From 85e688a3a7d81f7917481e9f40bca010757a2842 Mon Sep 17 00:00:00 2001
From: root <root@p.const-desktop>
Date: Thu, 3 Oct 2019 15:46:01 +0300
Subject: [PATCH] Rollback to non-XKCP algos
---
include/dap_crypto_common.h | 6 +-
src/dap_enc_iaes.c | 12 +-
src/iaes/iaes256_cbc_cernal.c | 1 -
src/msrln/kex.c | 20 +-
src/msrln/random.c | 19 +-
src/sha3/fips202.c | 587 +++++++++++++++++++++++++++++
src/sha3/fips202.h | 2 -
src/sha3/sha3.pri | 5 +-
src/sig_bliss/bliss_b.h | 6 +-
src/sig_bliss/bliss_b_signatures.c | 12 +-
src/sig_bliss/entropy.c | 3 +-
src/sig_tesla/poly.c | 12 +-
src/sig_tesla/sample.c | 60 +--
13 files changed, 666 insertions(+), 79 deletions(-)
create mode 100644 src/sha3/fips202.c
diff --git a/include/dap_crypto_common.h b/include/dap_crypto_common.h
index ec7f385..f213209 100755
--- a/include/dap_crypto_common.h
+++ b/include/dap_crypto_common.h
@@ -15,9 +15,9 @@ extern "C" {
#include "sha3/fips202.h"
-#include "KeccakHash.h"
-#include "SimpleFIPS202.h"
-#include "SP800-185.h"
+//#include "KeccakHash.h"
+//#include "SimpleFIPS202.h"
+//#include "SP800-185.h"
#include "rand/dap_rand.h"
diff --git a/src/dap_enc_iaes.c b/src/dap_enc_iaes.c
index bdd4a25..a3636d4 100755
--- a/src/dap_enc_iaes.c
+++ b/src/dap_enc_iaes.c
@@ -3,10 +3,10 @@
#include <string.h>
#include "dap_enc_key.h"
#include "dap_enc_iaes.h"
-//#include "sha3/fips202.h"
+#include "sha3/fips202.h"
-#include "KeccakHash.h"
-#include "SimpleFIPS202.h"
+//#include "KeccakHash.h"
+//#include "SimpleFIPS202.h"
#include "dap_common.h"
@@ -56,8 +56,10 @@ void dap_enc_aes_key_generate(struct dap_enc_key * a_key, const void *kex_buf,
memcpy(id_concat_kex,seed, seed_size);
memcpy(id_concat_kex + seed_size, kex_buf, kex_size);
- SHAKE256(a_key->priv_key_data, IAES_KEYSIZE, id_concat_kex, (kex_size + seed_size));
- SHAKE128(DAP_ENC_AES_KEY(a_key)->ivec, IAES_BLOCK_SIZE, seed, seed_size);
+ //SHAKE256(a_key->priv_key_data, IAES_KEYSIZE, id_concat_kex, (kex_size + seed_size));
+ //SHAKE128(DAP_ENC_AES_KEY(a_key)->ivec, IAES_BLOCK_SIZE, seed, seed_size);
+ shake256(a_key->priv_key_data, IAES_KEYSIZE, id_concat_kex, (kex_size + seed_size));
+ shake128(DAP_ENC_AES_KEY(a_key)->ivec, IAES_BLOCK_SIZE, seed, seed_size);
free(id_concat_kex);
}
diff --git a/src/iaes/iaes256_cbc_cernal.c b/src/iaes/iaes256_cbc_cernal.c
index a7eef85..da86720 100755
--- a/src/iaes/iaes256_cbc_cernal.c
+++ b/src/iaes/iaes256_cbc_cernal.c
@@ -490,7 +490,6 @@ size_t IAES_256_CBC_decrypt(const uint8_t *cdata, uint8_t *data, uint8_t *ivec,
size_t i, padding = 0;
size_t end = length > 16 ? length - 16 : 0;
- if(length>0)
for(i = length-1; i >= end; i--)
{
if(data[i] == 0)
diff --git a/src/msrln/kex.c b/src/msrln/kex.c
index 41574b2..6dffe22 100755
--- a/src/msrln/kex.c
+++ b/src/msrln/kex.c
@@ -5,8 +5,8 @@
#include <malloc.h>
#endif
-#include "KeccakHash.h"
-#include "SimpleFIPS202.h"
+//#include "KeccakHash.h"
+//#include "SimpleFIPS202.h"
// N^-1 * prime_scale^-8
@@ -467,22 +467,22 @@ CRYPTO_MSRLN_STATUS generate_a(uint32_t* a, const unsigned char* seed, Extendabl
uint16_t val;
unsigned int nblocks = 16;
uint8_t buf[SHAKE128_RATE * 16]; // was * nblocks, but VS doesn't like this buf init
- Keccak_HashInstance ks;
+ //Keccak_HashInstance ks;
-// uint64_t state[SHA3_STATESIZE] = {0};
-// shake128_absorb(state, seed, SEED_BYTES);
-// shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+ uint64_t state[SHA3_STATESIZE] = {0};
+ shake128_absorb(state, seed, SEED_BYTES);
+ shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
/*#ifdef _WIN32
SHAKE128_InitAbsorb( &ks, seed, SEED_BYTES );
