diff --git a/doc/crypto.dox b/doc/crypto.dox
index 156e827f..d2546451 100644
--- a/doc/crypto.dox
+++ b/doc/crypto.dox
@@ -31,6 +31,7 @@
\li Stream ciphers: ChaCha
\li Authenticated encryption with associated data (AEAD): ChaChaPoly, EAX, GCM
\li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
+\li Extendable output functions (XOF's): SHAKE128, SHAKE256
\li Message authenticators: Poly1305, GHASH, OMAC
\li Public key algorithms: Curve25519, Ed25519
\li Random number generation: \link RNGClass RNG\endlink, TransistorNoiseSource, RingOscillatorNoiseSource
@@ -113,6 +114,10 @@ Ardunino Mega 2560 running at 16 MHz are similar:
| Poly1305 | 26.26us | 489.11us | 17.06us | 53 |
| GHASH | 74.59us | 15.91us | 14.79us | 33 |
| |
+| XOF Algorithm | Hashing (per byte) | Extending (per byte) | Encryption (per byte) | State Size (bytes) |
+| SHAKE128 | 49.43us | 49.02us | 49.59us | 206 |
+| SHAKE256 | 60.77us | 60.37us | 60.93us | 206 |
+| |
| Public Key Operation | Time (per operation) | Comment |
| Curve25519::eval() | 2716ms | Raw curve evaluation |
| Curve25519::dh1() | 2718ms | First half of Diffie-Hellman key agreement |
@@ -174,6 +179,10 @@ All figures are for the Arduino Due running at 84 MHz:
| Poly1305 | 0.81us | 19.01us | 2.57us | 60 |
| GHASH | 4.47us | 1.52us | 2.60us | 36 |
| |
+| XOF Algorithm | Hashing (per byte) | Extending (per byte) | Encryption (per byte) | State Size (bytes) |
+| SHAKE128 | 4.60us | 4.45us | 4.59us | 232 |
+| SHAKE256 | 5.64us | 5.49us | 5.63us | 232 |
+| |
| Public Key Operation | Time (per operation) | Comment |
| Curve25519::eval() | 103ms | Raw curve evaluation |
| Curve25519::dh1() | 103ms | First half of Diffie-Hellman key agreement |
diff --git a/doc/mainpage.dox b/doc/mainpage.dox
index 892772a9..27c319a0 100644
--- a/doc/mainpage.dox
+++ b/doc/mainpage.dox
@@ -96,6 +96,7 @@ realtime clock and the LCD library to implement an alarm clock.
\li Stream ciphers: ChaCha
\li Authenticated encryption with associated data (AEAD): ChaChaPoly, EAX, GCM
\li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
+\li Extendable output functions (XOF's): SHAKE128, SHAKE256
\li Message authenticators: Poly1305, GHASH, OMAC
\li Public key algorithms: Curve25519, Ed25519
\li Random number generation: \link RNGClass RNG\endlink, TransistorNoiseSource, RingOscillatorNoiseSource
diff --git a/libraries/Crypto/KeccakCore.cpp b/libraries/Crypto/KeccakCore.cpp
index 1abfb604..4cc108af 100644
--- a/libraries/Crypto/KeccakCore.cpp
+++ b/libraries/Crypto/KeccakCore.cpp
@@ -32,11 +32,11 @@
* \brief Keccak core sponge function.
*
* KeccakCore provides the core sponge function for different capacities.
- * It is used to implement Hash algorithms such as SHA3.
+ * It is used to implement algorithms such as SHA3 and SHAKE.
*
* References: http://en.wikipedia.org/wiki/SHA-3
*
- * \sa SHA3
+ * \sa SHA3_256, SHAKE256
*/
#if !defined(CRYPTO_LITTLE_ENDIAN)
@@ -189,7 +189,7 @@ void KeccakCore::pad(uint8_t tag)
* If more than blockSize() bytes are required, the sponge function will
* be invoked to generate additional data.
*
- * \sa update(), reset(), extractHash()
+ * \sa update(), reset(), encrypt()
*/
void KeccakCore::extract(void *data, size_t size)
{
@@ -219,6 +219,56 @@ void KeccakCore::extract(void *data, size_t size)
}
}
+/**
+ * \brief Extracts data from the Keccak sponge function and uses it to
+ * encrypt a buffer.
+ *
+ * \param output The output buffer to write to, which may be the same
+ * buffer as \a input. The \a output buffer must have at least as many
+ * bytes as the \a input buffer.
+ * \param input The input buffer to read from.
+ * \param size The number of bytes to encrypt.
+ *
+ * This function extracts data from the sponge function and then XOR's
+ * it with \a input to generate the \a output.
+ *
+ * If more than blockSize() bytes are required, the sponge function will
+ * be invoked to generate additional data.
+ *
+ * \sa update(), reset(), extract()
+ */
+void KeccakCore::encrypt(void *output, const void *input, size_t size)
+{
+ // Stop accepting input while we are generating output.
+ state.inputSize = 0;
+
+ // Copy the output data into the caller's return buffer.
+ uint8_t *out = (uint8_t *)output;
+ const uint8_t *in = (const uint8_t *)input;
+ uint8_t tempSize;
+ while (size > 0) {
+ // Generate another output block if the current one has been exhausted.
+ if (state.outputSize >= _blockSize) {
+ keccakp();
+ state.outputSize = 0;
+ }
+
+ // How many bytes can we extract this time around?
+ tempSize = _blockSize - state.outputSize;
+ if (tempSize > size)
+ tempSize = size;
+
+ // XOR the partial output data into the caller's return buffer.
+ const uint8_t *d = ((const uint8_t *)(state.A)) + state.outputSize;
+ for (uint8_t index = 0; index < tempSize; ++index)
+ out[index] = in[index] ^ d[index];
+ state.outputSize += tempSize;
+ size -= tempSize;
+ out += tempSize;
+ in += tempSize;
+ }
+}
+
/**
* \brief Clears all sensitive data from this object.
*/
diff --git a/libraries/Crypto/KeccakCore.h b/libraries/Crypto/KeccakCore.h
index 12a5402b..ca2447ee 100644
--- a/libraries/Crypto/KeccakCore.h
+++ b/libraries/Crypto/KeccakCore.h
@@ -43,6 +43,7 @@ public:
void pad(uint8_t tag);
void extract(void *data, size_t size);
+ void encrypt(void *output, const void *input, size_t size);
void clear();
diff --git a/libraries/Crypto/SHAKE.cpp b/libraries/Crypto/SHAKE.cpp
new file mode 100644
index 00000000..b813675c
--- /dev/null
+++ b/libraries/Crypto/SHAKE.cpp
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2016 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "SHAKE.h"
+
+/**
+ * \class SHAKE SHAKE.h
+ * \brief Abstract base class for the SHAKE Extendable-Output Functions (XOFs).
+ *
+ * Reference: http://en.wikipedia.org/wiki/SHA-3
+ *
+ * \sa SHAKE256, SHAKE128, SHA3_256
+ */
+
+/**
+ * \brief Constructs a SHAKE object.
+ *
+ * \param capacity The capacity of the Keccak sponge function in bits which
+ * should be a multiple of 64 and between 64 and 1536.
+ */
+SHAKE::SHAKE(size_t capacity)
+ : finalized(false)
+{
+ core.setCapacity(capacity);
+}
+
+/**
+ * \brief Destroys this SHAKE object after clearing all sensitive information.
