github.com/karalabe/go-ethereum@v0.8.5/crypto/sha3/keccakf.go (about) 1 // Copyright 2013 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package sha3 6 7 // This file implements the core Keccak permutation function necessary for computing SHA3. 8 // This is implemented in a separate file to allow for replacement by an optimized implementation. 9 // Nothing in this package is exported. 10 // For the detailed specification, refer to the Keccak web site (http://keccak.noekeon.org/). 11 12 // rc stores the round constants for use in the ι step. 13 var rc = [...]uint64{ 14 0x0000000000000001, 15 0x0000000000008082, 16 0x800000000000808A, 17 0x8000000080008000, 18 0x000000000000808B, 19 0x0000000080000001, 20 0x8000000080008081, 21 0x8000000000008009, 22 0x000000000000008A, 23 0x0000000000000088, 24 0x0000000080008009, 25 0x000000008000000A, 26 0x000000008000808B, 27 0x800000000000008B, 28 0x8000000000008089, 29 0x8000000000008003, 30 0x8000000000008002, 31 0x8000000000000080, 32 0x000000000000800A, 33 0x800000008000000A, 34 0x8000000080008081, 35 0x8000000000008080, 36 0x0000000080000001, 37 0x8000000080008008, 38 } 39 40 // ro_xx represent the rotation offsets for use in the χ step. 41 // Defining them as const instead of in an array allows the compiler to insert constant shifts. 42 const ( 43 ro_00 = 0 44 ro_01 = 36 45 ro_02 = 3 46 ro_03 = 41 47 ro_04 = 18 48 ro_05 = 1 49 ro_06 = 44 50 ro_07 = 10 51 ro_08 = 45 52 ro_09 = 2 53 ro_10 = 62 54 ro_11 = 6 55 ro_12 = 43 56 ro_13 = 15 57 ro_14 = 61 58 ro_15 = 28 59 ro_16 = 55 60 ro_17 = 25 61 ro_18 = 21 62 ro_19 = 56 63 ro_20 = 27 64 ro_21 = 20 65 ro_22 = 39 66 ro_23 = 8 67 ro_24 = 14 68 ) 69 70 // keccakF computes the complete Keccak-f function consisting of 24 rounds with a different 71 // constant (rc) in each round. This implementation fully unrolls the round function to avoid 72 // inner loops, as well as pre-calculating shift offsets. 73 func (d *digest) keccakF() { 74 for _, roundConstant := range rc { 75 // θ step 76 d.c[0] = d.a[0] ^ d.a[5] ^ d.a[10] ^ d.a[15] ^ d.a[20] 77 d.c[1] = d.a[1] ^ d.a[6] ^ d.a[11] ^ d.a[16] ^ d.a[21] 78 d.c[2] = d.a[2] ^ d.a[7] ^ d.a[12] ^ d.a[17] ^ d.a[22] 79 d.c[3] = d.a[3] ^ d.a[8] ^ d.a[13] ^ d.a[18] ^ d.a[23] 80 d.c[4] = d.a[4] ^ d.a[9] ^ d.a[14] ^ d.a[19] ^ d.a[24] 81 82 d.d[0] = d.c[4] ^ (d.c[1]<<1 ^ d.c[1]>>63) 83 d.d[1] = d.c[0] ^ (d.c[2]<<1 ^ d.c[2]>>63) 84 d.d[2] = d.c[1] ^ (d.c[3]<<1 ^ d.c[3]>>63) 85 d.d[3] = d.c[2] ^ (d.c[4]<<1 ^ d.c[4]>>63) 86 d.d[4] = d.c[3] ^ (d.c[0]<<1 ^ d.c[0]>>63) 87 88 d.a[0] ^= d.d[0] 89 d.a[1] ^= d.d[1] 90 d.a[2] ^= d.d[2] 91 d.a[3] ^= d.d[3] 92 d.a[4] ^= d.d[4] 93 d.a[5] ^= d.d[0] 94 d.a[6] ^= d.d[1] 95 d.a[7] ^= d.d[2] 96 d.a[8] ^= d.d[3] 97 d.a[9] ^= d.d[4] 