Regen assemply files for aarch64.

[FreeBSD/FreeBSD.git] / secure / lib / libcrypto / aarch64 / keccak1600-armv8.S

/* $FreeBSD$ */
/* Do not modify. This file is auto-generated from keccak1600-armv8.pl. */
.text

.align  8       // strategic alignment and padding that allows to use
                // address value as loop termination condition...
.quad   0,0,0,0,0,0,0,0
.type   iotas,%object
iotas:
.quad   0x0000000000000001
.quad   0x0000000000008082
.quad   0x800000000000808a
.quad   0x8000000080008000
.quad   0x000000000000808b
.quad   0x0000000080000001
.quad   0x8000000080008081
.quad   0x8000000000008009
.quad   0x000000000000008a
.quad   0x0000000000000088
.quad   0x0000000080008009
.quad   0x000000008000000a
.quad   0x000000008000808b
.quad   0x800000000000008b
.quad   0x8000000000008089
.quad   0x8000000000008003
.quad   0x8000000000008002
.quad   0x8000000000000080
.quad   0x000000000000800a
.quad   0x800000008000000a
.quad   0x8000000080008081
.quad   0x8000000000008080
.quad   0x0000000080000001
.quad   0x8000000080008008
.size   iotas,.-iotas
.type   KeccakF1600_int,%function
.align  5
KeccakF1600_int:
        adr     x28,iotas
        stp     x28,x30,[sp,#16]                // 32 bytes on top are mine
        b       .Loop
.align  4
.Loop:
        ////////////////////////////////////////// Theta
        eor     x26,x0,x5
        stp     x4,x9,[sp,#0]   // offload pair...
        eor     x27,x1,x6
        eor     x28,x2,x7
        eor     x30,x3,x8
        eor     x4,x4,x9
        eor     x26,x26,x10
        eor     x27,x27,x11
        eor     x28,x28,x12
        eor     x30,x30,x13
        eor     x4,x4,x14
        eor     x26,x26,x15
        eor     x27,x27,x16
        eor     x28,x28,x17
        eor     x30,x30,x25
        eor     x4,x4,x19
        eor     x26,x26,x20
        eor     x28,x28,x22
        eor     x27,x27,x21
        eor     x30,x30,x23
        eor     x4,x4,x24

        eor     x9,x26,x28,ror#63

        eor     x1,x1,x9
        eor     x6,x6,x9
        eor     x11,x11,x9
        eor     x16,x16,x9
        eor     x21,x21,x9

        eor     x9,x27,x30,ror#63
        eor     x28,x28,x4,ror#63
        eor     x30,x30,x26,ror#63
        eor     x4,x4,x27,ror#63

        eor     x27,   x2,x9            // mov  x27,x2
        eor     x7,x7,x9
        eor     x12,x12,x9
        eor     x17,x17,x9
        eor     x22,x22,x9

        eor     x0,x0,x4
        eor     x5,x5,x4
        eor     x10,x10,x4
        eor     x15,x15,x4
        eor     x20,x20,x4
        ldp     x4,x9,[sp,#0]   // re-load offloaded data
        eor     x26,   x3,x28           // mov  x26,x3
        eor     x8,x8,x28
        eor     x13,x13,x28
        eor     x25,x25,x28
        eor     x23,x23,x28

        eor     x28,   x4,x30           // mov  x28,x4
        eor     x9,x9,x30
        eor     x14,x14,x30
        eor     x19,x19,x30
        eor     x24,x24,x30

        ////////////////////////////////////////// Rho+Pi
        mov     x30,x1
        ror     x1,x6,#64-44
        //mov   x27,x2
        ror     x2,x12,#64-43
        //mov   x26,x3
        ror     x3,x25,#64-21
        //mov   x28,x4
        ror     x4,x24,#64-14

        ror     x6,x9,#64-20
        ror     x12,x13,#64-25
        ror     x25,x17,#64-15
        ror     x24,x21,#64-2

        ror     x9,x22,#64-61
        ror     x13,x19,#64-8
        ror     x17,x11,#64-10
        ror     x21,x8,#64-55

        ror     x22,x14,#64-39
        ror     x19,x23,#64-56
        ror     x11,x7,#64-6
        ror     x8,x16,#64-45

        ror     x14,x20,#64-18
        ror     x23,x15,#64-41
        ror     x7,x10,#64-3
        ror     x16,x5,#64-36

        ror     x5,x26,#64-28
        ror     x10,x30,#64-1
        ror     x15,x28,#64-27
        ror     x20,x27,#64-62