KECCAK_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 );
- #else */
+ #else
Keccak_HashInitialize_SHAKE128(&ks);
Keccak_HashUpdate( &ks, seed, SEED_BYTES * 8 );
Keccak_HashFinal( &ks, seed );
Keccak_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 * 8 );
//#endif
-
+ */
while (ctr < PARAMETER_N) {
val = (buf[pos] | ((uint16_t) buf[pos + 1] << 8)) & 0x3fff;
if (val < PARAMETER_Q) {
@@ -491,8 +491,8 @@ CRYPTO_MSRLN_STATUS generate_a(uint32_t* a, const unsigned char* seed, Extendabl
pos += 2;
if (pos > SHAKE128_RATE * nblocks - 2) {
nblocks = 1;
-// shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
- Keccak_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 * 8 );
+ shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+// Keccak_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 * 8 );
pos = 0;
}
}
diff --git a/src/msrln/random.c b/src/msrln/random.c
index d25bf72..ab2b129 100755
--- a/src/msrln/random.c
+++ b/src/msrln/random.c
@@ -1,6 +1,6 @@
#include "msrln_priv.h"
-#include "KeccakHash.h"
+//#include "KeccakHash.h"
//#include "SimpleFIPS202.h"
#define LOG_TAG "RANDOM"
@@ -12,16 +12,16 @@ CRYPTO_MSRLN_STATUS MSRLN_generate_a(const unsigned char* seed, unsigned int see
uint16_t val;
unsigned int nblocks = 16;
uint8_t buf[SHAKE128_RATE * 16]; // was * nblocks, but VS doesn't like this buf init
- Keccak_HashInstance ks;
+ //Keccak_HashInstance ks;
-// uint64_t state[SHA3_STATESIZE];
-// shake128_absorb(state, seed, seed_nbytes);
-// shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+ uint64_t state[SHA3_STATESIZE];
+ shake128_absorb(state, seed, seed_nbytes);
+ shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
- Keccak_HashInitialize_SHAKE128(&ks);
+ /*Keccak_HashInitialize_SHAKE128(&ks);
Keccak_HashUpdate( &ks, seed, seed_nbytes * 8 );
Keccak_HashFinal( &ks, seed );
- Keccak_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 * 8 );
+ Keccak_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 * 8 );*/
while (ctr < array_ndigits) {
val = (buf[pos] | ((uint16_t) buf[pos + 1] << 8)) & 0x3fff;
@@ -31,12 +31,11 @@ CRYPTO_MSRLN_STATUS MSRLN_generate_a(const unsigned char* seed, unsigned int see
pos += 2;
if (pos > SHAKE128_RATE * nblocks - 2) {
nblocks = 1;
-// shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
- Keccak_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 * 8 );
+ shake128_squeezeblocks((unsigned char *) buf, nblocks, state);
+// Keccak_HashSqueeze( &ks, (unsigned char *) buf, nblocks * 8 * 8 );
pos = 0;
}
}
-
return CRYPTO_MSRLN_SUCCESS;
}
diff --git a/src/sha3/fips202.c b/src/sha3/fips202.c
new file mode 100644
index 0000000..022be71
--- /dev/null
+++ b/src/sha3/fips202.c
@@ -0,0 +1,587 @@
+/********************************************************************************************
+* SHA3-derived functions: SHAKE and cSHAKE
+*
+* Based on the public domain implementation in crypto_hash/keccakc512/simple/
+* from http://bench.cr.yp.to/supercop.html by Ronny Van Keer
+* and the public domain "TweetFips202" implementation from https://twitter.com/tweetfips202
+* by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe
+*
+* See NIST Special Publication 800-185 for more information:
+* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf
+*
+*********************************************************************************************/
+
+#include <stdint.h>
+#include <assert.h>
+#include "fips202.h"
+
+#define NROUNDS 24
+#define ROL(a, offset) ((a << offset) ^ (a >> (64-offset)))
+
+
+static uint64_t load64(const unsigned char *x)
+{
+ unsigned long long r = 0, i;
+
+ for (i = 0; i < 8; ++i) {
