diff --git a/src/dap_enc_ringct20.c b/src/dap_enc_ringct20.c
index ba98dbf91cc5800693294b5f3fe3d7b1f4fbeb21..250ad8c44b5d4b10a066763f422fa53cf27bb605 100644
--- a/src/dap_enc_ringct20.c
+++ b/src/dap_enc_ringct20.c
@@ -145,10 +145,7 @@ int ringct20_crypto_sign( ringct20_signature_t *sig, const unsigned char *m, uns
uint32_t Pi;
randombytes(&Pi, sizeof(Pi));
- //Pi %= p->wLen;//
- //CRUTCH
- Pi = 1 + Pi%(p->wLen - 1);
- //printf("Pi = %d\n", Pi);
+ Pi %= p->wLen;
poly_ringct20 *aList = malloc(p->POLY_RINGCT20_SIZE*p->wLen);
poly_ringct20 *S = malloc(p->POLY_RINGCT20_SIZE*p->mLen);
ringct20_unpack_prk(private_key->data,S,p);
diff --git a/src/ringct20/aes.c b/src/ringct20/aes.c
deleted file mode 100644
index bb36c516138b573f626004969185275e296c7127..0000000000000000000000000000000000000000
--- a/src/ringct20/aes.c
+++ /dev/null
@@ -1,308 +0,0 @@
-#include <assert.h>
-
-#include "aes.h"
-#include "aes_local.h"
-
-void OQS_AES128_load_schedule(const uint8_t *key, void **schedule, UNUSED int for_encryption) {
-#ifdef USE_OPENSSL
- oqs_aes128_load_schedule_ossl(key, schedule, for_encryption);
-#elif defined(AES_ENABLE_NI)
- oqs_aes128_load_schedule_ni(key, schedule);
-#else
- oqs_aes128_load_schedule_c(key, schedule);
-#endif
-}
-
-void OQS_AES128_free_schedule(void *schedule) {
-#ifdef USE_OPENSSL
- oqs_aes128_free_schedule_ossl(schedule);
-#elif defined(AES_ENABLE_NI)
- oqs_aes128_free_schedule_ni(schedule);
-#else
- oqs_aes128_free_schedule_c(schedule);
-#endif
-}
-
-void OQS_AES128_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
-#ifdef USE_OPENSSL
- oqs_aes128_ecb_enc_ossl(plaintext, plaintext_len, key, ciphertext);
-#elif defined(AES_ENABLE_NI)
- oqs_aes128_ecb_enc_ni(plaintext, plaintext_len, key, ciphertext);
-#else
- oqs_aes128_ecb_enc_c(plaintext, plaintext_len, key, ciphertext);
-#endif
-}
-
-void OQS_AES128_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
-#ifdef USE_OPENSSL
- oqs_aes128_ecb_dec_ossl(ciphertext, ciphertext_len, key, plaintext);
-#elif defined(AES_ENABLE_NI)
- oqs_aes128_ecb_dec_ni(ciphertext, ciphertext_len, key, plaintext);
-#else
- oqs_aes128_ecb_dec_c(ciphertext, ciphertext_len, key, plaintext);
-#endif
-}
-
-void OQS_AES128_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
-#ifdef USE_OPENSSL
- oqs_aes128_ecb_enc_sch_ossl(plaintext, plaintext_len, schedule, ciphertext);
-#elif defined(AES_ENABLE_NI)
- oqs_aes128_ecb_enc_sch_ni(plaintext, plaintext_len, schedule, ciphertext);
-#else
- oqs_aes128_ecb_enc_sch_c(plaintext, plaintext_len, schedule, ciphertext);
-#endif
-}
-
-void OQS_AES128_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
-#ifdef USE_OPENSSL
- oqs_aes128_ecb_dec_sch_ossl(ciphertext, ciphertext_len, schedule, plaintext);
-#elif defined(AES_ENABLE_NI)
- oqs_aes128_ecb_dec_sch_ni(ciphertext, ciphertext_len, schedule, plaintext);
-#else
- oqs_aes128_ecb_dec_sch_c(ciphertext, ciphertext_len, schedule, plaintext);
-#endif
-}
-
-#ifdef AES_ENABLE_NI
-void oqs_aes128_ecb_enc_ni(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
- void *schedule = NULL;
- oqs_aes128_load_schedule_ni(key, &schedule);
- oqs_aes128_ecb_enc_sch_ni(plaintext, plaintext_len, schedule, ciphertext);
- oqs_aes128_free_schedule_ni(schedule);
-}
-#endif
-
-void oqs_aes128_ecb_enc_c(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
- void *schedule = NULL;
- oqs_aes128_load_schedule_c(key, &schedule);
- oqs_aes128_ecb_enc_sch_c(plaintext, plaintext_len, schedule, ciphertext);
- oqs_aes128_free_schedule_c(schedule);
-}
-
-#ifdef AES_ENABLE_NI
-void oqs_aes128_ecb_enc_sch_ni(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
- assert(plaintext_len % 16 == 0);
- for (size_t block = 0; block < plaintext_len / 16; block++) {
- oqs_aes128_enc_ni(plaintext + (16 * block), schedule, ciphertext + (16 * block));
- }
-}
-#endif
-
-void oqs_aes128_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
- assert(plaintext_len % 16 == 0);
- for (size_t block = 0; block < plaintext_len / 16; block++) {
- oqs_aes128_enc_c(plaintext + (16 * block), schedule, ciphertext + (16 * block));
- }
-}
-
-#ifdef AES_ENABLE_NI
-void oqs_aes128_ecb_dec_ni(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
- void *schedule = NULL;
- oqs_aes128_load_schedule_ni(key, &schedule);
- oqs_aes128_ecb_dec_sch_ni(ciphertext, ciphertext_len, schedule, plaintext);
- oqs_aes128_free_schedule_ni(schedule);
-}
-#endif
-
-void oqs_aes128_ecb_dec_c(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
- void *schedule = NULL;
- oqs_aes128_load_schedule_c(key, &schedule);
- oqs_aes128_ecb_dec_sch_c(ciphertext, ciphertext_len, schedule, plaintext);
- oqs_aes128_free_schedule_c(schedule);
-}
-
-#ifdef AES_ENABLE_NI
-void oqs_aes128_ecb_dec_sch_ni(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
- assert(ciphertext_len % 16 == 0);
- for (size_t block = 0; block < ciphertext_len / 16; block++) {
- oqs_aes128_dec_ni(ciphertext + (16 * block), schedule, plaintext + (16 * block));
- }
-}
-#endif
-
-void oqs_aes128_ecb_dec_sch_c(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
- assert(ciphertext_len % 16 == 0);
- for (size_t block = 0; block < ciphertext_len / 16; block++) {
- oqs_aes128_dec_c(ciphertext + (16 * block), schedule, plaintext + (16 * block));
- }
-}
-
-#ifdef USE_OPENSSL
-#include <openssl/evp.h>
-
-void oqs_aes128_load_schedule_ossl(const uint8_t *key, void **schedule, int for_encryption) {
- EVP_CIPHER_CTX *aes_ctx = EVP_CIPHER_CTX_new();
- assert(aes_ctx != NULL);
- if (for_encryption) {
- assert(1 == EVP_EncryptInit_ex(aes_ctx, EVP_aes_128_ecb(), NULL, key, NULL));
- } else {
- assert(1 == EVP_DecryptInit_ex(aes_ctx, EVP_aes_128_ecb(), NULL, key, NULL));
- }
- EVP_CIPHER_CTX_set_padding(aes_ctx, 0);
- *schedule = aes_ctx;
-}
-
-void oqs_aes128_free_schedule_ossl(void *schedule) {
- if (schedule != NULL) {
- EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *) schedule);
- }
-}
-
-void oqs_aes128_ecb_enc_ossl(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
- void *schedule = NULL;
- oqs_aes128_load_schedule_ossl(key, &schedule, 1);
- oqs_aes128_ecb_enc_sch_ossl(plaintext, plaintext_len, schedule, ciphertext);
- oqs_aes128_free_schedule_ossl(schedule);
-}
-
-void oqs_aes128_ecb_dec_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
- void *schedule = NULL;
- oqs_aes128_load_schedule_ossl(key, &schedule, 0);
- oqs_aes128_ecb_dec_sch_ossl(ciphertext, ciphertext_len, schedule, plaintext);
- oqs_aes128_free_schedule_ossl(schedule);
-}
-
-void oqs_aes128_ecb_enc_sch_ossl(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
- assert(plaintext_len % 16 == 0);
- int outlen;
- assert(1 == EVP_EncryptUpdate((EVP_CIPHER_CTX *) schedule, ciphertext, &outlen, plaintext, plaintext_len));
- assert((size_t) outlen == plaintext_len);
- assert(1 == EVP_EncryptFinal_ex((EVP_CIPHER_CTX *) schedule, ciphertext, &outlen));
-}
-
-void oqs_aes128_ecb_dec_sch_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
- assert(ciphertext_len % 16 == 0);
- int outlen;
- assert(1 == EVP_DecryptUpdate((EVP_CIPHER_CTX *) schedule, plaintext, &outlen, ciphertext, ciphertext_len));
- assert((size_t) outlen == ciphertext_len);
- assert(1 == EVP_DecryptFinal_ex((EVP_CIPHER_CTX *) schedule, plaintext, &outlen));
-}
-
-#endif
-
-void OQS_AES256_load_schedule(const uint8_t *key, void **schedule, UNUSED int for_encryption) {
-#ifdef USE_OPENSSL
- oqs_aes256_load_schedule_ossl(key, schedule, for_encryption);
-#else
- oqs_aes256_load_schedule_c(key, schedule);
-#endif
-}
-
-void OQS_AES256_free_schedule(void *schedule) {
-#ifdef USE_OPENSSL
- oqs_aes256_free_schedule_ossl(schedule);
-#else
- oqs_aes256_free_schedule_c(schedule);
-#endif
-}
-
-void OQS_AES256_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
-#ifdef USE_OPENSSL
- oqs_aes256_ecb_enc_ossl(plaintext, plaintext_len, key, ciphertext);
-#else
- oqs_aes256_ecb_enc_c(plaintext, plaintext_len, key, ciphertext);
-#endif
-}
-
-void OQS_AES256_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
-#ifdef USE_OPENSSL
- oqs_aes256_ecb_dec_ossl(ciphertext, ciphertext_len, key, plaintext);
-#else
- oqs_aes256_ecb_dec_c(ciphertext, ciphertext_len, key, plaintext);
-#endif
-}
-
-void OQS_AES256_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
-#ifdef USE_OPENSSL
- oqs_aes256_ecb_enc_sch_ossl(plaintext, plaintext_len, schedule, ciphertext);
-#else
- oqs_aes256_ecb_enc_sch_c(plaintext, plaintext_len, schedule, ciphertext);
-#endif
-}
-
-void OQS_AES256_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
-#ifdef USE_OPENSSL
- oqs_aes256_ecb_dec_sch_ossl(ciphertext, ciphertext_len, schedule, plaintext);
-#else
- oqs_aes256_ecb_dec_sch_c(ciphertext, ciphertext_len, schedule, plaintext);
-#endif
-}
-
-void oqs_aes256_ecb_enc_c(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
- void *schedule = NULL;
- oqs_aes256_load_schedule_c(key, &schedule);
- oqs_aes256_ecb_enc_sch_c(plaintext, plaintext_len, schedule, ciphertext);
- oqs_aes256_free_schedule_c(schedule);
-}
-
-void oqs_aes256_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
- assert(plaintext_len % 16 == 0);
- for (size_t block = 0; block < plaintext_len / 16; block++) {
- oqs_aes256_enc_c(plaintext + (16 * block), schedule, ciphertext + (16 * block));
- }
-}
-
-void oqs_aes256_ecb_dec_c(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
- void *schedule = NULL;
- oqs_aes256_load_schedule_c(key, &schedule);
- oqs_aes256_ecb_dec_sch_c(ciphertext, ciphertext_len, schedule, plaintext);
- oqs_aes256_free_schedule_c(schedule);
-}
-
-void oqs_aes256_ecb_dec_sch_c(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
- assert(ciphertext_len % 16 == 0);
- for (size_t block = 0; block < ciphertext_len / 16; block++) {
- oqs_aes256_dec_c(ciphertext + (16 * block), schedule, plaintext + (16 * block));
- }
-}
-
-#ifdef USE_OPENSSL
-void oqs_aes256_load_schedule_ossl(const uint8_t *key, void **schedule, int for_encryption) {
- EVP_CIPHER_CTX *aes_ctx = EVP_CIPHER_CTX_new();
- assert(aes_ctx != NULL);
- if (for_encryption) {
- assert(1 == EVP_EncryptInit_ex(aes_ctx, EVP_aes_256_ecb(), NULL, key, NULL));
- } else {
- assert(1 == EVP_DecryptInit_ex(aes_ctx, EVP_aes_256_ecb(), NULL, key, NULL));
- }
- EVP_CIPHER_CTX_set_padding(aes_ctx, 0);
- *schedule = aes_ctx;
-}
-
-void oqs_aes256_free_schedule_ossl(void *schedule) {
- if (schedule != NULL) {
- EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *) schedule);
- }
-}
-
-void oqs_aes256_ecb_enc_ossl(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext) {
- void *schedule = NULL;
- oqs_aes256_load_schedule_ossl(key, &schedule, 1);
- oqs_aes256_ecb_enc_sch_ossl(plaintext, plaintext_len, schedule, ciphertext);
- oqs_aes256_free_schedule_ossl(schedule);
-}
-
-void oqs_aes256_ecb_dec_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext) {
- void *schedule = NULL;
- oqs_aes256_load_schedule_ossl(key, &schedule, 0);
- oqs_aes256_ecb_dec_sch_ossl(ciphertext, ciphertext_len, schedule, plaintext);
- oqs_aes256_free_schedule_ossl(schedule);
-}
-
-void oqs_aes256_ecb_enc_sch_ossl(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext) {
- assert(plaintext_len % 16 == 0);
- int outlen;
- assert(1 == EVP_EncryptUpdate((EVP_CIPHER_CTX *) schedule, ciphertext, &outlen, plaintext, plaintext_len));
- assert((size_t) outlen == plaintext_len);
- assert(1 == EVP_EncryptFinal_ex((EVP_CIPHER_CTX *) schedule, ciphertext, &outlen));
-}
-
-void oqs_aes256_ecb_dec_sch_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext) {
- assert(ciphertext_len % 16 == 0);
- int outlen;
- assert(1 == EVP_DecryptUpdate((EVP_CIPHER_CTX *) schedule, plaintext, &outlen, ciphertext, ciphertext_len));
- assert((size_t) outlen == ciphertext_len);
- assert(1 == EVP_DecryptFinal_ex((EVP_CIPHER_CTX *) schedule, plaintext, &outlen));
-}
-
-#endif
diff --git a/src/ringct20/aes.h b/src/ringct20/aes.h
deleted file mode 100644
index 8581e460fef445f71c3d3ea7005c4b18e805908a..0000000000000000000000000000000000000000
--- a/src/ringct20/aes.h
+++ /dev/null
@@ -1,120 +0,0 @@
-/**
- * \file aes.h
- * \brief Header defining the API for OQS AES
- */
-
-#ifndef __OQS_AES_H
-#define __OQS_AES_H
-
-#include <stdint.h>
-#include <stdlib.h>
-
-/**
- * Function to fill a key schedule given an initial key.
- *
- * @param key Initial Key.
- * @param schedule Abstract data structure for a key schedule.
- * @param for_encryption 1 if key schedule is for encryption, 0 if for decryption.
- */
-void OQS_AES128_load_schedule(const uint8_t *key, void **schedule, int for_encryption);
-
-/**
- * Function to free a key schedule.
- *
- * @param schedule Schedule generated with OQS_AES128_load_schedule().
- */
-void OQS_AES128_free_schedule(void *schedule);
-
-/**
- * Function to encrypt blocks of plaintext using ECB mode.
- * A schedule based on the key is generated and used internally.
- *
- * @param plaintext Plaintext to be encrypted.
- * @param plaintext_len Length on the plaintext in bytes. Must be a multiple of 16.
- * @param key Key to be used for encryption.
- * @param ciphertext Pointer to a block of memory which >= in size to the plaintext block. The result will be written here.