        ////////////////////////////////////////// Chi+Iota
        bic     x26,x2,x1
        bic     x27,x3,x2
        bic     x28,x0,x4
        bic     x30,x1,x0
        eor     x0,x0,x26
        bic     x26,x4,x3
        eor     x1,x1,x27
        ldr     x27,[sp,#16]
        eor     x3,x3,x28
        eor     x4,x4,x30
        eor     x2,x2,x26
        ldr     x30,[x27],#8            // Iota[i++]

        bic     x26,x7,x6
        tst     x27,#255                        // are we done?
        str     x27,[sp,#16]
        bic     x27,x8,x7
        bic     x28,x5,x9
        eor     x0,x0,x30               // A[0][0] ^= Iota
        bic     x30,x6,x5
        eor     x5,x5,x26
        bic     x26,x9,x8
        eor     x6,x6,x27
        eor     x8,x8,x28
        eor     x9,x9,x30
        eor     x7,x7,x26

        bic     x26,x12,x11
        bic     x27,x13,x12
        bic     x28,x10,x14
        bic     x30,x11,x10
        eor     x10,x10,x26
        bic     x26,x14,x13
        eor     x11,x11,x27
        eor     x13,x13,x28
        eor     x14,x14,x30
        eor     x12,x12,x26

        bic     x26,x17,x16
        bic     x27,x25,x17
        bic     x28,x15,x19
        bic     x30,x16,x15
        eor     x15,x15,x26
        bic     x26,x19,x25
        eor     x16,x16,x27
        eor     x25,x25,x28
        eor     x19,x19,x30
        eor     x17,x17,x26

        bic     x26,x22,x21
        bic     x27,x23,x22
        bic     x28,x20,x24
        bic     x30,x21,x20
        eor     x20,x20,x26
        bic     x26,x24,x23
        eor     x21,x21,x27
        eor     x23,x23,x28
        eor     x24,x24,x30
        eor     x22,x22,x26

        bne     .Loop

        ldr     x30,[sp,#24]
        ret
.size   KeccakF1600_int,.-KeccakF1600_int

.type   KeccakF1600,%function
.align  5
KeccakF1600:
        stp     x29,x30,[sp,#-128]!
        add     x29,sp,#0
        stp     x19,x20,[sp,#16]
        stp     x21,x22,[sp,#32]
        stp     x23,x24,[sp,#48]
        stp     x25,x26,[sp,#64]
        stp     x27,x28,[sp,#80]
        sub     sp,sp,#48

        str     x0,[sp,#32]                     // offload argument
        mov     x26,x0
        ldp     x0,x1,[x0,#16*0]
        ldp     x2,x3,[x26,#16*1]
        ldp     x4,x5,[x26,#16*2]
        ldp     x6,x7,[x26,#16*3]
        ldp     x8,x9,[x26,#16*4]
        ldp     x10,x11,[x26,#16*5]
        ldp     x12,x13,[x26,#16*6]
        ldp     x14,x15,[x26,#16*7]
        ldp     x16,x17,[x26,#16*8]
        ldp     x25,x19,[x26,#16*9]
        ldp     x20,x21,[x26,#16*10]
        ldp     x22,x23,[x26,#16*11]
        ldr     x24,[x26,#16*12]

        bl      KeccakF1600_int

        ldr     x26,[sp,#32]
        stp     x0,x1,[x26,#16*0]
        stp     x2,x3,[x26,#16*1]
        stp     x4,x5,[x26,#16*2]
        stp     x6,x7,[x26,#16*3]
        stp     x8,x9,[x26,#16*4]
        stp     x10,x11,[x26,#16*5]
        stp     x12,x13,[x26,#16*6]
        stp     x14,x15,[x26,#16*7]
        stp     x16,x17,[x26,#16*8]
        stp     x25,x19,[x26,#16*9]
        stp     x20,x21,[x26,#16*10]
        stp     x22,x23,[x26,#16*11]
        str     x24,[x26,#16*12]

        ldp     x19,x20,[x29,#16]
        add     sp,sp,#48
        ldp     x21,x22,[x29,#32]
        ldp     x23,x24,[x29,#48]
        ldp     x25,x26,[x29,#64]
        ldp     x27,x28,[x29,#80]
        ldp     x29,x30,[sp],#128
        ret
.size   KeccakF1600,.-KeccakF1600