+ r |= (unsigned long long)x[i] << 8 * i;
+ }
+ return r;
+}
+
+
+static void store64(uint8_t *x, uint64_t u)
+{
+ unsigned int i;
+
+ for (i = 0; i < 8; ++i) {
+ x[i] = (uint8_t)u;
+ u >>= 8;
+ }
+}
+
+
+static const uint64_t KeccakF_RoundConstants[NROUNDS] =
+{
+ (uint64_t)0x0000000000000001ULL,
+ (uint64_t)0x0000000000008082ULL,
+ (uint64_t)0x800000000000808aULL,
+ (uint64_t)0x8000000080008000ULL,
+ (uint64_t)0x000000000000808bULL,
+ (uint64_t)0x0000000080000001ULL,
+ (uint64_t)0x8000000080008081ULL,
+ (uint64_t)0x8000000000008009ULL,
+ (uint64_t)0x000000000000008aULL,
+ (uint64_t)0x0000000000000088ULL,
+ (uint64_t)0x0000000080008009ULL,
+ (uint64_t)0x000000008000000aULL,
+ (uint64_t)0x000000008000808bULL,
+ (uint64_t)0x800000000000008bULL,
+ (uint64_t)0x8000000000008089ULL,
+ (uint64_t)0x8000000000008003ULL,
+ (uint64_t)0x8000000000008002ULL,
+ (uint64_t)0x8000000000000080ULL,
+ (uint64_t)0x000000000000800aULL,
+ (uint64_t)0x800000008000000aULL,
+ (uint64_t)0x8000000080008081ULL,
+ (uint64_t)0x8000000000008080ULL,
+ (uint64_t)0x0000000080000001ULL,
+ (uint64_t)0x8000000080008008ULL
+};
+
+
+void KeccakF1600_StatePermute(uint64_t * state)
+{
+ int round;
+
+ uint64_t Aba, Abe, Abi, Abo, Abu;
+ uint64_t Aga, Age, Agi, Ago, Agu;
+ uint64_t Aka, Ake, Aki, Ako, Aku;
+ uint64_t Ama, Ame, Ami, Amo, Amu;
+ uint64_t Asa, Ase, Asi, Aso, Asu;
+ uint64_t BCa, BCe, BCi, BCo, BCu;
+ uint64_t Da, De, Di, Do, Du;
+ uint64_t Eba, Ebe, Ebi, Ebo, Ebu;
+ uint64_t Ega, Ege, Egi, Ego, Egu;
+ uint64_t Eka, Eke, Eki, Eko, Eku;
+ uint64_t Ema, Eme, Emi, Emo, Emu;
+ uint64_t Esa, Ese, Esi, Eso, Esu;
+
+ //copyFromState(A, state)
+ Aba = state[ 0];
+ Abe = state[ 1];
+ Abi = state[ 2];
+ Abo = state[ 3];
+ Abu = state[ 4];
+ Aga = state[ 5];
+ Age = state[ 6];
+ Agi = state[ 7];
+ Ago = state[ 8];
+ Agu = state[ 9];
+ Aka = state[10];
+ Ake = state[11];
+ Aki = state[12];
+ Ako = state[13];
+ Aku = state[14];
+ Ama = state[15];
+ Ame = state[16];
+ Ami = state[17];
+ Amo = state[18];
+ Amu = state[19];
+ Asa = state[20];
+ Ase = state[21];
+ Asi = state[22];
+ Aso = state[23];
+ Asu = state[24];
+
+ for( round = 0; round < NROUNDS; round += 2 )
+ {
+ // prepareTheta
+ BCa = Aba^Aga^Aka^Ama^Asa;
+ BCe = Abe^Age^Ake^Ame^Ase;
+ BCi = Abi^Agi^Aki^Ami^Asi;
+ BCo = Abo^Ago^Ako^Amo^Aso;
+ BCu = Abu^Agu^Aku^Amu^Asu;
+
+ //thetaRhoPiChiIotaPrepareTheta(round , A, E)
+ Da = BCu^ROL(BCe, 1);
+ De = BCa^ROL(BCi, 1);
+ Di = BCe^ROL(BCo, 1);
+ Do = BCi^ROL(BCu, 1);
+ Du = BCo^ROL(BCa, 1);
+
+ Aba ^= Da;
+ BCa = Aba;
+ Age ^= De;
+ BCe = ROL(Age, 44);
+ Aki ^= Di;
+ BCi = ROL(Aki, 43);
+ Amo ^= Do;
+ BCo = ROL(Amo, 21);
+ Asu ^= Du;
+ BCu = ROL(Asu, 14);
+ Eba = BCa ^((~BCe)& BCi );
+ Eba ^= (uint64_t)KeccakF_RoundConstants[round];
+ Ebe = BCe ^((~BCi)& BCo );
+ Ebi = BCi ^((~BCo)& BCu );
+ Ebo = BCo ^((~BCu)& BCa );
+ Ebu = BCu ^((~BCa)& BCe );
+
+ Abo ^= Do;
+ BCa = ROL(Abo, 28);
+ Agu ^= Du;
+ BCe = ROL(Agu, 20);
+ Aka ^= Da;
+ BCi = ROL(Aka, 3);
+ Ame ^= De;
+ BCo = ROL(Ame, 45);
+ Asi ^= Di;
+ BCu = ROL(Asi, 61);
+ Ega = BCa ^((~BCe)& BCi );
+ Ege = BCe ^((~BCi)& BCo );
+ Egi = BCi ^((~BCo)& BCu );
+ Ego = BCo ^((~BCu)& BCa );
+ Egu = BCu ^((~BCa)& BCe );
+
+ Abe ^= De;
+ BCa = ROL(Abe, 1);
+ Agi ^= Di;
+ BCe = ROL(Agi, 6);
+ Ako ^= Do;
+ BCi = ROL(Ako, 25);
+ Amu ^= Du;
+ BCo = ROL(Amu, 8);
+ Asa ^= Da;
+ BCu = ROL(Asa, 18);
+ Eka = BCa ^((~BCe)& BCi );
+ Eke = BCe ^((~BCi)& BCo );
+ Eki = BCi ^((~BCo)& BCu );
+ Eko = BCo ^((~BCu)& BCa );
+ Eku = BCu ^((~BCa)& BCe );
+
+ Abu ^= Du;
+ BCa = ROL(Abu, 27);
+ Aga ^= Da;
+ BCe = ROL(Aga, 36);
+ Ake ^= De;
+ BCi = ROL(Ake, 10);
+ Ami ^= Di;
