
   1  // Copyright 2014 The Go Authors. All rights reserved.
   2  // Use of this source code is governed by a BSD-style
   3  // license that can be found in the LICENSE file.
   4  
   5  package sha3
   6  
   7  import (
   8  	"crypto/internal/fips140deps/byteorder"
   9  	"crypto/internal/fips140deps/cpu"
  10  	"math/bits"
  11  	"unsafe"
  12  )
  13  
// rc stores the 24 Keccak-f[1600] round constants consumed by the ι step,
// one per round, indexed by round number. The values are fixed by the Keccak
// specification; any deviation yields a non-standard permutation that still
// "works" but no longer matches published known-answer vectors, so changes
// here must be checked against those vectors.
var rc = [24]uint64{
	// rounds 0-3
	0x0000000000000001, 0x0000000000008082,
	0x800000000000808A, 0x8000000080008000,
	// rounds 4-7
	0x000000000000808B, 0x0000000080000001,
	0x8000000080008081, 0x8000000000008009,
	// rounds 8-11
	0x000000000000008A, 0x0000000000000088,
	0x0000000080008009, 0x000000008000000A,
	// rounds 12-15
	0x000000008000808B, 0x800000000000008B,
	0x8000000000008089, 0x8000000000008003,
	// rounds 16-19
	0x8000000000008002, 0x8000000000000080,
	0x000000000000800A, 0x800000008000000A,
	// rounds 20-23
	0x8000000080008081, 0x8000000000008080,
	0x0000000080000001, 0x8000000080008008,
}
  41  
// keccakF1600Generic applies the Keccak-f[1600] permutation, in place, to the
// 200-byte state da, viewed as 25 little-endian uint64 lanes. This is the
// portable pure-Go implementation: all 24 rounds are computed with fixed
// rotations and bitwise operations only.
//
// Lane indices, rotation amounts and the loop bound are all compile-time
// constants, so there are no data-dependent branches or memory accesses; the
// running time does not depend on the state contents.
func keccakF1600Generic(da *[200]byte) {
	var a *[25]uint64
	if cpu.BigEndian {
		// The byte form of the state is little-endian by definition, so on a
		// big-endian machine the lanes are decoded into a scratch array and
		// encoded back into da once the permutation is complete.
		a = &[25]uint64{}
		for i := range a {
			a[i] = byteorder.LEUint64(da[i*8:])
		}
		defer func() {
			for i := range a {
				byteorder.LEPutUint64(da[i*8:], a[i])
			}
		}()
	} else {
		// On little-endian machines the byte array already is the lane array
		// and is reinterpreted in place, avoiding the copy.
		// NOTE(review): this conversion presumes da is 8-byte aligned; a
		// misaligned *[200]byte is reported by -d=checkptr and may fault on
		// platforms without unaligned 64-bit loads — confirm that every
		// caller's state array satisfies this.
		a = (*[25]uint64)(unsafe.Pointer(da))
	}

	// Implementation translated from Keccak-inplace.c
	// in the keccak reference code.
	//
	// bc0..bc4 hold the θ column parities and, later, the five lanes of one
	// χ row; d0..d4 are the θ correction terms; t is a scratch lane.
	var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64

	for i := 0; i < 24; i += 4 {
		// Combines the 5 steps in each round into 2 steps.
		// Unrolls 4 rounds per loop and spreads some steps across rounds.
		//
		// Each round is: θ (column parities bc0..bc4, then d0..d4, where
		// x<<1 | x>>63 is a rotate-left by one), followed by ρ/π/χ fused
		// into five blocks of five lanes each (rotate, then a ^ (~b & c)
		// written as bc ^ (bc &^ bc)), with ι folded into the first block
		// by XORing rc[round] into a[0]. Because π is applied in place, the
		// lane positions differ in each of the four unrolled rounds and are
		// back in natural order after Round 4, which is why rounds i+4..
		// can reuse the same code.

		// Round 1
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		// First ρ/π/χ block; ι is applied to a[0] only.
		bc0 = a[0] ^ d0
		t = a[6] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[12] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[18] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[24] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i]
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[16] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[22] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[3] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[1] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[7] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[19] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[11] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[23] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[4] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[2] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[8] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[14] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		// Round 2: same steps as Round 1; lane positions reflect the
		// in-place π of the previous round.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[16] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[7] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[23] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[14] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1]
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[11] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[2] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[18] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[6] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[22] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[4] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[1] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[8] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[24] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[12] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[3] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[19] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		// Round 3: same steps; lane positions again follow the in-place π.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[11] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[22] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[8] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[19] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2]
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[1] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[12] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[23] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[16] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[2] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[24] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[6] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[3] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[14] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[7] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[18] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[4] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		// Round 4: same steps; the lanes are read and written in natural
		// order here, leaving the state laid out for the next iteration's
		// Round 1.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[1] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[2] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[3] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[4] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3]
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[6] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[7] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[8] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[11] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[12] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[14] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[16] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[18] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[19] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[22] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[23] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[24] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)
	}
}