jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
227 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 36380f3e2a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '36380f3e2a'
${ noResults }
ed448goldilocks/src/shake.c

725 lines
21 KiB
Raw Blame History 

  1. /**

  2.  * @cond internal

  3.  * @file shake.c

  4.  * @copyright

  5.  *   Uses public domain code by Mathias Panzenböck \n

  6.  *   Uses CC0 code by David Leon Gil, 2015 \n

  7.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  8.  *   Released under the MIT License.  See LICENSE.txt for license information.

  9.  * @author Mike Hamburg

  10.  * @brief SHA-3-n and SHAKE-n instances.

  11.  * @warning EXPERIMENTAL!  The names, parameter orders etc are likely to change.

  12.  */

  13. 

  14. #define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s */

  15. #define _BSD_SOURCE 1 /* for endian */

  16. #include <assert.h>

  17. #include <stdint.h>

  18. #include <string.h>

  19. 

  20. /* to open and read from /dev/urandom */

  21. #include <sys/types.h>

  22. #include <sys/stat.h>

  23. #include <fcntl.h>

  24. #include <errno.h>

  25. #include <unistd.h>

  26. 

  27. /* Subset of Mathias Panzenböck's portable endian code, public domain */

  28. #if defined(__linux__) || defined(__CYGWIN__)

  29. #	include <endian.h>

  30. #elif defined(__OpenBSD__)

  31. #	include <sys/endian.h>

  32. #elif defined(__APPLE__)

  33. #	include <libkern/OSByteOrder.h>

  34. #	define htole64(x) OSSwapHostToLittleInt64(x)

  35. #	define le64toh(x) OSSwapLittleToHostInt64(x)

  36. #elif defined(__NetBSD__) || defined(__FreeBSD__) || defined(__DragonFly__)

  37. #	include <sys/endian.h>

  38. #	define le64toh(x) letoh64(x)

  39. #elif defined(_WIN16) || defined(_WIN32) || defined(_WIN64) || defined(__WINDOWS__)

  40. #	include <winsock2.h>

  41. #	include <sys/param.h>

  42. #	if BYTE_ORDER == LITTLE_ENDIAN

  43. #		define htole64(x) (x)

  44. #		define le64toh(x) (x)

  45. #	elif BYTE_ORDER == BIG_ENDIAN

  46. #		define htole64(x) __builtin_bswap64(x)

  47. #		define le64toh(x) __builtin_bswap64(x)

  48. #	else

  49. #		error byte order not supported

  50. #	endif

  51. #else

  52. #	error platform not supported

  53. #endif

  54. 

  55. /* The internal, non-opaque definition of the sponge struct. */

  56. typedef union {

  57.     uint64_t w[25]; uint8_t b[25*8];

  58. } kdomain_t[1];

  59. 

  60. typedef struct kparams_s {

  61.     uint8_t position, flags, rate, startRound, pad, ratePad, maxOut, client;

  62. } kparams_t[1];

  63. 

  64. typedef struct keccak_sponge_s {

  65.     kdomain_t state;

  66.     kparams_t params;

  67. } keccak_sponge_t[1];

  68. 

  69. #define INTERNAL_SPONGE_STRUCT 1

  70. #include "shake.h"

  71. 

  72. #define FLAG_ABSORBING 'A'

  73. #define FLAG_SQUEEZING 'Z'

  74. #define FLAG_RNG_SQU   'R'

  75. #define FLAG_DET_SQU   'D'

  76. #define FLAG_RNG_ABS   'r'

  77. #define FLAG_DET_ABS   'd'

  78. #define FLAG_RNG_UNI   'u'

  79. #define FLAG_DET_UNI   'g'

  80. 

  81. /** Constants. **/

  82. static const uint8_t pi[24] = {

  83.     10, 7,  11, 17, 18, 3, 5,  16, 8,  21, 24, 4,

  84.     15, 23, 19, 13, 12, 2, 20, 14, 22, 9,  6,  1

  85. };

  86. 

