jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
514 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: b0af873fc8
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b0af873fc8'
${ noResults }
ed448goldilocks/src/shake.c

241 lines
7.2 KiB
Raw Blame History 

  1. /**

  2.  * @cond internal

  3.  * @file shake.c

  4.  * @copyright

  5.  *   Uses public domain code by Mathias Panzenböck \n

  6.  *   Uses CC0 code by David Leon Gil, 2015 \n

  7.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  8.  *   Released under the MIT License.  See LICENSE.txt for license information.

  9.  * @author Mike Hamburg

  10.  * @brief SHA-3-n and SHAKE-n instances.

  11.  * @warning EXPERIMENTAL!  The names, parameter orders etc are likely to change.

  12.  */

  13. 

  14. #define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s */

  15. #define _BSD_SOURCE 1 /* for endian */

  16. #define _DEFAULT_SOURCE 1 /* for endian with glibc 2.20 */

  17. #include <assert.h>

  18. #include <stdint.h>

  19. #include <string.h>

  20. 

  21. #include "portable_endian.h"

  22. #include "keccak_internal.h"

  23. #include <decaf/shake.h>

  24. 

  25. #define FLAG_ABSORBING 'A'

  26. #define FLAG_SQUEEZING 'Z'

  27. 

  28. /** Constants. **/

  29. static const uint8_t pi[24] = {

  30.     10, 7,  11, 17, 18, 3, 5,  16, 8,  21, 24, 4,

  31.     15, 23, 19, 13, 12, 2, 20, 14, 22, 9,  6,  1

  32. };

  33. 

  34. #define RC_B(x,n) ((((x##ull)>>n)&1)<<((1<<n)-1))

  35. #define RC_X(x) (RC_B(x,0)|RC_B(x,1)|RC_B(x,2)|RC_B(x,3)|RC_B(x,4)|RC_B(x,5)|RC_B(x,6))

  36. static const uint64_t RC[24] = {

  37.     RC_X(0x01), RC_X(0x1a), RC_X(0x5e), RC_X(0x70), RC_X(0x1f), RC_X(0x21),

  38.     RC_X(0x79), RC_X(0x55), RC_X(0x0e), RC_X(0x0c), RC_X(0x35), RC_X(0x26),

  39.     RC_X(0x3f), RC_X(0x4f), RC_X(0x5d), RC_X(0x53), RC_X(0x52), RC_X(0x48),

  40.     RC_X(0x16), RC_X(0x66), RC_X(0x79), RC_X(0x58), RC_X(0x21), RC_X(0x74)

  41. };

  42. 

  43. static inline uint64_t rol(uint64_t x, int s) {

  44.     return (x << s) | (x >> (64 - s));

  45. }

  46. 

  47. /* Helper macros to unroll the permutation. */

  48. #define REPEAT5(e) e e e e e

  49. #define FOR51(v, e) v = 0; REPEAT5(e; v += 1;)

  50. #ifndef SHAKE_NO_UNROLL_LOOPS

  51. #    define FOR55(v, e) v = 0; REPEAT5(e; v += 5;)

  52. #    define REPEAT24(e) e e e e e e e e e e e e e e e e e e e e e e e e

  53. #else

  54. #    define FOR55(v, e) for (v=0; v<25; v+= 5) { e; }

  55. #    define REPEAT24(e) {int _j=0; for (_j=0; _j<24; _j++) { e }}

  56. #endif

  57. 

  58. /*** The Keccak-f[1600] permutation ***/

  59. void keccakf(kdomain_t state, uint8_t start_round) {

  60.     uint64_t* a = state->w;

  61.     uint64_t b[5] = {0}, t, u;

  62.     uint8_t x, y, i;

  63.     

  64.     for (i=0; i<25; i++) a[i] = le64toh(a[i]);

  65. 

