2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
14 #define ROL64(a, offset) ((offset) ? (((a) << offset) | ((a) >> (64-offset))) \
17 #if defined(KECCAK_REF)
19 * This is straightforward or "maximum clarity" implementation aiming
20 * to resemble section 3.2 of the FIPS PUB 202 "SHA-3 Standard:
21 * Permutation-Based Hash and Extendible-Output Functions" as much as
22 * possible. With one caveat. Because of the way C stores matrices,
23 * references to A[x,y] in the specification are presented as A[y][x].
24 * Implementation unrolls inner x-loops so that modulo 5 operations are
25 * explicitly pre-computed.
27 static void Theta(uint64_t A[5][5])
38 for (y = 1; y < 5; y++) {
46 D[0] = ROL64(C[1], 1) ^ C[4];
47 D[1] = ROL64(C[2], 1) ^ C[0];
48 D[2] = ROL64(C[3], 1) ^ C[1];
49 D[3] = ROL64(C[4], 1) ^ C[2];
50 D[4] = ROL64(C[0], 1) ^ C[3];
52 for (y = 0; y < 5; y++) {
61 static void Rho(uint64_t A[5][5])
63 static const unsigned char rhotates[5][5] = {
65 { 36, 44, 6, 55, 20 },
66 { 3, 10, 43, 25, 39 },
67 { 41, 45, 15, 21, 8 },
72 for (y = 0; y < 5; y++) {
73 A[y][0] = ROL64(A[y][0], rhotates[y][0]);
74 A[y][1] = ROL64(A[y][1], rhotates[y][1]);
75 A[y][2] = ROL64(A[y][2], rhotates[y][2]);
76 A[y][3] = ROL64(A[y][3], rhotates[y][3]);
77 A[y][4] = ROL64(A[y][4], rhotates[y][4]);
81 static void Pi(uint64_t A[5][5])
87 * A[y][x] = T[x][(3*y+x)%5]
89 memcpy(T, A, sizeof(T));
122 static void Chi(uint64_t A[5][5])
127 for (y = 0; y < 5; y++) {
128 C[0] = A[y][0] ^ (~A[y][1] & A[y][2]);
129 C[1] = A[y][1] ^ (~A[y][2] & A[y][3]);
130 C[2] = A[y][2] ^ (~A[y][3] & A[y][4]);
131 C[3] = A[y][3] ^ (~A[y][4] & A[y][0]);
132 C[4] = A[y][4] ^ (~A[y][0] & A[y][1]);
142 static void Iota(uint64_t A[5][5], size_t i)
144 static const uint64_t iotas[] = {
145 0x0000000000000001U, 0x0000000000008082U, 0x800000000000808aU,
146 0x8000000080008000U, 0x000000000000808bU, 0x0000000080000001U,
147 0x8000000080008081U, 0x8000000000008009U, 0x000000000000008aU,
148 0x0000000000000088U, 0x0000000080008009U, 0x000000008000000aU,
149 0x000000008000808bU, 0x800000000000008bU, 0x8000000000008089U,
150 0x8000000000008003U, 0x8000000000008002U, 0x8000000000000080U,
151 0x000000000000800aU, 0x800000008000000aU, 0x8000000080008081U,
152 0x8000000000008080U, 0x0000000080000001U, 0x8000000080008008U
155 assert(i < (sizeof(iotas) / sizeof(iotas[0])));
159 void KeccakF1600(uint64_t A[5][5])
163 for (i = 0; i < 24; i++) {
172 #elif defined(KECCAK_1X)
174 * This implementation is optimization of above code featuring unroll
175 * of even y-loops, their fusion and code motion. It also minimizes
176 * temporary storage. Compiler would normally do all these things for
177 * you, purpose of manual optimization is to provide "unobscured"
178 * reference for assembly implementation [in case this approach is
179 * chosen for implementation on some platform]. In the nutshell it's
180 * equivalent of "plane-per-plane processing" approach discussed in
181 * section 2.4 of "Keccak implementation overview".
183 static void Round(uint64_t A[5][5], size_t i)
185 uint64_t C[5], D[5], T[2][5];
186 static const unsigned char rhotates[5][5] = {
187 { 0, 1, 62, 28, 27 },
188 { 36, 44, 6, 55, 20 },
189 { 3, 10, 43, 25, 39 },
190 { 41, 45, 15, 21, 8 },
191 { 18, 2, 61, 56, 14 }
193 static const uint64_t iotas[] = {
194 0x0000000000000001U, 0x0000000000008082U, 0x800000000000808aU,
195 0x8000000080008000U, 0x000000000000808bU, 0x0000000080000001U,
196 0x8000000080008081U, 0x8000000000008009U, 0x000000000000008aU,
197 0x0000000000000088U, 0x0000000080008009U, 0x000000008000000aU,
198 0x000000008000808bU, 0x800000000000008bU, 0x8000000000008089U,
199 0x8000000000008003U, 0x8000000000008002U, 0x8000000000000080U,
200 0x000000000000800aU, 0x800000008000000aU, 0x8000000080008081U,
