diff options
author | Mattias Andrée <maandree@operamail.com> | 2013-02-05 10:17:32 +0100 |
---|---|---|
committer | Mattias Andrée <maandree@operamail.com> | 2013-02-05 10:17:32 +0100 |
commit | 184c0f9579a64b650cb789e689ae96c9661aede8 (patch) | |
tree | fdf90320b518b23f3e51ad8c4ef304425a67ff97 /c | |
parent | add makefile (diff) | |
download | sha3sum-184c0f9579a64b650cb789e689ae96c9661aede8.tar.gz sha3sum-184c0f9579a64b650cb789e689ae96c9661aede8.tar.bz2 sha3sum-184c0f9579a64b650cb789e689ae96c9661aede8.tar.xz |
basically coping the java version to c (naturally this does not compile)
Signed-off-by: Mattias Andrée <maandree@operamail.com>
Diffstat (limited to 'c')
-rw-r--r-- | c/sha3.c | 601 |
1 files changed, 601 insertions, 0 deletions
diff --git a/c/sha3.c b/c/sha3.c new file mode 100644 index 0000000..909c9e7 --- /dev/null +++ b/c/sha3.c @@ -0,0 +1,601 @@ +/** + * sha3sum – SHA-3 (Keccak) checksum calculator + * + * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#if __x86_64__ || __ppc64__ + #define llong long int +#else + #define llong long long int +#endif + + +#define null 0 +#define byte char +#define boolean long +#define true 1 +#define false 0 + + +/** + * Round contants + */ +static const llong RC[] = { + 0x0000000000000001L, 0x0000000000008082L, 0x800000000000808AL, 0x8000000080008000L, + 0x000000000000808BL, 0x0000000080000001L, 0x8000000080008081L, 0x8000000000008009L, + 0x000000000000008AL, 0x0000000000000088L, 0x0000000080008009L, 0x000000008000000AL, + 0x000000008000808BL, 0x800000000000008BL, 0x8000000000008089L, 0x8000000000008003L, + 0x8000000000008002L, 0x8000000000000080L, 0x000000000000800AL, 0x800000008000000AL, + 0x8000000080008081L, 0x8000000000008080L, 0x0000000080000001L, 0x8000000080008008L}; + +/** + * Keccak-f round temporary + */ +static llong B[25]; + +/** + * Keccak-f round temporary + */ +static llong C[5]; + + +/** + * The bitrate + */ +static long r = 0; + +/** + * The capacity + */ +static long c = 0; + +/** + * The output size + */ +static long n = 0; + +/** + * The state size + */ +static long b = 0; + +/** + * The word size + */ +static long w = 0; + +/** + * The word mask + */ +static llong wmod = 0; + +/** + * ℓ, the binary logarithm of the word size + */ +static long l = 0; + +/** + * 12 + 2ℓ, the number of rounds + */ +static long nr = 0; + + +/** + * The current state + */ +static llong* S = null; + +/** + * Left over water to fill the sponge with at next update + */ +static byte* M = null; + +/** + * Polonger for {@link #M} + */ +static long mptr = 0; + + + +/** + * Rotate a word + * + * @param x The value to rotate + * @param n Rotation steps, may not be 0 + * @return The value rotated + */ +static llong rotate(llong x, long n) +{ + llong m; + return ((x >> (w - (m = n % w))) + (x << m)) & wmod; +} + + +/** + * Rotate a 64-bit word + * + * @param x The value to rotate + * @param n Rotation steps, may not be 0 + * @return The value rotated + */ +static llong rotate64(llong x, long n) +{ + return (llong)((unsigned llong)x >> (w - n)) + (x << n); +} + + +/** + * Binary logarithm + * + * @param x The value of which to calculate the binary logarithm + * @return The binary logarithm + */ +static long lb(long x) +{ + return (((x & 0xFF00) == 0 ? 