Botan 3.11.1
Crypto and TLS for C&
sha2_64_avx512.cpp
Go to the documentation of this file.
1/*
2* (C) 2025,2026 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/internal/sha2_64.h>
8
9#include <botan/internal/isa_extn.h>
10#include <botan/internal/sha2_64_f.h>
11#include <botan/internal/simd_2x64.h>
12#include <botan/internal/simd_8x64.h>
13
14namespace Botan {
15
16namespace SHA512_AVX512 {
17
18namespace {
19
20template <size_t R1, size_t R2, size_t S1>
21BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX512_BMI2 SIMD_2x64 avx512_sigma(SIMD_2x64 v) {
22 const auto vr1 = _mm_ror_epi64(v.raw(), R1);
23 const auto vr2 = _mm_ror_epi64(v.raw(), R2);
24 const auto vs1 = _mm_srli_epi64(v.raw(), S1);
25 return SIMD_2x64(_mm_ternarylogic_epi64(vr1, vr2, vs1, 0x96));
26}
27
28BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX512_BMI2 SIMD_2x64 sha512_next_w_avx512(SIMD_2x64 x[8]) {
29 auto t0 = SIMD_2x64::alignr8(x[1], x[0]);
30 auto t1 = SIMD_2x64::alignr8(x[5], x[4]);
31
32 auto s0 = avx512_sigma<1, 8, 7>(t0);
33 auto s1 = avx512_sigma<19, 61, 6>(x[7]);
34
35 auto nx = x[0] + s0 + s1 + t1;
36
37 x[0] = x[1];
38 x[1] = x[2];
39 x[2] = x[3];
40 x[3] = x[4];
41 x[4] = x[5];
42 x[5] = x[6];
43 x[6] = x[7];
44 x[7] = nx;
45
46 return nx;
47}
48
49template <size_t R1, size_t R2, size_t R3>
50BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX512_BMI2 SIMD_2x64 rho(SIMD_2x64 v) {
51 const auto vr1 = _mm_ror_epi64(v.raw(), R1);
52 const auto vr2 = _mm_ror_epi64(v.raw(), R2);
53 const auto vr3 = _mm_ror_epi64(v.raw(), R3);
54 return SIMD_2x64(_mm_ternarylogic_epi64(vr1, vr2, vr3, 0x96));
55}
56
57BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX512_BMI2 void SHA2_64_F(SIMD_2x64 A,
58 SIMD_2x64 B,
59 SIMD_2x64 C,
60 SIMD_2x64& D,
61 SIMD_2x64 E,
62 SIMD_2x64 F,
63 SIMD_2x64 G,
64 SIMD_2x64& H,
65 uint64_t M) {
66 constexpr uint8_t ch = 0xca;
67 constexpr uint8_t maj = 0xe8;
68
69 H += rho<14, 18, 41>(E) + SIMD_2x64(_mm_ternarylogic_epi64(E.raw(), F.raw(), G.raw(), ch)) + SIMD_2x64::splat(M);
70 D += H;
71 H += rho<28, 34, 39>(A) + SIMD_2x64(_mm_ternarylogic_epi64(A.raw(), B.raw(), C.raw(), maj));
72}
73
74} // namespace
75
76} // namespace SHA512_AVX512
77
78BOTAN_FN_ISA_AVX512_BMI2 void SHA_512::compress_digest_x86_avx512(digest_type& digest,
79 std::span<const uint8_t> input,
80 size_t blocks) {
81 using namespace SHA512_AVX512;
82
83 // clang-format off
84 alignas(64) const uint64_t K[80] = {
