lsh256.cpp

// lsh.cpp - written and placed in the public domain by Jeffrey Walton
//           Based on the specification and source code provided by
//           Korea Internet & Security Agency (KISA) website. Also
//           see https://seed.kisa.or.kr/kisa/algorithm/EgovLSHInfo.do
//           and https://seed.kisa.or.kr/kisa/Board/22/detailView.do.
 
// We are hitting some sort of GCC bug in the LSH AVX2 code path.
// Clang is OK on the AVX2 code path. We believe it is GCC Issue
// 82735, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82735. It
// makes using zeroupper a little tricky.
 
#include "pch.h"
#include "config.h"
 
#include "lsh.h"
#include "cpu.h"
#include "misc.h"
 
ANONYMOUS_NAMESPACE_BEGIN
 
/* LSH Constants */
 
const unsigned int LSH256_MSG_BLK_BYTE_LEN = 128;
// const unsigned int LSH256_MSG_BLK_BIT_LEN = 1024;
// const unsigned int LSH256_CV_BYTE_LEN = 64;
const unsigned int LSH256_HASH_VAL_MAX_BYTE_LEN = 32;
 
// const unsigned int MSG_BLK_WORD_LEN = 32;
const unsigned int CV_WORD_LEN = 16;
const unsigned int CONST_WORD_LEN = 8;
const unsigned int HASH_VAL_MAX_WORD_LEN = 8;
// const unsigned int WORD_BIT_LEN = 32;
const unsigned int NUM_STEPS = 26;
 
const unsigned int ROT_EVEN_ALPHA = 29;
const unsigned int ROT_EVEN_BETA = 1;
const unsigned int ROT_ODD_ALPHA = 5;
const unsigned int ROT_ODD_BETA = 17;
 
const unsigned int LSH_TYPE_256_256 = 0x0000020;
const unsigned int LSH_TYPE_256_224 = 0x000001C;
 
// const unsigned int LSH_TYPE_224 = LSH_TYPE_256_224;
// const unsigned int LSH_TYPE_256 = LSH_TYPE_256_256;
 
/* Error Code */
 
const unsigned int LSH_SUCCESS = 0x0;
// const unsigned int LSH_ERR_NULL_PTR = 0x2401;
// const unsigned int LSH_ERR_INVALID_ALGTYPE = 0x2402;
const unsigned int LSH_ERR_INVALID_DATABITLEN = 0x2403;
const unsigned int LSH_ERR_INVALID_STATE = 0x2404;
 
/* Index into our state array */
 
const unsigned int AlgorithmType = 80;
const unsigned int RemainingBits = 81;
 
NAMESPACE_END
 
NAMESPACE_BEGIN(CryptoPP)
NAMESPACE_BEGIN(LSH)
 
/* -------------------------------------------------------- *
* LSH: iv
* -------------------------------------------------------- */
 
//extern const word32 LSH256_IV224[CV_WORD_LEN];
//extern const word32 LSH256_IV256[CV_WORD_LEN];
//extern const word32 LSH256_StepConstants[CONST_WORD_LEN * NUM_STEPS];
 
CRYPTOPP_ALIGN_DATA(32)
extern
const word32 LSH256_IV224[CV_WORD_LEN] = {
    0x068608D3, 0x62D8F7A7, 0xD76652AB, 0x4C600A43, 0xBDC40AA8, 0x1ECA0B68, 0xDA1A89BE, 0x3147D354,
    0x707EB4F9, 0xF65B3862, 0x6B0B2ABE, 0x56B8EC0A, 0xCF237286, 0xEE0D1727, 0x33636595, 0x8BB8D05F
};
 
CRYPTOPP_ALIGN_DATA(32)
extern
const word32 LSH256_IV256[CV_WORD_LEN] = {
    0x46a10f1f, 0xfddce486, 0xb41443a8, 0x198e6b9d, 0x3304388d, 0xb0f5a3c7, 0xb36061c4, 0x7adbd553,
    0x105d5378, 0x2f74de54, 0x5c2f2d95, 0xf2553fbe, 0x8051357a, 0x138668c8, 0x47aa4484, 0xe01afb41
};
 
/* -------------------------------------------------------- *
* LSH: step constants
* -------------------------------------------------------- */
 
