1 /***************************************************************************
3 ** Keccak (http://keccak.noekeon.org/) implementation file **
5 ** This file implements the Keccak hash algorithm as provided by the **
6 ** inventors, and submitted to the third round of the NIST SHA-3 **
8 ** For the QKeccakHash wrapper, the originally multiple files were **
9 ** combined in this one. Slight modifications have been made to **
10 ** allow use in C++ as an independently included .cpp file. **
11 ** It is not meant to be compiled into an object, hence, there is no **
14 ** The code here is not part of the actual QKeccakHash implementation **
15 ** and thus not licensed under the GPLv3 but under its respecitve **
16 ** license given by the inventors. Typically, this means it is in the **
17 ** public domain, if not noted otherwise. **
19 ***************************************************************************/
23 namespace KeccakImpl {
25 typedef unsigned char UINT8;
26 typedef unsigned short UINT16;
27 typedef unsigned int UINT32;
28 typedef unsigned long long int UINT64;
30 // ================================================================================
31 // =================== brg_endian.h
32 // ================================================================================
36 ---------------------------------------------------------------------------
37 Copyright (c) 1998-2008, Brian Gladman, Worcester, UK. All rights reserved.
41 The redistribution and use of this software (with or without changes)
42 is allowed without the payment of fees or royalties provided that:
44 1. source code distributions include the above copyright notice, this
45 list of conditions and the following disclaimer;
47 2. binary distributions include the above copyright notice, this list
48 of conditions and the following disclaimer in their documentation;
50 3. the name of the copyright holder is not used to endorse products
51 built using this software without specific written permission.
55 This software is provided 'as is' with no explicit or implied warranties
56 in respect of its properties, including, but not limited to, correctness
57 and/or fitness for purpose.
58 ---------------------------------------------------------------------------
59 Issue Date: 20/12/2007
60 Changes for ARM 9/9/2010
66 #define IS_BIG_ENDIAN 4321 /* byte 0 is most significant (mc68k) */
67 #define IS_LITTLE_ENDIAN 1234 /* byte 0 is least significant (i386) */
70 /* Include files where endian defines and byteswap functions may reside */
72 # include <sys/isa_defs.h>
73 #elif defined( __FreeBSD__ ) || defined( __OpenBSD__ ) || defined( __NetBSD__ )
74 # include <sys/endian.h>
75 #elif defined( BSD ) && ( BSD >= 199103 ) || defined( __APPLE__ ) || \
76 defined( __CYGWIN32__ ) || defined( __DJGPP__ ) || defined( __osf__ )
77 # include <machine/endian.h>
78 #elif defined( __linux__ ) || defined( __GNUC__ ) || defined( __GNU_LIBRARY__ )
79 # if !defined( __MINGW32__ ) && !defined( _AIX )
81 # if !defined( __BEOS__ )
82 # include <byteswap.h>
88 /* Now attempt to set the define for platform byte order using any */
89 /* of the four forms SYMBOL, _SYMBOL, __SYMBOL & __SYMBOL__, which */
90 /* seem to encompass most endian symbol definitions */
92 #if defined( BIG_ENDIAN ) && defined( LITTLE_ENDIAN )
93 # if defined( BYTE_ORDER ) && BYTE_ORDER == BIG_ENDIAN
94 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
95 # elif defined( BYTE_ORDER ) && BYTE_ORDER == LITTLE_ENDIAN
96 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
98 #elif defined( BIG_ENDIAN )
99 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
100 #elif defined( LITTLE_ENDIAN )
101 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
104 #if defined( _BIG_ENDIAN ) && defined( _LITTLE_ENDIAN )
105 # if defined( _BYTE_ORDER ) && _BYTE_ORDER == _BIG_ENDIAN
106 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
107 # elif defined( _BYTE_ORDER ) && _BYTE_ORDER == _LITTLE_ENDIAN
108 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
110 #elif defined( _BIG_ENDIAN )
111 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
112 #elif defined( _LITTLE_ENDIAN )
113 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
116 #if defined( __BIG_ENDIAN ) && defined( __LITTLE_ENDIAN )
117 # if defined( __BYTE_ORDER ) && __BYTE_ORDER == __BIG_ENDIAN
118 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
119 # elif defined( __BYTE_ORDER ) && __BYTE_ORDER == __LITTLE_ENDIAN
120 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
122 #elif defined( __BIG_ENDIAN )
123 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
124 #elif defined( __LITTLE_ENDIAN )
125 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
128 #if defined( __BIG_ENDIAN__ ) && defined( __LITTLE_ENDIAN__ )
129 # if defined( __BYTE_ORDER__ ) && __BYTE_ORDER__ == __BIG_ENDIAN__
130 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
131 # elif defined( __BYTE_ORDER__ ) && __BYTE_ORDER__ == __LITTLE_ENDIAN__
132 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
134 #elif defined( __BIG_ENDIAN__ )
135 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
136 #elif defined( __LITTLE_ENDIAN__ )
137 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
140 /* if the platform byte order could not be determined, then try to */
141 /* set this define using common machine defines */
142 #if !defined(PLATFORM_BYTE_ORDER)
144 #if defined( __alpha__ ) || defined( __alpha ) || defined( i386 ) || \
145 defined( __i386__ ) || defined( _M_I86 ) || defined( _M_IX86 ) || \
146 defined( __OS2__ ) || defined( sun386 ) || defined( __TURBOC__ ) || \
147 defined( vax ) || defined( vms ) || defined( VMS ) || \
148 defined( __VMS ) || defined( _M_X64 )
149 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
151 #elif defined( AMIGA ) || defined( applec ) || defined( __AS400__ ) || \
152 defined( _CRAY ) || defined( __hppa ) || defined( __hp9000 ) || \
153 defined( ibm370 ) || defined( mc68000 ) || defined( m68k ) || \
154 defined( __MRC__ ) || defined( __MVS__ ) || defined( __MWERKS__ ) || \
155 defined( sparc ) || defined( __sparc) || defined( SYMANTEC_C ) || \
156 defined( __VOS__ ) || defined( __TIGCC__ ) || defined( __TANDEM ) || \
157 defined( THINK_C ) || defined( __VMCMS__ ) || defined( _AIX )
158 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
160 #elif defined(__arm__)
162 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
164 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
166 #elif 1 /* **** EDIT HERE IF NECESSARY **** */
167 # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN
168 #elif 0 /* **** EDIT HERE IF NECESSARY **** */
169 # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN
171 # error Please edit lines 132 or 134 in brg_endian.h to set the platform byte order
178 // ================================================================================
179 // =================== KeccakSponge.h
180 // ================================================================================
183 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
184 Michaël Peeters and Gilles Van Assche. For more information, feedback or
185 questions, please refer to our website: http://keccak.noekeon.org/
187 Implementation by the designers,
188 hereby denoted as "the implementer".
190 To the extent possible under law, the implementer has waived all copyright
191 and related or neighboring rights to the source code in this file.
192 http://creativecommons.org/publicdomain/zero/1.0/
195 #ifndef _KeccakSponge_h_
196 #define _KeccakSponge_h_
199 * Function to initialize the state of the Keccak[r, c] sponge function.
200 * The sponge function is set to the absorbing phase.
201 * @param state Pointer to the state of the sponge function to be initialized.
202 * @param rate The value of the rate r.
203 * @param capacity The value of the capacity c.
204 * @pre One must have r+c=1600 and the rate a multiple of 64 bits in this implementation.
205 * @return Zero if successful, 1 otherwise.
207 int InitSponge(spongeState *state, unsigned int rate, unsigned int capacity);
209 * Function to give input data for the sponge function to absorb.
210 * @param state Pointer to the state of the sponge function initialized by InitSponge().
211 * @param data Pointer to the input data.
212 * When @a databitLen is not a multiple of 8, the last bits of data must be
213 * in the least significant bits of the last byte.
214 * @param databitLen The number of input bits provided in the input data.
215 * @pre In the previous call to Absorb(), databitLen was a multiple of 8.
216 * @pre The sponge function must be in the absorbing phase,
217 * i.e., Squeeze() must not have been called before.
218 * @return Zero if successful, 1 otherwise.
220 int Absorb(spongeState *state, const unsigned char *data, unsigned long long databitlen);
222 * Function to squeeze output data from the sponge function.
223 * If the sponge function was in the absorbing phase, this function
224 * switches it to the squeezing phase.
225 * @param state Pointer to the state of the sponge function initialized by InitSponge().
226 * @param output Pointer to the buffer where to store the output data.
227 * @param outputLength The number of output bits desired.
228 * It must be a multiple of 8.
229 * @return Zero if successful, 1 otherwise.
231 int Squeeze(spongeState *state, unsigned char *output, unsigned long long outputLength);
235 // ================================================================================
236 // =================== KeccakF-1600-int-set.h
237 // ================================================================================
240 #define ProvideFast576
241 #define ProvideFast832
242 #define ProvideFast1024
243 #define ProvideFast1088
244 #define ProvideFast1152
245 #define ProvideFast1344
248 // ================================================================================
249 // =================== KeccakF-1600-interface.h
250 // ================================================================================
254 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
255 Michaël Peeters and Gilles Van Assche. For more information, feedback or
256 questions, please refer to our website: http://keccak.noekeon.org/
258 Implementation by the designers,
259 hereby denoted as "the implementer".
