8 files changed, 1234 insertions, 0 deletions
diff --git a/lib/liboqs/src/common/aes/Makefile b/lib/liboqs/src/common/aes/Makefile
new file mode 100644
index 000000000..fe090f3ff
--- /dev/null
+++ b/lib/liboqs/src/common/aes/Makefile
@@ -0,0 +1,49 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+USE_GCOV =
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+WARNING_CFLAGS = $(NULL)
+
diff --git a/lib/liboqs/src/common/aes/aes.c b/lib/liboqs/src/common/aes/aes.c
new file mode 100644
index 000000000..1fef083a7
--- /dev/null
+++ b/lib/liboqs/src/common/aes/aes.c
@@ -0,0 +1,137 @@
+// SPDX-License-Identifier: MIT
+
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <oqs/common.h>
+
+#include "aes.h"
+#include "aes_local.h"
+
+#if defined(OQS_DIST_X86_64_BUILD)
+#define C_OR_NI_OR_ARM(stmt_c, stmt_ni, stmt_arm) \
+   do { \
+      if (OQS_CPU_has_extension(OQS_CPU_EXT_AES)) { \
+          stmt_ni; \
+      } else { \
+          stmt_c; \
+      } \
+   } while(0)
+#elif defined(OQS_DIST_ARM64_V8_BUILD)
+#define C_OR_NI_OR_ARM(stmt_c, stmt_ni, stmt_arm) \
+    do { \
+        if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_AES)) {  \
+            stmt_arm; \
+        } else { \
+            stmt_c; \
+        } \
+    } while(0)
+#elif defined(OQS_USE_AES_INSTRUCTIONS)
+#define C_OR_NI_OR_ARM(stmt_c, stmt_ni, stmt_arm) \
+    stmt_ni
+#elif defined(OQS_USE_ARM_AES_INSTRUCTIONS)
+#define C_OR_NI_OR_ARM(stmt_c, stmt_ni, stmt_arm) \
+    stmt_arm
+#else
+#define C_OR_NI_OR_ARM(stmt_c, stmt_ni, stmt_arm) \
+    stmt_c
+#endif
+
+void OQS_AES128_ECB_load_schedule(const uint8_t *key, void **_schedule) {
+	C_OR_NI_OR_ARM(
+	    oqs_aes128_load_schedule_c(key, _schedule),
+	    oqs_aes128_load_schedule_ni(key, _schedule),
+	    oqs_aes128_load_schedule_no_bitslice(key, _schedule)
+	);
+}
+
+void OQS_AES128_free_schedule(void *schedule) {
+	C_OR_NI_OR_ARM(
+	    oqs_aes128_free_schedule_c(schedule),
+	    oqs_aes128_free_schedule_ni(schedule),
+	    oqs_aes128_free_schedule_no_bitslice(schedule)
+	);
+}
+
+void OQS_AES256_ECB_load_schedule(const uint8_t *key, void **_schedule) {
+	C_OR_NI_OR_ARM(
+	    oqs_aes256_load_schedule_c(key, _schedule),
+	    oqs_aes256_load_schedule_ni(key, _schedule),
+	    oqs_aes256_load_schedule_no_bitslice(key, _schedule)
+	);
+}
+
+void OQS_AES256_CTR_inc_init(const uint8_t *key, void **_schedule) {
+	OQS_AES256_ECB_load_schedule(key, _schedule);
+}
+
+void OQS_AES256_CTR_inc_iv(const uint8_t *iv, size_t iv_len, void *_schedule) {
+	C_OR_NI_OR_ARM(
+	    oqs_aes256_load_iv_c(iv, iv_len, _schedule),
+	    oqs_aes256_load_iv_ni(iv, iv_len, _schedule),
+	    oqs_aes256_load_iv_armv8(iv, iv_len, _schedule)
+	);
+}
+
+void OQS_AES256_CTR_inc_ivu64(uint64_t iv, void *_schedule) {
+	C_OR_NI_OR_ARM(
+	    oqs_aes256_load_iv_u64_c(iv, _schedule),
+	    oqs_aes256_load_iv_u64_ni(iv, _schedule),
+	    (void) iv; (void) _schedule
+	);
+}
+
+void OQS_AES256_free_schedule(void *schedule) {
+	C_OR_NI_OR_ARM(
+	    oqs_aes256_free_schedule_c(schedule),
+	    oqs_aes256_free_schedule_ni(schedule),
+	    oqs_aes256_free_schedule_no_bitslice(schedule)
+	);
+}
+
+void OQS_AES128_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
+	void *schedule = NULL;
+	OQS_AES128_ECB_load_schedule(key, &schedule);
+	OQS_AES128_ECB_enc_sch(plaintext, plaintext_len, schedule, ciphertext);
+	OQS_AES128_free_schedule(schedule);
+}
+
+void OQS_AES128_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
+	C_OR_NI_OR_ARM(
+	    oqs_aes128_ecb_enc_sch_c(plaintext, plaintext_len, schedule, ciphertext),
+	    oqs_aes128_ecb_enc_sch_ni(plaintext, plaintext_len, schedule, ciphertext),
+	    oqs_aes128_ecb_enc_sch_armv8(plaintext, plaintext_len, schedule, ciphertext)
+	);
+}
+
+void OQS_AES256_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
+	void *schedule = NULL;
+	OQS_AES256_ECB_load_schedule(key, &schedule);
+	OQS_AES256_ECB_enc_sch(plaintext, plaintext_len, schedule, ciphertext);
+	OQS_AES256_free_schedule(schedule);
+}
+
+void OQS_AES256_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
+	C_OR_NI_OR_ARM(
+	    oqs_aes256_ecb_enc_sch_c(plaintext, plaintext_len, schedule, ciphertext),
+	    oqs_aes256_ecb_enc_sch_ni(plaintext, plaintext_len, schedule, ciphertext),
+	    oqs_aes256_ecb_enc_sch_armv8(plaintext, plaintext_len, schedule, ciphertext)
+	);
+}
+
+void OQS_AES256_CTR_inc_stream_iv(const uint8_t *iv, const size_t iv_len, const void *schedule, uint8_t *out, size_t out_len) {
+	C_OR_NI_OR_ARM(
+	    oqs_aes256_ctr_enc_sch_c(iv, iv_len, schedule, out, out_len),
+	    oqs_aes256_ctr_enc_sch_ni(iv, iv_len, schedule, out, out_len),
+	    oqs_aes256_ctr_enc_sch_armv8(iv, iv_len, schedule, out, out_len)
+	);
+}
+
+void OQS_AES256_CTR_inc_stream_blks(void *schedule, uint8_t *out, size_t out_blks) {
+	C_OR_NI_OR_ARM(
+	    oqs_aes256_ctr_enc_sch_upd_blks_c(schedule, out, out_blks),
+	    oqs_aes256_ctr_enc_sch_upd_blks_ni(schedule, out, out_blks),
