1 /* 2 Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, 3 Joan Daemen, Michal Peeters, Gilles Van Assche and Ronny Van Keer, hereby 4 denoted as "the implementer". 5 6 For more information, feedback or questions, please refer to our websites: 7 http://keccak.noekeon.org/ 8 http://keyak.noekeon.org/ 9 http://ketje.noekeon.org/ 10 11 To the extent possible under law, the implementer has waived all copyright 12 and related or neighboring rights to the source code in this file. 13 http://creativecommons.org/publicdomain/zero/1.0/ 14 */ 15 16 #include <string.h> 17 /* #include "brg_endian.h" */ 18 #include "KeccakP-1600-SnP.h" 19 #include "SnP-Relaned.h" 20 21 typedef unsigned char UINT8; 22 typedef unsigned int UINT32; 23 /* WARNING: on 8-bit and 16-bit platforms, this should be replaced by: */ 24 25 /*typedef unsigned long UINT32; */ 26 27 28 #define ROL32(a, offset) ((((UINT32)a) << (offset)) ^ (((UINT32)a) >> (32-(offset)))) 29 30 /* Credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ 31 32 #define prepareToBitInterleaving(low, high, temp, temp0, temp1) \ 33 temp0 = (low); \ 34 temp = (temp0 ^ (temp0 >> 1)) & 0x22222222UL; temp0 = temp0 ^ temp ^ (temp << 1); \ 35 temp = (temp0 ^ (temp0 >> 2)) & 0x0C0C0C0CUL; temp0 = temp0 ^ temp ^ (temp << 2); \ 36 temp = (temp0 ^ (temp0 >> 4)) & 0x00F000F0UL; temp0 = temp0 ^ temp ^ (temp << 4); \ 37 temp = (temp0 ^ (temp0 >> 8)) & 0x0000FF00UL; temp0 = temp0 ^ temp ^ (temp << 8); \ 38 temp1 = (high); \ 39 temp = (temp1 ^ (temp1 >> 1)) & 0x22222222UL; temp1 = temp1 ^ temp ^ (temp << 1); \ 40 temp = (temp1 ^ (temp1 >> 2)) & 0x0C0C0C0CUL; temp1 = temp1 ^ temp ^ (temp << 2); \ 41 temp = (temp1 ^ (temp1 >> 4)) & 0x00F000F0UL; temp1 = temp1 ^ temp ^ (temp << 4); \ 42 temp = (temp1 ^ (temp1 >> 8)) & 0x0000FF00UL; temp1 = temp1 ^ temp ^ (temp << 8); 43 44 #define toBitInterleavingAndXOR(low, high, even, odd, temp, temp0, temp1) \ 45 prepareToBitInterleaving(low, high, temp, temp0, temp1) \ 46 even ^= (temp0 & 0x0000FFFF) | (temp1 << 16); \ 47 odd ^= (temp0 >> 16) | (temp1 & 0xFFFF0000); 48 49 #define toBitInterleavingAndAND(low, high, even, odd, temp, temp0, temp1) \ 50 prepareToBitInterleaving(low, high, temp, temp0, temp1) \ 51 even &= (temp0 & 0x0000FFFF) | (temp1 << 16); \ 52 odd &= (temp0 >> 16) | (temp1 & 0xFFFF0000); 53 54 #define toBitInterleavingAndSet(low, high, even, odd, temp, temp0, temp1) \ 55 prepareToBitInterleaving(low, high, temp, temp0, temp1) \ 56 even = (temp0 & 0x0000FFFF) | (temp1 << 16); \ 57 odd = (temp0 >> 16) | (temp1 & 0xFFFF0000); 58 59 /* Credit to Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002 */ 60 61 #define prepareFromBitInterleaving(even, odd, temp, temp0, temp1) \ 62 temp0 = (even); \ 63 temp1 = (odd); \ 64 temp = (temp0 & 0x0000FFFF) | (temp1 << 16); \ 65 temp1 = (temp0 >> 16) | (temp1 & 0xFFFF0000); \ 66 temp0 = temp; \ 67 temp = (temp0 ^ (temp0 >> 8)) & 0x0000FF00UL; temp0 = temp0 ^ temp ^ (temp << 8); \ 68 temp = (temp0 ^ (temp0 >> 4)) & 0x00F000F0UL; temp0 = temp0 ^ temp ^ (temp << 4); \ 69 temp = (temp0 ^ (temp0 >> 2)) & 0x0C0C0C0CUL; temp0 = temp0 ^ temp ^ (temp << 2); \ 70 temp = (temp0 ^ (temp0 >> 1)) & 0x22222222UL; temp0 = temp0 ^ temp ^ (temp << 1); \ 71 temp = (temp1 ^ (temp1 >> 8)) & 0x0000FF00UL; temp1 = temp1 ^ temp ^ (temp << 8); \ 72 temp = (temp1 ^ (temp1 >> 4)) & 0x00F000F0UL; temp1 = temp1 ^ temp ^ (temp << 4); \ 73 temp = (temp1 ^ (temp1 >> 2)) & 0x0C0C0C0CUL; temp1 = temp1 ^ temp ^ (temp << 2); \ 74 temp = (temp1 ^ (temp1 >> 1)) & 0x22222222UL; temp1 = temp1 ^ temp ^ (temp << 1); 75 76 #define fromBitInterleaving(even, odd, low, high, temp, temp0, temp1) \ 77 prepareFromBitInterleaving(even, odd, temp, temp0, temp1) \ 78 low = temp0; \ 79 high = temp1; 80 81 #define fromBitInterleavingAndXOR(even, odd, lowIn, highIn, lowOut, highOut, temp, temp0, temp1) \ 82 prepareFromBitInterleaving(even, odd, temp, temp0, temp1) \ 83 lowOut = lowIn ^ temp0; \ 84 highOut = highIn ^ temp1; 85 86 void KeccakP1600_SetBytesInLaneToZero(void *state, unsigned int lanePosition, unsigned int offset, unsigned int length) 87 { 88 UINT8 laneAsBytes[8]; 89 UINT32 low, high; 90 UINT32 temp, temp0, temp1; 91 UINT32 *stateAsHalfLanes = (UINT32*)state; 92 93 memset(laneAsBytes, 0xFF, offset); 94 memset(laneAsBytes+offset, 0x00, length); 95 memset(laneAsBytes+offset+length, 0xFF, 8-offset-length); 96 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) 97 low = *((UINT32*)(laneAsBytes+0)); 98 high = *((UINT32*)(laneAsBytes+4)); 99 #else 100 low = laneAsBytes[0] 101 | ((UINT32)(laneAsBytes[1]) << 8) 102 | ((UINT32)(laneAsBytes[2]) << 16) 103 | ((UINT32)(laneAsBytes[3]) << 24); 104 high = laneAsBytes[4] 105 | ((UINT32)(laneAsBytes[5]) << 8) 106 | ((UINT32)(laneAsBytes[6]) << 16) 107 | ((UINT32)(laneAsBytes[7]) << 24); 108 #endif 109 toBitInterleavingAndAND(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1); 110 } 111 112 /* ---------------------------------------------------------------- */ 113 114 void KeccakP1600_Initialize(void *state) 115 { 116 memset(state, 0, 200); 117 } 118 119 /* ---------------------------------------------------------------- */ 120 121 void KeccakP1600_AddByte(void *state, unsigned char byte, unsigned int offset) 122 { 123 unsigned int lanePosition = offset/8; 124 unsigned int offsetInLane = offset%8; 125 UINT32 low, high; 126 UINT32 temp, temp0, temp1; 127 UINT32 *stateAsHalfLanes = (UINT32*)state; 128 129 if (offsetInLane < 4) { 130 low = (UINT32)byte << (offsetInLane*8); 131 high = 0; 132 } 133 else { 134 low = 0; 135 high = (UINT32)byte << ((offsetInLane-4)*8); 136 } 137 toBitInterleavingAndXOR(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1); 138 } 139 140 /* ---------------------------------------------------------------- */ 141 142 void KeccakP1600_AddBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length) 143 { 144 UINT8 laneAsBytes[8]; 145 UINT32 low, high; 146 UINT32 temp, temp0, temp1; 147 UINT32 *stateAsHalfLanes = (UINT32*)state; 148 149 memset(laneAsBytes, 0, 8); 150 memcpy(laneAsBytes+offset, data, length); 151 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) 152 low = *((UINT32*)(laneAsBytes+0)); 153 high = *((UINT32*)(laneAsBytes+4)); 154 #else 155 low = laneAsBytes[0] 156 | ((UINT32)(laneAsBytes[1]) << 8) 157 | ((UINT32)(laneAsBytes[2]) << 16) 158 | ((UINT32)(laneAsBytes[3]) << 24); 159 high = laneAsBytes[4] 160 | ((UINT32)(laneAsBytes[5]) << 8) 161 | ((UINT32)(laneAsBytes[6]) << 16) 162 | ((UINT32)(laneAsBytes[7]) << 24); 163 #endif 164 toBitInterleavingAndXOR(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1); 165 } 166 167 /* ---------------------------------------------------------------- */ 168 169 void KeccakP1600_AddLanes(void *state, const unsigned char *data, unsigned int laneCount) 170 { 171 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) 172 const UINT32 * pI = (const UINT32 *)data; 173 UINT32 * pS = (UINT32*)state; 174 UINT32 t, x0, x1; 175 int i; 176 for (i = laneCount-1; i >= 0; --i) { 177 #ifdef NO_MISALIGNED_ACCESSES 178 UINT32 low; 179 UINT32 high; 180 memcpy(&low, pI++, 4); 181 memcpy(&high, pI++, 4); 182 toBitInterleavingAndXOR(low, high, *(pS++), *(pS++), t, x0, x1); 183 #else 184 toBitInterleavingAndXOR(*(pI++), *(pI++), *(pS++), *(pS++), t, x0, x1) 185 #endif 186 } 187 #else 188 unsigned int lanePosition; 189 for(lanePosition=0; lanePosition<laneCount; lanePosition++) { 190 UINT8 laneAsBytes[8]; 191 UINT32 low, high, temp, temp0, temp1; 192 UINT32 *stateAsHalfLanes; 193 memcpy(laneAsBytes, data+lanePosition*8, 8); 194 low = laneAsBytes[0] 195 | ((UINT32)(laneAsBytes[1]) << 8) 196 | ((UINT32)(laneAsBytes[2]) << 16) 197 | ((UINT32)(laneAsBytes[3]) << 24); 198 high = laneAsBytes[4] 199 | ((UINT32)(laneAsBytes[5]) << 8) 200 | ((UINT32)(laneAsBytes[6]) << 16) 201 | ((UINT32)(laneAsBytes[7]) << 24); 202 stateAsHalfLanes = (UINT32*)state; 203 toBitInterleavingAndXOR(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1); 204 } 205 #endif 206 } 207 208 /* ---------------------------------------------------------------- */ 209 210 void KeccakP1600_AddBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length) 211 { 212 SnP_AddBytes(state, data, offset, length, KeccakP1600_AddLanes, KeccakP1600_AddBytesInLane, 8); 213 } 214 215 /* ---------------------------------------------------------------- */ 216 217 void KeccakP1600_OverwriteBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length) 218 { 219 KeccakP1600_SetBytesInLaneToZero(state, lanePosition, offset, length); 220 KeccakP1600_AddBytesInLane(state, lanePosition, data, offset, length); 221 } 222 223 /* ---------------------------------------------------------------- */ 224 225 void KeccakP1600_OverwriteLanes(void *state, const unsigned char *data, unsigned int laneCount) 226 { 227 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) 228 const UINT32 * pI = (const UINT32 *)data; 229 UINT32 * pS = (UINT32 *)state; 230 UINT32 t, x0, x1; 231 int i; 232 for (i = laneCount-1; i >= 0; --i) { 233 #ifdef NO_MISALIGNED_ACCESSES 234 UINT32 low; 235 UINT32 high; 236 memcpy(&low, pI++, 4); 237 memcpy(&high, pI++, 4); 238 