261 To the extent possible under law, the implementer has waived all copyright
262 and related or neighboring rights to the source code in this file.
263 http://creativecommons.org/publicdomain/zero/1.0/
266 #ifndef _KeccakPermutationInterface_h_
267 #define _KeccakPermutationInterface_h_
269 //#include "KeccakF-1600-int-set.h"
271 void KeccakInitialize( void );
272 void KeccakInitializeState(unsigned char *state);
273 void KeccakPermutation(unsigned char *state);
274 #ifdef ProvideFast576
275 void KeccakAbsorb576bits(unsigned char *state, const unsigned char *data);
277 #ifdef ProvideFast832
278 void KeccakAbsorb832bits(unsigned char *state, const unsigned char *data);
280 #ifdef ProvideFast1024
281 void KeccakAbsorb1024bits(unsigned char *state, const unsigned char *data);
283 #ifdef ProvideFast1088
284 void KeccakAbsorb1088bits(unsigned char *state, const unsigned char *data);
286 #ifdef ProvideFast1152
287 void KeccakAbsorb1152bits(unsigned char *state, const unsigned char *data);
289 #ifdef ProvideFast1344
290 void KeccakAbsorb1344bits(unsigned char *state, const unsigned char *data);
292 void KeccakAbsorb(unsigned char *state, const unsigned char *data, unsigned int laneCount);
293 #ifdef ProvideFast1024
294 void KeccakExtract1024bits(const unsigned char *state, unsigned char *data);
296 void KeccakExtract(const unsigned char *state, unsigned char *data, unsigned int laneCount);
301 // ================================================================================
302 // =================== KeccakF-1600-opt32-settings.h
303 // ================================================================================
307 //#define UseBebigokimisa
308 //#define UseInterleaveTables
309 #define UseSchedule 3
312 // ================================================================================
313 // =================== KeccakF-1600-unrolling.macros
314 // ================================================================================
317 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
318 Michaël Peeters and Gilles Van Assche. For more information, feedback or
319 questions, please refer to our website: http://keccak.noekeon.org/
321 Implementation by the designers,
322 hereby denoted as "the implementer".
324 To the extent possible under law, the implementer has waived all copyright
325 and related or neighboring rights to the source code in this file.
326 http://creativecommons.org/publicdomain/zero/1.0/
329 #if (Unrolling == 24)
332 thetaRhoPiChiIotaPrepareTheta( 0, A, E) \
333 thetaRhoPiChiIotaPrepareTheta( 1, E, A) \
334 thetaRhoPiChiIotaPrepareTheta( 2, A, E) \
335 thetaRhoPiChiIotaPrepareTheta( 3, E, A) \
336 thetaRhoPiChiIotaPrepareTheta( 4, A, E) \
337 thetaRhoPiChiIotaPrepareTheta( 5, E, A) \
338 thetaRhoPiChiIotaPrepareTheta( 6, A, E) \
339 thetaRhoPiChiIotaPrepareTheta( 7, E, A) \
340 thetaRhoPiChiIotaPrepareTheta( 8, A, E) \
341 thetaRhoPiChiIotaPrepareTheta( 9, E, A) \
342 thetaRhoPiChiIotaPrepareTheta(10, A, E) \
343 thetaRhoPiChiIotaPrepareTheta(11, E, A) \
344 thetaRhoPiChiIotaPrepareTheta(12, A, E) \
345 thetaRhoPiChiIotaPrepareTheta(13, E, A) \
346 thetaRhoPiChiIotaPrepareTheta(14, A, E) \
347 thetaRhoPiChiIotaPrepareTheta(15, E, A) \
348 thetaRhoPiChiIotaPrepareTheta(16, A, E) \
349 thetaRhoPiChiIotaPrepareTheta(17, E, A) \
350 thetaRhoPiChiIotaPrepareTheta(18, A, E) \
351 thetaRhoPiChiIotaPrepareTheta(19, E, A) \
352 thetaRhoPiChiIotaPrepareTheta(20, A, E) \
353 thetaRhoPiChiIotaPrepareTheta(21, E, A) \
354 thetaRhoPiChiIotaPrepareTheta(22, A, E) \
355 thetaRhoPiChiIota(23, E, A) \
356 copyToState(state, A)
357 #elif (Unrolling == 12)
360 for(i=0; i<24; i+=12) { \
361 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
362 thetaRhoPiChiIotaPrepareTheta(i+ 1, E, A) \
363 thetaRhoPiChiIotaPrepareTheta(i+ 2, A, E) \
364 thetaRhoPiChiIotaPrepareTheta(i+ 3, E, A) \
365 thetaRhoPiChiIotaPrepareTheta(i+ 4, A, E) \
366 thetaRhoPiChiIotaPrepareTheta(i+ 5, E, A) \
367 thetaRhoPiChiIotaPrepareTheta(i+ 6, A, E) \
368 thetaRhoPiChiIotaPrepareTheta(i+ 7, E, A) \
369 thetaRhoPiChiIotaPrepareTheta(i+ 8, A, E) \
370 thetaRhoPiChiIotaPrepareTheta(i+ 9, E, A) \
371 thetaRhoPiChiIotaPrepareTheta(i+10, A, E) \
372 thetaRhoPiChiIotaPrepareTheta(i+11, E, A) \
374 copyToState(state, A)
375 #elif (Unrolling == 8)
378 for(i=0; i<24; i+=8) { \
379 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
380 thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \
381 thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \
382 thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \
383 thetaRhoPiChiIotaPrepareTheta(i+4, A, E) \
384 thetaRhoPiChiIotaPrepareTheta(i+5, E, A) \
385 thetaRhoPiChiIotaPrepareTheta(i+6, A, E) \
386 thetaRhoPiChiIotaPrepareTheta(i+7, E, A) \
388 copyToState(state, A)
389 #elif (Unrolling == 6)
392 for(i=0; i<24; i+=6) { \
393 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
394 thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \
395 thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \
396 thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \
397 thetaRhoPiChiIotaPrepareTheta(i+4, A, E) \
398 thetaRhoPiChiIotaPrepareTheta(i+5, E, A) \
400 copyToState(state, A)
401 #elif (Unrolling == 4)
404 for(i=0; i<24; i+=4) { \
405 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
406 thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \
407 thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \
408 thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \
410 copyToState(state, A)
411 #elif (Unrolling == 3)
414 for(i=0; i<24; i+=3) { \
415 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
416 thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \
417 thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \
418 copyStateVariables(A, E) \
420 copyToState(state, A)
421 #elif (Unrolling == 2)
424 for(i=0; i<24; i+=2) { \
425 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
426 thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \
428 copyToState(state, A)
429 #elif (Unrolling == 1)
432 for(i=0; i<24; i++) { \
433 thetaRhoPiChiIotaPrepareTheta(i , A, E) \
434 copyStateVariables(A, E) \
436 copyToState(state, A)
438 #error "Unrolling is not correctly specified!"
442 // ================================================================================
443 // =================== KeccakF-1600-32-rvk.macros
444 // ================================================================================
447 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
448 Michaël Peeters and Gilles Van Assche. For more information, feedback or
449 questions, please refer to our website: http://keccak.noekeon.org/
451 Implementation by Ronny Van Keer,
452 hereby denoted as "the implementer".
454 To the extent possible under law, the implementer has waived all copyright
455 and related or neighboring rights to the source code in this file.
