Botan 3.7.1
Crypto and TLS for C&
sha2_32_x86.cpp
Go to the documentation of this file.
1/*
2* Support for SHA-256 x86 instrinsic
3* Based on public domain code by Sean Gulley
4* (https://github.com/mitls/hacl-star/tree/master/experimental/hash)
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/sha2_32.h>
10#include <immintrin.h>
11
12namespace Botan {
13
14// called from sha2_32.cpp
15BOTAN_FUNC_ISA("sha,sse4.1,ssse3")
16void SHA_256::compress_digest_x86(digest_type& digest, std::span<const uint8_t> input, size_t blocks) {
17 alignas(64) static const uint32_t K[] = {
18 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
19 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
20 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
21 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
22 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
23 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
24 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
25 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
26 };
27
28 const __m128i* K_mm = reinterpret_cast<const __m128i*>(K);
29
30 uint32_t* state = &digest[0];
31
32 const __m128i* input_mm = reinterpret_cast<const __m128i*>(input.data());
33 const __m128i MASK = _mm_set_epi64x(0x0c0d0e0f08090a0b, 0x0405060700010203);
34
35 // Load initial values
36 __m128i STATE0 = _mm_loadu_si128(reinterpret_cast<__m128i*>(&state[0]));
37 __m128i STATE1 = _mm_loadu_si128(reinterpret_cast<__m128i*>(&state[4]));
38
39 STATE0 = _mm_shuffle_epi32(STATE0, 0xB1); // CDAB
40 STATE1 = _mm_shuffle_epi32(STATE1, 0x1B); // EFGH
41
42 __m128i TMP = _mm_alignr_epi8(STATE0, STATE1, 8); // ABEF
43 STATE1 = _mm_blend_epi16(STATE1, STATE0, 0xF0); // CDGH
44 STATE0 = TMP;
45
46 while(blocks > 0) {
47 // Save current state
48 const __m128i ABEF_SAVE = STATE0;
49 const __m128i CDGH_SAVE = STATE1;
50
51 __m128i MSG;
52
53 __m128i TMSG0 = _mm_shuffle_epi8(_mm_loadu_si128(input_mm), MASK);
54 __m128i TMSG1 = _mm_shuffle_epi8(_mm_loadu_si128(input_mm + 1), MASK);
55 __m128i TMSG2 = _mm_shuffle_epi8(_mm_loadu_si128(input_mm + 2), MASK);
56 __m128i TMSG3 = _mm_shuffle_epi8(_mm_loadu_si128(input_mm + 3), MASK);
57
58 // Rounds 0-3
59 MSG = _mm_add_epi32(TMSG0, _mm_load_si128(K_mm));
60 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
61 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
62
63 // Rounds 4-7
64 MSG = _mm_add_epi32(TMSG1, _mm_load_si128(K_mm + 1));
65 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
66 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
67
68 TMSG0 = _mm_sha256msg1_epu32(TMSG0, TMSG1);
69
70 // Rounds 8-11
71 MSG = _mm_add_epi32(TMSG2, _mm_load_si128(K_mm + 2));
72 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
73 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
74
75 TMSG1 = _mm_sha256msg1_epu32(TMSG1, TMSG2);
76
77 // Rounds 12-15
78 MSG = _mm_add_epi32(TMSG3, _mm_load_si128(K_mm + 3));
79 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
80 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
81
82 TMSG0 = _mm_add_epi32(TMSG0, _mm_alignr_epi8(TMSG3, TMSG2, 4));
83 TMSG0 = _mm_sha256msg2_epu32(TMSG0, TMSG3);
84 TMSG2 = _mm_sha256msg1_epu32(TMSG2, TMSG3);
85
86 // Rounds 16-19
87 MSG = _mm_add_epi32(TMSG0, _mm_load_si128(K_mm + 4));
88 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
89 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
90
91 TMSG1 = _mm_add_epi32(TMSG1, _mm_alignr_epi8(TMSG0, TMSG3, 4));
92 TMSG1 = _mm_sha256msg2_epu32(TMSG1, TMSG0);
93 TMSG3 = _mm_sha256msg1_epu32(TMSG3, TMSG0);
94
95 // Rounds 20-23
96 MSG = _mm_add_epi32(TMSG1, _mm_load_si128(K_mm + 5));
97 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
98 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
99
100 TMSG2 = _mm_add_epi32(TMSG2, _mm_alignr_epi8(TMSG1, TMSG0, 4));
101 TMSG2 = _mm_sha256msg2_epu32(TMSG2, TMSG1);
102 TMSG0 = _mm_sha256msg1_epu32(TMSG0, TMSG1);
103
104 // Rounds 24-27
105 MSG = _mm_add_epi32(TMSG2, _mm_load_si128(K_mm + 6));
106 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