+ */
+SHAKE::~SHAKE()
+{
+}
+
+size_t SHAKE::blockSize() const
+{
+ return core.blockSize();
+}
+
+void SHAKE::reset()
+{
+ core.reset();
+ finalized = false;
+}
+
+void SHAKE::update(const void *data, size_t len)
+{
+ if (finalized)
+ reset();
+ core.update(data, len);
+}
+
+void SHAKE::extend(uint8_t *data, size_t len)
+{
+ if (!finalized) {
+ core.pad(0x1F);
+ finalized = true;
+ }
+ core.extract(data, len);
+}
+
+void SHAKE::encrypt(uint8_t *output, const uint8_t *input, size_t len)
+{
+ if (!finalized) {
+ core.pad(0x1F);
+ finalized = true;
+ }
+ core.encrypt(output, input, len);
+}
+
+void SHAKE::clear()
+{
+ core.clear();
+ finalized = false;
+}
+
+/**
+ * \class SHAKE128 SHAKE.h
+ * \brief SHAKE Extendable-Output Function (XOF) with 128-bit security.
+ *
+ * Reference: http://en.wikipedia.org/wiki/SHA-3
+ *
+ * \sa SHAKE256, SHAKE, SHA3_256
+ */
+
+/**
+ * \fn SHAKE128::SHAKE128()
+ * \brief Constructs a SHAKE object with 128-bit security.
+ */
+
+/**
+ * \brief Destroys this SHAKE128 object after clearing all sensitive
+ * information.
+ */
+SHAKE128::~SHAKE128()
+{
+}
+
+/**
+ * \class SHAKE256 SHAKE.h
+ * \brief SHAKE Extendable-Output Function (XOF) with 256-bit security.
+ *
+ * Reference: http://en.wikipedia.org/wiki/SHA-3
+ *
+ * \sa SHAKE128, SHAKE, SHA3_256
+ */
+
+/**
+ * \fn SHAKE256::SHAKE256()
+ * \brief Constructs a SHAKE object with 256-bit security.
+ */
+
+/**
+ * \brief Destroys this SHAKE256 object after clearing all sensitive
+ * information.
+ */
+SHAKE256::~SHAKE256()
+{
+}
diff --git a/libraries/Crypto/SHAKE.h b/libraries/Crypto/SHAKE.h
new file mode 100644
index 00000000..83826e6d
--- /dev/null
+++ b/libraries/Crypto/SHAKE.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2016 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef CRYPTO_SHAKE_h
+#define CRYPTO_SHAKE_h
+
+#include "XOF.h"
+#include "KeccakCore.h"
+
+class SHAKE : public XOF
+{
+public:
+ virtual ~SHAKE();
+
+ size_t blockSize() const;
+
+ void reset();
+ void update(const void *data, size_t len);
+
+ void extend(uint8_t *data, size_t len);
+ void encrypt(uint8_t *output, const uint8_t *input, size_t len);
+
+ void clear();
+
+protected:
+ SHAKE(size_t capacity);
+
+private:
+ KeccakCore core;
+ bool finalized;
+};
+
+class SHAKE128 : public SHAKE
+{
+public:
+ SHAKE128() : SHAKE(256) {}
+ virtual ~SHAKE128();
+};
+
+class SHAKE256 : public SHAKE
+{
+public:
+ SHAKE256() : SHAKE(512) {}
+ virtual ~SHAKE256();
+};
+
+#endif
diff --git a/libraries/Crypto/XOF.cpp b/libraries/Crypto/XOF.cpp
new file mode 100644
index 00000000..2462a819
--- /dev/null
+++ b/libraries/Crypto/XOF.cpp
@@ -0,0 +1,216 @@
+/*
+ * Copyright (C) 2016 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "XOF.h"
+
+/**
+ * \class XOF XOF.h
+ * \brief Abstract base class for Extendable-Output Functions (XOFs).
+ *
+ * Extendable-Output Functions, or XOFs, are a new class of cryptographic
+ * primitive that was defined by NIST during the SHA-3 standardization
+ * process. Essentially an XOF is a hash algorithm that has an
+ * arbitrary-length output instead of a fixed-length digest.
+ *
+ * XOFs can be used for a variety of cryptographic tasks:
+ *
+ * \li Mask generation functions for RSA OAEP style padding.
+ * \li Key derivation functions for expanding key seed material into
+ * arbitrary amounts of keying material for a secure session.
+ * \li Stream ciphers based on a key and IV.
+ *
+ * To use an XOF, it is first reset() and then data is added via multiple
+ * calls to update():
+ *
+ * \code
+ * SHAKE256 xof;
+ * xof.reset();
+ * xof.update(data1, sizeof(data1));
+ * xof.update(data2, sizeof(data2));
+ * ...
+ * \endcode
+ *
+ * Once all input data has been added, the XOF switches into extend mode
+ * to generate the arbitrary-length output data:
+ *
+ * \code
+ * xof.extend(output1, sizeof(output1));
+ * xof.extend(output2, sizeof(output2));
+ * ...
+ * \endcode
+ *
+ * Mask generation and key derivation is achieved as follows, where the
+ * key is unique for each invocation:
+ *
+ * \code
+ * SHAKE256 xof;
+ * xof.reset();
+ * xof.update(key, sizeof(key));
+ * xof.extend(output, sizeof(output));
+ * \endcode
+ *
+ * Stream ciphers can be constructed as follows, using the special
+ * encrypt() function that XOR's the output of extend() with the
+ * input plaintext to generate the output ciphertext (or alternatively
+ * XOR's the output of extend() with the ciphertext to recover the
+ * plaintext):
+ *
+ * \code
+ * SHAKE256 xof;
+ * xof.reset();
+ * xof.update(key, sizeof(key));
+ * xof.update(iv, sizeof(iv));
+ * xof.encrypt(output1, input1, sizeof(input1));
+ * xof.encrypt(output2, input2, sizeof(input2));
+ * ...
+ * \endcode
+ *
+ * If the key is reused, then the IV must be different for each session
+ * or the encryption scheme can be easily broken. It is better to
+ * generate a new key and IV combination for every session.
+ *
+ * It may also be a good idea to include some tag information with the input
+ * data to distinguish different uses of the XOF. For example:
+ *
+ * \code
+ * SHAKE256 xof;
+ * xof.reset();
+ * xof.update(key, sizeof(key));
+ * xof.update(iv, sizeof(iv));
+ * xof.update("MyCrypt", 7);
+ * xof.encrypt(output, input, sizeof(input));
+ * \endcode
+ *
+ * If the same key and IV was used with a different package, then it would
+ * not generate the same output as "MyCrypt".
+ *
+ * NIST warns that XOFs should not be used in place of hash functions.
+ * This is because of related outputs: if the same input is provided to
+ * an XOF with different output lengths, then the shorter output will
+ * be a prefix of the larger. This breaks the expected collision-resistance
+ * of regular hash functions. There is typically no need to use an XOF
+ * for hashing because NIST has already defined SHA3_256 and SHA3_512
+ * for that purpose.
+ *
+ * Reference: http://en.wikipedia.org/wiki/SHA-3
+ *
+ * \sa SHAKE256, SHAKE128, SHA3_256
+ */
+
+/**
+ * \brief Constructs a new XOF object.
+ */
+XOF::XOF()
+{
+}
+
+/**
+ * \brief Destroys this XOF object.
+ *
+ * \note Subclasses are responsible for clearing any sensitive data
+ * that remains in the XOF object when it is destroyed.
+ *
+ * \sa clear()
+ */
+XOF::~XOF()
+{
+}
+
+/**
+ * \fn size_t XOF::blockSize() const
+ * \brief Size of the internal block used by the XOF algorithm, in bytes.
+ *
+ * \sa update()
+ */
+
+/**
+ * \fn void XOF::reset()
+ * \brief Resets the XOF ready for a new session.
