taigrr/arduinolibs
1
0
Fork 0
mirror of https://github.com/taigrr/arduinolibs synced 2025-01-18 04:33:12 -08:00
Code Issues Projects Releases Wiki Activity

Extendable output functions: SHAKE128 and SHAKE256

Browse Source
This commit is contained in:
Rhys Weatherley 2016-02-14 08:27:27 +10:00
parent 41cc393de5
commit c624a3eab3
10 changed files with 1272 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
doc/crypto.dox
View File

@ -31,6 +31,7 @@
\li Stream ciphers: ChaCha
\li Authenticated encryption with associated data (AEAD): ChaChaPoly, EAX, GCM
\li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
\li Extendable output functions (XOF's): SHAKE128, SHAKE256
\li Message authenticators: Poly1305, GHASH, OMAC
\li Public key algorithms: Curve25519, Ed25519
\li Random number generation: \link RNGClass RNG\endlink, TransistorNoiseSource, RingOscillatorNoiseSource
@ -113,6 +114,10 @@ Ardunino Mega 2560 running at 16 MHz are similar:
<tr><td>Poly1305</td><td align="right">26.26us</td><td align="right">489.11us</td><td align="right">17.06us</td><td align="right">53</td></tr>
<tr><td>GHASH</td><td align="right">74.59us</td><td align="right">15.91us</td><td align="right">14.79us</td><td align="right">33</td></tr>
<tr><td colspan="5"> </td></tr>
<tr><td>XOF Algorithm</td><td align="right">Hashing (per byte)</td><td align="right">Extending (per byte)</td><td>Encryption (per byte)</td><td>State Size (bytes)</td></tr>
<tr><td>SHAKE128</td><td align="right">49.43us</td><td align="right">49.02us</td><td align="right">49.59us</td><td align="right">206</td></tr>
<tr><td>SHAKE256</td><td align="right">60.77us</td><td align="right">60.37us</td><td align="right">60.93us</td><td align="right">206</td></tr>
<tr><td colspan="5"> </td></tr>
<tr><td>Public Key Operation</td><td align="right">Time (per operation)</td><td colspan="3">Comment</td></tr>
<tr><td>Curve25519::eval()</td><td align="right">2716ms</td><td colspan="3">Raw curve evaluation</td></tr>
<tr><td>Curve25519::dh1()</td><td align="right">2718ms</td><td colspan="3">First half of Diffie-Hellman key agreement</td></tr>
@ -174,6 +179,10 @@ All figures are for the Arduino Due running at 84 MHz:
<tr><td>Poly1305</td><td align="right">0.81us</td><td align="right">19.01us</td><td align="right">2.57us</td><td align="right">60</td></tr>
<tr><td>GHASH</td><td align="right">4.47us</td><td align="right">1.52us</td><td align="right">2.60us</td><td align="right">36</td></tr>
<tr><td colspan="5"> </td></tr>
<tr><td>XOF Algorithm</td><td align="right">Hashing (per byte)</td><td align="right">Extending (per byte)</td><td>Encryption (per byte)</td><td>State Size (bytes)</td></tr>
<tr><td>SHAKE128</td><td align="right">4.60us</td><td align="right">4.45us</td><td align="right">4.59us</td><td align="right">232</td></tr>
<tr><td>SHAKE256</td><td align="right">5.64us</td><td align="right">5.49us</td><td align="right">5.63us</td><td align="right">232</td></tr>
<tr><td colspan="5"> </td></tr>
<tr><td>Public Key Operation</td><td align="right">Time (per operation)</td><td colspan="3">Comment</td></tr>
<tr><td>Curve25519::eval()</td><td align="right">103ms</td><td colspan="3">Raw curve evaluation</td></tr>
<tr><td>Curve25519::dh1()</td><td align="right">103ms</td><td colspan="3">First half of Diffie-Hellman key agreement</td></tr>

1
doc/mainpage.dox
View File

@ -96,6 +96,7 @@ realtime clock and the LCD library to implement an alarm clock.
\li Stream ciphers: ChaCha
\li Authenticated encryption with associated data (AEAD): ChaChaPoly, EAX, GCM
\li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
\li Extendable output functions (XOF's): SHAKE128, SHAKE256
\li Message authenticators: Poly1305, GHASH, OMAC
\li Public key algorithms: Curve25519, Ed25519
\li Random number generation: \link RNGClass RNG\endlink, TransistorNoiseSource, RingOscillatorNoiseSource

56
libraries/Crypto/KeccakCore.cpp
View File

@ -32,11 +32,11 @@
* \brief Keccak core sponge function.
*
* KeccakCore provides the core sponge function for different capacities.
* It is used to implement Hash algorithms such as SHA3.
* It is used to implement algorithms such as SHA3 and SHAKE.
*
* References: http://en.wikipedia.org/wiki/SHA-3
*
* \sa SHA3
* \sa SHA3_256, SHAKE256
*/
#if !defined(CRYPTO_LITTLE_ENDIAN)
@ -189,7 +189,7 @@ void KeccakCore::pad(uint8_t tag)
* If more than blockSize() bytes are required, the sponge function will
* be invoked to generate additional data.
*
* \sa update(), reset(), extractHash()
* \sa update(), reset(), encrypt()
*/
void KeccakCore::extract(void *data, size_t size)
{
@ -219,6 +219,56 @@ void KeccakCore::extract(void *data, size_t size)
}
}
/**
* \brief Extracts data from the Keccak sponge function and uses it to
* encrypt a buffer.
*
* \param output The output buffer to write to, which may be the same
* buffer as \a input. The \a output buffer must have at least as many
* bytes as the \a input buffer.
* \param input The input buffer to read from.
* \param size The number of bytes to encrypt.
*
* This function extracts data from the sponge function and then XOR's
* it with \a input to generate the \a output.
*
* If more than blockSize() bytes are required, the sponge function will
* be invoked to generate additional data.
*
* \sa update(), reset(), extract()
*/
void KeccakCore::encrypt(void *output, const void *input, size_t size)
{
// Stop accepting input while we are generating output.
state.inputSize = 0;
// Copy the output data into the caller's return buffer.
uint8_t *out = (uint8_t *)output;
const uint8_t *in = (const uint8_t *)input;
uint8_t tempSize;
while (size > 0) {
// Generate another output block if the current one has been exhausted.
if (state.outputSize >= _blockSize) {
keccakp();
state.outputSize = 0;
}
// How many bytes can we extract this time around?
tempSize = _blockSize - state.outputSize;
if (tempSize > size)
tempSize = size;
// XOR the partial output data into the caller's return buffer.
const uint8_t *d = ((const uint8_t *)(state.A)) + state.outputSize;
for (uint8_t index = 0; index < tempSize; ++index)
out[index] = in[index] ^ d[index];
state.outputSize += tempSize;
size -= tempSize;
out += tempSize;
in += tempSize;
}
}
/**
* \brief Clears all sensitive data from this object.
*/