+ BCo = ROL(Ami, 15);
+ Aso ^= Do;
+ BCu = ROL(Aso, 56);
+ Ema = BCa ^((~BCe)& BCi );
+ Eme = BCe ^((~BCi)& BCo );
+ Emi = BCi ^((~BCo)& BCu );
+ Emo = BCo ^((~BCu)& BCa );
+ Emu = BCu ^((~BCa)& BCe );
+
+ Abi ^= Di;
+ BCa = ROL(Abi, 62);
+ Ago ^= Do;
+ BCe = ROL(Ago, 55);
+ Aku ^= Du;
+ BCi = ROL(Aku, 39);
+ Ama ^= Da;
+ BCo = ROL(Ama, 41);
+ Ase ^= De;
+ BCu = ROL(Ase, 2);
+ Esa = BCa ^((~BCe)& BCi );
+ Ese = BCe ^((~BCi)& BCo );
+ Esi = BCi ^((~BCo)& BCu );
+ Eso = BCo ^((~BCu)& BCa );
+ Esu = BCu ^((~BCa)& BCe );
+
+ // prepareTheta
+ BCa = Eba^Ega^Eka^Ema^Esa;
+ BCe = Ebe^Ege^Eke^Eme^Ese;
+ BCi = Ebi^Egi^Eki^Emi^Esi;
+ BCo = Ebo^Ego^Eko^Emo^Eso;
+ BCu = Ebu^Egu^Eku^Emu^Esu;
+
+ //thetaRhoPiChiIotaPrepareTheta(round+1, E, A)
+ Da = BCu^ROL(BCe, 1);
+ De = BCa^ROL(BCi, 1);
+ Di = BCe^ROL(BCo, 1);
+ Do = BCi^ROL(BCu, 1);
+ Du = BCo^ROL(BCa, 1);
+
+ Eba ^= Da;
+ BCa = Eba;
+ Ege ^= De;
+ BCe = ROL(Ege, 44);
+ Eki ^= Di;
+ BCi = ROL(Eki, 43);
+ Emo ^= Do;
+ BCo = ROL(Emo, 21);
+ Esu ^= Du;
+ BCu = ROL(Esu, 14);
+ Aba = BCa ^((~BCe)& BCi );
+ Aba ^= (uint64_t)KeccakF_RoundConstants[round+1];
+ Abe = BCe ^((~BCi)& BCo );
+ Abi = BCi ^((~BCo)& BCu );
+ Abo = BCo ^((~BCu)& BCa );
+ Abu = BCu ^((~BCa)& BCe );
+
+ Ebo ^= Do;
+ BCa = ROL(Ebo, 28);
+ Egu ^= Du;
+ BCe = ROL(Egu, 20);
+ Eka ^= Da;
+ BCi = ROL(Eka, 3);
+ Eme ^= De;
+ BCo = ROL(Eme, 45);
+ Esi ^= Di;
+ BCu = ROL(Esi, 61);
+ Aga = BCa ^((~BCe)& BCi );
+ Age = BCe ^((~BCi)& BCo );
+ Agi = BCi ^((~BCo)& BCu );
+ Ago = BCo ^((~BCu)& BCa );
+ Agu = BCu ^((~BCa)& BCe );
+
+ Ebe ^= De;
+ BCa = ROL(Ebe, 1);
+ Egi ^= Di;
+ BCe = ROL(Egi, 6);
+ Eko ^= Do;
+ BCi = ROL(Eko, 25);
+ Emu ^= Du;
+ BCo = ROL(Emu, 8);
+ Esa ^= Da;
+ BCu = ROL(Esa, 18);
+ Aka = BCa ^((~BCe)& BCi );
+ Ake = BCe ^((~BCi)& BCo );
+ Aki = BCi ^((~BCo)& BCu );
+ Ako = BCo ^((~BCu)& BCa );
+ Aku = BCu ^((~BCa)& BCe );
+
+ Ebu ^= Du;
+ BCa = ROL(Ebu, 27);
+ Ega ^= Da;
+ BCe = ROL(Ega, 36);
+ Eke ^= De;
+ BCi = ROL(Eke, 10);
+ Emi ^= Di;
+ BCo = ROL(Emi, 15);
+ Eso ^= Do;
+ BCu = ROL(Eso, 56);
+ Ama = BCa ^((~BCe)& BCi );
+ Ame = BCe ^((~BCi)& BCo );
+ Ami = BCi ^((~BCo)& BCu );
+ Amo = BCo ^((~BCu)& BCa );
+ Amu = BCu ^((~BCa)& BCe );
+
+ Ebi ^= Di;
+ BCa = ROL(Ebi, 62);
+ Ego ^= Do;
+ BCe = ROL(Ego, 55);
+ Eku ^= Du;
+ BCi = ROL(Eku, 39);
+ Ema ^= Da;
+ BCo = ROL(Ema, 41);
+ Ese ^= De;
+ BCu = ROL(Ese, 2);
+ Asa = BCa ^((~BCe)& BCi );
+ Ase = BCe ^((~BCi)& BCo );
+ Asi = BCi ^((~BCo)& BCu );
+ Aso = BCo ^((~BCu)& BCa );
+ Asu = BCu ^((~BCa)& BCe );
+ }
+
+ //copyToState(state, A)
+ state[ 0] = Aba;
+ state[ 1] = Abe;
+ state[ 2] = Abi;
+ state[ 3] = Abo;
+ state[ 4] = Abu;
+ state[ 5] = Aga;
+ state[ 6] = Age;
+ state[ 7] = Agi;
+ state[ 8] = Ago;
+ state[ 9] = Agu;
+ state[10] = Aka;
+ state[11] = Ake;
+ state[12] = Aki;
+ state[13] = Ako;
+ state[14] = Aku;
+ state[15] = Ama;
+ state[16] = Ame;
+ state[17] = Ami;
+ state[18] = Amo;
+ state[19] = Amu;
+ state[20] = Asa;
+ state[21] = Ase;
+ state[22] = Asi;
+ state[23] = Aso;
+ state[24] = Asu;
+
+ #undef round
+}
+
+#include <string.h>
+#define MIN(a, b) ((a) < (b) ? (a) : (b))
+
+
+static void keccak_absorb(uint64_t *s, unsigned int r, const unsigned char *m, unsigned long long int mlen, unsigned char p)
+{
+ unsigned long long i;
+ unsigned char t[200];
+
+ while (mlen >= r)
+ {
+ for (i = 0; i < r / 8; ++i)
+ s[i] ^= load64(m + 8 * i);
+
+ KeccakF1600_StatePermute(s);
+ mlen -= r;
+ m += r;
+ }
+
+ for (i = 0; i < r; ++i)
+ t[i] = 0;
+ for (i = 0; i < mlen; ++i)
+ t[i] = m[i];
+ t[i] = p;
+ t[r - 1] |= 128;
+ for (i = 0; i < r / 8; ++i)
+ s[i] ^= load64(t + 8 * i);