85 0x428A2F98D728AE22, 0x7137449123EF65CD, 0xB5C0FBCFEC4D3B2F, 0xE9B5DBA58189DBBC,
86 0x3956C25BF348B538, 0x59F111F1B605D019, 0x923F82A4AF194F9B, 0xAB1C5ED5DA6D8118,
87 0xD807AA98A3030242, 0x12835B0145706FBE, 0x243185BE4EE4B28C, 0x550C7DC3D5FFB4E2,
88 0x72BE5D74F27B896F, 0x80DEB1FE3B1696B1, 0x9BDC06A725C71235, 0xC19BF174CF692694,
89 0xE49B69C19EF14AD2, 0xEFBE4786384F25E3, 0x0FC19DC68B8CD5B5, 0x240CA1CC77AC9C65,
90 0x2DE92C6F592B0275, 0x4A7484AA6EA6E483, 0x5CB0A9DCBD41FBD4, 0x76F988DA831153B5,
91 0x983E5152EE66DFAB, 0xA831C66D2DB43210, 0xB00327C898FB213F, 0xBF597FC7BEEF0EE4,
92 0xC6E00BF33DA88FC2, 0xD5A79147930AA725, 0x06CA6351E003826F, 0x142929670A0E6E70,
93 0x27B70A8546D22FFC, 0x2E1B21385C26C926, 0x4D2C6DFC5AC42AED, 0x53380D139D95B3DF,
94 0x650A73548BAF63DE, 0x766A0ABB3C77B2A8, 0x81C2C92E47EDAEE6, 0x92722C851482353B,
95 0xA2BFE8A14CF10364, 0xA81A664BBC423001, 0xC24B8B70D0F89791, 0xC76C51A30654BE30,
96 0xD192E819D6EF5218, 0xD69906245565A910, 0xF40E35855771202A, 0x106AA07032BBD1B8,
97 0x19A4C116B8D2D0C8, 0x1E376C085141AB53, 0x2748774CDF8EEB99, 0x34B0BCB5E19B48A8,
98 0x391C0CB3C5C95A63, 0x4ED8AA4AE3418ACB, 0x5B9CCA4F7763E373, 0x682E6FF3D6B2B8A3,
99 0x748F82EE5DEFB2FC, 0x78A5636F43172F60, 0x84C87814A1F0AB72, 0x8CC702081A6439EC,
100 0x90BEFFFA23631E28, 0xA4506CEBDE82BDE9, 0xBEF9A3F7B2C67915, 0xC67178F2E372532B,
101 0xCA273ECEEA26619C, 0xD186B8C721C0C207, 0xEADA7DD6CDE0EB1E, 0xF57D4F7FEE6ED178,
102 0x06F067AA72176FBA, 0x0A637DC5A2C898A6, 0x113F9804BEF90DAE, 0x1B710B35131C471B,
103 0x28DB77F523047D84, 0x32CAAB7B40C72493, 0x3C9EBE0A15C9BEBC, 0x431D67C49C100D4C,
104 0x4CC5D4BECB3E42B6, 0x597F299CFC657E2A, 0x5FCB6FAB3AD6FAEC, 0x6C44198C4A475817,
105 };
106
107 // clang-format on
108
109 alignas(64) uint64_t W[16] = {0};
110
111 auto digest0 = SIMD_2x64::splat(digest[0]);
112 auto digest1 = SIMD_2x64::splat(digest[1]);
113 auto digest2 = SIMD_2x64::splat(digest[2]);
114 auto digest3 = SIMD_2x64::splat(digest[3]);
115 auto digest4 = SIMD_2x64::splat(digest[4]);
116 auto digest5 = SIMD_2x64::splat(digest[5]);
117 auto digest6 = SIMD_2x64::splat(digest[6]);
118 auto digest7 = SIMD_2x64::splat(digest[7]);
119
120 auto A = digest0;
121 auto B = digest1;
122 auto C = digest2;
123 auto D = digest3;
124 auto E = digest4;
125 auto F = digest5;
126 auto G = digest6;
127 auto H = digest7;
128
129 const uint8_t* data = input.data();
130
131 while(blocks > 0) {
132 SIMD_2x64 WS[8];
133
134 for(size_t i = 0; i < 8; i++) {
135 WS[i] = SIMD_2x64::load_be(&data[16 * i]);
