/*
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdint.h>
#include <string.h>
#include <assert.h>
#define ROL64(a, offset) ((offset) ? (((a) << offset) | ((a) >> (64-offset))) \
: a)
#if defined(KECCAK_REF)
/*
* This is straightforward or "maximum clarity" implementation aiming
* to resemble section 3.2 of the FIPS PUB 202 "SHA-3 Standard:
* Permutation-Based Hash and Extendible-Output Functions" as much as
* possible. With one caveat. Because of the way C stores matrices,
* references to A[x,y] in the specification are presented as A[y][x].
* Implementation unrolls inner x-loops so that modulo 5 operations are
* explicitly pre-computed.
*/
static void Theta(uint64_t A[5][5])
{
uint64_t C[5], D[5];
size_t y;
C[0] = A[0][0];
C[1] = A[0][1];
C[2] = A[0][2];
C[3] = A[0][3];
C[4] = A[0][4];
for (y = 1; y < 5; y++) {
C[0] ^= A[y][0];
C[1] ^= A[y][1];
C[2] ^= A[y][2];
C[3] ^= A[y][3];
C[4] ^= A[y][4];
}
D[0] = ROL64(C[1], 1) ^ C[4];
D[1] = ROL64(C[2], 1) ^ C[0];
D[2] = ROL64(C[3], 1) ^ C[1];
D[3] = ROL64(C[4], 1) ^ C[2];
D[4] = ROL64(C[0], 1) ^ C[3];
for (y = 0; y < 5; y++) {
A[y][0] ^= D[0];
A[y][1] ^= D[1];
A[y][2] ^= D[2];
A[y][3] ^= D[3];
A[y][4] ^= D[4];
}
}
static void Rho(uint64_t A[5][5])
{
static const unsigned char rhotates[5][5] = {
{ 0, 1, 62, 28, 27 },
{ 36, 44, 6, 55, 20 },
{ 3, 10, 43, 25, 39 },
{ 41, 45, 15, 21, 8 },
{ 18, 2, 61, 56, 14 }
};
size_t y;
for (y = 0; y < 5; y++) {
A[y][0] = ROL64(A[y][0], rhotates[y][0]);
A[y][1] = ROL64(A[y][1], rhotates[y][1]);
A[y][2] = ROL64(A[y][2], rhotates[y][2]);
A[y][3] = ROL64(A[y][3], rhotates[y][3]);
A[y][4] = ROL64(A[y][4], rhotates[y][4]);
}
}
static void Pi(uint64_t A[5][5])
{
uint64_t T[5][5];
/*
* T = A
* A[y][x] = T[x][(3*y+x)%5]
*/
memcpy(T, A, sizeof(T));
A[0][0] = T[0][0];
A[0][1] = T[1][1];
A[0][2] = T[2][2];
A[0][3] = T[3][3];
A[0][4] = T[4][4];
A[1][0] = T[0][3];
A[1][1] = T[1][4<