ CSEL NE, R4, R6, R10
+ STP (R9, R10), 80(R1)
+
+ RET
+
+TEXT ·addP751(SB), NOSPLIT, $0-24
+ MOVD z+0(FP), R2
+ MOVD x+8(FP), R0
+ MOVD y+16(FP), R1
+
+ // Load first summand into R3-R14
+ // Add first summand and second summand and store result in R3-R14
+ LDP 0(R0), (R3, R4)
+ LDP 0(R1), (R15, R16)
+ LDP 16(R0), (R5, R6)
+ LDP 16(R1), (R17, R19)
+ ADDS R15, R3
+ ADCS R16, R4
+ ADCS R17, R5
+ ADCS R19, R6
+
+ LDP 32(R0), (R7, R8)
+ LDP 32(R1), (R15, R16)
+ LDP 48(R0), (R9, R10)
+ LDP 48(R1), (R17, R19)
+ ADCS R15, R7
+ ADCS R16, R8
+ ADCS R17, R9
+ ADCS R19, R10
+
+ LDP 64(R0), (R11, R12)
+ LDP 64(R1), (R15, R16)
+ LDP 80(R0), (R13, R14)
+ LDP 80(R1), (R17, R19)
+ ADCS R15, R11
+ ADCS R16, R12
+ ADCS R17, R13
+ ADC R19, R14
+
+ // Subtract 2 * p751 in R15-R24 from the result in R3-R14
+ LDP ·P751x2+0(SB), (R15, R16)
+ SUBS R15, R3
+ SBCS R16, R4
+ LDP ·P751x2+40(SB), (R17, R19)
+ SBCS R16, R5
+ SBCS R16, R6
+ SBCS R16, R7
+ LDP ·P751x2+56(SB), (R20, R21)
+ SBCS R17, R8
+ SBCS R19, R9
+ LDP ·P751x2+72(SB), (R22, R23)
+ SBCS R20, R10
+ SBCS R21, R11
+ MOVD ·P751x2+88(SB), R24
+ SBCS R22, R12
+ SBCS R23, R13
+ SBCS R24, R14
+ SBC ZR, ZR, R25
+
+ // If x + y - 2 * p751 < 0, R25 is 1 and 2 * p751 should be added
+ AND R25, R15
+ AND R25, R16
+ AND R25, R17
+ AND R25, R19
+ AND R25, R20
+ AND R25, R21
+ AND R25, R22
+ AND R25, R23
+ AND R25, R24
+
+ ADDS R15, R3
+ ADCS R16, R4
+ STP (R3, R4), 0(R2)
+ ADCS R16, R5
+ ADCS R16, R6
+ STP (R5, R6), 16(R2)
+ ADCS R16, R7
+ ADCS R17, R8
+ STP (R7, R8), 32(R2)
+ ADCS R19, R9
+ ADCS R20, R10
+ STP (R9, R10), 48(R2)
+ ADCS R21, R11
+ ADCS R22, R12
+ STP (R11, R12), 64(R2)
+ ADCS R23, R13
+ ADC R24, R14
+ STP (R13, R14), 80(R2)
+
+ RET
+
+TEXT ·subP751(SB), NOSPLIT, $0-24
+ MOVD z+0(FP), R2
+ MOVD x+8(FP), R0
+ MOVD y+16(FP), R1
+
+ // Load x into R3-R14
+ // Subtract y from x and store result in R3-R14
+ LDP 0(R0), (R3, R4)
+ LDP 0(R1), (R15, R16)
+ LDP 16(R0), (R5, R6)
+ LDP 16(R1), (R17, R19)
+ SUBS R15, R3
+ SBCS R16, R4
+ SBCS R17, R5
+ SBCS R19, R6
+
+ LDP 32(R0), (R7, R8)
+ LDP 32(R1), (R15, R16)
+ LDP 48(R0), (R9, R10)
+ LDP 48(R1), (R17, R19)
+ SBCS R15, R7
+ SBCS R16, R8
+ SBCS R17, R9
+ SBCS R19, R10
+
+ LDP 64(R0), (R11, R12)
+ LDP 64(R1), (R15, R16)
+ LDP 80(R0), (R13, R14)
+ LDP 80(R1), (R17, R19)
+ SBCS R15, R11
+ SBCS R16, R12
+ SBCS R17, R13
+ SBCS R19, R14
+ SBC ZR, ZR, R15
+
+ // If x - y < 0, R15 is 1 and 2 * p751 should be added
+ LDP ·P751x2+0(SB), (R16, R17)
+ AND R15, R16
+ AND R15, R17
+ LDP ·P751x2+40(SB), (R19, R20)
+ AND R15, R19
+ AND R15, R20
+
+ ADDS R16, R3
+ ADCS R17, R4
+ STP (R3, R4), 0(R2)
+ ADCS R17, R5
+ ADCS R17, R6
+ STP (R5, R6), 16(R2)
+ ADCS R17, R7
+ ADCS R19, R8
+ STP (R7, R8), 32(R2)
+ ADCS R20, R9
+
+ LDP ·P751x2+56(SB), (R16, R17)
+ AND R15, R16
+ AND R15, R17
+ LDP ·P751x2+72(SB), (R19, R20)
+ AND R15, R19
+ AND R15, R20
+
+ ADCS R16, R10
+ STP (R9, R10), 48(R2)
+ ADCS R17, R11
+ ADCS R19, R12
+ STP (R11, R12), 64(R2)
+ ADCS R20, R13
+
+ MOVD ·P751x2+88(SB), R16
+ AND R15, R16
+ ADC R16, R14
+ STP (R13, R14), 80(R2)
+
+ RET
+
+TEXT ·adlP751(SB), NOSPLIT, $0-24
+ MOVD z+0(FP), R2
+ MOVD x+8(FP), R0
+ MOVD y+16(FP), R1
+
+ LDP 0(R0), (R3, R4)
+ LDP 0(R1), (R15, R16)
+ LDP 16(R0), (R5, R6)
+ LDP 16(R1), (R17, R19)
+ ADDS R15, R3
+ ADCS R16, R4
+ STP (R3, R4), 0(R2)
+ ADCS R17, R5
+ ADCS R19, R6
+ STP (R5, R6), 16(R2)
+
+ LDP 32(R0), (R7, R8)
+ LDP 32(R1), (R15, R16)
+ LDP 48(R0), (R9, R10)
+ LDP 48(R1), (R17, R19)
+ ADCS R15, R7
+ ADCS R16, R8
+ STP (R7, R8), 32(R2)
+ ADCS R17, R9
+ ADCS R19, R10
+ STP (R9, R10), 48(R2)
+
+ LDP 64(R0), (R11, R12)
+ LDP 64(R1), (R15, R16)
+ LDP 80(R0), (R13, R14)
+ LDP 80(R1), (R17, R19)
+ ADCS R15, R11
+ ADCS R16, R12
+ STP (R11, R12), 64(R2)
+ ADCS R17, R13
+ ADCS R19, R14
+ STP (R13, R14), 80(R2)
+
+ LDP 96(R0), (R3, R4)
+ LDP 96(R1), (R15, R16)
+ LDP 112(R0), (R5, R6)
+ LDP 112(R1), (R17, R19)
+ ADCS R15, R3
+ ADCS R16, R4
+ STP (R3, R4), 96(R2)
+ ADCS R17, R5
+ ADCS R19, R6
+ STP (R5, R6), 112(R2)
+
+ LDP 128(R0), (R7, R8)
+ LDP 128(R1), (R15, R16)
+ LDP 144(R0), (R9, R10)
+ LDP 144(R1), (R17, R19)
+ ADCS R15, R7
+ ADCS R16, R8
+ STP (R7, R8), 128(R2)
+ ADCS R17, R9
+ ADCS R19, R10
+ STP (R9, R10), 144(R2)
+
+ LDP 160(R0), (R11, R12)
+ LDP 160(R1), (R15, R16)
+ LDP 176(R0), (R13, R14)
+ LDP 176(R1), (R17, R19)
+ ADCS R15, R11
+ ADCS R16, R12
+ STP (R11, R12), 160(R2)
+ ADCS R17, R13
+ ADC R19, R14
+ STP (R13, R14), 176(R2)
+
+ RET
+
+TEXT ·sulP751(SB), NOSPLIT, $0-24
+ MOVD z+0(FP), R2
+ MOVD x+8(FP), R0
+ MOVD y+16(FP), R1
+
+ LDP 0(R0), (R3, R4)
+ LDP 0(R1), (R15, R16)
+ LDP 16(R0), (R5, R6)
+ LDP 16(R1), (R17, R19)
+ SUBS R15, R3
+ SBCS R16, R4
+ STP (R3, R4), 0(R2)
+ SBCS R17, R5 + SBCS R19, R6 + STP (R5, R6), 16(R2) + + LDP 32(R0), (R7, R8) + LDP 32(R1), (R15, R16) + LDP 48(R0), (R9, R10) + LDP 48(R1), (R17, R19) + SBCS R15, R7 + SBCS R16, R8 + STP (R7, R8), 32(R2) + SBCS R17, R9 + SBCS R19, R10 + STP (R9, R10), 48(R2) + + LDP 64(R0), (R11, R12) + LDP 64(R1), (R15, R16) + LDP 80(R0), (R13, R14) + LDP 80(R1), (R17, R19) + SBCS R15, R11 + SBCS R16, R12 + STP (R11, R12), 64(R2) + SBCS R17, R13 + SBCS R19, R14 + STP (R13, R14), 80(R2) + + LDP 96(R0), (R3, R4) + LDP 96(R1), (R15, R16) + LDP 112(R0), (R5, R6) + LDP 112(R1), (R17, R19) + SBCS R15, R3 + SBCS R16, R4 + SBCS R17, R5 + SBCS R19, R6 + + LDP 128(R0), (R7, R8) + LDP 128(R1), (R15, R16) + LDP 144(R0), (R9, R10) + LDP 144(R1), (R17, R19) + SBCS R15, R7 + SBCS R16, R8 + SBCS R17, R9 + SBCS R19, R10 + + LDP 160(R0), (R11, R12) + LDP 160(R1), (R15, R16) + LDP 176(R0), (R13, R14) + LDP 176(R1), (R17, R19) + SBCS R15, R11 + SBCS R16, R12 + SBCS R17, R13 + SBCS R19, R14 + SBC ZR, ZR, R15 + + // If x - y < 0, R15 is 1 and p751 should be added + MOVD ·P751+0(SB), R20 + AND R15, R20 + LDP ·P751+40(SB), (R16, R17) + ADDS R20, R3 + ADCS R20, R4 + STP (R3, R4), 96(R2) + ADCS R20, R5 + ADCS R20, R6 + STP (R5, R6), 112(R2) + ADCS R20, R7 + + LDP ·P751+56(SB), (R19, R20) + AND R15, R16 + AND R15, R17 + ADCS R16, R8 + STP (R7, R8), 128(R2) + ADCS R17, R9 + + LDP ·P751+72(SB), (R16, R17) + AND R15, R19 + AND R15, R20 + ADCS R19, R10 + STP (R9, R10), 144(R2) + ADCS R20, R11 + + MOVD ·P751+88(SB), R19 + AND R15, R16 + AND R15, R17 + ADCS R16, R12 + STP (R11, R12), 160(R2) + ADCS R17, R13 + + AND R15, R19 + ADC R19, R14 + STP (R13, R14), 176(R2) + + RET + +// Expects that X0*Y0 is already in Z0(low),Z3(high) and X0*Y1 in Z1(low),Z2(high) +// Z0 is not actually touched +// Result of (X0-X2) * (Y0-Y2) will be in Z0-Z5 +// Inputs remain intact +#define mul192x192comba(X0, X1, X2, Y0, Y1, Y2, Z0, Z1, Z2, Z3, Z4, Z5, T0, T1, T2, T3) \ + MUL X1, Y0, T2 \ + UMULH X1, Y0, T3 \ + \ + ADDS Z3, Z1 \ + 
ADCS ZR, Z2 \ + ADC ZR, ZR, Z3 \ + \ + MUL X0, Y2, T0 \ + UMULH X0, Y2, T1 \ + \ + ADDS T2, Z1 \ + ADCS T3, Z2 \ + ADC ZR, Z3 \ + \ + MUL X1, Y1, T2 \ + UMULH X1, Y1, T3 \ + \ + ADDS T0, Z2 \ + ADCS T1, Z3 \ + ADC ZR, ZR, Z4 \ + \ + MUL X2, Y0, T0 \ + UMULH X2, Y0, T1 \ + \ + ADDS T2, Z2 \ + ADCS T3, Z3 \ + ADC ZR, Z4 \ + \ + MUL X1, Y2, T2 \ + UMULH X1, Y2, T3 \ + \ + ADDS T0, Z2 \ + ADCS T1, Z3 \ + ADC ZR, Z4 \ + \ + MUL X2, Y1, T0 \ + UMULH X2, Y1, T1 \ + \ + ADDS T2, Z3 \ + ADCS T3, Z4 \ + ADC ZR, ZR, Z5 \ + \ + MUL X2, Y2, T2 \ + UMULH X2, Y2, T3 \ + \ + ADDS T0, Z3 \ + ADCS T1, Z4 \ + ADC ZR, Z5 \ + \ + ADDS T2, Z4 \ + ADC T3, Z5 + +// Expects that X points to (X4-X6), Y to (Y4-Y6) +// Result of (X0-X5) * (Y0-Y5) will be in (0(Z), 8(Z), 16(Z), T0-T8) +// Inputs get overwritten +#define mul384x384karatsuba(X, Y, Z, X0, X1, X2, X3, X4, X5, Y0, Y1, Y2, Y3, Y4, Y5, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10)\ + ADDS X0, X3 \ // xH + xL, destroys xH + ADCS X1, X4 \ + ADCS X2, X5 \ + ADC ZR, ZR, T10 \ + \ + ADDS Y0, Y3 \ // yH + yL, destroys yH + ADCS Y1, Y4 \ + ADCS Y2, Y5 \ + ADC ZR, ZR, T6 \ + \ + SUB T10, ZR, T7 \ + SUB T6, ZR, T8 \ + AND T6, T10 \ // combined carry + \ + AND T7, Y3, T0 \ // masked(yH + yL) + AND T7, Y4, T1 \ + AND T7, Y5, T2 \ + \ + AND T8, X3, T3 \ // masked(xH + xL) + AND T8, X4, T4 \ + AND T8, X5, T5 \ + \ + ADDS T3, T0 \ + ADCS T4, T1 \ + STP (T0, T1), 0+Z \ + \ + MUL X3, Y3, T0 \ + MUL X3, Y4, T1 \ + \ + ADCS T5, T2 \ + MOVD T2, 16+Z \ + \ + UMULH X3, Y4, T2 \ + UMULH X3, Y3, T3 \ + \ + ADC ZR, T10 \ + \ // (xH + xL) * (yH + yL) + mul192x192comba(X3, X4, X5, Y3, Y4, Y5, T0, T1, T2, T3, T4, T5, T6, T7, T8, T9)\ + \ + MUL X0, Y0, X3 \ + LDP 0+Z, (T6, T7) \ + MOVD 16+Z, T8 \ + \ + UMULH X0, Y0, Y3 \ + ADDS T6, T3 \ + ADCS T7, T4 \ + MUL X0, Y1, X4 \ + ADCS T8, T5 \ + ADC ZR, T10 \ + UMULH X0, Y1, X5 \ + \ // xL * yL + mul192x192comba(X0, X1, X2, Y0, Y1, Y2, X3, X4, X5, Y3, Y4, Y5, T6, T7, T8, T9)\ + \ + STP (X3, X4), 0+Z \ + MOVD X5, 16+Z \ 
+ \ + SUBS X3, T0 \ // (xH + xL) * (yH + yL) - xL * yL + SBCS X4, T1 \ + LDP 0+X, (X3, X4) \ + SBCS X5, T2 \ + MOVD 16+X, X5 \ + SBCS Y3, T3 \ + SBCS Y4, T4 \ + SBCS Y5, T5 \ + SBC ZR, T10 \ + \ + ADDS Y3, T0 \ // ((xH + xL) * (yH + yL) - xL * yL) * 2^192 + xL * yL + ADCS Y4, T1 \ + LDP 0+Y, (Y3, Y4) \ + MUL X3, Y3, X0 \ + ADCS Y5, T2 \ + UMULH X3, Y3, Y0 \ + MOVD 16+Y, Y5 \ + MUL X3, Y4, X1 \ + ADCS ZR, T3 \ + UMULH X3, Y4, X2 \ + ADCS ZR, T4 \ + ADCS ZR, T5 \ + ADC ZR, T10 \ + \ // xH * yH, overwrite xLow, yLow + mul192x192comba(X3, X4, X5, Y3, Y4, Y5, X0, X1, X2, Y0, Y1, Y2, T6, T7, T8, T9)\ + \ + SUBS X0, T0 \ // ((xH + xL) * (yH + yL) - xL * yL - xH * yH) + SBCS X1, T1 \ + SBCS X2, T2 \ + SBCS Y0, T3 \ + SBCS Y1, T4 \ + SBCS Y2, T5 \ + SBC ZR, T10 \ + \ + ADDS X0, T3 \ + ADCS X1, T4 \ + ADCS X2, T5 \ + ADCS T10, Y0, T6 \ + ADCS ZR, Y1, T7 \ + ADC ZR, Y2, T8 + + +TEXT ·mulP751(SB), NOSPLIT, $0-24 + MOVD z+0(FP), R2 + MOVD x+8(FP), R0 + MOVD y+16(FP), R1 + + // Load xL in R3-R8, xH in R9-R14 + // (xH + xL) in R3-R8, destroys xH + LDP 0(R0), (R3, R4) + LDP 48(R0), (R9, R10) + ADDS R9, R3 + ADCS R10, R4 + LDP 16(R0), (R5, R6) + LDP 64(R0), (R11, R12) + ADCS R11, R5 + ADCS R12, R6 + LDP 32(R0), (R7, R8) + LDP 80(R0), (R13, R14) + ADCS R13, R7 + ADCS R14, R8 + ADC ZR, ZR, R22 + + // Load yL in R9-R14, yH in R15-21 + // (yH + yL) in R9-R14, destroys yH + LDP 0(R1), (R9, R10) + LDP 48(R1), (R15, R16) + ADDS R15, R9 + ADCS R16, R10 + LDP 16(R1), (R11, R12) + LDP 64(R1), (R17, R19) + ADCS R17, R11 + ADCS R19, R12 + LDP 32(R1), (R13, R14) + LDP 80(R1), (R20, R21) + ADCS R20, R13 + ADCS R21, R14 + ADC ZR, ZR, R23 + + // Compute masks and combined carry + SUB R22, ZR, R24 + SUB R23, ZR, R25 + AND R23, R22 + + // Store xH, yH in z so mul384x384karatsuba can retrieve them from memory + // It doesn't have enough registers + // Meanwhile computed masked(xH + xL) in R15-R21 + STP (R6, R7), 0(R2) + AND R25, R3, R15 + AND R25, R4, R16 + STP (R8, R12), 16(R2) + AND R25, R5, R17 + 
AND R25, R6, R19 + STP (R13, R14), 32(R2) + AND R25, R7, R20 + AND R25, R8, R21 + + // Masked(xH + xL) + masked(yH + yL) in R15-R21 + // Store intermediate values in z + AND R24, R9, R25 + AND R24, R10, R26 + ADDS R25, R15 + ADCS R26, R16 + STP (R15, R16), 96(R2) + AND R24, R11, R25 + AND R24, R12, R26 + ADCS R25, R17 + ADCS R26, R19 + STP (R17, R19), 112(R2) + AND R24, R13, R25 + AND R24, R14, R26 + ADCS R25, R20 + ADCS R26, R21 + STP (R20, R21), 128(R2) + // Store carry in R29 so it can remain there + ADC ZR, R22, R29 + + // (xH + xL) * (yH + yL) + mul384x384karatsuba(0(R2), 24(R2), 48(R2), R3, R4, R5, R6, R7, R8, R9, R10, R11, R12, R13, R14, R15, R16, R17, R19, R20, R21, R22, R23, R24, R25, R26) + + // Load masked(xH + xL) + masked(yH + yL) and add that to its top half + // Store the result back in z + STP (R15, R16), 72(R2) + LDP 96(R2), (R3, R4) + ADDS R3, R19 + STP (R17, R19), 88(R2) + ADCS R4, R20 + LDP 112(R2), (R5, R6) + ADCS R5, R21 + STP (R20, R21), 104(R2) + ADCS R6, R22 + LDP 128(R2), (R7, R8) + ADCS R7, R23 + STP (R22, R23), 120(R2) + ADCS R8, R24 + MOVD R24, 136(R2) + ADC ZR, R29 + + // Load xL, yL + LDP 0(R0), (R3, R4) + LDP 16(R0), (R5, R6) + LDP 32(R0), (R7, R8) + LDP 0(R1), (R9, R10) + LDP 16(R1), (R11, R12) + LDP 32(R1), (R13, R14) + + // xL * yL + mul384x384karatsuba(24(R0), 24(R1), 0(R2), R3, R4, R5, R6, R7, R8, R9, R10, R11, R12, R13, R14, R15, R16, R17, R19, R20, R21, R22, R23, R24, R25, R26) + + // (xH + xL) * (yH + yL) - xL * yL in R3-R14 + LDP 0(R2), (R12, R13) + LDP 48(R2), (R3, R4) + SUBS R12, R3 + LDP 64(R2), (R5, R6) + MOVD 16(R2), R14 + SBCS R13, R4 + SBCS R14, R5 + LDP 80(R2), (R7, R8) + SBCS R15, R6 + SBCS R16, R7 + LDP 96(R2), (R9, R10) + SBCS R17, R8 + SBCS R19, R9 + LDP 112(R2), (R11, R12) + SBCS R20, R10 + SBCS R21, R11 + LDP 128(R2), (R13, R14) + SBCS R22, R12 + SBCS R23, R13 + SBCS R24, R14 + SBC ZR, R29 + + STP (R15, R16), 24(R2) + MOVD R17, 40(R2) + + // ((xH + xL) * (yH + yL) - xL * yL) * 2^384 + xL * yL and store back in 
z + ADDS R19, R3 + ADCS R20, R4 + STP (R3, R4), 48(R2) + ADCS R21, R5 + ADCS R22, R6 + STP (R5, R6), 64(R2) + ADCS R23, R7 + ADCS R24, R8 + STP (R7, R8), 80(R2) + ADCS ZR, R9 + ADCS ZR, R10 + STP (R9, R10), 96(R2) + ADCS ZR, R11 + ADCS ZR, R12 + STP (R11, R12), 112(R2) + ADCS ZR, R13 + ADCS ZR, R14 + STP (R13, R14), 128(R2) + ADC ZR, R29 + + // Load xH, yH + LDP 48(R0), (R3, R4) + LDP 64(R0), (R5, R6) + LDP 80(R0), (R7, R8) + LDP 48(R1), (R9, R10) + LDP 64(R1), (R11, R12) + LDP 80(R1), (R13, R14) + + // xH * yH + mul384x384karatsuba(72(R0), 72(R1), 144(R2), R3, R4, R5, R6, R7, R8, R9, R10, R11, R12, R13, R14, R15, R16, R17, R19, R20, R21, R22, R23, R24, R25, R26) + + LDP 144(R2), (R12, R13) + MOVD 160(R2), R14 + + // (xH + xL) * (yH + yL) - xL * yL - xH * yH in R3-R14 + // Store lower half in z, that's done + LDP 48(R2), (R3, R4) + SUBS R12, R3 + LDP 64(R2), (R5, R6) + SBCS R13, R4 + SBCS R14, R5 + LDP 80(R2), (R7, R8) + SBCS R15, R6 + SBCS R16, R7 + LDP 96(R2), (R9, R10) + SBCS R17, R8 + SBCS R19, R9 + LDP 112(R2), (R11, R12) + SBCS R20, R10 + SBCS R21, R11 + LDP 128(R2), (R13, R14) + SBCS R22, R12 + SBCS R23, R13 + STP (R3, R4), 48(R2) + SBCS R24, R14 + STP (R5, R6), 64(R2) + SBC ZR, R29 + STP (R7, R8), 80(R2) + + // (xH * yH) * 2^768 + ((xH + xL) * (yH + yL) - xL * yL - xH * yH) * 2^384 + xL * yL + // Store remaining limbs in z + LDP 144(R2), (R3, R4) + MOVD 160(R2), R5 + + ADDS R3, R9 + ADCS R4, R10 + STP (R9, R10), 96(R2) + ADCS R5, R11 + ADCS R15, R12 + STP (R11, R12), 112(R2) + ADCS R16, R13 + ADCS R17, R14 + STP (R13, R14), 128(R2) + + ADCS R29, R19 + ADCS ZR, R20 + STP (R19, R20), 144(R2) + ADCS ZR, R21 + ADCS ZR, R22 + STP (R21, R22), 160(R2) + ADCS ZR, R23 + ADC ZR, R24 + STP (R23, R24), 176(R2) + + RET + +TEXT ·rdcP751(SB), NOSPLIT, $0-16 + MOVD z+0(FP), R0 + MOVD x+8(FP), R1 + + // Load p751+1 in R14-R17, R29, R19-R20, spread over arithmetic + LDP ·P751p1+40(SB), (R14, R15) + // z0-z11 will be R2-R13 + // Load x0-x4 to z0-z4 and x5, spread over 
arithmetic + LDP 0(R1), (R2, R3) + + // x5 iteration + MUL R2, R14, R22 + LDP 32(R1), (R6, R21) + UMULH R2, R14, R23 + ADDS R21, R22, R7 // Set z5 + ADC ZR, R23, R25 + + // x6 iteration + MUL R2, R15, R22 + MOVD 48(R1), R21 + UMULH R2, R15, R23 + ADDS R22, R25 + ADC R23, ZR, R26 + + MUL R3, R14, R22 + LDP ·P751p1+56(SB), (R16, R17) + UMULH R3, R14, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, ZR, R24 + + ADDS R21, R25, R8 // Set z6 + ADCS ZR, R26 + ADC ZR, R24 + + // x7 iteration + MUL R2, R16, R22 + MOVD 56(R1), R21 + UMULH R2, R16, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, ZR, R25 + + MUL R3, R15, R22 + LDP 16(R1), (R4, R5) + UMULH R3, R15, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R4, R14, R22 + LDP ·P751p1+72(SB), (R29, R19) + UMULH R4, R14, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + ADDS R21, R26, R9 // Set z7 + ADCS ZR, R24 + ADC ZR, R25 + + // x8 iteration + MUL R2, R17, R22 + MOVD 64(R1), R21 + UMULH R2, R17, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, ZR, R26 + + MUL R3, R16, R22 + MOVD ·P751p1+88(SB), R20 + UMULH R3, R16, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R4, R15, R22 + UMULH R4, R15, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R5, R14, R22 + UMULH R5, R14, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + ADDS R24, R21, R10 // Set z8 + ADCS ZR, R25 + ADC ZR, R26 + + // x9 iteration + MUL R2, R29, R22 + MOVD 72(R1), R21 + UMULH R2, R29, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, ZR, R24 + + MUL R3, R17, R22 + UMULH R3, R17, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R4, R16, R22 + UMULH R4, R16, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R5, R15, R22 + UMULH R5, R15, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R6, R14, R22 + UMULH R6, R14, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + ADDS R21, R25, R11 // Set z9 + ADCS ZR, R26 + ADC ZR, R24 + + // x10 iteration + MUL R2, R19, R22 + MOVD 80(R1), R21 + UMULH R2, R19, R23 + ADDS 
R22, R26 + ADCS R23, R24 + ADC ZR, ZR, R25 + + MUL R3, R29, R22 + UMULH R3, R29, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R4, R17, R22 + UMULH R4, R17, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R5, R16, R22 + UMULH R5, R16, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R6, R15, R22 + UMULH R6, R15, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R7, R14, R22 + UMULH R7, R14, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + ADDS R21, R26, R12 // Set z10 + ADCS ZR, R24 + ADC ZR, R25 + + // x11 iteration + MUL R2, R20, R22 + MOVD 88(R1), R21 + UMULH R2, R20, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, ZR, R26 + + MUL R3, R19, R22 + UMULH R3, R19, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R4, R29, R22 + UMULH R4, R29, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R5, R17, R22 + UMULH R5, R17, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R6, R16, R22 + UMULH R6, R16, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R7, R15, R22 + UMULH R7, R15, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R8, R14, R22 + UMULH R8, R14, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + ADDS R21, R24, R13 // Set z11 + ADCS ZR, R25 + ADC ZR, R26 + + // x12 iteration + MUL R3, R20, R22 + MOVD 96(R1), R21 + UMULH R3, R20, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, ZR, R24 + + MUL R4, R19, R22 + UMULH R4, R19, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R5, R29, R22 + UMULH R5, R29, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R6, R17, R22 + UMULH R6, R17, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R7, R16, R22 + UMULH R7, R16, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R8, R15, R22 + UMULH R8, R15, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R9, R14, R22 + UMULH R9, R14, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + ADDS R21, R25, R2 // Set z0 + ADCS ZR, R26 + ADC ZR, R24 + + // x13 
iteration + MUL R4, R20, R22 + MOVD 104(R1), R21 + UMULH R4, R20, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, ZR, R25 + + MUL R5, R19, R22 + UMULH R5, R19, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R6, R29, R22 + UMULH R6, R29, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R7, R17, R22 + UMULH R7, R17, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R8, R16, R22 + UMULH R8, R16, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R9, R15, R22 + UMULH R9, R15, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R10, R14, R22 + UMULH R10, R14, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + ADDS R21, R26, R3 // Set z1 + STP (R2, R3), 0(R0) + ADCS ZR, R24 + ADC ZR, R25 + + // x14 iteration + MUL R5, R20, R22 + MOVD 112(R1), R21 + UMULH R5, R20, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, ZR, R26 + + MUL R6, R19, R22 + UMULH R6, R19, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R7, R29, R22 + UMULH R7, R29, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R8, R17, R22 + UMULH R8, R17, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R9, R16, R22 + UMULH R9, R16, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R10, R15, R22 + UMULH R10, R15, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R11, R14, R22 + UMULH R11, R14, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + ADDS R21, R24, R4 // Set z2 + ADCS ZR, R25 + ADC ZR, R26 + + // x15 iteration + MUL R6, R20, R22 + MOVD 120(R1), R21 + UMULH R6, R20, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, ZR, R24 + + MUL R7, R19, R22 + UMULH R7, R19, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R8, R29, R22 + UMULH R8, R29, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R9, R17, R22 + UMULH R9, R17, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R10, R16, R22 + UMULH R10, R16, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R11, R15, R22 + UMULH R11, R15, R23 + ADDS R22, 
R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R12, R14, R22 + UMULH R12, R14, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + ADDS R21, R25, R5 // Set z3 + STP (R4, R5), 16(R0) + ADCS ZR, R26 + ADC ZR, R24 + + // x16 iteration + MUL R7, R20, R22 + MOVD 128(R1), R21 + UMULH R7, R20, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, ZR, R25 + + MUL R8, R19, R22 + UMULH R8, R19, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R9, R29, R22 + UMULH R9, R29, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R10, R17, R22 + UMULH R10, R17, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R11, R16, R22 + UMULH R11, R16, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R12, R15, R22 + UMULH R12, R15, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R13, R14, R22 + UMULH R13, R14, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + ADDS R21, R26, R6 // Set z4 + ADCS ZR, R24 + ADC ZR, R25 + + // x17 iteration + MUL R8, R20, R22 + MOVD 136(R1), R21 + UMULH R8, R20, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, ZR, R26 + + MUL R9, R19, R22 + UMULH R9, R19, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R10, R29, R22 + UMULH R10, R29, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R11, R17, R22 + UMULH R11, R17, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R12, R16, R22 + UMULH R12, R16, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R13, R15, R22 + UMULH R13, R15, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + ADDS R21, R24, R7 // Set z5 + STP (R6, R7), 32(R0) + ADCS ZR, R25 + ADC ZR, R26 + + // x18 iteration + MUL R9, R20, R22 + MOVD 144(R1), R21 + UMULH R9, R20, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, ZR, R24 + + MUL R10, R19, R22 + UMULH R10, R19, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R11, R29, R22 + UMULH R11, R29, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + MUL R12, R17, R22 + UMULH R12, R17, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 
+ + MUL R13, R16, R22 + UMULH R13, R16, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + ADDS R21, R25, R8 // Set z6 + ADCS ZR, R26 + ADC ZR, R24 + + // x19 iteration + MUL R10, R20, R22 + MOVD 152(R1), R21 + UMULH R10, R20, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, ZR, R25 + + MUL R11, R19, R22 + UMULH R11, R19, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R12, R29, R22 + UMULH R12, R29, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + MUL R13, R17, R22 + UMULH R13, R17, R23 + ADDS R22, R26 + ADCS R23, R24 + ADC ZR, R25 + + ADDS R21, R26, R9 // Set z7 + STP (R8, R9), 48(R0) + ADCS ZR, R24 + ADC ZR, R25 + + // x20 iteration + MUL R11, R20, R22 + MOVD 160(R1), R21 + UMULH R11, R20, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, ZR, R26 + + MUL R12, R19, R22 + UMULH R12, R19, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + MUL R13, R29, R22 + UMULH R13, R29, R23 + ADDS R22, R24 + ADCS R23, R25 + ADC ZR, R26 + + ADDS R21, R24, R10 // Set z8 + ADCS ZR, R25 + ADC ZR, R26 + + // x21 iteration + MUL R12, R20, R22 + MOVD 168(R1), R21 + UMULH R12, R20, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, ZR, R24 + + MUL R13, R19, R22 + UMULH R13, R19, R23 + ADDS R22, R25 + ADCS R23, R26 + ADC ZR, R24 + + ADDS R21, R25, R11 // Set z9 + STP (R10, R11), 64(R0) + ADCS ZR, R26 + ADC ZR, R24 + + // x22 iteration + MUL R13, R20, R22 + MOVD 176(R1), R21 + UMULH R13, R20, R23 + ADDS R22, R26 + ADC R23, R24 + ADDS R21, R26, R12 // Set z10 + + MOVD 184(R1), R21 + ADC R21, R24, R13 // Set z11 + STP (R12, R13), 80(R0) + + RET + +TEXT ·modP751(SB), NOSPLIT, $0-8 + MOVD x+0(FP), R0 + + // Keep x in R1-R12, p751 in R13-R21, subtract to R1-R12 + MOVD ·P751+0(SB), R13 + LDP 0(R0), (R1, R2) + LDP 16(R0), (R3, R4) + SUBS R13, R1 + SBCS R13, R2 + + LDP 32(R0), (R5, R6) + LDP ·P751+40(SB), (R14, R15) + SBCS R13, R3 + SBCS R13, R4 + + LDP 48(R0), (R7, R8) + LDP ·P751+56(SB), (R16, R17) + SBCS R13, R5 + SBCS R14, R6 + + LDP 64(R0), (R9, R10) + LDP ·P751+72(SB), (R19, R20) 
+ SBCS R15, R7 + SBCS R16, R8 + + LDP 80(R0), (R11, R12) + MOVD ·P751+88(SB), R21 + SBCS R17, R9 + SBCS R19, R10 + + SBCS R20, R11 + SBCS R21, R12 + SBC ZR, ZR, R22 + + // Mask with the borrow and add p751 + AND R22, R13 + AND R22, R14 + AND R22, R15 + AND R22, R16 + AND R22, R17 + AND R22, R19 + AND R22, R20 + AND R22, R21 + + ADDS R13, R1 + ADCS R13, R2 + STP (R1, R2), 0(R0) + ADCS R13, R3 + ADCS R13, R4 + STP (R3, R4), 16(R0) + ADCS R13, R5 + ADCS R14, R6 + STP (R5, R6), 32(R0) + ADCS R15, R7 + ADCS R16, R8 + STP (R7, R8), 48(R0) + ADCS R17, R9 + ADCS R19, R10 + STP (R9, R10), 64(R0) + ADCS R20, R11 + ADC R21, R12 + STP (R11, R12), 80(R0) + + RET diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_decl.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_decl.go new file mode 100644 index 00000000..c3af55a7 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_decl.go 
@@ -0,0 +1,45 @@ +// Code generated by go generate; DO NOT EDIT. +// This file was generated by robots. + +// +build amd64,!noasm arm64,!noasm + +package p751 + +import ( + . "github.com/cloudflare/circl/dh/sidh/internal/common" +) + +// If choice = 0, leave x,y unchanged. If choice = 1, set x,y = y,x. +// If choice is neither 0 nor 1 then behaviour is undefined. +// This function executes in constant time. +//go:noescape +func cswapP751(x, y *Fp, choice uint8) + +// Compute z = x + y (mod p). +//go:noescape +func addP751(z, x, y *Fp) + +// Compute z = x - y (mod p). +//go:noescape +func subP751(z, x, y *Fp) + +// Compute z = x + y, without reducing mod p. +//go:noescape +func adlP751(z, x, y *FpX2) + +// Compute z = x - y, without reducing mod p. +//go:noescape +func sulP751(z, x, y *FpX2) + +// Reduce a field element in [0, 2*p) to one in [0,p). +//go:noescape +func modP751(x *Fp) + +// Computes z = x * y. +//go:noescape +func mulP751(z *FpX2, x, y *Fp) + +// Computes the Montgomery reduction z = x R^{-1} (mod 2*p). On return value +// of x may be changed. z=x not allowed. +//go:noescape +func rdcP751(z *Fp, x *FpX2) diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_generic.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_generic.go new file mode 100644 index 00000000..fff30d93 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/arith_generic.go 
@@ -0,0 +1,192 @@ +// Code generated by go generate; DO NOT EDIT. +// This file was generated by robots. + +// +build noasm !amd64,!arm64 + +package p751 + +import ( + "math/bits" + + "github.com/cloudflare/circl/dh/sidh/internal/common" +) + +// Compute z = x + y (mod p). +func addP751(z, x, y *common.Fp) { + var carry uint64 + + // z=x+y % P751 + for i := 0; i < FpWords; i++ { + z[i], carry = bits.Add64(x[i], y[i], carry) + } + + // z = z - P751x2 + carry = 0 + for i := 0; i < FpWords; i++ { + z[i], carry = bits.Sub64(z[i], P751x2[i], carry) + } + + // if z<0 add P751x2 back + mask := uint64(0 - carry) + carry = 0 + for i := 0; i < FpWords; i++ { + z[i], carry = bits.Add64(z[i], P751x2[i]&mask, carry) + } +} + +// Compute z = x - y (mod p). +func subP751(z, x, y *common.Fp) { + var borrow uint64 + + for i := 0; i < FpWords; i++ { + z[i], borrow = bits.Sub64(x[i], y[i], borrow) + } + + mask := uint64(0 - borrow) + borrow = 0 + + for i := 0; i < FpWords; i++ { + z[i], borrow = bits.Add64(z[i], P751x2[i]&mask, borrow) + } +} + +// Conditionally swaps bits in x and y in constant time. +// mask indicates bits to be swapped (set bits are swapped) +// For details see "Hackers Delight, 2.20" +// +// Implementation doesn't actually depend on a prime field. +func cswapP751(x, y *common.Fp, mask uint8) { + var tmp, mask64 uint64 + + mask64 = 0 - uint64(mask) + for i := 0; i < FpWords; i++ { + tmp = mask64 & (x[i] ^ y[i]) + x[i] = tmp ^ x[i] + y[i] = tmp ^ y[i] + } +} + +// Perform Montgomery reduction: set z = x R^{-1} (mod 2*p) +// with R=2^(FpWords*64). Destroys the input value. 
+func rdcP751(z *common.Fp, x *common.FpX2) { + var carry, t, u, v uint64 + var hi, lo uint64 + var count int + + count = P751p1Zeros + + for i := 0; i < FpWords; i++ { + for j := 0; j < i; j++ { + if j < (i - count + 1) { + hi, lo = bits.Mul64(z[j], P751p1[i-j]) + v, carry = bits.Add64(lo, v, 0) + u, carry = bits.Add64(hi, u, carry) + t += carry + } + } + v, carry = bits.Add64(v, x[i], 0) + u, carry = bits.Add64(u, 0, carry) + t += carry + + z[i] = v + v = u + u = t + t = 0 + } + + for i := FpWords; i < 2*FpWords-1; i++ { + if count > 0 { + count-- + } + for j := i - FpWords + 1; j < FpWords; j++ { + if j < (FpWords - count) { + hi, lo = bits.Mul64(z[j], P751p1[i-j]) + v, carry = bits.Add64(lo, v, 0) + u, carry = bits.Add64(hi, u, carry) + t += carry + } + } + v, carry = bits.Add64(v, x[i], 0) + u, carry = bits.Add64(u, 0, carry) + + t += carry + z[i-FpWords] = v + v = u + u = t + t = 0 + } + v, carry = bits.Add64(v, x[2*FpWords-1], 0) + z[FpWords-1] = v +} + +// Compute z = x * y. +func mulP751(z *common.FpX2, x, y *common.Fp) { + var u, v, t uint64 + var hi, lo uint64 + var carry uint64 + + for i := uint64(0); i < FpWords; i++ { + for j := uint64(0); j <= i; j++ { + hi, lo = bits.Mul64(x[j], y[i-j]) + v, carry = bits.Add64(lo, v, 0) + u, carry = bits.Add64(hi, u, carry) + t += carry + } + z[i] = v + v = u + u = t + t = 0 + } + + for i := FpWords; i < (2*FpWords)-1; i++ { + for j := i - FpWords + 1; j < FpWords; j++ { + hi, lo = bits.Mul64(x[j], y[i-j]) + v, carry = bits.Add64(lo, v, 0) + u, carry = bits.Add64(hi, u, carry) + t += carry + } + z[i] = v + v = u + u = t + t = 0 + } + z[2*FpWords-1] = v +} + +// Compute z = x + y, without reducing mod p. +func adlP751(z, x, y *common.FpX2) { + var carry uint64 + for i := 0; i < 2*FpWords; i++ { + z[i], carry = bits.Add64(x[i], y[i], carry) + } +} + +// Reduce a field element in [0, 2*p) to one in [0,p). 
+func modP751(x *common.Fp) { + var borrow, mask uint64 + for i := 0; i < FpWords; i++ { + x[i], borrow = bits.Sub64(x[i], P751[i], borrow) + } + + // Sets all bits if borrow = 1 + mask = 0 - borrow + borrow = 0 + for i := 0; i < FpWords; i++ { + x[i], borrow = bits.Add64(x[i], P751[i]&mask, borrow) + } +} + +// Compute z = x - y, without reducing mod p. +func sulP751(z, x, y *common.FpX2) { + var borrow, mask uint64 + for i := 0; i < 2*FpWords; i++ { + z[i], borrow = bits.Sub64(x[i], y[i], borrow) + } + + // Sets all bits if borrow = 1 + mask = 0 - borrow + borrow = 0 + for i := FpWords; i < 2*FpWords; i++ { + z[i], borrow = bits.Add64(z[i], P751[i-FpWords]&mask, borrow) + } +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/core.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/core.go new file mode 100644 index 00000000..b4596f6e --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/core.go 
@@ -0,0 +1,294 @@ +// Code generated by go generate; DO NOT EDIT. +// This file was generated by robots. + +package p751 + +import ( + . "github.com/cloudflare/circl/dh/sidh/internal/common" +) + +// ----------------------------------------------------------------------------- +// Functions for traversing isogeny trees acoording to strategy. Key type 'A' is +// + +// Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed +// for public key generation. +func traverseTreePublicKeyA(curve *ProjectiveCurveParameters, xR, phiP, phiQ, phiR *ProjectivePoint) { + var points = make([]ProjectivePoint, 0, 8) + var indices = make([]int, 0, 8) + var i, sIdx int + var phi isogeny4 + + cparam := CalcCurveParamsEquiv4(curve) + strat := params.A.IsogenyStrategy + stratSz := len(strat) + + for j := 1; j <= stratSz; j++ { + for i <= stratSz-j { + points = append(points, *xR) + indices = append(indices, i) + + k := strat[sIdx] + sIdx++ + Pow2k(xR, &cparam, 2*k) + i += int(k) + } + cparam = phi.GenerateCurve(xR) + + for k := 0; k < len(points); k++ { + points[k] = phi.EvaluatePoint(&points[k]) + } + *phiP = phi.EvaluatePoint(phiP) + *phiQ = phi.EvaluatePoint(phiQ) + *phiR = phi.EvaluatePoint(phiR) + + // pop xR from points + *xR, points = points[len(points)-1], points[:len(points)-1] + i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1] + } +} + +// Traverses isogeny tree in order to compute xR needed +// for public key generation. 
+func traverseTreeSharedKeyA(curve *ProjectiveCurveParameters, xR *ProjectivePoint) { + var points = make([]ProjectivePoint, 0, 8) + var indices = make([]int, 0, 8) + var i, sIdx int + var phi isogeny4 + + cparam := CalcCurveParamsEquiv4(curve) + strat := params.A.IsogenyStrategy + stratSz := len(strat) + + for j := 1; j <= stratSz; j++ { + for i <= stratSz-j { + points = append(points, *xR) + indices = append(indices, i) + + k := strat[sIdx] + sIdx++ + Pow2k(xR, &cparam, 2*k) + i += int(k) + } + cparam = phi.GenerateCurve(xR) + + for k := 0; k < len(points); k++ { + points[k] = phi.EvaluatePoint(&points[k]) + } + + // pop xR from points + *xR, points = points[len(points)-1], points[:len(points)-1] + i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1] + } +} + +// Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed +// for public key generation. +func traverseTreePublicKeyB(curve *ProjectiveCurveParameters, xR, phiP, phiQ, phiR *ProjectivePoint) { + var points = make([]ProjectivePoint, 0, 8) + var indices = make([]int, 0, 8) + var i, sIdx int + var phi isogeny3 + + cparam := CalcCurveParamsEquiv3(curve) + strat := params.B.IsogenyStrategy + stratSz := len(strat) + + for j := 1; j <= stratSz; j++ { + for i <= stratSz-j { + points = append(points, *xR) + indices = append(indices, i) + + k := strat[sIdx] + sIdx++ + Pow3k(xR, &cparam, k) + i += int(k) + } + + cparam = phi.GenerateCurve(xR) + for k := 0; k < len(points); k++ { + points[k] = phi.EvaluatePoint(&points[k]) + } + + *phiP = phi.EvaluatePoint(phiP) + *phiQ = phi.EvaluatePoint(phiQ) + *phiR = phi.EvaluatePoint(phiR) + + // pop xR from points + *xR, points = points[len(points)-1], points[:len(points)-1] + i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1] + } +} + +// Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed +// for public key generation. 
+func traverseTreeSharedKeyB(curve *ProjectiveCurveParameters, xR *ProjectivePoint) { + var points = make([]ProjectivePoint, 0, 8) + var indices = make([]int, 0, 8) + var i, sIdx int + var phi isogeny3 + + cparam := CalcCurveParamsEquiv3(curve) + strat := params.B.IsogenyStrategy + stratSz := len(strat) + + for j := 1; j <= stratSz; j++ { + for i <= stratSz-j { + points = append(points, *xR) + indices = append(indices, i) + + k := strat[sIdx] + sIdx++ + Pow3k(xR, &cparam, k) + i += int(k) + } + + cparam = phi.GenerateCurve(xR) + for k := 0; k < len(points); k++ { + points[k] = phi.EvaluatePoint(&points[k]) + } + + // pop xR from points + *xR, points = points[len(points)-1], points[:len(points)-1] + i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1] + } +} + +// Generate a public key in the 2-torsion group. Public key is a set +// of three x-coordinates: xP,xQ,x(P-Q), where P,Q are points on E_a(Fp2) +func PublicKeyGenA(pub3Pt *[3]Fp2, prvBytes []byte) { + var xPA, xQA, xRA ProjectivePoint + var xPB, xQB, xRB, xR ProjectivePoint + var invZP, invZQ, invZR Fp2 + var tmp ProjectiveCurveParameters + var phi isogeny4 + + // Load points for A + xPA = ProjectivePoint{X: params.A.AffineP, Z: params.OneFp2} + xQA = ProjectivePoint{X: params.A.AffineQ, Z: params.OneFp2} + xRA = ProjectivePoint{X: params.A.AffineR, Z: params.OneFp2} + + // Load points for B + xRB = ProjectivePoint{X: params.B.AffineR, Z: params.OneFp2} + xQB = ProjectivePoint{X: params.B.AffineQ, Z: params.OneFp2} + xPB = ProjectivePoint{X: params.B.AffineP, Z: params.OneFp2} + + // Find isogeny kernel + tmp.C = params.OneFp2 + xR = ScalarMul3Pt(&tmp, &xPA, &xQA, &xRA, params.A.SecretBitLen, prvBytes) + + // Reset params object and travers isogeny tree + tmp.C = params.OneFp2 + tmp.A = Fp2{} + traverseTreePublicKeyA(&tmp, &xR, &xPB, &xQB, &xRB) + + // Secret isogeny + phi.GenerateCurve(&xR) + xPA = phi.EvaluatePoint(&xPB) + xQA = phi.EvaluatePoint(&xQB) + xRA = phi.EvaluatePoint(&xRB) + 
Fp2Batch3Inv(&xPA.Z, &xQA.Z, &xRA.Z, &invZP, &invZQ, &invZR) + + mul(&pub3Pt[0], &xPA.X, &invZP) + mul(&pub3Pt[1], &xQA.X, &invZQ) + mul(&pub3Pt[2], &xRA.X, &invZR) +} + +// Generate a public key in the 2-torsion group. Public key is a set +// of three x-coordinates: xP,xQ,x(P-Q), where P,Q are points on E_a(Fp2) +func PublicKeyGenB(pub3Pt *[3]Fp2, prvBytes []byte) { + var xPB, xQB, xRB, xR ProjectivePoint + var xPA, xQA, xRA ProjectivePoint + var invZP, invZQ, invZR Fp2 + var tmp ProjectiveCurveParameters + var phi isogeny3 + + // Load points for B + xRB = ProjectivePoint{X: params.B.AffineR, Z: params.OneFp2} + xQB = ProjectivePoint{X: params.B.AffineQ, Z: params.OneFp2} + xPB = ProjectivePoint{X: params.B.AffineP, Z: params.OneFp2} + + // Load points for A + xPA = ProjectivePoint{X: params.A.AffineP, Z: params.OneFp2} + xQA = ProjectivePoint{X: params.A.AffineQ, Z: params.OneFp2} + xRA = ProjectivePoint{X: params.A.AffineR, Z: params.OneFp2} + + tmp.C = params.OneFp2 + xR = ScalarMul3Pt(&tmp, &xPB, &xQB, &xRB, params.B.SecretBitLen, prvBytes) + + tmp.C = params.OneFp2 + tmp.A = Fp2{} + traverseTreePublicKeyB(&tmp, &xR, &xPA, &xQA, &xRA) + + phi.GenerateCurve(&xR) + xPB = phi.EvaluatePoint(&xPA) + xQB = phi.EvaluatePoint(&xQA) + xRB = phi.EvaluatePoint(&xRA) + Fp2Batch3Inv(&xPB.Z, &xQB.Z, &xRB.Z, &invZP, &invZQ, &invZR) + + mul(&pub3Pt[0], &xPB.X, &invZP) + mul(&pub3Pt[1], &xQB.X, &invZQ) + mul(&pub3Pt[2], &xRB.X, &invZR) +} + +// ----------------------------------------------------------------------------- +// Key agreement functions +// + +// Establishing shared keys in in 2-torsion group +func DeriveSecretA(ss, prv []byte, pub3Pt *[3]Fp2) { + var cparam ProjectiveCurveParameters + var xP, xQ, xQmP ProjectivePoint + var xR ProjectivePoint + var phi isogeny4 + var jInv Fp2 + + // Recover curve coefficients + cparam.C = params.OneFp2 + RecoverCoordinateA(&cparam, &pub3Pt[0], &pub3Pt[1], &pub3Pt[2]) + + // Find kernel of the morphism + xP = ProjectivePoint{X: 
pub3Pt[0], Z: params.OneFp2} + xQ = ProjectivePoint{X: pub3Pt[1], Z: params.OneFp2} + xQmP = ProjectivePoint{X: pub3Pt[2], Z: params.OneFp2} + xR = ScalarMul3Pt(&cparam, &xP, &xQ, &xQmP, params.A.SecretBitLen, prv) + + // Traverse isogeny tree + traverseTreeSharedKeyA(&cparam, &xR) + + // Calculate j-invariant on isogeneus curve + c := phi.GenerateCurve(&xR) + RecoverCurveCoefficients4(&cparam, &c) + Jinvariant(&cparam, &jInv) + FromMontgomery(&jInv, &jInv) + Fp2ToBytes(ss, &jInv, params.Bytelen) +} + +// Establishing shared keys in in 3-torsion group +func DeriveSecretB(ss, prv []byte, pub3Pt *[3]Fp2) { + var xP, xQ, xQmP ProjectivePoint + var xR ProjectivePoint + var cparam ProjectiveCurveParameters + var phi isogeny3 + var jInv Fp2 + + // Recover curve coefficients + cparam.C = params.OneFp2 + RecoverCoordinateA(&cparam, &pub3Pt[0], &pub3Pt[1], &pub3Pt[2]) + + // Find kernel of the morphism + xP = ProjectivePoint{X: pub3Pt[0], Z: params.OneFp2} + xQ = ProjectivePoint{X: pub3Pt[1], Z: params.OneFp2} + xQmP = ProjectivePoint{X: pub3Pt[2], Z: params.OneFp2} + xR = ScalarMul3Pt(&cparam, &xP, &xQ, &xQmP, params.B.SecretBitLen, prv) + + // Traverse isogeny tree + traverseTreeSharedKeyB(&cparam, &xR) + + // Calculate j-invariant on isogeneus curve + c := phi.GenerateCurve(&xR) + RecoverCurveCoefficients3(&cparam, &c) + Jinvariant(&cparam, &jInv) + FromMontgomery(&jInv, &jInv) + Fp2ToBytes(ss, &jInv, params.Bytelen) +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/curve.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/curve.go new file mode 100644 index 00000000..7ae83ee8 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/curve.go 
@@ -0,0 +1,362 @@ +// Code generated by go generate; DO NOT EDIT. +// This file was generated by robots. + +package p751 + +import ( + . "github.com/cloudflare/circl/dh/sidh/internal/common" +) + +// Stores isogeny 3 curve constants +type isogeny3 struct { + K1 Fp2 + K2 Fp2 +} + +// Stores isogeny 4 curve constants +type isogeny4 struct { + isogeny3 + K3 Fp2 +} + +// Computes j-invariant for a curve y2=x3+A/Cx+x with A,C in F_(p^2). Result +// is returned in jBytes buffer, encoded in little-endian format. Caller +// provided jBytes buffer has to be big enough to j-invariant value. In case +// of SIDH, buffer size must be at least size of shared secret. +// Implementation corresponds to Algorithm 9 from SIKE. +func Jinvariant(cparams *ProjectiveCurveParameters, j *Fp2) { + var t0, t1 Fp2 + + sqr(j, &cparams.A) // j = A^2 + sqr(&t1, &cparams.C) // t1 = C^2 + add(&t0, &t1, &t1) // t0 = t1 + t1 + sub(&t0, j, &t0) // t0 = j - t0 + sub(&t0, &t0, &t1) // t0 = t0 - t1 + sub(j, &t0, &t1) // t0 = t0 - t1 + sqr(&t1, &t1) // t1 = t1^2 + mul(j, j, &t1) // j = j * t1 + add(&t0, &t0, &t0) // t0 = t0 + t0 + add(&t0, &t0, &t0) // t0 = t0 + t0 + sqr(&t1, &t0) // t1 = t0^2 + mul(&t0, &t0, &t1) // t0 = t0 * t1 + add(&t0, &t0, &t0) // t0 = t0 + t0 + add(&t0, &t0, &t0) // t0 = t0 + t0 + inv(j, j) // j = 1/j + mul(j, &t0, j) // j = t0 * j +} + +// Given affine points x(P), x(Q) and x(Q-P) in a extension field F_{p^2}, function +// recorvers projective coordinate A of a curve. This is Algorithm 10 from SIKE. 