+}
+
+
+static void keccak_squeezeblocks(unsigned char *h, unsigned long long int nblocks, uint64_t *s, unsigned int r)
+{
+ unsigned int i;
+
+ while(nblocks > 0)
+ {
+ KeccakF1600_StatePermute(s);
+ for (i = 0; i < (r>>3); i++)
+ {
+ store64(h+8*i, s[i]);
+ }
+ h += r;
+ nblocks--;
+ }
+}
+
+
+/********** SHAKE128 ***********/
+
+void shake128_absorb(uint64_t *s, const unsigned char *input, unsigned int inputByteLen)
+{
+ keccak_absorb(s, SHAKE128_RATE, input, inputByteLen, 0x1F);
+}
+
+
+void shake128_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
+{
+ keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE);
+}
+
+
+void shake128(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen)
+{
+ uint64_t s[25] = {0};
+ unsigned char t[SHAKE128_RATE];
+ unsigned long long nblocks = outlen/SHAKE128_RATE;
+ size_t i;
+
+ /* Absorb input */
+ keccak_absorb(s, SHAKE128_RATE, input, inlen, 0x1F);
+
+ /* Squeeze output */
+ keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE);
+
+ output += nblocks*SHAKE128_RATE;
+ outlen -= nblocks*SHAKE128_RATE;
+
+ if (outlen)
+ {
+ keccak_squeezeblocks(t, 1, s, SHAKE128_RATE);
+ for (i = 0; i < outlen; i++)
+ output[i] = t[i];
+ }
+}
+
+
+/********** cSHAKE128 ***********/
+
+void cshake128_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char *in, unsigned long long inlen)
+{
+ unsigned char *sep = (unsigned char*)s;
+
+ /* Absorb customization (domain-separation) string */
+ sep[0] = 0x01;
+ sep[1] = 0xa8;
+ sep[2] = 0x01;
+ sep[3] = 0x00;
+ sep[4] = 0x01;
+ sep[5] = 16; // fixed bitlen of cstm
+ sep[6] = cstm & 0xff;
+ sep[7] = cstm >> 8;
+
+ KeccakF1600_StatePermute(s);
+
+ /* Absorb input */
+ keccak_absorb(s, SHAKE128_RATE, in, inlen, 0x04);
+}
+
+
+void cshake128_simple_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
+{
+ keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE);
+}
+
+
+void cshake128_simple(unsigned char *output, unsigned long long outlen, uint16_t cstm, const unsigned char *in, unsigned long long inlen)
+{
+ uint64_t s[25] = {0};
+ unsigned char t[SHAKE128_RATE];
+ unsigned int i;
+
+ cshake128_simple_absorb(s, cstm, in, inlen);
+
+ /* Squeeze output */
+ keccak_squeezeblocks(output, outlen/SHAKE128_RATE, s, SHAKE128_RATE);
+ output += (outlen/SHAKE128_RATE)*SHAKE128_RATE;
+
+ if (outlen%SHAKE128_RATE)
+ {
+ keccak_squeezeblocks(t, 1, s, SHAKE128_RATE);
+ for (i = 0; i < outlen%SHAKE128_RATE; i++)
+ output[i] = t[i];
+ }
+}
+
+
+/********** SHAKE256 ***********/
+
+void shake256_absorb(uint64_t *s, const unsigned char *input, unsigned int inputByteLen)
+{
+ keccak_absorb(s, SHAKE256_RATE, input, inputByteLen, 0x1F);
+}
+
+
+void shake256_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
+{
+ keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE);
+}
+
+
+void shake256(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen)
+{
+ uint64_t s[25] = {0};
+ unsigned char t[SHAKE256_RATE];
+ unsigned long long nblocks = outlen/SHAKE256_RATE;
+ size_t i;
+
+ /* Absorb input */
+ keccak_absorb(s, SHAKE256_RATE, input, inlen, 0x1F);
+
+ /* Squeeze output */
+ keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE);
+
+ output += nblocks*SHAKE256_RATE;
+ outlen -= nblocks*SHAKE256_RATE;
+
+ if (outlen)
+ {
+ keccak_squeezeblocks(t, 1, s, SHAKE256_RATE);
+ for (i = 0; i < outlen; i++)
+ output[i] = t[i];
+ }
+}
+
+
+/********** cSHAKE256 ***********/
+
+void cshake256_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char *in, unsigned long long inlen)
+{
+ unsigned char *sep = (unsigned char*)s;
+
+ /* Absorb customization (domain-separation) string */
+ sep[0] = 0x01;
+ sep[1] = 0x88;
+ sep[2] = 0x01;
+ sep[3] = 0x00;
+ sep[4] = 0x01;
+ sep[5] = 16; // fixed bitlen of cstm
+ sep[6] = cstm & 0xff;
+ sep[7] = cstm >> 8;
+
+ KeccakF1600_StatePermute(s);
+
+ /* Absorb input */
+ keccak_absorb(s, SHAKE256_RATE, in, inlen, 0x04);
+}
+
+
+void cshake256_simple_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
+{
+ keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE);
+}
+
+
+void cshake256_simple(unsigned char *output, unsigned long long outlen, uint16_t cstm, const unsigned char *in, unsigned long long inlen)
+{
+ uint64_t s[25] = {0};
+ unsigned char t[SHAKE256_RATE];
+ unsigned int i;
+
+ cshake256_simple_absorb(s, cstm, in, inlen);
+
+ /* Squeeze output */
+ keccak_squeezeblocks(output, outlen/SHAKE256_RATE, s, SHAKE256_RATE);
+ output += (outlen/SHAKE256_RATE)*SHAKE256_RATE;
+
+ if(outlen%SHAKE256_RATE)
+ {
+ keccak_squeezeblocks(t, 1, s, SHAKE256_RATE);
+ for (i = 0; i < outlen%SHAKE256_RATE; i++)
+ output[i] = t[i];
+ }
+}
+
+void sha3_256(unsigned char *output, const unsigned char *input, unsigned int inputByteLen)
+{
+ uint64_t s[25] = {0};
+ unsigned char t[SHA3_256_RATE];
+ int i;
+
+ keccak_absorb(s, SHA3_256_RATE, input, inputByteLen, 0x06);
+ keccak_squeezeblocks(t, 1, s, SHA3_256_RATE);
+ for(i=0;i<32;i++)
+ output[i] = t[i];
+}
+
+void sha3_512(unsigned char *output, const unsigned char *input, unsigned int inputByteLen)
+{
+ uint64_t s[25] = {0};
+ unsigned char t[SHA3_512_RATE];
+ uint32_t i;
+
+ keccak_absorb(s, SHA3_512_RATE, input, inputByteLen, 0x06);
+ keccak_squeezeblocks(t, 1, s, SHA3_512_RATE);
+ for(i=0;i<64;i++)
+ output[i] = t[i];
+}
+
diff --git a/src/sha3/fips202.h b/src/sha3/fips202.h
index 40b3fa7..5bd9cb6 100755
--- a/src/sha3/fips202.h
+++ b/src/sha3/fips202.h
@@ -12,7 +12,6 @@
#define SHA3_256_RATE 136
-#if 0
void shake128_absorb(uint64_t *s, const unsigned char *input, unsigned int inputByteLen);
void shake128_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s);
void shake128(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen);
@@ -31,7 +30,6 @@ void cshake256_simple(unsigned char *output, unsigned long long outlen, uint16_t
void sha3_256(unsigned char *output, const unsigned char *input, unsigned int inputByteLen);
void sha3_512(unsigned char *output, const unsigned char *input, unsigned int inputByteLen);
-#endif
#endif
diff --git a/src/sha3/sha3.pri b/src/sha3/sha3.pri
index be9685f..b93b260 100755
--- a/src/sha3/sha3.pri
+++ b/src/sha3/sha3.pri
@@ -8,7 +8,8 @@ HEADERS += $$PWD/fips202.h \
$$PWD/KeccakSponge-common.h \
$$PWD/KeccakSpongeWidth1600.h
-SOURCES += $$PWD/KeccakHash.c \
+SOURCES += $$PWD/fips202.c \
+ $$PWD/KeccakHash.c \
$$PWD/KeccakP-1600-reference.c \
$$PWD/KeccakSpongeWidth1600.c
-
+
\ No newline at end of file
diff --git a/src/sig_bliss/bliss_b.h b/src/sig_bliss/bliss_b.h
index c60800b..e00a98d 100755
--- a/src/sig_bliss/bliss_b.h
+++ b/src/sig_bliss/bliss_b.h
@@ -5,10 +5,10 @@
#include <stddef.h>
#include <stdlib.h>
#include <assert.h>
-//#include "../sha3/fips202.h"
+#include "sha3/fips202.h"
-#include "KeccakHash.h"
-#include "SimpleFIPS202.h"
+//#include "KeccakHash.h"
+//#include "SimpleFIPS202.h"
#define BLISS_B_CRYPTO_SECRETKEYBYTES 256
#define BLISS_B_CRYPTO_PUBLICKEYBYTES 85
diff --git a/src/sig_bliss/bliss_b_signatures.c b/src/sig_bliss/bliss_b_signatures.c
index 4feee4e..0e1de13 100755
--- a/src/sig_bliss/bliss_b_signatures.c
+++ b/src/sig_bliss/bliss_b_signatures.c
@@ -134,8 +134,8 @@ static void generateC(uint32_t *indices, uint32_t kappa, const int32_t *n_vector
* (so that n_vector[n-1] is taken into account).