201 0x8000000000008080U, 0x0000000080000001U, 0x8000000080008008U
204 assert(i < (sizeof(iotas) / sizeof(iotas[0])));
206 C[0] = A[0][0] ^ A[1][0] ^ A[2][0] ^ A[3][0] ^ A[4][0];
207 C[1] = A[0][1] ^ A[1][1] ^ A[2][1] ^ A[3][1] ^ A[4][1];
208 C[2] = A[0][2] ^ A[1][2] ^ A[2][2] ^ A[3][2] ^ A[4][2];
209 C[3] = A[0][3] ^ A[1][3] ^ A[2][3] ^ A[3][3] ^ A[4][3];
210 C[4] = A[0][4] ^ A[1][4] ^ A[2][4] ^ A[3][4] ^ A[4][4];
212 D[0] = ROL64(C[1], 1) ^ C[4];
213 D[1] = ROL64(C[2], 1) ^ C[0];
214 D[2] = ROL64(C[3], 1) ^ C[1];
215 D[3] = ROL64(C[4], 1) ^ C[2];
216 D[4] = ROL64(C[0], 1) ^ C[3];
218 C[0] = A[0][0] ^ D[0]; /* rotate by 0 */
219 C[1] = ROL64(A[1][1] ^ D[1], rhotates[1][1]);
220 C[2] = ROL64(A[2][2] ^ D[2], rhotates[2][2]);
221 C[3] = ROL64(A[3][3] ^ D[3], rhotates[3][3]);
222 C[4] = ROL64(A[4][4] ^ D[4], rhotates[4][4]);
224 T[0][0] = A[3][0] ^ D[0]; /* borrow T[0][0] */
225 T[0][1] = A[0][1] ^ D[1];
226 T[0][2] = A[0][2] ^ D[2];
227 T[0][3] = A[0][3] ^ D[3];
228 T[0][4] = A[0][4] ^ D[4];
230 A[0][0] = C[0] ^ (~C[1] & C[2]) ^ iotas[i];
231 A[0][1] = C[1] ^ (~C[2] & C[3]);
232 A[0][2] = C[2] ^ (~C[3] & C[4]);
233 A[0][3] = C[3] ^ (~C[4] & C[0]);
234 A[0][4] = C[4] ^ (~C[0] & C[1]);
236 C[0] = ROL64(T[0][3], rhotates[0][3]);
237 C[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
238 C[2] = ROL64(A[2][0] ^ D[0], rhotates[2][0]);
239 C[3] = ROL64(A[3][1] ^ D[1], rhotates[3][1]);
240 C[4] = ROL64(A[4][2] ^ D[2], rhotates[4][2]);
242 T[1][0] = A[1][0] ^ D[0];
243 T[1][1] = A[2][1] ^ D[1]; /* borrow T[1][1] */
244 T[1][2] = A[1][2] ^ D[2];
245 T[1][3] = A[1][3] ^ D[3];
246 T[1][4] = A[2][4] ^ D[4]; /* borrow T[1][4] */
248 A[1][0] = C[0] ^ (~C[1] & C[2]);
249 A[1][1] = C[1] ^ (~C[2] & C[3]);
250 A[1][2] = C[2] ^ (~C[3] & C[4]);
251 A[1][3] = C[3] ^ (~C[4] & C[0]);
252 A[1][4] = C[4] ^ (~C[0] & C[1]);
254 C[0] = ROL64(T[0][1], rhotates[0][1]);
255 C[1] = ROL64(T[1][2], rhotates[1][2]);
256 C[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
257 C[3] = ROL64(A[3][4] ^ D[4], rhotates[3][4]);
258 C[4] = ROL64(A[4][0] ^ D[0], rhotates[4][0]);
260 A[2][0] = C[0] ^ (~C[1] & C[2]);
261 A[2][1] = C[1] ^ (~C[2] & C[3]);
262 A[2][2] = C[2] ^ (~C[3] & C[4]);
263 A[2][3] = C[3] ^ (~C[4] & C[0]);
264 A[2][4] = C[4] ^ (~C[0] & C[1]);
266 C[0] = ROL64(T[0][4], rhotates[0][4]);
267 C[1] = ROL64(T[1][0], rhotates[1][0]);
268 C[2] = ROL64(T[1][1], rhotates[2][1]); /* originally A[2][1] */
269 C[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
270 C[4] = ROL64(A[4][3] ^ D[3], rhotates[4][3]);
272 A[3][0] = C[0] ^ (~C[1] & C[2]);
273 A[3][1] = C[1] ^ (~C[2] & C[3]);
274 A[3][2] = C[2] ^ (~C[3] & C[4]);
275 A[3][3] = C[3] ^ (~C[4] & C[0]);
276 A[3][4] = C[4] ^ (~C[0] & C[1]);
278 C[0] = ROL64(T[0][2], rhotates[0][2]);
279 C[1] = ROL64(T[1][3], rhotates[1][3]);
280 C[2] = ROL64(T[1][4], rhotates[2][4]); /* originally A[2][4] */
281 C[3] = ROL64(T[0][0], rhotates[3][0]); /* originally A[3][0] */
282 C[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
284 A[4][0] = C[0] ^ (~C[1] & C[2]);
285 A[4][1] = C[1] ^ (~C[2] & C[3]);
286 A[4][2] = C[2] ^ (~C[3] & C[4]);
287 A[4][3] = C[3] ^ (~C[4] & C[0]);
288 A[4][4] = C[4] ^ (~C[0] & C[1]);
291 void KeccakF1600(uint64_t A[5][5])
295 for (i = 0; i < 24; i++) {
300 #elif defined(KECCAK_2X)
302 * This implementation is variant of KECCAK_1X above with outer-most
303 * round loop unrolled twice. This allows to take temporary storage
304 * out of round procedure and simplify references to it by alternating
305 * it with actual data (see round loop below). Just like original, it's
306 * rather meant as reference for an assembly implementation. It's likely
307 * to provide best instruction per processed byte ratio at minimal
308 * round unroll factor...