+func RecoverCoordinateA(curve *ProjectiveCurveParameters, xp, xq, xr *Fp2) { + var t0, t1 Fp2 + + add(&t1, xp, xq) // t1 = Xp + Xq + mul(&t0, xp, xq) // t0 = Xp * Xq + mul(&curve.A, xr, &t1) // A = X(q-p) * t1 + add(&curve.A, &curve.A, &t0) // A = A + t0 + mul(&t0, &t0, xr) // t0 = t0 * X(q-p) + sub(&curve.A, &curve.A, ¶ms.OneFp2) // A = A - 1 + add(&t0, &t0, &t0) // t0 = t0 + t0 + add(&t1, &t1, xr) // t1 = t1 + X(q-p) + add(&t0, &t0, &t0) // t0 = t0 + t0 + sqr(&curve.A, &curve.A) // A = A^2 + inv(&t0, &t0) // t0 = 1/t0 + mul(&curve.A, &curve.A, &t0) // A = A * t0 + sub(&curve.A, &curve.A, &t1) // A = A - t1 +} + +// Computes equivalence (A:C) ~ (A+2C : A-2C) +func CalcCurveParamsEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv { + var coef CurveCoefficientsEquiv + var c2 Fp2 + + add(&c2, &cparams.C, &cparams.C) + // A24p = A+2*C + add(&coef.A, &cparams.A, &c2) + // A24m = A-2*C + sub(&coef.C, &cparams.A, &c2) + return coef +} + +// Computes equivalence (A:C) ~ (A+2C : 4C) +func CalcCurveParamsEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv { + var coefEq CurveCoefficientsEquiv + + add(&coefEq.C, &cparams.C, &cparams.C) + // A24p = A+2C + add(&coefEq.A, &cparams.A, &coefEq.C) + // C24 = 4*C + add(&coefEq.C, &coefEq.C, &coefEq.C) + return coefEq +} + +// Helper function for RightToLeftLadder(). Returns A+2C / 4. +func CalcAplus2Over4(cparams *ProjectiveCurveParameters) (ret Fp2) { + var tmp Fp2 + + // 2C + add(&tmp, &cparams.C, &cparams.C) + // A+2C + add(&ret, &cparams.A, &tmp) + // 1/4C + add(&tmp, &tmp, &tmp) + inv(&tmp, &tmp) + // A+2C/4C + mul(&ret, &ret, &tmp) + return +} + +// Recovers (A:C) curve parameters from projectively equivalent (A+2C:A-2C). 
+func RecoverCurveCoefficients3(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) { + add(&cparams.A, &coefEq.A, &coefEq.C) + // cparams.A = 2*(A+2C+A-2C) = 4A + add(&cparams.A, &cparams.A, &cparams.A) + // cparams.C = (A+2C-A+2C) = 4C + sub(&cparams.C, &coefEq.A, &coefEq.C) + return +} + +// Recovers (A:C) curve parameters from projectively equivalent (A+2C:4C). +func RecoverCurveCoefficients4(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) { + // cparams.C = (4C)*1/2=2C + mul(&cparams.C, &coefEq.C, ¶ms.HalfFp2) + // cparams.A = A+2C - 2C = A + sub(&cparams.A, &coefEq.A, &cparams.C) + // cparams.C = 2C * 1/2 = C + mul(&cparams.C, &cparams.C, ¶ms.HalfFp2) +} + +// Combined coordinate doubling and differential addition. Takes projective points +// P,Q,Q-P and (A+2C)/4C curve E coefficient. Returns 2*P and P+Q calculated on E. +// Function is used only by RightToLeftLadder. Corresponds to Algorithm 5 of SIKE +func xDbladd(P, Q, QmP *ProjectivePoint, a24 *Fp2) (dblP, PaQ ProjectivePoint) { + var t0, t1, t2 Fp2 + + xQmP, zQmP := &QmP.X, &QmP.Z + xPaQ, zPaQ := &PaQ.X, &PaQ.Z + x2P, z2P := &dblP.X, &dblP.Z + xP, zP := &P.X, &P.Z + xQ, zQ := &Q.X, &Q.Z + + add(&t0, xP, zP) // t0 = Xp+Zp + sub(&t1, xP, zP) // t1 = Xp-Zp + sqr(x2P, &t0) // 2P.X = t0^2 + sub(&t2, xQ, zQ) // t2 = Xq-Zq + add(xPaQ, xQ, zQ) // Xp+q = Xq+Zq + mul(&t0, &t0, &t2) // t0 = t0 * t2 + mul(z2P, &t1, &t1) // 2P.Z = t1 * t1 + mul(&t1, &t1, xPaQ) // t1 = t1 * Xp+q + sub(&t2, x2P, z2P) // t2 = 2P.X - 2P.Z + mul(x2P, x2P, z2P) // 2P.X = 2P.X * 2P.Z + mul(xPaQ, a24, &t2) // Xp+q = A24 * t2 + sub(zPaQ, &t0, &t1) // Zp+q = t0 - t1 + add(z2P, xPaQ, z2P) // 2P.Z = Xp+q + 2P.Z + add(xPaQ, &t0, &t1) // Xp+q = t0 + t1 + mul(z2P, z2P, &t2) // 2P.Z = 2P.Z * t2 + sqr(zPaQ, zPaQ) // Zp+q = Zp+q ^ 2 + sqr(xPaQ, xPaQ) // Xp+q = Xp+q ^ 2 + mul(zPaQ, xQmP, zPaQ) // Zp+q = Xq-p * Zp+q + mul(xPaQ, zQmP, xPaQ) // Xp+q = Zq-p * Xp+q + return +} + +// Given the curve parameters, xP = x(P), 
computes xP = x([2^k]P) +// Safe to overlap xP, x2P. +func Pow2k(xP *ProjectivePoint, params *CurveCoefficientsEquiv, k uint32) { + var t0, t1 Fp2 + + x, z := &xP.X, &xP.Z + for i := uint32(0); i < k; i++ { + sub(&t0, x, z) // t0 = Xp - Zp + add(&t1, x, z) // t1 = Xp + Zp + sqr(&t0, &t0) // t0 = t0 ^ 2 + sqr(&t1, &t1) // t1 = t1 ^ 2 + mul(z, ¶ms.C, &t0) // Z2p = C24 * t0 + mul(x, z, &t1) // X2p = Z2p * t1 + sub(&t1, &t1, &t0) // t1 = t1 - t0 + mul(&t0, ¶ms.A, &t1) // t0 = A24+ * t1 + add(z, z, &t0) // Z2p = Z2p + t0 + mul(z, z, &t1) // Zp = Z2p * t1 + } +} + +// Given the curve parameters, xP = x(P), and k >= 0, compute xP = x([3^k]P). +// +// Safe to overlap xP, xR. +func Pow3k(xP *ProjectivePoint, params *CurveCoefficientsEquiv, k uint32) { + var t0, t1, t2, t3, t4, t5, t6 Fp2 + + x, z := &xP.X, &xP.Z + for i := uint32(0); i < k; i++ { + sub(&t0, x, z) // t0 = Xp - Zp + sqr(&t2, &t0) // t2 = t0^2 + add(&t1, x, z) // t1 = Xp + Zp + sqr(&t3, &t1) // t3 = t1^2 + add(&t4, &t1, &t0) // t4 = t1 + t0 + sub(&t0, &t1, &t0) // t0 = t1 - t0 + sqr(&t1, &t4) // t1 = t4^2 + sub(&t1, &t1, &t3) // t1 = t1 - t3 + sub(&t1, &t1, &t2) // t1 = t1 - t2 + mul(&t5, &t3, ¶ms.A) // t5 = t3 * A24+ + mul(&t3, &t3, &t5) // t3 = t5 * t3 + mul(&t6, &t2, ¶ms.C) // t6 = t2 * A24- + mul(&t2, &t2, &t6) // t2 = t2 * t6 + sub(&t3, &t2, &t3) // t3 = t2 - t3 + sub(&t2, &t5, &t6) // t2 = t5 - t6 + mul(&t1, &t2, &t1) // t1 = t2 * t1 + add(&t2, &t3, &t1) // t2 = t3 + t1 + sqr(&t2, &t2) // t2 = t2^2 + mul(x, &t2, &t4) // X3p = t2 * t4 + sub(&t1, &t3, &t1) // t1 = t3 - t1 + sqr(&t1, &t1) // t1 = t1^2 + mul(z, &t1, &t0) // Z3p = t1 * t0 + } +} + +// Set (y1, y2, y3) = (1/x1, 1/x2, 1/x3). +// +// All xi, yi must be distinct. 
+func Fp2Batch3Inv(x1, x2, x3, y1, y2, y3 *Fp2) { + var x1x2, t Fp2 + + mul(&x1x2, x1, x2) // x1*x2 + mul(&t, &x1x2, x3) // 1/(x1*x2*x3) + inv(&t, &t) + mul(y1, &t, x2) // 1/x1 + mul(y1, y1, x3) + mul(y2, &t, x1) // 1/x2 + mul(y2, y2, x3) + mul(y3, &t, &x1x2) // 1/x3 +} + +// Scalarmul3Pt is a right-to-left point multiplication that given the +// x-coordinate of P, Q and P-Q calculates the x-coordinate of R=Q+[scalar]P. +// nbits must be smaller or equal to len(scalar). +func ScalarMul3Pt(cparams *ProjectiveCurveParameters, P, Q, PmQ *ProjectivePoint, nbits uint, scalar []uint8) ProjectivePoint { + var R0, R2, R1 ProjectivePoint + aPlus2Over4 := CalcAplus2Over4(cparams) + R1 = *P + R2 = *PmQ + R0 = *Q + + // Iterate over the bits of the scalar, bottom to top + prevBit := uint8(0) + for i := uint(0); i < nbits; i++ { + bit := (scalar[i>>3] >> (i & 7) & 1) + swap := prevBit ^ bit + prevBit = bit + cswap(&R1.X, &R1.Z, &R2.X, &R2.Z, swap) + R0, R2 = xDbladd(&R0, &R2, &R1, &aPlus2Over4) + } + cswap(&R1.X, &R1.Z, &R2.X, &R2.Z, prevBit) + return R1 +} + +// Given a three-torsion point p = x(PB) on the curve E_(A:C), construct the +// three-isogeny phi : E_(A:C) -> E_(A:C)/ = E_(A':C'). 
+// +// Input: (XP_3: ZP_3), where P_3 has exact order 3 on E_A/C +// Output: * Curve coordinates (A' + 2C', A' - 2C') corresponding to E_A'/C' = A_E/C/ +// * Isogeny phi with constants in F_p^2 +func (phi *isogeny3) GenerateCurve(p *ProjectivePoint) CurveCoefficientsEquiv { + var t0, t1, t2, t3, t4 Fp2 + var coefEq CurveCoefficientsEquiv + var K1, K2 = &phi.K1, &phi.K2 + + sub(K1, &p.X, &p.Z) // K1 = XP3 - ZP3 + sqr(&t0, K1) // t0 = K1^2 + add(K2, &p.X, &p.Z) // K2 = XP3 + ZP3 + sqr(&t1, K2) // t1 = K2^2 + add(&t2, &t0, &t1) // t2 = t0 + t1 + add(&t3, K1, K2) // t3 = K1 + K2 + sqr(&t3, &t3) // t3 = t3^2 + sub(&t3, &t3, &t2) // t3 = t3 - t2 + add(&t2, &t1, &t3) // t2 = t1 + t3 + add(&t3, &t3, &t0) // t3 = t3 + t0 + add(&t4, &t3, &t0) // t4 = t3 + t0 + add(&t4, &t4, &t4) // t4 = t4 + t4 + add(&t4, &t1, &t4) // t4 = t1 + t4 + mul(&coefEq.C, &t2, &t4) // A24m = t2 * t4 + add(&t4, &t1, &t2) // t4 = t1 + t2 + add(&t4, &t4, &t4) // t4 = t4 + t4 + add(&t4, &t0, &t4) // t4 = t0 + t4 + mul(&t4, &t3, &t4) // t4 = t3 * t4 + sub(&t0, &t4, &coefEq.C) // t0 = t4 - A24m + add(&coefEq.A, &coefEq.C, &t0) // A24p = A24m + t0 + return coefEq +} + +// Given a 3-isogeny phi and a point pB = x(PB), compute x(QB), the x-coordinate +// of the image QB = phi(PB) of PB under phi : E_(A:C) -> E_(A':C'). +// +// The output xQ = x(Q) is then a point on the curve E_(A':C'); the curve +// parameters are returned by the GenerateCurve function used to construct phi. 
+func (phi *isogeny3) EvaluatePoint(p *ProjectivePoint) ProjectivePoint { + var t0, t1, t2 Fp2 + var q ProjectivePoint + var K1, K2 = &phi.K1, &phi.K2 + var px, pz = &p.X, &p.Z + + add(&t0, px, pz) // t0 = XQ + ZQ + sub(&t1, px, pz) // t1 = XQ - ZQ + mul(&t0, K1, &t0) // t2 = K1 * t0 + mul(&t1, K2, &t1) // t1 = K2 * t1 + add(&t2, &t0, &t1) // t2 = t0 + t1 + sub(&t0, &t1, &t0) // t0 = t1 - t0 + sqr(&t2, &t2) // t2 = t2 ^ 2 + sqr(&t0, &t0) // t0 = t0 ^ 2 + mul(&q.X, px, &t2) // XQ'= XQ * t2 + mul(&q.Z, pz, &t0) // ZQ'= ZQ * t0 + return q +} + +// Given a four-torsion point p = x(PB) on the curve E_(A:C), construct the +// four-isogeny phi : E_(A:C) -> E_(A:C)/ = E_(A':C'). +// +// Input: (XP_4: ZP_4), where P_4 has exact order 4 on E_A/C +// Output: * Curve coordinates (A' + 2C', 4C') corresponding to E_A'/C' = A_E/C/ +// * Isogeny phi with constants in F_p^2 +func (phi *isogeny4) GenerateCurve(p *ProjectivePoint) CurveCoefficientsEquiv { + var coefEq CurveCoefficientsEquiv + var xp4, zp4 = &p.X, &p.Z + var K1, K2, K3 = &phi.K1, &phi.K2, &phi.K3 + + sub(K2, xp4, zp4) + add(K3, xp4, zp4) + sqr(K1, zp4) + add(K1, K1, K1) + sqr(&coefEq.C, K1) + add(K1, K1, K1) + sqr(&coefEq.A, xp4) + add(&coefEq.A, &coefEq.A, &coefEq.A) + sqr(&coefEq.A, &coefEq.A) + return coefEq +} + +// Given a 4-isogeny phi and a point xP = x(P), compute x(Q), the x-coordinate +// of the image Q = phi(P) of P under phi : E_(A:C) -> E_(A':C'). 
+// +// Input: Isogeny returned by GenerateCurve and point q=(Qx,Qz) from E0_A/C +// Output: Corresponding point q from E1_A'/C', where E1 is 4-isogenous to E0 +func (phi *isogeny4) EvaluatePoint(p *ProjectivePoint) ProjectivePoint { + var t0, t1 Fp2 + var q = *p + var xq, zq = &q.X, &q.Z + var K1, K2, K3 = &phi.K1, &phi.K2, &phi.K3 + + add(&t0, xq, zq) + sub(&t1, xq, zq) + mul(xq, &t0, K2) + mul(zq, &t1, K3) + mul(&t0, &t0, &t1) + mul(&t0, &t0, K1) + add(&t1, xq, zq) + sub(zq, xq, zq) + sqr(&t1, &t1) + sqr(zq, zq) + add(xq, &t0, &t1) + sub(&t0, zq, &t0) + mul(xq, xq, &t1) + mul(zq, zq, &t0) + return q +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/doc.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/doc.go new file mode 100644 index 00000000..fb774fec --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/doc.go @@ -0,0 +1,2 @@ +// Package p751 provides implementation of field arithmetic used in SIDH and SIKE. +package p751 diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/fp2.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/fp2.go new file mode 100644 index 00000000..87df9831 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/fp2.go 
@@ -0,0 +1,195 @@ +// Code generated by go generate; DO NOT EDIT. +// This file was generated by robots. + +package p751 + +import ( + "github.com/cloudflare/circl/dh/sidh/internal/common" +) + +// Montgomery multiplication. Input values must be already +// in Montgomery domain. +func mulP(dest, lhs, rhs *common.Fp) { + var ab common.FpX2 + mulP751(&ab, lhs, rhs) // = a*b*R*R + rdcP751(dest, &ab) // = a*b*R mod p +} + +// Set dest = x^((p-3)/4). If x is square, this is 1/sqrt(x). +// Uses variation of sliding-window algorithm from with window size +// of 5 and least to most significant bit sliding (left-to-right) +// See HAC 14.85 for general description. +// +// Allowed to overlap x with dest. +// All values in Montgomery domains +// Set dest = x^(2^k), for k >= 1, by repeated squarings. +func p34(dest, x *common.Fp) { + var lookup [16]common.Fp + + // This performs sum(powStrategy) + 1 squarings and len(lookup) + len(mulStrategy) + // multiplications. + powStrategy := []uint8{5, 7, 6, 2, 10, 4, 6, 9, 8, 5, 9, 4, 7, 5, 5, 4, 8, 3, 9, 5, 5, 4, 10, 4, 6, 6, 6, 5, 8, 9, 3, 4, 9, 4, 5, 6, 6, 2, 9, 4, 5, 5, 5, 7, 7, 9, 4, 6, 4, 8, 5, 8, 6, 6, 2, 9, 7, 4, 8, 8, 8, 4, 6, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 2} + mulStrategy := []uint8{15, 11, 10, 0, 15, 3, 3, 3, 4, 4, 9, 7, 11, 11, 5, 3, 12, 2, 10, 8, 5, 2, 8, 3, 5, 4, 11, 4, 0, 9, 2, 1, 12, 7, 5, 14, 15, 0, 14, 5, 6, 4, 5, 13, 6, 9, 7, 15, 1, 14, 11, 15, 12, 5, 0, 10, 9, 7, 7, 10, 14, 6, 11, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 1} + initialMul := uint8(13) + + // Precompute lookup table of 
odd multiples of x for window + // size k=5. + var xx common.Fp + mulP(&xx, x, x) + lookup[0] = *x + for i := 1; i < 16; i++ { + mulP(&lookup[i], &lookup[i-1], &xx) + } + + // Now lookup = {x, x^3, x^5, ... } + // so that lookup[i] = x^{2*i + 1} + // so that lookup[k/2] = x^k, for odd k + *dest = lookup[initialMul] + for i := uint8(0); i < uint8(len(powStrategy)); i++ { + mulP(dest, dest, dest) + for j := uint8(1); j < powStrategy[i]; j++ { + mulP(dest, dest, dest) + } + mulP(dest, dest, &lookup[mulStrategy[i]]) + } +} + +func add(dest, lhs, rhs *common.Fp2) { + addP751(&dest.A, &lhs.A, &rhs.A) + addP751(&dest.B, &lhs.B, &rhs.B) +} + +func sub(dest, lhs, rhs *common.Fp2) { + subP751(&dest.A, &lhs.A, &rhs.A) + subP751(&dest.B, &lhs.B, &rhs.B) +} + +func mul(dest, lhs, rhs *common.Fp2) { + var bMinA, cMinD common.Fp + var ac, bd common.FpX2 + var adPlusBc common.FpX2 + var acMinBd common.FpX2 + + // Let (a,b,c,d) = (lhs.a,lhs.b,rhs.a,rhs.b). + // + // (a + bi)*(c + di) = (a*c - b*d) + (a*d + b*c)i + // + // Use Karatsuba's trick: note that + // + // (b - a)*(c - d) = (b*c + a*d) - a*c - b*d + // + // so (a*d + b*c) = (b-a)*(c-d) + a*c + b*d. + mulP751(&ac, &lhs.A, &rhs.A) // = a*c*R*R + mulP751(&bd, &lhs.B, &rhs.B) // = b*d*R*R + subP751(&bMinA, &lhs.B, &lhs.A) // = (b-a)*R + subP751(&cMinD, &rhs.A, &rhs.B) // = (c-d)*R + mulP751(&adPlusBc, &bMinA, &cMinD) // = (b-a)*(c-d)*R*R + adlP751(&adPlusBc, &adPlusBc, &ac) // = ((b-a)*(c-d) + a*c)*R*R + adlP751(&adPlusBc, &adPlusBc, &bd) // = ((b-a)*(c-d) + a*c + b*d)*R*R + rdcP751(&dest.B, &adPlusBc) // = (a*d + b*c)*R mod p + sulP751(&acMinBd, &ac, &bd) // = (a*c - b*d)*R*R + rdcP751(&dest.A, &acMinBd) // = (a*c - b*d)*R mod p +} + +// Set dest = 1/x +// +// Allowed to overlap dest with x. +// +// Returns dest to allow chaining operations. 
+func inv(dest, x *common.Fp2) { + var e1, e2 common.FpX2 + var f1, f2 common.Fp + + // We want to compute + // + // 1 1 (a - bi) (a - bi) + // -------- = -------- -------- = ----------- + // (a + bi) (a + bi) (a - bi) (a^2 + b^2) + // + // Letting c = 1/(a^2 + b^2), this is + // + // 1/(a+bi) = a*c - b*ci. + + mulP751(&e1, &x.A, &x.A) // = a*a*R*R + mulP751(&e2, &x.B, &x.B) // = b*b*R*R + adlP751(&e1, &e1, &e2) // = (a^2 + b^2)*R*R + rdcP751(&f1, &e1) // = (a^2 + b^2)*R mod p + // Now f1 = a^2 + b^2 + + mulP(&f2, &f1, &f1) + p34(&f2, &f2) + mulP(&f2, &f2, &f2) + mulP(&f2, &f2, &f1) + + mulP751(&e1, &x.A, &f2) + rdcP751(&dest.A, &e1) + + subP751(&f1, &common.Fp{}, &x.B) + mulP751(&e1, &f1, &f2) + rdcP751(&dest.B, &e1) +} + +func sqr(dest, x *common.Fp2) { + var a2, aPlusB, aMinusB common.Fp + var a2MinB2, ab2 common.FpX2 + + a := &x.A + b := &x.B + + // (a + bi)*(a + bi) = (a^2 - b^2) + 2abi. + addP751(&a2, a, a) // = a*R + a*R = 2*a*R + addP751(&aPlusB, a, b) // = a*R + b*R = (a+b)*R + subP751(&aMinusB, a, b) // = a*R - b*R = (a-b)*R + mulP751(&a2MinB2, &aPlusB, &aMinusB) // = (a+b)*(a-b)*R*R = (a^2 - b^2)*R*R + mulP751(&ab2, &a2, b) // = 2*a*b*R*R + rdcP751(&dest.A, &a2MinB2) // = (a^2 - b^2)*R mod p + rdcP751(&dest.B, &ab2) // = 2*a*b*R mod p +} + +// In case choice == 1, performs following swap in constant time: +// xPx <-> xQx +// xPz <-> xQz +// Otherwise returns xPx, xPz, xQx, xQz unchanged +func cswap(xPx, xPz, xQx, xQz *common.Fp2, choice uint8) { + cswapP751(&xPx.A, &xQx.A, choice) + cswapP751(&xPx.B, &xQx.B, choice) + cswapP751(&xPz.A, &xQz.A, choice) + cswapP751(&xPz.B, &xQz.B, choice) +} + +// Converts in.A and in.B to Montgomery domain and stores +// in 'out' +// out.A = in.A * R mod p +// out.B = in.B * R mod p +// Performs v = v*R^2*R^(-1) mod p, for both in.A and in.B +func ToMontgomery(out, in *common.Fp2) { + var aRR common.FpX2 + + // a*R*R + mulP751(&aRR, &in.A, &P751R2) + // a*R mod p + rdcP751(&out.A, &aRR) + mulP751(&aRR, &in.B, &P751R2) + 
rdcP751(&out.B, &aRR) +} + +// Converts in.A and in.B from Montgomery domain and stores +// in 'out' +// out.A = in.A mod p +// out.B = in.B mod p +// +// After returning from the call 'in' is not modified. +func FromMontgomery(out, in *common.Fp2) { + var aR common.FpX2 + + // convert from montgomery domain + copy(aR[:], in.A[:]) + rdcP751(&out.A, &aR) // = a mod p in [0, 2p) + modP751(&out.A) // = a mod p in [0, p) + for i := range aR { + aR[i] = 0 + } + copy(aR[:], in.B[:]) + rdcP751(&out.B, &aR) + modP751(&out.B) +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/params.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/params.go new file mode 100644 index 00000000..9b7f12e0 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/p751/params.go 
@@ -0,0 +1,235 @@ +package p751 + +//go:generate go run ../templates/gen.go P751 + +import ( + "github.com/cloudflare/circl/dh/sidh/internal/common" + "golang.org/x/sys/cpu" +) + +const ( + // Number of uint64 limbs used to store field element + FpWords = 12 +) + +var ( + // HasBMI2 signals support for MULX which is in BMI2 + HasBMI2 = cpu.X86.HasBMI2 + // HasADXandBMI2 signals support for ADX and BMI2 + HasADXandBMI2 = cpu.X86.HasBMI2 && cpu.X86.HasADX + // P751 is a prime used by field Fp751 + P751 = common.Fp{ + 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, + 0xffffffffffffffff, 0xffffffffffffffff, 0xeeafffffffffffff, + 0xe3ec968549f878a8, 0xda959b1a13f7cc76, 0x084e9867d6ebe876, + 0x8562b5045cb25748, 0x0e12909f97badc66, 0x00006fe5d541f71c} + + // P751x2 = 2*p751 - 1 + P751x2 = common.Fp{ + 0xFFFFFFFFFFFFFFFE, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, + 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xDD5FFFFFFFFFFFFF, + 0xC7D92D0A93F0F151, 0xB52B363427EF98ED, 0x109D30CFADD7D0ED, + 0x0AC56A08B964AE90, 0x1C25213F2F75B8CD, 0x0000DFCBAA83EE38} + + // P751p1 = p751 + 1 + P751p1 = common.Fp{ + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0xeeb0000000000000, + 0xe3ec968549f878a8, 0xda959b1a13f7cc76, 0x084e9867d6ebe876, + 0x8562b5045cb25748, 0x0e12909f97badc66, 0x00006fe5d541f71c} + + // P751R2 = (2^768)^2 mod p + P751R2 = common.Fp{ + 2535603850726686808, 15780896088201250090, 6788776303855402382, + 17585428585582356230, 5274503137951975249, 2266259624764636289, + 11695651972693921304, 13072885652150159301, 4908312795585420432, + 6229583484603254826, 488927695601805643, 72213483953973} + + // P751p1Zeros number of 0 digits in the least significant part of P751+1 + P751p1Zeros = 5 + + params common.SidhParams +) + +func init() { + params = common.SidhParams{ + ID: common.Fp751, + // SIDH public key byte size. + PublicKeySize: 564, + // SIDH shared secret byte size. 
+ SharedSecretSize: 188, + A: common.DomainParams{ + // The x-coordinate of PA + AffineP: common.Fp2{ + A: common.Fp{ + 0xC2FC08CEAB50AD8B, 0x1D7D710F55E457B1, 0xE8738D92953DCD6E, + 0xBAA7EBEE8A3418AA, 0xC9A288345F03F46F, 0xC8D18D167CFE2616, + 0x02043761F6B1C045, 0xAA1975E13180E7E9, 0x9E13D3FDC6690DE6, + 0x3A024640A3A3BB4F, 0x4E5AD44E6ACBBDAE, 0x0000544BEB561DAD, + }, + B: common.Fp{ + 0xE6CC41D21582E411, 0x07C2ECB7C5DF400A, 0xE8E34B521432AEC4, + 0x50761E2AB085167D, 0x032CFBCAA6094B3C, 0x6C522F5FDF9DDD71, + 0x1319217DC3A1887D, 0xDC4FB25803353A86, 0x362C8D7B63A6AB09, + 0x39DCDFBCE47EA488, 0x4C27C99A2C28D409, 0x00003CB0075527C4, + }, + }, + // The x-coordinate of QA + AffineQ: common.Fp2{ + A: common.Fp{ + 0xD56FE52627914862, 0x1FAD60DC96B5BAEA, 0x01E137D0BF07AB91, + 0x404D3E9252161964, 0x3C5385E4CD09A337, 0x4476426769E4AF73, + 0x9790C6DB989DFE33, 0xE06E1C04D2AA8B5E, 0x38C08185EDEA73B9, + 0xAA41F678A4396CA6, 0x92B9259B2229E9A0, 0x00002F9326818BE0, + }, + B: common.Fp{ + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + }, + }, + // The x-coordinate of RA = PA-QA + AffineR: common.Fp2{ + A: common.Fp{ + 0x0BB84441DFFD19B3, 0x84B4DEA99B48C18E, 0x692DE648AD313805, + 0xE6D72761B6DFAEE0, 0x223975C672C3058D, 0xA0FDE0C3CBA26FDC, + 0xA5326132A922A3CA, 0xCA5E7F5D5EA96FA4, 0x127C7EFE33FFA8C6, + 0x4749B1567E2A23C4, 0x2B7DF5B4AF413BFA, 0x0000656595B9623C, + }, + B: common.Fp{ + 0xED78C17F1EC71BE8, 0xF824D6DF753859B1, 0x33A10839B2A8529F, + 0xFC03E9E25FDEA796, 0xC4708A8054DF1762, 0x4034F2EC034C6467, + 0xABFB70FBF06ECC79, 0xDABE96636EC108B7, 0x49CBCFB090605FD3, + 0x20B89711819A45A7, 0xFB8E1590B2B0F63E, 0x0000556A5F964AB2, + }, + }, + // Max size of secret key for 2-torsion group, corresponds to 2^e2 - 1 + SecretBitLen: 372, + // SecretBitLen in bytes. 
+ SecretByteLen: 47, + // 2-torsion group computation strategy + IsogenyStrategy: []uint32{ + 0x50, 0x30, 0x1B, 0x0F, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, + 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x07, + 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x03, 0x02, 0x01, + 0x01, 0x01, 0x01, 0x0C, 0x07, 0x04, 0x02, 0x01, 0x01, 0x02, + 0x01, 0x01, 0x03, 0x02, 0x01, 0x01, 0x01, 0x01, 0x05, 0x03, + 0x02, 0x01, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x01, 0x15, + 0x0C, 0x07, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x03, + 0x02, 0x01, 0x01, 0x01, 0x01, 0x05, 0x03, 0x02, 0x01, 0x01, + 0x01, 0x01, 0x02, 0x01, 0x01, 0x01, 0x09, 0x05, 0x03, 0x02, + 0x01, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x01, 0x04, 0x02, + 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x21, 0x14, 0x0C, 0x07, + 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x03, 0x02, 0x01, + 0x01, 0x01, 0x01, 0x05, 0x03, 0x02, 0x01, 0x01, 0x01, 0x01, + 0x02, 0x01, 0x01, 0x01, 0x08, 0x05, 0x03, 0x02, 0x01, 0x01, + 0x01, 0x01, 0x02, 0x01, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, + 0x02, 0x01, 0x01, 0x10, 0x08, 0x04, 0x02, 0x01, 0x01, 0x01, + 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, + 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, + 0x01, 0x01, 0x02, 0x01, 0x01}, + }, + B: common.DomainParams{ + // The x-coordinate of PB + AffineP: common.Fp2{ + A: common.Fp{ + 0xCFB6D71EF867AB0B, 0x4A5FDD76E9A45C76, 0x38B1EE69194B1F03, + 0xF6E7B18A7761F3F0, 0xFCF01A486A52C84C, 0xCBE2F63F5AA75466, + 0x6487BCE837B5E4D6, 0x7747F5A8C622E9B8, 0x4CBFE1E4EE6AEBBA, + 0x8A8616A13FA91512, 0x53DB980E1579E0A5, 0x000058FEBFF3BE69, + }, + B: common.Fp{ + 0xA492034E7C075CC3, 0x677BAF00B04AA430, 0x3AAE0C9A755C94C8, + 0x1DC4B064E9EBB08B, 0x3684EDD04E826C66, 0x9BAA6CB661F01B22, + 0x20285A00AD2EFE35, 0xDCE95ABD0497065F, 0x16C7FBB3778E3794, + 0x26B3AC29CEF25AAF, 0xFB3C28A31A30AC1D, 0x000046ED190624EE, + }, + }, + // The x-coordinate of QB + AffineQ: common.Fp2{ + A: common.Fp{ + 0xF1A8C9ED7B96C4AB, 0x299429DA5178486E, 0xEF4926F20CD5C2F4, + 
0x683B2E2858B4716A, 0xDDA2FBCC3CAC3EEB, 0xEC055F9F3A600460, + 0xD5A5A17A58C3848B, 0x4652D836F42EAED5, 0x2F2E71ED78B3A3B3, + 0xA771C057180ADD1D, 0xC780A5D2D835F512, 0x0000114EA3B55AC1, + }, + B: common.Fp{ + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + }, + }, + // The x-coordinate of RB = PB - QB + AffineR: common.Fp2{ + A: common.Fp{ + 0x1C0D6733769D0F31, 0xF084C3086E2659D1, 0xE23D5DA27BCBD133, + 0xF38EC9A8D5864025, 0x6426DC781B3B645B, 0x4B24E8E3C9FB03EE, + 0x6432792F9D2CEA30, 0x7CC8E8B1AE76E857, 0x7F32BFB626BB8963, + 0xB9F05995B48D7B74, 0x4D71200A7D67E042, 0x0000228457AF0637, + }, + B: common.Fp{ + 0x4AE37E7D8F72BD95, 0xDD2D504B3E993488, 0x5D14E7FA1ECB3C3E, + 0x127610CEB75D6350, 0x255B4B4CAC446B11, 0x9EA12336C1F70CAF, + 0x79FA68A2147BC2F8, 0x11E895CFDADBBC49, 0xE4B9D3C4D6356C18, + 0x44B25856A67F951C, 0x5851541F61308D0B, 0x00002FFD994F7E4C, + }, + }, + // Size of secret key for 3-torsion group, corresponds to log_2(3^e3) - 1. + SecretBitLen: 378, + // SecretBitLen in bytes. 
+ SecretByteLen: 48, + // 3-torsion group computation strategy + IsogenyStrategy: []uint32{ + 0x70, 0x3F, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, + 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x08, + 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, + 0x01, 0x02, 0x01, 0x01, 0x10, 0x08, 0x04, 0x02, 0x01, 0x01, + 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, + 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, + 0x01, 0x01, 0x02, 0x01, 0x01, 0x1F, 0x10, 0x08, 0x04, 0x02, + 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, + 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, + 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x0F, 0x08, 0x04, + 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, + 0x02, 0x01, 0x01, 0x07, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, + 0x01, 0x03, 0x02, 0x01, 0x01, 0x01, 0x01, 0x31, 0x1F, 0x10, + 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, + 0x01, 0x01, 0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, + 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, + 0x0F, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, + 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x07, 0x04, 0x02, 0x01, + 0x01, 0x02, 0x01, 0x01, 0x03, 0x02, 0x01, 0x01, 0x01, 0x01, + 0x15, 0x0C, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, + 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x05, 0x03, 0x02, + 0x01, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x01, 0x09, 0x05, + 0x03, 0x02, 0x01, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x01, + 0x04, 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01}, + }, + // 1*R mod p + OneFp2: common.Fp2{ + A: common.Fp{ + 0x00000000000249ad, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x8310000000000000, + 0x5527b1e4375c6c66, 0x697797bf3f4f24d0, 0xc89db7b2ac5c4e2e, + 0x4ca4b439d2076956, 0x10f7926c7512c7e9, 0x00002d5b24bce5e2}, + }, + // 1/2 * R mod p + HalfFp2: common.Fp2{ + A: common.Fp{ + 0x00000000000124D6, 0x0000000000000000, 
0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0xB8E0000000000000, + 0x9C8A2434C0AA7287, 0xA206996CA9A378A3, 0x6876280D41A41B52, + 0xE903B49F175CE04F, 0x0F8511860666D227, 0x00004EA07CFF6E7F}, + }, + MsgLen: 32, + // SIKEp751 provides 128 bit of classical security ([SIKE], 5.1) + KemSize: 24, + // ceil(751+7/8) + Bytelen: 94, + CiphertextSize: 24 + 8 + 564, + } + + common.Register(common.Fp751, ¶ms) +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/LICENSE b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/LICENSE new file mode 100644 index 00000000..6a66aea5 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/LICENSE 
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+ * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/doc.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/doc.go
new file mode 100644
index 00000000..bd195b88
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/doc.go
@@ -0,0 +1,7 @@
+// Package shake provides implementation of SHA-3 and cSHAKE
+// This code has been copied from golang.org/x/crypto/sha3
+// and havily modified. This version doesn't use heap when
+// computing cSHAKE. It makes it possible to allocate
+// heap once when object is created and then reuse heap
+// allocated structures in subsequent calls.
+package shake
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/keccakf.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/keccakf.go
new file mode 100644
index 00000000..93231239
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/keccakf.go
@@ -0,0 +1,412 @@ +// Copyright 2014 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// +build !amd64 appengine gccgo + +package shake + +// rc stores the round constants for use in the ι step. +var rc = [24]uint64{ + 0x0000000000000001, + 0x0000000000008082, + 0x800000000000808A, + 0x8000000080008000, + 0x000000000000808B, + 0x0000000080000001, + 0x8000000080008081, + 0x8000000000008009, + 0x000000000000008A, + 0x0000000000000088, + 0x0000000080008009, + 0x000000008000000A, + 0x000000008000808B, + 0x800000000000008B, + 0x8000000000008089, + 0x8000000000008003, + 0x8000000000008002, + 0x8000000000000080, + 0x000000000000800A, + 0x800000008000000A, + 0x8000000080008081, + 0x8000000000008080, + 0x0000000080000001, + 0x8000000080008008, +} + +// keccakF1600 applies the Keccak permutation to a 1600b-wide +// state represented as a slice of 25 uint64s. +func keccakF1600(a *[25]uint64) { + // Implementation translated from Keccak-inplace.c + // in the keccak reference code. + var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64 + + for i := 0; i < 24; i += 4 { + // Combines the 5 steps in each round into 2 steps. + // Unrolls 4 rounds per loop and spreads some steps across rounds. 
