1
// keccak.c
2
// 19-Nov-11  Markku-Juhani O. Saarinen <[email protected]>
3
// A baseline Keccak (3rd round) implementation.
4

5
#include "hash-ops.h"
6
#include "c_keccak.h"
7

8
const uint64_t keccakf_rndc[24] = 
9
{
10
    0x0000000000000001, 0x0000000000008082, 0x800000000000808a,
11
    0x8000000080008000, 0x000000000000808b, 0x0000000080000001,
12
    0x8000000080008081, 0x8000000000008009, 0x000000000000008a,
13
    0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
14
    0x000000008000808b, 0x800000000000008b, 0x8000000000008089,
15
    0x8000000000008003, 0x8000000000008002, 0x8000000000000080, 
16
    0x000000000000800a, 0x800000008000000a, 0x8000000080008081,
17
    0x8000000000008080, 0x0000000080000001, 0x8000000080008008
18
};
19

20
const int keccakf_rotc[24] = 
21
{
22
    1,  3,  6,  10, 15, 21, 28, 36, 45, 55, 2,  14, 
23
    27, 41, 56, 8,  25, 43, 62, 18, 39, 61, 20, 44
24
};
25

26
const int keccakf_piln[24] = 
27
{
28
    10, 7,  11, 17, 18, 3, 5,  16, 8,  21, 24, 4, 
29
    15, 23, 19, 13, 12, 2, 20, 14, 22, 9,  6,  1 
30
};
31

32
// update the state with given number of rounds
33

34
void keccakf(uint64_t st[25], int rounds)
35
{
36
    int i, j, round;
37
    uint64_t t, bc[5];
38

39
    for (round = 0; round < rounds; ++round) {
40

41
        // Theta
42
        bc[0] = st[0] ^ st[5] ^ st[10] ^ st[15] ^ st[20];
43
        bc[1] = st[1] ^ st[6] ^ st[11] ^ st[16] ^ st[21];
44
        bc[2] = st[2] ^ st[7] ^ st[12] ^ st[17] ^ st[22];
45
        bc[3] = st[3] ^ st[8] ^ st[13] ^ st[18] ^ st[23];
46
        bc[4] = st[4] ^ st[9] ^ st[14] ^ st[19] ^ st[24];
47

48
        for (i = 0; i < 5; ++i) {
49
            t = bc[(i + 4) % 5] ^ ROTL64(bc[(i + 1) % 5], 1);
50
            st[i     ] ^= t;
51
            st[i +  5] ^= t;
52
            st[i + 10] ^= t;
53
            st[i + 15] ^= t;
54
            st[i + 20] ^= t;
55
        }
56

57
        // Rho Pi
58
        t = st[1];
59
        for (i = 0; i < 24; ++i) {
60
            bc[0] = st[keccakf_piln[i]];
61
            st[keccakf_piln[i]] = ROTL64(t, keccakf_rotc[i]);
62
            t = bc[0];
63
        }
64

65
        //  Chi
66
        for (j = 0; j < 25; j += 5) {
67
            bc[0] = st[j    ];
68
            bc[1] = st[j + 1];
69
            bc[2] = st[j + 2];
70
            bc[3] = st[j + 3];
71
            bc[4] = st[j + 4];
72
            st[j    ] ^= (~bc[1]) & bc[2];
73
            st[j + 1] ^= (~bc[2]) & bc[3];
74
            st[j + 2] ^= (~bc[3]) & bc[4];
75
            st[j + 3] ^= (~bc[4]) & bc[0];
76
            st[j + 4] ^= (~bc[0]) & bc[1];
77
        }
78

79
        //  Iota
80
        st[0] ^= keccakf_rndc[round];
81
    }
82
}
83

84
// compute a keccak hash (md) of given byte length from "in"
85
typedef uint64_t state_t[25];
86

87
int keccak(const uint8_t *in, int inlen, uint8_t *md, int mdlen)
88
{
89
    state_t st;
90
    uint8_t temp[144];
91
    int i, rsiz, rsizw;
92

93
    rsiz = sizeof(state_t) == mdlen ? HASH_DATA_AREA : 200 - 2 * mdlen;
94
    rsizw = rsiz / 8;
95
    
96
    memset(st, 0, sizeof(st));
97

98
    for ( ; inlen >= rsiz; inlen -= rsiz, in += rsiz) {
99
        for (i = 0; i < rsizw; i++)
100
            st[i] ^= ((uint64_t *) in)[i];
101
        keccakf(st, KECCAK_ROUNDS);
102
    }
103
    
104
    // last block and padding
105
    memcpy(temp, in, inlen);
106
    temp[inlen++] = 1;
107
    memset(temp + inlen, 0, rsiz - inlen);
108
    temp[rsiz - 1] |= 0x80;
109

110
    for (i = 0; i < rsizw; i++)
111
        st[i] ^= ((uint64_t *) temp)[i];
112

113
    keccakf(st, KECCAK_ROUNDS);
114

115
    memcpy(md, st, mdlen);
116

117
    return 0;
118
}
119

120
void keccak1600(const uint8_t *in, int inlen, uint8_t *md)
121
{
122
    keccak(in, inlen, md, sizeof(state_t));
123
}
124

125