  87. #define RC_B(x,n) ((((x##ull)>>n)&1)<<((1<<n)-1))

  88. #define RC_X(x) (RC_B(x,0)|RC_B(x,1)|RC_B(x,2)|RC_B(x,3)|RC_B(x,4)|RC_B(x,5)|RC_B(x,6))

  89. static const uint64_t RC[24] = {

  90.     RC_X(0x01), RC_X(0x1a), RC_X(0x5e), RC_X(0x70), RC_X(0x1f), RC_X(0x21),

  91.     RC_X(0x79), RC_X(0x55), RC_X(0x0e), RC_X(0x0c), RC_X(0x35), RC_X(0x26),

  92.     RC_X(0x3f), RC_X(0x4f), RC_X(0x5d), RC_X(0x53), RC_X(0x52), RC_X(0x48),

  93.     RC_X(0x16), RC_X(0x66), RC_X(0x79), RC_X(0x58), RC_X(0x21), RC_X(0x74)

  94. };

  95. 

  96. static inline uint64_t rol(uint64_t x, int s) {

  97.     return (x << s) | (x >> (64 - s));

  98. }

  99. 

  100. /* Helper macros to unroll the permutation. */

  101. #define REPEAT5(e) e e e e e

  102. #define FOR51(v, e) v = 0; REPEAT5(e; v += 1;)

  103. #ifndef SHAKE_NO_UNROLL_LOOPS

  104. #    define FOR55(v, e) v = 0; REPEAT5(e; v += 5;)

  105. #    define REPEAT24(e) e e e e e e e e e e e e e e e e e e e e e e e e

  106. #else

  107. #    define FOR55(v, e) for (v=0; v<25; v+= 5) { e; }

  108. #    define REPEAT24(e) {int _j=0; for (_j=0; _j<24; _j++) { e }}

  109. #endif

  110. 

  111. /*** The Keccak-f[1600] permutation ***/

  112. static void

  113. __attribute__((noinline))

  114. keccakf(kdomain_t state, uint8_t startRound) {

  115.     uint64_t* a = state->w;

  116.     uint64_t b[5] = {0}, t, u;

  117.     uint8_t x, y, i;

  118.     

  119.     for (i=0; i<25; i++) a[i] = le64toh(a[i]);

  120. 

  121.     for (i = startRound; i < 24; i++) {

  122.         FOR51(x, b[x] = 0; FOR55(y, b[x] ^= a[x + y];))

  123.         FOR51(x, FOR55(y,

  124.             a[y + x] ^= b[(x + 4) % 5] ^ rol(b[(x + 1) % 5], 1);

  125.         ))

  126.         // Rho and pi

  127.         t = a[1];

  128.         x = y = 0;

  129.         REPEAT24(u = a[pi[x]]; y += x+1; a[pi[x]] = rol(t, y % 64); t = u; x++; )

  130.         // Chi

  131.         FOR55(y,

  132.              FOR51(x, b[x] = a[y + x];)

  133.              FOR51(x, a[y + x] = b[x] ^ ((~b[(x + 1) % 5]) & b[(x + 2) % 5]);)

  134.         )

  135.         // Iota

  136.         a[0] ^= RC[i];

  137.     }

  138. 

  139.     for (i=0; i<25; i++) a[i] = htole64(a[i]);

  140. }

  141. 

  142. static inline void dokeccak (keccak_sponge_t sponge) {

  143.     keccakf(sponge->state, sponge->params->startRound);

  144.     sponge->params->position = 0;

  145. }

  146. 

