Botan  2.8.0
Crypto and TLS for C++11
sha3.cpp
Go to the documentation of this file.
1 /*
2 * SHA-3
3 * (C) 2010,2016 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/sha3.h>
9 #include <botan/exceptn.h>
10 
11 namespace Botan {
12 
13 //static
14 void SHA_3::permute(uint64_t A[25])
15  {
16  static const uint64_t RC[24] = {
17  0x0000000000000001, 0x0000000000008082, 0x800000000000808A,
18  0x8000000080008000, 0x000000000000808B, 0x0000000080000001,
19  0x8000000080008081, 0x8000000000008009, 0x000000000000008A,
20  0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
21  0x000000008000808B, 0x800000000000008B, 0x8000000000008089,
22  0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
23  0x000000000000800A, 0x800000008000000A, 0x8000000080008081,
24  0x8000000000008080, 0x0000000080000001, 0x8000000080008008
25  };
26 
27  for(size_t i = 0; i != 24; ++i)
28  {
29  const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20];
30  const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21];
31  const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22];
32  const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23];
33  const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24];
34 
35  const uint64_t D0 = rotl<1>(C0) ^ C3;
36  const uint64_t D1 = rotl<1>(C1) ^ C4;
37  const uint64_t D2 = rotl<1>(C2) ^ C0;
38  const uint64_t D3 = rotl<1>(C3) ^ C1;
39  const uint64_t D4 = rotl<1>(C4) ^ C2;
40 
41  const uint64_t B00 = A[ 0] ^ D1;
42  const uint64_t B10 = rotl< 1>(A[ 1] ^ D2);
43  const uint64_t B20 = rotl<62>(A[ 2] ^ D3);
44  const uint64_t B05 = rotl<28>(A[ 3] ^ D4);
45  const uint64_t B15 = rotl<27>(A[ 4] ^ D0);
46  const uint64_t B16 = rotl<36>(A[ 5] ^ D1);
47  const uint64_t B01 = rotl<44>(A[ 6] ^ D2);
48  const uint64_t B11 = rotl< 6>(A[ 7] ^ D3);
49  const uint64_t B21 = rotl<55>(A[ 8] ^ D4);
50  const uint64_t B06 = rotl<20>(A[ 9] ^ D0);
51  const uint64_t B07 = rotl< 3>(A[10] ^ D1);
52  const uint64_t B17 = rotl<10>(A[11] ^ D2);
53  const uint64_t B02 = rotl<43>(A[12] ^ D3);
54  const uint64_t B12 = rotl<25>(A[13] ^ D4);
55  const uint64_t B22 = rotl<39>(A[14] ^ D0);
56  const uint64_t B23 = rotl<41>(A[15] ^ D1);
57  const uint64_t B08 = rotl<45>(A[16] ^ D2);
58  const uint64_t B18 = rotl<15>(A[17] ^ D3);
59  const uint64_t B03 = rotl<21>(A[18] ^ D4);
60  const uint64_t B13 = rotl< 8>(A[19] ^ D0);
61  const uint64_t B14 = rotl<18>(A[20] ^ D1);
62  const uint64_t B24 = rotl< 2>(A[21] ^ D2);
63  const uint64_t B09 = rotl<61>(A[22] ^ D3);
64  const uint64_t B19 = rotl<56>(A[23] ^ D4);
65  const uint64_t B04 = rotl<14>(A[24] ^ D0);
66 
67  A[ 0] = B00 ^ (~B01 & B02);
68  A[ 1] = B01 ^ (~B02 & B03);
69  A[ 2] = B02 ^ (~B03 & B04);
70  A[ 3] = B03 ^ (~B04 & B00);
71  A[ 4] = B04 ^ (~B00 & B01);
72  A[ 5] = B05 ^ (~B06 & B07);
73  A[ 6] = B06 ^ (~B07 & B08);
74  A[ 7] = B07 ^ (~B08 & B09);
75  A[ 8] = B08 ^ (~B09 & B05);
76  A[ 9] = B09 ^ (~B05 & B06);
77  A[10] = B10 ^ (~B11 & B12);
78  A[11] = B11 ^ (~B12 & B13);
79  A[12] = B12 ^ (~B13 & B14);
80  A[13] = B13 ^ (~B14 & B10);
81  A[14] = B14 ^ (~B10 & B11);
82  A[15] = B15 ^ (~B16 & B17);
83  A[16] = B16 ^ (~B17 & B18);
84  A[17] = B17 ^ (~B18 & B19);
85  A[18] = B18 ^ (~B19 & B15);
86  A[19] = B19 ^ (~B15 & B16);
87  A[20] = B20 ^ (~B21 & B22);
88  A[21] = B21 ^ (~B22 & B23);
89  A[22] = B22 ^ (~B23 & B24);
90  A[23] = B23 ^ (~B24 & B20);
91  A[24] = B24 ^ (~B20 & B21);
92 
93  A[0] ^= RC[i];
94  }
95  }
96 
97 //static
98 size_t SHA_3::absorb(size_t bitrate,
99  secure_vector<uint64_t>& S, size_t S_pos,
100  const uint8_t input[], size_t length)
101  {
102  while(length > 0)
103  {
104  size_t to_take = std::min(length, bitrate / 8 - S_pos);
105 
106  length -= to_take;
107 
108  while(to_take && S_pos % 8)
109  {
110  S[S_pos / 8] ^= static_cast<uint64_t>(input[0]) << (8 * (S_pos % 8));
111 
112  ++S_pos;
113  ++input;
114  --to_take;
115  }
116 
117  while(to_take && to_take % 8 == 0)
118  {
