2 ***********************************************************************
4 * Implementation of the Skein block functions.
6 * Source code author: Doug Whiting, 2008.
8 * This algorithm and source code is released to the public domain.
10 * Compile-time switches:
12 * SKEIN_USE_ASM -- set bits (256/512/1024) to select which
13 * versions use ASM code for block processing
14 * [default: use C for all block sizes]
16 ***********************************************************************
19 #include <linux/string.h>
20 #include <linux/bitops.h>
21 #include "skein_base.h"
22 #include "skein_block.h"
25 #define SKEIN_USE_ASM (0) /* default is all C code (no ASM) */
29 #define SKEIN_LOOP 001 /* default: unroll 256 and 512, but not 1024 */
32 #define BLK_BITS (WCNT * 64) /* some useful definitions for code here */
33 #define KW_TWK_BASE (0)
34 #define KW_KEY_BASE (3)
35 #define ks (kw + KW_KEY_BASE)
36 #define ts (kw + KW_TWK_BASE)
39 #define debug_save_tweak(ctx) \
41 ctx->h.tweak[0] = ts[0]; \
42 ctx->h.tweak[1] = ts[1]; \
45 #define debug_save_tweak(ctx)
48 #if !(SKEIN_USE_ASM & 256)
50 #define RCNT (SKEIN_256_ROUNDS_TOTAL / 8)
51 #ifdef SKEIN_LOOP /* configure how much to unroll the loop */
52 #define SKEIN_UNROLL_256 (((SKEIN_LOOP) / 100) % 10)
54 #define SKEIN_UNROLL_256 (0)
58 #if (RCNT % SKEIN_UNROLL_256)
59 #error "Invalid SKEIN_UNROLL_256" /* sanity check on unroll count */
62 #define ROUND256(p0, p1, p2, p3, ROT, r_num) \
65 X##p1 = rol64(X##p1, ROT##_0); \
68 X##p3 = rol64(X##p3, ROT##_1); \
72 #if SKEIN_UNROLL_256 == 0
73 #define R256(p0, p1, p2, p3, ROT, r_num) /* fully unrolled */ \
74 ROUND256(p0, p1, p2, p3, ROT, r_num)
78 /* inject the key schedule value */ \
79 X0 += ks[((R) + 1) % 5]; \
80 X1 += ks[((R) + 2) % 5] + ts[((R) + 1) % 3]; \
81 X2 += ks[((R) + 3) % 5] + ts[((R) + 2) % 3]; \
82 X3 += ks[((R) + 4) % 5] + (R) + 1; \
86 #define R256(p0, p1, p2, p3, ROT, r_num) ROUND256(p0, p1, p2, p3, ROT, r_num)
90 /* inject the key schedule value */ \
91 X0 += ks[r + (R) + 0]; \
92 X1 += ks[r + (R) + 1] + ts[r + (R) + 0];\
93 X2 += ks[r + (R) + 2] + ts[r + (R) + 1];\
94 X3 += ks[r + (R) + 3] + r + (R); \
95 /* rotate key schedule */ \
96 ks[r + (R) + 4] = ks[r + (R) - 1]; \
97 ts[r + (R) + 2] = ts[r + (R) - 1]; \
100 #define R256_8_ROUNDS(R) \
102 R256(0, 1, 2, 3, R_256_0, 8 * (R) + 1); \
103 R256(0, 3, 2, 1, R_256_1, 8 * (R) + 2); \
104 R256(0, 1, 2, 3, R_256_2, 8 * (R) + 3); \
105 R256(0, 3, 2, 1, R_256_3, 8 * (R) + 4); \
107 R256(0, 1, 2, 3, R_256_4, 8 * (R) + 5); \
108 R256(0, 3, 2, 1, R_256_5, 8 * (R) + 6); \
109 R256(0, 1, 2, 3, R_256_6, 8 * (R) + 7); \
110 R256(0, 3, 2, 1, R_256_7, 8 * (R) + 8); \
114 #define R256_UNROLL_R(NN) \