136 auto WK = WS[i] + SIMD_2x64::load_le(&K[2 * i]);
137 WK.store_le(&W[2 * i]);
138 }
139
140 data += 128;
141 blocks -= 1;
142
143 // First 64 rounds of SHA-512
144 for(size_t r = 0; r != 64; r += 16) {
145 auto w = sha512_next_w_avx512(WS) + SIMD_2x64::load_le(&K[r + 16]);
146 SHA2_64_F(A, B, C, D, E, F, G, H, W[0]);
147 SHA2_64_F(H, A, B, C, D, E, F, G, W[1]);
148 w.store_le(&W[0]);
149
150 w = sha512_next_w_avx512(WS) + SIMD_2x64::load_le(&K[r + 18]);
151 SHA2_64_F(G, H, A, B, C, D, E, F, W[2]);
152 SHA2_64_F(F, G, H, A, B, C, D, E, W[3]);
153 w.store_le(&W[2]);
154
155 w = sha512_next_w_avx512(WS) + SIMD_2x64::load_le(&K[r + 20]);
156 SHA2_64_F(E, F, G, H, A, B, C, D, W[4]);
157 SHA2_64_F(D, E, F, G, H, A, B, C, W[5]);
158 w.store_le(&W[4]);
159
160 w = sha512_next_w_avx512(WS) + SIMD_2x64::load_le(&K[r + 22]);
161 SHA2_64_F(C, D, E, F, G, H, A, B, W[6]);
162 SHA2_64_F(B, C, D, E, F, G, H, A, W[7]);
163 w.store_le(&W[6]);
164
165 w = sha512_next_w_avx512(WS) + SIMD_2x64::load_le(&K[r + 24]);
166 SHA2_64_F(A, B, C, D, E, F, G, H, W[8]);
167 SHA2_64_F(H, A, B, C, D, E, F, G, W[9]);
168 w.store_le(&W[8]);
169
170 w = sha512_next_w_avx512(WS) + SIMD_2x64::load_le(&K[r + 26]);
171 SHA2_64_F(G, H, A, B, C, D, E, F, W[10]);
172 SHA2_64_F(F, G, H, A, B, C, D, E, W[11]);
173 w.store_le(&W[10]);
174
175 w = sha512_next_w_avx512(WS) + SIMD_2x64::load_le(&K[r + 28]);
176 SHA2_64_F(E, F, G, H, A, B, C, D, W[12]);
177 SHA2_64_F(D, E, F, G, H, A, B, C, W[13]);
178 w.store_le(&W[12]);
179
180 w = sha512_next_w_avx512(WS) + SIMD_2x64::load_le(&K[r + 30]);
181 SHA2_64_F(C, D, E, F, G, H, A, B, W[14]);
182 SHA2_64_F(B, C, D, E, F, G, H, A, W[15]);
183 w.store_le(&W[14]);
184 }
185
186 // Final 16 rounds of SHA-512
187 SHA2_64_F(A, B, C, D, E, F, G, H, W[0]);
188 SHA2_64_F(H, A, B, C, D, E, F, G, W[1]);
189 SHA2_64_F(G, H, A, B, C, D, E, F, W[2]);
190 SHA2_64_F(F, G, H, A, B, C, D, E, W[3]);
191 SHA2_64_F(E, F, G, H, A, B, C, D, W[4]);
192 SHA2_64_F(D, E, F, G, H, A, B, C, W[5]);
193 SHA2_64_F(C, D, E, F, G, H, A, B, W[6]);
194 SHA2_64_F(B, C, D, E, F, G, H, A, W[7]);
195 SHA2_64_F(A, B, C, D, E, F, G, H, W[8]);
196 SHA2_64_F(H, A, B, C, D, E, F, G, W[9]);
197 SHA2_64_F(G, H, A, B, C, D, E, F, W[10]);
198 SHA2_64_F(F, G, H, A, B, C, D, E, W[11]);
199 SHA2_64_F(E, F, G, H, A, B, C, D, W[12]);
200 SHA2_64_F(D, E, F, G, H, A, B, C, W[13]);
201 SHA2_64_F(C, D, E, F, G, H, A, B, W[14]);
202 SHA2_64_F(B, C, D, E, F, G, H, A, W[15]);
203
204 digest0 += A;
205 digest1 += B;
206 digest2 += C;
