jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
168 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: f18cf359c6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f18cf359c6'
${ noResults }
ed448goldilocks/include/shake.hxx

376 lines
12 KiB
Raw Blame History 

  1. /**

  2.  * @file shake.hxx

  3.  * @copyright

  4.  *   Based on CC0 code by David Leon Gil, 2015 \n

  5.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  6.  *   Released under the MIT License.  See LICENSE.txt for license information.

  7.  * @author Mike Hamburg

  8.  * @brief SHA-3-n and SHAKE-n instances, C++ wrapper.

  9.  * @warning EXPERIMENTAL!  The names, parameter orders etc are likely to change.

  10.  */

  11. 

  12. #ifndef __SHAKE_HXX__

  13. #define __SHAKE_HXX__

  14. 

  15. #include "shake.h"

  16. #include <string>

  17. #include <sys/types.h>

  18. 

  19. /** @cond internal */

  20. #if __cplusplus >= 201103L

  21. #define DELETE = delete

  22. #define NOEXCEPT noexcept

  23. #define EXPLICIT_CON explicit

  24. #define GET_DATA(str) ((const unsigned char *)&(str)[0])

  25. #else

  26. #define DELETE

  27. #define NOEXCEPT throw()

  28. #define EXPLICIT_CON

  29. #define GET_DATA(str) ((const unsigned char *)((str).data()))

  30. #endif

  31. /** @endcond */

  32. 

  33. namespace decaf {

  34. 

  35. /** A Keccak sponge internal class */

  36. class KeccakSponge {

  37. protected:

  38.     /** The C-wrapper sponge state */

  39.     keccak_sponge_t sp;

  40. 

  41.     /** Initialize from parameters */

  42.     inline KeccakSponge(const struct kparams_s *params) NOEXCEPT { sponge_init(sp, params); }

  43.     

  44.     /** No initialization */

  45.     inline KeccakSponge(const NOINIT &) NOEXCEPT { }

  46. 

  47. public:

  48.     /** Destructor zeroizes state */

  49.     inline ~KeccakSponge() NOEXCEPT { sponge_destroy(sp); }

  50. };

  51. 

  52. /**

  53.  * Hash function derived from Keccak

  54.  * @todo throw exceptions when hash is misused.

  55.  */

  56. class KeccakHash : public KeccakSponge {

  57. protected:

  58.     /** Initialize from parameters */

  59.     inline KeccakHash(const kparams_s *params) NOEXCEPT : KeccakSponge(params) {}

  60.     

  61. public:

  62.     /** Add more data to running hash */

  63.     inline void update(const uint8_t *__restrict__ in, size_t len) { sha3_update(sp,in,len); }

  64. 

  65.     /** Add more data to running hash, C++ version. */

  66.     inline void update(const Block &s) { sha3_update(sp,s.data(),s.size()); }

  67.     

  68.     /** Add more data, stream version. */

  69.     inline KeccakHash &operator<<(const Block &s) { update(s); return *this; }

  70.     

  71.     /** Same as <<. */

  72.     inline KeccakHash &operator+=(const Block &s) { return *this << s; }

  73.     

  74.     /**

  75.      * @brief Output bytes from the sponge.

  76.      * @todo make this throw exceptions.

  77.      */

  78.     inline void output(TmpBuffer b) { sha3_output(sp,b.data(),b.size()); }

  79.     

  80.     /**

  81.      * @brief Output bytes from the sponge.

  82.      * @todo make this throw exceptions.

  83.      */

  84.     inline void output(Buffer &b) { sha3_output(sp,b.data(),b.size()); }

  85.     

  86.     /** @brief Output bytes from the sponge. */

  87.     inline SecureBuffer output(size_t len) {

  88.         SecureBuffer buffer(len);

  89.         sha3_output(sp,buffer,len);

  90.         return buffer;

  91.     }

  92.     

  93.     /** @brief Return the sponge's default output size. */

  94.     inline size_t default_output_size() const NOEXCEPT {

  95.         return sponge_default_output_bytes(sp);

  96.     }

  97.     

  98.     /** Output the default number of bytes. */

  99.     inline SecureBuffer output() {

  100.         return output(default_output_size());

  101.     }

  102. };

  103. 

