Botan 3.4.0
Crypto and TLS for C&
sha2_32_armv8.cpp
Go to the documentation of this file.
1/*
2* SHA-256 using CPU instructions in ARMv8
3*
4* Contributed by Jeffrey Walton. Based on public domain code by
5* Johannes Schneiders, Skip Hovsmith and Barry O'Rourke.
6*
7* Further changes (C) 2020 Jack Lloyd
8*
9* Botan is released under the Simplified BSD License (see license.txt)
10*/
11
12#include <botan/internal/sha2_32.h>
13#include <arm_neon.h>
14
15namespace Botan {
16
17/*
18* SHA-256 using CPU instructions in ARMv8
19*/
20//static
21BOTAN_FUNC_ISA("+crypto+sha2")
22void SHA_256::compress_digest_armv8(digest_type& digest, std::span<const uint8_t> input8, size_t blocks) {
23 alignas(64) static const uint32_t K[] = {
24 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
25 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
26 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
27 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
28 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
29 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
30 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
31 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
32 };
33
34 // Load initial values
35 uint32x4_t STATE0 = vld1q_u32(&digest[0]);
36 uint32x4_t STATE1 = vld1q_u32(&digest[4]);
37
38 // Intermediate void* cast due to https://llvm.org/bugs/show_bug.cgi?id=20670
39 const uint32_t* input32 = reinterpret_cast<const uint32_t*>(reinterpret_cast<const void*>(input8.data()));
40
41 while(blocks > 0) {
42 // Save current state
43 const uint32x4_t ABCD_SAVE = STATE0;
44 const uint32x4_t EFGH_SAVE = STATE1;
45
46 uint32x4_t MSG0 = vld1q_u32(input32 + 0);
47 uint32x4_t MSG1 = vld1q_u32(input32 + 4);
48 uint32x4_t MSG2 = vld1q_u32(input32 + 8);
49 uint32x4_t MSG3 = vld1q_u32(input32 + 12);
50
51 MSG0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG0)));
52 MSG1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG1)));
53 MSG2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG2)));
54 MSG3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG3)));
55
56 uint32x4_t MSG_K, TSTATE;
57
58 // Rounds 0-3
59 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 0]));
60 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
61 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
62 STATE0 = TSTATE;
63 MSG0 = vsha256su1q_u32(vsha256su0q_u32(MSG0, MSG1), MSG2, MSG3);
64
65 // Rounds 4-7
66 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 1]));
67 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
68 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
69 STATE0 = TSTATE;
70 MSG1 = vsha256su1q_u32(vsha256su0q_u32(MSG1, MSG2), MSG3, MSG0);
71
72 // Rounds 8-11
73 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 2]));
74 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
75 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
76 STATE0 = TSTATE;
77 MSG2 = vsha256su1q_u32(vsha256su0q_u32(MSG2, MSG3), MSG0, MSG1);
78
79 // Rounds 12-15
80 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 3]));
81 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
82 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
83 STATE0 = TSTATE;
84 MSG3 = vsha256su1q_u32(vsha256su0q_u32(MSG3, MSG0), MSG1, MSG2);
85
86 // Rounds 16-19
87 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 4]));
88 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
89 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
90 STATE0 = TSTATE;
91 MSG0 = vsha256su1q_u32(vsha256su0q_u32(MSG0, MSG1), MSG2, MSG3);
92
93 // Rounds 20-23
94 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 5]));
95 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
96 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
97 STATE0 = TSTATE;
98 MSG1 = vsha256su1q_u32(vsha256su0q_u32(MSG1, MSG2), MSG3, MSG0);
99
100 // Rounds 24-27
101 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 6]));
102 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
103 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
104 STATE0 = TSTATE;
105 MSG2 = vsha256su1q_u32(vsha256su0q_u32(MSG2, MSG3), MSG0, MSG1);
106
107 // Rounds 28-31
108 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 7]));
109 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
110 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
111 STATE0 = TSTATE;
112 MSG3 = vsha256su1q_u32(vsha256su0q_u32(MSG3, MSG0), MSG1, MSG2);
113
114 // Rounds 32-35
115 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 8]));
116 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
117 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
118 STATE0 = TSTATE;
119 MSG0 = vsha256su1q_u32(vsha256su0q_u32(MSG0, MSG1), MSG2, MSG3);
120
121 // Rounds 36-39
122 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 9]));
123 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
124 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
125 STATE0 = TSTATE;
126 MSG1 = vsha256su1q_u32(vsha256su0q_u32(MSG1, MSG2), MSG3, MSG0);
127
128 // Rounds 40-43
129 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 10]));
130 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
131 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
132 STATE0 = TSTATE;
133 MSG2 = vsha256su1q_u32(vsha256su0q_u32(MSG2, MSG3), MSG0, MSG1);
134
135 // Rounds 44-47
136 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 11]));
137 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
138 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
139 STATE0 = TSTATE;
140 MSG3 = vsha256su1q_u32(vsha256su0q_u32(MSG3, MSG0), MSG1, MSG2);
141
142 // Rounds 48-51
143 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 12]));
144 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
145 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
146 STATE0 = TSTATE;
147
148 // Rounds 52-55
149 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 13]));
150 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
151 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
152 STATE0 = TSTATE;
153
154 // Rounds 56-59
155 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 14]));
156 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
157 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
158 STATE0 = TSTATE;
159
160 // Rounds 60-63
161 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 15]));
162 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
163 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
164 STATE0 = TSTATE;
165
166 // Add back to state
167 STATE0 = vaddq_u32(STATE0, ABCD_SAVE);
168 STATE1 = vaddq_u32(STATE1, EFGH_SAVE);
169
170 input32 += 64 / 4;
171 blocks--;
172 }
173
174 // Save state
175 vst1q_u32(&digest[0], STATE0);
176 vst1q_u32(&digest[4], STATE1);
177}
178
179} // namespace Botan
Botan::SHA_256
Definition sha2_32.h:59
Botan::SHA_256::digest_type
secure_vector< uint32_t > digest_type
Definition sha2_32.h:61
BOTAN_FUNC_ISA
#define BOTAN_FUNC_ISA(isa)
Definition compiler.h:92
Generated by doxygen 1.10.0