search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added the BLAKE2 hash algorithm.
[MUtilities.git] / src / 3rd_party / keccak / include / keccak_impl.h
blob74649e912a619149064b8b02bc31ea17c090f2d8
1 /***************************************************************************
2 ** **
3 ** Keccak (http://keccak.noekeon.org/) implementation file **
4 ** **
5 ** This file implements the Keccak hash algorithm as provided by the **
6 ** inventors, and submitted to the third round of the NIST SHA-3 **
7 ** competition. **
8 ** For the QKeccakHash wrapper, the originally multiple files were **
9 ** combined in this one. Slight modifications have been made to **
10 ** allow use in C++ as an independently included .cpp file. **
11 ** It is not meant to be compiled into an object, hence, there is no **
12 ** header. **
13 ** **
14 ** The code here is not part of the actual QKeccakHash implementation **
15 ** and thus not licensed under the GPLv3 but under its respecitve **
16 ** license given by the inventors. Typically, this means it is in the **
17 ** public domain, if not noted otherwise. **
18 ** **
19 ***************************************************************************/
20
21 namespace MUtils {
22 namespace Hash {
23 namespace Internal {
24 namespace KeccakImpl {
25
26 typedef unsigned char UINT8;
27 typedef unsigned short UINT16;
28 typedef unsigned int UINT32;
29 typedef unsigned long long int UINT64;
30
31 // ================================================================================
32 // =================== brg_endian.h
33 // ================================================================================
34
35
36 /*
37 ---------------------------------------------------------------------------
38 Copyright (c) 1998-2008, Brian Gladman, Worcester, UK. All rights reserved.
39
40 LICENSE TERMS
41
42 The redistribution and use of this software (with or without changes)
43 is allowed without the payment of fees or royalties provided that:
44
45 1. source code distributions include the above copyright notice, this
46 list of conditions and the following disclaimer;
47
48 2. binary distributions include the above copyright notice, this list
49 of conditions and the following disclaimer in their documentation;
50
51 3. the name of the copyright holder is not used to endorse products
52 built using this software without specific written permission.
53
54 DISCLAIMER
55
56 This software is provided 'as is' with no explicit or implied warranties
57 in respect of its properties, including, but not limited to, correctness
58 and/or fitness for purpose.
59 ---------------------------------------------------------------------------
60 Issue Date: 20/12/2007
61 Changes for ARM 9/9/2010
62 */
63
64 #ifndef _BRG_ENDIAN_H
65 #define _BRG_ENDIAN_H
66
67 #define IS_BIG_ENDIAN 4321 /* byte 0 is most significant (mc68k) */
68 #define IS_LITTLE_ENDIAN 1234 /* byte 0 is least significant (i386) */
69
70 #if 0
71 /* Include files where endian defines and byteswap functions may reside */
72 #if defined( __sun )
73 # include <sys/isa_defs.h>
74 #elif defined( __FreeBSD__ ) || defined( __OpenBSD__ ) || defined( __NetBSD__ )
75 # include <sys/endian.h>
76 #elif defined( BSD ) && ( BSD >= 199103 ) || defined( __APPLE__ ) || \
77 defined( __CYGWIN32__ ) || defined( __DJGPP__ ) || defined( __osf__ )
78 # include <machine/endian.h>
79 #elif defined( __linux__ ) || defined( __GNUC__ ) || defined( __GNU_LIBRARY__ )
80 # if !defined( __MINGW32__ ) && !defined( _AIX )
81 # include <endian.h>
82 # if !defined( __BEOS__ )
83 # include <byteswap.h>
84 # endif
85 # endif
86 #endif
87 #endif
88
89 /* Now attempt to set the define for platform byte order using any */
90 /* of the four forms SYMBOL, _SYMBOL, __SYMBOL & __SYMBOL__, which */
91 /* seem to encompass most endian symbol definitions */
92
93 #if defined( BIG_ENDIAN ) && defined( LITTLE_ENDIAN )
94 # if defined( BYTE_ORDER ) && BYTE_ORDER == BIG_ENDIAN
95 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
96 # elif defined( BYTE_ORDER ) && BYTE_ORDER == LITTLE_ENDIAN
97 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
98 # endif
99 #elif defined( BIG_ENDIAN )
100 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
101 #elif defined( LITTLE_ENDIAN )
102 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
103 #endif
104
105 #if defined( _BIG_ENDIAN ) && defined( _LITTLE_ENDIAN )
106 # if defined( _BYTE_ORDER ) && _BYTE_ORDER == _BIG_ENDIAN
107 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
108 # elif defined( _BYTE_ORDER ) && _BYTE_ORDER == _LITTLE_ENDIAN
109 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
110 # endif
111 #elif defined( _BIG_ENDIAN )
112 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
113 #elif defined( _LITTLE_ENDIAN )
114 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
115 #endif
116
117 #if defined( __BIG_ENDIAN ) && defined( __LITTLE_ENDIAN )
118 # if defined( __BYTE_ORDER ) && __BYTE_ORDER == __BIG_ENDIAN
119 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
120 # elif defined( __BYTE_ORDER ) && __BYTE_ORDER == __LITTLE_ENDIAN
121 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
122 # endif
123 #elif defined( __BIG_ENDIAN )
124 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
125 #elif defined( __LITTLE_ENDIAN )
126 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
127 #endif
128
129 #if defined( __BIG_ENDIAN__ ) && defined( __LITTLE_ENDIAN__ )
130 # if defined( __BYTE_ORDER__ ) && __BYTE_ORDER__ == __BIG_ENDIAN__
131 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
132 # elif defined( __BYTE_ORDER__ ) && __BYTE_ORDER__ == __LITTLE_ENDIAN__
133 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
134 # endif
135 #elif defined( __BIG_ENDIAN__ )
136 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
137 #elif defined( __LITTLE_ENDIAN__ )
138 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
139 #endif
140
141 /* if the platform byte order could not be determined, then try to */
142 /* set this define using common machine defines */
143 #if !defined(PLATFORM_BYTE_ORDER)
144
145 #if defined( __alpha__ ) || defined( __alpha ) || defined( i386 ) || \
146 defined( __i386__ ) || defined( _M_I86 ) || defined( _M_IX86 ) || \
147 defined( __OS2__ ) || defined( sun386 ) || defined( __TURBOC__ ) || \
148 defined( vax ) || defined( vms ) || defined( VMS ) || \
149 defined( __VMS ) || defined( _M_X64 )
150 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
151
152 #elif defined( AMIGA ) || defined( applec ) || defined( __AS400__ ) || \
153 defined( _CRAY ) || defined( __hppa ) || defined( __hp9000 ) || \
154 defined( ibm370 ) || defined( mc68000 ) || defined( m68k ) || \
155 defined( __MRC__ ) || defined( __MVS__ ) || defined( __MWERKS__ ) || \
156 defined( sparc ) || defined( __sparc) || defined( SYMANTEC_C ) || \
157 defined( __VOS__ ) || defined( __TIGCC__ ) || defined( __TANDEM ) || \
158 defined( THINK_C ) || defined( __VMCMS__ ) || defined( _AIX )
159 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
160
161 #elif defined(__arm__)
162 # ifdef __BIG_ENDIAN
163 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
164 # else
165 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
166 # endif
167 #elif 1 /* **** EDIT HERE IF NECESSARY **** */
168 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
169 #elif 0 /* **** EDIT HERE IF NECESSARY **** */
170 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
171 #else
172 # error Please edit lines 132 or 134 in brg_endian.h to set the platform byte order
173 #endif
174
175 #endif
176
177 #endif
178
179 // ================================================================================
180 // =================== KeccakSponge.h
181 // ================================================================================
182
183 /*
184 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
185 Michaël Peeters and Gilles Van Assche. For more information, feedback or
186 questions, please refer to our website: http://keccak.noekeon.org/
187
188 Implementation by the designers,
189 hereby denoted as "the implementer".
190
191 To the extent possible under law, the implementer has waived all copyright
192 and related or neighboring rights to the source code in this file.
193 http://creativecommons.org/publicdomain/zero/1.0/
194 */
195
196 #ifndef _KeccakSponge_h_
197 #define _KeccakSponge_h_
198
199 /**
200 * Function to initialize the state of the Keccak[r, c] sponge function.
201 * The sponge function is set to the absorbing phase.
202 * @param state Pointer to the state of the sponge function to be initialized.
203 * @param rate The value of the rate r.
204 * @param capacity The value of the capacity c.
205 * @pre One must have r+c=1600 and the rate a multiple of 64 bits in this implementation.
206 * @return Zero if successful, 1 otherwise.
207 */
208 int InitSponge(spongeState *state, unsigned int rate, unsigned int capacity);
209 /**
210 * Function to give input data for the sponge function to absorb.
211 * @param state Pointer to the state of the sponge function initialized by InitSponge().
212 * @param data Pointer to the input data.
213 * When @a databitLen is not a multiple of 8, the last bits of data must be
214 * in the least significant bits of the last byte.
215 * @param databitLen The number of input bits provided in the input data.
216 * @pre In the previous call to Absorb(), databitLen was a multiple of 8.
217 * @pre The sponge function must be in the absorbing phase,
218 * i.e., Squeeze() must not have been called before.
219 * @return Zero if successful, 1 otherwise.
220 */
221 int Absorb(spongeState *state, const unsigned char *data, unsigned long long databitlen);
222 /**
223 * Function to squeeze output data from the sponge function.
224 * If the sponge function was in the absorbing phase, this function
225 * switches it to the squeezing phase.
226 * @param state Pointer to the state of the sponge function initialized by InitSponge().
227 * @param output Pointer to the buffer where to store the output data.
228 * @param outputLength The number of output bits desired.
229 * It must be a multiple of 8.
230 * @return Zero if successful, 1 otherwise.
231 */
232 int Squeeze(spongeState *state, unsigned char *output, unsigned long long outputLength);
233
234 #endif
235
236 // ================================================================================
237 // =================== KeccakF-1600-int-set.h
238 // ================================================================================
239
240
241 #define ProvideFast576
242 #define ProvideFast832
243 #define ProvideFast1024
244 #define ProvideFast1088
245 #define ProvideFast1152
246 #define ProvideFast1344
247
248
249 // ================================================================================
250 // =================== KeccakF-1600-interface.h
251 // ================================================================================
252
253
254 /*
255 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
256 Michaël Peeters and Gilles Van Assche. For more information, feedback or
257 questions, please refer to our website: http://keccak.noekeon.org/
258
259 Implementation by the designers,
260 hereby denoted as "the implementer".
261
262 To the extent possible under law, the implementer has waived all copyright
263 and related or neighboring rights to the source code in this file.