- */
-void OQS_AES128_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
-
-/**
- * Function to decrypt blocks of plaintext using ECB mode.
- * A schedule based on the key is generated and used internally.
- *
- * @param ciphertext Ciphertext to be decrypted.
- * @param ciphertext_len Length on the ciphertext in bytes. Must be a multiple of 16.
- * @param key Key to be used for encryption.
- * @param plaintext Pointer to a block of memory which >= in size to the ciphertext block. The result will be written here.
- */
-void OQS_AES128_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
-
-/**
- * Same as OQS_AES128_ECB_enc() except a schedule generated by
- * OQS_AES128_load_schedule() is passed rather then a key. This is faster
- * if the same schedule is used for multiple encryptions since it does
- * not have to be regenerated from the key.
- */
-void OQS_AES128_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
-
-/**
- * Same as OQS_AES128_ECB_dec() except a schedule generated by
- * OQS_AES128_load_schedule() is passed rather then a key. This is faster
- * if the same schedule is used for multiple encryptions since it does
- * not have to be regenerated from the key.
- */
-void OQS_AES128_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
-
-/**
- * Function to fill a key schedule given an initial key.
- *
- * @param key Initial Key.
- * @param schedule Abstract data structure for a key schedule.
- * @param for_encryption 1 if key schedule is for encryption, 0 if for decryption.
- */
-void OQS_AES256_load_schedule(const uint8_t *key, void **schedule, int for_encryption);
-
-/**
- * Function to free a key schedule.
- *
- * @param schedule Schedule generated with OQS_AES256_load_schedule().
- */
-void OQS_AES256_free_schedule(void *schedule);
-
-/**
- * Function to encrypt blocks of plaintext using ECB mode.
- * A schedule based on the key is generated and used internally.
- *
- * @param plaintext Plaintext to be encrypted.
- * @param plaintext_len Length on the plaintext in bytes. Must be a multiple of 16.
- * @param key Key to be used for encryption.
- * @param ciphertext Pointer to a block of memory which >= in size to the plaintext block. The result will be written here.
- */
-void OQS_AES256_ECB_enc(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
-
-/**
- * Function to decrypt blocks of plaintext using ECB mode.
- * A schedule based on the key is generated and used internally.
- *
- * @param ciphertext Ciphertext to be decrypted.
- * @param ciphertext_len Length on the ciphertext in bytes. Must be a multiple of 16.
- * @param key Key to be used for encryption.
- * @param plaintext Pointer to a block of memory which >= in size to the ciphertext block. The result will be written here.
- */
-void OQS_AES256_ECB_dec(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
-
-/**
- * Same as OQS_AES256_ECB_enc() except a schedule generated by
- * OQS_AES256_load_schedule() is passed rather then a key. This is faster
- * if the same schedule is used for multiple encryptions since it does
- * not have to be regenerated from the key.
- */
-void OQS_AES256_ECB_enc_sch(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
-
-/**
- * Same as OQS_AES256_ECB_dec() except a schedule generated by
- * OQS_AES256_load_schedule() is passed rather then a key. This is faster
- * if the same schedule is used for multiple encryptions since it does
- * not have to be regenerated from the key.
- */
-void OQS_AES256_ECB_dec_sch(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
-
-#endif
diff --git a/src/ringct20/aes_c.c b/src/ringct20/aes_c.c
deleted file mode 100644
index be543ca9f580dc92a4783bb77940729d357c7755..0000000000000000000000000000000000000000
--- a/src/ringct20/aes_c.c
+++ /dev/null
@@ -1,434 +0,0 @@
-// Simple, thoroughly commented implementation of 128-bit AES / Rijndael using C
-// Chris Hulbert - chris.hulbert@gmail.com - http://splinter.com.au/blog
-// References:
-// http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
-// http://en.wikipedia.org/wiki/Rijndael_key_schedule
-// http://en.wikipedia.org/wiki/Rijndael_mix_columns
-// http://en.wikipedia.org/wiki/Rijndael_S-box
-// This code is public domain, or any OSI-approved license, your choice. No warranty.
-
-#include <assert.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "aes.h"
-#include "common.h"
-
-typedef unsigned char byte;
-
-// Here are all the lookup tables for the row shifts, rcon, s-boxes, and galois field multiplications
-static const byte shift_rows_table[] = {0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11};
-static const byte shift_rows_table_inv[] = {0, 13, 10, 7, 4, 1, 14, 11, 8, 5, 2, 15, 12, 9, 6, 3};
-static const byte lookup_rcon[] = {
- 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a};
-static const byte lookup_sbox[] = {
- 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
- 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
- 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
- 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
- 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
- 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
- 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
- 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
- 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
- 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
- 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
- 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
- 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
- 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
- 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
- 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16};
-static const byte lookup_sbox_inv[] = {
- 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
- 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
- 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
- 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
- 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
- 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
- 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
- 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
- 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
- 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
- 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
- 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
- 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
- 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
- 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
- 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d};
-static const byte lookup_g2[] = {
- 0x00, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x10, 0x12, 0x14, 0x16, 0x18, 0x1a, 0x1c, 0x1e,
- 0x20, 0x22, 0x24, 0x26, 0x28, 0x2a, 0x2c, 0x2e, 0x30, 0x32, 0x34, 0x36, 0x38, 0x3a, 0x3c, 0x3e,
- 0x40, 0x42, 0x44, 0x46, 0x48, 0x4a, 0x4c, 0x4e, 0x50, 0x52, 0x54, 0x56, 0x58, 0x5a, 0x5c, 0x5e,
- 0x60, 0x62, 0x64, 0x66, 0x68, 0x6a, 0x6c, 0x6e, 0x70, 0x72, 0x74, 0x76, 0x78, 0x7a, 0x7c, 0x7e,
- 0x80, 0x82, 0x84, 0x86, 0x88, 0x8a, 0x8c, 0x8e, 0x90, 0x92, 0x94, 0x96, 0x98, 0x9a, 0x9c, 0x9e,
- 0xa0, 0xa2, 0xa4, 0xa6, 0xa8, 0xaa, 0xac, 0xae, 0xb0, 0xb2, 0xb4, 0xb6, 0xb8, 0xba, 0xbc, 0xbe,
- 0xc0, 0xc2, 0xc4, 0xc6, 0xc8, 0xca, 0xcc, 0xce, 0xd0, 0xd2, 0xd4, 0xd6, 0xd8, 0xda, 0xdc, 0xde,
- 0xe0, 0xe2, 0xe4, 0xe6, 0xe8, 0xea, 0xec, 0xee, 0xf0, 0xf2, 0xf4, 0xf6, 0xf8, 0xfa, 0xfc, 0xfe,
- 0x1b, 0x19, 0x1f, 0x1d, 0x13, 0x11, 0x17, 0x15, 0x0b, 0x09, 0x0f, 0x0d, 0x03, 0x01, 0x07, 0x05,
- 0x3b, 0x39, 0x3f, 0x3d, 0x33, 0x31, 0x37, 0x35, 0x2b, 0x29, 0x2f, 0x2d, 0x23, 0x21, 0x27, 0x25,
- 0x5b, 0x59, 0x5f, 0x5d, 0x53, 0x51, 0x57, 0x55, 0x4b, 0x49, 0x4f, 0x4d, 0x43, 0x41, 0x47, 0x45,
- 0x7b, 0x79, 0x7f, 0x7d, 0x73, 0x71, 0x77, 0x75, 0x6b, 0x69, 0x6f, 0x6d, 0x63, 0x61, 0x67, 0x65,
- 0x9b, 0x99, 0x9f, 0x9d, 0x93, 0x91, 0x97, 0x95, 0x8b, 0x89, 0x8f, 0x8d, 0x83, 0x81, 0x87, 0x85,
- 0xbb, 0xb9, 0xbf, 0xbd, 0xb3, 0xb1, 0xb7, 0xb5, 0xab, 0xa9, 0xaf, 0xad, 0xa3, 0xa1, 0xa7, 0xa5,
- 0xdb, 0xd9, 0xdf, 0xdd, 0xd3, 0xd1, 0xd7, 0xd5, 0xcb, 0xc9, 0xcf, 0xcd, 0xc3, 0xc1, 0xc7, 0xc5,
- 0xfb, 0xf9, 0xff, 0xfd, 0xf3, 0xf1, 0xf7, 0xf5, 0xeb, 0xe9, 0xef, 0xed, 0xe3, 0xe1, 0xe7, 0xe5};
-static const byte lookup_g3[] = {
- 0x00, 0x03, 0x06, 0x05, 0x0c, 0x0f, 0x0a, 0x09, 0x18, 0x1b, 0x1e, 0x1d, 0x14, 0x17, 0x12, 0x11,
- 0x30, 0x33, 0x36, 0x35, 0x3c, 0x3f, 0x3a, 0x39, 0x28, 0x2b, 0x2e, 0x2d, 0x24, 0x27, 0x22, 0x21,
- 0x60, 0x63, 0x66, 0x65, 0x6c, 0x6f, 0x6a, 0x69, 0x78, 0x7b, 0x7e, 0x7d, 0x74, 0x77, 0x72, 0x71,
- 0x50, 0x53, 0x56, 0x55, 0x5c, 0x5f, 0x5a, 0x59, 0x48, 0x4b, 0x4e, 0x4d, 0x44, 0x47, 0x42, 0x41,
- 0xc0, 0xc3, 0xc6, 0xc5, 0xcc, 0xcf, 0xca, 0xc9, 0xd8, 0xdb, 0xde, 0xdd, 0xd4, 0xd7, 0xd2, 0xd1,
- 0xf0, 0xf3, 0xf6, 0xf5, 0xfc, 0xff, 0xfa, 0xf9, 0xe8, 0xeb, 0xee, 0xed, 0xe4, 0xe7, 0xe2, 0xe1,
- 0xa0, 0xa3, 0xa6, 0xa5, 0xac, 0xaf, 0xaa, 0xa9, 0xb8, 0xbb, 0xbe, 0xbd, 0xb4, 0xb7, 0xb2, 0xb1,
- 0x90, 0x93, 0x96, 0x95, 0x9c, 0x9f, 0x9a, 0x99, 0x88, 0x8b, 0x8e, 0x8d, 0x84, 0x87, 0x82, 0x81,
- 0x9b, 0x98, 0x9d, 0x9e, 0x97, 0x94, 0x91, 0x92, 0x83, 0x80, 0x85, 0x86, 0x8f, 0x8c, 0x89, 0x8a,
- 0xab, 0xa8, 0xad, 0xae, 0xa7, 0xa4, 0xa1, 0xa2, 0xb3, 0xb0, 0xb5, 0xb6, 0xbf, 0xbc, 0xb9, 0xba,
- 0xfb, 0xf8, 0xfd, 0xfe, 0xf7, 0xf4, 0xf1, 0xf2, 0xe3, 0xe0, 0xe5, 0xe6, 0xef, 0xec, 0xe9, 0xea,
- 0xcb, 0xc8, 0xcd, 0xce, 0xc7, 0xc4, 0xc1, 0xc2, 0xd3, 0xd0, 0xd5, 0xd6, 0xdf, 0xdc, 0xd9, 0xda,