+ *
+ * \sa update(), extend(), encrypt()
+ */
+
+/**
+ * \fn void XOF::update(const void *data, size_t len)
+ * \brief Updates the XOF with more data.
+ *
+ * \param data Data to be hashed.
+ * \param len Number of bytes of data to be added to the XOF.
+ *
+ * If extend() or encrypt() has already been called, then the behavior of
+ * update() will be undefined. Call reset() first to start a new session.
+ *
+ * \sa reset(), extend(), encrypt()
+ */
+
+/**
+ * \fn void XOF::extend(uint8_t *data, size_t len)
+ * \brief Generates extendable output from this XOF.
+ *
+ * \param data The data buffer to be filled.
+ * \param len The number of bytes to write to \a data.
+ *
+ * \sa reset(), update(), encrypt()
+ */
+
+/**
+ * \fn void XOF::encrypt(uint8_t *output, const uint8_t *input, size_t len)
+ * \brief Encrypts an input buffer with extendable output from this XOF.
+ *
+ * \param output The output buffer to write to, which may be the same
+ * buffer as \a input. The \a output buffer must have at least as many
+ * bytes as the \a input buffer.
+ * \param input The input buffer to read from.
+ * \param len The number of bytes to encrypt.
+ *
+ * This function is a convenience that generates data with extend() and
+ * then XOR's it with the contents of \a input to generate the \a output.
+ * This function can also be used to decrypt.
+ *
+ * The encrypt() function can be called multiple times with different
+ * regions of the plaintext data.
+ *
+ * \sa reset(), update(), extend(), decrypt()
+ */
+
+/**
+ * \fn void XOF::decrypt(uint8_t *output, const uint8_t *input, size_t len)
+ * \brief Decrypts an input buffer with extendable output from this XOF.
+ *
+ * \param output The output buffer to write to, which may be the same
+ * buffer as \a input. The \a output buffer must have at least as many
+ * bytes as the \a input buffer.
+ * \param input The input buffer to read from.
+ * \param len The number of bytes to encrypt.
+ *
+ * This is a convenience function that merely calls encrypt().
+ *
+ * \sa reset(), update(), extend(), encrypt()
+ */
+
+/**
+ * \fn void XOF::clear()
+ * \brief Clears the hash state, removing all sensitive data, and then
+ * resets the XOF ready for a new session.
+ *
+ * \sa reset()
+ */
diff --git a/libraries/Crypto/XOF.h b/libraries/Crypto/XOF.h
new file mode 100644
index 00000000..fc728563
--- /dev/null
+++ b/libraries/Crypto/XOF.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2016 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef CRYPTO_XOF_h
+#define CRYPTO_XOF_h
+
+#include
+#include
+
+class XOF
+{
+public:
+ XOF();
+ virtual ~XOF();
+
+ virtual size_t blockSize() const = 0;
+
+ virtual void reset() = 0;
+ virtual void update(const void *data, size_t len) = 0;
+
+ virtual void extend(uint8_t *data, size_t len) = 0;
+ virtual void encrypt(uint8_t *output, const uint8_t *input, size_t len) = 0;
+
+ inline void decrypt(uint8_t *output, const uint8_t *input, size_t len)
+ {
+ encrypt(output, input, len);
+ }
+
+ virtual void clear() = 0;
+};
+
+#endif
diff --git a/libraries/Crypto/examples/TestSHAKE128/TestSHAKE128.ino b/libraries/Crypto/examples/TestSHAKE128/TestSHAKE128.ino
new file mode 100644
index 00000000..5d1acc1c
--- /dev/null
+++ b/libraries/Crypto/examples/TestSHAKE128/TestSHAKE128.ino
@@ -0,0 +1,371 @@
+/*
+ * Copyright (C) 2016 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+/*
+This example runs tests on the SHAKE128 implementation to verify
+correct behaviour.
+*/
+
+#include
+#include
+#include
+#if defined(__AVR__)
+#include
+#else
+#define PROGMEM
+#define memcpy_P(d, s, l) memcpy((d), (s), (l))
+#endif
+
+#define MAX_HASH_DATA_SIZE 167
+#define MAX_SHAKE_OUTPUT 256
+
+struct TestHashVectorSHAKE
+{
+ const char *name;
+ uint8_t data[MAX_HASH_DATA_SIZE];
+ size_t dataLen;
+ uint8_t hash[MAX_SHAKE_OUTPUT];
+};
+
+// Some test vectors from https://github.com/gvanas/KeccakCodePackage
+static TestHashVectorSHAKE const testVectorSHAKE128_1 PROGMEM = {
+ "SHAKE128 #1",
+ {0},
+ 0,
+ {0x7F, 0x9C, 0x2B, 0xA4, 0xE8, 0x8F, 0x82, 0x7D,
+ 0x61, 0x60, 0x45, 0x50, 0x76, 0x05, 0x85, 0x3E,
+ 0xD7, 0x3B, 0x80, 0x93, 0xF6, 0xEF, 0xBC, 0x88,
+ 0xEB, 0x1A, 0x6E, 0xAC, 0xFA, 0x66, 0xEF, 0x26,
+ 0x3C, 0xB1, 0xEE, 0xA9, 0x88, 0x00, 0x4B, 0x93,
+ 0x10, 0x3C, 0xFB, 0x0A, 0xEE, 0xFD, 0x2A, 0x68,
+ 0x6E, 0x01, 0xFA, 0x4A, 0x58, 0xE8, 0xA3, 0x63,
+ 0x9C, 0xA8, 0xA1, 0xE3, 0xF9, 0xAE, 0x57, 0xE2,
