You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

418 line
10 KiB

  1. /* Based on the public domain implementation in
  2. * crypto_hash/keccakc512/simple/ from http://bench.cr.yp.to/supercop.html
  3. * by Ronny Van Keer
  4. * and the public domain "TweetFips202" implementation
  5. * from https://twitter.com/tweetfips202
  6. * by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe */
  7. #include <stdint.h>
  8. #include <assert.h>
  9. #include "fips202.h"
  10. #define NROUNDS 24
  11. #define ROL(a, offset) ((a << offset) ^ (a >> (64-offset)))
  12. static uint64_t load64(const unsigned char *x)
  13. {
  14. unsigned long long r = 0, i;
  15. for (i = 0; i < 8; ++i) {
  16. r |= (unsigned long long)x[i] << 8 * i;
  17. }
  18. return r;
  19. }
  20. static void store64(uint8_t *x, uint64_t u)
  21. {
  22. unsigned int i;
  23. for (i = 0; i < 8; ++i) {
  24. x[i] = u;
  25. u >>= 8;
  26. }
  27. }
  28. static const uint64_t KeccakF_RoundConstants[NROUNDS] =
  29. {
  30. (uint64_t)0x0000000000000001ULL,
  31. (uint64_t)0x0000000000008082ULL,
  32. (uint64_t)0x800000000000808aULL,
  33. (uint64_t)0x8000000080008000ULL,
  34. (uint64_t)0x000000000000808bULL,
  35. (uint64_t)0x0000000080000001ULL,
  36. (uint64_t)0x8000000080008081ULL,
  37. (uint64_t)0x8000000000008009ULL,
  38. (uint64_t)0x000000000000008aULL,
  39. (uint64_t)0x0000000000000088ULL,
  40. (uint64_t)0x0000000080008009ULL,
  41. (uint64_t)0x000000008000000aULL,
  42. (uint64_t)0x000000008000808bULL,
  43. (uint64_t)0x800000000000008bULL,
  44. (uint64_t)0x8000000000008089ULL,
  45. (uint64_t)0x8000000000008003ULL,
  46. (uint64_t)0x8000000000008002ULL,
  47. (uint64_t)0x8000000000000080ULL,
  48. (uint64_t)0x000000000000800aULL,
  49. (uint64_t)0x800000008000000aULL,
  50. (uint64_t)0x8000000080008081ULL,
  51. (uint64_t)0x8000000000008080ULL,
  52. (uint64_t)0x0000000080000001ULL,
  53. (uint64_t)0x8000000080008008ULL
  54. };
  55. void KeccakF1600_StatePermute(uint64_t * state)
  56. {
  57. int round;
  58. uint64_t Aba, Abe, Abi, Abo, Abu;
  59. uint64_t Aga, Age, Agi, Ago, Agu;
  60. uint64_t Aka, Ake, Aki, Ako, Aku;
  61. uint64_t Ama, Ame, Ami, Amo, Amu;
  62. uint64_t Asa, Ase, Asi, Aso, Asu;
  63. uint64_t BCa, BCe, BCi, BCo, BCu;
  64. uint64_t Da, De, Di, Do, Du;
  65. uint64_t Eba, Ebe, Ebi, Ebo, Ebu;
  66. uint64_t Ega, Ege, Egi, Ego, Egu;
  67. uint64_t Eka, Eke, Eki, Eko, Eku;
  68. uint64_t Ema, Eme, Emi, Emo, Emu;
  69. uint64_t Esa, Ese, Esi, Eso, Esu;
  70. //copyFromState(A, state)
  71. Aba = state[ 0];
  72. Abe = state[ 1];
  73. Abi = state[ 2];
  74. Abo = state[ 3];
  75. Abu = state[ 4];
  76. Aga = state[ 5];
  77. Age = state[ 6];
  78. Agi = state[ 7];
  79. Ago = state[ 8];
  80. Agu = state[ 9];
