sha3 0.2.6 → 1.0.1

data/ext/sha3/KeccakSponge.c

@@ -1,10 +1,12 @@
 /*
-The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
-Michaël Peeters and Gilles Van Assche. For more information, feedback or
-questions, please refer to our website: http://keccak.noekeon.org/
+Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni,
+Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby
+denoted as "the implementer".
 
-Implementation by the designers,
-hereby denoted as "the implementer".
+For more information, feedback or questions, please refer to our websites:
+http://keccak.noekeon.org/
+http://keyak.noekeon.org/
+http://ketje.noekeon.org/
 
 To the extent possible under law, the implementer has waived all copyright
 and related or neighboring rights to the source code in this file.
@@ -13,254 +15,178 @@ http://creativecommons.org/publicdomain/zero/1.0/
 
 #include <string.h>
 #include "KeccakSponge.h"
-#include "KeccakF-1600-interface.h"
+#include "SnP-interface.h"
 #ifdef KeccakReference
 #include "displayIntermediateValues.h"
 #endif
 
-int InitSponge(spongeState *state, unsigned int rate, unsigned int capacity)
+/* ---------------------------------------------------------------- */
+
+int Keccak_SpongeInitialize(Keccak_SpongeInstance *instance, unsigned int rate, unsigned int capacity)
 {
-    if (rate+capacity != 1600)
+    if (rate+capacity != SnP_width)
         return 1;
-    if ((rate <= 0) || (rate >= 1600) || ((rate % 64) != 0))
+    if ((rate <= 0) || (rate > SnP_width) || ((rate % 8) != 0))
         return 1;
-    KeccakInitialize();
-    state->rate = rate;
-    state->capacity = capacity;
-    state->fixedOutputLength = 0;
-    KeccakInitializeState(state->state);
-    memset(state->dataQueue, 0, KeccakMaximumRateInBytes);
-    state->bitsInQueue = 0;
-    state->squeezing = 0;
-    state->bitsAvailableForSqueezing = 0;
+    SnP_StaticInitialize();
+    SnP_Initialize(instance->state);
+    instance->rate = rate;
+    instance->byteIOIndex = 0;
+    instance->squeezing = 0;
 
     return 0;
 }
 
-void AbsorbQueue(spongeState *state)
-{
-    // state->bitsInQueue is assumed to be equal to state->rate
-    #ifdef KeccakReference
-    displayBytes(1, "Block to be absorbed", state->dataQueue, state->rate/8);
-    #endif
-#ifdef ProvideFast576
-    if (state->rate == 576)
-        KeccakAbsorb576bits(state->state, state->dataQueue);
-    else 
-#endif
-#ifdef ProvideFast832
-    if (state->rate == 832)
-        KeccakAbsorb832bits(state->state, state->dataQueue);
-    else 
-#endif
-#ifdef ProvideFast1024
-    if (state->rate == 1024)
-        KeccakAbsorb1024bits(state->state, state->dataQueue);
-    else 
-#endif
-#ifdef ProvideFast1088
-    if (state->rate == 1088)
-        KeccakAbsorb1088bits(state->state, state->dataQueue);
-    else
-#endif
-#ifdef ProvideFast1152
-    if (state->rate == 1152)
-        KeccakAbsorb1152bits(state->state, state->dataQueue);
-    else 
-#endif
-#ifdef ProvideFast1344
-    if (state->rate == 1344)
-        KeccakAbsorb1344bits(state->state, state->dataQueue);
-    else 
-#endif
-        KeccakAbsorb(state->state, state->dataQueue, state->rate/64);
-    state->bitsInQueue = 0;
-}
+/* ---------------------------------------------------------------- */
 
-int Absorb(spongeState *state, const unsigned char *data, unsigned long long databitlen)
+int Keccak_SpongeAbsorb(Keccak_SpongeInstance *instance, const unsigned char *data, size_t dataByteLen)
 {
-    unsigned long long i, j, wholeBlocks;
-    unsigned int partialBlock, partialByte;
+    size_t i, j;
+    unsigned int partialBlock;
     const unsigned char *curData;
+    unsigned int rateInBytes = instance->rate/8;
 