+ 0x35, 0xB8, 0xCC, 0x87, 0x3C, 0x23, 0xDC, 0x62,
+ 0xB8, 0xD2, 0x60, 0x16, 0x9A, 0xFA, 0x2F, 0x75,
+ 0xAB, 0x91, 0x6A, 0x58, 0xD9, 0x74, 0x91, 0x88,
+ 0x35, 0xD2, 0x5E, 0x6A, 0x43, 0x50, 0x85, 0xB2,
+ 0xBA, 0xDF, 0xD6, 0xDF, 0xAA, 0xC3, 0x59, 0xA5,
+ 0xEF, 0xBB, 0x7B, 0xCC, 0x4B, 0x59, 0xD5, 0x38,
+ 0xDF, 0x9A, 0x04, 0x30, 0x2E, 0x10, 0xC8, 0xBC,
+ 0x1C, 0xBF, 0x1A, 0x0B, 0x3A, 0x51, 0x20, 0xEA,
+ 0x17, 0xCD, 0xA7, 0xCF, 0xAD, 0x76, 0x5F, 0x56,
+ 0x23, 0x47, 0x4D, 0x36, 0x8C, 0xCC, 0xA8, 0xAF,
+ 0x00, 0x07, 0xCD, 0x9F, 0x5E, 0x4C, 0x84, 0x9F,
+ 0x16, 0x7A, 0x58, 0x0B, 0x14, 0xAA, 0xBD, 0xEF,
+ 0xAE, 0xE7, 0xEE, 0xF4, 0x7C, 0xB0, 0xFC, 0xA9,
+ 0x76, 0x7B, 0xE1, 0xFD, 0xA6, 0x94, 0x19, 0xDF,
+ 0xB9, 0x27, 0xE9, 0xDF, 0x07, 0x34, 0x8B, 0x19,
+ 0x66, 0x91, 0xAB, 0xAE, 0xB5, 0x80, 0xB3, 0x2D,
+ 0xEF, 0x58, 0x53, 0x8B, 0x8D, 0x23, 0xF8, 0x77,
+ 0x32, 0xEA, 0x63, 0xB0, 0x2B, 0x4F, 0xA0, 0xF4,
+ 0x87, 0x33, 0x60, 0xE2, 0x84, 0x19, 0x28, 0xCD,
+ 0x60, 0xDD, 0x4C, 0xEE, 0x8C, 0xC0, 0xD4, 0xC9,
+ 0x22, 0xA9, 0x61, 0x88, 0xD0, 0x32, 0x67, 0x5C,
+ 0x8A, 0xC8, 0x50, 0x93, 0x3C, 0x7A, 0xFF, 0x15,
+ 0x33, 0xB9, 0x4C, 0x83, 0x4A, 0xDB, 0xB6, 0x9C,
+ 0x61, 0x15, 0xBA, 0xD4, 0x69, 0x2D, 0x86, 0x19}
+};
+static TestHashVectorSHAKE const testVectorSHAKE128_2 PROGMEM = {
+ "SHAKE128 #2",
+ {0x1F, 0x87, 0x7C},
+ 3,
+ {0xE2, 0xD3, 0x14, 0x46, 0x69, 0xAB, 0x57, 0x83,
+ 0x47, 0xFC, 0xCA, 0x0B, 0x57, 0x27, 0x83, 0xA2,
+ 0x69, 0xA8, 0xCF, 0x9A, 0xDD, 0xA4, 0xD8, 0x77,
+ 0x82, 0x05, 0x3D, 0x80, 0xD5, 0xF0, 0xFD, 0xD2,
+ 0x78, 0x35, 0xCF, 0x88, 0x30, 0x36, 0xE5, 0x36,
+ 0xCE, 0x76, 0xFE, 0xF6, 0x89, 0xA5, 0xE7, 0xBD,
+ 0x64, 0x6A, 0x7F, 0xB7, 0xD7, 0x4F, 0x09, 0x01,
+ 0x93, 0xB2, 0x39, 0x0E, 0x61, 0x47, 0x59, 0xB7,
+ 0xEB, 0x7D, 0xE9, 0x15, 0xA3, 0x83, 0x28, 0x74,
+ 0x58, 0x90, 0xB1, 0xEF, 0x1E, 0x7A, 0xED, 0x78,
+ 0x16, 0x8E, 0x99, 0x6D, 0x7A, 0xC7, 0x74, 0xD4,
+ 0x7F, 0x8F, 0x11, 0x8B, 0x3E, 0x00, 0xA7, 0xBD,
+ 0x15, 0x11, 0x31, 0xBA, 0x37, 0x05, 0xAE, 0x81,
+ 0xB5, 0x7F, 0xB7, 0xCB, 0xFF, 0xE1, 0x14, 0xE2,
+ 0xF4, 0xC3, 0xCA, 0x15, 0x2B, 0x88, 0x74, 0xFB,
+ 0x90, 0x6E, 0x86, 0x28, 0x40, 0x62, 0x4E, 0x02,
+ 0xBB, 0xF9, 0x50, 0x2E, 0x46, 0xD8, 0x88, 0x84,
+ 0x33, 0xA3, 0x8E, 0x82, 0xE0, 0x4C, 0xAA, 0xCB,
+ 0x60, 0x01, 0x92, 0x22, 0xD4, 0x33, 0xE8, 0xF2,
+ 0xE7, 0x58, 0xBD, 0x41, 0xAA, 0xB3, 0x95, 0xBF,
+ 0x83, 0x61, 0x1F, 0xD0, 0xC3, 0xF7, 0xFD, 0x51,
+ 0x73, 0x30, 0x61, 0x82, 0x44, 0x9B, 0x9A, 0x22,
+ 0xC4, 0x01, 0x3F, 0x22, 0x63, 0xB4, 0x1E, 0xAC,
+ 0x4D, 0x0E, 0xDA, 0x16, 0x85, 0x49, 0x61, 0xFB,
+ 0xAA, 0x6A, 0xD0, 0x4A, 0x89, 0xE7, 0x2A, 0x60,
+ 0x2A, 0xC5, 0x96, 0x59, 0xEC, 0x2A, 0x60, 0xC1,
+ 0xD0, 0x20, 0xBA, 0xCC, 0x74, 0xA7, 0x11, 0xD4,
+ 0x25, 0x4A, 0x2E, 0xCC, 0x5F, 0x8F, 0x06, 0x27,
+ 0xB4, 0xF7, 0x2A, 0xE1, 0x30, 0xC5, 0x05, 0x90,
+ 0xF8, 0xB9, 0x1C, 0x52, 0x95, 0x7B, 0x79, 0x5D,
+ 0x12, 0xDA, 0x09, 0xBD, 0xD4, 0x0D, 0x41, 0xE3,
+ 0xCD, 0x48, 0xE3, 0x0E, 0x37, 0xFE, 0x5F, 0xD0}
+};
+static TestHashVectorSHAKE const testVectorSHAKE128_3 PROGMEM = {
+ "SHAKE128 #3",
+ {0x0D, 0x8D, 0x09, 0xAE, 0xD1, 0x9F, 0x10, 0x13,
+ 0x96, 0x9C, 0xE5, 0xE7, 0xEB, 0x92, 0xF8, 0x3A,
+ 0x20, 0x9A, 0xE7, 0x6B, 0xE3, 0x1C, 0x75, 0x48,
+ 0x44, 0xEA, 0x91, 0x16, 0xCE, 0xB3, 0x9A, 0x22,
+ 0xEB, 0xB6, 0x00, 0x30, 0x17, 0xBB, 0xCF, 0x26,
+ 0x55, 0x5F, 0xA6, 0x62, 0x41, 0x85, 0x18, 0x7D,
+ 0xB8, 0xF0, 0xCB, 0x35, 0x64, 0xB8, 0xB1, 0xC0,
+ 0x6B, 0xF6, 0x85, 0xD4, 0x7F, 0x32, 0x86, 0xED,
+ 0xA2, 0x0B, 0x83, 0x35, 0x8F, 0x59, 0x9D, 0x20,
+ 0x44, 0xBB, 0xF0, 0x58, 0x3F, 0xAB, 0x8D, 0x78,
+ 0xF8, 0x54, 0xFE, 0x0A, 0x59, 0x61, 0x83, 0x23,
+ 0x0C, 0x5E, 0xF8, 0xE5, 0x44, 0x26, 0x75, 0x0E,
+ 0xAF, 0x2C, 0xC4, 0xE2, 0x9D, 0x3B, 0xDD, 0x03,
+ 0x7E, 0x73, 0x4D, 0x86, 0x3C, 0x2B, 0xD9, 0x78,
+ 0x9B, 0x4C, 0x24, 0x30, 0x96, 0x13, 0x8F, 0x76,
+ 0x72, 0xC2, 0x32, 0x31, 0x4E, 0xFF, 0xDF, 0xC6,
+ 0x51, 0x34, 0x27, 0xE2, 0xDA, 0x76, 0x91, 0x6B,
+ 0x52, 0x48, 0x93, 0x3B, 0xE3, 0x12, 0xEB, 0x5D,
+ 0xDE, 0x4C, 0xF7, 0x08, 0x04, 0xFB, 0x25, 0x8A,
+ 0xC5, 0xFB, 0x82, 0xD5, 0x8D, 0x08, 0x17, 0x7A,
+ 0xC6, 0xF4, 0x75, 0x60, 0x17, 0xFF, 0xF5},
+ 167,
+ {0xC7, 0x3D, 0x8F, 0xAA, 0xB5, 0xD0, 0xB4, 0xD6,
+ 0x60, 0xBD, 0x50, 0x82, 0xE4, 0x4C, 0x3C, 0xAC,
+ 0x97, 0xE6, 0x16, 0x48, 0xBE, 0x0A, 0x04, 0xB1,
+ 0x16, 0x72, 0x4E, 0x6F, 0x6B, 0x65, 0x76, 0x84,
+ 0x67, 0x4B, 0x4B, 0x0E, 0x90, 0xD0, 0xAE, 0x96,
+ 0xC0, 0x85, 0x3E, 0xBD, 0x83, 0x7B, 0xD8, 0x24,