extern
const word32 LSH256_StepConstants[CONST_WORD_LEN * NUM_STEPS] = {
    0x917caf90, 0x6c1b10a2, 0x6f352943, 0xcf778243, 0x2ceb7472, 0x29e96ff2, 0x8a9ba428, 0x2eeb2642,
    0x0e2c4021, 0x872bb30e, 0xa45e6cb2, 0x46f9c612, 0x185fe69e, 0x1359621b, 0x263fccb2, 0x1a116870,
    0x3a6c612f, 0xb2dec195, 0x02cb1f56, 0x40bfd858, 0x784684b6, 0x6cbb7d2e, 0x660c7ed8, 0x2b79d88a,
    0xa6cd9069, 0x91a05747, 0xcdea7558, 0x00983098, 0xbecb3b2e, 0x2838ab9a, 0x728b573e, 0xa55262b5,
    0x745dfa0f, 0x31f79ed8, 0xb85fce25, 0x98c8c898, 0x8a0669ec, 0x60e445c2, 0xfde295b0, 0xf7b5185a,
    0xd2580983, 0x29967709, 0x182df3dd, 0x61916130, 0x90705676, 0x452a0822, 0xe07846ad, 0xaccd7351,
    0x2a618d55, 0xc00d8032, 0x4621d0f5, 0xf2f29191, 0x00c6cd06, 0x6f322a67, 0x58bef48d, 0x7a40c4fd,
    0x8beee27f, 0xcd8db2f2, 0x67f2c63b, 0xe5842383, 0xc793d306, 0xa15c91d6, 0x17b381e5, 0xbb05c277,
    0x7ad1620a, 0x5b40a5bf, 0x5ab901a2, 0x69a7a768, 0x5b66d9cd, 0xfdee6877, 0xcb3566fc, 0xc0c83a32,
    0x4c336c84, 0x9be6651a, 0x13baa3fc, 0x114f0fd1, 0xc240a728, 0xec56e074, 0x009c63c7, 0x89026cf2,
    0x7f9ff0d0, 0x824b7fb5, 0xce5ea00f, 0x605ee0e2, 0x02e7cfea, 0x43375560, 0x9d002ac7, 0x8b6f5f7b,
    0x1f90c14f, 0xcdcb3537, 0x2cfeafdd, 0xbf3fc342, 0xeab7b9ec, 0x7a8cb5a3, 0x9d2af264, 0xfacedb06,
    0xb052106e, 0x99006d04, 0x2bae8d09, 0xff030601, 0xa271a6d6, 0x0742591d, 0xc81d5701, 0xc9a9e200,
    0x02627f1e, 0x996d719d, 0xda3b9634, 0x02090800, 0x14187d78, 0x499b7624, 0xe57458c9, 0x738be2c9,
    0x64e19d20, 0x06df0f36, 0x15d1cb0e, 0x0b110802, 0x2c95f58c, 0xe5119a6d, 0x59cd22ae, 0xff6eac3c,
    0x467ebd84, 0xe5ee453c, 0xe79cd923, 0x1c190a0d, 0xc28b81b8, 0xf6ac0852, 0x26efd107, 0x6e1ae93b,
    0xc53c41ca, 0xd4338221, 0x8475fd0a, 0x35231729, 0x4e0d3a7a, 0xa2b45b48, 0x16c0d82d, 0x890424a9,
    0x017e0c8f, 0x07b5a3f5, 0xfa73078e, 0x583a405e, 0x5b47b4c8, 0x570fa3ea, 0xd7990543, 0x8d28ce32,
    0x7f8a9b90, 0xbd5998fc, 0x6d7a9688, 0x927a9eb6, 0xa2fc7d23, 0x66b38e41, 0x709e491a, 0xb5f700bf,
    0x0a262c0f, 0x16f295b9, 0xe8111ef5, 0x0d195548, 0x9f79a0c5, 0x1a41cfa7, 0x0ee7638a, 0xacf7c074,
    0x30523b19, 0x09884ecf, 0xf93014dd, 0x266e9d55, 0x191a6664, 0x5c1176c1, 0xf64aed98, 0xa4b83520,
    0x828d5449, 0x91d71dd8, 0x2944f2d6, 0x950bf27b, 0x3380ca7d, 0x6d88381d, 0x4138868e, 0x5ced55c4,
    0x0fe19dcb, 0x68f4f669, 0x6e37c8ff, 0xa0fe6e10, 0xb44b47b0, 0xf5c0558a, 0x79bf14cf, 0x4a431a20,
    0xf17f68da, 0x5deb5fd1, 0xa600c86d, 0x9f6c7eb0, 0xff92f864, 0xb615e07f, 0x38d3e448, 0x8d5d3a6a,
    0x70e843cb, 0x494b312e, 0xa6c93613, 0x0beb2f4f, 0x928b5d63, 0xcbf66035, 0x0cb82c80, 0xea97a4f7,
    0x592c0f3b, 0x947c5f77, 0x6fff49b9, 0xf71a7e5a, 0x1de8c0f5, 0xc2569600, 0xc4e4ac8c, 0x823c9ce1
};
 