.globl  SHA3_absorb
.type   SHA3_absorb,%function
.align  5
SHA3_absorb:
        stp     x29,x30,[sp,#-128]!
        add     x29,sp,#0
        stp     x19,x20,[sp,#16]
        stp     x21,x22,[sp,#32]
        stp     x23,x24,[sp,#48]
        stp     x25,x26,[sp,#64]
        stp     x27,x28,[sp,#80]
        sub     sp,sp,#64

        stp     x0,x1,[sp,#32]                  // offload arguments
        stp     x2,x3,[sp,#48]

        mov     x26,x0                  // uint64_t A[5][5]
        mov     x27,x1                  // const void *inp
        mov     x28,x2                  // size_t len
        mov     x30,x3                  // size_t bsz
        ldp     x0,x1,[x26,#16*0]
        ldp     x2,x3,[x26,#16*1]
        ldp     x4,x5,[x26,#16*2]
        ldp     x6,x7,[x26,#16*3]
        ldp     x8,x9,[x26,#16*4]
        ldp     x10,x11,[x26,#16*5]
        ldp     x12,x13,[x26,#16*6]
        ldp     x14,x15,[x26,#16*7]
        ldp     x16,x17,[x26,#16*8]
        ldp     x25,x19,[x26,#16*9]
        ldp     x20,x21,[x26,#16*10]
        ldp     x22,x23,[x26,#16*11]
        ldr     x24,[x26,#16*12]
        b       .Loop_absorb

.align  4
.Loop_absorb:
        subs    x26,x28,x30             // len - bsz
        blo     .Labsorbed

        str     x26,[sp,#48]                    // save len - bsz
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x0,x0,x26
        cmp     x30,#8*(0+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x1,x1,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x2,x2,x26
        cmp     x30,#8*(2+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x3,x3,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x4,x4,x26
        cmp     x30,#8*(4+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x5,x5,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x6,x6,x26
        cmp     x30,#8*(6+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x7,x7,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x8,x8,x26
        cmp     x30,#8*(8+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x9,x9,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x10,x10,x26
        cmp     x30,#8*(10+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x11,x11,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x12,x12,x26
        cmp     x30,#8*(12+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x13,x13,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x14,x14,x26
        cmp     x30,#8*(14+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x15,x15,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x16,x16,x26
        cmp     x30,#8*(16+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x17,x17,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x25,x25,x26
        cmp     x30,#8*(18+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x19,x19,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x20,x20,x26
        cmp     x30,#8*(20+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x21,x21,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x22,x22,x26
        cmp     x30,#8*(22+2)
        blo     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x23,x23,x26
        beq     .Lprocess_block
        ldr     x26,[x27],#8            // *inp++
#ifdef  __AARCH64EB__
        rev     x26,x26
#endif
        eor     x24,x24,x26

.Lprocess_block:
        str     x27,[sp,#40]                    // save inp

        bl      KeccakF1600_int

        ldr     x27,[sp,#40]                    // restore arguments
        ldp     x28,x30,[sp,#48]
        b       .Loop_absorb

.align  4
.Labsorbed:
        ldr     x27,[sp,#32]
        stp     x0,x1,[x27,#16*0]
        stp     x2,x3,[x27,#16*1]
        stp     x4,x5,[x27,#16*2]
        stp     x6,x7,[x27,#16*3]
        stp     x8,x9,[x27,#16*4]
        stp     x10,x11,[x27,#16*5]
        stp     x12,x13,[x27,#16*6]
        stp     x14,x15,[x27,#16*7]
        stp     x16,x17,[x27,#16*8]
        stp     x25,x19,[x27,#16*9]
        stp     x20,x21,[x27,#16*10]
        stp     x22,x23,[x27,#16*11]
        str     x24,[x27,#16*12]

        mov     x0,x28                  // return value
        ldp     x19,x20,[x29,#16]
        add     sp,sp,#64
        ldp     x21,x22,[x29,#32]
        ldp     x23,x24,[x29,#48]
        ldp     x25,x26,[x29,#64]
        ldp     x27,x28,[x29,#80]
        ldp     x29,x30,[sp],#128
        ret
.size   SHA3_absorb,.-SHA3_absorb
.globl  SHA3_squeeze
.type   SHA3_squeeze,%function
.align  5
SHA3_squeeze:
        stp     x29,x30,[sp,#-48]!
        add     x29,sp,#0
        stp     x19,x20,[sp,#16]
        stp     x21,x22,[sp,#32]

        mov     x19,x0                  // put aside arguments
        mov     x20,x1
        mov     x21,x2
        mov     x22,x3

.Loop_squeeze:
        ldr     x4,[x0],#8
        cmp     x21,#8
        blo     .Lsqueeze_tail
#ifdef  __AARCH64EB__
        rev     x4,x4
#endif
        str     x4,[x20],#8
        subs    x21,x21,#8
        beq     .Lsqueeze_done

        subs    x3,x3,#8
        bhi     .Loop_squeeze

        mov     x0,x19
        bl      KeccakF1600
        mov     x0,x19
        mov     x3,x22
        b       .Loop_squeeze

