2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/e_os2.h>
/*
 * 32-bit rotate-left; "& 31" keeps the right-shift count in range even
 * when offset is 0, avoiding undefined behavior from a 32-bit shift.
 */
#define ROL32(a, offset) (((a) << (offset)) | ((a) >> ((32 - (offset)) & 31)))

/*
 * 64-bit rotate-left of |val| by |offset| bits.
 *
 * offset == 0 is special-cased because "val >> (64 - 0)" would be
 * undefined behavior.  On 64-bit targets a plain double-shift rotation
 * is used.  On 32-bit targets lanes are kept bit-interleaved (even bits
 * in the low 32-bit half, odd bits in the high half), so a 64-bit
 * rotation decomposes into two 32-bit rotations: an even offset rotates
 * both halves by offset/2, an odd offset additionally swaps the halves
 * and rotates the new low half by one extra bit.
 */
static uint64_t ROL64(uint64_t val, int offset)
{
    if (offset == 0) {
        return val;
    } else if (sizeof(void *) == 8) {
        return (val << offset) | (val >> (64-offset));
    } else {
        uint32_t hi = (uint32_t)(val >> 32), lo = (uint32_t)val;

        if (offset & 1) {
            uint32_t tmp = hi;

            offset >>= 1;
            hi = ROL32(lo, offset);
            lo = ROL32(tmp, offset + 1);
        } else {
            offset >>= 1;
            lo = ROL32(lo, offset);
            hi = ROL32(hi, offset);
        }

        return ((uint64_t)hi << 32) | lo;
    }
}
/*
 * Per-lane rotation amounts for the Rho step, indexed as [y][x].
 * FIPS 202 writes A[x, y]; C's row-major storage transposes this.
 */
static const unsigned char rhotates[5][5] = {
    {  0,  1, 62, 28, 27 },
    { 36, 44,  6, 55, 20 },
    {  3, 10, 43, 25, 39 },
    { 41, 45, 15, 21,  8 },
    { 18,  2, 61, 56, 14 }
};
/*
 * Round constants for the Iota step, one per round.  The left value of
 * each pair is the canonical 64-bit constant; the right value is the
 * same constant in the bit-interleaved representation used on 32-bit
 * targets (even bits in the low half, odd bits in the high half).
 */
static const uint64_t iotas[] = {
    sizeof(void *) == 8 ? 0x0000000000000001U : 0x0000000000000001U,
    sizeof(void *) == 8 ? 0x0000000000008082U : 0x0000008900000000U,
    sizeof(void *) == 8 ? 0x800000000000808aU : 0x8000008b00000000U,
    sizeof(void *) == 8 ? 0x8000000080008000U : 0x8000808000000000U,
    sizeof(void *) == 8 ? 0x000000000000808bU : 0x0000008b00000001U,
    sizeof(void *) == 8 ? 0x0000000080000001U : 0x0000800000000001U,
    sizeof(void *) == 8 ? 0x8000000080008081U : 0x8000808800000001U,
    sizeof(void *) == 8 ? 0x8000000000008009U : 0x8000008200000001U,
    sizeof(void *) == 8 ? 0x000000000000008aU : 0x0000000b00000000U,
    sizeof(void *) == 8 ? 0x0000000000000088U : 0x0000000a00000000U,
    sizeof(void *) == 8 ? 0x0000000080008009U : 0x0000808200000001U,
    sizeof(void *) == 8 ? 0x000000008000000aU : 0x0000800300000000U,
    sizeof(void *) == 8 ? 0x000000008000808bU : 0x0000808b00000001U,
    sizeof(void *) == 8 ? 0x800000000000008bU : 0x8000000b00000001U,
    sizeof(void *) == 8 ? 0x8000000000008089U : 0x8000008a00000001U,
    sizeof(void *) == 8 ? 0x8000000000008003U : 0x8000008100000001U,
    sizeof(void *) == 8 ? 0x8000000000008002U : 0x8000008100000000U,
    sizeof(void *) == 8 ? 0x8000000000000080U : 0x8000000800000000U,
    sizeof(void *) == 8 ? 0x000000000000800aU : 0x0000008300000000U,
    sizeof(void *) == 8 ? 0x800000008000000aU : 0x8000800300000000U,
    sizeof(void *) == 8 ? 0x8000000080008081U : 0x8000808800000001U,
    sizeof(void *) == 8 ? 0x8000000000008080U : 0x8000008800000000U,
    sizeof(void *) == 8 ? 0x0000000080000001U : 0x0000800000000001U,
    sizeof(void *) == 8 ? 0x8000000080008008U : 0x8000808200000000U
};
76 #if defined(KECCAK_REF)
78 * This is straightforward or "maximum clarity" implementation aiming
79 * to resemble section 3.2 of the FIPS PUB 202 "SHA-3 Standard:
80 * Permutation-Based Hash and Extendible-Output Functions" as much as
81 * possible. With one caveat. Because of the way C stores matrices,
82 * references to A[x,y] in the specification are presented as A[y][x].
83 * Implementation unrolls inner x-loops so that modulo 5 operations are
84 * explicitly pre-computed.
/*
 * Theta step (section 3.2.1 of FIPS 202): XOR each lane with the
 * parities of two neighbouring columns, D[x] = C[x-1] ^ ROL64(C[x+1], 1).
 */
static void Theta(uint64_t A[5][5])
{
    uint64_t C[5], D[5];
    size_t y;

    /* C[x] = parity of column x */
    C[0] = A[0][0];
    C[1] = A[0][1];
    C[2] = A[0][2];
    C[3] = A[0][3];
    C[4] = A[0][4];

    for (y = 1; y < 5; y++) {
        C[0] ^= A[y][0];
        C[1] ^= A[y][1];
        C[2] ^= A[y][2];
        C[3] ^= A[y][3];
        C[4] ^= A[y][4];
    }

    D[0] = ROL64(C[1], 1) ^ C[4];
    D[1] = ROL64(C[2], 1) ^ C[0];
    D[2] = ROL64(C[3], 1) ^ C[1];
    D[3] = ROL64(C[4], 1) ^ C[2];
    D[4] = ROL64(C[0], 1) ^ C[3];

    for (y = 0; y < 5; y++) {
        A[y][0] ^= D[0];
        A[y][1] ^= D[1];
        A[y][2] ^= D[2];
        A[y][3] ^= D[3];
        A[y][4] ^= D[4];
    }
}
120 static void Rho(uint64_t A[5][5])
124 for (y = 0; y < 5; y++) {
125 A[y][0] = ROL64(A[y][0], rhotates[y][0]);
126 A[y][1] = ROL64(A[y][1], rhotates[y][1]);
127 A[y][2] = ROL64(A[y][2], rhotates[y][2]);
128 A[y][3] = ROL64(A[y][3], rhotates[y][3]);
129 A[y][4] = ROL64(A[y][4], rhotates[y][4]);
/*
 * Pi step (section 3.2.3 of FIPS 202): lane permutation
 * A[y][x] = T[x][(3*y + x) % 5], where T is a snapshot of A.
 */
static void Pi(uint64_t A[5][5])
{
    uint64_t T[5][5];