310 static void Round(uint64_t R[5][5], uint64_t A[5][5], size_t i)
313 static const unsigned char rhotates[5][5] = {
314 { 0, 1, 62, 28, 27 },
315 { 36, 44, 6, 55, 20 },
316 { 3, 10, 43, 25, 39 },
317 { 41, 45, 15, 21, 8 },
318 { 18, 2, 61, 56, 14 }
320 static const uint64_t iotas[] = {
321 0x0000000000000001U, 0x0000000000008082U, 0x800000000000808aU,
322 0x8000000080008000U, 0x000000000000808bU, 0x0000000080000001U,
323 0x8000000080008081U, 0x8000000000008009U, 0x000000000000008aU,
324 0x0000000000000088U, 0x0000000080008009U, 0x000000008000000aU,
325 0x000000008000808bU, 0x800000000000008bU, 0x8000000000008089U,
326 0x8000000000008003U, 0x8000000000008002U, 0x8000000000000080U,
327 0x000000000000800aU, 0x800000008000000aU, 0x8000000080008081U,
328 0x8000000000008080U, 0x0000000080000001U, 0x8000000080008008U
331 assert(i < (sizeof(iotas) / sizeof(iotas[0])));
333 C[0] = A[0][0] ^ A[1][0] ^ A[2][0] ^ A[3][0] ^ A[4][0];
334 C[1] = A[0][1] ^ A[1][1] ^ A[2][1] ^ A[3][1] ^ A[4][1];
335 C[2] = A[0][2] ^ A[1][2] ^ A[2][2] ^ A[3][2] ^ A[4][2];
336 C[3] = A[0][3] ^ A[1][3] ^ A[2][3] ^ A[3][3] ^ A[4][3];
337 C[4] = A[0][4] ^ A[1][4] ^ A[2][4] ^ A[3][4] ^ A[4][4];
339 D[0] = ROL64(C[1], 1) ^ C[4];
340 D[1] = ROL64(C[2], 1) ^ C[0];
341 D[2] = ROL64(C[3], 1) ^ C[1];
342 D[3] = ROL64(C[4], 1) ^ C[2];
343 D[4] = ROL64(C[0], 1) ^ C[3];
345 C[0] = A[0][0] ^ D[0]; /* rotate by 0 */
346 C[1] = ROL64(A[1][1] ^ D[1], rhotates[1][1]);
347 C[2] = ROL64(A[2][2] ^ D[2], rhotates[2][2]);
348 C[3] = ROL64(A[3][3] ^ D[3], rhotates[3][3]);
349 C[4] = ROL64(A[4][4] ^ D[4], rhotates[4][4]);
351 R[0][0] = C[0] ^ (~C[1] & C[2]) ^ iotas[i];
352 R[0][1] = C[1] ^ (~C[2] & C[3]);
353 R[0][2] = C[2] ^ (~C[3] & C[4]);
354 R[0][3] = C[3] ^ (~C[4] & C[0]);
355 R[0][4] = C[4] ^ (~C[0] & C[1]);
357 C[0] = ROL64(A[0][3] ^ D[3], rhotates[0][3]);
358 C[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
359 C[2] = ROL64(A[2][0] ^ D[0], rhotates[2][0]);
360 C[3] = ROL64(A[3][1] ^ D[1], rhotates[3][1]);
361 C[4] = ROL64(A[4][2] ^ D[2], rhotates[4][2]);
363 R[1][0] = C[0] ^ (~C[1] & C[2]);
364 R[1][1] = C[1] ^ (~C[2] & C[3]);
365 R[1][2] = C[2] ^ (~C[3] & C[4]);
366 R[1][3] = C[3] ^ (~C[4] & C[0]);
367 R[1][4] = C[4] ^ (~C[0] & C[1]);
369 C[0] = ROL64(A[0][1] ^ D[1], rhotates[0][1]);
370 C[1] = ROL64(A[1][2] ^ D[2], rhotates[1][2]);
371 C[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
372 C[3] = ROL64(A[3][4] ^ D[4], rhotates[3][4]);
373 C[4] = ROL64(A[4][0] ^ D[0], rhotates[4][0]);
375 R[2][0] = C[0] ^ (~C[1] & C[2]);
376 R[2][1] = C[1] ^ (~C[2] & C[3]);
377 R[2][2] = C[2] ^ (~C[3] & C[4]);
378 R[2][3] = C[3] ^ (~C[4] & C[0]);
379 R[2][4] = C[4] ^ (~C[0] & C[1]);
381 C[0] = ROL64(A[0][4] ^ D[4], rhotates[0][4]);
382 C[1] = ROL64(A[1][0] ^ D[0], rhotates[1][0]);
383 C[2] = ROL64(A[2][1] ^ D[1], rhotates[2][1]);
384 C[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
385 C[4] = ROL64(A[4][3] ^ D[3], rhotates[4][3]);
387 R[3][0] = C[0] ^ (~C[1] & C[2]);
388 R[3][1] = C[1] ^ (~C[2] & C[3]);
389 R[3][2] = C[2] ^ (~C[3] & C[4]);
390 R[3][3] = C[3] ^ (~C[4] & C[0]);
391 R[3][4] = C[4] ^ (~C[0] & C[1]);
393 C[0] = ROL64(A[0][2] ^ D[2], rhotates[0][2]);
394 C[1] = ROL64(A[1][3] ^ D[3], rhotates[1][3]);
395 C[2] = ROL64(A[2][4] ^ D[4], rhotates[2][4]);
396 C[3] = ROL64(A[3][0] ^ D[0], rhotates[3][0]);
397 C[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
399 R[4][0] = C[0] ^ (~C[1] & C[2]);
400 R[4][1] = C[1] ^ (~C[2] & C[3]);
401 R[4][2] = C[2] ^ (~C[3] & C[4]);
402 R[4][3] = C[3] ^ (~C[4] & C[0]);
403 R[4][4] = C[4] ^ (~C[0] & C[1]);
406 void KeccakF1600(uint64_t A[5][5])
411 for (i = 0; i < 24; i += 2) {
419 * This implementation is KECCAK_1X from above combined 4 times with
420 * a twist that allows to omit temporary storage and perform in-place
421 * processing. It's discussed in section 2.5 of "Keccak implementation
422 * overview". It's likely to be best suited for processors with large
425 static void FourRounds(uint64_t A[5][5], size_t i)
427 uint64_t B[5], C[5], D[5];
428 static const unsigned char rhotates[5][5] = {
