sha3 0.2.2 → 1.0.2

data/Rakefile

@@ -1,43 +1,41 @@
-# encoding: utf-8
-
 require 'rubygems'
 require 'rake'
 
 begin
-  gem 'rubygems-tasks', '~> 0.2'
+  gem 'rubygems-tasks'
   require 'rubygems/tasks'
 
   Gem::Tasks.new
 rescue LoadError => e
   warn e.message
-  warn "Run `gem install rubygems-tasks` to install Gem::Tasks."
+  warn 'Run `gem install rubygems-tasks` to install Gem::Tasks.'
 end
 
 begin
-  gem 'rspec', '~> 2.4'
+  gem 'rspec'
   require 'rspec/core/rake_task'
 
   RSpec::Core::RakeTask.new
-rescue LoadError => e
+rescue LoadError
   task :spec do
-    abort "Please run `gem install rspec` to install RSpec."
+    abort 'Please run `gem install rspec` to install RSpec.'
   end
 end
 
-task :test    => :spec
-task :default => [:compile, :spec]
+task test: :spec
+task default: %i[compile spec]
 
 begin
-  gem 'yard', '~> 0.8'
+  gem 'yard'
   require 'yard'
 
-  YARD::Rake::YardocTask.new  
-rescue LoadError => e
+  YARD::Rake::YardocTask.new
+rescue LoadError
   task :yard do
-    abort "Please run `gem install yard` to install YARD."
+    abort 'Please run `gem install yard` to install YARD.'
   end
 end
-task :doc => :yard
+task doc: :yard
 
 begin
   gem 'rake-compiler'
@@ -47,11 +45,10 @@ begin
     ext.name = 'sha3_n'
     ext.ext_dir = 'ext/sha3'
     ext.tmp_dir = 'tmp'
-    ext.source_pattern = "*.{c}"
+    ext.source_pattern = '*.{c}'
   end
-rescue LoadError => e
+rescue LoadError
   task :compile do
-    abort "Please run `gem install rake-compiler` to install Rake-Compiler."
+    abort 'Please run `gem install rake-compiler` to install Rake-Compiler.'
   end
 end
-

data/ext/sha3/KeccakF-1600-interface.h

@@ -1,46 +1,40 @@
 /*
-The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
-Michaël Peeters and Gilles Van Assche. For more information, feedback or
-questions, please refer to our website: http://keccak.noekeon.org/
+Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni,
+Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby
+denoted as "the implementer".
 
-Implementation by the designers,
-hereby denoted as "the implementer".
+For more information, feedback or questions, please refer to our websites:
+http://keccak.noekeon.org/
+http://keyak.noekeon.org/
+http://ketje.noekeon.org/
 
 To the extent possible under law, the implementer has waived all copyright
 and related or neighboring rights to the source code in this file.
 http://creativecommons.org/publicdomain/zero/1.0/
 */
 
-#ifndef _KeccakPermutationInterface_h_
-#define _KeccakPermutationInterface_h_
+#ifndef _KeccakF1600Interface_h_
+#define _KeccakF1600Interface_h_
 