1
libraries/Crypto/KeccakCore.h
View File

@ -43,6 +43,7 @@ public:
void pad(uint8_t tag);
void extract(void *data, size_t size);
void encrypt(void *output, const void *input, size_t size);
void clear();

137
libraries/Crypto/SHAKE.cpp Normal file
View File

@ -0,0 +1,137 @@
/*
* Copyright (C) 2016 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#include "SHAKE.h"
/**
* \class SHAKE SHAKE.h <SHAKE.h>
* \brief Abstract base class for the SHAKE Extendable-Output Functions (XOFs).
*
* Reference: http://en.wikipedia.org/wiki/SHA-3
*
* \sa SHAKE256, SHAKE128, SHA3_256
*/
/**
* \brief Constructs a SHAKE object.
*
* \param capacity The capacity of the Keccak sponge function in bits which
* should be a multiple of 64 and between 64 and 1536.
*/
SHAKE::SHAKE(size_t capacity)
: finalized(false)
{
core.setCapacity(capacity);
}
/**
* \brief Destroys this SHAKE object after clearing all sensitive information.
*/
SHAKE::~SHAKE()
{
}
size_t SHAKE::blockSize() const
{
return core.blockSize();
}
void SHAKE::reset()
{
core.reset();
finalized = false;
}
void SHAKE::update(const void *data, size_t len)
{
if (finalized)
reset();
core.update(data, len);
}
void SHAKE::extend(uint8_t *data, size_t len)
{
if (!finalized) {
core.pad(0x1F);
finalized = true;
}
core.extract(data, len);
}
void SHAKE::encrypt(uint8_t *output, const uint8_t *input, size_t len)
{
if (!finalized) {
core.pad(0x1F);
finalized = true;
}
core.encrypt(output, input, len);
}
void SHAKE::clear()
{
core.clear();
finalized = false;
}
/**
* \class SHAKE128 SHAKE.h <SHAKE.h>
* \brief SHAKE Extendable-Output Function (XOF) with 128-bit security.
*
* Reference: http://en.wikipedia.org/wiki/SHA-3
*
* \sa SHAKE256, SHAKE, SHA3_256
*/
/**
* \fn SHAKE128::SHAKE128()
* \brief Constructs a SHAKE object with 128-bit security.
*/
/**
* \brief Destroys this SHAKE128 object after clearing all sensitive
* information.
*/
SHAKE128::~SHAKE128()
{
}
/**
* \class SHAKE256 SHAKE.h <SHAKE.h>
* \brief SHAKE Extendable-Output Function (XOF) with 256-bit security.
*
* Reference: http://en.wikipedia.org/wiki/SHA-3
*
* \sa SHAKE128, SHAKE, SHA3_256
*/
/**
* \fn SHAKE256::SHAKE256()
* \brief Constructs a SHAKE object with 256-bit security.
*/
/**
* \brief Destroys this SHAKE256 object after clearing all sensitive
* information.
*/
SHAKE256::~SHAKE256()
{
}

66
libraries/Crypto/SHAKE.h Normal file
View File

@ -0,0 +1,66 @@
/*
* Copyright (C) 2016 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#ifndef CRYPTO_SHAKE_h
#define CRYPTO_SHAKE_h
#include "XOF.h"
#include "KeccakCore.h"
class SHAKE : public XOF
{
public:
virtual ~SHAKE();
size_t blockSize() const;
void reset();
void update(const void *data, size_t len);
void extend(uint8_t *data, size_t len);
void encrypt(uint8_t *output, const uint8_t *input, size_t len);
void clear();
protected:
SHAKE(size_t capacity);
private:
KeccakCore core;
bool finalized;
};
class SHAKE128 : public SHAKE
{
public:
SHAKE128() : SHAKE(256) {}
virtual ~SHAKE128();
};
class SHAKE256 : public SHAKE
{
public:
SHAKE256() : SHAKE(512) {}
virtual ~SHAKE256();
};
#endif

