go-ethereum/crypto/blake2b/blake2b_generic.go

// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package blake2b

import (
	"encoding/binary"
	"math/bits"
)

// the precomputed values for BLAKE2b
// there are 10 16-byte arrays - one for each round
// the entries are calculated from the sigma constants.
var precomputed = [10][16]byte{
	{0, 2, 4, 6, 1, 3, 5, 7, 8, 10, 12, 14, 9, 11, 13, 15},
	{14, 4, 9, 13, 10, 8, 15, 6, 1, 0, 11, 5, 12, 2, 7, 3},
	{11, 12, 5, 15, 8, 0, 2, 13, 10, 3, 7, 9, 14, 6, 1, 4},
	{7, 3, 13, 11, 9, 1, 12, 14, 2, 5, 4, 15, 6, 10, 0, 8},
	{9, 5, 2, 10, 0, 7, 4, 15, 14, 11, 6, 3, 1, 12, 8, 13},
	{2, 6, 0, 8, 12, 10, 11, 3, 4, 7, 15, 1, 13, 5, 14, 9},
	{12, 1, 14, 4, 5, 15, 13, 10, 0, 6, 9, 8, 7, 3, 2, 11},
	{13, 7, 12, 3, 11, 14, 1, 9, 5, 15, 8, 2, 0, 4, 6, 10},
	{6, 14, 11, 0, 15, 9, 3, 8, 12, 13, 1, 10, 2, 7, 4, 5},
	{10, 8, 7, 1, 2, 4, 6, 5, 15, 9, 3, 13, 11, 14, 12, 0},
}

func hashBlocksGeneric(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) {
	var m [16]uint64
	c0, c1 := c[0], c[1]

	for i := 0; i < len(blocks); {
		c0 += BlockSize
		if c0 < BlockSize {
			c1++
		}
		for j := range m {
			m[j] = binary.LittleEndian.Uint64(blocks[i:])
			i += 8
		}
		fGeneric(h, &m, c0, c1, flag, 12)
	}
	c[0], c[1] = c0, c1
}

func fGeneric(h *[8]uint64, m *[16]uint64, c0, c1 uint64, flag uint64, rounds uint64) {
	v0, v1, v2, v3, v4, v5, v6, v7 := h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7]
	v8, v9, v10, v11, v12, v13, v14, v15 := iv[0], iv[1], iv[2], iv[3], iv[4], iv[5], iv[6], iv[7]
	v12 ^= c0
	v13 ^= c1
	v14 ^= flag

	for i := 0; i < int(rounds); i++ {
		s := &(precomputed[i%10])

		v0 += m[s[0]]
		v0 += v4
		v12 ^= v0
		v12 = bits.RotateLeft64(v12, -32)
		v8 += v12
		v4 ^= v8
		v4 = bits.RotateLeft64(v4, -24)
		v1 += m[s[1]]
		v1 += v5
		v13 ^= v1
		v13 = bits.RotateLeft64(v13, -32)
		v9 += v13
		v5 ^= v9
		v5 = bits.RotateLeft64(v5, -24)
		v2 += m[s[2]]
		v2 += v6
		v14 ^= v2
		v14 = bits.RotateLeft64(v14, -32)
		v10 += v14
		v6 ^= v10
		v6 = bits.RotateLeft64(v6, -24)
		v3 += m[s[3]]
		v3 += v7
		v15 ^= v3
		v15 = bits.RotateLeft64(v15, -32)
		v11 += v15
		v7 ^= v11
		v7 = bits.RotateLeft64(v7, -24)

