From 988009f90c2a7e30cf2ba5c56ae75d03b32c3f64 Mon Sep 17 00:00:00 2001
From: Vladimir Rozic
Date: Mon, 31 Jul 2023 16:01:44 +0100
Subject: [PATCH] Remove traces of pyXKCP from the project.

Signed-off-by: Vladimir Rozic
---
 .gitignore | 8 -
 cw/pyXKCP/README.md | 25 -
 cw/pyXKCP/__init__.py | 7 -
 cw/pyXKCP/pyxkcp.py | 109 ----
 cw/pyXKCP/pyxkcp_build.py | 75 ---
 cw/vendor/xkcp_xkcp.lock.hjson | 14 -
 cw/vendor/xkcp_xkcp.vendor.hjson | 27 -
 cw/vendor/xkcp_xkcp/KeccakP-1600-SnP.h | 40 --
 cw/vendor/xkcp_xkcp/KeccakP-1600-compact64.c | 420 -------------
 cw/vendor/xkcp_xkcp/KeccakSponge.c | 111 ----
 cw/vendor/xkcp_xkcp/KeccakSponge.h | 76 ---
 cw/vendor/xkcp_xkcp/KeccakSponge.inc | 314 ----------
 cw/vendor/xkcp_xkcp/Phases.h | 25 -
 cw/vendor/xkcp_xkcp/SP800-185.c | 93 ---
 cw/vendor/xkcp_xkcp/SP800-185.h | 599 -------------------
 cw/vendor/xkcp_xkcp/SP800-185.inc | 573 ------------------
 cw/vendor/xkcp_xkcp/SnP-Relaned.h | 141 -----
 cw/vendor/xkcp_xkcp/align.h | 33 -
 cw/vendor/xkcp_xkcp/brg_endian.h | 143 -----
 19 files changed, 2833 deletions(-)
 delete mode 100644 cw/pyXKCP/README.md
 delete mode 100644 cw/pyXKCP/__init__.py
 delete mode 100644 cw/pyXKCP/pyxkcp.py
 delete mode 100755 cw/pyXKCP/pyxkcp_build.py
 delete mode 100644 cw/vendor/xkcp_xkcp.lock.hjson
 delete mode 100644 cw/vendor/xkcp_xkcp.vendor.hjson
 delete mode 100644 cw/vendor/xkcp_xkcp/KeccakP-1600-SnP.h
 delete mode 100644 cw/vendor/xkcp_xkcp/KeccakP-1600-compact64.c
 delete mode 100644 cw/vendor/xkcp_xkcp/KeccakSponge.c
 delete mode 100644 cw/vendor/xkcp_xkcp/KeccakSponge.h
 delete mode 100644 cw/vendor/xkcp_xkcp/KeccakSponge.inc
 delete mode 100644 cw/vendor/xkcp_xkcp/Phases.h
 delete mode 100644 cw/vendor/xkcp_xkcp/SP800-185.c
 delete mode 100644 cw/vendor/xkcp_xkcp/SP800-185.h
 delete mode 100644 cw/vendor/xkcp_xkcp/SP800-185.inc
 delete mode 100644 cw/vendor/xkcp_xkcp/SnP-Relaned.h
 delete mode 100644 cw/vendor/xkcp_xkcp/align.h
 delete mode 100644 cw/vendor/xkcp_xkcp/brg_endian.h
diff --git a/.gitignore b/.gitignore
index 63f2995e..2b03e312 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,14 +5,6 @@ __pycache__/
 # C extensions
 *.so
-KeccakP-1600-compact64.o
-KeccakSponge.o
-SP800-185.o
-_xkcp.c
-_xkcp.cpython*.so
-_xkcp.o
-cw/vendor/xkcp_xkcp/config.h
-
 # Jupyter Notebook
 .ipynb_checkpoints
diff --git a/cw/pyXKCP/README.md b/cw/pyXKCP/README.md
deleted file mode 100644
index f0e8504b..00000000
--- a/cw/pyXKCP/README.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# Why do we need a C-Extension?
-At the moment, there are no Python implementations of [NIST SP 8000-185](https://doi.org/10.6028/NIST.SP.800-185).
-However, there is a [feature request](https://bugs.python.org/issue39539) to add this functionality to [hashlib](https://docs.python.org/3/library/hashlib.html).
-Thus, this extension might become obsolete once this feature is implemented as part of hashlib.
-In the meantime, pyXKCP can be used to verify the KMAC hardware implementation.
-
-## pyXKCP
-pyXKCP is a python wrapper for the [eXtended Keccak Code Package (XKCP)](https://github.com/XKCP/XKCP).
-XKCP features different high- and lowlevel implementation of Keccak.
-At the moment only the highlevel function KMAC and the lowlevel implementation `compact` are supported.
-
-### Building pyXKCP
-There shouldn't be anything to do for the user.
-The extension is build on-the-fly if not existing.
-To explicitly build the SP800-185-C-extension `pyxkcp_build.py` can be used.
-This will generate the needed configuration, compile the sources, and provides a shared library.
-
-### Example
-To see an example call `pyxkcp.test()`.
-
-### License
-Most of the used source files from XKCP are released to the **public domain** and associated to the [CC0](http://creativecommons.org/publicdomain/zero/1.0/) deed.
-The only exception is the following:
-
-* [`brg_endian.h`](../vendor/xkcp_xkcp/brg_endian.h) is copyrighted by Brian Gladman and comes with a BSD 3-clause license;
diff --git a/cw/pyXKCP/__init__.py b/cw/pyXKCP/__init__.py
deleted file mode 100644
index 47717974..00000000
--- a/cw/pyXKCP/__init__.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# Copyright lowRISC contributors.
-# Licensed under the Apache License, Version 2.0, see LICENSE for details.
-# SPDX-License-Identifier: Apache-2.0
-
-from . import pyxkcp_build
-
-pyxkcp_build.initialize()
diff --git a/cw/pyXKCP/pyxkcp.py b/cw/pyXKCP/pyxkcp.py
deleted file mode 100644
index 7c9f286e..00000000
--- a/cw/pyXKCP/pyxkcp.py
+++ /dev/null
@@ -1,109 +0,0 @@
-# Copyright lowRISC contributors.
-# Licensed under the Apache License, Version 2.0, see LICENSE for details.
-# SPDX-License-Identifier: Apache-2.0
-
-import binascii
-
-import cffi
-
-from . import _xkcp
-
-ffi = cffi.FFI()
-
-
-def kmac128_raw(key, keyLen, input, inputLen, output, outputLen, customization,
- customLen):
- # all data (besides lengths) are passed as references, like in the C implementation
-
- # from bytearray to uint8 pointer
- key_p = ffi.from_buffer(key)
- input_p = ffi.from_buffer(input)
- output_p = ffi.from_buffer(output)
- customization_p = ffi.from_buffer(customization)
- status = _xkcp.lib.KMAC128(key_p, keyLen * 8, input_p, inputLen * 8,
- output_p, outputLen * 8, customization_p,
- customLen * 8)
- return status
-
-
-def kmac128(key, keyLen, input, inputLen, outputLen, customization, customLen):
- # experimental: output is returned, no need for a reference
- output = bytearray(outputLen)
- status = kmac128_raw(key, keyLen, input, inputLen, output, outputLen,
- customization, customLen)
- if status == 0:
- return output
-
-
-def kmac256_raw(key, keyLen, input, inputLen, output, outputLen, customization,
- customLen):
- # NOT TESTED ATM
-
- # from bytearray to uint8 pointer
- key_p = ffi.from_buffer(key)
- input_p = ffi.from_buffer(input)
- output_p = ffi.from_buffer(output)
- customization_p = ffi.from_buffer(customization)
- status = _xkcp.lib.KMAC256(key_p, keyLen * 8, input_p, inputLen * 8,
- output_p, outputLen * 8, customization_p,
- customLen * 8)
- return status
-
-
-def kmac256(key, keyLen, input, inputLen, outputLen, customization, customLen):
- # NOT TESTED ATM
-
- output = bytearray(outputLen)
- status = kmac256_raw(key, keyLen, input, inputLen, output, outputLen,
- customization, customLen)
- if status == 0:
- return output
-
-
-def test():
- print("https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/"
- "documents/examples/KMAC_samples.pdf")
- print("KMAC: Sample #1")
- print("Security Strength: 128-bits")
- print("Length of Key is 256-bits")
- print("Length of data is 32-bits")
- print("Requested output length is 256-bits")
-
- keyLen = 32
- inputLen = 4
- outputLen = 32
- customLen = 0
-
- # with python buffers/bytearray
- key = bytearray(keyLen)
- input = bytearray(inputLen)
- output = bytearray(outputLen)
- customization = bytearray(customLen)
-
- key = b'\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54'\
- b'\x55\x56\x57\x58\x59\x5A\x5B\x5C\x5D\x5E\x5F'
- input = b'\x00\x01\x02\x03'
- customization = b'\x00'
- expected_output = b'\xE5\x78\x0B\x0D\x3E\xA6\xF7\xD3\xA4\x29\xC5\x70\x6A\xA4\x3A\x00\xFA\xDB'\
- b'\xD7\xD4\x96\x28\x83\x9E\x31\x87\x24\x3F\x45\x6E\xE1\x4E'
-
- print("key: ", binascii.hexlify(key))
- print("input: ", binascii.hexlify(input))
- print("S: ", "\"(null)\"")
- print("expected output: ", binascii.hexlify(expected_output))
-
- kmac128_raw(key, keyLen, input, inputLen, output, outputLen, customization,
- customLen)
- print("Output by reference : ", binascii.hexlify(output))
- if output == expected_output:
- print("Output by reference matches. PASS!")
- else:
- print("Output by reference does not match!")
-
- ret = kmac128(key, keyLen, input, inputLen, outputLen, customization,
- customLen)
- print("Output by value: ", binascii.hexlify(ret))
- if ret == expected_output:
- print("Output by value matches. PASS!")
- else:
- print("Output by value does not match!")
diff --git a/cw/pyXKCP/pyxkcp_build.py b/cw/pyXKCP/pyxkcp_build.py
deleted file mode 100755
index 89d3aa04..00000000
--- a/cw/pyXKCP/pyxkcp_build.py
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/usr/bin/env python3
-# Copyright lowRISC contributors.
-# Licensed under the Apache License, Version 2.0, see LICENSE for details.
-# SPDX-License-Identifier: Apache-2.0
-
-import os
-
-from cffi import FFI
-
-ffibuilder = FFI()
-
-ffibuilder.cdef('\n'.join([
- "typedef uint8_t BitSequence;",
- "typedef size_t BitLength;",
- ("int cSHAKE128( const BitSequence *input, BitLength inputBitLen, BitSequence *output, "
- "BitLength outputBitLen, const BitSequence *name, BitLength nameBitLen, "
- "const BitSequence *customization, BitLength customBitLen );"),
- ("int cSHAKE256( const BitSequence *input, BitLength inputBitLen, BitSequence *output, "
- "BitLength outputBitLen, const BitSequence *name, BitLength nameBitLen, "
- "const BitSequence *customization, BitLength customBitLen );"),
- ("int KMAC128(const BitSequence *key, BitLength keyBitLen, const BitSequence *input, "
- "BitLength inputBitLen, BitSequence *output, BitLength outputBitLen, "
- "const BitSequence *customization, BitLength customBitLen);"),
- ("int KMAC256(const BitSequence *key, BitLength keyBitLen, const BitSequence *input, "
- "BitLength inputBitLen, BitSequence *output, BitLength outputBitLen, "
- "const BitSequence *customization, BitLength customBitLen);")
-]))
-
-ffibuilder.set_source(
- "_xkcp", # name of the output C extension
- """
- #include "../vendor/xkcp_xkcp/align.h"
- #include "../vendor/xkcp_xkcp/Phases.h"
- #include "../vendor/xkcp_xkcp/KeccakSponge.h"
- #include "../vendor/xkcp_xkcp/SP800-185.h"
- #include "../vendor/xkcp_xkcp/KeccakP-1600-SnP.h"
- #include "../vendor/xkcp_xkcp/SnP-Relaned.h"
- #include "../vendor/xkcp_xkcp/brg_endian.h"
-
-""",
- sources=[
- '../vendor/xkcp_xkcp/SP800-185.c',
- '../vendor/xkcp_xkcp/KeccakSponge.c',
- '../vendor/xkcp_xkcp/KeccakP-1600-compact64.c'
- ],
- libraries=[])
-
-
-def create_config_file():
- with open('../vendor/xkcp_xkcp/config.h', 'w') as the_file:
- the_file.write('// Copyright lowRISC contributors\n')
- the_file.write(
- '// Licensed under the Apache License, Version 2.0, see LICENSE for details.\n'
- )
- the_file.write('// SPDX-License-Identifier: Apache-2.0 \n\n')
- the_file.write('// This file is autogenerated by ' + __file__ +
- '\n// DO NOT CHANGE!\n\n')
- # Define which KeccakPermutation is used
- the_file.write('#define XKCP_has_KeccakP1600\n')
- the_file.close()
-
-
-def initialize():
- cw = os.getcwd()
- os.chdir(os.path.dirname(__file__))
- if not os.path.exists("_xkcp.o"):
- print("Building xkcp-extension")
- create_config_file()
- ffibuilder.compile(verbose=False)
- os.chdir(cw)
-
-
-if __name__ == "__main__":
- create_config_file()
- ffibuilder.compile(verbose=True)
diff --git a/cw/vendor/xkcp_xkcp.lock.hjson b/cw/vendor/xkcp_xkcp.lock.hjson
deleted file mode 100644
index 4332d754..00000000
--- a/cw/vendor/xkcp_xkcp.lock.hjson
+++ /dev/null
@@ -1,14 +0,0 @@
-// Copyright lowRISC contributors.