.align  4
.Lsqueeze_tail:
        strb    w4,[x20],#1
        lsr     x4,x4,#8
        subs    x21,x21,#1
        beq     .Lsqueeze_done
        strb    w4,[x20],#1
        lsr     x4,x4,#8
        subs    x21,x21,#1
        beq     .Lsqueeze_done
        strb    w4,[x20],#1
        lsr     x4,x4,#8
        subs    x21,x21,#1
        beq     .Lsqueeze_done
        strb    w4,[x20],#1
        lsr     x4,x4,#8
        subs    x21,x21,#1
        beq     .Lsqueeze_done
        strb    w4,[x20],#1
        lsr     x4,x4,#8
        subs    x21,x21,#1
        beq     .Lsqueeze_done
        strb    w4,[x20],#1
        lsr     x4,x4,#8
        subs    x21,x21,#1
        beq     .Lsqueeze_done
        strb    w4,[x20],#1

.Lsqueeze_done:
        ldp     x19,x20,[sp,#16]
        ldp     x21,x22,[sp,#32]
        ldp     x29,x30,[sp],#48
        ret
.size   SHA3_squeeze,.-SHA3_squeeze
.type   KeccakF1600_ce,%function
.align  5
KeccakF1600_ce:
        mov     x9,#12
        adr     x10,iotas
        b       .Loop_ce
.align  4
.Loop_ce:
        ////////////////////////////////////////////////// Theta
.inst   0xce052819      //eor3 v25.16b,v0.16b,v5.16b,v10.16b
.inst   0xce062c3a      //eor3 v26.16b,v1.16b,v6.16b,v11.16b
.inst   0xce07305b      //eor3 v27.16b,v2.16b,v7.16b,v12.16b
.inst   0xce08347c      //eor3 v28.16b,v3.16b,v8.16b,v13.16b
.inst   0xce09389d      //eor3 v29.16b,v4.16b,v9.16b,v14.16b
.inst   0xce0f5339      //eor3 v25.16b,v25.16b,   v15.16b,v20.16b
.inst   0xce10575a      //eor3 v26.16b,v26.16b,   v16.16b,v21.16b
.inst   0xce115b7b      //eor3 v27.16b,v27.16b,   v17.16b,v22.16b
.inst   0xce125f9c      //eor3 v28.16b,v28.16b,   v18.16b,v23.16b
.inst   0xce1363bd      //eor3 v29.16b,v29.16b,   v19.16b,v24.16b

.inst   0xce7b8f3e      //rax1 v30.16b,v25.16b,v27.16b                  // D[1]
.inst   0xce7c8f5f      //rax1 v31.16b,v26.16b,v28.16b                  // D[2]
.inst   0xce7d8f7b      //rax1 v27.16b,v27.16b,v29.16b                  // D[3]
.inst   0xce798f9c      //rax1 v28.16b,v28.16b,v25.16b                  // D[4]
.inst   0xce7a8fbd      //rax1 v29.16b,v29.16b,v26.16b                  // D[0]

        ////////////////////////////////////////////////// Theta+Rho+Pi
.inst   0xce9e50d9      //xar v25.16b,   v6.16b,v30.16b,#64-44  // C[0]=A[0][1]
.inst   0xce9cb126      //xar v6.16b,v9.16b,v28.16b,#64-20
.inst   0xce9f0ec9      //xar v9.16b,v22.16b,v31.16b,#64-61
.inst   0xce9c65d6      //xar v22.16b,v14.16b,v28.16b,#64-39
.inst   0xce9dba8e      //xar v14.16b,v20.16b,v29.16b,#64-18

.inst   0xce9f0854      //xar v20.16b,v2.16b,v31.16b,#64-62

.inst   0xce9f5582      //xar v2.16b,v12.16b,v31.16b,#64-43
.inst   0xce9b9dac      //xar v12.16b,v13.16b,v27.16b,#64-25
.inst   0xce9ce26d      //xar v13.16b,v19.16b,v28.16b,#64-8
.inst   0xce9b22f3      //xar v19.16b,v23.16b,v27.16b,#64-56
.inst   0xce9d5df7      //xar v23.16b,v15.16b,v29.16b,#64-41

.inst   0xce9c948f      //xar v15.16b,v4.16b,v28.16b,#64-27

        eor     v0.16b,v0.16b,v29.16b
        ldr     x11,[x10],#8

.inst   0xce9bae5a      //xar v26.16b,   v18.16b,v27.16b,#64-21 // C[1]=A[0][3]
.inst   0xce9fc632      //xar v18.16b,v17.16b,v31.16b,#64-15
.inst   0xce9ed971      //xar v17.16b,v11.16b,v30.16b,#64-10
.inst   0xce9fe8eb      //xar v11.16b,v7.16b,v31.16b,#64-6
.inst   0xce9df547      //xar v7.16b,v10.16b,v29.16b,#64-3