- 0x5b, 0x58, 0x5d, 0x5e, 0x57, 0x54, 0x51, 0x52, 0x43, 0x40, 0x45, 0x46, 0x4f, 0x4c, 0x49, 0x4a,
- 0x6b, 0x68, 0x6d, 0x6e, 0x67, 0x64, 0x61, 0x62, 0x73, 0x70, 0x75, 0x76, 0x7f, 0x7c, 0x79, 0x7a,
- 0x3b, 0x38, 0x3d, 0x3e, 0x37, 0x34, 0x31, 0x32, 0x23, 0x20, 0x25, 0x26, 0x2f, 0x2c, 0x29, 0x2a,
- 0x0b, 0x08, 0x0d, 0x0e, 0x07, 0x04, 0x01, 0x02, 0x13, 0x10, 0x15, 0x16, 0x1f, 0x1c, 0x19, 0x1a};
-static const byte lookup_g9[] = {
- 0x00, 0x09, 0x12, 0x1b, 0x24, 0x2d, 0x36, 0x3f, 0x48, 0x41, 0x5a, 0x53, 0x6c, 0x65, 0x7e, 0x77,
- 0x90, 0x99, 0x82, 0x8b, 0xb4, 0xbd, 0xa6, 0xaf, 0xd8, 0xd1, 0xca, 0xc3, 0xfc, 0xf5, 0xee, 0xe7,
- 0x3b, 0x32, 0x29, 0x20, 0x1f, 0x16, 0x0d, 0x04, 0x73, 0x7a, 0x61, 0x68, 0x57, 0x5e, 0x45, 0x4c,
- 0xab, 0xa2, 0xb9, 0xb0, 0x8f, 0x86, 0x9d, 0x94, 0xe3, 0xea, 0xf1, 0xf8, 0xc7, 0xce, 0xd5, 0xdc,
- 0x76, 0x7f, 0x64, 0x6d, 0x52, 0x5b, 0x40, 0x49, 0x3e, 0x37, 0x2c, 0x25, 0x1a, 0x13, 0x08, 0x01,
- 0xe6, 0xef, 0xf4, 0xfd, 0xc2, 0xcb, 0xd0, 0xd9, 0xae, 0xa7, 0xbc, 0xb5, 0x8a, 0x83, 0x98, 0x91,
- 0x4d, 0x44, 0x5f, 0x56, 0x69, 0x60, 0x7b, 0x72, 0x05, 0x0c, 0x17, 0x1e, 0x21, 0x28, 0x33, 0x3a,
- 0xdd, 0xd4, 0xcf, 0xc6, 0xf9, 0xf0, 0xeb, 0xe2, 0x95, 0x9c, 0x87, 0x8e, 0xb1, 0xb8, 0xa3, 0xaa,
- 0xec, 0xe5, 0xfe, 0xf7, 0xc8, 0xc1, 0xda, 0xd3, 0xa4, 0xad, 0xb6, 0xbf, 0x80, 0x89, 0x92, 0x9b,
- 0x7c, 0x75, 0x6e, 0x67, 0x58, 0x51, 0x4a, 0x43, 0x34, 0x3d, 0x26, 0x2f, 0x10, 0x19, 0x02, 0x0b,
- 0xd7, 0xde, 0xc5, 0xcc, 0xf3, 0xfa, 0xe1, 0xe8, 0x9f, 0x96, 0x8d, 0x84, 0xbb, 0xb2, 0xa9, 0xa0,
- 0x47, 0x4e, 0x55, 0x5c, 0x63, 0x6a, 0x71, 0x78, 0x0f, 0x06, 0x1d, 0x14, 0x2b, 0x22, 0x39, 0x30,
- 0x9a, 0x93, 0x88, 0x81, 0xbe, 0xb7, 0xac, 0xa5, 0xd2, 0xdb, 0xc0, 0xc9, 0xf6, 0xff, 0xe4, 0xed,
- 0x0a, 0x03, 0x18, 0x11, 0x2e, 0x27, 0x3c, 0x35, 0x42, 0x4b, 0x50, 0x59, 0x66, 0x6f, 0x74, 0x7d,
- 0xa1, 0xa8, 0xb3, 0xba, 0x85, 0x8c, 0x97, 0x9e, 0xe9, 0xe0, 0xfb, 0xf2, 0xcd, 0xc4, 0xdf, 0xd6,
- 0x31, 0x38, 0x23, 0x2a, 0x15, 0x1c, 0x07, 0x0e, 0x79, 0x70, 0x6b, 0x62, 0x5d, 0x54, 0x4f, 0x46};
-static const byte lookup_g11[] = {
- 0x00, 0x0b, 0x16, 0x1d, 0x2c, 0x27, 0x3a, 0x31, 0x58, 0x53, 0x4e, 0x45, 0x74, 0x7f, 0x62, 0x69,
- 0xb0, 0xbb, 0xa6, 0xad, 0x9c, 0x97, 0x8a, 0x81, 0xe8, 0xe3, 0xfe, 0xf5, 0xc4, 0xcf, 0xd2, 0xd9,
- 0x7b, 0x70, 0x6d, 0x66, 0x57, 0x5c, 0x41, 0x4a, 0x23, 0x28, 0x35, 0x3e, 0x0f, 0x04, 0x19, 0x12,
- 0xcb, 0xc0, 0xdd, 0xd6, 0xe7, 0xec, 0xf1, 0xfa, 0x93, 0x98, 0x85, 0x8e, 0xbf, 0xb4, 0xa9, 0xa2,
- 0xf6, 0xfd, 0xe0, 0xeb, 0xda, 0xd1, 0xcc, 0xc7, 0xae, 0xa5, 0xb8, 0xb3, 0x82, 0x89, 0x94, 0x9f,
- 0x46, 0x4d, 0x50, 0x5b, 0x6a, 0x61, 0x7c, 0x77, 0x1e, 0x15, 0x08, 0x03, 0x32, 0x39, 0x24, 0x2f,
- 0x8d, 0x86, 0x9b, 0x90, 0xa1, 0xaa, 0xb7, 0xbc, 0xd5, 0xde, 0xc3, 0xc8, 0xf9, 0xf2, 0xef, 0xe4,
- 0x3d, 0x36, 0x2b, 0x20, 0x11, 0x1a, 0x07, 0x0c, 0x65, 0x6e, 0x73, 0x78, 0x49, 0x42, 0x5f, 0x54,
- 0xf7, 0xfc, 0xe1, 0xea, 0xdb, 0xd0, 0xcd, 0xc6, 0xaf, 0xa4, 0xb9, 0xb2, 0x83, 0x88, 0x95, 0x9e,
- 0x47, 0x4c, 0x51, 0x5a, 0x6b, 0x60, 0x7d, 0x76, 0x1f, 0x14, 0x09, 0x02, 0x33, 0x38, 0x25, 0x2e,
- 0x8c, 0x87, 0x9a, 0x91, 0xa0, 0xab, 0xb6, 0xbd, 0xd4, 0xdf, 0xc2, 0xc9, 0xf8, 0xf3, 0xee, 0xe5,
- 0x3c, 0x37, 0x2a, 0x21, 0x10, 0x1b, 0x06, 0x0d, 0x64, 0x6f, 0x72, 0x79, 0x48, 0x43, 0x5e, 0x55,
- 0x01, 0x0a, 0x17, 0x1c, 0x2d, 0x26, 0x3b, 0x30, 0x59, 0x52, 0x4f, 0x44, 0x75, 0x7e, 0x63, 0x68,
- 0xb1, 0xba, 0xa7, 0xac, 0x9d, 0x96, 0x8b, 0x80, 0xe9, 0xe2, 0xff, 0xf4, 0xc5, 0xce, 0xd3, 0xd8,
- 0x7a, 0x71, 0x6c, 0x67, 0x56, 0x5d, 0x40, 0x4b, 0x22, 0x29, 0x34, 0x3f, 0x0e, 0x05, 0x18, 0x13,
- 0xca, 0xc1, 0xdc, 0xd7, 0xe6, 0xed, 0xf0, 0xfb, 0x92, 0x99, 0x84, 0x8f, 0xbe, 0xb5, 0xa8, 0xa3};
-static const byte lookup_g13[] = {
- 0x00, 0x0d, 0x1a, 0x17, 0x34, 0x39, 0x2e, 0x23, 0x68, 0x65, 0x72, 0x7f, 0x5c, 0x51, 0x46, 0x4b,
- 0xd0, 0xdd, 0xca, 0xc7, 0xe4, 0xe9, 0xfe, 0xf3, 0xb8, 0xb5, 0xa2, 0xaf, 0x8c, 0x81, 0x96, 0x9b,
- 0xbb, 0xb6, 0xa1, 0xac, 0x8f, 0x82, 0x95, 0x98, 0xd3, 0xde, 0xc9, 0xc4, 0xe7, 0xea, 0xfd, 0xf0,
- 0x6b, 0x66, 0x71, 0x7c, 0x5f, 0x52, 0x45, 0x48, 0x03, 0x0e, 0x19, 0x14, 0x37, 0x3a, 0x2d, 0x20,
- 0x6d, 0x60, 0x77, 0x7a, 0x59, 0x54, 0x43, 0x4e, 0x05, 0x08, 0x1f, 0x12, 0x31, 0x3c, 0x2b, 0x26,
- 0xbd, 0xb0, 0xa7, 0xaa, 0x89, 0x84, 0x93, 0x9e, 0xd5, 0xd8, 0xcf, 0xc2, 0xe1, 0xec, 0xfb, 0xf6,
- 0xd6, 0xdb, 0xcc, 0xc1, 0xe2, 0xef, 0xf8, 0xf5, 0xbe, 0xb3, 0xa4, 0xa9, 0x8a, 0x87, 0x90, 0x9d,
- 0x06, 0x0b, 0x1c, 0x11, 0x32, 0x3f, 0x28, 0x25, 0x6e, 0x63, 0x74, 0x79, 0x5a, 0x57, 0x40, 0x4d,
- 0xda, 0xd7, 0xc0, 0xcd, 0xee, 0xe3, 0xf4, 0xf9, 0xb2, 0xbf, 0xa8, 0xa5, 0x86, 0x8b, 0x9c, 0x91,
- 0x0a, 0x07, 0x10, 0x1d, 0x3e, 0x33, 0x24, 0x29, 0x62, 0x6f, 0x78, 0x75, 0x56, 0x5b, 0x4c, 0x41,
- 0x61, 0x6c, 0x7b, 0x76, 0x55, 0x58, 0x4f, 0x42, 0x09, 0x04, 0x13, 0x1e, 0x3d, 0x30, 0x27, 0x2a,
- 0xb1, 0xbc, 0xab, 0xa6, 0x85, 0x88, 0x9f, 0x92, 0xd9, 0xd4, 0xc3, 0xce, 0xed, 0xe0, 0xf7, 0xfa,
- 0xb7, 0xba, 0xad, 0xa0, 0x83, 0x8e, 0x99, 0x94, 0xdf, 0xd2, 0xc5, 0xc8, 0xeb, 0xe6, 0xf1, 0xfc,
- 0x67, 0x6a, 0x7d, 0x70, 0x53, 0x5e, 0x49, 0x44, 0x0f, 0x02, 0x15, 0x18, 0x3b, 0x36, 0x21, 0x2c,
- 0x0c, 0x01, 0x16, 0x1b, 0x38, 0x35, 0x22, 0x2f, 0x64, 0x69, 0x7e, 0x73, 0x50, 0x5d, 0x4a, 0x47,
- 0xdc, 0xd1, 0xc6, 0xcb, 0xe8, 0xe5, 0xf2, 0xff, 0xb4, 0xb9, 0xae, 0xa3, 0x80, 0x8d, 0x9a, 0x97};
-static const byte lookup_g14[] = {
- 0x00, 0x0e, 0x1c, 0x12, 0x38, 0x36, 0x24, 0x2a, 0x70, 0x7e, 0x6c, 0x62, 0x48, 0x46, 0x54, 0x5a,
- 0xe0, 0xee, 0xfc, 0xf2, 0xd8, 0xd6, 0xc4, 0xca, 0x90, 0x9e, 0x8c, 0x82, 0xa8, 0xa6, 0xb4, 0xba,
- 0xdb, 0xd5, 0xc7, 0xc9, 0xe3, 0xed, 0xff, 0xf1, 0xab, 0xa5, 0xb7, 0xb9, 0x93, 0x9d, 0x8f, 0x81,
- 0x3b, 0x35, 0x27, 0x29, 0x03, 0x0d, 0x1f, 0x11, 0x4b, 0x45, 0x57, 0x59, 0x73, 0x7d, 0x6f, 0x61,
- 0xad, 0xa3, 0xb1, 0xbf, 0x95, 0x9b, 0x89, 0x87, 0xdd, 0xd3, 0xc1, 0xcf, 0xe5, 0xeb, 0xf9, 0xf7,
- 0x4d, 0x43, 0x51, 0x5f, 0x75, 0x7b, 0x69, 0x67, 0x3d, 0x33, 0x21, 0x2f, 0x05, 0x0b, 0x19, 0x17,
- 0x76, 0x78, 0x6a, 0x64, 0x4e, 0x40, 0x52, 0x5c, 0x06, 0x08, 0x1a, 0x14, 0x3e, 0x30, 0x22, 0x2c,
- 0x96, 0x98, 0x8a, 0x84, 0xae, 0xa0, 0xb2, 0xbc, 0xe6, 0xe8, 0xfa, 0xf4, 0xde, 0xd0, 0xc2, 0xcc,
- 0x41, 0x4f, 0x5d, 0x53, 0x79, 0x77, 0x65, 0x6b, 0x31, 0x3f, 0x2d, 0x23, 0x09, 0x07, 0x15, 0x1b,
- 0xa1, 0xaf, 0xbd, 0xb3, 0x99, 0x97, 0x85, 0x8b, 0xd1, 0xdf, 0xcd, 0xc3, 0xe9, 0xe7, 0xf5, 0xfb,
- 0x9a, 0x94, 0x86, 0x88, 0xa2, 0xac, 0xbe, 0xb0, 0xea, 0xe4, 0xf6, 0xf8, 0xd2, 0xdc, 0xce, 0xc0,
- 0x7a, 0x74, 0x66, 0x68, 0x42, 0x4c, 0x5e, 0x50, 0x0a, 0x04, 0x16, 0x18, 0x32, 0x3c, 0x2e, 0x20,
- 0xec, 0xe2, 0xf0, 0xfe, 0xd4, 0xda, 0xc8, 0xc6, 0x9c, 0x92, 0x80, 0x8e, 0xa4, 0xaa, 0xb8, 0xb6,
- 0x0c, 0x02, 0x10, 0x1e, 0x34, 0x3a, 0x28, 0x26, 0x7c, 0x72, 0x60, 0x6e, 0x44, 0x4a, 0x58, 0x56,
- 0x37, 0x39, 0x2b, 0x25, 0x0f, 0x01, 0x13, 0x1d, 0x47, 0x49, 0x5b, 0x55, 0x7f, 0x71, 0x63, 0x6d,
- 0xd7, 0xd9, 0xcb, 0xc5, 0xef, 0xe1, 0xf3, 0xfd, 0xa7, 0xa9, 0xbb, 0xb5, 0x9f, 0x91, 0x83, 0x8d};
-
-// Xor's all elements in a n byte array a by b
-static void xor (byte * a, const byte *b, int n) {
- int i;
- for (i = 0; i < n; i++) {
- a[i] ^= b[i];
- }
-}
-
- // Xor the current cipher state by a specific round key
- static void xor_round_key(byte *state, const byte *keys, int round) {
- xor(state, keys + round * 16, 16);
-}
-
-// Apply the rijndael s-box to all elements in an array
-// http://en.wikipedia.org/wiki/Rijndael_S-box
-static void sub_bytes(byte *a, int n) {
- int i;
- for (i = 0; i < n; i++) {
- a[i] = lookup_sbox[a[i]];
- }
-}
-static void sub_bytes_inv(byte *a, int n) {
- int i;
- for (i = 0; i < n; i++) {
- a[i] = lookup_sbox_inv[a[i]];
- }
-}
-
-// Rotate the first four bytes of the input eight bits to the left
-static void rot_word(byte *a) {
- byte temp = a[0];
- a[0] = a[1];
- a[1] = a[2];
- a[2] = a[3];
- a[3] = temp;
-}
-
-// Perform the core key schedule transform on 4 bytes, as part of the key expansion process
-// http://en.wikipedia.org/wiki/Rijndael_key_schedule#Key_schedule_core
-static void key_schedule_core(byte *a, int i) {
- byte temp = a[0]; // Rotate the output eight bits to the left
- a[0] = a[1];
- a[1] = a[2];
- a[2] = a[3];
- a[3] = temp;
- sub_bytes(a, 4); // Apply Rijndael's S-box on all four individual bytes in the output word
- a[0] ^= lookup_rcon[i]; // On just the first (leftmost) byte of the output word, perform the rcon operation with i
- // as the input, and exclusive or the rcon output with the first byte of the output word
-}
-
-// Expand the 16-byte key to 11 round keys (176 bytes)
-// http://en.wikipedia.org/wiki/Rijndael_key_schedule#The_key_schedule
-void oqs_aes128_load_schedule_c(const uint8_t *key, void **_schedule) {
- *_schedule = malloc(16 * 11);
- assert(*_schedule != NULL);
- uint8_t *schedule = (uint8_t *) *_schedule;
- int bytes = 16; // The count of how many bytes we've created so far
- int i = 1; // The rcon iteration value i is set to 1
- int j; // For repeating the second stage 3 times
- byte t[4]; // Temporary working area known as 't' in the Wiki article
- memcpy(schedule, key, 16); // The first 16 bytes of the expanded key are simply the encryption key
-
- while (bytes < 176) { // Until we have 176 bytes of expanded key, we do the following:
- memcpy(t, schedule + bytes - 4, 4); // We assign the value of the previous four bytes in the expanded key to t
- key_schedule_core(t, i); // We perform the key schedule core on t, with i as the rcon iteration value
- i++; // We increment i by 1
- xor(t, schedule + bytes - 16, 4); // We exclusive-or t with the four-byte block 16 bytes before the new expanded key.
