/*
-----------------------------------------------------------------
Software implementation of a 1024-bit hash.  A candidate for being
a candidate for the NIST SHA-3 cryptographic hash competition.

Bits are arranged in an 8x8 grid of 16-bit chunks.  A round (perm())
consists of applying a 16-bit permutation to each chunk, then 
rotating each of the 16 bit positions by different amounts through 
the 64 chunks.  The rotates are chosen so 2 bits each are shifted 
up by 0..7 and left by 0..7.

The nonlinear mix of 16-bit chunks is actually an 8-bit permutation 
applied to the even bits and again to the odd bits, with the 16 bits 
shuffled at the end.  This is 5 NAND-gates deep.  6 of the 16 bits
implement a^b^c^d, and can be inverted and still be implemented 5 
NAND-gates deep.  Symmetry is broken by inverting different subsets
of these 6 bits in each of the 64 chunks.  Symmetry breaking is done
in software by XORing constants.

The 64 16-bit permutations are actually 128 8-bit permutations.  All
128 8-bit permutations could be done at once with SSE instructions, 
but I'm only using 64-bit registers here.  It takes 8 rounds forward 
or 7 rounds backwards for all bits to be affected by all one-bit 
deltas for nearly-zero states.  (7 forward or 6 backwards for random 
states.)  

I'll take a leap of faith and say that twice forward + backward
avalanche, 30 rounds that is, is enough to thwart cryptanalysis,
providing there are no self-referential differentials.  This is done
by combining a block every 3 rounds.  Each block is combined four 
times, at offsets i, i+12-5(i%3), i+28-5((i+2)%3), and i+31.  
A round is applied to each input before the last two combines, to 
muddy linear algebra on how blocks are combined.  Brute-force search 
said that all sets of 8 variables or less require at least 30 rounds 
of differentials that way.

(by Bob Jenkins, July 27 2008, public domain)
-----------------------------------------------------------------
*/

#include <stdio.h>
#include <stddef.h>
#include <windows.h>
#include <emmintrin.h>

typedef unsigned long  u4;
typedef unsigned long long u8;

#define LEN 16     /* number of 8-byte values per block */

#define ROWS 8
#define COLS 8

#define ROUNDS 20000

/* apply the 8-bit permutation to the even bits */
static void eight( u8 *x, u8 *y)
{
  u8 a0,a1,a2,a3,a4,a5,a6,a7,b8,b9,b10,b11,b12,b13,b14,b15;
  a1 = x[2];
  a7 = x[14];
  b8 = a1 ^ a7;
  a0 = x[0];
  a3 = x[6];
  a5 = x[10];
  y[8] = ((b8 & ((a0 &  ~a5) | (a3 & ~a0))) | 
	  ~(b8 | (a0 ^ a5)));
  b9 = a3 ^ a5;
  b10 = b9 ^ a0;
  y[2] = b10 ^ a1;
  a2 = x[4];
  y[14] = b10 ^ a2;
  a4 = x[8];
  b11 = a2 ^ a4;
  y[6] = b9 ^ b11;
  a6 = x[12];
  b12 = a1 & a6;
  b13 = a1 ^ a6;
  b14 = a0 ^ a4;
  y[4] = ((b14 & b13) | 
	  ~(b14 | ((a1 | a7) & ~b12)));
  y[12] = ((b13 & ((a2 & ~a4) | (a7 & ~(a1 & a4)))) | 
	  ~(b13 | ((a2 | a7) & ~(a2 & a4))));
  b15 = a1 & a7;
  y[10] = ((b11 & b8) | 
	   (~b11 & (b15 | (a6 & ~a7))));
  y[0] = ((b13 & ~(~(a2 & ~a7) & (b15 | a4))) | 
	  (~(~b12 & (a1 | (a4 & a6))) & ((a2 & a7) | (a4 & ~a2))));
}


static void eightSSE(__m128i *x, __m128i *y)
{
  __m128i a0,a1,a2,a3,a4,a5,a6,a7,b9,b10;
  a0 = _mm_load_si128((void *)&x[0]);
  a1 = _mm_load_si128((void *)&x[1]);
  a2 = _mm_load_si128((void *)&x[2]);
  a3 = _mm_load_si128((void *)&x[3]);
  a4 = _mm_load_si128((void *)&x[4]);
  a5 = _mm_load_si128((void *)&x[5]);
  a6 = _mm_load_si128((void *)&x[6]);
  a7 = _mm_load_si128((void *)&x[7]);

