src/internal/chacha8rand/chacha8_generic.go - go - Git at Google

 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 // ChaCha8 is ChaCha with 8 rounds.
 // See https://cr.yp.to/chacha/chacha-20080128.pdf.
 //
 // ChaCha8 operates on a 4x4 matrix of uint32 values, initially set to:
 //
 //	const1 const2 const3 const4
 //	seed   seed   seed   seed
 //	seed   seed   seed   seed
 //	counter64     0      0
 //
 // We use the same constants as ChaCha20 does, a random seed,
 // and a counter. Running ChaCha8 on this input produces
 // a 4x4 matrix of pseudo-random values with as much entropy
 // as the seed.
 //
 // Given SIMD registers that can hold N uint32s, it is possible
 // to run N ChaCha8 block transformations in parallel by filling
 // the first register with the N copies of const1, the second
 // with N copies of const2, and so on, and then running the operations.
 //
 // Each iteration of ChaCha8Rand operates over 32 bytes of input and
 // produces 992 bytes of RNG output, plus 32 bytes of input for the next
 // iteration.
 //
 // The 32 bytes of input are used as a ChaCha8 key, with a zero nonce, to
 // produce 1024 bytes of output (16 blocks, with counters 0 to 15).
 // First, for each block, the values 0x61707865, 0x3320646e, 0x79622d32,
 // 0x6b206574 are subtracted from the 32-bit little-endian words at
 // position 0, 1, 2, and 3 respectively, and an increasing counter
 // starting at zero is subtracted from each word at position 12. Then,
 // this stream is permuted such that for each sequence of four blocks,
 // first we output the first four bytes of each block, then the next four
 // bytes of each block, and so on. Finally, the last 32 bytes of output
 // are used as the input of the next iteration, and the remaining 992
 // bytes are the RNG output.
 //
 // See https://c2sp.org/chacha8rand for additional details.
 //
 // Normal ChaCha20 implementations for encryption use this same
 // parallelism but then have to deinterlace the results so that
 // it appears the blocks were generated separately. For the purposes
 // of generating random numbers, the interlacing is fine.
 // We are simply locked in to preserving the 4-way interlacing
 // in any future optimizations.
 package chacha8rand

 import (
 	"internal/goarch"
 	"unsafe"
 )

 // setup sets up 4 ChaCha8 blocks in b32 with the counter and seed.
 // Note that b32 is [16][4]uint32 not [4][16]uint32: the blocks are interlaced
 // the same way they would be in a 4-way SIMD implementations.
 func setup(seed *[4]uint64, b32 *[16][4]uint32, counter uint32) {
 	// Convert to uint64 to do half as many stores to memory.
 	b := (*[16][2]uint64)(unsafe.Pointer(b32))

 	// Constants; same as in ChaCha20: "expand 32-byte k"
 	b[0][0] = 0x61707865_61707865
 	b[0][1] = 0x61707865_61707865

 	b[1][0] = 0x3320646e_3320646e
 	b[1][1] = 0x3320646e_3320646e

 	b[2][0] = 0x79622d32_79622d32
 	b[2][1] = 0x79622d32_79622d32

 	b[3][0] = 0x6b206574_6b206574
 	b[3][1] = 0x6b206574_6b206574

 	// Seed values.
 	var x64 uint64
 	var x uint32

 	x = uint32(seed[0])
 	x64 = uint64(x)<<32 | uint64(x)
 	b[4][0] = x64
 	b[4][1] = x64

 	x = uint32(seed[0] >> 32)
 	x64 = uint64(x)<<32 | uint64(x)
 	b[5][0] = x64
 	b[5][1] = x64

 	x = uint32(seed[1])
 	x64 = uint64(x)<<32 | uint64(x)
 	b[6][0] = x64
 	b[6][1] = x64

 	x = uint32(seed[1] >> 32)
 	x64 = uint64(x)<<32 | uint64(x)
 	b[7][0] = x64
 	b[7][1] = x64

 	x = uint32(seed[2])
 	x64 = uint64(x)<<32 | uint64(x)
 	b[8][0] = x64
 	b[8][1] = x64

 	x = uint32(seed[2] >> 32)
 	x64 = uint64(x)<<32 | uint64(x)
 	b[9][0] = x64
 	b[9][1] = x64

 	x = uint32(seed[3])
 	x64 = uint64(x)<<32 | uint64(x)
 	b[10][0] = x64
 	b[10][1] = x64

 	x = uint32(seed[3] >> 32)
 	x64 = uint64(x)<<32 | uint64(x)
 	b[11][0] = x64
 	b[11][1] = x64

