/tmp/bitcoin/src/crypto/sha3.cpp

Source
// Copyright (c) 2020-present The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

// Based on https://github.com/mjosaarinen/tiny_sha3/blob/master/sha3.c
// by Markku-Juhani O. Saarinen <mjos@iki.fi>

#include <crypto/sha3.h>
#include <crypto/common.h>

#include <algorithm>
#include <bit>
#include <cassert>
#include <iterator>
#include <span>

void KeccakF(uint64_t (&st)[25])
{
    static constexpr uint64_t RNDC[24] = {
        0x0000000000000001, 0x0000000000008082, 0x800000000000808a, 0x8000000080008000,
        0x000000000000808b, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
        0x000000000000008a, 0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
        0x000000008000808b, 0x800000000000008b, 0x8000000000008089, 0x8000000000008003,
        0x8000000000008002, 0x8000000000000080, 0x000000000000800a, 0x800000008000000a,
        0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008
    };
    static constexpr int ROUNDS = 24;

    for (int round = 0; round < ROUNDS; ++round) {
        uint64_t bc0, bc1, bc2, bc3, bc4, t;

        // Theta
        bc0 = st[0] ^ st[5] ^ st[10] ^ st[15] ^ st[20];
        bc1 = st[1] ^ st[6] ^ st[11] ^ st[16] ^ st[21];
        bc2 = st[2] ^ st[7] ^ st[12] ^ st[17] ^ st[22];
        bc3 = st[3] ^ st[8] ^ st[13] ^ st[18] ^ st[23];
        bc4 = st[4] ^ st[9] ^ st[14] ^ st[19] ^ st[24];
        t = bc4 ^ std::rotl(bc1, 1); st[0] ^= t; st[5] ^= t; st[10] ^= t; st[15] ^= t; st[20] ^= t;
        t = bc0 ^ std::rotl(bc2, 1); st[1] ^= t; st[6] ^= t; st[11] ^= t; st[16] ^= t; st[21] ^= t;
        t = bc1 ^ std::rotl(bc3, 1); st[2] ^= t; st[7] ^= t; st[12] ^= t; st[17] ^= t; st[22] ^= t;
        t = bc2 ^ std::rotl(bc4, 1); st[3] ^= t; st[8] ^= t; st[13] ^= t; st[18] ^= t; st[23] ^= t;
        t = bc3 ^ std::rotl(bc0, 1); st[4] ^= t; st[9] ^= t; st[14] ^= t; st[19] ^= t; st[24] ^= t;

        // Rho Pi
        t = st[1];
        bc0 = st[10]; st[10] = std::rotl(t, 1); t = bc0;
        bc0 = st[7]; st[7] = std::rotl(t, 3); t = bc0;
        bc0 = st[11]; st[11] = std::rotl(t, 6); t = bc0;
        bc0 = st[17]; st[17] = std::rotl(t, 10); t = bc0;
        bc0 = st[18]; st[18] = std::rotl(t, 15); t = bc0;
        bc0 = st[3]; st[3] = std::rotl(t, 21); t = bc0;
        bc0 = st[5]; st[5] = std::rotl(t, 28); t = bc0;
        bc0 = st[16]; st[16] = std::rotl(t, 36); t = bc0;
        bc0 = st[8]; st[8] = std::rotl(t, 45); t = bc0;
        bc0 = st[21]; st[21] = std::rotl(t, 55); t = bc0;
        bc0 = st[24]; st[24] = std::rotl(t, 2); t = bc0;
        bc0 = st[4]; st[4] = std::rotl(t, 14); t = bc0;
        bc0 = st[15]; st[15] = std::rotl(t, 27); t = bc0;
        bc0 = st[23]; st[23] = std::rotl(t, 41); t = bc0;
        bc0 = st[19]; st[19] = std::rotl(t, 56); t = bc0;
        bc0 = st[13]; st[13] = std::rotl(t, 8); t = bc0;
        bc0 = st[12]; st[12] = std::rotl(t, 25); t = bc0;
        bc0 = st[2]; st[2] = std::rotl(t, 43); t = bc0;
        bc0 = st[20]; st[20] = std::rotl(t, 62); t = bc0;
        bc0 = st[14]; st[14] = std::rotl(t, 18); t = bc0;
        bc0 = st[22]; st[22] = std::rotl(t, 39); t = bc0;
        bc0 = st[9]; st[9] = std::rotl(t, 61); t = bc0;
        bc0 = st[6]; st[6] = std::rotl(t, 20); t = bc0;
        st[1] = std::rotl(t, 44);