  66.     for (i = start_round; i < 24; i++) {

  67.         FOR51(x, b[x] = 0; )

  68.         FOR55(y, FOR51(x, b[x] ^= a[x + y]; ))

  69.         FOR55(y, FOR51(x,

  70.             a[y + x] ^= b[(x + 4) % 5] ^ rol(b[(x + 1) % 5], 1);

  71.         ))

  72.         // Rho and pi

  73.         t = a[1];

  74.         x = y = 0;

  75.         REPEAT24(u = a[pi[x]]; y += x+1; a[pi[x]] = rol(t, y % 64); t = u; x++; )

  76.         // Chi

  77.         FOR55(y,

  78.              FOR51(x, b[x] = a[y + x];)

  79.              FOR51(x, a[y + x] = b[x] ^ ((~b[(x + 1) % 5]) & b[(x + 2) % 5]);)

  80.         )

  81.         // Iota

  82.         a[0] ^= RC[i];

  83.     }

  84. 

  85.     for (i=0; i<25; i++) a[i] = htole64(a[i]);

  86. }

  87. 

  88. decaf_error_t decaf_sha3_update (

  89.     struct decaf_keccak_sponge_s * __restrict__ decaf_sponge,

  90.     const uint8_t *in,

  91.     size_t len

  92. ) {

  93.     assert(decaf_sponge->params->position < decaf_sponge->params->rate);

  94.     assert(decaf_sponge->params->rate < sizeof(decaf_sponge->state));

  95.     assert(decaf_sponge->params->flags == FLAG_ABSORBING);

  96.     while (len) {

  97.         size_t cando = decaf_sponge->params->rate - decaf_sponge->params->position, i;

  98.         uint8_t* state = &decaf_sponge->state->b[decaf_sponge->params->position];

  99.         if (cando > len) {

  100.             for (i = 0; i < len; i += 1) state[i] ^= in[i];

  101.             decaf_sponge->params->position += len;

  102.             break;

  103.         } else {

  104.             for (i = 0; i < cando; i += 1) state[i] ^= in[i];

  105.             dokeccak(decaf_sponge);

  106.             len -= cando;

  107.             in += cando;

  108.         }

  109.     }

  110.     return (decaf_sponge->params->flags == FLAG_ABSORBING) ? DECAF_SUCCESS : DECAF_FAILURE;

  111. }

  112. 

  113. decaf_error_t decaf_sha3_output (

  114.     decaf_keccak_sponge_t decaf_sponge,

  115.     uint8_t * __restrict__ out,

  116.     size_t len

  117. ) {

  118.     decaf_error_t ret = DECAF_SUCCESS;

  119.     assert(decaf_sponge->params->position < decaf_sponge->params->rate);

  120.     assert(decaf_sponge->params->rate < sizeof(decaf_sponge->state));

  121.     

  122.     if (decaf_sponge->params->max_out != 0xFF) {

  123.         if (decaf_sponge->params->remaining >= len) {

  124.             decaf_sponge->params->remaining -= len;

  125.         } else {

  126.             decaf_sponge->params->remaining = 0;

  127.             ret = DECAF_FAILURE;

  128.         }

  129.     }

  130.     

  131.     switch (decaf_sponge->params->flags) {

  132.     case FLAG_SQUEEZING: break;

  133.     case FLAG_ABSORBING:

  134.         {

  135.             uint8_t* state = decaf_sponge->state->b;

  136.             state[decaf_sponge->params->position] ^= decaf_sponge->params->pad;

  137.             state[decaf_sponge->params->rate - 1] ^= decaf_sponge->params->rate_pad;

  138.             dokeccak(decaf_sponge);

  139.             decaf_sponge->params->flags = FLAG_SQUEEZING;

  140.             break;

  141.         }

  142.     default:

  143.         assert(0);

  144.     }

  145.     

