1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
|
.text
.align 8 // strategic alignment and padding that allows to use
// address value as loop termination condition...
.quad 0,0,0,0,0,0,0,0
iotas:
.quad 0x0000000000000001
.quad 0x0000000000008082
.quad 0x800000000000808a
.quad 0x8000000080008000
.quad 0x000000000000808b
.quad 0x0000000080000001
.quad 0x8000000080008081
.quad 0x8000000000008009
.quad 0x000000000000008a
.quad 0x0000000000000088
.quad 0x0000000080008009
.quad 0x000000008000000a
.quad 0x000000008000808b
.quad 0x800000000000008b
.quad 0x8000000000008089
.quad 0x8000000000008003
.quad 0x8000000000008002
.quad 0x8000000000000080
.quad 0x000000000000800a
.quad 0x800000008000000a
.quad 0x8000000080008081
.quad 0x8000000000008080
.quad 0x0000000080000001
.quad 0x8000000080008008
.align 5
KeccakF1600_int:
adr x28,iotas
.long 0xd503233f // paciasp
stp x28,x30,[sp,#16] // 32 bytes on top are mine
b Loop
.align 4
Loop:
////////////////////////////////////////// Theta
eor x26,x0,x5
stp x4,x9,[sp,#0] // offload pair...
eor x27,x1,x6
eor x28,x2,x7
eor x30,x3,x8
eor x4,x4,x9
eor x26,x26,x10
eor x27,x27,x11
eor x28,x28,x12
eor x30,x30,x13
eor x4,x4,x14
eor x26,x26,x15
eor x27,x27,x16
eor x28,x28,x17
eor x30,x30,x25
eor x4,x4,x19
eor x26,x26,x20
eor x28,x28,x22
eor x27,x27,x21
eor x30,x30,x23
eor x4,x4,x24
eor x9,x26,x28,ror#63
eor x1,x1,x9
eor x6,x6,x9
eor x11,x11,x9
eor x16,x16,x9
eor x21,x21,x9
eor x9,x27,x30,ror#63
eor x28,x28,x4,ror#63
eor x30,x30,x26,ror#63
eor x4,x4,x27,ror#63
eor x27, x2,x9 // mov x27,x2
eor x7,x7,x9
eor x12,x12,x9
eor x17,x17,x9
eor x22,x22,x9
eor x0,x0,x4
eor x5,x5,x4
eor x10,x10,x4
eor x15,x15,x4
eor x20,x20,x4
ldp x4,x9,[sp,#0] // re-load offloaded data
eor x26, x3,x28 // mov x26,x3
eor x8,x8,x28
eor x13,x13,x28
eor x25,x25,x28
eor x23,x23,x28
eor x28, x4,x30 // mov x28,x4
eor x9,x9,x30
eor x14,x14,x30
eor x19,x19,x30
eor x24,x24,x30
////////////////////////////////////////// Rho+Pi
mov x30,x1
ror x1,x6,#64-44
//mov x27,x2
ror x2,x12,#64-43
//mov x26,x3
ror x3,x25,#64-21
//mov x28,x4
ror x4,x24,#64-14
ror x6,x9,#64-20
ror x12,x13,#64-25
ror x25,x17,#64-15
ror x24,x21,#64-2
ror x9,x22,#64-61
ror x13,x19,#64-8
ror x17,x11,#64-10
ror x21,x8,#64-55
ror x22,x14,#64-39
ror x19,x23,#64-56
ror x11,x7,#64-6
ror x8,x16,#64-45
ror x14,x20,#64-18
ror x23,x15,#64-41
ror x7,x10,#64-3
ror x16,x5,#64-36
ror x5,x26,#64-28
ror x10,x30,#64-1
ror x15,x28,#64-27
ror x20,x27,#64-62
////////////////////////////////////////// Chi+Iota
bic x26,x2,x1
bic x27,x3,x2
bic x28,x0,x4
bic x30,x1,x0
eor x0,x0,x26
bic x26,x4,x3
eor x1,x1,x27
ldr x27,[sp,#16]
eor x3,x3,x28
eor x4,x4,x30
eor x2,x2,x26
ldr x30,[x27],#8 // Iota[i++]
bic x26,x7,x6
tst x27,#255 // are we done?