    /*
     * T = A
     * A[y][x] = T[x][(3*y+x)%5]
     */
    memcpy(T, A, sizeof(T));

    A[0][0] = T[0][0];
    A[0][1] = T[1][1];
    A[0][2] = T[2][2];
    A[0][3] = T[3][3];
    A[0][4] = T[4][4];

    A[1][0] = T[0][3];
    A[1][1] = T[1][4];
    A[1][2] = T[2][0];
    A[1][3] = T[3][1];
    A[1][4] = T[4][2];

    A[2][0] = T[0][1];
    A[2][1] = T[1][2];
    A[2][2] = T[2][3];
    A[2][3] = T[3][4];
    A[2][4] = T[4][0];

    A[3][0] = T[0][4];
    A[3][1] = T[1][0];
    A[3][2] = T[2][1];
    A[3][3] = T[3][2];
    A[3][4] = T[4][3];

    A[4][0] = T[0][2];
    A[4][1] = T[1][3];
    A[4][2] = T[2][4];
    A[4][3] = T[3][0];
    A[4][4] = T[4][1];
}
/*
 * Chi step (section 3.2.4 of FIPS 202): the only non-linear step,
 * A[y][x] ^= ~A[y][x+1] & A[y][x+2], computed row by row into C[]
 * first so each row's inputs are read before being overwritten.
 */
static void Chi(uint64_t A[5][5])
{
    uint64_t C[5];
    size_t y;

    for (y = 0; y < 5; y++) {
        C[0] = A[y][0] ^ (~A[y][1] & A[y][2]);
        C[1] = A[y][1] ^ (~A[y][2] & A[y][3]);
        C[2] = A[y][2] ^ (~A[y][3] & A[y][4]);
        C[3] = A[y][3] ^ (~A[y][4] & A[y][0]);
        C[4] = A[y][4] ^ (~A[y][0] & A[y][1]);

        A[y][0] = C[0];
        A[y][1] = C[1];
        A[y][2] = C[2];
        A[y][3] = C[3];
        A[y][4] = C[4];
    }
}
194 static void Iota(uint64_t A[5][5], size_t i)
196 assert(i < (sizeof(iotas) / sizeof(iotas[0])));
/*
 * Keccak-f[1600] permutation: 24 rounds of Theta, Rho, Pi, Chi, Iota
 * applied to the 5x5 lane state A.
 */
void KeccakF1600(uint64_t A[5][5])
{
    size_t i;

    for (i = 0; i < 24; i++) {
        Theta(A);
        Rho(A);
        Pi(A);
        Chi(A);
        Iota(A, i);
    }
}
213 #elif defined(KECCAK_1X)
215 * This implementation is optimization of above code featuring unroll
216 * of even y-loops, their fusion and code motion. It also minimizes
217 * temporary storage. Compiler would normally do all these things for
218 * you, purpose of manual optimization is to provide "unobscured"
219 * reference for assembly implementation [in case this approach is
 * chosen for implementation on some platform]. In a nutshell it's
221 * equivalent of "plane-per-plane processing" approach discussed in
222 * section 2.4 of "Keccak implementation overview".
224 static void Round(uint64_t A[5][5], size_t i)
226 uint64_t C[5], D[5], T[2][5];
228 assert(i < (sizeof(iotas) / sizeof(iotas[0])));
230 C[0] = A[0][0] ^ A[1][0] ^ A[2][0] ^ A[3][0] ^ A[4][0];
231 C[1] = A[0][1] ^ A[1][1] ^ A[2][1] ^ A[3][1] ^ A[4][1];
232 C[2] = A[0][2] ^ A[1][2] ^ A[2][2] ^ A[3][2] ^ A[4][2];
233 C[3] = A[0][3] ^ A[1][3] ^ A[2][3] ^ A[3][3] ^ A[4][3];
234 C[4] = A[0][4] ^ A[1][4] ^ A[2][4] ^ A[3][4] ^ A[4][4];
236 D[0] = ROL64(C[1], 1) ^ C[4];
237 D[1] = ROL64(C[2], 1) ^ C[0];
238 D[2] = ROL64(C[3], 1) ^ C[1];
239 D[3] = ROL64(C[4], 1) ^ C[2];
240 D[4] = ROL64(C[0], 1) ^ C[3];
242 C[0] = A[0][0] ^ D[0]; /* rotate by 0 */
243 C[1] = ROL64(A[1][1] ^ D[1], rhotates[1][1]);
244 C[2] = ROL64(A[2][2] ^ D[2], rhotates[2][2]);
245 C[3] = ROL64(A[3][3] ^ D[3], rhotates[3][3]);
246 C[4] = ROL64(A[4][4] ^ D[4], rhotates[4][4]);
248 T[0][0] = A[3][0] ^ D[0]; /* borrow T[0][0] */
249 T[0][1] = A[0][1] ^ D[1];
250 T[0][2] = A[0][2] ^ D[2];
251 T[0][3] = A[0][3] ^ D[3];
252 T[0][4] = A[0][4] ^ D[4];
254 A[0][0] = C[0] ^ (~C[1] & C[2]) ^ iotas[i];
255 A[0][1] = C[1] ^ (~C[2] & C[3]);
256 A[0][2] = C[2] ^ (~C[3] & C[4]);
257 A[0][3] = C[3] ^ (~C[4] & C[0]);
258 A[0][4] = C[4] ^ (~C[0] & C[1]);
260 C[0] = ROL64(T[0][3], rhotates[0][3]);
261 C[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
262 C[2] = ROL64(A[2][0] ^ D[0], rhotates[2][0]);
263 C[3] = ROL64(A[3][1] ^ D[1], rhotates[3][1]);
264 C[4] = ROL64(A[4][2] ^ D[2], rhotates[4][2]);
266 T[1][0] = A[1][0] ^ D[0];
267 T[1][1] = A[2][1] ^ D[1]; /* borrow T[1][1] */
268 T[1][2] = A[1][2] ^ D[2];
269 T[1][3] = A[1][3] ^ D[3];
270 T[1][4] = A[2][4] ^ D[4]; /* borrow T[1][4] */
272 A[1][0] = C[0] ^ (~C[1] & C[2]);
273 A[1][1] = C[1] ^ (~C[2] & C[3]);
274 A[1][2] = C[2] ^ (~C[3] & C[4]);
275 A[1][3] = C[3] ^ (~C[4] & C[0]);
276 A[1][4] = C[4] ^ (~C[0] & C[1]);
278 C[0] = ROL64(T[0][1], rhotates[0][1]);
279 C[1] = ROL64(T[1][2], rhotates[1][2]);
280 C[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
281 C[3] = ROL64(A[3][4] ^ D[4], rhotates[3][4]);
282 C[4] = ROL64(A[4][0] ^ D[0], rhotates[4][0]);
284 A[2][0] = C[0] ^ (~C[1] & C[2]);
285 A[2][1] = C[1] ^ (~C[2] & C[3]);
286 A[2][2] = C[2] ^ (~C[3] & C[4]);
287 A[2][3] = C[3] ^ (~C[4] & C[0]);
288 A[2][4] = C[4] ^ (~C[0] & C[1]);
290 C[0] = ROL64(T[0][4], rhotates[0][4]);
291 C[1] = ROL64(T[1][0], rhotates[1][0]);
292 C[2] = ROL64(T[1][1], rhotates[2][1]); /* originally A[2][1] */
293 C[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
294 C[4] = ROL64(A[4][3] ^ D[3], rhotates[4][3]);
296 A[3][0] = C[0] ^ (~C[1] & C[2]);
297 A[3][1] = C[1] ^ (~C[2] & C[3]);
298 A[3][2] = C[2] ^ (~C[3] & C[4]);
299 A[3][3] = C[3] ^ (~C[4] & C[0]);
300 A[3][4] = C[4] ^ (~C[0] & C[1]);
302 C[0] = ROL64(T[0][2], rhotates[0][2]);
303 C[1] = ROL64(T[1][3], rhotates[1][3]);
304 C[2] = ROL64(T[1][4], rhotates[2][4]); /* originally A[2][4] */
305 C[3] = ROL64(T[0][0], rhotates[3][0]); /* originally A[3][0] */
306 C[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
308 A[4][0] = C[0] ^ (~C[1] & C[2]);
309 A[4][1] = C[1] ^ (~C[2] & C[3]);
310 A[4][2] = C[2] ^ (~C[3] & C[4]);
311 A[4][3] = C[3] ^ (~C[4] & C[0]);
312 A[4][4] = C[4] ^ (~C[0] & C[1]);
/*
 * Keccak-f[1600] permutation: 24 applications of the fused Round.
 */
void KeccakF1600(uint64_t A[5][5])
{
    size_t i;

