-rw-r--r-- 1733 libmceliece-20241009/crypto_xof/shake256/tweet/shake256.c raw
#include "crypto_xof.h" #include "crypto_uint64.h" #define ratebytes 136 #define squeezebytes 136 #define padding 31 // the following is mostly copied from https://twitter.com/tweetfips202 // (by Daniel J. Bernstein, Peter Schwabe, Gilles Van Assche) // except for the following changes in Keccak() function: // * r arg replaced with ratebytes // * d arg replaced with squeezebytes // * p arg replaced with padding // * u64 n arg replaced with long long mlen // * new arg: long long hlen // * final squeeze changed to hlen loop // * arg order: h,hlen,m,mlen // * function name crypto_xof instead of Keccak // and the following change: // * u64 is defined as crypto_uint64 instead of unsigned long long #define FOR(i,n) for (i = 0;i < n;++i) typedef unsigned char u8; typedef crypto_uint64 u64; static u64 ROL(u64 a,u8 n){return(a<<n)|(a>>(64-n));} static u64 L64(const u8*x){u64 r=0,i;FOR(i,8)r|=(u64)x[i]<<8*i;return r;} static void F(u64*s){u8 x,y,j,R=1,r,n;u64 t,B[5],Y;FOR(n,24){FOR(x,5){B[x]=0;FOR(y,5)B[x]^=s[x+5*y];}FOR(x,5){t=B[(x+4)%5]^ROL(B[(x+1)%5],1);FOR(y,5)s[x+5*y]^=t;}t=s[1];y=r=0;x=1;FOR(j,24){r+=j+1;Y=2*x+3*y;x=y;y=Y%5;Y=s[x+5*y];s[x+5*y]=ROL(t,r%64);t=Y;}FOR(y,5){FOR(x,5)B[x]=s[x+5*y];FOR(x,5)s[x+5*y]=B[x]^(~B[(x+1)%5]&B[(x+2)%5]);}FOR(y,7)if((R=(R<<1)^(113*(R>>7)))&2)*s^=1ULL<<((1<<y)-1);}} void crypto_xof(u8 *h,long long hlen,const u8*m,long long mlen){u64 s[25],i;u8 t[200];FOR(i,25)s[i]=0;while(mlen>=ratebytes){FOR(i,ratebytes/8)s[i]^=L64(m+8*i);F(s);mlen-=ratebytes;m+=ratebytes;}FOR(i,ratebytes)t[i]=0;FOR(i,mlen)t[i]=m[i];t[i]=padding;t[ratebytes-1]|=128;FOR(i,ratebytes/8)s[i]^=L64(t+8*i); while(hlen>0){F(s);FOR(i,squeezebytes)if(i<hlen)h[i]=s[i/8]>>8*(i%8);h+=squeezebytes;hlen-=squeezebytes;}}