216
libraries/Crypto/XOF.cpp Normal file
View File

@ -0,0 +1,216 @@
/*
* Copyright (C) 2016 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#include "XOF.h"
/**
* \class XOF XOF.h <XOF.h>
* \brief Abstract base class for Extendable-Output Functions (XOFs).
*
* Extendable-Output Functions, or XOFs, are a new class of cryptographic
* primitive that was defined by NIST during the SHA-3 standardization
* process. Essentially an XOF is a hash algorithm that has an
* arbitrary-length output instead of a fixed-length digest.
*
* XOFs can be used for a variety of cryptographic tasks:
*
* \li Mask generation functions for RSA OAEP style padding.
* \li Key derivation functions for expanding key seed material into
* arbitrary amounts of keying material for a secure session.
* \li Stream ciphers based on a key and IV.
*
* To use an XOF, it is first reset() and then data is added via multiple
* calls to update():
*
* \code
* SHAKE256 xof;
* xof.reset();
* xof.update(data1, sizeof(data1));
* xof.update(data2, sizeof(data2));
* ...
* \endcode
*
* Once all input data has been added, the XOF switches into extend mode
* to generate the arbitrary-length output data:
*
* \code
* xof.extend(output1, sizeof(output1));
* xof.extend(output2, sizeof(output2));
* ...
* \endcode
*
* Mask generation and key derivation is achieved as follows, where the
* key is unique for each invocation:
*
* \code
* SHAKE256 xof;
* xof.reset();
* xof.update(key, sizeof(key));
* xof.extend(output, sizeof(output));
* \endcode
*
* Stream ciphers can be constructed as follows, using the special
* encrypt() function that XOR's the output of extend() with the
* input plaintext to generate the output ciphertext (or alternatively
* XOR's the output of extend() with the ciphertext to recover the
* plaintext):
*
* \code
* SHAKE256 xof;
* xof.reset();
* xof.update(key, sizeof(key));
* xof.update(iv, sizeof(iv));
* xof.encrypt(output1, input1, sizeof(input1));
* xof.encrypt(output2, input2, sizeof(input2));
* ...
* \endcode
*
* If the key is reused, then the IV must be different for each session
* or the encryption scheme can be easily broken. It is better to
* generate a new key and IV combination for every session.
*
* It may also be a good idea to include some tag information with the input
* data to distinguish different uses of the XOF. For example:
*
* \code
* SHAKE256 xof;
* xof.reset();
* xof.update(key, sizeof(key));
* xof.update(iv, sizeof(iv));
* xof.update("MyCrypt", 7);
* xof.encrypt(output, input, sizeof(input));
* \endcode
*
* If the same key and IV was used with a different package, then it would
* not generate the same output as "MyCrypt".
*
* NIST warns that XOFs should not be used in place of hash functions.
* This is because of related outputs: if the same input is provided to
* an XOF with different output lengths, then the shorter output will
* be a prefix of the larger. This breaks the expected collision-resistance
* of regular hash functions. There is typically no need to use an XOF
* for hashing because NIST has already defined SHA3_256 and SHA3_512
* for that purpose.
*
* Reference: http://en.wikipedia.org/wiki/SHA-3
*
* \sa SHAKE256, SHAKE128, SHA3_256
*/
/**
* \brief Constructs a new XOF object.
*/
XOF::XOF()
{
}
/**
* \brief Destroys this XOF object.
*
* \note Subclasses are responsible for clearing any sensitive data
* that remains in the XOF object when it is destroyed.
*
* \sa clear()
*/
XOF::~XOF()
{
}
/**
* \fn size_t XOF::blockSize() const
* \brief Size of the internal block used by the XOF algorithm, in bytes.
*
* \sa update()
*/
/**
* \fn void XOF::reset()
* \brief Resets the XOF ready for a new session.
*
* \sa update(), extend(), encrypt()
*/
/**
* \fn void XOF::update(const void *data, size_t len)
* \brief Updates the XOF with more data.
*
* \param data Data to be hashed.
* \param len Number of bytes of data to be added to the XOF.
*
* If extend() or encrypt() has already been called, then the behavior of
* update() will be undefined. Call reset() first to start a new session.
*
* \sa reset(), extend(), encrypt()
*/
/**
* \fn void XOF::extend(uint8_t *data, size_t len)
* \brief Generates extendable output from this XOF.
*
* \param data The data buffer to be filled.
* \param len The number of bytes to write to \a data.
*
* \sa reset(), update(), encrypt()
*/
/**
* \fn void XOF::encrypt(uint8_t *output, const uint8_t *input, size_t len)
* \brief Encrypts an input buffer with extendable output from this XOF.
*
* \param output The output buffer to write to, which may be the same
* buffer as \a input. The \a output buffer must have at least as many
* bytes as the \a input buffer.
* \param input The input buffer to read from.
* \param len The number of bytes to encrypt.
*
* This function is a convenience that generates data with extend() and
* then XOR's it with the contents of \a input to generate the \a output.
* This function can also be used to decrypt.
*
* The encrypt() function can be called multiple times with different
* regions of the plaintext data.
*
* \sa reset(), update(), extend(), decrypt()
*/
/**
* \fn void XOF::decrypt(uint8_t *output, const uint8_t *input, size_t len)
* \brief Decrypts an input buffer with extendable output from this XOF.
*
* \param output The output buffer to write to, which may be the same
* buffer as \a input. The \a output buffer must have at least as many
* bytes as the \a input buffer.
* \param input The input buffer to read from.
* \param len The number of bytes to encrypt.
*
* This is a convenience function that merely calls encrypt().
*
* \sa reset(), update(), extend(), encrypt()
*/
/**
* \fn void XOF::clear()
* \brief Clears the hash state, removing all sensitive data, and then
* resets the XOF ready for a new session.
*
* \sa reset()
*/

51
libraries/Crypto/XOF.h Normal file
View File

@ -0,0 +1,51 @@
/*
* Copyright (C) 2016 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#ifndef CRYPTO_XOF_h
#define CRYPTO_XOF_h
#include <inttypes.h>
#include <stddef.h>
class XOF
{
public:
XOF();
virtual ~XOF();
virtual size_t blockSize() const = 0;
virtual void reset() = 0;
virtual void update(const void *data, size_t len) = 0;
virtual void extend(uint8_t *data, size_t len) = 0;
virtual void encrypt(uint8_t *output, const uint8_t *input, size_t len) = 0;
inline void decrypt(uint8_t *output, const uint8_t *input, size_t len)
{
encrypt(output, input, len);
}
virtual void clear() = 0;
};
#endif

371
libraries/Crypto/examples/TestSHAKE128/TestSHAKE128.ino Normal file
View File