toBitInterleavingAndSet(low, high, *(pS++), *(pS++), t, x0, x1); 239 #else 240 toBitInterleavingAndSet(*(pI++), *(pI++), *(pS++), *(pS++), t, x0, x1) 241 #endif 242 } 243 #else 244 unsigned int lanePosition; 245 for(lanePosition=0; lanePosition<laneCount; lanePosition++) { 246 UINT8 laneAsBytes[8]; 247 UINT32 low, high, temp, temp0, temp1; 248 UINT32 *stateAsHalfLanes; 249 memcpy(laneAsBytes, data+lanePosition*8, 8); 250 low = laneAsBytes[0] 251 | ((UINT32)(laneAsBytes[1]) << 8) 252 | ((UINT32)(laneAsBytes[2]) << 16) 253 | ((UINT32)(laneAsBytes[3]) << 24); 254 high = laneAsBytes[4] 255 | ((UINT32)(laneAsBytes[5]) << 8) 256 | ((UINT32)(laneAsBytes[6]) << 16) 257 | ((UINT32)(laneAsBytes[7]) << 24); 258 stateAsHalfLanes = (UINT32*)state; 259 toBitInterleavingAndSet(low, high, stateAsHalfLanes[lanePosition*2+0], stateAsHalfLanes[lanePosition*2+1], temp, temp0, temp1); 260 } 261 #endif 262 } 263 264 /* ---------------------------------------------------------------- */ 265 266 void KeccakP1600_OverwriteBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length) 267 { 268 SnP_OverwriteBytes(state, data, offset, length, KeccakP1600_OverwriteLanes, KeccakP1600_OverwriteBytesInLane, 8); 269 } 270 271 /* ---------------------------------------------------------------- */ 272 273 void KeccakP1600_OverwriteWithZeroes(void *state, unsigned int byteCount) 274 { 275 UINT32 *stateAsHalfLanes = (UINT32*)state; 276 unsigned int i; 277 278 for(i=0; i<byteCount/8; i++) { 279 stateAsHalfLanes[i*2+0] = 0; 280 stateAsHalfLanes[i*2+1] = 0; 281 } 282 if (byteCount%8 != 0) 283 KeccakP1600_SetBytesInLaneToZero(state, byteCount/8, 0, byteCount%8); 284 } 285 286 /* ---------------------------------------------------------------- */ 287 288 void KeccakP1600_ExtractBytesInLane(const void *state, unsigned int lanePosition, unsigned char *data, unsigned int offset, unsigned int length) 289 { 290 UINT32 *stateAsHalfLanes = (UINT32*)state; 291 UINT32 low, high, temp, temp0, temp1; 292 UINT8 laneAsBytes[8]; 293 294 fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1); 295 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) 296 *((UINT32*)(laneAsBytes+0)) = low; 297 *((UINT32*)(laneAsBytes+4)) = high; 298 #else 299 laneAsBytes[0] = low & 0xFF; 300 laneAsBytes[1] = (low >> 8) & 0xFF; 301 laneAsBytes[2] = (low >> 16) & 0xFF; 302 laneAsBytes[3] = (low >> 24) & 0xFF; 303 laneAsBytes[4] = high & 0xFF; 304 laneAsBytes[5] = (high >> 8) & 0xFF; 305 laneAsBytes[6] = (high >> 16) & 0xFF; 306 laneAsBytes[7] = (high >> 24) & 0xFF; 307 #endif 308 memcpy(data, laneAsBytes+offset, length); 309 } 310 311 /* ---------------------------------------------------------------- */ 312 313 void KeccakP1600_ExtractLanes(const void *state, unsigned char *data, unsigned int laneCount) 314 { 315 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) 316 UINT32 * pI = (UINT32 *)data; 317 const UINT32 * pS = ( const UINT32 *)state; 318 UINT32 t, x0, x1; 319 int i; 320 for (i = laneCount-1; i >= 0; --i) { 321 #ifdef NO_MISALIGNED_ACCESSES 322 UINT32 low; 323 UINT32 high; 324 fromBitInterleaving(*(pS++), *(pS++), low, high, t, x0, x1); 325 memcpy(pI++, &low, 4); 326 memcpy(pI++, &high, 4); 327 #else 328 fromBitInterleaving(*(pS++), *(pS++), *(pI++), *(pI++), t, x0, x1) 329 #endif 330 } 331 #else 332 unsigned int lanePosition; 333 for(lanePosition=0; lanePosition<laneCount; lanePosition++) { 334 UINT32 *stateAsHalfLanes = (UINT32*)state; 335 UINT32 low, high, temp, temp0, temp1; 336 UINT8 laneAsBytes[8]; 337 fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1); 338 laneAsBytes[0] = low & 0xFF; 339 laneAsBytes[1] = (low >> 8) & 0xFF; 340 laneAsBytes[2] = (low >> 16) & 0xFF; 341 laneAsBytes[3] = (low >> 24) & 0xFF; 342 laneAsBytes[4] = high & 0xFF; 343 laneAsBytes[5] = (high >> 8) & 0xFF; 344 laneAsBytes[6] = (high >> 16) & 0xFF; 345 laneAsBytes[7] = (high >> 24) & 0xFF; 346 memcpy(data+lanePosition*8, laneAsBytes, 8); 347 } 348 #endif 349 } 350 351 /* ---------------------------------------------------------------- */ 352 353 void KeccakP1600_ExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length) 354 { 355 SnP_ExtractBytes(state, data, offset, length, KeccakP1600_ExtractLanes, KeccakP1600_ExtractBytesInLane, 8); 356 } 357 358 /* ---------------------------------------------------------------- */ 359 360 void KeccakP1600_ExtractAndAddBytesInLane(const void *state, unsigned int lanePosition, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length) 361 { 362 UINT32 *stateAsHalfLanes = (UINT32*)state; 363 UINT32 low, high, temp, temp0, temp1; 