23486908132

Committed 24 Mar 2026 10:53AM UTC coverage: 89.449% (-2.4%) from 91.889%

Build # 23486908132

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #5479 from randombit/jack/aria-hwaes

Add ARIA implementation using hardware AES instructions

Coverage Stats

105058 of 117450 relevant lines covered (89.45%)

11951797.05 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

91.67

/src/lib/permutations/keccak_perm/keccak_perm.cpp

/*
* Keccak Permutation
* (C) 2010,2016 Jack Lloyd
* (C) 2023 Falko Strenzke
* (C) 2023,2025 René Meusel - Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/keccak_perm.h>

#include <botan/internal/keccak_perm_round.h>
#include <botan/internal/sponge_processing.h>

#if defined(BOTAN_HAS_CPUID)
   #include <botan/internal/cpuid.h>
#endif

namespace Botan {

std::string Keccak_Permutation::provider() const {
#if defined(BOTAN_HAS_KECCAK_PERM_AVX512)
   if(auto feat = CPUID::check(CPUID::Feature::AVX512)) {
      return *feat;
   }
#endif

#if defined(BOTAN_HAS_KECCAK_PERM_BMI2)
   if(auto feat = CPUID::check(CPUID::Feature::BMI)) {
      return *feat;
   }
#endif

   return "base";
}

void Keccak_Permutation::clear() {
   state() = {};
   reset_cursor();
}

void Keccak_Permutation::absorb(std::span<const uint8_t> input) {
   absorb_into_sponge(*this, input);
}

void Keccak_Permutation::squeeze(std::span<uint8_t> output) {
   squeeze_from_sponge(*this, output);
}

void Keccak_Permutation::finish() {
   // The padding for Keccak[c]-based functions spans the entire remaining
   // byterate until the next permute() call. At most that could be an entire
   // byterate. First are a few bits of "custom" padding defined by the using
   // function (e.g. SHA-3 uses "01"), then the remaining space is filled with
   // "pad10*1" (see NIST FIPS 202 Section 5.1) followed by a final permute().

   auto& S = state();

   // Apply the custom padding + the left-most 1-bit of "pad10*1" to the current
   // (partial) word of the sponge state

   const uint64_t start_of_padding = (m_padding.padding | uint64_t(1) << m_padding.bit_len);
   S[cursor() / word_bytes] ^= start_of_padding << (8 * (cursor() % word_bytes));

   // XOR'ing the 0-bits of "pad10*1" into the state is a NOOP

   // If the custom padding + the left-most 1-bit of "pad10*1" had resulted in a
   // byte-aligned "partial padding", the final 1-bit of of "pad10*1" could
   // potentially override parts of the already-appended "start_of_padding".
   // In case we ever introduce a Keccak-based function with such a need, we
   // have to modify this padding algorithm.
   BOTAN_DEBUG_ASSERT(m_padding.bit_len % 8 != 7);

   // Append the final bit of "pad10*1" into the last word of the input range
   S[(byte_rate() / word_bytes) - 1] ^= uint64_t(0x8000000000000000);

   // Perform the final permutation and reset the state cursor
   permute();
   reset_cursor();

   BOTAN_DEBUG_ASSERT(cursor() == 0);
}

void Keccak_Permutation::permute() {
#if defined(BOTAN_HAS_KECCAK_PERM_AVX512)
   if(CPUID::has(CPUID::Feature::AVX512)) {
      return permute_avx512();
   }
#endif

#if defined(BOTAN_HAS_KECCAK_PERM_BMI2)
   if(CPUID::has(CPUID::Feature::BMI)) {
      return permute_bmi2();
   }
#endif

   static const uint64_t RC[24] = {0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
                                   0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
                                   0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
                                   0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
                                   0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
                                   0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008};

   uint64_t T[25];

   for(size_t i = 0; i != 24; i += 2) {
      Keccak_Permutation_round(T, state().data(), RC[i + 0]);
      Keccak_Permutation_round(state().data(), T, RC[i + 1]);
   }
}

