crypto/sha3/keccakf.go

// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package sha3

// This file implements the core Keccak permutation function necessary for computing SHA3.
// This is implemented in a separate file to allow for replacement by an optimized implementation.
// Nothing in this package is exported.
// For the detailed specification, refer to the Keccak web site (http://keccak.noekeon.org/).

// rc stores the round constants for use in the ι step.
var rc = [...]uint64{
	0x0000000000000001,
	0x0000000000008082,
	0x800000000000808A,
	0x8000000080008000,
	0x000000000000808B,
	0x0000000080000001,
	0x8000000080008081,
	0x8000000000008009,
	0x000000000000008A,
	0x0000000000000088,
	0x0000000080008009,
	0x000000008000000A,
	0x000000008000808B,
	0x800000000000008B,
	0x8000000000008089,
	0x8000000000008003,
	0x8000000000008002,
	0x8000000000000080,
	0x000000000000800A,
	0x800000008000000A,
	0x8000000080008081,
	0x8000000000008080,
	0x0000000080000001,
	0x8000000080008008,
}

// keccakF computes the complete Keccak-f function consisting of 24 rounds with a different
// constant (rc) in each round. This implementation fully unrolls the round function to avoid
// inner loops, as well as pre-calculating shift offsets.
func keccakF(a *[numLanes]uint64) {
	var t, bc0, bc1, bc2, bc3, bc4 uint64
	for _, roundConstant := range rc {
		// θ step
		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
		t = bc4 ^ (bc1<<1 ^ bc1>>63)
		a[0] ^= t
		a[5] ^= t
		a[10] ^= t
		a[15] ^= t
		a[20] ^= t
		t = bc0 ^ (bc2<<1 ^ bc2>>63)
		a[1] ^= t
		a[6] ^= t
		a[11] ^= t
		a[16] ^= t
		a[21] ^= t
		t = bc1 ^ (bc3<<1 ^ bc3>>63)
		a[2] ^= t
		a[7] ^= t
		a[12] ^= t
		a[17] ^= t
		a[22] ^= t
		t = bc2 ^ (bc4<<1 ^ bc4>>63)
		a[3] ^= t
		a[8] ^= t
		a[13] ^= t
		a[18] ^= t
		a[23] ^= t
		t = bc3 ^ (bc0<<1 ^ bc0>>63)
		a[4] ^= t
		a[9] ^= t
		a[14] ^= t
		a[19] ^= t
		a[24] ^= t

		// ρ and π steps
		t = a[1]
		t, a[10] = a[10], t<<1^t>>(64-1)
		t, a[7] = a[7], t<<3^t>>(64-3)
		t, a[11] = a[11], t<<6^t>>(64-6)
		t, a[17] = a[17], t<<10^t>>(64-10)
		t, a[18] = a[18], t<<15^t>>(64-15)
		t, a[3] = a[3], t<<21^t>>(64-21)
		t, a[5] = a[5], t<<28^t>>(64-28)
		t, a[16] = a[16], t<<36^t>>(64-36)
		t, a[8] = a[8], t<<45^t>>(64-45)
		t, a[21] = a[21], t<<55^t>>(64-55)
		t, a[24] = a[24], t<<2^t>>(64-2)
		t, a[4] = a[4], t<<14^t>>(64-14)
		t, a[15] = a[15], t<<27^t>>(64-27)
		t, a[23] = a[23], t<<41^t>>(64-41)
		t, a[19] = a[19], t<<56^t>>(64-56)
		t, a[13] = a[13], t<<8^t>>(64-8)
		t, a[12] = a[12], t<<25^t>>(64-25)
		t, a[2] = a[2], t<<43^t>>(64-43)
		t, a[20] = a[20], t<<62^t>>(64-62)
		t, a[14] = a[14], t<<18^t>>(64-18)
		t, a[22] = a[22], t<<39^t>>(64-39)
		t, a[9] = a[9], t<<61^t>>(64-61)
		t, a[6] = a[6], t<<20^t>>(64-20)
		a[1] = t<<44 ^ t>>(64-44)

		// χ step
		bc0 = a[0]
		bc1 = a[1]
		bc2 = a[2]
		bc3 = a[3]
		bc4 = a[4]
		a[0] ^= bc2 &^ bc1
		a[1] ^= bc3 &^ bc2
		a[2] ^= bc4 &^ bc3
		a[3] ^= bc0 &^ bc4
		a[4] ^= bc1 &^ bc0
		bc0 = a[5]
		bc1 = a[6]
		bc2 = a[7]
		bc3 = a[8]
		bc4 = a[9]
		a[5] ^= bc2 &^ bc1
		a[6] ^= bc3 &^ bc2
		a[7] ^= bc4 &^ bc3
		a[8] ^= bc0 &^ bc4
		a[9] ^= bc1 &^ bc0
		bc0 = a[10]
		bc1 = a[11]
		bc2 = a[12]
		bc3 = a[13]
		bc4 = a[14]
		a[10] ^= bc2 &^ bc1
		a[11] ^= bc3 &^ bc2
		a[12] ^= bc4 &^ bc3
		a[13] ^= bc0 &^ bc4
		a[14] ^= bc1 &^ bc0
		bc0 = a[15]
		bc1 = a[16]
		bc2 = a[17]
		bc3 = a[18]
		bc4 = a[19]
		a[15] ^= bc2 &^ bc1
		a[16] ^= bc3 &^ bc2
		a[17] ^= bc4 &^ bc3
		a[18] ^= bc0 &^ bc4
		a[19] ^= bc1 &^ bc0
		bc0 = a[20]
		bc1 = a[21]
		bc2 = a[22]
		bc3 = a[23]
		bc4 = a[24]
		a[20] ^= bc2 &^ bc1
		a[21] ^= bc3 &^ bc2
		a[22] ^= bc4 &^ bc3
		a[23] ^= bc0 &^ bc4
		a[24] ^= bc1 &^ bc0

		// ι step
		a[0] ^= roundConstant
	}
}