+ 0x9A, 0xDB, 0xD3, 0xB6, 0x0A, 0x1A, 0xD1, 0xFC,
+ 0xF8, 0xA6, 0xAB, 0x8E, 0x2F, 0x5A, 0xA7, 0xFF,
+ 0x19, 0x7A, 0x3D, 0x7D, 0xBE, 0xDE, 0xFB, 0x43,
+ 0x3B, 0x61, 0x35, 0x36, 0xAE, 0xC4, 0xD6, 0x55,
+ 0xB7, 0xBC, 0xD7, 0x78, 0x52, 0x6B, 0xE6, 0x67,
+ 0x84, 0x7A, 0xCD, 0x2E, 0x05, 0x64, 0xD9, 0x6C,
+ 0xE5, 0x14, 0x0C, 0x91, 0x35, 0x7F, 0xAD, 0xE0,
+ 0x00, 0xEF, 0xCB, 0x40, 0x45, 0x7E, 0x1B, 0x6C,
+ 0xED, 0x41, 0xFA, 0x10, 0x2E, 0x36, 0xE7, 0x99,
+ 0x79, 0x2D, 0xB0, 0x3E, 0x9A, 0x40, 0xC7, 0x99,
+ 0xBC, 0xA9, 0x12, 0x62, 0x94, 0x8E, 0x17, 0x60,
+ 0x50, 0x65, 0xFB, 0xF6, 0x38, 0xFB, 0x40, 0xA1,
+ 0x57, 0xB4, 0x5C, 0xF7, 0x91, 0x1A, 0x75, 0x3D,
+ 0x0D, 0x20, 0x5D, 0xF8, 0x47, 0x16, 0xA5, 0x71,
+ 0x12, 0xBE, 0xAB, 0x44, 0xF6, 0x20, 0x1F, 0xF7,
+ 0x5A, 0xAD, 0xE0, 0xBA, 0xFB, 0xA5, 0x04, 0x74,
+ 0x5C, 0xFE, 0x23, 0xE4, 0xE6, 0x0E, 0x67, 0xE3,
+ 0x99, 0x36, 0x22, 0xAE, 0xD7, 0x3A, 0x1D, 0xD6,
+ 0xA4, 0x65, 0xBD, 0x45, 0x3D, 0xD3, 0xC5, 0xBA,
+ 0x7D, 0x2C, 0xDF, 0x3F, 0x1D, 0x39, 0x37, 0x6A,
+ 0x67, 0xC2, 0x3E, 0x55, 0x5F, 0x5A, 0xCF, 0x25,
+ 0xBC, 0xE1, 0xE5, 0x5F, 0x30, 0x72, 0x52, 0xB9,
+ 0xAA, 0xC2, 0xC0, 0xA3, 0x9C, 0x88, 0x5C, 0x7E,
+ 0x44, 0xF2, 0x04, 0xCB, 0x82, 0x1C, 0x0D, 0x37,
+ 0xA2, 0x2D, 0xE3, 0xA7, 0x1F, 0x3A, 0x19, 0x09,
+ 0xB1, 0x1B, 0x71, 0x81, 0xC4, 0x2B, 0xE9, 0xB7}
+};
+
+SHAKE128 shake128;
+TestHashVectorSHAKE tst;
+uint8_t output[MAX_SHAKE_OUTPUT];
+
+bool testSHAKE_N(SHAKE *shake, const struct TestHashVectorSHAKE *test, size_t inc, bool printName = false)
+{
+ size_t size;
+ size_t posn, len;
+
+ // Copy the test case out of program memory.
+ memcpy_P(&tst, test, sizeof(tst));
+ test = &tst;
+
+ // Print the test name if necessary.
+ if (printName) {
+ Serial.print(test->name);
+ Serial.print(" ... ");
+ }
+
+ // Hash the input data.
+ if (!inc)
+ inc = 1;
+ size = test->dataLen;
+ shake->reset();
+ for (posn = 0; posn < size; posn += inc) {
+ len = size - posn;
+ if (len > inc)
+ len = inc;
+ shake->update(test->data + posn, len);
+ }
+
+ // Generate data using extend() and check it.
+ size = MAX_SHAKE_OUTPUT;
+ for (posn = 0; posn < size; posn += inc) {
+ len = size - posn;
+ if (len > inc)
+ len = inc;
+ shake->extend(output + posn, len);
+ }
+ if (memcmp(output, test->hash, size) != 0)
+ return false;
+
+ // Restart and use encrypt() this time.
+ shake->reset();
+ shake->update(test->data, test->dataLen);
+ for (posn = 0; posn < size; ++posn)
+ output[posn] = (uint8_t)(posn + 0xAA);
+ for (posn = 0; posn < size; posn += inc) {
+ len = size - posn;
+ if (len > inc)
+ len = inc;
+ shake->encrypt(output + posn, output + posn, len);
+ }
+ for (posn = 0; posn < size; ++posn)
+ output[posn] ^= (uint8_t)(posn + 0xAA);
+ if (memcmp(output, test->hash, size) != 0)
+ return false;
+
+ return true;
+}
+
+void testSHAKE(SHAKE *shake, const struct TestHashVectorSHAKE *test)
+{
+ bool ok;
+ const char *str;
+ uint8_t ch;
+ size_t dataLen;
+
+ memcpy_P(&dataLen, &(test->dataLen), sizeof(size_t));
+
+ ok = testSHAKE_N(shake, test, dataLen, true);
+ ok &= testSHAKE_N(shake, test, 1);
+ ok &= testSHAKE_N(shake, test, 2);
+ ok &= testSHAKE_N(shake, test, 5);
+ ok &= testSHAKE_N(shake, test, 8);
+ ok &= testSHAKE_N(shake, test, 13);
+ ok &= testSHAKE_N(shake, test, 16);
+ ok &= testSHAKE_N(shake, test, 24);
+ ok &= testSHAKE_N(shake, test, 63);
+ ok &= testSHAKE_N(shake, test, 64);
+
+ if (ok)
+ Serial.println("Passed");
+ else
+ Serial.println("Failed");
+}
+
+void perfUpdate(SHAKE *shake)
+{
+ unsigned long start;
+ unsigned long elapsed;
+ int count;
+
+ Serial.print("Updating ... ");
+
+ for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
+ output[posn] = (uint8_t)posn;
+
+ shake->reset();
+ start = micros();
+ for (count = 0; count < 300; ++count) {
+ shake->update(output, MAX_SHAKE_OUTPUT);
+ }
+ shake->extend(output, 0); // Force a finalize after the update.
+ elapsed = micros() - start;
+
+ Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
+ Serial.print("us per byte, ");
+ Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
+ Serial.println(" bytes per second");
+}
+
+void perfExtend(SHAKE *shake)
+{
+ unsigned long start;
+ unsigned long elapsed;
+ int count;
+
+ Serial.print("Extending ... ");
+
+ for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
+ output[posn] = (uint8_t)posn;
+
+ shake->reset();
+ shake->update(output, MAX_SHAKE_OUTPUT);
+ shake->extend(output, 0); // Force a finalize after the update.