@ -0,0 +1,371 @@
/*
* Copyright (C) 2016 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
/*
This example runs tests on the SHAKE128 implementation to verify
correct behaviour.
*/
#include <Crypto.h>
#include <SHAKE.h>
#include <string.h>
#if defined(__AVR__)
#include <avr/pgmspace.h>
#else
#define PROGMEM
#define memcpy_P(d, s, l) memcpy((d), (s), (l))
#endif
#define MAX_HASH_DATA_SIZE 167
#define MAX_SHAKE_OUTPUT 256
struct TestHashVectorSHAKE
{
const char *name;
uint8_t data[MAX_HASH_DATA_SIZE];
size_t dataLen;
uint8_t hash[MAX_SHAKE_OUTPUT];
};
// Some test vectors from https://github.com/gvanas/KeccakCodePackage
static TestHashVectorSHAKE const testVectorSHAKE128_1 PROGMEM = {
"SHAKE128 #1",
{0},
0,
{0x7F, 0x9C, 0x2B, 0xA4, 0xE8, 0x8F, 0x82, 0x7D,
0x61, 0x60, 0x45, 0x50, 0x76, 0x05, 0x85, 0x3E,
0xD7, 0x3B, 0x80, 0x93, 0xF6, 0xEF, 0xBC, 0x88,
0xEB, 0x1A, 0x6E, 0xAC, 0xFA, 0x66, 0xEF, 0x26,
0x3C, 0xB1, 0xEE, 0xA9, 0x88, 0x00, 0x4B, 0x93,
0x10, 0x3C, 0xFB, 0x0A, 0xEE, 0xFD, 0x2A, 0x68,
0x6E, 0x01, 0xFA, 0x4A, 0x58, 0xE8, 0xA3, 0x63,
0x9C, 0xA8, 0xA1, 0xE3, 0xF9, 0xAE, 0x57, 0xE2,
0x35, 0xB8, 0xCC, 0x87, 0x3C, 0x23, 0xDC, 0x62,
0xB8, 0xD2, 0x60, 0x16, 0x9A, 0xFA, 0x2F, 0x75,
0xAB, 0x91, 0x6A, 0x58, 0xD9, 0x74, 0x91, 0x88,
0x35, 0xD2, 0x5E, 0x6A, 0x43, 0x50, 0x85, 0xB2,
0xBA, 0xDF, 0xD6, 0xDF, 0xAA, 0xC3, 0x59, 0xA5,
0xEF, 0xBB, 0x7B, 0xCC, 0x4B, 0x59, 0xD5, 0x38,
0xDF, 0x9A, 0x04, 0x30, 0x2E, 0x10, 0xC8, 0xBC,
0x1C, 0xBF, 0x1A, 0x0B, 0x3A, 0x51, 0x20, 0xEA,
0x17, 0xCD, 0xA7, 0xCF, 0xAD, 0x76, 0x5F, 0x56,
0x23, 0x47, 0x4D, 0x36, 0x8C, 0xCC, 0xA8, 0xAF,
0x00, 0x07, 0xCD, 0x9F, 0x5E, 0x4C, 0x84, 0x9F,
0x16, 0x7A, 0x58, 0x0B, 0x14, 0xAA, 0xBD, 0xEF,
0xAE, 0xE7, 0xEE, 0xF4, 0x7C, 0xB0, 0xFC, 0xA9,
0x76, 0x7B, 0xE1, 0xFD, 0xA6, 0x94, 0x19, 0xDF,
0xB9, 0x27, 0xE9, 0xDF, 0x07, 0x34, 0x8B, 0x19,
0x66, 0x91, 0xAB, 0xAE, 0xB5, 0x80, 0xB3, 0x2D,
0xEF, 0x58, 0x53, 0x8B, 0x8D, 0x23, 0xF8, 0x77,
0x32, 0xEA, 0x63, 0xB0, 0x2B, 0x4F, 0xA0, 0xF4,
0x87, 0x33, 0x60, 0xE2, 0x84, 0x19, 0x28, 0xCD,
0x60, 0xDD, 0x4C, 0xEE, 0x8C, 0xC0, 0xD4, 0xC9,
0x22, 0xA9, 0x61, 0x88, 0xD0, 0x32, 0x67, 0x5C,
0x8A, 0xC8, 0x50, 0x93, 0x3C, 0x7A, 0xFF, 0x15,
0x33, 0xB9, 0x4C, 0x83, 0x4A, 0xDB, 0xB6, 0x9C,
0x61, 0x15, 0xBA, 0xD4, 0x69, 0x2D, 0x86, 0x19}
};
static TestHashVectorSHAKE const testVectorSHAKE128_2 PROGMEM = {
"SHAKE128 #2",
{0x1F, 0x87, 0x7C},
3,
{0xE2, 0xD3, 0x14, 0x46, 0x69, 0xAB, 0x57, 0x83,
0x47, 0xFC, 0xCA, 0x0B, 0x57, 0x27, 0x83, 0xA2,
0x69, 0xA8, 0xCF, 0x9A, 0xDD, 0xA4, 0xD8, 0x77,
0x82, 0x05, 0x3D, 0x80, 0xD5, 0xF0, 0xFD, 0xD2,
0x78, 0x35, 0xCF, 0x88, 0x30, 0x36, 0xE5, 0x36,
0xCE, 0x76, 0xFE, 0xF6, 0x89, 0xA5, 0xE7, 0xBD,
0x64, 0x6A, 0x7F, 0xB7, 0xD7, 0x4F, 0x09, 0x01,
0x93, 0xB2, 0x39, 0x0E, 0x61, 0x47, 0x59, 0xB7,
0xEB, 0x7D, 0xE9, 0x15, 0xA3, 0x83, 0x28, 0x74,
0x58, 0x90, 0xB1, 0xEF, 0x1E, 0x7A, 0xED, 0x78,
0x16, 0x8E, 0x99, 0x6D, 0x7A, 0xC7, 0x74, 0xD4,
0x7F, 0x8F, 0x11, 0x8B, 0x3E, 0x00, 0xA7, 0xBD,
0x15, 0x11, 0x31, 0xBA, 0x37, 0x05, 0xAE, 0x81,
0xB5, 0x7F, 0xB7, 0xCB, 0xFF, 0xE1, 0x14, 0xE2,
0xF4, 0xC3, 0xCA, 0x15, 0x2B, 0x88, 0x74, 0xFB,
0x90, 0x6E, 0x86, 0x28, 0x40, 0x62, 0x4E, 0x02,
0xBB, 0xF9, 0x50, 0x2E, 0x46, 0xD8, 0x88, 0x84,
0x33, 0xA3, 0x8E, 0x82, 0xE0, 0x4C, 0xAA, 0xCB,
0x60, 0x01, 0x92, 0x22, 0xD4, 0x33, 0xE8, 0xF2,
0xE7, 0x58, 0xBD, 0x41, 0xAA, 0xB3, 0x95, 0xBF,
0x83, 0x61, 0x1F, 0xD0, 0xC3, 0xF7, 0xFD, 0x51,
0x73, 0x30, 0x61, 0x82, 0x44, 0x9B, 0x9A, 0x22,
0xC4, 0x01, 0x3F, 0x22, 0x63, 0xB4, 0x1E, 0xAC,
0x4D, 0x0E, 0xDA, 0x16, 0x85, 0x49, 0x61, 0xFB,
0xAA, 0x6A, 0xD0, 0x4A, 0x89, 0xE7, 0x2A, 0x60,
0x2A, 0xC5, 0x96, 0x59, 0xEC, 0x2A, 0x60, 0xC1,