NAMESPACE_END  // LSH
NAMESPACE_END  // Crypto++
 
ANONYMOUS_NAMESPACE_BEGIN
 
using CryptoPP::byte;
using CryptoPP::word32;
using CryptoPP::rotlFixed;
using CryptoPP::rotlConstant;
 
using CryptoPP::GetBlock;
using CryptoPP::LittleEndian;
using CryptoPP::ConditionalByteReverse;
using CryptoPP::LITTLE_ENDIAN_ORDER;
 
using CryptoPP::LSH::LSH256_IV224;
using CryptoPP::LSH::LSH256_IV256;
using CryptoPP::LSH::LSH256_StepConstants;
 
typedef byte lsh_u8;
typedef word32 lsh_u32;
typedef word32 lsh_uint;
typedef word32 lsh_err;
typedef word32 lsh_type;
 
struct LSH256_Context
{
    LSH256_Context(word32* state, word32 algType, word32& remainingBitLength) :
        cv_l(state+0), cv_r(state+8), sub_msgs(state+16),
        last_block(reinterpret_cast<byte*>(state+48)),
        remain_databitlen(remainingBitLength),
        alg_type(static_cast<lsh_type>(algType)) {}
 
    lsh_u32* cv_l;  // start of our state block
    lsh_u32* cv_r;
    lsh_u32* sub_msgs;
    lsh_u8*  last_block;
    lsh_u32& remain_databitlen;
    lsh_type alg_type;
};
 
struct LSH256_Internal
{
    LSH256_Internal(word32* state) :
        submsg_e_l(state+16), submsg_e_r(state+24),
        submsg_o_l(state+32), submsg_o_r(state+40) { }
 
    lsh_u32* submsg_e_l; /* even left sub-message  */
    lsh_u32* submsg_e_r; /* even right sub-message */
    lsh_u32* submsg_o_l; /* odd left sub-message   */
    lsh_u32* submsg_o_r; /* odd right sub-message  */
};
 
const word32 g_gamma256[8] = { 0, 8, 16, 24, 24, 16, 8, 0 };
 
/* LSH AlgType Macro */
 
inline bool LSH_IS_LSH512(lsh_uint val) {
    return (val & 0xf0000) == 0;
}
 
inline lsh_uint LSH_GET_SMALL_HASHBIT(lsh_uint val) {
    return val >> 24;
}
 
inline lsh_uint LSH_GET_HASHBYTE(lsh_uint val) {
    return val & 0xffff;
}
 
inline lsh_uint LSH_GET_HASHBIT(lsh_uint val) {
    return (LSH_GET_HASHBYTE(val) << 3) - LSH_GET_SMALL_HASHBIT(val);
}
 
inline lsh_u32 loadLE32(lsh_u32 v) {
    return ConditionalByteReverse(LITTLE_ENDIAN_ORDER, v);
}
 
lsh_u32 ROTL(lsh_u32 x, lsh_u32 r) {
    return rotlFixed(x, r);
}
 
// Original code relied upon unaligned lsh_u32 buffer
inline void load_msg_blk(LSH256_Internal* i_state, const lsh_u8 msgblk[LSH256_MSG_BLK_BYTE_LEN])
{
    CRYPTOPP_ASSERT(i_state != NULLPTR);
 
    lsh_u32* submsg_e_l = i_state->submsg_e_l;
    lsh_u32* submsg_e_r = i_state->submsg_e_r;
    lsh_u32* submsg_o_l = i_state->submsg_o_l;
    lsh_u32* submsg_o_r = i_state->submsg_o_r;
 
    typedef GetBlock<word32, LittleEndian, false> InBlock;
 
    InBlock input(msgblk);
    input(submsg_e_l[0])(submsg_e_l[1])(submsg_e_l[2])(submsg_e_l[3])
        (submsg_e_l[4])(submsg_e_l[5])(submsg_e_l[6])(submsg_e_l[7])
        (submsg_e_r[0])(submsg_e_r[1])(submsg_e_r[2])(submsg_e_r[3])
        (submsg_e_r[4])(submsg_e_r[5])(submsg_e_r[6])(submsg_e_r[7])
        (submsg_o_l[0])(submsg_o_l[1])(submsg_o_l[2])(submsg_o_l[3])
        (submsg_o_l[4])(submsg_o_l[5])(submsg_o_l[6])(submsg_o_l[7])
        (submsg_o_r[0])(submsg_o_r[1])(submsg_o_r[2])(submsg_o_r[3])
        (submsg_o_r[4])(submsg_o_r[5])(submsg_o_r[6])(submsg_o_r[7]);
}
 
inline void msg_exp_even(LSH256_Internal* i_state)
{
    CRYPTOPP_ASSERT(i_state != NULLPTR);
 
    lsh_u32* submsg_e_l = i_state->submsg_e_l;
    lsh_u32* submsg_e_r = i_state->submsg_e_r;
    lsh_u32* submsg_o_l = i_state->submsg_o_l;
    lsh_u32* submsg_o_r = i_state->submsg_o_r;
 