    for (i = 0; i < 24; i++) {
        Round(A, i);
    }
}
324 #elif defined(KECCAK_2X)
326 * This implementation is variant of KECCAK_1X above with outer-most
327 * round loop unrolled twice. This allows to take temporary storage
328 * out of round procedure and simplify references to it by alternating
329 * it with actual data (see round loop below). Just like original, it's
330 * rather meant as reference for an assembly implementation. It's likely
331 * to provide best instruction per processed byte ratio at minimal
332 * round unroll factor...
334 static void Round(uint64_t R[5][5], uint64_t A[5][5], size_t i)
338 assert(i < (sizeof(iotas) / sizeof(iotas[0])));
340 C[0] = A[0][0] ^ A[1][0] ^ A[2][0] ^ A[3][0] ^ A[4][0];
341 C[1] = A[0][1] ^ A[1][1] ^ A[2][1] ^ A[3][1] ^ A[4][1];
342 C[2] = A[0][2] ^ A[1][2] ^ A[2][2] ^ A[3][2] ^ A[4][2];
343 C[3] = A[0][3] ^ A[1][3] ^ A[2][3] ^ A[3][3] ^ A[4][3];
344 C[4] = A[0][4] ^ A[1][4] ^ A[2][4] ^ A[3][4] ^ A[4][4];
346 D[0] = ROL64(C[1], 1) ^ C[4];
347 D[1] = ROL64(C[2], 1) ^ C[0];
348 D[2] = ROL64(C[3], 1) ^ C[1];
349 D[3] = ROL64(C[4], 1) ^ C[2];
350 D[4] = ROL64(C[0], 1) ^ C[3];
352 C[0] = A[0][0] ^ D[0]; /* rotate by 0 */
353 C[1] = ROL64(A[1][1] ^ D[1], rhotates[1][1]);
354 C[2] = ROL64(A[2][2] ^ D[2], rhotates[2][2]);
355 C[3] = ROL64(A[3][3] ^ D[3], rhotates[3][3]);
356 C[4] = ROL64(A[4][4] ^ D[4], rhotates[4][4]);
358 R[0][0] = C[0] ^ (~C[1] & C[2]) ^ iotas[i];
359 R[0][1] = C[1] ^ (~C[2] & C[3]);
360 R[0][2] = C[2] ^ (~C[3] & C[4]);
361 R[0][3] = C[3] ^ (~C[4] & C[0]);
362 R[0][4] = C[4] ^ (~C[0] & C[1]);
364 C[0] = ROL64(A[0][3] ^ D[3], rhotates[0][3]);
365 C[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
366 C[2] = ROL64(A[2][0] ^ D[0], rhotates[2][0]);
367 C[3] = ROL64(A[3][1] ^ D[1], rhotates[3][1]);
368 C[4] = ROL64(A[4][2] ^ D[2], rhotates[4][2]);
370 R[1][0] = C[0] ^ (~C[1] & C[2]);
371 R[1][1] = C[1] ^ (~C[2] & C[3]);
372 R[1][2] = C[2] ^ (~C[3] & C[4]);
373 R[1][3] = C[3] ^ (~C[4] & C[0]);
374 R[1][4] = C[4] ^ (~C[0] & C[1]);
376 C[0] = ROL64(A[0][1] ^ D[1], rhotates[0][1]);
377 C[1] = ROL64(A[1][2] ^ D[2], rhotates[1][2]);
378 C[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
379 C[3] = ROL64(A[3][4] ^ D[4], rhotates[3][4]);
380 C[4] = ROL64(A[4][0] ^ D[0], rhotates[4][0]);
382 R[2][0] = C[0] ^ (~C[1] & C[2]);
383 R[2][1] = C[1] ^ (~C[2] & C[3]);
384 R[2][2] = C[2] ^ (~C[3] & C[4]);
385 R[2][3] = C[3] ^ (~C[4] & C[0]);
386 R[2][4] = C[4] ^ (~C[0] & C[1]);
388 C[0] = ROL64(A[0][4] ^ D[4], rhotates[0][4]);
389 C[1] = ROL64(A[1][0] ^ D[0], rhotates[1][0]);
390 C[2] = ROL64(A[2][1] ^ D[1], rhotates[2][1]);
391 C[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
392 C[4] = ROL64(A[4][3] ^ D[3], rhotates[4][3]);
394 R[3][0] = C[0] ^ (~C[1] & C[2]);
395 R[3][1] = C[1] ^ (~C[2] & C[3]);
396 R[3][2] = C[2] ^ (~C[3] & C[4]);
397 R[3][3] = C[3] ^ (~C[4] & C[0]);
398 R[3][4] = C[4] ^ (~C[0] & C[1]);
400 C[0] = ROL64(A[0][2] ^ D[2], rhotates[0][2]);
401 C[1] = ROL64(A[1][3] ^ D[3], rhotates[1][3]);
402 C[2] = ROL64(A[2][4] ^ D[4], rhotates[2][4]);
403 C[3] = ROL64(A[3][0] ^ D[0], rhotates[3][0]);
404 C[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
406 R[4][0] = C[0] ^ (~C[1] & C[2]);
407 R[4][1] = C[1] ^ (~C[2] & C[3]);
408 R[4][2] = C[2] ^ (~C[3] & C[4]);
409 R[4][3] = C[3] ^ (~C[4] & C[0]);
410 R[4][4] = C[4] ^ (~C[0] & C[1]);
/*
 * Keccak-f[1600] permutation: rounds run in pairs, ping-ponging the
 * state between A and the temporary buffer T.
 */
void KeccakF1600(uint64_t A[5][5])
{
    uint64_t T[5][5];
    size_t i;