  147. void sha3_update (

  148.     struct keccak_sponge_s * __restrict__ sponge,

  149.     const uint8_t *in,

  150.     size_t len

  151. ) {

  152.     if (!len) return;

  153.     assert(sponge->params->position < sponge->params->rate);

  154.     assert(sponge->params->rate < sizeof(sponge->state));

  155.     assert(sponge->params->flags == FLAG_ABSORBING);

  156.     while (len) {

  157.         size_t cando = sponge->params->rate - sponge->params->position, i;

  158.         uint8_t* state = &sponge->state->b[sponge->params->position];

  159.         if (cando > len) {

  160.             for (i = 0; i < len; i += 1) state[i] ^= in[i];

  161.             sponge->params->position += len;

  162.             return;

  163.         } else {

  164.             for (i = 0; i < cando; i += 1) state[i] ^= in[i];

  165.             dokeccak(sponge);

  166.             len -= cando;

  167.             in += cando;

  168.         }

  169.     }

  170. }

  171. 

  172. void sha3_output (

  173.     keccak_sponge_t sponge,

  174.     uint8_t * __restrict__ out,

  175.     size_t len

  176. ) {

  177.     assert(sponge->params->position < sponge->params->rate);

  178.     assert(sponge->params->rate < sizeof(sponge->state));

  179.     

  180.     if (sponge->params->maxOut != 0xFF) {

  181.         assert(sponge->params->maxOut >= len);

  182.         sponge->params->maxOut -= len;

  183.     }

  184.     

  185.     switch (sponge->params->flags) {

  186.     case FLAG_SQUEEZING: break;

  187.     case FLAG_ABSORBING:

  188.         {

  189.             uint8_t* state = sponge->state->b;

  190.             state[sponge->params->position] ^= sponge->params->pad;

  191.             state[sponge->params->rate - 1] ^= sponge->params->ratePad;

  192.             dokeccak(sponge);

  193.             break;

  194.         }

  195.     default:

  196.         assert(0);

  197.     }

  198.     

  199.     while (len) {

  200.         size_t cando = sponge->params->rate - sponge->params->position;

  201.         uint8_t* state = &sponge->state->b[sponge->params->position];

  202.         if (cando > len) {

  203.             memcpy(out, state, len);

  204.             sponge->params->position += len;

  205.             return;

  206.         } else {

  207.             memcpy(out, state, cando);

  208.             dokeccak(sponge);

  209.             len -= cando;

  210.             out += cando;

  211.         }

  212.     }

  213. }

  214. 

  215. void sponge_destroy (keccak_sponge_t sponge) { decaf_bzero(sponge, sizeof(keccak_sponge_t)); }

  216. 

  217. void sponge_init (

  218.     keccak_sponge_t sponge,

  219.     const struct kparams_s *params

  220. ) {

  221.     memset(sponge->state, 0, sizeof(sponge->state));

  222.     sponge->params[0] = params[0];

  223. }

  224. 

  225. void sponge_hash (

  226.     const uint8_t *in,

  227.     size_t inlen,

  228.     uint8_t *out,

  229.     size_t outlen,

  230.     const struct kparams_s *params

  231. ) {

  232.     keccak_sponge_t sponge;

  233.     sponge_init(sponge, params);

  234.     sha3_update(sponge, in, inlen);

  235.     sha3_output(sponge, out, outlen);

  236.     sponge_destroy(sponge);

  237. }

  238. 

  239. #define DEFSHAKE(n) \

  240.     const struct kparams_s SHAKE##n##_params_s = \

  241.         { 0, FLAG_ABSORBING, 200-n/4, 0, 0x1f, 0x80, 0xFF, 0 };

  242.     

  243. #define DEFSHA3(n) \

  244.     const struct kparams_s SHA3_##n##_params_s = \

  245.         { 0, FLAG_ABSORBING, 200-n/4, 0, 0x06, 0x80, n/8, 0 };

  246. 

  247. size_t sponge_default_output_bytes (

  248.     const keccak_sponge_t s

  249. ) {

  250.     return (s->params->maxOut == 0xFF)

  251.         ? (200-s->params->rate)

  252.         : ((200-s->params->rate)/2);

  253. }

  254. 

  255. DEFSHAKE(128)

  256. DEFSHAKE(256)

  257. DEFSHA3(224)

  258. DEFSHA3(256)

  259. DEFSHA3(384)

  260. DEFSHA3(512)

  261. 

