/src/botan/src/lib/stream/chacha/chacha.cpp

Source (jump to first uncovered line)
/*
* ChaCha
* (C) 2014,2018 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/chacha.h>
#include <botan/exceptn.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/rotate.h>
#include <botan/internal/cpuid.h>

namespace Botan {

namespace {

inline void chacha_quarter_round(uint32_t& a,
                                 uint32_t& b,
                                 uint32_t& c,
                                 uint32_t& d)
   {
   a += b; d ^= a; d = rotl<16>(d);
   c += d; b ^= c; b = rotl<12>(b);
   a += b; d ^= a; d = rotl< 8>(d);
   c += d; b ^= c; b = rotl< 7>(b);
   }

/*
* Generate HChaCha cipher stream (for XChaCha IV setup)
*/
void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds)
   {
   BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");

   uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
            x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
            x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
            x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];

   for(size_t i = 0; i != rounds / 2; ++i)
      {
      chacha_quarter_round(x00, x04, x08, x12);
      chacha_quarter_round(x01, x05, x09, x13);
      chacha_quarter_round(x02, x06, x10, x14);
      chacha_quarter_round(x03, x07, x11, x15);

      chacha_quarter_round(x00, x05, x10, x15);
      chacha_quarter_round(x01, x06, x11, x12);
      chacha_quarter_round(x02, x07, x08, x13);
      chacha_quarter_round(x03, x04, x09, x14);
      }

   output[0] = x00;
   output[1] = x01;
   output[2] = x02;
   output[3] = x03;
   output[4] = x12;
   output[5] = x13;
   output[6] = x14;
   output[7] = x15;
   }

}

ChaCha::ChaCha(size_t rounds) : m_rounds(rounds)
   {
   BOTAN_ARG_CHECK(m_rounds == 8 || m_rounds == 12 || m_rounds == 20,
                   "ChaCha only supports 8, 12 or 20 rounds");
   }

std::string ChaCha::provider() const
   {
#if defined(BOTAN_HAS_CHACHA_AVX2)
   if(CPUID::has_avx2())
      {
      return "avx2";
      }
#endif

#if defined(BOTAN_HAS_CHACHA_SIMD32)
   if(CPUID::has_simd_32())
      {
      return "simd32";
      }
#endif

   return "base";
   }

//static
void ChaCha::chacha_x8(uint8_t output[64*8], uint32_t input[16], size_t rounds)
   {
   BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");

#if defined(BOTAN_HAS_CHACHA_AVX2)
   if(CPUID::has_avx2())
      {
      return ChaCha::chacha_avx2_x8(output, input, rounds);
      }
#endif

#if defined(BOTAN_HAS_CHACHA_SIMD32)
   if(CPUID::has_simd_32())
      {
      ChaCha::chacha_simd32_x4(output, input, rounds);
      ChaCha::chacha_simd32_x4(output + 4*64, input, rounds);
      return;
      }
#endif

   // TODO interleave rounds
   for(size_t i = 0; i != 8; ++i)
      {
      uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
               x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
               x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
               x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];

      for(size_t r = 0; r != rounds / 2; ++r)
         {
         chacha_quarter_round(x00, x04, x08, x12);
         chacha_quarter_round(x01, x05, x09, x13);
         chacha_quarter_round(x02, x06, x10, x14);
         chacha_quarter_round(x03, x07, x11, x15);

         chacha_quarter_round(x00, x05, x10, x15);
         chacha_quarter_round(x01, x06, x11, x12);
         chacha_quarter_round(x02, x07, x08, x13);
         chacha_quarter_round(x03, x04, x09, x14);
         }

      x00 += input[0];
      x01 += input[1];
      x02 += input[2];
      x03 += input[3];
      x04 += input[4];
      x05 += input[5];
      x06 += input[6];
      x07 += input[7];
      x08 += input[8];
      x09 += input[9];
      x10 += input[10];
      x11 += input[11];
      x12 += input[12];
      x13 += input[13];
      x14 += input[14];
      x15 += input[15];