364 UINT8 laneAsBytes[8]; 365 unsigned int i; 366 367 fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1); 368 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) 369 *((UINT32*)(laneAsBytes+0)) = low; 370 *((UINT32*)(laneAsBytes+4)) = high; 371 #else 372 laneAsBytes[0] = low & 0xFF; 373 laneAsBytes[1] = (low >> 8) & 0xFF; 374 laneAsBytes[2] = (low >> 16) & 0xFF; 375 laneAsBytes[3] = (low >> 24) & 0xFF; 376 laneAsBytes[4] = high & 0xFF; 377 laneAsBytes[5] = (high >> 8) & 0xFF; 378 laneAsBytes[6] = (high >> 16) & 0xFF; 379 laneAsBytes[7] = (high >> 24) & 0xFF; 380 #endif 381 for(i=0; i<length; i++) 382 output[i] = input[i] ^ laneAsBytes[offset+i]; 383 } 384 385 /* ---------------------------------------------------------------- */ 386 387 void KeccakP1600_ExtractAndAddLanes(const void *state, const unsigned char *input, unsigned char *output, unsigned int laneCount) 388 { 389 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) 390 const UINT32 * pI = (const UINT32 *)input; 391 UINT32 * pO = (UINT32 *)output; 392 const UINT32 * pS = (const UINT32 *)state; 393 UINT32 t, x0, x1; 394 int i; 395 for (i = laneCount-1; i >= 0; --i) { 396 #ifdef NO_MISALIGNED_ACCESSES 397 UINT32 low; 398 UINT32 high; 399 fromBitInterleaving(*(pS++), *(pS++), low, high, t, x0, x1); 400 *(pO++) = *(pI++) ^ low; 401 *(pO++) = *(pI++) ^ high; 402 #else 403 fromBitInterleavingAndXOR(*(pS++), *(pS++), *(pI++), *(pI++), *(pO++), *(pO++), t, x0, x1) 404 #endif 405 } 406 #else 407 unsigned int lanePosition; 408 for(lanePosition=0; lanePosition<laneCount; lanePosition++) { 409 UINT32 *stateAsHalfLanes = (UINT32*)state; 410 UINT32 low, high, temp, temp0, temp1; 411 UINT8 laneAsBytes[8]; 412 fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], low, high, temp, temp0, temp1); 413 laneAsBytes[0] = low & 0xFF; 414 laneAsBytes[1] = (low >> 8) & 0xFF; 415 laneAsBytes[2] = (low >> 16) & 0xFF; 416 laneAsBytes[3] = (low >> 24) & 0xFF; 417 laneAsBytes[4] = high & 0xFF; 418 laneAsBytes[5] = (high >> 8) & 0xFF; 419 laneAsBytes[6] = (high >> 16) & 0xFF; 420 laneAsBytes[7] = (high >> 24) & 0xFF; 421 ((UINT32*)(output+lanePosition*8))[0] = ((UINT32*)(input+lanePosition*8))[0] ^ (*(const UINT32*)(laneAsBytes+0)); 422 ((UINT32*)(output+lanePosition*8))[1] = ((UINT32*)(input+lanePosition*8))[0] ^ (*(const UINT32*)(laneAsBytes+4)); 423 } 424 #endif 425 } 426 /* ---------------------------------------------------------------- */ 427 428 void KeccakP1600_ExtractAndAddBytes(const void *state, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length) 429 { 430 SnP_ExtractAndAddBytes(state, input, output, offset, length, KeccakP1600_ExtractAndAddLanes, KeccakP1600_ExtractAndAddBytesInLane, 8); 431 } 432 433 /* ---------------------------------------------------------------- */ 434 435 static const UINT32 KeccakF1600RoundConstants_int2[2*24+1] = 436 { 437 0x00000001UL, 0x00000000UL, 438 0x00000000UL, 0x00000089UL, 439 0x00000000UL, 0x8000008bUL, 440 0x00000000UL, 0x80008080UL, 441 0x00000001UL, 0x0000008bUL, 442 0x00000001UL, 0x00008000UL, 443 0x00000001UL, 0x80008088UL, 444 0x00000001UL, 0x80000082UL, 445 0x00000000UL, 0x0000000bUL, 446 0x00000000UL, 0x0000000aUL, 447 0x00000001UL, 0x00008082UL, 448 0x00000000UL, 0x00008003UL, 449 0x00000001UL, 0x0000808bUL, 450 0x00000001UL, 0x8000000bUL, 451 0x00000001UL, 0x8000008aUL, 452 0x00000001UL, 0x80000081UL, 453 0x00000000UL, 0x80000081UL, 454 0x00000000UL, 0x80000008UL, 455 0x00000000UL, 0x00000083UL, 456 0x00000000UL, 0x80008003UL, 457 0x00000001UL, 0x80008088UL, 458 0x00000000UL, 0x80000088UL, 459 0x00000001UL, 0x00008000UL, 460 0x00000000UL, 0x80008082UL, 461 0x000000FFUL 462 }; 463 464 #define KeccakAtoD_round0() \ 465 Cx = Abu0^Agu0^Aku0^Amu0^Asu0; \ 466 Du1 = Abe1^Age1^Ake1^Ame1^Ase1; \ 467 Da0 = Cx^ROL32(Du1, 1); \ 468 Cz = Abu1^Agu1^Aku1^Amu1^Asu1; \ 469 Du0 = Abe0^Age0^Ake0^Ame0^Ase0; \ 470 Da1 = Cz^Du0; \ 471 \ 472 Cw = Abi0^Agi0^Aki0^Ami0^Asi0; \ 473 Do0 = Cw^ROL32(Cz, 1); \ 474 Cy = Abi1^Agi1^Aki1^Ami1^Asi1; \ 475 Do1 = Cy^Cx; \ 476 \ 477 Cx = Aba0^Aga0^Aka0^Ama0^Asa0; \ 478 De0 = Cx^ROL32(Cy, 1); \ 479 Cz = Aba1^Aga1^Aka1^Ama1^Asa1; \ 480 De1 = Cz^Cw; \ 481 \ 482 Cy = Abo1^Ago1^Ako1^Amo1^Aso1; \ 483 Di0 = Du0^ROL32(Cy, 1); \ 484 Cw = Abo0^Ago0^Ako0^Amo0^Aso0; \ 485 Di1 = Du1^Cw; \ 486 \ 487 Du0 = Cw^ROL32(Cz, 1); \ 488 Du1 = Cy^Cx; \ 489 490 #define KeccakAtoD_round1() \ 491 Cx = Asu0^Agu0^Amu0^Abu1^Aku1; \ 492 Du1 = Age1^Ame0^Abe0^Ake1^Ase1; \ 493 Da0 = Cx^ROL32(Du1, 1); \ 494 Cz = Asu1^Agu1^Amu1^Abu0^Aku0; \ 495 Du0 = Age0^Ame1^Abe1^Ake0^Ase0; \ 496 Da1 = Cz^Du0; \ 497 \ 498 Cw = Aki1^Asi1^Agi0^Ami1^Abi0; \ 499 Do0 = Cw^ROL32(Cz, 1); \ 500 Cy = Aki0^Asi0^Agi1^Ami0^Abi1; \ 501 Do1 = Cy^Cx; \ 502 \ 503 Cx = Aba0^Aka1^Asa0^Aga0^Ama1; \ 504 De0 = Cx^ROL32(Cy, 1); \ 505 Cz = Aba1^Aka0^Asa1^Aga1^Ama0; \ 506 De1 = Cz^Cw; \ 507 \ 508 Cy = Amo0^Abo1^Ako0^Aso1^Ago0; \ 509 Di0 = Du0^ROL32(Cy, 1); \ 510 Cw = Amo1^Abo0^Ako1^Aso0^Ago1; \ 511 Di1 = Du1^Cw; \ 512 \ 513 Du0 = Cw^ROL32(Cz, 1); \ 514 Du1 = Cy^Cx; \ 515 516 #define KeccakAtoD_round2() \ 517 Cx = Aku1^Agu0^Abu1^Asu1^Amu1; \ 518 Du1 = Ame0^Ake0^Age0^Abe0^Ase1; \ 519 Da0 = Cx^ROL32(Du1, 1); \ 520 Cz = Aku0^Agu1^Abu0^Asu0^Amu0; \ 521 Du0 = Ame1^Ake1^Age1^Abe1^Ase0; \ 522 Da1 = Cz^Du0; \ 523 \ 524 Cw = Agi1^Abi1^Asi1^Ami0^Aki1; \ 525 Do0 = Cw^ROL32(Cz, 1); \ 526 Cy = Agi0^Abi0^Asi0^Ami1^Aki0; \ 527 Do1 = Cy^Cx; \ 528 \ 529 Cx = Aba0^Asa1^Ama1^Aka1^Aga1; \ 530 De0 = Cx^ROL32(Cy, 1); \ 531 Cz = Aba1^Asa0^Ama0^Aka0^Aga0; \ 532 De1 = Cz^Cw; \ 533 \ 534 Cy = Aso0^Amo0^Ako1^Ago0^Abo0; \ 535 Di0 = Du0^ROL32(Cy, 1); \ 536 Cw = Aso1^Amo1^Ako0^Ago1^Abo1; \ 537 Di1 = Du1^Cw; \ 538 \ 539 Du0 = Cw^ROL32(Cz, 1); \ 540 Du1 = Cy^Cx; \ 541 542 #define KeccakAtoD_round3() \ 543 Cx = Amu1^Agu0^Asu1^Aku0^Abu0; \ 544 Du1 = Ake0^Abe1^Ame1^Age0^Ase1; \ 545 Da0 = Cx^ROL32(Du1, 1); \ 546 Cz = Amu0^Agu1^Asu0^Aku1^Abu1; \ 547 Du0 = Ake1^Abe0^Ame0^Age1^Ase0; \ 548 Da1 = Cz^Du0; \ 549 \ 550 Cw = Asi0^Aki0^Abi1^Ami1^Agi1; \ 551 Do0 = Cw^ROL32(Cz, 1); \ 552 Cy = Asi1^Aki1^Abi0^Ami0^Agi0; \ 553 Do1 = Cy^Cx; \ 554 \ 555 Cx = Aba0^Ama0^Aga1^Asa1^Aka0; \ 556 De0 = Cx^ROL32(Cy, 1); \ 557 Cz = Aba1^Ama1^Aga0^Asa0^Aka1; \ 558 De1 = Cz^Cw; \ 559 \ 560 Cy = Ago1^Aso0^Ako0^Abo0^Amo1; \ 561 Di0 = Du0^ROL32(Cy, 1); \ 562 Cw = Ago0^Aso1^Ako1^Abo1^Amo0; \ 563 Di1 = Du1^Cw; \ 564 \ 565 Du0 = Cw^ROL32(Cz, 1); \ 566 Du1 = Cy^Cx; \ 567 568 void KeccakP1600_Permute_Nrounds(void *state, unsigned int nRounds) 569 { 570 { 571 UINT32 Da0, De0, Di0, Do0, Du0; 572 UINT32 Da1, De1, Di1, Do1, Du1; 573 UINT32 Ca0, Ce0, Ci0, Co0, Cu0; 574 UINT32 Cx, Cy, Cz, Cw; 575 #define Ba Ca0 576 #define Be Ce0 577 #define Bi Ci0 578 #define Bo Co0 579 #define Bu Cu0 580 const UINT32 *pRoundConstants = KeccakF1600RoundConstants_int2+(24-nRounds)*2; 581 UINT32 *stateAsHalfLanes = (UINT32*)state; 582 #define Aba0 stateAsHalfLanes[ 0] 583 #define Aba1 stateAsHalfLanes[ 1] 584 #define Abe0 stateAsHalfLanes[ 2] 585 #define Abe1 stateAsHalfLanes[ 3] 586 #define Abi0 stateAsHalfLanes[ 4] 587 #define Abi1 stateAsHalfLanes[ 5] 588 #define Abo0 stateAsHalfLanes[ 6] 589 #define Abo1 stateAsHalfLanes[ 7] 590 #define Abu0 stateAsHalfLanes[ 8] 591 #define Abu1 stateAsHalfLanes[ 9] 592 #define Aga0 stateAsHalfLanes[10] 593 #define Aga1 stateAsHalfLanes[11] 594 #define Age0 stateAsHalfLanes[12] 595 #define Age1 stateAsHalfLanes[13] 596 #define Agi0 stateAsHalfLanes[14] 597 #define Agi1 stateAsHalfLanes[15] 598 #define Ago0 stateAsHalfLanes[16] 599 #define Ago1 stateAsHalfLanes[17] 600 #define Agu0 stateAsHalfLanes[18] 601 #define Agu1 stateAsHalfLanes[19] 602 #define Aka0 stateAsHalfLanes[20] 603 #define Aka1 stateAsHalfLanes[21] 604 #define Ake0 stateAsHalfLanes[22] 605 #define Ake1 stateAsHalfLanes[23] 606 #define Aki0 stateAsHalfLanes[24] 607 #define Aki1 stateAsHalfLanes[25] 608 #define Ako0 stateAsHalfLanes[26] 609 #define Ako1 stateAsHalfLanes[27] 610 #define Aku0 stateAsHalfLanes[28] 611 #define Aku1 stateAsHalfLanes[29] 612 #define Ama0 stateAsHalfLanes[30] 613 #define Ama1 stateAsHalfLanes[31] 614 #define Ame0 stateAsHalfLanes[32] 615 #define Ame1 stateAsHalfLanes[33] 616 #define Ami0 stateAsHalfLanes[34] 617 #define Ami1 stateAsHalfLanes[35] 618 #define Amo0 stateAsHalfLanes[36] 619 #define Amo1 stateAsHalfLanes[37] 620 #define Amu0 stateAsHalfLanes[38] 621 #define Amu1 stateAsHalfLanes[39] 622 #define Asa0 stateAsHalfLanes[40] 623 #define Asa1 stateAsHalfLanes[41] 624 #define Ase0 stateAsHalfLanes[42] 625 #define Ase1 stateAsHalfLanes[43] 626 #define Asi0 stateAsHalfLanes[44] 627 #define Asi1 stateAsHalfLanes[45] 628 #define Aso0 stateAsHalfLanes[46] 629 #define Aso1 stateAsHalfLanes[47] 630 #define Asu0 stateAsHalfLanes[48] 631 #define Asu1 stateAsHalfLanes[49] 632 633 do 634 { 635 /* --- Code for 4 rounds */ 636 637 /* --- using factor 2 interleaving, 64-bit lanes mapped to 32-bit words */ 638 639 KeccakAtoD_round0(); 640 641 Ba = (Aba0^Da0); 642 Be = ROL32((Age0^De0), 22); 643 Bi = ROL32((Aki1^Di1), 22); 644 Bo = ROL32((Amo1^Do1), 11); 645 Bu = ROL32((Asu0^Du0), 7); 646 Aba0 = Ba ^((~Be)& Bi ); 647 Aba0 ^= *(pRoundConstants++); 648 Age0 = Be ^((~Bi)& Bo ); 