-// Licensed under the Apache License, Version 2.0, see LICENSE for details.
-// SPDX-License-Identifier: Apache-2.0
-
-// This file is generated by the util/vendor script. Please do not modify it
-// manually.
-
-{
- upstream:
- {
- url: https://github.com/xkcp/xkcp
- rev: 715fbb4d654b474eecc0706ee7efffaebeda4258
- }
-}
diff --git a/cw/vendor/xkcp_xkcp.vendor.hjson b/cw/vendor/xkcp_xkcp.vendor.hjson
deleted file mode 100644
index d7ec9393..00000000
--- a/cw/vendor/xkcp_xkcp.vendor.hjson
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright lowRISC contributors.
-// Licensed under the Apache License, Version 2.0, see LICENSE for details.
-// SPDX-License-Identifier: Apache-2.0
-{
- name: "xkcp_xkcp",
- target_dir: "xkcp_xkcp",
-
- upstream: {
- url: "https://github.com/xkcp/xkcp"
- rev: "master"
- }
-
- mapping: [
- {from: "lib/common/align.h", to: "align.h"},
- {from: "lib/common/brg_endian.h", to: "brg_endian.h"},
- {from: "lib/low/KeccakP-1600/compact/KeccakP-1600-compact64.c", to: "KeccakP-1600-compact64.c"},
- {from: "lib/low/KeccakP-1600/compact/KeccakP-1600-SnP.h", to: "KeccakP-1600-SnP.h"},
- {from: "lib/low/common/SnP-Relaned.h", to: "SnP-Relaned.h"},
- {from: "lib/high/common/Phases.h", to: "Phases.h"},
- {from: "lib/high/Keccak/KeccakSponge.c", to: "KeccakSponge.c"},
- {from: "lib/high/Keccak/KeccakSponge.inc", to: "KeccakSponge.inc"},
- {from: "lib/high/Keccak/KeccakSponge.h", to: "KeccakSponge.h"},
- {from: "lib/high/Keccak/SP800-185/SP800-185.c", to: "SP800-185.c"},
- {from: "lib/high/Keccak/SP800-185/SP800-185.inc", to: "SP800-185.inc"},
- {from: "lib/high/Keccak/SP800-185/SP800-185.h", to: "SP800-185.h"},
- ]
-}
diff --git a/cw/vendor/xkcp_xkcp/KeccakP-1600-SnP.h b/cw/vendor/xkcp_xkcp/KeccakP-1600-SnP.h
deleted file mode 100644
index 399d086c..00000000
--- a/cw/vendor/xkcp_xkcp/KeccakP-1600-SnP.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
-The eXtended Keccak Code Package (XKCP)
-https://github.com/XKCP/XKCP
-
-The Keccak-p permutations, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche.
-
-Implementation by Ronny Van Keer, hereby denoted as "the implementer".
-
-For more information, feedback or questions, please refer to the Keccak Team website:
-https://keccak.team/
-
-To the extent possible under law, the implementer has waived all copyright
-and related or neighboring rights to the source code in this file.
-http://creativecommons.org/publicdomain/zero/1.0/
-
----
-
-Please refer to SnP-documentation.h for more details.
-*/
-
-#ifndef _KeccakP_1600_SnP_h_
-#define _KeccakP_1600_SnP_h_
-
-#define KeccakP1600_implementation "64-bit compact implementation"
-#define KeccakP1600_stateSizeInBytes 200
-#define KeccakP1600_stateAlignment 8
-
-#define KeccakP1600_StaticInitialize()
-void KeccakP1600_Initialize(void *state);
-void KeccakP1600_AddByte(void *state, unsigned char data, unsigned int offset);
-void KeccakP1600_AddBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length);
-void KeccakP1600_OverwriteBytes(void *state, const unsigned char *data, unsigned int offset, unsigned int length);
-void KeccakP1600_OverwriteWithZeroes(void *state, unsigned int byteCount);
-void KeccakP1600_Permute_Nrounds(void *state, unsigned int nrounds);
-void KeccakP1600_Permute_12rounds(void *state);
-void KeccakP1600_Permute_24rounds(void *state);
-void KeccakP1600_ExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length);
-void KeccakP1600_ExtractAndAddBytes(const void *state, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length);
-
-#endif
diff --git a/cw/vendor/xkcp_xkcp/KeccakP-1600-compact64.c b/cw/vendor/xkcp_xkcp/KeccakP-1600-compact64.c
deleted file mode 100644
index 02a9ee08..00000000
--- a/cw/vendor/xkcp_xkcp/KeccakP-1600-compact64.c
+++ /dev/null
@@ -1,420 +0,0 @@ -/* -The eXtended Keccak Code Package (XKCP) -https://github.com/XKCP/XKCP - -The Keccak-p permutations, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. - -Implementation by Ronny Van Keer, hereby denoted as "the implementer". - -For more information, feedback or questions, please refer to the Keccak Team website: -https://keccak.team/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ - ---- - -This file implements Keccak-p[1600] in a SnP-compatible way. -Please refer to SnP-documentation.h for more details. - -This implementation comes with KeccakP-1600-SnP.h in the same folder. -Please refer to LowLevel.build for the exact list of other files it must be combined with. -*/ - -#include -#include -#include -#include "brg_endian.h" -#include "KeccakP-1600-SnP.h" -#include "SnP-Relaned.h" - -#define USE_MEMSET -/* #define DIVISION_INSTRUCTION */ /* comment if no division instruction or more compact when not using division */ -#define UNROLL_CHILOOP /* comment more compact using for loop */ - -typedef uint_fast8_t tSmallUInt; -typedef uint64_t tKeccakLane; - -#if defined(_MSC_VER) -#define ROL64(a, offset) _rotl64(a, offset) -#elif defined(UseSHLD) - #define ROL64(x,N) ({ \ - register uint64_t __out; \ - register uint64_t __in = x; \ - __asm__ ("shld %2,%0,%0" : "=r"(__out) : "0"(__in), "i"(N)); \ - __out; \ - }) -#else -#define ROL64(a, offset) ((((uint64_t)a) << offset) ^ (((uint64_t)a) >> (64-offset))) -#endif - -#define cKeccakNumberOfRounds 24 - -const uint8_t KeccakP1600_RotationConstants[25] = -{ - 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44 -}; - -const uint8_t KeccakP1600_PiLane[25] = -{ - 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 -}; - -#if defined(DIVISION_INSTRUCTION) -#define 
MOD5(argValue) ((argValue) % 5) -#else -const uint8_t KeccakP1600_Mod5[10] = -{ - 0, 1, 2, 3, 4, 0, 1, 2, 3, 4 -}; -#define MOD5(argValue) KeccakP1600_Mod5[argValue] -#endif - -/* ---------------------------------------------------------------- */ - -static tKeccakLane KeccakF1600_GetNextRoundConstant( uint8_t *LFSR ); -static tKeccakLane KeccakF1600_GetNextRoundConstant( uint8_t *LFSR ) -{ - tSmallUInt i; - tKeccakLane roundConstant; - tSmallUInt doXOR; - tSmallUInt tempLSFR; - - roundConstant = 0; - tempLSFR = *LFSR; - for(i=1; i<128; i <<= 1) - { - doXOR = tempLSFR & 1; - if ((tempLSFR & 0x80) != 0) - /* Primitive polynomial over GF(2): x^8+x^6+x^5+x^4+1 */ - tempLSFR = (tempLSFR << 1) ^ 0x71; - else - tempLSFR <<= 1; - - if ( doXOR != 0 ) - roundConstant ^= (tKeccakLane)1ULL << (i - 1); - } - *LFSR = (uint8_t)tempLSFR; - return ( roundConstant ); -} - -/* ---------------------------------------------------------------- */ - -void KeccakP1600_Initialize(void *argState) -{ - #if defined(USE_MEMSET) - memset( argState, 0, 25 * 8 ); - #else - tSmallUInt i; - tKeccakLane *state; - - state = argState; - i = 25; - do - { - *(state++) = 0; - } - while ( --i != 0 ); - #endif -} - -/* ---------------------------------------------------------------- */ - -void KeccakP1600_AddBytesInLane(void *argState, unsigned int lanePosition, const unsigned char *data, unsigned int offset, unsigned int length) -{ - unsigned int i; - #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) - unsigned char * state = (unsigned char*)argState + lanePosition * sizeof(tKeccakLane) + offset; - for(i=0; i>= offset*8; - for(i=0; i>= 8; - } -#endif -} - -/* ---------------------------------------------------------------- */ - -void KeccakP1600_ExtractLanes(const void *state, unsigned char *data, unsigned int laneCount) -{ -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) - memcpy(data, state, laneCount*8); -#else - tSmallUInt i, j; - for(i=0; i> (8*j)) & 0xFF; - } - } -#endif -} - -/* 
---------------------------------------------------------------- */ - -void KeccakP1600_ExtractBytes(const void *state, unsigned char *data, unsigned int offset, unsigned int length) -{ - SnP_ExtractBytes(state, data, offset, length, KeccakP1600_ExtractLanes, KeccakP1600_ExtractBytesInLane, 8); -} - -/* ---------------------------------------------------------------- */ - -void KeccakP1600_ExtractAndAddBytesInLane(const void *state, unsigned int lanePosition, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length) -{ - tSmallUInt i; - tKeccakLane lane = ((tKeccakLane*)state)[lanePosition]; - lane >>= offset*8; - for(i=0; i>= 8; - } -} - -/* ---------------------------------------------------------------- */ - -void KeccakP1600_ExtractAndAddLanes(const void *state, const unsigned char *input, unsigned char *output, unsigned int laneCount) -{ -#if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN) - tSmallUInt i; - for(i=0; i> (8*j)) & 0xFF); - } - } -#endif -} - -/* ---------------------------------------------------------------- */ - -void KeccakP1600_ExtractAndAddBytes(const void *state, const unsigned char *input, unsigned char *output, unsigned int offset, unsigned int length) -{ - SnP_ExtractAndAddBytes(state, input, output, offset, length, KeccakP1600_ExtractAndAddLanes, KeccakP1600_ExtractAndAddBytesInLane, 8); -} - -/* ---------------------------------------------------------------- */ diff --git a/cw/vendor/xkcp_xkcp/KeccakSponge.c b/cw/vendor/xkcp_xkcp/KeccakSponge.c deleted file mode 100644 index 350df772..00000000 --- a/cw/vendor/xkcp_xkcp/KeccakSponge.c +++ /dev/null 
@@ -1,111 +0,0 @@
-/*
-The eXtended Keccak Code Package (XKCP)
-https://github.com/XKCP/XKCP
-
-Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche.
-
-Implementation by the designers, hereby denoted as "the implementer".
-
-For more information, feedback or questions, please refer to the Keccak Team website:
-https://keccak.team/
-
-To the extent possible under law, the implementer has waived all copyright
-and related or neighboring rights to the source code in this file.
-http://creativecommons.org/publicdomain/zero/1.0/
-*/
-
-#include "KeccakSponge.h"
-
-#ifdef KeccakReference
- #include "displayIntermediateValues.h"
-#endif
-
-#ifdef XKCP_has_KeccakP200
- #include "KeccakP-200-SnP.h"
-
- #define prefix KeccakWidth200
- #define SnP KeccakP200
- #define SnP_width 200
- #define SnP_Permute KeccakP200_Permute_18rounds
- #if defined(KeccakF200_FastLoop_supported)
- #define SnP_FastLoop_Absorb KeccakF200_FastLoop_Absorb
- #endif
- #include "KeccakSponge.inc"
- #undef prefix
- #undef SnP
- #undef SnP_width
- #undef SnP_Permute
- #undef SnP_FastLoop_Absorb
-#endif
-
-#ifdef XKCP_has_KeccakP400
- #include "KeccakP-400-SnP.h"
-
- #define prefix KeccakWidth400
- #define SnP KeccakP400
- #define SnP_width 400
- #define SnP_Permute KeccakP400_Permute_20rounds
- #if defined(KeccakF400_FastLoop_supported)
- #define SnP_FastLoop_Absorb KeccakF400_FastLoop_Absorb
- #endif
- #include "KeccakSponge.inc"
- #undef prefix
- #undef SnP
- #undef SnP_width
- #undef SnP_Permute
- #undef SnP_FastLoop_Absorb
-#endif
-
-#ifdef XKCP_has_KeccakP800
- #include "KeccakP-800-SnP.h"
-
- #define prefix KeccakWidth800
- #define SnP KeccakP800
- #define SnP_width 800
- #define SnP_Permute KeccakP800_Permute_22rounds
- #if defined(KeccakF800_FastLoop_supported)
- #define SnP_FastLoop_Absorb KeccakF800_FastLoop_Absorb
- #endif
- #include "KeccakSponge.inc"
- #undef prefix
- #undef SnP
- #undef SnP_width
- #undef SnP_Permute
- #undef SnP_FastLoop_Absorb
-#endif
-
-#ifdef XKCP_has_KeccakP1600
- #include "KeccakP-1600-SnP.h"
-
- #define prefix KeccakWidth1600
- #define SnP KeccakP1600
- #define SnP_width 1600
- #define SnP_Permute KeccakP1600_Permute_24rounds
- #if defined(KeccakF1600_FastLoop_supported)
- #define SnP_FastLoop_Absorb KeccakF1600_FastLoop_Absorb
- #endif
- #include "KeccakSponge.inc"
- #undef prefix
- #undef SnP
- #undef SnP_width
- #undef SnP_Permute
- #undef SnP_FastLoop_Absorb
-#endif
-
-#ifdef XKCP_has_KeccakP1600
- #include "KeccakP-1600-SnP.h"
-
- #define prefix KeccakWidth1600_12rounds
- #define SnP KeccakP1600
- #define SnP_width 1600
- #define SnP_Permute KeccakP1600_Permute_12rounds
- #if defined(KeccakP1600_12rounds_FastLoop_supported)
- #define SnP_FastLoop_Absorb KeccakP1600_12rounds_FastLoop_Absorb
- #endif
- #include "KeccakSponge.inc"
- #undef prefix
- #undef SnP
- #undef SnP_width
- #undef SnP_Permute
- #undef SnP_FastLoop_Absorb
-#endif
diff --git a/cw/vendor/xkcp_xkcp/KeccakSponge.h b/cw/vendor/xkcp_xkcp/KeccakSponge.h
deleted file mode 100644
index 31c2d05c..00000000
--- a/cw/vendor/xkcp_xkcp/KeccakSponge.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
-The eXtended Keccak Code Package (XKCP)
-https://github.com/XKCP/XKCP
-
-Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche.
