Botan 3.10.0
Crypto and TLS for C&
Classes | Public Types | Public Member Functions | Static Public Member Functions | Static Public Attributes | Protected Member Functions | List of all members
Botan::Keccak_Permutation Class Referencefinal

#include <keccak_perm.h>

Inheritance diagram for Botan::Keccak_Permutation:
Botan::Sponge< 25, uint64_t >

Classes

struct  Config

Public Types

using state_t
using word_t

Public Member Functions

size_t & _cursor ()
void absorb (std::span< const uint8_t > input)
 Absorb input data into the Keccak sponge.
constexpr size_t bit_capacity () const
constexpr size_t bit_rate () const
constexpr size_t byte_capacity () const
constexpr size_t byte_rate () const
void clear ()
size_t cursor () const
void finish ()
 Add final padding (as provided in the constructor) and permute.
constexpr Keccak_Permutation (Config config)
 Instantiate a Keccak permutation.
void permute ()
std::string provider () const
void squeeze (std::span< uint8_t > output)
 Expand output data from the current Keccak state.
constexpr auto & state ()

Static Public Member Functions

static constexpr size_t state_bits ()
static constexpr size_t state_bytes ()

Static Public Attributes

static constexpr size_t word_bits
static constexpr size_t word_bytes

Protected Member Functions

void reset_cursor ()

Detailed Description

KECCAK FIPS

This file implements Keccak[c] which is specified by NIST FIPS 202 [1], where "c" is the variable capacity of this hash primitive. Keccak[c] is not a general purpose hash function, but used as the basic primitive for algorithms such as SHA-3 and KMAC. This is not to be confused with the "informal" general purpose hash function which is referred to as "Keccak" and apparently refers to the final submission version of the Keccak submission in the SHA-3 contest, possibly what is released by NIST under the name "KECCAK - Final Algorithm Package" [2]. See also the file keccak.h for the details how the keccak hash function is defined in terms of the Keccak[c] – a detail which cannot be found in [1].

[1] FIPS PUB 202 – FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION – SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf#page=28 [2] https://csrc.nist.gov/projects/hash-functions/sha-3-project

Definition at line 55 of file keccak_perm.h.

Member Typedef Documentation

◆ state_t

using Botan::Sponge< words, word >::state_t
inherited

Definition at line 28 of file sponge.h.

◆ word_t

using Botan::Sponge< words, word >::word_t
inherited

Definition at line 27 of file sponge.h.

Constructor & Destructor Documentation

◆ Keccak_Permutation()

Botan::Keccak_Permutation::Keccak_Permutation ( Config config)
inlineexplicitconstexpr

Instantiate a Keccak permutation.

Parameters
configKeccak parameter configuration

Definition at line 68 of file keccak_perm.h.

68 :
69 Sponge({.bit_rate = state_bits() - config.capacity_bits, .initial_state = {}}), m_padding(config.padding) {}
Botan::Sponge< 25, uint64_t >::state_bits
static constexpr size_t state_bits()
Definition sponge.h:46
Botan::Sponge< 25, uint64_t >::Sponge
constexpr Sponge(Config config)
Definition sponge.h:38

References Botan::Keccak_Permutation::Config::capacity_bits, Botan::Sponge< 25, uint64_t >::Sponge(), and Botan::Sponge< 25, uint64_t >::state_bits().

Member Function Documentation

◆ _cursor()

size_t & Botan::Sponge< words, word >::_cursor ( )
inlineinherited

Definition at line 60 of file sponge.h.

60{ return m_S_cursor; }

◆ absorb()

void Botan::Keccak_Permutation::absorb ( std::span< const uint8_t > input)

Absorb input data into the Keccak sponge.

This method can be called multiple times with arbitrary-length buffers.

Parameters
inputthe input data

Definition at line 38 of file keccak_perm.cpp.

38 {
39 absorb_into_sponge(*this, input);
40}
Botan::absorb_into_sponge
void absorb_into_sponge(SpongeT &sponge, std::span< const uint8_t > input, const detail::PermutationFn auto &permutation_fn)
Definition sponge_processing.h:219

References Botan::absorb_into_sponge().