  104. /** Fixed-output-length SHA3 */

  105. template<int bits> class SHA3 : public KeccakHash {

  106. private:

  107.     /** Get the parameter template block for this hash */

  108.     const struct kparams_s *get_params();

  109. public:

  110.     /** Initializer */

  111.     inline SHA3() NOEXCEPT : KeccakHash(get_params()) {}

  112. 

  113.     /** Reset the hash to the empty string */

  114.     inline void reset() NOEXCEPT { sponge_init(sp, get_params()); }

  115. };

  116. 

  117. /** Variable-output-length SHAKE */

  118. template<int bits>

  119. class SHAKE : public KeccakHash {

  120. private:

  121.     /** Get the parameter template block for this hash */

  122.     const struct kparams_s *get_params();

  123. public:

  124.     /** Initializer */

  125.     inline SHAKE() NOEXCEPT : KeccakHash(get_params()) {}

  126. 

  127.     /** Reset the hash to the empty string */

  128.     inline void reset() NOEXCEPT { sponge_init(sp, get_params()); }

  129. };

  130. 

  131. /** @cond internal */

  132. template<> const struct kparams_s *SHAKE<128>::get_params() { return &SHAKE128_params_s; }

  133. template<> const struct kparams_s *SHAKE<256>::get_params() { return &SHAKE256_params_s; }

  134. template<> const struct kparams_s *SHA3<224>::get_params() { return &SHA3_224_params_s; }

  135. template<> const struct kparams_s *SHA3<256>::get_params() { return &SHA3_256_params_s; }

  136. template<> const struct kparams_s *SHA3<384>::get_params() { return &SHA3_384_params_s; }

  137. template<> const struct kparams_s *SHA3<512>::get_params() { return &SHA3_512_params_s; }

  138. /** @endcond */

  139. 

  140. /** @brief An exception for misused protocol, eg encrypt with no key. */

  141. class ProtocolException : public std::exception {

  142. public:

  143.     /** @return "ProtocolException" */

  144.     virtual const char * what() const NOEXCEPT { return "ProtocolException"; }

  145. };

  146.     

  147. /** Sponge-based random-number generator */

  148. class SpongeRng : private KeccakSponge {

  149. public:

  150.     class RngException : public std::exception {

  151.     private:

  152.         const char *const what_;

  153.     public:

  154.         const int err_code;

  155.         const char *what() const NOEXCEPT { return what_; }

  156.         RngException(int err_code, const char *what_) NOEXCEPT : what_(what_), err_code(err_code) {}

  157.     };

  158.     

  159.     /** Initialize, deterministically by default, from block */

  160.     inline SpongeRng( const Block &in, bool deterministic = true )

  161.     : KeccakSponge((NOINIT())) {

  162.         spongerng_init_from_buffer(sp,in.data(),in.size(),deterministic);

  163.     }

  164.     

  165.     /** Initialize, non-deterministically by default, from C/C++ filename */

  166.     inline SpongeRng( const std::string &in = "/dev/urandom", size_t len = 32, bool deterministic = false )

  167.         throw(RngException)

  168.     : KeccakSponge((NOINIT())) {

  169.         int ret = spongerng_init_from_file(sp,in.c_str(),len,deterministic);

  170.         if (ret) {

  171.             throw RngException(ret, "Couldn't load from file");

  172.         }

  173.     }

  174.     

  175.     /** Read data to a buffer. */

  176.     inline void read(Buffer &buffer) { spongerng_next(sp,buffer.data(),buffer.size()); }

  177.     

  178.     /** Read data to a buffer. */

  179.     inline void read(TmpBuffer buffer) { read((Buffer &)buffer); }

  180.     

  181.     /** Read data to a C++ string 

  182.      * @warning TODO Future versions of this function may throw RngException if a

  183.      * nondeterministic RNG fails a reseed.

  184.      */

  185.     inline SecureBuffer read(size_t length) throw(std::bad_alloc) {

  186.         SecureBuffer out(length); read(out); return out;

  187.     }

  188.     

  189. private:

  190.     SpongeRng(const SpongeRng &) DELETE;

  191.     SpongeRng &operator=(const SpongeRng &) DELETE;

  192. };

  193. 

