C nettle, low-level cryptographics library
C 
C Copyright (C) 2013 Niels Möller
C  
C The nettle library is free software; you can redistribute it and/or modify
C it under the terms of the GNU Lesser General Public License as published by
C the Free Software Foundation; either version 2.1 of the License, or (at your
C option) any later version.
C 
C The nettle library is distributed in the hope that it will be useful, but
C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
C or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
C License for more details.
C 
C You should have received a copy of the GNU Lesser General Public License
C along with the nettle library; see the file COPYING.LIB.  If not, write to
C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
C MA 02111-1301, USA.

	.file "sha3-permute.asm"
	.fpu	neon

define(<CTX>, <r0>)
define(<COUNT>, <r1>)
define(<RC>, <r2>)
C First column
define(<A0>, <d0>)
define(<A5>, <d2>)
define(<A10>, <d3>)
define(<A15>, <d4>)
define(<A20>, <d5>)

define(<A1>, <d6>)
define(<A2>, <d7>)
define(<A3>, <d8>)
define(<A4>, <d9>)

define(<A6>, <d16>)
define(<A7>, <d17>)
define(<A8>, <d18>)
define(<A9>, <d19>)

define(<A11>, <d20>)
define(<A12>, <d21>)
define(<A13>, <d22>)
define(<A14>, <d23>)

define(<A16>, <d24>)
define(<A17>, <d25>)
define(<A18>, <d26>)
define(<A19>, <d27>)

define(<A21>, <d28>)
define(<A22>, <d29>)
define(<A23>, <d30>)
define(<A24>, <d31>)

define(<T0>, <d10>)
define(<T1>, <d11>)

define(<C0>, <d1>)
define(<C1>, <d12>)
define(<C2>, <d13>)
define(<C3>, <d14>)
define(<C4>, <d15>)


C ROL(DST, SRC, COUNT)
C Must have SRC != DST
define(<ROL>, <
	vshr.u64	$1, $2, #eval(64-$3)
	vsli.i64	$1, $2, #$3
	>)
C sha3_permute(struct sha3_ctx *ctx)

	.text
	.align	3
.Lrc:
	.quad	0x0000000000000001
	.quad	0x0000000000008082
	.quad	0x800000000000808A
	.quad	0x8000000080008000
	.quad	0x000000000000808B
	.quad	0x0000000080000001
	.quad	0x8000000080008081
	.quad	0x8000000000008009
	.quad	0x000000000000008A
	.quad	0x0000000000000088
	.quad	0x0000000080008009
	.quad	0x000000008000000A
	.quad	0x000000008000808B
	.quad	0x800000000000008B
	.quad	0x8000000000008089
	.quad	0x8000000000008003
	.quad	0x8000000000008002
	.quad	0x8000000000000080
	.quad	0x000000000000800A
	.quad	0x800000008000000A
	.quad	0x8000000080008081
	.quad	0x8000000000008080
	.quad	0x0000000080000001
	.quad	0x8000000080008008
	
PROLOGUE(nettle_sha3_permute)
	vpush	{d8-d15}

	vld1.64	{A0}, [CTX]!
	vldm	CTX!, {A1,A2,A3,A4}
	vld1.64	{A5}, [CTX]!
	vldm	CTX!, {A6,A7,A8,A9}
	vld1.64	{A10}, [CTX]!
	vldm	CTX!, {A11,A12,A13,A14}
	vld1.64	{A15}, [CTX]!
	vldm	CTX!, {A16,A17,A18,A19}
	vld1.64	{A20}, [CTX]!
	vldm	CTX, {A21,A22,A23,A24}
	sub	CTX, CTX, #168

	mov	COUNT, #24
	adr	RC, .Lrc

	.align 3
.Loop:
	veor	QREG(T0), QREG(A5), QREG(A15)
	veor	C0, A0, T0
	veor	C0, C0, T1
	veor	QREG(C1), QREG(A1), QREG(A6)
	veor	QREG(C1), QREG(C1), QREG(A11)
	veor	QREG(C1), QREG(C1), QREG(A16)
	veor	QREG(C1), QREG(C1), QREG(A21)

	veor	QREG(C3), QREG(A3), QREG(A8)
	veor	QREG(C3), QREG(C3), QREG(A13)
	veor	QREG(C3), QREG(C3), QREG(A18)
	veor	QREG(C3), QREG(C3), QREG(A23)

	C	FIXME: Can we make use of 128-bit xors?
	C	One more register would help. Or the VSLI instruction?
	C 	D0 = C4 ^ (C1 <<< 1)
	vshl.i64	T0, C1, #1
	vshr.u64	T1, C1, #63
	veor		T0, T0, C4
	veor		T0, T0, T1
	veor		A0, A0, T0
	veor		A5, A5, T0
	veor		A10, A10, T0
	veor		A15, A15, T0
	veor		A20, A20, T0