264 http://creativecommons.org/publicdomain/zero/1.0/
265 */
266
267 #ifndef _KeccakPermutationInterface_h_
268 #define _KeccakPermutationInterface_h_
269
270 //#include "KeccakF-1600-int-set.h"
271
272 void KeccakInitialize( void );
273 void KeccakInitializeState(unsigned char *state);
274 void KeccakPermutation(unsigned char *state);
275 #ifdef ProvideFast576
276 void KeccakAbsorb576bits(unsigned char *state, const unsigned char *data);
277 #endif
278 #ifdef ProvideFast832
279 void KeccakAbsorb832bits(unsigned char *state, const unsigned char *data);
280 #endif
281 #ifdef ProvideFast1024
282 void KeccakAbsorb1024bits(unsigned char *state, const unsigned char *data);
283 #endif
284 #ifdef ProvideFast1088
285 void KeccakAbsorb1088bits(unsigned char *state, const unsigned char *data);
286 #endif
287 #ifdef ProvideFast1152
288 void KeccakAbsorb1152bits(unsigned char *state, const unsigned char *data);
289 #endif
290 #ifdef ProvideFast1344
291 void KeccakAbsorb1344bits(unsigned char *state, const unsigned char *data);
292 #endif
293 void KeccakAbsorb(unsigned char *state, const unsigned char *data, unsigned int laneCount);
294 #ifdef ProvideFast1024
295 void KeccakExtract1024bits(const unsigned char *state, unsigned char *data);
296 #endif
297 void KeccakExtract(const unsigned char *state, unsigned char *data, unsigned int laneCount);
298
299 #endif
300
301
302 // ================================================================================
303 // =================== KeccakF-1600-opt32-settings.h
304 // ================================================================================
305
306
307 #define Unrolling 2
308 //#define UseBebigokimisa
309 //#define UseInterleaveTables
310 #define UseSchedule 3
311
312
313 // ================================================================================
314 // =================== KeccakF-1600-unrolling.macros
315 // ================================================================================
316
317 /*
318 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
319 Michaël Peeters and Gilles Van Assche. For more information, feedback or
320 questions, please refer to our website: http://keccak.noekeon.org/
321
322 Implementation by the designers,
323 hereby denoted as "the implementer".
324
325 To the extent possible under law, the implementer has waived all copyright
326 and related or neighboring rights to the source code in this file.
327 http://creativecommons.org/publicdomain/zero/1.0/
328 */
329
330 #if (Unrolling == 24)
331 #define rounds \
332 prepareTheta \
333 thetaRhoPiChiIotaPrepareTheta( 0, A, E) \
334 thetaRhoPiChiIotaPrepareTheta( 1, E, A) \
335 thetaRhoPiChiIotaPrepareTheta( 2, A, E) \
336 thetaRhoPiChiIotaPrepareTheta( 3, E, A) \
337 thetaRhoPiChiIotaPrepareTheta( 4, A, E) \
338 thetaRhoPiChiIotaPrepareTheta( 5, E, A) \
339 thetaRhoPiChiIotaPrepareTheta( 6, A, E) \
340 thetaRhoPiChiIotaPrepareTheta( 7, E, A) \
341 thetaRhoPiChiIotaPrepareTheta( 8, A, E) \
342 thetaRhoPiChiIotaPrepareTheta( 9, E, A) \
343 thetaRhoPiChiIotaPrepareTheta(10, A, E) \
344 thetaRhoPiChiIotaPrepareTheta(11, E, A) \
345 thetaRhoPiChiIotaPrepareTheta(12, A, E) \
346 thetaRhoPiChiIotaPrepareTheta(13, E, A) \
347 thetaRhoPiChiIotaPrepareTheta(14, A, E) \
348 thetaRhoPiChiIotaPrepareTheta(15, E, A) \
349 thetaRhoPiChiIotaPrepareTheta(16, A, E) \
350 thetaRhoPiChiIotaPrepareTheta(17, E, A) \
351 thetaRhoPiChiIotaPrepareTheta(18, A, E) \
352 thetaRhoPiChiIotaPrepareTheta(19, E, A) \
353 thetaRhoPiChiIotaPrepareTheta(20, A, E) \
354 thetaRhoPiChiIotaPrepareTheta(21, E, A) \
355 thetaRhoPiChiIotaPrepareTheta(22, A, E) \
356 thetaRhoPiChiIota(23, E, A) \
357 copyToState(state, A)
358 #elif (Unrolling == 12)
359 #define rounds \
360 prepareTheta \
361 for(i=0; i<24; i+=12) { \
362 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
363 thetaRhoPiChiIotaPrepareTheta(i+ 1, E, A) \
364 thetaRhoPiChiIotaPrepareTheta(i+ 2, A, E) \
365 thetaRhoPiChiIotaPrepareTheta(i+ 3, E, A) \
366 thetaRhoPiChiIotaPrepareTheta(i+ 4, A, E) \
367 thetaRhoPiChiIotaPrepareTheta(i+ 5, E, A) \
368 thetaRhoPiChiIotaPrepareTheta(i+ 6, A, E) \
369 thetaRhoPiChiIotaPrepareTheta(i+ 7, E, A) \
370 thetaRhoPiChiIotaPrepareTheta(i+ 8, A, E) \
371 thetaRhoPiChiIotaPrepareTheta(i+ 9, E, A) \
372 thetaRhoPiChiIotaPrepareTheta(i+10, A, E) \
373 thetaRhoPiChiIotaPrepareTheta(i+11, E, A) \
374 } \
375 copyToState(state, A)
376 #elif (Unrolling == 8)
377 #define rounds \
378 prepareTheta \
379 for(i=0; i<24; i+=8) { \
380 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
381 thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \
382 thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \
383 thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \
384 thetaRhoPiChiIotaPrepareTheta(i+4, A, E) \
385 thetaRhoPiChiIotaPrepareTheta(i+5, E, A) \
386 thetaRhoPiChiIotaPrepareTheta(i+6, A, E) \
387 thetaRhoPiChiIotaPrepareTheta(i+7, E, A) \
388 } \
389 copyToState(state, A)
390 #elif (Unrolling == 6)
391 #define rounds \
392 prepareTheta \
393 for(i=0; i<24; i+=6) { \
394 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
395 thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \
396 thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \
397 thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \
398 thetaRhoPiChiIotaPrepareTheta(i+4, A, E) \
399 thetaRhoPiChiIotaPrepareTheta(i+5, E, A) \
400 } \
401 copyToState(state, A)
402 #elif (Unrolling == 4)
403 #define rounds \
404 prepareTheta \
405 for(i=0; i<24; i+=4) { \
406 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
407 thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \
408 thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \
409 thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \
410 } \
411 copyToState(state, A)
412 #elif (Unrolling == 3)
413 #define rounds \
414 prepareTheta \
415 for(i=0; i<24; i+=3) { \
416 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
417 thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \
418 thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \
419 copyStateVariables(A, E) \
420 } \
421 copyToState(state, A)
422 #elif (Unrolling == 2)
423 #define rounds \
424 prepareTheta \
425 for(i=0; i<24; i+=2) { \
426 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
427 thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \
428 } \
429 copyToState(state, A)
430 #elif (Unrolling == 1)
431 #define rounds \
432 prepareTheta \
433 for(i=0; i<24; i++) { \
434 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
435 copyStateVariables(A, E) \
436 } \
437 copyToState(state, A)
438 #else
439 #error "Unrolling is not correctly specified!"
440 #endif
441
442
443 // ================================================================================
444 // =================== KeccakF-1600-32-rvk.macros
445 // ================================================================================
446
447 /*
448 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
449 Michaël Peeters and Gilles Van Assche. For more information, feedback or
450 questions, please refer to our website: http://keccak.noekeon.org/
451
452 Implementation by Ronny Van Keer,
453 hereby denoted as "the implementer".
454
455 To the extent possible under law, the implementer has waived all copyright
456 and related or neighboring rights to the source code in this file.
