kris/pqc
1
1
Derivar 0
Código Questões Pedidos de integração Lançamentos Wiki Trabalho

Implement ctx struct for fips202

Ver a proveniência
Este cometimento está contido em:
Thom Wiggers 2019-05-20 10:22:51 +02:00
ascendente 6953a0b32e
cometimento b153768783
Não foi encontrada uma chave conhecida para esta assinatura, na base de dados
ID da chave GPG: 001BB0A7CE26E363
3 ficheiros modificados com 129 adições e 118 eliminações
Mostrar estatísticas Descarregar ficheiro patch Descarregar ficheiro diff Expandir todos os ficheiros Colapsar todos os ficheiros

98
common/fips202.c
Ver ficheiro

@ -520,36 +520,36 @@ static void keccak_inc_squeeze(uint8_t *h, size_t outlen,
}
}
void shake128_inc_init(uint64_t *s_inc) {
keccak_inc_init(s_inc);
void shake128_inc_init(shake128incctx *state) {
keccak_inc_init(state->ctx);
}
void shake128_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen) {
keccak_inc_absorb(s_inc, SHAKE128_RATE, input, inlen);
void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen) {
keccak_inc_absorb(state->ctx, SHAKE128_RATE, input, inlen);
}
void shake128_inc_finalize(uint64_t *s_inc) {
keccak_inc_finalize(s_inc, SHAKE128_RATE, 0x1F);
void shake128_inc_finalize(shake128incctx *state) {
keccak_inc_finalize(state->ctx, SHAKE128_RATE, 0x1F);
}
void shake128_inc_squeeze(uint8_t *output, size_t outlen, uint64_t *s_inc) {
keccak_inc_squeeze(output, outlen, s_inc, SHAKE128_RATE);
void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state) {
keccak_inc_squeeze(output, outlen, state->ctx, SHAKE128_RATE);
}
void shake256_inc_init(uint64_t *s_inc) {
keccak_inc_init(s_inc);
void shake256_inc_init(shake256incctx *state) {
keccak_inc_init(state->ctx);
}
void shake256_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen) {
keccak_inc_absorb(s_inc, SHAKE256_RATE, input, inlen);
void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen) {
keccak_inc_absorb(state->ctx, SHAKE256_RATE, input, inlen);
}
void shake256_inc_finalize(uint64_t *s_inc) {
keccak_inc_finalize(s_inc, SHAKE256_RATE, 0x1F);
void shake256_inc_finalize(shake256incctx *state) {
keccak_inc_finalize(state->ctx, SHAKE256_RATE, 0x1F);
}
void shake256_inc_squeeze(uint8_t *output, size_t outlen, uint64_t *s_inc) {
keccak_inc_squeeze(output, outlen, s_inc, SHAKE256_RATE);
void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) {
keccak_inc_squeeze(output, outlen, state->ctx, SHAKE256_RATE);
}
@ -564,8 +564,8 @@ void shake256_inc_squeeze(uint8_t *output, size_t outlen, uint64_t *s_inc) {
* into s
* - size_t inlen: length of input in bytes
**************************************************/
void shake128_absorb(uint64_t *s, const uint8_t *input, size_t inlen) {
keccak_absorb(s, SHAKE128_RATE, input, inlen, 0x1F);
void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen) {
keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F);
}
/*************************************************
@ -578,10 +578,10 @@ void shake128_absorb(uint64_t *s, const uint8_t *input, size_t inlen) {
* Arguments: - uint8_t *output: pointer to output blocks
* - size_t nblocks: number of blocks to be squeezed
* (written to output)
* - uint64_t *s: pointer to input/output Keccak state
* - shake128ctx *state: pointer to input/output Keccak state
**************************************************/
void shake128_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *s) {
keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE);
void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) {
keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE);
}
/*************************************************
@ -590,13 +590,13 @@ void shake128_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *s) {
* Description: Absorb step of the SHAKE256 XOF.
* non-incremental, starts by zeroeing the state.
*
* Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state
* Arguments: - shake256ctx *state: pointer to (uninitialized) output Keccak state
* - const uint8_t *input: pointer to input to be absorbed
