Reference implementations of PQC
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

930 lines
28 KiB

  1. /* Based on the public domain implementation in
  2. * crypto_hash/keccakc512/simple/ from http://bench.cr.yp.to/supercop.html
  3. * by Ronny Van Keer
  4. * and the public domain "TweetFips202" implementation
  5. * from https://twitter.com/tweetfips202
  6. * by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe */
  7. #include <stddef.h>
  8. #include <stdint.h>
  9. #include <stdlib.h>
  10. #include <string.h>
  11. #include "fips202.h"
  12. #define NROUNDS 24
  13. #define ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset))))
  14. /*************************************************
  15. * Name: load64
  16. *
  17. * Description: Load 8 bytes into uint64_t in little-endian order
  18. *
  19. * Arguments: - const uint8_t *x: pointer to input byte array
  20. *
  21. * Returns the loaded 64-bit unsigned integer
  22. **************************************************/
  23. static uint64_t load64(const uint8_t *x) {
  24. uint64_t r = 0;
  25. for (size_t i = 0; i < 8; ++i) {
  26. r |= (uint64_t)x[i] << 8 * i;
  27. }
  28. return r;
  29. }
  30. /*************************************************
  31. * Name: store64
  32. *
  33. * Description: Store a 64-bit integer to a byte array in little-endian order
  34. *
  35. * Arguments: - uint8_t *x: pointer to the output byte array
  36. * - uint64_t u: input 64-bit unsigned integer
  37. **************************************************/
  38. static void store64(uint8_t *x, uint64_t u) {
  39. for (size_t i = 0; i < 8; ++i) {
  40. x[i] = (uint8_t) (u >> 8 * i);
  41. }
  42. }
  43. /* Keccak round constants */
  44. static const uint64_t KeccakF_RoundConstants[NROUNDS] = {
  45. 0x0000000000000001ULL, 0x0000000000008082ULL,
  46. 0x800000000000808aULL, 0x8000000080008000ULL,
  47. 0x000000000000808bULL, 0x0000000080000001ULL,
  48. 0x8000000080008081ULL, 0x8000000000008009ULL,
  49. 0x000000000000008aULL, 0x0000000000000088ULL,
  50. 0x0000000080008009ULL, 0x000000008000000aULL,
  51. 0x000000008000808bULL, 0x800000000000008bULL,
  52. 0x8000000000008089ULL, 0x8000000000008003ULL,
  53. 0x8000000000008002ULL, 0x8000000000000080ULL,
  54. 0x000000000000800aULL, 0x800000008000000aULL,
  55. 0x8000000080008081ULL, 0x8000000000008080ULL,
  56. 0x0000000080000001ULL, 0x8000000080008008ULL
  57. };
  58. /*************************************************
  59. * Name: KeccakF1600_StatePermute
  60. *
  61. * Description: The Keccak F1600 Permutation
  62. *
  63. * Arguments: - uint64_t *state: pointer to input/output Keccak state
  64. **************************************************/
  65. static void KeccakF1600_StatePermute(uint64_t *state) {
  66. int round;
  67. uint64_t Aba, Abe, Abi, Abo, Abu;
  68. uint64_t Aga, Age, Agi, Ago, Agu;
  69. uint64_t Aka, Ake, Aki, Ako, Aku;
  70. uint64_t Ama, Ame, Ami, Amo, Amu;
  71. uint64_t Asa, Ase, Asi, Aso, Asu;
  72. uint64_t BCa, BCe, BCi, BCo, BCu;
  73. uint64_t Da, De, Di, Do, Du;
  74. uint64_t Eba, Ebe, Ebi, Ebo, Ebu;
  75. uint64_t Ega, Ege, Egi, Ego, Egu;
  76. uint64_t Eka, Eke, Eki, Eko, Eku;
  77. uint64_t Ema, Eme, Emi, Emo, Emu;
  78. uint64_t Esa, Ese, Esi, Eso, Esu;
  79. // copyFromState(A, state)
