keccakf.go

     1  // Copyright 2014 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build !amd64 || purego || !gc
     6  
     7  package sha3
     8  
     9  import "math/bits"
    10  
    11  // rc stores the round constants for use in the ι step.
    12  var rc = [24]uint64{
    13  	0x0000000000000001,
    14  	0x0000000000008082,
    15  	0x800000000000808A,
    16  	0x8000000080008000,
    17  	0x000000000000808B,
    18  	0x0000000080000001,
    19  	0x8000000080008081,
    20  	0x8000000000008009,
    21  	0x000000000000008A,
    22  	0x0000000000000088,
    23  	0x0000000080008009,
    24  	0x000000008000000A,
    25  	0x000000008000808B,
    26  	0x800000000000008B,
    27  	0x8000000000008089,
    28  	0x8000000000008003,
    29  	0x8000000000008002,
    30  	0x8000000000000080,
    31  	0x000000000000800A,
    32  	0x800000008000000A,
    33  	0x8000000080008081,
    34  	0x8000000000008080,
    35  	0x0000000080000001,
    36  	0x8000000080008008,
    37  }
    38  
    39  // keccakF1600 applies the Keccak permutation to a 1600b-wide
    40  // state represented as a slice of 25 uint64s.
    41  func keccakF1600(a *[25]uint64) {
    42  	// Implementation translated from Keccak-inplace.c
    43  	// in the keccak reference code.
    44  	var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64
    45  
    46  	for i := 0; i < 24; i += 4 {
    47  		// Combines the 5 steps in each round into 2 steps.
    48  		// Unrolls 4 rounds per loop and spreads some steps across rounds.
    49  
    50  		// Round 1
    51  		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
    52  		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
    53  		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
    54  		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
    55  		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
    56  		d0 = bc4 ^ (bc1<<1 | bc1>>63)
    57  		d1 = bc0 ^ (bc2<<1 | bc2>>63)
    58  		d2 = bc1 ^ (bc3<<1 | bc3>>63)
    59  		d3 = bc2 ^ (bc4<<1 | bc4>>63)
    60  		d4 = bc3 ^ (bc0<<1 | bc0>>63)
    61  
    62  		bc0 = a[0] ^ d0
    63  		t = a[6] ^ d1
    64  		bc1 = bits.RotateLeft64(t, 44)
    65  		t = a[12] ^ d2
    66  		bc2 = bits.RotateLeft64(t, 43)
    67  		t = a[18] ^ d3
    68  		bc3 = bits.RotateLeft64(t, 21)
    69  		t = a[24] ^ d4
    70  		bc4 = bits.RotateLeft64(t, 14)
    71  		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i]
    72  		a[6] = bc1 ^ (bc3 &^ bc2)
    73  		a[12] = bc2 ^ (bc4 &^ bc3)
    74  		a[18] = bc3 ^ (bc0 &^ bc4)
    75  		a[24] = bc4 ^ (bc1 &^ bc0)
    76  
    77  		t = a[10] ^ d0
    78  		bc2 = bits.RotateLeft64(t, 3)
    79  		t = a[16] ^ d1
    80  		bc3 = bits.RotateLeft64(t, 45)
    81  		t = a[22] ^ d2
    82  		bc4 = bits.RotateLeft64(t, 61)
    83  		t = a[3] ^ d3