-#include "KeccakF-1600-int-set.h"
+#include <string.h>
 
-void KeccakInitialize( void );
-void KeccakInitializeState(unsigned char *state);
-void KeccakPermutation(unsigned char *state);
-#ifdef ProvideFast576
-void KeccakAbsorb576bits(unsigned char *state, const unsigned char *data);
-#endif
-#ifdef ProvideFast832
-void KeccakAbsorb832bits(unsigned char *state, const unsigned char *data);
-#endif
-#ifdef ProvideFast1024
-void KeccakAbsorb1024bits(unsigned char *state, const unsigned char *data);
-#endif
-#ifdef ProvideFast1088
-void KeccakAbsorb1088bits(unsigned char *state, const unsigned char *data);
-#endif
-#ifdef ProvideFast1152
-void KeccakAbsorb1152bits(unsigned char *state, const unsigned char *data);
-#endif
-#ifdef ProvideFast1344
-void KeccakAbsorb1344bits(unsigned char *state, const unsigned char *data);
-#endif
-void KeccakAbsorb(unsigned char *state, const unsigned char *data, unsigned int laneCount);
-#ifdef ProvideFast1024
-void KeccakExtract1024bits(const unsigned char *state, unsigned char *data);
-#endif
-void KeccakExtract(const unsigned char *state, unsigned char *data, unsigned int laneCount);
+#define KeccakF_width 1600
+#define KeccakF_laneInBytes 8
+#define KeccakF_stateSizeInBytes (KeccakF_width/8)
+#define KeccakF_1600
+
+void KeccakF1600_Initialize( void );
+void KeccakF1600_StateInitialize(void *state);
+void KeccakF1600_StateXORBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length);
+void KeccakF1600_StateOverwriteBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length);
+void KeccakF1600_StateOverwriteWithZeroes(void *state, unsigned int byteCount);
+void KeccakF1600_StateComplementBit(void *state, unsigned int position);
+void KeccakF1600_StatePermute(void *state);
+void KeccakF1600_StateExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length);
+void KeccakF1600_StateExtractAndXORBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length);
+size_t KeccakF1600_FBWL_Absorb(void *state, unsigned int laneCount, const unsigned char *data, size_t dataByteLen, unsigned char trailingBits);
+size_t KeccakF1600_FBWL_Squeeze(void *state, unsigned int laneCount, unsigned char *data, size_t dataByteLen);
+size_t KeccakF1600_FBWL_Wrap(void *state, unsigned int laneCount, const unsigned char *dataIn, unsigned char *dataOut, size_t dataByteLen, unsigned char trailingBits);
+size_t KeccakF1600_FBWL_Unwrap(void *state, unsigned int laneCount, const unsigned char *dataIn, unsigned char *dataOut, size_t dataByteLen, unsigned char trailingBits);
 
 #endif

data/ext/sha3/KeccakHash.c

@@ -0,0 +1,80 @@
+/*
+Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni,
+Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby
+denoted as "the implementer".
+
+For more information, feedback or questions, please refer to our websites:
+http://keccak.noekeon.org/
+http://keyak.noekeon.org/
+http://ketje.noekeon.org/
+
+To the extent possible under law, the implementer has waived all copyright
+and related or neighboring rights to the source code in this file.
+http://creativecommons.org/publicdomain/zero/1.0/
+*/
+
+#include <string.h>
+#include "KeccakHash.h"
+
+/* ---------------------------------------------------------------- */
+
+HashReturn Keccak_HashInitialize(Keccak_HashInstance *instance, unsigned int rate, unsigned int capacity, unsigned int hashbitlen, unsigned char delimitedSuffix)
+{
+    HashReturn result;
+
+    if (delimitedSuffix == 0)
+        return FAIL;
+    result = (HashReturn)Keccak_SpongeInitialize(&instance->sponge, rate, capacity);
+    if (result != SUCCESS)
+        return result;
+    instance->fixedOutputLength = hashbitlen;
+    instance->delimitedSuffix = delimitedSuffix;
+    return SUCCESS;
+}
+
+/* ---------------------------------------------------------------- */
+
+HashReturn Keccak_HashUpdate(Keccak_HashInstance *instance, const BitSequence *data, DataLength databitlen)
+{
+    if ((databitlen % 8) == 0)
+        return (HashReturn)Keccak_SpongeAbsorb(&instance->sponge, data, databitlen/8);
+    else {
+        HashReturn ret = (HashReturn)Keccak_SpongeAbsorb(&instance->sponge, data, databitlen/8);
+        if (ret == SUCCESS) {
+            // The last partial byte is assumed to be aligned on the least significant bits
+            unsigned char lastByte = data[databitlen/8];
+            // Concatenate the last few bits provided here with those of the suffix
+            unsigned short delimitedLastBytes = (unsigned short)lastByte | ((unsigned short)instance->delimitedSuffix << (databitlen % 8));
+            if ((delimitedLastBytes & 0xFF00) == 0x0000) {
+                instance->delimitedSuffix = delimitedLastBytes & 0xFF;
+            }
+            else {
+                unsigned char oneByte[1];
+                oneByte[0] = delimitedLastBytes & 0xFF;
+                ret = (HashReturn)Keccak_SpongeAbsorb(&instance->sponge, oneByte, 1);
+                instance->delimitedSuffix = (delimitedLastBytes >> 8) & 0xFF;
+            }
+        }
+        return ret;
+    }
+}
+
+/* ---------------------------------------------------------------- */
+
+HashReturn Keccak_HashFinal(Keccak_HashInstance *instance, BitSequence *hashval)
+{
+    HashReturn ret = (HashReturn)Keccak_SpongeAbsorbLastFewBits(&instance->sponge, instance->delimitedSuffix);
+    if (ret == SUCCESS)
+        return (HashReturn)Keccak_SpongeSqueeze(&instance->sponge, hashval, instance->fixedOutputLength/8);
+    else
+        return ret;
+}
+
+/* ---------------------------------------------------------------- */
+
+HashReturn Keccak_HashSqueeze(Keccak_HashInstance *instance, BitSequence *data, DataLength databitlen)
+{
+    if ((databitlen % 8) != 0)
+        return FAIL;
+    return (HashReturn)Keccak_SpongeSqueeze(&instance->sponge, data, databitlen/8);
+}

