1 /*
2 Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni,
3 Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby
4 denoted as "the implementer".
5
6 For more information, feedback or questions, please refer to our websites:
7 http://keccak.noekeon.org/
8 http://keyak.noekeon.org/
9 http://ketje.noekeon.org/
10
11 To the extent possible under law, the implementer has waived all copyright
12 and related or neighboring rights to the source code in this file.
13 http://creativecommons.org/publicdomain/zero/1.0/
14 */
15
16 #include <string.h>
17 /* #include "brg_endian.h" */
18 #include "KeccakP-1600-SnP.h"
19 #include "SnP-Relaned.h"
20
21 typedef unsigned char UINT8;
22 typedef unsigned int UINT32;
23 /* WARNING: on 8-bit and 16-bit platforms, this should be replaced by: */
24
25 /*typedef unsigned long UINT32; */
26
27
28 #define ROL32(a, offset) ((((UINT32)a) << (offset)) ^ (((UINT32)a) >> (32-(offset))))
29
30 /* Credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
31
32 #define prepareToBitInterleaving(low, high, temp, temp0, temp1) \
33 temp0 = (low); \
34 temp = (temp0 ^ (temp0 >> 1)) & 0x22222222UL; temp0 = temp0 ^ temp ^ (temp << 1); \
35 temp = (temp0 ^ (temp0 >> 2)) & 0x0C0C0C0CUL; temp0 = temp0 ^ temp ^ (temp << 2); \
36 temp = (temp0 ^ (temp0 >> 4)) & 0x00F000F0UL; temp0 = temp0 ^ temp ^ (temp << 4); \
37 temp = (temp0 ^ (temp0 >> 8)) & 0x0000FF00UL; temp0 = temp0 ^ temp ^ (temp << 8); \
38 temp1 = (high); \
39 temp = (temp1 ^ (temp1 >> 1)) & 0x22222222UL; temp1 = temp1 ^ temp ^ (temp << 1); \
40 temp = (temp1 ^ (temp1 >> 2)) & 0x0C0C0C0CUL; temp1 = temp1 ^ temp ^ (temp << 2); \
41 temp = (temp1 ^ (temp1 >> 4)) & 0x00F000F0UL; temp1 = temp1 ^ temp ^ (temp << 4); \
42 temp = (temp1 ^ (temp1 >> 8)) & 0x0000FF00UL; temp1 = temp1 ^ temp ^ (temp << 8);
43
44 #define toBitInterleavingAndXOR(low, high, even, odd, temp, temp0, temp1) \
45 prepareToBitInterleaving(low, high, temp, temp0, temp1) \
46 even ^= (temp0 & 0x0000FFFF) | (temp1 << 16); \
47 odd ^= (temp0 >> 16) | (temp1 & 0xFFFF0000);
48
49 #define toBitInterleavingAndAND(low, high, even, odd, temp, temp0, temp1) \
50 prepareToBitInterleaving(low, high, temp, temp0, temp1) \
51 even &= (temp0 & 0x0000FFFF) | (temp1 << 16); \
52 odd &= (temp0 >> 16) | (temp1 & 0xFFFF0000);
53
54 #define toBitInterleavingAndSet(low, high, even, odd, temp, temp0, temp1) \
55 prepareToBitInterleaving(low, high, temp, temp0, temp1) \
56 even = (temp0 & 0x0000FFFF) | (temp1 << 16); \
57 odd = (temp0 >> 16) | (temp1 & 0xFFFF0000);
58
59 /* Credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */
60
61 #define prepareFromBitInterleaving(even, odd, temp, temp0, temp1) \
62 temp0 = (even); \
63 temp1 = (odd); \
64 temp = (temp0 & 0x0000FFFF) | (temp1 << 16); \
65 temp1 = (temp0 >> 16) | (temp1 & 0xFFFF0000); \
66 temp0 = temp; \
67 temp = (temp0 ^ (temp0 >> 8)) & 0x0000FF00UL; temp0 = temp0 ^ temp ^ (temp << 8); \
68 temp = (temp0 ^ (temp0 >> 4)) & 0x00F000F0UL; temp0 = temp0 ^ temp ^ (temp << 4); \
69 temp = (temp0 ^ (temp0 >> 2)) & 0x0C0C0C0CUL; temp0 = temp0 ^ temp ^ (temp << 2); \
70 temp = (temp0 ^ (temp0 >> 1)) & 0x22222222UL; temp0 = temp0 ^ temp ^ (temp << 1); \
71 temp = (temp1 ^ (temp1 >> 8)) & 0x0000FF00UL; temp1 = temp1 ^ temp ^ (temp << 8); \
72 temp = (temp1 ^ (temp1 >> 4)) & 0x00F000F0UL; temp1 = temp1 ^ temp ^ (temp << 4); \
73 temp = (temp1 ^ (temp1 >> 2)) & 0x0C0C0C0CUL; temp1 = temp1 ^ temp ^ (temp << 2); \
74 temp = (temp1 ^ (temp1 >> 1)) & 0x22222222UL; temp1 = temp1 ^ temp ^ (temp << 1);
75
76 #define fromBitInterleaving(even, odd, low, high, temp, temp0, temp1) \
77 prepareFromBitInterleaving(even, odd, temp, temp0, temp1) \
78 low = temp0; \
79 high = temp1;
80
81 #define fromBitInterleavingAndXOR(even, odd, lowIn, highIn, lowOut, highOut, temp, temp0, temp1) \
82 prepareFromBitInterleaving(even, odd, temp, temp0, temp1) \
83 lowOut = lowIn ^ temp0; \
84 highOut = highIn ^ temp1;
85
KeccakP1600_SetBytesInLaneToZero(void * state,unsigned int lanePosition,unsigned int offset,unsigned int length)86 void KeccakP1600_SetBytesInLaneToZero(void *state, unsigned int lanePosition, unsigned int offset, unsigned int length)
87 {
88 UINT8 laneAsBytes[8];
89 UINT32 low, high;
90 UINT32 temp, temp0, temp1;
91 UINT32 *stateAsHalfLanes = (UINT32*)state;
92
93 memset(laneAsBytes, 0xFF, offset);
94 memset(laneAsBytes+offset, 0x00, length);
95 memset(laneAsBytes+offset+length, 0xFF, 8-offset-length);
96 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
97 low = *((UINT32*)(laneAsBytes+0));
98 high = *((UINT32*)(laneAsBytes+4));
99 #else
100 low = laneAsBytes[0]
101 | ((UINT32)(laneAsBytes[1]) << 8)
102 | ((UINT32)(laneAsBytes[2]) << 16)
103 | ((UINT32)(laneAsBytes[3]) << 24);
104 high = laneAsBytes[4]
105 | ((UINT32)(laneAsBytes[5]) << 8)