457 http://creativecommons.org/publicdomain/zero/1.0/
458 */
459
460 static const UINT32 KeccakF1600RoundConstants_int2[2*24] =
461 {
462 0x00000001UL, 0x00000000UL,
463 0x00000000UL, 0x00000089UL,
464 0x00000000UL, 0x8000008bUL,
465 0x00000000UL, 0x80008080UL,
466 0x00000001UL, 0x0000008bUL,
467 0x00000001UL, 0x00008000UL,
468 0x00000001UL, 0x80008088UL,
469 0x00000001UL, 0x80000082UL,
470 0x00000000UL, 0x0000000bUL,
471 0x00000000UL, 0x0000000aUL,
472 0x00000001UL, 0x00008082UL,
473 0x00000000UL, 0x00008003UL,
474 0x00000001UL, 0x0000808bUL,
475 0x00000001UL, 0x8000000bUL,
476 0x00000001UL, 0x8000008aUL,
477 0x00000001UL, 0x80000081UL,
478 0x00000000UL, 0x80000081UL,
479 0x00000000UL, 0x80000008UL,
480 0x00000000UL, 0x00000083UL,
481 0x00000000UL, 0x80008003UL,
482 0x00000001UL, 0x80008088UL,
483 0x00000000UL, 0x80000088UL,
484 0x00000001UL, 0x00008000UL,
485 0x00000000UL, 0x80008082UL
486 };
487
488 #undef rounds
489
490 #define rounds \
491 { \
492 UINT32 Da0, De0, Di0, Do0, Du0; \
493 UINT32 Da1, De1, Di1, Do1, Du1; \
494 UINT32 Ba, Be, Bi, Bo, Bu; \
495 UINT32 Aba0, Abe0, Abi0, Abo0, Abu0; \
496 UINT32 Aba1, Abe1, Abi1, Abo1, Abu1; \
497 UINT32 Aga0, Age0, Agi0, Ago0, Agu0; \
498 UINT32 Aga1, Age1, Agi1, Ago1, Agu1; \
499 UINT32 Aka0, Ake0, Aki0, Ako0, Aku0; \
500 UINT32 Aka1, Ake1, Aki1, Ako1, Aku1; \
501 UINT32 Ama0, Ame0, Ami0, Amo0, Amu0; \
502 UINT32 Ama1, Ame1, Ami1, Amo1, Amu1; \
503 UINT32 Asa0, Ase0, Asi0, Aso0, Asu0; \
504 UINT32 Asa1, Ase1, Asi1, Aso1, Asu1; \
505 UINT32 Cw, Cx, Cy, Cz; \
506 UINT32 Eba0, Ebe0, Ebi0, Ebo0, Ebu0; \
507 UINT32 Eba1, Ebe1, Ebi1, Ebo1, Ebu1; \
508 UINT32 Ega0, Ege0, Egi0, Ego0, Egu0; \
509 UINT32 Ega1, Ege1, Egi1, Ego1, Egu1; \
510 UINT32 Eka0, Eke0, Eki0, Eko0, Eku0; \
511 UINT32 Eka1, Eke1, Eki1, Eko1, Eku1; \
512 UINT32 Ema0, Eme0, Emi0, Emo0, Emu0; \
513 UINT32 Ema1, Eme1, Emi1, Emo1, Emu1; \
514 UINT32 Esa0, Ese0, Esi0, Eso0, Esu0; \
515 UINT32 Esa1, Ese1, Esi1, Eso1, Esu1; \
516 const UINT32 * pRoundConstants = KeccakF1600RoundConstants_int2; \
517 UINT32 i; \
518 \
519 copyFromState(A, state) \
520 \
521 for( i = 12; i != 0; --i ) { \
522 Cx = Abu0^Agu0^Aku0^Amu0^Asu0; \
523 Du1 = Abe1^Age1^Ake1^Ame1^Ase1; \
524 Da0 = Cx^ROL32(Du1, 1); \
525 Cz = Abu1^Agu1^Aku1^Amu1^Asu1; \
526 Du0 = Abe0^Age0^Ake0^Ame0^Ase0; \
527 Da1 = Cz^Du0; \
528 \
529 Cw = Abi0^Agi0^Aki0^Ami0^Asi0; \
530 Do0 = Cw^ROL32(Cz, 1); \
531 Cy = Abi1^Agi1^Aki1^Ami1^Asi1; \
532 Do1 = Cy^Cx; \
533 \
534 Cx = Aba0^Aga0^Aka0^Ama0^Asa0; \
535 De0 = Cx^ROL32(Cy, 1); \
536 Cz = Aba1^Aga1^Aka1^Ama1^Asa1; \
537 De1 = Cz^Cw; \
538 \
539 Cy = Abo1^Ago1^Ako1^Amo1^Aso1; \
540 Di0 = Du0^ROL32(Cy, 1); \
541 Cw = Abo0^Ago0^Ako0^Amo0^Aso0; \
542 Di1 = Du1^Cw; \
543 \
544 Du0 = Cw^ROL32(Cz, 1); \
545 Du1 = Cy^Cx; \
546 \
547 Aba0 ^= Da0; \
548 Ba = Aba0; \
549 Age0 ^= De0; \
550 Be = ROL32(Age0, 22); \
551 Aki1 ^= Di1; \
552 Bi = ROL32(Aki1, 22); \
553 Amo1 ^= Do1; \
554 Bo = ROL32(Amo1, 11); \
555 Asu0 ^= Du0; \
556 Bu = ROL32(Asu0, 7); \
557 Eba0 = Ba ^((~Be)& Bi ) ^ *(pRoundConstants++); \
558 Ebe0 = Be ^((~Bi)& Bo ); \
559 Ebi0 = Bi ^((~Bo)& Bu ); \
560 Ebo0 = Bo ^((~Bu)& Ba ); \
561 Ebu0 = Bu ^((~Ba)& Be ); \
562 \
563 Abo0 ^= Do0; \
564 Ba = ROL32(Abo0, 14); \
565 Agu0 ^= Du0; \
566 Be = ROL32(Agu0, 10); \
567 Aka1 ^= Da1; \
568 Bi = ROL32(Aka1, 2); \
569 Ame1 ^= De1; \
570 Bo = ROL32(Ame1, 23); \
571 Asi1 ^= Di1; \
572 Bu = ROL32(Asi1, 31); \
573 Ega0 = Ba ^((~Be)& Bi ); \
574 Ege0 = Be ^((~Bi)& Bo ); \
575 Egi0 = Bi ^((~Bo)& Bu ); \
576 Ego0 = Bo ^((~Bu)& Ba ); \
577 Egu0 = Bu ^((~Ba)& Be ); \
578 \
579 Abe1 ^= De1; \
580 Ba = ROL32(Abe1, 1); \
581 Agi0 ^= Di0; \
582 Be = ROL32(Agi0, 3); \
583 Ako1 ^= Do1; \
584 Bi = ROL32(Ako1, 13); \
585 Amu0 ^= Du0; \
586 Bo = ROL32(Amu0, 4); \
587 Asa0 ^= Da0; \
588 Bu = ROL32(Asa0, 9); \
589 Eka0 = Ba ^((~Be)& Bi ); \
590 Eke0 = Be ^((~Bi)& Bo ); \
591 Eki0 = Bi ^((~Bo)& Bu ); \
592 Eko0 = Bo ^((~Bu)& Ba ); \
593 Eku0 = Bu ^((~Ba)& Be ); \
594 \
595 Abu1 ^= Du1; \
596 Ba = ROL32(Abu1, 14); \
597 Aga0 ^= Da0; \
598 Be = ROL32(Aga0, 18); \
599 Ake0 ^= De0; \
600 Bi = ROL32(Ake0, 5); \
601 Ami1 ^= Di1; \
602 Bo = ROL32(Ami1, 8); \
603 Aso0 ^= Do0; \
604 Bu = ROL32(Aso0, 28); \
605 Ema0 = Ba ^((~Be)& Bi ); \
606 Eme0 = Be ^((~Bi)& Bo ); \
607 Emi0 = Bi ^((~Bo)& Bu ); \
608 Emo0 = Bo ^((~Bu)& Ba ); \
609 Emu0 = Bu ^((~Ba)& Be ); \
610 \
611 Abi0 ^= Di0; \
612 Ba = ROL32(Abi0, 31); \
613 Ago1 ^= Do1; \
614 Be = ROL32(Ago1, 28); \
615 Aku1 ^= Du1; \
616 Bi = ROL32(Aku1, 20); \
617 Ama1 ^= Da1; \
618 Bo = ROL32(Ama1, 21); \
619 Ase0 ^= De0; \
620 Bu = ROL32(Ase0, 1); \
621 Esa0 = Ba ^((~Be)& Bi ); \
622 Ese0 = Be ^((~Bi)& Bo ); \
623 Esi0 = Bi ^((~Bo)& Bu ); \
624 Eso0 = Bo ^((~Bu)& Ba ); \
625 Esu0 = Bu ^((~Ba)& Be ); \
626 \
627 Aba1 ^= Da1; \
628 Ba = Aba1; \
629 Age1 ^= De1; \
630 Be = ROL32(Age1, 22); \
631 Aki0 ^= Di0; \
632 Bi = ROL32(Aki0, 21); \
633 Amo0 ^= Do0; \
634 Bo = ROL32(Amo0, 10); \
635 Asu1 ^= Du1; \
636 Bu = ROL32(Asu1, 7); \
637 Eba1 = Ba ^((~Be)& Bi ); \
638 Eba1 ^= *(pRoundConstants++); \
639 Ebe1 = Be ^((~Bi)& Bo ); \
640 Ebi1 = Bi ^((~Bo)& Bu ); \
641 Ebo1 = Bo ^((~Bu)& Ba ); \
642 Ebu1 = Bu ^((~Ba)& Be ); \
643 \
644 Abo1 ^= Do1; \
645 Ba = ROL32(Abo1, 14); \
646 Agu1 ^= Du1; \
647 Be = ROL32(Agu1, 10); \
648 Aka0 ^= Da0; \
649 Bi = ROL32(Aka0, 1); \
650 Ame0 ^= De0; \
651 Bo = ROL32(Ame0, 22); \
652 Asi0 ^= Di0; \
653 Bu = ROL32(Asi0, 30); \
654 Ega1 = Ba ^((~Be)& Bi ); \
655 Ege1 = Be ^((~Bi)& Bo ); \
656 Egi1 = Bi ^((~Bo)& Bu ); \
657 Ego1 = Bo ^((~Bu)& Ba ); \
658 Egu1 = Bu ^((~Ba)& Be ); \
659 \
660 Abe0 ^= De0; \
661 Ba = Abe0; \
662 Agi1 ^= Di1; \
663 Be = ROL32(Agi1, 3); \
664 Ako0 ^= Do0; \
665 Bi = ROL32(Ako0, 12); \
666 Amu1 ^= Du1; \
667 Bo = ROL32(Amu1, 4); \
668 Asa1 ^= Da1; \
669 Bu = ROL32(Asa1, 9); \
670 Eka1 = Ba ^((~Be)& Bi ); \
671 Eke1 = Be ^((~Bi)& Bo ); \
672 Eki1 = Bi ^((~Bo)& Bu ); \
673 Eko1 = Bo ^((~Bu)& Ba ); \
674 Eku1 = Bu ^((~Ba)& Be ); \
675 \
676 Abu0 ^= Du0; \
677 Ba = ROL32(Abu0, 13); \
678 Aga1 ^= Da1; \
679 Be = ROL32(Aga1, 18); \
680 Ake1 ^= De1; \
681 Bi = ROL32(Ake1, 5); \
682 Ami0 ^= Di0; \
683 Bo = ROL32(Ami0, 7); \
684 Aso1 ^= Do1; \
685 Bu = ROL32(Aso1, 28); \
686 Ema1 = Ba ^((~Be)& Bi ); \
687 Eme1 = Be ^((~Bi)& Bo ); \
688 Emi1 = Bi ^((~Bo)& Bu ); \
689 Emo1 = Bo ^((~Bu)& Ba ); \
690 Emu1 = Bu ^((~Ba)& Be ); \
691 \
692 Abi1 ^= Di1; \
693 Ba = ROL32(Abi1, 31); \
694 Ago0 ^= Do0; \
695 Be = ROL32(Ago0, 27); \
696 Aku0 ^= Du0; \
697 Bi = ROL32(Aku0, 19); \
698 Ama0 ^= Da0; \
699 Bo = ROL32(Ama0, 20); \
700 Ase1 ^= De1; \
701 Bu = ROL32(Ase1, 1); \
702 Esa1 = Ba ^((~Be)& Bi ); \
703 Ese1 = Be ^((~Bi)& Bo ); \
704 Esi1 = Bi ^((~Bo)& Bu ); \
705 Eso1 = Bo ^((~Bu)& Ba ); \
706 Esu1 = Bu ^((~Ba)& Be ); \
707 \
708 Cx = Ebu0^Egu0^Eku0^Emu0^Esu0; \
709 Du1 = Ebe1^Ege1^Eke1^Eme1^Ese1; \
710 Da0 = Cx^ROL32(Du1, 1); \
711 Cz = Ebu1^Egu1^Eku1^Emu1^Esu1; \
712 Du0 = Ebe0^Ege0^Eke0^Eme0^Ese0; \
713 Da1 = Cz^Du0; \
714 \
715 Cw = Ebi0^Egi0^Eki0^Emi0^Esi0; \
716 Do0 = Cw^ROL32(Cz, 1); \
717 Cy = Ebi1^Egi1^Eki1^Emi1^Esi1; \
718 Do1 = Cy^Cx; \
719 \
720 Cx = Eba0^Ega0^Eka0^Ema0^Esa0; \
721 De0 = Cx^ROL32(Cy, 1); \
722 Cz = Eba1^Ega1^Eka1^Ema1^Esa1; \
723 De1 = Cz^Cw; \
724 \
725 Cy = Ebo1^Ego1^Eko1^Emo1^Eso1; \
726 Di0 = Du0^ROL32(Cy, 1); \
727 Cw = Ebo0^Ego0^Eko0^Emo0^Eso0; \
728 Di1 = Du1^Cw; \