 	// Counters.
 	if goarch.BigEndian {
 		b[12][0] = uint64(counter+0)<<32 | uint64(counter+1)
 		b[12][1] = uint64(counter+2)<<32 | uint64(counter+3)
 	} else {
 		b[12][0] = uint64(counter+0) | uint64(counter+1)<<32
 		b[12][1] = uint64(counter+2) | uint64(counter+3)<<32
 	}

 	// Zeros.
 	b[13][0] = 0
 	b[13][1] = 0
 	b[14][0] = 0
 	b[14][1] = 0

 	b[15][0] = 0
 	b[15][1] = 0
 }

 func _() {
 	// block and block_generic must have same type
 	x := block
 	x = block_generic
 	_ = x
 }

 // block_generic is the non-assembly block implementation,
 // for use on systems without special assembly.
 // Even on such systems, it is quite fast: on GOOS=386,
 // ChaCha8 using this code generates random values faster than PCG-DXSM.
 func block_generic(seed *[4]uint64, buf *[32]uint64, counter uint32) {
 	b := (*[16][4]uint32)(unsafe.Pointer(buf))

 	setup(seed, b, counter)

 	for i := range b[0] {
 		// Load block i from b[*][i] into local variables.
 		b0 := b[0][i]
 		b1 := b[1][i]
 		b2 := b[2][i]
 		b3 := b[3][i]
 		b4 := b[4][i]
 		b5 := b[5][i]
 		b6 := b[6][i]
 		b7 := b[7][i]
 		b8 := b[8][i]
 		b9 := b[9][i]
 		b10 := b[10][i]
 		b11 := b[11][i]
 		b12 := b[12][i]
 		b13 := b[13][i]
 		b14 := b[14][i]
 		b15 := b[15][i]

 		// 4 iterations of eight quarter-rounds each is 8 rounds
 		for round := 0; round < 4; round++ {
 			b0, b4, b8, b12 = qr(b0, b4, b8, b12)
 			b1, b5, b9, b13 = qr(b1, b5, b9, b13)
 			b2, b6, b10, b14 = qr(b2, b6, b10, b14)
 			b3, b7, b11, b15 = qr(b3, b7, b11, b15)

 			b0, b5, b10, b15 = qr(b0, b5, b10, b15)
 			b1, b6, b11, b12 = qr(b1, b6, b11, b12)
 			b2, b7, b8, b13 = qr(b2, b7, b8, b13)
 			b3, b4, b9, b14 = qr(b3, b4, b9, b14)
 		}

 		// Store block i back into b[*][i].
 		// Add b4..b11 back to the original key material,
 		// like in ChaCha20, to avoid trivial invertibility.
 		// There is no entropy in b0..b3 and b12..b15
 		// so we can skip the additions and save some time.
 		b[0][i] = b0
 		b[1][i] = b1
 		b[2][i] = b2
 		b[3][i] = b3
 		b[4][i] += b4
 		b[5][i] += b5
 		b[6][i] += b6
 		b[7][i] += b7
 		b[8][i] += b8
 		b[9][i] += b9
 		b[10][i] += b10
 		b[11][i] += b11
 		b[12][i] = b12
 		b[13][i] = b13
 		b[14][i] = b14
 		b[15][i] = b15
 	}

 	if goarch.BigEndian {
 		// On a big-endian system, reading the uint32 pairs as uint64s
 		// will word-swap them compared to little-endian, so we word-swap
 		// them here first to make the next swap get the right answer.
 		for i, x := range buf {
 			buf[i] = x>>32 | x<<32
 		}
 	}
 }