106 | ((UINT32)(laneAsBytes[6]) << 16)
107 | ((UINT32)(laneAsBytes[7]) << 24);
108 #endif
109 toBitInterleavingAndAND(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1);
110 }
111
112 /* ---------------------------------------------------------------- */
113
KeccakP1600_Initialize(void * state)114 void KeccakP1600_Initialize(void *state)
115 {
116 memset(state, 0, 200);
117 }
118
119 /* ---------------------------------------------------------------- */
120
KeccakP1600_AddByte(void * state,unsigned char byte,unsigned int offset)121 void KeccakP1600_AddByte(void *state, unsigned char byte, unsigned int offset)
122 {
123 unsigned int lanePosition = offset/8;
124 unsigned int offsetInLane = offset%8;
125 UINT32 low, high;
126 UINT32 temp, temp0, temp1;
127 UINT32 *stateAsHalfLanes = (UINT32*)state;
128
129 if (offsetInLane < 4) {
130 low = (UINT32)byte << (offsetInLane*8);
131 high = 0;
132 }
133 else {
134 low = 0;
135 high = (UINT32)byte << ((offsetInLane-4)*8);
136 }
137 toBitInterleavingAndXOR(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1);
138 }
139
140 /* ---------------------------------------------------------------- */
141
KeccakP1600_AddBytesInLane(void * state,unsigned int lanePosition,const unsigned char * data,unsigned int offset,unsigned int length)142 void KeccakP1600_AddBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length)
143 {
144 UINT8 laneAsBytes[8];
145 UINT32 low, high;
146 UINT32 temp, temp0, temp1;
147 UINT32 *stateAsHalfLanes = (UINT32*)state;
148
149 memset(laneAsBytes, 0, 8);
150 memcpy(laneAsBytes+offset, data, length);
151 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
152 low = *((UINT32*)(laneAsBytes+0));
153 high = *((UINT32*)(laneAsBytes+4));
154 #else
155 low = laneAsBytes[0]
156 | ((UINT32)(laneAsBytes[1]) << 8)
157 | ((UINT32)(laneAsBytes[2]) << 16)
158 | ((UINT32)(laneAsBytes[3]) << 24);
159 high = laneAsBytes[4]
160 | ((UINT32)(laneAsBytes[5]) << 8)
161 | ((UINT32)(laneAsBytes[6]) << 16)
162 | ((UINT32)(laneAsBytes[7]) << 24);
163 #endif
164 toBitInterleavingAndXOR(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1);
165 }
166
167 /* ---------------------------------------------------------------- */
168
KeccakP1600_AddLanes(void * state,const unsigned char * data,unsigned int laneCount)169 void KeccakP1600_AddLanes(void *state, const unsigned char *data, unsigned int laneCount)
170 {
171 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
172 const UINT32 * pI = (const UINT32 *)data;
173 UINT32 * pS = (UINT32*)state;
174 UINT32 t, x0, x1;
175 int i;
176 for (i = laneCount-1; i >= 0; --i) {
177 #ifdef NO_MISALIGNED_ACCESSES
178 UINT32 low;
179 UINT32 high;
180 memcpy(&low, pI++, 4);
181 memcpy(&high, pI++, 4);
182 toBitInterleavingAndXOR(low, high, *(pS++), *(pS++), t, x0, x1);
183 #else
184 toBitInterleavingAndXOR(*(pI++), *(pI++), *(pS++), *(pS++), t, x0, x1)
185 #endif
186 }
187 #else
188 unsigned int lanePosition;
189 for(lanePosition=0; lanePosition<laneCount; lanePosition++) {
190 UINT8 laneAsBytes[8];
191 UINT32 low, high, temp, temp0, temp1;
192 UINT32 *stateAsHalfLanes;
193 memcpy(laneAsBytes, data+lanePosition*8, 8);
194 low = laneAsBytes[0]
195 | ((UINT32)(laneAsBytes[1]) << 8)
196 | ((UINT32)(laneAsBytes[2]) << 16)
197 | ((UINT32)(laneAsBytes[3]) << 24);
198 high = laneAsBytes[4]
199 | ((UINT32)(laneAsBytes[5]) << 8)
200 | ((UINT32)(laneAsBytes[6]) << 16)
201 | ((UINT32)(laneAsBytes[7]) << 24);
202 stateAsHalfLanes = (UINT32*)state;
203 toBitInterleavingAndXOR(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1);
204 }
205 #endif
206 }
207
208 /* ---------------------------------------------------------------- */
209
KeccakP1600_AddBytes(void * state,const unsigned char * data,unsigned int offset,unsigned int length)210 void KeccakP1600_AddBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length)
211 {
212 SnP_AddBytes(state, data, offset, length, KeccakP1600_AddLanes, KeccakP1600_AddBytesInLane, 8);
213 }
214
215 /* ---------------------------------------------------------------- */
216
KeccakP1600_OverwriteBytesInLane(void * state,unsigned int lanePosition,const unsigned char * data,unsigned int offset,unsigned int length)217 void KeccakP1600_OverwriteBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length)
218 {
219 KeccakP1600_SetBytesInLaneToZero(state, lanePosition, offset, length);
220 KeccakP1600_AddBytesInLane(state, lanePosition, data, offset, length);
221 }
222
223 /* ---------------------------------------------------------------- */
224
KeccakP1600_OverwriteLanes(void * state,const unsigned char * data,unsigned int laneCount)225 void KeccakP1600_OverwriteLanes(void *state, const unsigned char *data, unsigned int laneCount)
226 {
227 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