429 { 0, 1, 62, 28, 27 },
430 { 36, 44, 6, 55, 20 },
431 { 3, 10, 43, 25, 39 },
432 { 41, 45, 15, 21, 8 },
433 { 18, 2, 61, 56, 14 }
435 static const uint64_t iotas[] = {
436 0x0000000000000001U, 0x0000000000008082U, 0x800000000000808aU,
437 0x8000000080008000U, 0x000000000000808bU, 0x0000000080000001U,
438 0x8000000080008081U, 0x8000000000008009U, 0x000000000000008aU,
439 0x0000000000000088U, 0x0000000080008009U, 0x000000008000000aU,
440 0x000000008000808bU, 0x800000000000008bU, 0x8000000000008089U,
441 0x8000000000008003U, 0x8000000000008002U, 0x8000000000000080U,
442 0x000000000000800aU, 0x800000008000000aU, 0x8000000080008081U,
443 0x8000000000008080U, 0x0000000080000001U, 0x8000000080008008U
446 assert(i <= (sizeof(iotas) / sizeof(iotas[0]) - 4));
449 C[0] = A[0][0] ^ A[1][0] ^ A[2][0] ^ A[3][0] ^ A[4][0];
450 C[1] = A[0][1] ^ A[1][1] ^ A[2][1] ^ A[3][1] ^ A[4][1];
451 C[2] = A[0][2] ^ A[1][2] ^ A[2][2] ^ A[3][2] ^ A[4][2];
452 C[3] = A[0][3] ^ A[1][3] ^ A[2][3] ^ A[3][3] ^ A[4][3];
453 C[4] = A[0][4] ^ A[1][4] ^ A[2][4] ^ A[3][4] ^ A[4][4];
455 D[0] = ROL64(C[1], 1) ^ C[4];
456 D[1] = ROL64(C[2], 1) ^ C[0];
457 D[2] = ROL64(C[3], 1) ^ C[1];
458 D[3] = ROL64(C[4], 1) ^ C[2];
459 D[4] = ROL64(C[0], 1) ^ C[3];
461 B[0] = A[0][0] ^ D[0]; /* rotate by 0 */
462 B[1] = ROL64(A[1][1] ^ D[1], rhotates[1][1]);
463 B[2] = ROL64(A[2][2] ^ D[2], rhotates[2][2]);
464 B[3] = ROL64(A[3][3] ^ D[3], rhotates[3][3]);
465 B[4] = ROL64(A[4][4] ^ D[4], rhotates[4][4]);
467 C[0] = A[0][0] = B[0] ^ (~B[1] & B[2]) ^ iotas[i];
468 C[1] = A[1][1] = B[1] ^ (~B[2] & B[3]);
469 C[2] = A[2][2] = B[2] ^ (~B[3] & B[4]);
470 C[3] = A[3][3] = B[3] ^ (~B[4] & B[0]);
471 C[4] = A[4][4] = B[4] ^ (~B[0] & B[1]);
473 B[0] = ROL64(A[0][3] ^ D[3], rhotates[0][3]);
474 B[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
475 B[2] = ROL64(A[2][0] ^ D[0], rhotates[2][0]);
476 B[3] = ROL64(A[3][1] ^ D[1], rhotates[3][1]);
477 B[4] = ROL64(A[4][2] ^ D[2], rhotates[4][2]);
479 C[0] ^= A[2][0] = B[0] ^ (~B[1] & B[2]);
480 C[1] ^= A[3][1] = B[1] ^ (~B[2] & B[3]);
481 C[2] ^= A[4][2] = B[2] ^ (~B[3] & B[4]);
482 C[3] ^= A[0][3] = B[3] ^ (~B[4] & B[0]);
483 C[4] ^= A[1][4] = B[4] ^ (~B[0] & B[1]);
485 B[0] = ROL64(A[0][1] ^ D[1], rhotates[0][1]);
486 B[1] = ROL64(A[1][2] ^ D[2], rhotates[1][2]);
487 B[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
488 B[3] = ROL64(A[3][4] ^ D[4], rhotates[3][4]);
489 B[4] = ROL64(A[4][0] ^ D[0], rhotates[4][0]);
491 C[0] ^= A[4][0] = B[0] ^ (~B[1] & B[2]);
492 C[1] ^= A[0][1] = B[1] ^ (~B[2] & B[3]);
493 C[2] ^= A[1][2] = B[2] ^ (~B[3] & B[4]);
494 C[3] ^= A[2][3] = B[3] ^ (~B[4] & B[0]);
495 C[4] ^= A[3][4] = B[4] ^ (~B[0] & B[1]);
497 B[0] = ROL64(A[0][4] ^ D[4], rhotates[0][4]);
498 B[1] = ROL64(A[1][0] ^ D[0], rhotates[1][0]);
499 B[2] = ROL64(A[2][1] ^ D[1], rhotates[2][1]);
500 B[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
501 B[4] = ROL64(A[4][3] ^ D[3], rhotates[4][3]);
503 C[0] ^= A[1][0] = B[0] ^ (~B[1] & B[2]);
504 C[1] ^= A[2][1] = B[1] ^ (~B[2] & B[3]);
505 C[2] ^= A[3][2] = B[2] ^ (~B[3] & B[4]);
506 C[3] ^= A[4][3] = B[3] ^ (~B[4] & B[0]);
507 C[4] ^= A[0][4] = B[4] ^ (~B[0] & B[1]);
509 B[0] = ROL64(A[0][2] ^ D[2], rhotates[0][2]);
510 B[1] = ROL64(A[1][3] ^ D[3], rhotates[1][3]);
511 B[2] = ROL64(A[2][4] ^ D[4], rhotates[2][4]);
512 B[3] = ROL64(A[3][0] ^ D[0], rhotates[3][0]);
513 B[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
515 C[0] ^= A[3][0] = B[0] ^ (~B[1] & B[2]);
516 C[1] ^= A[4][1] = B[1] ^ (~B[2] & B[3]);
517 C[2] ^= A[0][2] = B[2] ^ (~B[3] & B[4]);
518 C[3] ^= A[1][3] = B[3] ^ (~B[4] & B[0]);
519 C[4] ^= A[2][4] = B[4] ^ (~B[0] & B[1]);
522 D[0] = ROL64(C[1], 1) ^ C[4];
523 D[1] = ROL64(C[2], 1) ^ C[0];
524 D[2] = ROL64(C[3], 1) ^ C[1];
525 D[3] = ROL64(C[4], 1) ^ C[2];
526 D[4] = ROL64(C[0], 1) ^ C[3];
528 B[0] = A[0][0] ^ D[0]; /* rotate by 0 */
529 B[1] = ROL64(A[3][1] ^ D[1], rhotates[1][1]);
530 B[2] = ROL64(A[1][2] ^ D[2], rhotates[2][2]);
531 B[3] = ROL64(A[4][3] ^ D[3], rhotates[3][3]);