  /* y[2] */
  b9 = _mm_andnot_si128(a1, _mm_andnot_si128(a7, _mm_set_epi32(0xffffffff,
							       0xffffffff,
							       0xffffffff,
							       0xffffffff)));
  b10 = _mm_andnot_si128(_mm_xor_si128(a0,a4),
			 _mm_or_si128(b9,
				      _mm_and_si128(a1, a6)));

  _mm_storeu_si128((void *)&y[2],
		   _mm_or_si128(_mm_and_si128(_mm_xor_si128(a0,a4),
					      _mm_xor_si128(a1, a6)),
				b10));

  /* y[6] */
  b9 = _mm_andnot_si128(_mm_or_si128(_mm_xor_si128(a1, a6),
				     _mm_andnot_si128(_mm_and_si128(a2,a4),
						      _mm_or_si128(a2,a7))),
			_mm_set_epi32(0xffffffff, 
				      0xffffffff, 
				      0xffffffff, 
				      0xffffffff));
  b10 = _mm_and_si128(_mm_xor_si128(a1, a6),
		      _mm_or_si128(_mm_andnot_si128(a4,a2),
				   _mm_andnot_si128(_mm_and_si128(a1,a4),
						    a7)));
  _mm_storeu_si128((void *)&y[6], _mm_or_si128(b9, b10));

  /* y[0] */
  b9 = _mm_andnot_si128(_mm_andnot_si128(_mm_andnot_si128(a7,a2),
					 _mm_or_si128(_mm_and_si128(a1,a7),
						      a4)),
			_mm_xor_si128(a1, a6));
  b10 = _mm_andnot_si128(_mm_andnot_si128(_mm_and_si128(a1, a6),
					  _mm_or_si128(a1,
						       _mm_and_si128(a4,a6))),
			 _mm_or_si128(_mm_and_si128(a2,a7),
				      _mm_andnot_si128(a2,a4)));
  _mm_storeu_si128((void *)&y[0], _mm_or_si128(b9,b10));

  /* y[5] */
  b9 = _mm_andnot_si128(_mm_xor_si128(a2,a4),
			_mm_or_si128(_mm_and_si128(a1,a7),
				     _mm_andnot_si128(a7,a6)));
  _mm_storeu_si128((void *)&y[5],
		   _mm_or_si128(_mm_and_si128(_mm_xor_si128(a2,a4),
					      _mm_xor_si128(a1,a7)),
				b9));

  /* y[4] */
  b9 = _mm_and_si128(_mm_xor_si128(a1,a7),
		     _mm_or_si128(_mm_andnot_si128(a5,a0),
				  _mm_andnot_si128(a0,a3)));
  b10 =	_mm_andnot_si128(_mm_or_si128(_mm_xor_si128(a1,a7),
				      _mm_xor_si128(a0,a5)),
			 _mm_set_epi32(0xffffffff, 
				       0xffffffff, 
				       0xffffffff, 
				       0xffffffff));
  _mm_storeu_si128((void *)&y[4], _mm_or_si128(b9, b10));

  /* y[1] */
  _mm_storeu_si128((void *)&y[1], 
		   _mm_xor_si128(_mm_xor_si128(_mm_xor_si128(a3, a5),
					       a0),
				 _mm_xor_si128(a1,
					       _mm_set_epi32(0x82ed31eb, 
							     0x138e02ef, 
							     0x18f8aa72, 
							     0x369b75c2))));

