sha/asm/keccak1600-armv4.pl: add SHA3_absorb and SHA3_squeeze.

[openssl.git] / crypto / sha / asm / keccak1600-armv4.pl

#!/usr/bin/env perl
# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
#
# ====================================================================
# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
# ====================================================================
#
# Keccak-1600 for ARMv4.
#
# June 2017.
#
# This is KECCAK_1X variant (see keccak1600.c) with bit interleaving.
# How does it compare to Keccak Code Package? It's as fast, but several
# times smaller, and is endian- and ISA-neutral. ISA neutrality means
# that minimum ISA requirement is ARMv4, yet it can be assembled even
# as ARMv7 Thumb-2.
#
########################################################################
# Numbers are cycles per processed byte accounting even for input bit
# interleaving.
#
#               r=1600(*)       r=1024
#
# Cortex-A7     71/+180%        103
# Cortex-A8     48/+290%        69
# Cortex-A15    34/+210%        49
#
# (*)   Not used in real life, meaningful as estimate for single sponge
#       operation performance. Numbers after slash are improvement over
#       compiler-generated KECCAK_1X reference code.

my @C = map("r$_",(0..9));
my @E = map("r$_",(10..12,14));

########################################################################
# Stack layout
# ----->+-----------------------+
#       | uint64_t A[5][5]      |
#       | ...                   |
# +200->+-----------------------+
#       | uint64_t D[5]         |
#       | ...                   |
# +240->+-----------------------+
#       | uint64_t T[2][5]      |
#       | ...                   |
# +320->+-----------------------+
#       | saved lr              |
# +324->+-----------------------+
#       | loop counter          |
# +328->+-----------------------+
#       | ...

my @A = map([ 8*$_, 8*($_+1), 8*($_+2), 8*($_+3), 8*($_+4) ], (0,5,10,15,20));
my @D = map(8*$_, (25..29));
my @T = map([ 8*$_, 8*($_+1), 8*($_+2), 8*($_+3), 8*($_+4) ], (30,35));

$code.=<<___;
.text

#if defined(__thumb2__)
.syntax unified
.thumb
#else
.code   32
#endif

.type   iotas,%object
.align  5
iotas:
        .long   0x00000001, 0x00000000
        .long   0x00000000, 0x00000089
        .long   0x00000000, 0x8000008b
        .long   0x00000000, 0x80008080
        .long   0x00000001, 0x0000008b
        .long   0x00000001, 0x00008000
        .long   0x00000001, 0x80008088
        .long   0x00000001, 0x80000082
        .long   0x00000000, 0x0000000b
        .long   0x00000000, 0x0000000a
        .long   0x00000001, 0x00008082
        .long   0x00000000, 0x00008003
        .long   0x00000001, 0x0000808b
        .long   0x00000001, 0x8000000b
        .long   0x00000001, 0x8000008a
        .long   0x00000001, 0x80000081
        .long   0x00000000, 0x80000081
        .long   0x00000000, 0x80000008
        .long   0x00000000, 0x00000083
        .long   0x00000000, 0x80008003
        .long   0x00000001, 0x80008088
        .long   0x00000000, 0x80000088
        .long   0x00000001, 0x00008000
        .long   0x00000000, 0x80008082
.size   iotas,.-iotas

.type   KeccakF1600_int, %function
.align  5
KeccakF1600_int:
        ldmia   sp,{@C[0]-@C[9]}                @ A[0][0..4]
        add     @E[0],sp,#$A[1][0]
KeccakF1600_enter:
        str     lr,[sp,#320]
        eor     @E[1],@E[1],@E[1]
        str     @E[1],[sp,#324]
        b       .Lround_enter