+ start = micros();
+ for (count = 0; count < 300; ++count) {
+ shake->extend(output, MAX_SHAKE_OUTPUT);
+ }
+ elapsed = micros() - start;
+
+ Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
+ Serial.print("us per byte, ");
+ Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
+ Serial.println(" bytes per second");
+}
+
+void perfEncrypt(SHAKE *shake)
+{
+ unsigned long start;
+ unsigned long elapsed;
+ int count;
+
+ Serial.print("Encrypting ... ");
+
+ for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
+ output[posn] = (uint8_t)posn;
+
+ shake->reset();
+ shake->update(output, MAX_SHAKE_OUTPUT);
+ shake->extend(output, 0); // Force a finalize after the update.
+ start = micros();
+ for (count = 0; count < 300; ++count) {
+ shake->encrypt(output, output, MAX_SHAKE_OUTPUT);
+ }
+ elapsed = micros() - start;
+
+ Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
+ Serial.print("us per byte, ");
+ Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
+ Serial.println(" bytes per second");
+}
+
+void setup()
+{
+ Serial.begin(9600);
+
+ Serial.println();
+
+ Serial.print("State Size ...");
+ Serial.println(sizeof(SHAKE128));
+ Serial.println();
+
+ Serial.println("Test Vectors:");
+ testSHAKE(&shake128, &testVectorSHAKE128_1);
+ testSHAKE(&shake128, &testVectorSHAKE128_2);
+ testSHAKE(&shake128, &testVectorSHAKE128_3);
+
+ Serial.println();
+
+ Serial.println("Performance Tests:");
+ perfUpdate(&shake128);
+ perfExtend(&shake128);
+ perfEncrypt(&shake128);
+}
+
+void loop()
+{
+}
diff --git a/libraries/Crypto/examples/TestSHAKE256/TestSHAKE256.ino b/libraries/Crypto/examples/TestSHAKE256/TestSHAKE256.ino
new file mode 100644
index 00000000..074bd48c
--- /dev/null
+++ b/libraries/Crypto/examples/TestSHAKE256/TestSHAKE256.ino
@@ -0,0 +1,367 @@
+/*
+ * Copyright (C) 2016 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+/*
+This example runs tests on the SHAKE256 implementation to verify
+correct behaviour.
+*/
+
+#include
+#include
+#include
+#if defined(__AVR__)
+#include
+#else
+#define PROGMEM
+#define memcpy_P(d, s, l) memcpy((d), (s), (l))
+#endif
+
+#define MAX_HASH_DATA_SIZE 135
+#define MAX_SHAKE_OUTPUT 256
+
+struct TestHashVectorSHAKE
+{
+ const char *name;
+ uint8_t data[MAX_HASH_DATA_SIZE];
+ size_t dataLen;
+ uint8_t hash[MAX_SHAKE_OUTPUT];
+};
+
+// Some test vectors from https://github.com/gvanas/KeccakCodePackage
+static TestHashVectorSHAKE const testVectorSHAKE256_1 PROGMEM = {
+ "SHAKE256 #1",
+ {0},
+ 0,
+ {0x46, 0xB9, 0xDD, 0x2B, 0x0B, 0xA8, 0x8D, 0x13,
+ 0x23, 0x3B, 0x3F, 0xEB, 0x74, 0x3E, 0xEB, 0x24,
+ 0x3F, 0xCD, 0x52, 0xEA, 0x62, 0xB8, 0x1B, 0x82,
+ 0xB5, 0x0C, 0x27, 0x64, 0x6E, 0xD5, 0x76, 0x2F,
+ 0xD7, 0x5D, 0xC4, 0xDD, 0xD8, 0xC0, 0xF2, 0x00,
+ 0xCB, 0x05, 0x01, 0x9D, 0x67, 0xB5, 0x92, 0xF6,
+ 0xFC, 0x82, 0x1C, 0x49, 0x47, 0x9A, 0xB4, 0x86,
+ 0x40, 0x29, 0x2E, 0xAC, 0xB3, 0xB7, 0xC4, 0xBE,
+ 0x14, 0x1E, 0x96, 0x61, 0x6F, 0xB1, 0x39, 0x57,
+ 0x69, 0x2C, 0xC7, 0xED, 0xD0, 0xB4, 0x5A, 0xE3,
+ 0xDC, 0x07, 0x22, 0x3C, 0x8E, 0x92, 0x93, 0x7B,
+ 0xEF, 0x84, 0xBC, 0x0E, 0xAB, 0x86, 0x28, 0x53,
+ 0x34, 0x9E, 0xC7, 0x55, 0x46, 0xF5, 0x8F, 0xB7,
+ 0xC2, 0x77, 0x5C, 0x38, 0x46, 0x2C, 0x50, 0x10,
+ 0xD8, 0x46, 0xC1, 0x85, 0xC1, 0x51, 0x11, 0xE5,
+ 0x95, 0x52, 0x2A, 0x6B, 0xCD, 0x16, 0xCF, 0x86,
+ 0xF3, 0xD1, 0x22, 0x10, 0x9E, 0x3B, 0x1F, 0xDD,
+ 0x94, 0x3B, 0x6A, 0xEC, 0x46, 0x8A, 0x2D, 0x62,
+ 0x1A, 0x7C, 0x06, 0xC6, 0xA9, 0x57, 0xC6, 0x2B,
+ 0x54, 0xDA, 0xFC, 0x3B, 0xE8, 0x75, 0x67, 0xD6,
+ 0x77, 0x23, 0x13, 0x95, 0xF6, 0x14, 0x72, 0x93,
+ 0xB6, 0x8C, 0xEA, 0xB7, 0xA9, 0xE0, 0xC5, 0x8D,
+ 0x86, 0x4E, 0x8E, 0xFD, 0xE4, 0xE1, 0xB9, 0xA4,
+ 0x6C, 0xBE, 0x85, 0x47, 0x13, 0x67, 0x2F, 0x5C,
+ 0xAA, 0xAE, 0x31, 0x4E, 0xD9, 0x08, 0x3D, 0xAB,
+ 0x4B, 0x09, 0x9F, 0x8E, 0x30, 0x0F, 0x01, 0xB8,
+ 0x65, 0x0F, 0x1F, 0x4B, 0x1D, 0x8F, 0xCF, 0x3F,
+ 0x3C, 0xB5, 0x3F, 0xB8, 0xE9, 0xEB, 0x2E, 0xA2,
+ 0x03, 0xBD, 0xC9, 0x70, 0xF5, 0x0A, 0xE5, 0x54,
+ 0x28, 0xA9, 0x1F, 0x7F, 0x53, 0xAC, 0x26, 0x6B,
+ 0x28, 0x41, 0x9C, 0x37, 0x78, 0xA1, 0x5F, 0xD2,
+ 0x48, 0xD3, 0x39, 0xED, 0xE7, 0x85, 0xFB, 0x7F}
+};
+static TestHashVectorSHAKE const testVectorSHAKE256_2 PROGMEM = {
+ "SHAKE256 #2",
+ {0x1F, 0x87, 0x7C},
+ 3,
+ {0xF6, 0xBF, 0x03, 0x97, 0xDB, 0xFB, 0xB2, 0x0E,
+ 0x4A, 0xE3, 0x0F, 0x0A, 0x47, 0xFE, 0x97, 0x6C,