  81. Aka = state[10];
  82. Ake = state[11];
  83. Aki = state[12];
  84. Ako = state[13];
  85. Aku = state[14];
  86. Ama = state[15];
  87. Ame = state[16];
  88. Ami = state[17];
  89. Amo = state[18];
  90. Amu = state[19];
  91. Asa = state[20];
  92. Ase = state[21];
  93. Asi = state[22];
  94. Aso = state[23];
  95. Asu = state[24];
  96. for (round = 0; round < NROUNDS; round += 2) {
  97. // prepareTheta
  98. BCa = Aba^Aga^Aka^Ama^Asa;
  99. BCe = Abe^Age^Ake^Ame^Ase;
  100. BCi = Abi^Agi^Aki^Ami^Asi;
  101. BCo = Abo^Ago^Ako^Amo^Aso;
  102. BCu = Abu^Agu^Aku^Amu^Asu;
  103. //thetaRhoPiChiIotaPrepareTheta(round , A, E)
  104. Da = BCu^ROL(BCe, 1);
  105. De = BCa^ROL(BCi, 1);
  106. Di = BCe^ROL(BCo, 1);
  107. Do = BCi^ROL(BCu, 1);
  108. Du = BCo^ROL(BCa, 1);
  109. Aba ^= Da;
  110. BCa = Aba;
  111. Age ^= De;
  112. BCe = ROL(Age, 44);
  113. Aki ^= Di;
  114. BCi = ROL(Aki, 43);
  115. Amo ^= Do;
  116. BCo = ROL(Amo, 21);
  117. Asu ^= Du;
  118. BCu = ROL(Asu, 14);
  119. Eba = BCa ^((~BCe)& BCi );
  120. Eba ^= (uint64_t)KeccakF_RoundConstants[round];
  121. Ebe = BCe ^((~BCi)& BCo );
  122. Ebi = BCi ^((~BCo)& BCu );
  123. Ebo = BCo ^((~BCu)& BCa );
  124. Ebu = BCu ^((~BCa)& BCe );
  125. Abo ^= Do;
  126. BCa = ROL(Abo, 28);
  127. Agu ^= Du;
  128. BCe = ROL(Agu, 20);
  129. Aka ^= Da;
  130. BCi = ROL(Aka, 3);
  131. Ame ^= De;
  132. BCo = ROL(Ame, 45);
  133. Asi ^= Di;
  134. BCu = ROL(Asi, 61);
  135. Ega = BCa ^((~BCe)& BCi );
  136. Ege = BCe ^((~BCi)& BCo );
  137. Egi = BCi ^((~BCo)& BCu );
  138. Ego = BCo ^((~BCu)& BCa );
  139. Egu = BCu ^((~BCa)& BCe );
  140. Abe ^= De;
  141. BCa = ROL(Abe, 1);
  142. Agi ^= Di;
  143. BCe = ROL(Agi, 6);
  144. Ako ^= Do;
  145. BCi = ROL(Ako, 25);
  146. Amu ^= Du;
  147. BCo = ROL(Amu, 8);
  148. Asa ^= Da;
  149. BCu = ROL(Asa, 18);
  150. Eka = BCa ^((~BCe)& BCi );
  151. Eke = BCe ^((~BCi)& BCo );
  152. Eki = BCi ^((~BCo)& BCu );
  153. Eko = BCo ^((~BCu)& BCa );
  154. Eku = BCu ^((~BCa)& BCe );
  155. Abu ^= Du;
  156. BCa = ROL(Abu, 27);
  157. Aga ^= Da;
  158. BCe = ROL(Aga, 36);
  159. Ake ^= De;
  160. BCi = ROL(Ake, 10);
  161. Ami ^= Di;
  162. BCo = ROL(Ami, 15);
  163. Aso ^= Do;
  164. BCu = ROL(Aso, 56);
  165. Ema = BCa ^((~BCe)& BCi );
  166. Eme = BCe ^((~BCi)& BCo );
  167. Emi = BCi ^((~BCo)& BCu );
  168. Emo = BCo ^((~BCu)& BCa );
  169. Emu = BCu ^((~BCa)& BCe );
  170. Abi ^= Di;
  171. BCa = ROL(Abi, 62);
  172. Ago ^= Do;
  173. BCe = ROL(Ago, 55);
  174. Aku ^= Du;
  175. BCi = ROL(Aku, 39);
  176. Ama ^= Da;
  177. BCo = ROL(Ama, 41);
  178. Ase ^= De;
  179. BCu = ROL(Ase, 2);
  180. Esa = BCa ^((~BCe)& BCi );
  181. Ese = BCe ^((~BCi)& BCo );
  182. Esi = BCi ^((~BCo)& BCu );