.align  4
.Lround:
        ldmia   sp,{@C[0]-@C[9]}                @ A[0][0..4]
.Lround_enter:
        ldmia   @E[0],{@E[0]-@E[2],@E[3]}       @ A[1][0..1]
        eor     @C[0],@C[0],@E[0]
         add    @E[0],sp,#$A[1][2]
        eor     @C[1],@C[1],@E[1]
        eor     @C[2],@C[2],@E[2]
        eor     @C[3],@C[3],@E[3]
        ldmia   @E[0],{@E[0]-@E[2],@E[3]}       @ A[1][2..3]
        eor     @C[4],@C[4],@E[0]
         add    @E[0],sp,#$A[1][4]
        eor     @C[5],@C[5],@E[1]
        eor     @C[6],@C[6],@E[2]
        eor     @C[7],@C[7],@E[3]
        ldmia   @E[0],{@E[0]-@E[2],@E[3]}       @ A[1][4]..A[2][0]
        eor     @C[8],@C[8],@E[0]
         add    @E[0],sp,#$A[2][1]
        eor     @C[9],@C[9],@E[1]
        eor     @C[0],@C[0],@E[2]
        eor     @C[1],@C[1],@E[3]
        ldmia   @E[0],{@E[0]-@E[2],@E[3]}       @ A[2][1..2]
        eor     @C[2],@C[2],@E[0]
         add    @E[0],sp,#$A[2][3]
        eor     @C[3],@C[3],@E[1]
        eor     @C[4],@C[4],@E[2]
        eor     @C[5],@C[5],@E[3]
        ldmia   @E[0],{@E[0]-@E[2],@E[3]}       @ A[2][3..4]
        eor     @C[6],@C[6],@E[0]
         add    @E[0],sp,#$A[3][0]
        eor     @C[7],@C[7],@E[1]
        eor     @C[8],@C[8],@E[2]
        eor     @C[9],@C[9],@E[3]
        ldmia   @E[0],{@E[0]-@E[2],@E[3]}       @ A[3][0..1]
        eor     @C[0],@C[0],@E[0]
         add    @E[0],sp,#$A[3][2]
        eor     @C[1],@C[1],@E[1]
        eor     @C[2],@C[2],@E[2]
        eor     @C[3],@C[3],@E[3]
        ldmia   @E[0],{@E[0]-@E[2],@E[3]}       @ A[3][2..3]
        eor     @C[4],@C[4],@E[0]
         add    @E[0],sp,#$A[3][4]
        eor     @C[5],@C[5],@E[1]
        eor     @C[6],@C[6],@E[2]
        eor     @C[7],@C[7],@E[3]
        ldmia   @E[0],{@E[0]-@E[2],@E[3]}       @ A[3][4]..A[4][0]
        eor     @C[8],@C[8],@E[0]
         add    @E[0],sp,#$A[4][1]
        eor     @C[9],@C[9],@E[1]
        eor     @C[0],@C[0],@E[2]
        eor     @C[1],@C[1],@E[3]
        ldmia   @E[0],{@E[0]-@E[2],@E[3]}       @ A[4][1..2]
        eor     @C[2],@C[2],@E[0]
         add    @E[0],sp,#$A[4][3]
        eor     @C[3],@C[3],@E[1]
        eor     @C[4],@C[4],@E[2]
        eor     @C[5],@C[5],@E[3]
        ldmia   @E[0],{@E[0]-@E[2],@E[3]}       @ A[4][3..4]
        eor     @C[6],@C[6],@E[0]
        eor     @C[7],@C[7],@E[1]
        eor     @C[8],@C[8],@E[2]
        eor     @C[9],@C[9],@E[3]

        eor     @E[0],@C[0],@C[5],ror#32-1      @ E[0] = ROL64(C[2], 1) ^ C[0];
        eor     @E[1],@C[1],@C[4]
        str     @E[0],[sp,#$D[1]]               @ D[1] = E[0]
        eor     @E[2],@C[6],@C[1],ror#32-1      @ E[1] = ROL64(C[0], 1) ^ C[3];
        str     @E[1],[sp,#$D[1]+4]
        eor     @E[3],@C[7],@C[0]
        str     @E[2],[sp,#$D[4]]               @ D[4] = E[1]
        eor     @C[0],@C[8],@C[3],ror#32-1      @ C[0] = ROL64(C[1], 1) ^ C[4];
        str     @E[3],[sp,#$D[4]+4]
        eor     @C[1],@C[9],@C[2]
        str     @C[0],[sp,#$D[0]]               @ D[0] = C[0]
        eor     @C[2],@C[2],@C[7],ror#32-1      @ C[1] = ROL64(C[3], 1) ^ C[1];
        str     @C[1],[sp,#$D[0]+4]
        eor     @C[3],@C[3],@C[6]
        str     @C[2],[sp,#$D[2]]               @ D[2] = C[1]
        eor     @C[4],@C[4],@C[9],ror#32-1      @ C[2] = ROL64(C[4], 1) ^ C[2];
        str     @C[3],[sp,#$D[2]+4]
        eor     @C[5],@C[5],@C[8]
         ldr    @C[8],[sp,#$A[3][0]]
         ldr    @C[9],[sp,#$A[3][0]+4]
        str     @C[4],[sp,#$D[3]]               @ D[3] = C[2]
        str     @C[5],[sp,#$D[3]+4]

        ldr     @C[6],[sp,#$A[0][1]]
        eor     @C[8],@C[8],@C[0]
        ldr     @C[7],[sp,#$A[0][1]+4]
        eor     @C[9],@C[9],@C[1]
        str     @C[8],[sp,#$T[0][0]]            @ T[0][0] = A[3][0] ^ C[0]; /* borrow T[0][0] */
        ldr     @C[8],[sp,#$A[0][2]]
        str     @C[9],[sp,#$T[0][0]+4]
        ldr     @C[9],[sp,#$A[0][2]+4]
        eor     @C[6],@C[6],@E[0]
        eor     @C[7],@C[7],@E[1]
        str     @C[6],[sp,#$T[0][1]]            @ T[0][1] = A[0][1] ^ E[0]; /* D[1] */
        ldr     @C[6],[sp,#$A[0][3]]
        str     @C[7],[sp,#$T[0][1]+4]
        ldr     @C[7],[sp,#$A[0][3]+4]
        eor     @C[8],@C[8],@C[2]
        eor     @C[9],@C[9],@C[3]
        str     @C[8],[sp,#$T[0][2]]            @ T[0][2] = A[0][2] ^ C[1]; /* D[2] */
        ldr     @C[8],[sp,#$A[0][4]]
        str     @C[9],[sp,#$T[0][2]+4]
        ldr     @C[9],[sp,#$A[0][4]+4]
        eor     @C[6],@C[6],@C[4]
        eor     @C[7],@C[7],@C[5]
        str     @C[6],[sp,#$T[0][3]]            @ T[0][3] = A[0][3] ^ C[2]; /* D[3] */
        eor     @C[8],@C[8],@E[2]
        str     @C[7],[sp,#$T[0][3]+4]
        eor     @C[9],@C[9],@E[3]
         ldr    @C[6],[sp,#$A[3][3]]
         ldr    @C[7],[sp,#$A[3][3]+4]
        str     @C[8],[sp,#$T[0][4]]            @ T[0][4] = A[0][4] ^ E[1]; /* D[4] */
        str     @C[9],[sp,#$T[0][4]+4]