115 ((SKEIN_UNROLL_256 == 0 && \
116 SKEIN_256_ROUNDS_TOTAL / 8 > (NN)) || \
117 (SKEIN_UNROLL_256 > (NN)))
119 #if (SKEIN_UNROLL_256 > 14)
120 #error "need more unrolling in skein_256_process_block"
124 #if !(SKEIN_USE_ASM & 512)
126 #define RCNT (SKEIN_512_ROUNDS_TOTAL / 8)
128 #ifdef SKEIN_LOOP /* configure how much to unroll the loop */
129 #define SKEIN_UNROLL_512 (((SKEIN_LOOP) / 10) % 10)
131 #define SKEIN_UNROLL_512 (0)
135 #if (RCNT % SKEIN_UNROLL_512)
136 #error "Invalid SKEIN_UNROLL_512" /* sanity check on unroll count */
139 #define ROUND512(p0, p1, p2, p3, p4, p5, p6, p7, ROT, r_num) \
142 X##p1 = rol64(X##p1, ROT##_0); \
145 X##p3 = rol64(X##p3, ROT##_1); \
148 X##p5 = rol64(X##p5, ROT##_2); \
151 X##p7 = rol64(X##p7, ROT##_3); \
155 #if SKEIN_UNROLL_512 == 0
156 #define R512(p0, p1, p2, p3, p4, p5, p6, p7, ROT, r_num) /* unrolled */ \
157 ROUND512(p0, p1, p2, p3, p4, p5, p6, p7, ROT, r_num)
161 /* inject the key schedule value */ \
162 X0 += ks[((R) + 1) % 9]; \
163 X1 += ks[((R) + 2) % 9]; \
164 X2 += ks[((R) + 3) % 9]; \
165 X3 += ks[((R) + 4) % 9]; \
166 X4 += ks[((R) + 5) % 9]; \
167 X5 += ks[((R) + 6) % 9] + ts[((R) + 1) % 3]; \
168 X6 += ks[((R) + 7) % 9] + ts[((R) + 2) % 3]; \
169 X7 += ks[((R) + 8) % 9] + (R) + 1; \
172 #else /* looping version */
173 #define R512(p0, p1, p2, p3, p4, p5, p6, p7, ROT, r_num) \
174 ROUND512(p0, p1, p2, p3, p4, p5, p6, p7, ROT, r_num) \
178 /* inject the key schedule value */ \
179 X0 += ks[r + (R) + 0]; \
180 X1 += ks[r + (R) + 1]; \
181 X2 += ks[r + (R) + 2]; \
182 X3 += ks[r + (R) + 3]; \
183 X4 += ks[r + (R) + 4]; \
184 X5 += ks[r + (R) + 5] + ts[r + (R) + 0]; \
185 X6 += ks[r + (R) + 6] + ts[r + (R) + 1]; \
186 X7 += ks[r + (R) + 7] + r + (R); \
187 /* rotate key schedule */ \
188 ks[r + (R) + 8] = ks[r + (R) - 1]; \
189 ts[r + (R) + 2] = ts[r + (R) - 1]; \
191 #endif /* end of looped code definitions */
192 #define R512_8_ROUNDS(R) /* do 8 full rounds */ \
194 R512(0, 1, 2, 3, 4, 5, 6, 7, R_512_0, 8 * (R) + 1); \
195 R512(2, 1, 4, 7, 6, 5, 0, 3, R_512_1, 8 * (R) + 2); \
196 R512(4, 1, 6, 3, 0, 5, 2, 7, R_512_2, 8 * (R) + 3); \
197 R512(6, 1, 0, 7, 2, 5, 4, 3, R_512_3, 8 * (R) + 4); \
199 R512(0, 1, 2, 3, 4, 5, 6, 7, R_512_4, 8 * (R) + 5); \
200 R512(2, 1, 4, 7, 6, 5, 0, 3, R_512_5, 8 * (R) + 6); \
201 R512(4, 1, 6, 3, 0, 5, 2, 7, R_512_6, 8 * (R) + 7); \
202 R512(6, 1, 0, 7, 2, 5, 4, 3, R_512_7, 8 * (R) + 8); \
203 I512(2 * (R) + 1); /* and key injection */ \
205 #define R512_UNROLL_R(NN) \
206 ((SKEIN_UNROLL_512 == 0 && \
207 SKEIN_512_ROUNDS_TOTAL / 8 > (NN)) || \
208 (SKEIN_UNROLL_512 > (NN)))
210 #if (SKEIN_UNROLL_512 > 14)
211 #error "need more unrolling in skein_512_process_block"
