Coverage Report

Created: 2024-11-21 07:03

/src/cryptopp/shake.h
Line
Count
Source (jump to first uncovered line)
1
// shake.h - written and placed in the public domain by Jeffrey Walton
2
3
/// \file shake.h
4
/// \brief Classes for SHAKE message digests
5
/// \details The library provides byte oriented SHAKE128 and SHAKE256 using F1600.
6
///   FIPS 202 allows nearly unlimited output sizes, but Crypto++ limits the output
7
///   size to <tt>UINT_MAX</tt> due underlying data types.
8
/// \sa Keccak, SHA3, SHAKE128, SHAKE256,
9
///   <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202,
10
///   SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>
11
/// \since Crypto++ 8.1
12
13
#ifndef CRYPTOPP_SHAKE_H
14
#define CRYPTOPP_SHAKE_H
15
16
#include "cryptlib.h"
17
#include "secblock.h"
18
19
NAMESPACE_BEGIN(CryptoPP)
20
21
/// \brief SHAKE message digest base class
22
/// \details SHAKE is the base class for SHAKE128 and SHAKE258.
23
///   Library users should instantiate a derived class, and only use SHAKE
24
///   as a base class reference or pointer.
25
/// \sa Keccak, SHA3, SHAKE128, SHAKE256,
26
///   <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202,
27
///   SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>
28
/// \since Crypto++ 8.1
29
class SHAKE : public HashTransformation
30
{
31
protected:
32
    /// \brief Construct a SHAKE
33
    /// \param digestSize the digest size, in bytes
34
    /// \details SHAKE is the base class for SHAKE128 and SHAKE256.
35
    ///   Library users should instantiate a derived class, and only use SHAKE
36
    ///   as a base class reference or pointer.
37
    /// \details This constructor was moved to protected at Crypto++ 8.1
38
    ///   because users were attempting to create Keccak objects with it.
39
    /// \since Crypto++ 8.1
40
405
    SHAKE(unsigned int digestSize) : m_digestSize(digestSize) {Restart();}
41
42
public:
43
42.9k
    unsigned int DigestSize() const {return m_digestSize;}
44
0
    unsigned int OptimalDataAlignment() const {return GetAlignmentOf<word64>();}
45
46
    void Update(const byte *input, size_t length);
47
    void Restart();
48
    void TruncatedFinal(byte *hash, size_t size);
49
50
protected:
51
409k
    inline unsigned int r() const {return BlockSize();}
52
53
    // SHAKE-128 and SHAKE-256 effectively allow unlimited
54
    // output length. However, we use an unsigned int so
55
    // we are limited in practice to UINT_MAX.
56
    void ThrowIfInvalidTruncatedSize(size_t size) const;
57
58
    FixedSizeSecBlock<word64, 25> m_state;
59
    unsigned int m_digestSize, m_counter;
60
};
61
62
/// \brief SHAKE message digest template
63
/// \tparam T_Strength the strength of the digest
64
/// \since Crypto++ 8.1
65
template<unsigned int T_Strength>
66
class SHAKE_Final : public SHAKE
67
{
68
public:
69
    CRYPTOPP_CONSTANT(DIGESTSIZE = (T_Strength == 128 ? 32 : 64));
70
    CRYPTOPP_CONSTANT(BLOCKSIZE = (T_Strength == 128 ? 1344/8 : 1088/8));
71
    static std::string StaticAlgorithmName()
72
22
        { return "SHAKE-" + IntToString(T_Strength); }
CryptoPP::SHAKE_Final<128u>::StaticAlgorithmName()
Line
Count
Source
72
18
        { return "SHAKE-" + IntToString(T_Strength); }
CryptoPP::SHAKE_Final<256u>::StaticAlgorithmName()
Line
Count
Source
72
4
        { return "SHAKE-" + IntToString(T_Strength); }
73
74
    /// \brief Construct a SHAKE-X message digest
75
    /// \details SHAKE128 and SHAKE256 don't need the output size in advance
76
    ///   because the output size does not affect the digest. TruncatedFinal
77
    ///   produces the correct digest for any output size. However, cSHAKE
78
    ///   requires the output size in advance because the algorithm uses
79
    ///   output size as a parameter to the hash function.