456 http://creativecommons.org/publicdomain/zero/1.0/
459 static const UINT32 KeccakF1600RoundConstants_int2[2*24] =
461 0x00000001UL, 0x00000000UL,
462 0x00000000UL, 0x00000089UL,
463 0x00000000UL, 0x8000008bUL,
464 0x00000000UL, 0x80008080UL,
465 0x00000001UL, 0x0000008bUL,
466 0x00000001UL, 0x00008000UL,
467 0x00000001UL, 0x80008088UL,
468 0x00000001UL, 0x80000082UL,
469 0x00000000UL, 0x0000000bUL,
470 0x00000000UL, 0x0000000aUL,
471 0x00000001UL, 0x00008082UL,
472 0x00000000UL, 0x00008003UL,
473 0x00000001UL, 0x0000808bUL,
474 0x00000001UL, 0x8000000bUL,
475 0x00000001UL, 0x8000008aUL,
476 0x00000001UL, 0x80000081UL,
477 0x00000000UL, 0x80000081UL,
478 0x00000000UL, 0x80000008UL,
479 0x00000000UL, 0x00000083UL,
480 0x00000000UL, 0x80008003UL,
481 0x00000001UL, 0x80008088UL,
482 0x00000000UL, 0x80000088UL,
483 0x00000001UL, 0x00008000UL,
484 0x00000000UL, 0x80008082UL
491 UINT32 Da0, De0, Di0, Do0, Du0; \
492 UINT32 Da1, De1, Di1, Do1, Du1; \
493 UINT32 Ba, Be, Bi, Bo, Bu; \
494 UINT32 Aba0, Abe0, Abi0, Abo0, Abu0; \
495 UINT32 Aba1, Abe1, Abi1, Abo1, Abu1; \
496 UINT32 Aga0, Age0, Agi0, Ago0, Agu0; \
497 UINT32 Aga1, Age1, Agi1, Ago1, Agu1; \
498 UINT32 Aka0, Ake0, Aki0, Ako0, Aku0; \
499 UINT32 Aka1, Ake1, Aki1, Ako1, Aku1; \
500 UINT32 Ama0, Ame0, Ami0, Amo0, Amu0; \
501 UINT32 Ama1, Ame1, Ami1, Amo1, Amu1; \
502 UINT32 Asa0, Ase0, Asi0, Aso0, Asu0; \
503 UINT32 Asa1, Ase1, Asi1, Aso1, Asu1; \
504 UINT32 Cw, Cx, Cy, Cz; \
505 UINT32 Eba0, Ebe0, Ebi0, Ebo0, Ebu0; \
506 UINT32 Eba1, Ebe1, Ebi1, Ebo1, Ebu1; \
507 UINT32 Ega0, Ege0, Egi0, Ego0, Egu0; \
508 UINT32 Ega1, Ege1, Egi1, Ego1, Egu1; \
509 UINT32 Eka0, Eke0, Eki0, Eko0, Eku0; \
510 UINT32 Eka1, Eke1, Eki1, Eko1, Eku1; \
511 UINT32 Ema0, Eme0, Emi0, Emo0, Emu0; \
512 UINT32 Ema1, Eme1, Emi1, Emo1, Emu1; \
513 UINT32 Esa0, Ese0, Esi0, Eso0, Esu0; \
514 UINT32 Esa1, Ese1, Esi1, Eso1, Esu1; \
515 const UINT32 * pRoundConstants = KeccakF1600RoundConstants_int2; \
518 copyFromState(A, state) \
520 for( i = 12; i != 0; --i ) { \
521 Cx = Abu0^Agu0^Aku0^Amu0^Asu0; \
522 Du1 = Abe1^Age1^Ake1^Ame1^Ase1; \
523 Da0 = Cx^ROL32(Du1, 1); \
524 Cz = Abu1^Agu1^Aku1^Amu1^Asu1; \
525 Du0 = Abe0^Age0^Ake0^Ame0^Ase0; \
528 Cw = Abi0^Agi0^Aki0^Ami0^Asi0; \
529 Do0 = Cw^ROL32(Cz, 1); \
530 Cy = Abi1^Agi1^Aki1^Ami1^Asi1; \
533 Cx = Aba0^Aga0^Aka0^Ama0^Asa0; \
534 De0 = Cx^ROL32(Cy, 1); \
535 Cz = Aba1^Aga1^Aka1^Ama1^Asa1; \
538 Cy = Abo1^Ago1^Ako1^Amo1^Aso1; \
539 Di0 = Du0^ROL32(Cy, 1); \
540 Cw = Abo0^Ago0^Ako0^Amo0^Aso0; \
543 Du0 = Cw^ROL32(Cz, 1); \
549 Be = ROL32(Age0, 22); \
551 Bi = ROL32(Aki1, 22); \
553 Bo = ROL32(Amo1, 11); \
555 Bu = ROL32(Asu0, 7); \
556 Eba0 = Ba ^((~Be)& Bi ) ^ *(pRoundConstants++); \
557 Ebe0 = Be ^((~Bi)& Bo ); \
558 Ebi0 = Bi ^((~Bo)& Bu ); \
559 Ebo0 = Bo ^((~Bu)& Ba ); \
560 Ebu0 = Bu ^((~Ba)& Be ); \
563 Ba = ROL32(Abo0, 14); \
565 Be = ROL32(Agu0, 10); \
567 Bi = ROL32(Aka1, 2); \
569 Bo = ROL32(Ame1, 23); \
571 Bu = ROL32(Asi1, 31); \
572 Ega0 = Ba ^((~Be)& Bi ); \
573 Ege0 = Be ^((~Bi)& Bo ); \
574 Egi0 = Bi ^((~Bo)& Bu ); \
575 Ego0 = Bo ^((~Bu)& Ba ); \
576 Egu0 = Bu ^((~Ba)& Be ); \
579 Ba = ROL32(Abe1, 1); \
581 Be = ROL32(Agi0, 3); \
583 Bi = ROL32(Ako1, 13); \
585 Bo = ROL32(Amu0, 4); \
587 Bu = ROL32(Asa0, 9); \
588 Eka0 = Ba ^((~Be)& Bi ); \
589 Eke0 = Be ^((~Bi)& Bo ); \
590 Eki0 = Bi ^((~Bo)& Bu ); \
591 Eko0 = Bo ^((~Bu)& Ba ); \
592 Eku0 = Bu ^((~Ba)& Be ); \
595 Ba = ROL32(Abu1, 14); \
597 Be = ROL32(Aga0, 18); \
599 Bi = ROL32(Ake0, 5); \
601 Bo = ROL32(Ami1, 8); \
603 Bu = ROL32(Aso0, 28); \
604 Ema0 = Ba ^((~Be)& Bi ); \
605 Eme0 = Be ^((~Bi)& Bo ); \
606 Emi0 = Bi ^((~Bo)& Bu ); \
607 Emo0 = Bo ^((~Bu)& Ba ); \
608 Emu0 = Bu ^((~Ba)& Be ); \
611 Ba = ROL32(Abi0, 31); \
613 Be = ROL32(Ago1, 28); \
615 Bi = ROL32(Aku1, 20); \
617 Bo = ROL32(Ama1, 21); \
619 Bu = ROL32(Ase0, 1); \
620 Esa0 = Ba ^((~Be)& Bi ); \
621 Ese0 = Be ^((~Bi)& Bo ); \
622 Esi0 = Bi ^((~Bo)& Bu ); \
623 Eso0 = Bo ^((~Bu)& Ba ); \
624 Esu0 = Bu ^((~Ba)& Be ); \
629 Be = ROL32(Age1, 22); \
631 Bi = ROL32(Aki0, 21); \
633 Bo = ROL32(Amo0, 10); \
635 Bu = ROL32(Asu1, 7); \
636 Eba1 = Ba ^((~Be)& Bi ); \
637 Eba1 ^= *(pRoundConstants++); \
638 Ebe1 = Be ^((~Bi)& Bo ); \
639 Ebi1 = Bi ^((~Bo)& Bu ); \
640 Ebo1 = Bo ^((~Bu)& Ba ); \
641 Ebu1 = Bu ^((~Ba)& Be ); \
644 Ba = ROL32(Abo1, 14); \
646 Be = ROL32(Agu1, 10); \
648 Bi = ROL32(Aka0, 1); \
650 Bo = ROL32(Ame0, 22); \
652 Bu = ROL32(Asi0, 30); \
653 Ega1 = Ba ^((~Be)& Bi ); \
654 Ege1 = Be ^((~Bi)& Bo ); \
655 Egi1 = Bi ^((~Bo)& Bu ); \
656 Ego1 = Bo ^((~Bu)& Ba ); \
657 Egu1 = Bu ^((~Ba)& Be ); \
662 Be = ROL32(Agi1, 3); \
664 Bi = ROL32(Ako0, 12); \
666 Bo = ROL32(Amu1, 4); \
668 Bu = ROL32(Asa1, 9); \
669 Eka1 = Ba ^((~Be)& Bi ); \
670 Eke1 = Be ^((~Bi)& Bo ); \
671 Eki1 = Bi ^((~Bo)& Bu ); \
672 Eko1 = Bo ^((~Bu)& Ba ); \
673 Eku1 = Bu ^((~Ba)& Be ); \
676 Ba = ROL32(Abu0, 13); \
678 Be = ROL32(Aga1, 18); \
680 Bi = ROL32(Ake1, 5); \
682 Bo = ROL32(Ami0, 7); \
684 Bu = ROL32(Aso1, 28); \
685 Ema1 = Ba ^((~Be)& Bi ); \
686 Eme1 = Be ^((~Bi)& Bo ); \
687 Emi1 = Bi ^((~Bo)& Bu ); \
688 Emo1 = Bo ^((~Bu)& Ba ); \
689 Emu1 = Bu ^((~Ba)& Be ); \
692 Ba = ROL32(Abi1, 31); \
694 Be = ROL32(Ago0, 27); \
696 Bi = ROL32(Aku0, 19); \
698 Bo = ROL32(Ama0, 20); \
700 Bu = ROL32(Ase1, 1); \
701 Esa1 = Ba ^((~Be)& Bi ); \
702 Ese1 = Be ^((~Bi)& Bo ); \
703 Esi1 = Bi ^((~Bo)& Bu ); \
704 Eso1 = Bo ^((~Bu)& Ba ); \
705 Esu1 = Bu ^((~Ba)& Be ); \
707 Cx = Ebu0^Egu0^Eku0^Emu0^Esu0; \
708 Du1 = Ebe1^Ege1^Eke1^Eme1^Ese1; \
709 Da0 = Cx^ROL32(Du1, 1); \
710 Cz = Ebu1^Egu1^Eku1^Emu1^Esu1; \
711 Du0 = Ebe0^Ege0^Eke0^Eme0^Ese0; \
714 Cw = Ebi0^Egi0^Eki0^Emi0^Esi0; \
715 Do0 = Cw^ROL32(Cz, 1); \
716 Cy = Ebi1^Egi1^Eki1^Emi1^Esi1; \
719 Cx = Eba0^Ega0^Eka0^Ema0^Esa0; \
720 De0 = Cx^ROL32(Cy, 1); \
721 Cz = Eba1^Ega1^Eka1^Ema1^Esa1; \
724 Cy = Ebo1^Ego1^Eko1^Emo1^Eso1; \
725 Di0 = Du0^ROL32(Cy, 1); \
726 Cw = Ebo0^Ego0^Eko0^Emo0^Eso0; \
729 Du0 = Cw^ROL32(Cz, 1); \
735 Be = ROL32(Ege0, 22); \
737 Bi = ROL32(Eki1, 22); \
739 Bo = ROL32(Emo1, 11); \
