Reference implementations of PQC
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
 
 
 
 

806 linhas
25 KiB

  1. /* Based on the public domain implementation in
  2. * crypto_hash/keccakc512/simple/ from http://bench.cr.yp.to/supercop.html
  3. * by Ronny Van Keer
  4. * and the public domain "TweetFips202" implementation
  5. * from https://twitter.com/tweetfips202
  6. * by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe */
  7. #include <stddef.h>
  8. #include <stdint.h>
  9. #include "fips202.h"
  10. #define NROUNDS 24
  11. #define ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset))))
  12. /*************************************************
  13. * Name: load64
  14. *
  15. * Description: Load 8 bytes into uint64_t in little-endian order
  16. *
  17. * Arguments: - const uint8_t *x: pointer to input byte array
  18. *
  19. * Returns the loaded 64-bit unsigned integer
  20. **************************************************/
  21. static uint64_t load64(const uint8_t *x) {
  22. uint64_t r = 0;
  23. for (size_t i = 0; i < 8; ++i) {
  24. r |= (uint64_t)x[i] << 8 * i;
  25. }
  26. return r;
  27. }
  28. /*************************************************
  29. * Name: store64
  30. *
  31. * Description: Store a 64-bit integer to a byte array in little-endian order
  32. *
  33. * Arguments: - uint8_t *x: pointer to the output byte array
  34. * - uint64_t u: input 64-bit unsigned integer
  35. **************************************************/
  36. static void store64(uint8_t *x, uint64_t u) {
  37. for (size_t i = 0; i < 8; ++i) {
  38. x[i] = (uint8_t) (u >> 8 * i);
  39. }
  40. }
  41. /* Keccak round constants */
  42. static const uint64_t KeccakF_RoundConstants[NROUNDS] = {
  43. 0x0000000000000001ULL, 0x0000000000008082ULL,
  44. 0x800000000000808aULL, 0x8000000080008000ULL,
  45. 0x000000000000808bULL, 0x0000000080000001ULL,
  46. 0x8000000080008081ULL, 0x8000000000008009ULL,
  47. 0x000000000000008aULL, 0x0000000000000088ULL,
  48. 0x0000000080008009ULL, 0x000000008000000aULL,
  49. 0x000000008000808bULL, 0x800000000000008bULL,
  50. 0x8000000000008089ULL, 0x8000000000008003ULL,
  51. 0x8000000000008002ULL, 0x8000000000000080ULL,
  52. 0x000000000000800aULL, 0x800000008000000aULL,
  53. 0x8000000080008081ULL, 0x8000000000008080ULL,
  54. 0x0000000080000001ULL, 0x8000000080008008ULL
  55. };
  56. /*************************************************
  57. * Name: KeccakF1600_StatePermute
  58. *
  59. * Description: The Keccak F1600 Permutation
  60. *
  61. * Arguments: - uint64_t *state: pointer to input/output Keccak state
  62. **************************************************/
  63. static void KeccakF1600_StatePermute(uint64_t *state) {
  64. int round;
  65. uint64_t Aba, Abe, Abi, Abo, Abu;
