• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2 Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni,
3 Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby
4 denoted as "the implementer".
5 
6 For more information, feedback or questions, please refer to our websites:
7 http://keccak.noekeon.org/
8 http://keyak.noekeon.org/
9 http://ketje.noekeon.org/
10 
11 To the extent possible under law, the implementer has waived all copyright
12 and related or neighboring rights to the source code in this file.
13 http://creativecommons.org/publicdomain/zero/1.0/
14 */
15 
16 #include    <string.h>
17 /* #include "brg_endian.h" */
18 #include "KeccakP-1600-SnP.h"
19 #include "SnP-Relaned.h"
20 
21 typedef unsigned char UINT8;
22 typedef unsigned int UINT32;
23 /* WARNING: on 8-bit and 16-bit platforms, this should be replaced by: */
24 
25 /*typedef unsigned long       UINT32; */
26 
27 
28 #define ROL32(a, offset) ((((UINT32)a) << (offset)) ^ (((UINT32)a) >> (32-(offset))))
29 
30 /* Credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
31 
32 #define prepareToBitInterleaving(low, high, temp, temp0, temp1) \
33         temp0 = (low); \
34         temp = (temp0 ^ (temp0 >>  1)) & 0x22222222UL;  temp0 = temp0 ^ temp ^ (temp <<  1); \
35         temp = (temp0 ^ (temp0 >>  2)) & 0x0C0C0C0CUL;  temp0 = temp0 ^ temp ^ (temp <<  2); \
36         temp = (temp0 ^ (temp0 >>  4)) & 0x00F000F0UL;  temp0 = temp0 ^ temp ^ (temp <<  4); \
37         temp = (temp0 ^ (temp0 >>  8)) & 0x0000FF00UL;  temp0 = temp0 ^ temp ^ (temp <<  8); \
38         temp1 = (high); \
39         temp = (temp1 ^ (temp1 >>  1)) & 0x22222222UL;  temp1 = temp1 ^ temp ^ (temp <<  1); \
40         temp = (temp1 ^ (temp1 >>  2)) & 0x0C0C0C0CUL;  temp1 = temp1 ^ temp ^ (temp <<  2); \
41         temp = (temp1 ^ (temp1 >>  4)) & 0x00F000F0UL;  temp1 = temp1 ^ temp ^ (temp <<  4); \
42         temp = (temp1 ^ (temp1 >>  8)) & 0x0000FF00UL;  temp1 = temp1 ^ temp ^ (temp <<  8);
43 
44 #define toBitInterleavingAndXOR(low, high, even, odd, temp, temp0, temp1) \
45         prepareToBitInterleaving(low, high, temp, temp0, temp1) \
46         even ^= (temp0 & 0x0000FFFF) | (temp1 << 16); \
47         odd ^= (temp0 >> 16) | (temp1 & 0xFFFF0000);
48 
49 #define toBitInterleavingAndAND(low, high, even, odd, temp, temp0, temp1) \
50         prepareToBitInterleaving(low, high, temp, temp0, temp1) \
51         even &= (temp0 & 0x0000FFFF) | (temp1 << 16); \
52         odd &= (temp0 >> 16) | (temp1 & 0xFFFF0000);
53 
54 #define toBitInterleavingAndSet(low, high, even, odd, temp, temp0, temp1) \
55         prepareToBitInterleaving(low, high, temp, temp0, temp1) \
56         even = (temp0 & 0x0000FFFF) | (temp1 << 16); \
57         odd = (temp0 >> 16) | (temp1 & 0xFFFF0000);
58 
59 /* Credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
60 
61 #define prepareFromBitInterleaving(even, odd, temp, temp0, temp1) \
62         temp0 = (even); \
63         temp1 = (odd); \
64         temp = (temp0 & 0x0000FFFF) | (temp1 << 16); \
65         temp1 = (temp0 >> 16) | (temp1 & 0xFFFF0000); \
66         temp0 = temp; \
67         temp = (temp0 ^ (temp0 >>  8)) & 0x0000FF00UL;  temp0 = temp0 ^ temp ^ (temp <<  8); \
68         temp = (temp0 ^ (temp0 >>  4)) & 0x00F000F0UL;  temp0 = temp0 ^ temp ^ (temp <<  4); \
69         temp = (temp0 ^ (temp0 >>  2)) & 0x0C0C0C0CUL;  temp0 = temp0 ^ temp ^ (temp <<  2); \
70         temp = (temp0 ^ (temp0 >>  1)) & 0x22222222UL;  temp0 = temp0 ^ temp ^ (temp <<  1); \
71         temp = (temp1 ^ (temp1 >>  8)) & 0x0000FF00UL;  temp1 = temp1 ^ temp ^ (temp <<  8); \
72         temp = (temp1 ^ (temp1 >>  4)) & 0x00F000F0UL;  temp1 = temp1 ^ temp ^ (temp <<  4); \
73         temp = (temp1 ^ (temp1 >>  2)) & 0x0C0C0C0CUL;  temp1 = temp1 ^ temp ^ (temp <<  2); \
74         temp = (temp1 ^ (temp1 >>  1)) & 0x22222222UL;  temp1 = temp1 ^ temp ^ (temp <<  1);
75 
76 #define fromBitInterleaving(even, odd, low, high, temp, temp0, temp1) \
77         prepareFromBitInterleaving(even, odd, temp, temp0, temp1) \
78         low = temp0; \
79         high = temp1;
80 
81 #define fromBitInterleavingAndXOR(even, odd, lowIn, highIn, lowOut, highOut, temp, temp0, temp1) \
82         prepareFromBitInterleaving(even, odd, temp, temp0, temp1) \
83         lowOut = lowIn ^ temp0; \
84         highOut = highIn ^ temp1;
85 
KeccakP1600_SetBytesInLaneToZero(void * state,unsigned int lanePosition,unsigned int offset,unsigned int length)86 void KeccakP1600_SetBytesInLaneToZero(void *state, unsigned int lanePosition, unsigned int offset, unsigned int length)
87 {
88     UINT8 laneAsBytes[8];
89     UINT32 low, high;
90     UINT32 temp, temp0, temp1;
91     UINT32 *stateAsHalfLanes = (UINT32*)state;
92 
93     memset(laneAsBytes, 0xFF, offset);
94     memset(laneAsBytes+offset, 0x00, length);
95     memset(laneAsBytes+offset+length, 0xFF, 8-offset-length);
96 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
97     low = *((UINT32*)(laneAsBytes+0));
98     high = *((UINT32*)(laneAsBytes+4));
99 #else
100     low = laneAsBytes[0]
101         | ((UINT32)(laneAsBytes[1]) << 8)
102         | ((UINT32)(laneAsBytes[2]) << 16)
103         | ((UINT32)(laneAsBytes[3]) << 24);
104     high = laneAsBytes[4]
105         | ((UINT32)(laneAsBytes[5]) << 8)
106         | ((UINT32)(laneAsBytes[6]) << 16)
107         | ((UINT32)(laneAsBytes[7]) << 24);
108 #endif
109     toBitInterleavingAndAND(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1);
110 }
111 
112 /* ---------------------------------------------------------------- */
113 
KeccakP1600_Initialize(void * state)114 void KeccakP1600_Initialize(void *state)
115 {
116     memset(state, 0, 200);
117 }
118 
119 /* ---------------------------------------------------------------- */
120 
KeccakP1600_AddByte(void * state,unsigned char byte,unsigned int offset)121 void KeccakP1600_AddByte(void *state, unsigned char byte, unsigned int offset)