    for (i = 0; i < 24; i += 2) {
        Round(T, A, i);
        Round(A, T, i + 1);
    }
}
426 * This implementation is KECCAK_1X from above combined 4 times with
427 * a twist that allows to omit temporary storage and perform in-place
428 * processing. It's discussed in section 2.5 of "Keccak implementation
429 * overview". It's likely to be best suited for processors with large
432 static void FourRounds(uint64_t A[5][5], size_t i)
434 uint64_t B[5], C[5], D[5];
436 assert(i <= (sizeof(iotas) / sizeof(iotas[0]) - 4));
439 C[0] = A[0][0] ^ A[1][0] ^ A[2][0] ^ A[3][0] ^ A[4][0];
440 C[1] = A[0][1] ^ A[1][1] ^ A[2][1] ^ A[3][1] ^ A[4][1];
441 C[2] = A[0][2] ^ A[1][2] ^ A[2][2] ^ A[3][2] ^ A[4][2];
442 C[3] = A[0][3] ^ A[1][3] ^ A[2][3] ^ A[3][3] ^ A[4][3];
443 C[4] = A[0][4] ^ A[1][4] ^ A[2][4] ^ A[3][4] ^ A[4][4];
445 D[0] = ROL64(C[1], 1) ^ C[4];
446 D[1] = ROL64(C[2], 1) ^ C[0];
447 D[2] = ROL64(C[3], 1) ^ C[1];
448 D[3] = ROL64(C[4], 1) ^ C[2];
449 D[4] = ROL64(C[0], 1) ^ C[3];
451 B[0] = A[0][0] ^ D[0]; /* rotate by 0 */
452 B[1] = ROL64(A[1][1] ^ D[1], rhotates[1][1]);
453 B[2] = ROL64(A[2][2] ^ D[2], rhotates[2][2]);
454 B[3] = ROL64(A[3][3] ^ D[3], rhotates[3][3]);
455 B[4] = ROL64(A[4][4] ^ D[4], rhotates[4][4]);
457 C[0] = A[0][0] = B[0] ^ (~B[1] & B[2]) ^ iotas[i];
458 C[1] = A[1][1] = B[1] ^ (~B[2] & B[3]);
459 C[2] = A[2][2] = B[2] ^ (~B[3] & B[4]);
460 C[3] = A[3][3] = B[3] ^ (~B[4] & B[0]);
461 C[4] = A[4][4] = B[4] ^ (~B[0] & B[1]);
463 B[0] = ROL64(A[0][3] ^ D[3], rhotates[0][3]);
464 B[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
465 B[2] = ROL64(A[2][0] ^ D[0], rhotates[2][0]);
466 B[3] = ROL64(A[3][1] ^ D[1], rhotates[3][1]);
467 B[4] = ROL64(A[4][2] ^ D[2], rhotates[4][2]);
469 C[0] ^= A[2][0] = B[0] ^ (~B[1] & B[2]);
470 C[1] ^= A[3][1] = B[1] ^ (~B[2] & B[3]);
471 C[2] ^= A[4][2] = B[2] ^ (~B[3] & B[4]);
472 C[3] ^= A[0][3] = B[3] ^ (~B[4] & B[0]);
473 C[4] ^= A[1][4] = B[4] ^ (~B[0] & B[1]);
475 B[0] = ROL64(A[0][1] ^ D[1], rhotates[0][1]);
476 B[1] = ROL64(A[1][2] ^ D[2], rhotates[1][2]);
477 B[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
478 B[3] = ROL64(A[3][4] ^ D[4], rhotates[3][4]);
479 B[4] = ROL64(A[4][0] ^ D[0], rhotates[4][0]);
481 C[0] ^= A[4][0] = B[0] ^ (~B[1] & B[2]);
482 C[1] ^= A[0][1] = B[1] ^ (~B[2] & B[3]);
483 C[2] ^= A[1][2] = B[2] ^ (~B[3] & B[4]);
484 C[3] ^= A[2][3] = B[3] ^ (~B[4] & B[0]);
485 C[4] ^= A[3][4] = B[4] ^ (~B[0] & B[1]);
487 B[0] = ROL64(A[0][4] ^ D[4], rhotates[0][4]);
488 B[1] = ROL64(A[1][0] ^ D[0], rhotates[1][0]);
489 B[2] = ROL64(A[2][1] ^ D[1], rhotates[2][1]);
490 B[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
491 B[4] = ROL64(A[4][3] ^ D[3], rhotates[4][3]);
493 C[0] ^= A[1][0] = B[0] ^ (~B[1] & B[2]);
494 C[1] ^= A[2][1] = B[1] ^ (~B[2] & B[3]);
495 C[2] ^= A[3][2] = B[2] ^ (~B[3] & B[4]);
496 C[3] ^= A[4][3] = B[3] ^ (~B[4] & B[0]);
497 C[4] ^= A[0][4] = B[4] ^ (~B[0] & B[1]);
499 B[0] = ROL64(A[0][2] ^ D[2], rhotates[0][2]);
500 B[1] = ROL64(A[1][3] ^ D[3], rhotates[1][3]);
501 B[2] = ROL64(A[2][4] ^ D[4], rhotates[2][4]);
502 B[3] = ROL64(A[3][0] ^ D[0], rhotates[3][0]);
503 B[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
505 C[0] ^= A[3][0] = B[0] ^ (~B[1] & B[2]);
506 C[1] ^= A[4][1] = B[1] ^ (~B[2] & B[3]);
507 C[2] ^= A[0][2] = B[2] ^ (~B[3] & B[4]);
508 C[3] ^= A[1][3] = B[3] ^ (~B[4] & B[0]);
509 C[4] ^= A[2][4] = B[4] ^ (~B[0] & B[1]);
512 D[0] = ROL64(C[1], 1) ^ C[4];
513 D[1] = ROL64(C[2], 1) ^ C[0];
514 D[2] = ROL64(C[3], 1) ^ C[1];
515 D[3] = ROL64(C[4], 1) ^ C[2];
516 D[4] = ROL64(C[0], 1) ^ C[3];
518 B[0] = A[0][0] ^ D[0]; /* rotate by 0 */
519 B[1] = ROL64(A[3][1] ^ D[1], rhotates[1][1]);
520 B[2] = ROL64(A[1][2] ^ D[2], rhotates[2][2]);
521 B[3] = ROL64(A[4][3] ^ D[3], rhotates[3][3]);
522 B[4] = ROL64(A[2][4] ^ D[4], rhotates[4][4]);
