diff --git a/include/decaf_crypto.h b/include/decaf_crypto.h index 6e34bdd..a20cb65 100644 --- a/include/decaf_crypto.h +++ b/include/decaf_crypto.h @@ -122,11 +122,11 @@ void decaf_255_sign_shake ( decaf_255_signature_t sig, const decaf_255_private_key_t priv, - const keccak_sponge_t shake + const shake256_ctx_t shake ) NONNULL3 API_VIS; /** - * @brief Sign a message from its SHAKE context. + * @brief Sign a message. * * @param [out] sig The signature. * @param [in] priv Your private key. @@ -152,7 +152,7 @@ decaf_bool_t decaf_255_verify_shake ( const decaf_255_signature_t sig, const decaf_255_public_key_t pub, - const keccak_sponge_t shake + const shake256_ctx_t shake ) NONNULL3 API_VIS WARN_UNUSED; /** diff --git a/include/shake.h b/include/shake.h index 2b4e350..26abeb0 100644 --- a/include/shake.h +++ b/include/shake.h @@ -26,7 +26,6 @@ #define NONNULL3 __attribute__((nonnull(1,2,3))) /** @endcond */ -/* TODO: different containing structs for each primitive? */ #ifndef INTERNAL_SPONGE_STRUCT /** Sponge container object for the various primitives. */ typedef struct keccak_sponge_s { 
@@ -119,40 +118,48 @@ void sponge_hash ( /** @cond internal */ #define DECSHAKE(n) \ extern const struct kparams_s SHAKE##n##_params_s API_VIS; \ - static inline void NONNULL1 shake##n##_init(keccak_sponge_t sponge) { \ + typedef struct shake##n##_ctx_s { keccak_sponge_t s; } shake##n##_ctx_t[1]; \ + static inline void NONNULL1 shake##n##_init(shake##n##_ctx_t sponge) { \ + sponge_init(sponge->s, &SHAKE##n##_params_s); \ + } \ + static inline void NONNULL1 shake##n##_gen_init(keccak_sponge_t sponge) { \ sponge_init(sponge, &SHAKE##n##_params_s); \ } \ - static inline void NONNULL2 shake##n##_update(keccak_sponge_t sponge, const uint8_t *in, size_t inlen ) { \ - sha3_update(sponge, in, inlen); \ + static inline void NONNULL2 shake##n##_update(shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \ + sha3_update(sponge->s, in, inlen); \ } \ - static inline void NONNULL2 shake##n##_final(keccak_sponge_t sponge, uint8_t *out, size_t outlen ) { \ - sha3_output(sponge, out, outlen); \ - sponge_init(sponge, &SHAKE##n##_params_s); \ + static inline void NONNULL2 shake##n##_final(shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \ + sha3_output(sponge->s, out, outlen); \ + sponge_init(sponge->s, &SHAKE##n##_params_s); \ } \ static inline void NONNULL13 shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \ sponge_hash(in,inlen,out,outlen,&SHAKE##n##_params_s); \ } \ - static inline void NONNULL1 shake##n##_destroy( keccak_sponge_t sponge ) { \ - sponge_destroy(sponge); \ + static inline void NONNULL1 shake##n##_destroy( shake##n##_ctx_t sponge ) { \ + sponge_destroy(sponge->s); \ } #define DECSHA3(n) \ extern const struct kparams_s SHA3_##n##_params_s API_VIS; \ - static inline void NONNULL1 sha3_##n##_init(keccak_sponge_t sponge) { \ + typedef struct sha3_##n##_ctx_s { keccak_sponge_t s; } sha3_##n##_ctx_t[1]; \ + static inline void NONNULL1 sha3_##n##_init(sha3_##n##_ctx_t sponge) { \ + sponge_init(sponge->s, &SHA3_##n##_params_s); 
\ + } \ + static inline void NONNULL1 sha3_##n##_gen_init(keccak_sponge_t sponge) { \ sponge_init(sponge, &SHA3_##n##_params_s); \ } \ - static inline void NONNULL2 sha3_##n##_update(keccak_sponge_t sponge, const uint8_t *in, size_t inlen ) { \ - sha3_update(sponge, in, inlen); \ + static inline void NONNULL2 sha3_##n##_update(sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \ + sha3_update(sponge->s, in, inlen); \ } \ - static inline void NONNULL2 sha3_##n##_final(keccak_sponge_t sponge, uint8_t *out, size_t outlen ) { \ - sha3_output(sponge, out, outlen); \ - sponge_init(sponge, &SHA3_##n##_params_s); \ + static inline void NONNULL2 sha3_##n##_final(sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \ + sha3_output(sponge->s, out, outlen); \ + sponge_init(sponge->s, &SHA3_##n##_params_s); \ } \ static inline void NONNULL13 sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \ sponge_hash(in,inlen,out,outlen,&SHA3_##n##_params_s); \ } \ - static inline void NONNULL1 sha3_##n##_destroy( keccak_sponge_t sponge ) { \ - sponge_destroy(sponge); \ + static inline void NONNULL1 sha3_##n##_destroy(sha3_##n##_ctx_t sponge) { \ + sponge_destroy(sponge->s); \ } /** @endcond */ @@ -253,7 +260,6 @@ extern const struct kparams_s STROBE_256 API_VIS; extern const struct kparams_s STROBE_KEYED_128 API_VIS; extern const struct kparams_s STROBE_KEYED_256 API_VIS; -/** TODO: remove this restriction?? */ #define STROBE_MAX_AUTH_BYTES 255 /** TODO: check "more" flags? */ diff --git a/src/decaf.c b/src/decaf.c index d5c9e6e..689b32f 100644 --- a/src/decaf.c +++ b/src/decaf.c @@ -81,7 +81,6 @@ const decaf_448_point_t decaf_448_point_base = {{ struct decaf_448_precomputed_s { decaf_448_point_t p[1]; }; -/* FIXME: restore */ const struct decaf_448_precomputed_s *decaf_448_precomputed_base = (const struct decaf_448_precomputed_s *)decaf_448_point_base; diff --git a/src/decaf_crypto.c b/src/decaf_crypto.c index 1527370..89d85d6 100644 
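Review bot: The new `shake##n##_gen_init` and `sha3_##n##_gen_init` helpers are undocumented, and because the whole block sits under `@cond internal` nothing in the generated docs explains why each primitive now has two init functions or what the typed context buys. A comment above `#define DECSHAKE(n)` along the lines of `/* _init takes the primitive's own shake##n##_ctx_t, so a SHAKE128 context cannot be handed to an API declared on shake256_ctx_t; _gen_init initialises a raw keccak_sponge_t for callers that choose the primitive at runtime (see test/shakesum.c) and leaves them on the generic sponge API without that type check. */` would make the intent and the trade-off explicit. The same wording applies to the DECSHA3 block in this hunk.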
--- a/src/decaf_crypto.c +++ b/src/decaf_crypto.c @@ -21,7 +21,7 @@ void decaf_255_derive_private_key ( uint8_t encoded_scalar[DECAF_255_SCALAR_OVERKILL_BYTES]; decaf_255_point_t pub; - keccak_sponge_t sponge; + shake256_ctx_t sponge; shake256_init(sponge); shake256_update(sponge, proto, sizeof(decaf_255_symmetric_key_t)); shake256_update(sponge, (const unsigned char *)magic, strlen(magic)); @@ -77,7 +77,7 @@ decaf_255_shared_secret ( } less >>= 8; - keccak_sponge_t sponge; + shake256_ctx_t sponge; shake256_init(sponge); /* update the lesser */ @@ -117,7 +117,7 @@ void decaf_255_sign_shake ( decaf_255_signature_t sig, const decaf_255_private_key_t priv, - const keccak_sponge_t shake + const shake256_ctx_t shake ) { const char *magic = "decaf_255_sign_shake"; @@ -126,7 +126,7 @@ decaf_255_sign_shake ( decaf_255_scalar_t nonce, challenge; /* Derive nonce */ - keccak_sponge_t ctx; + shake256_ctx_t ctx; memcpy(ctx, shake, sizeof(ctx)); shake256_update(ctx, priv->sym, sizeof(priv->sym)); shake256_update(ctx, (const unsigned char *)magic, strlen(magic)); @@ -163,7 +163,7 @@ decaf_bool_t decaf_255_verify_shake ( const decaf_255_signature_t sig, const decaf_255_public_key_t pub, - const keccak_sponge_t shake + const shake256_ctx_t shake ) { decaf_bool_t ret; @@ -172,7 +172,7 @@ decaf_255_verify_shake ( decaf_255_scalar_t challenge, response; /* Derive challenge */ - keccak_sponge_t ctx; + shake256_ctx_t ctx; memcpy(ctx, shake, sizeof(ctx)); shake256_update(ctx, pub, sizeof(decaf_255_public_key_t)); shake256_update(ctx, sig, DECAF_255_SER_BYTES); @@ -201,7 +201,7 @@ decaf_255_sign ( const unsigned char *message, size_t message_len ) { - keccak_sponge_t ctx; + shake256_ctx_t ctx; shake256_init(ctx); shake256_update(ctx, message, message_len); decaf_255_sign_shake(sig, priv, ctx); 
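Review bot: In decaf_255_sign_shake the local `ctx` (hunk @@ -126) is a full copy of the caller's sponge into which `priv->sym` is absorbed, so once the nonce has been squeezed it holds secret-derived state on the stack; the hunk ends before the function does, so whether it is wiped with `shake256_destroy(ctx)` on every return path is not visible from here. If it is not, add that call once the nonce has been extracted. As a point of style, `memcpy(ctx, shake, sizeof(ctx))` is correct only because `shake256_ctx_t` is a one-element array typedef; `sizeof(ctx[0])` states the intended size without relying on that.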
@@ -215,7 +215,7 @@ decaf_255_verify ( const unsigned char *message, size_t message_len ) { - keccak_sponge_t ctx; + shake256_ctx_t ctx; shake256_init(ctx); shake256_update(ctx, message, message_len); decaf_bool_t ret = decaf_255_verify_shake(sig, pub, ctx); diff --git a/src/decaf_gen_tables.c b/src/decaf_gen_tables.c index 78bc046..cdd8b36 100644 --- a/src/decaf_gen_tables.c +++ b/src/decaf_gen_tables.c @@ -151,7 +151,8 @@ int main(int argc, char **argv) { } scalar_print("sc_r2", smadj); - API_NS(scalar_sub)(smadj,API_NS(scalar_zero),API_NS(scalar_one)); /* HACK */ + + API_NS(scalar_sub)(smadj,API_NS(scalar_zero),API_NS(scalar_one)); /* get p-1 */ unsigned long long w = 1, plo = smadj->limb[0]+1; #if DECAF_WORD_BITS == 32 diff --git a/src/p448/arch_neon_experimental/p448.c b/src/p448/arch_neon_experimental/p448.c index 30151cc..8b4c9bc 100644 --- a/src/p448/arch_neon_experimental/p448.c +++ b/src/p448/arch_neon_experimental/p448.c @@ -618,7 +618,7 @@ p448_mulw ( vo[1] += vmovn_u64(accum); } -/* TODO: vectorize? */ +/* PERF: vectorize? */ void p448_strong_reduce ( p448_t *a diff --git a/src/p480/arch_x86_64/x86-64-arith.h b/src/p480/arch_x86_64/x86-64-arith.h index 32ee832..a4d40da 100644 --- a/src/p480/arch_x86_64/x86-64-arith.h +++ b/src/p480/arch_x86_64/x86-64-arith.h @@ -7,10 +7,6 @@ #include -/* TODO: non x86-64 versions of these. - * FUTURE: autogenerate - */ - static __inline__ __uint128_t widemul(const uint64_t *a, const uint64_t *b) { #ifndef __BMI2__ uint64_t c,d; diff --git a/src/shake.c b/src/shake.c index 2649164..07c1d66 100644 --- a/src/shake.c +++ b/src/shake.c 
@@ -669,11 +669,13 @@ decaf_bool_t strobe_prng ( size_t len, uint8_t more ) { - /* FIXME: length?? */ - unsigned char control[] = { PRNG }; + unsigned char control[9] = { PRNG }; + int i; + for (i=0; i<8; i++) control[i+1] = len>>(8*i); + decaf_bool_t ret = strobe_control_word(sponge, control, sizeof(control), more); strobe_duplex(sponge, out, NULL, len); - // /** TODO: orly? */ + // TODO: forget as follows? this breaks "more" // unsigned char control2[] = { 0, STROBE_FORGET_BYTES, TAGFORGET }; // ret &= strobe_control_word(sponge, control2, sizeof(control2)); // strobe_forget(sponge, STROBE_FORGET_BYTES); @@ -681,7 +683,6 @@ decaf_bool_t strobe_prng ( return ret; } -/* TODO: remove reliance on decaf? */ decaf_bool_t strobe_verify_auth ( keccak_sponge_t sponge, const unsigned char *in, @@ -720,4 +721,4 @@ decaf_bool_t strobe_respec ( return ret; } -/* TODO: Keyak instances, etc */ +/* FUTURE: Keyak instances, etc */ diff --git a/test/shakesum.c b/test/shakesum.c index 5be1a80..6c28a86 100644 --- a/test/shakesum.c +++ b/test/shakesum.c 
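Review bot: `control[i+1] = len>>(8*i)` in strobe_prng is undefined behaviour on targets where `size_t` is 32 bits, because for i >= 4 the shift count is at or beyond the width of `len`; the loop always emits eight length bytes, so widen before shifting: `control[i+1] = (unsigned char)((uint64_t)len >> (8*i));`. The explicit narrowing cast also keeps `-Wconversion` quiet. Whether `strobe_duplex` reports a failure that should be folded into `ret` cannot be told from this hunk. strobe_prng's signature starts before the hunk and its `return ret;` is in the following one.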
@@ -20,28 +20,28 @@ int main(int argc, char **argv) { unsigned char buf[1024]; unsigned int outlen = 512; - shake256_init(sponge); + shake256_gen_init(sponge); /* Sloppy. Real utility would parse --algo, --size ... */ if (argc > 1) { if (!strcmp(argv[1], "shake256") || !strcmp(argv[1], "SHAKE256")) { outlen = 512; - shake256_init(sponge); + shake256_gen_init(sponge); } else if (!strcmp(argv[1], "shake128") || !strcmp(argv[1], "SHAKE128")) { outlen = 512; - shake128_init(sponge); + shake128_gen_init(sponge); } else if (!strcmp(argv[1], "sha3-224") || !strcmp(argv[1], "SHA3-224")) { outlen = 224/8; - sha3_224_init(sponge); + sha3_224_gen_init(sponge); } else if (!strcmp(argv[1], "sha3-256") || !strcmp(argv[1], "SHA3-256")) { outlen = 256/8; - sha3_256_init(sponge); + sha3_256_gen_init(sponge); } else if (!strcmp(argv[1], "sha3-384") || !strcmp(argv[1], "SHA3-384")) { outlen = 384/8; - sha3_384_init(sponge); + sha3_384_gen_init(sponge); } else if (!strcmp(argv[1], "sha3-512") || !strcmp(argv[1], "SHA3-512")) { outlen = 512/8; - sha3_512_init(sponge); + sha3_512_gen_init(sponge); } }
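Review bot: An unrecognised algorithm name in argv[1] falls through every branch and silently keeps the SHAKE256 state set up by the unconditional `shake256_gen_init(sponge)` at the top of the hunk, so a misspelt name (e.g. `sha3-255`, a constructed example) yields a SHAKE256 digest with no error. Add a final branch `} else { fprintf(stderr, "unknown algorithm: %s\n", argv[1]); return 1; }` so the tool fails loudly, assuming `<stdio.h>` is already included as the digest printing suggests. With that in place the unconditional init before the `if` could move into the no-argument case, though that is cosmetic. main continues past the end of the hunk.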