  80. Aba = state[0];
  81. Abe = state[1];
  82. Abi = state[2];
  83. Abo = state[3];
  84. Abu = state[4];
  85. Aga = state[5];
  86. Age = state[6];
  87. Agi = state[7];
  88. Ago = state[8];
  89. Agu = state[9];
  90. Aka = state[10];
  91. Ake = state[11];
  92. Aki = state[12];
  93. Ako = state[13];
  94. Aku = state[14];
  95. Ama = state[15];
  96. Ame = state[16];
  97. Ami = state[17];
  98. Amo = state[18];
  99. Amu = state[19];
  100. Asa = state[20];
  101. Ase = state[21];
  102. Asi = state[22];
  103. Aso = state[23];
  104. Asu = state[24];
  105. for (round = 0; round < NROUNDS; round += 2) {
  106. // prepareTheta
  107. BCa = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
  108. BCe = Abe ^ Age ^ Ake ^ Ame ^ Ase;
  109. BCi = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
  110. BCo = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
  111. BCu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
  112. // thetaRhoPiChiIotaPrepareTheta(round , A, E)
  113. Da = BCu ^ ROL(BCe, 1);
  114. De = BCa ^ ROL(BCi, 1);
  115. Di = BCe ^ ROL(BCo, 1);
  116. Do = BCi ^ ROL(BCu, 1);
  117. Du = BCo ^ ROL(BCa, 1);
  118. Aba ^= Da;
  119. BCa = Aba;
  120. Age ^= De;
  121. BCe = ROL(Age, 44);
  122. Aki ^= Di;
  123. BCi = ROL(Aki, 43);
  124. Amo ^= Do;
  125. BCo = ROL(Amo, 21);
  126. Asu ^= Du;
  127. BCu = ROL(Asu, 14);
  128. Eba = BCa ^ ((~BCe) & BCi);
  129. Eba ^= KeccakF_RoundConstants[round];
  130. Ebe = BCe ^ ((~BCi) & BCo);
  131. Ebi = BCi ^ ((~BCo) & BCu);
  132. Ebo = BCo ^ ((~BCu) & BCa);
  133. Ebu = BCu ^ ((~BCa) & BCe);
  134. Abo ^= Do;
  135. BCa = ROL(Abo, 28);
  136. Agu ^= Du;
  137. BCe = ROL(Agu, 20);
  138. Aka ^= Da;
  139. BCi = ROL(Aka, 3);
  140. Ame ^= De;
  141. BCo = ROL(Ame, 45);
  142. Asi ^= Di;
  143. BCu = ROL(Asi, 61);
  144. Ega = BCa ^ ((~BCe) & BCi);
  145. Ege = BCe ^ ((~BCi) & BCo);
  146. Egi = BCi ^ ((~BCo) & BCu);
  147. Ego = BCo ^ ((~BCu) & BCa);
  148. Egu = BCu ^ ((~BCa) & BCe);
  149. Abe ^= De;
  150. BCa = ROL(Abe, 1);
  151. Agi ^= Di;
  152. BCe = ROL(Agi, 6);
  153. Ako ^= Do;
  154. BCi = ROL(Ako, 25);
  155. Amu ^= Du;
  156. BCo = ROL(Amu, 8);
  157. Asa ^= Da;
  158. BCu = ROL(Asa, 18);
  159. Eka = BCa ^ ((~BCe) & BCi);
  160. Eke = BCe ^ ((~BCi) & BCo);
  161. Eki = BCi ^ ((~BCo) & BCu);
  162. Eko = BCo ^ ((~BCu) & BCa);
  163. Eku = BCu ^ ((~BCa) & BCe);
  164. Abu ^= Du;
  165. BCa = ROL(Abu, 27);
  166. Aga ^= Da;
  167. BCe = ROL(Aga, 36);
  168. Ake ^= De;
  169. BCi = ROL(Ake, 10);
  170. Ami ^= Di;
  171. BCo = ROL(Ami, 15);
  172. Aso ^= Do;
  173. BCu = ROL(Aso, 56);
  174. Ema = BCa ^ ((~BCe) & BCi);
  175. Eme = BCe ^ ((~BCi) & BCo);
  176. Emi = BCi ^ ((~BCo) & BCu);
  177. Emo = BCo ^ ((~BCu) & BCa);
  178. Emu = BCu ^ ((~BCa) & BCe);
  179. Abi ^= Di;
  180. BCa = ROL(Abi, 62);
  181. Ago ^= Do;
  182. BCe = ROL(Ago, 55);
  183. Aku ^= Du;
  184. BCi = ROL(Aku, 39);
  185. Ama ^= Da;
  186. BCo = ROL(Ama, 41);
  187. Ase ^= De;
  188. BCu = ROL(Ase, 2);
  189. Esa = BCa ^ ((~BCe) & BCi);
  190. Ese = BCe ^ ((~BCi) & BCo);
  191. Esi = BCi ^ ((~BCo) & BCu);
  192. Eso = BCo ^ ((~BCu) & BCa);
  193. Esu = BCu ^ ((~BCa) & BCe);
  194. // prepareTheta
  195. BCa = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
  196. BCe = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