*/
hash[hash_sz - 1]++;
- SHA3_512(whash, hash, hash_sz);
-
+ //SHA3_512(whash, hash, hash_sz);
+ sha3_512(whash, hash, hash_sz);
memset(array, 0, n);
if (n == 256) {
@@ -474,8 +474,8 @@ int32_t bliss_b_sign(bliss_signature_t *signature, const bliss_private_key_t *p
/* 0: compute the hash of the msg */
- SHA3_512(hash, msg, msg_sz);
-
+ //SHA3_512(hash, msg, msg_sz);
+ sha3_512(hash, msg, msg_sz);
// for debugging
if (false) {
printf("sign hash\n");
@@ -830,8 +830,8 @@ int32_t bliss_b_verify(const bliss_signature_t *signature, const bliss_public_k
/* hash the message into the first SHA3_512_DIGEST_LENGTH bytes of the hash */
- SHA3_512(hash, msg, msg_sz);
-
+ //SHA3_512(hash, msg, msg_sz);
+ sha3_512(hash, msg, msg_sz);
if (false) {
printf("verify hash\n");
for (i=0; i<SHA3_512_DIGEST_LENGTH; i++) {
diff --git a/src/sig_bliss/entropy.c b/src/sig_bliss/entropy.c
index e7fbf3d..2032eb2 100755
--- a/src/sig_bliss/entropy.c
+++ b/src/sig_bliss/entropy.c
@@ -23,7 +23,8 @@ static void refresh(entropy_t *entropy, uint8_t *hash, uint32_t n) {
assert(n > 0);
while (n > 0) {
- SHA3_512(hash, entropy->seed, SHA3_512_DIGEST_LENGTH);
+ //SHA3_512(hash, entropy->seed, SHA3_512_DIGEST_LENGTH);
+ sha3_512(hash, entropy->seed, SHA3_512_DIGEST_LENGTH);
increment_seed(entropy);
hash += SHA3_512_DIGEST_LENGTH;
n --;
diff --git a/src/sig_tesla/poly.c b/src/sig_tesla/poly.c
index 996e88a..8d2fb6f 100755
--- a/src/sig_tesla/poly.c
+++ b/src/sig_tesla/poly.c
@@ -182,15 +182,15 @@ void poly_uniform(poly_k *a, const unsigned char *seed, tesla_param_t *p) {
unsigned char *buf = malloc(SHAKE128_RATE * nblocks * sizeof(char));
uint16_t dmsp = 0;
-// cshake128_simple( buf, SHAKE128_RATE * nblocks, dmsp++, seed, CRYPTO_RANDOMBYTES);
- cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, buf, SHAKE128_RATE * nblocks * 8, NULL, 0, &dmsp, 16 );
- ++ dmsp;
+ cshake128_simple( buf, SHAKE128_RATE * nblocks, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, buf, SHAKE128_RATE * nblocks * 8, NULL, 0, &dmsp, 16 );
+// ++ dmsp;
while (i < p->PARAM_K * p->PARAM_N) {
if (pos > SHAKE128_RATE * nblocks - 4 * nbytes) {
nblocks = 1;
-// cshake128_simple(buf, SHAKE128_RATE * nblocks, dmsp++, seed, CRYPTO_RANDOMBYTES);
- cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, buf, SHAKE128_RATE * nblocks * 8, NULL, 0, &dmsp, 16 );
- ++ dmsp;
+ cshake128_simple(buf, SHAKE128_RATE * nblocks, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, buf, SHAKE128_RATE * nblocks * 8, NULL, 0, &dmsp, 16 );
+// ++ dmsp;
pos = 0;
}
val1 = (*(uint32_t *) (buf + pos)) & mask;
diff --git a/src/sig_tesla/sample.c b/src/sig_tesla/sample.c
index a72fb90..67da29b 100755
--- a/src/sig_tesla/sample.c
+++ b/src/sig_tesla/sample.c
@@ -17,15 +17,15 @@ void sample_y(int64_t *y, const unsigned char *seed, int nonce, tesla_param_t *p
uint32_t NBLOCKS_SHAKE = 0;
if(p->kind == 0 || p->kind == 3) {
-// cshake128_simple((uint8_t *) buf, p->PARAM_N * nbytes, dmsp++, seed, CRYPTO_RANDOMBYTES);
- cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, p->PARAM_N * nbytes * 8, NULL, 0, &dmsp, 16 );
- ++dmsp;
+ cshake128_simple((uint8_t *) buf, p->PARAM_N * nbytes, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, p->PARAM_N * nbytes * 8, NULL, 0, &dmsp, 16 );
+// ++dmsp;
NBLOCKS_SHAKE = SHAKE128_RATE / (((p->PARAM_B_BITS + 1) + 7) / 8);
}
else {
-// cshake256_simple((uint8_t *) buf, p->PARAM_N * nbytes, dmsp++, seed, CRYPTO_RANDOMBYTES);
- cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, p->PARAM_N * nbytes * 8, NULL, 0, &dmsp, 16 );
- ++dmsp;
+ cshake256_simple((uint8_t *) buf, p->PARAM_N * nbytes, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, p->PARAM_N * nbytes * 8, NULL, 0, &dmsp, 16 );
+// ++dmsp;
NBLOCKS_SHAKE = SHAKE256_RATE / (((p->PARAM_B_BITS + 1) + 7) / 8);
}
@@ -33,15 +33,15 @@ void sample_y(int64_t *y, const unsigned char *seed, int nonce, tesla_param_t *p
if (pos >= nblocks * nbytes) {
if(p->kind == 0 || p->kind == 3) {