  66. uint64_t Aga, Age, Agi, Ago, Agu;
  67. uint64_t Aka, Ake, Aki, Ako, Aku;
  68. uint64_t Ama, Ame, Ami, Amo, Amu;
  69. uint64_t Asa, Ase, Asi, Aso, Asu;
  70. uint64_t BCa, BCe, BCi, BCo, BCu;
  71. uint64_t Da, De, Di, Do, Du;
  72. uint64_t Eba, Ebe, Ebi, Ebo, Ebu;
  73. uint64_t Ega, Ege, Egi, Ego, Egu;
  74. uint64_t Eka, Eke, Eki, Eko, Eku;
  75. uint64_t Ema, Eme, Emi, Emo, Emu;
  76. uint64_t Esa, Ese, Esi, Eso, Esu;
  77. // copyFromState(A, state)
  78. Aba = state[0];
  79. Abe = state[1];
  80. Abi = state[2];
  81. Abo = state[3];
  82. Abu = state[4];
  83. Aga = state[5];
  84. Age = state[6];
  85. Agi = state[7];
  86. Ago = state[8];
  87. Agu = state[9];
  88. Aka = state[10];
  89. Ake = state[11];
  90. Aki = state[12];
  91. Ako = state[13];
  92. Aku = state[14];
  93. Ama = state[15];
  94. Ame = state[16];
  95. Ami = state[17];
  96. Amo = state[18];
  97. Amu = state[19];
  98. Asa = state[20];
  99. Ase = state[21];
  100. Asi = state[22];
  101. Aso = state[23];
  102. Asu = state[24];
  103. for (round = 0; round < NROUNDS; round += 2) {
  104. // prepareTheta
  105. BCa = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
  106. BCe = Abe ^ Age ^ Ake ^ Ame ^ Ase;
  107. BCi = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
  108. BCo = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
  109. BCu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
  110. // thetaRhoPiChiIotaPrepareTheta(round , A, E)
  111. Da = BCu ^ ROL(BCe, 1);
  112. De = BCa ^ ROL(BCi, 1);
  113. Di = BCe ^ ROL(BCo, 1);
  114. Do = BCi ^ ROL(BCu, 1);
  115. Du = BCo ^ ROL(BCa, 1);
  116. Aba ^= Da;
  117. BCa = Aba;
  118. Age ^= De;
  119. BCe = ROL(Age, 44);
  120. Aki ^= Di;
  121. BCi = ROL(Aki, 43);
  122. Amo ^= Do;
  123. BCo = ROL(Amo, 21);
  124. Asu ^= Du;
  125. BCu = ROL(Asu, 14);
  126. Eba = BCa ^ ((~BCe) & BCi);
  127. Eba ^= KeccakF_RoundConstants[round];
  128. Ebe = BCe ^ ((~BCi) & BCo);
  129. Ebi = BCi ^ ((~BCo) & BCu);
  130. Ebo = BCo ^ ((~BCu) & BCa);
  131. Ebu = BCu ^ ((~BCa) & BCe);
  132. Abo ^= Do;
  133. BCa = ROL(Abo, 28);
  134. Agu ^= Du;
  135. BCe = ROL(Agu, 20);
  136. Aka ^= Da;
  137. BCi = ROL(Aka, 3);
  138. Ame ^= De;
  139. BCo = ROL(Ame, 45);
  140. Asi ^= Di;
  141. BCu = ROL(Asi, 61);
  142. Ega = BCa ^ ((~BCe) & BCi);
  143. Ege = BCe ^ ((~BCi) & BCo);
  144. Egi = BCi ^ ((~BCo) & BCu);
  145. Ego = BCo ^ ((~BCu) & BCa);
  146. Egu = BCu ^ ((~BCa) & BCe);
  147. Abe ^= De;
  148. BCa = ROL(Abe, 1);
  149. Agi ^= Di;
  150. BCe = ROL(Agi, 6);
  151. Ako ^= Do;
  152. BCi = ROL(Ako, 25);
  153. Amu ^= Du;
  154. BCo = ROL(Amu, 8);
  155. Asa ^= Da;
  156. BCu = ROL(Asa, 18);
  157. Eka = BCa ^ ((~BCe) & BCi);
  158. Eke = BCe ^ ((~BCi) & BCo);
  159. Eki = BCi ^ ((~BCo) & BCu);