+ + // Round 1 + bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] + bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] + bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] + bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] + bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] + d0 = bc4 ^ (bc1<<1 | bc1>>63) + d1 = bc0 ^ (bc2<<1 | bc2>>63) + d2 = bc1 ^ (bc3<<1 | bc3>>63) + d3 = bc2 ^ (bc4<<1 | bc4>>63) + d4 = bc3 ^ (bc0<<1 | bc0>>63) + + bc0 = a[0] ^ d0 + t = a[6] ^ d1 + bc1 = t<<44 | t>>(64-44) + t = a[12] ^ d2 + bc2 = t<<43 | t>>(64-43) + t = a[18] ^ d3 + bc3 = t<<21 | t>>(64-21) + t = a[24] ^ d4 + bc4 = t<<14 | t>>(64-14) + a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i] + a[6] = bc1 ^ (bc3 &^ bc2) + a[12] = bc2 ^ (bc4 &^ bc3) + a[18] = bc3 ^ (bc0 &^ bc4) + a[24] = bc4 ^ (bc1 &^ bc0) + + t = a[10] ^ d0 + bc2 = t<<3 | t>>(64-3) + t = a[16] ^ d1 + bc3 = t<<45 | t>>(64-45) + t = a[22] ^ d2 + bc4 = t<<61 | t>>(64-61) + t = a[3] ^ d3 + bc0 = t<<28 | t>>(64-28) + t = a[9] ^ d4 + bc1 = t<<20 | t>>(64-20) + a[10] = bc0 ^ (bc2 &^ bc1) + a[16] = bc1 ^ (bc3 &^ bc2) + a[22] = bc2 ^ (bc4 &^ bc3) + a[3] = bc3 ^ (bc0 &^ bc4) + a[9] = bc4 ^ (bc1 &^ bc0) + + t = a[20] ^ d0 + bc4 = t<<18 | t>>(64-18) + t = a[1] ^ d1 + bc0 = t<<1 | t>>(64-1) + t = a[7] ^ d2 + bc1 = t<<6 | t>>(64-6) + t = a[13] ^ d3 + bc2 = t<<25 | t>>(64-25) + t = a[19] ^ d4 + bc3 = t<<8 | t>>(64-8) + a[20] = bc0 ^ (bc2 &^ bc1) + a[1] = bc1 ^ (bc3 &^ bc2) + a[7] = bc2 ^ (bc4 &^ bc3) + a[13] = bc3 ^ (bc0 &^ bc4) + a[19] = bc4 ^ (bc1 &^ bc0) + + t = a[5] ^ d0 + bc1 = t<<36 | t>>(64-36) + t = a[11] ^ d1 + bc2 = t<<10 | t>>(64-10) + t = a[17] ^ d2 + bc3 = t<<15 | t>>(64-15) + t = a[23] ^ d3 + bc4 = t<<56 | t>>(64-56) + t = a[4] ^ d4 + bc0 = t<<27 | t>>(64-27) + a[5] = bc0 ^ (bc2 &^ bc1) + a[11] = bc1 ^ (bc3 &^ bc2) + a[17] = bc2 ^ (bc4 &^ bc3) + a[23] = bc3 ^ (bc0 &^ bc4) + a[4] = bc4 ^ (bc1 &^ bc0) + + t = a[15] ^ d0 + bc3 = t<<41 | t>>(64-41) + t = a[21] ^ d1 + bc4 = t<<2 | t>>(64-2) + t = a[2] ^ d2 + bc0 = t<<62 | t>>(64-62) + t = a[8] ^ d3 + bc1 = t<<55 | t>>(64-55) + t 
= a[14] ^ d4 + bc2 = t<<39 | t>>(64-39) + a[15] = bc0 ^ (bc2 &^ bc1) + a[21] = bc1 ^ (bc3 &^ bc2) + a[2] = bc2 ^ (bc4 &^ bc3) + a[8] = bc3 ^ (bc0 &^ bc4) + a[14] = bc4 ^ (bc1 &^ bc0) + + // Round 2 + bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] + bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] + bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] + bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] + bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] + d0 = bc4 ^ (bc1<<1 | bc1>>63) + d1 = bc0 ^ (bc2<<1 | bc2>>63) + d2 = bc1 ^ (bc3<<1 | bc3>>63) + d3 = bc2 ^ (bc4<<1 | bc4>>63) + d4 = bc3 ^ (bc0<<1 | bc0>>63) + + bc0 = a[0] ^ d0 + t = a[16] ^ d1 + bc1 = t<<44 | t>>(64-44) + t = a[7] ^ d2 + bc2 = t<<43 | t>>(64-43) + t = a[23] ^ d3 + bc3 = t<<21 | t>>(64-21) + t = a[14] ^ d4 + bc4 = t<<14 | t>>(64-14) + a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1] + a[16] = bc1 ^ (bc3 &^ bc2) + a[7] = bc2 ^ (bc4 &^ bc3) + a[23] = bc3 ^ (bc0 &^ bc4) + a[14] = bc4 ^ (bc1 &^ bc0) + + t = a[20] ^ d0 + bc2 = t<<3 | t>>(64-3) + t = a[11] ^ d1 + bc3 = t<<45 | t>>(64-45) + t = a[2] ^ d2 + bc4 = t<<61 | t>>(64-61) + t = a[18] ^ d3 + bc0 = t<<28 | t>>(64-28) + t = a[9] ^ d4 + bc1 = t<<20 | t>>(64-20) + a[20] = bc0 ^ (bc2 &^ bc1) + a[11] = bc1 ^ (bc3 &^ bc2) + a[2] = bc2 ^ (bc4 &^ bc3) + a[18] = bc3 ^ (bc0 &^ bc4) + a[9] = bc4 ^ (bc1 &^ bc0) + + t = a[15] ^ d0 + bc4 = t<<18 | t>>(64-18) + t = a[6] ^ d1 + bc0 = t<<1 | t>>(64-1) + t = a[22] ^ d2 + bc1 = t<<6 | t>>(64-6) + t = a[13] ^ d3 + bc2 = t<<25 | t>>(64-25) + t = a[4] ^ d4 + bc3 = t<<8 | t>>(64-8) + a[15] = bc0 ^ (bc2 &^ bc1) + a[6] = bc1 ^ (bc3 &^ bc2) + a[22] = bc2 ^ (bc4 &^ bc3) + a[13] = bc3 ^ (bc0 &^ bc4) + a[4] = bc4 ^ (bc1 &^ bc0) + + t = a[10] ^ d0 + bc1 = t<<36 | t>>(64-36) + t = a[1] ^ d1 + bc2 = t<<10 | t>>(64-10) + t = a[17] ^ d2 + bc3 = t<<15 | t>>(64-15) + t = a[8] ^ d3 + bc4 = t<<56 | t>>(64-56) + t = a[24] ^ d4 + bc0 = t<<27 | t>>(64-27) + a[10] = bc0 ^ (bc2 &^ bc1) + a[1] = bc1 ^ (bc3 &^ bc2) + a[17] = bc2 ^ (bc4 &^ bc3) + a[8] = bc3 ^ (bc0 &^ bc4) + a[24] = bc4 ^ (bc1 
&^ bc0) + + t = a[5] ^ d0 + bc3 = t<<41 | t>>(64-41) + t = a[21] ^ d1 + bc4 = t<<2 | t>>(64-2) + t = a[12] ^ d2 + bc0 = t<<62 | t>>(64-62) + t = a[3] ^ d3 + bc1 = t<<55 | t>>(64-55) + t = a[19] ^ d4 + bc2 = t<<39 | t>>(64-39) + a[5] = bc0 ^ (bc2 &^ bc1) + a[21] = bc1 ^ (bc3 &^ bc2) + a[12] = bc2 ^ (bc4 &^ bc3) + a[3] = bc3 ^ (bc0 &^ bc4) + a[19] = bc4 ^ (bc1 &^ bc0) + + // Round 3 + bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] + bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] + bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] + bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] + bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] + d0 = bc4 ^ (bc1<<1 | bc1>>63) + d1 = bc0 ^ (bc2<<1 | bc2>>63) + d2 = bc1 ^ (bc3<<1 | bc3>>63) + d3 = bc2 ^ (bc4<<1 | bc4>>63) + d4 = bc3 ^ (bc0<<1 | bc0>>63) + + bc0 = a[0] ^ d0 + t = a[11] ^ d1 + bc1 = t<<44 | t>>(64-44) + t = a[22] ^ d2 + bc2 = t<<43 | t>>(64-43) + t = a[8] ^ d3 + bc3 = t<<21 | t>>(64-21) + t = a[19] ^ d4 + bc4 = t<<14 | t>>(64-14) + a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2] + a[11] = bc1 ^ (bc3 &^ bc2) + a[22] = bc2 ^ (bc4 &^ bc3) + a[8] = bc3 ^ (bc0 &^ bc4) + a[19] = bc4 ^ (bc1 &^ bc0) + + t = a[15] ^ d0 + bc2 = t<<3 | t>>(64-3) + t = a[1] ^ d1 + bc3 = t<<45 | t>>(64-45) + t = a[12] ^ d2 + bc4 = t<<61 | t>>(64-61) + t = a[23] ^ d3 + bc0 = t<<28 | t>>(64-28) + t = a[9] ^ d4 + bc1 = t<<20 | t>>(64-20) + a[15] = bc0 ^ (bc2 &^ bc1) + a[1] = bc1 ^ (bc3 &^ bc2) + a[12] = bc2 ^ (bc4 &^ bc3) + a[23] = bc3 ^ (bc0 &^ bc4) + a[9] = bc4 ^ (bc1 &^ bc0) + + t = a[5] ^ d0 + bc4 = t<<18 | t>>(64-18) + t = a[16] ^ d1 + bc0 = t<<1 | t>>(64-1) + t = a[2] ^ d2 + bc1 = t<<6 | t>>(64-6) + t = a[13] ^ d3 + bc2 = t<<25 | t>>(64-25) + t = a[24] ^ d4 + bc3 = t<<8 | t>>(64-8) + a[5] = bc0 ^ (bc2 &^ bc1) + a[16] = bc1 ^ (bc3 &^ bc2) + a[2] = bc2 ^ (bc4 &^ bc3) + a[13] = bc3 ^ (bc0 &^ bc4) + a[24] = bc4 ^ (bc1 &^ bc0) + + t = a[20] ^ d0 + bc1 = t<<36 | t>>(64-36) + t = a[6] ^ d1 + bc2 = t<<10 | t>>(64-10) + t = a[17] ^ d2 + bc3 = t<<15 | t>>(64-15) + t = a[3] ^ d3 + bc4 = t<<56 | 
t>>(64-56) + t = a[14] ^ d4 + bc0 = t<<27 | t>>(64-27) + a[20] = bc0 ^ (bc2 &^ bc1) + a[6] = bc1 ^ (bc3 &^ bc2) + a[17] = bc2 ^ (bc4 &^ bc3) + a[3] = bc3 ^ (bc0 &^ bc4) + a[14] = bc4 ^ (bc1 &^ bc0) + + t = a[10] ^ d0 + bc3 = t<<41 | t>>(64-41) + t = a[21] ^ d1 + bc4 = t<<2 | t>>(64-2) + t = a[7] ^ d2 + bc0 = t<<62 | t>>(64-62) + t = a[18] ^ d3 + bc1 = t<<55 | t>>(64-55) + t = a[4] ^ d4 + bc2 = t<<39 | t>>(64-39) + a[10] = bc0 ^ (bc2 &^ bc1) + a[21] = bc1 ^ (bc3 &^ bc2) + a[7] = bc2 ^ (bc4 &^ bc3) + a[18] = bc3 ^ (bc0 &^ bc4) + a[4] = bc4 ^ (bc1 &^ bc0) + + // Round 4 + bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] + bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] + bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] + bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] + bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] + d0 = bc4 ^ (bc1<<1 | bc1>>63) + d1 = bc0 ^ (bc2<<1 | bc2>>63) + d2 = bc1 ^ (bc3<<1 | bc3>>63) + d3 = bc2 ^ (bc4<<1 | bc4>>63) + d4 = bc3 ^ (bc0<<1 | bc0>>63) + + bc0 = a[0] ^ d0 + t = a[1] ^ d1 + bc1 = t<<44 | t>>(64-44) + t = a[2] ^ d2 + bc2 = t<<43 | t>>(64-43) + t = a[3] ^ d3 + bc3 = t<<21 | t>>(64-21) + t = a[4] ^ d4 + bc4 = t<<14 | t>>(64-14) + a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3] + a[1] = bc1 ^ (bc3 &^ bc2) + a[2] = bc2 ^ (bc4 &^ bc3) + a[3] = bc3 ^ (bc0 &^ bc4) + a[4] = bc4 ^ (bc1 &^ bc0) + + t = a[5] ^ d0 + bc2 = t<<3 | t>>(64-3) + t = a[6] ^ d1 + bc3 = t<<45 | t>>(64-45) + t = a[7] ^ d2 + bc4 = t<<61 | t>>(64-61) + t = a[8] ^ d3 + bc0 = t<<28 | t>>(64-28) + t = a[9] ^ d4 + bc1 = t<<20 | t>>(64-20) + a[5] = bc0 ^ (bc2 &^ bc1) + a[6] = bc1 ^ (bc3 &^ bc2) + a[7] = bc2 ^ (bc4 &^ bc3) + a[8] = bc3 ^ (bc0 &^ bc4) + a[9] = bc4 ^ (bc1 &^ bc0) + + t = a[10] ^ d0 + bc4 = t<<18 | t>>(64-18) + t = a[11] ^ d1 + bc0 = t<<1 | t>>(64-1) + t = a[12] ^ d2 + bc1 = t<<6 | t>>(64-6) + t = a[13] ^ d3 + bc2 = t<<25 | t>>(64-25) + t = a[14] ^ d4 + bc3 = t<<8 | t>>(64-8) + a[10] = bc0 ^ (bc2 &^ bc1) + a[11] = bc1 ^ (bc3 &^ bc2) + a[12] = bc2 ^ (bc4 &^ bc3) + a[13] = bc3 ^ (bc0 &^ bc4) + a[14] = bc4 ^ 
(bc1 &^ bc0) + + t = a[15] ^ d0 + bc1 = t<<36 | t>>(64-36) + t = a[16] ^ d1 + bc2 = t<<10 | t>>(64-10) + t = a[17] ^ d2 + bc3 = t<<15 | t>>(64-15) + t = a[18] ^ d3 + bc4 = t<<56 | t>>(64-56) + t = a[19] ^ d4 + bc0 = t<<27 | t>>(64-27) + a[15] = bc0 ^ (bc2 &^ bc1) + a[16] = bc1 ^ (bc3 &^ bc2) + a[17] = bc2 ^ (bc4 &^ bc3) + a[18] = bc3 ^ (bc0 &^ bc4) + a[19] = bc4 ^ (bc1 &^ bc0) + + t = a[20] ^ d0 + bc3 = t<<41 | t>>(64-41) + t = a[21] ^ d1 + bc4 = t<<2 | t>>(64-2) + t = a[22] ^ d2 + bc0 = t<<62 | t>>(64-62) + t = a[23] ^ d3 + bc1 = t<<55 | t>>(64-55) + t = a[24] ^ d4 + bc2 = t<<39 | t>>(64-39) + a[20] = bc0 ^ (bc2 &^ bc1) + a[21] = bc1 ^ (bc3 &^ bc2) + a[22] = bc2 ^ (bc4 &^ bc3) + a[23] = bc3 ^ (bc0 &^ bc4) + a[24] = bc4 ^ (bc1 &^ bc0) + } +} diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/keccakf_amd64.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/keccakf_amd64.go new file mode 100644 index 00000000..de8aa56b --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/keccakf_amd64.go @@ -0,0 +1,13 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// +build amd64,!appengine,!gccgo + +package shake + +// This function is implemented in keccakf_amd64.s. + +//go:noescape + +func keccakF1600(a *[25]uint64) diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/keccakf_amd64.s b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/keccakf_amd64.s new file mode 100644 index 00000000..d9819089 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/keccakf_amd64.s 
@@ -0,0 +1,390 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// +build amd64,!appengine,!gccgo + +// This code was translated into a form compatible with 6a from the public +// domain sources at https://github.com/gvanas/KeccakCodePackage + +// Offsets in state +#define _ba (0*8) +#define _be (1*8) +#define _bi (2*8) +#define _bo (3*8) +#define _bu (4*8) +#define _ga (5*8) +#define _ge (6*8) +#define _gi (7*8) +#define _go (8*8) +#define _gu (9*8) +#define _ka (10*8) +#define _ke (11*8) +#define _ki (12*8) +#define _ko (13*8) +#define _ku (14*8) +#define _ma (15*8) +#define _me (16*8) +#define _mi (17*8) +#define _mo (18*8) +#define _mu (19*8) +#define _sa (20*8) +#define _se (21*8) +#define _si (22*8) +#define _so (23*8) +#define _su (24*8) + +// Temporary registers +#define rT1 AX + +// Round vars +#define rpState DI +#define rpStack SP + +#define rDa BX +#define rDe CX +#define rDi DX +#define rDo R8 +#define rDu R9 + +#define rBa R10 +#define rBe R11 +#define rBi R12 +#define rBo R13 +#define rBu R14 + +#define rCa SI +#define rCe BP +#define rCi rBi +#define rCo rBo +#define rCu R15 + +#define MOVQ_RBI_RCE MOVQ rBi, rCe +#define XORQ_RT1_RCA XORQ rT1, rCa +#define XORQ_RT1_RCE XORQ rT1, rCe +#define XORQ_RBA_RCU XORQ rBa, rCu +#define XORQ_RBE_RCU XORQ rBe, rCu +#define XORQ_RDU_RCU XORQ rDu, rCu +#define XORQ_RDA_RCA XORQ rDa, rCa +#define XORQ_RDE_RCE XORQ rDe, rCe + +#define mKeccakRound(iState, oState, rc, B_RBI_RCE, G_RT1_RCA, G_RT1_RCE, G_RBA_RCU, K_RT1_RCA, K_RT1_RCE, K_RBA_RCU, M_RT1_RCA, M_RT1_RCE, M_RBE_RCU, S_RDU_RCU, S_RDA_RCA, S_RDE_RCE) \ + /* Prepare round */ \ + MOVQ rCe, rDa; \ + ROLQ $1, rDa; \ + \ + MOVQ _bi(iState), rCi; \ + XORQ _gi(iState), rDi; \ + XORQ rCu, rDa; \ + XORQ _ki(iState), rCi; \ + XORQ _mi(iState), rDi; \ + XORQ rDi, rCi; \ + \ + MOVQ rCi, rDe; \ + ROLQ $1, rDe; \ + \ + MOVQ _bo(iState), rCo; \ + XORQ 
_go(iState), rDo; \ + XORQ rCa, rDe; \ + XORQ _ko(iState), rCo; \ + XORQ _mo(iState), rDo; \ + XORQ rDo, rCo; \ + \ + MOVQ rCo, rDi; \ + ROLQ $1, rDi; \ + \ + MOVQ rCu, rDo; \ + XORQ rCe, rDi; \ + ROLQ $1, rDo; \ + \ + MOVQ rCa, rDu; \ + XORQ rCi, rDo; \ + ROLQ $1, rDu; \ + \ + /* Result b */ \ + MOVQ _ba(iState), rBa; \ + MOVQ _ge(iState), rBe; \ + XORQ rCo, rDu; \ + MOVQ _ki(iState), rBi; \ + MOVQ _mo(iState), rBo; \ + MOVQ _su(iState), rBu; \ + XORQ rDe, rBe; \ + ROLQ $44, rBe; \ + XORQ rDi, rBi; \ + XORQ rDa, rBa; \ + ROLQ $43, rBi; \ + \ + MOVQ rBe, rCa; \ + MOVQ rc, rT1; \ + ORQ rBi, rCa; \ + XORQ rBa, rT1; \ + XORQ rT1, rCa; \ + MOVQ rCa, _ba(oState); \ + \ + XORQ rDu, rBu; \ + ROLQ $14, rBu; \ + MOVQ rBa, rCu; \ + ANDQ rBe, rCu; \ + XORQ rBu, rCu; \ + MOVQ rCu, _bu(oState); \ + \ + XORQ rDo, rBo; \ + ROLQ $21, rBo; \ + MOVQ rBo, rT1; \ + ANDQ rBu, rT1; \ + XORQ rBi, rT1; \ + MOVQ rT1, _bi(oState); \ + \ + NOTQ rBi; \ + ORQ rBa, rBu; \ + ORQ rBo, rBi; \ + XORQ rBo, rBu; \ + XORQ rBe, rBi; \ + MOVQ rBu, _bo(oState); \ + MOVQ rBi, _be(oState); \ + B_RBI_RCE; \ + \ + /* Result g */ \ + MOVQ _gu(iState), rBe; \ + XORQ rDu, rBe; \ + MOVQ _ka(iState), rBi; \ + ROLQ $20, rBe; \ + XORQ rDa, rBi; \ + ROLQ $3, rBi; \ + MOVQ _bo(iState), rBa; \ + MOVQ rBe, rT1; \ + ORQ rBi, rT1; \ + XORQ rDo, rBa; \ + MOVQ _me(iState), rBo; \ + MOVQ _si(iState), rBu; \ + ROLQ $28, rBa; \ + XORQ rBa, rT1; \ + MOVQ rT1, _ga(oState); \ + G_RT1_RCA; \ + \ + XORQ rDe, rBo; \ + ROLQ $45, rBo; \ + MOVQ rBi, rT1; \ + ANDQ rBo, rT1; \ + XORQ rBe, rT1; \ + MOVQ rT1, _ge(oState); \ + G_RT1_RCE; \ + \ + XORQ rDi, rBu; \ + ROLQ $61, rBu; \ + MOVQ rBu, rT1; \ + ORQ rBa, rT1; \ + XORQ rBo, rT1; \ + MOVQ rT1, _go(oState); \ + \ + ANDQ rBe, rBa; \ + XORQ rBu, rBa; \ + MOVQ rBa, _gu(oState); \ + NOTQ rBu; \ + G_RBA_RCU; \ + \ + ORQ rBu, rBo; \ + XORQ rBi, rBo; \ + MOVQ rBo, _gi(oState); \ + \ + /* Result k */ \ + MOVQ _be(iState), rBa; \ + MOVQ _gi(iState), rBe; \ + MOVQ _ko(iState), rBi; \ + MOVQ 
_mu(iState), rBo; \ + MOVQ _sa(iState), rBu; \ + XORQ rDi, rBe; \ + ROLQ $6, rBe; \ + XORQ rDo, rBi; \ + ROLQ $25, rBi; \ + MOVQ rBe, rT1; \ + ORQ rBi, rT1; \ + XORQ rDe, rBa; \ + ROLQ $1, rBa; \ + XORQ rBa, rT1; \ + MOVQ rT1, _ka(oState); \ + K_RT1_RCA; \ + \ + XORQ rDu, rBo; \ + ROLQ $8, rBo; \ + MOVQ rBi, rT1; \ + ANDQ rBo, rT1; \ + XORQ rBe, rT1; \ + MOVQ rT1, _ke(oState); \ + K_RT1_RCE; \ + \ + XORQ rDa, rBu; \ + ROLQ $18, rBu; \ + NOTQ rBo; \ + MOVQ rBo, rT1; \ + ANDQ rBu, rT1; \ + XORQ rBi, rT1; \ + MOVQ rT1, _ki(oState); \ + \ + MOVQ rBu, rT1; \ + ORQ rBa, rT1; \ + XORQ rBo, rT1; \ + MOVQ rT1, _ko(oState); \ + \ + ANDQ rBe, rBa; \ + XORQ rBu, rBa; \ + MOVQ rBa, _ku(oState); \ + K_RBA_RCU; \ + \ + /* Result m */ \ + MOVQ _ga(iState), rBe; \ + XORQ rDa, rBe; \ + MOVQ _ke(iState), rBi; \ + ROLQ $36, rBe; \ + XORQ rDe, rBi; \ + MOVQ _bu(iState), rBa; \ + ROLQ $10, rBi; \ + MOVQ rBe, rT1; \ + MOVQ _mi(iState), rBo; \ + ANDQ rBi, rT1; \ + XORQ rDu, rBa; \ + MOVQ _so(iState), rBu; \ + ROLQ $27, rBa; \ + XORQ rBa, rT1; \ + MOVQ rT1, _ma(oState); \ + M_RT1_RCA; \ + \ + XORQ rDi, rBo; \ + ROLQ $15, rBo; \ + MOVQ rBi, rT1; \ + ORQ rBo, rT1; \ + XORQ rBe, rT1; \ + MOVQ rT1, _me(oState); \ + M_RT1_RCE; \ + \ + XORQ rDo, rBu; \ + ROLQ $56, rBu; \ + NOTQ rBo; \ + MOVQ rBo, rT1; \ + ORQ rBu, rT1; \ + XORQ rBi, rT1; \ + MOVQ rT1, _mi(oState); \ + \ + ORQ rBa, rBe; \ + XORQ rBu, rBe; \ + MOVQ rBe, _mu(oState); \ + \ + ANDQ rBa, rBu; \ + XORQ rBo, rBu; \ + MOVQ rBu, _mo(oState); \ + M_RBE_RCU; \ + \ + /* Result s */ \ + MOVQ _bi(iState), rBa; \ + MOVQ _go(iState), rBe; \ + MOVQ _ku(iState), rBi; \ + XORQ rDi, rBa; \ + MOVQ _ma(iState), rBo; \ + ROLQ $62, rBa; \ + XORQ rDo, rBe; \ + MOVQ _se(iState), rBu; \ + ROLQ $55, rBe; \ + \ + XORQ rDu, rBi; \ + MOVQ rBa, rDu; \ + XORQ rDe, rBu; \ + ROLQ $2, rBu; \ + ANDQ rBe, rDu; \ + XORQ rBu, rDu; \ + MOVQ rDu, _su(oState); \ + \ + ROLQ $39, rBi; \ + S_RDU_RCU; \ + NOTQ rBe; \ + XORQ rDa, rBo; \ + MOVQ rBe, rDa; \ + ANDQ rBi, rDa; \ + 
XORQ rBa, rDa; \ + MOVQ rDa, _sa(oState); \ + S_RDA_RCA; \ + \ + ROLQ $41, rBo; \ + MOVQ rBi, rDe; \ + ORQ rBo, rDe; \ + XORQ rBe, rDe; \ + MOVQ rDe, _se(oState); \ + S_RDE_RCE; \ + \ + MOVQ rBo, rDi; \ + MOVQ rBu, rDo; \ + ANDQ rBu, rDi; \ + ORQ rBa, rDo; \ + XORQ rBi, rDi; \ + XORQ rBo, rDo; \ + MOVQ rDi, _si(oState); \ + MOVQ rDo, _so(oState) \ + +// func keccakF1600(a *[25]uint64) +TEXT ·keccakF1600(SB), 0, $200-8 + MOVQ a+0(FP), rpState + + // Convert the user state into an internal state + NOTQ _be(rpState) + NOTQ _bi(rpState) + NOTQ _go(rpState) + NOTQ _ki(rpState) + NOTQ _mi(rpState) + NOTQ _sa(rpState) + + // Execute the KeccakF permutation + MOVQ _ba(rpState), rCa + MOVQ _be(rpState), rCe + MOVQ _bu(rpState), rCu + + XORQ _ga(rpState), rCa + XORQ _ge(rpState), rCe + XORQ _gu(rpState), rCu + + XORQ _ka(rpState), rCa + XORQ _ke(rpState), rCe + XORQ _ku(rpState), rCu + + XORQ _ma(rpState), rCa + XORQ _me(rpState), rCe + XORQ _mu(rpState), rCu + + XORQ _sa(rpState), rCa + XORQ _se(rpState), rCe + MOVQ _si(rpState), rDi + MOVQ _so(rpState), rDo + XORQ _su(rpState), rCu + + mKeccakRound(rpState, rpStack, $0x0000000000000001, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x0000000000008082, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpState, rpStack, $0x800000000000808a, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x8000000080008000, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, 
XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpState, rpStack, $0x000000000000808b, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x0000000080000001, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpState, rpStack, $0x8000000080008081, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x8000000000008009, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpState, rpStack, $0x000000000000008a, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x0000000000000088, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpState, rpStack, $0x0000000080008009, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x000000008000000a, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpState, rpStack, $0x000000008000808b, MOVQ_RBI_RCE, 
XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x800000000000008b, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpState, rpStack, $0x8000000000008089, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x8000000000008003, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpState, rpStack, $0x8000000000008002, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x8000000000000080, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpState, rpStack, $0x000000000000800a, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x800000008000000a, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpState, rpStack, $0x8000000080008081, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, 
XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x8000000000008080, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpState, rpStack, $0x0000000080000001, MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) + mKeccakRound(rpStack, rpState, $0x8000000080008008, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP) + + // Revert the internal state to the user state + NOTQ _be(rpState) + NOTQ _bi(rpState) + NOTQ _go(rpState) + NOTQ _ki(rpState) + NOTQ _mi(rpState) + NOTQ _sa(rpState) + + RET diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/sha3.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/sha3.go new file mode 100644 index 00000000..b7ccb9b4 --- /dev/null +++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/sha3.go 
@@ -0,0 +1,199 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package shake
+
+import "hash"
+
+// spongeDirection indicates the direction bytes are flowing through the sponge.
+type spongeDirection int
+
+const (
+ // spongeAbsorbing indicates that the sponge is absorbing input.
+ spongeAbsorbing spongeDirection = iota
+ // spongeSqueezing indicates that the sponge is being squeezed.
+ spongeSqueezing
+)
+
+const (
+ // maxRate is the maximum size of the internal buffer. SHAKE-256
+ // currently needs the largest buffer.
+ maxRate = 168
+)
+
+type state struct {
+ // Generic sponge components.
+ a [25]uint64 // main state of the hash
+ buf []byte // points into storage
+ rate int // the number of bytes of state to use
+
+ // dsbyte contains the "domain separation" bits and the first bit of
+ // the padding. Sections 6.1 and 6.2 of [1] separate the outputs of the
+ // SHA-3 and SHAKE functions by appending bitstrings to the message.
+ // Using a little-endian bit-ordering convention, these are "01" for SHA-3
+ // and "1111" for SHAKE, or 00000010b and 00001111b, respectively. Then the
+ // padding rule from section 5.1 is applied to pad the message to a multiple
+ // of the rate, which involves adding a "1" bit, zero or more "0" bits, and
+ // a final "1" bit. We merge the first "1" bit from the padding into dsbyte,
+ // giving 00000110b (0x06) and 00011111b (0x1f).
+ // [1] http://csrc.nist.gov/publications/drafts/fips-202/fips_202_draft.pdf
+ // "Draft FIPS 202: SHA-3 Standard: Permutation-Based Hash and
+ // Extendable-Output Functions (May 2014)"
+ dsbyte byte
+ storage [maxRate]byte
+
+ // Specific to SHA-3 and SHAKE.
+ outputLen int // the default output size in bytes
+ state spongeDirection // whether the sponge is absorbing or squeezing
+}
+
+// BlockSize returns the rate of sponge underlying this hash function.
+func (d *state) BlockSize() int { return d.rate }
+
+// Size returns the output size of the hash function in bytes.
+func (d *state) Size() int { return d.outputLen }
+
+// Reset clears the internal state by zeroing the sponge state and
+// the byte buffer, and setting Sponge.state to absorbing.
+func (d *state) Reset() {
+ // Zero the permutation's state.
+ for i := range d.a {
+ d.a[i] = 0
+ }
+ d.state = spongeAbsorbing
+ d.buf = d.storage[:0]
+}
+
+func (d *state) clone(ret *state) {
+ // shallow copy
+ *ret = *d
+ // deep copy for a buf
+ if ret.state == spongeAbsorbing {
+ ret.buf = ret.storage[:len(d.buf)]
+ } else {
+ ret.buf = ret.storage[d.rate-len(d.buf) : d.rate]
+ }
+}
+
+// permute applies the KeccakF-1600 permutation. It handles
+// any input-output buffering.
+func (d *state) permute() {
+ switch d.state {
+ case spongeAbsorbing:
+ // If we're absorbing, we need to xor the input into the state
+ // before applying the permutation.
+ xorIn(d, d.buf)
+ d.buf = d.storage[:0]
+ keccakF1600(&d.a)
+ case spongeSqueezing:
+ // If we're squeezing, we need to apply the permutatin before
+ // copying more output.
+ keccakF1600(&d.a)
+ d.buf = d.storage[:d.rate]
+ copyOut(d, d.buf)
+ }
+}
+
+// pads appends the domain separation bits in dsbyte, applies
+// the multi-bitrate 10..1 padding rule, and permutes the state.
+func (d *state) padAndPermute(dsbyte byte) {
+ if d.buf == nil {
+ d.buf = d.storage[:0]
+ }
+ // Pad with this instance's domain-separator bits. We know that there's
+ // at least one byte of space in d.buf because, if it were full,
+ // permute would have been called to empty it. dsbyte also contains the
+ // first one bit for the padding. See the comment in the state struct.
+ d.buf = append(d.buf, dsbyte)
+ zerosStart := len(d.buf)
+ d.buf = d.storage[:d.rate]
+ for i := zerosStart; i < d.rate; i++ {
+ d.buf[i] = 0
+ }
+ // This adds the final one bit for the padding. Because of the way that
+ // bits are numbered from the LSB upwards, the final bit is the MSB of
+ // the last byte.
+ d.buf[d.rate-1] ^= 0x80
+ // Apply the permutation
+ d.permute()
+ d.state = spongeSqueezing
+ d.buf = d.storage[:d.rate]
+ copyOut(d, d.buf)
+}
+
+// Write absorbs more data into the hash's state. It produces an error
+// if more data is written to the ShakeHash after writing
+func (d *state) Write(p []byte) (int, error) {
+ if d.state != spongeAbsorbing {
+ panic("shake: write to sponge after read")
+ }
+ if d.buf == nil {
+ d.buf = d.storage[:0]
+ }
+ written := len(p)
+
+ for len(p) > 0 {
+ if len(d.buf) == 0 && len(p) >= d.rate {
+ // The fast path; absorb a full "rate" bytes of input and apply the permutation.
+ xorIn(d, p[:d.rate])
+ p = p[d.rate:]
+ keccakF1600(&d.a)
+ } else {
+ // The slow path; buffer the input until we can fill the sponge, and then xor it in.
+ todo := d.rate - len(d.buf)
+ if todo > len(p) {
+ todo = len(p)
+ }
+ d.buf = append(d.buf, p[:todo]...)
+ p = p[todo:]
+
+ // If the sponge is full, apply the permutation.
+ if len(d.buf) == d.rate {
+ d.permute()
+ }
+ }
+ }
+
+ return written, nil
+}
+
+// Read squeezes an arbitrary number of bytes from the sponge.
+func (d *state) Read(out []byte) (n int, err error) {
+ // If we're still absorbing, pad and apply the permutation.
+ if d.state == spongeAbsorbing {
+ d.padAndPermute(d.dsbyte)
+ }
+
+ n = len(out)
+
+ // Now, do the squeezing.
+ for len(out) > 0 {
+ n := copy(out, d.buf)
+ d.buf = d.buf[n:]
+ out = out[n:]
+
+ // Apply the permutation if we've squeezed the sponge dry.
+ if len(d.buf) == 0 {
+ d.permute()
+ }
+ }
+
+ return
+}
+
+// Sum applies padding to the hash state and then squeezes out the desired
+// number of output bytes.
+func (d *state) Sum(in []byte) []byte {
+ // Make a copy of the original hash so that caller can keep writing
+ // and summing.
+ var dup state
+ d.clone(&dup)
+ hash := make([]byte, dup.outputLen)
+ dup.Read(hash)
+ return append(in, hash...)
+}
+
+// Only use this function if you require compatibility with an existing cryptosystem
+// that uses non-standard padding. All other users should use New256 instead.
+func NewLegacyKeccak256() hash.Hash { return &state{rate: 136, outputLen: 32, dsbyte: 0x01} }
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/shake.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/shake.go
new file mode 100644
index 00000000..b21b0455
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/shake.go
@@ -0,0 +1,134 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package shake
+
+// This file defines the CShake struct, and provides
+// functions for creating SHAKE and cSHAKE instances, as well as utility
+// functions for hashing bytes to arbitrary-length output.
+//
+//
+// SHAKE implementation is based on FIPS PUB 202 [1]
+// cSHAKE implementations is based on NIST SP 800-185 [2]
+//
+// [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
+// [2] https://doi.org/10.6028/NIST.SP.800-185
+
+import (
+ "encoding/binary"
+)
+
+// cSHAKE specific context
+type CShake struct {
+ state // SHA-3 state context and Read/Write operations
+
+ // initBlock is the cSHAKE specific initialization set of bytes. It is initialized
+ // by newCShake function and stores concatenation of N followed by S, encoded
+ // by the method specified in 3.3 of [1].
+ // It is stored here in order for Reset() to be able to put context into
+ // initial state.
+ initBlock []byte
+}
+
+// Consts for configuring initial SHA-3 state
+const (
+ dsbyteShake = 0x1f
+ dsbyteCShake = 0x04
+ rate128 = 168
+ rate256 = 136
+)
+
+func bytepad(input []byte, w int) []byte {
+ // leftEncode always returns max 9 bytes
+ buf := make([]byte, 0, 9+len(input)+w)
+ buf = append(buf, leftEncode(uint64(w))...)
+ buf = append(buf, input...)
+ padlen := w - (len(buf) % w)
+ return append(buf, make([]byte, padlen)...)
+}
+
+func leftEncode(value uint64) []byte {
+ var b [9]byte
+ binary.BigEndian.PutUint64(b[1:], value)
+ // Trim all but last leading zero bytes
+ i := byte(1)
+ for i < 8 && b[i] == 0 {
+ i++
+ }
+ // Prepend number of encoded bytes
+ b[i-1] = 9 - i
+ return b[i-1:]
+}
+
+func newCShake(N, S []byte, rate int, dsbyte byte) *CShake {
+
+ // leftEncode returns max 9 bytes
+ initBlock := make([]byte, 0, 9*2+len(N)+len(S))
+ initBlock = append(initBlock, leftEncode(uint64(len(N)*8))...)
+ initBlock = append(initBlock, N...)
+ initBlock = append(initBlock, leftEncode(uint64(len(S)*8))...)
+ initBlock = append(initBlock, S...)
+
+ c := CShake{
+ state: state{rate: rate, dsbyte: dsbyte},
+ initBlock: bytepad(initBlock, rate),
+ }
+ c.Write(c.initBlock)
+ return &c
+}
+
+// Reset resets the hash to initial state.
+func (c *CShake) Reset() {
+ c.state.Reset()
+ c.Write(c.initBlock)
+}
+
+// Clone returns copy of a cSHAKE context within its current state.
+func (c *CShake) Clone() CShake {
+ var ret CShake
+ c.clone(&ret.state)
+ ret.initBlock = make([]byte, len(c.initBlock))
+ copy(ret.initBlock, c.initBlock)
+ return ret
+}
+
+// NewShake128 creates a new SHAKE128 variable-output-length CShake.
+// Its generic security strength is 128 bits against all attacks if at
+// least 32 bytes of its output are used.
+func NewShake128() *CShake {
+ return &CShake{state{rate: rate128, dsbyte: dsbyteShake}, nil}
+}
+
+// NewShake256 creates a new SHAKE256 variable-output-length CShake.
+// Its generic security strength is 256 bits against all attacks if
+// at least 64 bytes of its output are used.
+func NewShake256() *CShake {
+ return &CShake{state{rate: rate256, dsbyte: dsbyteShake}, nil}
+}
+
+// NewCShake128 creates a new instance of cSHAKE128 variable-output-length CShake,
+// a customizable variant of SHAKE128.
+// N is used to define functions based on cSHAKE, it can be empty when plain cSHAKE is
+// desired. S is a customization byte string used for domain separation - two cSHAKE
+// computations on same input with different S yield unrelated outputs.
+// When N and S are both empty, this is equivalent to NewShake128.
+func NewCShake128(N, S []byte) *CShake {
+ if len(N) == 0 && len(S) == 0 {
+ return NewShake128()
+ }
+ return newCShake(N, S, rate128, dsbyteCShake)
+}
+
+// NewCShake256 creates a new instance of cSHAKE256 variable-output-length CShake,
+// a customizable variant of SHAKE256.
+// N is used to define functions based on cSHAKE, it can be empty when plain cSHAKE is
+// desired. S is a customization byte string used for domain separation - two cSHAKE
+// computations on same input with different S yield unrelated outputs.
+// When N and S are both empty, this is equivalent to NewShake256.
+func NewCShake256(N, S []byte) *CShake {
+ if len(N) == 0 && len(S) == 0 {
+ return NewShake256()
+ }
+ return newCShake(N, S, rate256, dsbyteCShake)
+}
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/xor_generic.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/xor_generic.go
new file mode 100644
index 00000000..867cab3c
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/xor_generic.go
@@ -0,0 +1,30 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !amd64,!386,!ppc64le
+
+package shake
+
+import "encoding/binary"
+
+// xorInGeneric xors the bytes in buf into the state; it
+// makes no non-portable assumptions about memory layout
+// or alignment.
+func xorIn(d *state, buf []byte) {
+ n := len(buf) / 8
+
+ for i := 0; i < n; i++ {
+ a := binary.LittleEndian.Uint64(buf)
+ d.a[i] ^= a
+ buf = buf[8:]
+ }
+}
+
+// copyOutGeneric copies ulint64s to a byte buffer.
+func copyOut(d *state, b []byte) {
+ for i := 0; len(b) >= 8; i++ {
+ binary.LittleEndian.PutUint64(b, d.a[i])
+ b = b[8:]
+ }
+}
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/xor_unaligned.go b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/xor_unaligned.go
new file mode 100644
index 00000000..d7348f0a
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/internal/shake/xor_unaligned.go
@@ -0,0 +1,51 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build amd64 386 ppc64le
+// +build !appengine
+
+package shake
+
+import "unsafe"
+
+func xorIn(d *state, buf []byte) {
+ bw := (*[maxRate / 8]uint64)(unsafe.Pointer(&buf[0]))
+ n := len(buf)
+ if n >= 72 {
+ d.a[0] ^= bw[0]
+ d.a[1] ^= bw[1]
+ d.a[2] ^= bw[2]
+ d.a[3] ^= bw[3]
+ d.a[4] ^= bw[4]
+ d.a[5] ^= bw[5]
+ d.a[6] ^= bw[6]
+ d.a[7] ^= bw[7]
+ d.a[8] ^= bw[8]
+ }
+ if n >= 104 {
+ d.a[9] ^= bw[9]
+ d.a[10] ^= bw[10]
+ d.a[11] ^= bw[11]
+ d.a[12] ^= bw[12]
+ }
+ if n >= 136 {
+ d.a[13] ^= bw[13]
+ d.a[14] ^= bw[14]
+ d.a[15] ^= bw[15]
+ d.a[16] ^= bw[16]
+ }
+ if n >= 144 {
+ d.a[17] ^= bw[17]
+ }
+ if n >= 168 {
+ d.a[18] ^= bw[18]
+ d.a[19] ^= bw[19]
+ d.a[20] ^= bw[20]
+ }
+}
+
+func copyOut(d *state, buf []byte) {
+ ab := (*[maxRate]uint8)(unsafe.Pointer(&d.a[0]))
+ copy(buf, ab[:])
+}
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/sidh.go b/vendor/github.com/cloudflare/circl/dh/sidh/sidh.go
new file mode 100644
index 00000000..7397ff53
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/sidh.go
@@ -0,0 +1,267 @@
+package sidh
+
+import (
+ "errors"
+ "io"
+
+ "github.com/cloudflare/circl/dh/sidh/internal/common"
+ "github.com/cloudflare/circl/dh/sidh/internal/p503"
+ "github.com/cloudflare/circl/dh/sidh/internal/p751"
+)
+
+// I keep it bool in order to be able to apply logical NOT
+type KeyVariant uint
+
+// Base type for public and private key. Used mainly to carry domain
+// parameters.
+type key struct {
+ // Domain parameters of the algorithm to be used with a key
+ params *common.SidhParams
+ // Flag indicates wether corresponds to 2-, 3-torsion group or SIKE
+ keyVariant KeyVariant
+}
+
+// Defines operations on public key
+type PublicKey struct {
+ key
+ // x-coordinates of P,Q,P-Q in this exact order
+ affine3Pt [3]common.Fp2
+}
+
+// Defines operations on private key
+type PrivateKey struct {
+ key
+ // Secret key
+ Scalar []byte
+ // Used only by KEM
+ S []byte
+}
+
+// Id's correspond to bitlength of the prime field characteristic
+// Currently Fp751 is the only one supported by this implementation
+const (
+ Fp503 = common.Fp503
+ Fp751 = common.Fp751
+)
+
+const (
+ // First 2 bits identify SIDH variant third bit indicates
+ // wether key is a SIKE variant (set) or SIDH (not set)
+
+ // 001 - SIDH: corresponds to 2-torsion group
+ KeyVariantSidhA KeyVariant = 1 << 0
+ // 010 - SIDH: corresponds to 3-torsion group
+ KeyVariantSidhB = 1 << 1
+ // 110 - SIKE
+ KeyVariantSike = 1<<2 | KeyVariantSidhB
+)
+
+// Accessor to key variant
+func (key *key) Variant() KeyVariant {
+ return key.keyVariant
+}
+
+// NewPublicKey initializes public key.
+// Usage of this function guarantees that the object is correctly initialized.
+func NewPublicKey(id uint8, v KeyVariant) *PublicKey {
+ return &PublicKey{key: key{params: common.Params(id), keyVariant: v}}
+}
+
+// Import clears content of the public key currently stored in the structure
+// and imports key stored in the byte string. Returns error in case byte string
+// size is wrong. Doesn't perform any validation.
+func (pub *PublicKey) Import(input []byte) error {
+ if len(input) != pub.Size() {
+ return errors.New("sidh: input to short")
+ }
+ ssSz := pub.params.SharedSecretSize
+ common.BytesToFp2(&pub.affine3Pt[0], input[0:ssSz], pub.params.Bytelen)
+ common.BytesToFp2(&pub.affine3Pt[1], input[ssSz:2*ssSz], pub.params.Bytelen)
+ common.BytesToFp2(&pub.affine3Pt[2], input[2*ssSz:3*ssSz], pub.params.Bytelen)
+ switch pub.params.ID {
+ case Fp503:
+ p503.ToMontgomery(&pub.affine3Pt[0], &pub.affine3Pt[0])
+ p503.ToMontgomery(&pub.affine3Pt[1], &pub.affine3Pt[1])
+ p503.ToMontgomery(&pub.affine3Pt[2], &pub.affine3Pt[2])
+ case Fp751:
+ p751.ToMontgomery(&pub.affine3Pt[0], &pub.affine3Pt[0])
+ p751.ToMontgomery(&pub.affine3Pt[1], &pub.affine3Pt[1])
+ p751.ToMontgomery(&pub.affine3Pt[2], &pub.affine3Pt[2])
+ default:
+ panic("Unsupported key")
+ }
+ return nil
+}
+
+// Exports currently stored key. In case structure hasn't been filled with key data
+// returned byte string is filled with zeros.
+func (pub *PublicKey) Export(out []byte) {
+ var feTmp [3]common.Fp2
+ ssSz := pub.params.SharedSecretSize
+ switch pub.params.ID {
+ case Fp503:
+ p503.FromMontgomery(&feTmp[0], &pub.affine3Pt[0])
+ p503.FromMontgomery(&feTmp[1], &pub.affine3Pt[1])
+ p503.FromMontgomery(&feTmp[2], &pub.affine3Pt[2])
+ case Fp751:
+ p751.FromMontgomery(&feTmp[0], &pub.affine3Pt[0])
+ p751.FromMontgomery(&feTmp[1], &pub.affine3Pt[1])
+ p751.FromMontgomery(&feTmp[2], &pub.affine3Pt[2])
+ default:
+ panic("Unsupported key")
+ }
+ common.Fp2ToBytes(out[0:ssSz], &feTmp[0], pub.params.Bytelen)
+ common.Fp2ToBytes(out[ssSz:2*ssSz], &feTmp[1], pub.params.Bytelen)
+ common.Fp2ToBytes(out[2*ssSz:3*ssSz], &feTmp[2], pub.params.Bytelen)
+}
+
+// Size returns size of the public key in bytes
+func (pub *PublicKey) Size() int {
+ return pub.params.PublicKeySize
+}
+
+// NewPrivateKey initializes private key.
+// Usage of this function guarantees that the object is correctly initialized.
+func NewPrivateKey(id uint8, v KeyVariant) *PrivateKey {
+ prv := &PrivateKey{key: key{params: common.Params(id), keyVariant: v}}
+ if (v & KeyVariantSidhA) == KeyVariantSidhA {
+ prv.Scalar = make([]byte, prv.params.A.SecretByteLen)
+ } else {
+ prv.Scalar = make([]byte, prv.params.B.SecretByteLen)
+ }
+ if v == KeyVariantSike {
+ prv.S = make([]byte, prv.params.MsgLen)
+ }
+ return prv
+}
+
+// Exports currently stored key. In case structure hasn't been filled with key data
+// returned byte string is filled with zeros.
+func (prv *PrivateKey) Export(out []byte) {
+ copy(out, prv.S)
+ copy(out[len(prv.S):], prv.Scalar)
+}
+
+// Size returns size of the private key in bytes
+func (prv *PrivateKey) Size() int {
+ tmp := len(prv.Scalar)
+ if prv.Variant() == KeyVariantSike {
+ tmp += prv.params.MsgLen
+ }
+ return tmp
+}
+
+// Size returns size of the shared secret
+func (prv *PrivateKey) SharedSecretSize() int {
+ return prv.params.SharedSecretSize
+}
+
+// Import clears content of the private key currently stored in the structure
+// and imports key from octet string. In case of SIKE, the random value 'S'
+// must be prepended to the value of actual private key (see SIKE spec for details).
+// Function doesn't import public key value to PrivateKey object.
+func (prv *PrivateKey) Import(input []byte) error {
+ if len(input) != prv.Size() {
+ return errors.New("sidh: input to short")
+ }
+ copy(prv.S, input[:len(prv.S)])
+ copy(prv.Scalar, input[len(prv.S):])
+ return nil
+}
+
+// Generates random private key for SIDH or SIKE. Generated value is
+// formed as little-endian integer from key-space <2^(e2-1)..2^e2 - 1>
+// for KeyVariant_A or <2^(s-1)..2^s - 1>, where s = floor(log_2(3^e3)),
+// for KeyVariant_B.
+//
+// Returns error in case user provided RNG fails.
+func (prv *PrivateKey) Generate(rand io.Reader) error {
+ var dp *common.DomainParams
+
+ if (prv.keyVariant & KeyVariantSidhA) == KeyVariantSidhA {
+ dp = &prv.params.A
+ } else {
+ dp = &prv.params.B
+ }
+
+ if prv.keyVariant == KeyVariantSike {
+ if _, err := io.ReadFull(rand, prv.S); err != nil {
+ return err
+ }
+ }
+
+ // Private key generation takes advantage of the fact that keyspace for secret
+ // key is (0, 2^x - 1), for some possitivite value of 'x' (see SIKE, 1.3.8).
+ // It means that all bytes in the secret key, but the last one, can take any
+ // value between <0x00,0xFF>. Similarly for the last byte, but generation
+ // needs to chop off some bits, to make sure generated value is an element of
+ // a key-space.
+ if _, err := io.ReadFull(rand, prv.Scalar); err != nil {
+ return err
+ }
+
+ prv.Scalar[len(prv.Scalar)-1] &= (1 << (dp.SecretBitLen % 8)) - 1
+ // Make sure scalar is SecretBitLen long. SIKE spec says that key
+ // space starts from 0, but I'm not comfortable with having low
+ // value scalars used for private keys. It is still secrure as per
+ // table 5.1 in [SIKE].
+ prv.Scalar[len(prv.Scalar)-1] |= 1 << ((dp.SecretBitLen % 8) - 1)
+
+ return nil
+}
+
+// Generates public key.
+func (prv *PrivateKey) GeneratePublicKey(pub *PublicKey) {
+ var isA = (prv.keyVariant & KeyVariantSidhA) == KeyVariantSidhA
+
+ if (pub.keyVariant != prv.keyVariant) || (pub.params.ID != prv.params.ID) {
+ panic("sidh: incompatbile public key")
+ }
+
+ switch prv.params.ID {
+ case Fp503:
+ if isA {
+ p503.PublicKeyGenA(&pub.affine3Pt, prv.Scalar)
+ } else {
+ p503.PublicKeyGenB(&pub.affine3Pt, prv.Scalar)
+ }
+ case Fp751:
+ if isA {
+ p751.PublicKeyGenA(&pub.affine3Pt, prv.Scalar)
+ } else {
+ p751.PublicKeyGenB(&pub.affine3Pt, prv.Scalar)
+ }
+ default:
+ panic("Field not supported")
+ }
+}
+
+// Computes a SIDH shared secret. Function requires that pub has different
+// KeyVariant than prv. Length of returned output is 2*ceil(log_2 P)/8),
+// where P is a prime defining finite field.
+//
+// Caller must make sure key SIDH key pair is not used more than once.
+func (prv *PrivateKey) DeriveSecret(ss []byte, pub *PublicKey) {
+ var isA = (prv.keyVariant & KeyVariantSidhA) == KeyVariantSidhA
+
+ if (pub.keyVariant == prv.keyVariant) || (pub.params.ID != prv.params.ID) {
+ panic("sidh: public and private are incompatbile")
+ }
+
+ switch prv.params.ID {
+ case Fp503:
+ if isA {
+ p503.DeriveSecretA(ss, prv.Scalar, &pub.affine3Pt)
+ } else {
+ p503.DeriveSecretB(ss, prv.Scalar, &pub.affine3Pt)
+ }
+ case Fp751:
+ if isA {
+ p751.DeriveSecretA(ss, prv.Scalar, &pub.affine3Pt)
+ } else {
+ p751.DeriveSecretB(ss, prv.Scalar, &pub.affine3Pt)
+ }
+ default:
+ panic("Field not supported")
+ }
+}
diff --git a/vendor/github.com/cloudflare/circl/dh/sidh/sike.go b/vendor/github.com/cloudflare/circl/dh/sidh/sike.go
new file mode 100644
index 00000000..801a2ac2
--- /dev/null
+++ b/vendor/github.com/cloudflare/circl/dh/sidh/sike.go
@@ -0,0 +1,260 @@
+package sidh
+
+import (
+ "crypto/subtle"
+ "errors"
+ "io"
+
+ "github.com/cloudflare/circl/dh/sidh/internal/common"
+ "github.com/cloudflare/circl/dh/sidh/internal/shake"
+)
+
+// SIKE KEM interface
+type KEM struct {
+ allocated bool
+ rng io.Reader
+ msg []byte
+ secretBytes []byte
+ params *common.SidhParams
+ cshakeG, cshakeH, cshakeF *shake.CShake
+}
+
+// NewSike503 instantiates SIKE/p503 KEM
+func NewSike503(rng io.Reader) *KEM {
+ var c KEM
+ c.Allocate(Fp503, rng)
+ return &c
+}
+
+// NewSike751 instantiates SIKE/p751 KEM
+func NewSike751(rng io.Reader) *KEM {
+ var c KEM
+ c.Allocate(Fp751, rng)
+ return &c
+}
+
+// Allocate allocates KEM object for multiple SIKE operations. The rng
+// must be cryptographically secure PRNG.
+func (c *KEM) Allocate(id uint8, rng io.Reader) {
+ // Constants used for cSHAKE customization
+ // Those values are different than in [SIKE] - they are encoded on 16bits. This is
+ // done in order for implementation to be compatible with [REF] and test vectors.
+ var G = []byte{0x00, 0x00}
+ var H = []byte{0x01, 0x00}
+ var F = []byte{0x02, 0x00}
+
+ c.cshakeG = shake.NewCShake256(nil, G)
+ c.cshakeH = shake.NewCShake256(nil, H)
+ c.cshakeF = shake.NewCShake256(nil, F)
+ c.rng = rng
+ c.params = common.Params(id)
+ c.msg = make([]byte, c.params.MsgLen)
+ c.secretBytes = make([]byte, c.params.A.SecretByteLen)
+ c.allocated = true
+}
+
+// Encapsulate receives the public key and generates SIKE ciphertext and shared secret.
+// The generated ciphertext is used for authentication.
+// Error is returned in case PRNG fails. Function panics in case wrongly formated
+// input was provided.
+func (c *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error {
+ if !c.allocated {
+ panic("KEM unallocated")
+ }
+
+ if KeyVariantSike != pub.keyVariant {
+ panic("Wrong type of public key")
+ }
+
+ if len(secret) < c.SharedSecretSize() {
+ panic("shared secret buffer to small")
+ }
+
+ if len(ciphertext) < c.CiphertextSize() {
+ panic("ciphertext buffer to small")
+ }
+
+ // Generate ephemeral value
+ _, err := io.ReadFull(c.rng, c.msg[:])
+ if err != nil {
+ return err
+ }
+
+ var buf [3 * common.MaxSharedSecretBsz]byte
+ var skA = PrivateKey{
+ key: key{
+ params: c.params,
+ keyVariant: KeyVariantSidhA},
+ Scalar: c.secretBytes}
+ var pkA = NewPublicKey(c.params.ID, KeyVariantSidhA)
+
+ pub.Export(buf[:])
+ c.cshakeG.Reset()
+ c.cshakeG.Write(c.msg)
+ c.cshakeG.Write(buf[:3*c.params.SharedSecretSize])
+ c.cshakeG.Read(skA.Scalar)
+
+ // Ensure bitlength is not bigger then to 2^e2-1
+ skA.Scalar[len(skA.Scalar)-1] &= (1 << (c.params.A.SecretBitLen % 8)) - 1
+ skA.GeneratePublicKey(pkA)
+ c.generateCiphertext(ciphertext, &skA, pkA, pub, c.msg[:])
+
+ // K = H(msg||(c0||c1))
+ c.cshakeH.Reset()
+ c.cshakeH.Write(c.msg)
+ c.cshakeH.Write(ciphertext)
+ c.cshakeH.Read(secret[:c.SharedSecretSize()])
+ return nil
+}
+
+// Decapsulate given the keypair and ciphertext as inputs, Decapsulate outputs a shared
+// secret if plaintext verifies correctly, otherwise function outputs random value.
+// Decapsulation may panic in case input is wrongly formated, in particular, size of
+// the 'ciphertext' must be exactly equal to c.CiphertextSize().
+func (c *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, ciphertext []byte) error {
+ if !c.allocated {
+ panic("KEM unallocated")
+ }
+
+ if KeyVariantSike != pub.keyVariant {
+ panic("Wrong type of public key")
+ }
+
+ if pub.keyVariant != prv.keyVariant {
+ panic("Public and private key are of different type")
+ }
+
+ if len(secret) < c.SharedSecretSize() {
+ panic("shared secret buffer to small")
+ }
+
+ if len(ciphertext) != c.CiphertextSize() {
+ panic("ciphertext buffer to small")
+ }
+
+ var m [common.MaxMsgBsz]byte
+ var r [common.MaxSidhPrivateKeyBsz]byte
+ var pkBytes [3 * common.MaxSharedSecretBsz]byte
+ var skA = PrivateKey{
+ key: key{
+ params: c.params,
+ keyVariant: KeyVariantSidhA},
+ Scalar: c.secretBytes}
+ var pkA = NewPublicKey(c.params.ID, KeyVariantSidhA)
+ c1Len := c.decrypt(m[:], prv, ciphertext)
+
+ // r' = G(m'||pub)
+ pub.Export(pkBytes[:])
+ c.cshakeG.Reset()
+ c.cshakeG.Write(m[:c1Len])
+ c.cshakeG.Write(pkBytes[:3*c.params.SharedSecretSize])
+ c.cshakeG.Read(r[:c.params.A.SecretByteLen])
+ // Ensure bitlength is not bigger than 2^e2-1
+ r[c.params.A.SecretByteLen-1] &= (1 << (c.params.A.SecretBitLen % 8)) - 1
+
+ // Never fails
+ skA.Import(r[:c.params.A.SecretByteLen])
+ skA.GeneratePublicKey(pkA)
+ pkA.Export(pkBytes[:])
+
+ // S is chosen at random when generating a key and unknown to other party. It is
+ // important that S is unpredictable to the other party. Without this check, would
+ // be possible to recover a secret, by providing series of invalid ciphertexts.
+ //
+ // See more details in "On the security of supersingular isogeny cryptosystems"
+ // (S. Galbraith, et al., 2016, ePrint #859).
+ mask := subtle.ConstantTimeCompare(pkBytes[:c.params.PublicKeySize], ciphertext[:pub.params.PublicKeySize])
+ common.Cpick(mask, m[:c1Len], m[:c1Len], prv.S)
+ c.cshakeH.Reset()
+ c.cshakeH.Write(m[:c1Len])
+ c.cshakeH.Write(ciphertext)
+ c.cshakeH.Read(secret[:c.SharedSecretSize()])
+ return nil
+}
+
+// Resets internal state of KEM. Function should be used
+// after Allocate and between subsequent calls to Encapsulate
+// and/or Decapsulate.
+func (c *KEM) Reset() {
+ for i := range c.msg {
+ c.msg[i] = 0
+ }
+
+ for i := range c.secretBytes {
+ c.secretBytes[i] = 0
+ }
+}
+
+// Returns size of resulting ciphertext
+func (c *KEM) CiphertextSize() int {
+ return c.params.CiphertextSize
+}
+
+// Returns size of resulting shared secret
+func (c *KEM) SharedSecretSize() int {
+ return c.params.KemSize
+}
+
+func (c *KEM) generateCiphertext(ctext []byte, skA *PrivateKey, pkA, pkB *PublicKey, ptext []byte) {
+ var n [common.MaxMsgBsz]byte
+ var j [common.MaxSharedSecretBsz]byte
+ var ptextLen = skA.params.MsgLen
+
+ skA.DeriveSecret(j[:], pkB)
+ c.cshakeF.Reset()
+ c.cshakeF.Write(j[:skA.params.SharedSecretSize])
+ c.cshakeF.Read(n[:ptextLen])
+ for i := range ptext {
+ n[i] ^= ptext[i]
+ }
+
+ pkA.Export(ctext)
+ copy(ctext[pkA.Size():], n[:ptextLen])
+}
+
+// encrypt uses SIKE public key to encrypt plaintext. Requires cryptographically secure
+// PRNG. Returns ciphertext in case encryption succeeds. Returns error in case PRNG fails
+// or wrongly formated input was provided.
+func (c *KEM) encrypt(ctext []byte, rng io.Reader, pub *PublicKey, ptext []byte) error {
+ var ptextLen = len(ptext)
+ // c1 must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)
+ if ptextLen != (pub.params.KemSize + 8) {
+ return errors.New("unsupported message length")
+ }
+
+ skA := NewPrivateKey(pub.params.ID, KeyVariantSidhA)
+ pkA := NewPublicKey(pub.params.ID, KeyVariantSidhA)
+ err := skA.Generate(rng)
+ if err != nil {
+ return err
+ }
+
+ skA.GeneratePublicKey(pkA)
+ c.generateCiphertext(ctext, skA, pkA, pub, ptext)
+ return nil
+}
+
+// decrypt uses SIKE private key to decrypt ciphertext. Returns plaintext in case
+// decryption succeeds or error in case unexptected input was provided.
+// Constant time
+func (c *KEM) decrypt(n []byte, prv *PrivateKey, ctext []byte) int {
+ var c1Len int
+ var j [common.MaxSharedSecretBsz]byte
+ var pkLen = prv.params.PublicKeySize
+
+ // ctext is a concatenation of (ciphertext = pubkey_A || c1)
+ // it must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)
+ // Lengths has been already checked by Decapsulate()
+ c1Len = len(ctext) - pkLen
+ c0 := NewPublicKey(prv.params.ID, KeyVariantSidhA)
+ // Never fails
+ c0.Import(ctext[:pkLen])
+ prv.DeriveSecret(j[:], c0)
+ c.cshakeF.Reset()
+ c.cshakeF.Write(j[:prv.params.SharedSecretSize])
+ c.cshakeF.Read(n[:c1Len])
+ for i := range n[:c1Len] {
+ n[i] ^= ctext[pkLen+i]
+ }
+ return c1Len
+}
diff --git a/vendor/github.com/cloudflare/odoh-go/LICENSE.md b/vendor/github.com/cloudflare/odoh-go/LICENSE.md
new file mode 100644
index 00000000..dbda78c6
--- /dev/null
+++ b/vendor/github.com/cloudflare/odoh-go/LICENSE.md
@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2019-2020, Cloudflare, Inc. and Apple, Inc. All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/cloudflare/odoh-go/README.md b/vendor/github.com/cloudflare/odoh-go/README.md
new file mode 100644
index 00000000..f46830ca
--- /dev/null
+++ b/vendor/github.com/cloudflare/odoh-go/README.md
@@ -0,0 +1,20 @@
+# odoh-go
+
+[![Coverage Status](https://coveralls.io/repos/github/cloudflare/odoh-go/badge.svg?branch=master)](https://coveralls.io/github/cloudflare/odoh-go?branch=master)
+[![GoDoc](https://godoc.org/github.com/cloudflare/odoh-go?status.svg)](https://godoc.org/github.com/cloudflare/odoh-go)
+
+This library implements draft -03 of [Oblivious DoH](https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-03). It is based on the original implementation [available here](https://github.com/chris-wood/odoh).
+
+## Test vector generation
+
+To generate test vectors, run:
+
+```
+$ ODOH_TEST_VECTORS_OUT=test-vectors.json go test -v -run TestVectorGenerate
+```
+
+To check test vectors, run:
+
+```
+$ ODOH_TEST_VECTORS_IN=test-vectors.json go test -v -run TestVectorVerify
+```
diff --git a/vendor/github.com/cloudflare/odoh-go/codec.go b/vendor/github.com/cloudflare/odoh-go/codec.go
new file mode 100644
index 00000000..97ad4388
--- /dev/null
+++ b/vendor/github.com/cloudflare/odoh-go/codec.go
@@ -0,0 +1,47 @@
+// The MIT License
+//
+// Copyright (c) 2019-2020, Cloudflare, Inc. and Apple, Inc. All rights reserved.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+package odoh
+
+import (
+ "encoding/binary"
+ "fmt"
+)
+
+func encodeLengthPrefixedSlice(slice []byte) []byte {
+ result := make([]byte, 2)
+ binary.BigEndian.PutUint16(result, uint16(len(slice)))
+ return append(result, slice...)
+}
+
+func decodeLengthPrefixedSlice(slice []byte) ([]byte, int, error) {
+ if len(slice) < 2 {
+ return nil, 0, fmt.Errorf("Expected at least 2 bytes of length encoded prefix")
+ }
+
+ length := binary.BigEndian.Uint16(slice)
+ if int(2+length) > len(slice) {
+ return nil, 0, fmt.Errorf("Insufficient data. Expected %d, got %d", 2+length, len(slice))
+ }
+
+ return slice[2 : 2+length], int(2 + length), nil
+}
diff --git a/vendor/github.com/cloudflare/odoh-go/go.mod b/vendor/github.com/cloudflare/odoh-go/go.mod
new file mode 100644
index 00000000..99a6ec32
--- /dev/null
+++ b/vendor/github.com/cloudflare/odoh-go/go.mod
@@ -0,0 +1,5 @@
+module github.com/cloudflare/odoh-go
+
+go 1.14
+
+require github.com/cisco/go-hpke v0.0.0-20201023221920-2866d2aa0603
diff --git a/vendor/github.com/cloudflare/odoh-go/messages.go b/vendor/github.com/cloudflare/odoh-go/messages.go
new file mode 100644
index 00000000..457b8ee4
--- /dev/null
+++ b/vendor/github.com/cloudflare/odoh-go/messages.go
@@ -0,0 +1,176 @@
+// The MIT License
+//
+// Copyright (c) 2019-2020, Cloudflare, Inc. and Apple, Inc. All rights reserved.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+package odoh
+
+import (
+ "encoding/binary"
+ "fmt"
+)
+
+type ObliviousMessageType uint8
+
+const (
+ QueryType ObliviousMessageType = 0x01
+ ResponseType ObliviousMessageType = 0x02
+)
+
+//
+// struct {
+// opaque dns_message<1..2^16-1>;
+// opaque padding<0..2^16-1>;
+// } ObliviousDoHQueryBody;
+//
+type ObliviousDNSMessageBody struct {
+ DnsMessage []byte
+ Padding []byte
+}
+
+func (m ObliviousDNSMessageBody) Marshal() []byte {
+ return append(encodeLengthPrefixedSlice(m.DnsMessage), encodeLengthPrefixedSlice(m.Padding)...)