- memcpy(schedule + bytes, t, 4); // This becomes the next 4 bytes in the expanded key
- bytes += 4; // Keep track of how many expanded key bytes we've added
-
- // We then do the following three times to create the next twelve bytes
- for (j = 0; j < 3; j++) {
- memcpy(t, schedule + bytes - 4, 4); // We assign the value of the previous 4 bytes in the expanded key to t
- xor(t, schedule + bytes - 16, 4); // We exclusive-or t with the four-byte block n bytes before
- memcpy(schedule + bytes, t, 4); // This becomes the next 4 bytes in the expanded key
- bytes += 4; // Keep track of how many expanded key bytes we've added
- }
- }
-}
-
-void oqs_aes128_free_schedule_c(void *schedule) {
- if (schedule != NULL) {
- OQS_MEM_secure_free(schedule, 176);
- }
-}
-
-// Expand the 16-byte key to 15 round keys (240 bytes)
-// http://en.wikipedia.org/wiki/Rijndael_key_schedule#The_key_schedule
-void oqs_aes256_load_schedule_c(const uint8_t *key, void **_schedule) {
- *_schedule = malloc(16 * 15);
- assert(*_schedule != NULL);
- uint8_t *schedule = (uint8_t *) *_schedule;
- int i = 0; // The count of how many iterations we've done
- uint8_t t[4]; // Temporary working area
-
- // The first 32 bytes of the expanded key are simply the encryption key
- memcpy(schedule, key, 8 * 4);
-
- // The remaining 240-32 bytes of the expanded key are computed in one of three ways:
- for (i = 8; i < 4 * 15; i++) {
- if (i % 8 == 0) {
- memcpy(t, schedule + 4 * (i - 1), 4); // We assign the value of the previous 4 bytes in the expanded key to t
- sub_bytes(t, 4); // We apply byte-wise substitution to t
- rot_word(t); // We rotate t one byte left
- t[0] ^= lookup_rcon[i / 8]; // We xor in the round constant
- xor(t, schedule + 4 * (i - 8), 4); // We xor in the four-byte block n bytes before
- memcpy(schedule + 4 * i, t, 4); // This becomes the next 4 bytes in the expanded key
- } else if (i % 8 == 4) {
- memcpy(t, schedule + 4 * (i - 1), 4); // We assign the value of the previous 4 bytes in the expanded key to t
- sub_bytes(t, 4); // We apply byte-wise substitution to t
- xor(t, schedule + 4 * (i - 8), 4); // We xor in the four-byte block n bytes before
- memcpy(schedule + 4 * i, t, 4); // This becomes the next 4 bytes in the expanded key
- } else {
- memcpy(t, schedule + 4 * (i - 1), 4); // We assign the value of the previous 4 bytes in the expanded key to t
- xor(t, schedule + 4 * (i - 8), 4); // We xor in the four-byte block n bytes before
- memcpy(schedule + 4 * i, t, 4); // This becomes the next 4 bytes in the expanded key
- }
- }
-}
-
-void oqs_aes256_free_schedule_c(void *schedule) {
- if (schedule != NULL) {
- OQS_MEM_secure_free(schedule, 16 * 15);
- }
-}
-
-// Apply the shift rows step on the 16 byte cipher state
-// http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#The_ShiftRows_step
-static void shift_rows(byte *state) {
- int i;
- byte temp[16];
- memcpy(temp, state, 16);
- for (i = 0; i < 16; i++) {
- state[i] = temp[shift_rows_table[i]];
- }
-}
-static void shift_rows_inv(byte *state) {
- int i;
- byte temp[16];
- memcpy(temp, state, 16);
- for (i = 0; i < 16; i++) {
- state[i] = temp[shift_rows_table_inv[i]];
- }
-}
-
-// Perform the mix columns matrix on one column of 4 bytes
-// http://en.wikipedia.org/wiki/Rijndael_mix_columns
-static void mix_col(byte *state) {
- byte a0 = state[0];
- byte a1 = state[1];
- byte a2 = state[2];
- byte a3 = state[3];
- state[0] = lookup_g2[a0] ^ lookup_g3[a1] ^ a2 ^ a3;
- state[1] = lookup_g2[a1] ^ lookup_g3[a2] ^ a3 ^ a0;
- state[2] = lookup_g2[a2] ^ lookup_g3[a3] ^ a0 ^ a1;
- state[3] = lookup_g2[a3] ^ lookup_g3[a0] ^ a1 ^ a2;
-}
-
-// Perform the mix columns matrix on each column of the 16 bytes
-static void mix_cols(byte *state) {
- mix_col(state);
- mix_col(state + 4);
- mix_col(state + 8);
- mix_col(state + 12);
-}
-
-// Perform the inverse mix columns matrix on one column of 4 bytes
-// http://en.wikipedia.org/wiki/Rijndael_mix_columns
-static void mix_col_inv(byte *state) {
- byte a0 = state[0];
- byte a1 = state[1];
- byte a2 = state[2];
- byte a3 = state[3];
- state[0] = lookup_g14[a0] ^ lookup_g9[a3] ^ lookup_g13[a2] ^ lookup_g11[a1];
- state[1] = lookup_g14[a1] ^ lookup_g9[a0] ^ lookup_g13[a3] ^ lookup_g11[a2];
- state[2] = lookup_g14[a2] ^ lookup_g9[a1] ^ lookup_g13[a0] ^ lookup_g11[a3];
- state[3] = lookup_g14[a3] ^ lookup_g9[a2] ^ lookup_g13[a1] ^ lookup_g11[a0];
-}
-
-// Perform the inverse mix columns matrix on each column of the 16 bytes
-static void mix_cols_inv(byte *state) {
- mix_col_inv(state);
- mix_col_inv(state + 4);
- mix_col_inv(state + 8);
- mix_col_inv(state + 12);
-}
-
-void oqs_aes128_enc_c(const uint8_t *plaintext, const void *_schedule, uint8_t *ciphertext) {
- const uint8_t *schedule = (const uint8_t *) _schedule;
- int i; // To count the rounds
-
- // First Round
- memcpy(ciphertext, plaintext, 16);
- xor_round_key(ciphertext, schedule, 0);
-
- // Middle rounds
- for (i = 0; i < 9; i++) {
- sub_bytes(ciphertext, 16);
- shift_rows(ciphertext);
- mix_cols(ciphertext);
- xor_round_key(ciphertext, schedule, i + 1);
- }
-
- // Final Round
- sub_bytes(ciphertext, 16);
- shift_rows(ciphertext);
- xor_round_key(ciphertext, schedule, 10);
-}
-
-void oqs_aes128_dec_c(const uint8_t *ciphertext, const void *_schedule, uint8_t *plaintext) {
- const uint8_t *schedule = (const uint8_t *) _schedule;
- int i; // To count the rounds
-
- // Reverse the final Round
- memcpy(plaintext, ciphertext, 16);
- xor_round_key(plaintext, schedule, 10);
- shift_rows_inv(plaintext);
- sub_bytes_inv(plaintext, 16);
-
- // Reverse the middle rounds
- for (i = 0; i < 9; i++) {
- xor_round_key(plaintext, schedule, 9 - i);
- mix_cols_inv(plaintext);
- shift_rows_inv(plaintext);
- sub_bytes_inv(plaintext, 16);
- }
-
- // Reverse the first Round
- xor_round_key(plaintext, schedule, 0);
-}
-
-void oqs_aes256_enc_c(const uint8_t *plaintext, const void *_schedule, uint8_t *ciphertext) {
- const uint8_t *schedule = (const uint8_t *) _schedule;
- int i; // To count the rounds
-
- // First Round
- memcpy(ciphertext, plaintext, 16);
- xor_round_key(ciphertext, schedule, 0);
-
- // Middle rounds
- for (i = 0; i < 13; i++) {
- sub_bytes(ciphertext, 16);
- shift_rows(ciphertext);
- mix_cols(ciphertext);
- xor_round_key(ciphertext, schedule, i + 1);
- }
-
- // Final Round
- sub_bytes(ciphertext, 16);
- shift_rows(ciphertext);
- xor_round_key(ciphertext, schedule, 14);
-}
-
-void oqs_aes256_dec_c(const uint8_t *ciphertext, const void *_schedule, uint8_t *plaintext) {
- const uint8_t *schedule = (const uint8_t *) _schedule;
- int i; // To count the rounds
-
- // Reverse the final Round
- memcpy(plaintext, ciphertext, 16);
- xor_round_key(plaintext, schedule, 14);
- shift_rows_inv(plaintext);
- sub_bytes_inv(plaintext, 16);
-
- // Reverse the middle rounds
- for (i = 0; i < 13; i++) {
- xor_round_key(plaintext, schedule, 13 - i);
- mix_cols_inv(plaintext);
- shift_rows_inv(plaintext);
- sub_bytes_inv(plaintext, 16);
- }
-
- // Reverse the first Round
- xor_round_key(plaintext, schedule, 0);
-}
diff --git a/src/ringct20/aes_local.h b/src/ringct20/aes_local.h
deleted file mode 100644
index b5b543889b3c8a70e78b5d92c7278669eb5ec58f..0000000000000000000000000000000000000000
--- a/src/ringct20/aes_local.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * \file aes_local.h
- * \brief Header defining additional internal functions for OQS AES
- */
-
-#ifndef __OQS_AES_LOCAL_H
-#define __OQS_AES_LOCAL_H
-
-#include <stdint.h>
-#include <stdlib.h>
-#include "common.h"
-
-void oqs_aes128_ecb_enc_ni(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
-void oqs_aes128_ecb_dec_ni(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
-void oqs_aes128_ecb_enc_sch_ni(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
-void oqs_aes128_ecb_dec_sch_ni(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
-
-void oqs_aes128_load_schedule_c(const uint8_t *key, void **schedule);
-void oqs_aes128_free_schedule_c(void *schedule);
-void oqs_aes128_enc_c(const uint8_t *plaintext, const void *schedule, uint8_t *ciphertext);
-void oqs_aes128_dec_c(const uint8_t *ciphertext, const void *schedule, uint8_t *plaintext);
-void oqs_aes128_ecb_enc_c(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
-void oqs_aes128_ecb_dec_c(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
-void oqs_aes128_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
-void oqs_aes128_ecb_dec_sch_c(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
-
-#ifdef USE_OPENSSL
-void oqs_aes128_load_schedule_ossl(const uint8_t *key, void **schedule, int for_encryption);
-void oqs_aes128_free_schedule_ossl(void *schedule);
-void oqs_aes128_ecb_enc_ossl(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
-void oqs_aes128_ecb_dec_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
-void oqs_aes128_ecb_enc_sch_ossl(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
-void oqs_aes128_ecb_dec_sch_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
-#endif
-
-void oqs_aes256_load_schedule_c(const uint8_t *key, void **schedule);
-void oqs_aes256_free_schedule_c(void *schedule);
-void oqs_aes256_enc_c(const uint8_t *plaintext, const void *schedule, uint8_t *ciphertext);
-void oqs_aes256_dec_c(const uint8_t *ciphertext, const void *schedule, uint8_t *plaintext);
-void oqs_aes256_ecb_enc_c(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
-void oqs_aes256_ecb_dec_c(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
-void oqs_aes256_ecb_enc_sch_c(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
-void oqs_aes256_ecb_dec_sch_c(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
-
-#ifdef USE_OPENSSL
-void oqs_aes256_load_schedule_ossl(const uint8_t *key, void **schedule, int for_encryption);
-void oqs_aes256_free_schedule_ossl(void *schedule);
-void oqs_aes256_ecb_enc_ossl(const uint8_t *plaintext, const size_t plaintext_len, const uint8_t *key, uint8_t *ciphertext);
-void oqs_aes256_ecb_dec_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const uint8_t *key, uint8_t *plaintext);
-void oqs_aes256_ecb_enc_sch_ossl(const uint8_t *plaintext, const size_t plaintext_len, const void *schedule, uint8_t *ciphertext);
-void oqs_aes256_ecb_dec_sch_ossl(const uint8_t *ciphertext, const size_t ciphertext_len, const void *schedule, uint8_t *plaintext);
-#endif
-
-#endif
diff --git a/src/ringct20/fips202.h b/src/ringct20/fips202.h
deleted file mode 100644
index 19f1fc16ec574ff52dc849c063f51b8207797cdd..0000000000000000000000000000000000000000
--- a/src/ringct20/fips202.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef FIPS202_H
-#define FIPS202_H
-
-#include <stdint.h>
-
-#define SHAKE128_RATE 168
-#define SHAKE256_RATE 136
-
-void shake128_absorb(uint64_t *s, const unsigned char *input, unsigned long long inputByteLen);
-void shake128_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s);
-void shake256(unsigned char *output, unsigned long long outputByteLen, const unsigned char *input, unsigned long long inputByteLen);
-
-#endif
diff --git a/src/ringct20/oqs.h b/src/ringct20/oqs.h
deleted file mode 100644
index fc0a3dcd101a36a574da45a888909a988d8d69a9..0000000000000000000000000000000000000000
--- a/src/ringct20/oqs.h
+++ /dev/null
@@ -1,18 +0,0 @@
-/**
- * \file oqs.h
- * \brief Overall header file for liboqs.
- *
- * C programs using liboqs can include just this one file, and it will include all
- * other necessary headers from liboqs.
- */
-
-#ifndef __OQS_H
-#define __OQS_H
-
-#include "common.h"
-#include "aes.h"
-#include "sha3.h"
-#include "rand.h"
-
-
-#endif // __OQS_H
diff --git a/src/ringct20/poly.c b/src/ringct20/poly.c
index d954590c7abddcdef912c7245b210e3ab08066c0..cfb07a8af1bc0a0629ef634f23ca49ca4c1f14f6 100644
--- a/src/ringct20/poly.c
+++ b/src/ringct20/poly.c
@@ -2,8 +2,8 @@
#include "ntt.h"
#include "reduce.h"
-#include "sha3.h"
-
+//#include "sha3.h"
+#include"sha3/fips202.h"
void poly_init(poly_ringct20 *r)
{
@@ -238,28 +238,28 @@ void poly_tomsg(unsigned char *msg, const poly_ringct20 *x) {
void poly_uniform_ringct20(poly_ringct20 *a, const unsigned char *seed) {
unsigned int ctr = 0;
uint16_t val;
- uint64_t state[OQS_SHA3_STATESIZE];
- uint8_t buf[OQS_SHA3_CSHAKE128_RATE];
+ uint64_t state[SHA3_STATESIZE];
+ uint8_t buf[SHAKE128_RATE];
uint8_t extseed[NEWHOPE_SYMBYTES + 1];
int i, j, k;
for (i = 0; i < NEWHOPE_SYMBYTES; i++)
extseed[i] = seed[i];
- for (i = 0; i < OQS_SHA3_STATESIZE; ++i)
+ for (i = 0; i < SHA3_STATESIZE; ++i)
state[i] = 0;
for (i = 0; i < NEWHOPE_N / 64; i++) /* generate a in blocks of 64 coefficients */
{
ctr = 0;
extseed[NEWHOPE_SYMBYTES] = i; /* domain-separate the 16 independent calls */
- for (k = 0; k < OQS_SHA3_STATESIZE; ++k)
+ for (k = 0; k < SHA3_STATESIZE; ++k)
state[k] = 0;
- OQS_SHA3_shake128_absorb(state, extseed, NEWHOPE_SYMBYTES + 1);
+ shake128_absorb(state, extseed, NEWHOPE_SYMBYTES + 1);
while (ctr < 64) /* Very unlikely to run more than once */
{
- OQS_SHA3_shake128_squeezeblocks(buf, 1, state);
- for (j = 0; j < OQS_SHA3_CSHAKE128_RATE && ctr < 64; j += 2) {
+ shake128_squeezeblocks(buf, 1, state);
+ for (j = 0; j < SHAKE128_RATE && ctr < 64; j += 2) {
val = (buf[j] | ((uint16_t) buf[j + 1] << 8));
if (val < 5 * NEWHOPE_Q) {
a->coeffs[i * 64 + ctr] = val;
@@ -312,7 +312,7 @@ void poly_sample(poly_ringct20 *r, const unsigned char *seed, unsigned char nonc
for (i = 0; i < NEWHOPE_N / 64; i++) /* Generate noise in blocks of 64 coefficients */
{
extseed[NEWHOPE_SYMBYTES + 1] = i;
