[secnet] / sha3.h

/* -*-c-*-
 *
 * The SHA3 algorithm family
 *
 * (c) 2017 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of secnet.
 * See README for full list of copyright holders.
 *
 * secnet is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version d of the License, or
 * (at your option) any later version.
 *
 * secnet is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 3 along with secnet; if not, see
 * https://www.gnu.org/licenses/gpl.html.
 *
 * This file was originally part of Catacomb, but has been automatically
 * modified for incorporation into secnet: see `import-catacomb-crypto'
 * for details.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#ifndef CATACOMB_SHA3_H
#define CATACOMB_SHA3_H

#ifdef __cplusplus
  extern "C" {
#endif

/*----- Notes on the SHA3 algorithm family --------------------------------*
 *
 * The winner of the SHA3 competition was Keccak, designed by Guido Bertoni,
 * Joan Daemen, Michaël Peeters, and Gilles Van Assche.  The algorithm uses
 * their `sponge construction', based on a fixed attempt to instantiate an
 * `ideal permutation'.  The construction is rather versatile, and NIST has
 * standardized a number of algorithms based on it.
 *
 * The basic offerings are the drop-in replacements for the SHA2 family.
 * These are slower than is ideal, because of the decision to provide O(2^n)
 * resistance to second-preimage attacks for the n-bit hash function, which
 * means that, effectively, the capacity parameter is set unnecessarily
 * large.  (There was a major fuss when NIST tried to change this in a draft
 * of te standard.)  All of the obvious hash modes, e.g., HMAC, MGF, can be
 * applied to the SHA3 hash functions, though I can't really recommend this:
 * there's almost certainly a better way of doing whatever it is.
 *
 * Other members of the family are: SHAKE and cSHAKE, `extendable-output
 * funnctions' which can be used directly in place of MGFs; and KMAC, a
 * message authentication code with arbitrary-length key, message, and tag,
 * which can therefore be used as a key-derivation function.  The cSHAKE
 * construction, on which KMAC is based, introduces a personalization string
 * which can be used for domain separation.
 */

/*----- Header files ------------------------------------------------------*/

#include "fake-mLib-bits.h"

#ifndef CATACOMB_KECCAK1600_H
#  include "keccak1600.h"
#endif

/*----- The SHA3 hash function family -------------------------------------*/

typedef struct sha3_ctx {
  keccak1600_state s;
  unsigned r, w, n;
  octet buf[200];
} sha3_ctx;
#define sha3_224_ctx sha3_ctx
#define sha3_256_ctx sha3_ctx
#define sha3_384_ctx sha3_ctx
#define sha3_512_ctx sha3_ctx

#define SHA3_224_HASHSZ 28
#define SHA3_256_HASHSZ 32
#define SHA3_384_HASHSZ 48
#define SHA3_512_HASHSZ 64

#define SHA3_224_BUFSZ 144
#define SHA3_256_BUFSZ 136
#define SHA3_384_BUFSZ 104
#define SHA3_512_BUFSZ 72

#define SHA3_STATESZ (sizeof(sha3_ctx))
#define SHA3_224_STATESZ SHA3_STATESZ
#define SHA3_256_STATESZ SHA3_STATESZ
#define SHA3_384_STATESZ SHA3_STATESZ
#define SHA3_512_STATESZ SHA3_STATESZ

/* --- @sha3_{224,256,384,512}_init@ --- *
 *
 * Arguments:	@sha3_ctx *ctx@ = pointer to context block to initialize
 *
 * Returns:	---
 *
 * Use:		Initializes a SHA3 hashing context for use.
 */

extern void sha3_224_init(sha3_ctx */*ctx*/);
extern void sha3_256_init(sha3_ctx */*ctx*/);
extern void sha3_384_init(sha3_ctx */*ctx*/);
extern void sha3_512_init(sha3_ctx */*ctx*/);

/* --- @sha3_hash@ --- *
 *
 * Arguments:	@sha3_ctx *ctx@ = pointer to context bock
 *		@const void *p@ = pointer to data to hash
 *		@size_t sz@ = size of buffer to hash
 *
 * Returns:	---
 *
 * Use:		Hashes a buffer of data.  The buffer may be of any size and
 *		alignment.
 */

#define sha3_224_hash sha3_hash
#define sha3_256_hash sha3_hash
#define sha3_384_hash sha3_hash
#define sha3_512_hash sha3_hash

extern void sha3_hash(sha3_ctx */*ctx*/, const void */*p*/, size_t /*sz*/);

/* --- @sha3_done@ --- *
 *
 * Arguments:	@sha3_ctx *ctx@ = pointer to context block
 *		@void *hash@ = pointer to output buffer
 *
 * Returns:	---
 *
 * Use:		Returns the hash of the data read so far.
 */