  262. /** Get entropy from a CPU, preferably in the form of RDRAND, but possibly instead from RDTSC. */

  263. static void get_cpu_entropy(uint8_t *entropy, size_t len) {

  264. # if (defined(__i386__) || defined(__x86_64__))

  265.     static char tested = 0, have_rdrand = 0;

  266.     if (!tested) {

  267.         u_int32_t a,b,c,d;

  268.         a=1; __asm__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));

  269.         have_rdrand = (c>>30)&1;

  270.         tested = 1;

  271.     }

  272. 

  273.     if (have_rdrand) {

  274.         # if defined(__x86_64__)

  275.             uint64_t out, a=0, *eo = (uint64_t *)entropy;

  276.         # elif defined(__i386__)

  277.             uint32_t out, a=0, *eo = (uint64_t *)entropy;

  278.         #endif

  279.         len /= sizeof(out);

  280. 

  281.         uint32_t tries;

  282.         for (tries = 100+len; tries && len; len--, eo++) {

  283.             for (a = 0; tries && !a; tries--) {

  284.                 __asm__ __volatile__ ("rdrand %0\n\tsetc %%al" : "=r"(out), "+a"(a) :: "cc" );

  285.             }

  286.             *eo ^= out;

  287.         }

  288.     } else if (len>8) {

  289.         uint64_t out;

  290.         __asm__ __volatile__ ("rdtsc" : "=A"(out));

  291.         *(uint64_t*) entropy ^= out;

  292.     }

  293. 

  294. #else

  295.     (void) entropy;

  296.     (void) len;

  297. #endif

  298. }

  299. 

  300. void spongerng_next (

  301.     keccak_sponge_t sponge,

  302.     uint8_t * __restrict__ out,

  303.     size_t len

  304. ) {

  305.     assert(sponge->params->position < sponge->params->rate);

  306.     assert(sponge->params->rate < sizeof(sponge->state));

  307. 

  308.     switch(sponge->params->flags) {

  309.     case FLAG_DET_SQU: case FLAG_RNG_SQU: break;

  310.     case FLAG_DET_ABS: case FLAG_RNG_ABS:

  311.         {

  312.             uint8_t* state = sponge->state->b;

  313.             state[sponge->params->position] ^= sponge->params->pad;

  314.             state[sponge->params->rate - 1] ^= sponge->params->ratePad;

  315.             dokeccak(sponge);

  316.             sponge->params->flags = (sponge->params->flags == FLAG_DET_ABS) ? FLAG_DET_SQU : FLAG_RNG_SQU;

  317.             break;

  318.         }

  319.     default: assert(0);

  320.     };

  321. 

  322.     while (len) {

  323.         size_t cando = sponge->params->rate - sponge->params->position;

  324.         uint8_t* state = &sponge->state->b[sponge->params->position];

  325.         if (cando > len) {

  326.             memcpy(out, state, len);

  327.             memset(state, 0, len);

  328.             sponge->params->position += len;

  329.             return;

  330.         } else {

  331.             memcpy(out, state, cando);

  332.             memset(state, 0, cando);

  333.             if (sponge->params->flags == FLAG_RNG_SQU)

  334.                 get_cpu_entropy(sponge->state->b, 32);

  335.             dokeccak(sponge);

  336.             len -= cando;

  337.             out += cando;

  338.         }

  339.     }

  340. 

  341.     /* Anti-rollback */

  342.     if (sponge->params->position < 32) {

  343.         memset(&sponge->state->b, 0, 32);

  344.         sponge->params->position = 32;

  345.     }

  346. }

  347. 

  348. void spongerng_stir (

  349.     keccak_sponge_t sponge,

  350.     const uint8_t * __restrict__ in,

  351.     size_t len

  352. ) {

  353.     assert(sponge->params->position < sponge->params->rate);

  354.     assert(sponge->params->rate < sizeof(sponge->state));

  355. 