729 \
730 Du0 = Cw^ROL32(Cz, 1); \
731 Du1 = Cy^Cx; \
732 \
733 Eba0 ^= Da0; \
734 Ba = Eba0; \
735 Ege0 ^= De0; \
736 Be = ROL32(Ege0, 22); \
737 Eki1 ^= Di1; \
738 Bi = ROL32(Eki1, 22); \
739 Emo1 ^= Do1; \
740 Bo = ROL32(Emo1, 11); \
741 Esu0 ^= Du0; \
742 Bu = ROL32(Esu0, 7); \
743 Aba0 = Ba ^((~Be)& Bi ); \
744 Aba0 ^= *(pRoundConstants++); \
745 Abe0 = Be ^((~Bi)& Bo ); \
746 Abi0 = Bi ^((~Bo)& Bu ); \
747 Abo0 = Bo ^((~Bu)& Ba ); \
748 Abu0 = Bu ^((~Ba)& Be ); \
749 \
750 Ebo0 ^= Do0; \
751 Ba = ROL32(Ebo0, 14); \
752 Egu0 ^= Du0; \
753 Be = ROL32(Egu0, 10); \
754 Eka1 ^= Da1; \
755 Bi = ROL32(Eka1, 2); \
756 Eme1 ^= De1; \
757 Bo = ROL32(Eme1, 23); \
758 Esi1 ^= Di1; \
759 Bu = ROL32(Esi1, 31); \
760 Aga0 = Ba ^((~Be)& Bi ); \
761 Age0 = Be ^((~Bi)& Bo ); \
762 Agi0 = Bi ^((~Bo)& Bu ); \
763 Ago0 = Bo ^((~Bu)& Ba ); \
764 Agu0 = Bu ^((~Ba)& Be ); \
765 \
766 Ebe1 ^= De1; \
767 Ba = ROL32(Ebe1, 1); \
768 Egi0 ^= Di0; \
769 Be = ROL32(Egi0, 3); \
770 Eko1 ^= Do1; \
771 Bi = ROL32(Eko1, 13); \
772 Emu0 ^= Du0; \
773 Bo = ROL32(Emu0, 4); \
774 Esa0 ^= Da0; \
775 Bu = ROL32(Esa0, 9); \
776 Aka0 = Ba ^((~Be)& Bi ); \
777 Ake0 = Be ^((~Bi)& Bo ); \
778 Aki0 = Bi ^((~Bo)& Bu ); \
779 Ako0 = Bo ^((~Bu)& Ba ); \
780 Aku0 = Bu ^((~Ba)& Be ); \
781 \
782 Ebu1 ^= Du1; \
783 Ba = ROL32(Ebu1, 14); \
784 Ega0 ^= Da0; \
785 Be = ROL32(Ega0, 18); \
786 Eke0 ^= De0; \
787 Bi = ROL32(Eke0, 5); \
788 Emi1 ^= Di1; \
789 Bo = ROL32(Emi1, 8); \
790 Eso0 ^= Do0; \
791 Bu = ROL32(Eso0, 28); \
792 Ama0 = Ba ^((~Be)& Bi ); \
793 Ame0 = Be ^((~Bi)& Bo ); \
794 Ami0 = Bi ^((~Bo)& Bu ); \
795 Amo0 = Bo ^((~Bu)& Ba ); \
796 Amu0 = Bu ^((~Ba)& Be ); \
797 \
798 Ebi0 ^= Di0; \
799 Ba = ROL32(Ebi0, 31); \
800 Ego1 ^= Do1; \
801 Be = ROL32(Ego1, 28); \
802 Eku1 ^= Du1; \
803 Bi = ROL32(Eku1, 20); \
804 Ema1 ^= Da1; \
805 Bo = ROL32(Ema1, 21); \
806 Ese0 ^= De0; \
807 Bu = ROL32(Ese0, 1); \
808 Asa0 = Ba ^((~Be)& Bi ); \
809 Ase0 = Be ^((~Bi)& Bo ); \
810 Asi0 = Bi ^((~Bo)& Bu ); \
811 Aso0 = Bo ^((~Bu)& Ba ); \
812 Asu0 = Bu ^((~Ba)& Be ); \
813 \
814 Eba1 ^= Da1; \
815 Ba = Eba1; \
816 Ege1 ^= De1; \
817 Be = ROL32(Ege1, 22); \
818 Eki0 ^= Di0; \
819 Bi = ROL32(Eki0, 21); \
820 Emo0 ^= Do0; \
821 Bo = ROL32(Emo0, 10); \
822 Esu1 ^= Du1; \
823 Bu = ROL32(Esu1, 7); \
824 Aba1 = Ba ^((~Be)& Bi ); \
825 Aba1 ^= *(pRoundConstants++); \
826 Abe1 = Be ^((~Bi)& Bo ); \
827 Abi1 = Bi ^((~Bo)& Bu ); \
828 Abo1 = Bo ^((~Bu)& Ba ); \
829 Abu1 = Bu ^((~Ba)& Be ); \
830 \
831 Ebo1 ^= Do1; \
832 Ba = ROL32(Ebo1, 14); \
833 Egu1 ^= Du1; \
834 Be = ROL32(Egu1, 10); \
835 Eka0 ^= Da0; \
836 Bi = ROL32(Eka0, 1); \
837 Eme0 ^= De0; \
838 Bo = ROL32(Eme0, 22); \
839 Esi0 ^= Di0; \
840 Bu = ROL32(Esi0, 30); \
841 Aga1 = Ba ^((~Be)& Bi ); \
842 Age1 = Be ^((~Bi)& Bo ); \
843 Agi1 = Bi ^((~Bo)& Bu ); \
844 Ago1 = Bo ^((~Bu)& Ba ); \
845 Agu1 = Bu ^((~Ba)& Be ); \
846 \
847 Ebe0 ^= De0; \
848 Ba = Ebe0; \
849 Egi1 ^= Di1; \
850 Be = ROL32(Egi1, 3); \
851 Eko0 ^= Do0; \
852 Bi = ROL32(Eko0, 12); \
853 Emu1 ^= Du1; \
854 Bo = ROL32(Emu1, 4); \
855 Esa1 ^= Da1; \
856 Bu = ROL32(Esa1, 9); \
857 Aka1 = Ba ^((~Be)& Bi ); \
858 Ake1 = Be ^((~Bi)& Bo ); \
859 Aki1 = Bi ^((~Bo)& Bu ); \
860 Ako1 = Bo ^((~Bu)& Ba ); \
861 Aku1 = Bu ^((~Ba)& Be ); \
862 \
863 Ebu0 ^= Du0; \
864 Ba = ROL32(Ebu0, 13); \
865 Ega1 ^= Da1; \
866 Be = ROL32(Ega1, 18); \
867 Eke1 ^= De1; \
868 Bi = ROL32(Eke1, 5); \
869 Emi0 ^= Di0; \
870 Bo = ROL32(Emi0, 7); \
871 Eso1 ^= Do1; \
872 Bu = ROL32(Eso1, 28); \
873 Ama1 = Ba ^((~Be)& Bi ); \
874 Ame1 = Be ^((~Bi)& Bo ); \
875 Ami1 = Bi ^((~Bo)& Bu ); \
876 Amo1 = Bo ^((~Bu)& Ba ); \
877 Amu1 = Bu ^((~Ba)& Be ); \
878 \
879 Ebi1 ^= Di1; \
880 Ba = ROL32(Ebi1, 31); \
881 Ego0 ^= Do0; \
882 Be = ROL32(Ego0, 27); \
883 Eku0 ^= Du0; \
884 Bi = ROL32(Eku0, 19); \
885 Ema0 ^= Da0; \
886 Bo = ROL32(Ema0, 20); \
887 Ese1 ^= De1; \
888 Bu = ROL32(Ese1, 1); \
889 Asa1 = Ba ^((~Be)& Bi ); \
890 Ase1 = Be ^((~Bi)& Bo ); \
891 Asi1 = Bi ^((~Bo)& Bu ); \
892 Aso1 = Bo ^((~Bu)& Ba ); \
893 Asu1 = Bu ^((~Ba)& Be ); \
894 } \
895 copyToState(state, A) \
896 }
897
898 #define copyFromState(X, state) \
899 X##ba0 = state[ 0]; \
900 X##ba1 = state[ 1]; \
901 X##be0 = state[ 2]; \
902 X##be1 = state[ 3]; \
903 X##bi0 = state[ 4]; \
904 X##bi1 = state[ 5]; \
905 X##bo0 = state[ 6]; \
906 X##bo1 = state[ 7]; \
907 X##bu0 = state[ 8]; \
908 X##bu1 = state[ 9]; \
909 X##ga0 = state[10]; \
910 X##ga1 = state[11]; \
911 X##ge0 = state[12]; \
912 X##ge1 = state[13]; \
913 X##gi0 = state[14]; \
914 X##gi1 = state[15]; \
915 X##go0 = state[16]; \
916 X##go1 = state[17]; \
917 X##gu0 = state[18]; \
918 X##gu1 = state[19]; \
919 X##ka0 = state[20]; \
920 X##ka1 = state[21]; \
921 X##ke0 = state[22]; \
922 X##ke1 = state[23]; \
923 X##ki0 = state[24]; \
924 X##ki1 = state[25]; \
925 X##ko0 = state[26]; \
926 X##ko1 = state[27]; \
927 X##ku0 = state[28]; \
928 X##ku1 = state[29]; \
929 X##ma0 = state[30]; \
930 X##ma1 = state[31]; \
931 X##me0 = state[32]; \
932 X##me1 = state[33]; \
933 X##mi0 = state[34]; \
934 X##mi1 = state[35]; \
935 X##mo0 = state[36]; \
936 X##mo1 = state[37]; \
937 X##mu0 = state[38]; \
938 X##mu1 = state[39]; \
939 X##sa0 = state[40]; \
940 X##sa1 = state[41]; \
941 X##se0 = state[42]; \
942 X##se1 = state[43]; \
943 X##si0 = state[44]; \
944 X##si1 = state[45]; \
945 X##so0 = state[46]; \
946 X##so1 = state[47]; \
947 X##su0 = state[48]; \
948 X##su1 = state[49]; \
949
950 #define copyToState(state, X) \
951 state[ 0] = X##ba0; \
952 state[ 1] = X##ba1; \
953 state[ 2] = X##be0; \
954 state[ 3] = X##be1; \
955 state[ 4] = X##bi0; \
956 state[ 5] = X##bi1; \
957 state[ 6] = X##bo0; \
958 state[ 7] = X##bo1; \
959 state[ 8] = X##bu0; \
960 state[ 9] = X##bu1; \
961 state[10] = X##ga0; \
962 state[11] = X##ga1; \
963 state[12] = X##ge0; \
964 state[13] = X##ge1; \
965 state[14] = X##gi0; \
966 state[15] = X##gi1; \
967 state[16] = X##go0; \
968 state[17] = X##go1; \
969 state[18] = X##gu0; \
970 state[19] = X##gu1; \
971 state[20] = X##ka0; \
972 state[21] = X##ka1; \
973 state[22] = X##ke0; \
974 state[23] = X##ke1; \
975 state[24] = X##ki0; \
976 state[25] = X##ki1; \
977 state[26] = X##ko0; \
978 state[27] = X##ko1; \
979 state[28] = X##ku0; \
980 state[29] = X##ku1; \
981 state[30] = X##ma0; \
982 state[31] = X##ma1; \
983 state[32] = X##me0; \
984 state[33] = X##me1; \
985 state[34] = X##mi0; \
986 state[35] = X##mi1; \
987 state[36] = X##mo0; \
988 state[37] = X##mo1; \
989 state[38] = X##mu0; \
990 state[39] = X##mu1; \
991 state[40] = X##sa0; \
992 state[41] = X##sa1; \
993 state[42] = X##se0; \
994 state[43] = X##se1; \
995 state[44] = X##si0; \
996 state[45] = X##si1; \
997 state[46] = X##so0; \
998 state[47] = X##so1; \
999 state[48] = X##su0; \
1000 state[49] = X##su1; \
1001
1002
1003 // ================================================================================
1004 // =================== KeccakF-1600-32.macros
1005 // ================================================================================
1006
1007 /*
1008 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
1009 Michaël Peeters and Gilles Van Assche. For more information, feedback or
1010 questions, please refer to our website: http://keccak.noekeon.org/
1011
1012 Implementation by the designers,
1013 hereby denoted as "the implementer".
