Botan 3.8.1
Crypto and TLS for C&
sha2_32_armv8.cpp
Go to the documentation of this file.
1/*
2* SHA-256 using CPU instructions in ARMv8
3*
4* Contributed by Jeffrey Walton. Based on public domain code by
5* Johannes Schneiders, Skip Hovsmith and Barry O'Rourke.
6*
7* Further changes (C) 2020 Jack Lloyd
8*
9* Botan is released under the Simplified BSD License (see license.txt)
10*/
11
12#include <botan/internal/sha2_32.h>
13
14#include <botan/internal/isa_extn.h>
15#include <arm_neon.h>
16
17namespace Botan {
18
19/*
20* SHA-256 using CPU instructions in ARMv8
21*/
22//static
23void BOTAN_FN_ISA_SHA2 SHA_256::compress_digest_armv8(digest_type& digest,
24 std::span<const uint8_t> input8,
25 size_t blocks) {
26 alignas(64) static const uint32_t K[] = {
27 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
28 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
29 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
30 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
31 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
32 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
33 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
34 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
35 };
36
37 // Load initial values
38 uint32x4_t STATE0 = vld1q_u32(&digest[0]);
39 uint32x4_t STATE1 = vld1q_u32(&digest[4]);
40
41 // Intermediate void* cast due to https://llvm.org/bugs/show_bug.cgi?id=20670
42 const uint32_t* input32 = reinterpret_cast<const uint32_t*>(reinterpret_cast<const void*>(input8.data()));
43
44 while(blocks > 0) {
45 // Save current state
46 const uint32x4_t ABCD_SAVE = STATE0;
47 const uint32x4_t EFGH_SAVE = STATE1;
48
49 uint32x4_t MSG0 = vld1q_u32(input32 + 0);
50 uint32x4_t MSG1 = vld1q_u32(input32 + 4);
51 uint32x4_t MSG2 = vld1q_u32(input32 + 8);
52 uint32x4_t MSG3 = vld1q_u32(input32 + 12);
53
54 MSG0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG0)));
55 MSG1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG1)));
56 MSG2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG2)));
57 MSG3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG3)));
58
59 uint32x4_t MSG_K, TSTATE;
60
61 // Rounds 0-3
62 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 0]));
63 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
64 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
65 STATE0 = TSTATE;
66 MSG0 = vsha256su1q_u32(vsha256su0q_u32(MSG0, MSG1), MSG2, MSG3);
67
68 // Rounds 4-7
69 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 1]));
70 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
71 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
72 STATE0 = TSTATE;
73 MSG1 = vsha256su1q_u32(vsha256su0q_u32(MSG1, MSG2), MSG3, MSG0);
74
75 // Rounds 8-11
76 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 2]));
77 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
78 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
79 STATE0 = TSTATE;
80 MSG2 = vsha256su1q_u32(vsha256su0q_u32(MSG2, MSG3), MSG0, MSG1);
81
82 // Rounds 12-15
83 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 3]));
84 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
85 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
86 STATE0 = TSTATE;
87 MSG3 = vsha256su1q_u32(vsha256su0q_u32(MSG3, MSG0), MSG1, MSG2);
88
89 // Rounds 16-19
90 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 4]));
91 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
92 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
93 STATE0 = TSTATE;
94 MSG0 = vsha256su1q_u32(vsha256su0q_u32(MSG0, MSG1), MSG2, MSG3);
95
96 // Rounds 20-23
97 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 5]));
98 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
99 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
100 STATE0 = TSTATE;
101 MSG1 = vsha256su1q_u32(vsha256su0q_u32(MSG1, MSG2), MSG3, MSG0);
102
103 // Rounds 24-27
104 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 6]));
105 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
106 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
107 STATE0 = TSTATE;
108 MSG2 = vsha256su1q_u32(vsha256su0q_u32(MSG2, MSG3), MSG0, MSG1);
109
110 // Rounds 28-31
111 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 7]));
112 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
113 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
114 STATE0 = TSTATE;
115 MSG3 = vsha256su1q_u32(vsha256su0q_u32(MSG3, MSG0), MSG1, MSG2);
116
117 // Rounds 32-35
118 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 8]));
119 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
120 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
121 STATE0 = TSTATE;
122 MSG0 = vsha256su1q_u32(vsha256su0q_u32(MSG0, MSG1), MSG2, MSG3);
123
124 // Rounds 36-39
125 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 9]));
126 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
127 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
128 STATE0 = TSTATE;
129 MSG1 = vsha256su1q_u32(vsha256su0q_u32(MSG1, MSG2), MSG3, MSG0);
130
131 // Rounds 40-43
132 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 10]));
133 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
134 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
135 STATE0 = TSTATE;
136 MSG2 = vsha256su1q_u32(vsha256su0q_u32(MSG2, MSG3), MSG0, MSG1);
137
138 // Rounds 44-47
139 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 11]));
140 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
141 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
142 STATE0 = TSTATE;
143 MSG3 = vsha256su1q_u32(vsha256su0q_u32(MSG3, MSG0), MSG1, MSG2);
144
145 // Rounds 48-51
146 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 12]));
147 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
148 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
149 STATE0 = TSTATE;
150
151 // Rounds 52-55
152 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 13]));
153 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
154 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
155 STATE0 = TSTATE;
156
157 // Rounds 56-59
158 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 14]));
159 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
160 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
161 STATE0 = TSTATE;
162
163 // Rounds 60-63
164 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 15]));
165 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
166 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
167 STATE0 = TSTATE;
168
169 // Add back to state
170 STATE0 = vaddq_u32(STATE0, ABCD_SAVE);
171 STATE1 = vaddq_u32(STATE1, EFGH_SAVE);
172
173 input32 += 64 / 4;
174 blocks--;
175 }
176
177 // Save state
178 vst1q_u32(&digest[0], STATE0);
179 vst1q_u32(&digest[4], STATE1);
180}
181
182} // namespace Botan
Botan::SHA_256::digest_type
secure_vector< uint32_t > digest_type
Definition sha2_32.h:61
Botan::SHA_256::compress_digest_armv8
static void compress_digest_armv8(digest_type &digest, std::span< const uint8_t > input, size_t blocks)
Definition sha2_32_armv8.cpp:23
Generated by doxygen 1.13.2