KMAC / cSHAKE in Libgcrypt

Falko Strenzke falko.strenzke at mtg.de
Thu Sep 14 15:38:20 CEST 2023 

Hi Werner,

Am 14.09.23 um 14:50 schrieb Werner Koch:
> On Tue, 12 Sep 2023 13:50, Falko Strenzke said:
> Insted we use:
>
>    gcry_md_ctl (hd, GCRYCTL_CSHAKE_N, n, nlen);
>    gcry_md_ctl (hd, GCRYCTL_CSHAKE_S, n, nlen)
>
> (which should return an error if the parmeters are not okay.
Agreed, we will use gcry_md_ctl like you are proposing.
>
>>     have to be made to set N and S in that order. If data is added
>>     without having made these calls, then it will behave as normal
>>     SHAKE as required by the specification.
> Well, in that case we may not even need GCRY_MD_CSHAKE but could reuse
> GCRY_MD_SHAKE256 and check that the parameters are only used for this
> algo - a test which is anyway required.  Below an unfinished example.
I don't understand what you mean exactly by "we may not even need 
GCRY_MD_CSHAKE". Maybe it is with respect to how we implement it, in 
that case see my comment below on reusing the SHAKE implementation.
>
>
> --8<---------------cut here---------------start------------->8---
> commit 1b4bb2ee125a91084f0fe6fa74d57cd47d2164fe (HEAD -> refs/heads/master)
> Author: Werner Koch<wk at gnupg.org>
> Date:   Thu Sep 14 14:43:13 2023 +0200
>
>      xxxxxxxxxxxxxxxxxxxxxxx
>
> 	Modified   cipher/md.c
> diff --git a/cipher/md.c b/cipher/md.c
> index a128dd82..4052bc90 100644
> --- a/cipher/md.c
> +++ b/cipher/md.c
> @@ -1001,8 +1001,6 @@ _gcry_md_ctl (gcry_md_hd_t hd, int cmd, void *buffer, size_t buflen)
>   {
>     gcry_err_code_t rc = 0;
>
> -  (void)buflen; /* Currently not used.  */
> -
>     switch (cmd)
>       {
>       case GCRYCTL_FINALIZE:
> @@ -1014,6 +1012,12 @@ _gcry_md_ctl (gcry_md_hd_t hd, int cmd, void *buffer, size_t buflen)
>       case GCRYCTL_STOP_DUMP:
>         md_stop_debug ( hd );
>         break;
> +    case GCRYCTL_CSHAKE_N:
> +      rc = _gcry_md_cshake_set_n (hd, buffer, buflen);
> +      break;
> +    case GCRYCTL_CSHAKE_S:
> +      rc = _gcry_md_cshake_set_s (hd, buffer, buflen);
> +      break;
>       default:
>         rc = GPG_ERR_INV_OP;
>       }
Makes sense to me.
> 	Modified   src/gcrypt.h.in
> diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
> index 7dc1196b..a861a11e 100644
> --- a/src/gcrypt.h.in
> +++ b/src/gcrypt.h.in
> @@ -333,7 +333,9 @@ enum gcry_ctl_cmds
>       GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
>       GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
>       GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
> -    GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87
> +    GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
> +    GCRYCTL_CSHAKE_N = 88,
> +    GCRYCTL_CSHAKE_S = 89
OK.
>     };
>
>   /* Perform various operations defined by CMD. */
> @@ -1304,7 +1306,8 @@ enum gcry_md_algos
>       GCRY_MD_BLAKE2S_128   = 325,
>       GCRY_MD_SM3           = 326,
>       GCRY_MD_SHA512_256    = 327,
> -    GCRY_MD_SHA512_224    = 328
> +    GCRY_MD_SHA512_224    = 328,
> +    GCRY_MD_CSHAKE        = 329

In my opinion we need to add GCRY_MD_CSHAKE128 and GCRY_MD_CSHAKE256, 
the two algorithms defined by NIST and needed for KMAC128 and KMAC256, 
respectively. The implementation that I have made is thin though, it 
basically reuses the SHAKE implementation and its functions together 
with the KECCAK_CONTEXT and only adds some state management for the 
additional inputs N and S (and of course the corresponding encoding 
functions). I will be able to provide it for review in the next weeks 
after the corrections we are still discussing.

- Falko

>
>
-- 

*MTG AG*
Dr. Falko Strenzke
Executive System Architect

Phone: +49 6151 8000 24
E-Mail: falko.strenzke at mtg.de
Web: mtg.de <https://www.mtg.de>


*MTG Exhibitions – See you in 2023*

------------------------------------------------------------------------
<https://community.e-world-essen.com/institutions/allExhibitors?query=true&keywords=mtg> 
<https://www.itsa365.de/de-de/companies/m/mtg-ag>

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email. Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20230914/84690039/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Sg1h9hNKk5xDxXDp.png
Type: image/png
Size: 5256 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20230914/84690039/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CyCRIsl2ctm9q9uc.png
Type: image/png
Size: 4906 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20230914/84690039/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4764 bytes
Desc: Kryptografische S/MIME-Signatur
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20230914/84690039/attachment-0001.bin>

More information about the Gcrypt-devel mailing list