- OQS_SHA3_shake256(buf, 128, extseed, NEWHOPE_SYMBYTES + 2);
+ shake256(buf, 128, extseed, NEWHOPE_SYMBYTES + 2);
for (j = 0; j < 64; j++) {
a = buf[2 * j];
b = buf[2 * j + 1];
diff --git a/src/ringct20/ring.c b/src/ringct20/ring.c
index 06f9c65738f37b45ff6c7557bd662defd4b14516..67c70469b548c4c0c01138eb24fdcc85d255ff3e 100644
--- a/src/ringct20/ring.c
+++ b/src/ringct20/ring.c
@@ -1,8 +1,8 @@
#include <stdio.h>
#include "ring.h"
-//#include "rand.h"
#include "common.h"
#include "sha256.h"
+#include"sha3/fips202.h"
void LRCT_SampleKey(poly_ringct20 *r, size_t mLen)
@@ -116,7 +116,7 @@ void LRCT_SigGen(poly_ringct20 *c1, poly_ringct20 **t, poly_ringct20 *h, poly_ri
SHA256_Final(bHash, &ctx);//C_(pai+1)
SHA256_KDF(bHash, 32, NEWHOPE_POLYBYTES, bt);
poly_frombytes(&c, bt);
- poly_serial(&c);
+ poly_serial(&c);
//poly_print(&c);
/////////////////////////////////////
for ( i = 0; i < (w-1); i++)
@@ -163,10 +163,14 @@ void LRCT_SigGen(poly_ringct20 *c1, poly_ringct20 **t, poly_ringct20 *h, poly_ri
SHA256_KDF(bHash, 32, NEWHOPE_POLYBYTES, bt);
poly_frombytes(&c, bt);
poly_serial(&c);//C_{j+1}
- if (j == (pai-1))
+ if (j == (w + pai-1)%w)
{
poly_cofcopy(&cpai, &c);
- break;
+ if(pai == 0)
+ {
+ poly_cofcopy(c1, &c);
+ }
+ break;
}
}
diff --git a/src/ringct20/ring_test.c b/src/ringct20/ring_test.c
deleted file mode 100644
index 192347fc4759f0ab8b3a16afa6ee6c3ee58494b0..0000000000000000000000000000000000000000
--- a/src/ringct20/ring_test.c
+++ /dev/null
@@ -1,428 +0,0 @@
-#include "ring.h"
-//#include "rand.h"
-#include "common.h"
-
-#define MSIZE 2
-#define WSIZE 3
-#define NSIZE 3
-
-void LRCT_Byte_Test()
-{
- poly_ringct20 a, ra;
- uint8_t seed[NEWHOPE_SYMBYTES] = { 0 };
- unsigned char bCof[NEWHOPE_POLYBYTES] = { 0 };
- OQS_randombytes(seed, NEWHOPE_SYMBYTES);
- poly_uniform_ringct20(&a, seed);
- printf("begin:\n");
- poly_print(&a);
- printf("serial:\n");
- poly_serial(&a);
- poly_print(&a);
- poly_tobytes(bCof, &a);
- printf("ra:\n");
- poly_frombytes(&ra, bCof);
- poly_print(&ra);
-
-
-}
-
-
-void LRCT_Setup_Test()
-{
- poly_ringct20 A[2], H[2];
- poly_ringct20 S[2];
- poly_ringct20 L[2];
- poly_ringct20 h;
- poly_ringct20 u[3];
- poly_ringct20 c1;
- poly_ringct20* t[2];
- unsigned char msg[2] = { 0x01, 0x02 };
- int msgLen = 2;
- unsigned char bt[NEWHOPE_POLYBYTES] = { 0 };
- size_t mLen = 2;
- size_t i = 0;
- size_t k = 0;
- int result = 0;
- int w = 2;
- int pai = 1;
-
- t[0] = (poly_ringct20 *)malloc((3) * sizeof(poly_ringct20));
- t[1] = (poly_ringct20 *)malloc((3) * sizeof(poly_ringct20));
-
- for (i = 0; i < 2; i++)
- {
- for (k = 0; k < 3; k++)
- {
- poly_init(t[i] + k);
- }
-
- }
- LRCT_Setup(A, H, 2);
- LRCT_SampleKey(S, 2);
- LRCT_KeyGen(L, A, S, 2);
- LRCT_SampleKey(S, 2);
- LRCT_KeyGen(L+1, A, S, 2);
-
- for (k = 0; k < 3; k++)
- {
- OQS_randombytes(bt, NEWHOPE_POLYBYTES);
- poly_frombytes(u + k, bt);
- poly_serial(u + k);
- ///poly_print(u+k);
- }
- //printf("====================================\n");
- LRCT_SigGen(&c1, t, &h, A, H,S, u, mLen, L, w,pai, msg, msgLen);
- // printf("c1\n");
- // poly_print(&c1);
- //printf("=================\n");
- result = LRCT_SigVer(&c1, t, A, H, mLen, &h, L,w, msg, msgLen);
- if (result ==1)
- {
- printf("Successful!\n");
- }
- else
- {
- printf("fail\n");
- }
- free(t[0]);
- free(t[1]);
-
-}
-
-void MIMO_LRCT_Setup_Test()
-{
- poly_ringct20 A[MSIZE], H[MSIZE];
- poly_ringct20 SList[MSIZE*NSIZE];
- poly_ringct20 S[MSIZE];
- poly_ringct20 LList[NSIZE*WSIZE];
- poly_ringct20 hList[NSIZE];
- poly_ringct20 c1;
- poly_ringct20 tList[NSIZE*WSIZE*(MSIZE+1)];
- int i, j, k;
- int pai = 2;
- unsigned char msg[2] = { 0x01, 0x02 };
- int msgLen = 2;
- int result = 0;
- MIMO_LRCT_Setup(A, H, MSIZE);
- for ( i = 0; i < NSIZE; i++)
- {
- LRCT_SampleKey(SList + i*MSIZE, MSIZE);
- MIMO_LRCT_KeyGen(LList + i*WSIZE + (pai-1) , A, SList + i * MSIZE, MSIZE);
- }
- for ( i = 0; i < WSIZE; i++)
- {
- if (i != pai-1)
- {
- for (j = 0; j < NSIZE; j++)
- {
- LRCT_SampleKey(S, MSIZE);
- MIMO_LRCT_KeyGen(LList + j* WSIZE + i, A, S, MSIZE);
- }
- }
-
- }
- MIMO_LRCT_SigGen(&c1, tList, hList, SList, NSIZE, A, H, MSIZE, LList, WSIZE, pai, msg, msgLen);
- result = MIMO_LRCT_SigVer(&c1, tList, hList, NSIZE, A, H, MSIZE, LList, WSIZE, msg, msgLen);
- if (result == 1)
- {
- printf("Successful!\n");
- }
- else
- {
- printf("fail\n");
- }
-
-}
-///spent coins
-void LRCT_Spent_Test()
-{
- poly_ringct20 A[MSIZE], H[MSIZE];
- poly_ringct20 skPai[MSIZE], pkPai;
- poly_ringct20 ckPai[MSIZE];
- poly_ringct20* t[WSIZE];
- unsigned char bMessage[4] = { 0x01, 0x02, 0x03, 0x4 };
- size_t msglen = 4;
- IW iw;
- //////////////////
- poly_ringct20 skOA[MSIZE];
- poly_ringct20 pkOA;
- IW iwOA;
- poly_ringct20 ckOA[MSIZE];
- ////////////////////
- IW iwList[WSIZE];
- poly_ringct20 skTmp[MSIZE];
- poly_ringct20 pkList[WSIZE];
- poly_ringct20 ckList[WSIZE][MSIZE];
- unsigned char bListMessage[2] = { 0x01, 0x02};
- size_t msgListlen = 2;
- int i = 0;
- ///////////////////
- poly_ringct20 L[WSIZE];
- int paiIndex = 1;
- poly_ringct20 c1, h;
- unsigned char bSignMessage[3] = { 0x01, 0x02, 0x03 };
- size_t msgSignlen = 3;
- int result =0;
- size_t k = 0;
- /////////////////
- for ( i = 0; i < WSIZE; i++)
- {
- t[i] = (poly_ringct20 *)malloc((MSIZE+1) * sizeof(poly_ringct20));
- for (k = 0; k < MSIZE+1; k++)
- {
- poly_init(t[i] + k);
- }
- }
- ///////////////////
- LRCT_Setup(A, H, MSIZE);
- LRCT_SampleKey(skPai, MSIZE);
- LRCT_KeyGen(&pkPai, A, skPai, MSIZE);//A*S+0
- LRCT_Mint(&iw, ckPai, &pkPai, A, MSIZE, bMessage, msglen);//A*ck + $
- ///
- LRCT_SampleKey(skOA, MSIZE);
- LRCT_KeyGen(&pkOA, A, skOA, MSIZE);//
- //LRCT_Mint(&iwOA, ckOA, &pkOA, A, MSIZE, bMessage, msglen);
- //////
- for( i = 0; i < WSIZE; i++)
- {
- if (i == paiIndex)
- {
- poly_cofcopy(&iwList[i].a, &iw.a);
- poly_cofcopy(&iwList[i].cn, &iw.cn);
- }
- else
- {
- LRCT_SampleKey(skTmp, MSIZE);
- LRCT_KeyGen(pkList + i, A, skTmp, MSIZE);//A*S+0
- LRCT_Mint(iwList + i, ckList[i], pkList + i, A, MSIZE, bListMessage, msgListlen);
- }
-
- }
- LRCT_Spend(&iwOA, ckOA, &c1, t, &h, L, bSignMessage, msgSignlen, iwList, WSIZE, paiIndex, skPai, ckPai, bMessage, msglen, &pkOA, A, H, MSIZE);
- result = LRCT_Verify(&c1, t, &h, A, H, MSIZE, bSignMessage, msgSignlen, L, WSIZE);
- if (result == 1)
- {
- printf("Successful!\n");
- }
- else
- {
- printf("fail\n");
- }
- for (i = 0; i < WSIZE; i++)
- {
- free(t[i]);
- }
-}
-
-
-void LRCT_Mul_Test()
-{
- poly_ringct20 A[2], H[2], H2[2];
- poly_ringct20 h,h1,r;
- poly_ringct20 S[2];
- LRCT_Setup(A, H, 2);
- LRCT_SampleKey(S, 2);
-
- LRCT_MatrixMulPoly(&h, H, S, 2);
-
-
- for (size_t i = 0; i < NEWHOPE_N; i++)
- {
- h.coeffs[i] = coeff_freeze2Q(NEWHOPE_2Q + NEWHOPE_Q - h.coeffs[i] * 2);
- }
- LRCT_ConstMulMatrix(H2, H, 2, 2);
- LRCT_MatrixMulPoly(&h1, H2, S, 2);
- poly_add_ringct20(&r, &h1, &h);
- poly_print(&r);
-
-
-}
-void LRCT_MatrixMulVect_Test()
-{
- poly_ringct20 A[2], H[2];
- LRCT_Setup(A, H, 2);
- uint8_t bt[2] = { 0 };
- bt[0] = 1;
- bt[1] = 2;
-
-
-}
-void LRCT_Lift_Test()
-{
- poly_ringct20 A[2], H[2], LA[3], H2[3];
- poly_ringct20 h;
- poly_ringct20 S[2];
- LRCT_SampleKey(S, 2);
- LRCT_Setup(A, H, 2);
- LRCT_MatrixMulPoly(&h, H, S, 2);
- LRCT_Lift(LA, H, &h, 2);
- ////////////////////////////////////
- LRCT_ConstMulMatrix(H2, H, 2, 2);
- for (size_t i = 0; i < NEWHOPE_N; i++)
- {
- H2[2].coeffs[i] = coeff_freeze2Q(NEWHOPE_2Q + NEWHOPE_Q - h.coeffs[i] * 2);
- }
- for (size_t i = 0; i < 3; i++)
- {
- if (poly_equal(LA + i, H2 + i) != 1)
- {
- printf("Lift error_%d!\n", i);
- }
- }
-}
-void LRCT_KDF_Test()
-{
-
-}
-
-void LRCT_Com_Test()
-{
- IW iw;
- poly_ringct20 ck[2];
- size_t mLen = 2;
- poly_ringct20 A[2], H[2], sk[2];
- unsigned char bMessage[4] = { 0x01, 0x02, 0x03, 0x4 };
- size_t msglen = 4;
- poly_ringct20 a;
- LRCT_Setup(A, H, mLen);
- LRCT_SampleKey(sk, mLen);
- LRCT_KeyGen(&a, A, sk, mLen);
- printf("public key:");
- poly_print(&a);
- LRCT_Mint(&iw, ck, &a, A, mLen, bMessage, msglen);
- printf("a:\n");
- poly_print(&(iw.a));
- printf("cn:\n");
- poly_print(&(iw.cn));
-}
-//ntt_ringct20 transformation test
-void LRCT_Fun_Test()
-{
- uint8_t seed[NEWHOPE_SYMBYTES] = { 0 };
- poly_ringct20 a;
- OQS_randombytes(seed, NEWHOPE_SYMBYTES);
- poly_uniform_ringct20(&a, seed);
- poly_serial(&a);
- ////////////
- printf("begin:\n");
- poly_print(&a);
- //////
- poly_ntt_ringct20(&a);
- printf("after:\n");
- poly_print(&a);
- ////
- poly_invntt(&a);
- printf("recover:\n");
- poly_print(&a);
-
-}
-//Shift test
-void LRCT_Shift_Test()
-{
- poly_ringct20 r, a;
- poly_init(&r);
- poly_init(&a);
- r.coeffs[NEWHOPE_N - 1] = 1;
- r.coeffs[0] = 1;
-
- poly_ntt_ringct20(&r);
- poly_shift(&a, &r, 1);
- poly_invntt(&a);
-
- poly_serial(&a);
- poly_print(&a);
-}
-void LRCT_ComHom_Test()
-{
- unsigned char message[2] = { 0xF0, 0x0F };
- int messLen = 2;
- int messBitLen = messLen*8;
- int i = 0;
- unsigned char bitTmp = 0;
- poly_ringct20 *CKi = (poly_ringct20 *)malloc((MSIZE*(messBitLen)) * sizeof(poly_ringct20));
- poly_ringct20 *comList = (poly_ringct20 *)malloc(((messBitLen)) * sizeof(poly_ringct20));
- poly_ringct20 A[MSIZE], H[MSIZE], sk[MSIZE], ck0[MSIZE], tmpM[MSIZE];
- poly_ringct20 a, r, tmp;
-
- poly_init(&a);
- poly_init(&tmp);
- poly_init(&r);
- for ( i = 0; i < MSIZE; i++)
- {
- poly_init(ck0 + i);
- }
- LRCT_Setup(A, H, MSIZE);
- LRCT_SampleKey(sk, MSIZE);
- //left
- LRCT_nttCom(&r, A, sk, MSIZE, message, messLen);
- //right
- for (i = 1; i < messBitLen; i++)
- {
- LRCT_SampleKey(CKi + i*MSIZE, MSIZE);
- }
-
- LRCT_GetCK0(CKi, sk, MSIZE, CKi+MSIZE, messBitLen-1);
-
- for ( i = 0; i < messBitLen; i++)
- {
- LRCT_MatrixShift(tmpM, CKi+i*MSIZE, MSIZE, i);
- LRCT_MatrixAddMatrix(ck0, ck0, tmpM, MSIZE);
- }
- for ( i = 0; i < MSIZE; i++)
- {
- if (poly_equal(ck0 + i, sk + i) != 1)
- {
- printf("error\n");
- break;
- }
- }
-
- for ( i = 0; i < messLen; i++)
- {
- bitTmp = (message[i] & 0x01);
- LRCT_nttCom(comList + i * 8, A, CKi + (i * 8) * MSIZE, MSIZE, &bitTmp, 1);
- //////////////////////////////
- bitTmp = (message[i] & 0x02)>>1;
- LRCT_nttCom(comList + i * 8 + 1, A, CKi + (i * 8 + 1) * MSIZE, MSIZE, &bitTmp, 1);
- ////////////
- bitTmp = (message[i] & 0x04)>>2;
- LRCT_nttCom(comList + i * 8 + 2, A, CKi + (i * 8 + 2) * MSIZE, MSIZE, &bitTmp, 1);
- ////////////
- bitTmp = (message[i] & 0x08)>>3;
- LRCT_nttCom(comList + i * 8 + 3, A, CKi + (i * 8 + 3) * MSIZE, MSIZE, &bitTmp, 1);
-
- ////////////
- bitTmp = (message[i] & 0x10)>>4;
- LRCT_nttCom(comList + i * 8 + 4, A, CKi + (i * 8 + 4) * MSIZE, MSIZE, &bitTmp, 1);
-
- ////////////
- bitTmp = (message[i] & 0x20)>>5;
- LRCT_nttCom(comList + i * 8 + 5, A, CKi + (i * 8 + 5) * MSIZE, MSIZE, &bitTmp, 1);
-
- ////////////
- bitTmp = (message[i] & 0x40)>>6;
- LRCT_nttCom(comList + i * 8 + 6, A, CKi + (i * 8 + 6) * MSIZE, MSIZE, &bitTmp, 1);
-
- ////////////
- bitTmp = (message[i] & 0x80)>>7;
- LRCT_nttCom(comList + i * 8 + 7, A, CKi + (i * 8 + 7) * MSIZE, MSIZE, &bitTmp, 1);
- }
- //poly_cofcopy(&a, comList);
- for ( i = 0; i < messBitLen; i++)
- {
- poly_shift(&tmp, comList + i, i);
- poly_add_ringct20(&a, &a, &tmp);
- }
- printf("a:\n");
- poly_print(&a);
- printf("r:\n");
- poly_print(&r);
- if (poly_equal(&a, &r) == 1)
- {
- printf("successfull\n");
- }
- else
- printf("\nfail\n");
- free(CKi);
- free(comList);
-}
diff --git a/src/ringct20/ring_test.h b/src/ringct20/ring_test.h
deleted file mode 100644
index 263ac05d102b90a92979abe5f67ec2d98af30578..0000000000000000000000000000000000000000
--- a/src/ringct20/ring_test.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef RING_TEST_H
-#define RING_TEST_H
-
-#include "ring.h"
-
-
-/**/
-void LRCT_Byte_Test();
-/***function: setup test*/
-void LRCT_Setup_Test();
-void LRCT_Spent_Test();
-void MIMO_LRCT_Setup_Test();
-/***/
-void LRCT_Com_Test();
-//
-void LRCT_Mul_Test();
-void LRCT_MatrixMulVect_Test();
-//
-void LRCT_Lift_Test();
-//
-void LRCT_KDF_Test();
-//
-void LRCT_Fun_Test();
-void LRCT_Shift_Test();
-void LRCT_ComHom_Test();
-
-
-
-#endif
-#pragma once
diff --git a/src/ringct20/sha256.c b/src/ringct20/sha256.c
index 75e88743731a135eea61c39be651f5471fa8534f..eee466a76c42e656d2b3a9f839c3184f5e3daf68 100644
--- a/src/ringct20/sha256.c
+++ b/src/ringct20/sha256.c
@@ -26,7 +26,7 @@ static void uint8_to_uint32(uint32 *output, const uint8 *input, const size_t len
#define G0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
#define G1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
-static const uint32 K[64] = {
+static const uint32 Key_out[64] = {
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
@@ -61,7 +61,7 @@ static void SHA256_compress(SHA256_CTX *ctx)
}
else
W[i] = G1(W[i-2]) + W[i-7] + G0(W[i-15]) + W[i-16];
- T1 = h + F1(e) + CH(e, f, g) + K[i] + W[i];
+ T1 = h + F1(e) + CH(e, f, g) + Key_out[i] + W[i];
T2 = F0(a) + MAJ(a, b, c);
h = g;
g = f;
@@ -161,28 +161,28 @@ unsigned char *SHA256(unsigned char *md, const unsigned char *data, size_t len)
return md;
}
-void SHA256_KDF(unsigned char *Z, unsigned short zlen, unsigned short klen, unsigned char *K)
+void SHA256_KDF(unsigned char *Z, unsigned short input_len, unsigned short K_out_byte_len, unsigned char *Key_out)
{
unsigned short i, j, t;
unsigned int bitklen;
SHA256_CTX md;
unsigned char Ha[SHA256_len / 8];
unsigned char ct[4] = { 0,0,0,1 };
- bitklen = klen * 8;
+ bitklen = K_out_byte_len * 8;
//set number of output blocks
if (bitklen%SHA256_len)
t = bitklen / SHA256_len + 1;
else
t = bitklen / SHA256_len;
- //s4: K=Ha1||Ha2||...