		v0 += m[s[4]]
		v0 += v4
		v12 ^= v0
		v12 = bits.RotateLeft64(v12, -16)
		v8 += v12
		v4 ^= v8
		v4 = bits.RotateLeft64(v4, -63)
		v1 += m[s[5]]
		v1 += v5
		v13 ^= v1
		v13 = bits.RotateLeft64(v13, -16)
		v9 += v13
		v5 ^= v9
		v5 = bits.RotateLeft64(v5, -63)
		v2 += m[s[6]]
		v2 += v6
		v14 ^= v2
		v14 = bits.RotateLeft64(v14, -16)
		v10 += v14
		v6 ^= v10
		v6 = bits.RotateLeft64(v6, -63)
		v3 += m[s[7]]
		v3 += v7
		v15 ^= v3
		v15 = bits.RotateLeft64(v15, -16)
		v11 += v15
		v7 ^= v11
		v7 = bits.RotateLeft64(v7, -63)

		v0 += m[s[8]]
		v0 += v5
		v15 ^= v0
		v15 = bits.RotateLeft64(v15, -32)
		v10 += v15
		v5 ^= v10
		v5 = bits.RotateLeft64(v5, -24)
		v1 += m[s[9]]
		v1 += v6
		v12 ^= v1
		v12 = bits.RotateLeft64(v12, -32)
		v11 += v12
		v6 ^= v11
		v6 = bits.RotateLeft64(v6, -24)
		v2 += m[s[10]]
		v2 += v7
		v13 ^= v2
		v13 = bits.RotateLeft64(v13, -32)
		v8 += v13
		v7 ^= v8
		v7 = bits.RotateLeft64(v7, -24)
		v3 += m[s[11]]
		v3 += v4
		v14 ^= v3
		v14 = bits.RotateLeft64(v14, -32)
		v9 += v14
		v4 ^= v9
		v4 = bits.RotateLeft64(v4, -24)

		v0 += m[s[12]]
		v0 += v5
		v15 ^= v0
		v15 = bits.RotateLeft64(v15, -16)
		v10 += v15
		v5 ^= v10
		v5 = bits.RotateLeft64(v5, -63)
		v1 += m[s[13]]
		v1 += v6
		v12 ^= v1
		v12 = bits.RotateLeft64(v12, -16)
		v11 += v12
		v6 ^= v11
		v6 = bits.RotateLeft64(v6, -63)
		v2 += m[s[14]]
		v2 += v7
		v13 ^= v2
		v13 = bits.RotateLeft64(v13, -16)
		v8 += v13
		v7 ^= v8
		v7 = bits.RotateLeft64(v7, -63)
		v3 += m[s[15]]
		v3 += v4
		v14 ^= v3
		v14 = bits.RotateLeft64(v14, -16)
		v9 += v14
		v4 ^= v9
		v4 = bits.RotateLeft64(v4, -63)
	}
	h[0] ^= v0 ^ v8
	h[1] ^= v1 ^ v9
	h[2] ^= v2 ^ v10
	h[3] ^= v3 ^ v11
	h[4] ^= v4 ^ v12
	h[5] ^= v5 ^ v13
	h[6] ^= v6 ^ v14
	h[7] ^= v7 ^ v15
}
core/vm, crypto/blake2b: add BLAKE2b compression func at 0x09 The precompile at 0x09 wraps the BLAKE2b F compression function: https://tools.ietf.org/html/rfc7693#section-3.2 The precompile requires 6 inputs tightly encoded, taking exactly 213 bytes, as explained below. - `rounds` - the number of rounds - 32-bit unsigned big-endian word - `h` - the state vector - 8 unsigned 64-bit little-endian words - `m` - the message block vector - 16 unsigned 64-bit little-endian words - `t_0, t_1` - offset counters - 2 unsigned 64-bit little-endian words - `f` - the final block indicator flag - 8-bit word [4 bytes for rounds][64 bytes for h][128 bytes for m][8 bytes for t_0] [8 bytes for t_1][1 byte for f] The boolean `f` parameter is considered as `true` if set to `1`. The boolean `f` parameter is considered as `false` if set to `0`. All other values yield an invalid encoding of `f` error. The precompile should compute the F function as specified in the RFC (https://tools.ietf.org/html/rfc7693#section-3.2) and return the updated state vector `h` with unchanged encoding (little-endian). See EIP-152 for details. 2019-06-17 19:19:47 +02:00			`// Copyright 2016 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`package blake2b`