228 const UINT32 * pI = (const UINT32 *)data;
229 UINT32 * pS = (UINT32 *)state;
230 UINT32 t, x0, x1;
231 int i;
232 for (i = laneCount-1; i >= 0; --i) {
233 #ifdef NO_MISALIGNED_ACCESSES
234 UINT32 low;
235 UINT32 high;
236 memcpy(&low, pI++, 4);
237 memcpy(&high, pI++, 4);
238 toBitInterleavingAndSet(low, high, *(pS++), *(pS++), t, x0, x1);
239 #else
240 toBitInterleavingAndSet(*(pI++), *(pI++), *(pS++), *(pS++), t, x0, x1)
241 #endif
242 }
243 #else
244 unsigned int lanePosition;
245 for(lanePosition=0; lanePosition<laneCount; lanePosition++) {
246 UINT8 laneAsBytes[8];
247 UINT32 low, high, temp, temp0, temp1;
248 UINT32 *stateAsHalfLanes;
249 memcpy(laneAsBytes, data+lanePosition*8, 8);
250 low = laneAsBytes[0]
251 | ((UINT32)(laneAsBytes[1]) << 8)
252 | ((UINT32)(laneAsBytes[2]) << 16)
253 | ((UINT32)(laneAsBytes[3]) << 24);
254 high = laneAsBytes[4]
255 | ((UINT32)(laneAsBytes[5]) << 8)
256 | ((UINT32)(laneAsBytes[6]) << 16)
257 | ((UINT32)(laneAsBytes[7]) << 24);
258 stateAsHalfLanes = (UINT32*)state;
259 toBitInterleavingAndSet(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1);
260 }
261 #endif
262 }
263
264 /* ---------------------------------------------------------------- */
265
KeccakP1600_OverwriteBytes(void * state,const unsigned char * data,unsigned int offset,unsigned int length)266 void KeccakP1600_OverwriteBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length)
267 {
268 SnP_OverwriteBytes(state, data, offset, length, KeccakP1600_OverwriteLanes, KeccakP1600_OverwriteBytesInLane, 8);
269 }
270
271 /* ---------------------------------------------------------------- */
272
KeccakP1600_OverwriteWithZeroes(void * state,unsigned int byteCount)273 void KeccakP1600_OverwriteWithZeroes(void *state, unsigned int byteCount)
274 {
275 UINT32 *stateAsHalfLanes = (UINT32*)state;
276 unsigned int i;
277
278 for(i=0; i<byteCount/8; i++) {
279 stateAsHalfLanes[i*2+0] = 0;
280 stateAsHalfLanes[i*2+1] = 0;
281 }
282 if (byteCount%8 != 0)
283 KeccakP1600_SetBytesInLaneToZero(state, byteCount/8, 0, byteCount%8);
284 }
285
286 /* ---------------------------------------------------------------- */
287
KeccakP1600_ExtractBytesInLane(const void * state,unsigned int lanePosition,unsigned char * data,unsigned int offset,unsigned int length)288 void KeccakP1600_ExtractBytesInLane(const void *state, unsigned int lanePosition, unsigned char *data, unsigned int offset, unsigned int length)
289 {
290 UINT32 *stateAsHalfLanes = (UINT32*)state;
291 UINT32 low, high, temp, temp0, temp1;
292 UINT8 laneAsBytes[8];
293
294 fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1);
295 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
296 *((UINT32*)(laneAsBytes+0)) = low;
297 *((UINT32*)(laneAsBytes+4)) = high;
298 #else
299 laneAsBytes[0] = low & 0xFF;
300 laneAsBytes[1] = (low >> 8) & 0xFF;
301 laneAsBytes[2] = (low >> 16) & 0xFF;
302 laneAsBytes[3] = (low >> 24) & 0xFF;
303 laneAsBytes[4] = high & 0xFF;
304 laneAsBytes[5] = (high >> 8) & 0xFF;
305 laneAsBytes[6] = (high >> 16) & 0xFF;
306 laneAsBytes[7] = (high >> 24) & 0xFF;
307 #endif
308 memcpy(data, laneAsBytes+offset, length);
309 }
310
311 /* ---------------------------------------------------------------- */
312
KeccakP1600_ExtractLanes(const void * state,unsigned char * data,unsigned int laneCount)313 void KeccakP1600_ExtractLanes(const void *state, unsigned char *data, unsigned int laneCount)
314 {
315 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
316 UINT32 * pI = (UINT32 *)data;
317 const UINT32 * pS = ( const UINT32 *)state;
318 UINT32 t, x0, x1;
319 int i;
320 for (i = laneCount-1; i >= 0; --i) {
321 #ifdef NO_MISALIGNED_ACCESSES
322 UINT32 low;
323 UINT32 high;
324 fromBitInterleaving(*(pS++), *(pS++), low, high, t, x0, x1);
325 memcpy(pI++, &low, 4);
326 memcpy(pI++, &high, 4);
327 #else
328 fromBitInterleaving(*(pS++), *(pS++), *(pI++), *(pI++), t, x0, x1)
329 #endif
330 }
331 #else
332 unsigned int lanePosition;
333 for(lanePosition=0; lanePosition<laneCount; lanePosition++) {
334 UINT32 *stateAsHalfLanes = (UINT32*)state;
335 UINT32 low, high, temp, temp0, temp1;
336 UINT8 laneAsBytes[8];
337 fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1);
338 laneAsBytes[0] = low & 0xFF;
339 laneAsBytes[1] = (low >> 8) & 0xFF;
340 laneAsBytes[2] = (low >> 16) & 0xFF;
341 laneAsBytes[3] = (low >> 24) & 0xFF;
342 laneAsBytes[4] = high & 0xFF;
343 laneAsBytes[5] = (high >> 8) & 0xFF;
344 laneAsBytes[6] = (high >> 16) & 0xFF;
345 laneAsBytes[7] = (high >> 24) & 0xFF;
346 memcpy(data+lanePosition*8, laneAsBytes, 8);
347 }
348 #endif
349 }
350
351 /* ---------------------------------------------------------------- */
352
KeccakP1600_ExtractBytes(const void * state,unsigned char * data,unsigned int offset,unsigned int length)353 void KeccakP1600_ExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length)