649 Aki1 = Bi ^((~Bo)& Bu ); 650 Amo1 = Bo ^((~Bu)& Ba ); 651 Asu0 = Bu ^((~Ba)& Be ); 652 653 Ba = (Aba1^Da1); 654 Be = ROL32((Age1^De1), 22); 655 Bi = ROL32((Aki0^Di0), 21); 656 Bo = ROL32((Amo0^Do0), 10); 657 Bu = ROL32((Asu1^Du1), 7); 658 Aba1 = Ba ^((~Be)& Bi ); 659 Aba1 ^= *(pRoundConstants++); 660 Age1 = Be ^((~Bi)& Bo ); 661 Aki0 = Bi ^((~Bo)& Bu ); 662 Amo0 = Bo ^((~Bu)& Ba ); 663 Asu1 = Bu ^((~Ba)& Be ); 664 665 Bi = ROL32((Aka1^Da1), 2); 666 Bo = ROL32((Ame1^De1), 23); 667 Bu = ROL32((Asi1^Di1), 31); 668 Ba = ROL32((Abo0^Do0), 14); 669 Be = ROL32((Agu0^Du0), 10); 670 Aka1 = Ba ^((~Be)& Bi ); 671 Ame1 = Be ^((~Bi)& Bo ); 672 Asi1 = Bi ^((~Bo)& Bu ); 673 Abo0 = Bo ^((~Bu)& Ba ); 674 Agu0 = Bu ^((~Ba)& Be ); 675 676 Bi = ROL32((Aka0^Da0), 1); 677 Bo = ROL32((Ame0^De0), 22); 678 Bu = ROL32((Asi0^Di0), 30); 679 Ba = ROL32((Abo1^Do1), 14); 680 Be = ROL32((Agu1^Du1), 10); 681 Aka0 = Ba ^((~Be)& Bi ); 682 Ame0 = Be ^((~Bi)& Bo ); 683 Asi0 = Bi ^((~Bo)& Bu ); 684 Abo1 = Bo ^((~Bu)& Ba ); 685 Agu1 = Bu ^((~Ba)& Be ); 686 687 Bu = ROL32((Asa0^Da0), 9); 688 Ba = ROL32((Abe1^De1), 1); 689 Be = ROL32((Agi0^Di0), 3); 690 Bi = ROL32((Ako1^Do1), 13); 691 Bo = ROL32((Amu0^Du0), 4); 692 Asa0 = Ba ^((~Be)& Bi ); 693 Abe1 = Be ^((~Bi)& Bo ); 694 Agi0 = Bi ^((~Bo)& Bu ); 695 Ako1 = Bo ^((~Bu)& Ba ); 696 Amu0 = Bu ^((~Ba)& Be ); 697 698 Bu = ROL32((Asa1^Da1), 9); 699 Ba = (Abe0^De0); 700 Be = ROL32((Agi1^Di1), 3); 701 Bi = ROL32((Ako0^Do0), 12); 702 Bo = ROL32((Amu1^Du1), 4); 703 Asa1 = Ba ^((~Be)& Bi ); 704 Abe0 = Be ^((~Bi)& Bo ); 705 Agi1 = Bi ^((~Bo)& Bu ); 706 Ako0 = Bo ^((~Bu)& Ba ); 707 Amu1 = Bu ^((~Ba)& Be ); 708 709 Be = ROL32((Aga0^Da0), 18); 710 Bi = ROL32((Ake0^De0), 5); 711 Bo = ROL32((Ami1^Di1), 8); 712 Bu = ROL32((Aso0^Do0), 28); 713 Ba = ROL32((Abu1^Du1), 14); 714 Aga0 = Ba ^((~Be)& Bi ); 715 Ake0 = Be ^((~Bi)& Bo ); 716 Ami1 = Bi ^((~Bo)& Bu ); 717 Aso0 = Bo ^((~Bu)& Ba ); 718 Abu1 = Bu ^((~Ba)& Be ); 719 720 Be = ROL32((Aga1^Da1), 18); 721 Bi = ROL32((Ake1^De1), 5); 722 Bo = ROL32((Ami0^Di0), 7); 723 Bu = ROL32((Aso1^Do1), 28); 724 Ba = ROL32((Abu0^Du0), 13); 725 Aga1 = Ba ^((~Be)& Bi ); 726 Ake1 = Be ^((~Bi)& Bo ); 727 Ami0 = Bi ^((~Bo)& Bu ); 728 Aso1 = Bo ^((~Bu)& Ba ); 729 Abu0 = Bu ^((~Ba)& Be ); 730 731 Bo = ROL32((Ama1^Da1), 21); 732 Bu = ROL32((Ase0^De0), 1); 733 Ba = ROL32((Abi0^Di0), 31); 734 Be = ROL32((Ago1^Do1), 28); 735 Bi = ROL32((Aku1^Du1), 20); 736 Ama1 = Ba ^((~Be)& Bi ); 737 Ase0 = Be ^((~Bi)& Bo ); 738 Abi0 = Bi ^((~Bo)& Bu ); 739 Ago1 = Bo ^((~Bu)& Ba ); 740 Aku1 = Bu ^((~Ba)& Be ); 741 742 Bo = ROL32((Ama0^Da0), 20); 743 Bu = ROL32((Ase1^De1), 1); 744 Ba = ROL32((Abi1^Di1), 31); 745 Be = ROL32((Ago0^Do0), 27); 746 Bi = ROL32((Aku0^Du0), 19); 747 Ama0 = Ba ^((~Be)& Bi ); 748 Ase1 = Be ^((~Bi)& Bo ); 749 Abi1 = Bi ^((~Bo)& Bu ); 750 Ago0 = Bo ^((~Bu)& Ba ); 751 Aku0 = Bu ^((~Ba)& Be ); 752 753 KeccakAtoD_round1(); 754 755 Ba = (Aba0^Da0); 756 Be = ROL32((Ame1^De0), 22); 757 Bi = ROL32((Agi1^Di1), 22); 758 Bo = ROL32((Aso1^Do1), 11); 759 Bu = ROL32((Aku1^Du0), 7); 760 Aba0 = Ba ^((~Be)& Bi ); 761 Aba0 ^= *(pRoundConstants++); 762 Ame1 = Be ^((~Bi)& Bo ); 763 Agi1 = Bi ^((~Bo)& Bu ); 764 Aso1 = Bo ^((~Bu)& Ba ); 765 Aku1 = Bu ^((~Ba)& Be ); 766 767 Ba = (Aba1^Da1); 768 Be = ROL32((Ame0^De1), 22); 769 Bi = ROL32((Agi0^Di0), 21); 770 Bo = ROL32((Aso0^Do0), 10); 771 Bu = ROL32((Aku0^Du1), 7); 772 Aba1 = Ba ^((~Be)& Bi ); 773 Aba1 ^= *(pRoundConstants++); 774 Ame0 = Be ^((~Bi)& Bo ); 775 Agi0 = Bi ^((~Bo)& Bu ); 776 Aso0 = Bo ^((~Bu)& Ba ); 777 Aku0 = Bu ^((~Ba)& Be ); 778 779 Bi = ROL32((Asa1^Da1), 2); 780 Bo = ROL32((Ake1^De1), 23); 781 Bu = ROL32((Abi1^Di1), 31); 782 Ba = ROL32((Amo1^Do0), 14); 783 Be = ROL32((Agu0^Du0), 10); 784 Asa1 = Ba ^((~Be)& Bi ); 785 Ake1 = Be ^((~Bi)& Bo ); 786 Abi1 = Bi ^((~Bo)& Bu ); 787 Amo1 = Bo ^((~Bu)& Ba ); 788 Agu0 = Bu ^((~Ba)& Be ); 789 790 Bi = ROL32((Asa0^Da0), 1); 791 Bo = ROL32((Ake0^De0), 22); 792 Bu = ROL32((Abi0^Di0), 30); 793 Ba = ROL32((Amo0^Do1), 14); 794 Be = ROL32((Agu1^Du1), 10); 795 Asa0 = Ba ^((~Be)& Bi ); 796 Ake0 = Be ^((~Bi)& Bo ); 797 Abi0 = Bi ^((~Bo)& Bu ); 798 Amo0 = Bo ^((~Bu)& Ba ); 799 Agu1 = Bu ^((~Ba)& Be ); 800 801 Bu = ROL32((Ama1^Da0), 9); 802 Ba = ROL32((Age1^De1), 1); 803 Be = ROL32((Asi1^Di0), 3); 804 Bi = ROL32((Ako0^Do1), 13); 805 Bo = ROL32((Abu1^Du0), 4); 806 Ama1 = Ba ^((~Be)& Bi ); 807 Age1 = Be ^((~Bi)& Bo ); 808 Asi1 = Bi ^((~Bo)& Bu ); 809 Ako0 = Bo ^((~Bu)& Ba ); 810 Abu1 = Bu ^((~Ba)& Be ); 811 812 Bu = ROL32((Ama0^Da1), 9); 813 Ba = (Age0^De0); 814 Be = ROL32((Asi0^Di1), 3); 