  197. BCi = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
  198. BCo = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
  199. BCu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
  200. // thetaRhoPiChiIotaPrepareTheta(round+1, E, A)
  201. Da = BCu ^ ROL(BCe, 1);
  202. De = BCa ^ ROL(BCi, 1);
  203. Di = BCe ^ ROL(BCo, 1);
  204. Do = BCi ^ ROL(BCu, 1);
  205. Du = BCo ^ ROL(BCa, 1);
  206. Eba ^= Da;
  207. BCa = Eba;
  208. Ege ^= De;
  209. BCe = ROL(Ege, 44);
  210. Eki ^= Di;
  211. BCi = ROL(Eki, 43);
  212. Emo ^= Do;
  213. BCo = ROL(Emo, 21);
  214. Esu ^= Du;
  215. BCu = ROL(Esu, 14);
  216. Aba = BCa ^ ((~BCe) & BCi);
  217. Aba ^= KeccakF_RoundConstants[round + 1];
  218. Abe = BCe ^ ((~BCi) & BCo);
  219. Abi = BCi ^ ((~BCo) & BCu);
  220. Abo = BCo ^ ((~BCu) & BCa);
  221. Abu = BCu ^ ((~BCa) & BCe);
  222. Ebo ^= Do;
  223. BCa = ROL(Ebo, 28);
  224. Egu ^= Du;
  225. BCe = ROL(Egu, 20);
  226. Eka ^= Da;
  227. BCi = ROL(Eka, 3);
  228. Eme ^= De;
  229. BCo = ROL(Eme, 45);
  230. Esi ^= Di;
  231. BCu = ROL(Esi, 61);
  232. Aga = BCa ^ ((~BCe) & BCi);
  233. Age = BCe ^ ((~BCi) & BCo);
  234. Agi = BCi ^ ((~BCo) & BCu);
  235. Ago = BCo ^ ((~BCu) & BCa);
  236. Agu = BCu ^ ((~BCa) & BCe);
  237. Ebe ^= De;
  238. BCa = ROL(Ebe, 1);
  239. Egi ^= Di;
  240. BCe = ROL(Egi, 6);
  241. Eko ^= Do;
  242. BCi = ROL(Eko, 25);
  243. Emu ^= Du;
  244. BCo = ROL(Emu, 8);
  245. Esa ^= Da;
  246. BCu = ROL(Esa, 18);
  247. Aka = BCa ^ ((~BCe) & BCi);
  248. Ake = BCe ^ ((~BCi) & BCo);
  249. Aki = BCi ^ ((~BCo) & BCu);
  250. Ako = BCo ^ ((~BCu) & BCa);
  251. Aku = BCu ^ ((~BCa) & BCe);
  252. Ebu ^= Du;
  253. BCa = ROL(Ebu, 27);
  254. Ega ^= Da;
  255. BCe = ROL(Ega, 36);
  256. Eke ^= De;
  257. BCi = ROL(Eke, 10);
  258. Emi ^= Di;
  259. BCo = ROL(Emi, 15);
  260. Eso ^= Do;
  261. BCu = ROL(Eso, 56);
  262. Ama = BCa ^ ((~BCe) & BCi);
  263. Ame = BCe ^ ((~BCi) & BCo);
  264. Ami = BCi ^ ((~BCo) & BCu);
  265. Amo = BCo ^ ((~BCu) & BCa);
  266. Amu = BCu ^ ((~BCa) & BCe);
  267. Ebi ^= Di;
  268. BCa = ROL(Ebi, 62);
  269. Ego ^= Do;
  270. BCe = ROL(Ego, 55);
  271. Eku ^= Du;
  272. BCi = ROL(Eku, 39);
  273. Ema ^= Da;
  274. BCo = ROL(Ema, 41);
  275. Ese ^= De;
  276. BCu = ROL(Ese, 2);
  277. Asa = BCa ^ ((~BCe) & BCi);
  278. Ase = BCe ^ ((~BCi) & BCo);
  279. Asi = BCi ^ ((~BCo) & BCu);
  280. Aso = BCo ^ ((~BCu) & BCa);
  281. Asu = BCu ^ ((~BCa) & BCe);
  282. }
  283. // copyToState(state, A)
  284. state[0] = Aba;
  285. state[1] = Abe;
  286. state[2] = Abi;
  287. state[3] = Abo;
  288. state[4] = Abu;
  289. state[5] = Aga;
  290. state[6] = Age;
  291. state[7] = Agi;
  292. state[8] = Ago;
  293. state[9] = Agu;
  294. state[10] = Aka;
  295. state[11] = Ake;
  296. state[12] = Aki;
  297. state[13] = Ako;
  298. state[14] = Aku;
  299. state[15] = Ama;
  300. state[16] = Ame;
  301. state[17] = Ami;
  302. state[18] = Amo;
  303. state[19] = Amu;
  304. state[20] = Asa;
  305. state[21] = Ase;
  306. state[22] = Asi;
  307. state[23] = Aso;
  308. state[24] = Asu;
  309. }
  310. /*************************************************
  311. * Name: keccak_absorb
  312. *
  313. * Description: Absorb step of Keccak;
  314. * non-incremental, starts by zeroeing the state.