* into s
* - size_t inlen: length of input in bytes
**************************************************/
void shake256_absorb(uint64_t *s, const uint8_t *input, size_t inlen) {
keccak_absorb(s, SHAKE256_RATE, input, inlen, 0x1F);
void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen) {
keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F);
}
/*************************************************
@ -609,10 +609,10 @@ void shake256_absorb(uint64_t *s, const uint8_t *input, size_t inlen) {
* Arguments: - uint8_t *output: pointer to output blocks
* - size_t nblocks: number of blocks to be squeezed
* (written to output)
* - uint64_t *s: pointer to input/output Keccak state
* - shake256ctx *state: pointer to input/output Keccak state
**************************************************/
void shake256_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *s) {
keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE);
void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state) {
keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE);
}
/*************************************************
@ -629,16 +629,16 @@ void shake128(uint8_t *output, size_t outlen,
const uint8_t *input, size_t inlen) {
size_t nblocks = outlen / SHAKE128_RATE;
uint8_t t[SHAKE128_RATE];
uint64_t s[25];
shake128ctx s;
shake128_absorb(s, input, inlen);
shake128_squeezeblocks(output, nblocks, s);
shake128_absorb(&s, input, inlen);
shake128_squeezeblocks(output, nblocks, &s);
output += nblocks * SHAKE128_RATE;
outlen -= nblocks * SHAKE128_RATE;
if (outlen) {
shake128_squeezeblocks(t, 1, s);
shake128_squeezeblocks(t, 1, &s);
for (size_t i = 0; i < outlen; ++i) {
output[i] = t[i];
}
@ -659,35 +659,35 @@ void shake256(uint8_t *output, size_t outlen,
const uint8_t *input, size_t inlen) {
size_t nblocks = outlen / SHAKE256_RATE;
uint8_t t[SHAKE256_RATE];
uint64_t s[25];
shake256ctx s;
shake256_absorb(s, input, inlen);
shake256_squeezeblocks(output, nblocks, s);
shake256_absorb(&s, input, inlen);
shake256_squeezeblocks(output, nblocks, &s);
output += nblocks * SHAKE256_RATE;
outlen -= nblocks * SHAKE256_RATE;
if (outlen) {
shake256_squeezeblocks(t, 1, s);
shake256_squeezeblocks(t, 1, &s);
for (size_t i = 0; i < outlen; ++i) {
output[i] = t[i];
}
}
}
void sha3_256_inc_init(uint64_t *s_inc) {
keccak_inc_init(s_inc);
void sha3_256_inc_init(sha3_256incctx *state) {
keccak_inc_init(state->ctx);
}
void sha3_256_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen) {
keccak_inc_absorb(s_inc, SHA3_256_RATE, input, inlen);
void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen) {
keccak_inc_absorb(state->ctx, SHA3_256_RATE, input, inlen);
}
void sha3_256_inc_finalize(uint8_t *output, uint64_t *s_inc) {
void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state) {
uint8_t t[SHA3_256_RATE];
keccak_inc_finalize(s_inc, SHA3_256_RATE, 0x06);
keccak_inc_finalize(state->ctx, SHA3_256_RATE, 0x06);
keccak_squeezeblocks(t, 1, s_inc, SHA3_256_RATE);
keccak_squeezeblocks(t, 1, state->ctx, SHA3_256_RATE);
for (size_t i = 0; i < 32; i++) {
output[i] = t[i];
@ -718,19 +718,19 @@ void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen) {
}
}
void sha3_512_inc_init(uint64_t *s_inc) {
keccak_inc_init(s_inc);
void sha3_512_inc_init(sha3_512incctx *state) {
keccak_inc_init(state->ctx);
}
void sha3_512_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen) {
keccak_inc_absorb(s_inc, SHA3_512_RATE, input, inlen);
void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen) {
keccak_inc_absorb(state->ctx, SHA3_512_RATE, input, inlen);
}
void sha3_512_inc_finalize(uint8_t *output, uint64_t *s_inc) {
void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state) {
uint8_t t[SHA3_512_RATE];
keccak_inc_finalize(s_inc, SHA3_512_RATE, 0x06);
keccak_inc_finalize(state->ctx, SHA3_512_RATE, 0x06);
keccak_squeezeblocks(t, 1, s_inc, SHA3_512_RATE);
keccak_squeezeblocks(t, 1, state->ctx, SHA3_512_RATE);
for (size_t i = 0; i < 32; i++) {
output[i] = t[i];