  160. Eko = BCo ^ ((~BCu) & BCa);
  161. Eku = BCu ^ ((~BCa) & BCe);
  162. Abu ^= Du;
  163. BCa = ROL(Abu, 27);
  164. Aga ^= Da;
  165. BCe = ROL(Aga, 36);
  166. Ake ^= De;
  167. BCi = ROL(Ake, 10);
  168. Ami ^= Di;
  169. BCo = ROL(Ami, 15);
  170. Aso ^= Do;
  171. BCu = ROL(Aso, 56);
  172. Ema = BCa ^ ((~BCe) & BCi);
  173. Eme = BCe ^ ((~BCi) & BCo);
  174. Emi = BCi ^ ((~BCo) & BCu);
  175. Emo = BCo ^ ((~BCu) & BCa);
  176. Emu = BCu ^ ((~BCa) & BCe);
  177. Abi ^= Di;
  178. BCa = ROL(Abi, 62);
  179. Ago ^= Do;
  180. BCe = ROL(Ago, 55);
  181. Aku ^= Du;
  182. BCi = ROL(Aku, 39);
  183. Ama ^= Da;
  184. BCo = ROL(Ama, 41);
  185. Ase ^= De;
  186. BCu = ROL(Ase, 2);
  187. Esa = BCa ^ ((~BCe) & BCi);
  188. Ese = BCe ^ ((~BCi) & BCo);
  189. Esi = BCi ^ ((~BCo) & BCu);
  190. Eso = BCo ^ ((~BCu) & BCa);
  191. Esu = BCu ^ ((~BCa) & BCe);
  192. // prepareTheta
  193. BCa = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
  194. BCe = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
  195. BCi = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
  196. BCo = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
  197. BCu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
  198. // thetaRhoPiChiIotaPrepareTheta(round+1, E, A)
  199. Da = BCu ^ ROL(BCe, 1);
  200. De = BCa ^ ROL(BCi, 1);
  201. Di = BCe ^ ROL(BCo, 1);
  202. Do = BCi ^ ROL(BCu, 1);
  203. Du = BCo ^ ROL(BCa, 1);
  204. Eba ^= Da;
  205. BCa = Eba;
  206. Ege ^= De;
  207. BCe = ROL(Ege, 44);
  208. Eki ^= Di;
  209. BCi = ROL(Eki, 43);
  210. Emo ^= Do;
  211. BCo = ROL(Emo, 21);
  212. Esu ^= Du;
  213. BCu = ROL(Esu, 14);
  214. Aba = BCa ^ ((~BCe) & BCi);
  215. Aba ^= KeccakF_RoundConstants[round + 1];
  216. Abe = BCe ^ ((~BCi) & BCo);
  217. Abi = BCi ^ ((~BCo) & BCu);
  218. Abo = BCo ^ ((~BCu) & BCa);
  219. Abu = BCu ^ ((~BCa) & BCe);
  220. Ebo ^= Do;
  221. BCa = ROL(Ebo, 28);
  222. Egu ^= Du;
  223. BCe = ROL(Egu, 20);
  224. Eka ^= Da;
  225. BCi = ROL(Eka, 3);
  226. Eme ^= De;
  227. BCo = ROL(Eme, 45);
  228. Esi ^= Di;
  229. BCu = ROL(Esi, 61);
  230. Aga = BCa ^ ((~BCe) & BCi);
  231. Age = BCe ^ ((~BCi) & BCo);
  232. Agi = BCi ^ ((~BCo) & BCu);
  233. Ago = BCo ^ ((~BCu) & BCa);
  234. Agu = BCu ^ ((~BCa) & BCe);
  235. Ebe ^= De;
  236. BCa = ROL(Ebe, 1);
  237. Egi ^= Di;
  238. BCe = ROL(Egi, 6);
  239. Eko ^= Do;
  240. BCi = ROL(Eko, 25);
  241. Emu ^= Du;
  242. BCo = ROL(Emu, 8);
  243. Esa ^= Da;
  244. BCu = ROL(Esa, 18);
  245. Aka = BCa ^ ((~BCe) & BCi);
  246. Ake = BCe ^ ((~BCi) & BCo);
  247. Aki = BCi ^ ((~BCo) & BCu);
  248. Ako = BCo ^ ((~BCu) & BCa);
  249. Aku = BCu ^ ((~BCa) & BCe);
  250. Ebu ^= Du;
  251. BCa = ROL(Ebu, 27);
  252. Ega ^= Da;
  253. BCe = ROL(Ega, 36);
  254. Eke ^= De;