str x27,[sp,#16]
bic x27,x8,x7
bic x28,x5,x9
eor x0,x0,x30 // A[0][0] ^= Iota
bic x30,x6,x5
eor x5,x5,x26
bic x26,x9,x8
eor x6,x6,x27
eor x8,x8,x28
eor x9,x9,x30
eor x7,x7,x26
bic x26,x12,x11
bic x27,x13,x12
bic x28,x10,x14
bic x30,x11,x10
eor x10,x10,x26
bic x26,x14,x13
eor x11,x11,x27
eor x13,x13,x28
eor x14,x14,x30
eor x12,x12,x26
bic x26,x17,x16
bic x27,x25,x17
bic x28,x15,x19
bic x30,x16,x15
eor x15,x15,x26
bic x26,x19,x25
eor x16,x16,x27
eor x25,x25,x28
eor x19,x19,x30
eor x17,x17,x26
bic x26,x22,x21
bic x27,x23,x22
bic x28,x20,x24
bic x30,x21,x20
eor x20,x20,x26
bic x26,x24,x23
eor x21,x21,x27
eor x23,x23,x28
eor x24,x24,x30
eor x22,x22,x26
bne Loop
ldr x30,[sp,#24]
.long 0xd50323bf // autiasp
ret
.align 5
KeccakF1600:
.long 0xd503233f // paciasp
stp x29,x30,[sp,#-128]!
add x29,sp,#0
stp x19,x20,[sp,#16]
stp x21,x22,[sp,#32]
stp x23,x24,[sp,#48]
stp x25,x26,[sp,#64]
stp x27,x28,[sp,#80]
sub sp,sp,#48
str x0,[sp,#32] // offload argument
mov x26,x0
ldp x0,x1,[x0,#16*0]
ldp x2,x3,[x26,#16*1]
ldp x4,x5,[x26,#16*2]
ldp x6,x7,[x26,#16*3]
ldp x8,x9,[x26,#16*4]
ldp x10,x11,[x26,#16*5]
ldp x12,x13,[x26,#16*6]
ldp x14,x15,[x26,#16*7]
ldp x16,x17,[x26,#16*8]
ldp x25,x19,[x26,#16*9]
ldp x20,x21,[x26,#16*10]
ldp x22,x23,[x26,#16*11]
ldr x24,[x26,#16*12]
bl KeccakF1600_int
ldr x26,[sp,#32]
stp x0,x1,[x26,#16*0]
stp x2,x3,[x26,#16*1]
stp x4,x5,[x26,#16*2]
stp x6,x7,[x26,#16*3]
stp x8,x9,[x26,#16*4]
stp x10,x11,[x26,#16*5]
stp x12,x13,[x26,#16*6]
stp x14,x15,[x26,#16*7]
stp x16,x17,[x26,#16*8]
stp x25,x19,[x26,#16*9]
stp x20,x21,[x26,#16*10]
stp x22,x23,[x26,#16*11]
str x24,[x26,#16*12]
ldp x19,x20,[x29,#16]
add sp,sp,#48
ldp x21,x22,[x29,#32]
ldp x23,x24,[x29,#48]
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldp x29,x30,[sp],#128
.long 0xd50323bf // autiasp
ret
.globl _SHA3_absorb
.align 5
_SHA3_absorb:
.long 0xd503233f // paciasp
stp x29,x30,[sp,#-128]!