-
-Implementation by the designers, hereby denoted as "the implementer".
-
-For more information, feedback or questions, please refer to the Keccak Team website:
-https://keccak.team/
-
-To the extent possible under law, the implementer has waived all copyright
-and related or neighboring rights to the source code in this file.
-http://creativecommons.org/publicdomain/zero/1.0/
-*/
-
-#ifndef _KeccakSponge_h_
-#define _KeccakSponge_h_
-
-/* For the documentation, please follow the link: */
-/* #include "KeccakSponge-documentation.h" */
-
-#include
-#include "align.h"
-#include "config.h"
-
-#define XKCP_DeclareSpongeStructure(prefix, size, alignment) \
- ALIGN(alignment) typedef struct prefix##_SpongeInstanceStruct { \
- unsigned char state[size]; \
- unsigned int rate; \
- unsigned int byteIOIndex; \
- int squeezing; \
- } prefix##_SpongeInstance;
-
-#define XKCP_DeclareSpongeFunctions(prefix) \
- int prefix##_Sponge(unsigned int rate, unsigned int capacity, const unsigned char *input, size_t inputByteLen, unsigned char suffix, unsigned char *output, size_t outputByteLen); \
- int prefix##_SpongeInitialize(prefix##_SpongeInstance *spongeInstance, unsigned int rate, unsigned int capacity); \
- int prefix##_SpongeAbsorb(prefix##_SpongeInstance *spongeInstance, const unsigned char *data, size_t dataByteLen); \
- int prefix##_SpongeAbsorbLastFewBits(prefix##_SpongeInstance *spongeInstance, unsigned char delimitedData); \
- int prefix##_SpongeSqueeze(prefix##_SpongeInstance *spongeInstance, unsigned char *data, size_t dataByteLen);
-
-#ifdef XKCP_has_KeccakP200
- #include "KeccakP-200-SnP.h"
- XKCP_DeclareSpongeStructure(KeccakWidth200, KeccakP200_stateSizeInBytes, KeccakP200_stateAlignment)
- XKCP_DeclareSpongeFunctions(KeccakWidth200)
- #define XKCP_has_Sponge_Keccak_width200
-#endif
-
-#ifdef XKCP_has_KeccakP400
- #include "KeccakP-400-SnP.h"
- XKCP_DeclareSpongeStructure(KeccakWidth400, KeccakP400_stateSizeInBytes, KeccakP400_stateAlignment)
- XKCP_DeclareSpongeFunctions(KeccakWidth400)
- #define XKCP_has_Sponge_Keccak_width400
-#endif
-
-#ifdef XKCP_has_KeccakP800
- #include "KeccakP-800-SnP.h"
- XKCP_DeclareSpongeStructure(KeccakWidth800, KeccakP800_stateSizeInBytes, KeccakP800_stateAlignment)
- XKCP_DeclareSpongeFunctions(KeccakWidth800)
- #define XKCP_has_Sponge_Keccak_width800
-#endif
-
-#ifdef XKCP_has_KeccakP1600
- #include "KeccakP-1600-SnP.h"
- XKCP_DeclareSpongeStructure(KeccakWidth1600, KeccakP1600_stateSizeInBytes, KeccakP1600_stateAlignment)
- XKCP_DeclareSpongeFunctions(KeccakWidth1600)
- #define XKCP_has_Sponge_Keccak_width1600
-#endif
-
-#ifdef XKCP_has_KeccakP1600
- #include "KeccakP-1600-SnP.h"
- XKCP_DeclareSpongeStructure(KeccakWidth1600_12rounds, KeccakP1600_stateSizeInBytes, KeccakP1600_stateAlignment)
- XKCP_DeclareSpongeFunctions(KeccakWidth1600_12rounds)
-#endif
-
-#endif
diff --git a/cw/vendor/xkcp_xkcp/KeccakSponge.inc b/cw/vendor/xkcp_xkcp/KeccakSponge.inc
deleted file mode 100644
index 70080923..00000000
--- a/cw/vendor/xkcp_xkcp/KeccakSponge.inc
+++ /dev/null
@@ -1,314 +0,0 @@ -/* -The eXtended Keccak Code Package (XKCP) -https://github.com/XKCP/XKCP - -Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. - -Implementation by the designers, hereby denoted as "the implementer". - -For more information, feedback or questions, please refer to the Keccak Team website: -https://keccak.team/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#define JOIN0(a, b) a ## b -#define JOIN(a, b) JOIN0(a, b) - -#define Sponge JOIN(prefix, _Sponge) -#define SpongeInstance JOIN(prefix, _SpongeInstance) -#define SpongeInitialize JOIN(prefix, _SpongeInitialize) -#define SpongeAbsorb JOIN(prefix, _SpongeAbsorb) -#define SpongeAbsorbLastFewBits JOIN(prefix, _SpongeAbsorbLastFewBits) -#define SpongeSqueeze JOIN(prefix, _SpongeSqueeze) - -#define SnP_stateSizeInBytes JOIN(SnP, _stateSizeInBytes) -#define SnP_stateAlignment JOIN(SnP, _stateAlignment) -#define SnP_StaticInitialize JOIN(SnP, _StaticInitialize) -#define SnP_Initialize JOIN(SnP, _Initialize) -#define SnP_AddByte JOIN(SnP, _AddByte) -#define SnP_AddBytes JOIN(SnP, _AddBytes) -#define SnP_ExtractBytes JOIN(SnP, _ExtractBytes) - -int Sponge(unsigned int rate, unsigned int capacity, const unsigned char *input, size_t inputByteLen, unsigned char suffix, unsigned char *output, size_t outputByteLen) -{ - ALIGN(SnP_stateAlignment) unsigned char state[SnP_stateSizeInBytes]; - unsigned int partialBlock; - const unsigned char *curInput = input; - unsigned char *curOutput = output; - unsigned int rateInBytes = rate/8; - - if (rate+capacity != SnP_width) - return 1; - if ((rate <= 0) || (rate > SnP_width) || ((rate % 8) != 0)) - return 1; - if (suffix == 0) - return 1; - - /* Initialize the state */ - SnP_StaticInitialize(); - SnP_Initialize(state); - - /* First, absorb whole blocks */ -#ifdef 
SnP_FastLoop_Absorb - if (((rateInBytes % (SnP_width/200)) == 0) && (inputByteLen >= rateInBytes)) { - /* fast lane: whole lane rate */ - size_t j; - j = SnP_FastLoop_Absorb(state, rateInBytes/(SnP_width/200), curInput, inputByteLen); - curInput += j; - inputByteLen -= j; - } -#endif - while(inputByteLen >= (size_t)rateInBytes) { - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed", curInput, rateInBytes); - #endif - SnP_AddBytes(state, curInput, 0, rateInBytes); - SnP_Permute(state); - curInput += rateInBytes; - inputByteLen -= rateInBytes; - } - - /* Then, absorb what remains */ - partialBlock = (unsigned int)inputByteLen; - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed (part)", curInput, partialBlock); - #endif - SnP_AddBytes(state, curInput, 0, partialBlock); - - /* Finally, absorb the suffix */ - #ifdef KeccakReference - { - unsigned char delimitedData1[1]; - delimitedData1[0] = suffix; - displayBytes(1, "Block to be absorbed (last few bits + first bit of padding)", delimitedData1, 1); - } - #endif - /* Last few bits, whose delimiter coincides with first bit of padding */ - SnP_AddByte(state, suffix, partialBlock); - /* If the first bit of padding is at position rate-1, we need a whole new block for the second bit of padding */ - if ((suffix >= 0x80) && (partialBlock == (rateInBytes-1))) - SnP_Permute(state); - /* Second bit of padding */ - SnP_AddByte(state, 0x80, rateInBytes-1); - #ifdef KeccakReference - { - unsigned char block[SnP_width/8]; - memset(block, 0, SnP_width/8); - block[rateInBytes-1] = 0x80; - displayBytes(1, "Second bit of padding", block, rateInBytes); - } - #endif - SnP_Permute(state); - #ifdef KeccakReference - displayText(1, "--- Switching to squeezing phase ---"); - #endif - - /* First, output whole blocks */ - while(outputByteLen > (size_t)rateInBytes) { - SnP_ExtractBytes(state, curOutput, 0, rateInBytes); - SnP_Permute(state); - #ifdef KeccakReference - displayBytes(1, "Squeezed block", curOutput, 
rateInBytes); - #endif - curOutput += rateInBytes; - outputByteLen -= rateInBytes; - } - - /* Finally, output what remains */ - partialBlock = (unsigned int)outputByteLen; - SnP_ExtractBytes(state, curOutput, 0, partialBlock); - #ifdef KeccakReference - displayBytes(1, "Squeezed block (part)", curOutput, partialBlock); - #endif - - return 0; -} - -/* ---------------------------------------------------------------- */ -/* ---------------------------------------------------------------- */ -/* ---------------------------------------------------------------- */ - -int SpongeInitialize(SpongeInstance *instance, unsigned int rate, unsigned int capacity) -{ - if (rate+capacity != SnP_width) - return 1; - if ((rate <= 0) || (rate > SnP_width) || ((rate % 8) != 0)) - return 1; - SnP_StaticInitialize(); - SnP_Initialize(instance->state); - instance->rate = rate; - instance->byteIOIndex = 0; - instance->squeezing = 0; - - return 0; -} - -/* ---------------------------------------------------------------- */ - -int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dataByteLen) -{ - size_t i, j; - unsigned int partialBlock; - const unsigned char *curData; - unsigned int rateInBytes = instance->rate/8; - - if (instance->squeezing) - return 1; /* Too late for additional input */ - - i = 0; - curData = data; - while(i < dataByteLen) { - if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { -#ifdef SnP_FastLoop_Absorb - /* processing full blocks first */ - if ((rateInBytes % (SnP_width/200)) == 0) { - /* fast lane: whole lane rate */ - j = SnP_FastLoop_Absorb(instance->state, rateInBytes/(SnP_width/200), curData, dataByteLen - i); - i += j; - curData += j; - } - else { -#endif - for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed", curData, rateInBytes); - #endif - SnP_AddBytes(instance->state, curData, 0, rateInBytes); - SnP_Permute(instance->state); - 
curData+=rateInBytes; - } - i = dataByteLen - j; -#ifdef SnP_FastLoop_Absorb - } -#endif - } - else { - /* normal lane: using the message queue */ - partialBlock = (unsigned int)(dataByteLen - i); - if (partialBlock+instance->byteIOIndex > rateInBytes) - partialBlock = rateInBytes-instance->byteIOIndex; - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); - #endif - i += partialBlock; - - SnP_AddBytes(instance->state, curData, instance->byteIOIndex, partialBlock); - curData += partialBlock; - instance->byteIOIndex += partialBlock; - if (instance->byteIOIndex == rateInBytes) { - SnP_Permute(instance->state); - instance->byteIOIndex = 0; - } - } - } - return 0; -} - -/* ---------------------------------------------------------------- */ - -int SpongeAbsorbLastFewBits(SpongeInstance *instance, unsigned char delimitedData) -{ - unsigned int rateInBytes = instance->rate/8; - - if (delimitedData == 0) - return 1; - if (instance->squeezing) - return 1; /* Too late for additional input */ - - #ifdef KeccakReference - { - unsigned char delimitedData1[1]; - delimitedData1[0] = delimitedData; - displayBytes(1, "Block to be absorbed (last few bits + first bit of padding)", delimitedData1, 1); - } - #endif - /* Last few bits, whose delimiter coincides with first bit of padding */ - SnP_AddByte(instance->state, delimitedData, instance->byteIOIndex); - /* If the first bit of padding is at position rate-1, we need a whole new block for the second bit of padding */ - if ((delimitedData >= 0x80) && (instance->byteIOIndex == (rateInBytes-1))) - SnP_Permute(instance->state); - /* Second bit of padding */ - SnP_AddByte(instance->state, 0x80, rateInBytes-1); - #ifdef KeccakReference - { - unsigned char block[SnP_width/8]; - memset(block, 0, SnP_width/8); - block[rateInBytes-1] = 0x80; - displayBytes(1, "Second bit of padding", block, rateInBytes); - } - #endif - SnP_Permute(instance->state); - instance->byteIOIndex = 0; - instance->squeezing 
= 1; - #ifdef KeccakReference - displayText(1, "--- Switching to squeezing phase ---"); - #endif - return 0; -} - -/* ---------------------------------------------------------------- */ - -int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByteLen) -{ - size_t i, j; - unsigned int partialBlock; - unsigned int rateInBytes = instance->rate/8; - unsigned char *curData; - - if (!instance->squeezing) - SpongeAbsorbLastFewBits(instance, 0x01); - - i = 0; - curData = data; - while(i < dataByteLen) { - if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { - for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { - SnP_Permute(instance->state); - SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); - #ifdef KeccakReference - displayBytes(1, "Squeezed block", curData, rateInBytes); - #endif - curData+=rateInBytes; - } - i = dataByteLen - j; - } - else { - /* normal lane: using the message queue */ - if (instance->byteIOIndex == rateInBytes) { - SnP_Permute(instance->state); - instance->byteIOIndex = 0; - } - partialBlock = (unsigned int)(dataByteLen - i); - if (partialBlock+instance->byteIOIndex > rateInBytes) - partialBlock = rateInBytes-instance->byteIOIndex; - i += partialBlock; - - SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); - #ifdef KeccakReference - displayBytes(1, "Squeezed block (part)", curData, partialBlock); - #endif - curData += partialBlock; - instance->byteIOIndex += partialBlock; - } - } - return 0; -} - -/* ---------------------------------------------------------------- */ - -#undef Sponge -#undef SpongeInstance -#undef SpongeInitialize -#undef SpongeAbsorb -#undef SpongeAbsorbLastFewBits -#undef SpongeSqueeze -#undef SnP_stateSizeInBytes -#undef SnP_stateAlignment -#undef SnP_StaticInitialize -#undef SnP_Initialize -#undef SnP_AddByte -#undef SnP_AddBytes -#undef SnP_ExtractBytes 
diff --git a/cw/vendor/xkcp_xkcp/Phases.h b/cw/vendor/xkcp_xkcp/Phases.h
deleted file mode 100644
index 55efb8a9..00000000
--- a/cw/vendor/xkcp_xkcp/Phases.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
-The eXtended Keccak Code Package (XKCP)
-https://github.com/XKCP/XKCP
-
-Implementation by Ronny Van Keer, hereby denoted as "the implementer".