524 C[0] = A[0][0] = B[0] ^ (~B[1] & B[2]) ^ iotas[i + 1];
525 C[1] = A[3][1] = B[1] ^ (~B[2] & B[3]);
526 C[2] = A[1][2] = B[2] ^ (~B[3] & B[4]);
527 C[3] = A[4][3] = B[3] ^ (~B[4] & B[0]);
528 C[4] = A[2][4] = B[4] ^ (~B[0] & B[1]);
530 B[0] = ROL64(A[3][3] ^ D[3], rhotates[0][3]);
531 B[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
532 B[2] = ROL64(A[4][0] ^ D[0], rhotates[2][0]);
533 B[3] = ROL64(A[2][1] ^ D[1], rhotates[3][1]);
534 B[4] = ROL64(A[0][2] ^ D[2], rhotates[4][2]);
536 C[0] ^= A[4][0] = B[0] ^ (~B[1] & B[2]);
537 C[1] ^= A[2][1] = B[1] ^ (~B[2] & B[3]);
538 C[2] ^= A[0][2] = B[2] ^ (~B[3] & B[4]);
539 C[3] ^= A[3][3] = B[3] ^ (~B[4] & B[0]);
540 C[4] ^= A[1][4] = B[4] ^ (~B[0] & B[1]);
542 B[0] = ROL64(A[1][1] ^ D[1], rhotates[0][1]);
543 B[1] = ROL64(A[4][2] ^ D[2], rhotates[1][2]);
544 B[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
545 B[3] = ROL64(A[0][4] ^ D[4], rhotates[3][4]);
546 B[4] = ROL64(A[3][0] ^ D[0], rhotates[4][0]);
548 C[0] ^= A[3][0] = B[0] ^ (~B[1] & B[2]);
549 C[1] ^= A[1][1] = B[1] ^ (~B[2] & B[3]);
550 C[2] ^= A[4][2] = B[2] ^ (~B[3] & B[4]);
551 C[3] ^= A[2][3] = B[3] ^ (~B[4] & B[0]);
552 C[4] ^= A[0][4] = B[4] ^ (~B[0] & B[1]);
554 B[0] = ROL64(A[4][4] ^ D[4], rhotates[0][4]);
555 B[1] = ROL64(A[2][0] ^ D[0], rhotates[1][0]);
556 B[2] = ROL64(A[0][1] ^ D[1], rhotates[2][1]);
557 B[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
558 B[4] = ROL64(A[1][3] ^ D[3], rhotates[4][3]);
560 C[0] ^= A[2][0] = B[0] ^ (~B[1] & B[2]);
561 C[1] ^= A[0][1] = B[1] ^ (~B[2] & B[3]);
562 C[2] ^= A[3][2] = B[2] ^ (~B[3] & B[4]);
563 C[3] ^= A[1][3] = B[3] ^ (~B[4] & B[0]);
564 C[4] ^= A[4][4] = B[4] ^ (~B[0] & B[1]);
566 B[0] = ROL64(A[2][2] ^ D[2], rhotates[0][2]);
567 B[1] = ROL64(A[0][3] ^ D[3], rhotates[1][3]);
568 B[2] = ROL64(A[3][4] ^ D[4], rhotates[2][4]);
569 B[3] = ROL64(A[1][0] ^ D[0], rhotates[3][0]);
570 B[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
572 C[0] ^= A[1][0] = B[0] ^ (~B[1] & B[2]);
573 C[1] ^= A[4][1] = B[1] ^ (~B[2] & B[3]);
574 C[2] ^= A[2][2] = B[2] ^ (~B[3] & B[4]);
575 C[3] ^= A[0][3] = B[3] ^ (~B[4] & B[0]);
576 C[4] ^= A[3][4] = B[4] ^ (~B[0] & B[1]);
579 D[0] = ROL64(C[1], 1) ^ C[4];
580 D[1] = ROL64(C[2], 1) ^ C[0];
581 D[2] = ROL64(C[3], 1) ^ C[1];
582 D[3] = ROL64(C[4], 1) ^ C[2];
583 D[4] = ROL64(C[0], 1) ^ C[3];
585 B[0] = A[0][0] ^ D[0]; /* rotate by 0 */
586 B[1] = ROL64(A[2][1] ^ D[1], rhotates[1][1]);
587 B[2] = ROL64(A[4][2] ^ D[2], rhotates[2][2]);
588 B[3] = ROL64(A[1][3] ^ D[3], rhotates[3][3]);
589 B[4] = ROL64(A[3][4] ^ D[4], rhotates[4][4]);
591 C[0] = A[0][0] = B[0] ^ (~B[1] & B[2]) ^ iotas[i + 2];
592 C[1] = A[2][1] = B[1] ^ (~B[2] & B[3]);
593 C[2] = A[4][2] = B[2] ^ (~B[3] & B[4]);
594 C[3] = A[1][3] = B[3] ^ (~B[4] & B[0]);
595 C[4] = A[3][4] = B[4] ^ (~B[0] & B[1]);
597 B[0] = ROL64(A[4][3] ^ D[3], rhotates[0][3]);
598 B[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
599 B[2] = ROL64(A[3][0] ^ D[0], rhotates[2][0]);
600 B[3] = ROL64(A[0][1] ^ D[1], rhotates[3][1]);
601 B[4] = ROL64(A[2][2] ^ D[2], rhotates[4][2]);
603 C[0] ^= A[3][0] = B[0] ^ (~B[1] & B[2]);
604 C[1] ^= A[0][1] = B[1] ^ (~B[2] & B[3]);
605 C[2] ^= A[2][2] = B[2] ^ (~B[3] & B[4]);
606 C[3] ^= A[4][3] = B[3] ^ (~B[4] & B[0]);
607 C[4] ^= A[1][4] = B[4] ^ (~B[0] & B[1]);
609 B[0] = ROL64(A[3][1] ^ D[1], rhotates[0][1]);
610 B[1] = ROL64(A[0][2] ^ D[2], rhotates[1][2]);
611 B[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
612 B[3] = ROL64(A[4][4] ^ D[4], rhotates[3][4]);
613 B[4] = ROL64(A[1][0] ^ D[0], rhotates[4][0]);
615 C[0] ^= A[1][0] = B[0] ^ (~B[1] & B[2]);
616 C[1] ^= A[3][1] = B[1] ^ (~B[2] & B[3]);
617 C[2] ^= A[0][2] = B[2] ^ (~B[3] & B[4]);
618 C[3] ^= A[2][3] = B[3] ^ (~B[4] & B[0]);
619 C[4] ^= A[4][4] = B[4] ^ (~B[0] & B[1]);
621 B[0] = ROL64(A[2][4] ^ D[4], rhotates[0][4]);