  315. *
  316. * Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state
  317. * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
  318. * - const uint8_t *m: pointer to input to be absorbed into s
  319. * - size_t mlen: length of input in bytes
  320. * - uint8_t p: domain-separation byte for different
  321. * Keccak-derived functions
  322. **************************************************/
  323. static void keccak_absorb(uint64_t *s, uint32_t r, const uint8_t *m,
  324. size_t mlen, uint8_t p) {
  325. size_t i;
  326. uint8_t t[200];
  327. /* Zero state */
  328. for (i = 0; i < 25; ++i) {
  329. s[i] = 0;
  330. }
  331. while (mlen >= r) {
  332. for (i = 0; i < r / 8; ++i) {
  333. s[i] ^= load64(m + 8 * i);
  334. }
  335. KeccakF1600_StatePermute(s);
  336. mlen -= r;
  337. m += r;
  338. }
  339. for (i = 0; i < r; ++i) {
  340. t[i] = 0;
  341. }
  342. for (i = 0; i < mlen; ++i) {
  343. t[i] = m[i];
  344. }
  345. t[i] = p;
  346. t[r - 1] |= 128;
  347. for (i = 0; i < r / 8; ++i) {
  348. s[i] ^= load64(t + 8 * i);
  349. }
  350. }
  351. /*************************************************
  352. * Name: keccak_squeezeblocks
  353. *
  354. * Description: Squeeze step of Keccak. Squeezes full blocks of r bytes each.
  355. * Modifies the state. Can be called multiple times to keep
  356. * squeezing, i.e., is incremental.
  357. *
  358. * Arguments: - uint8_t *h: pointer to output blocks
  359. * - size_t nblocks: number of blocks to be
  360. * squeezed (written to h)
  361. * - uint64_t *s: pointer to input/output Keccak state
  362. * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
  363. **************************************************/
  364. static void keccak_squeezeblocks(uint8_t *h, size_t nblocks,
  365. uint64_t *s, uint32_t r) {
  366. while (nblocks > 0) {
  367. KeccakF1600_StatePermute(s);
  368. for (size_t i = 0; i < (r >> 3); i++) {
  369. store64(h + 8 * i, s[i]);
  370. }
  371. h += r;
  372. nblocks--;
  373. }
  374. }
  375. /*************************************************
  376. * Name: keccak_inc_init
  377. *
  378. * Description: Initializes the incremental Keccak state to zero.
  379. *
  380. * Arguments: - uint64_t *s_inc: pointer to input/output incremental state
  381. * First 25 values represent Keccak state.
  382. * 26th value represents either the number of absorbed bytes
  383. * that have not been permuted, or not-yet-squeezed bytes.
  384. **************************************************/
  385. static void keccak_inc_init(uint64_t *s_inc) {
  386. size_t i;
  387. for (i = 0; i < 25; ++i) {
  388. s_inc[i] = 0;
  389. }
  390. s_inc[25] = 0;
  391. }
  392. /*************************************************
  393. * Name: keccak_inc_absorb
  394. *
  395. * Description: Incremental keccak absorb
  396. * Preceded by keccak_inc_init, succeeded by keccak_inc_finalize
  397. *
  398. * Arguments: - uint64_t *s_inc: pointer to input/output incremental state
  399. * First 25 values represent Keccak state.