-
-For more information, feedback or questions, please refer to the Keccak Team website:
-https://keccak.team/
-
-To the extent possible under law, the implementer has waived all copyright
-and related or neighboring rights to the source code in this file.
-http://creativecommons.org/publicdomain/zero/1.0/
-*/
-
-#ifndef _Phases_h_
-#define _Phases_h_
-
-typedef enum {
- NOT_INITIALIZED,
- ABSORBING,
- FINAL,
- SQUEEZING
-} KCP_Phases;
-
-#endif
diff --git a/cw/vendor/xkcp_xkcp/SP800-185.c b/cw/vendor/xkcp_xkcp/SP800-185.c
deleted file mode 100644
index 00d0b9be..00000000
--- a/cw/vendor/xkcp_xkcp/SP800-185.c
+++ /dev/null
@@ -1,93 +0,0 @@ -/* -The eXtended Keccak Code Package (XKCP) -https://github.com/XKCP/XKCP - -Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. - -Implementation by Ronny Van Keer, hereby denoted as "the implementer". - -For more information, feedback or questions, please refer to the Keccak Team website: -https://keccak.team/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#include -#include "SP800-185.h" - -#ifdef XKCP_has_KeccakP1600times2 - #include "KeccakP-1600-times2-SnP.h" -#endif - -#ifdef XKCP_has_KeccakP1600times4 - #include "KeccakP-1600-times4-SnP.h" -#endif - -#ifdef XKCP_has_KeccakP1600times8 - #include "KeccakP-1600-times8-SnP.h" -#endif - -/* #define DEBUG_DUMP */ - -#if defined(DEBUG_DUMP) - -#include - -static void DUMP( const unsigned char * pText, const unsigned char * pData, unsigned int size ) -{ - unsigned int i; - printf("%s (%u bytes):", pText, size); - for(i=0; i>= 8 ) - ; /* empty */ - if (n == 0) - n = 1; - for ( i = 1; i <= n; ++i ) - { - encbuf[i] = (unsigned char)(value >> (8 * (n-i))); - } - encbuf[0] = (unsigned char)n; - return n + 1; -} - -static unsigned int right_encode( unsigned char * encbuf, size_t value ) -{ - unsigned int n, i; - size_t v; - - for ( v = value, n = 0; v && (n < sizeof(size_t)); ++n, v >>= 8 ) - ; /* empty */ - if (n == 0) - n = 1; - for ( i = 1; i <= n; ++i ) - { - encbuf[i-1] = (unsigned char)(value >> (8 * (n-i))); - } - encbuf[n] = (unsigned char)n; - return n + 1; -} - -#define laneSize 8 -#define suffix 0x1F - -#define security 128 -#include "SP800-185.inc" -#undef security - -#define security 256 -#include "SP800-185.inc" -#undef security diff --git a/cw/vendor/xkcp_xkcp/SP800-185.h b/cw/vendor/xkcp_xkcp/SP800-185.h deleted file mode 100644 index d5c153b9..00000000 
--- a/cw/vendor/xkcp_xkcp/SP800-185.h
+++ /dev/null
@@ -1,599 +0,0 @@ -/* -The eXtended Keccak Code Package (XKCP) -https://github.com/XKCP/XKCP - -Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. - -Implementation by Ronny Van Keer, hereby denoted as "the implementer". - -For more information, feedback or questions, please refer to the Keccak Team website: -https://keccak.team/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#ifndef _SP800_185_h_ -#define _SP800_185_h_ - -#include "config.h" -#ifdef XKCP_has_KeccakP1600 - -#include -#include -#include "align.h" -#include "KeccakSponge.h" -#include "Phases.h" - -#ifndef _Keccak_BitTypes_ -#define _Keccak_BitTypes_ -typedef uint8_t BitSequence; - -typedef size_t BitLength; -#endif - -typedef struct { - KeccakWidth1600_SpongeInstance sponge; - BitLength fixedOutputLength; - unsigned int lastByteBitLen; - BitSequence lastByteValue; - int emptyNameCustom; - KCP_Phases phase; -} cSHAKE_Instance; - -/** cSHAKE128 function, as defined in NIST's Special Publication 800-185, - * published December 2016. - * @param input Pointer to the input message (X). - * @param inputBitLen The length of the input message in bits. - * @param output Pointer to the output buffer. - * @param outputBitLen The desired number of output bits (L). - * @param name Pointer to the function name string (N). - * @param nameBitLen The length of the function name in bits. - * Only full bytes are supported, length must be a multiple of 8. - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. 
- */ -int cSHAKE128( const BitSequence *input, BitLength inputBitLen, BitSequence *output, BitLength outputBitLen, const BitSequence *name, BitLength nameBitLen, const BitSequence *customization, BitLength customBitLen ); - -/** - * Function to initialize the cSHAKE128 instance used in sequential hashing mode. - * @param cskInstance Pointer to the hash instance to be initialized. - * @param outputBitLen The desired number of output bits (L). - * or 0 for an arbitrarily-long output (XOF). - * @param name Pointer to the function name string (N). - * @param nameBitLen The length of the function name in bits. - * Only full bytes are supported, length must be a multiple of 8. - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. - */ -int cSHAKE128_Initialize(cSHAKE_Instance *cskInstance, BitLength outputBitLen, const BitSequence *name, BitLength nameBitLen, const BitSequence *customization, BitLength customBitLen); - -/** - * Function to give input data to be absorbed. - * @param cskInstance Pointer to the hash instance initialized by cSHAKE128_Initialize(). - * @param input Pointer to the input data. - * @param inputBitLen The number of input bits provided in the input data. - * Only the last update call can input a partial byte, other calls must have a length multiple of 8. - * @return 0 if successful, 1 otherwise. - */ -int cSHAKE128_Update(cSHAKE_Instance *cskInstance, const BitSequence *input, BitLength inputBitLen); - -/** - * Function to call after all input blocks have been input and to get - * output bits if the length was specified when calling cSHAKE128_Initialize(). - * @param cskInstance Pointer to the hash instance initialized by cSHAKE128_Initialize(). - * If @a outputBitLen was not 0 in the call to cSHAKE128_Initialize(), the number of - * output bits is equal to @a outputBitLen. 
- * If @a outputBitLen was 0 in the call to cSHAKE128_Initialize(), the output bits - * must be extracted using the cSHAKE128_Squeeze() function. - * @param output Pointer to the buffer where to store the output data. - * @return 0 if successful, 1 otherwise. - */ -int cSHAKE128_Final(cSHAKE_Instance *cskInstance, BitSequence *output); - - /** - * Function to squeeze output data. - * @param cskInstance Pointer to the hash instance initialized by cSHAKE128_Initialize(). - * @param output Pointer to the buffer where to store the output data. - * @param outputBitLen The number of output bits desired. - * Only the last squeeze call can output a partial byte, - * other calls must have a length multiple of 8. - * @pre cSHAKE128_Final() must have been already called. - * @return 0 if successful, 1 otherwise. - */ -int cSHAKE128_Squeeze(cSHAKE_Instance *cskInstance, BitSequence *output, BitLength outputBitLen); - -/* ------------------------------------------------------------------------- */ - -/** cSHAKE256 function, as defined in NIST's Special Publication 800-185, - * published December 2016. - * @param input Pointer to the input message (X). - * @param inputBitLen The length of the input message in bits. - * @param output Pointer to the output buffer. - * @param outputBitLen The desired number of output bits (L). - * @param name Pointer to the function name string (N). - * @param nameBitLen The length of the function name in bits. - * Only full bytes are supported, length must be a multiple of 8. - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. 
- */ -int cSHAKE256( const BitSequence *input, BitLength inputBitLen, BitSequence *output, BitLength outputBitLen, const BitSequence *name, BitLength nameBitLen, const BitSequence *customization, BitLength customBitLen ); - -/** - * Function to initialize the cSHAKE256 instance used in sequential hashing mode. - * @param cskInstance Pointer to the hash instance to be initialized. - * @param outputBitLen The desired number of output bits (L). - * or 0 for an arbitrarily-long output (XOF). - * @param name Pointer to the function name string (N). - * @param nameBitLen The length of the function name in bits. - * Only full bytes are supported, length must be a multiple of 8. - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. - */ -int cSHAKE256_Initialize(cSHAKE_Instance *cskInstance, BitLength outputBitLen, const BitSequence *name, BitLength nameBitLen, const BitSequence *customization, BitLength customBitLen); - -/** - * Function to give input data to be absorbed. - * @param cskInstance Pointer to the hash instance initialized by cSHAKE256_Initialize(). - * @param input Pointer to the input data. - * @param inputBitLen The number of input bits provided in the input data. - * Only the last update call can input a partial byte, other calls must have a length multiple of 8. - * @return 0 if successful, 1 otherwise. - */ -int cSHAKE256_Update(cSHAKE_Instance *cskInstance, const BitSequence *input, BitLength inputBitLen); - -/** - * Function to call after all input blocks have been input and to get - * output bits if the length was specified when calling cSHAKE256_Initialize(). - * @param cskInstance Pointer to the hash instance initialized by cSHAKE256_Initialize(). - * If @a outputBitLen was not 0 in the call to cSHAKE256_Initialize(), the number of - * output bits is equal to @a outputBitLen. 
- * If @a outputBitLen was 0 in the call to cSHAKE256_Initialize(), the output bits - * must be extracted using the cSHAKE256_Squeeze() function. - * @param output Pointer to the buffer where to store the output data. - * @return 0 if successful, 1 otherwise. - */ -int cSHAKE256_Final(cSHAKE_Instance *cskInstance, BitSequence *output); - - /** - * Function to squeeze output data. - * @param cskInstance Pointer to the hash instance initialized by cSHAKE256_Initialize(). - * @param output Pointer to the buffer where to store the output data. - * @param outputBitLen The number of output bits desired. - * Only the last squeeze call can output a partial byte, - * other calls must have a length multiple of 8. - * @pre cSHAKE256_Final() must have been already called. - * @return 0 if successful, 1 otherwise. - */ -int cSHAKE256_Squeeze(cSHAKE_Instance *cskInstance, BitSequence *output, BitLength outputBitLen); - -/* ------------------------------------------------------------------------- */ - -typedef struct { - cSHAKE_Instance csi; - BitLength outputBitLen; -} KMAC_Instance; - -/** KMAC128 function, as defined in NIST's Special Publication 800-185, - * published December 2016. - * @param key Pointer to the key (K). - * @param keyBitLen The length of the key in bits. - * @param input Pointer to the input message (X). - * @param inputBitLen The length of the input message in bits. - * Only full bytes are supported, length must be a multiple of 8. - * @param output Pointer to the output buffer. - * @param outputBitLen The desired number of output bits (L). - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. 
- */ -int KMAC128(const BitSequence *key, BitLength keyBitLen, const BitSequence *input, BitLength inputBitLen, - BitSequence *output, BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen); - -/** - * Function to initialize the KMAC128 instance used in sequential MACing mode. - * @param kmInstance Pointer to the instance to be initialized. - * @param key Pointer to the key (K). - * @param keyBitLen The length of the key in bits. - * @param outputBitLen The desired number of output bits (L). - * or 0 for an arbitrarily-long output (XOF). - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. - */ -int KMAC128_Initialize(KMAC_Instance *kmkInstance, const BitSequence *key, BitLength keyBitLen, BitLength outputBitLen, - const BitSequence *customization, BitLength customBitLen); - -/** - * Function to give input data to be MACed. - * @param kmInstance Pointer to the instance initialized by KMAC128_Initialize(). - * @param input Pointer to the input data. - * @param inputBitLen The number of input bits provided in the input data. - * Only full bytes are supported, length must be a multiple of 8. - * @return 0 if successful, 1 otherwise. - */ -int KMAC128_Update(KMAC_Instance *kmkInstance, const BitSequence *input, BitLength inputBitLen); - -/** - * Function to call after all input data have been input and to get - * output bits if the length was specified when calling KMAC128_Initialize(). - * @param kmInstance Pointer to the instance initialized by KMAC128_Initialize(). - * If @a outputBitLen was not 0 in the call to KMAC128_Initialize(), the number of - * output bits is equal to @a outputBitLen. - * If @a outputBitLen was 0 in the call to KMAC128_Initialize(), the output bits - * must be extracted using the KMAC128_Squeeze() function. - * @param output Pointer to the buffer where to store the output data. 
- * @return 0 if successful, 1 otherwise. - */ -int KMAC128_Final(KMAC_Instance *kmkInstance, BitSequence *output); - - /** - * Function to squeeze output data. - * @param kmInstance Pointer to the instance initialized by KMAC128_Initialize(). - * @param output Pointer to the buffer where to store the output data. - * @param outputBitLen The number of output bits desired. - * Only the last squeeze call can output a partial byte, - * other calls must have a length multiple of 8. - * @pre KMAC128_Final() must have been already called. - * @return 0 if successful, 1 otherwise. - */ -int KMAC128_Squeeze(KMAC_Instance *kmkInstance, BitSequence *output, BitLength outputBitLen); - -/* ------------------------------------------------------------------------- */ - -/** KMAC256 function, as defined in NIST's Special Publication 800-185, - * published December 2016. - * @param key Pointer to the key (K). - * @param keyBitLen The length of the key in bits. - * @param input Pointer to the input message (X). - * @param inputBitLen The length of the input message in bits. - * Only full bytes are supported, length must be a multiple of 8. - * @param output Pointer to the output buffer. - * @param outputBitLen The desired number of output bits (L). - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. - */ -int KMAC256(const BitSequence *key, BitLength keyBitLen, const BitSequence *input, BitLength inputBitLen, - BitSequence *output, BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen); - -/** - * Function to initialize the KMAC256 instance used in sequential MACing mode. - * @param kmInstance Pointer to the instance to be initialized. - * @param key Pointer to the key (K). - * @param keyBitLen The length of the key in bits. - * @param outputBitLen The desired number of output bits (L). 
- * or 0 for an arbitrarily-long output (XOF). - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. - */ -int KMAC256_Initialize(KMAC_Instance *kmkInstance, const BitSequence *key, BitLength keyBitLen, BitLength outputBitLen, - const BitSequence *customization, BitLength customBitLen); - -/** - * Function to give input data to be MACed. - * @param kmInstance Pointer to the instance initialized by KMAC256_Initialize(). - * @param input Pointer to the input data. - * @param inputBitLen The number of input bits provided in the input data. - * Only full bytes are supported, length must be a multiple of 8. - * @return 0 if successful, 1 otherwise. - */ -int KMAC256_Update(KMAC_Instance *kmkInstance, const BitSequence *input, BitLength inputBitLen); - -/** - * Function to call after all input data have been input and to get - * output bits if the length was specified when calling KMAC256_Initialize(). - * @param kmInstance Pointer to the instance initialized by KMAC256_Initialize(). - * If @a outputBitLen was not 0 in the call to KMAC256_Initialize(), the number of - * output bits is equal to @a outputBitLen. - * If @a outputBitLen was 0 in the call to KMAC256_Initialize(), the output bits - * must be extracted using the KMAC256_Squeeze() function. - * @param output Pointer to the buffer where to store the output data. - * @return 0 if successful, 1 otherwise. - */ -int KMAC256_Final(KMAC_Instance *kmkInstance, BitSequence *output); - - /** - * Function to squeeze output data. - * @param kmInstance Pointer to the instance initialized by KMAC256_Initialize(). - * @param output Pointer to the buffer where to store the output data. - * @param outputBitLen The number of output bits desired. - * Only the last squeeze call can output a partial byte, - * other calls must have a length multiple of 8. 
- * @pre KMAC256_Final() must have been already called. - * @return 0 if successful, 1 otherwise. - */ -int KMAC256_Squeeze(KMAC_Instance *kmkInstance, BitSequence *output, BitLength outputBitLen); - -/* ------------------------------------------------------------------------- */ - -typedef struct { - KeccakWidth1600_SpongeInstance queueNode; - KeccakWidth1600_SpongeInstance finalNode; - size_t fixedOutputLength; - size_t blockLen; - size_t queueAbsorbedLen; - size_t totalInputSize; - KCP_Phases phase; -} ParallelHash_Instance; - -/** Parallel hash function ParallelHash128, as defined in NIST's Special Publication 800-185, - * published December 2016. - * @param input Pointer to the input message (X). - * @param inputBitLen The number of input bits provided in the input data. - * Only full bytes are supported, length must be a multiple of 8. - * @param blockByteLen Block size (B) in bytes, must be a power of 2. - * The minimum value is 8 in this implementation. - * @param output Pointer to the output buffer. - * @param outputBitLen The desired number of output bits (L). - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. - */ -int ParallelHash128( const BitSequence *input, BitLength inputBitLen, size_t blockByteLen, - BitSequence *output, BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen); - -/** - * Function to initialize the parallel hash function ParallelHash128 instance used in sequential hashing mode. - * @param ParallelHashInstance Pointer to the hash instance to be initialized. - * @param blockByteLen Block size (B) in bytes, must be a power of 2. - * The minimum value is 8 in this implementation. - * @param outputBitLen The desired number of output bits (L). - * or 0 for an arbitrarily-long output (XOF). - * @param customization Pointer to the customization string (S). 
- * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. - */ -int ParallelHash128_Initialize(ParallelHash_Instance *ParallelHashInstance, size_t blockByteLen, - BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen); - -/** - * Function to give input data to be absorbed. - * @param ParallelHashInstance Pointer to the hash instance initialized by ParallelHash128_Initialize(). - * @param input Pointer to the input data (X). - * @param inputBitLen The number of input bits provided in the input data. - * Only full bytes are supported, length must be a multiple of 8. - * @return 0 if successful, 1 otherwise. - */ -int ParallelHash128_Update(ParallelHash_Instance *ParallelHashInstance, const BitSequence *input, BitLength inputBitLen); - -/** - * Function to call after all input blocks have been input and to get - * output bits if the length was specified when calling ParallelHash128_Initialize(). - * @param ParallelHashInstance Pointer to the hash instance initialized by ParallelHash128_Initialize(). - * If @a outputBitLen was not 0 in the call to ParallelHash128_Initialize(), the number of - * output bits is equal to @a outputBitLen. - * If @a outputBitLen was 0 in the call to ParallelHash128_Initialize(), the output bits - * must be extracted using the ParallelHash128_Squeeze() function. - * @param output Pointer to the buffer where to store the output data. - * @return 0 if successful, 1 otherwise. - */ -int ParallelHash128_Final(ParallelHash_Instance *ParallelHashInstance, BitSequence * output); - - /** - * Function to squeeze output data. - * @param ParallelHashInstance Pointer to the hash instance initialized by ParallelHash128_Initialize(). - * @param output Pointer to the buffer where to store the output data. - * @param outputBitLen The number of output bits desired. - * Only the last squeeze call can output a partial byte, - * other calls must have a length multiple of 8. 
- * @pre ParallelHash128_Final() must have been already called. - * @return 0 if successful, 1 otherwise. - */ -int ParallelHash128_Squeeze(ParallelHash_Instance *ParallelHashInstance, BitSequence *output, BitLength outputBitLen); - -/* ------------------------------------------------------------------------- */ - -/** Parallel hash function ParallelHash256, as defined in NIST's Special Publication 800-185, - * published December 2016. - * @param input Pointer to the input message (X). - * @param inputBitLen The number of input bits provided in the input data. - * Only full bytes are supported, length must be a multiple of 8. - * @param blockByteLen Block size (B) in bytes, must be a power of 2. - * The minimum value is 8 in this implementation. - * @param output Pointer to the output buffer. - * @param outputBitLen The desired number of output bits (L). - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. - */ -int ParallelHash256( const BitSequence *input, BitLength inputBitLen, size_t blockByteLen, - BitSequence *output, BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen); - -/** - * Function to initialize the parallel hash function ParallelHash256 instance used in sequential hashing mode. - * @param ParallelHashInstance Pointer to the hash instance to be initialized. - * @param blockByteLen Block size (B) in bytes, must be a power of 2. - * The minimum value is 8 in this implementation. - * @param outputBitLen The desired number of output bits (L). - * or 0 for an arbitrarily-long output (XOF). - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. 
- */ -int ParallelHash256_Initialize(ParallelHash_Instance *ParallelHashInstance, size_t blockByteLen, - BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen); - -/** - * Function to give input data to be absorbed. - * @param ParallelHashInstance Pointer to the hash instance initialized by ParallelHash256_Initialize(). - * @param input Pointer to the input data (X). - * @param inputBitLen The number of input bits provided in the input data. - * Only full bytes are supported, length must be a multiple of 8. - * @return 0 if successful, 1 otherwise. - */ -int ParallelHash256_Update(ParallelHash_Instance *ParallelHashInstance, const BitSequence *input, BitLength inputBitLen); - -/** - * Function to call after all input blocks have been input and to get - * output bits if the length was specified when calling ParallelHash256_Initialize(). - * @param ParallelHashInstance Pointer to the hash instance initialized by ParallelHash256_Initialize(). - * If @a outputBitLen was not 0 in the call to ParallelHash256_Initialize(), the number of - * output bits is equal to @a outputBitLen. - * If @a outputBitLen was 0 in the call to ParallelHash256_Initialize(), the output bits - * must be extracted using the ParallelHash256_Squeeze() function. - * @param output Pointer to the buffer where to store the output data. - * @return 0 if successful, 1 otherwise. - */ -int ParallelHash256_Final(ParallelHash_Instance *ParallelHashInstance, BitSequence * output); - - /** - * Function to squeeze output data. - * @param ParallelHashInstance Pointer to the hash instance initialized by ParallelHash256_Initialize(). - * @param output Pointer to the buffer where to store the output data. - * @param outputBitLen The number of output bits desired. - * Only the last squeeze call can output a partial byte, - * other calls must have a length multiple of 8. - * @pre ParallelHash256_Final() must have been already called. - * @return 0 if successful, 1 otherwise. 
- */ -int ParallelHash256_Squeeze(ParallelHash_Instance *ParallelHashInstance, BitSequence *output, BitLength outputBitLen); - -/* ------------------------------------------------------------------------- */ - -typedef struct { - cSHAKE_Instance csi; - BitLength outputBitLen; -} TupleHash_Instance; - -typedef struct { - /** Pointer to the tuple element data (Xn). */ - const BitSequence *input; - - /** The number of input bits provided in this tuple element. - * Only full bytes are supported, length must be a multiple of 8. - */ - BitLength inputBitLen; -} TupleElement; - -/** Tuple hash function TupleHash128, as defined in NIST's Special Publication 800-185, - * published December 2016. - * @param tuple Pointer to an array of tuple elements (X). - * @param numberOfElements The number of tuple elements provided in the input data. - * @param output Pointer to the output buffer. - * @param outputBitLen The desired number of output bits (L). - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. - */ -int TupleHash128( const TupleElement *tuple, size_t numberOfElements, - BitSequence *output, BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen); - -/** - * Function to initialize the Tuple hash function TupleHash128 instance used in sequential hashing mode. - * @param TupleHashInstance Pointer to the hash instance to be initialized. - * @param outputBitLen The desired number of output bits (L). - * or 0 for an arbitrarily-long output (XOF). - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. 
- */ -int TupleHash128_Initialize(TupleHash_Instance *TupleHashInstance, BitLength outputBitLen, - const BitSequence *customization, BitLength customBitLen); - -/** - * Function to give input data to be absorbed. - * @param TupleHashInstance Pointer to the hash instance initialized by TupleHash128_Initialize(). - * @param tuple Pointer to an array of tuple elements (X). - * @param numberOfElements The number of tuple elements provided in the input data. - * @return 0 if successful, 1 otherwise. - */ -int TupleHash128_Update(TupleHash_Instance *TupleHashInstance, const TupleElement *tuple, size_t numberOfElements); - -/** - * Function to call after all input blocks have been input and to get - * output bits if the length was specified when calling TupleHash128_Initialize(). - * @param TupleHashInstance Pointer to the hash instance initialized by TupleHash128_Initialize(). - * If @a outputBitLen was not 0 in the call to TupleHash128_Initialize(), the number of - * output bits is equal to @a outputBitLen. - * If @a outputBitLen was 0 in the call to TupleHash128_Initialize(), the output bits - * must be extracted using the TupleHash128_Squeeze() function. - * @param output Pointer to the buffer where to store the output data. - * @return 0 if successful, 1 otherwise. - */ -int TupleHash128_Final(TupleHash_Instance *TupleHashInstance, BitSequence * output); - - /** - * Function to squeeze output data. - * @param TupleHashInstance Pointer to the hash instance initialized by TupleHash128_Initialize(). - * @param output Pointer to the buffer where to store the output data. - * @param outputBitLen The number of output bits desired. - * Only the last squeeze call can output a partial byte, - * other calls must have a length multiple of 8. - * @pre TupleHash128_Final() must have been already called. - * @return 0 if successful, 1 otherwise. 
- */ -int TupleHash128_Squeeze(TupleHash_Instance *TupleHashInstance, BitSequence *output, BitLength outputBitLen); - -/* ------------------------------------------------------------------------- */ - -/** Tuple hash function TupleHash256, as defined in NIST's Special Publication 800-185, - * published December 2016. - * @param tuple Pointer to an array of tuple elements (X). - * @param numberOfElements The number of tuple elements provided in the input data. - * @param output Pointer to the output buffer. - * @param outputBitLen The desired number of output bits (L). - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. - */ -int TupleHash256( const TupleElement *tuple, size_t numberOfElements, - BitSequence *output, BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen); - -/** - * Function to initialize the Tuple hash function TupleHash256 instance used in sequential hashing mode. - * @param TupleHashInstance Pointer to the hash instance to be initialized. - * @param outputBitLen The desired number of output bits (L). - * or 0 for an arbitrarily-long output (XOF). - * @param customization Pointer to the customization string (S). - * @param customBitLen The length of the customization string in bits. - * @return 0 if successful, 1 otherwise. - */ -int TupleHash256_Initialize(TupleHash_Instance *TupleHashInstance, BitLength outputBitLen, - const BitSequence *customization, BitLength customBitLen); - -/** - * Function to give input data to be absorbed. - * @param TupleHashInstance Pointer to the hash instance initialized by TupleHash256_Initialize(). - * @param tuple Pointer to an array of tuple elements (X). - * @param numberOfElements The number of tuple elements provided in the input data. - * @return 0 if successful, 1 otherwise. 
- */ -int TupleHash256_Update(TupleHash_Instance *TupleHashInstance, const TupleElement *tuple, size_t numberOfElements); - -/** - * Function to call after all input blocks have been input and to get - * output bits if the length was specified when calling TupleHash256_Initialize(). - * @param TupleHashInstance Pointer to the hash instance initialized by TupleHash256_Initialize(). - * If @a outputBitLen was not 0 in the call to TupleHash256_Initialize(), the number of - * output bits is equal to @a outputBitLen. - * If @a outputBitLen was 0 in the call to TupleHash256_Initialize(), the output bits - * must be extracted using the TupleHash256_Squeeze() function. - * @param output Pointer to the buffer where to store the output data. - * @return 0 if successful, 1 otherwise. - */ -int TupleHash256_Final(TupleHash_Instance *TupleHashInstance, BitSequence * output); - - /** - * Function to squeeze output data. - * @param TupleHashInstance Pointer to the hash instance initialized by TupleHash256_Initialize(). - * @param output Pointer to the buffer where to store the output data. - * @param outputBitLen The number of output bits desired. - * Only the last squeeze call can output a partial byte, - * other calls must have a length multiple of 8. - * @pre TupleHash256_Final() must have been already called. - * @return 0 if successful, 1 otherwise. - */ -int TupleHash256_Squeeze(TupleHash_Instance *TupleHashInstance, BitSequence *output, BitLength outputBitLen); - -#else -#error This requires an implementation of Keccak-p[1600] -#endif - -#endif diff --git a/cw/vendor/xkcp_xkcp/SP800-185.inc b/cw/vendor/xkcp_xkcp/SP800-185.inc deleted file mode 100644 index 98c033a8..00000000 --- a/cw/vendor/xkcp_xkcp/SP800-185.inc +++ /dev/null 
@@ -1,573 +0,0 @@ -/* -The eXtended Keccak Code Package (XKCP) -https://github.com/XKCP/XKCP - -Keccak, designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. - -Implementation by Ronny Van Keer, hereby denoted as "the implementer". - -For more information, feedback or questions, please refer to the Keccak Team website: -https://keccak.team/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ -*/ - -#define JOIN0(a, b) a ## b -#define JOIN(a, b) JOIN0(a, b) - -#define capacity (2*security) -#define capacityInBytes (capacity/8) -#define capacityInLanes (capacityInBytes/laneSize) -#define rate (1600-capacity) -#define rateInBytes (rate/8) -#define rateInLanes (rateInBytes/laneSize) - - -#define cSHAKE JOIN(cSHAKE,security) -#define cSHAKE_Initialize JOIN(cSHAKE,_Initialize) -#define cSHAKE_Update JOIN(cSHAKE,_Update) -#define cSHAKE_Final JOIN(cSHAKE,_Final) -#define cSHAKE_Squeeze JOIN(cSHAKE,_Squeeze) - -int cSHAKE_Initialize(cSHAKE_Instance *csk, BitLength outputBitLen, const BitSequence *name, BitLength nameBitLen, const BitSequence *customization, BitLength customBitLen) -{ - unsigned char encbuf[sizeof(BitLength)+1]; - - /* Only full bytes are supported for 'name', otherwise customization string would have to be shifted before absorbing */ - if ((nameBitLen & 7) != 0) - return 1; - if (KeccakWidth1600_SpongeInitialize(&csk->sponge, rate, capacity) != 0) - return 1; - csk->lastByteBitLen = 0; - csk->lastByteValue = 0; - csk->fixedOutputLength = outputBitLen; - csk->phase = ABSORBING; - - if ((nameBitLen == 0) && (customBitLen == 0)) - csk->emptyNameCustom = 1; - else - { - csk->emptyNameCustom = 0; - - /* Absorb bytepad(.., rate) */ - if (KeccakWidth1600_SpongeAbsorb(&csk->sponge, encbuf, left_encode(encbuf, rateInBytes)) != 0) - return 1; - - /* Absorb encode_string(name) */ - if 
(KeccakWidth1600_SpongeAbsorb(&csk->sponge, encbuf, left_encode(encbuf, nameBitLen)) != 0) - return 1; - if (KeccakWidth1600_SpongeAbsorb(&csk->sponge, name, nameBitLen / 8) != 0) - return 1; - - /* Absorb encode_string(customization) */ - if (KeccakWidth1600_SpongeAbsorb(&csk->sponge, encbuf, left_encode(encbuf, customBitLen)) != 0) - return 1; - if (KeccakWidth1600_SpongeAbsorb(&csk->sponge, customization, (customBitLen + 7) / 8) != 0) /* allowed to be a bit string, as zero padding is following */ - return 1; - - /* Zero padding up to rate */ - if ( csk->sponge.byteIOIndex != 0 ) { - csk->sponge.byteIOIndex = rateInBytes - 1; - encbuf[0] = 0; - return KeccakWidth1600_SpongeAbsorb(&csk->sponge, encbuf, 1); - } - } - return 0; -} - -int cSHAKE_Update(cSHAKE_Instance *csk, const BitSequence *input, BitLength inputBitLen) -{ - - if (csk->phase != ABSORBING) - return 1; - if (csk->lastByteBitLen != 0) /* check if previous call input were full bytes */ - return 1; - csk->lastByteBitLen = inputBitLen & 7; - if(csk->lastByteBitLen != 0) - csk->lastByteValue = input[inputBitLen / 8] & ((1 << csk->lastByteBitLen) - 1); /* strip unwanted bits */ - return KeccakWidth1600_SpongeAbsorb(&csk->sponge, input, inputBitLen / 8); -} - -int cSHAKE_Final(cSHAKE_Instance *csk, BitSequence *output) -{ - unsigned short delimitedLastBytes; - unsigned char delimitedSuffix; - - if (csk->phase != ABSORBING) - return 1; - - /* Concatenate the last few input bits with those of the suffix */ - if (csk->emptyNameCustom != 0) - delimitedLastBytes = (unsigned short)(csk->lastByteValue | (0x1F << csk->lastByteBitLen)); - else - delimitedLastBytes = (unsigned short)(csk->lastByteValue | (0x04 << csk->lastByteBitLen)); /* Suffix '04': 2 zero bits '00' */ - if ((delimitedLastBytes >> 8) == 0) { - delimitedSuffix = (unsigned char)delimitedLastBytes; - } - else { - unsigned char oneByte[1]; - oneByte[0] = (unsigned char)delimitedLastBytes; - if(KeccakWidth1600_SpongeAbsorb(&csk->sponge, oneByte, 1) != 
0) - return 1; - delimitedSuffix = (unsigned char)(delimitedLastBytes >> 8); - } - if (KeccakWidth1600_SpongeAbsorbLastFewBits(&csk->sponge, delimitedSuffix) != 0) - return 1; - csk->phase = SQUEEZING; - if ( csk->fixedOutputLength != 0 ) { - if(cSHAKE_Squeeze(csk, output, csk->fixedOutputLength) != 0) - return 1; - csk->phase = FINAL; - } - return 0; -} - -int cSHAKE_Squeeze(cSHAKE_Instance *csk, BitSequence *output, BitLength outputBitLen) -{ - if (csk->phase != SQUEEZING) - return 1; - if(KeccakWidth1600_SpongeSqueeze(&csk->sponge, output, (outputBitLen + 7) / 8) != 0) - return 1; - if ((outputBitLen & 7) !=0) { - output[outputBitLen / 8] &= (1 << (outputBitLen & 7)) - 1; /* clear unwanted bits */ - csk->phase = FINAL; /* only last output can have an non complete byte, block nexts calls */ - } - return 0; -} - -int cSHAKE( const BitSequence *input, BitLength inputBitLen, BitSequence *output, BitLength outputBitLen, - const BitSequence *name, BitLength nameBitLen, const BitSequence *customization, BitLength customBitLen ) -{ - cSHAKE_Instance csk; - - if (outputBitLen == 0) - return 1; - if (cSHAKE_Initialize(&csk, outputBitLen, name, nameBitLen, customization, customBitLen) != 0) - return 1; - if (cSHAKE_Update(&csk, input, inputBitLen) != 0) - return 1; - return cSHAKE_Final(&csk, output); -} - -/* ------------------------------------------------------------------------- */ - -#define KMAC JOIN(KMAC,security) -#define KMAC_Initialize JOIN(KMAC,_Initialize) -#define KMAC_Update JOIN(KMAC,_Update) -#define KMAC_Final JOIN(KMAC,_Final) -#define KMAC_Squeeze JOIN(KMAC,_Squeeze) - -int KMAC_Initialize(KMAC_Instance *km, const BitSequence *key, BitLength keyBitLen, BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen) -{ - BitLength bufferLen; - BitLength keyByteLen; - BitSequence buffer[rateInBytes]; - - if (cSHAKE_Initialize(&km->csi, outputBitLen, (const BitSequence*)"KMAC", 4*8, customization, customBitLen) != 0) - return 1; - 
km->outputBitLen = outputBitLen; - - /* bytepad(encode_string(k)) */ - bufferLen = left_encode(buffer, rateInBytes); - bufferLen += left_encode(buffer + bufferLen, keyBitLen); - if (cSHAKE_Update(&km->csi, buffer, bufferLen*8) != 0) - return 1; - keyByteLen = (keyBitLen + 7) / 8; - if (cSHAKE_Update(&km->csi, key, keyByteLen*8) != 0) - return 1; - bufferLen = (bufferLen + keyByteLen) % rateInBytes; /* zero padding */ - if (bufferLen != 0) { - bufferLen = rateInBytes - bufferLen; - memset(buffer, 0, bufferLen); - if (cSHAKE_Update(&km->csi, buffer, bufferLen*8) != 0) - return 1; - } - return 0; -} - -int KMAC_Update(KMAC_Instance *km, const BitSequence *input, BitLength inputBitLen) -{ - if ((inputBitLen & 7) != 0) /* Only full bytes are supported */ - return 1; - return cSHAKE_Update(&km->csi, input, inputBitLen); -} - -int KMAC_Final(KMAC_Instance *km, BitSequence *output) -{ - unsigned char encbuf[sizeof(BitLength)+1]; - - if (cSHAKE_Update(&km->csi, encbuf, right_encode(encbuf, km->outputBitLen)*8) != 0) - return 1; - return cSHAKE_Final(&km->csi, output); -} - -int KMAC_Squeeze(KMAC_Instance *km, BitSequence *output, BitLength outputBitLen) -{ - return cSHAKE_Squeeze(&km->csi, output, outputBitLen); -} - -int KMAC(const BitSequence *key, BitLength keyBitLen, const BitSequence *input, BitLength inputBitLen, - BitSequence *output, BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen) -{ - KMAC_Instance km; - - if (outputBitLen == 0) - return 1; - if (KMAC_Initialize(&km, key, keyBitLen, outputBitLen, customization, customBitLen) != 0) - return 1; - if (KMAC_Update(&km, input, inputBitLen) != 0) - return 1; - return KMAC_Final(&km, output); -} - -#undef KMAC_Initialize -#undef KMAC_Update -#undef KMAC_Final -#undef KMAC_Squeeze -#undef KMAC - -/* ------------------------------------------------------------------------- */ - -#define ParallelHash JOIN(ParallelHash,security) -#define ParallelHash_Initialize JOIN(ParallelHash,_Initialize) 