.inst   0xce9efc2a      //xar v10.16b,v1.16b,v30.16b,#64-1      // *

.inst   0xce9ccb04      //xar v4.16b,v24.16b,v28.16b,#64-14
.inst   0xce9efab8      //xar v24.16b,v21.16b,v30.16b,#64-2
.inst   0xce9b2515      //xar v21.16b,v8.16b,v27.16b,#64-55
.inst   0xce9e4e08      //xar v8.16b,v16.16b,v30.16b,#64-45
.inst   0xce9d70b0      //xar v16.16b,v5.16b,v29.16b,#64-36

.inst   0xce9b907b      //xar v27.16b,   v3.16b,v27.16b,#64-28  // C[2]=A[1][0]

        ////////////////////////////////////////////////// Chi+Iota
        dup     v31.2d,x11                              // borrow C[6]
.inst   0xce22641c      //bcax v28.16b,   v0.16b,v2.16b,v25.16b // *
.inst   0xce3a0b21      //bcax v1.16b,v25.16b,   v26.16b,   v2.16b      // *
.inst   0xce246842      //bcax v2.16b,v2.16b,v4.16b,v26.16b
.inst   0xce201343      //bcax v3.16b,v26.16b,   v0.16b,v4.16b
.inst   0xce390084      //bcax v4.16b,v4.16b,v25.16b,   v0.16b

.inst   0xce271b65      //bcax v5.16b,v27.16b,   v7.16b,v6.16b  // *
.inst   0xce281cd9      //bcax v25.16b,   v6.16b,v8.16b,v7.16b  // *
.inst   0xce2920e7      //bcax v7.16b,v7.16b,v9.16b,v8.16b
.inst   0xce3b2508      //bcax v8.16b,v8.16b,v27.16b,   v9.16b
.inst   0xce266d29      //bcax v9.16b,v9.16b,v6.16b,v27.16b

        eor     v0.16b,v28.16b,v31.16b                  // Iota

.inst   0xce2c2d5a      //bcax v26.16b,   v10.16b,v12.16b,v11.16b       // *
.inst   0xce2d317b      //bcax v27.16b,   v11.16b,v13.16b,v12.16b       // *
.inst   0xce2e358c      //bcax v12.16b,v12.16b,v14.16b,v13.16b
.inst   0xce2a39ad      //bcax v13.16b,v13.16b,v10.16b,v14.16b
.inst   0xce2b29ce      //bcax v14.16b,v14.16b,v11.16b,v10.16b

.inst   0xce3141fc      //bcax v28.16b,   v15.16b,v17.16b,v16.16b       // *
.inst   0xce32461d      //bcax v29.16b,   v16.16b,v18.16b,v17.16b       // *
.inst   0xce334a31      //bcax v17.16b,v17.16b,v19.16b,v18.16b
.inst   0xce2f4e52      //bcax v18.16b,v18.16b,v15.16b,v19.16b
.inst   0xce303e73      //bcax v19.16b,v19.16b,v16.16b,v15.16b

.inst   0xce36569e      //bcax v30.16b,   v20.16b,v22.16b,v21.16b       // *
.inst   0xce375abf      //bcax v31.16b,   v21.16b,v23.16b,v22.16b       // *
.inst   0xce385ed6      //bcax v22.16b,v22.16b,v24.16b,v23.16b
.inst   0xce3462f7      //bcax v23.16b,v23.16b,v20.16b,v24.16b
.inst   0xce355318      //bcax v24.16b,v24.16b,v21.16b,v20.16b
        ////////////////////////////////////////////////// Theta
.inst   0xce056806      //eor3 v6.16b,v0.16b,v5.16b,v26.16b
.inst   0xce196c2a      //eor3 v10.16b,v1.16b,v25.16b,v27.16b
.inst   0xce07304b      //eor3 v11.16b,v2.16b,v7.16b,v12.16b
.inst   0xce08346f      //eor3 v15.16b,v3.16b,v8.16b,v13.16b
.inst   0xce093890      //eor3 v16.16b,v4.16b,v9.16b,v14.16b
.inst   0xce1c78c6      //eor3 v6.16b,v6.16b,   v28.16b,v30.16b
.inst   0xce1d7d4a      //eor3 v10.16b,v10.16b,   v29.16b,v31.16b
.inst   0xce11596b      //eor3 v11.16b,v11.16b,   v17.16b,v22.16b
.inst   0xce125def      //eor3 v15.16b,v15.16b,   v18.16b,v23.16b
.inst   0xce136210      //eor3 v16.16b,v16.16b,   v19.16b,v24.16b