      store_le(x00, output + 64 * i + 4 *  0);
      store_le(x01, output + 64 * i + 4 *  1);
      store_le(x02, output + 64 * i + 4 *  2);
      store_le(x03, output + 64 * i + 4 *  3);
      store_le(x04, output + 64 * i + 4 *  4);
      store_le(x05, output + 64 * i + 4 *  5);
      store_le(x06, output + 64 * i + 4 *  6);
      store_le(x07, output + 64 * i + 4 *  7);
      store_le(x08, output + 64 * i + 4 *  8);
      store_le(x09, output + 64 * i + 4 *  9);
      store_le(x10, output + 64 * i + 4 * 10);
      store_le(x11, output + 64 * i + 4 * 11);
      store_le(x12, output + 64 * i + 4 * 12);
      store_le(x13, output + 64 * i + 4 * 13);
      store_le(x14, output + 64 * i + 4 * 14);
      store_le(x15, output + 64 * i + 4 * 15);

      input[12]++;
      input[13] += (input[12] == 0);
      }
   }

/*
* Combine cipher stream with message
*/
void ChaCha::cipher(const uint8_t in[], uint8_t out[], size_t length)
   {
   verify_key_set(m_state.empty() == false);

   while(length >= m_buffer.size() - m_position)
      {
      const size_t available = m_buffer.size() - m_position;

      xor_buf(out, in, &m_buffer[m_position], available);
      chacha_x8(m_buffer.data(), m_state.data(), m_rounds);

      length -= available;
      in += available;
      out += available;
      m_position = 0;
      }

   xor_buf(out, in, &m_buffer[m_position], length);

   m_position += length;
   }

void ChaCha::write_keystream(uint8_t out[], size_t length)
   {
   verify_key_set(m_state.empty() == false);

   while(length >= m_buffer.size() - m_position)
      {
      const size_t available = m_buffer.size() - m_position;

      copy_mem(out, &m_buffer[m_position], available);
      chacha_x8(m_buffer.data(), m_state.data(), m_rounds);

      length -= available;
      out += available;
      m_position = 0;
      }

   copy_mem(out, &m_buffer[m_position], length);

   m_position += length;
   }

void ChaCha::initialize_state()
   {
   static const uint32_t TAU[] =
      { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };

   static const uint32_t SIGMA[] =
      { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };

   m_state[4] = m_key[0];
   m_state[5] = m_key[1];
   m_state[6] = m_key[2];
   m_state[7] = m_key[3];

   if(m_key.size() == 4)
      {
      m_state[0] = TAU[0];
      m_state[1] = TAU[1];
      m_state[2] = TAU[2];
      m_state[3] = TAU[3];

      m_state[8] = m_key[0];
      m_state[9] = m_key[1];
      m_state[10] = m_key[2];
      m_state[11] = m_key[3];
      }
   else
      {
      m_state[0] = SIGMA[0];
      m_state[1] = SIGMA[1];
      m_state[2] = SIGMA[2];
      m_state[3] = SIGMA[3];

      m_state[8] = m_key[4];
      m_state[9] = m_key[5];
      m_state[10] = m_key[6];
      m_state[11] = m_key[7];
      }

   m_state[12] = 0;
   m_state[13] = 0;
   m_state[14] = 0;
   m_state[15] = 0;

   m_position = 0;
   }

/*
* ChaCha Key Schedule
*/
void ChaCha::key_schedule(const uint8_t key[], size_t length)
   {
   m_key.resize(length / 4);
   load_le<uint32_t>(m_key.data(), key, m_key.size());

   m_state.resize(16);

   const size_t chacha_parallelism = 8; // chacha_x8
   const size_t chacha_block = 64;
   m_buffer.resize(chacha_parallelism * chacha_block);

   set_iv(nullptr, 0);
   }

size_t ChaCha::default_iv_length() const
   {
   return 24;
   }

Key_Length_Specification ChaCha::key_spec() const
   {
   return Key_Length_Specification(16, 32, 16);
   }

