jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
396 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: a32fd62512
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a32fd62512'
${ noResults }
ed448goldilocks/src/sha512.c

254 lines
6.8 KiB
Raw Blame History 

  1. 

  2. 

  3. /* Based on DJB's crypto_hashblocks/ref implementation.

  4.  * Public domain.

  5.  */

  6. 

  7. #include <decaf/sha512.h>

  8. #include <string.h>

  9. #include <assert.h>

  10. 

  11. static uint64_t load_bigendian(const uint8_t *x)

  12. {

  13.   return

  14.       (uint64_t) (x[7]) \

  15.   | (((uint64_t) (x[6])) << 8) \

  16.   | (((uint64_t) (x[5])) << 16) \

  17.   | (((uint64_t) (x[4])) << 24) \

  18.   | (((uint64_t) (x[3])) << 32) \

  19.   | (((uint64_t) (x[2])) << 40) \

  20.   | (((uint64_t) (x[1])) << 48) \

  21.   | (((uint64_t) (x[0])) << 56)

  22.   ;

  23. }

  24. 

  25. #define SHR(x,c) ((x) >> (c))

  26. #define ROTR(x,c) (((x) >> (c)) | ((x) << (64 - (c))))

  27. 

  28. #define Ch(x,y,z) ((x & y) ^ (~x & z))

  29. #define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z))

  30. #define Sigma0(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))

  31. #define Sigma1(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))

  32. #define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x,7))

  33. #define sigma1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x,6))

  34. 

  35. #define M(w0,w14,w9,w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0;

  36. 

  37. #define EXPAND \

  38.   M(w0 ,w14,w9 ,w1 ) \

  39.   M(w1 ,w15,w10,w2 ) \

  40.   M(w2 ,w0 ,w11,w3 ) \

  41.   M(w3 ,w1 ,w12,w4 ) \

  42.   M(w4 ,w2 ,w13,w5 ) \

  43.   M(w5 ,w3 ,w14,w6 ) \

  44.   M(w6 ,w4 ,w15,w7 ) \

  45.   M(w7 ,w5 ,w0 ,w8 ) \

  46.   M(w8 ,w6 ,w1 ,w9 ) \

  47.   M(w9 ,w7 ,w2 ,w10) \

  48.   M(w10,w8 ,w3 ,w11) \

  49.   M(w11,w9 ,w4 ,w12) \

  50.   M(w12,w10,w5 ,w13) \

  51.   M(w13,w11,w6 ,w14) \

  52.   M(w14,w12,w7 ,w15) \

  53.   M(w15,w13,w8 ,w0 )

  54. 

  55. #define F(w,k) \

  56.   T1 = h + Sigma1(e) + Ch(e,f,g) + k + w; \

  57.   T2 = Sigma0(a) + Maj(a,b,c); \

  58.   h = g; \

  59.   g = f; \

  60.   f = e; \

  61.   e = d + T1; \

  62.   d = c; \

  63.   c = b; \

  64.   b = a; \

  65.   a = T1 + T2;

  66. 

  67. static NOINLINE void hashblock(decaf_sha512_ctx_t ctx) {

  68.     const uint8_t *in = ctx->block;

  69.     uint64_t a = ctx->state[0];

  70.     uint64_t b = ctx->state[1];

  71.     uint64_t c = ctx->state[2];

  72.     uint64_t d = ctx->state[3];

  73.     uint64_t e = ctx->state[4];

  74.     uint64_t f = ctx->state[5];

  75.     uint64_t g = ctx->state[6];

  76.     uint64_t h = ctx->state[7];

  77.     uint64_t T1;

  78.     uint64_t T2;

  79.     

  80.     uint64_t w0  = load_bigendian(in +   0);

  81.     uint64_t w1  = load_bigendian(in +   8);

  82.     uint64_t w2  = load_bigendian(in +  16);

  83.     uint64_t w3  = load_bigendian(in +  24);

  84.     uint64_t w4  = load_bigendian(in +  32);

  85.     uint64_t w5  = load_bigendian(in +  40);

  86.     uint64_t w6  = load_bigendian(in +  48);

  87.     uint64_t w7  = load_bigendian(in +  56);

  88.     uint64_t w8  = load_bigendian(in +  64);

  89.     uint64_t w9  = load_bigendian(in +  72);

  90.     uint64_t w10 = load_bigendian(in +  80);

  91.     uint64_t w11 = load_bigendian(in +  88);

  92.     uint64_t w12 = load_bigendian(in +  96);

  93.     uint64_t w13 = load_bigendian(in + 104);

  94.     uint64_t w14 = load_bigendian(in + 112);

  95.     uint64_t w15 = load_bigendian(in + 120);

  96. 

