Let us walk on the 3-isogeny graph
Loading...
Searching...
No Matches
fips202.c
Go to the documentation of this file.
1/* Based on the public domain implementation in
2 * crypto_hash/keccakc512/simple/ from http://bench.cr.yp.to/supercop.html
3 * by Ronny Van Keer
4 * and the public domain "TweetFips202" implementation
5 * from https://twitter.com/tweetfips202
6 * by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe */
7
8#include <stddef.h>
9#include <stdint.h>
10#include <string.h>
11
12#include "fips202.h"
13#include "keccakf1600.h"
14
15#define NROUNDS 24
16#define ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset))))
17
18#ifdef PROFILE_HASHING
19#include "hal.h"
20extern unsigned long long hash_cycles;
21#endif
22
23
24/*************************************************
25 * Name: keccak_absorb
26 *
27 * Description: Absorb step of Keccak;
28 * non-incremental, starts by zeroeing the state.
29 *
30 * Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state
31 * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
32 * - const uint8_t *m: pointer to input to be absorbed into s
33 * - size_t mlen: length of input in bytes
34 * - uint8_t p: domain-separation byte for different Keccak-derived functions
35 **************************************************/
36static void keccak_absorb(uint64_t *s,
37 uint32_t r,
38 const uint8_t *m, size_t mlen,
39 uint8_t p)
40{
41 while (mlen >= r)
42 {
43 KeccakF1600_StateXORBytes(s, m, 0, r);
44 KeccakF1600_StatePermute(s);
45 mlen -= r;
46 m += r;
47 }
48
49 if(mlen > 0){
50 KeccakF1600_StateXORBytes(s, m, 0, mlen);
51 }
52
53 if(mlen == r-1){
54 p |= 128;
55 KeccakF1600_StateXORBytes(s, &p, mlen, 1);
56 } else {
57 KeccakF1600_StateXORBytes(s, &p, mlen, 1);
58 p = 128;
59 KeccakF1600_StateXORBytes(s, &p, r-1, 1);
60 }
61}
62
63
64/*************************************************
65 * Name: keccak_squeezeblocks
66 *
67 * Description: Squeeze step of Keccak. Squeezes full blocks of r bytes each.
68 * Modifies the state. Can be called multiple times to keep squeezing,
69 * i.e., is incremental.
70 *
71 * Arguments: - uint8_t *h: pointer to output blocks
72 * - size_t nblocks: number of blocks to be squeezed (written to h)
73 * - uint64_t *s: pointer to in/output Keccak state
74 * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
75 **************************************************/
76static void keccak_squeezeblocks(uint8_t *h, size_t nblocks,
77 uint64_t *s,
78 uint32_t r)
79{
80 while(nblocks > 0)
81 {
82 KeccakF1600_StatePermute(s);
83 KeccakF1600_StateExtractBytes(s, h, 0, r);
84 h += r;
85 nblocks--;
86 }
87}
88
89/*************************************************
90 * Name: keccak_inc_init
91 *
92 * Description: Initializes the incremental Keccak state to zero.
93 *
94 * Arguments: - uint64_t *s_inc: pointer to input/output incremental state
95 * First 25 values represent Keccak state.
96 * 26th value represents either the number of absorbed bytes
97 * that have not been permuted, or not-yet-squeezed bytes.
98 **************************************************/
99static void keccak_inc_init(uint64_t *s_inc) {
100 size_t i;
101
102 for (i = 0; i < 25; ++i) {
103 s_inc[i] = 0;
104 }
105 s_inc[25] = 0;
106}
107/*************************************************
108 * Name: keccak_inc_absorb
109 *
110 * Description: Incremental keccak absorb
111 * Preceded by keccak_inc_init, succeeded by keccak_inc_finalize
112 *
113 * Arguments: - uint64_t *s_inc: pointer to input/output incremental state
114 * First 25 values represent Keccak state.
115 * 26th value represents either the number of absorbed bytes
116 * that have not been permuted, or not-yet-squeezed bytes.
117 * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
118 * - const uint8_t *m: pointer to input to be absorbed into s_inc
119 * - size_t mlen: length of input in bytes
120 **************************************************/
121static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m,
122 size_t mlen) {
123 /* Recall that s_inc[25] is the non-absorbed bytes xored into the state */
124 while (mlen + s_inc[25] >= r) {
125
126 KeccakF1600_StateXORBytes(s_inc, m, s_inc[25], r-s_inc[25]);
127 mlen -= (size_t)(r - s_inc[25]);
128 m += r - s_inc[25];
129 s_inc[25] = 0;
130
131 KeccakF1600_StatePermute(s_inc);
132 }
133
134 KeccakF1600_StateXORBytes(s_inc, m, s_inc[25], mlen);
135 s_inc[25] += mlen;
136}
137
138/*************************************************
139 * Name: keccak_inc_finalize
140 *
141 * Description: Finalizes Keccak absorb phase, prepares for squeezing
142 *
143 * Arguments: - uint64_t *s_inc: pointer to input/output incremental state
144 * First 25 values represent Keccak state.
