doxygen/whirlpool__avx512_8cpp_source.html

/*

* (C) 2026 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/internal/whirlpool.h>


#include <botan/internal/isa_extn.h>

#include <immintrin.h>


namespace Botan {


namespace WhirlpoolAVX512 {


namespace {


// NOLINTBEGIN(portability-simd-intrinsics)


class WhirlpoolState {

   public:

      BOTAN_FN_ISA_AVX512

      WhirlpoolState() : m_v(_mm512_setzero_si512()) {}


      BOTAN_FN_ISA_AVX512

      explicit WhirlpoolState(__m512i v) : m_v(v) {}


      WhirlpoolState(const WhirlpoolState& other) = default;

      WhirlpoolState(WhirlpoolState&& other) = default;

      WhirlpoolState& operator=(const WhirlpoolState& other) = default;

      WhirlpoolState& operator=(WhirlpoolState&& other) = default;

      ~WhirlpoolState() = default;


      // Load 64 bytes of message data

      BOTAN_FN_ISA_AVX512

      static WhirlpoolState load_bytes(const uint8_t src[64]) { return WhirlpoolState(_mm512_loadu_si512(src)); }


      BOTAN_FN_ISA_AVX512

      static WhirlpoolState load_be(const uint64_t src[8]) { return WhirlpoolState(_mm512_loadu_si512(src)).bswap(); }


      BOTAN_FN_ISA_AVX512

      void store_be(uint64_t dst[8]) const { _mm512_storeu_si512(dst, bswap().m_v); }


      BOTAN_FN_ISA_AVX512

      inline friend WhirlpoolState operator^(WhirlpoolState a, WhirlpoolState b) {

         return WhirlpoolState(_mm512_xor_si512(a.m_v, b.m_v));

      }


      BOTAN_FN_ISA_AVX512

      inline WhirlpoolState& operator^=(WhirlpoolState other) {

         m_v = _mm512_xor_si512(m_v, other.m_v);

         return *this;

      }


      /*

      * The Whirlpool 8-bit Sbox is built out of 4-bit sboxes, which can be

      * individually computed using pshufb-style shuffles.

      */

      BOTAN_FN_ISA_AVX512

      inline WhirlpoolState sub_bytes() const {

         const __m512i Ebox =

            _mm512_broadcast_i32x4(_mm_setr_epi8(1, 11, 9, 12, 13, 6, 15, 3, 14, 8, 7, 4, 10, 2, 5, 0));

         const __m512i Eibox =

            _mm512_broadcast_i32x4(_mm_setr_epi8(15, 0, 13, 7, 11, 14, 5, 10, 9, 2, 12, 1, 3, 4, 8, 6));

         const __m512i Rbox =

            _mm512_broadcast_i32x4(_mm_setr_epi8(7, 12, 11, 13, 14, 4, 9, 15, 6, 3, 8, 10, 2, 5, 1, 0));


         const __m512i lo_mask = _mm512_set1_epi8(0x0F);


         const __m512i lo_nib = _mm512_and_si512(m_v, lo_mask);

         const __m512i hi_nib = _mm512_and_si512(_mm512_srli_epi16(m_v, 4), lo_mask);


         // L = Ebox[hi], R = Eibox[lo], T = Rbox[L ^ R]

         const __m512i L = _mm512_shuffle_epi8(Ebox, hi_nib);

         const __m512i R = _mm512_shuffle_epi8(Eibox, lo_nib);

         const __m512i T = _mm512_shuffle_epi8(Rbox, _mm512_xor_si512(L, R));


         // result = (Ebox[L ^ T] << 4) | Eibox[R ^ T]

         const __m512i out_hi = _mm512_shuffle_epi8(Ebox, _mm512_xor_si512(L, T));

         const __m512i out_lo = _mm512_shuffle_epi8(Eibox, _mm512_xor_si512(R, T));


         return WhirlpoolState(_mm512_or_si512(_mm512_slli_epi16(out_hi, 4), _mm512_and_si512(out_lo, lo_mask)));

      }


      /*

      * ShiftColumns: column j is cyclically shifted down by j positions.