+	    oqs_aes256_ctr_enc_sch_upd_blks_armv8(schedule, out, out_blks)
+	);
+}
diff --git a/lib/liboqs/src/common/aes/aes.gyp b/lib/liboqs/src/common/aes/aes.gyp
new file mode 100644
index 000000000..851c954be
--- /dev/null
+++ b/lib/liboqs/src/common/aes/aes.gyp
@@ -0,0 +1,40 @@
+# DO NOT EDIT: generated from  subdir.gyp.template
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../../../../coreconf/config.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'oqs_src_common_aes',
+      'type': 'static_library',
+      'sources': [
+            'aes.c',
+            'aes_c.c',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports'
+      ]
+    }
+  ],
+  'target_defaults': {
+    'defines': [
+    ],
+    'include_dirs': [
+      '<(DEPTH)/lib/liboqs/src/common/pqclean_shims',
+      '<(DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits',
+    ],
+    [ 'OS=="mac"', {
+        'defines': [
+            'OQS_HAVE_POSIX_MEMALIGN',
+            'OQS_HAVE_ALIGNED_ALLOC',
+            'OQS_HAVE_MEMALIGN'
+        ]
+    }]
+  },
+  'variables': {
+    'module': 'oqs'
+  }
+}
diff --git a/lib/liboqs/src/common/aes/aes.h b/lib/liboqs/src/common/aes/aes.h
new file mode 100644
index 000000000..ce0cb3616
--- /dev/null
+++ b/lib/liboqs/src/common/aes/aes.h
@@ -0,0 +1,151 @@
+/**
+ * \file aes.h
+ * \brief Header defining the API for OQS AES
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef OQS_AES_H
+#define OQS_AES_H
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+/**
+ * Function to fill a key schedule given an initial key for use in ECB mode.
+ *
+ * @param key            Initial Key.
+ * @param ctx            Abstract data structure for a key schedule.
+ */
+void OQS_AES128_ECB_load_schedule(const uint8_t *key, void **ctx);
+
+/**
+ * Function to free a key schedule.
+ *
+ * @param ctx            Context generated with OQS_AES128_ECB_load_schedule().
+ */
+void OQS_AES128_free_schedule(void *ctx);
+
+/**
+ * Function to encrypt blocks of plaintext using ECB mode.
+ * A schedule based on the key is generated and used internally.
+ *
+ * @param plaintext     Plaintext to be encrypted.
+ * @param plaintext_len Length on the plaintext in bytes. Must be a multiple of 16.
+ * @param key           Key to be used for encryption.
+ * @param ciphertext    Pointer to a block of memory which >= in size to the plaintext block. The result will be written here.
+ * @warning plaintext_len must be a multiple of 16.
+ */
+void OQS_AES128_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
+
+/**
+ * Same as OQS_AES128_ECB_enc() except a schedule generated by
+ * OQS_AES128_ECB_load_schedule() is passed rather then a key. This is faster
+ * if the same schedule is used for multiple encryptions since it does
+ * not have to be regenerated from the key.
+ */
+void OQS_AES128_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+
+/**
+ * Function to fill a key schedule given an initial key for use in ECB mode encryption.
+ *
+ * @param key            Initial Key.
+ * @param ctx            Abstract data structure for a key schedule.
+ */
+void OQS_AES256_ECB_load_schedule(const uint8_t *key, void **ctx);
+
+/**
+ * Function to initialize a context and fill a key schedule given an initial key for
+ * use in CTR mode.
+ *
+ * @param key            Initial Key.
+ * @param ctx            Abstract data structure for a key schedule.
+ */
+void OQS_AES256_CTR_inc_init(const uint8_t *key, void **ctx);
+
+/**
+ * Function to fill a context given an IV for use in CTR mode.
+ *
+ * Handles a 12- or 16-byte IV.  If a 12-byte IV is given, then 4 counter
+ * bytes are initialized to all zeros.
+ *
+ * @param iv             Initialization Vector.
+ * @param iv_len         Length of the initialization vector.
+ * @param ctx            Abstract data structure for IV.
+ */
+void OQS_AES256_CTR_inc_iv(const uint8_t *iv, size_t iv_len, void *ctx);
+
+/**
+ * Function to fill a context given an IV for use in CTR mode.
+ * Handles an 8-byte IV passed as a 64-bit unsigned integer,
+ * counter bytes are initialized to zero.
+ *
+ * @param iv             Initialization Vector as 64-bit integer.
+ * @param ctx            Abstract data structure for IV.
+ */
+void OQS_AES256_CTR_inc_ivu64(uint64_t iv, void *ctx);
+
+/**
+ * Function to free a key schedule.
+ *
+ * @param ctx            Schedule generated with OQS_AES256_ECB_load_schedule
+ *                       or OQS_AES256_CTR_inc_init.
+ */
+void OQS_AES256_free_schedule(void *ctx);
+
+/**
+ * Function to encrypt blocks of plaintext using ECB mode.
+ * A schedule based on the key is generated and used internally.
+ *
+ * @param plaintext     Plaintext to be encrypted.
+ * @param plaintext_len Length on the plaintext in bytes. Must be a multiple of 16.
+ * @param key           Key to be used for encryption.
+ * @param ciphertext    Pointer to a block of memory which >= in size to the plaintext block. The result will be written here.
+ * @warning plaintext_len must be a multiple of 16.
