include/cryptopp/shake.h

0001 // shake.h - written and placed in the public domain by Jeffrey Walton

0002
0003 /// \file shake.h

0004 /// \brief Classes for SHAKE message digests

0005 /// \details The library provides byte oriented SHAKE128 and SHAKE256 using F1600.

0006 ///   FIPS 202 allows nearly unlimited output sizes, but Crypto++ limits the output

0007 ///   size to <tt>UINT_MAX</tt> due underlying data types.

0008 /// \sa Keccak, SHA3, SHAKE128, SHAKE256,

0009 ///   <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202,

0010 ///   SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>

0011 /// \since Crypto++ 8.1

0012
0013 #ifndef CRYPTOPP_SHAKE_H
0014 #define CRYPTOPP_SHAKE_H
0015
0016 #include "cryptlib.h"
0017 #include "secblock.h"
0018
0019 NAMESPACE_BEGIN(CryptoPP)
0020
0021 /// \brief SHAKE message digest base class

0022 /// \details SHAKE is the base class for SHAKE128 and SHAKE258.

0023 ///   Library users should instantiate a derived class, and only use SHAKE

0024 ///   as a base class reference or pointer.

0025 /// \sa Keccak, SHA3, SHAKE128, SHAKE256,

0026 ///   <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202,

0027 ///   SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>

0028 /// \since Crypto++ 8.1

0029 class SHAKE : public HashTransformation
0030 {
0031 protected:
0032     /// \brief Construct a SHAKE

0033     /// \param digestSize the digest size, in bytes

0034     /// \details SHAKE is the base class for SHAKE128 and SHAKE256.

0035     ///   Library users should instantiate a derived class, and only use SHAKE

0036     ///   as a base class reference or pointer.

0037     /// \details This constructor was moved to protected at Crypto++ 8.1

0038     ///   because users were attempting to create Keccak objects with it.

0039     /// \since Crypto++ 8.1

0040     SHAKE(unsigned int digestSize) : m_digestSize(digestSize) {Restart();}
0041
0042 public:
0043     unsigned int DigestSize() const {return m_digestSize;}
0044     unsigned int OptimalDataAlignment() const {return GetAlignmentOf<word64>();}
0045
0046     void Update(const byte *input, size_t length);
0047     void Restart();
0048     void TruncatedFinal(byte *hash, size_t size);
0049
0050 protected:
0051     inline unsigned int r() const {return BlockSize();}
0052
0053     // SHAKE-128 and SHAKE-256 effectively allow unlimited

0054     // output length. However, we use an unsigned int so

0055     // we are limited in practice to UINT_MAX.

0056     void ThrowIfInvalidTruncatedSize(size_t size) const;
0057
0058     FixedSizeSecBlock<word64, 25> m_state;
0059     unsigned int m_digestSize, m_counter;
0060 };
0061
0062 /// \brief SHAKE message digest template

0063 /// \tparam T_Strength the strength of the digest

0064 /// \since Crypto++ 8.1

0065 template<unsigned int T_Strength>
0066 class SHAKE_Final : public SHAKE
0067 {
0068 public:
0069     CRYPTOPP_CONSTANT(DIGESTSIZE = (T_Strength == 128 ? 32 : 64));
0070     CRYPTOPP_CONSTANT(BLOCKSIZE = (T_Strength == 128 ? 1344/8 : 1088/8));
0071     static std::string StaticAlgorithmName()
0072         { return "SHAKE-" + IntToString(T_Strength); }
0073
0074     /// \brief Construct a SHAKE-X message digest

0075     /// \details SHAKE128 and SHAKE256 don't need the output size in advance

0076     ///   because the output size does not affect the digest. TruncatedFinal

0077     ///   produces the correct digest for any output size. However, cSHAKE

0078     ///   requires the output size in advance because the algorithm uses

0079     ///   output size as a parameter to the hash function.