741 Bu = ROL32(Esu0, 7); \
742 Aba0 = Ba ^((~Be)& Bi ); \
743 Aba0 ^= *(pRoundConstants++); \
744 Abe0 = Be ^((~Bi)& Bo ); \
745 Abi0 = Bi ^((~Bo)& Bu ); \
746 Abo0 = Bo ^((~Bu)& Ba ); \
747 Abu0 = Bu ^((~Ba)& Be ); \
750 Ba = ROL32(Ebo0, 14); \
752 Be = ROL32(Egu0, 10); \
754 Bi = ROL32(Eka1, 2); \
756 Bo = ROL32(Eme1, 23); \
758 Bu = ROL32(Esi1, 31); \
759 Aga0 = Ba ^((~Be)& Bi ); \
760 Age0 = Be ^((~Bi)& Bo ); \
761 Agi0 = Bi ^((~Bo)& Bu ); \
762 Ago0 = Bo ^((~Bu)& Ba ); \
763 Agu0 = Bu ^((~Ba)& Be ); \
766 Ba = ROL32(Ebe1, 1); \
768 Be = ROL32(Egi0, 3); \
770 Bi = ROL32(Eko1, 13); \
772 Bo = ROL32(Emu0, 4); \
774 Bu = ROL32(Esa0, 9); \
775 Aka0 = Ba ^((~Be)& Bi ); \
776 Ake0 = Be ^((~Bi)& Bo ); \
777 Aki0 = Bi ^((~Bo)& Bu ); \
778 Ako0 = Bo ^((~Bu)& Ba ); \
779 Aku0 = Bu ^((~Ba)& Be ); \
782 Ba = ROL32(Ebu1, 14); \
784 Be = ROL32(Ega0, 18); \
786 Bi = ROL32(Eke0, 5); \
788 Bo = ROL32(Emi1, 8); \
790 Bu = ROL32(Eso0, 28); \
791 Ama0 = Ba ^((~Be)& Bi ); \
792 Ame0 = Be ^((~Bi)& Bo ); \
793 Ami0 = Bi ^((~Bo)& Bu ); \
794 Amo0 = Bo ^((~Bu)& Ba ); \
795 Amu0 = Bu ^((~Ba)& Be ); \
798 Ba = ROL32(Ebi0, 31); \
800 Be = ROL32(Ego1, 28); \
802 Bi = ROL32(Eku1, 20); \
804 Bo = ROL32(Ema1, 21); \
806 Bu = ROL32(Ese0, 1); \
807 Asa0 = Ba ^((~Be)& Bi ); \
808 Ase0 = Be ^((~Bi)& Bo ); \
809 Asi0 = Bi ^((~Bo)& Bu ); \
810 Aso0 = Bo ^((~Bu)& Ba ); \
811 Asu0 = Bu ^((~Ba)& Be ); \
816 Be = ROL32(Ege1, 22); \
818 Bi = ROL32(Eki0, 21); \
820 Bo = ROL32(Emo0, 10); \
822 Bu = ROL32(Esu1, 7); \
823 Aba1 = Ba ^((~Be)& Bi ); \
824 Aba1 ^= *(pRoundConstants++); \
825 Abe1 = Be ^((~Bi)& Bo ); \
826 Abi1 = Bi ^((~Bo)& Bu ); \
827 Abo1 = Bo ^((~Bu)& Ba ); \
828 Abu1 = Bu ^((~Ba)& Be ); \
831 Ba = ROL32(Ebo1, 14); \
833 Be = ROL32(Egu1, 10); \
835 Bi = ROL32(Eka0, 1); \
837 Bo = ROL32(Eme0, 22); \
839 Bu = ROL32(Esi0, 30); \
840 Aga1 = Ba ^((~Be)& Bi ); \
841 Age1 = Be ^((~Bi)& Bo ); \
842 Agi1 = Bi ^((~Bo)& Bu ); \
843 Ago1 = Bo ^((~Bu)& Ba ); \
844 Agu1 = Bu ^((~Ba)& Be ); \
849 Be = ROL32(Egi1, 3); \
851 Bi = ROL32(Eko0, 12); \
853 Bo = ROL32(Emu1, 4); \
855 Bu = ROL32(Esa1, 9); \
856 Aka1 = Ba ^((~Be)& Bi ); \
857 Ake1 = Be ^((~Bi)& Bo ); \
858 Aki1 = Bi ^((~Bo)& Bu ); \
859 Ako1 = Bo ^((~Bu)& Ba ); \
860 Aku1 = Bu ^((~Ba)& Be ); \
863 Ba = ROL32(Ebu0, 13); \
865 Be = ROL32(Ega1, 18); \
867 Bi = ROL32(Eke1, 5); \
869 Bo = ROL32(Emi0, 7); \
871 Bu = ROL32(Eso1, 28); \
872 Ama1 = Ba ^((~Be)& Bi ); \
873 Ame1 = Be ^((~Bi)& Bo ); \
874 Ami1 = Bi ^((~Bo)& Bu ); \
875 Amo1 = Bo ^((~Bu)& Ba ); \
876 Amu1 = Bu ^((~Ba)& Be ); \
879 Ba = ROL32(Ebi1, 31); \
881 Be = ROL32(Ego0, 27); \
883 Bi = ROL32(Eku0, 19); \
885 Bo = ROL32(Ema0, 20); \
887 Bu = ROL32(Ese1, 1); \
888 Asa1 = Ba ^((~Be)& Bi ); \
889 Ase1 = Be ^((~Bi)& Bo ); \
890 Asi1 = Bi ^((~Bo)& Bu ); \
891 Aso1 = Bo ^((~Bu)& Ba ); \
892 Asu1 = Bu ^((~Ba)& Be ); \
894 copyToState(state, A) \
897 #define copyFromState(X, state) \
898 X##ba0 = state[ 0]; \
899 X##ba1 = state[ 1]; \
900 X##be0 = state[ 2]; \
901 X##be1 = state[ 3]; \
902 X##bi0 = state[ 4]; \
903 X##bi1 = state[ 5]; \
904 X##bo0 = state[ 6]; \
905 X##bo1 = state[ 7]; \
906 X##bu0 = state[ 8]; \
907 X##bu1 = state[ 9]; \
908 X##ga0 = state[10]; \
909 X##ga1 = state[11]; \
910 X##ge0 = state[12]; \
911 X##ge1 = state[13]; \
912 X##gi0 = state[14]; \
913 X##gi1 = state[15]; \
914 X##go0 = state[16]; \
915 X##go1 = state[17]; \
916 X##gu0 = state[18]; \
917 X##gu1 = state[19]; \
918 X##ka0 = state[20]; \
919 X##ka1 = state[21]; \
920 X##ke0 = state[22]; \
921 X##ke1 = state[23]; \
922 X##ki0 = state[24]; \
923 X##ki1 = state[25]; \
924 X##ko0 = state[26]; \
925 X##ko1 = state[27]; \
926 X##ku0 = state[28]; \
927 X##ku1 = state[29]; \
928 X##ma0 = state[30]; \
929 X##ma1 = state[31]; \
930 X##me0 = state[32]; \
931 X##me1 = state[33]; \
932 X##mi0 = state[34]; \
933 X##mi1 = state[35]; \
934 X##mo0 = state[36]; \
935 X##mo1 = state[37]; \
936 X##mu0 = state[38]; \
937 X##mu1 = state[39]; \
938 X##sa0 = state[40]; \
939 X##sa1 = state[41]; \
940 X##se0 = state[42]; \
941 X##se1 = state[43]; \
942 X##si0 = state[44]; \
943 X##si1 = state[45]; \
944 X##so0 = state[46]; \
945 X##so1 = state[47]; \
946 X##su0 = state[48]; \
947 X##su1 = state[49]; \
949 #define copyToState(state, X) \
950 state[ 0] = X##ba0; \
951 state[ 1] = X##ba1; \
952 state[ 2] = X##be0; \
953 state[ 3] = X##be1; \
954 state[ 4] = X##bi0; \
955 state[ 5] = X##bi1; \
956 state[ 6] = X##bo0; \
957 state[ 7] = X##bo1; \
958 state[ 8] = X##bu0; \
959 state[ 9] = X##bu1; \
960 state[10] = X##ga0; \
961 state[11] = X##ga1; \
962 state[12] = X##ge0; \
963 state[13] = X##ge1; \
964 state[14] = X##gi0; \
965 state[15] = X##gi1; \
966 state[16] = X##go0; \
967 state[17] = X##go1; \
968 state[18] = X##gu0; \
969 state[19] = X##gu1; \
970 state[20] = X##ka0; \
971 state[21] = X##ka1; \
972 state[22] = X##ke0; \
973 state[23] = X##ke1; \
974 state[24] = X##ki0; \
975 state[25] = X##ki1; \
976 state[26] = X##ko0; \
977 state[27] = X##ko1; \
978 state[28] = X##ku0; \
979 state[29] = X##ku1; \
980 state[30] = X##ma0; \
981 state[31] = X##ma1; \
982 state[32] = X##me0; \
983 state[33] = X##me1; \
984 state[34] = X##mi0; \
985 state[35] = X##mi1; \
986 state[36] = X##mo0; \
987 state[37] = X##mo1; \
988 state[38] = X##mu0; \
989 state[39] = X##mu1; \
990 state[40] = X##sa0; \
991 state[41] = X##sa1; \
992 state[42] = X##se0; \
993 state[43] = X##se1; \
994 state[44] = X##si0; \
995 state[45] = X##si1; \
996 state[46] = X##so0; \
997 state[47] = X##so1; \
998 state[48] = X##su0; \
999 state[49] = X##su1; \
1002 // ================================================================================
1003 // =================== KeccakF-1600-32.macros
1004 // ================================================================================
1007 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
1008 Michaël Peeters and Gilles Van Assche. For more information, feedback or
1009 questions, please refer to our website: http://keccak.noekeon.org/
1011 Implementation by the designers,
1012 hereby denoted as "the implementer".