107 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
108
109 TMSG3 = _mm_add_epi32(TMSG3, _mm_alignr_epi8(TMSG2, TMSG1, 4));
110 TMSG3 = _mm_sha256msg2_epu32(TMSG3, TMSG2);
111 TMSG1 = _mm_sha256msg1_epu32(TMSG1, TMSG2);
112
113 // Rounds 28-31
114 MSG = _mm_add_epi32(TMSG3, _mm_load_si128(K_mm + 7));
115 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
116 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
117
118 TMSG0 = _mm_add_epi32(TMSG0, _mm_alignr_epi8(TMSG3, TMSG2, 4));
119 TMSG0 = _mm_sha256msg2_epu32(TMSG0, TMSG3);
120 TMSG2 = _mm_sha256msg1_epu32(TMSG2, TMSG3);
121
122 // Rounds 32-35
123 MSG = _mm_add_epi32(TMSG0, _mm_load_si128(K_mm + 8));
124 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
125 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
126
127 TMSG1 = _mm_add_epi32(TMSG1, _mm_alignr_epi8(TMSG0, TMSG3, 4));
128 TMSG1 = _mm_sha256msg2_epu32(TMSG1, TMSG0);
129 TMSG3 = _mm_sha256msg1_epu32(TMSG3, TMSG0);
130
131 // Rounds 36-39
132 MSG = _mm_add_epi32(TMSG1, _mm_load_si128(K_mm + 9));
133 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
134 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
135
136 TMSG2 = _mm_add_epi32(TMSG2, _mm_alignr_epi8(TMSG1, TMSG0, 4));
137 TMSG2 = _mm_sha256msg2_epu32(TMSG2, TMSG1);
138 TMSG0 = _mm_sha256msg1_epu32(TMSG0, TMSG1);
139
140 // Rounds 40-43
141 MSG = _mm_add_epi32(TMSG2, _mm_load_si128(K_mm + 10));
142 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
143 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
144
145 TMSG3 = _mm_add_epi32(TMSG3, _mm_alignr_epi8(TMSG2, TMSG1, 4));
146 TMSG3 = _mm_sha256msg2_epu32(TMSG3, TMSG2);
147 TMSG1 = _mm_sha256msg1_epu32(TMSG1, TMSG2);
148
149 // Rounds 44-47
150 MSG = _mm_add_epi32(TMSG3, _mm_load_si128(K_mm + 11));
151 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
152 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
153
154 TMSG0 = _mm_add_epi32(TMSG0, _mm_alignr_epi8(TMSG3, TMSG2, 4));
155 TMSG0 = _mm_sha256msg2_epu32(TMSG0, TMSG3);
156 TMSG2 = _mm_sha256msg1_epu32(TMSG2, TMSG3);
157
158 // Rounds 48-51
159 MSG = _mm_add_epi32(TMSG0, _mm_load_si128(K_mm + 12));
160 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
161 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
162
163 TMSG1 = _mm_add_epi32(TMSG1, _mm_alignr_epi8(TMSG0, TMSG3, 4));
164 TMSG1 = _mm_sha256msg2_epu32(TMSG1, TMSG0);
165 TMSG3 = _mm_sha256msg1_epu32(TMSG3, TMSG0);
166
167 // Rounds 52-55
168 MSG = _mm_add_epi32(TMSG1, _mm_load_si128(K_mm + 13));
169 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
170 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
171
172 TMSG2 = _mm_add_epi32(TMSG2, _mm_alignr_epi8(TMSG1, TMSG0, 4));
173 TMSG2 = _mm_sha256msg2_epu32(TMSG2, TMSG1);
174
175 // Rounds 56-59
176 MSG = _mm_add_epi32(TMSG2, _mm_load_si128(K_mm + 14));
177 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
178 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
179
180 TMSG3 = _mm_add_epi32(TMSG3, _mm_alignr_epi8(TMSG2, TMSG1, 4));
181 TMSG3 = _mm_sha256msg2_epu32(TMSG3, TMSG2);
182
183 // Rounds 60-63
184 MSG = _mm_add_epi32(TMSG3, _mm_load_si128(K_mm + 15));
185 STATE1 = _mm_sha256rnds2_epu32(STATE1, STATE0, MSG);
186 STATE0 = _mm_sha256rnds2_epu32(STATE0, STATE1, _mm_shuffle_epi32(MSG, 0x0E));
187
188 // Add values back to state
189 STATE0 = _mm_add_epi32(STATE0, ABEF_SAVE);
190 STATE1 = _mm_add_epi32(STATE1, CDGH_SAVE);
191
192 input_mm += 4;
193 blocks--;
194 }
195
196 STATE0 = _mm_shuffle_epi32(STATE0, 0x1B); // FEBA
197 STATE1 = _mm_shuffle_epi32(STATE1, 0xB1); // DCHG
198
199 // Save state
200 _mm_storeu_si128(reinterpret_cast<__m128i*>(&state[0]), _mm_blend_epi16(STATE0, STATE1, 0xF0)); // DCBA
201 _mm_storeu_si128(reinterpret_cast<__m128i*>(&state[4]), _mm_alignr_epi8(STATE1, STATE0, 8)); // ABEF
202}
203
204} // namespace Botan
Botan::SHA_256
Definition sha2_32.h:59
Botan::SHA_256::digest_type
secure_vector< uint32_t > digest_type
Definition sha2_32.h:61
BOTAN_FUNC_ISA
#define BOTAN_FUNC_ISA(isa)
Definition compiler.h:42
Generated by doxygen 1.12.0