/src/botan/src/lib/stream/chacha/chacha.cpp

Source (jump to first uncovered line)
/*
* ChaCha
* (C) 2014,2018 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/chacha.h>
#include <botan/exceptn.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/rotate.h>
#include <botan/internal/cpuid.h>

namespace Botan {

namespace {

#define CHACHA_QUARTER_ROUND(a, b, c, d) \
      do {                               \
      a += b; d ^= a; d = rotl<16>(d);   \
      c += d; b ^= c; b = rotl<12>(b);   \
      a += b; d ^= a; d = rotl<8>(d);    \
      c += d; b ^= c; b = rotl<7>(b);    \
      } while(0)

/*
* Generate HChaCha cipher stream (for XChaCha IV setup)
*/
void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds)
   {
   BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");

   uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
            x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
            x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
            x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];

   for(size_t i = 0; i != rounds / 2; ++i)
      {
      CHACHA_QUARTER_ROUND(x00, x04, x08, x12);
      CHACHA_QUARTER_ROUND(x01, x05, x09, x13);
      CHACHA_QUARTER_ROUND(x02, x06, x10, x14);
      CHACHA_QUARTER_ROUND(x03, x07, x11, x15);

      CHACHA_QUARTER_ROUND(x00, x05, x10, x15);
      CHACHA_QUARTER_ROUND(x01, x06, x11, x12);
      CHACHA_QUARTER_ROUND(x02, x07, x08, x13);
      CHACHA_QUARTER_ROUND(x03, x04, x09, x14);
      }

   output[0] = x00;
   output[1] = x01;
   output[2] = x02;
   output[3] = x03;
   output[4] = x12;
   output[5] = x13;
   output[6] = x14;
   output[7] = x15;
   }

}

ChaCha::ChaCha(size_t rounds) : m_rounds(rounds)
   {
   BOTAN_ARG_CHECK(m_rounds == 8 || m_rounds == 12 || m_rounds == 20,
                   "ChaCha only supports 8, 12 or 20 rounds");
   }

std::string ChaCha::provider() const
   {
#if defined(BOTAN_HAS_CHACHA_AVX2)
   if(CPUID::has_avx2())
      {
      return "avx2";
      }
#endif

#if defined(BOTAN_HAS_CHACHA_SIMD32)
   if(CPUID::has_simd_32())
      {
      return "simd32";
      }
#endif

   return "base";
   }

//static
void ChaCha::chacha_x8(uint8_t output[64*8], uint32_t input[16], size_t rounds)
   {
   BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");

#if defined(BOTAN_HAS_CHACHA_AVX2)
   if(CPUID::has_avx2())
      {
      return ChaCha::chacha_avx2_x8(output, input, rounds);
      }
#endif

#if defined(BOTAN_HAS_CHACHA_SIMD32)
   if(CPUID::has_simd_32())
      {
      ChaCha::chacha_simd32_x4(output, input, rounds);
      ChaCha::chacha_simd32_x4(output + 4*64, input, rounds);
      return;
      }
#endif

   // TODO interleave rounds
   for(size_t i = 0; i != 8; ++i)
      {
      uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
               x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
               x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
               x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];

      for(size_t r = 0; r != rounds / 2; ++r)
         {
         CHACHA_QUARTER_ROUND(x00, x04, x08, x12);
         CHACHA_QUARTER_ROUND(x01, x05, x09, x13);
         CHACHA_QUARTER_ROUND(x02, x06, x10, x14);
         CHACHA_QUARTER_ROUND(x03, x07, x11, x15);

