keccak.cpp

Go to the documentation of this file.

/*
 * libxcks
 * Copyright (C) 2022 Julien Couot
 *
 * This program is free software: you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or (at your
 * option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
 * License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 
//---------------------------------------------------------------------------
#include <cstring>
#include <cassert>
 
#include "keccak.hpp"
//---------------------------------------------------------------------------
 
using namespace std;
//---------------------------------------------------------------------------
 
 
namespace libxcks
{
//###########################################################################
// Implementation of AbstractKeccakImpl
//###########################################################################
 
AbstractKeccakImpl::AbstractKeccakImpl(const unsigned size,
                                       const bool isSHA3Hash) :
  capacityWords((2 * size) / sizeof(uint64_t)), useSHA3Hash(isSHA3Hash)
{
  reset();
}
//---------------------------------------------------------------------------
 
/*
 * Resets the Keccak hash to initial value.
 */
void AbstractKeccakImpl::reset()
{
  saved = UINT64_C(0);
  memset(state, 0, SHA3_KECCAK_SPONGE_WORDS * sizeof(uint64_t));
  byteIndex = 0;
  wordIndex = 0;
}
//---------------------------------------------------------------------------
 
 
/*
 * Updates the Keccak hash with specified array of bytes.
 */
void AbstractKeccakImpl::update(const uint8_t* buf, size_t len)
{
  // 0...7 -- how much is needed to have a word
  size_t old_tail = (8 - byteIndex) & 7;
 
  size_t words;
  unsigned tail;
  size_t i;
 
  assert(byteIndex < 8);
  assert(wordIndex < sizeof(state) / sizeof(state[0]));
 
  if (len < old_tail)  // have no complete word or haven't started the word yet
  {
    // Endian-independent code follows:
    while (len--)
      saved |= (uint64_t) (*(buf++)) << ((byteIndex++) * 8);
    assert(byteIndex < 8);
    return;
  }
 
  if (old_tail)  // will have one word to process
  {
    // Endian-independent code follows:
    len -= old_tail;
    while (old_tail--)
      saved |= (uint64_t) (*(buf++)) << ((byteIndex++) * 8);
 
    // Now ready to add saved to the sponge
    state[wordIndex] ^= saved;
    assert(byteIndex == 8);
    byteIndex = 0;
    saved = 0;
    if (++wordIndex == (SHA3_KECCAK_SPONGE_WORDS - capacityWords))
    {
      transform();
      wordIndex = 0;
    }
  }
 
  // Now work in full words directly from input
  assert(byteIndex == 0);
 
  words = len / sizeof(uint64_t);
  tail = len - words * sizeof(uint64_t);
 
  for (i = 0; i < words; i++, buf += sizeof(uint64_t))
  {
    const uint64_t t =  (uint64_t) (buf[0]) |
                       ((uint64_t) (buf[1]) << 8 * 1) |
                       ((uint64_t) (buf[2]) << 8 * 2) |
                       ((uint64_t) (buf[3]) << 8 * 3) |
                       ((uint64_t) (buf[4]) << 8 * 4) |
                       ((uint64_t) (buf[5]) << 8 * 5) |
                       ((uint64_t) (buf[6]) << 8 * 6) |
                       ((uint64_t) (buf[7]) << 8 * 7);
    #if defined(__x86_64__ ) || defined(__i386__)
    assert(memcmp(&t, buf, 8) == 0);
    #endif
    state[wordIndex] ^= t;
    if (++wordIndex == (SHA3_KECCAK_SPONGE_WORDS - capacityWords))
    {
      transform();
      wordIndex = 0;
    }
  }
 
  // Finally, save the partial word
  assert(byteIndex == 0 && tail < 8);
  while (tail--)
    saved |= (uint64_t) (*(buf++)) << ((byteIndex++) * 8);
  assert(byteIndex < 8);
}
//---------------------------------------------------------------------------
 
 
/*
 * Process a full block.
 */
void AbstractKeccakImpl::transform()
{
  static constexpr int KECCAK_ROUNDS = 24;
  static const uint64_t keccakf_rndc[KECCAK_ROUNDS] = {
    UINT64_C(0x0000000000000001), UINT64_C(0x0000000000008082),
    UINT64_C(0x800000000000808a), UINT64_C(0x8000000080008000),
    UINT64_C(0x000000000000808b), UINT64_C(0x0000000080000001),
    UINT64_C(0x8000000080008081), UINT64_C(0x8000000000008009),
    UINT64_C(0x000000000000008a), UINT64_C(0x0000000000000088),
    UINT64_C(0x0000000080008009), UINT64_C(0x000000008000000a),
    UINT64_C(0x000000008000808b), UINT64_C(0x800000000000008b),
    UINT64_C(0x8000000000008089), UINT64_C(0x8000000000008003),
    UINT64_C(0x8000000000008002), UINT64_C(0x8000000000000080),
    UINT64_C(0x000000000000800a), UINT64_C(0x800000008000000a),
    UINT64_C(0x8000000080008081), UINT64_C(0x8000000000008080),
    UINT64_C(0x0000000080000001), UINT64_C(0x8000000080008008)
  };
 