122 {
123     unsigned int lanePosition = offset/8;
124     unsigned int offsetInLane = offset%8;
125     UINT32 low, high;
126     UINT32 temp, temp0, temp1;
127     UINT32 *stateAsHalfLanes = (UINT32*)state;
128 
129     if (offsetInLane < 4) {
130         low = (UINT32)byte << (offsetInLane*8);
131         high = 0;
132     }
133     else {
134         low = 0;
135         high = (UINT32)byte << ((offsetInLane-4)*8);
136     }
137     toBitInterleavingAndXOR(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1);
138 }
139 
140 /* ---------------------------------------------------------------- */
141 
KeccakP1600_AddBytesInLane(void * state,unsigned int lanePosition,const unsigned char * data,unsigned int offset,unsigned int length)142 void KeccakP1600_AddBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length)
143 {
144     UINT8 laneAsBytes[8];
145     UINT32 low, high;
146     UINT32 temp, temp0, temp1;
147     UINT32 *stateAsHalfLanes = (UINT32*)state;
148 
149     memset(laneAsBytes, 0, 8);
150     memcpy(laneAsBytes+offset, data, length);
151 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
152     low = *((UINT32*)(laneAsBytes+0));
153     high = *((UINT32*)(laneAsBytes+4));
154 #else
155     low = laneAsBytes[0]
156         | ((UINT32)(laneAsBytes[1]) << 8)
157         | ((UINT32)(laneAsBytes[2]) << 16)
158         | ((UINT32)(laneAsBytes[3]) << 24);
159     high = laneAsBytes[4]
160         | ((UINT32)(laneAsBytes[5]) << 8)
161         | ((UINT32)(laneAsBytes[6]) << 16)
162         | ((UINT32)(laneAsBytes[7]) << 24);
163 #endif
164     toBitInterleavingAndXOR(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1);
165 }
166 
167 /* ---------------------------------------------------------------- */
168 
KeccakP1600_AddLanes(void * state,const unsigned char * data,unsigned int laneCount)169 void KeccakP1600_AddLanes(void *state, const unsigned char *data, unsigned int laneCount)
170 {
171 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
172     const UINT32 * pI = (const UINT32 *)data;
173     UINT32 * pS = (UINT32*)state;
174     UINT32 t, x0, x1;
175     int i;
176     for (i = laneCount-1; i >= 0; --i) {
177 #ifdef NO_MISALIGNED_ACCESSES
178         UINT32 low;
179         UINT32 high;
180         memcpy(&low, pI++, 4);
181         memcpy(&high, pI++, 4);
182         toBitInterleavingAndXOR(low, high, *(pS++), *(pS++), t, x0, x1);
183 #else
184         toBitInterleavingAndXOR(*(pI++), *(pI++), *(pS++), *(pS++), t, x0, x1)
185 #endif
186     }
187 #else
188     unsigned int lanePosition;
189     for(lanePosition=0; lanePosition<laneCount; lanePosition++) {
190         UINT8 laneAsBytes[8];
191         UINT32 low, high, temp, temp0, temp1;
192         UINT32 *stateAsHalfLanes;
193         memcpy(laneAsBytes, data+lanePosition*8, 8);
194         low = laneAsBytes[0]
195             | ((UINT32)(laneAsBytes[1]) << 8)
196             | ((UINT32)(laneAsBytes[2]) << 16)
197             | ((UINT32)(laneAsBytes[3]) << 24);
198         high = laneAsBytes[4]
199             | ((UINT32)(laneAsBytes[5]) << 8)
200             | ((UINT32)(laneAsBytes[6]) << 16)
201             | ((UINT32)(laneAsBytes[7]) << 24);
202         stateAsHalfLanes = (UINT32*)state;
203         toBitInterleavingAndXOR(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1);
204     }
205 #endif
206 }
207 
208 /* ---------------------------------------------------------------- */
209 
KeccakP1600_AddBytes(void * state,const unsigned char * data,unsigned int offset,unsigned int length)210 void KeccakP1600_AddBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length)
211 {
212     SnP_AddBytes(state, data, offset, length, KeccakP1600_AddLanes, KeccakP1600_AddBytesInLane, 8);
213 }
214 
215 /* ---------------------------------------------------------------- */
216 
KeccakP1600_OverwriteBytesInLane(void * state,unsigned int lanePosition,const unsigned char * data,unsigned int offset,unsigned int length)217 void KeccakP1600_OverwriteBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length)
218 {
219     KeccakP1600_SetBytesInLaneToZero(state, lanePosition, offset, length);
220     KeccakP1600_AddBytesInLane(state, lanePosition, data, offset, length);
221 }
222 
223 /* ---------------------------------------------------------------- */
224 
KeccakP1600_OverwriteLanes(void * state,const unsigned char * data,unsigned int laneCount)225 void KeccakP1600_OverwriteLanes(void *state, const unsigned char *data, unsigned int laneCount)
226 {
227 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
228     const UINT32 * pI = (const UINT32 *)data;
229     UINT32 * pS = (UINT32 *)state;
230     UINT32 t, x0, x1;
231     int i;
232     for (i = laneCount-1; i >= 0; --i) {
233 #ifdef NO_MISALIGNED_ACCESSES
234         UINT32 low;
235         UINT32 high;
236         memcpy(&low, pI++, 4);
237         memcpy(&high, pI++, 4);
238         toBitInterleavingAndSet(low, high, *(pS++), *(pS++), t, x0, x1);
239 #else
240         toBitInterleavingAndSet(*(pI++), *(pI++), *(pS++), *(pS++), t, x0, x1)
241 #endif
242     }
243 #else
244     unsigned int lanePosition;
245     for(lanePosition=0; lanePosition<laneCount; lanePosition++) {
246         UINT8 laneAsBytes[8];
247         UINT32 low, high, temp, temp0, temp1;
248         UINT32 *stateAsHalfLanes;
249         memcpy(laneAsBytes, data+lanePosition*8, 8);
250         low = laneAsBytes[0]
251             | ((UINT32)(laneAsBytes[1]) << 8)
252             | ((UINT32)(laneAsBytes[2]) << 16)
253             | ((UINT32)(laneAsBytes[3]) << 24);
254         high = laneAsBytes[4]
255             | ((UINT32)(laneAsBytes[5]) << 8)
256             | ((UINT32)(laneAsBytes[6]) << 16)
257             | ((UINT32)(laneAsBytes[7]) << 24);
258         stateAsHalfLanes = (UINT32*)state;
259         toBitInterleavingAndSet(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1);
260     }