data/ext/sha3/KeccakHash.h

@@ -0,0 +1,110 @@
+/*
+Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni,
+Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby
+denoted as "the implementer".
+
+For more information, feedback or questions, please refer to our websites:
+http://keccak.noekeon.org/
+http://keyak.noekeon.org/
+http://ketje.noekeon.org/
+
+To the extent possible under law, the implementer has waived all copyright
+and related or neighboring rights to the source code in this file.
+http://creativecommons.org/publicdomain/zero/1.0/
+*/
+
+#ifndef _KeccakHashInterface_h_
+#define _KeccakHashInterface_h_
+
+#include "KeccakSponge.h"
+#include <string.h>
+
+typedef unsigned char BitSequence;
+typedef size_t DataLength;
+typedef enum { SUCCESS = 0, FAIL = 1, BAD_HASHLEN = 2 } HashReturn;
+
+typedef struct {
+    Keccak_SpongeInstance sponge;
+    unsigned int fixedOutputLength;
+    unsigned char delimitedSuffix;
+} Keccak_HashInstance;
+
+/**
+  * Function to initialize the Keccak[r, c] sponge function instance used in sequential hashing mode.
+  * @param  hashInstance    Pointer to the hash instance to be initialized.
+  * @param  rate        The value of the rate r.
+  * @param  capacity    The value of the capacity c.
+  * @param  hashbitlen  The desired number of output bits,
+  *                     or 0 for an arbitrarily-long output.
+  * @param  delimitedSuffix Bits that will be automatically appended to the end
+  *                         of the input message, as in domain separation.
+  *                         This is a byte containing from 0 to 7 bits
+  *                         formatted like the @a delimitedData parameter of
+  *                         the Keccak_SpongeAbsorbLastFewBits() function.
+  * @pre    One must have r+c=1600 and the rate a multiple of 8 bits in this implementation.
+  * @return SUCCESS if successful, FAIL otherwise.
+  */
+HashReturn Keccak_HashInitialize(Keccak_HashInstance *hashInstance, unsigned int rate, unsigned int capacity, unsigned int hashbitlen, unsigned char delimitedSuffix);
+
+/** Macro to initialize a SHAKE128 instance as specified in the FIPS 202 standard.
+  */
+#define Keccak_HashInitialize_SHAKE128(hashInstance)        Keccak_HashInitialize(hashInstance, 1344,  256,   0, 0x1F)
+
+/** Macro to initialize a SHAKE256 instance as specified in the FIPS 202 standard.
+  */
+#define Keccak_HashInitialize_SHAKE256(hashInstance)        Keccak_HashInitialize(hashInstance, 1088,  512,   0, 0x1F)
+
+/** Macro to initialize a SHA3-224 instance as specified in the FIPS 202 standard.
+  */
+#define Keccak_HashInitialize_SHA3_224(hashInstance)        Keccak_HashInitialize(hashInstance, 1152,  448, 224, 0x06)
+
+/** Macro to initialize a SHA3-256 instance as specified in the FIPS 202 standard.
+  */
+#define Keccak_HashInitialize_SHA3_256(hashInstance)        Keccak_HashInitialize(hashInstance, 1088,  512, 256, 0x06)
+
+/** Macro to initialize a SHA3-384 instance as specified in the FIPS 202 standard.
+  */
+#define Keccak_HashInitialize_SHA3_384(hashInstance)        Keccak_HashInitialize(hashInstance,  832,  768, 384, 0x06)
+
+/** Macro to initialize a SHA3-512 instance as specified in the FIPS 202 standard.
+  */
+#define Keccak_HashInitialize_SHA3_512(hashInstance)        Keccak_HashInitialize(hashInstance,  576, 1024, 512, 0x06)
+
+/**
+  * Function to give input data to be absorbed.
+  * @param  hashInstance    Pointer to the hash instance initialized by Keccak_HashInitialize().
+  * @param  data        Pointer to the input data.
+  *                     When @a databitLen is not a multiple of 8, the last bits of data must be
+  *                     in the least significant bits of the last byte (little-endian convention).
+  * @param  databitLen  The number of input bits provided in the input data.
+  * @pre    In the previous call to Keccak_HashUpdate(), databitlen was a multiple of 8.
+  * @return SUCCESS if successful, FAIL otherwise.
+  */
+HashReturn Keccak_HashUpdate(Keccak_HashInstance *hashInstance, const BitSequence *data, DataLength databitlen);
+
+/**
+  * Function to call after all input blocks have been input and to get
+  * output bits if the length was specified when calling Keccak_HashInitialize().
+  * @param  hashInstance    Pointer to the hash instance initialized by Keccak_HashInitialize().
+  * If @a hashbitlen was not 0 in the call to Keccak_HashInitialize(), the number of
+  *     output bits is equal to @a hashbitlen.
+  * If @a hashbitlen was 0 in the call to Keccak_HashInitialize(), the output bits
+  *     must be extracted using the Keccak_HashSqueeze() function.
+  * @param  state       Pointer to the state of the sponge function initialized by Init().
+  * @param  hashval     Pointer to the buffer where to store the output data.
+  * @return SUCCESS if successful, FAIL otherwise.
+  */
+HashReturn Keccak_HashFinal(Keccak_HashInstance *hashInstance, BitSequence *hashval);
+
+ /**
+  * Function to squeeze output data.
+  * @param  hashInstance    Pointer to the hash instance initialized by Keccak_HashInitialize().
+  * @param  data        Pointer to the buffer where to store the output data.
+  * @param  databitlen  The number of output bits desired (must be a multiple of 8).
+  * @pre    Keccak_HashFinal() must have been already called.
+  * @pre    @a databitlen is a multiple of 8.
+  * @return SUCCESS if successful, FAIL otherwise.
+  */
+HashReturn Keccak_HashSqueeze(Keccak_HashInstance *hashInstance, BitSequence *data, DataLength databitlen);
+
+#endif