        ldr     @C[8],[sp,#$A[4][4]]
        eor     @C[4],@C[4],@C[6]
        ldr     @C[9],[sp,#$A[4][4]+4]
        eor     @C[5],@C[5],@C[7]
        ror     @C[7],@C[4],#32-10              @ C[3] = ROL64(A[3][3] ^ C[2], rhotates[3][3]);   /* D[3] */
        ldr     @C[4],[sp,#$A[0][0]]
        ror     @C[6],@C[5],#32-11
        ldr     @C[5],[sp,#$A[0][0]+4]
        eor     @C[8],@C[8],@E[2]
        eor     @C[9],@C[9],@E[3]
        ror     @C[8],@C[8],#32-7               @ C[4] = ROL64(A[4][4] ^ E[1], rhotates[4][4]);   /* D[4] */
        ldr     @E[2],[sp,#$A[2][2]]
        ror     @C[9],@C[9],#32-7
        ldr     @E[3],[sp,#$A[2][2]+4]
        eor     @C[0],@C[0],@C[4]
        eor     @C[1],@C[1],@C[5]               @ C[0] =       A[0][0] ^ C[0]; /* rotate by 0 */  /* D[0] */
        eor     @E[2],@E[2],@C[2]
        ldr     @C[2],[sp,#$A[1][1]]
        eor     @E[3],@E[3],@C[3]
        ldr     @C[3],[sp,#$A[1][1]+4]
        ror     @C[5],@E[2],#32-21              @ C[2] = ROL64(A[2][2] ^ C[1], rhotates[2][2]);   /* D[2] */
         ldr    @E[2],[sp,#324]                 @ load counter
        eor     @C[2],@C[2],@E[0]
        ror     @C[4],@E[3],#32-22
         adr    @E[3],iotas
        eor     @C[3],@C[3],@E[1]
        ror     @C[2],@C[2],#32-22              @ C[1] = ROL64(A[1][1] ^ E[0], rhotates[1][1]);   /* D[1] */
         add    @E[3],@E[3],@E[2]
        ror     @C[3],@C[3],#32-22

        ldr     @E[0],[@E[3],#0]                @ iotas[i].lo
        add     @E[2],@E[2],#8
        ldr     @E[1],[@E[3],#4]                @ iotas[i].hi
        cmp     @E[2],#192
        str     @E[2],[sp,#324]                 @ store counter

        bic     @E[2],@C[4],@C[2]
        bic     @E[3],@C[5],@C[3]
        eor     @E[2],@E[2],@C[0]
        eor     @E[3],@E[3],@C[1]
        eor     @E[0],@E[0],@E[2]
        eor     @E[1],@E[1],@E[3]
        str     @E[0],[sp,#$A[0][0]]            @ A[0][0] = C[0] ^ (~C[1] & C[2]) ^ iotas[i];
        bic     @E[2],@C[6],@C[4]
        str     @E[1],[sp,#$A[0][0]+4]
        bic     @E[3],@C[7],@C[5]
        eor     @E[2],@E[2],@C[2]
        eor     @E[3],@E[3],@C[3]
        str     @E[2],[sp,#$A[0][1]]            @ A[0][1] = C[1] ^ (~C[2] & C[3]);
        bic     @E[0],@C[8],@C[6]
        str     @E[3],[sp,#$A[0][1]+4]
        bic     @E[1],@C[9],@C[7]
        eor     @E[0],@E[0],@C[4]
        eor     @E[1],@E[1],@C[5]
        str     @E[0],[sp,#$A[0][2]]            @ A[0][2] = C[2] ^ (~C[3] & C[4]);
        bic     @E[2],@C[0],@C[8]
        str     @E[1],[sp,#$A[0][2]+4]
        bic     @E[3],@C[1],@C[9]
        eor     @E[2],@E[2],@C[6]
        eor     @E[3],@E[3],@C[7]
        str     @E[2],[sp,#$A[0][3]]            @ A[0][3] = C[3] ^ (~C[4] & C[0]);
        bic     @E[0],@C[2],@C[0]
        str     @E[3],[sp,#$A[0][3]+4]
         add    @E[3],sp,#$D[0]
        bic     @E[1],@C[3],@C[1]
        eor     @E[0],@E[0],@C[8]
        eor     @E[1],@E[1],@C[9]
        str     @E[0],[sp,#$A[0][4]]            @ A[0][4] = C[4] ^ (~C[0] & C[1]);
        str     @E[1],[sp,#$A[0][4]+4]