+ //s4: Key_out=Ha1||Ha2||...
for (i = 1; i<t; i++)
{
//s2: Hai=Hv(Z||ct)
SHA256_Init(&md);
- SHA256_Update(&md, Z, zlen);
+ SHA256_Update(&md, Z, input_len);
SHA256_Update(&md, ct, 4);
SHA256_Final(Ha, &md);
- memcpy((K + (SHA256_len / 8)*(i - 1)), Ha, SHA256_len / 8);
+ memcpy((Key_out + (SHA256_len / 8)*(i - 1)), Ha, SHA256_len / 8);
if (ct[3] == 0xff)
{
ct[3] = 0;
@@ -200,20 +200,20 @@ void SHA256_KDF(unsigned char *Z, unsigned short zlen, unsigned short klen, uns
}
else ct[3]++;
}
- //s3: klen/v proccessing part block?
+ //s3: K_out_byte_len/v proccessing part block?
SHA256_Init(&md);
- SHA256_Update(&md, Z, zlen);
+ SHA256_Update(&md, Z, input_len);
SHA256_Update(&md, ct, 4);
SHA256_Final(Ha, &md);
if (bitklen%SHA256_len)
{
i = (SHA256_len - bitklen + SHA256_len * (bitklen / SHA256_len)) / 8;
j = (bitklen - SHA256_len * (bitklen / SHA256_len)) / 8;
- memcpy((K + (SHA256_len / 8)*(t - 1)), Ha, j);
+ memcpy((Key_out + (SHA256_len / 8)*(t - 1)), Ha, j);
}
else
{
- memcpy((K + (SHA256_len / 8)*(t - 1)), Ha, SHA256_len / 8);
+ memcpy((Key_out + (SHA256_len / 8)*(t - 1)), Ha, SHA256_len / 8);
}
}
diff --git a/src/ringct20/sha256.h b/src/ringct20/sha256.h
index 80967da388d569276162a587976b6a164da46229..7910b1b7813ad3fb7da2ef26036cc6fdaeb85b32 100644
--- a/src/ringct20/sha256.h
+++ b/src/ringct20/sha256.h
@@ -28,4 +28,4 @@ void SHA256_KDF(unsigned char *Z, unsigned short zlen, unsigned short klen, uns
#endif/* USE_SHA256 */
/******************************************************************************/
-#endif/* _DIGEST_H */
\ No newline at end of file
+#endif/* _DIGEST_H */
diff --git a/src/ringct20/sha3.c b/src/ringct20/sha3.c
deleted file mode 100644
index 9529497c23567892a5650f1a9f5ee31eed587a46..0000000000000000000000000000000000000000
--- a/src/ringct20/sha3.c
+++ /dev/null
@@ -1,2452 +0,0 @@
-/********************************************************************************************
-* SHA3-derived functions: SHA3-256, SHA3-512, SHAKE, and cSHAKE
-*
-* Based on the public domain implementation in crypto_hash/keccakc512/simple/
-* from http://bench.cr.yp.to/supercop.html by Ronny Van Keer
-* and the public domain "TweetFips202" implementation from https://twitter.com/tweetfips202
-* by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe
-*
-* See NIST Special Publication 800-185 for more information:
-* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf
-*
-* Updated by John Underhill, December 24, 2017
-*********************************************************************************************/
-
-#include "sha3.h"
-
-#define SHA3_CSHAKE_DOMAIN 0x04
-#define SHA3_CSHAKE128_RATE 168
-#define SHA3_CSHAKE256_RATE 136
-#define SHA3_SHA3_DOMAIN 0x06
-#define SHA3_SHA3_256_RATE 136
-#define SHA3_SHA3_512_RATE 72
-#define SHA3_SHAKE_DOMAIN 0x1F
-#define SHA3_SHAKE128_RATE 168
-#define SHA3_SHAKE256_RATE 136
-#define SHA3_STATESIZE 25
-
-/* Internal */
-
-static uint64_t load64(const uint8_t *a) {
- uint64_t r = 0;
- size_t i;
-
- for (i = 0; i < 8; ++i) {
- r |= (uint64_t) a[i] << 8 * i;
- }
-
- return r;
-}
-
-static uint64_t rotl64(const uint64_t x, uint32_t shift) {
- return (x << shift) | (x >> (64 - shift));
-}
-
-static void store64(uint8_t *a, uint64_t x) {
- size_t i;
-
- for (i = 0; i < 8; ++i) {
- a[i] = x & 0xFF;
- x >>= 8;
- }
-}
-
-/* SHA3 */
-
-void OQS_SHA3_keccak_permute(uint64_t *state) {
- uint64_t Aba = state[0];
- uint64_t Abe = state[1];
- uint64_t Abi = state[2];
- uint64_t Abo = state[3];
- uint64_t Abu = state[4];
- uint64_t Aga = state[5];
- uint64_t Age = state[6];
- uint64_t Agi = state[7];
- uint64_t Ago = state[8];
- uint64_t Agu = state[9];
- uint64_t Aka = state[10];
- uint64_t Ake = state[11];
- uint64_t Aki = state[12];
- uint64_t Ako = state[13];
- uint64_t Aku = state[14];
- uint64_t Ama = state[15];
- uint64_t Ame = state[16];
- uint64_t Ami = state[17];
- uint64_t Amo = state[18];
- uint64_t Amu = state[19];
- uint64_t Asa = state[20];
- uint64_t Ase = state[21];
- uint64_t Asi = state[22];
- uint64_t Aso = state[23];
- uint64_t Asu = state[24];
-
- /* round 1 */
- uint64_t Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- uint64_t Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- uint64_t Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- uint64_t Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- uint64_t Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- uint64_t Da = Cu ^ rotl64(Ce, 1);
- uint64_t De = Ca ^ rotl64(Ci, 1);
- uint64_t Di = Ce ^ rotl64(Co, 1);
- uint64_t Do = Ci ^ rotl64(Cu, 1);
- uint64_t Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- uint64_t Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x0000000000000001ULL;
- uint64_t Ebe = Ce ^ ((~Ci) & Co);
- uint64_t Ebi = Ci ^ ((~Co) & Cu);
- uint64_t Ebo = Co ^ ((~Cu) & Ca);
- uint64_t Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- uint64_t Ega = Ca ^ ((~Ce) & Ci);
- uint64_t Ege = Ce ^ ((~Ci) & Co);
- uint64_t Egi = Ci ^ ((~Co) & Cu);
- uint64_t Ego = Co ^ ((~Cu) & Ca);
- uint64_t Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- uint64_t Eka = Ca ^ ((~Ce) & Ci);
- uint64_t Eke = Ce ^ ((~Ci) & Co);
- uint64_t Eki = Ci ^ ((~Co) & Cu);
- uint64_t Eko = Co ^ ((~Cu) & Ca);
- uint64_t Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- uint64_t Ema = Ca ^ ((~Ce) & Ci);
- uint64_t Eme = Ce ^ ((~Ci) & Co);
- uint64_t Emi = Ci ^ ((~Co) & Cu);
- uint64_t Emo = Co ^ ((~Cu) & Ca);
- uint64_t Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- uint64_t Esa = Ca ^ ((~Ce) & Ci);
- uint64_t Ese = Ce ^ ((~Ci) & Co);
- uint64_t Esi = Ci ^ ((~Co) & Cu);
- uint64_t Eso = Co ^ ((~Cu) & Ca);
- uint64_t Esu = Cu ^ ((~Ca) & Ce);
- /* round 2 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x0000000000008082ULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
- /* round 3 */
- Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x800000000000808AULL;
- Ebe = Ce ^ ((~Ci) & Co);
- Ebi = Ci ^ ((~Co) & Cu);
- Ebo = Co ^ ((~Cu) & Ca);
- Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- Ega = Ca ^ ((~Ce) & Ci);
- Ege = Ce ^ ((~Ci) & Co);
- Egi = Ci ^ ((~Co) & Cu);
- Ego = Co ^ ((~Cu) & Ca);
- Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- Eka = Ca ^ ((~Ce) & Ci);
- Eke = Ce ^ ((~Ci) & Co);
- Eki = Ci ^ ((~Co) & Cu);
- Eko = Co ^ ((~Cu) & Ca);
- Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- Ema = Ca ^ ((~Ce) & Ci);
- Eme = Ce ^ ((~Ci) & Co);
- Emi = Ci ^ ((~Co) & Cu);
- Emo = Co ^ ((~Cu) & Ca);
- Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- Esa = Ca ^ ((~Ce) & Ci);
- Ese = Ce ^ ((~Ci) & Co);
- Esi = Ci ^ ((~Co) & Cu);
- Eso = Co ^ ((~Cu) & Ca);
- Esu = Cu ^ ((~Ca) & Ce);
- /* round 4 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x8000000080008000ULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
- /* round 5 */
- Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x000000000000808BULL;
- Ebe = Ce ^ ((~Ci) & Co);
- Ebi = Ci ^ ((~Co) & Cu);
- Ebo = Co ^ ((~Cu) & Ca);
- Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- Ega = Ca ^ ((~Ce) & Ci);
- Ege = Ce ^ ((~Ci) & Co);
- Egi = Ci ^ ((~Co) & Cu);
- Ego = Co ^ ((~Cu) & Ca);
- Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- Eka = Ca ^ ((~Ce) & Ci);
- Eke = Ce ^ ((~Ci) & Co);
- Eki = Ci ^ ((~Co) & Cu);
- Eko = Co ^ ((~Cu) & Ca);
- Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- Ema = Ca ^ ((~Ce) & Ci);
- Eme = Ce ^ ((~Ci) & Co);
- Emi = Ci ^ ((~Co) & Cu);
- Emo = Co ^ ((~Cu) & Ca);
- Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- Esa = Ca ^ ((~Ce) & Ci);
- Ese = Ce ^ ((~Ci) & Co);
- Esi = Ci ^ ((~Co) & Cu);
- Eso = Co ^ ((~Cu) & Ca);
- Esu = Cu ^ ((~Ca) & Ce);
- /* round 6 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x0000000080000001ULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
- /* round 7 */
- Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x8000000080008081ULL;
- Ebe = Ce ^ ((~Ci) & Co);
- Ebi = Ci ^ ((~Co) & Cu);
- Ebo = Co ^ ((~Cu) & Ca);
- Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- Ega = Ca ^ ((~Ce) & Ci);
- Ege = Ce ^ ((~Ci) & Co);
- Egi = Ci ^ ((~Co) & Cu);
- Ego = Co ^ ((~Cu) & Ca);
- Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- Eka = Ca ^ ((~Ce) & Ci);
- Eke = Ce ^ ((~Ci) & Co);
- Eki = Ci ^ ((~Co) & Cu);
- Eko = Co ^ ((~Cu) & Ca);
- Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- Ema = Ca ^ ((~Ce) & Ci);
- Eme = Ce ^ ((~Ci) & Co);
- Emi = Ci ^ ((~Co) & Cu);
- Emo = Co ^ ((~Cu) & Ca);
- Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- Esa = Ca ^ ((~Ce) & Ci);
- Ese = Ce ^ ((~Ci) & Co);
- Esi = Ci ^ ((~Co) & Cu);
- Eso = Co ^ ((~Cu) & Ca);
- Esu = Cu ^ ((~Ca) & Ce);
- /* round 8 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x8000000000008009ULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
- /* round 9 */
- Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x000000000000008AULL;
- Ebe = Ce ^ ((~Ci) & Co);
- Ebi = Ci ^ ((~Co) & Cu);
- Ebo = Co ^ ((~Cu) & Ca);
- Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- Ega = Ca ^ ((~Ce) & Ci);
- Ege = Ce ^ ((~Ci) & Co);
- Egi = Ci ^ ((~Co) & Cu);
- Ego = Co ^ ((~Cu) & Ca);
- Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- Eka = Ca ^ ((~Ce) & Ci);
- Eke = Ce ^ ((~Ci) & Co);
- Eki = Ci ^ ((~Co) & Cu);
- Eko = Co ^ ((~Cu) & Ca);
- Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- Ema = Ca ^ ((~Ce) & Ci);
- Eme = Ce ^ ((~Ci) & Co);
- Emi = Ci ^ ((~Co) & Cu);
- Emo = Co ^ ((~Cu) & Ca);
- Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- Esa = Ca ^ ((~Ce) & Ci);
- Ese = Ce ^ ((~Ci) & Co);
- Esi = Ci ^ ((~Co) & Cu);
- Eso = Co ^ ((~Cu) & Ca);
- Esu = Cu ^ ((~Ca) & Ce);
- /* round 10 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x0000000000000088ULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
- /* round 11 */
- Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x0000000080008009ULL;
- Ebe = Ce ^ ((~Ci) & Co);
- Ebi = Ci ^ ((~Co) & Cu);
- Ebo = Co ^ ((~Cu) & Ca);
- Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- Ega = Ca ^ ((~Ce) & Ci);
- Ege = Ce ^ ((~Ci) & Co);
- Egi = Ci ^ ((~Co) & Cu);
- Ego = Co ^ ((~Cu) & Ca);
- Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- Eka = Ca ^ ((~Ce) & Ci);
- Eke = Ce ^ ((~Ci) & Co);
- Eki = Ci ^ ((~Co) & Cu);
- Eko = Co ^ ((~Cu) & Ca);
- Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- Ema = Ca ^ ((~Ce) & Ci);
- Eme = Ce ^ ((~Ci) & Co);
- Emi = Ci ^ ((~Co) & Cu);
- Emo = Co ^ ((~Cu) & Ca);
- Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- Esa = Ca ^ ((~Ce) & Ci);
- Ese = Ce ^ ((~Ci) & Co);
- Esi = Ci ^ ((~Co) & Cu);
- Eso = Co ^ ((~Cu) & Ca);
- Esu = Cu ^ ((~Ca) & Ce);
- /* round 12 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x000000008000000AULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
- /* round 13 */
- Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x000000008000808BULL;
- Ebe = Ce ^ ((~Ci) & Co);
- Ebi = Ci ^ ((~Co) & Cu);
- Ebo = Co ^ ((~Cu) & Ca);
- Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- Ega = Ca ^ ((~Ce) & Ci);
- Ege = Ce ^ ((~Ci) & Co);
- Egi = Ci ^ ((~Co) & Cu);
- Ego = Co ^ ((~Cu) & Ca);
- Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- Eka = Ca ^ ((~Ce) & Ci);
- Eke = Ce ^ ((~Ci) & Co);
- Eki = Ci ^ ((~Co) & Cu);
- Eko = Co ^ ((~Cu) & Ca);
- Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- Ema = Ca ^ ((~Ce) & Ci);
- Eme = Ce ^ ((~Ci) & Co);
- Emi = Ci ^ ((~Co) & Cu);
- Emo = Co ^ ((~Cu) & Ca);
- Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- Esa = Ca ^ ((~Ce) & Ci);
- Ese = Ce ^ ((~Ci) & Co);
- Esi = Ci ^ ((~Co) & Cu);
- Eso = Co ^ ((~Cu) & Ca);
- Esu = Cu ^ ((~Ca) & Ce);
- /* round 14 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x800000000000008BULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
- /* round 15 */
- Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x8000000000008089ULL;
- Ebe = Ce ^ ((~Ci) & Co);
- Ebi = Ci ^ ((~Co) & Cu);
- Ebo = Co ^ ((~Cu) & Ca);
- Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- Ega = Ca ^ ((~Ce) & Ci);
- Ege = Ce ^ ((~Ci) & Co);
- Egi = Ci ^ ((~Co) & Cu);
- Ego = Co ^ ((~Cu) & Ca);
- Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- Eka = Ca ^ ((~Ce) & Ci);
- Eke = Ce ^ ((~Ci) & Co);
- Eki = Ci ^ ((~Co) & Cu);
- Eko = Co ^ ((~Cu) & Ca);
- Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- Ema = Ca ^ ((~Ce) & Ci);
- Eme = Ce ^ ((~Ci) & Co);
- Emi = Ci ^ ((~Co) & Cu);
- Emo = Co ^ ((~Cu) & Ca);
- Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- Esa = Ca ^ ((~Ce) & Ci);