622 B[1] = ROL64(A[4][0] ^ D[0], rhotates[1][0]);
623 B[2] = ROL64(A[1][1] ^ D[1], rhotates[2][1]);
624 B[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
625 B[4] = ROL64(A[0][3] ^ D[3], rhotates[4][3]);
627 C[0] ^= A[4][0] = B[0] ^ (~B[1] & B[2]);
628 C[1] ^= A[1][1] = B[1] ^ (~B[2] & B[3]);
629 C[2] ^= A[3][2] = B[2] ^ (~B[3] & B[4]);
630 C[3] ^= A[0][3] = B[3] ^ (~B[4] & B[0]);
631 C[4] ^= A[2][4] = B[4] ^ (~B[0] & B[1]);
633 B[0] = ROL64(A[1][2] ^ D[2], rhotates[0][2]);
634 B[1] = ROL64(A[3][3] ^ D[3], rhotates[1][3]);
635 B[2] = ROL64(A[0][4] ^ D[4], rhotates[2][4]);
636 B[3] = ROL64(A[2][0] ^ D[0], rhotates[3][0]);
637 B[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
639 C[0] ^= A[2][0] = B[0] ^ (~B[1] & B[2]);
640 C[1] ^= A[4][1] = B[1] ^ (~B[2] & B[3]);
641 C[2] ^= A[1][2] = B[2] ^ (~B[3] & B[4]);
642 C[3] ^= A[3][3] = B[3] ^ (~B[4] & B[0]);
643 C[4] ^= A[0][4] = B[4] ^ (~B[0] & B[1]);
646 D[0] = ROL64(C[1], 1) ^ C[4];
647 D[1] = ROL64(C[2], 1) ^ C[0];
648 D[2] = ROL64(C[3], 1) ^ C[1];
649 D[3] = ROL64(C[4], 1) ^ C[2];
650 D[4] = ROL64(C[0], 1) ^ C[3];
652 B[0] = A[0][0] ^ D[0]; /* rotate by 0 */
653 B[1] = ROL64(A[0][1] ^ D[1], rhotates[1][1]);
654 B[2] = ROL64(A[0][2] ^ D[2], rhotates[2][2]);
655 B[3] = ROL64(A[0][3] ^ D[3], rhotates[3][3]);
656 B[4] = ROL64(A[0][4] ^ D[4], rhotates[4][4]);
658 /* C[0] = */ A[0][0] = B[0] ^ (~B[1] & B[2]) ^ iotas[i + 3];
659 /* C[1] = */ A[0][1] = B[1] ^ (~B[2] & B[3]);
660 /* C[2] = */ A[0][2] = B[2] ^ (~B[3] & B[4]);
661 /* C[3] = */ A[0][3] = B[3] ^ (~B[4] & B[0]);
662 /* C[4] = */ A[0][4] = B[4] ^ (~B[0] & B[1]);
664 B[0] = ROL64(A[1][3] ^ D[3], rhotates[0][3]);
665 B[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
666 B[2] = ROL64(A[1][0] ^ D[0], rhotates[2][0]);
667 B[3] = ROL64(A[1][1] ^ D[1], rhotates[3][1]);
668 B[4] = ROL64(A[1][2] ^ D[2], rhotates[4][2]);
670 /* C[0] ^= */ A[1][0] = B[0] ^ (~B[1] & B[2]);
671 /* C[1] ^= */ A[1][1] = B[1] ^ (~B[2] & B[3]);
672 /* C[2] ^= */ A[1][2] = B[2] ^ (~B[3] & B[4]);
673 /* C[3] ^= */ A[1][3] = B[3] ^ (~B[4] & B[0]);
674 /* C[4] ^= */ A[1][4] = B[4] ^ (~B[0] & B[1]);
676 B[0] = ROL64(A[2][1] ^ D[1], rhotates[0][1]);
677 B[1] = ROL64(A[2][2] ^ D[2], rhotates[1][2]);
678 B[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
679 B[3] = ROL64(A[2][4] ^ D[4], rhotates[3][4]);
680 B[4] = ROL64(A[2][0] ^ D[0], rhotates[4][0]);
682 /* C[0] ^= */ A[2][0] = B[0] ^ (~B[1] & B[2]);
683 /* C[1] ^= */ A[2][1] = B[1] ^ (~B[2] & B[3]);
684 /* C[2] ^= */ A[2][2] = B[2] ^ (~B[3] & B[4]);
685 /* C[3] ^= */ A[2][3] = B[3] ^ (~B[4] & B[0]);
686 /* C[4] ^= */ A[2][4] = B[4] ^ (~B[0] & B[1]);
688 B[0] = ROL64(A[3][4] ^ D[4], rhotates[0][4]);
689 B[1] = ROL64(A[3][0] ^ D[0], rhotates[1][0]);
690 B[2] = ROL64(A[3][1] ^ D[1], rhotates[2][1]);
691 B[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
692 B[4] = ROL64(A[3][3] ^ D[3], rhotates[4][3]);
694 /* C[0] ^= */ A[3][0] = B[0] ^ (~B[1] & B[2]);
695 /* C[1] ^= */ A[3][1] = B[1] ^ (~B[2] & B[3]);
696 /* C[2] ^= */ A[3][2] = B[2] ^ (~B[3] & B[4]);
697 /* C[3] ^= */ A[3][3] = B[3] ^ (~B[4] & B[0]);
698 /* C[4] ^= */ A[3][4] = B[4] ^ (~B[0] & B[1]);
700 B[0] = ROL64(A[4][2] ^ D[2], rhotates[0][2]);
701 B[1] = ROL64(A[4][3] ^ D[3], rhotates[1][3]);
702 B[2] = ROL64(A[4][4] ^ D[4], rhotates[2][4]);
703 B[3] = ROL64(A[4][0] ^ D[0], rhotates[3][0]);
704 B[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
706 /* C[0] ^= */ A[4][0] = B[0] ^ (~B[1] & B[2]);
707 /* C[1] ^= */ A[4][1] = B[1] ^ (~B[2] & B[3]);
708 /* C[2] ^= */ A[4][2] = B[2] ^ (~B[3] & B[4]);
709 /* C[3] ^= */ A[4][3] = B[3] ^ (~B[4] & B[0]);
710 /* C[4] ^= */ A[4][4] = B[4] ^ (~B[0] & B[1]);
/*
 * Keccak-f[1600] permutation: 24 rounds processed four at a time,
 * entirely in place.
 */
void KeccakF1600(uint64_t A[5][5])
{
    size_t i;