67
common/fips202.h
Ver ficheiro

@ -9,22 +9,53 @@
#define SHA3_256_RATE 136
#define SHA3_512_RATE 72
void shake128_absorb(uint64_t *s, const uint8_t *input, size_t inlen);
void shake128_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *s);
// Context for incremental API
typedef struct {
uint64_t ctx[26];
} shake128incctx;
void shake128_inc_init(uint64_t *s_inc);
void shake128_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen);
void shake128_inc_finalize(uint64_t *s_inc);
void shake128_inc_squeeze(uint8_t *output, size_t outlen, uint64_t *s_inc);
// Context for non-incremental API
typedef struct {
uint64_t ctx[25];
} shake128ctx;
void shake256_absorb(uint64_t *s, const uint8_t *input, size_t inlen);
void shake256_squeezeblocks(uint8_t *output, size_t nblocks, uint64_t *s);
// Context for incremental API
typedef struct {
uint64_t ctx[26];
} shake256incctx;
void shake256_inc_init(uint64_t *s_inc);
void shake256_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen);
void shake256_inc_finalize(uint64_t *s_inc);
void shake256_inc_squeeze(uint8_t *output, size_t outlen, uint64_t *s_inc);
// Context for non-incremental API
typedef struct {
uint64_t ctx[25];
} shake256ctx;
// Context for incremental API
typedef struct {
uint64_t ctx[26];
} sha3_256incctx;
// Context for incremental API
typedef struct {
uint64_t ctx[26];
} sha3_512incctx;
void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen);
void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state);
void shake128_inc_init(shake128incctx *state);
void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen);
void shake128_inc_finalize(shake128incctx *state);
void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state);
void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen);
void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state);
void shake256_inc_init(shake256incctx *state);
void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen);
void shake256_inc_finalize(shake256incctx *state);
void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state);
void shake128(uint8_t *output, size_t outlen,
const uint8_t *input, size_t inlen);
@ -32,15 +63,15 @@ void shake128(uint8_t *output, size_t outlen,
void shake256(uint8_t *output, size_t outlen,
const uint8_t *input, size_t inlen);
void sha3_256_inc_init(uint64_t *s_inc);
void sha3_256_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen);
void sha3_256_inc_finalize(uint8_t *output, uint64_t *s_inc);
void sha3_256_inc_init(sha3_256incctx *state);
void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen);
void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state);
void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen);
void sha3_512_inc_init(uint64_t *s_inc);
void sha3_512_inc_absorb(uint64_t *s_inc, const uint8_t *input, size_t inlen);
void sha3_512_inc_finalize(uint8_t *output, uint64_t *s_inc);
void sha3_512_inc_init(sha3_512incctx *state);
void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen);
void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state);
void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen);

