fips202.c 12 KB


  1. /* Based on the public domain implementation in
  2. * crypto_hash/keccakc512/simple/ from http://bench.cr.yp.to/supercop.html
  3. * by Ronny Van Keer
  4. * and the public domain "TweetFips202" implementation
  5. * from https://twitter.com/tweetfips202
  6. * by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe */
  7. #include <stdint.h>
  8. #include <assert.h>
  9. #include "../include/fips202.h"
  10. #define NROUNDS 24
  11. #define ROL(a, offset) ((a << offset) ^ (a >> (64-offset)))
  12. static uint64_t load64(const unsigned char *x)
  13. {
  14. unsigned long long r = 0, i;
  15. for (i = 0; i < 8; ++i) {
  16. r |= (unsigned long long)x[i] << 8 * i;
  17. }
  18. return r;
  19. }
  20. static void store64(uint8_t *x, uint64_t u)
  21. {
  22. unsigned int i;
  23. for(i=0; i<8; ++i) {
  24. x[i] = u;
  25. u >>= 8;
  26. }
  27. }
  28. static const uint64_t KeccakF_RoundConstants[NROUNDS] =
  29. {
  30. (uint64_t)0x0000000000000001ULL,
  31. (uint64_t)0x0000000000008082ULL,
  32. (uint64_t)0x800000000000808aULL,
  33. (uint64_t)0x8000000080008000ULL,
  34. (uint64_t)0x000000000000808bULL,
  35. (uint64_t)0x0000000080000001ULL,
  36. (uint64_t)0x8000000080008081ULL,
  37. (uint64_t)0x8000000000008009ULL,
  38. (uint64_t)0x000000000000008aULL,
  39. (uint64_t)0x0000000000000088ULL,
  40. (uint64_t)0x0000000080008009ULL,
  41. (uint64_t)0x000000008000000aULL,
  42. (uint64_t)0x000000008000808bULL,
  43. (uint64_t)0x800000000000008bULL,
  44. (uint64_t)0x8000000000008089ULL,
  45. (uint64_t)0x8000000000008003ULL,
  46. (uint64_t)0x8000000000008002ULL,
  47. (uint64_t)0x8000000000000080ULL,
  48. (uint64_t)0x000000000000800aULL,
  49. (uint64_t)0x800000008000000aULL,
  50. (uint64_t)0x8000000080008081ULL,
  51. (uint64_t)0x8000000000008080ULL,
  52. (uint64_t)0x0000000080000001ULL,
  53. (uint64_t)0x8000000080008008ULL
  54. };
  55. void KeccakF1600_StatePermute(uint64_t * state)
  56. {
  57. int round;
  58. uint64_t Aba, Abe, Abi, Abo, Abu;
  59. uint64_t Aga, Age, Agi, Ago, Agu;
  60. uint64_t Aka, Ake, Aki, Ako, Aku;
  61. uint64_t Ama, Ame, Ami, Amo, Amu;
  62. uint64_t Asa, Ase, Asi, Aso, Asu;
  63. uint64_t BCa, BCe, BCi, BCo, BCu;
  64. uint64_t Da, De, Di, Do, Du;
  65. uint64_t Eba, Ebe, Ebi, Ebo, Ebu;
  66. uint64_t Ega, Ege, Egi, Ego, Egu;
  67. uint64_t Eka, Eke, Eki, Eko, Eku;
  68. uint64_t Ema, Eme, Emi, Emo, Emu;
  69. uint64_t Esa, Ese, Esi, Eso, Esu;
  70. //copyFromState(A, state)
  71. Aba = state[ 0];
  72. Abe = state[ 1];
  73. Abi = state[ 2];
  74. Abo = state[ 3];
  75. Abu = state[ 4];
  76. Aga = state[ 5];
  77. Age = state[ 6];
  78. Agi = state[ 7];
  79. Ago = state[ 8];
  80. Agu = state[ 9];
  81. Aka = state[10];
  82. Ake = state[11];
  83. Aki = state[12];
  84. Ako = state[13];
  85. Aku = state[14];
  86. Ama = state[15];