    84  		bc0 = bits.RotateLeft64(t, 28)
    85  		t = a[9] ^ d4
    86  		bc1 = bits.RotateLeft64(t, 20)
    87  		a[10] = bc0 ^ (bc2 &^ bc1)
    88  		a[16] = bc1 ^ (bc3 &^ bc2)
    89  		a[22] = bc2 ^ (bc4 &^ bc3)
    90  		a[3] = bc3 ^ (bc0 &^ bc4)
    91  		a[9] = bc4 ^ (bc1 &^ bc0)
    92  
    93  		t = a[20] ^ d0
    94  		bc4 = bits.RotateLeft64(t, 18)
    95  		t = a[1] ^ d1
    96  		bc0 = bits.RotateLeft64(t, 1)
    97  		t = a[7] ^ d2
    98  		bc1 = bits.RotateLeft64(t, 6)
    99  		t = a[13] ^ d3
   100  		bc2 = bits.RotateLeft64(t, 25)
   101  		t = a[19] ^ d4
   102  		bc3 = bits.RotateLeft64(t, 8)
   103  		a[20] = bc0 ^ (bc2 &^ bc1)
   104  		a[1] = bc1 ^ (bc3 &^ bc2)
   105  		a[7] = bc2 ^ (bc4 &^ bc3)
   106  		a[13] = bc3 ^ (bc0 &^ bc4)
   107  		a[19] = bc4 ^ (bc1 &^ bc0)
   108  
   109  		t = a[5] ^ d0
   110  		bc1 = bits.RotateLeft64(t, 36)
   111  		t = a[11] ^ d1
   112  		bc2 = bits.RotateLeft64(t, 10)
   113  		t = a[17] ^ d2
   114  		bc3 = bits.RotateLeft64(t, 15)
   115  		t = a[23] ^ d3
   116  		bc4 = bits.RotateLeft64(t, 56)
   117  		t = a[4] ^ d4
   118  		bc0 = bits.RotateLeft64(t, 27)
   119  		a[5] = bc0 ^ (bc2 &^ bc1)
   120  		a[11] = bc1 ^ (bc3 &^ bc2)
   121  		a[17] = bc2 ^ (bc4 &^ bc3)
   122  		a[23] = bc3 ^ (bc0 &^ bc4)
   123  		a[4] = bc4 ^ (bc1 &^ bc0)
   124  
   125  		t = a[15] ^ d0
   126  		bc3 = bits.RotateLeft64(t, 41)
   127  		t = a[21] ^ d1
   128  		bc4 = bits.RotateLeft64(t, 2)
   129  		t = a[2] ^ d2
   130  		bc0 = bits.RotateLeft64(t, 62)
   131  		t = a[8] ^ d3
   132  		bc1 = bits.RotateLeft64(t, 55)
   133  		t = a[14] ^ d4
   134  		bc2 = bits.RotateLeft64(t, 39)
   135  		a[15] = bc0 ^ (bc2 &^ bc1)
   136  		a[21] = bc1 ^ (bc3 &^ bc2)
   137  		a[2] = bc2 ^ (bc4 &^ bc3)
   138  		a[8] = bc3 ^ (bc0 &^ bc4)
   139  		a[14] = bc4 ^ (bc1 &^ bc0)
   140  
   141  		// Round 2
   142  		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
   143  		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
   144  		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
   145  		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
   146  		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
   147  		d0 = bc4 ^ (bc1<<1 | bc1>>63)
   148  		d1 = bc0 ^ (bc2<<1 | bc2>>63)
   149  		d2 = bc1 ^ (bc3<<1 | bc3>>63)
   150  		d3 = bc2 ^ (bc4<<1 | bc4>>63)
   151  		d4 = bc3 ^ (bc0<<1 | bc0>>63)
   152  
   153  		bc0 = a[0] ^ d0
   154  		t = a[16] ^ d1
   155  		bc1 = bits.RotateLeft64(t, 44)
   156  		t = a[7] ^ d2
   157  		bc2 = bits.RotateLeft64(t, 43)
   158  		t = a[23] ^ d3
   159  		bc3 = bits.RotateLeft64(t, 21)
   160  		t = a[14] ^ d4
   161  		bc4 = bits.RotateLeft64(t, 14)
   162  		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1]
   163  		a[16] = bc1 ^ (bc3 &^ bc2)
   164  		a[7] = bc2 ^ (bc4 &^ bc3)