145 * 26th value represents either the number of absorbed bytes
146 * that have not been permuted, or not-yet-squeezed bytes.
147 * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
148 * - uint8_t p: domain-separation byte for different
149 * Keccak-derived functions
150 **************************************************/
151static void keccak_inc_finalize(uint64_t *s_inc, uint32_t r, uint8_t p) {
152 /* After keccak_inc_absorb, we are guaranteed that s_inc[25] < r,
153 so we can always use one more byte for p in the current state. */
154 if(s_inc[25] == r-1){
155 p |= 128;
156 KeccakF1600_StateXORBytes(s_inc, &p, s_inc[25], 1);
157 } else {
158 KeccakF1600_StateXORBytes(s_inc, &p, s_inc[25], 1);
159 p = 128;
160 KeccakF1600_StateXORBytes(s_inc, &p, r-1, 1);
161 }
162 s_inc[25] = 0;
163}
164
165/*************************************************
166 * Name: keccak_inc_squeeze
167 *
168 * Description: Incremental Keccak squeeze; can be called on byte-level
169 *
170 * Arguments: - uint8_t *h: pointer to output bytes
171 * - size_t outlen: number of bytes to be squeezed
172 * - uint64_t *s_inc: pointer to input/output incremental state
173 * First 25 values represent Keccak state.
174 * 26th value represents either the number of absorbed bytes
175 * that have not been permuted, or not-yet-squeezed bytes.
176 * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
177 **************************************************/
178static void keccak_inc_squeeze(uint8_t *h, size_t outlen,
179 uint64_t *s_inc, uint32_t r) {
180 size_t len;
181 if(outlen < s_inc[25])
182 {
183 len = outlen;
184 }
185 else
186 {
187 len = s_inc[25];
188 }
189
190 KeccakF1600_StateExtractBytes(s_inc, h, r-s_inc[25], len);
191 h += len;
192 outlen -= len;
193 s_inc[25] -= len;
194
195 /* Then squeeze the remaining necessary blocks */
196 while (outlen > 0) {
197 KeccakF1600_StatePermute(s_inc);
198
199 if(outlen < r)
200 {
201 len = outlen;
202 }
203 else
204 {
205 len = r;
206 }
207 KeccakF1600_StateExtractBytes(s_inc, h, 0, len);
208 h += len;
209 outlen -= len;
210 s_inc[25] = r - len;
211 }
212}
213
214void shake128_inc_init(shake128incctx *state) {
215#ifdef PROFILE_HASHING
216 uint64_t t0 = hal_get_time();
217#endif
218 keccak_inc_init(state->ctx);
219#ifdef PROFILE_HASHING
220 uint64_t t1 = hal_get_time();
221 hash_cycles += (t1-t0);
222#endif
223}
224
225void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen) {
226#ifdef PROFILE_HASHING
227 uint64_t t0 = hal_get_time();
228#endif
229 keccak_inc_absorb(state->ctx, SHAKE128_RATE, input, inlen);
230#ifdef PROFILE_HASHING
231 uint64_t t1 = hal_get_time();
232 hash_cycles += (t1-t0);
233#endif
234}
235
236void shake128_inc_finalize(shake128incctx *state) {
237#ifdef PROFILE_HASHING
238 uint64_t t0 = hal_get_time();
239#endif
240 keccak_inc_finalize(state->ctx, SHAKE128_RATE, 0x1F);
241#ifdef PROFILE_HASHING
242 uint64_t t1 = hal_get_time();
243 hash_cycles += (t1-t0);
244#endif
245}
246
247void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state) {
248#ifdef PROFILE_HASHING
249 uint64_t t0 = hal_get_time();
250#endif
251 keccak_inc_squeeze(output, outlen, state->ctx, SHAKE128_RATE);
252#ifdef PROFILE_HASHING
253 uint64_t t1 = hal_get_time();
254 hash_cycles += (t1-t0);
255#endif
256}
257
258void shake128_inc_ctx_clone(shake128incctx* dest, const shake128incctx *src) {
259 memcpy(dest, src, sizeof(shake128incctx));
260}
261
262void shake128_inc_ctx_release(shake128incctx *state) {
263 (void) state;
264}
265
266void shake256_inc_init(shake256incctx *state) {
267#ifdef PROFILE_HASHING