  static const unsigned keccakf_rotc[KECCAK_ROUNDS] = {
    1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62,
    18, 39, 61, 20, 44 };
 
  static const unsigned keccakf_piln[KECCAK_ROUNDS] = {
    10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20,
    14, 22, 9, 6, 1 };
 
  int i, j, round;
  uint64_t t, bc[5];
 
  for (round = 0; round < KECCAK_ROUNDS; round++)
  {
    // Theta
    for (i = 0; i < 5; i++)
      bc[i] = state[i] ^ state[i + 5] ^ state[i + 10] ^ state[i + 15] ^ state[i + 20];
 
    for (i = 0; i < 5; i++)
    {
      t = bc[(i + 4) % 5] ^ rol(bc[(i + 1) % 5], 1);
      for (j = 0; j < 25; j += 5)
        state[j + i] ^= t;
    }
 
    // Rho Pi
    t = state[1];
    for (i = 0; i < 24; i++)
    {
      j = keccakf_piln[i];
      bc[0] = state[j];
      state[j] = rol(t, keccakf_rotc[i]);
      t = bc[0];
    }
 
    // Chi
    for (j = 0; j < 25; j += 5)
    {
      for (i = 0; i < 5; i++)
        bc[i] = state[j + i];
      for (i = 0; i < 5; i++)
        state[j + i] ^= (~bc[(i + 1) % 5]) & bc[(i + 2) % 5];
    }
 
    // Iota
    state[0] ^= keccakf_rndc[round];
  }
}
//---------------------------------------------------------------------------
 
 
/*
 * Process the remaining bytes in the internal buffer and the usual
 * prolog according to the standard.
 */
void AbstractKeccakImpl::finish()
{
  /* Append 2-bit suffix 01, per SHA-3 spec. Instead of 1 for padding we
   * use 1<<2 below. The 0x02 below corresponds to the suffix 01.
   * Overall, we feed 0, then 1, and finally 1 to start padding. Without
   * M || 01, we would simply use 1 to start padding. */
 
  uint64_t t;
 
  if (!useSHA3Hash)
    // Keccak version
    t = (uint64_t)(((uint64_t) 1) << (byteIndex * 8));
  else  // SHA3 version
    t = (uint64_t)(((uint64_t)(0x02 | (1 << 2))) << ((byteIndex) * 8));
 
  state[wordIndex] ^= saved ^ t;
  state[SHA3_KECCAK_SPONGE_WORDS - capacityWords - 1] ^= UINT64_C(0x8000000000000000);
  transform();
 
  /* Return first bytes of the ctx->s. This conversion is not needed for
   * little-endian platforms e.g. wrap with #if !defined(__BYTE_ORDER__)
   * || !defined(__ORDER_LITTLE_ENDIAN__) || __BYTE_ORDER__!=__ORDER_LITTLE_ENDIAN__
   *    ... the conversion below ...
   * #endif */
  #if (LIBXCKS_BYTE_ORDER != LIBXCKS_LITTLE_ENDIAN)
  for (unsigned i = 0; i < SHA3_KECCAK_SPONGE_WORDS; i++)
    swapOnBE(state[i]);
  #endif
}
//---------------------------------------------------------------------------
 
 
 
//###########################################################################
// Implementation of SHA3-224
//###########################################################################
 
/*
 * Returns the SHA3-224 hash value in the first 28 bytes of the given address.
 */
uint8_t* SHA3_224::getValue(uint8_t* buffer) const
{
  SHA3_224 sha3_224(*this);
  sha3_224.finish();
 
  memcpy(buffer, sha3_224.state, getSize());
 
  return buffer;
}
//---------------------------------------------------------------------------
 
 
/*
 * Returns the alternative names of the SHA3-224 hash algorithm.
 */
ArrayString SHA3_224::getAlternativeNames()
{
  return ArrayString{ "SHA-3-224" };
}
//---------------------------------------------------------------------------
 
 
 
//###########################################################################
// Implementation of SHA3-256
//###########################################################################
 
/*
 * Returns the SHA3-256 hash value in the first 32 bytes of the given address.
 */
uint8_t* SHA3_256::getValue(uint8_t* buffer) const
{
  SHA3_256 sha3_256(*this);
  sha3_256.finish();
 
  memcpy(buffer, sha3_256.state, getSize());
 
  return buffer;
}
//---------------------------------------------------------------------------
 