207 digest3 += D;
208 digest4 += E;
209 digest5 += F;
210 digest6 += G;
211 digest7 += H;
212
213 A = digest0;
214 B = digest1;
215 C = digest2;
216 D = digest3;
217 E = digest4;
218 F = digest5;
219 G = digest6;
220 H = digest7;
221 }
222
223 // Could be optimized a bit by interleaving the registers, reducing store pressure
224 // but probably not worth bothering with
225 _mm_mask_storeu_epi64(&digest[0], 0b01, digest0.raw()); // NOLINT(*-container-data-pointer)
226 _mm_mask_storeu_epi64(&digest[1], 0b01, digest1.raw());
227 _mm_mask_storeu_epi64(&digest[2], 0b01, digest2.raw());
228 _mm_mask_storeu_epi64(&digest[3], 0b01, digest3.raw());
229 _mm_mask_storeu_epi64(&digest[4], 0b01, digest4.raw());
230 _mm_mask_storeu_epi64(&digest[5], 0b01, digest5.raw());
231 _mm_mask_storeu_epi64(&digest[6], 0b01, digest6.raw());
232 _mm_mask_storeu_epi64(&digest[7], 0b01, digest7.raw());
233}
234
235} // namespace Botan
Botan::SIMD_2x64
Definition simd_2x64.h:31
Botan::SIMD_2x64::raw
native_simd_type BOTAN_FN_ISA_SIMD_2X64 raw() const noexcept
Definition simd_2x64.h:314
Botan::SIMD_2x64::load_be
static SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 load_be(const void *in)
Definition simd_2x64.h:90
Botan::SIMD_2x64::load_le
static SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 load_le(const void *in)
Definition simd_2x64.h:82
Botan::SIMD_2x64::splat
static SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 splat(uint64_t v)
Definition simd_2x64.h:57
Botan::SIMD_2x64::alignr8
static SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 alignr8(const SIMD_2x64 &a, const SIMD_2x64 &b)
Definition simd_2x64.h:240
BOTAN_FORCE_INLINE
#define BOTAN_FORCE_INLINE
Definition compiler.h:87
Botan::SHA512_AVX512
Definition sha2_64_avx512.cpp:16
Botan::SHA2_64_F
BOTAN_FORCE_INLINE void SHA2_64_F(uint64_t A, uint64_t B, uint64_t C, uint64_t &D, uint64_t E, uint64_t F, uint64_t G, uint64_t &H, uint64_t &M1, uint64_t M2, uint64_t M3, uint64_t M4, uint64_t magic)
Definition sha2_64_f.h:19
Botan::R2
void R2(uint32_t A, uint32_t &B, uint32_t C, uint32_t &D, uint32_t E, uint32_t &F, uint32_t G, uint32_t &H, uint32_t TJ, uint32_t Wi, uint32_t Wj)
Definition sm3_fn.h:43
Botan::rho
BOTAN_FORCE_INLINE constexpr T rho(T x)
Definition rotate.h:53
Botan::R1
void R1(uint32_t A, uint32_t &B, uint32_t C, uint32_t &D, uint32_t E, uint32_t &F, uint32_t G, uint32_t &H, uint32_t TJ, uint32_t Wi, uint32_t Wj)
Definition sm3_fn.h:21
Generated by doxygen 1.15.0