  194. /**@cond internal*/

  195. /* FIXME: multiple sizes */

  196. decaf<448>::Scalar::Scalar(SpongeRng &rng) {

  197.     *this = rng.read(SER_BYTES);

  198. }

  199. 

  200. decaf<448>::Point::Point(SpongeRng &rng, bool uniform) {

  201.     SecureBuffer buffer((uniform ? 2 : 1) * HASH_BYTES);

  202.     rng.read(buffer);

  203.     if (uniform) {

  204.         decaf_448_point_from_hash_uniform(p,buffer);

  205.     } else {

  206.         decaf_448_point_from_hash_nonuniform(p,buffer);

  207.     }

  208. }

  209. /**@endcond*/

  210. 

  211. class Strobe : private KeccakSponge {

  212. public:

  213.     /* TODO: pull out parameters */

  214.     

  215.     /** Am I a server or a client? */

  216.     enum client_or_server { SERVER, CLIENT };

  217.     

  218.     inline Strobe (

  219.         client_or_server whoami,

  220.         const kparams_s &params = STROBE_256

  221.     ) NOEXCEPT : KeccakSponge(NOINIT()) {

  222.         strobe_init(sp, &params, whoami == CLIENT);

  223.     }

  224. 

  225.     inline void key (

  226.         const Block &data, bool more = false

  227.     ) throw(ProtocolException) {

  228.         if (!strobe_key(sp, data, data.size(), more)) throw ProtocolException();

  229.     }

  230. 

  231.     inline void nonce(const Block &data, bool more = false

  232.     ) throw(ProtocolException) {

  233.         if (!strobe_nonce(sp, data, data.size(), more)) throw ProtocolException();

  234.     }

  235. 

  236.     inline void send_plaintext(const Block &data, bool more = false

  237.     ) throw(ProtocolException) {

  238.         if (!strobe_plaintext(sp, data, data.size(), true, more))

  239.             throw(ProtocolException());

  240.     }

  241. 

  242.     inline void recv_plaintext(const Block &data, bool more = false

  243.     ) throw(ProtocolException) {

  244.         if (!strobe_plaintext(sp, data, data.size(), false, more))

  245.             throw(ProtocolException());

  246.     }

  247. 

  248.     inline void ad(const Block &data, bool more = false

  249.     ) throw(ProtocolException) {

  250.         if (!strobe_ad(sp, data, data.size(), more))

  251.             throw(ProtocolException());

  252.     }

  253.     

  254.     inline void encrypt_no_auth(

  255.         Buffer &out, const Block &data, bool more = false

  256.     ) throw(LengthException,ProtocolException) {

  257.         if (out.size() != data.size()) throw LengthException();

  258.         if (!strobe_encrypt(sp, out, data, data.size(), more)) throw(ProtocolException());

  259.     }

  260.     

  261.     inline void encrypt_no_auth(

  262.         TmpBuffer out, const Block &data, bool more = false

  263.     ) throw(LengthException,ProtocolException) {

  264.         encrypt_no_auth((Buffer &)out, data, more);

  265.     }

  266.     

  267.     inline SecureBuffer encrypt_no_auth(const Block &data, bool more = false

  268.     ) throw(ProtocolException) {

  269.         SecureBuffer out(data.size()); encrypt_no_auth(out, data, more); return out;

  270.     }

  271.     

  272.     inline void decrypt_no_auth(

  273.         Buffer &out, const Block &data, bool more = false

  274.     ) throw(LengthException,ProtocolException) {

  275.         if (out.size() != data.size()) throw LengthException();

  276.         if (!strobe_decrypt(sp, out, data, data.size(), more)) throw ProtocolException();

  277.     }

  278.     

  279.     inline void decrypt_no_auth(

  280.         TmpBuffer out, const Block &data, bool more = false

  281.     ) throw(LengthException,ProtocolException) {

  282.         decrypt_no_auth((Buffer &)out, data, more);

  283.     }

  284.     

  285.     inline SecureBuffer decrypt_no_auth(const Block &data, bool more = false

  286.     ) throw(ProtocolException) {

  287.         SecureBuffer out(data.size()); decrypt_no_auth(out, data, more); return out;

  288.     }

  289.     