 // qr is the (inlinable) ChaCha8 quarter round.
 func qr(a, b, c, d uint32) (_a, _b, _c, _d uint32) {
 	a += b
 	d ^= a
 	d = d<<16 | d>>16
 	c += d
 	b ^= c
 	b = b<<12 | b>>20
 	a += b
 	d ^= a
 	d = d<<8 | d>>24
 	c += d
 	b ^= c
 	b = b<<7 | b>>25
 	return a, b, c, d
 }
	// Copyright 2023 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	// ChaCha8 is ChaCha with 8 rounds.
	// See https://cr.yp.to/chacha/chacha-20080128.pdf.
	//
	// ChaCha8 operates on a 4x4 matrix of uint32 values, initially set to:
	//
	// const1 const2 const3 const4
	// seed seed seed seed
	// seed seed seed seed
	// counter64 0 0
	//
	// We use the same constants as ChaCha20 does, a random seed,
	// and a counter. Running ChaCha8 on this input produces
	// a 4x4 matrix of pseudo-random values with as much entropy
	// as the seed.
	//
	// Given SIMD registers that can hold N uint32s, it is possible
	// to run N ChaCha8 block transformations in parallel by filling
	// the first register with the N copies of const1, the second
	// with N copies of const2, and so on, and then running the operations.
	//
	// Each iteration of ChaCha8Rand operates over 32 bytes of input and
	// produces 992 bytes of RNG output, plus 32 bytes of input for the next
	// iteration.
	//
	// The 32 bytes of input are used as a ChaCha8 key, with a zero nonce, to
	// produce 1024 bytes of output (16 blocks, with counters 0 to 15).
	// First, for each block, the values 0x61707865, 0x3320646e, 0x79622d32,
	// 0x6b206574 are subtracted from the 32-bit little-endian words at
	// position 0, 1, 2, and 3 respectively, and an increasing counter
	// starting at zero is subtracted from each word at position 12. Then,
	// this stream is permuted such that for each sequence of four blocks,
	// first we output the first four bytes of each block, then the next four
	// bytes of each block, and so on. Finally, the last 32 bytes of output
	// are used as the input of the next iteration, and the remaining 992
	// bytes are the RNG output.
	//
	// See https://c2sp.org/chacha8rand for additional details.
	//
	// Normal ChaCha20 implementations for encryption use this same
	// parallelism but then have to deinterlace the results so that
	// it appears the blocks were generated separately. For the purposes
	// of generating random numbers, the interlacing is fine.
	// We are simply locked in to preserving the 4-way interlacing
	// in any future optimizations.
	package chacha8rand

	import (
	"internal/goarch"
	"unsafe"
	)

	// setup sets up 4 ChaCha8 blocks in b32 with the counter and seed.
	// Note that b32 is [16][4]uint32 not [4][16]uint32: the blocks are interlaced
	// the same way they would be in a 4-way SIMD implementations.
	func setup(seed [4]uint64, b32 [16][4]uint32, counter uint32) {
	// Convert to uint64 to do half as many stores to memory.
	b := (*[16][2]uint64)(unsafe.Pointer(b32))

	// Constants; same as in ChaCha20: "expand 32-byte k"
	b[0][0] = 0x61707865_61707865
	b[0][1] = 0x61707865_61707865

	b[1][0] = 0x3320646e_3320646e
	b[1][1] = 0x3320646e_3320646e

	b[2][0] = 0x79622d32_79622d32
	b[2][1] = 0x79622d32_79622d32

	b[3][0] = 0x6b206574_6b206574
	b[3][1] = 0x6b206574_6b206574

	// Seed values.
	var x64 uint64
	var x uint32

	x = uint32(seed[0])
	x64 = uint64(x)<<32 \| uint64(x)
	b[4][0] = x64
	b[4][1] = x64

	x = uint32(seed[0] >> 32)
	x64 = uint64(x)<<32 \| uint64(x)
	b[5][0] = x64
	b[5][1] = x64

	x = uint32(seed[1])
	x64 = uint64(x)<<32 \| uint64(x)
	b[6][0] = x64
	b[6][1] = x64

	x = uint32(seed[1] >> 32)
	x64 = uint64(x)<<32 \| uint64(x)
	b[7][0] = x64
	b[7][1] = x64

	x = uint32(seed[2])
	x64 = uint64(x)<<32 \| uint64(x)
	b[8][0] = x64
	b[8][1] = x64

	x = uint32(seed[2] >> 32)
	x64 = uint64(x)<<32 \| uint64(x)
	b[9][0] = x64
	b[9][1] = x64

	x = uint32(seed[3])
	x64 = uint64(x)<<32 \| uint64(x)
	b[10][0] = x64
	b[10][1] = x64

	x = uint32(seed[3] >> 32)
	x64 = uint64(x)<<32 \| uint64(x)
	b[11][0] = x64
	b[11][1] = x64