  183. Eso = BCo ^((~BCu)& BCa );
  184. Esu = BCu ^((~BCa)& BCe );
  185. // prepareTheta
  186. BCa = Eba^Ega^Eka^Ema^Esa;
  187. BCe = Ebe^Ege^Eke^Eme^Ese;
  188. BCi = Ebi^Egi^Eki^Emi^Esi;
  189. BCo = Ebo^Ego^Eko^Emo^Eso;
  190. BCu = Ebu^Egu^Eku^Emu^Esu;
  191. //thetaRhoPiChiIotaPrepareTheta(round+1, E, A)
  192. Da = BCu^ROL(BCe, 1);
  193. De = BCa^ROL(BCi, 1);
  194. Di = BCe^ROL(BCo, 1);
  195. Do = BCi^ROL(BCu, 1);
  196. Du = BCo^ROL(BCa, 1);
  197. Eba ^= Da;
  198. BCa = Eba;
  199. Ege ^= De;
  200. BCe = ROL(Ege, 44);
  201. Eki ^= Di;
  202. BCi = ROL(Eki, 43);
  203. Emo ^= Do;
  204. BCo = ROL(Emo, 21);
  205. Esu ^= Du;
  206. BCu = ROL(Esu, 14);
  207. Aba = BCa ^((~BCe)& BCi );
  208. Aba ^= (uint64_t)KeccakF_RoundConstants[round+1];
  209. Abe = BCe ^((~BCi)& BCo );
  210. Abi = BCi ^((~BCo)& BCu );
  211. Abo = BCo ^((~BCu)& BCa );
  212. Abu = BCu ^((~BCa)& BCe );
  213. Ebo ^= Do;
  214. BCa = ROL(Ebo, 28);
  215. Egu ^= Du;
  216. BCe = ROL(Egu, 20);
  217. Eka ^= Da;
  218. BCi = ROL(Eka, 3);
  219. Eme ^= De;
  220. BCo = ROL(Eme, 45);
  221. Esi ^= Di;
  222. BCu = ROL(Esi, 61);
  223. Aga = BCa ^((~BCe)& BCi );
  224. Age = BCe ^((~BCi)& BCo );
  225. Agi = BCi ^((~BCo)& BCu );
  226. Ago = BCo ^((~BCu)& BCa );
  227. Agu = BCu ^((~BCa)& BCe );
  228. Ebe ^= De;
  229. BCa = ROL(Ebe, 1);
  230. Egi ^= Di;
  231. BCe = ROL(Egi, 6);
  232. Eko ^= Do;
  233. BCi = ROL(Eko, 25);
  234. Emu ^= Du;
  235. BCo = ROL(Emu, 8);
  236. Esa ^= Da;
  237. BCu = ROL(Esa, 18);
  238. Aka = BCa ^((~BCe)& BCi );
  239. Ake = BCe ^((~BCi)& BCo );
  240. Aki = BCi ^((~BCo)& BCu );
  241. Ako = BCo ^((~BCu)& BCa );
  242. Aku = BCu ^((~BCa)& BCe );
  243. Ebu ^= Du;
  244. BCa = ROL(Ebu, 27);
  245. Ega ^= Da;
  246. BCe = ROL(Ega, 36);
  247. Eke ^= De;
  248. BCi = ROL(Eke, 10);
  249. Emi ^= Di;
  250. BCo = ROL(Emi, 15);
  251. Eso ^= Do;
  252. BCu = ROL(Eso, 56);
  253. Ama = BCa ^((~BCe)& BCi );
  254. Ame = BCe ^((~BCi)& BCo );
  255. Ami = BCi ^((~BCo)& BCu );
  256. Amo = BCo ^((~BCu)& BCa );
  257. Amu = BCu ^((~BCa)& BCe );
  258. Ebi ^= Di;
  259. BCa = ROL(Ebi, 62);
  260. Ego ^= Do;
  261. BCe = ROL(Ego, 55);
  262. Eku ^= Du;
  263. BCi = ROL(Eku, 39);
  264. Ema ^= Da;
  265. BCo = ROL(Ema, 41);
  266. Ese ^= De;
  267. BCu = ROL(Ese, 2);
  268. Asa = BCa ^((~BCe)& BCi );
  269. Ase = BCe ^((~BCi)& BCo );
  270. Asi = BCi ^((~BCo)& BCu );
  271. Aso = BCo ^((~BCu)& BCa );
  272. Asu = BCu ^((~BCa)& BCe );
  273. }
  274. //copyToState(state, A)
  275. state[ 0] = Aba;
  276. state[ 1] = Abe;
  277. state[ 2] = Abi;
  278. state[ 3] = Abo;
  279. state[ 4] = Abu;
  280. state[ 5] = Aga;
  281. state[ 6] = Age;
  282. state[ 7] = Agi;
  283. state[ 8] = Ago;
  284. state[ 9] = Agu;
