KMAC / cSHAKE in Libgcrypt
Werner Koch
wk at gnupg.org
Thu Sep 14 14:50:45 CEST 2023
On Tue, 12 Sep 2023 13:50, Falko Strenzke said:
> I agree, for the implementation of KMAC itself we should use the MAC API. But
> my question was about the integration of cSHAKE, which is an XOF hash
> function, not a MAC.
I see. Now for your suggested API.
> * cSHAKE is added as an XOF message digest like SHAKE
That is easy.
> * For the purpose of providing the additional arguments N and S we add
[..]
> gcry_md_set_add_input (gcry_md_hd_t *h,
> gcry_md_add_input_t addin_type,
> const void* v, size_t v_len);
Adding another API call is not a good idea, though. We should use
gcry_md_ctl with two new control values.
> In order to invoke cSHAKE with non-empty N and S parameters, after
> the call to _gcry_md_open(), two calls to gcry_md_set_add_input()
Instead we use:
gcry_md_ctl (hd, GCRYCTL_CSHAKE_N, n, nlen);
gcry_md_ctl (hd, GCRYCTL_CSHAKE_S, s, slen);
(which should return an error if the parameters are not okay).
> have to be made to set N and S in that order. If data is added
> without having made these calls, then it will behave as normal
> SHAKE as required by the specification.
Well, in that case we may not even need GCRY_MD_CSHAKE but could reuse
GCRY_MD_SHAKE256 and check that the parameters are only used for this
algo - a test which is anyway required. Below an unfinished example.
--8<---------------cut here---------------start------------->8---
commit 1b4bb2ee125a91084f0fe6fa74d57cd47d2164fe (HEAD -> refs/heads/master)
Author: Werner Koch <wk at gnupg.org>
Date: Thu Sep 14 14:43:13 2023 +0200
xxxxxxxxxxxxxxxxxxxxxxx
Modified cipher/md.c
diff --git a/cipher/md.c b/cipher/md.c
index a128dd82..4052bc90 100644
--- a/cipher/md.c
+++ b/cipher/md.c
@@ -1001,8 +1001,6 @@ _gcry_md_ctl (gcry_md_hd_t hd, int cmd, void *buffer, size_t buflen)
{
gcry_err_code_t rc = 0;
- (void)buflen; /* Currently not used. */
-
switch (cmd)
{
case GCRYCTL_FINALIZE:
@@ -1014,6 +1012,12 @@ _gcry_md_ctl (gcry_md_hd_t hd, int cmd, void *buffer, size_t buflen)
case GCRYCTL_STOP_DUMP:
md_stop_debug ( hd );
break;
+ case GCRYCTL_CSHAKE_N:
+ rc = _gcry_md_cshake_set_n (hd, buffer, buflen);
+ break;
+ case GCRYCTL_CSHAKE_S:
+ rc = _gcry_md_cshake_set_s (hd, buffer, buflen);
+ break;
default:
rc = GPG_ERR_INV_OP;
}
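Review bot: _gcry_md_cshake_set_n and _gcry_md_cshake_set_s are called in the two new cases but are neither declared nor defined anywhere in this patch, so cipher/md.c does not build as posted. When they are added they should carry the checks the text above asks for: fail with an error unless the handle's algorithm is the (c)SHAKE one, reject S being set before N and either parameter being set once data has been absorbed, and reject bad lengths instead of ignoring them; since `buffer` arrives as a non-const `void *`, the callees should treat it as read-only and copy out what they need.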
Modified src/gcrypt.h.in
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index 7dc1196b..a861a11e 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -333,7 +333,9 @@ enum gcry_ctl_cmds
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
- GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
+ GCRYCTL_CSHAKE_N = 88,
+ GCRYCTL_CSHAKE_S = 89
};
/* Perform various operations defined by CMD. */
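Review bot: GCRYCTL_CSHAKE_N and GCRYCTL_CSHAKE_S are added to the public header without a comment. As they travel through `gcry_md_ctl (hd, cmd, buffer, buflen)`, document that N and S are passed as raw bytes with `buflen` in bytes (the bit-length encoding of NIST SP 800-185 is done internally), that an empty string is accepted, and that the calls are only valid on a (c)SHAKE handle, in the order N then S, before the first write.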
@@ -1304,7 +1306,8 @@ enum gcry_md_algos
GCRY_MD_BLAKE2S_128 = 325,
GCRY_MD_SM3 = 326,
GCRY_MD_SHA512_256 = 327,
- GCRY_MD_SHA512_224 = 328
+ GCRY_MD_SHA512_224 = 328,
+ GCRY_MD_CSHAKE = 329
};
/* Flags used with the open function. */
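Review bot: adding `GCRY_MD_CSHAKE = 329` contradicts the paragraph before the patch, which proposes reusing GCRY_MD_SHAKE256 and only checking that the new ctl codes are used with that algorithm; pick one of the two. If a dedicated identifier stays, a single value cannot express both cSHAKE128 and cSHAKE256, which differ in rate and security strength just as the existing SHAKE identifiers do, so it would need to become two identifiers.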
--8<---------------cut here---------------end--------------->8---
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
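The property the reply relies on (cSHAKE with empty N and S is exactly SHAKE256, so the customization can be supplied through two ctl calls after the open and the handle otherwise behaves as plain SHAKE) worked through in Python as an added example; this is not Libgcrypt code or code from this thread, and the function names are my own. It implements cSHAKE256 from NIST SP 800-185 on a minimal Keccak-f[1600] and cross-checks the empty-N/S path against hashlib.

```python
import hashlib  # only used to cross-check the empty-N/S path against the standard library
def rotl(v, n): return ((v << (n % 64)) | (v >> (64 - n % 64))) & 0xFFFFFFFFFFFFFFFF
def keccak_f1600(state):  # 24 rounds on a 200-byte state; lane (x, y) is at index x + 5*y
    lanes = [int.from_bytes(state[8 * i:8 * i + 8], "little") for i in range(25)]
    r = 1  # LFSR that generates the iota round constants
    for _ in range(24):
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20] for x in range(5)]
        d = [c[(x + 4) % 5] ^ rotl(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]  # theta
        x, y, cur = 1, 0, lanes[1]
        for t in range(24):  # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x + 5 * y] = lanes[x + 5 * y], rotl(cur, (t + 1) * (t + 2) // 2)
        for y in range(0, 25, 5):  # chi
            row = lanes[y:y + 5]
            for x in range(5):
                lanes[y + x] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        for j in range(7):  # iota
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF
            if r & 2:
                lanes[0] ^= 1 << ((1 << j) - 1)
    return b"".join(v.to_bytes(8, "little") for v in lanes)

def sponge(data, suffix, outlen, rate=136):  # rate 136 = SHAKE256/cSHAKE256; suffix = domain byte
    state = bytearray(200)
    for i, b in enumerate(data):  # absorb; permute after every full rate block
        state[i % rate] ^= b
        if i % rate == rate - 1:
            state = bytearray(keccak_f1600(state))
    state[len(data) % rate] ^= suffix  # domain separation byte, then pad10*1
    state[rate - 1] ^= 0x80
    out = b""
    while len(out) < outlen:  # squeeze
        state = bytearray(keccak_f1600(state))
        out += bytes(state[:rate])
    return out[:outlen]

def left_encode(x):  # SP 800-185 left_encode: byte count, then the big-endian bytes of x
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return bytes([len(b)]) + b
def encode_string(s): return left_encode(8 * len(s)) + s  # length in bits, then the bytes
def cshake256(data, n=b"", s=b"", outlen=32):
    # cSHAKE256(X, L, N, S): empty N and S is plain SHAKE256 (suffix 0x1F); otherwise the encoded
    # N and S are absorbed first as one bytepad-ed rate block and the suffix becomes 0x04
    if not n and not s:
        return sponge(data, 0x1F, outlen)
    prefix = left_encode(136) + encode_string(n) + encode_string(s)  # bytepad(..., 136)
    return sponge(prefix + b"\x00" * (-len(prefix) % 136) + data, 0x04, outlen)
def matches_shake256(data, outlen):  # self-check: the empty-N/S path must equal hashlib's SHAKE256
    return cshake256(data, outlen=outlen) == hashlib.shake_256(data).digest(outlen)
```

With N or S set, the output differs from SHAKE256 for the same input, which is exactly why the two ctl calls must be rejected on a handle that has already absorbed data.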