    lsh_u32 temp;
    temp = submsg_e_l[0];
    submsg_e_l[0] = submsg_o_l[0] + submsg_e_l[3];
    submsg_e_l[3] = submsg_o_l[3] + submsg_e_l[1];
    submsg_e_l[1] = submsg_o_l[1] + submsg_e_l[2];
    submsg_e_l[2] = submsg_o_l[2] + temp;
    temp = submsg_e_l[4];
    submsg_e_l[4] = submsg_o_l[4] + submsg_e_l[7];
    submsg_e_l[7] = submsg_o_l[7] + submsg_e_l[6];
    submsg_e_l[6] = submsg_o_l[6] + submsg_e_l[5];
    submsg_e_l[5] = submsg_o_l[5] + temp;
    temp = submsg_e_r[0];
    submsg_e_r[0] = submsg_o_r[0] + submsg_e_r[3];
    submsg_e_r[3] = submsg_o_r[3] + submsg_e_r[1];
    submsg_e_r[1] = submsg_o_r[1] + submsg_e_r[2];
    submsg_e_r[2] = submsg_o_r[2] + temp;
    temp = submsg_e_r[4];
    submsg_e_r[4] = submsg_o_r[4] + submsg_e_r[7];
    submsg_e_r[7] = submsg_o_r[7] + submsg_e_r[6];
    submsg_e_r[6] = submsg_o_r[6] + submsg_e_r[5];
    submsg_e_r[5] = submsg_o_r[5] + temp;
}
 
inline void msg_exp_odd(LSH256_Internal* i_state)
{
    CRYPTOPP_ASSERT(i_state != NULLPTR);
 
    lsh_u32* submsg_e_l = i_state->submsg_e_l;
    lsh_u32* submsg_e_r = i_state->submsg_e_r;
    lsh_u32* submsg_o_l = i_state->submsg_o_l;
    lsh_u32* submsg_o_r = i_state->submsg_o_r;
 
    lsh_u32 temp;
    temp = submsg_o_l[0];
    submsg_o_l[0] = submsg_e_l[0] + submsg_o_l[3];
    submsg_o_l[3] = submsg_e_l[3] + submsg_o_l[1];
    submsg_o_l[1] = submsg_e_l[1] + submsg_o_l[2];
    submsg_o_l[2] = submsg_e_l[2] + temp;
    temp = submsg_o_l[4];
    submsg_o_l[4] = submsg_e_l[4] + submsg_o_l[7];
    submsg_o_l[7] = submsg_e_l[7] + submsg_o_l[6];
    submsg_o_l[6] = submsg_e_l[6] + submsg_o_l[5];
    submsg_o_l[5] = submsg_e_l[5] + temp;
    temp = submsg_o_r[0];
    submsg_o_r[0] = submsg_e_r[0] + submsg_o_r[3];
    submsg_o_r[3] = submsg_e_r[3] + submsg_o_r[1];
    submsg_o_r[1] = submsg_e_r[1] + submsg_o_r[2];
    submsg_o_r[2] = submsg_e_r[2] + temp;
    temp = submsg_o_r[4];
    submsg_o_r[4] = submsg_e_r[4] + submsg_o_r[7];
    submsg_o_r[7] = submsg_e_r[7] + submsg_o_r[6];
    submsg_o_r[6] = submsg_e_r[6] + submsg_o_r[5];
    submsg_o_r[5] = submsg_e_r[5] + temp;
}
 
inline void load_sc(const lsh_u32** p_const_v, size_t i)
{
    CRYPTOPP_ASSERT(p_const_v != NULLPTR);
 
    *p_const_v = &LSH256_StepConstants[i];
}
 
inline void msg_add_even(lsh_u32 cv_l[8], lsh_u32 cv_r[8], LSH256_Internal* i_state)
{
    CRYPTOPP_ASSERT(i_state != NULLPTR);
 
    lsh_u32* submsg_e_l = i_state->submsg_e_l;
    lsh_u32* submsg_e_r = i_state->submsg_e_r;
 
    cv_l[0] ^= submsg_e_l[0];  cv_l[1] ^= submsg_e_l[1];
    cv_l[2] ^= submsg_e_l[2];  cv_l[3] ^= submsg_e_l[3];
    cv_l[4] ^= submsg_e_l[4];  cv_l[5] ^= submsg_e_l[5];
    cv_l[6] ^= submsg_e_l[6];  cv_l[7] ^= submsg_e_l[7];
    cv_r[0] ^= submsg_e_r[0];  cv_r[1] ^= submsg_e_r[1];
    cv_r[2] ^= submsg_e_r[2];  cv_r[3] ^= submsg_e_r[3];
    cv_r[4] ^= submsg_e_r[4];  cv_r[5] ^= submsg_e_r[5];
    cv_r[6] ^= submsg_e_r[6];  cv_r[7] ^= submsg_e_r[7];
}
 
inline void msg_add_odd(lsh_u32 cv_l[8], lsh_u32 cv_r[8], LSH256_Internal* i_state)
{
    CRYPTOPP_ASSERT(i_state != NULLPTR);
 
    lsh_u32* submsg_o_l = i_state->submsg_o_l;
    lsh_u32* submsg_o_r = i_state->submsg_o_r;
 
    cv_l[0] ^= submsg_o_l[0];  cv_l[1] ^= submsg_o_l[1];
    cv_l[2] ^= submsg_o_l[2];  cv_l[3] ^= submsg_o_l[3];
    cv_l[4] ^= submsg_o_l[4];  cv_l[5] ^= submsg_o_l[5];
    cv_l[6] ^= submsg_o_l[6];  cv_l[7] ^= submsg_o_l[7];
    cv_r[0] ^= submsg_o_r[0];  cv_r[1] ^= submsg_o_r[1];
    cv_r[2] ^= submsg_o_r[2];  cv_r[3] ^= submsg_o_r[3];
    cv_r[4] ^= submsg_o_r[4];  cv_r[5] ^= submsg_o_r[5];
    cv_r[6] ^= submsg_o_r[6];  cv_r[7] ^= submsg_o_r[7];
}
 