add x29,sp,#0
stp x19,x20,[sp,#16]
stp x21,x22,[sp,#32]
stp x23,x24,[sp,#48]
stp x25,x26,[sp,#64]
stp x27,x28,[sp,#80]
sub sp,sp,#64
stp x0,x1,[sp,#32] // offload arguments
stp x2,x3,[sp,#48]
mov x26,x0 // uint64_t A[5][5]
mov x27,x1 // const void *inp
mov x28,x2 // size_t len
mov x30,x3 // size_t bsz
ldp x0,x1,[x26,#16*0]
ldp x2,x3,[x26,#16*1]
ldp x4,x5,[x26,#16*2]
ldp x6,x7,[x26,#16*3]
ldp x8,x9,[x26,#16*4]
ldp x10,x11,[x26,#16*5]
ldp x12,x13,[x26,#16*6]
ldp x14,x15,[x26,#16*7]
ldp x16,x17,[x26,#16*8]
ldp x25,x19,[x26,#16*9]
ldp x20,x21,[x26,#16*10]
ldp x22,x23,[x26,#16*11]
ldr x24,[x26,#16*12]
b Loop_absorb
.align 4
Loop_absorb:
subs x26,x28,x30 // len - bsz
blo Labsorbed
str x26,[sp,#48] // save len - bsz
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x0,x0,x26
cmp x30,#8*(0+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x1,x1,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x2,x2,x26
cmp x30,#8*(2+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x3,x3,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x4,x4,x26
cmp x30,#8*(4+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x5,x5,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x6,x6,x26
cmp x30,#8*(6+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x7,x7,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x8,x8,x26
cmp x30,#8*(8+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x9,x9,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x10,x10,x26
cmp x30,#8*(10+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x11,x11,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x12,x12,x26
cmp x30,#8*(12+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x13,x13,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x14,x14,x26
cmp x30,#8*(14+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x15,x15,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x16,x16,x26
cmp x30,#8*(16+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x17,x17,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x25,x25,x26
cmp x30,#8*(18+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x19,x19,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x20,x20,x26
cmp x30,#8*(20+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x21,x21,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x22,x22,x26
cmp x30,#8*(22+2)
blo Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x23,x23,x26
beq Lprocess_block
ldr x26,[x27],#8 // *inp++
#ifdef __AARCH64EB__
rev x26,x26
#endif
eor x24,x24,x26
Lprocess_block:
str x27,[sp,#40] // save inp
bl KeccakF1600_int
ldr x27,[sp,#40] // restore arguments
ldp x28,x30,[sp,#48]
b Loop_absorb
.align 4
Labsorbed:
ldr x27,[sp,#32]
stp x0,x1,[x27,#16*0]
stp x2,x3,[x27,#16*1]
stp x4,x5,[x27,#16*2]
stp x6,x7,[x27,#16*3]
stp x8,x9,[x27,#16*4]
stp x10,x11,[x27,#16*5]
stp x12,x13,[x27,#16*6]
stp x14,x15,[x27,#16*7]
stp x16,x17,[x27,#16*8]
stp x25,x19,[x27,#16*9]
stp x20,x21,[x27,#16*10]
stp x22,x23,[x27,#16*11]
str x24,[x27,#16*12]
mov x0,x28 // return value
ldp x19,x20,[x29,#16]
add sp,sp,#64