815 Bi = ROL32((Ako1^Do0), 12); 816 Bo = ROL32((Abu0^Du1), 4); 817 Ama0 = Ba ^((~Be)& Bi ); 818 Age0 = Be ^((~Bi)& Bo ); 819 Asi0 = Bi ^((~Bo)& Bu ); 820 Ako1 = Bo ^((~Bu)& Ba ); 821 Abu0 = Bu ^((~Ba)& Be ); 822 823 Be = ROL32((Aka1^Da0), 18); 824 Bi = ROL32((Abe1^De0), 5); 825 Bo = ROL32((Ami0^Di1), 8); 826 Bu = ROL32((Ago1^Do0), 28); 827 Ba = ROL32((Asu1^Du1), 14); 828 Aka1 = Ba ^((~Be)& Bi ); 829 Abe1 = Be ^((~Bi)& Bo ); 830 Ami0 = Bi ^((~Bo)& Bu ); 831 Ago1 = Bo ^((~Bu)& Ba ); 832 Asu1 = Bu ^((~Ba)& Be ); 833 834 Be = ROL32((Aka0^Da1), 18); 835 Bi = ROL32((Abe0^De1), 5); 836 Bo = ROL32((Ami1^Di0), 7); 837 Bu = ROL32((Ago0^Do1), 28); 838 Ba = ROL32((Asu0^Du0), 13); 839 Aka0 = Ba ^((~Be)& Bi ); 840 Abe0 = Be ^((~Bi)& Bo ); 841 Ami1 = Bi ^((~Bo)& Bu ); 842 Ago0 = Bo ^((~Bu)& Ba ); 843 Asu0 = Bu ^((~Ba)& Be ); 844 845 Bo = ROL32((Aga1^Da1), 21); 846 Bu = ROL32((Ase0^De0), 1); 847 Ba = ROL32((Aki1^Di0), 31); 848 Be = ROL32((Abo1^Do1), 28); 849 Bi = ROL32((Amu1^Du1), 20); 850 Aga1 = Ba ^((~Be)& Bi ); 851 Ase0 = Be ^((~Bi)& Bo ); 852 Aki1 = Bi ^((~Bo)& Bu ); 853 Abo1 = Bo ^((~Bu)& Ba ); 854 Amu1 = Bu ^((~Ba)& Be ); 855 856 Bo = ROL32((Aga0^Da0), 20); 857 Bu = ROL32((Ase1^De1), 1); 858 Ba = ROL32((Aki0^Di1), 31); 859 Be = ROL32((Abo0^Do0), 27); 860 Bi = ROL32((Amu0^Du0), 19); 861 Aga0 = Ba ^((~Be)& Bi ); 862 Ase1 = Be ^((~Bi)& Bo ); 863 Aki0 = Bi ^((~Bo)& Bu ); 864 Abo0 = Bo ^((~Bu)& Ba ); 865 Amu0 = Bu ^((~Ba)& Be ); 866 867 KeccakAtoD_round2(); 868 869 Ba = (Aba0^Da0); 870 Be = ROL32((Ake1^De0), 22); 871 Bi = ROL32((Asi0^Di1), 22); 872 Bo = ROL32((Ago0^Do1), 11); 873 Bu = ROL32((Amu1^Du0), 7); 874 Aba0 = Ba ^((~Be)& Bi ); 875 Aba0 ^= *(pRoundConstants++); 876 Ake1 = Be ^((~Bi)& Bo ); 877 Asi0 = Bi ^((~Bo)& Bu ); 878 Ago0 = Bo ^((~Bu)& Ba ); 879 Amu1 = Bu ^((~Ba)& Be ); 880 881 Ba = (Aba1^Da1); 882 Be = ROL32((Ake0^De1), 22); 883 Bi = ROL32((Asi1^Di0), 21); 884 Bo = ROL32((Ago1^Do0), 10); 885 Bu = ROL32((Amu0^Du1), 7); 886 Aba1 = Ba ^((~Be)& Bi ); 887 Aba1 ^= *(pRoundConstants++); 888 Ake0 = Be ^((~Bi)& Bo ); 889 Asi1 = Bi ^((~Bo)& Bu ); 890 Ago1 = Bo ^((~Bu)& Ba ); 891 Amu0 = Bu ^((~Ba)& Be ); 892 893 Bi = ROL32((Ama0^Da1), 2); 894 Bo = ROL32((Abe0^De1), 23); 895 Bu = ROL32((Aki0^Di1), 31); 896 Ba = ROL32((Aso1^Do0), 14); 897 Be = ROL32((Agu0^Du0), 10); 898 Ama0 = Ba ^((~Be)& Bi ); 899 Abe0 = Be ^((~Bi)& Bo ); 900 Aki0 = Bi ^((~Bo)& Bu ); 901 Aso1 = Bo ^((~Bu)& Ba ); 902 Agu0 = Bu ^((~Ba)& Be ); 903 904 Bi = ROL32((Ama1^Da0), 1); 905 Bo = ROL32((Abe1^De0), 22); 906 Bu = ROL32((Aki1^Di0), 30); 907 Ba = ROL32((Aso0^Do1), 14); 908 Be = ROL32((Agu1^Du1), 10); 909 Ama1 = Ba ^((~Be)& Bi ); 910 Abe1 = Be ^((~Bi)& Bo ); 911 Aki1 = Bi ^((~Bo)& Bu ); 912 Aso0 = Bo ^((~Bu)& Ba ); 913 Agu1 = Bu ^((~Ba)& Be ); 914 915 Bu = ROL32((Aga1^Da0), 9); 916 Ba = ROL32((Ame0^De1), 1); 917 Be = ROL32((Abi1^Di0), 3); 918 Bi = ROL32((Ako1^Do1), 13); 919 Bo = ROL32((Asu1^Du0), 4); 920 Aga1 = Ba ^((~Be)& Bi ); 921 Ame0 = Be ^((~Bi)& Bo ); 922 Abi1 = Bi ^((~Bo)& Bu ); 923 Ako1 = Bo ^((~Bu)& Ba ); 924 Asu1 = Bu ^((~Ba)& Be ); 925 926 Bu = ROL32((Aga0^Da1), 9); 927 Ba = (Ame1^De0); 928 Be = ROL32((Abi0^Di1), 3); 929 Bi = ROL32((Ako0^Do0), 12); 930 Bo = ROL32((Asu0^Du1), 4); 931 Aga0 = Ba ^((~Be)& Bi ); 932 Ame1 = Be ^((~Bi)& Bo ); 933 Abi0 = Bi ^((~Bo)& Bu ); 934 Ako0 = Bo ^((~Bu)& Ba ); 935 Asu0 = Bu ^((~Ba)& Be ); 936 937 Be = ROL32((Asa1^Da0), 18); 938 Bi = ROL32((Age1^De0), 5); 939 Bo = ROL32((Ami1^Di1), 8); 940 Bu = ROL32((Abo1^Do0), 28); 941 Ba = ROL32((Aku0^Du1), 14); 942 Asa1 = Ba ^((~Be)& Bi ); 943 Age1 = Be ^((~Bi)& Bo ); 944 Ami1 = Bi ^((~Bo)& Bu ); 945 Abo1 = Bo ^((~Bu)& Ba ); 946 Aku0 = Bu ^((~Ba)& Be ); 947 948 Be = ROL32((Asa0^Da1), 18); 949 Bi = ROL32((Age0^De1), 5); 950 Bo = ROL32((Ami0^Di0), 7); 951 Bu = ROL32((Abo0^Do1), 28); 952 Ba = ROL32((Aku1^Du0), 13); 953 Asa0 = Ba ^((~Be)& Bi ); 954 Age0 = Be ^((~Bi)& Bo ); 955 Ami0 = Bi ^((~Bo)& Bu ); 956 Abo0 = Bo ^((~Bu)& Ba ); 957 Aku1 = Bu ^((~Ba)& Be ); 958 959 Bo = ROL32((Aka0^Da1), 21); 960 Bu = ROL32((Ase0^De0), 1); 961 Ba = ROL32((Agi1^Di0), 31); 962 Be = ROL32((Amo0^Do1), 28); 963 Bi = ROL32((Abu0^Du1), 20); 964 Aka0 = Ba ^((~Be)& Bi ); 965 Ase0 = Be ^((~Bi)& Bo ); 966 Agi1 = Bi ^((~Bo)& Bu ); 967 Amo0 = Bo ^((~Bu)& Ba ); 968 Abu0 = Bu ^((~Ba)& Be ); 969 970 Bo = ROL32((Aka1^Da0), 20); 971 Bu = ROL32((Ase1^De1), 1); 972 Ba = ROL32((Agi0^Di1), 31); 973 Be = ROL32((Amo1^Do0), 27); 974 Bi = ROL32((Abu1^Du0), 19); 975 Aka1 = Ba ^((~Be)& Bi ); 976 Ase1 = Be ^((~Bi)& Bo ); 977 Agi0 = Bi ^((~Bo)& Bu ); 978 Amo1 = Bo ^((~Bu)& Ba ); 979 Abu1 = Bu ^((~Ba)& Be ); 980 981 KeccakAtoD_round3(); 982 983 Ba = (Aba0^Da0); 984 Be = ROL32((Abe0^De0), 22); 985 Bi = ROL32((Abi0^Di1), 22); 986 Bo = ROL32((Abo0^Do1), 11); 987 Bu = ROL32((Abu0^Du0), 7); 988 Aba0 = Ba ^((~Be)& Bi ); 989 Aba0 ^= *(pRoundConstants++); 990 Abe0 = Be ^((~Bi)& Bo ); 991 Abi0 = Bi ^((~Bo)& Bu ); 992 Abo0 = Bo ^((~Bu)& Ba ); 993 Abu0 = Bu ^((~Ba)& Be ); 994 995 Ba = (Aba1^Da1); 996 Be = ROL32((Abe1^De1), 22); 997 Bi = ROL32((Abi1^Di0), 21); 998 Bo = ROL32((Abo1^Do0), 10); 999 Bu = ROL32((Abu1^Du1), 7); 1000 Aba1 = Ba ^((~Be)& Bi ); 1001 Aba1 ^= *(pRoundConstants++); 1002 Abe1 = Be ^((~Bi)& Bo ); 1003 Abi1 = Bi ^((~Bo)& Bu ); 1004 Abo1 = Bo ^((~Bu)& Ba ); 1005 Abu1 = Bu ^((~Ba)& Be ); 1006 1007 Bi = ROL32((Aga0^Da1), 2); 1008 Bo = ROL32((Age0^De1), 23); 1009 Bu = ROL32((Agi0^Di1), 31); 1010 Ba = ROL32((Ago0^Do0), 14); 1011 Be = ROL32((Agu0^Du0), 10); 1012 Aga0 = Ba ^((~Be)& Bi ); 1013 Age0 = Be ^((~Bi)& Bo ); 1014 Agi0 = Bi ^((~Bo)& Bu ); 1015 Ago0 = Bo ^((~Bu)& Ba ); 1016 Agu0 = Bu ^((~Ba)& Be ); 1017 1018 Bi = ROL32((Aga1^Da0), 1); 1019 Bo = ROL32((Age1^De0), 22); 1020 Bu = ROL32((Agi1^Di0), 30); 1021 Ba = ROL32((Ago1^Do1), 14); 1022 Be = ROL32((Agu1^Du1), 10); 1023 Aga1 = Ba ^((~Be)& Bi ); 1024 Age1 = Be ^((~Bi)& Bo ); 1025 Agi1 = Bi ^((~Bo)& Bu ); 1026 Ago1 = Bo ^((~Bu)& Ba ); 1027 Agu1 = Bu ^((~Ba)& Be ); 1028 1029 Bu = ROL32((Aka0^Da0), 9); 1030 Ba = ROL32((Ake0^De1), 1); 1031 Be = ROL32((Aki0^Di0), 3); 1032 Bi = ROL32((Ako0^Do1), 13); 1033 Bo = ROL32((Aku0^Du0), 4); 1034 Aka0 = Ba ^((~Be)& Bi ); 1035 Ake0 = Be ^((~Bi)& Bo ); 1036 Aki0 = Bi ^((~Bo)& Bu ); 1037 Ako0 = Bo ^((~Bu)& Ba ); 1038 Aku0 = Bu ^((~Ba)& Be ); 1039 1040 Bu = ROL32((Aka1^Da1), 9); 1041 Ba = (Ake1^De0); 1042 Be = ROL32((Aki1^Di1), 3); 1043 Bi = ROL32((Ako1^Do0), 12); 1044 Bo = ROL32((Aku1^Du1), 4); 1045 Aka1 = Ba ^((~Be)& Bi ); 1046 Ake1 = Be ^((~Bi)& Bo ); 1047 Aki1 = Bi ^((~Bo)& Bu ); 1048 Ako1 = Bo ^((~Bu)& Ba ); 1049 Aku1 = Bu ^((~Ba)& Be ); 1050 1051 Be = ROL32((Ama0^Da0), 18); 1052 Bi = ROL32((Ame0^De0), 5); 1053 Bo = ROL32((Ami0^Di1), 8); 1054 Bu = ROL32((Amo0^Do0), 28); 1055 Ba = ROL32((Amu0^Du1), 14); 1056 Ama0 = Ba ^((~Be)& Bi ); 1057 Ame0 = Be ^((~Bi)& Bo ); 1058 Ami0 = Bi ^((~Bo)& Bu ); 1059 Amo0 = Bo ^((~Bu)& Ba ); 1060 Amu0 = Bu ^((~Ba)& Be ); 1061 1062 Be = ROL32((Ama1^Da1), 18); 1063 Bi = ROL32((Ame1^De1), 5); 1064 Bo = ROL32((Ami1^Di0), 7); 1065 Bu = ROL32((Amo1^Do1), 28); 1066 Ba = ROL32((Amu1^Du0), 13); 1067 Ama1 = Ba ^((~Be)& Bi ); 1068 Ame1 = Be ^((~Bi)& Bo ); 1069 Ami1 = Bi ^((~Bo)& Bu ); 1070 Amo1 = Bo ^((~Bu)& Ba ); 1071 Amu1 = Bu ^((~Ba)& Be ); 1072 1073 Bo = ROL32((Asa0^Da1), 21); 1074 Bu = ROL32((Ase0^De0), 1); 1075 Ba = ROL32((Asi0^Di0), 31); 1076 Be = ROL32((Aso0^Do1), 28); 1077 Bi = ROL32((Asu0^Du1), 20); 1078 Asa0 = Ba ^((~Be)& Bi ); 1079 Ase0 = Be ^((~Bi)& Bo ); 1080 Asi0 = Bi ^((~Bo)& Bu ); 1081 Aso0 = Bo ^((~Bu)& Ba ); 1082 Asu0 = Bu ^((~Ba)& Be ); 1083 1084 Bo = ROL32((Asa1^Da0), 20); 1085 Bu = ROL32((Ase1^De1), 1); 1086 Ba = ROL32((Asi1^Di1), 31); 1087 Be = ROL32((Aso1^Do0), 27); 1088 Bi = ROL32((Asu1^Du0), 19); 1089 Asa1 = Ba ^((~Be)& Bi ); 1090 Ase1 = Be ^((~Bi)& Bo ); 1091 Asi1 = Bi ^((~Bo)& Bu ); 1092 Aso1 = Bo ^((~Bu)& Ba ); 1093 Asu1 = Bu ^((~Ba)& Be ); 1094 } 1095 while ( *pRoundConstants != 0xFF ); 1096 1097 #undef Aba0 1098 #undef Aba1 1099 #undef Abe0 1100 #undef Abe1 1101 #undef Abi0 1102 #undef Abi1 1103 #undef Abo0 1104 #undef Abo1 1105 #undef Abu0 1106 #undef Abu1 1107 #undef Aga0 1108 #undef Aga1 1109 #undef Age0 1110 #undef Age1 1111 #undef Agi0 1112 #undef Agi1 1113 #undef Ago0 1114 #undef Ago1 1115 #undef Agu0 1116 #undef Agu1 1117 #undef Aka0 1118 #undef Aka1 1119 #undef Ake0 1120 #undef Ake1 1121 #undef Aki0 1122 #undef Aki1 1123 #undef Ako0 1124 #undef Ako1 1125 #undef Aku0 1126 #undef Aku1 1127 #undef Ama0 1128 #undef Ama1 1129 #undef Ame0 1130 #undef Ame1 1131 #undef Ami0 1132 #undef Ami1 1133 #undef Amo0 1134 #undef Amo1 1135 #undef Amu0 1136 #undef Amu1 1137 #undef Asa0 1138 #undef Asa1 1139 #undef Ase0 1140 #undef Ase1 1141 #undef Asi0 1142 #undef Asi1 1143 #undef Aso0 1144 #undef Aso1 1145 #undef Asu0 1146 #undef Asu1 1147 } 1148 } 1149 1150 /* ---------------------------------------------------------------- */ 1151 1152 void KeccakP1600_Permute_12rounds(void *state) 1153 { 1154 KeccakP1600_Permute_Nrounds(state, 12); 1155 } 1156 1157 /* ---------------------------------------------------------------- */ 1158 1159 void KeccakP1600_Permute_24rounds(void *state) 1160 { 1161 KeccakP1600_Permute_Nrounds(state, 24); 1162 } 1163