  /* y[3] */
  _mm_storeu_si128((void *)&y[3], 
		   _mm_xor_si128(_mm_xor_si128(a2,a4),
				 _mm_xor_si128(_mm_xor_si128(a3, a5),
					       _mm_set_epi32(0x5fe101ed,
							     0x66fc3130,
							     0x337b824a,
							     0xab77201f))));

  /* y[7] */
  b9 = _mm_xor_si128(_mm_set_epi32(0x1019906d, 
				   0xca58dffb,
				   0x60bd5131,
				   0x5e37b49c),
		     _mm_xor_si128(_mm_xor_si128(a3, a5),
				   a0));

  _mm_storeu_si128((void *)&y[7], _mm_xor_si128(a2, b9));

}


static int shift[LEN] = {56,38,43,1,22,48,41,35,15,13,52,2,28,31,18,61};
static int map[LEN] = {4,0,6,10,8,2,14,1,3,12,9,11,13,5,15,7};

/* one permutation of the internal state */
static void perm(u8 *x)
{
  int i;
  __m128i y2[LEN/2];
  u8 *y = (u8 *)y2;

  /* do 128 8-bit permutations */
  eightSSE((__m128i *)x, (__m128i *)y);

  /* shuffle and rotate the 16 output bits among the 64 chunks */
  x[ 4] = (y[0] << 22) | (y[0] >> 42);
  x[ 0] = (y[1] << 56) | (y[1] >>  8);
  x[ 6] = (y[2] << 41) | (y[2] >> 23);
  x[10] = (y[3] << 52) | (y[3] >> 12);
  x[ 8] = (y[4] << 15) | (y[4] >> 49);
  x[ 2] = (y[5] << 43) | (y[5] >> 21);
  x[14] = (y[6] << 18) | (y[6] >> 46);
  x[ 1] = (y[7] << 38) | (y[7] >> 26);
  x[ 3] = (y[8] <<  1) | (y[8] >> 63);
  x[12] = (y[9] << 28) | (y[9] >> 36);
  x[ 9] = (y[10]<< 13) | (y[10]>> 51);
  x[11] = (y[11]<<  2) | (y[11]>> 62);
  x[13] = (y[12]<< 31) | (y[12]>> 33);
  x[ 5] = (y[13]<< 48) | (y[13]>> 16);
  x[15] = (y[14]<< 61) | (y[14]>>  3);
  x[ 7] = (y[15]<< 35) | (y[15]>> 29);
}

static int unperm[256];

/* the inverse of eight(x,y) */
static void uneight(u8 *y, u8 *x)
{
  int i, j;
  for (i=0; i<LEN/2; ++i) {
    x[2*i] = 0;
  }
  for (i=0; i<64; ++i) {
    int z = 0;
    for (j=0; j<LEN/2; ++j) {
      if (y[2*j] & (((u8)1)<<i)) {
	z ^= (1<<j);
      }
    }
    z = unperm[z];
    for (j=0; j<LEN/2; ++j) {
      if (z & (1<<j)) {
	x[2*j] ^= (((u8)1)<<i);
      }
    }
  }
}

/* do the inverse of one permutation of the internal state */
static void iperm(u8 x[LEN])
{
  int i;
  u8 y[LEN];

  /* unrotate the output bits */
  for (i=0; i<LEN; ++i) {
    x[i] = (x[i] >> shift[i]) ^ (x[i] << (64-shift[i]));
  }

  /* unshuffle the output bits */
  for (i=0; i<LEN; ++i) {
    y[i] = x[map[i]];
  }

  /* break symmetry among the 64 16-bit permutations */
  y[2] ^= 0x18f8aa72369b75c2LL;
  y[3] ^= 0x82ed31eb138e02efLL;
  y[6] ^= 0x337b824aab77201fLL;
  y[7] ^= 0x5fe101ed66fc3130LL;
  y[14] ^= 0x60bd51315e37b49cLL;
  y[15] ^= 0x1019906dca58dffbLL;