354 {
355 SnP_ExtractBytes(state, data, offset, length, KeccakP1600_ExtractLanes, KeccakP1600_ExtractBytesInLane, 8);
356 }
357
358 /* ---------------------------------------------------------------- */
359
KeccakP1600_ExtractAndAddBytesInLane(const void * state,unsigned int lanePosition,const unsigned char * input,unsigned char * output,unsigned int offset,unsigned int length)360 void KeccakP1600_ExtractAndAddBytesInLane(const void *state, unsigned int lanePosition, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length)
361 {
362 UINT32 *stateAsHalfLanes = (UINT32*)state;
363 UINT32 low, high, temp, temp0, temp1;
364 UINT8 laneAsBytes[8];
365 unsigned int i;
366
367 fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1);
368 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
369 *((UINT32*)(laneAsBytes+0)) = low;
370 *((UINT32*)(laneAsBytes+4)) = high;
371 #else
372 laneAsBytes[0] = low & 0xFF;
373 laneAsBytes[1] = (low >> 8) & 0xFF;
374 laneAsBytes[2] = (low >> 16) & 0xFF;
375 laneAsBytes[3] = (low >> 24) & 0xFF;
376 laneAsBytes[4] = high & 0xFF;
377 laneAsBytes[5] = (high >> 8) & 0xFF;
378 laneAsBytes[6] = (high >> 16) & 0xFF;
379 laneAsBytes[7] = (high >> 24) & 0xFF;
380 #endif
381 for(i=0; i<length; i++)
382 output[i] = input[i] ^ laneAsBytes[offset+i];
383 }
384
385 /* ---------------------------------------------------------------- */
386
KeccakP1600_ExtractAndAddLanes(const void * state,const unsigned char * input,unsigned char * output,unsigned int laneCount)387 void KeccakP1600_ExtractAndAddLanes(const void *state, const unsigned char *input, unsigned char *output, unsigned int laneCount)
388 {
389 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
390 const UINT32 * pI = (const UINT32 *)input;
391 UINT32 * pO = (UINT32 *)output;
392 const UINT32 * pS = (const UINT32 *)state;
393 UINT32 t, x0, x1;
394 int i;
395 for (i = laneCount-1; i >= 0; --i) {
396 #ifdef NO_MISALIGNED_ACCESSES
397 UINT32 low;
398 UINT32 high;
399 fromBitInterleaving(*(pS++), *(pS++), low, high, t, x0, x1);
400 *(pO++) = *(pI++) ^ low;
401 *(pO++) = *(pI++) ^ high;
402 #else
403 fromBitInterleavingAndXOR(*(pS++), *(pS++), *(pI++), *(pI++), *(pO++), *(pO++), t, x0, x1)
404 #endif
405 }
406 #else
407 unsigned int lanePosition;
408 for(lanePosition=0; lanePosition<laneCount; lanePosition++) {
409 UINT32 *stateAsHalfLanes = (UINT32*)state;
410 UINT32 low, high, temp, temp0, temp1;
411 UINT8 laneAsBytes[8];
412 fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1);
413 laneAsBytes[0] = low & 0xFF;
414 laneAsBytes[1] = (low >> 8) & 0xFF;
415 laneAsBytes[2] = (low >> 16) & 0xFF;
416 laneAsBytes[3] = (low >> 24) & 0xFF;
417 laneAsBytes[4] = high & 0xFF;
418 laneAsBytes[5] = (high >> 8) & 0xFF;
419 laneAsBytes[6] = (high >> 16) & 0xFF;
420 laneAsBytes[7] = (high >> 24) & 0xFF;
421 ((UINT32*)(output+lanePosition*8))[0] = ((UINT32*)(input+lanePosition*8))[0] ^ (*(const UINT32*)(laneAsBytes+0));
422 ((UINT32*)(output+lanePosition*8))[1] = ((UINT32*)(input+lanePosition*8))[0] ^ (*(const UINT32*)(laneAsBytes+4));
423 }
424 #endif
425 }
426 /* ---------------------------------------------------------------- */
427
KeccakP1600_ExtractAndAddBytes(const void * state,const unsigned char * input,unsigned char * output,unsigned int offset,unsigned int length)428 void KeccakP1600_ExtractAndAddBytes(const void *state, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length)
429 {
430 SnP_ExtractAndAddBytes(state, input, output, offset, length, KeccakP1600_ExtractAndAddLanes, KeccakP1600_ExtractAndAddBytesInLane, 8);
431 }
432
433 /* ---------------------------------------------------------------- */
434
435 static const UINT32 KeccakF1600RoundConstants_int2[2*24+1] =
436 {
437 0x00000001UL, 0x00000000UL,
438 0x00000000UL, 0x00000089UL,
439 0x00000000UL, 0x8000008bUL,
440 0x00000000UL, 0x80008080UL,
441 0x00000001UL, 0x0000008bUL,
442 0x00000001UL, 0x00008000UL,
443 0x00000001UL, 0x80008088UL,
444 0x00000001UL, 0x80000082UL,
445 0x00000000UL, 0x0000000bUL,
446 0x00000000UL, 0x0000000aUL,
447 0x00000001UL, 0x00008082UL,
448 0x00000000UL, 0x00008003UL,
449 0x00000001UL, 0x0000808bUL,
450 0x00000001UL, 0x8000000bUL,
451 0x00000001UL, 0x8000008aUL,
452 0x00000001UL, 0x80000081UL,
453 0x00000000UL, 0x80000081UL,
454 0x00000000UL, 0x80000008UL,
455 0x00000000UL, 0x00000083UL,
456 0x00000000UL, 0x80008003UL,
457 0x00000001UL, 0x80008088UL,
458 0x00000000UL, 0x80000088UL,
459 0x00000001UL, 0x00008000UL,
460 0x00000000UL, 0x80008082UL,
461 0x000000FFUL
462 };
463
464 #define KeccakAtoD_round0() \
465 Cx = Abu0^Agu0^Aku0^Amu0^Asu0; \
466 Du1 = Abe1^Age1^Ake1^Ame1^Ase1; \
467 Da0 = Cx^ROL32(Du1, 1); \
468 Cz = Abu1^Agu1^Aku1^Amu1^Asu1; \