215 #if !(SKEIN_USE_ASM & 1024)
217 #define RCNT (SKEIN_1024_ROUNDS_TOTAL / 8)
218 #ifdef SKEIN_LOOP /* configure how much to unroll the loop */
219 #define SKEIN_UNROLL_1024 ((SKEIN_LOOP) % 10)
221 #define SKEIN_UNROLL_1024 (0)
224 #if (SKEIN_UNROLL_1024 != 0)
225 #if (RCNT % SKEIN_UNROLL_1024)
226 #error "Invalid SKEIN_UNROLL_1024" /* sanity check on unroll count */
229 #define ROUND1024(p0, p1, p2, p3, p4, p5, p6, p7, p8, p9, pA, pB, pC, pD, pE, \
233 X##p1 = rol64(X##p1, ROT##_0); \
236 X##p3 = rol64(X##p3, ROT##_1); \
239 X##p5 = rol64(X##p5, ROT##_2); \
242 X##p7 = rol64(X##p7, ROT##_3); \
245 X##p9 = rol64(X##p9, ROT##_4); \
248 X##pB = rol64(X##pB, ROT##_5); \
251 X##pD = rol64(X##pD, ROT##_6); \
254 X##pF = rol64(X##pF, ROT##_7); \
258 #if SKEIN_UNROLL_1024 == 0
259 #define R1024(p0, p1, p2, p3, p4, p5, p6, p7, p8, p9, pA, pB, pC, pD, pE, pF, \
261 ROUND1024(p0, p1, p2, p3, p4, p5, p6, p7, p8, p9, pA, pB, pC, pD, pE, \
266 /* inject the key schedule value */ \
267 X00 += ks[((R) + 1) % 17]; \
268 X01 += ks[((R) + 2) % 17]; \
269 X02 += ks[((R) + 3) % 17]; \
270 X03 += ks[((R) + 4) % 17]; \
271 X04 += ks[((R) + 5) % 17]; \
272 X05 += ks[((R) + 6) % 17]; \
273 X06 += ks[((R) + 7) % 17]; \
274 X07 += ks[((R) + 8) % 17]; \
275 X08 += ks[((R) + 9) % 17]; \
276 X09 += ks[((R) + 10) % 17]; \
277 X10 += ks[((R) + 11) % 17]; \
278 X11 += ks[((R) + 12) % 17]; \
279 X12 += ks[((R) + 13) % 17]; \
280 X13 += ks[((R) + 14) % 17] + ts[((R) + 1) % 3]; \
281 X14 += ks[((R) + 15) % 17] + ts[((R) + 2) % 3]; \
282 X15 += ks[((R) + 16) % 17] + (R) + 1; \
284 #else /* looping version */
285 #define R1024(p0, p1, p2, p3, p4, p5, p6, p7, p8, p9, pA, pB, pC, pD, pE, pF, \
287 ROUND1024(p0, p1, p2, p3, p4, p5, p6, p7, p8, p9, pA, pB, pC, pD, pE, \
292 /* inject the key schedule value */ \
293 X00 += ks[r + (R) + 0]; \
294 X01 += ks[r + (R) + 1]; \
295 X02 += ks[r + (R) + 2]; \
296 X03 += ks[r + (R) + 3]; \
297 X04 += ks[r + (R) + 4]; \
298 X05 += ks[r + (R) + 5]; \
299 X06 += ks[r + (R) + 6]; \
300 X07 += ks[r + (R) + 7]; \
301 X08 += ks[r + (R) + 8]; \
302 X09 += ks[r + (R) + 9]; \
303 X10 += ks[r + (R) + 10]; \
304 X11 += ks[r + (R) + 11]; \
305 X12 += ks[r + (R) + 12]; \
306 X13 += ks[r + (R) + 13] + ts[r + (R) + 0]; \
307 X14 += ks[r + (R) + 14] + ts[r + (R) + 1]; \
308 X15 += ks[r + (R) + 15] + r + (R); \
309 /* rotate key schedule */ \
310 ks[r + (R) + 16] = ks[r + (R) - 1]; \
311 ts[r + (R) + 2] = ts[r + (R) - 1]; \
315 #define R1024_8_ROUNDS(R) \
317 R1024(00, 01, 02, 03, 04, 05, 06, 07, 08, 09, 10, 11, 12, \
318 13, 14, 15, R1024_0, 8 * (R) + 1); \
319 R1024(00, 09, 02, 13, 06, 11, 04, 15, 10, 07, 12, 03, 14, \
320 05, 08, 01, R1024_1, 8 * (R) + 2); \