0080     SHAKE_Final(unsigned int outputSize=DIGESTSIZE) : SHAKE(outputSize) {}
0081
0082     /// \brief Provides the block size of the compression function

0083     /// \return block size of the compression function, in bytes

0084     /// \details BlockSize() will return 0 if the hash is not block based

0085     ///   or does not have an equivalent block size. For example, Keccak

0086     ///   and SHA-3 do not have a block size, but they do have an equivalent

0087     ///   to block size called rate expressed as <tt>r</tt>.

0088     unsigned int BlockSize() const { return BLOCKSIZE; }
0089
0090     std::string AlgorithmName() const { return StaticAlgorithmName(); }
0091
0092 private:
0093 #if !defined(__BORLANDC__)
0094     // ensure there was no underflow in the math

0095     CRYPTOPP_COMPILE_ASSERT(BLOCKSIZE < 200);
0096 #endif
0097 };
0098
0099 /// \brief SHAKE128 message digest

0100 /// \details The library provides byte oriented SHAKE128 using F1600.

0101 ///   FIPS 202 allows nearly unlimited output sizes, but Crypto++ limits

0102 ///   the output size to <tt>UINT_MAX</tt> due underlying data types.

0103 /// \sa Keccak, SHA3, SHAKE256,

0104 ///   <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202,

0105 ///   SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>

0106 /// \since Crypto++ 8.1

0107 class SHAKE128 : public SHAKE_Final<128>
0108 {
0109 public:
0110     /// \brief Construct a SHAKE128 message digest

0111     /// \details SHAKE128 and SHAKE256 don't need the output size in advance

0112     ///   because the output size does not affect the digest. TruncatedFinal

0113     ///   produces the correct digest for any output size. However, cSHAKE

0114     ///   requires the output size in advance because the algorithm uses

0115     ///   output size as a parameter to the hash function.

0116     /// \since Crypto++ 8.1

0117     SHAKE128() {}
0118
0119     /// \brief Construct a SHAKE128 message digest

0120     /// \details SHAKE128 and SHAKE256 don't need the output size in advance

0121     ///   because the output size does not affect the digest. TruncatedFinal

0122     ///   produces the correct digest for any output size. However, cSHAKE

0123     ///   requires the output size in advance because the algorithm uses

0124     ///   output size as a parameter to the hash function.

0125     /// \since Crypto++ 8.1

0126     SHAKE128(unsigned int outputSize) : SHAKE_Final<128>(outputSize) {}
0127 };
0128
0129 /// \brief SHAKE256 message digest

0130 /// \details The library provides byte oriented SHAKE256 using F1600.

0131 ///   FIPS 202 allows nearly unlimited output sizes, but Crypto++ limits

0132 ///   the output size to <tt>UINT_MAX</tt> due underlying data types.

0133 /// \sa Keccak, SHA3, SHAKE128,

0134 ///   <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202,

0135 ///   SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>

0136 /// \since Crypto++ 8.1

0137 class SHAKE256 : public SHAKE_Final<256>
0138 {
0139 public:
0140     /// \brief Construct a SHAKE256 message digest

0141     /// \details SHAKE128 and SHAKE256 don't need the output size in advance

0142     ///   because the output size does not affect the digest. TruncatedFinal

0143     ///   produces the correct digest for any output size. However, cSHAKE

0144     ///   requires the output size in advance because the algorithm uses

0145     ///   output size as a parameter to the hash function.

0146     /// \since Crypto++ 8.1

0147     SHAKE256() {}
0148
0149     /// \brief Construct a SHAKE256 message digest

0150     /// \details SHAKE128 and SHAKE256 don't need the output size in advance

0151     ///   because the output size does not affect the digest. TruncatedFinal

0152     ///   produces the correct digest for any output size. However, cSHAKE

0153     ///   requires the output size in advance because the algorithm uses

0154     ///   output size as a parameter to the hash function.

0155     /// \since Crypto++ 8.1

0156     SHAKE256(unsigned int outputSize) : SHAKE_Final<256>(outputSize) {}
0157 };
0158
0159 NAMESPACE_END
0160
0161 #endif