+}
+
+func UnmarshalMessageBody(data []byte) (ObliviousDNSMessageBody, error) {
+ messageLength := binary.BigEndian.Uint16(data)
+ if int(2+messageLength) > len(data) {
+ return ObliviousDNSMessageBody{}, fmt.Errorf("Invalid DNS message length")
+ }
+ message := data[2 : 2+messageLength]
+
+ paddingLength := binary.BigEndian.Uint16(data[2+messageLength:])
+ if int(2+messageLength+2+paddingLength) > len(data) {
+ return ObliviousDNSMessageBody{}, fmt.Errorf("Invalid DNS padding length")
+ }
+
+ padding := data[2+messageLength+2 : 2+messageLength+2+paddingLength]
+ return ObliviousDNSMessageBody{
+ DnsMessage: message,
+ Padding: padding,
+ }, nil
+}
+
+func (m ObliviousDNSMessageBody) Message() []byte {
+ return m.DnsMessage
+}
+
+type ObliviousDNSQuery struct {
+ ObliviousDNSMessageBody
+}
+
+func CreateObliviousDNSQuery(query []byte, paddingBytes uint16) *ObliviousDNSQuery {
+ msg := ObliviousDNSMessageBody{
+ DnsMessage: query,
+ Padding: make([]byte, int(paddingBytes)),
+ }
+ return &ObliviousDNSQuery{
+ msg,
+ }
+}
+
+func UnmarshalQueryBody(data []byte) (*ObliviousDNSQuery, error) {
+ msg, err := UnmarshalMessageBody(data)
+ if err != nil {
+ return nil, err
+ }
+
+ return &ObliviousDNSQuery{msg}, nil
+}
+
+type ObliviousDNSResponse struct {
+ ObliviousDNSMessageBody
+}
+
+func CreateObliviousDNSResponse(response []byte, paddingBytes uint16) *ObliviousDNSResponse {
+ msg := ObliviousDNSMessageBody{
+ DnsMessage: response,
+ Padding: make([]byte, int(paddingBytes)),
+ }
+ return &ObliviousDNSResponse{
+ msg,
+ }
+}
+
+func UnmarshalResponseBody(data []byte) (*ObliviousDNSResponse, error) {
+ msg, err := UnmarshalMessageBody(data)
+ if err != nil {
+ return nil, err
+ }
+
+ return &ObliviousDNSResponse{msg}, nil
+}
+
+//
+// struct {
+// uint8 message_type;
+// opaque key_id<0..2^16-1>;
+// opaque encrypted_message<1..2^16-1>;
+// } ObliviousDoHMessage;
+//
+type ObliviousDNSMessage struct {
+ MessageType ObliviousMessageType
+ KeyID []byte
+ EncryptedMessage []byte
+}
+
+func (m ObliviousDNSMessage) Type() ObliviousMessageType {
+ return m.MessageType
+}
+
+func CreateObliviousDNSMessage(messageType ObliviousMessageType, keyID []byte, encryptedMessage []byte) *ObliviousDNSMessage {
+ return &ObliviousDNSMessage{
+ MessageType: messageType,
+ KeyID: keyID,
+ EncryptedMessage: encryptedMessage,
+ }
+}
+
+func (m ObliviousDNSMessage) Marshal() []byte {
+ encodedKey := encodeLengthPrefixedSlice(m.KeyID)
+ encodedMessage := encodeLengthPrefixedSlice(m.EncryptedMessage)
+
+ result := append([]byte{uint8(m.MessageType)}, encodedKey...)
+ result = append(result, encodedMessage...)
+
+ return result
+}
+
+func UnmarshalDNSMessage(data []byte) (ObliviousDNSMessage, error) {
+ if len(data) < 1 {
+ return ObliviousDNSMessage{}, fmt.Errorf("Invalid data length: %d", len(data))
+ }
+
+ messageType := data[0]
+ keyID, messageOffset, err := decodeLengthPrefixedSlice(data[1:])
+ if err != nil {
+ return ObliviousDNSMessage{}, err
+ }
+ encryptedMessage, _, err := decodeLengthPrefixedSlice(data[1+messageOffset:])
+ if err != nil {
+ return ObliviousDNSMessage{}, err
+ }
+
+ return ObliviousDNSMessage{
+ MessageType: ObliviousMessageType(messageType),
+ KeyID: keyID,
+ EncryptedMessage: encryptedMessage,
+ }, nil
+}
diff --git a/vendor/github.com/cloudflare/odoh-go/odoh.go b/vendor/github.com/cloudflare/odoh-go/odoh.go
new file mode 100644
index 00000000..21522b28
--- /dev/null
+++ b/vendor/github.com/cloudflare/odoh-go/odoh.go
@@ -0,0 +1,564 @@
+// The MIT License
+//
+// Copyright (c) 2019-2020, Cloudflare, Inc. and Apple, Inc. All rights reserved.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+package odoh
+
+import (
+ "crypto/rand"
+ "crypto/subtle"
+ "encoding/binary"
+ "errors"
+ "fmt"
+ "github.com/cisco/go-hpke"
+)
+
+const (
+ ODOH_VERSION = uint16(0xff03)
+ ODOH_SECRET_LENGTH = 32
+ ODOH_PADDING_BYTE = uint8(0)
+ ODOH_LABEL_KEY_ID = "odoh key id"
+ ODOH_LABEL_KEY = "odoh key"
+ ODOH_LABEL_NONCE = "odoh nonce"
+ ODOH_LABEL_SECRET = "odoh secret"
+ ODOH_LABEL_QUERY = "odoh query"
+ ODOH_DEFAULT_KEMID hpke.KEMID = hpke.DHKEM_X25519
+ ODOH_DEFAULT_KDFID hpke.KDFID = hpke.KDF_HKDF_SHA256
+ ODOH_DEFAULT_AEADID hpke.AEADID = hpke.AEAD_AESGCM128
+)
+
+type ObliviousDoHConfigContents struct {
+ KemID hpke.KEMID
+ KdfID hpke.KDFID
+ AeadID hpke.AEADID
+ PublicKeyBytes []byte
+}
+
+func CreateObliviousDoHConfigContents(kemID hpke.KEMID, kdfID hpke.KDFID, aeadID hpke.AEADID, publicKeyBytes []byte) (ObliviousDoHConfigContents, error) {
+ suite, err := hpke.AssembleCipherSuite(kemID, kdfID, aeadID)
+ if err != nil {
+ return ObliviousDoHConfigContents{}, err
+ }
+
+ _, err = suite.KEM.Deserialize(publicKeyBytes)
+ if err != nil {
+ return ObliviousDoHConfigContents{}, err
+ }
+
+ return ObliviousDoHConfigContents{
+ KemID: kemID,
+ KdfID: kdfID,
+ AeadID: aeadID,
+ PublicKeyBytes: publicKeyBytes,
+ }, nil
+}
+
+func (k ObliviousDoHConfigContents) KeyID() []byte {
+ suite, err := hpke.AssembleCipherSuite(k.KemID, k.KdfID, k.AeadID)
+ if err != nil {
+ return nil
+ }
+
+ identifiers := make([]byte, 8)
+ binary.BigEndian.PutUint16(identifiers[0:], uint16(k.KemID))
+ binary.BigEndian.PutUint16(identifiers[2:], uint16(k.KdfID))
+ binary.BigEndian.PutUint16(identifiers[4:], uint16(k.AeadID))
+ binary.BigEndian.PutUint16(identifiers[6:], uint16(len(k.PublicKeyBytes)))
+ config := append(identifiers, k.PublicKeyBytes...)
+
+ prk := suite.KDF.Extract(nil, config)
+ identifier := suite.KDF.Expand(prk, []byte(ODOH_LABEL_KEY_ID), suite.KDF.OutputSize())
+
+ return identifier
+}
+
+func (k ObliviousDoHConfigContents) Marshal() []byte {
+ identifiers := make([]byte, 8)
+ binary.BigEndian.PutUint16(identifiers[0:], uint16(k.KemID))
+ binary.BigEndian.PutUint16(identifiers[2:], uint16(k.KdfID))
+ binary.BigEndian.PutUint16(identifiers[4:], uint16(k.AeadID))
+ binary.BigEndian.PutUint16(identifiers[6:], uint16(len(k.PublicKeyBytes)))
+
+ response := append(identifiers, k.PublicKeyBytes...)
+ return response
+}
+
+func UnmarshalObliviousDoHConfigContents(buffer []byte) (ObliviousDoHConfigContents, error) {
+ if len(buffer) < 8 {
+ return ObliviousDoHConfigContents{}, errors.New("Invalid serialized ObliviousDoHConfigContents")
+ }
+
+ kemId := binary.BigEndian.Uint16(buffer[0:])
+ kdfId := binary.BigEndian.Uint16(buffer[2:])
+ aeadId := binary.BigEndian.Uint16(buffer[4:])
+ publicKeyLength := binary.BigEndian.Uint16(buffer[6:])
+
+ if len(buffer[8:]) < int(publicKeyLength) {
+ return ObliviousDoHConfigContents{}, errors.New("Invalid serialized ObliviousDoHConfigContents")
+ }
+
+ publicKeyBytes := buffer[8 : 8+publicKeyLength]
+
+ var KemID hpke.KEMID
+ var KdfID hpke.KDFID
+ var AeadID hpke.AEADID
+
+ switch kemId {
+ case 0x0010:
+ KemID = hpke.DHKEM_P256
+ break
+ case 0x0012:
+ KemID = hpke.DHKEM_P521
+ break
+ case 0x0020:
+ KemID = hpke.DHKEM_X25519
+ break
+ case 0x0021:
+ KemID = hpke.DHKEM_X448
+ break
+ case 0xFFFE:
+ KemID = hpke.KEM_SIKE503
+ break
+ case 0xFFFF:
+ KemID = hpke.KEM_SIKE751
+ break
+ default:
+ return ObliviousDoHConfigContents{}, errors.New(fmt.Sprintf("Unsupported KEMID: %04x", kemId))
+ }
+
+ switch kdfId {
+ case 0x0001:
+ KdfID = hpke.KDF_HKDF_SHA256
+ break
+ case 0x0002:
+ KdfID = hpke.KDF_HKDF_SHA384
+ break
+ case 0x0003:
+ KdfID = hpke.KDF_HKDF_SHA512
+ break
+ default:
+ return ObliviousDoHConfigContents{}, errors.New(fmt.Sprintf("Unsupported KDFID: %04x", kdfId))
+ }
+
+ switch aeadId {
+ case 0x0001:
+ AeadID = hpke.AEAD_AESGCM128
+ break
+ case 0x0002:
+ AeadID = hpke.AEAD_AESGCM256
+ break
+ case 0x0003:
+ AeadID = hpke.AEAD_CHACHA20POLY1305
+ break
+ default:
+ return ObliviousDoHConfigContents{}, errors.New(fmt.Sprintf("Unsupported AEADID: %04x", aeadId))
+ }
+
+ suite, err := hpke.AssembleCipherSuite(KemID, KdfID, AeadID)
+ if err != nil {
+ return ObliviousDoHConfigContents{}, errors.New(fmt.Sprintf("Unsupported HPKE ciphersuite"))
+ }
+
+ _, err = suite.KEM.Deserialize(publicKeyBytes)
+ if err != nil {
+ return ObliviousDoHConfigContents{}, errors.New(fmt.Sprintf("Invalid HPKE public key bytes"))
+ }
+
+ return ObliviousDoHConfigContents{
+ KemID: KemID,
+ KdfID: KdfID,
+ AeadID: AeadID,
+ PublicKeyBytes: publicKeyBytes,
+ }, nil
+}
+
+func (k ObliviousDoHConfigContents) PublicKey() []byte {
+ return k.PublicKeyBytes
+}
+
+func (k ObliviousDoHConfigContents) CipherSuite() (hpke.CipherSuite, error) {
+ return hpke.AssembleCipherSuite(k.KemID, k.KdfID, k.AeadID)
+}
+
+type ObliviousDoHConfig struct {
+ Version uint16
+ Contents ObliviousDoHConfigContents
+}
+
+func CreateObliviousDoHConfig(contents ObliviousDoHConfigContents) ObliviousDoHConfig {
+ return ObliviousDoHConfig{
+ Version: ODOH_VERSION,
+ Contents: contents,
+ }
+}
+
+func (c ObliviousDoHConfig) Marshal() []byte {
+ marshalledConfig := c.Contents.Marshal()
+
+ buffer := make([]byte, 4)
+ binary.BigEndian.PutUint16(buffer[0:], uint16(c.Version))
+ binary.BigEndian.PutUint16(buffer[2:], uint16(len(marshalledConfig)))
+
+ configBytes := append(buffer, marshalledConfig...)
+ return configBytes
+}
+
+func parseConfigHeader(buffer []byte) (uint16, uint16, error) {
+ if len(buffer) < 4 {
+ return uint16(0), uint16(0), errors.New("Invalid ObliviousDoHConfig encoding")
+ }
+
+ version := binary.BigEndian.Uint16(buffer[0:])
+ length := binary.BigEndian.Uint16(buffer[2:])
+ return version, length, nil
+}
+
+func isSupportedConfigVersion(version uint16) bool {
+ return version == ODOH_VERSION
+}
+
+func UnmarshalObliviousDoHConfig(buffer []byte) (ObliviousDoHConfig, error) {
+ version, length, err := parseConfigHeader(buffer)
+ if err != nil {
+ return ObliviousDoHConfig{}, err
+ }
+
+ if !isSupportedConfigVersion(version) {
+ return ObliviousDoHConfig{}, errors.New(fmt.Sprintf("Unsupported version: %04x", version))
+ }
+ if len(buffer[4:]) < int(length) {
+ return ObliviousDoHConfig{}, errors.New(fmt.Sprintf("Invalid serialized ObliviousDoHConfig, expected %v bytes, got %v", length, len(buffer[4:])))
+ }
+
+ configContents, err := UnmarshalObliviousDoHConfigContents(buffer[4:])
+ if err != nil {
+ return ObliviousDoHConfig{}, err
+ }
+
+ return ObliviousDoHConfig{
+ Version: version,
+ Contents: configContents,
+ }, nil
+}
+
+type ObliviousDoHConfigs struct {
+ Configs []ObliviousDoHConfig
+}
+
+func CreateObliviousDoHConfigs(configs []ObliviousDoHConfig) ObliviousDoHConfigs {
+ return ObliviousDoHConfigs{
+ Configs: configs,
+ }
+}
+
+func (c ObliviousDoHConfigs) Marshal() []byte {
+ serializedConfigs := make([]byte, 0)
+ for _, config := range c.Configs {
+ serializedConfigs = append(serializedConfigs, config.Marshal()...)
+ }
+
+ buffer := make([]byte, 2)
+ binary.BigEndian.PutUint16(buffer[0:], uint16(len(serializedConfigs)))
+
+ result := append(buffer, serializedConfigs...)
+ return result
+}
+
+func UnmarshalObliviousDoHConfigs(buffer []byte) (ObliviousDoHConfigs, error) {
+ if len(buffer) < 2 {
+ return ObliviousDoHConfigs{}, errors.New("Invalid ObliviousDoHConfigs encoding")
+ }
+
+ configs := make([]ObliviousDoHConfig, 0)
+ length := binary.BigEndian.Uint16(buffer[0:])
+ offset := uint16(2)
+
+ for {
+ configVersion, configLength, err := parseConfigHeader(buffer[offset:])
+ if err != nil {
+ return ObliviousDoHConfigs{}, errors.New("Invalid ObliviousDoHConfigs encoding")
+ }
+
+ if uint16(len(buffer[offset:])) < configLength {
+ // The configs vector is encoded incorrectly, so discard the whole thing
+ return ObliviousDoHConfigs{}, errors.New(fmt.Sprintf("Invalid serialized ObliviousDoHConfig, expected %v bytes, got %v", length, len(buffer[offset:])))
+ }
+
+ if isSupportedConfigVersion(configVersion) {
+ config, err := UnmarshalObliviousDoHConfig(buffer[offset:])
+ if err == nil {
+ configs = append(configs, config)
+ }
+ } else {
+ // Skip over unsupported versions
+ }
+
+ offset += 4 + configLength
+ if offset >= 2+length {
+ // Stop reading
+ break
+ }
+ }
+
+ return CreateObliviousDoHConfigs(configs), nil
+}
+
+type ObliviousDoHKeyPair struct {
+ Config ObliviousDoHConfig
+ secretKey hpke.KEMPrivateKey
+ Seed []byte
+}
+
+func CreateKeyPairFromSeed(kemID hpke.KEMID, kdfID hpke.KDFID, aeadID hpke.AEADID, ikm []byte) (ObliviousDoHKeyPair, error) {
+ suite, err := hpke.AssembleCipherSuite(kemID, kdfID, aeadID)
+ if err != nil {
+ return ObliviousDoHKeyPair{}, err
+ }
+
+ sk, pk, err := suite.KEM.DeriveKeyPair(ikm)
+ if err != nil {
+ return ObliviousDoHKeyPair{}, err
+ }
+
+ configContents, err := CreateObliviousDoHConfigContents(kemID, kdfID, aeadID, suite.KEM.Serialize(pk))
+ if err != nil {
+ return ObliviousDoHKeyPair{}, err
+ }
+
+ config := CreateObliviousDoHConfig(configContents)
+
+ return ObliviousDoHKeyPair{
+ Config: config,
+ secretKey: sk,
+ Seed: ikm,
+ }, nil
+}
+
+func CreateDefaultKeyPairFromSeed(seed []byte) (ObliviousDoHKeyPair, error) {
+ return CreateKeyPairFromSeed(ODOH_DEFAULT_KEMID, ODOH_DEFAULT_KDFID, ODOH_DEFAULT_AEADID, seed)
+}
+
+func CreateKeyPair(kemID hpke.KEMID, kdfID hpke.KDFID, aeadID hpke.AEADID) (ObliviousDoHKeyPair, error) {
+ suite, err := hpke.AssembleCipherSuite(kemID, kdfID, aeadID)
+ if err != nil {
+ return ObliviousDoHKeyPair{}, err
+ }
+
+ ikm := make([]byte, suite.KEM.PrivateKeySize())
+ rand.Reader.Read(ikm)
+ sk, pk, err := suite.KEM.DeriveKeyPair(ikm)
+ if err != nil {
+ return ObliviousDoHKeyPair{}, err
+ }
+
+ configContents, err := CreateObliviousDoHConfigContents(kemID, kdfID, aeadID, suite.KEM.Serialize(pk))
+ if err != nil {
+ return ObliviousDoHKeyPair{}, err
+ }
+
+ config := CreateObliviousDoHConfig(configContents)
+
+ return ObliviousDoHKeyPair{
+ Config: config,
+ secretKey: sk,
+ Seed: ikm,
+ }, nil
+}
+
+func CreateDefaultKeyPair() (ObliviousDoHKeyPair, error) {
+ return CreateKeyPair(ODOH_DEFAULT_KEMID, ODOH_DEFAULT_KDFID, ODOH_DEFAULT_AEADID)
+}
+
+type QueryContext struct {
+ odohSecret []byte
+ suite hpke.CipherSuite
+ query []byte
+ publicKey ObliviousDoHConfigContents
+}
+
+func (c QueryContext) DecryptResponse(message ObliviousDNSMessage) ([]byte, error) {
+ aad := append([]byte{byte(ResponseType)}, []byte{0x00, 0x00}...) // 0-length encoded KeyID
+
+ odohPRK := c.suite.KDF.Extract(c.query, c.odohSecret)
+ key := c.suite.KDF.Expand(odohPRK, []byte(ODOH_LABEL_KEY), c.suite.AEAD.KeySize())
+ nonce := c.suite.KDF.Expand(odohPRK, []byte(ODOH_LABEL_NONCE), c.suite.AEAD.NonceSize())
+
+ aead, err := c.suite.AEAD.New(key)
+ if err != nil {
+ return nil, err
+ }
+
+ return aead.Open(nil, nonce, message.EncryptedMessage, aad)
+}
+
+type ResponseContext struct {
+ query []byte
+ suite hpke.CipherSuite
+ odohSecret []byte
+}
+
+func (c ResponseContext) EncryptResponse(response *ObliviousDNSResponse) (ObliviousDNSMessage, error) {
+ aad := append([]byte{byte(ResponseType)}, []byte{0x00, 0x00}...) // 0-length encoded KeyID
+
+ odohPRK := c.suite.KDF.Extract(c.query, c.odohSecret)
+ key := c.suite.KDF.Expand(odohPRK, []byte(ODOH_LABEL_KEY), c.suite.AEAD.KeySize())
+ nonce := c.suite.KDF.Expand(odohPRK, []byte(ODOH_LABEL_NONCE), c.suite.AEAD.NonceSize())
+
+ aead, err := c.suite.AEAD.New(key)
+ if err != nil {
+ return ObliviousDNSMessage{}, err
+ }
+
+ ciphertext := aead.Seal(nil, nonce, response.Marshal(), aad)
+
+ odohMessage := ObliviousDNSMessage{
+ KeyID: nil,
+ MessageType: ResponseType,
+ EncryptedMessage: ciphertext,
+ }
+
+ return odohMessage, nil
+}
+
+func (targetKey ObliviousDoHConfigContents) EncryptQuery(query *ObliviousDNSQuery) (ObliviousDNSMessage, QueryContext, error) {
+ suite, err := hpke.AssembleCipherSuite(targetKey.KemID, targetKey.KdfID, targetKey.AeadID)
+ if err != nil {
+ return ObliviousDNSMessage{}, QueryContext{}, err
+ }
+
+ pkR, err := suite.KEM.Deserialize(targetKey.PublicKeyBytes)
+ if err != nil {
+ return ObliviousDNSMessage{}, QueryContext{}, err
+ }
+
+ enc, ctxI, err := hpke.SetupBaseS(suite, rand.Reader, pkR, []byte(ODOH_LABEL_QUERY))
+ if err != nil {
+ return ObliviousDNSMessage{}, QueryContext{}, err
+ }
+
+ keyID := targetKey.KeyID()
+ keyIDLength := make([]byte, 2)
+ binary.BigEndian.PutUint16(keyIDLength, uint16(len(keyID)))
+ aad := append([]byte{byte(QueryType)}, keyIDLength...)
+ aad = append(aad, keyID...)
+
+ encodedMessage := query.Marshal()
+ ct := ctxI.Seal(aad, encodedMessage)
+ odohSecret := ctxI.Export([]byte(ODOH_LABEL_SECRET), ODOH_SECRET_LENGTH)
+
+ return ObliviousDNSMessage{
+ KeyID: targetKey.KeyID(),
+ MessageType: QueryType,
+ EncryptedMessage: append(enc, ct...),
+ }, QueryContext{
+ odohSecret: odohSecret,
+ suite: suite,
+ query: query.Marshal(),
+ publicKey: targetKey,
+ }, nil
+}
+
+func validateMessagePadding(padding []byte) bool {
+ validPadding := 1
+ for _, v := range padding {
+ validPadding &= subtle.ConstantTimeByteEq(v, ODOH_PADDING_BYTE)
+ }
+ return validPadding == 1
+}
+
+func (privateKey ObliviousDoHKeyPair) DecryptQuery(message ObliviousDNSMessage) (*ObliviousDNSQuery, ResponseContext, error) {
+ if message.MessageType != QueryType {
+ return nil, ResponseContext{}, errors.New("message is not a query")
+ }
+
+ suite, err := hpke.AssembleCipherSuite(privateKey.Config.Contents.KemID, privateKey.Config.Contents.KdfID, privateKey.Config.Contents.AeadID)
+ if err != nil {
+ return nil, ResponseContext{}, err
+ }
+
+ keySize := suite.KEM.PublicKeySize()
+ enc := message.EncryptedMessage[0:keySize]
+ ct := message.EncryptedMessage[keySize:]
+
+ ctxR, err := hpke.SetupBaseR(suite, privateKey.secretKey, enc, []byte(ODOH_LABEL_QUERY))
+ if err != nil {
+ return nil, ResponseContext{}, err
+ }
+
+ odohSecret := ctxR.Export([]byte(ODOH_LABEL_SECRET), ODOH_SECRET_LENGTH)
+
+ keyID := privateKey.Config.Contents.KeyID()
+ keyIDLength := make([]byte, 2)
+ binary.BigEndian.PutUint16(keyIDLength, uint16(len(keyID)))
+ aad := append([]byte{byte(QueryType)}, keyIDLength...)
+ aad = append(aad, keyID...)
+
+ dnsMessage, err := ctxR.Open(aad, ct)
+ if err != nil {
+ return nil, ResponseContext{}, err
+ }
+
+ query, err := UnmarshalQueryBody(dnsMessage)
+ if err != nil {
+ return nil, ResponseContext{}, err
+ }
+
+ if !validateMessagePadding(query.Padding) {
+ return nil, ResponseContext{}, errors.New("invalid padding")
+ }
+
+ responseContext := ResponseContext{
+ odohSecret: odohSecret,
+ suite: suite,
+ query: query.Marshal(),
+ }
+
+ return query, responseContext, nil
+}
+
+func SealQuery(dnsQuery []byte, publicKey ObliviousDoHConfigContents) (ObliviousDNSMessage, QueryContext, error) {
+ odohQuery := CreateObliviousDNSQuery(dnsQuery, 0)
+
+ odohMessage, queryContext, err := publicKey.EncryptQuery(odohQuery)
+ if err != nil {
+ return ObliviousDNSMessage{}, QueryContext{}, err
+ }
+
+ return odohMessage, queryContext, nil
+}
+
+func (c QueryContext) OpenAnswer(message ObliviousDNSMessage) ([]byte, error) {
+ if message.MessageType != ResponseType {
+ return nil, errors.New("message is not a response")
+ }
+
+ decryptedResponseBytes, err := c.DecryptResponse(message)
+ if err != nil {
+ return nil, errors.New("unable to decrypt the obtained response using the symmetric key sent")
+ }
+
+ decryptedResponse, err := UnmarshalResponseBody(decryptedResponseBytes)
+ if err != nil {
+ return nil, err
+ }
+
+ return decryptedResponse.DnsMessage, nil
+}
diff --git a/vendor/github.com/cloudflare/odoh-go/test-vectors.json b/vendor/github.com/cloudflare/odoh-go/test-vectors.json
new file mode 100644
index 00000000..91bb023d
--- /dev/null
+++ b/vendor/github.com/cloudflare/odoh-go/test-vectors.json
@@ -0,0 +1 @@ +[{"kem_id":32,"kdf_id":1,"aead_id":1,"odohconfigs":"002cff030028002000010001002056d573d378d8072c7a968e36ca410d184c6aa2c066965dcd716f5b29bc614c3f","public_key_seed":"e55f9fc1639d1b11c185f41b66a714ab8bd0eabdb387fad4a1c56219ebcc8627","key_id":"447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da6","transactions":[{"query":"7856cd7c97fcfdfe0e3bf5be8cda951b553f5fa5d92d782c1b86d6e10aad3e4b","queryPaddingLength":0,"response":"7856cd7c97fcfdfe0e3bf5be8cda951b553f5fa5d92d782c1b86d6e10aad3e4b7856cd7c97fcfdfe0e3bf5be8cda951b553f5fa5d92d782c1b86d6e10aad3e4b","responsePaddingLength":0,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da60054cc8be8fb4ff84fbeec26405cf34d98c4a879eff81b1f87b4ecf5c6cac5426d1bd936710187afa01dfb9d1f1b1936b6e84774a61debfba24e21b848e301d4eb57ed47d340d9107f05dcd95ae46b9fa72f7fcf742c","obliviousResponse":"0200000054e3076e3590e85c0925f4c6380fd6f76494af7e6276b63ce8e733ebea450f9996af503c84cbfa71b46ae18d813f5ee1bc19e9f2df808515549f10adcda4dbdde073533d4b16b2979fa4dc67eeb0104ec3f4630f09"},{"query":"555aeef8eb580e59485820a0ecf102dc52dc5bbf118df2ee86845e072d3d39b2","queryPaddingLength":0,"response":"555aeef8eb580e59485820a0ecf102dc52dc5bbf118df2ee86845e072d3d39b2555aeef8eb580e59485820a0ecf102dc52dc5bbf118df2ee86845e072d3d39b2","responsePaddingLength":64,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da60054af7957dd01d19fc469a9ba50ebc94d3297893e531d74170242e2f0e11426a93e4f61d449bca5a7bbcae5ff1cf4310f91b01bf2026b0181862c30029196d4fb271c94725ef63b3b49957ff875153bd6ca40c5dd29","obliviousResponse":"020000009417d88c8c4b10856e06a5d8a3855efd6617943630b30bc3aa9ed0139c45857645e11d127a76062460d2777275bc544f434b4113c05bf0a6aec3adeb58d58ce60152b8b1cb861077dc61f634383f225eff2be2ea7d4f4881edb77a64ac4d644602ff1546a934e1d1e8902005d0f4d231c47a00bcc959d60dd16f92f856e72bee56a843df285aa17751fcf62791aa819a6075ee0857"},{"query":"dc352956591c1fe8deabb1ea6bc2af5d63ac985b4636564e6f03827e909a9
443","queryPaddingLength":0,"response":"dc352956591c1fe8deabb1ea6bc2af5d63ac985b4636564e6f03827e909a9443dc352956591c1fe8deabb1ea6bc2af5d63ac985b4636564e6f03827e909a9443","responsePaddingLength":192,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da60054b8f2291e0a4d1f300db2e62915190c7befd1bea3ae831d27f200c3c8ea09dd269f8f331004cd7049a9258bbba79d9efe4ed5cd8755ad6f6ac1f745e7ad29067bb131dc7e5e60e98721edd5418697ccf9679b8541","obliviousResponse":"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"},{"query":"713b149df6f1887202ff5d7fb8659a7e90c28b460aee34d8403df6a69d51d1a1","queryPaddingLength":0,"response":"713b149df6f1887202ff5d7fb8659a7e90c28b460aee34d8403df6a69d51d1a1713b149df6f1887202ff5d7fb8659a7e90c28b460aee34d8403df6a69d51d1a1","responsePaddingLength":404,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da600540ff24e67794eca0ba67a599074ccd618ec72be9a5a93cefdec020649ee31b041df2cccc0e4a837559507e33186b668ab3ba85c67bdee9443d68920d86ece5a09239938229c9ca9cca89cbab831ee48a13b4cf321","obliviousResponse":"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"},{"query":"853d330d8b9335ea25b1ed1bd776e75b893843235501944edddcbc2a69a4dadc","queryPaddingLength":32,"response":"853d330d8b9335ea25b1ed1bd776e75b893843235501944edddcbc2a69a4dadc853d330d8b9335ea25b1ed1bd776e75b893843235501944edddcbc2a69a4dadc","responsePaddingLength":0,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da60074833b791618faca1daf47f88c16b34065cb9ed57415ec2bf955f38b44d93f135a7408529d1515897c0cf4c5471f3e44d6dd65422bbe5f755f07fa00c556b1b335b62803b07f3fa62041302dae4de80726ddab07449c2f1d4b31ed5cf06e4ce16a4326e18f082346d3250f3b1a1e02558ca7fd5e35","obliviousResponse":"020000005411b398c4c9d871470e237c18bc3b1aec5e1b91a10c83df2981bc5c1495ee153f6f6d1e48ad1160df2c37c7334038b7f9d345efb09674c5b2f71ecf7eaca027107a9bd904907b70042ed0928d405d73a348417af0"},{"query":"ba8fa751a218a21cfdb66e3822d159adf0bd7085e7d51eb37
e109cdd31d2ea10","queryPaddingLength":32,"response":"ba8fa751a218a21cfdb66e3822d159adf0bd7085e7d51eb37e109cdd31d2ea10ba8fa751a218a21cfdb66e3822d159adf0bd7085e7d51eb37e109cdd31d2ea10","responsePaddingLength":64,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da60074ed75936f6b609309784a1cd109406b54b0459b6168f832f43b1159a99ed0530c22928001bd5f29c66524c5dc101f187c3dd2dc9e6d6b96b169bbce595de400401195953624fc1cff0abfaff89b5df1a6d3abfba9218d8d0169c63c12dc32ce444acad32a6b6a929b5c022123b1bc86183a9bf685","obliviousResponse":"02000000944e0afbb764264f0563e53af79f57618e595630117c82bb639d5c6f9a72177c2b9678676bb67d366e20a426a042cb2a52f172ce7abe3e17abcb525a540ad297a8ebb5d3f9d4b61f2990d4f855e8ac726317e52f2727fce971c8e6661b64d5212bc736e0464b5a8d2e81a07589f2014521436e8183f3c669fe823f69a43d7f4b672e6383902896ca4c6814190ee740d1019f638401"},{"query":"b81cf850c78f615ce0b865991dd8243fdc0c43dc0b65aa48fcdd08b1ca5b4198","queryPaddingLength":32,"response":"b81cf850c78f615ce0b865991dd8243fdc0c43dc0b65aa48fcdd08b1ca5b4198b81cf850c78f615ce0b865991dd8243fdc0c43dc0b65aa48fcdd08b1ca5b4198","responsePaddingLength":192,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da60074913ecdbc75943b520009656ff5765165922c2fa0a99904fc25a24b0b4886be5970c7837a1632063b7e46a9e4db042daddc16f5e2a740075f85c757f7a4025d78dcb0ffb5146e92263d31e0e78f2e0b6eef99e19859d7d731c13ef7558f757f1ca637eb0b4a2659fbc50b855f322a3885b096a763","obliviousResponse":"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"},{"query":"f4b4d904adb39e73fb05f88eb233253686a0a4e70fd8fae84cee51ea931bcde0","queryPaddingLength":32,"response":"f4b4d904adb39e73fb05f88eb233253686a0a4e70fd8fae84cee51ea931bcde0f4b4d904adb39e73fb05f88eb233253686a0a4e70fd8fae84cee51ea931bcde0","responsePaddingLength":404,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da6007425b68ed9121f8e0c9701a3a57735a212ed1bce9926e2a5b3d215de14591bc037144c7a4cf0fed4d75be7ec55e6b632ad050
bc29a3f752fc9acd8d851f4c2540fca7357a874a18dda5fb33ab0c4eccad79ab0210f1e7c9d76ac2aa0591d9356da222a7ca3f0d8de6fff6d70f20a8a70c5dd76742a","obliviousResponse":"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"},{"query":"79e681ed185ae8e4ee00141ee1042c0d2535f0d3051dee9114f17a7e9957f0e1","queryPaddingLength":32,"response":"79e681ed185ae8e4ee00141ee1042c0d2535f0d3051dee9114f17a7e9957f0e179e681ed185ae8e4ee00141ee1042c0d2535f0d3051dee9114f17a7e9957f0e1","responsePaddingLength":0,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da6007493b80142872af1731bf7c6c0157ea8f28ae8526ee4d636b63cc41cddffe4b1690b46a6d68dbee2b1cfafa3e60a52d2acbcbeb7d2fb03941c3448d757826f3f7064d6a1b37c96f66898bc3d49ee7a7d16aad2abdc4f9e0db58cd3c4a49fa2c8cf97a364f95ef8aff82723353fcdabf1447c888c49","obliviousResponse":"0200000054d3dc5234af6d7461bb87c33383d151ba8e2418d55557e16f63b5c3ff2b71f164bee548df3d43b8319424b273287d0c14f3a3f27b0bef6463c9392a6e47ec9c46b9df870f9abf86eef2410be4ccbde44118d4c85b"},{"query":"ad7a8c42088d4e4b67b710dd811b9f4db722c35a0280dfce5c60074fedfe2468","queryPaddingLength":32,"response":"ad7a8c42088d4e4b67b710dd811b9f4db722c35a0280dfce5c60074fedfe2468ad7a8c42088d4e4b67b710dd811b9f4db722c35a0280dfce5c60074fedfe2468","responsePaddingLength":64,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da60074357f2907e06a1d1908e47a8076141e65f0b5361fad62e7de4a11bce810c4292f1a3b54a6d1de0831279c462f739fc765858d845f4d28b667fff9573cfbaee298a6d95cff38d2947ee6469b0bdd669e9b0cd41fa3eb5efff45b2b73738782eea7f586d1739181253c58e11367c45d6f5bc6afae90","obliviousResponse":"0200000094b486cc8b2f3144570111631d2d04428aa59deb63341471f749b0d5a70a8f4c178e0bec1b6b07b855b6aacca79a1ed6c4f8c03397b1c037060d2ea510f0ecbd201a644db9a16c09dccb7fa1525f523c2352564c546bad19e678437a67dfd1678c919cd491a1468c304434f0ada68cdd32e567db54ddb64b5052a8596274c39f5787cdaee58dc578cf25bc02874b9852cb9faf0335"},{"query":"84f1feed6b5ec35513c71107be639c15d6c7554d07af57cb8c6e5b6fa
eb23b36","queryPaddingLength":32,"response":"84f1feed6b5ec35513c71107be639c15d6c7554d07af57cb8c6e5b6faeb23b3684f1feed6b5ec35513c71107be639c15d6c7554d07af57cb8c6e5b6faeb23b36","responsePaddingLength":192,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da60074ae9464f9dbb9f761f0130ca2f64ddc09e12a759caebbab62a81aca242024a141ce560125654aa7afe1ec98012ba8c00e9031a86241d46369fb8b12024dba34bbbad98197e3c78a95b44534c7c90f2cd4bfeee23d5a13cca397b7d479a4fca61d7cdaaea8627657ec745464752313d1389eb657be","obliviousResponse":"0200000114d40270446bbf19146007da8971da86ab7c407f25a2d3b08519b42d64092fdbad77043eae5d72ed0b4c3d477768a4a325998ee54a953438ec991214aa3cb42128755709351e15e0e5c05febde3545505a7da39b8fce522fd6c368aaff4e052fddc6b951a5dfbbb29115fe384d3dd347cc59604505fbd3a4a4700772c3592f6af9c30b700011d2959e17968e26e0d72cef725883238f32a40cc1ad49eee89971b22527adfd33ff9234a345a9df084bd1bbcad2372e6694ccceded2ffa3f248ed8dc34a82fd2c0c5fa7d97d7107361f661317db353e36cf983cd2b7c1d4e89fdb3cf158ff01b5d368e7d3227672da6ae470b2eb26334f82d058793c2873d8f4e08b0926f92cda26cfcf33aaee94c0ced84f22140d15"},{"query":"e5156ec316c5d053610659027daef35fab33ffcff6ea23868f69e001d3f38f0d","queryPaddingLength":32,"response":"e5156ec316c5d053610659027daef35fab33ffcff6ea23868f69e001d3f38f0de5156ec316c5d053610659027daef35fab33ffcff6ea23868f69e001d3f38f0d","responsePaddingLength":404,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da6007411034f861edec7f01d7aafda32af7eb14815419fe9d7c67e4aa3aa472b4b6f2139e8ab20d385529ca15cfa33e493113f27dc01f0d076cfcac76227a3068c609f5d0a6bc8b9fb1fb2092c61e04cbc5c0fa389266b555017f63966472b230d3bfd7cee3bd121d33d4a37cd10082e03bc0b167f4ed1","obliviousResponse":"02000001e8c62bf1a7b37b3e3feed3958c6177e0e17ded8f1fec5de3a1a39e76bafe91f2379d12de4d5b64d99a2c233fae4bedec5b850b11d171d991c988fa9f34417d5cc714049edf311c6998c8171b9c3ad71a33ca7163b15af32ac65c9bbf11252d010169cdedadeb88a67c20acb5bac01e7d9e6d3746c1de74a5933be7dc079422f81371
8da66c87a7d9b9500666e6c88a2a74750fad40f63afec7b022d749a4a5f49240ebf704163977be59cb389171bd0318358e9272b34dcf3fb36745fa486722c9434aeb0f1df1ad183645ed2fc378cba98804bb5b646fa8bf809417ecab068ba66382180c01ae3d72255f347815a64ec4920001ff49f69c3304289af1fceed728dbf2d524027dbce6074e0908fd49abc57fa74acd4a1f85364386172840e10dab51403cee2ad0914b4fded383b6c00759233d4f8ed87cc993342da312d094cddcc5900b058126cf054756af56e8265b9d2627caeee81180a49c27886e74c375b1504175e2b0f7f43096be50076e6053fc0e5669c794b024d09a685c45b7c0cc830e759b0a9b9581eebdfd35625eb6bba8417098427d54f34ca5d7b12640898127a99afef4134629b004c32dfd0da5db78a4840397779cba1c281a5900b09c02dadea1df5636913cb85597921d616504a08a8c99351fddb0f2f4f8cfcb18d8cea51998a9868d40cb40"},{"query":"b3b15a7f8e391f081849c1574d270d8a44caabaae96b7aab55f49e7f0d8082e5","queryPaddingLength":96,"response":"b3b15a7f8e391f081849c1574d270d8a44caabaae96b7aab55f49e7f0d8082e5b3b15a7f8e391f081849c1574d270d8a44caabaae96b7aab55f49e7f0d8082e5","responsePaddingLength":0,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da600b4f9fbe6539bf9fafc8ef632a9397f1a5511e8f3336655527ccd3e91ce267a1d5d5ef77735449fc625d942860ab2fb386d41b44ae8b938820e4a8e7681973e60f4bb02372adb6b3372923d013fdea2fdd56580b5bcce0c9dfb6ddfc168c2f216fe9ba05d587ffa5aca132618a8707570f6fccb533576d2e59406304485f997d5ad756a8e01e7b87fe1575b90b34909e4662465b41e459b7a24ffebd35b0b51f4ad307931c1af6261028c246b39b7074461dd2f2321","obliviousResponse":"02000000546d6ec3c3401009e7d236aa7d2be434dd9de3d753d883c8a8a3c104fdd2b284bf9c9405180105257fba91c17711dc4f495957cd6a309971506e3a32147b53e7374d113f7db67e7debb88b3eee422645edc86b6930"},{"query":"345c5843229fc63bbbd18f685ac1a2207970a8ebc09a43a875be3f50f446c669","queryPaddingLength":96,"response":"345c5843229fc63bbbd18f685ac1a2207970a8ebc09a43a875be3f50f446c669345c5843229fc63bbbd18f685ac1a2207970a8ebc09a43a875be3f50f446c669","responsePaddingLength":64,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376d
a600b4db9de47be6d6ea10d971e1479cbb8d00ab7c300ddcfaca7b98a81d24b274846c0bc58b547517aa4affb21655f860926b72870020556b22bcff20001ad37c65971f8ce3ec91734f4662fa6dfa8d97baa1c12db009bee6ff6452306e73ebcf09687b11e953198bf3613d76cdbbc9a1efddc13f1a0f0059c494ed63c10aec2333cd7c56a1bb498e4f564978eb7e256df4c9828a592fdf64788ee6448ce9dc79869ac74bec89584335383c05a2b9030c20df173fab22","obliviousResponse":"020000009469233077aacf36bfc5a46863fced171721a519f66db6ed957dbfede517268669385d91684bd574185bc7dc8948387432c7bcacd13c2a68d93fd95995de1f2f821cddfc97d4501e44c4bc7d7ee468241b8fab527f17fd128a478d6ebba24eff7479029410537d101ed4c282c6c13ba16b1ba46054a40fdf08bea6b78af0b7a2debf161bce463e9a1c6fe0a8de7210538a5863837a"},{"query":"117094d7db9364ca320f96b743051744857a6ec99f23d2b4574830fb10301044","queryPaddingLength":96,"response":"117094d7db9364ca320f96b743051744857a6ec99f23d2b4574830fb10301044117094d7db9364ca320f96b743051744857a6ec99f23d2b4574830fb10301044","responsePaddingLength":192,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da600b49e17dd77e7fc91e0c4da86ab59f5a1068af2315593667fac717056fa9d016678a485c05280153297198fa7ab0688f70812ae270d2895dda9a8be7e7e206183d4cb665ab9f92fcd8bffd48da281b0ec382810a3aa1b025310298536519d55a8e6484f7e95bf1512cda80195ad2b91214e715b217b41499eaa511343b6be01e7cb689802321107c0967ed9de3fd7dfd32111764cd2599dec126b3862bb828c20e5a53f18342cf361c2b3fc4ed7546327320871b290","obliviousResponse":"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"},{"query":"5a8058d2555f4e2f2b71e963a9b0f13261db2c74715f1db4007a23b7c617a717","queryPaddingLength":96,"response":"5a8058d2555f4e2f2b71e963a9b0f13261db2c74715f1db4007a23b7c617a7175a8058d2555f4e2f2b71e963a9b0f13261db2c74715f1db4007a23b7c617a717","responsePaddingLength":404,"obliviousQuery":"010020447d31cbc19e56bb4c19a951c5616d9f21560a5dfc9c4c80d7007c1de1376da600b4484f4e40c78a907b69ea8939352e37621f940426496137d67ec4d89afbe9401edaef4e984becfdf1f4603873b6a0edc3dcc74c880f1301cd2351b067f2574ced1974bee4de5
696f585b4ecddc8ddae00a2762b9ddef7931f298d10d69811c6e2354bd723697b90b69af762d56ef20b517b36ed568b648b66bb24481d02e13b44a76ca5b97dcb4c53d680d829d9ab389efb1e03c759973fcc5972b27e781f01d706f8340a67bdc9a8cdb83965eb65767f5ef68de6","obliviousResponse":"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"}]}] \ No newline at end of file diff --git a/vendor/github.com/miekg/dns/README.md b/vendor/github.com/miekg/dns/README.md index 1e6b7c52..effb96bf 100644 --- a/vendor/github.com/miekg/dns/README.md +++ b/vendor/github.com/miekg/dns/README.md @@ -26,7 +26,6 @@ avoiding breaking changes wherever reasonable. We support the last two versions A not-so-up-to-date-list-that-may-be-actually-current: * https://github.com/coredns/coredns -* https://cloudflare.com * https://github.com/abh/geodns * https://github.com/baidu/bfe * http://www.statdns.com/ @@ -42,11 +41,9 @@ A not-so-up-to-date-list-that-may-be-actually-current: * https://github.com/StalkR/dns-reverse-proxy * https://github.com/tianon/rawdns * https://mesosphere.github.io/mesos-dns/ -* https://pulse.turbobytes.com/ * https://github.com/fcambus/statzone * https://github.com/benschw/dns-clb-go * https://github.com/corny/dnscheck for -* https://namesmith.io * https://github.com/miekg/unbound * https://github.com/miekg/exdns * https://dnslookup.org 
@@ -55,24 +52,22 @@ A not-so-up-to-date-list-that-may-be-actually-current: * https://github.com/mehrdadrad/mylg * https://github.com/bamarni/dockness * https://github.com/fffaraz/microdns -* http://kelda.io * https://github.com/ipdcode/hades * https://github.com/StackExchange/dnscontrol/ * https://www.dnsperf.com/ * https://dnssectest.net/ -* https://dns.apebits.com * https://github.com/oif/apex * https://github.com/jedisct1/dnscrypt-proxy * https://github.com/jedisct1/rpdns * https://github.com/xor-gate/sshfp * https://github.com/rs/dnstrace * https://blitiri.com.ar/p/dnss ([github mirror](https://github.com/albertito/dnss)) -* https://github.com/semihalev/sdns * https://render.com * https://github.com/peterzen/goresolver * https://github.com/folbricht/routedns * https://domainr.com/ * https://zonedb.org/ +* https://router7.org/ Send pull request if you want to be listed here. diff --git a/vendor/github.com/miekg/dns/client.go b/vendor/github.com/miekg/dns/client.go index bb8667fd..edd9368b 100644 --- a/vendor/github.com/miekg/dns/client.go +++ b/vendor/github.com/miekg/dns/client.go @@ -34,7 +34,7 @@ type Client struct { Dialer *net.Dialer // a net.Dialer used to set local address, timeouts and more // Timeout is a cumulative timeout for dial, write and read, defaults to 0 (disabled) - overrides DialTimeout, ReadTimeout, // WriteTimeout when non-zero. Can be overridden with net.Dialer.Timeout (see Client.ExchangeWithDialer and - // Client.Dialer) or context.Context.Deadline (see the deprecated ExchangeContext) + // Client.Dialer) or context.Context.Deadline (see ExchangeContext) Timeout time.Duration DialTimeout time.Duration // net.DialTimeout, defaults to 2 seconds, or net.Dialer.Timeout if expiring earlier - overridden by Timeout when that value is non-zero ReadTimeout time.Duration // net.Conn.SetReadTimeout value for connections, defaults to 2 seconds - overridden by Timeout when that value is non-zero 
@@ -106,7 +106,7 @@ func (c *Client) Dial(address string) (conn *Conn, err error) { if err != nil { return nil, err } - + conn.UDPSize = c.UDPSize return conn, nil } diff --git a/vendor/github.com/miekg/dns/msg_helpers.go b/vendor/github.com/miekg/dns/msg_helpers.go index cbcab57b..47625ed0 100644 --- a/vendor/github.com/miekg/dns/msg_helpers.go +++ b/vendor/github.com/miekg/dns/msg_helpers.go @@ -6,6 +6,7 @@ import ( "encoding/binary" "encoding/hex" "net" + "sort" "strings" ) 
@@ -612,6 +613,65 @@ func packDataNsec(bitmap []uint16, msg []byte, off int) (int, error) {
 return off, nil
 }
+func unpackDataSVCB(msg []byte, off int) ([]SVCBKeyValue, int, error) {
+ var xs []SVCBKeyValue
+ var code uint16
+ var length uint16
+ var err error
+ for off < len(msg) {
+ code, off, err = unpackUint16(msg, off)
+ if err != nil {
+ return nil, len(msg), &Error{err: "overflow unpacking SVCB"}
+ }
+ length, off, err = unpackUint16(msg, off)
+ if err != nil || off+int(length) > len(msg) {
+ return nil, len(msg), &Error{err: "overflow unpacking SVCB"}
+ }
+ e := makeSVCBKeyValue(SVCBKey(code))
+ if e == nil {
+ return nil, len(msg), &Error{err: "bad SVCB key"}
+ }
+ if err := e.unpack(msg[off : off+int(length)]); err != nil {
+ return nil, len(msg), err
+ }
+ if len(xs) > 0 && e.Key() <= xs[len(xs)-1].Key() {
+ return nil, len(msg), &Error{err: "SVCB keys not in strictly increasing order"}
+ }
+ xs = append(xs, e)
+ off += int(length)
+ }
+ return xs, off, nil
+}
+
+func packDataSVCB(pairs []SVCBKeyValue, msg []byte, off int) (int, error) {
+ pairs = append([]SVCBKeyValue(nil), pairs...)