std::unique_ptr<StreamCipher> ChaCha::new_object() const
   {
   return std::make_unique<ChaCha>(m_rounds);
   }

bool ChaCha::valid_iv_length(size_t iv_len) const
   {
   return (iv_len == 0 || iv_len == 8 || iv_len == 12 || iv_len == 24);
   }

void ChaCha::set_iv(const uint8_t iv[], size_t length)
   {
   verify_key_set(m_state.empty() == false);

   if(!valid_iv_length(length))
      throw Invalid_IV_Length(name(), length);

   initialize_state();

   if(length == 0)
      {
      // Treat zero length IV same as an all-zero IV
      m_state[14] = 0;
      m_state[15] = 0;
      }
   else if(length == 8)
      {
      m_state[14] = load_le<uint32_t>(iv, 0);
      m_state[15] = load_le<uint32_t>(iv, 1);
      }
   else if(length == 12)
      {
      m_state[13] = load_le<uint32_t>(iv, 0);
      m_state[14] = load_le<uint32_t>(iv, 1);
      m_state[15] = load_le<uint32_t>(iv, 2);
      }
   else if(length == 24)
      {
      m_state[12] = load_le<uint32_t>(iv, 0);
      m_state[13] = load_le<uint32_t>(iv, 1);
      m_state[14] = load_le<uint32_t>(iv, 2);
      m_state[15] = load_le<uint32_t>(iv, 3);

      secure_vector<uint32_t> hc(8);
      hchacha(hc.data(), m_state.data(), m_rounds);

      m_state[ 4] = hc[0];
      m_state[ 5] = hc[1];
      m_state[ 6] = hc[2];
      m_state[ 7] = hc[3];
      m_state[ 8] = hc[4];
      m_state[ 9] = hc[5];
      m_state[10] = hc[6];
      m_state[11] = hc[7];
      m_state[12] = 0;
      m_state[13] = 0;
      m_state[14] = load_le<uint32_t>(iv, 4);
      m_state[15] = load_le<uint32_t>(iv, 5);
      }

   chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
   m_position = 0;
   }

void ChaCha::clear()
   {
   zap(m_key);
   zap(m_state);
   zap(m_buffer);
   m_position = 0;
   }

std::string ChaCha::name() const
   {
   return "ChaCha(" + std::to_string(m_rounds) + ")";
   }

void ChaCha::seek(uint64_t offset)
   {
   verify_key_set(m_state.empty() == false);

   // Find the block offset
   const uint64_t counter = offset / 64;

   uint8_t out[8];

   store_le(counter, out);

   m_state[12] = load_le<uint32_t>(out, 0);
   m_state[13] += load_le<uint32_t>(out, 1);

   chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
   m_position = offset % 64;
   }
}

