  1// Copyright 2014 The Go Authors. All rights reserved.
  2// Use of this source code is governed by a BSD-style
  3// license that can be found in the LICENSE file.
  4
  5//go:build !amd64 || purego || !gc
  6
  7package sha3
  8
  9import "math/bits"
 10
// rc holds the 24 round constants of the permutation, one per round.
// keccakF1600 XORs rc[r] into lane a[0] at the end of round r (the ι step).
// The literals are grouped in 16-bit chunks so that individual values can be
// compared against a reference table by eye.
var rc = [24]uint64{
	0x0000_0000_0000_0001, // round 0
	0x0000_0000_0000_8082, // round 1
	0x8000_0000_0000_808A, // round 2
	0x8000_0000_8000_8000, // round 3
	0x0000_0000_0000_808B, // round 4
	0x0000_0000_8000_0001, // round 5
	0x8000_0000_8000_8081, // round 6
	0x8000_0000_0000_8009, // round 7
	0x0000_0000_0000_008A, // round 8
	0x0000_0000_0000_0088, // round 9
	0x0000_0000_8000_8009, // round 10
	0x0000_0000_8000_000A, // round 11
	0x0000_0000_8000_808B, // round 12
	0x8000_0000_0000_008B, // round 13
	0x8000_0000_0000_8089, // round 14
	0x8000_0000_0000_8003, // round 15
	0x8000_0000_0000_8002, // round 16
	0x8000_0000_0000_0080, // round 17
	0x0000_0000_0000_800A, // round 18
	0x8000_0000_8000_000A, // round 19
	0x8000_0000_8000_8081, // round 20
	0x8000_0000_0000_8080, // round 21
	0x0000_0000_8000_0001, // round 22
	0x8000_0000_8000_8008, // round 23
}
 38
// keccakF1600 applies the Keccak permutation to a 1600b-wide
// state represented as an array of 25 uint64s. The state is passed by
// pointer and overwritten in place; there is no return value.
//
// All 24 rounds are executed: the loop runs six times and each pass holds
// four unrolled rounds that consume rc[i] through rc[i+3].
//
// Review notes for anyone auditing or porting this code:
//   - Every index into a is a literal and rc is indexed only by the loop
//     counter, and the body contains no conditional on lane values, so
//     neither control flow nor the addresses touched depend on the contents
//     of the state.
//   - Each five-assignment group reads five lanes and stores its results
//     back to those same five indices. Which indices form a group differs
//     between the four unrolled rounds, so the statements cannot be
//     reordered or moved between rounds.
//   - A wrong index or rotation count still yields plausible-looking
//     output; any edit should be checked against known-answer test vectors.
func keccakF1600(a *[25]uint64) {
	// Implementation translated from Keccak-inplace.c
	// in the keccak reference code.
	var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64

	for i := 0; i < 24; i += 4 {
		// Combines the 5 steps in each round into 2 steps.
		// Unrolls 4 rounds per loop and spreads some steps across rounds.

		// Round 1
		// θ, first half: bcN is the XOR of the five lanes whose index is
		// N modulo 5 (one column of the state).
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		// θ, second half: dN is the previous column's parity XORed with
		// the next column's parity rotated left by one bit
		// (x<<1 | x>>63 is a 1-bit left rotate of a uint64).
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		// Each group below folds dN into five lanes, rotates each by a
		// fixed per-lane offset, then writes x ^ (z &^ y), i.e.
		// x XOR (z AND NOT y), back to the indices it read from.
		// Only a[0] additionally receives the round constant (ι).
		bc0 = a[0] ^ d0
		t = a[6] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[12] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[18] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[24] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i]
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[16] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[22] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[3] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[1] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[7] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[19] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[11] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[23] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[4] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[2] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[8] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[14] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		// Round 2
		// Same column-parity and dN computation as round 1; the groups
		// that follow use the same rotation offsets in the same order but
		// a different set of lane indices, and rc[i+1].
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[16] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[7] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[23] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[14] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1]
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[11] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[2] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[18] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[6] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[22] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[4] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[1] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[8] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[24] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[12] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[3] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[19] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		// Round 3
		// Same structure again with a third set of lane indices and
		// rc[i+2].
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[11] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[22] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[8] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[19] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2]
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[1] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[12] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[23] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[16] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[2] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[24] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[6] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[3] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[14] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[7] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[18] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[4] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		// Round 4
		// Same structure with rc[i+3]. Here the five groups are the
		// consecutive runs a[0..4], a[5..9], a[10..14], a[15..19] and
		// a[20..24].
		// NOTE(review): presumably this is where the in-place lane
		// relocation of the reference code returns to the starting
		// layout, which would be why four rounds are unrolled together;
		// confirm against Keccak-inplace.c.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[1] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[2] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[3] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[4] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3]
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[6] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[7] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[8] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[11] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[12] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[14] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[16] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[18] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[19] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[22] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[23] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[24] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)
	}
}