  97.     F(w0 ,0x428a2f98d728ae22ULL)

  98.     F(w1 ,0x7137449123ef65cdULL)

  99.     F(w2 ,0xb5c0fbcfec4d3b2fULL)

  100.     F(w3 ,0xe9b5dba58189dbbcULL)

  101.     F(w4 ,0x3956c25bf348b538ULL)

  102.     F(w5 ,0x59f111f1b605d019ULL)

  103.     F(w6 ,0x923f82a4af194f9bULL)

  104.     F(w7 ,0xab1c5ed5da6d8118ULL)

  105.     F(w8 ,0xd807aa98a3030242ULL)

  106.     F(w9 ,0x12835b0145706fbeULL)

  107.     F(w10,0x243185be4ee4b28cULL)

  108.     F(w11,0x550c7dc3d5ffb4e2ULL)

  109.     F(w12,0x72be5d74f27b896fULL)

  110.     F(w13,0x80deb1fe3b1696b1ULL)

  111.     F(w14,0x9bdc06a725c71235ULL)

  112.     F(w15,0xc19bf174cf692694ULL)

  113. 

  114.     EXPAND

  115. 

  116.     F(w0 ,0xe49b69c19ef14ad2ULL)

  117.     F(w1 ,0xefbe4786384f25e3ULL)

  118.     F(w2 ,0x0fc19dc68b8cd5b5ULL)

  119.     F(w3 ,0x240ca1cc77ac9c65ULL)

  120.     F(w4 ,0x2de92c6f592b0275ULL)

  121.     F(w5 ,0x4a7484aa6ea6e483ULL)

  122.     F(w6 ,0x5cb0a9dcbd41fbd4ULL)

  123.     F(w7 ,0x76f988da831153b5ULL)

  124.     F(w8 ,0x983e5152ee66dfabULL)

  125.     F(w9 ,0xa831c66d2db43210ULL)

  126.     F(w10,0xb00327c898fb213fULL)

  127.     F(w11,0xbf597fc7beef0ee4ULL)

  128.     F(w12,0xc6e00bf33da88fc2ULL)

  129.     F(w13,0xd5a79147930aa725ULL)

  130.     F(w14,0x06ca6351e003826fULL)

  131.     F(w15,0x142929670a0e6e70ULL)

  132. 

  133.     EXPAND

  134. 

  135.     F(w0 ,0x27b70a8546d22ffcULL)

  136.     F(w1 ,0x2e1b21385c26c926ULL)

  137.     F(w2 ,0x4d2c6dfc5ac42aedULL)

  138.     F(w3 ,0x53380d139d95b3dfULL)

  139.     F(w4 ,0x650a73548baf63deULL)

  140.     F(w5 ,0x766a0abb3c77b2a8ULL)

  141.     F(w6 ,0x81c2c92e47edaee6ULL)

  142.     F(w7 ,0x92722c851482353bULL)

  143.     F(w8 ,0xa2bfe8a14cf10364ULL)

  144.     F(w9 ,0xa81a664bbc423001ULL)

  145.     F(w10,0xc24b8b70d0f89791ULL)

  146.     F(w11,0xc76c51a30654be30ULL)

  147.     F(w12,0xd192e819d6ef5218ULL)

  148.     F(w13,0xd69906245565a910ULL)

  149.     F(w14,0xf40e35855771202aULL)

  150.     F(w15,0x106aa07032bbd1b8ULL)

  151. 

  152.     EXPAND

  153. 

  154.     F(w0 ,0x19a4c116b8d2d0c8ULL)

  155.     F(w1 ,0x1e376c085141ab53ULL)

  156.     F(w2 ,0x2748774cdf8eeb99ULL)

  157.     F(w3 ,0x34b0bcb5e19b48a8ULL)

  158.     F(w4 ,0x391c0cb3c5c95a63ULL)

  159.     F(w5 ,0x4ed8aa4ae3418acbULL)

  160.     F(w6 ,0x5b9cca4f7763e373ULL)

  161.     F(w7 ,0x682e6ff3d6b2b8a3ULL)

  162.     F(w8 ,0x748f82ee5defb2fcULL)

  163.     F(w9 ,0x78a5636f43172f60ULL)

  164.     F(w10,0x84c87814a1f0ab72ULL)

  165.     F(w11,0x8cc702081a6439ecULL)

  166.     F(w12,0x90befffa23631e28ULL)

  167.     F(w13,0xa4506cebde82bde9ULL)

  168.     F(w14,0xbef9a3f7b2c67915ULL)

  169.     F(w15,0xc67178f2e372532bULL)

  170. 

