-rw-r--r--sha3.c328
-rw-r--r--sha3.h85
2 files changed, 76 insertions, 337 deletions
diff --git a/sha3.c b/sha3.c
index 38e9a04..9d0d385 100644
--- a/sha3.c
+++ b/sha3.c
@@ -2,7 +2,7 @@
* sha3
* https://pablotron.org/sha3
*
- * Copyright (c) 2023 Paul Duncan
+ * Copyright (c) 2023, 2024 Paul Duncan
* SPDX-License-Identifier: MIT-0
*
* Embeddable, dependency-free, MIT-0-licensed C11 implementation of the
@@ -10,7 +10,7 @@
*
* - SHA3-224, SHA3-256, SHA3-384, and SHA3-512
* - HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, and HMAC-SHA3-512
- * - SHAKE128, SHAKE128-XOF, SHAKE256, and SHAKE256-XOF
+ * - SHAKE128 and SHAKE256
* - cSHAKE128, cSHAKE128-XOF, cSHAKE256, and cSHAKE256-XOF
* - KMAC128, KMAC128-XOF, KMAC256, and KMAC256-XOF
* - TupleHash128, TupleHash128-XOF, TupleHash256, and TupleHash256-XOF
@@ -875,14 +875,6 @@ static inline void shake(const uint8_t *m, size_t m_len, uint8_t * const dst, co
memcpy(dst, a.u8, dst_len);
}
-void shake128(const uint8_t *m, size_t m_len, uint8_t dst[static 16]) {
- shake(m, m_len, dst, 16);
-}
-
-void shake256(const uint8_t *m, size_t m_len, uint8_t dst[static 32]) {
- shake(m, m_len, dst, 32);
-}
-
static inline void xof_init(sha3_xof_t * const xof) {
memset(xof, 0, sizeof(sha3_xof_t));
}
@@ -963,42 +955,42 @@ static inline void xof_once(const size_t rate, const size_t num_rounds, const ui
xof_squeeze_raw(&xof, rate, num_rounds, dst, dst_len);
}
-#define SHAKE128_XOF_RATE (200 - 2 * 16)
-#define SHAKE128_XOF_PAD 0x1f
+#define SHAKE128_RATE (200 - 2 * 16)
+#define SHAKE128_PAD 0x1f
-void shake128_xof_init(sha3_xof_t * const xof) {
+void shake128_init(sha3_xof_t * const xof) {
xof_init(xof);
}
-_Bool shake128_xof_absorb(sha3_xof_t * const xof, const uint8_t * const m, const size_t len) {
- return xof_absorb(xof, SHAKE128_XOF_RATE, SHA3_NUM_ROUNDS, m, len);
+_Bool shake128_absorb(sha3_xof_t * const xof, const uint8_t * const m, const size_t len) {
+ return xof_absorb(xof, SHAKE128_RATE, SHA3_NUM_ROUNDS, m, len);
}
-void shake128_xof_squeeze(sha3_xof_t * const xof, uint8_t * const dst, const size_t dst_len) {
- xof_squeeze(xof, SHAKE128_XOF_RATE, SHA3_NUM_ROUNDS, SHAKE128_XOF_PAD, dst, dst_len);
+void shake128_squeeze(sha3_xof_t * const xof, uint8_t * const dst, const size_t dst_len) {
+ xof_squeeze(xof, SHAKE128_RATE, SHA3_NUM_ROUNDS, SHAKE128_PAD, dst, dst_len);
}
-void shake128_xof_once(const uint8_t * const src, const size_t src_len, uint8_t * const dst, const size_t dst_len) {
- xof_once(SHAKE128_XOF_RATE, SHA3_NUM_ROUNDS, SHAKE128_XOF_PAD, src, src_len, dst, dst_len);
+void shake128(const uint8_t * const src, const size_t src_len, uint8_t * const dst, const size_t dst_len) {
+ xof_once(SHAKE128_RATE, SHA3_NUM_ROUNDS, SHAKE128_PAD, src, src_len, dst, dst_len);
}
-#define SHAKE256_XOF_RATE (200 - 2 * 32)
-#define SHAKE256_XOF_PAD 0x1f
+#define SHAKE256_RATE (200 - 2 * 32)
+#define SHAKE256_PAD 0x1f
-void shake256_xof_init(sha3_xof_t * const xof) {
+void shake256_init(sha3_xof_t * const xof) {
xof_init(xof);
}
-_Bool shake256_xof_absorb(sha3_xof_t * const xof, const uint8_t * const m, const size_t len) {
- return xof_absorb(xof, SHAKE256_XOF_RATE, SHA3_NUM_ROUNDS, m, len);
+_Bool shake256_absorb(sha3_xof_t * const xof, const uint8_t * const m, const size_t len) {
+ return xof_absorb(xof, SHAKE256_RATE, SHA3_NUM_ROUNDS, m, len);
}
-void shake256_xof_squeeze(sha3_xof_t * const xof, uint8_t * const dst, const size_t dst_len) {
- xof_squeeze(xof, SHAKE256_XOF_RATE, SHA3_NUM_ROUNDS, SHAKE256_XOF_PAD, dst, dst_len);
+void shake256_squeeze(sha3_xof_t * const xof, uint8_t * const dst, const size_t dst_len) {
+ xof_squeeze(xof, SHAKE256_RATE, SHA3_NUM_ROUNDS, SHAKE256_PAD, dst, dst_len);
}
-void shake256_xof_once(const uint8_t * const src, const size_t src_len, uint8_t * const dst, const size_t dst_len) {
- xof_once(SHAKE256_XOF_RATE, SHA3_NUM_ROUNDS, SHAKE256_XOF_PAD, src, src_len, dst, dst_len);
+void shake256(const uint8_t * const src, const size_t src_len, uint8_t * const dst, const size_t dst_len) {
+ xof_once(SHAKE256_RATE, SHA3_NUM_ROUNDS, SHAKE256_PAD, src, src_len, dst, dst_len);
}
// NIST SP 800-105 utility function.
@@ -1241,7 +1233,7 @@ void cshake128_xof_init(sha3_xof_t * const xof, const cshake_params_t params) {
if (!params.name_len && !params.custom_len) {
// cshake w/o nist prefix and domain is shake
- shake128_xof_init(xof);
+ shake128_init(xof);
// FIXME: padding will be wrong on subsequent cshake128_xof_absorb()
// calls
@@ -1293,7 +1285,7 @@ void cshake128(
) {
if (!params.name_len && !params.custom_len) {
// cshake w/o nist prefix and domain is shake
- shake128_xof_once(msg, msg_len, dst, dst_len);
+ shake128(msg, msg_len, dst, dst_len);
return;
}
@@ -1324,7 +1316,7 @@ void cshake256_xof_init(sha3_xof_t * const xof, const cshake_params_t params) {
if (!params.name_len && !params.custom_len) {
// cshake w/o nist prefix and domain is shake
- shake256_xof_init(xof);
+ shake256_init(xof);
// FIXME: padding will be wrong on subsequent cshake256_xof_absorb()
// calls
@@ -1376,7 +1368,7 @@ void cshake256(
) {
if (!params.name_len && !params.custom_len) {
// cshake w/o nist prefix and domain is shake
- shake256_xof_once(msg, msg_len, dst, dst_len);
+ shake256(msg, msg_len, dst, dst_len);
return;
}
@@ -1746,7 +1738,7 @@ void tuplehash256_xof_once(const tuplehash_params_t params, uint8_t * const dst,
static void parallelhash128_emit_block(parallelhash_t * const hash) {
// squeeze curr xof, absorb into root xof
uint8_t buf[32];
- shake128_xof_squeeze(&(hash->curr_xof), buf, sizeof(buf));
+ shake128_squeeze(&(hash->curr_xof), buf, sizeof(buf));
(void) cshake128_xof_absorb(&(hash->root_xof), buf, sizeof(buf));
// increment block count
@@ -1755,7 +1747,7 @@ static void parallelhash128_emit_block(parallelhash_t * const hash) {
static inline void parallelhash128_reset_curr_xof(parallelhash_t *hash) {
// init curr xof
- shake128_xof_init(&(hash->curr_xof));
+ shake128_init(&(hash->curr_xof));
hash->ofs = 0;
}
@@ -1792,7 +1784,7 @@ static inline void parallelhash128_init(parallelhash_t *hash, const parallelhash
static inline void parallelhash128_absorb(parallelhash_t * const hash, const uint8_t *msg, size_t msg_len) {
while (msg_len > 0) {
const size_t len = MIN(msg_len, hash->block_len - hash->ofs);
- (void) shake128_xof_absorb(&(hash->curr_xof), msg, len);
+ (void) shake128_absorb(&(hash->curr_xof), msg, len);
msg += len;
msg_len -= len;
@@ -1883,7 +1875,7 @@ void parallelhash128_xof_once(const parallelhash_params_t params, const uint8_t
static void parallelhash256_emit_block(parallelhash_t * const hash) {
// squeeze curr xof, absorb into root xof
uint8_t buf[64];
- shake256_xof_squeeze(&(hash->curr_xof), buf, sizeof(buf));
+ shake256_squeeze(&(hash->curr_xof), buf, sizeof(buf));
(void) cshake256_xof_absorb(&(hash->root_xof), buf, sizeof(buf));
// increment block count
@@ -1892,7 +1884,7 @@ static void parallelhash256_emit_block(parallelhash_t * const hash) {
static inline void parallelhash256_reset_curr_xof(parallelhash_t *hash) {
// init curr xof
- shake256_xof_init(&(hash->curr_xof));
+ shake256_init(&(hash->curr_xof));
hash->ofs = 0;
}
@@ -1929,7 +1921,7 @@ static inline void parallelhash256_init(parallelhash_t *hash, const parallelhash
static inline void parallelhash256_absorb(parallelhash_t * const hash, const uint8_t *msg, size_t msg_len) {
while (msg_len > 0) {
const size_t len = MIN(msg_len, hash->block_len - hash->ofs);
- (void) shake256_xof_absorb(&(hash->curr_xof), msg, len);
+ (void) shake256_absorb(&(hash->curr_xof), msg, len);
msg += len;
msg_len -= len;
@@ -2053,19 +2045,19 @@ void turboshake128_init(turboshake_t * const ts) {
// absorb bytes into turboshake128 context.
_Bool turboshake128_absorb(turboshake_t * const ts, const uint8_t * const m, const size_t len) {
- return xof_absorb(&(ts->xof), SHAKE128_XOF_RATE, TURBOSHAKE_NUM_ROUNDS, m, len);
+ return xof_absorb(&(ts->xof), SHAKE128_RATE, TURBOSHAKE_NUM_ROUNDS, m, len);
}
void turboshake128_squeeze(turboshake_t * const ts, uint8_t * const dst, const size_t dst_len) {
- xof_squeeze(&(ts->xof), SHAKE128_XOF_RATE, TURBOSHAKE_NUM_ROUNDS, ts->pad, dst, dst_len);
+ xof_squeeze(&(ts->xof), SHAKE128_RATE, TURBOSHAKE_NUM_ROUNDS, ts->pad, dst, dst_len);
}
void turboshake128(const uint8_t * const src, const size_t src_len, uint8_t * const dst, const size_t dst_len) {
- xof_once(SHAKE128_XOF_RATE, TURBOSHAKE_NUM_ROUNDS, TURBOSHAKE_PAD, src, src_len, dst, dst_len);
+ xof_once(SHAKE128_RATE, TURBOSHAKE_NUM_ROUNDS, TURBOSHAKE_PAD, src, src_len, dst, dst_len);
}
void turboshake128_custom(const uint8_t pad, const uint8_t * const src, const size_t src_len, uint8_t * const dst, const size_t dst_len) {
- xof_once(SHAKE128_XOF_RATE, TURBOSHAKE_NUM_ROUNDS, pad, src, src_len, dst, dst_len);
+ xof_once(SHAKE128_RATE, TURBOSHAKE_NUM_ROUNDS, pad, src, src_len, dst, dst_len);
}
_Bool turboshake256_init_custom(turboshake_t * const ts, const uint8_t pad) {
@@ -2077,19 +2069,19 @@ void turboshake256_init(turboshake_t * const ts) {
}
_Bool turboshake256_absorb(turboshake_t * const ts, const uint8_t * const m, const size_t len) {
- return xof_absorb(&(ts->xof), SHAKE256_XOF_RATE, TURBOSHAKE_NUM_ROUNDS, m, len);
+ return xof_absorb(&(ts->xof), SHAKE256_RATE, TURBOSHAKE_NUM_ROUNDS, m, len);
}
void turboshake256_squeeze(turboshake_t * const ts, uint8_t * const dst, const size_t dst_len) {
- xof_squeeze(&(ts->xof), SHAKE256_XOF_RATE, TURBOSHAKE_NUM_ROUNDS, ts->pad, dst, dst_len);
+ xof_squeeze(&(ts->xof), SHAKE256_RATE, TURBOSHAKE_NUM_ROUNDS, ts->pad, dst, dst_len);
}
void turboshake256(const uint8_t * const src, const size_t src_len, uint8_t * const dst, const size_t dst_len) {
- xof_once(SHAKE256_XOF_RATE, TURBOSHAKE_NUM_ROUNDS, TURBOSHAKE_PAD, src, src_len, dst, dst_len);
+ xof_once(SHAKE256_RATE, TURBOSHAKE_NUM_ROUNDS, TURBOSHAKE_PAD, src, src_len, dst, dst_len);
}
void turboshake256_custom(const uint8_t pad, const uint8_t * const src, const size_t src_len, uint8_t * const dst, const size_t dst_len) {
- xof_once(SHAKE256_XOF_RATE, TURBOSHAKE_NUM_ROUNDS, pad, src, src_len, dst, dst_len);
+ xof_once(SHAKE256_RATE, TURBOSHAKE_NUM_ROUNDS, pad, src, src_len, dst, dst_len);
}
// kangarootwelve block size, in bytes
@@ -3528,209 +3520,7 @@ static void test_sha3_512_ctx(void) {
}
}
-static void test_shake128(void) {
- static const struct {
- const char *name; // test name
- const uint8_t msg[256]; // test message
- const size_t len; // test message length
- const uint8_t exp[16]; // expected hash
- } tests[] = {{
- .name = "empty",
- .msg = "",
- .len = 0,
- .exp = {
- 0x7f, 0x9c, 0x2b, 0xa4, 0xe8, 0x8f, 0x82, 0x7d,
- 0x61, 0x60, 0x45, 0x50, 0x76, 0x05, 0x85, 0x3e,
- },
- }, {
- .name = "asdf",
- .msg = "asdf",
- .len = 4,
- .exp = {
- 0xef, 0x02, 0x2c, 0xc5, 0x3c, 0x74, 0xb3, 0x28,
- 0x43, 0xf9, 0xc1, 0xf1, 0x14, 0x13, 0xd5, 0x9c,
- },
- }, {
- .name = "a-134",
- .msg = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- .len = 134,
- .exp = {
- 0xc8, 0x73, 0x5e, 0x5f, 0x6f, 0x15, 0xaf, 0xe5,
- 0x1a, 0x8c, 0x3b, 0x07, 0xc4, 0xc6, 0x8d, 0x86,
- },
- }, {
- .name = "a-135",
- .msg = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- .len = 135,
- .exp = {
- 0xa5, 0xe2, 0xb2, 0x27, 0x8d, 0x1b, 0x75, 0x86,
- 0x6c, 0x78, 0x77, 0xa0, 0xff, 0xa2, 0x47, 0x37,
- },
- }, {
- .name = "a-136",
- .msg = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- .len = 136,
- .exp = {
- 0x0d, 0x01, 0x58, 0xd4, 0x46, 0x78, 0x3a, 0x9b,
- 0x18, 0xa6, 0x90, 0x8c, 0x08, 0xbb, 0x5d, 0xe6,
- },
- }, {
- .name = "ff-256",
- .msg = {
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- },
- .len = 256,
- .exp = {
- 0xf3, 0x06, 0x93, 0x04, 0x16, 0x5c, 0x0e, 0xad,
- 0x13, 0x25, 0xb5, 0x26, 0x76, 0x05, 0x95, 0xed,
- },
- }, {
- .name = "a-210",
- .msg = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- .len = 210,
- .exp = {
- 0xb1, 0xb4, 0xf3, 0xad, 0x3a, 0x1f, 0x67, 0x60,
- 0xe3, 0x08, 0x67, 0xdd, 0x71, 0xb3, 0x49, 0xfa,
- },
- }};
-
- for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
- uint8_t got[16] = { 0 };
- shake128(tests[i].msg, tests[i].len, got);
- if (memcmp(got, tests[i].exp, sizeof(got))) {
- fprintf(stderr, "test_shake128(\"%s\") failed, got:\n", tests[i].name);
- dump_hex(stderr, got, 16);
-
- fprintf(stderr, "exp:\n");
- dump_hex(stderr, tests[i].exp, 16);
- }
- }
-}
-
-static void test_shake256(void) {
- static const struct {
- const char *name; // test name
- const uint8_t msg[256]; // test message
- const size_t len; // test message length
- const uint8_t exp[32]; // expected hash
- } tests[] = {{
- .name = "empty",
- .msg = "",
- .len = 0,
- .exp = {
- 0x46, 0xb9, 0xdd, 0x2b, 0x0b, 0xa8, 0x8d, 0x13,
- 0x23, 0x3b, 0x3f, 0xeb, 0x74, 0x3e, 0xeb, 0x24,
- 0x3f, 0xcd, 0x52, 0xea, 0x62, 0xb8, 0x1b, 0x82,
- 0xb5, 0x0c, 0x27, 0x64, 0x6e, 0xd5, 0x76, 0x2f,
- },
- }, {
- .name = "asdf",
- .msg = "asdf",
- .len = 4,
- .exp = {
- 0xf0, 0x0c, 0x15, 0x64, 0x33, 0x96, 0x61, 0x6a,
- 0x89, 0xa0, 0xcb, 0x79, 0x03, 0x9f, 0x74, 0x05,
- 0x75, 0xde, 0xfe, 0x9d, 0xbe, 0x30, 0x7c, 0xcc,
- 0xda, 0xf8, 0xae, 0x21, 0x0e, 0x1c, 0x9c, 0xc6,
- },
- }, {
- .name = "a-134",
- .msg = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- .len = 134,
- .exp = {
- 0xf1, 0xe0, 0x3f, 0x37, 0x8e, 0xb7, 0x79, 0x04,
- 0xba, 0x15, 0xbb, 0x64, 0x2a, 0x84, 0xb9, 0x0d,
- 0xe5, 0x2e, 0x29, 0x3e, 0xaf, 0xc2, 0x7c, 0xef,
- 0x05, 0x88, 0x3b, 0x16, 0x56, 0xae, 0xc3, 0x41,
- },
- }, {
- .name = "a-135",
- .msg = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- .len = 135,
- .exp = {
- 0x55, 0xb9, 0x91, 0xec, 0xe1, 0xe5, 0x67, 0xb6,
- 0xe7, 0xc2, 0xc7, 0x14, 0x44, 0x4d, 0xd2, 0x01,
- 0xcd, 0x51, 0xf4, 0xf3, 0x83, 0x2d, 0x08, 0xe1,
- 0xd2, 0x6b, 0xeb, 0xc6, 0x3e, 0x07, 0xa3, 0xd7,
- },
- }, {
- .name = "a-136",
- .msg = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- .len = 136,
- .exp = {
- 0x8f, 0xcc, 0x5a, 0x08, 0xf0, 0xa1, 0xf6, 0x82,
- 0x7c, 0x9c, 0xf6, 0x4e, 0xe8, 0xd1, 0x6e, 0x04,
- 0x43, 0x10, 0x63, 0x59, 0xca, 0x6c, 0x8e, 0xfd,
- 0x23, 0x07, 0x59, 0x25, 0x6f, 0x44, 0x99, 0x6a,
- },
- }, {
- .name = "ff-256",
- .msg = {
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- },
- .len = 256,
- .exp = {
- 0x3f, 0x25, 0xdf, 0x0e, 0x37, 0x17, 0x14, 0xdf,
- 0xb0, 0xcc, 0x3d, 0x96, 0x17, 0xe1, 0xa0, 0x71,
- 0x75, 0xa0, 0xf0, 0x84, 0xc7, 0x00, 0x29, 0x23,
- 0x5c, 0x72, 0x7c, 0x5a, 0x68, 0x5e, 0xf0, 0x14,
- },
- }, {
- .name = "a-210",
- .msg = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- .len = 210,
- .exp = {
- 0xc9, 0xe2, 0xd9, 0x58, 0xf2, 0xdd, 0x3d, 0x97,
- 0x53, 0x8a, 0x1b, 0xac, 0x1b, 0x4e, 0xb3, 0x2e,
- 0x28, 0x23, 0x6b, 0x5d, 0xfc, 0xe0, 0x29, 0xfc,
- 0xc8, 0x73, 0xc0, 0xf2, 0x70, 0xe1, 0x3e, 0x9f,
- },
- }};
-
- for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
- uint8_t got[32] = { 0 };
- shake256(tests[i].msg, tests[i].len, got);
- if (memcmp(got, tests[i].exp, sizeof(got))) {
- fprintf(stderr, "test_shake256(\"%s\") failed, got:\n", tests[i].name);
- dump_hex(stderr, got, 32);
-
- fprintf(stderr, "exp:\n");
- dump_hex(stderr, tests[i].exp, 32);
- }
- }
-}
-
-static void test_shake128_xof(void) {
+static void test_shake128_ctx(void) {
static const struct {
const char *name; // test name
const uint8_t msg[256]; // test message
@@ -3815,24 +3605,24 @@ static void test_shake128_xof(void) {
for (size_t len = 1; len < tests[i].len; len++) {
// init xof
sha3_xof_t xof;
- shake128_xof_init(&xof);
+ shake128_init(&xof);
// absorb
for (size_t ofs = 0; ofs < tests[i].len; ofs += len) {
const size_t absorb_len = MIN(tests[i].len - ofs, len);
- if (!shake128_xof_absorb(&xof, tests[i].msg + ofs, absorb_len)) {
- fprintf(stderr, "test_shake128_xof(\"%s\", %zu) failed: shake128_xof_absorb()\n", tests[i].name, len);
+ if (!shake128_absorb(&xof, tests[i].msg + ofs, absorb_len)) {
+ fprintf(stderr, "%s(\"%s\", %zu) failed: shake128_absorb()\n", __func__, tests[i].name, len);
return;
}
}
// squeeze
uint8_t got[16] = { 0 };
- shake128_xof_squeeze(&xof, got, sizeof(got));
+ shake128_squeeze(&xof, got, sizeof(got));
// check
if (memcmp(got, tests[i].exp, sizeof(got))) {
- fprintf(stderr, "test_shake128_xof(\"%s\", %zu) failed, got:\n", tests[i].name, len);
+ fprintf(stderr, "%s(\"%s\", %zu) failed, got:\n", __func__, tests[i].name, len);
dump_hex(stderr, got, 16);
fprintf(stderr, "exp:\n");
@@ -3842,7 +3632,7 @@ static void test_shake128_xof(void) {
}
}
-static void test_shake128_xof_once(void) {
+static void test_shake128(void) {
static const struct {
const char *name; // test name
const uint8_t msg[256]; // test message
@@ -3927,11 +3717,11 @@ static void test_shake128_xof_once(void) {
for (size_t len = 1; len < tests[i].len; len++) {
// run
uint8_t got[16];
- shake128_xof_once(tests[i].msg, tests[i].len, got, sizeof(got));
+ shake128(tests[i].msg, tests[i].len, got, sizeof(got));
// check
if (memcmp(got, tests[i].exp, sizeof(got))) {
- fprintf(stderr, "test_shake128_xof_once(\"%s\", %zu) failed, got:\n", tests[i].name, len);
+ fprintf(stderr, "%s(\"%s\", %zu) failed, got:\n", __func__, tests[i].name, len);
dump_hex(stderr, got, 16);
fprintf(stderr, "exp:\n");
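Review bot: The one-shot call in `test_shake128` sits inside `for (size_t len = 1; len < tests[i].len; len++)`, yet `len` is used only in the failure message, so each vector is hashed identically up to `tests[i].len - 1` times and a vector of length 0 or 1 is never hashed at all. The fixed-length tests deleted earlier in this commit included an `empty` case; whether the surviving table has one is not visible in this hunk, but if it does, it is silently skipped. Hashing each vector once, outside any length loop (`shake128(tests[i].msg, tests[i].len, got, sizeof(got));` followed by the `memcmp`), keeps that boundary case covered. The `test_shake256` hunk below has the same shape, and the `_ctx` tests use the same loop bound for their chunk sizes, so they too run nothing for an empty message. The function's table and closing lines are outside the hunk.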
@@ -3941,7 +3731,7 @@ static void test_shake128_xof_once(void) {
}
}
-static void test_shake256_xof(void) {
+static void test_shake256_ctx(void) {
static const struct {
const char *name; // test name
const uint8_t msg[256]; // test message
@@ -4040,24 +3830,24 @@ static void test_shake256_xof(void) {
for (size_t len = 1; len < tests[i].len; len++) {
// init xof
sha3_xof_t xof;
- shake256_xof_init(&xof);
+ shake256_init(&xof);
// absorb
for (size_t ofs = 0; ofs < tests[i].len; ofs += len) {
const size_t absorb_len = MIN(tests[i].len - ofs, len);
- if (!shake256_xof_absorb(&xof, tests[i].msg + ofs, absorb_len)) {
- fprintf(stderr, "test_shake256_xof(\"%s\", %zu) failed: shake256_xof_absorb()\n", tests[i].name, len);
+ if (!shake256_absorb(&xof, tests[i].msg + ofs, absorb_len)) {
+ fprintf(stderr, "%s(\"%s\", %zu) failed: shake256_xof_absorb()\n", __func__, tests[i].name, len);
return;
}
}
// squeeze
uint8_t got[32] = { 0 };
- shake256_xof_squeeze(&xof, got, sizeof(got));
+ shake256_squeeze(&xof, got, sizeof(got));
// check
if (memcmp(got, tests[i].exp, sizeof(got))) {
- fprintf(stderr, "test_shake256_xof(\"%s\", %zu) failed, got:\n", tests[i].name, len);
+ fprintf(stderr, "%s(\"%s\", %zu) failed, got:\n", __func__, tests[i].name, len);
dump_hex(stderr, got, 16);
fprintf(stderr, "exp:\n");
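Review bot: The absorb-failure message in `test_shake256_ctx` still prints the old name, `shake256_xof_absorb()`, although the call above it is now `shake256_absorb()`; the SHAKE128 twin was updated, so this line should read `fprintf(stderr, "%s(\"%s\", %zu) failed: shake256_absorb()\n", __func__, tests[i].name, len);`. The mismatch report below it calls `dump_hex(stderr, got, 16)` on the 32-byte `got`, so only half of a failing digest is shown; `dump_hex(stderr, got, sizeof(got));` would print all of it. The same 16-byte dump appears in the `test_shake256` hunk further down, and the expected-value dump that follows is not visible here but presumably needs the same change. The enclosing function starts and ends outside this hunk.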
@@ -4067,7 +3857,7 @@ static void test_shake256_xof(void) {
}
}
-static void test_shake256_xof_once(void) {
+static void test_shake256(void) {
static const struct {
const char *name; // test name
const uint8_t msg[256]; // test message
@@ -4166,11 +3956,11 @@ static void test_shake256_xof_once(void) {
for (size_t len = 1; len < tests[i].len; len++) {
// run shake256
uint8_t got[32];
- shake256_xof_once(tests[i].msg, tests[i].len, got, sizeof(got));
+ shake256(tests[i].msg, tests[i].len, got, sizeof(got));
// check
if (memcmp(got, tests[i].exp, sizeof(got))) {
- fprintf(stderr, "test_shake256_xof_once(\"%s\", %zu) failed, got:\n", tests[i].name, len);
+ fprintf(stderr, "%s(\"%s\", %zu) failed, got:\n", __func__, tests[i].name, len);
dump_hex(stderr, got, 16);
fprintf(stderr, "exp:\n");
@@ -7024,12 +6814,10 @@ int main(void) {
test_sha3_256_ctx();
test_sha3_384_ctx();
test_sha3_512_ctx();
+ test_shake128_ctx();
test_shake128();
+ test_shake256_ctx();
test_shake256();
- test_shake128_xof();
- test_shake128_xof_once();
- test_shake256_xof();
- test_shake256_xof_once();
test_left_encode();
test_right_encode();
test_encode_string_prefix();
diff --git a/sha3.h b/sha3.h
index 589c44f..a64f6b1 100644
--- a/sha3.h
+++ b/sha3.h
@@ -15,7 +15,7 @@
*
* - SHA3-224, SHA3-256, SHA3-384, and SHA3-512
* - HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, and HMAC-SHA3-512
- * - SHAKE128, SHAKE128-XOF, SHAKE256, and SHAKE256-XOF
+ * - SHAKE128 and SHAKE256
* - cSHAKE128, cSHAKE128-XOF, cSHAKE256, and cSHAKE256-XOF
* - KMAC128, KMAC128-XOF, KMAC256, and KMAC256-XOF
* - TupleHash128, TupleHash128-XOF, TupleHash256, and TupleHash256-XOF
@@ -689,8 +689,7 @@ void hmac_sha3_512_final(hmac_sha3_t *ctx, uint8_t mac[64]);
* @defgroup shake SHAKE
*
* @brief [SHA-3][] [Extendable-output functions (XOFs)][xof] with
- * fixed-length and arbitrary-length output, as defined in section 6.2
- * of [FIPS 202][].
+ * arbitrary-length output, as defined in section 6.2 of [FIPS 202][].
*
* [FIPS 202]: https://csrc.nist.gov/pubs/fips/202/final
* "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions"
@@ -701,46 +700,6 @@ void hmac_sha3_512_final(hmac_sha3_t *ctx, uint8_t mac[64]);
*/
/**
- * @brief Hash data with SHAKE128.
- * @ingroup shake
- *
- * Hash input message in buffer `msg` of length `len` bytes with
- * SHAKE128 ([FIPS 202][], section 6.2) and write 16 bytes of output to
- * destination buffer `dst`.
- *
- * @param[in] msg Input message.
- * @param[in] len Input message length, in bytes.
- * @param[out] dst Destination buffer. Must be at least 16 bytes in length.
- *
- * Example:
- * @snippet{trimleft} 06-all/all-fns.c shake128
- *
- * [FIPS 202]: https://csrc.nist.gov/pubs/fips/202/final
- * "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions"
- */
-void shake128(const uint8_t *msg, size_t len, uint8_t dst[static 16]);
-
-/**
- * @brief Hash data with SHAKE256.
- * @ingroup shake
- *
- * Hash input message in buffer `msg` of length `len` bytes with
- * SHAKE256 ([FIPS 202][], section 6.2) and write 32 bytes of output to
- * destination buffer `dst`.
- *
- * @param[in] msg Input message.
- * @param[in] len Input message length, in bytes.
- * @param[out] dst Destination buffer. Must be at least 32 bytes in length.
- *
- * Example:
- * @snippet{trimleft} 06-all/all-fns.c shake256
- *
- * [FIPS 202]: https://csrc.nist.gov/pubs/fips/202/final
- * "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions"
- */
-void shake256(const uint8_t *msg, size_t len, uint8_t dst[static 32]);
-
-/**
* @brief Initialize SHAKE128 [extendable-output function (XOF)][xof] context.
* @ingroup shake
*
@@ -752,7 +711,7 @@ void shake256(const uint8_t *msg, size_t len, uint8_t dst[static 32]);
* [xof]: https://en.wikipedia.org/wiki/Extendable-output_function
* "Extendable-Output Function (XOF)"
*/
-void shake128_xof_init(sha3_xof_t * const xof);
+void shake128_init(sha3_xof_t * const xof);
/**
* @brief Absorb data into SHAKE128 [XOF][] context.
@@ -774,7 +733,7 @@ void shake128_xof_init(sha3_xof_t * const xof);
* [xof]: https://en.wikipedia.org/wiki/Extendable-output_function
* "Extendable-Output Function (XOF)"
*/
-_Bool shake128_xof_absorb(sha3_xof_t *xof, const uint8_t *msg, const size_t len);
+_Bool shake128_absorb(sha3_xof_t *xof, const uint8_t *msg, const size_t len);
/**
* @brief Squeeze bytes from SHAKE128 [XOF][] context.
@@ -794,7 +753,7 @@ _Bool shake128_xof_absorb(sha3_xof_t *xof, const uint8_t *msg, const size_t len)
* [xof]: https://en.wikipedia.org/wiki/Extendable-output_function
* "Extendable-Output Function (XOF)"
*/
-void shake128_xof_squeeze(sha3_xof_t *xof, uint8_t *dst, const size_t len);
+void shake128_squeeze(sha3_xof_t *xof, uint8_t *dst, const size_t len);
/**
* @brief Absorb data into SHAKE128 [XOF][], then squeeze bytes out.
@@ -804,22 +763,18 @@ void shake128_xof_squeeze(sha3_xof_t *xof, uint8_t *dst, const size_t len);
* [XOF][] context, then squeeze `dst_len` bytes of output into
* destination buffer `dst`.
*
- * @note This function will produce different output than shake128(),
- * because shake128() produces fixed-length output and this function
- * produces arbitrary-length output.
- *
* @param[in] src Source buffer.
* @param[in] src_len Source buffer length, in bytes.
* @param[out] dst Destination buffer.
* @param[in] dst_len Destination buffer length, in bytes.
*
* Example:
- * @snippet{trimleft} 06-all/all-fns.c shake128_xof_once
+ * @snippet{trimleft} 06-all/all-fns.c shake128
*
* [xof]: https://en.wikipedia.org/wiki/Extendable-output_function
* "Extendable-Output Function (XOF)"
*/
-void shake128_xof_once(const uint8_t *src, const size_t src_len, uint8_t *dst, const size_t dst_len);
+void shake128(const uint8_t *src, const size_t src_len, uint8_t *dst, const size_t dst_len);
/**
* @brief Initialize SHAKE256 [extendable-output function (XOF)][xof]
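Review bot: `shake128()` keeps its exported name but now takes four arguments where the declaration removed earlier in this header took three and always wrote 16 bytes, and the doc comment no longer mentions that history. Source callers using the old form fail to compile, which is the safe outcome, but anything that resolves the symbol by name against the old prototype (a stale copy of sha3.h, a foreign-function binding) would pass an indeterminate `dst_len`, and that value sizes the write into `dst`. A short note in place of the removed one would help, for example `@note Earlier versions declared shake128(msg, len, dst) with a fixed 16-byte output; this function writes exactly dst_len bytes.`. `shake256()` in the later hunk needs the same note with 32 bytes.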
@@ -834,7 +789,7 @@ void shake128_xof_once(const uint8_t *src, const size_t src_len, uint8_t *dst, c
* [xof]: https://en.wikipedia.org/wiki/Extendable-output_function
* "Extendable-Output Function (XOF)"
*/
-void shake256_xof_init(sha3_xof_t *xof);
+void shake256_init(sha3_xof_t *xof);
/**
* @brief Absorb data into SHAKE256 [XOF][] context.
@@ -856,7 +811,7 @@ void shake256_xof_init(sha3_xof_t *xof);
* [xof]: https://en.wikipedia.org/wiki/Extendable-output_function
* "Extendable-Output Function (XOF)"
*/
-_Bool shake256_xof_absorb(sha3_xof_t *xof, const uint8_t *msg, const size_t len);
+_Bool shake256_absorb(sha3_xof_t *xof, const uint8_t *msg, const size_t len);
/**
* @brief Squeeze bytes from SHAKE256 [XOF][] context.
@@ -876,7 +831,7 @@ _Bool shake256_xof_absorb(sha3_xof_t *xof, const uint8_t *msg, const size_t len)
* [xof]: https://en.wikipedia.org/wiki/Extendable-output_function
* "Extendable-Output Function (XOF)"
*/
-void shake256_xof_squeeze(sha3_xof_t *xof, uint8_t *dst, const size_t len);
+void shake256_squeeze(sha3_xof_t *xof, uint8_t *dst, const size_t len);
/**
* @brief Absorb data into SHAKE256 [XOF][], then squeeze bytes out.
@@ -886,22 +841,18 @@ void shake256_xof_squeeze(sha3_xof_t *xof, uint8_t *dst, const size_t len);
* [XOF][] context, then squeeze `dst_len` bytes of output into
* destination buffer `dst`.
*
- * @note This function will produce different output than shake256(),
- * because shake256() produces fixed-length output and this function
- * produces arbitrary-length output.
- *
* @param[in] src Source buffer.
* @param[in] src_len Source buffer length, in bytes.
* @param[out] dst Destination buffer.
* @param[in] dst_len Destination buffer length, in bytes.
*
* Example:
- * @snippet{trimleft} 06-all/all-fns.c shake256_xof_once
+ * @snippet{trimleft} 06-all/all-fns.c shake256
*
* [xof]: https://en.wikipedia.org/wiki/Extendable-output_function
* "Extendable-Output Function (XOF)"
*/
-void shake256_xof_once(const uint8_t *src, const size_t src_len, uint8_t *dst, const size_t dst_len);
+void shake256(const uint8_t *src, const size_t src_len, uint8_t *dst, const size_t dst_len);
/**
* @defgroup cshake cSHAKE
@@ -1009,7 +960,7 @@ void cshake256(const cshake_params_t params, const uint8_t *src, const size_t sr
* [800-185]: https://csrc.nist.gov/pubs/sp/800/185/final
* "SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash"
*/
-void cshake128_xof_init(sha3_xof_t *xof, const cshake_params_t params);
+void cshake128_init(sha3_xof_t *xof, const cshake_params_t params);
/**
* @brief Absorb data into cSHAKE128 [XOF][] context.
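Review bot: The cSHAKE prototypes in sha3.h lose their `_xof` infix here and in the five hunks that follow (`cshake128_init`, `cshake128_absorb`, `cshake128_squeeze` and the cSHAKE256 equivalents), but no hunk in sha3.c renames the matching definitions. The new side of sha3.c still calls `cshake128_xof_absorb()` and `cshake256_xof_absorb()` from the parallelhash emit helpers, and its hunk headers still name `cshake128_xof_init` and `cshake256_xof_init`, so if this diff is the whole change the header declares symbols that are never defined and users of the new names fail at link time. Either restore the `_xof_` names in these declarations, e.g. `void cshake128_xof_init(sha3_xof_t *xof, const cshake_params_t params);`, or rename the definitions and internal callers in the same commit. The feature list at the top of both files still advertises cSHAKE128-XOF and cSHAKE256-XOF, which suggests the cSHAKE rename was not intended.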
@@ -1037,7 +988,7 @@ void cshake128_xof_init(sha3_xof_t *xof, const cshake_params_t params);
* [800-185]: https://csrc.nist.gov/pubs/sp/800/185/final
* "SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash"
*/
-_Bool cshake128_xof_absorb(sha3_xof_t *xof, const uint8_t *src, const size_t len);
+_Bool cshake128_absorb(sha3_xof_t *xof, const uint8_t *src, const size_t len);
/**
* @brief Squeeze bytes from cSHAKE128 [XOF][] context.
@@ -1063,7 +1014,7 @@ _Bool cshake128_xof_absorb(sha3_xof_t *xof, const uint8_t *src, const size_t len
* [800-185]: https://csrc.nist.gov/pubs/sp/800/185/final
* "SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash"
*/
-void cshake128_xof_squeeze(sha3_xof_t *xof, uint8_t *dst, const size_t len);
+void cshake128_squeeze(sha3_xof_t *xof, uint8_t *dst, const size_t len);
/**
* @brief Initialize cSHAKE256 [XOF][] context.
@@ -1090,7 +1041,7 @@ void cshake128_xof_squeeze(sha3_xof_t *xof, uint8_t *dst, const size_t len);
* [800-185]: https://csrc.nist.gov/pubs/sp/800/185/final
* "SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash"
*/
-void cshake256_xof_init(sha3_xof_t *xof, const cshake_params_t params);
+void cshake256_init(sha3_xof_t *xof, const cshake_params_t params);
/**
* @brief Absorb data into cSHAKE256 [XOF][] context.
@@ -1118,7 +1069,7 @@ void cshake256_xof_init(sha3_xof_t *xof, const cshake_params_t params);
* [800-185]: https://csrc.nist.gov/pubs/sp/800/185/final
* "SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash"
*/
-_Bool cshake256_xof_absorb(sha3_xof_t *xof, const uint8_t *src, const size_t len);
+_Bool cshake256_absorb(sha3_xof_t *xof, const uint8_t *src, const size_t len);
/**
* @brief Squeeze bytes from cSHAKE256 [XOF][] context.
@@ -1144,7 +1095,7 @@ _Bool cshake256_xof_absorb(sha3_xof_t *xof, const uint8_t *src, const size_t len
* [800-185]: https://csrc.nist.gov/pubs/sp/800/185/final
* "SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash"
*/
-void cshake256_xof_squeeze(sha3_xof_t *xof, uint8_t *dst, const size_t len);
+void cshake256_squeeze(sha3_xof_t *xof, uint8_t *dst, const size_t len);
/**
* @defgroup kmac KMAC