321 R1024(00, 07, 02, 05, 04, 03, 06, 01, 12, 15, 14, 13, 08, \
322 11, 10, 09, R1024_2, 8 * (R) + 3); \
323 R1024(00, 15, 02, 11, 06, 13, 04, 09, 14, 01, 08, 05, 10, \
324 03, 12, 07, R1024_3, 8 * (R) + 4); \
326 R1024(00, 01, 02, 03, 04, 05, 06, 07, 08, 09, 10, 11, 12, \
327 13, 14, 15, R1024_4, 8 * (R) + 5); \
328 R1024(00, 09, 02, 13, 06, 11, 04, 15, 10, 07, 12, 03, 14, \
329 05, 08, 01, R1024_5, 8 * (R) + 6); \
330 R1024(00, 07, 02, 05, 04, 03, 06, 01, 12, 15, 14, 13, 08, \
331 11, 10, 09, R1024_6, 8 * (R) + 7); \
332 R1024(00, 15, 02, 11, 06, 13, 04, 09, 14, 01, 08, 05, 10, \
333 03, 12, 07, R1024_7, 8 * (R) + 8); \
334 I1024(2 * (R) + 1); \
337 #define R1024_UNROLL_R(NN) \
338 ((SKEIN_UNROLL_1024 == 0 && \
339 SKEIN_1024_ROUNDS_TOTAL / 8 > (NN)) || \
340 (SKEIN_UNROLL_1024 > (NN)))
342 #if (SKEIN_UNROLL_1024 > 14)
343 #error "need more unrolling in Skein_1024_Process_Block"
347 /***************************** SKEIN_256 ******************************/
348 #if !(SKEIN_USE_ASM & 256)
349 void skein_256_process_block(struct skein_256_ctx *ctx, const u8 *blk_ptr,
350 size_t blk_cnt, size_t byte_cnt_add)
353 WCNT = SKEIN_256_STATE_WORDS
357 /* key schedule: chaining vars + tweak + "rot"*/
358 u64 kw[WCNT + 4 + (RCNT * 2)];
360 /* key schedule words : chaining vars + tweak */
363 u64 X0, X1, X2, X3; /* local copy of context vars, for speed */
364 u64 w[WCNT]; /* local copy of input block */
366 const u64 *X_ptr[4]; /* use for debugging (help cc put Xn in regs) */
373 skein_assert(blk_cnt != 0); /* never call with blk_cnt == 0! */
374 ts[0] = ctx->h.tweak[0];
375 ts[1] = ctx->h.tweak[1];
378 * this implementation only supports 2**64 input bytes
379 * (no carry out here)
381 ts[0] += byte_cnt_add; /* update processed length */
383 /* precompute the key schedule for this block */
388 ks[4] = ks[0] ^ ks[1] ^ ks[2] ^ ks[3] ^ SKEIN_KS_PARITY;
390 ts[2] = ts[0] ^ ts[1];
392 /* get input block in little-endian format */
393 skein_get64_lsb_first(w, blk_ptr, WCNT);
394 debug_save_tweak(ctx);
396 /* do the first full key injection */
398 X1 = w[1] + ks[1] + ts[0];
399 X2 = w[2] + ks[2] + ts[1];
402 blk_ptr += SKEIN_256_BLOCK_BYTES;
406 r < (SKEIN_UNROLL_256 ? 2 * RCNT : 2);
407 r += (SKEIN_UNROLL_256 ? 2 * SKEIN_UNROLL_256 : 1)) {
436 #if R256_UNROLL_R(10)
439 #if R256_UNROLL_R(11)
442 #if R256_UNROLL_R(12)
445 #if R256_UNROLL_R(13)
448 #if R256_UNROLL_R(14)
452 /* do the final "feedforward" xor, update context chaining */
453 ctx->x[0] = X0 ^ w[0];
454 ctx->x[1] = X1 ^ w[1];
455 ctx->x[2] = X2 ^ w[2];
456 ctx->x[3] = X3 ^ w[3];
458 ts[1] &= ~SKEIN_T1_FLAG_FIRST;
460 ctx->h.tweak[0] = ts[0];
461 ctx->h.tweak[1] = ts[1];
464 #if defined(SKEIN_CODE_SIZE) || defined(SKEIN_PERF)