ldp x21,x22,[x29,#32]
ldp x23,x24,[x29,#48]
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldp x29,x30,[sp],#128
.long 0xd50323bf // autiasp
ret
.globl _SHA3_squeeze
.align 5
_SHA3_squeeze:
.long 0xd503233f // paciasp
stp x29,x30,[sp,#-48]!
add x29,sp,#0
stp x19,x20,[sp,#16]
stp x21,x22,[sp,#32]
mov x19,x0 // put aside arguments
mov x20,x1
mov x21,x2
mov x22,x3
Loop_squeeze:
ldr x4,[x0],#8
cmp x21,#8
blo Lsqueeze_tail
#ifdef __AARCH64EB__
rev x4,x4
#endif
str x4,[x20],#8
subs x21,x21,#8
beq Lsqueeze_done
subs x3,x3,#8
bhi Loop_squeeze
mov x0,x19
bl KeccakF1600
mov x0,x19
mov x3,x22
b Loop_squeeze
.align 4
Lsqueeze_tail:
strb w4,[x20],#1
lsr x4,x4,#8
subs x21,x21,#1
beq Lsqueeze_done
strb w4,[x20],#1
lsr x4,x4,#8
subs x21,x21,#1
beq Lsqueeze_done
strb w4,[x20],#1
lsr x4,x4,#8
subs x21,x21,#1
beq Lsqueeze_done
strb w4,[x20],#1
lsr x4,x4,#8
subs x21,x21,#1
beq Lsqueeze_done
strb w4,[x20],#1
lsr x4,x4,#8
subs x21,x21,#1
beq Lsqueeze_done
strb w4,[x20],#1
lsr x4,x4,#8
subs x21,x21,#1
beq Lsqueeze_done
strb w4,[x20],#1
Lsqueeze_done:
ldp x19,x20,[sp,#16]
ldp x21,x22,[sp,#32]
ldp x29,x30,[sp],#48
.long 0xd50323bf // autiasp
ret
.align 5
KeccakF1600_ce:
mov x9,#12
adr x10,iotas
b Loop_ce
.align 4
Loop_ce:
////////////////////////////////////////////////// Theta
.long 0xce052819 //eor3 v25.16b,v0.16b,v5.16b,v10.16b
.long 0xce062c3a //eor3 v26.16b,v1.16b,v6.16b,v11.16b
.long 0xce07305b //eor3 v27.16b,v2.16b,v7.16b,v12.16b
.long 0xce08347c //eor3 v28.16b,v3.16b,v8.16b,v13.16b
.long 0xce09389d //eor3 v29.16b,v4.16b,v9.16b,v14.16b
.long 0xce0f5339 //eor3 v25.16b,v25.16b, v15.16b,v20.16b
.long 0xce10575a //eor3 v26.16b,v26.16b, v16.16b,v21.16b
.long 0xce115b7b //eor3 v27.16b,v27.16b, v17.16b,v22.16b
.long 0xce125f9c //eor3 v28.16b,v28.16b, v18.16b,v23.16b
.long 0xce1363bd //eor3 v29.16b,v29.16b, v19.16b,v24.16b
.long 0xce7b8f3e //rax1 v30.16b,v25.16b,v27.16b // D[1]
.long 0xce7c8f5f //rax1 v31.16b,v26.16b,v28.16b // D[2]
.long 0xce7d8f7b //rax1 v27.16b,v27.16b,v29.16b // D[3]
.long 0xce798f9c //rax1 v28.16b,v28.16b,v25.16b // D[4]
.long 0xce7a8fbd //rax1 v29.16b,v29.16b,v26.16b // D[0]
////////////////////////////////////////////////// Theta+Rho+Pi
.long 0xce9e50d9 //xar v25.16b, v6.16b,v30.16b,#64-44 // C[0]=A[0][1]
.long 0xce9cb126 //xar v6.16b,v9.16b,v28.16b,#64-20
.long 0xce9f0ec9 //xar v9.16b,v22.16b,v31.16b,#64-61
.long 0xce9c65d6 //xar v22.16b,v14.16b,v28.16b,#64-39
.long 0xce9dba8e //xar v14.16b,v20.16b,v29.16b,#64-18
.long 0xce9f0854 //xar v20.16b,v2.16b,v31.16b,#64-62
.long 0xce9f5582 //xar v2.16b,v12.16b,v31.16b,#64-43
.long 0xce9b9dac //xar v12.16b,v13.16b,v27.16b,#64-25
.long 0xce9ce26d //xar v13.16b,v19.16b,v28.16b,#64-8
.long 0xce9b22f3 //xar v19.16b,v23.16b,v27.16b,#64-56
.long 0xce9d5df7 //xar v23.16b,v15.16b,v29.16b,#64-41
.long 0xce9c948f //xar v15.16b,v4.16b,v28.16b,#64-27
eor v0.16b,v0.16b,v29.16b
ldr x11,[x10],#8
.long 0xce9bae5a //xar v26.16b, v18.16b,v27.16b,#64-21 // C[1]=A[0][3]
.long 0xce9fc632 //xar v18.16b,v17.16b,v31.16b,#64-15
.long 0xce9ed971 //xar v17.16b,v11.16b,v30.16b,#64-10