0xD0, 0x20, 0xBA, 0xCC, 0x74, 0xA7, 0x11, 0xD4,
0x25, 0x4A, 0x2E, 0xCC, 0x5F, 0x8F, 0x06, 0x27,
0xB4, 0xF7, 0x2A, 0xE1, 0x30, 0xC5, 0x05, 0x90,
0xF8, 0xB9, 0x1C, 0x52, 0x95, 0x7B, 0x79, 0x5D,
0x12, 0xDA, 0x09, 0xBD, 0xD4, 0x0D, 0x41, 0xE3,
0xCD, 0x48, 0xE3, 0x0E, 0x37, 0xFE, 0x5F, 0xD0}
};
static TestHashVectorSHAKE const testVectorSHAKE128_3 PROGMEM = {
"SHAKE128 #3",
{0x0D, 0x8D, 0x09, 0xAE, 0xD1, 0x9F, 0x10, 0x13,
0x96, 0x9C, 0xE5, 0xE7, 0xEB, 0x92, 0xF8, 0x3A,
0x20, 0x9A, 0xE7, 0x6B, 0xE3, 0x1C, 0x75, 0x48,
0x44, 0xEA, 0x91, 0x16, 0xCE, 0xB3, 0x9A, 0x22,
0xEB, 0xB6, 0x00, 0x30, 0x17, 0xBB, 0xCF, 0x26,
0x55, 0x5F, 0xA6, 0x62, 0x41, 0x85, 0x18, 0x7D,
0xB8, 0xF0, 0xCB, 0x35, 0x64, 0xB8, 0xB1, 0xC0,
0x6B, 0xF6, 0x85, 0xD4, 0x7F, 0x32, 0x86, 0xED,
0xA2, 0x0B, 0x83, 0x35, 0x8F, 0x59, 0x9D, 0x20,
0x44, 0xBB, 0xF0, 0x58, 0x3F, 0xAB, 0x8D, 0x78,
0xF8, 0x54, 0xFE, 0x0A, 0x59, 0x61, 0x83, 0x23,
0x0C, 0x5E, 0xF8, 0xE5, 0x44, 0x26, 0x75, 0x0E,
0xAF, 0x2C, 0xC4, 0xE2, 0x9D, 0x3B, 0xDD, 0x03,
0x7E, 0x73, 0x4D, 0x86, 0x3C, 0x2B, 0xD9, 0x78,
0x9B, 0x4C, 0x24, 0x30, 0x96, 0x13, 0x8F, 0x76,
0x72, 0xC2, 0x32, 0x31, 0x4E, 0xFF, 0xDF, 0xC6,
0x51, 0x34, 0x27, 0xE2, 0xDA, 0x76, 0x91, 0x6B,
0x52, 0x48, 0x93, 0x3B, 0xE3, 0x12, 0xEB, 0x5D,
0xDE, 0x4C, 0xF7, 0x08, 0x04, 0xFB, 0x25, 0x8A,
0xC5, 0xFB, 0x82, 0xD5, 0x8D, 0x08, 0x17, 0x7A,
0xC6, 0xF4, 0x75, 0x60, 0x17, 0xFF, 0xF5},
167,
{0xC7, 0x3D, 0x8F, 0xAA, 0xB5, 0xD0, 0xB4, 0xD6,
0x60, 0xBD, 0x50, 0x82, 0xE4, 0x4C, 0x3C, 0xAC,
0x97, 0xE6, 0x16, 0x48, 0xBE, 0x0A, 0x04, 0xB1,
0x16, 0x72, 0x4E, 0x6F, 0x6B, 0x65, 0x76, 0x84,
0x67, 0x4B, 0x4B, 0x0E, 0x90, 0xD0, 0xAE, 0x96,
0xC0, 0x85, 0x3E, 0xBD, 0x83, 0x7B, 0xD8, 0x24,
0x9A, 0xDB, 0xD3, 0xB6, 0x0A, 0x1A, 0xD1, 0xFC,
0xF8, 0xA6, 0xAB, 0x8E, 0x2F, 0x5A, 0xA7, 0xFF,
0x19, 0x7A, 0x3D, 0x7D, 0xBE, 0xDE, 0xFB, 0x43,
0x3B, 0x61, 0x35, 0x36, 0xAE, 0xC4, 0xD6, 0x55,
0xB7, 0xBC, 0xD7, 0x78, 0x52, 0x6B, 0xE6, 0x67,
0x84, 0x7A, 0xCD, 0x2E, 0x05, 0x64, 0xD9, 0x6C,
0xE5, 0x14, 0x0C, 0x91, 0x35, 0x7F, 0xAD, 0xE0,
0x00, 0xEF, 0xCB, 0x40, 0x45, 0x7E, 0x1B, 0x6C,
0xED, 0x41, 0xFA, 0x10, 0x2E, 0x36, 0xE7, 0x99,
0x79, 0x2D, 0xB0, 0x3E, 0x9A, 0x40, 0xC7, 0x99,
0xBC, 0xA9, 0x12, 0x62, 0x94, 0x8E, 0x17, 0x60,
0x50, 0x65, 0xFB, 0xF6, 0x38, 0xFB, 0x40, 0xA1,
0x57, 0xB4, 0x5C, 0xF7, 0x91, 0x1A, 0x75, 0x3D,
0x0D, 0x20, 0x5D, 0xF8, 0x47, 0x16, 0xA5, 0x71,
0x12, 0xBE, 0xAB, 0x44, 0xF6, 0x20, 0x1F, 0xF7,
0x5A, 0xAD, 0xE0, 0xBA, 0xFB, 0xA5, 0x04, 0x74,
0x5C, 0xFE, 0x23, 0xE4, 0xE6, 0x0E, 0x67, 0xE3,
0x99, 0x36, 0x22, 0xAE, 0xD7, 0x3A, 0x1D, 0xD6,
0xA4, 0x65, 0xBD, 0x45, 0x3D, 0xD3, 0xC5, 0xBA,
0x7D, 0x2C, 0xDF, 0x3F, 0x1D, 0x39, 0x37, 0x6A,
0x67, 0xC2, 0x3E, 0x55, 0x5F, 0x5A, 0xCF, 0x25,
0xBC, 0xE1, 0xE5, 0x5F, 0x30, 0x72, 0x52, 0xB9,
0xAA, 0xC2, 0xC0, 0xA3, 0x9C, 0x88, 0x5C, 0x7E,
0x44, 0xF2, 0x04, 0xCB, 0x82, 0x1C, 0x0D, 0x37,
0xA2, 0x2D, 0xE3, 0xA7, 0x1F, 0x3A, 0x19, 0x09,
0xB1, 0x1B, 0x71, 0x81, 0xC4, 0x2B, 0xE9, 0xB7}
};
SHAKE128 shake128;
TestHashVectorSHAKE tst;
uint8_t output[MAX_SHAKE_OUTPUT];
bool testSHAKE_N(SHAKE *shake, const struct TestHashVectorSHAKE *test, size_t inc, bool printName = false)
{
size_t size;
size_t posn, len;
// Copy the test case out of program memory.
memcpy_P(&tst, test, sizeof(tst));
test = &tst;
// Print the test name if necessary.
if (printName) {
Serial.print(test->name);
Serial.print(" ... ");
}
// Hash the input data.
if (!inc)
inc = 1;
size = test->dataLen;
shake->reset();
for (posn = 0; posn < size; posn += inc) {
len = size - posn;
if (len > inc)
len = inc;
shake->update(test->data + posn, len);
}
// Generate data using extend() and check it.