+ */
+void OQS_AES256_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
+
+/**
+ * Same as OQS_AES256_ECB_enc() except a schedule generated by
+ * OQS_AES256_ECB_load_schedule() is passed rather then a key. This is faster
+ * if the same schedule is used for multiple encryptions since it does
+ * not have to be regenerated from the key.
+ */
+void OQS_AES256_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+
+/**
+ * AES counter mode keystream generator.  A context generated by
+ * OQS_AES256_CTR_inc_init() is passed rather then a key.
+ *
+ * Handles a 12- or 16-byte IV.  If a 12-byte IV is given, then 4 counter
+ * bytes are initialized to all zeros.
+ *
+ * @param iv       12- or 16-byte initialization vector.
+ * @param iv_len   Lengh of IV in bytes.
+ * @param ctx      Abstract data structure for a key schedule.
+ * @param out      Pointer to a block of memory which is big enough to contain out_len bytes; the result will be written here.
+ * @param out_len  Length of output bytes to generate.
+ */
+void OQS_AES256_CTR_inc_stream_iv(const uint8_t *iv, size_t iv_len, const void *ctx, uint8_t *out, size_t out_len);
+
+/**
+ * AES counter mode keystream generator. A context generated by
+ * OQS_AES256_CTR_inc_init() and OQS_AES256_CTR_inc_iv() is passed
+ * rather than a key and an IV. The counter is internally updated, which allows
+ * the function to be called multiple times.
+ *
+ * @param ctx         Abstract data structure for key schedule and IV.
+ * @param out         Pointer to a block of memory which is big enough to contain out_blks*16 bytes; the result will be written here.
+ * @param out_blks    Length of output blocks to generate, where one block is 16 bytes.
+ */
+void OQS_AES256_CTR_inc_stream_blks(void *ctx, uint8_t *out, size_t out_blks);
+
+#if defined(__cplusplus)
+} // extern "C"
+#endif
+
+#endif // OQS_AES_H
diff --git a/lib/liboqs/src/common/aes/aes_c.c b/lib/liboqs/src/common/aes/aes_c.c
new file mode 100644
index 000000000..e55869024
--- /dev/null
+++ b/lib/liboqs/src/common/aes/aes_c.c
@@ -0,0 +1,774 @@
+// SPDX-License-Identifier: MIT
+/* Adapted for OQS from PQClean. */
+/*
+ * AES implementation based on code from BearSSL (https://bearssl.org/)
+ * by Thomas Pornin.
+ *
+ *
+ * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include <assert.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "aes.h"
+#include <oqs/common.h>
+
+#define AES128_KEYBYTES 16
+#define AES256_KEYBYTES 32
+#define AESCTR_NONCEBYTES 12
+#define AES_BLOCKBYTES 16
+
+#define PQC_AES128_STATESIZE 88
+typedef struct {
+	uint64_t sk_exp[PQC_AES128_STATESIZE];
+	uint8_t iv[AES_BLOCKBYTES];
+} aes128ctx;
+
+#define PQC_AES256_STATESIZE 120
+typedef struct {
+	uint64_t sk_exp[PQC_AES256_STATESIZE];
+	uint8_t iv[AES_BLOCKBYTES];
+} aes256ctx;
+
+typedef struct {
+	uint32_t sk_exp[60];
+	uint8_t iv[16];
+} aes256ctx_nobitslice;
+
+static inline uint32_t br_dec32le(const unsigned char *src) {
+	return (uint32_t)src[0]
+	       | ((uint32_t)src[1] << 8)
+	       | ((uint32_t)src[2] << 16)
+	       | ((uint32_t)src[3] << 24);
+}
+
+
+static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) {
+	while (num-- > 0) {
+		*v ++ = br_dec32le(src);
+		src += 4;
+	}
+}
+
+
+static inline uint32_t br_swap32(uint32_t x) {
+	x = ((x & (uint32_t)0x00FF00FF) << 8)
+	    | ((x >> 8) & (uint32_t)0x00FF00FF);
+	return (x << 16) | (x >> 16);
+}
+
+
+static inline void br_enc32le(unsigned char *dst, uint32_t x) {
+	dst[0] = (unsigned char)x;
+	dst[1] = (unsigned char)(x >> 8);
+	dst[2] = (unsigned char)(x >> 16);
+	dst[3] = (unsigned char)(x >> 24);
+}
+
+static inline void br_enc32be(unsigned char *dst, uint32_t x) {
+	dst[0] = (unsigned char)(x >> 24);
+	dst[1] = (unsigned char)(x >> 16);
+	dst[2] = (unsigned char)(x >>  8);
+	dst[3] = (unsigned char)x;
+}
+
+static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) {
+	while (num-- > 0) {
+		br_enc32le(dst, *v ++);
+		dst += 4;
+	}
+}
+
+
+static void br_aes_ct64_bitslice_Sbox(uint64_t *q) {
+	/*
+	 * This S-box implementation is a straightforward translation of
+	 * the circuit described by Boyar and Peralta in "A new
+	 * combinational logic minimization technique with applications
+	 * to cryptology" (https://eprint.iacr.org/2009/191.pdf).
+	 *
+	 * Note that variables x* (input) and s* (output) are numbered
+	 * in "reverse" order (x0 is the high bit, x7 is the low bit).
+	 */
+
+	uint64_t x0, x1, x2, x3, x4, x5, x6, x7;
+	uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9;
+	uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19;
+	uint64_t y20, y21;
+	uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9;
+	uint64_t z10, z11, z12, z13, z14, z15, z16, z17;
+	uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9;
+	uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19;
+	uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29;
+	uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39;
+	uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49;
+	uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59;
+	uint64_t t60, t61, t62, t63, t64, t65, t66, t67;
+	uint64_t s0, s1, s2, s3, s4, s5, s6, s7;
+
+	x0 = q[7];
+	x1 = q[6];
+	x2 = q[5];
+	x3 = q[4];
+	x4 = q[3];
+	x5 = q[2];
+	x6 = q[1];
+	x7 = q[0];
+
+	/*
+	 * Top linear transformation.