inline void add_blk(lsh_u32 cv_l[8], lsh_u32 cv_r[8])
{
    cv_l[0] += cv_r[0];
    cv_l[1] += cv_r[1];
    cv_l[2] += cv_r[2];
    cv_l[3] += cv_r[3];
    cv_l[4] += cv_r[4];
    cv_l[5] += cv_r[5];
    cv_l[6] += cv_r[6];
    cv_l[7] += cv_r[7];
}
 
template <unsigned int R>
inline void rotate_blk(lsh_u32 cv[8])
{
    cv[0] = rotlConstant<R>(cv[0]);
    cv[1] = rotlConstant<R>(cv[1]);
    cv[2] = rotlConstant<R>(cv[2]);
    cv[3] = rotlConstant<R>(cv[3]);
    cv[4] = rotlConstant<R>(cv[4]);
    cv[5] = rotlConstant<R>(cv[5]);
    cv[6] = rotlConstant<R>(cv[6]);
    cv[7] = rotlConstant<R>(cv[7]);
}
 
inline void xor_with_const(lsh_u32 cv_l[8], const lsh_u32 const_v[8])
{
    cv_l[0] ^= const_v[0];
    cv_l[1] ^= const_v[1];
    cv_l[2] ^= const_v[2];
    cv_l[3] ^= const_v[3];
    cv_l[4] ^= const_v[4];
    cv_l[5] ^= const_v[5];
    cv_l[6] ^= const_v[6];
    cv_l[7] ^= const_v[7];
}
 
inline void rotate_msg_gamma(lsh_u32 cv_r[8])
{
    cv_r[1] = rotlFixed(cv_r[1], g_gamma256[1]);
    cv_r[2] = rotlFixed(cv_r[2], g_gamma256[2]);
    cv_r[3] = rotlFixed(cv_r[3], g_gamma256[3]);
    cv_r[4] = rotlFixed(cv_r[4], g_gamma256[4]);
    cv_r[5] = rotlFixed(cv_r[5], g_gamma256[5]);
    cv_r[6] = rotlFixed(cv_r[6], g_gamma256[6]);
}
 
inline void word_perm(lsh_u32 cv_l[8], lsh_u32 cv_r[8])
{
    lsh_u32 temp;
    temp = cv_l[0];
    cv_l[0] = cv_l[6];
    cv_l[6] = cv_r[6];
    cv_r[6] = cv_r[2];
    cv_r[2] = cv_l[1];
    cv_l[1] = cv_l[4];
    cv_l[4] = cv_r[4];
    cv_r[4] = cv_r[0];
    cv_r[0] = cv_l[2];
    cv_l[2] = cv_l[5];
    cv_l[5] = cv_r[7];
    cv_r[7] = cv_r[1];
    cv_r[1] = temp;
    temp = cv_l[3];
    cv_l[3] = cv_l[7];
    cv_l[7] = cv_r[5];
    cv_r[5] = cv_r[3];
    cv_r[3] = temp;
}
 
/* -------------------------------------------------------- *
* step function
* -------------------------------------------------------- */
 
template <unsigned int Alpha, unsigned int Beta>
inline void mix(lsh_u32 cv_l[8], lsh_u32 cv_r[8], const lsh_u32 const_v[8])
{
    add_blk(cv_l, cv_r);
    rotate_blk<Alpha>(cv_l);
    xor_with_const(cv_l, const_v);
    add_blk(cv_r, cv_l);
    rotate_blk<Beta>(cv_r);
    add_blk(cv_l, cv_r);
    rotate_msg_gamma(cv_r);
}
 
/* -------------------------------------------------------- *
* compression function
* -------------------------------------------------------- */
 
inline void compress(LSH256_Context* ctx, const lsh_u8 pdMsgBlk[LSH256_MSG_BLK_BYTE_LEN])
{
    CRYPTOPP_ASSERT(ctx != NULLPTR);
 
    LSH256_Internal  s_state(ctx->cv_l);
    LSH256_Internal* i_state = &s_state;
 
    const lsh_u32* const_v = NULL;
    lsh_u32* cv_l = ctx->cv_l;
    lsh_u32* cv_r = ctx->cv_r;
 
    load_msg_blk(i_state, pdMsgBlk);
 
    msg_add_even(cv_l, cv_r, i_state);
    load_sc(&const_v, 0);
    mix<ROT_EVEN_ALPHA, ROT_EVEN_BETA>(cv_l, cv_r, const_v);
    word_perm(cv_l, cv_r);
 
    msg_add_odd(cv_l, cv_r, i_state);
    load_sc(&const_v, 8);
    mix<ROT_ODD_ALPHA, ROT_ODD_BETA>(cv_l, cv_r, const_v);
    word_perm(cv_l, cv_r);
 