1014 To the extent possible under law, the implementer has waived all copyright
1015 and related or neighboring rights to the source code in this file.
1016 http://creativecommons.org/publicdomain/zero/1.0/
1020 #if (UseSchedule == 1)
1021 #include "KeccakF-1600-32-s1.macros"
1022 #elif (UseSchedule == 2)
1023 #include "KeccakF-1600-32-s2.macros"
1024 #elif (UseSchedule == 3)
1025 //#include "KeccakF-1600-32-rvk.macros"
1027 #error "This schedule is not supported."
1030 #include "KeccakF-1600-32-s1.macros"
1033 // ================================================================================
1034 // =================== KeccakF-1600-opt32.c
1035 // ================================================================================
1039 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
1040 Michaël Peeters and Gilles Van Assche. For more information, feedback or
1041 questions, please refer to our website: http://keccak.noekeon.org/
1043 Implementation by the designers,
1044 hereby denoted as "the implementer".
1046 To the extent possible under law, the implementer has waived all copyright
1047 and related or neighboring rights to the source code in this file.
1048 http://creativecommons.org/publicdomain/zero/1.0/
1052 //#include "brg_endian.h"
1053 //#include "KeccakF-1600-opt32-settings.h"
1054 //#include "KeccakF-1600-interface.h"
1058 #ifdef UseInterleaveTables
1059 int interleaveTablesBuilt = 0;
1060 UINT16 interleaveTable[65536];
1061 UINT16 deinterleaveTable[65536];
1063 void buildInterleaveTables()
1068 if (!interleaveTablesBuilt) {
1069 for(i=0; i<65536; i++) {
1071 for(j=0; j<16; j++) {
1073 x |= (1 << (j/2 + 8*(j%2)));
1075 interleaveTable[i] = x;
1076 deinterleaveTable[x] = (UINT16)i;
1078 interleaveTablesBuilt = 1;
1082 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
1084 #define xor2bytesIntoInterleavedWords(even, odd, source, j) \
1085 i##j = interleaveTable[((const UINT16*)source)[j]]; \
1086 ((UINT8*)even)[j] ^= i##j & 0xFF; \
1087 ((UINT8*)odd)[j] ^= i##j >> 8;
1089 #define setInterleavedWordsInto2bytes(dest, even, odd, j) \
1090 d##j = deinterleaveTable[((even >> (j*8)) & 0xFF) ^ (((odd >> (j*8)) & 0xFF) << 8)]; \
1091 ((UINT16*)dest)[j] = d##j;
1093 #else // (PLATFORM_BYTE_ORDER == IS_BIG_ENDIAN)
1095 #define xor2bytesIntoInterleavedWords(even, odd, source, j) \
1096 i##j = interleaveTable[source[2*j] ^ ((UINT16)source[2*j+1] << 8)]; \
1097 *even ^= (i##j & 0xFF) << (j*8); \
1098 *odd ^= ((i##j >> 8) & 0xFF) << (j*8);
1100 #define setInterleavedWordsInto2bytes(dest, even, odd, j) \
1101 d##j = deinterleaveTable[((even >> (j*8)) & 0xFF) ^ (((odd >> (j*8)) & 0xFF) << 8)]; \
1102 dest[2*j] = d##j & 0xFF; \
1103 dest[2*j+1] = d##j >> 8;
1105 #endif // Endianness
1107 void xor8bytesIntoInterleavedWords(UINT32 *even, UINT32 *odd, const UINT8* source)
1109 UINT16 i0, i1, i2, i3;
1111 xor2bytesIntoInterleavedWords(even, odd, source, 0)
1112 xor2bytesIntoInterleavedWords(even, odd, source, 1)
1113 xor2bytesIntoInterleavedWords(even, odd, source, 2)
1114 xor2bytesIntoInterleavedWords(even, odd, source, 3)
1117 #define xorLanesIntoState(laneCount, state, input) \
1120 for(i=0; i<(laneCount); i++) \
1121 xor8bytesIntoInterleavedWords(state+i*2, state+i*2+1, input+i*8); \
1124 void setInterleavedWordsInto8bytes(UINT8* dest, UINT32 even, UINT32 odd)
1126 UINT16 d0, d1, d2, d3;
1128 setInterleavedWordsInto2bytes(dest, even, odd, 0)
1129 setInterleavedWordsInto2bytes(dest, even, odd, 1)
1130 setInterleavedWordsInto2bytes(dest, even, odd, 2)
1131 setInterleavedWordsInto2bytes(dest, even, odd, 3)
1134 #define extractLanes(laneCount, state, data) \
1137 for(i=0; i<(laneCount); i++) \
1138 setInterleavedWordsInto8bytes(data+i*8, ((UINT32*)state)[i*2], ((UINT32*)state)[i*2+1]); \
1141 #else // No interleaving tables
1143 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
1145 // Credit: Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002
1146 #define xorInterleavedLE(rateInLanes, state, input) \
1148 const UINT32 * pI = (const UINT32 *)input; \
1149 UINT32 * pS = state; \
1152 for (i = (rateInLanes)-1; i >= 0; --i) \
1155 t = (x0 ^ (x0 >> 1)) & 0x22222222UL; x0 = x0 ^ t ^ (t << 1); \
1156 t = (x0 ^ (x0 >> 2)) & 0x0C0C0C0CUL; x0 = x0 ^ t ^ (t << 2); \
1157 t = (x0 ^ (x0 >> 4)) & 0x00F000F0UL; x0 = x0 ^ t ^ (t << 4); \
1158 t = (x0 ^ (x0 >> 8)) & 0x0000FF00UL; x0 = x0 ^ t ^ (t << 8); \
1160 t = (x1 ^ (x1 >> 1)) & 0x22222222UL; x1 = x1 ^ t ^ (t << 1); \
1161 t = (x1 ^ (x1 >> 2)) & 0x0C0C0C0CUL; x1 = x1 ^ t ^ (t << 2); \
1162 t = (x1 ^ (x1 >> 4)) & 0x00F000F0UL; x1 = x1 ^ t ^ (t << 4); \
1163 t = (x1 ^ (x1 >> 8)) & 0x0000FF00UL; x1 = x1 ^ t ^ (t << 8); \
1164 *(pS++) ^= (UINT16)x0 | (x1 << 16); \
1165 *(pS++) ^= (x0 >> 16) | (x1 & 0xFFFF0000); \
1169 #define xorLanesIntoState(laneCount, state, input) \
1170 xorInterleavedLE(laneCount, state, input)
1172 #else // (PLATFORM_BYTE_ORDER == IS_BIG_ENDIAN)
1174 // Credit: Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002
1175 UINT64 toInterleaving(UINT64 x)
1179 t = (x ^ (x >> 1)) & 0x2222222222222222ULL; x = x ^ t ^ (t << 1);
1180 t = (x ^ (x >> 2)) & 0x0C0C0C0C0C0C0C0CULL; x = x ^ t ^ (t << 2);
1181 t = (x ^ (x >> 4)) & 0x00F000F000F000F0ULL; x = x ^ t ^ (t << 4);
1182 t = (x ^ (x >> 8)) & 0x0000FF000000FF00ULL; x = x ^ t ^ (t << 8);
1183 t = (x ^ (x >> 16)) & 0x00000000FFFF0000ULL; x = x ^ t ^ (t << 16);
1188 void xor8bytesIntoInterleavedWords(UINT32* evenAndOdd, const UINT8* source)
1190 // This can be optimized
1193 ^ (((UINT64)source[1]) << 8)
1194 ^ (((UINT64)source[2]) << 16)
1195 ^ (((UINT64)source[3]) << 24)
1196 ^ (((UINT64)source[4]) << 32)
1197 ^ (((UINT64)source[5]) << 40)
1198 ^ (((UINT64)source[6]) << 48)
1199 ^ (((UINT64)source[7]) << 56);
1200 UINT64 evenAndOddWord = toInterleaving(sourceWord);
1201 evenAndOdd[0] ^= (UINT32)evenAndOddWord;
1202 evenAndOdd[1] ^= (UINT32)(evenAndOddWord >> 32);
1205 #define xorLanesIntoState(laneCount, state, input) \
1208 for(i=0; i<(laneCount); i++) \
1209 xor8bytesIntoInterleavedWords(state+i*2, input+i*8); \
1212 #endif // Endianness
1214 // Credit: Henry S. Warren, Hacker's Delight, Addison-Wesley, 2002
1215 UINT64 fromInterleaving(UINT64 x)
1219 t = (x ^ (x >> 16)) & 0x00000000FFFF0000ULL; x = x ^ t ^ (t << 16);
1220 t = (x ^ (x >> 8)) & 0x0000FF000000FF00ULL; x = x ^ t ^ (t << 8);
1221 t = (x ^ (x >> 4)) & 0x00F000F000F000F0ULL; x = x ^ t ^ (t << 4);
1222 t = (x ^ (x >> 2)) & 0x0C0C0C0C0C0C0C0CULL; x = x ^ t ^ (t << 2);
1223 t = (x ^ (x >> 1)) & 0x2222222222222222ULL; x = x ^ t ^ (t << 1);
1228 void setInterleavedWordsInto8bytes(UINT8* dest, UINT32* evenAndOdd)
1230 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
1231 ((UINT64*)dest)[0] = fromInterleaving(*(UINT64*)evenAndOdd);
1232 #else // (PLATFORM_BYTE_ORDER == IS_BIG_ENDIAN)
1233 // This can be optimized
1234 UINT64 evenAndOddWord = (UINT64)evenAndOdd[0] ^ ((UINT64)evenAndOdd[1] << 32);
1235 UINT64 destWord = fromInterleaving(evenAndOddWord);
1236 dest[0] = destWord & 0xFF;