  /* revert the two 8-bit permutations */
  uneight(&y[1], &x[1]);
  uneight(y, x);
}


/* a random number generator, for testing, not part of the hash */
typedef struct ranctx { u4 a; u4 b; u4 c; u4 d; } ranctx;

#define rot(x,k) ((x<<k)|(x>>(32-k)))
u4 ranval( ranctx *x ) {
  u4 e = x->a - rot(x->b, 27);
  x->a = x->b ^ rot(x->c, 17);
  x->b = x->c + x->d;
  x->c = x->d + e;
  x->d = e + x->a;
  return e;
}

void show(u8 x[LEN])
{
  int i,j,k;
  for (i=0; i<ROWS; ++i) {
    for (j=0; j<COLS; ++j) {
      for (k=0; k<4; ++k) {
	printf(" %s", (x[k] & (((u8)1)<<(COLS*i+j))) ? "1" : "0");
      }
    }
    printf("\n");
    for (j=0; j<COLS; ++j) {
      for (k=8; --k>=4; ) {
	printf(" %s", (x[k] & (((u8)1)<<(COLS*i+j))) ? "1" : "0");
      }
    }
    printf("\n");
    for (j=0; j<COLS; ++j) {
      for (k=8; k<12; ++k) {
	printf(" %s", (x[k] & (((u8)1)<<(COLS*i+j))) ? "1" : "0");
      }
    }
    printf("\n");
    for (j=0; j<COLS; ++j) {
      for (k=16; --k>=12; ) {
	printf(" %s", (x[k] & (((u8)1)<<(COLS*i+j))) ? "1" : "0");
      }
    }
    printf("\n");
  }
  printf("\n");
}

void showx(float x, float *worst, int verbose)
{
  x = x/ROUNDS;
  if (x < *worst) *worst = x;
  if (verbose) printf("%3d", (int)(100*x + 0.5));
  if (1.0-x < *worst) *worst = 1.0-x;
}

float showc(float c[ROWS][COLS][LEN], int verbose)
{
  int i,j,k;
  float worst = 1.0;
  for (i=0; i<ROWS; ++i) {
    for (j=0; j<COLS; ++j) {
      for (k=0; k<4; ++k) {
	showx(c[i][j][k], &worst, verbose);
      }
      if (verbose) printf(" ");
    }
    if (verbose) printf("\n");
    for (j=0; j<COLS; ++j) {
      for (k=8; --k>=4; ) {
	showx(c[i][j][k], &worst, verbose);
      }
      if (verbose) printf(" ");
    }
    if (verbose) printf("\n");
    for (j=0; j<COLS; ++j) {
      for (k=8; k<12; ++k) {
	showx(c[i][j][k], &worst, verbose);
      }
      if (verbose) printf(" ");
    }
    if (verbose) printf("\n");
    for (j=0; j<COLS; ++j) {
      for (k=16; --k>=12; ) {
	showx(c[i][j][k], &worst, verbose);
      }
      if (verbose) printf(" ");
    }
    if (verbose) printf("\n\n");
  }
  /* printf("  worst = %f\n", worst); */
  return worst;
}

void testsse()
{
  int i, j, k;
  __m128i x2[LEN/2];
  __m128i y2[LEN/2];
  u8 *x = (u8 *)x2;
  u8 *y = (u8 *)y2;

  for (j=0; j<256; ++j) {
    for (i=0; i<LEN; ++i) {
      x[i] = 0;
    }
    for (k=0; k<8; ++k) {
      if (j&(1<<k)) x[2*k] = 1;
    }
    eightSSE((__m128i *)x, (__m128i *)y);
    for (i=0; i<LEN; ++i) {
      printf("%d ", (u4)y[i]);
    }
    printf("\n");
    