+	 */
+	y14 = x3 ^ x5;
+	y13 = x0 ^ x6;
+	y9 = x0 ^ x3;
+	y8 = x0 ^ x5;
+	t0 = x1 ^ x2;
+	y1 = t0 ^ x7;
+	y4 = y1 ^ x3;
+	y12 = y13 ^ y14;
+	y2 = y1 ^ x0;
+	y5 = y1 ^ x6;
+	y3 = y5 ^ y8;
+	t1 = x4 ^ y12;
+	y15 = t1 ^ x5;
+	y20 = t1 ^ x1;
+	y6 = y15 ^ x7;
+	y10 = y15 ^ t0;
+	y11 = y20 ^ y9;
+	y7 = x7 ^ y11;
+	y17 = y10 ^ y11;
+	y19 = y10 ^ y8;
+	y16 = t0 ^ y11;
+	y21 = y13 ^ y16;
+	y18 = x0 ^ y16;
+
+	/*
+	 * Non-linear section.
+	 */
+	t2 = y12 & y15;
+	t3 = y3 & y6;
+	t4 = t3 ^ t2;
+	t5 = y4 & x7;
+	t6 = t5 ^ t2;
+	t7 = y13 & y16;
+	t8 = y5 & y1;
+	t9 = t8 ^ t7;
+	t10 = y2 & y7;
+	t11 = t10 ^ t7;
+	t12 = y9 & y11;
+	t13 = y14 & y17;
+	t14 = t13 ^ t12;
+	t15 = y8 & y10;
+	t16 = t15 ^ t12;
+	t17 = t4 ^ t14;
+	t18 = t6 ^ t16;
+	t19 = t9 ^ t14;
+	t20 = t11 ^ t16;
+	t21 = t17 ^ y20;
+	t22 = t18 ^ y19;
+	t23 = t19 ^ y21;
+	t24 = t20 ^ y18;
+
+	t25 = t21 ^ t22;
+	t26 = t21 & t23;
+	t27 = t24 ^ t26;
+	t28 = t25 & t27;
+	t29 = t28 ^ t22;
+	t30 = t23 ^ t24;
+	t31 = t22 ^ t26;
+	t32 = t31 & t30;
+	t33 = t32 ^ t24;
+	t34 = t23 ^ t33;
+	t35 = t27 ^ t33;
+	t36 = t24 & t35;
+	t37 = t36 ^ t34;
+	t38 = t27 ^ t36;
+	t39 = t29 & t38;
+	t40 = t25 ^ t39;
+
+	t41 = t40 ^ t37;
+	t42 = t29 ^ t33;
+	t43 = t29 ^ t40;
+	t44 = t33 ^ t37;
+	t45 = t42 ^ t41;
+	z0 = t44 & y15;
+	z1 = t37 & y6;
+	z2 = t33 & x7;
+	z3 = t43 & y16;
+	z4 = t40 & y1;
+	z5 = t29 & y7;
+	z6 = t42 & y11;
+	z7 = t45 & y17;
+	z8 = t41 & y10;
+	z9 = t44 & y12;
+	z10 = t37 & y3;
+	z11 = t33 & y4;
+	z12 = t43 & y13;
+	z13 = t40 & y5;
+	z14 = t29 & y2;
+	z15 = t42 & y9;
+	z16 = t45 & y14;
+	z17 = t41 & y8;
+
+	/*
+	 * Bottom linear transformation.
+	 */
+	t46 = z15 ^ z16;
+	t47 = z10 ^ z11;
+	t48 = z5 ^ z13;
+	t49 = z9 ^ z10;
+	t50 = z2 ^ z12;
+	t51 = z2 ^ z5;
+	t52 = z7 ^ z8;
+	t53 = z0 ^ z3;
+	t54 = z6 ^ z7;
+	t55 = z16 ^ z17;
+	t56 = z12 ^ t48;
+	t57 = t50 ^ t53;
+	t58 = z4 ^ t46;
+	t59 = z3 ^ t54;
+	t60 = t46 ^ t57;
+	t61 = z14 ^ t57;
+	t62 = t52 ^ t58;
+	t63 = t49 ^ t58;
+	t64 = z4 ^ t59;
+	t65 = t61 ^ t62;
+	t66 = z1 ^ t63;
+	s0 = t59 ^ t63;
+	s6 = t56 ^ ~t62;
+	s7 = t48 ^ ~t60;
+	t67 = t64 ^ t65;
+	s3 = t53 ^ t66;
+	s4 = t51 ^ t66;
+	s5 = t47 ^ t65;
+	s1 = t64 ^ ~s3;
+	s2 = t55 ^ ~t67;
+
+	q[7] = s0;
+	q[6] = s1;
+	q[5] = s2;
+	q[4] = s3;
+	q[3] = s4;
+	q[2] = s5;
+	q[1] = s6;
+	q[0] = s7;
+}
+
+static void br_aes_ct64_ortho(uint64_t *q) {
+#define SWAPN(cl, ch, s, x, y)   do { \
+        uint64_t a, b; \
+        a = (x); \
+        b = (y); \
+        (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \
+        (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \
+    } while (0)
+
+#define SWAP2(x, y)    SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA,  1, x, y)
+#define SWAP4(x, y)    SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC,  2, x, y)
+#define SWAP8(x, y)    SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0,  4, x, y)
+
+	SWAP2(q[0], q[1]);
+	SWAP2(q[2], q[3]);
+	SWAP2(q[4], q[5]);
+	SWAP2(q[6], q[7]);
+
+	SWAP4(q[0], q[2]);
+	SWAP4(q[1], q[3]);
+	SWAP4(q[4], q[6]);
+	SWAP4(q[5], q[7]);
+
+	SWAP8(q[0], q[4]);
+	SWAP8(q[1], q[5]);
+	SWAP8(q[2], q[6]);
+	SWAP8(q[3], q[7]);
+}
+
+
+static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) {
+	uint64_t x0, x1, x2, x3;
+
+	x0 = w[0];
+	x1 = w[1];
+	x2 = w[2];
+	x3 = w[3];
+	x0 |= (x0 << 16);
+	x1 |= (x1 << 16);
+	x2 |= (x2 << 16);
+	x3 |= (x3 << 16);
+	x0 &= (uint64_t)0x0000FFFF0000FFFF;
+	x1 &= (uint64_t)0x0000FFFF0000FFFF;
+	x2 &= (uint64_t)0x0000FFFF0000FFFF;
+	x3 &= (uint64_t)0x0000FFFF0000FFFF;
+	x0 |= (x0 << 8);
+	x1 |= (x1 << 8);
+	x2 |= (x2 << 8);
+	x3 |= (x3 << 8);
+	x0 &= (uint64_t)0x00FF00FF00FF00FF;
+	x1 &= (uint64_t)0x00FF00FF00FF00FF;
+	x2 &= (uint64_t)0x00FF00FF00FF00FF;
+	x3 &= (uint64_t)0x00FF00FF00FF00FF;
+	*q0 = x0 | (x2 << 8);
+	*q1 = x1 | (x3 << 8);
+}
+
+
+static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) {
+	uint64_t x0, x1, x2, x3;
+
+	x0 = q0 & (uint64_t)0x00FF00FF00FF00FF;
+	x1 = q1 & (uint64_t)0x00FF00FF00FF00FF;
+	x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
+	x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
+	x0 |= (x0 >> 8);
+	x1 |= (x1 >> 8);