-#define ParallelHash_Update JOIN(ParallelHash,_Update) -#define ParallelHash_Final JOIN(ParallelHash,_Final) -#define ParallelHash_Squeeze JOIN(ParallelHash,_Squeeze) - -#define ParallelSpongeFastLoop( Parallellism ) \ - while ( inputByteLen >= Parallellism * phi->blockLen ) { \ - ALIGN(KeccakP1600times##Parallellism##_statesAlignment) unsigned char states[KeccakP1600times##Parallellism##_statesSizeInBytes]; \ - unsigned char intermediate[Parallellism*capacityInBytes]; \ - size_t localBlockLen = phi->blockLen; \ - const unsigned char * localInput = input; \ - unsigned int i; \ - size_t fastLoopOffset; \ - \ - KeccakP1600times##Parallellism##_StaticInitialize(); \ - KeccakP1600times##Parallellism##_InitializeAll(states); \ - fastLoopOffset = KeccakF1600times##Parallellism##_FastLoop_Absorb(states, rateInLanes, phi->blockLen / laneSize, rateInLanes, localInput, Parallellism * phi->blockLen); \ - localBlockLen -= fastLoopOffset; \ - localInput += fastLoopOffset; \ - for ( i = 0; i < Parallellism; ++i, localInput += phi->blockLen ) { \ - KeccakP1600times##Parallellism##_AddBytes(states, i, localInput, 0, localBlockLen); \ - KeccakP1600times##Parallellism##_AddByte(states, i, suffix, localBlockLen); \ - KeccakP1600times##Parallellism##_AddByte(states, i, 0x80, rateInBytes-1); \ - } \ - KeccakP1600times##Parallellism##_PermuteAll_24rounds(states); \ - input += Parallellism * phi->blockLen; \ - inputByteLen -= Parallellism * phi->blockLen; \ - KeccakP1600times##Parallellism##_ExtractLanesAll(states, intermediate, capacityInLanes, capacityInLanes ); \ - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, intermediate, Parallellism * capacityInBytes) != 0) return 1; \ - } - -#define ParallelSpongeLoop( Parallellism ) \ - while ( inputByteLen >= Parallellism * phi->blockLen ) { \ - ALIGN(KeccakP1600times##Parallellism##_statesAlignment) unsigned char states[KeccakP1600times##Parallellism##_statesSizeInBytes]; \ - unsigned char intermediate[Parallellism*capacityInBytes]; \ - 
size_t localBlockLen = phi->blockLen; \ - const unsigned char * localInput = input; \ - unsigned int i; \ - \ - KeccakP1600times##Parallellism##_StaticInitialize(); \ - KeccakP1600times##Parallellism##_InitializeAll(states); \ - while(localBlockLen >= rateInBytes) { \ - KeccakP1600times##Parallellism##_AddLanesAll(states, localInput, rateInLanes, phi->blockLen / laneSize); \ - KeccakP1600times##Parallellism##_PermuteAll_24rounds(states); \ - localBlockLen -= rateInBytes; \ - localInput += rateInBytes; \ - } \ - for ( i = 0; i < Parallellism; ++i, localInput += phi->blockLen ) { \ - KeccakP1600times##Parallellism##_AddBytes(states, i, localInput, 0, localBlockLen); \ - KeccakP1600times##Parallellism##_AddByte(states, i, suffix, localBlockLen); \ - KeccakP1600times##Parallellism##_AddByte(states, i, 0x80, rateInBytes-1); \ - } \ - KeccakP1600times##Parallellism##_PermuteAll_24rounds(states); \ - input += Parallellism * phi->blockLen; \ - inputByteLen -= Parallellism * phi->blockLen; \ - KeccakP1600times##Parallellism##_ExtractLanesAll(states, intermediate, capacityInLanes, capacityInLanes ); \ - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, intermediate, Parallellism * capacityInBytes) != 0) return 1; \ - } - -int ParallelHash_Initialize(ParallelHash_Instance *phi, size_t blockByteLen, - BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen) -{ - size_t t; - unsigned char encbuf[sizeof(size_t)+1]; - - if ( blockByteLen < laneSize) /* blockLen must be greater than or equal to lane size */ - return 1; - for ( t = blockByteLen; t > 1; t >>= 1 ) /* blockLen (in bytes) must be a power of two */ - if ( (t & 1) && (t != 1) ) /* bit0 set and other bits unset */ - return 1; - if (KeccakWidth1600_SpongeInitialize(&phi->finalNode, rate, capacity) != 0) - return 1; - phi->fixedOutputLength = outputBitLen; - phi->blockLen = blockByteLen; - phi->queueAbsorbedLen = 0; - phi->totalInputSize = 0; - phi->phase = ABSORBING; - - /* Absorb bytepad(.., rate) 
*/ - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, encbuf, left_encode(encbuf, rateInBytes)) != 0) - return 1; - - /* Absorb string_encode("ParallelHash") */ - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, (const BitSequence*)"\x01\x60" "ParallelHash", 14) != 0) - return 1; - - /* Absorb string_encode(customization) */ - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, encbuf, left_encode(encbuf, customBitLen)) != 0) - return 1; - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, customization, (customBitLen + 7) / 8) != 0) - return 1; - - /* Zero padding up to rate */ - if ( phi->finalNode.byteIOIndex != 0 ) { - phi->finalNode.byteIOIndex = rateInBytes - 1; - encbuf[0] = 0; - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, encbuf, 1) != 0) - return 1; - } - - /* Absorb B */ - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, encbuf, left_encode(encbuf, blockByteLen)) != 0) - return 1; - return 0; -} - -int ParallelHash_Update(ParallelHash_Instance *phi, const BitSequence *input, BitLength inputBitLen) -{ - size_t inputByteLen; - - if (phi->phase != ABSORBING) - return 1; - if ((inputBitLen & 7) != 0) /* Only full bytes are supported */ - return 1; - phi->totalInputSize += inputBitLen; - inputByteLen = inputBitLen / 8; - if ( phi->queueAbsorbedLen != 0 ) { - /* There is data in the queue, absorb further in queue until full */ - size_t len = (inputByteLen < (phi->blockLen - phi->queueAbsorbedLen)) ? 
inputByteLen : (phi->blockLen - phi->queueAbsorbedLen); - if (KeccakWidth1600_SpongeAbsorb(&phi->queueNode, input, len) != 0) - return 1; - input += len; - inputByteLen -= len; - phi->queueAbsorbedLen += len; - if ( phi->queueAbsorbedLen == phi->blockLen ) { - unsigned char intermediate[capacityInBytes]; - phi->queueAbsorbedLen = 0; - if (KeccakWidth1600_SpongeAbsorbLastFewBits(&phi->queueNode, suffix) != 0) - return 1; - if (KeccakWidth1600_SpongeSqueeze(&phi->queueNode, intermediate, capacityInBytes) != 0) - return 1; - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, intermediate, capacityInBytes) != 0) - return 1; - } - } - - #if defined(KeccakP1600times8_implementation) && !defined(KeccakP1600times8_isFallback) - #if defined(KeccakF1600times8_FastLoop_supported) - ParallelSpongeFastLoop( 8 ) - #else - ParallelSpongeLoop( 8 ) - #endif - #endif - - #if defined(KeccakP1600times4_implementation) && !defined(KeccakP1600times4_isFallback) - #if defined(KeccakF1600times4_FastLoop_supported) - ParallelSpongeFastLoop( 4 ) - #else - ParallelSpongeLoop( 4 ) - #endif - #endif - - #if defined(KeccakP1600times2_implementation) && !defined(KeccakP1600times2_isFallback) - #if defined(KeccakF1600times2_FastLoop_supported) - ParallelSpongeFastLoop( 2 ) - #else - ParallelSpongeLoop( 2 ) - #endif - #endif - - while ( inputByteLen > 0 ) { - size_t len = (inputByteLen < phi->blockLen) ? 
inputByteLen : phi->blockLen; - if (KeccakWidth1600_SpongeInitialize(&phi->queueNode, rate, capacity) != 0) - return 1; - if (KeccakWidth1600_SpongeAbsorb(&phi->queueNode, input, len) != 0) - return 1; - input += len; - inputByteLen -= len; - if ( len == phi->blockLen ) { - unsigned char intermediate[capacityInBytes]; - if (KeccakWidth1600_SpongeAbsorbLastFewBits(&phi->queueNode, suffix) != 0) - return 1; - if (KeccakWidth1600_SpongeSqueeze(&phi->queueNode, intermediate, capacityInBytes) != 0) - return 1; - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, intermediate, capacityInBytes) != 0) - return 1; - } - else - phi->queueAbsorbedLen = len; - } - - return 0; -} - -int ParallelHash_Final(ParallelHash_Instance *phi, BitSequence * output) -{ - unsigned char encbuf[sizeof(size_t)+1]; - size_t nBlocks; - - if (phi->phase != ABSORBING) - return 1; - if ( phi->queueAbsorbedLen != 0 ) { - /* There is data in the queue */ - unsigned char intermediate[capacityInBytes]; - if (KeccakWidth1600_SpongeAbsorbLastFewBits(&phi->queueNode, suffix) != 0) - return 1; - if (KeccakWidth1600_SpongeSqueeze(&phi->queueNode, intermediate, capacityInBytes) != 0) - return 1; - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, intermediate, capacityInBytes) != 0) - return 1; - } - - nBlocks = (phi->totalInputSize / 8 + phi->blockLen - 1) / phi->blockLen; - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, encbuf, right_encode(encbuf, nBlocks)) != 0) /* Absorb number of blocks */ - return 1; - - if (KeccakWidth1600_SpongeAbsorb(&phi->finalNode, encbuf, right_encode(encbuf, phi->fixedOutputLength)) != 0) /* Absorb output length in bits */ - return 1; - - if (KeccakWidth1600_SpongeAbsorbLastFewBits(&phi->finalNode, 0x04) != 0) /* Absorb 2 zero bits '00' */ - return 1; - phi->phase = SQUEEZING; - if ( phi->fixedOutputLength != 0 ) { - if (ParallelHash_Squeeze(phi, output, phi->fixedOutputLength) != 0) - return 1; - phi->phase = FINAL; - } - return 0; -} - -int 
ParallelHash_Squeeze(ParallelHash_Instance *phi, BitSequence *output, BitLength outputBitLen) -{ - if (phi->phase != SQUEEZING) - return 1; - if (KeccakWidth1600_SpongeSqueeze(&phi->finalNode, output, (outputBitLen + 7) / 8) != 0) - return 1; - if ((outputBitLen & 7) !=0) { - output[outputBitLen / 8] &= (1 << (outputBitLen & 7)) - 1; /* clear unwanted bits */ - phi->phase = FINAL; /* only last output can have an non complete byte, block nexts calls */ - } - return 0; -} - -int ParallelHash( const BitSequence *input, BitLength inputBitLen, size_t blockByteLen, - BitSequence *output, BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen) -{ - ParallelHash_Instance phi; - - if (outputBitLen == 0) - return 1; - if (ParallelHash_Initialize(&phi, blockByteLen, outputBitLen, customization, customBitLen) != 0) - return 1; - if (ParallelHash_Update(&phi, input, inputBitLen) != 0) - return 1; - return ParallelHash_Final(&phi, output); -} - -#undef ParallelHash_Initialize -#undef ParallelHash_Update -#undef ParallelHash_Final -#undef ParallelHash_Squeeze -#undef ParallelHash - -#undef ParallelSpongeFastLoop -#undef ParallelSpongeLoop - -/* ------------------------------------------------------------------------- */ - -#define TupleHash JOIN(TupleHash,security) -#define TupleHash_Initialize JOIN(TupleHash,_Initialize) -#define TupleHash_Update JOIN(TupleHash,_Update) -#define TupleHash_Final JOIN(TupleHash,_Final) -#define TupleHash_Squeeze JOIN(TupleHash,_Squeeze) - -int TupleHash_Initialize(TupleHash_Instance *thi, BitLength outputBitLen, - const BitSequence *customization, BitLength customBitLen) -{ - if (cSHAKE_Initialize(&thi->csi, outputBitLen, (const BitSequence*)"TupleHash", 9*8, customization, customBitLen) != 0) - return 1; - thi->outputBitLen = outputBitLen; - return 0; -} - -int TupleHash_Update(TupleHash_Instance *thi, const TupleElement *tuple, size_t numberOfElements) -{ - unsigned char encbuf[sizeof(BitLength)+1]; - - while 
(numberOfElements-- != 0) { - if ((tuple->inputBitLen & 7) != 0) /* Only full bytes are supported */ - return 1; - if (cSHAKE_Update(&thi->csi, encbuf, left_encode(encbuf, tuple->inputBitLen)*8) != 0) - return 1; - if (cSHAKE_Update(&thi->csi, tuple->input, tuple->inputBitLen) != 0) - return 1; - ++tuple; - } - return 0; -} - -int TupleHash_Final(TupleHash_Instance *thi, BitSequence * output) -{ - unsigned char encbuf[sizeof(BitLength)+1]; - - if (cSHAKE_Update(&thi->csi, encbuf, right_encode(encbuf, thi->outputBitLen)*8) != 0) - return 1; - return cSHAKE_Final(&thi->csi, output); -} - -int TupleHash_Squeeze(TupleHash_Instance *thi, BitSequence *output, BitLength outputBitLen) -{ - return cSHAKE_Squeeze(&thi->csi, output, outputBitLen); -} - -int TupleHash( const TupleElement *tuple, size_t numberOfElements, - BitSequence *output, BitLength outputBitLen, const BitSequence *customization, BitLength customBitLen) -{ - TupleHash_Instance thi; - - if (outputBitLen == 0) - return 1; - if (TupleHash_Initialize(&thi, outputBitLen, customization, customBitLen) != 0) - return 1; - if (TupleHash_Update(&thi, tuple, numberOfElements) != 0) - return 1; - return TupleHash_Final(&thi, output); -} - -#undef TupleHash_Initialize -#undef TupleHash_Update -#undef TupleHash_Final -#undef TupleHash_Squeeze -#undef TupleHash - -/* ------------------------------------------------------------------------- */ - -#undef JOIN0 -#undef JOIN - -#undef capacity -#undef capacityInBytes -#undef capacityInLanes -#undef rate -#undef rateInBytes -#undef rateInLanes - -#undef cSHAKE_Initialize -#undef cSHAKE_Update -#undef cSHAKE_Final -#undef cSHAKE_Squeeze -#undef cSHAKE diff --git a/cw/vendor/xkcp_xkcp/SnP-Relaned.h b/cw/vendor/xkcp_xkcp/SnP-Relaned.h deleted file mode 100644 index 631fb5ae..00000000 --- a/cw/vendor/xkcp_xkcp/SnP-Relaned.h +++ /dev/null 