size = MAX_SHAKE_OUTPUT;
for (posn = 0; posn < size; posn += inc) {
len = size - posn;
if (len > inc)
len = inc;
shake->extend(output + posn, len);
}
if (memcmp(output, test->hash, size) != 0)
return false;
// Restart and use encrypt() this time.
shake->reset();
shake->update(test->data, test->dataLen);
for (posn = 0; posn < size; ++posn)
output[posn] = (uint8_t)(posn + 0xAA);
for (posn = 0; posn < size; posn += inc) {
len = size - posn;
if (len > inc)
len = inc;
shake->encrypt(output + posn, output + posn, len);
}
for (posn = 0; posn < size; ++posn)
output[posn] ^= (uint8_t)(posn + 0xAA);
if (memcmp(output, test->hash, size) != 0)
return false;
return true;
}
void testSHAKE(SHAKE *shake, const struct TestHashVectorSHAKE *test)
{
bool ok;
const char *str;
uint8_t ch;
size_t dataLen;
memcpy_P(&dataLen, &(test->dataLen), sizeof(size_t));
ok = testSHAKE_N(shake, test, dataLen, true);
ok &= testSHAKE_N(shake, test, 1);
ok &= testSHAKE_N(shake, test, 2);
ok &= testSHAKE_N(shake, test, 5);
ok &= testSHAKE_N(shake, test, 8);
ok &= testSHAKE_N(shake, test, 13);
ok &= testSHAKE_N(shake, test, 16);
ok &= testSHAKE_N(shake, test, 24);
ok &= testSHAKE_N(shake, test, 63);
ok &= testSHAKE_N(shake, test, 64);
if (ok)
Serial.println("Passed");
else
Serial.println("Failed");
}
void perfUpdate(SHAKE *shake)
{
unsigned long start;
unsigned long elapsed;
int count;
Serial.print("Updating ... ");
for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
output[posn] = (uint8_t)posn;
shake->reset();
start = micros();
for (count = 0; count < 300; ++count) {
shake->update(output, MAX_SHAKE_OUTPUT);
}
shake->extend(output, 0); // Force a finalize after the update.
elapsed = micros() - start;
Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
Serial.print("us per byte, ");
Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
Serial.println(" bytes per second");
}
void perfExtend(SHAKE *shake)
{
unsigned long start;
unsigned long elapsed;
int count;
Serial.print("Extending ... ");
for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
output[posn] = (uint8_t)posn;
shake->reset();
shake->update(output, MAX_SHAKE_OUTPUT);
shake->extend(output, 0); // Force a finalize after the update.
start = micros();
for (count = 0; count < 300; ++count) {
shake->extend(output, MAX_SHAKE_OUTPUT);
}
elapsed = micros() - start;
Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
Serial.print("us per byte, ");
Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
Serial.println(" bytes per second");
}
void perfEncrypt(SHAKE *shake)
{
unsigned long start;
unsigned long elapsed;
int count;
Serial.print("Encrypting ... ");
for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
output[posn] = (uint8_t)posn;
shake->reset();
shake->update(output, MAX_SHAKE_OUTPUT);
shake->extend(output, 0); // Force a finalize after the update.
start = micros();
for (count = 0; count < 300; ++count) {
shake->encrypt(output, output, MAX_SHAKE_OUTPUT);
}
elapsed = micros() - start;
Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
Serial.print("us per byte, ");
Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
Serial.println(" bytes per second");
}
void setup()
{
Serial.begin(9600);
Serial.println();
Serial.print("State Size ...");
Serial.println(sizeof(SHAKE128));
Serial.println();
Serial.println("Test Vectors:");
testSHAKE(&shake128, &testVectorSHAKE128_1);
testSHAKE(&shake128, &testVectorSHAKE128_2);
testSHAKE(&shake128, &testVectorSHAKE128_3);
Serial.println();
Serial.println("Performance Tests:");
perfUpdate(&shake128);
perfExtend(&shake128);
perfEncrypt(&shake128);
}
void loop()
{
}