data/ext/sha3/KeccakSponge.c

@@ -1,10 +1,12 @@
 /*
-The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
-Michaël Peeters and Gilles Van Assche. For more information, feedback or
-questions, please refer to our website: http://keccak.noekeon.org/
+Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni,
+Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby
+denoted as "the implementer".
 
-Implementation by the designers,
-hereby denoted as "the implementer".
+For more information, feedback or questions, please refer to our websites:
+http://keccak.noekeon.org/
+http://keyak.noekeon.org/
+http://ketje.noekeon.org/
 
 To the extent possible under law, the implementer has waived all copyright
 and related or neighboring rights to the source code in this file.
@@ -13,254 +15,178 @@ http://creativecommons.org/publicdomain/zero/1.0/
 
 #include <string.h>
 #include "KeccakSponge.h"
-#include "KeccakF-1600-interface.h"
+#include "SnP-interface.h"
 #ifdef KeccakReference
 #include "displayIntermediateValues.h"
 #endif
 
-int InitSponge(spongeState *state, unsigned int rate, unsigned int capacity)
+/* ---------------------------------------------------------------- */
+
+int Keccak_SpongeInitialize(Keccak_SpongeInstance *instance, unsigned int rate, unsigned int capacity)
 {
-    if (rate+capacity != 1600)
+    if (rate+capacity != SnP_width)
         return 1;
-    if ((rate <= 0) || (rate >= 1600) || ((rate % 64) != 0))
+    if ((rate <= 0) || (rate > SnP_width) || ((rate % 8) != 0))
         return 1;
-    KeccakInitialize();
-    state->rate = rate;
-    state->capacity = capacity;
-    state->fixedOutputLength = 0;
-    KeccakInitializeState(state->state);
-    memset(state->dataQueue, 0, KeccakMaximumRateInBytes);
-    state->bitsInQueue = 0;
-    state->squeezing = 0;
-    state->bitsAvailableForSqueezing = 0;
+    SnP_StaticInitialize();
+    SnP_Initialize(instance->state);
+    instance->rate = rate;
+    instance->byteIOIndex = 0;
+    instance->squeezing = 0;
 