261 #endif
262 }
263 
264 /* ---------------------------------------------------------------- */
265 
KeccakP1600_OverwriteBytes(void * state,const unsigned char * data,unsigned int offset,unsigned int length)266 void KeccakP1600_OverwriteBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length)
267 {
268     SnP_OverwriteBytes(state, data, offset, length, KeccakP1600_OverwriteLanes, KeccakP1600_OverwriteBytesInLane, 8);
269 }
270 
271 /* ---------------------------------------------------------------- */
272 
KeccakP1600_OverwriteWithZeroes(void * state,unsigned int byteCount)273 void KeccakP1600_OverwriteWithZeroes(void *state, unsigned int byteCount)
274 {
275     UINT32 *stateAsHalfLanes = (UINT32*)state;
276     unsigned int i;
277 
278     for(i=0; i<byteCount/8; i++) {
279         stateAsHalfLanes[i*2+0] = 0;
280         stateAsHalfLanes[i*2+1] = 0;
281     }
282     if (byteCount%8 != 0)
283         KeccakP1600_SetBytesInLaneToZero(state, byteCount/8, 0, byteCount%8);
284 }
285 
286 /* ---------------------------------------------------------------- */
287 
KeccakP1600_ExtractBytesInLane(const void * state,unsigned int lanePosition,unsigned char * data,unsigned int offset,unsigned int length)288 void KeccakP1600_ExtractBytesInLane(const void *state, unsigned int lanePosition, unsigned char *data, unsigned int offset, unsigned int length)
289 {
290     UINT32 *stateAsHalfLanes = (UINT32*)state;
291     UINT32 low, high, temp, temp0, temp1;
292     UINT8 laneAsBytes[8];
293 
294     fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1);
295 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
296     *((UINT32*)(laneAsBytes+0)) = low;
297     *((UINT32*)(laneAsBytes+4)) = high;
298 #else
299     laneAsBytes[0] = low & 0xFF;
300     laneAsBytes[1] = (low >> 8) & 0xFF;
301     laneAsBytes[2] = (low >> 16) & 0xFF;
302     laneAsBytes[3] = (low >> 24) & 0xFF;
303     laneAsBytes[4] = high & 0xFF;
304     laneAsBytes[5] = (high >> 8) & 0xFF;
305     laneAsBytes[6] = (high >> 16) & 0xFF;
306     laneAsBytes[7] = (high >> 24) & 0xFF;
307 #endif
308     memcpy(data, laneAsBytes+offset, length);
309 }
310 
311 /* ---------------------------------------------------------------- */
312 
KeccakP1600_ExtractLanes(const void * state,unsigned char * data,unsigned int laneCount)313 void KeccakP1600_ExtractLanes(const void *state, unsigned char *data, unsigned int laneCount)
314 {
315 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
316     UINT32 * pI = (UINT32 *)data;
317     const UINT32 * pS = ( const UINT32 *)state;
318     UINT32 t, x0, x1;
319     int i;
320     for (i = laneCount-1; i >= 0; --i) {
321 #ifdef NO_MISALIGNED_ACCESSES
322         UINT32 low;
323         UINT32 high;
324         fromBitInterleaving(*(pS++), *(pS++), low, high, t, x0, x1);
325         memcpy(pI++, &low, 4);
326         memcpy(pI++, &high, 4);
327 #else
328         fromBitInterleaving(*(pS++), *(pS++), *(pI++), *(pI++), t, x0, x1)
329 #endif
330     }
331 #else
332     unsigned int lanePosition;
333     for(lanePosition=0; lanePosition<laneCount; lanePosition++) {
334         UINT32 *stateAsHalfLanes = (UINT32*)state;
335         UINT32 low, high, temp, temp0, temp1;
336         UINT8 laneAsBytes[8];
337         fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1);
338         laneAsBytes[0] = low & 0xFF;
339         laneAsBytes[1] = (low >> 8) & 0xFF;
340         laneAsBytes[2] = (low >> 16) & 0xFF;
341         laneAsBytes[3] = (low >> 24) & 0xFF;
342         laneAsBytes[4] = high & 0xFF;
343         laneAsBytes[5] = (high >> 8) & 0xFF;
344         laneAsBytes[6] = (high >> 16) & 0xFF;
345         laneAsBytes[7] = (high >> 24) & 0xFF;
346         memcpy(data+lanePosition*8, laneAsBytes, 8);
347     }
348 #endif
349 }
350 
351 /* ---------------------------------------------------------------- */
352 
KeccakP1600_ExtractBytes(const void * state,unsigned char * data,unsigned int offset,unsigned int length)353 void KeccakP1600_ExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length)
354 {
355     SnP_ExtractBytes(state, data, offset, length, KeccakP1600_ExtractLanes, KeccakP1600_ExtractBytesInLane, 8);
356 }
357 
358 /* ---------------------------------------------------------------- */
359 
KeccakP1600_ExtractAndAddBytesInLane(const void * state,unsigned int lanePosition,const unsigned char * input,unsigned char * output,unsigned int offset,unsigned int length)360 void KeccakP1600_ExtractAndAddBytesInLane(const void *state, unsigned int lanePosition, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length)
361 {
362     UINT32 *stateAsHalfLanes = (UINT32*)state;
363     UINT32 low, high, temp, temp0, temp1;
364     UINT8 laneAsBytes[8];
365     unsigned int i;
366 
367     fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1);
368 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
369     *((UINT32*)(laneAsBytes+0)) = low;
370     *((UINT32*)(laneAsBytes+4)) = high;
371 #else
372     laneAsBytes[0] = low & 0xFF;
373     laneAsBytes[1] = (low >> 8) & 0xFF;
374     laneAsBytes[2] = (low >> 16) & 0xFF;
375     laneAsBytes[3] = (low >> 24) & 0xFF;
376     laneAsBytes[4] = high & 0xFF;
377     laneAsBytes[5] = (high >> 8) & 0xFF;
378     laneAsBytes[6] = (high >> 16) & 0xFF;
379     laneAsBytes[7] = (high >> 24) & 0xFF;
380 #endif
381     for(i=0; i<length; i++)
382         output[i] = input[i] ^ laneAsBytes[offset+i];
383 }
384 
385 /* ---------------------------------------------------------------- */
386 
KeccakP1600_ExtractAndAddLanes(const void * state,const unsigned char * input,unsigned char * output,unsigned int laneCount)387 void KeccakP1600_ExtractAndAddLanes(const void *state, const unsigned char *input, unsigned char *output, unsigned int laneCount)
388 {
389 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
390     const UINT32 * pI = (const UINT32 *)input;
391     UINT32 * pO = (UINT32 *)output;
