// Copyright 2014 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// +build !amd64 appengine gccgo

Joseph Bonneau0bc0bcc2013-03-22 14:59:59 -04007package sha3
8
// rc holds the 24 round constants of Keccak-f[1600], one per round; the
// ι step XORs rc[round] into lane (0,0).
var rc = [24]uint64{
	0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
	0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
	0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
	0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
	0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
	0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
}

// keccakF1600 applies the 24-round Keccak-f[1600] permutation in place to a
// 1600-bit state held as 25 64-bit lanes, with lane (x, y) stored at index
// x+5*y.
//
// This is the portable fallback selected by the build constraint at the top
// of the file. It is written as a plain loop over the five step mappings
// θ, ρ, π, χ and ι instead of the 4-round unrolled form of the reference
// Keccak-inplace.c, trading some speed for readability. Every array index
// and rotation amount below is a compile-time or loop-derived constant, so
// there are no secret-dependent branches or memory accesses.
func keccakF1600(a *[25]uint64) {
	// rotc[x+5*y] is the ρ rotation offset (in bits) of lane (x, y).
	rotc := [25]uint{
		0, 1, 62, 28, 27,
		36, 44, 6, 55, 20,
		3, 10, 43, 25, 39,
		41, 45, 15, 21, 8,
		18, 2, 61, 56, 14,
	}

	var c, d [5]uint64 // column parities and the per-column θ correction
	var b [25]uint64   // output of ρ∘π, consumed by χ

	for round := 0; round < 24; round++ {
		// θ: each lane absorbs the parity of column x-1 and the
		// 1-bit-rotated parity of column x+1.
		for x := 0; x < 5; x++ {
			c[x] = a[x] ^ a[x+5] ^ a[x+10] ^ a[x+15] ^ a[x+20]
		}
		for x := 0; x < 5; x++ {
			left := c[(x+4)%5]
			right := c[(x+1)%5]
			d[x] = left ^ (right<<1 | right>>63)
		}
		for i := range a {
			a[i] ^= d[i%5]
		}

		// ρ and π: rotate lane (x, y) by its offset and move it to
		// position (y, 2x+3y). A rotation by 0 is the identity because
		// Go defines a >> 64 on uint64 as 0.
		for y := 0; y < 5; y++ {
			for x := 0; x < 5; x++ {
				src := x + 5*y
				r := rotc[src]
				dst := y + 5*((2*x+3*y)%5)
				b[dst] = a[src]<<r | a[src]>>(64-r)
			}
		}

		// χ: the only non-linear step, applied row by row:
		// a[x] = b[x] ^ (^b[x+1] & b[x+2]).
		for y := 0; y < 25; y += 5 {
			for x := 0; x < 5; x++ {
				a[y+x] = b[y+x] ^ (b[y+(x+2)%5] &^ b[y+(x+1)%5])
			}
		}

		// ι: break the symmetry between rounds with this round's constant.
		a[0] ^= rc[round]
	}
}