  400. * 26th value represents either the number of absorbed bytes
  401. * that have not been permuted, or not-yet-squeezed bytes.
  402. * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
  403. * - const uint8_t *m: pointer to input to be absorbed into s
  404. * - size_t mlen: length of input in bytes
  405. **************************************************/
  406. static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m,
  407. size_t mlen) {
  408. size_t i;
  409. /* Recall that s_inc[25] is the non-absorbed bytes xored into the state */
  410. while (mlen + s_inc[25] >= r) {
  411. for (i = 0; i < r - (uint32_t)s_inc[25]; i++) {
  412. /* Take the i'th byte from message
  413. xor with the s_inc[25] + i'th byte of the state; little-endian */
  414. s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07));
  415. }
  416. mlen -= (size_t)(r - s_inc[25]);
  417. m += r - s_inc[25];
  418. s_inc[25] = 0;
  419. KeccakF1600_StatePermute(s_inc);
  420. }
  421. for (i = 0; i < mlen; i++) {
  422. s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07));
  423. }
  424. s_inc[25] += mlen;
  425. }
  426. /*************************************************
  427. * Name: keccak_inc_finalize
  428. *
  429. * Description: Finalizes Keccak absorb phase, prepares for squeezing
  430. *
  431. * Arguments: - uint64_t *s_inc: pointer to input/output incremental state
  432. * First 25 values represent Keccak state.
  433. * 26th value represents either the number of absorbed bytes
  434. * that have not been permuted, or not-yet-squeezed bytes.
  435. * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
  436. * - uint8_t p: domain-separation byte for different
  437. * Keccak-derived functions
  438. **************************************************/
  439. static void keccak_inc_finalize(uint64_t *s_inc, uint32_t r, uint8_t p) {
  440. /* After keccak_inc_absorb, we are guaranteed that s_inc[25] < r,
  441. so we can always use one more byte for p in the current state. */
  442. s_inc[s_inc[25] >> 3] ^= (uint64_t)p << (8 * (s_inc[25] & 0x07));
  443. s_inc[(r - 1) >> 3] ^= (uint64_t)128 << (8 * ((r - 1) & 0x07));
  444. s_inc[25] = 0;
  445. }
  446. /*************************************************
  447. * Name: keccak_inc_squeeze
  448. *
  449. * Description: Incremental Keccak squeeze; can be called on byte-level
  450. *
  451. * Arguments: - uint8_t *h: pointer to output bytes
  452. * - size_t outlen: number of bytes to be squeezed
  453. * - uint64_t *s_inc: pointer to input/output incremental state
  454. * First 25 values represent Keccak state.
  455. * 26th value represents either the number of absorbed bytes
  456. * that have not been permuted, or not-yet-squeezed bytes.
  457. * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
  458. **************************************************/
  459. static void keccak_inc_squeeze(uint8_t *h, size_t outlen,
  460. uint64_t *s_inc, uint32_t r) {
  461. size_t i;
  462. /* First consume any bytes we still have sitting around */
  463. for (i = 0; i < outlen && i < s_inc[25]; i++) {
  464. /* There are s_inc[25] bytes left, so r - s_inc[25] is the first
  465. available byte. We consume from there, i.e., up to r. */
  466. h[i] = (uint8_t)(s_inc[(r - s_inc[25] + i) >> 3] >> (8 * ((r - s_inc[25] + i) & 0x07)));
  467. }
  468. h += i;
  469. outlen -= i;
  470. s_inc[25] -= i;
  471. /* Then squeeze the remaining necessary blocks */
  472. while (outlen > 0) {
  473. KeccakF1600_StatePermute(s_inc);
  474. for (i = 0; i < outlen && i < r; i++) {
  475. h[i] = (uint8_t)(s_inc[i >> 3] >> (8 * (i & 0x07)));
  476. }
  477. h += i;
  478. outlen -= i;
  479. s_inc[25] = r - i;
  480. }
  481. }
  482. void shake128_inc_init(shake128incctx *state) {
  483. state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
  484. if (state->ctx == NULL) {
  485. exit(111);
  486. }
  487. keccak_inc_init(state->ctx);
  488. }
  489. void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen) {
  490. keccak_inc_absorb(state->ctx, SHAKE128_RATE, input, inlen);
  491. }
  492. void shake128_inc_finalize(shake128incctx *state) {
  493. keccak_inc_finalize(state->ctx, SHAKE128_RATE, 0x1F);
  494. }
  495. void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state) {
  496. keccak_inc_squeeze(output, outlen, state->ctx, SHAKE128_RATE);