    for (i=0; i<LEN; ++i) x[i] = 0;
    for (k=0; k<8; ++k) {
      if (j&(1<<k)) x[2*k] = 1;
    }
    eight(x,y);
    eight(&x[1],&y[1]);
    for (i=0; i<LEN; ++i) {
      printf("%d ", (u4)y[i]);
    }
    printf("%d\n\n", j);
  }
}

void test(ranctx *rctx)
{
  u4 m,n,o,p,count,i,j,k;
  float val, worst = 1.0;
  float zcount = 0.0;
  __m128i x2[LEN/2];
  __m128i y2[LEN/2];
  u8 *x = (u8 *)x2;
  u8 *y = (u8 *)y2;

  /* check that eight() is the reverse of uneight() */
  for (i=0; i<LEN; ++i) {
    x[i] =  0xdeadbeefdeadbeefLL;
  }
  eight(x, y);
  uneight(y, x);
  for (i=0; i<LEN; ++i) {
    if (x[i] != 0xdeadbeefdeadbeefLL) {
      printf("eight and uneight are not inverses!\n");
      return;
    }
  }

  testsse();

  /* check that perm() is reversible and iperm() is its reverse */
  for (i=0; i<LEN; ++i) {
    x[i] = y[i] = 0xdeadbeefdeadbeefLL;
  }
  for (i=0; i<LEN; ++i) {
    perm(x);
  }
  for (i=0; i<LEN; ++i) {
    iperm(x);
  }
  for (i=0; i<LEN; ++i) {
    if (x[i] != y[i]) {
      printf("perm(x) and iperm(x) are not inverses!\n");
      return;
    }
  }

  /* see how thoroughly bit "tab[m][n] & (1<<o)" propogates */
  for (m=0; m<ROWS; ++m) {
    for (n=0; n<COLS; ++n) {
      for (o=0; o<LEN; ++o) {
	for (p=0; p<2*LEN; p++) {
	  float c[ROWS][COLS][LEN];  /* count of how many times bit flipped */
	  u4 r;  /* count # of rounds */

	  if (m != 5 || n != 7 || o != 12 || p != 0) continue;
	  /* if (m != 0) continue; */

	  /* initialize c */
	  for (i=0; i<ROWS; ++i) {
	    for (j=0; j<COLS; ++j) {
	      for (k=0; k<LEN; ++k) {
		c[i][j][k] = 0;
	      }
	    }
	  }

	  /* try r keys */
	  for (r=0; r<ROUNDS; ++r) {

	    /* initialize to a random key */
	    for (i=0; i<LEN; ++i) {
	      x[i] = y[i] = ((u8)ranval(rctx)) | (((u8)ranval(rctx))<<32);
	      /* x[i] = y[i] = (p/LEN ? ~((u8)0) : ((u8)0)); */
	    }
	    x[p%LEN] ^= ((u8)r)<<0;
	    y[p%LEN] = x[p%LEN];

	    /* start with bit [m][n][o] different */
	    y[o] ^= (((u8)1) << (COLS*m+n));

	    /* apply several rounds of the hash to both keys */
	    perm(x); perm(y);
	    perm(x); perm(y);
	    perm(x); perm(y);

	    perm(x); perm(y);
	    perm(x); perm(y);
	    perm(x); perm(y);

	    perm(x); perm(y);

	    /* measure which bits were affected */
	    for (k=0; k<LEN; ++k) {
	      u8 diff = x[k] ^ y[k];
	      for (i=0; i<ROWS; ++i) {
		for (j=0; j<COLS; ++j) {
		  if (diff & (((u8)1) << (COLS*i+j))) {
		    ++c[i][j][k];
		  }
		}
	      }
	    }
	  }