465 size_t skein_256_process_block_code_size(void)
467 return ((u8 *)skein_256_process_block_code_size) -
468 ((u8 *)skein_256_process_block);
471 unsigned int skein_256_unroll_cnt(void)
473 return SKEIN_UNROLL_256;
478 /***************************** SKEIN_512 ******************************/
479 #if !(SKEIN_USE_ASM & 512)
480 void skein_512_process_block(struct skein_512_ctx *ctx, const u8 *blk_ptr,
481 size_t blk_cnt, size_t byte_cnt_add)
484 WCNT = SKEIN_512_STATE_WORDS
488 /* key sched: chaining vars + tweak + "rot"*/
489 u64 kw[WCNT + 4 + RCNT * 2];
491 /* key schedule words : chaining vars + tweak */
494 u64 X0, X1, X2, X3, X4, X5, X6, X7; /* local copies, for speed */
495 u64 w[WCNT]; /* local copy of input block */
497 const u64 *X_ptr[8]; /* use for debugging (help cc put Xn in regs) */
509 skein_assert(blk_cnt != 0); /* never call with blk_cnt == 0! */
510 ts[0] = ctx->h.tweak[0];
511 ts[1] = ctx->h.tweak[1];
514 * this implementation only supports 2**64 input bytes
515 * (no carry out here)
517 ts[0] += byte_cnt_add; /* update processed length */
519 /* precompute the key schedule for this block */
528 ks[8] = ks[0] ^ ks[1] ^ ks[2] ^ ks[3] ^
529 ks[4] ^ ks[5] ^ ks[6] ^ ks[7] ^ SKEIN_KS_PARITY;
531 ts[2] = ts[0] ^ ts[1];
533 /* get input block in little-endian format */
534 skein_get64_lsb_first(w, blk_ptr, WCNT);
535 debug_save_tweak(ctx);
537 /* do the first full key injection */
543 X5 = w[5] + ks[5] + ts[0];
544 X6 = w[6] + ks[6] + ts[1];
547 blk_ptr += SKEIN_512_BLOCK_BYTES;
551 r < (SKEIN_UNROLL_512 ? 2 * RCNT : 2);
552 r += (SKEIN_UNROLL_512 ? 2 * SKEIN_UNROLL_512 : 1)) {
582 #if R512_UNROLL_R(10)
585 #if R512_UNROLL_R(11)
588 #if R512_UNROLL_R(12)
591 #if R512_UNROLL_R(13)
594 #if R512_UNROLL_R(14)
599 /* do the final "feedforward" xor, update context chaining */
600 ctx->x[0] = X0 ^ w[0];
601 ctx->x[1] = X1 ^ w[1];
602 ctx->x[2] = X2 ^ w[2];
603 ctx->x[3] = X3 ^ w[3];
604 ctx->x[4] = X4 ^ w[4];
605 ctx->x[5] = X5 ^ w[5];
606 ctx->x[6] = X6 ^ w[6];
607 ctx->x[7] = X7 ^ w[7];
609 ts[1] &= ~SKEIN_T1_FLAG_FIRST;
611 ctx->h.tweak[0] = ts[0];
612 ctx->h.tweak[1] = ts[1];
615 #if defined(SKEIN_CODE_SIZE) || defined(SKEIN_PERF)
616 size_t skein_512_process_block_code_size(void)
618 return ((u8 *)skein_512_process_block_code_size) -
619 ((u8 *)skein_512_process_block);
622 unsigned int skein_512_unroll_cnt(void)
624 return SKEIN_UNROLL_512;
629 /***************************** SKEIN_1024 ******************************/
630 #if !(SKEIN_USE_ASM & 1024)
631 void skein_1024_process_block(struct skein_1024_ctx *ctx, const u8 *blk_ptr,
632 size_t blk_cnt, size_t byte_cnt_add)
633 { /* do it in C, always looping (unrolled is bigger AND slower!) */