268 uint64_t t0 = hal_get_time();
269#endif
270 keccak_inc_init(state->ctx);
271#ifdef PROFILE_HASHING
272 uint64_t t1 = hal_get_time();
273 hash_cycles += (t1-t0);
274#endif
275}
276
277void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen) {
278#ifdef PROFILE_HASHING
279 uint64_t t0 = hal_get_time();
280#endif
281 keccak_inc_absorb(state->ctx, SHAKE256_RATE, input, inlen);
282#ifdef PROFILE_HASHING
283 uint64_t t1 = hal_get_time();
284 hash_cycles += (t1-t0);
285#endif
286}
287
288void shake256_inc_finalize(shake256incctx *state) {
289#ifdef PROFILE_HASHING
290 uint64_t t0 = hal_get_time();
291#endif
292 keccak_inc_finalize(state->ctx, SHAKE256_RATE, 0x1F);
293#ifdef PROFILE_HASHING
294 uint64_t t1 = hal_get_time();
295 hash_cycles += (t1-t0);
296#endif
297}
298
299void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) {
300#ifdef PROFILE_HASHING
301 uint64_t t0 = hal_get_time();
302#endif
303 keccak_inc_squeeze(output, outlen, state->ctx, SHAKE256_RATE);
304#ifdef PROFILE_HASHING
305 uint64_t t1 = hal_get_time();
306 hash_cycles += (t1-t0);
307#endif
308}
309
310void shake256_inc_ctx_clone(shake256incctx* dest, const shake256incctx *src) {
311 memcpy(dest, src, sizeof(shake256incctx));
312}
313
314void shake256_inc_ctx_release(shake256incctx *state) {
315 (void) state;
316}
317
318/********** cSHAKE128 ***********/
319
320void cshake128_simple_absorb(shake128ctx *state, uint16_t cstm, const uint8_t *in, size_t inlen)
321{
322#ifdef PROFILE_HASHING
323 uint64_t t0 = hal_get_time();
324#endif
325
326
327 uint8_t sep[8];
328 size_t i;
329
330 for (i = 0; i < 25; i++)
331 state->ctx[i] = 0;
332
333 /* Absorb customization (domain-separation) string */
334 sep[0] = 0x01;
335 sep[1] = 0xa8;
336 sep[2] = 0x01;
337 sep[3] = 0x00;
338 sep[4] = 0x01;
339 sep[5] = 16; // fixed bitlen of cstm
340 sep[6] = cstm & 0xff;
341 sep[7] = cstm >> 8;
342
343 KeccakF1600_StateXORBytes(state->ctx, sep, 0, 8);
344 KeccakF1600_StatePermute(state->ctx);
345
346 /* Absorb input */
347 keccak_absorb(state->ctx, SHAKE128_RATE, in, inlen, 0x04);
348
349#ifdef PROFILE_HASHING
350 uint64_t t1 = hal_get_time();
351 hash_cycles += (t1-t0);
352#endif
353
354}
355
356
357void cshake128_simple_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state)
358{
359#ifdef PROFILE_HASHING
360 uint64_t t0 = hal_get_time();
361#endif
362 keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE);
363#ifdef PROFILE_HASHING
364 uint64_t t1 = hal_get_time();
365 hash_cycles += (t1-t0);
366#endif
367}
368
369
370void cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *in, size_t inlen)
371{
372 shake128incctx state;
373 uint8_t sep[8];
374#ifdef PROFILE_HASHING
375 uint64_t t0 = hal_get_time();
376#endif
377
378 keccak_inc_init(state.ctx);
379
380 /* Absorb customization (domain-separation) string */
381 sep[0] = 0x01;
382 sep[1] = 0xa8;
383 sep[2] = 0x01;
384 sep[3] = 0x00;
385 sep[4] = 0x01;
386 sep[5] = 16; // fixed bitlen of cstm
387 sep[6] = cstm & 0xff;
388 sep[7] = cstm >> 8;
389
390 KeccakF1600_StateXORBytes(state.ctx, sep, 0, 8);
391 KeccakF1600_StatePermute(state.ctx);
392
393 /* Absorb input */
394 keccak_inc_absorb(state.ctx, SHAKE128_RATE, in, inlen);
395 keccak_inc_finalize(state.ctx, SHAKE128_RATE, 0x04);
396
397 /* Squeeze output */
398 keccak_inc_squeeze(output, outlen, state.ctx, SHAKE128_RATE);
399#ifdef PROFILE_HASHING
400 uint64_t t1 = hal_get_time();
401 hash_cycles += (t1-t0);
402#endif
403}
404
405
406
407/*************************************************
408 * Name: shake128_absorb
409 *
410 * Description: Absorb step of the SHAKE128 XOF.