0 : 8) + + ((x & 0xF0F0) == 0 ? 0 : 4)) + + (((x & 0xCCCC) == 0 ? 0 : 2) + + ((x & 0xAAAA) == 0 ? 0 : 1)); +} + + +/** + * Perform one round of computation + * + * @param A The current state + * @param rc Round constant + */ +static void keccakFRound(llong* A, llong rc) +{ + /* θ step (step 1 of 3) */ + for (long i = 0, j = 0; i < 5; i++, j += 5) + SHA3.C[i] = (A[j] ^ A[j + 1]) ^ (A[j + 2] ^ A[j + 3]) ^ A[j + 4]; + + llong da, db, dc, dd, de; + + if (SHA3.w == 64) + { + /* ρ and π steps, with last two part of θ */ + SHA3.B[0] = A[ 0] ^ (da = SHA3.C[4] ^ SHA3.rotate64(SHA3.C[1], 1)); + SHA3.B[1] = SHA3.rotate64(A[15] ^ (dd = SHA3.C[2] ^ SHA3.rotate64(SHA3.C[4], 1)), 28); + SHA3.B[2] = SHA3.rotate64(A[ 5] ^ (db = SHA3.C[0] ^ SHA3.rotate64(SHA3.C[2], 1)), 1); + SHA3.B[3] = SHA3.rotate64(A[20] ^ (de = SHA3.C[3] ^ SHA3.rotate64(SHA3.C[0], 1)), 27); + SHA3.B[4] = SHA3.rotate64(A[10] ^ (dc = SHA3.C[1] ^ SHA3.rotate64(SHA3.C[3], 1)), 62); + + SHA3.B[5] = SHA3.rotate64(A[ 6] ^ db, 44); + SHA3.B[6] = SHA3.rotate64(A[21] ^ de, 20); + SHA3.B[7] = SHA3.rotate64(A[11] ^ dc, 6); + SHA3.B[8] = SHA3.rotate64(A[ 1] ^ da, 36); + SHA3.B[9] = SHA3.rotate64(A[16] ^ dd, 55); + + SHA3.B[10] = SHA3.rotate64(A[12] ^ dc, 43); + SHA3.B[11] = SHA3.rotate64(A[ 2] ^ da, 3); + SHA3.B[12] = SHA3.rotate64(A[17] ^ dd, 25); + SHA3.B[13] = SHA3.rotate64(A[ 7] ^ db, 10); + SHA3.B[14] = SHA3.rotate64(A[22] ^ de, 39); + + SHA3.B[15] = SHA3.rotate64(A[18] ^ dd, 21); + SHA3.B[16] = SHA3.rotate64(A[ 8] ^ db, 45); + SHA3.B[17] = SHA3.rotate64(A[23] ^ de, 8); + SHA3.B[18] = SHA3.rotate64(A[13] ^ dc, 15); + SHA3.B[19] = SHA3.rotate64(A[ 3] ^ da, 41); + + SHA3.B[20] = SHA3.rotate64(A[24] ^ de, 14); + SHA3.B[21] = SHA3.rotate64(A[14] ^ dc, 61); + SHA3.B[22] = SHA3.rotate64(A[ 4] ^ da, 18); + SHA3.B[23] = SHA3.rotate64(A[19] ^ dd, 56); + SHA3.B[24] = SHA3.rotate64(A[ 9] ^ db, 2); + } + else + { + /* ρ and π steps, with last two part of θ */ + SHA3.B[0] = A[ 0] ^ (da = SHA3.C[4] ^ SHA3.rotate(SHA3.C[1], 1)); + SHA3.B[1] = SHA3.rotate(A[15] ^ (dd = SHA3.C[2] ^ SHA3.rotate(SHA3.C[4], 1)), 28); + SHA3.B[2] = SHA3.rotate(A[ 5] ^ (db = SHA3.C[0] ^ SHA3.rotate(SHA3.C[2], 1)), 1); + SHA3.B[3] = SHA3.rotate(A[20] ^ (de = SHA3.C[3] ^ SHA3.rotate(SHA3.C[0], 1)), 27); + SHA3.B[4] = SHA3.rotate(A[10] ^ (dc = SHA3.C[1] ^ SHA3.rotate(SHA3.C[3], 1)), 62); + + SHA3.B[5] = SHA3.rotate(A[ 6] ^ db, 44); + SHA3.B[6] = SHA3.rotate(A[21] ^ de, 20); + SHA3.B[7] = SHA3.rotate(A[11] ^ dc, 6); + SHA3.B[8] = SHA3.rotate(A[ 1] ^ da, 36); + SHA3.B[9] = SHA3.rotate(A[16] ^ dd, 55); + + SHA3.B[10] = SHA3.rotate(A[12] ^ dc, 43); + SHA3.B[11] = SHA3.rotate(A[ 2] ^ da, 3); + SHA3.B[12] = SHA3.rotate(A[17] ^ dd, 