-    if ((state->bitsInQueue % 8) != 0)
-        return 1; // Only the last call may contain a partial byte
-    if (state->squeezing)
+    if (instance->squeezing)
         return 1; // Too late for additional input
 
     i = 0;
-    while(i < databitlen) {
-        if ((state->bitsInQueue == 0) && (databitlen >= state->rate) && (i <= (databitlen-state->rate))) {
-            wholeBlocks = (databitlen-i)/state->rate;
-            curData = data+i/8;
-#ifdef ProvideFast576
-            if (state->rate == 576) {
-                for(j=0; j<wholeBlocks; j++, curData+=576/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb576bits(state->state, curData);
-                }
-            }
-            else
-#endif
-#ifdef ProvideFast832
-            if (state->rate == 832) {
-                for(j=0; j<wholeBlocks; j++, curData+=832/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb832bits(state->state, curData);
-                }
+    curData = data;
+    while(i < dataByteLen) {
+        if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
+            // processing full blocks first
+            if ((rateInBytes % SnP_laneLengthInBytes) == 0) {
+                // fast lane: whole lane rate
+                j = SnP_FBWL_Absorb(instance->state, rateInBytes/SnP_laneLengthInBytes, curData, dataByteLen - i, 0);
+                i += j;
+                curData += j;
             }
-            else
-#endif
-#ifdef ProvideFast1024
-            if (state->rate == 1024) {
-                for(j=0; j<wholeBlocks; j++, curData+=1024/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb1024bits(state->state, curData);
-                }
-            }
-            else
-#endif
-#ifdef ProvideFast1088
-            if (state->rate == 1088) {
-                for(j=0; j<wholeBlocks; j++, curData+=1088/8) {
+            else {
+                for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
                     #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
+                    displayBytes(1, "Block to be absorbed", curData, rateInBytes);
                     #endif
-                    KeccakAbsorb1088bits(state->state, curData);
+                    SnP_XORBytes(instance->state, curData, 0, rateInBytes);
+                    SnP_Permute(instance->state);
+                    curData+=rateInBytes;
                 }
+                i = dataByteLen - j;
             }
-            else
-#endif
-#ifdef ProvideFast1152
-            if (state->rate == 1152) {
-                for(j=0; j<wholeBlocks; j++, curData+=1152/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb1152bits(state->state, curData);
-                }
-            }
-            else
-#endif
-#ifdef ProvideFast1344
-            if (state->rate == 1344) {
-                for(j=0; j<wholeBlocks; j++, curData+=1344/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb1344bits(state->state, curData);
-                }
-            }
-            else
-#endif
-            {
-                for(j=0; j<wholeBlocks; j++, curData+=state->rate/8) {
-                    #ifdef KeccakReference
-                    displayBytes(1, "Block to be absorbed", curData, state->rate/8);
-                    #endif
-                    KeccakAbsorb(state->state, curData, state->rate/64);
-                }
-            }
-            i += wholeBlocks*state->rate;
         }
         else {
-            partialBlock = (unsigned int)(databitlen - i);
-            if (partialBlock+state->bitsInQueue > state->rate)
-                partialBlock = state->rate-state->bitsInQueue;
-            partialByte = partialBlock % 8;
-            partialBlock -= partialByte;
-            memcpy(state->dataQueue+state->bitsInQueue/8, data+i/8, partialBlock/8);
-            state->bitsInQueue += partialBlock;
+            // normal lane: using the message queue
+            partialBlock = (unsigned int)(dataByteLen - i);
+            if (partialBlock+instance->byteIOIndex > rateInBytes)
+                partialBlock = rateInBytes-instance->byteIOIndex;
+            #ifdef KeccakReference
+            displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
+            #endif
             i += partialBlock;
-            if (state->bitsInQueue == state->rate)
-                AbsorbQueue(state);
-            if (partialByte > 0) {
-                unsigned char mask = (1 << partialByte)-1;
-                state->dataQueue[state->bitsInQueue/8] = data[i/8] & mask;
-                state->bitsInQueue += partialByte;
-                i += partialByte;
+
+            SnP_XORBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
+            curData += partialBlock;
+            instance->byteIOIndex += partialBlock;
+            if (instance->byteIOIndex == rateInBytes) {
+                SnP_Permute(instance->state);
+                instance->byteIOIndex = 0;
             }
         }
     }
     return 0;
 }
 