	// Counters.
	if goarch.BigEndian {
	b[12][0] = uint64(counter+0)<<32 \| uint64(counter+1)
	b[12][1] = uint64(counter+2)<<32 \| uint64(counter+3)
	} else {
	b[12][0] = uint64(counter+0) \| uint64(counter+1)<<32
	b[12][1] = uint64(counter+2) \| uint64(counter+3)<<32
	}

	// Zeros.
	b[13][0] = 0
	b[13][1] = 0
	b[14][0] = 0
	b[14][1] = 0

	b[15][0] = 0
	b[15][1] = 0
	}

	func _() {
	// block and block_generic must have same type
	x := block
	x = block_generic
	_ = x
	}

	// block_generic is the non-assembly block implementation,
	// for use on systems without special assembly.
	// Even on such systems, it is quite fast: on GOOS=386,
	// ChaCha8 using this code generates random values faster than PCG-DXSM.
	func block_generic(seed [4]uint64, buf [32]uint64, counter uint32) {
	b := (*[16][4]uint32)(unsafe.Pointer(buf))

	setup(seed, b, counter)

	for i := range b[0] {
	// Load block i from b[*][i] into local variables.
	b0 := b[0][i]
	b1 := b[1][i]
	b2 := b[2][i]
	b3 := b[3][i]
	b4 := b[4][i]
	b5 := b[5][i]
	b6 := b[6][i]
	b7 := b[7][i]
	b8 := b[8][i]
	b9 := b[9][i]
	b10 := b[10][i]
	b11 := b[11][i]
	b12 := b[12][i]
	b13 := b[13][i]
	b14 := b[14][i]
	b15 := b[15][i]

	// 4 iterations of eight quarter-rounds each is 8 rounds
	for round := 0; round < 4; round++ {
	b0, b4, b8, b12 = qr(b0, b4, b8, b12)
	b1, b5, b9, b13 = qr(b1, b5, b9, b13)
	b2, b6, b10, b14 = qr(b2, b6, b10, b14)
	b3, b7, b11, b15 = qr(b3, b7, b11, b15)

	b0, b5, b10, b15 = qr(b0, b5, b10, b15)
	b1, b6, b11, b12 = qr(b1, b6, b11, b12)
	b2, b7, b8, b13 = qr(b2, b7, b8, b13)
	b3, b4, b9, b14 = qr(b3, b4, b9, b14)
	}

	// Store block i back into b[*][i].
	// Add b4..b11 back to the original key material,
	// like in ChaCha20, to avoid trivial invertibility.
	// There is no entropy in b0..b3 and b12..b15
	// so we can skip the additions and save some time.
	b[0][i] = b0
	b[1][i] = b1
	b[2][i] = b2
	b[3][i] = b3
	b[4][i] += b4
	b[5][i] += b5
	b[6][i] += b6
	b[7][i] += b7
	b[8][i] += b8
	b[9][i] += b9
	b[10][i] += b10
	b[11][i] += b11
	b[12][i] = b12
	b[13][i] = b13
	b[14][i] = b14
	b[15][i] = b15
	}

	if goarch.BigEndian {
	// On a big-endian system, reading the uint32 pairs as uint64s
	// will word-swap them compared to little-endian, so we word-swap
	// them here first to make the next swap get the right answer.
	for i, x := range buf {
	buf[i] = x>>32 \| x<<32
	}
	}
	}

	// qr is the (inlinable) ChaCha8 quarter round.
	func qr(a, b, c, d uint32) (_a, _b, _c, _d uint32) {
	a += b
	d ^= a
	d = d<<16 \| d>>16
	c += d
	b ^= c
	b = b<<12 \| b>>20
	a += b
	d ^= a
	d = d<<8 \| d>>24
	c += d
	b ^= c
	b = b<<7 \| b>>25
	return a, b, c, d
	}