469 Du0 = Abe0^Age0^Ake0^Ame0^Ase0; \
470 Da1 = Cz^Du0; \
471 \
472 Cw = Abi0^Agi0^Aki0^Ami0^Asi0; \
473 Do0 = Cw^ROL32(Cz, 1); \
474 Cy = Abi1^Agi1^Aki1^Ami1^Asi1; \
475 Do1 = Cy^Cx; \
476 \
477 Cx = Aba0^Aga0^Aka0^Ama0^Asa0; \
478 De0 = Cx^ROL32(Cy, 1); \
479 Cz = Aba1^Aga1^Aka1^Ama1^Asa1; \
480 De1 = Cz^Cw; \
481 \
482 Cy = Abo1^Ago1^Ako1^Amo1^Aso1; \
483 Di0 = Du0^ROL32(Cy, 1); \
484 Cw = Abo0^Ago0^Ako0^Amo0^Aso0; \
485 Di1 = Du1^Cw; \
486 \
487 Du0 = Cw^ROL32(Cz, 1); \
488 Du1 = Cy^Cx; \
489
490 #define KeccakAtoD_round1() \
491 Cx = Asu0^Agu0^Amu0^Abu1^Aku1; \
492 Du1 = Age1^Ame0^Abe0^Ake1^Ase1; \
493 Da0 = Cx^ROL32(Du1, 1); \
494 Cz = Asu1^Agu1^Amu1^Abu0^Aku0; \
495 Du0 = Age0^Ame1^Abe1^Ake0^Ase0; \
496 Da1 = Cz^Du0; \
497 \
498 Cw = Aki1^Asi1^Agi0^Ami1^Abi0; \
499 Do0 = Cw^ROL32(Cz, 1); \
500 Cy = Aki0^Asi0^Agi1^Ami0^Abi1; \
501 Do1 = Cy^Cx; \
502 \
503 Cx = Aba0^Aka1^Asa0^Aga0^Ama1; \
504 De0 = Cx^ROL32(Cy, 1); \
505 Cz = Aba1^Aka0^Asa1^Aga1^Ama0; \
506 De1 = Cz^Cw; \
507 \
508 Cy = Amo0^Abo1^Ako0^Aso1^Ago0; \
509 Di0 = Du0^ROL32(Cy, 1); \
510 Cw = Amo1^Abo0^Ako1^Aso0^Ago1; \
511 Di1 = Du1^Cw; \
512 \
513 Du0 = Cw^ROL32(Cz, 1); \
514 Du1 = Cy^Cx; \
515
516 #define KeccakAtoD_round2() \
517 Cx = Aku1^Agu0^Abu1^Asu1^Amu1; \
518 Du1 = Ame0^Ake0^Age0^Abe0^Ase1; \
519 Da0 = Cx^ROL32(Du1, 1); \
520 Cz = Aku0^Agu1^Abu0^Asu0^Amu0; \
521 Du0 = Ame1^Ake1^Age1^Abe1^Ase0; \
522 Da1 = Cz^Du0; \
523 \
524 Cw = Agi1^Abi1^Asi1^Ami0^Aki1; \
525 Do0 = Cw^ROL32(Cz, 1); \
526 Cy = Agi0^Abi0^Asi0^Ami1^Aki0; \
527 Do1 = Cy^Cx; \
528 \
529 Cx = Aba0^Asa1^Ama1^Aka1^Aga1; \
530 De0 = Cx^ROL32(Cy, 1); \
531 Cz = Aba1^Asa0^Ama0^Aka0^Aga0; \
532 De1 = Cz^Cw; \
533 \
534 Cy = Aso0^Amo0^Ako1^Ago0^Abo0; \
535 Di0 = Du0^ROL32(Cy, 1); \
536 Cw = Aso1^Amo1^Ako0^Ago1^Abo1; \
537 Di1 = Du1^Cw; \
538 \
539 Du0 = Cw^ROL32(Cz, 1); \
540 Du1 = Cy^Cx; \
541
542 #define KeccakAtoD_round3() \
543 Cx = Amu1^Agu0^Asu1^Aku0^Abu0; \
544 Du1 = Ake0^Abe1^Ame1^Age0^Ase1; \
545 Da0 = Cx^ROL32(Du1, 1); \
546 Cz = Amu0^Agu1^Asu0^Aku1^Abu1; \
547 Du0 = Ake1^Abe0^Ame0^Age1^Ase0; \
548 Da1 = Cz^Du0; \
549 \
550 Cw = Asi0^Aki0^Abi1^Ami1^Agi1; \
551 Do0 = Cw^ROL32(Cz, 1); \
552 Cy = Asi1^Aki1^Abi0^Ami0^Agi0; \
553 Do1 = Cy^Cx; \
554 \
555 Cx = Aba0^Ama0^Aga1^Asa1^Aka0; \
556 De0 = Cx^ROL32(Cy, 1); \
557 Cz = Aba1^Ama1^Aga0^Asa0^Aka1; \
558 De1 = Cz^Cw; \
559 \
560 Cy = Ago1^Aso0^Ako0^Abo0^Amo1; \
561 Di0 = Du0^ROL32(Cy, 1); \
562 Cw = Ago0^Aso1^Ako1^Abo1^Amo0; \
563 Di1 = Du1^Cw; \
564 \
565 Du0 = Cw^ROL32(Cz, 1); \
566 Du1 = Cy^Cx; \
567
KeccakP1600_Permute_Nrounds(void * state,unsigned int nRounds)568 void KeccakP1600_Permute_Nrounds(void *state, unsigned int nRounds)
569 {
570 {
571 UINT32 Da0, De0, Di0, Do0, Du0;
572 UINT32 Da1, De1, Di1, Do1, Du1;
573 UINT32 Ca0, Ce0, Ci0, Co0, Cu0;
574 UINT32 Cx, Cy, Cz, Cw;
575 #define Ba Ca0
576 #define Be Ce0
577 #define Bi Ci0
578 #define Bo Co0
579 #define Bu Cu0
580 const UINT32 *pRoundConstants = KeccakF1600RoundConstants_int2+(24-nRounds)*2;
581 UINT32 *stateAsHalfLanes = (UINT32*)state;
582 #define Aba0 stateAsHalfLanes[ 0]
583 #define Aba1 stateAsHalfLanes[ 1]
584 #define Abe0 stateAsHalfLanes[ 2]
585 #define Abe1 stateAsHalfLanes[ 3]
586 #define Abi0 stateAsHalfLanes[ 4]
587 #define Abi1 stateAsHalfLanes[ 5]
588 #define Abo0 stateAsHalfLanes[ 6]
589 #define Abo1 stateAsHalfLanes[ 7]
590 #define Abu0 stateAsHalfLanes[ 8]
591 #define Abu1 stateAsHalfLanes[ 9]
592 #define Aga0 stateAsHalfLanes[10]
593 #define Aga1 stateAsHalfLanes[11]
594 #define Age0 stateAsHalfLanes[12]
595 #define Age1 stateAsHalfLanes[13]
596 #define Agi0 stateAsHalfLanes[14]
597 #define Agi1 stateAsHalfLanes[15]
598 #define Ago0 stateAsHalfLanes[16]
599 #define Ago1 stateAsHalfLanes[17]
600 #define Agu0 stateAsHalfLanes[18]
601 #define Agu1 stateAsHalfLanes[19]
602 #define Aka0 stateAsHalfLanes[20]
603 #define Aka1 stateAsHalfLanes[21]
604 #define Ake0 stateAsHalfLanes[22]
605 #define Ake1 stateAsHalfLanes[23]
606 #define Aki0 stateAsHalfLanes[24]
607 #define Aki1 stateAsHalfLanes[25]
608 #define Ako0 stateAsHalfLanes[26]
609 #define Ako1 stateAsHalfLanes[27]
610 #define Aku0 stateAsHalfLanes[28]
611 #define Aku1 stateAsHalfLanes[29]
612 #define Ama0 stateAsHalfLanes[30]
613 #define Ama1 stateAsHalfLanes[31]
614 #define Ame0 stateAsHalfLanes[32]
615 #define Ame1 stateAsHalfLanes[33]
616 #define Ami0 stateAsHalfLanes[34]
617 #define Ami1 stateAsHalfLanes[35]
618 #define Amo0 stateAsHalfLanes[36]
619 #define Amo1 stateAsHalfLanes[37]
620 #define Amu0 stateAsHalfLanes[38]
621 #define Amu1 stateAsHalfLanes[39]
622 #define Asa0 stateAsHalfLanes[40]
623 #define Asa1 stateAsHalfLanes[41]
624 #define Ase0 stateAsHalfLanes[42]
625 #define Ase1 stateAsHalfLanes[43]
626 #define Asi0 stateAsHalfLanes[44]
627 #define Asi1 stateAsHalfLanes[45]