25); + SHA3.B[13] = SHA3.rotate(A[ 7] ^ db, 10); + SHA3.B[14] = SHA3.rotate(A[22] ^ de, 39); + + SHA3.B[15] = SHA3.rotate(A[18] ^ dd, 21); + SHA3.B[16] = SHA3.rotate(A[ 8] ^ db, 45); + SHA3.B[17] = SHA3.rotate(A[23] ^ de, 8); + SHA3.B[18] = SHA3.rotate(A[13] ^ dc, 15); + SHA3.B[19] = SHA3.rotate(A[ 3] ^ da, 41); + + SHA3.B[20] = SHA3.rotate(A[24] ^ de, 14); + SHA3.B[21] = SHA3.rotate(A[14] ^ dc, 61); + SHA3.B[22] = SHA3.rotate(A[ 4] ^ da, 18); + SHA3.B[23] = SHA3.rotate(A[19] ^ dd, 56); + SHA3.B[24] = SHA3.rotate(A[ 9] ^ db, 2); + } + + /* ξ step */ + for (long i = 0; i < 15; i++) + A[i ] = SHA3.B[i ] ^ ((~(SHA3.B[i + 5])) & SHA3.B[i + 10]); + for (long i = 0; i < 5; i++) + { + A[i + 15] = SHA3.B[i + 15] ^ ((~(SHA3.B[i + 20])) & SHA3.B[i ]); + A[i + 20] = SHA3.B[i + 20] ^ ((~(SHA3.B[i ])) & SHA3.B[i + 5]); + } + + /* ι step */ + A[0] ^= rc; +} + + +/** + * Perform Keccak-f function + * + * @param A The current state + */ +static void keccakF(llong* A) +{ + if (SHA3.nr == 24) + for (long i = 0; i < SHA3.nr; i++) + SHA3.keccakFRound(A, SHA3.RC[i]); + else + for (long i = 0; i < SHA3.nr; i++) + SHA3.keccakFRound(A, SHA3.RC[i] & SHA3.wmod); +} + + +/** + * Convert a chunk of byte:s to a word + * + * @param message The message + * @param rr Bitrate in bytes + * @param ww Word size in bytes + * @param off The offset in the message + * @return Lane + */ +static llong toLane(byte* message, long rr, long ww, long off) +{ + llong rc = 0; + long n = Math.min(message.length, rr); + for (long i = off + ww - 1; i >= off; i--) + rc = (rc << 8) | ((i < n) ? (llong)(message[i] & 255) : 0L); + return rc; +} + + +/** + * Convert a chunk of byte:s to a 64-bit word + * + * @param message The message + * @param rr Bitrate in bytes + * @param off The offset in the message + * @return Lane + */ +static llong toLane64(byte* message, long rr, long off) +{ + long n = Math.min(message.length, rr); + return ((off + 7 < n) ? ((llong)(message[off + 7] & 255) << 56) : 0L) | + ((off + 6 < n) ? ((llong)(message[off + 6] & 255) << 48) : 0L) | + ((off + 5 < n) ? ((llong)(message[off + 5] & 255) << 40) : 0L) | + ((off + 4 < n) ? ((llong)(message[off + 4] & 255) << 32) : 0L) | + ((off + 3 < n) ? ((llong)(message[off + 3] & 255) << 24) : 0L) | + ((off + 2 < n) ? ((llong)(message[off + 2] & 255) << 16) : 0L) | + ((off + 1 < n) ? ((llong)(message[off + 1] & 255) << 8) : 0L) | + ((off < n) ? ((llong)(message[off] & 255)) : 0L); +} + + +/** + * pad 10*1 + * + * @param msg The message to pad + * @parm len The length of the message + * @param r The bitrate + * @return The message padded + */ +static byte* pad10star1(byte* msg, long len, long r) +{ + long nrf = len >> 3; + long nbrf = len & 7; + long ll = len % r; + + byte b = (byte)(nbrf == 0 ? 