2021-08-12 21:03:24 +02:00
|
|
|
// Copyright 2014 The Go Authors. All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package sha3
|
|
|
|
|
|
|
|
// This file defines the ShakeHash interface, and provides
|
|
|
|
// functions for creating SHAKE and cSHAKE instances, as well as utility
|
|
|
|
// functions for hashing bytes to arbitrary-length output.
|
|
|
|
//
|
|
|
|
//
|
|
|
|
// SHAKE implementation is based on FIPS PUB 202 [1]
|
|
|
|
// cSHAKE implementations is based on NIST SP 800-185 [2]
|
|
|
|
//
|
|
|
|
// [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
|
|
|
|
// [2] https://doi.org/10.6028/NIST.SP.800-185
|
|
|
|
|
|
|
|
import (
|
2024-11-11 16:15:24 +01:00
|
|
|
"bytes"
|
2021-08-12 21:03:24 +02:00
|
|
|
"encoding/binary"
|
2024-11-11 16:15:24 +01:00
|
|
|
"errors"
|
2023-10-09 10:13:09 +02:00
|
|
|
"hash"
|
2021-08-12 21:03:24 +02:00
|
|
|
"io"
|
2024-11-11 16:15:24 +01:00
|
|
|
"math/bits"
|
2021-08-12 21:03:24 +02:00
|
|
|
)
|
|
|
|
|
2023-10-09 10:13:09 +02:00
|
|
|
// ShakeHash defines the interface to hash functions that support
|
|
|
|
// arbitrary-length output. When used as a plain [hash.Hash], it
|
|
|
|
// produces minimum-length outputs that provide full-strength generic
|
|
|
|
// security.
|
2021-08-12 21:03:24 +02:00
|
|
|
type ShakeHash interface {
|
2023-10-09 10:13:09 +02:00
|
|
|
hash.Hash
|
2021-08-12 21:03:24 +02:00
|
|
|
|
|
|
|
// Read reads more output from the hash; reading affects the hash's
|
|
|
|
// state. (ShakeHash.Read is thus very different from Hash.Sum)
|
2023-10-09 10:13:09 +02:00
|
|
|
// It never returns an error, but subsequent calls to Write or Sum
|
|
|
|
// will panic.
|
2021-08-12 21:03:24 +02:00
|
|
|
io.Reader
|
|
|
|
|
|
|
|
// Clone returns a copy of the ShakeHash in its current state.
|
|
|
|
Clone() ShakeHash
|
|
|
|
}
|
|
|
|
|
|
|
|
// cSHAKE specific context
|
|
|
|
type cshakeState struct {
|
|
|
|
*state // SHA-3 state context and Read/Write operations
|
|
|
|
|
|
|
|
// initBlock is the cSHAKE specific initialization set of bytes. It is initialized
|
|
|
|
// by newCShake function and stores concatenation of N followed by S, encoded
|
|
|
|
// by the method specified in 3.3 of [1].
|
|
|
|
// It is stored here in order for Reset() to be able to put context into
|
|
|
|
// initial state.
|
|
|
|
initBlock []byte
|
|
|
|
}
|
|
|
|
|
2024-11-11 16:15:24 +01:00
|
|
|
func bytepad(data []byte, rate int) []byte {
|
|
|
|
out := make([]byte, 0, 9+len(data)+rate-1)
|
|
|
|
out = append(out, leftEncode(uint64(rate))...)
|
|
|
|
out = append(out, data...)
|
|
|
|
if padlen := rate - len(out)%rate; padlen < rate {
|
|
|
|
out = append(out, make([]byte, padlen)...)
|
|
|
|
}
|
|
|
|
return out
|
|
|
|
}
|
2021-08-12 21:03:24 +02:00
|
|
|
|
2024-11-11 16:15:24 +01:00
|
|
|
func leftEncode(x uint64) []byte {
|
|
|
|
// Let n be the smallest positive integer for which 2^(8n) > x.
|
|
|
|
n := (bits.Len64(x) + 7) / 8
|
|
|
|
if n == 0 {
|
|
|
|
n = 1
|
2021-08-12 21:03:24 +02:00
|
|
|
}
|
2024-11-11 16:15:24 +01:00
|
|
|
// Return n || x with n as a byte and x an n bytes in big-endian order.
|
|
|
|
b := make([]byte, 9)
|
|
|
|
binary.BigEndian.PutUint64(b[1:], x)
|
|
|
|
b = b[9-n-1:]
|
|
|
|
b[0] = byte(n)
|
|
|
|
return b
|
2021-08-12 21:03:24 +02:00
|
|
|
}
|
|
|
|
|
2023-10-09 10:13:09 +02:00
|
|
|
func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) ShakeHash {
|
|
|
|
c := cshakeState{state: &state{rate: rate, outputLen: outputLen, dsbyte: dsbyte}}
|
2024-11-11 16:15:24 +01:00
|
|
|
c.initBlock = make([]byte, 0, 9+len(N)+9+len(S)) // leftEncode returns max 9 bytes
|
2024-10-07 14:02:26 +02:00
|
|
|
c.initBlock = append(c.initBlock, leftEncode(uint64(len(N))*8)...)
|
2021-08-12 21:03:24 +02:00
|
|
|
c.initBlock = append(c.initBlock, N...)
|
2024-10-07 14:02:26 +02:00
|
|
|
c.initBlock = append(c.initBlock, leftEncode(uint64(len(S))*8)...)
|
2021-08-12 21:03:24 +02:00
|
|
|
c.initBlock = append(c.initBlock, S...)