80
405
    SHAKE_Final(unsigned int outputSize=DIGESTSIZE) : SHAKE(outputSize) {}
CryptoPP::SHAKE_Final<128u>::SHAKE_Final(unsigned int)
Line
Count
Source
80
201
    SHAKE_Final(unsigned int outputSize=DIGESTSIZE) : SHAKE(outputSize) {}
CryptoPP::SHAKE_Final<256u>::SHAKE_Final(unsigned int)
Line
Count
Source
80
204
    SHAKE_Final(unsigned int outputSize=DIGESTSIZE) : SHAKE(outputSize) {}
81
82
    /// \brief Provides the block size of the compression function
83
    /// \return block size of the compression function, in bytes
84
    /// \details BlockSize() will return 0 if the hash is not block based
85
    ///   or does not have an equivalent block size. For example, Keccak
86
    ///   and SHA-3 do not have a block size, but they do have an equivalent
87
    ///   to block size called rate expressed as <tt>r</tt>.
88
535k
    unsigned int BlockSize() const { return BLOCKSIZE; }
CryptoPP::SHAKE_Final<128u>::BlockSize() const
Line
Count
Source
88
147k
    unsigned int BlockSize() const { return BLOCKSIZE; }
CryptoPP::SHAKE_Final<256u>::BlockSize() const
Line
Count
Source
88
387k
    unsigned int BlockSize() const { return BLOCKSIZE; }
89
90
0
    std::string AlgorithmName() const { return StaticAlgorithmName(); }
Unexecuted instantiation: CryptoPP::SHAKE_Final<128u>::AlgorithmName() const
Unexecuted instantiation: CryptoPP::SHAKE_Final<256u>::AlgorithmName() const
91
92
private:
93
#if !defined(__BORLANDC__)
94
    // ensure there was no underflow in the math
95
    CRYPTOPP_COMPILE_ASSERT(BLOCKSIZE < 200);
96
#endif
97
};
98
99
/// \brief SHAKE128 message digest
100
/// \details The library provides byte oriented SHAKE128 using F1600.
101
///   FIPS 202 allows nearly unlimited output sizes, but Crypto++ limits
102
///   the output size to <tt>UINT_MAX</tt> due underlying data types.
103
/// \sa Keccak, SHA3, SHAKE256,
104
///   <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202,
105
///   SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>
106
/// \since Crypto++ 8.1
107
class SHAKE128 : public SHAKE_Final<128>
108
{
109
public:
110
    /// \brief Construct a SHAKE128 message digest
111
    /// \details SHAKE128 and SHAKE256 don't need the output size in advance
112
    ///   because the output size does not affect the digest. TruncatedFinal
113
    ///   produces the correct digest for any output size. However, cSHAKE
114
    ///   requires the output size in advance because the algorithm uses
115
    ///   output size as a parameter to the hash function.
116
    /// \since Crypto++ 8.1
117
201
    SHAKE128() {}
118
119
    /// \brief Construct a SHAKE128 message digest
120
    /// \details SHAKE128 and SHAKE256 don't need the output size in advance
121
    ///   because the output size does not affect the digest. TruncatedFinal
122
    ///   produces the correct digest for any output size. However, cSHAKE
123
    ///   requires the output size in advance because the algorithm uses
124
    ///   output size as a parameter to the hash function.
125
    /// \since Crypto++ 8.1
126
0
    SHAKE128(unsigned int outputSize) : SHAKE_Final<128>(outputSize) {}
127
};
128
129
/// \brief SHAKE256 message digest
130
/// \details The library provides byte oriented SHAKE256 using F1600.
131
///   FIPS 202 allows nearly unlimited output sizes, but Crypto++ limits
132
///   the output size to <tt>UINT_MAX</tt> due underlying data types.
133
/// \sa Keccak, SHA3, SHAKE128,
134
///   <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202,
135
///   SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>
136
/// \since Crypto++ 8.1
137
class SHAKE256 : public SHAKE_Final<256>
138
{
139
public:
140
    /// \brief Construct a SHAKE256 message digest
141
    /// \details SHAKE128 and SHAKE256 don't need the output size in advance
142
    ///   because the output size does not affect the digest. TruncatedFinal
143
    ///   produces the correct digest for any output size. However, cSHAKE
144
    ///   requires the output size in advance because the algorithm uses
145
    ///   output size as a parameter to the hash function.
146
    /// \since Crypto++ 8.1
147
204
    SHAKE256() {}
148
149
    /// \brief Construct a SHAKE256 message digest
150
    /// \details SHAKE128 and SHAKE256 don't need the output size in advance
151
    ///   because the output size does not affect the digest. TruncatedFinal
152
    ///   produces the correct digest for any output size. However, cSHAKE
153
    ///   requires the output size in advance because the algorithm uses
154
    ///   output size as a parameter to the hash function.
155
    /// \since Crypto++ 8.1
156
0
    SHAKE256(unsigned int outputSize) : SHAKE_Final<256>(outputSize) {}
157
};
158
159
NAMESPACE_END
160
161
#endif