    for (i = 0; i < 24; i += 4) {
        FourRounds(A, i);
    }
}
/*
 * Convert a lane to the bit-interleaved representation used on 32-bit
 * targets: even-numbered bits are gathered into the low 32-bit half,
 * odd-numbered bits into the high half.  On 64-bit targets this is an
 * identity transform.
 */
static uint64_t BitInterleave(uint64_t Ai)
{
    if (sizeof(void *) < 8) {
        uint32_t hi = 0, lo = 0;
        int j;

        for (j = 0; j < 32; j++) {
            lo |= ((uint32_t)(Ai >> (2 * j)) & 1) << j;
            hi |= ((uint32_t)(Ai >> (2 * j + 1)) & 1) << j;
        }

        Ai = ((uint64_t)hi << 32) | lo;
    }

    return Ai;
}
/*
 * Inverse of BitInterleave: scatter the low 32-bit half back to the
 * even bit positions and the high half to the odd positions.  Ai must
 * be cleared before re-accumulation or stale bits would survive.  On
 * 64-bit targets this is an identity transform.
 */
static uint64_t BitDeinterleave(uint64_t Ai)
{
    if (sizeof(void *) < 8) {
        uint32_t hi = (uint32_t)(Ai >> 32), lo = (uint32_t)Ai;
        int j;

        Ai = 0;

        for (j = 0; j < 32; j++) {
            Ai |= (uint64_t)((lo >> j) & 1) << (2 * j);
            Ai |= (uint64_t)((hi >> j) & 1) << (2 * j + 1);
        }
    }

    return Ai;
}
758 * SHA3_absorb can be called multiple times, but at each invocation
759 * largest multiple of |r| out of |len| bytes are processed. Then
760 * remaining amount of bytes are returned. This is done to spare caller
761 * trouble of calculating the largest multiple of |r|, effectively the
762 * blocksize. It is commonly (1600 - 256*n)/8, e.g. 168, 136, 104, 72,
763 * but can also be (1600 - 448)/8 = 144. All this means that message
764 * padding and intermediate sub-block buffering, byte- or bitwise, is
 * caller's responsibility.
/*
 * Absorb |len| message bytes into the sponge state |A| at rate |r|
 * (bytes per block).  Only the largest multiple of |r| is consumed;
 * the count of unprocessed trailing bytes is returned, so the caller
 * handles padding and sub-block buffering.
 */
size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len,
                   size_t r)
{
    uint64_t *A_flat = (uint64_t *)A;
    size_t i, w = r / 8;

    assert(r < (25 * sizeof(A[0][0])) && (r % 8) == 0);

    while (len >= r) {
        for (i = 0; i < w; i++) {
            /* assemble a little-endian 64-bit lane from 8 input bytes */
            uint64_t Ai = (uint64_t)inp[0] | (uint64_t)inp[1] << 8 |
                          (uint64_t)inp[2] << 16 | (uint64_t)inp[3] << 24 |
                          (uint64_t)inp[4] << 32 | (uint64_t)inp[5] << 40 |
                          (uint64_t)inp[6] << 48 | (uint64_t)inp[7] << 56;
            inp += 8;

            A_flat[i] ^= BitInterleave(Ai);
        }
        KeccakF1600(A);
        len -= r;
    }

    return len;
}
793 * SHA3_squeeze is called once at the end to generate |out| hash value
/*
 * Squeeze |len| output bytes from the sponge state |A| at rate |r|.
 * Whole blocks are emitted with a permutation between them; the final
 * partial block is emitted lane by lane, with any trailing sub-lane
 * remainder written byte by byte.
 */
void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r)
{
    uint64_t *A_flat = (uint64_t *)A;
    size_t i, rem, w = r / 8;

    assert(r < (25 * sizeof(A[0][0])) && (r % 8) == 0);

    while (len >= r) {
        for (i = 0; i < w; i++) {
            uint64_t Ai = BitDeinterleave(A_flat[i]);

            out[0] = (unsigned char)(Ai);
            out[1] = (unsigned char)(Ai >> 8);
            out[2] = (unsigned char)(Ai >> 16);
            out[3] = (unsigned char)(Ai >> 24);
            out[4] = (unsigned char)(Ai >> 32);
            out[5] = (unsigned char)(Ai >> 40);
            out[6] = (unsigned char)(Ai >> 48);
            out[7] = (unsigned char)(Ai >> 56);
            out += 8;
        }
        KeccakF1600(A);
        len -= r;
    }

    rem = len % 8;      /* trailing bytes that don't fill a whole lane */
    len /= 8;           /* remaining whole lanes */

    for (i = 0; i < len; i++) {
        uint64_t Ai = BitDeinterleave(A_flat[i]);

        out[0] = (unsigned char)(Ai);
        out[1] = (unsigned char)(Ai >> 8);
        out[2] = (unsigned char)(Ai >> 16);
        out[3] = (unsigned char)(Ai >> 24);
        out[4] = (unsigned char)(Ai >> 32);
        out[5] = (unsigned char)(Ai >> 40);
        out[6] = (unsigned char)(Ai >> 48);
        out[7] = (unsigned char)(Ai >> 56);
        out += 8;
    }

    if (rem) {
        uint64_t Ai = BitDeinterleave(A_flat[i]);

        for (i = 0; i < rem; i++) {
            *out++ = (unsigned char)Ai;
            Ai >>= 8;
        }
    }
}
851 * Post-padding one-shot implementations would look as following:
853 * SHA3_224 SHA3_sponge(inp, len, out, 224/8, (1600-448)/8);
854 * SHA3_256 SHA3_sponge(inp, len, out, 256/8, (1600-512)/8);
855 * SHA3_384 SHA3_sponge(inp, len, out, 384/8, (1600-768)/8);
856 * SHA3_512 SHA3_sponge(inp, len, out, 512/8, (1600-1024)/8);
857 * SHAKE_128 SHA3_sponge(inp, len, out, d, (1600-256)/8);
858 * SHAKE_256 SHA3_sponge(inp, len, out, d, (1600-512)/8);
/*
 * One-shot sponge over a pre-padded message: absorb |len| bytes of
 * |inp| at rate |r|, then squeeze |d| digest bytes into |out|.
 */
void SHA3_sponge(const unsigned char *inp, size_t len,
                 unsigned char *out, size_t d, size_t r)
{
    uint64_t A[5][5];