392     const UINT32 * pS = (const UINT32 *)state;
393     UINT32 t, x0, x1;
394     int i;
395     for (i = laneCount-1; i >= 0; --i) {
396 #ifdef NO_MISALIGNED_ACCESSES
397         UINT32 low;
398         UINT32 high;
399         fromBitInterleaving(*(pS++), *(pS++), low, high, t, x0, x1);
400         *(pO++) = *(pI++) ^ low;
401         *(pO++) = *(pI++) ^ high;
402 #else
403         fromBitInterleavingAndXOR(*(pS++), *(pS++), *(pI++), *(pI++), *(pO++), *(pO++), t, x0, x1)
404 #endif
405     }
406 #else
407     unsigned int lanePosition;
408     for(lanePosition=0; lanePosition<laneCount; lanePosition++) {
409         UINT32 *stateAsHalfLanes = (UINT32*)state;
410         UINT32 low, high, temp, temp0, temp1;
411         UINT8 laneAsBytes[8];
412         fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1);
413         laneAsBytes[0] = low & 0xFF;
414         laneAsBytes[1] = (low >> 8) & 0xFF;
415         laneAsBytes[2] = (low >> 16) & 0xFF;
416         laneAsBytes[3] = (low >> 24) & 0xFF;
417         laneAsBytes[4] = high & 0xFF;
418         laneAsBytes[5] = (high >> 8) & 0xFF;
419         laneAsBytes[6] = (high >> 16) & 0xFF;
420         laneAsBytes[7] = (high >> 24) & 0xFF;
421         ((UINT32*)(output+lanePosition*8))[0] = ((UINT32*)(input+lanePosition*8))[0] ^ (*(const UINT32*)(laneAsBytes+0));
422         ((UINT32*)(output+lanePosition*8))[1] = ((UINT32*)(input+lanePosition*8))[0] ^ (*(const UINT32*)(laneAsBytes+4));
423     }
424 #endif
425 }
426 /* ---------------------------------------------------------------- */
427 
KeccakP1600_ExtractAndAddBytes(const void * state,const unsigned char * input,unsigned char * output,unsigned int offset,unsigned int length)428 void KeccakP1600_ExtractAndAddBytes(const void *state, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length)
429 {
430     SnP_ExtractAndAddBytes(state, input, output, offset, length, KeccakP1600_ExtractAndAddLanes, KeccakP1600_ExtractAndAddBytesInLane, 8);
431 }
432 
433 /* ---------------------------------------------------------------- */
434 
435 static const UINT32 KeccakF1600RoundConstants_int2[2*24+1] =
436 {
437     0x00000001UL,    0x00000000UL,
438     0x00000000UL,    0x00000089UL,
439     0x00000000UL,    0x8000008bUL,
440     0x00000000UL,    0x80008080UL,
441     0x00000001UL,    0x0000008bUL,
442     0x00000001UL,    0x00008000UL,
443     0x00000001UL,    0x80008088UL,
444     0x00000001UL,    0x80000082UL,
445     0x00000000UL,    0x0000000bUL,
446     0x00000000UL,    0x0000000aUL,
447     0x00000001UL,    0x00008082UL,
448     0x00000000UL,    0x00008003UL,
449     0x00000001UL,    0x0000808bUL,
450     0x00000001UL,    0x8000000bUL,
451     0x00000001UL,    0x8000008aUL,
452     0x00000001UL,    0x80000081UL,
453     0x00000000UL,    0x80000081UL,
454     0x00000000UL,    0x80000008UL,
455     0x00000000UL,    0x00000083UL,
456     0x00000000UL,    0x80008003UL,
457     0x00000001UL,    0x80008088UL,
458     0x00000000UL,    0x80000088UL,
459     0x00000001UL,    0x00008000UL,
460     0x00000000UL,    0x80008082UL,
461     0x000000FFUL
462 };
463 
464 #define KeccakAtoD_round0() \
465         Cx = Abu0^Agu0^Aku0^Amu0^Asu0; \
466         Du1 = Abe1^Age1^Ake1^Ame1^Ase1; \
467         Da0 = Cx^ROL32(Du1, 1); \
468         Cz = Abu1^Agu1^Aku1^Amu1^Asu1; \
469         Du0 = Abe0^Age0^Ake0^Ame0^Ase0; \
470         Da1 = Cz^Du0; \
471 \
472         Cw = Abi0^Agi0^Aki0^Ami0^Asi0; \
473         Do0 = Cw^ROL32(Cz, 1); \
474         Cy = Abi1^Agi1^Aki1^Ami1^Asi1; \
475         Do1 = Cy^Cx; \
476 \
477         Cx = Aba0^Aga0^Aka0^Ama0^Asa0; \
478         De0 = Cx^ROL32(Cy, 1); \
479         Cz = Aba1^Aga1^Aka1^Ama1^Asa1; \
480         De1 = Cz^Cw; \
481 \
482         Cy = Abo1^Ago1^Ako1^Amo1^Aso1; \
483         Di0 = Du0^ROL32(Cy, 1); \
484         Cw = Abo0^Ago0^Ako0^Amo0^Aso0; \
485         Di1 = Du1^Cw; \
486 \
487         Du0 = Cw^ROL32(Cz, 1); \
488         Du1 = Cy^Cx; \
489 
490 #define KeccakAtoD_round1() \
491         Cx = Asu0^Agu0^Amu0^Abu1^Aku1; \
492         Du1 = Age1^Ame0^Abe0^Ake1^Ase1; \
493         Da0 = Cx^ROL32(Du1, 1); \
494         Cz = Asu1^Agu1^Amu1^Abu0^Aku0; \
495         Du0 = Age0^Ame1^Abe1^Ake0^Ase0; \
496         Da1 = Cz^Du0; \
497 \
498         Cw = Aki1^Asi1^Agi0^Ami1^Abi0; \
499         Do0 = Cw^ROL32(Cz, 1); \
500         Cy = Aki0^Asi0^Agi1^Ami0^Abi1; \
501         Do1 = Cy^Cx; \
502 \
503         Cx = Aba0^Aka1^Asa0^Aga0^Ama1; \
504         De0 = Cx^ROL32(Cy, 1); \
505         Cz = Aba1^Aka0^Asa1^Aga1^Ama0; \
506         De1 = Cz^Cw; \
507 \
508         Cy = Amo0^Abo1^Ako0^Aso1^Ago0; \
509         Di0 = Du0^ROL32(Cy, 1); \
510         Cw = Amo1^Abo0^Ako1^Aso0^Ago1; \
511         Di1 = Du1^Cw; \
512 \
513         Du0 = Cw^ROL32(Cz, 1); \
514         Du1 = Cy^Cx; \
515 
516 #define KeccakAtoD_round2() \
517         Cx = Aku1^Agu0^Abu1^Asu1^Amu1; \
518         Du1 = Ame0^Ake0^Age0^Abe0^Ase1; \
519         Da0 = Cx^ROL32(Du1, 1); \
520         Cz = Aku0^Agu1^Abu0^Asu0^Amu0; \
521         Du0 = Ame1^Ake1^Age1^Abe1^Ase0; \
522         Da1 = Cz^Du0; \
523 \
524         Cw = Agi1^Abi1^Asi1^Ami0^Aki1; \
525         Do0 = Cw^ROL32(Cz, 1); \
526         Cy = Agi0^Abi0^Asi0^Ami1^Aki0; \
527         Do1 = Cy^Cx; \
528 \
529         Cx = Aba0^Asa1^Ama1^Aka1^Aga1; \
530         De0 = Cx^ROL32(Cy, 1); \
531         Cz = Aba1^Asa0^Ama0^Aka0^Aga0; \
532         De1 = Cz^Cw; \
533 \
534         Cy = Aso0^Amo0^Ako1^Ago0^Abo0; \
535         Di0 = Du0^ROL32(Cy, 1); \
536         Cw = Aso1^Amo1^Ako0^Ago1^Abo1; \
537         Di1 = Du1^Cw; \
538 \
539         Du0 = Cw^ROL32(Cz, 1); \
540         Du1 = Cy^Cx; \
541 
542 #define KeccakAtoD_round3() \
543         Cx = Amu1^Agu0^Asu1^Aku0^Abu0; \
544         Du1 = Ake0^Abe1^Ame1^Age0^Ase1; \
545         Da0 = Cx^ROL32(Du1, 1); \
546         Cz = Amu0^Agu1^Asu0^Aku1^Abu1; \
547         Du0 = Ake1^Abe0^Ame0^Age1^Ase0; \
548         Da1 = Cz^Du0; \
549 \