- Ese = Ce ^ ((~Ci) & Co);
- Esi = Ci ^ ((~Co) & Cu);
- Eso = Co ^ ((~Cu) & Ca);
- Esu = Cu ^ ((~Ca) & Ce);
- /* round 16 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x8000000000008003ULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
- /* round 17 */
- Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x8000000000008002ULL;
- Ebe = Ce ^ ((~Ci) & Co);
- Ebi = Ci ^ ((~Co) & Cu);
- Ebo = Co ^ ((~Cu) & Ca);
- Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- Ega = Ca ^ ((~Ce) & Ci);
- Ege = Ce ^ ((~Ci) & Co);
- Egi = Ci ^ ((~Co) & Cu);
- Ego = Co ^ ((~Cu) & Ca);
- Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- Eka = Ca ^ ((~Ce) & Ci);
- Eke = Ce ^ ((~Ci) & Co);
- Eki = Ci ^ ((~Co) & Cu);
- Eko = Co ^ ((~Cu) & Ca);
- Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- Ema = Ca ^ ((~Ce) & Ci);
- Eme = Ce ^ ((~Ci) & Co);
- Emi = Ci ^ ((~Co) & Cu);
- Emo = Co ^ ((~Cu) & Ca);
- Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- Esa = Ca ^ ((~Ce) & Ci);
- Ese = Ce ^ ((~Ci) & Co);
- Esi = Ci ^ ((~Co) & Cu);
- Eso = Co ^ ((~Cu) & Ca);
- Esu = Cu ^ ((~Ca) & Ce);
- /* round 18 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x8000000000000080ULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
- /* round 19 */
- Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x000000000000800AULL;
- Ebe = Ce ^ ((~Ci) & Co);
- Ebi = Ci ^ ((~Co) & Cu);
- Ebo = Co ^ ((~Cu) & Ca);
- Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- Ega = Ca ^ ((~Ce) & Ci);
- Ege = Ce ^ ((~Ci) & Co);
- Egi = Ci ^ ((~Co) & Cu);
- Ego = Co ^ ((~Cu) & Ca);
- Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- Eka = Ca ^ ((~Ce) & Ci);
- Eke = Ce ^ ((~Ci) & Co);
- Eki = Ci ^ ((~Co) & Cu);
- Eko = Co ^ ((~Cu) & Ca);
- Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- Ema = Ca ^ ((~Ce) & Ci);
- Eme = Ce ^ ((~Ci) & Co);
- Emi = Ci ^ ((~Co) & Cu);
- Emo = Co ^ ((~Cu) & Ca);
- Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- Esa = Ca ^ ((~Ce) & Ci);
- Ese = Ce ^ ((~Ci) & Co);
- Esi = Ci ^ ((~Co) & Cu);
- Eso = Co ^ ((~Cu) & Ca);
- Esu = Cu ^ ((~Ca) & Ce);
- /* round 20 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x800000008000000AULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
- /* round 21 */
- Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x8000000080008081ULL;
- Ebe = Ce ^ ((~Ci) & Co);
- Ebi = Ci ^ ((~Co) & Cu);
- Ebo = Co ^ ((~Cu) & Ca);
- Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- Ega = Ca ^ ((~Ce) & Ci);
- Ege = Ce ^ ((~Ci) & Co);
- Egi = Ci ^ ((~Co) & Cu);
- Ego = Co ^ ((~Cu) & Ca);
- Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- Eka = Ca ^ ((~Ce) & Ci);
- Eke = Ce ^ ((~Ci) & Co);
- Eki = Ci ^ ((~Co) & Cu);
- Eko = Co ^ ((~Cu) & Ca);
- Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- Ema = Ca ^ ((~Ce) & Ci);
- Eme = Ce ^ ((~Ci) & Co);
- Emi = Ci ^ ((~Co) & Cu);
- Emo = Co ^ ((~Cu) & Ca);
- Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- Esa = Ca ^ ((~Ce) & Ci);
- Ese = Ce ^ ((~Ci) & Co);
- Esi = Ci ^ ((~Co) & Cu);
- Eso = Co ^ ((~Cu) & Ca);
- Esu = Cu ^ ((~Ca) & Ce);
- /* round 22 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x8000000000008080ULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
- /* round 23 */
- Ca = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
- Ce = Abe ^ Age ^ Ake ^ Ame ^ Ase;
- Ci = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
- Co = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
- Cu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Aba ^= Da;
- Ca = Aba;
- Age ^= De;
- Ce = rotl64(Age, 44);
- Aki ^= Di;
- Ci = rotl64(Aki, 43);
- Amo ^= Do;
- Co = rotl64(Amo, 21);
- Asu ^= Du;
- Cu = rotl64(Asu, 14);
- Eba = Ca ^ ((~Ce) & Ci);
- Eba ^= 0x0000000080000001ULL;
- Ebe = Ce ^ ((~Ci) & Co);
- Ebi = Ci ^ ((~Co) & Cu);
- Ebo = Co ^ ((~Cu) & Ca);
- Ebu = Cu ^ ((~Ca) & Ce);
- Abo ^= Do;
- Ca = rotl64(Abo, 28);
- Agu ^= Du;
- Ce = rotl64(Agu, 20);
- Aka ^= Da;
- Ci = rotl64(Aka, 3);
- Ame ^= De;
- Co = rotl64(Ame, 45);
- Asi ^= Di;
- Cu = rotl64(Asi, 61);
- Ega = Ca ^ ((~Ce) & Ci);
- Ege = Ce ^ ((~Ci) & Co);
- Egi = Ci ^ ((~Co) & Cu);
- Ego = Co ^ ((~Cu) & Ca);
- Egu = Cu ^ ((~Ca) & Ce);
- Abe ^= De;
- Ca = rotl64(Abe, 1);
- Agi ^= Di;
- Ce = rotl64(Agi, 6);
- Ako ^= Do;
- Ci = rotl64(Ako, 25);
- Amu ^= Du;
- Co = rotl64(Amu, 8);
- Asa ^= Da;
- Cu = rotl64(Asa, 18);
- Eka = Ca ^ ((~Ce) & Ci);
- Eke = Ce ^ ((~Ci) & Co);
- Eki = Ci ^ ((~Co) & Cu);
- Eko = Co ^ ((~Cu) & Ca);
- Eku = Cu ^ ((~Ca) & Ce);
- Abu ^= Du;
- Ca = rotl64(Abu, 27);
- Aga ^= Da;
- Ce = rotl64(Aga, 36);
- Ake ^= De;
- Ci = rotl64(Ake, 10);
- Ami ^= Di;
- Co = rotl64(Ami, 15);
- Aso ^= Do;
- Cu = rotl64(Aso, 56);
- Ema = Ca ^ ((~Ce) & Ci);
- Eme = Ce ^ ((~Ci) & Co);
- Emi = Ci ^ ((~Co) & Cu);
- Emo = Co ^ ((~Cu) & Ca);
- Emu = Cu ^ ((~Ca) & Ce);
- Abi ^= Di;
- Ca = rotl64(Abi, 62);
- Ago ^= Do;
- Ce = rotl64(Ago, 55);
- Aku ^= Du;
- Ci = rotl64(Aku, 39);
- Ama ^= Da;
- Co = rotl64(Ama, 41);
- Ase ^= De;
- Cu = rotl64(Ase, 2);
- Esa = Ca ^ ((~Ce) & Ci);
- Ese = Ce ^ ((~Ci) & Co);
- Esi = Ci ^ ((~Co) & Cu);
- Eso = Co ^ ((~Cu) & Ca);
- Esu = Cu ^ ((~Ca) & Ce);
- /* round 24 */
- Ca = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
- Ce = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
- Ci = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
- Co = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
- Cu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
- Da = Cu ^ rotl64(Ce, 1);
- De = Ca ^ rotl64(Ci, 1);
- Di = Ce ^ rotl64(Co, 1);
- Do = Ci ^ rotl64(Cu, 1);
- Du = Co ^ rotl64(Ca, 1);
- Eba ^= Da;
- Ca = Eba;
- Ege ^= De;
- Ce = rotl64(Ege, 44);
- Eki ^= Di;
- Ci = rotl64(Eki, 43);
- Emo ^= Do;
- Co = rotl64(Emo, 21);
- Esu ^= Du;
- Cu = rotl64(Esu, 14);
- Aba = Ca ^ ((~Ce) & Ci);
- Aba ^= 0x8000000080008008ULL;
- Abe = Ce ^ ((~Ci) & Co);
- Abi = Ci ^ ((~Co) & Cu);
- Abo = Co ^ ((~Cu) & Ca);
- Abu = Cu ^ ((~Ca) & Ce);
- Ebo ^= Do;
- Ca = rotl64(Ebo, 28);
- Egu ^= Du;
- Ce = rotl64(Egu, 20);
- Eka ^= Da;
- Ci = rotl64(Eka, 3);
- Eme ^= De;
- Co = rotl64(Eme, 45);
- Esi ^= Di;
- Cu = rotl64(Esi, 61);
- Aga = Ca ^ ((~Ce) & Ci);
- Age = Ce ^ ((~Ci) & Co);
- Agi = Ci ^ ((~Co) & Cu);
- Ago = Co ^ ((~Cu) & Ca);
- Agu = Cu ^ ((~Ca) & Ce);
- Ebe ^= De;
- Ca = rotl64(Ebe, 1);
- Egi ^= Di;
- Ce = rotl64(Egi, 6);
- Eko ^= Do;
- Ci = rotl64(Eko, 25);
- Emu ^= Du;
- Co = rotl64(Emu, 8);
- Esa ^= Da;
- Cu = rotl64(Esa, 18);
- Aka = Ca ^ ((~Ce) & Ci);
- Ake = Ce ^ ((~Ci) & Co);
- Aki = Ci ^ ((~Co) & Cu);
- Ako = Co ^ ((~Cu) & Ca);
- Aku = Cu ^ ((~Ca) & Ce);
- Ebu ^= Du;
- Ca = rotl64(Ebu, 27);
- Ega ^= Da;
- Ce = rotl64(Ega, 36);
- Eke ^= De;
- Ci = rotl64(Eke, 10);
- Emi ^= Di;
- Co = rotl64(Emi, 15);
- Eso ^= Do;
- Cu = rotl64(Eso, 56);
- Ama = Ca ^ ((~Ce) & Ci);
- Ame = Ce ^ ((~Ci) & Co);
- Ami = Ci ^ ((~Co) & Cu);
- Amo = Co ^ ((~Cu) & Ca);
- Amu = Cu ^ ((~Ca) & Ce);
- Ebi ^= Di;
- Ca = rotl64(Ebi, 62);
- Ego ^= Do;
- Ce = rotl64(Ego, 55);
- Eku ^= Du;
- Ci = rotl64(Eku, 39);
- Ema ^= Da;
- Co = rotl64(Ema, 41);
- Ese ^= De;
- Cu = rotl64(Ese, 2);
- Asa = Ca ^ ((~Ce) & Ci);
- Ase = Ce ^ ((~Ci) & Co);
- Asi = Ci ^ ((~Co) & Cu);
- Aso = Co ^ ((~Cu) & Ca);
- Asu = Cu ^ ((~Ca) & Ce);
-
- state[0] = Aba;
- state[1] = Abe;
- state[2] = Abi;
- state[3] = Abo;
- state[4] = Abu;
- state[5] = Aga;
- state[6] = Age;
- state[7] = Agi;
- state[8] = Ago;
- state[9] = Agu;
- state[10] = Aka;
- state[11] = Ake;
- state[12] = Aki;
- state[13] = Ako;
- state[14] = Aku;
- state[15] = Ama;
- state[16] = Ame;
- state[17] = Ami;
- state[18] = Amo;
- state[19] = Amu;
- state[20] = Asa;
- state[21] = Ase;
- state[22] = Asi;
- state[23] = Aso;
- state[24] = Asu;
-}
-
-void OQS_SHA3_keccak_absorb(uint64_t *state, size_t rate, const uint8_t *input, size_t inplen, uint8_t domain) {
- uint8_t msg[200];
- size_t i;
-
- while (inplen >= rate) {
- for (i = 0; i < rate / 8; ++i) {
- state[i] ^= load64(input + (8 * i));
- }
-
- OQS_SHA3_keccak_permute(state);
-
- inplen -= rate;
- input += rate;
- }
-
- for (i = 0; i < inplen; ++i) {
- msg[i] = input[i];
- }
-
- msg[inplen] = domain;
-
- for (i = inplen + 1; i < rate; ++i) {
- msg[i] = 0;
- }
-
- msg[rate - 1] |= 128;
-
- for (i = 0; i < rate / 8; ++i) {
- state[i] ^= load64(msg + (8 * i));
- }
-}
-
-void OQS_SHA3_sha3256(uint8_t *output, const uint8_t *input, size_t inplen) {
- uint64_t state[SHA3_STATESIZE];
- uint8_t hash[SHA3_SHA3_256_RATE];
- size_t i;
-
- for (i = 0; i < SHA3_STATESIZE; ++i) {
- state[i] = 0;
- }
-
- OQS_SHA3_keccak_absorb(state, SHA3_SHA3_256_RATE, input, inplen, SHA3_SHA3_DOMAIN);
- OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_SHA3_256_RATE);
-
- for (i = 0; i < 32; i++) {
- output[i] = hash[i];
- }
-}
-
-void OQS_SHA3_sha3512(uint8_t *output, const uint8_t *input, size_t inplen) {
- uint64_t state[SHA3_STATESIZE];
- uint8_t hash[SHA3_SHA3_512_RATE];
- size_t i;
-
- for (i = 0; i < SHA3_STATESIZE; ++i) {
- state[i] = 0;
- }
-
- OQS_SHA3_keccak_absorb(state, SHA3_SHA3_512_RATE, input, inplen, SHA3_SHA3_DOMAIN);
- OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_SHA3_512_RATE);
-
- for (i = 0; i < 64; i++) {
- output[i] = hash[i];
- }
-}
-
-void OQS_SHA3_keccak_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state, size_t rate) {
- size_t i;
-
- while (nblocks > 0) {
- OQS_SHA3_keccak_permute(state);
-
- for (i = 0; i < (rate >> 3); i++) {
- store64(output + 8 * i, state[i]);
- }
-
- output += rate;
- nblocks--;
- }
-}
-
-/* SHAKE */
-
-void OQS_SHA3_shake128(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen) {
- size_t nblocks = outlen / SHA3_SHAKE128_RATE;
- uint64_t state[SHA3_STATESIZE];
- uint8_t hash[SHA3_SHAKE128_RATE];
- size_t i;
-
- for (i = 0; i < SHA3_STATESIZE; ++i) {
- state[i] = 0;
- }
-
- OQS_SHA3_keccak_absorb(state, SHA3_SHAKE128_RATE, input, inplen, SHA3_SHAKE_DOMAIN);
- OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_SHAKE128_RATE);
-
- output += (nblocks * SHA3_SHAKE128_RATE);
- outlen -= (nblocks * SHA3_SHAKE128_RATE);
-
- if (outlen != 0) {
- OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_SHAKE128_RATE);
-
- for (i = 0; i < outlen; i++) {
- output[i] = hash[i];
- }
- }
-}
-
-void OQS_SHA3_shake128_absorb(uint64_t *state, const uint8_t *input, size_t inplen) {
- OQS_SHA3_keccak_absorb(state, SHA3_SHAKE128_RATE, input, inplen, SHA3_SHAKE_DOMAIN);
-}
-
-void OQS_SHA3_shake128_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state) {
- OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_SHAKE128_RATE);
-}
-
-void OQS_SHA3_shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen) {
- size_t nblocks = outlen / SHA3_SHAKE256_RATE;
- uint64_t state[SHA3_STATESIZE];
- uint8_t hash[SHA3_SHAKE256_RATE];
- size_t i;
-
- for (i = 0; i < SHA3_STATESIZE; ++i) {
- state[i] = 0;
- }
-
- OQS_SHA3_keccak_absorb(state, SHA3_SHAKE256_RATE, input, inplen, SHA3_SHAKE_DOMAIN);
- OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_SHAKE256_RATE);
-
- output += (nblocks * SHA3_SHAKE256_RATE);
- outlen -= (nblocks * SHA3_SHAKE256_RATE);
-
- if (outlen != 0) {
- OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_SHAKE256_RATE);
-
- for (i = 0; i < outlen; i++) {
- output[i] = hash[i];
- }
- }
-}
-
-void OQS_SHA3_shake256_absorb(uint64_t *state, const uint8_t *input, size_t inplen) {
- OQS_SHA3_keccak_absorb(state, SHA3_SHAKE256_RATE, input, inplen, SHA3_SHAKE_DOMAIN);
-}
-
-void OQS_SHA3_shake256_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state) {
- OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_SHAKE256_RATE);
-}
-
-/* cSHAKE */
-
-void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen) {
- size_t nblocks = outlen / SHA3_CSHAKE128_RATE;
- uint64_t state[SHA3_STATESIZE];
- uint8_t hash[SHA3_CSHAKE128_RATE];
- size_t i;
-
- for (i = 0; i < SHA3_STATESIZE; ++i) {
- state[i] = 0;
- }
-
- OQS_SHA3_cshake128_simple_absorb(state, cstm, input, inplen);
- OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_CSHAKE128_RATE);
-
- output += (nblocks * SHA3_CSHAKE128_RATE);
- outlen -= (nblocks * SHA3_CSHAKE128_RATE);
-
- if (outlen != 0) {
- OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_CSHAKE128_RATE);
-
- for (i = 0; i < outlen; i++) {
- output[i] = hash[i];
- }
- }
-}
-
-void OQS_SHA3_cshake128_simple_absorb(uint64_t *state, uint16_t cstm, const uint8_t *input, size_t inplen) {
- /* Note: This function doesn't align exactly to cSHAKE (SP800-185 3.2), which should produce
- SHAKE output if S and N = zero (sort of a customized custom-SHAKE function).