1237 dest[1] = (destWord >> 8) & 0xFF;
1238 dest[2] = (destWord >> 16) & 0xFF;
1239 dest[3] = (destWord >> 24) & 0xFF;
1240 dest[4] = (destWord >> 32) & 0xFF;
1241 dest[5] = (destWord >> 40) & 0xFF;
1242 dest[6] = (destWord >> 48) & 0xFF;
1243 dest[7] = (destWord >> 56) & 0xFF;
1244 #endif // Endianness
1247 #define extractLanes(laneCount, state, data) \
1250 for(i=0; i<(laneCount); i++) \
1251 setInterleavedWordsInto8bytes(data+i*8, (UINT32*)state+i*2); \
1254 #endif // With or without interleaving tables
1256 #if defined(_MSC_VER)
1257 #define ROL32(a, offset) _rotl(a, offset)
1258 #elif (defined (__arm__) && defined(__ARMCC_VERSION))
1259 #define ROL32(a, offset) __ror(a, 32-(offset))
1261 #define ROL32(a, offset) ((((UINT32)a) << (offset)) ^ (((UINT32)a) >> (32-(offset))))
1264 //#include "KeccakF-1600-unrolling.macros"
1265 //#include "KeccakF-1600-32.macros"
1267 #if (UseSchedule == 3)
1269 #ifdef UseBebigokimisa
1270 #error "No lane complementing with schedule 3."
1273 #if (Unrolling != 2)
1274 #error "Only unrolling 2 is supported by schedule 3."
1277 void KeccakPermutationOnWords(UINT32 *state)
1282 void KeccakPermutationOnWordsAfterXoring(UINT32 *state, const UINT8 *input, unsigned int laneCount)
1284 xorLanesIntoState(laneCount, state, input)
1288 #ifdef ProvideFast576
1289 void KeccakPermutationOnWordsAfterXoring576bits(UINT32 *state, const UINT8 *input)
1291 xorLanesIntoState(9, state, input)
1296 #ifdef ProvideFast832
1297 void KeccakPermutationOnWordsAfterXoring832bits(UINT32 *state, const UINT8 *input)
1299 xorLanesIntoState(13, state, input)
1304 #ifdef ProvideFast1024
1305 void KeccakPermutationOnWordsAfterXoring1024bits(UINT32 *state, const UINT8 *input)
1307 xorLanesIntoState(16, state, input)
1312 #ifdef ProvideFast1088
1313 void KeccakPermutationOnWordsAfterXoring1088bits(UINT32 *state, const UINT8 *input)
1315 xorLanesIntoState(17, state, input)
1320 #ifdef ProvideFast1152
1321 void KeccakPermutationOnWordsAfterXoring1152bits(UINT32 *state, const UINT8 *input)
1323 xorLanesIntoState(18, state, input)
1328 #ifdef ProvideFast1344
1329 void KeccakPermutationOnWordsAfterXoring1344bits(UINT32 *state, const UINT8 *input)
1331 xorLanesIntoState(21, state, input)
1336 #else // (Schedule != 3)
1338 void KeccakPermutationOnWords(UINT32 *state)
1341 #if (Unrolling != 24)
1345 copyFromState(A, state)
1349 void KeccakPermutationOnWordsAfterXoring(UINT32 *state, const UINT8 *input, unsigned int laneCount)
1354 xorLanesIntoState(laneCount, state, input)
1355 copyFromState(A, state)
1359 #ifdef ProvideFast576
1360 void KeccakPermutationOnWordsAfterXoring576bits(UINT32 *state, const UINT8 *input)
1365 xorLanesIntoState(9, state, input)
1366 copyFromState(A, state)
1371 #ifdef ProvideFast832
1372 void KeccakPermutationOnWordsAfterXoring832bits(UINT32 *state, const UINT8 *input)
1377 xorLanesIntoState(13, state, input)
1378 copyFromState(A, state)
1383 #ifdef ProvideFast1024
1384 void KeccakPermutationOnWordsAfterXoring1024bits(UINT32 *state, const UINT8 *input)
1389 xorLanesIntoState(16, state, input)
1390 copyFromState(A, state)
1395 #ifdef ProvideFast1088
1396 void KeccakPermutationOnWordsAfterXoring1088bits(UINT32 *state, const UINT8 *input)
1401 xorLanesIntoState(17, state, input)
1402 copyFromState(A, state)
1407 #ifdef ProvideFast1152
1408 void KeccakPermutationOnWordsAfterXoring1152bits(UINT32 *state, const UINT8 *input)
1413 xorLanesIntoState(18, state, input)
1414 copyFromState(A, state)
1419 #ifdef ProvideFast1344
1420 void KeccakPermutationOnWordsAfterXoring1344bits(UINT32 *state, const UINT8 *input)
1425 xorLanesIntoState(21, state, input)
1426 copyFromState(A, state)
1433 void KeccakInitialize()
1435 #ifdef UseInterleaveTables
1436 buildInterleaveTables();
1440 void KeccakInitializeState(unsigned char *state)
1442 memset(state, 0, 200);
1443 #ifdef UseBebigokimisa
1444 ((UINT32*)state)[ 2] = ~(UINT32)0;
1445 ((UINT32*)state)[ 3] = ~(UINT32)0;
1446 ((UINT32*)state)[ 4] = ~(UINT32)0;
1447 ((UINT32*)state)[ 5] = ~(UINT32)0;
1448 ((UINT32*)state)[16] = ~(UINT32)0;
1449 ((UINT32*)state)[17] = ~(UINT32)0;
1450 ((UINT32*)state)[24] = ~(UINT32)0;
1451 ((UINT32*)state)[25] = ~(UINT32)0;
1452 ((UINT32*)state)[34] = ~(UINT32)0;
1453 ((UINT32*)state)[35] = ~(UINT32)0;
1454 ((UINT32*)state)[40] = ~(UINT32)0;
1455 ((UINT32*)state)[41] = ~(UINT32)0;
1459 void KeccakPermutation(unsigned char *state)
1461 // We assume the state is always stored as interleaved 32-bit words
1462 KeccakPermutationOnWords((UINT32*)state);
1465 #ifdef ProvideFast576
1466 void KeccakAbsorb576bits(unsigned char *state, const unsigned char *data)
1468 KeccakPermutationOnWordsAfterXoring576bits((UINT32*)state, data);
1472 #ifdef ProvideFast832
1473 void KeccakAbsorb832bits(unsigned char *state, const unsigned char *data)
1475 KeccakPermutationOnWordsAfterXoring832bits((UINT32*)state, data);
1479 #ifdef ProvideFast1024
1480 void KeccakAbsorb1024bits(unsigned char *state, const unsigned char *data)
1482 KeccakPermutationOnWordsAfterXoring1024bits((UINT32*)state, data);
1486 #ifdef ProvideFast1088
1487 void KeccakAbsorb1088bits(unsigned char *state, const unsigned char *data)
1489 KeccakPermutationOnWordsAfterXoring1088bits((UINT32*)state, data);
1493 #ifdef ProvideFast1152
1494 void KeccakAbsorb1152bits(unsigned char *state, const unsigned char *data)
1496 KeccakPermutationOnWordsAfterXoring1152bits((UINT32*)state, data);
1500 #ifdef ProvideFast1344
1501 void KeccakAbsorb1344bits(unsigned char *state, const unsigned char *data)
1503 KeccakPermutationOnWordsAfterXoring1344bits((UINT32*)state, data);
1507 void KeccakAbsorb(unsigned char *state, const unsigned char *data, unsigned int laneCount)
1509 KeccakPermutationOnWordsAfterXoring((UINT32*)state, data, laneCount);
1512 #ifdef ProvideFast1024
1513 void KeccakExtract1024bits(const unsigned char *state, unsigned char *data)
1515 extractLanes(16, state, data)
1516 #ifdef UseBebigokimisa
1517 ((UINT32*)data)[ 2] = ~((UINT32*)data)[ 2];
1518 ((UINT32*)data)[ 3] = ~((UINT32*)data)[ 3];
1519 ((UINT32*)data)[ 4] = ~((UINT32*)data)[ 4];
1520 ((UINT32*)data)[ 5] = ~((UINT32*)data)[ 5];
1521 ((UINT32*)data)[16] = ~((UINT32*)data)[16];
1522 ((UINT32*)data)[17] = ~((UINT32*)data)[17];
1523 ((UINT32*)data)[24] = ~((UINT32*)data)[24];
1524 ((UINT32*)data)[25] = ~((UINT32*)data)[25];
1529 void KeccakExtract(const unsigned char *state, unsigned char *data, unsigned int laneCount)
1531 extractLanes((int)laneCount, state, data)
1532 #ifdef UseBebigokimisa
1533 if (laneCount > 1) {
1534 ((UINT32*)data)[ 2] = ~((UINT32*)data)[ 2];
1535 ((UINT32*)data)[ 3] = ~((UINT32*)data)[ 3];
1536 if (laneCount > 2) {
1537 ((UINT32*)data)[ 4] = ~((UINT32*)data)[ 4];
1538 ((UINT32*)data)[ 5] = ~((UINT32*)data)[ 5];
1539 if (laneCount > 8) {
1540 ((UINT32*)data)[16] = ~((UINT32*)data)[16];
1541 ((UINT32*)data)[17] = ~((UINT32*)data)[17];
1542 if (laneCount > 12) {
1543 ((UINT32*)data)[24] = ~((UINT32*)data)[24];
1544 ((UINT32*)data)[25] = ~((UINT32*)data)[25];