  255. BCi = ROL(Eke, 10);
  256. Emi ^= Di;
  257. BCo = ROL(Emi, 15);
  258. Eso ^= Do;
  259. BCu = ROL(Eso, 56);
  260. Ama = BCa ^ ((~BCe) & BCi);
  261. Ame = BCe ^ ((~BCi) & BCo);
  262. Ami = BCi ^ ((~BCo) & BCu);
  263. Amo = BCo ^ ((~BCu) & BCa);
  264. Amu = BCu ^ ((~BCa) & BCe);
  265. Ebi ^= Di;
  266. BCa = ROL(Ebi, 62);
  267. Ego ^= Do;
  268. BCe = ROL(Ego, 55);
  269. Eku ^= Du;
  270. BCi = ROL(Eku, 39);
  271. Ema ^= Da;
  272. BCo = ROL(Ema, 41);
  273. Ese ^= De;
  274. BCu = ROL(Ese, 2);
  275. Asa = BCa ^ ((~BCe) & BCi);
  276. Ase = BCe ^ ((~BCi) & BCo);
  277. Asi = BCi ^ ((~BCo) & BCu);
  278. Aso = BCo ^ ((~BCu) & BCa);
  279. Asu = BCu ^ ((~BCa) & BCe);
  280. }
  281. // copyToState(state, A)
  282. state[0] = Aba;
  283. state[1] = Abe;
  284. state[2] = Abi;
  285. state[3] = Abo;
  286. state[4] = Abu;
  287. state[5] = Aga;
  288. state[6] = Age;
  289. state[7] = Agi;
  290. state[8] = Ago;
  291. state[9] = Agu;
  292. state[10] = Aka;
  293. state[11] = Ake;
  294. state[12] = Aki;
  295. state[13] = Ako;
  296. state[14] = Aku;
  297. state[15] = Ama;
  298. state[16] = Ame;
  299. state[17] = Ami;
  300. state[18] = Amo;
  301. state[19] = Amu;
  302. state[20] = Asa;
  303. state[21] = Ase;
  304. state[22] = Asi;
  305. state[23] = Aso;
  306. state[24] = Asu;
  307. }
  308. /*************************************************
  309. * Name: keccak_absorb
  310. *
  311. * Description: Absorb step of Keccak;
  312. * non-incremental, starts by zeroeing the state.
  313. *
  314. * Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state
  315. * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
  316. * - const uint8_t *m: pointer to input to be absorbed into s
  317. * - size_t mlen: length of input in bytes
  318. * - uint8_t p: domain-separation byte for different
  319. * Keccak-derived functions
  320. **************************************************/
  321. static void keccak_absorb(uint64_t *s, uint32_t r, const uint8_t *m,
  322. size_t mlen, uint8_t p) {
  323. size_t i;
  324. uint8_t t[200];
  325. /* Zero state */
  326. for (i = 0; i < 25; ++i) {
  327. s[i] = 0;
  328. }
  329. while (mlen >= r) {
  330. for (i = 0; i < r / 8; ++i) {
  331. s[i] ^= load64(m + 8 * i);
  332. }
  333. KeccakF1600_StatePermute(s);
  334. mlen -= r;
  335. m += r;
  336. }
  337. for (i = 0; i < r; ++i) {
  338. t[i] = 0;
  339. }
  340. for (i = 0; i < mlen; ++i) {
  341. t[i] = m[i];
  342. }
  343. t[i] = p;
  344. t[r - 1] |= 128;
  345. for (i = 0; i < r / 8; ++i) {
  346. s[i] ^= load64(t + 8 * i);
  347. }
  348. }
  349. /*************************************************
  350. * Name: keccak_squeezeblocks
  351. *
  352. * Description: Squeeze step of Keccak. Squeezes full blocks of r bytes each.