        // Chi Iota
        bc0 = st[0]; bc1 = st[1]; bc2 = st[2]; bc3 = st[3]; bc4 = st[4];
        st[0] = bc0 ^ (~bc1 & bc2) ^ RNDC[round];
        st[1] = bc1 ^ (~bc2 & bc3);
        st[2] = bc2 ^ (~bc3 & bc4);
        st[3] = bc3 ^ (~bc4 & bc0);
        st[4] = bc4 ^ (~bc0 & bc1);
        bc0 = st[5]; bc1 = st[6]; bc2 = st[7]; bc3 = st[8]; bc4 = st[9];
        st[5] = bc0 ^ (~bc1 & bc2);
        st[6] = bc1 ^ (~bc2 & bc3);
        st[7] = bc2 ^ (~bc3 & bc4);
        st[8] = bc3 ^ (~bc4 & bc0);
        st[9] = bc4 ^ (~bc0 & bc1);
        bc0 = st[10]; bc1 = st[11]; bc2 = st[12]; bc3 = st[13]; bc4 = st[14];
        st[10] = bc0 ^ (~bc1 & bc2);
        st[11] = bc1 ^ (~bc2 & bc3);
        st[12] = bc2 ^ (~bc3 & bc4);
        st[13] = bc3 ^ (~bc4 & bc0);
        st[14] = bc4 ^ (~bc0 & bc1);
        bc0 = st[15]; bc1 = st[16]; bc2 = st[17]; bc3 = st[18]; bc4 = st[19];
        st[15] = bc0 ^ (~bc1 & bc2);
        st[16] = bc1 ^ (~bc2 & bc3);
        st[17] = bc2 ^ (~bc3 & bc4);
        st[18] = bc3 ^ (~bc4 & bc0);
        st[19] = bc4 ^ (~bc0 & bc1);
        bc0 = st[20]; bc1 = st[21]; bc2 = st[22]; bc3 = st[23]; bc4 = st[24];
        st[20] = bc0 ^ (~bc1 & bc2);
        st[21] = bc1 ^ (~bc2 & bc3);
        st[22] = bc2 ^ (~bc3 & bc4);
        st[23] = bc3 ^ (~bc4 & bc0);
        st[24] = bc4 ^ (~bc0 & bc1);
    }
}

SHA3_256& SHA3_256::Write(std::span<const unsigned char> data)
{
    if (m_bufsize && data.size() >= sizeof(m_buffer) - m_bufsize) {
        // Fill the buffer and process it.
        std::copy(data.begin(), data.begin() + (sizeof(m_buffer) - m_bufsize), m_buffer + m_bufsize);
        data = data.subspan(sizeof(m_buffer) - m_bufsize);
        m_state[m_pos++] ^= ReadLE64(m_buffer);
        m_bufsize = 0;
        if (m_pos == RATE_BUFFERS) {
            KeccakF(m_state);
            m_pos = 0;
        }
    }
    while (data.size() >= sizeof(m_buffer)) {
        // Process chunks directly from the buffer.
        m_state[m_pos++] ^= ReadLE64(data.data());
        data = data.subspan(8);
        if (m_pos == RATE_BUFFERS) {
            KeccakF(m_state);
            m_pos = 0;
        }
    }
    if (data.size()) {
        // Keep the remainder in the buffer.
        std::copy(data.begin(), data.end(), m_buffer + m_bufsize);
        m_bufsize += data.size();
    }
    return *this;
}