        ldmia   @E[3],{@C[6]-@C[9],@E[0],@E[1],@E[2],@E[3]}     @ D[0..3]
        ldr     @C[0],[sp,#$A[1][0]]
        ldr     @C[1],[sp,#$A[1][0]+4]
        ldr     @C[2],[sp,#$A[2][1]]
        ldr     @C[3],[sp,#$A[2][1]+4]
        ldr     @C[4],[sp,#$D[4]]
        eor     @C[0],@C[0],@C[6]
        ldr     @C[5],[sp,#$D[4]+4]
        eor     @C[1],@C[1],@C[7]
        str     @C[0],[sp,#$T[1][0]]            @ T[1][0] = A[1][0] ^ (C[3] = D[0]);
        add     @C[0],sp,#$A[1][2]
        str     @C[1],[sp,#$T[1][0]+4]
        eor     @C[2],@C[2],@C[8]
        eor     @C[3],@C[3],@C[9]
        str     @C[2],[sp,#$T[1][1]]            @ T[1][1] = A[2][1] ^ (C[4] = D[1]); /* borrow T[1][1] */
        str     @C[3],[sp,#$T[1][1]+4]
        ldmia   @C[0],{@C[0]-@C[3]}             @ A[1][2..3]
        eor     @C[0],@C[0],@E[0]
        eor     @C[1],@C[1],@E[1]
        str     @C[0],[sp,#$T[1][2]]            @ T[1][2] = A[1][2] ^ (E[0] = D[2]);
        ldr     @C[0],[sp,#$A[2][4]]
        str     @C[1],[sp,#$T[1][2]+4]
        ldr     @C[1],[sp,#$A[2][4]+4]
        eor     @C[2],@C[2],@E[2]
        eor     @C[3],@C[3],@E[3]
        str     @C[2],[sp,#$T[1][3]]            @ T[1][3] = A[1][3] ^ (E[1] = D[3]);
         ldr    @C[2],[sp,#$T[0][3]]
        str     @C[3],[sp,#$T[1][3]+4]
         ldr    @C[3],[sp,#$T[0][3]+4]
        eor     @C[0],@C[0],@C[4]
         ldr    @E[2],[sp,#$A[1][4]]
        eor     @C[1],@C[1],@C[5]
         ldr    @E[3],[sp,#$A[1][4]+4]
        str     @C[0],[sp,#$T[1][4]]            @ T[1][4] = A[2][4] ^ (C[2] = D[4]); /* borrow T[1][4] */

        ror     @C[0],@C[2],#32-14              @ C[0] = ROL64(T[0][3],        rhotates[0][3]);
         str    @C[1],[sp,#$T[1][4]+4]
        ror     @C[1],@C[3],#32-14
        eor     @C[2],@E[2],@C[4]
        ldr     @C[4],[sp,#$A[2][0]]
        eor     @C[3],@E[3],@C[5]
        ldr     @C[5],[sp,#$A[2][0]+4]
        ror     @C[2],@C[2],#32-10              @ C[1] = ROL64(A[1][4] ^ C[2], rhotates[1][4]);   /* D[4] */
        ldr     @E[2],[sp,#$A[3][1]]
        ror     @C[3],@C[3],#32-10
        ldr     @E[3],[sp,#$A[3][1]+4]
        eor     @C[6],@C[6],@C[4]
        eor     @C[7],@C[7],@C[5]
        ror     @C[5],@C[6],#32-1               @ C[2] = ROL64(A[2][0] ^ C[3], rhotates[2][0]);   /* D[0] */
        eor     @E[2],@E[2],@C[8]
        ror     @C[4],@C[7],#32-2
        ldr     @C[8],[sp,#$A[4][2]]
        eor     @E[3],@E[3],@C[9]
        ldr     @C[9],[sp,#$A[4][2]+4]
        ror     @C[7],@E[2],#32-22              @ C[3] = ROL64(A[3][1] ^ C[4], rhotates[3][1]);   /* D[1] */
        eor     @E[0],@E[0],@C[8]
        ror     @C[6],@E[3],#32-23
        eor     @E[1],@E[1],@C[9]
        ror     @C[9],@E[0],#32-30              @ C[4] = ROL64(A[4][2] ^ E[0], rhotates[4][2]);   /* D[2] */