411 * non-incremental, starts by zeroeing the state.
412 *
413 * Arguments: - uint64_t *state: pointer to (uninitialized) output Keccak state
414 * - const uint8_t *input: pointer to input to be absorbed into state
415 * - size_t inlen: length of input in bytes
416 **************************************************/
417void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen)
418{
419#ifdef PROFILE_HASHING
420 uint64_t t0 = hal_get_time();
421#endif
422 int i;
423 for (i = 0; i < 25; i++)
424 state->ctx[i] = 0;
425
426 keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F);
427#ifdef PROFILE_HASHING
428 uint64_t t1 = hal_get_time();
429 hash_cycles += (t1-t0);
430#endif
431}
432
433/*************************************************
434 * Name: shake128_squeezeblocks
435 *
436 * Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of SHAKE128_RATE bytes each.
437 * Modifies the state. Can be called multiple times to keep squeezing,
438 * i.e., is incremental.
439 *
440 * Arguments: - uint8_t *output: pointer to output blocks
441 * - size_t nblocks: number of blocks to be squeezed (written to output)
442 * - shake128ctx *state: pointer to in/output Keccak state
443 **************************************************/
444void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state)
445{
446#ifdef PROFILE_HASHING
447 uint64_t t0 = hal_get_time();
448#endif
449 keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE);
450#ifdef PROFILE_HASHING
451 uint64_t t1 = hal_get_time();
452 hash_cycles += (t1-t0);
453#endif
454}
455
456void shake128(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen)
457{
458#ifdef PROFILE_HASHING
459 uint64_t t0 = hal_get_time();
460#endif
461 shake128incctx state;
462
463 keccak_inc_init(state.ctx);
464
465 /* Absorb input */
466 keccak_inc_absorb(state.ctx, SHAKE128_RATE, input, inlen);
467 keccak_inc_finalize(state.ctx, SHAKE128_RATE, 0x1F);
468
469 /* Squeeze output */
470 keccak_inc_squeeze(output, outlen, state.ctx, SHAKE128_RATE);
471#ifdef PROFILE_HASHING
472 uint64_t t1 = hal_get_time();
473 hash_cycles += (t1-t0);
474#endif
475}
476
477void shake128_ctx_release(shake128ctx *state) {
478 (void) state;
479}
480void shake128_ctx_clone(shake128ctx *dest, const shake128ctx *src) {
481 memcpy(dest, src, sizeof(shake128ctx));
482}
483
484void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen)
485{
486#ifdef PROFILE_HASHING
487 uint64_t t0 = hal_get_time();
488#endif
489 int i;
490 for (i = 0; i < 25; i++)
491 state->ctx[i] = 0;
492
493 keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F);
494#ifdef PROFILE_HASHING
495 uint64_t t1 = hal_get_time();
496 hash_cycles += (t1-t0);
497#endif
498}
499
500
501void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state)
502{
503#ifdef PROFILE_HASHING
504 uint64_t t0 = hal_get_time();
505#endif
506 keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE);
507#ifdef PROFILE_HASHING
508 uint64_t t1 = hal_get_time();
509 hash_cycles += (t1-t0);
510#endif
511}
512
513/*************************************************
514 * Name: shake256
515 *
516 * Description: SHAKE256 XOF with non-incremental API
517 *
518 * Arguments: - uint8_t *output: pointer to output
519 * - size_t outlen: requested output length in bytes
520 * - const uint8_t *input: pointer to input
521 * - size_t inlen: length of input in bytes
522 **************************************************/
523void shake256(uint8_t *output, size_t outlen,
524 const uint8_t *input, size_t inlen)
525{
526#ifdef PROFILE_HASHING
527 uint64_t t0 = hal_get_time();
528#endif
529 shake256incctx state;
530
531 keccak_inc_init(state.ctx);
532
533 /* Absorb input */
534 keccak_inc_absorb(state.ctx, SHAKE256_RATE, input, inlen);
535 keccak_inc_finalize(state.ctx, SHAKE256_RATE, 0x1F);
536
537 /* Squeeze output */
538 keccak_inc_squeeze(output, outlen, state.ctx, SHAKE256_RATE);