1014
1015 To the extent possible under law, the implementer has waived all copyright
1016 and related or neighboring rights to the source code in this file.
1017 http://creativecommons.org/publicdomain/zero/1.0/
1018 */
1019
1020 #ifdef UseSchedule
1021 #if (UseSchedule == 1)
1022 #include "KeccakF-1600-32-s1.macros"
1023 #elif (UseSchedule == 2)
1024 #include "KeccakF-1600-32-s2.macros"
1025 #elif (UseSchedule == 3)
1026 //#include "KeccakF-1600-32-rvk.macros"
1027 #else
1028 #error "This schedule is not supported."
1029 #endif
1030 #else
1031 #include "KeccakF-1600-32-s1.macros"
1032 #endif
1033
1034 // ================================================================================
1035 // =================== KeccakF-1600-opt32.c
1036 // ================================================================================
1037
1038
1039 /*
1040 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
1041 Michaël Peeters and Gilles Van Assche. For more information, feedback or
1042 questions, please refer to our website: http://keccak.noekeon.org/
1043
1044 Implementation by the designers,
1045 hereby denoted as "the implementer".
1046
1047 To the extent possible under law, the implementer has waived all copyright
1048 and related or neighboring rights to the source code in this file.
1049 http://creativecommons.org/publicdomain/zero/1.0/
1050 */
1051
1052 #include <string.h>
1053 //#include "brg_endian.h"
1054 //#include "KeccakF-1600-opt32-settings.h"
1055 //#include "KeccakF-1600-interface.h"
1056
1057
1058
1059 #ifdef UseInterleaveTables
1060 int interleaveTablesBuilt = 0;
1061 UINT16 interleaveTable[65536];
1062 UINT16 deinterleaveTable[65536];
1063
1064 void buildInterleaveTables()
1065 {
1066 UINT32 i, j;
1067 UINT16 x;
1068
1069 if (!interleaveTablesBuilt) {
1070 for(i=0; i<65536; i++) {
1071 x = 0;
1072 for(j=0; j<16; j++) {
1073 if (i & (1 << j))
1074 x |= (1 << (j/2 + 8*(j%2)));
1075 }
1076 interleaveTable[i] = x;
1077 deinterleaveTable[x] = (UINT16)i;
1078 }
1079 interleaveTablesBuilt = 1;
1080 }
1081 }
1082
1083 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
1084
1085 #define xor2bytesIntoInterleavedWords(even, odd, source, j) \
1086 i##j = interleaveTable[((const UINT16*)source)[j]]; \
1087 ((UINT8*)even)[j] ^= i##j & 0xFF; \
1088 ((UINT8*)odd)[j] ^= i##j >> 8;
1089
1090 #define setInterleavedWordsInto2bytes(dest, even, odd, j) \
1091 d##j = deinterleaveTable[((even >> (j*8)) & 0xFF) ^ (((odd >> (j*8)) & 0xFF) << 8)]; \
1092 ((UINT16*)dest)[j] = d##j;
1093
1094 #else // (PLATFORM_BYTE_ORDER == IS_BIG_ENDIAN)
1095
1096 #define xor2bytesIntoInterleavedWords(even, odd, source, j) \
1097 i##j = interleaveTable[source[2*j] ^ ((UINT16)source[2*j+1] << 8)]; \
1098 *even ^= (i##j & 0xFF) << (j*8); \
1099 *odd ^= ((i##j >> 8) & 0xFF) << (j*8);
1100
1101 #define setInterleavedWordsInto2bytes(dest, even, odd, j) \
1102 d##j = deinterleaveTable[((even >> (j*8)) & 0xFF) ^ (((odd >> (j*8)) & 0xFF) << 8)]; \
1103 dest[2*j] = d##j & 0xFF; \
1104 dest[2*j+1] = d##j >> 8;
1105
1106 #endif // Endianness
1107
1108 void xor8bytesIntoInterleavedWords(UINT32 *even, UINT32 *odd, const UINT8* source)
1109 {
1110 UINT16 i0, i1, i2, i3;
1111
1112 xor2bytesIntoInterleavedWords(even, odd, source, 0)
1113 xor2bytesIntoInterleavedWords(even, odd, source, 1)
1114 xor2bytesIntoInterleavedWords(even, odd, source, 2)
1115 xor2bytesIntoInterleavedWords(even, odd, source, 3)
1116 }
1117
1118 #define xorLanesIntoState(laneCount, state, input) \
1119 { \
1120 int i; \
1121 for(i=0; i<(laneCount); i++) \
1122 xor8bytesIntoInterleavedWords(state+i*2, state+i*2+1, input+i*8); \
1123 }
1124
1125 void setInterleavedWordsInto8bytes(UINT8* dest, UINT32 even, UINT32 odd)
1126 {
1127 UINT16 d0, d1, d2, d3;
1128
1129 setInterleavedWordsInto2bytes(dest, even, odd, 0)
1130 setInterleavedWordsInto2bytes(dest, even, odd, 1)
1131 setInterleavedWordsInto2bytes(dest, even, odd, 2)
1132 setInterleavedWordsInto2bytes(dest, even, odd, 3)
1133 }
1134
1135 #define extractLanes(laneCount, state, data) \
1136 { \
1137 int i; \
1138 for(i=0; i<(laneCount); i++) \
1139 setInterleavedWordsInto8bytes(data+i*8, ((UINT32*)state)[i*2], ((UINT32*)state)[i*2+1]); \
1140 }
1141
1142 #else // No interleaving tables
1143
1144 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
1145
1146 // Credit: Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002
1147 #define xorInterleavedLE(rateInLanes, state, input) \
1148 { \
1149 const UINT32 * pI = (const UINT32 *)input; \
1150 UINT32 * pS = state; \
1151 UINT32 t, x0, x1; \
1152 int i; \
1153 for (i = (rateInLanes)-1; i >= 0; --i) \
1154 { \
1155 x0 = *(pI++); \
1156 t = (x0 ^ (x0 >> 1)) & 0x22222222UL; x0 = x0 ^ t ^ (t << 1); \
1157 t = (x0 ^ (x0 >> 2)) & 0x0C0C0C0CUL; x0 = x0 ^ t ^ (t << 2); \
1158 t = (x0 ^ (x0 >> 4)) & 0x00F000F0UL; x0 = x0 ^ t ^ (t << 4); \
1159 t = (x0 ^ (x0 >> 8)) & 0x0000FF00UL; x0 = x0 ^ t ^ (t << 8); \
1160 x1 = *(pI++); \
1161 t = (x1 ^ (x1 >> 1)) & 0x22222222UL; x1 = x1 ^ t ^ (t << 1); \
1162 t = (x1 ^ (x1 >> 2)) & 0x0C0C0C0CUL; x1 = x1 ^ t ^ (t << 2); \
1163 t = (x1 ^ (x1 >> 4)) & 0x00F000F0UL; x1 = x1 ^ t ^ (t << 4); \
1164 t = (x1 ^ (x1 >> 8)) & 0x0000FF00UL; x1 = x1 ^ t ^ (t << 8); \
1165 *(pS++) ^= (UINT16)x0 | (x1 << 16); \
1166 *(pS++) ^= (x0 >> 16) | (x1 & 0xFFFF0000); \
1167 } \
1168 }
1169
1170 #define xorLanesIntoState(laneCount, state, input) \
1171 xorInterleavedLE(laneCount, state, input)
1172
1173 #else // (PLATFORM_BYTE_ORDER == IS_BIG_ENDIAN)
1174
1175 // Credit: Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002
1176 UINT64 toInterleaving(UINT64 x)
1177 {
1178 UINT64 t;
1179
1180 t = (x ^ (x >> 1)) & 0x2222222222222222ULL; x = x ^ t ^ (t << 1);
1181 t = (x ^ (x >> 2)) & 0x0C0C0C0C0C0C0C0CULL; x = x ^ t ^ (t << 2);
1182 t = (x ^ (x >> 4)) & 0x00F000F000F000F0ULL; x = x ^ t ^ (t << 4);
1183 t = (x ^ (x >> 8)) & 0x0000FF000000FF00ULL; x = x ^ t ^ (t << 8);
1184 t = (x ^ (x >> 16)) & 0x00000000FFFF0000ULL; x = x ^ t ^ (t << 16);
1185
1186 return x;
1187 }
1188
1189 void xor8bytesIntoInterleavedWords(UINT32* evenAndOdd, const UINT8* source)
1190 {
1191 // This can be optimized
1192 UINT64 sourceWord =
1193 (UINT64)source[0]
1194 ^ (((UINT64)source[1]) << 8)
1195 ^ (((UINT64)source[2]) << 16)
1196 ^ (((UINT64)source[3]) << 24)
1197 ^ (((UINT64)source[4]) << 32)
1198 ^ (((UINT64)source[5]) << 40)
1199 ^ (((UINT64)source[6]) << 48)
1200 ^ (((UINT64)source[7]) << 56);
1201 UINT64 evenAndOddWord = toInterleaving(sourceWord);
1202 evenAndOdd[0] ^= (UINT32)evenAndOddWord;
1203 evenAndOdd[1] ^= (UINT32)(evenAndOddWord >> 32);
1204 }
1205
1206 #define xorLanesIntoState(laneCount, state, input) \
1207 { \
1208 int i; \
1209 for(i=0; i<(laneCount); i++) \
1210 xor8bytesIntoInterleavedWords(state+i*2, input+i*8); \
1211 }
1212
1213 #endif // Endianness
1214
1215 // Credit: Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002
1216 UINT64 fromInterleaving(UINT64 x)
1217 {
1218 UINT64 t;
1219
1220 t = (x ^ (x >> 16)) & 0x00000000FFFF0000ULL; x = x ^ t ^ (t << 16);
1221 t = (x ^ (x >> 8)) & 0x0000FF000000FF00ULL; x = x ^ t ^ (t << 8);
1222 t = (x ^ (x >> 4)) & 0x00F000F000F000F0ULL; x = x ^ t ^ (t << 4);
1223 t = (x ^ (x >> 2)) & 0x0C0C0C0C0C0C0C0CULL; x = x ^ t ^ (t << 2);
1224 t = (x ^ (x >> 1)) & 0x2222222222222222ULL; x = x ^ t ^ (t << 1);
1225
1226 return x;
1227 }
1228
1229 void setInterleavedWordsInto8bytes(UINT8* dest, UINT32* evenAndOdd)
1230 {
1231 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
1232 ((UINT64*)dest)[0] = fromInterleaving(*(UINT64*)evenAndOdd);
1233 #else // (PLATFORM_BYTE_ORDER == IS_BIG_ENDIAN)
1234 // This can be optimized
1235 UINT64 evenAndOddWord = (UINT64)evenAndOdd[0] ^ ((UINT64)evenAndOdd[1] << 32);
1236 UINT64 destWord = fromInterleaving(evenAndOddWord);
1237 dest[0] = destWord & 0xFF;
1238 dest[1] = (destWord >> 8) & 0xFF;
1239 dest[2] = (destWord >> 16) & 0xFF;
1240 dest[3] = (destWord >> 24) & 0xFF;
1241 dest[4] = (destWord >> 32) & 0xFF;
1242 dest[5] = (destWord >> 40) & 0xFF;
1243 dest[6] = (destWord >> 48) & 0xFF;