.inst   0xce6b8cd4      //rax1 v20.16b,v6.16b,v11.16b                   // D[1]
.inst   0xce6f8d55      //rax1 v21.16b,v10.16b,v15.16b                  // D[2]
.inst   0xce708d6b      //rax1 v11.16b,v11.16b,v16.16b                  // D[3]
.inst   0xce668def      //rax1 v15.16b,v15.16b,v6.16b                   // D[4]
.inst   0xce6a8e10      //rax1 v16.16b,v16.16b,v10.16b                  // D[0]

        ////////////////////////////////////////////////// Theta+Rho+Pi
.inst   0xce945326      //xar v6.16b,   v25.16b,v20.16b,#64-44  // C[0]=A[0][1]
.inst   0xce8fb139      //xar v25.16b,v9.16b,v15.16b,#64-20
.inst   0xce950ec9      //xar v9.16b,v22.16b,v21.16b,#64-61
.inst   0xce8f65d6      //xar v22.16b,v14.16b,v15.16b,#64-39
.inst   0xce90bbce      //xar v14.16b,v30.16b,v16.16b,#64-18

.inst   0xce95085e      //xar v30.16b,v2.16b,v21.16b,#64-62

.inst   0xce955582      //xar v2.16b,v12.16b,v21.16b,#64-43
.inst   0xce8b9dac      //xar v12.16b,v13.16b,v11.16b,#64-25
.inst   0xce8fe26d      //xar v13.16b,v19.16b,v15.16b,#64-8
.inst   0xce8b22f3      //xar v19.16b,v23.16b,v11.16b,#64-56
.inst   0xce905f97      //xar v23.16b,v28.16b,v16.16b,#64-41

.inst   0xce8f949c      //xar v28.16b,v4.16b,v15.16b,#64-27

        eor     v0.16b,v0.16b,v16.16b
        ldr     x11,[x10],#8

.inst   0xce8bae4a      //xar v10.16b,   v18.16b,v11.16b,#64-21 // C[1]=A[0][3]
.inst   0xce95c632      //xar v18.16b,v17.16b,v21.16b,#64-15
.inst   0xce94db71      //xar v17.16b,v27.16b,v20.16b,#64-10
.inst   0xce95e8fb      //xar v27.16b,v7.16b,v21.16b,#64-6
.inst   0xce90f747      //xar v7.16b,v26.16b,v16.16b,#64-3

.inst   0xce94fc3a      //xar v26.16b,v1.16b,v20.16b,#64-1      // *

.inst   0xce8fcb04      //xar v4.16b,v24.16b,v15.16b,#64-14
.inst   0xce94fbf8      //xar v24.16b,v31.16b,v20.16b,#64-2
.inst   0xce8b251f      //xar v31.16b,v8.16b,v11.16b,#64-55
.inst   0xce944fa8      //xar v8.16b,v29.16b,v20.16b,#64-45
.inst   0xce9070bd      //xar v29.16b,v5.16b,v16.16b,#64-36

.inst   0xce8b906b      //xar v11.16b,   v3.16b,v11.16b,#64-28  // C[2]=A[1][0]

        ////////////////////////////////////////////////// Chi+Iota
        dup     v21.2d,x11                              // borrow C[6]
.inst   0xce22180f      //bcax v15.16b,   v0.16b,v2.16b,v6.16b  // *
.inst   0xce2a08c1      //bcax v1.16b,v6.16b,   v10.16b,   v2.16b       // *
.inst   0xce242842      //bcax v2.16b,v2.16b,v4.16b,v10.16b
.inst   0xce201143      //bcax v3.16b,v10.16b,   v0.16b,v4.16b
.inst   0xce260084      //bcax v4.16b,v4.16b,v6.16b,   v0.16b

.inst   0xce276565      //bcax v5.16b,v11.16b,   v7.16b,v25.16b // *
.inst   0xce281f26      //bcax v6.16b,   v25.16b,v8.16b,v7.16b  // *
.inst   0xce2920e7      //bcax v7.16b,v7.16b,v9.16b,v8.16b
.inst   0xce2b2508      //bcax v8.16b,v8.16b,v11.16b,   v9.16b
.inst   0xce392d29      //bcax v9.16b,v9.16b,v25.16b,v11.16b

        eor     v0.16b,v15.16b,v21.16b                  // Iota

.inst   0xce2c6f4a      //bcax v10.16b,   v26.16b,v12.16b,v27.16b       // *
.inst   0xce2d336b      //bcax v11.16b,   v27.16b,v13.16b,v12.16b       // *
.inst   0xce2e358c      //bcax v12.16b,v12.16b,v14.16b,v13.16b
.inst   0xce3a39ad      //bcax v13.16b,v13.16b,v26.16b,v14.16b
.inst   0xce3b69ce      //bcax v14.16b,v14.16b,v27.16b,v26.16b