#define sha3_224_done sha3_done
#define sha3_256_done sha3_done
#define sha3_384_done sha3_done
#define sha3_512_done sha3_done

extern void sha3_done(sha3_ctx */*ctx*/, void */*hash*/);

/*----- The cSHAKE XOF algorithm ------------------------------------------*/

typedef struct shake_ctx {
  sha3_ctx h;
  unsigned st, op;
} shake_ctx;
#define shake128_ctx shake_ctx
#define shake256_ctx shake_ctx

#define SHAKE128_KEYSZ 16
#define SHAKE256_KEYSZ 32

#define SHAKE128_HASHSZ 32		/* Somewhat arbitrary... */
#define SHAKE256_HASHSZ 64

/* --- @cshake{128,256}_init@ --- *
 *
 * Arguments:	@shake_ctx *ctx@ = pointer to context to initialize
 *		@const void *func@ = NIST-allocated function name
 *		@size_t fsz@ = length of function name
 *		@const void *perso@ = user personalization string
 *		@size_t psz@ = length of personalization string
 *
 * Returns:	---
 *
 * Use:		Initializes a cSHAKE context.  The context is initially in
 *		the `absorbing' state: feed it data with @shake_hash@.
 */

extern void cshake128_init(shake_ctx */*ctx*/,
			   const void */*func*/, size_t /*fsz*/,
			   const void */*perso*/, size_t /*psz*/);

extern void cshake256_init(shake_ctx */*ctx*/,
			   const void */*func*/, size_t /*fsz*/,
			   const void */*perso*/, size_t /*psz*/);

/* --- @shake{128,256}_init@ --- *
 *
 * Arguments:	@sha3_ctx *ctx@ = pointer to context to initialize
 *
 * Returns:	---
 *
 * Use:		Initializes a SHAKE context.  The context is initially in
 *		the `absorbing' state: feed it data with @shake_hash@.
 */

extern void shake128_init(shake_ctx */*ctx*/);
extern void shake256_init(shake_ctx */*ctx*/);

/* --- @shake_hash@ --- *
 *
 * Arguments:	@shake_ctx *ctx@ = context to update
 *		@const void *p@ = input buffer
 *		@size_t sz@ = size of input
 *
 * Returns:	---
 *
 * Use:		Feeds input data into a SHAKE context.  The context must be
 *		in `absorbing' state.
 */

extern void shake_hash(shake_ctx */*ctx*/, const void */*p*/, size_t /*sz*/);

/* --- @shake_xof@ --- *
 *
 * Arguments:	@shake_ctx *ctx@ = context to update
 *
 * Returns:	---
 *
 * Use:		Switches the context into `squeezing' state.  Use @shake_get@
 *		or @shake_mask@ to extract data.
 */

extern void shake_xof(shake_ctx */*ctx*/);

/* --- @shake_get@ --- *
 *
 * Arguments:	@shake_ctx *ctx@ = context to update
 *		@void *p@ = output buffer
 *		@size_t sz@ = size of output
 *
 * Returns:	---
 *
 * Use:		Extracts output from a SHAKE context.  The context must be
 *		in `squeezing' state.
 */

extern void shake_get(shake_ctx */*ctx*/, void */*p*/, size_t /*sz*/);

/* --- @shake_done@ --- *
 *
 * Arguments:	@shake_ctx *ctx@ = context to update
 *		@void *h@ = where to write the hash
 *		@size_t hsz@ = size of the hash to make
 *
 * Returns:	---
 *
 * Use:		Switches the context into `squeezing' state.  Use @shake_get@
 *		or @shake_mask@ to extract data.
 */

extern void shake_done(shake_ctx */*ctx*/, void */*h*/, size_t /*hsz*/);

