github.com/immesys/bw2bc@v1.1.0/crypto/sha3/keccakf.go (about) 1 // Copyright 2014 The Go Authors. All rights reserved. 2 // 3 // Redistribution and use in source and binary forms, with or without 4 // modification, are permitted provided that the following conditions are 5 // met: 6 // 7 // * Redistributions of source code must retain the above copyright 8 // notice, this list of conditions and the following disclaimer. 9 // * Redistributions in binary form must reproduce the above 10 // copyright notice, this list of conditions and the following disclaimer 11 // in the documentation and/or other materials provided with the 12 // distribution. 13 // * Neither the name of Google Inc. nor the names of its 14 // contributors may be used to endorse or promote products derived from 15 // this software without specific prior written permission. 16 // 17 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 18 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 19 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 20 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 21 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 22 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 23 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 27 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 29 package sha3 30 31 // rc stores the round constants for use in the ι step. 
// rc holds the 24 round constants of the permutation. keccakF1600 XORs
// exactly one of them into lane a[0] per round (rc[i] through rc[i+3] inside
// its 4x-unrolled loop); that XOR is the ι step.
var rc = [24]uint64{
	0x0000000000000001,
	0x0000000000008082,
	0x800000000000808A,
	0x8000000080008000,
	0x000000000000808B,
	0x0000000080000001,
	0x8000000080008081,
	0x8000000000008009,
	0x000000000000008A,
	0x0000000000000088,
	0x0000000080008009,
	0x000000008000000A,
	0x000000008000808B,
	0x800000000000008B,
	0x8000000000008089,
	0x8000000000008003,
	0x8000000000008002,
	0x8000000000000080,
	0x000000000000800A,
	0x800000008000000A,
	0x8000000080008081,
	0x8000000000008080,
	0x0000000080000001,
	0x8000000080008008,
}

// keccakF1600 applies the Keccak permutation to a 1600b-wide
// state represented as an array of 25 uint64 lanes.
//
// The array behind a is overwritten in place and nothing is returned.
// a must be non-nil: the first a[...] access dereferences it.
//
// Review notes:
//   - Every index into a and every shift count below is a literal, and the
//     only loop runs a fixed six iterations (i = 0, 4, ..., 20), so neither
//     control flow nor the memory access pattern depends on the contents of
//     the state. Whether the generated machine code is constant-time as well
//     cannot be shown from this file.
//     NOTE(review): confirm for the target compiler/architecture if the state
//     can hold secret data.
//   - A single wrong lane index or rotation count still compiles and runs but
//     silently computes a different permutation, so any edit to this function
//     should be checked against published Keccak-f[1600] known-answer vectors.
func keccakF1600(a *[25]uint64) {
	// Implementation translated from Keccak-inplace.c
	// in the keccak reference code.
	var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64

	for i := 0; i < 24; i += 4 {
		// Combines the 5 steps in each round into 2 steps.
		// Unrolls 4 rounds per loop and spreads some steps across rounds.
		//
		// Shape of every round below:
		//   1. bc0..bc4 = XOR of the five lanes a[k], a[k+5], ..., a[k+20];
		//      d0..d4 = one such parity XOR another one rotated left by 1.
		//   2. Five groups of five lanes. Each lane is XORed with its d value
		//      and rotated left by a fixed count (t<<n | t>>(64-n); n is
		//      between 1 and 62, so no shift count reaches 64), then the
		//      group is recombined as x ^ (z &^ y), i.e. x XOR (z AND NOT y),
		//      and stored back into the same five lanes it was read from.
		// Which lanes form a group differs in rounds 1-3; round 4 uses them in
		// index order (a[0..4], a[5..9], ...).
		// NOTE(review): presumably that is what returns the state to its
		// standard layout after every fourth round — confirm against the
		// reference implementation.

		// Round 1
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		// First group of the round: the only one that is not rotated on lane
		// a[0] and the only one that mixes in the round constant.
		bc0 = a[0] ^ d0
		t = a[6] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[12] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[18] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[24] ^ d4
		bc4 = t<<14 | t>>(64-14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i]
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[16] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[22] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[3] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[1] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[7] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[19] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[11] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[23] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[4] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[2] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[8] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[14] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		// Round 2
		// Same parity/d computation and the same rotation counts as round 1;
		// only the lane indices of each group and the constant (rc[i+1]) differ.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[16] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[7] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[23] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[14] ^ d4
		bc4 = t<<14 | t>>(64-14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1]
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[11] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[2] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[18] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[6] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[22] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[4] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[1] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[8] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[24] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[12] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[3] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[19] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		// Round 3
		// Again the same structure with a third lane grouping; the constant is
		// rc[i+2].
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[11] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[22] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[8] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[19] ^ d4
		bc4 = t<<14 | t>>(64-14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2]
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[1] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[12] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[23] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[16] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[2] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[24] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[6] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[3] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[14] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[7] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[18] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[4] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		// Round 4
		// Groups are the lanes in index order here (a[0..4], a[5..9], ...);
		// the constant is rc[i+3], the last one consumed in this iteration.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[1] ^ d1
		bc1 = t<<44 | t>>(64-44)
		t = a[2] ^ d2
		bc2 = t<<43 | t>>(64-43)
		t = a[3] ^ d3
		bc3 = t<<21 | t>>(64-21)
		t = a[4] ^ d4
		bc4 = t<<14 | t>>(64-14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3]
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc2 = t<<3 | t>>(64-3)
		t = a[6] ^ d1
		bc3 = t<<45 | t>>(64-45)
		t = a[7] ^ d2
		bc4 = t<<61 | t>>(64-61)
		t = a[8] ^ d3
		bc0 = t<<28 | t>>(64-28)
		t = a[9] ^ d4
		bc1 = t<<20 | t>>(64-20)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc4 = t<<18 | t>>(64-18)
		t = a[11] ^ d1
		bc0 = t<<1 | t>>(64-1)
		t = a[12] ^ d2
		bc1 = t<<6 | t>>(64-6)
		t = a[13] ^ d3
		bc2 = t<<25 | t>>(64-25)
		t = a[14] ^ d4
		bc3 = t<<8 | t>>(64-8)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc1 = t<<36 | t>>(64-36)
		t = a[16] ^ d1
		bc2 = t<<10 | t>>(64-10)
		t = a[17] ^ d2
		bc3 = t<<15 | t>>(64-15)
		t = a[18] ^ d3
		bc4 = t<<56 | t>>(64-56)
		t = a[19] ^ d4
		bc0 = t<<27 | t>>(64-27)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc3 = t<<41 | t>>(64-41)
		t = a[21] ^ d1
		bc4 = t<<2 | t>>(64-2)
		t = a[22] ^ d2
		bc0 = t<<62 | t>>(64-62)
		t = a[23] ^ d3
		bc1 = t<<55 | t>>(64-55)
		t = a[24] ^ d4
		bc2 = t<<39 | t>>(64-39)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)
	}
}