+ sort.Slice(pairs, func(i, j int) bool {
+ return pairs[i].Key() < pairs[j].Key()
+ })
+ prev := svcb_RESERVED
+ for _, el := range pairs {
+ if el.Key() == prev {
+ return len(msg), &Error{err: "repeated SVCB keys are not allowed"}
+ }
+ prev = el.Key()
+ packed, err := el.pack()
+ if err != nil {
+ return len(msg), err
+ }
+ off, err = packUint16(uint16(el.Key()), msg, off)
+ if err != nil {
+ return len(msg), &Error{err: "overflow packing SVCB"}
+ }
+ off, err = packUint16(uint16(len(packed)), msg, off)
+ if err != nil || off+len(packed) > len(msg) {
+ return len(msg), &Error{err: "overflow packing SVCB"}
+ }
+ copy(msg[off:off+len(packed)], packed)
+ off += len(packed)
+ }
+ return off, nil
+}
+
 func unpackDataDomainNames(msg []byte, off, end int) ([]string, int, error) {
 var (
 servers []string
@@ -683,6 +743,13 @@ func packDataAplPrefix(p *APLPrefix, msg []byte, off int) (int, error) { if p.Negation { n = 0x80 } + + // trim trailing zero bytes as specified in RFC3123 Sections 4.1 and 4.2. + i := len(addr) - 1 + for ; i >= 0 && addr[i] == 0; i-- { + } + addr = addr[:i+1] + adflen := uint8(len(addr)) & 0x7f off, err = packUint8(n|adflen, msg, off) if err != nil { diff --git a/vendor/github.com/miekg/dns/scan.go b/vendor/github.com/miekg/dns/scan.go index e18566fc..aa2840ef 100644 --- a/vendor/github.com/miekg/dns/scan.go +++ b/vendor/github.com/miekg/dns/scan.go @@ -1210,11 +1210,29 @@ func stringToCm(token string) (e, m uint8, ok bool) { if cmeters, err = strconv.Atoi(s[1]); err != nil { return } + // There's no point in having more than 2 digits in this part, and would rather make the implementation complicated ('123' should be treated as '12'). + // So we simply reject it. + // We also make sure the first character is a digit to reject '+-' signs. + if len(s[1]) > 2 || s[1][0] < '0' || s[1][0] > '9' { + return + } + if len(s[1]) == 1 { + // 'nn.1' must be treated as 'nn-meters and 10cm, not 1cm. + cmeters *= 10 + } + if len(s[0]) == 0 { + // This will allow omitting the 'meter' part, like .01 (meaning 0.01m = 1cm). + break + } fallthrough case 1: if meters, err = strconv.Atoi(s[0]); err != nil { return } + // RFC1876 states the max value is 90000000.00. The latter two conditions enforce it. + if s[0][0] < '0' || s[0][0] > '9' || meters > 90000000 || (meters == 90000000 && cmeters != 0) { + return + } case 0: // huh? return 0, 0, false @@ -1227,13 +1245,10 @@ func stringToCm(token string) (e, m uint8, ok bool) { e = 0 val = cmeters } - for val > 10 { + for val >= 10 { e++ val /= 10 } - if e > 9 { - ok = false - } m = uint8(val) return } 
@@ -1275,6 +1290,9 @@ func appendOrigin(name, origin string) string { // LOC record helper function func locCheckNorth(token string, latitude uint32) (uint32, bool) { + if latitude > 90 * 1000 * 60 * 60 { + return latitude, false + } switch token { case "n", "N": return LOC_EQUATOR + latitude, true @@ -1286,6 +1304,9 @@ func locCheckNorth(token string, latitude uint32) (uint32, bool) { // LOC record helper function func locCheckEast(token string, longitude uint32) (uint32, bool) { + if longitude > 180 * 1000 * 60 * 60 { + return longitude, false + } switch token { case "e", "E": return LOC_EQUATOR + longitude, true diff --git a/vendor/github.com/miekg/dns/scan_rr.go b/vendor/github.com/miekg/dns/scan_rr.go index 11b08ad1..69f10052 100644 --- a/vendor/github.com/miekg/dns/scan_rr.go +++ b/vendor/github.com/miekg/dns/scan_rr.go @@ -590,7 +590,7 @@ func (rr *LOC) parse(c *zlexer, o string) *ParseError { // North l, _ := c.Next() i, e := strconv.ParseUint(l.token, 10, 32) - if e != nil || l.err { + if e != nil || l.err || i > 90 { return &ParseError{"", "bad LOC Latitude", l} } rr.Latitude = 1000 * 60 * 60 * uint32(i) @@ -601,7 +601,7 @@ func (rr *LOC) parse(c *zlexer, o string) *ParseError { if rr.Latitude, ok = locCheckNorth(l.token, rr.Latitude); ok { goto East } - if i, err := strconv.ParseUint(l.token, 10, 32); err != nil || l.err { + if i, err := strconv.ParseUint(l.token, 10, 32); err != nil || l.err || i > 59 { return &ParseError{"", "bad LOC Latitude minutes", l} } else { rr.Latitude += 1000 * 60 * uint32(i) @@ -609,7 +609,7 @@ func (rr *LOC) parse(c *zlexer, o string) *ParseError { c.Next() // zBlank l, _ = c.Next() - if i, err := strconv.ParseFloat(l.token, 32); err != nil || l.err { + if i, err := strconv.ParseFloat(l.token, 32); err != nil || l.err || i < 0 || i >= 60 { return &ParseError{"", "bad LOC Latitude seconds", l} } else { rr.Latitude += uint32(1000 * i) 
@@ -627,7 +627,7 @@ East: // East c.Next() // zBlank l, _ = c.Next() - if i, err := strconv.ParseUint(l.token, 10, 32); err != nil || l.err { + if i, err := strconv.ParseUint(l.token, 10, 32); err != nil || l.err || i > 180 { return &ParseError{"", "bad LOC Longitude", l} } else { rr.Longitude = 1000 * 60 * 60 * uint32(i) @@ -638,14 +638,14 @@ East: if rr.Longitude, ok = locCheckEast(l.token, rr.Longitude); ok { goto Altitude } - if i, err := strconv.ParseUint(l.token, 10, 32); err != nil || l.err { + if i, err := strconv.ParseUint(l.token, 10, 32); err != nil || l.err || i > 59 { return &ParseError{"", "bad LOC Longitude minutes", l} } else { rr.Longitude += 1000 * 60 * uint32(i) } c.Next() // zBlank l, _ = c.Next() - if i, err := strconv.ParseFloat(l.token, 32); err != nil || l.err { + if i, err := strconv.ParseFloat(l.token, 32); err != nil || l.err || i < 0 || i >= 60 { return &ParseError{"", "bad LOC Longitude seconds", l} } else { rr.Longitude += uint32(1000 * i) @@ -668,7 +668,7 @@ Altitude: if l.token[len(l.token)-1] == 'M' || l.token[len(l.token)-1] == 'm' { l.token = l.token[0 : len(l.token)-1] } - if i, err := strconv.ParseFloat(l.token, 32); err != nil { + if i, err := strconv.ParseFloat(l.token, 64); err != nil { return &ParseError{"", "bad LOC Altitude", l} } else { rr.Altitude = uint32(i*100.0 + 10000000.0 + 0.5) @@ -893,8 +893,7 @@ func (rr *RRSIG) parse(c *zlexer, o string) *ParseError { l, _ = c.Next() if i, err := StringToTime(l.token); err != nil { // Try to see if all numeric and use it as epoch - if i, err := strconv.ParseInt(l.token, 10, 64); err == nil { - // TODO(miek): error out on > MAX_UINT32, same below + if i, err := strconv.ParseUint(l.token, 10, 32); err == nil { rr.Expiration = uint32(i) } else { return &ParseError{"", "bad RRSIG Expiration", l} 
@@ -906,7 +905,7 @@ func (rr *RRSIG) parse(c *zlexer, o string) *ParseError { c.Next() // zBlank l, _ = c.Next() if i, err := StringToTime(l.token); err != nil { - if i, err := strconv.ParseInt(l.token, 10, 64); err == nil { + if i, err := strconv.ParseUint(l.token, 10, 32); err == nil { rr.Inception = uint32(i) } else { return &ParseError{"", "bad RRSIG Inception", l} diff --git a/vendor/github.com/miekg/dns/serve_mux.go b/vendor/github.com/miekg/dns/serve_mux.go index aadb0bf0..e7f36e22 100644 --- a/vendor/github.com/miekg/dns/serve_mux.go +++ b/vendor/github.com/miekg/dns/serve_mux.go @@ -91,7 +91,7 @@ func (mux *ServeMux) HandleRemove(pattern string) { // are redirected to the parent zone (if that is also registered), // otherwise the child gets the query. // -// If no handler is found, or there is no question, a standard SERVFAIL +// If no handler is found, or there is no question, a standard REFUSED // message is returned func (mux *ServeMux) ServeDNS(w ResponseWriter, req *Msg) { var h Handler @@ -102,7 +102,7 @@ func (mux *ServeMux) ServeDNS(w ResponseWriter, req *Msg) { if h != nil { h.ServeDNS(w, req) } else { - HandleFailed(w, req) + handleRefused(w, req) } } diff --git a/vendor/github.com/miekg/dns/server.go b/vendor/github.com/miekg/dns/server.go index 3cf1a024..77b43dea 100644 --- a/vendor/github.com/miekg/dns/server.go +++ b/vendor/github.com/miekg/dns/server.go @@ -78,7 +78,15 @@ type response struct { writer Writer // writer to output the raw DNS bits } +// handleRefused returns a HandlerFunc that returns REFUSED for every request it gets. +func handleRefused(w ResponseWriter, r *Msg) { + m := new(Msg) + m.SetRcode(r, RcodeRefused) + w.WriteMsg(m) +} + // HandleFailed returns a HandlerFunc that returns SERVFAIL for every request it gets. +// Deprecated: This function is going away. func HandleFailed(w ResponseWriter, r *Msg) { m := new(Msg) m.SetRcode(r, RcodeServerFailure) 
diff --git a/vendor/github.com/miekg/dns/svcb.go b/vendor/github.com/miekg/dns/svcb.go
new file mode 100644
index 00000000..ec124c73
--- /dev/null
+++ b/vendor/github.com/miekg/dns/svcb.go
@@ -0,0 +1,773 @@
+package dns
+
+import (
+ "bytes"
+ "encoding/binary"
+ "errors"
+ "net"
+ "sort"
+ "strconv"
+ "strings"
+)
+
+type SVCBKey uint16
+
+// Keys defined in draft-ietf-dnsop-svcb-https-02 Section 11.1.2
+const (
+ SVCB_MANDATORY SVCBKey = 0
+ SVCB_ALPN SVCBKey = 1
+ SVCB_NO_DEFAULT_ALPN SVCBKey = 2
+ SVCB_PORT SVCBKey = 3
+ SVCB_IPV4HINT SVCBKey = 4
+ SVCB_ECHCONFIG SVCBKey = 5
+ SVCB_IPV6HINT SVCBKey = 6
+ svcb_RESERVED SVCBKey = 65535
+)
+
+var svcbKeyToStringMap = map[SVCBKey]string{
+ SVCB_MANDATORY: "mandatory",
+ SVCB_ALPN: "alpn",
+ SVCB_NO_DEFAULT_ALPN: "no-default-alpn",
+ SVCB_PORT: "port",
+ SVCB_IPV4HINT: "ipv4hint",
+ SVCB_ECHCONFIG: "echconfig",
+ SVCB_IPV6HINT: "ipv6hint",
+}
+
+var svcbStringToKeyMap = reverseSVCBKeyMap(svcbKeyToStringMap)
+
+func reverseSVCBKeyMap(m map[SVCBKey]string) map[string]SVCBKey {
+ n := make(map[string]SVCBKey, len(m))
+ for u, s := range m {
+ n[s] = u
+ }
+ return n
+}
+
+// String takes the numerical code of an SVCB key and returns its name.
+// Returns an empty string for reserved keys.
+// Accepts unassigned keys as well as experimental/private keys.
+func (key SVCBKey) String() string {
+ if x := svcbKeyToStringMap[key]; x != "" {
+ return x
+ }
+ if key == svcb_RESERVED {
+ return ""
+ }
+ return "key" + strconv.FormatUint(uint64(key), 10)
+}
+
+// svcbStringToKey returns the numerical code of an SVCB key.
+// Returns svcb_RESERVED for reserved/invalid keys.
+// Accepts unassigned keys as well as experimental/private keys.
+func svcbStringToKey(s string) SVCBKey {
+ if strings.HasPrefix(s, "key") {
+ a, err := strconv.ParseUint(s[3:], 10, 16)
+ // no leading zeros
+ // key shouldn't be registered
+ if err != nil || a == 65535 || s[3] == '0' || svcbKeyToStringMap[SVCBKey(a)] != "" {
+ return svcb_RESERVED
+ }
+ return SVCBKey(a)
+ }
+ if key, ok := svcbStringToKeyMap[s]; ok {
+ return key
+ }
+ return svcb_RESERVED
+}
+
+func (rr *SVCB) parse(c *zlexer, o string) *ParseError {
+ l, _ := c.Next()
+ i, e := strconv.ParseUint(l.token, 10, 16)
+ if e != nil || l.err {
+ return &ParseError{l.token, "bad SVCB priority", l}
+ }
+ rr.Priority = uint16(i)
+
+ c.Next() // zBlank
+ l, _ = c.Next() // zString
+ rr.Target = l.token
+
+ name, nameOk := toAbsoluteName(l.token, o)
+ if l.err || !nameOk {
+ return &ParseError{l.token, "bad SVCB Target", l}
+ }
+ rr.Target = name
+
+ // Values (if any)
+ l, _ = c.Next()
+ var xs []SVCBKeyValue
+ // Helps require whitespace between pairs.
+ // Prevents key1000="a"key1001=...
+ canHaveNextKey := true
+ for l.value != zNewline && l.value != zEOF {
+ switch l.value {
+ case zString:
+ if !canHaveNextKey {
+ // The key we can now read was probably meant to be
+ // a part of the last value.
+ return &ParseError{l.token, "bad SVCB value quotation", l}
+ }
+
+ // In key=value pairs, value does not have to be quoted unless value
+ // contains whitespace. And keys don't need to have values.
+ // Similarly, keys with an equality signs after them don't need values.
+ // l.token includes at least up to the first equality sign.
+ idx := strings.IndexByte(l.token, '=')
+ var key, value string
+ if idx < 0 {
+ // Key with no value and no equality sign
+ key = l.token
+ } else if idx == 0 {
+ return &ParseError{l.token, "bad SVCB key", l}
+ } else {
+ key, value = l.token[:idx], l.token[idx+1:]
+
+ if value == "" {
+ // We have a key and an equality sign. Maybe we have nothing
+ // after "=" or we have a double quote.
+ l, _ = c.Next() + if l.value == zQuote { + // Only needed when value ends with double quotes. + // Any value starting with zQuote ends with it. + canHaveNextKey = false + + l, _ = c.Next() + switch l.value { + case zString: + // We have a value in double quotes. + value = l.token + l, _ = c.Next() + if l.value != zQuote { + return &ParseError{l.token, "SVCB unterminated value", l} + } + case zQuote: + // There's nothing in double quotes. + default: + return &ParseError{l.token, "bad SVCB value", l} + } + } + } + } + kv := makeSVCBKeyValue(svcbStringToKey(key)) + if kv == nil { + return &ParseError{l.token, "bad SVCB key", l} + } + if err := kv.parse(value); err != nil { + return &ParseError{l.token, err.Error(), l} + } + xs = append(xs, kv) + case zQuote: + return &ParseError{l.token, "SVCB key can't contain double quotes", l} + case zBlank: + canHaveNextKey = true + default: + return &ParseError{l.token, "bad SVCB values", l} + } + l, _ = c.Next() + } + rr.Value = xs + if rr.Priority == 0 && len(xs) > 0 { + return &ParseError{l.token, "SVCB aliasform can't have values", l} + } + return nil +} + +// makeSVCBKeyValue returns an SVCBKeyValue struct with the key +// or nil for reserved keys. +func makeSVCBKeyValue(key SVCBKey) SVCBKeyValue { + switch key { + case SVCB_MANDATORY: + return new(SVCBMandatory) + case SVCB_ALPN: + return new(SVCBAlpn) + case SVCB_NO_DEFAULT_ALPN: + return new(SVCBNoDefaultAlpn) + case SVCB_PORT: + return new(SVCBPort) + case SVCB_IPV4HINT: + return new(SVCBIPv4Hint) + case SVCB_ECHCONFIG: + return new(SVCBECHConfig) + case SVCB_IPV6HINT: + return new(SVCBIPv6Hint) + case svcb_RESERVED: + return nil + default: + e := new(SVCBLocal) + e.KeyCode = key + return e + } +} + +// SVCB RR. See RFC xxxx (https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-00) + +// The one with the smallest priority should be given preference. Of those with +// equal priority, a random one should be preferred for load balancing. 
+type SVCB struct { + Hdr RR_Header + Priority uint16 + Target string `dns:"domain-name"` + Value []SVCBKeyValue `dns:"pairs"` // This must be empty if Priority is non-zero +} + +// HTTPS RR. Everything valid for SVCB applies to HTTPS as well +// except that the HTTPS record is intended for use with the HTTP and HTTPS protocols. +type HTTPS struct { + SVCB +} + +func (rr *HTTPS) String() string { + return rr.SVCB.String() +} + +func (rr *HTTPS) parse(c *zlexer, o string) *ParseError { + return rr.SVCB.parse(c, o) +} + +// SVCBKeyValue defines a key=value pair for the SVCB RR type. +// An SVCB RR can have multiple SVCBKeyValues appended to it. +type SVCBKeyValue interface { + // Key returns the numerical key code. + Key() SVCBKey + // pack returns the encoded value. + pack() ([]byte, error) + // unpack sets the value. + unpack([]byte) error + // String returns the string representation of the value. + String() string + // parse sets the value to the given string representation of the value. + parse(string) error + // copy returns a deep-copy of the pair. + copy() SVCBKeyValue + // len returns the length of value in the wire format. + len() int +} + +// SVCBMandatory pair adds to required keys that must be interpreted for the RR +// to be functional. +// Basic use pattern for creating a mandatory option: +// +// o := new(dns.SVCB) +// o.Hdr.Name = "." +// o.Hdr.Rrtype = dns.TypeSVCB +// e := new(dns.SVCBMandatory) +// e.Code = []uint16{65403} +// o.Value = append(o.Value, e) +// // Then add key-value pair for key65403 +type SVCBMandatory struct { + Code []SVCBKey // Must not include mandatory +} + +func (*SVCBMandatory) Key() SVCBKey { return SVCB_MANDATORY } + +func (s *SVCBMandatory) String() string { + str := make([]string, len(s.Code)) + for i, e := range s.Code { + str[i] = e.String() + } + return strings.Join(str, ",") +} + +func (s *SVCBMandatory) pack() ([]byte, error) { + codes := append([]SVCBKey(nil), s.Code...) 
+ sort.Slice(codes, func(i, j int) bool { + return codes[i] < codes[j] + }) + b := make([]byte, 2*len(codes)) + for i, e := range codes { + binary.BigEndian.PutUint16(b[2*i:], uint16(e)) + } + return b, nil +} + +func (s *SVCBMandatory) unpack(b []byte) error { + if len(b)%2 != 0 { + return errors.New("dns: svcbmandatory: value length is not a multiple of 2") + } + codes := make([]SVCBKey, 0, len(b)/2) + for i := 0; i < len(b); i += 2 { + // We assume strictly increasing order. + codes = append(codes, SVCBKey(binary.BigEndian.Uint16(b[i:]))) + } + s.Code = codes + return nil +} + +func (s *SVCBMandatory) parse(b string) error { + str := strings.Split(b, ",") + codes := make([]SVCBKey, 0, len(str)) + for _, e := range str { + codes = append(codes, svcbStringToKey(e)) + } + s.Code = codes + return nil +} + +func (s *SVCBMandatory) len() int { + return 2 * len(s.Code) +} + +func (s *SVCBMandatory) copy() SVCBKeyValue { + return &SVCBMandatory{ + append([]SVCBKey(nil), s.Code...), + } +} + +// SVCBAlpn pair is used to list supported connection protocols. +// Protocol ids can be found at: +// https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids +// Basic use pattern for creating an alpn option: +// +// o := new(dns.HTTPS) +// o.Hdr.Name = "." +// o.Hdr.Rrtype = dns.TypeHTTPS +// e := new(dns.SVCBAlpn) +// e.Alpn = []string{"h2", "http/1.1"} +// o.Value = append(o.Value, e) +type SVCBAlpn struct { + Alpn []string +} + +func (*SVCBAlpn) Key() SVCBKey { return SVCB_ALPN } +func (s *SVCBAlpn) String() string { return strings.Join(s.Alpn, ",") } + +// The spec requires the alpn keys including \ or , to be escaped. +// In practice, no standard key including those exists. +// Therefore those characters are not escaped. 
+ +func (s *SVCBAlpn) pack() ([]byte, error) { + // Liberally estimate the size of an alpn as 10 octets + b := make([]byte, 0, 10*len(s.Alpn)) + for _, e := range s.Alpn { + if len(e) == 0 { + return nil, errors.New("dns: svcbalpn: empty alpn-id") + } + if len(e) > 255 { + return nil, errors.New("dns: svcbalpn: alpn-id too long") + } + b = append(b, byte(len(e))) + b = append(b, e...) + } + return b, nil +} + +func (s *SVCBAlpn) unpack(b []byte) error { + // Estimate the size of the smallest alpn as 4 bytes + alpn := make([]string, 0, len(b)/4) + for i := 0; i < len(b); { + length := int(b[i]) + i++ + if i+length > len(b) { + return errors.New("dns: svcbalpn: alpn array overflowing") + } + alpn = append(alpn, string(b[i:i+length])) + i += length + } + s.Alpn = alpn + return nil +} + +func (s *SVCBAlpn) parse(b string) error { + s.Alpn = strings.Split(b, ",") + return nil +} + +func (s *SVCBAlpn) len() int { + var l int + for _, e := range s.Alpn { + l += 1 + len(e) + } + return l +} + +func (s *SVCBAlpn) copy() SVCBKeyValue { + return &SVCBAlpn{ + append([]string(nil), s.Alpn...), + } +} + +// SVCBNoDefaultAlpn pair signifies no support for default connection protocols. +// Basic use pattern for creating a no-default-alpn option: +// +// o := new(dns.SVCB) +// o.Hdr.Name = "." 
+// o.Hdr.Rrtype = dns.SVCB +// e := new(dns.SVCBNoDefaultAlpn) +// o.Value = append(o.Value, e) +type SVCBNoDefaultAlpn struct { + // Empty +} + +func (*SVCBNoDefaultAlpn) Key() SVCBKey { return SVCB_NO_DEFAULT_ALPN } +func (*SVCBNoDefaultAlpn) copy() SVCBKeyValue { return &SVCBNoDefaultAlpn{} } +func (*SVCBNoDefaultAlpn) pack() ([]byte, error) { return []byte{}, nil } +func (*SVCBNoDefaultAlpn) String() string { return "" } +func (*SVCBNoDefaultAlpn) len() int { return 0 } + +func (*SVCBNoDefaultAlpn) unpack(b []byte) error { + if len(b) != 0 { + return errors.New("dns: svcbnodefaultalpn: no_default_alpn must have no value") + } + return nil +} + +func (*SVCBNoDefaultAlpn) parse(b string) error { + if len(b) != 0 { + return errors.New("dns: svcbnodefaultalpn: no_default_alpn must have no value") + } + return nil +} + +// SVCBPort pair defines the port for connection. +// Basic use pattern for creating a port option: +// +// o := new(dns.SVCB) +// o.Hdr.Name = "." +// o.Hdr.Rrtype = dns.SVCB +// e := new(dns.SVCBPort) +// e.Port = 80 +// o.Value = append(o.Value, e) +type SVCBPort struct { + Port uint16 +} + +func (*SVCBPort) Key() SVCBKey { return SVCB_PORT } +func (*SVCBPort) len() int { return 2 } +func (s *SVCBPort) String() string { return strconv.FormatUint(uint64(s.Port), 10) } +func (s *SVCBPort) copy() SVCBKeyValue { return &SVCBPort{s.Port} } + +func (s *SVCBPort) unpack(b []byte) error { + if len(b) != 2 { + return errors.New("dns: svcbport: port length is not exactly 2 octets") + } + s.Port = binary.BigEndian.Uint16(b) + return nil +} + +func (s *SVCBPort) pack() ([]byte, error) { + b := make([]byte, 2) + binary.BigEndian.PutUint16(b, s.Port) + return b, nil +} + +func (s *SVCBPort) parse(b string) error { + port, err := strconv.ParseUint(b, 10, 16) + if err != nil { + return errors.New("dns: svcbport: port out of range") + } + s.Port = uint16(port) + return nil +} + +// SVCBIPv4Hint pair suggests an IPv4 address which may be used to open connections 
+// if A and AAAA record responses for SVCB's Target domain haven't been received. +// In that case, optionally, A and AAAA requests can be made, after which the connection +// to the hinted IP address may be terminated and a new connection may be opened. +// Basic use pattern for creating an ipv4hint option: +// +// o := new(dns.HTTPS) +// o.Hdr.Name = "." +// o.Hdr.Rrtype = dns.HTTPS +// e := new(dns.SVCBIPv4Hint) +// e.Hint = []net.IP{net.IPv4(1,1,1,1).To4()} +// // or +// e.Hint = []net.IP{net.ParseIP("1.1.1.1").To4()} +// o.Value = append(o.Value, e) +type SVCBIPv4Hint struct { + Hint []net.IP +} + +func (*SVCBIPv4Hint) Key() SVCBKey { return SVCB_IPV4HINT } +func (s *SVCBIPv4Hint) len() int { return 4 * len(s.Hint) } + +func (s *SVCBIPv4Hint) pack() ([]byte, error) { + b := make([]byte, 0, 4*len(s.Hint)) + for _, e := range s.Hint { + x := e.To4() + if x == nil { + return nil, errors.New("dns: svcbipv4hint: expected ipv4, hint is ipv6") + } + b = append(b, x...) + } + return b, nil +} + +func (s *SVCBIPv4Hint) unpack(b []byte) error { + if len(b) == 0 || len(b)%4 != 0 { + return errors.New("dns: svcbipv4hint: ipv4 address byte array length is not a multiple of 4") + } + x := make([]net.IP, 0, len(b)/4) + for i := 0; i < len(b); i += 4 { + x = append(x, net.IP(b[i:i+4])) + } + s.Hint = x + return nil +} + +// String returns the string form of s, it returns "" if s is invalid. 
+func (s *SVCBIPv4Hint) String() string { + str := make([]string, len(s.Hint)) + for i, e := range s.Hint { + x := e.To4() + if x == nil { + return "" + } + str[i] = x.String() + } + return strings.Join(str, ",") +} + +func (s *SVCBIPv4Hint) parse(b string) error { + if strings.Contains(b, ":") { + return errors.New("dns: svcbipv4hint: expected ipv4, got ipv6") + } + str := strings.Split(b, ",") + dst := make([]net.IP, len(str)) + for i, e := range str { + ip := net.ParseIP(e).To4() + if ip == nil { + return errors.New("dns: svcbipv4hint: bad ip") + } + dst[i] = ip + } + s.Hint = dst + return nil +} + +func (s *SVCBIPv4Hint) copy() SVCBKeyValue { + return &SVCBIPv4Hint{ + append([]net.IP(nil), s.Hint...), + } +} + +// SVCBECHConfig pair contains the ECHConfig structure defined in draft-ietf-tls-esni [RFC xxxx]. +// Basic use pattern for creating an echconfig option: +// +// o := new(dns.HTTPS) +// o.Hdr.Name = "." +// o.Hdr.Rrtype = dns.HTTPS +// e := new(dns.SVCBECHConfig) +// e.ECH = "/wH...=" +// o.Value = append(o.Value, e) +type SVCBECHConfig struct { + ECH []byte +} + +func (*SVCBECHConfig) Key() SVCBKey { return SVCB_ECHCONFIG } +func (s *SVCBECHConfig) String() string { return toBase64(s.ECH) } +func (s *SVCBECHConfig) len() int { return len(s.ECH) } + +func (s *SVCBECHConfig) pack() ([]byte, error) { + return append([]byte(nil), s.ECH...), nil +} + +func (s *SVCBECHConfig) copy() SVCBKeyValue { + return &SVCBECHConfig{ + append([]byte(nil), s.ECH...), + } +} + +func (s *SVCBECHConfig) unpack(b []byte) error { + s.ECH = append([]byte(nil), b...) + return nil +} +func (s *SVCBECHConfig) parse(b string) error { + x, err := fromBase64([]byte(b)) + if err != nil { + return errors.New("dns: svcbechconfig: bad base64 echconfig") + } + s.ECH = x + return nil +} + +// SVCBIPv6Hint pair suggests an IPv6 address which may be used to open connections +// if A and AAAA record responses for SVCB's Target domain haven't been received. 
+// In that case, optionally, A and AAAA requests can be made, after which the +// connection to the hinted IP address may be terminated and a new connection may be opened. +// Basic use pattern for creating an ipv6hint option: +// +// o := new(dns.HTTPS) +// o.Hdr.Name = "." +// o.Hdr.Rrtype = dns.HTTPS +// e := new(dns.SVCBIPv6Hint) +// e.Hint = []net.IP{net.ParseIP("2001:db8::1")} +// o.Value = append(o.Value, e) +type SVCBIPv6Hint struct { + Hint []net.IP +} + +func (*SVCBIPv6Hint) Key() SVCBKey { return SVCB_IPV6HINT } +func (s *SVCBIPv6Hint) len() int { return 16 * len(s.Hint) } + +func (s *SVCBIPv6Hint) pack() ([]byte, error) { + b := make([]byte, 0, 16*len(s.Hint)) + for _, e := range s.Hint { + if len(e) != net.IPv6len || e.To4() != nil { + return nil, errors.New("dns: svcbipv6hint: expected ipv6, hint is ipv4") + } + b = append(b, e...) + } + return b, nil +} + +func (s *SVCBIPv6Hint) unpack(b []byte) error { + if len(b) == 0 || len(b)%16 != 0 { + return errors.New("dns: svcbipv6hint: ipv6 address byte array length not a multiple of 16") + } + x := make([]net.IP, 0, len(b)/16) + for i := 0; i < len(b); i += 16 { + ip := net.IP(b[i : i+16]) + if ip.To4() != nil { + return errors.New("dns: svcbipv6hint: expected ipv6, got ipv4") + } + x = append(x, ip) + } + s.Hint = x + return nil +} + +// String returns the string form of s, it returns "" if s is invalid. 
+func (s *SVCBIPv6Hint) String() string { + str := make([]string, len(s.Hint)) + for i, e := range s.Hint { + if x := e.To4(); x != nil { + return "" + } + str[i] = e.String() + } + return strings.Join(str, ",") +} + +func (s *SVCBIPv6Hint) parse(b string) error { + if strings.Contains(b, ".") { + return errors.New("dns: svcbipv6hint: expected ipv6, got ipv4") + } + str := strings.Split(b, ",") + dst := make([]net.IP, len(str)) + for i, e := range str { + ip := net.ParseIP(e) + if ip == nil { + return errors.New("dns: svcbipv6hint: bad ip") + } + dst[i] = ip + } + s.Hint = dst + return nil +} + +func (s *SVCBIPv6Hint) copy() SVCBKeyValue { + return &SVCBIPv6Hint{ + append([]net.IP(nil), s.Hint...), + } +} + +// SVCBLocal pair is intended for experimental/private use. The key is recommended +// to be in the range [SVCB_PRIVATE_LOWER, SVCB_PRIVATE_UPPER]. +// Basic use pattern for creating a keyNNNNN option: +// +// o := new(dns.HTTPS) +// o.Hdr.Name = "." +// o.Hdr.Rrtype = dns.HTTPS +// e := new(dns.SVCBLocal) +// e.KeyCode = 65400 +// e.Data = []byte("abc") +// o.Value = append(o.Value, e) +type SVCBLocal struct { + KeyCode SVCBKey // Never 65535 or any assigned keys + Data []byte // All byte sequences are allowed +} + +func (s *SVCBLocal) Key() SVCBKey { return s.KeyCode } +func (s *SVCBLocal) pack() ([]byte, error) { return append([]byte(nil), s.Data...), nil } +func (s *SVCBLocal) len() int { return len(s.Data) } + +func (s *SVCBLocal) unpack(b []byte) error { + s.Data = append([]byte(nil), b...) 
+ return nil +} + +func (s *SVCBLocal) String() string { + var str strings.Builder + str.Grow(4 * len(s.Data)) + for _, e := range s.Data { + if ' ' <= e && e <= '~' { + switch e { + case '"', ';', ' ', '\\': + str.WriteByte('\\') + str.WriteByte(e) + default: + str.WriteByte(e) + } + } else { + str.WriteString(escapeByte(e)) + } + } + return str.String() +} + +func (s *SVCBLocal) parse(b string) error { + data := make([]byte, 0, len(b)) + for i := 0; i < len(b); { + if b[i] != '\\' { + data = append(data, b[i]) + i++ + continue + } + if i+1 == len(b) { + return errors.New("dns: svcblocal: svcb private/experimental key escape unterminated") + } + if isDigit(b[i+1]) { + if i+3 < len(b) && isDigit(b[i+2]) && isDigit(b[i+3]) { + a, err := strconv.ParseUint(b[i+1:i+4], 10, 8) + if err == nil { + i += 4 + data = append(data, byte(a)) + continue + } + } + return errors.New("dns: svcblocal: svcb private/experimental key bad escaped octet") + } else { + data = append(data, b[i+1]) + i += 2 + } + } + s.Data = data + return nil +} + +func (s *SVCBLocal) copy() SVCBKeyValue { + return &SVCBLocal{s.KeyCode, + append([]byte(nil), s.Data...), + } +} + +func (rr *SVCB) String() string { + s := rr.Hdr.String() + + strconv.Itoa(int(rr.Priority)) + " " + + sprintName(rr.Target) + for _, e := range rr.Value { + s += " " + e.Key().String() + "=\"" + e.String() + "\"" + } + return s +} + +// areSVCBPairArraysEqual checks if SVCBKeyValue arrays are equal after sorting their +// copies. arrA and arrB have equal lengths, otherwise zduplicate.go wouldn't call this function. +func areSVCBPairArraysEqual(a []SVCBKeyValue, b []SVCBKeyValue) bool { + a = append([]SVCBKeyValue(nil), a...) + b = append([]SVCBKeyValue(nil), b...) 
+ sort.Slice(a, func(i, j int) bool { return a[i].Key() < a[j].Key() }) + sort.Slice(b, func(i, j int) bool { return b[i].Key() < b[j].Key() }) + for i, e := range a { + if e.Key() != b[i].Key() { + return false + } + b1, err1 := e.pack() + b2, err2 := b[i].pack() + if err1 != nil || err2 != nil || !bytes.Equal(b1, b2) { + return false + } + } + return true +} diff --git a/vendor/github.com/miekg/dns/types.go b/vendor/github.com/miekg/dns/types.go index 7776b4f0..1f385bd2 100644 --- a/vendor/github.com/miekg/dns/types.go +++ b/vendor/github.com/miekg/dns/types.go @@ -81,6 +81,8 @@ const ( TypeCDNSKEY uint16 = 60 TypeOPENPGPKEY uint16 = 61 TypeCSYNC uint16 = 62 + TypeSVCB uint16 = 64 + TypeHTTPS uint16 = 65 TypeSPF uint16 = 99 TypeUINFO uint16 = 100 TypeUID uint16 = 101 diff --git a/vendor/github.com/miekg/dns/version.go b/vendor/github.com/miekg/dns/version.go index 26403f30..4defdb57 100644 --- a/vendor/github.com/miekg/dns/version.go +++ b/vendor/github.com/miekg/dns/version.go @@ -3,7 +3,7 @@ package dns import "fmt" // Version is current version of this library. -var Version = v{1, 1, 31} +var Version = v{1, 1, 32} // v holds the version of this library. type v struct { diff --git a/vendor/github.com/miekg/dns/zduplicate.go b/vendor/github.com/miekg/dns/zduplicate.go index d7ec2d97..0d3b34bd 100644 --- a/vendor/github.com/miekg/dns/zduplicate.go +++ b/vendor/github.com/miekg/dns/zduplicate.go @@ -402,6 +402,27 @@ func (r1 *HIP) isDuplicate(_r2 RR) bool { return true } +func (r1 *HTTPS) isDuplicate(_r2 RR) bool { + r2, ok := _r2.(*HTTPS) + if !ok { + return false + } + _ = r2 + if r1.Priority != r2.Priority { + return false + } + if !isDuplicateName(r1.Target, r2.Target) { + return false + } + if len(r1.Value) != len(r2.Value) { + return false + } + if !areSVCBPairArraysEqual(r1.Value, r2.Value) { + return false + } + return true +} + func (r1 *KEY) isDuplicate(_r2 RR) bool { r2, ok := _r2.(*KEY) if !ok { 
@@ -1076,6 +1097,27 @@ func (r1 *SSHFP) isDuplicate(_r2 RR) bool { return true } +func (r1 *SVCB) isDuplicate(_r2 RR) bool { + r2, ok := _r2.(*SVCB) + if !ok { + return false + } + _ = r2 + if r1.Priority != r2.Priority { + return false + } + if !isDuplicateName(r1.Target, r2.Target) { + return false + } + if len(r1.Value) != len(r2.Value) { + return false + } + if !areSVCBPairArraysEqual(r1.Value, r2.Value) { + return false + } + return true +} + func (r1 *TA) isDuplicate(_r2 RR) bool { r2, ok := _r2.(*TA) if !ok { diff --git a/vendor/github.com/miekg/dns/zmsg.go b/vendor/github.com/miekg/dns/zmsg.go index 02a5dfa4..d24a10fa 100644 --- a/vendor/github.com/miekg/dns/zmsg.go +++ b/vendor/github.com/miekg/dns/zmsg.go @@ -316,6 +316,22 @@ func (rr *HIP) pack(msg []byte, off int, compression compressionMap, compress bo return off, nil } +func (rr *HTTPS) pack(msg []byte, off int, compression compressionMap, compress bool) (off1 int, err error) { + off, err = packUint16(rr.Priority, msg, off) + if err != nil { + return off, err + } + off, err = packDomainName(rr.Target, msg, off, compression, false) + if err != nil { + return off, err + } + off, err = packDataSVCB(rr.Value, msg, off) + if err != nil { + return off, err + } + return off, nil +} + func (rr *KEY) pack(msg []byte, off int, compression compressionMap, compress bool) (off1 int, err error) { off, err = packUint16(rr.Flags, msg, off) if err != nil { 
@@ -906,6 +922,22 @@ func (rr *SSHFP) pack(msg []byte, off int, compression compressionMap, compress return off, nil } +func (rr *SVCB) pack(msg []byte, off int, compression compressionMap, compress bool) (off1 int, err error) { + off, err = packUint16(rr.Priority, msg, off) + if err != nil { + return off, err + } + off, err = packDomainName(rr.Target, msg, off, compression, false) + if err != nil { + return off, err + } + off, err = packDataSVCB(rr.Value, msg, off) + if err != nil { + return off, err + } + return off, nil +} + func (rr *TA) pack(msg []byte, off int, compression compressionMap, compress bool) (off1 int, err error) { off, err = packUint16(rr.KeyTag, msg, off) if err != nil { @@ -1559,6 +1591,31 @@ func (rr *HIP) unpack(msg []byte, off int) (off1 int, err error) { return off, nil } +func (rr *HTTPS) unpack(msg []byte, off int) (off1 int, err error) { + rdStart := off + _ = rdStart + + rr.Priority, off, err = unpackUint16(msg, off) + if err != nil { + return off, err + } + if off == len(msg) { + return off, nil + } + rr.Target, off, err = UnpackDomainName(msg, off) + if err != nil { + return off, err + } + if off == len(msg) { + return off, nil + } + rr.Value, off, err = unpackDataSVCB(msg, off) + if err != nil { + return off, err + } + return off, nil +} + func (rr *KEY) unpack(msg []byte, off int) (off1 int, err error) { rdStart := off _ = rdStart 
@@ -2461,6 +2518,31 @@ func (rr *SSHFP) unpack(msg []byte, off int) (off1 int, err error) { return off, nil } +func (rr *SVCB) unpack(msg []byte, off int) (off1 int, err error) { + rdStart := off + _ = rdStart + + rr.Priority, off, err = unpackUint16(msg, off) + if err != nil { + return off, err + } + if off == len(msg) { + return off, nil + } + rr.Target, off, err = UnpackDomainName(msg, off) + if err != nil { + return off, err + } + if off == len(msg) { + return off, nil + } + rr.Value, off, err = unpackDataSVCB(msg, off) + if err != nil { + return off, err + } + return off, nil +} + func (rr *TA) unpack(msg []byte, off int) (off1 int, err error) { rdStart := off _ = rdStart diff --git a/vendor/github.com/miekg/dns/ztypes.go b/vendor/github.com/miekg/dns/ztypes.go index 5bb59fa6..11b51bf2 100644 --- a/vendor/github.com/miekg/dns/ztypes.go +++ b/vendor/github.com/miekg/dns/ztypes.go @@ -33,6 +33,7 @@ var TypeToRR = map[uint16]func() RR{ TypeGPOS: func() RR { return new(GPOS) }, TypeHINFO: func() RR { return new(HINFO) }, TypeHIP: func() RR { return new(HIP) }, + TypeHTTPS: func() RR { return new(HTTPS) }, TypeKEY: func() RR { return new(KEY) }, TypeKX: func() RR { return new(KX) }, TypeL32: func() RR { return new(L32) }, @@ -70,6 +71,7 @@ var TypeToRR = map[uint16]func() RR{ TypeSPF: func() RR { return new(SPF) }, TypeSRV: func() RR { return new(SRV) }, TypeSSHFP: func() RR { return new(SSHFP) }, + TypeSVCB: func() RR { return new(SVCB) }, TypeTA: func() RR { return new(TA) }, TypeTALINK: func() RR { return new(TALINK) }, TypeTKEY: func() RR { return new(TKEY) }, @@ -110,6 +112,7 @@ var TypeToString = map[uint16]string{ TypeGPOS: "GPOS", TypeHINFO: "HINFO", TypeHIP: "HIP", + TypeHTTPS: "HTTPS", TypeISDN: "ISDN", TypeIXFR: "IXFR", TypeKEY: "KEY", @@ -153,6 +156,7 @@ var TypeToString = map[uint16]string{ TypeSPF: "SPF", TypeSRV: "SRV", TypeSSHFP: "SSHFP", + TypeSVCB: "SVCB", TypeTA: "TA", TypeTALINK: "TALINK", TypeTKEY: "TKEY", 
@@ -191,6 +195,7 @@ func (rr *GID) Header() *RR_Header { return &rr.Hdr } func (rr *GPOS) Header() *RR_Header { return &rr.Hdr } func (rr *HINFO) Header() *RR_Header { return &rr.Hdr } func (rr *HIP) Header() *RR_Header { return &rr.Hdr } +func (rr *HTTPS) Header() *RR_Header { return &rr.Hdr } func (rr *KEY) Header() *RR_Header { return &rr.Hdr } func (rr *KX) Header() *RR_Header { return &rr.Hdr } func (rr *L32) Header() *RR_Header { return &rr.Hdr } @@ -229,6 +234,7 @@ func (rr *SOA) Header() *RR_Header { return &rr.Hdr } func (rr *SPF) Header() *RR_Header { return &rr.Hdr } func (rr *SRV) Header() *RR_Header { return &rr.Hdr } func (rr *SSHFP) Header() *RR_Header { return &rr.Hdr } +func (rr *SVCB) Header() *RR_Header { return &rr.Hdr } func (rr *TA) Header() *RR_Header { return &rr.Hdr } func (rr *TALINK) Header() *RR_Header { return &rr.Hdr } func (rr *TKEY) Header() *RR_Header { return &rr.Hdr } @@ -592,6 +598,15 @@ func (rr *SSHFP) len(off int, compression map[string]struct{}) int { l += len(rr.FingerPrint) / 2 return l } +func (rr *SVCB) len(off int, compression map[string]struct{}) int { + l := rr.Hdr.len(off, compression) + l += 2 // Priority + l += domainNameLen(rr.Target, off+l, compression, false) + for _, x := range rr.Value { + l += 4 + int(x.len()) + } + return l +} func (rr *TA) len(off int, compression map[string]struct{}) int { l := rr.Hdr.len(off, compression) l += 2 // KeyTag @@ -753,6 +768,9 @@ func (rr *HIP) copy() RR { copy(RendezvousServers, rr.RendezvousServers) return &HIP{rr.Hdr, rr.HitLength, rr.PublicKeyAlgorithm, rr.PublicKeyLength, rr.Hit, rr.PublicKey, RendezvousServers} } +func (rr *HTTPS) copy() RR { + return &HTTPS{*rr.SVCB.copy().(*SVCB)} +} func (rr *KEY) copy() RR { return &KEY{*rr.DNSKEY.copy().(*DNSKEY)} } 
@@ -879,6 +897,13 @@ func (rr *SRV) copy() RR { func (rr *SSHFP) copy() RR { return &SSHFP{rr.Hdr, rr.Algorithm, rr.Type, rr.FingerPrint} } +func (rr *SVCB) copy() RR { + Value := make([]SVCBKeyValue, len(rr.Value)) + for i, e := range rr.Value { + Value[i] = e.copy() + } + return &SVCB{rr.Hdr, rr.Priority, rr.Target, Value} +} func (rr *TA) copy() RR { return &TA{rr.Hdr, rr.KeyTag, rr.Algorithm, rr.DigestType, rr.Digest} } diff --git a/vendor/github.com/stretchr/testify/assert/assertion_format.go b/vendor/github.com/stretchr/testify/assert/assertion_format.go index b4c46042..49370eb1 100644 --- a/vendor/github.com/stretchr/testify/assert/assertion_format.go +++ b/vendor/github.com/stretchr/testify/assert/assertion_format.go @@ -6,7 +6,6 @@ package assert import ( - io "io" http "net/http" url "net/url" time "time" @@ -202,11 +201,11 @@ func GreaterOrEqualf(t TestingT, e1 interface{}, e2 interface{}, msg string, arg // assert.HTTPBodyContainsf(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted") // // Returns whether the assertion was successful (true) or not (false). -func HTTPBodyContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msg string, args ...interface{}) bool { +func HTTPBodyContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) bool { if h, ok := t.(tHelper); ok { h.Helper() } - return HTTPBodyContains(t, handler, method, url, values, body, str, append([]interface{}{msg}, args...)...) + return HTTPBodyContains(t, handler, method, url, values, str, append([]interface{}{msg}, args...)...) } // HTTPBodyNotContainsf asserts that a specified handler returns a 
@@ -215,11 +214,11 @@ func HTTPBodyContainsf(t TestingT, handler http.HandlerFunc, method string, url // assert.HTTPBodyNotContainsf(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted") // // Returns whether the assertion was successful (true) or not (false). -func HTTPBodyNotContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msg string, args ...interface{}) bool { +func HTTPBodyNotContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) bool { if h, ok := t.(tHelper); ok { h.Helper() } - return HTTPBodyNotContains(t, handler, method, url, values, body, str, append([]interface{}{msg}, args...)...) + return HTTPBodyNotContains(t, handler, method, url, values, str, append([]interface{}{msg}, args...)...) } // HTTPErrorf asserts that a specified handler returns an error status code. diff --git a/vendor/github.com/stretchr/testify/assert/assertion_forward.go b/vendor/github.com/stretchr/testify/assert/assertion_forward.go index 9bea8d18..9db88942 100644 --- a/vendor/github.com/stretchr/testify/assert/assertion_forward.go +++ b/vendor/github.com/stretchr/testify/assert/assertion_forward.go @@ -6,7 +6,6 @@ package assert import ( - io "io" http "net/http" url "net/url" time "time" 
@@ -386,11 +385,11 @@ func (a *Assertions) Greaterf(e1 interface{}, e2 interface{}, msg string, args .
 // a.HTTPBodyContains(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func (a *Assertions) HTTPBodyContains(handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msgAndArgs ...interface{}) bool {
+func (a *Assertions) HTTPBodyContains(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) bool {
 if h, ok := a.t.(tHelper); ok {
 h.Helper()
 }
- return HTTPBodyContains(a.t, handler, method, url, values, body, str, msgAndArgs...)
+ return HTTPBodyContains(a.t, handler, method, url, values, str, msgAndArgs...)
 }
 // HTTPBodyContainsf asserts that a specified handler returns a
@@ -399,11 +398,11 @@ func (a *Assertions) HTTPBodyContains(handler http.HandlerFunc, method string, u
 // a.HTTPBodyContainsf(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func (a *Assertions) HTTPBodyContainsf(handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msg string, args ...interface{}) bool {
+func (a *Assertions) HTTPBodyContainsf(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) bool {
 if h, ok := a.t.(tHelper); ok {
 h.Helper()
 }
- return HTTPBodyContainsf(a.t, handler, method, url, values, body, str, msg, args...)
+ return HTTPBodyContainsf(a.t, handler, method, url, values, str, msg, args...)
 }
 // HTTPBodyNotContains asserts that a specified handler returns a
@@ -412,11 +411,11 @@ func (a *Assertions) HTTPBodyContainsf(handler http.HandlerFunc, method string,
 // a.HTTPBodyNotContains(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func (a *Assertions) HTTPBodyNotContains(handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msgAndArgs ...interface{}) bool {
+func (a *Assertions) HTTPBodyNotContains(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) bool {
 if h, ok := a.t.(tHelper); ok {
 h.Helper()
 }
- return HTTPBodyNotContains(a.t, handler, method, url, values, body, str, msgAndArgs...)
+ return HTTPBodyNotContains(a.t, handler, method, url, values, str, msgAndArgs...)
 }
 // HTTPBodyNotContainsf asserts that a specified handler returns a
@@ -425,11 +424,11 @@ func (a *Assertions) HTTPBodyNotContains(handler http.HandlerFunc, method string
 // a.HTTPBodyNotContainsf(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func (a *Assertions) HTTPBodyNotContainsf(handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msg string, args ...interface{}) bool {
+func (a *Assertions) HTTPBodyNotContainsf(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) bool {
 if h, ok := a.t.(tHelper); ok {
 h.Helper()
 }
- return HTTPBodyNotContainsf(a.t, handler, method, url, values, body, str, msg, args...)
+ return HTTPBodyNotContainsf(a.t, handler, method, url, values, str, msg, args...)
 }
 // HTTPError asserts that a specified handler returns an error status code.
diff --git a/vendor/github.com/stretchr/testify/assert/http_assertions.go b/vendor/github.com/stretchr/testify/assert/http_assertions.go
index 30ef7cc0..4ed341dd 100644
--- a/vendor/github.com/stretchr/testify/assert/http_assertions.go
+++ b/vendor/github.com/stretchr/testify/assert/http_assertions.go
@@ -2,7 +2,6 @@ package assert
 import (
 "fmt"
- "io"
 "net/http"
 "net/http/httptest"
 "net/url"
@@ -112,13 +111,9 @@ func HTTPStatusCode(t TestingT, handler http.HandlerFunc, method, url string, va
 // HTTPBody is a helper that returns HTTP body of the response. It returns
 // empty string if building a new request fails.
-func HTTPBody(handler http.HandlerFunc, method, url string, values url.Values, body io.Reader) string {
+func HTTPBody(handler http.HandlerFunc, method, url string, values url.Values) string {
 w := httptest.NewRecorder()
-
- if values != nil {
- url = url + "?" + values.Encode()
- }
- req, err := http.NewRequest(method, url, body)
+ req, err := http.NewRequest(method, url+"?"+values.Encode(), nil)
 if err != nil {
 return ""
 }
@@ -132,13 +127,13 @@ func HTTPBody(handler http.HandlerFunc, method, url string, values url.Values, b
 // assert.HTTPBodyContains(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func HTTPBodyContains(t TestingT, handler http.HandlerFunc, method, url string, values url.Values, body io.Reader, str interface{}, msgAndArgs ...interface{}) bool {
+func HTTPBodyContains(t TestingT, handler http.HandlerFunc, method, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) bool {
 if h, ok := t.(tHelper); ok {
 h.Helper()
 }
- httpBody := HTTPBody(handler, method, url, values, body)
+ body := HTTPBody(handler, method, url, values)
- contains := strings.Contains(httpBody, fmt.Sprint(str))
+ contains := strings.Contains(body, fmt.Sprint(str))
 if !contains {
 Fail(t, fmt.Sprintf("Expected response body for \"%s\" to contain \"%s\" but found \"%s\"", url+"?"+values.Encode(), str, body))
 }
@@ -152,13 +147,13 @@ func HTTPBodyContains(t TestingT, handler http.HandlerFunc, method, url string,
 // assert.HTTPBodyNotContains(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func HTTPBodyNotContains(t TestingT, handler http.HandlerFunc, method, url string, values url.Values, body io.Reader, str interface{}, msgAndArgs ...interface{}) bool {
+func HTTPBodyNotContains(t TestingT, handler http.HandlerFunc, method, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) bool {
 if h, ok := t.(tHelper); ok {
 h.Helper()
 }
- httpBody := HTTPBody(handler, method, url, values, body)
+ body := HTTPBody(handler, method, url, values)
- contains := strings.Contains(httpBody, fmt.Sprint(str))
+ contains := strings.Contains(body, fmt.Sprint(str))
 if contains {
 Fail(t, fmt.Sprintf("Expected response body for \"%s\" to NOT contain \"%s\" but found \"%s\"", url+"?"+values.Encode(), str, body))
 }
diff --git a/vendor/github.com/stretchr/testify/require/require.go b/vendor/github.com/stretchr/testify/require/require.go
index 693648f8..ec4624b2 100644
--- a/vendor/github.com/stretchr/testify/require/require.go
+++ b/vendor/github.com/stretchr/testify/require/require.go
@@ -7,7 +7,6 @@ package require
 import (
 assert "github.com/stretchr/testify/assert"
- io "io"
 http "net/http"
 url "net/url"
 time "time"
@@ -489,11 +488,11 @@ func Greaterf(t TestingT, e1 interface{}, e2 interface{}, msg string, args ...in
 // assert.HTTPBodyContains(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func HTTPBodyContains(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msgAndArgs ...interface{}) {
+func HTTPBodyContains(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) {
 if h, ok := t.(tHelper); ok {
 h.Helper()
 }
- if assert.HTTPBodyContains(t, handler, method, url, values, body, str, msgAndArgs...) {
+ if assert.HTTPBodyContains(t, handler, method, url, values, str, msgAndArgs...) {
 return
 }
 t.FailNow()
@@ -505,11 +504,11 @@ func HTTPBodyContains(t TestingT, handler http.HandlerFunc, method string, url s
 // assert.HTTPBodyContainsf(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func HTTPBodyContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msg string, args ...interface{}) {
+func HTTPBodyContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) {
 if h, ok := t.(tHelper); ok {
 h.Helper()
 }
- if assert.HTTPBodyContainsf(t, handler, method, url, values, body, str, msg, args...) {
+ if assert.HTTPBodyContainsf(t, handler, method, url, values, str, msg, args...) {
 return
 }
 t.FailNow()
@@ -521,11 +520,11 @@ func HTTPBodyContainsf(t TestingT, handler http.HandlerFunc, method string, url
 // assert.HTTPBodyNotContains(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func HTTPBodyNotContains(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msgAndArgs ...interface{}) {
+func HTTPBodyNotContains(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) {
 if h, ok := t.(tHelper); ok {
 h.Helper()
 }
- if assert.HTTPBodyNotContains(t, handler, method, url, values, body, str, msgAndArgs...) {
+ if assert.HTTPBodyNotContains(t, handler, method, url, values, str, msgAndArgs...) {
 return
 }
 t.FailNow()
@@ -537,11 +536,11 @@ func HTTPBodyNotContains(t TestingT, handler http.HandlerFunc, method string, ur
 // assert.HTTPBodyNotContainsf(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func HTTPBodyNotContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msg string, args ...interface{}) {
+func HTTPBodyNotContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) {
 if h, ok := t.(tHelper); ok {
 h.Helper()
 }
- if assert.HTTPBodyNotContainsf(t, handler, method, url, values, body, str, msg, args...) {
+ if assert.HTTPBodyNotContainsf(t, handler, method, url, values, str, msg, args...) {
 return
 }
 t.FailNow()
diff --git a/vendor/github.com/stretchr/testify/require/require_forward.go b/vendor/github.com/stretchr/testify/require/require_forward.go
index 84fc1c88..103d7dcb 100644
--- a/vendor/github.com/stretchr/testify/require/require_forward.go
+++ b/vendor/github.com/stretchr/testify/require/require_forward.go
@@ -7,7 +7,6 @@ package require
 import (
 assert "github.com/stretchr/testify/assert"
- io "io"
 http "net/http"
 url "net/url"
 time "time"
@@ -387,11 +386,11 @@ func (a *Assertions) Greaterf(e1 interface{}, e2 interface{}, msg string, args .
