1 /* Based on the public domain implementation in 2 * crypto_hash/sha512/ref/ from http://bench.cr.yp.to/supercop.html 3 * by D. J. Bernstein */ 4 5 #include <stddef.h> 6 #include <stdint.h> 7 #include <string.h> 8 9 #include "sha2.h" 10 #include "sha256.h" 11 #include "utils.h" 12 13 /* 14 * Compresses an address to a 22-byte sequence. 15 * This reduces the number of required SHA256 compression calls, as the last 16 * block of input is padded with at least 65 bits. 17 */ 18 void PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_compress_address(unsigned char *out, const uint32_t addr[8]) { 19 PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ull_to_bytes(out, 1, addr[0]); /* drop 3 bytes of the layer field */ 20 PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ull_to_bytes(out + 1, 4, addr[2]); /* drop the highest tree address word */ 21 PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ull_to_bytes(out + 5, 4, addr[3]); 22 PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ull_to_bytes(out + 9, 1, addr[4]); /* drop 3 bytes of the type field */ 23 PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ull_to_bytes(out + 10, 4, addr[5]); 24 PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ull_to_bytes(out + 14, 4, addr[6]); 25 PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ull_to_bytes(out + 18, 4, addr[7]); 26 } 27 28 /** 29 * Requires 'input_plus_four_bytes' to have 'inlen' + 4 bytes, so that the last 30 * four bytes can be used for the counter. Typically 'input' is merely a seed. 31 * Outputs outlen number of bytes 32 */ 33 void PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_mgf1( 34 unsigned char *out, unsigned long outlen, 35 unsigned char *input_plus_four_bytes, unsigned long inlen) { 36 unsigned char outbuf[PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_SHA256_OUTPUT_BYTES]; 37 unsigned long i; 38 39 /* While we can fit in at least another full block of SHA256 output.. */ 40 for (i = 0; (i + 1)*PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_SHA256_OUTPUT_BYTES <= outlen; i++) { 41 PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ull_to_bytes(input_plus_four_bytes + inlen, 4, i); 42 sha256(out, input_plus_four_bytes, inlen + 4); 43 out += PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_SHA256_OUTPUT_BYTES; 44 } 45 /* Until we cannot anymore, and we fill the remainder. */ 46 if (outlen > i * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_SHA256_OUTPUT_BYTES) { 47 PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ull_to_bytes(input_plus_four_bytes + inlen, 4, i); 48 sha256(outbuf, input_plus_four_bytes, inlen + 4); 49 memcpy(out, outbuf, outlen - i * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_SHA256_OUTPUT_BYTES); 50 } 51 } 52 53 54 /** 55 * Absorb the constant pub_seed using one round of the compression function 56 * This initializes hash_state_seeded, which can then be reused in thash 57 **/ 58 void PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_seed_state(sha256ctx *hash_state_seeded, const unsigned char *pub_seed) { 59 uint8_t block[PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_SHA256_BLOCK_BYTES]; 60 size_t i; 61 62 for (i = 0; i < PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N; ++i) { 63 block[i] = pub_seed[i]; 64 } 65 for (i = PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N; i < PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_SHA256_BLOCK_BYTES; ++i) { 66 block[i] = 0; 67 } 68 69 sha256_inc_init(hash_state_seeded); 70 sha256_inc_blocks(hash_state_seeded, block, 1); 71 } 72