628 #define Aso0 stateAsHalfLanes[46]
629 #define Aso1 stateAsHalfLanes[47]
630 #define Asu0 stateAsHalfLanes[48]
631 #define Asu1 stateAsHalfLanes[49]
632
633 do
634 {
635 /* --- Code for 4 rounds */
636
637 /* --- using factor 2 interleaving, 64-bit lanes mapped to 32-bit words */
638
639 KeccakAtoD_round0();
640
641 Ba = (Aba0^Da0);
642 Be = ROL32((Age0^De0), 22);
643 Bi = ROL32((Aki1^Di1), 22);
644 Bo = ROL32((Amo1^Do1), 11);
645 Bu = ROL32((Asu0^Du0), 7);
646 Aba0 = Ba ^((~Be)& Bi );
647 Aba0 ^= *(pRoundConstants++);
648 Age0 = Be ^((~Bi)& Bo );
649 Aki1 = Bi ^((~Bo)& Bu );
650 Amo1 = Bo ^((~Bu)& Ba );
651 Asu0 = Bu ^((~Ba)& Be );
652
653 Ba = (Aba1^Da1);
654 Be = ROL32((Age1^De1), 22);
655 Bi = ROL32((Aki0^Di0), 21);
656 Bo = ROL32((Amo0^Do0), 10);
657 Bu = ROL32((Asu1^Du1), 7);
658 Aba1 = Ba ^((~Be)& Bi );
659 Aba1 ^= *(pRoundConstants++);
660 Age1 = Be ^((~Bi)& Bo );
661 Aki0 = Bi ^((~Bo)& Bu );
662 Amo0 = Bo ^((~Bu)& Ba );
663 Asu1 = Bu ^((~Ba)& Be );
664
665 Bi = ROL32((Aka1^Da1), 2);
666 Bo = ROL32((Ame1^De1), 23);
667 Bu = ROL32((Asi1^Di1), 31);
668 Ba = ROL32((Abo0^Do0), 14);
669 Be = ROL32((Agu0^Du0), 10);
670 Aka1 = Ba ^((~Be)& Bi );
671 Ame1 = Be ^((~Bi)& Bo );
672 Asi1 = Bi ^((~Bo)& Bu );
673 Abo0 = Bo ^((~Bu)& Ba );
674 Agu0 = Bu ^((~Ba)& Be );
675
676 Bi = ROL32((Aka0^Da0), 1);
677 Bo = ROL32((Ame0^De0), 22);
678 Bu = ROL32((Asi0^Di0), 30);
679 Ba = ROL32((Abo1^Do1), 14);
680 Be = ROL32((Agu1^Du1), 10);
681 Aka0 = Ba ^((~Be)& Bi );
682 Ame0 = Be ^((~Bi)& Bo );
683 Asi0 = Bi ^((~Bo)& Bu );
684 Abo1 = Bo ^((~Bu)& Ba );
685 Agu1 = Bu ^((~Ba)& Be );
686
687 Bu = ROL32((Asa0^Da0), 9);
688 Ba = ROL32((Abe1^De1), 1);
689 Be = ROL32((Agi0^Di0), 3);
690 Bi = ROL32((Ako1^Do1), 13);
691 Bo = ROL32((Amu0^Du0), 4);
692 Asa0 = Ba ^((~Be)& Bi );
693 Abe1 = Be ^((~Bi)& Bo );
694 Agi0 = Bi ^((~Bo)& Bu );
695 Ako1 = Bo ^((~Bu)& Ba );
696 Amu0 = Bu ^((~Ba)& Be );
697
698 Bu = ROL32((Asa1^Da1), 9);
699 Ba = (Abe0^De0);
700 Be = ROL32((Agi1^Di1), 3);
701 Bi = ROL32((Ako0^Do0), 12);
702 Bo = ROL32((Amu1^Du1), 4);
703 Asa1 = Ba ^((~Be)& Bi );
704 Abe0 = Be ^((~Bi)& Bo );
705 Agi1 = Bi ^((~Bo)& Bu );
706 Ako0 = Bo ^((~Bu)& Ba );
707 Amu1 = Bu ^((~Ba)& Be );
708
709 Be = ROL32((Aga0^Da0), 18);
710 Bi = ROL32((Ake0^De0), 5);
711 Bo = ROL32((Ami1^Di1), 8);
712 Bu = ROL32((Aso0^Do0), 28);
713 Ba = ROL32((Abu1^Du1), 14);
714 Aga0 = Ba ^((~Be)& Bi );
715 Ake0 = Be ^((~Bi)& Bo );
716 Ami1 = Bi ^((~Bo)& Bu );
717 Aso0 = Bo ^((~Bu)& Ba );
718 Abu1 = Bu ^((~Ba)& Be );
719
720 Be = ROL32((Aga1^Da1), 18);
721 Bi = ROL32((Ake1^De1), 5);
722 Bo = ROL32((Ami0^Di0), 7);
723 Bu = ROL32((Aso1^Do1), 28);
724 Ba = ROL32((Abu0^Du0), 13);
725 Aga1 = Ba ^((~Be)& Bi );
726 Ake1 = Be ^((~Bi)& Bo );
727 Ami0 = Bi ^((~Bo)& Bu );
728 Aso1 = Bo ^((~Bu)& Ba );
729 Abu0 = Bu ^((~Ba)& Be );
730
731 Bo = ROL32((Ama1^Da1), 21);
732 Bu = ROL32((Ase0^De0), 1);
733 Ba = ROL32((Abi0^Di0), 31);
734 Be = ROL32((Ago1^Do1), 28);
735 Bi = ROL32((Aku1^Du1), 20);
736 Ama1 = Ba ^((~Be)& Bi );
737 Ase0 = Be ^((~Bi)& Bo );
738 Abi0 = Bi ^((~Bo)& Bu );
739 Ago1 = Bo ^((~Bu)& Ba );
740 Aku1 = Bu ^((~Ba)& Be );
741
742 Bo = ROL32((Ama0^Da0), 20);
743 Bu = ROL32((Ase1^De1), 1);
744 Ba = ROL32((Abi1^Di1), 31);
745 Be = ROL32((Ago0^Do0), 27);
746 Bi = ROL32((Aku0^Du0), 19);
747 Ama0 = Ba ^((~Be)& Bi );
748 Ase1 = Be ^((~Bi)& Bo );
749 Abi1 = Bi ^((~Bo)& Bu );
750 Ago0 = Bo ^((~Bu)& Ba );
751 Aku0 = Bu ^((~Ba)& Be );
752
753 KeccakAtoD_round1();
754
755 Ba = (Aba0^Da0);
756 Be = ROL32((Ame1^De0), 22);
757 Bi = ROL32((Agi1^Di1), 22);
758 Bo = ROL32((Aso1^Do1), 11);
759 Bu = ROL32((Aku1^Du0), 7);
760 Aba0 = Ba ^((~Be)& Bi );
761 Aba0 ^= *(pRoundConstants++);
762 Ame1 = Be ^((~Bi)& Bo );
763 Agi1 = Bi ^((~Bo)& Bu );
764 Aso1 = Bo ^((~Bu)& Ba );
765 Aku1 = Bu ^((~Ba)& Be );
766
767 Ba = (Aba1^Da1);
768 Be = ROL32((Ame0^De1), 22);
769 Bi = ROL32((Agi0^Di0), 21);
770 Bo = ROL32((Aso0^Do0), 10);
771 Bu = ROL32((Aku0^Du1), 7);
772 Aba1 = Ba ^((~Be)& Bi );
773 Aba1 ^= *(pRoundConstants++);
774 Ame0 = Be ^((~Bi)& Bo );
775 Agi0 = Bi ^((~Bo)& Bu );
776 Aso0 = Bo ^((~Bu)& Ba );
777 Aku0 = Bu ^((~Ba)& Be );
778
779 Bi = ROL32((Asa1^Da1), 2);
780 Bo = ROL32((Ake1^De1), 23);
781 Bu = ROL32((Abi1^Di1), 31);
782 Ba = ROL32((Amo1^Do0), 14);
783 Be = ROL32((Agu0^Du0), 10);
784 Asa1 = Ba ^((~Be)& Bi );
785 Ake1 = Be ^((~Bi)& Bo );
786 Abi1 = Bi ^((~Bo)& Bu );
787 Amo1 = Bo ^((~Bu)& Ba );
788 Agu0 = Bu ^((~Ba)& Be );
789
790 Bi = ROL32((Asa0^Da0), 1);
791 Bo = ROL32((Ake0^De0), 22);
792 Bu = ROL32((Abi0^Di0), 30);
793 Ba = ROL32((Amo0^Do1), 14);
794 Be = ROL32((Agu1^Du1), 10);
795 Asa0 = Ba ^((~Be)& Bi );
796 Ake0 = Be ^((~Bi)& Bo );
797 Abi0 = Bi ^((~Bo)& Bu );
798 Amo0 = Bo ^((~Bu)& Ba );
799 Agu1 = Bu ^((~Ba)& Be );
800
801 Bu = ROL32((Ama1^Da0), 9);