1545 if (laneCount > 17) {
1546 ((UINT32*)data)[34] = ~((UINT32*)data)[34];
1547 ((UINT32*)data)[35] = ~((UINT32*)data)[35];
1548 if (laneCount > 20) {
1549 ((UINT32*)data)[40] = ~((UINT32*)data)[40];
1550 ((UINT32*)data)[41] = ~((UINT32*)data)[41];
1561 // ================================================================================
1562 // =================== KeccakSponge.c
1563 // ================================================================================
1567 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
1568 Michaël Peeters and Gilles Van Assche. For more information, feedback or
1569 questions, please refer to our website: http://keccak.noekeon.org/
1571 Implementation by the designers,
1572 hereby denoted as "the implementer".
1574 To the extent possible under law, the implementer has waived all copyright
1575 and related or neighboring rights to the source code in this file.
1576 http://creativecommons.org/publicdomain/zero/1.0/
1580 //#include "KeccakSponge.h"
1581 //#include "KeccakF-1600-interface.h"
1582 #ifdef KeccakReference
1583 //#include "displayIntermediateValues.h"
1586 int InitSponge(spongeState *state, unsigned int rate, unsigned int capacity)
1588 if (rate+capacity != 1600)
1590 if ((rate <= 0) || (rate >= 1600) || ((rate % 64) != 0))
1594 state->capacity = capacity;
1595 state->fixedOutputLength = 0;
1596 KeccakInitializeState(state->state);
1597 memset(state->dataQueue, 0, KeccakMaximumRateInBytes);
1598 state->bitsInQueue = 0;
1599 state->squeezing = 0;
1600 state->bitsAvailableForSqueezing = 0;
1605 void AbsorbQueue(spongeState *state)
1607 // state->bitsInQueue is assumed to be equal to state->rate
1608 #ifdef KeccakReference
1609 displayBytes(1, "Block to be absorbed", state->dataQueue, state->rate/8);
1611 #ifdef ProvideFast576
1612 if (state->rate == 576)
1613 KeccakAbsorb576bits(state->state, state->dataQueue);
1616 #ifdef ProvideFast832
1617 if (state->rate == 832)
1618 KeccakAbsorb832bits(state->state, state->dataQueue);
1621 #ifdef ProvideFast1024
1622 if (state->rate == 1024)
1623 KeccakAbsorb1024bits(state->state, state->dataQueue);
1626 #ifdef ProvideFast1088
1627 if (state->rate == 1088)
1628 KeccakAbsorb1088bits(state->state, state->dataQueue);
1631 #ifdef ProvideFast1152
1632 if (state->rate == 1152)
1633 KeccakAbsorb1152bits(state->state, state->dataQueue);
1636 #ifdef ProvideFast1344
1637 if (state->rate == 1344)
1638 KeccakAbsorb1344bits(state->state, state->dataQueue);
1641 KeccakAbsorb(state->state, state->dataQueue, state->rate/64);
1642 state->bitsInQueue = 0;
1645 int Absorb(spongeState *state, const unsigned char *data, unsigned long long databitlen)
1647 unsigned long long i, j, wholeBlocks;
1648 unsigned int partialBlock, partialByte;
1649 const unsigned char *curData;
1651 if ((state->bitsInQueue % 8) != 0)
1652 return 1; // Only the last call may contain a partial byte
1653 if (state->squeezing)
1654 return 1; // Too late for additional input
1657 while(i < databitlen) {
1658 if ((state->bitsInQueue == 0) && (databitlen >= state->rate) && (i <= (databitlen-state->rate))) {
1659 wholeBlocks = (databitlen-i)/state->rate;
1661 #ifdef ProvideFast576
1662 if (state->rate == 576) {
1663 for(j=0; j<wholeBlocks; j++, curData+=576/8) {
1664 #ifdef KeccakReference
1665 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1667 KeccakAbsorb576bits(state->state, curData);
1672 #ifdef ProvideFast832
1673 if (state->rate == 832) {
1674 for(j=0; j<wholeBlocks; j++, curData+=832/8) {
1675 #ifdef KeccakReference
1676 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1678 KeccakAbsorb832bits(state->state, curData);
1683 #ifdef ProvideFast1024
1684 if (state->rate == 1024) {
1685 for(j=0; j<wholeBlocks; j++, curData+=1024/8) {
1686 #ifdef KeccakReference
1687 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1689 KeccakAbsorb1024bits(state->state, curData);
1694 #ifdef ProvideFast1088
1695 if (state->rate == 1088) {
1696 for(j=0; j<wholeBlocks; j++, curData+=1088/8) {
1697 #ifdef KeccakReference
1698 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1700 KeccakAbsorb1088bits(state->state, curData);
1705 #ifdef ProvideFast1152
1706 if (state->rate == 1152) {
1707 for(j=0; j<wholeBlocks; j++, curData+=1152/8) {
1708 #ifdef KeccakReference
1709 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1711 KeccakAbsorb1152bits(state->state, curData);
1716 #ifdef ProvideFast1344
1717 if (state->rate == 1344) {
1718 for(j=0; j<wholeBlocks; j++, curData+=1344/8) {
1719 #ifdef KeccakReference
1720 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1722 KeccakAbsorb1344bits(state->state, curData);
1728 for(j=0; j<wholeBlocks; j++, curData+=state->rate/8) {
1729 #ifdef KeccakReference
1730 displayBytes(1, "Block to be absorbed", curData, state->rate/8);
1732 KeccakAbsorb(state->state, curData, state->rate/64);
1735 i += wholeBlocks*state->rate;
1738 partialBlock = (unsigned int)(databitlen - i);
1739 if (partialBlock+state->bitsInQueue > state->rate)
1740 partialBlock = state->rate-state->bitsInQueue;
1741 partialByte = partialBlock % 8;
1742 partialBlock -= partialByte;
1743 memcpy(state->dataQueue+state->bitsInQueue/8, data+i/8, partialBlock/8);
1744 state->bitsInQueue += partialBlock;
1746 if (state->bitsInQueue == state->rate)
1748 if (partialByte > 0) {
1749 unsigned char mask = (1 << partialByte)-1;
1750 state->dataQueue[state->bitsInQueue/8] = data[i/8] & mask;
1751 state->bitsInQueue += partialByte;
1759 void PadAndSwitchToSqueezingPhase(spongeState *state)
1761 // Note: the bits are numbered from 0=LSB to 7=MSB
1762 if (state->bitsInQueue + 1 == state->rate) {
1763 state->dataQueue[state->bitsInQueue/8 ] |= 1 << (state->bitsInQueue % 8);
1765 memset(state->dataQueue, 0, state->rate/8);
1768 memset(state->dataQueue + (state->bitsInQueue+7)/8, 0, state->rate/8 - (state->bitsInQueue+7)/8);
1769 state->dataQueue[state->bitsInQueue/8 ] |= 1 << (state->bitsInQueue % 8);
1771 state->dataQueue[(state->rate-1)/8] |= 1 << ((state->rate-1) % 8);
1774 #ifdef KeccakReference
1775 displayText(1, "--- Switching to squeezing phase ---");
1777 #ifdef ProvideFast1024
1778 if (state->rate == 1024) {
1779 KeccakExtract1024bits(state->state, state->dataQueue);
1780 state->bitsAvailableForSqueezing = 1024;
1785 KeccakExtract(state->state, state->dataQueue, state->rate/64);
1786 state->bitsAvailableForSqueezing = state->rate;
1788 #ifdef KeccakReference
1789 displayBytes(1, "Block available for squeezing", state->dataQueue, state->bitsAvailableForSqueezing/8);
1791 state->squeezing = 1;
1794 int Squeeze(spongeState *state, unsigned char *output, unsigned long long outputLength)
1796 unsigned long long i;
1797 unsigned int partialBlock;
1799 if (!state->squeezing)
1800 PadAndSwitchToSqueezingPhase(state);
1801 if ((outputLength % 8) != 0)
1802 return 1; // Only multiple of 8 bits are allowed, truncation can be done at user level
1805 while(i < outputLength) {
1806 if (state->bitsAvailableForSqueezing == 0) {
