CVE-2022-37454
Description
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in the Keccak XKCP SHA-3 reference implementation before fdc6fef leads to a buffer overflow enabling arbitrary code execution or cryptographic property elimination.
Root Cause
The Keccak XKCP SHA-3 reference implementation contained an integer overflow in the sponge function interface, in Keccak_SpongeAbsorb (Keccak_SpongeSqueeze carries the same pattern). Whenever an absorb call cannot take the full-block fast path, which is the case as soon as a partially filled block is already queued in the state, the code computes the number of bytes to add to the queue as `partialBlock = (unsigned int)(dataByteLen - i)` and then bounds it with `if (partialBlock + instance->byteIOIndex > rateInBytes)`, both in 32-bit unsigned arithmetic. For a remaining length close to 2^32 bytes the cast truncates and the sum wraps below the rate, so the check passes a length far larger than the room left in the block, and the following XOR of that many bytes into the 200-byte Keccak-f[1600] state writes past its end. The flaw is not in the buffer size but in the width of the arithmetic that guards the copy; the old sponge source is visible in full under Patches below [1][2].
Exploitation
An attacker triggers the bug by getting a vulnerable library to absorb roughly 2^32 bytes in a single call while the sponge already holds a partially filled block. The bug therefore lives in streaming (update-style) use, where the internal queue accumulates incomplete blocks. Hashing a file larger than 4 GiB in one call is not by itself sufficient: with an empty queue the absorb routine consumes whole blocks on the fast path and only a short remainder reaches the vulnerable arithmetic. The overflow needs the data fed in pieces such that a piece of about 2^32 bytes (precisely, one whose low 32 bits, added to the number of bytes already queued, wrap past 2^32) arrives after earlier pieces whose total length is not a multiple of the block size; the block size is the rate in bytes, 144, 136, 104 or 72 for SHA3-224, SHA3-256, SHA3-384 and SHA3-512 respectively, not a power of two. Applications that negotiate cryptographic algorithms (e.g., during TLS handshakes) or verify signatures where the certificate specifies the hash algorithm could be steered to SHA-3 and so reach the vulnerable code if they rely on a vulnerable library [1][2].
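The length arithmetic described above, isolated so it can be observed without allocating 4 GiB. This is an added example, not XKCP code and not part of the original page: the function and variable names mirror the removed KeccakSponge.c, the rate constants are the standard SHA-3 rates, and the two-update sequence (1 byte, then 2^32-1 bytes) is a constructed input chosen to exercise the wrap. The dry run only tracks the byte index and the length each XOR would be asked for; it never touches a state buffer.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example reproducing the old Keccak_SpongeAbsorb "message queue"
 * arithmetic in isolation. Not XKCP code; names mirror KeccakSponge.c. */

#define RATE_SHA3_224 144u   /* rate in bytes: 144/136/104/72 for SHA3-224/256/384/512 */
#define STATE_BYTES   200u   /* Keccak-f[1600] state size in bytes */

typedef unsigned int (*partial_fn)(size_t, size_t, unsigned int, unsigned int);

/* Vulnerable computation, as in the removed code: the remaining length is
 * truncated to 32 bits and the bound check is done in unsigned int, so the
 * sum can wrap below rateInBytes and the check silently passes. */
static unsigned int partial_block_vulnerable(size_t dataByteLen, size_t i,
                                             unsigned int byteIOIndex,
                                             unsigned int rateInBytes)
{
    unsigned int partialBlock = (unsigned int)(dataByteLen - i);
    if (partialBlock + byteIOIndex > rateInBytes)      /* 32-bit wrap here */
        partialBlock = rateInBytes - byteIOIndex;
    return partialBlock;
}

/* Hardened computation: compare in size_t against the room left in the
 * block, so the result can never exceed rateInBytes - byteIOIndex. */
static unsigned int partial_block_fixed(size_t dataByteLen, size_t i,
                                        unsigned int byteIOIndex,
                                        unsigned int rateInBytes)
{
    size_t remaining = dataByteLen - i;
    size_t room = (size_t)rateInBytes - byteIOIndex;
    return (unsigned int)(remaining < room ? remaining : room);
}

/* 1 if XOR-ing partialBlock bytes at byteIOIndex would run past the state. */
static int would_overflow_state(unsigned int byteIOIndex, unsigned int partialBlock)
{
    return (uint64_t)byteIOIndex + partialBlock > STATE_BYTES;
}

/* Dry run of the old absorb loop over a sequence of update() lengths.
 * Returns 0 if every XOR stays inside the state, 1 if one would overflow it,
 * 2 if the loop would make no progress (the old code would spin forever). */
static int dry_run_absorb(const size_t *chunks, size_t nchunks,
                          unsigned int rateInBytes, partial_fn compute_partial)
{
    unsigned int byteIOIndex = 0;
    for (size_t c = 0; c < nchunks; c++) {
        size_t dataByteLen = chunks[c], i = 0;
        while (i < dataByteLen) {
            if (byteIOIndex == 0 && dataByteLen - i >= rateInBytes) {
                /* fast path: whole blocks are absorbed, index stays at 0 */
                i += ((dataByteLen - i) / rateInBytes) * rateInBytes;
            } else {
                unsigned int partialBlock =
                    compute_partial(dataByteLen, i, byteIOIndex, rateInBytes);
                if (partialBlock == 0)
                    return 2;
                if (would_overflow_state(byteIOIndex, partialBlock))
                    return 1;
                i += partialBlock;
                byteIOIndex += partialBlock;
                if (byteIOIndex == rateInBytes)
                    byteIOIndex = 0;
            }
        }
    }
    return 0;
}

int main(void)
{
    /* constructed trigger: a 1-byte update leaves byteIOIndex == 1, then a
     * (2^32 - 1)-byte update makes partialBlock + byteIOIndex wrap to 0 */
    const size_t trigger[2] = { 1, (size_t)4294967295ULL };
    const size_t one_shot[1] = { (size_t)4294967295ULL };

    printf("one 4 GiB update, old arithmetic:   %d (0 = no overflow)\n",
           dry_run_absorb(one_shot, 1, RATE_SHA3_224, partial_block_vulnerable));
    printf("1 byte then 4 GiB, old arithmetic:  %d (1 = state overflow)\n",
           dry_run_absorb(trigger, 2, RATE_SHA3_224, partial_block_vulnerable));
    printf("1 byte then 4 GiB, fixed arithmetic: %d\n",
           dry_run_absorb(trigger, 2, RATE_SHA3_224, partial_block_fixed));
    return 0;
}
```

The single 4 GiB update comes out clean because the fast path consumes whole blocks and only a 111-byte remainder reaches the queue arithmetic; the same data split as 1 byte plus 2^32-1 bytes asks for a 4294967295-byte XOR at offset 1. The hardened variant differs only in doing the comparison in size_t, which is the shape of fix to look for when auditing any other vendored copy of this code.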
Impact
The out-of-bounds write starts inside the sponge state and continues past it with attacker-supplied bytes, so the attacker controls both what is written and (through the input length) how much. Depending on what follows the state in memory, that is a route to arbitrary code execution. Even where it is not, overwriting the state with chosen bytes destroys the expected properties of the hash (e.g., collision resistance, preimage resistance), because the output no longer depends on the input in the way the sponge construction guarantees. Any system relying on the Keccak SHA-3 reference implementation for integrity or authentication is affected to that extent [3].
Mitigation
The upstream fix is the XKCP revision named in the description, fdc6fef; the commit shown under Patches below, 5f2e8118a62831911703c8753ff2435c3b5d7312, is a downstream update that replaces a vendored copy of the old Keccak sources under ext/sha3/ with the corrected XKCP code [4]. Users should update to a fixed version of whichever package carries the code. The affected implementation is the "official" SHA-3 reference code, which is embedded (often as a vendored copy rather than a shared library) in various applications and language bindings; it is less commonly used than OpenSSL's SHA-3 implementation, but any application that includes a vulnerable copy is at risk, so check for the file names in the patch below rather than only for package versions [1]. No workaround is available beyond applying the patch; where you own the call site, capping the length of any single absorb call below 2^32 minus the rate keeps the 32-bit arithmetic from wrapping, but that is a stopgap, not a fix.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pysha3 (PyPI) | <= 1.0.2 | — |
| sha3 (RubyGems) | < 1.0.5 | 1.0.5 |
Affected products
- Keccak / Keccak XKCP SHA-3 (vendor and product named in the CVE record; no CPE assigned)
- OSV coordinates: 195 package entries, grouped below by ecosystem, each with the version range recorded for it
- pkg:apk/chainguard and pkg:apk/wolfi: pypy-3.10, pypy-3.10-compat, pypy-3.11, pypy-3.11-compat (range recorded as < 0, i.e. no fixed version listed)
- pkg:bitnami: libphp, php, php-min: >= 7.2.0, < 7.4.33; libpython, python, python-min: >= 3.6.0, < 3.7.16
- pkg:gem/sha3: < 1.0.5
- pkg:pypi/pysha3: <= 1.0.2
- pkg:rpm/almalinux:
  - apcu-panel, php-pecl-apcu, php-pecl-apcu-devel: < 5.1.20-1.module_el8.6.0+2739+efabdb8f
  - libzip, libzip-devel, libzip-tools: < 1.7.3-1.module_el8.6.0+2739+efabdb8f
  - php, php-bcmath, php-cli, php-common, php-dba, php-dbg, php-devel, php-embedded, php-enchant, php-ffi, php-fpm, php-gd, php-gmp, php-intl, php-ldap, php-mbstring, php-mysqlnd, php-odbc, php-opcache, php-pdo, php-pgsql, php-process, php-snmp, php-soap, php-xml: < 8.0.27-1.module_el8.7.0+3401+dfb61c00
  - php-json, php-xmlrpc: < 7.4.33-1.module_el8.8.0+3477+f828cbb0
  - php-pear: < 1:1.10.13-1.module_el8.6.0+2739+efabdb8f
  - php-pecl-rrd: < 2.0.3-1.module_el8.6.0+2739+efabdb8f
  - php-pecl-xdebug: < 2.9.5-1.module_el8.6.0+3239+bedf0508
  - php-pecl-xdebug3: < 3.1.2-1.module_el8.6.0+2739+efabdb8f
  - php-pecl-zip: < 1.19.2-1.module_el8.6.0+2739+efabdb8f
- pkg:rpm/opensuse:
  - apache2-mod_php7 (Leap 15.4): < 7.4.33-150400.4.13.1
  - apache2-mod_php8 (Leap 15.4): < 8.0.25-150400.4.17.1
  - php7 (Leap 15.3): < 7.4.33-150200.3.46.2; php7 (Leap 15.4): < 7.4.33-150400.4.13.1; php7 (Tumbleweed): < 7.4.33-1.1
  - php7-embed, php7-fastcgi, php7-fpm (Leap 15.4): < 7.4.33-150400.4.13.1
  - php7-test (Leap 15.3): < 7.4.33-150200.3.46.2; php7-test (Leap 15.4): < 7.4.33-150400.4.13.2
  - php8, php8-embed, php8-fastcgi, php8-fpm, php8-test (Leap 15.4): < 8.0.25-150400.4.17.1
  - python310-core, python310, python310-documentation (Leap 15.4): < 3.10.10-150400.4.22.1; python310 (Tumbleweed): < 3.10.9-1.1
  - python38 (Tumbleweed): < 3.8.15-3.1
  - python39-core, python39, python39-documentation (Leap 15.4): < 3.9.16-150300.4.24.1; python39 (Tumbleweed): < 3.9.16-1.1
  - python3-core, python3 (Leap 15.3, Leap 15.4, Leap Micro 5.2, Leap Micro 5.3): < 3.6.15-150300.10.37.2
  - python3-documentation (Leap 15.3, Leap 15.4): < 3.6.15-150300.10.37.1
- pkg:rpm/suse:
  - apache2-mod_php7 (SLE Module for Legacy 15 SP4): < 7.4.33-150400.4.13.1
  - apache2-mod_php8 (SLE Module for Web and Scripting 15 SP4): < 8.0.25-150400.4.17.1
  - php74 (SLE Module for Web and Scripting 12; SLE Software Development Kit 12 SP5): < 7.4.33-1.47.2
  - php7 (SUSE Enterprise Storage 6; SLE HPC 15 SP1-ESPOS, 15 SP1-LTSS, 15-ESPOS, 15-LTSS; SLES 15 SP1-BCL, 15 SP1-LTSS, 15-LTSS; SLES for SAP Applications 15, 15 SP1): < 7.2.34-150000.4.103.1
  - php7 (SUSE Enterprise Storage 7; SLE HPC 15 SP2-ESPOS, 15 SP2-LTSS; SLE Module for Package Hub 15 SP3; SLE Module for Web and Scripting 15 SP3; SLES 15 SP2-BCL, 15 SP2-LTSS; SLES for SAP Applications 15 SP2; SUSE Manager Proxy 4.1, SUSE Manager Retail Branch Server 4.1, SUSE Manager Server 4.1): < 7.4.33-150200.3.46.2
  - php7, php7-fastcgi, php7-fpm (SLE Module for Legacy 15 SP4); php7-embed (SLE Module for Package Hub 15 SP4): < 7.4.33-150400.4.13.1
  - php8, php8-embed, php8-fastcgi, php8-fpm, php8-test (SLE Module for Web and Scripting 15 SP4): < 8.0.25-150400.4.17.1
  - python310-core, python310 (SLE Module for Python 3 15 SP4): < 3.10.10-150400.4.22.1
  - python36-core (SLES 12 SP5; SLES for SAP Applications 12 SP5; SLE Software Development Kit 12 SP5); python36 (SLES 12 SP5; SLES for SAP Applications 12 SP5): < 3.6.15-32.2
  - python39-core, python39 (SUSE Enterprise Storage 7.1; SLE HPC 15 SP3-ESPOS, 15 SP3-LTSS; SLE Real Time 15 SP3; SLES 15 SP3-LTSS; SLES for SAP Applications 15 SP3; SUSE Manager Proxy 4.2, SUSE Manager Server 4.2): < 3.9.16-150300.4.24.1
  - python3-core, python3 (SUSE Enterprise Storage 6, 7; SLE HPC 15 SP1-ESPOS, 15 SP1-LTSS, 15 SP2-ESPOS, 15 SP2-LTSS, 15-ESPOS, 15-LTSS; SLE Micro 5.1; SLES 15 SP1-BCL, 15 SP1-LTSS, 15 SP2-BCL, 15 SP2-LTSS, 15-LTSS; SLES for SAP Applications 15, 15 SP1, 15 SP2; SUSE Manager Proxy 4.1, SUSE Manager Retail Branch Server 4.1, SUSE Manager Server 4.1): < 3.6.15-150000.3.116.1
  - python3-core (SLE Micro 5.2, 5.3; SLE Module for Basesystem 15 SP3, 15 SP4; SLE Module for Development Tools 15 SP3, 15 SP4); python3 (SLE Micro 5.2, 5.3; SLE Module for Basesystem 15 SP3, 15 SP4): < 3.6.15-150300.10.37.2
Patches
Commit 5f2e8118a628: XKCP: Updated Keccak: Fixes buffer overflow vulnerability
32 files changed · +2886 −4221
ext/sha3/config.h+26 −0 added@@ -0,0 +1,26 @@ +/* File generated by ToTargetConfigFile.xsl */ + +#define XKCP_has_Sponge_Keccak +#define XKCP_has_FIPS202 +#define XKCP_has_KeccakP1600 + +// #define XKCP_has_SP800_185 +// #define XKCP_has_Duplex_Keccak +// #define XKCP_has_PRG_Keccak +// #define XKCP_has_Ketje +// #define XKCP_has_Keyak +// #define XKCP_has_KangarooTwelve +// #define XKCP_has_Kravatte +// #define XKCP_has_Xoofff +// #define XKCP_has_Xoodyak +// #define XKCP_has_KeccakP200 +// #define XKCP_has_KeccakP400 +// #define XKCP_has_KeccakP800 +// #define XKCP_has_KeccakP1600 +// #define XKCP_has_KeccakP1600times2 +// #define XKCP_has_KeccakP1600times4 +// #define XKCP_has_KeccakP1600times8 +// #define XKCP_has_Xoodoo +// #define XKCP_has_Xoodootimes4 +// #define XKCP_has_Xoodootimes8 +// #define XKCP_has_Xoodootimes16
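Review bot: XKCP_has_KeccakP1600 is defined at the top of this generated config.h and then listed again, commented out, in the block of disabled features below it; the duplicate is harmless to the build but misleading to anyone who later toggles the commented list expecting it to be the single source of truth. Either drop the commented copy or regenerate the file from a target that does not emit the feature twice, and since the header says the file comes from ToTargetConfigFile.xsl, a note that it must not be hand-edited would save the next reader the same confusion.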
ext/sha3/KeccakF-1600-interface.h+0 −40 removed@@ -1,40 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#ifndef _KeccakF1600Interface_h_ -#define _KeccakF1600Interface_h_ - -#include <string.h> - -#define KeccakF_width 1600 -#define KeccakF_laneInBytes 8 -#define KeccakF_stateSizeInBytes (KeccakF_width/8) -#define KeccakF_1600 - -void KeccakF1600_Initialize( void ); -void KeccakF1600_StateInitialize(void *state); -void KeccakF1600_StateXORBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length); -void KeccakF1600_StateOverwriteBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length); -void KeccakF1600_StateOverwriteWithZeroes(void *state, unsigned int byteCount); -void KeccakF1600_StateComplementBit(void *state, unsigned int position); -void KeccakF1600_StatePermute(void *state); -void KeccakF1600_StateExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length); -void KeccakF1600_StateExtractAndXORBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length); -size_t KeccakF1600_FBWL_Absorb(void *state, unsigned int laneCount, const unsigned char *data, size_t dataByteLen, unsigned char trailingBits); -size_t KeccakF1600_FBWL_Squeeze(void *state, unsigned int laneCount, unsigned char *data, size_t dataByteLen); -size_t KeccakF1600_FBWL_Wrap(void *state, unsigned int laneCount, const unsigned char *dataIn, unsigned char *dataOut, size_t 
dataByteLen, unsigned char trailingBits); -size_t KeccakF1600_FBWL_Unwrap(void *state, unsigned int laneCount, const unsigned char *dataIn, unsigned char *dataOut, size_t dataByteLen, unsigned char trailingBits); - -#endif
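Review bot: the removed interface typed the length argument of KeccakF1600_StateXORBytes and KeccakF1600_StateExtractBytes as unsigned int, which is exactly the width the sponge code's (unsigned int) cast of the remaining length had to fit into, so this header is part of the bug surface and not just dead code. The commit message should name the XKCP revision that replaces it, so a reviewer can confirm the replacement is at or after the fix the advisory names (fdc6fef); the diff shown here only records the deletion and gives no way to verify what came in instead.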
ext/sha3/KeccakSponge.c+0 −192 removed@@ -1,192 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#include <string.h> -#include "KeccakSponge.h" -#include "SnP-interface.h" -#ifdef KeccakReference -#include "displayIntermediateValues.h" -#endif - -/* ---------------------------------------------------------------- */ - -int Keccak_SpongeInitialize(Keccak_SpongeInstance *instance, unsigned int rate, unsigned int capacity) -{ - if (rate+capacity != SnP_width) - return 1; - if ((rate <= 0) || (rate > SnP_width) || ((rate % 8) != 0)) - return 1; - SnP_StaticInitialize(); - SnP_Initialize(instance->state); - instance->rate = rate; - instance->byteIOIndex = 0; - instance->squeezing = 0; - - return 0; -} - -/* ---------------------------------------------------------------- */ - -int Keccak_SpongeAbsorb(Keccak_SpongeInstance *instance, const unsigned char *data, size_t dataByteLen) -{ - size_t i, j; - unsigned int partialBlock; - const unsigned char *curData; - unsigned int rateInBytes = instance->rate/8; - - if (instance->squeezing) - return 1; // Too late for additional input - - i = 0; - curData = data; - while(i < dataByteLen) { - if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { - // processing full blocks first - if ((rateInBytes % SnP_laneLengthInBytes) == 0) { - // fast lane: whole lane rate - j = SnP_FBWL_Absorb(instance->state, rateInBytes/SnP_laneLengthInBytes, curData, dataByteLen - i, 0); - i += j; - curData += j; - } - else { - 
for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed", curData, rateInBytes); - #endif - SnP_XORBytes(instance->state, curData, 0, rateInBytes); - SnP_Permute(instance->state); - curData+=rateInBytes; - } - i = dataByteLen - j; - } - } - else { - // normal lane: using the message queue - partialBlock = (unsigned int)(dataByteLen - i); - if (partialBlock+instance->byteIOIndex > rateInBytes) - partialBlock = rateInBytes-instance->byteIOIndex; - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); - #endif - i += partialBlock; - - SnP_XORBytes(instance->state, curData, instance->byteIOIndex, partialBlock); - curData += partialBlock; - instance->byteIOIndex += partialBlock; - if (instance->byteIOIndex == rateInBytes) { - SnP_Permute(instance->state); - instance->byteIOIndex = 0; - } - } - } - return 0; -} - -/* ---------------------------------------------------------------- */ - -int Keccak_SpongeAbsorbLastFewBits(Keccak_SpongeInstance *instance, unsigned char delimitedData) -{ - unsigned char delimitedData1[1]; - unsigned int rateInBytes = instance->rate/8; - - if (delimitedData == 0) - return 1; - if (instance->squeezing) - return 1; // Too late for additional input - - delimitedData1[0] = delimitedData; - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed (last few bits + first bit of padding)", delimitedData1, 1); - #endif - // Last few bits, whose delimiter coincides with first bit of padding - SnP_XORBytes(instance->state, delimitedData1, instance->byteIOIndex, 1); - // If the first bit of padding is at position rate-1, we need a whole new block for the second bit of padding - if ((delimitedData >= 0x80) && (instance->byteIOIndex == (rateInBytes-1))) - SnP_Permute(instance->state); - // Second bit of padding - SnP_ComplementBit(instance->state, rateInBytes*8-1); - #ifdef KeccakReference - { - unsigned char block[SnP_width/8]; - memset(block, 
0, SnP_width/8); - block[rateInBytes-1] = 0x80; - displayBytes(1, "Second bit of padding", block, rateInBytes); - } - #endif - SnP_Permute(instance->state); - instance->byteIOIndex = 0; - instance->squeezing = 1; - #ifdef KeccakReference - displayText(1, "--- Switching to squeezing phase ---"); - #endif - return 0; -} - -/* ---------------------------------------------------------------- */ - -int Keccak_SpongeSqueeze(Keccak_SpongeInstance *instance, unsigned char *data, size_t dataByteLen) -{ - size_t i, j; - unsigned int partialBlock; - unsigned int rateInBytes = instance->rate/8; - unsigned char *curData; - - if (!instance->squeezing) - Keccak_SpongeAbsorbLastFewBits(instance, 0x01); - - i = 0; - curData = data; - while(i < dataByteLen) { - if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { - // processing full blocks first - if ((rateInBytes % SnP_laneLengthInBytes) == 0) { - // fast lane: whole lane rate - j = SnP_FBWL_Squeeze(instance->state, rateInBytes/SnP_laneLengthInBytes, curData, dataByteLen - i); - i += j; - curData += j; - } - else { - for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { - SnP_Permute(instance->state); - SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); - #ifdef KeccakReference - displayBytes(1, "Squeezed block", curData, rateInBytes); - #endif - curData+=rateInBytes; - } - i = dataByteLen - j; - } - } - else { - // normal lane: using the message queue - if (instance->byteIOIndex == rateInBytes) { - SnP_Permute(instance->state); - instance->byteIOIndex = 0; - } - partialBlock = (unsigned int)(dataByteLen - i); - if (partialBlock+instance->byteIOIndex > rateInBytes) - partialBlock = rateInBytes-instance->byteIOIndex; - i += partialBlock; - - SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); - #ifdef KeccakReference - displayBytes(1, "Squeezed block (part)", curData, partialBlock); - #endif - curData += partialBlock; - instance->byteIOIndex += partialBlock; - } 
- } - return 0; -}
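Review bot: the removed Keccak_SpongeSqueeze clamps `partialBlock` only after truncating it, `partialBlock = (unsigned int)(dataByteLen - i);` followed by `if (partialBlock+instance->byteIOIndex > rateInBytes)`, so the sum is evaluated in unsigned int and can wrap for remaining lengths of 4 GiB and more, in which case the clamp is skipped and `partialBlock` stays far larger than the state; this is the integer overflow behind the buffer overflow this CVE describes, and the absorb path in the same removed file had the identical pattern. The replacement in KeccakSponge.inc evaluates `dataByteLen-i > rateInBytes-instance->byteIOIndex` in size_t before the cast, which is the correct ordering; it also replaces the old `dataByteLen >= (i + rateInBytes)` loop condition with the subtraction form, which matters because `i + rateInBytes` could itself wrap in size_t. The removed fast-lane `SnP_FBWL_Squeeze` branch has no counterpart in the new squeeze, so the build should be checked for any remaining reference to that symbol.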
ext/sha3/KeccakSponge.h+0 −113 removed@@ -1,113 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#ifndef _KeccakSponge_h_ -#define _KeccakSponge_h_ - -#include "SnP-interface.h" -#include <string.h> - -// on Mac OS-X and possibly others, ALIGN(x) is defined in param.h, and -Werror chokes on the redef. -#ifdef ALIGN -#undef ALIGN -#endif - -#if defined(__GNUC__) -#define ALIGN __attribute__ ((aligned(32))) -#elif defined(_MSC_VER) -#define ALIGN __declspec(align(32)) -#else -#define ALIGN -#endif - -/** - * Structure that contains the sponge instance attributes for use with the - * Keccak_Sponge* functions. - * It gathers the state processed by the permutation as well as the rate, - * the position of input/output bytes in the state and the phase - * (absorbing or squeezing). - */ -ALIGN typedef struct Keccak_SpongeInstanceStruct { - /** The state processed by the permutation. */ - ALIGN unsigned char state[SnP_stateSizeInBytes]; - /** The value of the rate in bits.*/ - unsigned int rate; - /** The position in the state of the next byte to be input (when absorbing) or output (when squeezing). */ - unsigned int byteIOIndex; - /** If set to 0, in the absorbing phase; otherwise, in the squeezing phase. */ - int squeezing; -} Keccak_SpongeInstance; - -/** - * Function to initialize the state of the Keccak[r, c] sponge function. - * The phase of the sponge function is set to absorbing. - * @param spongeInstance Pointer to the sponge instance to be initialized. 
- * @param rate The value of the rate r. - * @param capacity The value of the capacity c. - * @pre One must have r+c equal to the supported width of this implementation - * and the rate a multiple of 8 bits (one byte) in this implementation. - * @return Zero if successful, 1 otherwise. - */ -int Keccak_SpongeInitialize(Keccak_SpongeInstance *spongeInstance, unsigned int rate, unsigned int capacity); - -/** - * Function to give input data bytes for the sponge function to absorb. - * @param spongeInstance Pointer to the sponge instance initialized by Keccak_SpongeInitialize(). - * @param data Pointer to the input data. - * @param dataByteLen The number of input bytes provided in the input data. - * @pre The sponge function must be in the absorbing phase, - * i.e., Keccak_SpongeSqueeze() or Keccak_SpongeAbsorbLastFewBits() - * must not have been called before. - * @return Zero if successful, 1 otherwise. - */ -int Keccak_SpongeAbsorb(Keccak_SpongeInstance *spongeInstance, const unsigned char *data, size_t dataByteLen); - -/** - * Function to give input data bits for the sponge function to absorb - * and then to switch to the squeezing phase. - * @param spongeInstance Pointer to the sponge instance initialized by Keccak_SpongeInitialize(). - * @param delimitedData Byte containing from 0 to 7 trailing bits - * that must be absorbed. - * These <i>n</i> bits must be in the least significant bit positions. - * These bits must be delimited with a bit 1 at position <i>n</i> - * (counting from 0=LSB to 7=MSB) and followed by bits 0 - * from position <i>n</i>+1 to position 7. - * Some examples: - * - If no bits are to be absorbed, then @a delimitedData must be 0x01. - * - If the 2-bit sequence 0,0 is to be absorbed, @a delimitedData must be 0x04. - * - If the 5-bit sequence 0,1,0,0,1 is to be absorbed, @a delimitedData must be 0x32. - * - If the 7-bit sequence 1,1,0,1,0,0,0 is to be absorbed, @a delimitedData must be 0x8B. - * . 
- * @pre The sponge function must be in the absorbing phase, - * i.e., Keccak_SpongeSqueeze() or Keccak_SpongeAbsorbLastFewBits() - * must not have been called before. - * @pre @a delimitedData ≠ 0x00 - * @return Zero if successful, 1 otherwise. - */ -int Keccak_SpongeAbsorbLastFewBits(Keccak_SpongeInstance *spongeInstance, unsigned char delimitedData); - -/** - * Function to squeeze output data from the sponge function. - * If the sponge function was in the absorbing phase, this function - * switches it to the squeezing phase - * as if Keccak_SpongeAbsorbLastFewBits(spongeInstance, 0x01) was called. - * @param spongeInstance Pointer to the sponge instance initialized by Keccak_SpongeInitialize(). - * @param data Pointer to the buffer where to store the output data. - * @param dataByteLen The number of output bytes desired. - * @return Zero if successful, 1 otherwise. - */ -int Keccak_SpongeSqueeze(Keccak_SpongeInstance *spongeInstance, unsigned char *data, size_t dataByteLen); - -#endif
ext/sha3/lib/common/align.h+33 −0 added@@ -0,0 +1,33 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +Implementation by Gilles Van Assche and Ronny Van Keer, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ +*/ + +#ifndef _align_h_ +#define _align_h_ + +/* on Mac OS-X and possibly others, ALIGN(x) is defined in param.h, and -Werror chokes on the redef. */ +#ifdef ALIGN +#undef ALIGN +#endif + +#if defined(__GNUC__) +#define ALIGN(x) __attribute__ ((aligned(x))) +#elif defined(_MSC_VER) +#define ALIGN(x) __declspec(align(x)) +#elif defined(__ARMCC_VERSION) +#define ALIGN(x) __align(x) +#else +#define ALIGN(x) +#endif + +#endif
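Review bot: the final `#else` / `#define ALIGN(x)` expands to nothing, so on any compiler other than GCC-compatible, MSVC or ARMCC the alignment that the SnP headers request through `KeccakP1600_stateAlignment` (passed into XKCP_DeclareSpongeStructure in the new KeccakSponge.h) is silently not applied to `state[]`; a `#warning`, or at least a comment stating that only byte-aligned implementations are supported on such toolchains, would make that failure mode visible instead of a possible misaligned-access fault at runtime.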
ext/sha3/lib/common/brg_endian.h+8 −7 renamed@@ -114,13 +114,14 @@ defined( __VMS ) || defined( _M_X64 ) # define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN -#elif defined( AMIGA ) || defined( applec ) || defined( __AS400__ ) || \ - defined( _CRAY ) || defined( __hppa ) || defined( __hp9000 ) || \ - defined( ibm370 ) || defined( mc68000 ) || defined( m68k ) || \ - defined( __MRC__ ) || defined( __MVS__ ) || defined( __MWERKS__ ) || \ - defined( sparc ) || defined( __sparc) || defined( SYMANTEC_C ) || \ - defined( __VOS__ ) || defined( __TIGCC__ ) || defined( __TANDEM ) || \ - defined( THINK_C ) || defined( __VMCMS__ ) || defined( _AIX ) +#elif defined( AMIGA ) || defined( applec ) || defined( __AS400__ ) || \ + defined( _CRAY ) || defined( __hppa ) || defined( __hp9000 ) || \ + defined( ibm370 ) || defined( mc68000 ) || defined( m68k ) || \ + defined( __MRC__ ) || defined( __MVS__ ) || defined( __MWERKS__ ) || \ + defined( sparc ) || defined( __sparc) || defined( SYMANTEC_C ) || \ + defined( __VOS__ ) || defined( __TIGCC__ ) || defined( __TANDEM ) || \ + defined( THINK_C ) || defined( __VMCMS__ ) || defined( _AIX ) || \ + defined( __s390__ ) || defined( __s390x__ ) || defined( __zarch__ ) # define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN #elif defined(__arm__)
ext/sha3/lib/high/Keccak/FIPS202/KeccakHash.c+26 −25 renamed@@ -1,12 +1,13 @@ /* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ +Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by the designers, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ To the extent possible under law, the implementer has waived all copyright and related or neighboring rights to the source code in this file. 
@@ -23,35 +24,35 @@ HashReturn Keccak_HashInitialize(Keccak_HashInstance *instance, unsigned int rat HashReturn result; if (delimitedSuffix == 0) - return FAIL; - result = (HashReturn)Keccak_SpongeInitialize(&instance->sponge, rate, capacity); - if (result != SUCCESS) + return KECCAK_FAIL; + result = (HashReturn)KeccakWidth1600_SpongeInitialize(&instance->sponge, rate, capacity); + if (result != KECCAK_SUCCESS) return result; instance->fixedOutputLength = hashbitlen; instance->delimitedSuffix = delimitedSuffix; - return SUCCESS; + return KECCAK_SUCCESS; } /* ---------------------------------------------------------------- */ -HashReturn Keccak_HashUpdate(Keccak_HashInstance *instance, const BitSequence *data, DataLength databitlen) +HashReturn Keccak_HashUpdate(Keccak_HashInstance *instance, const BitSequence *data, BitLength databitlen) { if ((databitlen % 8) == 0) - return (HashReturn)Keccak_SpongeAbsorb(&instance->sponge, data, databitlen/8); + return (HashReturn)KeccakWidth1600_SpongeAbsorb(&instance->sponge, data, databitlen/8); else { - HashReturn ret = (HashReturn)Keccak_SpongeAbsorb(&instance->sponge, data, databitlen/8); - if (ret == SUCCESS) { - // The last partial byte is assumed to be aligned on the least significant bits + HashReturn ret = (HashReturn)KeccakWidth1600_SpongeAbsorb(&instance->sponge, data, databitlen/8); + if (ret == KECCAK_SUCCESS) { + /* The last partial byte is assumed to be aligned on the least significant bits */ unsigned char lastByte = data[databitlen/8]; - // Concatenate the last few bits provided here with those of the suffix - unsigned short delimitedLastBytes = (unsigned short)lastByte | ((unsigned short)instance->delimitedSuffix << (databitlen % 8)); + /* Concatenate the last few bits provided here with those of the suffix */ + unsigned short delimitedLastBytes = (unsigned short)((unsigned short)(lastByte & ((1 << (databitlen % 8)) - 1)) | ((unsigned short)instance->delimitedSuffix << (databitlen % 8))); if 
((delimitedLastBytes & 0xFF00) == 0x0000) { instance->delimitedSuffix = delimitedLastBytes & 0xFF; } else { unsigned char oneByte[1]; oneByte[0] = delimitedLastBytes & 0xFF; - ret = (HashReturn)Keccak_SpongeAbsorb(&instance->sponge, oneByte, 1); + ret = (HashReturn)KeccakWidth1600_SpongeAbsorb(&instance->sponge, oneByte, 1); instance->delimitedSuffix = (delimitedLastBytes >> 8) & 0xFF; } } @@ -63,18 +64,18 @@ HashReturn Keccak_HashUpdate(Keccak_HashInstance *instance, const BitSequence *d HashReturn Keccak_HashFinal(Keccak_HashInstance *instance, BitSequence *hashval) { - HashReturn ret = (HashReturn)Keccak_SpongeAbsorbLastFewBits(&instance->sponge, instance->delimitedSuffix); - if (ret == SUCCESS) - return (HashReturn)Keccak_SpongeSqueeze(&instance->sponge, hashval, instance->fixedOutputLength/8); + HashReturn ret = (HashReturn)KeccakWidth1600_SpongeAbsorbLastFewBits(&instance->sponge, instance->delimitedSuffix); + if (ret == KECCAK_SUCCESS) + return (HashReturn)KeccakWidth1600_SpongeSqueeze(&instance->sponge, hashval, instance->fixedOutputLength/8); else return ret; } /* ---------------------------------------------------------------- */ -HashReturn Keccak_HashSqueeze(Keccak_HashInstance *instance, BitSequence *data, DataLength databitlen) +HashReturn Keccak_HashSqueeze(Keccak_HashInstance *instance, BitSequence *data, BitLength databitlen) { if ((databitlen % 8) != 0) - return FAIL; - return (HashReturn)Keccak_SpongeSqueeze(&instance->sponge, data, databitlen/8); + return KECCAK_FAIL; + return (HashReturn)KeccakWidth1600_SpongeSqueeze(&instance->sponge, data, databitlen/8); }
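Review bot: the new `lastByte & ((1 << (databitlen % 8)) - 1)` mask in Keccak_HashUpdate is a behaviour change, not just a rename: previously any set bits above position `databitlen % 8` in the caller's trailing byte were OR-ed into `delimitedLastBytes` and could alter the stored suffix, whereas the masked form matches the header's new "most significant bits of the last byte are ignored" wording; a regression test with junk high bits in a trailing partial byte would pin this down. Casting the sponge's `int` return straight to `HashReturn` also relies on 0 and 1 mapping exactly onto KECCAK_SUCCESS and KECCAK_FAIL, which holds for the enum below but deserves a comment next to the cast.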
ext/sha3/lib/high/Keccak/FIPS202/KeccakHash.h+34 −19 renamed@@ -1,12 +1,13 @@ /* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ +Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by the designers, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ To the extent possible under law, the implementer has waived all copyright and related or neighboring rights to the source code in this file. @@ -16,15 +17,24 @@ and related or neighboring rights to the source code in this file. #ifndef _KeccakHashInterface_h_ #define _KeccakHashInterface_h_ -#include "KeccakSponge.h" +#include "config.h" +#ifdef XKCP_has_KeccakP1600 + +#include <stdint.h> #include <string.h> +#include "KeccakSponge.h" -typedef unsigned char BitSequence; -typedef size_t DataLength; -typedef enum { SUCCESS = 0, FAIL = 1, BAD_HASHLEN = 2 } HashReturn; +#ifndef _Keccak_BitTypes_ +#define _Keccak_BitTypes_ +typedef uint8_t BitSequence; + +typedef size_t BitLength; +#endif + +typedef enum { KECCAK_SUCCESS = 0, KECCAK_FAIL = 1, KECCAK_BAD_HASHLEN = 2 } HashReturn; typedef struct { - Keccak_SpongeInstance sponge; + KeccakWidth1600_SpongeInstance sponge; unsigned int fixedOutputLength; unsigned char delimitedSuffix; } Keccak_HashInstance; 
@@ -42,7 +52,7 @@ typedef struct { * formatted like the @a delimitedData parameter of * the Keccak_SpongeAbsorbLastFewBits() function. * @pre One must have r+c=1600 and the rate a multiple of 8 bits in this implementation. - * @return SUCCESS if successful, FAIL otherwise. + * @return KECCAK_SUCCESS if successful, KECCAK_FAIL otherwise. */ HashReturn Keccak_HashInitialize(Keccak_HashInstance *hashInstance, unsigned int rate, unsigned int capacity, unsigned int hashbitlen, unsigned char delimitedSuffix); @@ -76,11 +86,13 @@ HashReturn Keccak_HashInitialize(Keccak_HashInstance *hashInstance, unsigned int * @param data Pointer to the input data. * When @a databitLen is not a multiple of 8, the last bits of data must be * in the least significant bits of the last byte (little-endian convention). + * In this case, the (8 - @a databitLen mod 8) most significant bits + * of the last byte are ignored. * @param databitLen The number of input bits provided in the input data. * @pre In the previous call to Keccak_HashUpdate(), databitlen was a multiple of 8. - * @return SUCCESS if successful, FAIL otherwise. + * @return KECCAK_SUCCESS if successful, KECCAK_FAIL otherwise. */ -HashReturn Keccak_HashUpdate(Keccak_HashInstance *hashInstance, const BitSequence *data, DataLength databitlen); +HashReturn Keccak_HashUpdate(Keccak_HashInstance *hashInstance, const BitSequence *data, BitLength databitlen); /** * Function to call after all input blocks have been input and to get 
@@ -90,9 +102,8 @@ HashReturn Keccak_HashUpdate(Keccak_HashInstance *hashInstance, const BitSequenc * output bits is equal to @a hashbitlen. * If @a hashbitlen was 0 in the call to Keccak_HashInitialize(), the output bits * must be extracted using the Keccak_HashSqueeze() function. - * @param state Pointer to the state of the sponge function initialized by Init(). * @param hashval Pointer to the buffer where to store the output data. - * @return SUCCESS if successful, FAIL otherwise. + * @return KECCAK_SUCCESS if successful, KECCAK_FAIL otherwise. */ HashReturn Keccak_HashFinal(Keccak_HashInstance *hashInstance, BitSequence *hashval); @@ -103,8 +114,12 @@ HashReturn Keccak_HashFinal(Keccak_HashInstance *hashInstance, BitSequence *hash * @param databitlen The number of output bits desired (must be a multiple of 8). * @pre Keccak_HashFinal() must have been already called. * @pre @a databitlen is a multiple of 8. - * @return SUCCESS if successful, FAIL otherwise. + * @return KECCAK_SUCCESS if successful, KECCAK_FAIL otherwise. */ -HashReturn Keccak_HashSqueeze(Keccak_HashInstance *hashInstance, BitSequence *data, DataLength databitlen); +HashReturn Keccak_HashSqueeze(Keccak_HashInstance *hashInstance, BitSequence *data, BitLength databitlen); + +#else +#error This requires an implementation of Keccak-p[1600] +#endif #endif
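Review bot: the `@pre In the previous call to Keccak_HashUpdate(), databitlen was a multiple of 8` contract is still documentation-only; nothing in the KeccakHash.c hunk above checks it, so a second partial-byte update after `delimitedSuffix` has already been extended returns KECCAK_SUCCESS while absorbing the bits in the wrong order, and a cheap flag in Keccak_HashInstance would turn that into a KECCAK_FAIL. Separately, replacing `DataLength` with `BitLength` and the bare `SUCCESS`/`FAIL`/`BAD_HASHLEN` enumerators with the KECCAK_-prefixed ones is a source-level API break for whatever in ext/sha3 calls this interface; confirm the glue code is updated in the same change so the extension still compiles.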
ext/sha3/lib/high/Keccak/KeccakSponge.c+111 −0 added@@ -0,0 +1,111 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by the designers, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ +*/ + +#include "KeccakSponge.h" + +#ifdef KeccakReference + #include "displayIntermediateValues.h" +#endif + +#ifdef XKCP_has_KeccakP200 + #include "KeccakP-200-SnP.h" + + #define prefix KeccakWidth200 + #define SnP KeccakP200 + #define SnP_width 200 + #define SnP_Permute KeccakP200_Permute_18rounds + #if defined(KeccakF200_FastLoop_supported) + #define SnP_FastLoop_Absorb KeccakF200_FastLoop_Absorb + #endif + #include "KeccakSponge.inc" + #undef prefix + #undef SnP + #undef SnP_width + #undef SnP_Permute + #undef SnP_FastLoop_Absorb +#endif + +#ifdef XKCP_has_KeccakP400 + #include "KeccakP-400-SnP.h" + + #define prefix KeccakWidth400 + #define SnP KeccakP400 + #define SnP_width 400 + #define SnP_Permute KeccakP400_Permute_20rounds + #if defined(KeccakF400_FastLoop_supported) + #define SnP_FastLoop_Absorb KeccakF400_FastLoop_Absorb + #endif + #include "KeccakSponge.inc" + #undef prefix + #undef SnP + #undef SnP_width + #undef SnP_Permute + #undef SnP_FastLoop_Absorb +#endif + +#ifdef XKCP_has_KeccakP800 + #include "KeccakP-800-SnP.h" + + #define prefix KeccakWidth800 + #define SnP KeccakP800 + #define SnP_width 800 + #define SnP_Permute KeccakP800_Permute_22rounds + #if defined(KeccakF800_FastLoop_supported) + #define SnP_FastLoop_Absorb KeccakF800_FastLoop_Absorb + #endif + #include "KeccakSponge.inc" + #undef prefix + #undef SnP + #undef SnP_width + #undef 
SnP_Permute + #undef SnP_FastLoop_Absorb +#endif + +#ifdef XKCP_has_KeccakP1600 + #include "KeccakP-1600-SnP.h" + + #define prefix KeccakWidth1600 + #define SnP KeccakP1600 + #define SnP_width 1600 + #define SnP_Permute KeccakP1600_Permute_24rounds + #if defined(KeccakF1600_FastLoop_supported) + #define SnP_FastLoop_Absorb KeccakF1600_FastLoop_Absorb + #endif + #include "KeccakSponge.inc" + #undef prefix + #undef SnP + #undef SnP_width + #undef SnP_Permute + #undef SnP_FastLoop_Absorb +#endif + +#ifdef XKCP_has_KeccakP1600 + #include "KeccakP-1600-SnP.h" + + #define prefix KeccakWidth1600_12rounds + #define SnP KeccakP1600 + #define SnP_width 1600 + #define SnP_Permute KeccakP1600_Permute_12rounds + #if defined(KeccakP1600_12rounds_FastLoop_supported) + #define SnP_FastLoop_Absorb KeccakP1600_12rounds_FastLoop_Absorb + #endif + #include "KeccakSponge.inc" + #undef prefix + #undef SnP + #undef SnP_width + #undef SnP_Permute + #undef SnP_FastLoop_Absorb +#endif
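Review bot: the two consecutive `#ifdef XKCP_has_KeccakP1600` blocks re-include `KeccakP-1600-SnP.h` and repeat the same define/undef boilerplate for the 24-round and 12-round instantiations; folding them into one guard would make it harder for a later edit to update the fast-loop condition (`KeccakF1600_FastLoop_supported` versus `KeccakP1600_12rounds_FastLoop_supported`) in one block and not the other. The unconditional `#undef SnP_FastLoop_Absorb` when the macro was never defined is legal C and harmless, but a one-line comment saying so would pre-empt the question.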
ext/sha3/lib/high/Keccak/KeccakSponge.h+76 −0 added@@ -0,0 +1,76 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by the designers, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ +*/ + +#ifndef _KeccakSponge_h_ +#define _KeccakSponge_h_ + +/* For the documentation, please follow the link: */ +/* #include "KeccakSponge-documentation.h" */ + +#include <string.h> +#include "align.h" +#include "config.h" + +#define XKCP_DeclareSpongeStructure(prefix, size, alignment) \ + ALIGN(alignment) typedef struct prefix##_SpongeInstanceStruct { \ + unsigned char state[size]; \ + unsigned int rate; \ + unsigned int byteIOIndex; \ + int squeezing; \ + } prefix##_SpongeInstance; + +#define XKCP_DeclareSpongeFunctions(prefix) \ + int prefix##_Sponge(unsigned int rate, unsigned int capacity, const unsigned char *input, size_t inputByteLen, unsigned char suffix, unsigned char *output, size_t outputByteLen); \ + int prefix##_SpongeInitialize(prefix##_SpongeInstance *spongeInstance, unsigned int rate, unsigned int capacity); \ + int prefix##_SpongeAbsorb(prefix##_SpongeInstance *spongeInstance, const unsigned char *data, size_t dataByteLen); \ + int prefix##_SpongeAbsorbLastFewBits(prefix##_SpongeInstance *spongeInstance, unsigned char delimitedData); \ + int prefix##_SpongeSqueeze(prefix##_SpongeInstance *spongeInstance, unsigned char *data, size_t dataByteLen); + +#ifdef XKCP_has_KeccakP200 + #include "KeccakP-200-SnP.h" + XKCP_DeclareSpongeStructure(KeccakWidth200, KeccakP200_stateSizeInBytes, KeccakP200_stateAlignment) + 
XKCP_DeclareSpongeFunctions(KeccakWidth200) + #define XKCP_has_Sponge_Keccak_width200 +#endif + +#ifdef XKCP_has_KeccakP400 + #include "KeccakP-400-SnP.h" + XKCP_DeclareSpongeStructure(KeccakWidth400, KeccakP400_stateSizeInBytes, KeccakP400_stateAlignment) + XKCP_DeclareSpongeFunctions(KeccakWidth400) + #define XKCP_has_Sponge_Keccak_width400 +#endif + +#ifdef XKCP_has_KeccakP800 + #include "KeccakP-800-SnP.h" + XKCP_DeclareSpongeStructure(KeccakWidth800, KeccakP800_stateSizeInBytes, KeccakP800_stateAlignment) + XKCP_DeclareSpongeFunctions(KeccakWidth800) + #define XKCP_has_Sponge_Keccak_width800 +#endif + +#ifdef XKCP_has_KeccakP1600 + #include "KeccakP-1600-SnP.h" + XKCP_DeclareSpongeStructure(KeccakWidth1600, KeccakP1600_stateSizeInBytes, KeccakP1600_stateAlignment) + XKCP_DeclareSpongeFunctions(KeccakWidth1600) + #define XKCP_has_Sponge_Keccak_width1600 +#endif + +#ifdef XKCP_has_KeccakP1600 + #include "KeccakP-1600-SnP.h" + XKCP_DeclareSpongeStructure(KeccakWidth1600_12rounds, KeccakP1600_stateSizeInBytes, KeccakP1600_stateAlignment) + XKCP_DeclareSpongeFunctions(KeccakWidth1600_12rounds) +#endif + +#endif
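Review bot: the header comment points readers to `KeccakSponge-documentation.h`, but that file is neither included here nor present in the hunks shown, so the API contract that the removed ext/sha3/KeccakSponge.h carried (absorbing-phase preconditions, rate a multiple of 8 bits, `delimitedData` must be non-zero, and the worked examples of its bit encoding) is lost from the vendored tree; consider vendoring the documentation header alongside this one. As with KeccakSponge.c, the two `#ifdef XKCP_has_KeccakP1600` blocks could share a single guard.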
ext/sha3/lib/high/Keccak/KeccakSponge.inc+316 −0 added@@ -0,0 +1,316 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by the designers, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ +*/ + +#define JOIN0(a, b) a ## b +#define JOIN(a, b) JOIN0(a, b) + +#define Sponge JOIN(prefix, _Sponge) +#define SpongeInstance JOIN(prefix, _SpongeInstance) +#define SpongeInitialize JOIN(prefix, _SpongeInitialize) +#define SpongeAbsorb JOIN(prefix, _SpongeAbsorb) +#define SpongeAbsorbLastFewBits JOIN(prefix, _SpongeAbsorbLastFewBits) +#define SpongeSqueeze JOIN(prefix, _SpongeSqueeze) + +#define SnP_stateSizeInBytes JOIN(SnP, _stateSizeInBytes) +#define SnP_stateAlignment JOIN(SnP, _stateAlignment) +#define SnP_StaticInitialize JOIN(SnP, _StaticInitialize) +#define SnP_Initialize JOIN(SnP, _Initialize) +#define SnP_AddByte JOIN(SnP, _AddByte) +#define SnP_AddBytes JOIN(SnP, _AddBytes) +#define SnP_ExtractBytes JOIN(SnP, _ExtractBytes) + +int Sponge(unsigned int rate, unsigned int capacity, const unsigned char *input, size_t inputByteLen, unsigned char suffix, unsigned char *output, size_t outputByteLen) +{ + ALIGN(SnP_stateAlignment) unsigned char state[SnP_stateSizeInBytes]; + unsigned int partialBlock; + const unsigned char *curInput = input; + unsigned char *curOutput = output; + unsigned int rateInBytes = rate/8; + + if (rate+capacity != SnP_width) + return 1; + if ((rate <= 0) || (rate > SnP_width) || ((rate % 8) != 0)) + return 1; + if (suffix == 0) + return 1; + + /* Initialize the state */ + SnP_StaticInitialize(); + SnP_Initialize(state); + + /* 
First, absorb whole blocks */ +#ifdef SnP_FastLoop_Absorb + if (((rateInBytes % (SnP_width/200)) == 0) && (inputByteLen >= rateInBytes)) { + /* fast lane: whole lane rate */ + size_t j; + j = SnP_FastLoop_Absorb(state, rateInBytes/(SnP_width/200), curInput, inputByteLen); + curInput += j; + inputByteLen -= j; + } +#endif + while(inputByteLen >= (size_t)rateInBytes) { + #ifdef KeccakReference + displayBytes(1, "Block to be absorbed", curInput, rateInBytes); + #endif + SnP_AddBytes(state, curInput, 0, rateInBytes); + SnP_Permute(state); + curInput += rateInBytes; + inputByteLen -= rateInBytes; + } + + /* Then, absorb what remains */ + partialBlock = (unsigned int)inputByteLen; + #ifdef KeccakReference + displayBytes(1, "Block to be absorbed (part)", curInput, partialBlock); + #endif + SnP_AddBytes(state, curInput, 0, partialBlock); + + /* Finally, absorb the suffix */ + #ifdef KeccakReference + { + unsigned char delimitedData1[1]; + delimitedData1[0] = suffix; + displayBytes(1, "Block to be absorbed (last few bits + first bit of padding)", delimitedData1, 1); + } + #endif + /* Last few bits, whose delimiter coincides with first bit of padding */ + SnP_AddByte(state, suffix, partialBlock); + /* If the first bit of padding is at position rate-1, we need a whole new block for the second bit of padding */ + if ((suffix >= 0x80) && (partialBlock == (rateInBytes-1))) + SnP_Permute(state); + /* Second bit of padding */ + SnP_AddByte(state, 0x80, rateInBytes-1); + #ifdef KeccakReference + { + unsigned char block[SnP_width/8]; + memset(block, 0, SnP_width/8); + block[rateInBytes-1] = 0x80; + displayBytes(1, "Second bit of padding", block, rateInBytes); + } + #endif + SnP_Permute(state); + #ifdef KeccakReference + displayText(1, "--- Switching to squeezing phase ---"); + #endif + + /* First, output whole blocks */ + while(outputByteLen > (size_t)rateInBytes) { + SnP_ExtractBytes(state, curOutput, 0, rateInBytes); + SnP_Permute(state); + #ifdef KeccakReference + displayBytes(1, 
"Squeezed block", curOutput, rateInBytes); + #endif + curOutput += rateInBytes; + outputByteLen -= rateInBytes; + } + + /* Finally, output what remains */ + partialBlock = (unsigned int)outputByteLen; + SnP_ExtractBytes(state, curOutput, 0, partialBlock); + #ifdef KeccakReference + displayBytes(1, "Squeezed block (part)", curOutput, partialBlock); + #endif + + return 0; +} + +/* ---------------------------------------------------------------- */ +/* ---------------------------------------------------------------- */ +/* ---------------------------------------------------------------- */ + +int SpongeInitialize(SpongeInstance *instance, unsigned int rate, unsigned int capacity) +{ + if (rate+capacity != SnP_width) + return 1; + if ((rate <= 0) || (rate > SnP_width) || ((rate % 8) != 0)) + return 1; + SnP_StaticInitialize(); + SnP_Initialize(instance->state); + instance->rate = rate; + instance->byteIOIndex = 0; + instance->squeezing = 0; + + return 0; +} + +/* ---------------------------------------------------------------- */ + +int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dataByteLen) +{ + size_t i, j; + unsigned int partialBlock; + const unsigned char *curData; + unsigned int rateInBytes = instance->rate/8; + + if (instance->squeezing) + return 1; /* Too late for additional input */ + + i = 0; + curData = data; + while(i < dataByteLen) { + if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { +#ifdef SnP_FastLoop_Absorb + /* processing full blocks first */ + if ((rateInBytes % (SnP_width/200)) == 0) { + /* fast lane: whole lane rate */ + j = SnP_FastLoop_Absorb(instance->state, rateInBytes/(SnP_width/200), curData, dataByteLen - i); + i += j; + curData += j; + } + else { +#endif + for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { + #ifdef KeccakReference + displayBytes(1, "Block to be absorbed", curData, rateInBytes); + #endif + SnP_AddBytes(instance->state, curData, 0, rateInBytes); + 
SnP_Permute(instance->state); + curData+=rateInBytes; + } + i = dataByteLen - j; +#ifdef SnP_FastLoop_Absorb + } +#endif + } + else { + /* normal lane: using the message queue */ + if (dataByteLen-i > rateInBytes-instance->byteIOIndex) + partialBlock = rateInBytes-instance->byteIOIndex; + else + partialBlock = (unsigned int)(dataByteLen - i); + #ifdef KeccakReference + displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); + #endif + i += partialBlock; + + SnP_AddBytes(instance->state, curData, instance->byteIOIndex, partialBlock); + curData += partialBlock; + instance->byteIOIndex += partialBlock; + if (instance->byteIOIndex == rateInBytes) { + SnP_Permute(instance->state); + instance->byteIOIndex = 0; + } + } + } + return 0; +} + +/* ---------------------------------------------------------------- */ + +int SpongeAbsorbLastFewBits(SpongeInstance *instance, unsigned char delimitedData) +{ + unsigned int rateInBytes = instance->rate/8; + + if (delimitedData == 0) + return 1; + if (instance->squeezing) + return 1; /* Too late for additional input */ + + #ifdef KeccakReference + { + unsigned char delimitedData1[1]; + delimitedData1[0] = delimitedData; + displayBytes(1, "Block to be absorbed (last few bits + first bit of padding)", delimitedData1, 1); + } + #endif + /* Last few bits, whose delimiter coincides with first bit of padding */ + SnP_AddByte(instance->state, delimitedData, instance->byteIOIndex); + /* If the first bit of padding is at position rate-1, we need a whole new block for the second bit of padding */ + if ((delimitedData >= 0x80) && (instance->byteIOIndex == (rateInBytes-1))) + SnP_Permute(instance->state); + /* Second bit of padding */ + SnP_AddByte(instance->state, 0x80, rateInBytes-1); + #ifdef KeccakReference + { + unsigned char block[SnP_width/8]; + memset(block, 0, SnP_width/8); + block[rateInBytes-1] = 0x80; + displayBytes(1, "Second bit of padding", block, rateInBytes); + } + #endif + SnP_Permute(instance->state); + 
instance->byteIOIndex = 0; + instance->squeezing = 1; + #ifdef KeccakReference + displayText(1, "--- Switching to squeezing phase ---"); + #endif + return 0; +} + +/* ---------------------------------------------------------------- */ + +int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByteLen) +{ + size_t i, j; + unsigned int partialBlock; + unsigned int rateInBytes = instance->rate/8; + unsigned char *curData; + + if (!instance->squeezing) + SpongeAbsorbLastFewBits(instance, 0x01); + + i = 0; + curData = data; + while(i < dataByteLen) { + if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { + for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { + SnP_Permute(instance->state); + SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); + #ifdef KeccakReference + displayBytes(1, "Squeezed block", curData, rateInBytes); + #endif + curData+=rateInBytes; + } + i = dataByteLen - j; + } + else { + /* normal lane: using the message queue */ + if (instance->byteIOIndex == rateInBytes) { + SnP_Permute(instance->state); + instance->byteIOIndex = 0; + } + if (dataByteLen-i > rateInBytes-instance->byteIOIndex) + partialBlock = rateInBytes-instance->byteIOIndex; + else + partialBlock = (unsigned int)(dataByteLen - i); + i += partialBlock; + + SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); + #ifdef KeccakReference + displayBytes(1, "Squeezed block (part)", curData, partialBlock); + #endif + curData += partialBlock; + instance->byteIOIndex += partialBlock; + } + } + return 0; +} + +/* ---------------------------------------------------------------- */ + +#undef Sponge +#undef SpongeInstance +#undef SpongeInitialize +#undef SpongeAbsorb +#undef SpongeAbsorbLastFewBits +#undef SpongeSqueeze +#undef SnP_stateSizeInBytes +#undef SnP_stateAlignment +#undef SnP_StaticInitialize +#undef SnP_Initialize +#undef SnP_AddByte +#undef SnP_AddBytes +#undef SnP_ExtractBytes
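Review bot: the security-relevant change in this file is the ordering in SpongeAbsorb and SpongeSqueeze, `if (dataByteLen-i > rateInBytes-instance->byteIOIndex) partialBlock = rateInBytes-instance->byteIOIndex; else partialBlock = (unsigned int)(dataByteLen - i);`, which compares in size_t and only then narrows, so `partialBlock` can never exceed the room left in the current block regardless of how large `dataByteLen` is; a regression test that drives the streaming interface with total lengths above 2^32 in block-unaligned pieces, as the CVE text describes, would keep this from regressing. Two nits: `(rate <= 0)` on an `unsigned int` is just `rate == 0` and reads as if it guarded against negatives, and SpongeSqueeze discards the return value of `SpongeAbsorbLastFewBits(instance, 0x01)`, which is safe only because `squeezing` was just checked to be zero and 0x01 is non-zero, a fact worth stating in a comment.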
ext/sha3/lib/low/KeccakP-1600/common/KeccakP-1600-64.macros+748 −0 added@@ -0,0 +1,748 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +The Keccak-p permutations, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by Gilles Van Assche and Ronny Van Keer, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ +*/ + +#define declareABCDE \ + uint64_t Aba, Abe, Abi, Abo, Abu; \ + uint64_t Aga, Age, Agi, Ago, Agu; \ + uint64_t Aka, Ake, Aki, Ako, Aku; \ + uint64_t Ama, Ame, Ami, Amo, Amu; \ + uint64_t Asa, Ase, Asi, Aso, Asu; \ + uint64_t Bba, Bbe, Bbi, Bbo, Bbu; \ + uint64_t Bga, Bge, Bgi, Bgo, Bgu; \ + uint64_t Bka, Bke, Bki, Bko, Bku; \ + uint64_t Bma, Bme, Bmi, Bmo, Bmu; \ + uint64_t Bsa, Bse, Bsi, Bso, Bsu; \ + uint64_t Ca, Ce, Ci, Co, Cu; \ + uint64_t Da, De, Di, Do, Du; \ + uint64_t Eba, Ebe, Ebi, Ebo, Ebu; \ + uint64_t Ega, Ege, Egi, Ego, Egu; \ + uint64_t Eka, Eke, Eki, Eko, Eku; \ + uint64_t Ema, Eme, Emi, Emo, Emu; \ + uint64_t Esa, Ese, Esi, Eso, Esu; \ + +#define prepareTheta \ + Ca = Aba^Aga^Aka^Ama^Asa; \ + Ce = Abe^Age^Ake^Ame^Ase; \ + Ci = Abi^Agi^Aki^Ami^Asi; \ + Co = Abo^Ago^Ako^Amo^Aso; \ + Cu = Abu^Agu^Aku^Amu^Asu; \ + +#ifdef UseBebigokimisa +/* --- Code for round, with prepare-theta (lane complementing pattern 'bebigokimisa') */ +/* --- 64-bit lanes mapped to 64-bit words */ +#define thetaRhoPiChiIotaPrepareTheta(i, A, E) \ + Da = Cu^ROL64(Ce, 1); \ + De = Ca^ROL64(Ci, 1); \ + Di = Ce^ROL64(Co, 1); \ + Do = Ci^ROL64(Cu, 1); \ + Du = Co^ROL64(Ca, 1); \ +\ + A##ba ^= Da; \ + Bba = A##ba; \ + A##ge ^= De; \ + Bbe = ROL64(A##ge, 44); \ + A##ki ^= Di; \ + Bbi = ROL64(A##ki, 43); \ + A##mo 
^= Do; \ + Bbo = ROL64(A##mo, 21); \ + A##su ^= Du; \ + Bbu = ROL64(A##su, 14); \ + E##ba = Bba ^( Bbe | Bbi ); \ + E##ba ^= KeccakF1600RoundConstants[i]; \ + Ca = E##ba; \ + E##be = Bbe ^((~Bbi)| Bbo ); \ + Ce = E##be; \ + E##bi = Bbi ^( Bbo & Bbu ); \ + Ci = E##bi; \ + E##bo = Bbo ^( Bbu | Bba ); \ + Co = E##bo; \ + E##bu = Bbu ^( Bba & Bbe ); \ + Cu = E##bu; \ +\ + A##bo ^= Do; \ + Bga = ROL64(A##bo, 28); \ + A##gu ^= Du; \ + Bge = ROL64(A##gu, 20); \ + A##ka ^= Da; \ + Bgi = ROL64(A##ka, 3); \ + A##me ^= De; \ + Bgo = ROL64(A##me, 45); \ + A##si ^= Di; \ + Bgu = ROL64(A##si, 61); \ + E##ga = Bga ^( Bge | Bgi ); \ + Ca ^= E##ga; \ + E##ge = Bge ^( Bgi & Bgo ); \ + Ce ^= E##ge; \ + E##gi = Bgi ^( Bgo |(~Bgu)); \ + Ci ^= E##gi; \ + E##go = Bgo ^( Bgu | Bga ); \ + Co ^= E##go; \ + E##gu = Bgu ^( Bga & Bge ); \ + Cu ^= E##gu; \ +\ + A##be ^= De; \ + Bka = ROL64(A##be, 1); \ + A##gi ^= Di; \ + Bke = ROL64(A##gi, 6); \ + A##ko ^= Do; \ + Bki = ROL64(A##ko, 25); \ + A##mu ^= Du; \ + Bko = ROL64(A##mu, 8); \ + A##sa ^= Da; \ + Bku = ROL64(A##sa, 18); \ + E##ka = Bka ^( Bke | Bki ); \ + Ca ^= E##ka; \ + E##ke = Bke ^( Bki & Bko ); \ + Ce ^= E##ke; \ + E##ki = Bki ^((~Bko)& Bku ); \ + Ci ^= E##ki; \ + E##ko = (~Bko)^( Bku | Bka ); \ + Co ^= E##ko; \ + E##ku = Bku ^( Bka & Bke ); \ + Cu ^= E##ku; \ +\ + A##bu ^= Du; \ + Bma = ROL64(A##bu, 27); \ + A##ga ^= Da; \ + Bme = ROL64(A##ga, 36); \ + A##ke ^= De; \ + Bmi = ROL64(A##ke, 10); \ + A##mi ^= Di; \ + Bmo = ROL64(A##mi, 15); \ + A##so ^= Do; \ + Bmu = ROL64(A##so, 56); \ + E##ma = Bma ^( Bme & Bmi ); \ + Ca ^= E##ma; \ + E##me = Bme ^( Bmi | Bmo ); \ + Ce ^= E##me; \ + E##mi = Bmi ^((~Bmo)| Bmu ); \ + Ci ^= E##mi; \ + E##mo = (~Bmo)^( Bmu & Bma ); \ + Co ^= E##mo; \ + E##mu = Bmu ^( Bma | Bme ); \ + Cu ^= E##mu; \ +\ + A##bi ^= Di; \ + Bsa = ROL64(A##bi, 62); \ + A##go ^= Do; \ + Bse = ROL64(A##go, 55); \ + A##ku ^= Du; \ + Bsi = ROL64(A##ku, 39); \ + A##ma ^= Da; \ + Bso = ROL64(A##ma, 41); \ + A##se ^= De; \ + Bsu = 
ROL64(A##se, 2); \ + E##sa = Bsa ^((~Bse)& Bsi ); \ + Ca ^= E##sa; \ + E##se = (~Bse)^( Bsi | Bso ); \ + Ce ^= E##se; \ + E##si = Bsi ^( Bso & Bsu ); \ + Ci ^= E##si; \ + E##so = Bso ^( Bsu | Bsa ); \ + Co ^= E##so; \ + E##su = Bsu ^( Bsa & Bse ); \ + Cu ^= E##su; \ +\ + +/* --- Code for round (lane complementing pattern 'bebigokimisa') */ +/* --- 64-bit lanes mapped to 64-bit words */ +#define thetaRhoPiChiIota(i, A, E) \ + Da = Cu^ROL64(Ce, 1); \ + De = Ca^ROL64(Ci, 1); \ + Di = Ce^ROL64(Co, 1); \ + Do = Ci^ROL64(Cu, 1); \ + Du = Co^ROL64(Ca, 1); \ +\ + A##ba ^= Da; \ + Bba = A##ba; \ + A##ge ^= De; \ + Bbe = ROL64(A##ge, 44); \ + A##ki ^= Di; \ + Bbi = ROL64(A##ki, 43); \ + A##mo ^= Do; \ + Bbo = ROL64(A##mo, 21); \ + A##su ^= Du; \ + Bbu = ROL64(A##su, 14); \ + E##ba = Bba ^( Bbe | Bbi ); \ + E##ba ^= KeccakF1600RoundConstants[i]; \ + E##be = Bbe ^((~Bbi)| Bbo ); \ + E##bi = Bbi ^( Bbo & Bbu ); \ + E##bo = Bbo ^( Bbu | Bba ); \ + E##bu = Bbu ^( Bba & Bbe ); \ +\ + A##bo ^= Do; \ + Bga = ROL64(A##bo, 28); \ + A##gu ^= Du; \ + Bge = ROL64(A##gu, 20); \ + A##ka ^= Da; \ + Bgi = ROL64(A##ka, 3); \ + A##me ^= De; \ + Bgo = ROL64(A##me, 45); \ + A##si ^= Di; \ + Bgu = ROL64(A##si, 61); \ + E##ga = Bga ^( Bge | Bgi ); \ + E##ge = Bge ^( Bgi & Bgo ); \ + E##gi = Bgi ^( Bgo |(~Bgu)); \ + E##go = Bgo ^( Bgu | Bga ); \ + E##gu = Bgu ^( Bga & Bge ); \ +\ + A##be ^= De; \ + Bka = ROL64(A##be, 1); \ + A##gi ^= Di; \ + Bke = ROL64(A##gi, 6); \ + A##ko ^= Do; \ + Bki = ROL64(A##ko, 25); \ + A##mu ^= Du; \ + Bko = ROL64(A##mu, 8); \ + A##sa ^= Da; \ + Bku = ROL64(A##sa, 18); \ + E##ka = Bka ^( Bke | Bki ); \ + E##ke = Bke ^( Bki & Bko ); \ + E##ki = Bki ^((~Bko)& Bku ); \ + E##ko = (~Bko)^( Bku | Bka ); \ + E##ku = Bku ^( Bka & Bke ); \ +\ + A##bu ^= Du; \ + Bma = ROL64(A##bu, 27); \ + A##ga ^= Da; \ + Bme = ROL64(A##ga, 36); \ + A##ke ^= De; \ + Bmi = ROL64(A##ke, 10); \ + A##mi ^= Di; \ + Bmo = ROL64(A##mi, 15); \ + A##so ^= Do; \ + Bmu = ROL64(A##so, 56); \ + E##ma = Bma ^( 
Bme & Bmi ); \ + E##me = Bme ^( Bmi | Bmo ); \ + E##mi = Bmi ^((~Bmo)| Bmu ); \ + E##mo = (~Bmo)^( Bmu & Bma ); \ + E##mu = Bmu ^( Bma | Bme ); \ +\ + A##bi ^= Di; \ + Bsa = ROL64(A##bi, 62); \ + A##go ^= Do; \ + Bse = ROL64(A##go, 55); \ + A##ku ^= Du; \ + Bsi = ROL64(A##ku, 39); \ + A##ma ^= Da; \ + Bso = ROL64(A##ma, 41); \ + A##se ^= De; \ + Bsu = ROL64(A##se, 2); \ + E##sa = Bsa ^((~Bse)& Bsi ); \ + E##se = (~Bse)^( Bsi | Bso ); \ + E##si = Bsi ^( Bso & Bsu ); \ + E##so = Bso ^( Bsu | Bsa ); \ + E##su = Bsu ^( Bsa & Bse ); \ +\ + +#else /* UseBebigokimisa */ +/* --- Code for round, with prepare-theta */ +/* --- 64-bit lanes mapped to 64-bit words */ +#define thetaRhoPiChiIotaPrepareTheta(i, A, E) \ + Da = Cu^ROL64(Ce, 1); \ + De = Ca^ROL64(Ci, 1); \ + Di = Ce^ROL64(Co, 1); \ + Do = Ci^ROL64(Cu, 1); \ + Du = Co^ROL64(Ca, 1); \ +\ + A##ba ^= Da; \ + Bba = A##ba; \ + A##ge ^= De; \ + Bbe = ROL64(A##ge, 44); \ + A##ki ^= Di; \ + Bbi = ROL64(A##ki, 43); \ + A##mo ^= Do; \ + Bbo = ROL64(A##mo, 21); \ + A##su ^= Du; \ + Bbu = ROL64(A##su, 14); \ + E##ba = Bba ^((~Bbe)& Bbi ); \ + E##ba ^= KeccakF1600RoundConstants[i]; \ + Ca = E##ba; \ + E##be = Bbe ^((~Bbi)& Bbo ); \ + Ce = E##be; \ + E##bi = Bbi ^((~Bbo)& Bbu ); \ + Ci = E##bi; \ + E##bo = Bbo ^((~Bbu)& Bba ); \ + Co = E##bo; \ + E##bu = Bbu ^((~Bba)& Bbe ); \ + Cu = E##bu; \ +\ + A##bo ^= Do; \ + Bga = ROL64(A##bo, 28); \ + A##gu ^= Du; \ + Bge = ROL64(A##gu, 20); \ + A##ka ^= Da; \ + Bgi = ROL64(A##ka, 3); \ + A##me ^= De; \ + Bgo = ROL64(A##me, 45); \ + A##si ^= Di; \ + Bgu = ROL64(A##si, 61); \ + E##ga = Bga ^((~Bge)& Bgi ); \ + Ca ^= E##ga; \ + E##ge = Bge ^((~Bgi)& Bgo ); \ + Ce ^= E##ge; \ + E##gi = Bgi ^((~Bgo)& Bgu ); \ + Ci ^= E##gi; \ + E##go = Bgo ^((~Bgu)& Bga ); \ + Co ^= E##go; \ + E##gu = Bgu ^((~Bga)& Bge ); \ + Cu ^= E##gu; \ +\ + A##be ^= De; \ + Bka = ROL64(A##be, 1); \ + A##gi ^= Di; \ + Bke = ROL64(A##gi, 6); \ + A##ko ^= Do; \ + Bki = ROL64(A##ko, 25); \ + A##mu ^= Du; \ + Bko = ROL64(A##mu, 
8); \ + A##sa ^= Da; \ + Bku = ROL64(A##sa, 18); \ + E##ka = Bka ^((~Bke)& Bki ); \ + Ca ^= E##ka; \ + E##ke = Bke ^((~Bki)& Bko ); \ + Ce ^= E##ke; \ + E##ki = Bki ^((~Bko)& Bku ); \ + Ci ^= E##ki; \ + E##ko = Bko ^((~Bku)& Bka ); \ + Co ^= E##ko; \ + E##ku = Bku ^((~Bka)& Bke ); \ + Cu ^= E##ku; \ +\ + A##bu ^= Du; \ + Bma = ROL64(A##bu, 27); \ + A##ga ^= Da; \ + Bme = ROL64(A##ga, 36); \ + A##ke ^= De; \ + Bmi = ROL64(A##ke, 10); \ + A##mi ^= Di; \ + Bmo = ROL64(A##mi, 15); \ + A##so ^= Do; \ + Bmu = ROL64(A##so, 56); \ + E##ma = Bma ^((~Bme)& Bmi ); \ + Ca ^= E##ma; \ + E##me = Bme ^((~Bmi)& Bmo ); \ + Ce ^= E##me; \ + E##mi = Bmi ^((~Bmo)& Bmu ); \ + Ci ^= E##mi; \ + E##mo = Bmo ^((~Bmu)& Bma ); \ + Co ^= E##mo; \ + E##mu = Bmu ^((~Bma)& Bme ); \ + Cu ^= E##mu; \ +\ + A##bi ^= Di; \ + Bsa = ROL64(A##bi, 62); \ + A##go ^= Do; \ + Bse = ROL64(A##go, 55); \ + A##ku ^= Du; \ + Bsi = ROL64(A##ku, 39); \ + A##ma ^= Da; \ + Bso = ROL64(A##ma, 41); \ + A##se ^= De; \ + Bsu = ROL64(A##se, 2); \ + E##sa = Bsa ^((~Bse)& Bsi ); \ + Ca ^= E##sa; \ + E##se = Bse ^((~Bsi)& Bso ); \ + Ce ^= E##se; \ + E##si = Bsi ^((~Bso)& Bsu ); \ + Ci ^= E##si; \ + E##so = Bso ^((~Bsu)& Bsa ); \ + Co ^= E##so; \ + E##su = Bsu ^((~Bsa)& Bse ); \ + Cu ^= E##su; \ +\ + +/* --- Code for round */ +/* --- 64-bit lanes mapped to 64-bit words */ +#define thetaRhoPiChiIota(i, A, E) \ + Da = Cu^ROL64(Ce, 1); \ + De = Ca^ROL64(Ci, 1); \ + Di = Ce^ROL64(Co, 1); \ + Do = Ci^ROL64(Cu, 1); \ + Du = Co^ROL64(Ca, 1); \ +\ + A##ba ^= Da; \ + Bba = A##ba; \ + A##ge ^= De; \ + Bbe = ROL64(A##ge, 44); \ + A##ki ^= Di; \ + Bbi = ROL64(A##ki, 43); \ + A##mo ^= Do; \ + Bbo = ROL64(A##mo, 21); \ + A##su ^= Du; \ + Bbu = ROL64(A##su, 14); \ + E##ba = Bba ^((~Bbe)& Bbi ); \ + E##ba ^= KeccakF1600RoundConstants[i]; \ + E##be = Bbe ^((~Bbi)& Bbo ); \ + E##bi = Bbi ^((~Bbo)& Bbu ); \ + E##bo = Bbo ^((~Bbu)& Bba ); \ + E##bu = Bbu ^((~Bba)& Bbe ); \ +\ + A##bo ^= Do; \ + Bga = ROL64(A##bo, 28); \ + A##gu ^= Du; \ + Bge = 
ROL64(A##gu, 20); \ + A##ka ^= Da; \ + Bgi = ROL64(A##ka, 3); \ + A##me ^= De; \ + Bgo = ROL64(A##me, 45); \ + A##si ^= Di; \ + Bgu = ROL64(A##si, 61); \ + E##ga = Bga ^((~Bge)& Bgi ); \ + E##ge = Bge ^((~Bgi)& Bgo ); \ + E##gi = Bgi ^((~Bgo)& Bgu ); \ + E##go = Bgo ^((~Bgu)& Bga ); \ + E##gu = Bgu ^((~Bga)& Bge ); \ +\ + A##be ^= De; \ + Bka = ROL64(A##be, 1); \ + A##gi ^= Di; \ + Bke = ROL64(A##gi, 6); \ + A##ko ^= Do; \ + Bki = ROL64(A##ko, 25); \ + A##mu ^= Du; \ + Bko = ROL64(A##mu, 8); \ + A##sa ^= Da; \ + Bku = ROL64(A##sa, 18); \ + E##ka = Bka ^((~Bke)& Bki ); \ + E##ke = Bke ^((~Bki)& Bko ); \ + E##ki = Bki ^((~Bko)& Bku ); \ + E##ko = Bko ^((~Bku)& Bka ); \ + E##ku = Bku ^((~Bka)& Bke ); \ +\ + A##bu ^= Du; \ + Bma = ROL64(A##bu, 27); \ + A##ga ^= Da; \ + Bme = ROL64(A##ga, 36); \ + A##ke ^= De; \ + Bmi = ROL64(A##ke, 10); \ + A##mi ^= Di; \ + Bmo = ROL64(A##mi, 15); \ + A##so ^= Do; \ + Bmu = ROL64(A##so, 56); \ + E##ma = Bma ^((~Bme)& Bmi ); \ + E##me = Bme ^((~Bmi)& Bmo ); \ + E##mi = Bmi ^((~Bmo)& Bmu ); \ + E##mo = Bmo ^((~Bmu)& Bma ); \ + E##mu = Bmu ^((~Bma)& Bme ); \ +\ + A##bi ^= Di; \ + Bsa = ROL64(A##bi, 62); \ + A##go ^= Do; \ + Bse = ROL64(A##go, 55); \ + A##ku ^= Du; \ + Bsi = ROL64(A##ku, 39); \ + A##ma ^= Da; \ + Bso = ROL64(A##ma, 41); \ + A##se ^= De; \ + Bsu = ROL64(A##se, 2); \ + E##sa = Bsa ^((~Bse)& Bsi ); \ + E##se = Bse ^((~Bsi)& Bso ); \ + E##si = Bsi ^((~Bso)& Bsu ); \ + E##so = Bso ^((~Bsu)& Bsa ); \ + E##su = Bsu ^((~Bsa)& Bse ); \ +\ + +#endif /* UseBebigokimisa */ + +#define copyFromState(X, state) \ + X##ba = state[ 0]; \ + X##be = state[ 1]; \ + X##bi = state[ 2]; \ + X##bo = state[ 3]; \ + X##bu = state[ 4]; \ + X##ga = state[ 5]; \ + X##ge = state[ 6]; \ + X##gi = state[ 7]; \ + X##go = state[ 8]; \ + X##gu = state[ 9]; \ + X##ka = state[10]; \ + X##ke = state[11]; \ + X##ki = state[12]; \ + X##ko = state[13]; \ + X##ku = state[14]; \ + X##ma = state[15]; \ + X##me = state[16]; \ + X##mi = state[17]; \ + X##mo = 
state[18]; \ + X##mu = state[19]; \ + X##sa = state[20]; \ + X##se = state[21]; \ + X##si = state[22]; \ + X##so = state[23]; \ + X##su = state[24]; \ + +#define copyToState(state, X) \ + state[ 0] = X##ba; \ + state[ 1] = X##be; \ + state[ 2] = X##bi; \ + state[ 3] = X##bo; \ + state[ 4] = X##bu; \ + state[ 5] = X##ga; \ + state[ 6] = X##ge; \ + state[ 7] = X##gi; \ + state[ 8] = X##go; \ + state[ 9] = X##gu; \ + state[10] = X##ka; \ + state[11] = X##ke; \ + state[12] = X##ki; \ + state[13] = X##ko; \ + state[14] = X##ku; \ + state[15] = X##ma; \ + state[16] = X##me; \ + state[17] = X##mi; \ + state[18] = X##mo; \ + state[19] = X##mu; \ + state[20] = X##sa; \ + state[21] = X##se; \ + state[22] = X##si; \ + state[23] = X##so; \ + state[24] = X##su; \ + +#define copyStateVariables(X, Y) \ + X##ba = Y##ba; \ + X##be = Y##be; \ + X##bi = Y##bi; \ + X##bo = Y##bo; \ + X##bu = Y##bu; \ + X##ga = Y##ga; \ + X##ge = Y##ge; \ + X##gi = Y##gi; \ + X##go = Y##go; \ + X##gu = Y##gu; \ + X##ka = Y##ka; \ + X##ke = Y##ke; \ + X##ki = Y##ki; \ + X##ko = Y##ko; \ + X##ku = Y##ku; \ + X##ma = Y##ma; \ + X##me = Y##me; \ + X##mi = Y##mi; \ + X##mo = Y##mo; \ + X##mu = Y##mu; \ + X##sa = Y##sa; \ + X##se = Y##se; \ + X##si = Y##si; \ + X##so = Y##so; \ + X##su = Y##su; \ + +#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) +#define HTOLE64(x) (x) +#else +#define HTOLE64(x) (\ + ((x & 0xff00000000000000ull) >> 56) | \ + ((x & 0x00ff000000000000ull) >> 40) | \ + ((x & 0x0000ff0000000000ull) >> 24) | \ + ((x & 0x000000ff00000000ull) >> 8) | \ + ((x & 0x00000000ff000000ull) << 8) | \ + ((x & 0x0000000000ff0000ull) << 24) | \ + ((x & 0x000000000000ff00ull) << 40) | \ + ((x & 0x00000000000000ffull) << 56)) +#endif + +#define addInput(X, input, laneCount) \ + if (laneCount == 21) { \ + X##ba ^= HTOLE64(input[ 0]); \ + X##be ^= HTOLE64(input[ 1]); \ + X##bi ^= HTOLE64(input[ 2]); \ + X##bo ^= HTOLE64(input[ 3]); \ + X##bu ^= HTOLE64(input[ 4]); \ + X##ga ^= HTOLE64(input[ 5]); \ + X##ge ^= 
HTOLE64(input[ 6]); \ + X##gi ^= HTOLE64(input[ 7]); \ + X##go ^= HTOLE64(input[ 8]); \ + X##gu ^= HTOLE64(input[ 9]); \ + X##ka ^= HTOLE64(input[10]); \ + X##ke ^= HTOLE64(input[11]); \ + X##ki ^= HTOLE64(input[12]); \ + X##ko ^= HTOLE64(input[13]); \ + X##ku ^= HTOLE64(input[14]); \ + X##ma ^= HTOLE64(input[15]); \ + X##me ^= HTOLE64(input[16]); \ + X##mi ^= HTOLE64(input[17]); \ + X##mo ^= HTOLE64(input[18]); \ + X##mu ^= HTOLE64(input[19]); \ + X##sa ^= HTOLE64(input[20]); \ + } \ + else if (laneCount < 16) { \ + if (laneCount < 8) { \ + if (laneCount < 4) { \ + if (laneCount < 2) { \ + if (laneCount < 1) { \ + } \ + else { \ + X##ba ^= HTOLE64(input[ 0]); \ + } \ + } \ + else { \ + X##ba ^= HTOLE64(input[ 0]); \ + X##be ^= HTOLE64(input[ 1]); \ + if (laneCount < 3) { \ + } \ + else { \ + X##bi ^= HTOLE64(input[ 2]); \ + } \ + } \ + } \ + else { \ + X##ba ^= HTOLE64(input[ 0]); \ + X##be ^= HTOLE64(input[ 1]); \ + X##bi ^= HTOLE64(input[ 2]); \ + X##bo ^= HTOLE64(input[ 3]); \ + if (laneCount < 6) { \ + if (laneCount < 5) { \ + } \ + else { \ + X##bu ^= HTOLE64(input[ 4]); \ + } \ + } \ + else { \ + X##bu ^= HTOLE64(input[ 4]); \ + X##ga ^= HTOLE64(input[ 5]); \ + if (laneCount < 7) { \ + } \ + else { \ + X##ge ^= HTOLE64(input[ 6]); \ + } \ + } \ + } \ + } \ + else { \ + X##ba ^= HTOLE64(input[ 0]); \ + X##be ^= HTOLE64(input[ 1]); \ + X##bi ^= HTOLE64(input[ 2]); \ + X##bo ^= HTOLE64(input[ 3]); \ + X##bu ^= HTOLE64(input[ 4]); \ + X##ga ^= HTOLE64(input[ 5]); \ + X##ge ^= HTOLE64(input[ 6]); \ + X##gi ^= HTOLE64(input[ 7]); \ + if (laneCount < 12) { \ + if (laneCount < 10) { \ + if (laneCount < 9) { \ + } \ + else { \ + X##go ^= HTOLE64(input[ 8]); \ + } \ + } \ + else { \ + X##go ^= HTOLE64(input[ 8]); \ + X##gu ^= HTOLE64(input[ 9]); \ + if (laneCount < 11) { \ + } \ + else { \ + X##ka ^= HTOLE64(input[10]); \ + } \ + } \ + } \ + else { \ + X##go ^= HTOLE64(input[ 8]); \ + X##gu ^= HTOLE64(input[ 9]); \ + X##ka ^= HTOLE64(input[10]); \ + X##ke ^= 
HTOLE64(input[11]); \ + if (laneCount < 14) { \ + if (laneCount < 13) { \ + } \ + else { \ + X##ki ^= HTOLE64(input[12]); \ + } \ + } \ + else { \ + X##ki ^= HTOLE64(input[12]); \ + X##ko ^= HTOLE64(input[13]); \ + if (laneCount < 15) { \ + } \ + else { \ + X##ku ^= HTOLE64(input[14]); \ + } \ + } \ + } \ + } \ + } \ + else { \ + X##ba ^= HTOLE64(input[ 0]); \ + X##be ^= HTOLE64(input[ 1]); \ + X##bi ^= HTOLE64(input[ 2]); \ + X##bo ^= HTOLE64(input[ 3]); \ + X##bu ^= HTOLE64(input[ 4]); \ + X##ga ^= HTOLE64(input[ 5]); \ + X##ge ^= HTOLE64(input[ 6]); \ + X##gi ^= HTOLE64(input[ 7]); \ + X##go ^= HTOLE64(input[ 8]); \ + X##gu ^= HTOLE64(input[ 9]); \ + X##ka ^= HTOLE64(input[10]); \ + X##ke ^= HTOLE64(input[11]); \ + X##ki ^= HTOLE64(input[12]); \ + X##ko ^= HTOLE64(input[13]); \ + X##ku ^= HTOLE64(input[14]); \ + X##ma ^= HTOLE64(input[15]); \ + if (laneCount < 24) { \ + if (laneCount < 20) { \ + if (laneCount < 18) { \ + if (laneCount < 17) { \ + } \ + else { \ + X##me ^= HTOLE64(input[16]); \ + } \ + } \ + else { \ + X##me ^= HTOLE64(input[16]); \ + X##mi ^= HTOLE64(input[17]); \ + if (laneCount < 19) { \ + } \ + else { \ + X##mo ^= HTOLE64(input[18]); \ + } \ + } \ + } \ + else { \ + X##me ^= HTOLE64(input[16]); \ + X##mi ^= HTOLE64(input[17]); \ + X##mo ^= HTOLE64(input[18]); \ + X##mu ^= HTOLE64(input[19]); \ + if (laneCount < 22) { \ + if (laneCount < 21) { \ + } \ + else { \ + X##sa ^= HTOLE64(input[20]); \ + } \ + } \ + else { \ + X##sa ^= HTOLE64(input[20]); \ + X##se ^= HTOLE64(input[21]); \ + if (laneCount < 23) { \ + } \ + else { \ + X##si ^= HTOLE64(input[22]); \ + } \ + } \ + } \ + } \ + else { \ + X##me ^= HTOLE64(input[16]); \ + X##mi ^= HTOLE64(input[17]); \ + X##mo ^= HTOLE64(input[18]); \ + X##mu ^= HTOLE64(input[19]); \ + X##sa ^= HTOLE64(input[20]); \ + X##se ^= HTOLE64(input[21]); \ + X##si ^= HTOLE64(input[22]); \ + X##so ^= HTOLE64(input[23]); \ + if (laneCount < 25) { \ + } \ + else { \ + X##su ^= HTOLE64(input[24]); \ + } \ + } \ + }
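Review bot: the big-endian branch of `HTOLE64(x)` uses its argument unparenthesized in `((x & 0xff00000000000000ull) >> 56)` and the seven sibling terms, so any argument with lower precedence than `&` (an addition, a conditional) would be mis-evaluated; write each term as `((x) & 0xff00000000000000ull)` or, better, evaluate the argument once into a local before swapping. The round macros also assume `ROL64` and `KeccakF1600RoundConstants` are defined by the including translation unit, and `addInput` assumes `laneCount` is in 0..25 (21 lanes, the 168-byte SHAKE128 rate, is fast-pathed); a header comment listing those prerequisites would make the file self-describing. Style: the `UseBebigokimisa` and plain variants of `thetaRhoPiChiIota` are near-duplicates differing only in the chi expressions, which is fine for a performance-tuned reference port, but a comment noting that the two must be kept in sync would help future edits.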
ext/sha3/lib/low/KeccakP-1600/common/KeccakP-1600-unrolling.macros+305 −0 added@@ -0,0 +1,305 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +The Keccak-p permutations, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by Gilles Van Assche and Ronny Van Keer, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ +*/ + +#if (defined(FullUnrolling)) +#define rounds24 \ + prepareTheta \ + thetaRhoPiChiIotaPrepareTheta( 0, A, E) \ + thetaRhoPiChiIotaPrepareTheta( 1, E, A) \ + thetaRhoPiChiIotaPrepareTheta( 2, A, E) \ + thetaRhoPiChiIotaPrepareTheta( 3, E, A) \ + thetaRhoPiChiIotaPrepareTheta( 4, A, E) \ + thetaRhoPiChiIotaPrepareTheta( 5, E, A) \ + thetaRhoPiChiIotaPrepareTheta( 6, A, E) \ + thetaRhoPiChiIotaPrepareTheta( 7, E, A) \ + thetaRhoPiChiIotaPrepareTheta( 8, A, E) \ + thetaRhoPiChiIotaPrepareTheta( 9, E, A) \ + thetaRhoPiChiIotaPrepareTheta(10, A, E) \ + thetaRhoPiChiIotaPrepareTheta(11, E, A) \ + thetaRhoPiChiIotaPrepareTheta(12, A, E) \ + thetaRhoPiChiIotaPrepareTheta(13, E, A) \ + thetaRhoPiChiIotaPrepareTheta(14, A, E) \ + thetaRhoPiChiIotaPrepareTheta(15, E, A) \ + thetaRhoPiChiIotaPrepareTheta(16, A, E) \ + thetaRhoPiChiIotaPrepareTheta(17, E, A) \ + thetaRhoPiChiIotaPrepareTheta(18, A, E) \ + thetaRhoPiChiIotaPrepareTheta(19, E, A) \ + thetaRhoPiChiIotaPrepareTheta(20, A, E) \ + thetaRhoPiChiIotaPrepareTheta(21, E, A) \ + thetaRhoPiChiIotaPrepareTheta(22, A, E) \ + thetaRhoPiChiIota(23, E, A) \ + +#define rounds12 \ + prepareTheta \ + thetaRhoPiChiIotaPrepareTheta(12, A, E) \ + thetaRhoPiChiIotaPrepareTheta(13, E, A) \ + thetaRhoPiChiIotaPrepareTheta(14, A, E) \ + 
thetaRhoPiChiIotaPrepareTheta(15, E, A) \ + thetaRhoPiChiIotaPrepareTheta(16, A, E) \ + thetaRhoPiChiIotaPrepareTheta(17, E, A) \ + thetaRhoPiChiIotaPrepareTheta(18, A, E) \ + thetaRhoPiChiIotaPrepareTheta(19, E, A) \ + thetaRhoPiChiIotaPrepareTheta(20, A, E) \ + thetaRhoPiChiIotaPrepareTheta(21, E, A) \ + thetaRhoPiChiIotaPrepareTheta(22, A, E) \ + thetaRhoPiChiIota(23, E, A) \ + +#define rounds6 \ + prepareTheta \ + thetaRhoPiChiIotaPrepareTheta(18, A, E) \ + thetaRhoPiChiIotaPrepareTheta(19, E, A) \ + thetaRhoPiChiIotaPrepareTheta(20, A, E) \ + thetaRhoPiChiIotaPrepareTheta(21, E, A) \ + thetaRhoPiChiIotaPrepareTheta(22, A, E) \ + thetaRhoPiChiIota(23, E, A) \ + +#define rounds4 \ + prepareTheta \ + thetaRhoPiChiIotaPrepareTheta(20, A, E) \ + thetaRhoPiChiIotaPrepareTheta(21, E, A) \ + thetaRhoPiChiIotaPrepareTheta(22, A, E) \ + thetaRhoPiChiIota(23, E, A) \ + +#elif (Unrolling == 12) +#define rounds24 \ + prepareTheta \ + for(i=0; i<24; i+=12) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+ 1, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+ 2, A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+ 3, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+ 4, A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+ 5, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+ 6, A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+ 7, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+ 8, A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+ 9, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+10, A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+11, E, A) \ + } \ + +#define rounds12 \ + prepareTheta \ + thetaRhoPiChiIotaPrepareTheta(12, A, E) \ + thetaRhoPiChiIotaPrepareTheta(13, E, A) \ + thetaRhoPiChiIotaPrepareTheta(14, A, E) \ + thetaRhoPiChiIotaPrepareTheta(15, E, A) \ + thetaRhoPiChiIotaPrepareTheta(16, A, E) \ + thetaRhoPiChiIotaPrepareTheta(17, E, A) \ + thetaRhoPiChiIotaPrepareTheta(18, A, E) \ + thetaRhoPiChiIotaPrepareTheta(19, E, A) \ + thetaRhoPiChiIotaPrepareTheta(20, A, E) \ + thetaRhoPiChiIotaPrepareTheta(21, E, A) 
\ + thetaRhoPiChiIotaPrepareTheta(22, A, E) \ + thetaRhoPiChiIota(23, E, A) \ + +#define rounds6 \ + prepareTheta \ + thetaRhoPiChiIotaPrepareTheta(18, A, E) \ + thetaRhoPiChiIotaPrepareTheta(19, E, A) \ + thetaRhoPiChiIotaPrepareTheta(20, A, E) \ + thetaRhoPiChiIotaPrepareTheta(21, E, A) \ + thetaRhoPiChiIotaPrepareTheta(22, A, E) \ + thetaRhoPiChiIota(23, E, A) \ + +#define rounds4 \ + prepareTheta \ + thetaRhoPiChiIotaPrepareTheta(20, A, E) \ + thetaRhoPiChiIotaPrepareTheta(21, E, A) \ + thetaRhoPiChiIotaPrepareTheta(22, A, E) \ + thetaRhoPiChiIota(23, E, A) \ + +#elif (Unrolling == 6) +#define rounds24 \ + prepareTheta \ + for(i=0; i<24; i+=6) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+4, A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+5, E, A) \ + } \ + +#define rounds12 \ + prepareTheta \ + for(i=12; i<24; i+=6) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+4, A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+5, E, A) \ + } \ + +#define rounds6 \ + prepareTheta \ + thetaRhoPiChiIotaPrepareTheta(18, A, E) \ + thetaRhoPiChiIotaPrepareTheta(19, E, A) \ + thetaRhoPiChiIotaPrepareTheta(20, A, E) \ + thetaRhoPiChiIotaPrepareTheta(21, E, A) \ + thetaRhoPiChiIotaPrepareTheta(22, A, E) \ + thetaRhoPiChiIota(23, E, A) \ + +#define rounds4 \ + prepareTheta \ + thetaRhoPiChiIotaPrepareTheta(20, A, E) \ + thetaRhoPiChiIotaPrepareTheta(21, E, A) \ + thetaRhoPiChiIotaPrepareTheta(22, A, E) \ + thetaRhoPiChiIota(23, E, A) \ + +#elif (Unrolling == 4) +#define rounds24 \ + prepareTheta \ + for(i=0; i<24; i+=4) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \ + 
thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \ + } \ + +#define rounds12 \ + prepareTheta \ + for(i=12; i<24; i+=4) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \ + } \ + +#define rounds6 \ + prepareTheta \ + for(i=18; i<24; i+=2) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + } \ + +#define rounds4 \ + prepareTheta \ + thetaRhoPiChiIotaPrepareTheta(20, A, E) \ + thetaRhoPiChiIotaPrepareTheta(21, E, A) \ + thetaRhoPiChiIotaPrepareTheta(22, A, E) \ + thetaRhoPiChiIota(23, E, A) \ + +#elif (Unrolling == 3) +#define rounds24 \ + prepareTheta \ + for(i=0; i<24; i+=3) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \ + copyStateVariables(A, E) \ + } \ + +#define rounds12 \ + prepareTheta \ + for(i=12; i<24; i+=3) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \ + copyStateVariables(A, E) \ + } \ + +#define rounds6 \ + prepareTheta \ + for(i=18; i<24; i+=3) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \ + copyStateVariables(A, E) \ + } \ + +#define rounds4 \ + prepareTheta \ + for(i=20; i<24; i+=2) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + } \ + +#elif (Unrolling == 2) +#define rounds24 \ + prepareTheta \ + for(i=0; i<24; i+=2) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + } \ + +#define rounds12 \ + prepareTheta \ + for(i=12; i<24; i+=2) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + } \ + +#define rounds6 \ + prepareTheta \ + for(i=18; i<24; i+=2) { \ + 
thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + } \ + +#define rounds4 \ + prepareTheta \ + for(i=20; i<24; i+=2) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + } \ + +#elif (Unrolling == 1) +#define rounds24 \ + prepareTheta \ + for(i=0; i<24; i++) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + copyStateVariables(A, E) \ + } \ + +#define rounds12 \ + prepareTheta \ + for(i=12; i<24; i++) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + copyStateVariables(A, E) \ + } \ + +#define rounds6 \ + prepareTheta \ + for(i=18; i<24; i++) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + copyStateVariables(A, E) \ + } \ + +#define rounds4 \ + prepareTheta \ + for(i=20; i<24; i++) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + copyStateVariables(A, E) \ + } \ + +#else +#error "Unrolling is not correctly specified!" +#endif + +#define roundsN(__nrounds) \ + prepareTheta \ + i = 24 - (__nrounds); \ + if ((i&1) != 0) { \ + thetaRhoPiChiIotaPrepareTheta(i, A, E) \ + copyStateVariables(A, E) \ + ++i; \ + } \ + for( /* empty */; i<24; i+=2) { \ + thetaRhoPiChiIotaPrepareTheta(i , A, E) \ + thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ + }
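Review bot: `roundsN(__nrounds)` computes `i = 24 - (__nrounds);` with no guard, so a caller passing nrounds > 24 makes `i` wrap or go negative depending on its declared type, after which the loop `for( /* empty */; i<24; i+=2)` is either skipped or indexes KeccakF1600RoundConstants out of range; add a DEBUG assert or document that callers must enforce 0 <= nrounds <= 24 (the Permute_Nrounds entry point is the natural place). Style: `__nrounds` is a reserved identifier (leading double underscore) and should be renamed, e.g. `nrounds_`; every `rounds*` macro also relies on a loop variable `i` declared in the caller's scope, which the header comment should state.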
ext/sha3/lib/low/KeccakP-1600/ref-32bits/KeccakP-1600-reference32BI.c+625 −0 added@@ -0,0 +1,625 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +The Keccak-p permutations, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by the designers, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ + +--- + +This file implements Keccak-p[1600] in a SnP-compatible way. +Please refer to SnP-documentation.h for more details. + +This implementation comes with KeccakP-1600-SnP.h in the same folder. +Please refer to LowLevel.build for the exact list of other files it must be combined with. +*/ + +#if DEBUG +#include <assert.h> +#endif +#include <stdint.h> +#include <stdio.h> +#include <string.h> +#include "brg_endian.h" +#ifdef KeccakReference +#include "displayIntermediateValues.h" +#endif + +#define maxNrRounds 24 +#define nrLanes 25 + +#ifdef KeccakReference + +static uint32_t KeccakRoundConstants[maxNrRounds][2]; +static unsigned int KeccakRhoOffsets[nrLanes]; + +#endif + +/* ---------------------------------------------------------------- */ + +void toBitInterleaving(uint32_t low, uint32_t high, uint32_t *even, uint32_t *odd); +void fromBitInterleaving(uint32_t even, uint32_t odd, uint32_t *low, uint32_t *high); + +void toBitInterleaving(uint32_t low, uint32_t high, uint32_t *even, uint32_t *odd) +{ + unsigned int i; + + *even = 0; + *odd = 0; + for(i=0; i<64; i++) { + unsigned int inBit; + if (i < 32) + inBit = (low >> i) & 1; + else + inBit = (high >> (i-32)) & 1; + if ((i % 2) == 0) + *even |= inBit << (i/2); + else + *odd |= inBit << ((i-1)/2); + } +} + +void fromBitInterleaving(uint32_t even, uint32_t 
odd, uint32_t *low, uint32_t *high) +{ + unsigned int i; + + *low = 0; + *high = 0; + for(i=0; i<64; i++) { + unsigned int inBit; + if ((i % 2) == 0) + inBit = (even >> (i/2)) & 1; + else + inBit = (odd >> ((i-1)/2)) & 1; + if (i < 32) + *low |= inBit << i; + else + *high |= inBit << (i-32); + } +} + +#ifdef KeccakReference + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_InitializeRoundConstants(void); +void KeccakP1600_InitializeRhoOffsets(void); +static int LFSR86540(uint8_t *LFSR); + +void KeccakP1600_StaticInitialize(void) +{ + KeccakP1600_InitializeRoundConstants(); + KeccakP1600_InitializeRhoOffsets(); +} + +void KeccakP1600_InitializeRoundConstants(void) +{ + uint8_t LFSRstate = 0x01; + unsigned int i, j, bitPosition; + uint32_t low, high; + + for(i=0; i<maxNrRounds; i++) { + low = high = 0; + for(j=0; j<7; j++) { + bitPosition = (1<<j)-1; /* 2^j-1 */ + if (LFSR86540(&LFSRstate)) { + if (bitPosition < 32) + low ^= (uint32_t)1 << bitPosition; + else + high ^= (uint32_t)1 << (bitPosition-32); + } + } + toBitInterleaving(low, high, &(KeccakRoundConstants[i][0]), &(KeccakRoundConstants[i][1])); + } +} + +void KeccakP1600_InitializeRhoOffsets(void) +{ + unsigned int x, y, t, newX, newY; + + KeccakRhoOffsets[0] = 0; + x = 1; + y = 0; + for(t=0; t<24; t++) { + KeccakRhoOffsets[5*y+x] = ((t+1)*(t+2)/2) % 64; + newX = (0*x+1*y) % 5; + newY = (2*x+3*y) % 5; + x = newX; + y = newY; + } +} + +static int LFSR86540(uint8_t *LFSR) +{ + int result = ((*LFSR) & 0x01) != 0; + if (((*LFSR) & 0x80) != 0) + /* Primitive polynomial over GF(2): x^8+x^6+x^5+x^4+1 */ + (*LFSR) = ((*LFSR) << 1) ^ 0x71; + else + (*LFSR) <<= 1; + return result; +} + +#else + +static const uint32_t KeccakRoundConstants[maxNrRounds][2] = +{ + 0x00000001, 0x00000000, + 0x00000000, 0x00000089, + 0x00000000, 0x8000008B, + 0x00000000, 0x80008080, + 0x00000001, 0x0000008B, + 0x00000001, 0x00008000, + 0x00000001, 0x80008088, + 0x00000001, 0x80000082, + 0x00000000, 
0x0000000B, + 0x00000000, 0x0000000A, + 0x00000001, 0x00008082, + 0x00000000, 0x00008003, + 0x00000001, 0x0000808B, + 0x00000001, 0x8000000B, + 0x00000001, 0x8000008A, + 0x00000001, 0x80000081, + 0x00000000, 0x80000081, + 0x00000000, 0x80000008, + 0x00000000, 0x00000083, + 0x00000000, 0x80008003, + 0x00000001, 0x80008088, + 0x00000000, 0x80000088, + 0x00000001, 0x00008000, + 0x00000000, 0x80008082 +}; + +static const unsigned int KeccakRhoOffsets[nrLanes] = +{ + 0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14 +}; + +#endif + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_Initialize(void *state) +{ + memset(state, 0, 1600/8); +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_AddBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length); + +void KeccakP1600_AddByte(void *state, unsigned char byte, unsigned int offset) +{ + unsigned char data[1]; + + #if DEBUG + assert(offset < 200); + #endif + data[0] = byte; + KeccakP1600_AddBytes(state, data, offset, 1); +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_AddBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length) +{ + if ((lanePosition < 25) && (offset < 8) && (offset+length <= 8)) { + uint8_t laneAsBytes[8]; + uint32_t low, high; + uint32_t lane[2]; + uint32_t *stateAsHalfLanes; + + memset(laneAsBytes, 0, 8); + memcpy(laneAsBytes+offset, data, length); + low = laneAsBytes[0] + | ((uint32_t)(laneAsBytes[1]) << 8) + | ((uint32_t)(laneAsBytes[2]) << 16) + | ((uint32_t)(laneAsBytes[3]) << 24); + high = laneAsBytes[4] + | ((uint32_t)(laneAsBytes[5]) << 8) + | ((uint32_t)(laneAsBytes[6]) << 16) + | ((uint32_t)(laneAsBytes[7]) << 24); + toBitInterleaving(low, high, lane, lane+1); + stateAsHalfLanes = (uint32_t*)state; + 
stateAsHalfLanes[lanePosition*2+0] ^= lane[0]; + stateAsHalfLanes[lanePosition*2+1] ^= lane[1]; + } +} + +void KeccakP1600_AddBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length) +{ + unsigned int lanePosition = offset/8; + unsigned int offsetInLane = offset%8; + + #if DEBUG + assert(offset < 200); + assert(offset+length <= 200); + #endif + while(length > 0) { + unsigned int bytesInLane = 8 - offsetInLane; + if (bytesInLane > length) + bytesInLane = length; + KeccakP1600_AddBytesInLane(state, lanePosition, data, offsetInLane, bytesInLane); + length -= bytesInLane; + lanePosition++; + offsetInLane = 0; + data += bytesInLane; + } +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_ExtractBytesInLane(const void *state, unsigned int lanePosition, unsigned char *data, unsigned int offset, unsigned int length); + +void KeccakP1600_OverwriteBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length) +{ + if ((lanePosition < 25) && (offset < 8) && (offset+length <= 8)) { + uint8_t laneAsBytes[8]; + uint32_t low, high; + uint32_t lane[2]; + uint32_t *stateAsHalfLanes; + + KeccakP1600_ExtractBytesInLane(state, lanePosition, laneAsBytes, 0, 8); + memcpy(laneAsBytes+offset, data, length); + low = laneAsBytes[0] + | ((uint32_t)(laneAsBytes[1]) << 8) + | ((uint32_t)(laneAsBytes[2]) << 16) + | ((uint32_t)(laneAsBytes[3]) << 24); + high = laneAsBytes[4] + | ((uint32_t)(laneAsBytes[5]) << 8) + | ((uint32_t)(laneAsBytes[6]) << 16) + | ((uint32_t)(laneAsBytes[7]) << 24); + toBitInterleaving(low, high, lane, lane+1); + stateAsHalfLanes = (uint32_t*)state; + stateAsHalfLanes[lanePosition*2+0] = lane[0]; + stateAsHalfLanes[lanePosition*2+1] = lane[1]; + } +} + +void KeccakP1600_OverwriteBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length) +{ + unsigned int lanePosition = offset/8; + unsigned int offsetInLane = 
offset%8; + + #if DEBUG + assert(offset < 200); + assert(offset+length <= 200); + #endif + while(length > 0) { + unsigned int bytesInLane = 8 - offsetInLane; + if (bytesInLane > length) + bytesInLane = length; + KeccakP1600_OverwriteBytesInLane(state, lanePosition, data, offsetInLane, bytesInLane); + length -= bytesInLane; + lanePosition++; + offsetInLane = 0; + data += bytesInLane; + } +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_OverwriteWithZeroes(void *state, unsigned int byteCount) +{ + uint8_t laneAsBytes[8]; + unsigned int lanePosition = 0; + + #if DEBUG + assert(byteCount <= 200); + #endif + memset(laneAsBytes, 0, 8); + while(byteCount > 0) { + if (byteCount < 8) { + KeccakP1600_OverwriteBytesInLane(state, lanePosition, laneAsBytes, 0, byteCount); + byteCount = 0; + } + else { + uint32_t *stateAsHalfLanes = (uint32_t*)state; + stateAsHalfLanes[lanePosition*2+0] = 0; + stateAsHalfLanes[lanePosition*2+1] = 0; + byteCount -= 8; + lanePosition++; + } + } +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_PermutationOnWords(uint32_t *state, unsigned int nrRounds); +static void theta(uint32_t *A); +static void rho(uint32_t *A); +static void pi(uint32_t *A); +static void chi(uint32_t *A); +static void iota(uint32_t *A, unsigned int indexRound); +void KeccakP1600_ExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length); + +void KeccakP1600_Permute_Nrounds(void *state, unsigned int nrounds) +{ + uint32_t *stateAsHalfLanes = (uint32_t*)state; + { + uint8_t stateAsBytes[1600/8]; + KeccakP1600_ExtractBytes(state, stateAsBytes, 0, 1600/8); +#ifdef KeccakReference + displayStateAsBytes(1, "Input of permutation", stateAsBytes, 1600); +#endif + } + KeccakP1600_PermutationOnWords(stateAsHalfLanes, nrounds); + { + uint8_t stateAsBytes[1600/8]; + KeccakP1600_ExtractBytes(state, stateAsBytes, 0, 1600/8); +#ifdef KeccakReference + 
displayStateAsBytes(1, "State after permutation", stateAsBytes, 1600); +#endif + } +} + + +void KeccakP1600_Permute_12rounds(void *state) +{ + uint32_t *stateAsHalfLanes = (uint32_t*)state; + { + uint8_t stateAsBytes[1600/8]; + KeccakP1600_ExtractBytes(state, stateAsBytes, 0, 1600/8); +#ifdef KeccakReference + displayStateAsBytes(1, "Input of permutation", stateAsBytes, 1600); +#endif + } + KeccakP1600_PermutationOnWords(stateAsHalfLanes, 12); + { + uint8_t stateAsBytes[1600/8]; + KeccakP1600_ExtractBytes(state, stateAsBytes, 0, 1600/8); +#ifdef KeccakReference + displayStateAsBytes(1, "State after permutation", stateAsBytes, 1600); +#endif + } +} + +void KeccakP1600_Permute_24rounds(void *state) +{ + uint32_t *stateAsHalfLanes = (uint32_t*)state; + { + uint8_t stateAsBytes[1600/8]; + KeccakP1600_ExtractBytes(state, stateAsBytes, 0, 1600/8); +#ifdef KeccakReference + displayStateAsBytes(1, "Input of permutation", stateAsBytes, 1600); +#endif + } + KeccakP1600_PermutationOnWords(stateAsHalfLanes, 24); + { + uint8_t stateAsBytes[1600/8]; + KeccakP1600_ExtractBytes(state, stateAsBytes, 0, 1600/8); +#ifdef KeccakReference + displayStateAsBytes(1, "State after permutation", stateAsBytes, 1600); +#endif + } +} + +void KeccakP1600_PermutationOnWords(uint32_t *state, unsigned int nrRounds) +{ + unsigned int i; + +#ifdef KeccakReference + displayStateAs32bitWords(3, "Same, with lanes as pairs of 32-bit words (bit interleaving)", state); +#endif + + for(i=(maxNrRounds-nrRounds); i<maxNrRounds; i++) { +#ifdef KeccakReference + displayRoundNumber(3, i); +#endif + + theta(state); +#ifdef KeccakReference + displayStateAs32bitWords(3, "After theta", state); +#endif + + rho(state); +#ifdef KeccakReference + displayStateAs32bitWords(3, "After rho", state); +#endif + + pi(state); +#ifdef KeccakReference + displayStateAs32bitWords(3, "After pi", state); +#endif + + chi(state); +#ifdef KeccakReference + displayStateAs32bitWords(3, "After chi", state); +#endif + + iota(state, i); 
+#ifdef KeccakReference + displayStateAs32bitWords(3, "After iota", state); +#endif + } +} + +#define index(x, y,z) ((((x)%5)+5*((y)%5))*2 + z) +#define ROL32(a, offset) ((offset != 0) ? ((((uint32_t)a) << offset) ^ (((uint32_t)a) >> (32-offset))) : a) + +void ROL64(uint32_t inEven, uint32_t inOdd, uint32_t *outEven, uint32_t *outOdd, unsigned int offset) +{ + if ((offset % 2) == 0) { + *outEven = ROL32(inEven, offset/2); + *outOdd = ROL32(inOdd, offset/2); + } + else { + *outEven = ROL32(inOdd, (offset+1)/2); + *outOdd = ROL32(inEven, (offset-1)/2); + } +} + +static void theta(uint32_t *A) +{ + unsigned int x, y, z; + uint32_t C[5][2], D[5][2]; + + for(x=0; x<5; x++) { + for(z=0; z<2; z++) { + C[x][z] = 0; + for(y=0; y<5; y++) + C[x][z] ^= A[index(x, y, z)]; + } + } + for(x=0; x<5; x++) { + ROL64(C[(x+1)%5][0], C[(x+1)%5][1], &(D[x][0]), &(D[x][1]), 1); + for(z=0; z<2; z++) + D[x][z] ^= C[(x+4)%5][z]; + } + for(x=0; x<5; x++) + for(y=0; y<5; y++) + for(z=0; z<2; z++) + A[index(x, y, z)] ^= D[x][z]; +} + +static void rho(uint32_t *A) +{ + unsigned int x, y; + + for(x=0; x<5; x++) for(y=0; y<5; y++) + ROL64(A[index(x, y, 0)], A[index(x, y, 1)], &(A[index(x, y, 0)]), &(A[index(x, y, 1)]), KeccakRhoOffsets[5*y+x]); +} + +static void pi(uint32_t *A) +{ + unsigned int x, y, z; + uint32_t tempA[50]; + + for(x=0; x<5; x++) for(y=0; y<5; y++) for(z=0; z<2; z++) + tempA[index(x, y, z)] = A[index(x, y, z)]; + for(x=0; x<5; x++) for(y=0; y<5; y++) for(z=0; z<2; z++) + A[index(0*x+1*y, 2*x+3*y, z)] = tempA[index(x, y, z)]; +} + +static void chi(uint32_t *A) +{ + unsigned int x, y, z; + uint32_t C[5][2]; + + for(y=0; y<5; y++) { + for(x=0; x<5; x++) + for(z=0; z<2; z++) + C[x][z] = A[index(x, y, z)] ^ ((~A[index(x+1, y, z)]) & A[index(x+2, y, z)]); + for(x=0; x<5; x++) + for(z=0; z<2; z++) + A[index(x, y, z)] = C[x][z]; + } +} + +static void iota(uint32_t *A, unsigned int indexRound) +{ + A[index(0, 0, 0)] ^= KeccakRoundConstants[indexRound][0]; + A[index(0, 0, 1)] ^= 
KeccakRoundConstants[indexRound][1]; +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_ExtractBytesInLane(const void *state, unsigned int lanePosition, unsigned char *data, unsigned int offset, unsigned int length) +{ + if ((lanePosition < 25) && (offset < 8) && (offset+length <= 8)) { + uint32_t *stateAsHalfLanes = (uint32_t*)state; + uint32_t lane[2]; + uint8_t laneAsBytes[8]; + fromBitInterleaving(stateAsHalfLanes[lanePosition*2], stateAsHalfLanes[lanePosition*2+1], lane, lane+1); + laneAsBytes[0] = lane[0] & 0xFF; + laneAsBytes[1] = (lane[0] >> 8) & 0xFF; + laneAsBytes[2] = (lane[0] >> 16) & 0xFF; + laneAsBytes[3] = (lane[0] >> 24) & 0xFF; + laneAsBytes[4] = lane[1] & 0xFF; + laneAsBytes[5] = (lane[1] >> 8) & 0xFF; + laneAsBytes[6] = (lane[1] >> 16) & 0xFF; + laneAsBytes[7] = (lane[1] >> 24) & 0xFF; + memcpy(data, laneAsBytes+offset, length); + } +} + +void KeccakP1600_ExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length) +{ + unsigned int lanePosition = offset/8; + unsigned int offsetInLane = offset%8; + + #if DEBUG + assert(offset < 200); + assert(offset+length <= 200); + #endif + while(length > 0) { + unsigned int bytesInLane = 8 - offsetInLane; + if (bytesInLane > length) + bytesInLane = length; + KeccakP1600_ExtractBytesInLane(state, lanePosition, data, offsetInLane, bytesInLane); + length -= bytesInLane; + lanePosition++; + offsetInLane = 0; + data += bytesInLane; + } +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_ExtractAndAddBytesInLane(const void *state, unsigned int lanePosition, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length) +{ + if ((lanePosition < 25) && (offset < 8) && (offset+length <= 8)) { + uint8_t laneAsBytes[8]; + unsigned int i; + + KeccakP1600_ExtractBytesInLane(state, lanePosition, laneAsBytes, offset, length); + for(i=0; i<length; i++) + output[i] = 
input[i] ^ laneAsBytes[i]; + } +} + +void KeccakP1600_ExtractAndAddBytes(const void *state, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length) +{ + unsigned int lanePosition = offset/8; + unsigned int offsetInLane = offset%8; + + #if DEBUG + assert(offset < 200); + assert(offset+length <= 200); + #endif + while(length > 0) { + unsigned int bytesInLane = 8 - offsetInLane; + if (bytesInLane > length) + bytesInLane = length; + KeccakP1600_ExtractAndAddBytesInLane(state, lanePosition, input, output, offsetInLane, bytesInLane); + length -= bytesInLane; + lanePosition++; + offsetInLane = 0; + input += bytesInLane; + output += bytesInLane; + } +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_DisplayRoundConstants(FILE *f) +{ + unsigned int i; + + for(i=0; i<maxNrRounds; i++) { + fprintf(f, "RC[%02i][0][0] = ", i); + fprintf(f, "%08X:%08X", (unsigned int)(KeccakRoundConstants[i][0]), (unsigned int)(KeccakRoundConstants[i][1])); + fprintf(f, "\n"); + } + fprintf(f, "\n"); +} + +void KeccakP1600_DisplayRhoOffsets(FILE *f) +{ + unsigned int x, y; + + for(y=0; y<5; y++) for(x=0; x<5; x++) { + fprintf(f, "RhoOffset[%i][%i] = ", x, y); + fprintf(f, "%2i", KeccakRhoOffsets[5*y+x]); + fprintf(f, "\n"); + } + fprintf(f, "\n"); +}
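Review bot: the only range checks on `offset`/`length` in `KeccakP1600_AddBytes`, `KeccakP1600_OverwriteBytes`, `KeccakP1600_ExtractBytes` and `KeccakP1600_ExtractAndAddBytes` are the `#if DEBUG` asserts (`assert(offset < 200); assert(offset+length <= 200);`), so a release build of this permutation layer takes the sponge layer's arguments on trust. What saves the 32-bit variant from an out-of-bounds access is the guard `if ((lanePosition < 25) && (offset < 8) && (offset+length <= 8))` in the per-lane helpers, but that guard has no else branch: when a caller hands over a bad `length`, the `while(length > 0)` loop in `KeccakP1600_AddBytes` keeps advancing `lanePosition` past 25 and every remaining chunk is dropped silently, so the caller gets a wrong digest with no error path and nothing observable at runtime. Since this file is the last line of defence for the 200-byte state, consider keeping a cheap unconditional check (or at least stating `offset + length <= KeccakP1600_stateSizeInBytes` as a hard precondition in the SnP header) instead of relying on DEBUG builds to catch it. A smaller point: `ROL32(a, offset)` uses its parameters unparenthesized (`<< offset`, `32-offset`, `offset != 0`), and `ROL64` passes it compound arguments such as `(offset+1)/2`; that only works because `/` binds tighter than `<<` and `-`, so wrapping the macro parameters in parentheses would remove the dependence on operator precedence.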
ext/sha3/lib/low/KeccakP-1600/ref-32bits/KeccakP-1600-reference.h+23 −0 added@@ -0,0 +1,23 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +The Keccak-p permutations, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by the designers, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ +*/ + +#ifndef _KeccakP_1600_reference_h_ +#define _KeccakP_1600_reference_h_ + +void KeccakP1600_DisplayRoundConstants(FILE *f); +void KeccakP1600_DisplayRhoOffsets(FILE *f); + +#endif
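Review bot: the header is not self-contained: both prototypes take a `FILE *` but nothing in the file includes `<stdio.h>`, so a translation unit that includes `KeccakP-1600-reference.h` before `<stdio.h>` fails to compile with an unknown type. Adding `#include <stdio.h>` above the prototypes fixes that and removes the implicit ordering requirement on includers.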
ext/sha3/lib/low/KeccakP-1600/ref-32bits/KeccakP-1600-SnP.h+44 −0 added@@ -0,0 +1,44 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +The Keccak-p permutations, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by the designers, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ + +--- + +Please refer to SnP-documentation.h for more details. +*/ + +#ifndef _KeccakP_1600_SnP_h_ +#define _KeccakP_1600_SnP_h_ + +#define KeccakP1600_implementation "32-bit bit-interleaved reference implementation" +#define KeccakP1600_stateSizeInBytes 200 +#define KeccakP1600_stateAlignment 4 + +#ifdef KeccakReference +void KeccakP1600_StaticInitialize( void ); +#else +#define KeccakP1600_StaticInitialize() +#endif +void KeccakP1600_Initialize(void *state); +void KeccakP1600_AddByte(void *state, unsigned char data, unsigned int offset); +void KeccakP1600_AddBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length); +void KeccakP1600_OverwriteBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length); +void KeccakP1600_OverwriteWithZeroes(void *state, unsigned int byteCount); +void KeccakP1600_Permute_Nrounds(void *state, unsigned int nrounds); +void KeccakP1600_Permute_12rounds(void *state); +void KeccakP1600_Permute_24rounds(void *state); +void KeccakP1600_ExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length); +void KeccakP1600_ExtractAndAddBytes(const void *state, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length); + +#endif
ext/sha3/lib/low/KeccakP-1600/ref-64bits/KeccakP-1600-reference.c+444 −0 added@@ -0,0 +1,444 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +The Keccak-p permutations, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by the designers, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ + +--- + +This file implements Keccak-p[1600] in a SnP-compatible way. +Please refer to SnP-documentation.h for more details. + +This implementation comes with KeccakP-1600-SnP.h in the same folder. +Please refer to LowLevel.build for the exact list of other files it must be combined with. +*/ + +#if DEBUG +#include <assert.h> +#endif +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include "brg_endian.h" +#ifdef KeccakReference +#include "displayIntermediateValues.h" +#endif + +typedef uint64_t tKeccakLane; + +#define maxNrRounds 24 +#define nrLanes 25 +#define index(x, y) (((x)%5)+5*((y)%5)) + +#ifdef KeccakReference + +static tKeccakLane KeccakRoundConstants[maxNrRounds]; +static unsigned int KeccakRhoOffsets[nrLanes]; + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_InitializeRoundConstants(void); +void KeccakP1600_InitializeRhoOffsets(void); +static int LFSR86540(uint8_t *LFSR); + +void KeccakP1600_StaticInitialize(void) +{ + if (sizeof(tKeccakLane) != 8) { + printf("tKeccakLane should be 64-bit wide\n"); + abort(); + } + KeccakP1600_InitializeRoundConstants(); + KeccakP1600_InitializeRhoOffsets(); +} + +void KeccakP1600_InitializeRoundConstants(void) +{ + uint8_t LFSRstate = 0x01; + unsigned int i, j, bitPosition; + + for(i=0; 
i<maxNrRounds; i++) { + KeccakRoundConstants[i] = 0; + for(j=0; j<7; j++) { + bitPosition = (1<<j)-1; /* 2^j-1 */ + if (LFSR86540(&LFSRstate)) + KeccakRoundConstants[i] ^= (tKeccakLane)1<<bitPosition; + } + } +} + +void KeccakP1600_InitializeRhoOffsets(void) +{ + unsigned int x, y, t, newX, newY; + + KeccakRhoOffsets[index(0, 0)] = 0; + x = 1; + y = 0; + for(t=0; t<24; t++) { + KeccakRhoOffsets[index(x, y)] = ((t+1)*(t+2)/2) % 64; + newX = (0*x+1*y) % 5; + newY = (2*x+3*y) % 5; + x = newX; + y = newY; + } +} + +static int LFSR86540(uint8_t *LFSR) +{ + int result = ((*LFSR) & 0x01) != 0; + if (((*LFSR) & 0x80) != 0) + /* Primitive polynomial over GF(2): x^8+x^6+x^5+x^4+1 */ + (*LFSR) = ((*LFSR) << 1) ^ 0x71; + else + (*LFSR) <<= 1; + return result; +} + +#else + +static const tKeccakLane KeccakRoundConstants[maxNrRounds] = +{ + 0x0000000000000001, + 0x0000000000008082, + 0x800000000000808a, + 0x8000000080008000, + 0x000000000000808b, + 0x0000000080000001, + 0x8000000080008081, + 0x8000000000008009, + 0x000000000000008a, + 0x0000000000000088, + 0x0000000080008009, + 0x000000008000000a, + 0x000000008000808b, + 0x800000000000008b, + 0x8000000000008089, + 0x8000000000008003, + 0x8000000000008002, + 0x8000000000000080, + 0x000000000000800a, + 0x800000008000000a, + 0x8000000080008081, + 0x8000000000008080, + 0x0000000080000001, + 0x8000000080008008, +}; + +static const unsigned int KeccakRhoOffsets[nrLanes] = +{ + 0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14 +}; + +#endif + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_Initialize(void *state) +{ + memset(state, 0, 1600/8); +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_AddByte(void *state, unsigned char byte, unsigned int offset) +{ + #if DEBUG + assert(offset < 200); + #endif + ((unsigned char *)state)[offset] ^= byte; +} + +/* 
---------------------------------------------------------------- */ + +void KeccakP1600_AddBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length) +{ + unsigned int i; + + #if DEBUG + assert(offset < 200); + assert(offset+length <= 200); + #endif + for(i=0; i<length; i++) + ((unsigned char *)state)[offset+i] ^= data[i]; +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_OverwriteBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length) +{ + #if DEBUG + assert(offset < 200); + assert(offset+length <= 200); + #endif + memcpy((unsigned char*)state+offset, data, length); +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_OverwriteWithZeroes(void *state, unsigned int byteCount) +{ + #if DEBUG + assert(byteCount <= 200); + #endif + memset(state, 0, byteCount); +} + +/* ---------------------------------------------------------------- */ + +#if (PLATFORM_BYTE_ORDER != IS_LITTLE_ENDIAN) +static void fromBytesToWords(tKeccakLane *stateAsWords, const unsigned char *state); +static void fromWordsToBytes(unsigned char *state, const tKeccakLane *stateAsWords); +#endif +void KeccakP1600OnWords(tKeccakLane *state, unsigned int nrRounds); +void KeccakP1600Round(tKeccakLane *state, unsigned int indexRound); +static void theta(tKeccakLane *A); +static void rho(tKeccakLane *A); +static void pi(tKeccakLane *A); +static void chi(tKeccakLane *A); +static void iota(tKeccakLane *A, unsigned int indexRound); + +void KeccakP1600_Permute_Nrounds(void *state, unsigned int nrounds) +{ +#if (PLATFORM_BYTE_ORDER != IS_LITTLE_ENDIAN) + tKeccakLane stateAsWords[1600/64]; +#endif + +#ifdef KeccakReference + displayStateAsBytes(1, "Input of permutation", (const unsigned char *)state, 1600); +#endif +#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) + KeccakP1600OnWords((tKeccakLane*)state, nrounds); +#else + fromBytesToWords(stateAsWords, (const 
unsigned char *)state); + KeccakP1600OnWords(stateAsWords, nrounds); + fromWordsToBytes((unsigned char *)state, stateAsWords); +#endif +#ifdef KeccakReference + displayStateAsBytes(1, "State after permutation", (const unsigned char *)state, 1600); +#endif +} + +void KeccakP1600_Permute_12rounds(void *state) +{ +#if (PLATFORM_BYTE_ORDER != IS_LITTLE_ENDIAN) + tKeccakLane stateAsWords[1600/64]; +#endif + +#ifdef KeccakReference + displayStateAsBytes(1, "Input of permutation", (const unsigned char *)state, 1600); +#endif +#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) + KeccakP1600OnWords((tKeccakLane*)state, 12); +#else + fromBytesToWords(stateAsWords, (const unsigned char *)state); + KeccakP1600OnWords(stateAsWords, 12); + fromWordsToBytes((unsigned char *)state, stateAsWords); +#endif +#ifdef KeccakReference + displayStateAsBytes(1, "State after permutation", (const unsigned char *)state, 1600); +#endif +} + +void KeccakP1600_Permute_24rounds(void *state) +{ +#if (PLATFORM_BYTE_ORDER != IS_LITTLE_ENDIAN) + tKeccakLane stateAsWords[1600/64]; +#endif + +#ifdef KeccakReference + displayStateAsBytes(1, "Input of permutation", (const unsigned char *)state, 1600); +#endif +#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) + KeccakP1600OnWords((tKeccakLane*)state, 24); +#else + fromBytesToWords(stateAsWords, (const unsigned char *)state); + KeccakP1600OnWords(stateAsWords, 24); + fromWordsToBytes((unsigned char *)state, stateAsWords); +#endif +#ifdef KeccakReference + displayStateAsBytes(1, "State after permutation", (const unsigned char *)state, 1600); +#endif +} + +#if (PLATFORM_BYTE_ORDER != IS_LITTLE_ENDIAN) +static void fromBytesToWords(tKeccakLane *stateAsWords, const unsigned char *state) +{ + unsigned int i, j; + + for(i=0; i<nrLanes; i++) { + stateAsWords[i] = 0; + for(j=0; j<(64/8); j++) + stateAsWords[i] |= (tKeccakLane)(state[i*(64/8)+j]) << (8*j); + } +} + +static void fromWordsToBytes(unsigned char *state, const tKeccakLane *stateAsWords) +{ + unsigned int i, j; 
+ + for(i=0; i<nrLanes; i++) + for(j=0; j<(64/8); j++) + state[i*(64/8)+j] = (unsigned char)((stateAsWords[i] >> (8*j)) & 0xFF); +} +#endif + +void KeccakP1600OnWords(tKeccakLane *state, unsigned int nrRounds) +{ + unsigned int i; + +#ifdef KeccakReference + displayStateAsLanes(3, "Same, with lanes as 64-bit words", state, 1600); +#endif + + for(i=(maxNrRounds-nrRounds); i<maxNrRounds; i++) + KeccakP1600Round(state, i); +} + +void KeccakP1600Round(tKeccakLane *state, unsigned int indexRound) +{ +#ifdef KeccakReference + displayRoundNumber(3, indexRound); +#endif + + theta(state); +#ifdef KeccakReference + displayStateAsLanes(3, "After theta", state, 1600); +#endif + + rho(state); +#ifdef KeccakReference + displayStateAsLanes(3, "After rho", state, 1600); +#endif + + pi(state); +#ifdef KeccakReference + displayStateAsLanes(3, "After pi", state, 1600); +#endif + + chi(state); +#ifdef KeccakReference + displayStateAsLanes(3, "After chi", state, 1600); +#endif + + iota(state, indexRound); +#ifdef KeccakReference + displayStateAsLanes(3, "After iota", state, 1600); +#endif +} + +#define ROL64(a, offset) ((offset != 0) ? 
((((tKeccakLane)a) << offset) ^ (((tKeccakLane)a) >> (64-offset))) : a) + +static void theta(tKeccakLane *A) +{ + unsigned int x, y; + tKeccakLane C[5], D[5]; + + for(x=0; x<5; x++) { + C[x] = 0; + for(y=0; y<5; y++) + C[x] ^= A[index(x, y)]; + } + for(x=0; x<5; x++) + D[x] = ROL64(C[(x+1)%5], 1) ^ C[(x+4)%5]; + for(x=0; x<5; x++) + for(y=0; y<5; y++) + A[index(x, y)] ^= D[x]; +} + +static void rho(tKeccakLane *A) +{ + unsigned int x, y; + + for(x=0; x<5; x++) for(y=0; y<5; y++) + A[index(x, y)] = ROL64(A[index(x, y)], KeccakRhoOffsets[index(x, y)]); +} + +static void pi(tKeccakLane *A) +{ + unsigned int x, y; + tKeccakLane tempA[25]; + + for(x=0; x<5; x++) for(y=0; y<5; y++) + tempA[index(x, y)] = A[index(x, y)]; + for(x=0; x<5; x++) for(y=0; y<5; y++) + A[index(0*x+1*y, 2*x+3*y)] = tempA[index(x, y)]; +} + +static void chi(tKeccakLane *A) +{ + unsigned int x, y; + tKeccakLane C[5]; + + for(y=0; y<5; y++) { + for(x=0; x<5; x++) + C[x] = A[index(x, y)] ^ ((~A[index(x+1, y)]) & A[index(x+2, y)]); + for(x=0; x<5; x++) + A[index(x, y)] = C[x]; + } +} + +static void iota(tKeccakLane *A, unsigned int indexRound) +{ + A[index(0, 0)] ^= KeccakRoundConstants[indexRound]; +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_ExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length) +{ + #if DEBUG + assert(offset < 200); + assert(offset+length <= 200); + #endif + memcpy(data, (unsigned char*)state+offset, length); +} + +/* ---------------------------------------------------------------- */ + +void KeccakP1600_ExtractAndAddBytes(const void *state, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length) +{ + unsigned int i; + + #if DEBUG + assert(offset < 200); + assert(offset+length <= 200); + #endif + for(i=0; i<length; i++) + output[i] = input[i] ^ ((unsigned char *)state)[offset+i]; +} + +/* ---------------------------------------------------------------- */ 
+ +void KeccakP1600_DisplayRoundConstants(FILE *f) +{ + unsigned int i; + + for(i=0; i<maxNrRounds; i++) { + fprintf(f, "RC[%02i][0][0] = ", i); + fprintf(f, "%08X", (unsigned int)(KeccakRoundConstants[i] >> 32)); + fprintf(f, "%08X", (unsigned int)(KeccakRoundConstants[i] & 0xFFFFFFFFULL)); + fprintf(f, "\n"); + } + fprintf(f, "\n"); +} + +void KeccakP1600_DisplayRhoOffsets(FILE *f) +{ + unsigned int x, y; + + for(y=0; y<5; y++) for(x=0; x<5; x++) { + fprintf(f, "RhoOffset[%i][%i] = ", x, y); + fprintf(f, "%2i", KeccakRhoOffsets[index(x, y)]); + fprintf(f, "\n"); + } + fprintf(f, "\n"); +}
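Review bot: unlike the 32-bit copy, this file indexes the state directly (`((unsigned char *)state)[offset+i] ^= data[i];` in `KeccakP1600_AddBytes`, `memcpy((unsigned char*)state+offset, data, length);` in `KeccakP1600_OverwriteBytes`, and the matching reads in `KeccakP1600_ExtractBytes` and `KeccakP1600_ExtractAndAddBytes`), with the `assert(offset+length <= 200)` guard compiled in only under `#if DEBUG`. In a release build an `offset`/`length` pair that is out of range therefore becomes a plain out-of-bounds read or write on the 200-byte state, so the sponge layer's length arithmetic is the sole protection; a cheap unconditional bound check here, or an explicit precondition in the SnP header, would be a sensible belt-and-braces addition. Two smaller points in the same hunk: the `sizeof(tKeccakLane) != 8` test in `KeccakP1600_StaticInitialize` runs only in `KeccakReference` builds and can never fire because `tKeccakLane` is a `typedef uint64_t`, so a compile-time check would be clearer and would also cover non-reference builds; and `KeccakP1600_Permute_Nrounds` never validates `nrounds`, so with `nrounds > 24` the unsigned expression `maxNrRounds-nrRounds` wraps, the loop in `KeccakP1600OnWords` runs zero times and the permutation silently becomes the identity (the same loop form appears in the 32-bit copy's `KeccakP1600_PermutationOnWords`). Rejecting or asserting `nrounds <= maxNrRounds` would turn that into a detectable failure.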
ext/sha3/lib/low/KeccakP-1600/ref-64bits/KeccakP-1600-reference.h+23 −0 added@@ -0,0 +1,23 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +The Keccak-p permutations, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by the designers, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ +*/ + +#ifndef _KeccakP_1600_reference_h_ +#define _KeccakP_1600_reference_h_ + +void KeccakP1600_DisplayRoundConstants(FILE *f); +void KeccakP1600_DisplayRhoOffsets(FILE *f); + +#endif
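Review bot: this file is a byte-for-byte copy of `ref-32bits/KeccakP-1600-reference.h`, down to the include guard `_KeccakP_1600_reference_h_`, so any future fix has to be applied twice; since the two prototypes are identical for both variants, the header could live once in a shared directory. Separately, the guard name begins with an underscore followed by an uppercase letter, which C reserves for the implementation (C11 7.1.3), so a non-reserved spelling such as `KECCAKP_1600_REFERENCE_H` is preferable; the same applies to `_KeccakP_1600_SnP_h_` in the adjacent SnP headers.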
ext/sha3/lib/low/KeccakP-1600/ref-64bits/KeccakP-1600-SnP.h+44 −0 added@@ -0,0 +1,44 @@ +/* +The eXtended Keccak Code Package (XKCP) +https://github.com/XKCP/XKCP + +The Keccak-p permutations, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. + +Implementation by the designers, hereby denoted as "the implementer". + +For more information, feedback or questions, please refer to the Keccak Team website: +https://keccak.team/ + +To the extent possible under law, the implementer has waived all copyright +and related or neighboring rights to the source code in this file. +http://creativecommons.org/publicdomain/zero/1.0/ + +--- + +Please refer to SnP-documentation.h for more details. +*/ + +#ifndef _KeccakP_1600_SnP_h_ +#define _KeccakP_1600_SnP_h_ + +#define KeccakP1600_implementation "64-bit reference implementation" +#define KeccakP1600_stateSizeInBytes 200 +#define KeccakP1600_stateAlignment 8 + +#ifdef KeccakReference +void KeccakP1600_StaticInitialize( void ); +#else +#define KeccakP1600_StaticInitialize() +#endif +void KeccakP1600_Initialize(void *state); +void KeccakP1600_AddByte(void *state, unsigned char data, unsigned int offset); +void KeccakP1600_AddBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length); +void KeccakP1600_OverwriteBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length); +void KeccakP1600_OverwriteWithZeroes(void *state, unsigned int byteCount); +void KeccakP1600_Permute_Nrounds(void *state, unsigned int nrounds); +void KeccakP1600_Permute_12rounds(void *state); +void KeccakP1600_Permute_24rounds(void *state); +void KeccakP1600_ExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length); +void KeccakP1600_ExtractAndAddBytes(const void *state, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length); + +#endif
ext/sha3/Optimized64/KeccakF-1600-64.macros+0 −2199 removed@@ -1,2199 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#define declareABCDE \ - UINT64 Aba, Abe, Abi, Abo, Abu; \ - UINT64 Aga, Age, Agi, Ago, Agu; \ - UINT64 Aka, Ake, Aki, Ako, Aku; \ - UINT64 Ama, Ame, Ami, Amo, Amu; \ - UINT64 Asa, Ase, Asi, Aso, Asu; \ - UINT64 Bba, Bbe, Bbi, Bbo, Bbu; \ - UINT64 Bga, Bge, Bgi, Bgo, Bgu; \ - UINT64 Bka, Bke, Bki, Bko, Bku; \ - UINT64 Bma, Bme, Bmi, Bmo, Bmu; \ - UINT64 Bsa, Bse, Bsi, Bso, Bsu; \ - UINT64 Ca, Ce, Ci, Co, Cu; \ - UINT64 Da, De, Di, Do, Du; \ - UINT64 Eba, Ebe, Ebi, Ebo, Ebu; \ - UINT64 Ega, Ege, Egi, Ego, Egu; \ - UINT64 Eka, Eke, Eki, Eko, Eku; \ - UINT64 Ema, Eme, Emi, Emo, Emu; \ - UINT64 Esa, Ese, Esi, Eso, Esu; \ - -#define prepareTheta \ - Ca = Aba^Aga^Aka^Ama^Asa; \ - Ce = Abe^Age^Ake^Ame^Ase; \ - Ci = Abi^Agi^Aki^Ami^Asi; \ - Co = Abo^Ago^Ako^Amo^Aso; \ - Cu = Abu^Agu^Aku^Amu^Asu; \ - -#ifdef UseBebigokimisa -// --- Code for round, with prepare-theta (lane complementing pattern 'bebigokimisa') -// --- 64-bit lanes mapped to 64-bit words -#define thetaRhoPiChiIotaPrepareTheta(i, A, E) \ - Da = Cu^ROL64(Ce, 1); \ - De = Ca^ROL64(Ci, 1); \ - Di = Ce^ROL64(Co, 1); \ - Do = Ci^ROL64(Cu, 1); \ - Du = Co^ROL64(Ca, 1); \ -\ - A##ba ^= Da; \ - Bba = A##ba; \ - A##ge ^= De; \ - Bbe = ROL64(A##ge, 44); \ - A##ki ^= Di; \ - Bbi = ROL64(A##ki, 43); \ - A##mo ^= Do; \ - Bbo = ROL64(A##mo, 21); \ - A##su ^= Du; \ - Bbu = ROL64(A##su, 14); \ - E##ba = Bba 
^( Bbe | Bbi ); \ - E##ba ^= KeccakF1600RoundConstants[i]; \ - Ca = E##ba; \ - E##be = Bbe ^((~Bbi)| Bbo ); \ - Ce = E##be; \ - E##bi = Bbi ^( Bbo & Bbu ); \ - Ci = E##bi; \ - E##bo = Bbo ^( Bbu | Bba ); \ - Co = E##bo; \ - E##bu = Bbu ^( Bba & Bbe ); \ - Cu = E##bu; \ -\ - A##bo ^= Do; \ - Bga = ROL64(A##bo, 28); \ - A##gu ^= Du; \ - Bge = ROL64(A##gu, 20); \ - A##ka ^= Da; \ - Bgi = ROL64(A##ka, 3); \ - A##me ^= De; \ - Bgo = ROL64(A##me, 45); \ - A##si ^= Di; \ - Bgu = ROL64(A##si, 61); \ - E##ga = Bga ^( Bge | Bgi ); \ - Ca ^= E##ga; \ - E##ge = Bge ^( Bgi & Bgo ); \ - Ce ^= E##ge; \ - E##gi = Bgi ^( Bgo |(~Bgu)); \ - Ci ^= E##gi; \ - E##go = Bgo ^( Bgu | Bga ); \ - Co ^= E##go; \ - E##gu = Bgu ^( Bga & Bge ); \ - Cu ^= E##gu; \ -\ - A##be ^= De; \ - Bka = ROL64(A##be, 1); \ - A##gi ^= Di; \ - Bke = ROL64(A##gi, 6); \ - A##ko ^= Do; \ - Bki = ROL64(A##ko, 25); \ - A##mu ^= Du; \ - Bko = ROL64(A##mu, 8); \ - A##sa ^= Da; \ - Bku = ROL64(A##sa, 18); \ - E##ka = Bka ^( Bke | Bki ); \ - Ca ^= E##ka; \ - E##ke = Bke ^( Bki & Bko ); \ - Ce ^= E##ke; \ - E##ki = Bki ^((~Bko)& Bku ); \ - Ci ^= E##ki; \ - E##ko = (~Bko)^( Bku | Bka ); \ - Co ^= E##ko; \ - E##ku = Bku ^( Bka & Bke ); \ - Cu ^= E##ku; \ -\ - A##bu ^= Du; \ - Bma = ROL64(A##bu, 27); \ - A##ga ^= Da; \ - Bme = ROL64(A##ga, 36); \ - A##ke ^= De; \ - Bmi = ROL64(A##ke, 10); \ - A##mi ^= Di; \ - Bmo = ROL64(A##mi, 15); \ - A##so ^= Do; \ - Bmu = ROL64(A##so, 56); \ - E##ma = Bma ^( Bme & Bmi ); \ - Ca ^= E##ma; \ - E##me = Bme ^( Bmi | Bmo ); \ - Ce ^= E##me; \ - E##mi = Bmi ^((~Bmo)| Bmu ); \ - Ci ^= E##mi; \ - E##mo = (~Bmo)^( Bmu & Bma ); \ - Co ^= E##mo; \ - E##mu = Bmu ^( Bma | Bme ); \ - Cu ^= E##mu; \ -\ - A##bi ^= Di; \ - Bsa = ROL64(A##bi, 62); \ - A##go ^= Do; \ - Bse = ROL64(A##go, 55); \ - A##ku ^= Du; \ - Bsi = ROL64(A##ku, 39); \ - A##ma ^= Da; \ - Bso = ROL64(A##ma, 41); \ - A##se ^= De; \ - Bsu = ROL64(A##se, 2); \ - E##sa = Bsa ^((~Bse)& Bsi ); \ - Ca ^= E##sa; \ - E##se = (~Bse)^( Bsi | Bso 
); \ - Ce ^= E##se; \ - E##si = Bsi ^( Bso & Bsu ); \ - Ci ^= E##si; \ - E##so = Bso ^( Bsu | Bsa ); \ - Co ^= E##so; \ - E##su = Bsu ^( Bsa & Bse ); \ - Cu ^= E##su; \ -\ - -// --- Code for round (lane complementing pattern 'bebigokimisa') -// --- 64-bit lanes mapped to 64-bit words -#define thetaRhoPiChiIota(i, A, E) \ - Da = Cu^ROL64(Ce, 1); \ - De = Ca^ROL64(Ci, 1); \ - Di = Ce^ROL64(Co, 1); \ - Do = Ci^ROL64(Cu, 1); \ - Du = Co^ROL64(Ca, 1); \ -\ - A##ba ^= Da; \ - Bba = A##ba; \ - A##ge ^= De; \ - Bbe = ROL64(A##ge, 44); \ - A##ki ^= Di; \ - Bbi = ROL64(A##ki, 43); \ - A##mo ^= Do; \ - Bbo = ROL64(A##mo, 21); \ - A##su ^= Du; \ - Bbu = ROL64(A##su, 14); \ - E##ba = Bba ^( Bbe | Bbi ); \ - E##ba ^= KeccakF1600RoundConstants[i]; \ - E##be = Bbe ^((~Bbi)| Bbo ); \ - E##bi = Bbi ^( Bbo & Bbu ); \ - E##bo = Bbo ^( Bbu | Bba ); \ - E##bu = Bbu ^( Bba & Bbe ); \ -\ - A##bo ^= Do; \ - Bga = ROL64(A##bo, 28); \ - A##gu ^= Du; \ - Bge = ROL64(A##gu, 20); \ - A##ka ^= Da; \ - Bgi = ROL64(A##ka, 3); \ - A##me ^= De; \ - Bgo = ROL64(A##me, 45); \ - A##si ^= Di; \ - Bgu = ROL64(A##si, 61); \ - E##ga = Bga ^( Bge | Bgi ); \ - E##ge = Bge ^( Bgi & Bgo ); \ - E##gi = Bgi ^( Bgo |(~Bgu)); \ - E##go = Bgo ^( Bgu | Bga ); \ - E##gu = Bgu ^( Bga & Bge ); \ -\ - A##be ^= De; \ - Bka = ROL64(A##be, 1); \ - A##gi ^= Di; \ - Bke = ROL64(A##gi, 6); \ - A##ko ^= Do; \ - Bki = ROL64(A##ko, 25); \ - A##mu ^= Du; \ - Bko = ROL64(A##mu, 8); \ - A##sa ^= Da; \ - Bku = ROL64(A##sa, 18); \ - E##ka = Bka ^( Bke | Bki ); \ - E##ke = Bke ^( Bki & Bko ); \ - E##ki = Bki ^((~Bko)& Bku ); \ - E##ko = (~Bko)^( Bku | Bka ); \ - E##ku = Bku ^( Bka & Bke ); \ -\ - A##bu ^= Du; \ - Bma = ROL64(A##bu, 27); \ - A##ga ^= Da; \ - Bme = ROL64(A##ga, 36); \ - A##ke ^= De; \ - Bmi = ROL64(A##ke, 10); \ - A##mi ^= Di; \ - Bmo = ROL64(A##mi, 15); \ - A##so ^= Do; \ - Bmu = ROL64(A##so, 56); \ - E##ma = Bma ^( Bme & Bmi ); \ - E##me = Bme ^( Bmi | Bmo ); \ - E##mi = Bmi ^((~Bmo)| Bmu ); \ - E##mo = (~Bmo)^( Bmu & 
Bma ); \ - E##mu = Bmu ^( Bma | Bme ); \ -\ - A##bi ^= Di; \ - Bsa = ROL64(A##bi, 62); \ - A##go ^= Do; \ - Bse = ROL64(A##go, 55); \ - A##ku ^= Du; \ - Bsi = ROL64(A##ku, 39); \ - A##ma ^= Da; \ - Bso = ROL64(A##ma, 41); \ - A##se ^= De; \ - Bsu = ROL64(A##se, 2); \ - E##sa = Bsa ^((~Bse)& Bsi ); \ - E##se = (~Bse)^( Bsi | Bso ); \ - E##si = Bsi ^( Bso & Bsu ); \ - E##so = Bso ^( Bsu | Bsa ); \ - E##su = Bsu ^( Bsa & Bse ); \ -\ - -#else // UseBebigokimisa -// --- Code for round, with prepare-theta -// --- 64-bit lanes mapped to 64-bit words -#define thetaRhoPiChiIotaPrepareTheta(i, A, E) \ - Da = Cu^ROL64(Ce, 1); \ - De = Ca^ROL64(Ci, 1); \ - Di = Ce^ROL64(Co, 1); \ - Do = Ci^ROL64(Cu, 1); \ - Du = Co^ROL64(Ca, 1); \ -\ - A##ba ^= Da; \ - Bba = A##ba; \ - A##ge ^= De; \ - Bbe = ROL64(A##ge, 44); \ - A##ki ^= Di; \ - Bbi = ROL64(A##ki, 43); \ - A##mo ^= Do; \ - Bbo = ROL64(A##mo, 21); \ - A##su ^= Du; \ - Bbu = ROL64(A##su, 14); \ - E##ba = Bba ^((~Bbe)& Bbi ); \ - E##ba ^= KeccakF1600RoundConstants[i]; \ - Ca = E##ba; \ - E##be = Bbe ^((~Bbi)& Bbo ); \ - Ce = E##be; \ - E##bi = Bbi ^((~Bbo)& Bbu ); \ - Ci = E##bi; \ - E##bo = Bbo ^((~Bbu)& Bba ); \ - Co = E##bo; \ - E##bu = Bbu ^((~Bba)& Bbe ); \ - Cu = E##bu; \ -\ - A##bo ^= Do; \ - Bga = ROL64(A##bo, 28); \ - A##gu ^= Du; \ - Bge = ROL64(A##gu, 20); \ - A##ka ^= Da; \ - Bgi = ROL64(A##ka, 3); \ - A##me ^= De; \ - Bgo = ROL64(A##me, 45); \ - A##si ^= Di; \ - Bgu = ROL64(A##si, 61); \ - E##ga = Bga ^((~Bge)& Bgi ); \ - Ca ^= E##ga; \ - E##ge = Bge ^((~Bgi)& Bgo ); \ - Ce ^= E##ge; \ - E##gi = Bgi ^((~Bgo)& Bgu ); \ - Ci ^= E##gi; \ - E##go = Bgo ^((~Bgu)& Bga ); \ - Co ^= E##go; \ - E##gu = Bgu ^((~Bga)& Bge ); \ - Cu ^= E##gu; \ -\ - A##be ^= De; \ - Bka = ROL64(A##be, 1); \ - A##gi ^= Di; \ - Bke = ROL64(A##gi, 6); \ - A##ko ^= Do; \ - Bki = ROL64(A##ko, 25); \ - A##mu ^= Du; \ - Bko = ROL64(A##mu, 8); \ - A##sa ^= Da; \ - Bku = ROL64(A##sa, 18); \ - E##ka = Bka ^((~Bke)& Bki ); \ - Ca ^= E##ka; \ - E##ke = Bke 
^((~Bki)& Bko ); \ - Ce ^= E##ke; \ - E##ki = Bki ^((~Bko)& Bku ); \ - Ci ^= E##ki; \ - E##ko = Bko ^((~Bku)& Bka ); \ - Co ^= E##ko; \ - E##ku = Bku ^((~Bka)& Bke ); \ - Cu ^= E##ku; \ -\ - A##bu ^= Du; \ - Bma = ROL64(A##bu, 27); \ - A##ga ^= Da; \ - Bme = ROL64(A##ga, 36); \ - A##ke ^= De; \ - Bmi = ROL64(A##ke, 10); \ - A##mi ^= Di; \ - Bmo = ROL64(A##mi, 15); \ - A##so ^= Do; \ - Bmu = ROL64(A##so, 56); \ - E##ma = Bma ^((~Bme)& Bmi ); \ - Ca ^= E##ma; \ - E##me = Bme ^((~Bmi)& Bmo ); \ - Ce ^= E##me; \ - E##mi = Bmi ^((~Bmo)& Bmu ); \ - Ci ^= E##mi; \ - E##mo = Bmo ^((~Bmu)& Bma ); \ - Co ^= E##mo; \ - E##mu = Bmu ^((~Bma)& Bme ); \ - Cu ^= E##mu; \ -\ - A##bi ^= Di; \ - Bsa = ROL64(A##bi, 62); \ - A##go ^= Do; \ - Bse = ROL64(A##go, 55); \ - A##ku ^= Du; \ - Bsi = ROL64(A##ku, 39); \ - A##ma ^= Da; \ - Bso = ROL64(A##ma, 41); \ - A##se ^= De; \ - Bsu = ROL64(A##se, 2); \ - E##sa = Bsa ^((~Bse)& Bsi ); \ - Ca ^= E##sa; \ - E##se = Bse ^((~Bsi)& Bso ); \ - Ce ^= E##se; \ - E##si = Bsi ^((~Bso)& Bsu ); \ - Ci ^= E##si; \ - E##so = Bso ^((~Bsu)& Bsa ); \ - Co ^= E##so; \ - E##su = Bsu ^((~Bsa)& Bse ); \ - Cu ^= E##su; \ -\ - -// --- Code for round -// --- 64-bit lanes mapped to 64-bit words -#define thetaRhoPiChiIota(i, A, E) \ - Da = Cu^ROL64(Ce, 1); \ - De = Ca^ROL64(Ci, 1); \ - Di = Ce^ROL64(Co, 1); \ - Do = Ci^ROL64(Cu, 1); \ - Du = Co^ROL64(Ca, 1); \ -\ - A##ba ^= Da; \ - Bba = A##ba; \ - A##ge ^= De; \ - Bbe = ROL64(A##ge, 44); \ - A##ki ^= Di; \ - Bbi = ROL64(A##ki, 43); \ - A##mo ^= Do; \ - Bbo = ROL64(A##mo, 21); \ - A##su ^= Du; \ - Bbu = ROL64(A##su, 14); \ - E##ba = Bba ^((~Bbe)& Bbi ); \ - E##ba ^= KeccakF1600RoundConstants[i]; \ - E##be = Bbe ^((~Bbi)& Bbo ); \ - E##bi = Bbi ^((~Bbo)& Bbu ); \ - E##bo = Bbo ^((~Bbu)& Bba ); \ - E##bu = Bbu ^((~Bba)& Bbe ); \ -\ - A##bo ^= Do; \ - Bga = ROL64(A##bo, 28); \ - A##gu ^= Du; \ - Bge = ROL64(A##gu, 20); \ - A##ka ^= Da; \ - Bgi = ROL64(A##ka, 3); \ - A##me ^= De; \ - Bgo = ROL64(A##me, 45); \ - A##si ^= 
Di; \ - Bgu = ROL64(A##si, 61); \ - E##ga = Bga ^((~Bge)& Bgi ); \ - E##ge = Bge ^((~Bgi)& Bgo ); \ - E##gi = Bgi ^((~Bgo)& Bgu ); \ - E##go = Bgo ^((~Bgu)& Bga ); \ - E##gu = Bgu ^((~Bga)& Bge ); \ -\ - A##be ^= De; \ - Bka = ROL64(A##be, 1); \ - A##gi ^= Di; \ - Bke = ROL64(A##gi, 6); \ - A##ko ^= Do; \ - Bki = ROL64(A##ko, 25); \ - A##mu ^= Du; \ - Bko = ROL64(A##mu, 8); \ - A##sa ^= Da; \ - Bku = ROL64(A##sa, 18); \ - E##ka = Bka ^((~Bke)& Bki ); \ - E##ke = Bke ^((~Bki)& Bko ); \ - E##ki = Bki ^((~Bko)& Bku ); \ - E##ko = Bko ^((~Bku)& Bka ); \ - E##ku = Bku ^((~Bka)& Bke ); \ -\ - A##bu ^= Du; \ - Bma = ROL64(A##bu, 27); \ - A##ga ^= Da; \ - Bme = ROL64(A##ga, 36); \ - A##ke ^= De; \ - Bmi = ROL64(A##ke, 10); \ - A##mi ^= Di; \ - Bmo = ROL64(A##mi, 15); \ - A##so ^= Do; \ - Bmu = ROL64(A##so, 56); \ - E##ma = Bma ^((~Bme)& Bmi ); \ - E##me = Bme ^((~Bmi)& Bmo ); \ - E##mi = Bmi ^((~Bmo)& Bmu ); \ - E##mo = Bmo ^((~Bmu)& Bma ); \ - E##mu = Bmu ^((~Bma)& Bme ); \ -\ - A##bi ^= Di; \ - Bsa = ROL64(A##bi, 62); \ - A##go ^= Do; \ - Bse = ROL64(A##go, 55); \ - A##ku ^= Du; \ - Bsi = ROL64(A##ku, 39); \ - A##ma ^= Da; \ - Bso = ROL64(A##ma, 41); \ - A##se ^= De; \ - Bsu = ROL64(A##se, 2); \ - E##sa = Bsa ^((~Bse)& Bsi ); \ - E##se = Bse ^((~Bsi)& Bso ); \ - E##si = Bsi ^((~Bso)& Bsu ); \ - E##so = Bso ^((~Bsu)& Bsa ); \ - E##su = Bsu ^((~Bsa)& Bse ); \ -\ - -#endif // UseBebigokimisa - -#define copyFromState(X, state) \ - X##ba = state[ 0]; \ - X##be = state[ 1]; \ - X##bi = state[ 2]; \ - X##bo = state[ 3]; \ - X##bu = state[ 4]; \ - X##ga = state[ 5]; \ - X##ge = state[ 6]; \ - X##gi = state[ 7]; \ - X##go = state[ 8]; \ - X##gu = state[ 9]; \ - X##ka = state[10]; \ - X##ke = state[11]; \ - X##ki = state[12]; \ - X##ko = state[13]; \ - X##ku = state[14]; \ - X##ma = state[15]; \ - X##me = state[16]; \ - X##mi = state[17]; \ - X##mo = state[18]; \ - X##mu = state[19]; \ - X##sa = state[20]; \ - X##se = state[21]; \ - X##si = state[22]; \ - X##so = state[23]; \ - 
X##su = state[24]; \ - -#define copyToState(state, X) \ - state[ 0] = X##ba; \ - state[ 1] = X##be; \ - state[ 2] = X##bi; \ - state[ 3] = X##bo; \ - state[ 4] = X##bu; \ - state[ 5] = X##ga; \ - state[ 6] = X##ge; \ - state[ 7] = X##gi; \ - state[ 8] = X##go; \ - state[ 9] = X##gu; \ - state[10] = X##ka; \ - state[11] = X##ke; \ - state[12] = X##ki; \ - state[13] = X##ko; \ - state[14] = X##ku; \ - state[15] = X##ma; \ - state[16] = X##me; \ - state[17] = X##mi; \ - state[18] = X##mo; \ - state[19] = X##mu; \ - state[20] = X##sa; \ - state[21] = X##se; \ - state[22] = X##si; \ - state[23] = X##so; \ - state[24] = X##su; \ - -#define copyStateVariables(X, Y) \ - X##ba = Y##ba; \ - X##be = Y##be; \ - X##bi = Y##bi; \ - X##bo = Y##bo; \ - X##bu = Y##bu; \ - X##ga = Y##ga; \ - X##ge = Y##ge; \ - X##gi = Y##gi; \ - X##go = Y##go; \ - X##gu = Y##gu; \ - X##ka = Y##ka; \ - X##ke = Y##ke; \ - X##ki = Y##ki; \ - X##ko = Y##ko; \ - X##ku = Y##ku; \ - X##ma = Y##ma; \ - X##me = Y##me; \ - X##mi = Y##mi; \ - X##mo = Y##mo; \ - X##mu = Y##mu; \ - X##sa = Y##sa; \ - X##se = Y##se; \ - X##si = Y##si; \ - X##so = Y##so; \ - X##su = Y##su; \ - -#define copyFromStateAndXOR(X, state, input, laneCount) \ - if (laneCount < 16) { \ - if (laneCount < 8) { \ - if (laneCount < 4) { \ - if (laneCount < 2) { \ - if (laneCount < 1) { \ - X##ba = state[ 0]; \ - } \ - else { \ - X##ba = state[ 0]^input[ 0]; \ - } \ - X##be = state[ 1]; \ - X##bi = state[ 2]; \ - } \ - else { \ - X##ba = state[ 0]^input[ 0]; \ - X##be = state[ 1]^input[ 1]; \ - if (laneCount < 3) { \ - X##bi = state[ 2]; \ - } \ - else { \ - X##bi = state[ 2]^input[ 2]; \ - } \ - } \ - X##bo = state[ 3]; \ - X##bu = state[ 4]; \ - X##ga = state[ 5]; \ - X##ge = state[ 6]; \ - } \ - else { \ - X##ba = state[ 0]^input[ 0]; \ - X##be = state[ 1]^input[ 1]; \ - X##bi = state[ 2]^input[ 2]; \ - X##bo = state[ 3]^input[ 3]; \ - if (laneCount < 6) { \ - if (laneCount < 5) { \ - X##bu = state[ 4]; \ - } \ - else { \ - X##bu = state[ 
4]^input[ 4]; \ - } \ - X##ga = state[ 5]; \ - X##ge = state[ 6]; \ - } \ - else { \ - X##bu = state[ 4]^input[ 4]; \ - X##ga = state[ 5]^input[ 5]; \ - if (laneCount < 7) { \ - X##ge = state[ 6]; \ - } \ - else { \ - X##ge = state[ 6]^input[ 6]; \ - } \ - } \ - } \ - X##gi = state[ 7]; \ - X##go = state[ 8]; \ - X##gu = state[ 9]; \ - X##ka = state[10]; \ - X##ke = state[11]; \ - X##ki = state[12]; \ - X##ko = state[13]; \ - X##ku = state[14]; \ - } \ - else { \ - X##ba = state[ 0]^input[ 0]; \ - X##be = state[ 1]^input[ 1]; \ - X##bi = state[ 2]^input[ 2]; \ - X##bo = state[ 3]^input[ 3]; \ - X##bu = state[ 4]^input[ 4]; \ - X##ga = state[ 5]^input[ 5]; \ - X##ge = state[ 6]^input[ 6]; \ - X##gi = state[ 7]^input[ 7]; \ - if (laneCount < 12) { \ - if (laneCount < 10) { \ - if (laneCount < 9) { \ - X##go = state[ 8]; \ - } \ - else { \ - X##go = state[ 8]^input[ 8]; \ - } \ - X##gu = state[ 9]; \ - X##ka = state[10]; \ - } \ - else { \ - X##go = state[ 8]^input[ 8]; \ - X##gu = state[ 9]^input[ 9]; \ - if (laneCount < 11) { \ - X##ka = state[10]; \ - } \ - else { \ - X##ka = state[10]^input[10]; \ - } \ - } \ - X##ke = state[11]; \ - X##ki = state[12]; \ - X##ko = state[13]; \ - X##ku = state[14]; \ - } \ - else { \ - X##go = state[ 8]^input[ 8]; \ - X##gu = state[ 9]^input[ 9]; \ - X##ka = state[10]^input[10]; \ - X##ke = state[11]^input[11]; \ - if (laneCount < 14) { \ - if (laneCount < 13) { \ - X##ki = state[12]; \ - } \ - else { \ - X##ki = state[12]^input[12]; \ - } \ - X##ko = state[13]; \ - X##ku = state[14]; \ - } \ - else { \ - X##ki = state[12]^input[12]; \ - X##ko = state[13]^input[13]; \ - if (laneCount < 15) { \ - X##ku = state[14]; \ - } \ - else { \ - X##ku = state[14]^input[14]; \ - } \ - } \ - } \ - } \ - X##ma = state[15]; \ - X##me = state[16]; \ - X##mi = state[17]; \ - X##mo = state[18]; \ - X##mu = state[19]; \ - X##sa = state[20]; \ - X##se = state[21]; \ - X##si = state[22]; \ - X##so = state[23]; \ - X##su = state[24]; \ - } \ - else { \ 
- X##ba = state[ 0]^input[ 0]; \ - X##be = state[ 1]^input[ 1]; \ - X##bi = state[ 2]^input[ 2]; \ - X##bo = state[ 3]^input[ 3]; \ - X##bu = state[ 4]^input[ 4]; \ - X##ga = state[ 5]^input[ 5]; \ - X##ge = state[ 6]^input[ 6]; \ - X##gi = state[ 7]^input[ 7]; \ - X##go = state[ 8]^input[ 8]; \ - X##gu = state[ 9]^input[ 9]; \ - X##ka = state[10]^input[10]; \ - X##ke = state[11]^input[11]; \ - X##ki = state[12]^input[12]; \ - X##ko = state[13]^input[13]; \ - X##ku = state[14]^input[14]; \ - X##ma = state[15]^input[15]; \ - if (laneCount < 24) { \ - if (laneCount < 20) { \ - if (laneCount < 18) { \ - if (laneCount < 17) { \ - X##me = state[16]; \ - } \ - else { \ - X##me = state[16]^input[16]; \ - } \ - X##mi = state[17]; \ - X##mo = state[18]; \ - } \ - else { \ - X##me = state[16]^input[16]; \ - X##mi = state[17]^input[17]; \ - if (laneCount < 19) { \ - X##mo = state[18]; \ - } \ - else { \ - X##mo = state[18]^input[18]; \ - } \ - } \ - X##mu = state[19]; \ - X##sa = state[20]; \ - X##se = state[21]; \ - X##si = state[22]; \ - } \ - else { \ - X##me = state[16]^input[16]; \ - X##mi = state[17]^input[17]; \ - X##mo = state[18]^input[18]; \ - X##mu = state[19]^input[19]; \ - if (laneCount < 22) { \ - if (laneCount < 21) { \ - X##sa = state[20]; \ - } \ - else { \ - X##sa = state[20]^input[20]; \ - } \ - X##se = state[21]; \ - X##si = state[22]; \ - } \ - else { \ - X##sa = state[20]^input[20]; \ - X##se = state[21]^input[21]; \ - if (laneCount < 23) { \ - X##si = state[22]; \ - } \ - else { \ - X##si = state[22]^input[22]; \ - } \ - } \ - } \ - X##so = state[23]; \ - X##su = state[24]; \ - } \ - else { \ - X##me = state[16]^input[16]; \ - X##mi = state[17]^input[17]; \ - X##mo = state[18]^input[18]; \ - X##mu = state[19]^input[19]; \ - X##sa = state[20]^input[20]; \ - X##se = state[21]^input[21]; \ - X##si = state[22]^input[22]; \ - X##so = state[23]^input[23]; \ - if (laneCount < 25) { \ - X##su = state[24]; \ - } \ - else { \ - X##su = state[24]^input[24]; \ - } 
\ - } \ - } - -#define XORinputAndTrailingBits(X, input, laneCount, trailingBits) \ - if (laneCount < 16) { \ - if (laneCount < 8) { \ - if (laneCount < 4) { \ - if (laneCount < 2) { \ - if (laneCount < 1) { \ - X##ba ^= trailingBits; \ - } \ - else { \ - X##ba ^= input[ 0]; \ - X##be ^= trailingBits; \ - } \ - } \ - else { \ - X##ba ^= input[ 0]; \ - X##be ^= input[ 1]; \ - if (laneCount < 3) { \ - X##bi ^= trailingBits; \ - } \ - else { \ - X##bi ^= input[ 2]; \ - X##bo ^= trailingBits; \ - } \ - } \ - } \ - else { \ - X##ba ^= input[ 0]; \ - X##be ^= input[ 1]; \ - X##bi ^= input[ 2]; \ - X##bo ^= input[ 3]; \ - if (laneCount < 6) { \ - if (laneCount < 5) { \ - X##bu ^= trailingBits; \ - } \ - else { \ - X##bu ^= input[ 4]; \ - X##ga ^= trailingBits; \ - } \ - } \ - else { \ - X##bu ^= input[ 4]; \ - X##ga ^= input[ 5]; \ - if (laneCount < 7) { \ - X##ge ^= trailingBits; \ - } \ - else { \ - X##ge ^= input[ 6]; \ - X##gi ^= trailingBits; \ - } \ - } \ - } \ - } \ - else { \ - X##ba ^= input[ 0]; \ - X##be ^= input[ 1]; \ - X##bi ^= input[ 2]; \ - X##bo ^= input[ 3]; \ - X##bu ^= input[ 4]; \ - X##ga ^= input[ 5]; \ - X##ge ^= input[ 6]; \ - X##gi ^= input[ 7]; \ - if (laneCount < 12) { \ - if (laneCount < 10) { \ - if (laneCount < 9) { \ - X##go ^= trailingBits; \ - } \ - else { \ - X##go ^= input[ 8]; \ - X##gu ^= trailingBits ; \ - } \ - } \ - else { \ - X##go ^= input[ 8]; \ - X##gu ^= input[ 9]; \ - if (laneCount < 11) { \ - X##ka ^= trailingBits; \ - } \ - else { \ - X##ka ^= input[10]; \ - X##ke ^= trailingBits; \ - } \ - } \ - } \ - else { \ - X##go ^= input[ 8]; \ - X##gu ^= input[ 9]; \ - X##ka ^= input[10]; \ - X##ke ^= input[11]; \ - if (laneCount < 14) { \ - if (laneCount < 13) { \ - X##ki ^= trailingBits; \ - } \ - else { \ - X##ki ^= input[12]; \ - X##ko ^= trailingBits; \ - } \ - } \ - else { \ - X##ki ^= input[12]; \ - X##ko ^= input[13]; \ - if (laneCount < 15) { \ - X##ku ^= trailingBits; \ - } \ - else { \ - X##ku ^= input[14]; \ - X##ma ^= 
trailingBits; \ - } \ - } \ - } \ - } \ - } \ - else { \ - X##ba ^= input[ 0]; \ - X##be ^= input[ 1]; \ - X##bi ^= input[ 2]; \ - X##bo ^= input[ 3]; \ - X##bu ^= input[ 4]; \ - X##ga ^= input[ 5]; \ - X##ge ^= input[ 6]; \ - X##gi ^= input[ 7]; \ - X##go ^= input[ 8]; \ - X##gu ^= input[ 9]; \ - X##ka ^= input[10]; \ - X##ke ^= input[11]; \ - X##ki ^= input[12]; \ - X##ko ^= input[13]; \ - X##ku ^= input[14]; \ - X##ma ^= input[15]; \ - if (laneCount < 24) { \ - if (laneCount < 20) { \ - if (laneCount < 18) { \ - if (laneCount < 17) { \ - X##me ^= trailingBits; \ - } \ - else { \ - X##me ^= input[16]; \ - X##mi ^= trailingBits; \ - } \ - } \ - else { \ - X##me ^= input[16]; \ - X##mi ^= input[17]; \ - if (laneCount < 19) { \ - X##mo ^= trailingBits; \ - } \ - else { \ - X##mo ^= input[18]; \ - X##mu ^= trailingBits; \ - } \ - } \ - } \ - else { \ - X##me ^= input[16]; \ - X##mi ^= input[17]; \ - X##mo ^= input[18]; \ - X##mu ^= input[19]; \ - if (laneCount < 22) { \ - if (laneCount < 21) { \ - X##sa ^= trailingBits; \ - } \ - else { \ - X##sa ^= input[20]; \ - X##se ^= trailingBits; \ - } \ - } \ - else { \ - X##sa ^= input[20]; \ - X##se ^= input[21]; \ - if (laneCount < 23) { \ - X##si ^= trailingBits; \ - } \ - else { \ - X##si ^= input[22]; \ - X##so ^= trailingBits; \ - } \ - } \ - } \ - } \ - else { \ - X##me ^= input[16]; \ - X##mi ^= input[17]; \ - X##mo ^= input[18]; \ - X##mu ^= input[19]; \ - X##sa ^= input[20]; \ - X##se ^= input[21]; \ - X##si ^= input[22]; \ - X##so ^= input[23]; \ - if (laneCount < 25) { \ - X##su ^= trailingBits; \ - } \ - else { \ - X##su ^= input[24]; \ - } \ - } \ - } - -#ifdef UseBebigokimisa - -#define copyToStateAndOutput(X, state, output, laneCount) \ - if (laneCount < 16) { \ - if (laneCount < 8) { \ - if (laneCount < 4) { \ - if (laneCount < 2) { \ - state[ 0] = X##ba; \ - if (laneCount >= 1) { \ - output[ 0] = X##ba; \ - } \ - state[ 1] = X##be; \ - state[ 2] = X##bi; \ - } \ - else { \ - state[ 0] = X##ba; \ - output[ 
0] = X##ba; \ - state[ 1] = X##be; \ - output[ 1] = ~X##be; \ - state[ 2] = X##bi; \ - if (laneCount >= 3) { \ - output[ 2] = ~X##bi; \ - } \ - } \ - state[ 3] = X##bo; \ - state[ 4] = X##bu; \ - state[ 5] = X##ga; \ - state[ 6] = X##ge; \ - } \ - else { \ - state[ 0] = X##ba; \ - output[ 0] = X##ba; \ - state[ 1] = X##be; \ - output[ 1] = ~X##be; \ - state[ 2] = X##bi; \ - output[ 2] = ~X##bi; \ - state[ 3] = X##bo; \ - output[ 3] = X##bo; \ - if (laneCount < 6) { \ - state[ 4] = X##bu; \ - if (laneCount >= 5) { \ - output[ 4] = X##bu; \ - } \ - state[ 5] = X##ga; \ - state[ 6] = X##ge; \ - } \ - else { \ - state[ 4] = X##bu; \ - output[ 4] = X##bu; \ - state[ 5] = X##ga; \ - output[ 5] = X##ga; \ - state[ 6] = X##ge; \ - if (laneCount >= 7) { \ - output[ 6] = X##ge; \ - } \ - } \ - } \ - state[ 7] = X##gi; \ - state[ 8] = X##go; \ - state[ 9] = X##gu; \ - state[10] = X##ka; \ - state[11] = X##ke; \ - state[12] = X##ki; \ - state[13] = X##ko; \ - state[14] = X##ku; \ - } \ - else { \ - state[ 0] = X##ba; \ - output[ 0] = X##ba; \ - state[ 1] = X##be; \ - output[ 1] = ~X##be; \ - state[ 2] = X##bi; \ - output[ 2] = ~X##bi; \ - state[ 3] = X##bo; \ - output[ 3] = X##bo; \ - state[ 4] = X##bu; \ - output[ 4] = X##bu; \ - state[ 5] = X##ga; \ - output[ 5] = X##ga; \ - state[ 6] = X##ge; \ - output[ 6] = X##ge; \ - state[ 7] = X##gi; \ - output[ 7] = X##gi; \ - if (laneCount < 12) { \ - if (laneCount < 10) { \ - state[ 8] = X##go; \ - if (laneCount >= 9) { \ - output[ 8] = ~X##go; \ - } \ - state[ 9] = X##gu; \ - state[10] = X##ka; \ - } \ - else { \ - state[ 8] = X##go; \ - output[ 8] = ~X##go; \ - state[ 9] = X##gu; \ - output[ 9] = X##gu; \ - state[10] = X##ka; \ - if (laneCount >= 11) { \ - output[10] = X##ka; \ - } \ - } \ - state[11] = X##ke; \ - state[12] = X##ki; \ - state[13] = X##ko; \ - state[14] = X##ku; \ - } \ - else { \ - state[ 8] = X##go; \ - output[ 8] = ~X##go; \ - state[ 9] = X##gu; \ - output[ 9] = X##gu; \ - state[10] = X##ka; \ - output[10] = 
X##ka; \ - state[11] = X##ke; \ - output[11] = X##ke; \ - if (laneCount < 14) { \ - state[12] = X##ki; \ - if (laneCount >= 13) { \ - output[12] = ~X##ki; \ - } \ - state[13] = X##ko; \ - state[14] = X##ku; \ - } \ - else { \ - state[12] = X##ki; \ - output[12] = ~X##ki; \ - state[13] = X##ko; \ - output[13] = X##ko; \ - state[14] = X##ku; \ - if (laneCount >= 15) { \ - output[14] = X##ku; \ - } \ - } \ - } \ - } \ - state[15] = X##ma; \ - state[16] = X##me; \ - state[17] = X##mi; \ - state[18] = X##mo; \ - state[19] = X##mu; \ - state[20] = X##sa; \ - state[21] = X##se; \ - state[22] = X##si; \ - state[23] = X##so; \ - state[24] = X##su; \ - } \ - else { \ - state[ 0] = X##ba; \ - output[ 0] = X##ba; \ - state[ 1] = X##be; \ - output[ 1] = ~X##be; \ - state[ 2] = X##bi; \ - output[ 2] = ~X##bi; \ - state[ 3] = X##bo; \ - output[ 3] = X##bo; \ - state[ 4] = X##bu; \ - output[ 4] = X##bu; \ - state[ 5] = X##ga; \ - output[ 5] = X##ga; \ - state[ 6] = X##ge; \ - output[ 6] = X##ge; \ - state[ 7] = X##gi; \ - output[ 7] = X##gi; \ - state[ 8] = X##go; \ - output[ 8] = ~X##go; \ - state[ 9] = X##gu; \ - output[ 9] = X##gu; \ - state[10] = X##ka; \ - output[10] = X##ka; \ - state[11] = X##ke; \ - output[11] = X##ke; \ - state[12] = X##ki; \ - output[12] = ~X##ki; \ - state[13] = X##ko; \ - output[13] = X##ko; \ - state[14] = X##ku; \ - output[14] = X##ku; \ - state[15] = X##ma; \ - output[15] = X##ma; \ - if (laneCount < 24) { \ - if (laneCount < 20) { \ - if (laneCount < 18) { \ - state[16] = X##me; \ - if (laneCount >= 17) { \ - output[16] = X##me; \ - } \ - state[17] = X##mi; \ - state[18] = X##mo; \ - } \ - else { \ - state[16] = X##me; \ - output[16] = X##me; \ - state[17] = X##mi; \ - output[17] = ~X##mi; \ - state[18] = X##mo; \ - if (laneCount >= 19) { \ - output[18] = X##mo; \ - } \ - } \ - state[19] = X##mu; \ - state[20] = X##sa; \ - state[21] = X##se; \ - state[22] = X##si; \ - } \ - else { \ - state[16] = X##me; \ - output[16] = X##me; \ - state[17] = 
X##mi; \ - output[17] = ~X##mi; \ - state[18] = X##mo; \ - output[18] = X##mo; \ - state[19] = X##mu; \ - output[19] = X##mu; \ - if (laneCount < 22) { \ - state[20] = X##sa; \ - if (laneCount >= 21) { \ - output[20] = ~X##sa; \ - } \ - state[21] = X##se; \ - state[22] = X##si; \ - } \ - else { \ - state[20] = X##sa; \ - output[20] = ~X##sa; \ - state[21] = X##se; \ - output[21] = X##se; \ - state[22] = X##si; \ - if (laneCount >= 23) { \ - output[22] = X##si; \ - } \ - } \ - } \ - state[23] = X##so; \ - state[24] = X##su; \ - } \ - else { \ - state[16] = X##me; \ - output[16] = X##me; \ - state[17] = X##mi; \ - output[17] = ~X##mi; \ - state[18] = X##mo; \ - output[18] = X##mo; \ - state[19] = X##mu; \ - output[19] = X##mu; \ - state[20] = X##sa; \ - output[20] = ~X##sa; \ - state[21] = X##se; \ - output[21] = X##se; \ - state[22] = X##si; \ - output[22] = X##si; \ - state[23] = X##so; \ - output[23] = X##so; \ - state[24] = X##su; \ - if (laneCount >= 25) { \ - output[24] = X##su; \ - } \ - } \ - } - -#define output(X, output, laneCount) \ - if (laneCount < 16) { \ - if (laneCount < 8) { \ - if (laneCount < 4) { \ - if (laneCount < 2) { \ - if (laneCount >= 1) { \ - output[ 0] = X##ba; \ - } \ - } \ - else { \ - output[ 0] = X##ba; \ - output[ 1] = ~X##be; \ - if (laneCount >= 3) { \ - output[ 2] = ~X##bi; \ - } \ - } \ - } \ - else { \ - output[ 0] = X##ba; \ - output[ 1] = ~X##be; \ - output[ 2] = ~X##bi; \ - output[ 3] = X##bo; \ - if (laneCount < 6) { \ - if (laneCount >= 5) { \ - output[ 4] = X##bu; \ - } \ - } \ - else { \ - output[ 4] = X##bu; \ - output[ 5] = X##ga; \ - if (laneCount >= 7) { \ - output[ 6] = X##ge; \ - } \ - } \ - } \ - } \ - else { \ - output[ 0] = X##ba; \ - output[ 1] = ~X##be; \ - output[ 2] = ~X##bi; \ - output[ 3] = X##bo; \ - output[ 4] = X##bu; \ - output[ 5] = X##ga; \ - output[ 6] = X##ge; \ - output[ 7] = X##gi; \ - if (laneCount < 12) { \ - if (laneCount < 10) { \ - if (laneCount >= 9) { \ - output[ 8] = ~X##go; \ - } \ - } \ 
- else { \ - output[ 8] = ~X##go; \ - output[ 9] = X##gu; \ - if (laneCount >= 11) { \ - output[10] = X##ka; \ - } \ - } \ - } \ - else { \ - output[ 8] = ~X##go; \ - output[ 9] = X##gu; \ - output[10] = X##ka; \ - output[11] = X##ke; \ - if (laneCount < 14) { \ - if (laneCount >= 13) { \ - output[12] = ~X##ki; \ - } \ - } \ - else { \ - output[12] = ~X##ki; \ - output[13] = X##ko; \ - if (laneCount >= 15) { \ - output[14] = X##ku; \ - } \ - } \ - } \ - } \ - } \ - else { \ - output[ 0] = X##ba; \ - output[ 1] = ~X##be; \ - output[ 2] = ~X##bi; \ - output[ 3] = X##bo; \ - output[ 4] = X##bu; \ - output[ 5] = X##ga; \ - output[ 6] = X##ge; \ - output[ 7] = X##gi; \ - output[ 8] = ~X##go; \ - output[ 9] = X##gu; \ - output[10] = X##ka; \ - output[11] = X##ke; \ - output[12] = ~X##ki; \ - output[13] = X##ko; \ - output[14] = X##ku; \ - output[15] = X##ma; \ - if (laneCount < 24) { \ - if (laneCount < 20) { \ - if (laneCount < 18) { \ - if (laneCount >= 17) { \ - output[16] = X##me; \ - } \ - } \ - else { \ - output[16] = X##me; \ - output[17] = ~X##mi; \ - if (laneCount >= 19) { \ - output[18] = X##mo; \ - } \ - } \ - } \ - else { \ - output[16] = X##me; \ - output[17] = ~X##mi; \ - output[18] = X##mo; \ - output[19] = X##mu; \ - if (laneCount < 22) { \ - if (laneCount >= 21) { \ - output[20] = ~X##sa; \ - } \ - } \ - else { \ - output[20] = ~X##sa; \ - output[21] = X##se; \ - if (laneCount >= 23) { \ - output[22] = X##si; \ - } \ - } \ - } \ - } \ - else { \ - output[16] = X##me; \ - output[17] = ~X##mi; \ - output[18] = X##mo; \ - output[19] = X##mu; \ - output[20] = ~X##sa; \ - output[21] = X##se; \ - output[22] = X##si; \ - output[23] = X##so; \ - if (laneCount >= 25) { \ - output[24] = X##su; \ - } \ - } \ - } - -#define wrapOne(X, input, output, index, name) \ - X##name ^= input[index]; \ - output[index] = X##name; - -#define wrapOneInvert(X, input, output, index, name) \ - X##name ^= input[index]; \ - output[index] = ~X##name; - -#define unwrapOne(X, input, 
output, index, name) \ - output[index] = input[index] ^ X##name; \ - X##name ^= output[index]; - -#define unwrapOneInvert(X, input, output, index, name) \ - output[index] = ~(input[index] ^ X##name); \ - X##name ^= output[index]; \ - -#else // UseBebigokimisa - -#define copyToStateAndOutput(X, state, output, laneCount) \ - if (laneCount < 16) { \ - if (laneCount < 8) { \ - if (laneCount < 4) { \ - if (laneCount < 2) { \ - state[ 0] = X##ba; \ - if (laneCount >= 1) { \ - output[ 0] = X##ba; \ - } \ - state[ 1] = X##be; \ - state[ 2] = X##bi; \ - } \ - else { \ - state[ 0] = X##ba; \ - output[ 0] = X##ba; \ - state[ 1] = X##be; \ - output[ 1] = X##be; \ - state[ 2] = X##bi; \ - if (laneCount >= 3) { \ - output[ 2] = X##bi; \ - } \ - } \ - state[ 3] = X##bo; \ - state[ 4] = X##bu; \ - state[ 5] = X##ga; \ - state[ 6] = X##ge; \ - } \ - else { \ - state[ 0] = X##ba; \ - output[ 0] = X##ba; \ - state[ 1] = X##be; \ - output[ 1] = X##be; \ - state[ 2] = X##bi; \ - output[ 2] = X##bi; \ - state[ 3] = X##bo; \ - output[ 3] = X##bo; \ - if (laneCount < 6) { \ - state[ 4] = X##bu; \ - if (laneCount >= 5) { \ - output[ 4] = X##bu; \ - } \ - state[ 5] = X##ga; \ - state[ 6] = X##ge; \ - } \ - else { \ - state[ 4] = X##bu; \ - output[ 4] = X##bu; \ - state[ 5] = X##ga; \ - output[ 5] = X##ga; \ - state[ 6] = X##ge; \ - if (laneCount >= 7) { \ - output[ 6] = X##ge; \ - } \ - } \ - } \ - state[ 7] = X##gi; \ - state[ 8] = X##go; \ - state[ 9] = X##gu; \ - state[10] = X##ka; \ - state[11] = X##ke; \ - state[12] = X##ki; \ - state[13] = X##ko; \ - state[14] = X##ku; \ - } \ - else { \ - state[ 0] = X##ba; \ - output[ 0] = X##ba; \ - state[ 1] = X##be; \ - output[ 1] = X##be; \ - state[ 2] = X##bi; \ - output[ 2] = X##bi; \ - state[ 3] = X##bo; \ - output[ 3] = X##bo; \ - state[ 4] = X##bu; \ - output[ 4] = X##bu; \ - state[ 5] = X##ga; \ - output[ 5] = X##ga; \ - state[ 6] = X##ge; \ - output[ 6] = X##ge; \ - state[ 7] = X##gi; \ - output[ 7] = X##gi; \ - if (laneCount < 12) { \ - 
if (laneCount < 10) { \ - state[ 8] = X##go; \ - if (laneCount >= 9) { \ - output[ 8] = X##go; \ - } \ - state[ 9] = X##gu; \ - state[10] = X##ka; \ - } \ - else { \ - state[ 8] = X##go; \ - output[ 8] = X##go; \ - state[ 9] = X##gu; \ - output[ 9] = X##gu; \ - state[10] = X##ka; \ - if (laneCount >= 11) { \ - output[10] = X##ka; \ - } \ - } \ - state[11] = X##ke; \ - state[12] = X##ki; \ - state[13] = X##ko; \ - state[14] = X##ku; \ - } \ - else { \ - state[ 8] = X##go; \ - output[ 8] = X##go; \ - state[ 9] = X##gu; \ - output[ 9] = X##gu; \ - state[10] = X##ka; \ - output[10] = X##ka; \ - state[11] = X##ke; \ - output[11] = X##ke; \ - if (laneCount < 14) { \ - state[12] = X##ki; \ - if (laneCount >= 13) { \ - output[12]= X##ki; \ - } \ - state[13] = X##ko; \ - state[14] = X##ku; \ - } \ - else { \ - state[12] = X##ki; \ - output[12]= X##ki; \ - state[13] = X##ko; \ - output[13] = X##ko; \ - state[14] = X##ku; \ - if (laneCount >= 15) { \ - output[14] = X##ku; \ - } \ - } \ - } \ - } \ - state[15] = X##ma; \ - state[16] = X##me; \ - state[17] = X##mi; \ - state[18] = X##mo; \ - state[19] = X##mu; \ - state[20] = X##sa; \ - state[21] = X##se; \ - state[22] = X##si; \ - state[23] = X##so; \ - state[24] = X##su; \ - } \ - else { \ - state[ 0] = X##ba; \ - output[ 0] = X##ba; \ - state[ 1] = X##be; \ - output[ 1] = X##be; \ - state[ 2] = X##bi; \ - output[ 2] = X##bi; \ - state[ 3] = X##bo; \ - output[ 3] = X##bo; \ - state[ 4] = X##bu; \ - output[ 4] = X##bu; \ - state[ 5] = X##ga; \ - output[ 5] = X##ga; \ - state[ 6] = X##ge; \ - output[ 6] = X##ge; \ - state[ 7] = X##gi; \ - output[ 7] = X##gi; \ - state[ 8] = X##go; \ - output[ 8] = X##go; \ - state[ 9] = X##gu; \ - output[ 9] = X##gu; \ - state[10] = X##ka; \ - output[10] = X##ka; \ - state[11] = X##ke; \ - output[11] = X##ke; \ - state[12] = X##ki; \ - output[12]= X##ki; \ - state[13] = X##ko; \ - output[13] = X##ko; \ - state[14] = X##ku; \ - output[14] = X##ku; \ - state[15] = X##ma; \ - output[15] = X##ma; \ 
- if (laneCount < 24) { \ - if (laneCount < 20) { \ - if (laneCount < 18) { \ - state[16] = X##me; \ - if (laneCount >= 17) { \ - output[16] = X##me; \ - } \ - state[17] = X##mi; \ - state[18] = X##mo; \ - } \ - else { \ - state[16] = X##me; \ - output[16] = X##me; \ - state[17] = X##mi; \ - output[17] = X##mi; \ - state[18] = X##mo; \ - if (laneCount >= 19) { \ - output[18] = X##mo; \ - } \ - } \ - state[19] = X##mu; \ - state[20] = X##sa; \ - state[21] = X##se; \ - state[22] = X##si; \ - } \ - else { \ - state[16] = X##me; \ - output[16] = X##me; \ - state[17] = X##mi; \ - output[17] = X##mi; \ - state[18] = X##mo; \ - output[18] = X##mo; \ - state[19] = X##mu; \ - output[19] = X##mu; \ - if (laneCount < 22) { \ - state[20] = X##sa; \ - if (laneCount >= 21) { \ - output[20] = X##sa; \ - } \ - state[21] = X##se; \ - state[22] = X##si; \ - } \ - else { \ - state[20] = X##sa; \ - output[20] = X##sa; \ - state[21] = X##se; \ - output[21] = X##se; \ - state[22] = X##si; \ - if (laneCount >= 23) { \ - output[22] = X##si; \ - } \ - } \ - } \ - state[23] = X##so; \ - state[24] = X##su; \ - } \ - else { \ - state[16] = X##me; \ - output[16] = X##me; \ - state[17] = X##mi; \ - output[17] = X##mi; \ - state[18] = X##mo; \ - output[18] = X##mo; \ - state[19] = X##mu; \ - output[19] = X##mu; \ - state[20] = X##sa; \ - output[20] = X##sa; \ - state[21] = X##se; \ - output[21] = X##se; \ - state[22] = X##si; \ - output[22] = X##si; \ - state[23] = X##so; \ - output[23] = X##so; \ - state[24] = X##su; \ - if (laneCount >= 25) { \ - output[24] = X##su; \ - } \ - } \ - } - -#define output(X, output, laneCount) \ - if (laneCount < 16) { \ - if (laneCount < 8) { \ - if (laneCount < 4) { \ - if (laneCount < 2) { \ - if (laneCount >= 1) { \ - output[ 0] = X##ba; \ - } \ - } \ - else { \ - output[ 0] = X##ba; \ - output[ 1] = X##be; \ - if (laneCount >= 3) { \ - output[ 2] = X##bi; \ - } \ - } \ - } \ - else { \ - output[ 0] = X##ba; \ - output[ 1] = X##be; \ - output[ 2] = X##bi; \ - 
output[ 3] = X##bo; \ - if (laneCount < 6) { \ - if (laneCount >= 5) { \ - output[ 4] = X##bu; \ - } \ - } \ - else { \ - output[ 4] = X##bu; \ - output[ 5] = X##ga; \ - if (laneCount >= 7) { \ - output[ 6] = X##ge; \ - } \ - } \ - } \ - } \ - else { \ - output[ 0] = X##ba; \ - output[ 1] = X##be; \ - output[ 2] = X##bi; \ - output[ 3] = X##bo; \ - output[ 4] = X##bu; \ - output[ 5] = X##ga; \ - output[ 6] = X##ge; \ - output[ 7] = X##gi; \ - if (laneCount < 12) { \ - if (laneCount < 10) { \ - if (laneCount >= 9) { \ - output[ 8] = X##go; \ - } \ - } \ - else { \ - output[ 8] = X##go; \ - output[ 9] = X##gu; \ - if (laneCount >= 11) { \ - output[10] = X##ka; \ - } \ - } \ - } \ - else { \ - output[ 8] = X##go; \ - output[ 9] = X##gu; \ - output[10] = X##ka; \ - output[11] = X##ke; \ - if (laneCount < 14) { \ - if (laneCount >= 13) { \ - output[12] = X##ki; \ - } \ - } \ - else { \ - output[12] = X##ki; \ - output[13] = X##ko; \ - if (laneCount >= 15) { \ - output[14] = X##ku; \ - } \ - } \ - } \ - } \ - } \ - else { \ - output[ 0] = X##ba; \ - output[ 1] = X##be; \ - output[ 2] = X##bi; \ - output[ 3] = X##bo; \ - output[ 4] = X##bu; \ - output[ 5] = X##ga; \ - output[ 6] = X##ge; \ - output[ 7] = X##gi; \ - output[ 8] = X##go; \ - output[ 9] = X##gu; \ - output[10] = X##ka; \ - output[11] = X##ke; \ - output[12] = X##ki; \ - output[13] = X##ko; \ - output[14] = X##ku; \ - output[15] = X##ma; \ - if (laneCount < 24) { \ - if (laneCount < 20) { \ - if (laneCount < 18) { \ - if (laneCount >= 17) { \ - output[16] = X##me; \ - } \ - } \ - else { \ - output[16] = X##me; \ - output[17] = X##mi; \ - if (laneCount >= 19) { \ - output[18] = X##mo; \ - } \ - } \ - } \ - else { \ - output[16] = X##me; \ - output[17] = X##mi; \ - output[18] = X##mo; \ - output[19] = X##mu; \ - if (laneCount < 22) { \ - if (laneCount >= 21) { \ - output[20] = X##sa; \ - } \ - } \ - else { \ - output[20] = X##sa; \ - output[21] = X##se; \ - if (laneCount >= 23) { \ - output[22] = X##si; \ - } \ 
- } \ - } \ - } \ - else { \ - output[16] = X##me; \ - output[17] = X##mi; \ - output[18] = X##mo; \ - output[19] = X##mu; \ - output[20] = X##sa; \ - output[21] = X##se; \ - output[22] = X##si; \ - output[23] = X##so; \ - if (laneCount >= 25) { \ - output[24] = X##su; \ - } \ - } \ - } - -#define wrapOne(X, input, output, index, name) \ - X##name ^= input[index]; \ - output[index] = X##name; - -#define wrapOneInvert(X, input, output, index, name) \ - X##name ^= input[index]; \ - output[index] = X##name; - -#define unwrapOne(X, input, output, index, name) \ - output[index] = input[index] ^ X##name; \ - X##name ^= output[index]; - -#define unwrapOneInvert(X, input, output, index, name) \ - output[index] = input[index] ^ X##name; \ - X##name ^= output[index]; - -#endif - -#define wrap(X, input, output, laneCount, trailingBits) \ - if (laneCount < 16) { \ - if (laneCount < 8) { \ - if (laneCount < 4) { \ - if (laneCount < 2) { \ - if (laneCount < 1) { \ - X##ba ^= trailingBits; \ - } \ - else { \ - wrapOne(X, input, output, 0, ba) \ - X##be ^= trailingBits; \ - } \ - } \ - else { \ - wrapOne(X, input, output, 0, ba) \ - wrapOneInvert(X, input, output, 1, be) \ - if (laneCount < 3) { \ - X##bi ^= trailingBits; \ - } \ - else { \ - wrapOneInvert(X, input, output, 2, bi) \ - X##bo ^= trailingBits; \ - } \ - } \ - } \ - else { \ - wrapOne(X, input, output, 0, ba) \ - wrapOneInvert(X, input, output, 1, be) \ - wrapOneInvert(X, input, output, 2, bi) \ - wrapOne(X, input, output, 3, bo) \ - if (laneCount < 6) { \ - if (laneCount < 5) { \ - X##bu ^= trailingBits; \ - } \ - else { \ - wrapOne(X, input, output, 4, bu) \ - X##ga ^= trailingBits; \ - } \ - } \ - else { \ - wrapOne(X, input, output, 4, bu) \ - wrapOne(X, input, output, 5, ga) \ - if (laneCount < 7) { \ - X##ge ^= trailingBits; \ - } \ - else { \ - wrapOne(X, input, output, 6, ge) \ - X##gi ^= trailingBits; \ - } \ - } \ - } \ - } \ - else { \ - wrapOne(X, input, output, 0, ba) \ - wrapOneInvert(X, input, output, 
1, be) \ - wrapOneInvert(X, input, output, 2, bi) \ - wrapOne(X, input, output, 3, bo) \ - wrapOne(X, input, output, 4, bu) \ - wrapOne(X, input, output, 5, ga) \ - wrapOne(X, input, output, 6, ge) \ - wrapOne(X, input, output, 7, gi) \ - if (laneCount < 12) { \ - if (laneCount < 10) { \ - if (laneCount < 9) { \ - X##go ^= trailingBits; \ - } \ - else { \ - wrapOneInvert(X, input, output, 8, go) \ - X##gu ^= trailingBits; \ - } \ - } \ - else { \ - wrapOneInvert(X, input, output, 8, go) \ - wrapOne(X, input, output, 9, gu) \ - if (laneCount < 11) { \ - X##ka ^= trailingBits; \ - } \ - else { \ - wrapOne(X, input, output, 10, ka) \ - X##ke ^= trailingBits; \ - } \ - } \ - } \ - else { \ - wrapOneInvert(X, input, output, 8, go) \ - wrapOne(X, input, output, 9, gu) \ - wrapOne(X, input, output, 10, ka) \ - wrapOne(X, input, output, 11, ke) \ - if (laneCount < 14) { \ - if (laneCount < 13) { \ - X##ki ^= trailingBits; \ - } \ - else { \ - wrapOneInvert(X, input, output, 12, ki) \ - X##ko ^= trailingBits; \ - } \ - } \ - else { \ - wrapOneInvert(X, input, output, 12, ki) \ - wrapOne(X, input, output, 13, ko) \ - if (laneCount < 15) { \ - X##ku ^= trailingBits; \ - } \ - else { \ - wrapOne(X, input, output, 14, ku) \ - X##ma ^= trailingBits; \ - } \ - } \ - } \ - } \ - } \ - else { \ - wrapOne(X, input, output, 0, ba) \ - wrapOneInvert(X, input, output, 1, be) \ - wrapOneInvert(X, input, output, 2, bi) \ - wrapOne(X, input, output, 3, bo) \ - wrapOne(X, input, output, 4, bu) \ - wrapOne(X, input, output, 5, ga) \ - wrapOne(X, input, output, 6, ge) \ - wrapOne(X, input, output, 7, gi) \ - wrapOneInvert(X, input, output, 8, go) \ - wrapOne(X, input, output, 9, gu) \ - wrapOne(X, input, output, 10, ka) \ - wrapOne(X, input, output, 11, ke) \ - wrapOneInvert(X, input, output, 12, ki) \ - wrapOne(X, input, output, 13, ko) \ - wrapOne(X, input, output, 14, ku) \ - wrapOne(X, input, output, 15, ma) \ - if (laneCount < 24) { \ - if (laneCount < 20) { \ - if (laneCount < 18) { \ 
- if (laneCount < 17) { \ - X##me ^= trailingBits; \ - } \ - else { \ - wrapOne(X, input, output, 16, me) \ - X##mi ^= trailingBits; \ - } \ - } \ - else { \ - wrapOne(X, input, output, 16, me) \ - wrapOneInvert(X, input, output, 17, mi) \ - if (laneCount < 19) { \ - X##mo ^= trailingBits; \ - } \ - else { \ - wrapOne(X, input, output, 18, mo) \ - X##mu ^= trailingBits; \ - } \ - } \ - } \ - else { \ - wrapOne(X, input, output, 16, me) \ - wrapOneInvert(X, input, output, 17, mi) \ - wrapOne(X, input, output, 18, mo) \ - wrapOne(X, input, output, 19, mu) \ - if (laneCount < 22) { \ - if (laneCount < 21) { \ - X##sa ^= trailingBits; \ - } \ - else { \ - wrapOneInvert(X, input, output, 20, sa) \ - X##se ^= trailingBits; \ - } \ - } \ - else { \ - wrapOneInvert(X, input, output, 20, sa) \ - wrapOne(X, input, output, 21, se) \ - if (laneCount < 23) { \ - X##si ^= trailingBits; \ - } \ - else { \ - wrapOne(X, input, output, 22, si) \ - X##so ^= trailingBits; \ - } \ - } \ - } \ - } \ - else { \ - wrapOne(X, input, output, 16, me) \ - wrapOneInvert(X, input, output, 17, mi) \ - wrapOne(X, input, output, 18, mo) \ - wrapOne(X, input, output, 19, mu) \ - wrapOneInvert(X, input, output, 20, sa) \ - wrapOne(X, input, output, 21, se) \ - wrapOne(X, input, output ... [truncated]
ext/sha3/Optimized64/KeccakF-1600-opt64.c+0 −508 removed@@ -1,508 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#include <string.h> -#include <stdlib.h> -#include "brg_endian.h" -#include "KeccakF-1600-opt64-settings.h" -#include "KeccakF-1600-interface.h" - -typedef unsigned char UINT8; -typedef unsigned long long int UINT64; - -#if defined(__GNUC__) -#define ALIGN __attribute__ ((aligned(32))) -#elif defined(_MSC_VER) -#define ALIGN __declspec(align(32)) -#else -#define ALIGN -#endif - -#if defined(UseLaneComplementing) -#define UseBebigokimisa -#endif - -#if defined(_MSC_VER) -#define ROL64(a, offset) _rotl64(a, offset) -#elif defined(UseSHLD) - #define ROL64(x,N) ({ \ - register UINT64 __out; \ - register UINT64 __in = x; \ - __asm__ ("shld %2,%0,%0" : "=r"(__out) : "0"(__in), "i"(N)); \ - __out; \ - }) -#else -#define ROL64(a, offset) ((((UINT64)a) << offset) ^ (((UINT64)a) >> (64-offset))) -#endif - -#include "KeccakF-1600-64.macros" -#include "KeccakF-1600-unrolling.macros" - -const UINT64 KeccakF1600RoundConstants[24] = { - 0x0000000000000001ULL, - 0x0000000000008082ULL, - 0x800000000000808aULL, - 0x8000000080008000ULL, - 0x000000000000808bULL, - 0x0000000080000001ULL, - 0x8000000080008081ULL, - 0x8000000000008009ULL, - 0x000000000000008aULL, - 0x0000000000000088ULL, - 0x0000000080008009ULL, - 0x000000008000000aULL, - 0x000000008000808bULL, - 0x800000000000008bULL, - 0x8000000000008089ULL, - 0x8000000000008003ULL, - 0x8000000000008002ULL, - 
0x8000000000000080ULL, - 0x000000000000800aULL, - 0x800000008000000aULL, - 0x8000000080008081ULL, - 0x8000000000008080ULL, - 0x0000000080000001ULL, - 0x8000000080008008ULL }; - -void KeccakF1600_StateXORPermuteExtract(void *state, const unsigned char *inData, unsigned int inLaneCount, unsigned char *outData, unsigned int outLaneCount); - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_Initialize( void ) -{ -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateInitialize(void *state) -{ - memset(state, 0, 200); -#ifdef UseLaneComplementing - ((UINT64*)state)[ 1] = ~(UINT64)0; - ((UINT64*)state)[ 2] = ~(UINT64)0; - ((UINT64*)state)[ 8] = ~(UINT64)0; - ((UINT64*)state)[12] = ~(UINT64)0; - ((UINT64*)state)[17] = ~(UINT64)0; - ((UINT64*)state)[20] = ~(UINT64)0; -#endif -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateXORBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length) -{ -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) - if (length == 0) - return; - UINT64 lane; - if (length == 1) - lane = data[0]; - else { - lane = 0; - memcpy(&lane, data, length); - } - lane <<= offset*8; -#else - UINT64 lane = 0; - unsigned int i; - for(i=0; i<length; i++) - lane |= ((UINT64)data[i]) << ((i+offset)*8); -#endif - ((UINT64*)state)[lanePosition] ^= lane; -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateXORLanes(void *state, const unsigned char *data, unsigned int laneCount) -{ -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) - unsigned int i = 0; -#ifdef NO_MISALIGNED_ACCESSES - // If either pointer is misaligned, fall back to byte-wise xor. 
- if (((((uintptr_t)state) & 7) != 0) || ((((uintptr_t)data) & 7) != 0)) { - for (i = 0; i < laneCount * 8; i++) { - ((unsigned char*)state)[i] ^= data[i]; - } - } - else -#endif - { - // Otherwise... - for( ; (i+8)<=laneCount; i+=8) { - ((UINT64*)state)[i+0] ^= ((UINT64*)data)[i+0]; - ((UINT64*)state)[i+1] ^= ((UINT64*)data)[i+1]; - ((UINT64*)state)[i+2] ^= ((UINT64*)data)[i+2]; - ((UINT64*)state)[i+3] ^= ((UINT64*)data)[i+3]; - ((UINT64*)state)[i+4] ^= ((UINT64*)data)[i+4]; - ((UINT64*)state)[i+5] ^= ((UINT64*)data)[i+5]; - ((UINT64*)state)[i+6] ^= ((UINT64*)data)[i+6]; - ((UINT64*)state)[i+7] ^= ((UINT64*)data)[i+7]; - } - for( ; (i+4)<=laneCount; i+=4) { - ((UINT64*)state)[i+0] ^= ((UINT64*)data)[i+0]; - ((UINT64*)state)[i+1] ^= ((UINT64*)data)[i+1]; - ((UINT64*)state)[i+2] ^= ((UINT64*)data)[i+2]; - ((UINT64*)state)[i+3] ^= ((UINT64*)data)[i+3]; - } - for( ; (i+2)<=laneCount; i+=2) { - ((UINT64*)state)[i+0] ^= ((UINT64*)data)[i+0]; - ((UINT64*)state)[i+1] ^= ((UINT64*)data)[i+1]; - } - if (i<laneCount) { - ((UINT64*)state)[i+0] ^= ((UINT64*)data)[i+0]; - } - } -#else - unsigned int i; - UINT8 *curData = data; - for(i=0; i<laneCount; i++, curData+=8) { - UINT64 lane = (UINT64)curData[0] - | ((UINT64)curData[1] << 8) - | ((UINT64)curData[2] << 16) - | ((UINT64)curData[3] << 24) - | ((UINT64)curData[4] <<32) - | ((UINT64)curData[5] << 40) - | ((UINT64)curData[6] << 48) - | ((UINT64)curData[7] << 56); - ((UINT64*)state)[i] ^= lane; - } -#endif -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateOverwriteBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length) -{ -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) -#ifdef UseLaneComplementing - if ((lanePosition == 1) || (lanePosition == 2) || (lanePosition == 8) || (lanePosition == 12) || (lanePosition == 17) || (lanePosition == 20)) { - unsigned int i; - for(i=0; i<length; i++) - ((unsigned 
char*)state)[lanePosition*8+offset+i] = ~data[i]; - } - else -#endif - { - memcpy((unsigned char*)state+lanePosition*8+offset, data, length); - } -#else -#error "Not yet implemented" -#endif -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateOverwriteLanes(void *state, const unsigned char *data, unsigned int laneCount) -{ -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) -#ifdef UseLaneComplementing - unsigned int lanePosition; - - for(lanePosition=0; lanePosition<laneCount; lanePosition++) - if ((lanePosition == 1) || (lanePosition == 2) || (lanePosition == 8) || (lanePosition == 12) || (lanePosition == 17) || (lanePosition == 20)) - ((UINT64*)state)[lanePosition] = ~((const UINT64*)data)[lanePosition]; - else - ((UINT64*)state)[lanePosition] = ((const UINT64*)data)[lanePosition]; -#else - memcpy(state, data, laneCount*8); -#endif -#else -#error "Not yet implemented" -#endif -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateOverwriteWithZeroes(void *state, unsigned int byteCount) -{ -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) -#ifdef UseLaneComplementing - unsigned int lanePosition; - - for(lanePosition=0; lanePosition<byteCount/8; lanePosition++) - if ((lanePosition == 1) || (lanePosition == 2) || (lanePosition == 8) || (lanePosition == 12) || (lanePosition == 17) || (lanePosition == 20)) - ((UINT64*)state)[lanePosition] = ~0; - else - ((UINT64*)state)[lanePosition] = 0; - if (byteCount%8 != 0) { - lanePosition = byteCount/8; - if ((lanePosition == 1) || (lanePosition == 2) || (lanePosition == 8) || (lanePosition == 12) || (lanePosition == 17) || (lanePosition == 20)) - memset(state+lanePosition*8, 0xFF, byteCount%8); - else - memset(state+lanePosition*8, 0, byteCount%8); - } -#else - memset(state, 0, byteCount); -#endif -#else -#error "Not yet implemented" -#endif -} - -/* ---------------------------------------------------------------- */ - -void 
KeccakF1600_StateComplementBit(void *state, unsigned int position) -{ - UINT64 lane = (UINT64)1 << (position%64); - ((UINT64*)state)[position/64] ^= lane; -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StatePermute(void *state) -{ - declareABCDE - #ifndef FullUnrolling - unsigned int i; - #endif - UINT64 *stateAsLanes = (UINT64*)state; - - copyFromState(A, stateAsLanes) - rounds - copyToState(stateAsLanes, A) -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateExtractBytesInLane(const void *state, unsigned int lanePosition, unsigned char *data, unsigned int offset, unsigned int length) -{ - UINT64 lane = ((UINT64*)state)[lanePosition]; -#ifdef UseLaneComplementing - if ((lanePosition == 1) || (lanePosition == 2) || (lanePosition == 8) || (lanePosition == 12) || (lanePosition == 17) || (lanePosition == 20)) - lane = ~lane; -#endif -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) - { - UINT64 lane1[1]; - lane1[0] = lane; - memcpy(data, (UINT8*)lane1+offset, length); - } -#else - unsigned int i; - lane >>= offset*8; - for(i=0; i<length; i++) { - data[i] = lane & 0xFF; - lane >>= 8; - } -#endif -} - -/* ---------------------------------------------------------------- */ - -#if (PLATFORM_BYTE_ORDER != IS_LITTLE_ENDIAN) -void fromWordToBytes(UINT8 *bytes, const UINT64 word) -{ - unsigned int i; - - for(i=0; i<(64/8); i++) - bytes[i] = (word >> (8*i)) & 0xFF; -} -#endif - -void KeccakF1600_StateExtractLanes(const void *state, unsigned char *data, unsigned int laneCount) -{ -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) - memcpy(data, state, laneCount*8); -#else - unsigned int i; - - for(i=0; i<laneCount; i++) - fromWordToBytes(data+(i*8), ((const UINT64*)state)[i]); -#endif -#ifdef UseLaneComplementing - if (laneCount > 1) { - ((UINT64*)data)[ 1] = ~((UINT64*)data)[ 1]; - if (laneCount > 2) { - ((UINT64*)data)[ 2] = ~((UINT64*)data)[ 2]; - if (laneCount > 8) { - 
((UINT64*)data)[ 8] = ~((UINT64*)data)[ 8]; - if (laneCount > 12) { - ((UINT64*)data)[12] = ~((UINT64*)data)[12]; - if (laneCount > 17) { - ((UINT64*)data)[17] = ~((UINT64*)data)[17]; - if (laneCount > 20) { - ((UINT64*)data)[20] = ~((UINT64*)data)[20]; - } - } - } - } - } - } -#endif -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateExtractAndXORBytesInLane(const void *state, unsigned int lanePosition, unsigned char *data, unsigned int offset, unsigned int length) -{ - UINT64 lane = ((UINT64*)state)[lanePosition]; -#ifdef UseLaneComplementing - if ((lanePosition == 1) || (lanePosition == 2) || (lanePosition == 8) || (lanePosition == 12) || (lanePosition == 17) || (lanePosition == 20)) - lane = ~lane; -#endif -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) - { - unsigned int i; - UINT64 lane1[1]; - lane1[0] = lane; - for(i=0; i<length; i++) - data[i] ^= ((UINT8*)lane1)[offset+i]; - } -#else - unsigned int i; - lane >>= offset*8; - for(i=0; i<length; i++) { - data[i] ^= lane & 0xFF; - lane >>= 8; - } -#endif -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateExtractAndXORLanes(const void *state, unsigned char *data, unsigned int laneCount) -{ - unsigned int i; -#if (PLATFORM_BYTE_ORDER != IS_LITTLE_ENDIAN) - unsigned char temp[8]; - unsigned int j; -#endif - - for(i=0; i<laneCount; i++) { -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) - ((UINT64*)data)[i] ^= ((const UINT64*)state)[i]; -#else - fromWordToBytes(temp, ((const UINT64*)state)[i]); - for(j=0; j<8; j++) - data[i*8+j] ^= temp[j]; -#endif - } -#ifdef UseLaneComplementing - if (laneCount > 1) { - ((UINT64*)data)[ 1] = ~((UINT64*)data)[ 1]; - if (laneCount > 2) { - ((UINT64*)data)[ 2] = ~((UINT64*)data)[ 2]; - if (laneCount > 8) { - ((UINT64*)data)[ 8] = ~((UINT64*)data)[ 8]; - if (laneCount > 12) { - ((UINT64*)data)[12] = ~((UINT64*)data)[12]; - if (laneCount > 17) { - ((UINT64*)data)[17] = 
~((UINT64*)data)[17]; - if (laneCount > 20) { - ((UINT64*)data)[20] = ~((UINT64*)data)[20]; - } - } - } - } - } - } -#endif -} - -/* ---------------------------------------------------------------- */ - -size_t KeccakF1600_FBWL_Absorb(void *state, unsigned int laneCount, const unsigned char *data, size_t dataByteLen, unsigned char trailingBits) -{ - size_t originalDataByteLen = dataByteLen; - declareABCDE - #ifndef FullUnrolling - unsigned int i; - #endif - UINT64 *stateAsLanes = (UINT64*)state; - UINT64 *inDataAsLanes = (UINT64*)data; - - copyFromState(A, stateAsLanes) - while(dataByteLen >= laneCount*8) { - XORinputAndTrailingBits(A, inDataAsLanes, laneCount, ((UINT64)trailingBits)) - rounds - inDataAsLanes += laneCount; - dataByteLen -= laneCount*8; - } - copyToState(stateAsLanes, A) - return originalDataByteLen - dataByteLen; -} - -/* ---------------------------------------------------------------- */ - -size_t KeccakF1600_FBWL_Squeeze(void *state, unsigned int laneCount, unsigned char *data, size_t dataByteLen) -{ - size_t originalDataByteLen = dataByteLen; - declareABCDE - #ifndef FullUnrolling - unsigned int i; - #endif - UINT64 *stateAsLanes = (UINT64*)state; - UINT64 *outDataAsLanes = (UINT64*)data; - - copyFromState(A, stateAsLanes) - while(dataByteLen >= laneCount*8) { - rounds - output(A, outDataAsLanes, laneCount) - outDataAsLanes += laneCount; - dataByteLen -= laneCount*8; - } - copyToState(stateAsLanes, A) - return originalDataByteLen - dataByteLen; -} - -/* ---------------------------------------------------------------- */ - -size_t KeccakF1600_FBWL_Wrap(void *state, unsigned int laneCount, const unsigned char *dataIn, unsigned char *dataOut, size_t dataByteLen, unsigned char trailingBits) -{ - size_t originalDataByteLen = dataByteLen; - declareABCDE - #ifndef FullUnrolling - unsigned int i; - #endif - UINT64 *stateAsLanes = (UINT64*)state; - UINT64 *inDataAsLanes = (UINT64*)dataIn; - UINT64 *outDataAsLanes = (UINT64*)dataOut; - - copyFromState(A, 
stateAsLanes) - while(dataByteLen >= laneCount*8) { - wrap(A, inDataAsLanes, outDataAsLanes, laneCount, ((UINT64)trailingBits)) - rounds - inDataAsLanes += laneCount; - outDataAsLanes += laneCount; - dataByteLen -= laneCount*8; - } - copyToState(stateAsLanes, A) - return originalDataByteLen - dataByteLen; -} - -/* ---------------------------------------------------------------- */ - -size_t KeccakF1600_FBWL_Unwrap(void *state, unsigned int laneCount, const unsigned char *dataIn, unsigned char *dataOut, size_t dataByteLen, unsigned char trailingBits) -{ - size_t originalDataByteLen = dataByteLen; - declareABCDE - #ifndef FullUnrolling - unsigned int i; - #endif - UINT64 *stateAsLanes = (UINT64*)state; - UINT64 *inDataAsLanes = (UINT64*)dataIn; - UINT64 *outDataAsLanes = (UINT64*)dataOut; - - copyFromState(A, stateAsLanes) - while(dataByteLen >= laneCount*8) { - unwrap(A, inDataAsLanes, outDataAsLanes, laneCount, ((UINT64)trailingBits)) - rounds - inDataAsLanes += laneCount; - outDataAsLanes += laneCount; - dataByteLen -= laneCount*8; - } - copyToState(stateAsLanes, A) - return originalDataByteLen - dataByteLen; -}
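Review bot: KeccakF1600_StateXORLanes in the deleted KeccakF-1600-opt64.c reads the caller's `const unsigned char *data` through a `(UINT64*)` cast, and the alignment guard (`((uintptr_t)data) & 7`) only exists under NO_MISALIGNED_ACCESSES, which the settings header in this diff does not set; the file also uses `uintptr_t` without including <stdint.h>, the big-endian branch drops const with `UINT8 *curData = data;`, and KeccakF1600_StateOverwriteWithZeroes does `memset(state+lanePosition*8, ...)` on a `void *state`, which is a GCC extension. None of this needs fixing in a file that is going away, but whatever replaces it should absorb lanes through memcpy (as KeccakF1600_StateXORBytesInLane already does here) rather than a pointer cast, so the same alignment and aliasing assumptions are not carried forward.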
ext/sha3/Optimized64/KeccakF-1600-opt64-settings.h+0 −3 removed@@ -1,3 +0,0 @@ -#define FullUnrolling -#define UseLaneComplementing -#define UseSHLD
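Review bot: These three defines are what selected the x86-only `shld` inline-asm ROL64 (`#elif defined(UseSHLD)`), the fully unrolled `rounds` macro, and the complemented lanes 1, 2, 8, 12, 17 and 20 in the file above. With the header gone, grep the remaining tree for `FullUnrolling`, `UseLaneComplementing`, `UseBebigokimisa` and `UseSHLD`: any surviving `#ifdef` on those names now silently takes the other branch instead of failing the build.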
ext/sha3/Optimized64/KeccakF-1600-unrolling.macros+0 −126 removed@@ -1,126 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#if (defined(FullUnrolling)) -#define rounds \ - prepareTheta \ - thetaRhoPiChiIotaPrepareTheta( 0, A, E) \ - thetaRhoPiChiIotaPrepareTheta( 1, E, A) \ - thetaRhoPiChiIotaPrepareTheta( 2, A, E) \ - thetaRhoPiChiIotaPrepareTheta( 3, E, A) \ - thetaRhoPiChiIotaPrepareTheta( 4, A, E) \ - thetaRhoPiChiIotaPrepareTheta( 5, E, A) \ - thetaRhoPiChiIotaPrepareTheta( 6, A, E) \ - thetaRhoPiChiIotaPrepareTheta( 7, E, A) \ - thetaRhoPiChiIotaPrepareTheta( 8, A, E) \ - thetaRhoPiChiIotaPrepareTheta( 9, E, A) \ - thetaRhoPiChiIotaPrepareTheta(10, A, E) \ - thetaRhoPiChiIotaPrepareTheta(11, E, A) \ - thetaRhoPiChiIotaPrepareTheta(12, A, E) \ - thetaRhoPiChiIotaPrepareTheta(13, E, A) \ - thetaRhoPiChiIotaPrepareTheta(14, A, E) \ - thetaRhoPiChiIotaPrepareTheta(15, E, A) \ - thetaRhoPiChiIotaPrepareTheta(16, A, E) \ - thetaRhoPiChiIotaPrepareTheta(17, E, A) \ - thetaRhoPiChiIotaPrepareTheta(18, A, E) \ - thetaRhoPiChiIotaPrepareTheta(19, E, A) \ - thetaRhoPiChiIotaPrepareTheta(20, A, E) \ - thetaRhoPiChiIotaPrepareTheta(21, E, A) \ - thetaRhoPiChiIotaPrepareTheta(22, A, E) \ - thetaRhoPiChiIota(23, E, A) \ - -#elif (Unrolling == 12) -#define rounds \ - prepareTheta \ - for(i=0; i<24; i+=12) { \ - thetaRhoPiChiIotaPrepareTheta(i , A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+ 1, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+ 2, A, E) \ - 
thetaRhoPiChiIotaPrepareTheta(i+ 3, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+ 4, A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+ 5, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+ 6, A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+ 7, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+ 8, A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+ 9, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+10, A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+11, E, A) \ - } \ - -#elif (Unrolling == 8) -#define rounds \ - prepareTheta \ - for(i=0; i<24; i+=8) { \ - thetaRhoPiChiIotaPrepareTheta(i , A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+4, A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+5, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+6, A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+7, E, A) \ - } \ - -#elif (Unrolling == 6) -#define rounds \ - prepareTheta \ - for(i=0; i<24; i+=6) { \ - thetaRhoPiChiIotaPrepareTheta(i , A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+4, A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+5, E, A) \ - } \ - -#elif (Unrolling == 4) -#define rounds \ - prepareTheta \ - for(i=0; i<24; i+=4) { \ - thetaRhoPiChiIotaPrepareTheta(i , A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+3, E, A) \ - } \ - -#elif (Unrolling == 3) -#define rounds \ - prepareTheta \ - for(i=0; i<24; i+=3) { \ - thetaRhoPiChiIotaPrepareTheta(i , A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ - thetaRhoPiChiIotaPrepareTheta(i+2, A, E) \ - copyStateVariables(A, E) \ - } \ - -#elif (Unrolling == 2) -#define rounds \ - prepareTheta \ - for(i=0; i<24; i+=2) { \ - thetaRhoPiChiIotaPrepareTheta(i , A, E) \ - thetaRhoPiChiIotaPrepareTheta(i+1, E, A) \ - } \ - -#elif (Unrolling == 1) -#define rounds \ - 
prepareTheta \ - for(i=0; i<24; i++) { \ - thetaRhoPiChiIotaPrepareTheta(i , A, E) \ - copyStateVariables(A, E) \ - } \ - -#else -#error "Unrolling is not correctly specified!" -#endif
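Review bot: Every `rounds` definition here ends with a trailing `\` followed by a blank line (for example `thetaRhoPiChiIota(23, E, A) \` and then an empty line before `#elif`), which extends the macro onto the empty line; harmless, but a replacement that keeps this file should drop the dangling continuation. The partially unrolled variants also depend on an `i` declared by the caller (the `#ifndef FullUnrolling unsigned int i;` blocks in the .c file above), a hidden coupling worth a comment if the pattern is retained.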
ext/sha3/Optimized64/SnP-interface.h+0 −47 removed@@ -1,47 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#ifndef _SnP_Interface_h_ -#define _SnP_Interface_h_ - -#include "KeccakF-1600-interface.h" - -#define SnP_width KeccakF_width -#define SnP_stateSizeInBytes KeccakF_stateSizeInBytes -#define SnP_laneLengthInBytes KeccakF_laneInBytes -#define SnP_laneCount 25 - -#define SnP_StaticInitialize KeccakF1600_Initialize -#define SnP_Initialize KeccakF1600_StateInitialize -#define SnP_XORBytesInLane KeccakF1600_StateXORBytesInLane -#define SnP_XORLanes KeccakF1600_StateXORLanes -#define SnP_OverwriteBytesInLane KeccakF1600_StateOverwriteBytesInLane -#define SnP_OverwriteLanes KeccakF1600_StateOverwriteLanes -#define SnP_OverwriteWithZeroes KeccakF1600_StateOverwriteWithZeroes -#define SnP_ComplementBit KeccakF1600_StateComplementBit -#define SnP_Permute KeccakF1600_StatePermute -#define SnP_ExtractBytesInLane KeccakF1600_StateExtractBytesInLane -#define SnP_ExtractLanes KeccakF1600_StateExtractLanes -#define SnP_ExtractAndXORBytesInLane KeccakF1600_StateExtractAndXORBytesInLane -#define SnP_ExtractAndXORLanes KeccakF1600_StateExtractAndXORLanes - -#include "SnP-Relaned.h" - -#define SnP_FBWL_Absorb KeccakF1600_FBWL_Absorb -#define SnP_FBWL_Squeeze KeccakF1600_FBWL_Squeeze -#define SnP_FBWL_Wrap KeccakF1600_FBWL_Wrap -#define SnP_FBWL_Unwrap KeccakF1600_FBWL_Unwrap - -#endif
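Review bot: SnP-interface.h is the name-mapping layer (SnP_Permute, SnP_FBWL_Absorb, SnP_laneCount 25, and the rest) that higher-level code includes, and the displayIntermediateValues files in this same change include it. Since the diff shows only this Optimized64 copy being deleted, confirm no remaining source still includes "SnP-interface.h" or "SnP-Relaned.h" or references the SnP_* names; otherwise the breakage only surfaces at build time rather than in review.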
ext/sha3/Reference/displayIntermediateValues.c+0 −158 removed@@ -1,158 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#include <stdio.h> -#include "displayIntermediateValues.h" -#include "SnP-interface.h" - -FILE *intermediateValueFile = 0; -int displayLevel = 0; - -void displaySetIntermediateValueFile(FILE *f) -{ - intermediateValueFile = f; -} - -void displaySetLevel(int level) -{ - displayLevel = level; -} - -void displayBytes(int level, const char *text, const unsigned char *bytes, unsigned int size) -{ - unsigned int i; - - if ((intermediateValueFile) && (level <= displayLevel)) { - fprintf(intermediateValueFile, "%s:\n", text); - for(i=0; i<size; i++) - fprintf(intermediateValueFile, "%02X ", bytes[i]); - fprintf(intermediateValueFile, "\n"); - fprintf(intermediateValueFile, "\n"); - } -} - -void displayBits(int level, const char *text, const unsigned char *data, unsigned int size, int MSBfirst) -{ - unsigned int i, iByte, iBit; - - if ((intermediateValueFile) && (level <= displayLevel)) { - fprintf(intermediateValueFile, "%s:\n", text); - for(i=0; i<size; i++) { - iByte = i/8; - iBit = i%8; - if (MSBfirst) - fprintf(intermediateValueFile, "%d ", ((data[iByte] << iBit) & 0x80) != 0); - else - fprintf(intermediateValueFile, "%d ", ((data[iByte] >> iBit) & 0x01) != 0); - } - fprintf(intermediateValueFile, "\n"); - fprintf(intermediateValueFile, "\n"); - } -} - -void displayStateAsBytes(int level, const char *text, const unsigned char *state) -{ - 
displayBytes(level, text, state, SnP_width/8); -} - -#if (SnP_laneLengthInBytes == 8) -void displayStateAs32bitWords(int level, const char *text, const unsigned int *state) -{ - unsigned int i; - - if ((intermediateValueFile) && (level <= displayLevel)) { - fprintf(intermediateValueFile, "%s:\n", text); - for(i=0; i<SnP_width/64; i++) { - fprintf(intermediateValueFile, "%08X:%08X", (unsigned int)state[2*i+0], (unsigned int)state[2*i+1]); - if ((i%5) == 4) - fprintf(intermediateValueFile, "\n"); - else - fprintf(intermediateValueFile, " "); - } - } -} -#endif - -void displayStateAsLanes(int level, const char *text, void *statePointer) -{ - unsigned int i; -#if (SnP_laneLengthInBytes == 8) - unsigned long long int *state = statePointer; -#endif -#if (SnP_laneLengthInBytes == 4) - unsigned int *state = statePointer; -#endif -#if (SnP_laneLengthInBytes == 2) - unsigned short *state = statePointer; -#endif -#if (SnP_laneLengthInBytes == 1) - unsigned char *state = statePointer; -#endif - - if ((intermediateValueFile) && (level <= displayLevel)) { - fprintf(intermediateValueFile, "%s:\n", text); -#if (SnP_laneLengthInBytes == 8) - for(i=0; i<25; i++) { - fprintf(intermediateValueFile, "%08X", (unsigned int)(state[i] >> 32)); - fprintf(intermediateValueFile, "%08X", (unsigned int)(state[i] & 0xFFFFFFFFULL)); - if ((i%5) == 4) - fprintf(intermediateValueFile, "\n"); - else - fprintf(intermediateValueFile, " "); - } -#endif -#if (SnP_laneLengthInBytes == 4) - for(i=0; i<25; i++) { - fprintf(intermediateValueFile, "%08X", state[i]); - if ((i%5) == 4) - fprintf(intermediateValueFile, "\n"); - else - fprintf(intermediateValueFile, " "); - } -#endif -#if (SnP_laneLengthInBytes == 2) - for(i=0; i<25; i++) { - fprintf(intermediateValueFile, "%04X ", state[i]); - if ((i%5) == 4) - fprintf(intermediateValueFile, "\n"); - } -#endif -#if (SnP_laneLengthInBytes == 1) - for(i=0; i<25; i++) { - fprintf(intermediateValueFile, "%02X ", state[i]); - if ((i%5) == 4) - 
fprintf(intermediateValueFile, "\n"); - } -#endif - } -} - -void displayRoundNumber(int level, unsigned int i) -{ - if ((intermediateValueFile) && (level <= displayLevel)) { - fprintf(intermediateValueFile, "\n"); - fprintf(intermediateValueFile, "--- Round %d ---\n", i); - fprintf(intermediateValueFile, "\n"); - } -} - -void displayText(int level, const char *text) -{ - if ((intermediateValueFile) && (level <= displayLevel)) { - fprintf(intermediateValueFile, "%s", text); - fprintf(intermediateValueFile, "\n"); - fprintf(intermediateValueFile, "\n"); - } -}
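Review bot: Removing this tracing module is the right call for a shipped extension: displayStateAsBytes and displayStateAsLanes write the full 200-byte permutation state to whatever FILE the caller handed to displaySetIntermediateValueFile, gated only by the runtime global `int displayLevel`, so any build that linked it could dump the sponge state mid-absorb to disk. If the replacement keeps an equivalent debug hook, it belongs behind a compile-time switch rather than a mutable global.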
ext/sha3/Reference/displayIntermediateValues.h+0 −34 removed@@ -1,34 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#ifndef _displayIntermediateValues_h_ -#define _displayIntermediateValues_h_ - -#include <stdio.h> -#include "SnP-interface.h" - -void displaySetIntermediateValueFile(FILE *f); -void displaySetLevel(int level); -void displayBytes(int level, const char *text, const unsigned char *bytes, unsigned int size); -void displayBits(int level, const char *text, const unsigned char *data, unsigned int size, int MSBfirst); -void displayStateAsBytes(int level, const char *text, const unsigned char *state); -#if (SnP_laneLengthInBytes == 8) -void displayStateAs32bitWords(int level, const char *text, const unsigned int *state); -#endif -void displayStateAsLanes(int level, const char *text, void *statePointer); -void displayRoundNumber(int level, unsigned int i); -void displayText(int level, const char *text); - -#endif
ext/sha3/Reference/KeccakF-1600-reference.c+0 −311 removed@@ -1,311 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "brg_endian.h" -#include "displayIntermediateValues.h" - -typedef unsigned char UINT8; -typedef unsigned long long UINT64; -typedef UINT64 tKeccakLane; - -#define nrRounds 24 -tKeccakLane KeccakRoundConstants[nrRounds]; -#define nrLanes 25 -unsigned int KeccakRhoOffsets[nrLanes]; - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_InitializeRoundConstants(); -void KeccakF1600_InitializeRhoOffsets(); -int LFSR86540(UINT8 *LFSR); - -void KeccakF1600_Initialize() -{ - if (sizeof(tKeccakLane) != 8) { - printf("tKeccakLane should be 64-bit wide\n"); - abort(); - } - KeccakF1600_InitializeRoundConstants(); - KeccakF1600_InitializeRhoOffsets(); -} - -void KeccakF1600_InitializeRoundConstants() -{ - UINT8 LFSRstate = 0x01; - unsigned int i, j, bitPosition; - - for(i=0; i<nrRounds; i++) { - KeccakRoundConstants[i] = 0; - for(j=0; j<7; j++) { - bitPosition = (1<<j)-1; //2^j-1 - if (LFSR86540(&LFSRstate)) - KeccakRoundConstants[i] ^= (tKeccakLane)1<<bitPosition; - } - } -} - -#define index(x, y) (((x)%5)+5*((y)%5)) - -void KeccakF1600_InitializeRhoOffsets() -{ - unsigned int x, y, t, newX, newY; - - KeccakRhoOffsets[index(0, 0)] = 0; - x = 1; - y = 0; - for(t=0; t<24; t++) { - KeccakRhoOffsets[index(x, y)] = ((t+1)*(t+2)/2) % 64; - newX = (0*x+1*y) 
% 5; - newY = (2*x+3*y) % 5; - x = newX; - y = newY; - } -} - -int LFSR86540(UINT8 *LFSR) -{ - int result = ((*LFSR) & 0x01) != 0; - if (((*LFSR) & 0x80) != 0) - // Primitive polynomial over GF(2): x^8+x^6+x^5+x^4+1 - (*LFSR) = ((*LFSR) << 1) ^ 0x71; - else - (*LFSR) <<= 1; - return result; -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateInitialize(void *state) -{ - memset(state, 0, KeccakF_width/8); -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateXORBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length) -{ - unsigned int i; - - for(i=0; i<length; i++) - ((unsigned char *)state)[offset+i] ^= data[i]; -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateOverwriteBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length) -{ - memcpy((unsigned char*)state+offset, data, length); -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateOverwriteWithZeroes(void *state, unsigned int byteCount) -{ - memset(state, 0, byteCount); -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateComplementBit(void *state, unsigned int position) -{ - if (position < 1600) { - unsigned int bytePosition = position/8; - unsigned int bitPosition = position%8; - - ((unsigned char *)state)[bytePosition] ^= (UINT8)1 << bitPosition; - } -} - -/* ---------------------------------------------------------------- */ - -void fromBytesToWords(tKeccakLane *stateAsWords, const unsigned char *state); -void fromWordsToBytes(unsigned char *state, const tKeccakLane *stateAsWords); -void KeccakF1600OnWords(tKeccakLane *state); -void KeccakF1600Round(tKeccakLane *state, unsigned int indexRound); -void theta(tKeccakLane *A); -void rho(tKeccakLane *A); -void pi(tKeccakLane *A); -void chi(tKeccakLane *A); 
-void iota(tKeccakLane *A, unsigned int indexRound); - -void KeccakF1600_StatePermute(void *state) -{ -#if (PLATFORM_BYTE_ORDER != IS_LITTLE_ENDIAN) - tKeccakLane stateAsWords[KeccakF_width/64]; -#endif - - displayStateAsBytes(1, "Input of permutation", (const unsigned char *)state); -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) - KeccakF1600OnWords((tKeccakLane*)state); -#else - fromBytesToWords(stateAsWords, (const unsigned char *)state); - KeccakF1600OnWords(stateAsWords); - fromWordsToBytes((unsigned char *)state, stateAsWords); -#endif - displayStateAsBytes(1, "State after permutation", (const unsigned char *)state); -} - -void fromBytesToWords(tKeccakLane *stateAsWords, const unsigned char *state) -{ - unsigned int i, j; - - for(i=0; i<nrLanes; i++) { - stateAsWords[i] = 0; - for(j=0; j<(64/8); j++) - stateAsWords[i] |= (tKeccakLane)(state[i*(64/8)+j]) << (8*j); - } -} - -void fromWordsToBytes(unsigned char *state, const tKeccakLane *stateAsWords) -{ - unsigned int i, j; - - for(i=0; i<nrLanes; i++) - for(j=0; j<(64/8); j++) - state[i*(64/8)+j] = (stateAsWords[i] >> (8*j)) & 0xFF; -} - -void KeccakF1600OnWords(tKeccakLane *state) -{ - unsigned int i; - - displayStateAsLanes(3, "Same, with lanes as 64-bit words", state); - - for(i=0; i<nrRounds; i++) - KeccakF1600Round(state, i); -} - -void KeccakF1600Round(tKeccakLane *state, unsigned int indexRound) -{ - displayRoundNumber(3, indexRound); - - theta(state); - displayStateAsLanes(3, "After theta", state); - - rho(state); - displayStateAsLanes(3, "After rho", state); - - pi(state); - displayStateAsLanes(3, "After pi", state); - - chi(state); - displayStateAsLanes(3, "After chi", state); - - iota(state, indexRound); - displayStateAsLanes(3, "After iota", state); -} - -#define ROL64(a, offset) ((offset != 0) ? 
((((tKeccakLane)a) << offset) ^ (((tKeccakLane)a) >> (64-offset))) : a) - -void theta(tKeccakLane *A) -{ - unsigned int x, y; - tKeccakLane C[5], D[5]; - - for(x=0; x<5; x++) { - C[x] = 0; - for(y=0; y<5; y++) - C[x] ^= A[index(x, y)]; - } - for(x=0; x<5; x++) - D[x] = ROL64(C[(x+1)%5], 1) ^ C[(x+4)%5]; - for(x=0; x<5; x++) - for(y=0; y<5; y++) - A[index(x, y)] ^= D[x]; -} - -void rho(tKeccakLane *A) -{ - unsigned int x, y; - - for(x=0; x<5; x++) for(y=0; y<5; y++) - A[index(x, y)] = ROL64(A[index(x, y)], KeccakRhoOffsets[index(x, y)]); -} - -void pi(tKeccakLane *A) -{ - unsigned int x, y; - tKeccakLane tempA[25]; - - for(x=0; x<5; x++) for(y=0; y<5; y++) - tempA[index(x, y)] = A[index(x, y)]; - for(x=0; x<5; x++) for(y=0; y<5; y++) - A[index(0*x+1*y, 2*x+3*y)] = tempA[index(x, y)]; -} - -void chi(tKeccakLane *A) -{ - unsigned int x, y; - tKeccakLane C[5]; - - for(y=0; y<5; y++) { - for(x=0; x<5; x++) - C[x] = A[index(x, y)] ^ ((~A[index(x+1, y)]) & A[index(x+2, y)]); - for(x=0; x<5; x++) - A[index(x, y)] = C[x]; - } -} - -void iota(tKeccakLane *A, unsigned int indexRound) -{ - A[index(0, 0)] ^= KeccakRoundConstants[indexRound]; -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length) -{ - memcpy(data, (unsigned char*)state+offset, length); -} - -/* ---------------------------------------------------------------- */ - -void KeccakF1600_StateExtractAndXORBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length) -{ - unsigned int i; - - for(i=0; i<length; i++) - data[i] ^= ((unsigned char *)state)[offset+i]; -} - -/* ---------------------------------------------------------------- */ - -void displayRoundConstants(FILE *f) -{ - unsigned int i; - - for(i=0; i<nrRounds; i++) { - fprintf(f, "RC[%02i][0][0] = ", i); - fprintf(f, "%08X", (unsigned int)(KeccakRoundConstants[i] >> 32)); - fprintf(f, "%08X", 
(unsigned int)(KeccakRoundConstants[i] & 0xFFFFFFFFULL)); - fprintf(f, "\n"); - } - fprintf(f, "\n"); -} - -void displayRhoOffsets(FILE *f) -{ - unsigned int x, y; - - for(y=0; y<5; y++) for(x=0; x<5; x++) { - fprintf(f, "RhoOffset[%i][%i] = ", x, y); - fprintf(f, "%2i", KeccakRhoOffsets[index(x, y)]); - fprintf(f, "\n"); - } - fprintf(f, "\n"); -}
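Review bot: none of the removed state accessors in KeccakF-1600-reference.c validates its arguments: KeccakF1600_StateXORBytes and KeccakF1600_StateExtractAndXORBytes index `((unsigned char *)state)[offset+i]` for `i < length`, and KeccakF1600_StateOverwriteBytes / KeccakF1600_StateExtractBytes memcpy `length` bytes at `state+offset`, with no check that `offset+length` stays within the 200-byte state that KeccakF1600_StateInitialize clears with `memset(state, 0, KeccakF_width/8)`. This layer never contained any bounds protection, so deleting it loses none; it also documents the contract the sponge layer has to uphold, namely that every `partialBlock`/`length` it passes down has already been checked against the rate, which is exactly the arithmetic the fix commit below repairs.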
ext/sha3/Reference/KeccakF-reference.h+0 −26 removed@@ -1,26 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#ifndef _KeccakFReference_h_ -#define _KeccakFReference_h_ -#include "KeccakF-1600-interface.h" - -void displayRoundConstants(FILE *f); -void displayRhoOffsets(FILE *f); - -#define KeccakF_Initialize KeccakF1600_Initialize -#define KeccakF_StatePermute KeccakF1600_StatePermute - -#endif
ext/sha3/Reference/SnP-FBWL-default.c+0 −96 removed@@ -1,96 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#include <string.h> -#include "SnP-interface.h" -#ifdef KeccakReference -#include "displayIntermediateValues.h" -#endif - -size_t SnP_FBWL_Absorb_Default(void *state, unsigned int laneCount, const unsigned char *data, size_t dataByteLen, unsigned char trailingBits) -{ - size_t processed = 0; - - while(dataByteLen >= laneCount*SnP_laneLengthInBytes) { - #ifdef KeccakReference - if (trailingBits == 0) - displayBytes(1, "Block to be absorbed", data, laneCount*SnP_laneLengthInBytes); - else { - displayBytes(1, "Block to be absorbed (part)", data, laneCount*SnP_laneLengthInBytes); - displayBytes(1, "Block to be absorbed (trailing bits)", &trailingBits, 1); - } - #endif - SnP_XORBytes(state, data, 0, laneCount*SnP_laneLengthInBytes); - SnP_XORBytes(state, &trailingBits, laneCount*SnP_laneLengthInBytes, 1); - SnP_Permute(state); - data += laneCount*SnP_laneLengthInBytes; - dataByteLen -= laneCount*SnP_laneLengthInBytes; - processed += laneCount*SnP_laneLengthInBytes; - } - return processed; -} - -size_t SnP_FBWL_Squeeze_Default(void *state, unsigned int laneCount, unsigned char *data, size_t dataByteLen) -{ - size_t processed = 0; - - while(dataByteLen >= laneCount*SnP_laneLengthInBytes) { - SnP_Permute(state); - SnP_ExtractBytes(state, data, 0, laneCount*SnP_laneLengthInBytes); - #ifdef KeccakReference - displayBytes(1, "Squeezed block", data, 
laneCount*SnP_laneLengthInBytes); - #endif - data += laneCount*SnP_laneLengthInBytes; - dataByteLen -= laneCount*SnP_laneLengthInBytes; - processed += laneCount*SnP_laneLengthInBytes; - } - return processed; -} - -size_t SnP_FBWL_Wrap_Default(void *state, unsigned int laneCount, const unsigned char *dataIn, unsigned char *dataOut, size_t dataByteLen, unsigned char trailingBits) -{ - size_t processed = 0; - - while(dataByteLen >= laneCount*SnP_laneLengthInBytes) { - SnP_XORBytes(state, dataIn, 0, laneCount*SnP_laneLengthInBytes); - SnP_ExtractBytes(state, dataOut, 0, laneCount*SnP_laneLengthInBytes); - SnP_XORBytes(state, &trailingBits, laneCount*SnP_laneLengthInBytes, 1); - SnP_Permute(state); - dataIn += laneCount*SnP_laneLengthInBytes; - dataOut += laneCount*SnP_laneLengthInBytes; - dataByteLen -= laneCount*SnP_laneLengthInBytes; - processed += laneCount*SnP_laneLengthInBytes; - } - return processed; -} - -size_t SnP_FBWL_Unwrap_Default(void *state, unsigned int laneCount, const unsigned char *dataIn, unsigned char *dataOut, size_t dataByteLen, unsigned char trailingBits) -{ - size_t processed = 0; - - if (dataIn != dataOut) - memcpy(dataOut, dataIn, dataByteLen); - while(dataByteLen >= laneCount*SnP_laneLengthInBytes) { - SnP_ExtractAndXORBytes(state, dataOut, 0, laneCount*SnP_laneLengthInBytes); - SnP_XORBytes(state, dataOut, 0, laneCount*SnP_laneLengthInBytes); - SnP_XORBytes(state, &trailingBits, laneCount*SnP_laneLengthInBytes, 1); - SnP_Permute(state); - dataIn += laneCount*SnP_laneLengthInBytes; - dataOut += laneCount*SnP_laneLengthInBytes; - dataByteLen -= laneCount*SnP_laneLengthInBytes; - processed += laneCount*SnP_laneLengthInBytes; - } - return processed; -}
ext/sha3/Reference/SnP-FBWL-default.h+0 −26 removed@@ -1,26 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#ifndef _SnP_FBWL_Default_h_ -#define _SnP_FBWL_Default_h_ - -#include <string.h> - -size_t SnP_FBWL_Absorb_Default(void *state, unsigned int laneCount, const unsigned char *data, size_t dataByteLen, unsigned char trailingBits); -size_t SnP_FBWL_Squeeze_Default(void *state, unsigned int laneCount, unsigned char *data, size_t dataByteLen); -size_t SnP_FBWL_Wrap_Default(void *state, unsigned int laneCount, const unsigned char *dataIn, unsigned char *dataOut, size_t dataByteLen, unsigned char trailingBits); -size_t SnP_FBWL_Unwrap_Default(void *state, unsigned int laneCount, const unsigned char *dataIn, unsigned char *dataOut, size_t dataByteLen, unsigned char trailingBits); - -#endif
ext/sha3/Reference/SnP-interface.h+0 −42 removed@@ -1,42 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#ifndef _SnP_Interface_h_ -#define _SnP_Interface_h_ - -#include "KeccakF-1600-interface.h" -#include "SnP-FBWL-default.h" - -#define SnP_width KeccakF_width -#define SnP_stateSizeInBytes KeccakF_stateSizeInBytes -#define SnP_laneLengthInBytes KeccakF_laneInBytes -#define SnP_laneCount 25 - -#define SnP_StaticInitialize KeccakF1600_Initialize -#define SnP_Initialize KeccakF1600_StateInitialize -#define SnP_XORBytes KeccakF1600_StateXORBytes -#define SnP_OverwriteBytes KeccakF1600_StateOverwriteBytes -#define SnP_OverwriteWithZeroes KeccakF1600_StateOverwriteWithZeroes -#define SnP_ComplementBit KeccakF1600_StateComplementBit -#define SnP_Permute KeccakF1600_StatePermute -#define SnP_ExtractBytes KeccakF1600_StateExtractBytes -#define SnP_ExtractAndXORBytes KeccakF1600_StateExtractAndXORBytes - -#define SnP_FBWL_Absorb SnP_FBWL_Absorb_Default -#define SnP_FBWL_Squeeze SnP_FBWL_Squeeze_Default -#define SnP_FBWL_Wrap SnP_FBWL_Wrap_Default -#define SnP_FBWL_Unwrap SnP_FBWL_Unwrap_Default - -#endif
ext/sha3/SnP-Relaned.h+0 −249 removed@@ -1,249 +0,0 @@ -/* -Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, -Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby -denoted as "the implementer". - -For more information, feedback or questions, please refer to our websites: -http://keccak.noekeon.org/ -http://keyak.noekeon.org/ -http://ketje.noekeon.org/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#ifndef _SnP_Relaned_h_ -#define _SnP_Relaned_h_ - -/** Function to XOR data given as bytes into the state. - * The bits to modify are restricted to be consecutive and to be in the same lane. - * The bit positions that are affected by this function are - * from @a lanePosition*(lane size in bits) + @a offset*8 - * to @a lanePosition*(lane size in bits) + @a offset*8 + @a length*8. - * (The bit positions, the x,y,z coordinates and their link are defined in the "Keccak reference".) - * @param state Pointer to the state. - * @param lanePosition Index of the lane to be modified (x+5*y, - * or bit position divided by the lane size). - * @param data Pointer to the input data. - * @param offset Offset in bytes within the lane. - * @param length Number of bytes. - * @pre 0 ≤ @a lanePosition < 25 - * @pre 0 ≤ @a offset < (lane size in bytes) - * @pre 0 ≤ @a offset + @a length ≤ (lane size in bytes) - */ -void SnP_XORBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length); - -/** Function to XOR data given as bytes into the state. - * The bits to modify are restricted to start from the bit position 0 and - * to span a whole number of lanes. - * @param state Pointer to the state. - * @param data Pointer to the input data. 
- * @param laneCount The number of lanes, i.e., the length of the data - * divided by the lane size. - * @pre 0 ≤ @a laneCount ≤ 25 - */ -void SnP_XORLanes(void *state, const unsigned char *data, unsigned int laneCount); - -/** Function to overwrite data given as bytes into the state. - * The bits to modify are restricted to be consecutive and to be in the same lane. - * The bit positions that are affected by this function are - * from @a lanePosition*(lane size in bits) + @a offset*8 - * to @a lanePosition*(lane size in bits) + @a offset*8 + @a length*8. - * (The bit positions, the x,y,z coordinates and their link are defined in the "Keccak reference".) - * @param state Pointer to the state. - * @param lanePosition Index of the lane to be modified (x+5*y, - * or bit position divided by the lane size). - * @param data Pointer to the input data. - * @param offset Offset in bytes within the lane. - * @param length Number of bytes. - * @pre 0 ≤ @a lanePosition < 25 - * @pre 0 ≤ @a offset < (lane size in bytes) - * @pre 0 ≤ @a offset + @a length ≤ (lane size in bytes) - */ -void SnP_OverwriteBytesInLane(void *state, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length); - -/** Function to overwrite data given as bytes into the state. - * The bits to modify are restricted to start from the bit position 0 and - * to span a whole number of lanes. - * @param state Pointer to the state. - * @param data Pointer to the input data. - * @param laneCount The number of lanes, i.e., the length of the data - * divided by the lane size. - * @pre 0 ≤ @a laneCount ≤ 25 - */ -void SnP_OverwriteLanes(void *state, const unsigned char *data, unsigned int laneCount); - -/** Function to retrieve data from the state into bytes. - * The bits to output are restricted to be consecutive and to be in the same lane. 
- * The bit positions that are retrieved by this function are - * from @a lanePosition*(lane size in bits) + @a offset*8 - * to @a lanePosition*(lane size in bits) + @a offset*8 + @a length*8. - * (The bit positions, the x,y,z coordinates and their link are defined in the "Keccak reference".) - * @param state Pointer to the state. - * @param lanePosition Index of the lane to be read (x+5*y, - * or bit position divided by the lane size). - * @param data Pointer to the area where to store output data. - * @param offset Offset in byte within the lane. - * @param length Number of bytes. - * @pre 0 ≤ @a lanePosition < 25 - * @pre 0 ≤ @a offset < (lane size in bytes) - * @pre 0 ≤ @a offset + @a length ≤ (lane size in bytes) - */ -void SnP_ExtractBytesInLane(const void *state, unsigned int lanePosition, unsigned char *data, unsigned int offset, unsigned int length); - -/** Function to retrieve data from the state into bytes. - * The bits to output are restricted to start from the bit position 0 and - * to span a whole number of lanes. - * @param state Pointer to the state. - * @param data Pointer to the area where to store output data. - * @param laneCount The number of lanes, i.e., the length of the data - * divided by the lane size. - * @pre 0 ≤ @a laneCount ≤ 25 - */ -void SnP_ExtractLanes(const void *state, unsigned char *data, unsigned int laneCount); - -/** Function to retrieve data from the state into bytes and - * to XOR them into the output buffer. - * The bits to output are restricted to be consecutive and to be in the same lane. - * The bit positions that are retrieved by this function are - * from @a lanePosition*(lane size in bits) + @a offset*8 - * to @a lanePosition*(lane size in bits) + @a offset*8 + @a length*8. - * (The bit positions, the x,y,z coordinates and their link are defined in the "Keccak reference".) - * @param state Pointer to the state. - * @param lanePosition Index of the lane to be read (x+5*y, - * or bit position divided by the lane size). 
- * @param data Pointer to the area where to XOR output data. - * @param offset Offset in byte within the lane. - * @param length Number of bytes. - * @pre 0 ≤ @a lanePosition < 25 - * @pre 0 ≤ @a offset < (lane size in bytes) - * @pre 0 ≤ @a offset + @a length ≤ (lane size in bytes) - */ -void SnP_ExtractAndXORBytesInLane(const void *state, unsigned int lanePosition, unsigned char *data, unsigned int offset, unsigned int length); - -/** Function to retrieve data from the state into bytes and - * to XOR them into the output buffer. - * The bits to output are restricted to start from the bit position 0 and - * to span a whole number of lanes. - * @param state Pointer to the state. - * @param data Pointer to the area where to XOR output data. - * @param laneCount The number of lanes, i.e., the length of the data - * divided by the lane size. - * @pre 0 ≤ @a laneCount ≤ 25 - */ -void SnP_ExtractAndXORLanes(const void *state, unsigned char *data, unsigned int laneCount); - -#define SnP_XORBytes(state, data, offset, length) \ - { \ - if ((offset) == 0) { \ - SnP_XORLanes(state, data, (length)/SnP_laneLengthInBytes); \ - SnP_XORBytesInLane(state, \ - (length)/SnP_laneLengthInBytes, \ - (data)+((length)/SnP_laneLengthInBytes)*SnP_laneLengthInBytes, \ - 0, \ - (length)%SnP_laneLengthInBytes); \ - } \ - else { \ - unsigned int _sizeLeft = (length); \ - unsigned int _lanePosition = (offset)/SnP_laneLengthInBytes; \ - unsigned int _offsetInLane = (offset)%SnP_laneLengthInBytes; \ - const unsigned char *_curData = (data); \ - while(_sizeLeft > 0) { \ - unsigned int _bytesInLane = SnP_laneLengthInBytes - _offsetInLane; \ - if (_bytesInLane > _sizeLeft) \ - _bytesInLane = _sizeLeft; \ - SnP_XORBytesInLane(state, _lanePosition, _curData, _offsetInLane, _bytesInLane); \ - _sizeLeft -= _bytesInLane; \ - _lanePosition++; \ - _offsetInLane = 0; \ - _curData += _bytesInLane; \ - } \ - } \ - } - -#define SnP_OverwriteBytes(state, data, offset, length) \ - { \ - if ((offset) == 0) { \ - 
SnP_OverwriteLanes(state, data, (length)/SnP_laneLengthInBytes); \ - SnP_OverwriteBytesInLane(state, \ - (length)/SnP_laneLengthInBytes, \ - (data)+((length)/SnP_laneLengthInBytes)*SnP_laneLengthInBytes, \ - 0, \ - (length)%SnP_laneLengthInBytes); \ - } \ - else { \ - unsigned int _sizeLeft = (length); \ - unsigned int _lanePosition = (offset)/SnP_laneLengthInBytes; \ - unsigned int _offsetInLane = (offset)%SnP_laneLengthInBytes; \ - const unsigned char *_curData = (data); \ - while(_sizeLeft > 0) { \ - unsigned int _bytesInLane = SnP_laneLengthInBytes - _offsetInLane; \ - if (_bytesInLane > _sizeLeft) \ - _bytesInLane = _sizeLeft; \ - SnP_OverwriteBytesInLane(state, _lanePosition, _curData, _offsetInLane, _bytesInLane); \ - _sizeLeft -= _bytesInLane; \ - _lanePosition++; \ - _offsetInLane = 0; \ - _curData += _bytesInLane; \ - } \ - } \ - } - -#define SnP_ExtractBytes(state, data, offset, length) \ - { \ - if ((offset) == 0) { \ - SnP_ExtractLanes(state, data, (length)/SnP_laneLengthInBytes); \ - SnP_ExtractBytesInLane(state, \ - (length)/SnP_laneLengthInBytes, \ - (data)+((length)/SnP_laneLengthInBytes)*SnP_laneLengthInBytes, \ - 0, \ - (length)%SnP_laneLengthInBytes); \ - } \ - else { \ - unsigned int _sizeLeft = (length); \ - unsigned int _lanePosition = (offset)/SnP_laneLengthInBytes; \ - unsigned int _offsetInLane = (offset)%SnP_laneLengthInBytes; \ - unsigned char *_curData = (data); \ - while(_sizeLeft > 0) { \ - unsigned int _bytesInLane = SnP_laneLengthInBytes - _offsetInLane; \ - if (_bytesInLane > _sizeLeft) \ - _bytesInLane = _sizeLeft; \ - SnP_ExtractBytesInLane(state, _lanePosition, _curData, _offsetInLane, _bytesInLane); \ - _sizeLeft -= _bytesInLane; \ - _lanePosition++; \ - _offsetInLane = 0; \ - _curData += _bytesInLane; \ - } \ - } \ - } - -#define SnP_ExtractAndXORBytes(state, data, offset, length) \ - { \ - if ((offset) == 0) { \ - SnP_ExtractAndXORLanes(state, data, (length)/SnP_laneLengthInBytes); \ - SnP_ExtractAndXORBytesInLane(state, \ - 
(length)/SnP_laneLengthInBytes, \ - (data)+((length)/SnP_laneLengthInBytes)*SnP_laneLengthInBytes, \ - 0, \ - (length)%SnP_laneLengthInBytes); \ - } \ - else { \ - unsigned int _sizeLeft = (length); \ - unsigned int _lanePosition = (offset)/SnP_laneLengthInBytes; \ - unsigned int _offsetInLane = (offset)%SnP_laneLengthInBytes; \ - unsigned char *_curData = (data); \ - while(_sizeLeft > 0) { \ - unsigned int _bytesInLane = SnP_laneLengthInBytes - _offsetInLane; \ - if (_bytesInLane > _sizeLeft) \ - _bytesInLane = _sizeLeft; \ - SnP_ExtractAndXORBytesInLane(state, _lanePosition, _curData, _offsetInLane, _bytesInLane); \ - _sizeLeft -= _bytesInLane; \ - _lanePosition++; \ - _offsetInLane = 0; \ - _curData += _bytesInLane; \ - } \ - } \ - } - -#endif
fdc6fef075f4 Fix integer overflows (fixes #105)
4 files changed · +28 −12
lib/high/Keccak/KeccakDuplex.inc+12 −2 modified@@ -58,6 +58,8 @@ int Duplexing(DuplexInstance *instance, const unsigned char *sigmaBegin, unsigne if (delimitedSigmaEnd == 0) return 1; + if (sigmaBeginByteLen > rho_max/8) + return 1; if ((instance->byteInputIndex+sigmaBeginByteLen)*8 > rho_max) return 1; if (rho_max - sigmaBeginByteLen*8 < 7) { @@ -102,6 +104,8 @@ int DuplexingFeedPartialInput(DuplexInstance *instance, const unsigned char *inp { const unsigned int rho_max = instance->rate - 2; + if (inputByteLen > rho_max/8) + return 1; if ((instance->byteInputIndex+inputByteLen)*8 > rho_max) return 1; @@ -114,6 +118,8 @@ int DuplexingFeedZeroes(DuplexInstance *instance, unsigned int inputByteLen) { const unsigned int rho_max = instance->rate - 2; + if (inputByteLen > rho_max/8) + return 1; if ((instance->byteInputIndex+inputByteLen)*8 > rho_max) return 1; @@ -125,6 +131,8 @@ int DuplexingOverwritePartialInput(DuplexInstance *instance, const unsigned char { const unsigned int rho_max = instance->rate - 2; + if (inputByteLen > rho_max/8) + return 1; if ((instance->byteInputIndex+inputByteLen)*8 > rho_max) return 1; @@ -137,6 +145,8 @@ int DuplexingOverwriteWithZeroes(DuplexInstance *instance, unsigned int inputByt { const unsigned int rho_max = instance->rate - 2; + if (inputByteLen > rho_max/8) + return 1; if ((instance->byteInputIndex != 0) || (inputByteLen*8 > rho_max)) return 1; @@ -148,7 +158,7 @@ int DuplexingOverwriteWithZeroes(DuplexInstance *instance, unsigned int inputByt int DuplexingGetFurtherOutput(DuplexInstance *instance, unsigned char *output, unsigned int outputByteLen) { - if ((outputByteLen+instance->byteOutputIndex) > (instance->rate+7)/8) + if (outputByteLen > (instance->rate+7)/8 - instance->byteOutputIndex) return 1; /* The output length must not be greater than the rate (rounded up to a byte) */ SnP_ExtractBytes(instance->state, output, instance->byteOutputIndex, outputByteLen); 
@@ -162,7 +172,7 @@ int DuplexingGetFurtherOutput(DuplexInstance *instance, unsigned char *output, u int DuplexingGetFurtherOutputAndAdd(DuplexInstance *instance, const unsigned char *input, unsigned char *output, unsigned int outputByteLen) { - if ((outputByteLen+instance->byteOutputIndex) > (instance->rate+7)/8) + if (outputByteLen > (instance->rate+7)/8 - instance->byteOutputIndex) return 1; /* The output length must not be greater than the rate (rounded up to a byte) */ SnP_ExtractAndAddBytes(instance->state, input, output, instance->byteOutputIndex, outputByteLen);
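Review bot: the new `sigmaBeginByteLen > rho_max/8` and `inputByteLen > rho_max/8` pre-checks in Duplexing, DuplexingFeedPartialInput, DuplexingFeedZeroes, DuplexingOverwritePartialInput and DuplexingOverwriteWithZeroes are what make the existing `(instance->byteInputIndex+sigmaBeginByteLen)*8 > rho_max` and `inputByteLen*8 > rho_max` comparisons sound: once the byte length is bounded by `rho_max/8`, the multiplication by 8 can no longer wrap in unsigned int and let an oversized length through. Because the same two-line guard is repeated five times with no explanation, a comment on the first occurrence stating that the `*8` would otherwise overflow would stop a later cleanup from removing it as "redundant". In DuplexingGetFurtherOutput and DuplexingGetFurtherOutputAndAdd the rewritten `outputByteLen > (instance->rate+7)/8 - instance->byteOutputIndex` removes the addition that could wrap, but the unsigned subtraction is itself only safe while `byteOutputIndex <= (rate+7)/8`; that invariant deserves an assert or a comment beside the check.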
lib/high/Keccak/KeccakSponge.inc+8 −6 modified@@ -161,7 +161,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat i = 0; curData = data; while(i < dataByteLen) { - if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { + if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { #ifdef SnP_FastLoop_Absorb /* processing full blocks first */ if ((rateInBytes % (SnP_width/200)) == 0) { @@ -187,9 +187,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat } else { /* normal lane: using the message queue */ - partialBlock = (unsigned int)(dataByteLen - i); - if (partialBlock+instance->byteIOIndex > rateInBytes) + if (dataByteLen-i > rateInBytes-instance->byteIOIndex) partialBlock = rateInBytes-instance->byteIOIndex; + else + partialBlock = (unsigned int)(dataByteLen - i); #ifdef KeccakReference displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); #endif @@ -264,7 +265,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte i = 0; curData = data; while(i < dataByteLen) { - if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { + if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { SnP_Permute(instance->state); SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); @@ -281,9 +282,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte SnP_Permute(instance->state); instance->byteIOIndex = 0; } - partialBlock = (unsigned int)(dataByteLen - i); - if (partialBlock+instance->byteIOIndex > rateInBytes) + if (dataByteLen-i > rateInBytes-instance->byteIOIndex) partialBlock = rateInBytes-instance->byteIOIndex; + else + partialBlock = (unsigned int)(dataByteLen - i); i += partialBlock; SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
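Review bot: moving the comparison ahead of the narrowing cast is the essential part of this hunk. Before, `partialBlock = (unsigned int)(dataByteLen - i)` truncated a size_t, and `partialBlock+instance->byteIOIndex` was evaluated in unsigned int, so for a large remaining length the sum wrapped, the `> rateInBytes` test passed, and an oversized `partialBlock` reached SnP_AddBytes/SnP_ExtractBytes at offset `instance->byteIOIndex`. Now `dataByteLen-i > rateInBytes-instance->byteIOIndex` is evaluated in size_t and the cast only happens in the else branch, where the value is already known to fit. Two points worth a comment in the code: the right-hand side is an unsigned subtraction that assumes `byteIOIndex <= rateInBytes` (in SpongeSqueeze the preceding `instance->byteIOIndex = 0` after the permutation is what keeps that true), and the loop-head rewrite `dataByteLen-i >= rateInBytes` assumes `i <= dataByteLen`, which the enclosing `while(i < dataByteLen)` guarantees.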
lib/high/Keccak/PRG/KeccakPRG.inc+1 −1 modified@@ -54,7 +54,7 @@ int SpongePRG_Feed(SpongePRG_Instance *instance, const unsigned char *input, uns unsigned int rhoInBytes = (instance->duplex.rate-2)/8; int error = 0; - while( !error && ((DuplexGetInputIndex(&instance->duplex) + inputByteLen) >= rhoInBytes)) { + while( !error && (inputByteLen >= rhoInBytes - DuplexGetInputIndex(&instance->duplex))) { unsigned int localSize = rhoInBytes - DuplexGetInputIndex(&instance->duplex); error |= DuplexingFeedPartialInput(&instance->duplex, input, localSize); error |= Duplexing(&instance->duplex, 0, 0, 0, 0, 0x01);
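Review bot: the loop condition `inputByteLen >= rhoInBytes - DuplexGetInputIndex(&instance->duplex)` trades an addition that could wrap for a subtraction that is safe only while `DuplexGetInputIndex(...) <= rhoInBytes`. Since the very next line computes the same difference into `localSize`, consider hoisting `localSize` out and testing `inputByteLen >= localSize` instead; that removes the duplicated expression, evaluates the invariant once per iteration, and gives a single place to document it.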
lib/high/Ketje/Ketjev2.inc+7 −3 modified@@ -41,6 +41,10 @@ int Ketje_Initialize(Ketje_Instance *instance, const unsigned char *key, unsigne unsigned int keyPackSizeInBits; keyPackSizeInBits = 8*((keySizeInBits+16)/8); + if (keyPackSizeInBits > SnP_width) + return 1; + if (nonceSizeInBits > SnP_width) + return 1; if ( (keyPackSizeInBits + nonceSizeInBits + 2) > SnP_width) return 1; @@ -87,7 +91,7 @@ int Ketje_FeedAssociatedData(Ketje_Instance *instance, const unsigned char *data if ((instance->phase & Ketje_Phase_FeedingAssociatedData) == 0) return 1; - if ( (instance->dataRemainderSize + dataSizeInBytes) > Ketje_BlockSize ) + if ( dataSizeInBytes > Ketje_BlockSize - instance->dataRemainderSize ) { if (instance->dataRemainderSize != 0) { @@ -127,7 +131,7 @@ int Ketje_WrapPlaintext(Ketje_Instance *instance, const unsigned char *plaintext if ( (instance->phase & Ketje_Phase_Wrapping) == 0) return 1; - if ( (instance->dataRemainderSize + dataSizeInBytes) > Ketje_BlockSize ) + if ( dataSizeInBytes > Ketje_BlockSize - instance->dataRemainderSize ) { /* More than a block */ if (instance->dataRemainderSize != 0) @@ -181,7 +185,7 @@ int Ketje_UnwrapCiphertext(Ketje_Instance *instance, const unsigned char *cipher if ( (instance->phase & Ketje_Phase_Unwrapping) == 0) return 1; - if ( (instance->dataRemainderSize + dataSizeInBytes) > Ketje_BlockSize ) + if ( dataSizeInBytes > Ketje_BlockSize - instance->dataRemainderSize ) { /* More than a block */ if (instance->dataRemainderSize != 0)
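Review bot: in Ketje_Initialize the two new checks keep `keyPackSizeInBits + nonceSizeInBits + 2` from wrapping, but `keyPackSizeInBits = 8*((keySizeInBits+16)/8)` is still computed before any check runs; if `keySizeInBits` is an unsigned int, as the truncated signature suggests, a value close to its maximum makes `keySizeInBits+16` wrap to a small number that then satisfies `keyPackSizeInBits > SnP_width` trivially. Checking `keySizeInBits` against SnP_width before the computation would close that remaining gap. The three `dataSizeInBytes > Ketje_BlockSize - instance->dataRemainderSize` rewrites in Ketje_FeedAssociatedData, Ketje_WrapPlaintext and Ketje_UnwrapCiphertext follow the same pattern as the rest of the patch and rely on `dataRemainderSize <= Ketje_BlockSize` to keep the unsigned subtraction from wrapping; one comment stating that invariant would be enough.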
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6w4m-2xhg-2658 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-37454 (ghsa, ADVISORY)
- csrc.nist.gov/projects/hash-functions/sha-3-project (ghsa, WEB)
- eprint.iacr.org/2023/331 (ghsa, WEB)
- github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a (ghsa, WEB)
- github.com/XKCP/XKCP/issues/105 (ghsa, WEB)
- github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658 (ghsa, WEB)
- github.com/johanns/sha3/commit/5f2e8118a62831911703c8753ff2435c3b5d7312 (ghsa, WEB)
- github.com/johanns/sha3/issues/17 (ghsa, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/sha3/CVE-2022-37454.yml (ghsa, WEB)
- github.com/tiran/pysha3/issues/29 (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2022/10/msg00041.html (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2022/11/msg00000.html (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4 (ghsa, WEB)
- mouha.be/sha-3-buffer-overflow (ghsa, WEB)
- news.ycombinator.com/item (ghsa, WEB)
- security.gentoo.org/glsa/202305-02 (ghsa, WEB)
- www.debian.org/security/2022/dsa-5267 (ghsa, WEB)
- www.debian.org/security/2022/dsa-5269 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ (mitre)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4 (mitre)
- mouha.be/sha-3-buffer-overflow (mitre)