Coverage Report

Created: 2022-06-23 06:44

Line	Count	Source (jump to first uncovered line)
1		/*
2		* ChaCha
3		* (C) 2014,2018 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#include <botan/internal/chacha.h>
9		#include <botan/exceptn.h>
10		#include <botan/internal/loadstor.h>
11		#include <botan/internal/rotate.h>
12		#include <botan/internal/cpuid.h>
13
14		namespace Botan {
15
16		namespace {
17
18		inline void chacha_quarter_round(uint32_t& a,
19		uint32_t& b,
20		uint32_t& c,
21		uint32_t& d)
22	0	{
23	0	a += b; d ^= a; d = rotl<16>(d);
24	0	c += d; b ^= c; b = rotl<12>(b);
25	0	a += b; d ^= a; d = rotl< 8>(d);
26	0	c += d; b ^= c; b = rotl< 7>(b);
27	0	}
28
29		/*
30		* Generate HChaCha cipher stream (for XChaCha IV setup)
31		*/
32		void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds)
33	0	{
34	0	BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
35
36	0	uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
37	0	x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
38	0	x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
39	0	x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
40
41	0	for(size_t i = 0; i != rounds / 2; ++i)
42	0	{
43	0	chacha_quarter_round(x00, x04, x08, x12);
44	0	chacha_quarter_round(x01, x05, x09, x13);
45	0	chacha_quarter_round(x02, x06, x10, x14);
46	0	chacha_quarter_round(x03, x07, x11, x15);
47
48	0	chacha_quarter_round(x00, x05, x10, x15);
49	0	chacha_quarter_round(x01, x06, x11, x12);
50	0	chacha_quarter_round(x02, x07, x08, x13);
51	0	chacha_quarter_round(x03, x04, x09, x14);
52	0	}
53
54	0	output[0] = x00;
55	0	output[1] = x01;
56	0	output[2] = x02;
57	0	output[3] = x03;
58	0	output[4] = x12;
59	0	output[5] = x13;
60	0	output[6] = x14;
61	0	output[7] = x15;
62	0	}
63
64		}
65
66		ChaCha::ChaCha(size_t rounds) : m_rounds(rounds)
67	66	{
68	66	BOTAN_ARG_CHECK(m_rounds == 8 \|\| m_rounds == 12 \|\| m_rounds == 20,
69	66	"ChaCha only supports 8, 12 or 20 rounds");
70	66	}
71
72		std::string ChaCha::provider() const
73	0	{
74	0	#if defined(BOTAN_HAS_CHACHA_AVX2)
75	0	if(CPUID::has_avx2())
76	0	{
77	0	return "avx2";
78	0	}
79	0	#endif
80
81	0	#if defined(BOTAN_HAS_CHACHA_SIMD32)
82	0	if(CPUID::has_simd_32())
83	0	{
84	0	return "simd32";
85	0	}
86	0	#endif
87
88	0	return "base";
89	0	}
90
91		//static
92		void ChaCha::chacha_x8(uint8_t output[64*8], uint32_t input[16], size_t rounds)
93	54.0k	{
94	54.0k	BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
95
96	54.0k	#if defined(BOTAN_HAS_CHACHA_AVX2)
97	54.0k	if(CPUID::has_avx2())
98	54.0k	{
99	54.0k	return ChaCha::chacha_avx2_x8(output, input, rounds);
100	54.0k	}
101	0	#endif
102
103	0	#if defined(BOTAN_HAS_CHACHA_SIMD32)
104	0	if(CPUID::has_simd_32())
105	0	{
106	0	ChaCha::chacha_simd32_x4(output, input, rounds);
107	0	ChaCha::chacha_simd32_x4(output + 4*64, input, rounds);
108	0	return;
109	0	}
110	0	#endif
111
112		// TODO interleave rounds
113	0	for(size_t i = 0; i != 8; ++i)
114	0	{
115	0	uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
116	0	x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
117	0	x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
118	0	x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
119
120	0	for(size_t r = 0; r != rounds / 2; ++r)
121	0	{
122	0	chacha_quarter_round(x00, x04, x08, x12);
123	0	chacha_quarter_round(x01, x05, x09, x13);
124	0	chacha_quarter_round(x02, x06, x10, x14);
125	0	chacha_quarter_round(x03, x07, x11, x15);
126
