From debc9f8fd8f640a32037e8242ec96b4c6fe735b7 Mon Sep 17 00:00:00 2001 From: Thom Wiggers Date: Thu, 18 Jul 2019 09:16:50 +0200 Subject: [PATCH] Document what exactly hash_state.h defines --- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- .../clean/hash_state.h | 25 +++++++++++++++++-- 36 files changed, 828 insertions(+), 72 deletions(-) diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-128f-robust/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-128f-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-128f-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-128f-simple/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-128f-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-128f-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-128s-robust/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-128s-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-128s-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-128s-simple/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-128s-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-128s-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-192f-robust/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-192f-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-192f-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-192f-simple/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-192f-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-192f-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-192s-robust/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-192s-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-192s-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-192s-simple/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-192s-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-256f-robust/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-256f-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-256f-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-256f-simple/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-256f-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-256f-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-256s-robust/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-256s-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-256s-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-256s-simple/clean/hash_state.h index bf2f4be4..cbe8a4ef 100644 --- a/crypto_sign/sphincs-haraka-256s-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-haraka-256s-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "haraka.h" #define hash_state harakactx diff --git a/crypto_sign/sphincs-sha256-128f-robust/clean/hash_state.h b/crypto_sign/sphincs-sha256-128f-robust/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-128f-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-128f-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-sha256-128f-simple/clean/hash_state.h b/crypto_sign/sphincs-sha256-128f-simple/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-128f-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-128f-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-sha256-128s-robust/clean/hash_state.h b/crypto_sign/sphincs-sha256-128s-robust/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-128s-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-128s-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-sha256-128s-simple/clean/hash_state.h b/crypto_sign/sphincs-sha256-128s-simple/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-128s-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-128s-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-sha256-192f-robust/clean/hash_state.h b/crypto_sign/sphincs-sha256-192f-robust/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-192f-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-192f-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-sha256-192f-simple/clean/hash_state.h b/crypto_sign/sphincs-sha256-192f-simple/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-192f-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-192f-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-sha256-192s-robust/clean/hash_state.h b/crypto_sign/sphincs-sha256-192s-robust/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-192s-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-192s-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-sha256-192s-simple/clean/hash_state.h b/crypto_sign/sphincs-sha256-192s-simple/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-192s-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-192s-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-sha256-256f-robust/clean/hash_state.h b/crypto_sign/sphincs-sha256-256f-robust/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-256f-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-256f-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-sha256-256f-simple/clean/hash_state.h b/crypto_sign/sphincs-sha256-256f-simple/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-256f-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-256f-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-sha256-256s-robust/clean/hash_state.h b/crypto_sign/sphincs-sha256-256s-robust/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-256s-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-256s-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-sha256-256s-simple/clean/hash_state.h b/crypto_sign/sphincs-sha256-256s-simple/clean/hash_state.h index 7b038e71..6feb2461 100644 --- a/crypto_sign/sphincs-sha256-256s-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-sha256-256s-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #include "sha2.h" #define hash_state sha256ctx diff --git a/crypto_sign/sphincs-shake256-128f-robust/clean/hash_state.h b/crypto_sign/sphincs-shake256-128f-robust/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-128f-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-128f-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int diff --git a/crypto_sign/sphincs-shake256-128f-simple/clean/hash_state.h b/crypto_sign/sphincs-shake256-128f-simple/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-128f-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-128f-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int diff --git a/crypto_sign/sphincs-shake256-128s-robust/clean/hash_state.h b/crypto_sign/sphincs-shake256-128s-robust/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-128s-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-128s-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int diff --git a/crypto_sign/sphincs-shake256-128s-simple/clean/hash_state.h b/crypto_sign/sphincs-shake256-128s-simple/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-128s-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-128s-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int diff --git a/crypto_sign/sphincs-shake256-192f-robust/clean/hash_state.h b/crypto_sign/sphincs-shake256-192f-robust/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-192f-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-192f-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int diff --git a/crypto_sign/sphincs-shake256-192f-simple/clean/hash_state.h b/crypto_sign/sphincs-shake256-192f-simple/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-192f-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-192f-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int diff --git a/crypto_sign/sphincs-shake256-192s-robust/clean/hash_state.h b/crypto_sign/sphincs-shake256-192s-robust/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-192s-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-192s-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int diff --git a/crypto_sign/sphincs-shake256-192s-simple/clean/hash_state.h b/crypto_sign/sphincs-shake256-192s-simple/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-192s-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-192s-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int diff --git a/crypto_sign/sphincs-shake256-256f-robust/clean/hash_state.h b/crypto_sign/sphincs-shake256-256f-robust/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-256f-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-256f-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int diff --git a/crypto_sign/sphincs-shake256-256f-simple/clean/hash_state.h b/crypto_sign/sphincs-shake256-256f-simple/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-256f-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-256f-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int diff --git a/crypto_sign/sphincs-shake256-256s-robust/clean/hash_state.h b/crypto_sign/sphincs-shake256-256s-robust/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-256s-robust/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-256s-robust/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int diff --git a/crypto_sign/sphincs-shake256-256s-simple/clean/hash_state.h b/crypto_sign/sphincs-shake256-256s-simple/clean/hash_state.h index 52ce4d50..e3f4bfd7 100644 --- a/crypto_sign/sphincs-shake256-256s-simple/clean/hash_state.h +++ b/crypto_sign/sphincs-shake256-256s-simple/clean/hash_state.h @@ -1,5 +1,26 @@ -#ifndef SPX_PRIMITIVE_H -#define SPX_PRIMITIVE_H +#ifndef SPX_HASH_STATE_H +#define SPX_HASH_STATE_H + +/** + * Defines the type of the hash function state. + * + * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! + * + * From Section 7.2.2 from the SPHINCS+ round-2 specification: + * + * Each of the instances of the tweakable hash function take PK.seed as its + * first input, which is constant for a given key pair – and, thus, across + * a single signature. This leads to a lot of redundant computation. To remedy + * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. + * Because of the Merkle-Damgård construction that underlies SHA-256, this + * allows for reuse of the intermediate SHA-256 state after the initial call to + * the compression function which improves performance. + * + * SHAKE256 does not need this state. Because this implementation is generated + * from a shared code base, we still need to specify some hash_state as it is + * still passed around. We chose to use an `int` as a placeholder for this + * purpose. + */ #define hash_state int