SHA3_256& SHA3_256::Finalize(std::span<unsigned char> output)
{
    assert(output.size() == OUTPUT_SIZE);
    std::fill(m_buffer + m_bufsize, m_buffer + sizeof(m_buffer), 0);
    m_buffer[m_bufsize] ^= 0x06;
    m_state[m_pos] ^= ReadLE64(m_buffer);
    m_state[RATE_BUFFERS - 1] ^= 0x8000000000000000;
    KeccakF(m_state);
    for (unsigned i = 0; i < 4; ++i) {
        WriteLE64(output.data() + 8 * i, m_state[i]);
    }
    return *this;
}

SHA3_256& SHA3_256::Reset()
{
    m_bufsize = 0;
    m_pos = 0;
    std::fill(std::begin(m_state), std::end(m_state), 0);
    return *this;
}

Line	Count	Source
1		// Copyright (c) 2020-present The Bitcoin Core developers
2		// Distributed under the MIT software license, see the accompanying
3		// file COPYING or http://www.opensource.org/licenses/mit-license.php.
4
5		// Based on https://github.com/mjosaarinen/tiny_sha3/blob/master/sha3.c
6		// by Markku-Juhani O. Saarinen <mjos@iki.fi>
7
8		#include <crypto/sha3.h>
9		#include <crypto/common.h>
10
11		#include <algorithm>
12		#include <bit>
13		#include <cassert>
14		#include <iterator>
15		#include <span>
16
17		void KeccakF(uint64_t (&st)[25])
18	262k	{
19	262k	static constexpr uint64_t RNDC[24] = {
20	262k	0x0000000000000001, 0x0000000000008082, 0x800000000000808a, 0x8000000080008000,
21	262k	0x000000000000808b, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
22	262k	0x000000000000008a, 0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
23	262k	0x000000008000808b, 0x800000000000008b, 0x8000000000008089, 0x8000000000008003,
24	262k	0x8000000000008002, 0x8000000000000080, 0x000000000000800a, 0x800000008000000a,
25	262k	0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008
26	262k	};
27	262k	static constexpr int ROUNDS = 24;
28
29	6.56M	for (int round = 0; round < ROUNDS; ++round) {
30	6.30M	uint64_t bc0, bc1, bc2, bc3, bc4, t;
31
32		// Theta
33	6.30M	bc0 = st[0] ^ st[5] ^ st[10] ^ st[15] ^ st[20];
34	6.30M	bc1 = st[1] ^ st[6] ^ st[11] ^ st[16] ^ st[21];
35	6.30M	bc2 = st[2] ^ st[7] ^ st[12] ^ st[17] ^ st[22];
36	6.30M	bc3 = st[3] ^ st[8] ^ st[13] ^ st[18] ^ st[23];
37	6.30M	bc4 = st[4] ^ st[9] ^ st[14] ^ st[19] ^ st[24];
38	6.30M	t = bc4 ^ std::rotl(bc1, 1); st[0] ^= t; st[5] ^= t; st[10] ^= t; st[15] ^= t; st[20] ^= t;
39	6.30M	t = bc0 ^ std::rotl(bc2, 1); st[1] ^= t; st[6] ^= t; st[11] ^= t; st[16] ^= t; st[21] ^= t;