+	x2 |= (x2 >> 8);
+	x3 |= (x3 >> 8);
+	x0 &= (uint64_t)0x0000FFFF0000FFFF;
+	x1 &= (uint64_t)0x0000FFFF0000FFFF;
+	x2 &= (uint64_t)0x0000FFFF0000FFFF;
+	x3 &= (uint64_t)0x0000FFFF0000FFFF;
+	w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16);
+	w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16);
+	w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16);
+	w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16);
+}
+
+static const unsigned char Rcon[] = {
+	0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36
+};
+
+static uint32_t sub_word(uint32_t x) {
+	uint64_t q[8];
+
+	memset(q, 0, sizeof q);
+	q[0] = x;
+	br_aes_ct64_ortho(q);
+	br_aes_ct64_bitslice_Sbox(q);
+	br_aes_ct64_ortho(q);
+	return (uint32_t)q[0];
+}
+
+static void br_aes_ct64_keysched(uint64_t *comp_skey, const unsigned char *key, unsigned int key_len) {
+	unsigned int i, j, k, nk, nkf;
+	uint32_t tmp;
+	uint32_t skey[60];
+	unsigned nrounds = 10 + ((key_len - 16) >> 2);
+
+	nk = (key_len >> 2);
+	nkf = ((nrounds + 1) << 2);
+	br_range_dec32le(skey, (key_len >> 2), key);
+	tmp = skey[(key_len >> 2) - 1];
+	for (i = nk, j = 0, k = 0; i < nkf; i ++) {
+		if (j == 0) {
+			tmp = (tmp << 24) | (tmp >> 8);
+			tmp = sub_word(tmp) ^ Rcon[k];
+		} else if (nk > 6 && j == 4) {
+			tmp = sub_word(tmp);
+		}
+		tmp ^= skey[i - nk];
+		skey[i] = tmp;
+		if (++ j == nk) {
+			j = 0;
+			k ++;
+		}
+	}
+
+	for (i = 0, j = 0; i < nkf; i += 4, j += 2) {
+		uint64_t q[8];
+
+		br_aes_ct64_interleave_in(&q[0], &q[4], skey + i);
+		q[1] = q[0];
+		q[2] = q[0];
+		q[3] = q[0];
+		q[5] = q[4];
+		q[6] = q[4];
+		q[7] = q[4];
+		br_aes_ct64_ortho(q);
+		comp_skey[j + 0] =
+		    (q[0] & (uint64_t)0x1111111111111111)
+		    | (q[1] & (uint64_t)0x2222222222222222)
+		    | (q[2] & (uint64_t)0x4444444444444444)
+		    | (q[3] & (uint64_t)0x8888888888888888);
+		comp_skey[j + 1] =
+		    (q[4] & (uint64_t)0x1111111111111111)
+		    | (q[5] & (uint64_t)0x2222222222222222)
+		    | (q[6] & (uint64_t)0x4444444444444444)
+		    | (q[7] & (uint64_t)0x8888888888888888);
+	}
+}
+
+static void br_aes_ct64_skey_expand(uint64_t *skey, const uint64_t *comp_skey, unsigned int nrounds) {
+	unsigned u, v, n;
+
+	n = (nrounds + 1) << 1;
+	for (u = 0, v = 0; u < n; u ++, v += 4) {
+		uint64_t x0, x1, x2, x3;
+
+		x0 = x1 = x2 = x3 = comp_skey[u];
+		x0 &= (uint64_t)0x1111111111111111;
+		x1 &= (uint64_t)0x2222222222222222;
+		x2 &= (uint64_t)0x4444444444444444;
+		x3 &= (uint64_t)0x8888888888888888;
+		x1 >>= 1;
+		x2 >>= 2;
+		x3 >>= 3;
+		skey[v + 0] = (x0 << 4) - x0;
+		skey[v + 1] = (x1 << 4) - x1;
+		skey[v + 2] = (x2 << 4) - x2;
+		skey[v + 3] = (x3 << 4) - x3;
+	}
+}
+
+
+static inline void add_round_key(uint64_t *q, const uint64_t *sk) {
+	q[0] ^= sk[0];
+	q[1] ^= sk[1];
+	q[2] ^= sk[2];
+	q[3] ^= sk[3];
+	q[4] ^= sk[4];
+	q[5] ^= sk[5];
+	q[6] ^= sk[6];
+	q[7] ^= sk[7];
+}
+
+static inline void shift_rows(uint64_t *q) {
+	int i;
+
+	for (i = 0; i < 8; i ++) {
+		uint64_t x;
+
+		x = q[i];
+		q[i] = (x & (uint64_t)0x000000000000FFFF)
+		       | ((x & (uint64_t)0x00000000FFF00000) >> 4)
+		       | ((x & (uint64_t)0x00000000000F0000) << 12)
+		       | ((x & (uint64_t)0x0000FF0000000000) >> 8)
+		       | ((x & (uint64_t)0x000000FF00000000) << 8)
+		       | ((x & (uint64_t)0xF000000000000000) >> 12)
+		       | ((x & (uint64_t)0x0FFF000000000000) << 4);
+	}
+}
+
+static inline uint64_t rotr32(uint64_t x) {
+	return (x << 32) | (x >> 32);
+}
+
+static inline void mix_columns(uint64_t *q) {
+	uint64_t q0, q1, q2, q3, q4, q5, q6, q7;
+	uint64_t r0, r1, r2, r3, r4, r5, r6, r7;
+
+	q0 = q[0];
+	q1 = q[1];
+	q2 = q[2];
+	q3 = q[3];
+	q4 = q[4];
+	q5 = q[5];
+	q6 = q[6];
+	q7 = q[7];
+	r0 = (q0 >> 16) | (q0 << 48);
+	r1 = (q1 >> 16) | (q1 << 48);
+	r2 = (q2 >> 16) | (q2 << 48);
+	r3 = (q3 >> 16) | (q3 << 48);
+	r4 = (q4 >> 16) | (q4 << 48);
+	r5 = (q5 >> 16) | (q5 << 48);
+	r6 = (q6 >> 16) | (q6 << 48);
+	r7 = (q7 >> 16) | (q7 << 48);
+
+	q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0);
+	q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1);