	  /* report which bits were affected */
	  val = showc(c, 1);
	  if (val == 0) {
	    ++zcount;
	  }
	  if (val < worst) {
	    worst = val;
	    printf("new worst: %f  %d %d %d %d\n", worst, m,n,o,p);
	  }
	}
      }
    }
  }
}

void set_unperm()
{
  u8 x[LEN];
  u8 y[LEN];
  int perm[256];
  int i, j;
  for (i=0; i<256; ++i) {
    for (j=0; j<8; ++j) {
      x[2*j] = (i & (1<<j)) ? 1 : 0;
    }
    eight(x, y);
    perm[i] = 0;

    for (j=0; j<8; ++j) {
      if (y[2*j] & 1) {
	perm[i] ^= (1<<j);
      }
    }
  }
  for (i=0; i<256; ++i) {
    unperm[perm[i]] = i;
  }
}

#define BYTES_PER_BLOCK (sizeof(u8)*LEN)
#define BLOCKS 32  /* blocks kept in memory at once */

#define FIRST_SECOND(i) \
    { \
      __m128i  val1 = _mm_load_si128((void *)&next[i]);		\
      __m128i *where = &first[i];				\
      __m128i  val2 = _mm_load_si128((void *)&key[i]);	       	\
      val2 = _mm_xor_si128(val2, val1);				\
      _mm_storeu_si128(where, val2);				\
      where = &second[(i+2) % (LEN/2)];				\
      val2 = _mm_load_si128(where);				\
      val2 = _mm_xor_si128(val2, val1);				\
      _mm_storeu_si128(where, val2);				\
    }

#define THIRD_FOURTH(i) \
  {							\
    __m128i  val1 = _mm_load_si128((void *)&buf[i]);	\
    __m128i *where = &third[i];				\
    __m128i  val2 = _mm_load_si128(where);		\
    val2 = _mm_xor_si128(val2, val1);			\
    _mm_storeu_si128(where, val2);			\
    where = &fourth[(i+5) % (LEN/2)];			\
    val2 = _mm_load_si128(where);			\
    val2 = _mm_xor_si128(val2, val1);			\
    _mm_storeu_si128(where, val2);			\
  }

#define DO(x) \
  x(0); x(1); x(2); x(3); x(4); x(5); x(6); x(7)

/* add the next block to the accumulators */
#define FIRST 0
#define SECOND  12
#define THIRD 28
#define FOURTH  31

static void add_to_a(
  __m128i *a[BLOCKS], /* accumulators */
  int  index,         /* which block is this? */
  __m128i *key,       /* the key to the hash */
  __m128i *next)      /* new block to be added to the hash */
{
  __m128i buf[LEN/2];
  __m128i *first  = a[(index + FIRST) % BLOCKS];
  __m128i *second = a[(index + SECOND - 5*(index%3)) % BLOCKS];
  __m128i *third  = a[(index + THIRD - 5*((index+2)%3)) % BLOCKS];
  __m128i *fourth = a[(index + FOURTH) % BLOCKS];

  DO(FIRST_SECOND);
  perm((u8 *)buf);
  DO(THIRD_FOURTH);
}

#define COMBINE(i) \
    {								\
      __m128i  val1 = _mm_load_si128((void *)&accum[i]);	\
      __m128i *where = &state[2*i];				\
      __m128i  val2 = _mm_load_si128(where);			\
      val2 = _mm_xor_si128(val2, val1);				\
      _mm_storeu_si128(where, val2);				\
    }

/* one combine */
void one_combine(
  __m128i **a, 
  int      *index, 
  __m128i  *state, 
  __m128i  *key, 
  void     *next)
{
  __m128i *accum = a[(*index + FOURTH) % BLOCKS];
  __m128i  val1;
  __m128i  val2;
  void    *where;

  /* add the current block to four accumulators */
  add_to_a(a, *index, key, (__m128i *)next);

  /* add the current accumulator (accum) to the internal state */
  DO(COMBINE);

  /* apply three rounds to the internal state */
  perm((u8 *)state);
  perm((u8 *)state);
  perm((u8 *)state);