  353. * Modifies the state. Can be called multiple times to keep
  354. * squeezing, i.e., is incremental.
  355. *
  356. * Arguments: - uint8_t *h: pointer to output blocks
  357. * - size_t nblocks: number of blocks to be
  358. * squeezed (written to h)
  359. * - uint64_t *s: pointer to input/output Keccak state
  360. * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
  361. **************************************************/
  362. static void keccak_squeezeblocks(uint8_t *h, size_t nblocks,
  363. uint64_t *s, uint32_t r) {
  364. while (nblocks > 0) {
  365. KeccakF1600_StatePermute(s);
  366. for (size_t i = 0; i < (r >> 3); i++) {
  367. store64(h + 8 * i, s[i]);
  368. }
  369. h += r;
  370. nblocks--;
  371. }
  372. }
  373. /*************************************************
  374. * Name: keccak_inc_init
  375. *
  376. * Description: Initializes the incremental Keccak state to zero.
  377. *
  378. * Arguments: - uint64_t *s_inc: pointer to input/output incremental state
  379. * First 25 values represent Keccak state.
  380. * 26th value represents either the number of absorbed bytes
  381. * that have not been permuted, or not-yet-squeezed bytes.
  382. **************************************************/
  383. static void keccak_inc_init(uint64_t *s_inc) {
  384. size_t i;
  385. for (i = 0; i < 25; ++i) {
  386. s_inc[i] = 0;
  387. }
  388. s_inc[25] = 0;
  389. }
  390. /*************************************************
  391. * Name: keccak_inc_absorb
  392. *
  393. * Description: Incremental keccak absorb
  394. * Preceded by keccak_inc_init, succeeded by keccak_inc_finalize
  395. *
  396. * Arguments: - uint64_t *s_inc: pointer to input/output incremental state
  397. * First 25 values represent Keccak state.
  398. * 26th value represents either the number of absorbed bytes
  399. * that have not been permuted, or not-yet-squeezed bytes.
  400. * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
  401. * - const uint8_t *m: pointer to input to be absorbed into s
  402. * - size_t mlen: length of input in bytes
  403. **************************************************/
  404. static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m,
  405. size_t mlen) {
  406. size_t i;
  407. /* Recall that s_inc[25] is the non-absorbed bytes xored into the state */
  408. while (mlen + s_inc[25] >= r) {
  409. for (i = 0; i < r - s_inc[25]; i++) {
  410. /* Take the i'th byte from message
  411. xor with the s_inc[25] + i'th byte of the state; little-endian */
  412. s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07));
  413. }
  414. mlen -= (size_t)(r - s_inc[25]);
  415. m += r - s_inc[25];
  416. s_inc[25] = 0;
  417. KeccakF1600_StatePermute(s_inc);
  418. }
  419. for (i = 0; i < mlen; i++) {
  420. s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07));
  421. }
  422. s_inc[25] += mlen;
  423. }
  424. /*************************************************
  425. * Name: keccak_inc_finalize
  426. *
  427. * Description: Finalizes Keccak absorb phase, prepares for squeezing
  428. *
  429. * Arguments: - uint64_t *s_inc: pointer to input/output incremental state
  430. * First 25 values represent Keccak state.
  431. * 26th value represents either the number of absorbed bytes
  432. * that have not been permuted, or not-yet-squeezed bytes.
  433. * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
  434. * - uint8_t p: domain-separation byte for different
  435. * Keccak-derived functions
  436. **************************************************/
  437. static void keccak_inc_finalize(uint64_t *s_inc, uint32_t r, uint8_t p) {
  438. /* After keccak_inc_absorb, we are guaranteed that s_inc[25] < r,
  439. so we can always use one more byte for p in the current state. */
  440. s_inc[s_inc[25] >> 3] ^= (uint64_t)p << (8 * (s_inc[25] & 0x07));
  441. s_inc[(r - 1) >> 3] ^= (uint64_t)128 << (8 * ((r - 1) & 0x07));
  442. s_inc[25] = 0;
  443. }
  444. /*************************************************
  445. * Name: keccak_inc_squeeze
  446. *
  447. * Description: Incremental Keccak squeeze; can be called on byte-level
  448. *
  449. * Arguments: - uint8_t *h: pointer to output bytes
  450. * - size_t outlen: number of bytes to be squeezed
  451. * - uint64_t *s_inc: pointer to input/output incremental state
  452. * First 25 values represent Keccak state.