   165  		a[23] = bc3 ^ (bc0 &^ bc4)
   166  		a[14] = bc4 ^ (bc1 &^ bc0)
   167  
   168  		t = a[20] ^ d0
   169  		bc2 = bits.RotateLeft64(t, 3)
   170  		t = a[11] ^ d1
   171  		bc3 = bits.RotateLeft64(t, 45)
   172  		t = a[2] ^ d2
   173  		bc4 = bits.RotateLeft64(t, 61)
   174  		t = a[18] ^ d3
   175  		bc0 = bits.RotateLeft64(t, 28)
   176  		t = a[9] ^ d4
   177  		bc1 = bits.RotateLeft64(t, 20)
   178  		a[20] = bc0 ^ (bc2 &^ bc1)
   179  		a[11] = bc1 ^ (bc3 &^ bc2)
   180  		a[2] = bc2 ^ (bc4 &^ bc3)
   181  		a[18] = bc3 ^ (bc0 &^ bc4)
   182  		a[9] = bc4 ^ (bc1 &^ bc0)
   183  
   184  		t = a[15] ^ d0
   185  		bc4 = bits.RotateLeft64(t, 18)
   186  		t = a[6] ^ d1
   187  		bc0 = bits.RotateLeft64(t, 1)
   188  		t = a[22] ^ d2
   189  		bc1 = bits.RotateLeft64(t, 6)
   190  		t = a[13] ^ d3
   191  		bc2 = bits.RotateLeft64(t, 25)
   192  		t = a[4] ^ d4
   193  		bc3 = bits.RotateLeft64(t, 8)
   194  		a[15] = bc0 ^ (bc2 &^ bc1)
   195  		a[6] = bc1 ^ (bc3 &^ bc2)
   196  		a[22] = bc2 ^ (bc4 &^ bc3)
   197  		a[13] = bc3 ^ (bc0 &^ bc4)
   198  		a[4] = bc4 ^ (bc1 &^ bc0)
   199  
   200  		t = a[10] ^ d0
   201  		bc1 = bits.RotateLeft64(t, 36)
   202  		t = a[1] ^ d1
   203  		bc2 = bits.RotateLeft64(t, 10)
   204  		t = a[17] ^ d2
   205  		bc3 = bits.RotateLeft64(t, 15)
   206  		t = a[8] ^ d3
   207  		bc4 = bits.RotateLeft64(t, 56)
   208  		t = a[24] ^ d4
   209  		bc0 = bits.RotateLeft64(t, 27)
   210  		a[10] = bc0 ^ (bc2 &^ bc1)
   211  		a[1] = bc1 ^ (bc3 &^ bc2)
   212  		a[17] = bc2 ^ (bc4 &^ bc3)
   213  		a[8] = bc3 ^ (bc0 &^ bc4)
   214  		a[24] = bc4 ^ (bc1 &^ bc0)
   215  
   216  		t = a[5] ^ d0
   217  		bc3 = bits.RotateLeft64(t, 41)
   218  		t = a[21] ^ d1
   219  		bc4 = bits.RotateLeft64(t, 2)
   220  		t = a[12] ^ d2
   221  		bc0 = bits.RotateLeft64(t, 62)
   222  		t = a[3] ^ d3
   223  		bc1 = bits.RotateLeft64(t, 55)
   224  		t = a[19] ^ d4
   225  		bc2 = bits.RotateLeft64(t, 39)
   226  		a[5] = bc0 ^ (bc2 &^ bc1)
   227  		a[21] = bc1 ^ (bc3 &^ bc2)
   228  		a[12] = bc2 ^ (bc4 &^ bc3)
   229  		a[3] = bc3 ^ (bc0 &^ bc4)
   230  		a[19] = bc4 ^ (bc1 &^ bc0)
   231  
   232  		// Round 3
   233  		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
   234  		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
   235  		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
   236  		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
   237  		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
   238  		d0 = bc4 ^ (bc1<<1 | bc1>>63)
   239  		d1 = bc0 ^ (bc2<<1 | bc2>>63)
   240  		d2 = bc1 ^ (bc3<<1 | bc3>>63)
   241  		d3 = bc2 ^ (bc4<<1 | bc4>>63)
   242  		d4 = bc3 ^ (bc0<<1 | bc0>>63)
   243  
   244  		bc0 = a[0] ^ d0
   245  		t = a[11] ^ d1
   246  		bc1 = bits.RotateLeft64(t, 44)
   247  		t = a[22] ^ d2