/*----- That's all, folks -------------------------------------------------*/

#ifdef __cplusplus
  }
#endif

#endif
Commit	Line	Data
a1a6042e MW	1	/* --c--
	2	*
	3	* The SHA3 algorithm family
	4	*
	5	* (c) 2017 Straylight/Edgeware
	6	*/
	7
	8	/----- Licensing notice --------------------------------------------------
	9	*
	10	* This file is part of secnet.
	11	* See README for full list of copyright holders.
	12	*
	13	* secnet is free software; you can redistribute it and/or modify it
	14	* under the terms of the GNU General Public License as published by
	15	* the Free Software Foundation; either version d of the License, or
	16	* (at your option) any later version.
	17	*
	18	* secnet is distributed in the hope that it will be useful, but
	19	* WITHOUT ANY WARRANTY; without even the implied warranty of
	20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	21	* General Public License for more details.
	22	*
	23	* You should have received a copy of the GNU General Public License
	24	* version 3 along with secnet; if not, see
	25	* https://www.gnu.org/licenses/gpl.html.
	26	*
	27	* This file was originally part of Catacomb, but has been automatically
	28	* modified for incorporation into secnet: see `import-catacomb-crypto'
	29	* for details.
	30	*
	31	* Catacomb is free software; you can redistribute it and/or modify
	32	* it under the terms of the GNU Library General Public License as
	33	* published by the Free Software Foundation; either version 2 of the
	34	* License, or (at your option) any later version.
	35	*
	36	* Catacomb is distributed in the hope that it will be useful,
	37	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	38	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	39	* GNU Library General Public License for more details.
	40	*
	41	* You should have received a copy of the GNU Library General Public
	42	* License along with Catacomb; if not, write to the Free
	43	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	44	* MA 02111-1307, USA.
	45	*/
	46
	47	#ifndef CATACOMB_SHA3_H
	48	#define CATACOMB_SHA3_H
	49
	50	#ifdef __cplusplus
	51	extern "C" {
	52	#endif
	53
	54	/----- Notes on the SHA3 algorithm family --------------------------------
	55	*
	56	* The winner of the SHA3 competition was Keccak, designed by Guido Bertoni,
	57	* Joan Daemen, Michaël Peeters, and Gilles Van Assche. The algorithm uses
	58	* their `sponge construction', based on a fixed attempt to instantiate an
	59	* `ideal permutation'. The construction is rather versatile, and NIST has
	60	* standardized a number of algorithms based on it.
	61	*
	62	* The basic offerings are the drop-in replacements for the SHA2 family.
	63	* These are slower than is ideal, because of the decision to provide O(2^n)
	64	* resistance to second-preimage attacks for the n-bit hash function, which
65	* means that, effectively, the capacity parameter is set unnecessarily
66	* large. (There was a major fuss when NIST tried to change this in a draft
67	* of te standard.) All of the obvious hash modes, e.g., HMAC, MGF, can be
68	* applied to the SHA3 hash functions, though I can't really recommend this:
69	* there's almost certainly a better way of doing whatever it is.
70	*
71	* Other members of the family are: SHAKE and cSHAKE, `extendable-output
72	* funnctions' which can be used directly in place of MGFs; and KMAC, a
73	* message authentication code with arbitrary-length key, message, and tag,
74	* which can therefore be used as a key-derivation function. The cSHAKE
75	* construction, on which KMAC is based, introduces a personalization string
76	* which can be used for domain separation.
77	*/
78
79	/----- Header files ------------------------------------------------------/
80
81	#include "fake-mLib-bits.h"
82
83	#ifndef CATACOMB_KECCAK1600_H
84	# include "keccak1600.h"
85	#endif
86
87	/----- The SHA3 hash function family -------------------------------------/
88
89	typedef struct sha3_ctx {
90	keccak1600_state s;
91	unsigned r, w, n;
92	octet buf[200];
93	} sha3_ctx;
94	#define sha3_224_ctx sha3_ctx
95	#define sha3_256_ctx sha3_ctx
96	#define sha3_384_ctx sha3_ctx
97	#define sha3_512_ctx sha3_ctx
98
99	#define SHA3_224_HASHSZ 28
100	#define SHA3_256_HASHSZ 32
101	#define SHA3_384_HASHSZ 48
102	#define SHA3_512_HASHSZ 64
103
104	#define SHA3_224_BUFSZ 144
105	#define SHA3_256_BUFSZ 136
106	#define SHA3_384_BUFSZ 104
107	#define SHA3_512_BUFSZ 72
108
109	#define SHA3_STATESZ (sizeof(sha3_ctx))
110	#define SHA3_224_STATESZ SHA3_STATESZ
111	#define SHA3_256_STATESZ SHA3_STATESZ
112	#define SHA3_384_STATESZ SHA3_STATESZ
