Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update structure of SHA3 #137

Merged
merged 10 commits into from
Sep 17, 2024
Merged

Update structure of SHA3 #137

merged 10 commits into from
Sep 17, 2024

Conversation

marsella
Copy link
Contributor

@marsella marsella commented Sep 6, 2024
edited
Loading

Addresses part of #132, but doesn't complete it.

This PR updates the high-level structure of SHA-3 to more closely imitate the spec. In particular, it:

  • adds parameters to the keccak implementation to reduce per-function parameterization
  • rearranges code to more closely match the order that things appear in the spec and to make many methods private.
  • adds documentation on the high-level functions

One effect of this is to change the way that the hash and XOF functions are called; a remaining TODO for this PR is to fix all of the downstream failures that result from this API change. Addressed this with clarified types instead of changing a dozen downstream files! Yay!

Several things here are being left to future PRs. I'll write up issues for these before this PR is merged.

  • many functions don't really look like their spec equivalents. Lower-level modifications of this kind are being saved for a separate PR
  • some of the keccak implementation is overly specific to the SHA-3 instantiation parameters, when the spec writes it as more generic. Reducing hard-coded parameters (nr specifically) that don't affect the SHA-3 instantiations is being saved for a separate PR.

@marsella
sha3: add header and start docs #132
21690a7
@marsella
sha3: adjust spacing in keccak #132
d591643
@marsella
sha3: parameterize keccak implementation #132
975633f 
- Refactors keccak to be in terms of `b` and `nr` per the spec
- Instantiates SHA3 and SHAKE with the allowed security parameters
- removes an unused reference to keccak

All the tests that I could find still pass :)
@marsella
sha3: move internal methods to private #132
2f98756
@marsella
sha3: rewrite keccak to look like the spec #132
1ac4595
@marsella
sha3: add capacity parameter #132
84815f2 
- removes all the functions that parameterize on `r` because r = b - c
- adjust the instantiations to set `c` appropriately
- rearrange a little thing with flatten since it doesn't do padding any
  more
@marsella
sha3: improve documentation
731ce8a
@marsella
sha3: add copyright notices #132
c514ca2
@marsella
sha3: fix types to work with infinite output #132
7a311f3 
Specifically, this allows callers of `SHAKE` functions to either specify
a concrete output lengths (if the needed length is known at call time)
or infinite length (if there's some additional processing before
truncating the output).
@weaversa
Copy link
Contributor

weaversa commented Sep 9, 2024

It kind of feels like something is wrong the with sha3 if join (toBytes ... is needed every time its run. I've struggled quite a bit with SHA3's bit reorganization routine and haven't yet found an elegant way to avoid asking the user to rejigger values at the function boundary. If you consider updates here, please keep in in the loop.

marsella
marsella commented Sep 9, 2024
View reviewed changes
@marsella marsella marked this pull request as ready for review September 9, 2024 17:54
@marsella
Copy link
Contributor Author

marsella commented Sep 9, 2024
edited
Loading

It kind of feels like something is wrong the with sha3 if join (toBytes ... is needed every time its run. I've struggled quite a bit with SHA3's bit reorganization routine and haven't yet found an elegant way to avoid asking the user to rejigger values at the function boundary. If you consider updates here, please keep in in the loop.

Hm, that's a good point. I'll make a follow-up issue about it. It actually seems like we could package up the to/fromBytes calls into the SHA functions for any non-infinite return type, so at least the caller wouldn't have to do it -- that would cover most use cases in here except for some functions that operate over infinite streams out of SHAKE. Technically SHAKE is supposed to take a finite length parameter so I could dive into those (old versions of Dilithium, mostly) to see if we could refactor them and add a fin d constraint to the output length of Keccak.

I also have on my list to look more carefully at the state representation in this implementation. As you mention, the spec has a fairly weird indexing scheme and I'm not exactly sure that we're implementing that fully faithfully. I wonder if getting that in line would solve the input/output format inconsistency.

Edit: Added #138.

@marsella marsella mentioned this pull request Sep 10, 2024
Closed
4 tasks
@marsella
sha3: clarify docs and examples #132
4e5f9d7 
- adds some docs to various confusing bits
- expands the demo calls to shake to include the nicest version
mccleeary-galois
mccleeary-galois approved these changes Sep 13, 2024
View reviewed changes
Copy link
Contributor

@mccleeary-galois mccleeary-galois left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good step in the right direction, as the diff is getting a bit unwieldy I would prefer to get this in and punt most things to the next PR as you had stated.

@marsella marsella mentioned this pull request Sep 17, 2024
Open
3 tasks
@marsella marsella merged commit 122045b into master Sep 17, 2024
2 checks passed
@marsella marsella deleted the 132-document-sha3 branch September 17, 2024 14:37
@marsella
Copy link
Contributor Author

@weaversa: It kind of feels like something is wrong the with sha3 if join (toBytes ... is needed every time its run. I've struggled quite a bit with SHA3's bit reorganization routine and haven't yet found an elegant way to avoid asking the user to rejigger values at the function boundary. If you consider updates here, please keep in in the loop.

I made #142 that introduces what I think is a nicer API for interacting with the SHA3 functions. Biggest caveat is that it's not quite as obvious how it correlates with the spec. Would appreciate your input on whether it aligns with your expectations / hopes for this spec!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@b13decker b13decker b13decker left review comments

@mccleeary-galois mccleeary-galois mccleeary-galois approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@marsella @weaversa @b13decker @mccleeary-galois