// Copyright 2014 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
4
5package sha3
6
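// This implementation is only used for NewLegacyKeccak256 and
// NewLegacyKeccak512, which are not implemented by crypto/sha3.
// All other functions in this package are wrappers around crypto/sha3.
//
// The legacy Keccak hashes use the padding from the original Keccak
// submission rather than the FIPS 202 padding, so their digests differ from
// SHA3-256 and SHA3-512 for the same input. Use them only for compatibility
// with systems that already depend on that variant.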
10
11import "math/bits"
12
// rc holds the 24 round constants that the ι step XORs into lane 0 of the
// state, one constant per round. Each row below lists the four constants
// consumed by one iteration of the four-round unrolled loop in keccakF1600
// (rc[i], rc[i+1], rc[i+2], rc[i+3]).
var rc = [24]uint64{
	// rounds 0-3
	0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
	// rounds 4-7
	0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
	// rounds 8-11
	0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
	// rounds 12-15
	0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
	// rounds 16-19
	0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
	// rounds 20-23
	0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
}
40
// keccakF1600 applies the Keccak permutation to a 1600b-wide
// state represented as a pointer to an array of 25 uint64 lanes.
// The state is updated in place; nothing is returned.
//
// The loop below runs 6 iterations of 4 unrolled rounds each, i.e. 24 rounds
// in total, consuming rc[0] through rc[23] in order.
//
// NOTE(review): every index into a and rc is either a literal constant or the
// loop counter i, and no branch depends on the contents of the state, so the
// sequence of operations is independent of the data being hashed. Keep that
// property when editing: the state may hold secret-derived values depending on
// how callers use the hash.
//
// NOTE(review): the code is fully unrolled and writes lanes back in place, so
// its correctness depends on the exact statement order and lane indices. Any
// change should be checked against known-answer test vectors for the
// permutation and for the hashes built on top of it.
func keccakF1600(a *[25]uint64) {
	// Implementation translated from Keccak-inplace.c
	// in the keccak reference code.
	//
	// t is a scratch lane; bc0..bc4 first hold the five column parities and are
	// then reused as the five lanes of the row being processed; d0..d4 are the
	// per-column values XORed into every lane of that column.
	var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64

	for i := 0; i < 24; i += 4 {
		// Combines the 5 steps in each round into 2 steps.
		// Unrolls 4 rounds per loop and spreads some steps across rounds.
		//
		// Within a round, the first step computes the column parities and the
		// d values. The second step handles five lanes at a time: each lane is
		// XORed with its column's d value, rotated left by a fixed amount and
		// placed into bc0..bc4; the five results are then combined as
		// bcX ^ (bcX+2 &^ bcX+1), where &^ is Go's AND NOT, and stored back
		// into the same five array slots that were just read. The round
		// constant is XORed into a[0] only.

		// Round 1
		// bcX is the XOR of the five lanes a[X], a[X+5], ..., a[X+20].
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		// dX = bc(X-1) ^ rotl(bc(X+1), 1), indices taken mod 5;
		// (v<<1 | v>>63) is a 64-bit rotate left by one.
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		// First group: a[0] is not rotated, and it is the only lane that
		// receives the round constant.
		bc0 = a[0] ^ d0
		t = a[6] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[12] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[18] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[24] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i]
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[16] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[22] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[3] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[1] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[7] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[19] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[11] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[23] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[4] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[2] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[8] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[14] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		// Round 2
		// Same rotation amounts and the same parity/d computation as round 1;
		// only the lane indices in the five groups differ, and rc[i+1] is used.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[16] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[7] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[23] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[14] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1]
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[11] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[2] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[18] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[6] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[22] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[4] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[1] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[8] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[24] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[12] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[3] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[19] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		// Round 3
		// Again the same structure with a different set of lane indices;
		// rc[i+2] is used.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[11] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[22] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[8] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[19] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2]
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[1] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[12] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[23] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[16] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[2] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[24] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[6] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[3] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[14] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[7] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[18] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[4] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		// Round 4
		// In this round each group reads and writes five consecutive lanes
		// (a[0..4], a[5..9], ..., a[20..24]); rc[i+3] is used.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[1] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[2] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[3] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[4] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3]
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[6] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[7] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[8] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[11] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[12] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[14] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[16] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[18] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[19] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[22] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[23] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[24] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)
	}
}