  356.     switch(sponge->params->flags) {

  357.     case FLAG_RNG_SQU:

  358.         get_cpu_entropy(sponge->state->b, 32);

  359.         /* fall through */

  360.     case FLAG_DET_SQU: 

  361.         sponge->params->flags = (sponge->params->flags == FLAG_DET_SQU) ? FLAG_DET_ABS : FLAG_RNG_ABS;

  362.         dokeccak(sponge);

  363.         break;

  364.     case FLAG_DET_ABS: case FLAG_RNG_ABS: break;

  365.     case FLAG_DET_UNI: case FLAG_RNG_UNI: break;

  366.     default: assert(0);

  367.     };

  368. 

  369.     while (len) {

  370.         size_t i;

  371.         size_t cando = sponge->params->rate - sponge->params->position;

  372.         uint8_t* state = &sponge->state->b[sponge->params->position];

  373.         if (cando > len) {

  374.             for (i = 0; i < len; i += 1) state[i] ^= in[i];

  375.             sponge->params->position += len;

  376.             return;

  377.         } else {

  378.             for (i = 0; i < cando; i += 1) state[i] ^= in[i];

  379.             dokeccak(sponge);

  380.             len -= cando;

  381.             in += cando;

  382.         }

  383.     }

  384. }

  385. 

  386. static const struct kparams_s spongerng_params = {

  387.     0, FLAG_RNG_UNI, 200-256/4, 0, 0x06, 0x80, 0xFF, 0

  388. };

  389. 

  390. void spongerng_init_from_buffer (

  391.     keccak_sponge_t sponge,

  392.     const uint8_t * __restrict__ in,

  393.     size_t len,

  394.     int deterministic

  395. ) {

  396.     sponge_init(sponge, &spongerng_params);

  397.     sponge->params->flags = deterministic ? FLAG_DET_ABS : FLAG_RNG_ABS;

  398.     spongerng_stir(sponge, in, len);

  399. }

  400. 

  401. int spongerng_init_from_file (

  402.     keccak_sponge_t sponge,

  403.     const char *file,

  404.     size_t len,

  405.     int deterministic

  406. ) {

  407.     sponge_init(sponge, &spongerng_params);

  408.     sponge->params->flags = deterministic ? FLAG_DET_UNI : FLAG_RNG_UNI;

  409.     if (!len) return -2;

  410. 

  411.     int fd = open(file, O_RDONLY);

  412.     if (fd < 0) return errno ? errno : -1;

  413.     

  414.     uint8_t buffer[128];

  415.     while (len) {

  416.         ssize_t red = read(fd, buffer, (len > sizeof(buffer)) ? sizeof(buffer) : len);

  417.         if (red <= 0) {

  418.             close(fd);

  419.             return errno ? errno : -1;

  420.         }

  421.         spongerng_stir(sponge,buffer,red);

  422.         len -= red;

  423.     };

  424.     close(fd);

  425. 

  426.     sponge->params->flags = deterministic ? FLAG_DET_ABS : FLAG_RNG_ABS;

  427.     return 0;

  428. }

  429. 

  430. int spongerng_init_from_dev_urandom (

  431.     keccak_sponge_t sponge

  432. ) {

  433.     return spongerng_init_from_file(sponge, "/dev/urandom", 64, 0);

  434. }

  435. 

  436. const struct kparams_s STROBE_128 = { 0, 0, 200-128/4, 0, 0, 0, 0, 0 };

  437. const struct kparams_s STROBE_256 = { 0, 0, 200-256/4, 0, 0, 0, 0, 0 };

  438. const struct kparams_s STROBE_KEYED_256 = { 0, 0, 200-256/4, 12, 0, 0, 0, 0 };

  439. const struct kparams_s STROBE_KEYED_128 = { 0, 0, 200-128/4, 12, 0, 0, 0, 0 };

  440. 