  497. }
  498. void shake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src) {
  499. dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
  500. if (dest->ctx == NULL) {
  501. exit(111);
  502. }
  503. memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
  504. }
  505. void shake128_inc_ctx_release(shake128incctx *state) {
  506. free(state->ctx);
  507. }
  508. void shake256_inc_init(shake256incctx *state) {
  509. state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
  510. if (state->ctx == NULL) {
  511. exit(111);
  512. }
  513. keccak_inc_init(state->ctx);
  514. }
  515. void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen) {
  516. keccak_inc_absorb(state->ctx, SHAKE256_RATE, input, inlen);
  517. }
  518. void shake256_inc_finalize(shake256incctx *state) {
  519. keccak_inc_finalize(state->ctx, SHAKE256_RATE, 0x1F);
  520. }
  521. void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) {
  522. keccak_inc_squeeze(output, outlen, state->ctx, SHAKE256_RATE);
  523. }
  524. void shake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src) {
  525. dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
  526. if (dest->ctx == NULL) {
  527. exit(111);
  528. }
  529. memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
  530. }
  531. void shake256_inc_ctx_release(shake256incctx *state) {
  532. free(state->ctx);
  533. }
  534. /*************************************************
  535. * Name: shake128_absorb
  536. *
  537. * Description: Absorb step of the SHAKE128 XOF.
  538. * non-incremental, starts by zeroeing the state.
  539. *
  540. * Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state
  541. * - const uint8_t *input: pointer to input to be absorbed
  542. * into s
  543. * - size_t inlen: length of input in bytes
  544. **************************************************/
  545. void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen) {
  546. state->ctx = malloc(PQC_SHAKECTX_BYTES);
  547. if (state->ctx == NULL) {
  548. exit(111);
  549. }
  550. keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F);
  551. }
  552. /*************************************************
  553. * Name: shake128_squeezeblocks
  554. *
  555. * Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of
  556. * SHAKE128_RATE bytes each. Modifies the state. Can be called
  557. * multiple times to keep squeezing, i.e., is incremental.
  558. *
  559. * Arguments: - uint8_t *output: pointer to output blocks
  560. * - size_t nblocks: number of blocks to be squeezed
  561. * (written to output)
  562. * - shake128ctx *state: pointer to input/output Keccak state
  563. **************************************************/
  564. void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) {
  565. keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE);
  566. }
  567. void shake128_ctx_clone(shake128ctx *dest, const shake128ctx *src) {
  568. dest->ctx = malloc(PQC_SHAKECTX_BYTES);
  569. if (dest->ctx == NULL) {
  570. exit(111);
  571. }
  572. memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES);
  573. }
  574. /** Release the allocated state. Call only once. */
  575. void shake128_ctx_release(shake128ctx *state) {
  576. free(state->ctx);
  577. }
  578. /*************************************************
  579. * Name: shake256_absorb
  580. *
  581. * Description: Absorb step of the SHAKE256 XOF.
  582. * non-incremental, starts by zeroeing the state.
  583. *
  584. * Arguments: - shake256ctx *state: pointer to (uninitialized) output Keccak state
  585. * - const uint8_t *input: pointer to input to be absorbed
  586. * into s
  587. * - size_t inlen: length of input in bytes
  588. **************************************************/
  589. void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen) {
  590. state->ctx = malloc(PQC_SHAKECTX_BYTES);
  591. if (state->ctx == NULL) {
  592. exit(111);
  593. }
  594. keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F);
  595. }
  596. /*************************************************
  597. * Name: shake256_squeezeblocks
  598. *
  599. * Description: Squeeze step of SHAKE256 XOF. Squeezes full blocks of
  600. * SHAKE256_RATE bytes each. Modifies the state. Can be called
  601. * multiple times to keep squeezing, i.e., is incremental.
