/src/nettle/sha3-permute.c

Line	Count	Source
1		/* sha3-permute.c
2
3		The sha3 permutation function (aka Keccak).
4
5		Copyright (C) 2012 Niels Möller
6
7		This file is part of GNU Nettle.
8
9		GNU Nettle is free software: you can redistribute it and/or
10		modify it under the terms of either:
11
12		* the GNU Lesser General Public License as published by the Free
13		Software Foundation; either version 3 of the License, or (at your
14		option) any later version.
15
16		or
17
18		* the GNU General Public License as published by the Free
19		Software Foundation; either version 2 of the License, or (at your
20		option) any later version.
21
22		or both in parallel, as here.
23
24		GNU Nettle is distributed in the hope that it will be useful,
25		but WITHOUT ANY WARRANTY; without even the implied warranty of
26		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
27		General Public License for more details.
28
29		You should have received copies of the GNU General Public License and
30		the GNU Lesser General Public License along with this program. If
31		not, see http://www.gnu.org/licenses/.
32		*/
33
34		#if HAVE_CONFIG_H
35		# include "config.h"
36		#endif
37
38		#include "sha3.h"
39		#include "sha3-internal.h"
40
41		#include "macros.h"
42
43	169k	#define SHA3_ROUNDS 24
44
45		/* For fat builds */
46		#if HAVE_NATIVE_sha3_permute
47		void
48		_nettle_sha3_permute_c(struct sha3_state *state);
49		#define nettle_sha3_permute _nettle_sha3_permute_c
50		#endif
51
52		void
53		sha3_permute (struct sha3_state *state)
54	6.78k	{
55	6.78k	static const uint64_t rc[SHA3_ROUNDS] = {
56	6.78k	0x0000000000000001ULL, 0X0000000000008082ULL,
57	6.78k	0X800000000000808AULL, 0X8000000080008000ULL,
58	6.78k	0X000000000000808BULL, 0X0000000080000001ULL,
59	6.78k	0X8000000080008081ULL, 0X8000000000008009ULL,
60	6.78k	0X000000000000008AULL, 0X0000000000000088ULL,
61	6.78k	0X0000000080008009ULL, 0X000000008000000AULL,
62	6.78k	0X000000008000808BULL, 0X800000000000008BULL,
63	6.78k	0X8000000000008089ULL, 0X8000000000008003ULL,
64	6.78k	0X8000000000008002ULL, 0X8000000000000080ULL,
65	6.78k	0X000000000000800AULL, 0X800000008000000AULL,
66	6.78k	0X8000000080008081ULL, 0X8000000000008080ULL,
67	6.78k	0X0000000080000001ULL, 0X8000000080008008ULL,
68	6.78k	};
69
70		/* Original permutation:
71
72		0,10,20, 5,15,
73		16, 1,11,21, 6,
74		7,17, 2,12,22,
75		23, 8,18, 3,13,
76		14,24, 9,19, 4
77
78		Rotation counts:
79
80		0, 1, 62, 28, 27,
81		36, 44, 6, 55, 20,
82		3, 10, 43, 25, 39,
83		41, 45, 15, 21, 8,
84		18, 2, 61, 56, 14,
85		*/
86
87		/* In-place implementation. Permutation done as a long sequence of
88		25 moves "following" the permutation.
89
90		T <-- 1
91		1 <-- 6
92		6 <-- 9
93		9 <-- 22
94		22 <-- 14
95		14 <-- 20
96		20 <-- 2
97		2 <-- 12
98		12 <-- 13
99		13 <-- 19
100		19 <-- 23
101		23 <-- 15
102		15 <-- 4
103		4 <-- 24
104		24 <-- 21
105		21 <-- 8
106		8 <-- 16
107		16 <-- 5
108		5 <-- 3
109		3 <-- 18
110		18 <-- 17