+ 0xD1, 0x09, 0xB3, 0xAA, 0x09, 0xB0, 0xE3, 0xF2,
+ 0x9F, 0x56, 0x0E, 0x4E, 0xD3, 0x33, 0xC0, 0xD0,
+ 0x83, 0x32, 0x6B, 0x03, 0xF6, 0xEA, 0xEB, 0x57,
+ 0xE2, 0x77, 0xBB, 0xFE, 0x1C, 0xCE, 0x36, 0xC4,
+ 0x99, 0x43, 0x4D, 0x83, 0x8C, 0xB4, 0xC8, 0xCD,
+ 0x8B, 0x02, 0xA8, 0x77, 0x90, 0xF4, 0xA6, 0x71,
+ 0x7B, 0x22, 0xD4, 0x6F, 0x92, 0x20, 0x39, 0x1C,
+ 0x42, 0x0A, 0x1A, 0x1B, 0xFA, 0xA9, 0xED, 0x5B,
+ 0x85, 0x11, 0x6B, 0xA1, 0xD9, 0xE1, 0x7F, 0xF1,
+ 0x6F, 0x6B, 0xCE, 0x67, 0x04, 0xC8, 0x0A, 0x49,
+ 0xFD, 0x9A, 0xC4, 0x26, 0x89, 0xDB, 0x09, 0x96,
+ 0xC6, 0xBD, 0x32, 0x66, 0x69, 0x40, 0x77, 0xC6,
+ 0xDE, 0x12, 0x00, 0x43, 0xA8, 0x27, 0xD4, 0x49,
+ 0x79, 0xCE, 0x8C, 0xCC, 0x6A, 0xA7, 0xE5, 0x30,
+ 0x8E, 0xBA, 0x64, 0xAC, 0xF9, 0xFF, 0xFF, 0x51,
+ 0xD3, 0x6B, 0xC4, 0x40, 0x1F, 0x81, 0x17, 0xD4,
+ 0xB9, 0x63, 0x40, 0xC6, 0x2D, 0x10, 0x6B, 0x0A,
+ 0x64, 0x45, 0xF0, 0x19, 0x87, 0xF9, 0xC4, 0xC0,
+ 0xA4, 0x20, 0xE1, 0xA9, 0xBA, 0xEB, 0x59, 0x4B,
+ 0xCB, 0x1B, 0xDB, 0xFE, 0x59, 0xB6, 0x06, 0x5E,
+ 0xB9, 0x1C, 0xBE, 0xB2, 0x52, 0x47, 0x3C, 0x78,
+ 0x58, 0xEC, 0xA4, 0x75, 0xE1, 0xC8, 0x1E, 0x84,
+ 0x25, 0xC7, 0xE2, 0xC1, 0x70, 0x6C, 0x4C, 0x4A,
+ 0xBB, 0x3A, 0xEA, 0xE3, 0x93, 0x32, 0x47, 0x9E,
+ 0xCD, 0xEF, 0xDF, 0xA9, 0x3C, 0x60, 0xEC, 0x40,
+ 0x07, 0xA5, 0x1C, 0x5D, 0xD0, 0x93, 0xB5, 0x27,
+ 0x26, 0x41, 0x55, 0xF2, 0x20, 0x2E, 0x01, 0xD2,
+ 0x08, 0x3D, 0x27, 0xD7, 0x1A, 0x6F, 0x6C, 0x92,
+ 0xD8, 0x39, 0xE6, 0xEA, 0x7D, 0x24, 0xAF, 0xDB,
+ 0x5C, 0x43, 0x63, 0x0F, 0x1B, 0xD0, 0x6E, 0x2B}
+};
+static TestHashVectorSHAKE const testVectorSHAKE256_3 PROGMEM = {
+ "SHAKE256 #3",
+ {0xB7, 0x71, 0xD5, 0xCE, 0xF5, 0xD1, 0xA4, 0x1A,
+ 0x93, 0xD1, 0x56, 0x43, 0xD7, 0x18, 0x1D, 0x2A,
+ 0x2E, 0xF0, 0xA8, 0xE8, 0x4D, 0x91, 0x81, 0x2F,
+ 0x20, 0xED, 0x21, 0xF1, 0x47, 0xBE, 0xF7, 0x32,
+ 0xBF, 0x3A, 0x60, 0xEF, 0x40, 0x67, 0xC3, 0x73,
+ 0x4B, 0x85, 0xBC, 0x8C, 0xD4, 0x71, 0x78, 0x0F,
+ 0x10, 0xDC, 0x9E, 0x82, 0x91, 0xB5, 0x83, 0x39,
+ 0xA6, 0x77, 0xB9, 0x60, 0x21, 0x8F, 0x71, 0xE7,
+ 0x93, 0xF2, 0x79, 0x7A, 0xEA, 0x34, 0x94, 0x06,
+ 0x51, 0x28, 0x29, 0x06, 0x5D, 0x37, 0xBB, 0x55,
+ 0xEA, 0x79, 0x6F, 0xA4, 0xF5, 0x6F, 0xD8, 0x89,
+ 0x6B, 0x49, 0xB2, 0xCD, 0x19, 0xB4, 0x32, 0x15,
+ 0xAD, 0x96, 0x7C, 0x71, 0x2B, 0x24, 0xE5, 0x03,
+ 0x2D, 0x06, 0x52, 0x32, 0xE0, 0x2C, 0x12, 0x74,
+ 0x09, 0xD2, 0xED, 0x41, 0x46, 0xB9, 0xD7, 0x5D,
+ 0x76, 0x3D, 0x52, 0xDB, 0x98, 0xD9, 0x49, 0xD3,
+ 0xB0, 0xFE, 0xD6, 0xA8, 0x05, 0x2F, 0xBB},
+ 135,
+ {0x6C, 0x60, 0x95, 0x5D, 0xCB, 0x8A, 0x66, 0x3B,
+ 0x6D, 0xC7, 0xF5, 0xEF, 0x7E, 0x06, 0x9C, 0xA8,
+ 0xFE, 0x3D, 0xA9, 0x9A, 0x66, 0xDF, 0x65, 0x96,
+ 0x92, 0x5D, 0x55, 0x7F, 0xED, 0x91, 0xF4, 0x70,
+ 0x91, 0x40, 0x7D, 0x6F, 0xDE, 0x32, 0x02, 0x3B,
+ 0x57, 0xE2, 0xEE, 0x4C, 0x6A, 0xC9, 0x7B, 0x07,
+ 0x76, 0x24, 0xFA, 0xC2, 0x5F, 0x6E, 0x13, 0xF4,
+ 0x19, 0x16, 0x96, 0xB4, 0x0A, 0x4D, 0xF7, 0x5F,
+ 0x61, 0xCD, 0x55, 0x21, 0xD9, 0x82, 0xC6, 0xD0,
+ 0x9D, 0x83, 0x42, 0xC1, 0x7A, 0x36, 0x6E, 0xC6,
+ 0x34, 0x6E, 0x35, 0x28, 0xB2, 0x6C, 0xFF, 0x91,
+ 0x5B, 0xE9, 0x44, 0x2B, 0x9E, 0xBC, 0xC3, 0x0F,
+ 0xF2, 0xF6, 0xAD, 0xD0, 0xE8, 0x2B, 0xA9, 0x04,
+ 0xC7, 0x37, 0x00, 0xCC, 0x99, 0xAC, 0xFF, 0x48,
+ 0x0C, 0xAF, 0x04, 0x87, 0xCE, 0xE5, 0x4C, 0xBA,
+ 0x37, 0x53, 0xB6, 0xA5, 0xDD, 0x6F, 0x0D, 0xFE,
+ 0x65, 0x71, 0xF0, 0x11, 0x5E, 0x87, 0x37, 0xB0,
+ 0x71, 0x03, 0x10, 0x23, 0xB6, 0xBB, 0x0D, 0x79,
+ 0x86, 0x4C, 0x3F, 0x33, 0x16, 0x2E, 0x78, 0x26,
+ 0x9C, 0xEE, 0x23, 0xFC, 0xE4, 0x7B, 0x91, 0xB4,
+ 0xFD, 0xF9, 0x1F, 0x98, 0x46, 0x4A, 0x1D, 0x21,
+ 0xE7, 0x99, 0xD1, 0x7F, 0x76, 0xC1, 0xBB, 0x80,
+ 0x7D, 0xEE, 0x66, 0x7B, 0x0B, 0x27, 0x30, 0x54,
+ 0xBE, 0x29, 0x82, 0x99, 0xBD, 0x12, 0xB7, 0xA8,
+ 0x0F, 0xB3, 0x54, 0xCE, 0x3E, 0x6D, 0x1A, 0xCF,
+ 0x98, 0x44, 0x38, 0x79, 0xA5, 0x54, 0xEC, 0xA6,
+ 0xB9, 0x6D, 0xF0, 0x61, 0xD0, 0x4A, 0x11, 0x7C,
+ 0x98, 0xAE, 0xEC, 0x1C, 0xDE, 0x1A, 0xFA, 0x9C,
+ 0xEF, 0x62, 0xDD, 0x68, 0x6D, 0xA9, 0x1B, 0xB2,
+ 0xB1, 0xF1, 0x23, 0x79, 0xBB, 0xDC, 0x9F, 0xA3,
+ 0x2A, 0x6B, 0x69, 0x98, 0xB7, 0x7E, 0x8E, 0xB0,
+ 0xB5, 0x05, 0x07, 0x86, 0x2A, 0xFA, 0x77, 0x99}
+};
+
+SHAKE256 shake256;
+TestHashVectorSHAKE tst;
+uint8_t output[MAX_SHAKE_OUTPUT];
+
+bool testSHAKE_N(SHAKE *shake, const struct TestHashVectorSHAKE *test, size_t inc, bool printName = false)
+{
+ size_t size;
+ size_t posn, len;
+
+ // Copy the test case out of program memory.