367
libraries/Crypto/examples/TestSHAKE256/TestSHAKE256.ino Normal file
View File

@ -0,0 +1,367 @@
/*
* Copyright (C) 2016 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
/*
This example runs tests on the SHAKE256 implementation to verify
correct behaviour.
*/
#include <Crypto.h>
#include <SHAKE.h>
#include <string.h>
#if defined(__AVR__)
#include <avr/pgmspace.h>
#else
#define PROGMEM
#define memcpy_P(d, s, l) memcpy((d), (s), (l))
#endif
#define MAX_HASH_DATA_SIZE 135
#define MAX_SHAKE_OUTPUT 256
struct TestHashVectorSHAKE
{
const char *name;
uint8_t data[MAX_HASH_DATA_SIZE];
size_t dataLen;
uint8_t hash[MAX_SHAKE_OUTPUT];
};
// Some test vectors from https://github.com/gvanas/KeccakCodePackage
static TestHashVectorSHAKE const testVectorSHAKE256_1 PROGMEM = {
"SHAKE256 #1",
{0},
0,
{0x46, 0xB9, 0xDD, 0x2B, 0x0B, 0xA8, 0x8D, 0x13,
0x23, 0x3B, 0x3F, 0xEB, 0x74, 0x3E, 0xEB, 0x24,
0x3F, 0xCD, 0x52, 0xEA, 0x62, 0xB8, 0x1B, 0x82,
0xB5, 0x0C, 0x27, 0x64, 0x6E, 0xD5, 0x76, 0x2F,
0xD7, 0x5D, 0xC4, 0xDD, 0xD8, 0xC0, 0xF2, 0x00,
0xCB, 0x05, 0x01, 0x9D, 0x67, 0xB5, 0x92, 0xF6,
0xFC, 0x82, 0x1C, 0x49, 0x47, 0x9A, 0xB4, 0x86,
0x40, 0x29, 0x2E, 0xAC, 0xB3, 0xB7, 0xC4, 0xBE,
0x14, 0x1E, 0x96, 0x61, 0x6F, 0xB1, 0x39, 0x57,
0x69, 0x2C, 0xC7, 0xED, 0xD0, 0xB4, 0x5A, 0xE3,
0xDC, 0x07, 0x22, 0x3C, 0x8E, 0x92, 0x93, 0x7B,
0xEF, 0x84, 0xBC, 0x0E, 0xAB, 0x86, 0x28, 0x53,
0x34, 0x9E, 0xC7, 0x55, 0x46, 0xF5, 0x8F, 0xB7,
0xC2, 0x77, 0x5C, 0x38, 0x46, 0x2C, 0x50, 0x10,
0xD8, 0x46, 0xC1, 0x85, 0xC1, 0x51, 0x11, 0xE5,
0x95, 0x52, 0x2A, 0x6B, 0xCD, 0x16, 0xCF, 0x86,
0xF3, 0xD1, 0x22, 0x10, 0x9E, 0x3B, 0x1F, 0xDD,
0x94, 0x3B, 0x6A, 0xEC, 0x46, 0x8A, 0x2D, 0x62,
0x1A, 0x7C, 0x06, 0xC6, 0xA9, 0x57, 0xC6, 0x2B,
0x54, 0xDA, 0xFC, 0x3B, 0xE8, 0x75, 0x67, 0xD6,
0x77, 0x23, 0x13, 0x95, 0xF6, 0x14, 0x72, 0x93,
0xB6, 0x8C, 0xEA, 0xB7, 0xA9, 0xE0, 0xC5, 0x8D,
0x86, 0x4E, 0x8E, 0xFD, 0xE4, 0xE1, 0xB9, 0xA4,
0x6C, 0xBE, 0x85, 0x47, 0x13, 0x67, 0x2F, 0x5C,
0xAA, 0xAE, 0x31, 0x4E, 0xD9, 0x08, 0x3D, 0xAB,
0x4B, 0x09, 0x9F, 0x8E, 0x30, 0x0F, 0x01, 0xB8,
0x65, 0x0F, 0x1F, 0x4B, 0x1D, 0x8F, 0xCF, 0x3F,
0x3C, 0xB5, 0x3F, 0xB8, 0xE9, 0xEB, 0x2E, 0xA2,
0x03, 0xBD, 0xC9, 0x70, 0xF5, 0x0A, 0xE5, 0x54,
0x28, 0xA9, 0x1F, 0x7F, 0x53, 0xAC, 0x26, 0x6B,
0x28, 0x41, 0x9C, 0x37, 0x78, 0xA1, 0x5F, 0xD2,
0x48, 0xD3, 0x39, 0xED, 0xE7, 0x85, 0xFB, 0x7F}
};
static TestHashVectorSHAKE const testVectorSHAKE256_2 PROGMEM = {
"SHAKE256 #2",
{0x1F, 0x87, 0x7C},
3,
{0xF6, 0xBF, 0x03, 0x97, 0xDB, 0xFB, 0xB2, 0x0E,
0x4A, 0xE3, 0x0F, 0x0A, 0x47, 0xFE, 0x97, 0x6C,
0xD1, 0x09, 0xB3, 0xAA, 0x09, 0xB0, 0xE3, 0xF2,
0x9F, 0x56, 0x0E, 0x4E, 0xD3, 0x33, 0xC0, 0xD0,
0x83, 0x32, 0x6B, 0x03, 0xF6, 0xEA, 0xEB, 0x57,
0xE2, 0x77, 0xBB, 0xFE, 0x1C, 0xCE, 0x36, 0xC4,
0x99, 0x43, 0x4D, 0x83, 0x8C, 0xB4, 0xC8, 0xCD,
0x8B, 0x02, 0xA8, 0x77, 0x90, 0xF4, 0xA6, 0x71,
0x7B, 0x22, 0xD4, 0x6F, 0x92, 0x20, 0x39, 0x1C,
0x42, 0x0A, 0x1A, 0x1B, 0xFA, 0xA9, 0xED, 0x5B,
0x85, 0x11, 0x6B, 0xA1, 0xD9, 0xE1, 0x7F, 0xF1,
0x6F, 0x6B, 0xCE, 0x67, 0x04, 0xC8, 0x0A, 0x49,
0xFD, 0x9A, 0xC4, 0x26, 0x89, 0xDB, 0x09, 0x96,
0xC6, 0xBD, 0x32, 0x66, 0x69, 0x40, 0x77, 0xC6,
0xDE, 0x12, 0x00, 0x43, 0xA8, 0x27, 0xD4, 0x49,
0x79, 0xCE, 0x8C, 0xCC, 0x6A, 0xA7, 0xE5, 0x30,
0x8E, 0xBA, 0x64, 0xAC, 0xF9, 0xFF, 0xFF, 0x51,
0xD3, 0x6B, 0xC4, 0x40, 0x1F, 0x81, 0x17, 0xD4,
0xB9, 0x63, 0x40, 0xC6, 0x2D, 0x10, 0x6B, 0x0A,
0x64, 0x45, 0xF0, 0x19, 0x87, 0xF9, 0xC4, 0xC0,
0xA4, 0x20, 0xE1, 0xA9, 0xBA, 0xEB, 0x59, 0x4B,
0xCB, 0x1B, 0xDB, 0xFE, 0x59, 0xB6, 0x06, 0x5E,
0xB9, 0x1C, 0xBE, 0xB2, 0x52, 0x47, 0x3C, 0x78,
0x58, 0xEC, 0xA4, 0x75, 0xE1, 0xC8, 0x1E, 0x84,
0x25, 0xC7, 0xE2, 0xC1, 0x70, 0x6C, 0x4C, 0x4A,
0xBB, 0x3A, 0xEA, 0xE3, 0x93, 0x32, 0x47, 0x9E,
0xCD, 0xEF, 0xDF, 0xA9, 0x3C, 0x60, 0xEC, 0x40,
0x07, 0xA5, 0x1C, 0x5D, 0xD0, 0x93, 0xB5, 0x27,
0x26, 0x41, 0x55, 0xF2, 0x20, 0x2E, 0x01, 0xD2,
0x08, 0x3D, 0x27, 0xD7, 0x1A, 0x6F, 0x6C, 0x92,
0xD8, 0x39, 0xE6, 0xEA, 0x7D, 0x24, 0xAF, 0xDB,
0x5C, 0x43, 0x63, 0x0F, 0x1B, 0xD0, 0x6E, 0x2B}
};
static TestHashVectorSHAKE const testVectorSHAKE256_3 PROGMEM = {
"SHAKE256 #3",
{0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A,
0x93, 0xD1, 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A,
0x2E, 0xF0, 0xA8, 0xE8, 0x4D, 0x91, 0x81, 0x2F,
0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE, 0xF7, 0x32,
0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F,
0x10, 0xDC, 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39,
0xA6, 0x77, 0xB9, 0x60, 0x21, 0x8F, 0x71, 0xE7,
0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34, 0x94, 0x06,
0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89,
0x6B, 0x49, 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15,
0xAD, 0x96, 0x7C, 0x71, 0x2B, 0x24, 0xE5, 0x03,
0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C, 0x12, 0x74,
0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3,
0xB0, 0xFE, 0xD6, 0xA8, 0x05, 0x2F, 0xBB},
135,
{0x6C, 0x60, 0x95, 0x5D, 0xCB, 0x8A, 0x66, 0x3B,
0x6D, 0xC7, 0xF5, 0xEF, 0x7E, 0x06, 0x9C, 0xA8,
0xFE, 0x3D, 0xA9, 0x9A, 0x66, 0xDF, 0x65, 0x96,
0x92, 0x5D, 0x55, 0x7F, 0xED, 0x91, 0xF4, 0x70,
0x91, 0x40, 0x7D, 0x6F, 0xDE, 0x32, 0x02, 0x3B,
0x57, 0xE2, 0xEE, 0x4C, 0x6A, 0xC9, 0x7B, 0x07,
0x76, 0x24, 0xFA, 0xC2, 0x5F, 0x6E, 0x13, 0xF4,
0x19, 0x16, 0x96, 0xB4, 0x0A, 0x4D, 0xF7, 0x5F,
0x61, 0xCD, 0x55, 0x21, 0xD9, 0x82, 0xC6, 0xD0,