        bic     @E[0],@C[4],@C[2]
         ror    @C[8],@E[1],#32-31
        bic     @E[1],@C[5],@C[3]
        eor     @E[0],@E[0],@C[0]
        eor     @E[1],@E[1],@C[1]
        str     @E[0],[sp,#$A[1][0]]            @ A[1][0] = C[0] ^ (~C[1] & C[2])
        bic     @E[2],@C[6],@C[4]
        str     @E[1],[sp,#$A[1][0]+4]
        bic     @E[3],@C[7],@C[5]
        eor     @E[2],@E[2],@C[2]
        eor     @E[3],@E[3],@C[3]
        str     @E[2],[sp,#$A[1][1]]            @ A[1][1] = C[1] ^ (~C[2] & C[3]);
        bic     @E[0],@C[8],@C[6]
        str     @E[3],[sp,#$A[1][1]+4]
        bic     @E[1],@C[9],@C[7]
        eor     @E[0],@E[0],@C[4]
        eor     @E[1],@E[1],@C[5]
        str     @E[0],[sp,#$A[1][2]]            @ A[1][2] = C[2] ^ (~C[3] & C[4]);
        bic     @E[2],@C[0],@C[8]
        str     @E[1],[sp,#$A[1][2]+4]
        bic     @E[3],@C[1],@C[9]
        eor     @E[2],@E[2],@C[6]
        eor     @E[3],@E[3],@C[7]
        str     @E[2],[sp,#$A[1][3]]            @ A[1][3] = C[3] ^ (~C[4] & C[0]);
        bic     @E[0],@C[2],@C[0]
        str     @E[3],[sp,#$A[1][3]+4]
         add    @E[3],sp,#$D[3]
        bic     @E[1],@C[3],@C[1]
         ldr    @C[1],[sp,#$T[0][1]]
        eor     @E[0],@E[0],@C[8]
         ldr    @C[0],[sp,#$T[0][1]+4]
        eor     @E[1],@E[1],@C[9]
        str     @E[0],[sp,#$A[1][4]]            @ A[1][4] = C[4] ^ (~C[0] & C[1]);
        str     @E[1],[sp,#$A[1][4]+4]

        ldr     @C[2],[sp,#$T[1][2]]
        ldr     @C[3],[sp,#$T[1][2]+4]
        ldmia   @E[3],{@E[0]-@E[2],@E[3]}       @ D[3..4]
        ldr     @C[4],[sp,#$A[2][3]]
        ror     @C[0],@C[0],#32-1               @ C[0] = ROL64(T[0][1],        rhotates[0][1]);
        ldr     @C[5],[sp,#$A[2][3]+4]
        ror     @C[2],@C[2],#32-3               @ C[1] = ROL64(T[1][2],        rhotates[1][2]);
        ldr     @C[6],[sp,#$A[3][4]]
        ror     @C[3],@C[3],#32-3
        ldr     @C[7],[sp,#$A[3][4]+4]
        eor     @E[0],@E[0],@C[4]
        ldr     @C[8],[sp,#$A[4][0]]
        eor     @E[1],@E[1],@C[5]
        ldr     @C[9],[sp,#$A[4][0]+4]
        ror     @C[5],@E[0],#32-12              @ C[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
        ldr     @E[0],[sp,#$D[0]]
        ror     @C[4],@E[1],#32-13
        ldr     @E[1],[sp,#$D[0]+4]
        eor     @C[6],@C[6],@E[2]
        eor     @C[7],@C[7],@E[3]
        ror     @C[6],@C[6],#32-4               @ C[3] = ROL64(A[3][4] ^ D[4], rhotates[3][4]);
        eor     @C[8],@C[8],@E[0]
        ror     @C[7],@C[7],#32-4
        eor     @C[9],@C[9],@E[1]
        ror     @C[8],@C[8],#32-9               @ C[4] = ROL64(A[4][0] ^ D[0], rhotates[4][0]);

        bic     @E[0],@C[4],@C[2]
         ror    @C[9],@C[9],#32-9
        bic     @E[1],@C[5],@C[3]
        eor     @E[0],@E[0],@C[0]
        eor     @E[1],@E[1],@C[1]
        str     @E[0],[sp,#$A[2][0]]            @ A[2][0] = C[0] ^ (~C[1] & C[2])
        bic     @E[2],@C[6],@C[4]
        str     @E[1],[sp,#$A[2][0]+4]
        bic     @E[3],@C[7],@C[5]
        eor     @E[2],@E[2],@C[2]
        eor     @E[3],@E[3],@C[3]
        str     @E[2],[sp,#$A[2][1]]            @ A[2][1] = C[1] ^ (~C[2] & C[3]);
        bic     @E[0],@C[8],@C[6]
        str     @E[3],[sp,#$A[2][1]+4]
        bic     @E[1],@C[9],@C[7]
        eor     @E[0],@E[0],@C[4]
        eor     @E[1],@E[1],@C[5]
        str     @E[0],[sp,#$A[2][2]]            @ A[2][2] = C[2] ^ (~C[3] & C[4]);
        bic     @E[2],@C[0],@C[8]
        str     @E[1],[sp,#$A[2][2]+4]
        bic     @E[3],@C[1],@C[9]
        eor     @E[2],@E[2],@C[6]
        eor     @E[3],@E[3],@C[7]
        str     @E[2],[sp,#$A[2][3]]            @ A[2][3] = C[3] ^ (~C[4] & C[0]);
        bic     @E[0],@C[2],@C[0]
        str     @E[3],[sp,#$A[2][3]+4]
        bic     @E[1],@C[3],@C[1]
        eor     @E[0],@E[0],@C[8]
        eor     @E[1],@E[1],@C[9]
        str     @E[0],[sp,#$A[2][4]]            @ A[2][4] = C[4] ^ (~C[0] & C[1]);
         add    @C[2],sp,#$T[1][0]
        str     @E[1],[sp,#$A[2][4]+4]