|
|
|
|
c.Write(bytepad(c.initBlock, c.rate))
|
|
|
|
return &c
|
|
|
|
}
|
|
|
|
|
|
|
|
// Reset resets the hash to initial state.
|
|
|
|
func (c *cshakeState) Reset() {
|
|
|
|
c.state.Reset()
|
|
|
|
c.Write(bytepad(c.initBlock, c.rate))
|
|
|
|
}
|
|
|
|
|
|
|
|
// Clone returns copy of a cSHAKE context within its current state.
|
|
|
|
func (c *cshakeState) Clone() ShakeHash {
|
|
|
|
b := make([]byte, len(c.initBlock))
|
|
|
|
copy(b, c.initBlock)
|
|
|
|
return &cshakeState{state: c.clone(), initBlock: b}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Clone returns copy of SHAKE context within its current state.
|
|
|
|
func (c *state) Clone() ShakeHash {
|
|
|
|
return c.clone()
|
|
|
|
}
|
|
|
|
|
2024-11-11 16:15:24 +01:00
|
|
|
func (c *cshakeState) MarshalBinary() ([]byte, error) {
|
|
|
|
return c.AppendBinary(make([]byte, 0, marshaledSize+len(c.initBlock)))
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *cshakeState) AppendBinary(b []byte) ([]byte, error) {
|
|
|
|
b, err := c.state.AppendBinary(b)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
b = append(b, c.initBlock...)
|
|
|
|
return b, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *cshakeState) UnmarshalBinary(b []byte) error {
|
|
|
|
if len(b) <= marshaledSize {
|
|
|
|
return errors.New("sha3: invalid hash state")
|
|
|
|
}
|
|
|
|
if err := c.state.UnmarshalBinary(b[:marshaledSize]); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
c.initBlock = bytes.Clone(b[marshaledSize:])
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-08-12 21:03:24 +02:00
|
|
|
// NewShake128 creates a new SHAKE128 variable-output-length ShakeHash.
|
|
|
|
// Its generic security strength is 128 bits against all attacks if at
|
|
|
|
// least 32 bytes of its output are used.
|
|
|
|
func NewShake128() ShakeHash {
|
2024-06-07 15:06:43 +02:00
|
|
|
return newShake128()
|
2021-08-12 21:03:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewShake256 creates a new SHAKE256 variable-output-length ShakeHash.
|
|
|
|
// Its generic security strength is 256 bits against all attacks if
|
|
|
|
// at least 64 bytes of its output are used.
|
|
|
|
func NewShake256() ShakeHash {
|
2024-06-07 15:06:43 +02:00
|
|
|
return newShake256()
|
|
|
|
}
|
|
|
|
|
|
|
|
func newShake128Generic() *state {
|
2024-11-11 16:15:24 +01:00
|
|
|
return &state{rate: rateK256, outputLen: 32, dsbyte: dsbyteShake}
|
2024-06-07 15:06:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func newShake256Generic() *state {
|
2024-11-11 16:15:24 +01:00
|
|
|
return &state{rate: rateK512, outputLen: 64, dsbyte: dsbyteShake}
|
2021-08-12 21:03:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewCShake128 creates a new instance of cSHAKE128 variable-output-length ShakeHash,
|
|
|
|
// a customizable variant of SHAKE128.
|
|
|
|
// N is used to define functions based on cSHAKE, it can be empty when plain cSHAKE is
|
|
|
|
// desired. S is a customization byte string used for domain separation - two cSHAKE
|
|
|
|
// computations on same input with different S yield unrelated outputs.
|
|
|
|
// When N and S are both empty, this is equivalent to NewShake128.
|
|
|
|
func NewCShake128(N, S []byte) ShakeHash {
|
|
|
|
if len(N) == 0 && len(S) == 0 {
|
|
|
|
return NewShake128()
|
|
|
|
}
|
2024-11-11 16:15:24 +01:00
|
|
|
return newCShake(N, S, rateK256, 32, dsbyteCShake)
|
2021-08-12 21:03:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewCShake256 creates a new instance of cSHAKE256 variable-output-length ShakeHash,
|
|
|
|
// a customizable variant of SHAKE256.
|
|
|
|
// N is used to define functions based on cSHAKE, it can be empty when plain cSHAKE is
|
|
|
|
// desired. S is a customization byte string used for domain separation - two cSHAKE
|
|
|
|
// computations on same input with different S yield unrelated outputs.
|
|
|
|
// When N and S are both empty, this is equivalent to NewShake256.
|
|
|
|
func NewCShake256(N, S []byte) ShakeHash {
|
|
|
|
if len(N) == 0 && len(S) == 0 {
|
|
|
|
return NewShake256()
|
|
|
|
}
|
2024-11-11 16:15:24 +01:00
|
|
|
return newCShake(N, S, rateK512, 64, dsbyteCShake)
|
2021-08-12 21:03:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// ShakeSum128 writes an arbitrary-length digest of data into hash.
|
|
|
|
func ShakeSum128(hash, data []byte) {
|
|
|
|
h := NewShake128()
|
|
|
|
h.Write(data)
|
|
|
|
h.Read(hash)
|
|
|
|
}
|
|
|
|
|
|
|
|
// ShakeSum256 writes an arbitrary-length digest of data into hash.
|
|
|
|
func ShakeSum256(hash, data []byte) {
|
|
|
|
h := NewShake256()
|
|
|
|
h.Write(data)
|
|
|
|
h.Read(hash)
|
|
|
|
}
|