-void PadAndSwitchToSqueezingPhase(spongeState *state)
+/* ---------------------------------------------------------------- */
+
+int Keccak_SpongeAbsorbLastFewBits(Keccak_SpongeInstance *instance, unsigned char delimitedData)
 {
-    // Note: the bits are numbered from 0=LSB to 7=MSB
-    if (state->bitsInQueue + 1 == state->rate) {
-        state->dataQueue[state->bitsInQueue/8 ] |= 1 << (state->bitsInQueue % 8);
-        AbsorbQueue(state);
-        memset(state->dataQueue, 0, state->rate/8);
-    }
-    else {
-        memset(state->dataQueue + (state->bitsInQueue+7)/8, 0, state->rate/8 - (state->bitsInQueue+7)/8);
-        state->dataQueue[state->bitsInQueue/8 ] |= 1 << (state->bitsInQueue % 8);
-    }
-    state->dataQueue[(state->rate-1)/8] |= 1 << ((state->rate-1) % 8);
-    AbsorbQueue(state);
+    unsigned char delimitedData1[1];
+    unsigned int rateInBytes = instance->rate/8;
 
+    if (delimitedData == 0)
+        return 1;
+    if (instance->squeezing)
+        return 1; // Too late for additional input
+
+    delimitedData1[0] = delimitedData;
     #ifdef KeccakReference
-    displayText(1, "--- Switching to squeezing phase ---");
+    displayBytes(1, "Block to be absorbed (last few bits + first bit of padding)", delimitedData1, 1);
     #endif
-#ifdef ProvideFast1024
-    if (state->rate == 1024) {
-        KeccakExtract1024bits(state->state, state->dataQueue);
-        state->bitsAvailableForSqueezing = 1024;
-    }
-    else
-#endif
+    // Last few bits, whose delimiter coincides with first bit of padding
+    SnP_XORBytes(instance->state, delimitedData1, instance->byteIOIndex, 1);
+    // If the first bit of padding is at position rate-1, we need a whole new block for the second bit of padding
+    if ((delimitedData >= 0x80) && (instance->byteIOIndex == (rateInBytes-1)))
+        SnP_Permute(instance->state);
+    // Second bit of padding
+    SnP_ComplementBit(instance->state, rateInBytes*8-1);
+    #ifdef KeccakReference
     {
-        KeccakExtract(state->state, state->dataQueue, state->rate/64);
-        state->bitsAvailableForSqueezing = state->rate;
+        unsigned char block[SnP_width/8];
+        memset(block, 0, SnP_width/8);
+        block[rateInBytes-1] = 0x80;
+        displayBytes(1, "Second bit of padding", block, rateInBytes);
     }
+    #endif
+    SnP_Permute(instance->state);
+    instance->byteIOIndex = 0;
+    instance->squeezing = 1;
     #ifdef KeccakReference
-    displayBytes(1, "Block available for squeezing", state->dataQueue, state->bitsAvailableForSqueezing/8);
+    displayText(1, "--- Switching to squeezing phase ---");
     #endif
-    state->squeezing = 1;
+    return 0;
 }
 
-int Squeeze(spongeState *state, unsigned char *output, unsigned long long outputLength)
+/* ---------------------------------------------------------------- */
+
+int Keccak_SpongeSqueeze(Keccak_SpongeInstance *instance, unsigned char *data, size_t dataByteLen)
 {
-    unsigned long long i;
+    size_t i, j;
     unsigned int partialBlock;
+    unsigned int rateInBytes = instance->rate/8;
+    unsigned char *curData;
 
-    if (!state->squeezing)
-        PadAndSwitchToSqueezingPhase(state);
-    if ((outputLength % 8) != 0)
-        return 1; // Only multiple of 8 bits are allowed, truncation can be done at user level
+    if (!instance->squeezing)
+        Keccak_SpongeAbsorbLastFewBits(instance, 0x01);
 