82
test/common/fips202.c
Ver ficheiro

@ -56,7 +56,7 @@ static int test_sha3_256_incremental(void) {
unsigned char input[512];
unsigned char check[32];
unsigned char output[32];
uint64_t s_inc[26];
sha3_256incctx state;
int i;
int absorbed;
int returncode = 0;
@ -67,18 +67,18 @@ static int test_sha3_256_incremental(void) {
sha3_256(check, input, 512);
sha3_256_inc_init(s_inc);
sha3_256_inc_init(&state);
absorbed = 0;
for (i = 0; i < 512 && absorbed + i <= 512; i++) {
sha3_256_inc_absorb(s_inc, input + absorbed, i);
sha3_256_inc_absorb(&state, input + absorbed, i);
absorbed += i;
}
sha3_256_inc_absorb(s_inc, input + absorbed, 512 - absorbed);
sha3_256_inc_absorb(&state, input + absorbed, 512 - absorbed);
sha3_256_inc_finalize(output, s_inc);
sha3_256_inc_finalize(output, &state);
if (memcmp(check, output, 32)) {
if (memcmp(check, output, 32) != 0) {
printf("ERROR sha3_256 incremental did not match sha3_256.\n");
printf(" Expected: ");
for (i = 0; i < 32; i++) {
@ -100,11 +100,11 @@ static int test_shake128_incremental(void) {
unsigned char input[512];
unsigned char check[512];
unsigned char output[512];
uint64_t s_inc_absorb[26];
uint64_t s_inc_squeeze[26];
uint64_t s_inc_squeeze_all[26];
uint64_t s_inc_both[26];
uint64_t s_combined[25];
shake128incctx state_absorb;
shake128incctx state_squeeze;
shake128incctx state_squeeze_all;
shake128incctx state_both;
shake128ctx state_combined;
int i;
int absorbed;
int squeezed;
@ -116,47 +116,27 @@ static int test_shake128_incremental(void) {
shake128(check, 512, input, 512);
shake128_inc_init(s_inc_absorb);
shake128_inc_init(&state_absorb);
absorbed = 0;
for (i = 0; i < 512 && absorbed + i <= 512; i++) {
shake128_inc_absorb(s_inc_absorb, input + absorbed, i);
shake128_inc_absorb(&state_absorb, input + absorbed, i);
absorbed += i;
}
shake128_inc_absorb(s_inc_absorb, input + absorbed, 512 - absorbed);
shake128_inc_absorb(&state_absorb, input + absorbed, 512 - absorbed);
shake128_inc_finalize(s_inc_absorb);
shake128_inc_finalize(&state_absorb);
shake128_absorb(s_combined, input, 512);
shake128_absorb(&state_combined, input, 512);
if (memcmp(s_inc_absorb, s_combined, 25 * sizeof(uint64_t))) {
if (memcmp(&state_absorb, &state_combined, sizeof(shake128ctx)) != 0) {
printf("ERROR shake128 state after incremental absorb did not match all-at-once absorb.\n");
printf(" Expected: ");
for (i = 0; i < 25; i++) {
printf("%016" PRIx64, s_combined[i]);
}
printf("\n");
printf(" State: ");
for (i = 0; i < 25; i++) {
printf("%016" PRIx64, s_inc_absorb[i]);
}
printf("\n");
for (i = 0; i < 8 * 25; i++) {
if (((s_combined[i >> 3] >> (8*(i & 0x7))) & 0xFF) !=
((s_inc_absorb[i >> 3] >> (8*(i & 0x7))) & 0xFF)) {
printf(" First occurred in int %d, byte %d (%02X should be %02X)\n",
i >> 3, i & 0x7,
(uint8_t)((s_inc_absorb[i >> 3] >> (8*(i & 0x7))) & 0xFF),
(uint8_t)((s_combined[i >> 3] >> (8*(i & 0x7))) & 0xFF));
break;
}
}
returncode = 1;
}
memcpy(s_inc_both, s_inc_absorb, 26 * sizeof(uint64_t));
memcpy(&state_both, &state_absorb, sizeof(shake128incctx));
shake128_squeezeblocks(output, 3, s_inc_absorb);
shake128_squeezeblocks(output, 3, (shake128ctx*)&state_absorb);
if (memcmp(check, output, 3*SHAKE128_RATE)) {
printf("ERROR shake128 incremental absorb did not match shake128.\n");
@ -173,14 +153,14 @@ static int test_shake128_incremental(void) {
returncode = 1;
}
shake128_absorb(s_inc_squeeze, input, 512);
s_inc_squeeze[25] = 0;
shake128_absorb((shake128ctx*)&state_squeeze, input, 512);
state_squeeze.ctx[25] = 0;
memcpy(s_inc_squeeze_all, s_inc_squeeze, 26 * sizeof(uint64_t));
memcpy(&state_squeeze_all, &state_squeeze, sizeof(shake128incctx));
shake128_inc_squeeze(output, 512, s_inc_squeeze_all);
shake128_inc_squeeze(output, 512, &state_squeeze_all);
if (memcmp(check, output, 512)) {
if (memcmp(check, output, 512) != 0) {
printf("ERROR shake128 incremental squeeze-all did not match shake128.\n");
printf(" Expected: ");
for (i = 0; i < 512; i++) {
@ -198,12 +178,12 @@ static int test_shake128_incremental(void) {
squeezed = 0;
memset(output, 0, 512);
for (i = 0; i < 512 && squeezed + i <= 512; i++) {
shake128_inc_squeeze(output + squeezed, i, s_inc_squeeze);
shake128_inc_squeeze(output + squeezed, i, &state_squeeze);
squeezed += i;
}
shake128_inc_squeeze(output + squeezed, 512 - squeezed, s_inc_squeeze);
shake128_inc_squeeze(output + squeezed, 512 - squeezed, &state_squeeze);
if (memcmp(check, output, 512)) {
if (memcmp(check, output, 512) != 0) {
printf("ERROR shake128 incremental squeeze did not match shake128.\n");
printf(" Expected: ");
for (i = 0; i < 512; i++) {
@ -221,12 +201,12 @@ static int test_shake128_incremental(void) {
squeezed = 0;
memset(output, 0, 512);
for (i = 0; i < 512 && squeezed + i <= 512; i++) {
shake128_inc_squeeze(output + squeezed, i, s_inc_both);
shake128_inc_squeeze(output + squeezed, i, &state_both);
squeezed += i;
}
shake128_inc_squeeze(output + squeezed, 512 - squeezed, s_inc_both);
shake128_inc_squeeze(output + squeezed, 512 - squeezed, &state_both);
if (memcmp(check, output, 512)) {
if (memcmp(check, output, 512) != 0) {
printf("ERROR shake128 incremental absorb + squeeze did not match shake128.\n");
printf(" Expected: ");
for (i = 0; i < 512; i++) {
@ -250,7 +230,7 @@ static int test_shake128(void) {
shake128(output, 32, plaintext, 43);
if (memcmp(expected, output, 32)) {
if (memcmp(expected, output, 32) != 0) {
printf("ERROR shake128 output did not match test vector.\n");
printf("Expected: ");
for (i = 0; i < 32; i++) {