+	q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2);
+	q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3);
+	q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4);
+	q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5);
+	q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6);
+	q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7);
+}
+
+
+static void inc4_be(uint32_t *x) {
+	uint32_t t = br_swap32(*x) + 4;
+	*x = br_swap32(t);
+}
+
+
+static void aes_ecb4x(unsigned char out[64], const uint32_t ivw[16], const uint64_t *sk_exp, unsigned int nrounds) {
+	uint32_t w[16];
+	uint64_t q[8];
+	unsigned int i;
+
+	memcpy(w, ivw, sizeof(w));
+	for (i = 0; i < 4; i++) {
+		br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2));
+	}
+	br_aes_ct64_ortho(q);
+
+
+	add_round_key(q, sk_exp);
+	for (i = 1; i < nrounds; i++) {
+		br_aes_ct64_bitslice_Sbox(q);
+		shift_rows(q);
+		mix_columns(q);
+		add_round_key(q, sk_exp + (i << 3));
+	}
+	br_aes_ct64_bitslice_Sbox(q);
+	shift_rows(q);
+	add_round_key(q, sk_exp + 8 * nrounds);
+
+	br_aes_ct64_ortho(q);
+	for (i = 0; i < 4; i ++) {
+		br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]);
+	}
+	br_range_enc32le(out, w, 16);
+}
+
+
+static void aes_ctr4x(unsigned char out[64], uint32_t ivw[16], const uint64_t *sk_exp, unsigned int nrounds) {
+	aes_ecb4x(out, ivw, sk_exp, nrounds);
+
+	/* Increase counter for next 4 blocks */
+	inc4_be(ivw + 3);
+	inc4_be(ivw + 7);
+	inc4_be(ivw + 11);
+	inc4_be(ivw + 15);
+}
+
+
+static void aes_ecb(unsigned char *out, const unsigned char *in, size_t nblocks, const uint64_t *rkeys, unsigned int nrounds) {
+	uint32_t blocks[16];
+	unsigned char t[64];
+
+	while (nblocks >= 4) {
+		br_range_dec32le(blocks, 16, in);
+		aes_ecb4x(out, blocks, rkeys, nrounds);
+		nblocks -= 4;
+		in += 64;
+		out += 64;
+	}
+
+	if (nblocks) {
+		br_range_dec32le(blocks, nblocks * 4, in);
+		aes_ecb4x(t, blocks, rkeys, nrounds);
+		memcpy(out, t, nblocks * 16);
+	}
+}
+
+static inline void aes256_ctr_upd_blks(unsigned char *out, size_t outblks, aes256ctx *ctx) {
+	uint32_t ivw[16];
+	size_t i;
+	uint32_t cc;
+	uint8_t *iv = ctx->iv;
+	uint32_t blocks = (uint32_t) outblks;
+	unsigned int nrounds = 14;
+
+	br_range_dec32le(ivw, 4, iv);
+
+	memcpy(ivw +  4, ivw, 3 * sizeof(uint32_t));
+	memcpy(ivw +  8, ivw, 3 * sizeof(uint32_t));
+	memcpy(ivw + 12, ivw, 3 * sizeof(uint32_t));
+	cc = br_swap32(ivw[3]);
+	ivw[ 7] = br_swap32(cc + 1);
+	ivw[11] = br_swap32(cc + 2);
+	ivw[15] = br_swap32(cc + 3);
+
+	while (outblks >= 4) {
+		aes_ctr4x(out, ivw, ctx->sk_exp, nrounds);
+		out += 64;
+		outblks -= 4;
+	}
+	if (outblks > 0) {
+		unsigned char tmp[64];
+		aes_ctr4x(tmp, ivw, ctx->sk_exp, nrounds);
+		for (i = 0; i < outblks * 16; i++) {
+			out[i] = tmp[i];
+		}
+	}
+	br_enc32be(&ctx->iv[12], cc + blocks);
+}
+
+static void aes_ctr(unsigned char *out, size_t outlen, const unsigned char *iv, const size_t iv_len, const uint64_t *rkeys, unsigned int nrounds) {
+	uint32_t ivw[16];
+	size_t i;
+	uint32_t cc;
+
+	if (iv_len == 12) {
+		br_range_dec32le(ivw, 3, iv);
+		ivw[3] = 0;
+	} else if (iv_len == 16) {
+		br_range_dec32le(ivw, 4, iv);
+	} else {
+		exit(EXIT_FAILURE);
+	}
+	memcpy(ivw +  4, ivw, 3 * sizeof(uint32_t));
+	memcpy(ivw +  8, ivw, 3 * sizeof(uint32_t));
+	memcpy(ivw + 12, ivw, 3 * sizeof(uint32_t));
+	cc = br_swap32(ivw[3]);
+	ivw[ 7] = br_swap32(cc + 1);
+	ivw[11] = br_swap32(cc + 2);
+	ivw[15] = br_swap32(cc + 3);
+
+	while (outlen >= 64) {
+		aes_ctr4x(out, ivw, rkeys, nrounds);
+		out += 64;
+		outlen -= 64;
+	}
+	if (outlen > 0) {
+		unsigned char tmp[64];
+		aes_ctr4x(tmp, ivw, rkeys, nrounds);
+		for (i = 0; i < outlen; i++) {
+			out[i] = tmp[i];
+		}
+	}
+}
+
+void oqs_aes128_load_schedule_c(const uint8_t *key, void **_schedule) {
+	*_schedule = malloc(sizeof(aes128ctx));
+	OQS_EXIT_IF_NULLPTR(*_schedule);
+	aes128ctx *ctx = (aes128ctx *) *_schedule;
+	uint64_t skey[22];
+	br_aes_ct64_keysched(skey, key, 16);
+	br_aes_ct64_skey_expand(ctx->sk_exp, skey, 10);
+}
+
+void oqs_aes256_load_schedule_c(const uint8_t *key, void **_schedule) {
+	*_schedule = malloc(sizeof(aes256ctx));