532 B[4] = ROL64(A[2][4] ^ D[4], rhotates[4][4]);
534 C[0] = A[0][0] = B[0] ^ (~B[1] & B[2]) ^ iotas[i + 1];
535 C[1] = A[3][1] = B[1] ^ (~B[2] & B[3]);
536 C[2] = A[1][2] = B[2] ^ (~B[3] & B[4]);
537 C[3] = A[4][3] = B[3] ^ (~B[4] & B[0]);
538 C[4] = A[2][4] = B[4] ^ (~B[0] & B[1]);
540 B[0] = ROL64(A[3][3] ^ D[3], rhotates[0][3]);
541 B[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
542 B[2] = ROL64(A[4][0] ^ D[0], rhotates[2][0]);
543 B[3] = ROL64(A[2][1] ^ D[1], rhotates[3][1]);
544 B[4] = ROL64(A[0][2] ^ D[2], rhotates[4][2]);
546 C[0] ^= A[4][0] = B[0] ^ (~B[1] & B[2]);
547 C[1] ^= A[2][1] = B[1] ^ (~B[2] & B[3]);
548 C[2] ^= A[0][2] = B[2] ^ (~B[3] & B[4]);
549 C[3] ^= A[3][3] = B[3] ^ (~B[4] & B[0]);
550 C[4] ^= A[1][4] = B[4] ^ (~B[0] & B[1]);
552 B[0] = ROL64(A[1][1] ^ D[1], rhotates[0][1]);
553 B[1] = ROL64(A[4][2] ^ D[2], rhotates[1][2]);
554 B[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
555 B[3] = ROL64(A[0][4] ^ D[4], rhotates[3][4]);
556 B[4] = ROL64(A[3][0] ^ D[0], rhotates[4][0]);
558 C[0] ^= A[3][0] = B[0] ^ (~B[1] & B[2]);
559 C[1] ^= A[1][1] = B[1] ^ (~B[2] & B[3]);
560 C[2] ^= A[4][2] = B[2] ^ (~B[3] & B[4]);
561 C[3] ^= A[2][3] = B[3] ^ (~B[4] & B[0]);
562 C[4] ^= A[0][4] = B[4] ^ (~B[0] & B[1]);
564 B[0] = ROL64(A[4][4] ^ D[4], rhotates[0][4]);
565 B[1] = ROL64(A[2][0] ^ D[0], rhotates[1][0]);
566 B[2] = ROL64(A[0][1] ^ D[1], rhotates[2][1]);
567 B[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
568 B[4] = ROL64(A[1][3] ^ D[3], rhotates[4][3]);
570 C[0] ^= A[2][0] = B[0] ^ (~B[1] & B[2]);
571 C[1] ^= A[0][1] = B[1] ^ (~B[2] & B[3]);
572 C[2] ^= A[3][2] = B[2] ^ (~B[3] & B[4]);
573 C[3] ^= A[1][3] = B[3] ^ (~B[4] & B[0]);
574 C[4] ^= A[4][4] = B[4] ^ (~B[0] & B[1]);
576 B[0] = ROL64(A[2][2] ^ D[2], rhotates[0][2]);
577 B[1] = ROL64(A[0][3] ^ D[3], rhotates[1][3]);
578 B[2] = ROL64(A[3][4] ^ D[4], rhotates[2][4]);
579 B[3] = ROL64(A[1][0] ^ D[0], rhotates[3][0]);
580 B[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
582 C[0] ^= A[1][0] = B[0] ^ (~B[1] & B[2]);
583 C[1] ^= A[4][1] = B[1] ^ (~B[2] & B[3]);
584 C[2] ^= A[2][2] = B[2] ^ (~B[3] & B[4]);
585 C[3] ^= A[0][3] = B[3] ^ (~B[4] & B[0]);
586 C[4] ^= A[3][4] = B[4] ^ (~B[0] & B[1]);
589 D[0] = ROL64(C[1], 1) ^ C[4];
590 D[1] = ROL64(C[2], 1) ^ C[0];
591 D[2] = ROL64(C[3], 1) ^ C[1];
592 D[3] = ROL64(C[4], 1) ^ C[2];
593 D[4] = ROL64(C[0], 1) ^ C[3];
595 B[0] = A[0][0] ^ D[0]; /* rotate by 0 */
596 B[1] = ROL64(A[2][1] ^ D[1], rhotates[1][1]);
597 B[2] = ROL64(A[4][2] ^ D[2], rhotates[2][2]);
598 B[3] = ROL64(A[1][3] ^ D[3], rhotates[3][3]);
599 B[4] = ROL64(A[3][4] ^ D[4], rhotates[4][4]);
601 C[0] = A[0][0] = B[0] ^ (~B[1] & B[2]) ^ iotas[i + 2];
602 C[1] = A[2][1] = B[1] ^ (~B[2] & B[3]);
603 C[2] = A[4][2] = B[2] ^ (~B[3] & B[4]);
604 C[3] = A[1][3] = B[3] ^ (~B[4] & B[0]);
605 C[4] = A[3][4] = B[4] ^ (~B[0] & B[1]);
607 B[0] = ROL64(A[4][3] ^ D[3], rhotates[0][3]);
608 B[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
609 B[2] = ROL64(A[3][0] ^ D[0], rhotates[2][0]);
610 B[3] = ROL64(A[0][1] ^ D[1], rhotates[3][1]);
611 B[4] = ROL64(A[2][2] ^ D[2], rhotates[4][2]);
613 C[0] ^= A[3][0] = B[0] ^ (~B[1] & B[2]);
614 C[1] ^= A[0][1] = B[1] ^ (~B[2] & B[3]);
615 C[2] ^= A[2][2] = B[2] ^ (~B[3] & B[4]);
616 C[3] ^= A[4][3] = B[3] ^ (~B[4] & B[0]);
617 C[4] ^= A[1][4] = B[4] ^ (~B[0] & B[1]);
619 B[0] = ROL64(A[3][1] ^ D[1], rhotates[0][1]);
620 B[1] = ROL64(A[0][2] ^ D[2], rhotates[1][2]);
621 B[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
622 B[3] = ROL64(A[4][4] ^ D[4], rhotates[3][4]);
623 B[4] = ROL64(A[1][0] ^ D[0], rhotates[4][0]);
625 C[0] ^= A[1][0] = B[0] ^ (~B[1] & B[2]);
626 C[1] ^= A[3][1] = B[1] ^ (~B[2] & B[3]);
627 C[2] ^= A[0][2] = B[2] ^ (~B[3] & B[4]);
628 C[3] ^= A[2][3] = B[3] ^ (~B[4] & B[0]);
629 C[4] ^= A[4][4] = B[4] ^ (~B[0] & B[1]);
631 B[0] = ROL64(A[2][4] ^ D[4], rhotates[0][4]);
632 B[1] = ROL64(A[4][0] ^ D[0], rhotates[1][0]);
633 B[2] = ROL64(A[1][1] ^ D[1], rhotates[2][1]);
634 B[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