  441. /* Strobe is different in that its rate is padded by one byte. */

  442. void strobe_init(

  443.     keccak_sponge_t sponge,

  444.     const struct kparams_s *params,

  445.     uint8_t am_client

  446. ) {

  447.     sponge_init(sponge,params);

  448.     sponge->params->client = !!am_client;

  449. }

  450. 

  451. static void strobe_duplex (

  452.     keccak_sponge_t sponge,

  453.     unsigned char *out,

  454.     const unsigned char *in,

  455.     size_t len

  456. ) {

  457.     unsigned j;

  458.     while (len) {

  459.         assert(sponge->params->rate >= sponge->params->position);

  460.         size_t cando = sponge->params->rate - sponge->params->position;

  461.         uint8_t* state = &sponge->state->b[sponge->params->position];

  462.         if (cando >= len) {

  463.             for (j=0; in && j<len; j++) state[j]^=in[j];

  464.             if (out) memcpy(out, state, len);

  465.             sponge->params->position += len;

  466.             return;

  467.         } else {

  468.             if (in) {

  469.                 for (j=0; j<cando; j++) state[j]^=in[j];

  470.                 in += cando;

  471.             }

  472.             if (out) {

  473.                 memcpy(out, state, cando);

  474.                 out += cando;

  475.             }

  476.             state[cando] ^= 0x1;

  477.             dokeccak(sponge);

  478.             len -= cando;

  479.         }

  480.     }

  481. }

  482. 

  483. static void strobe_forget (

  484.     keccak_sponge_t sponge,

  485.     size_t len

  486. ) {

  487.     assert(sponge->params->rate < sizeof(sponge->state));

  488.     assert(sponge->params->position <= sponge->params->rate);

  489.     if (sizeof(sponge->state) - sponge->params->rate < len) {

  490.         /** Tiny case */

  491.         unsigned char tmp[len];

  492.         strobe_duplex(sponge,tmp,NULL,len);

  493.         if (sponge->params->position) dokeccak(sponge);

  494.         strobe_duplex(sponge,tmp,NULL,len);

  495.         decaf_bzero(tmp,len);

  496.     } else {

  497.         if (sponge->params->rate < len + sponge->params->position) {

  498.             dokeccak(sponge);

  499.         }

  500.         memset(sponge->state->b, 0, len);

  501.         sponge->params->position = len;

  502.     }

  503. }

  504. 

  505. static void strobe_unduplex (

  506.     keccak_sponge_t sponge,

  507.     unsigned char *out,

  508.     const unsigned char *in,

  509.     size_t len

  510. ) {

  511.     unsigned j;

  512.     while (len) {

  513.         assert(sponge->params->rate >= sponge->params->position);

  514.         size_t cando = sponge->params->rate - sponge->params->position;

  515.         uint8_t* state = &sponge->state->b[sponge->params->position];

  516.         if (cando >= len) {

  517.             for (j=0; in && j<len; j++) {

  518.                 unsigned char c = in[j];

  519.                 out[j] = in[j] ^ state[j];

  520.                 state[j] = c;

  521.             }

  522.             sponge->params->position += len;

  523.             return;

  524.         } else {

  525.             for (j=0; in && j<cando; j++) {

  526.                 unsigned char c = in[j];

  527.                 out[j] = in[j] ^ state[j];

  528.                 state[j] = c;

  529.             }

  530.             state[j] ^= 0x1;

  531.             dokeccak(sponge);

  532.             len -= cando;

  533.         }

  534.     }

  535. }

  536. 

  537. enum { KEY=1, NONCE, AD, PLAINTEXT, CIPHERTEXT, TAGFORGET, DIVERSIFIER, PRNG, FORK, JOIN, RESPEC };

  538. 

  539. #define CLIENT_TO_SERVER 0

  540. #define SERVER_TO_CLIENT 0x80

  541. 