802 Ba = ROL32((Age1^De1), 1);
803 Be = ROL32((Asi1^Di0), 3);
804 Bi = ROL32((Ako0^Do1), 13);
805 Bo = ROL32((Abu1^Du0), 4);
806 Ama1 = Ba ^((~Be)& Bi );
807 Age1 = Be ^((~Bi)& Bo );
808 Asi1 = Bi ^((~Bo)& Bu );
809 Ako0 = Bo ^((~Bu)& Ba );
810 Abu1 = Bu ^((~Ba)& Be );
811
812 Bu = ROL32((Ama0^Da1), 9);
813 Ba = (Age0^De0);
814 Be = ROL32((Asi0^Di1), 3);
815 Bi = ROL32((Ako1^Do0), 12);
816 Bo = ROL32((Abu0^Du1), 4);
817 Ama0 = Ba ^((~Be)& Bi );
818 Age0 = Be ^((~Bi)& Bo );
819 Asi0 = Bi ^((~Bo)& Bu );
820 Ako1 = Bo ^((~Bu)& Ba );
821 Abu0 = Bu ^((~Ba)& Be );
822
823 Be = ROL32((Aka1^Da0), 18);
824 Bi = ROL32((Abe1^De0), 5);
825 Bo = ROL32((Ami0^Di1), 8);
826 Bu = ROL32((Ago1^Do0), 28);
827 Ba = ROL32((Asu1^Du1), 14);
828 Aka1 = Ba ^((~Be)& Bi );
829 Abe1 = Be ^((~Bi)& Bo );
830 Ami0 = Bi ^((~Bo)& Bu );
831 Ago1 = Bo ^((~Bu)& Ba );
832 Asu1 = Bu ^((~Ba)& Be );
833
834 Be = ROL32((Aka0^Da1), 18);
835 Bi = ROL32((Abe0^De1), 5);
836 Bo = ROL32((Ami1^Di0), 7);
837 Bu = ROL32((Ago0^Do1), 28);
838 Ba = ROL32((Asu0^Du0), 13);
839 Aka0 = Ba ^((~Be)& Bi );
840 Abe0 = Be ^((~Bi)& Bo );
841 Ami1 = Bi ^((~Bo)& Bu );
842 Ago0 = Bo ^((~Bu)& Ba );
843 Asu0 = Bu ^((~Ba)& Be );
844
845 Bo = ROL32((Aga1^Da1), 21);
846 Bu = ROL32((Ase0^De0), 1);
847 Ba = ROL32((Aki1^Di0), 31);
848 Be = ROL32((Abo1^Do1), 28);
849 Bi = ROL32((Amu1^Du1), 20);
850 Aga1 = Ba ^((~Be)& Bi );
851 Ase0 = Be ^((~Bi)& Bo );
852 Aki1 = Bi ^((~Bo)& Bu );
853 Abo1 = Bo ^((~Bu)& Ba );
854 Amu1 = Bu ^((~Ba)& Be );
855
856 Bo = ROL32((Aga0^Da0), 20);
857 Bu = ROL32((Ase1^De1), 1);
858 Ba = ROL32((Aki0^Di1), 31);
859 Be = ROL32((Abo0^Do0), 27);
860 Bi = ROL32((Amu0^Du0), 19);
861 Aga0 = Ba ^((~Be)& Bi );
862 Ase1 = Be ^((~Bi)& Bo );
863 Aki0 = Bi ^((~Bo)& Bu );
864 Abo0 = Bo ^((~Bu)& Ba );
865 Amu0 = Bu ^((~Ba)& Be );
866
867 KeccakAtoD_round2();
868
869 Ba = (Aba0^Da0);
870 Be = ROL32((Ake1^De0), 22);
871 Bi = ROL32((Asi0^Di1), 22);
872 Bo = ROL32((Ago0^Do1), 11);
873 Bu = ROL32((Amu1^Du0), 7);
874 Aba0 = Ba ^((~Be)& Bi );
875 Aba0 ^= *(pRoundConstants++);
876 Ake1 = Be ^((~Bi)& Bo );
877 Asi0 = Bi ^((~Bo)& Bu );
878 Ago0 = Bo ^((~Bu)& Ba );
879 Amu1 = Bu ^((~Ba)& Be );
880
881 Ba = (Aba1^Da1);
882 Be = ROL32((Ake0^De1), 22);
883 Bi = ROL32((Asi1^Di0), 21);
884 Bo = ROL32((Ago1^Do0), 10);
885 Bu = ROL32((Amu0^Du1), 7);
886 Aba1 = Ba ^((~Be)& Bi );
887 Aba1 ^= *(pRoundConstants++);
888 Ake0 = Be ^((~Bi)& Bo );
889 Asi1 = Bi ^((~Bo)& Bu );
890 Ago1 = Bo ^((~Bu)& Ba );
891 Amu0 = Bu ^((~Ba)& Be );
892
893 Bi = ROL32((Ama0^Da1), 2);
894 Bo = ROL32((Abe0^De1), 23);
895 Bu = ROL32((Aki0^Di1), 31);
896 Ba = ROL32((Aso1^Do0), 14);
897 Be = ROL32((Agu0^Du0), 10);
898 Ama0 = Ba ^((~Be)& Bi );
899 Abe0 = Be ^((~Bi)& Bo );
900 Aki0 = Bi ^((~Bo)& Bu );
901 Aso1 = Bo ^((~Bu)& Ba );
902 Agu0 = Bu ^((~Ba)& Be );
903
904 Bi = ROL32((Ama1^Da0), 1);
905 Bo = ROL32((Abe1^De0), 22);
906 Bu = ROL32((Aki1^Di0), 30);
907 Ba = ROL32((Aso0^Do1), 14);
908 Be = ROL32((Agu1^Du1), 10);
909 Ama1 = Ba ^((~Be)& Bi );
910 Abe1 = Be ^((~Bi)& Bo );
911 Aki1 = Bi ^((~Bo)& Bu );
912 Aso0 = Bo ^((~Bu)& Ba );
913 Agu1 = Bu ^((~Ba)& Be );
914
915 Bu = ROL32((Aga1^Da0), 9);
916 Ba = ROL32((Ame0^De1), 1);
917 Be = ROL32((Abi1^Di0), 3);
918 Bi = ROL32((Ako1^Do1), 13);
919 Bo = ROL32((Asu1^Du0), 4);
920 Aga1 = Ba ^((~Be)& Bi );
921 Ame0 = Be ^((~Bi)& Bo );
922 Abi1 = Bi ^((~Bo)& Bu );
923 Ako1 = Bo ^((~Bu)& Ba );
924 Asu1 = Bu ^((~Ba)& Be );
925
926 Bu = ROL32((Aga0^Da1), 9);
927 Ba = (Ame1^De0);
928 Be = ROL32((Abi0^Di1), 3);
929 Bi = ROL32((Ako0^Do0), 12);
930 Bo = ROL32((Asu0^Du1), 4);
931 Aga0 = Ba ^((~Be)& Bi );
932 Ame1 = Be ^((~Bi)& Bo );
933 Abi0 = Bi ^((~Bo)& Bu );
934 Ako0 = Bo ^((~Bu)& Ba );
935 Asu0 = Bu ^((~Ba)& Be );
936
937 Be = ROL32((Asa1^Da0), 18);
938 Bi = ROL32((Age1^De0), 5);
939 Bo = ROL32((Ami1^Di1), 8);
940 Bu = ROL32((Abo1^Do0), 28);
941 Ba = ROL32((Aku0^Du1), 14);
942 Asa1 = Ba ^((~Be)& Bi );
943 Age1 = Be ^((~Bi)& Bo );
944 Ami1 = Bi ^((~Bo)& Bu );
945 Abo1 = Bo ^((~Bu)& Ba );
946 Aku0 = Bu ^((~Ba)& Be );
947
948 Be = ROL32((Asa0^Da1), 18);
949 Bi = ROL32((Age0^De1), 5);
950 Bo = ROL32((Ami0^Di0), 7);
951 Bu = ROL32((Abo0^Do1), 28);
952 Ba = ROL32((Aku1^Du0), 13);
953 Asa0 = Ba ^((~Be)& Bi );
954 Age0 = Be ^((~Bi)& Bo );
955 Ami0 = Bi ^((~Bo)& Bu );
956 Abo0 = Bo ^((~Bu)& Ba );
957 Aku1 = Bu ^((~Ba)& Be );
958
959 Bo = ROL32((Aka0^Da1), 21);
960 Bu = ROL32((Ase0^De0), 1);
961 Ba = ROL32((Agi1^Di0), 31);
962 Be = ROL32((Amo0^Do1), 28);
963 Bi = ROL32((Abu0^Du1), 20);
964 Aka0 = Ba ^((~Be)& Bi );
965 Ase0 = Be ^((~Bi)& Bo );
966 Agi1 = Bi ^((~Bo)& Bu );
967 Amo0 = Bo ^((~Bu)& Ba );
968 Abu0 = Bu ^((~Ba)& Be );
969
970 Bo = ROL32((Aka1^Da0), 20);
971 Bu = ROL32((Ase1^De1), 1);
972 Ba = ROL32((Agi0^Di1), 31);
973 Be = ROL32((Amo1^Do0), 27);
974 Bi = ROL32((Abu1^Du0), 19);