+ memcpy_P(&tst, test, sizeof(tst));
+ test = &tst;
+
+ // Print the test name if necessary.
+ if (printName) {
+ Serial.print(test->name);
+ Serial.print(" ... ");
+ }
+
+ // Hash the input data.
+ if (!inc)
+ inc = 1;
+ size = test->dataLen;
+ shake->reset();
+ for (posn = 0; posn < size; posn += inc) {
+ len = size - posn;
+ if (len > inc)
+ len = inc;
+ shake->update(test->data + posn, len);
+ }
+
+ // Generate data using extend() and check it.
+ size = MAX_SHAKE_OUTPUT;
+ for (posn = 0; posn < size; posn += inc) {
+ len = size - posn;
+ if (len > inc)
+ len = inc;
+ shake->extend(output + posn, len);
+ }
+ if (memcmp(output, test->hash, size) != 0)
+ return false;
+
+ // Restart and use encrypt() this time.
+ shake->reset();
+ shake->update(test->data, test->dataLen);
+ for (posn = 0; posn < size; ++posn)
+ output[posn] = (uint8_t)(posn + 0xAA);
+ for (posn = 0; posn < size; posn += inc) {
+ len = size - posn;
+ if (len > inc)
+ len = inc;
+ shake->encrypt(output + posn, output + posn, len);
+ }
+ for (posn = 0; posn < size; ++posn)
+ output[posn] ^= (uint8_t)(posn + 0xAA);
+ if (memcmp(output, test->hash, size) != 0)
+ return false;
+
+ return true;
+}
+
+void testSHAKE(SHAKE *shake, const struct TestHashVectorSHAKE *test)
+{
+ bool ok;
+ const char *str;
+ uint8_t ch;
+ size_t dataLen;
+
+ memcpy_P(&dataLen, &(test->dataLen), sizeof(size_t));
+
+ ok = testSHAKE_N(shake, test, dataLen, true);
+ ok &= testSHAKE_N(shake, test, 1);
+ ok &= testSHAKE_N(shake, test, 2);
+ ok &= testSHAKE_N(shake, test, 5);
+ ok &= testSHAKE_N(shake, test, 8);
+ ok &= testSHAKE_N(shake, test, 13);
+ ok &= testSHAKE_N(shake, test, 16);
+ ok &= testSHAKE_N(shake, test, 24);
+ ok &= testSHAKE_N(shake, test, 63);
+ ok &= testSHAKE_N(shake, test, 64);
+
+ if (ok)
+ Serial.println("Passed");
+ else
+ Serial.println("Failed");
+}
+
+void perfUpdate(SHAKE *shake)
+{
+ unsigned long start;
+ unsigned long elapsed;
+ int count;
+
+ Serial.print("Updating ... ");
+
+ for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
+ output[posn] = (uint8_t)posn;
+
+ shake->reset();
+ start = micros();
+ for (count = 0; count < 300; ++count) {
+ shake->update(output, MAX_SHAKE_OUTPUT);
+ }
+ shake->extend(output, 0); // Force a finalize after the update.
+ elapsed = micros() - start;
+
+ Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
+ Serial.print("us per byte, ");
+ Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
+ Serial.println(" bytes per second");
+}
+
+void perfExtend(SHAKE *shake)
+{
+ unsigned long start;
+ unsigned long elapsed;
+ int count;
+
+ Serial.print("Extending ... ");
+
+ for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
+ output[posn] = (uint8_t)posn;
+
+ shake->reset();
+ shake->update(output, MAX_SHAKE_OUTPUT);
+ shake->extend(output, 0); // Force a finalize after the update.
+ start = micros();
+ for (count = 0; count < 300; ++count) {
+ shake->extend(output, MAX_SHAKE_OUTPUT);
+ }
+ elapsed = micros() - start;
+
+ Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
+ Serial.print("us per byte, ");
+ Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
+ Serial.println(" bytes per second");
+}
+
+void perfEncrypt(SHAKE *shake)
+{
+ unsigned long start;
+ unsigned long elapsed;
+ int count;
+
+ Serial.print("Encrypting ... ");
+
+ for (size_t posn = 0; posn < MAX_SHAKE_OUTPUT; ++posn)
+ output[posn] = (uint8_t)posn;
+
+ shake->reset();
+ shake->update(output, MAX_SHAKE_OUTPUT);
+ shake->extend(output, 0); // Force a finalize after the update.
+ start = micros();
+ for (count = 0; count < 300; ++count) {
+ shake->encrypt(output, output, MAX_SHAKE_OUTPUT);
+ }
+ elapsed = micros() - start;
+
+ Serial.print(elapsed / (MAX_SHAKE_OUTPUT * 300.0));
+ Serial.print("us per byte, ");
+ Serial.print((MAX_SHAKE_OUTPUT * 300.0 * 1000000.0) / elapsed);
+ Serial.println(" bytes per second");
+}
+
+void setup()
+{
+ Serial.begin(9600);
+
+ Serial.println();
+
+ Serial.print("State Size ...");
+ Serial.println(sizeof(SHAKE256));
+ Serial.println();
+
+ Serial.println("Test Vectors:");
+ testSHAKE(&shake256, &testVectorSHAKE256_1);
+ testSHAKE(&shake256, &testVectorSHAKE256_2);
+ testSHAKE(&shake256, &testVectorSHAKE256_3);
+
+ Serial.println();
+
+ Serial.println("Performance Tests:");
+ perfUpdate(&shake256);
+ perfExtend(&shake256);
+ perfEncrypt(&shake256);
+}
+
+void loop()
+{
+}