0x9D, 0x83, 0x42, 0xC1, 0x7A, 0x36, 0x6E, 0xC6,
0x34, 0x6E, 0x35, 0x28, 0xB2, 0x6C, 0xFF, 0x91,
0x5B, 0xE9, 0x44, 0x2B, 0x9E, 0xBC, 0xC3, 0x0F,
0xF2, 0xF6, 0xAD, 0xD0, 0xE8, 0x2B, 0xA9, 0x04,
0xC7, 0x37, 0x00, 0xCC, 0x99, 0xAC, 0xFF, 0x48,
0x0C, 0xAF, 0x04, 0x87, 0xCE, 0xE5, 0x4C, 0xBA,
0x37, 0x53, 0xB6, 0xA5, 0xDD, 0x6F, 0x0D, 0xFE,
0x65, 0x71, 0xF0, 0x11, 0x5E, 0x87, 0x37, 0xB0,
0x71, 0x03, 0x10, 0x23, 0xB6, 0xBB, 0x0D, 0x79,
0x86, 0x4C, 0x3F, 0x33, 0x16, 0x2E, 0x78, 0x26,
0x9C, 0xEE, 0x23, 0xFC, 0xE4, 0x7B, 0x91, 0xB4,
0xFD, 0xF9, 0x1F, 0x98, 0x46, 0x4A, 0x1D, 0x21,
0xE7, 0x99, 0xD1, 0x7F, 0x76, 0xC1, 0xBB, 0x80,
0x7D, 0xEE, 0x66, 0x7B, 0x0B, 0x27, 0x30, 0x54,
0xBE, 0x29, 0x82, 0x99, 0xBD, 0x12, 0xB7, 0xA8,
0x0F, 0xB3, 0x54, 0xCE, 0x3E, 0x6D, 0x1A, 0xCF,
0x98, 0x44, 0x38, 0x79, 0xA5, 0x54, 0xEC, 0xA6,
0xB9, 0x6D, 0xF0, 0x61, 0xD0, 0x4A, 0x11, 0x7C,
0x98, 0xAE, 0xEC, 0x1C, 0xDE, 0x1A, 0xFA, 0x9C,
0xEF, 0x62, 0xDD, 0x68, 0x6D, 0xA9, 0x1B, 0xB2,
0xB1, 0xF1, 0x23, 0x79, 0xBB, 0xDC, 0x9F, 0xA3,
0x2A, 0x6B, 0x69, 0x98, 0xB7, 0x7E, 0x8E, 0xB0,
0xB5, 0x05, 0x07, 0x86, 0x2A, 0xFA, 0x77, 0x99}
};
SHAKE256 shake256;
TestHashVectorSHAKE tst;
uint8_t output[MAX_SHAKE_OUTPUT];
bool testSHAKE_N(SHAKE *shake, const struct TestHashVectorSHAKE *test, size_t inc, bool printName = false)
{
size_t size;
size_t posn, len;
// Copy the test case out of program memory.
memcpy_P(&tst, test, sizeof(tst));
test = &tst;
// Print the test name if necessary.
if (printName) {
Serial.print(test->name);
Serial.print(" ... ");
}
// Hash the input data.
if (!inc)
inc = 1;
size = test->dataLen;
shake->reset();
for (posn = 0; posn < size; posn += inc) {
len = size - posn;
if (len > inc)
len = inc;
shake->update(test->data + posn, len);
}
// Generate data using extend() and check it.
size = MAX_SHAKE_OUTPUT;
for (posn = 0; posn < size; posn += inc) {
len = size - posn;
if (len > inc)
len = inc;
shake->extend(output + posn, len);
}
if (memcmp(output, test->hash, size) != 0)
return false;
// Restart and use encrypt() this time.
shake->reset();
shake->update(test->data, test->dataLen);
for (posn = 0; posn < size; ++posn)
output[posn] = (uint8_t)(posn + 0xAA);
for (posn = 0; posn < size; posn += inc) {
len = size - posn;
if (len > inc)
len = inc;
shake->encrypt(output + posn, output + posn, len);
}
for (posn = 0; posn < size; ++posn)
output[posn] ^= (uint8_t)(posn + 0xAA);
if (memcmp(output, test->hash, size) != 0)
return false;
return true;
}
void testSHAKE(SHAKE *shake, const struct TestHashVectorSHAKE *test)
{
bool ok;
const char *str;
uint8_t ch;
size_t dataLen;
memcpy_P(&dataLen, &(test->dataLen), sizeof(size_t));
ok = testSHAKE_N(shake, test, dataLen, true);
ok &= testSHAKE_N(shake, test, 1);
ok &= testSHAKE_N(shake, test, 2);
ok &= testSHAKE_N(shake, test, 5);
ok &= testSHAKE_N(shake, test, 8);
ok &= testSHAKE_N(shake, test, 13);
ok &= testSHAKE_N(shake, test, 16);
ok &= testSHAKE_N(shake, test, 24);
ok &= testSHAKE_N(shake, test, 63);
ok &= testSHAKE_N(shake, test, 64);
if (ok)
Serial.println("Passed");
else
Serial.println("Failed");
}
void perfUpdate(SHAKE *shake)
{
unsigned long start;
unsigned long elapsed;
int count;
Serial.print("Updating ... ");
for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
output[posn] = (uint8_t)posn;
shake->reset();
start = micros();
for (count = 0; count < 300; ++count) {
shake->update(output, MAX_SHAKE_OUTPUT);
}
shake->extend(output, 0); // Force a finalize after the update.
elapsed = micros() - start;
Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
Serial.print("us per byte, ");
Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
Serial.println(" bytes per second");
}
void perfExtend(SHAKE *shake)
{
unsigned long start;
unsigned long elapsed;
int count;
Serial.print("Extending ... ");
for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
output[posn] = (uint8_t)posn;
shake->reset();
shake->update(output, MAX_SHAKE_OUTPUT);
shake->extend(output, 0); // Force a finalize after the update.
start = micros();
for (count = 0; count < 300; ++count) {
shake->extend(output, MAX_SHAKE_OUTPUT);
}
elapsed = micros() - start;
Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
Serial.print("us per byte, ");
Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
Serial.println(" bytes per second");
}
void perfEncrypt(SHAKE *shake)
{
unsigned long start;
unsigned long elapsed;
int count;
Serial.print("Encrypting ... ");
for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
output[posn] = (uint8_t)posn;
shake->reset();
shake->update(output, MAX_SHAKE_OUTPUT);
shake->extend(output, 0); // Force a finalize after the update.
start = micros();
for (count = 0; count < 300; ++count) {
shake->encrypt(output, output, MAX_SHAKE_OUTPUT);
}
elapsed = micros() - start;
Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
Serial.print("us per byte, ");
Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
Serial.println(" bytes per second");
}
void setup()
{
Serial.begin(9600);
Serial.println();
Serial.print("State Size ...");
Serial.println(sizeof(SHAKE256));
Serial.println();
Serial.println("Test Vectors:");
testSHAKE(&shake256, &testVectorSHAKE256_1);
testSHAKE(&shake256, &testVectorSHAKE256_2);
testSHAKE(&shake256, &testVectorSHAKE256_3);
Serial.println();
Serial.println("Performance Tests:");
perfUpdate(&shake256);
perfExtend(&shake256);
perfEncrypt(&shake256);
}
void loop()
{
}