         CHACHA_QUARTER_ROUND(x00, x05, x10, x15);
         CHACHA_QUARTER_ROUND(x01, x06, x11, x12);
         CHACHA_QUARTER_ROUND(x02, x07, x08, x13);
         CHACHA_QUARTER_ROUND(x03, x04, x09, x14);
         }

      x00 += input[0];
      x01 += input[1];
      x02 += input[2];
      x03 += input[3];
      x04 += input[4];
      x05 += input[5];
      x06 += input[6];
      x07 += input[7];
      x08 += input[8];
      x09 += input[9];
      x10 += input[10];
      x11 += input[11];
      x12 += input[12];
      x13 += input[13];
      x14 += input[14];
      x15 += input[15];

      store_le(x00, output + 64 * i + 4 *  0);
      store_le(x01, output + 64 * i + 4 *  1);
      store_le(x02, output + 64 * i + 4 *  2);
      store_le(x03, output + 64 * i + 4 *  3);
      store_le(x04, output + 64 * i + 4 *  4);
      store_le(x05, output + 64 * i + 4 *  5);
      store_le(x06, output + 64 * i + 4 *  6);
      store_le(x07, output + 64 * i + 4 *  7);
      store_le(x08, output + 64 * i + 4 *  8);
      store_le(x09, output + 64 * i + 4 *  9);
      store_le(x10, output + 64 * i + 4 * 10);
      store_le(x11, output + 64 * i + 4 * 11);
      store_le(x12, output + 64 * i + 4 * 12);
      store_le(x13, output + 64 * i + 4 * 13);
      store_le(x14, output + 64 * i + 4 * 14);
      store_le(x15, output + 64 * i + 4 * 15);

      input[12]++;
      input[13] += (input[12] == 0);
      }
   }

#undef CHACHA_QUARTER_ROUND

/*
* Combine cipher stream with message
*/
void ChaCha::cipher(const uint8_t in[], uint8_t out[], size_t length)
   {
   verify_key_set(m_state.empty() == false);

   while(length >= m_buffer.size() - m_position)
      {
      const size_t available = m_buffer.size() - m_position;

      xor_buf(out, in, &m_buffer[m_position], available);
      chacha_x8(m_buffer.data(), m_state.data(), m_rounds);

      length -= available;
      in += available;
      out += available;
      m_position = 0;
      }

   xor_buf(out, in, &m_buffer[m_position], length);

   m_position += length;
   }

void ChaCha::write_keystream(uint8_t out[], size_t length)
   {
   verify_key_set(m_state.empty() == false);

   while(length >= m_buffer.size() - m_position)
      {
      const size_t available = m_buffer.size() - m_position;

      copy_mem(out, &m_buffer[m_position], available);
      chacha_x8(m_buffer.data(), m_state.data(), m_rounds);

      length -= available;
      out += available;
      m_position = 0;
      }

   copy_mem(out, &m_buffer[m_position], length);

   m_position += length;
   }

void ChaCha::initialize_state()
   {
   static const uint32_t TAU[] =
      { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };

   static const uint32_t SIGMA[] =
      { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };

   m_state[4] = m_key[0];
   m_state[5] = m_key[1];
   m_state[6] = m_key[2];
   m_state[7] = m_key[3];

   if(m_key.size() == 4)
      {
      m_state[0] = TAU[0];
      m_state[1] = TAU[1];
      m_state[2] = TAU[2];
      m_state[3] = TAU[3];

      m_state[8] = m_key[0];
      m_state[9] = m_key[1];
      m_state[10] = m_key[2];
      m_state[11] = m_key[3];
      }
   else
      {
      m_state[0] = SIGMA[0];
      m_state[1] = SIGMA[1];
      m_state[2] = SIGMA[2];
      m_state[3] = SIGMA[3];

      m_state[8] = m_key[4];
      m_state[9] = m_key[5];
      m_state[10] = m_key[6];
      m_state[11] = m_key[7];
      }

   m_state[12] = 0;
   m_state[13] = 0;
   m_state[14] = 0;
   m_state[15] = 0;

   m_position = 0;
   }

/*
* ChaCha Key Schedule
*/
void ChaCha::key_schedule(const uint8_t key[], size_t length)
   {
   m_key.resize(length / 4);
   load_le<uint32_t>(m_key.data(), key, m_key.size());

   m_state.resize(16);

   const size_t chacha_parallelism = 8; // chacha_x8
   const size_t chacha_block = 64;
   m_buffer.resize(chacha_parallelism * chacha_block);

   set_iv(nullptr, 0);
   }

size_t ChaCha::default_iv_length() const
   {
   return 24;
   }

Key_Length_Specification ChaCha::key_spec() const
   {
   return Key_Length_Specification(16, 32, 16);
   }