  453. * 26th value represents either the number of absorbed bytes
  454. * that have not been permuted, or not-yet-squeezed bytes.
  455. * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
  456. **************************************************/
  457. static void keccak_inc_squeeze(uint8_t *h, size_t outlen,
  458. uint64_t *s_inc, uint32_t r) {
  459. size_t i;
  460. /* First consume any bytes we still have sitting around */
  461. for (i = 0; i < outlen && i < s_inc[25]; i++) {
  462. /* There are s_inc[25] bytes left, so r - s_inc[25] is the first
  463. available byte. We consume from there, i.e., up to r. */
  464. h[i] = (uint8_t)(s_inc[(r - s_inc[25] + i) >> 3] >> (8 * ((r - s_inc[25] + i) & 0x07)));
  465. }
  466. h += i;
  467. outlen -= i;
  468. s_inc[25] -= i;
  469. /* Then squeeze the remaining necessary blocks */
  470. while (outlen > 0) {
  471. KeccakF1600_StatePermute(s_inc);
  472. for (i = 0; i < outlen && i < r; i++) {
  473. h[i] = (uint8_t)(s_inc[i >> 3] >> (8 * (i & 0x07)));
  474. }
  475. h += i;
  476. outlen -= i;
  477. s_inc[25] = r - i;
  478. }
  479. }
  480. void shake128_inc_init(shake128incctx *state) {
  481. keccak_inc_init(state->ctx);
  482. }
  483. void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen) {
  484. keccak_inc_absorb(state->ctx, SHAKE128_RATE, input, inlen);
  485. }
  486. void shake128_inc_finalize(shake128incctx *state) {
  487. keccak_inc_finalize(state->ctx, SHAKE128_RATE, 0x1F);
  488. }
  489. void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state) {
  490. keccak_inc_squeeze(output, outlen, state->ctx, SHAKE128_RATE);
  491. }
  492. void shake256_inc_init(shake256incctx *state) {
  493. keccak_inc_init(state->ctx);
  494. }
  495. void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen) {
  496. keccak_inc_absorb(state->ctx, SHAKE256_RATE, input, inlen);
  497. }
  498. void shake256_inc_finalize(shake256incctx *state) {
  499. keccak_inc_finalize(state->ctx, SHAKE256_RATE, 0x1F);
  500. }
  501. void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) {
  502. keccak_inc_squeeze(output, outlen, state->ctx, SHAKE256_RATE);
  503. }
  504. /*************************************************
  505. * Name: shake128_absorb
  506. *
  507. * Description: Absorb step of the SHAKE128 XOF.
  508. * non-incremental, starts by zeroeing the state.
  509. *
  510. * Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state
  511. * - const uint8_t *input: pointer to input to be absorbed
  512. * into s
  513. * - size_t inlen: length of input in bytes
  514. **************************************************/
  515. void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen) {
  516. keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F);
  517. }
  518. /*************************************************
  519. * Name: shake128_squeezeblocks
  520. *
  521. * Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of
  522. * SHAKE128_RATE bytes each. Modifies the state. Can be called
  523. * multiple times to keep squeezing, i.e., is incremental.
  524. *
  525. * Arguments: - uint8_t *output: pointer to output blocks
  526. * - size_t nblocks: number of blocks to be squeezed
  527. * (written to output)
  528. * - shake128ctx *state: pointer to input/output Keccak state
  529. **************************************************/
  530. void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) {
  531. keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE);
  532. }
  533. /*************************************************
  534. * Name: shake256_absorb
  535. *
  536. * Description: Absorb step of the SHAKE256 XOF.