 // a.HTTPBodyContains(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func (a *Assertions) HTTPBodyContains(handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msgAndArgs ...interface{}) {
+func (a *Assertions) HTTPBodyContains(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) {
 if h, ok := a.t.(tHelper); ok {
 h.Helper()
 }
- HTTPBodyContains(a.t, handler, method, url, values, body, str, msgAndArgs...)
+ HTTPBodyContains(a.t, handler, method, url, values, str, msgAndArgs...)
 }
 // HTTPBodyContainsf asserts that a specified handler returns a
@@ -400,11 +399,11 @@ func (a *Assertions) HTTPBodyContains(handler http.HandlerFunc, method string, u
 // a.HTTPBodyContainsf(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func (a *Assertions) HTTPBodyContainsf(handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msg string, args ...interface{}) {
+func (a *Assertions) HTTPBodyContainsf(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) {
 if h, ok := a.t.(tHelper); ok {
 h.Helper()
 }
- HTTPBodyContainsf(a.t, handler, method, url, values, body, str, msg, args...)
+ HTTPBodyContainsf(a.t, handler, method, url, values, str, msg, args...)
 }
 // HTTPBodyNotContains asserts that a specified handler returns a
@@ -413,11 +412,11 @@ func (a *Assertions) HTTPBodyContainsf(handler http.HandlerFunc, method string,
 // a.HTTPBodyNotContains(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func (a *Assertions) HTTPBodyNotContains(handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msgAndArgs ...interface{}) {
+func (a *Assertions) HTTPBodyNotContains(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) {
 if h, ok := a.t.(tHelper); ok {
 h.Helper()
 }
- HTTPBodyNotContains(a.t, handler, method, url, values, body, str, msgAndArgs...)
+ HTTPBodyNotContains(a.t, handler, method, url, values, str, msgAndArgs...)
 }
 // HTTPBodyNotContainsf asserts that a specified handler returns a
@@ -426,11 +425,11 @@ func (a *Assertions) HTTPBodyNotContains(handler http.HandlerFunc, method string
 // a.HTTPBodyNotContainsf(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted")
 //
 // Returns whether the assertion was successful (true) or not (false).
-func (a *Assertions) HTTPBodyNotContainsf(handler http.HandlerFunc, method string, url string, values url.Values, body io.Reader, str interface{}, msg string, args ...interface{}) {
+func (a *Assertions) HTTPBodyNotContainsf(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) {
 if h, ok := a.t.(tHelper); ok {
 h.Helper()
 }
- HTTPBodyNotContainsf(a.t, handler, method, url, values, body, str, msg, args...)
+ HTTPBodyNotContainsf(a.t, handler, method, url, values, str, msg, args...)
 }
 // HTTPError asserts that a specified handler returns an error status code.
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305.go b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305.go
new file mode 100644
index 00000000..0d7bac3f
--- /dev/null
+++ b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305.go
@@ -0,0 +1,94 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package chacha20poly1305 implements the ChaCha20-Poly1305 AEAD and its
+// extended nonce variant XChaCha20-Poly1305, as specified in RFC 8439 and
+// draft-irtf-cfrg-xchacha-01.
+package chacha20poly1305 // import "golang.org/x/crypto/chacha20poly1305"
+
+import (
+ "crypto/cipher"
+ "errors"
+)
+
+const (
+ // KeySize is the size of the key used by this AEAD, in bytes.
+ KeySize = 32
+
+ // NonceSize is the size of the nonce used with the standard variant of this
+ // AEAD, in bytes.
+ //
+ // Note that this is too short to be safely generated at random if the same
+ // key is reused more than 2³² times.
+ NonceSize = 12
+
+ // NonceSizeX is the size of the nonce used with the XChaCha20-Poly1305
+ // variant of this AEAD, in bytes.
+ NonceSizeX = 24
+)
+
+type chacha20poly1305 struct {
+ key [KeySize]byte
+}
+
+// New returns a ChaCha20-Poly1305 AEAD that uses the given 256-bit key.
+func New(key []byte) (cipher.AEAD, error) {
+ if len(key) != KeySize {
+ return nil, errors.New("chacha20poly1305: bad key length")
+ }
+ ret := new(chacha20poly1305)
+ copy(ret.key[:], key)
+ return ret, nil
+}
+
+func (c *chacha20poly1305) NonceSize() int {
+ return NonceSize
+}
+
+func (c *chacha20poly1305) Overhead() int {
+ return 16
+}
+
+func (c *chacha20poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
+ if len(nonce) != NonceSize {
+ panic("chacha20poly1305: bad nonce length passed to Seal")
+ }
+
+ if uint64(len(plaintext)) > (1<<38)-64 {
+ panic("chacha20poly1305: plaintext too large")
+ }
+
+ return c.seal(dst, nonce, plaintext, additionalData)
+}
+
+var errOpen = errors.New("chacha20poly1305: message authentication failed")
+
+func (c *chacha20poly1305) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+ if len(nonce) != NonceSize {
+ panic("chacha20poly1305: bad nonce length passed to Open")
+ }
+ if len(ciphertext) < 16 {
+ return nil, errOpen
+ }
+ if uint64(len(ciphertext)) > (1<<38)-48 {
+ panic("chacha20poly1305: ciphertext too large")
+ }
+
+ return c.open(dst, nonce, ciphertext, additionalData)
+}
+
+// sliceForAppend takes a slice and a requested number of bytes. It returns a
+// slice with the contents of the given slice followed by that many bytes and a
+// second slice that aliases into it and contains only the extra bytes. If the
+// original slice has sufficient capacity then no allocation is performed.
+func sliceForAppend(in []byte, n int) (head, tail []byte) {
+ if total := len(in) + n; cap(in) >= total {
+ head = in[:total]
+ } else {
+ head = make([]byte, total)
+ copy(head, in)
+ }
+ tail = head[len(in):]
+ return
+}
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go
new file mode 100644
index 00000000..cda77819
--- /dev/null
+++ b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go 
@@ -0,0 +1,86 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !gccgo,!purego
+
+package chacha20poly1305
+
+import (
+ "encoding/binary"
+
+ "golang.org/x/crypto/internal/subtle"
+ "golang.org/x/sys/cpu"
+)
+
+//go:noescape
+func chacha20Poly1305Open(dst []byte, key []uint32, src, ad []byte) bool
+
+//go:noescape
+func chacha20Poly1305Seal(dst []byte, key []uint32, src, ad []byte)
+
+var (
+ useAVX2 = cpu.X86.HasAVX2 && cpu.X86.HasBMI2
+)
+
+// setupState writes a ChaCha20 input matrix to state. See
+// https://tools.ietf.org/html/rfc7539#section-2.3.
+func setupState(state *[16]uint32, key *[32]byte, nonce []byte) {
+ state[0] = 0x61707865
+ state[1] = 0x3320646e
+ state[2] = 0x79622d32
+ state[3] = 0x6b206574
+
+ state[4] = binary.LittleEndian.Uint32(key[0:4])
+ state[5] = binary.LittleEndian.Uint32(key[4:8])
+ state[6] = binary.LittleEndian.Uint32(key[8:12])
+ state[7] = binary.LittleEndian.Uint32(key[12:16])
+ state[8] = binary.LittleEndian.Uint32(key[16:20])
+ state[9] = binary.LittleEndian.Uint32(key[20:24])
+ state[10] = binary.LittleEndian.Uint32(key[24:28])
+ state[11] = binary.LittleEndian.Uint32(key[28:32])
+
+ state[12] = 0
+ state[13] = binary.LittleEndian.Uint32(nonce[0:4])
+ state[14] = binary.LittleEndian.Uint32(nonce[4:8])
+ state[15] = binary.LittleEndian.Uint32(nonce[8:12])
+}
+
+func (c *chacha20poly1305) seal(dst, nonce, plaintext, additionalData []byte) []byte {
+ if !cpu.X86.HasSSSE3 {
+ return c.sealGeneric(dst, nonce, plaintext, additionalData)
+ }
+
+ var state [16]uint32
+ setupState(&state, &c.key, nonce)
+
+ ret, out := sliceForAppend(dst, len(plaintext)+16)
+ if subtle.InexactOverlap(out, plaintext) {
+ panic("chacha20poly1305: invalid buffer overlap")
+ }
+ chacha20Poly1305Seal(out[:], state[:], plaintext, additionalData)
+ return ret
+}
+
+func (c *chacha20poly1305) open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+ if !cpu.X86.HasSSSE3 {
+ return c.openGeneric(dst, nonce, ciphertext, additionalData)
+ }
+
+ var state [16]uint32
+ setupState(&state, &c.key, nonce)
+
+ ciphertext = ciphertext[:len(ciphertext)-16]
+ ret, out := sliceForAppend(dst, len(ciphertext))
+ if subtle.InexactOverlap(out, ciphertext) {
+ panic("chacha20poly1305: invalid buffer overlap")
+ }
+ if !chacha20Poly1305Open(out, state[:], ciphertext, additionalData) {
+ for i := range out {
+ out[i] = 0
+ }
+ return nil, errOpen
+ }
+
+ return ret, nil
+}
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s
new file mode 100644
index 00000000..3469c872
--- /dev/null
+++ b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s
@@ -0,0 +1,2695 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This file was originally from https://golang.org/cl/24717 by Vlad Krasnov of CloudFlare.
+
+// +build !gccgo,!purego
+
+#include "textflag.h"
+// General register allocation
+#define oup DI
+#define inp SI
+#define inl BX
+#define adp CX // free to reuse, after we hash the additional data
+#define keyp R8 // free to reuse, when we copy the key to stack
+#define itr2 R9 // general iterator
+#define itr1 CX // general iterator
+#define acc0 R10
+#define acc1 R11
+#define acc2 R12
+#define t0 R13
+#define t1 R14
+#define t2 R15
+#define t3 R8
+// Register and stack allocation for the SSE code
+#define rStore (0*16)(BP)
+#define sStore (1*16)(BP)
+#define state1Store (2*16)(BP)
+#define state2Store (3*16)(BP)
+#define tmpStore (4*16)(BP)
+#define ctr0Store (5*16)(BP)
+#define ctr1Store (6*16)(BP)
+#define ctr2Store (7*16)(BP)
+#define ctr3Store (8*16)(BP)
+#define A0 X0
+#define A1 X1
+#define A2 X2
+#define B0 X3
+#define B1 X4
+#define B2 X5
+#define C0 X6
+#define C1 X7
+#define C2 X8
+#define D0 X9
+#define D1 X10
+#define D2 X11
+#define T0 X12
+#define T1 X13
+#define T2 X14
+#define T3 X15
+#define A3 T0
+#define B3 T1
+#define C3 T2
+#define D3 T3
+// Register and stack allocation for the AVX2 code
+#define rsStoreAVX2 (0*32)(BP)
+#define state1StoreAVX2 (1*32)(BP)
+#define state2StoreAVX2 (2*32)(BP)
+#define ctr0StoreAVX2 (3*32)(BP)
+#define ctr1StoreAVX2 (4*32)(BP)
+#define ctr2StoreAVX2 (5*32)(BP)
+#define ctr3StoreAVX2 (6*32)(BP)
+#define tmpStoreAVX2 (7*32)(BP) // 256 bytes on stack
+#define AA0 Y0
+#define AA1 Y5
+#define AA2 Y6
+#define AA3 Y7
+#define BB0 Y14
+#define BB1 Y9
+#define BB2 Y10
+#define BB3 Y11
+#define CC0 Y12
+#define CC1 Y13
+#define CC2 Y8
+#define CC3 Y15
+#define DD0 Y4
+#define DD1 Y1
+#define DD2 Y2
+#define DD3 Y3
+#define TT0 DD3
+#define TT1 AA3
+#define TT2 BB3
+#define TT3 CC3
+// ChaCha20 constants
+DATA ·chacha20Constants<>+0x00(SB)/4, $0x61707865
+DATA ·chacha20Constants<>+0x04(SB)/4, $0x3320646e
+DATA ·chacha20Constants<>+0x08(SB)/4, $0x79622d32
+DATA ·chacha20Constants<>+0x0c(SB)/4, $0x6b206574
+DATA ·chacha20Constants<>+0x10(SB)/4, $0x61707865
+DATA ·chacha20Constants<>+0x14(SB)/4, $0x3320646e
+DATA ·chacha20Constants<>+0x18(SB)/4, $0x79622d32
+DATA ·chacha20Constants<>+0x1c(SB)/4, $0x6b206574
+// <<< 16 with PSHUFB
+DATA ·rol16<>+0x00(SB)/8, $0x0504070601000302
+DATA ·rol16<>+0x08(SB)/8, $0x0D0C0F0E09080B0A
+DATA ·rol16<>+0x10(SB)/8, $0x0504070601000302
+DATA ·rol16<>+0x18(SB)/8, $0x0D0C0F0E09080B0A
+// <<< 8 with PSHUFB
+DATA ·rol8<>+0x00(SB)/8, $0x0605040702010003
+DATA ·rol8<>+0x08(SB)/8, $0x0E0D0C0F0A09080B
+DATA ·rol8<>+0x10(SB)/8, $0x0605040702010003
+DATA ·rol8<>+0x18(SB)/8, $0x0E0D0C0F0A09080B
+
+DATA ·avx2InitMask<>+0x00(SB)/8, $0x0
+DATA ·avx2InitMask<>+0x08(SB)/8, $0x0
+DATA ·avx2InitMask<>+0x10(SB)/8, $0x1
+DATA ·avx2InitMask<>+0x18(SB)/8, $0x0
+
+DATA ·avx2IncMask<>+0x00(SB)/8, $0x2
+DATA ·avx2IncMask<>+0x08(SB)/8, $0x0
+DATA ·avx2IncMask<>+0x10(SB)/8, $0x2
+DATA ·avx2IncMask<>+0x18(SB)/8, $0x0
+// Poly1305 key clamp
+DATA ·polyClampMask<>+0x00(SB)/8, $0x0FFFFFFC0FFFFFFF
+DATA ·polyClampMask<>+0x08(SB)/8, $0x0FFFFFFC0FFFFFFC
+DATA ·polyClampMask<>+0x10(SB)/8, $0xFFFFFFFFFFFFFFFF
+DATA ·polyClampMask<>+0x18(SB)/8, $0xFFFFFFFFFFFFFFFF
+
+DATA ·sseIncMask<>+0x00(SB)/8, $0x1
+DATA ·sseIncMask<>+0x08(SB)/8, $0x0
+// To load/store the last < 16 bytes in a buffer
+DATA ·andMask<>+0x00(SB)/8, $0x00000000000000ff
+DATA ·andMask<>+0x08(SB)/8, $0x0000000000000000
+DATA ·andMask<>+0x10(SB)/8, $0x000000000000ffff
+DATA ·andMask<>+0x18(SB)/8, $0x0000000000000000
+DATA ·andMask<>+0x20(SB)/8, $0x0000000000ffffff
+DATA ·andMask<>+0x28(SB)/8, $0x0000000000000000
+DATA ·andMask<>+0x30(SB)/8, $0x00000000ffffffff
+DATA ·andMask<>+0x38(SB)/8, $0x0000000000000000
+DATA ·andMask<>+0x40(SB)/8, $0x000000ffffffffff
+DATA ·andMask<>+0x48(SB)/8, $0x0000000000000000
+DATA ·andMask<>+0x50(SB)/8, $0x0000ffffffffffff
+DATA ·andMask<>+0x58(SB)/8, $0x0000000000000000
+DATA ·andMask<>+0x60(SB)/8, $0x00ffffffffffffff
+DATA ·andMask<>+0x68(SB)/8, $0x0000000000000000
+DATA ·andMask<>+0x70(SB)/8, $0xffffffffffffffff
+DATA ·andMask<>+0x78(SB)/8, $0x0000000000000000
+DATA ·andMask<>+0x80(SB)/8, $0xffffffffffffffff
+DATA ·andMask<>+0x88(SB)/8, $0x00000000000000ff
+DATA ·andMask<>+0x90(SB)/8, $0xffffffffffffffff
+DATA ·andMask<>+0x98(SB)/8, $0x000000000000ffff
+DATA ·andMask<>+0xa0(SB)/8, $0xffffffffffffffff
+DATA ·andMask<>+0xa8(SB)/8, $0x0000000000ffffff
+DATA ·andMask<>+0xb0(SB)/8, $0xffffffffffffffff
+DATA ·andMask<>+0xb8(SB)/8, $0x00000000ffffffff
+DATA ·andMask<>+0xc0(SB)/8, $0xffffffffffffffff
+DATA ·andMask<>+0xc8(SB)/8, $0x000000ffffffffff
+DATA ·andMask<>+0xd0(SB)/8, $0xffffffffffffffff
+DATA ·andMask<>+0xd8(SB)/8, $0x0000ffffffffffff
+DATA ·andMask<>+0xe0(SB)/8, $0xffffffffffffffff
+DATA ·andMask<>+0xe8(SB)/8, $0x00ffffffffffffff
+
+GLOBL ·chacha20Constants<>(SB), (NOPTR+RODATA), $32
+GLOBL ·rol16<>(SB), (NOPTR+RODATA), $32
+GLOBL ·rol8<>(SB), (NOPTR+RODATA), $32
+GLOBL ·sseIncMask<>(SB), (NOPTR+RODATA), $16
+GLOBL ·avx2IncMask<>(SB), (NOPTR+RODATA), $32
+GLOBL ·avx2InitMask<>(SB), (NOPTR+RODATA), $32
+GLOBL ·polyClampMask<>(SB), (NOPTR+RODATA), $32
+GLOBL ·andMask<>(SB), (NOPTR+RODATA), $240
+// No PALIGNR in Go ASM yet (but VPALIGNR is present).
+#define shiftB0Left BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xdb; BYTE $0x04 // PALIGNR $4, X3, X3 +#define shiftB1Left BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xe4; BYTE $0x04 // PALIGNR $4, X4, X4 +#define shiftB2Left BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xed; BYTE $0x04 // PALIGNR $4, X5, X5 +#define shiftB3Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xed; BYTE $0x04 // PALIGNR $4, X13, X13 +#define shiftC0Left BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xf6; BYTE $0x08 // PALIGNR $8, X6, X6 +#define shiftC1Left BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xff; BYTE $0x08 // PALIGNR $8, X7, X7 +#define shiftC2Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xc0; BYTE $0x08 // PALIGNR $8, X8, X8 +#define shiftC3Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xf6; BYTE $0x08 // PALIGNR $8, X14, X14 +#define shiftD0Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xc9; BYTE $0x0c // PALIGNR $12, X9, X9 +#define shiftD1Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xd2; BYTE $0x0c // PALIGNR $12, X10, X10 +#define shiftD2Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xdb; BYTE $0x0c // PALIGNR $12, X11, X11 +#define shiftD3Left BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xff; BYTE $0x0c // PALIGNR $12, X15, X15 +#define shiftB0Right BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xdb; BYTE $0x0c // PALIGNR $12, X3, X3 +#define shiftB1Right BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xe4; BYTE $0x0c // PALIGNR $12, X4, X4 +#define shiftB2Right BYTE $0x66; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xed; BYTE $0x0c // PALIGNR $12, X5, X5 +#define shiftB3Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xed; BYTE $0x0c // PALIGNR $12, X13, X13 +#define shiftC0Right shiftC0Left +#define shiftC1Right 
shiftC1Left +#define shiftC2Right shiftC2Left +#define shiftC3Right shiftC3Left +#define shiftD0Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xc9; BYTE $0x04 // PALIGNR $4, X9, X9 +#define shiftD1Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xd2; BYTE $0x04 // PALIGNR $4, X10, X10 +#define shiftD2Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xdb; BYTE $0x04 // PALIGNR $4, X11, X11 +#define shiftD3Right BYTE $0x66; BYTE $0x45; BYTE $0x0f; BYTE $0x3a; BYTE $0x0f; BYTE $0xff; BYTE $0x04 // PALIGNR $4, X15, X15 +// Some macros +#define chachaQR(A, B, C, D, T) \ + PADDD B, A; PXOR A, D; PSHUFB ·rol16<>(SB), D \ + PADDD D, C; PXOR C, B; MOVO B, T; PSLLL $12, T; PSRLL $20, B; PXOR T, B \ + PADDD B, A; PXOR A, D; PSHUFB ·rol8<>(SB), D \ + PADDD D, C; PXOR C, B; MOVO B, T; PSLLL $7, T; PSRLL $25, B; PXOR T, B + +#define chachaQR_AVX2(A, B, C, D, T) \ + VPADDD B, A, A; VPXOR A, D, D; VPSHUFB ·rol16<>(SB), D, D \ + VPADDD D, C, C; VPXOR C, B, B; VPSLLD $12, B, T; VPSRLD $20, B, B; VPXOR T, B, B \ + VPADDD B, A, A; VPXOR A, D, D; VPSHUFB ·rol8<>(SB), D, D \ + VPADDD D, C, C; VPXOR C, B, B; VPSLLD $7, B, T; VPSRLD $25, B, B; VPXOR T, B, B + +#define polyAdd(S) ADDQ S, acc0; ADCQ 8+S, acc1; ADCQ $1, acc2 +#define polyMulStage1 MOVQ (0*8)(BP), AX; MOVQ AX, t2; MULQ acc0; MOVQ AX, t0; MOVQ DX, t1; MOVQ (0*8)(BP), AX; MULQ acc1; IMULQ acc2, t2; ADDQ AX, t1; ADCQ DX, t2 +#define polyMulStage2 MOVQ (1*8)(BP), AX; MOVQ AX, t3; MULQ acc0; ADDQ AX, t1; ADCQ $0, DX; MOVQ DX, acc0; MOVQ (1*8)(BP), AX; MULQ acc1; ADDQ AX, t2; ADCQ $0, DX +#define polyMulStage3 IMULQ acc2, t3; ADDQ acc0, t2; ADCQ DX, t3 +#define polyMulReduceStage MOVQ t0, acc0; MOVQ t1, acc1; MOVQ t2, acc2; ANDQ $3, acc2; MOVQ t2, t0; ANDQ $-4, t0; MOVQ t3, t1; SHRQ $2, t3, t2; SHRQ $2, t3; ADDQ t0, acc0; ADCQ t1, acc1; ADCQ $0, acc2; ADDQ t2, acc0; ADCQ t3, acc1; ADCQ $0, acc2 + +#define polyMulStage1_AVX2 MOVQ (0*8)(BP), DX; MOVQ DX, t2; 
MULXQ acc0, t0, t1; IMULQ acc2, t2; MULXQ acc1, AX, DX; ADDQ AX, t1; ADCQ DX, t2 +#define polyMulStage2_AVX2 MOVQ (1*8)(BP), DX; MULXQ acc0, acc0, AX; ADDQ acc0, t1; MULXQ acc1, acc1, t3; ADCQ acc1, t2; ADCQ $0, t3 +#define polyMulStage3_AVX2 IMULQ acc2, DX; ADDQ AX, t2; ADCQ DX, t3 + +#define polyMul polyMulStage1; polyMulStage2; polyMulStage3; polyMulReduceStage +#define polyMulAVX2 polyMulStage1_AVX2; polyMulStage2_AVX2; polyMulStage3_AVX2; polyMulReduceStage +// ---------------------------------------------------------------------------- +TEXT polyHashADInternal<>(SB), NOSPLIT, $0 + // adp points to beginning of additional data + // itr2 holds ad length + XORQ acc0, acc0 + XORQ acc1, acc1 + XORQ acc2, acc2 + CMPQ itr2, $13 + JNE hashADLoop + +openFastTLSAD: + // Special treatment for the TLS case of 13 bytes + MOVQ (adp), acc0 + MOVQ 5(adp), acc1 + SHRQ $24, acc1 + MOVQ $1, acc2 + polyMul + RET + +hashADLoop: + // Hash in 16 byte chunks + CMPQ itr2, $16 + JB hashADTail + polyAdd(0(adp)) + LEAQ (1*16)(adp), adp + SUBQ $16, itr2 + polyMul + JMP hashADLoop + +hashADTail: + CMPQ itr2, $0 + JE hashADDone + + // Hash last < 16 byte tail + XORQ t0, t0 + XORQ t1, t1 + XORQ t2, t2 + ADDQ itr2, adp + +hashADTailLoop: + SHLQ $8, t0, t1 + SHLQ $8, t0 + MOVB -1(adp), t2 + XORQ t2, t0 + DECQ adp + DECQ itr2 + JNE hashADTailLoop + +hashADTailFinish: + ADDQ t0, acc0; ADCQ t1, acc1; ADCQ $1, acc2 + polyMul + + // Finished AD +hashADDone: + RET + +// ---------------------------------------------------------------------------- +// func chacha20Poly1305Open(dst, key, src, ad []byte) bool +TEXT ·chacha20Poly1305Open(SB), 0, $288-97 + // For aligned stack access + MOVQ SP, BP + ADDQ $32, BP + ANDQ $-32, BP + MOVQ dst+0(FP), oup + MOVQ key+24(FP), keyp + MOVQ src+48(FP), inp + MOVQ src_len+56(FP), inl + MOVQ ad+72(FP), adp + + // Check for AVX2 support + CMPB ·useAVX2(SB), $1 + JE chacha20Poly1305Open_AVX2 + + // Special optimization, for very short buffers + CMPQ inl, $128 + JBE 
openSSE128 // About 16% faster
+
+ // For long buffers, prepare the poly key first
+ MOVOU ·chacha20Constants<>(SB), A0
+ MOVOU (1*16)(keyp), B0
+ MOVOU (2*16)(keyp), C0
+ MOVOU (3*16)(keyp), D0
+ MOVO D0, T1
+
+ // Store state on stack for future use
+ MOVO B0, state1Store
+ MOVO C0, state2Store
+ MOVO D0, ctr3Store
+ MOVQ $10, itr2
+
+openSSEPreparePolyKey:
+ chachaQR(A0, B0, C0, D0, T0)
+ shiftB0Left; shiftC0Left; shiftD0Left
+ chachaQR(A0, B0, C0, D0, T0)
+ shiftB0Right; shiftC0Right; shiftD0Right
+ DECQ itr2
+ JNE openSSEPreparePolyKey
+
+ // A0|B0 hold the Poly1305 32-byte key, C0,D0 can be discarded
+ PADDL ·chacha20Constants<>(SB), A0; PADDL state1Store, B0
+
+ // Clamp and store the key
+ PAND ·polyClampMask<>(SB), A0
+ MOVO A0, rStore; MOVO B0, sStore
+
+ // Hash AAD
+ MOVQ ad_len+80(FP), itr2
+ CALL polyHashADInternal<>(SB)
+
+openSSEMainLoop:
+ CMPQ inl, $256
+ JB openSSEMainLoopDone
+
+ // Load state, increment counter blocks
+ MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0
+ MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
+ MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
+ MOVO A2, A3; MOVO B2, B3; MOVO C2, C3; MOVO D2, D3; PADDL ·sseIncMask<>(SB), D3
+
+ // Store counters
+ MOVO D0, ctr0Store; MOVO D1, ctr1Store; MOVO D2, ctr2Store; MOVO D3, ctr3Store
+
+ // There are 10 ChaCha20 iterations of 2QR each, so for 6 iterations we hash 2 blocks, and for the remaining 4 only 1 block - for a total of 16
+ MOVQ $4, itr1
+ MOVQ inp, itr2
+
+openSSEInternalLoop:
+ MOVO C3, tmpStore
+ chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
+ MOVO tmpStore, C3
+ MOVO C1, tmpStore
+ chachaQR(A3, B3, C3, D3, C1)
+ MOVO tmpStore, C1
+ polyAdd(0(itr2))
+ shiftB0Left; shiftB1Left; shiftB2Left; shiftB3Left
+ shiftC0Left; shiftC1Left; shiftC2Left; shiftC3Left
+ shiftD0Left; shiftD1Left;
shiftD2Left; shiftD3Left
+ polyMulStage1
+ polyMulStage2
+ LEAQ (2*8)(itr2), itr2
+ MOVO C3, tmpStore
+ chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
+ MOVO tmpStore, C3
+ MOVO C1, tmpStore
+ polyMulStage3
+ chachaQR(A3, B3, C3, D3, C1)
+ MOVO tmpStore, C1
+ polyMulReduceStage
+ shiftB0Right; shiftB1Right; shiftB2Right; shiftB3Right
+ shiftC0Right; shiftC1Right; shiftC2Right; shiftC3Right
+ shiftD0Right; shiftD1Right; shiftD2Right; shiftD3Right
+ DECQ itr1
+ JGE openSSEInternalLoop
+
+ polyAdd(0(itr2))
+ polyMul
+ LEAQ (2*8)(itr2), itr2
+
+ CMPQ itr1, $-6
+ JG openSSEInternalLoop
+
+ // Add in the state
+ PADDD ·chacha20Constants<>(SB), A0; PADDD ·chacha20Constants<>(SB), A1; PADDD ·chacha20Constants<>(SB), A2; PADDD ·chacha20Constants<>(SB), A3
+ PADDD state1Store, B0; PADDD state1Store, B1; PADDD state1Store, B2; PADDD state1Store, B3
+ PADDD state2Store, C0; PADDD state2Store, C1; PADDD state2Store, C2; PADDD state2Store, C3
+ PADDD ctr0Store, D0; PADDD ctr1Store, D1; PADDD ctr2Store, D2; PADDD ctr3Store, D3
+
+ // Load - xor - store
+ MOVO D3, tmpStore
+ MOVOU (0*16)(inp), D3; PXOR D3, A0; MOVOU A0, (0*16)(oup)
+ MOVOU (1*16)(inp), D3; PXOR D3, B0; MOVOU B0, (1*16)(oup)
+ MOVOU (2*16)(inp), D3; PXOR D3, C0; MOVOU C0, (2*16)(oup)
+ MOVOU (3*16)(inp), D3; PXOR D3, D0; MOVOU D0, (3*16)(oup)
+ MOVOU (4*16)(inp), D0; PXOR D0, A1; MOVOU A1, (4*16)(oup)
+ MOVOU (5*16)(inp), D0; PXOR D0, B1; MOVOU B1, (5*16)(oup)
+ MOVOU (6*16)(inp), D0; PXOR D0, C1; MOVOU C1, (6*16)(oup)
+ MOVOU (7*16)(inp), D0; PXOR D0, D1; MOVOU D1, (7*16)(oup)
+ MOVOU (8*16)(inp), D0; PXOR D0, A2; MOVOU A2, (8*16)(oup)
+ MOVOU (9*16)(inp), D0; PXOR D0, B2; MOVOU B2, (9*16)(oup)
+ MOVOU (10*16)(inp), D0; PXOR D0, C2; MOVOU C2, (10*16)(oup)
+ MOVOU (11*16)(inp), D0; PXOR D0, D2; MOVOU D2, (11*16)(oup)
+ MOVOU (12*16)(inp), D0; PXOR D0, A3; MOVOU A3, (12*16)(oup)
+ MOVOU (13*16)(inp), D0; PXOR D0, B3; MOVOU B3, (13*16)(oup)
+ MOVOU (14*16)(inp), D0; PXOR D0,
C3; MOVOU C3, (14*16)(oup)
+ MOVOU (15*16)(inp), D0; PXOR tmpStore, D0; MOVOU D0, (15*16)(oup)
+ LEAQ 256(inp), inp
+ LEAQ 256(oup), oup
+ SUBQ $256, inl
+ JMP openSSEMainLoop
+
+openSSEMainLoopDone:
+ // Handle the various tail sizes efficiently
+ TESTQ inl, inl
+ JE openSSEFinalize
+ CMPQ inl, $64
+ JBE openSSETail64
+ CMPQ inl, $128
+ JBE openSSETail128
+ CMPQ inl, $192
+ JBE openSSETail192
+ JMP openSSETail256
+
+openSSEFinalize:
+ // Hash in the PT, AAD lengths
+ ADDQ ad_len+80(FP), acc0; ADCQ src_len+56(FP), acc1; ADCQ $1, acc2
+ polyMul
+
+ // Final reduce
+ MOVQ acc0, t0
+ MOVQ acc1, t1
+ MOVQ acc2, t2
+ SUBQ $-5, acc0
+ SBBQ $-1, acc1
+ SBBQ $3, acc2
+ CMOVQCS t0, acc0
+ CMOVQCS t1, acc1
+ CMOVQCS t2, acc2
+
+ // Add in the "s" part of the key
+ ADDQ 0+sStore, acc0
+ ADCQ 8+sStore, acc1
+
+ // Finally, constant time compare to the tag at the end of the message
+ XORQ AX, AX
+ MOVQ $1, DX
+ XORQ (0*8)(inp), acc0
+ XORQ (1*8)(inp), acc1
+ ORQ acc1, acc0
+ CMOVQEQ DX, AX
+
+ // Return true iff tags are equal
+ MOVB AX, ret+96(FP)
+ RET
+
+// ----------------------------------------------------------------------------
+// Special optimization for buffers smaller than 129 bytes
+openSSE128:
+ // For up to 128 bytes of ciphertext and 64 bytes for the poly key, we require to process three blocks
+ MOVOU ·chacha20Constants<>(SB), A0; MOVOU (1*16)(keyp), B0; MOVOU (2*16)(keyp), C0; MOVOU (3*16)(keyp), D0
+ MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
+ MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
+ MOVO B0, T1; MOVO C0, T2; MOVO D1, T3
+ MOVQ $10, itr2
+
+openSSE128InnerCipherLoop:
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
+ shiftB0Left; shiftB1Left; shiftB2Left
+ shiftC0Left; shiftC1Left; shiftC2Left
+ shiftD0Left; shiftD1Left; shiftD2Left
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
+ shiftB0Right;
shiftB1Right; shiftB2Right
+ shiftC0Right; shiftC1Right; shiftC2Right
+ shiftD0Right; shiftD1Right; shiftD2Right
+ DECQ itr2
+ JNE openSSE128InnerCipherLoop
+
+ // A0|B0 hold the Poly1305 32-byte key, C0,D0 can be discarded
+ PADDL ·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1; PADDL ·chacha20Constants<>(SB), A2
+ PADDL T1, B0; PADDL T1, B1; PADDL T1, B2
+ PADDL T2, C1; PADDL T2, C2
+ PADDL T3, D1; PADDL ·sseIncMask<>(SB), T3; PADDL T3, D2
+
+ // Clamp and store the key
+ PAND ·polyClampMask<>(SB), A0
+ MOVOU A0, rStore; MOVOU B0, sStore
+
+ // Hash
+ MOVQ ad_len+80(FP), itr2
+ CALL polyHashADInternal<>(SB)
+
+openSSE128Open:
+ CMPQ inl, $16
+ JB openSSETail16
+ SUBQ $16, inl
+
+ // Load for hashing
+ polyAdd(0(inp))
+
+ // Load for decryption
+ MOVOU (inp), T0; PXOR T0, A1; MOVOU A1, (oup)
+ LEAQ (1*16)(inp), inp
+ LEAQ (1*16)(oup), oup
+ polyMul
+
+ // Shift the stream "left"
+ MOVO B1, A1
+ MOVO C1, B1
+ MOVO D1, C1
+ MOVO A2, D1
+ MOVO B2, A2
+ MOVO C2, B2
+ MOVO D2, C2
+ JMP openSSE128Open
+
+openSSETail16:
+ TESTQ inl, inl
+ JE openSSEFinalize
+
+ // We can safely load the CT from the end, because it is padded with the MAC
+ MOVQ inl, itr2
+ SHLQ $4, itr2
+ LEAQ ·andMask<>(SB), t0
+ MOVOU (inp), T0
+ ADDQ inl, inp
+ PAND -16(t0)(itr2*1), T0
+ MOVO T0, 0+tmpStore
+ MOVQ T0, t0
+ MOVQ 8+tmpStore, t1
+ PXOR A1, T0
+
+ // We can only store one byte at a time, since plaintext can be shorter than 16 bytes
+openSSETail16Store:
+ MOVQ T0, t3
+ MOVB t3, (oup)
+ PSRLDQ $1, T0
+ INCQ oup
+ DECQ inl
+ JNE openSSETail16Store
+ ADDQ t0, acc0; ADCQ t1, acc1; ADCQ $1, acc2
+ polyMul
+ JMP openSSEFinalize
+
+// ----------------------------------------------------------------------------
+// Special optimization for the last 64 bytes of ciphertext
+openSSETail64:
+ // Need to decrypt up to 64 bytes - prepare single block
+ MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0; MOVO D0,
ctr0Store
+ XORQ itr2, itr2
+ MOVQ inl, itr1
+ CMPQ itr1, $16
+ JB openSSETail64LoopB
+
+openSSETail64LoopA:
+ // Perform ChaCha rounds, while hashing the remaining input
+ polyAdd(0(inp)(itr2*1))
+ polyMul
+ SUBQ $16, itr1
+
+openSSETail64LoopB:
+ ADDQ $16, itr2
+ chachaQR(A0, B0, C0, D0, T0)
+ shiftB0Left; shiftC0Left; shiftD0Left
+ chachaQR(A0, B0, C0, D0, T0)
+ shiftB0Right; shiftC0Right; shiftD0Right
+
+ CMPQ itr1, $16
+ JAE openSSETail64LoopA
+
+ CMPQ itr2, $160
+ JNE openSSETail64LoopB
+
+ PADDL ·chacha20Constants<>(SB), A0; PADDL state1Store, B0; PADDL state2Store, C0; PADDL ctr0Store, D0
+
+openSSETail64DecLoop:
+ CMPQ inl, $16
+ JB openSSETail64DecLoopDone
+ SUBQ $16, inl
+ MOVOU (inp), T0
+ PXOR T0, A0
+ MOVOU A0, (oup)
+ LEAQ 16(inp), inp
+ LEAQ 16(oup), oup
+ MOVO B0, A0
+ MOVO C0, B0
+ MOVO D0, C0
+ JMP openSSETail64DecLoop
+
+openSSETail64DecLoopDone:
+ MOVO A0, A1
+ JMP openSSETail16
+
+// ----------------------------------------------------------------------------
+// Special optimization for the last 128 bytes of ciphertext
+openSSETail128:
+ // Need to decrypt up to 128 bytes - prepare two blocks
+ MOVO ·chacha20Constants<>(SB), A1; MOVO state1Store, B1; MOVO state2Store, C1; MOVO ctr3Store, D1; PADDL ·sseIncMask<>(SB), D1; MOVO D1, ctr0Store
+ MOVO A1, A0; MOVO B1, B0; MOVO C1, C0; MOVO D1, D0; PADDL ·sseIncMask<>(SB), D0; MOVO D0, ctr1Store
+ XORQ itr2, itr2
+ MOVQ inl, itr1
+ ANDQ $-16, itr1
+
+openSSETail128LoopA:
+ // Perform ChaCha rounds, while hashing the remaining input
+ polyAdd(0(inp)(itr2*1))
+ polyMul
+
+openSSETail128LoopB:
+ ADDQ $16, itr2
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0)
+ shiftB0Left; shiftC0Left; shiftD0Left
+ shiftB1Left; shiftC1Left; shiftD1Left
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0)
+ shiftB0Right; shiftC0Right; shiftD0Right
+ shiftB1Right; shiftC1Right; shiftD1Right
+
+ CMPQ itr2, itr1
+ JB openSSETail128LoopA
+
+ CMPQ itr2, $160
+ JNE openSSETail128LoopB
+
+ PADDL
·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1
+ PADDL state1Store, B0; PADDL state1Store, B1
+ PADDL state2Store, C0; PADDL state2Store, C1
+ PADDL ctr1Store, D0; PADDL ctr0Store, D1
+
+ MOVOU (0*16)(inp), T0; MOVOU (1*16)(inp), T1; MOVOU (2*16)(inp), T2; MOVOU (3*16)(inp), T3
+ PXOR T0, A1; PXOR T1, B1; PXOR T2, C1; PXOR T3, D1
+ MOVOU A1, (0*16)(oup); MOVOU B1, (1*16)(oup); MOVOU C1, (2*16)(oup); MOVOU D1, (3*16)(oup)
+
+ SUBQ $64, inl
+ LEAQ 64(inp), inp
+ LEAQ 64(oup), oup
+ JMP openSSETail64DecLoop
+
+// ----------------------------------------------------------------------------
+// Special optimization for the last 192 bytes of ciphertext
+openSSETail192:
+ // Need to decrypt up to 192 bytes - prepare three blocks
+ MOVO ·chacha20Constants<>(SB), A2; MOVO state1Store, B2; MOVO state2Store, C2; MOVO ctr3Store, D2; PADDL ·sseIncMask<>(SB), D2; MOVO D2, ctr0Store
+ MOVO A2, A1; MOVO B2, B1; MOVO C2, C1; MOVO D2, D1; PADDL ·sseIncMask<>(SB), D1; MOVO D1, ctr1Store
+ MOVO A1, A0; MOVO B1, B0; MOVO C1, C0; MOVO D1, D0; PADDL ·sseIncMask<>(SB), D0; MOVO D0, ctr2Store
+
+ MOVQ inl, itr1
+ MOVQ $160, itr2
+ CMPQ itr1, $160
+ CMOVQGT itr2, itr1
+ ANDQ $-16, itr1
+ XORQ itr2, itr2
+
+openSSLTail192LoopA:
+ // Perform ChaCha rounds, while hashing the remaining input
+ polyAdd(0(inp)(itr2*1))
+ polyMul
+
+openSSLTail192LoopB:
+ ADDQ $16, itr2
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
+ shiftB0Left; shiftC0Left; shiftD0Left
+ shiftB1Left; shiftC1Left; shiftD1Left
+ shiftB2Left; shiftC2Left; shiftD2Left
+
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
+ shiftB0Right; shiftC0Right; shiftD0Right
+ shiftB1Right; shiftC1Right; shiftD1Right
+ shiftB2Right; shiftC2Right; shiftD2Right
+
+ CMPQ itr2, itr1
+ JB openSSLTail192LoopA
+
+ CMPQ itr2, $160
+ JNE openSSLTail192LoopB
+
+ CMPQ inl, $176
+ JB openSSLTail192Store
+
+ polyAdd(160(inp))
+ polyMul
+
+ CMPQ inl, $192
+
JB openSSLTail192Store
+
+ polyAdd(176(inp))
+ polyMul
+
+openSSLTail192Store:
+ PADDL ·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1; PADDL ·chacha20Constants<>(SB), A2
+ PADDL state1Store, B0; PADDL state1Store, B1; PADDL state1Store, B2
+ PADDL state2Store, C0; PADDL state2Store, C1; PADDL state2Store, C2
+ PADDL ctr2Store, D0; PADDL ctr1Store, D1; PADDL ctr0Store, D2
+
+ MOVOU (0*16)(inp), T0; MOVOU (1*16)(inp), T1; MOVOU (2*16)(inp), T2; MOVOU (3*16)(inp), T3
+ PXOR T0, A2; PXOR T1, B2; PXOR T2, C2; PXOR T3, D2
+ MOVOU A2, (0*16)(oup); MOVOU B2, (1*16)(oup); MOVOU C2, (2*16)(oup); MOVOU D2, (3*16)(oup)
+
+ MOVOU (4*16)(inp), T0; MOVOU (5*16)(inp), T1; MOVOU (6*16)(inp), T2; MOVOU (7*16)(inp), T3
+ PXOR T0, A1; PXOR T1, B1; PXOR T2, C1; PXOR T3, D1
+ MOVOU A1, (4*16)(oup); MOVOU B1, (5*16)(oup); MOVOU C1, (6*16)(oup); MOVOU D1, (7*16)(oup)
+
+ SUBQ $128, inl
+ LEAQ 128(inp), inp
+ LEAQ 128(oup), oup
+ JMP openSSETail64DecLoop
+
+// ----------------------------------------------------------------------------
+// Special optimization for the last 256 bytes of ciphertext
+openSSETail256:
+ // Need to decrypt up to 256 bytes - prepare four blocks
+ MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0
+ MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
+ MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
+ MOVO A2, A3; MOVO B2, B3; MOVO C2, C3; MOVO D2, D3; PADDL ·sseIncMask<>(SB), D3
+
+ // Store counters
+ MOVO D0, ctr0Store; MOVO D1, ctr1Store; MOVO D2, ctr2Store; MOVO D3, ctr3Store
+ XORQ itr2, itr2
+
+openSSETail256Loop:
+ // This loop inteleaves 8 ChaCha quarter rounds with 1 poly multiplication
+ polyAdd(0(inp)(itr2*1))
+ MOVO C3, tmpStore
+ chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
+ MOVO tmpStore, C3
+ MOVO C1, tmpStore
+ chachaQR(A3, B3, C3, D3, C1)
+ MOVO
tmpStore, C1
+ shiftB0Left; shiftB1Left; shiftB2Left; shiftB3Left
+ shiftC0Left; shiftC1Left; shiftC2Left; shiftC3Left
+ shiftD0Left; shiftD1Left; shiftD2Left; shiftD3Left
+ polyMulStage1
+ polyMulStage2
+ MOVO C3, tmpStore
+ chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
+ MOVO tmpStore, C3
+ MOVO C1, tmpStore
+ chachaQR(A3, B3, C3, D3, C1)
+ MOVO tmpStore, C1
+ polyMulStage3
+ polyMulReduceStage
+ shiftB0Right; shiftB1Right; shiftB2Right; shiftB3Right
+ shiftC0Right; shiftC1Right; shiftC2Right; shiftC3Right
+ shiftD0Right; shiftD1Right; shiftD2Right; shiftD3Right
+ ADDQ $2*8, itr2
+ CMPQ itr2, $160
+ JB openSSETail256Loop
+ MOVQ inl, itr1
+ ANDQ $-16, itr1
+
+openSSETail256HashLoop:
+ polyAdd(0(inp)(itr2*1))
+ polyMul
+ ADDQ $2*8, itr2
+ CMPQ itr2, itr1
+ JB openSSETail256HashLoop
+
+ // Add in the state
+ PADDD ·chacha20Constants<>(SB), A0; PADDD ·chacha20Constants<>(SB), A1; PADDD ·chacha20Constants<>(SB), A2; PADDD ·chacha20Constants<>(SB), A3
+ PADDD state1Store, B0; PADDD state1Store, B1; PADDD state1Store, B2; PADDD state1Store, B3
+ PADDD state2Store, C0; PADDD state2Store, C1; PADDD state2Store, C2; PADDD state2Store, C3
+ PADDD ctr0Store, D0; PADDD ctr1Store, D1; PADDD ctr2Store, D2; PADDD ctr3Store, D3
+ MOVO D3, tmpStore
+
+ // Load - xor - store
+ MOVOU (0*16)(inp), D3; PXOR D3, A0
+ MOVOU (1*16)(inp), D3; PXOR D3, B0
+ MOVOU (2*16)(inp), D3; PXOR D3, C0
+ MOVOU (3*16)(inp), D3; PXOR D3, D0
+ MOVOU A0, (0*16)(oup)
+ MOVOU B0, (1*16)(oup)
+ MOVOU C0, (2*16)(oup)
+ MOVOU D0, (3*16)(oup)
+ MOVOU (4*16)(inp), A0; MOVOU (5*16)(inp), B0; MOVOU (6*16)(inp), C0; MOVOU (7*16)(inp), D0
+ PXOR A0, A1; PXOR B0, B1; PXOR C0, C1; PXOR D0, D1
+ MOVOU A1, (4*16)(oup); MOVOU B1, (5*16)(oup); MOVOU C1, (6*16)(oup); MOVOU D1, (7*16)(oup)
+ MOVOU (8*16)(inp), A0; MOVOU (9*16)(inp), B0; MOVOU (10*16)(inp), C0; MOVOU (11*16)(inp), D0
+ PXOR A0, A2; PXOR B0, B2; PXOR C0, C2; PXOR D0, D2
+ MOVOU A2, (8*16)(oup); MOVOU B2,
(9*16)(oup); MOVOU C2, (10*16)(oup); MOVOU D2, (11*16)(oup)
+ LEAQ 192(inp), inp
+ LEAQ 192(oup), oup
+ SUBQ $192, inl
+ MOVO A3, A0
+ MOVO B3, B0
+ MOVO C3, C0
+ MOVO tmpStore, D0
+
+ JMP openSSETail64DecLoop
+
+// ----------------------------------------------------------------------------
+// ------------------------- AVX2 Code ----------------------------------------
+chacha20Poly1305Open_AVX2:
+ VZEROUPPER
+ VMOVDQU ·chacha20Constants<>(SB), AA0
+ BYTE $0xc4; BYTE $0x42; BYTE $0x7d; BYTE $0x5a; BYTE $0x70; BYTE $0x10 // broadcasti128 16(r8), ymm14
+ BYTE $0xc4; BYTE $0x42; BYTE $0x7d; BYTE $0x5a; BYTE $0x60; BYTE $0x20 // broadcasti128 32(r8), ymm12
+ BYTE $0xc4; BYTE $0xc2; BYTE $0x7d; BYTE $0x5a; BYTE $0x60; BYTE $0x30 // broadcasti128 48(r8), ymm4
+ VPADDD ·avx2InitMask<>(SB), DD0, DD0
+
+ // Special optimization, for very short buffers
+ CMPQ inl, $192
+ JBE openAVX2192
+ CMPQ inl, $320
+ JBE openAVX2320
+
+ // For the general key prepare the key first - as a byproduct we have 64 bytes of cipher stream
+ VMOVDQA BB0, state1StoreAVX2
+ VMOVDQA CC0, state2StoreAVX2
+ VMOVDQA DD0, ctr3StoreAVX2
+ MOVQ $10, itr2
+
+openAVX2PreparePolyKey:
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0)
+ VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $12, DD0, DD0, DD0
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0)
+ VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $4, DD0, DD0, DD0
+ DECQ itr2
+ JNE openAVX2PreparePolyKey
+
+ VPADDD ·chacha20Constants<>(SB), AA0, AA0
+ VPADDD state1StoreAVX2, BB0, BB0
+ VPADDD state2StoreAVX2, CC0, CC0
+ VPADDD ctr3StoreAVX2, DD0, DD0
+
+ VPERM2I128 $0x02, AA0, BB0, TT0
+
+ // Clamp and store poly key
+ VPAND ·polyClampMask<>(SB), TT0, TT0
+ VMOVDQA TT0, rsStoreAVX2
+
+ // Stream for the first 64 bytes
+ VPERM2I128 $0x13, AA0, BB0, AA0
+ VPERM2I128 $0x13, CC0, DD0, BB0
+
+ // Hash AD + first 64 bytes
+ MOVQ ad_len+80(FP), itr2
+ CALL polyHashADInternal<>(SB)
+ XORQ itr1, itr1
+
+openAVX2InitialHash64:
+
polyAdd(0(inp)(itr1*1))
+ polyMulAVX2
+ ADDQ $16, itr1
+ CMPQ itr1, $64
+ JNE openAVX2InitialHash64
+
+ // Decrypt the first 64 bytes
+ VPXOR (0*32)(inp), AA0, AA0
+ VPXOR (1*32)(inp), BB0, BB0
+ VMOVDQU AA0, (0*32)(oup)
+ VMOVDQU BB0, (1*32)(oup)
+ LEAQ (2*32)(inp), inp
+ LEAQ (2*32)(oup), oup
+ SUBQ $64, inl
+
+openAVX2MainLoop:
+ CMPQ inl, $512
+ JB openAVX2MainLoopDone
+
+ // Load state, increment counter blocks, store the incremented counters
+ VMOVDQU ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3
+ VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3
+ VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3
+ VMOVDQA ctr3StoreAVX2, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2; VPADDD ·avx2IncMask<>(SB), DD2, DD3
+ VMOVDQA DD0, ctr0StoreAVX2; VMOVDQA DD1, ctr1StoreAVX2; VMOVDQA DD2, ctr2StoreAVX2; VMOVDQA DD3, ctr3StoreAVX2
+ XORQ itr1, itr1
+
+openAVX2InternalLoop:
+ // Lets just say this spaghetti loop interleaves 2 quarter rounds with 3 poly multiplications
+ // Effectively per 512 bytes of stream we hash 480 bytes of ciphertext
+ polyAdd(0*8(inp)(itr1*1))
+ VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
+ polyMulStage1_AVX2
+ VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
+ VPSHUFB ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
+ polyMulStage2_AVX2
+ VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
+ VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
+ polyMulStage3_AVX2
+ VMOVDQA CC3, tmpStoreAVX2
+ VPSLLD $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
+ VPSLLD $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
+ VPSLLD $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR
CC3, BB2, BB2
+ VPSLLD $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
+ VMOVDQA tmpStoreAVX2, CC3
+ polyMulReduceStage
+ VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
+ VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
+ VPSHUFB ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
+ polyAdd(2*8(inp)(itr1*1))
+ VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
+ polyMulStage1_AVX2
+ VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
+ VMOVDQA CC3, tmpStoreAVX2
+ VPSLLD $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
+ VPSLLD $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
+ VPSLLD $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
+ VPSLLD $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
+ VMOVDQA tmpStoreAVX2, CC3
+ polyMulStage2_AVX2
+ VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $4, BB3, BB3, BB3
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
+ VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2; VPALIGNR $12, DD3, DD3, DD3
+ VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
+ polyMulStage3_AVX2
+ VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
+ VPSHUFB ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
+ polyMulReduceStage
+ VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
+ VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
+ polyAdd(4*8(inp)(itr1*1))
+ LEAQ (6*8)(itr1), itr1
+ VMOVDQA CC3, tmpStoreAVX2
+ VPSLLD $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
+
VPSLLD $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
+ VPSLLD $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
+ VPSLLD $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
+ VMOVDQA tmpStoreAVX2, CC3
+ polyMulStage1_AVX2
+ VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
+ VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
+ polyMulStage2_AVX2
+ VPSHUFB ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
+ VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
+ polyMulStage3_AVX2
+ VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
+ VMOVDQA CC3, tmpStoreAVX2
+ VPSLLD $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
+ VPSLLD $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
+ VPSLLD $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
+ VPSLLD $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
+ VMOVDQA tmpStoreAVX2, CC3
+ polyMulReduceStage
+ VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $12, BB3, BB3, BB3
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
+ VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2; VPALIGNR $4, DD3, DD3, DD3
+ CMPQ itr1, $480
+ JNE openAVX2InternalLoop
+
+ VPADDD ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2; VPADDD ·chacha20Constants<>(SB), AA3, AA3
+ VPADDD state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2; VPADDD state1StoreAVX2, BB3, BB3
+ VPADDD state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2; VPADDD state2StoreAVX2, CC3, CC3