      *

      * For output row r, column c: source = row (r - c + 8) % 8, column c.

      * Implemented as a single vpermb with a fixed 64-byte permutation.

      */

      BOTAN_FN_ISA_AVX512

      inline WhirlpoolState shift_columns() const {

         // Register byte for (row r, col c) = r*8 + c

         // Source byte = ((r - c + 8) % 8) * 8 + c

         alignas(64) static constexpr uint8_t perm[64] = {

            // clang-format off

             0*8+0, 7*8+1, 6*8+2, 5*8+3, 4*8+4, 3*8+5, 2*8+6, 1*8+7,

             1*8+0, 0*8+1, 7*8+2, 6*8+3, 5*8+4, 4*8+5, 3*8+6, 2*8+7,

             2*8+0, 1*8+1, 0*8+2, 7*8+3, 6*8+4, 5*8+5, 4*8+6, 3*8+7,

             3*8+0, 2*8+1, 1*8+2, 0*8+3, 7*8+4, 6*8+5, 5*8+6, 4*8+7,

             4*8+0, 3*8+1, 2*8+2, 1*8+3, 0*8+4, 7*8+5, 6*8+6, 5*8+7,

             5*8+0, 4*8+1, 3*8+2, 2*8+3, 1*8+4, 0*8+5, 7*8+6, 6*8+7,

             6*8+0, 5*8+1, 4*8+2, 3*8+3, 2*8+4, 1*8+5, 0*8+6, 7*8+7,

             7*8+0, 6*8+1, 5*8+2, 4*8+3, 3*8+4, 2*8+5, 1*8+6, 0*8+7,

            // clang-format on

         };

         return WhirlpoolState(_mm512_permutexvar_epi8(_mm512_load_si512(perm), m_v));

      }


      /*

      * MixRows: MDS circulant [1, 1, 4, 1, 8, 5, 2, 9] over GF(2^8) mod 0x11D

      *

      * Since the MDS coefficients are so small we can easily compute them using

      * a few xtimes plus additions (aka XOR)

      */

      BOTAN_FN_ISA_AVX512

      inline WhirlpoolState mix_rows() const {

         /*

         Constants for quadword rotations by X bytes.


         Could use _mm512_rol_epi64 for this, but it's oddly slower even though

         all documentation suggests that both instructions have the same latency

         and throughput.

         */

         const __m512i rot1 =

            _mm512_broadcast_i32x4(_mm_setr_epi8(7, 0, 1, 2, 3, 4, 5, 6, 15, 8, 9, 10, 11, 12, 13, 14));

         const __m512i rot2 =

            _mm512_broadcast_i32x4(_mm_setr_epi8(6, 7, 0, 1, 2, 3, 4, 5, 14, 15, 8, 9, 10, 11, 12, 13));

         const __m512i rot3 =

            _mm512_broadcast_i32x4(_mm_setr_epi8(5, 6, 7, 0, 1, 2, 3, 4, 13, 14, 15, 8, 9, 10, 11, 12));

         const __m512i rot4 =

            _mm512_broadcast_i32x4(_mm_setr_epi8(4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11));

         const __m512i rot5 =

            _mm512_broadcast_i32x4(_mm_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10));

         const __m512i rot6 =

            _mm512_broadcast_i32x4(_mm_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9));

         const __m512i rot7 =

            _mm512_broadcast_i32x4(_mm_setr_epi8(1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8));


         const __m512i x2 = xtime(m_v);

         const __m512i x4 = xtime(x2);

         const __m512i x8 = xtime(x4);

         const __m512i x5 = _mm512_xor_si512(x4, m_v);

         const __m512i x9 = _mm512_xor_si512(x8, m_v);


         const __m512i t01 = _mm512_xor_si512(m_v, _mm512_shuffle_epi8(m_v, rot1));

         const __m512i t23 = _mm512_xor_si512(_mm512_shuffle_epi8(x4, rot2), _mm512_shuffle_epi8(m_v, rot3));

         const __m512i t45 = _mm512_xor_si512(_mm512_shuffle_epi8(x8, rot4), _mm512_shuffle_epi8(x5, rot5));

         const __m512i t67 = _mm512_xor_si512(_mm512_shuffle_epi8(x2, rot6), _mm512_shuffle_epi8(x9, rot7));


         return WhirlpoolState(_mm512_xor_si512(_mm512_xor_si512(t01, t23), _mm512_xor_si512(t45, t67)));