  537. * non-incremental, starts by zeroeing the state.
  538. *
  539. * Arguments: - shake256ctx *state: pointer to (uninitialized) output Keccak state
  540. * - const uint8_t *input: pointer to input to be absorbed
  541. * into s
  542. * - size_t inlen: length of input in bytes
  543. **************************************************/
  544. void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen) {
  545. keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F);
  546. }
  547. /*************************************************
  548. * Name: shake256_squeezeblocks
  549. *
  550. * Description: Squeeze step of SHAKE256 XOF. Squeezes full blocks of
  551. * SHAKE256_RATE bytes each. Modifies the state. Can be called
  552. * multiple times to keep squeezing, i.e., is incremental.
  553. *
  554. * Arguments: - uint8_t *output: pointer to output blocks
  555. * - size_t nblocks: number of blocks to be squeezed
  556. * (written to output)
  557. * - shake256ctx *state: pointer to input/output Keccak state
  558. **************************************************/
  559. void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state) {
  560. keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE);
  561. }
  562. /*************************************************
  563. * Name: shake128
  564. *
  565. * Description: SHAKE128 XOF with non-incremental API
  566. *
  567. * Arguments: - uint8_t *output: pointer to output
  568. * - size_t outlen: requested output length in bytes
  569. * - const uint8_t *input: pointer to input
  570. * - size_t inlen: length of input in bytes
  571. **************************************************/
  572. void shake128(uint8_t *output, size_t outlen,
  573. const uint8_t *input, size_t inlen) {
  574. size_t nblocks = outlen / SHAKE128_RATE;
  575. uint8_t t[SHAKE128_RATE];
  576. shake128ctx s;
  577. shake128_absorb(&s, input, inlen);
  578. shake128_squeezeblocks(output, nblocks, &s);
  579. output += nblocks * SHAKE128_RATE;
  580. outlen -= nblocks * SHAKE128_RATE;
  581. if (outlen) {
  582. shake128_squeezeblocks(t, 1, &s);
  583. for (size_t i = 0; i < outlen; ++i) {
  584. output[i] = t[i];
  585. }
  586. }
  587. }
  588. /*************************************************
  589. * Name: shake256
  590. *
  591. * Description: SHAKE256 XOF with non-incremental API
  592. *
  593. * Arguments: - uint8_t *output: pointer to output
  594. * - size_t outlen: requested output length in bytes
  595. * - const uint8_t *input: pointer to input
  596. * - size_t inlen: length of input in bytes
  597. **************************************************/
  598. void shake256(uint8_t *output, size_t outlen,
  599. const uint8_t *input, size_t inlen) {
  600. size_t nblocks = outlen / SHAKE256_RATE;
  601. uint8_t t[SHAKE256_RATE];
  602. shake256ctx s;
  603. shake256_absorb(&s, input, inlen);
  604. shake256_squeezeblocks(output, nblocks, &s);
  605. output += nblocks * SHAKE256_RATE;
  606. outlen -= nblocks * SHAKE256_RATE;
  607. if (outlen) {
  608. shake256_squeezeblocks(t, 1, &s);
  609. for (size_t i = 0; i < outlen; ++i) {
  610. output[i] = t[i];
  611. }
  612. }
  613. }
  614. void sha3_256_inc_init(sha3_256incctx *state) {
  615. keccak_inc_init(state->ctx);
  616. }
  617. void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen) {
  618. keccak_inc_absorb(state->ctx, SHA3_256_RATE, input, inlen);
  619. }
  620. void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state) {
  621. uint8_t t[SHA3_256_RATE];
  622. keccak_inc_finalize(state->ctx, SHA3_256_RATE, 0x06);