111		17 <-- 11
112		11 <-- 7
113		7 <-- 10
114		10 <-- T
115
116		*/
117	6.78k	uint64_t C[5], D[5], T, X;
118	6.78k	unsigned i, y;
119
120	24.4M	#define A state->a
121
122	6.78k	C[0] = A[0] ^ A[5+0] ^ A[10+0] ^ A[15+0] ^ A[20+0];
123	6.78k	C[1] = A[1] ^ A[5+1] ^ A[10+1] ^ A[15+1] ^ A[20+1];
124	6.78k	C[2] = A[2] ^ A[5+2] ^ A[10+2] ^ A[15+2] ^ A[20+2];
125	6.78k	C[3] = A[3] ^ A[5+3] ^ A[10+3] ^ A[15+3] ^ A[20+3];
126	6.78k	C[4] = A[4] ^ A[5+4] ^ A[10+4] ^ A[15+4] ^ A[20+4];
127
128	169k	for (i = 0; i < SHA3_ROUNDS; i++)
129	162k	{
130	162k	D[0] = C[4] ^ ROTL64(1, C[1]);
131	162k	D[1] = C[0] ^ ROTL64(1, C[2]);
132	162k	D[2] = C[1] ^ ROTL64(1, C[3]);
133	162k	D[3] = C[2] ^ ROTL64(1, C[4]);
134	162k	D[4] = C[3] ^ ROTL64(1, C[0]);
135
136	162k	A[0] ^= D[0];
137	162k	X = A[ 1] ^ D[1]; T = ROTL64(1, X);
138	162k	X = A[ 6] ^ D[1]; A[ 1] = ROTL64 (44, X);
139	162k	X = A[ 9] ^ D[4]; A[ 6] = ROTL64 (20, X);
140	162k	X = A[22] ^ D[2]; A[ 9] = ROTL64 (61, X);
141	162k	X = A[14] ^ D[4]; A[22] = ROTL64 (39, X);
142	162k	X = A[20] ^ D[0]; A[14] = ROTL64 (18, X);
143	162k	X = A[ 2] ^ D[2]; A[20] = ROTL64 (62, X);
144	162k	X = A[12] ^ D[2]; A[ 2] = ROTL64 (43, X);
145	162k	X = A[13] ^ D[3]; A[12] = ROTL64 (25, X);
146	162k	X = A[19] ^ D[4]; A[13] = ROTL64 ( 8, X);
147	162k	X = A[23] ^ D[3]; A[19] = ROTL64 (56, X);
148	162k	X = A[15] ^ D[0]; A[23] = ROTL64 (41, X);
149	162k	X = A[ 4] ^ D[4]; A[15] = ROTL64 (27, X);
150	162k	X = A[24] ^ D[4]; A[ 4] = ROTL64 (14, X);
151	162k	X = A[21] ^ D[1]; A[24] = ROTL64 ( 2, X);
152	162k	X = A[ 8] ^ D[3]; A[21] = ROTL64 (55, X); /* row 4 done */
153	162k	X = A[16] ^ D[1]; A[ 8] = ROTL64 (45, X);
154	162k	X = A[ 5] ^ D[0]; A[16] = ROTL64 (36, X);
155	162k	X = A[ 3] ^ D[3]; A[ 5] = ROTL64 (28, X);
156	162k	X = A[18] ^ D[3]; A[ 3] = ROTL64 (21, X); /* row 0 done */
157	162k	X = A[17] ^ D[2]; A[18] = ROTL64 (15, X);
158	162k	X = A[11] ^ D[1]; A[17] = ROTL64 (10, X); /* row 3 done */
159	162k	X = A[ 7] ^ D[2]; A[11] = ROTL64 ( 6, X); /* row 1 done */
160	162k	X = A[10] ^ D[0]; A[ 7] = ROTL64 ( 3, X);
161	162k	A[10] = T; /* row 2 done */
162
163	162k	D[0] = ~A[1] & A[2];
164	162k	D[1] = ~A[2] & A[3];
165	162k	D[2] = ~A[3] & A[4];
166	162k	D[3] = ~A[4] & A[0];
167	162k	D[4] = ~A[0] & A[1];
168
169	162k	A[0] ^= D[0] ^ rc[i]; C[0] = A[0];
170	162k	A[1] ^= D[1]; C[1] = A[1];
171	162k	A[2] ^= D[2]; C[2] = A[2];
172	162k	A[3] ^= D[3]; C[3] = A[3];
173	162k	A[4] ^= D[4]; C[4] = A[4];
174
175	814k	for (y = 5; y < 25; y+= 5)
176	651k	{
177	651k	D[0] = ~A[y+1] & A[y+2];
178	651k	D[1] = ~A[y+2] & A[y+3];
179	651k	D[2] = ~A[y+3] & A[y+4];
180	651k	D[3] = ~A[y+4] & A[y+0];
181	651k	D[4] = ~A[y+0] & A[y+1];
182
183	651k	A[y+0] ^= D[0]; C[0] ^= A[y+0];
184	651k	A[y+1] ^= D[1]; C[1] ^= A[y+1];
185	651k	A[y+2] ^= D[2]; C[2] ^= A[y+2];
186	651k	A[y+3] ^= D[3]; C[3] ^= A[y+3];
187	651k	A[y+4] ^= D[4]; C[4] ^= A[y+4];
188	651k	}
189	162k	}
190	6.78k	#undef A
191	6.78k	}

Coverage Report

Created: 2024-11-25 06:30