keccakf.gno
1package keccak256
2
3import "math/bits"
4
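// rc stores the round constants for use in the ι step, one per round of
// Keccak-f[1600] (24 rounds in total).
//
// Go has no constant arrays, so this is a package-level variable. It must be
// treated as read-only: any write to it would silently change every digest
// computed afterwards.
var rc = [24]uint64{
	0x0000000000000001,
	0x0000000000008082,
	0x800000000000808A,
	0x8000000080008000,
	0x000000000000808B,
	0x0000000080000001,
	0x8000000080008081,
	0x8000000000008009,
	0x000000000000008A,
	0x0000000000000088,
	0x0000000080008009,
	0x000000008000000A,
	0x000000008000808B,
	0x800000000000008B,
	0x8000000000008089,
	0x8000000000008003,
	0x8000000000008002,
	0x8000000000000080,
	0x000000000000800A,
	0x800000008000000A,
	0x8000000080008081,
	0x8000000000008080,
	0x0000000080000001,
	0x8000000080008008,
}

// keccakF1600 applies the Keccak permutation to a 1600b-wide
// state represented as a pointer to an array of 25 uint64 lanes.
//
// The state is permuted in place; nothing is returned. On entry and on exit
// lane (x, y) is stored at a[x+5*y], which is the layout the column-parity
// computation at the top of each round group relies on.
//
// Only the permutation is implemented here. Absorbing input, padding and
// domain separation are left to the caller.
//
// Every array index below is either a literal or derived from the loop
// counter, and there are no branches on state values, so the code as written
// has no state-dependent control flow or memory access pattern. Whether that
// holds at run time depends on how the toolchain executes it.
func keccakF1600(a *[25]uint64) {
	// Implementation translated from Keccak-inplace.c
	// in the keccak reference code.
	var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64

	for i := 0; i < 24; i += 4 {
		// Combines the 5 steps in each round into 2 steps.
		// Unrolls 4 rounds per loop and spreads some steps across rounds.
		//
		// Each round writes its results back into the lanes it just read, so
		// the lane order in a differs from round to round. Round 4 reads and
		// writes a[0..24] in plain order, which restores the layout expected
		// by Round 1 of the next iteration. The statement order within a
		// round is therefore significant and must not be rearranged.

		// Round 1
		// θ, part 1: parity of each of the five columns.
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		// θ, part 2: per-column mask, the previous column's parity XOR the
		// next column's parity rotated left by one bit.
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		// The remaining steps are applied to five lanes at a time: XOR in the
		// θ mask, rotate by the lane's ρ offset, gather the lanes of one
		// output row (π), then mix the row with χ (x ^ (^y & z), written with
		// the AND-NOT operator &^). Only the first group of each round also
		// XORs in the round constant (ι).
		bc0 = a[0] ^ d0
		t = a[6] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[12] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[18] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[24] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i]
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[16] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[22] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[3] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[1] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[7] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[19] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[11] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[23] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[4] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[2] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[8] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[14] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		// Round 2
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[16] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[7] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[23] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[14] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1]
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[11] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[2] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[18] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[6] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[22] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[4] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[1] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[8] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[24] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[12] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[3] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[19] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		// Round 3
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[11] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[22] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[8] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[19] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2]
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[1] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[12] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[23] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[16] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[2] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[24] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[6] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[3] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[14] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[7] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[18] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[4] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		// Round 4
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		d0 = bc4 ^ (bc1<<1 | bc1>>63)
		d1 = bc0 ^ (bc2<<1 | bc2>>63)
		d2 = bc1 ^ (bc3<<1 | bc3>>63)
		d3 = bc2 ^ (bc4<<1 | bc4>>63)
		d4 = bc3 ^ (bc0<<1 | bc0>>63)

		bc0 = a[0] ^ d0
		t = a[1] ^ d1
		bc1 = bits.RotateLeft64(t, 44)
		t = a[2] ^ d2
		bc2 = bits.RotateLeft64(t, 43)
		t = a[3] ^ d3
		bc3 = bits.RotateLeft64(t, 21)
		t = a[4] ^ d4
		bc4 = bits.RotateLeft64(t, 14)
		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3]
		a[1] = bc1 ^ (bc3 &^ bc2)
		a[2] = bc2 ^ (bc4 &^ bc3)
		a[3] = bc3 ^ (bc0 &^ bc4)
		a[4] = bc4 ^ (bc1 &^ bc0)

		t = a[5] ^ d0
		bc2 = bits.RotateLeft64(t, 3)
		t = a[6] ^ d1
		bc3 = bits.RotateLeft64(t, 45)
		t = a[7] ^ d2
		bc4 = bits.RotateLeft64(t, 61)
		t = a[8] ^ d3
		bc0 = bits.RotateLeft64(t, 28)
		t = a[9] ^ d4
		bc1 = bits.RotateLeft64(t, 20)
		a[5] = bc0 ^ (bc2 &^ bc1)
		a[6] = bc1 ^ (bc3 &^ bc2)
		a[7] = bc2 ^ (bc4 &^ bc3)
		a[8] = bc3 ^ (bc0 &^ bc4)
		a[9] = bc4 ^ (bc1 &^ bc0)

		t = a[10] ^ d0
		bc4 = bits.RotateLeft64(t, 18)
		t = a[11] ^ d1
		bc0 = bits.RotateLeft64(t, 1)
		t = a[12] ^ d2
		bc1 = bits.RotateLeft64(t, 6)
		t = a[13] ^ d3
		bc2 = bits.RotateLeft64(t, 25)
		t = a[14] ^ d4
		bc3 = bits.RotateLeft64(t, 8)
		a[10] = bc0 ^ (bc2 &^ bc1)
		a[11] = bc1 ^ (bc3 &^ bc2)
		a[12] = bc2 ^ (bc4 &^ bc3)
		a[13] = bc3 ^ (bc0 &^ bc4)
		a[14] = bc4 ^ (bc1 &^ bc0)

		t = a[15] ^ d0
		bc1 = bits.RotateLeft64(t, 36)
		t = a[16] ^ d1
		bc2 = bits.RotateLeft64(t, 10)
		t = a[17] ^ d2
		bc3 = bits.RotateLeft64(t, 15)
		t = a[18] ^ d3
		bc4 = bits.RotateLeft64(t, 56)
		t = a[19] ^ d4
		bc0 = bits.RotateLeft64(t, 27)
		a[15] = bc0 ^ (bc2 &^ bc1)
		a[16] = bc1 ^ (bc3 &^ bc2)
		a[17] = bc2 ^ (bc4 &^ bc3)
		a[18] = bc3 ^ (bc0 &^ bc4)
		a[19] = bc4 ^ (bc1 &^ bc0)

		t = a[20] ^ d0
		bc3 = bits.RotateLeft64(t, 41)
		t = a[21] ^ d1
		bc4 = bits.RotateLeft64(t, 2)
		t = a[22] ^ d2
		bc0 = bits.RotateLeft64(t, 62)
		t = a[23] ^ d3
		bc1 = bits.RotateLeft64(t, 55)
		t = a[24] ^ d4
		bc2 = bits.RotateLeft64(t, 39)
		a[20] = bc0 ^ (bc2 &^ bc1)
		a[21] = bc1 ^ (bc3 &^ bc2)
		a[22] = bc2 ^ (bc4 &^ bc3)
		a[23] = bc3 ^ (bc0 &^ bc4)
		a[24] = bc4 ^ (bc1 &^ bc0)
	}
}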