539#ifdef PROFILE_HASHING
540 uint64_t t1 = hal_get_time();
541 hash_cycles += (t1-t0);
542#endif
543}
544
545void shake256_ctx_release(shake256ctx *state) {
546 (void) state;
547}
548
549void shake256_ctx_clone(shake256ctx *dest, const shake256ctx *src) {
550 memcpy(dest, src, sizeof(shake256ctx));
551}
552
553
554/*************************************************
555 * Name: sha3_256
556 *
557 * Description: SHA3-256 with non-incremental API
558 *
559 * Arguments: - uint8_t *output: pointer to output
560 * - const uint8_t *input: pointer to input
561 * - size_t inlen: length of input in bytes
562 **************************************************/
563void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen)
564{
565#ifdef PROFILE_HASHING
566 uint64_t t0 = hal_get_time();
567#endif
568 sha3_256incctx state;
569 keccak_inc_init(state.ctx);
570
571 /* Absorb input */
572 keccak_inc_absorb(state.ctx, SHA3_256_RATE, input, inlen);
573 keccak_inc_finalize(state.ctx, SHA3_256_RATE, 0x06);
574
575 /* Squeeze output */
576 keccak_inc_squeeze(output, 32, state.ctx, SHA3_256_RATE);
577#ifdef PROFILE_HASHING
578 uint64_t t1 = hal_get_time();
579 hash_cycles += (t1-t0);
580#endif
581}
582void sha3_256_inc_init(sha3_256incctx *state) {
583#ifdef PROFILE_HASHING
584 uint64_t t0 = hal_get_time();
585#endif
586 keccak_inc_init(state->ctx);
587#ifdef PROFILE_HASHING
588 uint64_t t1 = hal_get_time();
589 hash_cycles += (t1-t0);
590#endif
591}
592
593void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen) {
594#ifdef PROFILE_HASHING
595 uint64_t t0 = hal_get_time();
596#endif
597 keccak_inc_absorb(state->ctx, SHA3_256_RATE, input, inlen);
598#ifdef PROFILE_HASHING
599 uint64_t t1 = hal_get_time();
600 hash_cycles += (t1-t0);
601#endif
602}
603
604void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state) {
605#ifdef PROFILE_HASHING
606 uint64_t t0 = hal_get_time();
607#endif
608 uint8_t t[SHA3_256_RATE];
609 keccak_inc_finalize(state->ctx, SHA3_256_RATE, 0x06);
610
611 keccak_squeezeblocks(t, 1, state->ctx, SHA3_256_RATE);
612
613 for (size_t i = 0; i < 32; i++) {
614 output[i] = t[i];
615 }
616#ifdef PROFILE_HASHING
617 uint64_t t1 = hal_get_time();
618 hash_cycles += (t1-t0);
619#endif
620}
621
622void sha3_256_inc_ctx_clone(sha3_256incctx *dest, const sha3_256incctx *src) {
623 memcpy(dest, src, sizeof(sha3_256incctx));
624}
625
626void sha3_256_inc_ctx_release(sha3_256incctx *state) {
627 (void) state;
628}
629
630void sha3_384_inc_init(sha3_384incctx *state) {
631#ifdef PROFILE_HASHING
632 uint64_t t0 = hal_get_time();
633#endif
634 keccak_inc_init(state->ctx);
635#ifdef PROFILE_HASHING
636 uint64_t t1 = hal_get_time();
637 hash_cycles += (t1-t0);
638#endif
639}
640
641void sha3_384_inc_absorb(sha3_384incctx *state, const uint8_t *input, size_t inlen) {
642#ifdef PROFILE_HASHING
643 uint64_t t0 = hal_get_time();
644#endif
645 keccak_inc_absorb(state->ctx, SHA3_384_RATE, input, inlen);
646#ifdef PROFILE_HASHING
647 uint64_t t1 = hal_get_time();
648 hash_cycles += (t1-t0);
649#endif
650}
651
652void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state) {
653#ifdef PROFILE_HASHING
654 uint64_t t0 = hal_get_time();
655#endif
656 uint8_t t[SHA3_384_RATE];
657 keccak_inc_finalize(state->ctx, SHA3_384_RATE, 0x06);
658
659 keccak_squeezeblocks(t, 1, state->ctx, SHA3_384_RATE);
660
661 for (size_t i = 0; i < 48; i++) {
662 output[i] = t[i];
663 }
664#ifdef PROFILE_HASHING
665 uint64_t t1 = hal_get_time();
666 hash_cycles += (t1-t0);
667#endif
668}
669
670void sha3_384_inc_ctx_clone(sha3_384incctx *dest, const sha3_384incctx *src) {
671 memcpy(dest, src, sizeof(sha3_384incctx));
672}
673
674void sha3_384_inc_ctx_release(sha3_384incctx *state) {
675 (void) state;
676}
677
678/*************************************************
679 * Name: sha3_384