550         Cw = Asi0^Aki0^Abi1^Ami1^Agi1; \
551         Do0 = Cw^ROL32(Cz, 1); \
552         Cy = Asi1^Aki1^Abi0^Ami0^Agi0; \
553         Do1 = Cy^Cx; \
554 \
555         Cx = Aba0^Ama0^Aga1^Asa1^Aka0; \
556         De0 = Cx^ROL32(Cy, 1); \
557         Cz = Aba1^Ama1^Aga0^Asa0^Aka1; \
558         De1 = Cz^Cw; \
559 \
560         Cy = Ago1^Aso0^Ako0^Abo0^Amo1; \
561         Di0 = Du0^ROL32(Cy, 1); \
562         Cw = Ago0^Aso1^Ako1^Abo1^Amo0; \
563         Di1 = Du1^Cw; \
564 \
565         Du0 = Cw^ROL32(Cz, 1); \
566         Du1 = Cy^Cx; \
567 
KeccakP1600_Permute_Nrounds(void * state,unsigned int nRounds)568 void KeccakP1600_Permute_Nrounds(void *state, unsigned int nRounds)
569 {
570     {
571         UINT32 Da0, De0, Di0, Do0, Du0;
572         UINT32 Da1, De1, Di1, Do1, Du1;
573         UINT32 Ca0, Ce0, Ci0, Co0, Cu0;
574         UINT32 Cx, Cy, Cz, Cw;
575         #define Ba Ca0
576         #define Be Ce0
577         #define Bi Ci0
578         #define Bo Co0
579         #define Bu Cu0
580         const UINT32 *pRoundConstants = KeccakF1600RoundConstants_int2+(24-nRounds)*2;
581         UINT32 *stateAsHalfLanes = (UINT32*)state;
582         #define Aba0 stateAsHalfLanes[ 0]
583         #define Aba1 stateAsHalfLanes[ 1]
584         #define Abe0 stateAsHalfLanes[ 2]
585         #define Abe1 stateAsHalfLanes[ 3]
586         #define Abi0 stateAsHalfLanes[ 4]
587         #define Abi1 stateAsHalfLanes[ 5]
588         #define Abo0 stateAsHalfLanes[ 6]
589         #define Abo1 stateAsHalfLanes[ 7]
590         #define Abu0 stateAsHalfLanes[ 8]
591         #define Abu1 stateAsHalfLanes[ 9]
592         #define Aga0 stateAsHalfLanes[10]
593         #define Aga1 stateAsHalfLanes[11]
594         #define Age0 stateAsHalfLanes[12]
595         #define Age1 stateAsHalfLanes[13]
596         #define Agi0 stateAsHalfLanes[14]
597         #define Agi1 stateAsHalfLanes[15]
598         #define Ago0 stateAsHalfLanes[16]
599         #define Ago1 stateAsHalfLanes[17]
600         #define Agu0 stateAsHalfLanes[18]
601         #define Agu1 stateAsHalfLanes[19]
602         #define Aka0 stateAsHalfLanes[20]
603         #define Aka1 stateAsHalfLanes[21]
604         #define Ake0 stateAsHalfLanes[22]
605         #define Ake1 stateAsHalfLanes[23]
606         #define Aki0 stateAsHalfLanes[24]
607         #define Aki1 stateAsHalfLanes[25]
608         #define Ako0 stateAsHalfLanes[26]
609         #define Ako1 stateAsHalfLanes[27]
610         #define Aku0 stateAsHalfLanes[28]
611         #define Aku1 stateAsHalfLanes[29]
612         #define Ama0 stateAsHalfLanes[30]
613         #define Ama1 stateAsHalfLanes[31]
614         #define Ame0 stateAsHalfLanes[32]
615         #define Ame1 stateAsHalfLanes[33]
616         #define Ami0 stateAsHalfLanes[34]
617         #define Ami1 stateAsHalfLanes[35]
618         #define Amo0 stateAsHalfLanes[36]
619         #define Amo1 stateAsHalfLanes[37]
620         #define Amu0 stateAsHalfLanes[38]
621         #define Amu1 stateAsHalfLanes[39]
622         #define Asa0 stateAsHalfLanes[40]
623         #define Asa1 stateAsHalfLanes[41]
624         #define Ase0 stateAsHalfLanes[42]
625         #define Ase1 stateAsHalfLanes[43]
626         #define Asi0 stateAsHalfLanes[44]
627         #define Asi1 stateAsHalfLanes[45]
628         #define Aso0 stateAsHalfLanes[46]
629         #define Aso1 stateAsHalfLanes[47]
630         #define Asu0 stateAsHalfLanes[48]
631         #define Asu1 stateAsHalfLanes[49]
632 
633         do
634         {
635             /* --- Code for 4 rounds */
636 
637             /* --- using factor 2 interleaving, 64-bit lanes mapped to 32-bit words */
638 
639             KeccakAtoD_round0();
640 
641             Ba = (Aba0^Da0);
642             Be = ROL32((Age0^De0), 22);
643             Bi = ROL32((Aki1^Di1), 22);
644             Bo = ROL32((Amo1^Do1), 11);
645             Bu = ROL32((Asu0^Du0), 7);
646             Aba0 =   Ba ^((~Be)&  Bi );
647             Aba0 ^= *(pRoundConstants++);
648             Age0 =   Be ^((~Bi)&  Bo );
649             Aki1 =   Bi ^((~Bo)&  Bu );
650             Amo1 =   Bo ^((~Bu)&  Ba );
651             Asu0 =   Bu ^((~Ba)&  Be );
652 
653             Ba = (Aba1^Da1);
654             Be = ROL32((Age1^De1), 22);
655             Bi = ROL32((Aki0^Di0), 21);
656             Bo = ROL32((Amo0^Do0), 10);
657             Bu = ROL32((Asu1^Du1), 7);
658             Aba1 =   Ba ^((~Be)&  Bi );
659             Aba1 ^= *(pRoundConstants++);
660             Age1 =   Be ^((~Bi)&  Bo );
661             Aki0 =   Bi ^((~Bo)&  Bu );
662             Amo0 =   Bo ^((~Bu)&  Ba );
663             Asu1 =   Bu ^((~Ba)&  Be );
664 
665             Bi = ROL32((Aka1^Da1), 2);
666             Bo = ROL32((Ame1^De1), 23);
667             Bu = ROL32((Asi1^Di1), 31);
668             Ba = ROL32((Abo0^Do0), 14);
669             Be = ROL32((Agu0^Du0), 10);
670             Aka1 =   Ba ^((~Be)&  Bi );
671             Ame1 =   Be ^((~Bi)&  Bo );
672             Asi1 =   Bi ^((~Bo)&  Bu );
673             Abo0 =   Bo ^((~Bu)&  Ba );
674             Agu0 =   Bu ^((~Ba)&  Be );
675 
676             Bi = ROL32((Aka0^Da0), 1);
677             Bo = ROL32((Ame0^De0), 22);
678             Bu = ROL32((Asi0^Di0), 30);
679             Ba = ROL32((Abo1^Do1), 14);
680             Be = ROL32((Agu1^Du1), 10);
681             Aka0 =   Ba ^((~Be)&  Bi );
682             Ame0 =   Be ^((~Bi)&  Bo );
683             Asi0 =   Bi ^((~Bo)&  Bu );
684             Abo1 =   Bo ^((~Bu)&  Ba );
685             Agu1 =   Bu ^((~Ba)&  Be );
686 
687             Bu = ROL32((Asa0^Da0), 9);
688             Ba = ROL32((Abe1^De1), 1);
689             Be = ROL32((Agi0^Di0), 3);
690             Bi = ROL32((Ako1^Do1), 13);
691             Bo = ROL32((Amu0^Du0), 4);
692             Asa0 =   Ba ^((~Be)&  Bi );
693             Abe1 =   Be ^((~Bi)&  Bo );
694             Agi0 =   Bi ^((~Bo)&  Bu );
695             Ako1 =   Bo ^((~Bu)&  Ba );