	C 	D1 = C0 ^ (C2 <<< 1)
	vshl.i64	T0, C2, #1
	vshr.u64	T1, C2, #63
	veor		T0, T0, C0
	veor		T0, T0, T1
	veor		A1, A1, T0
	veor		A6, A6, T0
	veor		A11, A11, T0
	veor		A16, A16, T0
	veor		A21, A21, T0

	C 	D2 = C1 ^ (C3 <<< 1)
	vshl.i64	T0, C3, #1
	vshr.u64	T1, C3, #63
	veor		T0, T0, C1
	veor		T0, T0, T1
	veor		A2, A2, T0
	veor		A7, A7, T0
	veor		A12, A12, T0
	veor		A17, A17, T0
	veor		A22, A22, T0

	C 	D3 = C2 ^ (C4 <<< 1)
	vshl.i64	T0, C4, #1
	vshr.u64	T1, C4, #63
	veor		T0, T0, C2
	veor		T0, T0, T1
	veor		A3, A3, T0
	veor		A8, A8, T0
	veor		A13, A13, T0
	veor		A18, A18, T0
	veor		A23, A23, T0

	C 	D4 = C3 ^ (C0 <<< 1)
	vshl.i64	T0, C0, #1
	vshr.u64	T1, C0, #63
	veor		T0, T0, C3
	veor		T0, T0, T1
	veor		A4, A4, T0
	veor		A9, A9, T0
	veor		A14, A14, T0
	veor		A19, A19, T0
	veor		A24, A24, T0

	ROL( T0,  A1,  1)
	ROL( A1,  A6, 44)
	ROL( A6,  A9, 20)
	ROL( A9, A22, 61)
	ROL(A22, A14, 39)
	ROL(A14, A20, 18)
	ROL(A20,  A2, 62)
	ROL( A2, A12, 43)
	ROL(A12, A13, 25)
	ROL(A13, A19,  8)
	ROL(A19, A23, 56)
	ROL(A23, A15, 41)
	ROL(A15,  A4, 27)
	ROL( A4, A24, 14)
	ROL(A24, A21,  2)
	ROL(A21,  A8, 55)
	ROL( A8, A16, 45)
	ROL(A16,  A5, 36)
	ROL( A5,  A3, 28)
	ROL( A3, A18, 21)
	ROL(A18, A17, 15)
	ROL(A17, A11, 10)
	ROL(A11,  A7,  6)
	ROL( A7, A10,  3)
	vmov	A10, T0

	vbic	C0, A2, A1
	vbic	C1, A3, A2
	vbic	C2, A4, A3
	vbic	C3, A0, A4
	vbic	C4, A1, A0

	veor	A0, A0, C0
	vld1.64	{C0}, [RC :64]!
	veor	QREG(A1), QREG(A1), QREG(C1)
	veor	QREG(A3), QREG(A3), QREG(C3)
	veor	A0, A0, C0

	vbic	C0, A7, A6
	vbic	C1, A8, A7
	vbic	C2, A9, A8
	vbic	C3, A5, A9
	vbic	C4, A6, A5

	veor	A5, A5, C0
	veor	QREG(A6), QREG(A6), QREG(C1)
	veor	QREG(A8), QREG(A8), QREG(C3)

	vbic	C0, A12, A11
	vbic	C1, A13, A12
	vbic	C2, A14, A13
	vbic	C3, A10, A14
	vbic	C4, A11, A10

	veor	A10, A10, C0
	veor	QREG(A11), QREG(A11), QREG(C1)
	veor	QREG(A13), QREG(A13), QREG(C3)

	vbic	C0, A17, A16
	vbic	C1, A18, A17
	vbic	C2, A19, A18
	vbic	C3, A15, A19
	vbic	C4, A16, A15

	veor	A15, A15, C0
	veor	QREG(A16), QREG(A16), QREG(C1)
	veor	QREG(A18), QREG(A18), QREG(C3)

	vbic	C0, A22, A21
	vbic	C1, A23, A22
	vbic	C2, A24, A23
	vbic	C3, A20, A24
	vbic	C4, A21, A20

	subs	COUNT, COUNT, #1
	veor	A20, A20, C0
	veor	QREG(A21), QREG(A21), QREG(C1)
	veor	QREG(A23), QREG(A23), QREG(C3)

	bne	.Loop

	vst1.64	{A0}, [CTX]!
	vstm	CTX!, {A1,A2,A3,A4}
	vst1.64	{A5}, [CTX]!
	vstm	CTX!, {A6,A7,A8,A9}
	vst1.64	{A10}, [CTX]!
	vstm	CTX!, {A11,A12,A13,A14}
	vst1.64	{A15}, [CTX]!
	vstm	CTX!, {A16,A17,A18,A19}
	vst1.64	{A20}, [CTX]!
	vstm	CTX, {A21,A22,A23,A24}
	
	vpop	{d8-d15}
	bx	lr
EPILOGUE(nettle_sha3_permute)