        add     @E[3],sp,#$D[2]
        ldr     @C[1],[sp,#$T[0][4]]
        ldr     @C[0],[sp,#$T[0][4]+4]
        ldmia   @C[2],{@C[2]-@C[5]}             @ T[1][0..1]
        ldmia   @E[3],{@E[0]-@E[2],@E[3]}       @ D[2..3]
        ror     @C[1],@C[1],#32-13              @ C[0] = ROL64(T[0][4],        rhotates[0][4]);
        ldr     @C[6],[sp,#$A[3][2]]
        ror     @C[0],@C[0],#32-14
        ldr     @C[7],[sp,#$A[3][2]+4]
        ror     @C[2],@C[2],#32-18              @ C[1] = ROL64(T[1][0],        rhotates[1][0]);
        ldr     @C[8],[sp,#$A[4][3]]
        ror     @C[3],@C[3],#32-18
        ldr     @C[9],[sp,#$A[4][3]+4]
        ror     @C[4],@C[4],#32-5               @ C[2] = ROL64(T[1][1],        rhotates[2][1]); /* originally A[2][1] */
        eor     @E[0],@E[0],@C[6]
        ror     @C[5],@C[5],#32-5
        eor     @E[1],@E[1],@C[7]
        ror     @C[7],@E[0],#32-7               @ C[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
        eor     @C[8],@C[8],@E[2]
        ror     @C[6],@E[1],#32-8
        eor     @C[9],@C[9],@E[3]
        ror     @C[8],@C[8],#32-28              @ C[4] = ROL64(A[4][3] ^ D[3], rhotates[4][3]);

        bic     @E[0],@C[4],@C[2]
         ror    @C[9],@C[9],#32-28
        bic     @E[1],@C[5],@C[3]
        eor     @E[0],@E[0],@C[0]
        eor     @E[1],@E[1],@C[1]
        str     @E[0],[sp,#$A[3][0]]            @ A[3][0] = C[0] ^ (~C[1] & C[2])
        bic     @E[2],@C[6],@C[4]
        str     @E[1],[sp,#$A[3][0]+4]
        bic     @E[3],@C[7],@C[5]
        eor     @E[2],@E[2],@C[2]
        eor     @E[3],@E[3],@C[3]
        str     @E[2],[sp,#$A[3][1]]            @ A[3][1] = C[1] ^ (~C[2] & C[3]);
        bic     @E[0],@C[8],@C[6]
        str     @E[3],[sp,#$A[3][1]+4]
        bic     @E[1],@C[9],@C[7]
        eor     @E[0],@E[0],@C[4]
        eor     @E[1],@E[1],@C[5]
        str     @E[0],[sp,#$A[3][2]]            @ A[3][2] = C[2] ^ (~C[3] & C[4]);
        bic     @E[2],@C[0],@C[8]
        str     @E[1],[sp,#$A[3][2]+4]
        bic     @E[3],@C[1],@C[9]
        eor     @E[2],@E[2],@C[6]
        eor     @E[3],@E[3],@C[7]
        str     @E[2],[sp,#$A[3][3]]            @ A[3][3] = C[3] ^ (~C[4] & C[0]);
        bic     @E[0],@C[2],@C[0]
        str     @E[3],[sp,#$A[3][3]+4]
        bic     @E[1],@C[3],@C[1]
        eor     @E[0],@E[0],@C[8]
        eor     @E[1],@E[1],@C[9]
        str     @E[0],[sp,#$A[3][4]]            @ A[3][4] = C[4] ^ (~C[0] & C[1]);
         add    @E[3],sp,#$T[1][3]
        str     @E[1],[sp,#$A[3][4]+4]

        ldr     @C[0],[sp,#$T[0][2]]
        ldr     @C[1],[sp,#$T[0][2]+4]
        ldmia   @E[3],{@E[0]-@E[2],@E[3]}       @ T[1][3..4]
        ldr     @C[7],[sp,#$T[0][0]]
        ror     @C[0],@C[0],#32-31              @ C[0] = ROL64(T[0][2],        rhotates[0][2]);
        ldr     @C[6],[sp,#$T[0][0]+4]
        ror     @C[1],@C[1],#32-31
        ldr     @C[8],[sp,#$A[4][1]]
        ror     @C[3],@E[0],#32-27              @ C[1] = ROL64(T[1][3],        rhotates[1][3]);
        ldr     @E[0],[sp,#$D[1]]
        ror     @C[2],@E[1],#32-28
        ldr     @C[9],[sp,#$A[4][1]+4]
        ror     @C[5],@E[2],#32-19              @ C[2] = ROL64(T[1][4],        rhotates[2][4]); /* originally A[2][4] */
        ldr     @E[1],[sp,#$D[1]+4]
        ror     @C[4],@E[3],#32-20
        eor     @C[8],@C[8],@E[0]
        ror     @C[7],@C[7],#32-20              @ C[3] = ROL64(T[0][0],        rhotates[3][0]); /* originally A[3][0] */
        eor     @C[9],@C[9],@E[1]
        ror     @C[6],@C[6],#32-21