}  // namespace Botan

1	/*
2	* Keccak Permutation
3	* (C) 2010,2016 Jack Lloyd
4	* (C) 2023 Falko Strenzke
5	* (C) 2023,2025 René Meusel - Rohde & Schwarz Cybersecurity
6	*
7	* Botan is released under the Simplified BSD License (see license.txt)
8	*/
9
10	#include <botan/internal/keccak_perm.h>
11
12	#include <botan/internal/keccak_perm_round.h>
13	#include <botan/internal/sponge_processing.h>
14
15	#if defined(BOTAN_HAS_CPUID)
16	#include <botan/internal/cpuid.h>
17	#endif
18
19	namespace Botan {
20
21	std::string Keccak_Permutation::provider() const {	2,505✔
22	#if defined(BOTAN_HAS_KECCAK_PERM_AVX512)
23	if(auto feat = CPUID::check(CPUID::Feature::AVX512)) {	2,505✔
24	return *feat;	×
25	}	×
26	#endif
27
28	#if defined(BOTAN_HAS_KECCAK_PERM_BMI2)
29	if(auto feat = CPUID::check(CPUID::Feature::BMI)) {	2,505✔
30	return *feat;	3,768✔
31	}	1,884✔
32	#endif
33
34	return "base";	621✔
35	}
36
37	void Keccak_Permutation::clear() {	134,303,105✔
38	state() = {};	134,303,105✔
39	reset_cursor();	134,303,105✔
40	}	134,303,105✔
41
42	void Keccak_Permutation::absorb(std::span<const uint8_t> input) {	493,287,245✔
43	absorb_into_sponge(*this, input);	493,287,245✔
44	}	493,287,245✔
45
46	void Keccak_Permutation::squeeze(std::span<uint8_t> output) {	166,471,641✔
47	squeeze_from_sponge(*this, output);	166,471,641✔
48	}	166,471,641✔
49
50	void Keccak_Permutation::finish() {	134,471,097✔
51	// The padding for Keccak[c]-based functions spans the entire remaining
52	// byterate until the next permute() call. At most that could be an entire
53	// byterate. First are a few bits of "custom" padding defined by the using
54	// function (e.g. SHA-3 uses "01"), then the remaining space is filled with
55	// "pad10*1" (see NIST FIPS 202 Section 5.1) followed by a final permute().
56
57	auto& S = state();	134,471,097✔
58
59	// Apply the custom padding + the left-most 1-bit of "pad10*1" to the current
60	// (partial) word of the sponge state
61
62	const uint64_t start_of_padding = (m_padding.padding \| uint64_t(1) << m_padding.bit_len);	134,471,097✔
63	S[cursor() / word_bytes] ^= start_of_padding << (8 * (cursor() % word_bytes));	134,471,097✔
64
65	// XOR'ing the 0-bits of "pad10*1" into the state is a NOOP
66
67	// If the custom padding + the left-most 1-bit of "pad10*1" had resulted in a
68	// byte-aligned "partial padding", the final 1-bit of of "pad10*1" could
69	// potentially override parts of the already-appended "start_of_padding".
70	// In case we ever introduce a Keccak-based function with such a need, we
71	// have to modify this padding algorithm.
72	BOTAN_DEBUG_ASSERT(m_padding.bit_len % 8 != 7);	134,471,097✔
73
74	// Append the final bit of "pad10*1" into the last word of the input range
75	S[(byte_rate() / word_bytes) - 1] ^= uint64_t(0x8000000000000000);	134,471,097✔
76
77	// Perform the final permutation and reset the state cursor
78	permute();	134,471,097✔
79	reset_cursor();	134,471,097✔
80
81	BOTAN_DEBUG_ASSERT(cursor() == 0);	134,471,097✔
82	}	134,471,097✔
83
84	void Keccak_Permutation::permute() {	212,728,331✔
85	#if defined(BOTAN_HAS_KECCAK_PERM_AVX512)
86	if(CPUID::has(CPUID::Feature::AVX512)) {	212,728,331✔
87	return permute_avx512();	×
88	}
89	#endif
90
91	#if defined(BOTAN_HAS_KECCAK_PERM_BMI2)
92	if(CPUID::has(CPUID::Feature::BMI)) {	212,728,331✔
93	return permute_bmi2();	212,716,367✔
94	}
95	#endif
96
97	static const uint64_t RC[24] = {0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
98	0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
99	0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
100	0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
101	0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
102	0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008};
103
104	uint64_t T[25];
105
106	for(size_t i = 0; i != 24; i += 2) {	155,532✔
107	Keccak_Permutation_round(T, state().data(), RC[i + 0]);	143,568✔
108	Keccak_Permutation_round(state().data(), T, RC[i + 1]);	143,568✔
109	}
110	}
111
112	} // namespace Botan

randombit / botan / 23486908132

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous