/*
* Copyright (c) 2024-2025 The mlkem-native project authors
* SPDX-License-Identifier: Apache-2.0
*/
/* Based on the CC0 implementation in https://github.com/mupq/mupq and
* the public domain implementation in
* crypto_hash/keccakc512/simple/ from http://bench.cr.yp.to/supercop.html
* by Ronny Van Keer
* and the public domain "TweetFips202" implementation
* from https://twitter.com/tweetfips202
* by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe */
#include "../common.h"
#if !defined(MLK_MULTILEVEL_BUILD_NO_SHARED)
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include "../verify.h"
#include "fips202.h"
#include "keccakf1600.h"
/*************************************************
 * Name:        mlk_keccak_absorb_once
 *
 * Description: Absorb step of Keccak; non-incremental. Zeroes the 25-lane
 *              state, XORs the message into it one rate-sized block at a
 *              time (permuting after every full block), XORs in any
 *              trailing partial block, and finally applies the
 *              domain-separation suffix p together with the pad10*1
 *              padding of FIPS 202. The state is left padded but NOT
 *              permuted: the squeeze routines in this file permute before
 *              extracting, so no final permutation is done here.
 *
 * WARNING: Must only be called once per state. It overwrites the state
 *          rather than continuing a previous absorb.
 *
 * Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak
 *                           state; at least MLK_KECCAK_LANES lanes
 *            - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
 *            - const uint8_t *m: pointer to input to be absorbed into s
 *            - size_t mlen: length of input in bytes
 *            - uint8_t p: domain-separation byte for different
 *                         Keccak-derived functions (0x1F for SHAKE,
 *                         0x06 for SHA3 in this file)
 *
 * NOTE(review): the contract bounds r from above only. With r == 0 the
 *               block loop below would never terminate (mlen >= 0 always
 *               holds); callers in this file only pass the fixed
 *               SHAKE/SHA3 rates, which are non-zero.
 **************************************************/
static void mlk_keccak_absorb_once(uint64_t *s, uint32_t r, const uint8_t *m,
                                   size_t mlen, uint8_t p)
__contract__(
  requires(r <= sizeof(uint64_t) * MLK_KECCAK_LANES)
  requires(memory_no_alias(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
  requires(memory_no_alias(m, mlen))
  assigns(memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES)))
{
  /* Initialize state: all 25 lanes to zero, so the caller need not. */
  size_t i;
  for (i = 0; i < 25; ++i)
  __loop__(invariant(i <= 25))
  {
    s[i] = 0;
  }
  /* Full blocks: XOR r bytes at lane-byte offset 0, then permute.
   * The invariants track that m advances exactly as mlen shrinks. */
  while (mlen >= r)
  __loop__(
    assigns(mlen, m, memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
    invariant(mlen <= loop_entry(mlen))
    invariant(m == loop_entry(m) + (loop_entry(mlen) - mlen)))
  {
    mlk_keccakf1600_xor_bytes(s, m, 0, r);
    mlk_keccakf1600_permute(s);
    mlen -= r;
    m += r;
  }
  /* Trailing partial block (mlen < r bytes): XOR it in without permuting;
   * the padding below completes this block. */
  if (mlen > 0)
  {
    mlk_keccakf1600_xor_bytes(s, m, 0, mlen);
  }
  /* pad10*1 with the domain-separation suffix p (FIPS 202). If exactly one
   * byte of the block is free, the suffix and the final 0x80 pad bit share
   * that last byte; otherwise p goes directly after the data and 0x80 goes
   * into the last byte of the block. */
  if (mlen == r - 1)
  {
    p |= 128;
    mlk_keccakf1600_xor_bytes(s, &p, mlen, 1);
  }
  else
  {
    mlk_keccakf1600_xor_bytes(s, &p, mlen, 1);
    p = 128;
    mlk_keccakf1600_xor_bytes(s, &p, r - 1, 1);
  }
}
/*************************************************
 * Name:        mlk_keccak_squeezeblocks
 *
 * Description: Block-level Keccak squeeze. For each of the nblocks output
 *              blocks it first permutes the state and then copies the
 *              first r bytes of the state to h. Because every block starts
 *              with a permutation and no intra-block position is kept,
 *              consecutive calls on the same state continue the output
 *              stream; this pairs with mlk_keccak_absorb_once, which
 *              leaves the state padded but not yet permuted.
 *
 * Arguments: - uint8_t *h: pointer to output bytes (nblocks * r bytes)
 *            - size_t nblocks: number of blocks to be squeezed
 *            - uint64_t *s: pointer to input/output Keccak state
 *            - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
 *
 * The nblocks <= 8 requirement in the contract is, per its own comment,
 * an arbitrary bound for the proof harness rather than a functional limit.
 **************************************************/
static void mlk_keccak_squeezeblocks(uint8_t *h, size_t nblocks, uint64_t *s,
                                     uint32_t r)
__contract__(
  requires(r <= sizeof(uint64_t) * MLK_KECCAK_LANES)
  requires(nblocks <= 8 /* somewhat arbitrary bound */)
  requires(memory_no_alias(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
  requires(memory_no_alias(h, nblocks * r))
  assigns(memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
  assigns(memory_slice(h, nblocks * r)))
{
  /* The invariant ties h to the number of blocks already emitted. */
  while (nblocks > 0)
  __loop__(
    assigns(h, nblocks,
            memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES),
            memory_slice(h, nblocks * r))
    invariant(nblocks <= loop_entry(nblocks) &&
              h == loop_entry(h) + r * (loop_entry(nblocks) - nblocks)))
  {
    /* Permute first, then extract: the state handed over by absorb is
     * padded but unpermuted. */
    mlk_keccakf1600_permute(s);
    mlk_keccakf1600_extract_bytes(s, h, 0, r);
    h += r;
    nblocks--;
  }
}
/*************************************************
 * Name:        mlk_keccak_squeeze_once
 *
 * Description: Byte-level Keccak squeeze. Permutes the state and extracts
 *              min(outlen, r) bytes, repeating until outlen bytes have been
 *              written. The final block is only partially consumed.
 *
 * WARNING: This must only be called once. No position within the current
 *          output block is kept, so a second call would permute again and
 *          restart at byte 0 of a new block instead of continuing where
 *          the first call stopped.
 *
 * Arguments: - uint8_t *h: pointer to output bytes (outlen bytes)
 *            - size_t outlen: number of bytes to be squeezed
 *            - uint64_t *s: pointer to Keccak state (input/output)
 *            - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
 **************************************************/
static void mlk_keccak_squeeze_once(uint8_t *h, size_t outlen, uint64_t *s,
                                    uint32_t r)
__contract__(
  requires(r <= sizeof(uint64_t) * MLK_KECCAK_LANES)
  requires(memory_no_alias(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
  requires(memory_no_alias(h, outlen))
  assigns(memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
  assigns(memory_slice(h, outlen)))
{
  size_t len;
  while (outlen > 0)
  __loop__(
    assigns(len, h, outlen,
            memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES),
            memory_slice(h, outlen))
    invariant(outlen <= loop_entry(outlen) &&
              h == loop_entry(h) + (loop_entry(outlen) - outlen)))
  {
    /* Permute before extracting: absorb leaves the state unpermuted. */
    mlk_keccakf1600_permute(s);
    /* len = min(outlen, r): a full block, or the short tail. */
    if (outlen < r)
    {
      len = outlen;
    }
    else
    {
      len = r;
    }
    mlk_keccakf1600_extract_bytes(s, h, 0, len);
    h += len;
    outlen -= len;
  }
}
/*
 * SHAKE128 one-shot absorb: feeds inlen bytes of input into the context's
 * Keccak state, which is zeroed first (no prior init of the state needed).
 * 0x1F is the SHAKE domain-separation suffix of FIPS 202. Must be called
 * exactly once per context, before any squeeze.
 */
void mlk_shake128_absorb_once(mlk_shake128ctx *state, const uint8_t *input,
                              size_t inlen)
{
  uint64_t *s = state->ctx;
  mlk_keccak_absorb_once(s, SHAKE128_RATE, input, inlen, 0x1F);
}
/*
 * SHAKE128 block-level squeeze: writes nblocks * SHAKE128_RATE bytes to
 * output; the caller's buffer must be at least that large. Each block is
 * preceded by a permutation of the state, so repeated calls on the same
 * context continue the output stream.
 */
void mlk_shake128_squeezeblocks(uint8_t *output, size_t nblocks,
                                mlk_shake128ctx *state)
{
  const uint32_t rate = SHAKE128_RATE;
  mlk_keccak_squeezeblocks(output, nblocks, state->ctx, rate);
}
/*
 * No-op: mlk_shake128_absorb_once zeroes the Keccak state itself, so there
 * is nothing to set up here.
 */
void mlk_shake128_init(mlk_shake128ctx *state)
{
  /* Parameter intentionally unused. */
  (void)state;
}
/*
 * Wipes the whole SHAKE128 context so the absorbed/squeezed Keccak state
 * does not linger in memory after use.
 */
void mlk_shake128_release(mlk_shake128ctx *state)
{
  /* Specification: Partially implements
   * [FIPS 203, Section 3.3, Destruction of intermediate values] */
  mlk_zeroize(state, sizeof *state);
}
/* SHAKE256 reuses the SHAKE128 context type: the state layout is the same
 * Keccak state; only the rate used at absorb/squeeze time differs. */
typedef mlk_shake128ctx mlk_shake256ctx;
/*
 * One-shot SHAKE256: absorbs inlen bytes of input (suffix 0x1F) and
 * squeezes outlen bytes into output using a stack-local context, which is
 * zeroized before returning.
 */
void mlk_shake256(uint8_t *output, size_t outlen, const uint8_t *input,
                  size_t inlen)
{
  mlk_shake256ctx st;
  uint64_t *s = st.ctx;

  /* Absorb input, then squeeze output from the same state. */
  mlk_keccak_absorb_once(s, SHAKE256_RATE, input, inlen, 0x1F);
  mlk_keccak_squeeze_once(output, outlen, s, SHAKE256_RATE);

  /* Specification: Partially implements
   * [FIPS 203, Section 3.3, Destruction of intermediate values] */
  mlk_zeroize(&st, sizeof st);
}
/*
 * SHA3-256: hashes inlen bytes of input into a 32-byte digest at output.
 * 0x06 is the SHA-3 domain-separation suffix of FIPS 202. The local Keccak
 * state is zeroized before returning.
 */
void mlk_sha3_256(uint8_t *output, const uint8_t *input, size_t inlen)
{
  uint64_t s[25];

  /* Absorb input, then squeeze the fixed-length digest. */
  mlk_keccak_absorb_once(s, SHA3_256_RATE, input, inlen, 0x06);
  mlk_keccak_squeeze_once(output, 32, s, SHA3_256_RATE);

  /* Specification: Partially implements
   * [FIPS 203, Section 3.3, Destruction of intermediate values] */
  mlk_zeroize(s, sizeof s);
}
/*
 * SHA3-512: hashes inlen bytes of input into a 64-byte digest at output.
 * 0x06 is the SHA-3 domain-separation suffix of FIPS 202. The local Keccak
 * state is zeroized before returning.
 */
void mlk_sha3_512(uint8_t *output, const uint8_t *input, size_t inlen)
{
  uint64_t s[25];

  /* Absorb input, then squeeze the fixed-length digest. */
  mlk_keccak_absorb_once(s, SHA3_512_RATE, input, inlen, 0x06);
  mlk_keccak_squeeze_once(output, 64, s, SHA3_512_RATE);

  /* Specification: Partially implements
   * [FIPS 203, Section 3.3, Destruction of intermediate values] */
  mlk_zeroize(s, sizeof s);
}
#else /* MLK_MULTILEVEL_BUILD_NO_SHARED */
MLK_EMPTY_CU(fips202)
#endif /* MLK_MULTILEVEL_BUILD_NO_SHARED */