        bic     @E[0],@C[4],@C[2]
         ror    @C[8],@C[8],#32-1               @ C[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
        bic     @E[1],@C[5],@C[3]
         ror    @C[9],@C[9],#32-1
        eor     @E[0],@E[0],@C[0]
        eor     @E[1],@E[1],@C[1]
        str     @E[0],[sp,#$A[4][0]]            @ A[4][0] = C[0] ^ (~C[1] & C[2])
        bic     @E[2],@C[6],@C[4]
        str     @E[1],[sp,#$A[4][0]+4]
        bic     @E[3],@C[7],@C[5]
        eor     @E[2],@E[2],@C[2]
        eor     @E[3],@E[3],@C[3]
        str     @E[2],[sp,#$A[4][1]]            @ A[4][1] = C[1] ^ (~C[2] & C[3]);
        bic     @E[0],@C[8],@C[6]
        str     @E[3],[sp,#$A[4][1]+4]
        bic     @E[1],@C[9],@C[7]
        eor     @E[0],@E[0],@C[4]
        eor     @E[1],@E[1],@C[5]
        str     @E[0],[sp,#$A[4][2]]            @ A[4][2] = C[2] ^ (~C[3] & C[4]);
        bic     @E[2],@C[0],@C[8]
        str     @E[1],[sp,#$A[4][2]+4]
        bic     @E[3],@C[1],@C[9]
        eor     @E[2],@E[2],@C[6]
        eor     @E[3],@E[3],@C[7]
        str     @E[2],[sp,#$A[4][3]]            @ A[4][3] = C[3] ^ (~C[4] & C[0]);
        bic     @E[0],@C[2],@C[0]
        str     @E[3],[sp,#$A[4][3]+4]
        bic     @E[1],@C[3],@C[1]
        eor     @E[2],@E[0],@C[8]
        eor     @E[3],@E[1],@C[9]
        str     @E[2],[sp,#$A[4][4]]            @ A[4][4] = C[4] ^ (~C[0] & C[1]);
         add    @E[0],sp,#$A[1][0]
        str     @E[3],[sp,#$A[4][4]+4]

        blo     .Lround

        ldr     pc,[sp,#320]
.size   KeccakF1600_int,.-KeccakF1600_int

.type   KeccakF1600, %function
.align  5
KeccakF1600:
        stmdb   sp!,{r0,r4-r11,lr}
        sub     sp,sp,#320+16                   @ space for A[5][5],D[5],T[2][5],...

        add     @E[0],r0,#$A[1][0]
        add     @E[1],sp,#$A[1][0]
        mov     @E[2],r0
        ldmia   @E[0]!,{@C[0]-@C[9]}            @ copy A[5][5] to stack
        stmia   @E[1]!,{@C[0]-@C[9]}
        ldmia   @E[0]!,{@C[0]-@C[9]}
        stmia   @E[1]!,{@C[0]-@C[9]}
        ldmia   @E[0]!,{@C[0]-@C[9]}
        stmia   @E[1]!,{@C[0]-@C[9]}
        ldmia   @E[0], {@C[0]-@C[9]}
        stmia   @E[1], {@C[0]-@C[9]}
        ldmia   @E[2], {@C[0]-@C[9]}            @ A[0][0..4]
        add     @E[0],sp,#$A[1][0]
        stmia   sp,    {@C[0]-@C[9]}

        bl      KeccakF1600_enter

        ldr     @E[1], [sp,#320+16]             @ restore pointer to A
        ldmia   sp,    {@C[0]-@C[9]}
        stmia   @E[1]!,{@C[0]-@C[9]}            @ return A[5][5]
        ldmia   @E[0]!,{@C[0]-@C[9]}
        stmia   @E[1]!,{@C[0]-@C[9]}
        ldmia   @E[0]!,{@C[0]-@C[9]}
        stmia   @E[1]!,{@C[0]-@C[9]}
        ldmia   @E[0]!,{@C[0]-@C[9]}
        stmia   @E[1]!,{@C[0]-@C[9]}
        ldmia   @E[0], {@C[0]-@C[9]}
        stmia   @E[1], {@C[0]-@C[9]}

        add     sp,sp,#320+20
        ldmia   sp!,{r4-r11,pc}
.size   KeccakF1600,.-KeccakF1600
___
{ my ($hi,$lo,$i,$A_flat, $len,$bsz,$inp) = map("r$_",(5..8, 10..12));

########################################################################
# Stack layout
# ----->+-----------------------+
#       | uint64_t A[5][5]      |
#       | ...                   |
#       | ...                   |
# +336->+-----------------------+
#       | uint64_t *A           |
# +340->+-----------------------+
#       | const void *inp       |
# +344->+-----------------------+
#       | size_t len            |
# +348->+-----------------------+
#       | size_t bs             |
# +352->+-----------------------+
#       | ....