+ VPADDD ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1;
VPADDD ctr2StoreAVX2, DD2, DD2; VPADDD ctr3StoreAVX2, DD3, DD3
+ VMOVDQA CC3, tmpStoreAVX2
+
+ // We only hashed 480 of the 512 bytes available - hash the remaining 32 here
+ polyAdd(480(inp))
+ polyMulAVX2
+ VPERM2I128 $0x02, AA0, BB0, CC3; VPERM2I128 $0x13, AA0, BB0, BB0; VPERM2I128 $0x02, CC0, DD0, AA0; VPERM2I128 $0x13, CC0, DD0, CC0
+ VPXOR (0*32)(inp), CC3, CC3; VPXOR (1*32)(inp), AA0, AA0; VPXOR (2*32)(inp), BB0, BB0; VPXOR (3*32)(inp), CC0, CC0
+ VMOVDQU CC3, (0*32)(oup); VMOVDQU AA0, (1*32)(oup); VMOVDQU BB0, (2*32)(oup); VMOVDQU CC0, (3*32)(oup)
+ VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0
+ VPXOR (4*32)(inp), AA0, AA0; VPXOR (5*32)(inp), BB0, BB0; VPXOR (6*32)(inp), CC0, CC0; VPXOR (7*32)(inp), DD0, DD0
+ VMOVDQU AA0, (4*32)(oup); VMOVDQU BB0, (5*32)(oup); VMOVDQU CC0, (6*32)(oup); VMOVDQU DD0, (7*32)(oup)
+
+ // and here
+ polyAdd(496(inp))
+ polyMulAVX2
+ VPERM2I128 $0x02, AA2, BB2, AA0; VPERM2I128 $0x02, CC2, DD2, BB0; VPERM2I128 $0x13, AA2, BB2, CC0; VPERM2I128 $0x13, CC2, DD2, DD0
+ VPXOR (8*32)(inp), AA0, AA0; VPXOR (9*32)(inp), BB0, BB0; VPXOR (10*32)(inp), CC0, CC0; VPXOR (11*32)(inp), DD0, DD0
+ VMOVDQU AA0, (8*32)(oup); VMOVDQU BB0, (9*32)(oup); VMOVDQU CC0, (10*32)(oup); VMOVDQU DD0, (11*32)(oup)
+ VPERM2I128 $0x02, AA3, BB3, AA0; VPERM2I128 $0x02, tmpStoreAVX2, DD3, BB0; VPERM2I128 $0x13, AA3, BB3, CC0; VPERM2I128 $0x13, tmpStoreAVX2, DD3, DD0
+ VPXOR (12*32)(inp), AA0, AA0; VPXOR (13*32)(inp), BB0, BB0; VPXOR (14*32)(inp), CC0, CC0; VPXOR (15*32)(inp), DD0, DD0
+ VMOVDQU AA0, (12*32)(oup); VMOVDQU BB0, (13*32)(oup); VMOVDQU CC0, (14*32)(oup); VMOVDQU DD0, (15*32)(oup)
+ LEAQ (32*16)(inp), inp
+ LEAQ (32*16)(oup), oup
+ SUBQ $(32*16), inl
+ JMP openAVX2MainLoop
+
+openAVX2MainLoopDone:
+ // Handle the various tail sizes efficiently
+ TESTQ inl, inl
+ JE openSSEFinalize
+ CMPQ inl, $128
+ JBE openAVX2Tail128
+ CMPQ inl, $256
+ JBE openAVX2Tail256
+ CMPQ
inl, $384
+ JBE openAVX2Tail384
+ JMP openAVX2Tail512
+
+// ----------------------------------------------------------------------------
+// Special optimization for buffers smaller than 193 bytes
+openAVX2192:
+ // For up to 192 bytes of ciphertext and 64 bytes for the poly key, we process four blocks
+ VMOVDQA AA0, AA1
+ VMOVDQA BB0, BB1
+ VMOVDQA CC0, CC1
+ VPADDD ·avx2IncMask<>(SB), DD0, DD1
+ VMOVDQA AA0, AA2
+ VMOVDQA BB0, BB2
+ VMOVDQA CC0, CC2
+ VMOVDQA DD0, DD2
+ VMOVDQA DD1, TT3
+ MOVQ $10, itr2
+
+openAVX2192InnerCipherLoop:
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
+ VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
+ VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
+ VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
+ VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1
+ DECQ itr2
+ JNE openAVX2192InnerCipherLoop
+ VPADDD AA2, AA0, AA0; VPADDD AA2, AA1, AA1
+ VPADDD BB2, BB0, BB0; VPADDD BB2, BB1, BB1
+ VPADDD CC2, CC0, CC0; VPADDD CC2, CC1, CC1
+ VPADDD DD2, DD0, DD0; VPADDD TT3, DD1, DD1
+ VPERM2I128 $0x02, AA0, BB0, TT0
+
+ // Clamp and store poly key
+ VPAND ·polyClampMask<>(SB), TT0, TT0
+ VMOVDQA TT0, rsStoreAVX2
+
+ // Stream for up to 192 bytes
+ VPERM2I128 $0x13, AA0, BB0, AA0
+ VPERM2I128 $0x13, CC0, DD0, BB0
+ VPERM2I128 $0x02, AA1, BB1, CC0
+ VPERM2I128 $0x02, CC1, DD1, DD0
+ VPERM2I128 $0x13, AA1, BB1, AA1
+ VPERM2I128 $0x13, CC1, DD1, BB1
+
+openAVX2ShortOpen:
+ // Hash
+ MOVQ ad_len+80(FP), itr2
+ CALL polyHashADInternal<>(SB)
+
+openAVX2ShortOpenLoop:
+ CMPQ inl, $32
+ JB openAVX2ShortTail32
+ SUBQ $32, inl
+
+ // Load for hashing
+ polyAdd(0*8(inp))
+ polyMulAVX2
+ polyAdd(2*8(inp))
+ polyMulAVX2
+
+ // Load for decryption
+ VPXOR (inp), AA0, AA0
+ VMOVDQU AA0, (oup)
+ LEAQ
(1*32)(inp), inp
+ LEAQ (1*32)(oup), oup
+
+ // Shift stream left
+ VMOVDQA BB0, AA0
+ VMOVDQA CC0, BB0
+ VMOVDQA DD0, CC0
+ VMOVDQA AA1, DD0
+ VMOVDQA BB1, AA1
+ VMOVDQA CC1, BB1
+ VMOVDQA DD1, CC1
+ VMOVDQA AA2, DD1
+ VMOVDQA BB2, AA2
+ JMP openAVX2ShortOpenLoop
+
+openAVX2ShortTail32:
+ CMPQ inl, $16
+ VMOVDQA A0, A1
+ JB openAVX2ShortDone
+
+ SUBQ $16, inl
+
+ // Load for hashing
+ polyAdd(0*8(inp))
+ polyMulAVX2
+
+ // Load for decryption
+ VPXOR (inp), A0, T0
+ VMOVDQU T0, (oup)
+ LEAQ (1*16)(inp), inp
+ LEAQ (1*16)(oup), oup
+ VPERM2I128 $0x11, AA0, AA0, AA0
+ VMOVDQA A0, A1
+
+openAVX2ShortDone:
+ VZEROUPPER
+ JMP openSSETail16
+
+// ----------------------------------------------------------------------------
+// Special optimization for buffers smaller than 321 bytes
+openAVX2320:
+ // For up to 320 bytes of ciphertext and 64 bytes for the poly key, we process six blocks
+ VMOVDQA AA0, AA1; VMOVDQA BB0, BB1; VMOVDQA CC0, CC1; VPADDD ·avx2IncMask<>(SB), DD0, DD1
+ VMOVDQA AA0, AA2; VMOVDQA BB0, BB2; VMOVDQA CC0, CC2; VPADDD ·avx2IncMask<>(SB), DD1, DD2
+ VMOVDQA BB0, TT1; VMOVDQA CC0, TT2; VMOVDQA DD0, TT3
+ MOVQ $10, itr2
+
+openAVX2320InnerCipherLoop:
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
+ VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
+ VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
+ VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
+ VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2
+ DECQ itr2
+ JNE openAVX2320InnerCipherLoop
+
+ VMOVDQA
·chacha20Constants<>(SB), TT0
+ VPADDD TT0, AA0, AA0; VPADDD TT0, AA1, AA1; VPADDD TT0, AA2, AA2
+ VPADDD TT1, BB0, BB0; VPADDD TT1, BB1, BB1; VPADDD TT1, BB2, BB2
+ VPADDD TT2, CC0, CC0; VPADDD TT2, CC1, CC1; VPADDD TT2, CC2, CC2
+ VMOVDQA ·avx2IncMask<>(SB), TT0
+ VPADDD TT3, DD0, DD0; VPADDD TT0, TT3, TT3
+ VPADDD TT3, DD1, DD1; VPADDD TT0, TT3, TT3
+ VPADDD TT3, DD2, DD2
+
+ // Clamp and store poly key
+ VPERM2I128 $0x02, AA0, BB0, TT0
+ VPAND ·polyClampMask<>(SB), TT0, TT0
+ VMOVDQA TT0, rsStoreAVX2
+
+ // Stream for up to 320 bytes
+ VPERM2I128 $0x13, AA0, BB0, AA0
+ VPERM2I128 $0x13, CC0, DD0, BB0
+ VPERM2I128 $0x02, AA1, BB1, CC0
+ VPERM2I128 $0x02, CC1, DD1, DD0
+ VPERM2I128 $0x13, AA1, BB1, AA1
+ VPERM2I128 $0x13, CC1, DD1, BB1
+ VPERM2I128 $0x02, AA2, BB2, CC1
+ VPERM2I128 $0x02, CC2, DD2, DD1
+ VPERM2I128 $0x13, AA2, BB2, AA2
+ VPERM2I128 $0x13, CC2, DD2, BB2
+ JMP openAVX2ShortOpen
+
+// ----------------------------------------------------------------------------
+// Special optimization for the last 128 bytes of ciphertext
+openAVX2Tail128:
+ // Need to decrypt up to 128 bytes - prepare two blocks
+ VMOVDQA ·chacha20Constants<>(SB), AA1
+ VMOVDQA state1StoreAVX2, BB1
+ VMOVDQA state2StoreAVX2, CC1
+ VMOVDQA ctr3StoreAVX2, DD1
+ VPADDD ·avx2IncMask<>(SB), DD1, DD1
+ VMOVDQA DD1, DD0
+
+ XORQ itr2, itr2
+ MOVQ inl, itr1
+ ANDQ $-16, itr1
+ TESTQ itr1, itr1
+ JE openAVX2Tail128LoopB
+
+openAVX2Tail128LoopA:
+ // Perform ChaCha rounds, while hashing the remaining input
+ polyAdd(0(inp)(itr2*1))
+ polyMulAVX2
+
+openAVX2Tail128LoopB:
+ ADDQ $16, itr2
+ chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
+ VPALIGNR $4, BB1, BB1, BB1
+ VPALIGNR $8, CC1, CC1, CC1
+ VPALIGNR $12, DD1, DD1, DD1
+ chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
+ VPALIGNR $12, BB1, BB1, BB1
+ VPALIGNR $8, CC1, CC1, CC1
+ VPALIGNR $4, DD1, DD1, DD1
+ CMPQ itr2, itr1
+ JB openAVX2Tail128LoopA
+ CMPQ itr2, $160
+ JNE openAVX2Tail128LoopB
+
+ VPADDD ·chacha20Constants<>(SB), AA1, AA1
+ VPADDD
state1StoreAVX2, BB1, BB1
+ VPADDD state2StoreAVX2, CC1, CC1
+ VPADDD DD0, DD1, DD1
+ VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0
+
+openAVX2TailLoop:
+ CMPQ inl, $32
+ JB openAVX2Tail
+ SUBQ $32, inl
+
+ // Load for decryption
+ VPXOR (inp), AA0, AA0
+ VMOVDQU AA0, (oup)
+ LEAQ (1*32)(inp), inp
+ LEAQ (1*32)(oup), oup
+ VMOVDQA BB0, AA0
+ VMOVDQA CC0, BB0
+ VMOVDQA DD0, CC0
+ JMP openAVX2TailLoop
+
+openAVX2Tail:
+ CMPQ inl, $16
+ VMOVDQA A0, A1
+ JB openAVX2TailDone
+ SUBQ $16, inl
+
+ // Load for decryption
+ VPXOR (inp), A0, T0
+ VMOVDQU T0, (oup)
+ LEAQ (1*16)(inp), inp
+ LEAQ (1*16)(oup), oup
+ VPERM2I128 $0x11, AA0, AA0, AA0
+ VMOVDQA A0, A1
+
+openAVX2TailDone:
+ VZEROUPPER
+ JMP openSSETail16
+
+// ----------------------------------------------------------------------------
+// Special optimization for the last 256 bytes of ciphertext
+openAVX2Tail256:
+ // Need to decrypt up to 256 bytes - prepare four blocks
+ VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1
+ VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1
+ VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1
+ VMOVDQA ctr3StoreAVX2, DD0
+ VPADDD ·avx2IncMask<>(SB), DD0, DD0
+ VPADDD ·avx2IncMask<>(SB), DD0, DD1
+ VMOVDQA DD0, TT1
+ VMOVDQA DD1, TT2
+
+ // Compute the number of iterations that will hash data
+ MOVQ inl, tmpStoreAVX2
+ MOVQ inl, itr1
+ SUBQ $128, itr1
+ SHRQ $4, itr1
+ MOVQ $10, itr2
+ CMPQ itr1, $10
+ CMOVQGT itr2, itr1
+ MOVQ inp, inl
+ XORQ itr2, itr2
+
+openAVX2Tail256LoopA:
+ polyAdd(0(inl))
+ polyMulAVX2
+ LEAQ 16(inl), inl
+
+ // Perform ChaCha rounds, while hashing the remaining input
+openAVX2Tail256LoopB:
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
+ VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
+ VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1
+ INCQ itr2
+ chachaQR_AVX2(AA0, BB0,
CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0)
+ VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1
+ VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1
+ CMPQ itr2, itr1
+ JB openAVX2Tail256LoopA
+
+ CMPQ itr2, $10
+ JNE openAVX2Tail256LoopB
+
+ MOVQ inl, itr2
+ SUBQ inp, inl
+ MOVQ inl, itr1
+ MOVQ tmpStoreAVX2, inl
+
+ // Hash the remainder of data (if any)
+openAVX2Tail256Hash:
+ ADDQ $16, itr1
+ CMPQ itr1, inl
+ JGT openAVX2Tail256HashEnd
+ polyAdd (0(itr2))
+ polyMulAVX2
+ LEAQ 16(itr2), itr2
+ JMP openAVX2Tail256Hash
+
+// Store 128 bytes safely, then go to store loop
+openAVX2Tail256HashEnd:
+ VPADDD ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1
+ VPADDD state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1
+ VPADDD state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1
+ VPADDD TT1, DD0, DD0; VPADDD TT2, DD1, DD1
+ VPERM2I128 $0x02, AA0, BB0, AA2; VPERM2I128 $0x02, CC0, DD0, BB2; VPERM2I128 $0x13, AA0, BB0, CC2; VPERM2I128 $0x13, CC0, DD0, DD2
+ VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0
+
+ VPXOR (0*32)(inp), AA2, AA2; VPXOR (1*32)(inp), BB2, BB2; VPXOR (2*32)(inp), CC2, CC2; VPXOR (3*32)(inp), DD2, DD2
+ VMOVDQU AA2, (0*32)(oup); VMOVDQU BB2, (1*32)(oup); VMOVDQU CC2, (2*32)(oup); VMOVDQU DD2, (3*32)(oup)
+ LEAQ (4*32)(inp), inp
+ LEAQ (4*32)(oup), oup
+ SUBQ $4*32, inl
+
+ JMP openAVX2TailLoop
+
+// ----------------------------------------------------------------------------
+// Special optimization for the last 384 bytes of ciphertext
+openAVX2Tail384:
+ // Need to decrypt up to 384 bytes - prepare six blocks
+ VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2
+ VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2
+ VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2
+ VMOVDQA ctr3StoreAVX2, DD0
+
VPADDD ·avx2IncMask<>(SB), DD0, DD0
+ VPADDD ·avx2IncMask<>(SB), DD0, DD1
+ VPADDD ·avx2IncMask<>(SB), DD1, DD2
+ VMOVDQA DD0, ctr0StoreAVX2
+ VMOVDQA DD1, ctr1StoreAVX2
+ VMOVDQA DD2, ctr2StoreAVX2
+
+ // Compute the number of iterations that will hash two blocks of data
+ MOVQ inl, tmpStoreAVX2
+ MOVQ inl, itr1
+ SUBQ $256, itr1
+ SHRQ $4, itr1
+ ADDQ $6, itr1
+ MOVQ $10, itr2
+ CMPQ itr1, $10
+ CMOVQGT itr2, itr1
+ MOVQ inp, inl
+ XORQ itr2, itr2
+
+ // Perform ChaCha rounds, while hashing the remaining input
+openAVX2Tail384LoopB:
+ polyAdd(0(inl))
+ polyMulAVX2
+ LEAQ 16(inl), inl
+
+openAVX2Tail384LoopA:
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
+ VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
+ VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2
+ polyAdd(0(inl))
+ polyMulAVX2
+ LEAQ 16(inl), inl
+ INCQ itr2
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0)
+ VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2
+ VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2
+
+ CMPQ itr2, itr1
+ JB openAVX2Tail384LoopB
+
+ CMPQ itr2, $10
+ JNE openAVX2Tail384LoopA
+
+ MOVQ inl, itr2
+ SUBQ inp, inl
+ MOVQ inl, itr1
+ MOVQ tmpStoreAVX2, inl
+
+openAVX2Tail384Hash:
+ ADDQ $16, itr1
+ CMPQ itr1, inl
+ JGT openAVX2Tail384HashEnd
+ polyAdd(0(itr2))
+ polyMulAVX2
+ LEAQ 16(itr2), itr2
+ JMP openAVX2Tail384Hash
+
+// Store 256 bytes safely, then go to store loop
+openAVX2Tail384HashEnd:
+ VPADDD ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2
+ VPADDD
state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2
+ VPADDD state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2
+ VPADDD ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1; VPADDD ctr2StoreAVX2, DD2, DD2
+ VPERM2I128 $0x02, AA0, BB0, TT0; VPERM2I128 $0x02, CC0, DD0, TT1; VPERM2I128 $0x13, AA0, BB0, TT2; VPERM2I128 $0x13, CC0, DD0, TT3
+ VPXOR (0*32)(inp), TT0, TT0; VPXOR (1*32)(inp), TT1, TT1; VPXOR (2*32)(inp), TT2, TT2; VPXOR (3*32)(inp), TT3, TT3
+ VMOVDQU TT0, (0*32)(oup); VMOVDQU TT1, (1*32)(oup); VMOVDQU TT2, (2*32)(oup); VMOVDQU TT3, (3*32)(oup)
+ VPERM2I128 $0x02, AA1, BB1, TT0; VPERM2I128 $0x02, CC1, DD1, TT1; VPERM2I128 $0x13, AA1, BB1, TT2; VPERM2I128 $0x13, CC1, DD1, TT3
+ VPXOR (4*32)(inp), TT0, TT0; VPXOR (5*32)(inp), TT1, TT1; VPXOR (6*32)(inp), TT2, TT2; VPXOR (7*32)(inp), TT3, TT3
+ VMOVDQU TT0, (4*32)(oup); VMOVDQU TT1, (5*32)(oup); VMOVDQU TT2, (6*32)(oup); VMOVDQU TT3, (7*32)(oup)
+ VPERM2I128 $0x02, AA2, BB2, AA0; VPERM2I128 $0x02, CC2, DD2, BB0; VPERM2I128 $0x13, AA2, BB2, CC0; VPERM2I128 $0x13, CC2, DD2, DD0
+ LEAQ (8*32)(inp), inp
+ LEAQ (8*32)(oup), oup
+ SUBQ $8*32, inl
+ JMP openAVX2TailLoop
+
+// ----------------------------------------------------------------------------
+// Special optimization for the last 512 bytes of ciphertext
+openAVX2Tail512:
+ VMOVDQU ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3
+ VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3
+ VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3
+ VMOVDQA ctr3StoreAVX2, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2; VPADDD ·avx2IncMask<>(SB), DD2, DD3
+ VMOVDQA DD0, ctr0StoreAVX2; VMOVDQA DD1, ctr1StoreAVX2; VMOVDQA DD2, ctr2StoreAVX2; VMOVDQA DD3, ctr3StoreAVX2
+ XORQ itr1, itr1
+ MOVQ inp, itr2
+
+openAVX2Tail512LoopB:
+ polyAdd(0(itr2))
+ polyMulAVX2
+ LEAQ (2*8)(itr2), itr2
+
+openAVX2Tail512LoopA:
+ VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
+ VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
+ VPSHUFB ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
+ VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
+ VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
+ VMOVDQA CC3, tmpStoreAVX2
+ VPSLLD $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
+ VPSLLD $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
+ VPSLLD $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
+ VPSLLD $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
+ VMOVDQA tmpStoreAVX2, CC3
+ polyAdd(0*8(itr2))
+ polyMulAVX2
+ VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
+ VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
+ VPSHUFB ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
+ VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
+ VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
+ VMOVDQA CC3, tmpStoreAVX2
+ VPSLLD $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
+ VPSLLD $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
+ VPSLLD $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
+ VPSLLD $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
+ VMOVDQA tmpStoreAVX2, CC3
+ VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $4, BB3, BB3, BB3
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
+ VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12,
DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2; VPALIGNR $12, DD3, DD3, DD3
+ VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
+ VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
+ VPSHUFB ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3
+ VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
+ VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
+ polyAdd(2*8(itr2))
+ polyMulAVX2
+ LEAQ (4*8)(itr2), itr2
+ VMOVDQA CC3, tmpStoreAVX2
+ VPSLLD $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0
+ VPSLLD $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1
+ VPSLLD $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2
+ VPSLLD $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3
+ VMOVDQA tmpStoreAVX2, CC3
+ VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3
+ VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3
+ VPSHUFB ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3
+ VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3
+ VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3
+ VMOVDQA CC3, tmpStoreAVX2
+ VPSLLD $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0
+ VPSLLD $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1
+ VPSLLD $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2
+ VPSLLD $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3
+ VMOVDQA tmpStoreAVX2, CC3
+ VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $12, BB3, BB3, BB3
+ VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3
+ VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1,
DD1, DD1; VPALIGNR $4, DD2, DD2, DD2; VPALIGNR $4, DD3, DD3, DD3
+ INCQ itr1
+ CMPQ itr1, $4
+ JLT openAVX2Tail512LoopB
+
+ CMPQ itr1, $10
+ JNE openAVX2Tail512LoopA
+
+ MOVQ inl, itr1
+ SUBQ $384, itr1
+ ANDQ $-16, itr1
+
+openAVX2Tail512HashLoop:
+ TESTQ itr1, itr1
+ JE openAVX2Tail512HashEnd
+ polyAdd(0(itr2))
+ polyMulAVX2
+ LEAQ 16(itr2), itr2
+ SUBQ $16, itr1
+ JMP openAVX2Tail512HashLoop
+
+openAVX2Tail512HashEnd:
+ VPADDD ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2; VPADDD ·chacha20Constants<>(SB), AA3, AA3
+ VPADDD state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2; VPADDD state1StoreAVX2, BB3, BB3
+ VPADDD state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2; VPADDD state2StoreAVX2, CC3, CC3
+ VPADDD ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1; VPADDD ctr2StoreAVX2, DD2, DD2; VPADDD ctr3StoreAVX2, DD3, DD3
+ VMOVDQA CC3, tmpStoreAVX2
+ VPERM2I128 $0x02, AA0, BB0, CC3; VPERM2I128 $0x13, AA0, BB0, BB0; VPERM2I128 $0x02, CC0, DD0, AA0; VPERM2I128 $0x13, CC0, DD0, CC0
+ VPXOR (0*32)(inp), CC3, CC3; VPXOR (1*32)(inp), AA0, AA0; VPXOR (2*32)(inp), BB0, BB0; VPXOR (3*32)(inp), CC0, CC0
+ VMOVDQU CC3, (0*32)(oup); VMOVDQU AA0, (1*32)(oup); VMOVDQU BB0, (2*32)(oup); VMOVDQU CC0, (3*32)(oup)
+ VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0
+ VPXOR (4*32)(inp), AA0, AA0; VPXOR (5*32)(inp), BB0, BB0; VPXOR (6*32)(inp), CC0, CC0; VPXOR (7*32)(inp), DD0, DD0
+ VMOVDQU AA0, (4*32)(oup); VMOVDQU BB0, (5*32)(oup); VMOVDQU CC0, (6*32)(oup); VMOVDQU DD0, (7*32)(oup)
+ VPERM2I128 $0x02, AA2, BB2, AA0; VPERM2I128 $0x02, CC2, DD2, BB0; VPERM2I128 $0x13, AA2, BB2, CC0; VPERM2I128 $0x13, CC2, DD2, DD0
+ VPXOR (8*32)(inp), AA0, AA0; VPXOR (9*32)(inp), BB0, BB0; VPXOR (10*32)(inp), CC0, CC0; VPXOR (11*32)(inp), DD0, DD0
+
VMOVDQU AA0, (8*32)(oup); VMOVDQU BB0, (9*32)(oup); VMOVDQU CC0, (10*32)(oup); VMOVDQU DD0, (11*32)(oup)
+ VPERM2I128 $0x02, AA3, BB3, AA0; VPERM2I128 $0x02, tmpStoreAVX2, DD3, BB0; VPERM2I128 $0x13, AA3, BB3, CC0; VPERM2I128 $0x13, tmpStoreAVX2, DD3, DD0
+
+ LEAQ (12*32)(inp), inp
+ LEAQ (12*32)(oup), oup
+ SUBQ $12*32, inl
+
+ JMP openAVX2TailLoop
+
+// ----------------------------------------------------------------------------
+// ----------------------------------------------------------------------------
+// func chacha20Poly1305Seal(dst, key, src, ad []byte)
+TEXT ·chacha20Poly1305Seal(SB), 0, $288-96
+ // For aligned stack access
+ MOVQ SP, BP
+ ADDQ $32, BP
+ ANDQ $-32, BP
+ MOVQ dst+0(FP), oup
+ MOVQ key+24(FP), keyp
+ MOVQ src+48(FP), inp
+ MOVQ src_len+56(FP), inl
+ MOVQ ad+72(FP), adp
+
+ CMPB ·useAVX2(SB), $1
+ JE chacha20Poly1305Seal_AVX2
+
+ // Special optimization, for very short buffers
+ CMPQ inl, $128
+ JBE sealSSE128 // About 15% faster
+
+ // In the seal case - prepare the poly key + 3 blocks of stream in the first iteration
+ MOVOU ·chacha20Constants<>(SB), A0
+ MOVOU (1*16)(keyp), B0
+ MOVOU (2*16)(keyp), C0
+ MOVOU (3*16)(keyp), D0
+
+ // Store state on stack for future use
+ MOVO B0, state1Store
+ MOVO C0, state2Store
+
+ // Load state, increment counter blocks
+ MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
+ MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
+ MOVO A2, A3; MOVO B2, B3; MOVO C2, C3; MOVO D2, D3; PADDL ·sseIncMask<>(SB), D3
+
+ // Store counters
+ MOVO D0, ctr0Store; MOVO D1, ctr1Store; MOVO D2, ctr2Store; MOVO D3, ctr3Store
+ MOVQ $10, itr2
+
+sealSSEIntroLoop:
+ MOVO C3, tmpStore
+ chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
+ MOVO tmpStore, C3
+ MOVO C1, tmpStore
+ chachaQR(A3, B3, C3, D3, C1)
+ MOVO tmpStore, C1
+ shiftB0Left; shiftB1Left; shiftB2Left; shiftB3Left
+ shiftC0Left; shiftC1Left; shiftC2Left;
shiftC3Left
+ shiftD0Left; shiftD1Left; shiftD2Left; shiftD3Left
+
+ MOVO C3, tmpStore
+ chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
+ MOVO tmpStore, C3
+ MOVO C1, tmpStore
+ chachaQR(A3, B3, C3, D3, C1)
+ MOVO tmpStore, C1
+ shiftB0Right; shiftB1Right; shiftB2Right; shiftB3Right
+ shiftC0Right; shiftC1Right; shiftC2Right; shiftC3Right
+ shiftD0Right; shiftD1Right; shiftD2Right; shiftD3Right
+ DECQ itr2
+ JNE sealSSEIntroLoop
+
+ // Add in the state
+ PADDD ·chacha20Constants<>(SB), A0; PADDD ·chacha20Constants<>(SB), A1; PADDD ·chacha20Constants<>(SB), A2; PADDD ·chacha20Constants<>(SB), A3
+ PADDD state1Store, B0; PADDD state1Store, B1; PADDD state1Store, B2; PADDD state1Store, B3
+ PADDD state2Store, C1; PADDD state2Store, C2; PADDD state2Store, C3
+ PADDD ctr1Store, D1; PADDD ctr2Store, D2; PADDD ctr3Store, D3
+
+ // Clamp and store the key
+ PAND ·polyClampMask<>(SB), A0
+ MOVO A0, rStore
+ MOVO B0, sStore
+
+ // Hash AAD
+ MOVQ ad_len+80(FP), itr2
+ CALL polyHashADInternal<>(SB)
+
+ MOVOU (0*16)(inp), A0; MOVOU (1*16)(inp), B0; MOVOU (2*16)(inp), C0; MOVOU (3*16)(inp), D0
+ PXOR A0, A1; PXOR B0, B1; PXOR C0, C1; PXOR D0, D1
+ MOVOU A1, (0*16)(oup); MOVOU B1, (1*16)(oup); MOVOU C1, (2*16)(oup); MOVOU D1, (3*16)(oup)
+ MOVOU (4*16)(inp), A0; MOVOU (5*16)(inp), B0; MOVOU (6*16)(inp), C0; MOVOU (7*16)(inp), D0
+ PXOR A0, A2; PXOR B0, B2; PXOR C0, C2; PXOR D0, D2
+ MOVOU A2, (4*16)(oup); MOVOU B2, (5*16)(oup); MOVOU C2, (6*16)(oup); MOVOU D2, (7*16)(oup)
+
+ MOVQ $128, itr1
+ SUBQ $128, inl
+ LEAQ 128(inp), inp
+
+ MOVO A3, A1; MOVO B3, B1; MOVO C3, C1; MOVO D3, D1
+
+ CMPQ inl, $64
+ JBE sealSSE128SealHash
+
+ MOVOU (0*16)(inp), A0; MOVOU (1*16)(inp), B0; MOVOU (2*16)(inp), C0; MOVOU (3*16)(inp), D0
+ PXOR A0, A3; PXOR B0, B3; PXOR C0, C3; PXOR D0, D3
+ MOVOU A3, (8*16)(oup); MOVOU B3, (9*16)(oup); MOVOU C3, (10*16)(oup); MOVOU D3, (11*16)(oup)
+
+ ADDQ $64, itr1
+ SUBQ $64, inl
+ LEAQ 64(inp), inp
+
+ MOVQ $2, itr1
+
MOVQ $8, itr2
+
+ CMPQ inl, $64
+ JBE sealSSETail64
+ CMPQ inl, $128
+ JBE sealSSETail128
+ CMPQ inl, $192
+ JBE sealSSETail192
+
+sealSSEMainLoop:
+ // Load state, increment counter blocks
+ MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0
+ MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
+ MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
+ MOVO A2, A3; MOVO B2, B3; MOVO C2, C3; MOVO D2, D3; PADDL ·sseIncMask<>(SB), D3
+
+ // Store counters
+ MOVO D0, ctr0Store; MOVO D1, ctr1Store; MOVO D2, ctr2Store; MOVO D3, ctr3Store
+
+sealSSEInnerLoop:
+ MOVO C3, tmpStore
+ chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
+ MOVO tmpStore, C3
+ MOVO C1, tmpStore
+ chachaQR(A3, B3, C3, D3, C1)
+ MOVO tmpStore, C1
+ polyAdd(0(oup))
+ shiftB0Left; shiftB1Left; shiftB2Left; shiftB3Left
+ shiftC0Left; shiftC1Left; shiftC2Left; shiftC3Left
+ shiftD0Left; shiftD1Left; shiftD2Left; shiftD3Left
+ polyMulStage1
+ polyMulStage2
+ LEAQ (2*8)(oup), oup
+ MOVO C3, tmpStore
+ chachaQR(A0, B0, C0, D0, C3); chachaQR(A1, B1, C1, D1, C3); chachaQR(A2, B2, C2, D2, C3)
+ MOVO tmpStore, C3
+ MOVO C1, tmpStore
+ polyMulStage3
+ chachaQR(A3, B3, C3, D3, C1)
+ MOVO tmpStore, C1
+ polyMulReduceStage
+ shiftB0Right; shiftB1Right; shiftB2Right; shiftB3Right
+ shiftC0Right; shiftC1Right; shiftC2Right; shiftC3Right
+ shiftD0Right; shiftD1Right; shiftD2Right; shiftD3Right
+ DECQ itr2
+ JGE sealSSEInnerLoop
+ polyAdd(0(oup))
+ polyMul
+ LEAQ (2*8)(oup), oup
+ DECQ itr1
+ JG sealSSEInnerLoop
+
+ // Add in the state
+ PADDD ·chacha20Constants<>(SB), A0; PADDD ·chacha20Constants<>(SB), A1; PADDD ·chacha20Constants<>(SB), A2; PADDD ·chacha20Constants<>(SB), A3
+ PADDD state1Store, B0; PADDD state1Store, B1; PADDD state1Store, B2; PADDD state1Store, B3
+ PADDD state2Store, C0; PADDD state2Store, C1; PADDD state2Store, C2; PADDD
state2Store, C3
+ PADDD ctr0Store, D0; PADDD ctr1Store, D1; PADDD ctr2Store, D2; PADDD ctr3Store, D3
+ MOVO D3, tmpStore
+
+ // Load - xor - store
+ MOVOU (0*16)(inp), D3; PXOR D3, A0
+ MOVOU (1*16)(inp), D3; PXOR D3, B0
+ MOVOU (2*16)(inp), D3; PXOR D3, C0
+ MOVOU (3*16)(inp), D3; PXOR D3, D0
+ MOVOU A0, (0*16)(oup)
+ MOVOU B0, (1*16)(oup)
+ MOVOU C0, (2*16)(oup)
+ MOVOU D0, (3*16)(oup)
+ MOVO tmpStore, D3
+
+ MOVOU (4*16)(inp), A0; MOVOU (5*16)(inp), B0; MOVOU (6*16)(inp), C0; MOVOU (7*16)(inp), D0
+ PXOR A0, A1; PXOR B0, B1; PXOR C0, C1; PXOR D0, D1
+ MOVOU A1, (4*16)(oup); MOVOU B1, (5*16)(oup); MOVOU C1, (6*16)(oup); MOVOU D1, (7*16)(oup)
+ MOVOU (8*16)(inp), A0; MOVOU (9*16)(inp), B0; MOVOU (10*16)(inp), C0; MOVOU (11*16)(inp), D0
+ PXOR A0, A2; PXOR B0, B2; PXOR C0, C2; PXOR D0, D2
+ MOVOU A2, (8*16)(oup); MOVOU B2, (9*16)(oup); MOVOU C2, (10*16)(oup); MOVOU D2, (11*16)(oup)
+ ADDQ $192, inp
+ MOVQ $192, itr1
+ SUBQ $192, inl
+ MOVO A3, A1
+ MOVO B3, B1
+ MOVO C3, C1
+ MOVO D3, D1
+ CMPQ inl, $64
+ JBE sealSSE128SealHash
+ MOVOU (0*16)(inp), A0; MOVOU (1*16)(inp), B0; MOVOU (2*16)(inp), C0; MOVOU (3*16)(inp), D0
+ PXOR A0, A3; PXOR B0, B3; PXOR C0, C3; PXOR D0, D3
+ MOVOU A3, (12*16)(oup); MOVOU B3, (13*16)(oup); MOVOU C3, (14*16)(oup); MOVOU D3, (15*16)(oup)
+ LEAQ 64(inp), inp
+ SUBQ $64, inl
+ MOVQ $6, itr1
+ MOVQ $4, itr2
+ CMPQ inl, $192
+ JG sealSSEMainLoop
+
+ MOVQ inl, itr1
+ TESTQ inl, inl
+ JE sealSSE128SealHash
+ MOVQ $6, itr1
+ CMPQ inl, $64
+ JBE sealSSETail64
+ CMPQ inl, $128
+ JBE sealSSETail128
+ JMP sealSSETail192
+
+// ----------------------------------------------------------------------------
+// Special optimization for the last 64 bytes of plaintext
+sealSSETail64:
+ // Need to encrypt up to 64 bytes - prepare single block, hash 192 or 256 bytes
+ MOVO ·chacha20Constants<>(SB), A1
+ MOVO state1Store, B1
+ MOVO state2Store, C1
+ MOVO ctr3Store, D1
+ PADDL ·sseIncMask<>(SB), D1
+ MOVO D1, ctr0Store
+
+sealSSETail64LoopA:
+ // Perform
ChaCha rounds, while hashing the previously encrypted ciphertext
+ polyAdd(0(oup))
+ polyMul
+ LEAQ 16(oup), oup
+
+sealSSETail64LoopB:
+ chachaQR(A1, B1, C1, D1, T1)
+ shiftB1Left; shiftC1Left; shiftD1Left
+ chachaQR(A1, B1, C1, D1, T1)
+ shiftB1Right; shiftC1Right; shiftD1Right
+ polyAdd(0(oup))
+ polyMul
+ LEAQ 16(oup), oup
+
+ DECQ itr1
+ JG sealSSETail64LoopA
+
+ DECQ itr2
+ JGE sealSSETail64LoopB
+ PADDL ·chacha20Constants<>(SB), A1
+ PADDL state1Store, B1
+ PADDL state2Store, C1
+ PADDL ctr0Store, D1
+
+ JMP sealSSE128Seal
+
+// ----------------------------------------------------------------------------
+// Special optimization for the last 128 bytes of plaintext
+sealSSETail128:
+ // Need to encrypt up to 128 bytes - prepare two blocks, hash 192 or 256 bytes
+ MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0; MOVO D0, ctr0Store
+ MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1; MOVO D1, ctr1Store
+
+sealSSETail128LoopA:
+ // Perform ChaCha rounds, while hashing the previously encrypted ciphertext
+ polyAdd(0(oup))
+ polyMul
+ LEAQ 16(oup), oup
+
+sealSSETail128LoopB:
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0)
+ shiftB0Left; shiftC0Left; shiftD0Left
+ shiftB1Left; shiftC1Left; shiftD1Left
+ polyAdd(0(oup))
+ polyMul
+ LEAQ 16(oup), oup
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0)
+ shiftB0Right; shiftC0Right; shiftD0Right
+ shiftB1Right; shiftC1Right; shiftD1Right
+
+ DECQ itr1
+ JG sealSSETail128LoopA
+
+ DECQ itr2
+ JGE sealSSETail128LoopB
+
+ PADDL ·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1
+ PADDL state1Store, B0; PADDL state1Store, B1
+ PADDL state2Store, C0; PADDL state2Store, C1
+ PADDL ctr0Store, D0; PADDL ctr1Store, D1
+
+ MOVOU (0*16)(inp), T0; MOVOU (1*16)(inp), T1; MOVOU (2*16)(inp), T2; MOVOU (3*16)(inp), T3
+ PXOR T0, A0; PXOR T1, B0; PXOR T2, C0; PXOR T3, D0
+ MOVOU A0,
(0*16)(oup); MOVOU B0, (1*16)(oup); MOVOU C0, (2*16)(oup); MOVOU D0, (3*16)(oup)
+
+ MOVQ $64, itr1
+ LEAQ 64(inp), inp
+ SUBQ $64, inl
+
+ JMP sealSSE128SealHash
+
+// ----------------------------------------------------------------------------
+// Special optimization for the last 192 bytes of plaintext
+sealSSETail192:
+ // Need to encrypt up to 192 bytes - prepare three blocks, hash 192 or 256 bytes
+ MOVO ·chacha20Constants<>(SB), A0; MOVO state1Store, B0; MOVO state2Store, C0; MOVO ctr3Store, D0; PADDL ·sseIncMask<>(SB), D0; MOVO D0, ctr0Store
+ MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1; MOVO D1, ctr1Store
+ MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2; MOVO D2, ctr2Store
+
+sealSSETail192LoopA:
+ // Perform ChaCha rounds, while hashing the previously encrypted ciphertext
+ polyAdd(0(oup))
+ polyMul
+ LEAQ 16(oup), oup
+
+sealSSETail192LoopB:
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
+ shiftB0Left; shiftC0Left; shiftD0Left
+ shiftB1Left; shiftC1Left; shiftD1Left
+ shiftB2Left; shiftC2Left; shiftD2Left
+
+ polyAdd(0(oup))
+ polyMul
+ LEAQ 16(oup), oup
+
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
+ shiftB0Right; shiftC0Right; shiftD0Right
+ shiftB1Right; shiftC1Right; shiftD1Right
+ shiftB2Right; shiftC2Right; shiftD2Right
+
+ DECQ itr1
+ JG sealSSETail192LoopA
+
+ DECQ itr2
+ JGE sealSSETail192LoopB
+
+ PADDL ·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1; PADDL ·chacha20Constants<>(SB), A2
+ PADDL state1Store, B0; PADDL state1Store, B1; PADDL state1Store, B2
+ PADDL state2Store, C0; PADDL state2Store, C1; PADDL state2Store, C2
+ PADDL ctr0Store, D0; PADDL ctr1Store, D1; PADDL ctr2Store, D2
+
+ MOVOU (0*16)(inp), T0; MOVOU (1*16)(inp), T1; MOVOU (2*16)(inp), T2; MOVOU (3*16)(inp), T3
+ PXOR T0, A0; PXOR T1, B0; PXOR T2, C0; PXOR T3, D0
+ MOVOU A0, (0*16)(oup); MOVOU B0,
(1*16)(oup); MOVOU C0, (2*16)(oup); MOVOU D0, (3*16)(oup)
+ MOVOU (4*16)(inp), T0; MOVOU (5*16)(inp), T1; MOVOU (6*16)(inp), T2; MOVOU (7*16)(inp), T3
+ PXOR T0, A1; PXOR T1, B1; PXOR T2, C1; PXOR T3, D1
+ MOVOU A1, (4*16)(oup); MOVOU B1, (5*16)(oup); MOVOU C1, (6*16)(oup); MOVOU D1, (7*16)(oup)
+
+ MOVO A2, A1
+ MOVO B2, B1
+ MOVO C2, C1
+ MOVO D2, D1
+ MOVQ $128, itr1
+ LEAQ 128(inp), inp
+ SUBQ $128, inl
+
+ JMP sealSSE128SealHash
+
+// ----------------------------------------------------------------------------
+// Special seal optimization for buffers smaller than 129 bytes
+sealSSE128:
+ // For up to 128 bytes of ciphertext and 64 bytes for the poly key, we require to process three blocks
+ MOVOU ·chacha20Constants<>(SB), A0; MOVOU (1*16)(keyp), B0; MOVOU (2*16)(keyp), C0; MOVOU (3*16)(keyp), D0
+ MOVO A0, A1; MOVO B0, B1; MOVO C0, C1; MOVO D0, D1; PADDL ·sseIncMask<>(SB), D1
+ MOVO A1, A2; MOVO B1, B2; MOVO C1, C2; MOVO D1, D2; PADDL ·sseIncMask<>(SB), D2
+ MOVO B0, T1; MOVO C0, T2; MOVO D1, T3
+ MOVQ $10, itr2
+
+sealSSE128InnerCipherLoop:
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
+ shiftB0Left; shiftB1Left; shiftB2Left
+ shiftC0Left; shiftC1Left; shiftC2Left
+ shiftD0Left; shiftD1Left; shiftD2Left
+ chachaQR(A0, B0, C0, D0, T0); chachaQR(A1, B1, C1, D1, T0); chachaQR(A2, B2, C2, D2, T0)
+ shiftB0Right; shiftB1Right; shiftB2Right
+ shiftC0Right; shiftC1Right; shiftC2Right
+ shiftD0Right; shiftD1Right; shiftD2Right
+ DECQ itr2
+ JNE sealSSE128InnerCipherLoop
+
+ // A0|B0 hold the Poly1305 32-byte key, C0,D0 can be discarded
+ PADDL ·chacha20Constants<>(SB), A0; PADDL ·chacha20Constants<>(SB), A1; PADDL ·chacha20Constants<>(SB), A2
+ PADDL T1, B0; PADDL T1, B1; PADDL T1, B2
+ PADDL T2, C1; PADDL T2, C2
+ PADDL T3, D1; PADDL ·sseIncMask<>(SB), T3; PADDL T3, D2
+ PAND ·polyClampMask<>(SB), A0
+ MOVOU A0, rStore
+ MOVOU B0, sStore
+
+ // Hash
+ MOVQ ad_len+80(FP), itr2
+ CALL polyHashADInternal<>(SB)
+ XORQ itr1,
itr1
+
+sealSSE128SealHash:
+ // itr1 holds the number of bytes encrypted but not yet hashed
+ CMPQ itr1, $16
+ JB sealSSE128Seal
+ polyAdd(0(oup))
+ polyMul
+
+ SUBQ $16, itr1
+ ADDQ $16, oup
+
+ JMP sealSSE128SealHash
+
+sealSSE128Seal:
+ CMPQ inl, $16
+ JB sealSSETail
+ SUBQ $16, inl
+
+ // Load for decryption
+ MOVOU (inp), T0
+ PXOR T0, A1
+ MOVOU A1, (oup)
+ LEAQ (1*16)(inp), inp
+ LEAQ (1*16)(oup), oup
+
+ // Extract for hashing
+ MOVQ A1, t0
+ PSRLDQ $8, A1
+ MOVQ A1, t1
+ ADDQ t0, acc0; ADCQ t1, acc1; ADCQ $1, acc2
+ polyMul
+
+ // Shift the stream "left"
+ MOVO B1, A1
+ MOVO C1, B1
+ MOVO D1, C1
+ MOVO A2, D1
+ MOVO B2, A2
+ MOVO C2, B2
+ MOVO D2, C2
+ JMP sealSSE128Seal
+
+sealSSETail:
+ TESTQ inl, inl
+ JE sealSSEFinalize
+
+ // We can only load the PT one byte at a time to avoid read after end of buffer
+ MOVQ inl, itr2
+ SHLQ $4, itr2
+ LEAQ ·andMask<>(SB), t0
+ MOVQ inl, itr1
+ LEAQ -1(inp)(inl*1), inp
+ XORQ t2, t2
+ XORQ t3, t3
+ XORQ AX, AX
+
+sealSSETailLoadLoop:
+ SHLQ $8, t2, t3
+ SHLQ $8, t2
+ MOVB (inp), AX
+ XORQ AX, t2
+ LEAQ -1(inp), inp
+ DECQ itr1
+ JNE sealSSETailLoadLoop
+ MOVQ t2, 0+tmpStore
+ MOVQ t3, 8+tmpStore
+ PXOR 0+tmpStore, A1
+ MOVOU A1, (oup)
+ MOVOU -16(t0)(itr2*1), T0
+ PAND T0, A1
+ MOVQ A1, t0
+ PSRLDQ $8, A1
+ MOVQ A1, t1
+ ADDQ t0, acc0; ADCQ t1, acc1; ADCQ $1, acc2
+ polyMul
+
+ ADDQ inl, oup
+
+sealSSEFinalize:
+ // Hash in the buffer lengths
+ ADDQ ad_len+80(FP), acc0
+ ADCQ src_len+56(FP), acc1
+ ADCQ $1, acc2
+ polyMul
+
+ // Final reduce
+ MOVQ acc0, t0
+ MOVQ acc1, t1
+ MOVQ acc2, t2
+ SUBQ $-5, acc0
+ SBBQ $-1, acc1
+ SBBQ $3, acc2
+ CMOVQCS t0, acc0
+ CMOVQCS t1, acc1
+ CMOVQCS t2, acc2
+
+ // Add in the "s" part of the key
+ ADDQ 0+sStore, acc0
+ ADCQ 8+sStore, acc1
+
+ // Finally store the tag at the end of the message
+ MOVQ acc0, (0*8)(oup)
+ MOVQ acc1, (1*8)(oup)
+ RET
+
+// ----------------------------------------------------------------------------
+// ------------------------- AVX2 Code
----------------------------------------
+chacha20Poly1305Seal_AVX2:
+ VZEROUPPER
+ VMOVDQU ·chacha20Constants<>(SB), AA0
+ BYTE $0xc4; BYTE $0x42; BYTE $0x7d; BYTE $0x5a; BYTE $0x70; BYTE $0x10 // broadcasti128 16(r8), ymm14
+ BYTE $0xc4; BYTE $0x42; BYTE $0x7d; BYTE $0x5a; BYTE $0x60; BYTE $0x20 // broadcasti128 32(r8), ymm12
+ BYTE $0xc4; BYTE $0xc2; BYTE $0x7d; BYTE $0x5a; BYTE $0x60; BYTE $0x30 // broadcasti128 48(r8), ymm4
+ VPADDD ·avx2InitMask<>(SB), DD0, DD0
+
+ // Special optimizations, for very short buffers
+ CMPQ inl, $192
+ JBE seal192AVX2 // 33% faster
+ CMPQ inl, $320
+ JBE seal320AVX2 // 17% faster
+
+ // For the general key prepare the key first - as a byproduct we have 64 bytes of cipher stream
+ VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3
+ VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3; VMOVDQA BB0, state1StoreAVX2
+ VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3; VMOVDQA CC0, state2StoreAVX2
+ VPADDD ·avx2IncMask<>(SB), DD0, DD1; VMOVDQA DD0, ctr0StoreAVX2
+ VPADDD ·avx2IncMask<>(SB), DD1, DD2; VMOVDQA DD1, ctr1StoreAVX2
+ VPADDD ·avx2IncMask<>(SB), DD2, DD3; VMOVDQA DD2, ctr2StoreAVX2
+ VMOVDQA DD3, ctr3StoreAVX2
+ MOVQ $10, itr2
+
+sealAVX2IntroLoop:
+ VMOVDQA CC3, tmpStoreAVX2
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, CC3); chachaQR_AVX2(AA1, BB1, CC1, DD1, CC3); chachaQR_AVX2(AA2, BB2, CC2, DD2, CC3)
+ VMOVDQA tmpStoreAVX2, CC3
+ VMOVDQA CC1, tmpStoreAVX2
+ chachaQR_AVX2(AA3, BB3, CC3, DD3, CC1)
+ VMOVDQA tmpStoreAVX2, CC1
+
+ VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $12, DD0, DD0, DD0
+ VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $12, DD1, DD1, DD1
+ VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $12, DD2, DD2, DD2
+ VPALIGNR $4, BB3, BB3, BB3; VPALIGNR $8, CC3, CC3, CC3; VPALIGNR $12, DD3, DD3, DD3
+
+ VMOVDQA CC3, tmpStoreAVX2
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, CC3); chachaQR_AVX2(AA1, BB1, CC1, DD1, CC3); chachaQR_AVX2(AA2, BB2, CC2, DD2, CC3)
+ VMOVDQA
tmpStoreAVX2, CC3
+ VMOVDQA CC1, tmpStoreAVX2
+ chachaQR_AVX2(AA3, BB3, CC3, DD3, CC1)
+ VMOVDQA tmpStoreAVX2, CC1
+
+ VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $4, DD0, DD0, DD0
+ VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $4, DD1, DD1, DD1
+ VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $4, DD2, DD2, DD2
+ VPALIGNR $12, BB3, BB3, BB3; VPALIGNR $8, CC3, CC3, CC3; VPALIGNR $4, DD3, DD3, DD3
+ DECQ itr2
+ JNE sealAVX2IntroLoop
+
+ VPADDD ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2; VPADDD ·chacha20Constants<>(SB), AA3, AA3
+ VPADDD state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2; VPADDD state1StoreAVX2, BB3, BB3
+ VPADDD state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2; VPADDD state2StoreAVX2, CC3, CC3
+ VPADDD ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1; VPADDD ctr2StoreAVX2, DD2, DD2; VPADDD ctr3StoreAVX2, DD3, DD3
+
+ VPERM2I128 $0x13, CC0, DD0, CC0 // Stream bytes 96 - 127
+ VPERM2I128 $0x02, AA0, BB0, DD0 // The Poly1305 key
+ VPERM2I128 $0x13, AA0, BB0, AA0 // Stream bytes 64 - 95
+
+ // Clamp and store poly key
+ VPAND ·polyClampMask<>(SB), DD0, DD0
+ VMOVDQA DD0, rsStoreAVX2
+
+ // Hash AD
+ MOVQ ad_len+80(FP), itr2
+ CALL polyHashADInternal<>(SB)
+
+ // Can store at least 320 bytes
+ VPXOR (0*32)(inp), AA0, AA0
+ VPXOR (1*32)(inp), CC0, CC0
+ VMOVDQU AA0, (0*32)(oup)
+ VMOVDQU CC0, (1*32)(oup)
+
+ VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0
+ VPXOR (2*32)(inp), AA0, AA0; VPXOR (3*32)(inp), BB0, BB0; VPXOR (4*32)(inp), CC0, CC0; VPXOR (5*32)(inp), DD0, DD0
+ VMOVDQU AA0, (2*32)(oup); VMOVDQU BB0, (3*32)(oup); VMOVDQU CC0, (4*32)(oup); VMOVDQU DD0, (5*32)(oup)
+ VPERM2I128 $0x02, AA2, BB2, AA0; VPERM2I128 $0x02, CC2, DD2, BB0;
VPERM2I128 $0x13, AA2, BB2, CC0; VPERM2I128 $0x13, CC2, DD2, DD0
+ VPXOR (6*32)(inp), AA0, AA0; VPXOR (7*32)(inp), BB0, BB0; VPXOR (8*32)(inp), CC0, CC0; VPXOR (9*32)(inp), DD0, DD0
+ VMOVDQU AA0, (6*32)(oup); VMOVDQU BB0, (7*32)(oup); VMOVDQU CC0, (8*32)(oup); VMOVDQU DD0, (9*32)(oup)
+
+ MOVQ $320, itr1
+ SUBQ $320, inl
+ LEAQ 320(inp), inp
+
+ VPERM2I128 $0x02, AA3, BB3, AA0; VPERM2I128 $0x02, CC3, DD3, BB0; VPERM2I128 $0x13, AA3, BB3, CC0; VPERM2I128 $0x13, CC3, DD3, DD0
+ CMPQ inl, $128
+ JBE sealAVX2SealHash
+
+ VPXOR (0*32)(inp), AA0, AA0; VPXOR (1*32)(inp), BB0, BB0; VPXOR (2*32)(inp), CC0, CC0; VPXOR (3*32)(inp), DD0, DD0
+ VMOVDQU AA0, (10*32)(oup); VMOVDQU BB0, (11*32)(oup); VMOVDQU CC0, (12*32)(oup); VMOVDQU DD0, (13*32)(oup)
+ SUBQ $128, inl
+ LEAQ 128(inp), inp
+
+ MOVQ $8, itr1
+ MOVQ $2, itr2
+
+ CMPQ inl, $128
+ JBE sealAVX2Tail128
+ CMPQ inl, $256
+ JBE sealAVX2Tail256
+ CMPQ inl, $384
+ JBE sealAVX2Tail384
+ CMPQ inl, $512
+ JBE sealAVX2Tail512
+
+ // We have 448 bytes to hash, but main loop hashes 512 bytes at a time - perform some rounds, before the main loop
+ VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3
+ VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3
+ VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3
+ VMOVDQA ctr3StoreAVX2, DD0
+ VPADDD ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2; VPADDD ·avx2IncMask<>(SB), DD2, DD3
+ VMOVDQA DD0, ctr0StoreAVX2; VMOVDQA DD1, ctr1StoreAVX2; VMOVDQA DD2, ctr2StoreAVX2; VMOVDQA DD3, ctr3StoreAVX2
+
+ VMOVDQA CC3, tmpStoreAVX2
+ chachaQR_AVX2(AA0, BB0, CC0, DD0, CC3); chachaQR_AVX2(AA1, BB1, CC1, DD1, CC3); chachaQR_AVX2(AA2, BB2, CC2, DD2, CC3)
+ VMOVDQA tmpStoreAVX2, CC3
+ VMOVDQA CC1, tmpStoreAVX2
+ chachaQR_AVX2(AA3, BB3, CC3, DD3, CC1)
+ VMOVDQA tmpStoreAVX2, CC1
+
+ VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR
$12, DD0, DD0, DD0 + VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $12, DD1, DD1, DD1 + VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $12, DD2, DD2, DD2 + VPALIGNR $4, BB3, BB3, BB3; VPALIGNR $8, CC3, CC3, CC3; VPALIGNR $12, DD3, DD3, DD3 + + VMOVDQA CC3, tmpStoreAVX2 + chachaQR_AVX2(AA0, BB0, CC0, DD0, CC3); chachaQR_AVX2(AA1, BB1, CC1, DD1, CC3); chachaQR_AVX2(AA2, BB2, CC2, DD2, CC3) + VMOVDQA tmpStoreAVX2, CC3 + VMOVDQA CC1, tmpStoreAVX2 + chachaQR_AVX2(AA3, BB3, CC3, DD3, CC1) + VMOVDQA tmpStoreAVX2, CC1 + + VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $4, DD0, DD0, DD0 + VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $4, DD1, DD1, DD1 + VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $4, DD2, DD2, DD2 + VPALIGNR $12, BB3, BB3, BB3; VPALIGNR $8, CC3, CC3, CC3; VPALIGNR $4, DD3, DD3, DD3 + VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3 + VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3 + VPSHUFB ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3 + VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3 + VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3 + VMOVDQA CC3, tmpStoreAVX2 + VPSLLD $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0 + VPSLLD $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1 + VPSLLD $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2 + VPSLLD $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3 + VMOVDQA tmpStoreAVX2, CC3 + + SUBQ $16, oup // Adjust the pointer + MOVQ $9, itr1 + JMP sealAVX2InternalLoopStart + +sealAVX2MainLoop: + // Load state, increment counter blocks, store the incremented counters + VMOVDQU ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3 + VMOVDQA state1StoreAVX2, 
BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3 + VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3 + VMOVDQA ctr3StoreAVX2, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2; VPADDD ·avx2IncMask<>(SB), DD2, DD3 + VMOVDQA DD0, ctr0StoreAVX2; VMOVDQA DD1, ctr1StoreAVX2; VMOVDQA DD2, ctr2StoreAVX2; VMOVDQA DD3, ctr3StoreAVX2 + MOVQ $10, itr1 + +sealAVX2InternalLoop: + polyAdd(0*8(oup)) + VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3 + polyMulStage1_AVX2 + VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3 + VPSHUFB ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3 + polyMulStage2_AVX2 + VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3 + VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3 + polyMulStage3_AVX2 + VMOVDQA CC3, tmpStoreAVX2 + VPSLLD $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0 + VPSLLD $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1 + VPSLLD $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2 + VPSLLD $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3 + VMOVDQA tmpStoreAVX2, CC3 + polyMulReduceStage + +sealAVX2InternalLoopStart: + VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3 + VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3 + VPSHUFB ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3 + polyAdd(2*8(oup)) + VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3 + polyMulStage1_AVX2 + VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3 + VMOVDQA CC3, tmpStoreAVX2 + VPSLLD $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR 
CC3, BB0, BB0 + VPSLLD $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1 + VPSLLD $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2 + VPSLLD $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3 + VMOVDQA tmpStoreAVX2, CC3 + polyMulStage2_AVX2 + VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $4, BB3, BB3, BB3 + VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3 + VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2; VPALIGNR $12, DD3, DD3, DD3 + VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3 + polyMulStage3_AVX2 + VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3 + VPSHUFB ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3 + polyMulReduceStage + VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3 + VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3 + polyAdd(4*8(oup)) + LEAQ (6*8)(oup), oup + VMOVDQA CC3, tmpStoreAVX2 + VPSLLD $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0 + VPSLLD $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1 + VPSLLD $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2 + VPSLLD $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3 + VMOVDQA tmpStoreAVX2, CC3 + polyMulStage1_AVX2 + VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3 + VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3 + polyMulStage2_AVX2 + VPSHUFB ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3 + VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3 + polyMulStage3_AVX2 + VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; 
VPXOR CC3, BB3, BB3 + VMOVDQA CC3, tmpStoreAVX2 + VPSLLD $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0 + VPSLLD $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1 + VPSLLD $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2 + VPSLLD $7, BB3, CC3; VPSRLD $25, BB3, BB3; VPXOR CC3, BB3, BB3 + VMOVDQA tmpStoreAVX2, CC3 + polyMulReduceStage + VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $12, BB3, BB3, BB3 + VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3 + VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2; VPALIGNR $4, DD3, DD3, DD3 + DECQ itr1 + JNE sealAVX2InternalLoop + + VPADDD ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2; VPADDD ·chacha20Constants<>(SB), AA3, AA3 + VPADDD state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2; VPADDD state1StoreAVX2, BB3, BB3 + VPADDD state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2; VPADDD state2StoreAVX2, CC3, CC3 + VPADDD ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1; VPADDD ctr2StoreAVX2, DD2, DD2; VPADDD ctr3StoreAVX2, DD3, DD3 + VMOVDQA CC3, tmpStoreAVX2 + + // We only hashed 480 of the 512 bytes available - hash the remaining 32 here + polyAdd(0*8(oup)) + polyMulAVX2 + LEAQ (4*8)(oup), oup + VPERM2I128 $0x02, AA0, BB0, CC3; VPERM2I128 $0x13, AA0, BB0, BB0; VPERM2I128 $0x02, CC0, DD0, AA0; VPERM2I128 $0x13, CC0, DD0, CC0 + VPXOR (0*32)(inp), CC3, CC3; VPXOR (1*32)(inp), AA0, AA0; VPXOR (2*32)(inp), BB0, BB0; VPXOR (3*32)(inp), CC0, CC0 + VMOVDQU CC3, (0*32)(oup); VMOVDQU AA0, (1*32)(oup); VMOVDQU BB0, (2*32)(oup); VMOVDQU CC0, (3*32)(oup) + VPERM2I128 $0x02, AA1, BB1, AA0; VPERM2I128 $0x02, CC1, DD1, BB0; VPERM2I128 $0x13, AA1, BB1, CC0; VPERM2I128 $0x13, CC1, DD1, DD0 + VPXOR (4*32)(inp), AA0, 
AA0; VPXOR (5*32)(inp), BB0, BB0; VPXOR (6*32)(inp), CC0, CC0; VPXOR (7*32)(inp), DD0, DD0 + VMOVDQU AA0, (4*32)(oup); VMOVDQU BB0, (5*32)(oup); VMOVDQU CC0, (6*32)(oup); VMOVDQU DD0, (7*32)(oup) + + // and here + polyAdd(-2*8(oup)) + polyMulAVX2 + VPERM2I128 $0x02, AA2, BB2, AA0; VPERM2I128 $0x02, CC2, DD2, BB0; VPERM2I128 $0x13, AA2, BB2, CC0; VPERM2I128 $0x13, CC2, DD2, DD0 + VPXOR (8*32)(inp), AA0, AA0; VPXOR (9*32)(inp), BB0, BB0; VPXOR (10*32)(inp), CC0, CC0; VPXOR (11*32)(inp), DD0, DD0 + VMOVDQU AA0, (8*32)(oup); VMOVDQU BB0, (9*32)(oup); VMOVDQU CC0, (10*32)(oup); VMOVDQU DD0, (11*32)(oup) + VPERM2I128 $0x02, AA3, BB3, AA0; VPERM2I128 $0x02, tmpStoreAVX2, DD3, BB0; VPERM2I128 $0x13, AA3, BB3, CC0; VPERM2I128 $0x13, tmpStoreAVX2, DD3, DD0 + VPXOR (12*32)(inp), AA0, AA0; VPXOR (13*32)(inp), BB0, BB0; VPXOR (14*32)(inp), CC0, CC0; VPXOR (15*32)(inp), DD0, DD0 + VMOVDQU AA0, (12*32)(oup); VMOVDQU BB0, (13*32)(oup); VMOVDQU CC0, (14*32)(oup); VMOVDQU DD0, (15*32)(oup) + LEAQ (32*16)(inp), inp + SUBQ $(32*16), inl + CMPQ inl, $512 + JG sealAVX2MainLoop + + // Tail can only hash 480 bytes + polyAdd(0*8(oup)) + polyMulAVX2 + polyAdd(2*8(oup)) + polyMulAVX2 + LEAQ 32(oup), oup + + MOVQ $10, itr1 + MOVQ $0, itr2 + CMPQ inl, $128 + JBE sealAVX2Tail128 + CMPQ inl, $256 + JBE sealAVX2Tail256 + CMPQ inl, $384 + JBE sealAVX2Tail384 + JMP sealAVX2Tail512 + +// ---------------------------------------------------------------------------- +// Special optimization for buffers smaller than 193 bytes +seal192AVX2: + // For up to 192 bytes of ciphertext and 64 bytes for the poly key, we process four blocks + VMOVDQA AA0, AA1 + VMOVDQA BB0, BB1 + VMOVDQA CC0, CC1 + VPADDD ·avx2IncMask<>(SB), DD0, DD1 + VMOVDQA AA0, AA2 + VMOVDQA BB0, BB2 + VMOVDQA CC0, CC2 + VMOVDQA DD0, DD2 + VMOVDQA DD1, TT3 + MOVQ $10, itr2 + +sealAVX2192InnerCipherLoop: + chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0) + VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1 + 
VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1 + VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1 + chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0) + VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1 + VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1 + VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1 + DECQ itr2 + JNE sealAVX2192InnerCipherLoop + VPADDD AA2, AA0, AA0; VPADDD AA2, AA1, AA1 + VPADDD BB2, BB0, BB0; VPADDD BB2, BB1, BB1 + VPADDD CC2, CC0, CC0; VPADDD CC2, CC1, CC1 + VPADDD DD2, DD0, DD0; VPADDD TT3, DD1, DD1 + VPERM2I128 $0x02, AA0, BB0, TT0 + + // Clamp and store poly key + VPAND ·polyClampMask<>(SB), TT0, TT0 + VMOVDQA TT0, rsStoreAVX2 + + // Stream for up to 192 bytes + VPERM2I128 $0x13, AA0, BB0, AA0 + VPERM2I128 $0x13, CC0, DD0, BB0 + VPERM2I128 $0x02, AA1, BB1, CC0 + VPERM2I128 $0x02, CC1, DD1, DD0 + VPERM2I128 $0x13, AA1, BB1, AA1 + VPERM2I128 $0x13, CC1, DD1, BB1 + +sealAVX2ShortSeal: + // Hash aad + MOVQ ad_len+80(FP), itr2 + CALL polyHashADInternal<>(SB) + XORQ itr1, itr1 + +sealAVX2SealHash: + // itr1 holds the number of bytes encrypted but not yet hashed + CMPQ itr1, $16 + JB sealAVX2ShortSealLoop + polyAdd(0(oup)) + polyMul + SUBQ $16, itr1 + ADDQ $16, oup + JMP sealAVX2SealHash + +sealAVX2ShortSealLoop: + CMPQ inl, $32 + JB sealAVX2ShortTail32 + SUBQ $32, inl + + // Load for encryption + VPXOR (inp), AA0, AA0 + VMOVDQU AA0, (oup) + LEAQ (1*32)(inp), inp + + // Now can hash + polyAdd(0*8(oup)) + polyMulAVX2 + polyAdd(2*8(oup)) + polyMulAVX2 + LEAQ (1*32)(oup), oup + + // Shift stream left + VMOVDQA BB0, AA0 + VMOVDQA CC0, BB0 + VMOVDQA DD0, CC0 + VMOVDQA AA1, DD0 + VMOVDQA BB1, AA1 + VMOVDQA CC1, BB1 + VMOVDQA DD1, CC1 + VMOVDQA AA2, DD1 + VMOVDQA BB2, AA2 + JMP sealAVX2ShortSealLoop + +sealAVX2ShortTail32: + CMPQ inl, $16 + VMOVDQA A0, A1 + JB sealAVX2ShortDone + + SUBQ $16, inl + + // Load for encryption + VPXOR (inp), A0, T0 + VMOVDQU T0, (oup) + LEAQ (1*16)(inp), inp + + 
// Hash + polyAdd(0*8(oup)) + polyMulAVX2 + LEAQ (1*16)(oup), oup + VPERM2I128 $0x11, AA0, AA0, AA0 + VMOVDQA A0, A1 + +sealAVX2ShortDone: + VZEROUPPER + JMP sealSSETail + +// ---------------------------------------------------------------------------- +// Special optimization for buffers smaller than 321 bytes +seal320AVX2: + // For up to 320 bytes of ciphertext and 64 bytes for the poly key, we process six blocks + VMOVDQA AA0, AA1; VMOVDQA BB0, BB1; VMOVDQA CC0, CC1; VPADDD ·avx2IncMask<>(SB), DD0, DD1 + VMOVDQA AA0, AA2; VMOVDQA BB0, BB2; VMOVDQA CC0, CC2; VPADDD ·avx2IncMask<>(SB), DD1, DD2 + VMOVDQA BB0, TT1; VMOVDQA CC0, TT2; VMOVDQA DD0, TT3 + MOVQ $10, itr2 + +sealAVX2320InnerCipherLoop: + chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0) + VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2 + VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2 + VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2 + chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0) + VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2 + VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2 + VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2 + DECQ itr2 + JNE sealAVX2320InnerCipherLoop + + VMOVDQA ·chacha20Constants<>(SB), TT0 + VPADDD TT0, AA0, AA0; VPADDD TT0, AA1, AA1; VPADDD TT0, AA2, AA2 + VPADDD TT1, BB0, BB0; VPADDD TT1, BB1, BB1; VPADDD TT1, BB2, BB2 + VPADDD TT2, CC0, CC0; VPADDD TT2, CC1, CC1; VPADDD TT2, CC2, CC2 + VMOVDQA ·avx2IncMask<>(SB), TT0 + VPADDD TT3, DD0, DD0; VPADDD TT0, TT3, TT3 + VPADDD TT3, DD1, DD1; VPADDD TT0, TT3, TT3 + VPADDD TT3, DD2, DD2 + + // Clamp and store poly key + VPERM2I128 $0x02, AA0, BB0, TT0 + VPAND ·polyClampMask<>(SB), TT0, 
TT0 + VMOVDQA TT0, rsStoreAVX2 + + // Stream for up to 320 bytes + VPERM2I128 $0x13, AA0, BB0, AA0 + VPERM2I128 $0x13, CC0, DD0, BB0 + VPERM2I128 $0x02, AA1, BB1, CC0 + VPERM2I128 $0x02, CC1, DD1, DD0 + VPERM2I128 $0x13, AA1, BB1, AA1 + VPERM2I128 $0x13, CC1, DD1, BB1 + VPERM2I128 $0x02, AA2, BB2, CC1 + VPERM2I128 $0x02, CC2, DD2, DD1 + VPERM2I128 $0x13, AA2, BB2, AA2 + VPERM2I128 $0x13, CC2, DD2, BB2 + JMP sealAVX2ShortSeal + +// ---------------------------------------------------------------------------- +// Special optimization for the last 128 bytes of ciphertext +sealAVX2Tail128: + // Need to decrypt up to 128 bytes - prepare two blocks + // If we got here after the main loop - there are 512 encrypted bytes waiting to be hashed + // If we got here before the main loop - there are 448 encrpyred bytes waiting to be hashed + VMOVDQA ·chacha20Constants<>(SB), AA0 + VMOVDQA state1StoreAVX2, BB0 + VMOVDQA state2StoreAVX2, CC0 + VMOVDQA ctr3StoreAVX2, DD0 + VPADDD ·avx2IncMask<>(SB), DD0, DD0 + VMOVDQA DD0, DD1 + +sealAVX2Tail128LoopA: + polyAdd(0(oup)) + polyMul + LEAQ 16(oup), oup + +sealAVX2Tail128LoopB: + chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0) + polyAdd(0(oup)) + polyMul + VPALIGNR $4, BB0, BB0, BB0 + VPALIGNR $8, CC0, CC0, CC0 + VPALIGNR $12, DD0, DD0, DD0 + chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0) + polyAdd(16(oup)) + polyMul + LEAQ 32(oup), oup + VPALIGNR $12, BB0, BB0, BB0 + VPALIGNR $8, CC0, CC0, CC0 + VPALIGNR $4, DD0, DD0, DD0 + DECQ itr1 + JG sealAVX2Tail128LoopA + DECQ itr2 + JGE sealAVX2Tail128LoopB + + VPADDD ·chacha20Constants<>(SB), AA0, AA1 + VPADDD state1StoreAVX2, BB0, BB1 + VPADDD state2StoreAVX2, CC0, CC1 + VPADDD DD1, DD0, DD1 + + VPERM2I128 $0x02, AA1, BB1, AA0 + VPERM2I128 $0x02, CC1, DD1, BB0 + VPERM2I128 $0x13, AA1, BB1, CC0 + VPERM2I128 $0x13, CC1, DD1, DD0 + JMP sealAVX2ShortSealLoop + +// ---------------------------------------------------------------------------- +// Special optimization for the last 256 bytes of ciphertext 
+sealAVX2Tail256: + // Need to decrypt up to 256 bytes - prepare two blocks + // If we got here after the main loop - there are 512 encrypted bytes waiting to be hashed + // If we got here before the main loop - there are 448 encrpyred bytes waiting to be hashed + VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA ·chacha20Constants<>(SB), AA1 + VMOVDQA state1StoreAVX2, BB0; VMOVDQA state1StoreAVX2, BB1 + VMOVDQA state2StoreAVX2, CC0; VMOVDQA state2StoreAVX2, CC1 + VMOVDQA ctr3StoreAVX2, DD0 + VPADDD ·avx2IncMask<>(SB), DD0, DD0 + VPADDD ·avx2IncMask<>(SB), DD0, DD1 + VMOVDQA DD0, TT1 + VMOVDQA DD1, TT2 + +sealAVX2Tail256LoopA: + polyAdd(0(oup)) + polyMul + LEAQ 16(oup), oup + +sealAVX2Tail256LoopB: + chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0) + polyAdd(0(oup)) + polyMul + VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1 + VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1 + VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1 + chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0) + polyAdd(16(oup)) + polyMul + LEAQ 32(oup), oup + VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1 + VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1 + VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1 + DECQ itr1 + JG sealAVX2Tail256LoopA + DECQ itr2 + JGE sealAVX2Tail256LoopB + + VPADDD ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1 + VPADDD state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1 + VPADDD state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1 + VPADDD TT1, DD0, DD0; VPADDD TT2, DD1, DD1 + VPERM2I128 $0x02, AA0, BB0, TT0 + VPERM2I128 $0x02, CC0, DD0, TT1 + VPERM2I128 $0x13, AA0, BB0, TT2 + VPERM2I128 $0x13, CC0, DD0, TT3 + VPXOR (0*32)(inp), TT0, TT0; VPXOR (1*32)(inp), TT1, TT1; VPXOR (2*32)(inp), TT2, TT2; VPXOR (3*32)(inp), TT3, TT3 + VMOVDQU TT0, (0*32)(oup); VMOVDQU TT1, (1*32)(oup); VMOVDQU TT2, (2*32)(oup); VMOVDQU TT3, (3*32)(oup) + 
MOVQ $128, itr1 + LEAQ 128(inp), inp + SUBQ $128, inl + VPERM2I128 $0x02, AA1, BB1, AA0 + VPERM2I128 $0x02, CC1, DD1, BB0 + VPERM2I128 $0x13, AA1, BB1, CC0 + VPERM2I128 $0x13, CC1, DD1, DD0 + + JMP sealAVX2SealHash + +// ---------------------------------------------------------------------------- +// Special optimization for the last 384 bytes of ciphertext +sealAVX2Tail384: + // Need to decrypt up to 384 bytes - prepare two blocks + // If we got here after the main loop - there are 512 encrypted bytes waiting to be hashed + // If we got here before the main loop - there are 448 encrpyred bytes waiting to be hashed + VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2 + VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2 + VMOVDQA state2StoreAVX2, CC0; VMOVDQA CC0, CC1; VMOVDQA CC0, CC2 + VMOVDQA ctr3StoreAVX2, DD0 + VPADDD ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2 + VMOVDQA DD0, TT1; VMOVDQA DD1, TT2; VMOVDQA DD2, TT3 + +sealAVX2Tail384LoopA: + polyAdd(0(oup)) + polyMul + LEAQ 16(oup), oup + +sealAVX2Tail384LoopB: + chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0) + polyAdd(0(oup)) + polyMul + VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2 + VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2 + VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2 + chachaQR_AVX2(AA0, BB0, CC0, DD0, TT0); chachaQR_AVX2(AA1, BB1, CC1, DD1, TT0); chachaQR_AVX2(AA2, BB2, CC2, DD2, TT0) + polyAdd(16(oup)) + polyMul + LEAQ 32(oup), oup + VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2 + VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2 + VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2 + DECQ itr1 + JG sealAVX2Tail384LoopA 
+ DECQ itr2 + JGE sealAVX2Tail384LoopB + + VPADDD ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2 + VPADDD state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2 + VPADDD state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2 + VPADDD TT1, DD0, DD0; VPADDD TT2, DD1, DD1; VPADDD TT3, DD2, DD2 + VPERM2I128 $0x02, AA0, BB0, TT0 + VPERM2I128 $0x02, CC0, DD0, TT1 + VPERM2I128 $0x13, AA0, BB0, TT2 + VPERM2I128 $0x13, CC0, DD0, TT3 + VPXOR (0*32)(inp), TT0, TT0; VPXOR (1*32)(inp), TT1, TT1; VPXOR (2*32)(inp), TT2, TT2; VPXOR (3*32)(inp), TT3, TT3 + VMOVDQU TT0, (0*32)(oup); VMOVDQU TT1, (1*32)(oup); VMOVDQU TT2, (2*32)(oup); VMOVDQU TT3, (3*32)(oup) + VPERM2I128 $0x02, AA1, BB1, TT0 + VPERM2I128 $0x02, CC1, DD1, TT1 + VPERM2I128 $0x13, AA1, BB1, TT2 + VPERM2I128 $0x13, CC1, DD1, TT3 + VPXOR (4*32)(inp), TT0, TT0; VPXOR (5*32)(inp), TT1, TT1; VPXOR (6*32)(inp), TT2, TT2; VPXOR (7*32)(inp), TT3, TT3 + VMOVDQU TT0, (4*32)(oup); VMOVDQU TT1, (5*32)(oup); VMOVDQU TT2, (6*32)(oup); VMOVDQU TT3, (7*32)(oup) + MOVQ $256, itr1 + LEAQ 256(inp), inp + SUBQ $256, inl + VPERM2I128 $0x02, AA2, BB2, AA0 + VPERM2I128 $0x02, CC2, DD2, BB0 + VPERM2I128 $0x13, AA2, BB2, CC0 + VPERM2I128 $0x13, CC2, DD2, DD0 + + JMP sealAVX2SealHash + +// ---------------------------------------------------------------------------- +// Special optimization for the last 512 bytes of ciphertext +sealAVX2Tail512: + // Need to decrypt up to 512 bytes - prepare two blocks + // If we got here after the main loop - there are 512 encrypted bytes waiting to be hashed + // If we got here before the main loop - there are 448 encrpyred bytes waiting to be hashed + VMOVDQA ·chacha20Constants<>(SB), AA0; VMOVDQA AA0, AA1; VMOVDQA AA0, AA2; VMOVDQA AA0, AA3 + VMOVDQA state1StoreAVX2, BB0; VMOVDQA BB0, BB1; VMOVDQA BB0, BB2; VMOVDQA BB0, BB3 + VMOVDQA state2StoreAVX2, CC0; 
VMOVDQA CC0, CC1; VMOVDQA CC0, CC2; VMOVDQA CC0, CC3 + VMOVDQA ctr3StoreAVX2, DD0 + VPADDD ·avx2IncMask<>(SB), DD0, DD0; VPADDD ·avx2IncMask<>(SB), DD0, DD1; VPADDD ·avx2IncMask<>(SB), DD1, DD2; VPADDD ·avx2IncMask<>(SB), DD2, DD3 + VMOVDQA DD0, ctr0StoreAVX2; VMOVDQA DD1, ctr1StoreAVX2; VMOVDQA DD2, ctr2StoreAVX2; VMOVDQA DD3, ctr3StoreAVX2 + +sealAVX2Tail512LoopA: + polyAdd(0(oup)) + polyMul + LEAQ 16(oup), oup + +sealAVX2Tail512LoopB: + VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3 + VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3 + VPSHUFB ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3 + VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3 + VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3 + VMOVDQA CC3, tmpStoreAVX2 + VPSLLD $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0 + VPSLLD $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1 + VPSLLD $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2 + VPSLLD $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3 + VMOVDQA tmpStoreAVX2, CC3 + polyAdd(0*8(oup)) + polyMulAVX2 + VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3 + VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3 + VPSHUFB ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3 + VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3 + VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3 + VMOVDQA CC3, tmpStoreAVX2 + VPSLLD $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0 + VPSLLD $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1 + VPSLLD $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2 + VPSLLD $7, BB3, CC3; VPSRLD 
$25, BB3, BB3; VPXOR CC3, BB3, BB3 + VMOVDQA tmpStoreAVX2, CC3 + VPALIGNR $4, BB0, BB0, BB0; VPALIGNR $4, BB1, BB1, BB1; VPALIGNR $4, BB2, BB2, BB2; VPALIGNR $4, BB3, BB3, BB3 + VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3 + VPALIGNR $12, DD0, DD0, DD0; VPALIGNR $12, DD1, DD1, DD1; VPALIGNR $12, DD2, DD2, DD2; VPALIGNR $12, DD3, DD3, DD3 + VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3 + VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3 + VPSHUFB ·rol16<>(SB), DD0, DD0; VPSHUFB ·rol16<>(SB), DD1, DD1; VPSHUFB ·rol16<>(SB), DD2, DD2; VPSHUFB ·rol16<>(SB), DD3, DD3 + VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3 + VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3 + polyAdd(2*8(oup)) + polyMulAVX2 + LEAQ (4*8)(oup), oup + VMOVDQA CC3, tmpStoreAVX2 + VPSLLD $12, BB0, CC3; VPSRLD $20, BB0, BB0; VPXOR CC3, BB0, BB0 + VPSLLD $12, BB1, CC3; VPSRLD $20, BB1, BB1; VPXOR CC3, BB1, BB1 + VPSLLD $12, BB2, CC3; VPSRLD $20, BB2, BB2; VPXOR CC3, BB2, BB2 + VPSLLD $12, BB3, CC3; VPSRLD $20, BB3, BB3; VPXOR CC3, BB3, BB3 + VMOVDQA tmpStoreAVX2, CC3 + VPADDD BB0, AA0, AA0; VPADDD BB1, AA1, AA1; VPADDD BB2, AA2, AA2; VPADDD BB3, AA3, AA3 + VPXOR AA0, DD0, DD0; VPXOR AA1, DD1, DD1; VPXOR AA2, DD2, DD2; VPXOR AA3, DD3, DD3 + VPSHUFB ·rol8<>(SB), DD0, DD0; VPSHUFB ·rol8<>(SB), DD1, DD1; VPSHUFB ·rol8<>(SB), DD2, DD2; VPSHUFB ·rol8<>(SB), DD3, DD3 + VPADDD DD0, CC0, CC0; VPADDD DD1, CC1, CC1; VPADDD DD2, CC2, CC2; VPADDD DD3, CC3, CC3 + VPXOR CC0, BB0, BB0; VPXOR CC1, BB1, BB1; VPXOR CC2, BB2, BB2; VPXOR CC3, BB3, BB3 + VMOVDQA CC3, tmpStoreAVX2 + VPSLLD $7, BB0, CC3; VPSRLD $25, BB0, BB0; VPXOR CC3, BB0, BB0 + VPSLLD $7, BB1, CC3; VPSRLD $25, BB1, BB1; VPXOR CC3, BB1, BB1 + VPSLLD $7, BB2, CC3; VPSRLD $25, BB2, BB2; VPXOR CC3, BB2, BB2 + VPSLLD $7, BB3, CC3; VPSRLD $25, BB3, 
BB3; VPXOR CC3, BB3, BB3 + VMOVDQA tmpStoreAVX2, CC3 + VPALIGNR $12, BB0, BB0, BB0; VPALIGNR $12, BB1, BB1, BB1; VPALIGNR $12, BB2, BB2, BB2; VPALIGNR $12, BB3, BB3, BB3 + VPALIGNR $8, CC0, CC0, CC0; VPALIGNR $8, CC1, CC1, CC1; VPALIGNR $8, CC2, CC2, CC2; VPALIGNR $8, CC3, CC3, CC3 + VPALIGNR $4, DD0, DD0, DD0; VPALIGNR $4, DD1, DD1, DD1; VPALIGNR $4, DD2, DD2, DD2; VPALIGNR $4, DD3, DD3, DD3 + + DECQ itr1 + JG sealAVX2Tail512LoopA + DECQ itr2 + JGE sealAVX2Tail512LoopB + + VPADDD ·chacha20Constants<>(SB), AA0, AA0; VPADDD ·chacha20Constants<>(SB), AA1, AA1; VPADDD ·chacha20Constants<>(SB), AA2, AA2; VPADDD ·chacha20Constants<>(SB), AA3, AA3 + VPADDD state1StoreAVX2, BB0, BB0; VPADDD state1StoreAVX2, BB1, BB1; VPADDD state1StoreAVX2, BB2, BB2; VPADDD state1StoreAVX2, BB3, BB3 + VPADDD state2StoreAVX2, CC0, CC0; VPADDD state2StoreAVX2, CC1, CC1; VPADDD state2StoreAVX2, CC2, CC2; VPADDD state2StoreAVX2, CC3, CC3 + VPADDD ctr0StoreAVX2, DD0, DD0; VPADDD ctr1StoreAVX2, DD1, DD1; VPADDD ctr2StoreAVX2, DD2, DD2; VPADDD ctr3StoreAVX2, DD3, DD3 + VMOVDQA CC3, tmpStoreAVX2 + VPERM2I128 $0x02, AA0, BB0, CC3 + VPXOR (0*32)(inp), CC3, CC3 + VMOVDQU CC3, (0*32)(oup) + VPERM2I128 $0x02, CC0, DD0, CC3 + VPXOR (1*32)(inp), CC3, CC3 + VMOVDQU CC3, (1*32)(oup) + VPERM2I128 $0x13, AA0, BB0, CC3 + VPXOR (2*32)(inp), CC3, CC3 + VMOVDQU CC3, (2*32)(oup) + VPERM2I128 $0x13, CC0, DD0, CC3 + VPXOR (3*32)(inp), CC3, CC3 + VMOVDQU CC3, (3*32)(oup) + + VPERM2I128 $0x02, AA1, BB1, AA0 + VPERM2I128 $0x02, CC1, DD1, BB0 + VPERM2I128 $0x13, AA1, BB1, CC0 + VPERM2I128 $0x13, CC1, DD1, DD0 + VPXOR (4*32)(inp), AA0, AA0; VPXOR (5*32)(inp), BB0, BB0; VPXOR (6*32)(inp), CC0, CC0; VPXOR (7*32)(inp), DD0, DD0 + VMOVDQU AA0, (4*32)(oup); VMOVDQU BB0, (5*32)(oup); VMOVDQU CC0, (6*32)(oup); VMOVDQU DD0, (7*32)(oup) + + VPERM2I128 $0x02, AA2, BB2, AA0 + VPERM2I128 $0x02, CC2, DD2, BB0 + VPERM2I128 $0x13, AA2, BB2, CC0 + VPERM2I128 $0x13, CC2, DD2, DD0 + VPXOR (8*32)(inp), AA0, AA0; VPXOR (9*32)(inp), BB0, 
BB0; VPXOR (10*32)(inp), CC0, CC0; VPXOR (11*32)(inp), DD0, DD0 + VMOVDQU AA0, (8*32)(oup); VMOVDQU BB0, (9*32)(oup); VMOVDQU CC0, (10*32)(oup); VMOVDQU DD0, (11*32)(oup) + + MOVQ $384, itr1 + LEAQ 384(inp), inp + SUBQ $384, inl + VPERM2I128 $0x02, AA3, BB3, AA0 + VPERM2I128 $0x02, tmpStoreAVX2, DD3, BB0 + VPERM2I128 $0x13, AA3, BB3, CC0 + VPERM2I128 $0x13, tmpStoreAVX2, DD3, DD0 + + JMP sealAVX2SealHash diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_generic.go b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_generic.go new file mode 100644 index 00000000..fe191d39 --- /dev/null +++ b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_generic.go 
@@ -0,0 +1,81 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package chacha20poly1305
+
+import (
+ "encoding/binary"
+
+ "golang.org/x/crypto/chacha20"
+ "golang.org/x/crypto/internal/subtle"
+ "golang.org/x/crypto/poly1305"
+)
+
+func writeWithPadding(p *poly1305.MAC, b []byte) {
+ p.Write(b)
+ if rem := len(b) % 16; rem != 0 {
+ var buf [16]byte
+ padLen := 16 - rem
+ p.Write(buf[:padLen])
+ }
+}
+
+func writeUint64(p *poly1305.MAC, n int) {
+ var buf [8]byte
+ binary.LittleEndian.PutUint64(buf[:], uint64(n))
+ p.Write(buf[:])
+}
+
+func (c *chacha20poly1305) sealGeneric(dst, nonce, plaintext, additionalData []byte) []byte {
+ ret, out := sliceForAppend(dst, len(plaintext)+poly1305.TagSize)
+ ciphertext, tag := out[:len(plaintext)], out[len(plaintext):]
+ if subtle.InexactOverlap(out, plaintext) {
+ panic("chacha20poly1305: invalid buffer overlap")
+ }
+
+ var polyKey [32]byte
+ s, _ := chacha20.NewUnauthenticatedCipher(c.key[:], nonce)
+ s.XORKeyStream(polyKey[:], polyKey[:])
+ s.SetCounter(1) // set the counter to 1, skipping 32 bytes
+ s.XORKeyStream(ciphertext, plaintext)
+
+ p := poly1305.New(&polyKey)
+ writeWithPadding(p, additionalData)
+ writeWithPadding(p, ciphertext)
+ writeUint64(p, len(additionalData))
+ writeUint64(p, len(plaintext))
+ p.Sum(tag[:0])
+
+ return ret
+}
+
+func (c *chacha20poly1305) openGeneric(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+ tag := ciphertext[len(ciphertext)-16:]
+ ciphertext = ciphertext[:len(ciphertext)-16]
+
+ var polyKey [32]byte
+ s, _ := chacha20.NewUnauthenticatedCipher(c.key[:], nonce)
+ s.XORKeyStream(polyKey[:], polyKey[:])
+ s.SetCounter(1) // set the counter to 1, skipping 32 bytes
+
+ p := poly1305.New(&polyKey)
+ writeWithPadding(p, additionalData)
+ writeWithPadding(p, ciphertext)
+ writeUint64(p, len(additionalData))
+ writeUint64(p, len(ciphertext))
+
+ ret, out := sliceForAppend(dst, len(ciphertext))
+ if subtle.InexactOverlap(out, ciphertext) {
+ panic("chacha20poly1305: invalid buffer overlap")
+ }
+ if !p.Verify(tag) {
+ for i := range out {
+ out[i] = 0
+ }
+ return nil, errOpen
+ }
+
+ s.XORKeyStream(out, ciphertext)
+ return ret, nil
+}
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_noasm.go b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_noasm.go
new file mode 100644
index 00000000..9ce4aa9f
--- /dev/null
+++ b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_noasm.go
@@ -0,0 +1,15 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !amd64 gccgo purego
+
+package chacha20poly1305
+
+func (c *chacha20poly1305) seal(dst, nonce, plaintext, additionalData []byte) []byte {
+ return c.sealGeneric(dst, nonce, plaintext, additionalData)
+}
+
+func (c *chacha20poly1305) open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+ return c.openGeneric(dst, nonce, ciphertext, additionalData)
+}
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/xchacha20poly1305.go b/vendor/golang.org/x/crypto/chacha20poly1305/xchacha20poly1305.go
new file mode 100644
index 00000000..d9d46b96
--- /dev/null
+++ b/vendor/golang.org/x/crypto/chacha20poly1305/xchacha20poly1305.go
@@ -0,0 +1,86 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package chacha20poly1305
+
+import (
+ "crypto/cipher"
+ "errors"
+
+ "golang.org/x/crypto/chacha20"
+)
+
+type xchacha20poly1305 struct {
+ key [KeySize]byte
+}
+
+// NewX returns a XChaCha20-Poly1305 AEAD that uses the given 256-bit key.
+//
+// XChaCha20-Poly1305 is a ChaCha20-Poly1305 variant that takes a longer nonce,
+// suitable to be generated randomly without risk of collisions. It should be
+// preferred when nonce uniqueness cannot be trivially ensured, or whenever
+// nonces are randomly generated.
+func NewX(key []byte) (cipher.AEAD, error) {
+ if len(key) != KeySize {
+ return nil, errors.New("chacha20poly1305: bad key length")
+ }
+ ret := new(xchacha20poly1305)
+ copy(ret.key[:], key)
+ return ret, nil
+}
+
+func (*xchacha20poly1305) NonceSize() int {
+ return NonceSizeX
+}
+
+func (*xchacha20poly1305) Overhead() int {
+ return 16
+}
+
+func (x *xchacha20poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
+ if len(nonce) != NonceSizeX {
+ panic("chacha20poly1305: bad nonce length passed to Seal")
+ }
+
+ // XChaCha20-Poly1305 technically supports a 64-bit counter, so there is no
+ // size limit. However, since we reuse the ChaCha20-Poly1305 implementation,
+ // the second half of the counter is not available. This is unlikely to be
+ // an issue because the cipher.AEAD API requires the entire message to be in
+ // memory, and the counter overflows at 256 GB.
+ if uint64(len(plaintext)) > (1<<38)-64 {
+ panic("chacha20poly1305: plaintext too large")
+ }
+
+ c := new(chacha20poly1305)
+ hKey, _ := chacha20.HChaCha20(x.key[:], nonce[0:16])
+ copy(c.key[:], hKey)
+
+ // The first 4 bytes of the final nonce are unused counter space.
+ cNonce := make([]byte, NonceSize)
+ copy(cNonce[4:12], nonce[16:24])
+
+ return c.seal(dst, cNonce[:], plaintext, additionalData)
+}
+
+func (x *xchacha20poly1305) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+ if len(nonce) != NonceSizeX {
+ panic("chacha20poly1305: bad nonce length passed to Open")
+ }
+ if len(ciphertext) < 16 {
+ return nil, errOpen
+ }
+ if uint64(len(ciphertext)) > (1<<38)-48 {
+ panic("chacha20poly1305: ciphertext too large")
+ }
+
+ c := new(chacha20poly1305)
+ hKey, _ := chacha20.HChaCha20(x.key[:], nonce[0:16])
+ copy(c.key[:], hKey)
+
+ // The first 4 bytes of the final nonce are unused counter space.
+ cNonce := make([]byte, NonceSize)
+ copy(cNonce[4:12], nonce[16:24])
+
+ return c.open(dst, cNonce[:], ciphertext, additionalData)
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index dd2f9a53..d9d3c3b2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,19 +1,16 @@ +# git.schwanenlied.me/yawning/x448.git v0.0.0-20170617130356-01b048fb03d6 +git.schwanenlied.me/yawning/x448.git # github.com/BurntSushi/toml v0.3.1 github.com/BurntSushi/toml # github.com/DATA-DOG/go-sqlmock v1.3.3 -## explicit github.com/DATA-DOG/go-sqlmock # github.com/acmacalister/skittles v0.0.0-20160609003031-7423546701e1 -## explicit github.com/acmacalister/skittles # github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d -## explicit github.com/alecthomas/units # github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 -## explicit github.com/anmitsu/go-shlex # github.com/aws/aws-sdk-go v1.34.19 -## explicit github.com/aws/aws-sdk-go/aws github.com/aws/aws-sdk-go/aws/arn github.com/aws/aws-sdk-go/aws/awserr
@@ -64,24 +61,32 @@ github.com/caddyserver/caddy github.com/caddyserver/caddy/caddyfile github.com/caddyserver/caddy/telemetry # github.com/certifi/gocertifi v0.0.0-20200211180108-c7c1fbc02894 -## explicit github.com/certifi/gocertifi # github.com/cespare/xxhash/v2 v2.1.1 github.com/cespare/xxhash/v2 +# github.com/cisco/go-hpke v0.0.0-20201023221920-2866d2aa0603 +github.com/cisco/go-hpke +# github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b +github.com/cisco/go-tls-syntax # github.com/cloudflare/brotli-go v0.0.0-20191101163834-d34379f7ff93 -## explicit github.com/cloudflare/brotli-go github.com/cloudflare/brotli-go/brotli github.com/cloudflare/brotli-go/common github.com/cloudflare/brotli-go/dec github.com/cloudflare/brotli-go/enc +# github.com/cloudflare/circl v1.0.0 +github.com/cloudflare/circl/dh/sidh +github.com/cloudflare/circl/dh/sidh/internal/common +github.com/cloudflare/circl/dh/sidh/internal/p503 +github.com/cloudflare/circl/dh/sidh/internal/p751 +github.com/cloudflare/circl/dh/sidh/internal/shake # github.com/cloudflare/golibs v0.0.0-20170913112048-333127dbecfc -## explicit github.com/cloudflare/golibs/lrucache # github.com/cloudflare/golz4 v0.0.0-20150217214814-ef862a3cdc58 github.com/cloudflare/golz4 +# github.com/cloudflare/odoh-go v0.1.3 +github.com/cloudflare/odoh-go # github.com/coredns/coredns v1.7.0 -## explicit github.com/coredns/coredns/core/dnsserver github.com/coredns/coredns/coremain github.com/coredns/coredns/pb 
@@ -109,45 +114,27 @@ github.com/coredns/coredns/plugin/pkg/uniq github.com/coredns/coredns/plugin/test github.com/coredns/coredns/request # github.com/coreos/go-oidc v0.0.0-20171002155002-a93f71fdfe73 -## explicit github.com/coreos/go-oidc/jose # github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf -## explicit github.com/coreos/go-systemd/daemon # github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d github.com/cpuguy83/go-md2man/v2/md2man # github.com/davecgh/go-spew v1.1.1 github.com/davecgh/go-spew/spew # github.com/denisenkom/go-mssqldb v0.0.0-20191001013358-cfbb681360f0 -## explicit github.com/denisenkom/go-mssqldb github.com/denisenkom/go-mssqldb/internal/cp github.com/denisenkom/go-mssqldb/internal/decimal github.com/denisenkom/go-mssqldb/internal/querytext -# github.com/equinox-io/equinox v1.2.0 -## explicit -# github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51 -## explicit -# github.com/facebookgo/freeport v0.0.0-20150612182905-d4adf43b75b9 -## explicit # github.com/facebookgo/grace v0.0.0-20180706040059-75cf19382434 -## explicit github.com/facebookgo/grace/gracenet -# github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 -## explicit -# github.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870 -## explicit # github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 github.com/flynn/go-shlex -# github.com/frankban/quicktest v1.10.0 -## explicit # github.com/fsnotify/fsnotify v1.4.9 -## explicit github.com/fsnotify/fsnotify # github.com/gdamore/encoding v1.0.0 github.com/gdamore/encoding # github.com/gdamore/tcell v1.3.0 -## explicit github.com/gdamore/tcell github.com/gdamore/tcell/terminfo github.com/gdamore/tcell/terminfo/a/adm3a 
@@ -199,29 +186,22 @@ github.com/gdamore/tcell/terminfo/x/xnuppc github.com/gdamore/tcell/terminfo/x/xterm github.com/gdamore/tcell/terminfo/x/xterm_kitty # github.com/getsentry/raven-go v0.0.0-20180517221441-ed7bcb39ff10 -## explicit github.com/getsentry/raven-go # github.com/gliderlabs/ssh v0.0.0-20191009160644-63518b5243e0 -## explicit github.com/gliderlabs/ssh # github.com/go-sql-driver/mysql v1.5.0 -## explicit github.com/go-sql-driver/mysql # github.com/gobwas/httphead v0.0.0-20200921212729-da3d93bc3c58 -## explicit github.com/gobwas/httphead # github.com/gobwas/pool v0.2.1 -## explicit github.com/gobwas/pool github.com/gobwas/pool/internal/pmath github.com/gobwas/pool/pbufio github.com/gobwas/pool/pbytes # github.com/gobwas/ws v1.0.4 -## explicit github.com/gobwas/ws github.com/gobwas/ws/wsutil # github.com/golang-collections/collections v0.0.0-20130729185459-604e922904d3 -## explicit github.com/golang-collections/collections/queue # github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe github.com/golang-sql/civil 
@@ -231,32 +211,22 @@ github.com/golang/protobuf/ptypes github.com/golang/protobuf/ptypes/any github.com/golang/protobuf/ptypes/duration github.com/golang/protobuf/ptypes/timestamp -# github.com/google/go-cmp v0.5.2 -## explicit # github.com/google/uuid v1.1.2 -## explicit github.com/google/uuid # github.com/gorilla/mux v1.7.3 -## explicit github.com/gorilla/mux # github.com/gorilla/websocket v1.4.2 -## explicit github.com/gorilla/websocket # github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc # github.com/jmespath/go-jmespath v0.3.0 github.com/jmespath/go-jmespath # github.com/jmoiron/sqlx v1.2.0 -## explicit github.com/jmoiron/sqlx github.com/jmoiron/sqlx/reflectx # github.com/json-iterator/go v1.1.10 -## explicit github.com/json-iterator/go -# github.com/kr/text v0.2.0 -## explicit # github.com/kshvakov/clickhouse v1.3.11 -## explicit github.com/kshvakov/clickhouse github.com/kshvakov/clickhouse/lib/binary github.com/kshvakov/clickhouse/lib/cityhash102 @@ -267,10 +237,7 @@ github.com/kshvakov/clickhouse/lib/lz4 github.com/kshvakov/clickhouse/lib/protocol github.com/kshvakov/clickhouse/lib/types github.com/kshvakov/clickhouse/lib/writebuffer -# github.com/kylelemons/godebug v1.1.0 -## explicit # github.com/lib/pq v1.2.0 -## explicit github.com/lib/pq github.com/lib/pq/oid github.com/lib/pq/scram 
@@ -279,47 +246,35 @@ github.com/lucasb-eyer/go-colorful # github.com/mattn/go-runewidth v0.0.8 github.com/mattn/go-runewidth # github.com/mattn/go-sqlite3 v1.11.0 -## explicit github.com/mattn/go-sqlite3 # github.com/matttproud/golang_protobuf_extensions v1.0.1 github.com/matttproud/golang_protobuf_extensions/pbutil -# github.com/miekg/dns v1.1.31 -## explicit +# github.com/miekg/dns v1.1.32 github.com/miekg/dns # github.com/mitchellh/go-homedir v1.1.0 -## explicit github.com/mitchellh/go-homedir # github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd github.com/modern-go/concurrent # github.com/modern-go/reflect2 v1.0.1 github.com/modern-go/reflect2 -# github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e -## explicit # github.com/opentracing/opentracing-go v1.2.0 -## explicit github.com/opentracing/opentracing-go github.com/opentracing/opentracing-go/ext github.com/opentracing/opentracing-go/log -# github.com/pierrec/lz4 v2.5.2+incompatible -## explicit # github.com/pkg/errors v0.9.1 -## explicit github.com/pkg/errors # github.com/pmezard/go-difflib v1.0.0 github.com/pmezard/go-difflib/difflib # github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 -## explicit github.com/pquerna/cachecontrol github.com/pquerna/cachecontrol/cacheobject # github.com/prometheus/client_golang v1.7.1 -## explicit github.com/prometheus/client_golang/prometheus github.com/prometheus/client_golang/prometheus/internal github.com/prometheus/client_golang/prometheus/promhttp # github.com/prometheus/client_model v0.2.0 github.com/prometheus/client_model/go # github.com/prometheus/common v0.13.0 -## explicit github.com/prometheus/common/expfmt github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg github.com/prometheus/common/model 
@@ -327,10 +282,7 @@ github.com/prometheus/common/model github.com/prometheus/procfs github.com/prometheus/procfs/internal/fs github.com/prometheus/procfs/internal/util -# github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5 -## explicit # github.com/rivo/tview v0.0.0-20200712113419-c65badfc3d92 -## explicit github.com/rivo/tview # github.com/rivo/uniseg v0.1.0 github.com/rivo/uniseg @@ -338,22 +290,19 @@ github.com/rivo/uniseg github.com/russross/blackfriday/v2 # github.com/shurcooL/sanitized_anchor_name v1.0.0 github.com/shurcooL/sanitized_anchor_name -# github.com/stretchr/testify v1.6.0 -## explicit +# github.com/stretchr/testify v1.6.1 github.com/stretchr/testify/assert github.com/stretchr/testify/require # github.com/urfave/cli/v2 v2.2.0 -## explicit github.com/urfave/cli/v2 github.com/urfave/cli/v2/altsrc # github.com/xo/dburl v0.0.0-20191005012637-293c3298d6c0 -## explicit github.com/xo/dburl # golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a -## explicit golang.org/x/crypto/blake2b golang.org/x/crypto/blowfish golang.org/x/crypto/chacha20 +golang.org/x/crypto/chacha20poly1305 golang.org/x/crypto/curve25519 golang.org/x/crypto/ed25519 golang.org/x/crypto/ed25519/internal/edwards25519 @@ -368,7 +317,6 @@ golang.org/x/crypto/ssh golang.org/x/crypto/ssh/internal/bcrypt_pbkdf golang.org/x/crypto/ssh/terminal # golang.org/x/net v0.0.0-20200904194848-62affa334b73 -## explicit golang.org/x/net/bpf golang.org/x/net/context golang.org/x/net/context/ctxhttp @@ -386,14 +334,11 @@ golang.org/x/net/proxy golang.org/x/net/trace golang.org/x/net/websocket # golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43 -## explicit golang.org/x/oauth2 golang.org/x/oauth2/internal # golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 -## explicit golang.org/x/sync/errgroup # golang.org/x/sys v0.0.0-20200909081042-eff7692f9009 -## explicit golang.org/x/sys/cpu golang.org/x/sys/internal/unsafeheader golang.org/x/sys/unix 
@@ -418,10 +363,8 @@ google.golang.org/appengine/internal/remote_api google.golang.org/appengine/internal/urlfetch google.golang.org/appengine/urlfetch # google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d -## explicit google.golang.org/genproto/googleapis/rpc/status # google.golang.org/grpc v1.32.0 -## explicit google.golang.org/grpc google.golang.org/grpc/attributes google.golang.org/grpc/backoff @@ -492,24 +435,17 @@ google.golang.org/protobuf/runtime/protoimpl google.golang.org/protobuf/types/known/anypb google.golang.org/protobuf/types/known/durationpb google.golang.org/protobuf/types/known/timestamppb -# gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f -## explicit # gopkg.in/coreos/go-oidc.v2 v2.1.0 -## explicit gopkg.in/coreos/go-oidc.v2 # gopkg.in/square/go-jose.v2 v2.4.0 -## explicit gopkg.in/square/go-jose.v2 gopkg.in/square/go-jose.v2/cipher gopkg.in/square/go-jose.v2/json # gopkg.in/yaml.v2 v2.3.0 -## explicit gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 -## explicit gopkg.in/yaml.v3 # zombiezen.com/go/capnproto2 v2.18.0+incompatible -## explicit zombiezen.com/go/capnproto2 zombiezen.com/go/capnproto2/encoding/text zombiezen.com/go/capnproto2/internal/fulfiller