  602. *
  603. * Arguments: - uint8_t *output: pointer to output blocks
  604. * - size_t nblocks: number of blocks to be squeezed
  605. * (written to output)
  606. * - shake256ctx *state: pointer to input/output Keccak state
  607. **************************************************/
  608. void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state) {
  609. keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE);
  610. }
  611. void shake256_ctx_clone(shake256ctx *dest, const shake256ctx *src) {
  612. dest->ctx = malloc(PQC_SHAKECTX_BYTES);
  613. if (dest->ctx == NULL) {
  614. exit(111);
  615. }
  616. memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES);
  617. }
  618. /** Release the allocated state. Call only once. */
  619. void shake256_ctx_release(shake256ctx *state) {
  620. free(state->ctx);
  621. }
  622. /*************************************************
  623. * Name: shake128
  624. *
  625. * Description: SHAKE128 XOF with non-incremental API
  626. *
  627. * Arguments: - uint8_t *output: pointer to output
  628. * - size_t outlen: requested output length in bytes
  629. * - const uint8_t *input: pointer to input
  630. * - size_t inlen: length of input in bytes
  631. **************************************************/
  632. void shake128(uint8_t *output, size_t outlen,
  633. const uint8_t *input, size_t inlen) {
  634. size_t nblocks = outlen / SHAKE128_RATE;
  635. uint8_t t[SHAKE128_RATE];
  636. shake128ctx s;
  637. shake128_absorb(&s, input, inlen);
  638. shake128_squeezeblocks(output, nblocks, &s);
  639. output += nblocks * SHAKE128_RATE;
  640. outlen -= nblocks * SHAKE128_RATE;
  641. if (outlen) {
  642. shake128_squeezeblocks(t, 1, &s);
  643. for (size_t i = 0; i < outlen; ++i) {
  644. output[i] = t[i];
  645. }
  646. }
  647. shake128_ctx_release(&s);
  648. }
  649. /*************************************************
  650. * Name: shake256
  651. *
  652. * Description: SHAKE256 XOF with non-incremental API
  653. *
  654. * Arguments: - uint8_t *output: pointer to output
  655. * - size_t outlen: requested output length in bytes
  656. * - const uint8_t *input: pointer to input
  657. * - size_t inlen: length of input in bytes
  658. **************************************************/
  659. void shake256(uint8_t *output, size_t outlen,
  660. const uint8_t *input, size_t inlen) {
  661. size_t nblocks = outlen / SHAKE256_RATE;
  662. uint8_t t[SHAKE256_RATE];
  663. shake256ctx s;
  664. shake256_absorb(&s, input, inlen);
  665. shake256_squeezeblocks(output, nblocks, &s);
  666. output += nblocks * SHAKE256_RATE;
  667. outlen -= nblocks * SHAKE256_RATE;
  668. if (outlen) {
  669. shake256_squeezeblocks(t, 1, &s);
  670. for (size_t i = 0; i < outlen; ++i) {
  671. output[i] = t[i];
  672. }
  673. }
  674. shake256_ctx_release(&s);
  675. }
  676. void sha3_256_inc_init(sha3_256incctx *state) {
  677. state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
  678. if (state->ctx == NULL) {
  679. exit(111);
  680. }
  681. keccak_inc_init(state->ctx);
  682. }
  683. void sha3_256_inc_ctx_clone(sha3_256incctx *dest, const sha3_256incctx *src) {
  684. dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
  685. if (dest->ctx == NULL) {
  686. exit(111);
  687. }
  688. memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
  689. }
  690. void sha3_256_inc_ctx_release(sha3_256incctx *state) {
  691. free(state->ctx);
  692. }
  693. void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen) {
  694. keccak_inc_absorb(state->ctx, SHA3_256_RATE, input, inlen);
  695. }
  696. void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state) {
  697. uint8_t t[SHA3_256_RATE];
  698. keccak_inc_finalize(state->ctx, SHA3_256_RATE, 0x06);
  699. keccak_squeezeblocks(t, 1, state->ctx, SHA3_256_RATE);
  700. sha3_256_inc_ctx_release(state);
  701. for (size_t i = 0; i < 32; i++) {
  702. output[i] = t[i];
  703. }
  704. }
  705. /*************************************************
  706. * Name: sha3_256
  707. *
  708. * Description: SHA3-256 with non-incremental API
  709. *
  710. * Arguments: - uint8_t *output: pointer to output
  711. * - const uint8_t *input: pointer to input