635 B[4] = ROL64(A[0][3] ^ D[3], rhotates[4][3]);
637 C[0] ^= A[4][0] = B[0] ^ (~B[1] & B[2]);
638 C[1] ^= A[1][1] = B[1] ^ (~B[2] & B[3]);
639 C[2] ^= A[3][2] = B[2] ^ (~B[3] & B[4]);
640 C[3] ^= A[0][3] = B[3] ^ (~B[4] & B[0]);
641 C[4] ^= A[2][4] = B[4] ^ (~B[0] & B[1]);
643 B[0] = ROL64(A[1][2] ^ D[2], rhotates[0][2]);
644 B[1] = ROL64(A[3][3] ^ D[3], rhotates[1][3]);
645 B[2] = ROL64(A[0][4] ^ D[4], rhotates[2][4]);
646 B[3] = ROL64(A[2][0] ^ D[0], rhotates[3][0]);
647 B[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
649 C[0] ^= A[2][0] = B[0] ^ (~B[1] & B[2]);
650 C[1] ^= A[4][1] = B[1] ^ (~B[2] & B[3]);
651 C[2] ^= A[1][2] = B[2] ^ (~B[3] & B[4]);
652 C[3] ^= A[3][3] = B[3] ^ (~B[4] & B[0]);
653 C[4] ^= A[0][4] = B[4] ^ (~B[0] & B[1]);
656 D[0] = ROL64(C[1], 1) ^ C[4];
657 D[1] = ROL64(C[2], 1) ^ C[0];
658 D[2] = ROL64(C[3], 1) ^ C[1];
659 D[3] = ROL64(C[4], 1) ^ C[2];
660 D[4] = ROL64(C[0], 1) ^ C[3];
662 B[0] = A[0][0] ^ D[0]; /* rotate by 0 */
663 B[1] = ROL64(A[0][1] ^ D[1], rhotates[1][1]);
664 B[2] = ROL64(A[0][2] ^ D[2], rhotates[2][2]);
665 B[3] = ROL64(A[0][3] ^ D[3], rhotates[3][3]);
666 B[4] = ROL64(A[0][4] ^ D[4], rhotates[4][4]);
668 /* C[0] = */ A[0][0] = B[0] ^ (~B[1] & B[2]) ^ iotas[i + 3];
669 /* C[1] = */ A[0][1] = B[1] ^ (~B[2] & B[3]);
670 /* C[2] = */ A[0][2] = B[2] ^ (~B[3] & B[4]);
671 /* C[3] = */ A[0][3] = B[3] ^ (~B[4] & B[0]);
672 /* C[4] = */ A[0][4] = B[4] ^ (~B[0] & B[1]);
674 B[0] = ROL64(A[1][3] ^ D[3], rhotates[0][3]);
675 B[1] = ROL64(A[1][4] ^ D[4], rhotates[1][4]);
676 B[2] = ROL64(A[1][0] ^ D[0], rhotates[2][0]);
677 B[3] = ROL64(A[1][1] ^ D[1], rhotates[3][1]);
678 B[4] = ROL64(A[1][2] ^ D[2], rhotates[4][2]);
680 /* C[0] ^= */ A[1][0] = B[0] ^ (~B[1] & B[2]);
681 /* C[1] ^= */ A[1][1] = B[1] ^ (~B[2] & B[3]);
682 /* C[2] ^= */ A[1][2] = B[2] ^ (~B[3] & B[4]);
683 /* C[3] ^= */ A[1][3] = B[3] ^ (~B[4] & B[0]);
684 /* C[4] ^= */ A[1][4] = B[4] ^ (~B[0] & B[1]);
686 B[0] = ROL64(A[2][1] ^ D[1], rhotates[0][1]);
687 B[1] = ROL64(A[2][2] ^ D[2], rhotates[1][2]);
688 B[2] = ROL64(A[2][3] ^ D[3], rhotates[2][3]);
689 B[3] = ROL64(A[2][4] ^ D[4], rhotates[3][4]);
690 B[4] = ROL64(A[2][0] ^ D[0], rhotates[4][0]);
692 /* C[0] ^= */ A[2][0] = B[0] ^ (~B[1] & B[2]);
693 /* C[1] ^= */ A[2][1] = B[1] ^ (~B[2] & B[3]);
694 /* C[2] ^= */ A[2][2] = B[2] ^ (~B[3] & B[4]);
695 /* C[3] ^= */ A[2][3] = B[3] ^ (~B[4] & B[0]);
696 /* C[4] ^= */ A[2][4] = B[4] ^ (~B[0] & B[1]);
698 B[0] = ROL64(A[3][4] ^ D[4], rhotates[0][4]);
699 B[1] = ROL64(A[3][0] ^ D[0], rhotates[1][0]);
700 B[2] = ROL64(A[3][1] ^ D[1], rhotates[2][1]);
701 B[3] = ROL64(A[3][2] ^ D[2], rhotates[3][2]);
702 B[4] = ROL64(A[3][3] ^ D[3], rhotates[4][3]);
704 /* C[0] ^= */ A[3][0] = B[0] ^ (~B[1] & B[2]);
705 /* C[1] ^= */ A[3][1] = B[1] ^ (~B[2] & B[3]);
706 /* C[2] ^= */ A[3][2] = B[2] ^ (~B[3] & B[4]);
707 /* C[3] ^= */ A[3][3] = B[3] ^ (~B[4] & B[0]);
708 /* C[4] ^= */ A[3][4] = B[4] ^ (~B[0] & B[1]);
710 B[0] = ROL64(A[4][2] ^ D[2], rhotates[0][2]);
711 B[1] = ROL64(A[4][3] ^ D[3], rhotates[1][3]);
712 B[2] = ROL64(A[4][4] ^ D[4], rhotates[2][4]);
713 B[3] = ROL64(A[4][0] ^ D[0], rhotates[3][0]);
714 B[4] = ROL64(A[4][1] ^ D[1], rhotates[4][1]);
716 /* C[0] ^= */ A[4][0] = B[0] ^ (~B[1] & B[2]);
717 /* C[1] ^= */ A[4][1] = B[1] ^ (~B[2] & B[3]);
718 /* C[2] ^= */ A[4][2] = B[2] ^ (~B[3] & B[4]);
719 /* C[3] ^= */ A[4][3] = B[3] ^ (~B[4] & B[0]);
720 /* C[4] ^= */ A[4][4] = B[4] ^ (~B[0] & B[1]);
723 void KeccakF1600(uint64_t A[5][5])
727 for (i = 0; i < 24; i += 4) {
735 * SHA3_absorb can be called multiple times, but at each invocation
736 * largest multiple of |r| out of |len| bytes are processed. Then
737 * remaining amount of bytes are returned. This is done to spare caller
738 * trouble of calculating the largest multiple of |r|, effectively the
739 * blocksize. It is commonly (1600 - 256*n)/8, e.g. 168, 136, 104, 72,
740 * but can also be (1600 - 448)/8 = 144. All this means that message
741 * padding and intermediate sub-block buffering, byte- or bitwise, is
742 * caller's reponsibility.
