-rw-r--r--Makefile2
-rw-r--r--main.c21
-rw-r--r--poly1305-hacl32.c636
-rw-r--r--poly1305-hacl64.c1117
-rw-r--r--test_vectors.h2285
5 files changed, 1948 insertions, 2113 deletions
diff --git a/Makefile b/Makefile
index 0a7958b..1c762dc 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
ifneq ($(KERNELRELEASE),)
-kbench9000-y := main.o poly1305-hacl64.o poly1305-ref.o poly1305-openssl-asm.o poly1305-openssl.o poly1305-donna32.o poly1305-donna64.o
+kbench9000-y := main.o poly1305-hacl32.o poly1305-hacl64.o poly1305-ref.o poly1305-openssl-asm.o poly1305-openssl.o poly1305-donna32.o poly1305-donna64.o
obj-m := kbench9000.o
ccflags-y += -O3
ccflags-y += -D'pr_fmt(fmt)=KBUILD_MODNAME ": " fmt'
diff --git a/main.c b/main.c
index ff26798..b904cb3 100644
--- a/main.c
+++ b/main.c
@@ -40,9 +40,9 @@ static __always_inline int name(size_t len) \
#define test_it(name, before, after) do { \
memset(out, __LINE__, POLY1305_MAC_SIZE); \
before; \
- ret = poly1305_ ## name(out, poly1305_test_vectors[i].input.data, poly1305_test_vectors[i].input.size, poly1305_test_vectors[i].key.data); \
+ ret = poly1305_ ## name(out, poly1305_testvecs[i].input, poly1305_testvecs[i].ilen, poly1305_testvecs[i].key); \
after; \
- if (memcmp(out, poly1305_test_vectors[i].expected.data, POLY1305_MAC_SIZE)) { \
+ if (memcmp(out, poly1305_testvecs[i].output, POLY1305_MAC_SIZE)) { \
pr_err(#name " self-test %zu: FAIL\n", i + 1); \
return false; \
} \
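Review bot: The value stored in `ret` on the `poly1305_ ## name(...)` line is never examined in the macro lines visible here; pass/fail rests only on the `memcmp` against `poly1305_testvecs[i].output`. This commit adds hacl32 to the list, and `poly1305_hacl32` in poly1305-hacl32.c is defined as returning `void`, so the assignment is only meaningful if the prototype supplied by `declare_it` (not visible in this hunk) agrees with that definition. A prototype that returns a value while the definition returns nothing is undefined behaviour, and the compiler cannot diagnose it across translation units. Either drop the assignment, `poly1305_ ## name(out, poly1305_testvecs[i].input, poly1305_testvecs[i].ilen, poly1305_testvecs[i].key); \`, or declare every implementation in one shared header that the implementation files also include. The macro body continues past the end of this hunk.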
@@ -68,7 +68,6 @@ u8 dummy_out[POLY1305_MAC_SIZE];
u8 input_key[POLY1305_KEY_SIZE];
u8 input_data[STARTING_SIZE * (1ULL << DOUBLING_STEPS)];
-declare_it(hacl64)
declare_it(ref)
declare_it(ossl_c)
declare_it(ossl_amd64)
@@ -77,6 +76,8 @@ declare_it(ossl_avx2)
declare_it(ossl_avx512)
declare_it(donna32)
declare_it(donna64)
+declare_it(hacl32)
+declare_it(hacl64)
static bool verify(void)
{
@@ -84,12 +85,13 @@ static bool verify(void)
size_t i = 0;
u8 out[POLY1305_MAC_SIZE];
- for (i = 0; i < ARRAY_SIZE(poly1305_test_vectors); ++i) {
- test_it(hacl64, {}, {});
+ for (i = 0; i < ARRAY_SIZE(poly1305_testvecs); ++i) {
test_it(ref, {}, {});
test_it(ossl_c, {}, {});
test_it(donna32, {}, {});
test_it(donna64, {}, {});
+ test_it(hacl32, {}, {});
+ test_it(hacl64, {}, {});
test_it(ossl_amd64, {}, {});
if (boot_cpu_has(X86_FEATURE_AVX) && cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
test_it(ossl_avx, kernel_fpu_begin(), kernel_fpu_end());
@@ -105,7 +107,6 @@ static int __init mod_init(void)
{
size_t s;
int ret = 0, i, j;
- cycles_t start_hacl64[DOUBLING_STEPS + 1], end_hacl64[DOUBLING_STEPS + 1];
cycles_t start_ref[DOUBLING_STEPS + 1], end_ref[DOUBLING_STEPS + 1];
cycles_t start_ossl_c[DOUBLING_STEPS + 1], end_ossl_c[DOUBLING_STEPS + 1];
cycles_t start_ossl_amd64[DOUBLING_STEPS + 1], end_ossl_amd64[DOUBLING_STEPS + 1];
@@ -114,6 +115,8 @@ static int __init mod_init(void)
cycles_t start_ossl_avx512[DOUBLING_STEPS + 1], end_ossl_avx512[DOUBLING_STEPS + 1];
cycles_t start_donna32[DOUBLING_STEPS + 1], end_donna32[DOUBLING_STEPS + 1];
cycles_t start_donna64[DOUBLING_STEPS + 1], end_donna64[DOUBLING_STEPS + 1];
+ cycles_t start_hacl32[DOUBLING_STEPS + 1], end_hacl32[DOUBLING_STEPS + 1];
+ cycles_t start_hacl64[DOUBLING_STEPS + 1], end_hacl64[DOUBLING_STEPS + 1];
unsigned long flags;
DEFINE_SPINLOCK(lock);
@@ -131,11 +134,12 @@ static int __init mod_init(void)
spin_lock_irqsave(&lock, flags);
- do_it(hacl64);
do_it(ref);
do_it(ossl_c);
do_it(donna32);
do_it(donna64);
+ do_it(hacl32);
+ do_it(hacl64);
do_it(ossl_amd64);
if (boot_cpu_has(X86_FEATURE_AVX) && cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
do_it(ossl_avx);
@@ -152,11 +156,12 @@ static int __init mod_init(void)
pr_err("%lu: ", stamp);
for (j = 0, s = STARTING_SIZE; j <= DOUBLING_STEPS; ++j, s *= 2) \
printk(KERN_CONT " \x1b[4m%6zu\x1b[24m", s);
- report_it(hacl64);
report_it(ref);
report_it(ossl_c);
report_it(donna32);
report_it(donna64);
+ report_it(hacl32);
+ report_it(hacl64);
report_it(ossl_amd64);
if (boot_cpu_has(X86_FEATURE_AVX) && cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
report_it(ossl_avx);
diff --git a/poly1305-hacl32.c b/poly1305-hacl32.c
new file mode 100644
index 0000000..b2895cc
--- /dev/null
+++ b/poly1305-hacl32.c
@@ -0,0 +1,636 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2016-2018 INRIA and Microsoft Corporation
+ */
+
+
+#include <linux/kernel.h>
+#include <linux/string.h>
+#include <asm/unaligned.h>
+
+#define load64_le(x) get_unaligned_le64(x)
+#define store64_le(d, s) put_unaligned_le64(s, d)
+
+static uint32_t Lib_Utils_uint32_eq_mask(uint32_t a, uint32_t b)
+{
+ uint32_t x = a ^ b;
+ uint32_t minus_x = ~x + (uint32_t)1U;
+ uint32_t x_or_minus_x = x | minus_x;
+ uint32_t xnx = x_or_minus_x >> (uint32_t)31U;
+ uint32_t c = xnx - (uint32_t)1U;
+ return c;
+}
+
+static uint32_t Lib_Utils_uint32_gte_mask(uint32_t a, uint32_t b)
+{
+ uint32_t x = a;
+ uint32_t y = b;
+ uint32_t x_xor_y = x ^ y;
+ uint32_t x_sub_y = x - y;
+ uint32_t x_sub_y_xor_y = x_sub_y ^ y;
+ uint32_t q = x_xor_y | x_sub_y_xor_y;
+ uint32_t x_xor_q = x ^ q;
+ uint32_t x_xor_q_ = x_xor_q >> (uint32_t)31U;
+ uint32_t c = x_xor_q_ - (uint32_t)1U;
+ return c;
+}
+
+inline static void Hacl_Impl_Poly1305_Field32_add_felem(uint32_t *f1, uint32_t *f2)
+{
+ uint32_t f10 = f1[0U];
+ uint32_t f11 = f1[1U];
+ uint32_t f12 = f1[2U];
+ uint32_t f13 = f1[3U];
+ uint32_t f14 = f1[4U];
+ uint32_t f20 = f2[0U];
+ uint32_t f21 = f2[1U];
+ uint32_t f22 = f2[2U];
+ uint32_t f23 = f2[3U];
+ uint32_t f24 = f2[4U];
+ f1[0U] = f10 + f20;
+ f1[1U] = f11 + f21;
+ f1[2U] = f12 + f22;
+ f1[3U] = f13 + f23;
+ f1[4U] = f14 + f24;
+}
+
+inline static void
+Hacl_Impl_Poly1305_Field32_smul_felem(uint64_t *out, uint32_t u1, uint32_t *f2)
+{
+ uint32_t f20 = f2[0U];
+ uint32_t f21 = f2[1U];
+ uint32_t f22 = f2[2U];
+ uint32_t f23 = f2[3U];
+ uint32_t f24 = f2[4U];
+ out[0U] = (uint64_t)u1 * (uint64_t)f20;
+ out[1U] = (uint64_t)u1 * (uint64_t)f21;
+ out[2U] = (uint64_t)u1 * (uint64_t)f22;
+ out[3U] = (uint64_t)u1 * (uint64_t)f23;
+ out[4U] = (uint64_t)u1 * (uint64_t)f24;
+}
+
+inline static void
+Hacl_Impl_Poly1305_Field32_smul_add_felem(uint64_t *out, uint32_t u1, uint32_t *f2)
+{
+ uint32_t f20 = f2[0U];
+ uint32_t f21 = f2[1U];
+ uint32_t f22 = f2[2U];
+ uint32_t f23 = f2[3U];
+ uint32_t f24 = f2[4U];
+ uint64_t o0 = out[0U];
+ uint64_t o1 = out[1U];
+ uint64_t o2 = out[2U];
+ uint64_t o3 = out[3U];
+ uint64_t o4 = out[4U];
+ out[0U] = o0 + (uint64_t)u1 * (uint64_t)f20;
+ out[1U] = o1 + (uint64_t)u1 * (uint64_t)f21;
+ out[2U] = o2 + (uint64_t)u1 * (uint64_t)f22;
+ out[3U] = o3 + (uint64_t)u1 * (uint64_t)f23;
+ out[4U] = o4 + (uint64_t)u1 * (uint64_t)f24;
+}
+
+inline static void
+Hacl_Impl_Poly1305_Field32_mul_felem(
+ uint64_t *out,
+ uint32_t *f1,
+ uint32_t *f2,
+ uint32_t *f2_20
+)
+{
+ uint32_t tmp[5U] = { 0U };
+ Hacl_Impl_Poly1305_Field32_smul_felem(out, f1[0U], f2);
+ tmp[0U] = f2_20[4U];
+ tmp[1U] = f2[0U];
+ tmp[2U] = f2[1U];
+ tmp[3U] = f2[2U];
+ tmp[4U] = f2[3U];
+ Hacl_Impl_Poly1305_Field32_smul_add_felem(out, f1[1U], tmp);
+ tmp[0U] = f2_20[3U];
+ tmp[1U] = f2_20[4U];
+ tmp[2U] = f2[0U];
+ tmp[3U] = f2[1U];
+ tmp[4U] = f2[2U];
+ Hacl_Impl_Poly1305_Field32_smul_add_felem(out, f1[2U], tmp);
+ tmp[0U] = f2_20[2U];
+ tmp[1U] = f2_20[3U];
+ tmp[2U] = f2_20[4U];
+ tmp[3U] = f2[0U];
+ tmp[4U] = f2[1U];
+ Hacl_Impl_Poly1305_Field32_smul_add_felem(out, f1[3U], tmp);
+ tmp[0U] = f2_20[1U];
+ tmp[1U] = f2_20[2U];
+ tmp[2U] = f2_20[3U];
+ tmp[3U] = f2_20[4U];
+ tmp[4U] = f2[0U];
+ Hacl_Impl_Poly1305_Field32_smul_add_felem(out, f1[4U], tmp);
+}
+
+inline static void Hacl_Impl_Poly1305_Field32_carry_wide_felem(uint32_t *out, uint64_t *inp)
+{
+ uint64_t i0 = inp[0U];
+ uint64_t i1 = inp[1U];
+ uint64_t i2 = inp[2U];
+ uint64_t i3 = inp[3U];
+ uint64_t i4 = inp[4U];
+ uint64_t l = i0 + (uint64_t)(uint32_t)0U;
+ uint32_t tmp0 = (uint32_t)l & (uint32_t)0x3ffffffU;
+ uint32_t carry1 = (uint32_t)(l >> (uint32_t)26U);
+ uint64_t l0 = i1 + (uint64_t)carry1;
+ uint32_t tmp1 = (uint32_t)l0 & (uint32_t)0x3ffffffU;
+ uint32_t carry2 = (uint32_t)(l0 >> (uint32_t)26U);
+ uint64_t l1 = i2 + (uint64_t)carry2;
+ uint32_t tmp2 = (uint32_t)l1 & (uint32_t)0x3ffffffU;
+ uint32_t carry3 = (uint32_t)(l1 >> (uint32_t)26U);
+ uint64_t l2 = i3 + (uint64_t)carry3;
+ uint32_t tmp3 = (uint32_t)l2 & (uint32_t)0x3ffffffU;
+ uint32_t carry4 = (uint32_t)(l2 >> (uint32_t)26U);
+ uint64_t l3 = i4 + (uint64_t)carry4;
+ uint32_t tmp4 = (uint32_t)l3 & (uint32_t)0x3ffffffU;
+ uint32_t carry5 = (uint32_t)(l3 >> (uint32_t)26U);
+ uint32_t tmp01 = tmp0 + carry5 * (uint32_t)5U;
+ out[0U] = tmp01;
+ out[1U] = tmp1;
+ out[2U] = tmp2;
+ out[3U] = tmp3;
+ out[4U] = tmp4;
+}
+
+inline static void Hacl_Impl_Poly1305_Field32_carry_felem(uint32_t *f)
+{
+ uint32_t f0 = f[0U];
+ uint32_t f1 = f[1U];
+ uint32_t f2 = f[2U];
+ uint32_t f3 = f[3U];
+ uint32_t f4 = f[4U];
+ uint32_t l = f0 + (uint32_t)0U;
+ uint32_t tmp0 = l & (uint32_t)0x3ffffffU;
+ uint32_t carry1 = l >> (uint32_t)26U;
+ uint32_t l0 = f1 + carry1;
+ uint32_t tmp1 = l0 & (uint32_t)0x3ffffffU;
+ uint32_t carry2 = l0 >> (uint32_t)26U;
+ uint32_t l1 = f2 + carry2;
+ uint32_t tmp2 = l1 & (uint32_t)0x3ffffffU;
+ uint32_t carry3 = l1 >> (uint32_t)26U;
+ uint32_t l2 = f3 + carry3;
+ uint32_t tmp3 = l2 & (uint32_t)0x3ffffffU;
+ uint32_t carry4 = l2 >> (uint32_t)26U;
+ uint32_t tmp4 = f4 + carry4;
+ f[0U] = tmp0;
+ f[1U] = tmp1;
+ f[2U] = tmp2;
+ f[3U] = tmp3;
+ f[4U] = tmp4;
+}
+
+inline static void Hacl_Impl_Poly1305_Field32_carry_top_felem(uint32_t *f)
+{
+ uint32_t f0 = f[0U];
+ uint32_t f1 = f[1U];
+ uint32_t f4 = f[4U];
+ uint32_t l = f4 + (uint32_t)0U;
+ uint32_t tmp4 = l & (uint32_t)0x3ffffffU;
+ uint32_t carry1 = l >> (uint32_t)26U;
+ uint32_t l0 = f0 + carry1 * (uint32_t)5U;
+ uint32_t tmp0 = l0 & (uint32_t)0x3ffffffU;
+ uint32_t carry2 = l0 >> (uint32_t)26U;
+ uint32_t tmp1 = f1 + carry2;
+ f[0U] = tmp0;
+ f[1U] = tmp1;
+ f[4U] = tmp4;
+}
+
+uint32_t Hacl_Poly1305_32_ctxlen = (uint32_t)20U;
+
+uint32_t Hacl_Poly1305_32_blocklen = (uint32_t)16U;
+
+void Hacl_Poly1305_32_poly1305_init(uint32_t *ctx, uint8_t *key)
+{
+ uint8_t *kr = key;
+ uint8_t *ks = key + (uint32_t)16U;
+ uint32_t *acc = ctx;
+ uint32_t *r = ctx + (uint32_t)5U;
+ uint32_t *r_20 = ctx + (uint32_t)5U * (uint32_t)2U;
+ uint32_t *sk = ctx + (uint32_t)5U * (uint32_t)3U;
+ uint64_t u0;
+ uint64_t lo0;
+ uint64_t u1;
+ uint64_t hi0;
+ uint64_t lo2;
+ uint64_t hi2;
+ uint64_t mask0;
+ uint64_t mask1;
+ uint64_t lo1;
+ uint64_t hi1;
+ uint64_t u2;
+ uint64_t lo;
+ uint64_t u;
+ uint64_t hi;
+ uint64_t sl;
+ uint64_t sh;
+ acc[0U] = (uint32_t)0U;
+ acc[1U] = (uint32_t)0U;
+ acc[2U] = (uint32_t)0U;
+ acc[3U] = (uint32_t)0U;
+ acc[4U] = (uint32_t)0U;
+ u0 = load64_le(kr);
+ lo0 = u0;
+ u1 = load64_le(kr + (uint32_t)8U);
+ hi0 = u1;
+ lo2 = lo0;
+ hi2 = hi0;
+ mask0 = (uint64_t)0x0ffffffc0fffffffU;
+ mask1 = (uint64_t)0x0ffffffc0ffffffcU;
+ lo1 = lo2 & mask0;
+ hi1 = hi2 & mask1;
+ r[0U] = (uint32_t)lo1 & (uint32_t)0x3ffffffU;
+ r[1U] = (uint32_t)(lo1 >> (uint32_t)26U) & (uint32_t)0x3ffffffU;
+ r[2U] = (uint32_t)(lo1 >> (uint32_t)52U) ^ ((uint32_t)hi1 & (uint32_t)0x3fffU) << (uint32_t)12U;
+ r[3U] = (uint32_t)(hi1 >> (uint32_t)14U) & (uint32_t)0x3ffffffU;
+ r[4U] = (uint32_t)(hi1 >> (uint32_t)40U);
+ r_20[0U] = r[0U] * (uint32_t)5U;
+ r_20[1U] = r[1U] * (uint32_t)5U;
+ r_20[2U] = r[2U] * (uint32_t)5U;
+ r_20[3U] = r[3U] * (uint32_t)5U;
+ r_20[4U] = r[4U] * (uint32_t)5U;
+ u2 = load64_le(ks);
+ lo = u2;
+ u = load64_le(ks + (uint32_t)8U);
+ hi = u;
+ sl = lo;
+ sh = hi;
+ sk[0U] = (uint32_t)sl & (uint32_t)0x3ffffffU;
+ sk[1U] = (uint32_t)(sl >> (uint32_t)26U) & (uint32_t)0x3ffffffU;
+ sk[2U] = (uint32_t)(sl >> (uint32_t)52U) ^ ((uint32_t)sh & (uint32_t)0x3fffU) << (uint32_t)12U;
+ sk[3U] = (uint32_t)(sh >> (uint32_t)14U) & (uint32_t)0x3ffffffU;
+ sk[4U] = (uint32_t)(sh >> (uint32_t)40U);
+}
+
+void Hacl_Poly1305_32_poly1305_update(uint32_t *ctx, uint8_t *text, uint32_t len)
+{
+ uint32_t *acc = ctx;
+ uint32_t *r = ctx + (uint32_t)5U;
+ uint32_t *r_20 = ctx + (uint32_t)5U * (uint32_t)2U;
+ uint32_t e[5U] = { 0U };
+ uint32_t blocks = len / (uint32_t)16U;
+ uint32_t rem1;
+ {
+ uint32_t i;
+ for (i = (uint32_t)0U; i < blocks; i = i + (uint32_t)1U)
+ {
+ uint8_t *b = text + i * (uint32_t)16U;
+ uint64_t u0 = load64_le(b);
+ uint64_t lo0 = u0;
+ uint64_t u = load64_le(b + (uint32_t)8U);
+ uint64_t hi0 = u;
+ uint64_t lo = lo0;
+ uint64_t hi = hi0;
+ e[0U] = (uint32_t)lo & (uint32_t)0x3ffffffU;
+ e[1U] = (uint32_t)(lo >> (uint32_t)26U) & (uint32_t)0x3ffffffU;
+ e[2U] = (uint32_t)(lo >> (uint32_t)52U) ^ ((uint32_t)hi & (uint32_t)0x3fffU) << (uint32_t)12U;
+ e[3U] = (uint32_t)(hi >> (uint32_t)14U) & (uint32_t)0x3ffffffU;
+ e[4U] = (uint32_t)(hi >> (uint32_t)40U);
+ e[4U] = e[4U] | (uint32_t)0x1000000U;
+ {
+ uint64_t tmp[5U] = { 0U };
+ Hacl_Impl_Poly1305_Field32_add_felem(acc, e);
+ Hacl_Impl_Poly1305_Field32_mul_felem(tmp, acc, r, r_20);
+ Hacl_Impl_Poly1305_Field32_carry_wide_felem(acc, tmp);
+ }
+ }
+ }
+ rem1 = len % (uint32_t)16U;
+ if (rem1 > (uint32_t)0U)
+ {
+ uint8_t *b = text + blocks * (uint32_t)16U;
+ uint8_t tmp[16U] = { 0U };
+ memcpy(tmp, b, rem1 * sizeof b[0U]);
+ {
+ uint64_t u0 = load64_le(tmp);
+ uint64_t lo0 = u0;
+ uint64_t u = load64_le(tmp + (uint32_t)8U);
+ uint64_t hi0 = u;
+ uint64_t lo = lo0;
+ uint64_t hi = hi0;
+ e[0U] = (uint32_t)lo & (uint32_t)0x3ffffffU;
+ e[1U] = (uint32_t)(lo >> (uint32_t)26U) & (uint32_t)0x3ffffffU;
+ e[2U] = (uint32_t)(lo >> (uint32_t)52U) ^ ((uint32_t)hi & (uint32_t)0x3fffU) << (uint32_t)12U;
+ e[3U] = (uint32_t)(hi >> (uint32_t)14U) & (uint32_t)0x3ffffffU;
+ e[4U] = (uint32_t)(hi >> (uint32_t)40U);
+ if (rem1 * (uint32_t)8U < (uint32_t)26U)
+ {
+ e[0U] = e[0U] | (uint32_t)1U << rem1 * (uint32_t)8U;
+ }
+ else
+ {
+ if (rem1 * (uint32_t)8U < (uint32_t)52U)
+ {
+ e[1U] = e[1U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)26U);
+ }
+ else
+ {
+ if (rem1 * (uint32_t)8U < (uint32_t)78U)
+ {
+ e[2U] = e[2U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)52U);
+ }
+ else
+ {
+ if (rem1 * (uint32_t)8U < (uint32_t)104U)
+ {
+ e[3U] = e[3U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)78U);
+ }
+ else
+ {
+ e[4U] = e[4U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)104U);
+ }
+ }
+ }
+ }
+ {
+ uint64_t tmp0[5U] = { 0U };
+ Hacl_Impl_Poly1305_Field32_add_felem(acc, e);
+ Hacl_Impl_Poly1305_Field32_mul_felem(tmp0, acc, r, r_20);
+ Hacl_Impl_Poly1305_Field32_carry_wide_felem(acc, tmp0);
+ }
+ }
+ }
+}
+
+void Hacl_Poly1305_32_poly1305_finish(uint32_t *ctx, uint8_t *tag)
+{
+ uint32_t *acc = ctx;
+ uint32_t *sk = ctx + (uint32_t)5U * (uint32_t)3U;
+ uint32_t f00;
+ uint32_t f10;
+ uint32_t f2;
+ uint32_t f3;
+ uint32_t f4;
+ uint32_t mask;
+ uint32_t mask1;
+ uint32_t mask2;
+ uint32_t mask3;
+ uint32_t mask4;
+ uint32_t p0;
+ uint32_t p1;
+ uint32_t p2;
+ uint32_t p3;
+ uint32_t p4;
+ uint64_t f0;
+ uint64_t f1;
+ uint64_t lo;
+ uint64_t hi;
+ Hacl_Impl_Poly1305_Field32_carry_felem(acc);
+ Hacl_Impl_Poly1305_Field32_carry_top_felem(acc);
+ f00 = acc[0U];
+ f10 = acc[1U];
+ f2 = acc[2U];
+ f3 = acc[3U];
+ f4 = acc[4U];
+ mask = Lib_Utils_uint32_eq_mask(f4, (uint32_t)0x3ffffffU);
+ mask1 = mask & Lib_Utils_uint32_eq_mask(f3, (uint32_t)0x3ffffffU);
+ mask2 = mask1 & Lib_Utils_uint32_eq_mask(f2, (uint32_t)0x3ffffffU);
+ mask3 = mask2 & Lib_Utils_uint32_eq_mask(f10, (uint32_t)0x3ffffffU);
+ mask4 = mask3 & Lib_Utils_uint32_gte_mask(f00, (uint32_t)0x3fffffbU);
+ p0 = mask4 & (uint32_t)0x3fffffbU;
+ p1 = mask4 & (uint32_t)0x3ffffffU;
+ p2 = mask4 & (uint32_t)0x3ffffffU;
+ p3 = mask4 & (uint32_t)0x3ffffffU;
+ p4 = mask4 & (uint32_t)0x3ffffffU;
+ acc[0U] = f00 - p0;
+ acc[1U] = f10 - p1;
+ acc[2U] = f2 - p2;
+ acc[3U] = f3 - p3;
+ acc[4U] = f4 - p4;
+ Hacl_Impl_Poly1305_Field32_add_felem(acc, sk);
+ Hacl_Impl_Poly1305_Field32_carry_felem(acc);
+ f0 =
+ ((uint64_t)acc[0U] | (uint64_t)acc[1U] << (uint32_t)26U)
+ | (uint64_t)acc[2U] << (uint32_t)52U;
+ f1 =
+ ((uint64_t)acc[2U] >> (uint32_t)12U | (uint64_t)acc[3U] << (uint32_t)14U)
+ | (uint64_t)acc[4U] << (uint32_t)40U;
+ lo = f0;
+ hi = f1;
+ store64_le(tag, lo);
+ store64_le(tag + (uint32_t)8U, hi);
+}
+
+void poly1305_hacl32(uint8_t *o, uint8_t *t, uint32_t l, uint8_t *k)
+{
+ {
+ uint32_t ctx[(uint32_t)5U * (uint32_t)4U];
+ memset(ctx, 0U, (uint32_t)5U * (uint32_t)4U * sizeof ctx[0U]);
+ {
+ uint8_t *kr = k;
+ uint8_t *ks = k + (uint32_t)16U;
+ uint32_t *acc0 = ctx;
+ uint32_t *r0 = ctx + (uint32_t)5U;
+ uint32_t *r_200 = ctx + (uint32_t)5U * (uint32_t)2U;
+ uint32_t *sk0 = ctx + (uint32_t)5U * (uint32_t)3U;
+ uint64_t u0;
+ uint64_t lo0;
+ uint64_t u1;
+ uint64_t hi0;
+ uint64_t lo2;
+ uint64_t hi2;
+ uint64_t mask0;
+ uint64_t mask10;
+ uint64_t lo1;
+ uint64_t hi1;
+ uint64_t u2;
+ uint64_t lo3;
+ uint64_t u3;
+ uint64_t hi3;
+ uint64_t sl;
+ uint64_t sh;
+ acc0[0U] = (uint32_t)0U;
+ acc0[1U] = (uint32_t)0U;
+ acc0[2U] = (uint32_t)0U;
+ acc0[3U] = (uint32_t)0U;
+ acc0[4U] = (uint32_t)0U;
+ u0 = load64_le(kr);
+ lo0 = u0;
+ u1 = load64_le(kr + (uint32_t)8U);
+ hi0 = u1;
+ lo2 = lo0;
+ hi2 = hi0;
+ mask0 = (uint64_t)0x0ffffffc0fffffffU;
+ mask10 = (uint64_t)0x0ffffffc0ffffffcU;
+ lo1 = lo2 & mask0;
+ hi1 = hi2 & mask10;
+ r0[0U] = (uint32_t)lo1 & (uint32_t)0x3ffffffU;
+ r0[1U] = (uint32_t)(lo1 >> (uint32_t)26U) & (uint32_t)0x3ffffffU;
+ r0[2U] =
+ (uint32_t)(lo1 >> (uint32_t)52U)
+ ^ ((uint32_t)hi1 & (uint32_t)0x3fffU) << (uint32_t)12U;
+ r0[3U] = (uint32_t)(hi1 >> (uint32_t)14U) & (uint32_t)0x3ffffffU;
+ r0[4U] = (uint32_t)(hi1 >> (uint32_t)40U);
+ r_200[0U] = r0[0U] * (uint32_t)5U;
+ r_200[1U] = r0[1U] * (uint32_t)5U;
+ r_200[2U] = r0[2U] * (uint32_t)5U;
+ r_200[3U] = r0[3U] * (uint32_t)5U;
+ r_200[4U] = r0[4U] * (uint32_t)5U;
+ u2 = load64_le(ks);
+ lo3 = u2;
+ u3 = load64_le(ks + (uint32_t)8U);
+ hi3 = u3;
+ sl = lo3;
+ sh = hi3;
+ sk0[0U] = (uint32_t)sl & (uint32_t)0x3ffffffU;
+ sk0[1U] = (uint32_t)(sl >> (uint32_t)26U) & (uint32_t)0x3ffffffU;
+ sk0[2U] =
+ (uint32_t)(sl >> (uint32_t)52U)
+ ^ ((uint32_t)sh & (uint32_t)0x3fffU) << (uint32_t)12U;
+ sk0[3U] = (uint32_t)(sh >> (uint32_t)14U) & (uint32_t)0x3ffffffU;
+ sk0[4U] = (uint32_t)(sh >> (uint32_t)40U);
+ {
+ uint32_t *acc1 = ctx;
+ uint32_t *r = ctx + (uint32_t)5U;
+ uint32_t *r_20 = ctx + (uint32_t)5U * (uint32_t)2U;
+ uint32_t e[5U] = { 0U };
+ uint32_t blocks = l / (uint32_t)16U;
+ uint32_t rem1;
+ uint32_t *acc;
+ uint32_t *sk;
+ uint32_t f00;
+ uint32_t f10;
+ uint32_t f2;
+ uint32_t f3;
+ uint32_t f4;
+ uint32_t mask;
+ uint32_t mask1;
+ uint32_t mask2;
+ uint32_t mask3;
+ uint32_t mask4;
+ uint32_t p0;
+ uint32_t p1;
+ uint32_t p2;
+ uint32_t p3;
+ uint32_t p4;
+ uint64_t f0;
+ uint64_t f1;
+ uint64_t lo4;
+ uint64_t hi4;
+ {
+ uint32_t i;
+ for (i = (uint32_t)0U; i < blocks; i = i + (uint32_t)1U)
+ {
+ uint8_t *b = t + i * (uint32_t)16U;
+ uint64_t u0 = load64_le(b);
+ uint64_t lo0 = u0;
+ uint64_t u = load64_le(b + (uint32_t)8U);
+ uint64_t hi0 = u;
+ uint64_t lo = lo0;
+ uint64_t hi = hi0;
+ e[0U] = (uint32_t)lo & (uint32_t)0x3ffffffU;
+ e[1U] = (uint32_t)(lo >> (uint32_t)26U) & (uint32_t)0x3ffffffU;
+ e[2U] =
+ (uint32_t)(lo >> (uint32_t)52U)
+ ^ ((uint32_t)hi & (uint32_t)0x3fffU) << (uint32_t)12U;
+ e[3U] = (uint32_t)(hi >> (uint32_t)14U) & (uint32_t)0x3ffffffU;
+ e[4U] = (uint32_t)(hi >> (uint32_t)40U);
+ e[4U] = e[4U] | (uint32_t)0x1000000U;
+ {
+ uint64_t tmp[5U] = { 0U };
+ Hacl_Impl_Poly1305_Field32_add_felem(acc1, e);
+ Hacl_Impl_Poly1305_Field32_mul_felem(tmp, acc1, r, r_20);
+ Hacl_Impl_Poly1305_Field32_carry_wide_felem(acc1, tmp);
+ }
+ }
+ }
+ rem1 = l % (uint32_t)16U;
+ if (rem1 > (uint32_t)0U)
+ {
+ uint8_t *b = t + blocks * (uint32_t)16U;
+ uint8_t tmp[16U] = { 0U };
+ memcpy(tmp, b, rem1 * sizeof b[0U]);
+ {
+ uint64_t u0 = load64_le(tmp);
+ uint64_t lo0 = u0;
+ uint64_t u = load64_le(tmp + (uint32_t)8U);
+ uint64_t hi0 = u;
+ uint64_t lo = lo0;
+ uint64_t hi = hi0;
+ e[0U] = (uint32_t)lo & (uint32_t)0x3ffffffU;
+ e[1U] = (uint32_t)(lo >> (uint32_t)26U) & (uint32_t)0x3ffffffU;
+ e[2U] =
+ (uint32_t)(lo >> (uint32_t)52U)
+ ^ ((uint32_t)hi & (uint32_t)0x3fffU) << (uint32_t)12U;
+ e[3U] = (uint32_t)(hi >> (uint32_t)14U) & (uint32_t)0x3ffffffU;
+ e[4U] = (uint32_t)(hi >> (uint32_t)40U);
+ if (rem1 * (uint32_t)8U < (uint32_t)26U)
+ {
+ e[0U] = e[0U] | (uint32_t)1U << rem1 * (uint32_t)8U;
+ }
+ else
+ {
+ if (rem1 * (uint32_t)8U < (uint32_t)52U)
+ {
+ e[1U] = e[1U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)26U);
+ }
+ else
+ {
+ if (rem1 * (uint32_t)8U < (uint32_t)78U)
+ {
+ e[2U] = e[2U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)52U);
+ }
+ else
+ {
+ if (rem1 * (uint32_t)8U < (uint32_t)104U)
+ {
+ e[3U] = e[3U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)78U);
+ }
+ else
+ {
+ e[4U] = e[4U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)104U);
+ }
+ }
+ }
+ }
+ {
+ uint64_t tmp0[5U] = { 0U };
+ Hacl_Impl_Poly1305_Field32_add_felem(acc1, e);
+ Hacl_Impl_Poly1305_Field32_mul_felem(tmp0, acc1, r, r_20);
+ Hacl_Impl_Poly1305_Field32_carry_wide_felem(acc1, tmp0);
+ }
+ }
+ }
+ acc = ctx;
+ sk = ctx + (uint32_t)5U * (uint32_t)3U;
+ Hacl_Impl_Poly1305_Field32_carry_felem(acc);
+ Hacl_Impl_Poly1305_Field32_carry_top_felem(acc);
+ f00 = acc[0U];
+ f10 = acc[1U];
+ f2 = acc[2U];
+ f3 = acc[3U];
+ f4 = acc[4U];
+ mask = Lib_Utils_uint32_eq_mask(f4, (uint32_t)0x3ffffffU);
+ mask1 = mask & Lib_Utils_uint32_eq_mask(f3, (uint32_t)0x3ffffffU);
+ mask2 = mask1 & Lib_Utils_uint32_eq_mask(f2, (uint32_t)0x3ffffffU);
+ mask3 = mask2 & Lib_Utils_uint32_eq_mask(f10, (uint32_t)0x3ffffffU);
+ mask4 = mask3 & Lib_Utils_uint32_gte_mask(f00, (uint32_t)0x3fffffbU);
+ p0 = mask4 & (uint32_t)0x3fffffbU;
+ p1 = mask4 & (uint32_t)0x3ffffffU;
+ p2 = mask4 & (uint32_t)0x3ffffffU;
+ p3 = mask4 & (uint32_t)0x3ffffffU;
+ p4 = mask4 & (uint32_t)0x3ffffffU;
+ acc[0U] = f00 - p0;
+ acc[1U] = f10 - p1;
+ acc[2U] = f2 - p2;
+ acc[3U] = f3 - p3;
+ acc[4U] = f4 - p4;
+ Hacl_Impl_Poly1305_Field32_add_felem(acc, sk);
+ Hacl_Impl_Poly1305_Field32_carry_felem(acc);
+ f0 =
+ ((uint64_t)acc[0U] | (uint64_t)acc[1U] << (uint32_t)26U)
+ | (uint64_t)acc[2U] << (uint32_t)52U;
+ f1 =
+ ((uint64_t)acc[2U] >> (uint32_t)12U | (uint64_t)acc[3U] << (uint32_t)14U)
+ | (uint64_t)acc[4U] << (uint32_t)40U;
+ lo4 = f0;
+ hi4 = f1;
+ store64_le(o, lo4);
+ store64_le(o + (uint32_t)8U, hi4);
+ }
+ }
+ }
+}
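Review bot: `poly1305_hacl32` leaves key-derived state on the stack when it returns: the local `ctx` (20 words) holds the clamped `r`, its multiples by five in `r_20`, and the pad `sk` loaded from `k`, and nothing clears it after the two `store64_le(o, ...)` calls. Add `memzero_explicit(ctx, sizeof(ctx));` as the last statement so the wipe cannot be optimised away; callers of the separate `Hacl_Poly1305_32_poly1305_init`/`_update`/`_finish` entry points would need to do the same for the context they own. Those three functions and the `Hacl_Poly1305_32_ctxlen`/`Hacl_Poly1305_32_blocklen` variables are defined with external linkage although nothing visible in this commit references them, so marking them `static` or removing them would keep them out of the kernel's global symbol namespace. The length parameter is `uint32_t`, so a comment such as `/* l: message length in bytes, must fit in 32 bits */` on `poly1305_hacl32` would make the input limit explicit.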
diff --git a/poly1305-hacl64.c b/poly1305-hacl64.c
index 87fe277..55625f1 100644
--- a/poly1305-hacl64.c
+++ b/poly1305-hacl64.c
@@ -1,629 +1,488 @@
-/* MIT License
- *
- * Copyright (c) 2016-2017 INRIA and Microsoft Corporation
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include <linux/kernel.h>
-#include <linux/string.h>
-
-typedef struct
-{
- u64* r;
- u64* h;
- u64* r5;
-}
-Hacl_Impl_Poly1305_64_State_poly1305_state;
-
-typedef __uint128_t u128;
-
-#define u128_logand(a,b) ((a) & (b))
-#define u128_logor(a,b) ((a) | (b))
-#define u128_add(a,b) ((a) + (b))
-#define u128_add_mod(a,b) ((a) + (b))
-#define u128_shift_right(a,b) ((a) >> (b))
-#define u128_shift_left(a,b) ((a) << (b))
-#define u128_mul_wide(a,b) (((u128)(a)) * b)
-
-#define KRML_CHECK_SIZE(a,b) {}
-#define u64_to_u128(a) ((u128)a)
-#define u128_to_u64(a) ((u64)a)
-
-static __always_inline u64 FStar_UInt64_eq_mask(u64 x, u64 y) {
- x = ~(x ^ y);
- x &= x << 32;
- x &= x << 16;
- x &= x << 8;
- x &= x << 4;
- x &= x << 2;
- x &= x << 1;
- return ((s64)x) >> 63;
-}
-
-static __always_inline u64 FStar_UInt64_gte_mask(u64 x, u64 y) {
- u64 low63 =
- ~((u64)((s64)((s64)(x & (u64)(0x7fffffffffffffff)) -
- (s64)(y & (u64)(0x7fffffffffffffff))) >>
- 63));
- u64 high_bit =
- ~((u64)((s64)((s64)(x & (u64)(0x8000000000000000)) -
- (s64)(y & (u64)(0x8000000000000000))) >>
- 63));
- return low63 & high_bit;
-}
-
-static __always_inline u128 load128_le(u8 *b) {
- u64 l = le64_to_cpup((__force __le64 *)b);
- u64 h = le64_to_cpup((__force __le64 *)(b+8));
- return ((((u128)h) << 64) | l);
-}
-
-static __always_inline void store128_le(u8 *b, u128 n) {
- *(__force __le64 *)b = cpu_to_le64((u64)n);
- *(__force __le64 *)(b+8) = cpu_to_le64((u64)(n >> 64));
-}
-
-__always_inline static void Hacl_Bignum_Modulo_carry_top(u64 *b)
-{
- u64 b2 = b[2U];
- u64 b0 = b[0U];
- u64 b2_42 = b2 >> (u32)42U;
- b[2U] = b2 & (u64)0x3ffffffffffU;
- b[0U] = (b2_42 << (u32)2U) + b2_42 + b0;
-}
-
-__always_inline static void Hacl_Bignum_Modulo_carry_top_wide(u128 *b)
-{
- u128 b2 = b[2U];
- u128 b0 = b[0U];
- u128
- b2_ = u128_logand(b2, u64_to_u128((u64)0x3ffffffffffU));
- u64 b2_42 = u128_to_u64(u128_shift_right(b2, (u32)42U));
- u128
- b0_ = u128_add(b0, u64_to_u128((b2_42 << (u32)2U) + b2_42));
- b[2U] = b2_;
- b[0U] = b0_;
-}
-
-__always_inline static void
-Hacl_Bignum_Fproduct_copy_from_wide_(u64 *output, u128 *input)
-{
- u32 i;
- { i = 0;
- u128 xi = input[i];
- output[i] = u128_to_u64(xi);
- }
- { i = 1;
- u128 xi = input[i];
- output[i] = u128_to_u64(xi);
- }
- { i = 2;
- u128 xi = input[i];
- output[i] = u128_to_u64(xi);
- }
-}
-
-__always_inline static void
-Hacl_Bignum_Fproduct_sum_scalar_multiplication_(
- u128 *output,
- u64 *input,
- u64 s
-)
-{
- u32 i;
- {
- i = 0;
- u128 xi = output[i];
- u64 yi = input[i];
- output[i] = u128_add_mod(xi, u128_mul_wide(yi, s));
- }
- {
- i = 1;
- u128 xi = output[i];
- u64 yi = input[i];
- output[i] = u128_add_mod(xi, u128_mul_wide(yi, s));
- }
- {
- i = 2;
- u128 xi = output[i];
- u64 yi = input[i];
- output[i] = u128_add_mod(xi, u128_mul_wide(yi, s));
- }
-}
-
-__always_inline static void Hacl_Bignum_Fproduct_carry_wide_(u128 *tmp)
-{
- {
- u32 ctr = 0;
- u128 tctr = tmp[ctr];
- u128 tctrp1 = tmp[ctr + (u32)1U];
- u64 r0 = u128_to_u64(tctr) & (u64)0xfffffffffffU;
- u128 c = u128_shift_right(tctr, (u32)44U);
- tmp[ctr] = u64_to_u128(r0);
- tmp[ctr + (u32)1U] = u128_add(tctrp1, c);
- }
- {
- u32 ctr = 1;
- u128 tctr = tmp[ctr];
- u128 tctrp1 = tmp[ctr + (u32)1U];
- u64 r0 = u128_to_u64(tctr) & (u64)0xfffffffffffU;
- u128 c = u128_shift_right(tctr, (u32)44U);
- tmp[ctr] = u64_to_u128(r0);
- tmp[ctr + (u32)1U] = u128_add(tctrp1, c);
- }
-}
-
-__always_inline static void Hacl_Bignum_Fproduct_carry_limb_(u64 *tmp)
-{
- {
- u32 ctr = 0;
- u64 tctr = tmp[ctr];
- u64 tctrp1 = tmp[ctr + (u32)1U];
- u64 r0 = tctr & (u64)0xfffffffffffU;
- u64 c = tctr >> (u32)44U;
- tmp[ctr] = r0;
- tmp[ctr + (u32)1U] = tctrp1 + c;
- }
- {
- u32 ctr = 1;
- u64 tctr = tmp[ctr];
- u64 tctrp1 = tmp[ctr + (u32)1U];
- u64 r0 = tctr & (u64)0xfffffffffffU;
- u64 c = tctr >> (u32)44U;
- tmp[ctr] = r0;
- tmp[ctr + (u32)1U] = tctrp1 + c;
- }
-}
-
-
-__always_inline static void Hacl_Bignum_Modulo_reduce(u64 *key, u64 *key5, u32 i)
-{
- u64 b0 = key5[2-i];
- key[0U] = b0;
-}
-
-
-__always_inline static void Hacl_Bignum_Fmul_shift_reduce(u64 *key,u64 *key5, u32 i)
-{
- u64 tmp = key[2U];
- {
- u32 ctr = (u32)3U - 0 - (u32)1U;
- u64 z = key[ctr - (u32)1U];
- key[ctr] = z;
- }
- {
- u32 ctr = (u32)3U - 1 - (u32)1U;
- u64 z = key[ctr - (u32)1U];
- key[ctr] = z;
- }
- key[0U] = tmp;
- Hacl_Bignum_Modulo_reduce(key,key5,i);
-}
-
-__always_inline static void
-Hacl_Bignum_Fmul_mul_shift_reduce_(u128 *output, u64 *input, u64 *key, u64 *key5)
-{
- u64 tmp[3U];
- memcpy(tmp, key, (u32)3U * sizeof key[0U]);
- u32 i;
- {
- i = 0;
- u64 inputi = input[i];
- Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, tmp, inputi);
- Hacl_Bignum_Fmul_shift_reduce(tmp,key5,i);
- }
- {
- i = 1;
- u64 inputi = input[i];
- Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, tmp, inputi);
- Hacl_Bignum_Fmul_shift_reduce(tmp,key5,i);
- }
- i = 2;
- u64 inputi = input[i];
- Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, tmp, inputi);
-}
-
-__always_inline static void Hacl_Bignum_Fmul_fmul(u64 *output, u64 *input, u64 *key, u64* key5)
-{
- u128 t[3U] = {0};
- Hacl_Bignum_Fmul_mul_shift_reduce_(t, input, key, key5);
- Hacl_Bignum_Fproduct_carry_wide_(t);
- Hacl_Bignum_Modulo_carry_top_wide(t);
- Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
- u64 i0 = output[0U];
- u64 i1 = output[1U];
- u64 i0_ = i0 & (u64)0xfffffffffffU;
- u64 i1_ = i1 + (i0 >> (u32)44U);
- output[0U] = i0_;
- output[1U] = i1_;
-}
-
-__always_inline static void
-Hacl_Bignum_AddAndMultiply_add_and_multiply(u64 *acc, u64 *block, u64 *r, u64* r5)
-{
- u32 i;
- { i = 0;
- u64 xi = acc[i];
- u64 yi = block[i];
- acc[i] = xi + yi;
- }
- { i = 1;
- u64 xi = acc[i];
- u64 yi = block[i];
- acc[i] = xi + yi;
- }
- { i = 2;
- u64 xi = acc[i];
- u64 yi = block[i];
- acc[i] = xi + yi;
- }
- Hacl_Bignum_Fmul_fmul(acc, acc, r, r5);
-}
-
-
-__always_inline static void
-Hacl_Impl_Poly1305_64_poly1305_update(
- Hacl_Impl_Poly1305_64_State_poly1305_state st,
- u8 *m
-)
-{
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
- u64 *h = scrut0.h;
- u64 *acc = h;
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
- u64 *r = scrut.r;
- u64 *r3 = r;
- u64 *r5 = scrut.r5;
- u64 tmp[3U] = { 0U };
- u128 m0 = load128_le(m);
- u64 r0 = u128_to_u64(m0) & (u64)0xfffffffffffU;
- u64
- r1 =
- u128_to_u64(u128_shift_right(m0, (u32)44U))
- & (u64)0xfffffffffffU;
- u64 r2 = u128_to_u64(u128_shift_right(m0, (u32)88U));
- tmp[0U] = r0;
- tmp[1U] = r1;
- tmp[2U] = r2;
- u64 b2 = tmp[2U];
- u64 b2_ = (u64)0x10000000000U | b2;
- tmp[2U] = b2_;
- Hacl_Bignum_AddAndMultiply_add_and_multiply(acc, tmp, r3, r5);
-}
-
-__always_inline static void
-Hacl_Impl_Poly1305_64_poly1305_process_last_block_(
- u8 *block,
- Hacl_Impl_Poly1305_64_State_poly1305_state st,
- u8 *m,
- u64 rem_
-)
-{
- u64 tmp[3U] = { 0U };
- u128 m0 = load128_le(block);
- u64 r0 = u128_to_u64(m0) & (u64)0xfffffffffffU;
- u64
- r1 =
- u128_to_u64(u128_shift_right(m0, (u32)44U))
- & (u64)0xfffffffffffU;
- u64 r2 = u128_to_u64(u128_shift_right(m0, (u32)88U));
- tmp[0U] = r0;
- tmp[1U] = r1;
- tmp[2U] = r2;
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
- u64 *h = scrut0.h;
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
- u64 *r = scrut.r;
- Hacl_Bignum_AddAndMultiply_add_and_multiply(h, tmp, r, scrut.r5);
-}
-
-__always_inline static void
-Hacl_Impl_Poly1305_64_poly1305_process_last_block(
- Hacl_Impl_Poly1305_64_State_poly1305_state st,
- u8 *m,
- u64 rem_
-)
-{
- u8 block[16U] = {0};
- u32 i0 = (u32)rem_;
- u32 i = (u32)rem_;
- memcpy(block, m, i * sizeof m[0U]);
- block[i0] = (u8)1U;
- Hacl_Impl_Poly1305_64_poly1305_process_last_block_(block, st, m, rem_);
-}
-
-__always_inline static void Hacl_Impl_Poly1305_64_poly1305_last_pass(u64 *acc)
-{
- Hacl_Bignum_Fproduct_carry_limb_(acc);
- Hacl_Bignum_Modulo_carry_top(acc);
- u64 a0 = acc[0U];
- u64 a10 = acc[1U];
- u64 a20 = acc[2U];
- u64 a0_ = a0 & (u64)0xfffffffffffU;
- u64 r0 = a0 >> (u32)44U;
- u64 a1_ = (a10 + r0) & (u64)0xfffffffffffU;
- u64 r1 = (a10 + r0) >> (u32)44U;
- u64 a2_ = a20 + r1;
- acc[0U] = a0_;
- acc[1U] = a1_;
- acc[2U] = a2_;
- Hacl_Bignum_Modulo_carry_top(acc);
- u64 i0 = acc[0U];
- u64 i1 = acc[1U];
- u64 i0_ = i0 & (u64)0xfffffffffffU;
- u64 i1_ = i1 + (i0 >> (u32)44U);
- acc[0U] = i0_;
- acc[1U] = i1_;
- u64 a00 = acc[0U];
- u64 a1 = acc[1U];
- u64 a2 = acc[2U];
- u64 mask0 = FStar_UInt64_gte_mask(a00, (u64)0xffffffffffbU);
- u64 mask1 = FStar_UInt64_eq_mask(a1, (u64)0xfffffffffffU);
- u64 mask2 = FStar_UInt64_eq_mask(a2, (u64)0x3ffffffffffU);
- u64 mask = (mask0 & mask1) & mask2;
- u64 a0_0 = a00 - ((u64)0xffffffffffbU & mask);
- u64 a1_0 = a1 - ((u64)0xfffffffffffU & mask);
- u64 a2_0 = a2 - ((u64)0x3ffffffffffU & mask);
- acc[0U] = a0_0;
- acc[1U] = a1_0;
- acc[2U] = a2_0;
-}
-
-__always_inline static Hacl_Impl_Poly1305_64_State_poly1305_state
-Hacl_Impl_Poly1305_64_mk_state(u64 *r, u64 *h, u64* r5)
-{
- Hacl_Impl_Poly1305_64_State_poly1305_state st;
- st.r = r;
- st.h = h;
- st.r5 = r5;
- return st;
-}
-
-static void
-Hacl_Standalone_Poly1305_64_poly1305_blocks(
- Hacl_Impl_Poly1305_64_State_poly1305_state st,
- u8 *m,
- u64 len1
-)
-{
- u32 i;
- u8* msg = m;
- for (i = 0; i < len1; ++i) {
- Hacl_Impl_Poly1305_64_poly1305_update(st, msg);
- msg = msg + (u32)16U;
- }
-}
-
-
-__always_inline static void
-Hacl_Standalone_Poly1305_64_poly1305_partial(
- Hacl_Impl_Poly1305_64_State_poly1305_state st,
- u8 *input,
- u64 len1,
- u8 *kr
-)
-{
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
- u64 *r = scrut.r;
- u64 *x0 = r;
- u128 k1 = load128_le(kr);
- u128
- k_clamped =
- u128_logand(k1,
- u128_logor(u128_shift_left(u64_to_u128((u64)0x0ffffffc0ffffffcU),
- (u32)64U),
- u64_to_u128((u64)0x0ffffffc0fffffffU)));
- u64 r0 = u128_to_u64(k_clamped) & (u64)0xfffffffffffU;
- u64
- r1 =
- u128_to_u64(u128_shift_right(k_clamped, (u32)44U))
- & (u64)0xfffffffffffU;
- u64
- r2 = u128_to_u64(u128_shift_right(k_clamped, (u32)88U));
- x0[0U] = r0;
- x0[1U] = r1;
- x0[2U] = r2;
- u64 *r5 = scrut.r5;
- r5[0U] = 20 * r0;
- r5[1U] = 20 * r1;
- r5[2U] = 20 * r2;
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
- u64 *h = scrut0.h;
- u64 *x00 = h;
- x00[0U] = (u64)0U;
- x00[1U] = (u64)0U;
- x00[2U] = (u64)0U;
- Hacl_Standalone_Poly1305_64_poly1305_blocks(st, input, len1);
-}
-
-__always_inline static void
-Hacl_Standalone_Poly1305_64_poly1305_complete(
- Hacl_Impl_Poly1305_64_State_poly1305_state st,
- u8 *m,
- u64 len1,
- u8 *k1
-)
-{
- u8 *kr = k1;
- u64 len16 = len1 >> (u32)4U;
- u64 rem16 = len1 & (u64)0xfU;
- u8 *part_input = m;
- u8 *last_block = m + (u32)((u64)16U * len16);
- Hacl_Standalone_Poly1305_64_poly1305_partial(st, part_input, len16, kr);
- if (!(rem16 == (u64)0U))
- Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, last_block, rem16);
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
- u64 *h = scrut.h;
- u64 *acc = h;
- Hacl_Impl_Poly1305_64_poly1305_last_pass(acc);
-}
-
-__always_inline static void
-Hacl_Standalone_Poly1305_64_crypto_onetimeauth_(
- u8 *output,
- u8 *input,
- u64 len1,
- u8 *k1
-)
-{
- u64 buf[9U] = { 0U };
- u64 *r = buf;
- u64 *h = buf + (u32)3U;
- u64 *r5 = buf + (u32)6U;
-
- Hacl_Impl_Poly1305_64_State_poly1305_state st = Hacl_Impl_Poly1305_64_mk_state(r, h, r5);
- u8 *key_s = k1 + (u32)16U;
- Hacl_Standalone_Poly1305_64_poly1305_complete(st, input, len1, k1);
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
- u64 *h3 = scrut.h;
- u64 *acc = h3;
- u128 k_ = load128_le(key_s);
- u64 h0 = acc[0U];
- u64 h1 = acc[1U];
- u64 h2 = acc[2U];
- u128
- acc_ =
- u128_logor(u128_shift_left(u64_to_u128(h2
- << (u32)24U
- | h1 >> (u32)20U),
- (u32)64U),
- u64_to_u128(h1 << (u32)44U | h0));
- u128 mac_ = u128_add_mod(acc_, k_);
- store128_le(output, mac_);
-}
-
-__always_inline static void
-Hacl_Standalone_Poly1305_64_crypto_onetimeauth(
- u8 *output,
- u8 *input,
- u64 len1,
- u8 *k1
-)
-{
- Hacl_Standalone_Poly1305_64_crypto_onetimeauth_(output, input, len1, k1);
-}
-
-void Hacl_Poly1305_64_init(Hacl_Impl_Poly1305_64_State_poly1305_state st, u8 *k1)
-{
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
- u64 *r = scrut.r;
- u64 *r5= scrut.r5;
- u64 *x0 = r;
- u128 k10 = load128_le(k1);
- u128
- k_clamped =
- u128_logand(k10,
- u128_logor(u128_shift_left(u64_to_u128((u64)0x0ffffffc0ffffffcU),
- (u32)64U),
- u64_to_u128((u64)0x0ffffffc0fffffffU)));
- u64 r0 = u128_to_u64(k_clamped) & (u64)0xfffffffffffU;
- u64
- r1 =
- u128_to_u64(u128_shift_right(k_clamped, (u32)44U))
- & (u64)0xfffffffffffU;
- u64
- r2 = u128_to_u64(u128_shift_right(k_clamped, (u32)88U));
- x0[0U] = r0;
- x0[1U] = r1;
- x0[2U] = r2;
- r5[0U] = 20 * r0;
- r5[1U] = 20 * r1;
- r5[2U] = 20 * r2;
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
- u64 *h = scrut0.h;
- u64 *x00 = h;
- x00[0U] = (u64)0U;
- x00[1U] = (u64)0U;
- x00[2U] = (u64)0U;
-}
-
-void Hacl_Poly1305_64_update_block(Hacl_Impl_Poly1305_64_State_poly1305_state st, u8 *m)
-{
- Hacl_Impl_Poly1305_64_poly1305_update(st, m);
-}
-
-void
-Hacl_Poly1305_64_update(
- Hacl_Impl_Poly1305_64_State_poly1305_state st,
- u8 *m,
- u32 num_blocks
-)
-{
- u32 i;
- u8* msg = m;
- for (i = 0; i < num_blocks; i++)
- {
- u8 *block = msg;
- Hacl_Poly1305_64_update_block(st, block);
- msg = msg + (u32)16U;
- }
-}
-
-void
-Hacl_Poly1305_64_update_last(
- Hacl_Impl_Poly1305_64_State_poly1305_state st,
- u8 *m,
- u32 len1
-)
-{
- if (!((u64)len1 == (u64)0U))
- Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, m, (u64)len1);
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
- u64 *h = scrut.h;
- u64 *acc = h;
- Hacl_Impl_Poly1305_64_poly1305_last_pass(acc);
-}
-
-void
-Hacl_Poly1305_64_finish(
- Hacl_Impl_Poly1305_64_State_poly1305_state st,
- u8 *mac,
- u8 *k1
-)
-{
- Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
- u64 *h = scrut.h;
- u64 *acc = h;
- u128 k_ = load128_le(k1);
- u64 h0 = acc[0U];
- u64 h1 = acc[1U];
- u64 h2 = acc[2U];
- u128
- acc_ =
- u128_logor(u128_shift_left(u64_to_u128(h2
- << (u32)24U
- | h1 >> (u32)20U),
- (u32)64U),
- u64_to_u128(h1 << (u32)44U | h0));
- u128 mac_ = u128_add_mod(acc_, k_);
- store128_le(mac, mac_);
-}
-
-void
-poly1305_hacl64(
- u8 *output,
- u8 *input,
- u64 len1,
- u8 *k1
-)
-{
- Hacl_Standalone_Poly1305_64_crypto_onetimeauth(output, input, len1, k1);
-}
-
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2016-2018 INRIA and Microsoft Corporation
+ */
+
+#include <linux/kernel.h>
+#include <linux/string.h>
+#include <asm/unaligned.h>
+
+typedef __uint128_t uint128_t;
+#define store64_le(d, s) put_unaligned_le64(s, d)
+#define load64_le(x) get_unaligned_le64(x)
+
+static uint64_t Lib_Utils_uint64_eq_mask(uint64_t a, uint64_t b)
+{
+ uint64_t x = a ^ b;
+ uint64_t minus_x = ~x + (uint64_t)1U;
+ uint64_t x_or_minus_x = x | minus_x;
+ uint64_t xnx = x_or_minus_x >> (uint32_t)63U;
+ uint64_t c = xnx - (uint64_t)1U;
+ return c;
+}
+
+static uint64_t Lib_Utils_uint64_gte_mask(uint64_t a, uint64_t b)
+{
+ uint64_t x = a;
+ uint64_t y = b;
+ uint64_t x_xor_y = x ^ y;
+ uint64_t x_sub_y = x - y;
+ uint64_t x_sub_y_xor_y = x_sub_y ^ y;
+ uint64_t q = x_xor_y | x_sub_y_xor_y;
+ uint64_t x_xor_q = x ^ q;
+ uint64_t x_xor_q_ = x_xor_q >> (uint32_t)63U;
+ uint64_t c = x_xor_q_ - (uint64_t)1U;
+ return c;
+}
+
+inline static void Hacl_Impl_Poly1305_Field64_add_felem(uint64_t *f1, uint64_t *f2)
+{
+ uint64_t f10 = f1[0U];
+ uint64_t f11 = f1[1U];
+ uint64_t f12 = f1[2U];
+ uint64_t f20 = f2[0U];
+ uint64_t f21 = f2[1U];
+ uint64_t f22 = f2[2U];
+ f1[0U] = f10 + f20;
+ f1[1U] = f11 + f21;
+ f1[2U] = f12 + f22;
+}
+
+inline static void
+Hacl_Impl_Poly1305_Field64_smul_felem(uint128_t *out, uint64_t u1, uint64_t *f2)
+{
+ uint64_t f20 = f2[0U];
+ uint64_t f21 = f2[1U];
+ uint64_t f22 = f2[2U];
+ out[0U] = (uint128_t)u1 * f20;
+ out[1U] = (uint128_t)u1 * f21;
+ out[2U] = (uint128_t)u1 * f22;
+}
+
+inline static void
+Hacl_Impl_Poly1305_Field64_smul_add_felem(uint128_t *out, uint64_t u1, uint64_t *f2)
+{
+ uint64_t f20 = f2[0U];
+ uint64_t f21 = f2[1U];
+ uint64_t f22 = f2[2U];
+ uint128_t o0 = out[0U];
+ uint128_t o1 = out[1U];
+ uint128_t o2 = out[2U];
+ out[0U] = o0 + (uint128_t)u1 * f20;
+ out[1U] = o1 + (uint128_t)u1 * f21;
+ out[2U] = o2 + (uint128_t)u1 * f22;
+}
+
+inline static void
+Hacl_Impl_Poly1305_Field64_mul_felem(
+ uint128_t *out,
+ uint64_t *f1,
+ uint64_t *f2,
+ uint64_t *f2_20
+)
+{
+ uint64_t tmp[3U] = { 0U };
+ Hacl_Impl_Poly1305_Field64_smul_felem(out, f1[0U], f2);
+ tmp[0U] = f2_20[2U];
+ tmp[1U] = f2[0U];
+ tmp[2U] = f2[1U];
+ Hacl_Impl_Poly1305_Field64_smul_add_felem(out, f1[1U], tmp);
+ tmp[0U] = f2_20[1U];
+ tmp[1U] = f2_20[2U];
+ tmp[2U] = f2[0U];
+ Hacl_Impl_Poly1305_Field64_smul_add_felem(out, f1[2U], tmp);
+}
+
+inline static void Hacl_Impl_Poly1305_Field64_carry_wide_felem(uint64_t *out, uint128_t *inp)
+{
+ uint128_t i0 = inp[0U];
+ uint128_t i1 = inp[1U];
+ uint128_t i2 = inp[2U];
+ uint128_t l = i0 + (uint128_t)(uint64_t)0U;
+ uint64_t tmp0 = (uint64_t)l & (uint64_t)0xfffffffffffU;
+ uint64_t carry1 = (uint64_t)(l >> (uint32_t)44U);
+ uint128_t l0 = i1 + (uint128_t)carry1;
+ uint64_t tmp1 = (uint64_t)l0 & (uint64_t)0xfffffffffffU;
+ uint64_t carry2 = (uint64_t)(l0 >> (uint32_t)44U);
+ uint128_t l1 = i2 + (uint128_t)carry2;
+ uint64_t tmp2 = (uint64_t)l1 & (uint64_t)0x3ffffffffffU;
+ uint64_t carry3 = (uint64_t)(l1 >> (uint32_t)42U);
+ out[0U] = tmp0 + carry3 * (uint64_t)5U;
+ out[1U] = tmp1;
+ out[2U] = tmp2;
+}
+
+inline static void Hacl_Impl_Poly1305_Field64_carry_felem(uint64_t *f)
+{
+ uint64_t f0 = f[0U];
+ uint64_t f1 = f[1U];
+ uint64_t f2 = f[2U];
+ uint64_t l = f0 + (uint64_t)0U;
+ uint64_t tmp0 = l & (uint64_t)0xfffffffffffU;
+ uint64_t carry1 = l >> (uint32_t)44U;
+ uint64_t l0 = f1 + carry1;
+ uint64_t tmp1 = l0 & (uint64_t)0xfffffffffffU;
+ uint64_t carry2 = l0 >> (uint32_t)44U;
+ uint64_t tmp2 = f2 + carry2;
+ f[0U] = tmp0;
+ f[1U] = tmp1;
+ f[2U] = tmp2;
+}
+
+inline static void Hacl_Impl_Poly1305_Field64_carry_top_felem(uint64_t *f)
+{
+ uint64_t f0 = f[0U];
+ uint64_t f1 = f[1U];
+ uint64_t f2 = f[2U];
+ uint64_t l = f2 + (uint64_t)0U;
+ uint64_t tmp2 = l & (uint64_t)0x3ffffffffffU;
+ uint64_t carry1 = l >> (uint32_t)42U;
+ uint64_t l0 = f0 + carry1 * (uint64_t)5U;
+ uint64_t tmp0 = l0 & (uint64_t)0xfffffffffffU;
+ uint64_t carry2 = l0 >> (uint32_t)44U;
+ uint64_t tmp1 = f1 + carry2;
+ f[0U] = tmp0;
+ f[1U] = tmp1;
+ f[2U] = tmp2;
+}
+
+inline static void
+Hacl_Impl_Poly1305_Field64_fadd_mul_felem(
+ uint64_t *acc,
+ uint64_t *f1,
+ uint64_t *f2,
+ uint64_t *f2_20
+)
+{
+ {
+ uint128_t tmp[3U];
+ {
+ uint32_t _i;
+ for (_i = 0U; _i < (uint32_t)3U; ++_i)
+ tmp[_i] = (uint128_t)(uint64_t)0U;
+ }
+ Hacl_Impl_Poly1305_Field64_add_felem(acc, f1);
+ Hacl_Impl_Poly1305_Field64_mul_felem(tmp, acc, f2, f2_20);
+ Hacl_Impl_Poly1305_Field64_carry_wide_felem(acc, tmp);
+ }
+}
+
+uint32_t Hacl_Poly1305_64_ctxlen = (uint32_t)12U;
+
+uint32_t Hacl_Poly1305_64_blocklen = (uint32_t)16U;
+
+void Hacl_Poly1305_64_poly1305_init(uint64_t *ctx, uint8_t *key)
+{
+ uint8_t *kr = key;
+ uint8_t *ks = key + (uint32_t)16U;
+ uint64_t *acc = ctx;
+ uint64_t *r = ctx + (uint32_t)3U;
+ uint64_t *r_20 = ctx + (uint32_t)3U * (uint32_t)2U;
+ uint64_t *sk = ctx + (uint32_t)3U * (uint32_t)3U;
+ uint64_t u0;
+ uint64_t lo0;
+ uint64_t u1;
+ uint64_t hi0;
+ uint64_t lo2;
+ uint64_t hi2;
+ uint64_t mask0;
+ uint64_t mask1;
+ uint64_t lo1;
+ uint64_t hi1;
+ uint64_t u2;
+ uint64_t lo;
+ uint64_t u;
+ uint64_t hi;
+ uint64_t sl;
+ uint64_t sh;
+ acc[0U] = (uint64_t)0U;
+ acc[1U] = (uint64_t)0U;
+ acc[2U] = (uint64_t)0U;
+ u0 = load64_le(kr);
+ lo0 = u0;
+ u1 = load64_le(kr + (uint32_t)8U);
+ hi0 = u1;
+ lo2 = lo0;
+ hi2 = hi0;
+ mask0 = (uint64_t)0x0ffffffc0fffffffU;
+ mask1 = (uint64_t)0x0ffffffc0ffffffcU;
+ lo1 = lo2 & mask0;
+ hi1 = hi2 & mask1;
+ r[0U] = lo1 & (uint64_t)0xfffffffffffU;
+ r[1U] = lo1 >> (uint32_t)44U ^ (hi1 & (uint64_t)0xffffffU) << (uint32_t)20U;
+ r[2U] = hi1 >> (uint32_t)24U;
+ r_20[0U] = r[0U] * (uint64_t)20U;
+ r_20[1U] = r[1U] * (uint64_t)20U;
+ r_20[2U] = r[2U] * (uint64_t)20U;
+ u2 = load64_le(ks);
+ lo = u2;
+ u = load64_le(ks + (uint32_t)8U);
+ hi = u;
+ sl = lo;
+ sh = hi;
+ sk[0U] = sl & (uint64_t)0xfffffffffffU;
+ sk[1U] = sl >> (uint32_t)44U ^ (sh & (uint64_t)0xffffffU) << (uint32_t)20U;
+ sk[2U] = sh >> (uint32_t)24U;
+}
+
+void Hacl_Poly1305_64_poly1305_update(uint64_t *ctx, uint8_t *text, uint32_t len)
+{
+ uint64_t *acc = ctx;
+ uint64_t *r = ctx + (uint32_t)3U;
+ uint64_t *r_20 = ctx + (uint32_t)3U * (uint32_t)2U;
+ uint64_t e[3U] = { 0U };
+ uint32_t blocks = len / (uint32_t)16U;
+ uint32_t rem1;
+ {
+ uint32_t i;
+ for (i = (uint32_t)0U; i < blocks; i = i + (uint32_t)1U)
+ {
+ uint8_t *b = text + i * (uint32_t)16U;
+ uint64_t u0 = load64_le(b);
+ uint64_t lo0 = u0;
+ uint64_t u = load64_le(b + (uint32_t)8U);
+ uint64_t hi0 = u;
+ uint64_t lo = lo0;
+ uint64_t hi = hi0;
+ e[0U] = lo & (uint64_t)0xfffffffffffU;
+ e[1U] = lo >> (uint32_t)44U ^ (hi & (uint64_t)0xffffffU) << (uint32_t)20U;
+ e[2U] = hi >> (uint32_t)24U;
+ e[2U] = e[2U] | (uint64_t)0x10000000000U;
+ Hacl_Impl_Poly1305_Field64_fadd_mul_felem(acc, e, r, r_20);
+ }
+ }
+ rem1 = len % (uint32_t)16U;
+ if (rem1 > (uint32_t)0U)
+ {
+ uint8_t *b = text + blocks * (uint32_t)16U;
+ uint8_t tmp[16U] = { 0U };
+ memcpy(tmp, b, rem1 * sizeof b[0U]);
+ {
+ uint64_t u0 = load64_le(tmp);
+ uint64_t lo0 = u0;
+ uint64_t u = load64_le(tmp + (uint32_t)8U);
+ uint64_t hi0 = u;
+ uint64_t lo = lo0;
+ uint64_t hi = hi0;
+ e[0U] = lo & (uint64_t)0xfffffffffffU;
+ e[1U] = lo >> (uint32_t)44U ^ (hi & (uint64_t)0xffffffU) << (uint32_t)20U;
+ e[2U] = hi >> (uint32_t)24U;
+ if (rem1 * (uint32_t)8U < (uint32_t)44U)
+ {
+ e[0U] = e[0U] | (uint64_t)1U << rem1 * (uint32_t)8U;
+ }
+ else
+ {
+ if (rem1 * (uint32_t)8U < (uint32_t)88U)
+ {
+ e[1U] = e[1U] | (uint64_t)1U << (rem1 * (uint32_t)8U - (uint32_t)44U);
+ }
+ else
+ {
+ e[2U] = e[2U] | (uint64_t)1U << (rem1 * (uint32_t)8U - (uint32_t)88U);
+ }
+ }
+ Hacl_Impl_Poly1305_Field64_fadd_mul_felem(acc, e, r, r_20);
+ }
+ }
+}
+
+void Hacl_Poly1305_64_poly1305_finish(uint64_t *ctx, uint8_t *tag)
+{
+ uint64_t *acc = ctx;
+ uint64_t *sk = ctx + (uint32_t)3U * (uint32_t)3U;
+ uint64_t f00;
+ uint64_t f10;
+ uint64_t f2;
+ uint64_t mask;
+ uint64_t mask1;
+ uint64_t mask2;
+ uint64_t p0;
+ uint64_t p1;
+ uint64_t p2;
+ uint64_t f0;
+ uint64_t f1;
+ uint64_t lo;
+ uint64_t hi;
+ Hacl_Impl_Poly1305_Field64_carry_felem(acc);
+ Hacl_Impl_Poly1305_Field64_carry_top_felem(acc);
+ f00 = acc[0U];
+ f10 = acc[1U];
+ f2 = acc[2U];
+ mask = Lib_Utils_uint64_eq_mask(f2, (uint64_t)0x3ffffffffffU);
+ mask1 = mask & Lib_Utils_uint64_eq_mask(f10, (uint64_t)0xfffffffffffU);
+ mask2 = mask1 & Lib_Utils_uint64_gte_mask(f00, (uint64_t)0xffffffffffbU);
+ p0 = mask2 & (uint64_t)0xffffffffffbU;
+ p1 = mask2 & (uint64_t)0xfffffffffffU;
+ p2 = mask2 & (uint64_t)0x3ffffffffffU;
+ acc[0U] = f00 - p0;
+ acc[1U] = f10 - p1;
+ acc[2U] = f2 - p2;
+ Hacl_Impl_Poly1305_Field64_add_felem(acc, sk);
+ Hacl_Impl_Poly1305_Field64_carry_felem(acc);
+ f0 = acc[0U] | acc[1U] << (uint32_t)44U;
+ f1 = acc[1U] >> (uint32_t)20U | acc[2U] << (uint32_t)24U;
+ lo = f0;
+ hi = f1;
+ store64_le(tag, lo);
+ store64_le(tag + (uint32_t)8U, hi);
+}
+
+void poly1305_hacl64(uint8_t *o, uint8_t *t, uint32_t l, uint8_t *k)
+{
+ {
+ uint64_t ctx[(uint32_t)3U * (uint32_t)4U];
+ memset(ctx, 0U, (uint32_t)3U * (uint32_t)4U * sizeof ctx[0U]);
+ {
+ uint8_t *kr = k;
+ uint8_t *ks = k + (uint32_t)16U;
+ uint64_t *acc0 = ctx;
+ uint64_t *r0 = ctx + (uint32_t)3U;
+ uint64_t *r_200 = ctx + (uint32_t)3U * (uint32_t)2U;
+ uint64_t *sk0 = ctx + (uint32_t)3U * (uint32_t)3U;
+ uint64_t u0;
+ uint64_t lo0;
+ uint64_t u1;
+ uint64_t hi0;
+ uint64_t lo2;
+ uint64_t hi2;
+ uint64_t mask0;
+ uint64_t mask10;
+ uint64_t lo1;
+ uint64_t hi1;
+ uint64_t u2;
+ uint64_t lo3;
+ uint64_t u3;
+ uint64_t hi3;
+ uint64_t sl;
+ uint64_t sh;
+ acc0[0U] = (uint64_t)0U;
+ acc0[1U] = (uint64_t)0U;
+ acc0[2U] = (uint64_t)0U;
+ u0 = load64_le(kr);
+ lo0 = u0;
+ u1 = load64_le(kr + (uint32_t)8U);
+ hi0 = u1;
+ lo2 = lo0;
+ hi2 = hi0;
+ mask0 = (uint64_t)0x0ffffffc0fffffffU;
+ mask10 = (uint64_t)0x0ffffffc0ffffffcU;
+ lo1 = lo2 & mask0;
+ hi1 = hi2 & mask10;
+ r0[0U] = lo1 & (uint64_t)0xfffffffffffU;
+ r0[1U] = lo1 >> (uint32_t)44U ^ (hi1 & (uint64_t)0xffffffU) << (uint32_t)20U;
+ r0[2U] = hi1 >> (uint32_t)24U;
+ r_200[0U] = r0[0U] * (uint64_t)20U;
+ r_200[1U] = r0[1U] * (uint64_t)20U;
+ r_200[2U] = r0[2U] * (uint64_t)20U;
+ u2 = load64_le(ks);
+ lo3 = u2;
+ u3 = load64_le(ks + (uint32_t)8U);
+ hi3 = u3;
+ sl = lo3;
+ sh = hi3;
+ sk0[0U] = sl & (uint64_t)0xfffffffffffU;
+ sk0[1U] = sl >> (uint32_t)44U ^ (sh & (uint64_t)0xffffffU) << (uint32_t)20U;
+ sk0[2U] = sh >> (uint32_t)24U;
+ {
+ uint64_t *acc1 = ctx;
+ uint64_t *r = ctx + (uint32_t)3U;
+ uint64_t *r_20 = ctx + (uint32_t)3U * (uint32_t)2U;
+ uint64_t e[3U] = { 0U };
+ uint32_t blocks = l / (uint32_t)16U;
+ uint32_t rem1;
+ uint64_t *acc;
+ uint64_t *sk;
+ uint64_t f00;
+ uint64_t f10;
+ uint64_t f2;
+ uint64_t mask;
+ uint64_t mask1;
+ uint64_t mask2;
+ uint64_t p0;
+ uint64_t p1;
+ uint64_t p2;
+ uint64_t f0;
+ uint64_t f1;
+ uint64_t lo4;
+ uint64_t hi4;
+ {
+ uint32_t i;
+ for (i = (uint32_t)0U; i < blocks; i = i + (uint32_t)1U)
+ {
+ uint8_t *b = t + i * (uint32_t)16U;
+ uint64_t u0 = load64_le(b);
+ uint64_t lo0 = u0;
+ uint64_t u = load64_le(b + (uint32_t)8U);
+ uint64_t hi0 = u;
+ uint64_t lo = lo0;
+ uint64_t hi = hi0;
+ e[0U] = lo & (uint64_t)0xfffffffffffU;
+ e[1U] = lo >> (uint32_t)44U ^ (hi & (uint64_t)0xffffffU) << (uint32_t)20U;
+ e[2U] = hi >> (uint32_t)24U;
+ e[2U] = e[2U] | (uint64_t)0x10000000000U;
+ Hacl_Impl_Poly1305_Field64_fadd_mul_felem(acc1, e, r, r_20);
+ }
+ }
+ rem1 = l % (uint32_t)16U;
+ if (rem1 > (uint32_t)0U)
+ {
+ uint8_t *b = t + blocks * (uint32_t)16U;
+ uint8_t tmp[16U] = { 0U };
+ memcpy(tmp, b, rem1 * sizeof b[0U]);
+ {
+ uint64_t u0 = load64_le(tmp);
+ uint64_t lo0 = u0;
+ uint64_t u = load64_le(tmp + (uint32_t)8U);
+ uint64_t hi0 = u;
+ uint64_t lo = lo0;
+ uint64_t hi = hi0;
+ e[0U] = lo & (uint64_t)0xfffffffffffU;
+ e[1U] = lo >> (uint32_t)44U ^ (hi & (uint64_t)0xffffffU) << (uint32_t)20U;
+ e[2U] = hi >> (uint32_t)24U;
+ if (rem1 * (uint32_t)8U < (uint32_t)44U)
+ {
+ e[0U] = e[0U] | (uint64_t)1U << rem1 * (uint32_t)8U;
+ }
+ else
+ {
+ if (rem1 * (uint32_t)8U < (uint32_t)88U)
+ {
+ e[1U] = e[1U] | (uint64_t)1U << (rem1 * (uint32_t)8U - (uint32_t)44U);
+ }
+ else
+ {
+ e[2U] = e[2U] | (uint64_t)1U << (rem1 * (uint32_t)8U - (uint32_t)88U);
+ }
+ }
+ Hacl_Impl_Poly1305_Field64_fadd_mul_felem(acc1, e, r, r_20);
+ }
+ }
+ acc = ctx;
+ sk = ctx + (uint32_t)3U * (uint32_t)3U;
+ Hacl_Impl_Poly1305_Field64_carry_felem(acc);
+ Hacl_Impl_Poly1305_Field64_carry_top_felem(acc);
+ f00 = acc[0U];
+ f10 = acc[1U];
+ f2 = acc[2U];
+ mask = Lib_Utils_uint64_eq_mask(f2, (uint64_t)0x3ffffffffffU);
+ mask1 = mask & Lib_Utils_uint64_eq_mask(f10, (uint64_t)0xfffffffffffU);
+ mask2 = mask1 & Lib_Utils_uint64_gte_mask(f00, (uint64_t)0xffffffffffbU);
+ p0 = mask2 & (uint64_t)0xffffffffffbU;
+ p1 = mask2 & (uint64_t)0xfffffffffffU;
+ p2 = mask2 & (uint64_t)0x3ffffffffffU;
+ acc[0U] = f00 - p0;
+ acc[1U] = f10 - p1;
+ acc[2U] = f2 - p2;
+ Hacl_Impl_Poly1305_Field64_add_felem(acc, sk);
+ Hacl_Impl_Poly1305_Field64_carry_felem(acc);
+ f0 = acc[0U] | acc[1U] << (uint32_t)44U;
+ f1 = acc[1U] >> (uint32_t)20U | acc[2U] << (uint32_t)24U;
+ lo4 = f0;
+ hi4 = f1;
+ store64_le(o, lo4);
+ store64_le(o + (uint32_t)8U, hi4);
+ }
+ }
+ }
+}
diff --git a/test_vectors.h b/test_vectors.h
index eff13c0..5b94601 100644
--- a/test_vectors.h
+++ b/test_vectors.h
@@ -3,1481 +3,816 @@
* Copyright (C) 2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
*/
-struct poly1305_testdata {
- size_t size;
- const u8 data[1024];
-};
-
struct poly1305_testvec {
- struct poly1305_testdata input, key, expected;
+ u8 input[600];
+ u8 output[POLY1305_MAC_SIZE];
+ u8 key[POLY1305_KEY_SIZE];
+ size_t ilen;
};
-static const struct poly1305_testvec poly1305_test_vectors[] = {
- /*
- * RFC7539
- */
- {
- {
- 34,
- {
- 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
- 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
- 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
- 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
-
- 0x75, 0x70
- }
- },
- {
- 32,
- {
- 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
- 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
- 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
- 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b
- }
- },
- {
- 16,
- {
- 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
- 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9
- }
- }
- },
- /*
- * test vectors from "The Poly1305-AES message-authentication code"
- */
- {
- {
- 2,
- {
- 0xf3, 0xf6
- }
- },
- {
- 32,
- {
- 0x85, 0x1f, 0xc4, 0x0c, 0x34, 0x67, 0xac, 0x0b,
- 0xe0, 0x5c, 0xc2, 0x04, 0x04, 0xf3, 0xf7, 0x00,
- 0x58, 0x0b, 0x3b, 0x0f, 0x94, 0x47, 0xbb, 0x1e,
- 0x69, 0xd0, 0x95, 0xb5, 0x92, 0x8b, 0x6d, 0xbc
- }
- },
- {
- 16,
- {
- 0xf4, 0xc6, 0x33, 0xc3, 0x04, 0x4f, 0xc1, 0x45,
- 0xf8, 0x4f, 0x33, 0x5c, 0xb8, 0x19, 0x53, 0xde
- }
- }
- },
- {
- {
- 0,
- {
- 0
- }
- },
- {
- 32,
- {
- 0xa0, 0xf3, 0x08, 0x00, 0x00, 0xf4, 0x64, 0x00,
- 0xd0, 0xc7, 0xe9, 0x07, 0x6c, 0x83, 0x44, 0x03,
- 0xdd, 0x3f, 0xab, 0x22, 0x51, 0xf1, 0x1a, 0xc7,
- 0x59, 0xf0, 0x88, 0x71, 0x29, 0xcc, 0x2e, 0xe7
- }
- },
- {
- 16,
- {
- 0xdd, 0x3f, 0xab, 0x22, 0x51, 0xf1, 0x1a, 0xc7,
- 0x59, 0xf0, 0x88, 0x71, 0x29, 0xcc, 0x2e, 0xe7
- }
- }
- },
- {
- {
- 32,
- {
- 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
- 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
- 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
- 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36
- }
- },
- {
- 32,
- {
- 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
- 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
- 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
- 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef
- }
- },
- {
- 16,
- {
- 0x0e, 0xe1, 0xc1, 0x6b, 0xb7, 0x3f, 0x0f, 0x4f,
- 0xd1, 0x98, 0x81, 0x75, 0x3c, 0x01, 0xcd, 0xbe
- }
- }
- },
- {
- {
- 63,
- {
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
- 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
- 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9
- }
- },
- {
- 32,
- {
- 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
- 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
- 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
- 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57
- }
- },
- {
- 16,
- {
- 0x51, 0x54, 0xad, 0x0d, 0x2c, 0xb2, 0x6e, 0x01,
- 0x27, 0x4f, 0xc5, 0x11, 0x48, 0x49, 0x1f, 0x1b
- }
- },
- },
- /*
- * self-generated vectors exercise "significant" lengths, such that
- * are handled by different code paths
- */
- {
- {
- 64,
- {
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
- 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
- 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf
- }
- },
- {
- 32,
- {
- 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
- 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
- 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
- 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57
- }
- },
- {
- 16,
- {
- 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
- 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66
- }
- },
- },
- {
- {
- 48,
- {
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67
- }
- },
- {
- 32,
- {
- 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
- 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
- 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
- 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57
-
- }
- },
- {
- 16,
- {
- 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
- 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61
- }
- },
- },
- {
- {
- 96,
- {
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
- 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
- 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
-
- 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
- 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
- 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
- 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36
- }
- },
- {
- 32,
- {
- 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
- 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
- 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
- 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57
- }
- },
- {
- 16,
- {
- 0xbb, 0xb6, 0x13, 0xb2, 0xb6, 0xd7, 0x53, 0xba,
- 0x07, 0x39, 0x5b, 0x91, 0x6a, 0xae, 0xce, 0x15
- }
- },
- },
- {
- {
- 112,
- {
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
- 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
- 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
-
- 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
- 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
- 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
- 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
-
- 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
- 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24
- }
- },
- {
- 32,
- {
- 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
- 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
- 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
- 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57
- }
- },
- {
- 16,
- {
- 0xc7, 0x94, 0xd7, 0x05, 0x7d, 0x17, 0x78, 0xc4,
- 0xbb, 0xee, 0x0a, 0x39, 0xb3, 0xd9, 0x73, 0x42
- }
- },
- },
- {
- {
- 128,
- {
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
- 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
- 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
-
- 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
- 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
- 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
- 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
-
- 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
- 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
- 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
- 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36
- }
- },
- {
- 32,
- {
- 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
- 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
- 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
- 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57
- }
- },
- {
- 16,
- {
- 0xff, 0xbc, 0xb9, 0xb3, 0x71, 0x42, 0x31, 0x52,
- 0xd7, 0xfc, 0xa5, 0xad, 0x04, 0x2f, 0xba, 0xa9
- }
- },
- },
- {
- {
- 144,
- {
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
- 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
- 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
-
- 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
- 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
- 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
- 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
-
- 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
- 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
- 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
- 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
-
- 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
- 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66
- }
- },
- {
- 32,
- {
- 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
- 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
- 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
- 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57
- }
- },
- {
- 16,
- {
- 0x06, 0x9e, 0xd6, 0xb8, 0xef, 0x0f, 0x20, 0x7b,
- 0x3e, 0x24, 0x3b, 0xb1, 0x01, 0x9f, 0xe6, 0x32
- }
- },
- },
- {
- {
- 160,
- {
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
- 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
- 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
-
- 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
- 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
- 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
- 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
-
- 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
- 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
- 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
- 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
-
- 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
- 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66,
- 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
- 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61
- }
- },
- {
- 32,
- {
- 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
- 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
- 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
- 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57
- }
- },
- {
- 16,
- {
- 0xcc, 0xa3, 0x39, 0xd9, 0xa4, 0x5f, 0xa2, 0x36,
- 0x8c, 0x2c, 0x68, 0xb3, 0xa4, 0x17, 0x91, 0x33
- }
- },
- },
- {
- {
- 288,
- {
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
- 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
- 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
-
- 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
- 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
- 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
- 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
-
- 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
- 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
- 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
- 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
-
- 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
- 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66,
- 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
- 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61,
-
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
- 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
- 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
-
- 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
- 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
- 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
- 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
-
- 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
- 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
- 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
- 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36
- }
- },
- {
- 32,
- {
- 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
- 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
- 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
- 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57
- }
- },
- {
- 16,
- {
- 0x53, 0xf6, 0xe8, 0x28, 0xa2, 0xf0, 0xfe, 0x0e,
- 0xe8, 0x15, 0xbf, 0x0b, 0xd5, 0x84, 0x1a, 0x34
- }
- },
- },
- {
- {
- 320,
- {
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
- 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
- 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
-
- 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
- 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
- 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
- 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
-
- 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
- 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
- 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
- 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
-
- 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
- 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66,
- 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
- 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61,
-
- 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
- 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
- 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
- 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
-
- 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
- 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
- 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
- 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
-
- 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
- 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
- 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
- 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
-
- 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
- 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
- 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
- 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
-
- 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
- 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66,
- 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
- 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61
- }
- },
- {
- 32,
- {
- 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
- 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
- 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
- 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57
- }
- },
- {
- 16,
- {
- 0xb8, 0x46, 0xd4, 0x4e, 0x9b, 0xbd, 0x53, 0xce,
- 0xdf, 0xfb, 0xfb, 0xb6, 0xb7, 0xfa, 0x49, 0x33
- }
- },
- },
- /*
- * 4th power of the key spills to 131th bit in SIMD key setup
- */
- {
- {
- 256,
- {
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
- }
- },
- {
- 32,
- {
- 0xad, 0x62, 0x81, 0x07, 0xe8, 0x35, 0x1d, 0x0f,
- 0x2c, 0x23, 0x1a, 0x05, 0xdc, 0x4a, 0x41, 0x06,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 16,
- {
- 0x07, 0x14, 0x5a, 0x4c, 0x02, 0xfe, 0x5f, 0xa3,
- 0x20, 0x36, 0xde, 0x68, 0xfa, 0xbe, 0x90, 0x66
- }
- },
- },
- /*
- * OpenSSL's poly1305_ieee754.c failed this in final stage
- */
- {
- {
- 252,
- {
- 0x84, 0x23, 0x64, 0xe1, 0x56, 0x33, 0x6c, 0x09,
- 0x98, 0xb9, 0x33, 0xa6, 0x23, 0x77, 0x26, 0x18,
- 0x0d, 0x9e, 0x3f, 0xdc, 0xbd, 0xe4, 0xcd, 0x5d,
- 0x17, 0x08, 0x0f, 0xc3, 0xbe, 0xb4, 0x96, 0x14,
-
- 0xd7, 0x12, 0x2c, 0x03, 0x74, 0x63, 0xff, 0x10,
- 0x4d, 0x73, 0xf1, 0x9c, 0x12, 0x70, 0x46, 0x28,
- 0xd4, 0x17, 0xc4, 0xc5, 0x4a, 0x3f, 0xe3, 0x0d,
- 0x3c, 0x3d, 0x77, 0x14, 0x38, 0x2d, 0x43, 0xb0,
-
- 0x38, 0x2a, 0x50, 0xa5, 0xde, 0xe5, 0x4b, 0xe8,
- 0x44, 0xb0, 0x76, 0xe8, 0xdf, 0x88, 0x20, 0x1a,
- 0x1c, 0xd4, 0x3b, 0x90, 0xeb, 0x21, 0x64, 0x3f,
- 0xa9, 0x6f, 0x39, 0xb5, 0x18, 0xaa, 0x83, 0x40,
-
- 0xc9, 0x42, 0xff, 0x3c, 0x31, 0xba, 0xf7, 0xc9,
- 0xbd, 0xbf, 0x0f, 0x31, 0xae, 0x3f, 0xa0, 0x96,
- 0xbf, 0x8c, 0x63, 0x03, 0x06, 0x09, 0x82, 0x9f,
- 0xe7, 0x2e, 0x17, 0x98, 0x24, 0x89, 0x0b, 0xc8,
-
- 0xe0, 0x8c, 0x31, 0x5c, 0x1c, 0xce, 0x2a, 0x83,
- 0x14, 0x4d, 0xbb, 0xff, 0x09, 0xf7, 0x4e, 0x3e,
- 0xfc, 0x77, 0x0b, 0x54, 0xd0, 0x98, 0x4a, 0x8f,
- 0x19, 0xb1, 0x47, 0x19, 0xe6, 0x36, 0x35, 0x64,
-
- 0x1d, 0x6b, 0x1e, 0xed, 0xf6, 0x3e, 0xfb, 0xf0,
- 0x80, 0xe1, 0x78, 0x3d, 0x32, 0x44, 0x54, 0x12,
- 0x11, 0x4c, 0x20, 0xde, 0x0b, 0x83, 0x7a, 0x0d,
- 0xfa, 0x33, 0xd6, 0xb8, 0x28, 0x25, 0xff, 0xf4,
-
- 0x4c, 0x9a, 0x70, 0xea, 0x54, 0xce, 0x47, 0xf0,
- 0x7d, 0xf6, 0x98, 0xe6, 0xb0, 0x33, 0x23, 0xb5,
- 0x30, 0x79, 0x36, 0x4a, 0x5f, 0xc3, 0xe9, 0xdd,
- 0x03, 0x43, 0x92, 0xbd, 0xde, 0x86, 0xdc, 0xcd,
-
- 0xda, 0x94, 0x32, 0x1c, 0x5e, 0x44, 0x06, 0x04,
- 0x89, 0x33, 0x6c, 0xb6, 0x5b, 0xf3, 0x98, 0x9c,
- 0x36, 0xf7, 0x28, 0x2c, 0x2f, 0x5d, 0x2b, 0x88,
- 0x2c, 0x17, 0x1e, 0x74
- }
- },
- {
- 32,
- {
- 0x95, 0xd5, 0xc0, 0x05, 0x50, 0x3e, 0x51, 0x0d,
- 0x8c, 0xd0, 0xaa, 0x07, 0x2c, 0x4a, 0x4d, 0x06,
- 0x6e, 0xab, 0xc5, 0x2d, 0x11, 0x65, 0x3d, 0xf4,
- 0x7f, 0xbf, 0x63, 0xab, 0x19, 0x8b, 0xcc, 0x26
- }
- },
- {
- 16,
- {
- 0xf2, 0x48, 0x31, 0x2e, 0x57, 0x8d, 0x9d, 0x58,
- 0xf8, 0xb7, 0xbb, 0x4d, 0x19, 0x10, 0x54, 0x31
- }
- },
- },
- /*
- * AVX2 in OpenSSL's poly1305-x86.pl failed this with 176+32 split
- */
- {
- {
- 208,
- {
- 0x24, 0x8a, 0xc3, 0x10, 0x85, 0xb6, 0xc2, 0xad,
- 0xaa, 0xa3, 0x82, 0x59, 0xa0, 0xd7, 0x19, 0x2c,
- 0x5c, 0x35, 0xd1, 0xbb, 0x4e, 0xf3, 0x9a, 0xd9,
- 0x4c, 0x38, 0xd1, 0xc8, 0x24, 0x79, 0xe2, 0xdd,
-
- 0x21, 0x59, 0xa0, 0x77, 0x02, 0x4b, 0x05, 0x89,
- 0xbc, 0x8a, 0x20, 0x10, 0x1b, 0x50, 0x6f, 0x0a,
- 0x1a, 0xd0, 0xbb, 0xab, 0x76, 0xe8, 0x3a, 0x83,
- 0xf1, 0xb9, 0x4b, 0xe6, 0xbe, 0xae, 0x74, 0xe8,
-
- 0x74, 0xca, 0xb6, 0x92, 0xc5, 0x96, 0x3a, 0x75,
- 0x43, 0x6b, 0x77, 0x61, 0x21, 0xec, 0x9f, 0x62,
- 0x39, 0x9a, 0x3e, 0x66, 0xb2, 0xd2, 0x27, 0x07,
- 0xda, 0xe8, 0x19, 0x33, 0xb6, 0x27, 0x7f, 0x3c,
-
- 0x85, 0x16, 0xbc, 0xbe, 0x26, 0xdb, 0xbd, 0x86,
- 0xf3, 0x73, 0x10, 0x3d, 0x7c, 0xf4, 0xca, 0xd1,
- 0x88, 0x8c, 0x95, 0x21, 0x18, 0xfb, 0xfb, 0xd0,
- 0xd7, 0xb4, 0xbe, 0xdc, 0x4a, 0xe4, 0x93, 0x6a,
-
- 0xff, 0x91, 0x15, 0x7e, 0x7a, 0xa4, 0x7c, 0x54,
- 0x44, 0x2e, 0xa7, 0x8d, 0x6a, 0xc2, 0x51, 0xd3,
- 0x24, 0xa0, 0xfb, 0xe4, 0x9d, 0x89, 0xcc, 0x35,
- 0x21, 0xb6, 0x6d, 0x16, 0xe9, 0xc6, 0x6a, 0x37,
-
- 0x09, 0x89, 0x4e, 0x4e, 0xb0, 0xa4, 0xee, 0xdc,
- 0x4a, 0xe1, 0x94, 0x68, 0xe6, 0x6b, 0x81, 0xf2,
-
- 0x71, 0x35, 0x1b, 0x1d, 0x92, 0x1e, 0xa5, 0x51,
- 0x04, 0x7a, 0xbc, 0xc6, 0xb8, 0x7a, 0x90, 0x1f,
- 0xde, 0x7d, 0xb7, 0x9f, 0xa1, 0x81, 0x8c, 0x11,
- 0x33, 0x6d, 0xbc, 0x07, 0x24, 0x4a, 0x40, 0xeb
- }
- },
- {
- 32,
- {
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 16,
- {
- 0xbc, 0x93, 0x9b, 0xc5, 0x28, 0x14, 0x80, 0xfa,
- 0x99, 0xc6, 0xd6, 0x8c, 0x25, 0x8e, 0xc4, 0x2f
- }
- },
- },
- /*
- * test vectors from Google
- */
- {
- {
- 0,
- {
- 0x00,
- }
- },
- {
- 32,
- {
- 0xc8, 0xaf, 0xaa, 0xc3, 0x31, 0xee, 0x37, 0x2c,
- 0xd6, 0x08, 0x2d, 0xe1, 0x34, 0x94, 0x3b, 0x17,
- 0x47, 0x10, 0x13, 0x0e, 0x9f, 0x6f, 0xea, 0x8d,
- 0x72, 0x29, 0x38, 0x50, 0xa6, 0x67, 0xd8, 0x6c
- }
- },
- {
- 16,
- {
- 0x47, 0x10, 0x13, 0x0e, 0x9f, 0x6f, 0xea, 0x8d,
- 0x72, 0x29, 0x38, 0x50, 0xa6, 0x67, 0xd8, 0x6c
- }
- },
- },
- {
- {
- 12,
- {
- 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f,
- 0x72, 0x6c, 0x64, 0x21
- }
- },
- {
- 32,
- {
- 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
- 0x33, 0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20,
- 0x6b, 0x65, 0x79, 0x20, 0x66, 0x6f, 0x72, 0x20,
- 0x50, 0x6f, 0x6c, 0x79, 0x31, 0x33, 0x30, 0x35
- }
- },
- {
- 16,
- {
- 0xa6, 0xf7, 0x45, 0x00, 0x8f, 0x81, 0xc9, 0x16,
- 0xa2, 0x0d, 0xcc, 0x74, 0xee, 0xf2, 0xb2, 0xf0
- }
- },
- },
- {
- {
- 32,
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 32,
- {
- 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
- 0x33, 0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20,
- 0x6b, 0x65, 0x79, 0x20, 0x66, 0x6f, 0x72, 0x20,
- 0x50, 0x6f, 0x6c, 0x79, 0x31, 0x33, 0x30, 0x35
- }
- },
- {
- 16,
- {
- 0x49, 0xec, 0x78, 0x09, 0x0e, 0x48, 0x1e, 0xc6,
- 0xc2, 0x6b, 0x33, 0xb9, 0x1c, 0xcc, 0x03, 0x07
- }
- },
- },
- {
- {
- 128,
- {
- 0x89, 0xda, 0xb8, 0x0b, 0x77, 0x17, 0xc1, 0xdb,
- 0x5d, 0xb4, 0x37, 0x86, 0x0a, 0x3f, 0x70, 0x21,
- 0x8e, 0x93, 0xe1, 0xb8, 0xf4, 0x61, 0xfb, 0x67,
- 0x7f, 0x16, 0xf3, 0x5f, 0x6f, 0x87, 0xe2, 0xa9,
-
- 0x1c, 0x99, 0xbc, 0x3a, 0x47, 0xac, 0xe4, 0x76,
- 0x40, 0xcc, 0x95, 0xc3, 0x45, 0xbe, 0x5e, 0xcc,
- 0xa5, 0xa3, 0x52, 0x3c, 0x35, 0xcc, 0x01, 0x89,
- 0x3a, 0xf0, 0xb6, 0x4a, 0x62, 0x03, 0x34, 0x27,
-
- 0x03, 0x72, 0xec, 0x12, 0x48, 0x2d, 0x1b, 0x1e,
- 0x36, 0x35, 0x61, 0x69, 0x8a, 0x57, 0x8b, 0x35,
- 0x98, 0x03, 0x49, 0x5b, 0xb4, 0xe2, 0xef, 0x19,
- 0x30, 0xb1, 0x7a, 0x51, 0x90, 0xb5, 0x80, 0xf1,
-
- 0x41, 0x30, 0x0d, 0xf3, 0x0a, 0xdb, 0xec, 0xa2,
- 0x8f, 0x64, 0x27, 0xa8, 0xbc, 0x1a, 0x99, 0x9f,
- 0xd5, 0x1c, 0x55, 0x4a, 0x01, 0x7d, 0x09, 0x5d,
- 0x8c, 0x3e, 0x31, 0x27, 0xda, 0xf9, 0xf5, 0x95
- }
- },
- {
- 32,
- {
- 0x2d, 0x77, 0x3b, 0xe3, 0x7a, 0xdb, 0x1e, 0x4d,
- 0x68, 0x3b, 0xf0, 0x07, 0x5e, 0x79, 0xc4, 0xee,
- 0x03, 0x79, 0x18, 0x53, 0x5a, 0x7f, 0x99, 0xcc,
- 0xb7, 0x04, 0x0f, 0xb5, 0xf5, 0xf4, 0x3a, 0xea
- }
- },
- {
- 16,
- {
- 0xc8, 0x5d, 0x15, 0xed, 0x44, 0xc3, 0x78, 0xd6,
- 0xb0, 0x0e, 0x23, 0x06, 0x4c, 0x7b, 0xcd, 0x51
- }
- },
- },
- {
- {
- 528,
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b,
- 0x17, 0x03, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00,
-
- 0x06, 0xdb, 0x1f, 0x1f, 0x36, 0x8d, 0x69, 0x6a,
- 0x81, 0x0a, 0x34, 0x9c, 0x0c, 0x71, 0x4c, 0x9a,
- 0x5e, 0x78, 0x50, 0xc2, 0x40, 0x7d, 0x72, 0x1a,
- 0xcd, 0xed, 0x95, 0xe0, 0x18, 0xd7, 0xa8, 0x52,
-
- 0x66, 0xa6, 0xe1, 0x28, 0x9c, 0xdb, 0x4a, 0xeb,
- 0x18, 0xda, 0x5a, 0xc8, 0xa2, 0xb0, 0x02, 0x6d,
- 0x24, 0xa5, 0x9a, 0xd4, 0x85, 0x22, 0x7f, 0x3e,
- 0xae, 0xdb, 0xb2, 0xe7, 0xe3, 0x5e, 0x1c, 0x66,
-
- 0xcd, 0x60, 0xf9, 0xab, 0xf7, 0x16, 0xdc, 0xc9,
- 0xac, 0x42, 0x68, 0x2d, 0xd7, 0xda, 0xb2, 0x87,
- 0xa7, 0x02, 0x4c, 0x4e, 0xef, 0xc3, 0x21, 0xcc,
- 0x05, 0x74, 0xe1, 0x67, 0x93, 0xe3, 0x7c, 0xec,
-
- 0x03, 0xc5, 0xbd, 0xa4, 0x2b, 0x54, 0xc1, 0x14,
- 0xa8, 0x0b, 0x57, 0xaf, 0x26, 0x41, 0x6c, 0x7b,
- 0xe7, 0x42, 0x00, 0x5e, 0x20, 0x85, 0x5c, 0x73,
- 0xe2, 0x1d, 0xc8, 0xe2, 0xed, 0xc9, 0xd4, 0x35,
-
- 0xcb, 0x6f, 0x60, 0x59, 0x28, 0x00, 0x11, 0xc2,
- 0x70, 0xb7, 0x15, 0x70, 0x05, 0x1c, 0x1c, 0x9b,
- 0x30, 0x52, 0x12, 0x66, 0x20, 0xbc, 0x1e, 0x27,
- 0x30, 0xfa, 0x06, 0x6c, 0x7a, 0x50, 0x9d, 0x53,
-
- 0xc6, 0x0e, 0x5a, 0xe1, 0xb4, 0x0a, 0xa6, 0xe3,
- 0x9e, 0x49, 0x66, 0x92, 0x28, 0xc9, 0x0e, 0xec,
- 0xb4, 0xa5, 0x0d, 0xb3, 0x2a, 0x50, 0xbc, 0x49,
- 0xe9, 0x0b, 0x4f, 0x4b, 0x35, 0x9a, 0x1d, 0xfd,
-
- 0x11, 0x74, 0x9c, 0xd3, 0x86, 0x7f, 0xcf, 0x2f,
- 0xb7, 0xbb, 0x6c, 0xd4, 0x73, 0x8f, 0x6a, 0x4a,
- 0xd6, 0xf7, 0xca, 0x50, 0x58, 0xf7, 0x61, 0x88,
- 0x45, 0xaf, 0x9f, 0x02, 0x0f, 0x6c, 0x3b, 0x96,
-
- 0x7b, 0x8f, 0x4c, 0xd4, 0xa9, 0x1e, 0x28, 0x13,
- 0xb5, 0x07, 0xae, 0x66, 0xf2, 0xd3, 0x5c, 0x18,
- 0x28, 0x4f, 0x72, 0x92, 0x18, 0x60, 0x62, 0xe1,
- 0x0f, 0xd5, 0x51, 0x0d, 0x18, 0x77, 0x53, 0x51,
-
- 0xef, 0x33, 0x4e, 0x76, 0x34, 0xab, 0x47, 0x43,
- 0xf5, 0xb6, 0x8f, 0x49, 0xad, 0xca, 0xb3, 0x84,
- 0xd3, 0xfd, 0x75, 0xf7, 0x39, 0x0f, 0x40, 0x06,
- 0xef, 0x2a, 0x29, 0x5c, 0x8c, 0x7a, 0x07, 0x6a,
-
- 0xd5, 0x45, 0x46, 0xcd, 0x25, 0xd2, 0x10, 0x7f,
- 0xbe, 0x14, 0x36, 0xc8, 0x40, 0x92, 0x4a, 0xae,
- 0xbe, 0x5b, 0x37, 0x08, 0x93, 0xcd, 0x63, 0xd1,
- 0x32, 0x5b, 0x86, 0x16, 0xfc, 0x48, 0x10, 0x88,
-
- 0x6b, 0xc1, 0x52, 0xc5, 0x32, 0x21, 0xb6, 0xdf,
- 0x37, 0x31, 0x19, 0x39, 0x32, 0x55, 0xee, 0x72,
- 0xbc, 0xaa, 0x88, 0x01, 0x74, 0xf1, 0x71, 0x7f,
- 0x91, 0x84, 0xfa, 0x91, 0x64, 0x6f, 0x17, 0xa2,
-
- 0x4a, 0xc5, 0x5d, 0x16, 0xbf, 0xdd, 0xca, 0x95,
- 0x81, 0xa9, 0x2e, 0xda, 0x47, 0x92, 0x01, 0xf0,
- 0xed, 0xbf, 0x63, 0x36, 0x00, 0xd6, 0x06, 0x6d,
- 0x1a, 0xb3, 0x6d, 0x5d, 0x24, 0x15, 0xd7, 0x13,
-
- 0x51, 0xbb, 0xcd, 0x60, 0x8a, 0x25, 0x10, 0x8d,
- 0x25, 0x64, 0x19, 0x92, 0xc1, 0xf2, 0x6c, 0x53,
- 0x1c, 0xf9, 0xf9, 0x02, 0x03, 0xbc, 0x4c, 0xc1,
- 0x9f, 0x59, 0x27, 0xd8, 0x34, 0xb0, 0xa4, 0x71,
-
- 0x16, 0xd3, 0x88, 0x4b, 0xbb, 0x16, 0x4b, 0x8e,
- 0xc8, 0x83, 0xd1, 0xac, 0x83, 0x2e, 0x56, 0xb3,
- 0x91, 0x8a, 0x98, 0x60, 0x1a, 0x08, 0xd1, 0x71,
- 0x88, 0x15, 0x41, 0xd5, 0x94, 0xdb, 0x39, 0x9c,
-
- 0x6a, 0xe6, 0x15, 0x12, 0x21, 0x74, 0x5a, 0xec,
- 0x81, 0x4c, 0x45, 0xb0, 0xb0, 0x5b, 0x56, 0x54,
- 0x36, 0xfd, 0x6f, 0x13, 0x7a, 0xa1, 0x0a, 0x0c,
- 0x0b, 0x64, 0x37, 0x61, 0xdb, 0xd6, 0xf9, 0xa9,
-
- 0xdc, 0xb9, 0x9b, 0x1a, 0x6e, 0x69, 0x08, 0x54,
- 0xce, 0x07, 0x69, 0xcd, 0xe3, 0x97, 0x61, 0xd8,
- 0x2f, 0xcd, 0xec, 0x15, 0xf0, 0xd9, 0x2d, 0x7d,
- 0x8e, 0x94, 0xad, 0xe8, 0xeb, 0x83, 0xfb, 0xe0
- }
- },
- {
- 32,
- {
- 0x99, 0xe5, 0x82, 0x2d, 0xd4, 0x17, 0x3c, 0x99,
- 0x5e, 0x3d, 0xae, 0x0d, 0xde, 0xfb, 0x97, 0x74,
- 0x3f, 0xde, 0x3b, 0x08, 0x01, 0x34, 0xb3, 0x9f,
- 0x76, 0xe9, 0xbf, 0x8d, 0x0e, 0x88, 0xd5, 0x46
- }
- },
- {
- 16,
- {
- 0x26, 0x37, 0x40, 0x8f, 0xe1, 0x30, 0x86, 0xea,
- 0x73, 0xf9, 0x71, 0xe3, 0x42, 0x5e, 0x28, 0x20
- }
- },
- },
- /*
- * test vectors from Hanno Böck
- */
- {
- {
- 257,
- {
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xcc, 0x80, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
-
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xce, 0xcc, 0xcc, 0xcc,
-
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xc5,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
-
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xe3, 0xcc, 0xcc,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
-
- 0xcc, 0xcc, 0xcc, 0xcc, 0xac, 0xcc, 0xcc, 0xcc,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xe6,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x00, 0x00, 0x00,
- 0xaf, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
-
- 0xcc, 0xcc, 0xff, 0xff, 0xff, 0xf5, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-
- 0x00, 0xff, 0xff, 0xff, 0xe7, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x71, 0x92, 0x05, 0xa8, 0x52, 0x1d,
-
- 0xfc
- }
- },
- {
- 32,
- {
- 0x7f, 0x1b, 0x02, 0x64, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc
- }
- },
- {
- 16,
- {
- 0x85, 0x59, 0xb8, 0x76, 0xec, 0xee, 0xd6, 0x6e,
- 0xb3, 0x77, 0x98, 0xc0, 0x45, 0x7b, 0xaf, 0xf9
- }
- },
- },
- {
- {
- 39,
- {
- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
- 0xaa, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00, 0x00,
-
- 0x00, 0x00, 0x00, 0x00, 0x80, 0x02, 0x64
- }
- },
- {
- 32,
- {
- 0xe0, 0x00, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
- }
- },
- {
- 16,
- {
- 0x00, 0xbd, 0x12, 0x58, 0x97, 0x8e, 0x20, 0x54,
- 0x44, 0xc9, 0xaa, 0xaa, 0x82, 0x00, 0x6f, 0xed
- }
- },
- },
- {
- {
- 2,
- {
- 0x02, 0xfc
- }
- },
- {
- 32,
- {
- 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
- 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
- 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
- 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c
- }
- },
- {
- 16,
- {
- 0x06, 0x12, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
- 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c
- }
- },
- },
- {
- {
- 415,
- {
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
-
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7a, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
-
- 0x7b, 0x7b, 0x5c, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
-
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x6e, 0x7b, 0x00, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
-
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7a, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
-
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x5c,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
-
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
- 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
-
- 0x7b, 0x6e, 0x7b, 0x00, 0x13, 0x00, 0x00, 0x00,
- 0x00, 0xb3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-
- 0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x20, 0x00, 0xef, 0xff, 0x00,
- 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
- 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x64, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00,
-
- 0xb3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf2,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x20, 0x00, 0xef, 0xff, 0x00, 0x09,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x7a, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
-
- 0x00, 0x09, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc
- }
- },
- {
- 32,
- {
- 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x7b
- }
- },
- {
- 16,
- {
- 0x33, 0x20, 0x5b, 0xbf, 0x9e, 0x9f, 0x8f, 0x72,
- 0x12, 0xab, 0x9e, 0x2a, 0xb9, 0xb7, 0xe4, 0xa5
- }
- },
- },
- {
- {
- 118,
- {
- 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
- 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
- 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
- 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
-
- 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
- 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
- 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
- 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
-
- 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
- 0x77, 0x77, 0x77, 0x77, 0xff, 0xff, 0xff, 0xe9,
- 0xe9, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac,
- 0xac, 0xac, 0xac, 0xac, 0x00, 0x00, 0xac, 0xac,
-
- 0xec, 0x01, 0x00, 0xac, 0xac, 0xac, 0x2c, 0xac,
- 0xa2, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac,
- 0xac, 0xac, 0xac, 0xac, 0x64, 0xf2
- }
- },
- {
- 32,
- {
- 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00, 0x7f,
- 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0xcf, 0x77, 0x77, 0x77, 0x77, 0x77,
- 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77
- }
- },
- {
- 16,
- {
- 0x02, 0xee, 0x7c, 0x8c, 0x54, 0x6d, 0xde, 0xb1,
- 0xa4, 0x67, 0xe4, 0xc3, 0x98, 0x11, 0x58, 0xb9
- }
- },
- },
- /*
- * test vectors from Andrew Moon
- */
- { /* nacl */
- {
- 131,
- {
- 0x8e, 0x99, 0x3b, 0x9f, 0x48, 0x68, 0x12, 0x73,
- 0xc2, 0x96, 0x50, 0xba, 0x32, 0xfc, 0x76, 0xce,
- 0x48, 0x33, 0x2e, 0xa7, 0x16, 0x4d, 0x96, 0xa4,
- 0x47, 0x6f, 0xb8, 0xc5, 0x31, 0xa1, 0x18, 0x6a,
-
- 0xc0, 0xdf, 0xc1, 0x7c, 0x98, 0xdc, 0xe8, 0x7b,
- 0x4d, 0xa7, 0xf0, 0x11, 0xec, 0x48, 0xc9, 0x72,
- 0x71, 0xd2, 0xc2, 0x0f, 0x9b, 0x92, 0x8f, 0xe2,
- 0x27, 0x0d, 0x6f, 0xb8, 0x63, 0xd5, 0x17, 0x38,
-
- 0xb4, 0x8e, 0xee, 0xe3, 0x14, 0xa7, 0xcc, 0x8a,
- 0xb9, 0x32, 0x16, 0x45, 0x48, 0xe5, 0x26, 0xae,
- 0x90, 0x22, 0x43, 0x68, 0x51, 0x7a, 0xcf, 0xea,
- 0xbd, 0x6b, 0xb3, 0x73, 0x2b, 0xc0, 0xe9, 0xda,
-
- 0x99, 0x83, 0x2b, 0x61, 0xca, 0x01, 0xb6, 0xde,
- 0x56, 0x24, 0x4a, 0x9e, 0x88, 0xd5, 0xf9, 0xb3,
- 0x79, 0x73, 0xf6, 0x22, 0xa4, 0x3d, 0x14, 0xa6,
- 0x59, 0x9b, 0x1f, 0x65, 0x4c, 0xb4, 0x5a, 0x74,
-
- 0xe3, 0x55, 0xa5
- }
- },
- {
- 32,
- {
- 0xee, 0xa6, 0xa7, 0x25, 0x1c, 0x1e, 0x72, 0x91,
- 0x6d, 0x11, 0xc2, 0xcb, 0x21, 0x4d, 0x3c, 0x25,
- 0x25, 0x39, 0x12, 0x1d, 0x8e, 0x23, 0x4e, 0x65,
- 0x2d, 0x65, 0x1f, 0xa4, 0xc8, 0xcf, 0xf8, 0x80
- }
- },
- {
- 16,
- {
- 0xf3, 0xff, 0xc7, 0x70, 0x3f, 0x94, 0x00, 0xe5,
- 0x2a, 0x7d, 0xfb, 0x4b, 0x3d, 0x33, 0x05, 0xd9
- }
- },
- },
- { /* wrap 2^130-5 */
- {
- 16,
- {
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
- }
- },
- {
- 32,
- {
- 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 16,
- {
- 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- },
- { /* wrap 2^128 */
- {
- 16,
- {
- 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 32,
- {
- 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
- }
- },
- {
- 16,
- {
- 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- },
- { /* limb carry */
- {
- 48,
- {
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-
- 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 32,
- {
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 16,
- {
- 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- },
- { /* 2^130-5 */
- {
- 48,
- {
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xfb, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe,
- 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe,
-
- 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
- 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01
- }
- },
- {
- 32,
- {
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 16,
- {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-
- }
- },
- },
- { /* 2^130-6 */
- {
- 16,
- {
- 0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
- }
- },
- {
- 32,
- {
- 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 16,
- {
- 0xfa, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
- }
- },
- },
- { /* 5*H+L reduction intermediate */
- {
- 64,
- {
- 0xe3, 0x35, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0xb9,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x33, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0x79, 0xcd,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 32,
- {
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 16,
- {
- 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x55, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- },
- { /* 5*H+L reduction final */
- {
- 48,
- {
- 0xe3, 0x35, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0xb9,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x33, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0x79, 0xcd,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-
- }
- },
- {
- 32,
- {
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- },
- {
- 16,
- {
- 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
- }
- }
- }
-};
+static const struct poly1305_testvec poly1305_testvecs[] = {
+{ /* RFC7539 */
+ .input = { 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
+ 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
+ 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
+ 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
+ 0x75, 0x70 },
+ .ilen = 34,
+ .output = { 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
+ 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9 },
+ .key = { 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
+ 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
+ 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
+ 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b },
+}, { /* "The Poly1305-AES message-authentication code" */
+ .input = { 0xf3, 0xf6 },
+ .ilen = 2,
+ .output = { 0xf4, 0xc6, 0x33, 0xc3, 0x04, 0x4f, 0xc1, 0x45,
+ 0xf8, 0x4f, 0x33, 0x5c, 0xb8, 0x19, 0x53, 0xde },
+ .key = { 0x85, 0x1f, 0xc4, 0x0c, 0x34, 0x67, 0xac, 0x0b,
+ 0xe0, 0x5c, 0xc2, 0x04, 0x04, 0xf3, 0xf7, 0x00,
+ 0x58, 0x0b, 0x3b, 0x0f, 0x94, 0x47, 0xbb, 0x1e,
+ 0x69, 0xd0, 0x95, 0xb5, 0x92, 0x8b, 0x6d, 0xbc },
+}, {
+ .input = "",
+ .ilen = 0,
+ .output = { 0xdd, 0x3f, 0xab, 0x22, 0x51, 0xf1, 0x1a, 0xc7,
+ 0x59, 0xf0, 0x88, 0x71, 0x29, 0xcc, 0x2e, 0xe7 },
+ .key = { 0xa0, 0xf3, 0x08, 0x00, 0x00, 0xf4, 0x64, 0x00,
+ 0xd0, 0xc7, 0xe9, 0x07, 0x6c, 0x83, 0x44, 0x03,
+ 0xdd, 0x3f, 0xab, 0x22, 0x51, 0xf1, 0x1a, 0xc7,
+ 0x59, 0xf0, 0x88, 0x71, 0x29, 0xcc, 0x2e, 0xe7 },
+}, {
+ .input = { 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 },
+ .ilen = 32,
+ .output = { 0x0e, 0xe1, 0xc1, 0x6b, 0xb7, 0x3f, 0x0f, 0x4f,
+ 0xd1, 0x98, 0x81, 0x75, 0x3c, 0x01, 0xcd, 0xbe },
+ .key = { 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef },
+}, {
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9 },
+ .ilen = 63,
+ .output = { 0x51, 0x54, 0xad, 0x0d, 0x2c, 0xb2, 0x6e, 0x01,
+ 0x27, 0x4f, 0xc5, 0x11, 0x48, 0x49, 0x1f, 0x1b },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, { /* self-generated vectors exercise "significant" lengths, such that they
+ * are handled by different code paths */
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf },
+ .ilen = 64,
+ .output = { 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
+ 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, {
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67 },
+ .ilen = 48,
+ .output = { 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
+ 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, {
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 },
+ .ilen = 96,
+ .output = { 0xbb, 0xb6, 0x13, 0xb2, 0xb6, 0xd7, 0x53, 0xba,
+ 0x07, 0x39, 0x5b, 0x91, 0x6a, 0xae, 0xce, 0x15 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, {
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24 },
+ .ilen = 112,
+ .output = { 0xc7, 0x94, 0xd7, 0x05, 0x7d, 0x17, 0x78, 0xc4,
+ 0xbb, 0xee, 0x0a, 0x39, 0xb3, 0xd9, 0x73, 0x42 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, {
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 },
+ .ilen = 128,
+ .output = { 0xff, 0xbc, 0xb9, 0xb3, 0x71, 0x42, 0x31, 0x52,
+ 0xd7, 0xfc, 0xa5, 0xad, 0x04, 0x2f, 0xba, 0xa9 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, {
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
+ 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
+ 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66 },
+ .ilen = 144,
+ .output = { 0x06, 0x9e, 0xd6, 0xb8, 0xef, 0x0f, 0x20, 0x7b,
+ 0x3e, 0x24, 0x3b, 0xb1, 0x01, 0x9f, 0xe6, 0x32 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, {
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
+ 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
+ 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66,
+ 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
+ 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61 },
+ .ilen = 160,
+ .output = { 0xcc, 0xa3, 0x39, 0xd9, 0xa4, 0x5f, 0xa2, 0x36,
+ 0x8c, 0x2c, 0x68, 0xb3, 0xa4, 0x17, 0x91, 0x33 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, {
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
+ 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
+ 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66,
+ 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
+ 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61,
+ 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 },
+ .ilen = 288,
+ .output = { 0x53, 0xf6, 0xe8, 0x28, 0xa2, 0xf0, 0xfe, 0x0e,
+ 0xe8, 0x15, 0xbf, 0x0b, 0xd5, 0x84, 0x1a, 0x34 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, {
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
+ 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
+ 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66,
+ 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
+ 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61,
+ 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
+ 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
+ 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66,
+ 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
+ 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61 },
+ .ilen = 320,
+ .output = { 0xb8, 0x46, 0xd4, 0x4e, 0x9b, 0xbd, 0x53, 0xce,
+ 0xdf, 0xfb, 0xfb, 0xb6, 0xb7, 0xfa, 0x49, 0x33 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, { /* 4th power of the key spills to 131th bit in SIMD key setup */
+ .input = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+ .ilen = 256,
+ .output = { 0x07, 0x14, 0x5a, 0x4c, 0x02, 0xfe, 0x5f, 0xa3,
+ 0x20, 0x36, 0xde, 0x68, 0xfa, 0xbe, 0x90, 0x66 },
+ .key = { 0xad, 0x62, 0x81, 0x07, 0xe8, 0x35, 0x1d, 0x0f,
+ 0x2c, 0x23, 0x1a, 0x05, 0xdc, 0x4a, 0x41, 0x06,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* OpenSSL's poly1305_ieee754.c failed this in final stage */
+ .input = { 0x84, 0x23, 0x64, 0xe1, 0x56, 0x33, 0x6c, 0x09,
+ 0x98, 0xb9, 0x33, 0xa6, 0x23, 0x77, 0x26, 0x18,
+ 0x0d, 0x9e, 0x3f, 0xdc, 0xbd, 0xe4, 0xcd, 0x5d,
+ 0x17, 0x08, 0x0f, 0xc3, 0xbe, 0xb4, 0x96, 0x14,
+ 0xd7, 0x12, 0x2c, 0x03, 0x74, 0x63, 0xff, 0x10,
+ 0x4d, 0x73, 0xf1, 0x9c, 0x12, 0x70, 0x46, 0x28,
+ 0xd4, 0x17, 0xc4, 0xc5, 0x4a, 0x3f, 0xe3, 0x0d,
+ 0x3c, 0x3d, 0x77, 0x14, 0x38, 0x2d, 0x43, 0xb0,
+ 0x38, 0x2a, 0x50, 0xa5, 0xde, 0xe5, 0x4b, 0xe8,
+ 0x44, 0xb0, 0x76, 0xe8, 0xdf, 0x88, 0x20, 0x1a,
+ 0x1c, 0xd4, 0x3b, 0x90, 0xeb, 0x21, 0x64, 0x3f,
+ 0xa9, 0x6f, 0x39, 0xb5, 0x18, 0xaa, 0x83, 0x40,
+ 0xc9, 0x42, 0xff, 0x3c, 0x31, 0xba, 0xf7, 0xc9,
+ 0xbd, 0xbf, 0x0f, 0x31, 0xae, 0x3f, 0xa0, 0x96,
+ 0xbf, 0x8c, 0x63, 0x03, 0x06, 0x09, 0x82, 0x9f,
+ 0xe7, 0x2e, 0x17, 0x98, 0x24, 0x89, 0x0b, 0xc8,
+ 0xe0, 0x8c, 0x31, 0x5c, 0x1c, 0xce, 0x2a, 0x83,
+ 0x14, 0x4d, 0xbb, 0xff, 0x09, 0xf7, 0x4e, 0x3e,
+ 0xfc, 0x77, 0x0b, 0x54, 0xd0, 0x98, 0x4a, 0x8f,
+ 0x19, 0xb1, 0x47, 0x19, 0xe6, 0x36, 0x35, 0x64,
+ 0x1d, 0x6b, 0x1e, 0xed, 0xf6, 0x3e, 0xfb, 0xf0,
+ 0x80, 0xe1, 0x78, 0x3d, 0x32, 0x44, 0x54, 0x12,
+ 0x11, 0x4c, 0x20, 0xde, 0x0b, 0x83, 0x7a, 0x0d,
+ 0xfa, 0x33, 0xd6, 0xb8, 0x28, 0x25, 0xff, 0xf4,
+ 0x4c, 0x9a, 0x70, 0xea, 0x54, 0xce, 0x47, 0xf0,
+ 0x7d, 0xf6, 0x98, 0xe6, 0xb0, 0x33, 0x23, 0xb5,
+ 0x30, 0x79, 0x36, 0x4a, 0x5f, 0xc3, 0xe9, 0xdd,
+ 0x03, 0x43, 0x92, 0xbd, 0xde, 0x86, 0xdc, 0xcd,
+ 0xda, 0x94, 0x32, 0x1c, 0x5e, 0x44, 0x06, 0x04,
+ 0x89, 0x33, 0x6c, 0xb6, 0x5b, 0xf3, 0x98, 0x9c,
+ 0x36, 0xf7, 0x28, 0x2c, 0x2f, 0x5d, 0x2b, 0x88,
+ 0x2c, 0x17, 0x1e, 0x74 },
+ .ilen = 252,
+ .output = { 0xf2, 0x48, 0x31, 0x2e, 0x57, 0x8d, 0x9d, 0x58,
+ 0xf8, 0xb7, 0xbb, 0x4d, 0x19, 0x10, 0x54, 0x31 },
+ .key = { 0x95, 0xd5, 0xc0, 0x05, 0x50, 0x3e, 0x51, 0x0d,
+ 0x8c, 0xd0, 0xaa, 0x07, 0x2c, 0x4a, 0x4d, 0x06,
+ 0x6e, 0xab, 0xc5, 0x2d, 0x11, 0x65, 0x3d, 0xf4,
+ 0x7f, 0xbf, 0x63, 0xab, 0x19, 0x8b, 0xcc, 0x26 },
+}, { /* AVX2 in OpenSSL's poly1305-x86.pl failed this with 176+32 split */
+ .input = { 0x24, 0x8a, 0xc3, 0x10, 0x85, 0xb6, 0xc2, 0xad,
+ 0xaa, 0xa3, 0x82, 0x59, 0xa0, 0xd7, 0x19, 0x2c,
+ 0x5c, 0x35, 0xd1, 0xbb, 0x4e, 0xf3, 0x9a, 0xd9,
+ 0x4c, 0x38, 0xd1, 0xc8, 0x24, 0x79, 0xe2, 0xdd,
+ 0x21, 0x59, 0xa0, 0x77, 0x02, 0x4b, 0x05, 0x89,
+ 0xbc, 0x8a, 0x20, 0x10, 0x1b, 0x50, 0x6f, 0x0a,
+ 0x1a, 0xd0, 0xbb, 0xab, 0x76, 0xe8, 0x3a, 0x83,
+ 0xf1, 0xb9, 0x4b, 0xe6, 0xbe, 0xae, 0x74, 0xe8,
+ 0x74, 0xca, 0xb6, 0x92, 0xc5, 0x96, 0x3a, 0x75,
+ 0x43, 0x6b, 0x77, 0x61, 0x21, 0xec, 0x9f, 0x62,
+ 0x39, 0x9a, 0x3e, 0x66, 0xb2, 0xd2, 0x27, 0x07,
+ 0xda, 0xe8, 0x19, 0x33, 0xb6, 0x27, 0x7f, 0x3c,
+ 0x85, 0x16, 0xbc, 0xbe, 0x26, 0xdb, 0xbd, 0x86,
+ 0xf3, 0x73, 0x10, 0x3d, 0x7c, 0xf4, 0xca, 0xd1,
+ 0x88, 0x8c, 0x95, 0x21, 0x18, 0xfb, 0xfb, 0xd0,
+ 0xd7, 0xb4, 0xbe, 0xdc, 0x4a, 0xe4, 0x93, 0x6a,
+ 0xff, 0x91, 0x15, 0x7e, 0x7a, 0xa4, 0x7c, 0x54,
+ 0x44, 0x2e, 0xa7, 0x8d, 0x6a, 0xc2, 0x51, 0xd3,
+ 0x24, 0xa0, 0xfb, 0xe4, 0x9d, 0x89, 0xcc, 0x35,
+ 0x21, 0xb6, 0x6d, 0x16, 0xe9, 0xc6, 0x6a, 0x37,
+ 0x09, 0x89, 0x4e, 0x4e, 0xb0, 0xa4, 0xee, 0xdc,
+ 0x4a, 0xe1, 0x94, 0x68, 0xe6, 0x6b, 0x81, 0xf2,
+ 0x71, 0x35, 0x1b, 0x1d, 0x92, 0x1e, 0xa5, 0x51,
+ 0x04, 0x7a, 0xbc, 0xc6, 0xb8, 0x7a, 0x90, 0x1f,
+ 0xde, 0x7d, 0xb7, 0x9f, 0xa1, 0x81, 0x8c, 0x11,
+ 0x33, 0x6d, 0xbc, 0x07, 0x24, 0x4a, 0x40, 0xeb },
+ .ilen = 208,
+ .output = { 0xbc, 0x93, 0x9b, 0xc5, 0x28, 0x14, 0x80, 0xfa,
+ 0x99, 0xc6, 0xd6, 0x8c, 0x25, 0x8e, 0xc4, 0x2f },
+ .key = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* test vectors from Google */
+ .input = "",
+ .ilen = 0,
+ .output = { 0x47, 0x10, 0x13, 0x0e, 0x9f, 0x6f, 0xea, 0x8d,
+ 0x72, 0x29, 0x38, 0x50, 0xa6, 0x67, 0xd8, 0x6c },
+ .key = { 0xc8, 0xaf, 0xaa, 0xc3, 0x31, 0xee, 0x37, 0x2c,
+ 0xd6, 0x08, 0x2d, 0xe1, 0x34, 0x94, 0x3b, 0x17,
+ 0x47, 0x10, 0x13, 0x0e, 0x9f, 0x6f, 0xea, 0x8d,
+ 0x72, 0x29, 0x38, 0x50, 0xa6, 0x67, 0xd8, 0x6c },
+}, {
+ .input = { 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f,
+ 0x72, 0x6c, 0x64, 0x21 },
+ .ilen = 12,
+ .output = { 0xa6, 0xf7, 0x45, 0x00, 0x8f, 0x81, 0xc9, 0x16,
+ 0xa2, 0x0d, 0xcc, 0x74, 0xee, 0xf2, 0xb2, 0xf0 },
+ .key = { 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+ 0x33, 0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20,
+ 0x6b, 0x65, 0x79, 0x20, 0x66, 0x6f, 0x72, 0x20,
+ 0x50, 0x6f, 0x6c, 0x79, 0x31, 0x33, 0x30, 0x35 },
+}, {
+ .input = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .ilen = 32,
+ .output = { 0x49, 0xec, 0x78, 0x09, 0x0e, 0x48, 0x1e, 0xc6,
+ 0xc2, 0x6b, 0x33, 0xb9, 0x1c, 0xcc, 0x03, 0x07 },
+ .key = { 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+ 0x33, 0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20,
+ 0x6b, 0x65, 0x79, 0x20, 0x66, 0x6f, 0x72, 0x20,
+ 0x50, 0x6f, 0x6c, 0x79, 0x31, 0x33, 0x30, 0x35 },
+}, {
+ .input = { 0x89, 0xda, 0xb8, 0x0b, 0x77, 0x17, 0xc1, 0xdb,
+ 0x5d, 0xb4, 0x37, 0x86, 0x0a, 0x3f, 0x70, 0x21,
+ 0x8e, 0x93, 0xe1, 0xb8, 0xf4, 0x61, 0xfb, 0x67,
+ 0x7f, 0x16, 0xf3, 0x5f, 0x6f, 0x87, 0xe2, 0xa9,
+ 0x1c, 0x99, 0xbc, 0x3a, 0x47, 0xac, 0xe4, 0x76,
+ 0x40, 0xcc, 0x95, 0xc3, 0x45, 0xbe, 0x5e, 0xcc,
+ 0xa5, 0xa3, 0x52, 0x3c, 0x35, 0xcc, 0x01, 0x89,
+ 0x3a, 0xf0, 0xb6, 0x4a, 0x62, 0x03, 0x34, 0x27,
+ 0x03, 0x72, 0xec, 0x12, 0x48, 0x2d, 0x1b, 0x1e,
+ 0x36, 0x35, 0x61, 0x69, 0x8a, 0x57, 0x8b, 0x35,
+ 0x98, 0x03, 0x49, 0x5b, 0xb4, 0xe2, 0xef, 0x19,
+ 0x30, 0xb1, 0x7a, 0x51, 0x90, 0xb5, 0x80, 0xf1,
+ 0x41, 0x30, 0x0d, 0xf3, 0x0a, 0xdb, 0xec, 0xa2,
+ 0x8f, 0x64, 0x27, 0xa8, 0xbc, 0x1a, 0x99, 0x9f,
+ 0xd5, 0x1c, 0x55, 0x4a, 0x01, 0x7d, 0x09, 0x5d,
+ 0x8c, 0x3e, 0x31, 0x27, 0xda, 0xf9, 0xf5, 0x95 },
+ .ilen = 128,
+ .output = { 0xc8, 0x5d, 0x15, 0xed, 0x44, 0xc3, 0x78, 0xd6,
+ 0xb0, 0x0e, 0x23, 0x06, 0x4c, 0x7b, 0xcd, 0x51 },
+ .key = { 0x2d, 0x77, 0x3b, 0xe3, 0x7a, 0xdb, 0x1e, 0x4d,
+ 0x68, 0x3b, 0xf0, 0x07, 0x5e, 0x79, 0xc4, 0xee,
+ 0x03, 0x79, 0x18, 0x53, 0x5a, 0x7f, 0x99, 0xcc,
+ 0xb7, 0x04, 0x0f, 0xb5, 0xf5, 0xf4, 0x3a, 0xea },
+}, {
+ .input = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b,
+ 0x17, 0x03, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00,
+ 0x06, 0xdb, 0x1f, 0x1f, 0x36, 0x8d, 0x69, 0x6a,
+ 0x81, 0x0a, 0x34, 0x9c, 0x0c, 0x71, 0x4c, 0x9a,
+ 0x5e, 0x78, 0x50, 0xc2, 0x40, 0x7d, 0x72, 0x1a,
+ 0xcd, 0xed, 0x95, 0xe0, 0x18, 0xd7, 0xa8, 0x52,
+ 0x66, 0xa6, 0xe1, 0x28, 0x9c, 0xdb, 0x4a, 0xeb,
+ 0x18, 0xda, 0x5a, 0xc8, 0xa2, 0xb0, 0x02, 0x6d,
+ 0x24, 0xa5, 0x9a, 0xd4, 0x85, 0x22, 0x7f, 0x3e,
+ 0xae, 0xdb, 0xb2, 0xe7, 0xe3, 0x5e, 0x1c, 0x66,
+ 0xcd, 0x60, 0xf9, 0xab, 0xf7, 0x16, 0xdc, 0xc9,
+ 0xac, 0x42, 0x68, 0x2d, 0xd7, 0xda, 0xb2, 0x87,
+ 0xa7, 0x02, 0x4c, 0x4e, 0xef, 0xc3, 0x21, 0xcc,
+ 0x05, 0x74, 0xe1, 0x67, 0x93, 0xe3, 0x7c, 0xec,
+ 0x03, 0xc5, 0xbd, 0xa4, 0x2b, 0x54, 0xc1, 0x14,
+ 0xa8, 0x0b, 0x57, 0xaf, 0x26, 0x41, 0x6c, 0x7b,
+ 0xe7, 0x42, 0x00, 0x5e, 0x20, 0x85, 0x5c, 0x73,
+ 0xe2, 0x1d, 0xc8, 0xe2, 0xed, 0xc9, 0xd4, 0x35,
+ 0xcb, 0x6f, 0x60, 0x59, 0x28, 0x00, 0x11, 0xc2,
+ 0x70, 0xb7, 0x15, 0x70, 0x05, 0x1c, 0x1c, 0x9b,
+ 0x30, 0x52, 0x12, 0x66, 0x20, 0xbc, 0x1e, 0x27,
+ 0x30, 0xfa, 0x06, 0x6c, 0x7a, 0x50, 0x9d, 0x53,
+ 0xc6, 0x0e, 0x5a, 0xe1, 0xb4, 0x0a, 0xa6, 0xe3,
+ 0x9e, 0x49, 0x66, 0x92, 0x28, 0xc9, 0x0e, 0xec,
+ 0xb4, 0xa5, 0x0d, 0xb3, 0x2a, 0x50, 0xbc, 0x49,
+ 0xe9, 0x0b, 0x4f, 0x4b, 0x35, 0x9a, 0x1d, 0xfd,
+ 0x11, 0x74, 0x9c, 0xd3, 0x86, 0x7f, 0xcf, 0x2f,
+ 0xb7, 0xbb, 0x6c, 0xd4, 0x73, 0x8f, 0x6a, 0x4a,
+ 0xd6, 0xf7, 0xca, 0x50, 0x58, 0xf7, 0x61, 0x88,
+ 0x45, 0xaf, 0x9f, 0x02, 0x0f, 0x6c, 0x3b, 0x96,
+ 0x7b, 0x8f, 0x4c, 0xd4, 0xa9, 0x1e, 0x28, 0x13,
+ 0xb5, 0x07, 0xae, 0x66, 0xf2, 0xd3, 0x5c, 0x18,
+ 0x28, 0x4f, 0x72, 0x92, 0x18, 0x60, 0x62, 0xe1,
+ 0x0f, 0xd5, 0x51, 0x0d, 0x18, 0x77, 0x53, 0x51,
+ 0xef, 0x33, 0x4e, 0x76, 0x34, 0xab, 0x47, 0x43,
+ 0xf5, 0xb6, 0x8f, 0x49, 0xad, 0xca, 0xb3, 0x84,
+ 0xd3, 0xfd, 0x75, 0xf7, 0x39, 0x0f, 0x40, 0x06,
+ 0xef, 0x2a, 0x29, 0x5c, 0x8c, 0x7a, 0x07, 0x6a,
+ 0xd5, 0x45, 0x46, 0xcd, 0x25, 0xd2, 0x10, 0x7f,
+ 0xbe, 0x14, 0x36, 0xc8, 0x40, 0x92, 0x4a, 0xae,
+ 0xbe, 0x5b, 0x37, 0x08, 0x93, 0xcd, 0x63, 0xd1,
+ 0x32, 0x5b, 0x86, 0x16, 0xfc, 0x48, 0x10, 0x88,
+ 0x6b, 0xc1, 0x52, 0xc5, 0x32, 0x21, 0xb6, 0xdf,
+ 0x37, 0x31, 0x19, 0x39, 0x32, 0x55, 0xee, 0x72,
+ 0xbc, 0xaa, 0x88, 0x01, 0x74, 0xf1, 0x71, 0x7f,
+ 0x91, 0x84, 0xfa, 0x91, 0x64, 0x6f, 0x17, 0xa2,
+ 0x4a, 0xc5, 0x5d, 0x16, 0xbf, 0xdd, 0xca, 0x95,
+ 0x81, 0xa9, 0x2e, 0xda, 0x47, 0x92, 0x01, 0xf0,
+ 0xed, 0xbf, 0x63, 0x36, 0x00, 0xd6, 0x06, 0x6d,
+ 0x1a, 0xb3, 0x6d, 0x5d, 0x24, 0x15, 0xd7, 0x13,
+ 0x51, 0xbb, 0xcd, 0x60, 0x8a, 0x25, 0x10, 0x8d,
+ 0x25, 0x64, 0x19, 0x92, 0xc1, 0xf2, 0x6c, 0x53,
+ 0x1c, 0xf9, 0xf9, 0x02, 0x03, 0xbc, 0x4c, 0xc1,
+ 0x9f, 0x59, 0x27, 0xd8, 0x34, 0xb0, 0xa4, 0x71,
+ 0x16, 0xd3, 0x88, 0x4b, 0xbb, 0x16, 0x4b, 0x8e,
+ 0xc8, 0x83, 0xd1, 0xac, 0x83, 0x2e, 0x56, 0xb3,
+ 0x91, 0x8a, 0x98, 0x60, 0x1a, 0x08, 0xd1, 0x71,
+ 0x88, 0x15, 0x41, 0xd5, 0x94, 0xdb, 0x39, 0x9c,
+ 0x6a, 0xe6, 0x15, 0x12, 0x21, 0x74, 0x5a, 0xec,
+ 0x81, 0x4c, 0x45, 0xb0, 0xb0, 0x5b, 0x56, 0x54,
+ 0x36, 0xfd, 0x6f, 0x13, 0x7a, 0xa1, 0x0a, 0x0c,
+ 0x0b, 0x64, 0x37, 0x61, 0xdb, 0xd6, 0xf9, 0xa9,
+ 0xdc, 0xb9, 0x9b, 0x1a, 0x6e, 0x69, 0x08, 0x54,
+ 0xce, 0x07, 0x69, 0xcd, 0xe3, 0x97, 0x61, 0xd8,
+ 0x2f, 0xcd, 0xec, 0x15, 0xf0, 0xd9, 0x2d, 0x7d,
+ 0x8e, 0x94, 0xad, 0xe8, 0xeb, 0x83, 0xfb, 0xe0 },
+ .ilen = 528,
+ .output = { 0x26, 0x37, 0x40, 0x8f, 0xe1, 0x30, 0x86, 0xea,
+ 0x73, 0xf9, 0x71, 0xe3, 0x42, 0x5e, 0x28, 0x20 },
+ .key = { 0x99, 0xe5, 0x82, 0x2d, 0xd4, 0x17, 0x3c, 0x99,
+ 0x5e, 0x3d, 0xae, 0x0d, 0xde, 0xfb, 0x97, 0x74,
+ 0x3f, 0xde, 0x3b, 0x08, 0x01, 0x34, 0xb3, 0x9f,
+ 0x76, 0xe9, 0xbf, 0x8d, 0x0e, 0x88, 0xd5, 0x46 },
+}, { /* test vectors from Hanno Böck */
+ .input = { 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0x80, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xce, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xc5,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xe3, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xac, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xe6,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x00, 0x00, 0x00,
+ 0xaf, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xff, 0xff, 0xff, 0xf5, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0xff, 0xff, 0xff, 0xe7, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x71, 0x92, 0x05, 0xa8, 0x52, 0x1d,
+ 0xfc },
+ .ilen = 257,
+ .output = { 0x85, 0x59, 0xb8, 0x76, 0xec, 0xee, 0xd6, 0x6e,
+ 0xb3, 0x77, 0x98, 0xc0, 0x45, 0x7b, 0xaf, 0xf9 },
+ .key = { 0x7f, 0x1b, 0x02, 0x64, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc },
+}, {
+ .input = { 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x80, 0x02, 0x64 },
+ .ilen = 39,
+ .output = { 0x00, 0xbd, 0x12, 0x58, 0x97, 0x8e, 0x20, 0x54,
+ 0x44, 0xc9, 0xaa, 0xaa, 0x82, 0x00, 0x6f, 0xed },
+ .key = { 0xe0, 0x00, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa },
+}, {
+ .input = { 0x02, 0xfc },
+ .ilen = 2,
+ .output = { 0x06, 0x12, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c },
+ .key = { 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c },
+}, {
+ .input = { 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7a, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x5c, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x6e, 0x7b, 0x00, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7a, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x5c,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x6e, 0x7b, 0x00, 0x13, 0x00, 0x00, 0x00,
+ 0x00, 0xb3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x20, 0x00, 0xef, 0xff, 0x00,
+ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
+ 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x64, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00,
+ 0xb3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf2,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x20, 0x00, 0xef, 0xff, 0x00, 0x09,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x7a, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
+ 0x00, 0x09, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc },
+ .ilen = 415,
+ .output = { 0x33, 0x20, 0x5b, 0xbf, 0x9e, 0x9f, 0x8f, 0x72,
+ 0x12, 0xab, 0x9e, 0x2a, 0xb9, 0xb7, 0xe4, 0xa5 },
+ .key = { 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x7b },
+}, {
+ .input = { 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0xff, 0xff, 0xff, 0xe9,
+ 0xe9, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac,
+ 0xac, 0xac, 0xac, 0xac, 0x00, 0x00, 0xac, 0xac,
+ 0xec, 0x01, 0x00, 0xac, 0xac, 0xac, 0x2c, 0xac,
+ 0xa2, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac,
+ 0xac, 0xac, 0xac, 0xac, 0x64, 0xf2 },
+ .ilen = 118,
+ .output = { 0x02, 0xee, 0x7c, 0x8c, 0x54, 0x6d, 0xde, 0xb1,
+ 0xa4, 0x67, 0xe4, 0xc3, 0x98, 0x11, 0x58, 0xb9 },
+ .key = { 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00, 0x7f,
+ 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0xcf, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77 },
+}, { /* nacl */
+ .input = { 0x8e, 0x99, 0x3b, 0x9f, 0x48, 0x68, 0x12, 0x73,
+ 0xc2, 0x96, 0x50, 0xba, 0x32, 0xfc, 0x76, 0xce,
+ 0x48, 0x33, 0x2e, 0xa7, 0x16, 0x4d, 0x96, 0xa4,
+ 0x47, 0x6f, 0xb8, 0xc5, 0x31, 0xa1, 0x18, 0x6a,
+ 0xc0, 0xdf, 0xc1, 0x7c, 0x98, 0xdc, 0xe8, 0x7b,
+ 0x4d, 0xa7, 0xf0, 0x11, 0xec, 0x48, 0xc9, 0x72,
+ 0x71, 0xd2, 0xc2, 0x0f, 0x9b, 0x92, 0x8f, 0xe2,
+ 0x27, 0x0d, 0x6f, 0xb8, 0x63, 0xd5, 0x17, 0x38,
+ 0xb4, 0x8e, 0xee, 0xe3, 0x14, 0xa7, 0xcc, 0x8a,
+ 0xb9, 0x32, 0x16, 0x45, 0x48, 0xe5, 0x26, 0xae,
+ 0x90, 0x22, 0x43, 0x68, 0x51, 0x7a, 0xcf, 0xea,
+ 0xbd, 0x6b, 0xb3, 0x73, 0x2b, 0xc0, 0xe9, 0xda,
+ 0x99, 0x83, 0x2b, 0x61, 0xca, 0x01, 0xb6, 0xde,
+ 0x56, 0x24, 0x4a, 0x9e, 0x88, 0xd5, 0xf9, 0xb3,
+ 0x79, 0x73, 0xf6, 0x22, 0xa4, 0x3d, 0x14, 0xa6,
+ 0x59, 0x9b, 0x1f, 0x65, 0x4c, 0xb4, 0x5a, 0x74,
+ 0xe3, 0x55, 0xa5 },
+ .ilen = 131,
+ .output = { 0xf3, 0xff, 0xc7, 0x70, 0x3f, 0x94, 0x00, 0xe5,
+ 0x2a, 0x7d, 0xfb, 0x4b, 0x3d, 0x33, 0x05, 0xd9 },
+ .key = { 0xee, 0xa6, 0xa7, 0x25, 0x1c, 0x1e, 0x72, 0x91,
+ 0x6d, 0x11, 0xc2, 0xcb, 0x21, 0x4d, 0x3c, 0x25,
+ 0x25, 0x39, 0x12, 0x1d, 0x8e, 0x23, 0x4e, 0x65,
+ 0x2d, 0x65, 0x1f, 0xa4, 0xc8, 0xcf, 0xf8, 0x80 },
+}, { /* wrap 2^130-5 */
+ .input = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+ .ilen = 16,
+ .output = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* wrap 2^128 */
+ .input = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .ilen = 16,
+ .output = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+}, { /* limb carry */
+ .input = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .ilen = 48,
+ .output = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* 2^130-5 */
+ .input = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xfb, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe,
+ 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe,
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
+ .ilen = 48,
+ .output = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* 2^130-6 */
+ .input = { 0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+ .ilen = 16,
+ .output = { 0xfa, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+ .key = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* 5*H+L reduction intermediate */
+ .input = { 0xe3, 0x35, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0xb9,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x33, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0x79, 0xcd,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .ilen = 64,
+ .output = { 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x55, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* 5*H+L reduction final */
+ .input = { 0xe3, 0x35, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0xb9,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x33, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0x79, 0xcd,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .ilen = 48,
+ .output = { 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+} };