1 : ((msg[nrf] >> (8 - nbrf)) | (1 << nbrf))); + + byte* message; + if ((r - 8 <= ll) && (ll <= r - 2)) + { + message = new byte[len = nrf + 1]; + message[nrf] = (byte)(b ^ 128); + } + else + { + len = (nrf + 1) << 3; + len = ((len - (len % r) + (r - 8)) >> 3) + 1; + message = new byte[len]; + message[nrf] = b; + //for (llong i = nrf + 1; i < len; i++) + // message[i + nrf] = 0; + message[len - 1] = -128; + } + System.arraycopy(msg, 0, message, 0, nrf); + + return message; +} + + +/** + * Initialise Keccak sponge + * + * @param r The bitrate + * @param c The capacity + * @param n The output size + */ +extern void initialise(long r, long c, long n) +{ + SHA3.r = r; + SHA3.c = c; + SHA3.n = n; + SHA3.b = r + c; + SHA3.w = SHA3.b / 25; + SHA3.l = SHA3.lb(SHA3.w); + SHA3.nr = 12 + (SHA3.l << 1); + SHA3.wmod = (1L << SHA3.w) - 1L; + SHA3.S = new llong[25]; + SHA3.M = new byte[(SHA3.r * SHA3.b) >> 2]; + SHA3.mptr = 0; +} + + +/** + * Absorb the more of the message message to the Keccak sponge + * + * @param msg The partial message + */ +extern void update(byte* msg) +{ + update(msg, msg.length); +} + + +/** + * Absorb the more of the message message to the Keccak sponge + * + * @param msg The partial message + * @param msglen The length of the partial message + */ +extern void update(byte* msg, long msglen) +{ + long rr = SHA3.r >> 3; + long ww = SHA3.w >> 3; + + if (SHA3.mptr + msglen > SHA3.M.length) + System.arraycopy(SHA3.M, 0, SHA3.M = new byte[(SHA3.M.length + msglen) << 1], 0, SHA3.mptr); + System.arraycopy(msg, 0, SHA3.M, SHA3.mptr, msglen); + long len = SHA3.mptr += msglen; + len -= len % ((SHA3.r * SHA3.b) >> 3); + byte* message; + System.arraycopy(SHA3.M, 0, message = new byte[len], 0, len); + System.arraycopy(SHA3.M, len, SHA3.M, 0, SHA3.mptr -= len); + + /* Absorbing phase */ + if (ww == 8) + for (long i = 0; i < len; i += rr) + { + SHA3.S[ 0] ^= SHA3.toLane64(message, rr, i + 0); + SHA3.S[ 5] ^= SHA3.toLane64(message, rr, i + 8); + SHA3.S[10] ^= SHA3.toLane64(message, rr, i + 16); + SHA3.S[15] ^= SHA3.toLane64(message, rr, i + 24); + SHA3.S[20] ^= SHA3.toLane64(message, rr, i + 32); + SHA3.S[ 1] ^= SHA3.toLane64(message, rr, i + 40); + SHA3.S[ 6] ^= SHA3.toLane64(message, rr, i + 48); + SHA3.S[11] ^= SHA3.toLane64(message, rr, i + 56); + SHA3.S[16] ^= SHA3.toLane64(message, rr, i + 64); + SHA3.S[21] ^= SHA3.toLane64(message, rr, i + 72); + SHA3.S[ 2] ^= SHA3.toLane64(message, rr, i + 80); + SHA3.S[ 7] ^= SHA3.toLane64(message, rr, i + 88); + SHA3.S[12] ^= SHA3.toLane64(message, rr, i + 96); + SHA3.S[17] ^= SHA3.toLane64(message, rr, i + 104); + SHA3.S[22] ^= SHA3.toLane64(message, rr, i + 112); + SHA3.S[ 3] ^= SHA3.toLane64(message, rr, i + 120); + SHA3.S[ 8] ^= SHA3.toLane64(message, rr, i + 128); + SHA3.S[13] ^= SHA3.toLane64(message, rr, i + 136); + SHA3.S[18] ^= SHA3.toLane64(message, rr, i + 144); + SHA3.S[23] ^= SHA3.toLane64(message, rr, i + 152); + SHA3.S[ 4] ^= SHA3.toLane64(message, rr, i + 160); + SHA3.S[ 9] ^= SHA3.toLane64(message, rr, i + 168); + SHA3.S[14] ^= SHA3.toLane64(message, rr, i + 176); + SHA3.S[19] ^= SHA3.toLane64(message, rr, i + 184); + SHA3.S[24] ^= SHA3.toLane64(message, rr, i + 192); + SHA3.keccakF(SHA3.S); + } + else + for (long i = 0; i < len; i += rr) + { + SHA3.S[ 0] ^= SHA3.toLane(message, rr, ww, i + 0 ); + SHA3.S[ 5] ^= SHA3.toLane(message, rr, ww, i + w); + SHA3.S[10] ^= SHA3.toLane(message, rr, ww, i + 2 * w); + SHA3.S[15] ^= SHA3.toLane(message, rr, ww, i + 3 * w); + SHA3.S[20] ^= SHA3.toLane(message, rr, ww, i + 4 * w); + SHA3.S[ 1] ^= SHA3.toLane(message, rr, ww, i + 5 * w); + SHA3.S[ 6] ^= SHA3.toLane(message, rr, ww, i + 6 * w); + SHA3.S[11] ^= SHA3.toLane(message, rr, ww, i + 7 * w); + SHA3.S[16] ^= SHA3.toLane(message, rr, ww, i + 8 * w); + SHA3.S[21] ^= SHA3.toLane(message, rr, ww, i + 9 * w); + SHA3.S[ 2] ^= SHA3.toLane(message, rr, ww, i + 10 * w); + SHA3.S[ 7] ^= SHA3.toLane(message, rr, ww, i + 11 * w); + SHA3.S[12] ^= SHA3.toLane(message, rr, ww, i + 12 * w); + SHA3.S[17] ^= SHA3.toLane(message, rr, ww, i + 13 * w); + SHA3.S[22] ^= SHA3.toLane(message, rr, ww, i + 14 * w); + SHA3.S[ 3] ^= SHA3.toLane(message, rr, ww, i + 15 * w); + SHA3.S[ 8] ^= SHA3.toLane(message, rr, ww, i + 16 * w); + SHA3.S[13] ^= SHA3.toLane(message, rr, ww, i + 17 * w); + SHA3.S[18] ^= SHA3.toLane(message, rr, ww, i + 18 * w); + SHA3.S[23] ^= SHA3.toLane(message, rr, ww, i + 19 * w); + SHA3.S[ 4] ^= SHA3.toLane(message, rr, ww, i + 20 * w); + SHA3.S[ 9] ^= SHA3.toLane(message, rr, ww, i + 21 * w); + SHA3.S[14] ^= SHA3.toLane(message, rr, ww, i + 22 * w); + SHA3.S[19] ^= SHA3.toLane(message, rr, ww, i + 23 * w); + SHA3.S[24] ^= SHA3.toLane(message, rr, ww, i + 24 * w); + SHA3.keccakF(SHA3.S); + } +} + + +/** + * Squeeze the Keccak sponge + */ +extern byte* digest() +{ + return digest(null); +} + + +/** + * Absorb the last part of the message and squeeze the Keccak sponge + * + * @param msg The rest of the message + */ +extern byte* digest(byte* msg) +{ + return digest(msg, msg == null ? 0 : msg.length); +} + + +/** + * Absorb the last part of the message and squeeze the Keccak sponge + * + * @param msg The rest of the message + * @param msglen The length of the partial message + */ +extern byte* digest(byte* msg, long msglen) +{ + byte* message; + if ((msg == null) || (msglen == 0)) + message = SHA3.pad10star1(SHA3.M, SHA3.mptr, SHA3.r); + else + { + if (SHA3.mptr + msglen > SHA3.M.length) + System.arraycopy(SHA3.M, 0, SHA3.M = new byte[SHA3.M.length + msglen], 0, SHA3.mptr); + System.arraycopy(msg, 0, SHA3.M, SHA3.mptr, msglen); + message = SHA3.pad10star1(SHA3.M, SHA3.mptr + msglen, SHA3.r); + } + SHA3.M = null; + long len = message.length; + byte* rc = new byte[(SHA3.n + 7) >> 3]; + long ptr = 0; + + long rr = SHA3.r >> 3; + long nn = SHA3.n >> 3; + long ww = SHA3.w >> 3; + + /* Absorbing phase */ + if (ww == 8) + for (long i = 0; i < len; i += rr) + { + SHA3.S[ 0] ^= SHA3.toLane64(message, rr, i + 0); + SHA3.S[ 5] ^= SHA3.toLane64(message, rr, i + 8); + SHA3.S[10] ^= SHA3.toLane64(message, rr, i + 16); + SHA3.S[15] ^= SHA3.toLane64(message, rr, i + 24); + SHA3.S[20] ^= SHA3.toLane64(message, rr, i + 32); + SHA3.S[ 