680 *
681 * Description: SHA3-256 with non-incremental API
682 *
683 * Arguments: - uint8_t *output: pointer to output
684 * - const uint8_t *input: pointer to input
685 * - size_t inlen: length of input in bytes
686 **************************************************/
687void sha3_384(uint8_t *output, const uint8_t *input, size_t inlen) {
688#ifdef PROFILE_HASHING
689 uint64_t t0 = hal_get_time();
690#endif
691 sha3_384incctx state;
692 keccak_inc_init(state.ctx);
693
694 /* Absorb input */
695 keccak_inc_absorb(state.ctx, SHA3_384_RATE, input, inlen);
696 keccak_inc_finalize(state.ctx, SHA3_384_RATE, 0x06);
697
698 /* Squeeze output */
699 keccak_inc_squeeze(output, 48, state.ctx, SHA3_384_RATE);
700#ifdef PROFILE_HASHING
701 uint64_t t1 = hal_get_time();
702 hash_cycles += (t1-t0);
703#endif
704}
705/*************************************************
706 * Name: sha3_512
707 *
708 * Description: SHA3-512 with non-incremental API
709 *
710 * Arguments: - uint8_t *output: pointer to output
711 * - const uint8_t *input: pointer to input
712 * - size_t inlen: length of input in bytes
713 **************************************************/
714void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen)
715{
716#ifdef PROFILE_HASHING
717 uint64_t t0 = hal_get_time();
718#endif
719 sha3_512incctx state;
720 keccak_inc_init(state.ctx);
721
722 /* Absorb input */
723 keccak_inc_absorb(state.ctx, SHA3_512_RATE, input, inlen);
724 keccak_inc_finalize(state.ctx, SHA3_512_RATE, 0x06);
725
726 /* Squeeze output */
727 keccak_inc_squeeze(output, 64, state.ctx, SHA3_512_RATE);
728#ifdef PROFILE_HASHING
729 uint64_t t1 = hal_get_time();
730 hash_cycles += (t1-t0);
731#endif
732}
733void sha3_512_inc_init(sha3_512incctx *state) {
734#ifdef PROFILE_HASHING
735 uint64_t t0 = hal_get_time();
736#endif
737 keccak_inc_init(state->ctx);
738#ifdef PROFILE_HASHING
739 uint64_t t1 = hal_get_time();
740 hash_cycles += (t1-t0);
741#endif
742}
743
744void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen) {
745#ifdef PROFILE_HASHING
746 uint64_t t0 = hal_get_time();
747#endif
748 keccak_inc_absorb(state->ctx, SHA3_512_RATE, input, inlen);
749#ifdef PROFILE_HASHING
750 uint64_t t1 = hal_get_time();
751 hash_cycles += (t1-t0);
752#endif
753}
754
755void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state) {
756#ifdef PROFILE_HASHING
757 uint64_t t0 = hal_get_time();
758#endif
759 uint8_t t[SHA3_512_RATE];
760 keccak_inc_finalize(state->ctx, SHA3_512_RATE, 0x06);
761
762 keccak_squeezeblocks(t, 1, state->ctx, SHA3_512_RATE);
763
764 for (size_t i = 0; i < 64; i++) {
765 output[i] = t[i];
766 }
767#ifdef PROFILE_HASHING
768 uint64_t t1 = hal_get_time();
769 hash_cycles += (t1-t0);
770#endif
771}
772
773void sha3_512_inc_ctx_clone(sha3_512incctx *dest, const sha3_512incctx *src) {
774 memcpy(dest, src, sizeof(sha3_512incctx));
775}
776
777void sha3_512_inc_ctx_release(sha3_512incctx *state) {
778 (void) state;
779}
780
781/********** cSHAKE256 ***********/
782
783void cshake256_simple_absorb(shake256ctx *state, uint16_t cstm, const uint8_t *in, size_t inlen)
784{
785#ifdef PROFILE_HASHING
786 uint64_t t0 = hal_get_time();
787#endif
788 uint8_t sep[8];
789 size_t i;
790
791 for (i = 0; i < 25; i++)
792 state->ctx[i] = 0;
793
794 /* Absorb customization (domain-separation) string */
795 sep[0] = 0x01;
796 sep[1] = 0x88;
797 sep[2] = 0x01;
798 sep[3] = 0x00;
799 sep[4] = 0x01;
800 sep[5] = 16; // fixed bitlen of cstm
801 sep[6] = cstm & 0xff;
802 sep[7] = cstm >> 8;
803
804 KeccakF1600_StateXORBytes(state->ctx, sep, 0, 8);
805 KeccakF1600_StatePermute(state->ctx);
806
807 /* Absorb input */
808 keccak_absorb(state->ctx, SHAKE256_RATE, in, inlen, 0x04);
809#ifdef PROFILE_HASHING
810 uint64_t t1 = hal_get_time();
811 hash_cycles += (t1-t0);
812#endif
813}
814
815