 
/*
 * Returns the alternative names of the SHA3-256 hash algorithm.
 */
ArrayString SHA3_256::getAlternativeNames()
{
  return ArrayString{ "SHA-3-256" };
}
//---------------------------------------------------------------------------
 
 
 
//###########################################################################
// Implementation of SHA3-384
//###########################################################################
 
/*
 * Returns the SHA3-384 hash value in the first 48 bytes of the given address.
 */
uint8_t* SHA3_384::getValue(uint8_t* buffer) const
{
  SHA3_384 sha3_384(*this);
  sha3_384.finish();
 
  memcpy(buffer, sha3_384.state, getSize());
 
  return buffer;
}
//---------------------------------------------------------------------------
 
 
/*
 * Returns the alternative names of the SHA3-384 hash algorithm.
 */
ArrayString SHA3_384::getAlternativeNames()
{
  return ArrayString{ "SHA-3-384" };
}
//---------------------------------------------------------------------------
 
 
 
//###########################################################################
// Implementation of SHA3-512
//###########################################################################
 
/*
 * Returns the SHA3-512 hash value in the first 64 bytes of the given address.
 */
uint8_t* SHA3_512::getValue(uint8_t* buffer) const
{
  SHA3_512 sha3_512(*this);
  sha3_512.finish();
 
  memcpy(buffer, sha3_512.state, getSize());
 
  return buffer;
}
//---------------------------------------------------------------------------
 
 
/*
 * Returns the alternative names of the SHA3-512 hash algorithm.
 */
ArrayString SHA3_512::getAlternativeNames()
{
  return ArrayString{ "SHA-3-512" };
}
//---------------------------------------------------------------------------
 
 
#if 0
//###########################################################################
// Implementation of Keccak-224
//###########################################################################
 
/*
 * Returns the Keccak-224 hash value in the first 28 bytes of the given address.
 */
uint8_t* Keccak224::getValue(uint8_t* buffer) const
{
  Keccak224 keccak224(*this);
  keccak224.finish();
 
  memcpy(buffer, keccak224.state, getSize());
 
  return buffer;
}
//---------------------------------------------------------------------------
 
 
/*
 * Returns the alternative names of the Keccak-224 hash algorithm.
 */
ArrayString Keccak224::getAlternativeNames()
{
  return ArrayString{ "Keccak-224" };
}
//---------------------------------------------------------------------------
 
 
 
//###########################################################################
// Implementation of Keccak-256
//###########################################################################
 
/*
 * Returns the Keccak-256 hash value in the first 32 bytes of the given address.
 */
uint8_t* Keccak256::getValue(uint8_t* buffer) const
{
  Keccak256 keccak256(*this);
  keccak256.finish();
 
  memcpy(buffer, keccak256.state, getSize());
 
  return buffer;
}
//---------------------------------------------------------------------------
 
 
/*
 * Returns the alternative names of the Keccak-256 hash algorithm.
 */
ArrayString Keccak256::getAlternativeNames()
{
  return ArrayString{ "Keccak-256" };
}
//---------------------------------------------------------------------------
 
 
 
//###########################################################################
// Implementation of Keccak-384
//###########################################################################
 
/*
 * Returns the Keccak-384 hash value in the first 48 bytes of the given address.
 */
uint8_t* Keccak384::getValue(uint8_t* buffer) const
{
  Keccak384 keccak384(*this);
  keccak384.finish();
 
  memcpy(buffer, keccak384.state, getSize());
 
  return buffer;
}
//---------------------------------------------------------------------------
 
 
/*
 * Returns the alternative names of the Keccak-384 hash algorithm.
 */
ArrayString Keccak384::getAlternativeNames()
{
  return ArrayString{ "Keccak-384" };
}
//---------------------------------------------------------------------------
 
 
 
//###########################################################################
// Implementation of Keccak-512
//###########################################################################
 
/*
 * Returns the Keccak-512 hash value in the first 64 bytes of the given address.
 */
uint8_t* Keccak512::getValue(uint8_t* buffer) const
{
  Keccak512 keccak512(*this);
  keccak512.finish();
 
  memcpy(buffer, keccak512.state, getSize());
 
  return buffer;
}
//---------------------------------------------------------------------------
 
 
/*
 * Returns the alternative names of the Keccak-512 hash algorithm.
 */
ArrayString Keccak512::getAlternativeNames()
{
  return ArrayString{ "Keccak-512" };
}
//---------------------------------------------------------------------------
#endif
}  // namespace libxcks
//---------------------------------------------------------------------------