    for (size_t i = 1; i < NUM_STEPS / 2; i++)
    {
        msg_exp_even(i_state);
        msg_add_even(cv_l, cv_r, i_state);
        load_sc(&const_v, 16 * i);
        mix<ROT_EVEN_ALPHA, ROT_EVEN_BETA>(cv_l, cv_r, const_v);
        word_perm(cv_l, cv_r);
 
        msg_exp_odd(i_state);
        msg_add_odd(cv_l, cv_r, i_state);
        load_sc(&const_v, 16 * i + 8);
        mix<ROT_ODD_ALPHA, ROT_ODD_BETA>(cv_l, cv_r, const_v);
        word_perm(cv_l, cv_r);
    }
 
    msg_exp_even(i_state);
    msg_add_even(cv_l, cv_r, i_state);
}
 
/* -------------------------------------------------------- */
 
inline void load_iv(lsh_u32 cv_l[8], lsh_u32 cv_r[8], const lsh_u32 iv[16])
{
    cv_l[0] = iv[0];
    cv_l[1] = iv[1];
    cv_l[2] = iv[2];
    cv_l[3] = iv[3];
    cv_l[4] = iv[4];
    cv_l[5] = iv[5];
    cv_l[6] = iv[6];
    cv_l[7] = iv[7];
    cv_r[0] = iv[8];
    cv_r[1] = iv[9];
    cv_r[2] = iv[10];
    cv_r[3] = iv[11];
    cv_r[4] = iv[12];
    cv_r[5] = iv[13];
    cv_r[6] = iv[14];
    cv_r[7] = iv[15];
}
 
inline void zero_iv(lsh_u32 cv_l[8], lsh_u32 cv_r[8])
{
    std::memset(cv_l, 0x00, 8*sizeof(lsh_u32));
    std::memset(cv_r, 0x00, 8*sizeof(lsh_u32));
}
 
inline void zero_submsgs(LSH256_Context* ctx)
{
    CRYPTOPP_ASSERT(ctx != NULLPTR);
 
    lsh_u32* sub_msgs = ctx->sub_msgs;
    std::memset(sub_msgs, 0x00, 32*sizeof(lsh_u32));
}
 
inline void init224(LSH256_Context* ctx)
{
    CRYPTOPP_ASSERT(ctx != NULLPTR);
 
    zero_submsgs(ctx);
    load_iv(ctx->cv_l, ctx->cv_r, LSH256_IV224);
}
 
inline void init256(LSH256_Context* ctx)
{
    CRYPTOPP_ASSERT(ctx != NULLPTR);
 
    zero_submsgs(ctx);
    load_iv(ctx->cv_l, ctx->cv_r, LSH256_IV256);
}
 
/* -------------------------------------------------------- */
 
inline void fin(LSH256_Context* ctx)
{
    CRYPTOPP_ASSERT(ctx != NULLPTR);
 
    for (size_t i = 0; i < HASH_VAL_MAX_WORD_LEN; i++){
        ctx->cv_l[i] = loadLE32(ctx->cv_l[i] ^ ctx->cv_r[i]);
    }
}
 
/* -------------------------------------------------------- */
 
inline void get_hash(LSH256_Context* ctx, lsh_u8* pbHashVal)
{
    CRYPTOPP_ASSERT(ctx != NULLPTR);
    CRYPTOPP_ASSERT(ctx->alg_type != 0);
    CRYPTOPP_ASSERT(pbHashVal != NULLPTR);
 
    lsh_uint alg_type = ctx->alg_type;
    lsh_uint hash_val_byte_len = LSH_GET_HASHBYTE(alg_type);
    lsh_uint hash_val_bit_len = LSH_GET_SMALL_HASHBIT(alg_type);
 
    // Multiplying by looks odd...
    std::memcpy(pbHashVal, ctx->cv_l, hash_val_byte_len);
    if (hash_val_bit_len){
        pbHashVal[hash_val_byte_len-1] &= (((lsh_u8)0xff) << hash_val_bit_len);
    }
}
 
/* -------------------------------------------------------- */
 
lsh_err lsh256_init(LSH256_Context* ctx)
{
    CRYPTOPP_ASSERT(ctx != NULLPTR);
    CRYPTOPP_ASSERT(ctx->alg_type != 0);
 
    lsh_u32 alg_type = ctx->alg_type;
    const lsh_u32* const_v = NULL;
    ctx->remain_databitlen = 0;
 
    switch (alg_type)
    {
    case LSH_TYPE_256_256:
        init256(ctx);
        return LSH_SUCCESS;
    case LSH_TYPE_256_224:
        init224(ctx);
        return LSH_SUCCESS;
    default:
        break;
    }
 
    lsh_u32* cv_l = ctx->cv_l;
    lsh_u32* cv_r = ctx->cv_r;
 
    zero_iv(cv_l, cv_r);
    cv_l[0] = LSH256_HASH_VAL_MAX_BYTE_LEN;
    cv_l[1] = LSH_GET_HASHBIT(alg_type);
 