   248  		bc2 = bits.RotateLeft64(t, 43)
   249  		t = a[8] ^ d3
   250  		bc3 = bits.RotateLeft64(t, 21)
   251  		t = a[19] ^ d4
   252  		bc4 = bits.RotateLeft64(t, 14)
   253  		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2]
   254  		a[11] = bc1 ^ (bc3 &^ bc2)
   255  		a[22] = bc2 ^ (bc4 &^ bc3)
   256  		a[8] = bc3 ^ (bc0 &^ bc4)
   257  		a[19] = bc4 ^ (bc1 &^ bc0)
   258  
   259  		t = a[15] ^ d0
   260  		bc2 = bits.RotateLeft64(t, 3)
   261  		t = a[1] ^ d1
   262  		bc3 = bits.RotateLeft64(t, 45)
   263  		t = a[12] ^ d2
   264  		bc4 = bits.RotateLeft64(t, 61)
   265  		t = a[23] ^ d3
   266  		bc0 = bits.RotateLeft64(t, 28)
   267  		t = a[9] ^ d4
   268  		bc1 = bits.RotateLeft64(t, 20)
   269  		a[15] = bc0 ^ (bc2 &^ bc1)
   270  		a[1] = bc1 ^ (bc3 &^ bc2)
   271  		a[12] = bc2 ^ (bc4 &^ bc3)
   272  		a[23] = bc3 ^ (bc0 &^ bc4)
   273  		a[9] = bc4 ^ (bc1 &^ bc0)
   274  
   275  		t = a[5] ^ d0
   276  		bc4 = bits.RotateLeft64(t, 18)
   277  		t = a[16] ^ d1
   278  		bc0 = bits.RotateLeft64(t, 1)
   279  		t = a[2] ^ d2
   280  		bc1 = bits.RotateLeft64(t, 6)
   281  		t = a[13] ^ d3
   282  		bc2 = bits.RotateLeft64(t, 25)
   283  		t = a[24] ^ d4
   284  		bc3 = bits.RotateLeft64(t, 8)
   285  		a[5] = bc0 ^ (bc2 &^ bc1)
   286  		a[16] = bc1 ^ (bc3 &^ bc2)
   287  		a[2] = bc2 ^ (bc4 &^ bc3)
   288  		a[13] = bc3 ^ (bc0 &^ bc4)
   289  		a[24] = bc4 ^ (bc1 &^ bc0)
   290  
   291  		t = a[20] ^ d0
   292  		bc1 = bits.RotateLeft64(t, 36)
   293  		t = a[6] ^ d1
   294  		bc2 = bits.RotateLeft64(t, 10)
   295  		t = a[17] ^ d2
   296  		bc3 = bits.RotateLeft64(t, 15)
   297  		t = a[3] ^ d3
   298  		bc4 = bits.RotateLeft64(t, 56)
   299  		t = a[14] ^ d4
   300  		bc0 = bits.RotateLeft64(t, 27)
   301  		a[20] = bc0 ^ (bc2 &^ bc1)
   302  		a[6] = bc1 ^ (bc3 &^ bc2)
   303  		a[17] = bc2 ^ (bc4 &^ bc3)
   304  		a[3] = bc3 ^ (bc0 &^ bc4)
   305  		a[14] = bc4 ^ (bc1 &^ bc0)
   306  
   307  		t = a[10] ^ d0
   308  		bc3 = bits.RotateLeft64(t, 41)
   309  		t = a[21] ^ d1
   310  		bc4 = bits.RotateLeft64(t, 2)
   311  		t = a[7] ^ d2
   312  		bc0 = bits.RotateLeft64(t, 62)
   313  		t = a[18] ^ d3
   314  		bc1 = bits.RotateLeft64(t, 55)
   315  		t = a[4] ^ d4
   316  		bc2 = bits.RotateLeft64(t, 39)
   317  		a[10] = bc0 ^ (bc2 &^ bc1)
   318  		a[21] = bc1 ^ (bc3 &^ bc2)
   319  		a[7] = bc2 ^ (bc4 &^ bc3)
   320  		a[18] = bc3 ^ (bc0 &^ bc4)
   321  		a[4] = bc4 ^ (bc1 &^ bc0)
   322  
   323  		// Round 4
   324  		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
   325  		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
   326  		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
   327  		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
   328  		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