1244 dest[7] = (destWord >> 56) & 0xFF;
1245 #endif // Endianness
1246 }
1247
1248 #define extractLanes(laneCount, state, data) \
1249 { \
1250 int i; \
1251 for(i=0; i<(laneCount); i++) \
1252 setInterleavedWordsInto8bytes(data+i*8, (UINT32*)state+i*2); \
1253 }
1254
1255 #endif // With or without interleaving tables
1256
1257 #if defined(_MSC_VER)
1258 #define ROL32(a, offset) _rotl(a, offset)
1259 #elif (defined (__arm__) && defined(__ARMCC_VERSION))
1260 #define ROL32(a, offset) __ror(a, 32-(offset))
1261 #else
1262 #define ROL32(a, offset) ((((UINT32)a) << (offset)) ^ (((UINT32)a) >> (32-(offset))))
1263 #endif
1264
1265 //#include "KeccakF-1600-unrolling.macros"
1266 //#include "KeccakF-1600-32.macros"
1267
1268 #if (UseSchedule == 3)
1269
1270 #ifdef UseBebigokimisa
1271 #error "No lane complementing with schedule 3."
1272 #endif
1273
1274 #if (Unrolling != 2)
1275 #error "Only unrolling 2 is supported by schedule 3."
1276 #endif
1277
1278 void KeccakPermutationOnWords(UINT32 *state)
1279 {
1280 rounds
1281 }
1282
1283 void KeccakPermutationOnWordsAfterXoring(UINT32 *state, const UINT8 *input, unsigned int laneCount)
1284 {
1285 xorLanesIntoState(laneCount, state, input)
1286 rounds
1287 }
1288
1289 #ifdef ProvideFast576
1290 void KeccakPermutationOnWordsAfterXoring576bits(UINT32 *state, const UINT8 *input)
1291 {
1292 xorLanesIntoState(9, state, input)
1293 rounds
1294 }
1295 #endif
1296
1297 #ifdef ProvideFast832
1298 void KeccakPermutationOnWordsAfterXoring832bits(UINT32 *state, const UINT8 *input)
1299 {
1300 xorLanesIntoState(13, state, input)
1301 rounds
1302 }
1303 #endif
1304
1305 #ifdef ProvideFast1024
1306 void KeccakPermutationOnWordsAfterXoring1024bits(UINT32 *state, const UINT8 *input)
1307 {
1308 xorLanesIntoState(16, state, input)
1309 rounds
1310 }
1311 #endif
1312
1313 #ifdef ProvideFast1088
1314 void KeccakPermutationOnWordsAfterXoring1088bits(UINT32 *state, const UINT8 *input)
1315 {
1316 xorLanesIntoState(17, state, input)
1317 rounds
1318 }
1319 #endif
1320
1321 #ifdef ProvideFast1152
1322 void KeccakPermutationOnWordsAfterXoring1152bits(UINT32 *state, const UINT8 *input)
1323 {
1324 xorLanesIntoState(18, state, input)
1325 rounds
1326 }
1327 #endif
1328
1329 #ifdef ProvideFast1344
1330 void KeccakPermutationOnWordsAfterXoring1344bits(UINT32 *state, const UINT8 *input)
1331 {
1332 xorLanesIntoState(21, state, input)
1333 rounds
1334 }
1335 #endif
1336
1337 #else // (Schedule != 3)
1338
1339 void KeccakPermutationOnWords(UINT32 *state)
1340 {
1341 declareABCDE
1342 #if (Unrolling != 24)
1343 unsigned int i;
1344 #endif
1345
1346 copyFromState(A, state)
1347 rounds
1348 }
1349
1350 void KeccakPermutationOnWordsAfterXoring(UINT32 *state, const UINT8 *input, unsigned int laneCount)
1351 {
1352 declareABCDE
1353 unsigned int i;
1354
1355 xorLanesIntoState(laneCount, state, input)
1356 copyFromState(A, state)
1357 rounds
1358 }
1359
1360 #ifdef ProvideFast576
1361 void KeccakPermutationOnWordsAfterXoring576bits(UINT32 *state, const UINT8 *input)
1362 {
1363 declareABCDE
1364 unsigned int i;
1365
1366 xorLanesIntoState(9, state, input)
1367 copyFromState(A, state)
1368 rounds
1369 }
1370 #endif
1371
1372 #ifdef ProvideFast832
1373 void KeccakPermutationOnWordsAfterXoring832bits(UINT32 *state, const UINT8 *input)
1374 {
1375 declareABCDE
1376 unsigned int i;
1377
1378 xorLanesIntoState(13, state, input)
1379 copyFromState(A, state)
1380 rounds
1381 }
1382 #endif
1383
1384 #ifdef ProvideFast1024
1385 void KeccakPermutationOnWordsAfterXoring1024bits(UINT32 *state, const UINT8 *input)
1386 {
1387 declareABCDE
1388 unsigned int i;
1389
1390 xorLanesIntoState(16, state, input)
1391 copyFromState(A, state)
1392 rounds
1393 }
1394 #endif
1395
1396 #ifdef ProvideFast1088
1397 void KeccakPermutationOnWordsAfterXoring1088bits(UINT32 *state, const UINT8 *input)
1398 {
1399 declareABCDE
1400 unsigned int i;
1401
1402 xorLanesIntoState(17, state, input)
1403 copyFromState(A, state)
1404 rounds
1405 }
1406 #endif
1407
1408 #ifdef ProvideFast1152
1409 void KeccakPermutationOnWordsAfterXoring1152bits(UINT32 *state, const UINT8 *input)
1410 {
1411 declareABCDE
1412 unsigned int i;
1413
1414 xorLanesIntoState(18, state, input)
1415 copyFromState(A, state)
1416 rounds
1417 }
1418 #endif
1419
1420 #ifdef ProvideFast1344
1421 void KeccakPermutationOnWordsAfterXoring1344bits(UINT32 *state, const UINT8 *input)
1422 {
1423 declareABCDE
1424 unsigned int i;
1425
1426 xorLanesIntoState(21, state, input)
1427 copyFromState(A, state)
1428 rounds
1429 }
1430 #endif
1431
1432 #endif
1433
1434 void KeccakInitialize()
1435 {
1436 #ifdef UseInterleaveTables
1437 buildInterleaveTables();
1438 #endif
1439 }
1440
1441 void KeccakInitializeState(unsigned char *state)
1442 {
1443 memset(state, 0, 200);
1444 #ifdef UseBebigokimisa
1445 ((UINT32*)state)[ 2] = ~(UINT32)0;
1446 ((UINT32*)state)[ 3] = ~(UINT32)0;
1447 ((UINT32*)state)[ 4] = ~(UINT32)0;
1448 ((UINT32*)state)[ 5] = ~(UINT32)0;
1449 ((UINT32*)state)[16] = ~(UINT32)0;
1450 ((UINT32*)state)[17] = ~(UINT32)0;
1451 ((UINT32*)state)[24] = ~(UINT32)0;
1452 ((UINT32*)state)[25] = ~(UINT32)0;
1453 ((UINT32*)state)[34] = ~(UINT32)0;
1454 ((UINT32*)state)[35] = ~(UINT32)0;
1455 ((UINT32*)state)[40] = ~(UINT32)0;
1456 ((UINT32*)state)[41] = ~(UINT32)0;
1457 #endif
1458 }
1459
1460 void KeccakPermutation(unsigned char *state)
1461 {
1462 // We assume the state is always stored as interleaved 32-bit words
1463 KeccakPermutationOnWords((UINT32*)state);
1464 }
1465
1466 #ifdef ProvideFast576
1467 void KeccakAbsorb576bits(unsigned char *state, const unsigned char *data)
1468 {
1469 KeccakPermutationOnWordsAfterXoring576bits((UINT32*)state, data);
1470 }
1471 #endif
1472
1473 #ifdef ProvideFast832
1474 void KeccakAbsorb832bits(unsigned char *state, const unsigned char *data)
1475 {
1476 KeccakPermutationOnWordsAfterXoring832bits((UINT32*)state, data);
1477 }
1478 #endif
1479
1480 #ifdef ProvideFast1024
1481 void KeccakAbsorb1024bits(unsigned char *state, const unsigned char *data)
1482 {
1483 KeccakPermutationOnWordsAfterXoring1024bits((UINT32*)state, data);
1484 }
1485 #endif
1486
1487 #ifdef ProvideFast1088
1488 void KeccakAbsorb1088bits(unsigned char *state, const unsigned char *data)
1489 {
1490 KeccakPermutationOnWordsAfterXoring1088bits((UINT32*)state, data);
1491 }
1492 #endif
1493
1494 #ifdef ProvideFast1152
1495 void KeccakAbsorb1152bits(unsigned char *state, const unsigned char *data)
1496 {
1497 KeccakPermutationOnWordsAfterXoring1152bits((UINT32*)state, data);
1498 }
1499 #endif
1500
1501 #ifdef ProvideFast1344
1502 void KeccakAbsorb1344bits(unsigned char *state, const unsigned char *data)
1503 {
1504 KeccakPermutationOnWordsAfterXoring1344bits((UINT32*)state, data);
1505 }
1506 #endif
1507
1508 void KeccakAbsorb(unsigned char *state, const unsigned char *data, unsigned int laneCount)
1509 {
1510 KeccakPermutationOnWordsAfterXoring((UINT32*)state, data, laneCount);
1511 }
1512
1513 #ifdef ProvideFast1024
1514 void KeccakExtract1024bits(const unsigned char *state, unsigned char *data)
1515 {
1516 extractLanes(16, state, data)
1517 #ifdef UseBebigokimisa
1518 ((UINT32*)data)[ 2] = ~((UINT32*)data)[ 2];
1519 ((UINT32*)data)[ 3] = ~((UINT32*)data)[ 3];
1520 ((UINT32*)data)[ 4] = ~((UINT32*)data)[ 4];
1521 ((UINT32*)data)[ 5] = ~((UINT32*)data)[ 5];
1522 ((UINT32*)data)[16] = ~((UINT32*)data)[16];
1523 ((UINT32*)data)[17] = ~((UINT32*)data)[17];
1524 ((UINT32*)data)[24] = ~((UINT32*)data)[24];
1525 ((UINT32*)data)[25] = ~((UINT32*)data)[25];
1526 #endif
1527 }
1528 #endif
1529
1530 void KeccakExtract(const unsigned char *state, unsigned char *data, unsigned int laneCount)
1531 {
1532 extractLanes((int)laneCount, state, data)
1533 #ifdef UseBebigokimisa
1534 if (laneCount > 1) {
1535 ((UINT32*)data)[ 2] = ~((UINT32*)data)[ 2];
1536 ((UINT32*)data)[ 3] = ~((UINT32*)data)[ 3];
1537 if (laneCount > 2) {
1538 ((UINT32*)data)[ 4] = ~((UINT32*)data)[ 4];
1539 ((UINT32*)data)[ 5] = ~((UINT32*)data)[ 5];
1540 if (laneCount > 8) {
1541 ((UINT32*)data)[16] = ~((UINT32*)data)[16];