    memset(A, 0, sizeof(A));
    SHA3_absorb(A, inp, len, r);
    SHA3_squeeze(A, out, d, r);
}
int main()
{
    /*
     * This is 5-bit SHAKE128 test from http://csrc.nist.gov/groups/ST/toolkit/examples.html#aHashing
     */
    unsigned char test[168] = { '\xf3', '\x3' };
    unsigned char out[512];
    size_t i;
    static const unsigned char result[512] = {
        0x2E, 0x0A, 0xBF, 0xBA, 0x83, 0xE6, 0x72, 0x0B,
        0xFB, 0xC2, 0x25, 0xFF, 0x6B, 0x7A, 0xB9, 0xFF,
        0xCE, 0x58, 0xBA, 0x02, 0x7E, 0xE3, 0xD8, 0x98,
        0x76, 0x4F, 0xEF, 0x28, 0x7D, 0xDE, 0xCC, 0xCA,
        0x3E, 0x6E, 0x59, 0x98, 0x41, 0x1E, 0x7D, 0xDB,
        0x32, 0xF6, 0x75, 0x38, 0xF5, 0x00, 0xB1, 0x8C,
        0x8C, 0x97, 0xC4, 0x52, 0xC3, 0x70, 0xEA, 0x2C,
        0xF0, 0xAF, 0xCA, 0x3E, 0x05, 0xDE, 0x7E, 0x4D,
        0xE2, 0x7F, 0xA4, 0x41, 0xA9, 0xCB, 0x34, 0xFD,
        0x17, 0xC9, 0x78, 0xB4, 0x2D, 0x5B, 0x7E, 0x7F,
        0x9A, 0xB1, 0x8F, 0xFE, 0xFF, 0xC3, 0xC5, 0xAC,
        0x2F, 0x3A, 0x45, 0x5E, 0xEB, 0xFD, 0xC7, 0x6C,
        0xEA, 0xEB, 0x0A, 0x2C, 0xCA, 0x22, 0xEE, 0xF6,
        0xE6, 0x37, 0xF4, 0xCA, 0xBE, 0x5C, 0x51, 0xDE,
        0xD2, 0xE3, 0xFA, 0xD8, 0xB9, 0x52, 0x70, 0xA3,
        0x21, 0x84, 0x56, 0x64, 0xF1, 0x07, 0xD1, 0x64,
        0x96, 0xBB, 0x7A, 0xBF, 0xBE, 0x75, 0x04, 0xB6,
        0xED, 0xE2, 0xE8, 0x9E, 0x4B, 0x99, 0x6F, 0xB5,
        0x8E, 0xFD, 0xC4, 0x18, 0x1F, 0x91, 0x63, 0x38,
        0x1C, 0xBE, 0x7B, 0xC0, 0x06, 0xA7, 0xA2, 0x05,
        0x98, 0x9C, 0x52, 0x6C, 0xD1, 0xBD, 0x68, 0x98,
        0x36, 0x93, 0xB4, 0xBD, 0xC5, 0x37, 0x28, 0xB2,
        0x41, 0xC1, 0xCF, 0xF4, 0x2B, 0xB6, 0x11, 0x50,
        0x2C, 0x35, 0x20, 0x5C, 0xAB, 0xB2, 0x88, 0x75,
        0x56, 0x55, 0xD6, 0x20, 0xC6, 0x79, 0x94, 0xF0,
        0x64, 0x51, 0x18, 0x7F, 0x6F, 0xD1, 0x7E, 0x04,
        0x66, 0x82, 0xBA, 0x12, 0x86, 0x06, 0x3F, 0xF8,
        0x8F, 0xE2, 0x50, 0x8D, 0x1F, 0xCA, 0xF9, 0x03,
        0x5A, 0x12, 0x31, 0xAD, 0x41, 0x50, 0xA9, 0xC9,
        0xB2, 0x4C, 0x9B, 0x2D, 0x66, 0xB2, 0xAD, 0x1B,
        0xDE, 0x0B, 0xD0, 0xBB, 0xCB, 0x8B, 0xE0, 0x5B,
        0x83, 0x52, 0x29, 0xEF, 0x79, 0x19, 0x73, 0x73,
        0x23, 0x42, 0x44, 0x01, 0xE1, 0xD8, 0x37, 0xB6,
        0x6E, 0xB4, 0xE6, 0x30, 0xFF, 0x1D, 0xE7, 0x0C,
        0xB3, 0x17, 0xC2, 0xBA, 0xCB, 0x08, 0x00, 0x1D,
        0x34, 0x77, 0xB7, 0xA7, 0x0A, 0x57, 0x6D, 0x20,
        0x86, 0x90, 0x33, 0x58, 0x9D, 0x85, 0xA0, 0x1D,
        0xDB, 0x2B, 0x66, 0x46, 0xC0, 0x43, 0xB5, 0x9F,
        0xC0, 0x11, 0x31, 0x1D, 0xA6, 0x66, 0xFA, 0x5A,
        0xD1, 0xD6, 0x38, 0x7F, 0xA9, 0xBC, 0x40, 0x15,
        0xA3, 0x8A, 0x51, 0xD1, 0xDA, 0x1E, 0xA6, 0x1D,
        0x64, 0x8D, 0xC8, 0xE3, 0x9A, 0x88, 0xB9, 0xD6,
        0x22, 0xBD, 0xE2, 0x07, 0xFD, 0xAB, 0xC6, 0xF2,
        0x82, 0x7A, 0x88, 0x0C, 0x33, 0x0B, 0xBF, 0x6D,
        0xF7, 0x33, 0x77, 0x4B, 0x65, 0x3E, 0x57, 0x30,
        0x5D, 0x78, 0xDC, 0xE1, 0x12, 0xF1, 0x0A, 0x2C,
        0x71, 0xF4, 0xCD, 0xAD, 0x92, 0xED, 0x11, 0x3E,
        0x1C, 0xEA, 0x63, 0xB9, 0x19, 0x25, 0xED, 0x28,
        0x19, 0x1E, 0x6D, 0xBB, 0xB5, 0xAA, 0x5A, 0x2A,
        0xFD, 0xA5, 0x1F, 0xC0, 0x5A, 0x3A, 0xF5, 0x25,
        0x8B, 0x87, 0x66, 0x52, 0x43, 0x55, 0x0F, 0x28,
        0x94, 0x8A, 0xE2, 0xB8, 0xBE, 0xB6, 0xBC, 0x9C,
        0x77, 0x0B, 0x35, 0xF0, 0x67, 0xEA, 0xA6, 0x41,
        0xEF, 0xE6, 0x5B, 0x1A, 0x44, 0x90, 0x9D, 0x1B,
        0x14, 0x9F, 0x97, 0xEE, 0xA6, 0x01, 0x39, 0x1C,
        0x60, 0x9E, 0xC8, 0x1D, 0x19, 0x30, 0xF5, 0x7C,
        0x18, 0xA4, 0xE0, 0xFA, 0xB4, 0x91, 0xD1, 0xCA,
        0xDF, 0xD5, 0x04, 0x83, 0x44, 0x9E, 0xDC, 0x0F,
        0x07, 0xFF, 0xB2, 0x4D, 0x2C, 0x6F, 0x9A, 0x9A,
        0x3B, 0xFF, 0x39, 0xAE, 0x3D, 0x57, 0xF5, 0x60,
        0x65, 0x4D, 0x7D, 0x75, 0xC9, 0x08, 0xAB, 0xE6,
        0x25, 0x64, 0x75, 0x3E, 0xAC, 0x39, 0xD7, 0x50,
        0x3D, 0xA6, 0xD3, 0x7C, 0x2E, 0x32, 0xE1, 0xAF,
        0x3B, 0x8A, 0xEC, 0x8A, 0xE3, 0x06, 0x9C, 0xD9
    };

    /* NOTE(review): set the final pad10*1 bit of the last rate byte —
     * without it the absorbed block is unpadded; confirm against the
     * official example's padded message. */
    test[167] = '\x80';
    SHA3_sponge(test, sizeof(test), out, sizeof(out), sizeof(test));

    /*
     * Rationale behind keeping output [formatted as below] is that
     * one should be able to redirect it to a file, then copy-n-paste
     * final "output val" from official example to another file, and
     * compare the two with diff(1).
     */
    for (i = 0; i < sizeof(out);) {
        printf("%02X", out[i]);
        printf(++i % 16 && i != sizeof(out) ? " " : "\n");
    }

    if (memcmp(out,result,sizeof(out))) {
        fprintf(stderr,"failure\n");
        return 1;
    } else {
        fprintf(stderr,"success\n");
        return 0;
    }
}