  542. static decaf_bool_t strobe_control_word (

  543.     keccak_sponge_t sponge,

  544.     const unsigned char *control,

  545.     size_t len,

  546.     uint8_t more

  547. ) {

  548.     assert(sponge->params->rate < sizeof(sponge->state));

  549.     decaf_bool_t ret = DECAF_SUCCESS;

  550.     if (!more) {

  551.         strobe_duplex(sponge,NULL,control,len);

  552.         sponge->state->b[sponge->params->position] ^= 0x1;

  553.         sponge->state->b[sponge->params->rate] ^= 0x2;

  554.         dokeccak(sponge);

  555.         sponge->params->flags = control[len-1];

  556.     } else if (sponge->params->flags && sponge->params->flags != control[len-1]) {

  557.         ret = DECAF_FAILURE;

  558.     }

  559.     sponge->params->flags = control[len-1];

  560.     return ret;

  561. }

  562. 

  563. decaf_bool_t strobe_encrypt (

  564.     keccak_sponge_t sponge,

  565.     unsigned char *out,

  566.     const unsigned char *in,

  567.     size_t len,

  568.     uint8_t more

  569. ) {

  570.     unsigned char control[] = { CIPHERTEXT |

  571.         (sponge->params->client ? CLIENT_TO_SERVER : SERVER_TO_CLIENT)

  572.     };

  573.     decaf_bool_t ret = strobe_control_word(sponge, control, sizeof(control), more);

  574.     strobe_duplex(sponge, out, in, len);

  575.     if (!sponge->params->pad/*keyed*/) ret = DECAF_FAILURE;

  576.     return ret;

  577. }

  578. 

  579. decaf_bool_t strobe_decrypt (

  580.     keccak_sponge_t sponge,

  581.     unsigned char *out,

  582.     const unsigned char *in,

  583.     size_t len,

  584.     uint8_t more

  585. ) {

  586.     unsigned char control[] = { CIPHERTEXT |

  587.         (sponge->params->client ? SERVER_TO_CLIENT : CLIENT_TO_SERVER)

  588.     };

  589.     decaf_bool_t ret = strobe_control_word(sponge, control, sizeof(control), more);

  590.     strobe_unduplex(sponge, out, in, len);

  591.     if (!sponge->params->pad/*keyed*/) ret = DECAF_FAILURE;

  592.     return ret;

  593. }

  594. 

  595. decaf_bool_t strobe_plaintext (

  596.     keccak_sponge_t sponge,

  597.     const unsigned char *in,

  598.     size_t len,

  599.     uint8_t iSent,

  600.     uint8_t more

  601. ) {

  602.     unsigned char control[] = { PLAINTEXT |

  603.         ((sponge->params->client == !!iSent) ? CLIENT_TO_SERVER : SERVER_TO_CLIENT)

  604.     };

  605.     decaf_bool_t ret = strobe_control_word(sponge, control, sizeof(control), more);

  606.     strobe_duplex(sponge, NULL, in, len);

  607.     return ret;

  608. }

  609. 

  610. decaf_bool_t strobe_key (

  611.     keccak_sponge_t sponge,

  612.     const unsigned char *in,

  613.     size_t len,

  614.     uint8_t more

  615. ) {

  616.     unsigned char control[] = { KEY };

  617.     decaf_bool_t ret = strobe_control_word(sponge, control, sizeof(control), more);

  618.     strobe_duplex(sponge, NULL, in, len);

  619.     sponge->params->pad/*=keyed*/ = 1;

  620.     return ret;

  621. }

  622. 

  623. decaf_bool_t strobe_nonce (

  624.     keccak_sponge_t sponge,

  625.     const unsigned char *in,

  626.     size_t len,

  627.     uint8_t more

  628. ) {

  629.     unsigned char control[] = { NONCE };

  630.     decaf_bool_t ret = strobe_control_word(sponge, control, sizeof(control), more);

  631.     strobe_duplex(sponge, NULL, in, len);

  632.     return ret;

  633. }

  634. 

  635. decaf_bool_t strobe_ad (

  636.     keccak_sponge_t sponge,

  637.     const unsigned char *in,

  638.     size_t len,

  639.     uint8_t more

  640. ) {

  641.     unsigned char control[] = { AD };

  642.     decaf_bool_t ret = strobe_control_word(sponge, control, sizeof(control), more);

  643.     strobe_duplex(sponge, NULL, in, len);

  644.     return ret;

  645. }

  646. 