40	6.30M	t = bc1 ^ std::rotl(bc3, 1); st[2] ^= t; st[7] ^= t; st[12] ^= t; st[17] ^= t; st[22] ^= t;
41	6.30M	t = bc2 ^ std::rotl(bc4, 1); st[3] ^= t; st[8] ^= t; st[13] ^= t; st[18] ^= t; st[23] ^= t;
42	6.30M	t = bc3 ^ std::rotl(bc0, 1); st[4] ^= t; st[9] ^= t; st[14] ^= t; st[19] ^= t; st[24] ^= t;
43
44		// Rho Pi
45	6.30M	t = st[1];
46	6.30M	bc0 = st[10]; st[10] = std::rotl(t, 1); t = bc0;
47	6.30M	bc0 = st[7]; st[7] = std::rotl(t, 3); t = bc0;
48	6.30M	bc0 = st[11]; st[11] = std::rotl(t, 6); t = bc0;
49	6.30M	bc0 = st[17]; st[17] = std::rotl(t, 10); t = bc0;
50	6.30M	bc0 = st[18]; st[18] = std::rotl(t, 15); t = bc0;
51	6.30M	bc0 = st[3]; st[3] = std::rotl(t, 21); t = bc0;
52	6.30M	bc0 = st[5]; st[5] = std::rotl(t, 28); t = bc0;
53	6.30M	bc0 = st[16]; st[16] = std::rotl(t, 36); t = bc0;
54	6.30M	bc0 = st[8]; st[8] = std::rotl(t, 45); t = bc0;
55	6.30M	bc0 = st[21]; st[21] = std::rotl(t, 55); t = bc0;
56	6.30M	bc0 = st[24]; st[24] = std::rotl(t, 2); t = bc0;
57	6.30M	bc0 = st[4]; st[4] = std::rotl(t, 14); t = bc0;
58	6.30M	bc0 = st[15]; st[15] = std::rotl(t, 27); t = bc0;
59	6.30M	bc0 = st[23]; st[23] = std::rotl(t, 41); t = bc0;
60	6.30M	bc0 = st[19]; st[19] = std::rotl(t, 56); t = bc0;
61	6.30M	bc0 = st[13]; st[13] = std::rotl(t, 8); t = bc0;
62	6.30M	bc0 = st[12]; st[12] = std::rotl(t, 25); t = bc0;
63	6.30M	bc0 = st[2]; st[2] = std::rotl(t, 43); t = bc0;
64	6.30M	bc0 = st[20]; st[20] = std::rotl(t, 62); t = bc0;
65	6.30M	bc0 = st[14]; st[14] = std::rotl(t, 18); t = bc0;
66	6.30M	bc0 = st[22]; st[22] = std::rotl(t, 39); t = bc0;
67	6.30M	bc0 = st[9]; st[9] = std::rotl(t, 61); t = bc0;
68	6.30M	bc0 = st[6]; st[6] = std::rotl(t, 20); t = bc0;
69	6.30M	st[1] = std::rotl(t, 44);
70
71		// Chi Iota
72	6.30M	bc0 = st[0]; bc1 = st[1]; bc2 = st[2]; bc3 = st[3]; bc4 = st[4];
73	6.30M	st[0] = bc0 ^ (~bc1 & bc2) ^ RNDC[round];
74	6.30M	st[1] = bc1 ^ (~bc2 & bc3);
75	6.30M	st[2] = bc2 ^ (~bc3 & bc4);
76	6.30M	st[3] = bc3 ^ (~bc4 & bc0);
77	6.30M	st[4] = bc4 ^ (~bc0 & bc1);
78	6.30M	bc0 = st[5]; bc1 = st[6]; bc2 = st[7]; bc3 = st[8]; bc4 = st[9];
79	6.30M	st[5] = bc0 ^ (~bc1 & bc2);
80	6.30M	st[6] = bc1 ^ (~bc2 & bc3);
81	6.30M	st[7] = bc2 ^ (~bc3 & bc4);
82	6.30M	st[8] = bc3 ^ (~bc4 & bc0);
83	6.30M	st[9] = bc4 ^ (~bc0 & bc1);
84	6.30M	bc0 = st[10]; bc1 = st[11]; bc2 = st[12]; bc3 = st[13]; bc4 = st[14];
85	6.30M	st[10] = bc0 ^ (~bc1 & bc2);
86	6.30M	st[11] = bc1 ^ (~bc2 & bc3);
87	6.30M	st[12] = bc2 ^ (~bc3 & bc4);