113	#define SHA3_512_STATESZ SHA3_STATESZ
114
115	/* --- @sha3_{224,256,384,512}_init@ --- *
116	*
117	* Arguments: @sha3_ctx *ctx@ = pointer to context block to initialize
118	*
119	* Returns: ---
120	*
121	* Use: Initializes a SHA3 hashing context for use.
122	*/
123
124	extern void sha3_224_init(sha3_ctx /ctx*/);
125	extern void sha3_256_init(sha3_ctx /ctx*/);
126	extern void sha3_384_init(sha3_ctx /ctx*/);
127	extern void sha3_512_init(sha3_ctx /ctx*/);
128
129	/* --- @sha3_hash@ --- *
130	*
131	* Arguments: @sha3_ctx *ctx@ = pointer to context bock
132	* @const void *p@ = pointer to data to hash
133	* @size_t sz@ = size of buffer to hash
134	*
135	* Returns: ---
136	*
137	* Use: Hashes a buffer of data. The buffer may be of any size and
138	* alignment.
139	*/
140
141	#define sha3_224_hash sha3_hash
142	#define sha3_256_hash sha3_hash
143	#define sha3_384_hash sha3_hash
144	#define sha3_512_hash sha3_hash
145
146	extern void sha3_hash(sha3_ctx /ctx/, const void /p/, size_t /sz/);
147
148	/* --- @sha3_done@ --- *
149	*
150	* Arguments: @sha3_ctx *ctx@ = pointer to context block
151	* @void *hash@ = pointer to output buffer
152	*
153	* Returns: ---
154	*
155	* Use: Returns the hash of the data read so far.
156	*/
157
158	#define sha3_224_done sha3_done
159	#define sha3_256_done sha3_done
160	#define sha3_384_done sha3_done
161	#define sha3_512_done sha3_done
162
163	extern void sha3_done(sha3_ctx /ctx/, void /hash/);
164
165	/----- The cSHAKE XOF algorithm ------------------------------------------/
166
167	typedef struct shake_ctx {
168	sha3_ctx h;
169	unsigned st, op;
170	} shake_ctx;
171	#define shake128_ctx shake_ctx
172	#define shake256_ctx shake_ctx
173
174	#define SHAKE128_KEYSZ 16
175	#define SHAKE256_KEYSZ 32
176
177	#define SHAKE128_HASHSZ 32 /* Somewhat arbitrary... */
178	#define SHAKE256_HASHSZ 64
179
180	/* --- @cshake{128,256}_init@ --- *
181	*
182	* Arguments: @shake_ctx *ctx@ = pointer to context to initialize
183	* @const void *func@ = NIST-allocated function name
184	* @size_t fsz@ = length of function name
185	* @const void *perso@ = user personalization string
186	* @size_t psz@ = length of personalization string
187	*
188	* Returns: ---
189	*
190	* Use: Initializes a cSHAKE context. The context is initially in
191	* the `absorbing' state: feed it data with @shake_hash@.
192	*/
193
194	extern void cshake128_init(shake_ctx /ctx*/,
195	const void /func/, size_t /fsz*/,
196	const void /perso/, size_t /psz*/);
197
198	extern void cshake256_init(shake_ctx /ctx*/,
199	const void /func/, size_t /fsz*/,
200	const void /perso/, size_t /psz*/);
201
202	/* --- @shake{128,256}_init@ --- *
203	*
204	* Arguments: @sha3_ctx *ctx@ = pointer to context to initialize
205	*
206	* Returns: ---
207	*
208	* Use: Initializes a SHAKE context. The context is initially in
209	* the `absorbing' state: feed it data with @shake_hash@.
210	*/
211
212	extern void shake128_init(shake_ctx /ctx*/);
213	extern void shake256_init(shake_ctx /ctx*/);
214
215	/* --- @shake_hash@ --- *
216	*
217	* Arguments: @shake_ctx *ctx@ = context to update
218	* @const void *p@ = input buffer
219	* @size_t sz@ = size of input
220	*
221	* Returns: ---
222	*
223	* Use: Feeds input data into a SHAKE context. The context must be
224	* in `absorbing' state.
225	*/
226
227	extern void shake_hash(shake_ctx /ctx/, const void /p/, size_t /sz/);
228
229	/* --- @shake_xof@ --- *
230	*
231	* Arguments: @shake_ctx *ctx@ = context to update
232	*
233	* Returns: ---
234	*
235	* Use: Switches the context into `squeezing' state. Use @shake_get@
236	* or @shake_mask@ to extract data.
237	*/
238
239	extern void shake_xof(shake_ctx /ctx*/);
240
241	/* --- @shake_get@ --- *
242	*
243	* Arguments: @shake_ctx *ctx@ = context to update
244	* @void *p@ = output buffer
245	* @size_t sz@ = size of output
246	*
247	* Returns: ---
248	*
249	* Use: Extracts output from a SHAKE context. The context must be
250	* in `squeezing' state.
251	*/
252
253	extern void shake_get(shake_ctx /ctx/, void /p/, size_t /sz/);
254
255	/* --- @shake_done@ --- *
256	*
257	* Arguments: @shake_ctx *ctx@ = context to update
258	* @void *h@ = where to write the hash
259	* @size_t hsz@ = size of the hash to make
260	*
261	* Returns: ---
262	*
263	* Use: Switches the context into `squeezing' state. Use @shake_get@
264	* or @shake_mask@ to extract data.
265	*/
266
267	extern void shake_done(shake_ctx /ctx/, void /h/, size_t /hsz/);
268
269	/----- That's all, folks -------------------------------------------------/
270
271	#ifdef __cplusplus
272	}
273	#endif
274
275	#endif