  647. #define STROBE_FORGET_BYTES 32

  648. 

  649. decaf_bool_t strobe_produce_auth (

  650.     keccak_sponge_t sponge,

  651.     unsigned char *out,

  652.     size_t len

  653. ) {

  654.     unsigned char control[] = {

  655.         (unsigned char)len,

  656.         (unsigned char)STROBE_FORGET_BYTES,

  657.         TAGFORGET | (sponge->params->client ? CLIENT_TO_SERVER : SERVER_TO_CLIENT)

  658.     };

  659.     decaf_bool_t ret = strobe_control_word(sponge, control, sizeof(control), 0);

  660.     strobe_duplex(sponge, out, NULL, len);

  661.     strobe_forget(sponge, STROBE_FORGET_BYTES);

  662.     if (!sponge->params->pad/*keyed*/) ret = DECAF_FAILURE;

  663.     return ret;

  664. }

  665. 

  666. decaf_bool_t strobe_prng (

  667.     keccak_sponge_t sponge,

  668.     unsigned char *out,

  669.     size_t len,

  670.     uint8_t more

  671. ) {

  672.     unsigned char control[9] = { PRNG };

  673.     int i;

  674.     for (i=0; i<8; i++) control[i+1] = len>>(8*i);

  675.     

  676.     decaf_bool_t ret = strobe_control_word(sponge, control, sizeof(control), more);

  677.     strobe_duplex(sponge, out, NULL, len);

  678.     // TODO: forget as follows? this breaks "more"

  679.     // unsigned char control2[] = { 0, STROBE_FORGET_BYTES, TAGFORGET };

  680.     // ret &= strobe_control_word(sponge, control2, sizeof(control2));

  681.     // strobe_forget(sponge, STROBE_FORGET_BYTES);

  682.     if (!sponge->params->pad/*keyed*/) ret = DECAF_FAILURE;

  683.     return ret;

  684. }

  685. 

  686. decaf_bool_t strobe_verify_auth (

  687.     keccak_sponge_t sponge,

  688.     const unsigned char *in,

  689.     size_t len

  690. ) {

  691.     unsigned char control[] = {

  692.         (unsigned char)len,

  693.         (unsigned char)STROBE_FORGET_BYTES,

  694.         TAGFORGET | (sponge->params->client ? SERVER_TO_CLIENT : CLIENT_TO_SERVER)

  695.     };

  696.     decaf_bool_t ret = strobe_control_word(sponge, control, sizeof(control), 0);

  697.     unsigned char zero[len];

  698.     strobe_unduplex(sponge, zero, in, len);

  699.     strobe_forget(sponge, STROBE_FORGET_BYTES);

  700.     

  701.     /* Check for 0 */

  702.     decaf_bool_t chain=0;

  703.     unsigned i;

  704.     for (i=0; i<len; i++) {

  705.         chain |= zero[i];

  706.     }

  707.     ret &= ((decaf_dword_t)chain-1)>>(8*sizeof(decaf_word_t));

  708.     if (!sponge->params->pad/*keyed*/) ret = DECAF_FAILURE;

  709.     return ret;

  710. }

  711. 

  712. decaf_bool_t strobe_respec (

  713.     keccak_sponge_t sponge,

  714.     const struct kparams_s *params

  715. ) {

  716.     unsigned char control[] = { params->rate, params->startRound, RESPEC };

  717.     decaf_bool_t ret = strobe_control_word(sponge, control, sizeof(control), 0);

  718.     if (!sponge->params->pad/*keyed*/) ret = DECAF_FAILURE;

  719.     sponge->params->rate = params->rate;

  720.     sponge->params->startRound = params->startRound;

  721.     return ret;

  722. }

  723. 

  724. /* FUTURE: Keyak instances, etc */