输入80E3，可执行算法正确性检验，验证通过，对len=38Bytes明文加密结果符合预期、解密结果符合输入;

输入80E2，可写入密钥到flash，若算法类型、key id, key版本一致，就写入，已满就报错，无记录就写入新记录;
输入80CA，可执行伪位置加密，原封不动将输入的data返回回来。

Project/Src/com/cscn/Zuc256Util.java

@@ -134,34 +134,19 @@ public final class Zuc256Util {
 //    }
     /** 32位循环左移: (a<<<k) */
     public static void rot32(short a_lo, short a_hi, short k, short[] out /*len==2*/) {
-        k = (short)(k & 31); // 限制 0..31
-        if (k == 0) {
-            out[0] = a_lo;
-            out[1] = a_hi;
-            return;
+        k = (short)(k & 31);          // 0..31
+        short lo = a_lo, hi = a_hi, nw_hi, nw_lo;
+        while (k > 0) {
+            // 先做 1 位循环左移
+            // 注意：short 在 >>> 时会先提升为 int，所以下面都再用 &1 取最低位，避免符号扩展影响
+            nw_hi = (short)((hi << 1) | ((lo >>> 15) & 1));
+            nw_lo = (short)((lo << 1) | ((hi >>> 15) & 1));
+            hi = nw_hi;
+            lo = nw_lo;
+            k--;
         }
-
-        short lo, hi;
-
-        if (k < 16) {
-            // 左移 k
-            lo = (short)(a_lo << k);
-            hi = (short)(a_hi << k);
-
-            // 把溢出部分拼接
-            lo |= (short)((a_hi & (short)0xFFFF) >>> (16 - k));
-            hi |= (short)((a_lo & (short)0xFFFF) >>> (16 - k));
-        } else {
-            short s = (short)(k - 16);
-            lo = (short)(a_hi << s);
-            hi = (short)(a_lo << s);
-
-            lo |= (short)((a_lo & (short)0xFFFF) >>> (16 - s));
-            hi |= (short)((a_hi & (short)0xFFFF) >>> (16 - s));
-        }
-
-        out[0] = lo;
-        out[1] = hi;
+        out[0] = lo;    // 低16位
+        out[1] = hi;    // 高16位
     }
 
 
@@ -221,7 +206,7 @@ public final class Zuc256Util {
      * 输出: out[0]=lo, out[1]=hi
      */
     public static void L2(short x_lo, short x_hi, short[] out /*len==2*/) {
-        short[] t = new short[2];
+        short[] t = new short[2];//todo to ram
         short[] acc = new short[2];
 
         // acc = x
@@ -358,35 +343,39 @@ public final class Zuc256Util {
     }
 
     /**
-     * 32位加法 + 返回进位
+     * 32位加法 + 返回进位（只用 short）
      * 输入: (a_hi:a_lo) + (b_hi:b_lo)
      * 输出: out[0]=lo, out[1]=hi
-     * 返回: 进位 (0或1)
+     * 返回: 最终进位(0/1)
      */
     static short add32_with_carry(short a_lo, short a_hi,
                                   short b_lo, short b_hi,
                                   short[] out /* len=2 */) {
-        // 低 16 位相加
-        short lo = (short)(a_lo + b_lo);
-        // 判断低 16 位是否溢出
-        short carry_lo = (short)(((a_lo & (short)0xFFFF) + (b_lo & (short)0xFFFF)) >>> 16);
+        // ---- 低16位：分两段8位相加 ----
+        short s0 = (short)((a_lo & (short)0x00FF) + (b_lo & (short)0x00FF));   // 0..510
+        short c0 = (short)(s0 >>> 8);                                          // 0/1
+        short s1 = (short)(((a_lo >>> 8) & (short)0x00FF)
+                + ((b_lo >>> 8) & (short)0x00FF)
+                + c0);                                                // 0..511
+        short c1 = (short)(s1 >>> 8);                                          // 0/1
+        short lo = (short)((s1 << 8) | (s0 & (short)0x00FF));
 
-        // 高 16 位相加 + 低位进位
-        short hi_tmp = (short)(a_hi + b_hi);
-        short carry_hi1 = (short)(((a_hi & (short)0xFFFF) + (b_hi & (short)0xFFFF)) >>> 16);
+        // ---- 高16位：再分两段8位相加，并加上 c1 ----
+        short s2 = (short)((a_hi & (short)0x00FF) + (b_hi & (short)0x00FF) + c1);
+        short c2 = (short)(s2 >>> 8);                                          // 0/1
+        short s3 = (short)(((a_hi >>> 8) & (short)0x00FF)
+                + ((b_hi >>> 8) & (short)0x00FF)
+                + c2);                                                // 0..511
+        short c3 = (short)(s3 >>> 8);                                          // 最终进位 0/1
+        short hi = (short)((s3 << 8) | (s2 & (short)0x00FF));
 