127	0	chacha_quarter_round(x00, x05, x10, x15);
128	0	chacha_quarter_round(x01, x06, x11, x12);
129	0	chacha_quarter_round(x02, x07, x08, x13);
130	0	chacha_quarter_round(x03, x04, x09, x14);
131	0	}
132
133	0	x00 += input[0];
134	0	x01 += input[1];
135	0	x02 += input[2];
136	0	x03 += input[3];
137	0	x04 += input[4];
138	0	x05 += input[5];
139	0	x06 += input[6];
140	0	x07 += input[7];
141	0	x08 += input[8];
142	0	x09 += input[9];
143	0	x10 += input[10];
144	0	x11 += input[11];
145	0	x12 += input[12];
146	0	x13 += input[13];
147	0	x14 += input[14];
148	0	x15 += input[15];
149
150	0	store_le(x00, output + 64 * i + 4 * 0);
151	0	store_le(x01, output + 64 * i + 4 * 1);
152	0	store_le(x02, output + 64 * i + 4 * 2);
153	0	store_le(x03, output + 64 * i + 4 * 3);
154	0	store_le(x04, output + 64 * i + 4 * 4);
155	0	store_le(x05, output + 64 * i + 4 * 5);
156	0	store_le(x06, output + 64 * i + 4 * 6);
157	0	store_le(x07, output + 64 * i + 4 * 7);
158	0	store_le(x08, output + 64 * i + 4 * 8);
159	0	store_le(x09, output + 64 * i + 4 * 9);
160	0	store_le(x10, output + 64 * i + 4 * 10);
161	0	store_le(x11, output + 64 * i + 4 * 11);
162	0	store_le(x12, output + 64 * i + 4 * 12);
163	0	store_le(x13, output + 64 * i + 4 * 13);
164	0	store_le(x14, output + 64 * i + 4 * 14);
165	0	store_le(x15, output + 64 * i + 4 * 15);
166
167	0	input[12]++;
168	0	input[13] += (input[12] == 0);
169	0	}
170	0	}
171
172		/*
173		* Combine cipher stream with message
174		*/
175		void ChaCha::cipher(const uint8_t in[], uint8_t out[], size_t length)
176	60	{
177	60	verify_key_set(m_state.empty() == false);
178
179	118	while(length >= m_buffer.size() - m_position)
180	58	{
181	58	const size_t available = m_buffer.size() - m_position;
182
183	58	xor_buf(out, in, &m_buffer[m_position], available);
184	58	chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
185
186	58	length -= available;
187	58	in += available;
188	58	out += available;
189	58	m_position = 0;
190	58	}
191
192	60	xor_buf(out, in, &m_buffer[m_position], length);
193
194	60	m_position += length;
195	60	}
196
197		void ChaCha::write_keystream(uint8_t out[], size_t length)
198	599k	{
199	599k	verify_key_set(m_state.empty() == false);
200
201	652k	while(length >= m_buffer.size() - m_position)
202	53.8k	{
203	53.8k	const size_t available = m_buffer.size() - m_position;
204
205	53.8k	copy_mem(out, &m_buffer[m_position], available);
206	53.8k	chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
207
208	53.8k	length -= available;
209	53.8k	out += available;
210	53.8k	m_position = 0;
211	53.8k	}
212
213	599k	copy_mem(out, &m_buffer[m_position], length);
214
215	599k	m_position += length;
216	599k	}
217
218		void ChaCha::initialize_state()
219	134	{
220	134	static const uint32_t TAU[] =
221	134	{ 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
222
223	134	static const uint32_t SIGMA[] =
224	134	{ 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
225
226	134	m_state[4] = m_key[0];
227	134	m_state[5] = m_key[1];
228	134	m_state[6] = m_key[2];
229	134	m_state[7] = m_key[3];
230
231	134	if(m_key.size() == 4)
232	0	{
233	0	m_state[0] = TAU[0];
234	0	m_state[1] = TAU[1];
235	0	m_state[2] = TAU[2];
236	0	m_state[3] = TAU[3];
237
238	0	m_state[8] = m_key[0];
239	0	m_state[9] = m_key[1];
240	0	m_state[10] = m_key[2];
241	0	m_state[11] = m_key[3];
242	0	}
243	134	else
244	134	{
245	134	m_state[0] = SIGMA[0];
246	134	m_state[1] = SIGMA[1];
247	134	m_state[2] = SIGMA[2];