744 size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len,
747 uint64_t *A_flat = (uint64_t *)A;
750 assert(r < (25 * sizeof(A[0][0])) && (r % 8) == 0);
753 for (i = 0; i < w; i++) {
754 A_flat[i] ^= (uint64_t)inp[0] | (uint64_t)inp[1] << 8 |
755 (uint64_t)inp[2] << 16 | (uint64_t)inp[3] << 24 |
756 (uint64_t)inp[4] << 32 | (uint64_t)inp[5] << 40 |
757 (uint64_t)inp[6] << 48 | (uint64_t)inp[7] << 56;
768 * SHA3_squeeze is called once at the end to generate |out| hash value
771 void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r)
773 uint64_t *A_flat = (uint64_t *)A;
774 size_t i, rem, w = r / 8;
776 assert(r < (25 * sizeof(A[0][0])) && (r % 8) == 0);
779 for (i = 0; i < w; i++) {
780 uint64_t Ai = A_flat[i];
782 out[0] = (unsigned char)(Ai);
783 out[1] = (unsigned char)(Ai >> 8);
784 out[2] = (unsigned char)(Ai >> 16);
785 out[3] = (unsigned char)(Ai >> 24);
786 out[4] = (unsigned char)(Ai >> 32);
787 out[5] = (unsigned char)(Ai >> 40);
788 out[6] = (unsigned char)(Ai >> 48);
789 out[7] = (unsigned char)(Ai >> 56);
800 for (i = 0; i < len; i++) {
801 uint64_t Ai = A_flat[i];
803 out[0] = (unsigned char)(Ai);
804 out[1] = (unsigned char)(Ai >> 8);
805 out[2] = (unsigned char)(Ai >> 16);
806 out[3] = (unsigned char)(Ai >> 24);
807 out[4] = (unsigned char)(Ai >> 32);
808 out[5] = (unsigned char)(Ai >> 40);
809 out[6] = (unsigned char)(Ai >> 48);
810 out[7] = (unsigned char)(Ai >> 56);
815 uint64_t Ai = A_flat[i];
817 for (i = 0; i < rem; i++) {
818 *out++ = (unsigned char)Ai;
826 * Post-padding one-shot implementations would look as following:
828 * SHA3_224 SHA3_sponge(inp, len, out, 224/8, (1600-448)/8);
829 * SHA3_256 SHA3_sponge(inp, len, out, 256/8, (1600-512)/8);
830 * SHA3_384 SHA3_sponge(inp, len, out, 384/8, (1600-768)/8);
831 * SHA3_512 SHA3_sponge(inp, len, out, 512/8, (1600-1024)/8);
832 * SHAKE_128 SHA3_sponge(inp, len, out, d, (1600-256)/8);
833 * SHAKE_256 SHA3_sponge(inp, len, out, d, (1600-512)/8);
836 void SHA3_sponge(const unsigned char *inp, size_t len,
837 unsigned char *out, size_t d, size_t r)
841 memset(A, 0, sizeof(A));
842 SHA3_absorb(A, inp, len, r);
843 SHA3_squeeze(A, out, d, r);
851 * This is 5-bit SHAKE128 test from http://csrc.nist.gov/groups/ST/toolkit/examples.html#aHashing
853 unsigned char test[168] = { '\xf3', '\x3' };
854 unsigned char out[512];
856 static const unsigned char result[512] = {
857 0x2E, 0x0A, 0xBF, 0xBA, 0x83, 0xE6, 0x72, 0x0B,
858 0xFB, 0xC2, 0x25, 0xFF, 0x6B, 0x7A, 0xB9, 0xFF,
859 0xCE, 0x58, 0xBA, 0x02, 0x7E, 0xE3, 0xD8, 0x98,
860 0x76, 0x4F, 0xEF, 0x28, 0x7D, 0xDE, 0xCC, 0xCA,
861 0x3E, 0x6E, 0x59, 0x98, 0x41, 0x1E, 0x7D, 0xDB,
862 0x32, 0xF6, 0x75, 0x38, 0xF5, 0x00, 0xB1, 0x8C,
863 0x8C, 0x97, 0xC4, 0x52, 0xC3, 0x70, 0xEA, 0x2C,
864 0xF0, 0xAF, 0xCA, 0x3E, 0x05, 0xDE, 0x7E, 0x4D,
865 0xE2, 0x7F, 0xA4, 0x41, 0xA9, 0xCB, 0x34, 0xFD,
866 0x17, 0xC9, 0x78, 0xB4, 0x2D, 0x5B, 0x7E, 0x7F,
867 0x9A, 0xB1, 0x8F, 0xFE, 0xFF, 0xC3, 0xC5, 0xAC,
868 0x2F, 0x3A, 0x45, 0x5E, 0xEB, 0xFD, 0xC7, 0x6C,
869 0xEA, 0xEB, 0x0A, 0x2C, 0xCA, 0x22, 0xEE, 0xF6,
870 0xE6, 0x37, 0xF4, 0xCA, 0xBE, 0x5C, 0x51, 0xDE,