119  S[S_pos / 8] ^= load_le<uint64_t>(input, 0);
120  S_pos += 8;
121  input += 8;
122  to_take -= 8;
123  }
124 
125  while(to_take)
126  {
127  S[S_pos / 8] ^= static_cast<uint64_t>(input[0]) << (8 * (S_pos % 8));
128 
129  ++S_pos;
130  ++input;
131  --to_take;
132  }
133 
134  if(S_pos == bitrate / 8)
135  {
136  SHA_3::permute(S.data());
137  S_pos = 0;
138  }
139  }
140 
141  return S_pos;
142  }
143 
144 //static
145 void SHA_3::finish(size_t bitrate,
146  secure_vector<uint64_t>& S, size_t S_pos,
147  uint8_t init_pad, uint8_t fini_pad)
148  {
149  BOTAN_ARG_CHECK(bitrate % 64 == 0, "SHA-3 bitrate must be multiple of 64");
150 
151  S[S_pos / 8] ^= static_cast<uint64_t>(init_pad) << (8 * (S_pos % 8));
152  S[(bitrate / 64) - 1] ^= static_cast<uint64_t>(fini_pad) << 56;
153  SHA_3::permute(S.data());
154  }
155 
156 //static
157 void SHA_3::expand(size_t bitrate,
159  uint8_t output[], size_t output_length)
160  {
161  BOTAN_ARG_CHECK(bitrate % 64 == 0, "SHA-3 bitrate must be multiple of 64");
162 
163  const size_t byterate = bitrate / 8;
164 
165  while(output_length > 0)
166  {
167  const size_t copying = std::min(byterate, output_length);
168 
169  copy_out_vec_le(output, copying, S);
170 
171  output += copying;
172  output_length -= copying;
173 
174  if(output_length > 0)
175  {
176  SHA_3::permute(S.data());
177  }
178  }
179  }
180 
181 SHA_3::SHA_3(size_t output_bits) :
182  m_output_bits(output_bits),
183  m_bitrate(1600 - 2*output_bits),
184  m_S(25),
185  m_S_pos(0)
186  {
187  // We only support the parameters for SHA-3 in this constructor
188 
189  if(output_bits != 224 && output_bits != 256 &&
190  output_bits != 384 && output_bits != 512)
191  throw Invalid_Argument("SHA_3: Invalid output length " +
192  std::to_string(output_bits));
193  }
194 
195 std::string SHA_3::name() const
196  {
197  return "SHA-3(" + std::to_string(m_output_bits) + ")";
198  }
199 
200 std::unique_ptr<HashFunction> SHA_3::copy_state() const
201  {
202  return std::unique_ptr<HashFunction>(new SHA_3(*this));
203  }
204 
206  {
207  return new SHA_3(m_output_bits);
208  }
209 
211  {
212  zeroise(m_S);
213  m_S_pos = 0;
214  }
215 
216 void SHA_3::add_data(const uint8_t input[], size_t length)
217  {
218  m_S_pos = SHA_3::absorb(m_bitrate, m_S, m_S_pos, input, length);
219  }
220 
221 void SHA_3::final_result(uint8_t output[])
222  {
223  SHA_3::finish(m_bitrate, m_S, m_S_pos, 0x06, 0x80);
224 
225  /*
226  * We never have to run the permutation again because we only support
227  * limited output lengths
228  */
229  copy_out_vec_le(output, m_output_bits/8, m_S);
230 
231  clear();
232  }
233 
234 }
std::string name() const override
Definition: sha3.cpp:195
static void finish(size_t bitrate, secure_vector< uint64_t > &S, size_t S_pos, uint8_t init_pad, uint8_t fini_pad)
Definition: sha3.cpp:145
static void expand(size_t bitrate, secure_vector< uint64_t > &S, uint8_t output[], size_t output_length)
Definition: sha3.cpp:157
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
static size_t absorb(size_t bitrate, secure_vector< uint64_t > &S, size_t S_pos, const uint8_t input[], size_t length)
Definition: sha3.cpp:98
HashFunction * clone() const override
Definition: sha3.cpp:205
size_t output_length() const override
Definition: sha3.h:31
uint64_t load_le< uint64_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:235
Definition: alg_id.cpp:13
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
std::unique_ptr< HashFunction > copy_state() const override
Definition: sha3.cpp:200
static void permute(uint64_t A[25])
Definition: sha3.cpp:14
void clear() override
Definition: sha3.cpp:210
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
SHA_3(size_t output_bits)
Definition: sha3.cpp:181
void zeroise(std::vector< T, Alloc > &vec)
Definition: secmem.h:183
void copy_out_vec_le(uint8_t out[], size_t out_bytes, const std::vector< T, Alloc > &in)
Definition: loadstor.h:690