   329  		d0 = bc4 ^ (bc1<<1 | bc1>>63)
   330  		d1 = bc0 ^ (bc2<<1 | bc2>>63)
   331  		d2 = bc1 ^ (bc3<<1 | bc3>>63)
   332  		d3 = bc2 ^ (bc4<<1 | bc4>>63)
   333  		d4 = bc3 ^ (bc0<<1 | bc0>>63)
   334  
   335  		bc0 = a[0] ^ d0
   336  		t = a[1] ^ d1
   337  		bc1 = bits.RotateLeft64(t, 44)
   338  		t = a[2] ^ d2
   339  		bc2 = bits.RotateLeft64(t, 43)
   340  		t = a[3] ^ d3
   341  		bc3 = bits.RotateLeft64(t, 21)
   342  		t = a[4] ^ d4
   343  		bc4 = bits.RotateLeft64(t, 14)
   344  		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3]
   345  		a[1] = bc1 ^ (bc3 &^ bc2)
   346  		a[2] = bc2 ^ (bc4 &^ bc3)
   347  		a[3] = bc3 ^ (bc0 &^ bc4)
   348  		a[4] = bc4 ^ (bc1 &^ bc0)
   349  
   350  		t = a[5] ^ d0
   351  		bc2 = bits.RotateLeft64(t, 3)
   352  		t = a[6] ^ d1
   353  		bc3 = bits.RotateLeft64(t, 45)
   354  		t = a[7] ^ d2
   355  		bc4 = bits.RotateLeft64(t, 61)
   356  		t = a[8] ^ d3
   357  		bc0 = bits.RotateLeft64(t, 28)
   358  		t = a[9] ^ d4
   359  		bc1 = bits.RotateLeft64(t, 20)
   360  		a[5] = bc0 ^ (bc2 &^ bc1)
   361  		a[6] = bc1 ^ (bc3 &^ bc2)
   362  		a[7] = bc2 ^ (bc4 &^ bc3)
   363  		a[8] = bc3 ^ (bc0 &^ bc4)
   364  		a[9] = bc4 ^ (bc1 &^ bc0)
   365  
   366  		t = a[10] ^ d0
   367  		bc4 = bits.RotateLeft64(t, 18)
   368  		t = a[11] ^ d1
   369  		bc0 = bits.RotateLeft64(t, 1)
   370  		t = a[12] ^ d2
   371  		bc1 = bits.RotateLeft64(t, 6)
   372  		t = a[13] ^ d3
   373  		bc2 = bits.RotateLeft64(t, 25)
   374  		t = a[14] ^ d4
   375  		bc3 = bits.RotateLeft64(t, 8)
   376  		a[10] = bc0 ^ (bc2 &^ bc1)
   377  		a[11] = bc1 ^ (bc3 &^ bc2)
   378  		a[12] = bc2 ^ (bc4 &^ bc3)
   379  		a[13] = bc3 ^ (bc0 &^ bc4)
   380  		a[14] = bc4 ^ (bc1 &^ bc0)
   381  
   382  		t = a[15] ^ d0
   383  		bc1 = bits.RotateLeft64(t, 36)
   384  		t = a[16] ^ d1
   385  		bc2 = bits.RotateLeft64(t, 10)
   386  		t = a[17] ^ d2
   387  		bc3 = bits.RotateLeft64(t, 15)
   388  		t = a[18] ^ d3
   389  		bc4 = bits.RotateLeft64(t, 56)
   390  		t = a[19] ^ d4
   391  		bc0 = bits.RotateLeft64(t, 27)
   392  		a[15] = bc0 ^ (bc2 &^ bc1)
   393  		a[16] = bc1 ^ (bc3 &^ bc2)
   394  		a[17] = bc2 ^ (bc4 &^ bc3)
   395  		a[18] = bc3 ^ (bc0 &^ bc4)
   396  		a[19] = bc4 ^ (bc1 &^ bc0)
   397  
   398  		t = a[20] ^ d0
   399  		bc3 = bits.RotateLeft64(t, 41)
   400  		t = a[21] ^ d1
   401  		bc4 = bits.RotateLeft64(t, 2)
   402  		t = a[22] ^ d2
   403  		bc0 = bits.RotateLeft64(t, 62)
   404  		t = a[23] ^ d3
   405  		bc1 = bits.RotateLeft64(t, 55)
   406  		t = a[24] ^ d4
   407  		bc2 = bits.RotateLeft64(t, 39)
   408  		a[20] = bc0 ^ (bc2 &^ bc1)
   409  		a[21] = bc1 ^ (bc3 &^ bc2)
   410  		a[22] = bc2 ^ (bc4 &^ bc3)
   411  		a[23] = bc3 ^ (bc0 &^ bc4)
   412  		a[24] = bc4 ^ (bc1 &^ bc0)
   413  	}
   414  }
   415
View as plain text