.inst   0xce31778f      //bcax v15.16b,   v28.16b,v17.16b,v29.16b       // *
.inst   0xce3247b0      //bcax v16.16b,   v29.16b,v18.16b,v17.16b       // *
.inst   0xce334a31      //bcax v17.16b,v17.16b,v19.16b,v18.16b
.inst   0xce3c4e52      //bcax v18.16b,v18.16b,v28.16b,v19.16b
.inst   0xce3d7273      //bcax v19.16b,v19.16b,v29.16b,v28.16b

.inst   0xce367fd4      //bcax v20.16b,   v30.16b,v22.16b,v31.16b       // *
.inst   0xce375bf5      //bcax v21.16b,   v31.16b,v23.16b,v22.16b       // *
.inst   0xce385ed6      //bcax v22.16b,v22.16b,v24.16b,v23.16b
.inst   0xce3e62f7      //bcax v23.16b,v23.16b,v30.16b,v24.16b
.inst   0xce3f7b18      //bcax v24.16b,v24.16b,v31.16b,v30.16b
        subs    x9,x9,#1
        bne     .Loop_ce

        ret
.size   KeccakF1600_ce,.-KeccakF1600_ce

.type   KeccakF1600_cext,%function
.align  5
KeccakF1600_cext:
        stp     x29,x30,[sp,#-80]!
        add     x29,sp,#0
        stp     d8,d9,[sp,#16]          // per ABI requirement
        stp     d10,d11,[sp,#32]
        stp     d12,d13,[sp,#48]
        stp     d14,d15,[sp,#64]
        ldp     d0,d1,[x0,#8*0]
        ldp     d2,d3,[x0,#8*2]
        ldp     d4,d5,[x0,#8*4]
        ldp     d6,d7,[x0,#8*6]
        ldp     d8,d9,[x0,#8*8]
        ldp     d10,d11,[x0,#8*10]
        ldp     d12,d13,[x0,#8*12]
        ldp     d14,d15,[x0,#8*14]
        ldp     d16,d17,[x0,#8*16]
        ldp     d18,d19,[x0,#8*18]
        ldp     d20,d21,[x0,#8*20]
        ldp     d22,d23,[x0,#8*22]
        ldr     d24,[x0,#8*24]
        bl      KeccakF1600_ce
        ldr     x30,[sp,#8]
        stp     d0,d1,[x0,#8*0]
        stp     d2,d3,[x0,#8*2]
        stp     d4,d5,[x0,#8*4]
        stp     d6,d7,[x0,#8*6]
        stp     d8,d9,[x0,#8*8]
        stp     d10,d11,[x0,#8*10]
        stp     d12,d13,[x0,#8*12]
        stp     d14,d15,[x0,#8*14]
        stp     d16,d17,[x0,#8*16]
        stp     d18,d19,[x0,#8*18]
        stp     d20,d21,[x0,#8*20]
        stp     d22,d23,[x0,#8*22]
        str     d24,[x0,#8*24]

        ldp     d8,d9,[sp,#16]
        ldp     d10,d11,[sp,#32]
        ldp     d12,d13,[sp,#48]
        ldp     d14,d15,[sp,#64]
        ldr     x29,[sp],#80
        ret
.size   KeccakF1600_cext,.-KeccakF1600_cext
.globl  SHA3_absorb_cext
.type   SHA3_absorb_cext,%function
.align  5
SHA3_absorb_cext:
        stp     x29,x30,[sp,#-80]!
        add     x29,sp,#0
        stp     d8,d9,[sp,#16]          // per ABI requirement
        stp     d10,d11,[sp,#32]
        stp     d12,d13,[sp,#48]
        stp     d14,d15,[sp,#64]
        ldp     d0,d1,[x0,#8*0]
        ldp     d2,d3,[x0,#8*2]
        ldp     d4,d5,[x0,#8*4]
        ldp     d6,d7,[x0,#8*6]
        ldp     d8,d9,[x0,#8*8]
        ldp     d10,d11,[x0,#8*10]
        ldp     d12,d13,[x0,#8*12]
        ldp     d14,d15,[x0,#8*14]
        ldp     d16,d17,[x0,#8*16]
        ldp     d18,d19,[x0,#8*18]
        ldp     d20,d21,[x0,#8*20]
        ldp     d22,d23,[x0,#8*22]
        ldr     d24,[x0,#8*24]
        b       .Loop_absorb_ce

