Line | Count | Source (jump to first uncovered line) |
1 | | // shake.h - written and placed in the public domain by Jeffrey Walton |
2 | | |
3 | | /// \file shake.h |
4 | | /// \brief Classes for SHAKE message digests |
5 | | /// \details The library provides byte oriented SHAKE128 and SHAKE256 using F1600. |
6 | | /// FIPS 202 allows nearly unlimited output sizes, but Crypto++ limits the output |
7 | | /// size to <tt>UINT_MAX</tt> due underlying data types. |
8 | | /// \sa Keccak, SHA3, SHAKE128, SHAKE256, |
9 | | /// <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202, |
10 | | /// SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a> |
11 | | /// \since Crypto++ 8.1 |
12 | | |
13 | | #ifndef CRYPTOPP_SHAKE_H |
14 | | #define CRYPTOPP_SHAKE_H |
15 | | |
16 | | #include "cryptlib.h" |
17 | | #include "secblock.h" |
18 | | |
19 | | NAMESPACE_BEGIN(CryptoPP) |
20 | | |
21 | | /// \brief SHAKE message digest base class |
22 | | /// \details SHAKE is the base class for SHAKE128 and SHAKE258. |
23 | | /// Library users should instantiate a derived class, and only use SHAKE |
24 | | /// as a base class reference or pointer. |
25 | | /// \sa Keccak, SHA3, SHAKE128, SHAKE256, |
26 | | /// <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202, |
27 | | /// SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a> |
28 | | /// \since Crypto++ 8.1 |
29 | | class SHAKE : public HashTransformation |
30 | | { |
31 | | protected: |
32 | | /// \brief Construct a SHAKE |
33 | | /// \param digestSize the digest size, in bytes |
34 | | /// \details SHAKE is the base class for SHAKE128 and SHAKE256. |
35 | | /// Library users should instantiate a derived class, and only use SHAKE |
36 | | /// as a base class reference or pointer. |
37 | | /// \details This constructor was moved to protected at Crypto++ 8.1 |
38 | | /// because users were attempting to create Keccak objects with it. |
39 | | /// \since Crypto++ 8.1 |
40 | 405 | SHAKE(unsigned int digestSize) : m_digestSize(digestSize) {Restart();} |
41 | | |
42 | | public: |
43 | 42.9k | unsigned int DigestSize() const {return m_digestSize;} |
44 | 0 | unsigned int OptimalDataAlignment() const {return GetAlignmentOf<word64>();} |
45 | | |
46 | | void Update(const byte *input, size_t length); |
47 | | void Restart(); |
48 | | void TruncatedFinal(byte *hash, size_t size); |
49 | | |
50 | | protected: |
51 | 409k | inline unsigned int r() const {return BlockSize();} |
52 | | |
53 | | // SHAKE-128 and SHAKE-256 effectively allow unlimited |
54 | | // output length. However, we use an unsigned int so |
55 | | // we are limited in practice to UINT_MAX. |
56 | | void ThrowIfInvalidTruncatedSize(size_t size) const; |
57 | | |
58 | | FixedSizeSecBlock<word64, 25> m_state; |
59 | | unsigned int m_digestSize, m_counter; |
60 | | }; |
61 | | |
62 | | /// \brief SHAKE message digest template |
63 | | /// \tparam T_Strength the strength of the digest |
64 | | /// \since Crypto++ 8.1 |
65 | | template<unsigned int T_Strength> |
66 | | class SHAKE_Final : public SHAKE |
67 | | { |
68 | | public: |
69 | | CRYPTOPP_CONSTANT(DIGESTSIZE = (T_Strength == 128 ? 32 : 64)); |
70 | | CRYPTOPP_CONSTANT(BLOCKSIZE = (T_Strength == 128 ? 1344/8 : 1088/8)); |
71 | | static std::string StaticAlgorithmName() |
72 | 22 | { return "SHAKE-" + IntToString(T_Strength); } CryptoPP::SHAKE_Final<128u>::StaticAlgorithmName() Line | Count | Source | 72 | 18 | { return "SHAKE-" + IntToString(T_Strength); } |
CryptoPP::SHAKE_Final<256u>::StaticAlgorithmName() Line | Count | Source | 72 | 4 | { return "SHAKE-" + IntToString(T_Strength); } |
|
73 | | |
74 | | /// \brief Construct a SHAKE-X message digest |
75 | | /// \details SHAKE128 and SHAKE256 don't need the output size in advance |
76 | | /// because the output size does not affect the digest. TruncatedFinal |
77 | | /// produces the correct digest for any output size. However, cSHAKE |
78 | | /// requires the output size in advance because the algorithm uses |
79 | | /// output size as a parameter to the hash function. |
80 | 405 | SHAKE_Final(unsigned int outputSize=DIGESTSIZE) : SHAKE(outputSize) {} CryptoPP::SHAKE_Final<128u>::SHAKE_Final(unsigned int) Line | Count | Source | 80 | 201 | SHAKE_Final(unsigned int outputSize=DIGESTSIZE) : SHAKE(outputSize) {} |
CryptoPP::SHAKE_Final<256u>::SHAKE_Final(unsigned int) Line | Count | Source | 80 | 204 | SHAKE_Final(unsigned int outputSize=DIGESTSIZE) : SHAKE(outputSize) {} |
|
81 | | |
82 | | /// \brief Provides the block size of the compression function |