1542 ((UINT32*)data)[17] = ~((UINT32*)data)[17];
1543 if (laneCount > 12) {
1544 ((UINT32*)data)[24] = ~((UINT32*)data)[24];
1545 ((UINT32*)data)[25] = ~((UINT32*)data)[25];
1546 if (laneCount > 17) {
1547 ((UINT32*)data)[34] = ~((UINT32*)data)[34];
1548 ((UINT32*)data)[35] = ~((UINT32*)data)[35];
1549 if (laneCount > 20) {
1550 ((UINT32*)data)[40] = ~((UINT32*)data)[40];
1551 ((UINT32*)data)[41] = ~((UINT32*)data)[41];
1552 }
1553 }
1554 }
1555 }
1556 }
1557 }
1558 #endif
1559 }
1560
1561
1562 // ================================================================================
1563 // =================== KeccakSponge.c
1564 // ================================================================================
1565
1566
1567 /*
1568 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
1569 Michaël Peeters and Gilles Van Assche. For more information, feedback or
1570 questions, please refer to our website: http://keccak.noekeon.org/
1571
1572 Implementation by the designers,
1573 hereby denoted as "the implementer".
1574
1575 To the extent possible under law, the implementer has waived all copyright
1576 and related or neighboring rights to the source code in this file.
1577 http://creativecommons.org/publicdomain/zero/1.0/
1578 */
1579
1580 #include <string.h>
1581 //#include "KeccakSponge.h"
1582 //#include "KeccakF-1600-interface.h"
1583 #ifdef KeccakReference
1584 //#include "displayIntermediateValues.h"
1585 #endif
1586
1587 int InitSponge(spongeState *state, unsigned int rate, unsigned int capacity)
1588 {
1589 if (rate+capacity != 1600)
1590 return 1;
1591 if ((rate <= 0) || (rate >= 1600) || ((rate % 64) != 0))
1592 return 1;
1593 KeccakInitialize();
1594 state->rate = rate;
1595 state->capacity = capacity;
1596 state->fixedOutputLength = 0;
1597 KeccakInitializeState(state->state);
1598 memset(state->dataQueue, 0, KeccakMaximumRateInBytes);
1599 state->bitsInQueue = 0;
1600 state->squeezing = 0;
1601 state->bitsAvailableForSqueezing = 0;
1602
1603 return 0;
1604 }
1605
1606 void AbsorbQueue(spongeState *state)
1607 {
1608 // state->bitsInQueue is assumed to be equal to state->rate
1609 #ifdef KeccakReference
1610 displayBytes(1, "Block to be absorbed", state->dataQueue, state->rate/8);
1611 #endif
1612 #ifdef ProvideFast576
1613 if (state->rate == 576)
1614 KeccakAbsorb576bits(state->state, state->dataQueue);
1615 else
1616 #endif
1617 #ifdef ProvideFast832
1618 if (state->rate == 832)
1619 KeccakAbsorb832bits(state->state, state->dataQueue);
1620 else
1621 #endif
1622 #ifdef ProvideFast1024
1623 if (state->rate == 1024)
1624 KeccakAbsorb1024bits(state->state, state->dataQueue);
1625 else
1626 #endif
1627 #ifdef ProvideFast1088
1628 if (state->rate == 1088)
1629 KeccakAbsorb1088bits(state->state, state->dataQueue);
1630 else
1631 #endif
1632 #ifdef ProvideFast1152
1633 if (state->rate == 1152)
1634 KeccakAbsorb1152bits(state->state, state->dataQueue);
1635 else
1636 #endif
1637 #ifdef ProvideFast1344
1638 if (state->rate == 1344)
1639 KeccakAbsorb1344bits(state->state, state->dataQueue);
1640 else
1641 #endif
1642 KeccakAbsorb(state->state, state->dataQueue, state->rate/64);
1643 state->bitsInQueue = 0;
1644 }
1645
1646 int Absorb(spongeState *state, const unsigned char *data, unsigned long long databitlen)
1647 {
1648 unsigned long long i, j, wholeBlocks;
1649 unsigned int partialBlock, partialByte;
1650 const unsigned char *curData;
1651
1652 if ((state->bitsInQueue % 8) != 0)
1653 return 1; // Only the last call may contain a partial byte
1654 if (state->squeezing)
1655 return 1; // Too late for additional input
1656
1657 i = 0;
1658 while(i < databitlen) {
1659 if ((state->bitsInQueue == 0) && (databitlen >= state->rate) && (i <= (databitlen-state->rate))) {
1660 wholeBlocks = (databitlen-i)/state->rate;
1661 curData = data+i/8;
1662 #ifdef ProvideFast576
1663 if (state->rate == 576) {
1664 for(j=0; j<wholeBlocks; j++, curData+=576/8) {
1665 #ifdef KeccakReference
1666 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1667 #endif
1668 KeccakAbsorb576bits(state->state, curData);
1669 }
1670 }
1671 else
1672 #endif
1673 #ifdef ProvideFast832
1674 if (state->rate == 832) {
1675 for(j=0; j<wholeBlocks; j++, curData+=832/8) {
1676 #ifdef KeccakReference
1677 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1678 #endif
1679 KeccakAbsorb832bits(state->state, curData);
1680 }
1681 }
1682 else
1683 #endif
1684 #ifdef ProvideFast1024
1685 if (state->rate == 1024) {
1686 for(j=0; j<wholeBlocks; j++, curData+=1024/8) {
1687 #ifdef KeccakReference
1688 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1689 #endif
1690 KeccakAbsorb1024bits(state->state, curData);
1691 }
1692 }
1693 else
1694 #endif
1695 #ifdef ProvideFast1088
1696 if (state->rate == 1088) {
1697 for(j=0; j<wholeBlocks; j++, curData+=1088/8) {
1698 #ifdef KeccakReference
1699 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1700 #endif
1701 KeccakAbsorb1088bits(state->state, curData);
1702 }
1703 }
1704 else
1705 #endif
1706 #ifdef ProvideFast1152
1707 if (state->rate == 1152) {
1708 for(j=0; j<wholeBlocks; j++, curData+=1152/8) {
1709 #ifdef KeccakReference
1710 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1711 #endif
1712 KeccakAbsorb1152bits(state->state, curData);
1713 }
1714 }
1715 else
1716 #endif
1717 #ifdef ProvideFast1344
1718 if (state->rate == 1344) {
1719 for(j=0; j<wholeBlocks; j++, curData+=1344/8) {
1720 #ifdef KeccakReference
1721 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1722 #endif
1723 KeccakAbsorb1344bits(state->state, curData);
1724 }
1725 }
1726 else
1727 #endif
1728 {
1729 for(j=0; j<wholeBlocks; j++, curData+=state->rate/8) {
1730 #ifdef KeccakReference
1731 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1732 #endif
1733 KeccakAbsorb(state->state, curData, state->rate/64);
1734 }
1735 }
1736 i += wholeBlocks*state->rate;
1737 }
1738 else {
1739 partialBlock = (unsigned int)(databitlen - i);
1740 if (partialBlock+state->bitsInQueue > state->rate)
1741 partialBlock = state->rate-state->bitsInQueue;
1742 partialByte = partialBlock % 8;
1743 partialBlock -= partialByte;
1744 memcpy(state->dataQueue+state->bitsInQueue/8, data+i/8, partialBlock/8);
1745 state->bitsInQueue += partialBlock;
1746 i += partialBlock;
1747 if (state->bitsInQueue == state->rate)
1748 AbsorbQueue(state);
1749 if (partialByte > 0) {
1750 unsigned char mask = (1 << partialByte)-1;
1751 state->dataQueue[state->bitsInQueue/8] = data[i/8] & mask;
1752 state->bitsInQueue += partialByte;
1753 i += partialByte;
1754 }
1755 }
1756 }
1757 return 0;
1758 }
1759
1760 void PadAndSwitchToSqueezingPhase(spongeState *state)
1761 {
1762 // Note: the bits are numbered from 0=LSB to 7=MSB
1763 if (state->bitsInQueue + 1 == state->rate) {
1764 state->dataQueue[state->bitsInQueue/8 ] |= 1 << (state->bitsInQueue % 8);
1765 AbsorbQueue(state);
1766 memset(state->dataQueue, 0, state->rate/8);
1767 }
1768 else {
1769 memset(state->dataQueue + (state->bitsInQueue+7)/8, 0, state->rate/8 - (state->bitsInQueue+7)/8);
1770 state->dataQueue[state->bitsInQueue/8 ] |= 1 << (state->bitsInQueue % 8);
1771 }
1772 state->dataQueue[(state->rate-1)/8] |= 1 << ((state->rate-1) % 8);
1773 AbsorbQueue(state);
1774
1775 #ifdef KeccakReference
1776 displayText(1, "--- Switching to squeezing phase ---");
1777 #endif
1778 #ifdef ProvideFast1024
1779 if (state->rate == 1024) {
1780 KeccakExtract1024bits(state->state, state->dataQueue);
1781 state->bitsAvailableForSqueezing = 1024;
1782 }
1783 else
1784 #endif
1785 {
1786 KeccakExtract(state->state, state->dataQueue, state->rate/64);
1787 state->bitsAvailableForSqueezing = state->rate;
1788 }
1789 #ifdef KeccakReference
1790 displayBytes(1, "Block available for squeezing", state->dataQueue, state->bitsAvailableForSqueezing/8);
1791 #endif
1792 state->squeezing = 1;
1793 }
1794
1795 int Squeeze(spongeState *state, unsigned char *output, unsigned long long outputLength)
1796 {
1797 unsigned long long i;
1798 unsigned int partialBlock;
1799
1800 if (!state->squeezing)
1801 PadAndSwitchToSqueezingPhase(state);