  87. Ame = state[16];
  88. Ami = state[17];
  89. Amo = state[18];
  90. Amu = state[19];
  91. Asa = state[20];
  92. Ase = state[21];
  93. Asi = state[22];
  94. Aso = state[23];
  95. Asu = state[24];
  96. for( round = 0; round < NROUNDS; round += 2 )
  97. {
  98. // prepareTheta
  99. BCa = Aba^Aga^Aka^Ama^Asa;
  100. BCe = Abe^Age^Ake^Ame^Ase;
  101. BCi = Abi^Agi^Aki^Ami^Asi;
  102. BCo = Abo^Ago^Ako^Amo^Aso;
  103. BCu = Abu^Agu^Aku^Amu^Asu;
  104. //thetaRhoPiChiIotaPrepareTheta(round , A, E)
  105. Da = BCu^ROL(BCe, 1);
  106. De = BCa^ROL(BCi, 1);
  107. Di = BCe^ROL(BCo, 1);
  108. Do = BCi^ROL(BCu, 1);
  109. Du = BCo^ROL(BCa, 1);
  110. Aba ^= Da;
  111. BCa = Aba;
  112. Age ^= De;
  113. BCe = ROL(Age, 44);
  114. Aki ^= Di;
  115. BCi = ROL(Aki, 43);
  116. Amo ^= Do;
  117. BCo = ROL(Amo, 21);
  118. Asu ^= Du;
  119. BCu = ROL(Asu, 14);
  120. Eba = BCa ^((~BCe)& BCi );
  121. Eba ^= (uint64_t)KeccakF_RoundConstants[round];
  122. Ebe = BCe ^((~BCi)& BCo );
  123. Ebi = BCi ^((~BCo)& BCu );
  124. Ebo = BCo ^((~BCu)& BCa );
  125. Ebu = BCu ^((~BCa)& BCe );
  126. Abo ^= Do;
  127. BCa = ROL(Abo, 28);
  128. Agu ^= Du;
  129. BCe = ROL(Agu, 20);
  130. Aka ^= Da;
  131. BCi = ROL(Aka, 3);
  132. Ame ^= De;
  133. BCo = ROL(Ame, 45);
  134. Asi ^= Di;
  135. BCu = ROL(Asi, 61);
  136. Ega = BCa ^((~BCe)& BCi );
  137. Ege = BCe ^((~BCi)& BCo );
  138. Egi = BCi ^((~BCo)& BCu );
  139. Ego = BCo ^((~BCu)& BCa );
  140. Egu = BCu ^((~BCa)& BCe );
  141. Abe ^= De;
  142. BCa = ROL(Abe, 1);
  143. Agi ^= Di;
  144. BCe = ROL(Agi, 6);
  145. Ako ^= Do;
  146. BCi = ROL(Ako, 25);
  147. Amu ^= Du;
  148. BCo = ROL(Amu, 8);
  149. Asa ^= Da;
  150. BCu = ROL(Asa, 18);
  151. Eka = BCa ^((~BCe)& BCi );
  152. Eke = BCe ^((~BCi)& BCo );
  153. Eki = BCi ^((~BCo)& BCu );
  154. Eko = BCo ^((~BCu)& BCa );
  155. Eku = BCu ^((~BCa)& BCe );
  156. Abu ^= Du;
  157. BCa = ROL(Abu, 27);
  158. Aga ^= Da;
  159. BCe = ROL(Aga, 36);
  160. Ake ^= De;
  161. BCi = ROL(Ake, 10);
  162. Ami ^= Di;
  163. BCo = ROL(Ami, 15);
  164. Aso ^= Do;
  165. BCu = ROL(Aso, 56);
  166. Ema = BCa ^((~BCe)& BCi );
  167. Eme = BCe ^((~BCi)& BCo );
  168. Emi = BCi ^((~BCo)& BCu );
  169. Emo = BCo ^((~BCu)& BCa );
  170. Emu = BCu ^((~BCa)& BCe );
  171. Abi ^= Di;
  172. BCa = ROL(Abi, 62);
  173. Ago ^= Do;
  174. BCe = ROL(Ago, 55);
  175. Aku ^= Du;
  176. BCi = ROL(Aku, 39);
  177. Ama ^= Da;
  178. BCo = ROL(Ama, 41);
  179. Ase ^= De;
  180. BCu = ROL(Ase, 2);
  181. Esa = BCa ^((~BCe)& BCi );
  182. Ese = BCe ^((~BCi)& BCo );
  183. Esi = BCi ^((~BCo)& BCu );
  184. Eso = BCo ^((~BCu)& BCa );
  185. Esu = BCu ^((~BCa)& BCe );
  186. // prepareTheta
  187. BCa = Eba^Ega^Eka^Ema^Esa;
  188. BCe = Ebe^Ege^Eke^Eme^Ese;
  189. BCi = Ebi^Egi^Eki^Emi^Esi;
  190. BCo = Ebo^Ego^Eko^Emo^Eso;
  191. BCu = Ebu^Egu^Eku^Emu^Esu;