1] ^= SHA3.toLane64(message, rr, i + 40); + SHA3.S[ 6] ^= SHA3.toLane64(message, rr, i + 48); + SHA3.S[11] ^= SHA3.toLane64(message, rr, i + 56); + SHA3.S[16] ^= SHA3.toLane64(message, rr, i + 64); + SHA3.S[21] ^= SHA3.toLane64(message, rr, i + 72); + SHA3.S[ 2] ^= SHA3.toLane64(message, rr, i + 80); + SHA3.S[ 7] ^= SHA3.toLane64(message, rr, i + 88); + SHA3.S[12] ^= SHA3.toLane64(message, rr, i + 96); + SHA3.S[17] ^= SHA3.toLane64(message, rr, i + 104); + SHA3.S[22] ^= SHA3.toLane64(message, rr, i + 112); + SHA3.S[ 3] ^= SHA3.toLane64(message, rr, i + 120); + SHA3.S[ 8] ^= SHA3.toLane64(message, rr, i + 128); + SHA3.S[13] ^= SHA3.toLane64(message, rr, i + 136); + SHA3.S[18] ^= SHA3.toLane64(message, rr, i + 144); + SHA3.S[23] ^= SHA3.toLane64(message, rr, i + 152); + SHA3.S[ 4] ^= SHA3.toLane64(message, rr, i + 160); + SHA3.S[ 9] ^= SHA3.toLane64(message, rr, i + 168); + SHA3.S[14] ^= SHA3.toLane64(message, rr, i + 176); + SHA3.S[19] ^= SHA3.toLane64(message, rr, i + 184); + SHA3.S[24] ^= SHA3.toLane64(message, rr, i + 192); + SHA3.keccakF(SHA3.S); + } + else + for (long i = 0; i < len; i += rr) + { + SHA3.S[ 0] ^= SHA3.toLane(message, rr, ww, i + 0 ); + SHA3.S[ 5] ^= SHA3.toLane(message, rr, ww, i + w); + SHA3.S[10] ^= SHA3.toLane(message, rr, ww, i + 2 * w); + SHA3.S[15] ^= SHA3.toLane(message, rr, ww, i + 3 * w); + SHA3.S[20] ^= SHA3.toLane(message, rr, ww, i + 4 * w); + SHA3.S[ 1] ^= SHA3.toLane(message, rr, ww, i + 5 * w); + SHA3.S[ 6] ^= SHA3.toLane(message, rr, ww, i + 6 * w); + SHA3.S[11] ^= SHA3.toLane(message, rr, ww, i + 7 * w); + SHA3.S[16] ^= SHA3.toLane(message, rr, ww, i + 8 * w); + SHA3.S[21] ^= SHA3.toLane(message, rr, ww, i + 9 * w); + SHA3.S[ 2] ^= SHA3.toLane(message, rr, ww, i + 10 * w); + SHA3.S[ 7] ^= SHA3.toLane(message, rr, ww, i + 11 * w); + SHA3.S[12] ^= SHA3.toLane(message, rr, ww, i + 12 * w); + SHA3.S[17] ^= SHA3.toLane(message, rr, ww, i + 13 * w); + SHA3.S[22] ^= SHA3.toLane(message, rr, ww, i + 14 * w); + SHA3.S[ 3] ^= SHA3.toLane(message, rr, ww, i + 15 * w); + SHA3.S[ 8] ^= SHA3.toLane(message, rr, ww, i + 16 * w); + SHA3.S[13] ^= SHA3.toLane(message, rr, ww, i + 17 * w); + SHA3.S[18] ^= SHA3.toLane(message, rr, ww, i + 18 * w); + SHA3.S[23] ^= SHA3.toLane(message, rr, ww, i + 19 * w); + SHA3.S[ 4] ^= SHA3.toLane(message, rr, ww, i + 20 * w); + SHA3.S[ 9] ^= SHA3.toLane(message, rr, ww, i + 21 * w); + SHA3.S[14] ^= SHA3.toLane(message, rr, ww, i + 22 * w); + SHA3.S[19] ^= SHA3.toLane(message, rr, ww, i + 23 * w); + SHA3.S[24] ^= SHA3.toLane(message, rr, ww, i + 24 * w); + SHA3.keccakF(SHA3.S); + } + + /* Squeezing phase */ + long olen = SHA3.n; + long j = 0; + long ni = Math.min(25, rr); + while (olen > 0) + { + long i = 0; + while ((i < ni) && (j < nn)) + { + llong v = SHA3.S[(i % 5) * 5 + i / 5]; + for (long _ = 0; _ < ww; _++) + { + if (j < nn) + { + rc[ptr] = (byte)v; + ptr += 1; + } + v >>= 8; + j += 1; + } + i += 1; + } + olen -= SHA3.r; + if (olen > 0) + SHA3.keccakF(S); + } + return rc; +} + |