nblocks = NBLOCKS_SHAKE;
-// cshake128_simple((uint8_t *) buf, SHAKE128_RATE, dmsp++, seed, CRYPTO_RANDOMBYTES);
- cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, SHAKE128_RATE * 8, NULL, 0, &dmsp, 16 );
- ++dmsp;
+ cshake128_simple((uint8_t *) buf, SHAKE128_RATE, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, SHAKE128_RATE * 8, NULL, 0, &dmsp, 16 );
+// ++dmsp;
}
else {
nblocks = NBLOCKS_SHAKE;
-// cshake256_simple((uint8_t *) buf, SHAKE256_RATE, dmsp++, seed, CRYPTO_RANDOMBYTES);
- cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, SHAKE256_RATE * 8, NULL, 0, &dmsp, 16 );
- ++dmsp;
+ cshake256_simple((uint8_t *) buf, SHAKE256_RATE, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, SHAKE256_RATE * 8, NULL, 0, &dmsp, 16 );
+// ++dmsp;
}
pos = 0;
}
@@ -677,15 +677,15 @@ void sample_gauss_poly(int64_t *x, const unsigned char *seed, int nonce, tesla_p
{0x0321020100200100LL, 0x0200010000200001LL},
};
-// cshake128_simple(seed_ex, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
- cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, seed_ex, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
- ++dmsp;
+ cshake128_simple(seed_ex, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, seed_ex, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
+// ++dmsp;
for (x_ind = 0; x_ind < (int64_t)(p->PARAM_N); x_ind++) {
if ((j + 46) > (int64_t)(p->PARAM_N)) {
-// cshake128_simple((uint8_t *) buf, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
- cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
- ++dmsp;
+ cshake128_simple((uint8_t *) buf, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cSHAKE128( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
+// ++dmsp;
j = 0;
}
do {
@@ -772,15 +772,15 @@ void sample_gauss_poly(int64_t *x, const unsigned char *seed, int nonce, tesla_p
{0x0000032102010020LL, 0x0100020001000020LL, 0x0001000002000001LL},
};
-// cshake256_simple(seed_ex, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
- cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, seed_ex, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
- ++dmsp;
+ cshake256_simple(seed_ex, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, seed_ex, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
+// ++dmsp;
for (x_ind = 0; x_ind < (int64_t)(p->PARAM_N); x_ind++) {
if ((j + 46) > (int64_t)(p->PARAM_N)) {
-// cshake256_simple((uint8_t *) buf, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
- cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
- ++dmsp;
+ cshake256_simple((uint8_t *) buf, (p->PARAM_N) * 8, dmsp++, seed, CRYPTO_RANDOMBYTES);
+// cSHAKE256( seed, CRYPTO_RANDOMBYTES * 8, (uint8_t *) buf, (p->PARAM_N) * 8 * 8, NULL, 0, &dmsp, 16 );
+// ++dmsp;
j = 0;
}
@@ -869,9 +869,9 @@ void encode_c(uint32_t *pos_list, int16_t *sign_list, unsigned char *c_bin, tesl
uint16_t dmsp = 0;
// Use the hash value as key to generate some randomness
-// cshake128_simple(r, RLENGTH, dmsp++, c_bin, CRYPTO_RANDOMBYTES);
- cSHAKE128( c_bin, CRYPTO_RANDOMBYTES * 8, r, RLENGTH * 8, NULL, 0, &dmsp, 16 );
- ++dmsp;
+ cshake128_simple(r, RLENGTH, dmsp++, c_bin, CRYPTO_RANDOMBYTES);
+// cSHAKE128( c_bin, CRYPTO_RANDOMBYTES * 8, r, RLENGTH * 8, NULL, 0, &dmsp, 16 );
+// ++dmsp;
// Use rejection sampling to determine positions to be set in the new vector
for (i = 0; i < p->PARAM_N; i++)
@@ -879,9 +879,9 @@ void encode_c(uint32_t *pos_list, int16_t *sign_list, unsigned char *c_bin, tesl
for (i = 0; i < p->PARAM_W;) { // Sample a unique position k times. Use two bytes
if (cnt > (RLENGTH - 3)) {
-// cshake128_simple(r, RLENGTH, dmsp++, c_bin, CRYPTO_RANDOMBYTES);
- cSHAKE128( c_bin, CRYPTO_RANDOMBYTES * 8, r, RLENGTH * 8, NULL, 0, &dmsp, 16 );
- ++dmsp;
+ cshake128_simple(r, RLENGTH, dmsp++, c_bin, CRYPTO_RANDOMBYTES);
+// cSHAKE128( c_bin, CRYPTO_RANDOMBYTES * 8, r, RLENGTH * 8, NULL, 0, &dmsp, 16 );
+// ++dmsp;
cnt = 0;
}
pos = (r[cnt] << 8) | (r[cnt + 1]);
--
GitLab