-        short hi = (short)(hi_tmp + carry_lo);
-        short carry_hi2 = (short)(((hi_tmp & (short)0xFFFF) + (carry_lo & (short)0xFFFF)) >>> 16);
-
-        // 输出结果
         out[0] = lo;
         out[1] = hi;
-
-        // 最终进位 = 高位相加本身的进位 + 高位再加低位进位的进位
-        return (short)((carry_hi1 + carry_hi2) & 0x1);
+        return (short)(c3 & 1);
     }
 
 
+
     /**
      * 64位加法: a4 + b4 -> a4
      * 输入输出: short[4]，低到高 (a[0]=lo16, a[1]=hi16, a[2]=lo16 of high dword, a[3]=hi16 of high dword)
@@ -400,7 +389,7 @@ public final class Zuc256Util {
         a[1] = tmp[1];
 
         // 高 32 位 + carry
-        add32((short)(a[2] + (carry & (short)0xFFFF)), a[3], b[2], b[3], tmp);
+        add32((short)(a[2] + (short)(carry & (short)0x0001)), a[3], b[2], b[3], tmp);
         a[2] = tmp[0];
         a[3] = tmp[1];
     }
@@ -418,38 +407,32 @@ public final class Zuc256Util {
      * 结果放到64位数 a (a[0]=最低16位 ... a[3]=最高16位)。
      */
     static void create_64b_from_32b(short[] a/*len=4*/, short[] b/*len=2*/, short k) {
-        // 先清零
-        a[0] = 0; a[1] = 0; a[2] = 0; a[3] = 0;
+        short a0 = b[0], a1 = b[1], a2 = 0, a3 = 0;
 
-        if (k == 0) {
-            a[0] = b[0];
-            a[1] = b[1];
-            return;
+        if (k >= 16) {
+            a3 = a2;       // 0
+            a2 = a1;       // 原 hi16
+            a1 = a0;       // 原 lo16
+            a0 = 0;
+            k  = (short)(k - 16);
         }
 
-        if (k < 16) {
-            // lo << k
-            a[0] = (short)(b[0] << k);
-            // hi << k, 以及 lo >>> (16-k) 进位
-            a[1] = (short)((b[1] << k) | ((b[0] & (short)0xFFFF) >>> (16 - k)));
-            // hi >>> (16-k) 残留进到 a[2]
-            a[2] = (short)((b[1] & (short)0xFFFF) >>> (16 - k));
-            return;
+        while (k > 0) {
+            short c0 = (short)((a0 >>> 15) & 1);
+            short c1 = (short)((a1 >>> 15) & 1);
+            short c2 = (short)((a2 >>> 15) & 1);
+
+            a3 = (short)((a3 << 1) | c2);
+            a2 = (short)((a2 << 1) | c1);
+            a1 = (short)((a1 << 1) | c0);
+            a0 = (short)(a0 << 1);
+            k--;
         }
 
-        if (k == 16) {
-            a[1] = b[0];
-            a[2] = b[1];
-            return;
-        }
-
-        // 16 < k < 32
-        short kk = (short)(k - 16);
-        a[1] = (short)(b[0] << kk);
-        a[2] = (short)((b[1] << kk) | ((b[0] & (short)0xFFFF) >>> (16 - kk)));
-        a[3] = (short)((b[1] & (short)0xFFFF) >>> (16 - kk));
+        a[0] = a0; a[1] = a1; a[2] = a2; a[3] = a3;
     }
 
+
     /**
      * (A & 0x7FFFFFFF)，结果放在 out[4]，只保留低32位并清掉最高bit。
      */
@@ -480,10 +463,9 @@ public final class Zuc256Util {
         short c1 = (short)((out[1] & (short)0xFFFF) >>> 15);
         short c2 = (short)((out[2] & (short)0xFFFF) >>> 15);
 
-        out[0] = (short)(((out[0] & (short)0xFFFF) >>> 15) | (out[1] << 1));
-        out[1] = (short)(((out[1] & (short)0xFFFF) >>> 15) | (out[2] << 1));
-        out[2] = (short)(((out[2] & (short)0xFFFF) >>> 15) | (out[3] << 1));
-        out[3] = (short)((out[3] & (short)0xFFFF) >>> 15);
+        out[0] = (short)((c0 & 0x0001) | (out[1] << 1));
+        out[1] = (short)((c1 & 0x0001) | (out[2] << 1));
+        out[2] = (short)(c2 & 0x0001);
     }
 
     /**
@@ -493,8 +475,8 @@ public final class Zuc256Util {
      */
     static void shr32u1(short lo, short hi, short[] out) {
         // >>>1：先处理低16位
-        short newLo = (short)(((lo & (short)0xFFFF) >>> 1) | ((hi & 0x0001) << 15));
-        short newHi = (short)((hi & (short)0xFFFF) >>> 1);
+        short newLo = (short)(((((lo & (short)0xFFFF) >>> 1) & (short)0x7FFF)) | ((hi & 0x0001) << 15));
+        short newHi = (short)(((hi & (short)0xFFFF) >>> 1) & (short)0x7FFF);
 
         out[0] = newLo;
         out[1] = newHi;