			`import (`
core/vm, crypto/blake2b: add SSE, AVX and AVX2 code 2019-08-21 12:38:18 +03:00			`"encoding/binary"`
core/vm, crypto/blake2b: add BLAKE2b compression func at 0x09 The precompile at 0x09 wraps the BLAKE2b F compression function: https://tools.ietf.org/html/rfc7693#section-3.2 The precompile requires 6 inputs tightly encoded, taking exactly 213 bytes, as explained below. - `rounds` - the number of rounds - 32-bit unsigned big-endian word - `h` - the state vector - 8 unsigned 64-bit little-endian words - `m` - the message block vector - 16 unsigned 64-bit little-endian words - `t_0, t_1` - offset counters - 2 unsigned 64-bit little-endian words - `f` - the final block indicator flag - 8-bit word [4 bytes for rounds][64 bytes for h][128 bytes for m][8 bytes for t_0] [8 bytes for t_1][1 byte for f] The boolean `f` parameter is considered as `true` if set to `1`. The boolean `f` parameter is considered as `false` if set to `0`. All other values yield an invalid encoding of `f` error. The precompile should compute the F function as specified in the RFC (https://tools.ietf.org/html/rfc7693#section-3.2) and return the updated state vector `h` with unchanged encoding (little-endian). See EIP-152 for details. 2019-06-17 19:19:47 +02:00			`"math/bits"`
			`)`

			`// the precomputed values for BLAKE2b`
			`// there are 10 16-byte arrays - one for each round`
			`// the entries are calculated from the sigma constants.`
			`var precomputed = [10][16]byte{`
			`{0, 2, 4, 6, 1, 3, 5, 7, 8, 10, 12, 14, 9, 11, 13, 15},`
			`{14, 4, 9, 13, 10, 8, 15, 6, 1, 0, 11, 5, 12, 2, 7, 3},`
			`{11, 12, 5, 15, 8, 0, 2, 13, 10, 3, 7, 9, 14, 6, 1, 4},`
			`{7, 3, 13, 11, 9, 1, 12, 14, 2, 5, 4, 15, 6, 10, 0, 8},`
			`{9, 5, 2, 10, 0, 7, 4, 15, 14, 11, 6, 3, 1, 12, 8, 13},`
			`{2, 6, 0, 8, 12, 10, 11, 3, 4, 7, 15, 1, 13, 5, 14, 9},`
			`{12, 1, 14, 4, 5, 15, 13, 10, 0, 6, 9, 8, 7, 3, 2, 11},`
			`{13, 7, 12, 3, 11, 14, 1, 9, 5, 15, 8, 2, 0, 4, 6, 10},`
			`{6, 14, 11, 0, 15, 9, 3, 8, 12, 13, 1, 10, 2, 7, 4, 5},`
			`{10, 8, 7, 1, 2, 4, 6, 5, 15, 9, 3, 13, 11, 14, 12, 0},`
			`}`

core/vm, crypto/blake2b: add SSE, AVX and AVX2 code 2019-08-21 12:38:18 +03:00			`func hashBlocksGeneric(h [8]uint64, c [2]uint64, flag uint64, blocks []byte) {`
			`var m [16]uint64`
core/vm, crypto/blake2b: add BLAKE2b compression func at 0x09 The precompile at 0x09 wraps the BLAKE2b F compression function: https://tools.ietf.org/html/rfc7693#section-3.2 The precompile requires 6 inputs tightly encoded, taking exactly 213 bytes, as explained below. - `rounds` - the number of rounds - 32-bit unsigned big-endian word - `h` - the state vector - 8 unsigned 64-bit little-endian words - `m` - the message block vector - 16 unsigned 64-bit little-endian words - `t_0, t_1` - offset counters - 2 unsigned 64-bit little-endian words - `f` - the final block indicator flag - 8-bit word [4 bytes for rounds][64 bytes for h][128 bytes for m][8 bytes for t_0] [8 bytes for t_1][1 byte for f] The boolean `f` parameter is considered as `true` if set to `1`. The boolean `f` parameter is considered as `false` if set to `0`. All other values yield an invalid encoding of `f` error. The precompile should compute the F function as specified in the RFC (https://tools.ietf.org/html/rfc7693#section-3.2) and return the updated state vector `h` with unchanged encoding (little-endian). See EIP-152 for details. 2019-06-17 19:19:47 +02:00			`c0, c1 := c[0], c[1]`

