
   1  // Copyright 2014 The Go Authors. All rights reserved.
   2  // Use of this source code is governed by a BSD-style
   3  // license that can be found in the LICENSE file.
   4  
   5  package sha3
   6  
// KeccakF1600 applies the Keccak-f[1600] permutation in place to a
// 1600-bit state held as a pointer to an array of 25 uint64 lanes
// (lane (x, y) of the 5x5 state lives at a[x+5*y]).
// If turbo is true, applies the 12-round variant instead of the
// regular 24-round variant: the round loop starts at index 12, so only
// the last 12 entries of the round-constant table RC are used
// (Keccak-p[1600,12]).
//
// RC is the package-level table of iota round constants; it is defined
// elsewhere in the package and must hold at least 24 entries.
//
// The only branch is on turbo, which is a public parameter; every other
// operation is a fixed-index XOR, AND-NOT, shift or rotate on uint64
// lanes, so the running time does not depend on the state contents.
// nolint:funlen
func KeccakF1600(a *[25]uint64, turbo bool) {
	// Implementation translated from Keccak-inplace.c
	// in the keccak reference code.
	//
	// Each round is theta, rho, pi, chi, iota. The pi lane permutation is
	// never performed by moving data: four consecutive rounds are
	// unrolled and each one reads and writes the lanes at the positions
	// pi would have moved them to. Round 1 reads the lanes at their
	// standard positions (e.g. a[6], lane (1,1), is rotated by its rho
	// offset 44) and Round 4 stores a[0..24] back in natural index order,
	// so the state is in standard layout at the top of every loop
	// iteration. This is why the loop steps by 4 and the turbo start
	// index (12) is a multiple of 4.
	//
	// bc0..bc4 hold the five column parities during theta and then the
	// five rotated lanes of one row; d0..d4 are the theta corrections;
	// t is scratch for the rotate.
	var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64

	i := 0

	if turbo {
		i = 12
	}

	for ; i < 24; i += 4 {
		// Combines the 5 steps in each round into 2 steps.
		// Unrolls 4 rounds per loop and spreads some steps across rounds.

		// Round 1
		// theta, part 1: C[x] = XOR of the five lanes in column x.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		// theta, part 2: D[x] = C[x-1] ^ rotl64(C[x+1], 1);
		// `v<<1 | v>>63` is a 64-bit rotate left by one.
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		// Row 0 of the pi-permuted state: apply the theta correction
		// (^ d), rho (`t<<n | t>>(64-n)` is rotl64(t, n)), chi
		// (`x &^ y` is x AND NOT y, i.e. x ^ (~y & z) form) and, on
		// lane 0 only, iota (^ RC[i]).
		bc0 = a[0] ^ d0
		t = a[6] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[12] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[18] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[24] ^ d4
		bc4 = t<<14 | t>>(64-14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ RC[i]
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		// Row 1: theta correction, rho, chi (no iota outside lane 0).
		t = a[10] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[16] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[22] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[3] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		// Row 2.
		t = a[20] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[1] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[7] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[19] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		// Row 3.
		t = a[5] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[11] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[23] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[4] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		// Row 4.
		t = a[15] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[2] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[8] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[14] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		// Round 2
		// Same theta/rho/chi/iota structure as Round 1; only the lane
		// indices differ, following the pi relabeling left by Round 1.
		// Round constant RC[i+1].
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[16] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[7] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[23] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[14] ^ d4
		bc4 = t<<14 | t>>(64-14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ RC[i+1]
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[11] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[2] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[18] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[6] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[22] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[4] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[1] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[8] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[24] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[12] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[3] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[19] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		// Round 3
		// As above, with the lane indices of the second relabeling.
		// Round constant RC[i+2].
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[11] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[22] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[8] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[19] ^ d4
		bc4 = t<<14 | t>>(64-14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ RC[i+2]
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[1] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[12] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[23] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[16] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[2] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[24] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[6] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[3] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[14] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[7] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[18] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[4] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		// Round 4
		// Fourth relabeling; this round stores a[0..24] in natural
		// index order, returning the state to standard lane layout.
		// Round constant RC[i+3].
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[1] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[2] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[3] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[4] ^ d4
		bc4 = t<<14 | t>>(64-14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ RC[i+3]
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[6] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[7] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[8] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[11] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[12] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[14] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[16] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[18] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[19] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[22] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[23] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[24] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)
	}
}