.long 0xce9fe8eb //xar v11.16b,v7.16b,v31.16b,#64-6
.long 0xce9df547 //xar v7.16b,v10.16b,v29.16b,#64-3
.long 0xce9efc2a //xar v10.16b,v1.16b,v30.16b,#64-1 // *
.long 0xce9ccb04 //xar v4.16b,v24.16b,v28.16b,#64-14
.long 0xce9efab8 //xar v24.16b,v21.16b,v30.16b,#64-2
.long 0xce9b2515 //xar v21.16b,v8.16b,v27.16b,#64-55
.long 0xce9e4e08 //xar v8.16b,v16.16b,v30.16b,#64-45
.long 0xce9d70b0 //xar v16.16b,v5.16b,v29.16b,#64-36
.long 0xce9b907b //xar v27.16b, v3.16b,v27.16b,#64-28 // C[2]=A[1][0]
////////////////////////////////////////////////// Chi+Iota
dup v31.2d,x11 // borrow C[6]
.long 0xce22641c //bcax v28.16b, v0.16b,v2.16b,v25.16b // *
.long 0xce3a0b21 //bcax v1.16b,v25.16b, v26.16b, v2.16b // *
.long 0xce246842 //bcax v2.16b,v2.16b,v4.16b,v26.16b
.long 0xce201343 //bcax v3.16b,v26.16b, v0.16b,v4.16b
.long 0xce390084 //bcax v4.16b,v4.16b,v25.16b, v0.16b
.long 0xce271b65 //bcax v5.16b,v27.16b, v7.16b,v6.16b // *
.long 0xce281cd9 //bcax v25.16b, v6.16b,v8.16b,v7.16b // *
.long 0xce2920e7 //bcax v7.16b,v7.16b,v9.16b,v8.16b
.long 0xce3b2508 //bcax v8.16b,v8.16b,v27.16b, v9.16b
.long 0xce266d29 //bcax v9.16b,v9.16b,v6.16b,v27.16b
eor v0.16b,v28.16b,v31.16b // Iota
.long 0xce2c2d5a //bcax v26.16b, v10.16b,v12.16b,v11.16b // *
.long 0xce2d317b //bcax v27.16b, v11.16b,v13.16b,v12.16b // *
.long 0xce2e358c //bcax v12.16b,v12.16b,v14.16b,v13.16b
.long 0xce2a39ad //bcax v13.16b,v13.16b,v10.16b,v14.16b
.long 0xce2b29ce //bcax v14.16b,v14.16b,v11.16b,v10.16b
.long 0xce3141fc //bcax v28.16b, v15.16b,v17.16b,v16.16b // *
.long 0xce32461d //bcax v29.16b, v16.16b,v18.16b,v17.16b // *
.long 0xce334a31 //bcax v17.16b,v17.16b,v19.16b,v18.16b
.long 0xce2f4e52 //bcax v18.16b,v18.16b,v15.16b,v19.16b
.long 0xce303e73 //bcax v19.16b,v19.16b,v16.16b,v15.16b
.long 0xce36569e //bcax v30.16b, v20.16b,v22.16b,v21.16b // *
.long 0xce375abf //bcax v31.16b, v21.16b,v23.16b,v22.16b // *
.long 0xce385ed6 //bcax v22.16b,v22.16b,v24.16b,v23.16b
.long 0xce3462f7 //bcax v23.16b,v23.16b,v20.16b,v24.16b
.long 0xce355318 //bcax v24.16b,v24.16b,v21.16b,v20.16b
////////////////////////////////////////////////// Theta
.long 0xce056806 //eor3 v6.16b,v0.16b,v5.16b,v26.16b
.long 0xce196c2a //eor3 v10.16b,v1.16b,v25.16b,v27.16b
.long 0xce07304b //eor3 v11.16b,v2.16b,v7.16b,v12.16b
.long 0xce08346f //eor3 v15.16b,v3.16b,v8.16b,v13.16b
.long 0xce093890 //eor3 v16.16b,v4.16b,v9.16b,v14.16b
.long 0xce1c78c6 //eor3 v6.16b,v6.16b, v28.16b,v30.16b
.long 0xce1d7d4a //eor3 v10.16b,v10.16b, v29.16b,v31.16b
.long 0xce11596b //eor3 v11.16b,v11.16b, v17.16b,v22.16b
.long 0xce125def //eor3 v15.16b,v15.16b, v18.16b,v23.16b
.long 0xce136210 //eor3 v16.16b,v16.16b, v19.16b,v24.16b
.long 0xce6b8cd4 //rax1 v20.16b,v6.16b,v11.16b // D[1]
.long 0xce6f8d55 //rax1 v21.16b,v10.16b,v15.16b // D[2]
.long 0xce708d6b //rax1 v11.16b,v11.16b,v16.16b // D[3]
.long 0xce668def //rax1 v15.16b,v15.16b,v6.16b // D[4]
.long 0xce6a8e10 //rax1 v16.16b,v16.16b,v10.16b // D[0]
////////////////////////////////////////////////// Theta+Rho+Pi