83 | | /// \return block size of the compression function, in bytes |
84 | | /// \details BlockSize() will return 0 if the hash is not block based |
85 | | /// or does not have an equivalent block size. For example, Keccak |
86 | | /// and SHA-3 do not have a block size, but they do have an equivalent |
87 | | /// to block size called rate expressed as <tt>r</tt>. |
88 | 535k | unsigned int BlockSize() const { return BLOCKSIZE; } CryptoPP::SHAKE_Final<128u>::BlockSize() const Line | Count | Source | 88 | 147k | unsigned int BlockSize() const { return BLOCKSIZE; } |
CryptoPP::SHAKE_Final<256u>::BlockSize() const Line | Count | Source | 88 | 387k | unsigned int BlockSize() const { return BLOCKSIZE; } |
|
89 | | |
90 | 0 | std::string AlgorithmName() const { return StaticAlgorithmName(); } Unexecuted instantiation: CryptoPP::SHAKE_Final<128u>::AlgorithmName() const Unexecuted instantiation: CryptoPP::SHAKE_Final<256u>::AlgorithmName() const |
91 | | |
92 | | private: |
93 | | #if !defined(__BORLANDC__) |
94 | | // ensure there was no underflow in the math |
95 | | CRYPTOPP_COMPILE_ASSERT(BLOCKSIZE < 200); |
96 | | #endif |
97 | | }; |
98 | | |
99 | | /// \brief SHAKE128 message digest |
100 | | /// \details The library provides byte oriented SHAKE128 using F1600. |
101 | | /// FIPS 202 allows nearly unlimited output sizes, but Crypto++ limits |
102 | | /// the output size to <tt>UINT_MAX</tt> due underlying data types. |
103 | | /// \sa Keccak, SHA3, SHAKE256, |
104 | | /// <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202, |
105 | | /// SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a> |
106 | | /// \since Crypto++ 8.1 |
107 | | class SHAKE128 : public SHAKE_Final<128> |
108 | | { |
109 | | public: |
110 | | /// \brief Construct a SHAKE128 message digest |
111 | | /// \details SHAKE128 and SHAKE256 don't need the output size in advance |
112 | | /// because the output size does not affect the digest. TruncatedFinal |
113 | | /// produces the correct digest for any output size. However, cSHAKE |
114 | | /// requires the output size in advance because the algorithm uses |
115 | | /// output size as a parameter to the hash function. |
116 | | /// \since Crypto++ 8.1 |
117 | 201 | SHAKE128() {} |
118 | | |
119 | | /// \brief Construct a SHAKE128 message digest |
120 | | /// \details SHAKE128 and SHAKE256 don't need the output size in advance |
121 | | /// because the output size does not affect the digest. TruncatedFinal |
122 | | /// produces the correct digest for any output size. However, cSHAKE |
123 | | /// requires the output size in advance because the algorithm uses |
124 | | /// output size as a parameter to the hash function. |
125 | | /// \since Crypto++ 8.1 |
126 | 0 | SHAKE128(unsigned int outputSize) : SHAKE_Final<128>(outputSize) {} |
127 | | }; |
128 | | |
129 | | /// \brief SHAKE256 message digest |
130 | | /// \details The library provides byte oriented SHAKE256 using F1600. |
131 | | /// FIPS 202 allows nearly unlimited output sizes, but Crypto++ limits |
132 | | /// the output size to <tt>UINT_MAX</tt> due underlying data types. |
133 | | /// \sa Keccak, SHA3, SHAKE128, |
134 | | /// <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202, |
135 | | /// SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a> |
136 | | /// \since Crypto++ 8.1 |
137 | | class SHAKE256 : public SHAKE_Final<256> |
138 | | { |
139 | | public: |
140 | | /// \brief Construct a SHAKE256 message digest |
141 | | /// \details SHAKE128 and SHAKE256 don't need the output size in advance |
142 | | /// because the output size does not affect the digest. TruncatedFinal |
143 | | /// produces the correct digest for any output size. However, cSHAKE |
144 | | /// requires the output size in advance because the algorithm uses |
145 | | /// output size as a parameter to the hash function. |
146 | | /// \since Crypto++ 8.1 |
147 | 204 | SHAKE256() {} |
148 | | |
149 | | /// \brief Construct a SHAKE256 message digest |
150 | | /// \details SHAKE128 and SHAKE256 don't need the output size in advance |
151 | | /// because the output size does not affect the digest. TruncatedFinal |
152 | | /// produces the correct digest for any output size. However, cSHAKE |
153 | | /// requires the output size in advance because the algorithm uses |
154 | | /// output size as a parameter to the hash function. |
155 | | /// \since Crypto++ 8.1 |
156 | 0 | SHAKE256(unsigned int outputSize) : SHAKE_Final<256>(outputSize) {} |
157 | | }; |
158 | | |
159 | | NAMESPACE_END |
160 | | |
161 | | #endif |