core/vm, crypto/blake2b: add SSE, AVX and AVX2 code 2019-08-21 12:38:18 +03:00			`for i := 0; i < len(blocks); {`
			`c0 += BlockSize`
			`if c0 < BlockSize {`
			`c1++`
			`}`
			`for j := range m {`
			`m[j] = binary.LittleEndian.Uint64(blocks[i:])`
			`i += 8`
			`}`
			`fGeneric(h, &m, c0, c1, flag, 12)`
			`}`
			`c[0], c[1] = c0, c1`
			`}`

			`func fGeneric(h [8]uint64, m [16]uint64, c0, c1 uint64, flag uint64, rounds uint64) {`
core/vm, crypto/blake2b: add BLAKE2b compression func at 0x09 The precompile at 0x09 wraps the BLAKE2b F compression function: https://tools.ietf.org/html/rfc7693#section-3.2 The precompile requires 6 inputs tightly encoded, taking exactly 213 bytes, as explained below. - `rounds` - the number of rounds - 32-bit unsigned big-endian word - `h` - the state vector - 8 unsigned 64-bit little-endian words - `m` - the message block vector - 16 unsigned 64-bit little-endian words - `t_0, t_1` - offset counters - 2 unsigned 64-bit little-endian words - `f` - the final block indicator flag - 8-bit word [4 bytes for rounds][64 bytes for h][128 bytes for m][8 bytes for t_0] [8 bytes for t_1][1 byte for f] The boolean `f` parameter is considered as `true` if set to `1`. The boolean `f` parameter is considered as `false` if set to `0`. All other values yield an invalid encoding of `f` error. The precompile should compute the F function as specified in the RFC (https://tools.ietf.org/html/rfc7693#section-3.2) and return the updated state vector `h` with unchanged encoding (little-endian). See EIP-152 for details. 2019-06-17 19:19:47 +02:00			`v0, v1, v2, v3, v4, v5, v6, v7 := h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7]`
core/vm, crypto/blake2b: add SSE, AVX and AVX2 code 2019-08-21 12:38:18 +03:00			`v8, v9, v10, v11, v12, v13, v14, v15 := iv[0], iv[1], iv[2], iv[3], iv[4], iv[5], iv[6], iv[7]`
core/vm, crypto/blake2b: add BLAKE2b compression func at 0x09 The precompile at 0x09 wraps the BLAKE2b F compression function: https://tools.ietf.org/html/rfc7693#section-3.2 The precompile requires 6 inputs tightly encoded, taking exactly 213 bytes, as explained below. - `rounds` - the number of rounds - 32-bit unsigned big-endian word - `h` - the state vector - 8 unsigned 64-bit little-endian words - `m` - the message block vector - 16 unsigned 64-bit little-endian words - `t_0, t_1` - offset counters - 2 unsigned 64-bit little-endian words - `f` - the final block indicator flag - 8-bit word [4 bytes for rounds][64 bytes for h][128 bytes for m][8 bytes for t_0] [8 bytes for t_1][1 byte for f] The boolean `f` parameter is considered as `true` if set to `1`. The boolean `f` parameter is considered as `false` if set to `0`. All other values yield an invalid encoding of `f` error. The precompile should compute the F function as specified in the RFC (https://tools.ietf.org/html/rfc7693#section-3.2) and return the updated state vector `h` with unchanged encoding (little-endian). See EIP-152 for details. 2019-06-17 19:19:47 +02:00			`v12 ^= c0`
			`v13 ^= c1`
core/vm, crypto/blake2b: add SSE, AVX and AVX2 code 2019-08-21 12:38:18 +03:00			`v14 ^= flag`