  712. * - size_t inlen: length of input in bytes
  713. **************************************************/
  714. void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen) {
  715. uint64_t s[25];
  716. uint8_t t[SHA3_256_RATE];
  717. /* Absorb input */
  718. keccak_absorb(s, SHA3_256_RATE, input, inlen, 0x06);
  719. /* Squeeze output */
  720. keccak_squeezeblocks(t, 1, s, SHA3_256_RATE);
  721. for (size_t i = 0; i < 32; i++) {
  722. output[i] = t[i];
  723. }
  724. }
  725. void sha3_384_inc_init(sha3_384incctx *state) {
  726. state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
  727. if (state->ctx == NULL) {
  728. exit(111);
  729. }
  730. keccak_inc_init(state->ctx);
  731. }
  732. void sha3_384_inc_ctx_clone(sha3_384incctx *dest, const sha3_384incctx *src) {
  733. dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
  734. if (dest->ctx == NULL) {
  735. exit(111);
  736. }
  737. memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
  738. }
  739. void sha3_384_inc_absorb(sha3_384incctx *state, const uint8_t *input, size_t inlen) {
  740. keccak_inc_absorb(state->ctx, SHA3_384_RATE, input, inlen);
  741. }
  742. void sha3_384_inc_ctx_release(sha3_384incctx *state) {
  743. free(state->ctx);
  744. }
  745. void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state) {
  746. uint8_t t[SHA3_384_RATE];
  747. keccak_inc_finalize(state->ctx, SHA3_384_RATE, 0x06);
  748. keccak_squeezeblocks(t, 1, state->ctx, SHA3_384_RATE);
  749. sha3_384_inc_ctx_release(state);
  750. for (size_t i = 0; i < 48; i++) {
  751. output[i] = t[i];
  752. }
  753. }
  754. /*************************************************
  755. * Name: sha3_384
  756. *
  757. * Description: SHA3-256 with non-incremental API
  758. *
  759. * Arguments: - uint8_t *output: pointer to output
  760. * - const uint8_t *input: pointer to input
  761. * - size_t inlen: length of input in bytes
  762. **************************************************/
  763. void sha3_384(uint8_t *output, const uint8_t *input, size_t inlen) {
  764. uint64_t s[25];
  765. uint8_t t[SHA3_384_RATE];
  766. /* Absorb input */
  767. keccak_absorb(s, SHA3_384_RATE, input, inlen, 0x06);
  768. /* Squeeze output */
  769. keccak_squeezeblocks(t, 1, s, SHA3_384_RATE);
  770. for (size_t i = 0; i < 48; i++) {
  771. output[i] = t[i];
  772. }
  773. }
  774. void sha3_512_inc_init(sha3_512incctx *state) {
  775. state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
  776. if (state->ctx == NULL) {
  777. exit(111);
  778. }
  779. keccak_inc_init(state->ctx);
  780. }
  781. void sha3_512_inc_ctx_clone(sha3_512incctx *dest, const sha3_512incctx *src) {
  782. dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
  783. if (dest->ctx == NULL) {
  784. exit(111);
  785. }
  786. memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
  787. }
  788. void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen) {
  789. keccak_inc_absorb(state->ctx, SHA3_512_RATE, input, inlen);
  790. }
  791. void sha3_512_inc_ctx_release(sha3_512incctx *state) {
  792. free(state->ctx);
  793. }
  794. void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state) {
  795. uint8_t t[SHA3_512_RATE];
  796. keccak_inc_finalize(state->ctx, SHA3_512_RATE, 0x06);
  797. keccak_squeezeblocks(t, 1, state->ctx, SHA3_512_RATE);
  798. sha3_512_inc_ctx_release(state);
  799. for (size_t i = 0; i < 64; i++) {
  800. output[i] = t[i];
  801. }
  802. }
  803. /*************************************************
  804. * Name: sha3_512
  805. *
  806. * Description: SHA3-512 with non-incremental API
  807. *
  808. * Arguments: - uint8_t *output: pointer to output
  809. * - const uint8_t *input: pointer to input
  810. * - size_t inlen: length of input in bytes
  811. **************************************************/
  812. void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen) {
  813. uint64_t s[25];
  814. uint8_t t[SHA3_512_RATE];
  815. /* Absorb input */
  816. keccak_absorb(s, SHA3_512_RATE, input, inlen, 0x06);
  817. /* Squeeze output */
  818. keccak_squeezeblocks(t, 1, s, SHA3_512_RATE);
  819. for (size_t i = 0; i < 64; i++) {
  820. output[i] = t[i];
  821. }
  822. }