◆ bit_capacity()

size_t Botan::Sponge< words, word >::bit_capacity ( ) const
inlineconstexprinherited

Definition at line 52 of file sponge.h.

52{ return state_bits() - bit_rate(); }
Botan::Sponge< 25, uint64_t >::bit_rate
constexpr size_t bit_rate() const
Definition sponge.h:48

◆ bit_rate()

size_t Botan::Sponge< words, word >::bit_rate ( ) const
inlineconstexprinherited

Definition at line 48 of file sponge.h.

48{ return m_bit_rate; }

◆ byte_capacity()

size_t Botan::Sponge< words, word >::byte_capacity ( ) const
inlineconstexprinherited

Definition at line 54 of file sponge.h.

54{ return state_bytes() - byte_rate(); }
Botan::Sponge< 25, uint64_t >::state_bytes
static constexpr size_t state_bytes()
Definition sponge.h:44
Botan::Sponge< 25, uint64_t >::byte_rate
constexpr size_t byte_rate() const
Definition sponge.h:50

◆ byte_rate()

size_t Botan::Sponge< words, word >::byte_rate ( ) const
inlineconstexprinherited

Definition at line 50 of file sponge.h.

50{ return m_bit_rate / 8; }

Referenced by Botan::Keccak_Permutation::finish().

◆ clear()

void Botan::Keccak_Permutation::clear ( )

Definition at line 33 of file keccak_perm.cpp.

33 {
34 state() = {};
35 reset_cursor();
36}
Botan::Sponge< 25, uint64_t >::state
constexpr auto & state()
Definition sponge.h:56

References Botan::Sponge< 25, uint64_t >::reset_cursor(), and Botan::Sponge< 25, uint64_t >::state().

◆ cursor()

size_t Botan::Sponge< words, word >::cursor ( ) const
inlineinherited

Definition at line 58 of file sponge.h.

58{ return m_S_cursor; }

Referenced by Botan::Keccak_Permutation::finish().

◆ finish()

void Botan::Keccak_Permutation::finish ( )

Add final padding (as provided in the constructor) and permute.

Definition at line 46 of file keccak_perm.cpp.

46 {
47 // The padding for Keccak[c]-based functions spans the entire remaining
48 // byterate until the next permute() call. At most that could be an entire
49 // byterate. First are a few bits of "custom" padding defined by the using
50 // function (e.g. SHA-3 uses "01"), then the remaining space is filled with
51 // "pad10*1" (see NIST FIPS 202 Section 5.1) followed by a final permute().
52
53 auto& S = state();
54
55 // Apply the custom padding + the left-most 1-bit of "pad10*1" to the current
56 // (partial) word of the sponge state
57
58 const uint64_t start_of_padding = (m_padding.padding | uint64_t(1) << m_padding.bit_len);
59 S[cursor() / word_bytes] ^= start_of_padding << (8 * (cursor() % word_bytes));
60
61 // XOR'ing the 0-bits of "pad10*1" into the state is a NOOP
62
63 // If the custom padding + the left-most 1-bit of "pad10*1" had resulted in a
64 // byte-aligned "partial padding", the final 1-bit of of "pad10*1" could
65 // potentially override parts of the already-appended "start_of_padding".
66 // In case we ever introduce a Keccak-based function with such a need, we
67 // have to modify this padding algorithm.
68 BOTAN_DEBUG_ASSERT(m_padding.bit_len % 8 != 7);
69
70 // Append the final bit of "pad10*1" into the last word of the input range
71 S[(byte_rate() / word_bytes) - 1] ^= uint64_t(0x8000000000000000);
72
73 // Perform the final permutation and reset the state cursor
74 permute();
75 reset_cursor();
76
77 BOTAN_DEBUG_ASSERT(cursor() == 0);
78}
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:129
Botan::Keccak_Permutation::permute
void permute()
Definition keccak_perm.cpp:80
Botan::Sponge< 25, uint64_t >::word_bytes
static constexpr size_t word_bytes
Definition sponge.h:29
Botan::Sponge< 25, uint64_t >::cursor
size_t cursor() const
Definition sponge.h:58

References BOTAN_DEBUG_ASSERT, Botan::Sponge< 25, uint64_t >::byte_rate(), Botan::Sponge< 25, uint64_t >::cursor(), permute(), Botan::Sponge< 25, uint64_t >::reset_cursor(), Botan::Sponge< 25, uint64_t >::state(), and Botan::Sponge< 25, uint64_t >::word_bytes.