std::unique_ptr<StreamCipher> ChaCha::new_object() const
   {
   return std::make_unique<ChaCha>(m_rounds);
   }

bool ChaCha::valid_iv_length(size_t iv_len) const
   {
   return (iv_len == 0 || iv_len == 8 || iv_len == 12 || iv_len == 24);
   }

void ChaCha::set_iv(const uint8_t iv[], size_t length)
   {
   verify_key_set(m_state.empty() == false);

   if(!valid_iv_length(length))
      throw Invalid_IV_Length(name(), length);

   initialize_state();

   if(length == 0)
      {
      // Treat zero length IV same as an all-zero IV
      m_state[14] = 0;
      m_state[15] = 0;
      }
   else if(length == 8)
      {
      m_state[14] = load_le<uint32_t>(iv, 0);
      m_state[15] = load_le<uint32_t>(iv, 1);
      }
   else if(length == 12)
      {
      m_state[13] = load_le<uint32_t>(iv, 0);
      m_state[14] = load_le<uint32_t>(iv, 1);
      m_state[15] = load_le<uint32_t>(iv, 2);
      }
   else if(length == 24)
      {
      m_state[12] = load_le<uint32_t>(iv, 0);
      m_state[13] = load_le<uint32_t>(iv, 1);
      m_state[14] = load_le<uint32_t>(iv, 2);
      m_state[15] = load_le<uint32_t>(iv, 3);

      secure_vector<uint32_t> hc(8);
      hchacha(hc.data(), m_state.data(), m_rounds);

      m_state[ 4] = hc[0];
      m_state[ 5] = hc[1];
      m_state[ 6] = hc[2];
      m_state[ 7] = hc[3];
      m_state[ 8] = hc[4];
      m_state[ 9] = hc[5];
      m_state[10] = hc[6];
      m_state[11] = hc[7];
      m_state[12] = 0;
      m_state[13] = 0;
      m_state[14] = load_le<uint32_t>(iv, 4);
      m_state[15] = load_le<uint32_t>(iv, 5);
      }

   chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
   m_position = 0;
   }

void ChaCha::clear()
   {
   zap(m_key);
   zap(m_state);
   zap(m_buffer);
   m_position = 0;
   }

std::string ChaCha::name() const
   {
   return "ChaCha(" + std::to_string(m_rounds) + ")";
   }

void ChaCha::seek(uint64_t offset)
   {
   verify_key_set(m_state.empty() == false);

   // Find the block offset
   const uint64_t counter = offset / 64;

   uint8_t out[8];

   store_le(counter, out);

   m_state[12] = load_le<uint32_t>(out, 0);
   m_state[13] += load_le<uint32_t>(out, 1);

   chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
   m_position = offset % 64;
   }
}