635 WCNT = SKEIN_1024_STATE_WORDS
638 #if (SKEIN_UNROLL_1024 != 0)
639 /* key sched: chaining vars + tweak + "rot" */
640 u64 kw[WCNT + 4 + (RCNT * 2)];
642 /* key schedule words : chaining vars + tweak */
646 /* local copy of vars, for speed */
647 u64 X00, X01, X02, X03, X04, X05, X06, X07,
648 X08, X09, X10, X11, X12, X13, X14, X15;
649 u64 w[WCNT]; /* local copy of input block */
651 skein_assert(blk_cnt != 0); /* never call with blk_cnt == 0! */
652 ts[0] = ctx->h.tweak[0];
653 ts[1] = ctx->h.tweak[1];
656 * this implementation only supports 2**64 input bytes
657 * (no carry out here)
659 ts[0] += byte_cnt_add; /* update processed length */
661 /* precompute the key schedule for this block */
678 ks[16] = ks[0] ^ ks[1] ^ ks[2] ^ ks[3] ^
679 ks[4] ^ ks[5] ^ ks[6] ^ ks[7] ^
680 ks[8] ^ ks[9] ^ ks[10] ^ ks[11] ^
681 ks[12] ^ ks[13] ^ ks[14] ^ ks[15] ^ SKEIN_KS_PARITY;
683 ts[2] = ts[0] ^ ts[1];
685 /* get input block in little-endian format */
686 skein_get64_lsb_first(w, blk_ptr, WCNT);
687 debug_save_tweak(ctx);
689 /* do the first full key injection */
700 X10 = w[10] + ks[10];
701 X11 = w[11] + ks[11];
702 X12 = w[12] + ks[12];
703 X13 = w[13] + ks[13] + ts[0];
704 X14 = w[14] + ks[14] + ts[1];
705 X15 = w[15] + ks[15];
708 r < (SKEIN_UNROLL_1024 ? 2 * RCNT : 2);
709 r += (SKEIN_UNROLL_1024 ? 2 * SKEIN_UNROLL_1024 : 1)) {
711 #if R1024_UNROLL_R(1)
714 #if R1024_UNROLL_R(2)
717 #if R1024_UNROLL_R(3)
720 #if R1024_UNROLL_R(4)
723 #if R1024_UNROLL_R(5)
726 #if R1024_UNROLL_R(6)
729 #if R1024_UNROLL_R(7)
732 #if R1024_UNROLL_R(8)
735 #if R1024_UNROLL_R(9)
738 #if R1024_UNROLL_R(10)
741 #if R1024_UNROLL_R(11)
744 #if R1024_UNROLL_R(12)
747 #if R1024_UNROLL_R(13)
750 #if R1024_UNROLL_R(14)
754 /* do the final "feedforward" xor, update context chaining */
756 ctx->x[0] = X00 ^ w[0];
757 ctx->x[1] = X01 ^ w[1];
758 ctx->x[2] = X02 ^ w[2];
759 ctx->x[3] = X03 ^ w[3];
760 ctx->x[4] = X04 ^ w[4];
761 ctx->x[5] = X05 ^ w[5];
762 ctx->x[6] = X06 ^ w[6];
763 ctx->x[7] = X07 ^ w[7];
764 ctx->x[8] = X08 ^ w[8];
765 ctx->x[9] = X09 ^ w[9];
766 ctx->x[10] = X10 ^ w[10];
767 ctx->x[11] = X11 ^ w[11];
768 ctx->x[12] = X12 ^ w[12];
769 ctx->x[13] = X13 ^ w[13];
770 ctx->x[14] = X14 ^ w[14];
771 ctx->x[15] = X15 ^ w[15];
773 ts[1] &= ~SKEIN_T1_FLAG_FIRST;
774 blk_ptr += SKEIN_1024_BLOCK_BYTES;
776 ctx->h.tweak[0] = ts[0];
777 ctx->h.tweak[1] = ts[1];
780 #if defined(SKEIN_CODE_SIZE) || defined(SKEIN_PERF)
781 size_t skein_1024_process_block_code_size(void)
783 return ((u8 *)skein_1024_process_block_code_size) -
784 ((u8 *)skein_1024_process_block);
787 unsigned int skein_1024_unroll_cnt(void)
789 return SKEIN_UNROLL_1024;
git.samba.org / sfrench / cifs-2.6.git / blob