696             Amu0 =   Bu ^((~Ba)&  Be );
697 
698             Bu = ROL32((Asa1^Da1), 9);
699             Ba = (Abe0^De0);
700             Be = ROL32((Agi1^Di1), 3);
701             Bi = ROL32((Ako0^Do0), 12);
702             Bo = ROL32((Amu1^Du1), 4);
703             Asa1 =   Ba ^((~Be)&  Bi );
704             Abe0 =   Be ^((~Bi)&  Bo );
705             Agi1 =   Bi ^((~Bo)&  Bu );
706             Ako0 =   Bo ^((~Bu)&  Ba );
707             Amu1 =   Bu ^((~Ba)&  Be );
708 
709             Be = ROL32((Aga0^Da0), 18);
710             Bi = ROL32((Ake0^De0), 5);
711             Bo = ROL32((Ami1^Di1), 8);
712             Bu = ROL32((Aso0^Do0), 28);
713             Ba = ROL32((Abu1^Du1), 14);
714             Aga0 =   Ba ^((~Be)&  Bi );
715             Ake0 =   Be ^((~Bi)&  Bo );
716             Ami1 =   Bi ^((~Bo)&  Bu );
717             Aso0 =   Bo ^((~Bu)&  Ba );
718             Abu1 =   Bu ^((~Ba)&  Be );
719 
720             Be = ROL32((Aga1^Da1), 18);
721             Bi = ROL32((Ake1^De1), 5);
722             Bo = ROL32((Ami0^Di0), 7);
723             Bu = ROL32((Aso1^Do1), 28);
724             Ba = ROL32((Abu0^Du0), 13);
725             Aga1 =   Ba ^((~Be)&  Bi );
726             Ake1 =   Be ^((~Bi)&  Bo );
727             Ami0 =   Bi ^((~Bo)&  Bu );
728             Aso1 =   Bo ^((~Bu)&  Ba );
729             Abu0 =   Bu ^((~Ba)&  Be );
730 
731             Bo = ROL32((Ama1^Da1), 21);
732             Bu = ROL32((Ase0^De0), 1);
733             Ba = ROL32((Abi0^Di0), 31);
734             Be = ROL32((Ago1^Do1), 28);
735             Bi = ROL32((Aku1^Du1), 20);
736             Ama1 =   Ba ^((~Be)&  Bi );
737             Ase0 =   Be ^((~Bi)&  Bo );
738             Abi0 =   Bi ^((~Bo)&  Bu );
739             Ago1 =   Bo ^((~Bu)&  Ba );
740             Aku1 =   Bu ^((~Ba)&  Be );
741 
742             Bo = ROL32((Ama0^Da0), 20);
743             Bu = ROL32((Ase1^De1), 1);
744             Ba = ROL32((Abi1^Di1), 31);
745             Be = ROL32((Ago0^Do0), 27);
746             Bi = ROL32((Aku0^Du0), 19);
747             Ama0 =   Ba ^((~Be)&  Bi );
748             Ase1 =   Be ^((~Bi)&  Bo );
749             Abi1 =   Bi ^((~Bo)&  Bu );
750             Ago0 =   Bo ^((~Bu)&  Ba );
751             Aku0 =   Bu ^((~Ba)&  Be );
752 
753             KeccakAtoD_round1();
754 
755             Ba = (Aba0^Da0);
756             Be = ROL32((Ame1^De0), 22);
757             Bi = ROL32((Agi1^Di1), 22);
758             Bo = ROL32((Aso1^Do1), 11);
759             Bu = ROL32((Aku1^Du0), 7);
760             Aba0 =   Ba ^((~Be)&  Bi );
761             Aba0 ^= *(pRoundConstants++);
762             Ame1 =   Be ^((~Bi)&  Bo );
763             Agi1 =   Bi ^((~Bo)&  Bu );
764             Aso1 =   Bo ^((~Bu)&  Ba );
765             Aku1 =   Bu ^((~Ba)&  Be );
766 
767             Ba = (Aba1^Da1);
768             Be = ROL32((Ame0^De1), 22);
769             Bi = ROL32((Agi0^Di0), 21);
770             Bo = ROL32((Aso0^Do0), 10);
771             Bu = ROL32((Aku0^Du1), 7);
772             Aba1 =   Ba ^((~Be)&  Bi );
773             Aba1 ^= *(pRoundConstants++);
774             Ame0 =   Be ^((~Bi)&  Bo );
775             Agi0 =   Bi ^((~Bo)&  Bu );
776             Aso0 =   Bo ^((~Bu)&  Ba );
777             Aku0 =   Bu ^((~Ba)&  Be );
778 
779             Bi = ROL32((Asa1^Da1), 2);
780             Bo = ROL32((Ake1^De1), 23);
781             Bu = ROL32((Abi1^Di1), 31);
782             Ba = ROL32((Amo1^Do0), 14);
783             Be = ROL32((Agu0^Du0), 10);
784             Asa1 =   Ba ^((~Be)&  Bi );
785             Ake1 =   Be ^((~Bi)&  Bo );
786             Abi1 =   Bi ^((~Bo)&  Bu );
787             Amo1 =   Bo ^((~Bu)&  Ba );
788             Agu0 =   Bu ^((~Ba)&  Be );
789 
790             Bi = ROL32((Asa0^Da0), 1);
791             Bo = ROL32((Ake0^De0), 22);
792             Bu = ROL32((Abi0^Di0), 30);
793             Ba = ROL32((Amo0^Do1), 14);
794             Be = ROL32((Agu1^Du1), 10);
795             Asa0 =   Ba ^((~Be)&  Bi );
796             Ake0 =   Be ^((~Bi)&  Bo );
797             Abi0 =   Bi ^((~Bo)&  Bu );
798             Amo0 =   Bo ^((~Bu)&  Ba );
799             Agu1 =   Bu ^((~Ba)&  Be );
800 
801             Bu = ROL32((Ama1^Da0), 9);
802             Ba = ROL32((Age1^De1), 1);
803             Be = ROL32((Asi1^Di0), 3);
804             Bi = ROL32((Ako0^Do1), 13);
805             Bo = ROL32((Abu1^Du0), 4);
806             Ama1 =   Ba ^((~Be)&  Bi );
807             Age1 =   Be ^((~Bi)&  Bo );
808             Asi1 =   Bi ^((~Bo)&  Bu );
809             Ako0 =   Bo ^((~Bu)&  Ba );
810             Abu1 =   Bu ^((~Ba)&  Be );
811 
812             Bu = ROL32((Ama0^Da1), 9);
813             Ba = (Age0^De0);
814             Be = ROL32((Asi0^Di1), 3);
815             Bi = ROL32((Ako1^Do0), 12);
816             Bo = ROL32((Abu0^Du1), 4);
817             Ama0 =   Ba ^((~Be)&  Bi );
818             Age0 =   Be ^((~Bi)&  Bo );
819             Asi0 =   Bi ^((~Bo)&  Bu );
820             Ako1 =   Bo ^((~Bu)&  Ba );
821             Abu0 =   Bu ^((~Ba)&  Be );
822 
823             Be = ROL32((Aka1^Da0), 18);
824             Bi = ROL32((Abe1^De0), 5);
825             Bo = ROL32((Ami0^Di1), 8);
826             Bu = ROL32((Ago1^Do0), 28);
827             Ba = ROL32((Asu1^Du1), 14);
828             Aka1 =   Ba ^((~Be)&  Bi );
829             Abe1 =   Be ^((~Bi)&  Bo );
830             Ami0 =   Bi ^((~Bo)&  Bu );
831             Ago1 =   Bo ^((~Bu)&  Ba );
832             Asu1 =   Bu ^((~Ba)&  Be );
833 
834             Be = ROL32((Aka0^Da1), 18);
835             Bi = ROL32((Abe0^De1), 5);
836             Bo = ROL32((Ami1^Di0), 7);
837             Bu = ROL32((Ago0^Do1), 28);
838             Ba = ROL32((Asu0^Du0), 13);
839             Aka0 =   Ba ^((~Be)&  Bi );
840             Abe0 =   Be ^((~Bi)&  Bo );
841             Ami1 =   Bi ^((~Bo)&  Bu );
842             Ago0 =   Bo ^((~Bu)&  Ba );
843             Asu0 =   Bu ^((~Ba)&  Be );
844 
845             Bo = ROL32((Aga1^Da1), 21);
