authorFilippo Valsorda <filippo@golang.org>2025-10-08 14:56:11 +0200
committerGopher Robot <gobot@golang.org>2025-10-22 18:01:01 -0700
commitcf29fa96f8b66328e59829f064539321159bfa5b (patch)
tree3008fb5954b723ca65d58d8fc972409b03d77c4d
parent0b7aa0cfb07b6b13ead990b67cb3cb8639871f90 (diff)
downloadgo-x-crypto-cf29fa96f8b66328e59829f064539321159bfa5b.tar.xz
sha3: make it mostly a wrapper around crypto/sha3
crypto/sha3 was introduced in Go 1.24, which is now the minimum Go version of this module. Made the hashes go:fix inline wrappers, since the new types can be used as hash.Hash directly. The SHAKE instances need a wrapper for the methods we dropped from crypto.XOF, so no go:fix inline there. Kept the generic implementation for the legacy Keccak hashes we did not bring to the standard library. We need to keep them working, but they don't need to be fast. Fixes golang/go#73681 Updates golang/go#65269 Change-Id: I6a6a69648b6353b153c70a2cec84864e64dcd61b Reviewed-on: https://go-review.googlesource.com/c/crypto/+/710115 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
-rw-r--r--sha3/_asm/go.mod15
-rw-r--r--sha3/_asm/go.sum12
-rw-r--r--sha3/_asm/keccakf_amd64_asm.go438
-rw-r--r--sha3/allocations_test.go61
-rw-r--r--sha3/doc.go66
-rw-r--r--sha3/hashes.go131
-rw-r--r--sha3/hashes_noasm.go23
-rw-r--r--sha3/keccakf_amd64.go13
-rw-r--r--sha3/keccakf_amd64.s5419
-rw-r--r--sha3/legacy_hash.go (renamed from sha3/sha3.go)49
-rw-r--r--sha3/legacy_keccakf.go (renamed from sha3/keccakf.go)6
-rw-r--r--sha3/sha3_s390x.go303
-rw-r--r--sha3/sha3_s390x.s33
-rw-r--r--sha3/sha3_test.go122
-rw-r--r--sha3/shake.go172
-rw-r--r--sha3/shake_noasm.go15
16 files changed, 136 insertions, 6742 deletions
diff --git a/sha3/_asm/go.mod b/sha3/_asm/go.mod
deleted file mode 100644
index cd16c58..0000000
--- a/sha3/_asm/go.mod
+++ /dev/null
@@ -1,15 +0,0 @@
-module sha3/_asm
-
-go 1.22
-
-require (
- github.com/mmcloughlin/avo v0.6.0
- golang.org/x/crypto v0.33.0
-)
-
-require (
- golang.org/x/mod v0.19.0 // indirect
- golang.org/x/sync v0.7.0 // indirect
- golang.org/x/sys v0.30.0 // indirect
- golang.org/x/tools v0.23.0 // indirect
-)
diff --git a/sha3/_asm/go.sum b/sha3/_asm/go.sum
deleted file mode 100644
index 6083f86..0000000
--- a/sha3/_asm/go.sum
+++ /dev/null
@@ -1,12 +0,0 @@
-github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY=
-github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
-golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
-golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
-golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
diff --git a/sha3/_asm/keccakf_amd64_asm.go b/sha3/_asm/keccakf_amd64_asm.go
deleted file mode 100644
index 78e931f..0000000
--- a/sha3/_asm/keccakf_amd64_asm.go
+++ /dev/null
@@ -1,438 +0,0 @@
-// Copyright 2024 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources at https://github.com/gvanas/KeccakCodePackage
-
-package main
-
-import (
- . "github.com/mmcloughlin/avo/build"
- . "github.com/mmcloughlin/avo/operand"
- . "github.com/mmcloughlin/avo/reg"
- _ "golang.org/x/crypto/sha3"
-)
-
-//go:generate go run . -out ../keccakf_amd64.s -pkg sha3
-
-// Round Constants for use in the ι step.
-var RoundConstants = [24]uint64{
- 0x0000000000000001,
- 0x0000000000008082,
- 0x800000000000808A,
- 0x8000000080008000,
- 0x000000000000808B,
- 0x0000000080000001,
- 0x8000000080008081,
- 0x8000000000008009,
- 0x000000000000008A,
- 0x0000000000000088,
- 0x0000000080008009,
- 0x000000008000000A,
- 0x000000008000808B,
- 0x800000000000008B,
- 0x8000000000008089,
- 0x8000000000008003,
- 0x8000000000008002,
- 0x8000000000000080,
- 0x000000000000800A,
- 0x800000008000000A,
- 0x8000000080008081,
- 0x8000000000008080,
- 0x0000000080000001,
- 0x8000000080008008,
-}
-
-var (
- // Temporary registers
- rT1 GPPhysical = RAX
-
- // Round vars
- rpState = Mem{Base: RDI}
- rpStack = Mem{Base: RSP}
-
- rDa = RBX
- rDe = RCX
- rDi = RDX
- rDo = R8
- rDu = R9
-
- rBa = R10
- rBe = R11
- rBi = R12
- rBo = R13
- rBu = R14
-
- rCa = RSI
- rCe = RBP
- rCi = rBi
- rCo = rBo
- rCu = R15
-)
-
-const (
- _ba = iota * 8
- _be
- _bi
- _bo
- _bu
- _ga
- _ge
- _gi
- _go
- _gu
- _ka
- _ke
- _ki
- _ko
- _ku
- _ma
- _me
- _mi
- _mo
- _mu
- _sa
- _se
- _si
- _so
- _su
-)
-
-func main() {
- Package("golang.org/x/crypto/sha3")
- ConstraintExpr("amd64,!purego,gc")
- keccakF1600()
- Generate()
-}
-
-func MOVQ_RBI_RCE() { MOVQ(rBi, rCe) }
-func XORQ_RT1_RCA() { XORQ(rT1, rCa) }
-func XORQ_RT1_RCE() { XORQ(rT1, rCe) }
-func XORQ_RBA_RCU() { XORQ(rBa, rCu) }
-func XORQ_RBE_RCU() { XORQ(rBe, rCu) }
-func XORQ_RDU_RCU() { XORQ(rDu, rCu) }
-func XORQ_RDA_RCA() { XORQ(rDa, rCa) }
-func XORQ_RDE_RCE() { XORQ(rDe, rCe) }
-
-type ArgMacro func()
-
-func mKeccakRound(
- iState, oState Mem,
- rc U64,
- B_RBI_RCE, G_RT1_RCA, G_RT1_RCE, G_RBA_RCU,
- K_RT1_RCA, K_RT1_RCE, K_RBA_RCU, M_RT1_RCA,
- M_RT1_RCE, M_RBE_RCU, S_RDU_RCU, S_RDA_RCA,
- S_RDE_RCE ArgMacro,
-) {
- Comment("Prepare round")
- MOVQ(rCe, rDa)
- ROLQ(Imm(1), rDa)
-
- MOVQ(iState.Offset(_bi), rCi)
- XORQ(iState.Offset(_gi), rDi)
- XORQ(rCu, rDa)
- XORQ(iState.Offset(_ki), rCi)
- XORQ(iState.Offset(_mi), rDi)
- XORQ(rDi, rCi)
-
- MOVQ(rCi, rDe)
- ROLQ(Imm(1), rDe)
-
- MOVQ(iState.Offset(_bo), rCo)
- XORQ(iState.Offset(_go), rDo)
- XORQ(rCa, rDe)
- XORQ(iState.Offset(_ko), rCo)
- XORQ(iState.Offset(_mo), rDo)
- XORQ(rDo, rCo)
-
- MOVQ(rCo, rDi)
- ROLQ(Imm(1), rDi)
-
- MOVQ(rCu, rDo)
- XORQ(rCe, rDi)
- ROLQ(Imm(1), rDo)
-
- MOVQ(rCa, rDu)
- XORQ(rCi, rDo)
- ROLQ(Imm(1), rDu)
-
- Comment("Result b")
- MOVQ(iState.Offset(_ba), rBa)
- MOVQ(iState.Offset(_ge), rBe)
- XORQ(rCo, rDu)
- MOVQ(iState.Offset(_ki), rBi)
- MOVQ(iState.Offset(_mo), rBo)
- MOVQ(iState.Offset(_su), rBu)
- XORQ(rDe, rBe)
- ROLQ(Imm(44), rBe)
- XORQ(rDi, rBi)
- XORQ(rDa, rBa)
- ROLQ(Imm(43), rBi)
-
- MOVQ(rBe, rCa)
- MOVQ(rc, rT1)
- ORQ(rBi, rCa)
- XORQ(rBa, rT1)
- XORQ(rT1, rCa)
- MOVQ(rCa, oState.Offset(_ba))
-
- XORQ(rDu, rBu)
- ROLQ(Imm(14), rBu)
- MOVQ(rBa, rCu)
- ANDQ(rBe, rCu)
- XORQ(rBu, rCu)
- MOVQ(rCu, oState.Offset(_bu))
-
- XORQ(rDo, rBo)
- ROLQ(Imm(21), rBo)
- MOVQ(rBo, rT1)
- ANDQ(rBu, rT1)
- XORQ(rBi, rT1)
- MOVQ(rT1, oState.Offset(_bi))
-
- NOTQ(rBi)
- ORQ(rBa, rBu)
- ORQ(rBo, rBi)
- XORQ(rBo, rBu)
- XORQ(rBe, rBi)
- MOVQ(rBu, oState.Offset(_bo))
- MOVQ(rBi, oState.Offset(_be))
- B_RBI_RCE()
-
- Comment("Result g")
- MOVQ(iState.Offset(_gu), rBe)
- XORQ(rDu, rBe)
- MOVQ(iState.Offset(_ka), rBi)
- ROLQ(Imm(20), rBe)
- XORQ(rDa, rBi)
- ROLQ(Imm(3), rBi)
- MOVQ(iState.Offset(_bo), rBa)
- MOVQ(rBe, rT1)
- ORQ(rBi, rT1)
- XORQ(rDo, rBa)
- MOVQ(iState.Offset(_me), rBo)
- MOVQ(iState.Offset(_si), rBu)
- ROLQ(Imm(28), rBa)
- XORQ(rBa, rT1)
- MOVQ(rT1, oState.Offset(_ga))
- G_RT1_RCA()
-
- XORQ(rDe, rBo)
- ROLQ(Imm(45), rBo)
- MOVQ(rBi, rT1)
- ANDQ(rBo, rT1)
- XORQ(rBe, rT1)
- MOVQ(rT1, oState.Offset(_ge))
- G_RT1_RCE()
-
- XORQ(rDi, rBu)
- ROLQ(Imm(61), rBu)
- MOVQ(rBu, rT1)
- ORQ(rBa, rT1)
- XORQ(rBo, rT1)
- MOVQ(rT1, oState.Offset(_go))
-
- ANDQ(rBe, rBa)
- XORQ(rBu, rBa)
- MOVQ(rBa, oState.Offset(_gu))
- NOTQ(rBu)
- G_RBA_RCU()
-
- ORQ(rBu, rBo)
- XORQ(rBi, rBo)
- MOVQ(rBo, oState.Offset(_gi))
-
- Comment("Result k")
- MOVQ(iState.Offset(_be), rBa)
- MOVQ(iState.Offset(_gi), rBe)
- MOVQ(iState.Offset(_ko), rBi)
- MOVQ(iState.Offset(_mu), rBo)
- MOVQ(iState.Offset(_sa), rBu)
- XORQ(rDi, rBe)
- ROLQ(Imm(6), rBe)
- XORQ(rDo, rBi)
- ROLQ(Imm(25), rBi)
- MOVQ(rBe, rT1)
- ORQ(rBi, rT1)
- XORQ(rDe, rBa)
- ROLQ(Imm(1), rBa)
- XORQ(rBa, rT1)
- MOVQ(rT1, oState.Offset(_ka))
- K_RT1_RCA()
-
- XORQ(rDu, rBo)
- ROLQ(Imm(8), rBo)
- MOVQ(rBi, rT1)
- ANDQ(rBo, rT1)
- XORQ(rBe, rT1)
- MOVQ(rT1, oState.Offset(_ke))
- K_RT1_RCE()
-
- XORQ(rDa, rBu)
- ROLQ(Imm(18), rBu)
- NOTQ(rBo)
- MOVQ(rBo, rT1)
- ANDQ(rBu, rT1)
- XORQ(rBi, rT1)
- MOVQ(rT1, oState.Offset(_ki))
-
- MOVQ(rBu, rT1)
- ORQ(rBa, rT1)
- XORQ(rBo, rT1)
- MOVQ(rT1, oState.Offset(_ko))
-
- ANDQ(rBe, rBa)
- XORQ(rBu, rBa)
- MOVQ(rBa, oState.Offset(_ku))
- K_RBA_RCU()
-
- Comment("Result m")
- MOVQ(iState.Offset(_ga), rBe)
- XORQ(rDa, rBe)
- MOVQ(iState.Offset(_ke), rBi)
- ROLQ(Imm(36), rBe)
- XORQ(rDe, rBi)
- MOVQ(iState.Offset(_bu), rBa)
- ROLQ(Imm(10), rBi)
- MOVQ(rBe, rT1)
- MOVQ(iState.Offset(_mi), rBo)
- ANDQ(rBi, rT1)
- XORQ(rDu, rBa)
- MOVQ(iState.Offset(_so), rBu)
- ROLQ(Imm(27), rBa)
- XORQ(rBa, rT1)
- MOVQ(rT1, oState.Offset(_ma))
- M_RT1_RCA()
-
- XORQ(rDi, rBo)
- ROLQ(Imm(15), rBo)
- MOVQ(rBi, rT1)
- ORQ(rBo, rT1)
- XORQ(rBe, rT1)
- MOVQ(rT1, oState.Offset(_me))
- M_RT1_RCE()
-
- XORQ(rDo, rBu)
- ROLQ(Imm(56), rBu)
- NOTQ(rBo)
- MOVQ(rBo, rT1)
- ORQ(rBu, rT1)
- XORQ(rBi, rT1)
- MOVQ(rT1, oState.Offset(_mi))
-
- ORQ(rBa, rBe)
- XORQ(rBu, rBe)
- MOVQ(rBe, oState.Offset(_mu))
-
- ANDQ(rBa, rBu)
- XORQ(rBo, rBu)
- MOVQ(rBu, oState.Offset(_mo))
- M_RBE_RCU()
-
- Comment("Result s")
- MOVQ(iState.Offset(_bi), rBa)
- MOVQ(iState.Offset(_go), rBe)
- MOVQ(iState.Offset(_ku), rBi)
- XORQ(rDi, rBa)
- MOVQ(iState.Offset(_ma), rBo)
- ROLQ(Imm(62), rBa)
- XORQ(rDo, rBe)
- MOVQ(iState.Offset(_se), rBu)
- ROLQ(Imm(55), rBe)
-
- XORQ(rDu, rBi)
- MOVQ(rBa, rDu)
- XORQ(rDe, rBu)
- ROLQ(Imm(2), rBu)
- ANDQ(rBe, rDu)
- XORQ(rBu, rDu)
- MOVQ(rDu, oState.Offset(_su))
-
- ROLQ(Imm(39), rBi)
- S_RDU_RCU()
- NOTQ(rBe)
- XORQ(rDa, rBo)
- MOVQ(rBe, rDa)
- ANDQ(rBi, rDa)
- XORQ(rBa, rDa)
- MOVQ(rDa, oState.Offset(_sa))
- S_RDA_RCA()
-
- ROLQ(Imm(41), rBo)
- MOVQ(rBi, rDe)
- ORQ(rBo, rDe)
- XORQ(rBe, rDe)
- MOVQ(rDe, oState.Offset(_se))
- S_RDE_RCE()
-
- MOVQ(rBo, rDi)
- MOVQ(rBu, rDo)
- ANDQ(rBu, rDi)
- ORQ(rBa, rDo)
- XORQ(rBi, rDi)
- XORQ(rBo, rDo)
- MOVQ(rDi, oState.Offset(_si))
- MOVQ(rDo, oState.Offset(_so))
-}
-
-// keccakF1600 applies the Keccak permutation to a 1600b-wide
-// state represented as a slice of 25 uint64s.
-func keccakF1600() {
- Implement("keccakF1600")
- AllocLocal(200)
-
- Load(Param("a"), rpState.Base)
-
- Comment("Convert the user state into an internal state")
- NOTQ(rpState.Offset(_be))
- NOTQ(rpState.Offset(_bi))
- NOTQ(rpState.Offset(_go))
- NOTQ(rpState.Offset(_ki))
- NOTQ(rpState.Offset(_mi))
- NOTQ(rpState.Offset(_sa))
-
- Comment("Execute the KeccakF permutation")
- MOVQ(rpState.Offset(_ba), rCa)
- MOVQ(rpState.Offset(_be), rCe)
- MOVQ(rpState.Offset(_bu), rCu)
-
- XORQ(rpState.Offset(_ga), rCa)
- XORQ(rpState.Offset(_ge), rCe)
- XORQ(rpState.Offset(_gu), rCu)
-
- XORQ(rpState.Offset(_ka), rCa)
- XORQ(rpState.Offset(_ke), rCe)
- XORQ(rpState.Offset(_ku), rCu)
-
- XORQ(rpState.Offset(_ma), rCa)
- XORQ(rpState.Offset(_me), rCe)
- XORQ(rpState.Offset(_mu), rCu)
-
- XORQ(rpState.Offset(_sa), rCa)
- XORQ(rpState.Offset(_se), rCe)
- MOVQ(rpState.Offset(_si), rDi)
- MOVQ(rpState.Offset(_so), rDo)
- XORQ(rpState.Offset(_su), rCu)
-
- for i, rc := range RoundConstants[:len(RoundConstants)-1] {
- var iState, oState Mem
- if i%2 == 0 {
- iState, oState = rpState, rpStack
- } else {
- iState, oState = rpStack, rpState
- }
- mKeccakRound(iState, oState, U64(rc), MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
- }
- mKeccakRound(rpStack, rpState, U64(RoundConstants[len(RoundConstants)-1]), NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP)
-
- Comment("Revert the internal state to the user state")
- NOTQ(rpState.Offset(_be))
- NOTQ(rpState.Offset(_bi))
- NOTQ(rpState.Offset(_go))
- NOTQ(rpState.Offset(_ki))
- NOTQ(rpState.Offset(_mi))
- NOTQ(rpState.Offset(_sa))
-
- RET()
-}
diff --git a/sha3/allocations_test.go b/sha3/allocations_test.go
deleted file mode 100644
index 36de5d5..0000000
--- a/sha3/allocations_test.go
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright 2023 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !noopt
-
-package sha3_test
-
-import (
- "runtime"
- "testing"
-
- "golang.org/x/crypto/sha3"
-)
-
-var sink byte
-
-func TestAllocations(t *testing.T) {
- want := 0.0
-
- if runtime.GOARCH == "s390x" {
- // On s390x the returned hash.Hash is conditional so it escapes.
- want = 3.0
- }
-
- t.Run("New", func(t *testing.T) {
- if allocs := testing.AllocsPerRun(10, func() {
- h := sha3.New256()
- b := []byte("ABC")
- h.Write(b)
- out := make([]byte, 0, 32)
- out = h.Sum(out)
- sink ^= out[0]
- }); allocs > want {
- t.Errorf("expected zero allocations, got %0.1f", allocs)
- }
- })
- t.Run("NewShake", func(t *testing.T) {
- if allocs := testing.AllocsPerRun(10, func() {
- h := sha3.NewShake128()
- b := []byte("ABC")
- h.Write(b)
- out := make([]byte, 0, 32)
- out = h.Sum(out)
- sink ^= out[0]
- h.Read(out)
- sink ^= out[0]
- }); allocs > want {
- t.Errorf("expected zero allocations, got %0.1f", allocs)
- }
- })
- t.Run("Sum", func(t *testing.T) {
- if allocs := testing.AllocsPerRun(10, func() {
- b := []byte("ABC")
- out := sha3.Sum256(b)
- sink ^= out[0]
- }); allocs > want {
- t.Errorf("expected zero allocations, got %0.1f", allocs)
- }
- })
-}
diff --git a/sha3/doc.go b/sha3/doc.go
deleted file mode 100644
index bbf391f..0000000
--- a/sha3/doc.go
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package sha3 implements the SHA-3 fixed-output-length hash functions and
-// the SHAKE variable-output-length hash functions defined by FIPS-202.
-//
-// All types in this package also implement [encoding.BinaryMarshaler],
-// [encoding.BinaryAppender] and [encoding.BinaryUnmarshaler] to marshal and
-// unmarshal the internal state of the hash.
-//
-// Both types of hash function use the "sponge" construction and the Keccak
-// permutation. For a detailed specification see http://keccak.noekeon.org/
-//
-// # Guidance
-//
-// If you aren't sure what function you need, use SHAKE256 with at least 64
-// bytes of output. The SHAKE instances are faster than the SHA3 instances;
-// the latter have to allocate memory to conform to the hash.Hash interface.
-//
-// If you need a secret-key MAC (message authentication code), prepend the
-// secret key to the input, hash with SHAKE256 and read at least 32 bytes of
-// output.
-//
-// # Security strengths
-//
-// The SHA3-x (x equals 224, 256, 384, or 512) functions have a security
-// strength against preimage attacks of x bits. Since they only produce "x"
-// bits of output, their collision-resistance is only "x/2" bits.
-//
-// The SHAKE-256 and -128 functions have a generic security strength of 256 and
-// 128 bits against all attacks, provided that at least 2x bits of their output
-// is used. Requesting more than 64 or 32 bytes of output, respectively, does
-// not increase the collision-resistance of the SHAKE functions.
-//
-// # The sponge construction
-//
-// A sponge builds a pseudo-random function from a public pseudo-random
-// permutation, by applying the permutation to a state of "rate + capacity"
-// bytes, but hiding "capacity" of the bytes.
-//
-// A sponge starts out with a zero state. To hash an input using a sponge, up
-// to "rate" bytes of the input are XORed into the sponge's state. The sponge
-// is then "full" and the permutation is applied to "empty" it. This process is
-// repeated until all the input has been "absorbed". The input is then padded.
-// The digest is "squeezed" from the sponge in the same way, except that output
-// is copied out instead of input being XORed in.
-//
-// A sponge is parameterized by its generic security strength, which is equal
-// to half its capacity; capacity + rate is equal to the permutation's width.
-// Since the KeccakF-1600 permutation is 1600 bits (200 bytes) wide, this means
-// that the security strength of a sponge instance is equal to (1600 - bitrate) / 2.
-//
-// # Recommendations
-//
-// The SHAKE functions are recommended for most new uses. They can produce
-// output of arbitrary length. SHAKE256, with an output length of at least
-// 64 bytes, provides 256-bit security against all attacks. The Keccak team
-// recommends it for most applications upgrading from SHA2-512. (NIST chose a
-// much stronger, but much slower, sponge instance for SHA3-512.)
-//
-// The SHA-3 functions are "drop-in" replacements for the SHA-2 functions.
-// They produce output of the same length, with the same security strengths
-// against all attacks. This means, in particular, that SHA3-256 only has
-// 128-bit collision resistance, because its output length is 32 bytes.
-package sha3
diff --git a/sha3/hashes.go b/sha3/hashes.go
index 31fffbe..a51269d 100644
--- a/sha3/hashes.go
+++ b/sha3/hashes.go
@@ -2,127 +2,94 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
+// Package sha3 implements the SHA-3 hash algorithms and the SHAKE extendable
+// output functions defined in FIPS 202.
+//
+// Most of this package is a wrapper around the crypto/sha3 package in the
+// standard library. The only exception is the legacy Keccak hash functions.
package sha3
-// This file provides functions for creating instances of the SHA-3
-// and SHAKE hash functions, as well as utility functions for hashing
-// bytes.
-
import (
- "crypto"
+ "crypto/sha3"
"hash"
)
// New224 creates a new SHA3-224 hash.
// Its generic security strength is 224 bits against preimage attacks,
// and 112 bits against collision attacks.
+//
+// It is a wrapper for the [sha3.New224] function in the standard library.
+//
+//go:fix inline
func New224() hash.Hash {
- return new224()
+ return sha3.New224()
}
// New256 creates a new SHA3-256 hash.
// Its generic security strength is 256 bits against preimage attacks,
// and 128 bits against collision attacks.
+//
+// It is a wrapper for the [sha3.New256] function in the standard library.
+//
+//go:fix inline
func New256() hash.Hash {
- return new256()
+ return sha3.New256()
}
// New384 creates a new SHA3-384 hash.
// Its generic security strength is 384 bits against preimage attacks,
// and 192 bits against collision attacks.
+//
+// It is a wrapper for the [sha3.New384] function in the standard library.
+//
+//go:fix inline
func New384() hash.Hash {
- return new384()
+ return sha3.New384()
}
// New512 creates a new SHA3-512 hash.
// Its generic security strength is 512 bits against preimage attacks,
// and 256 bits against collision attacks.
-func New512() hash.Hash {
- return new512()
-}
-
-func init() {
- crypto.RegisterHash(crypto.SHA3_224, New224)
- crypto.RegisterHash(crypto.SHA3_256, New256)
- crypto.RegisterHash(crypto.SHA3_384, New384)
- crypto.RegisterHash(crypto.SHA3_512, New512)
-}
-
-const (
- dsbyteSHA3 = 0b00000110
- dsbyteKeccak = 0b00000001
- dsbyteShake = 0b00011111
- dsbyteCShake = 0b00000100
-
- // rateK[c] is the rate in bytes for Keccak[c] where c is the capacity in
- // bits. Given the sponge size is 1600 bits, the rate is 1600 - c bits.
- rateK256 = (1600 - 256) / 8
- rateK448 = (1600 - 448) / 8
- rateK512 = (1600 - 512) / 8
- rateK768 = (1600 - 768) / 8
- rateK1024 = (1600 - 1024) / 8
-)
-
-func new224Generic() *state {
- return &state{rate: rateK448, outputLen: 28, dsbyte: dsbyteSHA3}
-}
-
-func new256Generic() *state {
- return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteSHA3}
-}
-
-func new384Generic() *state {
- return &state{rate: rateK768, outputLen: 48, dsbyte: dsbyteSHA3}
-}
-
-func new512Generic() *state {
- return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteSHA3}
-}
-
-// NewLegacyKeccak256 creates a new Keccak-256 hash.
//
-// Only use this function if you require compatibility with an existing cryptosystem
-// that uses non-standard padding. All other users should use New256 instead.
-func NewLegacyKeccak256() hash.Hash {
- return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteKeccak}
-}
-
-// NewLegacyKeccak512 creates a new Keccak-512 hash.
+// It is a wrapper for the [sha3.New512] function in the standard library.
//
-// Only use this function if you require compatibility with an existing cryptosystem
-// that uses non-standard padding. All other users should use New512 instead.
-func NewLegacyKeccak512() hash.Hash {
- return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteKeccak}
+//go:fix inline
+func New512() hash.Hash {
+ return sha3.New512()
}
// Sum224 returns the SHA3-224 digest of the data.
-func Sum224(data []byte) (digest [28]byte) {
- h := New224()
- h.Write(data)
- h.Sum(digest[:0])
- return
+//
+// It is a wrapper for the [sha3.Sum224] function in the standard library.
+//
+//go:fix inline
+func Sum224(data []byte) [28]byte {
+ return sha3.Sum224(data)
}
// Sum256 returns the SHA3-256 digest of the data.
-func Sum256(data []byte) (digest [32]byte) {
- h := New256()
- h.Write(data)
- h.Sum(digest[:0])
- return
+//
+// It is a wrapper for the [sha3.Sum256] function in the standard library.
+//
+//go:fix inline
+func Sum256(data []byte) [32]byte {
+ return sha3.Sum256(data)
}
// Sum384 returns the SHA3-384 digest of the data.
-func Sum384(data []byte) (digest [48]byte) {
- h := New384()
- h.Write(data)
- h.Sum(digest[:0])
- return
+//
+// It is a wrapper for the [sha3.Sum384] function in the standard library.
+//
+//go:fix inline
+func Sum384(data []byte) [48]byte {
+ return sha3.Sum384(data)
}
// Sum512 returns the SHA3-512 digest of the data.
-func Sum512(data []byte) (digest [64]byte) {
- h := New512()
- h.Write(data)
- h.Sum(digest[:0])
- return
+//
+// It is a wrapper for the [sha3.Sum512] function in the standard library.
+//
+//go:fix inline
+func Sum512(data []byte) [64]byte {
+ return sha3.Sum512(data)
}
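Review bot: Nothing on the new side of sha3/hashes.go records where the `crypto.SHA3_224` to `crypto.SHA3_512` registrations now come from, once the `init()` holding the four `crypto.RegisterHash` calls is dropped in this hunk. Callers that import golang.org/x/crypto/sha3 only for that side effect and then call `crypto.SHA3_256.New()` depend on it, and `crypto.Hash.New` panics for a hash that is not linked into the binary. Registration presumably now happens in the init of the `crypto/sha3` import, but that is inferred and not visible here. I would add a comment above the import block such as `// The crypto.SHA3_* hashes are registered by crypto/sha3, which this package always imports.` If sha3_test.go does not already cover it, a test asserting `crypto.SHA3_256.Available()` would pin the behaviour.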
diff --git a/sha3/hashes_noasm.go b/sha3/hashes_noasm.go
deleted file mode 100644
index 9d85fb6..0000000
--- a/sha3/hashes_noasm.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2023 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !gc || purego || !s390x
-
-package sha3
-
-func new224() *state {
- return new224Generic()
-}
-
-func new256() *state {
- return new256Generic()
-}
-
-func new384() *state {
- return new384Generic()
-}
-
-func new512() *state {
- return new512Generic()
-}
diff --git a/sha3/keccakf_amd64.go b/sha3/keccakf_amd64.go
deleted file mode 100644
index b908696..0000000
--- a/sha3/keccakf_amd64.go
+++ /dev/null
@@ -1,13 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build amd64 && !purego && gc
-
-package sha3
-
-// This function is implemented in keccakf_amd64.s.
-
-//go:noescape
-
-func keccakF1600(a *[25]uint64)
diff --git a/sha3/keccakf_amd64.s b/sha3/keccakf_amd64.s
deleted file mode 100644
index 99e2f16..0000000
--- a/sha3/keccakf_amd64.s
+++ /dev/null
@@ -1,5419 +0,0 @@
-// Code generated by command: go run keccakf_amd64_asm.go -out ../keccakf_amd64.s -pkg sha3. DO NOT EDIT.
-
-//go:build amd64 && !purego && gc
-
-// func keccakF1600(a *[25]uint64)
-TEXT ·keccakF1600(SB), $200-8
- MOVQ a+0(FP), DI
-
- // Convert the user state into an internal state
- NOTQ 8(DI)
- NOTQ 16(DI)
- NOTQ 64(DI)
- NOTQ 96(DI)
- NOTQ 136(DI)
- NOTQ 160(DI)
-
- // Execute the KeccakF permutation
- MOVQ (DI), SI
- MOVQ 8(DI), BP
- MOVQ 32(DI), R15
- XORQ 40(DI), SI
- XORQ 48(DI), BP
- XORQ 72(DI), R15
- XORQ 80(DI), SI
- XORQ 88(DI), BP
- XORQ 112(DI), R15
- XORQ 120(DI), SI
- XORQ 128(DI), BP
- XORQ 152(DI), R15
- XORQ 160(DI), SI
- XORQ 168(DI), BP
- MOVQ 176(DI), DX
- MOVQ 184(DI), R8
- XORQ 192(DI), R15
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x0000000000000001, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x0000000000008082, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x800000000000808a, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x8000000080008000, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x000000000000808b, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x0000000080000001, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x8000000080008081, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x8000000000008009, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x000000000000008a, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x0000000000000088, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x0000000080008009, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x000000008000000a, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x000000008000808b, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x800000000000008b, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x8000000000008089, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x8000000000008003, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x8000000000008002, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x8000000000000080, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x000000000000800a, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x800000008000000a, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x8000000080008081, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x8000000000008080, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(DI), R12
- XORQ 56(DI), DX
- XORQ R15, BX
- XORQ 96(DI), R12
- XORQ 136(DI), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(DI), R13
- XORQ 64(DI), R8
- XORQ SI, CX
- XORQ 104(DI), R13
- XORQ 144(DI), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (DI), R10
- MOVQ 48(DI), R11
- XORQ R13, R9
- MOVQ 96(DI), R12
- MOVQ 144(DI), R13
- MOVQ 192(DI), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x0000000080000001, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (SP)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(SP)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(SP)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(SP)
- MOVQ R12, 8(SP)
- MOVQ R12, BP
-
- // Result g
- MOVQ 72(DI), R11
- XORQ R9, R11
- MOVQ 80(DI), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(DI), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(DI), R13
- MOVQ 176(DI), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(SP)
- XORQ AX, SI
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(SP)
- XORQ AX, BP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(SP)
- NOTQ R14
- XORQ R10, R15
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(SP)
-
- // Result k
- MOVQ 8(DI), R10
- MOVQ 56(DI), R11
- MOVQ 104(DI), R12
- MOVQ 152(DI), R13
- MOVQ 160(DI), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(SP)
- XORQ AX, SI
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(SP)
- XORQ AX, BP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(SP)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(SP)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(SP)
- XORQ R10, R15
-
- // Result m
- MOVQ 40(DI), R11
- XORQ BX, R11
- MOVQ 88(DI), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(DI), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(DI), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(DI), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(SP)
- XORQ AX, SI
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(SP)
- XORQ AX, BP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(SP)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(SP)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(SP)
- XORQ R11, R15
-
- // Result s
- MOVQ 16(DI), R10
- MOVQ 64(DI), R11
- MOVQ 112(DI), R12
- XORQ DX, R10
- MOVQ 120(DI), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(DI), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(SP)
- ROLQ $0x27, R12
- XORQ R9, R15
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(SP)
- XORQ BX, SI
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(SP)
- XORQ CX, BP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(SP)
- MOVQ R8, 184(SP)
-
- // Prepare round
- MOVQ BP, BX
- ROLQ $0x01, BX
- MOVQ 16(SP), R12
- XORQ 56(SP), DX
- XORQ R15, BX
- XORQ 96(SP), R12
- XORQ 136(SP), DX
- XORQ DX, R12
- MOVQ R12, CX
- ROLQ $0x01, CX
- MOVQ 24(SP), R13
- XORQ 64(SP), R8
- XORQ SI, CX
- XORQ 104(SP), R13
- XORQ 144(SP), R8
- XORQ R8, R13
- MOVQ R13, DX
- ROLQ $0x01, DX
- MOVQ R15, R8
- XORQ BP, DX
- ROLQ $0x01, R8
- MOVQ SI, R9
- XORQ R12, R8
- ROLQ $0x01, R9
-
- // Result b
- MOVQ (SP), R10
- MOVQ 48(SP), R11
- XORQ R13, R9
- MOVQ 96(SP), R12
- MOVQ 144(SP), R13
- MOVQ 192(SP), R14
- XORQ CX, R11
- ROLQ $0x2c, R11
- XORQ DX, R12
- XORQ BX, R10
- ROLQ $0x2b, R12
- MOVQ R11, SI
- MOVQ $0x8000000080008008, AX
- ORQ R12, SI
- XORQ R10, AX
- XORQ AX, SI
- MOVQ SI, (DI)
- XORQ R9, R14
- ROLQ $0x0e, R14
- MOVQ R10, R15
- ANDQ R11, R15
- XORQ R14, R15
- MOVQ R15, 32(DI)
- XORQ R8, R13
- ROLQ $0x15, R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 16(DI)
- NOTQ R12
- ORQ R10, R14
- ORQ R13, R12
- XORQ R13, R14
- XORQ R11, R12
- MOVQ R14, 24(DI)
- MOVQ R12, 8(DI)
- NOP
-
- // Result g
- MOVQ 72(SP), R11
- XORQ R9, R11
- MOVQ 80(SP), R12
- ROLQ $0x14, R11
- XORQ BX, R12
- ROLQ $0x03, R12
- MOVQ 24(SP), R10
- MOVQ R11, AX
- ORQ R12, AX
- XORQ R8, R10
- MOVQ 128(SP), R13
- MOVQ 176(SP), R14
- ROLQ $0x1c, R10
- XORQ R10, AX
- MOVQ AX, 40(DI)
- NOP
- XORQ CX, R13
- ROLQ $0x2d, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 48(DI)
- NOP
- XORQ DX, R14
- ROLQ $0x3d, R14
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 64(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 72(DI)
- NOTQ R14
- NOP
- ORQ R14, R13
- XORQ R12, R13
- MOVQ R13, 56(DI)
-
- // Result k
- MOVQ 8(SP), R10
- MOVQ 56(SP), R11
- MOVQ 104(SP), R12
- MOVQ 152(SP), R13
- MOVQ 160(SP), R14
- XORQ DX, R11
- ROLQ $0x06, R11
- XORQ R8, R12
- ROLQ $0x19, R12
- MOVQ R11, AX
- ORQ R12, AX
- XORQ CX, R10
- ROLQ $0x01, R10
- XORQ R10, AX
- MOVQ AX, 80(DI)
- NOP
- XORQ R9, R13
- ROLQ $0x08, R13
- MOVQ R12, AX
- ANDQ R13, AX
- XORQ R11, AX
- MOVQ AX, 88(DI)
- NOP
- XORQ BX, R14
- ROLQ $0x12, R14
- NOTQ R13
- MOVQ R13, AX
- ANDQ R14, AX
- XORQ R12, AX
- MOVQ AX, 96(DI)
- MOVQ R14, AX
- ORQ R10, AX
- XORQ R13, AX
- MOVQ AX, 104(DI)
- ANDQ R11, R10
- XORQ R14, R10
- MOVQ R10, 112(DI)
- NOP
-
- // Result m
- MOVQ 40(SP), R11
- XORQ BX, R11
- MOVQ 88(SP), R12
- ROLQ $0x24, R11
- XORQ CX, R12
- MOVQ 32(SP), R10
- ROLQ $0x0a, R12
- MOVQ R11, AX
- MOVQ 136(SP), R13
- ANDQ R12, AX
- XORQ R9, R10
- MOVQ 184(SP), R14
- ROLQ $0x1b, R10
- XORQ R10, AX
- MOVQ AX, 120(DI)
- NOP
- XORQ DX, R13
- ROLQ $0x0f, R13
- MOVQ R12, AX
- ORQ R13, AX
- XORQ R11, AX
- MOVQ AX, 128(DI)
- NOP
- XORQ R8, R14
- ROLQ $0x38, R14
- NOTQ R13
- MOVQ R13, AX
- ORQ R14, AX
- XORQ R12, AX
- MOVQ AX, 136(DI)
- ORQ R10, R11
- XORQ R14, R11
- MOVQ R11, 152(DI)
- ANDQ R10, R14
- XORQ R13, R14
- MOVQ R14, 144(DI)
- NOP
-
- // Result s
- MOVQ 16(SP), R10
- MOVQ 64(SP), R11
- MOVQ 112(SP), R12
- XORQ DX, R10
- MOVQ 120(SP), R13
- ROLQ $0x3e, R10
- XORQ R8, R11
- MOVQ 168(SP), R14
- ROLQ $0x37, R11
- XORQ R9, R12
- MOVQ R10, R9
- XORQ CX, R14
- ROLQ $0x02, R14
- ANDQ R11, R9
- XORQ R14, R9
- MOVQ R9, 192(DI)
- ROLQ $0x27, R12
- NOP
- NOTQ R11
- XORQ BX, R13
- MOVQ R11, BX
- ANDQ R12, BX
- XORQ R10, BX
- MOVQ BX, 160(DI)
- NOP
- ROLQ $0x29, R13
- MOVQ R12, CX
- ORQ R13, CX
- XORQ R11, CX
- MOVQ CX, 168(DI)
- NOP
- MOVQ R13, DX
- MOVQ R14, R8
- ANDQ R14, DX
- ORQ R10, R8
- XORQ R12, DX
- XORQ R13, R8
- MOVQ DX, 176(DI)
- MOVQ R8, 184(DI)
-
- // Revert the internal state to the user state
- NOTQ 8(DI)
- NOTQ 16(DI)
- NOTQ 64(DI)
- NOTQ 96(DI)
- NOTQ 136(DI)
- NOTQ 160(DI)
- RET
diff --git a/sha3/sha3.go b/sha3/legacy_hash.go
index 6658c44..b878453 100644
--- a/sha3/sha3.go
+++ b/sha3/legacy_hash.go
@@ -4,15 +4,46 @@
package sha3
+// This implementation is only used for NewLegacyKeccak256 and
+// NewLegacyKeccak512, which are not implemented by crypto/sha3.
+// All other functions in this package are wrappers around crypto/sha3.
+
import (
"crypto/subtle"
"encoding/binary"
"errors"
+ "hash"
"unsafe"
"golang.org/x/sys/cpu"
)
+const (
+ dsbyteKeccak = 0b00000001
+
+ // rateK[c] is the rate in bytes for Keccak[c] where c is the capacity in
+ // bits. Given the sponge size is 1600 bits, the rate is 1600 - c bits.
+ rateK256 = (1600 - 256) / 8
+ rateK512 = (1600 - 512) / 8
+ rateK1024 = (1600 - 1024) / 8
+)
+
+// NewLegacyKeccak256 creates a new Keccak-256 hash.
+//
+// Only use this function if you require compatibility with an existing cryptosystem
+// that uses non-standard padding. All other users should use New256 instead.
+func NewLegacyKeccak256() hash.Hash {
+ return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteKeccak}
+}
+
+// NewLegacyKeccak512 creates a new Keccak-512 hash.
+//
+// Only use this function if you require compatibility with an existing cryptosystem
+// that uses non-standard padding. All other users should use New512 instead.
+func NewLegacyKeccak512() hash.Hash {
+ return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteKeccak}
+}
+
// spongeDirection indicates the direction bytes are flowing through the sponge.
type spongeDirection int
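Review bot: In `NewLegacyKeccak256` and `NewLegacyKeccak512` the rate constant is indexed by capacity rather than by digest size, so `rateK512` next to `outputLen: 32` reads like a copy-paste slip even though it agrees with the `rateK[c]` comment in the const block. A one-line comment in each constructor would settle it for the next reader, e.g. `// capacity is twice the digest size: 2*256 = 512 bits` and `// capacity is twice the digest size: 2*512 = 1024 bits`. `dsbyteKeccak` has no comment either; something like `// dsbyteKeccak is the first pad10*1 bit with no domain-separation suffix (pre-FIPS 202 Keccak padding)` would say why these digests differ from New256/New512. `rateK256` is not used by either constructor in this hunk, so if nothing else in the package still refers to it, it can be dropped.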
@@ -173,12 +204,9 @@ func (d *state) Sum(in []byte) []byte {
}
const (
- magicSHA3 = "sha\x08"
- magicShake = "sha\x09"
- magicCShake = "sha\x0a"
magicKeccak = "sha\x0b"
// magic || rate || main state || n || sponge direction
- marshaledSize = len(magicSHA3) + 1 + 200 + 1 + 1
+ marshaledSize = len(magicKeccak) + 1 + 200 + 1 + 1
)
func (d *state) MarshalBinary() ([]byte, error) {
@@ -187,12 +215,6 @@ func (d *state) MarshalBinary() ([]byte, error) {
func (d *state) AppendBinary(b []byte) ([]byte, error) {
switch d.dsbyte {
- case dsbyteSHA3:
- b = append(b, magicSHA3...)
- case dsbyteShake:
- b = append(b, magicShake...)
- case dsbyteCShake:
- b = append(b, magicCShake...)
case dsbyteKeccak:
b = append(b, magicKeccak...)
default:
@@ -210,12 +232,9 @@ func (d *state) UnmarshalBinary(b []byte) error {
return errors.New("sha3: invalid hash state")
}
- magic := string(b[:len(magicSHA3)])
- b = b[len(magicSHA3):]
+ magic := string(b[:len(magicKeccak)])
+ b = b[len(magicKeccak):]
switch {
- case magic == magicSHA3 && d.dsbyte == dsbyteSHA3:
- case magic == magicShake && d.dsbyte == dsbyteShake:
- case magic == magicCShake && d.dsbyte == dsbyteCShake:
case magic == magicKeccak && d.dsbyte == dsbyteKeccak:
default:
return errors.New("sha3: invalid hash state identifier")
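Review bot: With the other three identifiers removed, the `switch` in `UnmarshalBinary` is now a single empty-bodied case plus a rejecting `default`, which reads as an allowlist with one entry. A direct guard is easier to audit: `if magic != magicKeccak || d.dsbyte != dsbyteKeccak { return errors.New("sha3: invalid hash state identifier") }`. The function starts before and continues after this hunk, so the length check above it and the handling of the rate, `n` and direction bytes below it are not visible here. Since this code parses caller-supplied bytes into sponge state, it is worth confirming that those fields are still validated against `d.rate` after the refactor.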
diff --git a/sha3/keccakf.go b/sha3/legacy_keccakf.go
index ce48b1d..101588c 100644
--- a/sha3/keccakf.go
+++ b/sha3/legacy_keccakf.go
@@ -2,10 +2,12 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build !amd64 || purego || !gc
-
package sha3
+// This implementation is only used for NewLegacyKeccak256 and
+// NewLegacyKeccak512, which are not implemented by crypto/sha3.
+// All other functions in this package are wrappers around crypto/sha3.
+
import "math/bits"
// rc stores the round constants for use in the ι step.
diff --git a/sha3/sha3_s390x.go b/sha3/sha3_s390x.go
deleted file mode 100644
index 00d8034..0000000
--- a/sha3/sha3_s390x.go
+++ /dev/null
@@ -1,303 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-package sha3
-
-// This file contains code for using the 'compute intermediate
-// message digest' (KIMD) and 'compute last message digest' (KLMD)
-// instructions to compute SHA-3 and SHAKE hashes on IBM Z.
-
-import (
- "hash"
-
- "golang.org/x/sys/cpu"
-)
-
-// codes represent 7-bit KIMD/KLMD function codes as defined in
-// the Principles of Operation.
-type code uint64
-
-const (
- // function codes for KIMD/KLMD
- sha3_224 code = 32
- sha3_256 = 33
- sha3_384 = 34
- sha3_512 = 35
- shake_128 = 36
- shake_256 = 37
- nopad = 0x100
-)
-
-// kimd is a wrapper for the 'compute intermediate message digest' instruction.
-// src must be a multiple of the rate for the given function code.
-//
-//go:noescape
-func kimd(function code, chain *[200]byte, src []byte)
-
-// klmd is a wrapper for the 'compute last message digest' instruction.
-// src padding is handled by the instruction.
-//
-//go:noescape
-func klmd(function code, chain *[200]byte, dst, src []byte)
-
-type asmState struct {
- a [200]byte // 1600 bit state
- buf []byte // care must be taken to ensure cap(buf) is a multiple of rate
- rate int // equivalent to block size
- storage [3072]byte // underlying storage for buf
- outputLen int // output length for full security
- function code // KIMD/KLMD function code
- state spongeDirection // whether the sponge is absorbing or squeezing
-}
-
-func newAsmState(function code) *asmState {
- var s asmState
- s.function = function
- switch function {
- case sha3_224:
- s.rate = 144
- s.outputLen = 28
- case sha3_256:
- s.rate = 136
- s.outputLen = 32
- case sha3_384:
- s.rate = 104
- s.outputLen = 48
- case sha3_512:
- s.rate = 72
- s.outputLen = 64
- case shake_128:
- s.rate = 168
- s.outputLen = 32
- case shake_256:
- s.rate = 136
- s.outputLen = 64
- default:
- panic("sha3: unrecognized function code")
- }
-
- // limit s.buf size to a multiple of s.rate
- s.resetBuf()
- return &s
-}
-
-func (s *asmState) clone() *asmState {
- c := *s
- c.buf = c.storage[:len(s.buf):cap(s.buf)]
- return &c
-}
-
-// copyIntoBuf copies b into buf. It will panic if there is not enough space to
-// store all of b.
-func (s *asmState) copyIntoBuf(b []byte) {
- bufLen := len(s.buf)
- s.buf = s.buf[:len(s.buf)+len(b)]
- copy(s.buf[bufLen:], b)
-}
-
-// resetBuf points buf at storage, sets the length to 0 and sets cap to be a
-// multiple of the rate.
-func (s *asmState) resetBuf() {
- max := (cap(s.storage) / s.rate) * s.rate
- s.buf = s.storage[:0:max]
-}
-
-// Write (via the embedded io.Writer interface) adds more data to the running hash.
-// It never returns an error.
-func (s *asmState) Write(b []byte) (int, error) {
- if s.state != spongeAbsorbing {
- panic("sha3: Write after Read")
- }
- length := len(b)
- for len(b) > 0 {
- if len(s.buf) == 0 && len(b) >= cap(s.buf) {
- // Hash the data directly and push any remaining bytes
- // into the buffer.
- remainder := len(b) % s.rate
- kimd(s.function, &s.a, b[:len(b)-remainder])
- if remainder != 0 {
- s.copyIntoBuf(b[len(b)-remainder:])
- }
- return length, nil
- }
-
- if len(s.buf) == cap(s.buf) {
- // flush the buffer
- kimd(s.function, &s.a, s.buf)
- s.buf = s.buf[:0]
- }
-
- // copy as much as we can into the buffer
- n := len(b)
- if len(b) > cap(s.buf)-len(s.buf) {
- n = cap(s.buf) - len(s.buf)
- }
- s.copyIntoBuf(b[:n])
- b = b[n:]
- }
- return length, nil
-}
-
-// Read squeezes an arbitrary number of bytes from the sponge.
-func (s *asmState) Read(out []byte) (n int, err error) {
- // The 'compute last message digest' instruction only stores the digest
- // at the first operand (dst) for SHAKE functions.
- if s.function != shake_128 && s.function != shake_256 {
- panic("sha3: can only call Read for SHAKE functions")
- }
-
- n = len(out)
-
- // need to pad if we were absorbing
- if s.state == spongeAbsorbing {
- s.state = spongeSqueezing
-
- // write hash directly into out if possible
- if len(out)%s.rate == 0 {
- klmd(s.function, &s.a, out, s.buf) // len(out) may be 0
- s.buf = s.buf[:0]
- return
- }
-
- // write hash into buffer
- max := cap(s.buf)
- if max > len(out) {
- max = (len(out)/s.rate)*s.rate + s.rate
- }
- klmd(s.function, &s.a, s.buf[:max], s.buf)
- s.buf = s.buf[:max]
- }
-
- for len(out) > 0 {
- // flush the buffer
- if len(s.buf) != 0 {
- c := copy(out, s.buf)
- out = out[c:]
- s.buf = s.buf[c:]
- continue
- }
-
- // write hash directly into out if possible
- if len(out)%s.rate == 0 {
- klmd(s.function|nopad, &s.a, out, nil)
- return
- }
-
- // write hash into buffer
- s.resetBuf()
- if cap(s.buf) > len(out) {
- s.buf = s.buf[:(len(out)/s.rate)*s.rate+s.rate]
- }
- klmd(s.function|nopad, &s.a, s.buf, nil)
- }
- return
-}
-
-// Sum appends the current hash to b and returns the resulting slice.
-// It does not change the underlying hash state.
-func (s *asmState) Sum(b []byte) []byte {
- if s.state != spongeAbsorbing {
- panic("sha3: Sum after Read")
- }
-
- // Copy the state to preserve the original.
- a := s.a
-
- // Hash the buffer. Note that we don't clear it because we
- // aren't updating the state.
- switch s.function {
- case sha3_224, sha3_256, sha3_384, sha3_512:
- klmd(s.function, &a, nil, s.buf)
- return append(b, a[:s.outputLen]...)
- case shake_128, shake_256:
- d := make([]byte, s.outputLen, 64)
- klmd(s.function, &a, d, s.buf)
- return append(b, d[:s.outputLen]...)
- default:
- panic("sha3: unknown function")
- }
-}
-
-// Reset resets the Hash to its initial state.
-func (s *asmState) Reset() {
- for i := range s.a {
- s.a[i] = 0
- }
- s.resetBuf()
- s.state = spongeAbsorbing
-}
-
-// Size returns the number of bytes Sum will return.
-func (s *asmState) Size() int {
- return s.outputLen
-}
-
-// BlockSize returns the hash's underlying block size.
-// The Write method must be able to accept any amount
-// of data, but it may operate more efficiently if all writes
-// are a multiple of the block size.
-func (s *asmState) BlockSize() int {
- return s.rate
-}
-
-// Clone returns a copy of the ShakeHash in its current state.
-func (s *asmState) Clone() ShakeHash {
- return s.clone()
-}
-
-// new224 returns an assembly implementation of SHA3-224 if available,
-// otherwise it returns a generic implementation.
-func new224() hash.Hash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(sha3_224)
- }
- return new224Generic()
-}
-
-// new256 returns an assembly implementation of SHA3-256 if available,
-// otherwise it returns a generic implementation.
-func new256() hash.Hash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(sha3_256)
- }
- return new256Generic()
-}
-
-// new384 returns an assembly implementation of SHA3-384 if available,
-// otherwise it returns a generic implementation.
-func new384() hash.Hash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(sha3_384)
- }
- return new384Generic()
-}
-
-// new512 returns an assembly implementation of SHA3-512 if available,
-// otherwise it returns a generic implementation.
-func new512() hash.Hash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(sha3_512)
- }
- return new512Generic()
-}
-
-// newShake128 returns an assembly implementation of SHAKE-128 if available,
-// otherwise it returns a generic implementation.
-func newShake128() ShakeHash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(shake_128)
- }
- return newShake128Generic()
-}
-
-// newShake256 returns an assembly implementation of SHAKE-256 if available,
-// otherwise it returns a generic implementation.
-func newShake256() ShakeHash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(shake_256)
- }
- return newShake256Generic()
-}
diff --git a/sha3/sha3_s390x.s b/sha3/sha3_s390x.s
deleted file mode 100644
index 826b862..0000000
--- a/sha3/sha3_s390x.s
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-#include "textflag.h"
-
-// func kimd(function code, chain *[200]byte, src []byte)
-TEXT ·kimd(SB), NOFRAME|NOSPLIT, $0-40
- MOVD function+0(FP), R0
- MOVD chain+8(FP), R1
- LMG src+16(FP), R2, R3 // R2=base, R3=len
-
-continue:
- WORD $0xB93E0002 // KIMD --, R2
- BVS continue // continue if interrupted
- MOVD $0, R0 // reset R0 for pre-go1.8 compilers
- RET
-
-// func klmd(function code, chain *[200]byte, dst, src []byte)
-TEXT ·klmd(SB), NOFRAME|NOSPLIT, $0-64
- // TODO: SHAKE support
- MOVD function+0(FP), R0
- MOVD chain+8(FP), R1
- LMG dst+16(FP), R2, R3 // R2=base, R3=len
- LMG src+40(FP), R4, R5 // R4=base, R5=len
-
-continue:
- WORD $0xB93F0024 // KLMD R2, R4
- BVS continue // continue if interrupted
- MOVD $0, R0 // reset R0 for pre-go1.8 compilers
- RET
diff --git a/sha3/sha3_test.go b/sha3/sha3_test.go
index d97a970..bee9b10 100644
--- a/sha3/sha3_test.go
+++ b/sha3/sha3_test.go
@@ -16,7 +16,6 @@ import (
"encoding"
"encoding/hex"
"encoding/json"
- "fmt"
"hash"
"io"
"math/rand"
@@ -523,124 +522,3 @@ func testMarshalUnmarshal(t *testing.T, h hash.Hash) {
t.Errorf("got %x, want %x", got, want)
}
}
-
-// BenchmarkPermutationFunction measures the speed of the permutation function
-// with no input data.
-func BenchmarkPermutationFunction(b *testing.B) {
- b.SetBytes(int64(200))
- var lanes [25]uint64
- for i := 0; i < b.N; i++ {
- keccakF1600(&lanes)
- }
-}
-
-// benchmarkHash tests the speed to hash num buffers of buflen each.
-func benchmarkHash(b *testing.B, h hash.Hash, size, num int) {
- b.StopTimer()
- h.Reset()
- data := sequentialBytes(size)
- b.SetBytes(int64(size * num))
- b.StartTimer()
-
- var state []byte
- for i := 0; i < b.N; i++ {
- for j := 0; j < num; j++ {
- h.Write(data)
- }
- state = h.Sum(state[:0])
- }
- b.StopTimer()
- h.Reset()
-}
-
-// benchmarkShake is specialized to the Shake instances, which don't
-// require a copy on reading output.
-func benchmarkShake(b *testing.B, h ShakeHash, size, num int) {
- b.StopTimer()
- h.Reset()
- data := sequentialBytes(size)
- d := make([]byte, 32)
-
- b.SetBytes(int64(size * num))
- b.StartTimer()
-
- for i := 0; i < b.N; i++ {
- h.Reset()
- for j := 0; j < num; j++ {
- h.Write(data)
- }
- h.Read(d)
- }
-}
-
-func BenchmarkSha3_512_MTU(b *testing.B) { benchmarkHash(b, New512(), 1350, 1) }
-func BenchmarkSha3_384_MTU(b *testing.B) { benchmarkHash(b, New384(), 1350, 1) }
-func BenchmarkSha3_256_MTU(b *testing.B) { benchmarkHash(b, New256(), 1350, 1) }
-func BenchmarkSha3_224_MTU(b *testing.B) { benchmarkHash(b, New224(), 1350, 1) }
-
-func BenchmarkShake128_MTU(b *testing.B) { benchmarkShake(b, NewShake128(), 1350, 1) }
-func BenchmarkShake256_MTU(b *testing.B) { benchmarkShake(b, NewShake256(), 1350, 1) }
-func BenchmarkShake256_16x(b *testing.B) { benchmarkShake(b, NewShake256(), 16, 1024) }
-func BenchmarkShake256_1MiB(b *testing.B) { benchmarkShake(b, NewShake256(), 1024, 1024) }
-
-func BenchmarkSha3_512_1MiB(b *testing.B) { benchmarkHash(b, New512(), 1024, 1024) }
-
-func Example_sum() {
- buf := []byte("some data to hash")
- // A hash needs to be 64 bytes long to have 256-bit collision resistance.
- h := make([]byte, 64)
- // Compute a 64-byte hash of buf and put it in h.
- ShakeSum256(h, buf)
- fmt.Printf("%x\n", h)
- // Output: 0f65fe41fc353e52c55667bb9e2b27bfcc8476f2c413e9437d272ee3194a4e3146d05ec04a25d16b8f577c19b82d16b1424c3e022e783d2b4da98de3658d363d
-}
-
-func Example_mac() {
- k := []byte("this is a secret key; you should generate a strong random key that's at least 32 bytes long")
- buf := []byte("and this is some data to authenticate")
- // A MAC with 32 bytes of output has 256-bit security strength -- if you use at least a 32-byte-long key.
- h := make([]byte, 32)
- d := NewShake256()
- // Write the key into the hash.
- d.Write(k)
- // Now write the data.
- d.Write(buf)
- // Read 32 bytes of output from the hash into h.
- d.Read(h)
- fmt.Printf("%x\n", h)
- // Output: 78de2974bd2711d5549ffd32b753ef0f5fa80a0db2556db60f0987eb8a9218ff
-}
-
-func ExampleNewCShake256() {
- out := make([]byte, 32)
- msg := []byte("The quick brown fox jumps over the lazy dog")
-
- // Example 1: Simple cshake
- c1 := NewCShake256([]byte("NAME"), []byte("Partition1"))
- c1.Write(msg)
- c1.Read(out)
- fmt.Println(hex.EncodeToString(out))
-
- // Example 2: Different customization string produces different digest
- c1 = NewCShake256([]byte("NAME"), []byte("Partition2"))
- c1.Write(msg)
- c1.Read(out)
- fmt.Println(hex.EncodeToString(out))
-
- // Example 3: Longer output length produces longer digest
- out = make([]byte, 64)
- c1 = NewCShake256([]byte("NAME"), []byte("Partition1"))
- c1.Write(msg)
- c1.Read(out)
- fmt.Println(hex.EncodeToString(out))
-
- // Example 4: Next read produces different result
- c1.Read(out)
- fmt.Println(hex.EncodeToString(out))
-
- // Output:
- //a90a4c6ca9af2156eba43dc8398279e6b60dcd56fb21837afe6c308fd4ceb05b
- //a8db03e71f3e4da5c4eee9d28333cdd355f51cef3c567e59be5beb4ecdbb28f0
- //a90a4c6ca9af2156eba43dc8398279e6b60dcd56fb21837afe6c308fd4ceb05b9dd98c6ee866ca7dc5a39d53e960f400bcd5a19c8a2d6ec6459f63696543a0d8
- //85e73a72228d08b46515553ca3a29d47df3047e5d84b12d6c2c63e579f4fd1105716b7838e92e981863907f434bfd4443c9e56ea09da998d2f9b47db71988109
-}
diff --git a/sha3/shake.go b/sha3/shake.go
index a6b3a42..6f3f70c 100644
--- a/sha3/shake.go
+++ b/sha3/shake.go
@@ -4,24 +4,10 @@
package sha3
-// This file defines the ShakeHash interface, and provides
-// functions for creating SHAKE and cSHAKE instances, as well as utility
-// functions for hashing bytes to arbitrary-length output.
-//
-//
-// SHAKE implementation is based on FIPS PUB 202 [1]
-// cSHAKE implementations is based on NIST SP 800-185 [2]
-//
-// [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
-// [2] https://doi.org/10.6028/NIST.SP.800-185
-
import (
- "bytes"
- "encoding/binary"
- "errors"
+ "crypto/sha3"
"hash"
"io"
- "math/bits"
)
// ShakeHash defines the interface to hash functions that support
@@ -32,7 +18,7 @@ type ShakeHash interface {
hash.Hash
// Read reads more output from the hash; reading affects the hash's
- // state. (ShakeHash.Read is thus very different from Hash.Sum)
+ // state. (ShakeHash.Read is thus very different from Hash.Sum.)
// It never returns an error, but subsequent calls to Write or Sum
// will panic.
io.Reader
@@ -41,115 +27,18 @@ type ShakeHash interface {
Clone() ShakeHash
}
-// cSHAKE specific context
-type cshakeState struct {
- *state // SHA-3 state context and Read/Write operations
-
- // initBlock is the cSHAKE specific initialization set of bytes. It is initialized
- // by newCShake function and stores concatenation of N followed by S, encoded
- // by the method specified in 3.3 of [1].
- // It is stored here in order for Reset() to be able to put context into
- // initial state.
- initBlock []byte
-}
-
-func bytepad(data []byte, rate int) []byte {
- out := make([]byte, 0, 9+len(data)+rate-1)
- out = append(out, leftEncode(uint64(rate))...)
- out = append(out, data...)
- if padlen := rate - len(out)%rate; padlen < rate {
- out = append(out, make([]byte, padlen)...)
- }
- return out
-}
-
-func leftEncode(x uint64) []byte {
- // Let n be the smallest positive integer for which 2^(8n) > x.
- n := (bits.Len64(x) + 7) / 8
- if n == 0 {
- n = 1
- }
- // Return n || x with n as a byte and x an n bytes in big-endian order.
- b := make([]byte, 9)
- binary.BigEndian.PutUint64(b[1:], x)
- b = b[9-n-1:]
- b[0] = byte(n)
- return b
-}
-
-func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) ShakeHash {
- c := cshakeState{state: &state{rate: rate, outputLen: outputLen, dsbyte: dsbyte}}
- c.initBlock = make([]byte, 0, 9+len(N)+9+len(S)) // leftEncode returns max 9 bytes
- c.initBlock = append(c.initBlock, leftEncode(uint64(len(N))*8)...)
- c.initBlock = append(c.initBlock, N...)
- c.initBlock = append(c.initBlock, leftEncode(uint64(len(S))*8)...)
- c.initBlock = append(c.initBlock, S...)
- c.Write(bytepad(c.initBlock, c.rate))
- return &c
-}
-
-// Reset resets the hash to initial state.
-func (c *cshakeState) Reset() {
- c.state.Reset()
- c.Write(bytepad(c.initBlock, c.rate))
-}
-
-// Clone returns copy of a cSHAKE context within its current state.
-func (c *cshakeState) Clone() ShakeHash {
- b := make([]byte, len(c.initBlock))
- copy(b, c.initBlock)
- return &cshakeState{state: c.clone(), initBlock: b}
-}
-
-// Clone returns copy of SHAKE context within its current state.
-func (c *state) Clone() ShakeHash {
- return c.clone()
-}
-
-func (c *cshakeState) MarshalBinary() ([]byte, error) {
- return c.AppendBinary(make([]byte, 0, marshaledSize+len(c.initBlock)))
-}
-
-func (c *cshakeState) AppendBinary(b []byte) ([]byte, error) {
- b, err := c.state.AppendBinary(b)
- if err != nil {
- return nil, err
- }
- b = append(b, c.initBlock...)
- return b, nil
-}
-
-func (c *cshakeState) UnmarshalBinary(b []byte) error {
- if len(b) <= marshaledSize {
- return errors.New("sha3: invalid hash state")
- }
- if err := c.state.UnmarshalBinary(b[:marshaledSize]); err != nil {
- return err
- }
- c.initBlock = bytes.Clone(b[marshaledSize:])
- return nil
-}
-
// NewShake128 creates a new SHAKE128 variable-output-length ShakeHash.
// Its generic security strength is 128 bits against all attacks if at
// least 32 bytes of its output are used.
func NewShake128() ShakeHash {
- return newShake128()
+ return &shakeWrapper{sha3.NewSHAKE128(), 32, false, sha3.NewSHAKE128}
}
// NewShake256 creates a new SHAKE256 variable-output-length ShakeHash.
// Its generic security strength is 256 bits against all attacks if
// at least 64 bytes of its output are used.
func NewShake256() ShakeHash {
- return newShake256()
-}
-
-func newShake128Generic() *state {
- return &state{rate: rateK256, outputLen: 32, dsbyte: dsbyteShake}
-}
-
-func newShake256Generic() *state {
- return &state{rate: rateK512, outputLen: 64, dsbyte: dsbyteShake}
+ return &shakeWrapper{sha3.NewSHAKE256(), 64, false, sha3.NewSHAKE256}
}
// NewCShake128 creates a new instance of cSHAKE128 variable-output-length ShakeHash,
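Review bot: The `shakeWrapper` literals in NewShake128 and NewShake256 are unkeyed, so `32, false` can only be read with the struct definition open at the end of the file. Keyed fields would make the output length explicit and let the zero-valued `squeezing` be dropped: `&shakeWrapper{SHAKE: sha3.NewSHAKE128(), outputLen: 32, newSHAKE: sha3.NewSHAKE128}`. The same applies to the literals in the NewCShake128 and NewCShake256 hunks and to the one returned by Clone.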
@@ -159,10 +48,9 @@ func newShake256Generic() *state {
// computations on same input with different S yield unrelated outputs.
// When N and S are both empty, this is equivalent to NewShake128.
func NewCShake128(N, S []byte) ShakeHash {
- if len(N) == 0 && len(S) == 0 {
- return NewShake128()
- }
- return newCShake(N, S, rateK256, 32, dsbyteCShake)
+ return &shakeWrapper{sha3.NewCSHAKE128(N, S), 32, false, func() *sha3.SHAKE {
+ return sha3.NewCSHAKE128(N, S)
+ }}
}
// NewCShake256 creates a new instance of cSHAKE256 variable-output-length ShakeHash,
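Review bot: The `newSHAKE` closure in NewCShake128 captures the caller's N and S slices rather than copies, and it is re-run on every Clone and therefore on every Sum. That is only safe against the caller later mutating those slices if `UnmarshalBinary` in Clone overwrites everything the constructor derived from them, which this diff does not show. If that is the intent, a comment on the closure would record it, for example `// Only the variant has to match; Clone replaces the state via UnmarshalBinary.`; otherwise capture private copies of N and S before building the closure. The NewCShake256 hunk has the same pattern.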
@@ -172,10 +60,9 @@ func NewCShake128(N, S []byte) ShakeHash {
// computations on same input with different S yield unrelated outputs.
// When N and S are both empty, this is equivalent to NewShake256.
func NewCShake256(N, S []byte) ShakeHash {
- if len(N) == 0 && len(S) == 0 {
- return NewShake256()
- }
- return newCShake(N, S, rateK512, 64, dsbyteCShake)
+ return &shakeWrapper{sha3.NewCSHAKE256(N, S), 64, false, func() *sha3.SHAKE {
+ return sha3.NewCSHAKE256(N, S)
+ }}
}
// ShakeSum128 writes an arbitrary-length digest of data into hash.
@@ -191,3 +78,42 @@ func ShakeSum256(hash, data []byte) {
h.Write(data)
h.Read(hash)
}
+
+// shakeWrapper adds the Size, Sum, and Clone methods to a sha3.SHAKE
+// to implement the ShakeHash interface.
+type shakeWrapper struct {
+ *sha3.SHAKE
+ outputLen int
+ squeezing bool
+ newSHAKE func() *sha3.SHAKE
+}
+
+func (w *shakeWrapper) Read(p []byte) (n int, err error) {
+ w.squeezing = true
+ return w.SHAKE.Read(p)
+}
+
+func (w *shakeWrapper) Clone() ShakeHash {
+ s := w.newSHAKE()
+ b, err := w.MarshalBinary()
+ if err != nil {
+ panic(err) // unreachable
+ }
+ if err := s.UnmarshalBinary(b); err != nil {
+ panic(err) // unreachable
+ }
+ return &shakeWrapper{s, w.outputLen, w.squeezing, w.newSHAKE}
+}
+
+func (w *shakeWrapper) Size() int { return w.outputLen }
+
+func (w *shakeWrapper) Sum(b []byte) []byte {
+ if w.squeezing {
+ panic("sha3: Sum after Read")
+ }
+ out := make([]byte, w.outputLen)
+ // Clone the state so that we don't affect future Write calls.
+ s := w.Clone()
+ s.Read(out)
+ return append(b, out...)
+}
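Review bot: `shakeWrapper` overrides Read, Clone, Size and Sum but not Reset, and none of the shake.go hunks define one, so Reset is promoted from the embedded `*sha3.SHAKE` and never clears `squeezing`. After Read, Reset, Write, a call to Sum would still panic with "sha3: Sum after Read" even though the sponge is back in its absorbing state. An override fixes it: `func (w *shakeWrapper) Reset() { w.SHAKE.Reset(); w.squeezing = false }`. The promoted UnmarshalBinary likewise leaves the flag untouched, so restoring a saved state into a wrapper may leave `squeezing` out of step with the sponge; a test that calls Sum after Reset on a wrapper that has been read from would pin the behaviour.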
diff --git a/sha3/shake_noasm.go b/sha3/shake_noasm.go
deleted file mode 100644
index 4276ba4..0000000
--- a/sha3/shake_noasm.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// Copyright 2023 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !gc || purego || !s390x
-
-package sha3
-
-func newShake128() *state {
- return newShake128Generic()
-}
-
-func newShake256() *state {
- return newShake256Generic()
-}