2 * HEFTY1 cryptographic hash function
4 * Copyright (c) 2014, dbcc14 <BM-NBx4AKznJuyem3dArgVY8MGyABpihRy5>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions are met:
10 * 1. Redistributions of source code must retain the above copyright notice, this
11 * list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright notice,
13 * this list of conditions and the following disclaimer in the documentation
14 * and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
19 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
20 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
23 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
25 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 * The views and conclusions contained in the software and documentation are those
28 * of the authors and should not be interpreted as representing official policies,
29 * either expressed or implied, of the FreeBSD Project.
35 #include "sph_hefty1.h"
37 #define Min(A, B) (A <= B ? A : B)
38 #define RoundFunc(ctx, A, B, C, D, E, F, G, H, W, K) \
40 /* To thwart parallelism, Br modifies itself each time it's \
41 * called. This also means that calling it in different \
42 * orders yeilds different results. In C the order of \
43 * evaluation of function arguments and + operands are \
44 * unspecified (and depends on the compiler), so we must make \
45 * the order of Br calls explicit. \
47 uint32_t brG = Br(ctx, G); \
48 uint32_t tmp1 = Ch(E, Br(ctx, F), brG) + H + W + K; \
49 uint32_t tmp2 = tmp1 + Sigma1(Br(ctx, E)); \
50 uint32_t brC = Br(ctx, C); \
51 uint32_t brB = Br(ctx, B); \
52 uint32_t tmp3 = Ma(Br(ctx, A), brB, brC); \
53 uint32_t tmp4 = tmp3 + Sigma0(Br(ctx, A)); \
57 E = D + Br(ctx, tmp2); \
64 /* Nothing up my sleeve constants */
65 const static uint32_t K[64] = {
66 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
67 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
68 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
69 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
70 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
71 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
72 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
73 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
74 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
75 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
76 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
77 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
78 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
79 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
80 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
81 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
84 /* Initial hash values */
85 const static uint32_t H[HEFTY1_STATE_WORDS] = {
96 static inline uint32_t Rr(uint32_t X, uint8_t n)
98 return (X >> n) | (X << (32 - n));
101 static inline uint32_t Ch(uint32_t E, uint32_t F, uint32_t G)
103 return (E & F) ^ (~E & G);
106 static inline uint32_t Sigma1(uint32_t E)
108 return Rr(E, 6) ^ Rr(E, 11) ^ Rr(E, 25);
111 static inline uint32_t sigma1(uint32_t X)
113 return Rr(X, 17) ^ Rr(X, 19) ^ (X >> 10);
116 static inline uint32_t Ma(uint32_t A, uint32_t B, uint32_t C)
118 return (A & B) ^ (A & C) ^ (B & C);
121 static inline uint32_t Sigma0(uint32_t A)
123 return Rr(A, 2) ^ Rr(A, 13) ^ Rr(A, 22);
126 static inline uint32_t sigma0(uint32_t X)
128 return Rr(X, 7) ^ Rr(X, 18) ^ (X >> 3);
131 static inline uint32_t Reverse32(uint32_t n)
133 #if BYTE_ORDER == LITTLE_ENDIAN
134 return n << 24 | (n & 0x0000ff00) << 8 | (n & 0x00ff0000) >> 8 | n >> 24;
