1 /* Based on the public domain implementation in
2 * crypto_hash/sha512/ref/ from http://bench.cr.yp.to/supercop.html
3 * by D. J. Bernstein */
4
5 #include <stddef.h>
6 #include <stdint.h>
7 #include <string.h>
8
9 #include "sha2.h"
10 #include "sha256.h"
11 #include "utils.h"
12
13 /*
14 * Compresses an address to a 22-byte sequence.
15 * This reduces the number of required SHA256 compression calls, as the last
16 * block of input is padded with at least 65 bits.
17 */
PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_compress_address(unsigned char * out,const uint32_t addr[8])18 void PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_compress_address(unsigned char *out, const uint32_t addr[8]) {
19 PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_ull_to_bytes(out, 1, addr[0]); /* drop 3 bytes of the layer field */
20 PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_ull_to_bytes(out + 1, 4, addr[2]); /* drop the highest tree address word */
21 PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_ull_to_bytes(out + 5, 4, addr[3]);
22 PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_ull_to_bytes(out + 9, 1, addr[4]); /* drop 3 bytes of the type field */
23 PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_ull_to_bytes(out + 10, 4, addr[5]);
24 PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_ull_to_bytes(out + 14, 4, addr[6]);
25 PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_ull_to_bytes(out + 18, 4, addr[7]);
26 }
27
28 /**
29 * Requires 'input_plus_four_bytes' to have 'inlen' + 4 bytes, so that the last
30 * four bytes can be used for the counter. Typically 'input' is merely a seed.
31 * Outputs outlen number of bytes
32 */
PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_mgf1(unsigned char * out,unsigned long outlen,unsigned char * input_plus_four_bytes,unsigned long inlen)33 void PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_mgf1(
34 unsigned char *out, unsigned long outlen,
35 unsigned char *input_plus_four_bytes, unsigned long inlen) {
36 unsigned char outbuf[PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_OUTPUT_BYTES];
37 unsigned long i;
38
39 /* While we can fit in at least another full block of SHA256 output.. */
40 for (i = 0; (i + 1)*PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_OUTPUT_BYTES <= outlen; i++) {
41 PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_ull_to_bytes(input_plus_four_bytes + inlen, 4, i);
42 sha256(out, input_plus_four_bytes, inlen + 4);
43 out += PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_OUTPUT_BYTES;
44 }
45 /* Until we cannot anymore, and we fill the remainder. */
46 if (outlen > i * PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_OUTPUT_BYTES) {
47 PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_ull_to_bytes(input_plus_four_bytes + inlen, 4, i);
48 sha256(outbuf, input_plus_four_bytes, inlen + 4);
49 memcpy(out, outbuf, outlen - i * PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_OUTPUT_BYTES);
50 }
51 }
52
53
54 /**
55 * Absorb the constant pub_seed using one round of the compression function
56 * This initializes hash_state_seeded, which can then be reused in thash
57 **/
PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_seed_state(sha256ctx * hash_state_seeded,const unsigned char * pub_seed)58 void PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_seed_state(sha256ctx *hash_state_seeded, const unsigned char *pub_seed) {
59 uint8_t block[PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_BLOCK_BYTES];
60 size_t i;
61
62 for (i = 0; i < PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_N; ++i) {
63 block[i] = pub_seed[i];
64 }
65 for (i = PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_N; i < PQCLEAN_SPHINCSSHA256192SROBUST_AVX2_SHA256_BLOCK_BYTES; ++i) {
66 block[i] = 0;
67 }
68
69 sha256_inc_init(hash_state_seeded);
70 sha256_inc_blocks(hash_state_seeded, block, 1);
71 }
72