1807 KeccakPermutation(state->state);
1808 #ifdef ProvideFast1024
1809 if (state->rate == 1024) {
1810 KeccakExtract1024bits(state->state, state->dataQueue);
1811 state->bitsAvailableForSqueezing = 1024;
1816 KeccakExtract(state->state, state->dataQueue, state->rate/64);
1817 state->bitsAvailableForSqueezing = state->rate;
1819 #ifdef KeccakReference
1820 displayBytes(1, "Block available for squeezing", state->dataQueue, state->bitsAvailableForSqueezing/8);
1823 partialBlock = state->bitsAvailableForSqueezing;
1824 if ((unsigned long long)partialBlock > outputLength - i)
1825 partialBlock = (unsigned int)(outputLength - i);
1826 memcpy(output+i/8, state->dataQueue+(state->rate-state->bitsAvailableForSqueezing)/8, partialBlock/8);
1827 state->bitsAvailableForSqueezing -= partialBlock;
1835 // ================================================================================
1836 // =================== KeccakNISTInterface.h
1837 // ================================================================================
1841 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
1842 Michaël Peeters and Gilles Van Assche. For more information, feedback or
1843 questions, please refer to our website: http://keccak.noekeon.org/
1845 Implementation by the designers,
1846 hereby denoted as "the implementer".
1848 To the extent possible under law, the implementer has waived all copyright
1849 and related or neighboring rights to the source code in this file.
1850 http://creativecommons.org/publicdomain/zero/1.0/
1853 #ifndef _KeccakNISTInterface_h_
1854 #define _KeccakNISTInterface_h_
1856 //#include "KeccakSponge.h"
1858 typedef unsigned char BitSequence;
1859 typedef unsigned long long DataLength;
1860 typedef enum { SUCCESS = 0, FAIL = 1, BAD_HASHLEN = 2 } HashReturn;
1862 typedef spongeState hashState;
1865 * Function to initialize the state of the Keccak[r, c] sponge function.
1866 * The rate r and capacity c values are determined from @a hashbitlen.
1867 * @param state Pointer to the state of the sponge function to be initialized.
1868 * @param hashbitlen The desired number of output bits,
1869 * or 0 for Keccak[] with default parameters
1870 * and arbitrarily-long output.
1871 * @pre The value of hashbitlen must be one of 0, 224, 256, 384 and 512.
1872 * @return SUCCESS if successful, BAD_HASHLEN if the value of hashbitlen is incorrect.
1874 HashReturn Init(hashState *state, int hashbitlen);
1876 * Function to give input data for the sponge function to absorb.
1877 * @param state Pointer to the state of the sponge function initialized by Init().
1878 * @param data Pointer to the input data.
1879 * When @a databitLen is not a multiple of 8, the last bits of data must be
1880 * in the most significant bits of the last byte.
1881 * @param databitLen The number of input bits provided in the input data.
1882 * @pre In the previous call to Absorb(), databitLen was a multiple of 8.
1883 * @return SUCCESS if successful, FAIL otherwise.
1885 HashReturn Update(hashState *state, const BitSequence *data, DataLength databitlen);
1887 * Function to squeeze output data from the sponge function.
1888 * If @a hashbitlen was not 0 in the call to Init(), the number of output bits is equal to @a hashbitlen.
1889 * If @a hashbitlen was 0 in the call to Init(), the output bits must be extracted using the Squeeze() function.
1890 * @param state Pointer to the state of the sponge function initialized by Init().
1891 * @param hashval Pointer to the buffer where to store the output data.
1892 * @return SUCCESS if successful, FAIL otherwise.
1894 HashReturn Final(hashState *state, BitSequence *hashval);
1896 * Function to compute a hash using the Keccak[r, c] sponge function.
1897 * The rate r and capacity c values are determined from @a hashbitlen.
1898 * @param hashbitlen The desired number of output bits.
1899 * @param data Pointer to the input data.
1900 * When @a databitLen is not a multiple of 8, the last bits of data must be
1901 * in the most significant bits of the last byte.
1902 * @param databitLen The number of input bits provided in the input data.
1903 * @param hashval Pointer to the buffer where to store the output data.
1904 * @pre The value of hashbitlen must be one of 224, 256, 384 and 512.
1905 * @return SUCCESS if successful, BAD_HASHLEN if the value of hashbitlen is incorrect.
1907 HashReturn Hash(int hashbitlen, const BitSequence *data, DataLength databitlen, BitSequence *hashval);
1912 // ================================================================================
1913 // =================== KeccakNISTInterface.c
1914 // ================================================================================
1919 The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
1920 Michaël Peeters and Gilles Van Assche. For more information, feedback or
1921 questions, please refer to our website: http://keccak.noekeon.org/
1923 Implementation by the designers,
1924 hereby denoted as "the implementer".
1926 To the extent possible under law, the implementer has waived all copyright
1927 and related or neighboring rights to the source code in this file.
1928 http://creativecommons.org/publicdomain/zero/1.0/
1932 //#include "KeccakNISTInterface.h"
1933 //#include "KeccakF-1600-interface.h"
1935 HashReturn Init(hashState *state, int hashbitlen)
1937 switch(hashbitlen) {
1938 case 0: // Default parameters, arbitrary length output
1939 InitSponge((spongeState*)state, 1024, 576);
1942 InitSponge((spongeState*)state, 1152, 448);
1945 InitSponge((spongeState*)state, 1088, 512);
1948 InitSponge((spongeState*)state, 832, 768);
1951 InitSponge((spongeState*)state, 576, 1024);
1956 state->fixedOutputLength = hashbitlen;
1960 HashReturn Update(hashState *state, const BitSequence *data, DataLength databitlen)
1962 if ((databitlen % 8) == 0)
1963 return (HashReturn)Absorb((spongeState*)state, data, databitlen);
1965 HashReturn ret = (HashReturn)Absorb((spongeState*)state, data, databitlen - (databitlen % 8));
1966 if (ret == SUCCESS) {
1967 unsigned char lastByte;
1968 // Align the last partial byte to the least significant bits
1969 lastByte = data[databitlen/8] >> (8 - (databitlen % 8));
1970 return (HashReturn)Absorb((spongeState*)state, &lastByte, databitlen % 8);
1977 HashReturn Final(hashState *state, BitSequence *hashval)
1979 return (HashReturn)Squeeze(state, hashval, state->fixedOutputLength);
1982 HashReturn Hash(int hashbitlen, const BitSequence *data, DataLength databitlen, BitSequence *hashval)
1987 if ((hashbitlen != 224) && (hashbitlen != 256) && (hashbitlen != 384) && (hashbitlen != 512))
1988 return BAD_HASHLEN; // Only the four fixed output lengths available through this API
1989 result = Init(&state, hashbitlen);
1990 if (result != SUCCESS)
1992 result = Update(&state, data, databitlen);
1993 if (result != SUCCESS)
1995 result = Final(&state, hashval);
2000 } // end of namespace KeccakImpl
2001 } // end of namespace Internal
2002 } // end of namespace MUtils
OSDN Git Service