  285. state[10] = Aka;
  286. state[11] = Ake;
  287. state[12] = Aki;
  288. state[13] = Ako;
  289. state[14] = Aku;
  290. state[15] = Ama;
  291. state[16] = Ame;
  292. state[17] = Ami;
  293. state[18] = Amo;
  294. state[19] = Amu;
  295. state[20] = Asa;
  296. state[21] = Ase;
  297. state[22] = Asi;
  298. state[23] = Aso;
  299. state[24] = Asu;
  300. }
  301. #include <string.h>
  302. static void keccak_absorb(uint64_t *s, unsigned int r,
  303. const unsigned char *m, unsigned long long mlen,
  304. unsigned char p)
  305. {
  306. unsigned long long i;
  307. unsigned char t[200];
  308. while (mlen >= r) {
  309. for (i = 0; i < r / 8; ++i) {
  310. s[i] ^= load64(m + 8 * i);
  311. }
  312. KeccakF1600_StatePermute(s);
  313. mlen -= r;
  314. m += r;
  315. }
  316. for (i = 0; i < r; ++i) {
  317. t[i] = 0;
  318. }
  319. for (i = 0; i < mlen; ++i) {
  320. t[i] = m[i];
  321. }
  322. t[i] = p;
  323. t[r - 1] |= 128;
  324. for (i = 0; i < r / 8; ++i) {
  325. s[i] ^= load64(t + 8 * i);
  326. }
  327. }
  328. static void keccak_squeezeblocks(unsigned char *h, unsigned long long nblocks,
  329. uint64_t *s, unsigned int r)
  330. {
  331. unsigned int i;
  332. while (nblocks > 0) {
  333. KeccakF1600_StatePermute(s);
  334. for (i = 0; i < (r >> 3); i++) {
  335. store64(h + 8*i, s[i]);
  336. }
  337. h += r;
  338. nblocks--;
  339. }
  340. }
  341. void shake128(unsigned char *out, unsigned long long outlen,
  342. const unsigned char *in, unsigned long long inlen)
  343. {
  344. unsigned long long i;
  345. uint64_t s[25];
  346. unsigned char d[SHAKE128_RATE];
  347. for (i = 0; i < 25; i++) {
  348. s[i] = 0;
  349. }
  350. keccak_absorb(s, SHAKE128_RATE, in, inlen, 0x1F);
  351. keccak_squeezeblocks(out, outlen / SHAKE128_RATE, s, SHAKE128_RATE);
  352. out += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
  353. if (outlen % SHAKE128_RATE) {
  354. keccak_squeezeblocks(d, 1, s, SHAKE128_RATE);
  355. for (i = 0; i < outlen % SHAKE128_RATE; i++) {
  356. out[i] = d[i];
  357. }
  358. }
  359. }
  360. void shake256(unsigned char *output, unsigned long long outlen,
  361. const unsigned char *in, unsigned long long inlen)
  362. {
  363. unsigned long long i;
  364. uint64_t s[25];
  365. unsigned char d[SHAKE256_RATE];
  366. for (i = 0; i < 25; i++) {
  367. s[i] = 0;
  368. }
  369. keccak_absorb(s, SHAKE256_RATE, in, inlen, 0x1F);
  370. keccak_squeezeblocks(output, outlen / SHAKE256_RATE, s, SHAKE256_RATE);
  371. output += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
  372. if (outlen % SHAKE256_RATE) {
  373. keccak_squeezeblocks(d, 1, s, SHAKE256_RATE);
  374. for (i = 0; i < outlen % SHAKE256_RATE; i++) {
  375. output[i] = d[i];
  376. }
  377. }
  378. }