248	134	m_state[3] = SIGMA[3];
249
250	134	m_state[8] = m_key[4];
251	134	m_state[9] = m_key[5];
252	134	m_state[10] = m_key[6];
253	134	m_state[11] = m_key[7];
254	134	}
255
256	134	m_state[12] = 0;
257	134	m_state[13] = 0;
258	134	m_state[14] = 0;
259	134	m_state[15] = 0;
260
261	134	m_position = 0;
262	134	}
263
264		/*
265		* ChaCha Key Schedule
266		*/
267		void ChaCha::key_schedule(const uint8_t key[], size_t length)
268	73	{
269	73	m_key.resize(length / 4);
270	73	load_le<uint32_t>(m_key.data(), key, m_key.size());
271
272	73	m_state.resize(16);
273
274	73	const size_t chacha_parallelism = 8; // chacha_x8
275	73	const size_t chacha_block = 64;
276	73	m_buffer.resize(chacha_parallelism * chacha_block);
277
278	73	set_iv(nullptr, 0);
279	73	}
280
281		size_t ChaCha::default_iv_length() const
282	0	{
283	0	return 24;
284	0	}
285
286		Key_Length_Specification ChaCha::key_spec() const
287	73	{
288	73	return Key_Length_Specification(16, 32, 16);
289	73	}
290
291		std::unique_ptr<StreamCipher> ChaCha::new_object() const
292	0	{
293	0	return std::make_unique<ChaCha>(m_rounds);
294	0	}
295
296		bool ChaCha::valid_iv_length(size_t iv_len) const
297	134	{
298	134	return (iv_len == 0 \|\| iv_len == 8 \|\| iv_len == 12 \|\| iv_len == 24);
299	134	}
300
301		void ChaCha::set_iv(const uint8_t iv[], size_t length)
302	134	{
303	134	verify_key_set(m_state.empty() == false);
304
305	134	if(!valid_iv_length(length))
306	0	throw Invalid_IV_Length(name(), length);
307
308	134	initialize_state();
309
310	134	if(length == 0)
311	73	{
312		// Treat zero length IV same as an all-zero IV
313	73	m_state[14] = 0;
314	73	m_state[15] = 0;
315	73	}
316	61	else if(length == 8)
317	0	{
318	0	m_state[14] = load_le<uint32_t>(iv, 0);
319	0	m_state[15] = load_le<uint32_t>(iv, 1);
320	0	}
321	61	else if(length == 12)
322	61	{
323	61	m_state[13] = load_le<uint32_t>(iv, 0);
324	61	m_state[14] = load_le<uint32_t>(iv, 1);
325	61	m_state[15] = load_le<uint32_t>(iv, 2);
326	61	}
327	0	else if(length == 24)
328	0	{
329	0	m_state[12] = load_le<uint32_t>(iv, 0);
330	0	m_state[13] = load_le<uint32_t>(iv, 1);
331	0	m_state[14] = load_le<uint32_t>(iv, 2);
332	0	m_state[15] = load_le<uint32_t>(iv, 3);
333
334	0	secure_vector<uint32_t> hc(8);
335	0	hchacha(hc.data(), m_state.data(), m_rounds);
336
337	0	m_state[ 4] = hc[0];
338	0	m_state[ 5] = hc[1];
339	0	m_state[ 6] = hc[2];
340	0	m_state[ 7] = hc[3];
341	0	m_state[ 8] = hc[4];
342	0	m_state[ 9] = hc[5];
343	0	m_state[10] = hc[6];
344	0	m_state[11] = hc[7];
345	0	m_state[12] = 0;
346	0	m_state[13] = 0;
347	0	m_state[14] = load_le<uint32_t>(iv, 4);
348	0	m_state[15] = load_le<uint32_t>(iv, 5);
349	0	}
350
351	134	chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
352	134	m_position = 0;
353	134	}
354
355		void ChaCha::clear()
356	0	{
357	0	zap(m_key);
358	0	zap(m_state);
359	0	zap(m_buffer);
360	0	m_position = 0;
361	0	}
362
363		std::string ChaCha::name() const
364	0	{
365	0	return "ChaCha(" + std::to_string(m_rounds) + ")";
366	0	}
367
368		void ChaCha::seek(uint64_t offset)
369	0	{
370	0	verify_key_set(m_state.empty() == false);
371
372		// Find the block offset
373	0	const uint64_t counter = offset / 64;
374
375	0	uint8_t out[8];
376
377	0	store_le(counter, out);
378
379	0	m_state[12] = load_le<uint32_t>(out, 0);
380	0	m_state[13] += load_le<uint32_t>(out, 1);
381
382	0	chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
383	0	m_position = offset % 64;
384	0	}
385		}