.align  4
.Loop_absorb_ce:
        subs    x2,x2,x3                // len - bsz
        blo     .Labsorbed_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v0.16b,v0.16b,v31.16b
        cmp     x3,#8*(0+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v1.16b,v1.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v2.16b,v2.16b,v31.16b
        cmp     x3,#8*(2+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v3.16b,v3.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v4.16b,v4.16b,v31.16b
        cmp     x3,#8*(4+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v5.16b,v5.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v6.16b,v6.16b,v31.16b
        cmp     x3,#8*(6+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v7.16b,v7.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v8.16b,v8.16b,v31.16b
        cmp     x3,#8*(8+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v9.16b,v9.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v10.16b,v10.16b,v31.16b
        cmp     x3,#8*(10+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v11.16b,v11.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v12.16b,v12.16b,v31.16b
        cmp     x3,#8*(12+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v13.16b,v13.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v14.16b,v14.16b,v31.16b
        cmp     x3,#8*(14+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v15.16b,v15.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v16.16b,v16.16b,v31.16b
        cmp     x3,#8*(16+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v17.16b,v17.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v18.16b,v18.16b,v31.16b
        cmp     x3,#8*(18+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v19.16b,v19.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v20.16b,v20.16b,v31.16b
        cmp     x3,#8*(20+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v21.16b,v21.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev64   v31.16b,v31.16b
#endif
        eor     v22.16b,v22.16b,v31.16b
        cmp     x3,#8*(22+2)
        blo     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v23.16b,v23.16b,v31.16b
        beq     .Lprocess_block_ce
        ldr     d31,[x1],#8             // *inp++
#ifdef  __AARCH64EB__
        rev     v31.16b,v31.16b
#endif
        eor     v24.16b,v24.16b,v31.16b

.Lprocess_block_ce:

        bl      KeccakF1600_ce

        b       .Loop_absorb_ce

.align  4
.Labsorbed_ce:
        stp     d0,d1,[x0,#8*0]
        stp     d2,d3,[x0,#8*2]
        stp     d4,d5,[x0,#8*4]
        stp     d6,d7,[x0,#8*6]
        stp     d8,d9,[x0,#8*8]
        stp     d10,d11,[x0,#8*10]
        stp     d12,d13,[x0,#8*12]
        stp     d14,d15,[x0,#8*14]
        stp     d16,d17,[x0,#8*16]
        stp     d18,d19,[x0,#8*18]
        stp     d20,d21,[x0,#8*20]
        stp     d22,d23,[x0,#8*22]
        str     d24,[x0,#8*24]
        add     x0,x2,x3                // return value

        ldp     d8,d9,[sp,#16]
        ldp     d10,d11,[sp,#32]
        ldp     d12,d13,[sp,#48]
        ldp     d14,d15,[sp,#64]
        ldp     x29,x30,[sp],#80
        ret
.size   SHA3_absorb_cext,.-SHA3_absorb_cext
.globl  SHA3_squeeze_cext
.type   SHA3_squeeze_cext,%function
.align  5
SHA3_squeeze_cext:
        stp     x29,x30,[sp,#-16]!
        add     x29,sp,#0
        mov     x9,x0
        mov     x10,x3

.Loop_squeeze_ce:
        ldr     x4,[x9],#8
        cmp     x2,#8
        blo     .Lsqueeze_tail_ce
#ifdef  __AARCH64EB__
        rev     x4,x4
#endif
        str     x4,[x1],#8
        beq     .Lsqueeze_done_ce

        sub     x2,x2,#8
        subs    x10,x10,#8
        bhi     .Loop_squeeze_ce

        bl      KeccakF1600_cext
        ldr     x30,[sp,#8]
        mov     x9,x0
        mov     x10,x3
        b       .Loop_squeeze_ce

.align  4
.Lsqueeze_tail_ce:
        strb    w4,[x1],#1
        lsr     x4,x4,#8
        subs    x2,x2,#1
        beq     .Lsqueeze_done_ce
        strb    w4,[x1],#1
        lsr     x4,x4,#8
        subs    x2,x2,#1
        beq     .Lsqueeze_done_ce
        strb    w4,[x1],#1
        lsr     x4,x4,#8
        subs    x2,x2,#1
        beq     .Lsqueeze_done_ce
        strb    w4,[x1],#1
        lsr     x4,x4,#8
        subs    x2,x2,#1
        beq     .Lsqueeze_done_ce
        strb    w4,[x1],#1
        lsr     x4,x4,#8
        subs    x2,x2,#1
        beq     .Lsqueeze_done_ce
        strb    w4,[x1],#1
        lsr     x4,x4,#8
        subs    x2,x2,#1
        beq     .Lsqueeze_done_ce
        strb    w4,[x1],#1

.Lsqueeze_done_ce:
        ldr     x29,[sp],#16
        ret
.size   SHA3_squeeze_cext,.-SHA3_squeeze_cext
.byte   75,101,99,99,97,107,45,49,54,48,48,32,97,98,115,111,114,98,32,97,110,100,32,115,113,117,101,101,122,101,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
.align  2