@@ -1,141 +0,0 @@ -/* -The eXtended Keccak Code Package (XKCP) -https://github.com/XKCP/XKCP - -Implementation by Gilles Van Assche and Ronny Van Keer, hereby denoted as "the implementer". - -For more information, feedback or questions, please refer to the Keccak Team website: -https://keccak.team/ - -To the extent possible under law, the implementer has waived all copyright -and related or neighboring rights to the source code in this file. -http://creativecommons.org/publicdomain/zero/1.0/ - ---- - -This file contains macros that help implement a permutation in a SnP-compatible way. -It converts an implementation that implement state input/output functions -in a lane-oriented fashion (i.e., using SnP_AddLanes() and SnP_AddBytesInLane, -and similarly for Overwite, Extract and ExtractAndAdd) to the byte-oriented SnP. -Please refer to SnP-documentation.h for more details. -*/ - -#ifndef _SnP_Relaned_h_ -#define _SnP_Relaned_h_ - -#define SnP_AddBytes(state, data, offset, length, SnP_AddLanes, SnP_AddBytesInLane, SnP_laneLengthInBytes) \ - { \ - if ((offset) == 0) { \ - SnP_AddLanes(state, data, (length)/SnP_laneLengthInBytes); \ - SnP_AddBytesInLane(state, \ - (length)/SnP_laneLengthInBytes, \ - (data)+((length)/SnP_laneLengthInBytes)*SnP_laneLengthInBytes, \ - 0, \ - (length)%SnP_laneLengthInBytes); \ - } \ - else { \ - unsigned int _sizeLeft = (length); \ - unsigned int _lanePosition = (offset)/SnP_laneLengthInBytes; \ - unsigned int _offsetInLane = (offset)%SnP_laneLengthInBytes; \ - const unsigned char *_curData = (data); \ - while(_sizeLeft > 0) { \ - unsigned int _bytesInLane = SnP_laneLengthInBytes - _offsetInLane; \ - if (_bytesInLane > _sizeLeft) \ - _bytesInLane = _sizeLeft; \ - SnP_AddBytesInLane(state, _lanePosition, _curData, _offsetInLane, _bytesInLane); \ - _sizeLeft -= _bytesInLane; \ - _lanePosition++; \ - _offsetInLane = 0; \ - _curData += _bytesInLane; \ - } \ - } \ - } - -#define SnP_OverwriteBytes(state, data, offset, length, SnP_OverwriteLanes, 
SnP_OverwriteBytesInLane, SnP_laneLengthInBytes) \ - { \ - if ((offset) == 0) { \ - SnP_OverwriteLanes(state, data, (length)/SnP_laneLengthInBytes); \ - SnP_OverwriteBytesInLane(state, \ - (length)/SnP_laneLengthInBytes, \ - (data)+((length)/SnP_laneLengthInBytes)*SnP_laneLengthInBytes, \ - 0, \ - (length)%SnP_laneLengthInBytes); \ - } \ - else { \ - unsigned int _sizeLeft = (length); \ - unsigned int _lanePosition = (offset)/SnP_laneLengthInBytes; \ - unsigned int _offsetInLane = (offset)%SnP_laneLengthInBytes; \ - const unsigned char *_curData = (data); \ - while(_sizeLeft > 0) { \ - unsigned int _bytesInLane = SnP_laneLengthInBytes - _offsetInLane; \ - if (_bytesInLane > _sizeLeft) \ - _bytesInLane = _sizeLeft; \ - SnP_OverwriteBytesInLane(state, _lanePosition, _curData, _offsetInLane, _bytesInLane); \ - _sizeLeft -= _bytesInLane; \ - _lanePosition++; \ - _offsetInLane = 0; \ - _curData += _bytesInLane; \ - } \ - } \ - } - -#define SnP_ExtractBytes(state, data, offset, length, SnP_ExtractLanes, SnP_ExtractBytesInLane, SnP_laneLengthInBytes) \ - { \ - if ((offset) == 0) { \ - SnP_ExtractLanes(state, data, (length)/SnP_laneLengthInBytes); \ - SnP_ExtractBytesInLane(state, \ - (length)/SnP_laneLengthInBytes, \ - (data)+((length)/SnP_laneLengthInBytes)*SnP_laneLengthInBytes, \ - 0, \ - (length)%SnP_laneLengthInBytes); \ - } \ - else { \ - unsigned int _sizeLeft = (length); \ - unsigned int _lanePosition = (offset)/SnP_laneLengthInBytes; \ - unsigned int _offsetInLane = (offset)%SnP_laneLengthInBytes; \ - unsigned char *_curData = (data); \ - while(_sizeLeft > 0) { \ - unsigned int _bytesInLane = SnP_laneLengthInBytes - _offsetInLane; \ - if (_bytesInLane > _sizeLeft) \ - _bytesInLane = _sizeLeft; \ - SnP_ExtractBytesInLane(state, _lanePosition, _curData, _offsetInLane, _bytesInLane); \ - _sizeLeft -= _bytesInLane; \ - _lanePosition++; \ - _offsetInLane = 0; \ - _curData += _bytesInLane; \ - } \ - } \ - } - -#define SnP_ExtractAndAddBytes(state, input, output, 
offset, length, SnP_ExtractAndAddLanes, SnP_ExtractAndAddBytesInLane, SnP_laneLengthInBytes) \ - { \ - if ((offset) == 0) { \ - SnP_ExtractAndAddLanes(state, input, output, (length)/SnP_laneLengthInBytes); \ - SnP_ExtractAndAddBytesInLane(state, \ - (length)/SnP_laneLengthInBytes, \ - (input)+((length)/SnP_laneLengthInBytes)*SnP_laneLengthInBytes, \ - (output)+((length)/SnP_laneLengthInBytes)*SnP_laneLengthInBytes, \ - 0, \ - (length)%SnP_laneLengthInBytes); \ - } \ - else { \ - unsigned int _sizeLeft = (length); \ - unsigned int _lanePosition = (offset)/SnP_laneLengthInBytes; \ - unsigned int _offsetInLane = (offset)%SnP_laneLengthInBytes; \ - const unsigned char *_curInput = (input); \ - unsigned char *_curOutput = (output); \ - while(_sizeLeft > 0) { \ - unsigned int _bytesInLane = SnP_laneLengthInBytes - _offsetInLane; \ - if (_bytesInLane > _sizeLeft) \ - _bytesInLane = _sizeLeft; \ - SnP_ExtractAndAddBytesInLane(state, _lanePosition, _curInput, _curOutput, _offsetInLane, _bytesInLane); \ - _sizeLeft -= _bytesInLane; \ - _lanePosition++; \ - _offsetInLane = 0; \ - _curInput += _bytesInLane; \ - _curOutput += _bytesInLane; \ - } \ - } \ - } - -#endif diff --git a/cw/vendor/xkcp_xkcp/align.h b/cw/vendor/xkcp_xkcp/align.h deleted file mode 100644 index 82ad2f90..00000000 --- a/cw/vendor/xkcp_xkcp/align.h +++ /dev/null 
@@ -1,33 +0,0 @@
-/*
-The eXtended Keccak Code Package (XKCP)
-https://github.com/XKCP/XKCP
-
-Implementation by Gilles Van Assche and Ronny Van Keer, hereby denoted as "the implementer".
-
-For more information, feedback or questions, please refer to the Keccak Team website:
-https://keccak.team/
-
-To the extent possible under law, the implementer has waived all copyright
-and related or neighboring rights to the source code in this file.
-http://creativecommons.org/publicdomain/zero/1.0/
-*/
-
-#ifndef _align_h_
-#define _align_h_
-
-/* on Mac OS-X and possibly others, ALIGN(x) is defined in param.h, and -Werror chokes on the redef. */
-#ifdef ALIGN
-#undef ALIGN
-#endif
-
-#if defined(__GNUC__)
-#define ALIGN(x) __attribute__ ((aligned(x)))
-#elif defined(_MSC_VER)
-#define ALIGN(x) __declspec(align(x))
-#elif defined(__ARMCC_VERSION)
-#define ALIGN(x) __align(x)
-#else
-#define ALIGN(x)
-#endif
-
-#endif
diff --git a/cw/vendor/xkcp_xkcp/brg_endian.h b/cw/vendor/xkcp_xkcp/brg_endian.h
deleted file mode 100644
index 7c640b90..00000000
--- a/cw/vendor/xkcp_xkcp/brg_endian.h
+++ /dev/null
@@ -1,143 +0,0 @@ -/* - --------------------------------------------------------------------------- - Copyright (c) 1998-2008, Brian Gladman, Worcester, UK. All rights reserved. - - LICENSE TERMS - - The redistribution and use of this software (with or without changes) - is allowed without the payment of fees or royalties provided that: - - 1. source code distributions include the above copyright notice, this - list of conditions and the following disclaimer; - - 2. binary distributions include the above copyright notice, this list - of conditions and the following disclaimer in their documentation; - - 3. the name of the copyright holder is not used to endorse products - built using this software without specific written permission. - - DISCLAIMER - - This software is provided 'as is' with no explicit or implied warranties - in respect of its properties, including, but not limited to, correctness - and/or fitness for purpose. - --------------------------------------------------------------------------- - Issue Date: 20/12/2007 - Changes for ARM 9/9/2010 -*/ - -#ifndef _BRG_ENDIAN_H -#define _BRG_ENDIAN_H - -#define IS_BIG_ENDIAN 4321 /* byte 0 is most significant (mc68k) */ -#define IS_LITTLE_ENDIAN 1234 /* byte 0 is least significant (i386) */ - -#if 0 -/* Include files where endian defines and byteswap functions may reside */ -#if defined( __sun ) -# include -#elif defined( __FreeBSD__ ) || defined( __OpenBSD__ ) || defined( __NetBSD__ ) -# include -#elif defined( BSD ) && ( BSD >= 199103 ) || defined( __APPLE__ ) || \ - defined( __CYGWIN32__ ) || defined( __DJGPP__ ) || defined( __osf__ ) -# include -#elif defined( __linux__ ) || defined( __GNUC__ ) || defined( __GNU_LIBRARY__ ) -# if !defined( __MINGW32__ ) && !defined( _AIX ) -# include -# if !defined( __BEOS__ ) -# include -# endif -# endif -#endif -#endif - -/* Now attempt to set the define for platform byte order using any */ -/* of the four forms SYMBOL, _SYMBOL, __SYMBOL & __SYMBOL__, which */ -/* seem 
to encompass most endian symbol definitions */ - -#if defined( BIG_ENDIAN ) && defined( LITTLE_ENDIAN ) -# if defined( BYTE_ORDER ) && BYTE_ORDER == BIG_ENDIAN -# define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN -# elif defined( BYTE_ORDER ) && BYTE_ORDER == LITTLE_ENDIAN -# define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN -# endif -#elif defined( BIG_ENDIAN ) -# define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN -#elif defined( LITTLE_ENDIAN ) -# define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN -#endif - -#if defined( _BIG_ENDIAN ) && defined( _LITTLE_ENDIAN ) -# if defined( _BYTE_ORDER ) && _BYTE_ORDER == _BIG_ENDIAN -# define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN -# elif defined( _BYTE_ORDER ) && _BYTE_ORDER == _LITTLE_ENDIAN -# define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN -# endif -#elif defined( _BIG_ENDIAN ) -# define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN -#elif defined( _LITTLE_ENDIAN ) -# define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN -#endif - -#if defined( __BIG_ENDIAN ) && defined( __LITTLE_ENDIAN ) -# if defined( __BYTE_ORDER ) && __BYTE_ORDER == __BIG_ENDIAN -# define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN -# elif defined( __BYTE_ORDER ) && __BYTE_ORDER == __LITTLE_ENDIAN -# define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN -# endif -#elif defined( __BIG_ENDIAN ) -# define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN -#elif defined( __LITTLE_ENDIAN ) -# define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN -#endif - -#if defined( __BIG_ENDIAN__ ) && defined( __LITTLE_ENDIAN__ ) -# if defined( __BYTE_ORDER__ ) && __BYTE_ORDER__ == __BIG_ENDIAN__ -# define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN -# elif defined( __BYTE_ORDER__ ) && __BYTE_ORDER__ == __LITTLE_ENDIAN__ -# define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN -# endif -#elif defined( __BIG_ENDIAN__ ) -# define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN -#elif defined( __LITTLE_ENDIAN__ ) -# define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN -#endif - -/* if the platform byte order could not be determined, then try to */ -/* set this define using common machine defines */ -#if 
!defined(PLATFORM_BYTE_ORDER) - -#if defined( __alpha__ ) || defined( __alpha ) || defined( i386 ) || \ - defined( __i386__ ) || defined( _M_I86 ) || defined( _M_IX86 ) || \ - defined( __OS2__ ) || defined( sun386 ) || defined( __TURBOC__ ) || \ - defined( vax ) || defined( vms ) || defined( VMS ) || \ - defined( __VMS ) || defined( _M_X64 ) -# define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN - -#elif defined( AMIGA ) || defined( applec ) || defined( __AS400__ ) || \ - defined( _CRAY ) || defined( __hppa ) || defined( __hp9000 ) || \ - defined( ibm370 ) || defined( mc68000 ) || defined( m68k ) || \ - defined( __MRC__ ) || defined( __MVS__ ) || defined( __MWERKS__ ) || \ - defined( sparc ) || defined( __sparc) || defined( SYMANTEC_C ) || \ - defined( __VOS__ ) || defined( __TIGCC__ ) || defined( __TANDEM ) || \ - defined( THINK_C ) || defined( __VMCMS__ ) || defined( _AIX ) || \ - defined( __s390__ ) || defined( __s390x__ ) || defined( __zarch__ ) -# define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN - -#elif defined(__arm__) -# ifdef __BIG_ENDIAN -# define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN -# else -# define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN -# endif -#elif 1 /* **** EDIT HERE IF NECESSARY **** */ -# define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN -#elif 0 /* **** EDIT HERE IF NECESSARY **** */ -# define PLATFORM_BYTE_ORDER IS_BIG_ENDIAN -#else -# error Please edit lines 132 or 134 in brg_endian.h to set the platform byte order -#endif - -#endif - -#endif