Merge pull request #208 from PQClean/hash_state_comment

Document what exactly hash_state.h defines

crypto_sign/sphincs-haraka-128f-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-haraka-128f-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-haraka-128s-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-haraka-128s-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-haraka-192f-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-haraka-192f-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-haraka-192s-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-haraka-192s-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-haraka-256f-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-haraka-256f-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-haraka-256s-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-haraka-256s-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

crypto_sign/sphincs-sha256-128f-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-sha256-128f-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-sha256-128s-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-sha256-128s-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-sha256-192f-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-sha256-192f-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-sha256-192s-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-sha256-192s-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-sha256-256f-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-sha256-256f-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-sha256-256s-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-sha256-256s-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

crypto_sign/sphincs-shake256-128f-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

crypto_sign/sphincs-shake256-128f-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

crypto_sign/sphincs-shake256-128s-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

crypto_sign/sphincs-shake256-128s-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

crypto_sign/sphincs-shake256-192f-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

crypto_sign/sphincs-shake256-192f-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

crypto_sign/sphincs-shake256-192s-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

crypto_sign/sphincs-shake256-192s-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

crypto_sign/sphincs-shake256-256f-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

crypto_sign/sphincs-shake256-256f-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

crypto_sign/sphincs-shake256-256s-robust/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

crypto_sign/sphincs-shake256-256s-simple/clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int