  290.     inline void produce_auth(Buffer &out) throw(LengthException,ProtocolException) {

  291.         if (out.size() > STROBE_MAX_AUTH_BYTES) throw LengthException();

  292.         if (!strobe_produce_auth(sp, out, out.size())) throw ProtocolException();

  293.     }

  294.     

  295.     inline void produce_auth(TmpBuffer out) throw(LengthException,ProtocolException) {

  296.         produce_auth((Buffer &)out);

  297.     }

  298.     

  299.     inline SecureBuffer produce_auth(

  300.         uint8_t bytes = 8

  301.     ) throw(ProtocolException) {

  302.         SecureBuffer out(bytes); produce_auth(out); return out;

  303.     }

  304.     

  305.     inline void encrypt(

  306.         Buffer &out, const Block &data, uint8_t auth = 8

  307.     ) throw(LengthException,ProtocolException) {

  308.         if (out.size() < data.size() || out.size() != data.size() + auth) throw LengthException();

  309.         encrypt_no_auth(out.slice(0,data.size()), data);

  310.         produce_auth(out.slice(data.size(),auth));

  311.     }

  312.     

  313.     inline void encrypt (

  314.         TmpBuffer out, const Block &data, uint8_t auth = 8

  315.     ) throw(LengthException,ProtocolException) {

  316.         encrypt((Buffer &)out, data, auth);

  317.     }

  318.     

  319.     inline SecureBuffer encrypt (

  320.         const Block &data, uint8_t auth = 8

  321.     ) throw(LengthException,ProtocolException,std::bad_alloc ){

  322.         SecureBuffer out(data.size() + auth); encrypt(out, data, auth); return out;

  323.     }

  324.     

  325.     inline void decrypt (

  326.         Buffer &out, const Block &data, uint8_t bytes = 8

  327.     ) throw(LengthException, CryptoException, ProtocolException) {

  328.         if (out.size() > data.size() || out.size() != data.size() - bytes) throw LengthException();

  329.         decrypt_no_auth(out, data.slice(0,out.size()));

  330.         verify_auth(data.slice(out.size(),bytes));

  331.     }

  332.     

  333.     inline void decrypt (

  334.         TmpBuffer out, const Block &data, uint8_t bytes = 8

  335.     ) throw(LengthException,CryptoException,ProtocolException) {

  336.         decrypt((Buffer &)out, data, bytes);

  337.     }

  338.     

  339.     inline SecureBuffer decrypt (

  340.         const Block &data, uint8_t bytes = 8

  341.     ) throw(LengthException,CryptoException,ProtocolException,std::bad_alloc) {

  342.         if (data.size() < bytes) throw LengthException();

  343.         SecureBuffer out(data.size() - bytes); decrypt(out, data, bytes); return out;

  344.     }

  345.     

  346.     inline void verify_auth(const Block &auth) throw(LengthException,CryptoException) {

  347.         if (auth.size() == 0 || auth.size() > STROBE_MAX_AUTH_BYTES) throw LengthException();

  348.         if (!strobe_verify_auth(sp, auth, auth.size())) throw CryptoException();

  349.     }

  350.     

  351.     inline void prng(Buffer &out, bool more = false) NOEXCEPT {

  352.         (void)strobe_prng(sp, out, out.size(), more);

  353.     }

  354.     

  355.     inline void prng(TmpBuffer out, bool more = false) NOEXCEPT {

  356.         prng((Buffer &)out, more);

  357.     }

  358.     

  359.     inline SecureBuffer prng(size_t bytes, bool more = false) {

  360.         SecureBuffer out(bytes); prng(out, more); return out;

  361.     }

  362.     

  363.     inline void respec(const kparams_s &params) throw(ProtocolException) {

  364.         if (!strobe_respec(sp, &params)) throw(ProtocolException());

  365.     }

  366. };

  367.   

  368. } /* namespace decaf */

  369. 

  370. #undef NOEXCEPT

  371. #undef EXPLICIT_CON

  372. #undef GET_DATA

  373. #undef DELETE

  374. 

  375. #endif /* __SHAKE_HXX__ */