.long 0xce945326 //xar v6.16b, v25.16b,v20.16b,#64-44 // C[0]=A[0][1]
.long 0xce8fb139 //xar v25.16b,v9.16b,v15.16b,#64-20
.long 0xce950ec9 //xar v9.16b,v22.16b,v21.16b,#64-61
.long 0xce8f65d6 //xar v22.16b,v14.16b,v15.16b,#64-39
.long 0xce90bbce //xar v14.16b,v30.16b,v16.16b,#64-18
.long 0xce95085e //xar v30.16b,v2.16b,v21.16b,#64-62
.long 0xce955582 //xar v2.16b,v12.16b,v21.16b,#64-43
.long 0xce8b9dac //xar v12.16b,v13.16b,v11.16b,#64-25
.long 0xce8fe26d //xar v13.16b,v19.16b,v15.16b,#64-8
.long 0xce8b22f3 //xar v19.16b,v23.16b,v11.16b,#64-56
.long 0xce905f97 //xar v23.16b,v28.16b,v16.16b,#64-41
.long 0xce8f949c //xar v28.16b,v4.16b,v15.16b,#64-27
eor v0.16b,v0.16b,v16.16b
ldr x11,[x10],#8
.long 0xce8bae4a //xar v10.16b, v18.16b,v11.16b,#64-21 // C[1]=A[0][3]
.long 0xce95c632 //xar v18.16b,v17.16b,v21.16b,#64-15
.long 0xce94db71 //xar v17.16b,v27.16b,v20.16b,#64-10
.long 0xce95e8fb //xar v27.16b,v7.16b,v21.16b,#64-6
.long 0xce90f747 //xar v7.16b,v26.16b,v16.16b,#64-3
.long 0xce94fc3a //xar v26.16b,v1.16b,v20.16b,#64-1 // *
.long 0xce8fcb04 //xar v4.16b,v24.16b,v15.16b,#64-14
.long 0xce94fbf8 //xar v24.16b,v31.16b,v20.16b,#64-2
.long 0xce8b251f //xar v31.16b,v8.16b,v11.16b,#64-55
.long 0xce944fa8 //xar v8.16b,v29.16b,v20.16b,#64-45
.long 0xce9070bd //xar v29.16b,v5.16b,v16.16b,#64-36
.long 0xce8b906b //xar v11.16b, v3.16b,v11.16b,#64-28 // C[2]=A[1][0]
////////////////////////////////////////////////// Chi+Iota
dup v21.2d,x11 // borrow C[6]
.long 0xce22180f //bcax v15.16b, v0.16b,v2.16b,v6.16b // *
.long 0xce2a08c1 //bcax v1.16b,v6.16b, v10.16b, v2.16b // *
.long 0xce242842 //bcax v2.16b,v2.16b,v4.16b,v10.16b
.long 0xce201143 //bcax v3.16b,v10.16b, v0.16b,v4.16b
.long 0xce260084 //bcax v4.16b,v4.16b,v6.16b, v0.16b
.long 0xce276565 //bcax v5.16b,v11.16b, v7.16b,v25.16b // *
.long 0xce281f26 //bcax v6.16b, v25.16b,v8.16b,v7.16b // *
.long 0xce2920e7 //bcax v7.16b,v7.16b,v9.16b,v8.16b
.long 0xce2b2508 //bcax v8.16b,v8.16b,v11.16b, v9.16b
.long 0xce392d29 //bcax v9.16b,v9.16b,v25.16b,v11.16b
eor v0.16b,v15.16b,v21.16b // Iota
.long 0xce2c6f4a //bcax v10.16b, v26.16b,v12.16b,v27.16b // *
.long 0xce2d336b //bcax v11.16b, v27.16b,v13.16b,v12.16b // *
.long 0xce2e358c //bcax v12.16b,v12.16b,v14.16b,v13.16b
.long 0xce3a39ad //bcax v13.16b,v13.16b,v26.16b,v14.16b
.long 0xce3b69ce //bcax v14.16b,v14.16b,v27.16b,v26.16b
.long 0xce31778f //bcax v15.16b, v28.16b,v17.16b,v29.16b // *
.long 0xce3247b0 //bcax v16.16b, v29.16b,v18.16b,v17.16b // *
.long 0xce334a31 //bcax v17.16b,v17.16b,v19.16b,v18.16b
.long 0xce3c4e52 //bcax v18.16b,v18.16b,v28.16b,v19.16b
.long 0xce3d7273 //bcax v19.16b,v19.16b,v29.16b,v28.16b
.long 0xce367fd4 //bcax v20.16b, v30.16b,v22.16b,v31.16b // *
.long 0xce375bf5 //bcax v21.16b, v31.16b,v23.16b,v22.16b // *
.long 0xce385ed6 //bcax v22.16b,v22.16b,v24.16b,v23.16b
.long 0xce3e62f7 //bcax v23.16b,v23.16b,v30.16b,v24.16b
.long 0xce3f7b18 //bcax v24.16b,v24.16b,v31.16b,v30.16b
subs x9,x9,#1
bne Loop_ce
ret
.align 5
KeccakF1600_cext:
.long 0xd503233f // paciasp
stp x29,x30,[sp,#-80]!