Coverage Report

Created: 2022-01-14 08:07

Line	Count	Source (jump to first uncovered line)
1		/*
2		* ChaCha
3		* (C) 2014,2018 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#include <botan/internal/chacha.h>
9		#include <botan/exceptn.h>
10		#include <botan/internal/loadstor.h>
11		#include <botan/internal/rotate.h>
12		#include <botan/internal/cpuid.h>
13
14		namespace Botan {
15
16		namespace {
17
18		#define CHACHA_QUARTER_ROUND(a, b, c, d) \
19	0	do { \
20	0	a += b; d ^= a; d = rotl<16>(d); \
21	0	c += d; b ^= c; b = rotl<12>(b); \
22	0	a += b; d ^= a; d = rotl<8>(d); \
23	0	c += d; b ^= c; b = rotl<7>(b); \
24	0	} while(0)
25
26		/*
27		* Generate HChaCha cipher stream (for XChaCha IV setup)
28		*/
29		void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds)
30	0	{
31	0	BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
32
33	0	uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
34	0	x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
35	0	x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
36	0	x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
37
38	0	for(size_t i = 0; i != rounds / 2; ++i)
39	0	{
40	0	CHACHA_QUARTER_ROUND(x00, x04, x08, x12);
41	0	CHACHA_QUARTER_ROUND(x01, x05, x09, x13);
42	0	CHACHA_QUARTER_ROUND(x02, x06, x10, x14);
43	0	CHACHA_QUARTER_ROUND(x03, x07, x11, x15);
44
45	0	CHACHA_QUARTER_ROUND(x00, x05, x10, x15);
46	0	CHACHA_QUARTER_ROUND(x01, x06, x11, x12);
47	0	CHACHA_QUARTER_ROUND(x02, x07, x08, x13);
48	0	CHACHA_QUARTER_ROUND(x03, x04, x09, x14);
49	0	}
50
51	0	output[0] = x00;
52	0	output[1] = x01;
53	0	output[2] = x02;
54	0	output[3] = x03;
55	0	output[4] = x12;
56	0	output[5] = x13;
57	0	output[6] = x14;
58	0	output[7] = x15;
59	0	}
60
61		}
62
63		ChaCha::ChaCha(size_t rounds) : m_rounds(rounds)
64	82	{
65	82	BOTAN_ARG_CHECK(m_rounds == 8 \|\| m_rounds == 12 \|\| m_rounds == 20,
66	82	"ChaCha only supports 8, 12 or 20 rounds");
67	82	}
68
69		std::string ChaCha::provider() const
70	0	{
71	0	#if defined(BOTAN_HAS_CHACHA_AVX2)
72	0	if(CPUID::has_avx2())
73	0	{
74	0	return "avx2";
75	0	}
76	0	#endif
77
78	0	#if defined(BOTAN_HAS_CHACHA_SIMD32)
79	0	if(CPUID::has_simd_32())
80	0	{
81	0	return "simd32";
82	0	}
83	0	#endif
84
85	0	return "base";
86	0	}
87
88		//static
89		void ChaCha::chacha_x8(uint8_t output[64*8], uint32_t input[16], size_t rounds)
90	58.2k	{
91	58.2k	BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
92
93	58.2k	#if defined(BOTAN_HAS_CHACHA_AVX2)
94	58.2k	if(CPUID::has_avx2())
95	58.2k	{
96	58.2k	return ChaCha::chacha_avx2_x8(output, input, rounds);
97	58.2k	}
98	0	#endif
99
100	0	#if defined(BOTAN_HAS_CHACHA_SIMD32)
101	0	if(CPUID::has_simd_32())
102	0	{
103	0	ChaCha::chacha_simd32_x4(output, input, rounds);
104	0	ChaCha::chacha_simd32_x4(output + 4*64, input, rounds);
105	0	return;
106	0	}
107	0	#endif
108
109		// TODO interleave rounds
110	0	for(size_t i = 0; i != 8; ++i)
111	0	{
112	0	uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
113	0	x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
114	0	x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
115	0	x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
116
117	0	for(size_t r = 0; r != rounds / 2; ++r)
118	0	{
119	0	CHACHA_QUARTER_ROUND(x00, x04, x08, x12);
120	0	CHACHA_QUARTER_ROUND(x01, x05, x09, x13);
121	0	CHACHA_QUARTER_ROUND(x02, x06, x10, x14);
122	0	CHACHA_QUARTER_ROUND(x03, x07, x11, x15);
123
124	0	CHACHA_QUARTER_ROUND(x00, x05, x10, x15);