140 static inline uint64_t Reverse64(uint64_t n)
142 #if BYTE_ORDER == LITTLE_ENDIAN
143 uint32_t a = n >> 32;
144 uint32_t b = (n << 32) >> 32;
146 return (uint64_t)Reverse32(b) << 32 | Reverse32(a);
152 /* Smoosh byte into nibble */
153 static inline uint8_t Smoosh4(uint8_t X)
155 return (X >> 4) ^ (X & 0xf);
158 /* Smoosh 32-bit word into 2-bits */
159 static inline uint8_t Smoosh2(uint32_t X)
161 uint16_t w = (X >> 16) ^ (X & 0xffff);
162 uint8_t n = Smoosh4((w >> 8) ^ (w & 0xff));
163 return (n >> 2) ^ (n & 0x3);
166 static void Mangle(uint32_t *S)
171 uint8_t r0 = Smoosh4(R[0] >> 24);
172 uint8_t r1 = Smoosh4(R[0] >> 16);
173 uint8_t r2 = Smoosh4(R[0] >> 8);
174 uint8_t r3 = Smoosh4(R[0] & 0xff);
180 for (i = 0; i < HEFTY1_SPONGE_WORDS - 1; i++) {
181 uint8_t r = Smoosh2(tmp);
184 C[i] ^= Rr(R[0], i + r0);
187 C[i] += Rr(~R[0], i + r1);
190 C[i] &= Rr(~R[0], i + r2);
193 C[i] ^= Rr(R[0], i + r3);
201 for (i = 0; i < HEFTY1_SPONGE_WORDS - 1; i++)
209 static void Absorb(uint32_t *S, uint32_t X)
216 static uint32_t Squeeze(uint32_t *S)
223 /* Branch, compress and serialize function */
224 static inline uint32_t Br(HEFTY1_CTX *ctx, uint32_t X)
226 uint32_t R = Squeeze(ctx->sponge);
229 uint8_t r1 = R & 0xff;
231 uint32_t Y = 1 << (r0 % 32);
249 static void HashBlock(HEFTY1_CTX *ctx)
251 uint32_t A, B, C, D, E, F, G, H;
252 uint32_t W[HEFTY1_BLOCK_BYTES];
266 for (; t < 16; t++) {
267 W[t] = Reverse32(((uint32_t *)&ctx->block[0])[t]); /* To host byte order */
268 Absorb(ctx->sponge, W[t] ^ K[t]);
271 for (t = 0; t < 16; t++) {
272 Absorb(ctx->sponge, D ^ H);
273 RoundFunc(ctx, A, B, C, D, E, F, G, H, W[t], K[t]);
275 for (t = 16; t < 64; t++) {
276 Absorb(ctx->sponge, H + D);
277 W[t] = sigma1(W[t - 2]) + W[t - 7] + sigma0(W[t - 15]) + W[t - 16];
278 RoundFunc(ctx, A, B, C, D, E, F, G, H, W[t], K[t]);
299 memset(W, 0, sizeof(W));
302 /* Public interface */
304 void HEFTY1_Init(HEFTY1_CTX *ctx)
308 memcpy(ctx->h, H, sizeof(ctx->h));
309 memset(ctx->block, 0, sizeof(ctx->block));
311 memset(ctx->sponge, 0, sizeof(ctx->sponge));
314 void HEFTY1_Update(HEFTY1_CTX *ctx, const void *buf, size_t len)
320 uint64_t end = ctx->written % HEFTY1_BLOCK_BYTES;
321 uint64_t count = Min(len, HEFTY1_BLOCK_BYTES - end);
322 memcpy(&ctx->block[end], &((unsigned char *)buf)[read], count);
325 ctx->written += count;
326 if (!(ctx->written % HEFTY1_BLOCK_BYTES))
331 void HEFTY1_Final(unsigned char *digest, HEFTY1_CTX *ctx)
336 /* Pad message (FIPS 180 Section 5.1.1) */
337 uint64_t used = ctx->written % HEFTY1_BLOCK_BYTES;
338 ctx->block[used++] = 0x80; /* Append 1 to end of message */
339 if (used > HEFTY1_BLOCK_BYTES - 8) {
340 /* We have already written into the last 64bits, so
341 * we must continue into the next block. */
342 memset(&ctx->block[used], 0, HEFTY1_BLOCK_BYTES - used);
344 used = 0; /* Create a new block (below) */
347 /* All remaining bits to zero */
348 memset(&ctx->block[used], 0, HEFTY1_BLOCK_BYTES - 8 - used);
350 /* The last 64bits encode the length (in network byte order) */
351 uint64_t *len = (uint64_t *)&ctx->block[HEFTY1_BLOCK_BYTES - 8];
352 *len = Reverse64(ctx->written*8);
356 /* Convert back to network byte order */
358 for (; i < HEFTY1_STATE_WORDS; i++)
359 ctx->h[i] = Reverse32(ctx->h[i]);
361 memcpy(digest, ctx->h, sizeof(ctx->h));
362 memset(ctx, 0, sizeof(HEFTY1_CTX));
365 unsigned char* HEFTY1(const unsigned char *buf, size_t len, unsigned char *digest)
368 static unsigned char m[HEFTY1_DIGEST_BYTES];
374 HEFTY1_Update(&ctx, buf, len);
375 HEFTY1_Final(digest, &ctx);
projects / cpuminer-multi.git / blob