Botan  2.9.0
Crypto and TLS for C++11
sha3.cpp
Go to the documentation of this file.
1 /*
2 * SHA-3
3 * (C) 2010,2016 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/sha3.h>
9 #include <botan/rotate.h>
10 #include <botan/exceptn.h>
11 
12 namespace Botan {
13 
14 //static
15 void SHA_3::permute(uint64_t A[25])
16  {
17  static const uint64_t RC[24] = {
18  0x0000000000000001, 0x0000000000008082, 0x800000000000808A,
19  0x8000000080008000, 0x000000000000808B, 0x0000000080000001,
20  0x8000000080008081, 0x8000000000008009, 0x000000000000008A,
21  0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
22  0x000000008000808B, 0x800000000000008B, 0x8000000000008089,
23  0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
24  0x000000000000800A, 0x800000008000000A, 0x8000000080008081,
25  0x8000000000008080, 0x0000000080000001, 0x8000000080008008
26  };
27 
28  for(size_t i = 0; i != 24; ++i)
29  {
30  const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20];
31  const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21];
32  const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22];
33  const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23];
34  const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24];
35 
36  const uint64_t D0 = rotl<1>(C0) ^ C3;
37  const uint64_t D1 = rotl<1>(C1) ^ C4;
38  const uint64_t D2 = rotl<1>(C2) ^ C0;
39  const uint64_t D3 = rotl<1>(C3) ^ C1;
40  const uint64_t D4 = rotl<1>(C4) ^ C2;
41 
42  const uint64_t B00 = A[ 0] ^ D1;
43  const uint64_t B10 = rotl< 1>(A[ 1] ^ D2);
44  const uint64_t B20 = rotl<62>(A[ 2] ^ D3);
45  const uint64_t B05 = rotl<28>(A[ 3] ^ D4);
46  const uint64_t B15 = rotl<27>(A[ 4] ^ D0);
47  const uint64_t B16 = rotl<36>(A[ 5] ^ D1);
48  const uint64_t B01 = rotl<44>(A[ 6] ^ D2);
49  const uint64_t B11 = rotl< 6>(A[ 7] ^ D3);
50  const uint64_t B21 = rotl<55>(A[ 8] ^ D4);
51  const uint64_t B06 = rotl<20>(A[ 9] ^ D0);
52  const uint64_t B07 = rotl< 3>(A[10] ^ D1);
53  const uint64_t B17 = rotl<10>(A[11] ^ D2);
54  const uint64_t B02 = rotl<43>(A[12] ^ D3);
55  const uint64_t B12 = rotl<25>(A[13] ^ D4);
56  const uint64_t B22 = rotl<39>(A[14] ^ D0);
57  const uint64_t B23 = rotl<41>(A[15] ^ D1);
58  const uint64_t B08 = rotl<45>(A[16] ^ D2);
59  const uint64_t B18 = rotl<15>(A[17] ^ D3);
60  const uint64_t B03 = rotl<21>(A[18] ^ D4);
61  const uint64_t B13 = rotl< 8>(A[19] ^ D0);
62  const uint64_t B14 = rotl<18>(A[20] ^ D1);
63  const uint64_t B24 = rotl< 2>(A[21] ^ D2);
64  const uint64_t B09 = rotl<61>(A[22] ^ D3);
65  const uint64_t B19 = rotl<56>(A[23] ^ D4);
66  const uint64_t B04 = rotl<14>(A[24] ^ D0);
67 
68  A[ 0] = B00 ^ (~B01 & B02);
69  A[ 1] = B01 ^ (~B02 & B03);
70  A[ 2] = B02 ^ (~B03 & B04);
71  A[ 3] = B03 ^ (~B04 & B00);
72  A[ 4] = B04 ^ (~B00 & B01);
73  A[ 5] = B05 ^ (~B06 & B07);
74  A[ 6] = B06 ^ (~B07 & B08);
75  A[ 7] = B07 ^ (~B08 & B09);
76  A[ 8] = B08 ^ (~B09 & B05);
77  A[ 9] = B09 ^ (~B05 & B06);
78  A[10] = B10 ^ (~B11 & B12);
79  A[11] = B11 ^ (~B12 & B13);
80  A[12] = B12 ^ (~B13 & B14);
81  A[13] = B13 ^ (~B14 & B10);
82  A[14] = B14 ^ (~B10 & B11);
83  A[15] = B15 ^ (~B16 & B17);
84  A[16] = B16 ^ (~B17 & B18);
85  A[17] = B17 ^ (~B18 & B19);
86  A[18] = B18 ^ (~B19 & B15);
87  A[19] = B19 ^ (~B15 & B16);
88  A[20] = B20 ^ (~B21 & B22);
89  A[21] = B21 ^ (~B22 & B23);
90  A[22] = B22 ^ (~B23 & B24);
91  A[23] = B23 ^ (~B24 & B20);
92  A[24] = B24 ^ (~B20 & B21);
93 
94  A[0] ^= RC[i];
95  }
96  }
97 
98 //static
99 size_t SHA_3::absorb(size_t bitrate,
100  secure_vector<uint64_t>& S, size_t S_pos,
101  const uint8_t input[], size_t length)
102  {
103  while(length > 0)
104  {
105  size_t to_take = std::min(length, bitrate / 8 - S_pos);
106 
107  length -= to_take;
108 
109  while(to_take && S_pos % 8)
110  {
111  S[S_pos / 8] ^= static_cast<uint64_t>(input[0]) << (8 * (S_pos % 8));
112 
113  ++S_pos;
114  ++input;
115  --to_take;
116  }
117 
118  while(to_take && to_take % 8 == 0)