816void cshake256_simple_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state)
817{
818#ifdef PROFILE_HASHING
819 uint64_t t0 = hal_get_time();
820#endif
821 keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE);
822#ifdef PROFILE_HASHING
823 uint64_t t1 = hal_get_time();
824 hash_cycles += (t1-t0);
825#endif
826}
827
828
829void cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *in, size_t inlen)
830{
831 shake256incctx state;
832 uint8_t sep[8];
833 #ifdef PROFILE_HASHING
834 uint64_t t0 = hal_get_time();
835 #endif
836
837
838 keccak_inc_init(state.ctx);
839
840 /* Absorb customization (domain-separation) string */
841 sep[0] = 0x01;
842 sep[1] = 0x88;
843 sep[2] = 0x01;
844 sep[3] = 0x00;
845 sep[4] = 0x01;
846 sep[5] = 16; // fixed bitlen of cstm
847 sep[6] = cstm & 0xff;
848 sep[7] = cstm >> 8;
849
850 KeccakF1600_StateXORBytes(state.ctx, sep, 0, 8);
851 KeccakF1600_StatePermute(state.ctx);
852
853 /* Absorb input */
854 keccak_inc_absorb(state.ctx, SHAKE256_RATE, in, inlen);
855 keccak_inc_finalize(state.ctx, SHAKE256_RATE, 0x04);
856
857 /* Squeeze output */
858 keccak_inc_squeeze(output, outlen, state.ctx, SHAKE256_RATE);
859#ifdef PROFILE_HASHING
860 uint64_t t1 = hal_get_time();
861 hash_cycles += (t1-t0);
862#endif
863}
cshake128_simple_absorb
void cshake128_simple_absorb(shake128ctx *state, uint16_t cstm, const uint8_t *in, size_t inlen)
Definition fips202.c:320
sha3_256_inc_ctx_clone
void sha3_256_inc_ctx_clone(sha3_256incctx *dest, const sha3_256incctx *src)
Definition fips202.c:622
shake256
void shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen)
Definition fips202.c:523
shake256_ctx_release
void shake256_ctx_release(shake256ctx *state)
Definition fips202.c:545
shake256_inc_finalize
void shake256_inc_finalize(shake256incctx *state)
Definition fips202.c:288
cshake256_simple_absorb
void cshake256_simple_absorb(shake256ctx *state, uint16_t cstm, const uint8_t *in, size_t inlen)
Definition fips202.c:783
sha3_384_inc_ctx_release
void sha3_384_inc_ctx_release(sha3_384incctx *state)
Definition fips202.c:674
shake128_inc_init
void shake128_inc_init(shake128incctx *state)
Definition fips202.c:214
shake128_inc_absorb
void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen)
Definition fips202.c:225
shake128_inc_squeeze
void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state)
Definition fips202.c:247
sha3_512_inc_init
void sha3_512_inc_init(sha3_512incctx *state)
Definition fips202.c:733
sha3_256_inc_absorb
void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen)
Definition fips202.c:593
sha3_384
void sha3_384(uint8_t *output, const uint8_t *input, size_t inlen)
Definition fips202.c:687
sha3_512_inc_absorb
void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen)
Definition fips202.c:744
shake128_inc_ctx_clone
void shake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src)
Definition fips202.c:258
sha3_512_inc_ctx_clone
void sha3_512_inc_ctx_clone(sha3_512incctx *dest, const sha3_512incctx *src)
Definition fips202.c:773
cshake256_simple
void cshake256_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *in, size_t inlen)
Definition fips202.c:829
shake128_ctx_clone
void shake128_ctx_clone(shake128ctx *dest, const shake128ctx *src)
Definition fips202.c:480
shake128_inc_ctx_release
void shake128_inc_ctx_release(shake128incctx *state)
Definition fips202.c:262
shake128_inc_finalize
void shake128_inc_finalize(shake128incctx *state)
Definition fips202.c:236
shake256_squeezeblocks
void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state)
Definition fips202.c:501
sha3_256_inc_finalize
void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state)
Definition fips202.c:604
shake256_ctx_clone
void shake256_ctx_clone(shake256ctx *dest, const shake256ctx *src)
Definition fips202.c:549
shake128_absorb
void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen)