    for (size_t i = 0; i < NUM_STEPS / 2; i++)
    {
        //Mix
        load_sc(&const_v, i * 16);
        mix<ROT_EVEN_ALPHA, ROT_EVEN_BETA>(cv_l, cv_r, const_v);
        word_perm(cv_l, cv_r);
 
        load_sc(&const_v, i * 16 + 8);
        mix<ROT_ODD_ALPHA, ROT_ODD_BETA>(cv_l, cv_r, const_v);
        word_perm(cv_l, cv_r);
    }
 
    return LSH_SUCCESS;
}
 
lsh_err lsh256_update(LSH256_Context* ctx, const lsh_u8* data, size_t databitlen)
{
    CRYPTOPP_ASSERT(ctx != NULLPTR);
    CRYPTOPP_ASSERT(data != NULLPTR);
    CRYPTOPP_ASSERT(databitlen % 8 == 0);
    CRYPTOPP_ASSERT(ctx->alg_type != 0);
 
    if (databitlen == 0){
        return LSH_SUCCESS;
    }
 
    // We are byte oriented. tail bits will always be 0.
    size_t databytelen = databitlen >> 3;
    // lsh_uint pos2 = databitlen & 0x7;
    const size_t pos2 = 0;
 
    size_t remain_msg_byte = ctx->remain_databitlen >> 3;
    // lsh_uint remain_msg_bit = ctx->remain_databitlen & 7;
    const size_t remain_msg_bit = 0;
 
    if (remain_msg_byte >= LSH256_MSG_BLK_BYTE_LEN){
        return LSH_ERR_INVALID_STATE;
    }
    if (remain_msg_bit > 0){
        return LSH_ERR_INVALID_DATABITLEN;
    }
 
    if (databytelen + remain_msg_byte < LSH256_MSG_BLK_BYTE_LEN)
    {
        std::memcpy(ctx->last_block + remain_msg_byte, data, databytelen);
        ctx->remain_databitlen += (lsh_uint)databitlen;
        remain_msg_byte += (lsh_uint)databytelen;
        if (pos2){
            ctx->last_block[remain_msg_byte] = data[databytelen] & ((0xff >> pos2) ^ 0xff);
        }
        return LSH_SUCCESS;
    }
 
    if (remain_msg_byte > 0){
        size_t more_byte = LSH256_MSG_BLK_BYTE_LEN - remain_msg_byte;
        std::memcpy(ctx->last_block + remain_msg_byte, data, more_byte);
        compress(ctx, ctx->last_block);
        data += more_byte;
        databytelen -= more_byte;
        remain_msg_byte = 0;
        ctx->remain_databitlen = 0;
    }
 
    while (databytelen >= LSH256_MSG_BLK_BYTE_LEN)
    {
        // This call to compress caused some trouble.
        // The data pointer can become unaligned in the
        // previous block.
        compress(ctx, data);
        data += LSH256_MSG_BLK_BYTE_LEN;
        databytelen -= LSH256_MSG_BLK_BYTE_LEN;
    }
 
    if (databytelen > 0){
        std::memcpy(ctx->last_block, data, databytelen);
        ctx->remain_databitlen = (lsh_uint)(databytelen << 3);
    }
 
    if (pos2){
        ctx->last_block[databytelen] = data[databytelen] & ((0xff >> pos2) ^ 0xff);
        ctx->remain_databitlen += pos2;
    }
 
    return LSH_SUCCESS;
}
 
lsh_err lsh256_final(LSH256_Context* ctx, lsh_u8* hashval)
{
    CRYPTOPP_ASSERT(ctx != NULLPTR);
    CRYPTOPP_ASSERT(hashval != NULLPTR);
 
    // We are byte oriented. tail bits will always be 0.
    size_t remain_msg_byte = ctx->remain_databitlen >> 3;
    // lsh_uint remain_msg_bit = ctx->remain_databitlen & 7;
    const size_t remain_msg_bit = 0;
 
    if (remain_msg_byte >= LSH256_MSG_BLK_BYTE_LEN){
        return LSH_ERR_INVALID_STATE;
    }
 
    if (remain_msg_bit){
        ctx->last_block[remain_msg_byte] |= (0x1 << (7 - remain_msg_bit));
    }
    else{
        ctx->last_block[remain_msg_byte] = 0x80;
    }
    std::memset(ctx->last_block + remain_msg_byte + 1, 0, LSH256_MSG_BLK_BYTE_LEN - remain_msg_byte - 1);
 
    compress(ctx, ctx->last_block);
 
    fin(ctx);
    get_hash(ctx, hashval);
 
    return LSH_SUCCESS;
}
 
ANONYMOUS_NAMESPACE_END
 
NAMESPACE_BEGIN(CryptoPP)
 