+	OQS_EXIT_IF_NULLPTR(*_schedule);
+	aes256ctx *ctx = (aes256ctx *) *_schedule;
+	uint64_t skey[30];
+	br_aes_ct64_keysched(skey, key, 32);
+	br_aes_ct64_skey_expand(ctx->sk_exp, skey, 14);
+}
+
+static void aes_keysched_no_bitslice(uint32_t *skey, const unsigned char *key, unsigned int key_len) {
+	unsigned int i, j, k, nk, nkf;
+	uint32_t tmp;
+	unsigned nrounds = 10 + ((key_len - 16) >> 2);
+
+	nk = (key_len >> 2);
+	nkf = ((nrounds + 1) << 2);
+	br_range_dec32le(skey, (key_len >> 2), key);
+	tmp = skey[(key_len >> 2) - 1];
+	for (i = nk, j = 0, k = 0; i < nkf; i ++) {
+		if (j == 0) {
+			tmp = (tmp << 24) | (tmp >> 8);
+			tmp = sub_word(tmp) ^ Rcon[k];
+		} else if (nk > 6 && j == 4) {
+			tmp = sub_word(tmp);
+		}
+		tmp ^= skey[i - nk];
+		skey[i] = tmp;
+		if (++ j == nk) {
+			j = 0;
+			k ++;
+		}
+	}
+}
+
+void oqs_aes256_load_schedule_no_bitslice(const uint8_t *key, void **_schedule) {
+	*_schedule = malloc(sizeof(aes256ctx_nobitslice));
+	assert(*_schedule != NULL);
+	uint32_t *schedule = ((aes256ctx_nobitslice *) *_schedule)->sk_exp;
+	aes_keysched_no_bitslice(schedule, (const unsigned char *) key, 32);
+}
+
+void oqs_aes256_load_iv_c(const uint8_t *iv, size_t iv_len, void *_schedule) {
+	aes256ctx *ctx = _schedule;
+	if (iv_len == 12) {
+		memcpy(ctx->iv, iv, 12);
+		memset(&ctx->iv[12], 0, 4);
+	} else if (iv_len == 16) {
+		memcpy(ctx->iv, iv, 16);
+	} else {
+		exit(EXIT_FAILURE);
+	}
+}
+
+void oqs_aes256_load_iv_u64_c(uint64_t iv, void *schedule) {
+	OQS_EXIT_IF_NULLPTR(schedule);
+	aes256ctx *ctx = (aes256ctx *) schedule;
+	ctx->iv[7] = (unsigned char)(iv >> 56);
+	ctx->iv[6] = (unsigned char)(iv >> 48);
+	ctx->iv[5] = (unsigned char)(iv >> 40);
+	ctx->iv[4] = (unsigned char)(iv >> 32);
+	ctx->iv[3] = (unsigned char)(iv >> 24);
+	ctx->iv[2] = (unsigned char)(iv >> 16);
+	ctx->iv[1] = (unsigned char)(iv >>  8);
+	ctx->iv[0] = (unsigned char)iv;
+	memset(&ctx->iv[8], 0, 8);
+}
+
+void oqs_aes128_load_schedule_no_bitslice(const uint8_t *key, void **_schedule) {
+	*_schedule = malloc(44 * sizeof(int));
+	assert(*_schedule != NULL);
+	uint32_t *schedule = (uint32_t *) *_schedule;
+	aes_keysched_no_bitslice(schedule, (const unsigned char *) key, 16);
+}
+
+void oqs_aes128_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
+	assert(plaintext_len % 16 == 0);
+	const aes128ctx *ctx = (const aes128ctx *) schedule;
+	aes_ecb(ciphertext, plaintext, plaintext_len / 16, ctx->sk_exp, 10);
+}
+
+void oqs_aes256_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
+	assert(plaintext_len % 16 == 0);
+	const aes256ctx *ctx = (const aes256ctx *) schedule;
+	aes_ecb(ciphertext, plaintext, plaintext_len / 16, ctx->sk_exp, 14);
+}
+
+void oqs_aes256_ctr_enc_sch_c(const uint8_t *iv, const size_t iv_len, const void *schedule, uint8_t *out, size_t out_len) {
+	const aes256ctx *ctx = (const aes256ctx *) schedule;
+	aes_ctr(out, out_len, iv, iv_len, ctx->sk_exp, 14);
+}
+
+void oqs_aes256_ctr_enc_sch_upd_blks_c(void *schedule, uint8_t *out, size_t out_blks) {
+	aes256ctx *ctx = (aes256ctx *) schedule;
+	aes256_ctr_upd_blks(out, out_blks, ctx);
+}
+
+void oqs_aes128_free_schedule_c(void *schedule) {
+	if (schedule != NULL) {
+		aes128ctx *ctx = (aes128ctx *) schedule;
+		OQS_MEM_secure_free(ctx, sizeof(aes128ctx));
+	}
+}
+
+void oqs_aes256_free_schedule_c(void *schedule) {
+	if (schedule != NULL) {
+		aes256ctx *ctx = (aes256ctx *) schedule;
+		OQS_MEM_secure_free(ctx, sizeof(aes256ctx));
+	}
+}
+
+void oqs_aes256_free_schedule_no_bitslice(void *schedule) {
+	if (schedule != NULL) {
+		OQS_MEM_secure_free(schedule, sizeof(aes256ctx_nobitslice));
+	}
+}
+
+void oqs_aes128_free_schedule_no_bitslice(void *schedule) {
+	if (schedule != NULL) {
+		OQS_MEM_secure_free(schedule, 44 * sizeof(int));
+	}
+}
diff --git a/lib/liboqs/src/common/aes/aes_local.h b/lib/liboqs/src/common/aes/aes_local.h
new file mode 100644
index 000000000..eac879352
--- /dev/null
+++ b/lib/liboqs/src/common/aes/aes_local.h
@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: MIT
+
+#include <stdint.h>
+
+void oqs_aes128_load_schedule_ni(const uint8_t *key, void **_schedule);