  171.     EXPAND

  172. 

  173.     F(w0 ,0xca273eceea26619cULL)

  174.     F(w1 ,0xd186b8c721c0c207ULL)

  175.     F(w2 ,0xeada7dd6cde0eb1eULL)

  176.     F(w3 ,0xf57d4f7fee6ed178ULL)

  177.     F(w4 ,0x06f067aa72176fbaULL)

  178.     F(w5 ,0x0a637dc5a2c898a6ULL)

  179.     F(w6 ,0x113f9804bef90daeULL)

  180.     F(w7 ,0x1b710b35131c471bULL)

  181.     F(w8 ,0x28db77f523047d84ULL)

  182.     F(w9 ,0x32caab7b40c72493ULL)

  183.     F(w10,0x3c9ebe0a15c9bebcULL)

  184.     F(w11,0x431d67c49c100d4cULL)

  185.     F(w12,0x4cc5d4becb3e42b6ULL)

  186.     F(w13,0x597f299cfc657e2aULL)

  187.     F(w14,0x5fcb6fab3ad6faecULL)

  188.     F(w15,0x6c44198c4a475817ULL)

  189.   

  190.     ctx->state[0] += a;

  191.     ctx->state[1] += b;

  192.     ctx->state[2] += c;

  193.     ctx->state[3] += d;

  194.     ctx->state[4] += e;

  195.     ctx->state[5] += f;

  196.     ctx->state[6] += g;

  197.     ctx->state[7] += h;

  198. }

  199. 

  200. void decaf_sha512_init(decaf_sha512_ctx_t ctx) {

  201.     static const uint64_t iv[8] = {

  202.         0x6a09e667f3bcc908,

  203.         0xbb67ae8584caa73b,

  204.         0x3c6ef372fe94f82b,

  205.         0xa54ff53a5f1d36f1,

  206.         0x510e527fade682d1,

  207.         0x9b05688c2b3e6c1f,

  208.         0x1f83d9abfb41bd6b,

  209.         0x5be0cd19137e2179

  210.     };

  211.     memcpy(ctx->state,iv,sizeof(iv));

  212.     memset(ctx->block,0,sizeof(ctx->block));

  213.     ctx->bytes_processed = 0;

  214. }

  215. 

  216. void decaf_sha512_update(decaf_sha512_ctx_t ctx, const uint8_t *message, size_t length) {

  217.     while (length > 0) {

  218.         size_t grab = length, off = ctx->bytes_processed % 128;

  219.         if (grab > 128-off) grab = 128-off;

  220.         memcpy(&ctx->block[off], message, grab);

  221.         

  222.         ctx->bytes_processed += grab;

  223.         length -= grab;

  224.         message += grab;

  225.         

  226.         if (grab == 128 - off) {

  227.             hashblock(ctx);

  228.         }

  229.     }

  230. }

  231. 

  232. void decaf_sha512_final(decaf_sha512_ctx_t ctx, uint8_t *out, size_t length) {

  233.     assert(length <= 512/8);

  234.     

  235.     size_t off = ctx->bytes_processed % 128, bp = ctx->bytes_processed * 8;

  236.     ctx->block[off] = 0x80;

  237.     memset(&ctx->block[off+1], 0, 128-off-1);

  238.     

  239.     if (off >= 112) {

  240.         hashblock(ctx);

  241.         memset(&ctx->block,0,128);

  242.     }

  243.     

  244.     for (size_t i=0; i<8; i++)

  245.         ctx->block[120 + i] = bp >> (56 - 8*i);

  246.     hashblock(ctx);

  247.     

  248.     for (size_t i=0; i<length; i++) {

  249.         out[i] = ctx->state[i/8] >> (56 - 8*(i%8));

  250.     }

  251.     

  252.     decaf_sha512_init(ctx);

  253. }