119  {
120  S[S_pos / 8] ^= load_le<uint64_t>(input, 0);
121  S_pos += 8;
122  input += 8;
123  to_take -= 8;
124  }
125 
126  while(to_take)
127  {
128  S[S_pos / 8] ^= static_cast<uint64_t>(input[0]) << (8 * (S_pos % 8));
129 
130  ++S_pos;
131  ++input;
132  --to_take;
133  }
134 
135  if(S_pos == bitrate / 8)
136  {
137  SHA_3::permute(S.data());
138  S_pos = 0;
139  }
140  }
141 
142  return S_pos;
143  }
144 
145 //static
146 void SHA_3::finish(size_t bitrate,
147  secure_vector<uint64_t>& S, size_t S_pos,
148  uint8_t init_pad, uint8_t fini_pad)
149  {
150  BOTAN_ARG_CHECK(bitrate % 64 == 0, "SHA-3 bitrate must be multiple of 64");
151 
152  S[S_pos / 8] ^= static_cast<uint64_t>(init_pad) << (8 * (S_pos % 8));
153  S[(bitrate / 64) - 1] ^= static_cast<uint64_t>(fini_pad) << 56;
154  SHA_3::permute(S.data());
155  }
156 
157 //static
158 void SHA_3::expand(size_t bitrate,
160  uint8_t output[], size_t output_length)
161  {
162  BOTAN_ARG_CHECK(bitrate % 64 == 0, "SHA-3 bitrate must be multiple of 64");
163 
164  const size_t byterate = bitrate / 8;
165 
166  while(output_length > 0)
167  {
168  const size_t copying = std::min(byterate, output_length);
169 
170  copy_out_vec_le(output, copying, S);
171 
172  output += copying;
173  output_length -= copying;
174 
175  if(output_length > 0)
176  {
177  SHA_3::permute(S.data());
178  }
179  }
180  }
181 
182 SHA_3::SHA_3(size_t output_bits) :
183  m_output_bits(output_bits),
184  m_bitrate(1600 - 2*output_bits),
185  m_S(25),
186  m_S_pos(0)
187  {
188  // We only support the parameters for SHA-3 in this constructor
189 
190  if(output_bits != 224 && output_bits != 256 &&
191  output_bits != 384 && output_bits != 512)
192  throw Invalid_Argument("SHA_3: Invalid output length " +
193  std::to_string(output_bits));
194  }
195 
196 std::string SHA_3::name() const
197  {
198  return "SHA-3(" + std::to_string(m_output_bits) + ")";
199  }
200 
201 std::unique_ptr<HashFunction> SHA_3::copy_state() const
202  {
203  return std::unique_ptr<HashFunction>(new SHA_3(*this));
204  }
205 
207  {
208  return new SHA_3(m_output_bits);
209  }
210 
212  {
213  zeroise(m_S);
214  m_S_pos = 0;
215  }
216 
217 void SHA_3::add_data(const uint8_t input[], size_t length)
218  {
219  m_S_pos = SHA_3::absorb(m_bitrate, m_S, m_S_pos, input, length);
220  }
221 
222 void SHA_3::final_result(uint8_t output[])
223  {
224  SHA_3::finish(m_bitrate, m_S, m_S_pos, 0x06, 0x80);
225 
226  /*
227  * We never have to run the permutation again because we only support
228  * limited output lengths
229  */
230  copy_out_vec_le(output, m_output_bits/8, m_S);
231 
232  clear();
233  }
234 
235 }
std::string name() const override
Definition: sha3.cpp:196
static void finish(size_t bitrate, secure_vector< uint64_t > &S, size_t S_pos, uint8_t init_pad, uint8_t fini_pad)
Definition: sha3.cpp:146
static void expand(size_t bitrate, secure_vector< uint64_t > &S, uint8_t output[], size_t output_length)
Definition: sha3.cpp:158
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
static size_t absorb(size_t bitrate, secure_vector< uint64_t > &S, size_t S_pos, const uint8_t input[], size_t length)
Definition: sha3.cpp:99
HashFunction * clone() const override
Definition: sha3.cpp:206
size_t output_length() const override
Definition: sha3.h:31
uint64_t load_le< uint64_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:235
Definition: alg_id.cpp:13
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
std::unique_ptr< HashFunction > copy_state() const override
Definition: sha3.cpp:201
static void permute(uint64_t A[25])
Definition: sha3.cpp:15
void clear() override
Definition: sha3.cpp:211
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
SHA_3(size_t output_bits)
Definition: sha3.cpp:182
void zeroise(std::vector< T, Alloc > &vec)
Definition: secmem.h:160
void copy_out_vec_le(uint8_t out[], size_t out_bytes, const std::vector< T, Alloc > &in)
Definition: loadstor.h:692