core/vm, crypto/blake2b: add BLAKE2b compression func at 0x09 The precompile at 0x09 wraps the BLAKE2b F compression function: https://tools.ietf.org/html/rfc7693#section-3.2 The precompile requires 6 inputs tightly encoded, taking exactly 213 bytes, as explained below. - `rounds` - the number of rounds - 32-bit unsigned big-endian word - `h` - the state vector - 8 unsigned 64-bit little-endian words - `m` - the message block vector - 16 unsigned 64-bit little-endian words - `t_0, t_1` - offset counters - 2 unsigned 64-bit little-endian words - `f` - the final block indicator flag - 8-bit word [4 bytes for rounds][64 bytes for h][128 bytes for m][8 bytes for t_0] [8 bytes for t_1][1 byte for f] The boolean `f` parameter is considered as `true` if set to `1`. The boolean `f` parameter is considered as `false` if set to `0`. All other values yield an invalid encoding of `f` error. The precompile should compute the F function as specified in the RFC (https://tools.ietf.org/html/rfc7693#section-3.2) and return the updated state vector `h` with unchanged encoding (little-endian). See EIP-152 for details. 2019-06-17 19:19:47 +02:00
core/vm, crypto/blake2b: add SSE, AVX and AVX2 code 2019-08-21 12:38:18 +03:00			`for i := 0; i < int(rounds); i++ {`
			`s := &(precomputed[i%10])`
core/vm, crypto/blake2b: add BLAKE2b compression func at 0x09 The precompile at 0x09 wraps the BLAKE2b F compression function: https://tools.ietf.org/html/rfc7693#section-3.2 The precompile requires 6 inputs tightly encoded, taking exactly 213 bytes, as explained below. - `rounds` - the number of rounds - 32-bit unsigned big-endian word - `h` - the state vector - 8 unsigned 64-bit little-endian words - `m` - the message block vector - 16 unsigned 64-bit little-endian words - `t_0, t_1` - offset counters - 2 unsigned 64-bit little-endian words - `f` - the final block indicator flag - 8-bit word [4 bytes for rounds][64 bytes for h][128 bytes for m][8 bytes for t_0] [8 bytes for t_1][1 byte for f] The boolean `f` parameter is considered as `true` if set to `1`. The boolean `f` parameter is considered as `false` if set to `0`. All other values yield an invalid encoding of `f` error. The precompile should compute the F function as specified in the RFC (https://tools.ietf.org/html/rfc7693#section-3.2) and return the updated state vector `h` with unchanged encoding (little-endian). See EIP-152 for details. 2019-06-17 19:19:47 +02:00
			`v0 += m[s[0]]`
			`v0 += v4`
			`v12 ^= v0`
			`v12 = bits.RotateLeft64(v12, -32)`
			`v8 += v12`
			`v4 ^= v8`
			`v4 = bits.RotateLeft64(v4, -24)`
			`v1 += m[s[1]]`
			`v1 += v5`
			`v13 ^= v1`
			`v13 = bits.RotateLeft64(v13, -32)`
			`v9 += v13`
			`v5 ^= v9`
			`v5 = bits.RotateLeft64(v5, -24)`
			`v2 += m[s[2]]`
			`v2 += v6`
			`v14 ^= v2`
			`v14 = bits.RotateLeft64(v14, -32)`
			`v10 += v14`
			`v6 ^= v10`
			`v6 = bits.RotateLeft64(v6, -24)`
			`v3 += m[s[3]]`
			`v3 += v7`
			`v15 ^= v3`
			`v15 = bits.RotateLeft64(v15, -32)`
			`v11 += v15`
			`v7 ^= v11`
			`v7 = bits.RotateLeft64(v7, -24)`