add x29,sp,#0
stp d8,d9,[sp,#16] // per ABI requirement
stp d10,d11,[sp,#32]
stp d12,d13,[sp,#48]
stp d14,d15,[sp,#64]
ldp d0,d1,[x0,#8*0]
ldp d2,d3,[x0,#8*2]
ldp d4,d5,[x0,#8*4]
ldp d6,d7,[x0,#8*6]
ldp d8,d9,[x0,#8*8]
ldp d10,d11,[x0,#8*10]
ldp d12,d13,[x0,#8*12]
ldp d14,d15,[x0,#8*14]
ldp d16,d17,[x0,#8*16]
ldp d18,d19,[x0,#8*18]
ldp d20,d21,[x0,#8*20]
ldp d22,d23,[x0,#8*22]
ldr d24,[x0,#8*24]
bl KeccakF1600_ce
ldr x30,[sp,#8]
stp d0,d1,[x0,#8*0]
stp d2,d3,[x0,#8*2]
stp d4,d5,[x0,#8*4]
stp d6,d7,[x0,#8*6]
stp d8,d9,[x0,#8*8]
stp d10,d11,[x0,#8*10]
stp d12,d13,[x0,#8*12]
stp d14,d15,[x0,#8*14]
stp d16,d17,[x0,#8*16]
stp d18,d19,[x0,#8*18]
stp d20,d21,[x0,#8*20]
stp d22,d23,[x0,#8*22]
str d24,[x0,#8*24]
ldp d8,d9,[sp,#16]
ldp d10,d11,[sp,#32]
ldp d12,d13,[sp,#48]
ldp d14,d15,[sp,#64]
ldr x29,[sp],#80
.long 0xd50323bf // autiasp
ret
.globl _SHA3_absorb_cext
.align 5
_SHA3_absorb_cext:
.long 0xd503233f // paciasp
stp x29,x30,[sp,#-80]!