$code.=<<___;
.global SHA3_absorb
.type   SHA3_absorb,%function
.align  5
SHA3_absorb:
        stmdb   sp!,{r0-r12,lr}
        sub     sp,sp,#320+16

        mov     r12,r0
        add     r14,sp,#0
        mov     $len,r2
        mov     $bsz,r3

        ldmia   r12!,{@C[0]-@C[9]}      @ copy A[5][5] to stack
        stmia   r14!,{@C[0]-@C[9]}
        ldmia   r12!,{@C[0]-@C[9]}
        stmia   r14!,{@C[0]-@C[9]}
        ldmia   r12!,{@C[0]-@C[9]}
        stmia   r14!,{@C[0]-@C[9]}
        ldmia   r12!,{@C[0]-@C[9]}
        stmia   r14!,{@C[0]-@C[9]}
        ldmia   r12, {@C[0]-@C[9]}
        stmia   r14, {@C[0]-@C[9]}

        ldr     $inp,[sp,#340]

.Loop_absorb:
        subs    r0,$len,$bsz
        blo     .Labsorbed
        add     $A_flat,sp,#0
        str     r0,[sp,#344]            @ save len - bsz

.Loop_block:
        ldmia   $A_flat,{r2-r3}         @ A_flat[i]
        ldrb    r0,[$inp,#7]!           @ inp[7]
        mov     $i,#8

.Lane_loop:
        subs    $i,$i,#1
        lsl     r1,r0,#24
        blo     .Lane_done
#ifdef  __thumb2__
        it      ne
        ldrbne  r0,[$inp,#-1]!
#else
        ldrneb  r0,[$inp,#-1]!
#endif
        adds    r1,r1,r1                @ sip through carry flag
        adc     $hi,$hi,$hi
        adds    r1,r1,r1
        adc     $lo,$lo,$lo
        adds    r1,r1,r1
        adc     $hi,$hi,$hi
        adds    r1,r1,r1
        adc     $lo,$lo,$lo
        adds    r1,r1,r1
        adc     $hi,$hi,$hi
        adds    r1,r1,r1
        adc     $lo,$lo,$lo
        adds    r1,r1,r1
        adc     $hi,$hi,$hi
        adds    r1,r1,r1
        adc     $lo,$lo,$lo
        b       .Lane_loop

.Lane_done:
        eor     r2,r2,$lo
        eor     r3,r3,$hi
        add     $inp,$inp,#8
        stmia   $A_flat!,{r2-r3}        @ A_flat[i++] ^= BitInterleave(inp[0..7])
        subs    $bsz,$bsz,#8
        bhi     .Loop_block

        str     $inp,[sp,#340]

        bl      KeccakF1600_int

        ldr     $inp,[sp,#340]
        ldr     $len,[sp,#344]
        ldr     $bsz,[sp,#348]
        b       .Loop_absorb

.align  4
.Labsorbed:
        add     r12,sp,#$A[1][0]
        ldr     r14, [sp,#336]          @ pull pointer to A[5][5]
        ldmia   sp,  {@C[0]-@C[9]}
        stmia   r14!,{@C[0]-@C[9]}      @ return A[5][5]
        ldmia   r12!,{@C[0]-@C[9]}
        stmia   r14!,{@C[0]-@C[9]}
        ldmia   r12!,{@C[0]-@C[9]}
        stmia   r14!,{@C[0]-@C[9]}
        ldmia   r12!,{@C[0]-@C[9]}
        stmia   r14!,{@C[0]-@C[9]}
        ldmia   r12, {@C[0]-@C[9]}
        stmia   r14, {@C[0]-@C[9]}

        add     sp,sp,#320+32
        mov     r0,$len                 @ return value
        ldmia   sp!,{r4-r12,pc}
.size   SHA3_absorb,.-SHA3_absorb
___
}
{ my ($A_flat,$out,$len,$bsz, $byte,$shl) = map("r$_", (4..9));

$code.=<<___;
.global SHA3_squeeze
.type   SHA3_squeeze,%function
.align  5
SHA3_squeeze:
        stmdb   sp!,{r4-r10,lr}
        mov     r12,r0
        mov     $A_flat,r0
        mov     $out,r1
        mov     $len,r2
        mov     $bsz,r3
        mov     r14,r3
        b       .Loop_squeeze

.align  4
.Loop_squeeze:
        ldmia   r12!,{r0,r1}            @ A_flat[i++]
        mov     $shl,#28

.Lane_squeeze:
        lsl     r2,r0,$shl
        lsl     r3,r1,$shl
        eor     $byte,$byte,$byte
        adds    r3,r3,r3                @ sip through carry flag
        adc     $byte,$byte,$byte
        adds    r2,r2,r2
        adc     $byte,$byte,$byte
        adds    r3,r3,r3
        adc     $byte,$byte,$byte
        adds    r2,r2,r2
        adc     $byte,$byte,$byte
        adds    r3,r3,r3
        adc     $byte,$byte,$byte
        adds    r2,r2,r2
        adc     $byte,$byte,$byte
        adds    r3,r3,r3
        adc     $byte,$byte,$byte
        adds    r2,r2,r2
        adc     $byte,$byte,$byte
        subs    $len,$len,#1            @ len -= 1
        str     $byte,[$out],#1
        beq     .Lsqueeze_done
        subs    $shl,$shl,#4
        bhs     .Lane_squeeze

        subs    r14,r14,#8              @ bsz -= 8
        bhi     .Loop_squeeze

        mov     r0,$A_flat

        bl      KeccakF1600

        mov     r12,$A_flat
        mov     r14,$bsz
        b       .Loop_squeeze

.Lsqueeze_done:
        ldmia   sp!,{r4-r10,pc}
.size   SHA3_squeeze,.-SHA3_squeeze
.asciz  "Keccak-1600 absorb and squeeze for ARMv4, CRYPTOGAMS by <appro\@openssl.org>"
.align  2
___
}

print $code;

close STDOUT; # enforce flush