     return 0;
 }
 
-void AbsorbQueue(spongeState *state)
-{
-    // state->bitsInQueue is assumed to be equal to state->rate
-    #ifdef KeccakReference
-    displayBytes(1, "Block to be absorbed", state->dataQueue, state->rate/8);
-    #endif
-#ifdef ProvideFast576
-    if (state->rate == 576)
-        KeccakAbsorb576bits(state->state, state->dataQueue);
-    else 
-#endif
-#ifdef ProvideFast832
-    if (state->rate == 832)
-        KeccakAbsorb832bits(state->state, state->dataQueue);
-    else 
-#endif
-#ifdef ProvideFast1024
-    if (state->rate == 1024)
-        KeccakAbsorb1024bits(state->state, state->dataQueue);
-    else 
-#endif
-#ifdef ProvideFast1088
-    if (state->rate == 1088)
-        KeccakAbsorb1088bits(state->state, state->dataQueue);
-    else
-#endif
-#ifdef ProvideFast1152
-    if (state->rate == 1152)
-        KeccakAbsorb1152bits(state->state, state->dataQueue);
-    else 
-#endif
-#ifdef ProvideFast1344
-    if (state->rate == 1344)
-        KeccakAbsorb1344bits(state->state, state->dataQueue);
-    else 
-#endif
-        KeccakAbsorb(state->state, state->dataQueue, state->rate/64);
-    state->bitsInQueue = 0;
-}
+/* ---------------------------------------------------------------- */
 
-int Absorb(spongeState *state, const unsigned char *data, unsigned long long databitlen)
+int Keccak_SpongeAbsorb(Keccak_SpongeInstance *instance, const unsigned char *data, size_t dataByteLen)
 {
-    unsigned long long i, j, wholeBlocks;
-    unsigned int partialBlock, partialByte;
+    size_t i, j;
+    unsigned int partialBlock;
     const unsigned char *curData;
+    unsigned int rateInBytes = instance->rate/8;
 
-    if ((state->bitsInQueue % 8) != 0)
-        return 1; // Only the last call may contain a partial byte
-    if (state->squeezing)
+    if (instance->squeezing)
         return 1; // Too late for additional input
 