add x29,sp,#0
stp d8,d9,[sp,#16] // per ABI requirement
stp d10,d11,[sp,#32]
stp d12,d13,[sp,#48]
stp d14,d15,[sp,#64]
ldp d0,d1,[x0,#8*0]
ldp d2,d3,[x0,#8*2]
ldp d4,d5,[x0,#8*4]
ldp d6,d7,[x0,#8*6]
ldp d8,d9,[x0,#8*8]
ldp d10,d11,[x0,#8*10]
ldp d12,d13,[x0,#8*12]
ldp d14,d15,[x0,#8*14]
ldp d16,d17,[x0,#8*16]
ldp d18,d19,[x0,#8*18]
ldp d20,d21,[x0,#8*20]
ldp d22,d23,[x0,#8*22]
ldr d24,[x0,#8*24]
b Loop_absorb_ce
.align 4
Loop_absorb_ce:
subs x2,x2,x3 // len - bsz
blo Labsorbed_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v0.16b,v0.16b,v31.16b
cmp x3,#8*(0+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v1.16b,v1.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v2.16b,v2.16b,v31.16b
cmp x3,#8*(2+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v3.16b,v3.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v4.16b,v4.16b,v31.16b
cmp x3,#8*(4+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v5.16b,v5.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v6.16b,v6.16b,v31.16b
cmp x3,#8*(6+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v7.16b,v7.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v8.16b,v8.16b,v31.16b
cmp x3,#8*(8+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v9.16b,v9.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v10.16b,v10.16b,v31.16b
cmp x3,#8*(10+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v11.16b,v11.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v12.16b,v12.16b,v31.16b
cmp x3,#8*(12+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v13.16b,v13.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v14.16b,v14.16b,v31.16b
cmp x3,#8*(14+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v15.16b,v15.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v16.16b,v16.16b,v31.16b
cmp x3,#8*(16+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v17.16b,v17.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v18.16b,v18.16b,v31.16b
cmp x3,#8*(18+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v19.16b,v19.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v20.16b,v20.16b,v31.16b
cmp x3,#8*(20+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v21.16b,v21.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v22.16b,v22.16b,v31.16b
cmp x3,#8*(22+2)
blo Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v23.16b,v23.16b,v31.16b
beq Lprocess_block_ce
ldr d31,[x1],#8 // *inp++
#ifdef __AARCH64EB__
rev64 v31.16b,v31.16b
#endif
eor v24.16b,v24.16b,v31.16b
Lprocess_block_ce:
bl KeccakF1600_ce
b Loop_absorb_ce
.align 4
Labsorbed_ce:
stp d0,d1,[x0,#8*0]
stp d2,d3,[x0,#8*2]
stp d4,d5,[x0,#8*4]
stp d6,d7,[x0,#8*6]
stp d8,d9,[x0,#8*8]
stp d10,d11,[x0,#8*10]
stp d12,d13,[x0,#8*12]
stp d14,d15,[x0,#8*14]
stp d16,d17,[x0,#8*16]
stp d18,d19,[x0,#8*18]
stp d20,d21,[x0,#8*20]
stp d22,d23,[x0,#8*22]
str d24,[x0,#8*24]
add x0,x2,x3 // return value
ldp d8,d9,[sp,#16]
ldp d10,d11,[sp,#32]
ldp d12,d13,[sp,#48]
ldp d14,d15,[sp,#64]
ldp x29,x30,[sp],#80
.long 0xd50323bf // autiasp
ret
.globl _SHA3_squeeze_cext
.align 5
_SHA3_squeeze_cext:
.long 0xd503233f // paciasp
stp x29,x30,[sp,#-16]!
add x29,sp,#0
mov x9,x0
mov x10,x3
Loop_squeeze_ce:
ldr x4,[x9],#8
cmp x2,#8
blo Lsqueeze_tail_ce
#ifdef __AARCH64EB__
rev x4,x4
#endif
str x4,[x1],#8
beq Lsqueeze_done_ce
sub x2,x2,#8
subs x10,x10,#8
bhi Loop_squeeze_ce
bl KeccakF1600_cext
ldr x30,[sp,#8]
mov x9,x0
mov x10,x3
b Loop_squeeze_ce
.align 4
Lsqueeze_tail_ce:
strb w4,[x1],#1
lsr x4,x4,#8
subs x2,x2,#1
beq Lsqueeze_done_ce
strb w4,[x1],#1
lsr x4,x4,#8
subs x2,x2,#1
beq Lsqueeze_done_ce
strb w4,[x1],#1
lsr x4,x4,#8
subs x2,x2,#1
beq Lsqueeze_done_ce
strb w4,[x1],#1
lsr x4,x4,#8
subs x2,x2,#1
beq Lsqueeze_done_ce
strb w4,[x1],#1
lsr x4,x4,#8
subs x2,x2,#1
beq Lsqueeze_done_ce
strb w4,[x1],#1
lsr x4,x4,#8
subs x2,x2,#1
beq Lsqueeze_done_ce
strb w4,[x1],#1
Lsqueeze_done_ce:
ldr x29,[sp],#16
.long 0xd50323bf // autiasp
ret
.byte 75,101,99,99,97,107,45,49,54,48,48,32,97,98,115,111,114,98,32,97,110,100,32,115,113,117,101,101,122,101,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
.align 2
|