846             Bu = ROL32((Ase0^De0), 1);
847             Ba = ROL32((Aki1^Di0), 31);
848             Be = ROL32((Abo1^Do1), 28);
849             Bi = ROL32((Amu1^Du1), 20);
850             Aga1 =   Ba ^((~Be)&  Bi );
851             Ase0 =   Be ^((~Bi)&  Bo );
852             Aki1 =   Bi ^((~Bo)&  Bu );
853             Abo1 =   Bo ^((~Bu)&  Ba );
854             Amu1 =   Bu ^((~Ba)&  Be );
855 
856             Bo = ROL32((Aga0^Da0), 20);
857             Bu = ROL32((Ase1^De1), 1);
858             Ba = ROL32((Aki0^Di1), 31);
859             Be = ROL32((Abo0^Do0), 27);
860             Bi = ROL32((Amu0^Du0), 19);
861             Aga0 =   Ba ^((~Be)&  Bi );
862             Ase1 =   Be ^((~Bi)&  Bo );
863             Aki0 =   Bi ^((~Bo)&  Bu );
864             Abo0 =   Bo ^((~Bu)&  Ba );
865             Amu0 =   Bu ^((~Ba)&  Be );
866 
867             KeccakAtoD_round2();
868 
869             Ba = (Aba0^Da0);
870             Be = ROL32((Ake1^De0), 22);
871             Bi = ROL32((Asi0^Di1), 22);
872             Bo = ROL32((Ago0^Do1), 11);
873             Bu = ROL32((Amu1^Du0), 7);
874             Aba0 =   Ba ^((~Be)&  Bi );
875             Aba0 ^= *(pRoundConstants++);
876             Ake1 =   Be ^((~Bi)&  Bo );
877             Asi0 =   Bi ^((~Bo)&  Bu );
878             Ago0 =   Bo ^((~Bu)&  Ba );
879             Amu1 =   Bu ^((~Ba)&  Be );
880 
881             Ba = (Aba1^Da1);
882             Be = ROL32((Ake0^De1), 22);
883             Bi = ROL32((Asi1^Di0), 21);
884             Bo = ROL32((Ago1^Do0), 10);
885             Bu = ROL32((Amu0^Du1), 7);
886             Aba1 =   Ba ^((~Be)&  Bi );
887             Aba1 ^= *(pRoundConstants++);
888             Ake0 =   Be ^((~Bi)&  Bo );
889             Asi1 =   Bi ^((~Bo)&  Bu );
890             Ago1 =   Bo ^((~Bu)&  Ba );
891             Amu0 =   Bu ^((~Ba)&  Be );
892 
893             Bi = ROL32((Ama0^Da1), 2);
894             Bo = ROL32((Abe0^De1), 23);
895             Bu = ROL32((Aki0^Di1), 31);
896             Ba = ROL32((Aso1^Do0), 14);
897             Be = ROL32((Agu0^Du0), 10);
898             Ama0 =   Ba ^((~Be)&  Bi );
899             Abe0 =   Be ^((~Bi)&  Bo );
900             Aki0 =   Bi ^((~Bo)&  Bu );
901             Aso1 =   Bo ^((~Bu)&  Ba );
902             Agu0 =   Bu ^((~Ba)&  Be );
903 
904             Bi = ROL32((Ama1^Da0), 1);
905             Bo = ROL32((Abe1^De0), 22);
906             Bu = ROL32((Aki1^Di0), 30);
907             Ba = ROL32((Aso0^Do1), 14);
908             Be = ROL32((Agu1^Du1), 10);
909             Ama1 =   Ba ^((~Be)&  Bi );
910             Abe1 =   Be ^((~Bi)&  Bo );
911             Aki1 =   Bi ^((~Bo)&  Bu );
912             Aso0 =   Bo ^((~Bu)&  Ba );
913             Agu1 =   Bu ^((~Ba)&  Be );
914 
915             Bu = ROL32((Aga1^Da0), 9);
916             Ba = ROL32((Ame0^De1), 1);
917             Be = ROL32((Abi1^Di0), 3);
918             Bi = ROL32((Ako1^Do1), 13);
919             Bo = ROL32((Asu1^Du0), 4);
920             Aga1 =   Ba ^((~Be)&  Bi );
921             Ame0 =   Be ^((~Bi)&  Bo );
922             Abi1 =   Bi ^((~Bo)&  Bu );
923             Ako1 =   Bo ^((~Bu)&  Ba );
924             Asu1 =   Bu ^((~Ba)&  Be );
925 
926             Bu = ROL32((Aga0^Da1), 9);
927             Ba = (Ame1^De0);
928             Be = ROL32((Abi0^Di1), 3);
929             Bi = ROL32((Ako0^Do0), 12);
930             Bo = ROL32((Asu0^Du1), 4);
931             Aga0 =   Ba ^((~Be)&  Bi );
932             Ame1 =   Be ^((~Bi)&  Bo );
933             Abi0 =   Bi ^((~Bo)&  Bu );
934             Ako0 =   Bo ^((~Bu)&  Ba );
935             Asu0 =   Bu ^((~Ba)&  Be );
936 
937             Be = ROL32((Asa1^Da0), 18);
938             Bi = ROL32((Age1^De0), 5);
939             Bo = ROL32((Ami1^Di1), 8);
940             Bu = ROL32((Abo1^Do0), 28);
941             Ba = ROL32((Aku0^Du1), 14);
942             Asa1 =   Ba ^((~Be)&  Bi );
943             Age1 =   Be ^((~Bi)&  Bo );
944             Ami1 =   Bi ^((~Bo)&  Bu );
945             Abo1 =   Bo ^((~Bu)&  Ba );
946             Aku0 =   Bu ^((~Ba)&  Be );
947 
948             Be = ROL32((Asa0^Da1), 18);
949             Bi = ROL32((Age0^De1), 5);
950             Bo = ROL32((Ami0^Di0), 7);
951             Bu = ROL32((Abo0^Do1), 28);
952             Ba = ROL32((Aku1^Du0), 13);
953             Asa0 =   Ba ^((~Be)&  Bi );
954             Age0 =   Be ^((~Bi)&  Bo );
955             Ami0 =   Bi ^((~Bo)&  Bu );
956             Abo0 =   Bo ^((~Bu)&  Ba );
957             Aku1 =   Bu ^((~Ba)&  Be );
958 
959             Bo = ROL32((Aka0^Da1), 21);
960             Bu = ROL32((Ase0^De0), 1);
961             Ba = ROL32((Agi1^Di0), 31);
962             Be = ROL32((Amo0^Do1), 28);
963             Bi = ROL32((Abu0^Du1), 20);
964             Aka0 =   Ba ^((~Be)&  Bi );
965             Ase0 =   Be ^((~Bi)&  Bo );
966             Agi1 =   Bi ^((~Bo)&  Bu );
967             Amo0 =   Bo ^((~Bu)&  Ba );
968             Abu0 =   Bu ^((~Ba)&  Be );
969 
970             Bo = ROL32((Aka1^Da0), 20);
971             Bu = ROL32((Ase1^De1), 1);
972             Ba = ROL32((Agi0^Di1), 31);
973             Be = ROL32((Amo1^Do0), 27);
974             Bi = ROL32((Abu1^Du0), 19);
975             Aka1 =   Ba ^((~Be)&  Bi );
976             Ase1 =   Be ^((~Bi)&  Bo );
977             Agi0 =   Bi ^((~Bo)&  Bu );
978             Amo1 =   Bo ^((~Bu)&  Ba );
979             Abu1 =   Bu ^((~Ba)&  Be );
980 
981             KeccakAtoD_round3();
982 
983             Ba = (Aba0^Da0);
984             Be = ROL32((Abe0^De0), 22);
985             Bi = ROL32((Abi0^Di1), 22);
986             Bo = ROL32((Abo0^Do1), 11);
987             Bu = ROL32((Abu0^Du0), 7);
988             Aba0 =   Ba ^((~Be)&  Bi );
989             Aba0 ^= *(pRoundConstants++);
990             Abe0 =   Be ^((~Bi)&  Bo );
991             Abi0 =   Bi ^((~Bo)&  Bu );
992             Abo0 =   Bo ^((~Bu)&  Ba );
993             Abu0 =   Bu ^((~Ba)&  Be );
994 