871 0xD2, 0xE3, 0xFA, 0xD8, 0xB9, 0x52, 0x70, 0xA3,
872 0x21, 0x84, 0x56, 0x64, 0xF1, 0x07, 0xD1, 0x64,
873 0x96, 0xBB, 0x7A, 0xBF, 0xBE, 0x75, 0x04, 0xB6,
874 0xED, 0xE2, 0xE8, 0x9E, 0x4B, 0x99, 0x6F, 0xB5,
875 0x8E, 0xFD, 0xC4, 0x18, 0x1F, 0x91, 0x63, 0x38,
876 0x1C, 0xBE, 0x7B, 0xC0, 0x06, 0xA7, 0xA2, 0x05,
877 0x98, 0x9C, 0x52, 0x6C, 0xD1, 0xBD, 0x68, 0x98,
878 0x36, 0x93, 0xB4, 0xBD, 0xC5, 0x37, 0x28, 0xB2,
879 0x41, 0xC1, 0xCF, 0xF4, 0x2B, 0xB6, 0x11, 0x50,
880 0x2C, 0x35, 0x20, 0x5C, 0xAB, 0xB2, 0x88, 0x75,
881 0x56, 0x55, 0xD6, 0x20, 0xC6, 0x79, 0x94, 0xF0,
882 0x64, 0x51, 0x18, 0x7F, 0x6F, 0xD1, 0x7E, 0x04,
883 0x66, 0x82, 0xBA, 0x12, 0x86, 0x06, 0x3F, 0xF8,
884 0x8F, 0xE2, 0x50, 0x8D, 0x1F, 0xCA, 0xF9, 0x03,
885 0x5A, 0x12, 0x31, 0xAD, 0x41, 0x50, 0xA9, 0xC9,
886 0xB2, 0x4C, 0x9B, 0x2D, 0x66, 0xB2, 0xAD, 0x1B,
887 0xDE, 0x0B, 0xD0, 0xBB, 0xCB, 0x8B, 0xE0, 0x5B,
888 0x83, 0x52, 0x29, 0xEF, 0x79, 0x19, 0x73, 0x73,
889 0x23, 0x42, 0x44, 0x01, 0xE1, 0xD8, 0x37, 0xB6,
890 0x6E, 0xB4, 0xE6, 0x30, 0xFF, 0x1D, 0xE7, 0x0C,
891 0xB3, 0x17, 0xC2, 0xBA, 0xCB, 0x08, 0x00, 0x1D,
892 0x34, 0x77, 0xB7, 0xA7, 0x0A, 0x57, 0x6D, 0x20,
893 0x86, 0x90, 0x33, 0x58, 0x9D, 0x85, 0xA0, 0x1D,
894 0xDB, 0x2B, 0x66, 0x46, 0xC0, 0x43, 0xB5, 0x9F,
895 0xC0, 0x11, 0x31, 0x1D, 0xA6, 0x66, 0xFA, 0x5A,
896 0xD1, 0xD6, 0x38, 0x7F, 0xA9, 0xBC, 0x40, 0x15,
897 0xA3, 0x8A, 0x51, 0xD1, 0xDA, 0x1E, 0xA6, 0x1D,
898 0x64, 0x8D, 0xC8, 0xE3, 0x9A, 0x88, 0xB9, 0xD6,
899 0x22, 0xBD, 0xE2, 0x07, 0xFD, 0xAB, 0xC6, 0xF2,
900 0x82, 0x7A, 0x88, 0x0C, 0x33, 0x0B, 0xBF, 0x6D,
901 0xF7, 0x33, 0x77, 0x4B, 0x65, 0x3E, 0x57, 0x30,
902 0x5D, 0x78, 0xDC, 0xE1, 0x12, 0xF1, 0x0A, 0x2C,
903 0x71, 0xF4, 0xCD, 0xAD, 0x92, 0xED, 0x11, 0x3E,
904 0x1C, 0xEA, 0x63, 0xB9, 0x19, 0x25, 0xED, 0x28,
905 0x19, 0x1E, 0x6D, 0xBB, 0xB5, 0xAA, 0x5A, 0x2A,
906 0xFD, 0xA5, 0x1F, 0xC0, 0x5A, 0x3A, 0xF5, 0x25,
907 0x8B, 0x87, 0x66, 0x52, 0x43, 0x55, 0x0F, 0x28,
908 0x94, 0x8A, 0xE2, 0xB8, 0xBE, 0xB6, 0xBC, 0x9C,
909 0x77, 0x0B, 0x35, 0xF0, 0x67, 0xEA, 0xA6, 0x41,
910 0xEF, 0xE6, 0x5B, 0x1A, 0x44, 0x90, 0x9D, 0x1B,
911 0x14, 0x9F, 0x97, 0xEE, 0xA6, 0x01, 0x39, 0x1C,
912 0x60, 0x9E, 0xC8, 0x1D, 0x19, 0x30, 0xF5, 0x7C,
913 0x18, 0xA4, 0xE0, 0xFA, 0xB4, 0x91, 0xD1, 0xCA,
914 0xDF, 0xD5, 0x04, 0x83, 0x44, 0x9E, 0xDC, 0x0F,
915 0x07, 0xFF, 0xB2, 0x4D, 0x2C, 0x6F, 0x9A, 0x9A,
916 0x3B, 0xFF, 0x39, 0xAE, 0x3D, 0x57, 0xF5, 0x60,
917 0x65, 0x4D, 0x7D, 0x75, 0xC9, 0x08, 0xAB, 0xE6,
918 0x25, 0x64, 0x75, 0x3E, 0xAC, 0x39, 0xD7, 0x50,
919 0x3D, 0xA6, 0xD3, 0x7C, 0x2E, 0x32, 0xE1, 0xAF,
920 0x3B, 0x8A, 0xEC, 0x8A, 0xE3, 0x06, 0x9C, 0xD9
924 SHA3_sponge(test, sizeof(test), out, sizeof(out), sizeof(test));
927 * Rationale behind keeping output [formatted as below] is that
928 * one should be able to redirect it to a file, then copy-n-paste
929 * final "output val" from official example to another file, and
930 * compare the two with diff(1).
932 for (i = 0; i < sizeof(out);) {
933 printf("%02X", out[i]);
934 printf(++i % 16 && i != sizeof(out) ? " " : "\n");
937 if (memcmp(out,result,sizeof(out))) {
938 fprintf(stderr,"failure\n");
941 fprintf(stderr,"success\n");