98 d.a[10] ^= d.d[0] 99 d.a[11] ^= d.d[1] 100 d.a[12] ^= d.d[2] 101 d.a[13] ^= d.d[3] 102 d.a[14] ^= d.d[4] 103 d.a[15] ^= d.d[0] 104 d.a[16] ^= d.d[1] 105 d.a[17] ^= d.d[2] 106 d.a[18] ^= d.d[3] 107 d.a[19] ^= d.d[4] 108 d.a[20] ^= d.d[0] 109 d.a[21] ^= d.d[1] 110 d.a[22] ^= d.d[2] 111 d.a[23] ^= d.d[3] 112 d.a[24] ^= d.d[4] 113 114 // ρ and π steps 115 d.b[0] = d.a[0] 116 d.b[1] = d.a[6]<<ro_06 ^ d.a[6]>>(64-ro_06) 117 d.b[2] = d.a[12]<<ro_12 ^ d.a[12]>>(64-ro_12) 118 d.b[3] = d.a[18]<<ro_18 ^ d.a[18]>>(64-ro_18) 119 d.b[4] = d.a[24]<<ro_24 ^ d.a[24]>>(64-ro_24) 120 d.b[5] = d.a[3]<<ro_15 ^ d.a[3]>>(64-ro_15) 121 d.b[6] = d.a[9]<<ro_21 ^ d.a[9]>>(64-ro_21) 122 d.b[7] = d.a[10]<<ro_02 ^ d.a[10]>>(64-ro_02) 123 d.b[8] = d.a[16]<<ro_08 ^ d.a[16]>>(64-ro_08) 124 d.b[9] = d.a[22]<<ro_14 ^ d.a[22]>>(64-ro_14) 125 d.b[10] = d.a[1]<<ro_05 ^ d.a[1]>>(64-ro_05) 126 d.b[11] = d.a[7]<<ro_11 ^ d.a[7]>>(64-ro_11) 127 d.b[12] = d.a[13]<<ro_17 ^ d.a[13]>>(64-ro_17) 128 d.b[13] = d.a[19]<<ro_23 ^ d.a[19]>>(64-ro_23) 129 d.b[14] = d.a[20]<<ro_04 ^ d.a[20]>>(64-ro_04) 130 d.b[15] = d.a[4]<<ro_20 ^ d.a[4]>>(64-ro_20) 131 d.b[16] = d.a[5]<<ro_01 ^ d.a[5]>>(64-ro_01) 132 d.b[17] = d.a[11]<<ro_07 ^ d.a[11]>>(64-ro_07) 133 d.b[18] = d.a[17]<<ro_13 ^ d.a[17]>>(64-ro_13) 134 d.b[19] = d.a[23]<<ro_19 ^ d.a[23]>>(64-ro_19) 135 d.b[20] = d.a[2]<<ro_10 ^ d.a[2]>>(64-ro_10) 136 d.b[21] = d.a[8]<<ro_16 ^ d.a[8]>>(64-ro_16) 137 d.b[22] = d.a[14]<<ro_22 ^ d.a[14]>>(64-ro_22) 138 d.b[23] = d.a[15]<<ro_03 ^ d.a[15]>>(64-ro_03) 139 d.b[24] = d.a[21]<<ro_09 ^ d.a[21]>>(64-ro_09) 140 141 // χ step 142 d.a[0] = d.b[0] ^ (^d.b[1] & d.b[2]) 143 d.a[1] = d.b[1] ^ (^d.b[2] & d.b[3]) 144 d.a[2] = d.b[2] ^ (^d.b[3] & d.b[4]) 145 d.a[3] = d.b[3] ^ (^d.b[4] & d.b[0]) 146 d.a[4] = d.b[4] ^ (^d.b[0] & d.b[1]) 147 d.a[5] = d.b[5] ^ (^d.b[6] & d.b[7]) 148 d.a[6] = d.b[6] ^ (^d.b[7] & d.b[8]) 149 d.a[7] = d.b[7] ^ (^d.b[8] & d.b[9]) 150 d.a[8] = d.b[8] ^ (^d.b[9] & d.b[5]) 151 d.a[9] = d.b[9] ^ (^d.b[5] & d.b[6]) 152 d.a[10] = d.b[10] ^ (^d.b[11] & d.b[12]) 153 d.a[11] = d.b[11] ^ (^d.b[12] & d.b[13]) 154 d.a[12] = d.b[12] ^ (^d.b[13] & d.b[14]) 155 d.a[13] = d.b[13] ^ (^d.b[14] & d.b[10]) 156 d.a[14] = d.b[14] ^ (^d.b[10] & d.b[11]) 157 d.a[15] = d.b[15] ^ (^d.b[16] & d.b[17]) 158 d.a[16] = d.b[16] ^ (^d.b[17] & d.b[18]) 159 d.a[17] = d.b[17] ^ (^d.b[18] & d.b[19]) 160 d.a[18] = d.b[18] ^ (^d.b[19] & d.b[15]) 161 d.a[19] = d.b[19] ^ (^d.b[15] & d.b[16]) 162 d.a[20] = d.b[20] ^ (^d.b[21] & d.b[22]) 163 d.a[21] = d.b[21] ^ (^d.b[22] & d.b[23]) 164 d.a[22] = d.b[22] ^ (^d.b[23] & d.b[24]) 165 d.a[23] = d.b[23] ^ (^d.b[24] & d.b[20]) 166 d.a[24] = d.b[24] ^ (^d.b[20] & d.b[21]) 167 168 // ι step 169 d.a[0] ^= roundConstant 170 } 171 }