			`v0 += m[s[4]]`
			`v0 += v4`
			`v12 ^= v0`
			`v12 = bits.RotateLeft64(v12, -16)`
			`v8 += v12`
			`v4 ^= v8`
			`v4 = bits.RotateLeft64(v4, -63)`
			`v1 += m[s[5]]`
			`v1 += v5`
			`v13 ^= v1`
			`v13 = bits.RotateLeft64(v13, -16)`
			`v9 += v13`
			`v5 ^= v9`
			`v5 = bits.RotateLeft64(v5, -63)`
			`v2 += m[s[6]]`
			`v2 += v6`
			`v14 ^= v2`
			`v14 = bits.RotateLeft64(v14, -16)`
			`v10 += v14`
			`v6 ^= v10`
			`v6 = bits.RotateLeft64(v6, -63)`
			`v3 += m[s[7]]`
			`v3 += v7`
			`v15 ^= v3`
			`v15 = bits.RotateLeft64(v15, -16)`
			`v11 += v15`
			`v7 ^= v11`
			`v7 = bits.RotateLeft64(v7, -63)`

			`v0 += m[s[8]]`
			`v0 += v5`
			`v15 ^= v0`
			`v15 = bits.RotateLeft64(v15, -32)`
			`v10 += v15`
			`v5 ^= v10`
			`v5 = bits.RotateLeft64(v5, -24)`
			`v1 += m[s[9]]`
			`v1 += v6`
			`v12 ^= v1`
			`v12 = bits.RotateLeft64(v12, -32)`
			`v11 += v12`
			`v6 ^= v11`
			`v6 = bits.RotateLeft64(v6, -24)`
			`v2 += m[s[10]]`
			`v2 += v7`
			`v13 ^= v2`
			`v13 = bits.RotateLeft64(v13, -32)`
			`v8 += v13`
			`v7 ^= v8`
			`v7 = bits.RotateLeft64(v7, -24)`
			`v3 += m[s[11]]`
			`v3 += v4`
			`v14 ^= v3`
			`v14 = bits.RotateLeft64(v14, -32)`
			`v9 += v14`
			`v4 ^= v9`
			`v4 = bits.RotateLeft64(v4, -24)`

			`v0 += m[s[12]]`
			`v0 += v5`
			`v15 ^= v0`
			`v15 = bits.RotateLeft64(v15, -16)`
			`v10 += v15`
			`v5 ^= v10`
			`v5 = bits.RotateLeft64(v5, -63)`
			`v1 += m[s[13]]`
			`v1 += v6`
			`v12 ^= v1`
			`v12 = bits.RotateLeft64(v12, -16)`
			`v11 += v12`
			`v6 ^= v11`
			`v6 = bits.RotateLeft64(v6, -63)`
			`v2 += m[s[14]]`
			`v2 += v7`
			`v13 ^= v2`
			`v13 = bits.RotateLeft64(v13, -16)`
			`v8 += v13`
			`v7 ^= v8`
			`v7 = bits.RotateLeft64(v7, -63)`
			`v3 += m[s[15]]`
			`v3 += v4`
			`v14 ^= v3`
			`v14 = bits.RotateLeft64(v14, -16)`
			`v9 += v14`
			`v4 ^= v9`
			`v4 = bits.RotateLeft64(v4, -63)`
			`}`
			`h[0] ^= v0 ^ v8`
			`h[1] ^= v1 ^ v9`
			`h[2] ^= v2 ^ v10`
			`h[3] ^= v3 ^ v11`
			`h[4] ^= v4 ^ v12`
			`h[5] ^= v5 ^ v13`
			`h[6] ^= v6 ^ v14`
			`h[7] ^= v7 ^ v15`
			`}`