     i = 0;
-    while(i < databitlen) {
-        if ((state->bitsInQueue == 0) && (databitlen >= state->rate) && (i <= (databitlen-state->rate))) {
-            wholeBlocks = (databitlen-i)/state->rate;
-            curData = data+i/8;
-#ifdef ProvideFast576
-            if (state->rate == 576) {
-                for(j=0; j<wholeBlocks; j++, curData+=576/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb576bits(state->state, curData);
-                }
-            }
-            else
-#endif
-#ifdef ProvideFast832
-            if (state->rate == 832) {
-                for(j=0; j<wholeBlocks; j++, curData+=832/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb832bits(state->state, curData);
-                }
+    curData = data;
+    while(i < dataByteLen) {
+        if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
+            // processing full blocks first
+            if ((rateInBytes % SnP_laneLengthInBytes) == 0) {
+                // fast lane: whole lane rate
+                j = SnP_FBWL_Absorb(instance->state, rateInBytes/SnP_laneLengthInBytes, curData, dataByteLen - i, 0);
+                i += j;
+                curData += j;
             }
-            else
-#endif
-#ifdef ProvideFast1024
-            if (state->rate == 1024) {
-                for(j=0; j<wholeBlocks; j++, curData+=1024/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb1024bits(state->state, curData);
-                }
-            }
-            else
-#endif
-#ifdef ProvideFast1088
-            if (state->rate == 1088) {
-                for(j=0; j<wholeBlocks; j++, curData+=1088/8) {
+            else {
+                for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
                     #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
+                    displayBytes(1, "Block to be absorbed", curData, rateInBytes);
                     #endif
-                    KeccakAbsorb1088bits(state->state, curData);
+                    SnP_XORBytes(instance->state, curData, 0, rateInBytes);
+                    SnP_Permute(instance->state);
+                    curData+=rateInBytes;
                 }
+                i = dataByteLen - j;
             }
-            else
-#endif
-#ifdef ProvideFast1152
-            if (state->rate == 1152) {
-                for(j=0; j<wholeBlocks; j++, curData+=1152/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb1152bits(state->state, curData);
-                }
-            }
-            else
-#endif
-#ifdef ProvideFast1344
-            if (state->rate == 1344) {
-                for(j=0; j<wholeBlocks; j++, curData+=1344/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb1344bits(state->state, curData);
-                }
-            }
-            else
-#endif
-            {
-                for(j=0; j<wholeBlocks; j++, curData+=state->rate/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb(state->state, curData, state->rate/64);
-                }
-            }
-            i += wholeBlocks*state->rate;
         }
         else {
-            partialBlock = (unsigned int)(databitlen - i);
-            if (partialBlock+state->bitsInQueue > state->rate)
-                partialBlock = state->rate-state->bitsInQueue;
-            partialByte = partialBlock % 8;
-            partialBlock -= partialByte;
-            memcpy(state->dataQueue+state->bitsInQueue/8, data+i/8, partialBlock/8);
-            state->bitsInQueue += partialBlock;
+            // normal lane: using the message queue
+            partialBlock = (unsigned int)(dataByteLen - i);
+            if (partialBlock+instance->byteIOIndex > rateInBytes)
+                partialBlock = rateInBytes-instance->byteIOIndex;
+            #ifdef KeccakReference
+            displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
+            #endif
             i += partialBlock;
-            if (state->bitsInQueue == state->rate)
-                AbsorbQueue(state);
-            if (partialByte > 0) {
-                unsigned char mask = (1 << partialByte)-1;
-                state->dataQueue[state->bitsInQueue/8] = data[i/8] & mask;
-                state->bitsInQueue += partialByte;
-                i += partialByte;
+
+            SnP_XORBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
+            curData += partialBlock;
+            instance->byteIOIndex += partialBlock;
+            if (instance->byteIOIndex == rateInBytes) {
+                SnP_Permute(instance->state);
+                instance->byteIOIndex = 0;
             }
         }
     }
     return 0;
 }
 
-void PadAndSwitchToSqueezingPhase(spongeState *state)
+/* ---------------------------------------------------------------- */
+
+int Keccak_SpongeAbsorbLastFewBits(Keccak_SpongeInstance *instance, unsigned char delimitedData)
 {
-    // Note: the bits are numbered from 0=LSB to 7=MSB
-    if (state->bitsInQueue + 1 == state->rate) {
-        state->dataQueue[state->bitsInQueue/8 ] |= 1 << (state->bitsInQueue % 8);
-        AbsorbQueue(state);
-        memset(state->dataQueue, 0, state->rate/8);
-    }
-    else {
-        memset(state->dataQueue + (state->bitsInQueue+7)/8, 0, state->rate/8 - (state->bitsInQueue+7)/8);
-        state->dataQueue[state->bitsInQueue/8 ] |= 1 << (state->bitsInQueue % 8);
-    }
-    state->dataQueue[(state->rate-1)/8] |= 1 << ((state->rate-1) % 8);
-    AbsorbQueue(state);
+    unsigned char delimitedData1[1];
+    unsigned int rateInBytes = instance->rate/8;
 