  192. //thetaRhoPiChiIotaPrepareTheta(round+1, E, A)
  193. Da = BCu^ROL(BCe, 1);
  194. De = BCa^ROL(BCi, 1);
  195. Di = BCe^ROL(BCo, 1);
  196. Do = BCi^ROL(BCu, 1);
  197. Du = BCo^ROL(BCa, 1);
  198. Eba ^= Da;
  199. BCa = Eba;
  200. Ege ^= De;
  201. BCe = ROL(Ege, 44);
  202. Eki ^= Di;
  203. BCi = ROL(Eki, 43);
  204. Emo ^= Do;
  205. BCo = ROL(Emo, 21);
  206. Esu ^= Du;
  207. BCu = ROL(Esu, 14);
  208. Aba = BCa ^((~BCe)& BCi );
  209. Aba ^= (uint64_t)KeccakF_RoundConstants[round+1];
  210. Abe = BCe ^((~BCi)& BCo );
  211. Abi = BCi ^((~BCo)& BCu );
  212. Abo = BCo ^((~BCu)& BCa );
  213. Abu = BCu ^((~BCa)& BCe );
  214. Ebo ^= Do;
  215. BCa = ROL(Ebo, 28);
  216. Egu ^= Du;
  217. BCe = ROL(Egu, 20);
  218. Eka ^= Da;
  219. BCi = ROL(Eka, 3);
  220. Eme ^= De;
  221. BCo = ROL(Eme, 45);
  222. Esi ^= Di;
  223. BCu = ROL(Esi, 61);
  224. Aga = BCa ^((~BCe)& BCi );
  225. Age = BCe ^((~BCi)& BCo );
  226. Agi = BCi ^((~BCo)& BCu );
  227. Ago = BCo ^((~BCu)& BCa );
  228. Agu = BCu ^((~BCa)& BCe );
  229. Ebe ^= De;
  230. BCa = ROL(Ebe, 1);
  231. Egi ^= Di;
  232. BCe = ROL(Egi, 6);
  233. Eko ^= Do;
  234. BCi = ROL(Eko, 25);
  235. Emu ^= Du;
  236. BCo = ROL(Emu, 8);
  237. Esa ^= Da;
  238. BCu = ROL(Esa, 18);
  239. Aka = BCa ^((~BCe)& BCi );
  240. Ake = BCe ^((~BCi)& BCo );
  241. Aki = BCi ^((~BCo)& BCu );
  242. Ako = BCo ^((~BCu)& BCa );
  243. Aku = BCu ^((~BCa)& BCe );
  244. Ebu ^= Du;
  245. BCa = ROL(Ebu, 27);
  246. Ega ^= Da;
  247. BCe = ROL(Ega, 36);
  248. Eke ^= De;
  249. BCi = ROL(Eke, 10);
  250. Emi ^= Di;
  251. BCo = ROL(Emi, 15);
  252. Eso ^= Do;
  253. BCu = ROL(Eso, 56);
  254. Ama = BCa ^((~BCe)& BCi );
  255. Ame = BCe ^((~BCi)& BCo );
  256. Ami = BCi ^((~BCo)& BCu );
  257. Amo = BCo ^((~BCu)& BCa );
  258. Amu = BCu ^((~BCa)& BCe );
  259. Ebi ^= Di;
  260. BCa = ROL(Ebi, 62);
  261. Ego ^= Do;
  262. BCe = ROL(Ego, 55);
  263. Eku ^= Du;
  264. BCi = ROL(Eku, 39);
  265. Ema ^= Da;
  266. BCo = ROL(Ema, 41);
  267. Ese ^= De;
  268. BCu = ROL(Ese, 2);
  269. Asa = BCa ^((~BCe)& BCi );
  270. Ase = BCe ^((~BCi)& BCo );
  271. Asi = BCi ^((~BCo)& BCu );
  272. Aso = BCo ^((~BCu)& BCa );
  273. Asu = BCu ^((~BCa)& BCe );
  274. }
  275. //copyToState(state, A)
  276. state[ 0] = Aba;
  277. state[ 1] = Abe;
  278. state[ 2] = Abi;
  279. state[ 3] = Abo;
  280. state[ 4] = Abu;
  281. state[ 5] = Aga;
  282. state[ 6] = Age;
  283. state[ 7] = Agi;
  284. state[ 8] = Ago;
  285. state[ 9] = Agu;
  286. state[10] = Aka;
  287. state[11] = Ake;
  288. state[12] = Aki;
  289. state[13] = Ako;
  290. state[14] = Aku;
  291. state[15] = Ama;
  292. state[16] = Ame;
  293. state[17] = Ami;
  294. state[18] = Amo;
  295. state[19] = Amu;
  296. state[20] = Asa;
  297. state[21] = Ase;
  298. state[22] = Asi;
  299. state[23] = Aso;
  300. state[24] = Asu;