- Padding is hard-coded as the first 32 bits, plus 16 bits of fixed S,
- and 16 bits of counter, equivalant to S=cstm, N=0.
- The short integer optimizes this function for a digest counter configuration */
-
- uint8_t sep[8];
- sep[0] = 0x01; /* bytepad */
- sep[1] = 0xA8;
- sep[2] = 0x01;
- sep[3] = 0x00;
- sep[4] = 0x01;
- sep[5] = 0x10; /* bitlen of cstm */
- sep[6] = cstm & 0xFF;
- sep[7] = cstm >> 8;
-
- state[0] = load64(sep);
-
- /* transform the domain string */
- OQS_SHA3_keccak_permute(state);
-
- /* absorb the state */
- OQS_SHA3_keccak_absorb(state, SHA3_CSHAKE128_RATE, input, inplen, SHA3_CSHAKE_DOMAIN);
-}
-
-void OQS_SHA3_cshake128_simple_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state) {
- OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_CSHAKE128_RATE);
-}
-
-void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen) {
- size_t nblocks = outlen / SHA3_CSHAKE256_RATE;
- uint64_t state[SHA3_STATESIZE];
- uint8_t hash[SHA3_CSHAKE256_RATE];
- size_t i;
-
- for (i = 0; i < SHA3_STATESIZE; ++i) {
- state[i] = 0;
- }
-
- OQS_SHA3_cshake256_simple_absorb(state, cstm, input, inplen);
- OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_CSHAKE256_RATE);
-
- output += (nblocks * SHA3_CSHAKE256_RATE);
- outlen -= (nblocks * SHA3_CSHAKE256_RATE);
-
- if (outlen != 0) {
- OQS_SHA3_keccak_squeezeblocks(hash, 1, state, SHA3_CSHAKE256_RATE);
-
- for (i = 0; i < outlen; i++) {
- output[i] = hash[i];
- }
- }
-}
-
-void OQS_SHA3_cshake256_simple_absorb(uint64_t *state, uint16_t cstm, const uint8_t *input, size_t inplen) {
- uint8_t sep[8];
- sep[0] = 0x01; /* bytepad */
- sep[1] = 0x88;
- sep[2] = 0x01;
- sep[3] = 0x00;
- sep[4] = 0x01;
- sep[5] = 0x10; /* bitlen of cstm */
- sep[6] = cstm & 0xFF;
- sep[7] = cstm >> 8;
-
- state[0] = load64(sep);
-
- /* transform the domain string */
- OQS_SHA3_keccak_permute(state);
-
- /* absorb the state */
- OQS_SHA3_keccak_absorb(state, SHA3_CSHAKE256_RATE, input, inplen, SHA3_CSHAKE_DOMAIN);
-}
-
-void OQS_SHA3_cshake256_simple_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state) {
- OQS_SHA3_keccak_squeezeblocks(output, nblocks, state, SHA3_CSHAKE256_RATE);
-}
diff --git a/src/ringct20/sha3.h b/src/ringct20/sha3.h
deleted file mode 100644
index 0cd139d8c615eb8c37a113c82ddd95b35b314d3c..0000000000000000000000000000000000000000
--- a/src/ringct20/sha3.h
+++ /dev/null
@@ -1,300 +0,0 @@
-/**
-* \file sha3.h
-* \brief <b>SHA3 header definition</b> \n
-* Contains the public api and documentation for SHA3 digest and SHAKE implementations.
-*
-* \author John Underhill
-* \date December 29, 2017
-* \remarks For usage examples, see sha3_test.h
-*/
-
-#ifndef OQS_SHA3_H
-#define OQS_SHA3_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-/*!
-\def OQS_SHA3_CSHAKE_DOMAIN
-* The cSHAKE function domain code
-*/
-#define OQS_SHA3_CSHAKE_DOMAIN 0x04
-
-/*!
-\def OQS_SHA3_CSHAKE128_RATE
-* The cSHAKE-128 byte absorption rate
-*/
-#define OQS_SHA3_CSHAKE128_RATE 168
-
-/*!
-\def OQS_SHA3_CSHAKE256_RATE
-* The cSHAKE-256 byte absorption rate
-*/
-#define OQS_SHA3_CSHAKE256_RATE 136
-
-/*!
-\def OQS_SHA3_SHA3_DOMAIN
-* The SHA3 function domain code
-*/
-#define OQS_SHA3_SHA3_DOMAIN 0x06
-
-/*!
-\def OQS_SHA3_SHA3_256_RATE
-* The SHA-256 byte absorption rate
-*/
-#define OQS_SHA3_SHA3_256_RATE 136
-
-/*!
-\def OQS_SHA3_SHA3_512_RATE
-* The SHA-512 byte absorption rate
-*/
-#define OQS_SHA3_SHA3_512_RATE 72
-
-/*!
-\def OQS_SHA3_SHAKE_DOMAIN
-* The function domain code
-*/
-#define OQS_SHA3_SHAKE_DOMAIN 0x1F
-
-/*!
-\def OQS_SHA3_SHAKE128_RATE
-* The SHAKE-128 byte absorption rate
-*/
-#define OQS_SHA3_SHAKE128_RATE 168
-
-/*!
-\def OQS_SHA3_SHAKE256_RATE
-* The SHAKE-256 byte absorption rate
-*/
-#define OQS_SHA3_SHAKE256_RATE 136
-
-/*!
-\def OQS_SHA3_STATESIZE
-* The Keccak SHA3 state array size
-*/
-#define OQS_SHA3_STATESIZE 25
-
-/* SHA3 */
-
-/**
-* \brief Process a message with SHA3-256 and return the hash code in the output byte array.
-*
-* \warning The output array must be at least 32 bytes in length.
-*
-* \param output The output byte array
-* \param input The message input byte array
-* \param inplen The number of message bytes to process
-*/
-void OQS_SHA3_sha3256(uint8_t *output, const uint8_t *input, size_t inplen);
-
-/**
-* \brief Process a message with SHA3-512 and return the hash code in the output byte array.
-*
-* \warning The output array must be at least 64 bytes in length.
-*
-* \param output The output byte array
-* \param input The message input byte array
-* \param inplen The number of message bytes to process
-*/
-void OQS_SHA3_sha3512(uint8_t *output, const uint8_t *input, size_t inplen);
-
-/**
-* \brief The Keccak absorb function.
-* Absorb an input message array directly into the state.
-*
-* \warning Finalizes the message state, can not be used in consecutive calls. \n
-* State must be initialized (and zeroed) by the caller.
-*
-* \param state The function state; must be initialized
-* \param rate The rate of absorption, in bytes
-* \param input The input message byte array
-* \param inplen The number of message bytes to process
-* \param domain The domain seperation code (SHA3=0x06, SHAKE=0x1F, cSHAKE=0x04)
-*/
-void OQS_SHA3_keccak_absorb(uint64_t *state, size_t rate, const uint8_t *input, size_t inplen, uint8_t domain);
-
-/**
-* \brief The Keccak permute function.
-* Permutes the state array, can be used in conjunction with the keccak_absorb function.
-*
-* \param state The function state; must be initialized
-*/
-void OQS_SHA3_keccak_permute(uint64_t *state);
-
-/**
-* \brief The Keccak squeeze function.
-* Permutes and extracts the state to an output byte array.
-*
-* \warning Output array must be initialized to a multiple of the byte rate.
-*
-* \param output The output byte array
-* \param nblocks The number of blocks to extract
-* \param state The function state; must be pre-initialized
-* \param rate The rate of absorption, in bytes
-*/
-void OQS_SHA3_keccak_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state, size_t rate);
-
-/* SHAKE */
-
-/**
-* \brief Seed a SHAKE-128 instance, and generate an array of pseudo-random bytes.
-*
-* \warning The output array length must not be zero.
-*
-* \param output The output byte array
-* \param outlen The number of output bytes to generate
-* \param input The input seed byte array
-* \param inplen The number of seed bytes to process
-*/
-void OQS_SHA3_shake128(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen);
-
-/**
-* \brief The SHAKE-128 absorb function.
-* Absorb and finalize an input seed byte array.
-* Should be used in conjunction with the shake128_squeezeblocks function.
-*
-* \warning Finalizes the seed state, should not be used in consecutive calls. \n
-* State must be initialized (and zeroed) by the caller.
-*
-* \param state The function state; must be pre-initialized
-* \param input The input seed byte array
-* \param inplen The number of seed bytes to process
-*/
-void OQS_SHA3_shake128_absorb(uint64_t *state, const uint8_t *input, size_t inplen);
-
-/**
-* \brief The SHAKE-128 squeeze function.
-* Permutes and extracts the state to an output byte array.
-* Should be used in conjunction with the shake128_absorb function.
-*
-* \warning Output array must be initialized to a multiple of the byte rate.
-*
-* \param output The output byte array
-* \param nblocks The number of blocks to extract
-* \param state The function state; must be pre-initialized
-*/
-void OQS_SHA3_shake128_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state);
-
-/**
-* \brief Seed a SHAKE-256 instance, and generate an array of pseudo-random bytes.
-*
-* \warning The output array length must not be zero.
-*
-* \param output The output byte array
-* \param outlen The number of output bytes to generate
-* \param input The input seed byte array
-* \param inplen The number of seed bytes to process
-*/
-void OQS_SHA3_shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inplen);
-
-/**
-* \brief The SHAKE-256 absorb function.
-* Absorb and finalize an input seed byte array.
-* Should be used in conjunction with the shake256_squeezeblocks function.
-*
-* \warning Finalizes the seed state, should not be used in consecutive calls. \n
-* State must be initialized (and zeroed) by the caller.
-*
-* \param state The function state; must be pre-initialized
-* \param input The input seed byte array
-* \param inplen The number of seed bytes to process
-*/
-void OQS_SHA3_shake256_absorb(uint64_t *state, const uint8_t *input, size_t inplen);
-
-/**
-* \brief The SHAKE-256 squeeze function.
-* Permutes and extracts the state to an output byte array.
-*
-* \warning Output array must be initialized to a multiple of the byte rate.
-*
-* \param output The output byte array
-* \param nblocks The number of blocks to extract
-* \param state The function state; must be pre-initialized
-*/
-void OQS_SHA3_shake256_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state);
-
-/* cSHAKE */
-
-/**
-* \brief Seed a cSHAKE-128 instance and generate pseudo-random output.
-* Permutes and extracts the state to an output byte array.
-*
-* \warning This function has a counter period of 2^16.
-*
-* \param output The output byte array
-* \param outlen The number of output bytes to generate
-* \param cstm The 16bit customization integer
-* \param input The input seed byte array
-* \param inplen The number of seed bytes to process
-*/
-void OQS_SHA3_cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen);
-
-/**
-* \brief The cSHAKE-128 simple absorb function.
-* Absorb and finalize an input seed directly into the state.
-* Should be used in conjunction with the cshake128_simple_squeezeblocks function.
-*
-* \warning Finalizes the seed state, should not be used in consecutive calls. \n
-* State must be initialized (and zeroed) by the caller.
-*
-* \param state The function state; must be pre-initialized
-* \param cstm The 16bit customization integer
-* \param input The input seed byte array
-* \param inplen The number of seed bytes to process
-*/
-void OQS_SHA3_cshake128_simple_absorb(uint64_t *state, uint16_t cstm, const uint8_t *input, size_t inplen);
-
-/**
-* \brief The cSHAKE-128 simple squeeze function.
-* Permutes and extracts blocks of state to an output byte array.
-*
-* \warning Output array must be initialized to a multiple of the byte rate.
-*
-* \param output The output byte array
-* \param nblocks The number of blocks to extract
-* \param state The function state; must be pre-initialized
-*/
-void OQS_SHA3_cshake128_simple_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state);
-
-/**
-* \brief Seed a cSHAKE-256 instance and generate pseudo-random output.
-* Permutes and extracts the state to an output byte array.
-*
-* \warning This function has a counter period of 2^16.
-*
-* \param output The output byte array
-* \param outlen The number of output bytes to generate
-* \param cstm The 16bit customization integer
-* \param input The input seed byte array
-* \param inplen The number of seed bytes to process
-*/
-void OQS_SHA3_cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *input, size_t inplen);
-
-/**
-* \brief The cSHAKE-256 simple absorb function.
-* Absorb and finalize an input seed directly into the state.
-* Should be used in conjunction with the cshake256_simple_squeezeblocks function.
-*
-* \warning Finalizes the seed state, should not be used in consecutive calls. \n
-* State must be initialized (and zeroed) by the caller.
-*
-* \param state The function state; must be pre-initialized
-* \param cstm The 16bit customization integer
-* \param input The input seed byte array
-* \param inplen The number of seed bytes to process
-*/
-void OQS_SHA3_cshake256_simple_absorb(uint64_t *state, uint16_t cstm, const uint8_t *input, size_t inplen);
-
-/**
-* \brief The cSHAKE-256 simple squeeze function.
-* Permutes and extracts blocks of state to an output byte array.
-*
-* \warning Output array must be initialized to a multiple of the byte rate.
-*
-* \param output The output byte array
-* \param nblocks The number of blocks to extract
-* \param state The function state; must be pre-initialized
-*/
-void OQS_SHA3_cshake256_simple_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *state);
-
-#endif
diff --git a/test/crypto/main.c b/test/crypto/main.c
index dc22cb5aa9aa56359a52827b49142d7337110e80..79fad44b4cef95f17a00e40234407a997d3c14dc 100755
--- a/test/crypto/main.c
+++ b/test/crypto/main.c
@@ -14,14 +14,14 @@
#include "rand/dap_rand.h"
#include "dap_common.h"
-#include"ringct20/ring_test.h"
+
int main(void)
{
//test
//test4
// switch off debug info from library
dap_log_level_set(L_CRITICAL);
- //LRCT_Setup_Test();
+
dap_enc_ringct20_tests_run(100);
//dap_enc_picnic_tests_run();
//dap_enc_sig_bliss_tests_run(10);