125	0	CHACHA_QUARTER_ROUND(x01, x06, x11, x12);
126	0	CHACHA_QUARTER_ROUND(x02, x07, x08, x13);
127	0	CHACHA_QUARTER_ROUND(x03, x04, x09, x14);
128	0	}
129
130	0	x00 += input[0];
131	0	x01 += input[1];
132	0	x02 += input[2];
133	0	x03 += input[3];
134	0	x04 += input[4];
135	0	x05 += input[5];
136	0	x06 += input[6];
137	0	x07 += input[7];
138	0	x08 += input[8];
139	0	x09 += input[9];
140	0	x10 += input[10];
141	0	x11 += input[11];
142	0	x12 += input[12];
143	0	x13 += input[13];
144	0	x14 += input[14];
145	0	x15 += input[15];
146
147	0	store_le(x00, output + 64 * i + 4 * 0);
148	0	store_le(x01, output + 64 * i + 4 * 1);
149	0	store_le(x02, output + 64 * i + 4 * 2);
150	0	store_le(x03, output + 64 * i + 4 * 3);
151	0	store_le(x04, output + 64 * i + 4 * 4);
152	0	store_le(x05, output + 64 * i + 4 * 5);
153	0	store_le(x06, output + 64 * i + 4 * 6);
154	0	store_le(x07, output + 64 * i + 4 * 7);
155	0	store_le(x08, output + 64 * i + 4 * 8);
156	0	store_le(x09, output + 64 * i + 4 * 9);
157	0	store_le(x10, output + 64 * i + 4 * 10);
158	0	store_le(x11, output + 64 * i + 4 * 11);
159	0	store_le(x12, output + 64 * i + 4 * 12);
160	0	store_le(x13, output + 64 * i + 4 * 13);
161	0	store_le(x14, output + 64 * i + 4 * 14);
162	0	store_le(x15, output + 64 * i + 4 * 15);
163
164	0	input[12]++;
165	0	input[13] += (input[12] == 0);
166	0	}
167	0	}
168
169		#undef CHACHA_QUARTER_ROUND
170
171		/*
172		* Combine cipher stream with message
173		*/
174		void ChaCha::cipher(const uint8_t in[], uint8_t out[], size_t length)
175	80	{
176	80	verify_key_set(m_state.empty() == false);
177
178	131	while(length >= m_buffer.size() - m_position)
179	51	{
180	51	const size_t available = m_buffer.size() - m_position;
181
182	51	xor_buf(out, in, &m_buffer[m_position], available);
183	51	chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
184
185	51	length -= available;
186	51	in += available;
187	51	out += available;
188	51	m_position = 0;
189	51	}
190
191	80	xor_buf(out, in, &m_buffer[m_position], length);
192
193	80	m_position += length;
194	80	}
195
196		void ChaCha::write_keystream(uint8_t out[], size_t length)
197	660k	{
198	660k	verify_key_set(m_state.empty() == false);
199
200	718k	while(length >= m_buffer.size() - m_position)
201	58.0k	{
202	58.0k	const size_t available = m_buffer.size() - m_position;
203
204	58.0k	copy_mem(out, &m_buffer[m_position], available);
205	58.0k	chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
206
207	58.0k	length -= available;
208	58.0k	out += available;
209	58.0k	m_position = 0;
210	58.0k	}
211
212	660k	copy_mem(out, &m_buffer[m_position], length);
213
214	660k	m_position += length;
215	660k	}
216
217		void ChaCha::initialize_state()
218	170	{
219	170	static const uint32_t TAU[] =
220	170	{ 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
221
222	170	static const uint32_t SIGMA[] =
223	170	{ 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
224
225	170	m_state[4] = m_key[0];
226	170	m_state[5] = m_key[1];
227	170	m_state[6] = m_key[2];
228	170	m_state[7] = m_key[3];
229
230	170	if(m_key.size() == 4)
231	0	{
232	0	m_state[0] = TAU[0];
233	0	m_state[1] = TAU[1];
234	0	m_state[2] = TAU[2];
235	0	m_state[3] = TAU[3];
236
237	0	m_state[8] = m_key[0];
238	0	m_state[9] = m_key[1];
239	0	m_state[10] = m_key[2];
240	0	m_state[11] = m_key[3];
241	0	}
242	170	else
243	170	{
244	170	m_state[0] = SIGMA[0];
245	170	m_state[1] = SIGMA[1];
246	170	m_state[2] = SIGMA[2];