975 Aka1 = Ba ^((~Be)& Bi );
976 Ase1 = Be ^((~Bi)& Bo );
977 Agi0 = Bi ^((~Bo)& Bu );
978 Amo1 = Bo ^((~Bu)& Ba );
979 Abu1 = Bu ^((~Ba)& Be );
980
981 KeccakAtoD_round3();
982
983 Ba = (Aba0^Da0);
984 Be = ROL32((Abe0^De0), 22);
985 Bi = ROL32((Abi0^Di1), 22);
986 Bo = ROL32((Abo0^Do1), 11);
987 Bu = ROL32((Abu0^Du0), 7);
988 Aba0 = Ba ^((~Be)& Bi );
989 Aba0 ^= *(pRoundConstants++);
990 Abe0 = Be ^((~Bi)& Bo );
991 Abi0 = Bi ^((~Bo)& Bu );
992 Abo0 = Bo ^((~Bu)& Ba );
993 Abu0 = Bu ^((~Ba)& Be );
994
995 Ba = (Aba1^Da1);
996 Be = ROL32((Abe1^De1), 22);
997 Bi = ROL32((Abi1^Di0), 21);
998 Bo = ROL32((Abo1^Do0), 10);
999 Bu = ROL32((Abu1^Du1), 7);
1000 Aba1 = Ba ^((~Be)& Bi );
1001 Aba1 ^= *(pRoundConstants++);
1002 Abe1 = Be ^((~Bi)& Bo );
1003 Abi1 = Bi ^((~Bo)& Bu );
1004 Abo1 = Bo ^((~Bu)& Ba );
1005 Abu1 = Bu ^((~Ba)& Be );
1006
1007 Bi = ROL32((Aga0^Da1), 2);
1008 Bo = ROL32((Age0^De1), 23);
1009 Bu = ROL32((Agi0^Di1), 31);
1010 Ba = ROL32((Ago0^Do0), 14);
1011 Be = ROL32((Agu0^Du0), 10);
1012 Aga0 = Ba ^((~Be)& Bi );
1013 Age0 = Be ^((~Bi)& Bo );
1014 Agi0 = Bi ^((~Bo)& Bu );
1015 Ago0 = Bo ^((~Bu)& Ba );
1016 Agu0 = Bu ^((~Ba)& Be );
1017
1018 Bi = ROL32((Aga1^Da0), 1);
1019 Bo = ROL32((Age1^De0), 22);
1020 Bu = ROL32((Agi1^Di0), 30);
1021 Ba = ROL32((Ago1^Do1), 14);
1022 Be = ROL32((Agu1^Du1), 10);
1023 Aga1 = Ba ^((~Be)& Bi );
1024 Age1 = Be ^((~Bi)& Bo );
1025 Agi1 = Bi ^((~Bo)& Bu );
1026 Ago1 = Bo ^((~Bu)& Ba );
1027 Agu1 = Bu ^((~Ba)& Be );
1028
1029 Bu = ROL32((Aka0^Da0), 9);
1030 Ba = ROL32((Ake0^De1), 1);
1031 Be = ROL32((Aki0^Di0), 3);
1032 Bi = ROL32((Ako0^Do1), 13);
1033 Bo = ROL32((Aku0^Du0), 4);
1034 Aka0 = Ba ^((~Be)& Bi );
1035 Ake0 = Be ^((~Bi)& Bo );
1036 Aki0 = Bi ^((~Bo)& Bu );
1037 Ako0 = Bo ^((~Bu)& Ba );
1038 Aku0 = Bu ^((~Ba)& Be );
1039
1040 Bu = ROL32((Aka1^Da1), 9);
1041 Ba = (Ake1^De0);
1042 Be = ROL32((Aki1^Di1), 3);
1043 Bi = ROL32((Ako1^Do0), 12);
1044 Bo = ROL32((Aku1^Du1), 4);
1045 Aka1 = Ba ^((~Be)& Bi );
1046 Ake1 = Be ^((~Bi)& Bo );
1047 Aki1 = Bi ^((~Bo)& Bu );
1048 Ako1 = Bo ^((~Bu)& Ba );
1049 Aku1 = Bu ^((~Ba)& Be );
1050
1051 Be = ROL32((Ama0^Da0), 18);
1052 Bi = ROL32((Ame0^De0), 5);
1053 Bo = ROL32((Ami0^Di1), 8);
1054 Bu = ROL32((Amo0^Do0), 28);
1055 Ba = ROL32((Amu0^Du1), 14);
1056 Ama0 = Ba ^((~Be)& Bi );
1057 Ame0 = Be ^((~Bi)& Bo );
1058 Ami0 = Bi ^((~Bo)& Bu );
1059 Amo0 = Bo ^((~Bu)& Ba );
1060 Amu0 = Bu ^((~Ba)& Be );
1061
1062 Be = ROL32((Ama1^Da1), 18);
1063 Bi = ROL32((Ame1^De1), 5);
1064 Bo = ROL32((Ami1^Di0), 7);
1065 Bu = ROL32((Amo1^Do1), 28);
1066 Ba = ROL32((Amu1^Du0), 13);
1067 Ama1 = Ba ^((~Be)& Bi );
1068 Ame1 = Be ^((~Bi)& Bo );
1069 Ami1 = Bi ^((~Bo)& Bu );
1070 Amo1 = Bo ^((~Bu)& Ba );
1071 Amu1 = Bu ^((~Ba)& Be );
1072
1073 Bo = ROL32((Asa0^Da1), 21);
1074 Bu = ROL32((Ase0^De0), 1);
1075 Ba = ROL32((Asi0^Di0), 31);
1076 Be = ROL32((Aso0^Do1), 28);
1077 Bi = ROL32((Asu0^Du1), 20);
1078 Asa0 = Ba ^((~Be)& Bi );
1079 Ase0 = Be ^((~Bi)& Bo );
1080 Asi0 = Bi ^((~Bo)& Bu );
1081 Aso0 = Bo ^((~Bu)& Ba );
1082 Asu0 = Bu ^((~Ba)& Be );
1083
1084 Bo = ROL32((Asa1^Da0), 20);
1085 Bu = ROL32((Ase1^De1), 1);
1086 Ba = ROL32((Asi1^Di1), 31);
1087 Be = ROL32((Aso1^Do0), 27);
1088 Bi = ROL32((Asu1^Du0), 19);
1089 Asa1 = Ba ^((~Be)& Bi );
1090 Ase1 = Be ^((~Bi)& Bo );
1091 Asi1 = Bi ^((~Bo)& Bu );
1092 Aso1 = Bo ^((~Bu)& Ba );
1093 Asu1 = Bu ^((~Ba)& Be );
1094 }
1095 while ( *pRoundConstants != 0xFF );
1096
1097 #undef Aba0
1098 #undef Aba1
1099 #undef Abe0
1100 #undef Abe1
1101 #undef Abi0
1102 #undef Abi1
1103 #undef Abo0
1104 #undef Abo1
1105 #undef Abu0
1106 #undef Abu1
1107 #undef Aga0
1108 #undef Aga1
1109 #undef Age0
1110 #undef Age1
1111 #undef Agi0
1112 #undef Agi1
1113 #undef Ago0
1114 #undef Ago1
1115 #undef Agu0
1116 #undef Agu1
1117 #undef Aka0
1118 #undef Aka1
1119 #undef Ake0
1120 #undef Ake1
1121 #undef Aki0
1122 #undef Aki1
1123 #undef Ako0
1124 #undef Ako1
1125 #undef Aku0
1126 #undef Aku1
1127 #undef Ama0
1128 #undef Ama1
1129 #undef Ame0
1130 #undef Ame1
1131 #undef Ami0
1132 #undef Ami1
1133 #undef Amo0
1134 #undef Amo1
1135 #undef Amu0
1136 #undef Amu1
1137 #undef Asa0
1138 #undef Asa1
1139 #undef Ase0
1140 #undef Ase1
1141 #undef Asi0
1142 #undef Asi1
1143 #undef Aso0
1144 #undef Aso1
1145 #undef Asu0
1146 #undef Asu1
1147 }
1148 }
1149
1150 /* ---------------------------------------------------------------- */
1151
KeccakP1600_Permute_12rounds(void * state)1152 void KeccakP1600_Permute_12rounds(void *state)
1153 {
1154 KeccakP1600_Permute_Nrounds(state, 12);
1155 }
1156
1157 /* ---------------------------------------------------------------- */
1158
KeccakP1600_Permute_24rounds(void * state)1159 void KeccakP1600_Permute_24rounds(void *state)
1160 {
1161 KeccakP1600_Permute_Nrounds(state, 24);
1162 }
1163