  /* remember that we've done another combine */
  ++*index;
}

void hash(
  void  *data,    /* array of bytes to hash, align to 8-byte boundary! */
  size_t length,  /* original length of the data, in bytes */
  __m128i *key,   /* 128-byte key aligned to 16-byte boundary */
  __m128i *val)   /* 512-bit hash value */
{
  int i;
  __m128i buf[LEN/2]; /* for last data block*/
  __m128i final[LEN/2]; /* for ending the hash */
  __m128i *a[BLOCKS];  /* accumulators, to be added to the state */
  __m128i abuf[BLOCKS][LEN/2]; /* buffers for a */
  int offset = 0;        /* offset into the accumulators */
  size_t dataoff;        /* offset into the data */
  size_t stop = (length/BYTES_PER_BLOCK)*BYTES_PER_BLOCK;
  size_t len;
  __m128i *accum;
  __m128i state[LEN/2];

  /* set up the state and the accumulators */
  memset(state, '0', sizeof(state));
  memset(abuf, '0', sizeof(abuf));
  for (i=0; i<BLOCKS; ++i) {
    a[i] = abuf[i];
  }

  /* loop: handle 16 8-byte quantities at a time */
  for (dataoff = 0; dataoff < stop; dataoff += BYTES_PER_BLOCK) {
    one_combine(a, &offset, state, key, &((char *)data)[dataoff]);
  }
  if (dataoff != stop) printf("bob you have a bug\n");

  /* handle the last block */
  if (stop < length) {
    memcpy(buf, &((char *)data)[stop], length-stop);
    memset(((char *)buf)+length-stop, '0', BYTES_PER_BLOCK-(length-stop));
    one_combine(a, &offset, state, key, buf);
  }

  /* finish the hash except for the last combine */
  memset((char *)final, '0', sizeof(final));
  ((u8 *)final)[0] = len;
  for (i=1; i<FOURTH; ++i) {
    one_combine(a, &offset, state, key, final);
  }

  /* the last combine: no mixing needed after this */
  accum = a[(offset+FOURTH) % BLOCKS];
  DO(COMBINE);

  /* report the result */
  for (i=0; i<LEN/2; ++i) {
    ((u8 *)val)[i] = ((u8 *)state)[i] ^ ((u8 *)state)[i+LEN/2];
  }
}

int main()
{
  int i;
  ranctx rctx = {1,1,1,1};
  char message[] = "hi mom";
  __m128i key[LEN/2];
  __m128i val[LEN/4];
  __m128i buf[1<<12];
  u8 starttime;
  u8 endtime;

  for (i=0; i<20; ++i) ranval(&rctx);
  set_unperm();
  memset((char *)key, '0', sizeof(key));

  printf("usual chances of one bit affecting other bits after 7 rounds:\n");
  test(&rctx);
  printf("\n");

  hash(message, strlen(message), (__m128i *)key, (__m128i *)val);
  printf("length: %d, data: %s\n", strlen(message), message);
  printf("hash:\n");
  for (i=0; i<LEN; i += 2) {
    printf("%.8lx%.8lx\n", ((u4 *)val)[i], ((u4 *)val)[i+1]);
  }
  printf("\n");

  for (i=0; i<sizeof(buf)/sizeof(u8); ++i) {
    ((u8 *)buf)[i] = ranval(&rctx) + ((u8)ranval(&rctx))<<32;
  }
  printf("time for 1 billion bytes:\n");
  starttime = GetTickCount();
  for (i=0; i<(1<<14); ++i) {
    hash(buf, sizeof(buf), (__m128i *)key, (__m128i *)val);
  }
  endtime = GetTickCount();
  printf("   %d millisecond\n", endtime-starttime);
  for (i=0; i<LEN; i+=2) {
    printf("%.8lx%.8lx\n", ((u4 *)val)[i], ((u4 *)val)[i+1]);
  }
}