1802 if ((outputLength % 8) != 0)
1803 return 1; // Only multiple of 8 bits are allowed, truncation can be done at user level
1804
1805 i = 0;
1806 while(i < outputLength) {
1807 if (state->bitsAvailableForSqueezing == 0) {
1808 KeccakPermutation(state->state);
1809 #ifdef ProvideFast1024
1810 if (state->rate == 1024) {
1811 KeccakExtract1024bits(state->state, state->dataQueue);
1812 state->bitsAvailableForSqueezing = 1024;
1813 }
1814 else
1815 #endif
1816 {
1817 KeccakExtract(state->state, state->dataQueue, state->rate/64);
1818 state->bitsAvailableForSqueezing = state->rate;
1819 }
1820 #ifdef KeccakReference
1821 displayBytes(1, "Block available for squeezing", state->dataQueue, state->bitsAvailableForSqueezing/8);
1822 #endif
1823 }
1824 partialBlock = state->bitsAvailableForSqueezing;
1825 if ((unsigned long long)partialBlock > outputLength - i)
1826 partialBlock = (unsigned int)(outputLength - i);
1827 memcpy(output+i/8, state->dataQueue+(state->rate-state->bitsAvailableForSqueezing)/8, partialBlock/8);
1828 state->bitsAvailableForSqueezing -= partialBlock;
1829 i += partialBlock;
1830 }
1831 return 0;
1832 }
1833
1834
1835
1836 // ================================================================================
1837 // =================== KeccakNISTInterface.h
1838 // ================================================================================
1839
1840
1841 /*
1842 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
1843 Michaël Peeters and Gilles Van Assche. For more information, feedback or
1844 questions, please refer to our website: http://keccak.noekeon.org/
1845
1846 Implementation by the designers,
1847 hereby denoted as "the implementer".
1848
1849 To the extent possible under law, the implementer has waived all copyright
1850 and related or neighboring rights to the source code in this file.
1851 http://creativecommons.org/publicdomain/zero/1.0/
1852 */
1853
1854 #ifndef _KeccakNISTInterface_h_
1855 #define _KeccakNISTInterface_h_
1856
1857 //#include "KeccakSponge.h"
1858
1859 typedef unsigned char BitSequence;
1860 typedef unsigned long long DataLength;
1861 typedef enum { SUCCESS = 0, FAIL = 1, BAD_HASHLEN = 2 } HashReturn;
1862
1863 typedef spongeState hashState;
1864
1865 /**
1866 * Function to initialize the state of the Keccak[r, c] sponge function.
1867 * The rate r and capacity c values are determined from @a hashbitlen.
1868 * @param state Pointer to the state of the sponge function to be initialized.
1869 * @param hashbitlen The desired number of output bits,
1870 * or 0 for Keccak[] with default parameters
1871 * and arbitrarily-long output.
1872 * @pre The value of hashbitlen must be one of 0, 224, 256, 384 and 512.
1873 * @return SUCCESS if successful, BAD_HASHLEN if the value of hashbitlen is incorrect.
1874 */
1875 HashReturn Init(hashState *state, int hashbitlen);
1876 /**
1877 * Function to give input data for the sponge function to absorb.
1878 * @param state Pointer to the state of the sponge function initialized by Init().
1879 * @param data Pointer to the input data.
1880 * When @a databitLen is not a multiple of 8, the last bits of data must be
1881 * in the most significant bits of the last byte.
1882 * @param databitLen The number of input bits provided in the input data.
1883 * @pre In the previous call to Absorb(), databitLen was a multiple of 8.
1884 * @return SUCCESS if successful, FAIL otherwise.
1885 */
1886 HashReturn Update(hashState *state, const BitSequence *data, DataLength databitlen);
1887 /**
1888 * Function to squeeze output data from the sponge function.
1889 * If @a hashbitlen was not 0 in the call to Init(), the number of output bits is equal to @a hashbitlen.
1890 * If @a hashbitlen was 0 in the call to Init(), the output bits must be extracted using the Squeeze() function.
1891 * @param state Pointer to the state of the sponge function initialized by Init().
1892 * @param hashval Pointer to the buffer where to store the output data.
1893 * @return SUCCESS if successful, FAIL otherwise.
1894 */
1895 HashReturn Final(hashState *state, BitSequence *hashval);
1896 /**
1897 * Function to compute a hash using the Keccak[r, c] sponge function.
1898 * The rate r and capacity c values are determined from @a hashbitlen.
1899 * @param hashbitlen The desired number of output bits.
1900 * @param data Pointer to the input data.
1901 * When @a databitLen is not a multiple of 8, the last bits of data must be
1902 * in the most significant bits of the last byte.
1903 * @param databitLen The number of input bits provided in the input data.
1904 * @param hashval Pointer to the buffer where to store the output data.
1905 * @pre The value of hashbitlen must be one of 224, 256, 384 and 512.
1906 * @return SUCCESS if successful, BAD_HASHLEN if the value of hashbitlen is incorrect.
1907 */
1908 HashReturn Hash(int hashbitlen, const BitSequence *data, DataLength databitlen, BitSequence *hashval);
1909
1910 #endif
1911
1912
1913 // ================================================================================
1914 // =================== KeccakNISTInterface.c
1915 // ================================================================================
1916
1917
1918
1919 /*
1920 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
1921 Michaël Peeters and Gilles Van Assche. For more information, feedback or
1922 questions, please refer to our website: http://keccak.noekeon.org/
1923
1924 Implementation by the designers,
1925 hereby denoted as "the implementer".
1926
1927 To the extent possible under law, the implementer has waived all copyright
1928 and related or neighboring rights to the source code in this file.
1929 http://creativecommons.org/publicdomain/zero/1.0/
1930 */
1931
1932 #include <string.h>
1933 //#include "KeccakNISTInterface.h"
1934 //#include "KeccakF-1600-interface.h"
1935
1936 HashReturn Init(hashState *state, int hashbitlen)
1937 {
1938 switch(hashbitlen) {
1939 case 0: // Default parameters, arbitrary length output
1940 InitSponge((spongeState*)state, 1024, 576);
1941 break;
1942 case 224:
1943 InitSponge((spongeState*)state, 1152, 448);
1944 break;
1945 case 256:
1946 InitSponge((spongeState*)state, 1088, 512);
1947 break;
1948 case 384:
1949 InitSponge((spongeState*)state, 832, 768);
1950 break;
1951 case 512:
1952 InitSponge((spongeState*)state, 576, 1024);
1953 break;
1954 default:
1955 return BAD_HASHLEN;
1956 }
1957 state->fixedOutputLength = hashbitlen;
1958 return SUCCESS;
1959 }
1960
1961 HashReturn Update(hashState *state, const BitSequence *data, DataLength databitlen)
1962 {
1963 if ((databitlen % 8) == 0)
1964 return (HashReturn)Absorb((spongeState*)state, data, databitlen);
1965 else {
1966 HashReturn ret = (HashReturn)Absorb((spongeState*)state, data, databitlen - (databitlen % 8));
1967 if (ret == SUCCESS) {
1968 unsigned char lastByte;
1969 // Align the last partial byte to the least significant bits
1970 lastByte = data[databitlen/8] >> (8 - (databitlen % 8));
1971 return (HashReturn)Absorb((spongeState*)state, &lastByte, databitlen % 8);
1972 }
1973 else
1974 return ret;
1975 }
1976 }
1977
1978 HashReturn Final(hashState *state, BitSequence *hashval)
1979 {
1980 return (HashReturn)Squeeze(state, hashval, state->fixedOutputLength);
1981 }
1982
1983 HashReturn Hash(int hashbitlen, const BitSequence *data, DataLength databitlen, BitSequence *hashval)
1984 {
1985 hashState state;
1986 HashReturn result;
1987
1988 if ((hashbitlen != 224) && (hashbitlen != 256) && (hashbitlen != 384) && (hashbitlen != 512))
1989 return BAD_HASHLEN; // Only the four fixed output lengths available through this API
1990 result = Init(&state, hashbitlen);
1991 if (result != SUCCESS)
1992 return result;
1993 result = Update(&state, data, databitlen);
1994 if (result != SUCCESS)
1995 return result;
1996 result = Final(&state, hashval);
1997 return result;
1998 }
1999
2000
2001 } // end of namespace KeccakImpl
2002 } // end of namespace Internal
2003 } // end of namespace Hash
2004 } // end of namespace MUtils
2005
MUtilities