  301. #undef round
  302. }
  303. #include <string.h>
  304. #define MIN(a, b) ((a) < (b) ? (a) : (b))
  305. static void keccak_absorb(uint64_t *s,
  306. unsigned int r,
  307. const unsigned char *m, unsigned long long int mlen,
  308. unsigned char p)
  309. {
  310. unsigned long long i;
  311. unsigned char t[200];
  312. // Zero state
  313. for (i = 0; i < 25; ++i)
  314. s[i] = 0;
  315. while (mlen >= r)
  316. {
  317. for (i = 0; i < r / 8; ++i)
  318. s[i] ^= load64(m + 8 * i);
  319. KeccakF1600_StatePermute(s);
  320. mlen -= r;
  321. m += r;
  322. }
  323. for (i = 0; i < r; ++i)
  324. t[i] = 0;
  325. for (i = 0; i < mlen; ++i)
  326. t[i] = m[i];
  327. t[i] = p;
  328. t[r - 1] |= 128;
  329. for (i = 0; i < r / 8; ++i)
  330. s[i] ^= load64(t + 8 * i);
  331. }
  332. static void keccak_squeezeblocks(unsigned char *h, unsigned long long int nblocks,
  333. uint64_t *s,
  334. unsigned int r)
  335. {
  336. unsigned int i;
  337. while(nblocks > 0)
  338. {
  339. KeccakF1600_StatePermute(s);
  340. for(i=0;i<(r>>3);i++)
  341. {
  342. store64(h+8*i, s[i]);
  343. }
  344. h += r;
  345. nblocks--;
  346. }
  347. }
  348. void shake128_absorb(uint64_t *s, const unsigned char *input, unsigned int inputByteLen)
  349. {
  350. keccak_absorb(s, SHAKE128_RATE, input, inputByteLen, 0x1F);
  351. }
  352. void shake128_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
  353. {
  354. keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE);
  355. }
  356. void shake256(unsigned char *output, unsigned long long outlen,
  357. const unsigned char *input, unsigned long long inlen)
  358. {
  359. uint64_t s[25];
  360. unsigned char t[SHAKE256_RATE];
  361. unsigned long long nblocks = outlen/SHAKE256_RATE;
  362. size_t i;
  363. /* Absorb input */
  364. keccak_absorb(s, SHAKE256_RATE, input, inlen, 0x1F);
  365. /* Squeeze output */
  366. keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE);
  367. output+=nblocks*SHAKE256_RATE;
  368. outlen-=nblocks*SHAKE256_RATE;
  369. if(outlen)
  370. {
  371. keccak_squeezeblocks(t, 1, s, SHAKE256_RATE);
  372. for(i=0;i<outlen;i++)
  373. output[i] = t[i];
  374. }
  375. }
  376. void shake128(unsigned char *output, unsigned long long outlen,
  377. const unsigned char *input, unsigned long long inlen)
  378. {
  379. uint64_t s[25];
  380. unsigned char t[SHAKE128_RATE];
  381. unsigned long long nblocks = outlen/SHAKE128_RATE;
  382. size_t i;
  383. /* Absorb input */
  384. keccak_absorb(s, SHAKE128_RATE, input, inlen, 0x1F);
  385. /* Squeeze output */
  386. keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE);
  387. output+=nblocks*SHAKE128_RATE;
  388. outlen-=nblocks*SHAKE128_RATE;
  389. if(outlen)
  390. {
  391. keccak_squeezeblocks(t, 1, s, SHAKE128_RATE);
  392. for(i=0;i<outlen;i++)
  393. output[i] = t[i];
  394. }
  395. }