◆ permute()

void Botan::Keccak_Permutation::permute ( )

The Keccak permutation function

Definition at line 80 of file keccak_perm.cpp.

80 {
81#if defined(BOTAN_HAS_KECCAK_PERM_BMI2)
82 if(CPUID::has(CPUID::Feature::BMI)) {
83 return permute_bmi2();
84 }
85#endif
86
87 static const uint64_t RC[24] = {0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
88 0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
89 0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
90 0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
91 0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
92 0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008};
93
94 uint64_t T[25];
95
96 for(size_t i = 0; i != 24; i += 2) {
97 Keccak_Permutation_round(T, state().data(), RC[i + 0]);
98 Keccak_Permutation_round(state().data(), T, RC[i + 1]);
99 }
100}
Botan::CPUID::has
static bool has(CPUID::Feature feat)
Definition cpuid.h:94
Botan::Keccak_Permutation_round
BOTAN_FORCE_INLINE void Keccak_Permutation_round(uint64_t T[25], const uint64_t A[25], uint64_t RC)
Definition keccak_perm_round.h:15

References Botan::CPUFeature::BMI, Botan::CPUID::has(), Botan::Keccak_Permutation_round(), and Botan::Sponge< 25, uint64_t >::state().

Referenced by finish().

◆ provider()

std::string Botan::Keccak_Permutation::provider ( ) const

Definition at line 23 of file keccak_perm.cpp.

23 {
24#if defined(BOTAN_HAS_KECCAK_PERM_BMI2)
25 if(auto feat = CPUID::check(CPUID::Feature::BMI)) {
26 return *feat;
27 }
28#endif
29
30 return "base";
31}
Botan::CPUID::check
static std::optional< std::string > check(CPUID::Feature feat)
Definition cpuid.h:67

References Botan::CPUFeature::BMI, and Botan::CPUID::check().

◆ reset_cursor()

void Botan::Sponge< words, word >::reset_cursor ( )
inlineprotectedinherited

Definition at line 63 of file sponge.h.

63{ m_S_cursor = 0; }

Referenced by Botan::Keccak_Permutation::clear(), and Botan::Keccak_Permutation::finish().

◆ squeeze()

void Botan::Keccak_Permutation::squeeze ( std::span< uint8_t > output)

Expand output data from the current Keccak state.

This method can be called multiple times with arbitrary-length buffers.

Parameters
outputthe designated output memory

Definition at line 42 of file keccak_perm.cpp.

42 {
43 squeeze_from_sponge(*this, output);
44}
Botan::squeeze_from_sponge
void squeeze_from_sponge(SpongeT &sponge, std::span< uint8_t > output, const detail::PermutationFn auto &permutation_fn)
Definition sponge_processing.h:243

References Botan::squeeze_from_sponge().

◆ state()

auto & Botan::Sponge< words, word >::state ( )
inlineconstexprinherited

Definition at line 56 of file sponge.h.

56{ return m_S; }

Referenced by Botan::Keccak_Permutation::clear(), Botan::Keccak_Permutation::finish(), and Botan::Keccak_Permutation::permute().

◆ state_bits()

constexpr size_t Botan::Sponge< words, word >::state_bits ( )
inlinestaticconstexprinherited

Definition at line 46 of file sponge.h.

46{ return state_bytes() * 8; }

Referenced by Botan::Keccak_Permutation::Keccak_Permutation().

◆ state_bytes()

constexpr size_t Botan::Sponge< words, word >::state_bytes ( )
inlinestaticconstexprinherited

Definition at line 44 of file sponge.h.

44{ return sizeof(state_t); }

Member Data Documentation

◆ word_bits

size_t Botan::Sponge< words, word >::word_bits
staticconstexprinherited

Definition at line 30 of file sponge.h.

◆ word_bytes

size_t Botan::Sponge< words, word >::word_bytes
staticconstexprinherited

Definition at line 29 of file sponge.h.

Referenced by Botan::Keccak_Permutation::finish().

The documentation for this class was generated from the following files:
Generated by doxygen 1.15.0