  146.     while (len) {

  147.         size_t cando = decaf_sponge->params->rate - decaf_sponge->params->position;

  148.         uint8_t* state = &decaf_sponge->state->b[decaf_sponge->params->position];

  149.         if (cando > len) {

  150.             memcpy(out, state, len);

  151.             decaf_sponge->params->position += len;

  152.             return ret;

  153.         } else {

  154.             memcpy(out, state, cando);

  155.             dokeccak(decaf_sponge);

  156.             len -= cando;

  157.             out += cando;

  158.         }

  159.     }

  160.     return ret;

  161. }

  162. 

  163. decaf_error_t decaf_sha3_final (

  164.     decaf_keccak_sponge_t decaf_sponge,

  165.     uint8_t * __restrict__ out,

  166.     size_t len

  167. ) {

  168.     decaf_error_t ret = decaf_sha3_output(decaf_sponge,out,len);

  169.     decaf_sha3_reset(decaf_sponge);

  170.     return ret;

  171. }

  172. 

  173. void decaf_sha3_reset (

  174.     decaf_keccak_sponge_t decaf_sponge

  175. ) {

  176.     decaf_sha3_init(decaf_sponge, decaf_sponge->params);

  177.     decaf_sponge->params->flags = FLAG_ABSORBING;

  178.     decaf_sponge->params->remaining = decaf_sponge->params->max_out;

  179. }

  180. 

  181. void decaf_sha3_destroy (decaf_keccak_sponge_t decaf_sponge) {

  182.     decaf_bzero(decaf_sponge, sizeof(decaf_keccak_sponge_t));

  183. }

  184. 

  185. void decaf_sha3_init (

  186.     decaf_keccak_sponge_t decaf_sponge,

  187.     const struct decaf_kparams_s *params

  188. ) {

  189.     memset(decaf_sponge->state, 0, sizeof(decaf_sponge->state));

  190.     decaf_sponge->params[0] = params[0];

  191.     decaf_sponge->params->position = 0;

  192. }

  193. 

  194. decaf_error_t decaf_sha3_hash (

  195.     uint8_t *out,

  196.     size_t outlen,

  197.     const uint8_t *in,

  198.     size_t inlen,

  199.     const struct decaf_kparams_s *params

  200. ) {

  201.     decaf_keccak_sponge_t decaf_sponge;

  202.     decaf_sha3_init(decaf_sponge, params);

  203.     decaf_sha3_update(decaf_sponge, in, inlen);

  204.     decaf_error_t ret = decaf_sha3_output(decaf_sponge, out, outlen);

  205.     decaf_sha3_destroy(decaf_sponge);

  206.     return ret;

  207. }

  208. 

  209. #define DEFSHAKE(n) \

  210.     const struct decaf_kparams_s DECAF_SHAKE##n##_params_s = \

  211.         { 0, FLAG_ABSORBING, 200-n/4, 0, 0x1f, 0x80, 0xFF, 0xFF };

  212.     

  213. #define DEFSHA3(n) \

  214.     const struct decaf_kparams_s DECAF_SHA3_##n##_params_s = \

  215.         { 0, FLAG_ABSORBING, 200-n/4, 0, 0x06, 0x80, n/8, n/8 };

  216. 

  217. size_t decaf_sha3_default_output_bytes (

  218.     const decaf_keccak_sponge_t s

  219. ) {

  220.     return (s->params->max_out == 0xFF)

  221.         ? (200-s->params->rate)

  222.         : ((200-s->params->rate)/2);

  223. }

  224. 

  225. size_t decaf_sha3_max_output_bytes (

  226.     const decaf_keccak_sponge_t s

  227. ) {

  228.     return (s->params->max_out == 0xFF)

  229.         ? SIZE_MAX

  230.         : (size_t)((200-s->params->rate)/2);

  231. }

  232. 

  233. DEFSHAKE(128)

  234. DEFSHAKE(256)

  235. DEFSHA3(224)

  236. DEFSHA3(256)

  237. DEFSHA3(384)

  238. DEFSHA3(512)

  239. 

  240. /* FUTURE: Keyak instances, etc */