247	170	m_state[3] = SIGMA[3];
248
249	170	m_state[8] = m_key[4];
250	170	m_state[9] = m_key[5];
251	170	m_state[10] = m_key[6];
252	170	m_state[11] = m_key[7];
253	170	}
254
255	170	m_state[12] = 0;
256	170	m_state[13] = 0;
257	170	m_state[14] = 0;
258	170	m_state[15] = 0;
259
260	170	m_position = 0;
261	170	}
262
263		/*
264		* ChaCha Key Schedule
265		*/
266		void ChaCha::key_schedule(const uint8_t key[], size_t length)
267	89	{
268	89	m_key.resize(length / 4);
269	89	load_le<uint32_t>(m_key.data(), key, m_key.size());
270
271	89	m_state.resize(16);
272
273	89	const size_t chacha_parallelism = 8; // chacha_x8
274	89	const size_t chacha_block = 64;
275	89	m_buffer.resize(chacha_parallelism * chacha_block);
276
277	89	set_iv(nullptr, 0);
278	89	}
279
280		size_t ChaCha::default_iv_length() const
281	0	{
282	0	return 24;
283	0	}
284
285		Key_Length_Specification ChaCha::key_spec() const
286	89	{
287	89	return Key_Length_Specification(16, 32, 16);
288	89	}
289
290		std::unique_ptr<StreamCipher> ChaCha::new_object() const
291	0	{
292	0	return std::make_unique<ChaCha>(m_rounds);
293	0	}
294
295		bool ChaCha::valid_iv_length(size_t iv_len) const
296	170	{
297	170	return (iv_len == 0 \|\| iv_len == 8 \|\| iv_len == 12 \|\| iv_len == 24);
298	170	}
299
300		void ChaCha::set_iv(const uint8_t iv[], size_t length)
301	170	{
302	170	verify_key_set(m_state.empty() == false);
303
304	170	if(!valid_iv_length(length))
305	0	throw Invalid_IV_Length(name(), length);
306
307	170	initialize_state();
308
309	170	if(length == 0)
310	89	{
311		// Treat zero length IV same as an all-zero IV
312	89	m_state[14] = 0;
313	89	m_state[15] = 0;
314	89	}
315	81	else if(length == 8)
316	0	{
317	0	m_state[14] = load_le<uint32_t>(iv, 0);
318	0	m_state[15] = load_le<uint32_t>(iv, 1);
319	0	}
320	81	else if(length == 12)
321	81	{
322	81	m_state[13] = load_le<uint32_t>(iv, 0);
323	81	m_state[14] = load_le<uint32_t>(iv, 1);
324	81	m_state[15] = load_le<uint32_t>(iv, 2);
325	81	}
326	0	else if(length == 24)
327	0	{
328	0	m_state[12] = load_le<uint32_t>(iv, 0);
329	0	m_state[13] = load_le<uint32_t>(iv, 1);
330	0	m_state[14] = load_le<uint32_t>(iv, 2);
331	0	m_state[15] = load_le<uint32_t>(iv, 3);
332
333	0	secure_vector<uint32_t> hc(8);
334	0	hchacha(hc.data(), m_state.data(), m_rounds);
335
336	0	m_state[ 4] = hc[0];
337	0	m_state[ 5] = hc[1];
338	0	m_state[ 6] = hc[2];
339	0	m_state[ 7] = hc[3];
340	0	m_state[ 8] = hc[4];
341	0	m_state[ 9] = hc[5];
342	0	m_state[10] = hc[6];
343	0	m_state[11] = hc[7];
344	0	m_state[12] = 0;
345	0	m_state[13] = 0;
346	0	m_state[14] = load_le<uint32_t>(iv, 4);
347	0	m_state[15] = load_le<uint32_t>(iv, 5);
348	0	}
349
350	170	chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
351	170	m_position = 0;
352	170	}
353
354		void ChaCha::clear()
355	0	{
356	0	zap(m_key);
357	0	zap(m_state);
358	0	zap(m_buffer);
359	0	m_position = 0;
360	0	}
361
362		std::string ChaCha::name() const
363	0	{
364	0	return "ChaCha(" + std::to_string(m_rounds) + ")";
365	0	}
366
367		void ChaCha::seek(uint64_t offset)
368	0	{
369	0	verify_key_set(m_state.empty() == false);
370
371		// Find the block offset
372	0	const uint64_t counter = offset / 64;
373
374	0	uint8_t out[8];
375
376	0	store_le(counter, out);
377
378	0	m_state[12] = load_le<uint32_t>(out, 0);
379	0	m_state[13] += load_le<uint32_t>(out, 1);
380
381	0	chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
382	0	m_position = offset % 64;
383	0	}
384		}