#if defined(CRYPTOPP_ENABLE_64BIT_SSE)
# if defined(CRYPTOPP_AVX2_AVAILABLE)
    extern void LSH256_Base_Restart_AVX2(word32* state);
    extern void LSH256_Base_Update_AVX2(word32* state, const byte *input, size_t size);
    extern void LSH256_Base_TruncatedFinal_AVX2(word32* state, byte *hash, size_t size);
# endif
# if defined(CRYPTOPP_SSSE3_AVAILABLE)
    extern void LSH256_Base_Restart_SSSE3(word32* state);
    extern void LSH256_Base_Update_SSSE3(word32* state, const byte *input, size_t size);
    extern void LSH256_Base_TruncatedFinal_SSSE3(word32* state, byte *hash, size_t size);
# endif
#endif
 
void LSH256_Base_Restart_CXX(word32* state)
{
    state[RemainingBits] = 0;
    LSH256_Context ctx(state, state[AlgorithmType], state[RemainingBits]);
    lsh_err err = lsh256_init(&ctx);
 
    if (err != LSH_SUCCESS)
        throw Exception(Exception::OTHER_ERROR, "LSH256_Base: lsh256_init failed");
}
 
void LSH256_Base_Update_CXX(word32* state, const byte *input, size_t size)
{
    LSH256_Context ctx(state, state[AlgorithmType], state[RemainingBits]);
    lsh_err err = lsh256_update(&ctx, input, 8*size);
 
    if (err != LSH_SUCCESS)
        throw Exception(Exception::OTHER_ERROR, "LSH256_Base: lsh256_update failed");
}
 
void LSH256_Base_TruncatedFinal_CXX(word32* state, byte *hash, size_t)
{
    LSH256_Context ctx(state, state[AlgorithmType], state[RemainingBits]);
    lsh_err err = lsh256_final(&ctx, hash);
 
    if (err != LSH_SUCCESS)
        throw Exception(Exception::OTHER_ERROR, "LSH256_Base: lsh256_final failed");
}
 
std::string LSH256_Base::AlgorithmProvider() const
{
#if defined(CRYPTOPP_ENABLE_64BIT_SSE)
#if defined(CRYPTOPP_AVX2_AVAILABLE)
    if (HasAVX2())
        return "AVX2";
    else
#endif
#if defined(CRYPTOPP_SSSE3_AVAILABLE)
    if (HasSSSE3())
        return "SSSE3";
    else
#endif
#endif  // CRYPTOPP_ENABLE_64BIT_SSE
 
    return "C++";
}
 
void LSH256_Base::Restart()
{
#if defined(CRYPTOPP_AVX2_AVAILABLE) && defined(CRYPTOPP_ENABLE_64BIT_SSE)
    if (HasAVX2())
        LSH256_Base_Restart_AVX2(m_state);
    else
#endif
#if defined(CRYPTOPP_SSSE3_AVAILABLE) && defined(CRYPTOPP_ENABLE_64BIT_SSE)
    if (HasSSSE3())
        LSH256_Base_Restart_SSSE3(m_state);
    else
#endif
 
    LSH256_Base_Restart_CXX(m_state);
}
 
void LSH256_Base::Update(const byte *input, size_t size)
{
    CRYPTOPP_ASSERT(input != NULLPTR);
    CRYPTOPP_ASSERT(size);
 
#if defined(CRYPTOPP_AVX2_AVAILABLE) && defined(CRYPTOPP_ENABLE_64BIT_SSE)
    if (HasAVX2())
        LSH256_Base_Update_AVX2(m_state, input, size);
    else
#endif
#if defined(CRYPTOPP_SSSE3_AVAILABLE) && defined(CRYPTOPP_ENABLE_64BIT_SSE)
    if (HasSSSE3())
        LSH256_Base_Update_SSSE3(m_state, input, size);
    else
#endif
 
    LSH256_Base_Update_CXX(m_state, input, size);
}
 
void LSH256_Base::TruncatedFinal(byte *hash, size_t size)
{
    CRYPTOPP_ASSERT(hash != NULLPTR);
    ThrowIfInvalidTruncatedSize(size);
 
    // TODO: determine if LSH256 supports truncated hashes. See the code
    // in get_hash(), where a bit-length is added to the last output
    // byte of the hash function.
    byte fullHash[LSH256_HASH_VAL_MAX_BYTE_LEN];
    bool copyOut = (size < DigestSize());
 
#if defined(CRYPTOPP_AVX2_AVAILABLE) && defined(CRYPTOPP_ENABLE_64BIT_SSE)
    if (HasAVX2())
        LSH256_Base_TruncatedFinal_AVX2(m_state, copyOut ? fullHash : hash, size);
    else
#endif
#if defined(CRYPTOPP_SSSE3_AVAILABLE) && defined(CRYPTOPP_ENABLE_64BIT_SSE)
    if (HasSSSE3())
        LSH256_Base_TruncatedFinal_SSSE3(m_state, copyOut ? fullHash : hash, size);
    else
#endif
 
    LSH256_Base_TruncatedFinal_CXX(m_state, copyOut ? fullHash : hash, size);
 
    if (copyOut)
        std::memcpy(hash, fullHash, size);
 
    Restart();
}
 
NAMESPACE_END