      }


      /*

      * Whirlpool round: SubBytes -> ShiftColumns -> MixRows

      */

      BOTAN_FN_ISA_AVX512

      inline WhirlpoolState round() const { return sub_bytes().shift_columns().mix_rows(); }


      // Round constant

      BOTAN_FN_ISA_AVX512

      static inline WhirlpoolState rc(uint64_t v) { return WhirlpoolState(_mm512_set_epi64(0, 0, 0, 0, 0, 0, 0, v)); }


   private:

      BOTAN_FN_ISA_AVX512

      WhirlpoolState bswap() const {

         const __m512i tbl = _mm512_broadcast_i32x4(_mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7));


         return WhirlpoolState(_mm512_shuffle_epi8(m_v, tbl));

      }


      // Packed 16-wide doubling in GF(2^8) mod 0x11D

      BOTAN_FN_ISA_AVX512

      static __m512i xtime(__m512i a) {

         const __m512i poly = _mm512_set1_epi8(0x1D);

         const __mmask64 top_bits = _mm512_movepi8_mask(a);

         const __m512i shifted = _mm512_add_epi8(a, a);  // no 8-bit shift in AVX512

         return _mm512_mask_blend_epi8(top_bits, shifted, _mm512_xor_si512(shifted, poly));

      }


      __m512i m_v;

};


// NOLINTEND(portability-simd-intrinsics)


}  // namespace


}  // namespace WhirlpoolAVX512


BOTAN_FN_ISA_AVX512

void Whirlpool::compress_n_avx512(digest_type& digest, std::span<const uint8_t> input, size_t blocks) {

   using WhirlpoolAVX512::WhirlpoolState;


   auto H = WhirlpoolState::load_be(digest.data());


   for(size_t i = 0; i != blocks; ++i) {

      const auto M = WhirlpoolState::load_bytes(input.data() + i * 64);


      auto K = H;

      H ^= M;

      auto B = H;  // B = M ^ K


      K = K.round() ^ WhirlpoolState::rc(0x4F01B887E8C62318);

      B = B.round() ^ K;


      K = K.round() ^ WhirlpoolState::rc(0x52916F79F5D2A636);

      B = B.round() ^ K;


      K = K.round() ^ WhirlpoolState::rc(0x357B0CA38E9BBC60);

      B = B.round() ^ K;


      K = K.round() ^ WhirlpoolState::rc(0x57FE4B2EC2D7E01D);

      B = B.round() ^ K;


      K = K.round() ^ WhirlpoolState::rc(0xDA4AF09FE5377715);

      B = B.round() ^ K;


      K = K.round() ^ WhirlpoolState::rc(0x856BA0B10A29C958);

      B = B.round() ^ K;


      K = K.round() ^ WhirlpoolState::rc(0x67053ECBF4105DBD);

      B = B.round() ^ K;


      K = K.round() ^ WhirlpoolState::rc(0xD8957DA78B4127E4);

      B = B.round() ^ K;


      K = K.round() ^ WhirlpoolState::rc(0x9E4717DD667CEEFB);

      B = B.round() ^ K;


      K = K.round() ^ WhirlpoolState::rc(0x33835AAD07BF2DCA);

      B = B.round() ^ K;


      H ^= B;

   }


   H.store_be(digest.data());

}


}  // namespace Botan

Botan::WhirlpoolAVX512
Definition whirlpool_avx512.cpp:14

Botan
Definition alg_id.cpp:13

Botan::operator^
OctetString operator^(const OctetString &k1, const OctetString &k2)
Definition symkey.cpp:109

Botan::operator^=
std::vector< uint8_t, Alloc > & operator^=(std::vector< uint8_t, Alloc > &out, const std::vector< uint8_t, Alloc2 > &in)
Definition mem_ops.h:445

Botan::store_be
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745

Botan::load_be
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:504