+    if (delimitedData == 0)
+        return 1;
+    if (instance->squeezing)
+        return 1; // Too late for additional input
+
+    delimitedData1[0] = delimitedData;
     #ifdef KeccakReference
-    displayText(1, "--- Switching to squeezing phase ---");
+    displayBytes(1, "Block to be absorbed (last few bits + first bit of padding)", delimitedData1, 1);
     #endif
-#ifdef ProvideFast1024
-    if (state->rate == 1024) {
-        KeccakExtract1024bits(state->state, state->dataQueue);
-        state->bitsAvailableForSqueezing = 1024;
-    }
-    else
-#endif
+    // Last few bits, whose delimiter coincides with first bit of padding
+    SnP_XORBytes(instance->state, delimitedData1, instance->byteIOIndex, 1);
+    // If the first bit of padding is at position rate-1, we need a whole new block for the second bit of padding
+    if ((delimitedData >= 0x80) && (instance->byteIOIndex == (rateInBytes-1)))
+        SnP_Permute(instance->state);
+    // Second bit of padding
+    SnP_ComplementBit(instance->state, rateInBytes*8-1);
+    #ifdef KeccakReference
     {
-        KeccakExtract(state->state, state->dataQueue, state->rate/64);
-        state->bitsAvailableForSqueezing = state->rate;
+        unsigned char block[SnP_width/8];
+        memset(block, 0, SnP_width/8);
+        block[rateInBytes-1] = 0x80;
+        displayBytes(1, "Second bit of padding", block, rateInBytes);
     }
+    #endif
+    SnP_Permute(instance->state);
+    instance->byteIOIndex = 0;
+    instance->squeezing = 1;
     #ifdef KeccakReference
-    displayBytes(1, "Block available for squeezing", state->dataQueue, state->bitsAvailableForSqueezing/8);
+    displayText(1, "--- Switching to squeezing phase ---");
     #endif
-    state->squeezing = 1;
+    return 0;
 }
 
-int Squeeze(spongeState *state, unsigned char *output, unsigned long long outputLength)
+/* ---------------------------------------------------------------- */
+
+int Keccak_SpongeSqueeze(Keccak_SpongeInstance *instance, unsigned char *data, size_t dataByteLen)
 {
-    unsigned long long i;
+    size_t i, j;
     unsigned int partialBlock;
+    unsigned int rateInBytes = instance->rate/8;
+    unsigned char *curData;
 
-    if (!state->squeezing)
-        PadAndSwitchToSqueezingPhase(state);
-    if ((outputLength % 8) != 0)
-        return 1; // Only multiple of 8 bits are allowed, truncation can be done at user level
+    if (!instance->squeezing)
+        Keccak_SpongeAbsorbLastFewBits(instance, 0x01);
 
     i = 0;
-    while(i < outputLength) {
-        if (state->bitsAvailableForSqueezing == 0) {
-            KeccakPermutation(state->state);
-#ifdef ProvideFast1024
-            if (state->rate == 1024) {
-                KeccakExtract1024bits(state->state, state->dataQueue);
-                state->bitsAvailableForSqueezing = 1024;
+    curData = data;
+    while(i < dataByteLen) {
+        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
+            // processing full blocks first
+            if ((rateInBytes % SnP_laneLengthInBytes) == 0) {
+                // fast lane: whole lane rate
+                j = SnP_FBWL_Squeeze(instance->state, rateInBytes/SnP_laneLengthInBytes, curData, dataByteLen - i);
+                i += j;
+                curData += j;
             }
-            else
-#endif
-            {
-                KeccakExtract(state->state, state->dataQueue, state->rate/64);
-                state->bitsAvailableForSqueezing = state->rate;
+            else {
+                for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
+                    SnP_Permute(instance->state);
+                    SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
+                    #ifdef KeccakReference
+                    displayBytes(1, "Squeezed block", curData, rateInBytes);
+                    #endif
+                    curData+=rateInBytes;
+                }
+                i = dataByteLen - j;
+            }
+        }
+        else {
+            // normal lane: using the message queue
+            if (instance->byteIOIndex == rateInBytes) {
+                SnP_Permute(instance->state);
+                instance->byteIOIndex = 0;
             }
+            partialBlock = (unsigned int)(dataByteLen - i);
+            if (partialBlock+instance->byteIOIndex > rateInBytes)
+                partialBlock = rateInBytes-instance->byteIOIndex;
+            i += partialBlock;
+
+            SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
             #ifdef KeccakReference
-            displayBytes(1, "Block available for squeezing", state->dataQueue, state->bitsAvailableForSqueezing/8);
+            displayBytes(1, "Squeezed block (part)", curData, partialBlock);
             #endif
+            curData += partialBlock;
+            instance->byteIOIndex += partialBlock;
         }
-        partialBlock = state->bitsAvailableForSqueezing;
-        if ((unsigned long long)partialBlock > outputLength - i)
-            partialBlock = (unsigned int)(outputLength - i);
-        memcpy(output+i/8, state->dataQueue+(state->rate-state->bitsAvailableForSqueezing)/8, partialBlock/8);
-        state->bitsAvailableForSqueezing -= partialBlock;
-        i += partialBlock;
     }
     return 0;
 }