995             Ba = (Aba1^Da1);
996             Be = ROL32((Abe1^De1), 22);
997             Bi = ROL32((Abi1^Di0), 21);
998             Bo = ROL32((Abo1^Do0), 10);
999             Bu = ROL32((Abu1^Du1), 7);
1000             Aba1 =   Ba ^((~Be)&  Bi );
1001             Aba1 ^= *(pRoundConstants++);
1002             Abe1 =   Be ^((~Bi)&  Bo );
1003             Abi1 =   Bi ^((~Bo)&  Bu );
1004             Abo1 =   Bo ^((~Bu)&  Ba );
1005             Abu1 =   Bu ^((~Ba)&  Be );
1006 
1007             Bi = ROL32((Aga0^Da1), 2);
1008             Bo = ROL32((Age0^De1), 23);
1009             Bu = ROL32((Agi0^Di1), 31);
1010             Ba = ROL32((Ago0^Do0), 14);
1011             Be = ROL32((Agu0^Du0), 10);
1012             Aga0 =   Ba ^((~Be)&  Bi );
1013             Age0 =   Be ^((~Bi)&  Bo );
1014             Agi0 =   Bi ^((~Bo)&  Bu );
1015             Ago0 =   Bo ^((~Bu)&  Ba );
1016             Agu0 =   Bu ^((~Ba)&  Be );
1017 
1018             Bi = ROL32((Aga1^Da0), 1);
1019             Bo = ROL32((Age1^De0), 22);
1020             Bu = ROL32((Agi1^Di0), 30);
1021             Ba = ROL32((Ago1^Do1), 14);
1022             Be = ROL32((Agu1^Du1), 10);
1023             Aga1 =   Ba ^((~Be)&  Bi );
1024             Age1 =   Be ^((~Bi)&  Bo );
1025             Agi1 =   Bi ^((~Bo)&  Bu );
1026             Ago1 =   Bo ^((~Bu)&  Ba );
1027             Agu1 =   Bu ^((~Ba)&  Be );
1028 
1029             Bu = ROL32((Aka0^Da0), 9);
1030             Ba = ROL32((Ake0^De1), 1);
1031             Be = ROL32((Aki0^Di0), 3);
1032             Bi = ROL32((Ako0^Do1), 13);
1033             Bo = ROL32((Aku0^Du0), 4);
1034             Aka0 =   Ba ^((~Be)&  Bi );
1035             Ake0 =   Be ^((~Bi)&  Bo );
1036             Aki0 =   Bi ^((~Bo)&  Bu );
1037             Ako0 =   Bo ^((~Bu)&  Ba );
1038             Aku0 =   Bu ^((~Ba)&  Be );
1039 
1040             Bu = ROL32((Aka1^Da1), 9);
1041             Ba = (Ake1^De0);
1042             Be = ROL32((Aki1^Di1), 3);
1043             Bi = ROL32((Ako1^Do0), 12);
1044             Bo = ROL32((Aku1^Du1), 4);
1045             Aka1 =   Ba ^((~Be)&  Bi );
1046             Ake1 =   Be ^((~Bi)&  Bo );
1047             Aki1 =   Bi ^((~Bo)&  Bu );
1048             Ako1 =   Bo ^((~Bu)&  Ba );
1049             Aku1 =   Bu ^((~Ba)&  Be );
1050 
1051             Be = ROL32((Ama0^Da0), 18);
1052             Bi = ROL32((Ame0^De0), 5);
1053             Bo = ROL32((Ami0^Di1), 8);
1054             Bu = ROL32((Amo0^Do0), 28);
1055             Ba = ROL32((Amu0^Du1), 14);
1056             Ama0 =   Ba ^((~Be)&  Bi );
1057             Ame0 =   Be ^((~Bi)&  Bo );
1058             Ami0 =   Bi ^((~Bo)&  Bu );
1059             Amo0 =   Bo ^((~Bu)&  Ba );
1060             Amu0 =   Bu ^((~Ba)&  Be );
1061 
1062             Be = ROL32((Ama1^Da1), 18);
1063             Bi = ROL32((Ame1^De1), 5);
1064             Bo = ROL32((Ami1^Di0), 7);
1065             Bu = ROL32((Amo1^Do1), 28);
1066             Ba = ROL32((Amu1^Du0), 13);
1067             Ama1 =   Ba ^((~Be)&  Bi );
1068             Ame1 =   Be ^((~Bi)&  Bo );
1069             Ami1 =   Bi ^((~Bo)&  Bu );
1070             Amo1 =   Bo ^((~Bu)&  Ba );
1071             Amu1 =   Bu ^((~Ba)&  Be );
1072 
1073             Bo = ROL32((Asa0^Da1), 21);
1074             Bu = ROL32((Ase0^De0), 1);
1075             Ba = ROL32((Asi0^Di0), 31);
1076             Be = ROL32((Aso0^Do1), 28);
1077             Bi = ROL32((Asu0^Du1), 20);
1078             Asa0 =   Ba ^((~Be)&  Bi );
1079             Ase0 =   Be ^((~Bi)&  Bo );
1080             Asi0 =   Bi ^((~Bo)&  Bu );
1081             Aso0 =   Bo ^((~Bu)&  Ba );
1082             Asu0 =   Bu ^((~Ba)&  Be );
1083 
1084             Bo = ROL32((Asa1^Da0), 20);
1085             Bu = ROL32((Ase1^De1), 1);
1086             Ba = ROL32((Asi1^Di1), 31);
1087             Be = ROL32((Aso1^Do0), 27);
1088             Bi = ROL32((Asu1^Du0), 19);
1089             Asa1 =   Ba ^((~Be)&  Bi );
1090             Ase1 =   Be ^((~Bi)&  Bo );
1091             Asi1 =   Bi ^((~Bo)&  Bu );
1092             Aso1 =   Bo ^((~Bu)&  Ba );
1093             Asu1 =   Bu ^((~Ba)&  Be );
1094         }
1095         while ( *pRoundConstants != 0xFF );
1096 
1097         #undef Aba0
1098         #undef Aba1
1099         #undef Abe0
1100         #undef Abe1
1101         #undef Abi0
1102         #undef Abi1
1103         #undef Abo0
1104         #undef Abo1
1105         #undef Abu0
1106         #undef Abu1
1107         #undef Aga0
1108         #undef Aga1
1109         #undef Age0
1110         #undef Age1
1111         #undef Agi0
1112         #undef Agi1
1113         #undef Ago0
1114         #undef Ago1
1115         #undef Agu0
1116         #undef Agu1
1117         #undef Aka0
1118         #undef Aka1
1119         #undef Ake0
1120         #undef Ake1
1121         #undef Aki0
1122         #undef Aki1
1123         #undef Ako0
1124         #undef Ako1
1125         #undef Aku0
1126         #undef Aku1
1127         #undef Ama0
1128         #undef Ama1
1129         #undef Ame0
1130         #undef Ame1
1131         #undef Ami0
1132         #undef Ami1
1133         #undef Amo0
1134         #undef Amo1
1135         #undef Amu0
1136         #undef Amu1
1137         #undef Asa0
1138         #undef Asa1
1139         #undef Ase0
1140         #undef Ase1
1141         #undef Asi0
1142         #undef Asi1
1143         #undef Aso0
1144         #undef Aso1
1145         #undef Asu0
1146         #undef Asu1
1147     }
1148 }
1149 
1150 /* ---------------------------------------------------------------- */
1151 
KeccakP1600_Permute_12rounds(void * state)1152 void KeccakP1600_Permute_12rounds(void *state)
1153 {
1154      KeccakP1600_Permute_Nrounds(state, 12);
1155 }
1156 
1157 /* ---------------------------------------------------------------- */
1158 
KeccakP1600_Permute_24rounds(void * state)1159 void KeccakP1600_Permute_24rounds(void *state)
1160 {
1161      KeccakP1600_Permute_Nrounds(state, 24);
1162 }
1163