88	6.30M	st[13] = bc3 ^ (~bc4 & bc0);
89	6.30M	st[14] = bc4 ^ (~bc0 & bc1);
90	6.30M	bc0 = st[15]; bc1 = st[16]; bc2 = st[17]; bc3 = st[18]; bc4 = st[19];
91	6.30M	st[15] = bc0 ^ (~bc1 & bc2);
92	6.30M	st[16] = bc1 ^ (~bc2 & bc3);
93	6.30M	st[17] = bc2 ^ (~bc3 & bc4);
94	6.30M	st[18] = bc3 ^ (~bc4 & bc0);
95	6.30M	st[19] = bc4 ^ (~bc0 & bc1);
96	6.30M	bc0 = st[20]; bc1 = st[21]; bc2 = st[22]; bc3 = st[23]; bc4 = st[24];
97	6.30M	st[20] = bc0 ^ (~bc1 & bc2);
98	6.30M	st[21] = bc1 ^ (~bc2 & bc3);
99	6.30M	st[22] = bc2 ^ (~bc3 & bc4);
100	6.30M	st[23] = bc3 ^ (~bc4 & bc0);
101	6.30M	st[24] = bc4 ^ (~bc0 & bc1);
102	6.30M	}
103	262k	}
104
105		SHA3_256& SHA3_256::Write(std::span<const unsigned char> data)
106	1.00k	{
107	1.00k	if (m_bufsize && data.size() >= sizeof(m_buffer) - m_bufsize) {
108		// Fill the buffer and process it.
109	570	std::copy(data.begin(), data.begin() + (sizeof(m_buffer) - m_bufsize), m_buffer + m_bufsize);
110	570	data = data.subspan(sizeof(m_buffer) - m_bufsize);
111	570	m_state[m_pos++] ^= ReadLE64(m_buffer);
112	570	m_bufsize = 0;
113	570	if (m_pos == RATE_BUFFERS) {
114	4	KeccakF(m_state);
115	4	m_pos = 0;
116	4	}
117	570	}
118	6.41k	while (data.size() >= sizeof(m_buffer)) {
119		// Process chunks directly from the buffer.
120	5.41k	m_state[m_pos++] ^= ReadLE64(data.data());
121	5.41k	data = data.subspan(8);
122	5.41k	if (m_pos == RATE_BUFFERS) {
123	236	KeccakF(m_state);
124	236	m_pos = 0;
125	236	}
126	5.41k	}
127	1.00k	if (data.size()) {
128		// Keep the remainder in the buffer.
129	690	std::copy(data.begin(), data.end(), m_buffer + m_bufsize);
130	690	m_bufsize += data.size();
131	690	}
132	1.00k	return *this;
133	1.00k	}
134
135		SHA3_256& SHA3_256::Finalize(std::span<unsigned char> output)
136	370	{
137	370	assert(output.size() == OUTPUT_SIZE);
138	370	std::fill(m_buffer + m_bufsize, m_buffer + sizeof(m_buffer), 0);
139	370	m_buffer[m_bufsize] ^= 0x06;
140	370	m_state[m_pos] ^= ReadLE64(m_buffer);
141	370	m_state[RATE_BUFFERS - 1] ^= 0x8000000000000000;
142	370	KeccakF(m_state);
143	1.85k	for (unsigned i = 0; i < 4; ++i) {
144	1.48k	WriteLE64(output.data() + 8 * i, m_state[i]);
145	1.48k	}
146	370	return *this;
147	370	}
148
149		SHA3_256& SHA3_256::Reset()
150	55	{
151	55	m_bufsize = 0;
152	55	m_pos = 0;
153	55	std::fill(std::begin(m_state), std::end(m_state), 0);
154	55	return *this;
155	55	}

Coverage Report

Created: 2026-06-17 15:31