     i = 0;
-    while(i < outputLength) {
-        if (state->bitsAvailableForSqueezing == 0) {
-            KeccakPermutation(state->state);
-#ifdef ProvideFast1024
-            if (state->rate == 1024) {
-                KeccakExtract1024bits(state->state, state->dataQueue);
-                state->bitsAvailableForSqueezing = 1024;
+    curData = data;
+    while(i < dataByteLen) {
+        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
+            // processing full blocks first
+            if ((rateInBytes % SnP_laneLengthInBytes) == 0) {
+                // fast lane: whole lane rate
+                j = SnP_FBWL_Squeeze(instance->state, rateInBytes/SnP_laneLengthInBytes, curData, dataByteLen - i);
+                i += j;
+                curData += j;
             }
-            else
-#endif
-            {
-                KeccakExtract(state->state, state->dataQueue, state->rate/64);
-                state->bitsAvailableForSqueezing = state->rate;
+            else {
+                for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
+                    SnP_Permute(instance->state);
+                    SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
+                    #ifdef KeccakReference
+                    displayBytes(1, "Squeezed block", curData, rateInBytes);
+                    #endif
+                    curData+=rateInBytes;
+                }
+                i = dataByteLen - j;
+            }
+        }
+        else {
+            // normal lane: using the message queue
+            if (instance->byteIOIndex == rateInBytes) {
+                SnP_Permute(instance->state);
+                instance->byteIOIndex = 0;
             }
+            partialBlock = (unsigned int)(dataByteLen - i);
+            if (partialBlock+instance->byteIOIndex > rateInBytes)
+                partialBlock = rateInBytes-instance->byteIOIndex;
+            i += partialBlock;
+
+            SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
             #ifdef KeccakReference
-            displayBytes(1, "Block available for squeezing", state->dataQueue, state->bitsAvailableForSqueezing/8);
+            displayBytes(1, "Squeezed block (part)", curData, partialBlock);
             #endif
+            curData += partialBlock;
+            instance->byteIOIndex += partialBlock;
         }
-        partialBlock = state->bitsAvailableForSqueezing;
-        if ((unsigned long long)partialBlock > outputLength - i)
-            partialBlock = (unsigned int)(outputLength - i);
-        memcpy(output+i/8, state->dataQueue+(state->rate-state->bitsAvailableForSqueezing)/8, partialBlock/8);
-        state->bitsAvailableForSqueezing -= partialBlock;
-        i += partialBlock;
     }
     return 0;
 }

data/ext/sha3/KeccakSponge.h

@@ -1,10 +1,12 @@
 /*
-The Keccak sponge function, designed by Guido Bertoni, Joan Daemen,
-Michaël Peeters and Gilles Van Assche. For more information, feedback or
-questions, please refer to our website: http://keccak.noekeon.org/
+Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni,
+Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby
+denoted as "the implementer".
 
-Implementation by the designers,
-hereby denoted as "the implementer".
+For more information, feedback or questions, please refer to our websites:
+http://keccak.noekeon.org/
+http://keyak.noekeon.org/
+http://ketje.noekeon.org/
 
 To the extent possible under law, the implementer has waived all copyright
 and related or neighboring rights to the source code in this file.
@@ -14,10 +16,13 @@ http://creativecommons.org/publicdomain/zero/1.0/
 #ifndef _KeccakSponge_h_
 #define _KeccakSponge_h_
 
-#define KeccakPermutationSize 1600
-#define KeccakPermutationSizeInBytes (KeccakPermutationSize/8)
-#define KeccakMaximumRate 1536
-#define KeccakMaximumRateInBytes (KeccakMaximumRate/8)
+#include "SnP-interface.h"
+#include <string.h>
+
+// on Mac OS-X and possibly others, ALIGN(x) is defined in param.h, and -Werror chokes on the redef.
+#ifdef ALIGN
+#undef ALIGN
+#endif
 
 #if defined(__GNUC__)
 #define ALIGN __attribute__ ((aligned(32)))
@@ -27,50 +32,82 @@ http://creativecommons.org/publicdomain/zero/1.0/
 #define ALIGN
 #endif
 
-ALIGN typedef struct spongeStateStruct {
-    ALIGN unsigned char state[KeccakPermutationSizeInBytes];
-    ALIGN unsigned char dataQueue[KeccakMaximumRateInBytes];
+/**
+  * Structure that contains the sponge instance attributes for use with the
+  * Keccak_Sponge* functions.
+  * It gathers the state processed by the permutation as well as the rate,
+  * the position of input/output bytes in the state and the phase
+  * (absorbing or squeezing).
+  */
+ALIGN typedef struct Keccak_SpongeInstanceStruct {
+    /** The state processed by the permutation. */
+    ALIGN unsigned char state[SnP_stateSizeInBytes];
+    /** The value of the rate in bits.*/
     unsigned int rate;
-    unsigned int capacity;
-    unsigned int bitsInQueue;
-    unsigned int fixedOutputLength;
+    /** The position in the state of the next byte to be input (when absorbing) or output (when squeezing). */
+    unsigned int byteIOIndex;
+    /** If set to 0, in the absorbing phase; otherwise, in the squeezing phase. */
     int squeezing;
-    unsigned int bitsAvailableForSqueezing;
-} spongeState;
+} Keccak_SpongeInstance;
 