  623. keccak_squeezeblocks(t, 1, state->ctx, SHA3_256_RATE);
  624. for (size_t i = 0; i < 32; i++) {
  625. output[i] = t[i];
  626. }
  627. }
  628. /*************************************************
  629. * Name: sha3_256
  630. *
  631. * Description: SHA3-256 with non-incremental API
  632. *
  633. * Arguments: - uint8_t *output: pointer to output
  634. * - const uint8_t *input: pointer to input
  635. * - size_t inlen: length of input in bytes
  636. **************************************************/
  637. void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen) {
  638. uint64_t s[25];
  639. uint8_t t[SHA3_256_RATE];
  640. /* Absorb input */
  641. keccak_absorb(s, SHA3_256_RATE, input, inlen, 0x06);
  642. /* Squeeze output */
  643. keccak_squeezeblocks(t, 1, s, SHA3_256_RATE);
  644. for (size_t i = 0; i < 32; i++) {
  645. output[i] = t[i];
  646. }
  647. }
  648. void sha3_384_inc_init(sha3_384incctx *state) {
  649. keccak_inc_init(state->ctx);
  650. }
  651. void sha3_384_inc_absorb(sha3_384incctx *state, const uint8_t *input, size_t inlen) {
  652. keccak_inc_absorb(state->ctx, SHA3_384_RATE, input, inlen);
  653. }
  654. void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state) {
  655. uint8_t t[SHA3_384_RATE];
  656. keccak_inc_finalize(state->ctx, SHA3_384_RATE, 0x06);
  657. keccak_squeezeblocks(t, 1, state->ctx, SHA3_384_RATE);
  658. for (size_t i = 0; i < 48; i++) {
  659. output[i] = t[i];
  660. }
  661. }
  662. /*************************************************
  663. * Name: sha3_384
  664. *
  665. * Description: SHA3-256 with non-incremental API
  666. *
  667. * Arguments: - uint8_t *output: pointer to output
  668. * - const uint8_t *input: pointer to input
  669. * - size_t inlen: length of input in bytes
  670. **************************************************/
  671. void sha3_384(uint8_t *output, const uint8_t *input, size_t inlen) {
  672. uint64_t s[25];
  673. uint8_t t[SHA3_384_RATE];
  674. /* Absorb input */
  675. keccak_absorb(s, SHA3_384_RATE, input, inlen, 0x06);
  676. /* Squeeze output */
  677. keccak_squeezeblocks(t, 1, s, SHA3_384_RATE);
  678. for (size_t i = 0; i < 48; i++) {
  679. output[i] = t[i];
  680. }
  681. }
  682. void sha3_512_inc_init(sha3_512incctx *state) {
  683. keccak_inc_init(state->ctx);
  684. }
  685. void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen) {
  686. keccak_inc_absorb(state->ctx, SHA3_512_RATE, input, inlen);
  687. }
  688. void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state) {
  689. uint8_t t[SHA3_512_RATE];
  690. keccak_inc_finalize(state->ctx, SHA3_512_RATE, 0x06);
  691. keccak_squeezeblocks(t, 1, state->ctx, SHA3_512_RATE);
  692. for (size_t i = 0; i < 64; i++) {
  693. output[i] = t[i];
  694. }
  695. }
  696. /*************************************************
  697. * Name: sha3_512
  698. *
  699. * Description: SHA3-512 with non-incremental API
  700. *
  701. * Arguments: - uint8_t *output: pointer to output
  702. * - const uint8_t *input: pointer to input
  703. * - size_t inlen: length of input in bytes
  704. **************************************************/
  705. void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen) {
  706. uint64_t s[25];
  707. uint8_t t[SHA3_512_RATE];
  708. /* Absorb input */
  709. keccak_absorb(s, SHA3_512_RATE, input, inlen, 0x06);
  710. /* Squeeze output */
  711. keccak_squeezeblocks(t, 1, s, SHA3_512_RATE);
  712. for (size_t i = 0; i < 64; i++) {
  713. output[i] = t[i];
  714. }
  715. }