// Copyright 2014 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package sha3

// KeccakF1600 applies the Keccak-f[1600] permutation in place to a
// 1600-bit state held as an array of 25 uint64 lanes. Lanes are
// indexed a[x+5*y] for 0 <= x, y < 5 (x selects the column, y the row),
// as the column sums at the start of each round show.
//
// If turbo is false the full 24-round permutation is applied, using
// round constants RC[0..23]. If turbo is true only rounds 12..23 are
// applied, i.e. the LAST twelve rounds with their original round
// constants RC[12..23]; this is the reduced-round Keccak-p[1600, 12]
// used by TurboSHAKE/KangarooTwelve and is not interchangeable with the
// full permutation that SHA-3 and SHAKE require.
//
// RC (the 24 round constants) is not defined in this file; it comes
// from another file of this package.
//
// Timing: the body uses only XOR, AND-NOT, OR and rotations by
// constant amounts, indexes the state with constant subscripts, and
// branches only on turbo and on the fixed loop counter, so the
// sequence of operations and memory accesses does not depend on the
// contents of the state.
// nolint:funlen
func KeccakF1600(a *[25]uint64, turbo bool) {
	// Implementation translated from Keccak-inplace.c
	// in the keccak reference code.
	//
	// Each round is: theta (column parities bc0..bc4, then the mixing
	// values d0..d4 with d[x] = bc[x-1] ^ rotl(bc[x+1], 1)), rho (the
	// per-lane rotations), pi (the lane moves), chi (per row,
	// lane[x] ^= lane[x+2] &^ lane[x+1]) and iota (RC[...] XORed into a[0]).
	//
	// pi is never performed as a physical move. Each round reads a row
	// from the positions in which the previous round stored its lanes
	// and writes the chi output back to those same positions, so a
	// lane's storage slot changes from round to round. The slot only
	// ever moves within the lane's own column, which is why the theta
	// column sums below are identical in every round, and the movement
	// has period 4, so after four rounds every lane is back in its
	// canonical a[x+5*y] slot. That is why four rounds are unrolled per
	// iteration, and why both round counts (24 and 12) must remain
	// multiples of 4: the loop starts at i = 0 or i = 12 and steps by 4,
	// so the state is always in canonical layout on return.
	//
	// bc0..bc4 hold the column parities, then are reused for the
	// rotated lanes of the row being processed; t is a rotation scratch.
	var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64

	i := 0

	if turbo {
		// Keccak-p[1600, 12]: skip rounds 0..11, keep RC[12..23].
		i = 12
	}

	for ; i < 24; i += 4 {
		// Combines the 5 steps in each round into 2 steps.
		// Unrolls 4 rounds per loop and spreads some steps across rounds.

		// Round 1 (round index i): lanes are in canonical layout.
		// theta: column parities.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		// theta: d[x] = C[x-1] ^ rotl(C[x+1], 1).
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		// Row 0 of the pi output: theta-xor, rho-rotate, chi, iota.
		// The rotation amount identifies the canonical lane
		// (e.g. 44 is lane (1,1), 43 is (2,2), 21 is (3,3), 14 is (4,4)).
		bc0 = a[0] ^ d0
		t = a[6] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[12] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[18] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[24] ^ d4
		bc4 = t<<14 | t>>(64-14)
		// chi writes back to the slots that were read; iota only on a[0].
		a[0] = bc0 ^ (bc2 &^ bc1) ^ RC[i]
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		// Row 1 of the pi output.
		t = a[10] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[16] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[22] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[3] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		// Row 2 of the pi output.
		t = a[20] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[1] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[7] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[19] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		// Row 3 of the pi output.
		t = a[5] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[11] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[23] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[4] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		// Row 4 of the pi output.
		t = a[15] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[2] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[8] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[14] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		// Round 2 (round index i+1): same steps, but each row is read
		// from the slots round 1 left its lanes in (the rotation
		// amounts, not the subscripts, identify the canonical lanes).
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[16] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[7] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[23] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[14] ^ d4
		bc4 = t<<14 | t>>(64-14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ RC[i+1]
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[11] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[2] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[18] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[6] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[22] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[4] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[1] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[8] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[24] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[12] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[3] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[19] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		// Round 3 (round index i+2): lanes read from round 2's slots.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[11] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[22] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[8] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[19] ^ d4
		bc4 = t<<14 | t>>(64-14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ RC[i+2]
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[1] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[12] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[23] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[16] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[2] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[24] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[6] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[3] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[14] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[7] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[18] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[4] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		// Round 4 (round index i+3): each row is now read from five
		// consecutive slots a[5y..5y+4] and written back there, so the
		// state is in canonical layout when this round completes.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[1] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[2] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[3] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[4] ^ d4
		bc4 = t<<14 | t>>(64-14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ RC[i+3]
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[6] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[7] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[8] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[11] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[12] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[14] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[16] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[18] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[19] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[22] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[23] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[24] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)
	}
}