Definition fips202.c:417
shake256_inc_ctx_clone
void shake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src)
Definition fips202.c:310
sha3_384_inc_ctx_clone
void sha3_384_inc_ctx_clone(sha3_384incctx *dest, const sha3_384incctx *src)
Definition fips202.c:670
sha3_384_inc_init
void sha3_384_inc_init(sha3_384incctx *state)
Definition fips202.c:630
shake128_squeezeblocks
void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state)
Definition fips202.c:444
sha3_512_inc_finalize
void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state)
Definition fips202.c:755
sha3_384_inc_finalize
void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state)
Definition fips202.c:652
cshake256_simple_squeezeblocks
void cshake256_simple_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state)
Definition fips202.c:816
shake256_inc_ctx_release
void shake256_inc_ctx_release(shake256incctx *state)
Definition fips202.c:314
shake128
void shake128(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen)
Definition fips202.c:456
shake256_inc_squeeze
void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state)
Definition fips202.c:299
sha3_256_inc_init
void sha3_256_inc_init(sha3_256incctx *state)
Definition fips202.c:582
sha3_512
void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen)
Definition fips202.c:714
sha3_512_inc_ctx_release
void sha3_512_inc_ctx_release(sha3_512incctx *state)
Definition fips202.c:777
sha3_384_inc_absorb
void sha3_384_inc_absorb(sha3_384incctx *state, const uint8_t *input, size_t inlen)
Definition fips202.c:641
shake256_inc_init
void shake256_inc_init(shake256incctx *state)
Definition fips202.c:266
shake128_ctx_release
void shake128_ctx_release(shake128ctx *state)
Definition fips202.c:477
shake256_inc_absorb
void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen)
Definition fips202.c:277
sha3_256
void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen)
Definition fips202.c:563
cshake128_simple_squeezeblocks
void cshake128_simple_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state)
Definition fips202.c:357
cshake128_simple
void cshake128_simple(uint8_t *output, size_t outlen, uint16_t cstm, const uint8_t *in, size_t inlen)
Definition fips202.c:370
sha3_256_inc_ctx_release
void sha3_256_inc_ctx_release(sha3_256incctx *state)
Definition fips202.c:626
shake256_absorb
void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen)
Definition fips202.c:484
SHAKE128_RATE
#define SHAKE128_RATE
Definition fips202.h:7
SHA3_384_RATE
#define SHA3_384_RATE
Definition fips202.h:10
SHA3_512_RATE
#define SHA3_512_RATE
Definition fips202.h:11
SHAKE256_RATE
#define SHAKE256_RATE
Definition fips202.h:8
SHA3_256_RATE
#define SHA3_256_RATE
Definition fips202.h:9
p
#define p
Definition fp-gmp.h:44
hal_get_time
uint64_t hal_get_time()
Definition hal-cortexa.c:10
KeccakF1600_StateExtractBytes
void KeccakF1600_StateExtractBytes(uint64_t *state, unsigned char *data, unsigned int offset, unsigned int length)
Definition keccakf1600.c:43
KeccakF1600_StateXORBytes
void KeccakF1600_StateXORBytes(uint64_t *state, const unsigned char *data, unsigned int offset, unsigned int length)
Definition keccakf1600.c:52
KeccakF1600_StatePermute
void KeccakF1600_StatePermute(uint64_t *state)
Definition keccakf1600.c:61
i
for i
Definition prime_search.m:10
sha3_256incctx
Definition fips202.h:35
sha3_256incctx::ctx
uint64_t ctx[26]
Definition fips202.h:36
sha3_384incctx
Definition fips202.h:40
sha3_384incctx::ctx
uint64_t ctx[26]
Definition fips202.h:41
sha3_512incctx
Definition fips202.h:45
sha3_512incctx::ctx
uint64_t ctx[26]
Definition fips202.h:46
shake128ctx::ctx
uint64_t ctx[25]
Definition fips202.h:21
shake128incctx::ctx
uint64_t ctx[26]
Definition fips202.h:16
shake256ctx::ctx
uint64_t ctx[25]
Definition fips202.h:31
shake256incctx::ctx
uint64_t ctx[26]
Definition fips202.h:26