 /**
   * Function to initialize the state of the Keccak[r, c] sponge function.
-  * The sponge function is set to the absorbing phase.
-  * @param  state       Pointer to the state of the sponge function to be initialized.
+  * The phase of the sponge function is set to absorbing.
+  * @param  spongeInstance  Pointer to the sponge instance to be initialized.
   * @param  rate        The value of the rate r.
   * @param  capacity    The value of the capacity c.
-  * @pre    One must have r+c=1600 and the rate a multiple of 64 bits in this implementation.
+  * @pre    One must have r+c equal to the supported width of this implementation
+  *         and the rate a multiple of 8 bits (one byte) in this implementation.
   * @return Zero if successful, 1 otherwise.
   */
-int InitSponge(spongeState *state, unsigned int rate, unsigned int capacity);
+int Keccak_SpongeInitialize(Keccak_SpongeInstance *spongeInstance, unsigned int rate, unsigned int capacity);
+
 /**
-  * Function to give input data for the sponge function to absorb.
-  * @param  state       Pointer to the state of the sponge function initialized by InitSponge().
-  * @param  data        Pointer to the input data. 
-  *                     When @a databitLen is not a multiple of 8, the last bits of data must be
-  *                     in the least significant bits of the last byte.
-  * @param  databitLen  The number of input bits provided in the input data.
-  * @pre    In the previous call to Absorb(), databitLen was a multiple of 8.
+  * Function to give input data bytes for the sponge function to absorb.
+  * @param  spongeInstance  Pointer to the sponge instance initialized by Keccak_SpongeInitialize().
+  * @param  data        Pointer to the input data.
+  * @param  dataByteLen  The number of input bytes provided in the input data.
   * @pre    The sponge function must be in the absorbing phase,
-  *         i.e., Squeeze() must not have been called before.
+  *         i.e., Keccak_SpongeSqueeze() or Keccak_SpongeAbsorbLastFewBits()
+  *         must not have been called before.
   * @return Zero if successful, 1 otherwise.
   */
-int Absorb(spongeState *state, const unsigned char *data, unsigned long long databitlen);
+int Keccak_SpongeAbsorb(Keccak_SpongeInstance *spongeInstance, const unsigned char *data, size_t dataByteLen);
+
+/**
+  * Function to give input data bits for the sponge function to absorb
+  * and then to switch to the squeezing phase.
+  * @param  spongeInstance  Pointer to the sponge instance initialized by Keccak_SpongeInitialize().
+  * @param  delimitedData   Byte containing from 0 to 7 trailing bits
+  *                     that must be absorbed.
+  *                     These <i>n</i> bits must be in the least significant bit positions.
+  *                     These bits must be delimited with a bit 1 at position <i>n</i>
+  *                     (counting from 0=LSB to 7=MSB) and followed by bits 0
+  *                     from position <i>n</i>+1 to position 7.
+  *                     Some examples:
+  *                         - If no bits are to be absorbed, then @a delimitedData must be 0x01.
+  *                         - If the 2-bit sequence 0,0 is to be absorbed, @a delimitedData must be 0x04.
+  *                         - If the 5-bit sequence 0,1,0,0,1 is to be absorbed, @a delimitedData must be 0x32.
+  *                         - If the 7-bit sequence 1,1,0,1,0,0,0 is to be absorbed, @a delimitedData must be 0x8B.
+  *                     .
+  * @pre    The sponge function must be in the absorbing phase,
+  *         i.e., Keccak_SpongeSqueeze() or Keccak_SpongeAbsorbLastFewBits()
+  *         must not have been called before.
+  * @pre    @a delimitedData ≠ 0x00
+  * @return Zero if successful, 1 otherwise.
+  */
+int Keccak_SpongeAbsorbLastFewBits(Keccak_SpongeInstance *spongeInstance, unsigned char delimitedData);
+
 /**
   * Function to squeeze output data from the sponge function.
-  * If the sponge function was in the absorbing phase, this function 
-  * switches it to the squeezing phase.
-  * @param  state       Pointer to the state of the sponge function initialized by InitSponge().
-  * @param  output      Pointer to the buffer where to store the output data.
-  * @param  outputLength    The number of output bits desired.
-  *                     It must be a multiple of 8.
+  * If the sponge function was in the absorbing phase, this function
+  * switches it to the squeezing phase
+  * as if Keccak_SpongeAbsorbLastFewBits(spongeInstance, 0x01) was called.
+  * @param  spongeInstance  Pointer to the sponge instance initialized by Keccak_SpongeInitialize().
+  * @param  data        Pointer to the buffer where to store the output data.
+  * @param  dataByteLen The number of output bytes desired.
   * @return Zero if successful, 1 otherwise.
   */
-int Squeeze(spongeState *state, unsigned char *output, unsigned long long outputLength);
+int Keccak_SpongeSqueeze(Keccak_SpongeInstance *spongeInstance, unsigned char *data, size_t dataByteLen);
 
 #endif