+void oqs_aes128_free_schedule_ni(void *schedule);
+void oqs_aes128_enc_sch_block_ni(const uint8_t *plaintext, const void *_schedule, uint8_t *ciphertext);
+void oqs_aes128_ecb_enc_sch_ni(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+
+void oqs_aes128_load_schedule_c(const uint8_t *key, void **_schedule);
+void oqs_aes128_free_schedule_c(void *schedule);
+void oqs_aes128_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+
+void oqs_aes128_load_schedule_no_bitslice(const uint8_t *key, void **_schedule);
+void oqs_aes128_free_schedule_no_bitslice(void *schedule);
+void oqs_aes128_enc_sch_block_armv8(const uint8_t *plaintext, const void *_schedule, uint8_t *ciphertext);
+void oqs_aes128_ecb_enc_sch_armv8(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+
+void oqs_aes256_load_schedule_ni(const uint8_t *key, void **_schedule);
+void oqs_aes256_load_iv_ni(const uint8_t *iv, size_t iv_len, void *_schedule);
+void oqs_aes256_load_iv_u64_ni(uint64_t iv, void *_schedule);
+void oqs_aes256_free_schedule_ni(void *schedule);
+void oqs_aes256_enc_sch_block_ni(const uint8_t *plaintext, const void *_schedule, uint8_t *ciphertext);
+void oqs_aes256_ecb_enc_sch_ni(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+void oqs_aes256_ctr_enc_sch_ni(const uint8_t *iv, const size_t iv_len, const void *schedule, uint8_t *out, size_t out_len);
+void oqs_aes256_ctr_enc_sch_upd_blks_ni(void *schedule, uint8_t *out, size_t out_len);
+
+void oqs_aes256_load_schedule_c(const uint8_t *key, void **_schedule);
+void oqs_aes256_load_iv_c(const uint8_t *iv, size_t iv_len, void *_schedule);
+void oqs_aes256_load_iv_u64_c(uint64_t iv, void *_schedule);
+void oqs_aes256_free_schedule_c(void *schedule);
+void oqs_aes256_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+void oqs_aes256_ctr_enc_sch_c(const uint8_t *iv, const size_t iv_len, const void *schedule, uint8_t *out, size_t out_len);
+void oqs_aes256_ctr_enc_sch_upd_blks_c(void *schedule, uint8_t *out, size_t out_len);
+
+void oqs_aes256_load_schedule_no_bitslice(const uint8_t *key, void **_schedule);
+void oqs_aes256_load_iv_armv8(const uint8_t *iv, size_t iv_len, void *_schedule);
+void oqs_aes256_free_schedule_no_bitslice(void *schedule);
+void oqs_aes256_enc_sch_block_armv8(const uint8_t *plaintext, const void *_schedule, uint8_t *ciphertext);
+void oqs_aes256_ecb_enc_sch_armv8(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
+void oqs_aes256_ctr_enc_sch_armv8(const uint8_t *iv, const size_t iv_len, const void *schedule, uint8_t *out, size_t out_len);
+void oqs_aes256_ctr_enc_sch_upd_blks_armv8(void *schedule, uint8_t *out, size_t out_blks);
diff --git a/lib/liboqs/src/common/aes/config.mk b/lib/liboqs/src/common/aes/config.mk
new file mode 100644
index 000000000..b28c9ce64
--- /dev/null
+++ b/lib/liboqs/src/common/aes/config.mk
@@ -0,0 +1,17 @@
+# DO NOT EDIT: generated from  config.mk.subdirs.template
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# add fixes for platform integration issues here.
+#
+# liboqs programs expect the public include files to be in oqs/xxxx,
+# So we put liboqs in it's own module, oqs, and point to the dist files
+INCLUDES += -I$(CORE_DEPTH)/lib/liboqs/src/common/pqclean_shims -I$(CORE_DEPTH)/lib/liboqs/src/common/sha3/xkcp_low/KeccakP-1600/plain-64bits
+DEFINES += 
+
+ifeq ($(OS_ARCH), Darwin)
+DEFINES += -DOQS_HAVE_ALIGNED_ALLOC -DOQS_HAVE_MEMALIGN -DOQS_HAVE_POSIX_MEMALIGN
+endif
+
diff --git a/lib/liboqs/src/common/aes/manifest.mn b/lib/liboqs/src/common/aes/manifest.mn
new file mode 100644
index 000000000..c43db70c6
--- /dev/null
+++ b/lib/liboqs/src/common/aes/manifest.mn
@@ -0,0 +1,24 @@
+# DO NOT EDIT: generated from  manifest.mn.subdirs.template
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../../../../..
+
+MODULE = oqs
+
+LIBRARY_NAME = oqs_src_common_aes
+SHARED_LIBRARY = $(NULL)
+
+CSRCS = \
+	aes.c \
+	aes_c.c \
+	$(NULL)
+
+# only add module debugging in opt builds if DEBUG_PKCS11 is set
+ifdef DEBUG_PKCS11
+  DEFINES += -DDEBUG_MODULE
+endif
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1